Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.39.3-201107161559.patch
1 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3 +++ linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4 @@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
16 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/elf.h linux-2.6.39.3/arch/alpha/include/asm/elf.h
17 --- linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
18 +++ linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/pgtable.h linux-2.6.39.3/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
35 +++ linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_apecs.c linux-2.6.39.3/arch/alpha/kernel/core_apecs.c
55 --- linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400
56 +++ linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400
57 @@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus,
58 return PCIBIOS_SUCCESSFUL;
59 }
60
61 -struct pci_ops apecs_pci_ops =
62 +const struct pci_ops apecs_pci_ops =
63 {
64 .read = apecs_read_config,
65 .write = apecs_write_config,
66 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_cia.c linux-2.6.39.3/arch/alpha/kernel/core_cia.c
67 --- linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400
68 +++ linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400
69 @@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un
70 return PCIBIOS_SUCCESSFUL;
71 }
72
73 -struct pci_ops cia_pci_ops =
74 +const struct pci_ops cia_pci_ops =
75 {
76 .read = cia_read_config,
77 .write = cia_write_config,
78 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_irongate.c linux-2.6.39.3/arch/alpha/kernel/core_irongate.c
79 --- linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400
80 +++ linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400
81 @@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu
82 return PCIBIOS_SUCCESSFUL;
83 }
84
85 -struct pci_ops irongate_pci_ops =
86 +const struct pci_ops irongate_pci_ops =
87 {
88 .read = irongate_read_config,
89 .write = irongate_write_config,
90 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_lca.c linux-2.6.39.3/arch/alpha/kernel/core_lca.c
91 --- linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400
92 +++ linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400
93 @@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un
94 return PCIBIOS_SUCCESSFUL;
95 }
96
97 -struct pci_ops lca_pci_ops =
98 +const struct pci_ops lca_pci_ops =
99 {
100 .read = lca_read_config,
101 .write = lca_write_config,
102 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_marvel.c linux-2.6.39.3/arch/alpha/kernel/core_marvel.c
103 --- linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400
104 +++ linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400
105 @@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus,
106 return PCIBIOS_SUCCESSFUL;
107 }
108
109 -struct pci_ops marvel_pci_ops =
110 +const struct pci_ops marvel_pci_ops =
111 {
112 .read = marvel_read_config,
113 .write = marvel_write_config,
114 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c
115 --- linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400
116 +++ linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400
117 @@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus,
118 return PCIBIOS_SUCCESSFUL;
119 }
120
121 -struct pci_ops mcpcia_pci_ops =
122 +const struct pci_ops mcpcia_pci_ops =
123 {
124 .read = mcpcia_read_config,
125 .write = mcpcia_write_config,
126 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_polaris.c linux-2.6.39.3/arch/alpha/kernel/core_polaris.c
127 --- linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400
128 +++ linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400
129 @@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus
130 return PCIBIOS_SUCCESSFUL;
131 }
132
133 -struct pci_ops polaris_pci_ops =
134 +const struct pci_ops polaris_pci_ops =
135 {
136 .read = polaris_read_config,
137 .write = polaris_write_config,
138 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_t2.c linux-2.6.39.3/arch/alpha/kernel/core_t2.c
139 --- linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400
140 +++ linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400
141 @@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns
142 return PCIBIOS_SUCCESSFUL;
143 }
144
145 -struct pci_ops t2_pci_ops =
146 +const struct pci_ops t2_pci_ops =
147 {
148 .read = t2_read_config,
149 .write = t2_write_config,
150 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_titan.c linux-2.6.39.3/arch/alpha/kernel/core_titan.c
151 --- linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400
152 +++ linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400
153 @@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus,
154 return PCIBIOS_SUCCESSFUL;
155 }
156
157 -struct pci_ops titan_pci_ops =
158 +const struct pci_ops titan_pci_ops =
159 {
160 .read = titan_read_config,
161 .write = titan_write_config,
162 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c
163 --- linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400
164 +++ linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400
165 @@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus
166 return PCIBIOS_SUCCESSFUL;
167 }
168
169 -struct pci_ops tsunami_pci_ops =
170 +const struct pci_ops tsunami_pci_ops =
171 {
172 .read = tsunami_read_config,
173 .write = tsunami_write_config,
174 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c
175 --- linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400
176 +++ linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400
177 @@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu
178 return PCIBIOS_SUCCESSFUL;
179 }
180
181 -struct pci_ops wildfire_pci_ops =
182 +const struct pci_ops wildfire_pci_ops =
183 {
184 .read = wildfire_read_config,
185 .write = wildfire_write_config,
186 diff -urNp linux-2.6.39.3/arch/alpha/kernel/module.c linux-2.6.39.3/arch/alpha/kernel/module.c
187 --- linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
188 +++ linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
189 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
190
191 /* The small sections were sorted to the end of the segment.
192 The following should definitely cover them. */
193 - gp = (u64)me->module_core + me->core_size - 0x8000;
194 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
195 got = sechdrs[me->arch.gotsecindex].sh_addr;
196
197 for (i = 0; i < n; i++) {
198 diff -urNp linux-2.6.39.3/arch/alpha/kernel/osf_sys.c linux-2.6.39.3/arch/alpha/kernel/osf_sys.c
199 --- linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
200 +++ linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
201 @@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
202 return -EFAULT;
203
204 len = namelen;
205 - if (namelen > 32)
206 + if (len > 32)
207 len = 32;
208
209 down_read(&uts_sem);
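Review bot: The new clamp `if (len > 32)` only closes the negative-length case if `len` is declared unsigned, and that declaration sits above the hunk, so the reason for switching from `namelen` to `len` cannot be seen at the check. A one-line comment above the test, such as `/* compare the unsigned copy so a negative namelen is clamped as well */`, would stop a later cleanup from reverting it. The `(unsigned long)len > (unsigned long)count` casts in the osf_sysinfo hunk that follows need the same explanation. Both function bodies start and end outside their hunks.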
210 @@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
211 down_read(&uts_sem);
212 res = sysinfo_table[offset];
213 len = strlen(res)+1;
214 - if (len > count)
215 + if ((unsigned long)len > (unsigned long)count)
216 len = count;
217 if (copy_to_user(buf, res, len))
218 err = -EFAULT;
219 @@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
220 return 1;
221
222 case GSI_GET_HWRPB:
223 - if (nbytes < sizeof(*hwrpb))
224 + if (nbytes > sizeof(*hwrpb))
225 return -EINVAL;
226 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
227 return -EFAULT;
228 @@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
229 {
230 struct rusage r;
231 long ret, err;
232 + unsigned int status = 0;
233 mm_segment_t old_fs;
234
235 if (!ur)
236 @@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
237 old_fs = get_fs();
238
239 set_fs (KERNEL_DS);
240 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
241 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
242 + (struct rusage __user *) &r);
243 set_fs (old_fs);
244
245 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
246 return -EFAULT;
247
248 err = 0;
249 + err |= put_user(status, ustatus);
250 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
251 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
252 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
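Review bot: `err |= put_user(status, ustatus);` runs unconditionally, so a caller that passes a NULL `ustatus` now has a fault folded into `err`, whereas the old code handed `ustatus` straight to sys_wait4(), which presumably treated it as optional. Guarding the store as `if (ustatus) err |= put_user(status, ustatus);` keeps the kernel-side buffer while preserving that case. Separately, `r` has no initializer in the visible declarations and is copied out with `__put_user` regardless of `ret`, so if sys_wait4() fails before filling it, stale kernel stack may reach user space; `memset(&r, 0, sizeof(r));` before the call would rule that out. How `ret` and `err` are combined on return is outside the hunk.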
253 @@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
254 /* At this point: (!vma || addr < vma->vm_end). */
255 if (limit - len < addr)
256 return -ENOMEM;
257 - if (!vma || addr + len <= vma->vm_start)
258 + if (check_heap_stack_gap(vma, addr, len))
259 return addr;
260 addr = vma->vm_end;
261 vma = vma->vm_next;
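Review bot: `addr = vma->vm_end;` directly after the new test is only safe if check_heap_stack_gap() returns non-zero whenever `vma` is NULL, which the comment above the hunk's first check says can happen here. The removed condition made that explicit with `!vma ||`, and the helper's definition is not in this part of the patch, so it cannot be confirmed from the hunk. Either keep the guard visible, `if (!vma || check_heap_stack_gap(vma, addr, len))`, or add `/* check_heap_stack_gap() returns true for vma == NULL */` above the call. The loop this sits in starts and ends outside the hunk.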
262 @@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
263 merely specific addresses, but regions of memory -- perhaps
264 this feature should be incorporated into all ports? */
265
266 +#ifdef CONFIG_PAX_RANDMMAP
267 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
268 +#endif
269 +
270 if (addr) {
271 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
272 if (addr != (unsigned long) -ENOMEM)
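Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and, after the `#endif` and a blank line, silently governs the existing `if (addr) {` block. That layout is easy to break: any statement later inserted between the two lines becomes the conditional body and the address-hint path runs unconditionally again. Dropping the blank line and adding `/* with RANDMMAP the caller's address hint below is ignored */` above the `#ifdef` would make the coupling visible. The function body continues outside the hunk.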
273 @@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
274 }
275
276 /* Next, try allocating at TASK_UNMAPPED_BASE. */
277 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
278 - len, limit);
279 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
280 +
281 if (addr != (unsigned long) -ENOMEM)
282 return addr;
283
284 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c
285 --- linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400
286 +++ linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400
287 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
288 return 0;
289 }
290
291 -struct dma_map_ops alpha_pci_ops = {
292 +const struct dma_map_ops alpha_pci_ops = {
293 .alloc_coherent = alpha_pci_alloc_coherent,
294 .free_coherent = alpha_pci_free_coherent,
295 .map_page = alpha_pci_map_page,
296 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
297 .set_dma_mask = alpha_pci_set_mask,
298 };
299
300 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
301 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
302 EXPORT_SYMBOL(dma_ops);
303 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci-noop.c linux-2.6.39.3/arch/alpha/kernel/pci-noop.c
304 --- linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400
305 +++ linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400
306 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
307 return 0;
308 }
309
310 -struct dma_map_ops alpha_noop_ops = {
311 +const struct dma_map_ops alpha_noop_ops = {
312 .alloc_coherent = alpha_noop_alloc_coherent,
313 .free_coherent = alpha_noop_free_coherent,
314 .map_page = alpha_noop_map_page,
315 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
316 .set_dma_mask = alpha_noop_set_mask,
317 };
318
319 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
320 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
321 EXPORT_SYMBOL(dma_ops);
322
323 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
324 diff -urNp linux-2.6.39.3/arch/alpha/kernel/proto.h linux-2.6.39.3/arch/alpha/kernel/proto.h
325 --- linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400
326 +++ linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400
327 @@ -17,14 +17,14 @@ struct pci_dev;
328 struct pci_controller;
329
330 /* core_apecs.c */
331 -extern struct pci_ops apecs_pci_ops;
332 +extern const struct pci_ops apecs_pci_ops;
333 extern void apecs_init_arch(void);
334 extern void apecs_pci_clr_err(void);
335 extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr);
336 extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
337
338 /* core_cia.c */
339 -extern struct pci_ops cia_pci_ops;
340 +extern const struct pci_ops cia_pci_ops;
341 extern void cia_init_pci(void);
342 extern void cia_init_arch(void);
343 extern void pyxis_init_arch(void);
344 @@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l
345 extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
346
347 /* core_irongate.c */
348 -extern struct pci_ops irongate_pci_ops;
349 +extern const struct pci_ops irongate_pci_ops;
350 extern int irongate_pci_clr_err(void);
351 extern void irongate_init_arch(void);
352 #define irongate_pci_tbi ((void *)0)
353
354 /* core_lca.c */
355 -extern struct pci_ops lca_pci_ops;
356 +extern const struct pci_ops lca_pci_ops;
357 extern void lca_init_arch(void);
358 extern void lca_machine_check(unsigned long vector, unsigned long la_ptr);
359 extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
360
361 /* core_marvel.c */
362 -extern struct pci_ops marvel_pci_ops;
363 +extern const struct pci_ops marvel_pci_ops;
364 extern void marvel_init_arch(void);
365 extern void marvel_kill_arch(int);
366 extern void marvel_machine_check(unsigned long, unsigned long);
367 @@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 *
368 void io7_clear_errors(struct io7 *io7);
369
370 /* core_mcpcia.c */
371 -extern struct pci_ops mcpcia_pci_ops;
372 +extern const struct pci_ops mcpcia_pci_ops;
373 extern void mcpcia_init_arch(void);
374 extern void mcpcia_init_hoses(void);
375 extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr);
376 extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
377
378 /* core_polaris.c */
379 -extern struct pci_ops polaris_pci_ops;
380 +extern const struct pci_ops polaris_pci_ops;
381 extern int polaris_read_config_dword(struct pci_dev *, int, u32 *);
382 extern int polaris_write_config_dword(struct pci_dev *, int, u32);
383 extern void polaris_init_arch(void);
384 @@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign
385 #define polaris_pci_tbi ((void *)0)
386
387 /* core_t2.c */
388 -extern struct pci_ops t2_pci_ops;
389 +extern const struct pci_ops t2_pci_ops;
390 extern void t2_init_arch(void);
391 extern void t2_kill_arch(int);
392 extern void t2_machine_check(unsigned long vector, unsigned long la_ptr);
393 extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
394
395 /* core_titan.c */
396 -extern struct pci_ops titan_pci_ops;
397 +extern const struct pci_ops titan_pci_ops;
398 extern void titan_init_arch(void);
399 extern void titan_kill_arch(int);
400 extern void titan_machine_check(unsigned long, unsigned long);
401 @@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con
402 extern struct _alpha_agp_info *titan_agp_info(void);
403
404 /* core_tsunami.c */
405 -extern struct pci_ops tsunami_pci_ops;
406 +extern const struct pci_ops tsunami_pci_ops;
407 extern void tsunami_init_arch(void);
408 extern void tsunami_kill_arch(int);
409 extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr);
410 extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
411
412 /* core_wildfire.c */
413 -extern struct pci_ops wildfire_pci_ops;
414 +extern const struct pci_ops wildfire_pci_ops;
415 extern void wildfire_init_arch(void);
416 extern void wildfire_kill_arch(int);
417 extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr);
418 diff -urNp linux-2.6.39.3/arch/alpha/mm/fault.c linux-2.6.39.3/arch/alpha/mm/fault.c
419 --- linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
420 +++ linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
421 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
422 __reload_thread(pcb);
423 }
424
425 +#ifdef CONFIG_PAX_PAGEEXEC
426 +/*
427 + * PaX: decide what to do with offenders (regs->pc = fault address)
428 + *
429 + * returns 1 when task should be killed
430 + * 2 when patched PLT trampoline was detected
431 + * 3 when unpatched PLT trampoline was detected
432 + */
433 +static int pax_handle_fetch_fault(struct pt_regs *regs)
434 +{
435 +
436 +#ifdef CONFIG_PAX_EMUPLT
437 + int err;
438 +
439 + do { /* PaX: patched PLT emulation #1 */
440 + unsigned int ldah, ldq, jmp;
441 +
442 + err = get_user(ldah, (unsigned int *)regs->pc);
443 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
444 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
445 +
446 + if (err)
447 + break;
448 +
449 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
450 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
451 + jmp == 0x6BFB0000U)
452 + {
453 + unsigned long r27, addr;
454 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
455 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
456 +
457 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
458 + err = get_user(r27, (unsigned long *)addr);
459 + if (err)
460 + break;
461 +
462 + regs->r27 = r27;
463 + regs->pc = r27;
464 + return 2;
465 + }
466 + } while (0);
467 +
468 + do { /* PaX: patched PLT emulation #2 */
469 + unsigned int ldah, lda, br;
470 +
471 + err = get_user(ldah, (unsigned int *)regs->pc);
472 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
473 + err |= get_user(br, (unsigned int *)(regs->pc+8));
474 +
475 + if (err)
476 + break;
477 +
478 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
479 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
480 + (br & 0xFFE00000U) == 0xC3E00000U)
481 + {
482 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
483 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
484 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
485 +
486 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
487 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
488 + return 2;
489 + }
490 + } while (0);
491 +
492 + do { /* PaX: unpatched PLT emulation */
493 + unsigned int br;
494 +
495 + err = get_user(br, (unsigned int *)regs->pc);
496 +
497 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
498 + unsigned int br2, ldq, nop, jmp;
499 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
500 +
501 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
502 + err = get_user(br2, (unsigned int *)addr);
503 + err |= get_user(ldq, (unsigned int *)(addr+4));
504 + err |= get_user(nop, (unsigned int *)(addr+8));
505 + err |= get_user(jmp, (unsigned int *)(addr+12));
506 + err |= get_user(resolver, (unsigned long *)(addr+16));
507 +
508 + if (err)
509 + break;
510 +
511 + if (br2 == 0xC3600000U &&
512 + ldq == 0xA77B000CU &&
513 + nop == 0x47FF041FU &&
514 + jmp == 0x6B7B0000U)
515 + {
516 + regs->r28 = regs->pc+4;
517 + regs->r27 = addr+16;
518 + regs->pc = resolver;
519 + return 3;
520 + }
521 + }
522 + } while (0);
523 +#endif
524 +
525 + return 1;
526 +}
527 +
528 +void pax_report_insns(void *pc, void *sp)
529 +{
530 + unsigned long i;
531 +
532 + printk(KERN_ERR "PAX: bytes at PC: ");
533 + for (i = 0; i < 5; i++) {
534 + unsigned int c;
535 + if (get_user(c, (unsigned int *)pc+i))
536 + printk(KERN_CONT "???????? ");
537 + else
538 + printk(KERN_CONT "%08x ", c);
539 + }
540 + printk("\n");
541 +}
542 +#endif
543
544 /*
545 * This routine handles page faults. It determines the address,
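Review bot: In "patched PLT emulation #2" the variable is named `lda`, but it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern emulation #1 uses for `ldq`. The block then adds the displacement to `regs->r27` without a load, which fits an `lda`, so either the name or the constant looks wrong; if `lda $27,x($27)` is intended the value is presumably `0x237B0000U`, to be confirmed against the Alpha encoding. As written, sequence #2 would only match code containing an `ldq` at that slot. The opcode masks would also benefit from a short comment naming the instruction each one encodes. Lastly, the closing `printk("\n");` in pax_report_insns() has no `KERN_CONT`, unlike the continuation calls before it.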
546 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
547 good_area:
548 si_code = SEGV_ACCERR;
549 if (cause < 0) {
550 - if (!(vma->vm_flags & VM_EXEC))
551 + if (!(vma->vm_flags & VM_EXEC)) {
552 +
553 +#ifdef CONFIG_PAX_PAGEEXEC
554 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
555 + goto bad_area;
556 +
557 + up_read(&mm->mmap_sem);
558 + switch (pax_handle_fetch_fault(regs)) {
559 +
560 +#ifdef CONFIG_PAX_EMUPLT
561 + case 2:
562 + case 3:
563 + return;
564 +#endif
565 +
566 + }
567 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
568 + do_group_exit(SIGKILL);
569 +#else
570 goto bad_area;
571 +#endif
572 +
573 + }
574 } else if (!cause) {
575 /* Allow reads even for write-only mappings */
576 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
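Review bot: The `switch (pax_handle_fetch_fault(regs))` matches bare `2` and `3`, whose meaning is documented only in the comment on the helper, and it has no `default`, so with CONFIG_PAX_EMUPLT disabled it is an empty switch. Named constants shared by both functions, plus an explicit `default: break;`, would make the kill path easier to audit. Since `up_read(&mm->mmap_sem)` has already run, it is also worth stating that the path must not continue, for example `/* do_group_exit() does not return; mmap_sem is already released */` above that call. do_page_fault's body starts and ends outside the hunk.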
577 diff -urNp linux-2.6.39.3/arch/arm/common/it8152.c linux-2.6.39.3/arch/arm/common/it8152.c
578 --- linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400
579 +++ linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400
580 @@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc
581 return PCIBIOS_SUCCESSFUL;
582 }
583
584 -static struct pci_ops it8152_ops = {
585 +static const struct pci_ops it8152_ops = {
586 .read = it8152_pci_read_config,
587 .write = it8152_pci_write_config,
588 };
589 diff -urNp linux-2.6.39.3/arch/arm/common/via82c505.c linux-2.6.39.3/arch/arm/common/via82c505.c
590 --- linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400
591 +++ linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400
592 @@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b
593 return PCIBIOS_SUCCESSFUL;
594 }
595
596 -static struct pci_ops via82c505_ops = {
597 +static const struct pci_ops via82c505_ops = {
598 .read = via82c505_read_config,
599 .write = via82c505_write_config,
600 };
601 diff -urNp linux-2.6.39.3/arch/arm/include/asm/cacheflush.h linux-2.6.39.3/arch/arm/include/asm/cacheflush.h
602 --- linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
603 +++ linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
604 @@ -115,7 +115,7 @@ struct cpu_cache_fns {
605 */
606 #ifdef MULTI_CACHE
607
608 -extern struct cpu_cache_fns cpu_cache;
609 +extern const struct cpu_cache_fns cpu_cache;
610
611 #define __cpuc_flush_icache_all cpu_cache.flush_icache_all
612 #define __cpuc_flush_kern_all cpu_cache.flush_kern_all
613 diff -urNp linux-2.6.39.3/arch/arm/include/asm/elf.h linux-2.6.39.3/arch/arm/include/asm/elf.h
614 --- linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
615 +++ linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
616 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
617 the loader. We need to make sure that it is out of the way of the program
618 that it will "exec", and that there is sufficient room for the brk. */
619
620 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
621 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
622 +
623 +#ifdef CONFIG_PAX_ASLR
624 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
625 +
626 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
627 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
628 +#endif
629
630 /* When the program starts, a1 contains a pointer to a function to be
631 registered with atexit, as per the SVR4 ABI. A value of 0 means we
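Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT` with exact equality, so a task that has any additional personality flag bit set falls into the `10` branch even though it is a 32-bit-address task. The alpha version of these macros earlier in the same patch masks instead, with `current->personality & ADDR_LIMIT_32BIT`. If the intent is to key on the address-limit bit, `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would be consistent with it; this is worth confirming against how PER_LINUX_32BIT is defined. A comment stating what the two values mean (presumably bits of randomization) is also missing.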
632 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
633 extern void elf_set_personality(const struct elf32_hdr *);
634 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
635
636 -struct mm_struct;
637 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
638 -#define arch_randomize_brk arch_randomize_brk
639 -
640 extern int vectors_user_mapping(void);
641 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
642 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
643 diff -urNp linux-2.6.39.3/arch/arm/include/asm/kmap_types.h linux-2.6.39.3/arch/arm/include/asm/kmap_types.h
644 --- linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
645 +++ linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
646 @@ -21,6 +21,7 @@ enum km_type {
647 KM_L1_CACHE,
648 KM_L2_CACHE,
649 KM_KDB,
650 + KM_CLEARPAGE,
651 KM_TYPE_NR
652 };
653
654 diff -urNp linux-2.6.39.3/arch/arm/include/asm/outercache.h linux-2.6.39.3/arch/arm/include/asm/outercache.h
655 --- linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400
656 +++ linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400
657 @@ -38,7 +38,7 @@ struct outer_cache_fns {
658
659 #ifdef CONFIG_OUTER_CACHE
660
661 -extern struct outer_cache_fns outer_cache;
662 +extern const struct outer_cache_fns outer_cache;
663
664 static inline void outer_inv_range(phys_addr_t start, phys_addr_t end)
665 {
666 diff -urNp linux-2.6.39.3/arch/arm/include/asm/page.h linux-2.6.39.3/arch/arm/include/asm/page.h
667 --- linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
668 +++ linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
669 @@ -126,7 +126,7 @@ struct cpu_user_fns {
670 };
671
672 #ifdef MULTI_USER
673 -extern struct cpu_user_fns cpu_user;
674 +extern const struct cpu_user_fns cpu_user;
675
676 #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage
677 #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage
678 diff -urNp linux-2.6.39.3/arch/arm/include/asm/uaccess.h linux-2.6.39.3/arch/arm/include/asm/uaccess.h
679 --- linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
680 +++ linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-06-29 21:04:12.000000000 -0400
681 @@ -22,6 +22,8 @@
682 #define VERIFY_READ 0
683 #define VERIFY_WRITE 1
684
685 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
686 +
687 /*
688 * The exception table consists of pairs of addresses: the first is the
689 * address of an instruction that is allowed to fault, and the second is
690 @@ -387,8 +389,23 @@ do { \
691
692
693 #ifdef CONFIG_MMU
694 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
695 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
696 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
697 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
698 +
699 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
700 +{
701 + if (!__builtin_constant_p(n))
702 + check_object_size(to, n, false);
703 + return ___copy_from_user(to, from, n);
704 +}
705 +
706 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
707 +{
708 + if (!__builtin_constant_p(n))
709 + check_object_size(from, n, true);
710 + return ___copy_to_user(to, from, n);
711 +}
712 +
713 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
714 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
715 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
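Review bot: The new inline `__copy_from_user()` and `__copy_to_user()` skip `check_object_size()` whenever `__builtin_constant_p(n)` is true, and nothing at that point says why. A short comment on each wrapper, such as `/* constant sizes are fixed at compile time; only run-time lengths are checked against the object */`, would state the assumption (inferred here, not visible in the hunk) so it can be reviewed. The third argument is also a bare `false`/`true` that only makes sense next to the prototype's `bool to`; `/* to user */` at the call sites would help. The triple-underscore names differ from the wrappers by one character, so the comment could also say which layer callers should use.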
716 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
717
718 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
719 {
720 + if ((long)n < 0)
721 + return n;
722 +
723 if (access_ok(VERIFY_READ, from, n))
724 n = __copy_from_user(to, from, n);
725 else /* security hole - plug it */
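Review bot: The early `return n;` for `(long)n < 0` in copy_from_user() bypasses the `else /* security hole - plug it */` branch at the end of the hunk, which presumably zero-fills `to` when the access check fails. A caller that ignores the return value is then left with an untouched, possibly uninitialized destination buffer, which is the case that branch exists to prevent. Zeroing cannot be done for a length this large, so the contract should at least be documented, for example `/* n with the sign bit set is an underflowed length: nothing is copied or cleared, caller must check the return */`. The same early return is added to copy_to_user() in the next hunk and needs the same comment. Both function bodies end outside their hunks.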
726 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
727
728 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
729 {
730 + if ((long)n < 0)
731 + return n;
732 +
733 if (access_ok(VERIFY_WRITE, to, n))
734 n = __copy_to_user(to, from, n);
735 return n;
736 diff -urNp linux-2.6.39.3/arch/arm/kernel/armksyms.c linux-2.6.39.3/arch/arm/kernel/armksyms.c
737 --- linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-05-19 00:06:34.000000000 -0400
738 +++ linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-07-06 19:52:45.000000000 -0400
739 @@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
740 #ifdef CONFIG_MMU
741 EXPORT_SYMBOL(copy_page);
742
743 -EXPORT_SYMBOL(__copy_from_user);
744 -EXPORT_SYMBOL(__copy_to_user);
745 +EXPORT_SYMBOL(___copy_from_user);
746 +EXPORT_SYMBOL(___copy_to_user);
747 EXPORT_SYMBOL(__clear_user);
748
749 EXPORT_SYMBOL(__get_user_1);
750 diff -urNp linux-2.6.39.3/arch/arm/kernel/kgdb.c linux-2.6.39.3/arch/arm/kernel/kgdb.c
751 --- linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
752 +++ linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
753 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
754 * and we handle the normal undef case within the do_undefinstr
755 * handler.
756 */
757 -struct kgdb_arch arch_kgdb_ops = {
758 +const struct kgdb_arch arch_kgdb_ops = {
759 #ifndef __ARMEB__
760 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
761 #else /* ! __ARMEB__ */
762 diff -urNp linux-2.6.39.3/arch/arm/kernel/process.c linux-2.6.39.3/arch/arm/kernel/process.c
763 --- linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
764 +++ linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
765 @@ -28,7 +28,6 @@
766 #include <linux/tick.h>
767 #include <linux/utsname.h>
768 #include <linux/uaccess.h>
769 -#include <linux/random.h>
770 #include <linux/hw_breakpoint.h>
771
772 #include <asm/cacheflush.h>
773 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
774 return 0;
775 }
776
777 -unsigned long arch_randomize_brk(struct mm_struct *mm)
778 -{
779 - unsigned long range_end = mm->brk + 0x02000000;
780 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
781 -}
782 -
783 #ifdef CONFIG_MMU
784 /*
785 * The vectors page is always readable from user space for the
786 diff -urNp linux-2.6.39.3/arch/arm/kernel/traps.c linux-2.6.39.3/arch/arm/kernel/traps.c
787 --- linux-2.6.39.3/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
788 +++ linux-2.6.39.3/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400
789 @@ -258,6 +258,8 @@ static int __die(const char *str, int er
790
791 static DEFINE_SPINLOCK(die_lock);
792
793 +extern void gr_handle_kernel_exploit(void);
794 +
795 /*
796 * This function is protected against re-entrancy.
797 */
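Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c rather than pulled from a header shared with the definition, so the compiler would not catch a later change to the function's signature here. Moving the prototype into a header included by both the definition and this file would close that gap. If the local declaration is kept, a short comment naming the file that defines the function would help the next reader.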
798 @@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs
799 panic("Fatal exception in interrupt");
800 if (panic_on_oops)
801 panic("Fatal exception");
802 +
803 + gr_handle_kernel_exploit();
804 +
805 if (ret != NOTIFY_STOP)
806 do_exit(SIGSEGV);
807 }
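Review bot: gr_handle_kernel_exploit() is called unconditionally, ahead of the `ret != NOTIFY_STOP` test, so it also runs when a die notifier has claimed the event and do_exit() will not be reached. If that is intended, the call site should say so, for example `/* runs even when a notifier returned NOTIFY_STOP */`. If it is not, the call belongs inside the `if (ret != NOTIFY_STOP)` branch, before `do_exit(SIGSEGV);`. What the function does is not visible in this hunk, and die() starts outside it.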
808 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_from_user.S linux-2.6.39.3/arch/arm/lib/copy_from_user.S
809 --- linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-05-19 00:06:34.000000000 -0400
810 +++ linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-06-29 20:58:18.000000000 -0400
811 @@ -16,7 +16,7 @@
812 /*
813 * Prototype:
814 *
815 - * size_t __copy_from_user(void *to, const void *from, size_t n)
816 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
817 *
818 * Purpose:
819 *
820 @@ -84,11 +84,11 @@
821
822 .text
823
824 -ENTRY(__copy_from_user)
825 +ENTRY(___copy_from_user)
826
827 #include "copy_template.S"
828
829 -ENDPROC(__copy_from_user)
830 +ENDPROC(___copy_from_user)
831
832 .pushsection .fixup,"ax"
833 .align 0
834 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_to_user.S linux-2.6.39.3/arch/arm/lib/copy_to_user.S
835 --- linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-05-19 00:06:34.000000000 -0400
836 +++ linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-06-29 20:59:20.000000000 -0400
837 @@ -16,7 +16,7 @@
838 /*
839 * Prototype:
840 *
841 - * size_t __copy_to_user(void *to, const void *from, size_t n)
842 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
843 *
844 * Purpose:
845 *
846 @@ -88,11 +88,11 @@
847 .text
848
849 ENTRY(__copy_to_user_std)
850 -WEAK(__copy_to_user)
851 +WEAK(___copy_to_user)
852
853 #include "copy_template.S"
854
855 -ENDPROC(__copy_to_user)
856 +ENDPROC(___copy_to_user)
857 ENDPROC(__copy_to_user_std)
858
859 .pushsection .fixup,"ax"
860 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess.S linux-2.6.39.3/arch/arm/lib/uaccess.S
861 --- linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-05-19 00:06:34.000000000 -0400
862 +++ linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-06-29 20:59:01.000000000 -0400
863 @@ -20,7 +20,7 @@
864
865 #define PAGE_SHIFT 12
866
867 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
868 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
869 * Purpose : copy a block to user memory from kernel memory
870 * Params : to - user memory
871 * : from - kernel memory
872 @@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
873 sub r2, r2, ip
874 b .Lc2u_dest_aligned
875
876 -ENTRY(__copy_to_user)
877 +ENTRY(___copy_to_user)
878 stmfd sp!, {r2, r4 - r7, lr}
879 cmp r2, #4
880 blt .Lc2u_not_enough
881 @@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
882 ldrgtb r3, [r1], #0
883 USER( T(strgtb) r3, [r0], #1) @ May fault
884 b .Lc2u_finished
885 -ENDPROC(__copy_to_user)
886 +ENDPROC(___copy_to_user)
887
888 .pushsection .fixup,"ax"
889 .align 0
890 9001: ldmfd sp!, {r0, r4 - r7, pc}
891 .popsection
892
893 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
894 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
895 * Purpose : copy a block from user memory to kernel memory
896 * Params : to - kernel memory
897 * : from - user memory
898 @@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
899 sub r2, r2, ip
900 b .Lcfu_dest_aligned
901
902 -ENTRY(__copy_from_user)
903 +ENTRY(___copy_from_user)
904 stmfd sp!, {r0, r2, r4 - r7, lr}
905 cmp r2, #4
906 blt .Lcfu_not_enough
907 @@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
908 USER( T(ldrgtb) r3, [r1], #1) @ May fault
909 strgtb r3, [r0], #1
910 b .Lcfu_finished
911 -ENDPROC(__copy_from_user)
912 +ENDPROC(___copy_from_user)
913
914 .pushsection .fixup,"ax"
915 .align 0
916 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c
917 --- linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-05-19 00:06:34.000000000 -0400
918 +++ linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:59:55.000000000 -0400
919 @@ -103,7 +103,7 @@ out:
920 }
921
922 unsigned long
923 -__copy_to_user(void __user *to, const void *from, unsigned long n)
924 +___copy_to_user(void __user *to, const void *from, unsigned long n)
925 {
926 /*
927 * This test is stubbed out of the main function above to keep
928 diff -urNp linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c
929 --- linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
930 +++ linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
931 @@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str
932 return 1;
933 }
934
935 -static struct pci_ops cns3xxx_pcie_ops = {
936 +static const struct pci_ops cns3xxx_pcie_ops = {
937 .read = cns3xxx_pci_read_config,
938 .write = cns3xxx_pci_write_config,
939 };
940 diff -urNp linux-2.6.39.3/arch/arm/mach-dove/pcie.c linux-2.6.39.3/arch/arm/mach-dove/pcie.c
941 --- linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400
942 +++ linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400
943 @@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus *
944 return ret;
945 }
946
947 -static struct pci_ops pcie_ops = {
948 +static const struct pci_ops pcie_ops = {
949 .read = pcie_rd_conf,
950 .write = pcie_wr_conf,
951 };
952 diff -urNp linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c
953 --- linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400
954 +++ linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400
955 @@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus
956 return PCIBIOS_SUCCESSFUL;
957 }
958
959 -static struct pci_ops dc21285_ops = {
960 +static const struct pci_ops dc21285_ops = {
961 .read = dc21285_read_config,
962 .write = dc21285_write_config,
963 };
964 diff -urNp linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c
965 --- linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400
966 +++ linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400
967 @@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu
968 return PCIBIOS_SUCCESSFUL;
969 }
970
971 -static struct pci_ops pci_v3_ops = {
972 +static const struct pci_ops pci_v3_ops = {
973 .read = v3_read_config,
974 .write = v3_write_config,
975 };
976 diff -urNp linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c
977 --- linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400
978 +++ linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400
979 @@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus
980 return PCIBIOS_SUCCESSFUL;
981 }
982
983 -static struct pci_ops iop13xx_atux_ops = {
984 +static const struct pci_ops iop13xx_atux_ops = {
985 .read = iop13xx_atux_read_config,
986 .write = iop13xx_atux_write_config,
987 };
988 @@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus
989 return PCIBIOS_SUCCESSFUL;
990 }
991
992 -static struct pci_ops iop13xx_atue_ops = {
993 +static const struct pci_ops iop13xx_atue_ops = {
994 .read = iop13xx_atue_read_config,
995 .write = iop13xx_atue_write_config,
996 };
997 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c
998 --- linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400
999 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400
1000 @@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru
1001 return PCIBIOS_DEVICE_NOT_FOUND;
1002 }
1003
1004 -static struct pci_ops enp2611_pci_ops = {
1005 +static const struct pci_ops enp2611_pci_ops = {
1006 .read = enp2611_pci_read_config,
1007 .write = enp2611_pci_write_config
1008 };
1009 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c
1010 --- linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400
1011 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400
1012 @@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_
1013 }
1014
1015
1016 -static struct pci_ops ixp2000_pci_ops = {
1017 +static const struct pci_ops ixp2000_pci_ops = {
1018 .read = ixp2000_pci_read_config,
1019 .write = ixp2000_pci_write_config
1020 };
1021 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c
1022 --- linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400
1023 +++ linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400
1024 @@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru
1025 return PCIBIOS_SUCCESSFUL;
1026 }
1027
1028 -struct pci_ops ixp23xx_pci_ops = {
1029 +const struct pci_ops ixp23xx_pci_ops = {
1030 .read = ixp23xx_pci_read_config,
1031 .write = ixp23xx_pci_write_config,
1032 };
1033 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c
1034 --- linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400
1035 +++ linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400
1036 @@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc
1037 return PCIBIOS_SUCCESSFUL;
1038 }
1039
1040 -struct pci_ops ixp4xx_ops = {
1041 +const struct pci_ops ixp4xx_ops = {
1042 .read = ixp4xx_pci_read_config,
1043 .write = ixp4xx_pci_write_config,
1044 };
1045 diff -urNp linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c
1046 --- linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400
1047 +++ linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400
1048 @@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus *
1049 return ret;
1050 }
1051
1052 -static struct pci_ops pcie_ops = {
1053 +static const struct pci_ops pcie_ops = {
1054 .read = pcie_rd_conf,
1055 .write = pcie_wr_conf,
1056 };
1057 diff -urNp linux-2.6.39.3/arch/arm/mach-ks8695/pci.c linux-2.6.39.3/arch/arm/mach-ks8695/pci.c
1058 --- linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400
1059 +++ linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400
1060 @@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int
1061 __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD);
1062 }
1063
1064 -static struct pci_ops ks8695_pci_ops = {
1065 +static const struct pci_ops ks8695_pci_ops = {
1066 .read = ks8695_pci_readconfig,
1067 .write = ks8695_pci_writeconfig,
1068 };
1069 diff -urNp linux-2.6.39.3/arch/arm/mach-mmp/clock.c linux-2.6.39.3/arch/arm/mach-mmp/clock.c
1070 --- linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400
1071 +++ linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400
1072 @@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk
1073 __raw_writel(0, clk->clk_rst);
1074 }
1075
1076 -struct clkops apbc_clk_ops = {
1077 +const struct clkops apbc_clk_ops = {
1078 .enable = apbc_clk_enable,
1079 .disable = apbc_clk_disable,
1080 };
1081 @@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk
1082 __raw_writel(0, clk->clk_rst);
1083 }
1084
1085 -struct clkops apmu_clk_ops = {
1086 +const struct clkops apmu_clk_ops = {
1087 .enable = apmu_clk_enable,
1088 .disable = apmu_clk_disable,
1089 };
1090 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/iommu.c linux-2.6.39.3/arch/arm/mach-msm/iommu.c
1091 --- linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400
1092 +++ linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400
1093 @@ -669,7 +669,7 @@ fail:
1094 return 0;
1095 }
1096
1097 -static struct iommu_ops msm_iommu_ops = {
1098 +static const struct iommu_ops msm_iommu_ops = {
1099 .domain_init = msm_iommu_domain_init,
1100 .domain_destroy = msm_iommu_domain_destroy,
1101 .attach_dev = msm_iommu_attach_dev,
1102 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c
1103 --- linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400
1104 +++ linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400
1105 @@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc
1106 }
1107
1108 static struct file_operations last_radio_log_fops = {
1109 + /* cannot be const, see msm_init_last_radio_log */
1110 .read = last_radio_log_read,
1111 .llseek = default_llseek,
1112 };
1113 diff -urNp linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c
1114 --- linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400
1115 +++ linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400
1116 @@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus *
1117 return ret;
1118 }
1119
1120 -static struct pci_ops pcie_ops = {
1121 +static const struct pci_ops pcie_ops = {
1122 .read = pcie_rd_conf,
1123 .write = pcie_wr_conf,
1124 };
1125 diff -urNp linux-2.6.39.3/arch/arm/mach-orion5x/pci.c linux-2.6.39.3/arch/arm/mach-orion5x/pci.c
1126 --- linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400
1127 +++ linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400
1128 @@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus *
1129 return ret;
1130 }
1131
1132 -static struct pci_ops pcie_ops = {
1133 +static const struct pci_ops pcie_ops = {
1134 .read = pcie_rd_conf,
1135 .write = pcie_wr_conf,
1136 };
1137 @@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc
1138 PCI_FUNC(devfn), where, size, val);
1139 }
1140
1141 -static struct pci_ops pci_ops = {
1142 +static const struct pci_ops pci_ops = {
1143 .read = orion5x_pci_rd_conf,
1144 .write = orion5x_pci_wr_conf,
1145 };
1146 diff -urNp linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c
1147 --- linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400
1148 +++ linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400
1149 @@ -117,7 +117,7 @@ static int nanoengine_write_config(struc
1150 return PCIBIOS_SUCCESSFUL;
1151 }
1152
1153 -static struct pci_ops pci_nano_ops = {
1154 +static const struct pci_ops pci_nano_ops = {
1155 .read = nanoengine_read_config,
1156 .write = nanoengine_write_config,
1157 };
1158 diff -urNp linux-2.6.39.3/arch/arm/mach-tegra/pcie.c linux-2.6.39.3/arch/arm/mach-tegra/pcie.c
1159 --- linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400
1160 +++ linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400
1161 @@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct
1162 return PCIBIOS_SUCCESSFUL;
1163 }
1164
1165 -static struct pci_ops tegra_pcie_ops = {
1166 +static const struct pci_ops tegra_pcie_ops = {
1167 .read = tegra_pcie_read_conf,
1168 .write = tegra_pcie_write_conf,
1169 };
1170 diff -urNp linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c
1171 --- linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400
1172 +++ linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400
1173 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
1174 return sprintf(buf, "0x%X\n", mbox_value);
1175 }
1176
1177 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1178 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1179
1180 static int mbox_show(struct seq_file *s, void *data)
1181 {
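Review bot: The fifo attribute stays readable by everyone (`S_IRUGO`) after the write bit is narrowed to the owner. Only the last line of mbox_read_fifo is visible here, so this is a question rather than a finding. If the read path removes an entry from the hardware FIFO, any local user could still drain the mailbox, and `S_IWUSR | S_IRUSR` would be the matching restriction. A short comment on the DEVICE_ATTR line stating who is expected to read and write the node would settle it.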
1182 diff -urNp linux-2.6.39.3/arch/arm/mach-versatile/pci.c linux-2.6.39.3/arch/arm/mach-versatile/pci.c
1183 --- linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400
1184 +++ linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400
1185 @@ -165,7 +165,7 @@ static int versatile_write_config(struct
1186 return PCIBIOS_SUCCESSFUL;
1187 }
1188
1189 -static struct pci_ops pci_versatile_ops = {
1190 +static const struct pci_ops pci_versatile_ops = {
1191 .read = versatile_read_config,
1192 .write = versatile_write_config,
1193 };
1194 diff -urNp linux-2.6.39.3/arch/arm/mm/fault.c linux-2.6.39.3/arch/arm/mm/fault.c
1195 --- linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1196 +++ linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1197 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
1198 }
1199 #endif
1200
1201 +#ifdef CONFIG_PAX_PAGEEXEC
1202 + if (fsr & FSR_LNX_PF) {
1203 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1204 + do_group_exit(SIGKILL);
1205 + }
1206 +#endif
1207 +
1208 tsk->thread.address = addr;
1209 tsk->thread.error_code = fsr;
1210 tsk->thread.trap_no = 14;
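Review bot: The block added to __do_user_fault kills the thread group on any fault with `FSR_LNX_PF` set whenever CONFIG_PAX_PAGEEXEC is built in, without testing the per-mm flag. The avr32 counterpart later in this patch wraps the same report-and-kill sequence in `if (mm->pax_flags & MF_PAX_PAGEEXEC)`, so a task with the feature disabled is treated differently on the two architectures. Unless ARM is meant to be stricter, the condition should read `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. __do_user_fault starts outside the hunk, so whether `tsk->mm` is the right handle at this point needs to be confirmed.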
1211 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
1212 }
1213 #endif /* CONFIG_MMU */
1214
1215 +#ifdef CONFIG_PAX_PAGEEXEC
1216 +void pax_report_insns(void *pc, void *sp)
1217 +{
1218 + long i;
1219 +
1220 + printk(KERN_ERR "PAX: bytes at PC: ");
1221 + for (i = 0; i < 20; i++) {
1222 + unsigned char c;
1223 + if (get_user(c, (__force unsigned char __user *)pc+i))
1224 + printk(KERN_CONT "?? ");
1225 + else
1226 + printk(KERN_CONT "%02x ", c);
1227 + }
1228 + printk("\n");
1229 +
1230 + printk(KERN_ERR "PAX: bytes at SP-4: ");
1231 + for (i = -1; i < 20; i++) {
1232 + unsigned long c;
1233 + if (get_user(c, (__force unsigned long __user *)sp+i))
1234 + printk(KERN_CONT "???????? ");
1235 + else
1236 + printk(KERN_CONT "%08lx ", c);
1237 + }
1238 + printk("\n");
1239 +}
1240 +#endif
1241 +
1242 /*
1243 * First Level Translation Fault Handler
1244 *
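Review bot: pax_report_insns is added without a header comment, and its loop bounds `20` and `-1` are bare literals. The `__force ... __user` casts and the get_user() calls show that `pc` and `sp` are user-mode addresses, which is the one thing a maintainer must not get wrong here. I would state it as `/* Log 20 bytes at the faulting user PC and 21 words starting one word below the user SP; every read goes through get_user() and unreadable slots print as '?'. */`. The two closing `printk("\n")` calls would also read more consistently as `printk(KERN_CONT "\n");`.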
1245 diff -urNp linux-2.6.39.3/arch/arm/mm/mmap.c linux-2.6.39.3/arch/arm/mm/mmap.c
1246 --- linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
1247 +++ linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
1248 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
1249 if (len > TASK_SIZE)
1250 return -ENOMEM;
1251
1252 +#ifdef CONFIG_PAX_RANDMMAP
1253 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1254 +#endif
1255 +
1256 if (addr) {
1257 if (do_align)
1258 addr = COLOUR_ALIGN(addr, pgoff);
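Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it governs the `if (addr) {` statement that follows the `#endif` and a blank line. That is easy to misread, and control flow changes silently if anyone inserts a statement between the two. At minimum, drop the blank line and add `/* guards the if (addr) block below: the address hint is skipped under RANDMMAP */`. Folding the flag test into the `if (addr)` condition under a single `#ifdef`/`#else` pair would be more robust. arch_get_unmapped_area starts and ends outside this hunk.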
1259 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
1260 addr = PAGE_ALIGN(addr);
1261
1262 vma = find_vma(mm, addr);
1263 - if (TASK_SIZE - len >= addr &&
1264 - (!vma || addr + len <= vma->vm_start))
1265 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1266 return addr;
1267 }
1268 if (len > mm->cached_hole_size) {
1269 - start_addr = addr = mm->free_area_cache;
1270 + start_addr = addr = mm->free_area_cache;
1271 } else {
1272 - start_addr = addr = TASK_UNMAPPED_BASE;
1273 - mm->cached_hole_size = 0;
1274 + start_addr = addr = mm->mmap_base;
1275 + mm->cached_hole_size = 0;
1276 }
1277 /* 8 bits of randomness in 20 address space bits */
1278 if ((current->flags & PF_RANDOMIZE) &&
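Review bot: `check_heap_stack_gap(vma, addr, len)` replaces `!vma || addr + len <= vma->vm_start`, so the helper must now accept a NULL `vma` itself. Its definition is not in this file section, so that contract should be confirmed and noted at the call, for example `/* check_heap_stack_gap() must treat vma == NULL as a fit */`. The same substitution is made in the next hunk of this file and in arch/frv/mm/elf-fdpic.c. Separately, the re-added lines `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` appear to differ from the removed ones only in whitespace, which adds noise to a security-relevant change.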
1279 @@ -100,14 +103,14 @@ full_search:
1280 * Start a new search - just in case we missed
1281 * some holes.
1282 */
1283 - if (start_addr != TASK_UNMAPPED_BASE) {
1284 - start_addr = addr = TASK_UNMAPPED_BASE;
1285 + if (start_addr != mm->mmap_base) {
1286 + start_addr = addr = mm->mmap_base;
1287 mm->cached_hole_size = 0;
1288 goto full_search;
1289 }
1290 return -ENOMEM;
1291 }
1292 - if (!vma || addr + len <= vma->vm_start) {
1293 + if (check_heap_stack_gap(vma, addr, len)) {
1294 /*
1295 * Remember the place where we stopped the search:
1296 */
1297 diff -urNp linux-2.6.39.3/arch/arm/plat-iop/pci.c linux-2.6.39.3/arch/arm/plat-iop/pci.c
1298 --- linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400
1299 +++ linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400
1300 @@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus,
1301 return PCIBIOS_SUCCESSFUL;
1302 }
1303
1304 -static struct pci_ops iop3xx_ops = {
1305 +static const struct pci_ops iop3xx_ops = {
1306 .read = iop3xx_read_config,
1307 .write = iop3xx_write_config,
1308 };
1309 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/elf.h linux-2.6.39.3/arch/avr32/include/asm/elf.h
1310 --- linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1311 +++ linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1312 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
1313 the loader. We need to make sure that it is out of the way of the program
1314 that it will "exec", and that there is sufficient room for the brk. */
1315
1316 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1317 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1318
1319 +#ifdef CONFIG_PAX_ASLR
1320 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1321 +
1322 +#define PAX_DELTA_MMAP_LEN 15
1323 +#define PAX_DELTA_STACK_LEN 15
1324 +#endif
1325
1326 /* This yields a mask that user programs can use to figure out what
1327 instruction set this CPU supports. This could be done in user space,
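Review bot: The rewrite of ELF_ET_DYN_BASE from `2 * TASK_SIZE / 3` to `TASK_SIZE / 3 * 2` changes the evaluation order without saying why. Presumably it avoids overflowing `2 * TASK_SIZE` in unsigned long arithmetic, at the cost of rounding down before the multiply. A comment such as `/* divide first: 2 * TASK_SIZE may not fit in unsigned long */` would keep someone from simplifying it back. The new PAX_ELF_ET_DYN_BASE and PAX_DELTA_*_LEN values are also bare constants, and a note on the unit of the two LEN macros (they look like bit counts) would help.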
1328 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h
1329 --- linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1330 +++ linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1331 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1332 D(11) KM_IRQ1,
1333 D(12) KM_SOFTIRQ0,
1334 D(13) KM_SOFTIRQ1,
1335 -D(14) KM_TYPE_NR
1336 +D(14) KM_CLEARPAGE,
1337 +D(15) KM_TYPE_NR
1338 };
1339
1340 #undef D
1341 diff -urNp linux-2.6.39.3/arch/avr32/mm/fault.c linux-2.6.39.3/arch/avr32/mm/fault.c
1342 --- linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1343 +++ linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1344 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1345
1346 int exception_trace = 1;
1347
1348 +#ifdef CONFIG_PAX_PAGEEXEC
1349 +void pax_report_insns(void *pc, void *sp)
1350 +{
1351 + unsigned long i;
1352 +
1353 + printk(KERN_ERR "PAX: bytes at PC: ");
1354 + for (i = 0; i < 20; i++) {
1355 + unsigned char c;
1356 + if (get_user(c, (unsigned char *)pc+i))
1357 + printk(KERN_CONT "???????? ");
1358 + else
1359 + printk(KERN_CONT "%02x ", c);
1360 + }
1361 + printk("\n");
1362 +}
1363 +#endif
1364 +
1365 /*
1366 * This routine handles page faults. It determines the address and the
1367 * problem, and then passes it off to one of the appropriate routines.
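Review bot: In the avr32 pax_report_insns the failure branch prints `"???????? "` for a single byte, while the success branch prints two hex digits with `%02x`. The ARM version of the same loop uses `"?? "`, so this looks copied from a word-sized dump and misaligns the output; it should be `printk(KERN_CONT "?? ");`. The pointer passed to get_user() is also cast as `(unsigned char *)pc+i`, without the `__force ... __user` annotation the ARM version carries. Writing it as `(__force unsigned char __user *)pc+i` keeps the two architectures consistent and keeps the address-space annotation visible to static checkers.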
1368 @@ -156,6 +173,16 @@ bad_area:
1369 up_read(&mm->mmap_sem);
1370
1371 if (user_mode(regs)) {
1372 +
1373 +#ifdef CONFIG_PAX_PAGEEXEC
1374 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1375 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1376 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1377 + do_group_exit(SIGKILL);
1378 + }
1379 + }
1380 +#endif
1381 +
1382 if (exception_trace && printk_ratelimit())
1383 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1384 "sp %08lx ecr %lu\n",
1385 diff -urNp linux-2.6.39.3/arch/blackfin/kernel/kgdb.c linux-2.6.39.3/arch/blackfin/kernel/kgdb.c
1386 --- linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1387 +++ linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1388 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
1389 return -1; /* this means that we do not want to exit from the handler */
1390 }
1391
1392 -struct kgdb_arch arch_kgdb_ops = {
1393 +const struct kgdb_arch arch_kgdb_ops = {
1394 .gdb_bpt_instr = {0xa1},
1395 .flags = KGDB_HW_BREAKPOINT,
1396 .set_hw_breakpoint = bfin_set_hw_break,
1397 diff -urNp linux-2.6.39.3/arch/blackfin/mm/maccess.c linux-2.6.39.3/arch/blackfin/mm/maccess.c
1398 --- linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
1399 +++ linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
1400 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
1401 return bfin_mem_access_type(addr, size);
1402 }
1403
1404 -long probe_kernel_read(void *dst, void *src, size_t size)
1405 +long probe_kernel_read(void *dst, const void *src, size_t size)
1406 {
1407 unsigned long lsrc = (unsigned long)src;
1408 int mem_type;
1409 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
1410 return -EFAULT;
1411 }
1412
1413 -long probe_kernel_write(void *dst, void *src, size_t size)
1414 +long probe_kernel_write(void *dst, const void *src, size_t size)
1415 {
1416 unsigned long ldst = (unsigned long)dst;
1417 int mem_type;
1418 diff -urNp linux-2.6.39.3/arch/frv/include/asm/kmap_types.h linux-2.6.39.3/arch/frv/include/asm/kmap_types.h
1419 --- linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1420 +++ linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1421 @@ -23,6 +23,7 @@ enum km_type {
1422 KM_IRQ1,
1423 KM_SOFTIRQ0,
1424 KM_SOFTIRQ1,
1425 + KM_CLEARPAGE,
1426 KM_TYPE_NR
1427 };
1428
1429 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h
1430 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400
1431 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400
1432 @@ -34,7 +34,7 @@ void pcibios_resource_survey(void);
1433
1434 extern int __nongpreldata pcibios_last_bus;
1435 extern struct pci_bus *__nongpreldata pci_root_bus;
1436 -extern struct pci_ops *__nongpreldata pci_root_ops;
1437 +extern const struct pci_ops *__nongpreldata pci_root_ops;
1438
1439 /* pci-irq.c */
1440 extern unsigned int pcibios_irq_mask;
1441 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c
1442 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400
1443 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400
1444 @@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe =
1445
1446 int __nongpreldata pcibios_last_bus = -1;
1447 struct pci_bus *__nongpreldata pci_root_bus;
1448 -struct pci_ops *__nongpreldata pci_root_ops;
1449 +const struct pci_ops *__nongpreldata pci_root_ops;
1450
1451 /*
1452 * The accessible PCI window does not cover the entire CPU address space, but
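Review bot: `const struct pci_ops *__nongpreldata pci_root_ops;` makes the pointed-to table read-only but leaves the global pointer itself writable, so the indirection through pci_root_ops is not covered by the constification. That may be unavoidable if the pointer is assigned during init, as the `dir` local in pcibios_init in a later hunk suggests. It still deserves a comment so nobody assumes the whole dispatch path is immutable, for example `/* pointee is const; the pointer itself is still writable */`. The same applies to the `extern` declaration in pci-frv.h.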
1453 @@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p
1454 return PCIBIOS_SUCCESSFUL;
1455 }
1456
1457 -static struct pci_ops pci_direct_frv = {
1458 +static const struct pci_ops pci_direct_frv = {
1459 pci_frv_read_config,
1460 pci_frv_write_config,
1461 };
1462 @@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci
1463
1464 int __init pcibios_init(void)
1465 {
1466 - struct pci_ops *dir = NULL;
1467 + const struct pci_ops *dir = NULL;
1468
1469 if (!mb93090_mb00_detected)
1470 return -ENXIO;
1471 diff -urNp linux-2.6.39.3/arch/frv/mm/elf-fdpic.c linux-2.6.39.3/arch/frv/mm/elf-fdpic.c
1472 --- linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400
1473 +++ linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400
1474 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1475 if (addr) {
1476 addr = PAGE_ALIGN(addr);
1477 vma = find_vma(current->mm, addr);
1478 - if (TASK_SIZE - len >= addr &&
1479 - (!vma || addr + len <= vma->vm_start))
1480 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1481 goto success;
1482 }
1483
1484 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1485 for (; vma; vma = vma->vm_next) {
1486 if (addr > limit)
1487 break;
1488 - if (addr + len <= vma->vm_start)
1489 + if (check_heap_stack_gap(vma, addr, len))
1490 goto success;
1491 addr = vma->vm_end;
1492 }
1493 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1494 for (; vma; vma = vma->vm_next) {
1495 if (addr > limit)
1496 break;
1497 - if (addr + len <= vma->vm_start)
1498 + if (check_heap_stack_gap(vma, addr, len))
1499 goto success;
1500 addr = vma->vm_end;
1501 }
1502 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c
1503 --- linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400
1504 +++ linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400
1505 @@ -17,7 +17,7 @@
1506 #include <linux/swiotlb.h>
1507 #include <asm/machvec.h>
1508
1509 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1510 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1511
1512 /* swiotlb declarations & definitions: */
1513 extern int swiotlb_late_init_with_default_size (size_t size);
1514 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1515 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1516 }
1517
1518 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1519 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1520 {
1521 if (use_swiotlb(dev))
1522 return &swiotlb_dma_ops;
1523 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c
1524 --- linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400
1525 +++ linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400
1526 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1527 },
1528 };
1529
1530 -extern struct dma_map_ops swiotlb_dma_ops;
1531 +extern const struct dma_map_ops swiotlb_dma_ops;
1532
1533 static int __init
1534 sba_init(void)
1535 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1536
1537 __setup("sbapagesize=",sba_page_override);
1538
1539 -struct dma_map_ops sba_dma_ops = {
1540 +const struct dma_map_ops sba_dma_ops = {
1541 .alloc_coherent = sba_alloc_coherent,
1542 .free_coherent = sba_free_coherent,
1543 .map_page = sba_map_page,
1544 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h
1545 --- linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1546 +++ linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1547 @@ -14,7 +14,7 @@
1548
1549 #define DMA_ERROR_CODE 0
1550
1551 -extern struct dma_map_ops *dma_ops;
1552 +extern const struct dma_map_ops *dma_ops;
1553 extern struct ia64_machine_vector ia64_mv;
1554 extern void set_iommu_machvec(void);
1555
1556 @@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d
1557 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1558 dma_addr_t *daddr, gfp_t gfp)
1559 {
1560 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1561 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1562 void *caddr;
1563
1564 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1565 @@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s
1566 static inline void dma_free_coherent(struct device *dev, size_t size,
1567 void *caddr, dma_addr_t daddr)
1568 {
1569 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1570 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1571 debug_dma_free_coherent(dev, size, caddr, daddr);
1572 ops->free_coherent(dev, size, caddr, daddr);
1573 }
1574 @@ -51,13 +51,13 @@ static inline void dma_free_coherent(str
1575
1576 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1577 {
1578 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1579 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1580 return ops->mapping_error(dev, daddr);
1581 }
1582
1583 static inline int dma_supported(struct device *dev, u64 mask)
1584 {
1585 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1586 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1587 return ops->dma_supported(dev, mask);
1588 }
1589
1590 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/elf.h linux-2.6.39.3/arch/ia64/include/asm/elf.h
1591 --- linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1592 +++ linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1593 @@ -42,6 +42,13 @@
1594 */
1595 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1596
1597 +#ifdef CONFIG_PAX_ASLR
1598 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1599 +
1600 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1601 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1602 +#endif
1603 +
1604 #define PT_IA_64_UNWIND 0x70000001
1605
1606 /* IA-64 relocations: */
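Review bot: The three PAX_* macros added here pick the 32-bit layout with `current->personality == PER_LINUX32`, an exact comparison that stops matching as soon as any personality flag bit is set on top of the base value, so such a task would silently get the 64-bit base and delta lengths. Comparing the masked value, `personality(current->personality) == PER_LINUX32`, avoids that. A one-line comment saying that the two DELTA values are counts of randomised bits would also help; that reading is inferred from the names and the `3*PAGE_SHIFT - 13` expression, not shown in this hunk.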
1607 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/machvec.h linux-2.6.39.3/arch/ia64/include/asm/machvec.h
1608 --- linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400
1609 +++ linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400
1610 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1611 /* DMA-mapping interface: */
1612 typedef void ia64_mv_dma_init (void);
1613 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1614 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1615 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1616
1617 /*
1618 * WARNING: The legacy I/O space is _architected_. Platforms are
1619 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1620 # endif /* CONFIG_IA64_GENERIC */
1621
1622 extern void swiotlb_dma_init(void);
1623 -extern struct dma_map_ops *dma_get_ops(struct device *);
1624 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1625
1626 /*
1627 * Define default versions so we can extend machvec for new platforms without having
1628 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/pgtable.h linux-2.6.39.3/arch/ia64/include/asm/pgtable.h
1629 --- linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
1630 +++ linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
1631 @@ -12,7 +12,7 @@
1632 * David Mosberger-Tang <davidm@hpl.hp.com>
1633 */
1634
1635 -
1636 +#include <linux/const.h>
1637 #include <asm/mman.h>
1638 #include <asm/page.h>
1639 #include <asm/processor.h>
1640 @@ -143,6 +143,17 @@
1641 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1642 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1643 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1644 +
1645 +#ifdef CONFIG_PAX_PAGEEXEC
1646 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1647 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1648 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1649 +#else
1650 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1651 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1652 +# define PAGE_COPY_NOEXEC PAGE_COPY
1653 +#endif
1654 +
1655 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1656 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1657 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
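Review bot: Under CONFIG_PAX_PAGEEXEC the new `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the same bits as the existing `PAGE_READONLY` and `PAGE_COPY` a few lines above (`_PAGE_AR_R`), so for those two names both branches of the `#ifdef` give the same result. If that is intentional because the plain variants already carry no execute right, a comment such as `/* AR_R and AR_RW already exclude execute; the _NOEXEC names exist for generic code */` should say so. `PAGE_SHARED` is not visible in this hunk, so whether the same holds for `PAGE_SHARED_NOEXEC` needs checking against its definition.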
1658 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/spinlock.h linux-2.6.39.3/arch/ia64/include/asm/spinlock.h
1659 --- linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
1660 +++ linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
1661 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1662 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1663
1664 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1665 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1666 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1667 }
1668
1669 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1670 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/uaccess.h linux-2.6.39.3/arch/ia64/include/asm/uaccess.h
1671 --- linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
1672 +++ linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
1673 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1674 const void *__cu_from = (from); \
1675 long __cu_len = (n); \
1676 \
1677 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1678 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1679 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1680 __cu_len; \
1681 })
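Review bot: When the new length test fails the macro still evaluates to `__cu_len`, so a negative `n` is handed back as a negative "bytes not copied" count and a zero `n` now skips `__access_ok()` entirely; callers that only test for non-zero are fine, but any that do arithmetic on the result are not. The same applies to the second hunk in this file, where the kernel destination buffer is additionally left untouched on rejection. A comment above each macro (their definitions start outside the hunks) should state the accepted range `1..INT_MAX` and what is returned for a rejected length. `INT_MAX` also has to be in scope wherever these macros expand, which cannot be confirmed from here.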
1682 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1683 long __cu_len = (n); \
1684 \
1685 __chk_user_ptr(__cu_from); \
1686 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1687 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1688 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1689 __cu_len; \
1690 })
1691 diff -urNp linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c
1692 --- linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400
1693 +++ linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400
1694 @@ -3,7 +3,7 @@
1695 /* Set this to 1 if there is a HW IOMMU in the system */
1696 int iommu_detected __read_mostly;
1697
1698 -struct dma_map_ops *dma_ops;
1699 +const struct dma_map_ops *dma_ops;
1700 EXPORT_SYMBOL(dma_ops);
1701
1702 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1703 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1704 }
1705 fs_initcall(dma_init);
1706
1707 -struct dma_map_ops *dma_get_ops(struct device *dev)
1708 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1709 {
1710 return dma_ops;
1711 }
1712 diff -urNp linux-2.6.39.3/arch/ia64/kernel/module.c linux-2.6.39.3/arch/ia64/kernel/module.c
1713 --- linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
1714 +++ linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
1715 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1716 void
1717 module_free (struct module *mod, void *module_region)
1718 {
1719 - if (mod && mod->arch.init_unw_table &&
1720 - module_region == mod->module_init) {
1721 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1722 unw_remove_unwind_table(mod->arch.init_unw_table);
1723 mod->arch.init_unw_table = NULL;
1724 }
1725 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1726 }
1727
1728 static inline int
1729 +in_init_rx (const struct module *mod, uint64_t addr)
1730 +{
1731 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1732 +}
1733 +
1734 +static inline int
1735 +in_init_rw (const struct module *mod, uint64_t addr)
1736 +{
1737 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1738 +}
1739 +
1740 +static inline int
1741 in_init (const struct module *mod, uint64_t addr)
1742 {
1743 - return addr - (uint64_t) mod->module_init < mod->init_size;
1744 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1745 +}
1746 +
1747 +static inline int
1748 +in_core_rx (const struct module *mod, uint64_t addr)
1749 +{
1750 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1751 +}
1752 +
1753 +static inline int
1754 +in_core_rw (const struct module *mod, uint64_t addr)
1755 +{
1756 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1757 }
1758
1759 static inline int
1760 in_core (const struct module *mod, uint64_t addr)
1761 {
1762 - return addr - (uint64_t) mod->module_core < mod->core_size;
1763 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1764 }
1765
1766 static inline int
1767 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1768 break;
1769
1770 case RV_BDREL:
1771 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1772 + if (in_init_rx(mod, val))
1773 + val -= (uint64_t) mod->module_init_rx;
1774 + else if (in_init_rw(mod, val))
1775 + val -= (uint64_t) mod->module_init_rw;
1776 + else if (in_core_rx(mod, val))
1777 + val -= (uint64_t) mod->module_core_rx;
1778 + else if (in_core_rw(mod, val))
1779 + val -= (uint64_t) mod->module_core_rw;
1780 break;
1781
1782 case RV_LTV:
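Review bot: The new RV_BDREL chain has no final `else`, so a `val` that lies in none of the four regions is left as an absolute address, whereas the removed line always subtracted either `module_init` or `module_core`. If that case cannot occur it deserves a comment; if it can, it should be rejected rather than silently producing a wrong relocation. How `do_reloc` reports errors is outside this hunk, so the exact failure path is left open, but a closing branch of the shape `else { printk(KERN_ERR "%s: BDREL value outside module\n", mod->name); return -ENOEXEC; }` is what I would expect.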
1783 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1784 * addresses have been selected...
1785 */
1786 uint64_t gp;
1787 - if (mod->core_size > MAX_LTOFF)
1788 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1789 /*
1790 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1791 * at the end of the module.
1792 */
1793 - gp = mod->core_size - MAX_LTOFF / 2;
1794 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1795 else
1796 - gp = mod->core_size / 2;
1797 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1798 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1799 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1800 mod->arch.gp = gp;
1801 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1802 }
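Review bot: `gp` is now an offset computed from `core_size_rx + core_size_rw` but added to `module_core_rx` alone, which is only meaningful if the RW region starts immediately after the RX region in the address space; nothing in this hunk establishes that. The retained comment about SHF_ARCH_SMALL being allocated "at the end of the module" should be updated to say which of the two regions that now means. The sum is also spelled out three times; a local such as `uint64_t core_size = mod->core_size_rx + mod->core_size_rw;` would keep the three uses in step. The enclosing function starts and ends outside the hunk.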
1803 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-dma.c linux-2.6.39.3/arch/ia64/kernel/pci-dma.c
1804 --- linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
1805 +++ linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
1806 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1807 .dma_mask = &fallback_dev.coherent_dma_mask,
1808 };
1809
1810 -extern struct dma_map_ops intel_dma_ops;
1811 +extern const struct dma_map_ops intel_dma_ops;
1812
1813 static int __init pci_iommu_init(void)
1814 {
1815 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c
1816 --- linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
1817 +++ linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
1818 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1819 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1820 }
1821
1822 -struct dma_map_ops swiotlb_dma_ops = {
1823 +const struct dma_map_ops swiotlb_dma_ops = {
1824 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1825 .free_coherent = swiotlb_free_coherent,
1826 .map_page = swiotlb_map_page,
1827 diff -urNp linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c
1828 --- linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400
1829 +++ linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400
1830 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1831 if (REGION_NUMBER(addr) == RGN_HPAGE)
1832 addr = 0;
1833 #endif
1834 +
1835 +#ifdef CONFIG_PAX_RANDMMAP
1836 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1837 + addr = mm->free_area_cache;
1838 + else
1839 +#endif
1840 +
1841 if (!addr)
1842 addr = mm->free_area_cache;
1843
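Review bot: The added `else` is the last token before `#endif`, so with CONFIG_PAX_RANDMMAP enabled it binds to the unchanged `if (!addr)` further down, across a blank line, which is easy to break when that statement is edited later. A comment on it, e.g. `else /* pairs with the if (!addr) below */`, or bracing both branches inside the `#ifdef`, would make the pairing explicit. It is also worth a comment that the caller's address hint is discarded when `MF_PAX_RANDMMAP` is set. arch_get_unmapped_area continues outside the hunk.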
1844 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1845 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1846 /* At this point: (!vma || addr < vma->vm_end). */
1847 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1848 - if (start_addr != TASK_UNMAPPED_BASE) {
1849 + if (start_addr != mm->mmap_base) {
1850 /* Start a new search --- just in case we missed some holes. */
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = mm->mmap_base;
1853 goto full_search;
1854 }
1855 return -ENOMEM;
1856 }
1857 - if (!vma || addr + len <= vma->vm_start) {
1858 + if (check_heap_stack_gap(vma, addr, len)) {
1859 /* Remember the address where we stopped this search: */
1860 mm->free_area_cache = addr + len;
1861 return addr;
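Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL-`vma` case into a helper that is not visible here; it has to return non-zero for a NULL `vma`, because the loop otherwise goes on to `vma = vma->vm_next`. The same substitution in arch/ia64/mm/hugetlbpage.c is followed directly by `vmm->vm_end`, so the same requirement holds there. A short comment at each call site, `/* also true when vma is NULL */`, would keep that contract from being lost. Both functions extend beyond their hunks.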
1862 diff -urNp linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S
1863 --- linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
1864 +++ linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
1865 @@ -199,7 +199,7 @@ SECTIONS {
1866 /* Per-cpu data: */
1867 . = ALIGN(PERCPU_PAGE_SIZE);
1868 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1869 - __phys_per_cpu_start = __per_cpu_load;
1870 + __phys_per_cpu_start = per_cpu_load;
1871 /*
1872 * ensure percpu data fits
1873 * into percpu page size
1874 diff -urNp linux-2.6.39.3/arch/ia64/mm/fault.c linux-2.6.39.3/arch/ia64/mm/fault.c
1875 --- linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1876 +++ linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1877 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1878 return pte_present(pte);
1879 }
1880
1881 +#ifdef CONFIG_PAX_PAGEEXEC
1882 +void pax_report_insns(void *pc, void *sp)
1883 +{
1884 + unsigned long i;
1885 +
1886 + printk(KERN_ERR "PAX: bytes at PC: ");
1887 + for (i = 0; i < 8; i++) {
1888 + unsigned int c;
1889 + if (get_user(c, (unsigned int *)pc+i))
1890 + printk(KERN_CONT "???????? ");
1891 + else
1892 + printk(KERN_CONT "%08x ", c);
1893 + }
1894 + printk("\n");
1895 +}
1896 +#endif
1897 +
1898 void __kprobes
1899 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1900 {
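Review bot: In `pax_report_insns` the user address is read through `(unsigned int *)pc+i` without a `__user` annotation, the closing `printk("\n")` has no `KERN_CONT`, and the `sp` parameter is never used. I would write the read as `get_user(c, (unsigned int __user *)pc + i)`, end the line with `printk(KERN_CONT "\n")`, and add a comment that `sp` is accepted only to match the reporting interface (presumably shared with other architectures; not shown here). A header comment saying that the function dumps eight 32-bit words starting at the faulting PC would complete it.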
1901 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1902 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1903 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1904
1905 - if ((vma->vm_flags & mask) != mask)
1906 + if ((vma->vm_flags & mask) != mask) {
1907 +
1908 +#ifdef CONFIG_PAX_PAGEEXEC
1909 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1910 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1911 + goto bad_area;
1912 +
1913 + up_read(&mm->mmap_sem);
1914 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1915 + do_group_exit(SIGKILL);
1916 + }
1917 +#endif
1918 +
1919 goto bad_area;
1920
1921 + }
1922 +
1923 /*
1924 * If for any reason at all we couldn't handle the fault, make
1925 * sure we exit gracefully rather than endlessly redo the
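Review bot: After `up_read(&mm->mmap_sem)` the new block depends on `do_group_exit(SIGKILL)` never returning; if it did, control would drop to `goto bad_area` with the semaphore already released. `bad_area` is outside the hunk, so whether it releases `mmap_sem` again cannot be checked from here, but a comment such as `/* do_group_exit() does not return */` after the call would record the assumption. The blank lines directly after the opening `{` and before the closing `}` could go.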
1926 diff -urNp linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c
1927 --- linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
1928 +++ linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
1929 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1930 /* At this point: (!vmm || addr < vmm->vm_end). */
1931 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1932 return -ENOMEM;
1933 - if (!vmm || (addr + len) <= vmm->vm_start)
1934 + if (check_heap_stack_gap(vmm, addr, len))
1935 return addr;
1936 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1937 }
1938 diff -urNp linux-2.6.39.3/arch/ia64/mm/init.c linux-2.6.39.3/arch/ia64/mm/init.c
1939 --- linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400
1940 +++ linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400
1941 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1942 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1943 vma->vm_end = vma->vm_start + PAGE_SIZE;
1944 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1945 +
1946 +#ifdef CONFIG_PAX_PAGEEXEC
1947 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1948 + vma->vm_flags &= ~VM_EXEC;
1949 +
1950 +#ifdef CONFIG_PAX_MPROTECT
1951 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1952 + vma->vm_flags &= ~VM_MAYEXEC;
1953 +#endif
1954 +
1955 + }
1956 +#endif
1957 +
1958 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1959 down_write(&current->mm->mmap_sem);
1960 if (insert_vm_struct(current->mm, vma)) {
1961 diff -urNp linux-2.6.39.3/arch/ia64/pci/pci.c linux-2.6.39.3/arch/ia64/pci/pci.c
1962 --- linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
1963 +++ linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400
1964 @@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus
1965 devfn, where, size, value);
1966 }
1967
1968 -struct pci_ops pci_root_ops = {
1969 +const struct pci_ops pci_root_ops = {
1970 .read = pci_read,
1971 .write = pci_write,
1972 };
1973 diff -urNp linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c
1974 --- linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400
1975 +++ linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400
1976 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1977 return ret;
1978 }
1979
1980 -static struct dma_map_ops sn_dma_ops = {
1981 +static const struct dma_map_ops sn_dma_ops = {
1982 .alloc_coherent = sn_dma_alloc_coherent,
1983 .free_coherent = sn_dma_free_coherent,
1984 .map_page = sn_dma_map_page,
1985 diff -urNp linux-2.6.39.3/arch/m32r/lib/usercopy.c linux-2.6.39.3/arch/m32r/lib/usercopy.c
1986 --- linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400
1987 +++ linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400
1988 @@ -14,6 +14,9 @@
1989 unsigned long
1990 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1991 {
1992 + if ((long)n < 0)
1993 + return n;
1994 +
1995 prefetch(from);
1996 if (access_ok(VERIFY_WRITE, to, n))
1997 __copy_user(to,from,n);
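Review bot: The `(long)n < 0` test added to `__generic_copy_to_user`, and again to `__generic_copy_from_user` in the next hunk, has no comment explaining that it rejects lengths with the top bit set, i.e. sizes that were most likely negative before conversion to `unsigned long`. I would add `/* a length with the sign bit set is a caller bug: refuse it and report everything as uncopied */` above each check. In the copy-from-user case the early return leaves `to` unwritten, which differs from the zeroing the normal path appears to do via `__copy_user_zeroing`, so that is worth stating as well. Both functions continue past their hunks.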
1998 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1999 unsigned long
2000 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
2001 {
2002 + if ((long)n < 0)
2003 + return n;
2004 +
2005 prefetchw(to);
2006 if (access_ok(VERIFY_READ, from, n))
2007 __copy_user_zeroing(to,from,n);
2008 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/device.h linux-2.6.39.3/arch/microblaze/include/asm/device.h
2009 --- linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2010 +++ linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2011 @@ -13,7 +13,7 @@ struct device_node;
2012
2013 struct dev_archdata {
2014 /* DMA operations on that device */
2015 - struct dma_map_ops *dma_ops;
2016 + const struct dma_map_ops *dma_ops;
2017 void *dma_data;
2018 };
2019
2020 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h
2021 --- linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2022 +++ linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2023 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
2024 return 0xfffffffful;
2025 }
2026
2027 -extern struct dma_map_ops *dma_ops;
2028 +extern const struct dma_map_ops *dma_ops;
2029
2030 /*
2031 * Available generic sets of operations
2032 */
2033 -extern struct dma_map_ops dma_direct_ops;
2034 +extern const struct dma_map_ops dma_direct_ops;
2035
2036 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2037 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2038 {
2039 /* We don't handle the NULL dev case for ISA for now. We could
2040 * do it via an out of line call but it is not needed for now. The
2041 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
2042 return dev->archdata.dma_ops;
2043 }
2044
2045 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2046 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2047 {
2048 dev->archdata.dma_ops = ops;
2049 }
2050
2051 static inline int dma_supported(struct device *dev, u64 mask)
2052 {
2053 - struct dma_map_ops *ops = get_dma_ops(dev);
2054 + const struct dma_map_ops *ops = get_dma_ops(dev);
2055
2056 if (unlikely(!ops))
2057 return 0;
2058 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
2059
2060 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2061 {
2062 - struct dma_map_ops *ops = get_dma_ops(dev);
2063 + const struct dma_map_ops *ops = get_dma_ops(dev);
2064
2065 if (unlikely(ops == NULL))
2066 return -EIO;
2067 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
2068
2069 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2070 {
2071 - struct dma_map_ops *ops = get_dma_ops(dev);
2072 + const struct dma_map_ops *ops = get_dma_ops(dev);
2073 if (ops->mapping_error)
2074 return ops->mapping_error(dev, dma_addr);
2075
2076 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
2077 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2078 dma_addr_t *dma_handle, gfp_t flag)
2079 {
2080 - struct dma_map_ops *ops = get_dma_ops(dev);
2081 + const struct dma_map_ops *ops = get_dma_ops(dev);
2082 void *memory;
2083
2084 BUG_ON(!ops);
2085 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
2086 static inline void dma_free_coherent(struct device *dev, size_t size,
2087 void *cpu_addr, dma_addr_t dma_handle)
2088 {
2089 - struct dma_map_ops *ops = get_dma_ops(dev);
2090 + const struct dma_map_ops *ops = get_dma_ops(dev);
2091
2092 BUG_ON(!ops);
2093 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
2094 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/pci.h linux-2.6.39.3/arch/microblaze/include/asm/pci.h
2095 --- linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
2096 +++ linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
2097 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
2098 }
2099
2100 #ifdef CONFIG_PCI
2101 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2102 -extern struct dma_map_ops *get_pci_dma_ops(void);
2103 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2104 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2105 #else /* CONFIG_PCI */
2106 #define set_pci_dma_ops(d)
2107 #define get_pci_dma_ops() NULL
2108 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/dma.c linux-2.6.39.3/arch/microblaze/kernel/dma.c
2109 --- linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
2110 +++ linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
2111 @@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page
2112 __dma_sync_page(dma_address, 0 , size, direction);
2113 }
2114
2115 -struct dma_map_ops dma_direct_ops = {
2116 +const struct dma_map_ops dma_direct_ops = {
2117 .alloc_coherent = dma_direct_alloc_coherent,
2118 .free_coherent = dma_direct_free_coherent,
2119 .map_sg = dma_direct_map_sg,
2120 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/kgdb.c linux-2.6.39.3/arch/microblaze/kernel/kgdb.c
2121 --- linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2122 +++ linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2123 @@ -141,7 +141,7 @@ void kgdb_arch_exit(void)
2124 /*
2125 * Global data
2126 */
2127 -struct kgdb_arch arch_kgdb_ops = {
2128 +const struct kgdb_arch arch_kgdb_ops = {
2129 #ifdef __MICROBLAZEEL__
2130 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
2131 #else
2132 diff -urNp linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c
2133 --- linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
2134 +++ linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
2135 @@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu
2136 return PCIBIOS_SUCCESSFUL;
2137 }
2138
2139 -static struct pci_ops indirect_pci_ops = {
2140 +static const struct pci_ops indirect_pci_ops = {
2141 .read = indirect_read_config,
2142 .write = indirect_write_config,
2143 };
2144 diff -urNp linux-2.6.39.3/arch/microblaze/pci/pci-common.c linux-2.6.39.3/arch/microblaze/pci/pci-common.c
2145 --- linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400
2146 +++ linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400
2147 @@ -48,14 +48,14 @@ resource_size_t isa_mem_base;
2148 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
2149 unsigned int pci_flags;
2150
2151 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2152 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2153
2154 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2155 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2156 {
2157 pci_dma_ops = dma_ops;
2158 }
2159
2160 -struct dma_map_ops *get_pci_dma_ops(void)
2161 +const struct dma_map_ops *get_pci_dma_ops(void)
2162 {
2163 return pci_dma_ops;
2164 }
2165 @@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u
2166 return PCIBIOS_DEVICE_NOT_FOUND;
2167 }
2168
2169 -static struct pci_ops null_pci_ops = {
2170 +static const struct pci_ops null_pci_ops = {
2171 .read = null_read_config,
2172 .write = null_write_config,
2173 };
2174 diff -urNp linux-2.6.39.3/arch/mips/alchemy/common/pci.c linux-2.6.39.3/arch/mips/alchemy/common/pci.c
2175 --- linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2176 +++ linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2177 @@ -51,7 +51,7 @@ static struct resource pci_mem_resource
2178 .flags = IORESOURCE_MEM
2179 };
2180
2181 -extern struct pci_ops au1x_pci_ops;
2182 +extern const struct pci_ops au1x_pci_ops;
2183
2184 static struct pci_controller au1x_controller = {
2185 .pci_ops = &au1x_pci_ops,
2186 diff -urNp linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c
2187 --- linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400
2188 +++ linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400
2189 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
2190 }
2191
2192 struct octeon_dma_map_ops {
2193 - struct dma_map_ops dma_map_ops;
2194 + const struct dma_map_ops dma_map_ops;
2195 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
2196 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
2197 };
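Review bot: Marking the embedded `dma_map_ops` member `const` does not make the containing objects read-only: the header of the next hunk shows an instance declared `static struct octeon_dma_map_ops`, so the object as a whole, including the `phys_to_dma` and `dma_to_phys` pointers, stays in writable data. If nothing writes those instances after initialisation (not visible here), declaring them `static const struct octeon_dma_map_ops` would give the read-only placement the rest of this patch appears to be after. A const member also forbids whole-struct assignment, which is worth a comment on the struct.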
2198 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
2199 },
2200 };
2201
2202 -struct dma_map_ops *octeon_pci_dma_map_ops;
2203 +const struct dma_map_ops *octeon_pci_dma_map_ops;
2204
2205 void __init octeon_pci_dma_init(void)
2206 {
2207 diff -urNp linux-2.6.39.3/arch/mips/cobalt/pci.c linux-2.6.39.3/arch/mips/cobalt/pci.c
2208 --- linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400
2209 +++ linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400
2210 @@ -14,7 +14,7 @@
2211
2212 #include <asm/gt64120.h>
2213
2214 -extern struct pci_ops gt64xxx_pci0_ops;
2215 +extern const struct pci_ops gt64xxx_pci0_ops;
2216
2217 static struct resource cobalt_mem_resource = {
2218 .start = GT_DEF_PCI0_MEM0_BASE,
2219 diff -urNp linux-2.6.39.3/arch/mips/include/asm/device.h linux-2.6.39.3/arch/mips/include/asm/device.h
2220 --- linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2221 +++ linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2222 @@ -10,7 +10,7 @@ struct dma_map_ops;
2223
2224 struct dev_archdata {
2225 /* DMA operations on that device */
2226 - struct dma_map_ops *dma_ops;
2227 + const struct dma_map_ops *dma_ops;
2228 };
2229
2230 struct pdev_archdata {
2231 diff -urNp linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h
2232 --- linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2233 +++ linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2234 @@ -9,9 +9,9 @@
2235 #include <dma-coherence.h>
2236 #endif
2237
2238 -extern struct dma_map_ops *mips_dma_map_ops;
2239 +extern const struct dma_map_ops *mips_dma_map_ops;
2240
2241 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2242 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2243 {
2244 if (dev && dev->archdata.dma_ops)
2245 return dev->archdata.dma_ops;
2246 @@ -33,13 +33,13 @@ static inline void dma_mark_clean(void *
2247
2248 static inline int dma_supported(struct device *dev, u64 mask)
2249 {
2250 - struct dma_map_ops *ops = get_dma_ops(dev);
2251 + const struct dma_map_ops *ops = get_dma_ops(dev);
2252 return ops->dma_supported(dev, mask);
2253 }
2254
2255 static inline int dma_mapping_error(struct device *dev, u64 mask)
2256 {
2257 - struct dma_map_ops *ops = get_dma_ops(dev);
2258 + const struct dma_map_ops *ops = get_dma_ops(dev);
2259 return ops->mapping_error(dev, mask);
2260 }
2261
2262 @@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s
2263 dma_addr_t *dma_handle, gfp_t gfp)
2264 {
2265 void *ret;
2266 - struct dma_map_ops *ops = get_dma_ops(dev);
2267 + const struct dma_map_ops *ops = get_dma_ops(dev);
2268
2269 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
2270
2271 @@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s
2272 static inline void dma_free_coherent(struct device *dev, size_t size,
2273 void *vaddr, dma_addr_t dma_handle)
2274 {
2275 - struct dma_map_ops *ops = get_dma_ops(dev);
2276 + const struct dma_map_ops *ops = get_dma_ops(dev);
2277
2278 ops->free_coherent(dev, size, vaddr, dma_handle);
2279
2280 diff -urNp linux-2.6.39.3/arch/mips/include/asm/elf.h linux-2.6.39.3/arch/mips/include/asm/elf.h
2281 --- linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2282 +++ linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2283 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
2284 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2285 #endif
2286
2287 +#ifdef CONFIG_PAX_ASLR
2288 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2289 +
2290 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2291 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2292 +#endif
2293 +
2294 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2295 struct linux_binprm;
2296 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
2297 int uses_interp);
2298
2299 -struct mm_struct;
2300 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2301 -#define arch_randomize_brk arch_randomize_brk
2302 -
2303 #endif /* _ASM_ELF_H */
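Review bot: `PAX_ELF_ET_DYN_BASE` is a conditional whose two arms are the same constant, `(TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)`, so the test does nothing. Either write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if a different base was intended for 64-bit tasks, correct the second arm. The hunk also drops the `arch_randomize_brk` declaration and macro; if the mips definition of that function remains elsewhere in the tree it is left without a prototype, which this hunk does not show.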
2304 diff -urNp linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
2305 --- linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400
2306 +++ linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400
2307 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
2308 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
2309
2310 struct dma_map_ops;
2311 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
2312 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
2313 extern char *octeon_swiotlb;
2314
2315 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
2316 diff -urNp linux-2.6.39.3/arch/mips/include/asm/page.h linux-2.6.39.3/arch/mips/include/asm/page.h
2317 --- linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
2318 +++ linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
2319 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2320 #ifdef CONFIG_CPU_MIPS32
2321 typedef struct { unsigned long pte_low, pte_high; } pte_t;
2322 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2323 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2324 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2325 #else
2326 typedef struct { unsigned long long pte; } pte_t;
2327 #define pte_val(x) ((x).pte)
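Review bot: The new `__pte(x)` evaluates `(x) >> 32` in whatever type the caller passes, so a 32-bit argument (for example an `unsigned long` under CONFIG_CPU_MIPS32) gives a shift count equal to the type width, which is undefined behaviour in C. The removed cast widened `x` before shifting. If the aim is to make narrow callers visible, a guard such as `BUILD_BUG_ON(sizeof(x) < sizeof(unsigned long long));` inside the statement expression would reject them at build time; otherwise restore `((unsigned long long)(x)) >> 32`. The callers of `__pte` are outside this hunk, so whether any of them passes a narrow value cannot be confirmed from here.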
2328 diff -urNp linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h
2329 --- linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400
2330 +++ linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400
2331 @@ -849,6 +849,6 @@ struct bridge_controller {
2332 extern void register_bridge_irq(unsigned int irq);
2333 extern int request_bridge_irq(struct bridge_controller *bc);
2334
2335 -extern struct pci_ops bridge_pci_ops;
2336 +extern const struct pci_ops bridge_pci_ops;
2337
2338 #endif /* _ASM_PCI_BRIDGE_H */
2339 diff -urNp linux-2.6.39.3/arch/mips/include/asm/system.h linux-2.6.39.3/arch/mips/include/asm/system.h
2340 --- linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
2341 +++ linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
2342 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2343 */
2344 #define __ARCH_WANT_UNLOCKED_CTXSW
2345
2346 -extern unsigned long arch_align_stack(unsigned long sp);
2347 +#define arch_align_stack(x) ((x) & ~0xfUL)
2348
2349 #endif /* _ASM_SYSTEM_H */
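Review bot: `arch_align_stack` becomes a pure mask here, so the sub-page offset that the removed function in arch/mips/kernel/process.c applied (`get_random_int() & ~PAGE_MASK` when `randomize_va_space` is set) disappears for every configuration, not only when CONFIG_PAX_ASLR is enabled. If stack randomization is meant to come from `PAX_DELTA_STACK_LEN` instead, a build without that option presumably ends up with less stack entropy than the unpatched kernel. Guarding the macro with the config option, or a comment stating the dependency, would make that explicit. The fixed `~0xfUL` also replaces `ALMASK`; a comment such as `/* 16-byte alignment covers both the 32-bit (8) and 64-bit (16) ABI */` would record why. The same question applies to `arch_randomize_brk`, removed in the elf.h and syscall.c hunks.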
2350 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c
2351 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400
2352 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400
2353 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2354 #undef ELF_ET_DYN_BASE
2355 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2356
2357 +#ifdef CONFIG_PAX_ASLR
2358 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2359 +
2360 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2361 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2362 +#endif
2363 +
2364 #include <asm/processor.h>
2365 #include <linux/module.h>
2366 #include <linux/elfcore.h>
2367 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c
2368 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400
2369 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400
2370 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2371 #undef ELF_ET_DYN_BASE
2372 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2373
2374 +#ifdef CONFIG_PAX_ASLR
2375 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2376 +
2377 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2378 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2379 +#endif
2380 +
2381 #include <asm/processor.h>
2382
2383 /*
2384 diff -urNp linux-2.6.39.3/arch/mips/kernel/kgdb.c linux-2.6.39.3/arch/mips/kernel/kgdb.c
2385 --- linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2386 +++ linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2387 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
2388 return -1;
2389 }
2390
2391 -struct kgdb_arch arch_kgdb_ops;
2392 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
2393
2394 /*
2395 * We use kgdb_early_setup so that functions we need to call now don't
2396 diff -urNp linux-2.6.39.3/arch/mips/kernel/process.c linux-2.6.39.3/arch/mips/kernel/process.c
2397 --- linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
2398 +++ linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
2399 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
2400 out:
2401 return pc;
2402 }
2403 -
2404 -/*
2405 - * Don't forget that the stack pointer must be aligned on a 8 bytes
2406 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2407 - */
2408 -unsigned long arch_align_stack(unsigned long sp)
2409 -{
2410 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2411 - sp -= get_random_int() & ~PAGE_MASK;
2412 -
2413 - return sp & ALMASK;
2414 -}
2415 diff -urNp linux-2.6.39.3/arch/mips/kernel/syscall.c linux-2.6.39.3/arch/mips/kernel/syscall.c
2416 --- linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400
2417 +++ linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400
2418 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
2419 do_color_align = 0;
2420 if (filp || (flags & MAP_SHARED))
2421 do_color_align = 1;
2422 +
2423 +#ifdef CONFIG_PAX_RANDMMAP
2424 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2425 +#endif
2426 +
2427 if (addr) {
2428 if (do_color_align)
2429 addr = COLOUR_ALIGN(addr, pgoff);
2430 else
2431 addr = PAGE_ALIGN(addr);
2432 vmm = find_vma(current->mm, addr);
2433 - if (task_size - len >= addr &&
2434 - (!vmm || addr + len <= vmm->vm_start))
2435 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2436 return addr;
2437 }
2438 addr = current->mm->mmap_base;
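Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and governs the `if (addr) {` block further down, across the `#endif` and a blank line. A statement inserted between them would silently change what the guard covers, and only in PaX builds. A comment on the guard, e.g. `/* RANDMMAP: ignore the caller's address hint so the mapping stays randomized */`, and dropping the blank line after `#endif` would make the coupling visible. `check_heap_stack_gap()` is defined outside this hunk and is assumed to return true for a NULL `vmm`, as the old `!vmm ||` test did. The next hunk in this file depends on that, because `addr = vmm->vm_end` follows directly after the call; `arch_get_unmapped_area` itself starts and ends outside the hunk.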
2439 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
2440 /* At this point: (!vmm || addr < vmm->vm_end). */
2441 if (task_size - len < addr)
2442 return -ENOMEM;
2443 - if (!vmm || addr + len <= vmm->vm_start)
2444 + if (check_heap_stack_gap(vmm, addr, len))
2445 return addr;
2446 addr = vmm->vm_end;
2447 if (do_color_align)
2448 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
2449 mm->unmap_area = arch_unmap_area;
2450 }
2451
2452 -static inline unsigned long brk_rnd(void)
2453 -{
2454 - unsigned long rnd = get_random_int();
2455 -
2456 - rnd = rnd << PAGE_SHIFT;
2457 - /* 8MB for 32bit, 256MB for 64bit */
2458 - if (TASK_IS_32BIT_ADDR)
2459 - rnd = rnd & 0x7ffffful;
2460 - else
2461 - rnd = rnd & 0xffffffful;
2462 -
2463 - return rnd;
2464 -}
2465 -
2466 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2467 -{
2468 - unsigned long base = mm->brk;
2469 - unsigned long ret;
2470 -
2471 - ret = PAGE_ALIGN(base + brk_rnd());
2472 -
2473 - if (ret < mm->brk)
2474 - return mm->brk;
2475 -
2476 - return ret;
2477 -}
2478 -
2479 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
2480 unsigned long, prot, unsigned long, flags, unsigned long,
2481 fd, off_t, offset)
2482 diff -urNp linux-2.6.39.3/arch/mips/mm/dma-default.c linux-2.6.39.3/arch/mips/mm/dma-default.c
2483 --- linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400
2484 +++ linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400
2485 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
2486
2487 EXPORT_SYMBOL(dma_cache_sync);
2488
2489 -static struct dma_map_ops mips_default_dma_map_ops = {
2490 +static const struct dma_map_ops mips_default_dma_map_ops = {
2491 .alloc_coherent = mips_dma_alloc_coherent,
2492 .free_coherent = mips_dma_free_coherent,
2493 .map_page = mips_dma_map_page,
2494 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
2495 .dma_supported = mips_dma_supported
2496 };
2497
2498 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2499 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2500 EXPORT_SYMBOL(mips_dma_map_ops);
2501
2502 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
2503 diff -urNp linux-2.6.39.3/arch/mips/mm/fault.c linux-2.6.39.3/arch/mips/mm/fault.c
2504 --- linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
2505 +++ linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
2506 @@ -28,6 +28,23 @@
2507 #include <asm/highmem.h> /* For VMALLOC_END */
2508 #include <linux/kdebug.h>
2509
2510 +#ifdef CONFIG_PAX_PAGEEXEC
2511 +void pax_report_insns(void *pc, void *sp)
2512 +{
2513 + unsigned long i;
2514 +
2515 + printk(KERN_ERR "PAX: bytes at PC: ");
2516 + for (i = 0; i < 5; i++) {
2517 + unsigned int c;
2518 + if (get_user(c, (unsigned int *)pc+i))
2519 + printk(KERN_CONT "???????? ");
2520 + else
2521 + printk(KERN_CONT "%08x ", c);
2522 + }
2523 + printk("\n");
2524 +}
2525 +#endif
2526 +
2527 /*
2528 * This routine handles page faults. It determines the address,
2529 * and the problem, and then passes it off to one of the appropriate
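Review bot: The closing `printk("\n")` in `pax_report_insns` carries no log level, unlike the `KERN_CONT` fragments before it, so it can be logged as a separate default-level message instead of ending the "PAX: bytes at PC:" line. `printk(KERN_CONT "\n");` keeps the record together for anyone parsing these reports. The pointer handed to `get_user` is cast to plain `unsigned int *`; `(unsigned int __user *)pc + i` states that it is a user address and lets sparse check it. The `sp` parameter is unused in this body, and the function would benefit from a short comment saying that it prints five instruction words read from the faulting user PC and prints `????????` for any word that cannot be read.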
2530 diff -urNp linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c
2531 --- linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400
2532 +++ linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400
2533 @@ -64,9 +64,9 @@ static struct resource msc_io_resource =
2534 .flags = IORESOURCE_IO,
2535 };
2536
2537 -extern struct pci_ops bonito64_pci_ops;
2538 -extern struct pci_ops gt64xxx_pci0_ops;
2539 -extern struct pci_ops msc_pci_ops;
2540 +extern const struct pci_ops bonito64_pci_ops;
2541 +extern const struct pci_ops gt64xxx_pci0_ops;
2542 +extern const struct pci_ops msc_pci_ops;
2543
2544 static struct pci_controller bonito64_controller = {
2545 .pci_ops = &bonito64_pci_ops,
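Review bot: `bonito64_pci_ops` is now declared `const`, but `.pci_ops = &bonito64_pci_ops` just below stores its address in `struct pci_controller`, whose declaration is not part of this hunk. Unless that member is also `const struct pci_ops *`, the initializer discards the qualifier, and code reached through the non-const pointer could still attempt a write to what is now read-only data. The same applies to the controllers initialised in the pnx8550, emma2rh and sni hunks. These `extern` declarations are also repeated per .c file rather than taken from a shared header, so the compiler cannot check them against the definitions in arch/mips/pci/ops-*.c.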
2546 diff -urNp linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c
2547 --- linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2548 +++ linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2549 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2550 .flags = IORESOURCE_MEM
2551 };
2552
2553 -extern struct pci_ops pnx8550_pci_ops;
2554 +extern const struct pci_ops pnx8550_pci_ops;
2555
2556 static struct pci_controller pnx8550_controller = {
2557 .pci_ops = &pnx8550_pci_ops,
2558 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-au1000.c linux-2.6.39.3/arch/mips/pci/ops-au1000.c
2559 --- linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400
2560 +++ linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400
2561 @@ -302,7 +302,7 @@ static int config_write(struct pci_bus *
2562 }
2563 }
2564
2565 -struct pci_ops au1x_pci_ops = {
2566 +const struct pci_ops au1x_pci_ops = {
2567 config_read,
2568 config_write
2569 };
2570 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c
2571 --- linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400
2572 +++ linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400
2573 @@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_
2574 where, size, val);
2575 }
2576
2577 -struct pci_ops bcm63xx_pci_ops = {
2578 +const struct pci_ops bcm63xx_pci_ops = {
2579 .read = bcm63xx_pci_read,
2580 .write = bcm63xx_pci_write
2581 };
2582 @@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b
2583 return PCIBIOS_DEVICE_NOT_FOUND;
2584 }
2585
2586 -struct pci_ops bcm63xx_cb_ops = {
2587 +const struct pci_ops bcm63xx_cb_ops = {
2588 .read = bcm63xx_cb_read,
2589 .write = bcm63xx_cb_write,
2590 };
2591 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bonito64.c linux-2.6.39.3/arch/mips/pci/ops-bonito64.c
2592 --- linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400
2593 +++ linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400
2594 @@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct
2595 return PCIBIOS_SUCCESSFUL;
2596 }
2597
2598 -struct pci_ops bonito64_pci_ops = {
2599 +const struct pci_ops bonito64_pci_ops = {
2600 .read = bonito64_pcibios_read,
2601 .write = bonito64_pcibios_write
2602 };
2603 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bridge.c linux-2.6.39.3/arch/mips/pci/ops-bridge.c
2604 --- linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400
2605 +++ linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400
2606 @@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b
2607 return pci_conf0_write_config(bus, devfn, where, size, value);
2608 }
2609
2610 -struct pci_ops bridge_pci_ops = {
2611 +const struct pci_ops bridge_pci_ops = {
2612 .read = pci_read_config,
2613 .write = pci_write_config,
2614 };
2615 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c
2616 --- linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2617 +++ linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2618 @@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b
2619 return PCIBIOS_SUCCESSFUL;
2620 }
2621
2622 -struct pci_ops emma2rh_pci_ops = {
2623 +const struct pci_ops emma2rh_pci_ops = {
2624 .read = pci_config_read,
2625 .write = pci_config_write,
2626 };
2627 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c
2628 --- linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400
2629 +++ linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400
2630 @@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st
2631 return PCIBIOS_SUCCESSFUL;
2632 }
2633
2634 -struct pci_ops gt64xxx_pci0_ops = {
2635 +const struct pci_ops gt64xxx_pci0_ops = {
2636 .read = gt64xxx_pci0_pcibios_read,
2637 .write = gt64xxx_pci0_pcibios_write
2638 };
2639 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-loongson2.c linux-2.6.39.3/arch/mips/pci/ops-loongson2.c
2640 --- linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400
2641 +++ linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400
2642 @@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct
2643 return PCIBIOS_SUCCESSFUL;
2644 }
2645
2646 -struct pci_ops loongson_pci_ops = {
2647 +const struct pci_ops loongson_pci_ops = {
2648 .read = loongson_pcibios_read,
2649 .write = loongson_pcibios_write
2650 };
2651 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-mace.c linux-2.6.39.3/arch/mips/pci/ops-mace.c
2652 --- linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400
2653 +++ linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400
2654 @@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu
2655 return PCIBIOS_SUCCESSFUL;
2656 }
2657
2658 -struct pci_ops mace_pci_ops = {
2659 +const struct pci_ops mace_pci_ops = {
2660 .read = mace_pci_read_config,
2661 .write = mace_pci_write_config,
2662 };
2663 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-msc.c linux-2.6.39.3/arch/mips/pci/ops-msc.c
2664 --- linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400
2665 +++ linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400
2666 @@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_
2667 return PCIBIOS_SUCCESSFUL;
2668 }
2669
2670 -struct pci_ops msc_pci_ops = {
2671 +const struct pci_ops msc_pci_ops = {
2672 .read = msc_pcibios_read,
2673 .write = msc_pcibios_write
2674 };
2675 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-nile4.c linux-2.6.39.3/arch/mips/pci/ops-nile4.c
2676 --- linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400
2677 +++ linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400
2678 @@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc
2679 return PCIBIOS_SUCCESSFUL;
2680 }
2681
2682 -struct pci_ops nile4_pci_ops = {
2683 +const struct pci_ops nile4_pci_ops = {
2684 .read = nile4_pcibios_read,
2685 .write = nile4_pcibios_write,
2686 };
2687 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c
2688 --- linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
2689 +++ linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400
2690 @@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus
2691 * write - function for Linux to generate PCI Configuration writes.
2692 *
2693 ****************************************************************************/
2694 -struct pci_ops msp_pci_ops = {
2695 +const struct pci_ops msp_pci_ops = {
2696 .read = msp_pcibios_read_config,
2697 .write = msp_pcibios_write_config
2698 };
2699 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c
2700 --- linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400
2701 +++ linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400
2702 @@ -276,7 +276,7 @@ static int config_write(struct pci_bus *
2703 }
2704 }
2705
2706 -struct pci_ops pnx8550_pci_ops = {
2707 +const struct pci_ops pnx8550_pci_ops = {
2708 config_read,
2709 config_write
2710 };
2711 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-rc32434.c linux-2.6.39.3/arch/mips/pci/ops-rc32434.c
2712 --- linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2713 +++ linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2714 @@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b
2715 }
2716 }
2717
2718 -struct pci_ops rc32434_pci_ops = {
2719 +const struct pci_ops rc32434_pci_ops = {
2720 .read = pci_config_read,
2721 .write = pci_config_write,
2722 };
2723 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-sni.c linux-2.6.39.3/arch/mips/pci/ops-sni.c
2724 --- linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400
2725 +++ linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400
2726 @@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b
2727 return 0;
2728 }
2729
2730 -struct pci_ops sni_pcimt_ops = {
2731 +const struct pci_ops sni_pcimt_ops = {
2732 .read = pcimt_read,
2733 .write = pcimt_write,
2734 };
2735 @@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu
2736 }
2737
2738
2739 -struct pci_ops sni_pcit_ops = {
2740 +const struct pci_ops sni_pcit_ops = {
2741 .read = pcit_read,
2742 .write = pcit_write,
2743 };
2744 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan.c linux-2.6.39.3/arch/mips/pci/ops-titan.c
2745 --- linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400
2746 +++ linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400
2747 @@ -105,7 +105,7 @@ static int titan_write_config(struct pci
2748 /*
2749 * Titan PCI structure
2750 */
2751 -struct pci_ops titan_pci_ops = {
2752 +const struct pci_ops titan_pci_ops = {
2753 titan_read_config,
2754 titan_write_config,
2755 };
2756 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c
2757 --- linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400
2758 +++ linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400
2759 @@ -118,7 +118,7 @@ static int titan_ht_config_write(struct
2760 return PCIBIOS_SUCCESSFUL;
2761 }
2762
2763 -struct pci_ops titan_ht_pci_ops = {
2764 +const struct pci_ops titan_ht_pci_ops = {
2765 .read = titan_ht_config_read,
2766 .write = titan_ht_config_write,
2767 };
2768 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-tx3927.c linux-2.6.39.3/arch/mips/pci/ops-tx3927.c
2769 --- linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400
2770 +++ linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400
2771 @@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc
2772 return check_abort();
2773 }
2774
2775 -static struct pci_ops tx3927_pci_ops = {
2776 +static const struct pci_ops tx3927_pci_ops = {
2777 .read = tx3927_pci_read_config,
2778 .write = tx3927_pci_write_config,
2779 };
2780 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c
2781 --- linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2782 +++ linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2783 @@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b
2784 return PCIBIOS_SUCCESSFUL;
2785 }
2786
2787 -struct pci_ops vr41xx_pci_ops = {
2788 +const struct pci_ops vr41xx_pci_ops = {
2789 .read = pci_config_read,
2790 .write = pci_config_write,
2791 };
2792 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c
2793 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400
2794 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400
2795 @@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct
2796 return PCIBIOS_SUCCESSFUL;
2797 }
2798
2799 -struct pci_ops bcm1480_pci_ops = {
2800 +const struct pci_ops bcm1480_pci_ops = {
2801 bcm1480_pcibios_read,
2802 bcm1480_pcibios_write,
2803 };
2804 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c
2805 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400
2806 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400
2807 @@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v
2808 return 0;
2809 }
2810
2811 -struct pci_ops bcm1480ht_pci_ops = {
2812 +const struct pci_ops bcm1480ht_pci_ops = {
2813 .read = bcm1480ht_pcibios_read,
2814 .write = bcm1480ht_pcibios_write,
2815 };
2816 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h
2817 --- linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400
2818 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400
2819 @@ -16,8 +16,8 @@
2820 /*
2821 * defined in ops-bcm63xx.c
2822 */
2823 -extern struct pci_ops bcm63xx_pci_ops;
2824 -extern struct pci_ops bcm63xx_cb_ops;
2825 +extern const struct pci_ops bcm63xx_pci_ops;
2826 +extern const struct pci_ops bcm63xx_cb_ops;
2827
2828 /*
2829 * defined in pci-bcm63xx.c
2830 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c
2831 --- linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2832 +++ linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2833 @@ -43,7 +43,7 @@ static struct resource pci_mem_resource
2834 .flags = IORESOURCE_MEM,
2835 };
2836
2837 -extern struct pci_ops emma2rh_pci_ops;
2838 +extern const struct pci_ops emma2rh_pci_ops;
2839
2840 static struct pci_controller emma2rh_pci_controller = {
2841 .pci_ops = &emma2rh_pci_ops,
2842 diff -urNp linux-2.6.39.3/arch/mips/pci/pcie-octeon.c linux-2.6.39.3/arch/mips/pci/pcie-octeon.c
2843 --- linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400
2844 +++ linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400
2845 @@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str
2846 return octeon_pcie_write_config(1, bus, devfn, reg, size, val);
2847 }
2848
2849 -static struct pci_ops octeon_pcie0_ops = {
2850 +static const struct pci_ops octeon_pcie0_ops = {
2851 octeon_pcie0_read_config,
2852 octeon_pcie0_write_config,
2853 };
2854 @@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie
2855 .io_resource = &octeon_pcie0_io_resource,
2856 };
2857
2858 -static struct pci_ops octeon_pcie1_ops = {
2859 +static const struct pci_ops octeon_pcie1_ops = {
2860 octeon_pcie1_read_config,
2861 octeon_pcie1_write_config,
2862 };
2863 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip27.c linux-2.6.39.3/arch/mips/pci/pci-ip27.c
2864 --- linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400
2865 +++ linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400
2866 @@ -39,7 +39,7 @@ static struct bridge_controller bridges[
2867 struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2868 int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2869
2870 -extern struct pci_ops bridge_pci_ops;
2871 +extern const struct pci_ops bridge_pci_ops;
2872
2873 int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid)
2874 {
2875 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip32.c linux-2.6.39.3/arch/mips/pci/pci-ip32.c
2876 --- linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400
2877 +++ linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400
2878 @@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq
2879 }
2880
2881
2882 -extern struct pci_ops mace_pci_ops;
2883 +extern const struct pci_ops mace_pci_ops;
2884 #ifdef CONFIG_64BIT
2885 static struct resource mace_pci_mem_resource = {
2886 .name = "SGI O2 PCI MEM",
2887 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-lasat.c linux-2.6.39.3/arch/mips/pci/pci-lasat.c
2888 --- linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400
2889 +++ linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400
2890 @@ -14,8 +14,8 @@
2891
2892 #include <irq.h>
2893
2894 -extern struct pci_ops nile4_pci_ops;
2895 -extern struct pci_ops gt64xxx_pci0_ops;
2896 +extern const struct pci_ops nile4_pci_ops;
2897 +extern const struct pci_ops gt64xxx_pci0_ops;
2898 static struct resource lasat_pci_mem_resource = {
2899 .name = "LASAT PCI MEM",
2900 .start = 0x18000000,
2901 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-octeon.c linux-2.6.39.3/arch/mips/pci/pci-octeon.c
2902 --- linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400
2903 +++ linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400
2904 @@ -334,7 +334,7 @@ static int octeon_write_config(struct pc
2905 }
2906
2907
2908 -static struct pci_ops octeon_pci_ops = {
2909 +static const struct pci_ops octeon_pci_ops = {
2910 octeon_read_config,
2911 octeon_write_config,
2912 };
2913 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-rc32434.c linux-2.6.39.3/arch/mips/pci/pci-rc32434.c
2914 --- linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2915 +++ linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2916 @@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i
2917 .flags = IORESOURCE_IO,
2918 };
2919
2920 -extern struct pci_ops rc32434_pci_ops;
2921 +extern const struct pci_ops rc32434_pci_ops;
2922
2923 #define PCI_MEM1_START PCI_ADDR_START
2924 #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1)
2925 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-sb1250.c linux-2.6.39.3/arch/mips/pci/pci-sb1250.c
2926 --- linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400
2927 +++ linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400
2928 @@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p
2929 return PCIBIOS_SUCCESSFUL;
2930 }
2931
2932 -struct pci_ops sb1250_pci_ops = {
2933 +const struct pci_ops sb1250_pci_ops = {
2934 .read = sb1250_pcibios_read,
2935 .write = sb1250_pcibios_write,
2936 };
2937 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c
2938 --- linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2939 +++ linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2940 @@ -36,7 +36,7 @@
2941
2942 #include "pci-vr41xx.h"
2943
2944 -extern struct pci_ops vr41xx_pci_ops;
2945 +extern const struct pci_ops vr41xx_pci_ops;
2946
2947 static void __iomem *pciu_base;
2948
2949 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-yosemite.c linux-2.6.39.3/arch/mips/pci/pci-yosemite.c
2950 --- linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400
2951 +++ linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400
2952 @@ -11,7 +11,7 @@
2953 #include <linux/pci.h>
2954 #include <asm/titan_dep.h>
2955
2956 -extern struct pci_ops titan_pci_ops;
2957 +extern const struct pci_ops titan_pci_ops;
2958
2959 static struct resource py_mem_resource = {
2960 .start = 0xe0000000UL,
2961 diff -urNp linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c
2962 --- linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400
2963 +++ linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400
2964 @@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v
2965 return start;
2966 }
2967
2968 -struct pci_ops titan_pci_ops = {
2969 +const struct pci_ops titan_pci_ops = {
2970 titan_ht_config_read_byte,
2971 titan_ht_config_read_word,
2972 titan_ht_config_read_dword,
2973 diff -urNp linux-2.6.39.3/arch/mips/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/pnx8550/common/pci.c
2974 --- linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2975 +++ linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2976 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2977 .flags = IORESOURCE_MEM
2978 };
2979
2980 -extern struct pci_ops pnx8550_pci_ops;
2981 +extern const struct pci_ops pnx8550_pci_ops;
2982
2983 static struct pci_controller pnx8550_controller = {
2984 .pci_ops = &pnx8550_pci_ops,
2985 diff -urNp linux-2.6.39.3/arch/mips/sni/pcimt.c linux-2.6.39.3/arch/mips/sni/pcimt.c
2986 --- linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400
2987 +++ linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400
2988 @@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in
2989 request_resource(&sni_mem_resource, pcimt_mem_resources + i);
2990 }
2991
2992 -extern struct pci_ops sni_pcimt_ops;
2993 +extern const struct pci_ops sni_pcimt_ops;
2994
2995 static struct pci_controller sni_controller = {
2996 .pci_ops = &sni_pcimt_ops,
2997 diff -urNp linux-2.6.39.3/arch/mips/sni/pcit.c linux-2.6.39.3/arch/mips/sni/pcit.c
2998 --- linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400
2999 +++ linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400
3000 @@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini
3001 }
3002
3003
3004 -extern struct pci_ops sni_pcit_ops;
3005 +extern const struct pci_ops sni_pcit_ops;
3006
3007 static struct pci_controller sni_pcit_controller = {
3008 .pci_ops = &sni_pcit_ops,
3009 diff -urNp linux-2.6.39.3/arch/mips/wrppmc/pci.c linux-2.6.39.3/arch/mips/wrppmc/pci.c
3010 --- linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400
3011 +++ linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400
3012 @@ -14,7 +14,7 @@
3013
3014 #include <asm/gt64120.h>
3015
3016 -extern struct pci_ops gt64xxx_pci0_ops;
3017 +extern const struct pci_ops gt64xxx_pci0_ops;
3018
3019 static struct resource pci0_io_resource = {
3020 .name = "pci_0 io",
3021 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h
3022 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400
3023 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400
3024 @@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void
3025
3026 extern int pcibios_last_bus;
3027 extern struct pci_bus *pci_root_bus;
3028 -extern struct pci_ops *pci_root_ops;
3029 +extern const struct pci_ops *pci_root_ops;
3030
3031 extern struct irq_routing_table *pcibios_get_irq_routing_table(void);
3032 extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq);
3033 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c
3034 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400
3035 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400
3036 @@ -24,7 +24,7 @@ unsigned int pci_probe = 1;
3037
3038 int pcibios_last_bus = -1;
3039 struct pci_bus *pci_root_bus;
3040 -struct pci_ops *pci_root_ops;
3041 +const struct pci_ops *pci_root_ops;
3042
3043 /*
3044 * The accessible PCI window does not cover the entire CPU address space, but
3045 @@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct
3046 }
3047 }
3048
3049 -static struct pci_ops pci_direct_ampci = {
3050 +static const struct pci_ops pci_direct_ampci = {
3051 pci_ampci_read_config,
3052 pci_ampci_write_config,
3053 };
3054 @@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci =
3055 * This should be close to trivial, but it isn't, because there are buggy
3056 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
3057 */
3058 -static int __init pci_sanity_check(struct pci_ops *o)
3059 +static int __init pci_sanity_check(const struct pci_ops *o)
3060 {
3061 struct pci_bus bus; /* Fake bus and device */
3062 u32 x;
3063 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/elf.h linux-2.6.39.3/arch/parisc/include/asm/elf.h
3064 --- linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3065 +++ linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3066 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
3067
3068 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
3069
3070 +#ifdef CONFIG_PAX_ASLR
3071 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3072 +
3073 +#define PAX_DELTA_MMAP_LEN 16
3074 +#define PAX_DELTA_STACK_LEN 16
3075 +#endif
3076 +
3077 /* This yields a mask that user programs can use to figure out what
3078 instruction set this CPU supports. This could be done in user space,
3079 but it's not easy, and we've already done it here. */
3080 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/pgtable.h linux-2.6.39.3/arch/parisc/include/asm/pgtable.h
3081 --- linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3082 +++ linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3083 @@ -207,6 +207,17 @@ struct vm_area_struct;
3084 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
3085 #define PAGE_COPY PAGE_EXECREAD
3086 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
3087 +
3088 +#ifdef CONFIG_PAX_PAGEEXEC
3089 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
3090 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3091 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3092 +#else
3093 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3094 +# define PAGE_COPY_NOEXEC PAGE_COPY
3095 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3096 +#endif
3097 +
3098 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
3099 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
3100 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
3101 diff -urNp linux-2.6.39.3/arch/parisc/kernel/module.c linux-2.6.39.3/arch/parisc/kernel/module.c
3102 --- linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3103 +++ linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3104 @@ -96,16 +96,38 @@
3105
3106 /* three functions to determine where in the module core
3107 * or init pieces the location is */
3108 +static inline int in_init_rx(struct module *me, void *loc)
3109 +{
3110 + return (loc >= me->module_init_rx &&
3111 + loc < (me->module_init_rx + me->init_size_rx));
3112 +}
3113 +
3114 +static inline int in_init_rw(struct module *me, void *loc)
3115 +{
3116 + return (loc >= me->module_init_rw &&
3117 + loc < (me->module_init_rw + me->init_size_rw));
3118 +}
3119 +
3120 static inline int in_init(struct module *me, void *loc)
3121 {
3122 - return (loc >= me->module_init &&
3123 - loc <= (me->module_init + me->init_size));
3124 + return in_init_rx(me, loc) || in_init_rw(me, loc);
3125 +}
3126 +
3127 +static inline int in_core_rx(struct module *me, void *loc)
3128 +{
3129 + return (loc >= me->module_core_rx &&
3130 + loc < (me->module_core_rx + me->core_size_rx));
3131 +}
3132 +
3133 +static inline int in_core_rw(struct module *me, void *loc)
3134 +{
3135 + return (loc >= me->module_core_rw &&
3136 + loc < (me->module_core_rw + me->core_size_rw));
3137 }
3138
3139 static inline int in_core(struct module *me, void *loc)
3140 {
3141 - return (loc >= me->module_core &&
3142 - loc <= (me->module_core + me->core_size));
3143 + return in_core_rx(me, loc) || in_core_rw(me, loc);
3144 }
3145
3146 static inline int in_local(struct module *me, void *loc)
3147 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
3148 }
3149
3150 /* align things a bit */
3151 - me->core_size = ALIGN(me->core_size, 16);
3152 - me->arch.got_offset = me->core_size;
3153 - me->core_size += gots * sizeof(struct got_entry);
3154 -
3155 - me->core_size = ALIGN(me->core_size, 16);
3156 - me->arch.fdesc_offset = me->core_size;
3157 - me->core_size += fdescs * sizeof(Elf_Fdesc);
3158 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3159 + me->arch.got_offset = me->core_size_rw;
3160 + me->core_size_rw += gots * sizeof(struct got_entry);
3161 +
3162 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3163 + me->arch.fdesc_offset = me->core_size_rw;
3164 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
3165
3166 me->arch.got_max = gots;
3167 me->arch.fdesc_max = fdescs;
3168 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
3169
3170 BUG_ON(value == 0);
3171
3172 - got = me->module_core + me->arch.got_offset;
3173 + got = me->module_core_rw + me->arch.got_offset;
3174 for (i = 0; got[i].addr; i++)
3175 if (got[i].addr == value)
3176 goto out;
3177 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
3178 #ifdef CONFIG_64BIT
3179 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
3180 {
3181 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
3182 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
3183
3184 if (!value) {
3185 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
3186 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
3187
3188 /* Create new one */
3189 fdesc->addr = value;
3190 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3191 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3192 return (Elf_Addr)fdesc;
3193 }
3194 #endif /* CONFIG_64BIT */
3195 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
3196
3197 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
3198 end = table + sechdrs[me->arch.unwind_section].sh_size;
3199 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3200 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3201
3202 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
3203 me->arch.unwind_section, table, end, gp);
3204 diff -urNp linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c
3205 --- linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400
3206 +++ linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400
3207 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
3208 /* At this point: (!vma || addr < vma->vm_end). */
3209 if (TASK_SIZE - len < addr)
3210 return -ENOMEM;
3211 - if (!vma || addr + len <= vma->vm_start)
3212 + if (check_heap_stack_gap(vma, addr, len))
3213 return addr;
3214 addr = vma->vm_end;
3215 }
3216 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
3217 /* At this point: (!vma || addr < vma->vm_end). */
3218 if (TASK_SIZE - len < addr)
3219 return -ENOMEM;
3220 - if (!vma || addr + len <= vma->vm_start)
3221 + if (check_heap_stack_gap(vma, addr, len))
3222 return addr;
3223 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
3224 if (addr < vma->vm_end) /* handle wraparound */
3225 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
3226 if (flags & MAP_FIXED)
3227 return addr;
3228 if (!addr)
3229 - addr = TASK_UNMAPPED_BASE;
3230 + addr = current->mm->mmap_base;
3231
3232 if (filp) {
3233 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
3234 diff -urNp linux-2.6.39.3/arch/parisc/kernel/traps.c linux-2.6.39.3/arch/parisc/kernel/traps.c
3235 --- linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
3236 +++ linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
3237 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
3238
3239 down_read(&current->mm->mmap_sem);
3240 vma = find_vma(current->mm,regs->iaoq[0]);
3241 - if (vma && (regs->iaoq[0] >= vma->vm_start)
3242 - && (vma->vm_flags & VM_EXEC)) {
3243 -
3244 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
3245 fault_address = regs->iaoq[0];
3246 fault_space = regs->iasq[0];
3247
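Review bot: Dropping `(vma->vm_flags & VM_EXEC)` from the condition in handle_interruption is unconditional and uncommented, so a fault at `iaoq[0]` inside a non-executable vma now takes this branch on every build, not only with CONFIG_PAX_PAGEEXEC. Presumably the intent is to let such fetches reach the PaX handler added to arch/parisc/mm/fault.c, but the code that follows this branch is outside the hunk, so that cannot be confirmed here. A one-line comment would record the reason, e.g. `/* PaX: no VM_EXEC test here; non-exec fetches are judged in do_page_fault() */`, reworded if that is not the actual path.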
3248 diff -urNp linux-2.6.39.3/arch/parisc/mm/fault.c linux-2.6.39.3/arch/parisc/mm/fault.c
3249 --- linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
3250 +++ linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
3251 @@ -15,6 +15,7 @@
3252 #include <linux/sched.h>
3253 #include <linux/interrupt.h>
3254 #include <linux/module.h>
3255 +#include <linux/unistd.h>
3256
3257 #include <asm/uaccess.h>
3258 #include <asm/traps.h>
3259 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
3260 static unsigned long
3261 parisc_acctyp(unsigned long code, unsigned int inst)
3262 {
3263 - if (code == 6 || code == 16)
3264 + if (code == 6 || code == 7 || code == 16)
3265 return VM_EXEC;
3266
3267 switch (inst & 0xf0000000) {
3268 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
3269 }
3270 #endif
3271
3272 +#ifdef CONFIG_PAX_PAGEEXEC
3273 +/*
3274 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
3275 + *
3276 + * returns 1 when task should be killed
3277 + * 2 when rt_sigreturn trampoline was detected
3278 + * 3 when unpatched PLT trampoline was detected
3279 + */
3280 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3281 +{
3282 +
3283 +#ifdef CONFIG_PAX_EMUPLT
3284 + int err;
3285 +
3286 + do { /* PaX: unpatched PLT emulation */
3287 + unsigned int bl, depwi;
3288 +
3289 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
3290 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
3291 +
3292 + if (err)
3293 + break;
3294 +
3295 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
3296 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
3297 +
3298 + err = get_user(ldw, (unsigned int *)addr);
3299 + err |= get_user(bv, (unsigned int *)(addr+4));
3300 + err |= get_user(ldw2, (unsigned int *)(addr+8));
3301 +
3302 + if (err)
3303 + break;
3304 +
3305 + if (ldw == 0x0E801096U &&
3306 + bv == 0xEAC0C000U &&
3307 + ldw2 == 0x0E881095U)
3308 + {
3309 + unsigned int resolver, map;
3310 +
3311 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
3312 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
3313 + if (err)
3314 + break;
3315 +
3316 + regs->gr[20] = instruction_pointer(regs)+8;
3317 + regs->gr[21] = map;
3318 + regs->gr[22] = resolver;
3319 + regs->iaoq[0] = resolver | 3UL;
3320 + regs->iaoq[1] = regs->iaoq[0] + 4;
3321 + return 3;
3322 + }
3323 + }
3324 + } while (0);
3325 +#endif
3326 +
3327 +#ifdef CONFIG_PAX_EMUTRAMP
3328 +
3329 +#ifndef CONFIG_PAX_EMUSIGRT
3330 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3331 + return 1;
3332 +#endif
3333 +
3334 + do { /* PaX: rt_sigreturn emulation */
3335 + unsigned int ldi1, ldi2, bel, nop;
3336 +
3337 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
3338 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
3339 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
3340 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
3341 +
3342 + if (err)
3343 + break;
3344 +
3345 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
3346 + ldi2 == 0x3414015AU &&
3347 + bel == 0xE4008200U &&
3348 + nop == 0x08000240U)
3349 + {
3350 + regs->gr[25] = (ldi1 & 2) >> 1;
3351 + regs->gr[20] = __NR_rt_sigreturn;
3352 + regs->gr[31] = regs->iaoq[1] + 16;
3353 + regs->sr[0] = regs->iasq[1];
3354 + regs->iaoq[0] = 0x100UL;
3355 + regs->iaoq[1] = regs->iaoq[0] + 4;
3356 + regs->iasq[0] = regs->sr[2];
3357 + regs->iasq[1] = regs->sr[2];
3358 + return 2;
3359 + }
3360 + } while (0);
3361 +#endif
3362 +
3363 + return 1;
3364 +}
3365 +
3366 +void pax_report_insns(void *pc, void *sp)
3367 +{
3368 + unsigned long i;
3369 +
3370 + printk(KERN_ERR "PAX: bytes at PC: ");
3371 + for (i = 0; i < 5; i++) {
3372 + unsigned int c;
3373 + if (get_user(c, (unsigned int *)pc+i))
3374 + printk(KERN_CONT "???????? ");
3375 + else
3376 + printk(KERN_CONT "%08x ", c);
3377 + }
3378 + printk("\n");
3379 +}
3380 +#endif
3381 +
3382 int fixup_exception(struct pt_regs *regs)
3383 {
3384 const struct exception_table_entry *fix;
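Review bot: `int err;` in pax_handle_fetch_fault is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block, but the rt_sigreturn emulation under `#ifdef CONFIG_PAX_EMUTRAMP` also assigns and tests it. A configuration with EMUTRAMP set and EMUPLT unset would therefore fail to compile, unless Kconfig (not visible here) ties the two together. Moving the declaration above the first `#ifdef` as `int err __maybe_unused;` removes that dependency. In the PLT branch, `addr` is an `unsigned int` that is later cast to a pointer; `unsigned long addr = instruction_pointer(regs) - 12;` would avoid a possible truncation on 64-bit builds. The closing `printk("\n")` in pax_report_insns would match the preceding continuation lines better as `printk(KERN_CONT "\n")`.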
3385 @@ -192,8 +303,33 @@ good_area:
3386
3387 acc_type = parisc_acctyp(code,regs->iir);
3388
3389 - if ((vma->vm_flags & acc_type) != acc_type)
3390 + if ((vma->vm_flags & acc_type) != acc_type) {
3391 +
3392 +#ifdef CONFIG_PAX_PAGEEXEC
3393 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
3394 + (address & ~3UL) == instruction_pointer(regs))
3395 + {
3396 + up_read(&mm->mmap_sem);
3397 + switch (pax_handle_fetch_fault(regs)) {
3398 +
3399 +#ifdef CONFIG_PAX_EMUPLT
3400 + case 3:
3401 + return;
3402 +#endif
3403 +
3404 +#ifdef CONFIG_PAX_EMUTRAMP
3405 + case 2:
3406 + return;
3407 +#endif
3408 +
3409 + }
3410 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
3411 + do_group_exit(SIGKILL);
3412 + }
3413 +#endif
3414 +
3415 goto bad_area;
3416 + }
3417
3418 /*
3419 * If for any reason at all we couldn't handle the fault, make
3420 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/device.h linux-2.6.39.3/arch/powerpc/include/asm/device.h
3421 --- linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
3422 +++ linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
3423 @@ -17,7 +17,7 @@ struct device_node;
3424 */
3425 struct dev_archdata {
3426 /* DMA operations on that device */
3427 - struct dma_map_ops *dma_ops;
3428 + const struct dma_map_ops *dma_ops;
3429
3430 /*
3431 * When an iommu is in use, dma_data is used as a ptr to the base of the
3432 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h
3433 --- linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3434 +++ linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
3435 @@ -67,12 +67,13 @@ static inline unsigned long device_to_ma
3436 /*
3437 * Available generic sets of operations
3438 */
3439 +/* cannot be const */
3440 #ifdef CONFIG_PPC64
3441 -extern struct dma_map_ops dma_iommu_ops;
3442 +extern const struct dma_map_ops dma_iommu_ops;
3443 #endif
3444 -extern struct dma_map_ops dma_direct_ops;
3445 +extern const struct dma_map_ops dma_direct_ops;
3446
3447 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3448 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3449 {
3450 /* We don't handle the NULL dev case for ISA for now. We could
3451 * do it via an out of line call but it is not needed for now. The
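Review bot: The added comment `/* cannot be const */` sits directly above `dma_iommu_ops` and `dma_direct_ops`, which this same hunk changes to `extern const struct dma_map_ops`, so the comment contradicts the code it introduces. Either drop it or say which object it refers to and why. If it is meant for the per-device pointer that `set_dma_ops()` reassigns, something like `/* the ops tables are const; only dev->archdata.dma_ops is reassigned */` would be accurate for the lines visible here. The body of get_dma_ops continues outside this hunk.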
3452 @@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm
3453 return dev->archdata.dma_ops;
3454 }
3455
3456 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
3457 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
3458 {
3459 dev->archdata.dma_ops = ops;
3460 }
3461 @@ -119,7 +120,7 @@ static inline void set_dma_offset(struct
3462
3463 static inline int dma_supported(struct device *dev, u64 mask)
3464 {
3465 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3466 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3467
3468 if (unlikely(dma_ops == NULL))
3469 return 0;
3470 @@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d
3471 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3472 dma_addr_t *dma_handle, gfp_t flag)
3473 {
3474 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3475 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3476 void *cpu_addr;
3477
3478 BUG_ON(!dma_ops);
3479 @@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s
3480 static inline void dma_free_coherent(struct device *dev, size_t size,
3481 void *cpu_addr, dma_addr_t dma_handle)
3482 {
3483 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3484 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3485
3486 BUG_ON(!dma_ops);
3487
3488 @@ -159,7 +160,7 @@ static inline void dma_free_coherent(str
3489
3490 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3491 {
3492 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3493 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3494
3495 if (dma_ops->mapping_error)
3496 return dma_ops->mapping_error(dev, dma_addr);
3497 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/elf.h linux-2.6.39.3/arch/powerpc/include/asm/elf.h
3498 --- linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3499 +++ linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3500 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
3501 the loader. We need to make sure that it is out of the way of the program
3502 that it will "exec", and that there is sufficient room for the brk. */
3503
3504 -extern unsigned long randomize_et_dyn(unsigned long base);
3505 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
3506 +#define ELF_ET_DYN_BASE (0x20000000)
3507 +
3508 +#ifdef CONFIG_PAX_ASLR
3509 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
3510 +
3511 +#ifdef __powerpc64__
3512 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
3513 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
3514 +#else
3515 +#define PAX_DELTA_MMAP_LEN 15
3516 +#define PAX_DELTA_STACK_LEN 15
3517 +#endif
3518 +#endif
3519
3520 /*
3521 * Our registers are always unsigned longs, whether we're a 32 bit
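Review bot: With CONFIG_PAX_ASLR unset, this hunk leaves `ELF_ET_DYN_BASE` at the fixed value `(0x20000000)`, and the following hunk (`@@ -274,9 +285,6`) removes the `arch_randomize_brk` hook. A kernel built from this tree without PaX ASLR would then lose the stock ET_DYN base and brk randomization rather than fall back to it. Whether the rest of the patch also removes the definitions of `randomize_et_dyn` and `arch_randomize_brk` is not visible here. If the loss is intended, state it next to the define, e.g. `/* randomization is provided by PAX_ASLR only; no fallback when it is disabled */`; otherwise keep the two original declarations under an `#else` of the new `#ifdef CONFIG_PAX_ASLR`.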
3522 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
3523 (0x7ff >> (PAGE_SHIFT - 12)) : \
3524 (0x3ffff >> (PAGE_SHIFT - 12)))
3525
3526 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3527 -#define arch_randomize_brk arch_randomize_brk
3528 -
3529 #endif /* __KERNEL__ */
3530
3531 /*
3532 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/iommu.h linux-2.6.39.3/arch/powerpc/include/asm/iommu.h
3533 --- linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
3534 +++ linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
3535 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
3536 extern void iommu_init_early_dart(void);
3537 extern void iommu_init_early_pasemi(void);
3538
3539 +/* dma-iommu.c */
3540 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
3541 +
3542 #ifdef CONFIG_PCI
3543 extern void pci_iommu_init(void);
3544 extern void pci_direct_iommu_init(void);
3545 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h
3546 --- linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
3547 +++ linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
3548 @@ -27,6 +27,7 @@ enum km_type {
3549 KM_PPC_SYNC_PAGE,
3550 KM_PPC_SYNC_ICACHE,
3551 KM_KDB,
3552 + KM_CLEARPAGE,
3553 KM_TYPE_NR
3554 };
3555
3556 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page_64.h linux-2.6.39.3/arch/powerpc/include/asm/page_64.h
3557 --- linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400
3558 +++ linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400
3559 @@ -172,15 +172,18 @@ do { \
3560 * stack by default, so in the absence of a PT_GNU_STACK program header
3561 * we turn execute permission off.
3562 */
3563 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3564 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3565 +#define VM_STACK_DEFAULT_FLAGS32 \
3566 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3567 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3568
3569 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3570 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3571
3572 +#ifndef CONFIG_PAX_PAGEEXEC
3573 #define VM_STACK_DEFAULT_FLAGS \
3574 (is_32bit_task() ? \
3575 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
3576 +#endif
3577
3578 #include <asm-generic/getorder.h>
3579
3580 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page.h linux-2.6.39.3/arch/powerpc/include/asm/page.h
3581 --- linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
3582 +++ linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
3583 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
3584 * and needs to be executable. This means the whole heap ends
3585 * up being executable.
3586 */
3587 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3588 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3589 +#define VM_DATA_DEFAULT_FLAGS32 \
3590 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3591 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3592
3593 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3594 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3595 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
3596 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
3597 #endif
3598
3599 +#define ktla_ktva(addr) (addr)
3600 +#define ktva_ktla(addr) (addr)
3601 +
3602 #ifndef __ASSEMBLY__
3603
3604 #undef STRICT_MM_TYPECHECKS
3605 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pci.h linux-2.6.39.3/arch/powerpc/include/asm/pci.h
3606 --- linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
3607 +++ linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
3608 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
3609 }
3610
3611 #ifdef CONFIG_PCI
3612 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
3613 -extern struct dma_map_ops *get_pci_dma_ops(void);
3614 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
3615 +extern const struct dma_map_ops *get_pci_dma_ops(void);
3616 #else /* CONFIG_PCI */
3617 #define set_pci_dma_ops(d)
3618 #define get_pci_dma_ops() NULL
3619 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h
3620 --- linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3621 +++ linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3622 @@ -2,6 +2,7 @@
3623 #define _ASM_POWERPC_PGTABLE_H
3624 #ifdef __KERNEL__
3625
3626 +#include <linux/const.h>
3627 #ifndef __ASSEMBLY__
3628 #include <asm/processor.h> /* For TASK_SIZE */
3629 #include <asm/mmu.h>
3630 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h
3631 --- linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400
3632 +++ linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400
3633 @@ -21,6 +21,7 @@
3634 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
3635 #define _PAGE_USER 0x004 /* usermode access allowed */
3636 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
3637 +#define _PAGE_EXEC _PAGE_GUARDED
3638 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
3639 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
3640 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
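Review bot: `_PAGE_EXEC` is the only define in this group without a trailing comment, and it aliases `_PAGE_GUARDED`, documented one line above as "G: prohibit speculative access". From the name alone a reader cannot tell whether setting the bit permits or blocks instruction fetch. The `DSISR_GUARDED` "fetch from guarded storage" bit that this patch adds to reg.h hints at the latter. Add a comment that states the polarity and that the bit is shared with G, so later users of `_PAGE_EXEC` on hash32 do not assume the usual "set means executable" meaning.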
3641 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/reg.h linux-2.6.39.3/arch/powerpc/include/asm/reg.h
3642 --- linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400
3643 +++ linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400
3644 @@ -201,6 +201,7 @@
3645 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
3646 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
3647 #define DSISR_NOHPTE 0x40000000 /* no translation found */
3648 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
3649 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
3650 #define DSISR_ISSTORE 0x02000000 /* access was a store */
3651 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
3652 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h
3653 --- linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400
3654 +++ linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400
3655 @@ -13,7 +13,7 @@
3656
3657 #include <linux/swiotlb.h>
3658
3659 -extern struct dma_map_ops swiotlb_dma_ops;
3660 +extern const struct dma_map_ops swiotlb_dma_ops;
3661
3662 static inline void dma_mark_clean(void *addr, size_t size) {}
3663
3664 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/system.h linux-2.6.39.3/arch/powerpc/include/asm/system.h
3665 --- linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
3666 +++ linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
3667 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3668 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3669 #endif
3670
3671 -extern unsigned long arch_align_stack(unsigned long sp);
3672 +#define arch_align_stack(x) ((x) & ~0xfUL)
3673
3674 /* Used in very early kernel initialization. */
3675 extern unsigned long reloc_offset(void);
3676 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h
3677 --- linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
3678 +++ linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
3679 @@ -13,6 +13,8 @@
3680 #define VERIFY_READ 0
3681 #define VERIFY_WRITE 1
3682
3683 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3684 +
3685 /*
3686 * The fs value determines whether argument validity checking should be
3687 * performed or not. If get_fs() == USER_DS, checking is performed, with
3688 @@ -327,52 +329,6 @@ do { \
3689 extern unsigned long __copy_tofrom_user(void __user *to,
3690 const void __user *from, unsigned long size);
3691
3692 -#ifndef __powerpc64__
3693 -
3694 -static inline unsigned long copy_from_user(void *to,
3695 - const void __user *from, unsigned long n)
3696 -{
3697 - unsigned long over;
3698 -
3699 - if (access_ok(VERIFY_READ, from, n))
3700 - return __copy_tofrom_user((__force void __user *)to, from, n);
3701 - if ((unsigned long)from < TASK_SIZE) {
3702 - over = (unsigned long)from + n - TASK_SIZE;
3703 - return __copy_tofrom_user((__force void __user *)to, from,
3704 - n - over) + over;
3705 - }
3706 - return n;
3707 -}
3708 -
3709 -static inline unsigned long copy_to_user(void __user *to,
3710 - const void *from, unsigned long n)
3711 -{
3712 - unsigned long over;
3713 -
3714 - if (access_ok(VERIFY_WRITE, to, n))
3715 - return __copy_tofrom_user(to, (__force void __user *)from, n);
3716 - if ((unsigned long)to < TASK_SIZE) {
3717 - over = (unsigned long)to + n - TASK_SIZE;
3718 - return __copy_tofrom_user(to, (__force void __user *)from,
3719 - n - over) + over;
3720 - }
3721 - return n;
3722 -}
3723 -
3724 -#else /* __powerpc64__ */
3725 -
3726 -#define __copy_in_user(to, from, size) \
3727 - __copy_tofrom_user((to), (from), (size))
3728 -
3729 -extern unsigned long copy_from_user(void *to, const void __user *from,
3730 - unsigned long n);
3731 -extern unsigned long copy_to_user(void __user *to, const void *from,
3732 - unsigned long n);
3733 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
3734 - unsigned long n);
3735 -
3736 -#endif /* __powerpc64__ */
3737 -
3738 static inline unsigned long __copy_from_user_inatomic(void *to,
3739 const void __user *from, unsigned long n)
3740 {
3741 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3742 if (ret == 0)
3743 return 0;
3744 }
3745 +
3746 + if (!__builtin_constant_p(n))
3747 + check_object_size(to, n, false);
3748 +
3749 return __copy_tofrom_user((__force void __user *)to, from, n);
3750 }
3751
3752 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3753 if (ret == 0)
3754 return 0;
3755 }
3756 +
3757 + if (!__builtin_constant_p(n))
3758 + check_object_size(from, n, true);
3759 +
3760 return __copy_tofrom_user(to, (__force const void __user *)from, n);
3761 }
3762
3763 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3764 return __copy_to_user_inatomic(to, from, size);
3765 }
3766
3767 +#ifndef __powerpc64__
3768 +
3769 +static inline unsigned long __must_check copy_from_user(void *to,
3770 + const void __user *from, unsigned long n)
3771 +{
3772 + unsigned long over;
3773 +
3774 + if ((long)n < 0)
3775 + return n;
3776 +
3777 + if (access_ok(VERIFY_READ, from, n)) {
3778 + if (!__builtin_constant_p(n))
3779 + check_object_size(to, n, false);
3780 + return __copy_tofrom_user((__force void __user *)to, from, n);
3781 + }
3782 + if ((unsigned long)from < TASK_SIZE) {
3783 + over = (unsigned long)from + n - TASK_SIZE;
3784 + if (!__builtin_constant_p(n - over))
3785 + check_object_size(to, n - over, false);
3786 + return __copy_tofrom_user((__force void __user *)to, from,
3787 + n - over) + over;
3788 + }
3789 + return n;
3790 +}
3791 +
3792 +static inline unsigned long __must_check copy_to_user(void __user *to,
3793 + const void *from, unsigned long n)
3794 +{
3795 + unsigned long over;
3796 +
3797 + if ((long)n < 0)
3798 + return n;
3799 +
3800 + if (access_ok(VERIFY_WRITE, to, n)) {
3801 + if (!__builtin_constant_p(n))
3802 + check_object_size(from, n, true);
3803 + return __copy_tofrom_user(to, (__force void __user *)from, n);
3804 + }
3805 + if ((unsigned long)to < TASK_SIZE) {
3806 + over = (unsigned long)to + n - TASK_SIZE;
3807 + if (!__builtin_constant_p(n))
3808 + check_object_size(from, n - over, true);
3809 + return __copy_tofrom_user(to, (__force void __user *)from,
3810 + n - over) + over;
3811 + }
3812 + return n;
3813 +}
3814 +
3815 +#else /* __powerpc64__ */
3816 +
3817 +#define __copy_in_user(to, from, size) \
3818 + __copy_tofrom_user((to), (from), (size))
3819 +
3820 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3821 +{
3822 + if ((long)n < 0 || n > INT_MAX)
3823 + return n;
3824 +
3825 + if (!__builtin_constant_p(n))
3826 + check_object_size(to, n, false);
3827 +
3828 + if (likely(access_ok(VERIFY_READ, from, n)))
3829 + n = __copy_from_user(to, from, n);
3830 + else
3831 + memset(to, 0, n);
3832 + return n;
3833 +}
3834 +
3835 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3836 +{
3837 + if ((long)n < 0 || n > INT_MAX)
3838 + return n;
3839 +
3840 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
3841 + if (!__builtin_constant_p(n))
3842 + check_object_size(from, n, true);
3843 + n = __copy_to_user(to, from, n);
3844 + }
3845 + return n;
3846 +}
3847 +
3848 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
3849 + unsigned long n);
3850 +
3851 +#endif /* __powerpc64__ */
3852 +
3853 extern unsigned long __clear_user(void __user *addr, unsigned long size);
3854
3855 static inline unsigned long clear_user(void __user *addr, unsigned long size)
3856 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma.c linux-2.6.39.3/arch/powerpc/kernel/dma.c
3857 --- linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
3858 +++ linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
3859 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
3860 }
3861 #endif
3862
3863 -struct dma_map_ops dma_direct_ops = {
3864 +const struct dma_map_ops dma_direct_ops = {
3865 .alloc_coherent = dma_direct_alloc_coherent,
3866 .free_coherent = dma_direct_free_coherent,
3867 .map_sg = dma_direct_map_sg,
3868 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
3869
3870 int dma_set_mask(struct device *dev, u64 dma_mask)
3871 {
3872 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3873 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3874
3875 if (ppc_md.dma_set_mask)
3876 return ppc_md.dma_set_mask(dev, dma_mask);
3877 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c
3878 --- linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400
3879 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400
3880 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3881 }
3882
3883 /* We support DMA to/from any memory page via the iommu */
3884 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3885 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
3886 {
3887 struct iommu_table *tbl = get_iommu_table_base(dev);
3888
3889 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
3890 return 1;
3891 }
3892
3893 -struct dma_map_ops dma_iommu_ops = {
3894 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
3895 .alloc_coherent = dma_iommu_alloc_coherent,
3896 .free_coherent = dma_iommu_free_coherent,
3897 .map_sg = dma_iommu_map_sg,
3898 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c
3899 --- linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
3900 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
3901 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3902 * map_page, and unmap_page on highmem, use normal dma_ops
3903 * for everything else.
3904 */
3905 -struct dma_map_ops swiotlb_dma_ops = {
3906 +const struct dma_map_ops swiotlb_dma_ops = {
3907 .alloc_coherent = dma_direct_alloc_coherent,
3908 .free_coherent = dma_direct_free_coherent,
3909 .map_sg = swiotlb_map_sg_attrs,
3910 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S
3911 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400
3912 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400
3913 @@ -495,6 +495,7 @@ storage_fault_common:
3914 std r14,_DAR(r1)
3915 std r15,_DSISR(r1)
3916 addi r3,r1,STACK_FRAME_OVERHEAD
3917 + bl .save_nvgprs
3918 mr r4,r14
3919 mr r5,r15
3920 ld r14,PACA_EXGEN+EX_R14(r13)
3921 @@ -504,8 +505,7 @@ storage_fault_common:
3922 cmpdi r3,0
3923 bne- 1f
3924 b .ret_from_except_lite
3925 -1: bl .save_nvgprs
3926 - mr r5,r3
3927 +1: mr r5,r3
3928 addi r3,r1,STACK_FRAME_OVERHEAD
3929 ld r4,_DAR(r1)
3930 bl .bad_page_fault
3931 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S
3932 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400
3933 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400
3934 @@ -848,10 +848,10 @@ handle_page_fault:
3935 11: ld r4,_DAR(r1)
3936 ld r5,_DSISR(r1)
3937 addi r3,r1,STACK_FRAME_OVERHEAD
3938 + bl .save_nvgprs
3939 bl .do_page_fault
3940 cmpdi r3,0
3941 beq+ 13f
3942 - bl .save_nvgprs
3943 mr r5,r3
3944 addi r3,r1,STACK_FRAME_OVERHEAD
3945 lwz r4,_DAR(r1)
3946 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c
3947 --- linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400
3948 +++ linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400
3949 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
3950 return 1;
3951 }
3952
3953 -static struct dma_map_ops ibmebus_dma_ops = {
3954 +static const struct dma_map_ops ibmebus_dma_ops = {
3955 .alloc_coherent = ibmebus_alloc_coherent,
3956 .free_coherent = ibmebus_free_coherent,
3957 .map_sg = ibmebus_map_sg,
3958 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/kgdb.c linux-2.6.39.3/arch/powerpc/kernel/kgdb.c
3959 --- linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
3960 +++ linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
3961 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
3962 /*
3963 * Global data
3964 */
3965 -struct kgdb_arch arch_kgdb_ops = {
3966 +const struct kgdb_arch arch_kgdb_ops = {
3967 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3968 };
3969
3970 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module_32.c linux-2.6.39.3/arch/powerpc/kernel/module_32.c
3971 --- linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400
3972 +++ linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400
3973 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3974 me->arch.core_plt_section = i;
3975 }
3976 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3977 - printk("Module doesn't contain .plt or .init.plt sections.\n");
3978 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3979 return -ENOEXEC;
3980 }
3981
3982 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3983
3984 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3985 /* Init, or core PLT? */
3986 - if (location >= mod->module_core
3987 - && location < mod->module_core + mod->core_size)
3988 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3989 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3990 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3991 - else
3992 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3993 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3994 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3995 + else {
3996 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3997 + return ~0UL;
3998 + }
3999
4000 /* Find this entry, or if that fails, the next avail. entry */
4001 while (entry->jump[0]) {
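Review bot: The new `else` branch returns `~0UL` from do_plt_call(), whose return type in the hunk header is uint32_t, so the failure is signalled in-band as 0xffffffff and only helps if the caller tests for it. The caller is outside this hunk; if it uses the result directly as the branch target, the module is still relocated with a bogus address after the error is logged. A named sentinel plus an explicit check at the call site that fails the load with `-ENOEXEC` would make the rejection effective. The rx/rw range tests repeat the same comparison four times and could move into a small static helper.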
4002 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module.c linux-2.6.39.3/arch/powerpc/kernel/module.c
4003 --- linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4004 +++ linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4005 @@ -31,11 +31,24 @@
4006
4007 LIST_HEAD(module_bug_list);
4008
4009 +#ifdef CONFIG_PAX_KERNEXEC
4010 void *module_alloc(unsigned long size)
4011 {
4012 if (size == 0)
4013 return NULL;
4014
4015 + return vmalloc(size);
4016 +}
4017 +
4018 +void *module_alloc_exec(unsigned long size)
4019 +#else
4020 +void *module_alloc(unsigned long size)
4021 +#endif
4022 +
4023 +{
4024 + if (size == 0)
4025 + return NULL;
4026 +
4027 return vmalloc_exec(size);
4028 }
4029
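Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block splices two function headers onto one body, so the `vmalloc_exec()` body belongs to module_alloc_exec() with the option on and to module_alloc() with it off, and a blank line separates `#endif` from the opening brace. That is easy to misread; a comment above the block such as `/* KERNEXEC: module_alloc() returns non-executable memory, code pages come from module_alloc_exec() */` would state the intent. Callers that place code in memory obtained from module_alloc() must switch to module_alloc_exec() when the option is on; those callers are not visible in this hunk.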
4030 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
4031 vfree(module_region);
4032 }
4033
4034 +#ifdef CONFIG_PAX_KERNEXEC
4035 +void module_free_exec(struct module *mod, void *module_region)
4036 +{
4037 + module_free(mod, module_region);
4038 +}
4039 +#endif
4040 +
4041 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
4042 const Elf_Shdr *sechdrs,
4043 const char *name)
4044 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/pci-common.c linux-2.6.39.3/arch/powerpc/kernel/pci-common.c
4045 --- linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400
4046 +++ linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400
4047 @@ -53,14 +53,14 @@ resource_size_t isa_mem_base;
4048 unsigned int ppc_pci_flags = 0;
4049
4050
4051 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4052 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4053
4054 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
4055 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
4056 {
4057 pci_dma_ops = dma_ops;
4058 }
4059
4060 -struct dma_map_ops *get_pci_dma_ops(void)
4061 +const struct dma_map_ops *get_pci_dma_ops(void)
4062 {
4063 return pci_dma_ops;
4064 }
4065 @@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u
4066 return PCIBIOS_DEVICE_NOT_FOUND;
4067 }
4068
4069 -static struct pci_ops null_pci_ops =
4070 +static const struct pci_ops null_pci_ops =
4071 {
4072 .read = null_read_config,
4073 .write = null_write_config,
4074 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/process.c linux-2.6.39.3/arch/powerpc/kernel/process.c
4075 --- linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4076 +++ linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400
4077 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
4078 * Lookup NIP late so we have the best change of getting the
4079 * above info out without failing
4080 */
4081 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
4082 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
4083 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
4084 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
4085 #endif
4086 show_stack(current, (unsigned long *) regs->gpr[1]);
4087 if (!user_mode(regs))
4088 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
4089 newsp = stack[0];
4090 ip = stack[STACK_FRAME_LR_SAVE];
4091 if (!firstframe || ip != lr) {
4092 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
4093 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
4094 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4095 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
4096 - printk(" (%pS)",
4097 + printk(" (%pA)",
4098 (void *)current->ret_stack[curr_frame].ret);
4099 curr_frame--;
4100 }
4101 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
4102 struct pt_regs *regs = (struct pt_regs *)
4103 (sp + STACK_FRAME_OVERHEAD);
4104 lr = regs->link;
4105 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
4106 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
4107 regs->trap, (void *)regs->nip, (void *)lr);
4108 firstframe = 1;
4109 }
4110 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
4111 }
4112
4113 #endif /* THREAD_SHIFT < PAGE_SHIFT */
4114 -
4115 -unsigned long arch_align_stack(unsigned long sp)
4116 -{
4117 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4118 - sp -= get_random_int() & ~PAGE_MASK;
4119 - return sp & ~0xf;
4120 -}
4121 -
4122 -static inline unsigned long brk_rnd(void)
4123 -{
4124 - unsigned long rnd = 0;
4125 -
4126 - /* 8MB for 32bit, 1GB for 64bit */
4127 - if (is_32bit_task())
4128 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
4129 - else
4130 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
4131 -
4132 - return rnd << PAGE_SHIFT;
4133 -}
4134 -
4135 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4136 -{
4137 - unsigned long base = mm->brk;
4138 - unsigned long ret;
4139 -
4140 -#ifdef CONFIG_PPC_STD_MMU_64
4141 - /*
4142 - * If we are using 1TB segments and we are allowed to randomise
4143 - * the heap, we can put it above 1TB so it is backed by a 1TB
4144 - * segment. Otherwise the heap will be in the bottom 1TB
4145 - * which always uses 256MB segments and this may result in a
4146 - * performance penalty.
4147 - */
4148 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
4149 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
4150 -#endif
4151 -
4152 - ret = PAGE_ALIGN(base + brk_rnd());
4153 -
4154 - if (ret < mm->brk)
4155 - return mm->brk;
4156 -
4157 - return ret;
4158 -}
4159 -
4160 -unsigned long randomize_et_dyn(unsigned long base)
4161 -{
4162 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4163 -
4164 - if (ret < base)
4165 - return base;
4166 -
4167 - return ret;
4168 -}
4169 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c
4170 --- linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400
4171 +++ linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400
4172 @@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct
4173 return PCIBIOS_DEVICE_NOT_FOUND;
4174 }
4175
4176 -static struct pci_ops rtas_pci_ops = {
4177 +static const struct pci_ops rtas_pci_ops = {
4178 .read = rtas_pci_read_config,
4179 .write = rtas_pci_write_config,
4180 };
4181 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_32.c linux-2.6.39.3/arch/powerpc/kernel/signal_32.c
4182 --- linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400
4183 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400
4184 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
4185 /* Save user registers on the stack */
4186 frame = &rt_sf->uc.uc_mcontext;
4187 addr = frame;
4188 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
4189 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4190 if (save_user_regs(regs, frame, 0, 1))
4191 goto badframe;
4192 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
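Review bot: The sentinel for "no vDSO mapped" is now `~0UL`, but it is spelled as a bare literal here, in the signal_64.c hunk and in both places vdso.c sets or relies on it. Any remaining plain truth test of `context.vdso_base` would read the unmapped state as mapped. signal_32.c receives only this one hunk, so any other signal setup path in that file that tests the field (not visible here) would compute a trampoline address from ~0UL. A shared macro, for example `#define VDSO_BASE_UNMAPPED (~0UL)` (the name is a suggestion), used at every site would make a missed conversion easy to find.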
4193 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_64.c linux-2.6.39.3/arch/powerpc/kernel/signal_64.c
4194 --- linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400
4195 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400
4196 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
4197 current->thread.fpscr.val = 0;
4198
4199 /* Set up to return from userspace. */
4200 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
4201 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4202 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
4203 } else {
4204 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
4205 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/traps.c linux-2.6.39.3/arch/powerpc/kernel/traps.c
4206 --- linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
4207 +++ linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400
4208 @@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void)
4209 static inline void pmac_backlight_unblank(void) { }
4210 #endif
4211
4212 +extern void gr_handle_kernel_exploit(void);
4213 +
4214 int die(const char *str, struct pt_regs *regs, long err)
4215 {
4216 static struct {
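Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in traps.c, so the compiler cannot check it against the definition. Declaring it once in a header that both the definition and the architecture trap files include would catch a signature mismatch at build time. The call added in the next hunk sits after the `panic_on_oops` check, so with that option set the handler is never reached; a one-line comment at the call saying whether that ordering is intended would help.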
4217 @@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs
4218 if (panic_on_oops)
4219 panic("Fatal exception");
4220
4221 + gr_handle_kernel_exploit();
4222 +
4223 oops_exit();
4224 do_exit(err);
4225
4226 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vdso.c linux-2.6.39.3/arch/powerpc/kernel/vdso.c
4227 --- linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
4228 +++ linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
4229 @@ -36,6 +36,7 @@
4230 #include <asm/firmware.h>
4231 #include <asm/vdso.h>
4232 #include <asm/vdso_datapage.h>
4233 +#include <asm/mman.h>
4234
4235 #include "setup.h"
4236
4237 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
4238 vdso_base = VDSO32_MBASE;
4239 #endif
4240
4241 - current->mm->context.vdso_base = 0;
4242 + current->mm->context.vdso_base = ~0UL;
4243
4244 /* vDSO has a problem and was disabled, just don't "enable" it for the
4245 * process
4246 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
4247 vdso_base = get_unmapped_area(NULL, vdso_base,
4248 (vdso_pages << PAGE_SHIFT) +
4249 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
4250 - 0, 0);
4251 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
4252 if (IS_ERR_VALUE(vdso_base)) {
4253 rc = vdso_base;
4254 goto fail_mmapsem;
4255 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vio.c linux-2.6.39.3/arch/powerpc/kernel/vio.c
4256 --- linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400
4257 +++ linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400
4258 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
4259 return dma_iommu_ops.dma_supported(dev, mask);
4260 }
4261
4262 -struct dma_map_ops vio_dma_mapping_ops = {
4263 +const struct dma_map_ops vio_dma_mapping_ops = {
4264 .alloc_coherent = vio_dma_iommu_alloc_coherent,
4265 .free_coherent = vio_dma_iommu_free_coherent,
4266 .map_sg = vio_dma_iommu_map_sg,
4267 .unmap_sg = vio_dma_iommu_unmap_sg,
4268 + .dma_supported = dma_iommu_dma_supported,
4269 .map_page = vio_dma_iommu_map_page,
4270 .unmap_page = vio_dma_iommu_unmap_page,
4271 .dma_supported = vio_dma_iommu_dma_supported,
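Review bot: The added `.dma_supported = dma_iommu_dma_supported,` is overridden by the existing `.dma_supported = vio_dma_iommu_dma_supported,` three lines below, because the last designated initializer for a member wins. The added line therefore has no effect and triggers an override-init warning where that warning is enabled; one of the two initializers should be removed. If the intent was to stop calling through `dma_iommu_ops.dma_supported`, visible just above the struct, the change belongs inside vio_dma_iommu_dma_supported(). This line is also the only visible user of the function that the dma-iommu.c hunk makes non-static.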
4272 diff -urNp linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c
4273 --- linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
4274 +++ linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
4275 @@ -9,22 +9,6 @@
4276 #include <linux/module.h>
4277 #include <asm/uaccess.h>
4278
4279 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4280 -{
4281 - if (likely(access_ok(VERIFY_READ, from, n)))
4282 - n = __copy_from_user(to, from, n);
4283 - else
4284 - memset(to, 0, n);
4285 - return n;
4286 -}
4287 -
4288 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4289 -{
4290 - if (likely(access_ok(VERIFY_WRITE, to, n)))
4291 - n = __copy_to_user(to, from, n);
4292 - return n;
4293 -}
4294 -
4295 unsigned long copy_in_user(void __user *to, const void __user *from,
4296 unsigned long n)
4297 {
4298 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
4299 return n;
4300 }
4301
4302 -EXPORT_SYMBOL(copy_from_user);
4303 -EXPORT_SYMBOL(copy_to_user);
4304 EXPORT_SYMBOL(copy_in_user);
4305
4306 diff -urNp linux-2.6.39.3/arch/powerpc/mm/fault.c linux-2.6.39.3/arch/powerpc/mm/fault.c
4307 --- linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
4308 +++ linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
4309 @@ -31,6 +31,10 @@
4310 #include <linux/kdebug.h>
4311 #include <linux/perf_event.h>
4312 #include <linux/magic.h>
4313 +#include <linux/slab.h>
4314 +#include <linux/pagemap.h>
4315 +#include <linux/compiler.h>
4316 +#include <linux/unistd.h>
4317
4318 #include <asm/firmware.h>
4319 #include <asm/page.h>
4320 @@ -42,6 +46,7 @@
4321 #include <asm/tlbflush.h>
4322 #include <asm/siginfo.h>
4323 #include <mm/mmu_decl.h>
4324 +#include <asm/ptrace.h>
4325
4326 #ifdef CONFIG_KPROBES
4327 static inline int notify_page_fault(struct pt_regs *regs)
4328 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
4329 }
4330 #endif
4331
4332 +#ifdef CONFIG_PAX_PAGEEXEC
4333 +/*
4334 + * PaX: decide what to do with offenders (regs->nip = fault address)
4335 + *
4336 + * returns 1 when task should be killed
4337 + */
4338 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4339 +{
4340 + return 1;
4341 +}
4342 +
4343 +void pax_report_insns(void *pc, void *sp)
4344 +{
4345 + unsigned long i;
4346 +
4347 + printk(KERN_ERR "PAX: bytes at PC: ");
4348 + for (i = 0; i < 5; i++) {
4349 + unsigned int c;
4350 + if (get_user(c, (unsigned int __user *)pc+i))
4351 + printk(KERN_CONT "???????? ");
4352 + else
4353 + printk(KERN_CONT "%08x ", c);
4354 + }
4355 + printk("\n");
4356 +}
4357 +#endif
4358 +
4359 /*
4360 * Check whether the instruction at regs->nip is a store using
4361 * an update addressing form which will update r1.
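Review bot: pax_report_insns() ends with `printk("\n");` while the loop uses `KERN_CONT`, so the terminating newline is emitted as a separate message at the default level; `printk(KERN_CONT "\n");` keeps it on the same record. The `sp` parameter is never read in this implementation, and pax_handle_fetch_fault() always returns 1. A short comment on each, saying that the stack is not dumped on this architecture and that no emulation cases exist here, would spare readers from looking for missing code.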
4362 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
4363 * indicate errors in DSISR but can validly be set in SRR1.
4364 */
4365 if (trap == 0x400)
4366 - error_code &= 0x48200000;
4367 + error_code &= 0x58200000;
4368 else
4369 is_write = error_code & DSISR_ISSTORE;
4370 #else
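Review bot: The mask changes from `0x48200000` to `0x58200000`, which adds bit 0x10000000, the value the next hunk replaces with `DSISR_GUARDED`. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit is newly kept and tie it to the later tests. The comment above the statement starts outside the hunk and may need a matching update.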
4371 @@ -258,7 +290,7 @@ good_area:
4372 * "undefined". Of those that can be set, this is the only
4373 * one which seems bad.
4374 */
4375 - if (error_code & 0x10000000)
4376 + if (error_code & DSISR_GUARDED)
4377 /* Guarded storage error. */
4378 goto bad_area;
4379 #endif /* CONFIG_8xx */
4380 @@ -273,7 +305,7 @@ good_area:
4381 * processors use the same I/D cache coherency mechanism
4382 * as embedded.
4383 */
4384 - if (error_code & DSISR_PROTFAULT)
4385 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
4386 goto bad_area;
4387 #endif /* CONFIG_PPC_STD_MMU */
4388
4389 @@ -342,6 +374,23 @@ bad_area:
4390 bad_area_nosemaphore:
4391 /* User mode accesses cause a SIGSEGV */
4392 if (user_mode(regs)) {
4393 +
4394 +#ifdef CONFIG_PAX_PAGEEXEC
4395 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4396 +#ifdef CONFIG_PPC_STD_MMU
4397 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
4398 +#else
4399 + if (is_exec && regs->nip == address) {
4400 +#endif
4401 + switch (pax_handle_fetch_fault(regs)) {
4402 + }
4403 +
4404 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
4405 + do_group_exit(SIGKILL);
4406 + }
4407 + }
4408 +#endif
4409 +
4410 _exception(SIGSEGV, regs, code, address);
4411 return 0;
4412 }
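Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the return value is discarded and the task is reported and killed unconditionally, although the helper's comment says it returns 1 when the task should be killed. Either test the result, `if (pax_handle_fetch_fault(regs) == 1) { ... }`, or call it as a plain statement with a comment saying the verdict is always "kill" on this architecture. The `#ifdef CONFIG_PPC_STD_MMU` / `#else` pair opens the same brace in two places; computing the condition into a local variable first would keep the braces balanced for readers and tools.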
4413 diff -urNp linux-2.6.39.3/arch/powerpc/mm/mmap_64.c linux-2.6.39.3/arch/powerpc/mm/mmap_64.c
4414 --- linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400
4415 +++ linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400
4416 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
4417 */
4418 if (mmap_is_legacy()) {
4419 mm->mmap_base = TASK_UNMAPPED_BASE;
4420 +
4421 +#ifdef CONFIG_PAX_RANDMMAP
4422 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4423 + mm->mmap_base += mm->delta_mmap;
4424 +#endif
4425 +
4426 mm->get_unmapped_area = arch_get_unmapped_area;
4427 mm->unmap_area = arch_unmap_area;
4428 } else {
4429 mm->mmap_base = mmap_base();
4430 +
4431 +#ifdef CONFIG_PAX_RANDMMAP
4432 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4433 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4434 +#endif
4435 +
4436 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4437 mm->unmap_area = arch_unmap_area_topdown;
4438 }
4439 diff -urNp linux-2.6.39.3/arch/powerpc/mm/slice.c linux-2.6.39.3/arch/powerpc/mm/slice.c
4440 --- linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400
4441 +++ linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400
4442 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
4443 if ((mm->task_size - len) < addr)
4444 return 0;
4445 vma = find_vma(mm, addr);
4446 - return (!vma || (addr + len) <= vma->vm_start);
4447 + return check_heap_stack_gap(vma, addr, len);
4448 }
4449
4450 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
4451 @@ -256,7 +256,7 @@ full_search:
4452 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
4453 continue;
4454 }
4455 - if (!vma || addr + len <= vma->vm_start) {
4456 + if (check_heap_stack_gap(vma, addr, len)) {
4457 /*
4458 * Remember the place where we stopped the search:
4459 */
4460 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
4461 }
4462 }
4463
4464 - addr = mm->mmap_base;
4465 - while (addr > len) {
4466 + if (mm->mmap_base < len)
4467 + addr = -ENOMEM;
4468 + else
4469 + addr = mm->mmap_base - len;
4470 +
4471 + while (!IS_ERR_VALUE(addr)) {
4472 /* Go down by chunk size */
4473 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
4474 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
4475
4476 /* Check for hit with different page size */
4477 mask = slice_range_to_mask(addr, len);
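Review bot: The loop condition changes from `addr > len` to `!IS_ERR_VALUE(addr)` and the `- len` step moves out of the loop head, so an iteration no longer lowers `addr` on its own. Termination now relies on every path in the body returning, assigning a lower address, or assigning an error value. The `addr = skip_heap_stack_gap(vma, len)` assignment in a later hunk is one such path, but any `continue` in the part of the body outside this hunk that only re-aligns `addr` would repeat with the same value. A comment at the loop head such as `/* every path below must lower addr or set an error value */` would record the invariant.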
4478 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
4479 * return with success:
4480 */
4481 vma = find_vma(mm, addr);
4482 - if (!vma || (addr + len) <= vma->vm_start) {
4483 + if (check_heap_stack_gap(vma, addr, len)) {
4484 /* remember the address as a hint for next time */
4485 if (use_cache)
4486 mm->free_area_cache = addr;
4487 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
4488 mm->cached_hole_size = vma->vm_start - addr;
4489
4490 /* try just below the current vma->vm_start */
4491 - addr = vma->vm_start;
4492 + addr = skip_heap_stack_gap(vma, len);
4493 }
4494
4495 /*
4496 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
4497 if (fixed && addr > (mm->task_size - len))
4498 return -EINVAL;
4499
4500 +#ifdef CONFIG_PAX_RANDMMAP
4501 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
4502 + addr = 0;
4503 +#endif
4504 +
4505 /* If hint, make sure it matches our alignment restrictions */
4506 if (!fixed && addr) {
4507 addr = _ALIGN_UP(addr, 1ul << pshift);
4508 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c
4509 --- linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400
4510 +++ linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400
4511 @@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_
4512 return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
4513 }
4514
4515 -static struct pci_ops rtas_pci_ops = {
4516 +static const struct pci_ops rtas_pci_ops = {
4517 .read = rtas_read_config,
4518 .write = rtas_write_config,
4519 };
4520 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c
4521 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400
4522 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400
4523 @@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config(
4524 return PCIBIOS_SUCCESSFUL;
4525 }
4526
4527 -static struct pci_ops celleb_fake_pci_ops = {
4528 +static const struct pci_ops celleb_fake_pci_ops = {
4529 .read = celleb_fake_pci_read_config,
4530 .write = celleb_fake_pci_write_config,
4531 };
4532 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c
4533 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400
4534 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400
4535 @@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru
4536 return celleb_epci_check_abort(hose, addr);
4537 }
4538
4539 -struct pci_ops celleb_epci_ops = {
4540 +const struct pci_ops celleb_epci_ops = {
4541 .read = celleb_epci_read_config,
4542 .write = celleb_epci_write_config,
4543 };
4544 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c
4545 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400
4546 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400
4547 @@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct
4548 return PCIBIOS_SUCCESSFUL;
4549 }
4550
4551 -static struct pci_ops scc_pciex_pci_ops = {
4552 +static const struct pci_ops scc_pciex_pci_ops = {
4553 scc_pciex_read_config,
4554 scc_pciex_write_config,
4555 };
4556 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c
4557 --- linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400
4558 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400
4559 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
4560
4561 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
4562
4563 -struct dma_map_ops dma_iommu_fixed_ops = {
4564 +const struct dma_map_ops dma_iommu_fixed_ops = {
4565 .alloc_coherent = dma_fixed_alloc_coherent,
4566 .free_coherent = dma_fixed_free_coherent,
4567 .map_sg = dma_fixed_map_sg,
4568 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c
4569 --- linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400
4570 +++ linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400
4571 @@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus
4572 return PCIBIOS_SUCCESSFUL;
4573 }
4574
4575 -static struct pci_ops gg2_pci_ops =
4576 +static const struct pci_ops gg2_pci_ops =
4577 {
4578 .read = gg2_read_config,
4579 .write = gg2_write_config,
4580 @@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu
4581 return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL;
4582 }
4583
4584 -static struct pci_ops rtas_pci_ops =
4585 +static const struct pci_ops rtas_pci_ops =
4586 {
4587 .read = rtas_read_config,
4588 .write = rtas_write_config,
4589 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c
4590 --- linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400
4591 +++ linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400
4592 @@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru
4593 return 0;
4594 }
4595
4596 -static struct pci_ops iSeries_pci_ops = {
4597 +static const struct pci_ops iSeries_pci_ops = {
4598 .read = iSeries_pci_read_config,
4599 .write = iSeries_pci_write_config
4600 };
4601 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c
4602 --- linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400
4603 +++ linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400
4604 @@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc
4605 return PCIBIOS_SUCCESSFUL;
4606 }
4607
4608 -static struct pci_ops u3_agp_pci_ops =
4609 +static const struct pci_ops u3_agp_pci_ops =
4610 {
4611 .read = u3_agp_read_config,
4612 .write = u3_agp_write_config,
4613 @@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci
4614 return PCIBIOS_SUCCESSFUL;
4615 }
4616
4617 -static struct pci_ops u3_ht_pci_ops =
4618 +static const struct pci_ops u3_ht_pci_ops =
4619 {
4620 .read = u3_ht_read_config,
4621 .write = u3_ht_write_config,
4622 @@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p
4623 return PCIBIOS_SUCCESSFUL;
4624 }
4625
4626 -static struct pci_ops u4_pcie_pci_ops =
4627 +static const struct pci_ops u4_pcie_pci_ops =
4628 {
4629 .read = u4_pcie_read_config,
4630 .write = u4_pcie_write_config,
4631 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c
4632 --- linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400
4633 +++ linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400
4634 @@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc
4635 return PCIBIOS_SUCCESSFUL;
4636 }
4637
4638 -static struct pci_ops pa_pxp_ops = {
4639 +static const struct pci_ops pa_pxp_ops = {
4640 .read = pa_pxp_read_config,
4641 .write = pa_pxp_write_config,
4642 };
4643 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c
4644 --- linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400
4645 +++ linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400
4646 @@ -218,7 +218,7 @@ static int macrisc_write_config(struct p
4647 return PCIBIOS_SUCCESSFUL;
4648 }
4649
4650 -static struct pci_ops macrisc_pci_ops =
4651 +static const struct pci_ops macrisc_pci_ops =
4652 {
4653 .read = macrisc_read_config,
4654 .write = macrisc_write_config,
4655 @@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus,
4656 return macrisc_write_config(bus, devfn, offset, len, val);
4657 }
4658
4659 -static struct pci_ops chaos_pci_ops =
4660 +static const struct pci_ops chaos_pci_ops =
4661 {
4662 .read = chaos_read_config,
4663 .write = chaos_write_config,
4664 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c
4665 --- linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400
4666 +++ linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400
4667 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
4668 return mask >= DMA_BIT_MASK(32);
4669 }
4670
4671 -static struct dma_map_ops ps3_sb_dma_ops = {
4672 +static const struct dma_map_ops ps3_sb_dma_ops = {
4673 .alloc_coherent = ps3_alloc_coherent,
4674 .free_coherent = ps3_free_coherent,
4675 .map_sg = ps3_sb_map_sg,
4676 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
4677 .unmap_page = ps3_unmap_page,
4678 };
4679
4680 -static struct dma_map_ops ps3_ioc0_dma_ops = {
4681 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
4682 .alloc_coherent = ps3_alloc_coherent,
4683 .free_coherent = ps3_free_coherent,
4684 .map_sg = ps3_ioc0_map_sg,
4685 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c
4686 --- linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400
4687 +++ linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400
4688 @@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str
4689 return PCIBIOS_SUCCESSFUL;
4690 }
4691
4692 -static struct pci_ops mpc83xx_pcie_ops = {
4693 +static const struct pci_ops mpc83xx_pcie_ops = {
4694 .read = mpc83xx_pcie_read_config,
4695 .write = mpc83xx_pcie_write_config,
4696 };
4697 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c
4698 --- linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
4699 +++ linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
4700 @@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu
4701 return PCIBIOS_SUCCESSFUL;
4702 }
4703
4704 -static struct pci_ops indirect_pci_ops =
4705 +static const struct pci_ops indirect_pci_ops =
4706 {
4707 .read = indirect_read_config,
4708 .write = indirect_write_config,
4709 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c
4710 --- linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400
4711 +++ linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400
4712 @@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str
4713 return PCIBIOS_SUCCESSFUL;
4714 }
4715
4716 -static struct pci_ops ppc4xx_pciex_pci_ops =
4717 +static const struct pci_ops ppc4xx_pciex_pci_ops =
4718 {
4719 .read = ppc4xx_pciex_read_config,
4720 .write = ppc4xx_pciex_write_config,
4721 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c
4722 --- linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400
4723 +++ linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400
4724 @@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void)
4725 tsi108_clear_pci_error(tsi108_pci_cfg_phys);
4726 }
4727
4728 -static struct pci_ops tsi108_direct_pci_ops = {
4729 +static const struct pci_ops tsi108_direct_pci_ops = {
4730 .read = tsi108_direct_read_config,
4731 .write = tsi108_direct_write_config,
4732 };
4733 diff -urNp linux-2.6.39.3/arch/s390/include/asm/elf.h linux-2.6.39.3/arch/s390/include/asm/elf.h
4734 --- linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
4735 +++ linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
4736 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
4737 the loader. We need to make sure that it is out of the way of the program
4738 that it will "exec", and that there is sufficient room for the brk. */
4739
4740 -extern unsigned long randomize_et_dyn(unsigned long base);
4741 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
4742 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4743 +
4744 +#ifdef CONFIG_PAX_ASLR
4745 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4746 +
4747 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4748 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4749 +#endif
4750
4751 /* This yields a mask that user programs can use to figure out what
4752 instruction set this CPU supports. */
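Review bot: With CONFIG_PAX_ASLR disabled, `ELF_ET_DYN_BASE` becomes the fixed value `STACK_TOP / 3 * 2`, because the `randomize_et_dyn()` call is dropped and the PaX macros exist only inside the `#ifdef`. The same patch removes `arch_randomize_brk` in the next hunk, reduces `arch_align_stack` to the pure mask `((x) & ~0xfUL)` in asm/system.h, and deletes the helpers from kernel/process.c. A kernel built without the PaX options therefore appears to lose the stock ET_DYN, brk and stack-offset randomisation on s390. That dependency should be stated in a comment here or enforced at build time. If, as the names suggest, the `*_LEN` values are bit counts, a line such as `/* number of random bits applied to the mmap and stack bases; 31-bit tasks get the smaller value */` would document them; the code that consumes them is outside this hunk.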
4753 @@ -222,7 +228,4 @@ struct linux_binprm;
4754 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
4755 int arch_setup_additional_pages(struct linux_binprm *, int);
4756
4757 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
4758 -#define arch_randomize_brk arch_randomize_brk
4759 -
4760 #endif
4761 diff -urNp linux-2.6.39.3/arch/s390/include/asm/system.h linux-2.6.39.3/arch/s390/include/asm/system.h
4762 --- linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4763 +++ linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4764 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
4765 extern void (*_machine_halt)(void);
4766 extern void (*_machine_power_off)(void);
4767
4768 -extern unsigned long arch_align_stack(unsigned long sp);
4769 +#define arch_align_stack(x) ((x) & ~0xfUL)
4770
4771 static inline int tprot(unsigned long addr)
4772 {
4773 diff -urNp linux-2.6.39.3/arch/s390/include/asm/uaccess.h linux-2.6.39.3/arch/s390/include/asm/uaccess.h
4774 --- linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
4775 +++ linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
4776 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
4777 copy_to_user(void __user *to, const void *from, unsigned long n)
4778 {
4779 might_fault();
4780 +
4781 + if ((long)n < 0)
4782 + return n;
4783 +
4784 if (access_ok(VERIFY_WRITE, to, n))
4785 n = __copy_to_user(to, from, n);
4786 return n;
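Review bot: The new `if ((long)n < 0) return n;` guard has no comment, and the cast alone does not show its intent, which appears to be refusing a length whose top bit is set because it probably comes from a wrapped subtraction in the caller. A line such as `/* a length with the sign bit set is almost certainly an underflowed size; copy nothing */` above each instance would record that; the same guard is added in the `__copy_from_user` and `copy_from_user` hunks that follow. No matching check is visible for `__copy_to_user`, which copy_to_user calls just below the guard, so code that calls the double-underscore variant directly may not be covered; its definition is outside these hunks. copy_to_user's body continues past the end of the hunk.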
4787 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
4788 static inline unsigned long __must_check
4789 __copy_from_user(void *to, const void __user *from, unsigned long n)
4790 {
4791 + if ((long)n < 0)
4792 + return n;
4793 +
4794 if (__builtin_constant_p(n) && (n <= 256))
4795 return uaccess.copy_from_user_small(n, from, to);
4796 else
4797 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
4798 unsigned int sz = __compiletime_object_size(to);
4799
4800 might_fault();
4801 +
4802 + if ((long)n < 0)
4803 + return n;
4804 +
4805 if (unlikely(sz != -1 && sz < n)) {
4806 copy_from_user_overflow();
4807 return n;
4808 diff -urNp linux-2.6.39.3/arch/s390/Kconfig linux-2.6.39.3/arch/s390/Kconfig
4809 --- linux-2.6.39.3/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400
4810 +++ linux-2.6.39.3/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400
4811 @@ -234,11 +234,9 @@ config S390_EXEC_PROTECT
4812 prompt "Data execute protection"
4813 help
4814 This option allows to enable a buffer overflow protection for user
4815 - space programs and it also selects the addressing mode option above.
4816 - The kernel parameter noexec=on will enable this feature and also
4817 - switch the addressing modes, default is disabled. Enabling this (via
4818 - kernel parameter) on machines earlier than IBM System z9 this will
4819 - reduce system performance.
4820 + space programs.
4821 + Enabling this (via kernel parameter) on machines earlier than IBM
4822 + System z9 this will reduce system performance.
4823
4824 comment "Code generation options"
4825
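Review bot: The retained sentence `Enabling this (via kernel parameter) ...` still points at a kernel parameter, but the `noexec=` handler `early_parse_noexec` is deleted from arch/s390/kernel/setup.c later in this patch, and `user_mode` there now defaults to `SECONDARY_SPACE_MODE`. The help text should describe how the feature is controlled after the change, for example `Secondary space mode is the default; on machines earlier than IBM System z9 this reduces system performance.`, adjusted to whatever the remaining `user_mode=` parameter accepts. The doubled `this` in the kept sentence can be dropped at the same time.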
4826 diff -urNp linux-2.6.39.3/arch/s390/kernel/module.c linux-2.6.39.3/arch/s390/kernel/module.c
4827 --- linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4828 +++ linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4829 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4830
4831 /* Increase core size by size of got & plt and set start
4832 offsets for got and plt. */
4833 - me->core_size = ALIGN(me->core_size, 4);
4834 - me->arch.got_offset = me->core_size;
4835 - me->core_size += me->arch.got_size;
4836 - me->arch.plt_offset = me->core_size;
4837 - me->core_size += me->arch.plt_size;
4838 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4839 + me->arch.got_offset = me->core_size_rw;
4840 + me->core_size_rw += me->arch.got_size;
4841 + me->arch.plt_offset = me->core_size_rx;
4842 + me->core_size_rx += me->arch.plt_size;
4843 return 0;
4844 }
4845
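Review bot: `me->arch.plt_offset = me->core_size_rx;` places the PLT at the current end of the rx core without aligning it, whereas the old code derived both offsets from a `core_size` that had just been rounded up with `ALIGN(..., 4)`. The PLT stubs are later written as `unsigned int` words in apply_rela, so the rx size should be rounded the same way, e.g. `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the offset is taken, unless the section layout code outside this hunk already guarantees it. The comment above the block still speaks of a single core size; it could read `/* Reserve the GOT in the rw core and the PLT in the rx core and record their start offsets. */`. module_frob_arch_sections starts outside the hunk.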
4846 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4847 if (info->got_initialized == 0) {
4848 Elf_Addr *gotent;
4849
4850 - gotent = me->module_core + me->arch.got_offset +
4851 + gotent = me->module_core_rw + me->arch.got_offset +
4852 info->got_offset;
4853 *gotent = val;
4854 info->got_initialized = 1;
4855 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4856 else if (r_type == R_390_GOTENT ||
4857 r_type == R_390_GOTPLTENT)
4858 *(unsigned int *) loc =
4859 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4860 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4861 else if (r_type == R_390_GOT64 ||
4862 r_type == R_390_GOTPLT64)
4863 *(unsigned long *) loc = val;
4864 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4865 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4866 if (info->plt_initialized == 0) {
4867 unsigned int *ip;
4868 - ip = me->module_core + me->arch.plt_offset +
4869 + ip = me->module_core_rx + me->arch.plt_offset +
4870 info->plt_offset;
4871 #ifndef CONFIG_64BIT
4872 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
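Review bot: `ip` now points into `me->module_core_rx` and the following lines store the stub instructions through it, so this code depends on the rx core still being writable while relocations are applied. Nothing in the hunk states that, and whether the region is write-protected before apply_rela runs is decided outside it. A comment at the assignment, e.g. `/* PLT stubs live in the rx core; it must still be writable at relocation time */`, would make the ordering requirement explicit. apply_rela starts and ends outside the hunk.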
4873 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4874 val - loc + 0xffffUL < 0x1ffffeUL) ||
4875 (r_type == R_390_PLT32DBL &&
4876 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4877 - val = (Elf_Addr) me->module_core +
4878 + val = (Elf_Addr) me->module_core_rx +
4879 me->arch.plt_offset +
4880 info->plt_offset;
4881 val += rela->r_addend - loc;
4882 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4883 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4884 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4885 val = val + rela->r_addend -
4886 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4887 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4888 if (r_type == R_390_GOTOFF16)
4889 *(unsigned short *) loc = val;
4890 else if (r_type == R_390_GOTOFF32)
4891 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4892 break;
4893 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4894 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4895 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4896 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4897 rela->r_addend - loc;
4898 if (r_type == R_390_GOTPC)
4899 *(unsigned int *) loc = val;
4900 diff -urNp linux-2.6.39.3/arch/s390/kernel/process.c linux-2.6.39.3/arch/s390/kernel/process.c
4901 --- linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4902 +++ linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4903 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
4904 }
4905 return 0;
4906 }
4907 -
4908 -unsigned long arch_align_stack(unsigned long sp)
4909 -{
4910 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4911 - sp -= get_random_int() & ~PAGE_MASK;
4912 - return sp & ~0xf;
4913 -}
4914 -
4915 -static inline unsigned long brk_rnd(void)
4916 -{
4917 - /* 8MB for 32bit, 1GB for 64bit */
4918 - if (is_32bit_task())
4919 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
4920 - else
4921 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
4922 -}
4923 -
4924 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4925 -{
4926 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
4927 -
4928 - if (ret < mm->brk)
4929 - return mm->brk;
4930 - return ret;
4931 -}
4932 -
4933 -unsigned long randomize_et_dyn(unsigned long base)
4934 -{
4935 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4936 -
4937 - if (!(current->flags & PF_RANDOMIZE))
4938 - return base;
4939 - if (ret < base)
4940 - return base;
4941 - return ret;
4942 -}
4943 diff -urNp linux-2.6.39.3/arch/s390/kernel/setup.c linux-2.6.39.3/arch/s390/kernel/setup.c
4944 --- linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400
4945 +++ linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400
4946 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
4947 }
4948 early_param("mem", early_parse_mem);
4949
4950 -unsigned int user_mode = HOME_SPACE_MODE;
4951 +unsigned int user_mode = SECONDARY_SPACE_MODE;
4952 EXPORT_SYMBOL_GPL(user_mode);
4953
4954 static int set_amode_and_uaccess(unsigned long user_amode,
4955 @@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne
4956 }
4957 }
4958
4959 -/*
4960 - * Switch kernel/user addressing modes?
4961 - */
4962 -static int __init early_parse_switch_amode(char *p)
4963 -{
4964 - if (user_mode != SECONDARY_SPACE_MODE)
4965 - user_mode = PRIMARY_SPACE_MODE;
4966 - return 0;
4967 -}
4968 -early_param("switch_amode", early_parse_switch_amode);
4969 -
4970 static int __init early_parse_user_mode(char *p)
4971 {
4972 if (p && strcmp(p, "primary") == 0)
4973 @@ -327,20 +316,6 @@ static int __init early_parse_user_mode(
4974 }
4975 early_param("user_mode", early_parse_user_mode);
4976
4977 -#ifdef CONFIG_S390_EXEC_PROTECT
4978 -/*
4979 - * Enable execute protection?
4980 - */
4981 -static int __init early_parse_noexec(char *p)
4982 -{
4983 - if (!strncmp(p, "off", 3))
4984 - return 0;
4985 - user_mode = SECONDARY_SPACE_MODE;
4986 - return 0;
4987 -}
4988 -early_param("noexec", early_parse_noexec);
4989 -#endif /* CONFIG_S390_EXEC_PROTECT */
4990 -
4991 static void setup_addressing_mode(void)
4992 {
4993 if (user_mode == SECONDARY_SPACE_MODE) {
4994 diff -urNp linux-2.6.39.3/arch/s390/mm/maccess.c linux-2.6.39.3/arch/s390/mm/maccess.c
4995 --- linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
4996 +++ linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
4997 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
4998 return rc ? rc : count;
4999 }
5000
5001 -long probe_kernel_write(void *dst, void *src, size_t size)
5002 +long probe_kernel_write(void *dst, const void *src, size_t size)
5003 {
5004 long copied = 0;
5005
5006 diff -urNp linux-2.6.39.3/arch/s390/mm/mmap.c linux-2.6.39.3/arch/s390/mm/mmap.c
5007 --- linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5008 +++ linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5009 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
5010 */
5011 if (mmap_is_legacy()) {
5012 mm->mmap_base = TASK_UNMAPPED_BASE;
5013 +
5014 +#ifdef CONFIG_PAX_RANDMMAP
5015 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5016 + mm->mmap_base += mm->delta_mmap;
5017 +#endif
5018 +
5019 mm->get_unmapped_area = arch_get_unmapped_area;
5020 mm->unmap_area = arch_unmap_area;
5021 } else {
5022 mm->mmap_base = mmap_base();
5023 +
5024 +#ifdef CONFIG_PAX_RANDMMAP
5025 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5026 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5027 +#endif
5028 +
5029 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5030 mm->unmap_area = arch_unmap_area_topdown;
5031 }
5032 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
5033 */
5034 if (mmap_is_legacy()) {
5035 mm->mmap_base = TASK_UNMAPPED_BASE;
5036 +
5037 +#ifdef CONFIG_PAX_RANDMMAP
5038 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5039 + mm->mmap_base += mm->delta_mmap;
5040 +#endif
5041 +
5042 mm->get_unmapped_area = s390_get_unmapped_area;
5043 mm->unmap_area = arch_unmap_area;
5044 } else {
5045 mm->mmap_base = mmap_base();
5046 +
5047 +#ifdef CONFIG_PAX_RANDMMAP
5048 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5049 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5050 +#endif
5051 +
5052 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
5053 mm->unmap_area = arch_unmap_area_topdown;
5054 }
5055 diff -urNp linux-2.6.39.3/arch/score/include/asm/system.h linux-2.6.39.3/arch/score/include/asm/system.h
5056 --- linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
5057 +++ linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
5058 @@ -17,7 +17,7 @@ do { \
5059 #define finish_arch_switch(prev) do {} while (0)
5060
5061 typedef void (*vi_handler_t)(void);
5062 -extern unsigned long arch_align_stack(unsigned long sp);
5063 +#define arch_align_stack(x) (x)
5064
5065 #define mb() barrier()
5066 #define rmb() barrier()
5067 diff -urNp linux-2.6.39.3/arch/score/kernel/process.c linux-2.6.39.3/arch/score/kernel/process.c
5068 --- linux-2.6.39.3/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
5069 +++ linux-2.6.39.3/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
5070 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
5071
5072 return task_pt_regs(task)->cp0_epc;
5073 }
5074 -
5075 -unsigned long arch_align_stack(unsigned long sp)
5076 -{
5077 - return sp;
5078 -}
5079 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c
5080 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400
5081 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400
5082 @@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus
5083 return PCIBIOS_SUCCESSFUL;
5084 }
5085
5086 -struct pci_ops gapspci_pci_ops = {
5087 +const struct pci_ops gapspci_pci_ops = {
5088 .read = gapspci_read,
5089 .write = gapspci_write,
5090 };
5091 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c
5092 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400
5093 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400
5094 @@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus
5095 return PCIBIOS_SUCCESSFUL;
5096 }
5097
5098 -struct pci_ops sh4_pci_ops = {
5099 +const struct pci_ops sh4_pci_ops = {
5100 .read = sh4_pci_read,
5101 .write = sh4_pci_write,
5102 };
5103 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c
5104 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400
5105 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400
5106 @@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus *
5107 return PCIBIOS_SUCCESSFUL;
5108 }
5109
5110 -struct pci_ops sh5_pci_ops = {
5111 +const struct pci_ops sh5_pci_ops = {
5112 .read = sh5pci_read,
5113 .write = sh5pci_write,
5114 };
5115 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c
5116 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5117 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5118 @@ -165,7 +165,7 @@ out:
5119 return ret;
5120 }
5121
5122 -struct pci_ops sh7786_pci_ops = {
5123 +const struct pci_ops sh7786_pci_ops = {
5124 .read = sh7786_pcie_read,
5125 .write = sh7786_pcie_write,
5126 };
5127 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c
5128 --- linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5129 +++ linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5130 @@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou
5131 },
5132 };
5133
5134 -extern struct pci_ops sh7786_pci_ops;
5135 +extern const struct pci_ops sh7786_pci_ops;
5136
5137 #define DEFINE_CONTROLLER(start, idx) \
5138 { \
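Review bot: `extern const struct pci_ops sh7786_pci_ops;` is a private declaration inside a .c file, so the compiler never checks it against the definition in ops-sh7786.c, and the `const` had to be added by hand in both places. Moving the declaration into a header included by both files, the way pci-sh4.h and pci-sh5.h declare `sh4_pci_ops` and `sh5_pci_ops`, would let a future qualifier or type mismatch be caught at compile time rather than silently at link time.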
5139 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h
5140 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400
5141 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400
5142 @@ -161,7 +161,7 @@
5143 #define SH4_PCIPDR 0x220 /* Port IO Data Register */
5144
5145 /* arch/sh/kernel/drivers/pci/ops-sh4.c */
5146 -extern struct pci_ops sh4_pci_ops;
5147 +extern const struct pci_ops sh4_pci_ops;
5148 int pci_fixup_pcic(struct pci_channel *chan);
5149
5150 struct sh4_pci_address_space {
5151 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h
5152 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400
5153 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400
5154 @@ -105,6 +105,6 @@ extern unsigned long pcicr_virt;
5155 #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5156 #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5157
5158 -extern struct pci_ops sh5_pci_ops;
5159 +extern const struct pci_ops sh5_pci_ops;
5160
5161 #endif /* __PCI_SH5_H */
5162 diff -urNp linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h
5163 --- linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5164 +++ linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5165 @@ -1,10 +1,10 @@
5166 #ifndef __ASM_SH_DMA_MAPPING_H
5167 #define __ASM_SH_DMA_MAPPING_H
5168
5169 -extern struct dma_map_ops *dma_ops;
5170 +extern const struct dma_map_ops *dma_ops;
5171 extern void no_iommu_init(void);
5172
5173 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5174 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5175 {
5176 return dma_ops;
5177 }
5178 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
5179
5180 static inline int dma_supported(struct device *dev, u64 mask)
5181 {
5182 - struct dma_map_ops *ops = get_dma_ops(dev);
5183 + const struct dma_map_ops *ops = get_dma_ops(dev);
5184
5185 if (ops->dma_supported)
5186 return ops->dma_supported(dev, mask);
5187 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
5188
5189 static inline int dma_set_mask(struct device *dev, u64 mask)
5190 {
5191 - struct dma_map_ops *ops = get_dma_ops(dev);
5192 + const struct dma_map_ops *ops = get_dma_ops(dev);
5193
5194 if (!dev->dma_mask || !dma_supported(dev, mask))
5195 return -EIO;
5196 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
5197
5198 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
5199 {
5200 - struct dma_map_ops *ops = get_dma_ops(dev);
5201 + const struct dma_map_ops *ops = get_dma_ops(dev);
5202
5203 if (ops->mapping_error)
5204 return ops->mapping_error(dev, dma_addr);
5205 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
5206 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5207 dma_addr_t *dma_handle, gfp_t gfp)
5208 {
5209 - struct dma_map_ops *ops = get_dma_ops(dev);
5210 + const struct dma_map_ops *ops = get_dma_ops(dev);
5211 void *memory;
5212
5213 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
5214 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
5215 static inline void dma_free_coherent(struct device *dev, size_t size,
5216 void *vaddr, dma_addr_t dma_handle)
5217 {
5218 - struct dma_map_ops *ops = get_dma_ops(dev);
5219 + const struct dma_map_ops *ops = get_dma_ops(dev);
5220
5221 if (dma_release_from_coherent(dev, get_order(size), vaddr))
5222 return;
5223 diff -urNp linux-2.6.39.3/arch/sh/kernel/dma-nommu.c linux-2.6.39.3/arch/sh/kernel/dma-nommu.c
5224 --- linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400
5225 +++ linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400
5226 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
5227 }
5228 #endif
5229
5230 -struct dma_map_ops nommu_dma_ops = {
5231 +const struct dma_map_ops nommu_dma_ops = {
5232 .alloc_coherent = dma_generic_alloc_coherent,
5233 .free_coherent = dma_generic_free_coherent,
5234 .map_page = nommu_map_page,
5235 diff -urNp linux-2.6.39.3/arch/sh/kernel/kgdb.c linux-2.6.39.3/arch/sh/kernel/kgdb.c
5236 --- linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
5237 +++ linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
5238 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
5239 unregister_die_notifier(&kgdb_notifier);
5240 }
5241
5242 -struct kgdb_arch arch_kgdb_ops = {
5243 +const struct kgdb_arch arch_kgdb_ops = {
5244 /* Breakpoint instruction: trapa #0x3c */
5245 #ifdef CONFIG_CPU_LITTLE_ENDIAN
5246 .gdb_bpt_instr = { 0x3c, 0xc3 },
5247 diff -urNp linux-2.6.39.3/arch/sh/mm/consistent.c linux-2.6.39.3/arch/sh/mm/consistent.c
5248 --- linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400
5249 +++ linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400
5250 @@ -22,7 +22,7 @@
5251
5252 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
5253
5254 -struct dma_map_ops *dma_ops;
5255 +const struct dma_map_ops *dma_ops;
5256 EXPORT_SYMBOL(dma_ops);
5257
5258 static int __init dma_init(void)
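Review bot: `const struct dma_map_ops *dma_ops;` makes the operation tables read-only but leaves the exported pointer itself in writable data, so the indirection that every `get_dma_ops()` call follows can still be changed at run time. If the pointer is only assigned during boot (the assignments are outside this hunk), it could be placed in a section that is write-protected after init, or callers could reference the const tables directly. At minimum a comment such as `/* set once during early init; the tables it points to are const */` would record the intended lifetime.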
5259 diff -urNp linux-2.6.39.3/arch/sh/mm/mmap.c linux-2.6.39.3/arch/sh/mm/mmap.c
5260 --- linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5261 +++ linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5262 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
5263 addr = PAGE_ALIGN(addr);
5264
5265 vma = find_vma(mm, addr);
5266 - if (TASK_SIZE - len >= addr &&
5267 - (!vma || addr + len <= vma->vm_start))
5268 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5269 return addr;
5270 }
5271
5272 @@ -106,7 +105,7 @@ full_search:
5273 }
5274 return -ENOMEM;
5275 }
5276 - if (likely(!vma || addr + len <= vma->vm_start)) {
5277 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5278 /*
5279 * Remember the place where we stopped the search:
5280 */
5281 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
5282 addr = PAGE_ALIGN(addr);
5283
5284 vma = find_vma(mm, addr);
5285 - if (TASK_SIZE - len >= addr &&
5286 - (!vma || addr + len <= vma->vm_start))
5287 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5288 return addr;
5289 }
5290
5291 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
5292 /* make sure it can fit in the remaining address space */
5293 if (likely(addr > len)) {
5294 vma = find_vma(mm, addr-len);
5295 - if (!vma || addr <= vma->vm_start) {
5296 + if (check_heap_stack_gap(vma, addr - len, len)) {
5297 /* remember the address as a hint for next time */
5298 return (mm->free_area_cache = addr-len);
5299 }
5300 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
5301 if (unlikely(mm->mmap_base < len))
5302 goto bottomup;
5303
5304 - addr = mm->mmap_base-len;
5305 - if (do_colour_align)
5306 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5307 + addr = mm->mmap_base - len;
5308
5309 do {
5310 + if (do_colour_align)
5311 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5312 /*
5313 * Lookup failure means no vma is above this address,
5314 * else if new region fits below vma->vm_start,
5315 * return with success:
5316 */
5317 vma = find_vma(mm, addr);
5318 - if (likely(!vma || addr+len <= vma->vm_start)) {
5319 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5320 /* remember the address as a hint for next time */
5321 return (mm->free_area_cache = addr);
5322 }
5323 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
5324 mm->cached_hole_size = vma->vm_start - addr;
5325
5326 /* try just below the current vma->vm_start */
5327 - addr = vma->vm_start-len;
5328 - if (do_colour_align)
5329 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5330 - } while (likely(len < vma->vm_start));
5331 + addr = skip_heap_stack_gap(vma, len);
5332 + } while (!IS_ERR_VALUE(addr));
5333
5334 bottomup:
5335 /*
5336 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h
5337 --- linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400
5338 +++ linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400
5339 @@ -14,18 +14,40 @@
5340 #define ATOMIC64_INIT(i) { (i) }
5341
5342 #define atomic_read(v) (*(volatile int *)&(v)->counter)
5343 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5344 +{
5345 + return v->counter;
5346 +}
5347 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
5348 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5349 +{
5350 + return v->counter;
5351 +}
5352
5353 #define atomic_set(v, i) (((v)->counter) = i)
5354 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5355 +{
5356 + v->counter = i;
5357 +}
5358 #define atomic64_set(v, i) (((v)->counter) = i)
5359 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5360 +{
5361 + v->counter = i;
5362 +}
5363
5364 extern void atomic_add(int, atomic_t *);
5365 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
5366 extern void atomic64_add(long, atomic64_t *);
5367 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
5368 extern void atomic_sub(int, atomic_t *);
5369 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
5370 extern void atomic64_sub(long, atomic64_t *);
5371 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
5372
5373 extern int atomic_add_ret(int, atomic_t *);
5374 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
5375 extern long atomic64_add_ret(long, atomic64_t *);
5376 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
5377 extern int atomic_sub_ret(int, atomic_t *);
5378 extern long atomic64_sub_ret(long, atomic64_t *);
5379
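Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, while the `atomic_read` and `atomic64_read` macros beside them go through a `volatile` cast. Unless the counter member of `atomic_unchecked_t` and `atomic64_unchecked_t` is itself declared volatile (the type definitions are outside this hunk), the compiler may hoist or merge these reads in polling loops. Mirroring the macros keeps the two families equivalent: `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;`.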
5380 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
5381 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
5382
5383 #define atomic_inc_return(v) atomic_add_ret(1, v)
5384 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5385 +{
5386 + return atomic_add_ret_unchecked(1, v);
5387 +}
5388 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
5389 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
5390 +{
5391 + return atomic64_add_ret_unchecked(1, v);
5392 +}
5393
5394 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
5395 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
5396
5397 #define atomic_add_return(i, v) atomic_add_ret(i, v)
5398 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5399 +{
5400 + return atomic_add_ret_unchecked(i, v);
5401 +}
5402 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
5403
5404 /*
5405 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
5406 * other cases.
5407 */
5408 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5409 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
5410 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
5411
5412 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
5413 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
5414 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
5415
5416 #define atomic_inc(v) atomic_add(1, v)
5417 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5418 +{
5419 + atomic_add_unchecked(1, v);
5420 +}
5421 #define atomic64_inc(v) atomic64_add(1, v)
5422 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
5423 +{
5424 + atomic64_add_unchecked(1, v);
5425 +}
5426
5427 #define atomic_dec(v) atomic_sub(1, v)
5428 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
5429 +{
5430 + atomic_sub_unchecked(1, v);
5431 +}
5432 #define atomic64_dec(v) atomic64_sub(1, v)
5433 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
5434 +{
5435 + atomic64_sub_unchecked(1, v);
5436 +}
5437
5438 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
5439 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
5440
5441 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5442 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5443 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
5444 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
5445
5446 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5447 {
5448 - int c, old;
5449 + int c, old, new;
5450 c = atomic_read(v);
5451 for (;;) {
5452 - if (unlikely(c == (u)))
5453 + if (unlikely(c == u))
5454 break;
5455 - old = atomic_cmpxchg((v), c, c + (a));
5456 +
5457 + asm volatile("addcc %2, %0, %0\n"
5458 +
5459 +#ifdef CONFIG_PAX_REFCOUNT
5460 + "tvs %%icc, 6\n"
5461 +#endif
5462 +
5463 + : "=r" (new)
5464 + : "0" (c), "ir" (a)
5465 + : "cc");
5466 +
5467 + old = atomic_cmpxchg(v, c, new);
5468 if (likely(old == c))
5469 break;
5470 c = old;
5471 }
5472 - return c != (u);
5473 + return c != u;
5474 }
5475
5476 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
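Review bot: The `"ir"` constraint on operand `a` in the new `addcc` asm of `atomic_add_unless` accepts any compile-time constant, while the instruction's immediate field only holds a signed 13-bit value. No caller is visible here, so whether a larger constant is ever passed is unknown, but if one is, the failure shows up in the assembler rather than at the call site. Writing the inputs as `: "0" (c), "rI" (a)` lets the compiler fall back to a register for out-of-range constants. The same constraint is used in `atomic64_add_unless` in the next hunk.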
5477 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
5478
5479 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
5480 {
5481 - long c, old;
5482 + long c, old, new;
5483 c = atomic64_read(v);
5484 for (;;) {
5485 - if (unlikely(c == (u)))
5486 + if (unlikely(c == u))
5487 break;
5488 - old = atomic64_cmpxchg((v), c, c + (a));
5489 +
5490 + asm volatile("addcc %2, %0, %0\n"
5491 +
5492 +#ifdef CONFIG_PAX_REFCOUNT
5493 + "tvs %%xcc, 6\n"
5494 +#endif
5495 +
5496 + : "=r" (new)
5497 + : "0" (c), "ir" (a)
5498 + : "cc");
5499 +
5500 + old = atomic64_cmpxchg(v, c, new);
5501 if (likely(old == c))
5502 break;
5503 c = old;
5504 }
5505 - return c != (u);
5506 + return c != u;
5507 }
5508
5509 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
5510 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/cache.h linux-2.6.39.3/arch/sparc/include/asm/cache.h
5511 --- linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
5512 +++ linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
5513 @@ -10,7 +10,7 @@
5514 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
5515
5516 #define L1_CACHE_SHIFT 5
5517 -#define L1_CACHE_BYTES 32
5518 +#define L1_CACHE_BYTES 32UL
5519
5520 #ifdef CONFIG_SPARC32
5521 #define SMP_CACHE_BYTES_SHIFT 5
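Review bot: `32UL` makes `L1_CACHE_BYTES` unusable in any assembly or linker-script source that includes this header, because the `UL` suffix is C-only. Whether such an include exists is not visible in this hunk; if it does, `#define L1_CACHE_BYTES _AC(32,UL)` (from `linux/const.h`) keeps the unsigned long type for C and a bare number elsewhere. A one-line comment on why the constant has to be `unsigned long` would also help, since the change gives no reason.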
5522 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h
5523 --- linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5524 +++ linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5525 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
5526 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
5527 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
5528
5529 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
5530 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
5531 extern struct bus_type pci_bus_type;
5532
5533 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5534 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5535 {
5536 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
5537 if (dev->bus == &pci_bus_type)
5538 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
5539 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5540 dma_addr_t *dma_handle, gfp_t flag)
5541 {
5542 - struct dma_map_ops *ops = get_dma_ops(dev);
5543 + const struct dma_map_ops *ops = get_dma_ops(dev);
5544 void *cpu_addr;
5545
5546 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
5547 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
5548 static inline void dma_free_coherent(struct device *dev, size_t size,
5549 void *cpu_addr, dma_addr_t dma_handle)
5550 {
5551 - struct dma_map_ops *ops = get_dma_ops(dev);
5552 + const struct dma_map_ops *ops = get_dma_ops(dev);
5553
5554 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
5555 ops->free_coherent(dev, size, cpu_addr, dma_handle);
5556 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_32.h linux-2.6.39.3/arch/sparc/include/asm/elf_32.h
5557 --- linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400
5558 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400
5559 @@ -114,6 +114,13 @@ typedef struct {
5560
5561 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
5562
5563 +#ifdef CONFIG_PAX_ASLR
5564 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5565 +
5566 +#define PAX_DELTA_MMAP_LEN 16
5567 +#define PAX_DELTA_STACK_LEN 16
5568 +#endif
5569 +
5570 /* This yields a mask that user programs can use to figure out what
5571 instruction set this cpu supports. This can NOT be done in userspace
5572 on Sparc. */
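Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are added without a unit or a rationale for the chosen values. They look like a count of randomised address bits, but nothing in the hunk says so; a comment such as `/* number of randomised bits for the mmap base and the stack (TODO confirm unit) */` above the two defines would settle it. The elf_64.h hunk that follows has the same gap, and there the stack value is one larger than the mmap value for both task sizes, which deserves a word on why.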
5573 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_64.h linux-2.6.39.3/arch/sparc/include/asm/elf_64.h
5574 --- linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400
5575 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400
5576 @@ -162,6 +162,12 @@ typedef struct {
5577 #define ELF_ET_DYN_BASE 0x0000010000000000UL
5578 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
5579
5580 +#ifdef CONFIG_PAX_ASLR
5581 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
5582 +
5583 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
5584 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
5585 +#endif
5586
5587 /* This yields a mask that user programs can use to figure out what
5588 instruction set this cpu supports. */
5589 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h
5590 --- linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
5591 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
5592 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
5593 BTFIXUPDEF_INT(page_none)
5594 BTFIXUPDEF_INT(page_copy)
5595 BTFIXUPDEF_INT(page_readonly)
5596 +
5597 +#ifdef CONFIG_PAX_PAGEEXEC
5598 +BTFIXUPDEF_INT(page_shared_noexec)
5599 +BTFIXUPDEF_INT(page_copy_noexec)
5600 +BTFIXUPDEF_INT(page_readonly_noexec)
5601 +#endif
5602 +
5603 BTFIXUPDEF_INT(page_kernel)
5604
5605 #define PMD_SHIFT SUN4C_PMD_SHIFT
5606 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
5607 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
5608 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
5609
5610 +#ifdef CONFIG_PAX_PAGEEXEC
5611 +extern pgprot_t PAGE_SHARED_NOEXEC;
5612 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
5613 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
5614 +#else
5615 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
5616 +# define PAGE_COPY_NOEXEC PAGE_COPY
5617 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
5618 +#endif
5619 +
5620 extern unsigned long page_kernel;
5621
5622 #ifdef MODULE
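Review bot: With `CONFIG_PAX_PAGEEXEC` disabled, the `#else` branch makes `PAGE_SHARED_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` plain aliases of the ordinary protections, so the `_NOEXEC` name no longer describes what the mapping gets. A reader auditing a call site will assume the page is non-executable unless told otherwise. Add a comment above the `#else`, for example `/* without PAGEEXEC the _NOEXEC protections fall back to their executable counterparts */`.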
5623 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h
5624 --- linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400
5625 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400
5626 @@ -115,6 +115,13 @@
5627 SRMMU_EXEC | SRMMU_REF)
5628 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
5629 SRMMU_EXEC | SRMMU_REF)
5630 +
5631 +#ifdef CONFIG_PAX_PAGEEXEC
5632 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
5633 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5634 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5635 +#endif
5636 +
5637 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
5638 SRMMU_DIRTY | SRMMU_REF)
5639
5640 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h
5641 --- linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400
5642 +++ linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400
5643 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
5644
5645 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
5646
5647 -static void inline arch_read_lock(arch_rwlock_t *lock)
5648 +static inline void arch_read_lock(arch_rwlock_t *lock)
5649 {
5650 unsigned long tmp1, tmp2;
5651
5652 __asm__ __volatile__ (
5653 "1: ldsw [%2], %0\n"
5654 " brlz,pn %0, 2f\n"
5655 -"4: add %0, 1, %1\n"
5656 +"4: addcc %0, 1, %1\n"
5657 +
5658 +#ifdef CONFIG_PAX_REFCOUNT
5659 +" tvs %%icc, 6\n"
5660 +#endif
5661 +
5662 " cas [%2], %0, %1\n"
5663 " cmp %0, %1\n"
5664 " bne,pn %%icc, 1b\n"
5665 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
5666 " .previous"
5667 : "=&r" (tmp1), "=&r" (tmp2)
5668 : "r" (lock)
5669 - : "memory");
5670 + : "memory", "cc");
5671 }
5672
5673 -static int inline arch_read_trylock(arch_rwlock_t *lock)
5674 +static inline int arch_read_trylock(arch_rwlock_t *lock)
5675 {
5676 int tmp1, tmp2;
5677
5678 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
5679 "1: ldsw [%2], %0\n"
5680 " brlz,a,pn %0, 2f\n"
5681 " mov 0, %0\n"
5682 -" add %0, 1, %1\n"
5683 +" addcc %0, 1, %1\n"
5684 +
5685 +#ifdef CONFIG_PAX_REFCOUNT
5686 +" tvs %%icc, 6\n"
5687 +#endif
5688 +
5689 " cas [%2], %0, %1\n"
5690 " cmp %0, %1\n"
5691 " bne,pn %%icc, 1b\n"
5692 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
5693 return tmp1;
5694 }
5695
5696 -static void inline arch_read_unlock(arch_rwlock_t *lock)
5697 +static inline void arch_read_unlock(arch_rwlock_t *lock)
5698 {
5699 unsigned long tmp1, tmp2;
5700
5701 __asm__ __volatile__(
5702 "1: lduw [%2], %0\n"
5703 -" sub %0, 1, %1\n"
5704 +" subcc %0, 1, %1\n"
5705 +
5706 +#ifdef CONFIG_PAX_REFCOUNT
5707 +" tvs %%icc, 6\n"
5708 +#endif
5709 +
5710 " cas [%2], %0, %1\n"
5711 " cmp %0, %1\n"
5712 " bne,pn %%xcc, 1b\n"
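Review bot: `arch_read_unlock` now uses `subcc`, but its clobber list stays `: "memory"` (shown unchanged as context in the next hunk), whereas `arch_read_lock` gained `"cc"` for the same kind of change. The asm already modified the condition codes through `cmp`, so the omission predates this patch, yet fixing it in one function only is inconsistent. Use `: "memory", "cc");` here as well; the clobber list of `arch_read_trylock` lies outside every hunk and presumably needs the same. The asm statement of arch_read_unlock ends outside this hunk.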
5713 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
5714 : "memory");
5715 }
5716
5717 -static void inline arch_write_lock(arch_rwlock_t *lock)
5718 +static inline void arch_write_lock(arch_rwlock_t *lock)
5719 {
5720 unsigned long mask, tmp1, tmp2;
5721
5722 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
5723 : "memory");
5724 }
5725
5726 -static void inline arch_write_unlock(arch_rwlock_t *lock)
5727 +static inline void arch_write_unlock(arch_rwlock_t *lock)
5728 {
5729 __asm__ __volatile__(
5730 " stw %%g0, [%0]"
5731 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
5732 : "memory");
5733 }
5734
5735 -static int inline arch_write_trylock(arch_rwlock_t *lock)
5736 +static inline int arch_write_trylock(arch_rwlock_t *lock)
5737 {
5738 unsigned long mask, tmp1, tmp2, result;
5739
5740 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h
5741 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400
5742 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400
5743 @@ -50,6 +50,8 @@ struct thread_info {
5744 unsigned long w_saved;
5745
5746 struct restart_block restart_block;
5747 +
5748 + unsigned long lowest_stack;
5749 };
5750
5751 /*
5752 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h
5753 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400
5754 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400
5755 @@ -63,6 +63,8 @@ struct thread_info {
5756 struct pt_regs *kern_una_regs;
5757 unsigned int kern_una_insn;
5758
5759 + unsigned long lowest_stack;
5760 +
5761 unsigned long fpregs[0] __attribute__ ((aligned(64)));
5762 };
5763
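Review bot: `lowest_stack` is inserted ahead of `fpregs` in a structure that sparc64 assembly reaches through hard-coded byte offsets (the `TI_*` constants, defined outside this hunk), and the hunk does not touch those offsets. The 64-byte alignment of `fpregs` may absorb the extra word, but that depends on how much padding is left and should be confirmed against `TI_FPREGS`. The field also has no comment; something like `/* lowest kernel stack address seen so far (TODO confirm who updates it) */` would say what it tracks. struct thread_info starts outside the hunk.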
5764 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h
5765 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
5766 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
5767 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
5768
5769 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
5770 {
5771 - if (n && __access_ok((unsigned long) to, n))
5772 + if ((long)n < 0)
5773 + return n;
5774 +
5775 + if (n && __access_ok((unsigned long) to, n)) {
5776 + if (!__builtin_constant_p(n))
5777 + check_object_size(from, n, true);
5778 return __copy_user(to, (__force void __user *) from, n);
5779 - else
5780 + } else
5781 return n;
5782 }
5783
5784 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
5785 {
5786 + if ((long)n < 0)
5787 + return n;
5788 +
5789 + if (!__builtin_constant_p(n))
5790 + check_object_size(from, n, true);
5791 +
5792 return __copy_user(to, (__force void __user *) from, n);
5793 }
5794
5795 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
5796 {
5797 - if (n && __access_ok((unsigned long) from, n))
5798 + if ((long)n < 0)
5799 + return n;
5800 +
5801 + if (n && __access_ok((unsigned long) from, n)) {
5802 + if (!__builtin_constant_p(n))
5803 + check_object_size(to, n, false);
5804 return __copy_user((__force void __user *) to, from, n);
5805 - else
5806 + } else
5807 return n;
5808 }
5809
5810 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
5811 {
5812 + if ((long)n < 0)
5813 + return n;
5814 +
5815 return __copy_user((__force void __user *) to, from, n);
5816 }
5817
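Review bot: `__copy_from_user` gets the negative-length guard but not the `check_object_size()` call that the other three helpers in this hunk receive, so a non-constant `n` reaches `__copy_user` on this path without the destination-object check. If the omission is deliberate it needs a comment saying why. Otherwise add `if (!__builtin_constant_p(n))` followed by `check_object_size(to, n, false);` before the `return`, matching `copy_from_user`.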
5818 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h
5819 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
5820 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
5821 @@ -10,6 +10,7 @@
5822 #include <linux/compiler.h>
5823 #include <linux/string.h>
5824 #include <linux/thread_info.h>
5825 +#include <linux/kernel.h>
5826 #include <asm/asi.h>
5827 #include <asm/system.h>
5828 #include <asm/spitfire.h>
5829 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
5830 static inline unsigned long __must_check
5831 copy_from_user(void *to, const void __user *from, unsigned long size)
5832 {
5833 - unsigned long ret = ___copy_from_user(to, from, size);
5834 + unsigned long ret;
5835
5836 + if ((long)size < 0 || size > INT_MAX)
5837 + return size;
5838 +
5839 + if (!__builtin_constant_p(size))
5840 + check_object_size(to, size, false);
5841 +
5842 + ret = ___copy_from_user(to, from, size);
5843 if (unlikely(ret))
5844 ret = copy_from_user_fixup(to, from, size);
5845
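Review bot: In the added guard `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is `unsigned long` and every value with the top bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` states the limit once. A comment on why copies are capped at `INT_MAX` would also help, since the cap changes what callers may pass. The `copy_to_user` hunk below uses the same condition, and copy_from_user's body continues past the end of this hunk.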
5846 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
5847 static inline unsigned long __must_check
5848 copy_to_user(void __user *to, const void *from, unsigned long size)
5849 {
5850 - unsigned long ret = ___copy_to_user(to, from, size);
5851 + unsigned long ret;
5852 +
5853 + if ((long)size < 0 || size > INT_MAX)
5854 + return size;
5855 +
5856 + if (!__builtin_constant_p(size))
5857 + check_object_size(from, size, true);
5858
5859 + ret = ___copy_to_user(to, from, size);
5860 if (unlikely(ret))
5861 ret = copy_to_user_fixup(to, from, size);
5862 return ret;
5863 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess.h linux-2.6.39.3/arch/sparc/include/asm/uaccess.h
5864 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
5865 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
5866 @@ -1,5 +1,13 @@
5867 #ifndef ___ASM_SPARC_UACCESS_H
5868 #define ___ASM_SPARC_UACCESS_H
5869 +
5870 +#ifdef __KERNEL__
5871 +#ifndef __ASSEMBLY__
5872 +#include <linux/types.h>
5873 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
5874 +#endif
5875 +#endif
5876 +
5877 #if defined(__sparc__) && defined(__arch64__)
5878 #include <asm/uaccess_64.h>
5879 #else
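Review bot: The new prototype `check_object_size(const void *ptr, unsigned long n, bool to)` has no comment, and the meaning of `to` can only be worked out from the callers. In the sparc uaccess headers patched above, `copy_to_user` passes the kernel source buffer with `true` and `copy_from_user` passes the kernel destination buffer with `false`. A comment above the declaration, such as `/* ptr: kernel-side buffer; to: true when copying to user space, false when copying from it */`, would make that explicit.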
5880 diff -urNp linux-2.6.39.3/arch/sparc/kernel/iommu.c linux-2.6.39.3/arch/sparc/kernel/iommu.c
5881 --- linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400
5882 +++ linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400
5883 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5884 spin_unlock_irqrestore(&iommu->lock, flags);
5885 }
5886
5887 -static struct dma_map_ops sun4u_dma_ops = {
5888 +static const struct dma_map_ops sun4u_dma_ops = {
5889 .alloc_coherent = dma_4u_alloc_coherent,
5890 .free_coherent = dma_4u_free_coherent,
5891 .map_page = dma_4u_map_page,
5892 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
5893 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5894 };
5895
5896 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5897 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5898 EXPORT_SYMBOL(dma_ops);
5899
5900 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
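Review bot: Only the ops tables become read-only with this change; the exported pointer `dma_ops` itself remains an ordinary writable global, so the indirection that `get_dma_ops()` follows is not protected by the added `const`. Whether `dma_ops` is reassigned after boot is not visible in this hunk. If it is only set during initialisation, placing the pointer in memory that is write-protected after init would complete the hardening. Otherwise a comment such as `/* pointer stays writable: reassigned at runtime */` would record that the gap is intentional.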
5901 diff -urNp linux-2.6.39.3/arch/sparc/kernel/ioport.c linux-2.6.39.3/arch/sparc/kernel/ioport.c
5902 --- linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
5903 +++ linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400
5904 @@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru
5905 BUG();
5906 }
5907
5908 -struct dma_map_ops sbus_dma_ops = {
5909 +const struct dma_map_ops sbus_dma_ops = {
5910 .alloc_coherent = sbus_alloc_coherent,
5911 .free_coherent = sbus_free_coherent,
5912 .map_page = sbus_map_page,
5913 @@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str
5914 }
5915 }
5916
5917 -struct dma_map_ops pci32_dma_ops = {
5918 +const struct dma_map_ops pci32_dma_ops = {
5919 .alloc_coherent = pci32_alloc_coherent,
5920 .free_coherent = pci32_free_coherent,
5921 .map_page = pci32_map_page,
5922 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c
5923 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400
5924 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400
5925 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5926 regs->npc = regs->pc + 4;
5927 }
5928
5929 -struct kgdb_arch arch_kgdb_ops = {
5930 +const struct kgdb_arch arch_kgdb_ops = {
5931 /* Breakpoint instruction: ta 0x7d */
5932 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5933 };
5934 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c
5935 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400
5936 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400
5937 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5938 regs->tnpc = regs->tpc + 4;
5939 }
5940
5941 -struct kgdb_arch arch_kgdb_ops = {
5942 +const struct kgdb_arch arch_kgdb_ops = {
5943 /* Breakpoint instruction: ta 0x72 */
5944 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5945 };
5946 diff -urNp linux-2.6.39.3/arch/sparc/kernel/Makefile linux-2.6.39.3/arch/sparc/kernel/Makefile
5947 --- linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400
5948 +++ linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400
5949 @@ -3,7 +3,7 @@
5950 #
5951
5952 asflags-y := -ansi
5953 -ccflags-y := -Werror
5954 +#ccflags-y := -Werror
5955
5956 extra-y := head_$(BITS).o
5957 extra-y += init_task.o
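Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for all of arch/sparc/kernel, which hides the very diagnostics (discarded `const` qualifiers, mismatched prototypes) that the constification elsewhere in this patch is likely to produce. Prefer fixing the warnings, or relaxing the flag only for the objects that need it. If the flag has to go, delete the line instead of leaving it as a comment, and state the reason in a comment of its own.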
5958 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pcic.c linux-2.6.39.3/arch/sparc/kernel/pcic.c
5959 --- linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400
5960 +++ linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400
5961 @@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_
5962 return -EINVAL;
5963 }
5964
5965 -static struct pci_ops pcic_ops = {
5966 +static const struct pci_ops pcic_ops = {
5967 .read = pcic_read_config,
5968 .write = pcic_write_config,
5969 };
5970 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_common.c linux-2.6.39.3/arch/sparc/kernel/pci_common.c
5971 --- linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400
5972 +++ linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400
5973 @@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc
5974 return PCIBIOS_SUCCESSFUL;
5975 }
5976
5977 -struct pci_ops sun4u_pci_ops = {
5978 +const struct pci_ops sun4u_pci_ops = {
5979 .read = sun4u_read_pci_cfg,
5980 .write = sun4u_write_pci_cfg,
5981 };
5982 @@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc
5983 return PCIBIOS_SUCCESSFUL;
5984 }
5985
5986 -struct pci_ops sun4v_pci_ops = {
5987 +const struct pci_ops sun4v_pci_ops = {
5988 .read = sun4v_read_pci_cfg,
5989 .write = sun4v_write_pci_cfg,
5990 };
5991 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_impl.h linux-2.6.39.3/arch/sparc/kernel/pci_impl.h
5992 --- linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400
5993 +++ linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400
5994 @@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr,
5995 extern void pci_config_write16(u16 *addr, u16 val);
5996 extern void pci_config_write32(u32 *addr, u32 val);
5997
5998 -extern struct pci_ops sun4u_pci_ops;
5999 -extern struct pci_ops sun4v_pci_ops;
6000 +extern const struct pci_ops sun4u_pci_ops;
6001 +extern const struct pci_ops sun4v_pci_ops;
6002
6003 extern volatile int pci_poke_in_progress;
6004 extern volatile int pci_poke_cpu;
6005 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c
6006 --- linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400
6007 +++ linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400
6008 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
6009 spin_unlock_irqrestore(&iommu->lock, flags);
6010 }
6011
6012 -static struct dma_map_ops sun4v_dma_ops = {
6013 +static const struct dma_map_ops sun4v_dma_ops = {
6014 .alloc_coherent = dma_4v_alloc_coherent,
6015 .free_coherent = dma_4v_free_coherent,
6016 .map_page = dma_4v_map_page,
6017 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_32.c linux-2.6.39.3/arch/sparc/kernel/process_32.c
6018 --- linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
6019 +++ linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400
6020 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
6021 rw->ins[4], rw->ins[5],
6022 rw->ins[6],
6023 rw->ins[7]);
6024 - printk("%pS\n", (void *) rw->ins[7]);
6025 + printk("%pA\n", (void *) rw->ins[7]);
6026 rw = (struct reg_window32 *) rw->ins[6];
6027 }
6028 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
6029 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
6030
6031 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
6032 r->psr, r->pc, r->npc, r->y, print_tainted());
6033 - printk("PC: <%pS>\n", (void *) r->pc);
6034 + printk("PC: <%pA>\n", (void *) r->pc);
6035 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6036 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
6037 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
6038 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6039 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
6040 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
6041 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
6042 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
6043
6044 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6045 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
6046 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
6047 rw = (struct reg_window32 *) fp;
6048 pc = rw->ins[7];
6049 printk("[%08lx : ", pc);
6050 - printk("%pS ] ", (void *) pc);
6051 + printk("%pA ] ", (void *) pc);
6052 fp = rw->ins[6];
6053 } while (++count < 16);
6054 printk("\n");
6055 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_64.c linux-2.6.39.3/arch/sparc/kernel/process_64.c
6056 --- linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
6057 +++ linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400
6058 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
6059 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
6060 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
6061 if (regs->tstate & TSTATE_PRIV)
6062 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
6063 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
6064 }
6065
6066 void show_regs(struct pt_regs *regs)
6067 {
6068 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
6069 regs->tpc, regs->tnpc, regs->y, print_tainted());
6070 - printk("TPC: <%pS>\n", (void *) regs->tpc);
6071 + printk("TPC: <%pA>\n", (void *) regs->tpc);
6072 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
6073 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
6074 regs->u_regs[3]);
6075 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
6076 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
6077 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
6078 regs->u_regs[15]);
6079 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
6080 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
6081 show_regwindow(regs);
6082 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
6083 }
6084 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
6085 ((tp && tp->task) ? tp->task->pid : -1));
6086
6087 if (gp->tstate & TSTATE_PRIV) {
6088 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
6089 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
6090 (void *) gp->tpc,
6091 (void *) gp->o7,
6092 (void *) gp->i7,
6093 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c
6094 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400
6095 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400
6096 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
6097 if (ARCH_SUN4C && len > 0x20000000)
6098 return -ENOMEM;
6099 if (!addr)
6100 - addr = TASK_UNMAPPED_BASE;
6101 + addr = current->mm->mmap_base;
6102
6103 if (flags & MAP_SHARED)
6104 addr = COLOUR_ALIGN(addr);
6105 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
6106 }
6107 if (TASK_SIZE - PAGE_SIZE - len < addr)
6108 return -ENOMEM;
6109 - if (!vmm || addr + len <= vmm->vm_start)
6110 + if (check_heap_stack_gap(vmm, addr, len))
6111 return addr;
6112 addr = vmm->vm_end;
6113 if (flags & MAP_SHARED)
6114 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c
6115 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400
6116 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400
6117 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
6118 /* We do not accept a shared mapping if it would violate
6119 * cache aliasing constraints.
6120 */
6121 - if ((flags & MAP_SHARED) &&
6122 + if ((filp || (flags & MAP_SHARED)) &&
6123 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6124 return -EINVAL;
6125 return addr;
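Review bot: The comment above the changed condition still says "We do not accept a shared mapping", but the test now also rejects any file-backed mapping (`filp ||`), shared or private. Update it, for example `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`, and say why private file mappings are included, since requests that used to succeed may now return -EINVAL. The same edit applies to the matching hunk in `arch_get_unmapped_area_topdown`. The enclosing `if` opens outside this hunk.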
6126 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
6127 if (filp || (flags & MAP_SHARED))
6128 do_color_align = 1;
6129
6130 +#ifdef CONFIG_PAX_RANDMMAP
6131 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
6132 +#endif
6133 +
6134 if (addr) {
6135 if (do_color_align)
6136 addr = COLOUR_ALIGN(addr, pgoff);
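Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block adds an `if` with no body of its own and relies on the `if (addr) {` below the `#endif` to become its statement. That coupling is easy to break: any statement later inserted between the `#endif` and `if (addr)` would become the guarded statement instead, and the hint check would then run unconditionally. Drop the blank line after `#endif` and add a comment such as `/* with RANDMMAP the caller's address hint is ignored */` so the two lines read as one condition. arch_get_unmapped_area starts and ends outside the hunk.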
6137 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
6138 addr = PAGE_ALIGN(addr);
6139
6140 vma = find_vma(mm, addr);
6141 - if (task_size - len >= addr &&
6142 - (!vma || addr + len <= vma->vm_start))
6143 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6144 return addr;
6145 }
6146
6147 if (len > mm->cached_hole_size) {
6148 - start_addr = addr = mm->free_area_cache;
6149 + start_addr = addr = mm->free_area_cache;
6150 } else {
6151 - start_addr = addr = TASK_UNMAPPED_BASE;
6152 + start_addr = addr = mm->mmap_base;
6153 mm->cached_hole_size = 0;
6154 }
6155
6156 @@ -174,14 +177,14 @@ full_search:
6157 vma = find_vma(mm, VA_EXCLUDE_END);
6158 }
6159 if (unlikely(task_size < addr)) {
6160 - if (start_addr != TASK_UNMAPPED_BASE) {
6161 - start_addr = addr = TASK_UNMAPPED_BASE;
6162 + if (start_addr != mm->mmap_base) {
6163 + start_addr = addr = mm->mmap_base;
6164 mm->cached_hole_size = 0;
6165 goto full_search;
6166 }
6167 return -ENOMEM;
6168 }
6169 - if (likely(!vma || addr + len <= vma->vm_start)) {
6170 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6171 /*
6172 * Remember the place where we stopped the search:
6173 */
6174 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
6175 /* We do not accept a shared mapping if it would violate
6176 * cache aliasing constraints.
6177 */
6178 - if ((flags & MAP_SHARED) &&
6179 + if ((filp || (flags & MAP_SHARED)) &&
6180 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6181 return -EINVAL;
6182 return addr;
6183 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
6184 addr = PAGE_ALIGN(addr);
6185
6186 vma = find_vma(mm, addr);
6187 - if (task_size - len >= addr &&
6188 - (!vma || addr + len <= vma->vm_start))
6189 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6190 return addr;
6191 }
6192
6193 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
6194 /* make sure it can fit in the remaining address space */
6195 if (likely(addr > len)) {
6196 vma = find_vma(mm, addr-len);
6197 - if (!vma || addr <= vma->vm_start) {
6198 + if (check_heap_stack_gap(vma, addr - len, len)) {
6199 /* remember the address as a hint for next time */
6200 return (mm->free_area_cache = addr-len);
6201 }
6202 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
6203 if (unlikely(mm->mmap_base < len))
6204 goto bottomup;
6205
6206 - addr = mm->mmap_base-len;
6207 - if (do_color_align)
6208 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6209 + addr = mm->mmap_base - len;
6210
6211 do {
6212 + if (do_color_align)
6213 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6214 /*
6215 * Lookup failure means no vma is above this address,
6216 * else if new region fits below vma->vm_start,
6217 * return with success:
6218 */
6219 vma = find_vma(mm, addr);
6220 - if (likely(!vma || addr+len <= vma->vm_start)) {
6221 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6222 /* remember the address as a hint for next time */
6223 return (mm->free_area_cache = addr);
6224 }
6225 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
6226 mm->cached_hole_size = vma->vm_start - addr;
6227
6228 /* try just below the current vma->vm_start */
6229 - addr = vma->vm_start-len;
6230 - if (do_color_align)
6231 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6232 - } while (likely(len < vma->vm_start));
6233 + addr = skip_heap_stack_gap(vma, len);
6234 + } while (!IS_ERR_VALUE(addr));
6235
6236 bottomup:
6237 /*
6238 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
6239 gap == RLIM_INFINITY ||
6240 sysctl_legacy_va_layout) {
6241 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
6242 +
6243 +#ifdef CONFIG_PAX_RANDMMAP
6244 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6245 + mm->mmap_base += mm->delta_mmap;
6246 +#endif
6247 +
6248 mm->get_unmapped_area = arch_get_unmapped_area;
6249 mm->unmap_area = arch_unmap_area;
6250 } else {
6251 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
6252 gap = (task_size / 6 * 5);
6253
6254 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
6255 +
6256 +#ifdef CONFIG_PAX_RANDMMAP
6257 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6258 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
6259 +#endif
6260 +
6261 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
6262 mm->unmap_area = arch_unmap_area_topdown;
6263 }
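Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied after `PAGE_ALIGN(task_size - gap - random_factor)` with no lower bound, so correctness depends on the two deltas staying small relative to `task_size - gap`. The visible `gap = (task_size / 6 * 5);` suggests roughly a sixth of the address space remains, minus random_factor, but nothing in the hunk states the maximum of the deltas. A comment giving that bound for this architecture, or an explicit check that mmap_base did not wrap, would make the invariant reviewable. arch_pick_mmap_layout starts before and ends after this hunk.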
6264 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_32.c linux-2.6.39.3/arch/sparc/kernel/traps_32.c
6265 --- linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
6266 +++ linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400
6267 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
6268 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
6269 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
6270
6271 +extern void gr_handle_kernel_exploit(void);
6272 +
6273 void die_if_kernel(char *str, struct pt_regs *regs)
6274 {
6275 static int die_counter;
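Review bot: `extern void gr_handle_kernel_exploit(void);` is declared ad hoc inside this .c file, and the same line is added again to traps_64.c further down, so the compiler never checks either declaration against the definition. A single prototype in a header included by both callers and by the defining file would catch any later change of signature. If the local declaration has to stay, a short comment naming where the function is defined would help the next reader.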
6276 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
6277 count++ < 30 &&
6278 (((unsigned long) rw) >= PAGE_OFFSET) &&
6279 !(((unsigned long) rw) & 0x7)) {
6280 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
6281 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
6282 (void *) rw->ins[7]);
6283 rw = (struct reg_window32 *)rw->ins[6];
6284 }
6285 }
6286 printk("Instruction DUMP:");
6287 instruction_dump ((unsigned long *) regs->pc);
6288 - if(regs->psr & PSR_PS)
6289 + if(regs->psr & PSR_PS) {
6290 + gr_handle_kernel_exploit();
6291 do_exit(SIGKILL);
6292 + }
6293 do_exit(SIGSEGV);
6294 }
6295
6296 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_64.c linux-2.6.39.3/arch/sparc/kernel/traps_64.c
6297 --- linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
6298 +++ linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400
6299 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
6300 i + 1,
6301 p->trapstack[i].tstate, p->trapstack[i].tpc,
6302 p->trapstack[i].tnpc, p->trapstack[i].tt);
6303 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
6304 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
6305 }
6306 }
6307
6308 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
6309
6310 lvl -= 0x100;
6311 if (regs->tstate & TSTATE_PRIV) {
6312 +
6313 +#ifdef CONFIG_PAX_REFCOUNT
6314 + if (lvl == 6)
6315 + pax_report_refcount_overflow(regs);
6316 +#endif
6317 +
6318 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
6319 die_if_kernel(buffer, regs);
6320 }
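Review bot: The bare `6` in `if (lvl == 6)` has to stay in step with the `tvs %icc, 6` and `tvs %xcc, 6` instructions this patch adds to atomic_64.S, and nothing in the code ties the two together. A named constant usable from both C and assembly, for example `#define PAX_REFCOUNT_TRAP 6` (name constructed here), plus a comment such as `/* software trap raised by the overflow check in atomic_64.S */` would make the link explicit. The same literal is used in bad_trap_tl1 in the next hunk. bad_trap starts and ends outside this hunk.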
6321 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
6322 void bad_trap_tl1(struct pt_regs *regs, long lvl)
6323 {
6324 char buffer[32];
6325 -
6326 +
6327 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
6328 0, lvl, SIGTRAP) == NOTIFY_STOP)
6329 return;
6330
6331 +#ifdef CONFIG_PAX_REFCOUNT
6332 + if (lvl == 6)
6333 + pax_report_refcount_overflow(regs);
6334 +#endif
6335 +
6336 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
6337
6338 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
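Review bot: In bad_trap_tl1 the new `if (lvl == 6)` compares the raw `lvl` argument, whereas in bad_trap the same comparison sits after `lvl -= 0x100;`. If both handlers receive the trap type in the same encoding, which cannot be confirmed from this hunk, the check here would never match the refcount trap and an overflow taken at tl>0 would only show up as a generic "Bad trap" message. It is worth confirming what value `lvl` carries on this path and recording it next to the test, e.g. `/* lvl here is <encoding to confirm> */`. The function continues past the end of the hunk.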
6339 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
6340 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
6341 printk("%s" "ERROR(%d): ",
6342 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
6343 - printk("TPC<%pS>\n", (void *) regs->tpc);
6344 + printk("TPC<%pA>\n", (void *) regs->tpc);
6345 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
6346 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
6347 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
6348 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
6349 smp_processor_id(),
6350 (type & 0x1) ? 'I' : 'D',
6351 regs->tpc);
6352 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
6353 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
6354 panic("Irrecoverable Cheetah+ parity error.");
6355 }
6356
6357 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
6358 smp_processor_id(),
6359 (type & 0x1) ? 'I' : 'D',
6360 regs->tpc);
6361 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
6362 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
6363 }
6364
6365 struct sun4v_error_entry {
6366 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
6367
6368 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
6369 regs->tpc, tl);
6370 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
6371 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
6372 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6373 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
6374 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
6375 (void *) regs->u_regs[UREG_I7]);
6376 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
6377 "pte[%lx] error[%lx]\n",
6378 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
6379
6380 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
6381 regs->tpc, tl);
6382 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
6383 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
6384 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6385 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
6386 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
6387 (void *) regs->u_regs[UREG_I7]);
6388 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
6389 "pte[%lx] error[%lx]\n",
6390 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
6391 fp = (unsigned long)sf->fp + STACK_BIAS;
6392 }
6393
6394 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6395 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6396 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6397 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
6398 int index = tsk->curr_ret_stack;
6399 if (tsk->ret_stack && index >= graph) {
6400 pc = tsk->ret_stack[index - graph].ret;
6401 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6402 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6403 graph++;
6404 }
6405 }
6406 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
6407 return (struct reg_window *) (fp + STACK_BIAS);
6408 }
6409
6410 +extern void gr_handle_kernel_exploit(void);
6411 +
6412 void die_if_kernel(char *str, struct pt_regs *regs)
6413 {
6414 static int die_counter;
6415 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
6416 while (rw &&
6417 count++ < 30 &&
6418 kstack_valid(tp, (unsigned long) rw)) {
6419 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
6420 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
6421 (void *) rw->ins[7]);
6422
6423 rw = kernel_stack_up(rw);
6424 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
6425 }
6426 user_instruction_dump ((unsigned int __user *) regs->tpc);
6427 }
6428 - if (regs->tstate & TSTATE_PRIV)
6429 + if (regs->tstate & TSTATE_PRIV) {
6430 + gr_handle_kernel_exploit();
6431 do_exit(SIGKILL);
6432 + }
6433 do_exit(SIGSEGV);
6434 }
6435 EXPORT_SYMBOL(die_if_kernel);
6436 diff -urNp linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c
6437 --- linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
6438 +++ linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
6439 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
6440 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
6441
6442 if (__ratelimit(&ratelimit)) {
6443 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
6444 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
6445 regs->tpc, (void *) regs->tpc);
6446 }
6447 }
6448 diff -urNp linux-2.6.39.3/arch/sparc/lib/atomic_64.S linux-2.6.39.3/arch/sparc/lib/atomic_64.S
6449 --- linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400
6450 +++ linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400
6451 @@ -18,7 +18,12 @@
6452 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
6453 BACKOFF_SETUP(%o2)
6454 1: lduw [%o1], %g1
6455 - add %g1, %o0, %g7
6456 + addcc %g1, %o0, %g7
6457 +
6458 +#ifdef CONFIG_PAX_REFCOUNT
6459 + tvs %icc, 6
6460 +#endif
6461 +
6462 cas [%o1], %g1, %g7
6463 cmp %g1, %g7
6464 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6465 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
6466 2: BACKOFF_SPIN(%o2, %o3, 1b)
6467 .size atomic_add, .-atomic_add
6468
6469 + .globl atomic_add_unchecked
6470 + .type atomic_add_unchecked,#function
6471 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6472 + BACKOFF_SETUP(%o2)
6473 +1: lduw [%o1], %g1
6474 + add %g1, %o0, %g7
6475 + cas [%o1], %g1, %g7
6476 + cmp %g1, %g7
6477 + bne,pn %icc, 2f
6478 + nop
6479 + retl
6480 + nop
6481 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6482 + .size atomic_add_unchecked, .-atomic_add_unchecked
6483 +
6484 .globl atomic_sub
6485 .type atomic_sub,#function
6486 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6487 BACKOFF_SETUP(%o2)
6488 1: lduw [%o1], %g1
6489 - sub %g1, %o0, %g7
6490 + subcc %g1, %o0, %g7
6491 +
6492 +#ifdef CONFIG_PAX_REFCOUNT
6493 + tvs %icc, 6
6494 +#endif
6495 +
6496 cas [%o1], %g1, %g7
6497 cmp %g1, %g7
6498 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
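Review bot: The retry branch in the new atomic_add_unchecked is written `bne,pn %icc, 2f`, while every checked routine in this file branches through `BACKOFF_LABEL(2f, 1b)`. If that macro selects `1b` on builds where BACKOFF_SPIN expands to nothing (neither definition is visible here), label 2 in the unchecked copy would have no body and a failed cas would fall through into the following routine instead of retrying. I would write `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` here. The same applies to atomic_sub_unchecked, atomic_add_ret_unchecked and the three atomic64_*_unchecked routines in the later hunks (with `%xcc` for the 64-bit ones).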
6499 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
6500 2: BACKOFF_SPIN(%o2, %o3, 1b)
6501 .size atomic_sub, .-atomic_sub
6502
6503 + .globl atomic_sub_unchecked
6504 + .type atomic_sub_unchecked,#function
6505 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6506 + BACKOFF_SETUP(%o2)
6507 +1: lduw [%o1], %g1
6508 + sub %g1, %o0, %g7
6509 + cas [%o1], %g1, %g7
6510 + cmp %g1, %g7
6511 + bne,pn %icc, 2f
6512 + nop
6513 + retl
6514 + nop
6515 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6516 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
6517 +
6518 .globl atomic_add_ret
6519 .type atomic_add_ret,#function
6520 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6521 BACKOFF_SETUP(%o2)
6522 1: lduw [%o1], %g1
6523 - add %g1, %o0, %g7
6524 + addcc %g1, %o0, %g7
6525 +
6526 +#ifdef CONFIG_PAX_REFCOUNT
6527 + tvs %icc, 6
6528 +#endif
6529 +
6530 cas [%o1], %g1, %g7
6531 cmp %g1, %g7
6532 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6533 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
6534 2: BACKOFF_SPIN(%o2, %o3, 1b)
6535 .size atomic_add_ret, .-atomic_add_ret
6536
6537 + .globl atomic_add_ret_unchecked
6538 + .type atomic_add_ret_unchecked,#function
6539 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6540 + BACKOFF_SETUP(%o2)
6541 +1: lduw [%o1], %g1
6542 + addcc %g1, %o0, %g7
6543 + cas [%o1], %g1, %g7
6544 + cmp %g1, %g7
6545 + bne,pn %icc, 2f
6546 + add %g7, %o0, %g7
6547 + sra %g7, 0, %o0
6548 + retl
6549 + nop
6550 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6551 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
6552 +
6553 .globl atomic_sub_ret
6554 .type atomic_sub_ret,#function
6555 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6556 BACKOFF_SETUP(%o2)
6557 1: lduw [%o1], %g1
6558 - sub %g1, %o0, %g7
6559 + subcc %g1, %o0, %g7
6560 +
6561 +#ifdef CONFIG_PAX_REFCOUNT
6562 + tvs %icc, 6
6563 +#endif
6564 +
6565 cas [%o1], %g1, %g7
6566 cmp %g1, %g7
6567 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
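Review bot: atomic_add_ret_unchecked computes the sum with `addcc`, although nothing reads the condition codes before the following `cmp` overwrites them, and atomic_add_unchecked and atomic_sub_unchecked use plain `add`/`sub`. Writing `add %g1, %o0, %g7` would be consistent and would make it obvious at a glance that this variant deliberately carries no overflow trap. The same `addcc`/`subcc` appears in atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked. A one-line comment on each `_unchecked` entry point saying it is for counters that are allowed to wrap would also help callers choose the right variant.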
6568 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
6569 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
6570 BACKOFF_SETUP(%o2)
6571 1: ldx [%o1], %g1
6572 - add %g1, %o0, %g7
6573 + addcc %g1, %o0, %g7
6574 +
6575 +#ifdef CONFIG_PAX_REFCOUNT
6576 + tvs %xcc, 6
6577 +#endif
6578 +
6579 casx [%o1], %g1, %g7
6580 cmp %g1, %g7
6581 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6582 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
6583 2: BACKOFF_SPIN(%o2, %o3, 1b)
6584 .size atomic64_add, .-atomic64_add
6585
6586 + .globl atomic64_add_unchecked
6587 + .type atomic64_add_unchecked,#function
6588 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6589 + BACKOFF_SETUP(%o2)
6590 +1: ldx [%o1], %g1
6591 + addcc %g1, %o0, %g7
6592 + casx [%o1], %g1, %g7
6593 + cmp %g1, %g7
6594 + bne,pn %xcc, 2f
6595 + nop
6596 + retl
6597 + nop
6598 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6599 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
6600 +
6601 .globl atomic64_sub
6602 .type atomic64_sub,#function
6603 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6604 BACKOFF_SETUP(%o2)
6605 1: ldx [%o1], %g1
6606 - sub %g1, %o0, %g7
6607 + subcc %g1, %o0, %g7
6608 +
6609 +#ifdef CONFIG_PAX_REFCOUNT
6610 + tvs %xcc, 6
6611 +#endif
6612 +
6613 casx [%o1], %g1, %g7
6614 cmp %g1, %g7
6615 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6616 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
6617 2: BACKOFF_SPIN(%o2, %o3, 1b)
6618 .size atomic64_sub, .-atomic64_sub
6619
6620 + .globl atomic64_sub_unchecked
6621 + .type atomic64_sub_unchecked,#function
6622 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6623 + BACKOFF_SETUP(%o2)
6624 +1: ldx [%o1], %g1
6625 + subcc %g1, %o0, %g7
6626 + casx [%o1], %g1, %g7
6627 + cmp %g1, %g7
6628 + bne,pn %xcc, 2f
6629 + nop
6630 + retl
6631 + nop
6632 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6633 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
6634 +
6635 .globl atomic64_add_ret
6636 .type atomic64_add_ret,#function
6637 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6638 BACKOFF_SETUP(%o2)
6639 1: ldx [%o1], %g1
6640 - add %g1, %o0, %g7
6641 + addcc %g1, %o0, %g7
6642 +
6643 +#ifdef CONFIG_PAX_REFCOUNT
6644 + tvs %xcc, 6
6645 +#endif
6646 +
6647 casx [%o1], %g1, %g7
6648 cmp %g1, %g7
6649 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6650 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
6651 2: BACKOFF_SPIN(%o2, %o3, 1b)
6652 .size atomic64_add_ret, .-atomic64_add_ret
6653
6654 + .globl atomic64_add_ret_unchecked
6655 + .type atomic64_add_ret_unchecked,#function
6656 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6657 + BACKOFF_SETUP(%o2)
6658 +1: ldx [%o1], %g1
6659 + addcc %g1, %o0, %g7
6660 + casx [%o1], %g1, %g7
6661 + cmp %g1, %g7
6662 + bne,pn %xcc, 2f
6663 + add %g7, %o0, %g7
6664 + mov %g7, %o0
6665 + retl
6666 + nop
6667 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6668 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
6669 +
6670 .globl atomic64_sub_ret
6671 .type atomic64_sub_ret,#function
6672 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6673 BACKOFF_SETUP(%o2)
6674 1: ldx [%o1], %g1
6675 - sub %g1, %o0, %g7
6676 + subcc %g1, %o0, %g7
6677 +
6678 +#ifdef CONFIG_PAX_REFCOUNT
6679 + tvs %xcc, 6
6680 +#endif
6681 +
6682 casx [%o1], %g1, %g7
6683 cmp %g1, %g7
6684 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6685 diff -urNp linux-2.6.39.3/arch/sparc/lib/ksyms.c linux-2.6.39.3/arch/sparc/lib/ksyms.c
6686 --- linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400
6687 +++ linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400
6688 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
6689
6690 /* Atomic counter implementation. */
6691 EXPORT_SYMBOL(atomic_add);
6692 +EXPORT_SYMBOL(atomic_add_unchecked);
6693 EXPORT_SYMBOL(atomic_add_ret);
6694 EXPORT_SYMBOL(atomic_sub);
6695 +EXPORT_SYMBOL(atomic_sub_unchecked);
6696 EXPORT_SYMBOL(atomic_sub_ret);
6697 EXPORT_SYMBOL(atomic64_add);
6698 +EXPORT_SYMBOL(atomic64_add_unchecked);
6699 EXPORT_SYMBOL(atomic64_add_ret);
6700 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
6701 EXPORT_SYMBOL(atomic64_sub);
6702 +EXPORT_SYMBOL(atomic64_sub_unchecked);
6703 EXPORT_SYMBOL(atomic64_sub_ret);
6704
6705 /* Atomic bit operations. */
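Review bot: `atomic_add_ret_unchecked` is not exported here, although atomic_64.S in this same patch defines it as a global next to the other `_unchecked` routines that do get an export. Modular code that ends up calling it would fail to resolve the symbol at load time; whether any module does is not visible from this hunk. I would add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`.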
6706 diff -urNp linux-2.6.39.3/arch/sparc/lib/Makefile linux-2.6.39.3/arch/sparc/lib/Makefile
6707 --- linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400
6708 +++ linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400
6709 @@ -2,7 +2,7 @@
6710 #
6711
6712 asflags-y := -ansi -DST_DIV0=0x02
6713 -ccflags-y := -Werror
6714 +#ccflags-y := -Werror
6715
6716 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
6717 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
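Review bot: `-Werror` is switched off for arch/sparc/lib by commenting the line out, with no indication of which warning made that necessary. Turning it off for the whole directory also hides any later warning in the hand-written routines there. I would rather fix the offending warning and keep `ccflags-y := -Werror`, or at least record the reason, e.g. `# -Werror disabled: <warning and file to fill in>`.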
6718 diff -urNp linux-2.6.39.3/arch/sparc/Makefile linux-2.6.39.3/arch/sparc/Makefile
6719 --- linux-2.6.39.3/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400
6720 +++ linux-2.6.39.3/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400
6721 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
6722 # Export what is needed by arch/sparc/boot/Makefile
6723 export VMLINUX_INIT VMLINUX_MAIN
6724 VMLINUX_INIT := $(head-y) $(init-y)
6725 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
6726 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
6727 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
6728 VMLINUX_MAIN += $(drivers-y) $(net-y)
6729
6730 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_32.c linux-2.6.39.3/arch/sparc/mm/fault_32.c
6731 --- linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400
6732 +++ linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400
6733 @@ -22,6 +22,9 @@
6734 #include <linux/interrupt.h>
6735 #include <linux/module.h>
6736 #include <linux/kdebug.h>
6737 +#include <linux/slab.h>
6738 +#include <linux/pagemap.h>
6739 +#include <linux/compiler.h>
6740
6741 #include <asm/system.h>
6742 #include <asm/page.h>
6743 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
6744 return safe_compute_effective_address(regs, insn);
6745 }
6746
6747 +#ifdef CONFIG_PAX_PAGEEXEC
6748 +#ifdef CONFIG_PAX_DLRESOLVE
6749 +static void pax_emuplt_close(struct vm_area_struct *vma)
6750 +{
6751 + vma->vm_mm->call_dl_resolve = 0UL;
6752 +}
6753 +
6754 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6755 +{
6756 + unsigned int *kaddr;
6757 +
6758 + vmf->page = alloc_page(GFP_HIGHUSER);
6759 + if (!vmf->page)
6760 + return VM_FAULT_OOM;
6761 +
6762 + kaddr = kmap(vmf->page);
6763 + memset(kaddr, 0, PAGE_SIZE);
6764 + kaddr[0] = 0x9DE3BFA8U; /* save */
6765 + flush_dcache_page(vmf->page);
6766 + kunmap(vmf->page);
6767 + return VM_FAULT_MAJOR;
6768 +}
6769 +
6770 +static const struct vm_operations_struct pax_vm_ops = {
6771 + .close = pax_emuplt_close,
6772 + .fault = pax_emuplt_fault
6773 +};
6774 +
6775 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6776 +{
6777 + int ret;
6778 +
6779 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6780 + vma->vm_mm = current->mm;
6781 + vma->vm_start = addr;
6782 + vma->vm_end = addr + PAGE_SIZE;
6783 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6784 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6785 + vma->vm_ops = &pax_vm_ops;
6786 +
6787 + ret = insert_vm_struct(current->mm, vma);
6788 + if (ret)
6789 + return ret;
6790 +
6791 + ++current->mm->total_vm;
6792 + return 0;
6793 +}
6794 +#endif
6795 +
6796 +/*
6797 + * PaX: decide what to do with offenders (regs->pc = fault address)
6798 + *
6799 + * returns 1 when task should be killed
6800 + * 2 when patched PLT trampoline was detected
6801 + * 3 when unpatched PLT trampoline was detected
6802 + */
6803 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6804 +{
6805 +
6806 +#ifdef CONFIG_PAX_EMUPLT
6807 + int err;
6808 +
6809 + do { /* PaX: patched PLT emulation #1 */
6810 + unsigned int sethi1, sethi2, jmpl;
6811 +
6812 + err = get_user(sethi1, (unsigned int *)regs->pc);
6813 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
6814 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
6815 +
6816 + if (err)
6817 + break;
6818 +
6819 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6820 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6821 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6822 + {
6823 + unsigned int addr;
6824 +
6825 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6826 + addr = regs->u_regs[UREG_G1];
6827 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6828 + regs->pc = addr;
6829 + regs->npc = addr+4;
6830 + return 2;
6831 + }
6832 + } while (0);
6833 +
6834 + { /* PaX: patched PLT emulation #2 */
6835 + unsigned int ba;
6836 +
6837 + err = get_user(ba, (unsigned int *)regs->pc);
6838 +
6839 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6840 + unsigned int addr;
6841 +
6842 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6843 + regs->pc = addr;
6844 + regs->npc = addr+4;
6845 + return 2;
6846 + }
6847 + }
6848 +
6849 + do { /* PaX: patched PLT emulation #3 */
6850 + unsigned int sethi, jmpl, nop;
6851 +
6852 + err = get_user(sethi, (unsigned int *)regs->pc);
6853 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6854 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6855 +
6856 + if (err)
6857 + break;
6858 +
6859 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6860 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6861 + nop == 0x01000000U)
6862 + {
6863 + unsigned int addr;
6864 +
6865 + addr = (sethi & 0x003FFFFFU) << 10;
6866 + regs->u_regs[UREG_G1] = addr;
6867 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6868 + regs->pc = addr;
6869 + regs->npc = addr+4;
6870 + return 2;
6871 + }
6872 + } while (0);
6873 +
6874 + do { /* PaX: unpatched PLT emulation step 1 */
6875 + unsigned int sethi, ba, nop;
6876 +
6877 + err = get_user(sethi, (unsigned int *)regs->pc);
6878 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
6879 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6880 +
6881 + if (err)
6882 + break;
6883 +
6884 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6885 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6886 + nop == 0x01000000U)
6887 + {
6888 + unsigned int addr, save, call;
6889 +
6890 + if ((ba & 0xFFC00000U) == 0x30800000U)
6891 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6892 + else
6893 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6894 +
6895 + err = get_user(save, (unsigned int *)addr);
6896 + err |= get_user(call, (unsigned int *)(addr+4));
6897 + err |= get_user(nop, (unsigned int *)(addr+8));
6898 + if (err)
6899 + break;
6900 +
6901 +#ifdef CONFIG_PAX_DLRESOLVE
6902 + if (save == 0x9DE3BFA8U &&
6903 + (call & 0xC0000000U) == 0x40000000U &&
6904 + nop == 0x01000000U)
6905 + {
6906 + struct vm_area_struct *vma;
6907 + unsigned long call_dl_resolve;
6908 +
6909 + down_read(&current->mm->mmap_sem);
6910 + call_dl_resolve = current->mm->call_dl_resolve;
6911 + up_read(&current->mm->mmap_sem);
6912 + if (likely(call_dl_resolve))
6913 + goto emulate;
6914 +
6915 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6916 +
6917 + down_write(&current->mm->mmap_sem);
6918 + if (current->mm->call_dl_resolve) {
6919 + call_dl_resolve = current->mm->call_dl_resolve;
6920 + up_write(&current->mm->mmap_sem);
6921 + if (vma)
6922 + kmem_cache_free(vm_area_cachep, vma);
6923 + goto emulate;
6924 + }
6925 +
6926 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6927 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6928 + up_write(&current->mm->mmap_sem);
6929 + if (vma)
6930 + kmem_cache_free(vm_area_cachep, vma);
6931 + return 1;
6932 + }
6933 +
6934 + if (pax_insert_vma(vma, call_dl_resolve)) {
6935 + up_write(&current->mm->mmap_sem);
6936 + kmem_cache_free(vm_area_cachep, vma);
6937 + return 1;
6938 + }
6939 +
6940 + current->mm->call_dl_resolve = call_dl_resolve;
6941 + up_write(&current->mm->mmap_sem);
6942 +
6943 +emulate:
6944 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6945 + regs->pc = call_dl_resolve;
6946 + regs->npc = addr+4;
6947 + return 3;
6948 + }
6949 +#endif
6950 +
6951 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6952 + if ((save & 0xFFC00000U) == 0x05000000U &&
6953 + (call & 0xFFFFE000U) == 0x85C0A000U &&
6954 + nop == 0x01000000U)
6955 + {
6956 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6957 + regs->u_regs[UREG_G2] = addr + 4;
6958 + addr = (save & 0x003FFFFFU) << 10;
6959 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6960 + regs->pc = addr;
6961 + regs->npc = addr+4;
6962 + return 3;
6963 + }
6964 + }
6965 + } while (0);
6966 +
6967 + do { /* PaX: unpatched PLT emulation step 2 */
6968 + unsigned int save, call, nop;
6969 +
6970 + err = get_user(save, (unsigned int *)(regs->pc-4));
6971 + err |= get_user(call, (unsigned int *)regs->pc);
6972 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
6973 + if (err)
6974 + break;
6975 +
6976 + if (save == 0x9DE3BFA8U &&
6977 + (call & 0xC0000000U) == 0x40000000U &&
6978 + nop == 0x01000000U)
6979 + {
6980 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6981 +
6982 + regs->u_regs[UREG_RETPC] = regs->pc;
6983 + regs->pc = dl_resolve;
6984 + regs->npc = dl_resolve+4;
6985 + return 3;
6986 + }
6987 + } while (0);
6988 +#endif
6989 +
6990 + return 1;
6991 +}
6992 +
6993 +void pax_report_insns(void *pc, void *sp)
6994 +{
6995 + unsigned long i;
6996 +
6997 + printk(KERN_ERR "PAX: bytes at PC: ");
6998 + for (i = 0; i < 8; i++) {
6999 + unsigned int c;
7000 + if (get_user(c, (unsigned int *)pc+i))
7001 + printk(KERN_CONT "???????? ");
7002 + else
7003 + printk(KERN_CONT "%08x ", c);
7004 + }
7005 + printk("\n");
7006 +}
7007 +#endif
7008 +
7009 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
7010 int text_fault)
7011 {
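Review bot: Every `get_user()` in pax_handle_fetch_fault and pax_report_insns casts the address to a plain `unsigned int *`, so sparse cannot see that these are user pointers. Writing them as `get_user(sethi1, (unsigned int __user *)regs->pc)`, and `(unsigned int __user *)pc + i` in pax_report_insns, keeps user/kernel pointer checking intact in code that decodes instructions from user memory and then rewrites `regs->pc`. The opcode masks would also benefit from a short comment per pattern naming the instruction form being matched, since the bare hex values are the only thing standing between a fetch fault and emulation. Separately, pax_report_insns never uses its `sp` parameter.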
7012 @@ -281,6 +546,24 @@ good_area:
7013 if(!(vma->vm_flags & VM_WRITE))
7014 goto bad_area;
7015 } else {
7016 +
7017 +#ifdef CONFIG_PAX_PAGEEXEC
7018 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
7019 + up_read(&mm->mmap_sem);
7020 + switch (pax_handle_fetch_fault(regs)) {
7021 +
7022 +#ifdef CONFIG_PAX_EMUPLT
7023 + case 2:
7024 + case 3:
7025 + return;
7026 +#endif
7027 +
7028 + }
7029 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
7030 + do_group_exit(SIGKILL);
7031 + }
7032 +#endif
7033 +
7034 /* Allow reads even for write-only mappings */
7035 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
7036 goto bad_area;
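Review bot: The `switch (pax_handle_fetch_fault(regs))` matches bare `2` and `3` and has no `default`, and with CONFIG_PAX_EMUPLT disabled its body is empty, so the kill path is reached only by falling out of the switch. Named return codes shared with pax_handle_fetch_fault and an explicit `default: break;` carrying a comment like `/* not a recognised PLT trampoline: report and kill */` would make it clear that anything unrecognised is fatal. It would also help to note that `mmap_sem` is dropped before the call because the handler takes it itself. The surrounding function starts and ends outside this hunk.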
7037 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_64.c linux-2.6.39.3/arch/sparc/mm/fault_64.c
7038 --- linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400
7039 +++ linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400
7040 @@ -21,6 +21,9 @@
7041 #include <linux/kprobes.h>
7042 #include <linux/kdebug.h>
7043 #include <linux/percpu.h>
7044 +#include <linux/slab.h>
7045 +#include <linux/pagemap.h>
7046 +#include <linux/compiler.h>
7047
7048 #include <asm/page.h>
7049 #include <asm/pgtable.h>
7050 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
7051 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
7052 regs->tpc);
7053 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
7054 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
7055 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
7056 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
7057 dump_stack();
7058 unhandled_fault(regs->tpc, current, regs);
7059 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
7060 show_regs(regs);
7061 }
7062
7063 +#ifdef CONFIG_PAX_PAGEEXEC
7064 +#ifdef CONFIG_PAX_DLRESOLVE
7065 +static void pax_emuplt_close(struct vm_area_struct *vma)
7066 +{
7067 + vma->vm_mm->call_dl_resolve = 0UL;
7068 +}
7069 +
7070 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
7071 +{
7072 + unsigned int *kaddr;
7073 +
7074 + vmf->page = alloc_page(GFP_HIGHUSER);
7075 + if (!vmf->page)
7076 + return VM_FAULT_OOM;
7077 +
7078 + kaddr = kmap(vmf->page);
7079 + memset(kaddr, 0, PAGE_SIZE);
7080 + kaddr[0] = 0x9DE3BFA8U; /* save */
7081 + flush_dcache_page(vmf->page);
7082 + kunmap(vmf->page);
7083 + return VM_FAULT_MAJOR;
7084 +}
7085 +
7086 +static const struct vm_operations_struct pax_vm_ops = {
7087 + .close = pax_emuplt_close,
7088 + .fault = pax_emuplt_fault
7089 +};
7090 +
7091 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
7092 +{
7093 + int ret;
7094 +
7095 + INIT_LIST_HEAD(&vma->anon_vma_chain);
7096 + vma->vm_mm = current->mm;
7097 + vma->vm_start = addr;
7098 + vma->vm_end = addr + PAGE_SIZE;
7099 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
7100 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
7101 + vma->vm_ops = &pax_vm_ops;
7102 +
7103 + ret = insert_vm_struct(current->mm, vma);
7104 + if (ret)
7105 + return ret;
7106 +
7107 + ++current->mm->total_vm;
7108 + return 0;
7109 +}
7110 +#endif
7111 +
7112 +/*
7113 + * PaX: decide what to do with offenders (regs->tpc = fault address)
7114 + *
7115 + * returns 1 when task should be killed
7116 + * 2 when patched PLT trampoline was detected
7117 + * 3 when unpatched PLT trampoline was detected
7118 + */
7119 +static int pax_handle_fetch_fault(struct pt_regs *regs)
7120 +{
7121 +
7122 +#ifdef CONFIG_PAX_EMUPLT
7123 + int err;
7124 +
7125 + do { /* PaX: patched PLT emulation #1 */
7126 + unsigned int sethi1, sethi2, jmpl;
7127 +
7128 + err = get_user(sethi1, (unsigned int *)regs->tpc);
7129 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
7130 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
7131 +
7132 + if (err)
7133 + break;
7134 +
7135 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
7136 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
7137 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
7138 + {
7139 + unsigned long addr;
7140 +
7141 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
7142 + addr = regs->u_regs[UREG_G1];
7143 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7144 +
7145 + if (test_thread_flag(TIF_32BIT))
7146 + addr &= 0xFFFFFFFFUL;
7147 +
7148 + regs->tpc = addr;
7149 + regs->tnpc = addr+4;
7150 + return 2;
7151 + }
7152 + } while (0);
7153 +
7154 + { /* PaX: patched PLT emulation #2 */
7155 + unsigned int ba;
7156 +
7157 + err = get_user(ba, (unsigned int *)regs->tpc);
7158 +
7159 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
7160 + unsigned long addr;
7161 +
7162 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7163 +
7164 + if (test_thread_flag(TIF_32BIT))
7165 + addr &= 0xFFFFFFFFUL;
7166 +
7167 + regs->tpc = addr;
7168 + regs->tnpc = addr+4;
7169 + return 2;
7170 + }
7171 + }
7172 +
7173 + do { /* PaX: patched PLT emulation #3 */
7174 + unsigned int sethi, jmpl, nop;
7175 +
7176 + err = get_user(sethi, (unsigned int *)regs->tpc);
7177 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
7178 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7179 +
7180 + if (err)
7181 + break;
7182 +
7183 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7184 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
7185 + nop == 0x01000000U)
7186 + {
7187 + unsigned long addr;
7188 +
7189 + addr = (sethi & 0x003FFFFFU) << 10;
7190 + regs->u_regs[UREG_G1] = addr;
7191 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7192 +
7193 + if (test_thread_flag(TIF_32BIT))
7194 + addr &= 0xFFFFFFFFUL;
7195 +
7196 + regs->tpc = addr;
7197 + regs->tnpc = addr+4;
7198 + return 2;
7199 + }
7200 + } while (0);
7201 +
7202 + do { /* PaX: patched PLT emulation #4 */
7203 + unsigned int sethi, mov1, call, mov2;
7204 +
7205 + err = get_user(sethi, (unsigned int *)regs->tpc);
7206 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
7207 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
7208 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
7209 +
7210 + if (err)
7211 + break;
7212 +
7213 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7214 + mov1 == 0x8210000FU &&
7215 + (call & 0xC0000000U) == 0x40000000U &&
7216 + mov2 == 0x9E100001U)
7217 + {
7218 + unsigned long addr;
7219 +
7220 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
7221 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7222 +
7223 + if (test_thread_flag(TIF_32BIT))
7224 + addr &= 0xFFFFFFFFUL;
7225 +
7226 + regs->tpc = addr;
7227 + regs->tnpc = addr+4;
7228 + return 2;
7229 + }
7230 + } while (0);
7231 +
7232 + do { /* PaX: patched PLT emulation #5 */
7233 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
7234 +
7235 + err = get_user(sethi, (unsigned int *)regs->tpc);
7236 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7237 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7238 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
7239 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
7240 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
7241 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
7242 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
7243 +
7244 + if (err)
7245 + break;
7246 +
7247 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7248 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7249 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7250 + (or1 & 0xFFFFE000U) == 0x82106000U &&
7251 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7252 + sllx == 0x83287020U &&
7253 + jmpl == 0x81C04005U &&
7254 + nop == 0x01000000U)
7255 + {
7256 + unsigned long addr;
7257 +
7258 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7259 + regs->u_regs[UREG_G1] <<= 32;
7260 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7261 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7262 + regs->tpc = addr;
7263 + regs->tnpc = addr+4;
7264 + return 2;
7265 + }
7266 + } while (0);
7267 +
7268 + do { /* PaX: patched PLT emulation #6 */
7269 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
7270 +
7271 + err = get_user(sethi, (unsigned int *)regs->tpc);
7272 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7273 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7274 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
7275 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
7276 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
7277 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
7278 +
7279 + if (err)
7280 + break;
7281 +
7282 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7283 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7284 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7285 + sllx == 0x83287020U &&
7286 + (or & 0xFFFFE000U) == 0x8A116000U &&
7287 + jmpl == 0x81C04005U &&
7288 + nop == 0x01000000U)
7289 + {
7290 + unsigned long addr;
7291 +
7292 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
7293 + regs->u_regs[UREG_G1] <<= 32;
7294 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
7295 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7296 + regs->tpc = addr;
7297 + regs->tnpc = addr+4;
7298 + return 2;
7299 + }
7300 + } while (0);
7301 +
7302 + do { /* PaX: unpatched PLT emulation step 1 */
7303 + unsigned int sethi, ba, nop;
7304 +
7305 + err = get_user(sethi, (unsigned int *)regs->tpc);
7306 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7307 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7308 +
7309 + if (err)
7310 + break;
7311 +
7312 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7313 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
7314 + nop == 0x01000000U)
7315 + {
7316 + unsigned long addr;
7317 + unsigned int save, call;
7318 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
7319 +
7320 + if ((ba & 0xFFC00000U) == 0x30800000U)
7321 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7322 + else
7323 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7324 +
7325 + if (test_thread_flag(TIF_32BIT))
7326 + addr &= 0xFFFFFFFFUL;
7327 +
7328 + err = get_user(save, (unsigned int *)addr);
7329 + err |= get_user(call, (unsigned int *)(addr+4));
7330 + err |= get_user(nop, (unsigned int *)(addr+8));
7331 + if (err)
7332 + break;
7333 +
7334 +#ifdef CONFIG_PAX_DLRESOLVE
7335 + if (save == 0x9DE3BFA8U &&
7336 + (call & 0xC0000000U) == 0x40000000U &&
7337 + nop == 0x01000000U)
7338 + {
7339 + struct vm_area_struct *vma;
7340 + unsigned long call_dl_resolve;
7341 +
7342 + down_read(&current->mm->mmap_sem);
7343 + call_dl_resolve = current->mm->call_dl_resolve;
7344 + up_read(&current->mm->mmap_sem);
7345 + if (likely(call_dl_resolve))
7346 + goto emulate;
7347 +
7348 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
7349 +
7350 + down_write(&current->mm->mmap_sem);
7351 + if (current->mm->call_dl_resolve) {
7352 + call_dl_resolve = current->mm->call_dl_resolve;
7353 + up_write(&current->mm->mmap_sem);
7354 + if (vma)
7355 + kmem_cache_free(vm_area_cachep, vma);
7356 + goto emulate;
7357 + }
7358 +
7359 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
7360 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
7361 + up_write(&current->mm->mmap_sem);
7362 + if (vma)
7363 + kmem_cache_free(vm_area_cachep, vma);
7364 + return 1;
7365 + }
7366 +
7367 + if (pax_insert_vma(vma, call_dl_resolve)) {
7368 + up_write(&current->mm->mmap_sem);
7369 + kmem_cache_free(vm_area_cachep, vma);
7370 + return 1;
7371 + }
7372 +
7373 + current->mm->call_dl_resolve = call_dl_resolve;
7374 + up_write(&current->mm->mmap_sem);
7375 +
7376 +emulate:
7377 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7378 + regs->tpc = call_dl_resolve;
7379 + regs->tnpc = addr+4;
7380 + return 3;
7381 + }
7382 +#endif
7383 +
7384 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
7385 + if ((save & 0xFFC00000U) == 0x05000000U &&
7386 + (call & 0xFFFFE000U) == 0x85C0A000U &&
7387 + nop == 0x01000000U)
7388 + {
7389 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7390 + regs->u_regs[UREG_G2] = addr + 4;
7391 + addr = (save & 0x003FFFFFU) << 10;
7392 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7393 +
7394 + if (test_thread_flag(TIF_32BIT))
7395 + addr &= 0xFFFFFFFFUL;
7396 +
7397 + regs->tpc = addr;
7398 + regs->tnpc = addr+4;
7399 + return 3;
7400 + }
7401 +
7402 + /* PaX: 64-bit PLT stub */
7403 + err = get_user(sethi1, (unsigned int *)addr);
7404 + err |= get_user(sethi2, (unsigned int *)(addr+4));
7405 + err |= get_user(or1, (unsigned int *)(addr+8));
7406 + err |= get_user(or2, (unsigned int *)(addr+12));
7407 + err |= get_user(sllx, (unsigned int *)(addr+16));
7408 + err |= get_user(add, (unsigned int *)(addr+20));
7409 + err |= get_user(jmpl, (unsigned int *)(addr+24));
7410 + err |= get_user(nop, (unsigned int *)(addr+28));
7411 + if (err)
7412 + break;
7413 +
7414 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
7415 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7416 + (or1 & 0xFFFFE000U) == 0x88112000U &&
7417 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7418 + sllx == 0x89293020U &&
7419 + add == 0x8A010005U &&
7420 + jmpl == 0x89C14000U &&
7421 + nop == 0x01000000U)
7422 + {
7423 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7424 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7425 + regs->u_regs[UREG_G4] <<= 32;
7426 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7427 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
7428 + regs->u_regs[UREG_G4] = addr + 24;
7429 + addr = regs->u_regs[UREG_G5];
7430 + regs->tpc = addr;
7431 + regs->tnpc = addr+4;
7432 + return 3;
7433 + }
7434 + }
7435 + } while (0);
7436 +
7437 +#ifdef CONFIG_PAX_DLRESOLVE
7438 + do { /* PaX: unpatched PLT emulation step 2 */
7439 + unsigned int save, call, nop;
7440 +
7441 + err = get_user(save, (unsigned int *)(regs->tpc-4));
7442 + err |= get_user(call, (unsigned int *)regs->tpc);
7443 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
7444 + if (err)
7445 + break;
7446 +
7447 + if (save == 0x9DE3BFA8U &&
7448 + (call & 0xC0000000U) == 0x40000000U &&
7449 + nop == 0x01000000U)
7450 + {
7451 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7452 +
7453 + if (test_thread_flag(TIF_32BIT))
7454 + dl_resolve &= 0xFFFFFFFFUL;
7455 +
7456 + regs->u_regs[UREG_RETPC] = regs->tpc;
7457 + regs->tpc = dl_resolve;
7458 + regs->tnpc = dl_resolve+4;
7459 + return 3;
7460 + }
7461 + } while (0);
7462 +#endif
7463 +
7464 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
7465 + unsigned int sethi, ba, nop;
7466 +
7467 + err = get_user(sethi, (unsigned int *)regs->tpc);
7468 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7469 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7470 +
7471 + if (err)
7472 + break;
7473 +
7474 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7475 + (ba & 0xFFF00000U) == 0x30600000U &&
7476 + nop == 0x01000000U)
7477 + {
7478 + unsigned long addr;
7479 +
7480 + addr = (sethi & 0x003FFFFFU) << 10;
7481 + regs->u_regs[UREG_G1] = addr;
7482 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7483 +
7484 + if (test_thread_flag(TIF_32BIT))
7485 + addr &= 0xFFFFFFFFUL;
7486 +
7487 + regs->tpc = addr;
7488 + regs->tnpc = addr+4;
7489 + return 2;
7490 + }
7491 + } while (0);
7492 +
7493 +#endif
7494 +
7495 + return 1;
7496 +}
7497 +
7498 +void pax_report_insns(void *pc, void *sp)
7499 +{
7500 + unsigned long i;
7501 +
7502 + printk(KERN_ERR "PAX: bytes at PC: ");
7503 + for (i = 0; i < 8; i++) {
7504 + unsigned int c;
7505 + if (get_user(c, (unsigned int *)pc+i))
7506 + printk(KERN_CONT "???????? ");
7507 + else
7508 + printk(KERN_CONT "%08x ", c);
7509 + }
7510 + printk("\n");
7511 +}
7512 +#endif
7513 +
7514 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
7515 {
7516 struct mm_struct *mm = current->mm;
7517 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
7518 if (!vma)
7519 goto bad_area;
7520
7521 +#ifdef CONFIG_PAX_PAGEEXEC
7522 + /* PaX: detect ITLB misses on non-exec pages */
7523 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
7524 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
7525 + {
7526 + if (address != regs->tpc)
7527 + goto good_area;
7528 +
7529 + up_read(&mm->mmap_sem);
7530 + switch (pax_handle_fetch_fault(regs)) {
7531 +
7532 +#ifdef CONFIG_PAX_EMUPLT
7533 + case 2:
7534 + case 3:
7535 + return;
7536 +#endif
7537 +
7538 + }
7539 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
7540 + do_group_exit(SIGKILL);
7541 + }
7542 +#endif
7543 +
7544 /* Pure DTLB misses do not tell us whether the fault causing
7545 * load/store/atomic was a write or not, it only says that there
7546 * was no match. So in such a case we (carefully) read the
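Review bot: The added `switch (pax_handle_fetch_fault(regs))` dispatches on the bare values 2 and 3 and has no `default`, so with CONFIG_PAX_EMUPLT disabled the switch body is empty and the contract is visible only as the fall-through to `pax_report_fault()` and `do_group_exit(SIGKILL)`. I would add `default: break;` and a comment like `/* 2, 3: PLT stub emulated, regs->tpc already redirected; anything else is reported and the task killed */`. The `up_read(&mm->mmap_sem)` before the call also deserves one line, since the emulation code earlier in this file (its function header is outside this view, presumably pax_handle_fetch_fault) takes mmap_sem itself under CONFIG_PAX_DLRESOLVE. do_sparc64_fault starts and continues outside the hunk.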
7547 diff -urNp linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c
7548 --- linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
7549 +++ linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
7550 @@ -68,7 +68,7 @@ full_search:
7551 }
7552 return -ENOMEM;
7553 }
7554 - if (likely(!vma || addr + len <= vma->vm_start)) {
7555 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7556 /*
7557 * Remember the place where we stopped the search:
7558 */
7559 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
7560 /* make sure it can fit in the remaining address space */
7561 if (likely(addr > len)) {
7562 vma = find_vma(mm, addr-len);
7563 - if (!vma || addr <= vma->vm_start) {
7564 + if (check_heap_stack_gap(vma, addr - len, len)) {
7565 /* remember the address as a hint for next time */
7566 return (mm->free_area_cache = addr-len);
7567 }
7568 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
7569 if (unlikely(mm->mmap_base < len))
7570 goto bottomup;
7571
7572 - addr = (mm->mmap_base-len) & HPAGE_MASK;
7573 + addr = mm->mmap_base - len;
7574
7575 do {
7576 + addr &= HPAGE_MASK;
7577 /*
7578 * Lookup failure means no vma is above this address,
7579 * else if new region fits below vma->vm_start,
7580 * return with success:
7581 */
7582 vma = find_vma(mm, addr);
7583 - if (likely(!vma || addr+len <= vma->vm_start)) {
7584 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7585 /* remember the address as a hint for next time */
7586 return (mm->free_area_cache = addr);
7587 }
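Review bot: Moving `addr &= HPAGE_MASK` to the top of the `do` loop changes which values get aligned, and nothing in the hunk says why. It now also rounds down whatever `skip_heap_stack_gap(vma, len)` returns in the following `-135,8` hunk, which presumably is not huge-page aligned; a comment such as `/* re-align: skip_heap_stack_gap() need not return an HPAGE-aligned address */` would record that (confirm against the helper, which is not defined in these hunks). That next hunk also replaces the `len < vma->vm_start` termination test with `!IS_ERR_VALUE(addr)`, so the loop now relies on the helper returning an error value when `vma->vm_start` is too low for `len` plus the gap; that contract should be stated next to the loop. hugetlb_get_unmapped_area_topdown starts and ends outside the hunk.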
7588 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
7589 mm->cached_hole_size = vma->vm_start - addr;
7590
7591 /* try just below the current vma->vm_start */
7592 - addr = (vma->vm_start-len) & HPAGE_MASK;
7593 - } while (likely(len < vma->vm_start));
7594 + addr = skip_heap_stack_gap(vma, len);
7595 + } while (!IS_ERR_VALUE(addr));
7596
7597 bottomup:
7598 /*
7599 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
7600 if (addr) {
7601 addr = ALIGN(addr, HPAGE_SIZE);
7602 vma = find_vma(mm, addr);
7603 - if (task_size - len >= addr &&
7604 - (!vma || addr + len <= vma->vm_start))
7605 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
7606 return addr;
7607 }
7608 if (mm->get_unmapped_area == arch_get_unmapped_area)
7609 diff -urNp linux-2.6.39.3/arch/sparc/mm/init_32.c linux-2.6.39.3/arch/sparc/mm/init_32.c
7610 --- linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
7611 +++ linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
7612 @@ -318,6 +318,9 @@ extern void device_scan(void);
7613 pgprot_t PAGE_SHARED __read_mostly;
7614 EXPORT_SYMBOL(PAGE_SHARED);
7615
7616 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
7617 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
7618 +
7619 void __init paging_init(void)
7620 {
7621 switch(sparc_cpu_model) {
7622 @@ -346,17 +349,17 @@ void __init paging_init(void)
7623
7624 /* Initialize the protection map with non-constant, MMU dependent values. */
7625 protection_map[0] = PAGE_NONE;
7626 - protection_map[1] = PAGE_READONLY;
7627 - protection_map[2] = PAGE_COPY;
7628 - protection_map[3] = PAGE_COPY;
7629 + protection_map[1] = PAGE_READONLY_NOEXEC;
7630 + protection_map[2] = PAGE_COPY_NOEXEC;
7631 + protection_map[3] = PAGE_COPY_NOEXEC;
7632 protection_map[4] = PAGE_READONLY;
7633 protection_map[5] = PAGE_READONLY;
7634 protection_map[6] = PAGE_COPY;
7635 protection_map[7] = PAGE_COPY;
7636 protection_map[8] = PAGE_NONE;
7637 - protection_map[9] = PAGE_READONLY;
7638 - protection_map[10] = PAGE_SHARED;
7639 - protection_map[11] = PAGE_SHARED;
7640 + protection_map[9] = PAGE_READONLY_NOEXEC;
7641 + protection_map[10] = PAGE_SHARED_NOEXEC;
7642 + protection_map[11] = PAGE_SHARED_NOEXEC;
7643 protection_map[12] = PAGE_READONLY;
7644 protection_map[13] = PAGE_READONLY;
7645 protection_map[14] = PAGE_SHARED;
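Review bot: `protection_map[]` now uses `PAGE_READONLY_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_SHARED_NOEXEC` unconditionally, and the `-318,6` hunk defines and exports `PAGE_SHARED_NOEXEC` unconditionally, but the srmmu.c hunk further down initialises these values only under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the page-table header (not shown here) maps the `_NOEXEC` names back to the regular protections when the option is off, entries 1-3 and 9-11 would be built from values that were never set on a non-PAGEEXEC build. If the header does provide that fallback, a one-line comment above the table saying so would settle it; otherwise the definition in init_32.c and these six assignments should sit under the same `#ifdef`. paging_init starts and ends outside the hunk.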
7646 diff -urNp linux-2.6.39.3/arch/sparc/mm/Makefile linux-2.6.39.3/arch/sparc/mm/Makefile
7647 --- linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400
7648 +++ linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400
7649 @@ -2,7 +2,7 @@
7650 #
7651
7652 asflags-y := -ansi
7653 -ccflags-y := -Werror
7654 +#ccflags-y := -Werror
7655
7656 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
7657 obj-y += fault_$(BITS).o
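Review bot: Commenting out `ccflags-y := -Werror` removes the warnings-as-errors gate for every object in arch/sparc/mm, the directory where this patch adds a large block of new fault-handling code. A commented-out line also leaves no record of which warning forced the change. Either fix the warning and keep the flag, or delete the line and state the reason in its place, e.g. `# -Werror dropped: <warning the patch triggers>`.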
7658 diff -urNp linux-2.6.39.3/arch/sparc/mm/srmmu.c linux-2.6.39.3/arch/sparc/mm/srmmu.c
7659 --- linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400
7660 +++ linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400
7661 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
7662 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
7663 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
7664 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
7665 +
7666 +#ifdef CONFIG_PAX_PAGEEXEC
7667 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
7668 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
7669 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
7670 +#endif
7671 +
7672 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
7673 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
7674
7675 diff -urNp linux-2.6.39.3/arch/tile/kernel/pci.c linux-2.6.39.3/arch/tile/kernel/pci.c
7676 --- linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 12:55:22.000000000 -0400
7677 +++ linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 13:00:25.000000000 -0400
7678 @@ -60,7 +60,7 @@ int __write_once tile_plx_gen1;
7679 static struct pci_controller controllers[TILE_NUM_PCIE];
7680 static int num_controllers;
7681
7682 -static struct pci_ops tile_cfg_ops;
7683 +static const struct pci_ops tile_cfg_ops;
7684
7685
7686 /*
7687 @@ -563,7 +563,7 @@ static int __devinit tile_cfg_write(stru
7688 }
7689
7690
7691 -static struct pci_ops tile_cfg_ops = {
7692 +static const struct pci_ops tile_cfg_ops = {
7693 .read = tile_cfg_read,
7694 .write = tile_cfg_write,
7695 };
7696 diff -urNp linux-2.6.39.3/arch/um/include/asm/kmap_types.h linux-2.6.39.3/arch/um/include/asm/kmap_types.h
7697 --- linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
7698 +++ linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
7699 @@ -23,6 +23,7 @@ enum km_type {
7700 KM_IRQ1,
7701 KM_SOFTIRQ0,
7702 KM_SOFTIRQ1,
7703 + KM_CLEARPAGE,
7704 KM_TYPE_NR
7705 };
7706
7707 diff -urNp linux-2.6.39.3/arch/um/include/asm/page.h linux-2.6.39.3/arch/um/include/asm/page.h
7708 --- linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
7709 +++ linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
7710 @@ -14,6 +14,9 @@
7711 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
7712 #define PAGE_MASK (~(PAGE_SIZE-1))
7713
7714 +#define ktla_ktva(addr) (addr)
7715 +#define ktva_ktla(addr) (addr)
7716 +
7717 #ifndef __ASSEMBLY__
7718
7719 struct page;
7720 diff -urNp linux-2.6.39.3/arch/um/kernel/process.c linux-2.6.39.3/arch/um/kernel/process.c
7721 --- linux-2.6.39.3/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
7722 +++ linux-2.6.39.3/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
7723 @@ -404,22 +404,6 @@ int singlestepping(void * t)
7724 return 2;
7725 }
7726
7727 -/*
7728 - * Only x86 and x86_64 have an arch_align_stack().
7729 - * All other arches have "#define arch_align_stack(x) (x)"
7730 - * in their asm/system.h
7731 - * As this is included in UML from asm-um/system-generic.h,
7732 - * we can use it to behave as the subarch does.
7733 - */
7734 -#ifndef arch_align_stack
7735 -unsigned long arch_align_stack(unsigned long sp)
7736 -{
7737 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7738 - sp -= get_random_int() % 8192;
7739 - return sp & ~0xf;
7740 -}
7741 -#endif
7742 -
7743 unsigned long get_wchan(struct task_struct *p)
7744 {
7745 unsigned long stack_page, sp, ip;
7746 diff -urNp linux-2.6.39.3/arch/um/sys-i386/syscalls.c linux-2.6.39.3/arch/um/sys-i386/syscalls.c
7747 --- linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400
7748 +++ linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400
7749 @@ -11,6 +11,21 @@
7750 #include "asm/uaccess.h"
7751 #include "asm/unistd.h"
7752
7753 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7754 +{
7755 + unsigned long pax_task_size = TASK_SIZE;
7756 +
7757 +#ifdef CONFIG_PAX_SEGMEXEC
7758 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7759 + pax_task_size = SEGMEXEC_TASK_SIZE;
7760 +#endif
7761 +
7762 + if (len > pax_task_size || addr > pax_task_size - len)
7763 + return -EINVAL;
7764 +
7765 + return 0;
7766 +}
7767 +
7768 /*
7769 * The prototype on i386 is:
7770 *
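Review bot: The bounds test in `i386_mmap_check()` depends on its operand order, and that is not documented: `len > pax_task_size` has to be evaluated first so that `pax_task_size - len` cannot wrap before it is compared with `addr`. A comment above the `if`, for example `/* check len first: pax_task_size - len must not underflow */`, would stop a later cleanup from reordering or merging the two comparisons. The function also has external linkage and dereferences `current->mm` without a check, so a short header comment naming the expected caller and its assumption of a user mm would help; no prototype is visible in this hunk.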
7771 diff -urNp linux-2.6.39.3/arch/unicore32/kernel/pci.c linux-2.6.39.3/arch/unicore32/kernel/pci.c
7772 --- linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7773 +++ linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7774 @@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u
7775 return PCIBIOS_SUCCESSFUL;
7776 }
7777
7778 -struct pci_ops pci_puv3_ops = {
7779 +const struct pci_ops pci_puv3_ops = {
7780 .read = puv3_read_config,
7781 .write = puv3_write_config,
7782 };
7783 diff -urNp linux-2.6.39.3/arch/x86/boot/bitops.h linux-2.6.39.3/arch/x86/boot/bitops.h
7784 --- linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400
7785 +++ linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400
7786 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7787 u8 v;
7788 const u32 *p = (const u32 *)addr;
7789
7790 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7791 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7792 return v;
7793 }
7794
7795 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7796
7797 static inline void set_bit(int nr, void *addr)
7798 {
7799 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7800 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7801 }
7802
7803 #endif /* BOOT_BITOPS_H */
7804 diff -urNp linux-2.6.39.3/arch/x86/boot/boot.h linux-2.6.39.3/arch/x86/boot/boot.h
7805 --- linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400
7806 +++ linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400
7807 @@ -85,7 +85,7 @@ static inline void io_delay(void)
7808 static inline u16 ds(void)
7809 {
7810 u16 seg;
7811 - asm("movw %%ds,%0" : "=rm" (seg));
7812 + asm volatile("movw %%ds,%0" : "=rm" (seg));
7813 return seg;
7814 }
7815
7816 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
7817 static inline int memcmp(const void *s1, const void *s2, size_t len)
7818 {
7819 u8 diff;
7820 - asm("repe; cmpsb; setnz %0"
7821 + asm volatile("repe; cmpsb; setnz %0"
7822 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7823 return diff;
7824 }
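Review bot: Adding `volatile` to the `repe; cmpsb` statement keeps the compiler from dropping or merging it, but the asm still reads both buffers through `s1` and `s2` without declaring that. With only the register operands listed, the compiler may keep a pending store to either buffer in a register across the statement. A `"memory"` clobber states the dependency: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`.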
7825 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_32.S linux-2.6.39.3/arch/x86/boot/compressed/head_32.S
7826 --- linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400
7827 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400
7828 @@ -76,7 +76,7 @@ ENTRY(startup_32)
7829 notl %eax
7830 andl %eax, %ebx
7831 #else
7832 - movl $LOAD_PHYSICAL_ADDR, %ebx
7833 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7834 #endif
7835
7836 /* Target address to relocate to for decompression */
7837 @@ -162,7 +162,7 @@ relocated:
7838 * and where it was actually loaded.
7839 */
7840 movl %ebp, %ebx
7841 - subl $LOAD_PHYSICAL_ADDR, %ebx
7842 + subl $____LOAD_PHYSICAL_ADDR, %ebx
7843 jz 2f /* Nothing to be done if loaded at compiled addr. */
7844 /*
7845 * Process relocations.
7846 @@ -170,8 +170,7 @@ relocated:
7847
7848 1: subl $4, %edi
7849 movl (%edi), %ecx
7850 - testl %ecx, %ecx
7851 - jz 2f
7852 + jecxz 2f
7853 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7854 jmp 1b
7855 2:
7856 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_64.S linux-2.6.39.3/arch/x86/boot/compressed/head_64.S
7857 --- linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400
7858 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400
7859 @@ -91,7 +91,7 @@ ENTRY(startup_32)
7860 notl %eax
7861 andl %eax, %ebx
7862 #else
7863 - movl $LOAD_PHYSICAL_ADDR, %ebx
7864 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7865 #endif
7866
7867 /* Target address to relocate to for decompression */
7868 @@ -233,7 +233,7 @@ ENTRY(startup_64)
7869 notq %rax
7870 andq %rax, %rbp
7871 #else
7872 - movq $LOAD_PHYSICAL_ADDR, %rbp
7873 + movq $____LOAD_PHYSICAL_ADDR, %rbp
7874 #endif
7875
7876 /* Target address to relocate to for decompression */
7877 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/misc.c linux-2.6.39.3/arch/x86/boot/compressed/misc.c
7878 --- linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400
7879 +++ linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400
7880 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
7881 case PT_LOAD:
7882 #ifdef CONFIG_RELOCATABLE
7883 dest = output;
7884 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7885 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7886 #else
7887 dest = (void *)(phdr->p_paddr);
7888 #endif
7889 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
7890 error("Destination address too large");
7891 #endif
7892 #ifndef CONFIG_RELOCATABLE
7893 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7894 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7895 error("Wrong destination address");
7896 #endif
7897
7898 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/relocs.c linux-2.6.39.3/arch/x86/boot/compressed/relocs.c
7899 --- linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400
7900 +++ linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400
7901 @@ -13,8 +13,11 @@
7902
7903 static void die(char *fmt, ...);
7904
7905 +#include "../../../../include/generated/autoconf.h"
7906 +
7907 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7908 static Elf32_Ehdr ehdr;
7909 +static Elf32_Phdr *phdr;
7910 static unsigned long reloc_count, reloc_idx;
7911 static unsigned long *relocs;
7912
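Review bot: The relative `#include "../../../../include/generated/autoconf.h"` is resolved from the source directory of relocs.c, so a build with a separate output directory will most likely not find the generated header, or will pick up a stale copy left in the source tree. relocs is a host program, so the include path is better supplied by the Makefile from the object tree than hard-coded here. It would also help to say in a comment which symbols are needed from the target configuration; later hunks in this file use `CONFIG_PAGE_OFFSET`, `CONFIG_PAX_KERNEXEC` and `CONFIG_X86_32`.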
7913 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
7914 }
7915 }
7916
7917 +static void read_phdrs(FILE *fp)
7918 +{
7919 + unsigned int i;
7920 +
7921 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7922 + if (!phdr) {
7923 + die("Unable to allocate %d program headers\n",
7924 + ehdr.e_phnum);
7925 + }
7926 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7927 + die("Seek to %d failed: %s\n",
7928 + ehdr.e_phoff, strerror(errno));
7929 + }
7930 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7931 + die("Cannot read ELF program headers: %s\n",
7932 + strerror(errno));
7933 + }
7934 + for(i = 0; i < ehdr.e_phnum; i++) {
7935 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7936 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7937 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7938 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7939 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7940 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7941 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7942 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7943 + }
7944 +
7945 +}
7946 +
7947 static void read_shdrs(FILE *fp)
7948 {
7949 - int i;
7950 + unsigned int i;
7951 Elf32_Shdr shdr;
7952
7953 secs = calloc(ehdr.e_shnum, sizeof(struct section));
7954 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
7955
7956 static void read_strtabs(FILE *fp)
7957 {
7958 - int i;
7959 + unsigned int i;
7960 for (i = 0; i < ehdr.e_shnum; i++) {
7961 struct section *sec = &secs[i];
7962 if (sec->shdr.sh_type != SHT_STRTAB) {
7963 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
7964
7965 static void read_symtabs(FILE *fp)
7966 {
7967 - int i,j;
7968 + unsigned int i,j;
7969 for (i = 0; i < ehdr.e_shnum; i++) {
7970 struct section *sec = &secs[i];
7971 if (sec->shdr.sh_type != SHT_SYMTAB) {
7972 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
7973
7974 static void read_relocs(FILE *fp)
7975 {
7976 - int i,j;
7977 + unsigned int i,j;
7978 + uint32_t base;
7979 +
7980 for (i = 0; i < ehdr.e_shnum; i++) {
7981 struct section *sec = &secs[i];
7982 if (sec->shdr.sh_type != SHT_REL) {
7983 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
7984 die("Cannot read symbol table: %s\n",
7985 strerror(errno));
7986 }
7987 + base = 0;
7988 + for (j = 0; j < ehdr.e_phnum; j++) {
7989 + if (phdr[j].p_type != PT_LOAD )
7990 + continue;
7991 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7992 + continue;
7993 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7994 + break;
7995 + }
7996 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7997 Elf32_Rel *rel = &sec->reltab[j];
7998 - rel->r_offset = elf32_to_cpu(rel->r_offset);
7999 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
8000 rel->r_info = elf32_to_cpu(rel->r_info);
8001 }
8002 }
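Review bot: The new base lookup indexes `secs[sec->shdr.sh_info]` without checking `sh_info` against `ehdr.e_shnum`, so a malformed input object would make the tool read past the `secs` array (unless the index is validated in a part of read_relocs outside this hunk). A guard before the `j` loop, `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info in section %u\n", i);`, closes that, and keeping the target section's `sh_offset` in a local would shorten the very long range condition. When no PT_LOAD segment contains the section, `base` silently stays 0 and the offsets are left unadjusted; if that is intended for sections outside any load segment, say so in a comment next to `base = 0;`.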
8003 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
8004
8005 static void print_absolute_symbols(void)
8006 {
8007 - int i;
8008 + unsigned int i;
8009 printf("Absolute symbols\n");
8010 printf(" Num: Value Size Type Bind Visibility Name\n");
8011 for (i = 0; i < ehdr.e_shnum; i++) {
8012 struct section *sec = &secs[i];
8013 char *sym_strtab;
8014 Elf32_Sym *sh_symtab;
8015 - int j;
8016 + unsigned int j;
8017
8018 if (sec->shdr.sh_type != SHT_SYMTAB) {
8019 continue;
8020 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
8021
8022 static void print_absolute_relocs(void)
8023 {
8024 - int i, printed = 0;
8025 + unsigned int i, printed = 0;
8026
8027 for (i = 0; i < ehdr.e_shnum; i++) {
8028 struct section *sec = &secs[i];
8029 struct section *sec_applies, *sec_symtab;
8030 char *sym_strtab;
8031 Elf32_Sym *sh_symtab;
8032 - int j;
8033 + unsigned int j;
8034 if (sec->shdr.sh_type != SHT_REL) {
8035 continue;
8036 }
8037 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
8038
8039 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
8040 {
8041 - int i;
8042 + unsigned int i;
8043 /* Walk through the relocations */
8044 for (i = 0; i < ehdr.e_shnum; i++) {
8045 char *sym_strtab;
8046 Elf32_Sym *sh_symtab;
8047 struct section *sec_applies, *sec_symtab;
8048 - int j;
8049 + unsigned int j;
8050 struct section *sec = &secs[i];
8051
8052 if (sec->shdr.sh_type != SHT_REL) {
8053 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
8054 !is_rel_reloc(sym_name(sym_strtab, sym))) {
8055 continue;
8056 }
8057 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
8058 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
8059 + continue;
8060 +
8061 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
8062 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
8063 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
8064 + continue;
8065 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
8066 + continue;
8067 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
8068 + continue;
8069 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
8070 + continue;
8071 +#endif
8072 +
8073 switch (r_type) {
8074 case R_386_NONE:
8075 case R_386_PC32:
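Review bot: The added filters call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times per relocation; two locals (`const char *secname = sec_name(sym->st_shndx);` and one for the symbol name) would make the conditions readable and keep each on one line. The last test compares against `"__LOAD_PHYSICAL_ADDR"` with two leading underscores, while the boot code in this patch uses `____LOAD_PHYSICAL_ADDR` with four; presumably these are distinct symbols on purpose, and a comment saying so would keep someone from correcting the spelling. The first KERNEXEC test also matches `_etext` only in `.module.text`, which deserves a word on why that one symbol is special. walk_relocs starts and continues outside the hunk.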
8076 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
8077
8078 static void emit_relocs(int as_text)
8079 {
8080 - int i;
8081 + unsigned int i;
8082 /* Count how many relocations I have and allocate space for them. */
8083 reloc_count = 0;
8084 walk_relocs(count_reloc);
8085 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
8086 fname, strerror(errno));
8087 }
8088 read_ehdr(fp);
8089 + read_phdrs(fp);
8090 read_shdrs(fp);
8091 read_strtabs(fp);
8092 read_symtabs(fp);
8093 diff -urNp linux-2.6.39.3/arch/x86/boot/cpucheck.c linux-2.6.39.3/arch/x86/boot/cpucheck.c
8094 --- linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400
8095 +++ linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400
8096 @@ -74,7 +74,7 @@ static int has_fpu(void)
8097 u16 fcw = -1, fsw = -1;
8098 u32 cr0;
8099
8100 - asm("movl %%cr0,%0" : "=r" (cr0));
8101 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
8102 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
8103 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
8104 asm volatile("movl %0,%%cr0" : : "r" (cr0));
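Review bot: Nothing here says why the CR0 read in has_fpu now needs `volatile`. A short comment such as `/* volatile: must not be merged with or moved across the CR0 write below */` would record the intent. The same applies to the `cpuid` and `rdmsr` statements changed in the get_flags and check_cpu hunks that follow. The `wrmsr` statements there have no output operands, which GCC already treats as volatile, so the keyword on those lines is for consistency only and could be noted as such.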
8105 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
8106 {
8107 u32 f0, f1;
8108
8109 - asm("pushfl ; "
8110 + asm volatile("pushfl ; "
8111 "pushfl ; "
8112 "popl %0 ; "
8113 "movl %0,%1 ; "
8114 @@ -115,7 +115,7 @@ static void get_flags(void)
8115 set_bit(X86_FEATURE_FPU, cpu.flags);
8116
8117 if (has_eflag(X86_EFLAGS_ID)) {
8118 - asm("cpuid"
8119 + asm volatile("cpuid"
8120 : "=a" (max_intel_level),
8121 "=b" (cpu_vendor[0]),
8122 "=d" (cpu_vendor[1]),
8123 @@ -124,7 +124,7 @@ static void get_flags(void)
8124
8125 if (max_intel_level >= 0x00000001 &&
8126 max_intel_level <= 0x0000ffff) {
8127 - asm("cpuid"
8128 + asm volatile("cpuid"
8129 : "=a" (tfms),
8130 "=c" (cpu.flags[4]),
8131 "=d" (cpu.flags[0])
8132 @@ -136,7 +136,7 @@ static void get_flags(void)
8133 cpu.model += ((tfms >> 16) & 0xf) << 4;
8134 }
8135
8136 - asm("cpuid"
8137 + asm volatile("cpuid"
8138 : "=a" (max_amd_level)
8139 : "a" (0x80000000)
8140 : "ebx", "ecx", "edx");
8141 @@ -144,7 +144,7 @@ static void get_flags(void)
8142 if (max_amd_level >= 0x80000001 &&
8143 max_amd_level <= 0x8000ffff) {
8144 u32 eax = 0x80000001;
8145 - asm("cpuid"
8146 + asm volatile("cpuid"
8147 : "+a" (eax),
8148 "=c" (cpu.flags[6]),
8149 "=d" (cpu.flags[1])
8150 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8151 u32 ecx = MSR_K7_HWCR;
8152 u32 eax, edx;
8153
8154 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8155 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8156 eax &= ~(1 << 15);
8157 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8158 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8159
8160 get_flags(); /* Make sure it really did something */
8161 err = check_flags();
8162 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8163 u32 ecx = MSR_VIA_FCR;
8164 u32 eax, edx;
8165
8166 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8167 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8168 eax |= (1<<1)|(1<<7);
8169 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8170 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8171
8172 set_bit(X86_FEATURE_CX8, cpu.flags);
8173 err = check_flags();
8174 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
8175 u32 eax, edx;
8176 u32 level = 1;
8177
8178 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8179 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8180 - asm("cpuid"
8181 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8182 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8183 + asm volatile("cpuid"
8184 : "+a" (level), "=d" (cpu.flags[0])
8185 : : "ecx", "ebx");
8186 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8187 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8188
8189 err = check_flags();
8190 }
8191 diff -urNp linux-2.6.39.3/arch/x86/boot/header.S linux-2.6.39.3/arch/x86/boot/header.S
8192 --- linux-2.6.39.3/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400
8193 +++ linux-2.6.39.3/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400
8194 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
8195 # single linked list of
8196 # struct setup_data
8197
8198 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
8199 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
8200
8201 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
8202 #define VO_INIT_SIZE (VO__end - VO__text)
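Review bot: The new operand `____LOAD_PHYSICAL_ADDR` on the `pref_address` line differs only in underscore count from `__LOAD_PHYSICAL_ADDR`, which the relocs hunk earlier on this page treats as a special symbol. The two are easy to confuse when reading or grepping. Its definition is not visible in this hunk, so extend the trailing comment to say which one is meant, e.g. `# preferred load addr (physical, not the __LOAD_PHYSICAL_ADDR link symbol)`, after confirming that against the definition.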
8203 diff -urNp linux-2.6.39.3/arch/x86/boot/memory.c linux-2.6.39.3/arch/x86/boot/memory.c
8204 --- linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400
8205 +++ linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400
8206 @@ -19,7 +19,7 @@
8207
8208 static int detect_memory_e820(void)
8209 {
8210 - int count = 0;
8211 + unsigned int count = 0;
8212 struct biosregs ireg, oreg;
8213 struct e820entry *desc = boot_params.e820_map;
8214 static struct e820entry buf; /* static so it is zeroed */
8215 diff -urNp linux-2.6.39.3/arch/x86/boot/video.c linux-2.6.39.3/arch/x86/boot/video.c
8216 --- linux-2.6.39.3/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400
8217 +++ linux-2.6.39.3/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400
8218 @@ -96,7 +96,7 @@ static void store_mode_params(void)
8219 static unsigned int get_entry(void)
8220 {
8221 char entry_buf[4];
8222 - int i, len = 0;
8223 + unsigned int i, len = 0;
8224 int key;
8225 unsigned int v;
8226
8227 diff -urNp linux-2.6.39.3/arch/x86/boot/video-vesa.c linux-2.6.39.3/arch/x86/boot/video-vesa.c
8228 --- linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400
8229 +++ linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400
8230 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
8231
8232 boot_params.screen_info.vesapm_seg = oreg.es;
8233 boot_params.screen_info.vesapm_off = oreg.di;
8234 + boot_params.screen_info.vesapm_size = oreg.cx;
8235 }
8236
8237 /*
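Review bot: `vesapm_size` is copied straight from the `CX` value the BIOS returned, with no comment on units or trust. Add something like `/* CX: length in bytes of the protected-mode interface table; BIOS-supplied, consumers must bound it */` on the new line. Whether the BIOS call's status is checked before these three stores cannot be seen from the hunk, because vesa_store_pm_info starts above it. If it is not, the size should only be stored on success.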
8238 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_aout.c linux-2.6.39.3/arch/x86/ia32/ia32_aout.c
8239 --- linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400
8240 +++ linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400
8241 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
8242 unsigned long dump_start, dump_size;
8243 struct user32 dump;
8244
8245 + memset(&dump, 0, sizeof(dump));
8246 +
8247 fs = get_fs();
8248 set_fs(KERNEL_DS);
8249 has_dumped = 1;
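Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment, and without one it looks like a redundant initialisation that a later cleanup could remove. Stating the purpose would protect it, e.g. `/* clear padding and any field not filled below so no stale kernel stack bytes reach the core file */`. The code that fills and writes `dump` is outside the hunk, so which fields were previously left unset is an assumption to confirm.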
8250 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32entry.S linux-2.6.39.3/arch/x86/ia32/ia32entry.S
8251 --- linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400
8252 +++ linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400
8253 @@ -13,6 +13,7 @@
8254 #include <asm/thread_info.h>
8255 #include <asm/segment.h>
8256 #include <asm/irqflags.h>
8257 +#include <asm/pgtable.h>
8258 #include <linux/linkage.h>
8259
8260 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
8261 @@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
8262 ENDPROC(native_irq_enable_sysexit)
8263 #endif
8264
8265 + .macro pax_enter_kernel_user
8266 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8267 + call pax_enter_kernel_user
8268 +#endif
8269 + .endm
8270 +
8271 + .macro pax_exit_kernel_user
8272 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8273 + call pax_exit_kernel_user
8274 +#endif
8275 +#ifdef CONFIG_PAX_RANDKSTACK
8276 + pushq %rax
8277 + call pax_randomize_kstack
8278 + popq %rax
8279 +#endif
8280 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8281 + call pax_erase_kstack
8282 +#endif
8283 + .endm
8284 +
8285 + .macro pax_erase_kstack
8286 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8287 + call pax_erase_kstack
8288 +#endif
8289 + .endm
8290 +
8291 /*
8292 * 32bit SYSENTER instruction entry.
8293 *
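Review bot: The three new macros carry no header comment, and each has the same name as the function it calls, so a reader cannot tell from a call site whether a macro or a symbol is meant. A comment above the first `.macro` should say that these are config-gated wrappers and list the registers they may clobber. Only `pax_exit_kernel_user` saves anything, namely `%rax` around `pax_randomize_kstack`. Whether the other callees preserve all registers is not visible here.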
8294 @@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
8295 CFI_REGISTER rsp,rbp
8296 SWAPGS_UNSAFE_STACK
8297 movq PER_CPU_VAR(kernel_stack), %rsp
8298 - addq $(KERNEL_STACK_OFFSET),%rsp
8299 + pax_enter_kernel_user
8300 /*
8301 * No need to follow this irqs on/off section: the syscall
8302 * disabled irqs, here we enable it straight after entry:
8303 @@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
8304 CFI_REL_OFFSET rsp,0
8305 pushfq_cfi
8306 /*CFI_REL_OFFSET rflags,0*/
8307 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
8308 + GET_THREAD_INFO(%r10)
8309 + movl TI_sysenter_return(%r10), %r10d
8310 CFI_REGISTER rip,r10
8311 pushq_cfi $__USER32_CS
8312 /*CFI_REL_OFFSET cs,0*/
8313 @@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
8314 SAVE_ARGS 0,0,1
8315 /* no need to do an access_ok check here because rbp has been
8316 32bit zero extended */
8317 +
8318 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8319 + mov $PAX_USER_SHADOW_BASE,%r10
8320 + add %r10,%rbp
8321 +#endif
8322 +
8323 1: movl (%rbp),%ebp
8324 .section __ex_table,"a"
8325 .quad 1b,ia32_badarg
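Review bot: The added UDEREF block overwrites `%r10` as scratch without saying that the register is free at this point. Earlier in ia32_sysenter_target `%r10d` is loaded from `TI_sysenter_return`, and `sysenter_dispatch` later uses `%r10` as the thread_info pointer; the lines that push or reload it are outside this hunk. A comment such as `/* %r10 is scratch here; rebase the user pointer into the shadow mapping */` would make the assumption explicit. The same applies to the matching block before `1: movl (%r8),%r9d` in the ia32_cstar_target hunk.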
8326 @@ -168,6 +202,7 @@ sysenter_dispatch:
8327 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8328 jnz sysexit_audit
8329 sysexit_from_sys_call:
8330 + pax_exit_kernel_user
8331 andl $~TS_COMPAT,TI_status(%r10)
8332 /* clear IF, that popfq doesn't enable interrupts early */
8333 andl $~0x200,EFLAGS-R11(%rsp)
8334 @@ -194,6 +229,9 @@ sysexit_from_sys_call:
8335 movl %eax,%esi /* 2nd arg: syscall number */
8336 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
8337 call audit_syscall_entry
8338 +
8339 + pax_erase_kstack
8340 +
8341 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
8342 cmpq $(IA32_NR_syscalls-1),%rax
8343 ja ia32_badsys
8344 @@ -246,6 +284,9 @@ sysenter_tracesys:
8345 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
8346 movq %rsp,%rdi /* &pt_regs -> arg1 */
8347 call syscall_trace_enter
8348 +
8349 + pax_erase_kstack
8350 +
8351 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8352 RESTORE_REST
8353 cmpq $(IA32_NR_syscalls-1),%rax
8354 @@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
8355 ENTRY(ia32_cstar_target)
8356 CFI_STARTPROC32 simple
8357 CFI_SIGNAL_FRAME
8358 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
8359 + CFI_DEF_CFA rsp,0
8360 CFI_REGISTER rip,rcx
8361 /*CFI_REGISTER rflags,r11*/
8362 SWAPGS_UNSAFE_STACK
8363 movl %esp,%r8d
8364 CFI_REGISTER rsp,r8
8365 movq PER_CPU_VAR(kernel_stack),%rsp
8366 +
8367 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8368 + pax_enter_kernel_user
8369 +#endif
8370 +
8371 /*
8372 * No need to follow this irqs on/off section: the syscall
8373 * disabled irqs and here we enable it straight after entry:
8374 */
8375 ENABLE_INTERRUPTS(CLBR_NONE)
8376 - SAVE_ARGS 8,1,1
8377 + SAVE_ARGS 8*6,1,1
8378 movl %eax,%eax /* zero extension */
8379 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
8380 movq %rcx,RIP-ARGOFFSET(%rsp)
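Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` around `pax_enter_kernel_user` is redundant, because the macro defined earlier in this file already expands to nothing unless that option is set. It is also inconsistent with ia32_sysenter_target and ia32_syscall, which invoke the macro without a guard. Dropping the guard leaves a single `pax_enter_kernel_user` line. Separately, the change from `SAVE_ARGS 8,1,1` to `SAVE_ARGS 8*6,1,1`, together with `CFI_DEF_CFA rsp,0`, changes the frame layout and deserves a one-line comment explaining the new offset.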
8381 @@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
8382 /* no need to do an access_ok check here because r8 has been
8383 32bit zero extended */
8384 /* hardware stack frame is complete now */
8385 +
8386 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8387 + mov $PAX_USER_SHADOW_BASE,%r10
8388 + add %r10,%r8
8389 +#endif
8390 +
8391 1: movl (%r8),%r9d
8392 .section __ex_table,"a"
8393 .quad 1b,ia32_badarg
8394 @@ -327,6 +379,7 @@ cstar_dispatch:
8395 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8396 jnz sysretl_audit
8397 sysretl_from_sys_call:
8398 + pax_exit_kernel_user
8399 andl $~TS_COMPAT,TI_status(%r10)
8400 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
8401 movl RIP-ARGOFFSET(%rsp),%ecx
8402 @@ -364,6 +417,9 @@ cstar_tracesys:
8403 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8404 movq %rsp,%rdi /* &pt_regs -> arg1 */
8405 call syscall_trace_enter
8406 +
8407 + pax_erase_kstack
8408 +
8409 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
8410 RESTORE_REST
8411 xchgl %ebp,%r9d
8412 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
8413 CFI_REL_OFFSET rip,RIP-RIP
8414 PARAVIRT_ADJUST_EXCEPTION_FRAME
8415 SWAPGS
8416 + pax_enter_kernel_user
8417 /*
8418 * No need to follow this irqs on/off section: the syscall
8419 * disabled irqs and here we enable it straight after entry:
8420 @@ -441,6 +498,9 @@ ia32_tracesys:
8421 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8422 movq %rsp,%rdi /* &pt_regs -> arg1 */
8423 call syscall_trace_enter
8424 +
8425 + pax_erase_kstack
8426 +
8427 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8428 RESTORE_REST
8429 cmpq $(IA32_NR_syscalls-1),%rax
8430 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_signal.c linux-2.6.39.3/arch/x86/ia32/ia32_signal.c
8431 --- linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400
8432 +++ linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400
8433 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
8434 sp -= frame_size;
8435 /* Align the stack pointer according to the i386 ABI,
8436 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
8437 - sp = ((sp + 4) & -16ul) - 4;
8438 + sp = ((sp - 12) & -16ul) - 4;
8439 return (void __user *) sp;
8440 }
8441
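Review bot: The comment above the changed line still describes only the alignment rule, but `((sp - 12) & -16ul) - 4` equals the old expression minus 16. The frame therefore satisfies the same `((sp + 4) & 15) == 0` condition, one 16-byte slot lower. The reason for the extra slot is not stated anywhere in the hunk. Extend the comment, e.g. `/* same ABI alignment as (sp + 4), but always leaves one extra 16-byte slot */`, and give the rationale.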
8442 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
8443 * These are actually not used anymore, but left because some
8444 * gdb versions depend on them as a marker.
8445 */
8446 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8447 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8448 } put_user_catch(err);
8449
8450 if (err)
8451 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
8452 0xb8,
8453 __NR_ia32_rt_sigreturn,
8454 0x80cd,
8455 - 0,
8456 + 0
8457 };
8458
8459 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
8460 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
8461
8462 if (ka->sa.sa_flags & SA_RESTORER)
8463 restorer = ka->sa.sa_restorer;
8464 + else if (current->mm->context.vdso)
8465 + /* Return stub is in 32bit vsyscall page */
8466 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
8467 else
8468 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
8469 - rt_sigreturn);
8470 + restorer = &frame->retcode;
8471 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
8472
8473 /*
8474 * Not actually used anymore, but left because some gdb
8475 * versions need it.
8476 */
8477 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8478 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8479 } put_user_catch(err);
8480
8481 if (err)
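Review bot: The comment "Not actually used anymore, but left because some gdb versions need it" is now stale. The new `else` branch sets `restorer = &frame->retcode;`, so when there is no vDSO the stub written by the final `put_user_ex` is the actual return path. Update it to something like `/* Return stub when no vDSO is mapped; also kept as a marker for gdb. */`. That fallback returns through bytes on the user stack, so it presumably relies on the stack being executable or on handling elsewhere in the patch; that is not visible here and should be documented. The three-way `if`/`else if`/`else` would also read more safely with braces, since a comment line sits between `else if` and its statement.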
8482 diff -urNp linux-2.6.39.3/arch/x86/include/asm/alternative.h linux-2.6.39.3/arch/x86/include/asm/alternative.h
8483 --- linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400
8484 +++ linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400
8485 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
8486 ".section .discard,\"aw\",@progbits\n" \
8487 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
8488 ".previous\n" \
8489 - ".section .altinstr_replacement, \"ax\"\n" \
8490 + ".section .altinstr_replacement, \"a\"\n" \
8491 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8492 ".previous"
8493
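Review bot: The change of `.altinstr_replacement` flags from `"ax"` to `"a"` needs a comment, because a section holding instructions without the executable flag looks like a mistake. It is only correct if the replacement bytes are always copied over the original site and never run in place, which cannot be confirmed from this hunk. A note next to the `.section` line, e.g. `/* data only: copied over the original instruction, never executed here */`, would keep a later cleanup from restoring the `x` flag.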
8494 diff -urNp linux-2.6.39.3/arch/x86/include/asm/apm.h linux-2.6.39.3/arch/x86/include/asm/apm.h
8495 --- linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400
8496 +++ linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400
8497 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8498 __asm__ __volatile__(APM_DO_ZERO_SEGS
8499 "pushl %%edi\n\t"
8500 "pushl %%ebp\n\t"
8501 - "lcall *%%cs:apm_bios_entry\n\t"
8502 + "lcall *%%ss:apm_bios_entry\n\t"
8503 "setc %%al\n\t"
8504 "popl %%ebp\n\t"
8505 "popl %%edi\n\t"
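Review bot: The `%%ss:` override on `lcall *%%ss:apm_bios_entry` is unexplained, both here in apm_bios_call_asm and in apm_bios_call_simple_asm in the next hunk. The far pointer is now read through the stack segment, so the call depends on SS still being a flat kernel data segment after `APM_DO_ZERO_SEGS`; that macro is not shown. The motive is presumably that CS no longer has a zero base under KERNEXEC on 32-bit, as the relocs comment earlier on this page suggests, but that is an inference. Please state the reason in a comment beside the instruction.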
8506 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8507 __asm__ __volatile__(APM_DO_ZERO_SEGS
8508 "pushl %%edi\n\t"
8509 "pushl %%ebp\n\t"
8510 - "lcall *%%cs:apm_bios_entry\n\t"
8511 + "lcall *%%ss:apm_bios_entry\n\t"
8512 "setc %%bl\n\t"
8513 "popl %%ebp\n\t"
8514 "popl %%edi\n\t"
8515 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h
8516 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400
8517 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400
8518 @@ -12,6 +12,14 @@ typedef struct {
8519 u64 __aligned(8) counter;
8520 } atomic64_t;
8521
8522 +#ifdef CONFIG_PAX_REFCOUNT
8523 +typedef struct {
8524 + u64 __aligned(8) counter;
8525 +} atomic64_unchecked_t;
8526 +#else
8527 +typedef atomic64_t atomic64_unchecked_t;
8528 +#endif
8529 +
8530 #define ATOMIC64_INIT(val) { (val) }
8531
8532 #ifdef CONFIG_X86_CMPXCHG64
8533 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
8534 }
8535
8536 /**
8537 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
8538 + * @p: pointer to type atomic64_unchecked_t
8539 + * @o: expected value
8540 + * @n: new value
8541 + *
8542 + * Atomically sets @v to @n if it was equal to @o and returns
8543 + * the old value.
8544 + */
8545 +
8546 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
8547 +{
8548 + return cmpxchg64(&v->counter, o, n);
8549 +}
8550 +
8551 +/**
8552 * atomic64_xchg - xchg atomic64 variable
8553 * @v: pointer to type atomic64_t
8554 * @n: value to assign
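Review bot: The kernel-doc for atomic64_cmpxchg_unchecked documents `@p`, but the parameter is named `v`, and the description then refers to `@v`. The first tag should read `@v: pointer to type atomic64_unchecked_t`. The same kind of mismatch appears in the next hunk, where atomic64_set_unchecked documents `@n` while the parameter is `i`. In atomic64_64.h the comment for atomic64_dec_unchecked says `pointer to type atomic64_t` for an `atomic64_unchecked_t *` argument. There is also a stray blank line between the comment and the cmpxchg function definition.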
8555 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
8556 }
8557
8558 /**
8559 + * atomic64_set_unchecked - set atomic64 variable
8560 + * @v: pointer to type atomic64_unchecked_t
8561 + * @n: value to assign
8562 + *
8563 + * Atomically sets the value of @v to @n.
8564 + */
8565 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
8566 +{
8567 + unsigned high = (unsigned)(i >> 32);
8568 + unsigned low = (unsigned)i;
8569 + asm volatile(ATOMIC64_ALTERNATIVE(set)
8570 + : "+b" (low), "+c" (high)
8571 + : "S" (v)
8572 + : "eax", "edx", "memory"
8573 + );
8574 +}
8575 +
8576 +/**
8577 * atomic64_read - read atomic64 variable
8578 * @v: pointer to type atomic64_t
8579 *
8580 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
8581 }
8582
8583 /**
8584 + * atomic64_read_unchecked - read atomic64 variable
8585 + * @v: pointer to type atomic64_unchecked_t
8586 + *
8587 + * Atomically reads the value of @v and returns it.
8588 + */
8589 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
8590 +{
8591 + long long r;
8592 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
8593 + : "=A" (r), "+c" (v)
8594 + : : "memory"
8595 + );
8596 + return r;
8597 + }
8598 +
8599 +/**
8600 * atomic64_add_return - add and return
8601 * @i: integer value to add
8602 * @v: pointer to type atomic64_t
8603 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
8604 return i;
8605 }
8606
8607 +/**
8608 + * atomic64_add_return_unchecked - add and return
8609 + * @i: integer value to add
8610 + * @v: pointer to type atomic64_unchecked_t
8611 + *
8612 + * Atomically adds @i to @v and returns @i + *@v
8613 + */
8614 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
8615 +{
8616 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
8617 + : "+A" (i), "+c" (v)
8618 + : : "memory"
8619 + );
8620 + return i;
8621 +}
8622 +
8623 /*
8624 * Other variants with different arithmetic operators:
8625 */
8626 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
8627 return a;
8628 }
8629
8630 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8631 +{
8632 + long long a;
8633 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
8634 + : "=A" (a)
8635 + : "S" (v)
8636 + : "memory", "ecx"
8637 + );
8638 + return a;
8639 +}
8640 +
8641 static inline long long atomic64_dec_return(atomic64_t *v)
8642 {
8643 long long a;
8644 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
8645 }
8646
8647 /**
8648 + * atomic64_add_unchecked - add integer to atomic64 variable
8649 + * @i: integer value to add
8650 + * @v: pointer to type atomic64_unchecked_t
8651 + *
8652 + * Atomically adds @i to @v.
8653 + */
8654 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
8655 +{
8656 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
8657 + : "+A" (i), "+c" (v)
8658 + : : "memory"
8659 + );
8660 + return i;
8661 +}
8662 +
8663 +/**
8664 * atomic64_sub - subtract the atomic64 variable
8665 * @i: integer value to subtract
8666 * @v: pointer to type atomic64_t
8667 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h
8668 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400
8669 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400
8670 @@ -18,7 +18,19 @@
8671 */
8672 static inline long atomic64_read(const atomic64_t *v)
8673 {
8674 - return (*(volatile long *)&(v)->counter);
8675 + return (*(volatile const long *)&(v)->counter);
8676 +}
8677 +
8678 +/**
8679 + * atomic64_read_unchecked - read atomic64 variable
8680 + * @v: pointer of type atomic64_unchecked_t
8681 + *
8682 + * Atomically reads the value of @v.
8683 + * Doesn't imply a read memory barrier.
8684 + */
8685 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8686 +{
8687 + return (*(volatile const long *)&(v)->counter);
8688 }
8689
8690 /**
8691 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
8692 }
8693
8694 /**
8695 + * atomic64_set_unchecked - set atomic64 variable
8696 + * @v: pointer to type atomic64_unchecked_t
8697 + * @i: required value
8698 + *
8699 + * Atomically sets the value of @v to @i.
8700 + */
8701 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8702 +{
8703 + v->counter = i;
8704 +}
8705 +
8706 +/**
8707 * atomic64_add - add integer to atomic64 variable
8708 * @i: integer value to add
8709 * @v: pointer to type atomic64_t
8710 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
8711 */
8712 static inline void atomic64_add(long i, atomic64_t *v)
8713 {
8714 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8715 +
8716 +#ifdef CONFIG_PAX_REFCOUNT
8717 + "jno 0f\n"
8718 + LOCK_PREFIX "subq %1,%0\n"
8719 + "int $4\n0:\n"
8720 + _ASM_EXTABLE(0b, 0b)
8721 +#endif
8722 +
8723 + : "=m" (v->counter)
8724 + : "er" (i), "m" (v->counter));
8725 +}
8726 +
8727 +/**
8728 + * atomic64_add_unchecked - add integer to atomic64 variable
8729 + * @i: integer value to add
8730 + * @v: pointer to type atomic64_unchecked_t
8731 + *
8732 + * Atomically adds @i to @v.
8733 + */
8734 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8735 +{
8736 asm volatile(LOCK_PREFIX "addq %1,%0"
8737 : "=m" (v->counter)
8738 : "er" (i), "m" (v->counter));
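Review bot: The overflow handling added under `CONFIG_PAX_REFCOUNT` detects and then undoes the overflow rather than doing it in one atomic step. The `lock addq` commits the wrapped value first, and only afterwards does `jno` / `lock subq` roll it back, so another CPU can read the overflowed counter in between. That limitation and the intended contract should be written down once at this first block, e.g. `/* on signed overflow: undo the add, then trap via int $4 */`, along with what the `int $4` handler is expected to do; the handler is not visible here. The same sequence recurs in atomic64_sub, atomic64_inc, atomic64_dec, the `*_and_test` and add_negative helpers below, and in the atomic.h hunks that follow.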
8739 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
8740 */
8741 static inline void atomic64_sub(long i, atomic64_t *v)
8742 {
8743 - asm volatile(LOCK_PREFIX "subq %1,%0"
8744 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8745 +
8746 +#ifdef CONFIG_PAX_REFCOUNT
8747 + "jno 0f\n"
8748 + LOCK_PREFIX "addq %1,%0\n"
8749 + "int $4\n0:\n"
8750 + _ASM_EXTABLE(0b, 0b)
8751 +#endif
8752 +
8753 + : "=m" (v->counter)
8754 + : "er" (i), "m" (v->counter));
8755 +}
8756 +
8757 +/**
8758 + * atomic64_sub_unchecked - subtract the atomic64 variable
8759 + * @i: integer value to subtract
8760 + * @v: pointer to type atomic64_unchecked_t
8761 + *
8762 + * Atomically subtracts @i from @v.
8763 + */
8764 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
8765 +{
8766 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8767 : "=m" (v->counter)
8768 : "er" (i), "m" (v->counter));
8769 }
8770 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
8771 {
8772 unsigned char c;
8773
8774 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8775 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8776 +
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 + "jno 0f\n"
8779 + LOCK_PREFIX "addq %2,%0\n"
8780 + "int $4\n0:\n"
8781 + _ASM_EXTABLE(0b, 0b)
8782 +#endif
8783 +
8784 + "sete %1\n"
8785 : "=m" (v->counter), "=qm" (c)
8786 : "er" (i), "m" (v->counter) : "memory");
8787 return c;
8788 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
8789 */
8790 static inline void atomic64_inc(atomic64_t *v)
8791 {
8792 + asm volatile(LOCK_PREFIX "incq %0\n"
8793 +
8794 +#ifdef CONFIG_PAX_REFCOUNT
8795 + "jno 0f\n"
8796 + LOCK_PREFIX "decq %0\n"
8797 + "int $4\n0:\n"
8798 + _ASM_EXTABLE(0b, 0b)
8799 +#endif
8800 +
8801 + : "=m" (v->counter)
8802 + : "m" (v->counter));
8803 +}
8804 +
8805 +/**
8806 + * atomic64_inc_unchecked - increment atomic64 variable
8807 + * @v: pointer to type atomic64_unchecked_t
8808 + *
8809 + * Atomically increments @v by 1.
8810 + */
8811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8812 +{
8813 asm volatile(LOCK_PREFIX "incq %0"
8814 : "=m" (v->counter)
8815 : "m" (v->counter));
8816 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
8817 */
8818 static inline void atomic64_dec(atomic64_t *v)
8819 {
8820 - asm volatile(LOCK_PREFIX "decq %0"
8821 + asm volatile(LOCK_PREFIX "decq %0\n"
8822 +
8823 +#ifdef CONFIG_PAX_REFCOUNT
8824 + "jno 0f\n"
8825 + LOCK_PREFIX "incq %0\n"
8826 + "int $4\n0:\n"
8827 + _ASM_EXTABLE(0b, 0b)
8828 +#endif
8829 +
8830 + : "=m" (v->counter)
8831 + : "m" (v->counter));
8832 +}
8833 +
8834 +/**
8835 + * atomic64_dec_unchecked - decrement atomic64 variable
8836 + * @v: pointer to type atomic64_t
8837 + *
8838 + * Atomically decrements @v by 1.
8839 + */
8840 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8841 +{
8842 + asm volatile(LOCK_PREFIX "decq %0\n"
8843 : "=m" (v->counter)
8844 : "m" (v->counter));
8845 }
8846 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
8847 {
8848 unsigned char c;
8849
8850 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8851 + asm volatile(LOCK_PREFIX "decq %0\n"
8852 +
8853 +#ifdef CONFIG_PAX_REFCOUNT
8854 + "jno 0f\n"
8855 + LOCK_PREFIX "incq %0\n"
8856 + "int $4\n0:\n"
8857 + _ASM_EXTABLE(0b, 0b)
8858 +#endif
8859 +
8860 + "sete %1\n"
8861 : "=m" (v->counter), "=qm" (c)
8862 : "m" (v->counter) : "memory");
8863 return c != 0;
8864 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
8865 {
8866 unsigned char c;
8867
8868 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8869 + asm volatile(LOCK_PREFIX "incq %0\n"
8870 +
8871 +#ifdef CONFIG_PAX_REFCOUNT
8872 + "jno 0f\n"
8873 + LOCK_PREFIX "decq %0\n"
8874 + "int $4\n0:\n"
8875 + _ASM_EXTABLE(0b, 0b)
8876 +#endif
8877 +
8878 + "sete %1\n"
8879 : "=m" (v->counter), "=qm" (c)
8880 : "m" (v->counter) : "memory");
8881 return c != 0;
8882 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
8883 {
8884 unsigned char c;
8885
8886 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8887 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8888 +
8889 +#ifdef CONFIG_PAX_REFCOUNT
8890 + "jno 0f\n"
8891 + LOCK_PREFIX "subq %2,%0\n"
8892 + "int $4\n0:\n"
8893 + _ASM_EXTABLE(0b, 0b)
8894 +#endif
8895 +
8896 + "sets %1\n"
8897 : "=m" (v->counter), "=qm" (c)
8898 : "er" (i), "m" (v->counter) : "memory");
8899 return c;
8900 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
8901 static inline long atomic64_add_return(long i, atomic64_t *v)
8902 {
8903 long __i = i;
8904 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8905 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8906 +
8907 +#ifdef CONFIG_PAX_REFCOUNT
8908 + "jno 0f\n"
8909 + "movq %0, %1\n"
8910 + "int $4\n0:\n"
8911 + _ASM_EXTABLE(0b, 0b)
8912 +#endif
8913 +
8914 + : "+r" (i), "+m" (v->counter)
8915 + : : "memory");
8916 + return i + __i;
8917 +}
8918 +
8919 +/**
8920 + * atomic64_add_return_unchecked - add and return
8921 + * @i: integer value to add
8922 + * @v: pointer to type atomic64_unchecked_t
8923 + *
8924 + * Atomically adds @i to @v and returns @i + @v
8925 + */
8926 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8927 +{
8928 + long __i = i;
8929 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8930 : "+r" (i), "+m" (v->counter)
8931 : : "memory");
8932 return i + __i;
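Review bot: The rollback in atomic64_add_return is a plain `movq %0, %1`, not a locked inverse operation like the other checked helpers in this file use. It stores the pre-add value that `xaddq` left in `%0`, so any update another CPU made between the `xaddq` and the `movq` is overwritten. Undoing with the addend keeps concurrent updates intact: pass `__i` as an input (`: "er" (__i)`) and replace the store with `LOCK_PREFIX "subq %2, %1\n"`. The function also still returns `i + __i`, which is the wrapped sum on the overflow path, and that should be documented.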
8933 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
8934 }
8935
8936 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8937 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8938 +{
8939 + return atomic64_add_return_unchecked(1, v);
8940 +}
8941 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8942
8943 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8944 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
8945 return cmpxchg(&v->counter, old, new);
8946 }
8947
8948 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8949 +{
8950 + return cmpxchg(&v->counter, old, new);
8951 +}
8952 +
8953 static inline long atomic64_xchg(atomic64_t *v, long new)
8954 {
8955 return xchg(&v->counter, new);
8956 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
8957 */
8958 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8959 {
8960 - long c, old;
8961 + long c, old, new;
8962 c = atomic64_read(v);
8963 for (;;) {
8964 - if (unlikely(c == (u)))
8965 + if (unlikely(c == u))
8966 break;
8967 - old = atomic64_cmpxchg((v), c, c + (a));
8968 +
8969 + asm volatile("add %2,%0\n"
8970 +
8971 +#ifdef CONFIG_PAX_REFCOUNT
8972 + "jno 0f\n"
8973 + "sub %2,%0\n"
8974 + "int $4\n0:\n"
8975 + _ASM_EXTABLE(0b, 0b)
8976 +#endif
8977 +
8978 + : "=r" (new)
8979 + : "0" (c), "ir" (a));
8980 +
8981 + old = atomic64_cmpxchg(v, c, new);
8982 if (likely(old == c))
8983 break;
8984 c = old;
8985 }
8986 - return c != (u);
8987 + return c != u;
8988 }
8989
8990 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
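Review bot: The new inline add in atomic64_add_unless uses the constraint `"ir" (a)` for a 64-bit operand, while every other 64-bit helper in this file uses `"er"`. The `i` constraint admits constants that do not fit a sign-extended 32-bit immediate, which the instruction cannot encode, so the line should be `: "0" (c), "er" (a));`. Separately, when the overflow branch fires, `new` is restored to `c`, the following cmpxchg succeeds without changing the counter, and the function returns non-zero as if the add had happened. If that is the intended saturating behaviour, it should be stated in the function comment, which is outside this hunk.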
8991 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic.h linux-2.6.39.3/arch/x86/include/asm/atomic.h
8992 --- linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400
8993 +++ linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400
8994 @@ -22,7 +22,18 @@
8995 */
8996 static inline int atomic_read(const atomic_t *v)
8997 {
8998 - return (*(volatile int *)&(v)->counter);
8999 + return (*(volatile const int *)&(v)->counter);
9000 +}
9001 +
9002 +/**
9003 + * atomic_read_unchecked - read atomic variable
9004 + * @v: pointer of type atomic_unchecked_t
9005 + *
9006 + * Atomically reads the value of @v.
9007 + */
9008 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
9009 +{
9010 + return (*(volatile const int *)&(v)->counter);
9011 }
9012
9013 /**
9014 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
9015 }
9016
9017 /**
9018 + * atomic_set_unchecked - set atomic variable
9019 + * @v: pointer of type atomic_unchecked_t
9020 + * @i: required value
9021 + *
9022 + * Atomically sets the value of @v to @i.
9023 + */
9024 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
9025 +{
9026 + v->counter = i;
9027 +}
9028 +
9029 +/**
9030 * atomic_add - add integer to atomic variable
9031 * @i: integer value to add
9032 * @v: pointer of type atomic_t
9033 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
9034 */
9035 static inline void atomic_add(int i, atomic_t *v)
9036 {
9037 - asm volatile(LOCK_PREFIX "addl %1,%0"
9038 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9039 +
9040 +#ifdef CONFIG_PAX_REFCOUNT
9041 + "jno 0f\n"
9042 + LOCK_PREFIX "subl %1,%0\n"
9043 + "int $4\n0:\n"
9044 + _ASM_EXTABLE(0b, 0b)
9045 +#endif
9046 +
9047 + : "+m" (v->counter)
9048 + : "ir" (i));
9049 +}
9050 +
9051 +/**
9052 + * atomic_add_unchecked - add integer to atomic variable
9053 + * @i: integer value to add
9054 + * @v: pointer of type atomic_unchecked_t
9055 + *
9056 + * Atomically adds @i to @v.
9057 + */
9058 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
9059 +{
9060 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9061 : "+m" (v->counter)
9062 : "ir" (i));
9063 }
9064 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
9065 */
9066 static inline void atomic_sub(int i, atomic_t *v)
9067 {
9068 - asm volatile(LOCK_PREFIX "subl %1,%0"
9069 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9070 +
9071 +#ifdef CONFIG_PAX_REFCOUNT
9072 + "jno 0f\n"
9073 + LOCK_PREFIX "addl %1,%0\n"
9074 + "int $4\n0:\n"
9075 + _ASM_EXTABLE(0b, 0b)
9076 +#endif
9077 +
9078 + : "+m" (v->counter)
9079 + : "ir" (i));
9080 +}
9081 +
9082 +/**
9083 + * atomic_sub_unchecked - subtract integer from atomic variable
9084 + * @i: integer value to subtract
9085 + * @v: pointer of type atomic_unchecked_t
9086 + *
9087 + * Atomically subtracts @i from @v.
9088 + */
9089 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
9090 +{
9091 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9092 : "+m" (v->counter)
9093 : "ir" (i));
9094 }
9095 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
9096 {
9097 unsigned char c;
9098
9099 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
9100 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
9101 +
9102 +#ifdef CONFIG_PAX_REFCOUNT
9103 + "jno 0f\n"
9104 + LOCK_PREFIX "addl %2,%0\n"
9105 + "int $4\n0:\n"
9106 + _ASM_EXTABLE(0b, 0b)
9107 +#endif
9108 +
9109 + "sete %1\n"
9110 : "+m" (v->counter), "=qm" (c)
9111 : "ir" (i) : "memory");
9112 return c;
9113 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
9114 */
9115 static inline void atomic_inc(atomic_t *v)
9116 {
9117 - asm volatile(LOCK_PREFIX "incl %0"
9118 + asm volatile(LOCK_PREFIX "incl %0\n"
9119 +
9120 +#ifdef CONFIG_PAX_REFCOUNT
9121 + "jno 0f\n"
9122 + LOCK_PREFIX "decl %0\n"
9123 + "int $4\n0:\n"
9124 + _ASM_EXTABLE(0b, 0b)
9125 +#endif
9126 +
9127 + : "+m" (v->counter));
9128 +}
9129 +
9130 +/**
9131 + * atomic_inc_unchecked - increment atomic variable
9132 + * @v: pointer of type atomic_unchecked_t
9133 + *
9134 + * Atomically increments @v by 1.
9135 + */
9136 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
9137 +{
9138 + asm volatile(LOCK_PREFIX "incl %0\n"
9139 : "+m" (v->counter));
9140 }
9141
9142 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
9143 */
9144 static inline void atomic_dec(atomic_t *v)
9145 {
9146 - asm volatile(LOCK_PREFIX "decl %0"
9147 + asm volatile(LOCK_PREFIX "decl %0\n"
9148 +
9149 +#ifdef CONFIG_PAX_REFCOUNT
9150 + "jno 0f\n"
9151 + LOCK_PREFIX "incl %0\n"
9152 + "int $4\n0:\n"
9153 + _ASM_EXTABLE(0b, 0b)
9154 +#endif
9155 +
9156 + : "+m" (v->counter));
9157 +}
9158 +
9159 +/**
9160 + * atomic_dec_unchecked - decrement atomic variable
9161 + * @v: pointer of type atomic_unchecked_t
9162 + *
9163 + * Atomically decrements @v by 1.
9164 + */
9165 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
9166 +{
9167 + asm volatile(LOCK_PREFIX "decl %0\n"
9168 : "+m" (v->counter));
9169 }
9170
9171 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
9172 {
9173 unsigned char c;
9174
9175 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
9176 + asm volatile(LOCK_PREFIX "decl %0\n"
9177 +
9178 +#ifdef CONFIG_PAX_REFCOUNT
9179 + "jno 0f\n"
9180 + LOCK_PREFIX "incl %0\n"
9181 + "int $4\n0:\n"
9182 + _ASM_EXTABLE(0b, 0b)
9183 +#endif
9184 +
9185 + "sete %1\n"
9186 : "+m" (v->counter), "=qm" (c)
9187 : : "memory");
9188 return c != 0;
9189 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
9190 {
9191 unsigned char c;
9192
9193 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
9194 + asm volatile(LOCK_PREFIX "incl %0\n"
9195 +
9196 +#ifdef CONFIG_PAX_REFCOUNT
9197 + "jno 0f\n"
9198 + LOCK_PREFIX "decl %0\n"
9199 + "int $4\n0:\n"
9200 + _ASM_EXTABLE(0b, 0b)
9201 +#endif
9202 +
9203 + "sete %1\n"
9204 + : "+m" (v->counter), "=qm" (c)
9205 + : : "memory");
9206 + return c != 0;
9207 +}
9208 +
9209 +/**
9210 + * atomic_inc_and_test_unchecked - increment and test
9211 + * @v: pointer of type atomic_unchecked_t
9212 + *
9213 + * Atomically increments @v by 1
9214 + * and returns true if the result is zero, or false for all
9215 + * other cases.
9216 + */
9217 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
9218 +{
9219 + unsigned char c;
9220 +
9221 + asm volatile(LOCK_PREFIX "incl %0\n"
9222 + "sete %1\n"
9223 : "+m" (v->counter), "=qm" (c)
9224 : : "memory");
9225 return c != 0;
9226 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
9227 {
9228 unsigned char c;
9229
9230 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
9231 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
9232 +
9233 +#ifdef CONFIG_PAX_REFCOUNT
9234 + "jno 0f\n"
9235 + LOCK_PREFIX "subl %2,%0\n"
9236 + "int $4\n0:\n"
9237 + _ASM_EXTABLE(0b, 0b)
9238 +#endif
9239 +
9240 + "sets %1\n"
9241 : "+m" (v->counter), "=qm" (c)
9242 : "ir" (i) : "memory");
9243 return c;
9244 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
9245 #endif
9246 /* Modern 486+ processor */
9247 __i = i;
9248 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
9249 +
9250 +#ifdef CONFIG_PAX_REFCOUNT
9251 + "jno 0f\n"
9252 + "movl %0, %1\n"
9253 + "int $4\n0:\n"
9254 + _ASM_EXTABLE(0b, 0b)
9255 +#endif
9256 +
9257 + : "+r" (i), "+m" (v->counter)
9258 + : : "memory");
9259 + return i + __i;
9260 +
9261 +#ifdef CONFIG_M386
9262 +no_xadd: /* Legacy 386 processor */
9263 + local_irq_save(flags);
9264 + __i = atomic_read(v);
9265 + atomic_set(v, i + __i);
9266 + local_irq_restore(flags);
9267 + return i + __i;
9268 +#endif
9269 +}
9270 +
9271 +/**
9272 + * atomic_add_return_unchecked - add integer and return
9273 + * @v: pointer of type atomic_unchecked_t
9274 + * @i: integer value to add
9275 + *
9276 + * Atomically adds @i to @v and returns @i + @v
9277 + */
9278 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
9279 +{
9280 + int __i;
9281 +#ifdef CONFIG_M386
9282 + unsigned long flags;
9283 + if (unlikely(boot_cpu_data.x86 <= 3))
9284 + goto no_xadd;
9285 +#endif
9286 + /* Modern 486+ processor */
9287 + __i = i;
9288 asm volatile(LOCK_PREFIX "xaddl %0, %1"
9289 : "+r" (i), "+m" (v->counter)
9290 : : "memory");
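Review bot: In the checked `atomic_add_return`, the overflow path restores the counter with `movl %0, %1`, a plain store of the value `xaddl` handed back, whereas the other checked helpers in this file undo with a LOCK-prefixed inverse instruction. A plain store overwrites any update another CPU made between the `xaddl` and the `movl`, so I would either undo with a locked subtraction of the saved addend (passed as an extra operand) or add a comment explaining why a lost update is acceptable on this path. The CONFIG_M386 `no_xadd` branch computes `i + __i` and calls `atomic_set` with no overflow test, so on that configuration the checked variant appears to be unchecked; if that is intended it should be stated, e.g. `/* no overflow detection on 386: no xadd, no trap */`. The body of `atomic_add_return_unchecked` continues past the end of the hunk.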
9291 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
9292 }
9293
9294 #define atomic_inc_return(v) (atomic_add_return(1, v))
9295 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
9296 +{
9297 + return atomic_add_return_unchecked(1, v);
9298 +}
9299 #define atomic_dec_return(v) (atomic_sub_return(1, v))
9300
9301 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
9302 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
9303 return cmpxchg(&v->counter, old, new);
9304 }
9305
9306 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9307 +{
9308 + return cmpxchg(&v->counter, old, new);
9309 +}
9310 +
9311 static inline int atomic_xchg(atomic_t *v, int new)
9312 {
9313 return xchg(&v->counter, new);
9314 }
9315
9316 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9317 +{
9318 + return xchg(&v->counter, new);
9319 +}
9320 +
9321 /**
9322 * atomic_add_unless - add unless the number is already a given value
9323 * @v: pointer of type atomic_t
9324 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
9325 */
9326 static inline int atomic_add_unless(atomic_t *v, int a, int u)
9327 {
9328 - int c, old;
9329 + int c, old, new;
9330 c = atomic_read(v);
9331 for (;;) {
9332 - if (unlikely(c == (u)))
9333 + if (unlikely(c == u))
9334 break;
9335 - old = atomic_cmpxchg((v), c, c + (a));
9336 +
9337 + asm volatile("addl %2,%0\n"
9338 +
9339 +#ifdef CONFIG_PAX_REFCOUNT
9340 + "jno 0f\n"
9341 + "subl %2,%0\n"
9342 + "int $4\n0:\n"
9343 + _ASM_EXTABLE(0b, 0b)
9344 +#endif
9345 +
9346 + : "=r" (new)
9347 + : "0" (c), "ir" (a));
9348 +
9349 + old = atomic_cmpxchg(v, c, new);
9350 if (likely(old == c))
9351 break;
9352 c = old;
9353 }
9354 - return c != (u);
9355 + return c != u;
9356 }
9357
9358 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
9359
9360 +/**
9361 + * atomic_inc_not_zero_hint - increment if not null
9362 + * @v: pointer of type atomic_t
9363 + * @hint: probable value of the atomic before the increment
9364 + *
9365 + * This version of atomic_inc_not_zero() gives a hint of probable
9366 + * value of the atomic. This helps processor to not read the memory
9367 + * before doing the atomic read/modify/write cycle, lowering
9368 + * number of bus transactions on some arches.
9369 + *
9370 + * Returns: 0 if increment was not done, 1 otherwise.
9371 + */
9372 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
9373 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
9374 +{
9375 + int val, c = hint, new;
9376 +
9377 + /* sanity test, should be removed by compiler if hint is a constant */
9378 + if (!hint)
9379 + return atomic_inc_not_zero(v);
9380 +
9381 + do {
9382 + asm volatile("incl %0\n"
9383 +
9384 +#ifdef CONFIG_PAX_REFCOUNT
9385 + "jno 0f\n"
9386 + "decl %0\n"
9387 + "int $4\n0:\n"
9388 + _ASM_EXTABLE(0b, 0b)
9389 +#endif
9390 +
9391 + : "=r" (new)
9392 + : "0" (c));
9393 +
9394 + val = atomic_cmpxchg(v, c, new);
9395 + if (val == c)
9396 + return 1;
9397 + c = val;
9398 + } while (c);
9399 +
9400 + return 0;
9401 +}
9402 +
9403 /*
9404 * atomic_dec_if_positive - decrement by 1 if old value positive
9405 * @v: pointer of type atomic_t
9406 diff -urNp linux-2.6.39.3/arch/x86/include/asm/bitops.h linux-2.6.39.3/arch/x86/include/asm/bitops.h
9407 --- linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400
9408 +++ linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400
9409 @@ -38,7 +38,7 @@
9410 * a mask operation on a byte.
9411 */
9412 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9413 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9414 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9415 #define CONST_MASK(nr) (1 << ((nr) & 7))
9416
9417 /**
9418 diff -urNp linux-2.6.39.3/arch/x86/include/asm/boot.h linux-2.6.39.3/arch/x86/include/asm/boot.h
9419 --- linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400
9420 +++ linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400
9421 @@ -11,10 +11,15 @@
9422 #include <asm/pgtable_types.h>
9423
9424 /* Physical address where kernel should be loaded. */
9425 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9426 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9427 + (CONFIG_PHYSICAL_ALIGN - 1)) \
9428 & ~(CONFIG_PHYSICAL_ALIGN - 1))
9429
9430 +#ifndef __ASSEMBLY__
9431 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
9432 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9433 +#endif
9434 +
9435 /* Minimum kernel alignment, as a power of two */
9436 #ifdef CONFIG_X86_64
9437 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
9438 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cacheflush.h linux-2.6.39.3/arch/x86/include/asm/cacheflush.h
9439 --- linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
9440 +++ linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
9441 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
9442 unsigned long pg_flags = pg->flags & _PGMT_MASK;
9443
9444 if (pg_flags == _PGMT_DEFAULT)
9445 - return -1;
9446 + return ~0UL;
9447 else if (pg_flags == _PGMT_WC)
9448 return _PAGE_CACHE_WC;
9449 else if (pg_flags == _PGMT_UC_MINUS)
9450 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cache.h linux-2.6.39.3/arch/x86/include/asm/cache.h
9451 --- linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
9452 +++ linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
9453 @@ -5,12 +5,13 @@
9454
9455 /* L1 cache line size */
9456 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9457 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9458 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9459
9460 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9461 +#define __read_only __attribute__((__section__(".data..read_only")))
9462
9463 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
9464 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
9465 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
9466
9467 #ifdef CONFIG_X86_VSMP
9468 #ifdef CONFIG_SMP
9469 diff -urNp linux-2.6.39.3/arch/x86/include/asm/checksum_32.h linux-2.6.39.3/arch/x86/include/asm/checksum_32.h
9470 --- linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400
9471 +++ linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400
9472 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9473 int len, __wsum sum,
9474 int *src_err_ptr, int *dst_err_ptr);
9475
9476 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9477 + int len, __wsum sum,
9478 + int *src_err_ptr, int *dst_err_ptr);
9479 +
9480 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9481 + int len, __wsum sum,
9482 + int *src_err_ptr, int *dst_err_ptr);
9483 +
9484 /*
9485 * Note: when you get a NULL pointer exception here this means someone
9486 * passed in an incorrect kernel address to one of these functions.
9487 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9488 int *err_ptr)
9489 {
9490 might_sleep();
9491 - return csum_partial_copy_generic((__force void *)src, dst,
9492 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
9493 len, sum, err_ptr, NULL);
9494 }
9495
9496 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9497 {
9498 might_sleep();
9499 if (access_ok(VERIFY_WRITE, dst, len))
9500 - return csum_partial_copy_generic(src, (__force void *)dst,
9501 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9502 len, sum, NULL, err_ptr);
9503
9504 if (len)
9505 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cpufeature.h linux-2.6.39.3/arch/x86/include/asm/cpufeature.h
9506 --- linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400
9507 +++ linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400
9508 @@ -351,7 +351,7 @@ static __always_inline __pure bool __sta
9509 ".section .discard,\"aw\",@progbits\n"
9510 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
9511 ".previous\n"
9512 - ".section .altinstr_replacement,\"ax\"\n"
9513 + ".section .altinstr_replacement,\"a\"\n"
9514 "3: movb $1,%0\n"
9515 "4:\n"
9516 ".previous\n"
9517 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc_defs.h linux-2.6.39.3/arch/x86/include/asm/desc_defs.h
9518 --- linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400
9519 +++ linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400
9520 @@ -31,6 +31,12 @@ struct desc_struct {
9521 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9522 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9523 };
9524 + struct {
9525 + u16 offset_low;
9526 + u16 seg;
9527 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9528 + unsigned offset_high: 16;
9529 + } gate;
9530 };
9531 } __attribute__((packed));
9532
9533 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc.h linux-2.6.39.3/arch/x86/include/asm/desc.h
9534 --- linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400
9535 +++ linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400
9536 @@ -4,6 +4,7 @@
9537 #include <asm/desc_defs.h>
9538 #include <asm/ldt.h>
9539 #include <asm/mmu.h>
9540 +#include <asm/pgtable.h>
9541 #include <linux/smp.h>
9542
9543 static inline void fill_ldt(struct desc_struct *desc,
9544 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9545 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9546 desc->type = (info->read_exec_only ^ 1) << 1;
9547 desc->type |= info->contents << 2;
9548 + desc->type |= info->seg_not_present ^ 1;
9549 desc->s = 1;
9550 desc->dpl = 0x3;
9551 desc->p = info->seg_not_present ^ 1;
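Review bot: The added `desc->type |= info->seg_not_present ^ 1;` carries no comment, and it is not obvious that bit 0 of the type field is the descriptor's Accessed bit. Pre-setting it for present segments presumably keeps the CPU from writing the bit back into a descriptor table that this patch set write-protects; I would say so next to the line, e.g. `/* pre-set Accessed so the CPU never has to write the descriptor */`. `fill_ldt` starts and ends outside the hunk.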
9552 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9553 }
9554
9555 extern struct desc_ptr idt_descr;
9556 -extern gate_desc idt_table[];
9557 -
9558 -struct gdt_page {
9559 - struct desc_struct gdt[GDT_ENTRIES];
9560 -} __attribute__((aligned(PAGE_SIZE)));
9561 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9562 +extern gate_desc idt_table[256];
9563
9564 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9565 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9566 {
9567 - return per_cpu(gdt_page, cpu).gdt;
9568 + return cpu_gdt_table[cpu];
9569 }
9570
9571 #ifdef CONFIG_X86_64
9572 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9573 unsigned long base, unsigned dpl, unsigned flags,
9574 unsigned short seg)
9575 {
9576 - gate->a = (seg << 16) | (base & 0xffff);
9577 - gate->b = (base & 0xffff0000) |
9578 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9579 + gate->gate.offset_low = base;
9580 + gate->gate.seg = seg;
9581 + gate->gate.reserved = 0;
9582 + gate->gate.type = type;
9583 + gate->gate.s = 0;
9584 + gate->gate.dpl = dpl;
9585 + gate->gate.p = 1;
9586 + gate->gate.offset_high = base >> 16;
9587 }
9588
9589 #endif
9590 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9591 static inline void native_write_idt_entry(gate_desc *idt, int entry,
9592 const gate_desc *gate)
9593 {
9594 + pax_open_kernel();
9595 memcpy(&idt[entry], gate, sizeof(*gate));
9596 + pax_close_kernel();
9597 }
9598
9599 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9600 const void *desc)
9601 {
9602 + pax_open_kernel();
9603 memcpy(&ldt[entry], desc, 8);
9604 + pax_close_kernel();
9605 }
9606
9607 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
9608 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9609 size = sizeof(struct desc_struct);
9610 break;
9611 }
9612 +
9613 + pax_open_kernel();
9614 memcpy(&gdt[entry], desc, size);
9615 + pax_close_kernel();
9616 }
9617
9618 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9619 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9620
9621 static inline void native_load_tr_desc(void)
9622 {
9623 + pax_open_kernel();
9624 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9625 + pax_close_kernel();
9626 }
9627
9628 static inline void native_load_gdt(const struct desc_ptr *dtr)
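Review bot: Wrapping `ltr` in `pax_open_kernel()`/`pax_close_kernel()` is not self-explanatory, because unlike the `memcpy` calls bracketed in the earlier hunks of this file the instruction has no visible memory operand. `ltr` marks the TSS descriptor busy, which is a CPU write into the GDT, and presumably that is why write protection has to be lifted around it. I would add `/* ltr sets the busy bit in the GDT's TSS descriptor */` above the asm.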
9629 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9630 unsigned int i;
9631 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9632
9633 + pax_open_kernel();
9634 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9635 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9636 + pax_close_kernel();
9637 }
9638
9639 #define _LDT_empty(info) \
9640 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9641 desc->limit = (limit >> 16) & 0xf;
9642 }
9643
9644 -static inline void _set_gate(int gate, unsigned type, void *addr,
9645 +static inline void _set_gate(int gate, unsigned type, const void *addr,
9646 unsigned dpl, unsigned ist, unsigned seg)
9647 {
9648 gate_desc s;
9649 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9650 * Pentium F0 0F bugfix can have resulted in the mapped
9651 * IDT being write-protected.
9652 */
9653 -static inline void set_intr_gate(unsigned int n, void *addr)
9654 +static inline void set_intr_gate(unsigned int n, const void *addr)
9655 {
9656 BUG_ON((unsigned)n > 0xFF);
9657 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9658 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9659 /*
9660 * This routine sets up an interrupt gate at directory privilege level 3.
9661 */
9662 -static inline void set_system_intr_gate(unsigned int n, void *addr)
9663 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
9664 {
9665 BUG_ON((unsigned)n > 0xFF);
9666 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9667 }
9668
9669 -static inline void set_system_trap_gate(unsigned int n, void *addr)
9670 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
9671 {
9672 BUG_ON((unsigned)n > 0xFF);
9673 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9674 }
9675
9676 -static inline void set_trap_gate(unsigned int n, void *addr)
9677 +static inline void set_trap_gate(unsigned int n, const void *addr)
9678 {
9679 BUG_ON((unsigned)n > 0xFF);
9680 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9681 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9682 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9683 {
9684 BUG_ON((unsigned)n > 0xFF);
9685 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9686 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9687 }
9688
9689 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9690 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9691 {
9692 BUG_ON((unsigned)n > 0xFF);
9693 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9694 }
9695
9696 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9697 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9698 {
9699 BUG_ON((unsigned)n > 0xFF);
9700 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9701 }
9702
9703 +#ifdef CONFIG_X86_32
9704 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9705 +{
9706 + struct desc_struct d;
9707 +
9708 + if (likely(limit))
9709 + limit = (limit - 1UL) >> PAGE_SHIFT;
9710 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
9711 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9712 +}
9713 +#endif
9714 +
9715 #endif /* _ASM_X86_DESC_H */
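Review bot: `pack_descriptor(&d, base, limit, 0xFB, 0xC)` in the new `set_user_cs` passes two bare constants that appear to be the access byte and the flags nibble; a comment such as `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4 KiB granularity, 32-bit */` would let a reader check them against the descriptor format. The `limit == 0` case also needs a line of explanation: the page conversion is skipped and a limit field of 0 is written with the granularity flag set, which the CPU treats as a one-page segment rather than an empty one. Whether any caller passes 0 is not visible here and should be stated in the comment.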
9716 diff -urNp linux-2.6.39.3/arch/x86/include/asm/device.h linux-2.6.39.3/arch/x86/include/asm/device.h
9717 --- linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
9718 +++ linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
9719 @@ -6,7 +6,7 @@ struct dev_archdata {
9720 void *acpi_handle;
9721 #endif
9722 #ifdef CONFIG_X86_64
9723 -struct dma_map_ops *dma_ops;
9724 + const struct dma_map_ops *dma_ops;
9725 #endif
9726 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
9727 void *iommu; /* hook for IOMMU specific extension */
9728 diff -urNp linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h
9729 --- linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
9730 +++ linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
9731 @@ -26,9 +26,9 @@ extern int iommu_merge;
9732 extern struct device x86_dma_fallback_dev;
9733 extern int panic_on_overflow;
9734
9735 -extern struct dma_map_ops *dma_ops;
9736 +extern const struct dma_map_ops *dma_ops;
9737
9738 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9739 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9740 {
9741 #ifdef CONFIG_X86_32
9742 return dma_ops;
9743 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
9744 /* Make sure we keep the same behaviour */
9745 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9746 {
9747 - struct dma_map_ops *ops = get_dma_ops(dev);
9748 + const struct dma_map_ops *ops = get_dma_ops(dev);
9749 if (ops->mapping_error)
9750 return ops->mapping_error(dev, dma_addr);
9751
9752 @@ -115,7 +115,7 @@ static inline void *
9753 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9754 gfp_t gfp)
9755 {
9756 - struct dma_map_ops *ops = get_dma_ops(dev);
9757 + const struct dma_map_ops *ops = get_dma_ops(dev);
9758 void *memory;
9759
9760 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9761 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
9762 static inline void dma_free_coherent(struct device *dev, size_t size,
9763 void *vaddr, dma_addr_t bus)
9764 {
9765 - struct dma_map_ops *ops = get_dma_ops(dev);
9766 + const struct dma_map_ops *ops = get_dma_ops(dev);
9767
9768 WARN_ON(irqs_disabled()); /* for portability */
9769
9770 diff -urNp linux-2.6.39.3/arch/x86/include/asm/e820.h linux-2.6.39.3/arch/x86/include/asm/e820.h
9771 --- linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400
9772 +++ linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400
9773 @@ -69,7 +69,7 @@ struct e820map {
9774 #define ISA_START_ADDRESS 0xa0000
9775 #define ISA_END_ADDRESS 0x100000
9776
9777 -#define BIOS_BEGIN 0x000a0000
9778 +#define BIOS_BEGIN 0x000c0000
9779 #define BIOS_END 0x00100000
9780
9781 #define BIOS_ROM_BASE 0xffe00000
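Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 with no comment, while `ISA_START_ADDRESS` just above stays at 0xa0000, so the range 0xa0000-0xbffff silently drops out of whatever the users of `BIOS_BEGIN` treat as the BIOS area. Those users are outside this hunk, so the effect cannot be judged from here. I would record the reason next to the define, e.g. `/* BIOS area proper starts at 0xc0000; 0xa0000-0xbffff is the legacy video window */`.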
9782 diff -urNp linux-2.6.39.3/arch/x86/include/asm/elf.h linux-2.6.39.3/arch/x86/include/asm/elf.h
9783 --- linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
9784 +++ linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
9785 @@ -237,7 +237,25 @@ extern int force_personality32;
9786 the loader. We need to make sure that it is out of the way of the program
9787 that it will "exec", and that there is sufficient room for the brk. */
9788
9789 +#ifdef CONFIG_PAX_SEGMEXEC
9790 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9791 +#else
9792 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9793 +#endif
9794 +
9795 +#ifdef CONFIG_PAX_ASLR
9796 +#ifdef CONFIG_X86_32
9797 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9798 +
9799 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9800 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9801 +#else
9802 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
9803 +
9804 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9805 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9806 +#endif
9807 +#endif
9808
9809 /* This yields a mask that user programs can use to figure out what
9810 instruction set this CPU supports. This could be done in user space,
9811 @@ -291,8 +309,7 @@ do { \
9812 #define ARCH_DLINFO \
9813 do { \
9814 if (vdso_enabled) \
9815 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9816 - (unsigned long)current->mm->context.vdso); \
9817 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
9818 } while (0)
9819
9820 #define AT_SYSINFO 32
9821 @@ -303,7 +320,7 @@ do { \
9822
9823 #endif /* !CONFIG_X86_32 */
9824
9825 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9826 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9827
9828 #define VDSO_ENTRY \
9829 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9830 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
9831 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9832 #define compat_arch_setup_additional_pages syscall32_setup_pages
9833
9834 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9835 -#define arch_randomize_brk arch_randomize_brk
9836 -
9837 #endif /* _ASM_X86_ELF_H */
9838 diff -urNp linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h
9839 --- linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400
9840 +++ linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400
9841 @@ -15,6 +15,6 @@ enum reboot_type {
9842
9843 extern enum reboot_type reboot_type;
9844
9845 -extern void machine_emergency_restart(void);
9846 +extern void machine_emergency_restart(void) __noreturn;
9847
9848 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9849 diff -urNp linux-2.6.39.3/arch/x86/include/asm/futex.h linux-2.6.39.3/arch/x86/include/asm/futex.h
9850 --- linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400
9851 +++ linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400
9852 @@ -12,16 +12,18 @@
9853 #include <asm/system.h>
9854
9855 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9856 + typecheck(u32 *, uaddr); \
9857 asm volatile("1:\t" insn "\n" \
9858 "2:\t.section .fixup,\"ax\"\n" \
9859 "3:\tmov\t%3, %1\n" \
9860 "\tjmp\t2b\n" \
9861 "\t.previous\n" \
9862 _ASM_EXTABLE(1b, 3b) \
9863 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9864 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
9865 : "i" (-EFAULT), "0" (oparg), "1" (0))
9866
9867 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9868 + typecheck(u32 *, uaddr); \
9869 asm volatile("1:\tmovl %2, %0\n" \
9870 "\tmovl\t%0, %3\n" \
9871 "\t" insn "\n" \
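Review bot: Putting `typecheck(u32 *, uaddr);` in front of the `asm volatile` turns `__futex_atomic_op1` and `__futex_atomic_op2` into two-statement macros with no enclosing block, so a use as the body of an unbraced `if` or `else` would execute the asm unconditionally. The callers visible further down in `futex_atomic_op_inuser` sit under `case` labels, where this happens to work, but I would wrap both bodies as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)`. The definition of `__futex_atomic_op2` continues past the end of the hunk.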
9872 @@ -34,7 +36,7 @@
9873 _ASM_EXTABLE(1b, 4b) \
9874 _ASM_EXTABLE(2b, 4b) \
9875 : "=&a" (oldval), "=&r" (ret), \
9876 - "+m" (*uaddr), "=&r" (tem) \
9877 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
9878 : "r" (oparg), "i" (-EFAULT), "1" (0))
9879
9880 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9881 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9882
9883 switch (op) {
9884 case FUTEX_OP_SET:
9885 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9886 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9887 break;
9888 case FUTEX_OP_ADD:
9889 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9890 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9891 uaddr, oparg);
9892 break;
9893 case FUTEX_OP_OR:
9894 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
9895 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9896 return -EFAULT;
9897
9898 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
9899 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
9900 "2:\t.section .fixup, \"ax\"\n"
9901 "3:\tmov %3, %0\n"
9902 "\tjmp 2b\n"
9903 "\t.previous\n"
9904 _ASM_EXTABLE(1b, 3b)
9905 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
9906 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9907 : "i" (-EFAULT), "r" (newval), "1" (oldval)
9908 : "memory"
9909 );
9910 diff -urNp linux-2.6.39.3/arch/x86/include/asm/hw_irq.h linux-2.6.39.3/arch/x86/include/asm/hw_irq.h
9911 --- linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400
9912 +++ linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400
9913 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
9914 extern void enable_IO_APIC(void);
9915
9916 /* Statistics */
9917 -extern atomic_t irq_err_count;
9918 -extern atomic_t irq_mis_count;
9919 +extern atomic_unchecked_t irq_err_count;
9920 +extern atomic_unchecked_t irq_mis_count;
9921
9922 /* EISA */
9923 extern void eisa_set_level_irq(unsigned int irq);
9924 diff -urNp linux-2.6.39.3/arch/x86/include/asm/i387.h linux-2.6.39.3/arch/x86/include/asm/i387.h
9925 --- linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400
9926 +++ linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400
9927 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
9928 {
9929 int err;
9930
9931 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9932 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9933 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9934 +#endif
9935 +
9936 /* See comment in fxsave() below. */
9937 #ifdef CONFIG_AS_FXSAVEQ
9938 asm volatile("1: fxrstorq %[fx]\n\t"
9939 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
9940 {
9941 int err;
9942
9943 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9944 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9945 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9946 +#endif
9947 +
9948 /*
9949 * Clear the bytes not touched by the fxsave and reserved
9950 * for the SW usage.
9951 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
9952 #endif /* CONFIG_X86_64 */
9953
9954 /* We need a safe address that is cheap to find and that is already
9955 - in L1 during context switch. The best choices are unfortunately
9956 - different for UP and SMP */
9957 -#ifdef CONFIG_SMP
9958 -#define safe_address (__per_cpu_offset[0])
9959 -#else
9960 -#define safe_address (kstat_cpu(0).cpustat.user)
9961 -#endif
9962 + in L1 during context switch. */
9963 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9964
9965 /*
9966 * These must be called with preempt disabled
9967 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
9968 struct thread_info *me = current_thread_info();
9969 preempt_disable();
9970 if (me->status & TS_USEDFPU)
9971 - __save_init_fpu(me->task);
9972 + __save_init_fpu(current);
9973 else
9974 clts();
9975 }
9976 diff -urNp linux-2.6.39.3/arch/x86/include/asm/io.h linux-2.6.39.3/arch/x86/include/asm/io.h
9977 --- linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400
9978 +++ linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400
9979 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
9980
9981 #include <linux/vmalloc.h>
9982
9983 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9984 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9985 +{
9986 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9987 +}
9988 +
9989 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9990 +{
9991 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9992 +}
9993 +
9994 /*
9995 * Convert a virtual cached pointer to an uncached pointer
9996 */
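Review bot: Both new range checks do their addition in `unsigned long` before comparing, so `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range() and `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() can wrap around and produce a small value that passes the bound. On a 32-bit build an address near the top of the 4 GiB range is enough; whether callers can pass such values is not visible here, but a validity helper should not depend on that. Rejecting the wrap first closes it: `if (addr + count < addr || addr + count + PAGE_SIZE - 1 < addr) return 0;` and `if (pfn + (count >> PAGE_SHIFT) < pfn) return 0;`. The trailing `? 1 : 0` is redundant, since the comparison already yields 0 or 1.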
9997 diff -urNp linux-2.6.39.3/arch/x86/include/asm/iommu.h linux-2.6.39.3/arch/x86/include/asm/iommu.h
9998 --- linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
9999 +++ linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
10000 @@ -1,7 +1,7 @@
10001 #ifndef _ASM_X86_IOMMU_H
10002 #define _ASM_X86_IOMMU_H
10003
10004 -extern struct dma_map_ops nommu_dma_ops;
10005 +extern const struct dma_map_ops nommu_dma_ops;
10006 extern int force_iommu, no_iommu;
10007 extern int iommu_detected;
10008 extern int iommu_pass_through;
10009 diff -urNp linux-2.6.39.3/arch/x86/include/asm/irqflags.h linux-2.6.39.3/arch/x86/include/asm/irqflags.h
10010 --- linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400
10011 +++ linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400
10012 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
10013 sti; \
10014 sysexit
10015
10016 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
10017 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
10018 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
10019 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
10020 +
10021 #else
10022 #define INTERRUPT_RETURN iret
10023 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
10024 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kprobes.h linux-2.6.39.3/arch/x86/include/asm/kprobes.h
10025 --- linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400
10026 +++ linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400
10027 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
10028 #define RELATIVEJUMP_SIZE 5
10029 #define RELATIVECALL_OPCODE 0xe8
10030 #define RELATIVE_ADDR_SIZE 4
10031 -#define MAX_STACK_SIZE 64
10032 -#define MIN_STACK_SIZE(ADDR) \
10033 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
10034 - THREAD_SIZE - (unsigned long)(ADDR))) \
10035 - ? (MAX_STACK_SIZE) \
10036 - : (((unsigned long)current_thread_info()) + \
10037 - THREAD_SIZE - (unsigned long)(ADDR)))
10038 +#define MAX_STACK_SIZE 64UL
10039 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
10040
10041 #define flush_insn_slot(p) do { } while (0)
10042
10043 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kvm_host.h linux-2.6.39.3/arch/x86/include/asm/kvm_host.h
10044 --- linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
10045 +++ linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400
10046 @@ -419,7 +419,7 @@ struct kvm_arch {
10047 unsigned int n_used_mmu_pages;
10048 unsigned int n_requested_mmu_pages;
10049 unsigned int n_max_mmu_pages;
10050 - atomic_t invlpg_counter;
10051 + atomic_unchecked_t invlpg_counter;
10052 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
10053 /*
10054 * Hash table of struct kvm_mmu_page.
10055 @@ -599,7 +599,7 @@ struct kvm_arch_async_pf {
10056 bool direct_map;
10057 };
10058
10059 -extern struct kvm_x86_ops *kvm_x86_ops;
10060 +extern const struct kvm_x86_ops *kvm_x86_ops;
10061
10062 int kvm_mmu_module_init(void);
10063 void kvm_mmu_module_exit(void);
10064 diff -urNp linux-2.6.39.3/arch/x86/include/asm/local.h linux-2.6.39.3/arch/x86/include/asm/local.h
10065 --- linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400
10066 +++ linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400
10067 @@ -18,26 +18,58 @@ typedef struct {
10068
10069 static inline void local_inc(local_t *l)
10070 {
10071 - asm volatile(_ASM_INC "%0"
10072 + asm volatile(_ASM_INC "%0\n"
10073 +
10074 +#ifdef CONFIG_PAX_REFCOUNT
10075 + "jno 0f\n"
10076 + _ASM_DEC "%0\n"
10077 + "int $4\n0:\n"
10078 + _ASM_EXTABLE(0b, 0b)
10079 +#endif
10080 +
10081 : "+m" (l->a.counter));
10082 }
10083
10084 static inline void local_dec(local_t *l)
10085 {
10086 - asm volatile(_ASM_DEC "%0"
10087 + asm volatile(_ASM_DEC "%0\n"
10088 +
10089 +#ifdef CONFIG_PAX_REFCOUNT
10090 + "jno 0f\n"
10091 + _ASM_INC "%0\n"
10092 + "int $4\n0:\n"
10093 + _ASM_EXTABLE(0b, 0b)
10094 +#endif
10095 +
10096 : "+m" (l->a.counter));
10097 }
10098
10099 static inline void local_add(long i, local_t *l)
10100 {
10101 - asm volatile(_ASM_ADD "%1,%0"
10102 + asm volatile(_ASM_ADD "%1,%0\n"
10103 +
10104 +#ifdef CONFIG_PAX_REFCOUNT
10105 + "jno 0f\n"
10106 + _ASM_SUB "%1,%0\n"
10107 + "int $4\n0:\n"
10108 + _ASM_EXTABLE(0b, 0b)
10109 +#endif
10110 +
10111 : "+m" (l->a.counter)
10112 : "ir" (i));
10113 }
10114
10115 static inline void local_sub(long i, local_t *l)
10116 {
10117 - asm volatile(_ASM_SUB "%1,%0"
10118 + asm volatile(_ASM_SUB "%1,%0\n"
10119 +
10120 +#ifdef CONFIG_PAX_REFCOUNT
10121 + "jno 0f\n"
10122 + _ASM_ADD "%1,%0\n"
10123 + "int $4\n0:\n"
10124 + _ASM_EXTABLE(0b, 0b)
10125 +#endif
10126 +
10127 : "+m" (l->a.counter)
10128 : "ir" (i));
10129 }
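Review bot: The overflow sequence (`jno 0f`, inverse operation, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into local_inc(), local_dec(), local_add() and local_sub() here, and into every later hunk of this file, without a single comment. One comment ahead of local_inc() would carry the intent, for example `/* PAX_REFCOUNT: on signed overflow undo the operation and raise the overflow trap (vector 4); the extable entry presumably lets execution resume at 0: */`. Wrapping the sequence in one macro that takes the undo instruction as its argument would also remove the risk of a copy being paired with the wrong inverse operation.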
10130 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
10131 {
10132 unsigned char c;
10133
10134 - asm volatile(_ASM_SUB "%2,%0; sete %1"
10135 + asm volatile(_ASM_SUB "%2,%0\n"
10136 +
10137 +#ifdef CONFIG_PAX_REFCOUNT
10138 + "jno 0f\n"
10139 + _ASM_ADD "%2,%0\n"
10140 + "int $4\n0:\n"
10141 + _ASM_EXTABLE(0b, 0b)
10142 +#endif
10143 +
10144 + "sete %1\n"
10145 : "+m" (l->a.counter), "=qm" (c)
10146 : "ir" (i) : "memory");
10147 return c;
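Review bot: On the overflow path of local_sub_and_test() the `sete %1` now runs after the undo `_ASM_ADD` and the `int $4`, so the byte it stores reflects the flags of the undo instruction, not of the subtraction the caller asked about. The same ordering is used in the local_dec_and_test(), local_inc_and_test() and local_add_negative() hunks below. If the trap handler, which is outside this file, can return to the caller, the result on that path should be stated explicitly, at least with a comment such as `/* on overflow the counter is rolled back and the test reflects the rolled-back value */`. The function starts outside the hunk.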
10148 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
10149 {
10150 unsigned char c;
10151
10152 - asm volatile(_ASM_DEC "%0; sete %1"
10153 + asm volatile(_ASM_DEC "%0\n"
10154 +
10155 +#ifdef CONFIG_PAX_REFCOUNT
10156 + "jno 0f\n"
10157 + _ASM_INC "%0\n"
10158 + "int $4\n0:\n"
10159 + _ASM_EXTABLE(0b, 0b)
10160 +#endif
10161 +
10162 + "sete %1\n"
10163 : "+m" (l->a.counter), "=qm" (c)
10164 : : "memory");
10165 return c != 0;
10166 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
10167 {
10168 unsigned char c;
10169
10170 - asm volatile(_ASM_INC "%0; sete %1"
10171 + asm volatile(_ASM_INC "%0\n"
10172 +
10173 +#ifdef CONFIG_PAX_REFCOUNT
10174 + "jno 0f\n"
10175 + _ASM_DEC "%0\n"
10176 + "int $4\n0:\n"
10177 + _ASM_EXTABLE(0b, 0b)
10178 +#endif
10179 +
10180 + "sete %1\n"
10181 : "+m" (l->a.counter), "=qm" (c)
10182 : : "memory");
10183 return c != 0;
10184 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
10185 {
10186 unsigned char c;
10187
10188 - asm volatile(_ASM_ADD "%2,%0; sets %1"
10189 + asm volatile(_ASM_ADD "%2,%0\n"
10190 +
10191 +#ifdef CONFIG_PAX_REFCOUNT
10192 + "jno 0f\n"
10193 + _ASM_SUB "%2,%0\n"
10194 + "int $4\n0:\n"
10195 + _ASM_EXTABLE(0b, 0b)
10196 +#endif
10197 +
10198 + "sets %1\n"
10199 : "+m" (l->a.counter), "=qm" (c)
10200 : "ir" (i) : "memory");
10201 return c;
10202 @@ -133,7 +201,15 @@ static inline long local_add_return(long
10203 #endif
10204 /* Modern 486+ processor */
10205 __i = i;
10206 - asm volatile(_ASM_XADD "%0, %1;"
10207 + asm volatile(_ASM_XADD "%0, %1\n"
10208 +
10209 +#ifdef CONFIG_PAX_REFCOUNT
10210 + "jno 0f\n"
10211 + _ASM_MOV "%0,%1\n"
10212 + "int $4\n0:\n"
10213 + _ASM_EXTABLE(0b, 0b)
10214 +#endif
10215 +
10216 : "+r" (i), "+m" (l->a.counter)
10217 : : "memory");
10218 return i + __i;
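Review bot: When the overflow branch is taken in local_add_return(), `_ASM_MOV "%0,%1"` writes the old value back into the counter, yet the function still returns `i + __i`, which is the wrapped sum that was just rejected. The caller therefore receives a value the counter never holds. If execution can continue after `int $4` (the handler is not in this hunk), either return the restored value on that path or document that the return value is unspecified after an overflow trap. The start of the function is outside the hunk.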
10219 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mce.h linux-2.6.39.3/arch/x86/include/asm/mce.h
10220 --- linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400
10221 +++ linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400
10222 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
10223 void mce_notify_process(void);
10224
10225 DECLARE_PER_CPU(struct mce, injectm);
10226 -extern struct file_operations mce_chrdev_ops;
10227 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
10228
10229 /*
10230 * Exception handler
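Review bot: The file reference in the added comment is cut short: `see arch/x86/kernel/cpu/mcheck/mce.` stops at the dot and presumably means `mce.c`. This comment is the only record of why mce_chrdev_ops stays writable while other ops structures in this patch become const, so it should name the file in full and give the reason, e.g. `/* cannot be const: <reason>, see arch/x86/kernel/cpu/mcheck/mce.c */`, with the reason filled in from that file.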
10231 diff -urNp linux-2.6.39.3/arch/x86/include/asm/microcode.h linux-2.6.39.3/arch/x86/include/asm/microcode.h
10232 --- linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400
10233 +++ linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400
10234 @@ -12,13 +12,13 @@ struct device;
10235 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
10236
10237 struct microcode_ops {
10238 - enum ucode_state (*request_microcode_user) (int cpu,
10239 + enum ucode_state (* const request_microcode_user) (int cpu,
10240 const void __user *buf, size_t size);
10241
10242 - enum ucode_state (*request_microcode_fw) (int cpu,
10243 + enum ucode_state (* const request_microcode_fw) (int cpu,
10244 struct device *device);
10245
10246 - void (*microcode_fini_cpu) (int cpu);
10247 + void (* const microcode_fini_cpu) (int cpu);
10248
10249 /*
10250 * The generic 'microcode_core' part guarantees that
10251 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
10252 extern struct ucode_cpu_info ucode_cpu_info[];
10253
10254 #ifdef CONFIG_MICROCODE_INTEL
10255 -extern struct microcode_ops * __init init_intel_microcode(void);
10256 +extern const struct microcode_ops * __init init_intel_microcode(void);
10257 #else
10258 -static inline struct microcode_ops * __init init_intel_microcode(void)
10259 +static inline const struct microcode_ops * __init init_intel_microcode(void)
10260 {
10261 return NULL;
10262 }
10263 #endif /* CONFIG_MICROCODE_INTEL */
10264
10265 #ifdef CONFIG_MICROCODE_AMD
10266 -extern struct microcode_ops * __init init_amd_microcode(void);
10267 +extern const struct microcode_ops * __init init_amd_microcode(void);
10268
10269 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
10270 {
10271 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
10272 }
10273
10274 #else
10275 -static inline struct microcode_ops * __init init_amd_microcode(void)
10276 +static inline const struct microcode_ops * __init init_amd_microcode(void)
10277 {
10278 return NULL;
10279 }
10280 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mman.h linux-2.6.39.3/arch/x86/include/asm/mman.h
10281 --- linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400
10282 +++ linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400
10283 @@ -5,4 +5,14 @@
10284
10285 #include <asm-generic/mman.h>
10286
10287 +#ifdef __KERNEL__
10288 +#ifndef __ASSEMBLY__
10289 +#ifdef CONFIG_X86_32
10290 +#define arch_mmap_check i386_mmap_check
10291 +int i386_mmap_check(unsigned long addr, unsigned long len,
10292 + unsigned long flags);
10293 +#endif
10294 +#endif
10295 +#endif
10296 +
10297 #endif /* _ASM_X86_MMAN_H */
10298 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu_context.h linux-2.6.39.3/arch/x86/include/asm/mmu_context.h
10299 --- linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400
10300 +++ linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400
10301 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
10302
10303 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10304 {
10305 +
10306 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10307 + unsigned int i;
10308 + pgd_t *pgd;
10309 +
10310 + pax_open_kernel();
10311 + pgd = get_cpu_pgd(smp_processor_id());
10312 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10313 + if (paravirt_enabled())
10314 + set_pgd(pgd+i, native_make_pgd(0));
10315 + else
10316 + pgd[i] = native_make_pgd(0);
10317 + pax_close_kernel();
10318 +#endif
10319 +
10320 #ifdef CONFIG_SMP
10321 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10322 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
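Review bot: The block added to enter_lazy_tlb() calls get_cpu_pgd(), which the pgtable.h part of this patch declares only under `CONFIG_PAX_PER_CPU_PGD`, while the block itself is guarded by `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`. Unless Kconfig forces PER_CPU_PGD on for that combination (not visible here) this does not build; stating the dependency in the guard, `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_PAX_PER_CPU_PGD)`, or in a comment, makes it explicit. The direct `pgd[i] = native_make_pgd(0);` store also needs a comment: native_set_pgd() in pgtable_64.h opens the kernel itself and native_pax_open_kernel() hits BUG_ON when write protection is already off, so this reads as a deliberate bypass of set_pgd() that a later editor could easily undo. The rest of the function is outside the hunk.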
10323 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
10324 struct task_struct *tsk)
10325 {
10326 unsigned cpu = smp_processor_id();
10327 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
10328 + int tlbstate = TLBSTATE_OK;
10329 +#endif
10330
10331 if (likely(prev != next)) {
10332 #ifdef CONFIG_SMP
10333 +#ifdef CONFIG_X86_32
10334 + tlbstate = percpu_read(cpu_tlbstate.state);
10335 +#endif
10336 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10337 percpu_write(cpu_tlbstate.active_mm, next);
10338 #endif
10339 cpumask_set_cpu(cpu, mm_cpumask(next));
10340
10341 /* Re-load page tables */
10342 +#ifdef CONFIG_PAX_PER_CPU_PGD
10343 + pax_open_kernel();
10344 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10345 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10346 + pax_close_kernel();
10347 + load_cr3(get_cpu_pgd(cpu));
10348 +#else
10349 load_cr3(next->pgd);
10350 +#endif
10351
10352 /* stop flush ipis for the previous mm */
10353 cpumask_clear_cpu(cpu, mm_cpumask(prev));
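Review bot: The per-CPU PGD reload (`pax_open_kernel()`, `__clone_user_pgds()`, `__shadow_user_pgds()`, `pax_close_kernel()`, `load_cr3(get_cpu_pgd(cpu))`) is written out here and again, line for line, in the `else` branch added by the next hunk. Two copies of a sequence that rewrites page-table roots while write protection is lifted will drift apart; a small static inline helper called from both places keeps them identical and gives the sequence one place for its comment. The helper name below is only a suggestion, and switch_mm() begins and ends outside this hunk.

```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Refresh this CPU's private PGD from next->pgd and switch to it. */
static inline void pax_switch_cpu_pgd(unsigned int cpu, struct mm_struct *next)
{
	pgd_t *pgd = get_cpu_pgd(cpu);

	pax_open_kernel();
	__clone_user_pgds(pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(pgd);
}
#endif

/* ... unchanged: switch_mm() prologue and cpu_tlbstate updates ... */
		/* Re-load page tables */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_switch_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
```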
10354 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
10355 */
10356 if (unlikely(prev->context.ldt != next->context.ldt))
10357 load_LDT_nolock(&next->context);
10358 - }
10359 +
10360 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10361 + if (!(__supported_pte_mask & _PAGE_NX)) {
10362 + smp_mb__before_clear_bit();
10363 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10364 + smp_mb__after_clear_bit();
10365 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10366 + }
10367 +#endif
10368 +
10369 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10370 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10371 + prev->context.user_cs_limit != next->context.user_cs_limit))
10372 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10373 #ifdef CONFIG_SMP
10374 + else if (unlikely(tlbstate != TLBSTATE_OK))
10375 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10376 +#endif
10377 +#endif
10378 +
10379 + }
10380 else {
10381 +
10382 +#ifdef CONFIG_PAX_PER_CPU_PGD
10383 + pax_open_kernel();
10384 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10385 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10386 + pax_close_kernel();
10387 + load_cr3(get_cpu_pgd(cpu));
10388 +#endif
10389 +
10390 +#ifdef CONFIG_SMP
10391 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10392 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10393
10394 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
10395 * tlb flush IPI delivery. We must reload CR3
10396 * to make sure to use no freed page tables.
10397 */
10398 +
10399 +#ifndef CONFIG_PAX_PER_CPU_PGD
10400 load_cr3(next->pgd);
10401 +#endif
10402 +
10403 load_LDT_nolock(&next->context);
10404 +
10405 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10406 + if (!(__supported_pte_mask & _PAGE_NX))
10407 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10408 +#endif
10409 +
10410 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10411 +#ifdef CONFIG_PAX_PAGEEXEC
10412 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
10413 +#endif
10414 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10415 +#endif
10416 +
10417 }
10418 - }
10419 #endif
10420 + }
10421 }
10422
10423 #define activate_mm(prev, next) \
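Review bot: In the last added block the `#ifdef CONFIG_PAX_PAGEEXEC` wraps only the `if (...)` line, so whether the following set_user_cs() call is conditional depends on the configuration, and there are no braces to show which statement the condition governs. A comment such as `/* SEGMEXEC-only builds: always reload the user CS */` above the call, or a braced form, would make both configurations readable. The `cpu_user_cs_mask` block just above it is guarded without `CONFIG_SMP` and relies on the enclosing `#ifdef CONFIG_SMP` opened in the previous hunk, whereas the equivalent block there spells SMP out; the two guards should be written the same way. switch_mm() starts outside this hunk.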
10424 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu.h linux-2.6.39.3/arch/x86/include/asm/mmu.h
10425 --- linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400
10426 +++ linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400
10427 @@ -9,10 +9,22 @@
10428 * we put the segment information here.
10429 */
10430 typedef struct {
10431 - void *ldt;
10432 + struct desc_struct *ldt;
10433 int size;
10434 struct mutex lock;
10435 - void *vdso;
10436 + unsigned long vdso;
10437 +
10438 +#ifdef CONFIG_X86_32
10439 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10440 + unsigned long user_cs_base;
10441 + unsigned long user_cs_limit;
10442 +
10443 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10444 + cpumask_t cpu_user_cs_mask;
10445 +#endif
10446 +
10447 +#endif
10448 +#endif
10449
10450 #ifdef CONFIG_X86_64
10451 /* True if mm supports a task running in 32 bit compatibility mode. */
10452 diff -urNp linux-2.6.39.3/arch/x86/include/asm/module.h linux-2.6.39.3/arch/x86/include/asm/module.h
10453 --- linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400
10454 +++ linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400
10455 @@ -5,6 +5,7 @@
10456
10457 #ifdef CONFIG_X86_64
10458 /* X86_64 does not define MODULE_PROC_FAMILY */
10459 +#define MODULE_PROC_FAMILY ""
10460 #elif defined CONFIG_M386
10461 #define MODULE_PROC_FAMILY "386 "
10462 #elif defined CONFIG_M486
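Review bot: The added `#define MODULE_PROC_FAMILY ""` sits directly under the context comment `/* X86_64 does not define MODULE_PROC_FAMILY */`, which it now contradicts. The comment should change with the code, for example `/* X86_64 has no processor-family tag; define it empty so MODULE_ARCH_VERMAGIC can be composed unconditionally */`, which matches the unconditional definition added by the next hunk.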
10463 @@ -59,8 +60,30 @@
10464 #error unknown processor family
10465 #endif
10466
10467 -#ifdef CONFIG_X86_32
10468 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
10469 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10470 +#define MODULE_PAX_UDEREF "UDEREF "
10471 +#else
10472 +#define MODULE_PAX_UDEREF ""
10473 +#endif
10474 +
10475 +#ifdef CONFIG_PAX_KERNEXEC
10476 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
10477 +#else
10478 +#define MODULE_PAX_KERNEXEC ""
10479 #endif
10480
10481 +#ifdef CONFIG_PAX_REFCOUNT
10482 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
10483 +#else
10484 +#define MODULE_PAX_REFCOUNT ""
10485 +#endif
10486 +
10487 +#ifdef CONFIG_GRKERNSEC
10488 +#define MODULE_GRSEC "GRSECURITY "
10489 +#else
10490 +#define MODULE_GRSEC ""
10491 +#endif
10492 +
10493 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
10494 +
10495 #endif /* _ASM_X86_MODULE_H */
10496 diff -urNp linux-2.6.39.3/arch/x86/include/asm/page_64_types.h linux-2.6.39.3/arch/x86/include/asm/page_64_types.h
10497 --- linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400
10498 +++ linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400
10499 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10500
10501 /* duplicated to the one in bootmem.h */
10502 extern unsigned long max_pfn;
10503 -extern unsigned long phys_base;
10504 +extern const unsigned long phys_base;
10505
10506 extern unsigned long __phys_addr(unsigned long);
10507 #define __phys_reloc_hide(x) (x)
10508 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt.h linux-2.6.39.3/arch/x86/include/asm/paravirt.h
10509 --- linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400
10510 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400
10511 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
10512 pv_mmu_ops.set_fixmap(idx, phys, flags);
10513 }
10514
10515 +#ifdef CONFIG_PAX_KERNEXEC
10516 +static inline unsigned long pax_open_kernel(void)
10517 +{
10518 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10519 +}
10520 +
10521 +static inline unsigned long pax_close_kernel(void)
10522 +{
10523 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10524 +}
10525 +#else
10526 +static inline unsigned long pax_open_kernel(void) { return 0; }
10527 +static inline unsigned long pax_close_kernel(void) { return 0; }
10528 +#endif
10529 +
10530 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10531
10532 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
10533 @@ -955,7 +970,7 @@ extern void default_banner(void);
10534
10535 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10536 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10537 -#define PARA_INDIRECT(addr) *%cs:addr
10538 +#define PARA_INDIRECT(addr) *%ss:addr
10539 #endif
10540
10541 #define INTERRUPT_RETURN \
10542 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
10543 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10544 CLBR_NONE, \
10545 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10546 +
10547 +#define GET_CR0_INTO_RDI \
10548 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10549 + mov %rax,%rdi
10550 +
10551 +#define SET_RDI_INTO_CR0 \
10552 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10553 +
10554 +#define GET_CR3_INTO_RDI \
10555 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10556 + mov %rax,%rdi
10557 +
10558 +#define SET_RDI_INTO_CR3 \
10559 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10560 +
10561 #endif /* CONFIG_X86_32 */
10562
10563 #endif /* __ASSEMBLY__ */
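Review bot: The paravirt versions of GET_CR0_INTO_RDI and GET_CR3_INTO_RDI go through `call` and then `mov %rax,%rdi`, so they overwrite %rax (and anything else the called op does not preserve), while the native versions added in irqflags.h are a single `mov` that touches only %rdi. Nothing documents that difference, so assembly written against the native macros would silently lose %rax on a paravirt build. A comment on both sets of definitions, e.g. `/* clobbers %rdi and %rax (paravirt: plus call-clobbered registers) */`, would give them one contract. Unlike the PARA_SITE entry visible in the context lines, these calls are not registered as patch sites; that looks intentional but should be stated in the comment as well.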
10564 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h
10565 --- linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400
10566 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400
10567 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
10568 an mfn. We can tell which is which from the index. */
10569 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10570 phys_addr_t phys, pgprot_t flags);
10571 +
10572 +#ifdef CONFIG_PAX_KERNEXEC
10573 + unsigned long (*pax_open_kernel)(void);
10574 + unsigned long (*pax_close_kernel)(void);
10575 +#endif
10576 +
10577 };
10578
10579 struct arch_spinlock;
10580 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pci_x86.h linux-2.6.39.3/arch/x86/include/asm/pci_x86.h
10581 --- linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400
10582 +++ linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400
10583 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
10584 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10585
10586 struct pci_raw_ops {
10587 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10588 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10589 int reg, int len, u32 *val);
10590 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10591 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10592 int reg, int len, u32 val);
10593 };
10594
10595 -extern struct pci_raw_ops *raw_pci_ops;
10596 -extern struct pci_raw_ops *raw_pci_ext_ops;
10597 +extern const struct pci_raw_ops *raw_pci_ops;
10598 +extern const struct pci_raw_ops *raw_pci_ext_ops;
10599
10600 -extern struct pci_raw_ops pci_direct_conf1;
10601 +extern const struct pci_raw_ops pci_direct_conf1;
10602 extern bool port_cf9_safe;
10603
10604 /* arch_initcall level */
10605 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgalloc.h linux-2.6.39.3/arch/x86/include/asm/pgalloc.h
10606 --- linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400
10607 +++ linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400
10608 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10609 pmd_t *pmd, pte_t *pte)
10610 {
10611 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10612 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10613 +}
10614 +
10615 +static inline void pmd_populate_user(struct mm_struct *mm,
10616 + pmd_t *pmd, pte_t *pte)
10617 +{
10618 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10619 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10620 }
10621
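Review bot: After this change pmd_populate_kernel() and the new pmd_populate_user() differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`, and neither function says why. In mainline the two masks differ by `_PAGE_USER`, so picking the wrong helper decides whether a page-table page is reachable with user permission. Each function should carry one line, e.g. `/* kernel mappings: pmd entry without _PAGE_USER */` and `/* userland mappings: pmd entry carries _PAGE_USER */`.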
10622 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h
10623 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400
10624 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400
10625 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10626
10627 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10628 {
10629 + pax_open_kernel();
10630 *pmdp = pmd;
10631 + pax_close_kernel();
10632 }
10633
10634 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10635 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h
10636 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
10637 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
10638 @@ -25,9 +25,6 @@
10639 struct mm_struct;
10640 struct vm_area_struct;
10641
10642 -extern pgd_t swapper_pg_dir[1024];
10643 -extern pgd_t initial_page_table[1024];
10644 -
10645 static inline void pgtable_cache_init(void) { }
10646 static inline void check_pgt_cache(void) { }
10647 void paging_init(void);
10648 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
10649 # include <asm/pgtable-2level.h>
10650 #endif
10651
10652 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10653 +extern pgd_t initial_page_table[PTRS_PER_PGD];
10654 +#ifdef CONFIG_X86_PAE
10655 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10656 +#endif
10657 +
10658 #if defined(CONFIG_HIGHPTE)
10659 #define pte_offset_map(dir, address) \
10660 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
10661 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
10662 /* Clear a kernel PTE and flush it from the TLB */
10663 #define kpte_clear_flush(ptep, vaddr) \
10664 do { \
10665 + pax_open_kernel(); \
10666 pte_clear(&init_mm, (vaddr), (ptep)); \
10667 + pax_close_kernel(); \
10668 __flush_tlb_one((vaddr)); \
10669 } while (0)
10670
10671 @@ -74,6 +79,9 @@ do { \
10672
10673 #endif /* !__ASSEMBLY__ */
10674
10675 +#define HAVE_ARCH_UNMAPPED_AREA
10676 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10677 +
10678 /*
10679 * kern_addr_valid() is (1) for FLATMEM and (0) for
10680 * SPARSEMEM and DISCONTIGMEM
10681 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h
10682 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400
10683 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400
10684 @@ -8,7 +8,7 @@
10685 */
10686 #ifdef CONFIG_X86_PAE
10687 # include <asm/pgtable-3level_types.h>
10688 -# define PMD_SIZE (1UL << PMD_SHIFT)
10689 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10690 # define PMD_MASK (~(PMD_SIZE - 1))
10691 #else
10692 # include <asm/pgtable-2level_types.h>
10693 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10694 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10695 #endif
10696
10697 +#ifdef CONFIG_PAX_KERNEXEC
10698 +#ifndef __ASSEMBLY__
10699 +extern unsigned char MODULES_EXEC_VADDR[];
10700 +extern unsigned char MODULES_EXEC_END[];
10701 +#endif
10702 +#include <asm/boot.h>
10703 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10704 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10705 +#else
10706 +#define ktla_ktva(addr) (addr)
10707 +#define ktva_ktla(addr) (addr)
10708 +#endif
10709 +
10710 #define MODULES_VADDR VMALLOC_START
10711 #define MODULES_END VMALLOC_END
10712 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
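Review bot: The KERNEXEC variants of `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses, so an argument containing an operator of lower precedence than `+`/`-` (a conditional, a shift, a bitwise OR) is regrouped by the expansion. The non-KERNEXEC variants right below already write `(addr)`; the same applies here: `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`.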
10713 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h
10714 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400
10715 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400
10716 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10717
10718 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10719 {
10720 + pax_open_kernel();
10721 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10722 + pax_close_kernel();
10723 }
10724
10725 static inline void native_set_pud(pud_t *pudp, pud_t pud)
10726 {
10727 + pax_open_kernel();
10728 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10729 + pax_close_kernel();
10730 }
10731
10732 /*
10733 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h
10734 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400
10735 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400
10736 @@ -16,10 +16,13 @@
10737
10738 extern pud_t level3_kernel_pgt[512];
10739 extern pud_t level3_ident_pgt[512];
10740 +extern pud_t level3_vmalloc_pgt[512];
10741 +extern pud_t level3_vmemmap_pgt[512];
10742 +extern pud_t level2_vmemmap_pgt[512];
10743 extern pmd_t level2_kernel_pgt[512];
10744 extern pmd_t level2_fixmap_pgt[512];
10745 -extern pmd_t level2_ident_pgt[512];
10746 -extern pgd_t init_level4_pgt[];
10747 +extern pmd_t level2_ident_pgt[512*2];
10748 +extern pgd_t init_level4_pgt[512];
10749
10750 #define swapper_pg_dir init_level4_pgt
10751
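Review bot: `level2_vmemmap_pgt` is declared as `pud_t [512]`, whereas every other `level2_*` table in this list is `pmd_t` and the `level3_*` tables are `pud_t`. If the definition (outside this hunk) is a pmd-level table, this declaration gives users the wrong entry type and should read `extern pmd_t level2_vmemmap_pgt[512];`. If `pud_t` is intended, a short comment saying so would prevent a well-meant correction later.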
10752 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
10753
10754 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10755 {
10756 + pax_open_kernel();
10757 *pmdp = pmd;
10758 + pax_close_kernel();
10759 }
10760
10761 static inline void native_pmd_clear(pmd_t *pmd)
10762 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
10763
10764 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10765 {
10766 + pax_open_kernel();
10767 *pgdp = pgd;
10768 + pax_close_kernel();
10769 }
10770
10771 static inline void native_pgd_clear(pgd_t *pgd)
10772 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h
10773 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400
10774 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400
10775 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10776 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10777 #define MODULES_END _AC(0xffffffffff000000, UL)
10778 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10779 +#define MODULES_EXEC_VADDR MODULES_VADDR
10780 +#define MODULES_EXEC_END MODULES_END
10781 +
10782 +#define ktla_ktva(addr) (addr)
10783 +#define ktva_ktla(addr) (addr)
10784
10785 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10786 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable.h linux-2.6.39.3/arch/x86/include/asm/pgtable.h
10787 --- linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
10788 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
10789 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
10790
10791 #define arch_end_context_switch(prev) do {} while(0)
10792
10793 +#define pax_open_kernel() native_pax_open_kernel()
10794 +#define pax_close_kernel() native_pax_close_kernel()
10795 #endif /* CONFIG_PARAVIRT */
10796
10797 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10798 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10799 +
10800 +#ifdef CONFIG_PAX_KERNEXEC
10801 +static inline unsigned long native_pax_open_kernel(void)
10802 +{
10803 + unsigned long cr0;
10804 +
10805 + preempt_disable();
10806 + barrier();
10807 + cr0 = read_cr0() ^ X86_CR0_WP;
10808 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10809 + write_cr0(cr0);
10810 + return cr0 ^ X86_CR0_WP;
10811 +}
10812 +
10813 +static inline unsigned long native_pax_close_kernel(void)
10814 +{
10815 + unsigned long cr0;
10816 +
10817 + cr0 = read_cr0() ^ X86_CR0_WP;
10818 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10819 + write_cr0(cr0);
10820 + barrier();
10821 + preempt_enable_no_resched();
10822 + return cr0 ^ X86_CR0_WP;
10823 +}
10824 +#else
10825 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10826 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10827 +#endif
10828 +
10829 /*
10830 * The following only work if pte_present() is true.
10831 * Undefined behaviour if not..
10832 */
10833 +static inline int pte_user(pte_t pte)
10834 +{
10835 + return pte_val(pte) & _PAGE_USER;
10836 +}
10837 +
10838 static inline int pte_dirty(pte_t pte)
10839 {
10840 return pte_flags(pte) & _PAGE_DIRTY;
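Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` carry no comment stating their contract, and the contract is strict: the two `BUG_ON` checks mean the pair must not nest, and every open needs a matching close on the same CPU. Only preemption is disabled, so as far as this hunk shows an interrupt taken inside the window runs with CR0.WP clear unless the entry path restores it; that should be confirmed and written down. I would add above the open function `/* Clears CR0.WP on this CPU; must be paired with pax_close_kernel(), must not nest; keep the window to the minimal set of stores. */`. The real functions return the CR0 value read on entry while the `#else` stubs return 0, and the callers visible in this patch ignore the result, so the return value should be documented or dropped.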
10841 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
10842 return pte_clear_flags(pte, _PAGE_RW);
10843 }
10844
10845 +static inline pte_t pte_mkread(pte_t pte)
10846 +{
10847 + return __pte(pte_val(pte) | _PAGE_USER);
10848 +}
10849 +
10850 static inline pte_t pte_mkexec(pte_t pte)
10851 {
10852 - return pte_clear_flags(pte, _PAGE_NX);
10853 +#ifdef CONFIG_X86_PAE
10854 + if (__supported_pte_mask & _PAGE_NX)
10855 + return pte_clear_flags(pte, _PAGE_NX);
10856 + else
10857 +#endif
10858 + return pte_set_flags(pte, _PAGE_USER);
10859 +}
10860 +
10861 +static inline pte_t pte_exprotect(pte_t pte)
10862 +{
10863 +#ifdef CONFIG_X86_PAE
10864 + if (__supported_pte_mask & _PAGE_NX)
10865 + return pte_set_flags(pte, _PAGE_NX);
10866 + else
10867 +#endif
10868 + return pte_clear_flags(pte, _PAGE_USER);
10869 }
10870
10871 static inline pte_t pte_mkdirty(pte_t pte)
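Review bot: In `pte_mkexec()` and `pte_exprotect()` the `else` sits inside the `#ifdef CONFIG_X86_PAE` block while its statement sits after `#endif`, so the control flow depends on the preprocessor in a way that is easy to break when a line is added. An early return reads more safely: keep `if (__supported_pte_mask & _PAGE_NX) return pte_clear_flags(pte, _PAGE_NX);` inside the `#ifdef` and follow it with an unconditional `return pte_set_flags(pte, _PAGE_USER);`. The fallback branch appears to use `_PAGE_USER` as the stand-in for execute permission when NX is unavailable; a one-line comment saying so would also explain why `pte_mkread()` sets the same bit. `pte_mkread()` builds its result with `__pte(pte_val(pte) | _PAGE_USER)` where its neighbours use `pte_set_flags()`, which is worth aligning.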
10872 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
10873 #endif
10874
10875 #ifndef __ASSEMBLY__
10876 +
10877 +#ifdef CONFIG_PAX_PER_CPU_PGD
10878 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10879 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10880 +{
10881 + return cpu_pgd[cpu];
10882 +}
10883 +#endif
10884 +
10885 #include <linux/mm_types.h>
10886
10887 static inline int pte_none(pte_t pte)
10888 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
10889
10890 static inline int pgd_bad(pgd_t pgd)
10891 {
10892 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10893 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10894 }
10895
10896 static inline int pgd_none(pgd_t pgd)
10897 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
10898 * pgd_offset() returns a (pgd_t *)
10899 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10900 */
10901 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10902 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10903 +
10904 +#ifdef CONFIG_PAX_PER_CPU_PGD
10905 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10906 +#endif
10907 +
10908 /*
10909 * a shortcut which implies the use of the kernel's pgd, instead
10910 * of a process's
10911 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
10912 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10913 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10914
10915 +#ifdef CONFIG_X86_32
10916 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10917 +#else
10918 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10919 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10920 +
10921 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10922 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10923 +#else
10924 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10925 +#endif
10926 +
10927 +#endif
10928 +
10929 #ifndef __ASSEMBLY__
10930
10931 extern int direct_gbpages;
10932 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
10933 * dst and src can be on the same page, but the range must not overlap,
10934 * and must not cross a page boundary.
10935 */
10936 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10937 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10938 {
10939 - memcpy(dst, src, count * sizeof(pgd_t));
10940 + pax_open_kernel();
10941 + while (count--)
10942 + *dst++ = *src++;
10943 + pax_close_kernel();
10944 }
10945
10946 +#ifdef CONFIG_PAX_PER_CPU_PGD
10947 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10948 +#endif
10949 +
10950 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10951 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10952 +#else
10953 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10954 +#endif
10955
10956 #include <asm-generic/pgtable.h>
10957 #endif /* __ASSEMBLY__ */
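Review bot: The open-coded loop `while (count--)` in `clone_pgd_range()` does not stop for a negative `count`; it keeps copying far past both ranges, and it now does so inside the `pax_open_kernel()` window where kernel write protection is lifted. Writing it as `while (count-- > 0)` makes a zero or negative count a no-op. The comment above the function does not say why `memcpy` was replaced by a copy bracketed with `pax_open_kernel()`/`pax_close_kernel()` (presumably because the destination can be read-only under KERNEXEC); one sentence there would help. The empty `__shadow_user_pgds()` stub and both `extern` declarations have no comment on what the real implementations copy.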
10958 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h
10959 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400
10960 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400
10961 @@ -16,13 +16,12 @@
10962 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10963 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10964 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10965 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10966 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10967 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10968 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10969 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10970 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10971 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10972 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
10973 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10974 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
10975 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10976
10977 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10978 @@ -40,7 +39,6 @@
10979 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10980 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10981 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10982 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10983 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10984 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10985 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10986 @@ -57,8 +55,10 @@
10987
10988 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10989 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10990 -#else
10991 +#elif defined(CONFIG_KMEMCHECK)
10992 #define _PAGE_NX (_AT(pteval_t, 0))
10993 +#else
10994 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10995 #endif
10996
10997 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
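Review bot: The new fallback `#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)` gives `_PAGE_NX` a non-zero value on 32-bit non-PAE builds with no comment saying that it is a software-only marker. Bit 11 is ignored by the MMU in that paging mode, so setting `_PAGE_NX` there gives no hardware enforcement, and the bit is shared with kmemcheck's hidden flag, which is presumably why `CONFIG_KMEMCHECK` keeps the zero definition. I would add `/* no hardware NX here: bit 11 is a software flag shared with _PAGE_BIT_HIDDEN */` above the new branch and name the code that is expected to interpret it.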
10998 @@ -96,6 +96,9 @@
10999 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
11000 _PAGE_ACCESSED)
11001
11002 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
11003 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
11004 +
11005 #define __PAGE_KERNEL_EXEC \
11006 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
11007 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
11008 @@ -106,8 +109,8 @@
11009 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
11010 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
11011 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
11012 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
11013 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
11014 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
11015 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
11016 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
11017 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
11018 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
11019 @@ -166,8 +169,8 @@
11020 * bits are combined, this will alow user to access the high address mapped
11021 * VDSO in the presence of CONFIG_COMPAT_VDSO
11022 */
11023 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
11024 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
11025 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11026 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11027 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
11028 #endif
11029
11030 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
11031 {
11032 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
11033 }
11034 +#endif
11035
11036 +#if PAGETABLE_LEVELS == 3
11037 +#include <asm-generic/pgtable-nopud.h>
11038 +#endif
11039 +
11040 +#if PAGETABLE_LEVELS == 2
11041 +#include <asm-generic/pgtable-nopmd.h>
11042 +#endif
11043 +
11044 +#ifndef __ASSEMBLY__
11045 #if PAGETABLE_LEVELS > 3
11046 typedef struct { pudval_t pud; } pud_t;
11047
11048 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
11049 return pud.pud;
11050 }
11051 #else
11052 -#include <asm-generic/pgtable-nopud.h>
11053 -
11054 static inline pudval_t native_pud_val(pud_t pud)
11055 {
11056 return native_pgd_val(pud.pgd);
11057 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
11058 return pmd.pmd;
11059 }
11060 #else
11061 -#include <asm-generic/pgtable-nopmd.h>
11062 -
11063 static inline pmdval_t native_pmd_val(pmd_t pmd)
11064 {
11065 return native_pgd_val(pmd.pud.pgd);
11066 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
11067
11068 extern pteval_t __supported_pte_mask;
11069 extern void set_nx(void);
11070 -extern int nx_enabled;
11071
11072 #define pgprot_writecombine pgprot_writecombine
11073 extern pgprot_t pgprot_writecombine(pgprot_t prot);
11074 diff -urNp linux-2.6.39.3/arch/x86/include/asm/processor.h linux-2.6.39.3/arch/x86/include/asm/processor.h
11075 --- linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400
11076 +++ linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400
11077 @@ -266,7 +266,7 @@ struct tss_struct {
11078
11079 } ____cacheline_aligned;
11080
11081 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
11082 +extern struct tss_struct init_tss[NR_CPUS];
11083
11084 /*
11085 * Save the original ist values for checking stack pointers during debugging
11086 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
11087 */
11088 #define TASK_SIZE PAGE_OFFSET
11089 #define TASK_SIZE_MAX TASK_SIZE
11090 +
11091 +#ifdef CONFIG_PAX_SEGMEXEC
11092 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
11093 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
11094 +#else
11095 #define STACK_TOP TASK_SIZE
11096 -#define STACK_TOP_MAX STACK_TOP
11097 +#endif
11098 +
11099 +#define STACK_TOP_MAX TASK_SIZE
11100
11101 #define INIT_THREAD { \
11102 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11103 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11104 .vm86_info = NULL, \
11105 .sysenter_cs = __KERNEL_CS, \
11106 .io_bitmap_ptr = NULL, \
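Review bot: The SEGMEXEC variant of `STACK_TOP` dereferences `current->mm->pax_flags` with no NULL check, where the old definition was a constant. `current->mm` is NULL for kernel threads, so any expansion of `STACK_TOP` outside a context that owns a user mm would fault; the users of the macro are not visible in this hunk and need checking. At minimum the macro should carry `/* requires current->mm != NULL */`. The `- 8` added to `.sp0` in `INIT_THREAD` is repeated in `INIT_TSS` in the next hunk, and a named constant shared by both would keep the two values from drifting apart.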
11107 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
11108 */
11109 #define INIT_TSS { \
11110 .x86_tss = { \
11111 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11112 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11113 .ss0 = __KERNEL_DS, \
11114 .ss1 = __KERNEL_CS, \
11115 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
11116 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
11117 extern unsigned long thread_saved_pc(struct task_struct *tsk);
11118
11119 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
11120 -#define KSTK_TOP(info) \
11121 -({ \
11122 - unsigned long *__ptr = (unsigned long *)(info); \
11123 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
11124 -})
11125 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
11126
11127 /*
11128 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
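Review bot: `KSTK_TOP(info)` silently changes what its argument must be: the old macro accepted any pointer to the base of the stack area, while the new one requires a pointer to the `tinfo` member embedded in a `task_struct`. A caller that still passes a stack page, as the removed `task_pt_regs` line in the next hunk did with `task_stack_page(task)`, will most likely still compile, because a `void *` converts implicitly inside `container_of`, and would then read `thread.sp0` from unrelated memory. A comment such as `/* info must point at task_struct.tinfo, not at the stack page */` is needed, and the remaining callers should be audited. The trailing comment "The below -8 is to reserve 8 bytes" no longer matches `task_pt_regs`, which after this patch reads `thread.sp0` directly.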
11129 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
11130 #define task_pt_regs(task) \
11131 ({ \
11132 struct pt_regs *__regs__; \
11133 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
11134 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
11135 __regs__ - 1; \
11136 })
11137
11138 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
11139 /*
11140 * User space process size. 47bits minus one guard page.
11141 */
11142 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
11143 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
11144
11145 /* This decides where the kernel will search for a free chunk of vm
11146 * space during mmap's.
11147 */
11148 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
11149 - 0xc0000000 : 0xFFFFe000)
11150 + 0xc0000000 : 0xFFFFf000)
11151
11152 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
11153 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
11154 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
11155 #define STACK_TOP_MAX TASK_SIZE_MAX
11156
11157 #define INIT_THREAD { \
11158 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11159 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11160 }
11161
11162 #define INIT_TSS { \
11163 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11164 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11165 }
11166
11167 /*
11168 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
11169 */
11170 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
11171
11172 +#ifdef CONFIG_PAX_SEGMEXEC
11173 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
11174 +#endif
11175 +
11176 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
11177
11178 /* Get/set a process' ability to use the timestamp counter instruction */
11179 diff -urNp linux-2.6.39.3/arch/x86/include/asm/ptrace.h linux-2.6.39.3/arch/x86/include/asm/ptrace.h
11180 --- linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400
11181 +++ linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400
11182 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
11183 }
11184
11185 /*
11186 - * user_mode_vm(regs) determines whether a register set came from user mode.
11187 + * user_mode(regs) determines whether a register set came from user mode.
11188 * This is true if V8086 mode was enabled OR if the register set was from
11189 * protected mode with RPL-3 CS value. This tricky test checks that with
11190 * one comparison. Many places in the kernel can bypass this full check
11191 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
11192 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
11193 + * be used.
11194 */
11195 -static inline int user_mode(struct pt_regs *regs)
11196 +static inline int user_mode_novm(struct pt_regs *regs)
11197 {
11198 #ifdef CONFIG_X86_32
11199 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
11200 #else
11201 - return !!(regs->cs & 3);
11202 + return !!(regs->cs & SEGMENT_RPL_MASK);
11203 #endif
11204 }
11205
11206 -static inline int user_mode_vm(struct pt_regs *regs)
11207 +static inline int user_mode(struct pt_regs *regs)
11208 {
11209 #ifdef CONFIG_X86_32
11210 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
11211 USER_RPL;
11212 #else
11213 - return user_mode(regs);
11214 + return user_mode_novm(regs);
11215 #endif
11216 }
11217
11218 diff -urNp linux-2.6.39.3/arch/x86/include/asm/reboot.h linux-2.6.39.3/arch/x86/include/asm/reboot.h
11219 --- linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400
11220 +++ linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400
11221 @@ -6,19 +6,19 @@
11222 struct pt_regs;
11223
11224 struct machine_ops {
11225 - void (*restart)(char *cmd);
11226 - void (*halt)(void);
11227 - void (*power_off)(void);
11228 + void (* __noreturn restart)(char *cmd);
11229 + void (* __noreturn halt)(void);
11230 + void (* __noreturn power_off)(void);
11231 void (*shutdown)(void);
11232 void (*crash_shutdown)(struct pt_regs *);
11233 - void (*emergency_restart)(void);
11234 + void (* __noreturn emergency_restart)(void);
11235 };
11236
11237 extern struct machine_ops machine_ops;
11238
11239 void native_machine_crash_shutdown(struct pt_regs *regs);
11240 void native_machine_shutdown(void);
11241 -void machine_real_restart(unsigned int type);
11242 +void machine_real_restart(unsigned int type) __noreturn;
11243 /* These must match dispatch_table in reboot_32.S */
11244 #define MRR_BIOS 0
11245 #define MRR_APM 1
11246 diff -urNp linux-2.6.39.3/arch/x86/include/asm/rwsem.h linux-2.6.39.3/arch/x86/include/asm/rwsem.h
11247 --- linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400
11248 +++ linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400
11249 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
11250 {
11251 asm volatile("# beginning down_read\n\t"
11252 LOCK_PREFIX _ASM_INC "(%1)\n\t"
11253 +
11254 +#ifdef CONFIG_PAX_REFCOUNT
11255 + "jno 0f\n"
11256 + LOCK_PREFIX _ASM_DEC "(%1)\n"
11257 + "int $4\n0:\n"
11258 + _ASM_EXTABLE(0b, 0b)
11259 +#endif
11260 +
11261 /* adds 0x00000001 */
11262 " jns 1f\n"
11263 " call call_rwsem_down_read_failed\n"
11264 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
11265 "1:\n\t"
11266 " mov %1,%2\n\t"
11267 " add %3,%2\n\t"
11268 +
11269 +#ifdef CONFIG_PAX_REFCOUNT
11270 + "jno 0f\n"
11271 + "sub %3,%2\n"
11272 + "int $4\n0:\n"
11273 + _ASM_EXTABLE(0b, 0b)
11274 +#endif
11275 +
11276 " jle 2f\n\t"
11277 LOCK_PREFIX " cmpxchg %2,%0\n\t"
11278 " jnz 1b\n\t"
11279 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
11280 long tmp;
11281 asm volatile("# beginning down_write\n\t"
11282 LOCK_PREFIX " xadd %1,(%2)\n\t"
11283 +
11284 +#ifdef CONFIG_PAX_REFCOUNT
11285 + "jno 0f\n"
11286 + "mov %1,(%2)\n"
11287 + "int $4\n0:\n"
11288 + _ASM_EXTABLE(0b, 0b)
11289 +#endif
11290 +
11291 /* adds 0xffff0001, returns the old value */
11292 " test %1,%1\n\t"
11293 /* was the count 0 before? */
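Review bot: The overflow rollback added here, `mov %1,(%2)`, is a plain store of the pre-`xadd` value, so it is not atomic with respect to other CPUs: an update to the count made between the `lock xadd` and the `mov` is overwritten. The same pattern appears in the `__up_read`, `__up_write` and `rwsem_atomic_update` hunks (`mov %0,%1` in the last one), whereas `__down_read`, `__downgrade_write` and `rwsem_atomic_add` undo with a `LOCK`-prefixed inverse operation. If the non-atomic restore is intentional because the path ends in `int $4`, a comment saying so belongs at this first occurrence; otherwise a locked compensating update would keep the count consistent. The function body starts and ends outside the hunk.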
11294 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
11295 long tmp;
11296 asm volatile("# beginning __up_read\n\t"
11297 LOCK_PREFIX " xadd %1,(%2)\n\t"
11298 +
11299 +#ifdef CONFIG_PAX_REFCOUNT
11300 + "jno 0f\n"
11301 + "mov %1,(%2)\n"
11302 + "int $4\n0:\n"
11303 + _ASM_EXTABLE(0b, 0b)
11304 +#endif
11305 +
11306 /* subtracts 1, returns the old value */
11307 " jns 1f\n\t"
11308 " call call_rwsem_wake\n" /* expects old value in %edx */
11309 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
11310 long tmp;
11311 asm volatile("# beginning __up_write\n\t"
11312 LOCK_PREFIX " xadd %1,(%2)\n\t"
11313 +
11314 +#ifdef CONFIG_PAX_REFCOUNT
11315 + "jno 0f\n"
11316 + "mov %1,(%2)\n"
11317 + "int $4\n0:\n"
11318 + _ASM_EXTABLE(0b, 0b)
11319 +#endif
11320 +
11321 /* subtracts 0xffff0001, returns the old value */
11322 " jns 1f\n\t"
11323 " call call_rwsem_wake\n" /* expects old value in %edx */
11324 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
11325 {
11326 asm volatile("# beginning __downgrade_write\n\t"
11327 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11328 +
11329 +#ifdef CONFIG_PAX_REFCOUNT
11330 + "jno 0f\n"
11331 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11332 + "int $4\n0:\n"
11333 + _ASM_EXTABLE(0b, 0b)
11334 +#endif
11335 +
11336 /*
11337 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11338 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11339 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
11340 */
11341 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
11342 {
11343 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11344 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11345 +
11346 +#ifdef CONFIG_PAX_REFCOUNT
11347 + "jno 0f\n"
11348 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
11349 + "int $4\n0:\n"
11350 + _ASM_EXTABLE(0b, 0b)
11351 +#endif
11352 +
11353 : "+m" (sem->count)
11354 : "er" (delta));
11355 }
11356 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
11357 {
11358 long tmp = delta;
11359
11360 - asm volatile(LOCK_PREFIX "xadd %0,%1"
11361 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11362 +
11363 +#ifdef CONFIG_PAX_REFCOUNT
11364 + "jno 0f\n"
11365 + "mov %0,%1\n"
11366 + "int $4\n0:\n"
11367 + _ASM_EXTABLE(0b, 0b)
11368 +#endif
11369 +
11370 : "+r" (tmp), "+m" (sem->count)
11371 : : "memory");
11372
11373 diff -urNp linux-2.6.39.3/arch/x86/include/asm/segment.h linux-2.6.39.3/arch/x86/include/asm/segment.h
11374 --- linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400
11375 +++ linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400
11376 @@ -64,8 +64,8 @@
11377 * 26 - ESPFIX small SS
11378 * 27 - per-cpu [ offset to per-cpu data area ]
11379 * 28 - stack_canary-20 [ for stack protector ]
11380 - * 29 - unused
11381 - * 30 - unused
11382 + * 29 - PCI BIOS CS
11383 + * 30 - PCI BIOS DS
11384 * 31 - TSS for double fault handler
11385 */
11386 #define GDT_ENTRY_TLS_MIN 6
11387 @@ -79,6 +79,8 @@
11388
11389 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
11390
11391 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11392 +
11393 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
11394
11395 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
11396 @@ -104,6 +106,12 @@
11397 #define __KERNEL_STACK_CANARY 0
11398 #endif
11399
11400 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
11401 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11402 +
11403 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
11404 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11405 +
11406 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11407
11408 /*
11409 @@ -141,7 +149,7 @@
11410 */
11411
11412 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11413 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11414 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11415
11416
11417 #else
11418 @@ -165,6 +173,8 @@
11419 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11420 #define __USER32_DS __USER_DS
11421
11422 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11423 +
11424 #define GDT_ENTRY_TSS 8 /* needs two entries */
11425 #define GDT_ENTRY_LDT 10 /* needs two entries */
11426 #define GDT_ENTRY_TLS_MIN 12
11427 @@ -185,6 +195,7 @@
11428 #endif
11429
11430 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
11431 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
11432 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
11433 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
11434 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
11435 diff -urNp linux-2.6.39.3/arch/x86/include/asm/smp.h linux-2.6.39.3/arch/x86/include/asm/smp.h
11436 --- linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400
11437 +++ linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400
11438 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
11439 /* cpus sharing the last level cache: */
11440 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
11441 DECLARE_PER_CPU(u16, cpu_llc_id);
11442 -DECLARE_PER_CPU(int, cpu_number);
11443 +DECLARE_PER_CPU(unsigned int, cpu_number);
11444
11445 static inline struct cpumask *cpu_sibling_mask(int cpu)
11446 {
11447 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
11448 extern int safe_smp_processor_id(void);
11449
11450 #elif defined(CONFIG_X86_64_SMP)
11451 -#define raw_smp_processor_id() (percpu_read(cpu_number))
11452 -
11453 -#define stack_smp_processor_id() \
11454 -({ \
11455 - struct thread_info *ti; \
11456 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11457 - ti->cpu; \
11458 -})
11459 +#define raw_smp_processor_id() (percpu_read(cpu_number))
11460 +#define stack_smp_processor_id() raw_smp_processor_id()
11461 #define safe_smp_processor_id() smp_processor_id()
11462
11463 #endif
11464 diff -urNp linux-2.6.39.3/arch/x86/include/asm/spinlock.h linux-2.6.39.3/arch/x86/include/asm/spinlock.h
11465 --- linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
11466 +++ linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
11467 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
11468 static inline void arch_read_lock(arch_rwlock_t *rw)
11469 {
11470 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11471 +
11472 +#ifdef CONFIG_PAX_REFCOUNT
11473 + "jno 0f\n"
11474 + LOCK_PREFIX " addl $1,(%0)\n"
11475 + "int $4\n0:\n"
11476 + _ASM_EXTABLE(0b, 0b)
11477 +#endif
11478 +
11479 "jns 1f\n"
11480 "call __read_lock_failed\n\t"
11481 "1:\n"
11482 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
11483 static inline void arch_write_lock(arch_rwlock_t *rw)
11484 {
11485 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11486 +
11487 +#ifdef CONFIG_PAX_REFCOUNT
11488 + "jno 0f\n"
11489 + LOCK_PREFIX " addl %1,(%0)\n"
11490 + "int $4\n0:\n"
11491 + _ASM_EXTABLE(0b, 0b)
11492 +#endif
11493 +
11494 "jz 1f\n"
11495 "call __write_lock_failed\n\t"
11496 "1:\n"
11497 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
11498
11499 static inline void arch_read_unlock(arch_rwlock_t *rw)
11500 {
11501 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11502 + asm volatile(LOCK_PREFIX "incl %0\n"
11503 +
11504 +#ifdef CONFIG_PAX_REFCOUNT
11505 + "jno 0f\n"
11506 + LOCK_PREFIX "decl %0\n"
11507 + "int $4\n0:\n"
11508 + _ASM_EXTABLE(0b, 0b)
11509 +#endif
11510 +
11511 + :"+m" (rw->lock) : : "memory");
11512 }
11513
11514 static inline void arch_write_unlock(arch_rwlock_t *rw)
11515 {
11516 - asm volatile(LOCK_PREFIX "addl %1, %0"
11517 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
11518 +
11519 +#ifdef CONFIG_PAX_REFCOUNT
11520 + "jno 0f\n"
11521 + LOCK_PREFIX "subl %1, %0\n"
11522 + "int $4\n0:\n"
11523 + _ASM_EXTABLE(0b, 0b)
11524 +#endif
11525 +
11526 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11527 }
11528
11529 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stackprotector.h linux-2.6.39.3/arch/x86/include/asm/stackprotector.h
11530 --- linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400
11531 +++ linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-07-06 20:00:13.000000000 -0400
11532 @@ -48,7 +48,7 @@
11533 * head_32 for boot CPU and setup_per_cpu_areas() for others.
11534 */
11535 #define GDT_STACK_CANARY_INIT \
11536 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
11537 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
11538
11539 /*
11540 * Initialize the stackprotector canary value.
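Review bot: The limit argument of `GDT_ENTRY_INIT` changes from `0x18` to `0x17` with no comment, and the reason is not obvious from the line itself. A segment limit is the highest valid offset, so `0x17` ends the segment exactly at the last byte of a 4-byte canary at offset 20, which appears to be the intent given the "stack_canary-20" entry in the GDT layout comment in segment.h. I would add `/* limit 0x17: last byte of the 4-byte canary at %gs:20 */` next to the initializer so the value is not "corrected" back later.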
11541 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11542
11543 static inline void load_stack_canary_segment(void)
11544 {
11545 -#ifdef CONFIG_X86_32
11546 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11547 asm volatile ("mov %0, %%gs" : : "r" (0));
11548 #endif
11549 }
11550 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stacktrace.h linux-2.6.39.3/arch/x86/include/asm/stacktrace.h
11551 --- linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400
11552 +++ linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400
11553 @@ -11,28 +11,20 @@
11554
11555 extern int kstack_depth_to_print;
11556
11557 -struct thread_info;
11558 +struct task_struct;
11559 struct stacktrace_ops;
11560
11561 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
11562 - unsigned long *stack,
11563 - unsigned long bp,
11564 - const struct stacktrace_ops *ops,
11565 - void *data,
11566 - unsigned long *end,
11567 - int *graph);
11568 -
11569 -extern unsigned long
11570 -print_context_stack(struct thread_info *tinfo,
11571 - unsigned long *stack, unsigned long bp,
11572 - const struct stacktrace_ops *ops, void *data,
11573 - unsigned long *end, int *graph);
11574 -
11575 -extern unsigned long
11576 -print_context_stack_bp(struct thread_info *tinfo,
11577 - unsigned long *stack, unsigned long bp,
11578 - const struct stacktrace_ops *ops, void *data,
11579 - unsigned long *end, int *graph);
11580 +typedef unsigned long walk_stack_t(struct task_struct *task,
11581 + void *stack_start,
11582 + unsigned long *stack,
11583 + unsigned long bp,
11584 + const struct stacktrace_ops *ops,
11585 + void *data,
11586 + unsigned long *end,
11587 + int *graph);
11588 +
11589 +extern walk_stack_t print_context_stack;
11590 +extern walk_stack_t print_context_stack_bp;
11591
11592 /* Generic stack tracer with callbacks */
11593
11594 @@ -43,7 +35,7 @@ struct stacktrace_ops {
11595 void (*address)(void *data, unsigned long address, int reliable);
11596 /* On negative return stop dumping */
11597 int (*stack)(void *data, char *name);
11598 - walk_stack_t walk_stack;
11599 + walk_stack_t *walk_stack;
11600 };
11601
11602 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
11603 diff -urNp linux-2.6.39.3/arch/x86/include/asm/system.h linux-2.6.39.3/arch/x86/include/asm/system.h
11604 --- linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
11605 +++ linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
11606 @@ -129,7 +129,7 @@ do { \
11607 "call __switch_to\n\t" \
11608 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11609 __switch_canary \
11610 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
11611 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11612 "movq %%rax,%%rdi\n\t" \
11613 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11614 "jnz ret_from_fork\n\t" \
11615 @@ -140,7 +140,7 @@ do { \
11616 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11617 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11618 [_tif_fork] "i" (_TIF_FORK), \
11619 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
11620 + [thread_info] "m" (current_tinfo), \
11621 [current_task] "m" (current_task) \
11622 __switch_canary_iparam \
11623 : "memory", "cc" __EXTRA_CLOBBER)
11624 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11625 {
11626 unsigned long __limit;
11627 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11628 - return __limit + 1;
11629 + return __limit;
11630 }
11631
11632 static inline void native_clts(void)
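Review bot: `get_limit()` now returns the raw `lsl` result, which is the highest valid offset in the segment, instead of the size (`__limit + 1`), and nothing in the function says so. Any caller that still treats the return value as a byte count is off by one after this change; the callers are not in this hunk and need auditing. I would add above the function `/* returns the segment limit (highest valid offset), not the segment size */`. The function's signature lies outside the hunk.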
11633 @@ -340,12 +340,12 @@ void enable_hlt(void);
11634
11635 void cpu_idle_wait(void);
11636
11637 -extern unsigned long arch_align_stack(unsigned long sp);
11638 +#define arch_align_stack(x) ((x) & ~0xfUL)
11639 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11640
11641 void default_idle(void);
11642
11643 -void stop_this_cpu(void *dummy);
11644 +void stop_this_cpu(void *dummy) __noreturn;
11645
11646 /*
11647 * Force strict CPU ordering.
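Review bot: `arch_align_stack` becomes a function-like macro, `((x) & ~0xfUL)`, which drops the prototype's type checking and reduces it to a pure 16-byte alignment. If the out-of-line version did more than align (its body is not visible here), that behaviour is removed for every caller, and a comment stating that this is intended would settle the question. `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` gives the same result while keeping the argument type checked.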
11648 diff -urNp linux-2.6.39.3/arch/x86/include/asm/thread_info.h linux-2.6.39.3/arch/x86/include/asm/thread_info.h
11649 --- linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400
11650 +++ linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400
11651 @@ -10,6 +10,7 @@
11652 #include <linux/compiler.h>
11653 #include <asm/page.h>
11654 #include <asm/types.h>
11655 +#include <asm/percpu.h>
11656
11657 /*
11658 * low level task data that entry.S needs immediate access to
11659 @@ -24,7 +25,6 @@ struct exec_domain;
11660 #include <asm/atomic.h>
11661
11662 struct thread_info {
11663 - struct task_struct *task; /* main task structure */
11664 struct exec_domain *exec_domain; /* execution domain */
11665 __u32 flags; /* low level flags */
11666 __u32 status; /* thread synchronous flags */
11667 @@ -34,18 +34,12 @@ struct thread_info {
11668 mm_segment_t addr_limit;
11669 struct restart_block restart_block;
11670 void __user *sysenter_return;
11671 -#ifdef CONFIG_X86_32
11672 - unsigned long previous_esp; /* ESP of the previous stack in
11673 - case of nested (IRQ) stacks
11674 - */
11675 - __u8 supervisor_stack[0];
11676 -#endif
11677 + unsigned long lowest_stack;
11678 int uaccess_err;
11679 };
11680
11681 -#define INIT_THREAD_INFO(tsk) \
11682 +#define INIT_THREAD_INFO \
11683 { \
11684 - .task = &tsk, \
11685 .exec_domain = &default_exec_domain, \
11686 .flags = 0, \
11687 .cpu = 0, \
11688 @@ -56,7 +50,7 @@ struct thread_info {
11689 }, \
11690 }
11691
11692 -#define init_thread_info (init_thread_union.thread_info)
11693 +#define init_thread_info (init_thread_union.stack)
11694 #define init_stack (init_thread_union.stack)
11695
11696 #else /* !__ASSEMBLY__ */
11697 @@ -170,6 +164,23 @@ struct thread_info {
11698 ret; \
11699 })
11700
11701 +#ifdef __ASSEMBLY__
11702 +/* how to get the thread information struct from ASM */
11703 +#define GET_THREAD_INFO(reg) \
11704 + mov PER_CPU_VAR(current_tinfo), reg
11705 +
11706 +/* use this one if reg already contains %esp */
11707 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11708 +#else
11709 +/* how to get the thread information struct from C */
11710 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11711 +
11712 +static __always_inline struct thread_info *current_thread_info(void)
11713 +{
11714 + return percpu_read_stable(current_tinfo);
11715 +}
11716 +#endif
11717 +
11718 #ifdef CONFIG_X86_32
11719
11720 #define STACK_WARN (THREAD_SIZE/8)
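Review bot: The comment carried over above `GET_THREAD_INFO_WITH_ESP` (`use this one if reg already contains %esp`) no longer describes the macro. It now expands to `GET_THREAD_INFO(reg)`, which loads the per-CPU `current_tinfo` pointer into `reg` and ignores whatever the register held. Suggest rewording it to something like `/* kept for existing callers; reg's incoming value is ignored */`. A line next to `DECLARE_PER_CPU(struct thread_info *, current_tinfo)` stating who is responsible for keeping the pointer current would also help, since `current_thread_info()` no longer derives its result from the stack pointer.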
11721 @@ -180,35 +191,13 @@ struct thread_info {
11722 */
11723 #ifndef __ASSEMBLY__
11724
11725 -
11726 /* how to get the current stack pointer from C */
11727 register unsigned long current_stack_pointer asm("esp") __used;
11728
11729 -/* how to get the thread information struct from C */
11730 -static inline struct thread_info *current_thread_info(void)
11731 -{
11732 - return (struct thread_info *)
11733 - (current_stack_pointer & ~(THREAD_SIZE - 1));
11734 -}
11735 -
11736 -#else /* !__ASSEMBLY__ */
11737 -
11738 -/* how to get the thread information struct from ASM */
11739 -#define GET_THREAD_INFO(reg) \
11740 - movl $-THREAD_SIZE, reg; \
11741 - andl %esp, reg
11742 -
11743 -/* use this one if reg already contains %esp */
11744 -#define GET_THREAD_INFO_WITH_ESP(reg) \
11745 - andl $-THREAD_SIZE, reg
11746 -
11747 #endif
11748
11749 #else /* X86_32 */
11750
11751 -#include <asm/percpu.h>
11752 -#define KERNEL_STACK_OFFSET (5*8)
11753 -
11754 /*
11755 * macros/functions for gaining access to the thread information structure
11756 * preempt_count needs to be 1 initially, until the scheduler is functional.
11757 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
11758 #ifndef __ASSEMBLY__
11759 DECLARE_PER_CPU(unsigned long, kernel_stack);
11760
11761 -static inline struct thread_info *current_thread_info(void)
11762 -{
11763 - struct thread_info *ti;
11764 - ti = (void *)(percpu_read_stable(kernel_stack) +
11765 - KERNEL_STACK_OFFSET - THREAD_SIZE);
11766 - return ti;
11767 -}
11768 -
11769 -#else /* !__ASSEMBLY__ */
11770 -
11771 -/* how to get the thread information struct from ASM */
11772 -#define GET_THREAD_INFO(reg) \
11773 - movq PER_CPU_VAR(kernel_stack),reg ; \
11774 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11775 -
11776 +/* how to get the current stack pointer from C */
11777 +register unsigned long current_stack_pointer asm("rsp") __used;
11778 #endif
11779
11780 #endif /* !X86_32 */
11781 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
11782 extern void free_thread_info(struct thread_info *ti);
11783 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11784 #define arch_task_cache_init arch_task_cache_init
11785 +
11786 +#define __HAVE_THREAD_FUNCTIONS
11787 +#define task_thread_info(task) (&(task)->tinfo)
11788 +#define task_stack_page(task) ((task)->stack)
11789 +#define setup_thread_stack(p, org) do {} while (0)
11790 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11791 +
11792 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11793 +extern struct task_struct *alloc_task_struct_node(int node);
11794 +extern void free_task_struct(struct task_struct *);
11795 +
11796 #endif
11797 #endif /* _ASM_X86_THREAD_INFO_H */
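Review bot: `end_of_stack(p)` is defined as one `unsigned long` past `task_stack_page(p)` with no explanation of the `+ 1`, and `setup_thread_stack()` becomes a no-op without saying why. Since `task_thread_info()` now points at `(task)->tinfo` rather than into the stack page, a short comment above `setup_thread_stack` would help, e.g. `/* thread_info lives in task_struct (tinfo), nothing to copy into the new stack */`. A second line should state which word `end_of_stack` is meant to address. The `tinfo` member is declared outside this hunk.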
11798 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h
11799 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
11800 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
11801 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11802 static __always_inline unsigned long __must_check
11803 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11804 {
11805 + pax_track_stack();
11806 +
11807 + if ((long)n < 0)
11808 + return n;
11809 +
11810 if (__builtin_constant_p(n)) {
11811 unsigned long ret;
11812
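Review bot: The `if ((long)n < 0) return n;` guard added at the top of `__copy_to_user_inatomic` has no comment, and the same pattern recurs in the later hunks of this file and, as `(int)size < 0`, throughout uaccess_64.h. It treats any length with the top bit set as invalid and reports the whole request as uncopied, which is a reasonable defence against underflowed sizes but is not obvious from the cast alone. Suggest a one-line comment such as `/* a length with the sign bit set is almost certainly an underflowed size: copy nothing */`, or a small shared helper so the check is written once. On this exit the destination is left untouched, so callers have to honour the return value.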
11813 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11814 return ret;
11815 }
11816 }
11817 + if (!__builtin_constant_p(n))
11818 + check_object_size(from, n, true);
11819 return __copy_to_user_ll(to, from, n);
11820 }
11821
11822 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11823 __copy_to_user(void __user *to, const void *from, unsigned long n)
11824 {
11825 might_fault();
11826 +
11827 return __copy_to_user_inatomic(to, from, n);
11828 }
11829
11830 static __always_inline unsigned long
11831 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11832 {
11833 + if ((long)n < 0)
11834 + return n;
11835 +
11836 /* Avoid zeroing the tail if the copy fails..
11837 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11838 * but as the zeroing behaviour is only significant when n is not
11839 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11840 __copy_from_user(void *to, const void __user *from, unsigned long n)
11841 {
11842 might_fault();
11843 +
11844 + pax_track_stack();
11845 +
11846 + if ((long)n < 0)
11847 + return n;
11848 +
11849 if (__builtin_constant_p(n)) {
11850 unsigned long ret;
11851
11852 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11853 return ret;
11854 }
11855 }
11856 + if (!__builtin_constant_p(n))
11857 + check_object_size(to, n, false);
11858 return __copy_from_user_ll(to, from, n);
11859 }
11860
11861 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11862 const void __user *from, unsigned long n)
11863 {
11864 might_fault();
11865 +
11866 + if ((long)n < 0)
11867 + return n;
11868 +
11869 if (__builtin_constant_p(n)) {
11870 unsigned long ret;
11871
11872 @@ -182,15 +205,19 @@ static __always_inline unsigned long
11873 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11874 unsigned long n)
11875 {
11876 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11877 -}
11878 + if ((long)n < 0)
11879 + return n;
11880
11881 -unsigned long __must_check copy_to_user(void __user *to,
11882 - const void *from, unsigned long n);
11883 -unsigned long __must_check _copy_from_user(void *to,
11884 - const void __user *from,
11885 - unsigned long n);
11886 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11887 +}
11888
11889 +extern void copy_to_user_overflow(void)
11890 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11891 + __compiletime_error("copy_to_user() buffer size is not provably correct")
11892 +#else
11893 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
11894 +#endif
11895 +;
11896
11897 extern void copy_from_user_overflow(void)
11898 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11899 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
11900 #endif
11901 ;
11902
11903 -static inline unsigned long __must_check copy_from_user(void *to,
11904 - const void __user *from,
11905 - unsigned long n)
11906 +/**
11907 + * copy_to_user: - Copy a block of data into user space.
11908 + * @to: Destination address, in user space.
11909 + * @from: Source address, in kernel space.
11910 + * @n: Number of bytes to copy.
11911 + *
11912 + * Context: User context only. This function may sleep.
11913 + *
11914 + * Copy data from kernel space to user space.
11915 + *
11916 + * Returns number of bytes that could not be copied.
11917 + * On success, this will be zero.
11918 + */
11919 +static inline unsigned long __must_check
11920 +copy_to_user(void __user *to, const void *from, unsigned long n)
11921 +{
11922 + int sz = __compiletime_object_size(from);
11923 +
11924 + if (unlikely(sz != -1 && sz < n))
11925 + copy_to_user_overflow();
11926 + else if (access_ok(VERIFY_WRITE, to, n))
11927 + n = __copy_to_user(to, from, n);
11928 + return n;
11929 +}
11930 +
11931 +/**
11932 + * copy_from_user: - Copy a block of data from user space.
11933 + * @to: Destination address, in kernel space.
11934 + * @from: Source address, in user space.
11935 + * @n: Number of bytes to copy.
11936 + *
11937 + * Context: User context only. This function may sleep.
11938 + *
11939 + * Copy data from user space to kernel space.
11940 + *
11941 + * Returns number of bytes that could not be copied.
11942 + * On success, this will be zero.
11943 + *
11944 + * If some data could not be copied, this function will pad the copied
11945 + * data to the requested size using zero bytes.
11946 + */
11947 +static inline unsigned long __must_check
11948 +copy_from_user(void *to, const void __user *from, unsigned long n)
11949 {
11950 int sz = __compiletime_object_size(to);
11951
11952 - if (likely(sz == -1 || sz >= n))
11953 - n = _copy_from_user(to, from, n);
11954 - else
11955 + if (unlikely(sz != -1 && sz < n))
11956 copy_from_user_overflow();
11957 -
11958 + else if (access_ok(VERIFY_READ, from, n))
11959 + n = __copy_from_user(to, from, n);
11960 + else if ((long)n > 0) {
11961 + if (!__builtin_constant_p(n))
11962 + check_object_size(to, n, false);
11963 + memset(to, 0, n);
11964 + }
11965 return n;
11966 }
11967
11968 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h
11969 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
11970 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
11971 @@ -11,6 +11,9 @@
11972 #include <asm/alternative.h>
11973 #include <asm/cpufeature.h>
11974 #include <asm/page.h>
11975 +#include <asm/pgtable.h>
11976 +
11977 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11978
11979 /*
11980 * Copy To/From Userspace
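Review bot: This `set_fs()` definition duplicates the one in asm/uaccess.h. That header's `#else` branch (every configuration except X86_32 with PAX_MEMORY_UDEREF) expands to the same text, and it includes this header afterwards. An identical redefinition compiles, but two copies of the macro that writes `addr_limit` can drift apart without any diagnostic. If the copy is needed for include ordering, a comment naming that reason should sit next to it; otherwise it can be dropped.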
11981 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
11982 return ret;
11983 }
11984
11985 -__must_check unsigned long
11986 -_copy_to_user(void __user *to, const void *from, unsigned len);
11987 -__must_check unsigned long
11988 -_copy_from_user(void *to, const void __user *from, unsigned len);
11989 +static __always_inline __must_check unsigned long
11990 +__copy_to_user(void __user *to, const void *from, unsigned len);
11991 +static __always_inline __must_check unsigned long
11992 +__copy_from_user(void *to, const void __user *from, unsigned len);
11993 __must_check unsigned long
11994 copy_in_user(void __user *to, const void __user *from, unsigned len);
11995
11996 static inline unsigned long __must_check copy_from_user(void *to,
11997 const void __user *from,
11998 - unsigned long n)
11999 + unsigned n)
12000 {
12001 - int sz = __compiletime_object_size(to);
12002 -
12003 might_fault();
12004 - if (likely(sz == -1 || sz >= n))
12005 - n = _copy_from_user(to, from, n);
12006 -#ifdef CONFIG_DEBUG_VM
12007 - else
12008 - WARN(1, "Buffer overflow detected!\n");
12009 -#endif
12010 +
12011 + if (access_ok(VERIFY_READ, from, n))
12012 + n = __copy_from_user(to, from, n);
12013 + else if ((int)n > 0) {
12014 + if (!__builtin_constant_p(n))
12015 + check_object_size(to, n, false);
12016 + memset(to, 0, n);
12017 + }
12018 return n;
12019 }
12020
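Review bot: On the `access_ok()` failure path `copy_from_user` now runs `memset(to, 0, n)` without the compile-time bound that the removed `sz == -1 || sz >= n` test provided. `check_object_size()` is only called when `n` is not a compile-time constant, and the `sz` check that moved into `__copy_from_user` is never reached on this branch, so a constant `n` larger than the destination object would be zeroed past its end. Keeping `int sz = __compiletime_object_size(to);` in the wrapper and guarding the branch with `else if ((int)n > 0 && (sz == -1 || sz >= n)) {` restores the bound. That matches the uaccess_32.h version, which tests `sz` before anything is written.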
12021 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
12022 {
12023 might_fault();
12024
12025 - return _copy_to_user(dst, src, size);
12026 + if (access_ok(VERIFY_WRITE, dst, size))
12027 + size = __copy_to_user(dst, src, size);
12028 + return size;
12029 }
12030
12031 static __always_inline __must_check
12032 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
12033 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
12034 {
12035 - int ret = 0;
12036 + int sz = __compiletime_object_size(dst);
12037 + unsigned ret = 0;
12038
12039 might_fault();
12040 - if (!__builtin_constant_p(size))
12041 - return copy_user_generic(dst, (__force void *)src, size);
12042 +
12043 + pax_track_stack();
12044 +
12045 + if ((int)size < 0)
12046 + return size;
12047 +
12048 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12049 + if (!__access_ok(VERIFY_READ, src, size))
12050 + return size;
12051 +#endif
12052 +
12053 + if (unlikely(sz != -1 && sz < size)) {
12054 +#ifdef CONFIG_DEBUG_VM
12055 + WARN(1, "Buffer overflow detected!\n");
12056 +#endif
12057 + return size;
12058 + }
12059 +
12060 + if (!__builtin_constant_p(size)) {
12061 + check_object_size(dst, size, false);
12062 +
12063 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12064 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12065 + src += PAX_USER_SHADOW_BASE;
12066 +#endif
12067 +
12068 + return copy_user_generic(dst, (__force const void *)src, size);
12069 + }
12070 switch (size) {
12071 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
12072 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
12073 ret, "b", "b", "=q", 1);
12074 return ret;
12075 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
12076 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
12077 ret, "w", "w", "=r", 2);
12078 return ret;
12079 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
12080 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
12081 ret, "l", "k", "=r", 4);
12082 return ret;
12083 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
12084 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12085 ret, "q", "", "=r", 8);
12086 return ret;
12087 case 10:
12088 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12089 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12090 ret, "q", "", "=r", 10);
12091 if (unlikely(ret))
12092 return ret;
12093 __get_user_asm(*(u16 *)(8 + (char *)dst),
12094 - (u16 __user *)(8 + (char __user *)src),
12095 + (const u16 __user *)(8 + (const char __user *)src),
12096 ret, "w", "w", "=r", 2);
12097 return ret;
12098 case 16:
12099 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12100 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12101 ret, "q", "", "=r", 16);
12102 if (unlikely(ret))
12103 return ret;
12104 __get_user_asm(*(u64 *)(8 + (char *)dst),
12105 - (u64 __user *)(8 + (char __user *)src),
12106 + (const u64 __user *)(8 + (const char __user *)src),
12107 ret, "q", "", "=r", 8);
12108 return ret;
12109 default:
12110 - return copy_user_generic(dst, (__force void *)src, size);
12111 +
12112 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12113 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12114 + src += PAX_USER_SHADOW_BASE;
12115 +#endif
12116 +
12117 + return copy_user_generic(dst, (__force const void *)src, size);
12118 }
12119 }
12120
12121 static __always_inline __must_check
12122 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
12123 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
12124 {
12125 - int ret = 0;
12126 + int sz = __compiletime_object_size(src);
12127 + unsigned ret = 0;
12128
12129 might_fault();
12130 - if (!__builtin_constant_p(size))
12131 +
12132 + pax_track_stack();
12133 +
12134 + if ((int)size < 0)
12135 + return size;
12136 +
12137 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12138 + if (!__access_ok(VERIFY_WRITE, dst, size))
12139 + return size;
12140 +#endif
12141 +
12142 + if (unlikely(sz != -1 && sz < size)) {
12143 +#ifdef CONFIG_DEBUG_VM
12144 + WARN(1, "Buffer overflow detected!\n");
12145 +#endif
12146 + return size;
12147 + }
12148 +
12149 + if (!__builtin_constant_p(size)) {
12150 + check_object_size(src, size, true);
12151 +
12152 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12153 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12154 + dst += PAX_USER_SHADOW_BASE;
12155 +#endif
12156 +
12157 return copy_user_generic((__force void *)dst, src, size);
12158 + }
12159 switch (size) {
12160 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
12161 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
12162 ret, "b", "b", "iq", 1);
12163 return ret;
12164 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
12165 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
12166 ret, "w", "w", "ir", 2);
12167 return ret;
12168 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
12169 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
12170 ret, "l", "k", "ir", 4);
12171 return ret;
12172 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
12173 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12174 ret, "q", "", "er", 8);
12175 return ret;
12176 case 10:
12177 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12178 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12179 ret, "q", "", "er", 10);
12180 if (unlikely(ret))
12181 return ret;
12182 asm("":::"memory");
12183 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
12184 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
12185 ret, "w", "w", "ir", 2);
12186 return ret;
12187 case 16:
12188 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12189 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12190 ret, "q", "", "er", 16);
12191 if (unlikely(ret))
12192 return ret;
12193 asm("":::"memory");
12194 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
12195 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
12196 ret, "q", "", "er", 8);
12197 return ret;
12198 default:
12199 +
12200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12201 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12202 + dst += PAX_USER_SHADOW_BASE;
12203 +#endif
12204 +
12205 return copy_user_generic((__force void *)dst, src, size);
12206 }
12207 }
12208
12209 static __always_inline __must_check
12210 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12211 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12212 {
12213 - int ret = 0;
12214 + unsigned ret = 0;
12215
12216 might_fault();
12217 - if (!__builtin_constant_p(size))
12218 +
12219 + if ((int)size < 0)
12220 + return size;
12221 +
12222 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12223 + if (!__access_ok(VERIFY_READ, src, size))
12224 + return size;
12225 + if (!__access_ok(VERIFY_WRITE, dst, size))
12226 + return size;
12227 +#endif
12228 +
12229 + if (!__builtin_constant_p(size)) {
12230 +
12231 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12232 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12233 + src += PAX_USER_SHADOW_BASE;
12234 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12235 + dst += PAX_USER_SHADOW_BASE;
12236 +#endif
12237 +
12238 return copy_user_generic((__force void *)dst,
12239 - (__force void *)src, size);
12240 + (__force const void *)src, size);
12241 + }
12242 switch (size) {
12243 case 1: {
12244 u8 tmp;
12245 - __get_user_asm(tmp, (u8 __user *)src,
12246 + __get_user_asm(tmp, (const u8 __user *)src,
12247 ret, "b", "b", "=q", 1);
12248 if (likely(!ret))
12249 __put_user_asm(tmp, (u8 __user *)dst,
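Review bot: In `__copy_from_user` and `__copy_to_user` the provable-overflow case (`sz != -1 && sz < size`) is reported only through `WARN()` under CONFIG_DEBUG_VM; on other configurations it silently becomes a failed copy. uaccess_32.h routes the same condition to `copy_from_user_overflow()` / `copy_to_user_overflow()` so that the build flags it. The new early `return size;` exits also leave `dst` untouched, unlike the zero-fill the `copy_from_user` wrapper performs on its own failure path. Suggest a comment above the guards, for example `/* early exits copy nothing and do not zero dst; callers must check the return value */`, and consider using the compile-time diagnostic here too if it is available to this header. `__copy_in_user` continues past the end of this hunk.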
12250 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
12251 }
12252 case 2: {
12253 u16 tmp;
12254 - __get_user_asm(tmp, (u16 __user *)src,
12255 + __get_user_asm(tmp, (const u16 __user *)src,
12256 ret, "w", "w", "=r", 2);
12257 if (likely(!ret))
12258 __put_user_asm(tmp, (u16 __user *)dst,
12259 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
12260
12261 case 4: {
12262 u32 tmp;
12263 - __get_user_asm(tmp, (u32 __user *)src,
12264 + __get_user_asm(tmp, (const u32 __user *)src,
12265 ret, "l", "k", "=r", 4);
12266 if (likely(!ret))
12267 __put_user_asm(tmp, (u32 __user *)dst,
12268 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
12269 }
12270 case 8: {
12271 u64 tmp;
12272 - __get_user_asm(tmp, (u64 __user *)src,
12273 + __get_user_asm(tmp, (const u64 __user *)src,
12274 ret, "q", "", "=r", 8);
12275 if (likely(!ret))
12276 __put_user_asm(tmp, (u64 __user *)dst,
12277 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
12278 return ret;
12279 }
12280 default:
12281 +
12282 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12283 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12284 + src += PAX_USER_SHADOW_BASE;
12285 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12286 + dst += PAX_USER_SHADOW_BASE;
12287 +#endif
12288 +
12289 return copy_user_generic((__force void *)dst,
12290 - (__force void *)src, size);
12291 + (__force const void *)src, size);
12292 }
12293 }
12294
12295 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
12296 static __must_check __always_inline int
12297 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12298 {
12299 + pax_track_stack();
12300 +
12301 + if ((int)size < 0)
12302 + return size;
12303 +
12304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12305 + if (!__access_ok(VERIFY_READ, src, size))
12306 + return size;
12307 +
12308 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12309 + src += PAX_USER_SHADOW_BASE;
12310 +#endif
12311 +
12312 return copy_user_generic(dst, (__force const void *)src, size);
12313 }
12314
12315 -static __must_check __always_inline int
12316 +static __must_check __always_inline unsigned long
12317 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12318 {
12319 + if ((int)size < 0)
12320 + return size;
12321 +
12322 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12323 + if (!__access_ok(VERIFY_WRITE, dst, size))
12324 + return size;
12325 +
12326 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12327 + dst += PAX_USER_SHADOW_BASE;
12328 +#endif
12329 +
12330 return copy_user_generic((__force void *)dst, src, size);
12331 }
12332
12333 -extern long __copy_user_nocache(void *dst, const void __user *src,
12334 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12335 unsigned size, int zerorest);
12336
12337 -static inline int
12338 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12339 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12340 {
12341 might_sleep();
12342 +
12343 + if ((int)size < 0)
12344 + return size;
12345 +
12346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12347 + if (!__access_ok(VERIFY_READ, src, size))
12348 + return size;
12349 +#endif
12350 +
12351 return __copy_user_nocache(dst, src, size, 1);
12352 }
12353
12354 -static inline int
12355 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12356 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12357 unsigned size)
12358 {
12359 + if ((int)size < 0)
12360 + return size;
12361 +
12362 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12363 + if (!__access_ok(VERIFY_READ, src, size))
12364 + return size;
12365 +#endif
12366 +
12367 return __copy_user_nocache(dst, src, size, 0);
12368 }
12369
12370 -unsigned long
12371 +extern unsigned long
12372 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12373
12374 #endif /* _ASM_X86_UACCESS_64_H */
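Review bot: `__copy_from_user_inatomic` keeps its `int` return type while the new guard returns `size` when `(int)size < 0`, so the caller receives a negative value from a function whose result is otherwise a count of bytes left uncopied. The siblings touched in this hunk (`__copy_to_user_inatomic`, `__copy_from_user_nocache`, `__copy_from_user_inatomic_nocache`) were all switched to `unsigned long`; declaring this one `static __must_check __always_inline unsigned long` as well keeps the contract uniform. Separately, the two `_nocache` variants check `__access_ok()` under PAX_MEMORY_UDEREF but do not apply the `PAX_USER_SHADOW_BASE` adjustment that the `_inatomic` functions do. If `__copy_user_nocache` handles that internally, a comment saying so would remove the doubt.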
12375 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess.h linux-2.6.39.3/arch/x86/include/asm/uaccess.h
12376 --- linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400
12377 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400
12378 @@ -8,12 +8,15 @@
12379 #include <linux/thread_info.h>
12380 #include <linux/prefetch.h>
12381 #include <linux/string.h>
12382 +#include <linux/sched.h>
12383 #include <asm/asm.h>
12384 #include <asm/page.h>
12385
12386 #define VERIFY_READ 0
12387 #define VERIFY_WRITE 1
12388
12389 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
12390 +
12391 /*
12392 * The fs value determines whether argument validity checking should be
12393 * performed or not. If get_fs() == USER_DS, checking is performed, with
12394 @@ -29,7 +32,12 @@
12395
12396 #define get_ds() (KERNEL_DS)
12397 #define get_fs() (current_thread_info()->addr_limit)
12398 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12399 +void __set_fs(mm_segment_t x);
12400 +void set_fs(mm_segment_t x);
12401 +#else
12402 #define set_fs(x) (current_thread_info()->addr_limit = (x))
12403 +#endif
12404
12405 #define segment_eq(a, b) ((a).seg == (b).seg)
12406
12407 @@ -77,7 +85,33 @@
12408 * checks that the pointer is in the user space range - after calling
12409 * this function, memory access functions may still return -EFAULT.
12410 */
12411 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12412 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12413 +#define access_ok(type, addr, size) \
12414 +({ \
12415 + long __size = size; \
12416 + unsigned long __addr = (unsigned long)addr; \
12417 + unsigned long __addr_ao = __addr & PAGE_MASK; \
12418 + unsigned long __end_ao = __addr + __size - 1; \
12419 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
12420 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
12421 + while(__addr_ao <= __end_ao) { \
12422 + char __c_ao; \
12423 + __addr_ao += PAGE_SIZE; \
12424 + if (__size > PAGE_SIZE) \
12425 + cond_resched(); \
12426 + if (__get_user(__c_ao, (char __user *)__addr)) \
12427 + break; \
12428 + if (type != VERIFY_WRITE) { \
12429 + __addr = __addr_ao; \
12430 + continue; \
12431 + } \
12432 + if (__put_user(__c_ao, (char __user *)__addr)) \
12433 + break; \
12434 + __addr = __addr_ao; \
12435 + } \
12436 + } \
12437 + __ret_ao; \
12438 +})
12439
12440 /*
12441 * The exception table consists of pairs of addresses: the first is the
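Review bot: The new `access_ok()` statement expression uses its arguments unparenthesized. `(unsigned long)addr` binds the cast to the first operand only, so a call such as `access_ok(type, p + 1, n)` with a non-`char` pointer would check a different address than the caller meant. Writing `(unsigned long)(addr)`, `long __size = (size);` and `(type) != VERIFY_WRITE` fixes the hygiene. A comment should also state that the page-touching loop only pre-faults: a failing `__get_user`/`__put_user` breaks out without changing `__ret_ao`. The macro may now fault or call `cond_resched()`, which callers in atomic context might not expect.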
12442 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
12443 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
12444 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
12445
12446 -
12447 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12448 +#define __copyuser_seg "gs;"
12449 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
12450 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
12451 +#else
12452 +#define __copyuser_seg
12453 +#define __COPYUSER_SET_ES
12454 +#define __COPYUSER_RESTORE_ES
12455 +#endif
12456
12457 #ifdef CONFIG_X86_32
12458 #define __put_user_asm_u64(x, addr, err, errret) \
12459 - asm volatile("1: movl %%eax,0(%2)\n" \
12460 - "2: movl %%edx,4(%2)\n" \
12461 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
12462 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
12463 "3:\n" \
12464 ".section .fixup,\"ax\"\n" \
12465 "4: movl %3,%0\n" \
12466 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
12467 : "A" (x), "r" (addr), "i" (errret), "0" (err))
12468
12469 #define __put_user_asm_ex_u64(x, addr) \
12470 - asm volatile("1: movl %%eax,0(%1)\n" \
12471 - "2: movl %%edx,4(%1)\n" \
12472 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
12473 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
12474 "3:\n" \
12475 _ASM_EXTABLE(1b, 2b - 1b) \
12476 _ASM_EXTABLE(2b, 3b - 2b) \
12477 @@ -374,7 +416,7 @@ do { \
12478 } while (0)
12479
12480 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12481 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
12482 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
12483 "2:\n" \
12484 ".section .fixup,\"ax\"\n" \
12485 "3: mov %3,%0\n" \
12486 @@ -382,7 +424,7 @@ do { \
12487 " jmp 2b\n" \
12488 ".previous\n" \
12489 _ASM_EXTABLE(1b, 3b) \
12490 - : "=r" (err), ltype(x) \
12491 + : "=r" (err), ltype (x) \
12492 : "m" (__m(addr)), "i" (errret), "0" (err))
12493
12494 #define __get_user_size_ex(x, ptr, size) \
12495 @@ -407,7 +449,7 @@ do { \
12496 } while (0)
12497
12498 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
12499 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
12500 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
12501 "2:\n" \
12502 _ASM_EXTABLE(1b, 2b - 1b) \
12503 : ltype(x) : "m" (__m(addr)))
12504 @@ -424,13 +466,24 @@ do { \
12505 int __gu_err; \
12506 unsigned long __gu_val; \
12507 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
12508 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
12509 + (x) = (__typeof__(*(ptr)))__gu_val; \
12510 __gu_err; \
12511 })
12512
12513 /* FIXME: this hack is definitely wrong -AK */
12514 struct __large_struct { unsigned long buf[100]; };
12515 -#define __m(x) (*(struct __large_struct __user *)(x))
12516 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12517 +#define ____m(x) \
12518 +({ \
12519 + unsigned long ____x = (unsigned long)(x); \
12520 + if (____x < PAX_USER_SHADOW_BASE) \
12521 + ____x += PAX_USER_SHADOW_BASE; \
12522 + (void __user *)____x; \
12523 +})
12524 +#else
12525 +#define ____m(x) (x)
12526 +#endif
12527 +#define __m(x) (*(struct __large_struct __user *)____m(x))
12528
12529 /*
12530 * Tell gcc we read from memory instead of writing: this is because
12531 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
12532 * aliasing issues.
12533 */
12534 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12535 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
12536 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
12537 "2:\n" \
12538 ".section .fixup,\"ax\"\n" \
12539 "3: mov %3,%0\n" \
12540 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
12541 ".previous\n" \
12542 _ASM_EXTABLE(1b, 3b) \
12543 : "=r"(err) \
12544 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
12545 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
12546
12547 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
12548 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
12549 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
12550 "2:\n" \
12551 _ASM_EXTABLE(1b, 2b - 1b) \
12552 : : ltype(x), "m" (__m(addr)))
12553 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
12554 * On error, the variable @x is set to zero.
12555 */
12556
12557 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12558 +#define __get_user(x, ptr) get_user((x), (ptr))
12559 +#else
12560 #define __get_user(x, ptr) \
12561 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
12562 +#endif
12563
12564 /**
12565 * __put_user: - Write a simple value into user space, with less checking.
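Review bot: With CONFIG_X86_64 and CONFIG_PAX_MEMORY_UDEREF, `__get_user` becomes an alias for `get_user`, and the next hunk does the same for `__put_user`, but the kernel-doc still describes these as the variants "with less checking". Suggest a short note in each doc block, e.g. `* With PAX_MEMORY_UDEREF on x86_64 this is identical to get_user() and performs the full access check.` This matters to readers of the new `access_ok()` loop, which calls `__get_user`/`__put_user` and so picks up the checked versions on that configuration.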
12566 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
12567 * Returns zero on success, or -EFAULT on error.
12568 */
12569
12570 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12571 +#define __put_user(x, ptr) put_user((x), (ptr))
12572 +#else
12573 #define __put_user(x, ptr) \
12574 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12575 +#endif
12576
12577 #define __get_user_unaligned __get_user
12578 #define __put_user_unaligned __put_user
12579 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12580 #define get_user_ex(x, ptr) do { \
12581 unsigned long __gue_val; \
12582 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12583 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
12584 + (x) = (__typeof__(*(ptr)))__gue_val; \
12585 } while (0)
12586
12587 #ifdef CONFIG_X86_WP_WORKS_OK
12588 @@ -567,6 +628,7 @@ extern struct movsl_mask {
12589
12590 #define ARCH_HAS_NOCACHE_UACCESS 1
12591
12592 +#define ARCH_HAS_SORT_EXTABLE
12593 #ifdef CONFIG_X86_32
12594 # include "uaccess_32.h"
12595 #else
12596 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vgtod.h linux-2.6.39.3/arch/x86/include/asm/vgtod.h
12597 --- linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400
12598 +++ linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400
12599 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12600 int sysctl_enabled;
12601 struct timezone sys_tz;
12602 struct { /* extract of a clocksource struct */
12603 + char name[8];
12604 cycle_t (*vread)(void);
12605 cycle_t cycle_last;
12606 cycle_t mask;
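Review bot: The new `char name[8];` in the embedded clocksource extract has no comment saying what it holds or whether it is NUL-terminated. The code that fills it is not in this hunk; it presumably copies the clocksource name, in which case a longer name must be truncated to fit and any reader comparing it as a string depends on the terminator. I would document that on the field, e.g. `char name[8]; /* truncated, NUL-terminated copy of the clocksource name */`, and use a named constant instead of the bare 8.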
12607 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vsyscall.h linux-2.6.39.3/arch/x86/include/asm/vsyscall.h
12608 --- linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400
12609 +++ linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400
12610 @@ -15,9 +15,10 @@ enum vsyscall_num {
12611
12612 #ifdef __KERNEL__
12613 #include <linux/seqlock.h>
12614 +#include <linux/getcpu.h>
12615 +#include <linux/time.h>
12616
12617 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12618 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12619
12620 /* Definitions for CONFIG_GENERIC_TIME definitions */
12621 #define __section_vsyscall_gtod_data __attribute__ \
12622 @@ -31,7 +32,6 @@ enum vsyscall_num {
12623 #define VGETCPU_LSL 2
12624
12625 extern int __vgetcpu_mode;
12626 -extern volatile unsigned long __jiffies;
12627
12628 /* kernel space (writeable) */
12629 extern int vgetcpu_mode;
12630 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12631
12632 extern void map_vsyscall(void);
12633
12634 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12635 +extern time_t vtime(time_t *t);
12636 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12637 #endif /* __KERNEL__ */
12638
12639 #endif /* _ASM_X86_VSYSCALL_H */
12640 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xen/pci.h linux-2.6.39.3/arch/x86/include/asm/xen/pci.h
12641 --- linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400
12642 +++ linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400
12643 @@ -33,7 +33,7 @@ struct xen_pci_frontend_ops {
12644 void (*disable_msix)(struct pci_dev *dev);
12645 };
12646
12647 -extern struct xen_pci_frontend_ops *xen_pci_frontend;
12648 +extern const struct xen_pci_frontend_ops *xen_pci_frontend;
12649
12650 static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev,
12651 int vectors[])
12652 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xsave.h linux-2.6.39.3/arch/x86/include/asm/xsave.h
12653 --- linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400
12654 +++ linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400
12655 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
12656 {
12657 int err;
12658
12659 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12660 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12661 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12662 +#endif
12663 +
12664 /*
12665 * Clear the xsave header first, so that reserved fields are
12666 * initialized to zero.
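Review bot: The rebasing of `buf` in `xsave_user` has no comment and is repeated almost verbatim for `xstate` in `xrestore_user` (next hunk). From these lines a reader cannot tell why a pointer below `PAX_USER_SHADOW_BASE` is shifted up, nor what guarantees that a pointer already at or above it is a legitimate user address rather than one the caller failed to validate. I would add a comment such as `/* UDEREF: user memory is reached through the shadow mapping; rebase pointers still below it */` (wording to be confirmed against the UDEREF design) and move the check into one shared helper so the two sites cannot drift. Both function bodies continue outside these hunks.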
12667 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
12668 u32 lmask = mask;
12669 u32 hmask = mask >> 32;
12670
12671 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12672 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12673 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12674 +#endif
12675 +
12676 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12677 "2:\n"
12678 ".section .fixup,\"ax\"\n"
12679 diff -urNp linux-2.6.39.3/arch/x86/Kconfig linux-2.6.39.3/arch/x86/Kconfig
12680 --- linux-2.6.39.3/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400
12681 +++ linux-2.6.39.3/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400
12682 @@ -224,7 +224,7 @@ config X86_HT
12683
12684 config X86_32_LAZY_GS
12685 def_bool y
12686 - depends on X86_32 && !CC_STACKPROTECTOR
12687 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12688
12689 config ARCH_HWEIGHT_CFLAGS
12690 string
12691 @@ -1022,7 +1022,7 @@ choice
12692
12693 config NOHIGHMEM
12694 bool "off"
12695 - depends on !X86_NUMAQ
12696 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12697 ---help---
12698 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12699 However, the address space of 32-bit x86 processors is only 4
12700 @@ -1059,7 +1059,7 @@ config NOHIGHMEM
12701
12702 config HIGHMEM4G
12703 bool "4GB"
12704 - depends on !X86_NUMAQ
12705 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12706 ---help---
12707 Select this if you have a 32-bit processor and between 1 and 4
12708 gigabytes of physical RAM.
12709 @@ -1113,7 +1113,7 @@ config PAGE_OFFSET
12710 hex
12711 default 0xB0000000 if VMSPLIT_3G_OPT
12712 default 0x80000000 if VMSPLIT_2G
12713 - default 0x78000000 if VMSPLIT_2G_OPT
12714 + default 0x70000000 if VMSPLIT_2G_OPT
12715 default 0x40000000 if VMSPLIT_1G
12716 default 0xC0000000
12717 depends on X86_32
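Review bot: The `VMSPLIT_2G_OPT` default moves from `0x78000000` to `0x70000000` without a comment, and the change applies whether or not any PaX option is enabled. The prompt and help text for `VMSPLIT_2G_OPT` are outside this hunk; if they describe the old split they need the same update. A `#` comment next to the line naming the feature that requires the lower base would help whoever rebases this patch.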
12718 @@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED
12719
12720 config EFI
12721 bool "EFI runtime service support"
12722 - depends on ACPI
12723 + depends on ACPI && !PAX_KERNEXEC
12724 ---help---
12725 This enables the kernel to use EFI runtime services that are
12726 available (such as the EFI variable services).
12727 @@ -1487,6 +1487,7 @@ config SECCOMP
12728
12729 config CC_STACKPROTECTOR
12730 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12731 + depends on X86_64 || !PAX_MEMORY_UDEREF
12732 ---help---
12733 This option turns on the -fstack-protector GCC feature. This
12734 feature puts, at the beginning of functions, a canary value on
12735 @@ -1544,6 +1545,7 @@ config KEXEC_JUMP
12736 config PHYSICAL_START
12737 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
12738 default "0x1000000"
12739 + range 0x400000 0x40000000
12740 ---help---
12741 This gives the physical address where the kernel is loaded.
12742
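Review bot: `range 0x400000 0x40000000` on `PHYSICAL_START` is unconditional, while the matching restriction on `PHYSICAL_ALIGN` in the next hunk is guarded with `if PAX_KERNEXEC`. As written, the load address is forced into this range even with every PaX option off, and the help text below does not mention the bounds. If the limit is only needed for KERNEXEC, `range 0x400000 0x40000000 if PAX_KERNEXEC` would match the other hunk; otherwise the help text should state the new limits.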
12743 @@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS
12744 config PHYSICAL_ALIGN
12745 hex "Alignment value to which kernel should be aligned" if X86_32
12746 default "0x1000000"
12747 + range 0x400000 0x1000000 if PAX_KERNEXEC
12748 range 0x2000 0x1000000
12749 ---help---
12750 This value puts the alignment restrictions on physical address
12751 @@ -1638,9 +1641,10 @@ config HOTPLUG_CPU
12752 Say N if you want to disable CPU hotplug.
12753
12754 config COMPAT_VDSO
12755 - def_bool y
12756 + def_bool n
12757 prompt "Compat VDSO support"
12758 depends on X86_32 || IA32_EMULATION
12759 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12760 ---help---
12761 Map the 32-bit VDSO to the predictable old-style address too.
12762
12763 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.cpu linux-2.6.39.3/arch/x86/Kconfig.cpu
12764 --- linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400
12765 +++ linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400
12766 @@ -334,7 +334,7 @@ config X86_PPRO_FENCE
12767
12768 config X86_F00F_BUG
12769 def_bool y
12770 - depends on M586MMX || M586TSC || M586 || M486 || M386
12771 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12772
12773 config X86_INVD_BUG
12774 def_bool y
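Review bot: Adding `&& !PAX_KERNEXEC` to `X86_F00F_BUG` turns the F00F workaround off for kernels built for the affected CPU selections (`M586*`, `M486`, `M386`) whenever KERNEXEC is enabled, and nothing visible here prevents that combination. On an affected processor that trades one protection for exposure to a known CPU lockup erratum, so the combination should either be excluded on the KERNEXEC side or documented. If the KERNEXEC option already depends on a CPU selection without the erratum (not visible in this hunk), a `#` comment here recording that would be enough.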
12775 @@ -358,7 +358,7 @@ config X86_POPAD_OK
12776
12777 config X86_ALIGNMENT_16
12778 def_bool y
12779 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12780 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12781
12782 config X86_INTEL_USERCOPY
12783 def_bool y
12784 @@ -404,7 +404,7 @@ config X86_CMPXCHG64
12785 # generates cmov.
12786 config X86_CMOV
12787 def_bool y
12788 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12789 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12790
12791 config X86_MINIMUM_CPU_FAMILY
12792 int
12793 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.debug linux-2.6.39.3/arch/x86/Kconfig.debug
12794 --- linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
12795 +++ linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400
12796 @@ -101,7 +101,7 @@ config X86_PTDUMP
12797 config DEBUG_RODATA
12798 bool "Write protect kernel read-only data structures"
12799 default y
12800 - depends on DEBUG_KERNEL
12801 + depends on DEBUG_KERNEL && BROKEN
12802 ---help---
12803 Mark the kernel read-only data as write-protected in the pagetables,
12804 in order to catch accidental (and incorrect) writes to such const
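Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, not only where a PaX feature replaces it; `DEBUG_SET_MODULE_RONX` gets the same treatment in the next hunk. A kernel built from this tree with the PaX options off would then have no way to enable read-only data or module RO/NX protection through these options. If they only conflict with KERNEXEC, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` (and `depends on MODULES && !PAX_KERNEXEC`) expresses that. Otherwise add a `#` comment giving the reason for `BROKEN`, since the remaining `default y` no longer has any effect.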
12805 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
12806
12807 config DEBUG_SET_MODULE_RONX
12808 bool "Set loadable kernel module data as NX and text as RO"
12809 - depends on MODULES
12810 + depends on MODULES && BROKEN
12811 ---help---
12812 This option helps catch unintended modifications to loadable
12813 kernel module's text and read-only data. It also prevents execution
12814 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S
12815 --- linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:18:51.000000000 -0400
12816 +++ linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:19:18.000000000 -0400
12817 @@ -108,6 +108,9 @@ wakeup_code:
12818 /* Do any other stuff... */
12819
12820 #ifndef CONFIG_64BIT
12821 + /* Recheck NX bit overrides (64bit path does this in trampoline */
12822 + call verify_cpu
12823 +
12824 /* This could also be done in C code... */
12825 movl pmode_cr3, %eax
12826 movl %eax, %cr3
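Review bot: The added comment has an unbalanced parenthesis, and the result of `verify_cpu` is not examined anywhere in this hunk. I would write the comment as `/* Recheck NX bit overrides (64-bit path does this in the trampoline) */`. If `verify_cpu` reports an unsupported CPU through a register, the 32-bit resume path continues regardless; if the call is made only for its side effect on the NX override, the comment should say that the return value is ignored on purpose. `wakeup_code` extends beyond the hunk.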
12827 @@ -131,6 +134,7 @@ wakeup_code:
12828 movl pmode_cr0, %eax
12829 movl %eax, %cr0
12830 jmp pmode_return
12831 +# include "../../verify_cpu.S"
12832 #else
12833 pushw $0
12834 pushw trampoline_segment
12835 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c
12836 --- linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:18:51.000000000 -0400
12837 +++ linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:19:18.000000000 -0400
12838 @@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
12839 header->trampoline_segment = trampoline_address() >> 4;
12840 #ifdef CONFIG_SMP
12841 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12842 +
12843 + pax_open_kernel();
12844 early_gdt_descr.address =
12845 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12846 + pax_close_kernel();
12847 +
12848 initial_gs = per_cpu_offset(smp_processor_id());
12849 #endif
12850 initial_code = (unsigned long)wakeup_long64;
12851 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S
12852 --- linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400
12853 +++ linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400
12854 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12855 # and restore the stack ... but you need gdt for this to work
12856 movl saved_context_esp, %esp
12857
12858 - movl %cs:saved_magic, %eax
12859 - cmpl $0x12345678, %eax
12860 + cmpl $0x12345678, saved_magic
12861 jne bogus_magic
12862
12863 # jump to place where we left off
12864 - movl saved_eip, %eax
12865 - jmp *%eax
12866 + jmp *(saved_eip)
12867
12868 bogus_magic:
12869 jmp bogus_magic
12870 diff -urNp linux-2.6.39.3/arch/x86/kernel/alternative.c linux-2.6.39.3/arch/x86/kernel/alternative.c
12871 --- linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400
12872 +++ linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400
12873 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
12874 if (!*poff || ptr < text || ptr >= text_end)
12875 continue;
12876 /* turn DS segment override prefix into lock prefix */
12877 - if (*ptr == 0x3e)
12878 + if (*ktla_ktva(ptr) == 0x3e)
12879 text_poke(ptr, ((unsigned char []){0xf0}), 1);
12880 };
12881 mutex_unlock(&text_mutex);
12882 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
12883 if (!*poff || ptr < text || ptr >= text_end)
12884 continue;
12885 /* turn lock prefix into DS segment override prefix */
12886 - if (*ptr == 0xf0)
12887 + if (*ktla_ktva(ptr) == 0xf0)
12888 text_poke(ptr, ((unsigned char []){0x3E}), 1);
12889 };
12890 mutex_unlock(&text_mutex);
12891 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
12892
12893 BUG_ON(p->len > MAX_PATCH_LEN);
12894 /* prep the buffer with the original instructions */
12895 - memcpy(insnbuf, p->instr, p->len);
12896 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12897 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12898 (unsigned long)p->instr, p->len);
12899
12900 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
12901 if (smp_alt_once)
12902 free_init_pages("SMP alternatives",
12903 (unsigned long)__smp_locks,
12904 - (unsigned long)__smp_locks_end);
12905 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12906
12907 restart_nmi();
12908 }
12909 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
12910 * instructions. And on the local CPU you need to be protected again NMI or MCE
12911 * handlers seeing an inconsistent instruction while you patch.
12912 */
12913 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
12914 +void *__kprobes text_poke_early(void *addr, const void *opcode,
12915 size_t len)
12916 {
12917 unsigned long flags;
12918 local_irq_save(flags);
12919 - memcpy(addr, opcode, len);
12920 +
12921 + pax_open_kernel();
12922 + memcpy(ktla_ktva(addr), opcode, len);
12923 sync_core();
12924 + pax_close_kernel();
12925 +
12926 local_irq_restore(flags);
12927 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12928 that causes hangs on some VIA CPUs. */
12929 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
12930 */
12931 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12932 {
12933 - unsigned long flags;
12934 - char *vaddr;
12935 + unsigned char *vaddr = ktla_ktva(addr);
12936 struct page *pages[2];
12937 - int i;
12938 + size_t i;
12939
12940 if (!core_kernel_text((unsigned long)addr)) {
12941 - pages[0] = vmalloc_to_page(addr);
12942 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12943 + pages[0] = vmalloc_to_page(vaddr);
12944 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12945 } else {
12946 - pages[0] = virt_to_page(addr);
12947 + pages[0] = virt_to_page(vaddr);
12948 WARN_ON(!PageReserved(pages[0]));
12949 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12950 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12951 }
12952 BUG_ON(!pages[0]);
12953 - local_irq_save(flags);
12954 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12955 - if (pages[1])
12956 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12957 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12958 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12959 - clear_fixmap(FIX_TEXT_POKE0);
12960 - if (pages[1])
12961 - clear_fixmap(FIX_TEXT_POKE1);
12962 - local_flush_tlb();
12963 - sync_core();
12964 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12965 - that causes hangs on some VIA CPUs. */
12966 + text_poke_early(addr, opcode, len);
12967 for (i = 0; i < len; i++)
12968 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12969 - local_irq_restore(flags);
12970 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12971 return addr;
12972 }
12973
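Review bot: After this change `pages[1]` is assigned in both branches of `text_poke` but never read, and `pages[0]` survives only for the `WARN_ON`/`BUG_ON`, because the fixmap mapping that consumed them has been removed. The write now goes through `text_poke_early(addr, opcode, len)`, a plain `memcpy` on the translated address, so the two `pages[1] = ...` lines can go and the array can become a single `struct page *page;`. The function's header comment is outside the hunk; if it still describes the fixmap approach, it should be updated in the same patch.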
12974 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
12975 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
12976
12977 #ifdef CONFIG_X86_64
12978 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12979 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12980 #else
12981 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12982 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12983 #endif
12984
12985 void __init arch_init_ideal_nop5(void)
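Review bot: `ideal_nop5` becomes `__read_only`, but `arch_init_ideal_nop5()`, visible only as the trailing context line, is not modified in this file section, and its name suggests it may store a CPU-specific sequence into the array. If it does, that store must either run before read-only data is sealed or be wrapped in `pax_open_kernel()`/`pax_close_kernel()` like the other writes in this file. A comment on the array stating which of the two applies would make the assumption checkable.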
12986 diff -urNp linux-2.6.39.3/arch/x86/kernel/amd_iommu.c linux-2.6.39.3/arch/x86/kernel/amd_iommu.c
12987 --- linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 12:55:22.000000000 -0400
12988 +++ linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 13:00:25.000000000 -0400
12989 @@ -49,7 +49,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc
12990 */
12991 static struct protection_domain *pt_domain;
12992
12993 -static struct iommu_ops amd_iommu_ops;
12994 +static const struct iommu_ops amd_iommu_ops;
12995
12996 /*
12997 * general struct to manage commands send to an IOMMU
12998 @@ -2307,7 +2307,7 @@ static void prealloc_protection_domains(
12999 }
13000 }
13001
13002 -static struct dma_map_ops amd_iommu_dma_ops = {
13003 +static const struct dma_map_ops amd_iommu_dma_ops = {
13004 .alloc_coherent = alloc_coherent,
13005 .free_coherent = free_coherent,
13006 .map_page = map_page,
13007 @@ -2624,7 +2624,7 @@ static int amd_iommu_domain_has_cap(stru
13008 return 0;
13009 }
13010
13011 -static struct iommu_ops amd_iommu_ops = {
13012 +static const struct iommu_ops amd_iommu_ops = {
13013 .domain_init = amd_iommu_domain_init,
13014 .domain_destroy = amd_iommu_domain_destroy,
13015 .attach_dev = amd_iommu_attach_device,
13016 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/apic.c linux-2.6.39.3/arch/x86/kernel/apic/apic.c
13017 --- linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400
13018 +++ linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400
13019 @@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs
13020 apic_write(APIC_ESR, 0);
13021 v1 = apic_read(APIC_ESR);
13022 ack_APIC_irq();
13023 - atomic_inc(&irq_err_count);
13024 + atomic_inc_unchecked(&irq_err_count);
13025
13026 /*
13027 * Here is what the APIC error bits mean:
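Review bot: `atomic_inc_unchecked(&irq_err_count)` opts this counter out of whatever overflow checking the plain `atomic_inc` carries in this tree, with no comment saying why that is safe; the same applies to `irq_mis_count` in the `io_apic.c` hunks. If these are pure statistics whose wrap-around is harmless, a note at the declaration such as `/* statistics only, wrap is harmless */` lets a later reader tell them apart from reference counts. The declaration of `irq_err_count` is outside this hunk and has to change type in step.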
13028 @@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo
13029 u16 *bios_cpu_apicid;
13030 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
13031
13032 + pax_track_stack();
13033 +
13034 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
13035 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
13036
13037 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c
13038 --- linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400
13039 +++ linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400
13040 @@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi
13041 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
13042 GFP_ATOMIC);
13043 if (!ioapic_entries)
13044 - return 0;
13045 + return NULL;
13046
13047 for (apic = 0; apic < nr_ioapics; apic++) {
13048 ioapic_entries[apic] =
13049 @@ -640,7 +640,7 @@ nomem:
13050 kfree(ioapic_entries[apic]);
13051 kfree(ioapic_entries);
13052
13053 - return 0;
13054 + return NULL;
13055 }
13056
13057 /*
13058 @@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
13059 }
13060 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
13061
13062 -void lock_vector_lock(void)
13063 +void lock_vector_lock(void) __acquires(vector_lock)
13064 {
13065 /* Used to the online set of cpus does not change
13066 * during assign_irq_vector.
13067 @@ -1048,7 +1048,7 @@ void lock_vector_lock(void)
13068 raw_spin_lock(&vector_lock);
13069 }
13070
13071 -void unlock_vector_lock(void)
13072 +void unlock_vector_lock(void) __releases(vector_lock)
13073 {
13074 raw_spin_unlock(&vector_lock);
13075 }
13076 @@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat
13077 ack_APIC_irq();
13078 }
13079
13080 -atomic_t irq_mis_count;
13081 +atomic_unchecked_t irq_mis_count;
13082
13083 /*
13084 * IO-APIC versions below 0x20 don't support EOI register.
13085 @@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da
13086 * at the cpu.
13087 */
13088 if (!(v & (1 << (i & 0x1f)))) {
13089 - atomic_inc(&irq_mis_count);
13090 + atomic_inc_unchecked(&irq_mis_count);
13091
13092 eoi_ioapic_irq(irq, cfg);
13093 }
13094 diff -urNp linux-2.6.39.3/arch/x86/kernel/apm_32.c linux-2.6.39.3/arch/x86/kernel/apm_32.c
13095 --- linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400
13096 +++ linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400
13097 @@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex);
13098 * This is for buggy BIOS's that refer to (real mode) segment 0x40
13099 * even though they are called in protected mode.
13100 */
13101 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
13102 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
13103 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
13104
13105 static const char driver_version[] = "1.16ac"; /* no spaces */
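Review bot: The descriptor flags of `bad_bios_desc` change from `0x4092` to `0x4093` in the same line that adds `const`, and nothing explains the extra bit. Bit 0 of the type field is the accessed bit; pre-setting it is presumably meant to keep the CPU from having to write to the descriptor when the segment is loaded from a GDT that is no longer writable. If that is the reason, record it, e.g. `/* accessed bit preset so loading the segment never writes to the GDT */`.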
13106 @@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call)
13107 BUG_ON(cpu != 0);
13108 gdt = get_cpu_gdt_table(cpu);
13109 save_desc_40 = gdt[0x40 / 8];
13110 +
13111 + pax_open_kernel();
13112 gdt[0x40 / 8] = bad_bios_desc;
13113 + pax_close_kernel();
13114
13115 apm_irq_save(flags);
13116 APM_DO_SAVE_SEGS;
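Review bot: The open/assign/close sequence around `gdt[0x40 / 8]` is now written out four times, twice in `__apm_bios_call` and twice in `__apm_bios_call_simple` (this hunk and the next three). A small static helper keeps the writable window to the single store and removes the chance that one site is later edited without its `pax_close_kernel()`. Each call site then becomes one line, e.g. `apm_write_desc_40(gdt, &bad_bios_desc);`. Both functions begin and end outside the hunks.

```c
/* Replace GDT slot 0x40, keeping the kernel writable only for the store. */
static void apm_write_desc_40(struct desc_struct *gdt,
			      const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}
```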
13117 @@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call)
13118 &call->esi);
13119 APM_DO_RESTORE_SEGS;
13120 apm_irq_restore(flags);
13121 +
13122 + pax_open_kernel();
13123 gdt[0x40 / 8] = save_desc_40;
13124 + pax_close_kernel();
13125 +
13126 put_cpu();
13127
13128 return call->eax & 0xff;
13129 @@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void
13130 BUG_ON(cpu != 0);
13131 gdt = get_cpu_gdt_table(cpu);
13132 save_desc_40 = gdt[0x40 / 8];
13133 +
13134 + pax_open_kernel();
13135 gdt[0x40 / 8] = bad_bios_desc;
13136 + pax_close_kernel();
13137
13138 apm_irq_save(flags);
13139 APM_DO_SAVE_SEGS;
13140 @@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void
13141 &call->eax);
13142 APM_DO_RESTORE_SEGS;
13143 apm_irq_restore(flags);
13144 +
13145 + pax_open_kernel();
13146 gdt[0x40 / 8] = save_desc_40;
13147 + pax_close_kernel();
13148 +
13149 put_cpu();
13150 return error;
13151 }
13152 @@ -2351,12 +2365,15 @@ static int __init apm_init(void)
13153 * code to that CPU.
13154 */
13155 gdt = get_cpu_gdt_table(0);
13156 +
13157 + pax_open_kernel();
13158 set_desc_base(&gdt[APM_CS >> 3],
13159 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
13160 set_desc_base(&gdt[APM_CS_16 >> 3],
13161 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
13162 set_desc_base(&gdt[APM_DS >> 3],
13163 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
13164 + pax_close_kernel();
13165
13166 proc_create("apm", 0, NULL, &apm_file_ops);
13167
13168 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c
13169 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400
13170 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400
13171 @@ -69,6 +69,7 @@ int main(void)
13172 BLANK();
13173 #undef ENTRY
13174
13175 + DEFINE(TSS_size, sizeof(struct tss_struct));
13176 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
13177 BLANK();
13178
13179 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets.c linux-2.6.39.3/arch/x86/kernel/asm-offsets.c
13180 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400
13181 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400
13182 @@ -33,6 +33,8 @@ void common(void) {
13183 OFFSET(TI_status, thread_info, status);
13184 OFFSET(TI_addr_limit, thread_info, addr_limit);
13185 OFFSET(TI_preempt_count, thread_info, preempt_count);
13186 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
13187 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13188
13189 BLANK();
13190 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
13191 @@ -53,8 +55,26 @@ void common(void) {
13192 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13193 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13194 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
13195 +
13196 +#ifdef CONFIG_PAX_KERNEXEC
13197 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13198 +#endif
13199 +
13200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13201 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
13202 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
13203 +#ifdef CONFIG_X86_64
13204 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
13205 +#endif
13206 #endif
13207
13208 +#endif
13209 +
13210 + BLANK();
13211 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13212 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
13213 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13214 +
13215 #ifdef CONFIG_XEN
13216 BLANK();
13217 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
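Review bot: The conditional nesting in this hunk is hard to follow because none of the `#endif` lines is labelled: the context `#endif` that used to close the enclosing block now closes `CONFIG_PAX_MEMORY_UDEREF`, and the added `+#endif` after it closes the outer one. I would label them, e.g. `#endif /* CONFIG_X86_64 */` and `#endif /* CONFIG_PAX_MEMORY_UDEREF */`, and name the outer condition on the last one (its `#ifdef` is above the hunk). Without labels, a later removal of one block is easy to get wrong.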
13218 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/amd.c linux-2.6.39.3/arch/x86/kernel/cpu/amd.c
13219 --- linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400
13220 +++ linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400
13221 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
13222 unsigned int size)
13223 {
13224 /* AMD errata T13 (order #21922) */
13225 - if ((c->x86 == 6)) {
13226 + if (c->x86 == 6) {
13227 /* Duron Rev A0 */
13228 if (c->x86_model == 3 && c->x86_mask == 0)
13229 size = 64;
13230 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/common.c linux-2.6.39.3/arch/x86/kernel/cpu/common.c
13231 --- linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400
13232 +++ linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400
13233 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
13234
13235 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
13236
13237 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
13238 -#ifdef CONFIG_X86_64
13239 - /*
13240 - * We need valid kernel segments for data and code in long mode too
13241 - * IRET will check the segment types kkeil 2000/10/28
13242 - * Also sysret mandates a special GDT layout
13243 - *
13244 - * TLS descriptors are currently at a different place compared to i386.
13245 - * Hopefully nobody expects them at a fixed place (Wine?)
13246 - */
13247 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
13248 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
13249 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
13250 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
13251 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
13252 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
13253 -#else
13254 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
13255 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13256 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
13257 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
13258 - /*
13259 - * Segments used for calling PnP BIOS have byte granularity.
13260 - * They code segments and data segments have fixed 64k limits,
13261 - * the transfer segment sizes are set at run time.
13262 - */
13263 - /* 32-bit code */
13264 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13265 - /* 16-bit code */
13266 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13267 - /* 16-bit data */
13268 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
13269 - /* 16-bit data */
13270 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
13271 - /* 16-bit data */
13272 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
13273 - /*
13274 - * The APM segments have byte granularity and their bases
13275 - * are set at run time. All have 64k limits.
13276 - */
13277 - /* 32-bit code */
13278 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13279 - /* 16-bit code */
13280 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13281 - /* data */
13282 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13283 -
13284 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13285 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13286 - GDT_STACK_CANARY_INIT
13287 -#endif
13288 -} };
13289 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13290 -
13291 static int __init x86_xsave_setup(char *s)
13292 {
13293 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
13294 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
13295 {
13296 struct desc_ptr gdt_descr;
13297
13298 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13299 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13300 gdt_descr.size = GDT_SIZE - 1;
13301 load_gdt(&gdt_descr);
13302 /* Reload the per-cpu base */
13303 @@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc
13304 /* Filter out anything that depends on CPUID levels we don't have */
13305 filter_cpuid_features(c, true);
13306
13307 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13308 + setup_clear_cpu_cap(X86_FEATURE_SEP);
13309 +#endif
13310 +
13311 /* If the model name is still unset, do table lookup. */
13312 if (!c->x86_model_id[0]) {
13313 const char *p;
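Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` in `identify_cpu` disables SYSENTER support for the listed PaX configurations without a comment, and it runs on every CPU identification although the mask it updates appears to be global. A one-line reason above the `#if`, in the form `/* SEP is cleared because <reason> */`, would tell a maintainer whether the condition list must grow when new features are added. If a one-time setup path exists for this, the call would sit better there. `identify_cpu` continues outside the hunk.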
13314 @@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha
13315 }
13316 __setup("clearcpuid=", setup_disablecpuid);
13317
13318 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13319 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
13320 +
13321 #ifdef CONFIG_X86_64
13322 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13323
13324 @@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13325 EXPORT_PER_CPU_SYMBOL(current_task);
13326
13327 DEFINE_PER_CPU(unsigned long, kernel_stack) =
13328 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13329 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13330 EXPORT_PER_CPU_SYMBOL(kernel_stack);
13331
13332 DEFINE_PER_CPU(char *, irq_stack_ptr) =
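Review bot: Replacing `KERNEL_STACK_OFFSET` with a bare `16` leaves a magic number in the initializer of `kernel_stack`. Any entry code that derives the stack top from the same offset has to agree with it, and a literal cannot be searched for. I would keep a named constant and change its definition instead, or at least add `/* must match the offset used by the entry code */` if that is the coupling; the macro's definition is not in this hunk.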
13333 @@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str
13334 {
13335 memset(regs, 0, sizeof(struct pt_regs));
13336 regs->fs = __KERNEL_PERCPU;
13337 - regs->gs = __KERNEL_STACK_CANARY;
13338 + savesegment(gs, regs->gs);
13339
13340 return regs;
13341 }
13342 @@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void)
13343 int i;
13344
13345 cpu = stack_smp_processor_id();
13346 - t = &per_cpu(init_tss, cpu);
13347 + t = init_tss + cpu;
13348 oist = &per_cpu(orig_ist, cpu);
13349
13350 #ifdef CONFIG_NUMA
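Review bot: `t = init_tss + cpu;` treats `init_tss` as a plain array instead of a per-cpu variable (the later 32-bit `cpu_init` hunk does the same), so correctness now depends on that array having an entry for every possible `cpu`. The declaration is not in this file section. `t = &init_tss[cpu];` reads more clearly as an array access, and a comment naming the array's size would make the bound checkable from here.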
13351 @@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void)
13352 switch_to_new_gdt(cpu);
13353 loadsegment(fs, 0);
13354
13355 - load_idt((const struct desc_ptr *)&idt_descr);
13356 + load_idt(&idt_descr);
13357
13358 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13359 syscall_init();
13360 @@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void)
13361 wrmsrl(MSR_KERNEL_GS_BASE, 0);
13362 barrier();
13363
13364 - x86_configure_nx();
13365 if (cpu != 0)
13366 enable_x2apic();
13367
13368 @@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void)
13369 {
13370 int cpu = smp_processor_id();
13371 struct task_struct *curr = current;
13372 - struct tss_struct *t = &per_cpu(init_tss, cpu);
13373 + struct tss_struct *t = init_tss + cpu;
13374 struct thread_struct *thread = &curr->thread;
13375
13376 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13377 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/intel.c linux-2.6.39.3/arch/x86/kernel/cpu/intel.c
13378 --- linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400
13379 +++ linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400
13380 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
13381 * Update the IDT descriptor and reload the IDT so that
13382 * it uses the read-only mapped virtual address.
13383 */
13384 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13385 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13386 load_idt(&idt_descr);
13387 }
13388 #endif
13389 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/Makefile linux-2.6.39.3/arch/x86/kernel/cpu/Makefile
13390 --- linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400
13391 +++ linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400
13392 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
13393 CFLAGS_REMOVE_perf_event.o = -pg
13394 endif
13395
13396 -# Make sure load_percpu_segment has no stackprotector
13397 -nostackp := $(call cc-option, -fno-stack-protector)
13398 -CFLAGS_common.o := $(nostackp)
13399 -
13400 obj-y := intel_cacheinfo.o scattered.o topology.o
13401 obj-y += proc.o capflags.o powerflags.o common.o
13402 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
13403 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c
13404 --- linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400
13405 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400
13406 @@ -46,6 +46,7 @@
13407 #include <asm/ipi.h>
13408 #include <asm/mce.h>
13409 #include <asm/msr.h>
13410 +#include <asm/local.h>
13411
13412 #include "mce-internal.h"
13413
13414 @@ -220,7 +221,7 @@ static void print_mce(struct mce *m)
13415 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13416 m->cs, m->ip);
13417
13418 - if (m->cs == __KERNEL_CS)
13419 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13420 print_symbol("{%s}", m->ip);
13421 pr_cont("\n");
13422 }
13423 @@ -244,10 +245,10 @@ static void print_mce(struct mce *m)
13424
13425 #define PANIC_TIMEOUT 5 /* 5 seconds */
13426
13427 -static atomic_t mce_paniced;
13428 +static atomic_unchecked_t mce_paniced;
13429
13430 static int fake_panic;
13431 -static atomic_t mce_fake_paniced;
13432 +static atomic_unchecked_t mce_fake_paniced;
13433
13434 /* Panic in progress. Enable interrupts and wait for final IPI */
13435 static void wait_for_panic(void)
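Review bot: The switch of `mce_paniced` and `mce_fake_paniced` to `atomic_unchecked_t` is not explained at the declarations. Both look like "panic in progress" latches rather than reference counts, which is presumably why they are exempted from overflow checking; a comment such as `/* panic latch, not a refcount: overflow checking not wanted */` above them would say so. The later hunks in mce_panic, mce_timed_out and mce_reset only follow the type change and need nothing further.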
13436 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
13437 /*
13438 * Make sure only one CPU runs in machine check panic
13439 */
13440 - if (atomic_inc_return(&mce_paniced) > 1)
13441 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13442 wait_for_panic();
13443 barrier();
13444
13445 @@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct
13446 console_verbose();
13447 } else {
13448 /* Don't log too much for fake panic */
13449 - if (atomic_inc_return(&mce_fake_paniced) > 1)
13450 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13451 return;
13452 }
13453 /* First print corrected ones that are still unlogged */
13454 @@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t)
13455 * might have been modified by someone else.
13456 */
13457 rmb();
13458 - if (atomic_read(&mce_paniced))
13459 + if (atomic_read_unchecked(&mce_paniced))
13460 wait_for_panic();
13461 if (!monarch_timeout)
13462 goto out;
13463 @@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp
13464 */
13465
13466 static DEFINE_SPINLOCK(mce_state_lock);
13467 -static int open_count; /* #times opened */
13468 +static local_t open_count; /* #times opened */
13469 static int open_exclu; /* already open exclusive? */
13470
13471 static int mce_open(struct inode *inode, struct file *file)
13472 {
13473 spin_lock(&mce_state_lock);
13474
13475 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13476 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13477 spin_unlock(&mce_state_lock);
13478
13479 return -EBUSY;
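Review bot: `open_count` becomes a `local_t`, but every access shown (`local_read` here, `local_inc` and `local_dec` in the next two hunks) happens with `mce_state_lock` held, so the type's own atomicity is not what protects it. If the conversion is there to get overflow detection on the counter, say so at the declaration, for example `static local_t open_count; /* #times opened; local_t for overflow checking, serialised by mce_state_lock */`. mce_open continues past the end of the hunk.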
13480 @@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode,
13481
13482 if (file->f_flags & O_EXCL)
13483 open_exclu = 1;
13484 - open_count++;
13485 + local_inc(&open_count);
13486
13487 spin_unlock(&mce_state_lock);
13488
13489 @@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino
13490 {
13491 spin_lock(&mce_state_lock);
13492
13493 - open_count--;
13494 + local_dec(&open_count);
13495 open_exclu = 0;
13496
13497 spin_unlock(&mce_state_lock);
13498 @@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void)
13499 static void mce_reset(void)
13500 {
13501 cpu_missing = 0;
13502 - atomic_set(&mce_fake_paniced, 0);
13503 + atomic_set_unchecked(&mce_fake_paniced, 0);
13504 atomic_set(&mce_executing, 0);
13505 atomic_set(&mce_callin, 0);
13506 atomic_set(&global_nwo, 0);
13507 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c
13508 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400
13509 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400
13510 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
13511 u64 size_or_mask, size_and_mask;
13512 static bool mtrr_aps_delayed_init;
13513
13514 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13515 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13516
13517 const struct mtrr_ops *mtrr_if;
13518
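Review bot: Marking `mtrr_ops[X86_VENDOR_NUM]` as `__read_only` only works if every store into the array happens while that section is still writable. The code that fills the table is outside this hunk, so it is worth checking that it runs only during early init, or is bracketed by the tree's helpers for temporarily writing read-only kernel data if it can run later. A short comment at the declaration stating which of the two holds, e.g. `/* populated during init only */`, would keep the assumption visible.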
13519 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h
13520 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400
13521 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400
13522 @@ -12,19 +12,19 @@
13523 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
13524
13525 struct mtrr_ops {
13526 - u32 vendor;
13527 - u32 use_intel_if;
13528 - void (*set)(unsigned int reg, unsigned long base,
13529 + const u32 vendor;
13530 + const u32 use_intel_if;
13531 + void (* const set)(unsigned int reg, unsigned long base,
13532 unsigned long size, mtrr_type type);
13533 - void (*set_all)(void);
13534 + void (* const set_all)(void);
13535
13536 - void (*get)(unsigned int reg, unsigned long *base,
13537 + void (* const get)(unsigned int reg, unsigned long *base,
13538 unsigned long *size, mtrr_type *type);
13539 - int (*get_free_region)(unsigned long base, unsigned long size,
13540 + int (* const get_free_region)(unsigned long base, unsigned long size,
13541 int replace_reg);
13542 - int (*validate_add_page)(unsigned long base, unsigned long size,
13543 + int (* const validate_add_page)(unsigned long base, unsigned long size,
13544 unsigned int type);
13545 - int (*have_wrcomb)(void);
13546 + int (* const have_wrcomb)(void);
13547 };
13548
13549 extern int generic_get_free_region(unsigned long base, unsigned long size,
13550 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c
13551 --- linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400
13552 +++ linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400
13553 @@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp
13554 int i, j, w, wmax, num = 0;
13555 struct hw_perf_event *hwc;
13556
13557 + pax_track_stack();
13558 +
13559 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
13560
13561 for (i = 0; i < n; i++) {
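Review bot: The added `pax_track_stack();` call carries no comment, and the rule for where such a call belongs is not obvious from the hunk. It sits right after the local declarations, which suggests it is meant for functions with large stack frames; if so, a comment like `/* large on-stack locals: record stack depth for the stack-erasing code */` would help. The same bare call is added to early_printk() in early_printk.c. x86_schedule_events begins and ends outside the hunk.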
13562 @@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai
13563 break;
13564
13565 perf_callchain_store(entry, frame.return_address);
13566 - fp = frame.next_frame;
13567 + fp = (__force const void __user *)frame.next_frame;
13568 }
13569 }
13570
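Review bot: `(__force const void __user *)frame.next_frame` silences the address-space checker on a value that was presumably copied from the user stack, so the annotation is the only thing telling a reader the pointer is untrusted. The cast is fine as long as every later use of `fp` goes through a checked user copy, which happens in the part of the loop outside this hunk. A comment such as `/* next_frame is user-supplied; fp is only dereferenced through user-copy helpers */` would justify the `__force`.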
13571 diff -urNp linux-2.6.39.3/arch/x86/kernel/crash.c linux-2.6.39.3/arch/x86/kernel/crash.c
13572 --- linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400
13573 +++ linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400
13574 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
13575 regs = args->regs;
13576
13577 #ifdef CONFIG_X86_32
13578 - if (!user_mode_vm(regs)) {
13579 + if (!user_mode(regs)) {
13580 crash_fixup_ss_esp(&fixed_regs, regs);
13581 regs = &fixed_regs;
13582 }
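Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` in this tree also treats vm86 frames as user mode; its definition is not in this hunk. If it tests only the CS privilege level, a vm86 frame would take the kernel branch here and reach `crash_fixup_ss_esp()`. The same substitution appears in show_registers (dumpstack_32.c) and in __die and die (dumpstack.c), so the check applies to all four sites. kdump_nmi_callback starts and ends outside the hunk.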
13583 diff -urNp linux-2.6.39.3/arch/x86/kernel/doublefault_32.c linux-2.6.39.3/arch/x86/kernel/doublefault_32.c
13584 --- linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400
13585 +++ linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400
13586 @@ -11,7 +11,7 @@
13587
13588 #define DOUBLEFAULT_STACKSIZE (1024)
13589 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13590 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13591 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13592
13593 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13594
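Review bot: The `-2` in `STACK_START` is unexplained, and because `doublefault_stack` is an array of `unsigned long` it moves the initial stack pointer down by two words, not two bytes. A comment should state what the two reserved slots are for, e.g. `/* keep two words free at the top of the double-fault stack */`, with the actual reason filled in by the author.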
13595 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13596 unsigned long gdt, tss;
13597
13598 store_gdt(&gdt_desc);
13599 - gdt = gdt_desc.address;
13600 + gdt = (unsigned long)gdt_desc.address;
13601
13602 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13603
13604 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13605 /* 0x2 bit is always set */
13606 .flags = X86_EFLAGS_SF | 0x2,
13607 .sp = STACK_START,
13608 - .es = __USER_DS,
13609 + .es = __KERNEL_DS,
13610 .cs = __KERNEL_CS,
13611 .ss = __KERNEL_DS,
13612 - .ds = __USER_DS,
13613 + .ds = __KERNEL_DS,
13614 .fs = __KERNEL_PERCPU,
13615
13616 .__cr3 = __pa_nodebug(swapper_pg_dir),
13617 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c
13618 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400
13619 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400
13620 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
13621 bp = stack_frame(task, regs);
13622
13623 for (;;) {
13624 - struct thread_info *context;
13625 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13626
13627 - context = (struct thread_info *)
13628 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13629 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
13630 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13631
13632 - stack = (unsigned long *)context->previous_esp;
13633 - if (!stack)
13634 + if (stack_start == task_stack_page(task))
13635 break;
13636 + stack = *(unsigned long **)stack_start;
13637 if (ops->stack(data, "IRQ") < 0)
13638 break;
13639 touch_nmi_watchdog();
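Review bot: The loop now ends only when `stack_start == task_stack_page(task)`, and the old `if (!stack) break;` guard on the link value is gone. `stack = *(unsigned long **)stack_start;` takes the first word of the current stack area as the next stack pointer without checking it, so a zero or corrupted link is masked and dereferenced again on the next pass, in code that runs while an oops is being reported. Keeping the guard after the load, `if (!stack) break;`, restores the old termination condition at no cost. dump_trace starts and ends outside the hunk.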
13640 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
13641 * When in-kernel, we also print out the stack and code at the
13642 * time of the fault..
13643 */
13644 - if (!user_mode_vm(regs)) {
13645 + if (!user_mode(regs)) {
13646 unsigned int code_prologue = code_bytes * 43 / 64;
13647 unsigned int code_len = code_bytes;
13648 unsigned char c;
13649 u8 *ip;
13650 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13651
13652 printk(KERN_EMERG "Stack:\n");
13653 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
13654
13655 printk(KERN_EMERG "Code: ");
13656
13657 - ip = (u8 *)regs->ip - code_prologue;
13658 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13659 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13660 /* try starting at IP */
13661 - ip = (u8 *)regs->ip;
13662 + ip = (u8 *)regs->ip + cs_base;
13663 code_len = code_len - code_prologue + 1;
13664 }
13665 for (i = 0; i < code_len; i++, ip++) {
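Review bot: `cs_base` is computed by indexing the current CPU's GDT with `(0xffff & regs->cs) >> 3`, which discards the selector's table-indicator bit and is not checked against the table size. That is safe only because the block is entered for kernel-mode frames, whose CS is expected to be a GDT selector. A comment saying so, plus a named index (`unsigned int cs_idx = (regs->cs & 0xffff) >> 3;`) in place of the single long declaration, would make this readable. The next hunk's `ip == (u8 *)regs->ip + cs_base` depends on the same value.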
13666 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
13667 printk(" Bad EIP value.");
13668 break;
13669 }
13670 - if (ip == (u8 *)regs->ip)
13671 + if (ip == (u8 *)regs->ip + cs_base)
13672 printk("<%02x> ", c);
13673 else
13674 printk("%02x ", c);
13675 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
13676 {
13677 unsigned short ud2;
13678
13679 + ip = ktla_ktva(ip);
13680 if (ip < PAGE_OFFSET)
13681 return 0;
13682 if (probe_kernel_address((unsigned short *)ip, ud2))
13683 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c
13684 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400
13685 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400
13686 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
13687 unsigned long *irq_stack_end =
13688 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13689 unsigned used = 0;
13690 - struct thread_info *tinfo;
13691 int graph = 0;
13692 unsigned long dummy;
13693 + void *stack_start;
13694
13695 if (!task)
13696 task = current;
13697 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
13698 * current stack address. If the stacks consist of nested
13699 * exceptions
13700 */
13701 - tinfo = task_thread_info(task);
13702 for (;;) {
13703 char *id;
13704 unsigned long *estack_end;
13705 +
13706 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13707 &used, &id);
13708
13709 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
13710 if (ops->stack(data, id) < 0)
13711 break;
13712
13713 - bp = ops->walk_stack(tinfo, stack, bp, ops,
13714 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13715 data, estack_end, &graph);
13716 ops->stack(data, "<EOE>");
13717 /*
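Review bot: `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on an `unsigned long *` (declared a few lines up in the same loop), so it steps back `EXCEPTION_STKSZ` words rather than bytes; if the constant is a byte count, as its name suggests, the computed start lies far below the exception stack. It appears harmless today because `valid_stack_ptr()` in dumpstack.c looks only at `end` when it is non-NULL, but the value is wrong for any other consumer of `stack_start`. Casting first fixes it: `(void *)estack_end - EXCEPTION_STKSZ`. dump_trace starts and ends outside the hunk.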
13718 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
13719 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
13720 if (ops->stack(data, "IRQ") < 0)
13721 break;
13722 - bp = ops->walk_stack(tinfo, stack, bp,
13723 + bp = ops->walk_stack(task, irq_stack, stack, bp,
13724 ops, data, irq_stack_end, &graph);
13725 /*
13726 * We link to the next stack (which would be
13727 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
13728 /*
13729 * This handles the process stack:
13730 */
13731 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13732 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13733 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13734 put_cpu();
13735 }
13736 EXPORT_SYMBOL(dump_trace);
13737 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack.c linux-2.6.39.3/arch/x86/kernel/dumpstack.c
13738 --- linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400
13739 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400
13740 @@ -2,6 +2,9 @@
13741 * Copyright (C) 1991, 1992 Linus Torvalds
13742 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13743 */
13744 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13745 +#define __INCLUDED_BY_HIDESYM 1
13746 +#endif
13747 #include <linux/kallsyms.h>
13748 #include <linux/kprobes.h>
13749 #include <linux/uaccess.h>
13750 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
13751 static void
13752 print_ftrace_graph_addr(unsigned long addr, void *data,
13753 const struct stacktrace_ops *ops,
13754 - struct thread_info *tinfo, int *graph)
13755 + struct task_struct *task, int *graph)
13756 {
13757 - struct task_struct *task = tinfo->task;
13758 unsigned long ret_addr;
13759 int index = task->curr_ret_stack;
13760
13761 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
13762 static inline void
13763 print_ftrace_graph_addr(unsigned long addr, void *data,
13764 const struct stacktrace_ops *ops,
13765 - struct thread_info *tinfo, int *graph)
13766 + struct task_struct *task, int *graph)
13767 { }
13768 #endif
13769
13770 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
13771 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13772 */
13773
13774 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13775 - void *p, unsigned int size, void *end)
13776 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13777 {
13778 - void *t = tinfo;
13779 if (end) {
13780 if (p < end && p >= (end-THREAD_SIZE))
13781 return 1;
13782 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
13783 }
13784
13785 unsigned long
13786 -print_context_stack(struct thread_info *tinfo,
13787 +print_context_stack(struct task_struct *task, void *stack_start,
13788 unsigned long *stack, unsigned long bp,
13789 const struct stacktrace_ops *ops, void *data,
13790 unsigned long *end, int *graph)
13791 {
13792 struct stack_frame *frame = (struct stack_frame *)bp;
13793
13794 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13795 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13796 unsigned long addr;
13797
13798 addr = *stack;
13799 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
13800 } else {
13801 ops->address(data, addr, 0);
13802 }
13803 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13804 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13805 }
13806 stack++;
13807 }
13808 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
13809 EXPORT_SYMBOL_GPL(print_context_stack);
13810
13811 unsigned long
13812 -print_context_stack_bp(struct thread_info *tinfo,
13813 +print_context_stack_bp(struct task_struct *task, void *stack_start,
13814 unsigned long *stack, unsigned long bp,
13815 const struct stacktrace_ops *ops, void *data,
13816 unsigned long *end, int *graph)
13817 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
13818 struct stack_frame *frame = (struct stack_frame *)bp;
13819 unsigned long *ret_addr = &frame->return_address;
13820
13821 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
13822 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
13823 unsigned long addr = *ret_addr;
13824
13825 if (!__kernel_text_address(addr))
13826 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
13827 ops->address(data, addr, 1);
13828 frame = frame->next_frame;
13829 ret_addr = &frame->return_address;
13830 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13831 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13832 }
13833
13834 return (unsigned long)frame;
13835 @@ -202,7 +202,7 @@ void dump_stack(void)
13836
13837 bp = stack_frame(current, NULL);
13838 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13839 - current->pid, current->comm, print_tainted(),
13840 + task_pid_nr(current), current->comm, print_tainted(),
13841 init_utsname()->release,
13842 (int)strcspn(init_utsname()->version, " "),
13843 init_utsname()->version);
13844 @@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void)
13845 }
13846 EXPORT_SYMBOL_GPL(oops_begin);
13847
13848 +extern void gr_handle_kernel_exploit(void);
13849 +
13850 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13851 {
13852 if (regs && kexec_should_crash(current))
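Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside the .c file, so the compiler cannot check it against the definition. Moving the prototype into a header that both this file and the defining file include keeps the two in sync.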
13853 @@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl
13854 panic("Fatal exception in interrupt");
13855 if (panic_on_oops)
13856 panic("Fatal exception");
13857 - do_exit(signr);
13858 +
13859 + gr_handle_kernel_exploit();
13860 +
13861 + do_group_exit(signr);
13862 }
13863
13864 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
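Review bot: Two behaviour changes land in oops_end without a comment: `gr_handle_kernel_exploit()` runs on every oops that reaches this point, and `do_group_exit(signr)` ends the whole thread group where `do_exit(signr)` ended only the faulting task. Both are reasonable containment choices after a kernel fault, but the next reader needs to know they are deliberate, e.g. `/* after an oops, take down every thread of the faulting process, not just this one */`. It is also worth confirming that the hook is safe for every task context that can reach this call, kernel threads included. oops_end starts outside the hunk.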
13865 @@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str
13866
13867 show_registers(regs);
13868 #ifdef CONFIG_X86_32
13869 - if (user_mode_vm(regs)) {
13870 + if (user_mode(regs)) {
13871 sp = regs->sp;
13872 ss = regs->ss & 0xffff;
13873 } else {
13874 @@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs
13875 unsigned long flags = oops_begin();
13876 int sig = SIGSEGV;
13877
13878 - if (!user_mode_vm(regs))
13879 + if (!user_mode(regs))
13880 report_bug(regs->ip, regs);
13881
13882 if (__die(str, regs, err))
13883 diff -urNp linux-2.6.39.3/arch/x86/kernel/early_printk.c linux-2.6.39.3/arch/x86/kernel/early_printk.c
13884 --- linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400
13885 +++ linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400
13886 @@ -7,6 +7,7 @@
13887 #include <linux/pci_regs.h>
13888 #include <linux/pci_ids.h>
13889 #include <linux/errno.h>
13890 +#include <linux/sched.h>
13891 #include <asm/io.h>
13892 #include <asm/processor.h>
13893 #include <asm/fcntl.h>
13894 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
13895 int n;
13896 va_list ap;
13897
13898 + pax_track_stack();
13899 +
13900 va_start(ap, fmt);
13901 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13902 early_console->write(early_console, buf, n);
13903 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_32.S linux-2.6.39.3/arch/x86/kernel/entry_32.S
13904 --- linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400
13905 +++ linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400
13906 @@ -185,13 +185,146 @@
13907 /*CFI_REL_OFFSET gs, PT_GS*/
13908 .endm
13909 .macro SET_KERNEL_GS reg
13910 +
13911 +#ifdef CONFIG_CC_STACKPROTECTOR
13912 movl $(__KERNEL_STACK_CANARY), \reg
13913 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13914 + movl $(__USER_DS), \reg
13915 +#else
13916 + xorl \reg, \reg
13917 +#endif
13918 +
13919 movl \reg, %gs
13920 .endm
13921
13922 #endif /* CONFIG_X86_32_LAZY_GS */
13923
13924 -.macro SAVE_ALL
13925 +.macro pax_enter_kernel
13926 +#ifdef CONFIG_PAX_KERNEXEC
13927 + call pax_enter_kernel
13928 +#endif
13929 +.endm
13930 +
13931 +.macro pax_exit_kernel
13932 +#ifdef CONFIG_PAX_KERNEXEC
13933 + call pax_exit_kernel
13934 +#endif
13935 +.endm
13936 +
13937 +#ifdef CONFIG_PAX_KERNEXEC
13938 +ENTRY(pax_enter_kernel)
13939 +#ifdef CONFIG_PARAVIRT
13940 + pushl %eax
13941 + pushl %ecx
13942 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13943 + mov %eax, %esi
13944 +#else
13945 + mov %cr0, %esi
13946 +#endif
13947 + bts $16, %esi
13948 + jnc 1f
13949 + mov %cs, %esi
13950 + cmp $__KERNEL_CS, %esi
13951 + jz 3f
13952 + ljmp $__KERNEL_CS, $3f
13953 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13954 +2:
13955 +#ifdef CONFIG_PARAVIRT
13956 + mov %esi, %eax
13957 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13958 +#else
13959 + mov %esi, %cr0
13960 +#endif
13961 +3:
13962 +#ifdef CONFIG_PARAVIRT
13963 + popl %ecx
13964 + popl %eax
13965 +#endif
13966 + ret
13967 +ENDPROC(pax_enter_kernel)
13968 +
13969 +ENTRY(pax_exit_kernel)
13970 +#ifdef CONFIG_PARAVIRT
13971 + pushl %eax
13972 + pushl %ecx
13973 +#endif
13974 + mov %cs, %esi
13975 + cmp $__KERNEXEC_KERNEL_CS, %esi
13976 + jnz 2f
13977 +#ifdef CONFIG_PARAVIRT
13978 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13979 + mov %eax, %esi
13980 +#else
13981 + mov %cr0, %esi
13982 +#endif
13983 + btr $16, %esi
13984 + ljmp $__KERNEL_CS, $1f
13985 +1:
13986 +#ifdef CONFIG_PARAVIRT
13987 + mov %esi, %eax
13988 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13989 +#else
13990 + mov %esi, %cr0
13991 +#endif
13992 +2:
13993 +#ifdef CONFIG_PARAVIRT
13994 + popl %ecx
13995 + popl %eax
13996 +#endif
13997 + ret
13998 +ENDPROC(pax_exit_kernel)
13999 +#endif
14000 +
14001 +.macro pax_erase_kstack
14002 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14003 + call pax_erase_kstack
14004 +#endif
14005 +.endm
14006 +
14007 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14008 +/*
14009 + * ebp: thread_info
14010 + * ecx, edx: can be clobbered
14011 + */
14012 +ENTRY(pax_erase_kstack)
14013 + pushl %edi
14014 + pushl %eax
14015 +
14016 + mov TI_lowest_stack(%ebp), %edi
14017 + mov $-0xBEEF, %eax
14018 + std
14019 +
14020 +1: mov %edi, %ecx
14021 + and $THREAD_SIZE_asm - 1, %ecx
14022 + shr $2, %ecx
14023 + repne scasl
14024 + jecxz 2f
14025 +
14026 + cmp $2*16, %ecx
14027 + jc 2f
14028 +
14029 + mov $2*16, %ecx
14030 + repe scasl
14031 + jecxz 2f
14032 + jne 1b
14033 +
14034 +2: cld
14035 + mov %esp, %ecx
14036 + sub %edi, %ecx
14037 + shr $2, %ecx
14038 + rep stosl
14039 +
14040 + mov TI_task_thread_sp0(%ebp), %edi
14041 + sub $128, %edi
14042 + mov %edi, TI_lowest_stack(%ebp)
14043 +
14044 + popl %eax
14045 + popl %edi
14046 + ret
14047 +ENDPROC(pax_erase_kstack)
14048 +#endif
14049 +
14050 +.macro __SAVE_ALL _DS
14051 cld
14052 PUSH_GS
14053 pushl_cfi %fs
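Review bot: `pax_enter_kernel` and `pax_exit_kernel` overwrite %esi and return with it changed, but unlike `pax_erase_kstack` they have no header comment stating their register contract. Add one, e.g. `/* clobbers: esi; call only after the caller's registers have been saved */`, and name the CR0 bit instead of the bare `$16` in `bts $16, %esi` and `btr $16, %esi`. In `pax_erase_kstack` the constants `-0xBEEF`, `2*16` and `128` are likewise unexplained, and the header lists edx as clobbered although the routine never touches it. The `__SAVE_ALL` macro that opens at the end of the hunk continues outside it.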
14054 @@ -214,7 +347,7 @@
14055 CFI_REL_OFFSET ecx, 0
14056 pushl_cfi %ebx
14057 CFI_REL_OFFSET ebx, 0
14058 - movl $(__USER_DS), %edx
14059 + movl $\_DS, %edx
14060 movl %edx, %ds
14061 movl %edx, %es
14062 movl $(__KERNEL_PERCPU), %edx
14063 @@ -222,6 +355,15 @@
14064 SET_KERNEL_GS %edx
14065 .endm
14066
14067 +.macro SAVE_ALL
14068 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
14069 + __SAVE_ALL __KERNEL_DS
14070 + pax_enter_kernel
14071 +#else
14072 + __SAVE_ALL __USER_DS
14073 +#endif
14074 +.endm
14075 +
14076 .macro RESTORE_INT_REGS
14077 popl_cfi %ebx
14078 CFI_RESTORE ebx
14079 @@ -332,7 +474,15 @@ check_userspace:
14080 movb PT_CS(%esp), %al
14081 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
14082 cmpl $USER_RPL, %eax
14083 +
14084 +#ifdef CONFIG_PAX_KERNEXEC
14085 + jae resume_userspace
14086 +
14087 + PAX_EXIT_KERNEL
14088 + jmp resume_kernel
14089 +#else
14090 jb resume_kernel # not returning to v8086 or userspace
14091 +#endif
14092
14093 ENTRY(resume_userspace)
14094 LOCKDEP_SYS_EXIT
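Review bot: `PAX_EXIT_KERNEL` is spelled in upper case here, while the macro defined earlier in this file is `.macro pax_exit_kernel` and the other call sites in this patch use the lower-case name. This assembles only if the assembler matches macro names case-insensitively or an upper-case definition exists outside the visible hunks; use `pax_exit_kernel` for consistency.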
14095 @@ -344,7 +494,7 @@ ENTRY(resume_userspace)
14096 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
14097 # int/exception return?
14098 jne work_pending
14099 - jmp restore_all
14100 + jmp restore_all_pax
14101 END(ret_from_exception)
14102
14103 #ifdef CONFIG_PREEMPT
14104 @@ -394,23 +544,34 @@ sysenter_past_esp:
14105 /*CFI_REL_OFFSET cs, 0*/
14106 /*
14107 * Push current_thread_info()->sysenter_return to the stack.
14108 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
14109 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
14110 */
14111 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
14112 + pushl_cfi $0
14113 CFI_REL_OFFSET eip, 0
14114
14115 pushl_cfi %eax
14116 SAVE_ALL
14117 + GET_THREAD_INFO(%ebp)
14118 + movl TI_sysenter_return(%ebp),%ebp
14119 + movl %ebp,PT_EIP(%esp)
14120 ENABLE_INTERRUPTS(CLBR_NONE)
14121
14122 /*
14123 * Load the potential sixth argument from user stack.
14124 * Careful about security.
14125 */
14126 + movl PT_OLDESP(%esp),%ebp
14127 +
14128 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14129 + mov PT_OLDSS(%esp),%ds
14130 +1: movl %ds:(%ebp),%ebp
14131 + push %ss
14132 + pop %ds
14133 +#else
14134 cmpl $__PAGE_OFFSET-3,%ebp
14135 jae syscall_fault
14136 1: movl (%ebp),%ebp
14137 +#endif
14138 +
14139 movl %ebp,PT_EBP(%esp)
14140 .section __ex_table,"a"
14141 .align 4
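Review bot: The retained comment `Push current_thread_info()->sysenter_return to the stack.` no longer describes the code: the slot is now filled with `pushl_cfi $0` and only patched after SAVE_ALL through `movl %ebp,PT_EIP(%esp)`. Reword it, e.g. `Push a placeholder for the return address; PT_EIP is set from TI_sysenter_return once SAVE_ALL has run.` In the UDEREF branch the explicit `cmpl $__PAGE_OFFSET-3,%ebp` bound is replaced by a load through the saved user %ds, which presumably relies on that segment's limit to keep the read inside user space; a comment there should say so. The enclosing entry code starts and ends outside the hunk.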
14142 @@ -433,12 +594,23 @@ sysenter_do_call:
14143 testl $_TIF_ALLWORK_MASK, %ecx
14144 jne sysexit_audit
14145 sysenter_exit:
14146 +
14147 +#ifdef CONFIG_PAX_RANDKSTACK
14148 + pushl_cfi %eax
14149 + call pax_randomize_kstack
14150 + popl_cfi %eax
14151 +#endif
14152 +
14153 + pax_erase_kstack
14154 +
14155 /* if something modifies registers it must also disable sysexit */
14156 movl PT_EIP(%esp), %edx
14157 movl PT_OLDESP(%esp), %ecx
14158 xorl %ebp,%ebp
14159 TRACE_IRQS_ON
14160 1: mov PT_FS(%esp), %fs
14161 +2: mov PT_DS(%esp), %ds
14162 +3: mov PT_ES(%esp), %es
14163 PTGS_TO_GS
14164 ENABLE_INTERRUPTS_SYSEXIT
14165
14166 @@ -455,6 +627,9 @@ sysenter_audit:
14167 movl %eax,%edx /* 2nd arg: syscall number */
14168 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14169 call audit_syscall_entry
14170 +
14171 + pax_erase_kstack
14172 +
14173 pushl_cfi %ebx
14174 movl PT_EAX(%esp),%eax /* reload syscall number */
14175 jmp sysenter_do_call
14176 @@ -481,11 +656,17 @@ sysexit_audit:
14177
14178 CFI_ENDPROC
14179 .pushsection .fixup,"ax"
14180 -2: movl $0,PT_FS(%esp)
14181 +4: movl $0,PT_FS(%esp)
14182 + jmp 1b
14183 +5: movl $0,PT_DS(%esp)
14184 + jmp 1b
14185 +6: movl $0,PT_ES(%esp)
14186 jmp 1b
14187 .section __ex_table,"a"
14188 .align 4
14189 - .long 1b,2b
14190 + .long 1b,4b
14191 + .long 2b,5b
14192 + .long 3b,6b
14193 .popsection
14194 PTGS_TO_GS_EX
14195 ENDPROC(ia32_sysenter_target)
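Review bot: The new fixups `5:` and `6:` both end in `jmp 1b`, so a fault on the %ds or %es reload restarts from the %fs reload instead of resuming at `2:` or `3:`. That still converges because the faulting slot has been zeroed, but `jmp 2b` and `jmp 3b` would state the intent directly and avoid redoing loads that already succeeded. The table entries `.long 2b,5b` and `.long 3b,6b` already depend on no other `2:` or `3:` label appearing in between, which cannot be checked from the hunk.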
14196 @@ -518,6 +699,14 @@ syscall_exit:
14197 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14198 jne syscall_exit_work
14199
14200 +restore_all_pax:
14201 +
14202 +#ifdef CONFIG_PAX_RANDKSTACK
14203 + call pax_randomize_kstack
14204 +#endif
14205 +
14206 + pax_erase_kstack
14207 +
14208 restore_all:
14209 TRACE_IRQS_IRET
14210 restore_all_notrace:
14211 @@ -577,14 +766,21 @@ ldt_ss:
14212 * compensating for the offset by changing to the ESPFIX segment with
14213 * a base address that matches for the difference.
14214 */
14215 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
14216 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
14217 mov %esp, %edx /* load kernel esp */
14218 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14219 mov %dx, %ax /* eax: new kernel esp */
14220 sub %eax, %edx /* offset (low word is 0) */
14221 +#ifdef CONFIG_SMP
14222 + movl PER_CPU_VAR(cpu_number), %ebx
14223 + shll $PAGE_SHIFT_asm, %ebx
14224 + addl $cpu_gdt_table, %ebx
14225 +#else
14226 + movl $cpu_gdt_table, %ebx
14227 +#endif
14228 shr $16, %edx
14229 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
14230 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
14231 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
14232 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
14233 pushl_cfi $__ESPFIX_SS
14234 pushl_cfi %eax /* new kernel esp */
14235 /* Disable interrupts, but do not irqtrace this section: we
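Review bot: The seven-line sequence that loads this CPU's GDT base into %ebx is added here and again, line for line, in FIXUP_ESPFIX_STACK further down; one helper macro would keep the two copies from drifting apart. `GDT_ESPFIX_SS` now silently depends on %ebx holding that base, and `shll $PAGE_SHIFT_asm, %ebx` assumes each CPU's table occupies exactly one page of `cpu_gdt_table`; both deserve a comment next to the #define. A possible shape for the helper is below (the macro name is only a suggestion). The surrounding ldt_ss code starts and ends outside the hunk.

```asm
/* Load the address of this CPU's GDT into \reg
 * (assumes one page per CPU in cpu_gdt_table). */
.macro LOAD_CPU_GDT_BASE reg
#ifdef CONFIG_SMP
	movl PER_CPU_VAR(cpu_number), \reg
	shll $PAGE_SHIFT_asm, \reg
	addl $cpu_gdt_table, \reg
#else
	movl $cpu_gdt_table, \reg
#endif
.endm

	/* ... unchanged: mov %esp, %edx through sub %eax, %edx ... */
	LOAD_CPU_GDT_BASE %ebx
	shr $16, %edx
```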
14236 @@ -613,29 +809,23 @@ work_resched:
14237 movl TI_flags(%ebp), %ecx
14238 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14239 # than syscall tracing?
14240 - jz restore_all
14241 + jz restore_all_pax
14242 testb $_TIF_NEED_RESCHED, %cl
14243 jnz work_resched
14244
14245 work_notifysig: # deal with pending signals and
14246 # notify-resume requests
14247 + movl %esp, %eax
14248 #ifdef CONFIG_VM86
14249 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14250 - movl %esp, %eax
14251 - jne work_notifysig_v86 # returning to kernel-space or
14252 + jz 1f # returning to kernel-space or
14253 # vm86-space
14254 - xorl %edx, %edx
14255 - call do_notify_resume
14256 - jmp resume_userspace_sig
14257
14258 - ALIGN
14259 -work_notifysig_v86:
14260 pushl_cfi %ecx # save ti_flags for do_notify_resume
14261 call save_v86_state # %eax contains pt_regs pointer
14262 popl_cfi %ecx
14263 movl %eax, %esp
14264 -#else
14265 - movl %esp, %eax
14266 +1:
14267 #endif
14268 xorl %edx, %edx
14269 call do_notify_resume
14270 @@ -648,6 +838,9 @@ syscall_trace_entry:
14271 movl $-ENOSYS,PT_EAX(%esp)
14272 movl %esp, %eax
14273 call syscall_trace_enter
14274 +
14275 + pax_erase_kstack
14276 +
14277 /* What it returned is what we'll actually use. */
14278 cmpl $(nr_syscalls), %eax
14279 jnae syscall_call
14280 @@ -670,6 +863,10 @@ END(syscall_exit_work)
14281
14282 RING0_INT_FRAME # can't unwind into user space anyway
14283 syscall_fault:
14284 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14285 + push %ss
14286 + pop %ds
14287 +#endif
14288 GET_THREAD_INFO(%ebp)
14289 movl $-EFAULT,PT_EAX(%esp)
14290 jmp resume_userspace
14291 @@ -752,6 +949,36 @@ ptregs_clone:
14292 CFI_ENDPROC
14293 ENDPROC(ptregs_clone)
14294
14295 + ALIGN;
14296 +ENTRY(kernel_execve)
14297 + CFI_STARTPROC
14298 + pushl_cfi %ebp
14299 + sub $PT_OLDSS+4,%esp
14300 + pushl_cfi %edi
14301 + pushl_cfi %ecx
14302 + pushl_cfi %eax
14303 + lea 3*4(%esp),%edi
14304 + mov $PT_OLDSS/4+1,%ecx
14305 + xorl %eax,%eax
14306 + rep stosl
14307 + popl_cfi %eax
14308 + popl_cfi %ecx
14309 + popl_cfi %edi
14310 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14311 + pushl_cfi %esp
14312 + call sys_execve
14313 + add $4,%esp
14314 + CFI_ADJUST_CFA_OFFSET -4
14315 + GET_THREAD_INFO(%ebp)
14316 + test %eax,%eax
14317 + jz syscall_exit
14318 + add $PT_OLDSS+4,%esp
14319 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
14320 + popl_cfi %ebp
14321 + ret
14322 + CFI_ENDPROC
14323 +ENDPROC(kernel_execve)
14324 +
14325 .macro FIXUP_ESPFIX_STACK
14326 /*
14327 * Switch back for ESPFIX stack to the normal zerobased stack
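Review bot: In `kernel_execve`, `sub $PT_OLDSS+4,%esp` moves the stack pointer without a CFI annotation, while the matching `add $PT_OLDSS+4,%esp` on the failure path is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`. The unwind information is therefore off by that amount for the whole body and ends unbalanced at `ret`. Adding `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` right after the `sub` fixes it. A short header comment saying that the routine builds a zeroed register frame on the stack and leaves through `syscall_exit` on success would also help.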
14328 @@ -761,8 +988,15 @@ ENDPROC(ptregs_clone)
14329 * normal stack and adjusts ESP with the matching offset.
14330 */
14331 /* fixup the stack */
14332 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
14333 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
14334 +#ifdef CONFIG_SMP
14335 + movl PER_CPU_VAR(cpu_number), %ebx
14336 + shll $PAGE_SHIFT_asm, %ebx
14337 + addl $cpu_gdt_table, %ebx
14338 +#else
14339 + movl $cpu_gdt_table, %ebx
14340 +#endif
14341 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
14342 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
14343 shl $16, %eax
14344 addl %esp, %eax /* the adjusted stack pointer */
14345 pushl_cfi $__KERNEL_DS
14346 @@ -1213,7 +1447,6 @@ return_to_handler:
14347 jmp *%ecx
14348 #endif
14349
14350 -.section .rodata,"a"
14351 #include "syscall_table_32.S"
14352
14353 syscall_table_size=(.-sys_call_table)
14354 @@ -1259,9 +1492,12 @@ error_code:
14355 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14356 REG_TO_PTGS %ecx
14357 SET_KERNEL_GS %ecx
14358 - movl $(__USER_DS), %ecx
14359 + movl $(__KERNEL_DS), %ecx
14360 movl %ecx, %ds
14361 movl %ecx, %es
14362 +
14363 + pax_enter_kernel
14364 +
14365 TRACE_IRQS_OFF
14366 movl %esp,%eax # pt_regs pointer
14367 call *%edi
14368 @@ -1346,6 +1582,9 @@ nmi_stack_correct:
14369 xorl %edx,%edx # zero error code
14370 movl %esp,%eax # pt_regs pointer
14371 call do_nmi
14372 +
14373 + pax_exit_kernel
14374 +
14375 jmp restore_all_notrace
14376 CFI_ENDPROC
14377
14378 @@ -1382,6 +1621,9 @@ nmi_espfix_stack:
14379 FIXUP_ESPFIX_STACK # %eax == %esp
14380 xorl %edx,%edx # zero error code
14381 call do_nmi
14382 +
14383 + pax_exit_kernel
14384 +
14385 RESTORE_REGS
14386 lss 12+4(%esp), %esp # back to espfix stack
14387 CFI_ADJUST_CFA_OFFSET -24
14388 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_64.S linux-2.6.39.3/arch/x86/kernel/entry_64.S
14389 --- linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400
14390 +++ linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400
14391 @@ -53,6 +53,7 @@
14392 #include <asm/paravirt.h>
14393 #include <asm/ftrace.h>
14394 #include <asm/percpu.h>
14395 +#include <asm/pgtable.h>
14396
14397 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14398 #include <linux/elf-em.h>
14399 @@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
14400 ENDPROC(native_usergs_sysret64)
14401 #endif /* CONFIG_PARAVIRT */
14402
14403 + .macro ljmpq sel, off
14404 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14405 + .byte 0x48; ljmp *1234f(%rip)
14406 + .pushsection .rodata
14407 + .align 16
14408 + 1234: .quad \off; .word \sel
14409 + .popsection
14410 +#else
14411 + pushq $\sel
14412 + pushq $\off
14413 + lretq
14414 +#endif
14415 + .endm
14416 +
14417 + .macro pax_enter_kernel
14418 +#ifdef CONFIG_PAX_KERNEXEC
14419 + call pax_enter_kernel
14420 +#endif
14421 + .endm
14422 +
14423 + .macro pax_exit_kernel
14424 +#ifdef CONFIG_PAX_KERNEXEC
14425 + call pax_exit_kernel
14426 +#endif
14427 + .endm
14428 +
14429 +#ifdef CONFIG_PAX_KERNEXEC
14430 +ENTRY(pax_enter_kernel)
14431 + pushq %rdi
14432 +
14433 +#ifdef CONFIG_PARAVIRT
14434 + PV_SAVE_REGS(CLBR_RDI)
14435 +#endif
14436 +
14437 + GET_CR0_INTO_RDI
14438 + bts $16,%rdi
14439 + jnc 1f
14440 + mov %cs,%edi
14441 + cmp $__KERNEL_CS,%edi
14442 + jz 3f
14443 + ljmpq __KERNEL_CS,3f
14444 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14445 +2: SET_RDI_INTO_CR0
14446 +3:
14447 +
14448 +#ifdef CONFIG_PARAVIRT
14449 + PV_RESTORE_REGS(CLBR_RDI)
14450 +#endif
14451 +
14452 + popq %rdi
14453 + retq
14454 +ENDPROC(pax_enter_kernel)
14455 +
14456 +ENTRY(pax_exit_kernel)
14457 + pushq %rdi
14458 +
14459 +#ifdef CONFIG_PARAVIRT
14460 + PV_SAVE_REGS(CLBR_RDI)
14461 +#endif
14462 +
14463 + mov %cs,%rdi
14464 + cmp $__KERNEXEC_KERNEL_CS,%edi
14465 + jnz 2f
14466 + GET_CR0_INTO_RDI
14467 + btr $16,%rdi
14468 + ljmpq __KERNEL_CS,1f
14469 +1: SET_RDI_INTO_CR0
14470 +2:
14471 +
14472 +#ifdef CONFIG_PARAVIRT
14473 + PV_RESTORE_REGS(CLBR_RDI);
14474 +#endif
14475 +
14476 + popq %rdi
14477 + retq
14478 +ENDPROC(pax_exit_kernel)
14479 +#endif
14480 +
14481 + .macro pax_enter_kernel_user
14482 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14483 + call pax_enter_kernel_user
14484 +#endif
14485 + .endm
14486 +
14487 + .macro pax_exit_kernel_user
14488 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14489 + call pax_exit_kernel_user
14490 +#endif
14491 +#ifdef CONFIG_PAX_RANDKSTACK
14492 + push %rax
14493 + call pax_randomize_kstack
14494 + pop %rax
14495 +#endif
14496 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14497 + call pax_erase_kstack
14498 +#endif
14499 + .endm
14500 +
14501 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14502 +ENTRY(pax_enter_kernel_user)
14503 + pushq %rdi
14504 + pushq %rbx
14505 +
14506 +#ifdef CONFIG_PARAVIRT
14507 + PV_SAVE_REGS(CLBR_RDI)
14508 +#endif
14509 +
14510 + GET_CR3_INTO_RDI
14511 + mov %rdi,%rbx
14512 + add $__START_KERNEL_map,%rbx
14513 + sub phys_base(%rip),%rbx
14514 +
14515 +#ifdef CONFIG_PARAVIRT
14516 + pushq %rdi
14517 + cmpl $0, pv_info+PARAVIRT_enabled
14518 + jz 1f
14519 + i = 0
14520 + .rept USER_PGD_PTRS
14521 + mov i*8(%rbx),%rsi
14522 + mov $0,%sil
14523 + lea i*8(%rbx),%rdi
14524 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14525 + i = i + 1
14526 + .endr
14527 + jmp 2f
14528 +1:
14529 +#endif
14530 +
14531 + i = 0
14532 + .rept USER_PGD_PTRS
14533 + movb $0,i*8(%rbx)
14534 + i = i + 1
14535 + .endr
14536 +
14537 +#ifdef CONFIG_PARAVIRT
14538 +2: popq %rdi
14539 +#endif
14540 + SET_RDI_INTO_CR3
14541 +
14542 +#ifdef CONFIG_PAX_KERNEXEC
14543 + GET_CR0_INTO_RDI
14544 + bts $16,%rdi
14545 + SET_RDI_INTO_CR0
14546 +#endif
14547 +
14548 +#ifdef CONFIG_PARAVIRT
14549 + PV_RESTORE_REGS(CLBR_RDI)
14550 +#endif
14551 +
14552 + popq %rbx
14553 + popq %rdi
14554 + retq
14555 +ENDPROC(pax_enter_kernel_user)
14556 +
14557 +ENTRY(pax_exit_kernel_user)
14558 + push %rdi
14559 +
14560 +#ifdef CONFIG_PARAVIRT
14561 + pushq %rbx
14562 + PV_SAVE_REGS(CLBR_RDI)
14563 +#endif
14564 +
14565 +#ifdef CONFIG_PAX_KERNEXEC
14566 + GET_CR0_INTO_RDI
14567 + btr $16,%rdi
14568 + SET_RDI_INTO_CR0
14569 +#endif
14570 +
14571 + GET_CR3_INTO_RDI
14572 + add $__START_KERNEL_map,%rdi
14573 + sub phys_base(%rip),%rdi
14574 +
14575 +#ifdef CONFIG_PARAVIRT
14576 + cmpl $0, pv_info+PARAVIRT_enabled
14577 + jz 1f
14578 + mov %rdi,%rbx
14579 + i = 0
14580 + .rept USER_PGD_PTRS
14581 + mov i*8(%rbx),%rsi
14582 + mov $0x67,%sil
14583 + lea i*8(%rbx),%rdi
14584 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14585 + i = i + 1
14586 + .endr
14587 + jmp 2f
14588 +1:
14589 +#endif
14590 +
14591 + i = 0
14592 + .rept USER_PGD_PTRS
14593 + movb $0x67,i*8(%rdi)
14594 + i = i + 1
14595 + .endr
14596 +
14597 +#ifdef CONFIG_PARAVIRT
14598 +2: PV_RESTORE_REGS(CLBR_RDI)
14599 + popq %rbx
14600 +#endif
14601 +
14602 + popq %rdi
14603 + retq
14604 +ENDPROC(pax_exit_kernel_user)
14605 +#endif
14606 +
14607 + .macro pax_erase_kstack
14608 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14609 + call pax_erase_kstack
14610 +#endif
14611 + .endm
14612 +
14613 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14614 +/*
14615 + * r10: thread_info
14616 + * rcx, rdx: can be clobbered
14617 + */
14618 +ENTRY(pax_erase_kstack)
14619 + pushq %rdi
14620 + pushq %rax
14621 +
14622 + GET_THREAD_INFO(%r10)
14623 + mov TI_lowest_stack(%r10), %rdi
14624 + mov $-0xBEEF, %rax
14625 + std
14626 +
14627 +1: mov %edi, %ecx
14628 + and $THREAD_SIZE_asm - 1, %ecx
14629 + shr $3, %ecx
14630 + repne scasq
14631 + jecxz 2f
14632 +
14633 + cmp $2*8, %ecx
14634 + jc 2f
14635 +
14636 + mov $2*8, %ecx
14637 + repe scasq
14638 + jecxz 2f
14639 + jne 1b
14640 +
14641 +2: cld
14642 + mov %esp, %ecx
14643 + sub %edi, %ecx
14644 + shr $3, %ecx
14645 + rep stosq
14646 +
14647 + mov TI_task_thread_sp0(%r10), %rdi
14648 + sub $256, %rdi
14649 + mov %rdi, TI_lowest_stack(%r10)
14650 +
14651 + popq %rax
14652 + popq %rdi
14653 + ret
14654 +ENDPROC(pax_erase_kstack)
14655 +#endif
14656
14657 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14658 #ifdef CONFIG_TRACE_IRQFLAGS
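Review bot: The register comment above pax_erase_kstack does not match its body. It lists `r10: thread_info` as if it were an input and names rdx as clobbered, but the routine loads %r10 itself with `GET_THREAD_INFO(%r10)`, never touches %rdx, and overwrites %rcx and %r10 while saving only %rdi and %rax. Call sites appear to rely on reloading registers afterwards (the auditsys site is followed by `LOAD_ARGS 0`), so the contract should be explicit, for example `/* clobbers rcx and r10 (left holding thread_info); preserves rdi, rax; DF is set during the scan and cleared before return */`. In the same hunk, the bare `$16` in the `bts`/`btr` on the CR0 value in pax_enter_kernel and pax_exit_kernel would read better with a `/* CR0.WP */` comment.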
14659 @@ -318,7 +572,7 @@ ENTRY(save_args)
14660 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
14661 movq_cfi rbp, 8 /* push %rbp */
14662 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14663 - testl $3, CS(%rdi)
14664 + testb $3, CS(%rdi)
14665 je 1f
14666 SWAPGS
14667 /*
14668 @@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
14669
14670 RESTORE_REST
14671
14672 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14673 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14674 je int_ret_from_sys_call
14675
14676 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14677 @@ -455,7 +709,7 @@ END(ret_from_fork)
14678 ENTRY(system_call)
14679 CFI_STARTPROC simple
14680 CFI_SIGNAL_FRAME
14681 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14682 + CFI_DEF_CFA rsp,0
14683 CFI_REGISTER rip,rcx
14684 /*CFI_REGISTER rflags,r11*/
14685 SWAPGS_UNSAFE_STACK
14686 @@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
14687
14688 movq %rsp,PER_CPU_VAR(old_rsp)
14689 movq PER_CPU_VAR(kernel_stack),%rsp
14690 + pax_enter_kernel_user
14691 /*
14692 * No need to follow this irqs off/on section - it's straight
14693 * and short:
14694 */
14695 ENABLE_INTERRUPTS(CLBR_NONE)
14696 - SAVE_ARGS 8,1
14697 + SAVE_ARGS 8*6,1
14698 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14699 movq %rcx,RIP-ARGOFFSET(%rsp)
14700 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14701 @@ -502,6 +757,7 @@ sysret_check:
14702 andl %edi,%edx
14703 jnz sysret_careful
14704 CFI_REMEMBER_STATE
14705 + pax_exit_kernel_user
14706 /*
14707 * sysretq will re-enable interrupts:
14708 */
14709 @@ -560,6 +816,9 @@ auditsys:
14710 movq %rax,%rsi /* 2nd arg: syscall number */
14711 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14712 call audit_syscall_entry
14713 +
14714 + pax_erase_kstack
14715 +
14716 LOAD_ARGS 0 /* reload call-clobbered registers */
14717 jmp system_call_fastpath
14718
14719 @@ -590,6 +849,9 @@ tracesys:
14720 FIXUP_TOP_OF_STACK %rdi
14721 movq %rsp,%rdi
14722 call syscall_trace_enter
14723 +
14724 + pax_erase_kstack
14725 +
14726 /*
14727 * Reload arg registers from stack in case ptrace changed them.
14728 * We don't reload %rax because syscall_trace_enter() returned
14729 @@ -611,7 +873,7 @@ tracesys:
14730 GLOBAL(int_ret_from_sys_call)
14731 DISABLE_INTERRUPTS(CLBR_NONE)
14732 TRACE_IRQS_OFF
14733 - testl $3,CS-ARGOFFSET(%rsp)
14734 + testb $3,CS-ARGOFFSET(%rsp)
14735 je retint_restore_args
14736 movl $_TIF_ALLWORK_MASK,%edi
14737 /* edi: mask to check */
14738 @@ -793,6 +1055,16 @@ END(interrupt)
14739 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
14740 call save_args
14741 PARTIAL_FRAME 0
14742 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14743 + testb $3, CS(%rdi)
14744 + jnz 1f
14745 + pax_enter_kernel
14746 + jmp 2f
14747 +1: pax_enter_kernel_user
14748 +2:
14749 +#else
14750 + pax_enter_kernel
14751 +#endif
14752 call \func
14753 .endm
14754
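Review bot: This `#ifdef CONFIG_PAX_MEMORY_UDEREF` dispatch on the saved CS is pasted into seven places in entry_64.S: here and in the hunks at -1027, -1044, -1062, -1080, -1099 and -1490. The copies differ only in whether CS is read through %rdi or %rsp. An entry path where one copy is missed or drifts would run its handler without the kernel/user switch, and seven copies are hard to audit. A single macro taking the CS operand would keep the logic in one place; the enclosing macro starts outside this hunk.

```asm
	.macro pax_enter_kernel_by_cs cs
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* … unchanged: call save_args, PARTIAL_FRAME 0 … */
	pax_enter_kernel_by_cs CS(%rdi)
	call \func
```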
14755 @@ -825,7 +1097,7 @@ ret_from_intr:
14756 CFI_ADJUST_CFA_OFFSET -8
14757 exit_intr:
14758 GET_THREAD_INFO(%rcx)
14759 - testl $3,CS-ARGOFFSET(%rsp)
14760 + testb $3,CS-ARGOFFSET(%rsp)
14761 je retint_kernel
14762
14763 /* Interrupt came from user space */
14764 @@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
14765 * The iretq could re-enable interrupts:
14766 */
14767 DISABLE_INTERRUPTS(CLBR_ANY)
14768 + pax_exit_kernel_user
14769 TRACE_IRQS_IRETQ
14770 SWAPGS
14771 jmp restore_args
14772
14773 retint_restore_args: /* return to kernel space */
14774 DISABLE_INTERRUPTS(CLBR_ANY)
14775 + pax_exit_kernel
14776 /*
14777 * The iretq could re-enable interrupts:
14778 */
14779 @@ -1027,6 +1301,16 @@ ENTRY(\sym)
14780 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14781 call error_entry
14782 DEFAULT_FRAME 0
14783 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14784 + testb $3, CS(%rsp)
14785 + jnz 1f
14786 + pax_enter_kernel
14787 + jmp 2f
14788 +1: pax_enter_kernel_user
14789 +2:
14790 +#else
14791 + pax_enter_kernel
14792 +#endif
14793 movq %rsp,%rdi /* pt_regs pointer */
14794 xorl %esi,%esi /* no error code */
14795 call \do_sym
14796 @@ -1044,6 +1328,16 @@ ENTRY(\sym)
14797 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14798 call save_paranoid
14799 TRACE_IRQS_OFF
14800 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14801 + testb $3, CS(%rsp)
14802 + jnz 1f
14803 + pax_enter_kernel
14804 + jmp 2f
14805 +1: pax_enter_kernel_user
14806 +2:
14807 +#else
14808 + pax_enter_kernel
14809 +#endif
14810 movq %rsp,%rdi /* pt_regs pointer */
14811 xorl %esi,%esi /* no error code */
14812 call \do_sym
14813 @@ -1052,7 +1346,7 @@ ENTRY(\sym)
14814 END(\sym)
14815 .endm
14816
14817 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
14818 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
14819 .macro paranoidzeroentry_ist sym do_sym ist
14820 ENTRY(\sym)
14821 INTR_FRAME
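Review bot: `INIT_TSS_IST(x)` now expands to an operand relative to %r12, a dependency that nothing at the definition states. It is only valid after the `lea init_tss(...), %r12` sequence that the next hunk adds inside paranoidzeroentry_ist, and it relies on %r12 surviving `call \do_sym` between the `subq` and the `addq`. A comment on the define would make that visible, e.g. `/* needs %r12 = this CPU's init_tss; loaded in paranoidzeroentry_ist */`. The macro body continues outside this hunk.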
14822 @@ -1062,8 +1356,24 @@ ENTRY(\sym)
14823 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14824 call save_paranoid
14825 TRACE_IRQS_OFF
14826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14827 + testb $3, CS(%rsp)
14828 + jnz 1f
14829 + pax_enter_kernel
14830 + jmp 2f
14831 +1: pax_enter_kernel_user
14832 +2:
14833 +#else
14834 + pax_enter_kernel
14835 +#endif
14836 movq %rsp,%rdi /* pt_regs pointer */
14837 xorl %esi,%esi /* no error code */
14838 +#ifdef CONFIG_SMP
14839 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
14840 + lea init_tss(%r12), %r12
14841 +#else
14842 + lea init_tss(%rip), %r12
14843 +#endif
14844 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14845 call \do_sym
14846 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14847 @@ -1080,6 +1390,16 @@ ENTRY(\sym)
14848 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14849 call error_entry
14850 DEFAULT_FRAME 0
14851 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14852 + testb $3, CS(%rsp)
14853 + jnz 1f
14854 + pax_enter_kernel
14855 + jmp 2f
14856 +1: pax_enter_kernel_user
14857 +2:
14858 +#else
14859 + pax_enter_kernel
14860 +#endif
14861 movq %rsp,%rdi /* pt_regs pointer */
14862 movq ORIG_RAX(%rsp),%rsi /* get error code */
14863 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14864 @@ -1099,6 +1419,16 @@ ENTRY(\sym)
14865 call save_paranoid
14866 DEFAULT_FRAME 0
14867 TRACE_IRQS_OFF
14868 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14869 + testb $3, CS(%rsp)
14870 + jnz 1f
14871 + pax_enter_kernel
14872 + jmp 2f
14873 +1: pax_enter_kernel_user
14874 +2:
14875 +#else
14876 + pax_enter_kernel
14877 +#endif
14878 movq %rsp,%rdi /* pt_regs pointer */
14879 movq ORIG_RAX(%rsp),%rsi /* get error code */
14880 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14881 @@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
14882 TRACE_IRQS_OFF
14883 testl %ebx,%ebx /* swapgs needed? */
14884 jnz paranoid_restore
14885 - testl $3,CS(%rsp)
14886 + testb $3,CS(%rsp)
14887 jnz paranoid_userspace
14888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14889 + pax_exit_kernel
14890 + TRACE_IRQS_IRETQ 0
14891 + SWAPGS_UNSAFE_STACK
14892 + RESTORE_ALL 8
14893 + jmp irq_return
14894 +#endif
14895 paranoid_swapgs:
14896 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14897 + pax_exit_kernel_user
14898 +#else
14899 + pax_exit_kernel
14900 +#endif
14901 TRACE_IRQS_IRETQ 0
14902 SWAPGS_UNSAFE_STACK
14903 RESTORE_ALL 8
14904 jmp irq_return
14905 paranoid_restore:
14906 + pax_exit_kernel
14907 TRACE_IRQS_IRETQ 0
14908 RESTORE_ALL 8
14909 jmp irq_return
14910 @@ -1426,7 +1769,7 @@ ENTRY(error_entry)
14911 movq_cfi r14, R14+8
14912 movq_cfi r15, R15+8
14913 xorl %ebx,%ebx
14914 - testl $3,CS+8(%rsp)
14915 + testb $3,CS+8(%rsp)
14916 je error_kernelspace
14917 error_swapgs:
14918 SWAPGS
14919 @@ -1490,6 +1833,16 @@ ENTRY(nmi)
14920 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14921 call save_paranoid
14922 DEFAULT_FRAME 0
14923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14924 + testb $3, CS(%rsp)
14925 + jnz 1f
14926 + pax_enter_kernel
14927 + jmp 2f
14928 +1: pax_enter_kernel_user
14929 +2:
14930 +#else
14931 + pax_enter_kernel
14932 +#endif
14933 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14934 movq %rsp,%rdi
14935 movq $-1,%rsi
14936 @@ -1500,11 +1853,25 @@ ENTRY(nmi)
14937 DISABLE_INTERRUPTS(CLBR_NONE)
14938 testl %ebx,%ebx /* swapgs needed? */
14939 jnz nmi_restore
14940 - testl $3,CS(%rsp)
14941 + testb $3,CS(%rsp)
14942 jnz nmi_userspace
14943 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14944 + pax_exit_kernel
14945 + SWAPGS_UNSAFE_STACK
14946 + RESTORE_ALL 8
14947 + jmp irq_return
14948 +#endif
14949 nmi_swapgs:
14950 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14951 + pax_exit_kernel_user
14952 +#else
14953 + pax_exit_kernel
14954 +#endif
14955 SWAPGS_UNSAFE_STACK
14956 + RESTORE_ALL 8
14957 + jmp irq_return
14958 nmi_restore:
14959 + pax_exit_kernel
14960 RESTORE_ALL 8
14961 jmp irq_return
14962 nmi_userspace:
14963 diff -urNp linux-2.6.39.3/arch/x86/kernel/ftrace.c linux-2.6.39.3/arch/x86/kernel/ftrace.c
14964 --- linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400
14965 +++ linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400
14966 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
14967 static void *mod_code_newcode; /* holds the text to write to the IP */
14968
14969 static unsigned nmi_wait_count;
14970 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14971 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14972
14973 int ftrace_arch_read_dyn_info(char *buf, int size)
14974 {
14975 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14976
14977 r = snprintf(buf, size, "%u %u",
14978 nmi_wait_count,
14979 - atomic_read(&nmi_update_count));
14980 + atomic_read_unchecked(&nmi_update_count));
14981 return r;
14982 }
14983
14984 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
14985
14986 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14987 smp_rmb();
14988 + pax_open_kernel();
14989 ftrace_mod_code();
14990 - atomic_inc(&nmi_update_count);
14991 + pax_close_kernel();
14992 + atomic_inc_unchecked(&nmi_update_count);
14993 }
14994 /* Must have previous changes seen before executions */
14995 smp_mb();
14996 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
14997 {
14998 unsigned char replaced[MCOUNT_INSN_SIZE];
14999
15000 + ip = ktla_ktva(ip);
15001 +
15002 /*
15003 * Note: Due to modules and __init, code can
15004 * disappear and change, we need to protect against faulting
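Review bot: `ip = ktla_ktva(ip);` rebinds the parameter without any comment, so the rest of ftrace_modify_code (which continues outside this hunk) works on a translated address while callers still pass the original one. The same uncommented line is added to ftrace_mod_jmp in the hunk at -353. A short comment stating what the translation is for would help the next reader, for instance `/* PaX: read/patch kernel text through its ktla_ktva() mapping */`. That wording should be confirmed against the ktla_ktva definition, which is not visible here.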
15005 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15006 unsigned char old[MCOUNT_INSN_SIZE], *new;
15007 int ret;
15008
15009 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15010 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15011 new = ftrace_call_replace(ip, (unsigned long)func);
15012 ret = ftrace_modify_code(ip, old, new);
15013
15014 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
15015 {
15016 unsigned char code[MCOUNT_INSN_SIZE];
15017
15018 + ip = ktla_ktva(ip);
15019 +
15020 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15021 return -EFAULT;
15022
15023 diff -urNp linux-2.6.39.3/arch/x86/kernel/head32.c linux-2.6.39.3/arch/x86/kernel/head32.c
15024 --- linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400
15025 +++ linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400
15026 @@ -19,6 +19,7 @@
15027 #include <asm/io_apic.h>
15028 #include <asm/bios_ebda.h>
15029 #include <asm/tlbflush.h>
15030 +#include <asm/boot.h>
15031
15032 static void __init i386_default_early_setup(void)
15033 {
15034 @@ -34,7 +35,7 @@ void __init i386_start_kernel(void)
15035 {
15036 memblock_init();
15037
15038 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15039 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15040
15041 #ifdef CONFIG_BLK_DEV_INITRD
15042 /* Reserve INITRD */
15043 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_32.S linux-2.6.39.3/arch/x86/kernel/head_32.S
15044 --- linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400
15045 +++ linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-07-06 20:00:13.000000000 -0400
15046 @@ -25,6 +25,12 @@
15047 /* Physical address */
15048 #define pa(X) ((X) - __PAGE_OFFSET)
15049
15050 +#ifdef CONFIG_PAX_KERNEXEC
15051 +#define ta(X) (X)
15052 +#else
15053 +#define ta(X) ((X) - __PAGE_OFFSET)
15054 +#endif
15055 +
15056 /*
15057 * References to members of the new_cpu_data structure.
15058 */
15059 @@ -54,11 +60,7 @@
15060 * and small than max_low_pfn, otherwise will waste some page table entries
15061 */
15062
15063 -#if PTRS_PER_PMD > 1
15064 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15065 -#else
15066 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15067 -#endif
15068 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15069
15070 /* Number of possible pages in the lowmem region */
15071 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
15072 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15073 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15074
15075 /*
15076 + * Real beginning of normal "text" segment
15077 + */
15078 +ENTRY(stext)
15079 +ENTRY(_stext)
15080 +
15081 +/*
15082 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15083 * %esi points to the real-mode code as a 32-bit pointer.
15084 * CS and DS must be 4 GB flat segments, but we don't depend on
15085 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15086 * can.
15087 */
15088 __HEAD
15089 +
15090 +#ifdef CONFIG_PAX_KERNEXEC
15091 + jmp startup_32
15092 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15093 +.fill PAGE_SIZE-5,1,0xcc
15094 +#endif
15095 +
15096 ENTRY(startup_32)
15097 movl pa(stack_start),%ecx
15098
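Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes the length of the preceding `jmp startup_32` as five bytes. If the assembler ever emits a different encoding, the padding silently stops ending on the page boundary. The int3-filled first page that the comment describes would then no longer be exactly one page. Deriving the count from a label keeps it exact: `0: jmp startup_32` followed by `.fill PAGE_SIZE-(.-0b),1,0xcc`.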
15099 @@ -105,6 +120,57 @@ ENTRY(startup_32)
15100 2:
15101 leal -__PAGE_OFFSET(%ecx),%esp
15102
15103 +#ifdef CONFIG_SMP
15104 + movl $pa(cpu_gdt_table),%edi
15105 + movl $__per_cpu_load,%eax
15106 + movw %ax,__KERNEL_PERCPU + 2(%edi)
15107 + rorl $16,%eax
15108 + movb %al,__KERNEL_PERCPU + 4(%edi)
15109 + movb %ah,__KERNEL_PERCPU + 7(%edi)
15110 + movl $__per_cpu_end - 1,%eax
15111 + subl $__per_cpu_start,%eax
15112 + movw %ax,__KERNEL_PERCPU + 0(%edi)
15113 +#endif
15114 +
15115 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15116 + movl $NR_CPUS,%ecx
15117 + movl $pa(cpu_gdt_table),%edi
15118 +1:
15119 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15120 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15121 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15122 + addl $PAGE_SIZE_asm,%edi
15123 + loop 1b
15124 +#endif
15125 +
15126 +#ifdef CONFIG_PAX_KERNEXEC
15127 + movl $pa(boot_gdt),%edi
15128 + movl $__LOAD_PHYSICAL_ADDR,%eax
15129 + movw %ax,__BOOT_CS + 2(%edi)
15130 + rorl $16,%eax
15131 + movb %al,__BOOT_CS + 4(%edi)
15132 + movb %ah,__BOOT_CS + 7(%edi)
15133 + rorl $16,%eax
15134 +
15135 + ljmp $(__BOOT_CS),$1f
15136 +1:
15137 +
15138 + movl $NR_CPUS,%ecx
15139 + movl $pa(cpu_gdt_table),%edi
15140 + addl $__PAGE_OFFSET,%eax
15141 +1:
15142 + movw %ax,__KERNEL_CS + 2(%edi)
15143 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15144 + rorl $16,%eax
15145 + movb %al,__KERNEL_CS + 4(%edi)
15146 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15147 + movb %ah,__KERNEL_CS + 7(%edi)
15148 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15149 + rorl $16,%eax
15150 + addl $PAGE_SIZE_asm,%edi
15151 + loop 1b
15152 +#endif
15153 +
15154 /*
15155 * Clear BSS first so that there are no surprises...
15156 */
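Review bot: The three values stored in the CONFIG_PAX_MEMORY_UDEREF loop are unexplained magic numbers, although they are what narrows the kernel and user segments on each CPU's GDT. A comment block above the loop should spell out the encoding. The `((__PAGE_OFFSET-1) & 0xf0000000) >> 12` term fills the limit[19:16] field of the descriptor's high dword. `0x00c0` sets page granularity and 32-bit default size. The access bytes `0x97`, `0xfb` and `0xf3` select an expand-down ring-0 data segment, a ring-3 code segment and a ring-3 data segment. The hunk also reuses the local label `1:` three times, which assembles correctly with `1b`/`1f` but makes the two `loop 1b` targets harder to follow; distinct numbers would read better.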
15157 @@ -195,8 +261,11 @@ ENTRY(startup_32)
15158 movl %eax, pa(max_pfn_mapped)
15159
15160 /* Do early initialization of the fixmap area */
15161 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15162 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
15163 +#ifdef CONFIG_COMPAT_VDSO
15164 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
15165 +#else
15166 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
15167 +#endif
15168 #else /* Not PAE */
15169
15170 page_pde_offset = (__PAGE_OFFSET >> 20);
15171 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15172 movl %eax, pa(max_pfn_mapped)
15173
15174 /* Do early initialization of the fixmap area */
15175 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15176 - movl %eax,pa(initial_page_table+0xffc)
15177 +#ifdef CONFIG_COMPAT_VDSO
15178 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
15179 +#else
15180 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
15181 +#endif
15182 #endif
15183
15184 #ifdef CONFIG_PARAVIRT
15185 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15186 cmpl $num_subarch_entries, %eax
15187 jae bad_subarch
15188
15189 - movl pa(subarch_entries)(,%eax,4), %eax
15190 - subl $__PAGE_OFFSET, %eax
15191 - jmp *%eax
15192 + jmp *pa(subarch_entries)(,%eax,4)
15193
15194 bad_subarch:
15195 WEAK(lguest_entry)
15196 @@ -255,10 +325,10 @@ WEAK(xen_entry)
15197 __INITDATA
15198
15199 subarch_entries:
15200 - .long default_entry /* normal x86/PC */
15201 - .long lguest_entry /* lguest hypervisor */
15202 - .long xen_entry /* Xen hypervisor */
15203 - .long default_entry /* Moorestown MID */
15204 + .long ta(default_entry) /* normal x86/PC */
15205 + .long ta(lguest_entry) /* lguest hypervisor */
15206 + .long ta(xen_entry) /* Xen hypervisor */
15207 + .long ta(default_entry) /* Moorestown MID */
15208 num_subarch_entries = (. - subarch_entries) / 4
15209 .previous
15210 #else
15211 @@ -312,6 +382,7 @@ default_entry:
15212 orl %edx,%eax
15213 movl %eax,%cr4
15214
15215 +#ifdef CONFIG_X86_PAE
15216 testb $X86_CR4_PAE, %al # check if PAE is enabled
15217 jz 6f
15218
15219 @@ -340,6 +411,9 @@ default_entry:
15220 /* Make changes effective */
15221 wrmsr
15222
15223 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15224 +#endif
15225 +
15226 6:
15227
15228 /*
15229 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
15230 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15231 movl %eax,%ss # after changing gdt.
15232
15233 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15234 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15235 movl %eax,%ds
15236 movl %eax,%es
15237
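Review bot: The replacement line is a commented-out instruction, so DS and ES are now loaded from whatever %eax still holds from `movl $(__KERNEL_DS),%eax` two lines up. That works, but it leaves dead code whose trailing comment reads as if a load still happens. It also ties correctness to nothing being inserted between the %ss reload and `movl %eax,%ds`. I would delete the line and put `# DS/ES reuse __KERNEL_DS still in %eax from the %ss reload` above `movl %eax,%ds`.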
15238 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
15239 */
15240 cmpb $0,ready
15241 jne 1f
15242 - movl $gdt_page,%eax
15243 + movl $cpu_gdt_table,%eax
15244 movl $stack_canary,%ecx
15245 +#ifdef CONFIG_SMP
15246 + addl $__per_cpu_load,%ecx
15247 +#endif
15248 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15249 shrl $16, %ecx
15250 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15251 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15252 1:
15253 -#endif
15254 movl $(__KERNEL_STACK_CANARY),%eax
15255 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15256 + movl $(__USER_DS),%eax
15257 +#else
15258 + xorl %eax,%eax
15259 +#endif
15260 movl %eax,%gs
15261
15262 xorl %eax,%eax # Clear LDT
15263 @@ -558,22 +639,22 @@ early_page_fault:
15264 jmp early_fault
15265
15266 early_fault:
15267 - cld
15268 #ifdef CONFIG_PRINTK
15269 + cmpl $1,%ss:early_recursion_flag
15270 + je hlt_loop
15271 + incl %ss:early_recursion_flag
15272 + cld
15273 pusha
15274 movl $(__KERNEL_DS),%eax
15275 movl %eax,%ds
15276 movl %eax,%es
15277 - cmpl $2,early_recursion_flag
15278 - je hlt_loop
15279 - incl early_recursion_flag
15280 movl %cr2,%eax
15281 pushl %eax
15282 pushl %edx /* trapno */
15283 pushl $fault_msg
15284 call printk
15285 +; call dump_stack
15286 #endif
15287 - call dump_stack
15288 hlt_loop:
15289 hlt
15290 jmp hlt_loop
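Review bot: `; call dump_stack` probably does not disable the call. On x86, GNU as treats `;` as a statement separator rather than a comment character, so the line would still assemble `call dump_stack`, now inside the CONFIG_PRINTK block. If the intent is to drop the call, remove the line or write it as `/* call dump_stack */`. Separately, early_fault now halts when early_recursion_flag equals 1, while ignore_int (hunk at -581) still compares against 2. A comment explaining the different thresholds would prevent someone from "fixing" one to match the other.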
15291 @@ -581,8 +662,11 @@ hlt_loop:
15292 /* This is the default interrupt "handler" :-) */
15293 ALIGN
15294 ignore_int:
15295 - cld
15296 #ifdef CONFIG_PRINTK
15297 + cmpl $2,%ss:early_recursion_flag
15298 + je hlt_loop
15299 + incl %ss:early_recursion_flag
15300 + cld
15301 pushl %eax
15302 pushl %ecx
15303 pushl %edx
15304 @@ -591,9 +675,6 @@ ignore_int:
15305 movl $(__KERNEL_DS),%eax
15306 movl %eax,%ds
15307 movl %eax,%es
15308 - cmpl $2,early_recursion_flag
15309 - je hlt_loop
15310 - incl early_recursion_flag
15311 pushl 16(%esp)
15312 pushl 24(%esp)
15313 pushl 32(%esp)
15314 @@ -622,29 +703,43 @@ ENTRY(initial_code)
15315 /*
15316 * BSS section
15317 */
15318 -__PAGE_ALIGNED_BSS
15319 - .align PAGE_SIZE
15320 #ifdef CONFIG_X86_PAE
15321 +.section .initial_pg_pmd,"a",@progbits
15322 initial_pg_pmd:
15323 .fill 1024*KPMDS,4,0
15324 #else
15325 +.section .initial_page_table,"a",@progbits
15326 ENTRY(initial_page_table)
15327 .fill 1024,4,0
15328 #endif
15329 +.section .initial_pg_fixmap,"a",@progbits
15330 initial_pg_fixmap:
15331 .fill 1024,4,0
15332 +.section .empty_zero_page,"a",@progbits
15333 ENTRY(empty_zero_page)
15334 .fill 4096,1,0
15335 +.section .swapper_pg_dir,"a",@progbits
15336 ENTRY(swapper_pg_dir)
15337 +#ifdef CONFIG_X86_PAE
15338 + .fill 4,8,0
15339 +#else
15340 .fill 1024,4,0
15341 +#endif
15342 +
15343 +/*
15344 + * The IDT has to be page-aligned to simplify the Pentium
15345 + * F0 0F bug workaround.. We have a special link segment
15346 + * for this.
15347 + */
15348 +.section .idt,"a",@progbits
15349 +ENTRY(idt_table)
15350 + .fill 256,8,0
15351
15352 /*
15353 * This starts the data section.
15354 */
15355 #ifdef CONFIG_X86_PAE
15356 -__PAGE_ALIGNED_DATA
15357 - /* Page-aligned for the benefit of paravirt? */
15358 - .align PAGE_SIZE
15359 +.section .initial_page_table,"a",@progbits
15360 ENTRY(initial_page_table)
15361 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15362 # if KPMDS == 3
15363 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
15364 # error "Kernel PMDs should be 1, 2 or 3"
15365 # endif
15366 .align PAGE_SIZE /* needs to be page-sized too */
15367 +
15368 +#ifdef CONFIG_PAX_PER_CPU_PGD
15369 +ENTRY(cpu_pgd)
15370 + .rept NR_CPUS
15371 + .fill 4,8,0
15372 + .endr
15373 +#endif
15374 +
15375 #endif
15376
15377 .data
15378 .balign 4
15379 ENTRY(stack_start)
15380 - .long init_thread_union+THREAD_SIZE
15381 + .long init_thread_union+THREAD_SIZE-8
15382 +
15383 +ready: .byte 0
15384
15385 +.section .rodata,"a",@progbits
15386 early_recursion_flag:
15387 .long 0
15388
15389 -ready: .byte 0
15390 -
15391 int_msg:
15392 .asciz "Unknown interrupt or fault at: %p %p %p\n"
15393
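Review bot: early_recursion_flag ends up in `.rodata` after this hunk, but early_fault and ignore_int both modify it with `incl %ss:early_recursion_flag`. Whether .rodata is already write-protected when those handlers can run is not visible here. If it is, the increment itself faults before the recursion guard can take effect. Keeping the counter writable avoids the question: leave `early_recursion_flag: .long 0` under `.data` next to `ready`, and move the `.section .rodata,"a",@progbits` line down to just before `int_msg`.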
15394 @@ -707,7 +811,7 @@ fault_msg:
15395 .word 0 # 32 bit align gdt_desc.address
15396 boot_gdt_descr:
15397 .word __BOOT_DS+7
15398 - .long boot_gdt - __PAGE_OFFSET
15399 + .long pa(boot_gdt)
15400
15401 .word 0 # 32-bit align idt_desc.address
15402 idt_descr:
15403 @@ -718,7 +822,7 @@ idt_descr:
15404 .word 0 # 32 bit align gdt_desc.address
15405 ENTRY(early_gdt_descr)
15406 .word GDT_ENTRIES*8-1
15407 - .long gdt_page /* Overwritten for secondary CPUs */
15408 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15409
15410 /*
15411 * The boot_gdt must mirror the equivalent in setup.S and is
15412 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
15413 .align L1_CACHE_BYTES
15414 ENTRY(boot_gdt)
15415 .fill GDT_ENTRY_BOOT_CS,8,0
15416 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15417 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15418 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15419 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15420 +
15421 + .align PAGE_SIZE_asm
15422 +ENTRY(cpu_gdt_table)
15423 + .rept NR_CPUS
15424 + .quad 0x0000000000000000 /* NULL descriptor */
15425 + .quad 0x0000000000000000 /* 0x0b reserved */
15426 + .quad 0x0000000000000000 /* 0x13 reserved */
15427 + .quad 0x0000000000000000 /* 0x1b reserved */
15428 +
15429 +#ifdef CONFIG_PAX_KERNEXEC
15430 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15431 +#else
15432 + .quad 0x0000000000000000 /* 0x20 unused */
15433 +#endif
15434 +
15435 + .quad 0x0000000000000000 /* 0x28 unused */
15436 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15437 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15438 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15439 + .quad 0x0000000000000000 /* 0x4b reserved */
15440 + .quad 0x0000000000000000 /* 0x53 reserved */
15441 + .quad 0x0000000000000000 /* 0x5b reserved */
15442 +
15443 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15444 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15445 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15446 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15447 +
15448 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15449 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15450 +
15451 + /*
15452 + * Segments used for calling PnP BIOS have byte granularity.
15453 + * The code segments and data segments have fixed 64k limits,
15454 + * the transfer segment sizes are set at run time.
15455 + */
15456 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15457 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15458 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15459 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15460 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15461 +
15462 + /*
15463 + * The APM segments have byte granularity and their bases
15464 + * are set at run time. All have 64k limits.
15465 + */
15466 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15467 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15468 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15469 +
15470 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15471 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15472 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
15473 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15474 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15475 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15476 +
15477 + /* Be sure this is zeroed to avoid false validations in Xen */
15478 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15479 + .endr
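Review bot: The access bytes in boot_gdt and in the new cpu_gdt_table change from 0x9a/0x92 to 0x9b/0x93, but no comment says why the accessed bit is now preset. Presumably this keeps the CPU from writing a descriptor back on first load, which matters once the page-aligned table is mapped read-only. That belongs next to `ENTRY(cpu_gdt_table)`, e.g. `/* accessed bit preset: the CPU must never need to write to this table */`. The closing `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` is also only right while the 32 `.quad` entries match GDT_SIZE (defined outside this page), so the reminder the 64-bit table carries, `asm/segment.h:GDT_ENTRIES must match this`, is needed here too.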
15480 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_64.S linux-2.6.39.3/arch/x86/kernel/head_64.S
15481 --- linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400
15482 +++ linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400
15483 @@ -19,6 +19,7 @@
15484 #include <asm/cache.h>
15485 #include <asm/processor-flags.h>
15486 #include <asm/percpu.h>
15487 +#include <asm/cpufeature.h>
15488
15489 #ifdef CONFIG_PARAVIRT
15490 #include <asm/asm-offsets.h>
15491 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15492 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15493 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15494 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15495 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15496 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15497 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15498 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15499
15500 .text
15501 __HEAD
15502 @@ -85,35 +90,22 @@ startup_64:
15503 */
15504 addq %rbp, init_level4_pgt + 0(%rip)
15505 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15506 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15507 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15508 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15509
15510 addq %rbp, level3_ident_pgt + 0(%rip)
15511 +#ifndef CONFIG_XEN
15512 + addq %rbp, level3_ident_pgt + 8(%rip)
15513 +#endif
15514
15515 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15516 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15517 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15518
15519 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15520 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15521 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15522
15523 - /* Add an Identity mapping if I am above 1G */
15524 - leaq _text(%rip), %rdi
15525 - andq $PMD_PAGE_MASK, %rdi
15526 -
15527 - movq %rdi, %rax
15528 - shrq $PUD_SHIFT, %rax
15529 - andq $(PTRS_PER_PUD - 1), %rax
15530 - jz ident_complete
15531 -
15532 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15533 - leaq level3_ident_pgt(%rip), %rbx
15534 - movq %rdx, 0(%rbx, %rax, 8)
15535 -
15536 - movq %rdi, %rax
15537 - shrq $PMD_SHIFT, %rax
15538 - andq $(PTRS_PER_PMD - 1), %rax
15539 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15540 - leaq level2_spare_pgt(%rip), %rbx
15541 - movq %rdx, 0(%rbx, %rax, 8)
15542 -ident_complete:
15543 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15544 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15545
15546 /*
15547 * Fixup the kernel text+data virtual addresses. Note that
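Review bot: The removed block built an identity mapping at run time when `_text` sat above 1G, and nothing in the new code covers a load address beyond the static table. A later hunk of this file sizes level2_ident_pgt at `2*PTRS_PER_PMD`, i.e. the first 2G, and no visible check rejects an image placed above that. If such a placement is possible, the early code would run without an identity mapping; this should be confirmed and recorded, e.g. `/* level2_ident_pgt statically covers the first 2G; the image must be loaded below that */`. startup_64 begins outside this hunk.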
15548 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
15549 * after the boot processor executes this code.
15550 */
15551
15552 - /* Enable PAE mode and PGE */
15553 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15554 + /* Enable PAE mode and PSE/PGE */
15555 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15556 movq %rax, %cr4
15557
15558 /* Setup early boot stage 4 level pagetables. */
15559 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
15560 movl $MSR_EFER, %ecx
15561 rdmsr
15562 btsl $_EFER_SCE, %eax /* Enable System Call */
15563 - btl $20,%edi /* No Execute supported? */
15564 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15565 jnc 1f
15566 btsl $_EFER_NX, %eax
15567 + leaq init_level4_pgt(%rip), %rdi
15568 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15569 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15570 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15571 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
15572 1: wrmsr /* Make changes effective */
15573
15574 /* Setup cr0 */
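Review bot: The four added `btsq $_PAGE_BIT_NX` stores run on every pass through secondary_startup_64, not only on the boot CPU, and three of them write to init_level4_pgt, which a later hunk of this file places in `.rodata`. A bit-set on an already set bit is, as far as I know, still a store, so a CPU brought up after read-only data is sealed depends on write protection not being enforced yet at this point. That assumption should be checked and written down in a comment above the `leaq`. The `leaq` also reuses %rdi, which apparently held the feature word tested by `btl`, so the comment should state that the value is dead after `jnc 1f`.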
15575 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
15576 bad_address:
15577 jmp bad_address
15578
15579 - .section ".init.text","ax"
15580 + __INIT
15581 #ifdef CONFIG_EARLY_PRINTK
15582 .globl early_idt_handlers
15583 early_idt_handlers:
15584 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
15585 #endif /* EARLY_PRINTK */
15586 1: hlt
15587 jmp 1b
15588 + .previous
15589
15590 #ifdef CONFIG_EARLY_PRINTK
15591 + __INITDATA
15592 early_recursion_flag:
15593 .long 0
15594 + .previous
15595
15596 + .section .rodata,"a",@progbits
15597 early_idt_msg:
15598 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15599 early_idt_ripmsg:
15600 .asciz "RIP %s\n"
15601 -#endif /* CONFIG_EARLY_PRINTK */
15602 .previous
15603 +#endif /* CONFIG_EARLY_PRINTK */
15604
15605 + .section .rodata,"a",@progbits
15606 #define NEXT_PAGE(name) \
15607 .balign PAGE_SIZE; \
15608 ENTRY(name)
15609 @@ -338,7 +340,6 @@ ENTRY(name)
15610 i = i + 1 ; \
15611 .endr
15612
15613 - .data
15614 /*
15615 * This default setting generates an ident mapping at address 0x100000
15616 * and a mapping for the kernel that precisely maps virtual address
15617 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
15618 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15619 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15620 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15621 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15622 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15623 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15624 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15625 .org init_level4_pgt + L4_START_KERNEL*8, 0
15626 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15627 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15628
15629 +#ifdef CONFIG_PAX_PER_CPU_PGD
15630 +NEXT_PAGE(cpu_pgd)
15631 + .rept NR_CPUS
15632 + .fill 512,8,0
15633 + .endr
15634 +#endif
15635 +
15636 NEXT_PAGE(level3_ident_pgt)
15637 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15638 +#ifdef CONFIG_XEN
15639 .fill 511,8,0
15640 +#else
15641 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15642 + .fill 510,8,0
15643 +#endif
15644 +
15645 +NEXT_PAGE(level3_vmalloc_pgt)
15646 + .fill 512,8,0
15647 +
15648 +NEXT_PAGE(level3_vmemmap_pgt)
15649 + .fill L3_VMEMMAP_START,8,0
15650 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15651
15652 NEXT_PAGE(level3_kernel_pgt)
15653 .fill L3_START_KERNEL,8,0
15654 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
15655 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15656 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15657
15658 +NEXT_PAGE(level2_vmemmap_pgt)
15659 + .fill 512,8,0
15660 +
15661 NEXT_PAGE(level2_fixmap_pgt)
15662 - .fill 506,8,0
15663 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15664 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15665 - .fill 5,8,0
15666 + .fill 507,8,0
15667 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15668 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15669 + .fill 4,8,0
15670
15671 -NEXT_PAGE(level1_fixmap_pgt)
15672 +NEXT_PAGE(level1_vsyscall_pgt)
15673 .fill 512,8,0
15674
15675 -NEXT_PAGE(level2_ident_pgt)
15676 - /* Since I easily can, map the first 1G.
15677 + /* Since I easily can, map the first 2G.
15678 * Don't set NX because code runs from these pages.
15679 */
15680 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15681 +NEXT_PAGE(level2_ident_pgt)
15682 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15683
15684 NEXT_PAGE(level2_kernel_pgt)
15685 /*
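Review bot: `level2_fixmap_pgt` now begins with `.fill 507,8,0`, so slot 506 is empty and slot 507 is the only populated one, yet the startup_64 hunk earlier in this file still applies `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` next to the new `(507*8)` fixup. Adding the relocation delta to an empty slot leaves a non-zero value in an entry meant to be unused. It probably stays non-present if the delta is suitably aligned, but the 506 fixup looks like a leftover and should be dropped or explained. The rest of the table is consistent: 507 + 1 + 4 entries fill the page, and the comment's `3 + 1 entries` matches `.fill 4,8,0`.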
15686 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
15687 * If you want to increase this then increase MODULES_VADDR
15688 * too.)
15689 */
15690 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15691 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15692 -
15693 -NEXT_PAGE(level2_spare_pgt)
15694 - .fill 512, 8, 0
15695 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15696
15697 #undef PMDS
15698 #undef NEXT_PAGE
15699
15700 - .data
15701 + .align PAGE_SIZE
15702 +ENTRY(cpu_gdt_table)
15703 + .rept NR_CPUS
15704 + .quad 0x0000000000000000 /* NULL descriptor */
15705 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15706 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15707 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15708 + .quad 0x00cffb000000ffff /* __USER32_CS */
15709 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15710 + .quad 0x00affb000000ffff /* __USER_CS */
15711 +
15712 +#ifdef CONFIG_PAX_KERNEXEC
15713 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15714 +#else
15715 + .quad 0x0 /* unused */
15716 +#endif
15717 +
15718 + .quad 0,0 /* TSS */
15719 + .quad 0,0 /* LDT */
15720 + .quad 0,0,0 /* three TLS descriptors */
15721 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15722 + /* asm/segment.h:GDT_ENTRIES must match this */
15723 +
15724 + /* zero the remaining page */
15725 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15726 + .endr
15727 +
15728 .align 16
15729 .globl early_gdt_descr
15730 early_gdt_descr:
15731 .word GDT_ENTRIES*8-1
15732 early_gdt_descr_base:
15733 - .quad INIT_PER_CPU_VAR(gdt_page)
15734 + .quad cpu_gdt_table
15735
15736 ENTRY(phys_base)
15737 /* This must match the first entry in level2_kernel_pgt */
15738 .quad 0x0000000000000000
15739
15740 #include "../../x86/xen/xen-head.S"
15741 -
15742 - .section .bss, "aw", @nobits
15743 +
15744 + .section .rodata,"a",@progbits
15745 .align L1_CACHE_BYTES
15746 ENTRY(idt_table)
15747 - .skip IDT_ENTRIES * 16
15748 + .fill 512,8,0
15749
15750 __PAGE_ALIGNED_BSS
15751 .align PAGE_SIZE
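Review bot: `idt_table` is now emitted as `.fill 512,8,0`, replacing `.skip IDT_ENTRIES * 16` with a literal that equals the old size only while IDT_ENTRIES is 256. Keeping the symbol, `.fill IDT_ENTRIES*2,8,0`, preserves the link between the table and its limit. The table also moves from `.bss` to `.rodata`, so presumably every later writer of a gate has to open a write window first; a one-line comment at `ENTRY(idt_table)` saying so would help whoever adds a gate later.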
15752 diff -urNp linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c
15753 --- linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400
15754 +++ linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400
15755 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15756 EXPORT_SYMBOL(cmpxchg8b_emu);
15757 #endif
15758
15759 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15760 +
15761 /* Networking helper routines. */
15762 EXPORT_SYMBOL(csum_partial_copy_generic);
15763 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15764 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15765
15766 EXPORT_SYMBOL(__get_user_1);
15767 EXPORT_SYMBOL(__get_user_2);
15768 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15769
15770 EXPORT_SYMBOL(csum_partial);
15771 EXPORT_SYMBOL(empty_zero_page);
15772 +
15773 +#ifdef CONFIG_PAX_KERNEXEC
15774 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15775 +#endif
15776 diff -urNp linux-2.6.39.3/arch/x86/kernel/i8259.c linux-2.6.39.3/arch/x86/kernel/i8259.c
15777 --- linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400
15778 +++ linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400
15779 @@ -210,7 +210,7 @@ spurious_8259A_irq:
15780 "spurious 8259A interrupt: IRQ%d.\n", irq);
15781 spurious_irq_mask |= irqmask;
15782 }
15783 - atomic_inc(&irq_err_count);
15784 + atomic_inc_unchecked(&irq_err_count);
15785 /*
15786 * Theoretically we do not have to handle this IRQ,
15787 * but in Linux this does not cause problems and is
15788 diff -urNp linux-2.6.39.3/arch/x86/kernel/init_task.c linux-2.6.39.3/arch/x86/kernel/init_task.c
15789 --- linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400
15790 +++ linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400
15791 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15792 * way process stacks are handled. This is done by having a special
15793 * "init_task" linker map entry..
15794 */
15795 -union thread_union init_thread_union __init_task_data =
15796 - { INIT_THREAD_INFO(init_task) };
15797 +union thread_union init_thread_union __init_task_data;
15798
15799 /*
15800 * Initial task structure.
15801 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15802 * section. Since TSS's are completely CPU-local, we want them
15803 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15804 */
15805 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15806 -
15807 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15808 +EXPORT_SYMBOL(init_tss);
15809 diff -urNp linux-2.6.39.3/arch/x86/kernel/ioport.c linux-2.6.39.3/arch/x86/kernel/ioport.c
15810 --- linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
15811 +++ linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400
15812 @@ -6,6 +6,7 @@
15813 #include <linux/sched.h>
15814 #include <linux/kernel.h>
15815 #include <linux/capability.h>
15816 +#include <linux/security.h>
15817 #include <linux/errno.h>
15818 #include <linux/types.h>
15819 #include <linux/ioport.h>
15820 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
15821
15822 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15823 return -EINVAL;
15824 +#ifdef CONFIG_GRKERNSEC_IO
15825 + if (turn_on && grsec_disable_privio) {
15826 + gr_handle_ioperm();
15827 + return -EPERM;
15828 + }
15829 +#endif
15830 if (turn_on && !capable(CAP_SYS_RAWIO))
15831 return -EPERM;
15832
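Review bot: The new `grsec_disable_privio` test sits ahead of `capable(CAP_SYS_RAWIO)` and only on the `turn_on` path, but nothing records that this ordering is deliberate. A comment such as `/* policy switch overrides CAP_SYS_RAWIO; revoking ports (turn_on == 0) stays allowed */` would keep a later reorder from quietly making the capability the deciding check again. The same applies to the `level > old` branch in the sys_iopl hunk below. `grsec_disable_privio` and `gr_handle_ioperm()` are declared outside this page, presumably via the added `<linux/security.h>` include.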
15833 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
15834 * because the ->io_bitmap_max value must match the bitmap
15835 * contents:
15836 */
15837 - tss = &per_cpu(init_tss, get_cpu());
15838 + tss = init_tss + get_cpu();
15839
15840 if (turn_on)
15841 bitmap_clear(t->io_bitmap_ptr, from, num);
15842 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
15843 return -EINVAL;
15844 /* Trying to gain more privileges? */
15845 if (level > old) {
15846 +#ifdef CONFIG_GRKERNSEC_IO
15847 + if (grsec_disable_privio) {
15848 + gr_handle_iopl();
15849 + return -EPERM;
15850 + }
15851 +#endif
15852 if (!capable(CAP_SYS_RAWIO))
15853 return -EPERM;
15854 }
15855 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq_32.c linux-2.6.39.3/arch/x86/kernel/irq_32.c
15856 --- linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400
15857 +++ linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-07-06 20:00:13.000000000 -0400
15858 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
15859 __asm__ __volatile__("andl %%esp,%0" :
15860 "=r" (sp) : "0" (THREAD_SIZE - 1));
15861
15862 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15863 + return sp < STACK_WARN;
15864 }
15865
15866 static void print_stack_overflow(void)
15867 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
15868 * per-CPU IRQ handling contexts (thread information and stack)
15869 */
15870 union irq_ctx {
15871 - struct thread_info tinfo;
15872 - u32 stack[THREAD_SIZE/sizeof(u32)];
15873 + unsigned long previous_esp;
15874 + u32 stack[THREAD_SIZE/sizeof(u32)];
15875 } __attribute__((aligned(THREAD_SIZE)));
15876
15877 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15878 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
15879 static inline int
15880 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15881 {
15882 - union irq_ctx *curctx, *irqctx;
15883 + union irq_ctx *irqctx;
15884 u32 *isp, arg1, arg2;
15885
15886 - curctx = (union irq_ctx *) current_thread_info();
15887 irqctx = __this_cpu_read(hardirq_ctx);
15888
15889 /*
15890 @@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
15891 * handler) we can't do that and just have to keep using the
15892 * current stack (which is the irq stack already after all)
15893 */
15894 - if (unlikely(curctx == irqctx))
15895 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15896 return 0;
15897
15898 /* build the stack frame on the IRQ stack */
15899 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15900 - irqctx->tinfo.task = curctx->tinfo.task;
15901 - irqctx->tinfo.previous_esp = current_stack_pointer;
15902 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15903 + irqctx->previous_esp = current_stack_pointer;
15904
15905 - /*
15906 - * Copy the softirq bits in preempt_count so that the
15907 - * softirq checks work in the hardirq context.
15908 - */
15909 - irqctx->tinfo.preempt_count =
15910 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15911 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15912 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15913 + __set_fs(MAKE_MM_SEG(0));
15914 +#endif
15915
15916 if (unlikely(overflow))
15917 call_on_stack(print_stack_overflow, isp);
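Review bot: The on-IRQ-stack test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` subtracts `void *` values, a GNU extension, and gives the right answer for a stack pointer below `irqctx` only if THREAD_SIZE is unsigned. With a signed comparison the negative difference would pass the test and the handler would stay on the current stack. Making the intent explicit costs nothing: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. The `- 8` in the new `isp` computation is unexplained here and in the do_softirq hunk further down; a short comment on what the reserved eight bytes are for is needed. The function's signature and tail are in neighbouring hunks.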
15918 @@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
15919 : "0" (irq), "1" (desc), "2" (isp),
15920 "D" (desc->handle_irq)
15921 : "memory", "cc", "ecx");
15922 +
15923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15924 + __set_fs(current_thread_info()->addr_limit);
15925 +#endif
15926 +
15927 return 1;
15928 }
15929
15930 @@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
15931 */
15932 void __cpuinit irq_ctx_init(int cpu)
15933 {
15934 - union irq_ctx *irqctx;
15935 -
15936 if (per_cpu(hardirq_ctx, cpu))
15937 return;
15938
15939 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15940 - THREAD_FLAGS,
15941 - THREAD_ORDER));
15942 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15943 - irqctx->tinfo.cpu = cpu;
15944 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15945 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15946 -
15947 - per_cpu(hardirq_ctx, cpu) = irqctx;
15948 -
15949 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15950 - THREAD_FLAGS,
15951 - THREAD_ORDER));
15952 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15953 - irqctx->tinfo.cpu = cpu;
15954 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15955 -
15956 - per_cpu(softirq_ctx, cpu) = irqctx;
15957 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15958 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15959
15960 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15961 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
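Review bot: Both new assignments pass the result of `alloc_pages_node()` straight into `page_address()`, so an allocation failure goes unnoticed and an invalid address ends up as a per-CPU IRQ stack. The removed code had the same gap, but the rewrite is the place to close it: hold the page in a local, `struct page *pg = alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER);`, and test it before calling `page_address(pg)`. What to do on failure is a policy choice the hunk does not show, since the function returns void. The `(thread information and stack)` wording in the `union irq_ctx` comment of the earlier hunk is stale now that `tinfo` is gone.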
15962 @@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
15963 asmlinkage void do_softirq(void)
15964 {
15965 unsigned long flags;
15966 - struct thread_info *curctx;
15967 union irq_ctx *irqctx;
15968 u32 *isp;
15969
15970 @@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
15971 local_irq_save(flags);
15972
15973 if (local_softirq_pending()) {
15974 - curctx = current_thread_info();
15975 irqctx = __this_cpu_read(softirq_ctx);
15976 - irqctx->tinfo.task = curctx->task;
15977 - irqctx->tinfo.previous_esp = current_stack_pointer;
15978 + irqctx->previous_esp = current_stack_pointer;
15979
15980 /* build the stack frame on the softirq stack */
15981 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15982 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15983 +
15984 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15985 + __set_fs(MAKE_MM_SEG(0));
15986 +#endif
15987
15988 call_on_stack(__do_softirq, isp);
15989 +
15990 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15991 + __set_fs(current_thread_info()->addr_limit);
15992 +#endif
15993 +
15994 /*
15995 * Shouldn't happen, we returned above if in_interrupt():
15996 */
15997 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq.c linux-2.6.39.3/arch/x86/kernel/irq.c
15998 --- linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400
15999 +++ linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400
16000 @@ -17,7 +17,7 @@
16001 #include <asm/mce.h>
16002 #include <asm/hw_irq.h>
16003
16004 -atomic_t irq_err_count;
16005 +atomic_unchecked_t irq_err_count;
16006
16007 /* Function pointer for generic interrupt vector handling */
16008 void (*x86_platform_ipi_callback)(void) = NULL;
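Review bot: `irq_err_count` switches to `atomic_unchecked_t` with no comment recording why it is exempt. Judging by the names, the `_unchecked` variants opt a value out of overflow checking. That is reasonable for a statistic that may wrap, but it should be a stated decision at the declaration, e.g. `/* statistics only, wrap-around is harmless */`. The i8259.c hunk above and the readers in the next two hunks of this file follow from this declaration.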
16009 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
16010 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16011 seq_printf(p, " Machine check polls\n");
16012 #endif
16013 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16014 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16015 #if defined(CONFIG_X86_IO_APIC)
16016 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16017 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16018 #endif
16019 return 0;
16020 }
16021 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16022
16023 u64 arch_irq_stat(void)
16024 {
16025 - u64 sum = atomic_read(&irq_err_count);
16026 + u64 sum = atomic_read_unchecked(&irq_err_count);
16027
16028 #ifdef CONFIG_X86_IO_APIC
16029 - sum += atomic_read(&irq_mis_count);
16030 + sum += atomic_read_unchecked(&irq_mis_count);
16031 #endif
16032 return sum;
16033 }
16034 diff -urNp linux-2.6.39.3/arch/x86/kernel/kgdb.c linux-2.6.39.3/arch/x86/kernel/kgdb.c
16035 --- linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
16036 +++ linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
16037 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
16038 #ifdef CONFIG_X86_32
16039 switch (regno) {
16040 case GDB_SS:
16041 - if (!user_mode_vm(regs))
16042 + if (!user_mode(regs))
16043 *(unsigned long *)mem = __KERNEL_DS;
16044 break;
16045 case GDB_SP:
16046 - if (!user_mode_vm(regs))
16047 + if (!user_mode(regs))
16048 *(unsigned long *)mem = kernel_stack_pointer(regs);
16049 break;
16050 case GDB_GS:
16051 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
16052 case 'k':
16053 /* clear the trace bit */
16054 linux_regs->flags &= ~X86_EFLAGS_TF;
16055 - atomic_set(&kgdb_cpu_doing_single_step, -1);
16056 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16057
16058 /* set the trace bit if we're stepping */
16059 if (remcomInBuffer[0] == 's') {
16060 linux_regs->flags |= X86_EFLAGS_TF;
16061 - atomic_set(&kgdb_cpu_doing_single_step,
16062 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16063 raw_smp_processor_id());
16064 }
16065
16066 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
16067 return NOTIFY_DONE;
16068
16069 case DIE_DEBUG:
16070 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
16071 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
16072 if (user_mode(regs))
16073 return single_step_cont(regs, args);
16074 break;
16075 @@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
16076 regs->ip = ip;
16077 }
16078
16079 -struct kgdb_arch arch_kgdb_ops = {
16080 +const struct kgdb_arch arch_kgdb_ops = {
16081 /* Breakpoint instruction: */
16082 .gdb_bpt_instr = { 0xcc },
16083 .flags = KGDB_HW_BREAKPOINT,
16084 diff -urNp linux-2.6.39.3/arch/x86/kernel/kprobes.c linux-2.6.39.3/arch/x86/kernel/kprobes.c
16085 --- linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
16086 +++ linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400
16087 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
16088 } __attribute__((packed)) *insn;
16089
16090 insn = (struct __arch_relative_insn *)from;
16091 +
16092 + pax_open_kernel();
16093 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
16094 insn->op = op;
16095 + pax_close_kernel();
16096 }
16097
16098 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
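Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair is added around the two stores with no word on what it protects. Presumably `from` can point into kernel memory that is otherwise write-protected. A comment should say so and say that only the stores belong inside the window: `/* 'from' may be read-only kernel memory; keep the writable window to these two stores */`. The same bracket appears twice in the __copy_instruction hunks below, where the `BUG_ON` sanity check rightly stays outside it.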
16099 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
16100 kprobe_opcode_t opcode;
16101 kprobe_opcode_t *orig_opcodes = opcodes;
16102
16103 - if (search_exception_tables((unsigned long)opcodes))
16104 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16105 return 0; /* Page fault may occur on this address. */
16106
16107 retry:
16108 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
16109 }
16110 }
16111 insn_get_length(&insn);
16112 + pax_open_kernel();
16113 memcpy(dest, insn.kaddr, insn.length);
16114 + pax_close_kernel();
16115
16116 #ifdef CONFIG_X86_64
16117 if (insn_rip_relative(&insn)) {
16118 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
16119 (u8 *) dest;
16120 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
16121 disp = (u8 *) dest + insn_offset_displacement(&insn);
16122 + pax_open_kernel();
16123 *(s32 *) disp = (s32) newdisp;
16124 + pax_close_kernel();
16125 }
16126 #endif
16127 return insn.length;
16128 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
16129 */
16130 __copy_instruction(p->ainsn.insn, p->addr, 0);
16131
16132 - if (can_boost(p->addr))
16133 + if (can_boost(ktla_ktva(p->addr)))
16134 p->ainsn.boostable = 0;
16135 else
16136 p->ainsn.boostable = -1;
16137
16138 - p->opcode = *p->addr;
16139 + p->opcode = *(ktla_ktva(p->addr));
16140 }
16141
16142 int __kprobes arch_prepare_kprobe(struct kprobe *p)
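Review bot: `ktla_ktva()` is called here with a bare pointer and its result is dereferenced directly, `*(ktla_ktva(p->addr))`, which is inconsistent with the other call sites in this file. The kprobe_handler hunk casts both ways, `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)`, and arch_prepare_optimized_kprobe passes `(long)op->kp.addr` in one place and the uncast `op->kp.addr` and `optimized_callback` in others. The definition is not on this page, so whether all forms behave the same cannot be checked from here; one convention should be used throughout. A short comment at each site naming the address space would also help, because `regs->ip` receives `ktva_ktla()` values while reads of probed text go through `ktla_ktva()`.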
16143 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
16144 * nor set current_kprobe, because it doesn't use single
16145 * stepping.
16146 */
16147 - regs->ip = (unsigned long)p->ainsn.insn;
16148 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16149 preempt_enable_no_resched();
16150 return;
16151 }
16152 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
16153 if (p->opcode == BREAKPOINT_INSTRUCTION)
16154 regs->ip = (unsigned long)p->addr;
16155 else
16156 - regs->ip = (unsigned long)p->ainsn.insn;
16157 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16158 }
16159
16160 /*
16161 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
16162 setup_singlestep(p, regs, kcb, 0);
16163 return 1;
16164 }
16165 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
16166 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16167 /*
16168 * The breakpoint instruction was removed right
16169 * after we hit it. Another cpu has removed
16170 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
16171 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16172 {
16173 unsigned long *tos = stack_addr(regs);
16174 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16175 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16176 unsigned long orig_ip = (unsigned long)p->addr;
16177 kprobe_opcode_t *insn = p->ainsn.insn;
16178
16179 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
16180 struct die_args *args = data;
16181 int ret = NOTIFY_DONE;
16182
16183 - if (args->regs && user_mode_vm(args->regs))
16184 + if (args->regs && user_mode(args->regs))
16185 return ret;
16186
16187 switch (val) {
16188 @@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr
16189 * Verify if the address gap is in 2GB range, because this uses
16190 * a relative jump.
16191 */
16192 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
16193 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
16194 if (abs(rel) > 0x7fffffff)
16195 return -ERANGE;
16196
16197 @@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr
16198 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
16199
16200 /* Set probe function call */
16201 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
16202 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
16203
16204 /* Set returning jmp instruction at the tail of out-of-line buffer */
16205 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
16206 - (u8 *)op->kp.addr + op->optinsn.size);
16207 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
16208
16209 flush_icache_range((unsigned long) buf,
16210 (unsigned long) buf + TMPL_END_IDX +
16211 @@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr
16212 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
16213
16214 /* Backup instructions which will be replaced by jump address */
16215 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
16216 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
16217 RELATIVE_ADDR_SIZE);
16218
16219 insn_buf[0] = RELATIVEJUMP_OPCODE;
16220 diff -urNp linux-2.6.39.3/arch/x86/kernel/ldt.c linux-2.6.39.3/arch/x86/kernel/ldt.c
16221 --- linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400
16222 +++ linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400
16223 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
16224 if (reload) {
16225 #ifdef CONFIG_SMP
16226 preempt_disable();
16227 - load_LDT(pc);
16228 + load_LDT_nolock(pc);
16229 if (!cpumask_equal(mm_cpumask(current->mm),
16230 cpumask_of(smp_processor_id())))
16231 smp_call_function(flush_ldt, current->mm, 1);
16232 preempt_enable();
16233 #else
16234 - load_LDT(pc);
16235 + load_LDT_nolock(pc);
16236 #endif
16237 }
16238 if (oldsize) {
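Review bot: In the `#else` branch `load_LDT_nolock(pc)` is now called with no `preempt_disable()` around it, whereas the SMP branch keeps its own. If `load_LDT()` provided that protection itself, as the `_nolock` name of its replacement suggests, the uniprocessor path with kernel preemption enabled has lost it; the definitions are outside this page, so this needs checking. If the call is safe as written, a comment beside it should say why. alloc_ldt starts and ends outside the hunk.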
16239 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
16240 return err;
16241
16242 for (i = 0; i < old->size; i++)
16243 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16244 + write_ldt_entry(new->ldt, i, old->ldt + i);
16245 return 0;
16246 }
16247
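Review bot: Dropping `* LDT_ENTRY_SIZE` from `old->ldt + i` is only right if `ldt` has become a pointer to a descriptor-sized type elsewhere in this patch. With a byte or `void *` pointer the copy would advance one byte per entry. The field's declaration is not on this page, so the two changes have to be checked together. Indexing states the intent and fails to compile on a `void *` field: `write_ldt_entry(new->ldt, i, &old->ldt[i]);`.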
16248 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
16249 retval = copy_ldt(&mm->context, &old_mm->context);
16250 mutex_unlock(&old_mm->context.lock);
16251 }
16252 +
16253 + if (tsk == current) {
16254 + mm->context.vdso = 0;
16255 +
16256 +#ifdef CONFIG_X86_32
16257 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16258 + mm->context.user_cs_base = 0UL;
16259 + mm->context.user_cs_limit = ~0UL;
16260 +
16261 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16262 + cpus_clear(mm->context.cpu_user_cs_mask);
16263 +#endif
16264 +
16265 +#endif
16266 +#endif
16267 +
16268 + }
16269 +
16270 return retval;
16271 }
16272
16273 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
16274 }
16275 }
16276
16277 +#ifdef CONFIG_PAX_SEGMEXEC
16278 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16279 + error = -EINVAL;
16280 + goto out_unlock;
16281 + }
16282 +#endif
16283 +
16284 fill_ldt(&ldt, &ldt_info);
16285 if (oldmode)
16286 ldt.avl = 0;
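Review bot: The new SEGMEXEC check rejects LDT entries with `MODIFY_LDT_CONTENTS_CODE` but gives no reason. Presumably a user-installed code segment would sidestep the segment-based execute restriction for that mm. Stating it keeps the check from being removed later as an arbitrary limit: `/* SEGMEXEC relies on the code segment limit; no user-defined code segments */`. Returning `-EINVAL` makes the refusal look like a malformed request to the caller, which may be intended but should be noted. The `out_unlock` label and the rest of write_ldt are outside the hunk.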
16287 diff -urNp linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c
16288 --- linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400
16289 +++ linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400
16290 @@ -27,7 +27,7 @@
16291 #include <asm/cacheflush.h>
16292 #include <asm/debugreg.h>
16293
16294 -static void set_idt(void *newidt, __u16 limit)
16295 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16296 {
16297 struct desc_ptr curidt;
16298
16299 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
16300 }
16301
16302
16303 -static void set_gdt(void *newgdt, __u16 limit)
16304 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16305 {
16306 struct desc_ptr curgdt;
16307
16308 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16309 }
16310
16311 control_page = page_address(image->control_code_page);
16312 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16313 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16314
16315 relocate_kernel_ptr = control_page;
16316 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16317 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_amd.c linux-2.6.39.3/arch/x86/kernel/microcode_amd.c
16318 --- linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400
16319 +++ linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400
16320 @@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c
16321 uci->mc = NULL;
16322 }
16323
16324 -static struct microcode_ops microcode_amd_ops = {
16325 +static const struct microcode_ops microcode_amd_ops = {
16326 .request_microcode_user = request_microcode_user,
16327 .request_microcode_fw = request_microcode_amd,
16328 .collect_cpu_info = collect_cpu_info_amd,
16329 @@ -347,7 +347,7 @@ static struct microcode_ops microcode_am
16330 .microcode_fini_cpu = microcode_fini_cpu_amd,
16331 };
16332
16333 -struct microcode_ops * __init init_amd_microcode(void)
16334 +const struct microcode_ops * __init init_amd_microcode(void)
16335 {
16336 return &microcode_amd_ops;
16337 }
16338 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_core.c linux-2.6.39.3/arch/x86/kernel/microcode_core.c
16339 --- linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400
16340 +++ linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400
16341 @@ -93,7 +93,7 @@ MODULE_LICENSE("GPL");
16342
16343 #define MICROCODE_VERSION "2.00"
16344
16345 -static struct microcode_ops *microcode_ops;
16346 +static const struct microcode_ops *microcode_ops;
16347
16348 /*
16349 * Synchronization.
16350 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_intel.c linux-2.6.39.3/arch/x86/kernel/microcode_intel.c
16351 --- linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400
16352 +++ linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400
16353 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
16354
16355 static int get_ucode_user(void *to, const void *from, size_t n)
16356 {
16357 - return copy_from_user(to, from, n);
16358 + return copy_from_user(to, (__force const void __user *)from, n);
16359 }
16360
16361 static enum ucode_state
16362 request_microcode_user(int cpu, const void __user *buf, size_t size)
16363 {
16364 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16365 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
16366 }
16367
16368 static void microcode_fini_cpu(int cpu)
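Review bot: The `__force` casts added in get_ucode_user and request_microcode_user silence the address-space checker but leave the underlying pattern undocumented: a `__user` pointer is passed on as a plain `void *` and cast back inside the callback. Anyone reading generic_load_microcode (not visible here) sees an ordinary kernel pointer, so a direct dereference there would no longer be flagged. A comment at both casts would make the contract explicit, for example `/* buf is user memory; it is only ever read through the copy callback, never dereferenced directly */`. If the loader's signature can be changed, carrying the source pointer as an opaque `const void *` with that rule stated on the callback type would be cleaner than two opposing casts.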
16369 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
16370 uci->mc = NULL;
16371 }
16372
16373 -static struct microcode_ops microcode_intel_ops = {
16374 +static const struct microcode_ops microcode_intel_ops = {
16375 .request_microcode_user = request_microcode_user,
16376 .request_microcode_fw = request_microcode_fw,
16377 .collect_cpu_info = collect_cpu_info,
16378 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
16379 .microcode_fini_cpu = microcode_fini_cpu,
16380 };
16381
16382 -struct microcode_ops * __init init_intel_microcode(void)
16383 +const struct microcode_ops * __init init_intel_microcode(void)
16384 {
16385 return &microcode_intel_ops;
16386 }
16387 diff -urNp linux-2.6.39.3/arch/x86/kernel/module.c linux-2.6.39.3/arch/x86/kernel/module.c
16388 --- linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
16389 +++ linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
16390 @@ -35,21 +35,66 @@
16391 #define DEBUGP(fmt...)
16392 #endif
16393
16394 -void *module_alloc(unsigned long size)
16395 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
16396 {
16397 if (PAGE_ALIGN(size) > MODULES_LEN)
16398 return NULL;
16399 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
16400 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
16401 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
16402 -1, __builtin_return_address(0));
16403 }
16404
16405 +void *module_alloc(unsigned long size)
16406 +{
16407 +
16408 +#ifdef CONFIG_PAX_KERNEXEC
16409 + return __module_alloc(size, PAGE_KERNEL);
16410 +#else
16411 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16412 +#endif
16413 +
16414 +}
16415 +
16416 /* Free memory returned from module_alloc */
16417 void module_free(struct module *mod, void *module_region)
16418 {
16419 vfree(module_region);
16420 }
16421
16422 +#ifdef CONFIG_PAX_KERNEXEC
16423 +#ifdef CONFIG_X86_32
16424 +void *module_alloc_exec(unsigned long size)
16425 +{
16426 + struct vm_struct *area;
16427 +
16428 + if (size == 0)
16429 + return NULL;
16430 +
16431 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16432 + return area ? area->addr : NULL;
16433 +}
16434 +EXPORT_SYMBOL(module_alloc_exec);
16435 +
16436 +void module_free_exec(struct module *mod, void *module_region)
16437 +{
16438 + vunmap(module_region);
16439 +}
16440 +EXPORT_SYMBOL(module_free_exec);
16441 +#else
16442 +void module_free_exec(struct module *mod, void *module_region)
16443 +{
16444 + module_free(mod, module_region);
16445 +}
16446 +EXPORT_SYMBOL(module_free_exec);
16447 +
16448 +void *module_alloc_exec(unsigned long size)
16449 +{
16450 + return __module_alloc(size, PAGE_KERNEL_RX);
16451 +}
16452 +EXPORT_SYMBOL(module_alloc_exec);
16453 +#endif
16454 +#endif
16455 +
16456 /* We don't need anything special. */
16457 int module_frob_arch_sections(Elf_Ehdr *hdr,
16458 Elf_Shdr *sechdrs,
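Review bot: The two `module_alloc_exec()` variants added here have different contracts and neither carries a comment. The CONFIG_X86_32 one calls `__get_vm_area()` and returns `area->addr`, which as far as this hunk shows only reserves a range between `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` without mapping pages, and its free side is `vunmap()`; the other variant goes through `__module_alloc()` with `PAGE_KERNEL_RX` and is freed with `module_free()`. Each pair should get a header comment stating who maps the pages, which free function matches it, and that memory from `module_alloc()` is non-executable when CONFIG_PAX_KERNEXEC is set. It is also worth one line on `__module_alloc` noting that `__GFP_ZERO` was added on purpose, so module memory is zeroed before use, and that `__builtin_return_address(0)` now sits in an inline helper, so the caller recorded for the allocation depends on whether the helper is actually inlined.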
16459 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16460 unsigned int i;
16461 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16462 Elf32_Sym *sym;
16463 - uint32_t *location;
16464 + uint32_t *plocation, location;
16465
16466 DEBUGP("Applying relocate section %u to %u\n", relsec,
16467 sechdrs[relsec].sh_info);
16468 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16469 /* This is where to make the change */
16470 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16471 - + rel[i].r_offset;
16472 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16473 + location = (uint32_t)plocation;
16474 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16475 + plocation = ktla_ktva((void *)plocation);
16476 /* This is the symbol it is referring to. Note that all
16477 undefined symbols have been resolved. */
16478 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
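Review bot: apply_relocate now keeps two addresses for each relocation, `plocation` and `location`, and the difference between them is not explained anywhere in the hunk. As written, `location` holds the original target address and is what the `R_386_PC32` case subtracts, while `plocation` is passed through `ktla_ktva()` for executable sections and is the pointer actually written through; mixing the two up would produce wrong PC-relative values without any warning. Suggested comment above the assignment: `/* location: address the code will run at (used for PC-relative math); plocation: alias the store goes through */`. The cast in `ktla_ktva((void *)plocation)` also looks redundant, and other call sites in this patch pass an `unsigned long`, so the expected argument type should be settled in one place. The loop body continues in the next hunk.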
16479 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16480 switch (ELF32_R_TYPE(rel[i].r_info)) {
16481 case R_386_32:
16482 /* We add the value into the location given */
16483 - *location += sym->st_value;
16484 + pax_open_kernel();
16485 + *plocation += sym->st_value;
16486 + pax_close_kernel();
16487 break;
16488 case R_386_PC32:
16489 /* Add the value, subtract its postition */
16490 - *location += sym->st_value - (uint32_t)location;
16491 + pax_open_kernel();
16492 + *plocation += sym->st_value - location;
16493 + pax_close_kernel();
16494 break;
16495 default:
16496 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16497 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16498 case R_X86_64_NONE:
16499 break;
16500 case R_X86_64_64:
16501 + pax_open_kernel();
16502 *(u64 *)loc = val;
16503 + pax_close_kernel();
16504 break;
16505 case R_X86_64_32:
16506 + pax_open_kernel();
16507 *(u32 *)loc = val;
16508 + pax_close_kernel();
16509 if (val != *(u32 *)loc)
16510 goto overflow;
16511 break;
16512 case R_X86_64_32S:
16513 + pax_open_kernel();
16514 *(s32 *)loc = val;
16515 + pax_close_kernel();
16516 if ((s64)val != *(s32 *)loc)
16517 goto overflow;
16518 break;
16519 case R_X86_64_PC32:
16520 val -= (u64)loc;
16521 + pax_open_kernel();
16522 *(u32 *)loc = val;
16523 + pax_close_kernel();
16524 +
16525 #if 0
16526 if ((s64)val != *(s32 *)loc)
16527 goto overflow;
16528 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt.c linux-2.6.39.3/arch/x86/kernel/paravirt.c
16529 --- linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400
16530 +++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-22 19:36:30.000000000 -0400
16531 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16532 * corresponding structure. */
16533 static void *get_call_destination(u8 type)
16534 {
16535 - struct paravirt_patch_template tmpl = {
16536 + const struct paravirt_patch_template tmpl = {
16537 .pv_init_ops = pv_init_ops,
16538 .pv_time_ops = pv_time_ops,
16539 .pv_cpu_ops = pv_cpu_ops,
16540 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
16541 .pv_lock_ops = pv_lock_ops,
16542 #endif
16543 };
16544 +
16545 + pax_track_stack();
16546 +
16547 return *((void **)&tmpl + type);
16548 }
16549
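Review bot: After `tmpl` became `const` in get_call_destination, the return statement `*((void **)&tmpl + type)` casts the qualifier away again. The read itself is harmless, but it defeats the point of the qualifier and will trip `-Wcast-qual`; `return *((void * const *)&tmpl + type);` keeps the object read-only through the access. While touching this line, a comment that `type` is trusted to be a valid slot index into the template would help, since nothing in the visible code bounds it. The function's opening lines are in the previous hunk.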
16550 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
16551 if (opfunc == NULL)
16552 /* If there's no function, patch it with a ud2a (BUG) */
16553 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16554 - else if (opfunc == _paravirt_nop)
16555 + else if (opfunc == (void *)_paravirt_nop)
16556 /* If the operation is a nop, then nop the callsite */
16557 ret = paravirt_patch_nop();
16558
16559 /* identity functions just return their single argument */
16560 - else if (opfunc == _paravirt_ident_32)
16561 + else if (opfunc == (void *)_paravirt_ident_32)
16562 ret = paravirt_patch_ident_32(insnbuf, len);
16563 - else if (opfunc == _paravirt_ident_64)
16564 + else if (opfunc == (void *)_paravirt_ident_64)
16565 ret = paravirt_patch_ident_64(insnbuf, len);
16566
16567 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16568 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
16569 if (insn_len > len || start == NULL)
16570 insn_len = len;
16571 else
16572 - memcpy(insnbuf, start, insn_len);
16573 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16574
16575 return insn_len;
16576 }
16577 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
16578 preempt_enable();
16579 }
16580
16581 -struct pv_info pv_info = {
16582 +struct pv_info pv_info __read_only = {
16583 .name = "bare hardware",
16584 .paravirt_enabled = 0,
16585 .kernel_rpl = 0,
16586 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16587 };
16588
16589 -struct pv_init_ops pv_init_ops = {
16590 +struct pv_init_ops pv_init_ops __read_only = {
16591 .patch = native_patch,
16592 };
16593
16594 -struct pv_time_ops pv_time_ops = {
16595 +struct pv_time_ops pv_time_ops __read_only = {
16596 .sched_clock = native_sched_clock,
16597 };
16598
16599 -struct pv_irq_ops pv_irq_ops = {
16600 +struct pv_irq_ops pv_irq_ops __read_only = {
16601 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16602 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16603 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
16604 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
16605 #endif
16606 };
16607
16608 -struct pv_cpu_ops pv_cpu_ops = {
16609 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16610 .cpuid = native_cpuid,
16611 .get_debugreg = native_get_debugreg,
16612 .set_debugreg = native_set_debugreg,
16613 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
16614 .end_context_switch = paravirt_nop,
16615 };
16616
16617 -struct pv_apic_ops pv_apic_ops = {
16618 +struct pv_apic_ops pv_apic_ops __read_only = {
16619 #ifdef CONFIG_X86_LOCAL_APIC
16620 .startup_ipi_hook = paravirt_nop,
16621 #endif
16622 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
16623 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16624 #endif
16625
16626 -struct pv_mmu_ops pv_mmu_ops = {
16627 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16628
16629 .read_cr2 = native_read_cr2,
16630 .write_cr2 = native_write_cr2,
16631 @@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16632 },
16633
16634 .set_fixmap = native_set_fixmap,
16635 +
16636 +#ifdef CONFIG_PAX_KERNEXEC
16637 + .pax_open_kernel = native_pax_open_kernel,
16638 + .pax_close_kernel = native_pax_close_kernel,
16639 +#endif
16640 +
16641 };
16642
16643 EXPORT_SYMBOL_GPL(pv_time_ops);
16644 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c
16645 --- linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400
16646 +++ linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400
16647 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
16648 arch_spin_lock(lock);
16649 }
16650
16651 -struct pv_lock_ops pv_lock_ops = {
16652 +struct pv_lock_ops pv_lock_ops __read_only = {
16653 #ifdef CONFIG_SMP
16654 .spin_is_locked = __ticket_spin_is_locked,
16655 .spin_is_contended = __ticket_spin_is_contended,
16656 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c
16657 --- linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400
16658 +++ linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400
16659 @@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru
16660 static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl);
16661 static void get_tce_space_from_tar(void);
16662
16663 -static struct cal_chipset_ops calgary_chip_ops = {
16664 +static const struct cal_chipset_ops calgary_chip_ops = {
16665 .handle_quirks = calgary_handle_quirks,
16666 .tce_cache_blast = calgary_tce_cache_blast,
16667 .dump_error_regs = calgary_dump_error_regs
16668 };
16669
16670 -static struct cal_chipset_ops calioc2_chip_ops = {
16671 +static const struct cal_chipset_ops calioc2_chip_ops = {
16672 .handle_quirks = calioc2_handle_quirks,
16673 .tce_cache_blast = calioc2_tce_cache_blast,
16674 .dump_error_regs = calioc2_dump_error_regs
16675 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
16676 free_pages((unsigned long)vaddr, get_order(size));
16677 }
16678
16679 -static struct dma_map_ops calgary_dma_ops = {
16680 +static const struct dma_map_ops calgary_dma_ops = {
16681 .alloc_coherent = calgary_alloc_coherent,
16682 .free_coherent = calgary_free_coherent,
16683 .map_sg = calgary_map_sg,
16684 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-dma.c linux-2.6.39.3/arch/x86/kernel/pci-dma.c
16685 --- linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
16686 +++ linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
16687 @@ -16,7 +16,7 @@
16688
16689 static int forbid_dac __read_mostly;
16690
16691 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
16692 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
16693 EXPORT_SYMBOL(dma_ops);
16694
16695 static int iommu_sac_force __read_mostly;
16696 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
16697
16698 int dma_supported(struct device *dev, u64 mask)
16699 {
16700 - struct dma_map_ops *ops = get_dma_ops(dev);
16701 + const struct dma_map_ops *ops = get_dma_ops(dev);
16702
16703 #ifdef CONFIG_PCI
16704 if (mask > 0xffffffff && forbid_dac > 0) {
16705 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c
16706 --- linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400
16707 +++ linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400
16708 @@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a
16709 return -1;
16710 }
16711
16712 -static struct dma_map_ops gart_dma_ops = {
16713 +static const struct dma_map_ops gart_dma_ops = {
16714 .map_sg = gart_map_sg,
16715 .unmap_sg = gart_unmap_sg,
16716 .map_page = gart_map_page,
16717 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c
16718 --- linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400
16719 +++ linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400
16720 @@ -2,7 +2,7 @@
16721 #include <asm/iommu_table.h>
16722 #include <linux/string.h>
16723 #include <linux/kallsyms.h>
16724 -
16725 +#include <linux/sched.h>
16726
16727 #define DEBUG 1
16728
16729 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
16730 char sym_p[KSYM_SYMBOL_LEN];
16731 char sym_q[KSYM_SYMBOL_LEN];
16732
16733 + pax_track_stack();
16734 +
16735 /* Simple cyclic dependency checker. */
16736 for (p = start; p < finish; p++) {
16737 q = find_dependents_of(start, finish, p);
16738 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-nommu.c linux-2.6.39.3/arch/x86/kernel/pci-nommu.c
16739 --- linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400
16740 +++ linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400
16741 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
16742 flush_write_buffers();
16743 }
16744
16745 -struct dma_map_ops nommu_dma_ops = {
16746 +const struct dma_map_ops nommu_dma_ops = {
16747 .alloc_coherent = dma_generic_alloc_coherent,
16748 .free_coherent = nommu_free_coherent,
16749 .map_sg = nommu_map_sg,
16750 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c
16751 --- linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
16752 +++ linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
16753 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
16754 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16755 }
16756
16757 -static struct dma_map_ops swiotlb_dma_ops = {
16758 +static const struct dma_map_ops swiotlb_dma_ops = {
16759 .mapping_error = swiotlb_dma_mapping_error,
16760 .alloc_coherent = x86_swiotlb_alloc_coherent,
16761 .free_coherent = swiotlb_free_coherent,
16762 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_32.c linux-2.6.39.3/arch/x86/kernel/process_32.c
16763 --- linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 12:55:22.000000000 -0400
16764 +++ linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 13:00:25.000000000 -0400
16765 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
16766 unsigned long thread_saved_pc(struct task_struct *tsk)
16767 {
16768 return ((unsigned long *)tsk->thread.sp)[3];
16769 +//XXX return tsk->thread.eip;
16770 }
16771
16772 #ifndef CONFIG_SMP
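Review bot: The line `//XXX return tsk->thread.eip;` added to thread_saved_pc is dead, commented-out code placed after the live `return`, and it names a field `eip` while the rest of this file uses `p->thread.ip` (see the copy_thread hunk below). If the intent is to record that reading the saved stack slot `[3]` is fragile and the thread's saved instruction pointer would be a better source, say so in words: `/* TODO: index 3 depends on the switch_to frame layout; consider returning tsk->thread.ip instead */`. Otherwise the line should be dropped from the patch.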
16773 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
16774 unsigned long sp;
16775 unsigned short ss, gs;
16776
16777 - if (user_mode_vm(regs)) {
16778 + if (user_mode(regs)) {
16779 sp = regs->sp;
16780 ss = regs->ss & 0xffff;
16781 - gs = get_user_gs(regs);
16782 } else {
16783 sp = kernel_stack_pointer(regs);
16784 savesegment(ss, ss);
16785 - savesegment(gs, gs);
16786 }
16787 + gs = get_user_gs(regs);
16788
16789 show_regs_common();
16790
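Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in __show_regs is only safe if this patch also changes what `user_mode()` tests, and that definition is not in this part of the diff. In the unpatched header `user_mode()` looks at the CS privilege bits only, so a vm86 frame would be classified as kernel mode; the same substitution appears in fill_sigtrap_info in arch/x86/kernel/ptrace.c, where it decides whether `si_addr` is filled in. A short comment at the redefinition, referenced from the commit message, would let reviewers check every converted call site against it. Separately, `gs = get_user_gs(regs)` now runs for kernel-mode frames too, so the dump shows the saved value rather than a live `savesegment(gs, gs)` read; that deserves a one-line comment since it changes what the oops output means.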
16791 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
16792 struct task_struct *tsk;
16793 int err;
16794
16795 - childregs = task_pt_regs(p);
16796 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16797 *childregs = *regs;
16798 childregs->ax = 0;
16799 childregs->sp = sp;
16800
16801 p->thread.sp = (unsigned long) childregs;
16802 p->thread.sp0 = (unsigned long) (childregs+1);
16803 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16804
16805 p->thread.ip = (unsigned long) ret_from_fork;
16806
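Review bot: The bare `- 8` in `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` is an unexplained magic number that has to stay in step with several other places. The process_64.c copy_thread hunk uses `- 16`, its get_wchan hunk uses `THREAD_SIZE-16-sizeof(u64)` twice, and the 64-bit __switch_to hunk drops the `KERNEL_STACK_OFFSET` expression in favour of `next->sp0`. A single named per-architecture constant for the padding at the top of the kernel stack (the name is up to the author) with a comment saying what the reserved bytes are for would keep these in agreement and make the get_wchan bounds checkable by inspection. The new `p->tinfo.lowest_stack` initialisation should likewise say what consumes it. copy_thread starts and ends outside this hunk.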
16807 @@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
16808 struct thread_struct *prev = &prev_p->thread,
16809 *next = &next_p->thread;
16810 int cpu = smp_processor_id();
16811 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16812 + struct tss_struct *tss = init_tss + cpu;
16813 bool preload_fpu;
16814
16815 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16816 @@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
16817 */
16818 lazy_save_gs(prev->gs);
16819
16820 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16821 + __set_fs(task_thread_info(next_p)->addr_limit);
16822 +#endif
16823 +
16824 /*
16825 * Load the per-thread Thread-Local Storage descriptor.
16826 */
16827 @@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
16828 */
16829 arch_end_context_switch(next_p);
16830
16831 + percpu_write(current_task, next_p);
16832 + percpu_write(current_tinfo, &next_p->tinfo);
16833 +
16834 if (preload_fpu)
16835 __math_state_restore();
16836
16837 @@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
16838 if (prev->gs | next->gs)
16839 lazy_load_gs(next->gs);
16840
16841 - percpu_write(current_task, next_p);
16842 -
16843 return prev_p;
16844 }
16845
16846 @@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
16847 } while (count++ < 16);
16848 return 0;
16849 }
16850 -
16851 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_64.c linux-2.6.39.3/arch/x86/kernel/process_64.c
16852 --- linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 12:55:22.000000000 -0400
16853 +++ linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 13:00:25.000000000 -0400
16854 @@ -87,7 +87,7 @@ static void __exit_idle(void)
16855 void exit_idle(void)
16856 {
16857 /* idle loop has pid 0 */
16858 - if (current->pid)
16859 + if (task_pid_nr(current))
16860 return;
16861 __exit_idle();
16862 }
16863 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
16864 struct pt_regs *childregs;
16865 struct task_struct *me = current;
16866
16867 - childregs = ((struct pt_regs *)
16868 - (THREAD_SIZE + task_stack_page(p))) - 1;
16869 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16870 *childregs = *regs;
16871
16872 childregs->ax = 0;
16873 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
16874 p->thread.sp = (unsigned long) childregs;
16875 p->thread.sp0 = (unsigned long) (childregs+1);
16876 p->thread.usersp = me->thread.usersp;
16877 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16878
16879 set_tsk_thread_flag(p, TIF_FORK);
16880
16881 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
16882 struct thread_struct *prev = &prev_p->thread;
16883 struct thread_struct *next = &next_p->thread;
16884 int cpu = smp_processor_id();
16885 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16886 + struct tss_struct *tss = init_tss + cpu;
16887 unsigned fsindex, gsindex;
16888 bool preload_fpu;
16889
16890 @@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
16891 prev->usersp = percpu_read(old_rsp);
16892 percpu_write(old_rsp, next->usersp);
16893 percpu_write(current_task, next_p);
16894 + percpu_write(current_tinfo, &next_p->tinfo);
16895
16896 - percpu_write(kernel_stack,
16897 - (unsigned long)task_stack_page(next_p) +
16898 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16899 + percpu_write(kernel_stack, next->sp0);
16900
16901 /*
16902 * Now maybe reload the debug registers and handle I/O bitmaps
16903 @@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
16904 if (!p || p == current || p->state == TASK_RUNNING)
16905 return 0;
16906 stack = (unsigned long)task_stack_page(p);
16907 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16908 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16909 return 0;
16910 fp = *(u64 *)(p->thread.sp);
16911 do {
16912 - if (fp < (unsigned long)stack ||
16913 - fp >= (unsigned long)stack+THREAD_SIZE)
16914 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16915 return 0;
16916 ip = *(u64 *)(fp+8);
16917 if (!in_sched_functions(ip))
16918 diff -urNp linux-2.6.39.3/arch/x86/kernel/process.c linux-2.6.39.3/arch/x86/kernel/process.c
16919 --- linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
16920 +++ linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
16921 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
16922
16923 void free_thread_info(struct thread_info *ti)
16924 {
16925 - free_thread_xstate(ti->task);
16926 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16927 }
16928
16929 +static struct kmem_cache *task_struct_cachep;
16930 +
16931 void arch_task_cache_init(void)
16932 {
16933 - task_xstate_cachep =
16934 - kmem_cache_create("task_xstate", xstate_size,
16935 + /* create a slab on which task_structs can be allocated */
16936 + task_struct_cachep =
16937 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16938 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16939 +
16940 + task_xstate_cachep =
16941 + kmem_cache_create("task_xstate", xstate_size,
16942 __alignof__(union thread_xstate),
16943 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16944 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16945 +}
16946 +
16947 +struct task_struct *alloc_task_struct_node(int node)
16948 +{
16949 + return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
16950 +}
16951 +
16952 +void free_task_struct(struct task_struct *task)
16953 +{
16954 + free_thread_xstate(task);
16955 + kmem_cache_free(task_struct_cachep, task);
16956 }
16957
16958 /*
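Review bot: Moving `free_thread_xstate()` out of free_thread_info and into the new free_task_struct changes which object's lifetime owns the extended state, and the hunk does not document it. After this change, freeing the stack pages no longer releases the xstate, so any path that frees a thread_info without also going through free_task_struct would leak it; whether such a path exists is not visible here. Suggested comment on free_task_struct: `/* the xstate buffer is owned by the task_struct; release it here, free_thread_info() no longer does */`. alloc_task_struct_node should also state that it can return NULL and that the object is not zeroed, and the `SLAB_USERCOPY` flag added to the task_xstate cache deserves a word on why that cache in particular is exposed to user copies.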
16959 @@ -70,7 +87,7 @@ void exit_thread(void)
16960 unsigned long *bp = t->io_bitmap_ptr;
16961
16962 if (bp) {
16963 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16964 + struct tss_struct *tss = init_tss + get_cpu();
16965
16966 t->io_bitmap_ptr = NULL;
16967 clear_thread_flag(TIF_IO_BITMAP);
16968 @@ -106,7 +123,7 @@ void show_regs_common(void)
16969
16970 printk(KERN_CONT "\n");
16971 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
16972 - current->pid, current->comm, print_tainted(),
16973 + task_pid_nr(current), current->comm, print_tainted(),
16974 init_utsname()->release,
16975 (int)strcspn(init_utsname()->version, " "),
16976 init_utsname()->version);
16977 @@ -120,6 +137,9 @@ void flush_thread(void)
16978 {
16979 struct task_struct *tsk = current;
16980
16981 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16982 + loadsegment(gs, 0);
16983 +#endif
16984 flush_ptrace_hw_breakpoint(tsk);
16985 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
16986 /*
16987 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
16988 regs.di = (unsigned long) arg;
16989
16990 #ifdef CONFIG_X86_32
16991 - regs.ds = __USER_DS;
16992 - regs.es = __USER_DS;
16993 + regs.ds = __KERNEL_DS;
16994 + regs.es = __KERNEL_DS;
16995 regs.fs = __KERNEL_PERCPU;
16996 - regs.gs = __KERNEL_STACK_CANARY;
16997 + savesegment(gs, regs.gs);
16998 #else
16999 regs.ss = __KERNEL_DS;
17000 #endif
17001 @@ -401,7 +421,7 @@ void default_idle(void)
17002 EXPORT_SYMBOL(default_idle);
17003 #endif
17004
17005 -void stop_this_cpu(void *dummy)
17006 +__noreturn void stop_this_cpu(void *dummy)
17007 {
17008 local_irq_disable();
17009 /*
17010 @@ -665,16 +685,34 @@ static int __init idle_setup(char *str)
17011 }
17012 early_param("idle", idle_setup);
17013
17014 -unsigned long arch_align_stack(unsigned long sp)
17015 +#ifdef CONFIG_PAX_RANDKSTACK
17016 +asmlinkage void pax_randomize_kstack(void)
17017 {
17018 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17019 - sp -= get_random_int() % 8192;
17020 - return sp & ~0xf;
17021 -}
17022 + struct thread_struct *thread = &current->thread;
17023 + unsigned long time;
17024
17025 -unsigned long arch_randomize_brk(struct mm_struct *mm)
17026 -{
17027 - unsigned long range_end = mm->brk + 0x02000000;
17028 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17029 -}
17030 + if (!randomize_va_space)
17031 + return;
17032 +
17033 + rdtscl(time);
17034 +
17035 + /* P4 seems to return a 0 LSB, ignore it */
17036 +#ifdef CONFIG_MPENTIUM4
17037 + time &= 0x3EUL;
17038 + time <<= 2;
17039 +#elif defined(CONFIG_X86_64)
17040 + time &= 0xFUL;
17041 + time <<= 4;
17042 +#else
17043 + time &= 0x1FUL;
17044 + time <<= 3;
17045 +#endif
17046 +
17047 + thread->sp0 ^= time;
17048 + load_sp0(init_tss + smp_processor_id(), thread);
17049
17050 +#ifdef CONFIG_X86_64
17051 + percpu_write(kernel_stack, thread->sp0);
17052 +#endif
17053 +}
17054 +#endif
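Review bot: pax_randomize_kstack needs a header comment stating how much variation it provides and what keeps the result inside the stack. The masks and shifts give five bits in bits 3–7 of `sp0` on 32-bit (including the CONFIG_MPENTIUM4 branch) and four bits in bits 4–7 on x86_64, taken from `rdtscl()` rather than from the kernel RNG, so this is a small timing-derived offset and should be described as such rather than relied on as a strong secret. Because the value is XORed into `sp0` on every call, the function is only correct if the initial `sp0` has those bits set so the XOR can never move it above the stack top; that appears to be what the padding in copy_thread arranges, but it should be confirmed and written down. Suggested wording: `/* XOR 4-5 low TSC bits into sp0 (8/16-byte granularity, below 256 bytes); relies on the initial sp0 padding set in copy_thread() */`. The removed arch_align_stack and arch_randomize_brk are assumed to be provided elsewhere in the patch.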
17055 diff -urNp linux-2.6.39.3/arch/x86/kernel/ptrace.c linux-2.6.39.3/arch/x86/kernel/ptrace.c
17056 --- linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
17057 +++ linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400
17058 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
17059 unsigned long addr, unsigned long data)
17060 {
17061 int ret;
17062 - unsigned long __user *datap = (unsigned long __user *)data;
17063 + unsigned long __user *datap = (__force unsigned long __user *)data;
17064
17065 switch (request) {
17066 /* read the word at location addr in the USER area. */
17067 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
17068 if ((int) addr < 0)
17069 return -EIO;
17070 ret = do_get_thread_area(child, addr,
17071 - (struct user_desc __user *)data);
17072 + (__force struct user_desc __user *) data);
17073 break;
17074
17075 case PTRACE_SET_THREAD_AREA:
17076 if ((int) addr < 0)
17077 return -EIO;
17078 ret = do_set_thread_area(child, addr,
17079 - (struct user_desc __user *)data, 0);
17080 + (__force struct user_desc __user *) data, 0);
17081 break;
17082 #endif
17083
17084 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
17085 memset(info, 0, sizeof(*info));
17086 info->si_signo = SIGTRAP;
17087 info->si_code = si_code;
17088 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
17089 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
17090 }
17091
17092 void user_single_step_siginfo(struct task_struct *tsk,
17093 @@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts
17094 * We must return the syscall number to actually look up in the table.
17095 * This can be -1L to skip running any syscall at all.
17096 */
17097 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
17098 +long syscall_trace_enter(struct pt_regs *regs)
17099 {
17100 long ret = 0;
17101
17102 @@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru
17103 return ret ?: regs->orig_ax;
17104 }
17105
17106 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
17107 +void syscall_trace_leave(struct pt_regs *regs)
17108 {
17109 bool step;
17110
17111 diff -urNp linux-2.6.39.3/arch/x86/kernel/pvclock.c linux-2.6.39.3/arch/x86/kernel/pvclock.c
17112 --- linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400
17113 +++ linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400
17114 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
17115 return pv_tsc_khz;
17116 }
17117
17118 -static atomic64_t last_value = ATOMIC64_INIT(0);
17119 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
17120
17121 void pvclock_resume(void)
17122 {
17123 - atomic64_set(&last_value, 0);
17124 + atomic64_set_unchecked(&last_value, 0);
17125 }
17126
17127 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
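Review bot: The switch of `last_value` to `atomic64_unchecked_t` and the `_unchecked` accessors, here and in the pvclock_clocksource_read hunk that follows, comes with no comment explaining why this counter is exempt. From the visible code `last_value` is a monotonic clock reading updated by compare-and-exchange, not a reference count, so exempting it from overflow detection looks right, but that depends on what the unchecked type means in this patch. A one-line comment at the declaration would record the reasoning: `/* timestamp, not a refcount: wrap-around is not a lifetime bug, so the unchecked variant is used */`.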
17128 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
17129 * updating at the same time, and one of them could be slightly behind,
17130 * making the assumption that last_value always go forward fail to hold.
17131 */
17132 - last = atomic64_read(&last_value);
17133 + last = atomic64_read_unchecked(&last_value);
17134 do {
17135 if (ret < last)
17136 return last;
17137 - last = atomic64_cmpxchg(&last_value, last, ret);
17138 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
17139 } while (unlikely(last != ret));
17140
17141 return ret;
17142 diff -urNp linux-2.6.39.3/arch/x86/kernel/reboot.c linux-2.6.39.3/arch/x86/kernel/reboot.c
17143 --- linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400
17144 +++ linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400
17145 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
17146 EXPORT_SYMBOL(pm_power_off);
17147
17148 static const struct desc_ptr no_idt = {};
17149 -static int reboot_mode;
17150 +static unsigned short reboot_mode;
17151 enum reboot_type reboot_type = BOOT_KBD;
17152 int reboot_force;
17153
17154 @@ -307,13 +307,17 @@ core_initcall(reboot_init);
17155 extern const unsigned char machine_real_restart_asm[];
17156 extern const u64 machine_real_restart_gdt[3];
17157
17158 -void machine_real_restart(unsigned int type)
17159 +__noreturn void machine_real_restart(unsigned int type)
17160 {
17161 void *restart_va;
17162 unsigned long restart_pa;
17163 - void (*restart_lowmem)(unsigned int);
17164 + void (* __noreturn restart_lowmem)(unsigned int);
17165 u64 *lowmem_gdt;
17166
17167 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17168 + struct desc_struct *gdt;
17169 +#endif
17170 +
17171 local_irq_disable();
17172
17173 /* Write zero to CMOS register number 0x0f, which the BIOS POST
17174 @@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t
17175 boot)". This seems like a fairly standard thing that gets set by
17176 REBOOT.COM programs, and the previous reset routine did this
17177 too. */
17178 - *((unsigned short *)0x472) = reboot_mode;
17179 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17180
17181 /* Patch the GDT in the low memory trampoline */
17182 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
17183
17184 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
17185 restart_pa = virt_to_phys(restart_va);
17186 - restart_lowmem = (void (*)(unsigned int))restart_pa;
17187 + restart_lowmem = (void *)restart_pa;
17188
17189 /* GDT[0]: GDT self-pointer */
17190 lowmem_gdt[0] =
17191 @@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t
17192 GDT_ENTRY(0x009b, restart_pa, 0xffff);
17193
17194 /* Jump to the identity-mapped low memory code */
17195 +
17196 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17197 + gdt = get_cpu_gdt_table(smp_processor_id());
17198 + pax_open_kernel();
17199 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17200 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
17201 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
17202 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
17203 +#endif
17204 +#ifdef CONFIG_PAX_KERNEXEC
17205 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
17206 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
17207 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
17208 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
17209 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
17210 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
17211 +#endif
17212 + pax_close_kernel();
17213 +#endif
17214 +
17215 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17216 + asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
17217 + unreachable();
17218 +#else
17219 restart_lowmem(type);
17220 +#endif
17221 +
17222 }
17223 #ifdef CONFIG_APM_MODULE
17224 EXPORT_SYMBOL(machine_real_restart);
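Review bot: In the KERNEXEC branch the `"rm" (restart_lowmem)` operand of `push %0; push %1; lret` may be satisfied with a stack-relative memory reference, and the first `push` has already moved the stack pointer by the time `%1` is read. If the compiler picks an %esp-relative slot (plausible in builds without frame pointers), the second push reads the wrong word, and the far return then transfers to an unintended address with interrupts disabled and the GDT already rewritten. Restricting the operand to a register removes that dependency: `asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "r" (restart_lowmem), "a" (type));`. The GDT edits above it would also benefit from a one-line comment stating what segment layout the low-memory trampoline expects; machine_real_restart starts outside this hunk.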
17225 @@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f
17226 {
17227 }
17228
17229 -static void native_machine_emergency_restart(void)
17230 +__noreturn static void native_machine_emergency_restart(void)
17231 {
17232 int i;
17233
17234 @@ -593,13 +623,13 @@ void native_machine_shutdown(void)
17235 #endif
17236 }
17237
17238 -static void __machine_emergency_restart(int emergency)
17239 +static __noreturn void __machine_emergency_restart(int emergency)
17240 {
17241 reboot_emergency = emergency;
17242 machine_ops.emergency_restart();
17243 }
17244
17245 -static void native_machine_restart(char *__unused)
17246 +static __noreturn void native_machine_restart(char *__unused)
17247 {
17248 printk("machine restart\n");
17249
17250 @@ -608,7 +638,7 @@ static void native_machine_restart(char
17251 __machine_emergency_restart(0);
17252 }
17253
17254 -static void native_machine_halt(void)
17255 +static __noreturn void native_machine_halt(void)
17256 {
17257 /* stop other cpus and apics */
17258 machine_shutdown();
17259 @@ -619,7 +649,7 @@ static void native_machine_halt(void)
17260 stop_this_cpu(NULL);
17261 }
17262
17263 -static void native_machine_power_off(void)
17264 +__noreturn static void native_machine_power_off(void)
17265 {
17266 if (pm_power_off) {
17267 if (!reboot_force)
17268 @@ -628,6 +658,7 @@ static void native_machine_power_off(voi
17269 }
17270 /* a fallback in case there is no PM info available */
17271 tboot_shutdown(TB_SHUTDOWN_HALT);
17272 + unreachable();
17273 }
17274
17275 struct machine_ops machine_ops = {
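Review bot: `unreachable()` after `tboot_shutdown(TB_SHUTDOWN_HALT)` is not backed by the callee, because the tboot.c hunk later in this patch still shows `if (!tboot_enabled()) return;` at the top of tboot_shutdown. When pm_power_off is unset or returns and tboot is not enabled, control reaches the `unreachable()` marker in a function now declared `__noreturn`, which is undefined behaviour where the old code simply returned. I would end the function with something that really does not return, for instance the `stop_this_cpu(NULL);` call native_machine_halt uses in this file, or drop `__noreturn` here. `__machine_emergency_restart` has the same dependency on `machine_ops.emergency_restart()` never returning, which cannot be confirmed from the hunks shown.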
17276 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup.c linux-2.6.39.3/arch/x86/kernel/setup.c
17277 --- linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 12:55:22.000000000 -0400
17278 +++ linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 13:00:25.000000000 -0400
17279 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
17280 * area (640->1Mb) as ram even though it is not.
17281 * take them out.
17282 */
17283 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
17284 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
17285 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
17286 }
17287
17288 @@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p)
17289
17290 if (!boot_params.hdr.root_flags)
17291 root_mountflags &= ~MS_RDONLY;
17292 - init_mm.start_code = (unsigned long) _text;
17293 - init_mm.end_code = (unsigned long) _etext;
17294 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17295 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17296 init_mm.end_data = (unsigned long) _edata;
17297 init_mm.brk = _brk_end;
17298
17299 - code_resource.start = virt_to_phys(_text);
17300 - code_resource.end = virt_to_phys(_etext)-1;
17301 - data_resource.start = virt_to_phys(_etext);
17302 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17303 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17304 + data_resource.start = virt_to_phys(_sdata);
17305 data_resource.end = virt_to_phys(_edata)-1;
17306 bss_resource.start = virt_to_phys(&__bss_start);
17307 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17308 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup_percpu.c linux-2.6.39.3/arch/x86/kernel/setup_percpu.c
17309 --- linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400
17310 +++ linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400
17311 @@ -21,19 +21,17 @@
17312 #include <asm/cpu.h>
17313 #include <asm/stackprotector.h>
17314
17315 -DEFINE_PER_CPU(int, cpu_number);
17316 +#ifdef CONFIG_SMP
17317 +DEFINE_PER_CPU(unsigned int, cpu_number);
17318 EXPORT_PER_CPU_SYMBOL(cpu_number);
17319 +#endif
17320
17321 -#ifdef CONFIG_X86_64
17322 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17323 -#else
17324 -#define BOOT_PERCPU_OFFSET 0
17325 -#endif
17326
17327 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17328 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17329
17330 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17331 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17332 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17333 };
17334 EXPORT_SYMBOL(__per_cpu_offset);
17335 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
17336 {
17337 #ifdef CONFIG_X86_32
17338 struct desc_struct gdt;
17339 + unsigned long base = per_cpu_offset(cpu);
17340
17341 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17342 - 0x2 | DESCTYPE_S, 0x8);
17343 - gdt.s = 1;
17344 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17345 + 0x83 | DESCTYPE_S, 0xC);
17346 write_gdt_entry(get_cpu_gdt_table(cpu),
17347 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17348 #endif
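Review bot: The new `pack_descriptor` arguments `0x83 | DESCTYPE_S` and `0xC` are undocumented magic values, and the limit changes from a fixed `0xFFFFF` to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`. A comment such as `/* present, DPL 0, read/write data; G=1 so the limit is in pages, D/B=1; segment ends at VMALLOC_END */` would let a reader check the bits against the descriptor layout. The subtraction is unsigned, so it assumes `per_cpu_offset(cpu)` is below `VMALLOC_END`; a `BUG_ON(base >= VMALLOC_END);` or a sentence stating that invariant would make the assumption explicit. The function starts outside the hunk.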
17349 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
17350 /* alrighty, percpu areas up and running */
17351 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17352 for_each_possible_cpu(cpu) {
17353 +#ifdef CONFIG_CC_STACKPROTECTOR
17354 +#ifdef CONFIG_X86_32
17355 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17356 +#endif
17357 +#endif
17358 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17359 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17360 per_cpu(cpu_number, cpu) = cpu;
17361 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
17362 */
17363 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
17364 #endif
17365 +#ifdef CONFIG_CC_STACKPROTECTOR
17366 +#ifdef CONFIG_X86_32
17367 + if (!cpu)
17368 + per_cpu(stack_canary.canary, cpu) = canary;
17369 +#endif
17370 +#endif
17371 /*
17372 * Up to this point, the boot CPU has been using .init.data
17373 * area. Reload any changed state for the boot CPU.
17374 diff -urNp linux-2.6.39.3/arch/x86/kernel/signal.c linux-2.6.39.3/arch/x86/kernel/signal.c
17375 --- linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
17376 +++ linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
17377 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
17378 * Align the stack pointer according to the i386 ABI,
17379 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17380 */
17381 - sp = ((sp + 4) & -16ul) - 4;
17382 + sp = ((sp - 12) & -16ul) - 4;
17383 #else /* !CONFIG_X86_32 */
17384 sp = round_down(sp, 16) - 8;
17385 #endif
17386 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
17387 * Return an always-bogus address instead so we will die with SIGSEGV.
17388 */
17389 if (onsigstack && !likely(on_sig_stack(sp)))
17390 - return (void __user *)-1L;
17391 + return (__force void __user *)-1L;
17392
17393 /* save i387 state */
17394 if (used_math() && save_i387_xstate(*fpstate) < 0)
17395 - return (void __user *)-1L;
17396 + return (__force void __user *)-1L;
17397
17398 return (void __user *)sp;
17399 }
17400 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
17401 }
17402
17403 if (current->mm->context.vdso)
17404 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17405 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17406 else
17407 - restorer = &frame->retcode;
17408 + restorer = (void __user *)&frame->retcode;
17409 if (ka->sa.sa_flags & SA_RESTORER)
17410 restorer = ka->sa.sa_restorer;
17411
17412 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
17413 * reasons and because gdb uses it as a signature to notice
17414 * signal handler stack frames.
17415 */
17416 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17417 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17418
17419 if (err)
17420 return -EFAULT;
17421 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
17422 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17423
17424 /* Set up to return from userspace. */
17425 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17426 + if (current->mm->context.vdso)
17427 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17428 + else
17429 + restorer = (void __user *)&frame->retcode;
17430 if (ka->sa.sa_flags & SA_RESTORER)
17431 restorer = ka->sa.sa_restorer;
17432 put_user_ex(restorer, &frame->pretcode);
17433 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
17434 * reasons and because gdb uses it as a signature to notice
17435 * signal handler stack frames.
17436 */
17437 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17438 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17439 } put_user_catch(err);
17440
17441 if (err)
17442 @@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re
17443 int signr;
17444 sigset_t *oldset;
17445
17446 + pax_track_stack();
17447 +
17448 /*
17449 * We want the common case to go fast, which is why we may in certain
17450 * cases get here from kernel mode. Just return without doing anything
17451 @@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re
17452 * X86_32: vm86 regs switched out by assembly code before reaching
17453 * here, so testing against kernel CS suffices.
17454 */
17455 - if (!user_mode(regs))
17456 + if (!user_mode_novm(regs))
17457 return;
17458
17459 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
17460 diff -urNp linux-2.6.39.3/arch/x86/kernel/smpboot.c linux-2.6.39.3/arch/x86/kernel/smpboot.c
17461 --- linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 12:55:22.000000000 -0400
17462 +++ linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 13:00:25.000000000 -0400
17463 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
17464 set_idle_for_cpu(cpu, c_idle.idle);
17465 do_rest:
17466 per_cpu(current_task, cpu) = c_idle.idle;
17467 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17468 #ifdef CONFIG_X86_32
17469 /* Stack for startup_32 can be just as for start_secondary onwards */
17470 irq_ctx_init(cpu);
17471 #else
17472 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17473 initial_gs = per_cpu_offset(cpu);
17474 - per_cpu(kernel_stack, cpu) =
17475 - (unsigned long)task_stack_page(c_idle.idle) -
17476 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17477 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17478 #endif
17479 +
17480 + pax_open_kernel();
17481 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17482 + pax_close_kernel();
17483 +
17484 initial_code = (unsigned long)start_secondary;
17485 stack_start = c_idle.idle->thread.sp;
17486
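Review bot: The literal `16` that replaces `KERNEL_STACK_OFFSET` in the `per_cpu(kernel_stack, cpu)` assignment is an unexplained magic number. Any other code that derives the stack top from `kernel_stack` has to use the same offset, and whether `KERNEL_STACK_OFFSET` is redefined elsewhere in the patch is not visible from this hunk. I would keep a named constant, or at least add `/* 16 bytes kept free at the top of the idle task's stack; must match every kernel_stack user */` (wording to be confirmed against those users). do_boot_cpu extends beyond the hunk on both sides.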
17487 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
17488
17489 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17490
17491 +#ifdef CONFIG_PAX_PER_CPU_PGD
17492 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17493 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17494 + KERNEL_PGD_PTRS);
17495 +#endif
17496 +
17497 err = do_boot_cpu(apicid, cpu);
17498 if (err) {
17499 pr_debug("do_boot_cpu failed %d\n", err);
17500 diff -urNp linux-2.6.39.3/arch/x86/kernel/step.c linux-2.6.39.3/arch/x86/kernel/step.c
17501 --- linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400
17502 +++ linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400
17503 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17504 struct desc_struct *desc;
17505 unsigned long base;
17506
17507 - seg &= ~7UL;
17508 + seg >>= 3;
17509
17510 mutex_lock(&child->mm->context.lock);
17511 - if (unlikely((seg >> 3) >= child->mm->context.size))
17512 + if (unlikely(seg >= child->mm->context.size))
17513 addr = -1L; /* bogus selector, access would fault */
17514 else {
17515 desc = child->mm->context.ldt + seg;
17516 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17517 addr += base;
17518 }
17519 mutex_unlock(&child->mm->context.lock);
17520 - }
17521 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17522 + addr = ktla_ktva(addr);
17523
17524 return addr;
17525 }
17526 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17527 unsigned char opcode[15];
17528 unsigned long addr = convert_ip_to_linear(child, regs);
17529
17530 + if (addr == -EINVAL)
17531 + return 0;
17532 +
17533 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17534 for (i = 0; i < copied; i++) {
17535 switch (opcode[i]) {
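Review bot: The added `if (addr == -EINVAL) return 0;` does not match the failure value convert_ip_to_linear produces in the hunk above, which is `addr = -1L; /* bogus selector, access would fault */`. Unless a path outside these hunks returns `-EINVAL`, the new guard never fires and a bogus selector still reaches `access_process_vm(child, addr, ...)` with an all-ones address. Comparing against the sentinel the helper actually uses, `if (addr == -1L) return 0;`, would make the early exit effective. is_setting_trap_flag continues outside the hunk.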
17536 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17537
17538 #ifdef CONFIG_X86_64
17539 case 0x40 ... 0x4f:
17540 - if (regs->cs != __USER_CS)
17541 + if ((regs->cs & 0xffff) != __USER_CS)
17542 /* 32-bit mode: register increment */
17543 return 0;
17544 /* 64-bit mode: REX prefix */
17545 diff -urNp linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S
17546 --- linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400
17547 +++ linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400
17548 @@ -1,3 +1,4 @@
17549 +.section .rodata,"a",@progbits
17550 ENTRY(sys_call_table)
17551 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17552 .long sys_exit
17553 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c
17554 --- linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400
17555 +++ linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400
17556 @@ -24,17 +24,224 @@
17557
17558 #include <asm/syscalls.h>
17559
17560 -/*
17561 - * Do a system call from kernel instead of calling sys_execve so we
17562 - * end up with proper pt_regs.
17563 - */
17564 -int kernel_execve(const char *filename,
17565 - const char *const argv[],
17566 - const char *const envp[])
17567 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17568 {
17569 - long __res;
17570 - asm volatile ("int $0x80"
17571 - : "=a" (__res)
17572 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
17573 - return __res;
17574 + unsigned long pax_task_size = TASK_SIZE;
17575 +
17576 +#ifdef CONFIG_PAX_SEGMEXEC
17577 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17578 + pax_task_size = SEGMEXEC_TASK_SIZE;
17579 +#endif
17580 +
17581 + if (len > pax_task_size || addr > pax_task_size - len)
17582 + return -EINVAL;
17583 +
17584 + return 0;
17585 +}
17586 +
17587 +unsigned long
17588 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17589 + unsigned long len, unsigned long pgoff, unsigned long flags)
17590 +{
17591 + struct mm_struct *mm = current->mm;
17592 + struct vm_area_struct *vma;
17593 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17594 +
17595 +#ifdef CONFIG_PAX_SEGMEXEC
17596 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17597 + pax_task_size = SEGMEXEC_TASK_SIZE;
17598 +#endif
17599 +
17600 + pax_task_size -= PAGE_SIZE;
17601 +
17602 + if (len > pax_task_size)
17603 + return -ENOMEM;
17604 +
17605 + if (flags & MAP_FIXED)
17606 + return addr;
17607 +
17608 +#ifdef CONFIG_PAX_RANDMMAP
17609 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17610 +#endif
17611 +
17612 + if (addr) {
17613 + addr = PAGE_ALIGN(addr);
17614 + if (pax_task_size - len >= addr) {
17615 + vma = find_vma(mm, addr);
17616 + if (check_heap_stack_gap(vma, addr, len))
17617 + return addr;
17618 + }
17619 + }
17620 + if (len > mm->cached_hole_size) {
17621 + start_addr = addr = mm->free_area_cache;
17622 + } else {
17623 + start_addr = addr = mm->mmap_base;
17624 + mm->cached_hole_size = 0;
17625 + }
17626 +
17627 +#ifdef CONFIG_PAX_PAGEEXEC
17628 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17629 + start_addr = 0x00110000UL;
17630 +
17631 +#ifdef CONFIG_PAX_RANDMMAP
17632 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17633 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17634 +#endif
17635 +
17636 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17637 + start_addr = addr = mm->mmap_base;
17638 + else
17639 + addr = start_addr;
17640 + }
17641 +#endif
17642 +
17643 +full_search:
17644 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17645 + /* At this point: (!vma || addr < vma->vm_end). */
17646 + if (pax_task_size - len < addr) {
17647 + /*
17648 + * Start a new search - just in case we missed
17649 + * some holes.
17650 + */
17651 + if (start_addr != mm->mmap_base) {
17652 + start_addr = addr = mm->mmap_base;
17653 + mm->cached_hole_size = 0;
17654 + goto full_search;
17655 + }
17656 + return -ENOMEM;
17657 + }
17658 + if (check_heap_stack_gap(vma, addr, len))
17659 + break;
17660 + if (addr + mm->cached_hole_size < vma->vm_start)
17661 + mm->cached_hole_size = vma->vm_start - addr;
17662 + addr = vma->vm_end;
17663 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17664 + start_addr = addr = mm->mmap_base;
17665 + mm->cached_hole_size = 0;
17666 + goto full_search;
17667 + }
17668 + }
17669 +
17670 + /*
17671 + * Remember the place where we stopped the search:
17672 + */
17673 + mm->free_area_cache = addr + len;
17674 + return addr;
17675 +}
17676 +
17677 +unsigned long
17678 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17679 + const unsigned long len, const unsigned long pgoff,
17680 + const unsigned long flags)
17681 +{
17682 + struct vm_area_struct *vma;
17683 + struct mm_struct *mm = current->mm;
17684 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17685 +
17686 +#ifdef CONFIG_PAX_SEGMEXEC
17687 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17688 + pax_task_size = SEGMEXEC_TASK_SIZE;
17689 +#endif
17690 +
17691 + pax_task_size -= PAGE_SIZE;
17692 +
17693 + /* requested length too big for entire address space */
17694 + if (len > pax_task_size)
17695 + return -ENOMEM;
17696 +
17697 + if (flags & MAP_FIXED)
17698 + return addr;
17699 +
17700 +#ifdef CONFIG_PAX_PAGEEXEC
17701 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17702 + goto bottomup;
17703 +#endif
17704 +
17705 +#ifdef CONFIG_PAX_RANDMMAP
17706 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17707 +#endif
17708 +
17709 + /* requesting a specific address */
17710 + if (addr) {
17711 + addr = PAGE_ALIGN(addr);
17712 + if (pax_task_size - len >= addr) {
17713 + vma = find_vma(mm, addr);
17714 + if (check_heap_stack_gap(vma, addr, len))
17715 + return addr;
17716 + }
17717 + }
17718 +
17719 + /* check if free_area_cache is useful for us */
17720 + if (len <= mm->cached_hole_size) {
17721 + mm->cached_hole_size = 0;
17722 + mm->free_area_cache = mm->mmap_base;
17723 + }
17724 +
17725 + /* either no address requested or can't fit in requested address hole */
17726 + addr = mm->free_area_cache;
17727 +
17728 + /* make sure it can fit in the remaining address space */
17729 + if (addr > len) {
17730 + vma = find_vma(mm, addr-len);
17731 + if (check_heap_stack_gap(vma, addr - len, len))
17732 + /* remember the address as a hint for next time */
17733 + return (mm->free_area_cache = addr-len);
17734 + }
17735 +
17736 + if (mm->mmap_base < len)
17737 + goto bottomup;
17738 +
17739 + addr = mm->mmap_base-len;
17740 +
17741 + do {
17742 + /*
17743 + * Lookup failure means no vma is above this address,
17744 + * else if new region fits below vma->vm_start,
17745 + * return with success:
17746 + */
17747 + vma = find_vma(mm, addr);
17748 + if (check_heap_stack_gap(vma, addr, len))
17749 + /* remember the address as a hint for next time */
17750 + return (mm->free_area_cache = addr);
17751 +
17752 + /* remember the largest hole we saw so far */
17753 + if (addr + mm->cached_hole_size < vma->vm_start)
17754 + mm->cached_hole_size = vma->vm_start - addr;
17755 +
17756 + /* try just below the current vma->vm_start */
17757 + addr = skip_heap_stack_gap(vma, len);
17758 + } while (!IS_ERR_VALUE(addr));
17759 +
17760 +bottomup:
17761 + /*
17762 + * A failed mmap() very likely causes application failure,
17763 + * so fall back to the bottom-up function here. This scenario
17764 + * can happen with large stack limits and large mmap()
17765 + * allocations.
17766 + */
17767 +
17768 +#ifdef CONFIG_PAX_SEGMEXEC
17769 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17770 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17771 + else
17772 +#endif
17773 +
17774 + mm->mmap_base = TASK_UNMAPPED_BASE;
17775 +
17776 +#ifdef CONFIG_PAX_RANDMMAP
17777 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17778 + mm->mmap_base += mm->delta_mmap;
17779 +#endif
17780 +
17781 + mm->free_area_cache = mm->mmap_base;
17782 + mm->cached_hole_size = ~0UL;
17783 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17784 + /*
17785 + * Restore the topdown base:
17786 + */
17787 + mm->mmap_base = base;
17788 + mm->free_area_cache = base;
17789 + mm->cached_hole_size = ~0UL;
17790 +
17791 + return addr;
17792 }
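Review bot: In both new allocators the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` sequence is a brace-less `if` whose body is whatever statement follows the blank line (and, in the top-down variant, a comment), namely the `if (addr) { ... }` hint block. It works as written, but a statement later inserted between the guard and the hint block silently becomes the guarded statement, and the caller's address hint would then be honoured even when RANDMMAP is set. The same construct appears in the sys_x86_64.c hunks for arch_get_unmapped_area and arch_get_unmapped_area_topdown. Making the dependency explicit, with a comment that caller-supplied hints are ignored under RANDMMAP, removes the trap without changing behaviour.

```c
	bool use_hint = true;	/* declared with the other locals */

#ifdef CONFIG_PAX_RANDMMAP
	/* caller-supplied address hints are ignored when RANDMMAP is active */
	if (mm->pax_flags & MF_PAX_RANDMMAP)
		use_hint = false;
#endif

	if (use_hint && addr) {
		/* … unchanged: PAGE_ALIGN, bound check, find_vma, check_heap_stack_gap … */
	}
```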
17793 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c
17794 --- linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400
17795 +++ linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400
17796 @@ -32,8 +32,8 @@ out:
17797 return error;
17798 }
17799
17800 -static void find_start_end(unsigned long flags, unsigned long *begin,
17801 - unsigned long *end)
17802 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17803 + unsigned long *begin, unsigned long *end)
17804 {
17805 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17806 unsigned long new_begin;
17807 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17808 *begin = new_begin;
17809 }
17810 } else {
17811 - *begin = TASK_UNMAPPED_BASE;
17812 + *begin = mm->mmap_base;
17813 *end = TASK_SIZE;
17814 }
17815 }
17816 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17817 if (flags & MAP_FIXED)
17818 return addr;
17819
17820 - find_start_end(flags, &begin, &end);
17821 + find_start_end(mm, flags, &begin, &end);
17822
17823 if (len > end)
17824 return -ENOMEM;
17825
17826 +#ifdef CONFIG_PAX_RANDMMAP
17827 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17828 +#endif
17829 +
17830 if (addr) {
17831 addr = PAGE_ALIGN(addr);
17832 vma = find_vma(mm, addr);
17833 - if (end - len >= addr &&
17834 - (!vma || addr + len <= vma->vm_start))
17835 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17836 return addr;
17837 }
17838 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17839 @@ -106,7 +109,7 @@ full_search:
17840 }
17841 return -ENOMEM;
17842 }
17843 - if (!vma || addr + len <= vma->vm_start) {
17844 + if (check_heap_stack_gap(vma, addr, len)) {
17845 /*
17846 * Remember the place where we stopped the search:
17847 */
17848 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17849 {
17850 struct vm_area_struct *vma;
17851 struct mm_struct *mm = current->mm;
17852 - unsigned long addr = addr0;
17853 + unsigned long base = mm->mmap_base, addr = addr0;
17854
17855 /* requested length too big for entire address space */
17856 if (len > TASK_SIZE)
17857 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17858 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17859 goto bottomup;
17860
17861 +#ifdef CONFIG_PAX_RANDMMAP
17862 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17863 +#endif
17864 +
17865 /* requesting a specific address */
17866 if (addr) {
17867 addr = PAGE_ALIGN(addr);
17868 - vma = find_vma(mm, addr);
17869 - if (TASK_SIZE - len >= addr &&
17870 - (!vma || addr + len <= vma->vm_start))
17871 - return addr;
17872 + if (TASK_SIZE - len >= addr) {
17873 + vma = find_vma(mm, addr);
17874 + if (check_heap_stack_gap(vma, addr, len))
17875 + return addr;
17876 + }
17877 }
17878
17879 /* check if free_area_cache is useful for us */
17880 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17881 /* make sure it can fit in the remaining address space */
17882 if (addr > len) {
17883 vma = find_vma(mm, addr-len);
17884 - if (!vma || addr <= vma->vm_start)
17885 + if (check_heap_stack_gap(vma, addr - len, len))
17886 /* remember the address as a hint for next time */
17887 return mm->free_area_cache = addr-len;
17888 }
17889 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17890 * return with success:
17891 */
17892 vma = find_vma(mm, addr);
17893 - if (!vma || addr+len <= vma->vm_start)
17894 + if (check_heap_stack_gap(vma, addr, len))
17895 /* remember the address as a hint for next time */
17896 return mm->free_area_cache = addr;
17897
17898 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17899 mm->cached_hole_size = vma->vm_start - addr;
17900
17901 /* try just below the current vma->vm_start */
17902 - addr = vma->vm_start-len;
17903 - } while (len < vma->vm_start);
17904 + addr = skip_heap_stack_gap(vma, len);
17905 + } while (!IS_ERR_VALUE(addr));
17906
17907 bottomup:
17908 /*
17909 @@ -198,13 +206,21 @@ bottomup:
17910 * can happen with large stack limits and large mmap()
17911 * allocations.
17912 */
17913 + mm->mmap_base = TASK_UNMAPPED_BASE;
17914 +
17915 +#ifdef CONFIG_PAX_RANDMMAP
17916 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17917 + mm->mmap_base += mm->delta_mmap;
17918 +#endif
17919 +
17920 + mm->free_area_cache = mm->mmap_base;
17921 mm->cached_hole_size = ~0UL;
17922 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17923 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17924 /*
17925 * Restore the topdown base:
17926 */
17927 - mm->free_area_cache = mm->mmap_base;
17928 + mm->mmap_base = base;
17929 + mm->free_area_cache = base;
17930 mm->cached_hole_size = ~0UL;
17931
17932 return addr;
17933 diff -urNp linux-2.6.39.3/arch/x86/kernel/tboot.c linux-2.6.39.3/arch/x86/kernel/tboot.c
17934 --- linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400
17935 +++ linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400
17936 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
17937
17938 void tboot_shutdown(u32 shutdown_type)
17939 {
17940 - void (*shutdown)(void);
17941 + void (* __noreturn shutdown)(void);
17942
17943 if (!tboot_enabled())
17944 return;
17945 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
17946
17947 switch_to_tboot_pt();
17948
17949 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17950 + shutdown = (void *)tboot->shutdown_entry;
17951 shutdown();
17952
17953 /* should not reach here */
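Review bot: `shutdown = (void *)tboot->shutdown_entry;` drops the `(unsigned long)` step that the removed line had, so an integer field is now converted straight to a pointer. If `shutdown_entry` is narrower than a pointer on 64-bit builds, which the old cast suggests, this is an integer-to-pointer conversion between different sizes and compilers warn about it. Since this value is the address control is handed to, I would keep the widening explicit: `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`. tboot_shutdown continues past the hunk.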
17954 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17955 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17956 }
17957
17958 -static atomic_t ap_wfs_count;
17959 +static atomic_unchecked_t ap_wfs_count;
17960
17961 static int tboot_wait_for_aps(int num_aps)
17962 {
17963 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
17964 {
17965 switch (action) {
17966 case CPU_DYING:
17967 - atomic_inc(&ap_wfs_count);
17968 + atomic_inc_unchecked(&ap_wfs_count);
17969 if (num_online_cpus() == 1)
17970 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17971 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17972 return NOTIFY_BAD;
17973 break;
17974 }
17975 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
17976
17977 tboot_create_trampoline();
17978
17979 - atomic_set(&ap_wfs_count, 0);
17980 + atomic_set_unchecked(&ap_wfs_count, 0);
17981 register_hotcpu_notifier(&tboot_cpu_notifier);
17982 return 0;
17983 }
17984 diff -urNp linux-2.6.39.3/arch/x86/kernel/time.c linux-2.6.39.3/arch/x86/kernel/time.c
17985 --- linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
17986 +++ linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400
17987 @@ -22,17 +22,13 @@
17988 #include <asm/hpet.h>
17989 #include <asm/time.h>
17990
17991 -#ifdef CONFIG_X86_64
17992 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17993 -#endif
17994 -
17995 unsigned long profile_pc(struct pt_regs *regs)
17996 {
17997 unsigned long pc = instruction_pointer(regs);
17998
17999 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18000 + if (!user_mode(regs) && in_lock_functions(pc)) {
18001 #ifdef CONFIG_FRAME_POINTER
18002 - return *(unsigned long *)(regs->bp + sizeof(long));
18003 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18004 #else
18005 unsigned long *sp =
18006 (unsigned long *)kernel_stack_pointer(regs);
18007 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
18008 * or above a saved flags. Eflags has bits 22-31 zero,
18009 * kernel addresses don't.
18010 */
18011 +
18012 +#ifdef CONFIG_PAX_KERNEXEC
18013 + return ktla_ktva(sp[0]);
18014 +#else
18015 if (sp[0] >> 22)
18016 return sp[0];
18017 if (sp[1] >> 22)
18018 return sp[1];
18019 #endif
18020 +
18021 +#endif
18022 }
18023 return pc;
18024 }
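Review bot: Under CONFIG_PAX_KERNEXEC the added branch returns `ktla_ktva(sp[0])` unconditionally, so the `>> 22` test that tells a return address from a saved flags word no longer runs, and the retained comment above it describes a heuristic this configuration skips. If sp[0] holds saved flags, the profiler would attribute the sample to a converted flags value rather than to the caller. Presumably the test was dropped because kernel text addresses are not guaranteed to have the high bits set under KERNEXEC; if so, say it next to the new return: `/* KERNEXEC: text addresses may have bits 22-31 clear, so the flags heuristic cannot be used */`. profile_pc starts in the previous hunk.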
18025 diff -urNp linux-2.6.39.3/arch/x86/kernel/tls.c linux-2.6.39.3/arch/x86/kernel/tls.c
18026 --- linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400
18027 +++ linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400
18028 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18029 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18030 return -EINVAL;
18031
18032 +#ifdef CONFIG_PAX_SEGMEXEC
18033 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18034 + return -EINVAL;
18035 +#endif
18036 +
18037 set_tls_desc(p, idx, &info, 1);
18038
18039 return 0;
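Review bot: The added SEGMEXEC check dereferences `p->mm` without testing it, while the PAGEEXEC block this patch adds to do_general_protection tests `tsk->mm` first. The callers of do_set_thread_area are outside this hunk, so whether `p` can be a task without an mm cannot be confirmed here; if it can, this is a NULL dereference on a syscall path. A guard costs nothing: `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`.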
18040 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_32.S linux-2.6.39.3/arch/x86/kernel/trampoline_32.S
18041 --- linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-19 00:06:34.000000000 -0400
18042 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-22 19:36:30.000000000 -0400
18043 @@ -32,6 +32,12 @@
18044 #include <asm/segment.h>
18045 #include <asm/page_types.h>
18046
18047 +#ifdef CONFIG_PAX_KERNEXEC
18048 +#define ta(X) (X)
18049 +#else
18050 +#define ta(X) ((X) - __PAGE_OFFSET)
18051 +#endif
18052 +
18053 #ifdef CONFIG_SMP
18054
18055 .section ".x86_trampoline","a"
18056 @@ -62,7 +68,7 @@ r_base = .
18057 inc %ax # protected mode (PE) bit
18058 lmsw %ax # into protected mode
18059 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18060 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18061 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
18062
18063 # These need to be in the same 64K segment as the above;
18064 # hence we don't use the boot_gdt_descr defined in head.S
18065 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_64.S linux-2.6.39.3/arch/x86/kernel/trampoline_64.S
18066 --- linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-19 00:06:34.000000000 -0400
18067 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-22 19:36:30.000000000 -0400
18068 @@ -90,7 +90,7 @@ startup_32:
18069 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18070 movl %eax, %ds
18071
18072 - movl $X86_CR4_PAE, %eax
18073 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18074 movl %eax, %cr4 # Enable PAE mode
18075
18076 # Setup trampoline 4 level pagetables
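Review bot: The trailing comment on the `movl %eax, %cr4` line still reads `# Enable PAE mode`, but the value loaded now also sets PSE and PGE. Update it to `# Enable PSE, PAE and PGE`, and consider one more line saying why the secondary-CPU trampoline needs the extra bits this early, since that is not evident from the hunk.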
18077 @@ -138,7 +138,7 @@ tidt:
18078 # so the kernel can live anywhere
18079 .balign 4
18080 tgdt:
18081 - .short tgdt_end - tgdt # gdt limit
18082 + .short tgdt_end - tgdt - 1 # gdt limit
18083 .long tgdt - r_base
18084 .short 0
18085 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18086 diff -urNp linux-2.6.39.3/arch/x86/kernel/traps.c linux-2.6.39.3/arch/x86/kernel/traps.c
18087 --- linux-2.6.39.3/arch/x86/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
18088 +++ linux-2.6.39.3/arch/x86/kernel/traps.c 2011-07-06 20:00:13.000000000 -0400
18089 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
18090
18091 /* Do we ignore FPU interrupts ? */
18092 char ignore_fpu_irq;
18093 -
18094 -/*
18095 - * The IDT has to be page-aligned to simplify the Pentium
18096 - * F0 0F bug workaround.
18097 - */
18098 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18099 #endif
18100
18101 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18102 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
18103 }
18104
18105 static void __kprobes
18106 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18107 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18108 long error_code, siginfo_t *info)
18109 {
18110 struct task_struct *tsk = current;
18111
18112 #ifdef CONFIG_X86_32
18113 - if (regs->flags & X86_VM_MASK) {
18114 + if (v8086_mode(regs)) {
18115 /*
18116 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18117 * On nmi (interrupt 2), do_trap should not be called.
18118 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
18119 }
18120 #endif
18121
18122 - if (!user_mode(regs))
18123 + if (!user_mode_novm(regs))
18124 goto kernel_trap;
18125
18126 #ifdef CONFIG_X86_32
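Review bot: `user_mode_novm(regs)` replaces `user_mode(regs)` here, while the profile_pc and math_error hunks replace `user_mode_vm(regs)` with `user_mode(regs)`, which suggests the patch gives `user_mode()` the vm86-aware meaning and moves the CPL-only test to the new name. The definitions are outside this part of the diff, so that is an inference, but if it holds, code written against the upstream meaning of `user_mode()` silently changes behaviour when merged into this tree. A comment at the call, e.g. `/* CPL-only test; vm86 was handled above */`, would make the intent checkable here and at the matching changes in do_general_protection and do_debug.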
18127 @@ -157,7 +151,7 @@ trap_signal:
18128 printk_ratelimit()) {
18129 printk(KERN_INFO
18130 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18131 - tsk->comm, tsk->pid, str,
18132 + tsk->comm, task_pid_nr(tsk), str,
18133 regs->ip, regs->sp, error_code);
18134 print_vma_addr(" in ", regs->ip);
18135 printk("\n");
18136 @@ -174,8 +168,20 @@ kernel_trap:
18137 if (!fixup_exception(regs)) {
18138 tsk->thread.error_code = error_code;
18139 tsk->thread.trap_no = trapnr;
18140 +
18141 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18142 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18143 + str = "PAX: suspicious stack segment fault";
18144 +#endif
18145 +
18146 die(str, regs, error_code);
18147 }
18148 +
18149 +#ifdef CONFIG_PAX_REFCOUNT
18150 + if (trapnr == 4)
18151 + pax_report_refcount_overflow(regs);
18152 +#endif
18153 +
18154 return;
18155
18156 #ifdef CONFIG_X86_32
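Review bot: The added checks compare `trapnr` against the bare numbers 12 and 4, and the second one reports a refcount overflow for any kernel-mode trap 4 that reaches this point. Say what the numbers are where they are used, e.g. `/* 12: stack segment fault */` and `/* 4: overflow trap */`, and state in the second comment that the overflow trap is expected only from the refcount checks, if that is the assumption. The report also sits after the `if (!fixup_exception(regs))` block, so it is reached when the fixup succeeded; a comment confirming that ordering is intended would help, since the hunk does not show which code installs the fixup entry.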
18157 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
18158 conditional_sti(regs);
18159
18160 #ifdef CONFIG_X86_32
18161 - if (regs->flags & X86_VM_MASK)
18162 + if (v8086_mode(regs))
18163 goto gp_in_vm86;
18164 #endif
18165
18166 tsk = current;
18167 - if (!user_mode(regs))
18168 + if (!user_mode_novm(regs))
18169 goto gp_in_kernel;
18170
18171 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18172 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18173 + struct mm_struct *mm = tsk->mm;
18174 + unsigned long limit;
18175 +
18176 + down_write(&mm->mmap_sem);
18177 + limit = mm->context.user_cs_limit;
18178 + if (limit < TASK_SIZE) {
18179 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18180 + up_write(&mm->mmap_sem);
18181 + return;
18182 + }
18183 + up_write(&mm->mmap_sem);
18184 + }
18185 +#endif
18186 +
18187 tsk->thread.error_code = error_code;
18188 tsk->thread.trap_no = 13;
18189
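Review bot: The PAGEEXEC block returns without setting `error_code`/`trap_no` or sending a signal, so the faulting instruction is simply retried, and nothing in the hunk shows that `track_exec_limit()` leaves `user_cs_limit` at or above TASK_SIZE afterwards. If it does not, the task would take the same fault again on every retry. track_exec_limit is defined outside this hunk, so this may already be guaranteed; a comment on the `return` stating that guarantee, e.g. `/* limit now covers TASK_SIZE; retry the instruction */`, would make it reviewable.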
18190 @@ -304,6 +326,13 @@ gp_in_kernel:
18191 if (notify_die(DIE_GPF, "general protection fault", regs,
18192 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18193 return;
18194 +
18195 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18196 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18197 + die("PAX: suspicious general protection fault", regs, error_code);
18198 + else
18199 +#endif
18200 +
18201 die("general protection fault", regs, error_code);
18202 }
18203
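Review bot: The added `else` ends inside the `#if` block and binds to the unconditional `die()` two lines below it, across the `#endif` and a blank line. Any statement later inserted between the `#endif` and `die("general protection fault", regs, error_code)` would become the else-branch in KERNEXEC builds only. do_trap in this same diff handles the equivalent case by reassigning the message string before a single `die()` call; the same shape works here with a local `const char *msg = "general protection fault";`, then `msg = "PAX: suspicious general protection fault";` under the `#if`, and finally `die(msg, regs, error_code);`.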
18204 @@ -433,6 +462,17 @@ static notrace __kprobes void default_do
18205 dotraplinkage notrace __kprobes void
18206 do_nmi(struct pt_regs *regs, long error_code)
18207 {
18208 +
18209 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18210 + if (!user_mode(regs)) {
18211 + unsigned long cs = regs->cs & 0xFFFF;
18212 + unsigned long ip = ktva_ktla(regs->ip);
18213 +
18214 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18215 + regs->ip = ip;
18216 + }
18217 +#endif
18218 +
18219 nmi_enter();
18220
18221 inc_irq_stat(__nmi_count);
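Review bot: The added block overwrites `regs->ip` before `nmi_enter()` after testing only an upper bound, `ip <= (unsigned long)_etext`, with no matching lower bound against the start of kernel text. Whether `ktva_ktla()` can produce a value below the text start for an interrupted kernel address is not visible here, so this may be safe by construction, but the condition reads as a range check with half the range missing. Add a comment saying why the lower bound is unnecessary and that the saved ip is deliberately rewritten for the NMI handlers that follow. do_nmi continues outside this hunk.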
18222 @@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
18223 /* It's safe to allow irq's after DR6 has been saved */
18224 preempt_conditional_sti(regs);
18225
18226 - if (regs->flags & X86_VM_MASK) {
18227 + if (v8086_mode(regs)) {
18228 handle_vm86_trap((struct kernel_vm86_regs *) regs,
18229 error_code, 1);
18230 preempt_conditional_cli(regs);
18231 @@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
18232 * We already checked v86 mode above, so we can check for kernel mode
18233 * by just checking the CPL of CS.
18234 */
18235 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
18236 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
18237 tsk->thread.debugreg6 &= ~DR_STEP;
18238 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
18239 regs->flags &= ~X86_EFLAGS_TF;
18240 @@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
18241 return;
18242 conditional_sti(regs);
18243
18244 - if (!user_mode_vm(regs))
18245 + if (!user_mode(regs))
18246 {
18247 if (!fixup_exception(regs)) {
18248 task->thread.error_code = error_code;
18249 @@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
18250 void __math_state_restore(void)
18251 {
18252 struct thread_info *thread = current_thread_info();
18253 - struct task_struct *tsk = thread->task;
18254 + struct task_struct *tsk = current;
18255
18256 /*
18257 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18258 @@ -750,8 +790,7 @@ void __math_state_restore(void)
18259 */
18260 asmlinkage void math_state_restore(void)
18261 {
18262 - struct thread_info *thread = current_thread_info();
18263 - struct task_struct *tsk = thread->task;
18264 + struct task_struct *tsk = current;
18265
18266 if (!tsk_used_math(tsk)) {
18267 local_irq_enable();
18268 diff -urNp linux-2.6.39.3/arch/x86/kernel/verify_cpu.S linux-2.6.39.3/arch/x86/kernel/verify_cpu.S
18269 --- linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-05-19 00:06:34.000000000 -0400
18270 +++ linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:04.000000000 -0400
18271 @@ -20,6 +20,7 @@
18272 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
18273 * arch/x86/kernel/trampoline_64.S: secondary processor verification
18274 * arch/x86/kernel/head_32.S: processor startup
18275 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
18276 *
18277 * verify_cpu, returns the status of longmode and SSE in register %eax.
18278 * 0: Success 1: Failure
18279 diff -urNp linux-2.6.39.3/arch/x86/kernel/vm86_32.c linux-2.6.39.3/arch/x86/kernel/vm86_32.c
18280 --- linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-19 00:06:34.000000000 -0400
18281 +++ linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-22 19:41:32.000000000 -0400
18282 @@ -41,6 +41,7 @@
18283 #include <linux/ptrace.h>
18284 #include <linux/audit.h>
18285 #include <linux/stddef.h>
18286 +#include <linux/grsecurity.h>
18287
18288 #include <asm/uaccess.h>
18289 #include <asm/io.h>
18290 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18291 do_exit(SIGSEGV);
18292 }
18293
18294 - tss = &per_cpu(init_tss, get_cpu());
18295 + tss = init_tss + get_cpu();
18296 current->thread.sp0 = current->thread.saved_sp0;
18297 current->thread.sysenter_cs = __KERNEL_CS;
18298 load_sp0(tss, &current->thread);
18299 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
18300 struct task_struct *tsk;
18301 int tmp, ret = -EPERM;
18302
18303 +#ifdef CONFIG_GRKERNSEC_VM86
18304 + if (!capable(CAP_SYS_RAWIO)) {
18305 + gr_handle_vm86();
18306 + goto out;
18307 + }
18308 +#endif
18309 +
18310 tsk = current;
18311 if (tsk->thread.saved_sp0)
18312 goto out;
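Review bot: The -EPERM returned by the added capability check comes only from the `ret = -EPERM` initialiser in the declaration above, whereas the identical check added to sys_vm86 in the next hunk assigns `ret = -EPERM` explicitly. If the initialiser is ever changed, this path would return whatever `ret` then holds for a denied, unprivileged vm86 request. Set it explicitly here as well, with `ret = -EPERM;` before the `goto out;`.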
18313 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
18314 int tmp, ret;
18315 struct vm86plus_struct __user *v86;
18316
18317 +#ifdef CONFIG_GRKERNSEC_VM86
18318 + if (!capable(CAP_SYS_RAWIO)) {
18319 + gr_handle_vm86();
18320 + ret = -EPERM;
18321 + goto out;
18322 + }
18323 +#endif
18324 +
18325 tsk = current;
18326 switch (cmd) {
18327 case VM86_REQUEST_IRQ:
18328 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18329 tsk->thread.saved_fs = info->regs32->fs;
18330 tsk->thread.saved_gs = get_user_gs(info->regs32);
18331
18332 - tss = &per_cpu(init_tss, get_cpu());
18333 + tss = init_tss + get_cpu();
18334 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18335 if (cpu_has_sep)
18336 tsk->thread.sysenter_cs = 0;
18337 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18338 goto cannot_handle;
18339 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18340 goto cannot_handle;
18341 - intr_ptr = (unsigned long __user *) (i << 2);
18342 + intr_ptr = (__force unsigned long __user *) (i << 2);
18343 if (get_user(segoffs, intr_ptr))
18344 goto cannot_handle;
18345 if ((segoffs >> 16) == BIOSSEG)
18346 diff -urNp linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S
18347 --- linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
18348 +++ linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
18349 @@ -26,6 +26,13 @@
18350 #include <asm/page_types.h>
18351 #include <asm/cache.h>
18352 #include <asm/boot.h>
18353 +#include <asm/segment.h>
18354 +
18355 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18356 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18357 +#else
18358 +#define __KERNEL_TEXT_OFFSET 0
18359 +#endif
18360
18361 #undef i386 /* in case the preprocessor is a 32bit one */
18362
18363 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18364 #ifdef CONFIG_X86_32
18365 OUTPUT_ARCH(i386)
18366 ENTRY(phys_startup_32)
18367 -jiffies = jiffies_64;
18368 #else
18369 OUTPUT_ARCH(i386:x86-64)
18370 ENTRY(phys_startup_64)
18371 -jiffies_64 = jiffies;
18372 #endif
18373
18374 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18375 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
18376
18377 PHDRS {
18378 text PT_LOAD FLAGS(5); /* R_E */
18379 +#ifdef CONFIG_X86_32
18380 + module PT_LOAD FLAGS(5); /* R_E */
18381 +#endif
18382 +#ifdef CONFIG_XEN
18383 + rodata PT_LOAD FLAGS(5); /* R_E */
18384 +#else
18385 + rodata PT_LOAD FLAGS(4); /* R__ */
18386 +#endif
18387 data PT_LOAD FLAGS(6); /* RW_ */
18388 #ifdef CONFIG_X86_64
18389 user PT_LOAD FLAGS(5); /* R_E */
18390 +#endif
18391 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18392 #ifdef CONFIG_SMP
18393 percpu PT_LOAD FLAGS(6); /* RW_ */
18394 #endif
18395 + text.init PT_LOAD FLAGS(5); /* R_E */
18396 + text.exit PT_LOAD FLAGS(5); /* R_E */
18397 init PT_LOAD FLAGS(7); /* RWE */
18398 -#endif
18399 note PT_NOTE FLAGS(0); /* ___ */
18400 }
18401
18402 SECTIONS
18403 {
18404 #ifdef CONFIG_X86_32
18405 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18406 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18407 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18408 #else
18409 - . = __START_KERNEL;
18410 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18411 + . = __START_KERNEL;
18412 #endif
18413
18414 /* Text and read-only data */
18415 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18416 - _text = .;
18417 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18418 /* bootstrapping code */
18419 +#ifdef CONFIG_X86_32
18420 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18421 +#else
18422 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18423 +#endif
18424 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18425 + _text = .;
18426 HEAD_TEXT
18427 #ifdef CONFIG_X86_32
18428 . = ALIGN(PAGE_SIZE);
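Review bot: In the PHDRS block the new `rodata` program header is R_E under CONFIG_XEN and R__ otherwise, and nothing explains why read-only data must stay executable in Xen builds. Since the point of splitting rodata out of the text segment is to drop execute permission, the exception deserves a comment next to the `#ifdef CONFIG_XEN` naming the constraint that forces it. The unchanged `init PT_LOAD FLAGS(7); /* RWE */` line remains the one writable-and-executable segment; the same comment could say whether the new `text.init` and `text.exit` headers are meant to take all code out of it.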
18429 @@ -109,13 +129,47 @@ SECTIONS
18430 IRQENTRY_TEXT
18431 *(.fixup)
18432 *(.gnu.warning)
18433 - /* End of text section */
18434 - _etext = .;
18435 } :text = 0x9090
18436
18437 - NOTES :text :note
18438 + . += __KERNEL_TEXT_OFFSET;
18439 +
18440 +#ifdef CONFIG_X86_32
18441 + . = ALIGN(PAGE_SIZE);
18442 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18443 +
18444 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18445 + MODULES_EXEC_VADDR = .;
18446 + BYTE(0)
18447 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18448 + . = ALIGN(HPAGE_SIZE);
18449 + MODULES_EXEC_END = . - 1;
18450 +#endif
18451 +
18452 + } :module
18453 +#endif
18454 +
18455 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18456 + /* End of text section */
18457 + _etext = . - __KERNEL_TEXT_OFFSET;
18458 + }
18459
18460 - EXCEPTION_TABLE(16) :text = 0x9090
18461 +#ifdef CONFIG_X86_32
18462 + . = ALIGN(PAGE_SIZE);
18463 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18464 + *(.idt)
18465 + . = ALIGN(PAGE_SIZE);
18466 + *(.empty_zero_page)
18467 + *(.initial_pg_fixmap)
18468 + *(.initial_pg_pmd)
18469 + *(.initial_page_table)
18470 + *(.swapper_pg_dir)
18471 + } :rodata
18472 +#endif
18473 +
18474 + . = ALIGN(PAGE_SIZE);
18475 + NOTES :rodata :note
18476 +
18477 + EXCEPTION_TABLE(16) :rodata
18478
18479 #if defined(CONFIG_DEBUG_RODATA)
18480 /* .text should occupy whole number of pages */
18481 @@ -127,16 +181,20 @@ SECTIONS
18482
18483 /* Data */
18484 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18485 +
18486 +#ifdef CONFIG_PAX_KERNEXEC
18487 + . = ALIGN(HPAGE_SIZE);
18488 +#else
18489 + . = ALIGN(PAGE_SIZE);
18490 +#endif
18491 +
18492 /* Start of data section */
18493 _sdata = .;
18494
18495 /* init_task */
18496 INIT_TASK_DATA(THREAD_SIZE)
18497
18498 -#ifdef CONFIG_X86_32
18499 - /* 32 bit has nosave before _edata */
18500 NOSAVE_DATA
18501 -#endif
18502
18503 PAGE_ALIGNED_DATA(PAGE_SIZE)
18504
18505 @@ -145,6 +203,8 @@ SECTIONS
18506 DATA_DATA
18507 CONSTRUCTORS
18508
18509 + jiffies = jiffies_64;
18510 +
18511 /* rarely changed data like cpu maps */
18512 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
18513
18514 @@ -199,12 +259,6 @@ SECTIONS
18515 }
18516 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18517
18518 - . = ALIGN(L1_CACHE_BYTES);
18519 - .jiffies : AT(VLOAD(.jiffies)) {
18520 - *(.jiffies)
18521 - }
18522 - jiffies = VVIRT(.jiffies);
18523 -
18524 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18525 *(.vsyscall_3)
18526 }
18527 @@ -220,12 +274,19 @@ SECTIONS
18528 #endif /* CONFIG_X86_64 */
18529
18530 /* Init code and data - will be freed after init */
18531 - . = ALIGN(PAGE_SIZE);
18532 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18533 + BYTE(0)
18534 +
18535 +#ifdef CONFIG_PAX_KERNEXEC
18536 + . = ALIGN(HPAGE_SIZE);
18537 +#else
18538 + . = ALIGN(PAGE_SIZE);
18539 +#endif
18540 +
18541 __init_begin = .; /* paired with __init_end */
18542 - }
18543 + } :init.begin
18544
18545 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18546 +#ifdef CONFIG_SMP
18547 /*
18548 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18549 * output PHDR, so the next output section - .init.text - should
18550 @@ -234,12 +295,27 @@ SECTIONS
18551 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
18552 #endif
18553
18554 - INIT_TEXT_SECTION(PAGE_SIZE)
18555 -#ifdef CONFIG_X86_64
18556 - :init
18557 -#endif
18558 + . = ALIGN(PAGE_SIZE);
18559 + init_begin = .;
18560 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18561 + VMLINUX_SYMBOL(_sinittext) = .;
18562 + INIT_TEXT
18563 + VMLINUX_SYMBOL(_einittext) = .;
18564 + . = ALIGN(PAGE_SIZE);
18565 + } :text.init
18566
18567 - INIT_DATA_SECTION(16)
18568 + /*
18569 + * .exit.text is discard at runtime, not link time, to deal with
18570 + * references from .altinstructions and .eh_frame
18571 + */
18572 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18573 + EXIT_TEXT
18574 + . = ALIGN(16);
18575 + } :text.exit
18576 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18577 +
18578 + . = ALIGN(PAGE_SIZE);
18579 + INIT_DATA_SECTION(16) :init
18580
18581 /*
18582 * Code and data for a variety of lowlevel trampolines, to be
18583 @@ -306,19 +382,12 @@ SECTIONS
18584 }
18585
18586 . = ALIGN(8);
18587 - /*
18588 - * .exit.text is discard at runtime, not link time, to deal with
18589 - * references from .altinstructions and .eh_frame
18590 - */
18591 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18592 - EXIT_TEXT
18593 - }
18594
18595 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18596 EXIT_DATA
18597 }
18598
18599 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18600 +#ifndef CONFIG_SMP
18601 PERCPU(INTERNODE_CACHE_BYTES, PAGE_SIZE)
18602 #endif
18603
18604 @@ -337,16 +406,10 @@ SECTIONS
18605 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
18606 __smp_locks = .;
18607 *(.smp_locks)
18608 - . = ALIGN(PAGE_SIZE);
18609 __smp_locks_end = .;
18610 + . = ALIGN(PAGE_SIZE);
18611 }
18612
18613 -#ifdef CONFIG_X86_64
18614 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18615 - NOSAVE_DATA
18616 - }
18617 -#endif
18618 -
18619 /* BSS */
18620 . = ALIGN(PAGE_SIZE);
18621 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18622 @@ -362,6 +425,7 @@ SECTIONS
18623 __brk_base = .;
18624 . += 64 * 1024; /* 64k alignment slop space */
18625 *(.brk_reservation) /* areas brk users have reserved */
18626 + . = ALIGN(HPAGE_SIZE);
18627 __brk_limit = .;
18628 }
18629
18630 @@ -388,13 +452,12 @@ SECTIONS
18631 * for the boot processor.
18632 */
18633 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
18634 -INIT_PER_CPU(gdt_page);
18635 INIT_PER_CPU(irq_stack_union);
18636
18637 /*
18638 * Build-time check on the image size:
18639 */
18640 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18641 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18642 "kernel image bigger than KERNEL_IMAGE_SIZE");
18643
18644 #ifdef CONFIG_SMP
18645 diff -urNp linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c
18646 --- linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-19 00:06:34.000000000 -0400
18647 +++ linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-22 19:36:30.000000000 -0400
18648 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18649
18650 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18651 /* copy vsyscall data */
18652 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18653 vsyscall_gtod_data.clock.vread = clock->vread;
18654 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18655 vsyscall_gtod_data.clock.mask = clock->mask;
18656 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18657 We do this here because otherwise user space would do it on
18658 its own in a likely inferior way (no access to jiffies).
18659 If you don't like it pass NULL. */
18660 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18661 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18662 p = tcache->blob[1];
18663 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18664 /* Load per CPU data from RDTSCP */
18665 diff -urNp linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c
18666 --- linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-19 00:06:34.000000000 -0400
18667 +++ linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-22 19:36:30.000000000 -0400
18668 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
18669 EXPORT_SYMBOL(copy_user_generic_string);
18670 EXPORT_SYMBOL(copy_user_generic_unrolled);
18671 EXPORT_SYMBOL(__copy_user_nocache);
18672 -EXPORT_SYMBOL(_copy_from_user);
18673 -EXPORT_SYMBOL(_copy_to_user);
18674
18675 EXPORT_SYMBOL(copy_page);
18676 EXPORT_SYMBOL(clear_page);
18677 diff -urNp linux-2.6.39.3/arch/x86/kernel/xsave.c linux-2.6.39.3/arch/x86/kernel/xsave.c
18678 --- linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-19 00:06:34.000000000 -0400
18679 +++ linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-22 19:36:30.000000000 -0400
18680 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
18681 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18682 return -EINVAL;
18683
18684 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18685 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18686 fx_sw_user->extended_size -
18687 FP_XSTATE_MAGIC2_SIZE));
18688 if (err)
18689 @@ -267,7 +267,7 @@ fx_only:
18690 * the other extended state.
18691 */
18692 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18693 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18694 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18695 }
18696
18697 /*
18698 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
18699 if (use_xsave())
18700 err = restore_user_xstate(buf);
18701 else
18702 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18703 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18704 buf);
18705 if (unlikely(err)) {
18706 /*
18707 diff -urNp linux-2.6.39.3/arch/x86/kvm/emulate.c linux-2.6.39.3/arch/x86/kvm/emulate.c
18708 --- linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-19 00:06:34.000000000 -0400
18709 +++ linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-22 19:36:30.000000000 -0400
18710 @@ -89,7 +89,7 @@
18711 #define Src2ImmByte (2<<29)
18712 #define Src2One (3<<29)
18713 #define Src2Imm (4<<29)
18714 -#define Src2Mask (7<<29)
18715 +#define Src2Mask (7U<<29)
18716
18717 #define X2(x...) x, x
18718 #define X3(x...) X2(x), x
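Review bot: `Src2Imm (4<<29)` on the context line just above the change has the same problem the hunk fixes for `Src2Mask`: 4<<29 is 2^31, which does not fit in a 32-bit signed int, so the shift is undefined behaviour. Make it `#define Src2Imm (4U<<29)`, and for uniformity give the other `Src2*` constants in this group the `U` suffix as well.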
18719 @@ -190,6 +190,7 @@ struct group_dual {
18720
18721 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
18722 do { \
18723 + unsigned long _tmp; \
18724 __asm__ __volatile__ ( \
18725 _PRE_EFLAGS("0", "4", "2") \
18726 _op _suffix " %"_x"3,%1; " \
18727 @@ -203,8 +204,6 @@ struct group_dual {
18728 /* Raw emulation: instruction has two explicit operands. */
18729 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18730 do { \
18731 - unsigned long _tmp; \
18732 - \
18733 switch ((_dst).bytes) { \
18734 case 2: \
18735 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
18736 @@ -220,7 +219,6 @@ struct group_dual {
18737
18738 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18739 do { \
18740 - unsigned long _tmp; \
18741 switch ((_dst).bytes) { \
18742 case 1: \
18743 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
18744 diff -urNp linux-2.6.39.3/arch/x86/kvm/lapic.c linux-2.6.39.3/arch/x86/kvm/lapic.c
18745 --- linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-19 00:06:34.000000000 -0400
18746 +++ linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-22 19:36:30.000000000 -0400
18747 @@ -53,7 +53,7 @@
18748 #define APIC_BUS_CYCLE_NS 1
18749
18750 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18751 -#define apic_debug(fmt, arg...)
18752 +#define apic_debug(fmt, arg...) do {} while (0)
18753
18754 #define APIC_LVT_NUM 6
18755 /* 14 is the version for Xeon and Pentium 8.4.8*/
18756 diff -urNp linux-2.6.39.3/arch/x86/kvm/mmu.c linux-2.6.39.3/arch/x86/kvm/mmu.c
18757 --- linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-19 00:06:34.000000000 -0400
18758 +++ linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-22 19:36:30.000000000 -0400
18759 @@ -3240,7 +3240,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18760
18761 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
18762
18763 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
18764 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
18765
18766 /*
18767 * Assume that the pte write on a page table of the same type
18768 @@ -3275,7 +3275,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18769 smp_rmb();
18770
18771 spin_lock(&vcpu->kvm->mmu_lock);
18772 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18773 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18774 gentry = 0;
18775 kvm_mmu_free_some_pages(vcpu);
18776 ++vcpu->kvm->stat.mmu_pte_write;
18777 diff -urNp linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h
18778 --- linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-19 00:06:34.000000000 -0400
18779 +++ linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-22 19:36:30.000000000 -0400
18780 @@ -552,6 +552,8 @@ static int FNAME(page_fault)(struct kvm_
18781 unsigned long mmu_seq;
18782 bool map_writable;
18783
18784 + pax_track_stack();
18785 +
18786 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18787
18788 r = mmu_topup_memory_caches(vcpu);
18789 @@ -672,7 +674,7 @@ static void FNAME(invlpg)(struct kvm_vcp
18790 if (need_flush)
18791 kvm_flush_remote_tlbs(vcpu->kvm);
18792
18793 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
18794 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
18795
18796 spin_unlock(&vcpu->kvm->mmu_lock);
18797
18798 diff -urNp linux-2.6.39.3/arch/x86/kvm/svm.c linux-2.6.39.3/arch/x86/kvm/svm.c
18799 --- linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-19 00:06:34.000000000 -0400
18800 +++ linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-22 19:36:30.000000000 -0400
18801 @@ -3278,7 +3278,11 @@ static void reload_tss(struct kvm_vcpu *
18802 int cpu = raw_smp_processor_id();
18803
18804 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
18805 +
18806 + pax_open_kernel();
18807 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
18808 + pax_close_kernel();
18809 +
18810 load_TR_desc();
18811 }
18812
18813 @@ -3656,6 +3660,10 @@ static void svm_vcpu_run(struct kvm_vcpu
18814 #endif
18815 #endif
18816
18817 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18818 + __set_fs(current_thread_info()->addr_limit);
18819 +#endif
18820 +
18821 reload_tss(vcpu);
18822
18823 local_irq_disable();
18824 @@ -3871,7 +3879,7 @@ static void svm_fpu_deactivate(struct kv
18825 update_cr0_intercept(svm);
18826 }
18827
18828 -static struct kvm_x86_ops svm_x86_ops = {
18829 +static const struct kvm_x86_ops svm_x86_ops = {
18830 .cpu_has_kvm_support = has_svm,
18831 .disabled_by_bios = is_disabled,
18832 .hardware_setup = svm_hardware_setup,
18833 diff -urNp linux-2.6.39.3/arch/x86/kvm/vmx.c linux-2.6.39.3/arch/x86/kvm/vmx.c
18834 --- linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-19 00:06:34.000000000 -0400
18835 +++ linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-22 19:36:30.000000000 -0400
18836 @@ -725,7 +725,11 @@ static void reload_tss(void)
18837 struct desc_struct *descs;
18838
18839 descs = (void *)gdt->address;
18840 +
18841 + pax_open_kernel();
18842 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18843 + pax_close_kernel();
18844 +
18845 load_TR_desc();
18846 }
18847
18848 @@ -1648,8 +1652,11 @@ static __init int hardware_setup(void)
18849 if (!cpu_has_vmx_flexpriority())
18850 flexpriority_enabled = 0;
18851
18852 - if (!cpu_has_vmx_tpr_shadow())
18853 - kvm_x86_ops->update_cr8_intercept = NULL;
18854 + if (!cpu_has_vmx_tpr_shadow()) {
18855 + pax_open_kernel();
18856 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18857 + pax_close_kernel();
18858 + }
18859
18860 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18861 kvm_disable_largepages();
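Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away the const that this patch adds to `kvm_x86_ops`, and `vmx_x86_ops` itself becomes `static const` further down this file's diff. pax_open_kernel() presumably lifts the page protection, but writing to an object defined const is still undefined behaviour in C, and the compiler is entitled to assume the member never changes. The store also writes a function pointer through a `void **`. At minimum document it with `/* one-time init write to the const ops table */`; a cleaner option, if the callback (defined outside this hunk) allows it, is to leave the table untouched and have the callback return early when `cpu_has_vmx_tpr_shadow()` is false.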
18862 @@ -2693,7 +2700,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18863 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
18864
18865 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18866 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18867 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18868 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18869 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18870 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
18871 @@ -4068,6 +4075,12 @@ static void __noclone vmx_vcpu_run(struc
18872 "jmp .Lkvm_vmx_return \n\t"
18873 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18874 ".Lkvm_vmx_return: "
18875 +
18876 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18877 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18878 + ".Lkvm_vmx_return2: "
18879 +#endif
18880 +
18881 /* Save guest registers, load host registers, keep flags */
18882 "mov %0, %c[wordsize](%%"R"sp) \n\t"
18883 "pop %0 \n\t"
18884 @@ -4116,6 +4129,11 @@ static void __noclone vmx_vcpu_run(struc
18885 #endif
18886 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
18887 [wordsize]"i"(sizeof(ulong))
18888 +
18889 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18890 + ,[cs]"i"(__KERNEL_CS)
18891 +#endif
18892 +
18893 : "cc", "memory"
18894 , R"ax", R"bx", R"di", R"si"
18895 #ifdef CONFIG_X86_64
18896 @@ -4130,7 +4148,16 @@ static void __noclone vmx_vcpu_run(struc
18897
18898 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
18899
18900 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18901 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18902 +
18903 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18904 + loadsegment(fs, __KERNEL_PERCPU);
18905 +#endif
18906 +
18907 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18908 + __set_fs(current_thread_info()->addr_limit);
18909 +#endif
18910 +
18911 vmx->launched = 1;
18912
18913 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
18914 @@ -4368,7 +4395,7 @@ static void vmx_set_supported_cpuid(u32
18915 {
18916 }
18917
18918 -static struct kvm_x86_ops vmx_x86_ops = {
18919 +static const struct kvm_x86_ops vmx_x86_ops = {
18920 .cpu_has_kvm_support = cpu_has_kvm_support,
18921 .disabled_by_bios = vmx_disabled_by_bios,
18922 .hardware_setup = hardware_setup,
18923 diff -urNp linux-2.6.39.3/arch/x86/kvm/x86.c linux-2.6.39.3/arch/x86/kvm/x86.c
18924 --- linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-19 00:06:34.000000000 -0400
18925 +++ linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-22 19:36:30.000000000 -0400
18926 @@ -94,7 +94,7 @@ static void update_cr8_intercept(struct
18927 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18928 struct kvm_cpuid_entry2 __user *entries);
18929
18930 -struct kvm_x86_ops *kvm_x86_ops;
18931 +const struct kvm_x86_ops *kvm_x86_ops;
18932 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18933
18934 int ignore_msrs = 0;
18935 @@ -2050,6 +2050,8 @@ long kvm_arch_dev_ioctl(struct file *fil
18936 if (n < msr_list.nmsrs)
18937 goto out;
18938 r = -EFAULT;
18939 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
18940 + goto out;
18941 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
18942 num_msrs_to_save * sizeof(u32)))
18943 goto out;
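Review bot: The added `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` test runs after `r = -EFAULT`, so a count larger than the kernel's own array is reported to the caller as a bad user pointer and leaves nothing in the log. The check is the right guard against `copy_to_user` reading past `msrs_to_save`, but the condition is a kernel-side invariant failure, not a user error. Writing it as `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the early exit and makes the failure visible. The enclosing case in kvm_arch_dev_ioctl continues outside the hunk, so whether a later copy there needs a matching bound cannot be judged from here.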
18944 @@ -2217,15 +2219,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18945 struct kvm_cpuid2 *cpuid,
18946 struct kvm_cpuid_entry2 __user *entries)
18947 {
18948 - int r;
18949 + int r, i;
18950
18951 r = -E2BIG;
18952 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18953 goto out;
18954 r = -EFAULT;
18955 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18956 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18957 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18958 goto out;
18959 + for (i = 0; i < cpuid->nent; ++i) {
18960 + struct kvm_cpuid_entry2 cpuid_entry;
18961 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18962 + goto out;
18963 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18964 + }
18965 vcpu->arch.cpuid_nent = cpuid->nent;
18966 kvm_apic_set_version(vcpu);
18967 kvm_x86_ops->cpuid_update(vcpu);
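Review bot: A fault part-way through the new loop leaves `vcpu->arch.cpuid_entries[0..i-1]` already replaced while `vcpu->arch.cpuid_nent` keeps its old value, because each entry is stored as soon as it is copied and `goto out` skips the count update. The bulk copy it replaces could presumably also stop mid-buffer, so this may not be new, but the per-entry form makes the half-updated state explicit and it deserves a comment at the store, e.g. `/* on fault, entries [0, i) are already replaced and cpuid_nent is unchanged */`. Separately, `i` is declared `int` and compared with `cpuid->nent`, whose type is not shown here; if it is unsigned, declare `i` to match. The same applies to the loop in the kvm_vcpu_ioctl_get_cpuid2 hunk that follows.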
18968 @@ -2240,15 +2247,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18969 struct kvm_cpuid2 *cpuid,
18970 struct kvm_cpuid_entry2 __user *entries)
18971 {
18972 - int r;
18973 + int r, i;
18974
18975 r = -E2BIG;
18976 if (cpuid->nent < vcpu->arch.cpuid_nent)
18977 goto out;
18978 r = -EFAULT;
18979 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18980 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18981 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18982 goto out;
18983 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18984 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18985 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18986 + goto out;
18987 + }
18988 return 0;
18989
18990 out:
18991 @@ -2526,7 +2537,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18992 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18993 struct kvm_interrupt *irq)
18994 {
18995 - if (irq->irq < 0 || irq->irq >= 256)
18996 + if (irq->irq >= 256)
18997 return -EINVAL;
18998 if (irqchip_in_kernel(vcpu->kvm))
18999 return -ENXIO;
19000 @@ -4672,7 +4683,7 @@ static unsigned long kvm_get_guest_ip(vo
19001 return ip;
19002 }
19003
19004 -static struct perf_guest_info_callbacks kvm_guest_cbs = {
19005 +static const struct perf_guest_info_callbacks kvm_guest_cbs = {
19006 .is_in_guest = kvm_is_in_guest,
19007 .is_user_mode = kvm_is_user_mode,
19008 .get_guest_ip = kvm_get_guest_ip,
19009 @@ -4690,10 +4701,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
19010 }
19011 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
19012
19013 -int kvm_arch_init(void *opaque)
19014 +int kvm_arch_init(const void *opaque)
19015 {
19016 int r;
19017 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
19018 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
19019
19020 if (kvm_x86_ops) {
19021 printk(KERN_ERR "kvm: already loaded the other module\n");
19022 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_32.c linux-2.6.39.3/arch/x86/lib/atomic64_32.c
19023 --- linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-19 00:06:34.000000000 -0400
19024 +++ linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-22 19:36:30.000000000 -0400
19025 @@ -8,18 +8,30 @@
19026
19027 long long atomic64_read_cx8(long long, const atomic64_t *v);
19028 EXPORT_SYMBOL(atomic64_read_cx8);
19029 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19030 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
19031 long long atomic64_set_cx8(long long, const atomic64_t *v);
19032 EXPORT_SYMBOL(atomic64_set_cx8);
19033 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19034 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
19035 long long atomic64_xchg_cx8(long long, unsigned high);
19036 EXPORT_SYMBOL(atomic64_xchg_cx8);
19037 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
19038 EXPORT_SYMBOL(atomic64_add_return_cx8);
19039 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19040 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
19041 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
19042 EXPORT_SYMBOL(atomic64_sub_return_cx8);
19043 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19044 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
19045 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
19046 EXPORT_SYMBOL(atomic64_inc_return_cx8);
19047 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19048 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
19049 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
19050 EXPORT_SYMBOL(atomic64_dec_return_cx8);
19051 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19052 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
19053 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
19054 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
19055 int atomic64_inc_not_zero_cx8(atomic64_t *v);
19056 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
19057 #ifndef CONFIG_X86_CMPXCHG64
19058 long long atomic64_read_386(long long, const atomic64_t *v);
19059 EXPORT_SYMBOL(atomic64_read_386);
19060 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
19061 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
19062 long long atomic64_set_386(long long, const atomic64_t *v);
19063 EXPORT_SYMBOL(atomic64_set_386);
19064 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
19065 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
19066 long long atomic64_xchg_386(long long, unsigned high);
19067 EXPORT_SYMBOL(atomic64_xchg_386);
19068 long long atomic64_add_return_386(long long a, atomic64_t *v);
19069 EXPORT_SYMBOL(atomic64_add_return_386);
19070 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19071 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
19072 long long atomic64_sub_return_386(long long a, atomic64_t *v);
19073 EXPORT_SYMBOL(atomic64_sub_return_386);
19074 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19075 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
19076 long long atomic64_inc_return_386(long long a, atomic64_t *v);
19077 EXPORT_SYMBOL(atomic64_inc_return_386);
19078 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19079 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
19080 long long atomic64_dec_return_386(long long a, atomic64_t *v);
19081 EXPORT_SYMBOL(atomic64_dec_return_386);
19082 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19083 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
19084 long long atomic64_add_386(long long a, atomic64_t *v);
19085 EXPORT_SYMBOL(atomic64_add_386);
19086 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
19087 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
19088 long long atomic64_sub_386(long long a, atomic64_t *v);
19089 EXPORT_SYMBOL(atomic64_sub_386);
19090 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
19091 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
19092 long long atomic64_inc_386(long long a, atomic64_t *v);
19093 EXPORT_SYMBOL(atomic64_inc_386);
19094 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
19095 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
19096 long long atomic64_dec_386(long long a, atomic64_t *v);
19097 EXPORT_SYMBOL(atomic64_dec_386);
19098 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
19099 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
19100 long long atomic64_dec_if_positive_386(atomic64_t *v);
19101 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
19102 int atomic64_inc_not_zero_386(atomic64_t *v);
19103 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S
19104 --- linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-19 00:06:34.000000000 -0400
19105 +++ linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-22 19:36:30.000000000 -0400
19106 @@ -48,6 +48,10 @@ BEGIN(read)
19107 movl (v), %eax
19108 movl 4(v), %edx
19109 RET_ENDP
19110 +BEGIN(read_unchecked)
19111 + movl (v), %eax
19112 + movl 4(v), %edx
19113 +RET_ENDP
19114 #undef v
19115
19116 #define v %esi
19117 @@ -55,6 +59,10 @@ BEGIN(set)
19118 movl %ebx, (v)
19119 movl %ecx, 4(v)
19120 RET_ENDP
19121 +BEGIN(set_unchecked)
19122 + movl %ebx, (v)
19123 + movl %ecx, 4(v)
19124 +RET_ENDP
19125 #undef v
19126
19127 #define v %esi
19128 @@ -70,6 +78,20 @@ RET_ENDP
19129 BEGIN(add)
19130 addl %eax, (v)
19131 adcl %edx, 4(v)
19132 +
19133 +#ifdef CONFIG_PAX_REFCOUNT
19134 + jno 0f
19135 + subl %eax, (v)
19136 + sbbl %edx, 4(v)
19137 + int $4
19138 +0:
19139 + _ASM_EXTABLE(0b, 0b)
19140 +#endif
19141 +
19142 +RET_ENDP
19143 +BEGIN(add_unchecked)
19144 + addl %eax, (v)
19145 + adcl %edx, 4(v)
19146 RET_ENDP
19147 #undef v
19148
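Review bot: The overflow handling added under `CONFIG_PAX_REFCOUNT` has no comment, and it comes in two shapes that a reader has to decode separately. In `add` here, and in `sub`, `inc` and `dec` in the later hunks, the memory update is done first, then `jno 0f`, an undo, `int $4` and `_ASM_EXTABLE(0b, 0b)`. The `*_return`, `add_unless`, `inc_not_zero` and `dec_if_positive` hunks instead use `into` before the store with a `1234:` label and a fixup target that skips the store. A comment at the first occurrence would cover it, e.g. `/* signed overflow: undo the update and raise #OF (vector 4); the extable entry is keyed on the return address 0: */`, with a note on the `into` form that the fixup label skips the write-back. How the #OF handler uses these entries is not visible in this file's hunks, so the comment should state it only once that is confirmed.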
19149 @@ -77,6 +99,24 @@ RET_ENDP
19150 BEGIN(add_return)
19151 addl (v), %eax
19152 adcl 4(v), %edx
19153 +
19154 +#ifdef CONFIG_PAX_REFCOUNT
19155 + into
19156 +1234:
19157 + _ASM_EXTABLE(1234b, 2f)
19158 +#endif
19159 +
19160 + movl %eax, (v)
19161 + movl %edx, 4(v)
19162 +
19163 +#ifdef CONFIG_PAX_REFCOUNT
19164 +2:
19165 +#endif
19166 +
19167 +RET_ENDP
19168 +BEGIN(add_return_unchecked)
19169 + addl (v), %eax
19170 + adcl 4(v), %edx
19171 movl %eax, (v)
19172 movl %edx, 4(v)
19173 RET_ENDP
19174 @@ -86,6 +126,20 @@ RET_ENDP
19175 BEGIN(sub)
19176 subl %eax, (v)
19177 sbbl %edx, 4(v)
19178 +
19179 +#ifdef CONFIG_PAX_REFCOUNT
19180 + jno 0f
19181 + addl %eax, (v)
19182 + adcl %edx, 4(v)
19183 + int $4
19184 +0:
19185 + _ASM_EXTABLE(0b, 0b)
19186 +#endif
19187 +
19188 +RET_ENDP
19189 +BEGIN(sub_unchecked)
19190 + subl %eax, (v)
19191 + sbbl %edx, 4(v)
19192 RET_ENDP
19193 #undef v
19194
19195 @@ -96,6 +150,27 @@ BEGIN(sub_return)
19196 sbbl $0, %edx
19197 addl (v), %eax
19198 adcl 4(v), %edx
19199 +
19200 +#ifdef CONFIG_PAX_REFCOUNT
19201 + into
19202 +1234:
19203 + _ASM_EXTABLE(1234b, 2f)
19204 +#endif
19205 +
19206 + movl %eax, (v)
19207 + movl %edx, 4(v)
19208 +
19209 +#ifdef CONFIG_PAX_REFCOUNT
19210 +2:
19211 +#endif
19212 +
19213 +RET_ENDP
19214 +BEGIN(sub_return_unchecked)
19215 + negl %edx
19216 + negl %eax
19217 + sbbl $0, %edx
19218 + addl (v), %eax
19219 + adcl 4(v), %edx
19220 movl %eax, (v)
19221 movl %edx, 4(v)
19222 RET_ENDP
19223 @@ -105,6 +180,20 @@ RET_ENDP
19224 BEGIN(inc)
19225 addl $1, (v)
19226 adcl $0, 4(v)
19227 +
19228 +#ifdef CONFIG_PAX_REFCOUNT
19229 + jno 0f
19230 + subl $1, (v)
19231 + sbbl $0, 4(v)
19232 + int $4
19233 +0:
19234 + _ASM_EXTABLE(0b, 0b)
19235 +#endif
19236 +
19237 +RET_ENDP
19238 +BEGIN(inc_unchecked)
19239 + addl $1, (v)
19240 + adcl $0, 4(v)
19241 RET_ENDP
19242 #undef v
19243
19244 @@ -114,6 +203,26 @@ BEGIN(inc_return)
19245 movl 4(v), %edx
19246 addl $1, %eax
19247 adcl $0, %edx
19248 +
19249 +#ifdef CONFIG_PAX_REFCOUNT
19250 + into
19251 +1234:
19252 + _ASM_EXTABLE(1234b, 2f)
19253 +#endif
19254 +
19255 + movl %eax, (v)
19256 + movl %edx, 4(v)
19257 +
19258 +#ifdef CONFIG_PAX_REFCOUNT
19259 +2:
19260 +#endif
19261 +
19262 +RET_ENDP
19263 +BEGIN(inc_return_unchecked)
19264 + movl (v), %eax
19265 + movl 4(v), %edx
19266 + addl $1, %eax
19267 + adcl $0, %edx
19268 movl %eax, (v)
19269 movl %edx, 4(v)
19270 RET_ENDP
19271 @@ -123,6 +232,20 @@ RET_ENDP
19272 BEGIN(dec)
19273 subl $1, (v)
19274 sbbl $0, 4(v)
19275 +
19276 +#ifdef CONFIG_PAX_REFCOUNT
19277 + jno 0f
19278 + addl $1, (v)
19279 + adcl $0, 4(v)
19280 + int $4
19281 +0:
19282 + _ASM_EXTABLE(0b, 0b)
19283 +#endif
19284 +
19285 +RET_ENDP
19286 +BEGIN(dec_unchecked)
19287 + subl $1, (v)
19288 + sbbl $0, 4(v)
19289 RET_ENDP
19290 #undef v
19291
19292 @@ -132,6 +255,26 @@ BEGIN(dec_return)
19293 movl 4(v), %edx
19294 subl $1, %eax
19295 sbbl $0, %edx
19296 +
19297 +#ifdef CONFIG_PAX_REFCOUNT
19298 + into
19299 +1234:
19300 + _ASM_EXTABLE(1234b, 2f)
19301 +#endif
19302 +
19303 + movl %eax, (v)
19304 + movl %edx, 4(v)
19305 +
19306 +#ifdef CONFIG_PAX_REFCOUNT
19307 +2:
19308 +#endif
19309 +
19310 +RET_ENDP
19311 +BEGIN(dec_return_unchecked)
19312 + movl (v), %eax
19313 + movl 4(v), %edx
19314 + subl $1, %eax
19315 + sbbl $0, %edx
19316 movl %eax, (v)
19317 movl %edx, 4(v)
19318 RET_ENDP
19319 @@ -143,6 +286,13 @@ BEGIN(add_unless)
19320 adcl %edx, %edi
19321 addl (v), %eax
19322 adcl 4(v), %edx
19323 +
19324 +#ifdef CONFIG_PAX_REFCOUNT
19325 + into
19326 +1234:
19327 + _ASM_EXTABLE(1234b, 2f)
19328 +#endif
19329 +
19330 cmpl %eax, %esi
19331 je 3f
19332 1:
19333 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
19334 1:
19335 addl $1, %eax
19336 adcl $0, %edx
19337 +
19338 +#ifdef CONFIG_PAX_REFCOUNT
19339 + into
19340 +1234:
19341 + _ASM_EXTABLE(1234b, 2f)
19342 +#endif
19343 +
19344 movl %eax, (v)
19345 movl %edx, 4(v)
19346 movl $1, %eax
19347 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
19348 movl 4(v), %edx
19349 subl $1, %eax
19350 sbbl $0, %edx
19351 +
19352 +#ifdef CONFIG_PAX_REFCOUNT
19353 + into
19354 +1234:
19355 + _ASM_EXTABLE(1234b, 1f)
19356 +#endif
19357 +
19358 js 1f
19359 movl %eax, (v)
19360 movl %edx, 4(v)
19361 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S
19362 --- linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-19 00:06:34.000000000 -0400
19363 +++ linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-22 19:36:30.000000000 -0400
19364 @@ -39,6 +39,14 @@ ENTRY(atomic64_read_cx8)
19365 CFI_ENDPROC
19366 ENDPROC(atomic64_read_cx8)
19367
19368 +ENTRY(atomic64_read_unchecked_cx8)
19369 + CFI_STARTPROC
19370 +
19371 + read64 %ecx
19372 + ret
19373 + CFI_ENDPROC
19374 +ENDPROC(atomic64_read_unchecked_cx8)
19375 +
19376 ENTRY(atomic64_set_cx8)
19377 CFI_STARTPROC
19378
19379 @@ -52,6 +60,19 @@ ENTRY(atomic64_set_cx8)
19380 CFI_ENDPROC
19381 ENDPROC(atomic64_set_cx8)
19382
19383 +ENTRY(atomic64_set_unchecked_cx8)
19384 + CFI_STARTPROC
19385 +
19386 +1:
19387 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
19388 + * are atomic on 586 and newer */
19389 + cmpxchg8b (%esi)
19390 + jne 1b
19391 +
19392 + ret
19393 + CFI_ENDPROC
19394 +ENDPROC(atomic64_set_unchecked_cx8)
19395 +
19396 ENTRY(atomic64_xchg_cx8)
19397 CFI_STARTPROC
19398
19399 @@ -66,8 +87,8 @@ ENTRY(atomic64_xchg_cx8)
19400 CFI_ENDPROC
19401 ENDPROC(atomic64_xchg_cx8)
19402
19403 -.macro addsub_return func ins insc
19404 -ENTRY(atomic64_\func\()_return_cx8)
19405 +.macro addsub_return func ins insc unchecked=""
19406 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19407 CFI_STARTPROC
19408 SAVE ebp
19409 SAVE ebx
19410 @@ -84,27 +105,43 @@ ENTRY(atomic64_\func\()_return_cx8)
19411 movl %edx, %ecx
19412 \ins\()l %esi, %ebx
19413 \insc\()l %edi, %ecx
19414 +
19415 +.ifb \unchecked
19416 +#ifdef CONFIG_PAX_REFCOUNT
19417 + into
19418 +2:
19419 + _ASM_EXTABLE(2b, 3f)
19420 +#endif
19421 +.endif
19422 +
19423 LOCK_PREFIX
19424 cmpxchg8b (%ebp)
19425 jne 1b
19426 -
19427 -10:
19428 movl %ebx, %eax
19429 movl %ecx, %edx
19430 +
19431 +.ifb \unchecked
19432 +#ifdef CONFIG_PAX_REFCOUNT
19433 +3:
19434 +#endif
19435 +.endif
19436 +
19437 RESTORE edi
19438 RESTORE esi
19439 RESTORE ebx
19440 RESTORE ebp
19441 ret
19442 CFI_ENDPROC
19443 -ENDPROC(atomic64_\func\()_return_cx8)
19444 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19445 .endm
19446
19447 addsub_return add add adc
19448 addsub_return sub sub sbb
19449 +addsub_return add add adc _unchecked
19450 +addsub_return sub sub sbb _unchecked
19451
19452 -.macro incdec_return func ins insc
19453 -ENTRY(atomic64_\func\()_return_cx8)
19454 +.macro incdec_return func ins insc unchecked
19455 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19456 CFI_STARTPROC
19457 SAVE ebx
19458
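Review bot: `incdec_return` gains its `unchecked` parameter with no default, while `addsub_return` in the previous hunk declares `unchecked=""`, although both macros are invoked with and without the fourth argument. The two definitions should match so the three-argument invocations read the same way for both: `.macro incdec_return func ins insc unchecked=""`. Both macros also rely on `.ifb \unchecked` to select the checked variant, which is worth a one-line comment next to the parameter, e.g. `/* unchecked: empty for the overflow-checked variant, _unchecked otherwise */`.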
19459 @@ -114,21 +151,38 @@ ENTRY(atomic64_\func\()_return_cx8)
19460 movl %edx, %ecx
19461 \ins\()l $1, %ebx
19462 \insc\()l $0, %ecx
19463 +
19464 +.ifb \unchecked
19465 +#ifdef CONFIG_PAX_REFCOUNT
19466 + into
19467 +2:
19468 + _ASM_EXTABLE(2b, 3f)
19469 +#endif
19470 +.endif
19471 +
19472 LOCK_PREFIX
19473 cmpxchg8b (%esi)
19474 jne 1b
19475
19476 -10:
19477 movl %ebx, %eax
19478 movl %ecx, %edx
19479 +
19480 +.ifb \unchecked
19481 +#ifdef CONFIG_PAX_REFCOUNT
19482 +3:
19483 +#endif
19484 +.endif
19485 +
19486 RESTORE ebx
19487 ret
19488 CFI_ENDPROC
19489 -ENDPROC(atomic64_\func\()_return_cx8)
19490 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19491 .endm
19492
19493 incdec_return inc add adc
19494 incdec_return dec sub sbb
19495 +incdec_return inc add adc _unchecked
19496 +incdec_return dec sub sbb _unchecked
19497
19498 ENTRY(atomic64_dec_if_positive_cx8)
19499 CFI_STARTPROC
19500 @@ -140,6 +194,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
19501 movl %edx, %ecx
19502 subl $1, %ebx
19503 sbb $0, %ecx
19504 +
19505 +#ifdef CONFIG_PAX_REFCOUNT
19506 + into
19507 +1234:
19508 + _ASM_EXTABLE(1234b, 2f)
19509 +#endif
19510 +
19511 js 2f
19512 LOCK_PREFIX
19513 cmpxchg8b (%esi)
19514 @@ -174,6 +235,13 @@ ENTRY(atomic64_add_unless_cx8)
19515 movl %edx, %ecx
19516 addl %esi, %ebx
19517 adcl %edi, %ecx
19518 +
19519 +#ifdef CONFIG_PAX_REFCOUNT
19520 + into
19521 +1234:
19522 + _ASM_EXTABLE(1234b, 3f)
19523 +#endif
19524 +
19525 LOCK_PREFIX
19526 cmpxchg8b (%ebp)
19527 jne 1b
19528 @@ -206,6 +274,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
19529 movl %edx, %ecx
19530 addl $1, %ebx
19531 adcl $0, %ecx
19532 +
19533 +#ifdef CONFIG_PAX_REFCOUNT
19534 + into
19535 +1234:
19536 + _ASM_EXTABLE(1234b, 3f)
19537 +#endif
19538 +
19539 LOCK_PREFIX
19540 cmpxchg8b (%esi)
19541 jne 1b
19542 diff -urNp linux-2.6.39.3/arch/x86/lib/checksum_32.S linux-2.6.39.3/arch/x86/lib/checksum_32.S
19543 --- linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-19 00:06:34.000000000 -0400
19544 +++ linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-22 19:36:30.000000000 -0400
19545 @@ -28,7 +28,8 @@
19546 #include <linux/linkage.h>
19547 #include <asm/dwarf2.h>
19548 #include <asm/errno.h>
19549 -
19550 +#include <asm/segment.h>
19551 +
19552 /*
19553 * computes a partial checksum, e.g. for TCP/UDP fragments
19554 */
19555 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
19556
19557 #define ARGBASE 16
19558 #define FP 12
19559 -
19560 -ENTRY(csum_partial_copy_generic)
19561 +
19562 +ENTRY(csum_partial_copy_generic_to_user)
19563 CFI_STARTPROC
19564 +
19565 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19566 + pushl_cfi %gs
19567 + popl_cfi %es
19568 + jmp csum_partial_copy_generic
19569 +#endif
19570 +
19571 +ENTRY(csum_partial_copy_generic_from_user)
19572 +
19573 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19574 + pushl_cfi %gs
19575 + popl_cfi %ds
19576 +#endif
19577 +
19578 +ENTRY(csum_partial_copy_generic)
19579 subl $4,%esp
19580 CFI_ADJUST_CFA_OFFSET 4
19581 pushl_cfi %edi
19582 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
19583 jmp 4f
19584 SRC(1: movw (%esi), %bx )
19585 addl $2, %esi
19586 -DST( movw %bx, (%edi) )
19587 +DST( movw %bx, %es:(%edi) )
19588 addl $2, %edi
19589 addw %bx, %ax
19590 adcl $0, %eax
19591 @@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
19592 SRC(1: movl (%esi), %ebx )
19593 SRC( movl 4(%esi), %edx )
19594 adcl %ebx, %eax
19595 -DST( movl %ebx, (%edi) )
19596 +DST( movl %ebx, %es:(%edi) )
19597 adcl %edx, %eax
19598 -DST( movl %edx, 4(%edi) )
19599 +DST( movl %edx, %es:4(%edi) )
19600
19601 SRC( movl 8(%esi), %ebx )
19602 SRC( movl 12(%esi), %edx )
19603 adcl %ebx, %eax
19604 -DST( movl %ebx, 8(%edi) )
19605 +DST( movl %ebx, %es:8(%edi) )
19606 adcl %edx, %eax
19607 -DST( movl %edx, 12(%edi) )
19608 +DST( movl %edx, %es:12(%edi) )
19609
19610 SRC( movl 16(%esi), %ebx )
19611 SRC( movl 20(%esi), %edx )
19612 adcl %ebx, %eax
19613 -DST( movl %ebx, 16(%edi) )
19614 +DST( movl %ebx, %es:16(%edi) )
19615 adcl %edx, %eax
19616 -DST( movl %edx, 20(%edi) )
19617 +DST( movl %edx, %es:20(%edi) )
19618
19619 SRC( movl 24(%esi), %ebx )
19620 SRC( movl 28(%esi), %edx )
19621 adcl %ebx, %eax
19622 -DST( movl %ebx, 24(%edi) )
19623 +DST( movl %ebx, %es:24(%edi) )
19624 adcl %edx, %eax
19625 -DST( movl %edx, 28(%edi) )
19626 +DST( movl %edx, %es:28(%edi) )
19627
19628 lea 32(%esi), %esi
19629 lea 32(%edi), %edi
19630 @@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
19631 shrl $2, %edx # This clears CF
19632 SRC(3: movl (%esi), %ebx )
19633 adcl %ebx, %eax
19634 -DST( movl %ebx, (%edi) )
19635 +DST( movl %ebx, %es:(%edi) )
19636 lea 4(%esi), %esi
19637 lea 4(%edi), %edi
19638 dec %edx
19639 @@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
19640 jb 5f
19641 SRC( movw (%esi), %cx )
19642 leal 2(%esi), %esi
19643 -DST( movw %cx, (%edi) )
19644 +DST( movw %cx, %es:(%edi) )
19645 leal 2(%edi), %edi
19646 je 6f
19647 shll $16,%ecx
19648 SRC(5: movb (%esi), %cl )
19649 -DST( movb %cl, (%edi) )
19650 +DST( movb %cl, %es:(%edi) )
19651 6: addl %ecx, %eax
19652 adcl $0, %eax
19653 7:
19654 @@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
19655
19656 6001:
19657 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19658 - movl $-EFAULT, (%ebx)
19659 + movl $-EFAULT, %ss:(%ebx)
19660
19661 # zero the complete destination - computing the rest
19662 # is too much work
19663 @@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
19664
19665 6002:
19666 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19667 - movl $-EFAULT,(%ebx)
19668 + movl $-EFAULT,%ss:(%ebx)
19669 jmp 5000b
19670
19671 .previous
19672
19673 + pushl_cfi %ss
19674 + popl_cfi %ds
19675 + pushl_cfi %ss
19676 + popl_cfi %es
19677 popl_cfi %ebx
19678 CFI_RESTORE ebx
19679 popl_cfi %esi
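Review bot: The four added lines that reset %ds and %es from %ss on exit are unconditional here, but the same restore in the PentiumII/PPro variant later in this file sits inside `#ifdef CONFIG_PAX_MEMORY_UDEREF`, as do the entry-point loads of %es and %ds from %gs in both variants. Without UDEREF nothing in the visible hunks changes those registers on entry, so this variant pays for two segment loads it does not need and the two variants disagree. Wrap the block the same way: `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl_cfi %ss` and `#endif` after the second `popl_cfi`. The function body starts outside this hunk.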
19680 @@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
19681 popl_cfi %ecx # equivalent to addl $4,%esp
19682 ret
19683 CFI_ENDPROC
19684 -ENDPROC(csum_partial_copy_generic)
19685 +ENDPROC(csum_partial_copy_generic_to_user)
19686
19687 #else
19688
19689 /* Version for PentiumII/PPro */
19690
19691 #define ROUND1(x) \
19692 + nop; nop; nop; \
19693 SRC(movl x(%esi), %ebx ) ; \
19694 addl %ebx, %eax ; \
19695 - DST(movl %ebx, x(%edi) ) ;
19696 + DST(movl %ebx, %es:x(%edi)) ;
19697
19698 #define ROUND(x) \
19699 + nop; nop; nop; \
19700 SRC(movl x(%esi), %ebx ) ; \
19701 adcl %ebx, %eax ; \
19702 - DST(movl %ebx, x(%edi) ) ;
19703 + DST(movl %ebx, %es:x(%edi)) ;
19704
19705 #define ARGBASE 12
19706 -
19707 -ENTRY(csum_partial_copy_generic)
19708 +
19709 +ENTRY(csum_partial_copy_generic_to_user)
19710 CFI_STARTPROC
19711 +
19712 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19713 + pushl_cfi %gs
19714 + popl_cfi %es
19715 + jmp csum_partial_copy_generic
19716 +#endif
19717 +
19718 +ENTRY(csum_partial_copy_generic_from_user)
19719 +
19720 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19721 + pushl_cfi %gs
19722 + popl_cfi %ds
19723 +#endif
19724 +
19725 +ENTRY(csum_partial_copy_generic)
19726 pushl_cfi %ebx
19727 CFI_REL_OFFSET ebx, 0
19728 pushl_cfi %edi
19729 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
19730 subl %ebx, %edi
19731 lea -1(%esi),%edx
19732 andl $-32,%edx
19733 - lea 3f(%ebx,%ebx), %ebx
19734 + lea 3f(%ebx,%ebx,2), %ebx
19735 testl %esi, %esi
19736 jmp *%ebx
19737 1: addl $64,%esi
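Review bot: The new scale in `lea 3f(%ebx,%ebx,2), %ebx` is tied to the assembled size of one `ROUND` expansion, which the previous hunk lengthens with `nop; nop; nop;` and an `%es:` prefix, and nothing records that coupling. The computed `jmp *%ebx` lands mid-table, so any later change to `ROUND`/`ROUND1` that alters their length silently breaks the entry point. A comment on the `lea` would make the dependency explicit, e.g. `/* ebx*3: each ROUND must assemble to the same fixed size (12 bytes by my count, confirm) */`. How %ebx is derived is outside this hunk, so the byte count should be checked against the full function.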
19738 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
19739 jb 5f
19740 SRC( movw (%esi), %dx )
19741 leal 2(%esi), %esi
19742 -DST( movw %dx, (%edi) )
19743 +DST( movw %dx, %es:(%edi) )
19744 leal 2(%edi), %edi
19745 je 6f
19746 shll $16,%edx
19747 5:
19748 SRC( movb (%esi), %dl )
19749 -DST( movb %dl, (%edi) )
19750 +DST( movb %dl, %es:(%edi) )
19751 6: addl %edx, %eax
19752 adcl $0, %eax
19753 7:
19754 .section .fixup, "ax"
19755 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19756 - movl $-EFAULT, (%ebx)
19757 + movl $-EFAULT, %ss:(%ebx)
19758 # zero the complete destination (computing the rest is too much work)
19759 movl ARGBASE+8(%esp),%edi # dst
19760 movl ARGBASE+12(%esp),%ecx # len
19761 @@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
19762 rep; stosb
19763 jmp 7b
19764 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19765 - movl $-EFAULT, (%ebx)
19766 + movl $-EFAULT, %ss:(%ebx)
19767 jmp 7b
19768 .previous
19769
19770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19771 + pushl_cfi %ss
19772 + popl_cfi %ds
19773 + pushl_cfi %ss
19774 + popl_cfi %es
19775 +#endif
19776 +
19777 popl_cfi %esi
19778 CFI_RESTORE esi
19779 popl_cfi %edi
19780 @@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
19781 CFI_RESTORE ebx
19782 ret
19783 CFI_ENDPROC
19784 -ENDPROC(csum_partial_copy_generic)
19785 +ENDPROC(csum_partial_copy_generic_to_user)
19786
19787 #undef ROUND
19788 #undef ROUND1
19789 diff -urNp linux-2.6.39.3/arch/x86/lib/clear_page_64.S linux-2.6.39.3/arch/x86/lib/clear_page_64.S
19790 --- linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-19 00:06:34.000000000 -0400
19791 +++ linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-22 19:36:30.000000000 -0400
19792 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19793
19794 #include <asm/cpufeature.h>
19795
19796 - .section .altinstr_replacement,"ax"
19797 + .section .altinstr_replacement,"a"
19798 1: .byte 0xeb /* jmp <disp8> */
19799 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19800 2:
19801 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_page_64.S linux-2.6.39.3/arch/x86/lib/copy_page_64.S
19802 --- linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-19 00:06:34.000000000 -0400
19803 +++ linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-22 19:36:30.000000000 -0400
19804 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19805
19806 #include <asm/cpufeature.h>
19807
19808 - .section .altinstr_replacement,"ax"
19809 + .section .altinstr_replacement,"a"
19810 1: .byte 0xeb /* jmp <disp8> */
19811 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19812 2:
19813 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_64.S linux-2.6.39.3/arch/x86/lib/copy_user_64.S
19814 --- linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:04:13.000000000 -0400
19815 +++ linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:32:05.000000000 -0400
19816 @@ -15,13 +15,14 @@
19817 #include <asm/asm-offsets.h>
19818 #include <asm/thread_info.h>
19819 #include <asm/cpufeature.h>
19820 +#include <asm/pgtable.h>
19821
19822 .macro ALTERNATIVE_JUMP feature,orig,alt
19823 0:
19824 .byte 0xe9 /* 32bit jump */
19825 .long \orig-1f /* by default jump to orig */
19826 1:
19827 - .section .altinstr_replacement,"ax"
19828 + .section .altinstr_replacement,"a"
19829 2: .byte 0xe9 /* near jump with 32bit immediate */
19830 .long \alt-1b /* offset */ /* or alternatively to alt */
19831 .previous
19832 @@ -64,37 +65,13 @@
19833 #endif
19834 .endm
19835
19836 -/* Standard copy_to_user with segment limit checking */
19837 -ENTRY(_copy_to_user)
19838 - CFI_STARTPROC
19839 - GET_THREAD_INFO(%rax)
19840 - movq %rdi,%rcx
19841 - addq %rdx,%rcx
19842 - jc bad_to_user
19843 - cmpq TI_addr_limit(%rax),%rcx
19844 - ja bad_to_user
19845 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19846 - CFI_ENDPROC
19847 -ENDPROC(_copy_to_user)
19848 -
19849 -/* Standard copy_from_user with segment limit checking */
19850 -ENTRY(_copy_from_user)
19851 - CFI_STARTPROC
19852 - GET_THREAD_INFO(%rax)
19853 - movq %rsi,%rcx
19854 - addq %rdx,%rcx
19855 - jc bad_from_user
19856 - cmpq TI_addr_limit(%rax),%rcx
19857 - ja bad_from_user
19858 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19859 - CFI_ENDPROC
19860 -ENDPROC(_copy_from_user)
19861 -
19862 .section .fixup,"ax"
19863 /* must zero dest */
19864 ENTRY(bad_from_user)
19865 bad_from_user:
19866 CFI_STARTPROC
19867 + testl %edx,%edx
19868 + js bad_to_user
19869 movl %edx,%ecx
19870 xorl %eax,%eax
19871 rep
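Review bot: The added `testl %edx,%edx` / `js bad_to_user` pair in `bad_from_user` has no comment explaining why a length with bit 31 set must skip the zeroing path. The lines below it copy %edx into %ecx as the count for a `rep` store, so the intent appears to be keeping that store from running with a huge count. Stating it would help: `/* length has bit 31 set: do not zero the destination, leave through bad_to_user */`. `bad_to_user` and the rest of `bad_from_user` lie outside this hunk, so the comment should be checked against what that path returns.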
19872 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S
19873 --- linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-19 00:06:34.000000000 -0400
19874 +++ linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-22 19:36:30.000000000 -0400
19875 @@ -14,6 +14,7 @@
19876 #include <asm/current.h>
19877 #include <asm/asm-offsets.h>
19878 #include <asm/thread_info.h>
19879 +#include <asm/pgtable.h>
19880
19881 .macro ALIGN_DESTINATION
19882 #ifdef FIX_ALIGNMENT
19883 @@ -50,6 +51,15 @@
19884 */
19885 ENTRY(__copy_user_nocache)
19886 CFI_STARTPROC
19887 +
19888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19889 + mov $PAX_USER_SHADOW_BASE,%rcx
19890 + cmp %rcx,%rsi
19891 + jae 1f
19892 + add %rcx,%rsi
19893 +1:
19894 +#endif
19895 +
19896 cmpl $8,%edx
19897 jb 20f /* less then 8 bytes, go to byte copy loop */
19898 ALIGN_DESTINATION
19899 diff -urNp linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c
19900 --- linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-19 00:06:34.000000000 -0400
19901 +++ linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-22 19:36:30.000000000 -0400
19902 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19903 len -= 2;
19904 }
19905 }
19906 +
19907 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19908 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19909 + src += PAX_USER_SHADOW_BASE;
19910 +#endif
19911 +
19912 isum = csum_partial_copy_generic((__force const void *)src,
19913 dst, len, isum, errp, NULL);
19914 if (unlikely(*errp))
19915 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19916 }
19917
19918 *errp = 0;
19919 +
19920 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19921 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19922 + dst += PAX_USER_SHADOW_BASE;
19923 +#endif
19924 +
19925 return csum_partial_copy_generic(src, (void __force *)dst,
19926 len, isum, NULL, errp);
19927 }
19928 diff -urNp linux-2.6.39.3/arch/x86/lib/getuser.S linux-2.6.39.3/arch/x86/lib/getuser.S
19929 --- linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-19 00:06:34.000000000 -0400
19930 +++ linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-22 19:36:30.000000000 -0400
19931 @@ -33,14 +33,35 @@
19932 #include <asm/asm-offsets.h>
19933 #include <asm/thread_info.h>
19934 #include <asm/asm.h>
19935 +#include <asm/segment.h>
19936 +#include <asm/pgtable.h>
19937 +
19938 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19939 +#define __copyuser_seg gs;
19940 +#else
19941 +#define __copyuser_seg
19942 +#endif
19943
19944 .text
19945 ENTRY(__get_user_1)
19946 CFI_STARTPROC
19947 +
19948 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19949 GET_THREAD_INFO(%_ASM_DX)
19950 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19951 jae bad_get_user
19952 -1: movzb (%_ASM_AX),%edx
19953 +
19954 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19955 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19956 + cmp %_ASM_DX,%_ASM_AX
19957 + jae 1234f
19958 + add %_ASM_DX,%_ASM_AX
19959 +1234:
19960 +#endif
19961 +
19962 +#endif
19963 +
19964 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19965 xor %eax,%eax
19966 ret
19967 CFI_ENDPROC
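Review bot: On a 32-bit build with `CONFIG_PAX_MEMORY_UDEREF` the `TI_addr_limit` comparison in `__get_user_1` is compiled out, and the only thing left between the caller's pointer and the load is the `gs` override from `__copyuser_seg`, yet no comment says that this is the bound. The `__get_user_2` and `__get_user_4` hunks do the same and also drop `jc bad_get_user` after the `add`. A comment on the macro definition would make the security argument reviewable, e.g. `/* 32-bit UDEREF: no addr_limit check, the %gs segment limit bounds user accesses */` (presumably the design; confirm it). It would also help to say why the 64-bit path rebases addresses below `PAX_USER_SHADOW_BASE` instead.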
19968 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19969 ENTRY(__get_user_2)
19970 CFI_STARTPROC
19971 add $1,%_ASM_AX
19972 +
19973 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19974 jc bad_get_user
19975 GET_THREAD_INFO(%_ASM_DX)
19976 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19977 jae bad_get_user
19978 -2: movzwl -1(%_ASM_AX),%edx
19979 +
19980 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19981 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19982 + cmp %_ASM_DX,%_ASM_AX
19983 + jae 1234f
19984 + add %_ASM_DX,%_ASM_AX
19985 +1234:
19986 +#endif
19987 +
19988 +#endif
19989 +
19990 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19991 xor %eax,%eax
19992 ret
19993 CFI_ENDPROC
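Review bot: Moving `jc bad_get_user` inside the `#if` means a 32-bit UDEREF build no longer checks the wrap of `add $1,%_ASM_AX` in software, so the load at label 2 relies entirely on the segment check to fault. That is presumably intended, but it should be confirmed that the fault raised by a segment-limit violation is routed through the exception-table entry for label 2. A comment should say so, e.g. `/* 32-bit UDEREF: wraparound is caught by the %gs limit */`. The `__get_user_4` hunk makes the same move for `add $3`.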
19994 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19995 ENTRY(__get_user_4)
19996 CFI_STARTPROC
19997 add $3,%_ASM_AX
19998 +
19999 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20000 jc bad_get_user
20001 GET_THREAD_INFO(%_ASM_DX)
20002 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20003 jae bad_get_user
20004 -3: mov -3(%_ASM_AX),%edx
20005 +
20006 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20007 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20008 + cmp %_ASM_DX,%_ASM_AX
20009 + jae 1234f
20010 + add %_ASM_DX,%_ASM_AX
20011 +1234:
20012 +#endif
20013 +
20014 +#endif
20015 +
20016 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
20017 xor %eax,%eax
20018 ret
20019 CFI_ENDPROC
20020 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
20021 GET_THREAD_INFO(%_ASM_DX)
20022 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20023 jae bad_get_user
20024 +
20025 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20026 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20027 + cmp %_ASM_DX,%_ASM_AX
20028 + jae 1234f
20029 + add %_ASM_DX,%_ASM_AX
20030 +1234:
20031 +#endif
20032 +
20033 4: movq -7(%_ASM_AX),%_ASM_DX
20034 xor %eax,%eax
20035 ret
20036 diff -urNp linux-2.6.39.3/arch/x86/lib/insn.c linux-2.6.39.3/arch/x86/lib/insn.c
20037 --- linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-19 00:06:34.000000000 -0400
20038 +++ linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-22 19:36:30.000000000 -0400
20039 @@ -21,6 +21,11 @@
20040 #include <linux/string.h>
20041 #include <asm/inat.h>
20042 #include <asm/insn.h>
20043 +#ifdef __KERNEL__
20044 +#include <asm/pgtable_types.h>
20045 +#else
20046 +#define ktla_ktva(addr) addr
20047 +#endif
20048
20049 #define get_next(t, insn) \
20050 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
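Review bot: The userspace fallback `#define ktla_ktva(addr) addr` expands without parentheses, so an argument containing an operator could bind differently from the kernel-side definition. It should be written as `#define ktla_ktva(addr) (addr)`. The `insn_init` hunk below is the only visible user and passes a plain identifier, so this is a hygiene fix rather than a live bug.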
20051 @@ -40,8 +45,8 @@
20052 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
20053 {
20054 memset(insn, 0, sizeof(*insn));
20055 - insn->kaddr = kaddr;
20056 - insn->next_byte = kaddr;
20057 + insn->kaddr = ktla_ktva(kaddr);
20058 + insn->next_byte = ktla_ktva(kaddr);
20059 insn->x86_64 = x86_64 ? 1 : 0;
20060 insn->opnd_bytes = 4;
20061 if (x86_64)
20062 diff -urNp linux-2.6.39.3/arch/x86/lib/mmx_32.c linux-2.6.39.3/arch/x86/lib/mmx_32.c
20063 --- linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-19 00:06:34.000000000 -0400
20064 +++ linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-22 19:36:30.000000000 -0400
20065 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
20066 {
20067 void *p;
20068 int i;
20069 + unsigned long cr0;
20070
20071 if (unlikely(in_interrupt()))
20072 return __memcpy(to, from, len);
20073 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
20074 kernel_fpu_begin();
20075
20076 __asm__ __volatile__ (
20077 - "1: prefetch (%0)\n" /* This set is 28 bytes */
20078 - " prefetch 64(%0)\n"
20079 - " prefetch 128(%0)\n"
20080 - " prefetch 192(%0)\n"
20081 - " prefetch 256(%0)\n"
20082 + "1: prefetch (%1)\n" /* This set is 28 bytes */
20083 + " prefetch 64(%1)\n"
20084 + " prefetch 128(%1)\n"
20085 + " prefetch 192(%1)\n"
20086 + " prefetch 256(%1)\n"
20087 "2: \n"
20088 ".section .fixup, \"ax\"\n"
20089 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20090 + "3: \n"
20091 +
20092 +#ifdef CONFIG_PAX_KERNEXEC
20093 + " movl %%cr0, %0\n"
20094 + " movl %0, %%eax\n"
20095 + " andl $0xFFFEFFFF, %%eax\n"
20096 + " movl %%eax, %%cr0\n"
20097 +#endif
20098 +
20099 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20100 +
20101 +#ifdef CONFIG_PAX_KERNEXEC
20102 + " movl %0, %%cr0\n"
20103 +#endif
20104 +
20105 " jmp 2b\n"
20106 ".previous\n"
20107 _ASM_EXTABLE(1b, 3b)
20108 - : : "r" (from));
20109 + : "=&r" (cr0) : "r" (from) : "ax");
20110
20111 for ( ; i > 5; i--) {
20112 __asm__ __volatile__ (
20113 - "1: prefetch 320(%0)\n"
20114 - "2: movq (%0), %%mm0\n"
20115 - " movq 8(%0), %%mm1\n"
20116 - " movq 16(%0), %%mm2\n"
20117 - " movq 24(%0), %%mm3\n"
20118 - " movq %%mm0, (%1)\n"
20119 - " movq %%mm1, 8(%1)\n"
20120 - " movq %%mm2, 16(%1)\n"
20121 - " movq %%mm3, 24(%1)\n"
20122 - " movq 32(%0), %%mm0\n"
20123 - " movq 40(%0), %%mm1\n"
20124 - " movq 48(%0), %%mm2\n"
20125 - " movq 56(%0), %%mm3\n"
20126 - " movq %%mm0, 32(%1)\n"
20127 - " movq %%mm1, 40(%1)\n"
20128 - " movq %%mm2, 48(%1)\n"
20129 - " movq %%mm3, 56(%1)\n"
20130 + "1: prefetch 320(%1)\n"
20131 + "2: movq (%1), %%mm0\n"
20132 + " movq 8(%1), %%mm1\n"
20133 + " movq 16(%1), %%mm2\n"
20134 + " movq 24(%1), %%mm3\n"
20135 + " movq %%mm0, (%2)\n"
20136 + " movq %%mm1, 8(%2)\n"
20137 + " movq %%mm2, 16(%2)\n"
20138 + " movq %%mm3, 24(%2)\n"
20139 + " movq 32(%1), %%mm0\n"
20140 + " movq 40(%1), %%mm1\n"
20141 + " movq 48(%1), %%mm2\n"
20142 + " movq 56(%1), %%mm3\n"
20143 + " movq %%mm0, 32(%2)\n"
20144 + " movq %%mm1, 40(%2)\n"
20145 + " movq %%mm2, 48(%2)\n"
20146 + " movq %%mm3, 56(%2)\n"
20147 ".section .fixup, \"ax\"\n"
20148 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20149 + "3:\n"
20150 +
20151 +#ifdef CONFIG_PAX_KERNEXEC
20152 + " movl %%cr0, %0\n"
20153 + " movl %0, %%eax\n"
20154 + " andl $0xFFFEFFFF, %%eax\n"
20155 + " movl %%eax, %%cr0\n"
20156 +#endif
20157 +
20158 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20159 +
20160 +#ifdef CONFIG_PAX_KERNEXEC
20161 + " movl %0, %%cr0\n"
20162 +#endif
20163 +
20164 " jmp 2b\n"
20165 ".previous\n"
20166 _ASM_EXTABLE(1b, 3b)
20167 - : : "r" (from), "r" (to) : "memory");
20168 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20169
20170 from += 64;
20171 to += 64;
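Review bot: The constant in `andl $0xFFFEFFFF, %%eax` is unexplained; it clears bit 16 of CR0 (write protect) so that the following `movw ..., 1b` can patch kernel text, and deserves a comment such as `/* clear CR0.WP so the fixup can overwrite the prefetch at 1b */`. The `"=&r" (cr0)` output and the `"ax"` clobber are added unconditionally, so builds without `CONFIG_PAX_KERNEXEC` give up two registers for an asm that never touches them. Write protection stays off from the first `%%cr0` write until the restore, and nothing visible in this hunk masks interrupts across that window, which is worth a sentence in the comment. The same sequence appears in both `fast_copy_page` hunks below, and `_mmx_memcpy` continues past the end of this hunk.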
20172 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
20173 static void fast_copy_page(void *to, void *from)
20174 {
20175 int i;
20176 + unsigned long cr0;
20177
20178 kernel_fpu_begin();
20179
20180 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
20181 * but that is for later. -AV
20182 */
20183 __asm__ __volatile__(
20184 - "1: prefetch (%0)\n"
20185 - " prefetch 64(%0)\n"
20186 - " prefetch 128(%0)\n"
20187 - " prefetch 192(%0)\n"
20188 - " prefetch 256(%0)\n"
20189 + "1: prefetch (%1)\n"
20190 + " prefetch 64(%1)\n"
20191 + " prefetch 128(%1)\n"
20192 + " prefetch 192(%1)\n"
20193 + " prefetch 256(%1)\n"
20194 "2: \n"
20195 ".section .fixup, \"ax\"\n"
20196 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20197 + "3: \n"
20198 +
20199 +#ifdef CONFIG_PAX_KERNEXEC
20200 + " movl %%cr0, %0\n"
20201 + " movl %0, %%eax\n"
20202 + " andl $0xFFFEFFFF, %%eax\n"
20203 + " movl %%eax, %%cr0\n"
20204 +#endif
20205 +
20206 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20207 +
20208 +#ifdef CONFIG_PAX_KERNEXEC
20209 + " movl %0, %%cr0\n"
20210 +#endif
20211 +
20212 " jmp 2b\n"
20213 ".previous\n"
20214 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20215 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20216
20217 for (i = 0; i < (4096-320)/64; i++) {
20218 __asm__ __volatile__ (
20219 - "1: prefetch 320(%0)\n"
20220 - "2: movq (%0), %%mm0\n"
20221 - " movntq %%mm0, (%1)\n"
20222 - " movq 8(%0), %%mm1\n"
20223 - " movntq %%mm1, 8(%1)\n"
20224 - " movq 16(%0), %%mm2\n"
20225 - " movntq %%mm2, 16(%1)\n"
20226 - " movq 24(%0), %%mm3\n"
20227 - " movntq %%mm3, 24(%1)\n"
20228 - " movq 32(%0), %%mm4\n"
20229 - " movntq %%mm4, 32(%1)\n"
20230 - " movq 40(%0), %%mm5\n"
20231 - " movntq %%mm5, 40(%1)\n"
20232 - " movq 48(%0), %%mm6\n"
20233 - " movntq %%mm6, 48(%1)\n"
20234 - " movq 56(%0), %%mm7\n"
20235 - " movntq %%mm7, 56(%1)\n"
20236 + "1: prefetch 320(%1)\n"
20237 + "2: movq (%1), %%mm0\n"
20238 + " movntq %%mm0, (%2)\n"
20239 + " movq 8(%1), %%mm1\n"
20240 + " movntq %%mm1, 8(%2)\n"
20241 + " movq 16(%1), %%mm2\n"
20242 + " movntq %%mm2, 16(%2)\n"
20243 + " movq 24(%1), %%mm3\n"
20244 + " movntq %%mm3, 24(%2)\n"
20245 + " movq 32(%1), %%mm4\n"
20246 + " movntq %%mm4, 32(%2)\n"
20247 + " movq 40(%1), %%mm5\n"
20248 + " movntq %%mm5, 40(%2)\n"
20249 + " movq 48(%1), %%mm6\n"
20250 + " movntq %%mm6, 48(%2)\n"
20251 + " movq 56(%1), %%mm7\n"
20252 + " movntq %%mm7, 56(%2)\n"
20253 ".section .fixup, \"ax\"\n"
20254 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20255 + "3:\n"
20256 +
20257 +#ifdef CONFIG_PAX_KERNEXEC
20258 + " movl %%cr0, %0\n"
20259 + " movl %0, %%eax\n"
20260 + " andl $0xFFFEFFFF, %%eax\n"
20261 + " movl %%eax, %%cr0\n"
20262 +#endif
20263 +
20264 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20265 +
20266 +#ifdef CONFIG_PAX_KERNEXEC
20267 + " movl %0, %%cr0\n"
20268 +#endif
20269 +
20270 " jmp 2b\n"
20271 ".previous\n"
20272 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
20273 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20274
20275 from += 64;
20276 to += 64;
20277 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
20278 static void fast_copy_page(void *to, void *from)
20279 {
20280 int i;
20281 + unsigned long cr0;
20282
20283 kernel_fpu_begin();
20284
20285 __asm__ __volatile__ (
20286 - "1: prefetch (%0)\n"
20287 - " prefetch 64(%0)\n"
20288 - " prefetch 128(%0)\n"
20289 - " prefetch 192(%0)\n"
20290 - " prefetch 256(%0)\n"
20291 + "1: prefetch (%1)\n"
20292 + " prefetch 64(%1)\n"
20293 + " prefetch 128(%1)\n"
20294 + " prefetch 192(%1)\n"
20295 + " prefetch 256(%1)\n"
20296 "2: \n"
20297 ".section .fixup, \"ax\"\n"
20298 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20299 + "3: \n"
20300 +
20301 +#ifdef CONFIG_PAX_KERNEXEC
20302 + " movl %%cr0, %0\n"
20303 + " movl %0, %%eax\n"
20304 + " andl $0xFFFEFFFF, %%eax\n"
20305 + " movl %%eax, %%cr0\n"
20306 +#endif
20307 +
20308 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20309 +
20310 +#ifdef CONFIG_PAX_KERNEXEC
20311 + " movl %0, %%cr0\n"
20312 +#endif
20313 +
20314 " jmp 2b\n"
20315 ".previous\n"
20316 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20317 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20318
20319 for (i = 0; i < 4096/64; i++) {
20320 __asm__ __volatile__ (
20321 - "1: prefetch 320(%0)\n"
20322 - "2: movq (%0), %%mm0\n"
20323 - " movq 8(%0), %%mm1\n"
20324 - " movq 16(%0), %%mm2\n"
20325 - " movq 24(%0), %%mm3\n"
20326 - " movq %%mm0, (%1)\n"
20327 - " movq %%mm1, 8(%1)\n"
20328 - " movq %%mm2, 16(%1)\n"
20329 - " movq %%mm3, 24(%1)\n"
20330 - " movq 32(%0), %%mm0\n"
20331 - " movq 40(%0), %%mm1\n"
20332 - " movq 48(%0), %%mm2\n"
20333 - " movq 56(%0), %%mm3\n"
20334 - " movq %%mm0, 32(%1)\n"
20335 - " movq %%mm1, 40(%1)\n"
20336 - " movq %%mm2, 48(%1)\n"
20337 - " movq %%mm3, 56(%1)\n"
20338 + "1: prefetch 320(%1)\n"
20339 + "2: movq (%1), %%mm0\n"
20340 + " movq 8(%1), %%mm1\n"
20341 + " movq 16(%1), %%mm2\n"
20342 + " movq 24(%1), %%mm3\n"
20343 + " movq %%mm0, (%2)\n"
20344 + " movq %%mm1, 8(%2)\n"
20345 + " movq %%mm2, 16(%2)\n"
20346 + " movq %%mm3, 24(%2)\n"
20347 + " movq 32(%1), %%mm0\n"
20348 + " movq 40(%1), %%mm1\n"
20349 + " movq 48(%1), %%mm2\n"
20350 + " movq 56(%1), %%mm3\n"
20351 + " movq %%mm0, 32(%2)\n"
20352 + " movq %%mm1, 40(%2)\n"
20353 + " movq %%mm2, 48(%2)\n"
20354 + " movq %%mm3, 56(%2)\n"
20355 ".section .fixup, \"ax\"\n"
20356 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20357 + "3:\n"
20358 +
20359 +#ifdef CONFIG_PAX_KERNEXEC
20360 + " movl %%cr0, %0\n"
20361 + " movl %0, %%eax\n"
20362 + " andl $0xFFFEFFFF, %%eax\n"
20363 + " movl %%eax, %%cr0\n"
20364 +#endif
20365 +
20366 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20367 +
20368 +#ifdef CONFIG_PAX_KERNEXEC
20369 + " movl %0, %%cr0\n"
20370 +#endif
20371 +
20372 " jmp 2b\n"
20373 ".previous\n"
20374 _ASM_EXTABLE(1b, 3b)
20375 - : : "r" (from), "r" (to) : "memory");
20376 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20377
20378 from += 64;
20379 to += 64;
20380 diff -urNp linux-2.6.39.3/arch/x86/lib/putuser.S linux-2.6.39.3/arch/x86/lib/putuser.S
20381 --- linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-19 00:06:34.000000000 -0400
20382 +++ linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-22 19:36:30.000000000 -0400
20383 @@ -15,7 +15,8 @@
20384 #include <asm/thread_info.h>
20385 #include <asm/errno.h>
20386 #include <asm/asm.h>
20387 -
20388 +#include <asm/segment.h>
20389 +#include <asm/pgtable.h>
20390
20391 /*
20392 * __put_user_X
20393 @@ -29,52 +30,119 @@
20394 * as they get called from within inline assembly.
20395 */
20396
20397 -#define ENTER CFI_STARTPROC ; \
20398 - GET_THREAD_INFO(%_ASM_BX)
20399 +#define ENTER CFI_STARTPROC
20400 #define EXIT ret ; \
20401 CFI_ENDPROC
20402
20403 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20404 +#define _DEST %_ASM_CX,%_ASM_BX
20405 +#else
20406 +#define _DEST %_ASM_CX
20407 +#endif
20408 +
20409 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20410 +#define __copyuser_seg gs;
20411 +#else
20412 +#define __copyuser_seg
20413 +#endif
20414 +
20415 .text
20416 ENTRY(__put_user_1)
20417 ENTER
20418 +
20419 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20420 + GET_THREAD_INFO(%_ASM_BX)
20421 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20422 jae bad_put_user
20423 -1: movb %al,(%_ASM_CX)
20424 +
20425 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20426 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20427 + cmp %_ASM_BX,%_ASM_CX
20428 + jb 1234f
20429 + xor %ebx,%ebx
20430 +1234:
20431 +#endif
20432 +
20433 +#endif
20434 +
20435 +1: __copyuser_seg movb %al,(_DEST)
20436 xor %eax,%eax
20437 EXIT
20438 ENDPROC(__put_user_1)
20439
20440 ENTRY(__put_user_2)
20441 ENTER
20442 +
20443 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20444 + GET_THREAD_INFO(%_ASM_BX)
20445 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20446 sub $1,%_ASM_BX
20447 cmp %_ASM_BX,%_ASM_CX
20448 jae bad_put_user
20449 -2: movw %ax,(%_ASM_CX)
20450 +
20451 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20452 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20453 + cmp %_ASM_BX,%_ASM_CX
20454 + jb 1234f
20455 + xor %ebx,%ebx
20456 +1234:
20457 +#endif
20458 +
20459 +#endif
20460 +
20461 +2: __copyuser_seg movw %ax,(_DEST)
20462 xor %eax,%eax
20463 EXIT
20464 ENDPROC(__put_user_2)
20465
20466 ENTRY(__put_user_4)
20467 ENTER
20468 +
20469 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20470 + GET_THREAD_INFO(%_ASM_BX)
20471 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20472 sub $3,%_ASM_BX
20473 cmp %_ASM_BX,%_ASM_CX
20474 jae bad_put_user
20475 -3: movl %eax,(%_ASM_CX)
20476 +
20477 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20478 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20479 + cmp %_ASM_BX,%_ASM_CX
20480 + jb 1234f
20481 + xor %ebx,%ebx
20482 +1234:
20483 +#endif
20484 +
20485 +#endif
20486 +
20487 +3: __copyuser_seg movl %eax,(_DEST)
20488 xor %eax,%eax
20489 EXIT
20490 ENDPROC(__put_user_4)
20491
20492 ENTRY(__put_user_8)
20493 ENTER
20494 +
20495 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20496 + GET_THREAD_INFO(%_ASM_BX)
20497 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20498 sub $7,%_ASM_BX
20499 cmp %_ASM_BX,%_ASM_CX
20500 jae bad_put_user
20501 -4: mov %_ASM_AX,(%_ASM_CX)
20502 +
20503 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20504 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20505 + cmp %_ASM_BX,%_ASM_CX
20506 + jb 1234f
20507 + xor %ebx,%ebx
20508 +1234:
20509 +#endif
20510 +
20511 +#endif
20512 +
20513 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20514 #ifdef CONFIG_X86_32
20515 -5: movl %edx,4(%_ASM_CX)
20516 +5: __copyuser_seg movl %edx,4(_DEST)
20517 #endif
20518 xor %eax,%eax
20519 EXIT
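Review bot: `_DEST` silently depends on what the block before each store leaves in `%_ASM_BX`: on 64-bit UDEREF it expands to `%_ASM_CX,%_ASM_BX`, where BX is `PAX_USER_SHADOW_BASE` when the pointer is below the base and zero (after `xor %ebx,%ebx`) otherwise. That contract is not written down; a comment above the define, such as `/* 64-bit UDEREF: BX = shadow base for a plain user pointer, 0 for an already-rebased one */`, would make it reviewable. The check-and-select block is repeated in all four entry points, so an assembler `.macro` would keep them in step. As in getuser.S, the 32-bit UDEREF build drops the `TI_addr_limit` test and leans on the `gs` override alone, which also deserves a comment.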
20520 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_32.c linux-2.6.39.3/arch/x86/lib/usercopy_32.c
20521 --- linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-19 00:06:34.000000000 -0400
20522 +++ linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-22 19:36:30.000000000 -0400
20523 @@ -43,7 +43,7 @@ do { \
20524 __asm__ __volatile__( \
20525 " testl %1,%1\n" \
20526 " jz 2f\n" \
20527 - "0: lodsb\n" \
20528 + "0: "__copyuser_seg"lodsb\n" \
20529 " stosb\n" \
20530 " testb %%al,%%al\n" \
20531 " jz 1f\n" \
20532 @@ -128,10 +128,12 @@ do { \
20533 int __d0; \
20534 might_fault(); \
20535 __asm__ __volatile__( \
20536 + __COPYUSER_SET_ES \
20537 "0: rep; stosl\n" \
20538 " movl %2,%0\n" \
20539 "1: rep; stosb\n" \
20540 "2:\n" \
20541 + __COPYUSER_RESTORE_ES \
20542 ".section .fixup,\"ax\"\n" \
20543 "3: lea 0(%2,%0,4),%0\n" \
20544 " jmp 2b\n" \
20545 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20546 might_fault();
20547
20548 __asm__ __volatile__(
20549 + __COPYUSER_SET_ES
20550 " testl %0, %0\n"
20551 " jz 3f\n"
20552 " andl %0,%%ecx\n"
20553 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20554 " subl %%ecx,%0\n"
20555 " addl %0,%%eax\n"
20556 "1:\n"
20557 + __COPYUSER_RESTORE_ES
20558 ".section .fixup,\"ax\"\n"
20559 "2: xorl %%eax,%%eax\n"
20560 " jmp 1b\n"
20561 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20562
20563 #ifdef CONFIG_X86_INTEL_USERCOPY
20564 static unsigned long
20565 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20566 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20567 {
20568 int d0, d1;
20569 __asm__ __volatile__(
20570 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20571 " .align 2,0x90\n"
20572 "3: movl 0(%4), %%eax\n"
20573 "4: movl 4(%4), %%edx\n"
20574 - "5: movl %%eax, 0(%3)\n"
20575 - "6: movl %%edx, 4(%3)\n"
20576 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20577 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20578 "7: movl 8(%4), %%eax\n"
20579 "8: movl 12(%4),%%edx\n"
20580 - "9: movl %%eax, 8(%3)\n"
20581 - "10: movl %%edx, 12(%3)\n"
20582 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20583 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20584 "11: movl 16(%4), %%eax\n"
20585 "12: movl 20(%4), %%edx\n"
20586 - "13: movl %%eax, 16(%3)\n"
20587 - "14: movl %%edx, 20(%3)\n"
20588 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20589 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20590 "15: movl 24(%4), %%eax\n"
20591 "16: movl 28(%4), %%edx\n"
20592 - "17: movl %%eax, 24(%3)\n"
20593 - "18: movl %%edx, 28(%3)\n"
20594 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20595 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20596 "19: movl 32(%4), %%eax\n"
20597 "20: movl 36(%4), %%edx\n"
20598 - "21: movl %%eax, 32(%3)\n"
20599 - "22: movl %%edx, 36(%3)\n"
20600 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20601 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20602 "23: movl 40(%4), %%eax\n"
20603 "24: movl 44(%4), %%edx\n"
20604 - "25: movl %%eax, 40(%3)\n"
20605 - "26: movl %%edx, 44(%3)\n"
20606 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20607 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20608 "27: movl 48(%4), %%eax\n"
20609 "28: movl 52(%4), %%edx\n"
20610 - "29: movl %%eax, 48(%3)\n"
20611 - "30: movl %%edx, 52(%3)\n"
20612 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20613 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20614 "31: movl 56(%4), %%eax\n"
20615 "32: movl 60(%4), %%edx\n"
20616 - "33: movl %%eax, 56(%3)\n"
20617 - "34: movl %%edx, 60(%3)\n"
20618 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20619 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20620 " addl $-64, %0\n"
20621 " addl $64, %4\n"
20622 " addl $64, %3\n"
20623 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20624 " shrl $2, %0\n"
20625 " andl $3, %%eax\n"
20626 " cld\n"
20627 + __COPYUSER_SET_ES
20628 "99: rep; movsl\n"
20629 "36: movl %%eax, %0\n"
20630 "37: rep; movsb\n"
20631 "100:\n"
20632 + __COPYUSER_RESTORE_ES
20633 + ".section .fixup,\"ax\"\n"
20634 + "101: lea 0(%%eax,%0,4),%0\n"
20635 + " jmp 100b\n"
20636 + ".previous\n"
20637 + ".section __ex_table,\"a\"\n"
20638 + " .align 4\n"
20639 + " .long 1b,100b\n"
20640 + " .long 2b,100b\n"
20641 + " .long 3b,100b\n"
20642 + " .long 4b,100b\n"
20643 + " .long 5b,100b\n"
20644 + " .long 6b,100b\n"
20645 + " .long 7b,100b\n"
20646 + " .long 8b,100b\n"
20647 + " .long 9b,100b\n"
20648 + " .long 10b,100b\n"
20649 + " .long 11b,100b\n"
20650 + " .long 12b,100b\n"
20651 + " .long 13b,100b\n"
20652 + " .long 14b,100b\n"
20653 + " .long 15b,100b\n"
20654 + " .long 16b,100b\n"
20655 + " .long 17b,100b\n"
20656 + " .long 18b,100b\n"
20657 + " .long 19b,100b\n"
20658 + " .long 20b,100b\n"
20659 + " .long 21b,100b\n"
20660 + " .long 22b,100b\n"
20661 + " .long 23b,100b\n"
20662 + " .long 24b,100b\n"
20663 + " .long 25b,100b\n"
20664 + " .long 26b,100b\n"
20665 + " .long 27b,100b\n"
20666 + " .long 28b,100b\n"
20667 + " .long 29b,100b\n"
20668 + " .long 30b,100b\n"
20669 + " .long 31b,100b\n"
20670 + " .long 32b,100b\n"
20671 + " .long 33b,100b\n"
20672 + " .long 34b,100b\n"
20673 + " .long 35b,100b\n"
20674 + " .long 36b,100b\n"
20675 + " .long 37b,100b\n"
20676 + " .long 99b,101b\n"
20677 + ".previous"
20678 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20679 + : "1"(to), "2"(from), "0"(size)
20680 + : "eax", "edx", "memory");
20681 + return size;
20682 +}
20683 +
20684 +static unsigned long
20685 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20686 +{
20687 + int d0, d1;
20688 + __asm__ __volatile__(
20689 + " .align 2,0x90\n"
20690 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20691 + " cmpl $67, %0\n"
20692 + " jbe 3f\n"
20693 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20694 + " .align 2,0x90\n"
20695 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20696 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20697 + "5: movl %%eax, 0(%3)\n"
20698 + "6: movl %%edx, 4(%3)\n"
20699 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20700 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20701 + "9: movl %%eax, 8(%3)\n"
20702 + "10: movl %%edx, 12(%3)\n"
20703 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20704 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20705 + "13: movl %%eax, 16(%3)\n"
20706 + "14: movl %%edx, 20(%3)\n"
20707 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20708 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20709 + "17: movl %%eax, 24(%3)\n"
20710 + "18: movl %%edx, 28(%3)\n"
20711 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20712 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20713 + "21: movl %%eax, 32(%3)\n"
20714 + "22: movl %%edx, 36(%3)\n"
20715 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20716 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20717 + "25: movl %%eax, 40(%3)\n"
20718 + "26: movl %%edx, 44(%3)\n"
20719 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20720 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20721 + "29: movl %%eax, 48(%3)\n"
20722 + "30: movl %%edx, 52(%3)\n"
20723 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20724 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20725 + "33: movl %%eax, 56(%3)\n"
20726 + "34: movl %%edx, 60(%3)\n"
20727 + " addl $-64, %0\n"
20728 + " addl $64, %4\n"
20729 + " addl $64, %3\n"
20730 + " cmpl $63, %0\n"
20731 + " ja 1b\n"
20732 + "35: movl %0, %%eax\n"
20733 + " shrl $2, %0\n"
20734 + " andl $3, %%eax\n"
20735 + " cld\n"
20736 + "99: rep; "__copyuser_seg" movsl\n"
20737 + "36: movl %%eax, %0\n"
20738 + "37: rep; "__copyuser_seg" movsb\n"
20739 + "100:\n"
20740 ".section .fixup,\"ax\"\n"
20741 "101: lea 0(%%eax,%0,4),%0\n"
20742 " jmp 100b\n"
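Review bot: In `__generic_copy_to_user_intel`, the exception-table entries for labels 1 through 37 all land on `100b`, so `__COPYUSER_RESTORE_ES` runs even when the fault happened before `__COPYUSER_SET_ES` (placed just ahead of label 99) was reached. Neither macro is defined in this hunk; if the restore depends on state saved by the set rather than unconditionally reloading `%es`, that path is unbalanced. This should be confirmed and recorded next to label 100, e.g. `/* RESTORE_ES is safe without a prior SET_ES */`. Separately, the added `__generic_copy_from_user_intel` is a near line-for-line copy of the to-user routine that differs only in which side carries `__copyuser_seg`, so a later fix to one is easy to miss in the other. The new function's tail continues past the end of this hunk.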
20743 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20744 int d0, d1;
20745 __asm__ __volatile__(
20746 " .align 2,0x90\n"
20747 - "0: movl 32(%4), %%eax\n"
20748 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20749 " cmpl $67, %0\n"
20750 " jbe 2f\n"
20751 - "1: movl 64(%4), %%eax\n"
20752 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20753 " .align 2,0x90\n"
20754 - "2: movl 0(%4), %%eax\n"
20755 - "21: movl 4(%4), %%edx\n"
20756 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20757 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20758 " movl %%eax, 0(%3)\n"
20759 " movl %%edx, 4(%3)\n"
20760 - "3: movl 8(%4), %%eax\n"
20761 - "31: movl 12(%4),%%edx\n"
20762 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20763 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20764 " movl %%eax, 8(%3)\n"
20765 " movl %%edx, 12(%3)\n"
20766 - "4: movl 16(%4), %%eax\n"
20767 - "41: movl 20(%4), %%edx\n"
20768 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20769 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20770 " movl %%eax, 16(%3)\n"
20771 " movl %%edx, 20(%3)\n"
20772 - "10: movl 24(%4), %%eax\n"
20773 - "51: movl 28(%4), %%edx\n"
20774 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20775 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20776 " movl %%eax, 24(%3)\n"
20777 " movl %%edx, 28(%3)\n"
20778 - "11: movl 32(%4), %%eax\n"
20779 - "61: movl 36(%4), %%edx\n"
20780 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20781 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20782 " movl %%eax, 32(%3)\n"
20783 " movl %%edx, 36(%3)\n"
20784 - "12: movl 40(%4), %%eax\n"
20785 - "71: movl 44(%4), %%edx\n"
20786 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20787 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20788 " movl %%eax, 40(%3)\n"
20789 " movl %%edx, 44(%3)\n"
20790 - "13: movl 48(%4), %%eax\n"
20791 - "81: movl 52(%4), %%edx\n"
20792 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20793 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20794 " movl %%eax, 48(%3)\n"
20795 " movl %%edx, 52(%3)\n"
20796 - "14: movl 56(%4), %%eax\n"
20797 - "91: movl 60(%4), %%edx\n"
20798 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20799 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20800 " movl %%eax, 56(%3)\n"
20801 " movl %%edx, 60(%3)\n"
20802 " addl $-64, %0\n"
20803 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20804 " shrl $2, %0\n"
20805 " andl $3, %%eax\n"
20806 " cld\n"
20807 - "6: rep; movsl\n"
20808 + "6: rep; "__copyuser_seg" movsl\n"
20809 " movl %%eax,%0\n"
20810 - "7: rep; movsb\n"
20811 + "7: rep; "__copyuser_seg" movsb\n"
20812 "8:\n"
20813 ".section .fixup,\"ax\"\n"
20814 "9: lea 0(%%eax,%0,4),%0\n"
20815 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20816
20817 __asm__ __volatile__(
20818 " .align 2,0x90\n"
20819 - "0: movl 32(%4), %%eax\n"
20820 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20821 " cmpl $67, %0\n"
20822 " jbe 2f\n"
20823 - "1: movl 64(%4), %%eax\n"
20824 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20825 " .align 2,0x90\n"
20826 - "2: movl 0(%4), %%eax\n"
20827 - "21: movl 4(%4), %%edx\n"
20828 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20829 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20830 " movnti %%eax, 0(%3)\n"
20831 " movnti %%edx, 4(%3)\n"
20832 - "3: movl 8(%4), %%eax\n"
20833 - "31: movl 12(%4),%%edx\n"
20834 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20835 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20836 " movnti %%eax, 8(%3)\n"
20837 " movnti %%edx, 12(%3)\n"
20838 - "4: movl 16(%4), %%eax\n"
20839 - "41: movl 20(%4), %%edx\n"
20840 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20841 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20842 " movnti %%eax, 16(%3)\n"
20843 " movnti %%edx, 20(%3)\n"
20844 - "10: movl 24(%4), %%eax\n"
20845 - "51: movl 28(%4), %%edx\n"
20846 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20847 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20848 " movnti %%eax, 24(%3)\n"
20849 " movnti %%edx, 28(%3)\n"
20850 - "11: movl 32(%4), %%eax\n"
20851 - "61: movl 36(%4), %%edx\n"
20852 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20853 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20854 " movnti %%eax, 32(%3)\n"
20855 " movnti %%edx, 36(%3)\n"
20856 - "12: movl 40(%4), %%eax\n"
20857 - "71: movl 44(%4), %%edx\n"
20858 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20859 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20860 " movnti %%eax, 40(%3)\n"
20861 " movnti %%edx, 44(%3)\n"
20862 - "13: movl 48(%4), %%eax\n"
20863 - "81: movl 52(%4), %%edx\n"
20864 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20865 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20866 " movnti %%eax, 48(%3)\n"
20867 " movnti %%edx, 52(%3)\n"
20868 - "14: movl 56(%4), %%eax\n"
20869 - "91: movl 60(%4), %%edx\n"
20870 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20871 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20872 " movnti %%eax, 56(%3)\n"
20873 " movnti %%edx, 60(%3)\n"
20874 " addl $-64, %0\n"
20875 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20876 " shrl $2, %0\n"
20877 " andl $3, %%eax\n"
20878 " cld\n"
20879 - "6: rep; movsl\n"
20880 + "6: rep; "__copyuser_seg" movsl\n"
20881 " movl %%eax,%0\n"
20882 - "7: rep; movsb\n"
20883 + "7: rep; "__copyuser_seg" movsb\n"
20884 "8:\n"
20885 ".section .fixup,\"ax\"\n"
20886 "9: lea 0(%%eax,%0,4),%0\n"
20887 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20888
20889 __asm__ __volatile__(
20890 " .align 2,0x90\n"
20891 - "0: movl 32(%4), %%eax\n"
20892 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20893 " cmpl $67, %0\n"
20894 " jbe 2f\n"
20895 - "1: movl 64(%4), %%eax\n"
20896 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20897 " .align 2,0x90\n"
20898 - "2: movl 0(%4), %%eax\n"
20899 - "21: movl 4(%4), %%edx\n"
20900 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20901 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20902 " movnti %%eax, 0(%3)\n"
20903 " movnti %%edx, 4(%3)\n"
20904 - "3: movl 8(%4), %%eax\n"
20905 - "31: movl 12(%4),%%edx\n"
20906 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20907 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20908 " movnti %%eax, 8(%3)\n"
20909 " movnti %%edx, 12(%3)\n"
20910 - "4: movl 16(%4), %%eax\n"
20911 - "41: movl 20(%4), %%edx\n"
20912 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20913 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20914 " movnti %%eax, 16(%3)\n"
20915 " movnti %%edx, 20(%3)\n"
20916 - "10: movl 24(%4), %%eax\n"
20917 - "51: movl 28(%4), %%edx\n"
20918 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20919 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20920 " movnti %%eax, 24(%3)\n"
20921 " movnti %%edx, 28(%3)\n"
20922 - "11: movl 32(%4), %%eax\n"
20923 - "61: movl 36(%4), %%edx\n"
20924 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20925 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20926 " movnti %%eax, 32(%3)\n"
20927 " movnti %%edx, 36(%3)\n"
20928 - "12: movl 40(%4), %%eax\n"
20929 - "71: movl 44(%4), %%edx\n"
20930 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20931 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20932 " movnti %%eax, 40(%3)\n"
20933 " movnti %%edx, 44(%3)\n"
20934 - "13: movl 48(%4), %%eax\n"
20935 - "81: movl 52(%4), %%edx\n"
20936 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20937 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20938 " movnti %%eax, 48(%3)\n"
20939 " movnti %%edx, 52(%3)\n"
20940 - "14: movl 56(%4), %%eax\n"
20941 - "91: movl 60(%4), %%edx\n"
20942 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20943 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20944 " movnti %%eax, 56(%3)\n"
20945 " movnti %%edx, 60(%3)\n"
20946 " addl $-64, %0\n"
20947 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20948 " shrl $2, %0\n"
20949 " andl $3, %%eax\n"
20950 " cld\n"
20951 - "6: rep; movsl\n"
20952 + "6: rep; "__copyuser_seg" movsl\n"
20953 " movl %%eax,%0\n"
20954 - "7: rep; movsb\n"
20955 + "7: rep; "__copyuser_seg" movsb\n"
20956 "8:\n"
20957 ".section .fixup,\"ax\"\n"
20958 "9: lea 0(%%eax,%0,4),%0\n"
20959 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20960 */
20961 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20962 unsigned long size);
20963 -unsigned long __copy_user_intel(void __user *to, const void *from,
20964 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20965 + unsigned long size);
20966 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20967 unsigned long size);
20968 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20969 const void __user *from, unsigned long size);
20970 #endif /* CONFIG_X86_INTEL_USERCOPY */
20971
20972 /* Generic arbitrary sized copy. */
20973 -#define __copy_user(to, from, size) \
20974 +#define __copy_user(to, from, size, prefix, set, restore) \
20975 do { \
20976 int __d0, __d1, __d2; \
20977 __asm__ __volatile__( \
20978 + set \
20979 " cmp $7,%0\n" \
20980 " jbe 1f\n" \
20981 " movl %1,%0\n" \
20982 " negl %0\n" \
20983 " andl $7,%0\n" \
20984 " subl %0,%3\n" \
20985 - "4: rep; movsb\n" \
20986 + "4: rep; "prefix"movsb\n" \
20987 " movl %3,%0\n" \
20988 " shrl $2,%0\n" \
20989 " andl $3,%3\n" \
20990 " .align 2,0x90\n" \
20991 - "0: rep; movsl\n" \
20992 + "0: rep; "prefix"movsl\n" \
20993 " movl %3,%0\n" \
20994 - "1: rep; movsb\n" \
20995 + "1: rep; "prefix"movsb\n" \
20996 "2:\n" \
20997 + restore \
20998 ".section .fixup,\"ax\"\n" \
20999 "5: addl %3,%0\n" \
21000 " jmp 2b\n" \
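Review bot: The three new `__copy_user` parameters `prefix`, `set` and `restore` are undocumented, although each must be a string literal because it is pasted directly into the asm template. The one-line comment above the macro could become `/* Generic arbitrary sized copy; prefix, set and restore are asm string fragments: prefix goes in front of each movs, set is emitted before the copy and restore after it. */`. It is also worth stating that `restore` sits after label `2:`, which the fixup code at `5:` jumps back to, so the restore sequence runs on the fault path as well; moving it above `2:` would skip it after a fault. The macro body continues past the end of this hunk.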
21001 @@ -682,14 +799,14 @@ do { \
21002 " negl %0\n" \
21003 " andl $7,%0\n" \
21004 " subl %0,%3\n" \
21005 - "4: rep; movsb\n" \
21006 + "4: rep; "__copyuser_seg"movsb\n" \
21007 " movl %3,%0\n" \
21008 " shrl $2,%0\n" \
21009 " andl $3,%3\n" \
21010 " .align 2,0x90\n" \
21011 - "0: rep; movsl\n" \
21012 + "0: rep; "__copyuser_seg"movsl\n" \
21013 " movl %3,%0\n" \
21014 - "1: rep; movsb\n" \
21015 + "1: rep; "__copyuser_seg"movsb\n" \
21016 "2:\n" \
21017 ".section .fixup,\"ax\"\n" \
21018 "5: addl %3,%0\n" \
21019 @@ -775,9 +892,9 @@ survive:
21020 }
21021 #endif
21022 if (movsl_is_ok(to, from, n))
21023 - __copy_user(to, from, n);
21024 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
21025 else
21026 - n = __copy_user_intel(to, from, n);
21027 + n = __generic_copy_to_user_intel(to, from, n);
21028 return n;
21029 }
21030 EXPORT_SYMBOL(__copy_to_user_ll);
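Review bot: The call in `__copy_to_user_ll` passes an empty prefix plus the `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES` pair, while the from-user callers in the following hunks pass `__copyuser_seg` and empty set/restore strings, and nothing explains the asymmetry. A comment at this call would help, for example `/* movs always writes through %es and ignores segment-override prefixes on the destination, so the user segment is loaded into %es instead */`. That wording assumes this is what the two macros do, since their definitions are not in this hunk. The function starts outside the hunk.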
21031 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
21032 unsigned long n)
21033 {
21034 if (movsl_is_ok(to, from, n))
21035 - __copy_user(to, from, n);
21036 + __copy_user(to, from, n, __copyuser_seg, "", "");
21037 else
21038 - n = __copy_user_intel((void __user *)to,
21039 - (const void *)from, n);
21040 + n = __generic_copy_from_user_intel(to, from, n);
21041 return n;
21042 }
21043 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
21044 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
21045 if (n > 64 && cpu_has_xmm2)
21046 n = __copy_user_intel_nocache(to, from, n);
21047 else
21048 - __copy_user(to, from, n);
21049 + __copy_user(to, from, n, __copyuser_seg, "", "");
21050 #else
21051 - __copy_user(to, from, n);
21052 + __copy_user(to, from, n, __copyuser_seg, "", "");
21053 #endif
21054 return n;
21055 }
21056 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
21057
21058 -/**
21059 - * copy_to_user: - Copy a block of data into user space.
21060 - * @to: Destination address, in user space.
21061 - * @from: Source address, in kernel space.
21062 - * @n: Number of bytes to copy.
21063 - *
21064 - * Context: User context only. This function may sleep.
21065 - *
21066 - * Copy data from kernel space to user space.
21067 - *
21068 - * Returns number of bytes that could not be copied.
21069 - * On success, this will be zero.
21070 - */
21071 -unsigned long
21072 -copy_to_user(void __user *to, const void *from, unsigned long n)
21073 +void copy_from_user_overflow(void)
21074 {
21075 - if (access_ok(VERIFY_WRITE, to, n))
21076 - n = __copy_to_user(to, from, n);
21077 - return n;
21078 + WARN(1, "Buffer overflow detected!\n");
21079 }
21080 -EXPORT_SYMBOL(copy_to_user);
21081 +EXPORT_SYMBOL(copy_from_user_overflow);
21082
21083 -/**
21084 - * copy_from_user: - Copy a block of data from user space.
21085 - * @to: Destination address, in kernel space.
21086 - * @from: Source address, in user space.
21087 - * @n: Number of bytes to copy.
21088 - *
21089 - * Context: User context only. This function may sleep.
21090 - *
21091 - * Copy data from user space to kernel space.
21092 - *
21093 - * Returns number of bytes that could not be copied.
21094 - * On success, this will be zero.
21095 - *
21096 - * If some data could not be copied, this function will pad the copied
21097 - * data to the requested size using zero bytes.
21098 - */
21099 -unsigned long
21100 -_copy_from_user(void *to, const void __user *from, unsigned long n)
21101 +void copy_to_user_overflow(void)
21102 {
21103 - if (access_ok(VERIFY_READ, from, n))
21104 - n = __copy_from_user(to, from, n);
21105 - else
21106 - memset(to, 0, n);
21107 - return n;
21108 + WARN(1, "Buffer overflow detected!\n");
21109 }
21110 -EXPORT_SYMBOL(_copy_from_user);
21111 +EXPORT_SYMBOL(copy_to_user_overflow);
21112
21113 -void copy_from_user_overflow(void)
21114 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21115 +void __set_fs(mm_segment_t x)
21116 {
21117 - WARN(1, "Buffer overflow detected!\n");
21118 + switch (x.seg) {
21119 + case 0:
21120 + loadsegment(gs, 0);
21121 + break;
21122 + case TASK_SIZE_MAX:
21123 + loadsegment(gs, __USER_DS);
21124 + break;
21125 + case -1UL:
21126 + loadsegment(gs, __KERNEL_DS);
21127 + break;
21128 + default:
21129 + BUG();
21130 + }
21131 + return;
21132 }
21133 -EXPORT_SYMBOL(copy_from_user_overflow);
21134 +EXPORT_SYMBOL(__set_fs);
21135 +
21136 +void set_fs(mm_segment_t x)
21137 +{
21138 + current_thread_info()->addr_limit = x;
21139 + __set_fs(x);
21140 +}
21141 +EXPORT_SYMBOL(set_fs);
21142 +#endif
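Review bot: `__set_fs()` accepts exactly three `x.seg` values and hits `BUG()` on anything else, but nothing in the added code states that contract or why each value maps to its selector. A comment above it such as `/* x.seg 0 -> null %gs, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; any other limit is a BUG() */` would make it visible to callers of `set_fs()`, which now always reaches this switch; the trailing `return;` is redundant in a void function. The same hunk deletes the out-of-line `copy_to_user()` and `_copy_from_user()`; their replacements are not in this hunk, so it is worth confirming that the new definitions keep the `access_ok()` check and the `memset(to, 0, n)` on failure, since dropping the zero-fill would leave the kernel destination buffer uninitialised.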
21143 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_64.c linux-2.6.39.3/arch/x86/lib/usercopy_64.c
21144 --- linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
21145 +++ linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
21146 @@ -42,6 +42,12 @@ long
21147 __strncpy_from_user(char *dst, const char __user *src, long count)
21148 {
21149 long res;
21150 +
21151 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21152 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
21153 + src += PAX_USER_SHADOW_BASE;
21154 +#endif
21155 +
21156 __do_strncpy_from_user(dst, src, count, res);
21157 return res;
21158 }
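Review bot: The same rebase, `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;`, is open-coded here in `__strncpy_from_user` and again in the `__clear_user` and `copy_in_user` hunks below (twice in the latter), with no comment on what the shadow base is. A single static inline helper or macro used at all four sites would keep the test and the offset from drifting apart. One comment on it would then cover them all, such as `/* UDEREF: the kernel reaches userland through the mapping at PAX_USER_SHADOW_BASE; rebase plain user addresses */`; that wording is inferred from the `do_page_fault` change later in this patch and should be confirmed. Only the start address is tested, so the comment should also say where the length is validated, which for the double-underscore functions is outside these hunks.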
21159 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
21160 {
21161 long __d0;
21162 might_fault();
21163 +
21164 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21165 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
21166 + addr += PAX_USER_SHADOW_BASE;
21167 +#endif
21168 +
21169 /* no memory constraint because it doesn't change any memory gcc knows
21170 about */
21171 asm volatile(
21172 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
21173
21174 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
21175 {
21176 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21177 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21178 +
21179 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21180 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
21181 + to += PAX_USER_SHADOW_BASE;
21182 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
21183 + from += PAX_USER_SHADOW_BASE;
21184 +#endif
21185 +
21186 return copy_user_generic((__force void *)to, (__force void *)from, len);
21187 - }
21188 - return len;
21189 + }
21190 + return len;
21191 }
21192 EXPORT_SYMBOL(copy_in_user);
21193
21194 diff -urNp linux-2.6.39.3/arch/x86/Makefile linux-2.6.39.3/arch/x86/Makefile
21195 --- linux-2.6.39.3/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400
21196 +++ linux-2.6.39.3/arch/x86/Makefile 2011-05-22 19:36:30.000000000 -0400
21197 @@ -195,3 +195,12 @@ define archhelp
21198 echo ' FDARGS="..." arguments for the booted kernel'
21199 echo ' FDINITRD=file initrd for the booted kernel'
21200 endef
21201 +
21202 +define OLD_LD
21203 +
21204 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
21205 +*** Please upgrade your binutils to 2.18 or newer
21206 +endef
21207 +
21208 +archprepare:
21209 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
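Review bot: The error text tells the user to upgrade to binutils 2.18, but the `archprepare` condition only tests whether `LDFLAGS_BUILD_ID` is empty, and the link between the two is not stated. A comment above the rule would make the proxy explicit, for example `# LDFLAGS_BUILD_ID is empty when the linker does not accept --build-id; used here to detect binutils older than 2.18`. Where that variable is set is outside this hunk, so the wording should be checked against it.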
21210 diff -urNp linux-2.6.39.3/arch/x86/mm/extable.c linux-2.6.39.3/arch/x86/mm/extable.c
21211 --- linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-19 00:06:34.000000000 -0400
21212 +++ linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-22 19:36:30.000000000 -0400
21213 @@ -1,14 +1,71 @@
21214 #include <linux/module.h>
21215 #include <linux/spinlock.h>
21216 +#include <linux/sort.h>
21217 #include <asm/uaccess.h>
21218 +#include <asm/pgtable.h>
21219
21220 +/*
21221 + * The exception table needs to be sorted so that the binary
21222 + * search that we use to find entries in it works properly.
21223 + * This is used both for the kernel exception table and for
21224 + * the exception tables of modules that get loaded.
21225 + */
21226 +static int cmp_ex(const void *a, const void *b)
21227 +{
21228 + const struct exception_table_entry *x = a, *y = b;
21229 +
21230 + /* avoid overflow */
21231 + if (x->insn > y->insn)
21232 + return 1;
21233 + if (x->insn < y->insn)
21234 + return -1;
21235 + return 0;
21236 +}
21237 +
21238 +static void swap_ex(void *a, void *b, int size)
21239 +{
21240 + struct exception_table_entry t, *x = a, *y = b;
21241 +
21242 + t = *x;
21243 +
21244 + pax_open_kernel();
21245 + *x = *y;
21246 + *y = t;
21247 + pax_close_kernel();
21248 +}
21249 +
21250 +void sort_extable(struct exception_table_entry *start,
21251 + struct exception_table_entry *finish)
21252 +{
21253 + sort(start, finish - start, sizeof(struct exception_table_entry),
21254 + cmp_ex, swap_ex);
21255 +}
21256 +
21257 +#ifdef CONFIG_MODULES
21258 +/*
21259 + * If the exception table is sorted, any referring to the module init
21260 + * will be at the beginning or the end.
21261 + */
21262 +void trim_init_extable(struct module *m)
21263 +{
21264 + /*trim the beginning*/
21265 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
21266 + m->extable++;
21267 + m->num_exentries--;
21268 + }
21269 + /*trim the end*/
21270 + while (m->num_exentries &&
21271 + within_module_init(m->extable[m->num_exentries-1].insn, m))
21272 + m->num_exentries--;
21273 +}
21274 +#endif /* CONFIG_MODULES */
21275
21276 int fixup_exception(struct pt_regs *regs)
21277 {
21278 const struct exception_table_entry *fixup;
21279
21280 #ifdef CONFIG_PNPBIOS
21281 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
21282 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
21283 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
21284 extern u32 pnp_bios_is_utter_crap;
21285 pnp_bios_is_utter_crap = 1;
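Review bot: `swap_ex()` brackets its two stores with `pax_open_kernel()`/`pax_close_kernel()` without saying why, and it silently ignores its `size` argument. A comment such as `/* the exception table may be mapped read-only; lift write protection only for the two stores */` would document the intent (hedged, since the mapping is not visible here). A second line should note that `size` is unused because `sort_extable()` always passes `sizeof(struct exception_table_entry)`. The `!v8086_mode(regs)` test added in `fixup_exception()` also deserves a line, e.g. `/* in vm86 mode regs->cs is a real-mode segment value, not a selector */`; that function continues outside the hunk.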
21286 diff -urNp linux-2.6.39.3/arch/x86/mm/fault.c linux-2.6.39.3/arch/x86/mm/fault.c
21287 --- linux-2.6.39.3/arch/x86/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
21288 +++ linux-2.6.39.3/arch/x86/mm/fault.c 2011-06-06 17:34:04.000000000 -0400
21289 @@ -12,10 +12,18 @@
21290 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
21291 #include <linux/perf_event.h> /* perf_sw_event */
21292 #include <linux/hugetlb.h> /* hstate_index_to_shift */
21293 +#include <linux/unistd.h>
21294 +#include <linux/compiler.h>
21295
21296 #include <asm/traps.h> /* dotraplinkage, ... */
21297 #include <asm/pgalloc.h> /* pgd_*(), ... */
21298 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
21299 +#include <asm/vsyscall.h>
21300 +#include <asm/tlbflush.h>
21301 +
21302 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21303 +#include <asm/stacktrace.h>
21304 +#endif
21305
21306 /*
21307 * Page fault error code bits:
21308 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
21309 int ret = 0;
21310
21311 /* kprobe_running() needs smp_processor_id() */
21312 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21313 + if (kprobes_built_in() && !user_mode(regs)) {
21314 preempt_disable();
21315 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21316 ret = 1;
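Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` here, and again in the `do_page_fault` hunk at `@@ -1032,7 +1282,7 @@`, is only equivalent if `user_mode()` is redefined elsewhere in the patch to cover vm86 mode. With the stock definition, which looks only at the privilege level in `regs->cs`, a fault taken in vm86 mode would be classified as a kernel fault at both sites. The definition is not in these hunks, so this should be confirmed. A short comment at one of the sites, such as `/* user_mode() includes vm86 here */`, would save the next reader the lookup. Both functions start outside their hunks.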
21317 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
21318 return !instr_lo || (instr_lo>>1) == 1;
21319 case 0x00:
21320 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21321 - if (probe_kernel_address(instr, opcode))
21322 + if (user_mode(regs)) {
21323 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21324 + return 0;
21325 + } else if (probe_kernel_address(instr, opcode))
21326 return 0;
21327
21328 *prefetch = (instr_lo == 0xF) &&
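Review bot: The user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which performs no `access_ok()` range check of its own, and no check on `instr` is visible in this hunk or in the matching change in `is_prefetch` (`@@ -148,7 +159,10 @@`). If the bound is enforced before these reads, say so at the call, for example `/* instr was range-checked against TASK_SIZE by is_prefetch() */`; if it is not, the read needs a checked variant. Both functions start outside their hunks, so the existing validation could not be verified from here.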
21329 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
21330 while (instr < max_instr) {
21331 unsigned char opcode;
21332
21333 - if (probe_kernel_address(instr, opcode))
21334 + if (user_mode(regs)) {
21335 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21336 + break;
21337 + } else if (probe_kernel_address(instr, opcode))
21338 break;
21339
21340 instr++;
21341 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
21342 force_sig_info(si_signo, &info, tsk);
21343 }
21344
21345 +#ifdef CONFIG_PAX_EMUTRAMP
21346 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21347 +#endif
21348 +
21349 +#ifdef CONFIG_PAX_PAGEEXEC
21350 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21351 +{
21352 + pgd_t *pgd;
21353 + pud_t *pud;
21354 + pmd_t *pmd;
21355 +
21356 + pgd = pgd_offset(mm, address);
21357 + if (!pgd_present(*pgd))
21358 + return NULL;
21359 + pud = pud_offset(pgd, address);
21360 + if (!pud_present(*pud))
21361 + return NULL;
21362 + pmd = pmd_offset(pud, address);
21363 + if (!pmd_present(*pmd))
21364 + return NULL;
21365 + return pmd;
21366 +}
21367 +#endif
21368 +
21369 DEFINE_SPINLOCK(pgd_lock);
21370 LIST_HEAD(pgd_list);
21371
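Review bot: `pax_get_pmd()` returns any pmd that passes `pmd_present()`, and a large-page pmd passes that test too, while the caller added later in this patch hands the result to `pte_offset_map_lock()`. Unless the configuration rules out large user mappings, which cannot be seen from here, the last test could be `if (!pmd_present(*pmd) || pmd_large(*pmd))`. The helper also has no comment; `/* walk mm's page tables for address; NULL if any level is not present */` would do.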
21372 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
21373 for (address = VMALLOC_START & PMD_MASK;
21374 address >= TASK_SIZE && address < FIXADDR_TOP;
21375 address += PMD_SIZE) {
21376 +
21377 +#ifdef CONFIG_PAX_PER_CPU_PGD
21378 + unsigned long cpu;
21379 +#else
21380 struct page *page;
21381 +#endif
21382
21383 spin_lock(&pgd_lock);
21384 +
21385 +#ifdef CONFIG_PAX_PER_CPU_PGD
21386 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21387 + pgd_t *pgd = get_cpu_pgd(cpu);
21388 + pmd_t *ret;
21389 +#else
21390 list_for_each_entry(page, &pgd_list, lru) {
21391 + pgd_t *pgd = page_address(page);
21392 spinlock_t *pgt_lock;
21393 pmd_t *ret;
21394
21395 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
21396 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21397
21398 spin_lock(pgt_lock);
21399 - ret = vmalloc_sync_one(page_address(page), address);
21400 +#endif
21401 +
21402 + ret = vmalloc_sync_one(pgd, address);
21403 +
21404 +#ifndef CONFIG_PAX_PER_CPU_PGD
21405 spin_unlock(pgt_lock);
21406 +#endif
21407
21408 if (!ret)
21409 break;
21410 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
21411 * an interrupt in the middle of a task switch..
21412 */
21413 pgd_paddr = read_cr3();
21414 +
21415 +#ifdef CONFIG_PAX_PER_CPU_PGD
21416 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21417 +#endif
21418 +
21419 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21420 if (!pmd_k)
21421 return -1;
21422 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
21423 * happen within a race in page table update. In the later
21424 * case just flush:
21425 */
21426 +
21427 +#ifdef CONFIG_PAX_PER_CPU_PGD
21428 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21429 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21430 +#else
21431 pgd = pgd_offset(current->active_mm, address);
21432 +#endif
21433 +
21434 pgd_ref = pgd_offset_k(address);
21435 if (pgd_none(*pgd_ref))
21436 return -1;
21437 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
21438 static int is_errata100(struct pt_regs *regs, unsigned long address)
21439 {
21440 #ifdef CONFIG_X86_64
21441 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21442 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21443 return 1;
21444 #endif
21445 return 0;
21446 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
21447 }
21448
21449 static const char nx_warning[] = KERN_CRIT
21450 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21451 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21452
21453 static void
21454 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21455 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
21456 if (!oops_may_print())
21457 return;
21458
21459 - if (error_code & PF_INSTR) {
21460 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
21461 unsigned int level;
21462
21463 pte_t *pte = lookup_address(address, &level);
21464
21465 if (pte && pte_present(*pte) && !pte_exec(*pte))
21466 - printk(nx_warning, current_uid());
21467 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21468 }
21469
21470 +#ifdef CONFIG_PAX_KERNEXEC
21471 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21472 + if (current->signal->curr_ip)
21473 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21474 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21475 + else
21476 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21477 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21478 + }
21479 +#endif
21480 +
21481 printk(KERN_ALERT "BUG: unable to handle kernel ");
21482 if (address < PAGE_SIZE)
21483 printk(KERN_CONT "NULL pointer dereference");
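Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for any oops whose address lies in `init_mm.start_code..end_code` without testing `PF_WRITE`, so a read or instruction-fetch fault in that range, if one can reach this path, would be reported as a modification attempt. Adding the test, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, keeps the log line accurate for whoever triages it. `current->comm`, printed here and in the extended `nx_warning`, is settable by the task itself, so log consumers should treat it as untrusted text. The function continues outside the hunk.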
21484 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
21485 unsigned long address, int si_code)
21486 {
21487 struct task_struct *tsk = current;
21488 + struct mm_struct *mm = tsk->mm;
21489 +
21490 +#ifdef CONFIG_X86_64
21491 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21492 + if (regs->ip == (unsigned long)vgettimeofday) {
21493 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21494 + return;
21495 + } else if (regs->ip == (unsigned long)vtime) {
21496 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21497 + return;
21498 + } else if (regs->ip == (unsigned long)vgetcpu) {
21499 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21500 + return;
21501 + }
21502 + }
21503 +#endif
21504 +
21505 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21506 + if (mm && (error_code & PF_USER)) {
21507 + unsigned long ip = regs->ip;
21508 +
21509 + if (v8086_mode(regs))
21510 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21511 +
21512 + /*
21513 + * It's possible to have interrupts off here:
21514 + */
21515 + local_irq_enable();
21516 +
21517 +#ifdef CONFIG_PAX_PAGEEXEC
21518 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21519 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21520 +
21521 +#ifdef CONFIG_PAX_EMUTRAMP
21522 + switch (pax_handle_fetch_fault(regs)) {
21523 + case 2:
21524 + return;
21525 + }
21526 +#endif
21527 +
21528 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21529 + do_group_exit(SIGKILL);
21530 + }
21531 +#endif
21532 +
21533 +#ifdef CONFIG_PAX_SEGMEXEC
21534 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21535 +
21536 +#ifdef CONFIG_PAX_EMUTRAMP
21537 + switch (pax_handle_fetch_fault(regs)) {
21538 + case 2:
21539 + return;
21540 + }
21541 +#endif
21542 +
21543 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21544 + do_group_exit(SIGKILL);
21545 + }
21546 +#endif
21547 +
21548 + }
21549 +#endif
21550
21551 /* User mode accesses just cause a SIGSEGV */
21552 if (error_code & PF_USER) {
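Review bot: The x86-64 vsyscall fallback rewrites `regs->ip` whenever `PF_INSTR` is set and `regs->ip` matches one of the three vsyscall entry points, but unlike the PaX block right below it never tests `PF_USER`. Requiring both bits, `if (mm && (error_code & (PF_INSTR | PF_USER)) == (PF_INSTR | PF_USER) && mm->context.vdso) {`, would limit the redirect to faults raised from user mode. The single-case `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` appears twice here; `if (pax_handle_fetch_fault(regs) == 2) return;` with a named constant for 2 reads more directly. The function starts and ends outside the hunk.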
21553 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
21554 return 1;
21555 }
21556
21557 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21558 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21559 +{
21560 + pte_t *pte;
21561 + pmd_t *pmd;
21562 + spinlock_t *ptl;
21563 + unsigned char pte_mask;
21564 +
21565 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21566 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21567 + return 0;
21568 +
21569 + /* PaX: it's our fault, let's handle it if we can */
21570 +
21571 + /* PaX: take a look at read faults before acquiring any locks */
21572 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21573 + /* instruction fetch attempt from a protected page in user mode */
21574 + up_read(&mm->mmap_sem);
21575 +
21576 +#ifdef CONFIG_PAX_EMUTRAMP
21577 + switch (pax_handle_fetch_fault(regs)) {
21578 + case 2:
21579 + return 1;
21580 + }
21581 +#endif
21582 +
21583 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21584 + do_group_exit(SIGKILL);
21585 + }
21586 +
21587 + pmd = pax_get_pmd(mm, address);
21588 + if (unlikely(!pmd))
21589 + return 0;
21590 +
21591 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21592 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21593 + pte_unmap_unlock(pte, ptl);
21594 + return 0;
21595 + }
21596 +
21597 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21598 + /* write attempt to a protected page in user mode */
21599 + pte_unmap_unlock(pte, ptl);
21600 + return 0;
21601 + }
21602 +
21603 +#ifdef CONFIG_SMP
21604 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21605 +#else
21606 + if (likely(address > get_limit(regs->cs)))
21607 +#endif
21608 + {
21609 + set_pte(pte, pte_mkread(*pte));
21610 + __flush_tlb_one(address);
21611 + pte_unmap_unlock(pte, ptl);
21612 + up_read(&mm->mmap_sem);
21613 + return 1;
21614 + }
21615 +
21616 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21617 +
21618 + /*
21619 + * PaX: fill DTLB with user rights and retry
21620 + */
21621 + __asm__ __volatile__ (
21622 + "orb %2,(%1)\n"
21623 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21624 +/*
21625 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21626 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21627 + * page fault when examined during a TLB load attempt. this is true not only
21628 + * for PTEs holding a non-present entry but also present entries that will
21629 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21630 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21631 + * for our target pages since their PTEs are simply not in the TLBs at all.
21632 +
21633 + * the best thing in omitting it is that we gain around 15-20% speed in the
21634 + * fast path of the page fault handler and can get rid of tracing since we
21635 + * can no longer flush unintended entries.
21636 + */
21637 + "invlpg (%0)\n"
21638 +#endif
21639 + __copyuser_seg"testb $0,(%0)\n"
21640 + "xorb %3,(%1)\n"
21641 + :
21642 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21643 + : "memory", "cc");
21644 + pte_unmap_unlock(pte, ptl);
21645 + up_read(&mm->mmap_sem);
21646 + return 1;
21647 +}
21648 +#endif
21649 +
21650 /*
21651 * Handle a spurious fault caused by a stale TLB entry.
21652 *
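Review bot: `pax_handle_pageexec_fault()` has an undocumented locking contract: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves it held for the caller. A header comment should state this, for example `/* Returns 1 if the fault was handled (mmap_sem released), 0 if the caller must continue (mmap_sem still held). */`, because a new early return that gets it wrong either leaks the semaphore or releases it twice. The `pte_mask` expression also needs a line explaining that the shift evidently moves the `PF_WRITE` bit of the error code into the `_PAGE_DIRTY` position.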
21653 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
21654 static inline int
21655 access_error(unsigned long error_code, struct vm_area_struct *vma)
21656 {
21657 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21658 + return 1;
21659 +
21660 if (error_code & PF_WRITE) {
21661 /* write, present and write, not present: */
21662 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21663 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
21664 {
21665 struct vm_area_struct *vma;
21666 struct task_struct *tsk;
21667 - unsigned long address;
21668 struct mm_struct *mm;
21669 int fault;
21670 int write = error_code & PF_WRITE;
21671 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
21672 (write ? FAULT_FLAG_WRITE : 0);
21673
21674 + /* Get the faulting address: */
21675 + unsigned long address = read_cr2();
21676 +
21677 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21678 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21679 + if (!search_exception_tables(regs->ip)) {
21680 + bad_area_nosemaphore(regs, error_code, address);
21681 + return;
21682 + }
21683 + if (address < PAX_USER_SHADOW_BASE) {
21684 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21685 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21686 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21687 + } else
21688 + address -= PAX_USER_SHADOW_BASE;
21689 + }
21690 +#endif
21691 +
21692 tsk = current;
21693 mm = tsk->mm;
21694
21695 - /* Get the faulting address: */
21696 - address = read_cr2();
21697 -
21698 /*
21699 * Detect and handle instructions that would cause a page fault for
21700 * both a tracked kernel page and a userspace page.
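Review bot: The two `printk(KERN_ERR ...)` calls and the `show_trace_log_lvl()` call in the `address < PAX_USER_SHADOW_BASE` branch are not rate-limited, so a kernel path that trips this repeatedly would fill the log with stack traces. Wrapping them, `if (printk_ratelimit()) {`, bounds the output while keeping the first reports. The block also has no comment on the two address ranges it distinguishes. A short one should say that a fault inside the shadow range is mapped back to the user address, while one below the shadow base is reported and processed with the address unchanged; the wording should be checked against the UDEREF design. The function continues outside the hunk.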
21701 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
21702 * User-mode registers count as a user access even for any
21703 * potential system fault or CPU buglet:
21704 */
21705 - if (user_mode_vm(regs)) {
21706 + if (user_mode(regs)) {
21707 local_irq_enable();
21708 error_code |= PF_USER;
21709 } else {
21710 @@ -1087,6 +1337,11 @@ retry:
21711 might_sleep();
21712 }
21713
21714 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21715 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21716 + return;
21717 +#endif
21718 +
21719 vma = find_vma(mm, address);
21720 if (unlikely(!vma)) {
21721 bad_area(regs, error_code, address);
21722 @@ -1098,18 +1353,24 @@ retry:
21723 bad_area(regs, error_code, address);
21724 return;
21725 }
21726 - if (error_code & PF_USER) {
21727 - /*
21728 - * Accessing the stack below %sp is always a bug.
21729 - * The large cushion allows instructions like enter
21730 - * and pusha to work. ("enter $65535, $31" pushes
21731 - * 32 pointers and then decrements %sp by 65535.)
21732 - */
21733 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21734 - bad_area(regs, error_code, address);
21735 - return;
21736 - }
21737 + /*
21738 + * Accessing the stack below %sp is always a bug.
21739 + * The large cushion allows instructions like enter
21740 + * and pusha to work. ("enter $65535, $31" pushes
21741 + * 32 pointers and then decrements %sp by 65535.)
21742 + */
21743 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21744 + bad_area(regs, error_code, address);
21745 + return;
21746 }
21747 +
21748 +#ifdef CONFIG_PAX_SEGMEXEC
21749 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21750 + bad_area(regs, error_code, address);
21751 + return;
21752 + }
21753 +#endif
21754 +
21755 if (unlikely(expand_stack(vma, address))) {
21756 bad_area(regs, error_code, address);
21757 return;
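Review bot: The stack-cushion test now runs for kernel-mode faults as well and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, but the comment above it is carried over unchanged. Add a line such as `/* applies to kernel-mode accesses too, hence the task's saved user %sp */`. The `CONFIG_PAX_SEGMEXEC` comparison `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wraparound and should say in a comment which case it is meant to reject. The enclosing function starts and ends outside the hunk.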
21758 @@ -1164,3 +1425,199 @@ good_area:
21759
21760 up_read(&mm->mmap_sem);
21761 }
21762 +
21763 +#ifdef CONFIG_PAX_EMUTRAMP
21764 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21765 +{
21766 + int err;
21767 +
21768 + do { /* PaX: gcc trampoline emulation #1 */
21769 + unsigned char mov1, mov2;
21770 + unsigned short jmp;
21771 + unsigned int addr1, addr2;
21772 +
21773 +#ifdef CONFIG_X86_64
21774 + if ((regs->ip + 11) >> 32)
21775 + break;
21776 +#endif
21777 +
21778 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21779 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21780 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21781 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21782 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21783 +
21784 + if (err)
21785 + break;
21786 +
21787 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21788 + regs->cx = addr1;
21789 + regs->ax = addr2;
21790 + regs->ip = addr2;
21791 + return 2;
21792 + }
21793 + } while (0);
21794 +
21795 + do { /* PaX: gcc trampoline emulation #2 */
21796 + unsigned char mov, jmp;
21797 + unsigned int addr1, addr2;
21798 +
21799 +#ifdef CONFIG_X86_64
21800 + if ((regs->ip + 9) >> 32)
21801 + break;
21802 +#endif
21803 +
21804 + err = get_user(mov, (unsigned char __user *)regs->ip);
21805 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21806 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21807 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21808 +
21809 + if (err)
21810 + break;
21811 +
21812 + if (mov == 0xB9 && jmp == 0xE9) {
21813 + regs->cx = addr1;
21814 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21815 + return 2;
21816 + }
21817 + } while (0);
21818 +
21819 + return 1; /* PaX in action */
21820 +}
21821 +
21822 +#ifdef CONFIG_X86_64
21823 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21824 +{
21825 + int err;
21826 +
21827 + do { /* PaX: gcc trampoline emulation #1 */
21828 + unsigned short mov1, mov2, jmp1;
21829 + unsigned char jmp2;
21830 + unsigned int addr1;
21831 + unsigned long addr2;
21832 +
21833 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21834 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21835 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21836 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21837 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21838 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21839 +
21840 + if (err)
21841 + break;
21842 +
21843 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21844 + regs->r11 = addr1;
21845 + regs->r10 = addr2;
21846 + regs->ip = addr1;
21847 + return 2;
21848 + }
21849 + } while (0);
21850 +
21851 + do { /* PaX: gcc trampoline emulation #2 */
21852 + unsigned short mov1, mov2, jmp1;
21853 + unsigned char jmp2;
21854 + unsigned long addr1, addr2;
21855 +
21856 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21857 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21858 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21859 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21860 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21861 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21862 +
21863 + if (err)
21864 + break;
21865 +
21866 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21867 + regs->r11 = addr1;
21868 + regs->r10 = addr2;
21869 + regs->ip = addr1;
21870 + return 2;
21871 + }
21872 + } while (0);
21873 +
21874 + return 1; /* PaX in action */
21875 +}
21876 +#endif
21877 +
21878 +/*
21879 + * PaX: decide what to do with offenders (regs->ip = fault address)
21880 + *
21881 + * returns 1 when task should be killed
21882 + * 2 when gcc trampoline was detected
21883 + */
21884 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21885 +{
21886 + if (v8086_mode(regs))
21887 + return 1;
21888 +
21889 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21890 + return 1;
21891 +
21892 +#ifdef CONFIG_X86_32
21893 + return pax_handle_fetch_fault_32(regs);
21894 +#else
21895 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21896 + return pax_handle_fetch_fault_32(regs);
21897 + else
21898 + return pax_handle_fetch_fault_64(regs);
21899 +#endif
21900 +}
21901 +#endif
21902 +
21903 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21904 +void pax_report_insns(void *pc, void *sp)
21905 +{
21906 + long i;
21907 +
21908 + printk(KERN_ERR "PAX: bytes at PC: ");
21909 + for (i = 0; i < 20; i++) {
21910 + unsigned char c;
21911 + if (get_user(c, (__force unsigned char __user *)pc+i))
21912 + printk(KERN_CONT "?? ");
21913 + else
21914 + printk(KERN_CONT "%02x ", c);
21915 + }
21916 + printk("\n");
21917 +
21918 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21919 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21920 + unsigned long c;
21921 + if (get_user(c, (__force unsigned long __user *)sp+i))
21922 +#ifdef CONFIG_X86_32
21923 + printk(KERN_CONT "???????? ");
21924 +#else
21925 + printk(KERN_CONT "???????????????? ");
21926 +#endif
21927 + else
21928 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21929 + }
21930 + printk("\n");
21931 +}
21932 +#endif
21933 +
21934 +/**
21935 + * probe_kernel_write(): safely attempt to write to a location
21936 + * @dst: address to write to
21937 + * @src: pointer to the data that shall be written
21938 + * @size: size of the data chunk
21939 + *
21940 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21941 + * happens, handle that and return -EFAULT.
21942 + */
21943 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21944 +{
21945 + long ret;
21946 + mm_segment_t old_fs = get_fs();
21947 +
21948 + set_fs(KERNEL_DS);
21949 + pagefault_disable();
21950 + pax_open_kernel();
21951 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21952 + pax_close_kernel();
21953 + pagefault_enable();
21954 + set_fs(old_fs);
21955 +
21956 + return ret ? -EFAULT : 0;
21957 +}
21958 diff -urNp linux-2.6.39.3/arch/x86/mm/gup.c linux-2.6.39.3/arch/x86/mm/gup.c
21959 --- linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-19 00:06:34.000000000 -0400
21960 +++ linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-22 19:36:30.000000000 -0400
21961 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
21962 addr = start;
21963 len = (unsigned long) nr_pages << PAGE_SHIFT;
21964 end = start + len;
21965 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21966 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21967 (void __user *)start, len)))
21968 return 0;
21969
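Review bot: The switch from `access_ok` to `__access_ok` in `__get_user_pages_fast` has no comment, so a reader cannot tell which part of the wrapper is being bypassed or why a weaker check on a user-supplied range is acceptable here. Neither macro is defined in this hunk; presumably the patched `access_ok` does extra work that must not run in this fast path. A one-line comment above the call would do, stating that only the range check is wanted and why. The function body starts and ends outside the hunk.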
21970 diff -urNp linux-2.6.39.3/arch/x86/mm/highmem_32.c linux-2.6.39.3/arch/x86/mm/highmem_32.c
21971 --- linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-19 00:06:34.000000000 -0400
21972 +++ linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-22 19:36:30.000000000 -0400
21973 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
21974 idx = type + KM_TYPE_NR*smp_processor_id();
21975 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21976 BUG_ON(!pte_none(*(kmap_pte-idx)));
21977 +
21978 + pax_open_kernel();
21979 set_pte(kmap_pte-idx, mk_pte(page, prot));
21980 + pax_close_kernel();
21981
21982 return (void *)vaddr;
21983 }
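Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `set_pte(kmap_pte-idx, ...)` is undocumented, so kmap_atomic_prot does not say which protected object the store targets. Presumably the kmap page table is not writable under KERNEXEC; a comment such as `/* kmap PTEs are write-protected: open the window for this single store only */` would record that and discourage adding further statements inside the window. The same unannotated pair is added in iomap_32.c (kmap_atomic_prot_pfn) and in init_64.c (set_pte_vaddr_pud).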
21984 diff -urNp linux-2.6.39.3/arch/x86/mm/hugetlbpage.c linux-2.6.39.3/arch/x86/mm/hugetlbpage.c
21985 --- linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
21986 +++ linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
21987 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
21988 struct hstate *h = hstate_file(file);
21989 struct mm_struct *mm = current->mm;
21990 struct vm_area_struct *vma;
21991 - unsigned long start_addr;
21992 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21993 +
21994 +#ifdef CONFIG_PAX_SEGMEXEC
21995 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21996 + pax_task_size = SEGMEXEC_TASK_SIZE;
21997 +#endif
21998 +
21999 + pax_task_size -= PAGE_SIZE;
22000
22001 if (len > mm->cached_hole_size) {
22002 - start_addr = mm->free_area_cache;
22003 + start_addr = mm->free_area_cache;
22004 } else {
22005 - start_addr = TASK_UNMAPPED_BASE;
22006 - mm->cached_hole_size = 0;
22007 + start_addr = mm->mmap_base;
22008 + mm->cached_hole_size = 0;
22009 }
22010
22011 full_search:
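Review bot: `pax_task_size -= PAGE_SIZE;` shrinks the search limit by one page with no explanation. The same three-step computation (`TASK_SIZE`, optional `SEGMEXEC_TASK_SIZE`, minus one page) is repeated in hugetlb_get_unmapped_area further down this file. A comment saying why the last page is excluded, or a small static helper returning the adjusted size, would keep the two copies from drifting apart. The `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` pairs in this hunk appear to differ only in whitespace and could be dropped from the patch. The function starts outside the hunk.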
22012 @@ -280,26 +287,27 @@ full_search:
22013
22014 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
22015 /* At this point: (!vma || addr < vma->vm_end). */
22016 - if (TASK_SIZE - len < addr) {
22017 + if (pax_task_size - len < addr) {
22018 /*
22019 * Start a new search - just in case we missed
22020 * some holes.
22021 */
22022 - if (start_addr != TASK_UNMAPPED_BASE) {
22023 - start_addr = TASK_UNMAPPED_BASE;
22024 + if (start_addr != mm->mmap_base) {
22025 + start_addr = mm->mmap_base;
22026 mm->cached_hole_size = 0;
22027 goto full_search;
22028 }
22029 return -ENOMEM;
22030 }
22031 - if (!vma || addr + len <= vma->vm_start) {
22032 - mm->free_area_cache = addr + len;
22033 - return addr;
22034 - }
22035 + if (check_heap_stack_gap(vma, addr, len))
22036 + break;
22037 if (addr + mm->cached_hole_size < vma->vm_start)
22038 mm->cached_hole_size = vma->vm_start - addr;
22039 addr = ALIGN(vma->vm_end, huge_page_size(h));
22040 }
22041 +
22042 + mm->free_area_cache = addr + len;
22043 + return addr;
22044 }
22045
22046 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
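Review bot: The loop now exits only through `check_heap_stack_gap(vma, addr, len)`, so `vma->vm_start` on the following lines is dereferenced whenever that helper returns false, and the explicit `!vma` test that used to guard it is gone. The helper is defined outside this file section, so its handling of a NULL `vma` from `find_vma()` cannot be confirmed here. A comment at the call, e.g. `/* check_heap_stack_gap() returns true for a NULL vma (nothing mapped above addr) */`, or an explicit `!vma ||` in front of it, would make the invariant local. The top-down loop in the next function has the same shape, with `vma->vm_end` read right after the check.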
22047 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
22048 {
22049 struct hstate *h = hstate_file(file);
22050 struct mm_struct *mm = current->mm;
22051 - struct vm_area_struct *vma, *prev_vma;
22052 - unsigned long base = mm->mmap_base, addr = addr0;
22053 + struct vm_area_struct *vma;
22054 + unsigned long base = mm->mmap_base, addr;
22055 unsigned long largest_hole = mm->cached_hole_size;
22056 - int first_time = 1;
22057
22058 /* don't allow allocations above current base */
22059 if (mm->free_area_cache > base)
22060 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
22061 largest_hole = 0;
22062 mm->free_area_cache = base;
22063 }
22064 -try_again:
22065 +
22066 /* make sure it can fit in the remaining address space */
22067 if (mm->free_area_cache < len)
22068 goto fail;
22069
22070 /* either no address requested or can't fit in requested address hole */
22071 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
22072 + addr = (mm->free_area_cache - len);
22073 do {
22074 + addr &= huge_page_mask(h);
22075 + vma = find_vma(mm, addr);
22076 /*
22077 * Lookup failure means no vma is above this address,
22078 * i.e. return with success:
22079 - */
22080 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
22081 - return addr;
22082 -
22083 - /*
22084 * new region fits between prev_vma->vm_end and
22085 * vma->vm_start, use it:
22086 */
22087 - if (addr + len <= vma->vm_start &&
22088 - (!prev_vma || (addr >= prev_vma->vm_end))) {
22089 + if (check_heap_stack_gap(vma, addr, len)) {
22090 /* remember the address as a hint for next time */
22091 - mm->cached_hole_size = largest_hole;
22092 - return (mm->free_area_cache = addr);
22093 - } else {
22094 - /* pull free_area_cache down to the first hole */
22095 - if (mm->free_area_cache == vma->vm_end) {
22096 - mm->free_area_cache = vma->vm_start;
22097 - mm->cached_hole_size = largest_hole;
22098 - }
22099 + mm->cached_hole_size = largest_hole;
22100 + return (mm->free_area_cache = addr);
22101 + }
22102 + /* pull free_area_cache down to the first hole */
22103 + if (mm->free_area_cache == vma->vm_end) {
22104 + mm->free_area_cache = vma->vm_start;
22105 + mm->cached_hole_size = largest_hole;
22106 }
22107
22108 /* remember the largest hole we saw so far */
22109 if (addr + largest_hole < vma->vm_start)
22110 - largest_hole = vma->vm_start - addr;
22111 + largest_hole = vma->vm_start - addr;
22112
22113 /* try just below the current vma->vm_start */
22114 - addr = (vma->vm_start - len) & huge_page_mask(h);
22115 - } while (len <= vma->vm_start);
22116 + addr = skip_heap_stack_gap(vma, len);
22117 + } while (!IS_ERR_VALUE(addr));
22118
22119 fail:
22120 /*
22121 - * if hint left us with no space for the requested
22122 - * mapping then try again:
22123 - */
22124 - if (first_time) {
22125 - mm->free_area_cache = base;
22126 - largest_hole = 0;
22127 - first_time = 0;
22128 - goto try_again;
22129 - }
22130 - /*
22131 * A failed mmap() very likely causes application failure,
22132 * so fall back to the bottom-up function here. This scenario
22133 * can happen with large stack limits and large mmap()
22134 * allocations.
22135 */
22136 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22137 +
22138 +#ifdef CONFIG_PAX_SEGMEXEC
22139 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22140 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
22141 + else
22142 +#endif
22143 +
22144 + mm->mmap_base = TASK_UNMAPPED_BASE;
22145 +
22146 +#ifdef CONFIG_PAX_RANDMMAP
22147 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22148 + mm->mmap_base += mm->delta_mmap;
22149 +#endif
22150 +
22151 + mm->free_area_cache = mm->mmap_base;
22152 mm->cached_hole_size = ~0UL;
22153 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
22154 len, pgoff, flags);
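Review bot: The comment left above `check_heap_stack_gap()` in the do-loop is two merged fragments and is now stale. It still says a lookup failure returns with success and refers to `prev_vma->vm_end`, although `prev_vma` and the `find_vma_prev()` call were removed. It should describe the new test, e.g. `/* use addr if nothing is mapped above it or the gap below vma->vm_start is sufficient */`. Separately, the fail path ends its `#ifdef CONFIG_PAX_SEGMEXEC` block on a bare `else` whose statement follows the `#endif` and a blank line; bracing both branches would make the pairing explicit, and mmap_legacy_base in mmap.c uses the same construct.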
22155 @@ -386,6 +392,7 @@ fail:
22156 /*
22157 * Restore the topdown base:
22158 */
22159 + mm->mmap_base = base;
22160 mm->free_area_cache = base;
22161 mm->cached_hole_size = ~0UL;
22162
22163 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
22164 struct hstate *h = hstate_file(file);
22165 struct mm_struct *mm = current->mm;
22166 struct vm_area_struct *vma;
22167 + unsigned long pax_task_size = TASK_SIZE;
22168
22169 if (len & ~huge_page_mask(h))
22170 return -EINVAL;
22171 - if (len > TASK_SIZE)
22172 +
22173 +#ifdef CONFIG_PAX_SEGMEXEC
22174 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22175 + pax_task_size = SEGMEXEC_TASK_SIZE;
22176 +#endif
22177 +
22178 + pax_task_size -= PAGE_SIZE;
22179 +
22180 + if (len > pax_task_size)
22181 return -ENOMEM;
22182
22183 if (flags & MAP_FIXED) {
22184 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
22185 if (addr) {
22186 addr = ALIGN(addr, huge_page_size(h));
22187 vma = find_vma(mm, addr);
22188 - if (TASK_SIZE - len >= addr &&
22189 - (!vma || addr + len <= vma->vm_start))
22190 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
22191 return addr;
22192 }
22193 if (mm->get_unmapped_area == arch_get_unmapped_area)
22194 diff -urNp linux-2.6.39.3/arch/x86/mm/init_32.c linux-2.6.39.3/arch/x86/mm/init_32.c
22195 --- linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
22196 +++ linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
22197 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
22198 }
22199
22200 /*
22201 - * Creates a middle page table and puts a pointer to it in the
22202 - * given global directory entry. This only returns the gd entry
22203 - * in non-PAE compilation mode, since the middle layer is folded.
22204 - */
22205 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
22206 -{
22207 - pud_t *pud;
22208 - pmd_t *pmd_table;
22209 -
22210 -#ifdef CONFIG_X86_PAE
22211 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
22212 - if (after_bootmem)
22213 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
22214 - else
22215 - pmd_table = (pmd_t *)alloc_low_page();
22216 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
22217 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
22218 - pud = pud_offset(pgd, 0);
22219 - BUG_ON(pmd_table != pmd_offset(pud, 0));
22220 -
22221 - return pmd_table;
22222 - }
22223 -#endif
22224 - pud = pud_offset(pgd, 0);
22225 - pmd_table = pmd_offset(pud, 0);
22226 -
22227 - return pmd_table;
22228 -}
22229 -
22230 -/*
22231 * Create a page table and place a pointer to it in a middle page
22232 * directory entry:
22233 */
22234 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
22235 page_table = (pte_t *)alloc_low_page();
22236
22237 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
22238 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22239 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
22240 +#else
22241 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
22242 +#endif
22243 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
22244 }
22245
22246 return pte_offset_kernel(pmd, 0);
22247 }
22248
22249 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
22250 +{
22251 + pud_t *pud;
22252 + pmd_t *pmd_table;
22253 +
22254 + pud = pud_offset(pgd, 0);
22255 + pmd_table = pmd_offset(pud, 0);
22256 +
22257 + return pmd_table;
22258 +}
22259 +
22260 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
22261 {
22262 int pgd_idx = pgd_index(vaddr);
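Review bot: The re-added `one_md_table_init()` no longer allocates a pmd page when the pgd entry is not present under CONFIG_X86_PAE, and the comment the old version carried was dropped with it. As written it only walks `pud_offset`/`pmd_offset`, so it is correct only if the pmd tables already exist when populate_extra_pmd() calls it. Presumably they are set up elsewhere in the patch, which this hunk does not show. A header comment such as `/* Return the pmd table for @pgd; nothing is allocated here, the table must already exist */` would state that precondition.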
22263 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
22264 int pgd_idx, pmd_idx;
22265 unsigned long vaddr;
22266 pgd_t *pgd;
22267 + pud_t *pud;
22268 pmd_t *pmd;
22269 pte_t *pte = NULL;
22270
22271 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
22272 pgd = pgd_base + pgd_idx;
22273
22274 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
22275 - pmd = one_md_table_init(pgd);
22276 - pmd = pmd + pmd_index(vaddr);
22277 + pud = pud_offset(pgd, vaddr);
22278 + pmd = pmd_offset(pud, vaddr);
22279 +
22280 +#ifdef CONFIG_X86_PAE
22281 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22282 +#endif
22283 +
22284 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
22285 pmd++, pmd_idx++) {
22286 pte = page_table_kmap_check(one_page_table_init(pmd),
22287 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
22288 }
22289 }
22290
22291 -static inline int is_kernel_text(unsigned long addr)
22292 +static inline int is_kernel_text(unsigned long start, unsigned long end)
22293 {
22294 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
22295 - return 1;
22296 - return 0;
22297 + if ((start > ktla_ktva((unsigned long)_etext) ||
22298 + end <= ktla_ktva((unsigned long)_stext)) &&
22299 + (start > ktla_ktva((unsigned long)_einittext) ||
22300 + end <= ktla_ktva((unsigned long)_sinittext)) &&
22301 +
22302 +#ifdef CONFIG_ACPI_SLEEP
22303 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
22304 +#endif
22305 +
22306 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
22307 + return 0;
22308 + return 1;
22309 }
22310
22311 /*
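Review bot: `is_kernel_text()` now also returns 1 for ranges touching the ACPI wakeup area and the `0xc0000`–`0xfffff` window, so the name no longer says what the predicate decides, and `0x4000`, `0xfffff` and `0xc0000` are bare literals. The callers later in this file use the result to select `PAGE_KERNEL_EXEC` or `PAGE_KERNEL_LARGE_EXEC`, so a header comment listing the four regions that stay executable, and why, is worth adding. The upper-bound tests for `_etext`, `_einittext` and the wakeup area use `start >`, which counts a range starting exactly at the region's end as overlapping. If those are exclusive ends, `start >=` would avoid mapping one extra page or large page executable; this may be deliberate, so it is worth confirming.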
22312 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
22313 unsigned long last_map_addr = end;
22314 unsigned long start_pfn, end_pfn;
22315 pgd_t *pgd_base = swapper_pg_dir;
22316 - int pgd_idx, pmd_idx, pte_ofs;
22317 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22318 unsigned long pfn;
22319 pgd_t *pgd;
22320 + pud_t *pud;
22321 pmd_t *pmd;
22322 pte_t *pte;
22323 unsigned pages_2m, pages_4k;
22324 @@ -281,8 +282,13 @@ repeat:
22325 pfn = start_pfn;
22326 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22327 pgd = pgd_base + pgd_idx;
22328 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22329 - pmd = one_md_table_init(pgd);
22330 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22331 + pud = pud_offset(pgd, 0);
22332 + pmd = pmd_offset(pud, 0);
22333 +
22334 +#ifdef CONFIG_X86_PAE
22335 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22336 +#endif
22337
22338 if (pfn >= end_pfn)
22339 continue;
22340 @@ -294,14 +300,13 @@ repeat:
22341 #endif
22342 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22343 pmd++, pmd_idx++) {
22344 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22345 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22346
22347 /*
22348 * Map with big pages if possible, otherwise
22349 * create normal page tables:
22350 */
22351 if (use_pse) {
22352 - unsigned int addr2;
22353 pgprot_t prot = PAGE_KERNEL_LARGE;
22354 /*
22355 * first pass will use the same initial
22356 @@ -311,11 +316,7 @@ repeat:
22357 __pgprot(PTE_IDENT_ATTR |
22358 _PAGE_PSE);
22359
22360 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22361 - PAGE_OFFSET + PAGE_SIZE-1;
22362 -
22363 - if (is_kernel_text(addr) ||
22364 - is_kernel_text(addr2))
22365 + if (is_kernel_text(address, address + PMD_SIZE))
22366 prot = PAGE_KERNEL_LARGE_EXEC;
22367
22368 pages_2m++;
22369 @@ -332,7 +333,7 @@ repeat:
22370 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22371 pte += pte_ofs;
22372 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22373 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22374 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22375 pgprot_t prot = PAGE_KERNEL;
22376 /*
22377 * first pass will use the same initial
22378 @@ -340,7 +341,7 @@ repeat:
22379 */
22380 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22381
22382 - if (is_kernel_text(addr))
22383 + if (is_kernel_text(address, address + PAGE_SIZE))
22384 prot = PAGE_KERNEL_EXEC;
22385
22386 pages_4k++;
22387 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
22388
22389 pud = pud_offset(pgd, va);
22390 pmd = pmd_offset(pud, va);
22391 - if (!pmd_present(*pmd))
22392 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22393 break;
22394
22395 pte = pte_offset_kernel(pmd, va);
22396 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
22397
22398 static void __init pagetable_init(void)
22399 {
22400 - pgd_t *pgd_base = swapper_pg_dir;
22401 -
22402 - permanent_kmaps_init(pgd_base);
22403 + permanent_kmaps_init(swapper_pg_dir);
22404 }
22405
22406 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22407 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22408 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22409
22410 /* user-defined highmem size */
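Review bot: Moving `__supported_pte_mask` from `__read_mostly` to `__read_only` means every later store to it must happen before the section is write-protected or inside a `pax_open_kernel()` window, and nothing at the definition says which. The writers are outside this hunk, so this cannot be checked from the diff. A comment on the definition, e.g. `/* __read_only: updated only during early boot, before kernel data is write-protected */` (adjusted to what the patch actually guarantees), would record the rule. The same annotation change is made in init_64.c, where the initial value additionally starts with `_PAGE_NX` cleared.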
22411 @@ -754,6 +753,12 @@ void __init mem_init(void)
22412
22413 pci_iommu_alloc();
22414
22415 +#ifdef CONFIG_PAX_PER_CPU_PGD
22416 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22417 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22418 + KERNEL_PGD_PTRS);
22419 +#endif
22420 +
22421 #ifdef CONFIG_FLATMEM
22422 BUG_ON(!mem_map);
22423 #endif
22424 @@ -771,7 +776,7 @@ void __init mem_init(void)
22425 set_highmem_pages_init();
22426
22427 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22428 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22429 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22430 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22431
22432 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22433 @@ -812,10 +817,10 @@ void __init mem_init(void)
22434 ((unsigned long)&__init_end -
22435 (unsigned long)&__init_begin) >> 10,
22436
22437 - (unsigned long)&_etext, (unsigned long)&_edata,
22438 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22439 + (unsigned long)&_sdata, (unsigned long)&_edata,
22440 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22441
22442 - (unsigned long)&_text, (unsigned long)&_etext,
22443 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22444 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22445
22446 /*
22447 @@ -893,6 +898,7 @@ void set_kernel_text_rw(void)
22448 if (!kernel_set_to_readonly)
22449 return;
22450
22451 + start = ktla_ktva(start);
22452 pr_debug("Set kernel text: %lx - %lx for read write\n",
22453 start, start+size);
22454
22455 @@ -907,6 +913,7 @@ void set_kernel_text_ro(void)
22456 if (!kernel_set_to_readonly)
22457 return;
22458
22459 + start = ktla_ktva(start);
22460 pr_debug("Set kernel text: %lx - %lx for read only\n",
22461 start, start+size);
22462
22463 @@ -935,6 +942,7 @@ void mark_rodata_ro(void)
22464 unsigned long start = PFN_ALIGN(_text);
22465 unsigned long size = PFN_ALIGN(_etext) - start;
22466
22467 + start = ktla_ktva(start);
22468 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22469 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22470 size >> 10);
22471 diff -urNp linux-2.6.39.3/arch/x86/mm/init_64.c linux-2.6.39.3/arch/x86/mm/init_64.c
22472 --- linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-19 00:06:34.000000000 -0400
22473 +++ linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-22 19:36:30.000000000 -0400
22474 @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpa
22475 * around without checking the pgd every time.
22476 */
22477
22478 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
22479 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
22480 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22481
22482 int force_personality32;
22483 @@ -107,12 +107,22 @@ void sync_global_pgds(unsigned long star
22484
22485 for (address = start; address <= end; address += PGDIR_SIZE) {
22486 const pgd_t *pgd_ref = pgd_offset_k(address);
22487 +
22488 +#ifdef CONFIG_PAX_PER_CPU_PGD
22489 + unsigned long cpu;
22490 +#else
22491 struct page *page;
22492 +#endif
22493
22494 if (pgd_none(*pgd_ref))
22495 continue;
22496
22497 spin_lock(&pgd_lock);
22498 +
22499 +#ifdef CONFIG_PAX_PER_CPU_PGD
22500 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22501 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22502 +#else
22503 list_for_each_entry(page, &pgd_list, lru) {
22504 pgd_t *pgd;
22505 spinlock_t *pgt_lock;
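Review bot: The inner loop's opening brace is now selected by the preprocessor, either `for (cpu = 0; cpu < NR_CPUS; ++cpu) {` or `list_for_each_entry(page, &pgd_list, lru) {`, while the single closing `}` sits two hunks further down. That is easy to unbalance on the next edit; at minimum annotate the closer, e.g. `} /* for each cpu / for each pgd_list page, see #ifdef CONFIG_PAX_PER_CPU_PGD above */`. The per-CPU arm also walks all `NR_CPUS` slots, which is safe only if `pgd_offset_cpu()` is valid for every index; that helper is defined outside this hunk. The body of sync_global_pgds starts and ends outside the hunk.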
22506 @@ -121,6 +131,7 @@ void sync_global_pgds(unsigned long star
22507 /* the pgt_lock only for Xen */
22508 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
22509 spin_lock(pgt_lock);
22510 +#endif
22511
22512 if (pgd_none(*pgd))
22513 set_pgd(pgd, *pgd_ref);
22514 @@ -128,7 +139,10 @@ void sync_global_pgds(unsigned long star
22515 BUG_ON(pgd_page_vaddr(*pgd)
22516 != pgd_page_vaddr(*pgd_ref));
22517
22518 +#ifndef CONFIG_PAX_PER_CPU_PGD
22519 spin_unlock(pgt_lock);
22520 +#endif
22521 +
22522 }
22523 spin_unlock(&pgd_lock);
22524 }
22525 @@ -202,7 +216,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22526 pmd = fill_pmd(pud, vaddr);
22527 pte = fill_pte(pmd, vaddr);
22528
22529 + pax_open_kernel();
22530 set_pte(pte, new_pte);
22531 + pax_close_kernel();
22532
22533 /*
22534 * It's enough to flush this one mapping.
22535 @@ -261,14 +277,12 @@ static void __init __init_extra_mapping(
22536 pgd = pgd_offset_k((unsigned long)__va(phys));
22537 if (pgd_none(*pgd)) {
22538 pud = (pud_t *) spp_getpage();
22539 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22540 - _PAGE_USER));
22541 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22542 }
22543 pud = pud_offset(pgd, (unsigned long)__va(phys));
22544 if (pud_none(*pud)) {
22545 pmd = (pmd_t *) spp_getpage();
22546 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22547 - _PAGE_USER));
22548 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22549 }
22550 pmd = pmd_offset(pud, phys);
22551 BUG_ON(!pmd_none(*pmd));
22552 @@ -698,6 +712,12 @@ void __init mem_init(void)
22553
22554 pci_iommu_alloc();
22555
22556 +#ifdef CONFIG_PAX_PER_CPU_PGD
22557 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22558 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22559 + KERNEL_PGD_PTRS);
22560 +#endif
22561 +
22562 /* clear_bss() already clear the empty_zero_page */
22563
22564 reservedpages = 0;
22565 @@ -858,8 +878,8 @@ int kern_addr_valid(unsigned long addr)
22566 static struct vm_area_struct gate_vma = {
22567 .vm_start = VSYSCALL_START,
22568 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22569 - .vm_page_prot = PAGE_READONLY_EXEC,
22570 - .vm_flags = VM_READ | VM_EXEC
22571 + .vm_page_prot = PAGE_READONLY,
22572 + .vm_flags = VM_READ
22573 };
22574
22575 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
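Review bot: Dropping `VM_EXEC` and switching `vm_page_prot` to `PAGE_READONLY` makes `gate_vma` describe the vsyscall range as non-executable, but the initializer carries no comment on what that implies for code that consults this vma's flags. The mechanism that still lets user space use the vsyscall page is not in this hunk. A short comment above the struct should say that the flags are intentionally non-executable and point to where execution from this range is handled.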
22576 @@ -893,7 +913,7 @@ int in_gate_area_no_mm(unsigned long add
22577
22578 const char *arch_vma_name(struct vm_area_struct *vma)
22579 {
22580 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22581 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22582 return "[vdso]";
22583 if (vma == &gate_vma)
22584 return "[vsyscall]";
22585 diff -urNp linux-2.6.39.3/arch/x86/mm/init.c linux-2.6.39.3/arch/x86/mm/init.c
22586 --- linux-2.6.39.3/arch/x86/mm/init.c 2011-05-19 00:06:34.000000000 -0400
22587 +++ linux-2.6.39.3/arch/x86/mm/init.c 2011-06-07 19:41:11.000000000 -0400
22588 @@ -33,7 +33,7 @@ int direct_gbpages
22589 static void __init find_early_table_space(unsigned long end, int use_pse,
22590 int use_gbpages)
22591 {
22592 - unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
22593 + unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
22594 phys_addr_t base;
22595
22596 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
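Review bot: `start = 0x100000` replaces `0` as the lower bound of the early page-table search with a bare literal and no explanation. Presumably the intent is to keep the early tables out of the first megabyte; if so, say it at the declaration, e.g. `/* never place early page tables below 1MB */`, and consider spelling the value as `ISA_END_ADDRESS`, which devmem_is_allowed in this file uses for the same boundary. The rest of find_early_table_space is outside the hunk.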
22597 @@ -315,12 +315,34 @@ unsigned long __init_refok init_memory_m
22598 */
22599 int devmem_is_allowed(unsigned long pagenr)
22600 {
22601 - if (pagenr <= 256)
22602 +#ifdef CONFIG_GRKERNSEC_KMEM
22603 + /* allow BDA */
22604 + if (!pagenr)
22605 + return 1;
22606 + /* allow EBDA */
22607 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22608 + return 1;
22609 +#else
22610 + if (!pagenr)
22611 + return 1;
22612 +#ifdef CONFIG_VM86
22613 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
22614 + return 1;
22615 +#endif
22616 +#endif
22617 +
22618 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22619 return 1;
22620 +#ifdef CONFIG_GRKERNSEC_KMEM
22621 + /* throw out everything else below 1MB */
22622 + if (pagenr <= 256)
22623 + return 0;
22624 +#endif
22625 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22626 return 0;
22627 if (!page_is_ram(pagenr))
22628 return 1;
22629 +
22630 return 0;
22631 }
22632
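Review bot: The `CONFIG_GRKERNSEC_KMEM` block commented `/* throw out everything else below 1MB */` tests `pagenr <= 256`, which also rejects page 256, the first page at 1MB rather than below it. Using `pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)`, like the ISA test just above, would match the comment and drop the literal. Page 256 is normally still refused by the `page_is_ram()` test that follows, so this is a consistency issue rather than a gap in the filter. The EBDA exception is pinned to the single page at `0x9f000`; firmware can place or size the EBDA differently, so a comment noting that assumption would help.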
22633 @@ -375,6 +397,86 @@ void free_init_pages(char *what, unsigne
22634
22635 void free_initmem(void)
22636 {
22637 +
22638 +#ifdef CONFIG_PAX_KERNEXEC
22639 +#ifdef CONFIG_X86_32
22640 + /* PaX: limit KERNEL_CS to actual size */
22641 + unsigned long addr, limit;
22642 + struct desc_struct d;
22643 + int cpu;
22644 +
22645 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22646 + limit = (limit - 1UL) >> PAGE_SHIFT;
22647 +
22648 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22649 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22650 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22651 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22652 + }
22653 +
22654 + /* PaX: make KERNEL_CS read-only */
22655 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22656 + if (!paravirt_enabled())
22657 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22658 +/*
22659 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22660 + pgd = pgd_offset_k(addr);
22661 + pud = pud_offset(pgd, addr);
22662 + pmd = pmd_offset(pud, addr);
22663 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22664 + }
22665 +*/
22666 +#ifdef CONFIG_X86_PAE
22667 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22668 +/*
22669 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22670 + pgd = pgd_offset_k(addr);
22671 + pud = pud_offset(pgd, addr);
22672 + pmd = pmd_offset(pud, addr);
22673 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22674 + }
22675 +*/
22676 +#endif
22677 +
22678 +#ifdef CONFIG_MODULES
22679 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22680 +#endif
22681 +
22682 +#else
22683 + pgd_t *pgd;
22684 + pud_t *pud;
22685 + pmd_t *pmd;
22686 + unsigned long addr, end;
22687 +
22688 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22689 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22690 + pgd = pgd_offset_k(addr);
22691 + pud = pud_offset(pgd, addr);
22692 + pmd = pmd_offset(pud, addr);
22693 + if (!pmd_present(*pmd))
22694 + continue;
22695 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22696 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22697 + else
22698 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22699 + }
22700 +
22701 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22702 + end = addr + KERNEL_IMAGE_SIZE;
22703 + for (; addr < end; addr += PMD_SIZE) {
22704 + pgd = pgd_offset_k(addr);
22705 + pud = pud_offset(pgd, addr);
22706 + pmd = pmd_offset(pud, addr);
22707 + if (!pmd_present(*pmd))
22708 + continue;
22709 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22710 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22711 + }
22712 +#endif
22713 +
22714 + flush_tlb_all();
22715 +#endif
22716 +
22717 free_init_pages("unused kernel memory",
22718 (unsigned long)(&__init_begin),
22719 (unsigned long)(&__init_end));
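Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` passes what looks like an integer expression as the destination pointer, and there is no comment saying why the page at the kernel load address is poisoned here. An explicit `(void *)` cast plus a one-line reason would cover both. The two `/* ... */` blocks holding disabled `set_pmd()` loops are dead code and should be deleted rather than shipped. The `0x9B, 0xC` arguments to `pack_descriptor()` would read better with a comment spelling out the type and flag bits. free_initmem's closing brace is outside the hunk.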
22720 diff -urNp linux-2.6.39.3/arch/x86/mm/iomap_32.c linux-2.6.39.3/arch/x86/mm/iomap_32.c
22721 --- linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-19 00:06:34.000000000 -0400
22722 +++ linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-22 19:36:30.000000000 -0400
22723 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22724 type = kmap_atomic_idx_push();
22725 idx = type + KM_TYPE_NR * smp_processor_id();
22726 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22727 +
22728 + pax_open_kernel();
22729 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22730 + pax_close_kernel();
22731 +
22732 arch_flush_lazy_mmu_mode();
22733
22734 return (void *)vaddr;
22735 diff -urNp linux-2.6.39.3/arch/x86/mm/ioremap.c linux-2.6.39.3/arch/x86/mm/ioremap.c
22736 --- linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-19 00:06:34.000000000 -0400
22737 +++ linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-22 19:36:30.000000000 -0400
22738 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
22739 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
22740 int is_ram = page_is_ram(pfn);
22741
22742 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22743 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22744 return NULL;
22745 WARN_ON_ONCE(is_ram);
22746 }
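Review bot: The added `pfn >= 0x100` term makes `__ioremap_caller` refuse every valid RAM page from that frame upwards even when it is reserved, and the boundary is a bare literal. Writing it as `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)`, as devmem_is_allowed in init.c does for the same 1MB boundary, would make the intent readable. A comment such as `/* above 1MB RAM is never remapped, reserved or not */` should record the policy change. The enclosing function starts and ends outside the hunk.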
22747 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
22748 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22749
22750 static __initdata int after_paging_init;
22751 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22752 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22753
22754 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22755 {
22756 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
22757 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22758
22759 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22760 - memset(bm_pte, 0, sizeof(bm_pte));
22761 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22762 + pmd_populate_user(&init_mm, pmd, bm_pte);
22763
22764 /*
22765 * The boot-ioremap range spans multiple pmds, for which
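Review bot: Replacing `pmd_populate_kernel()` with `pmd_populate_user()` for the boot-time fixmap page table is unexplained, and judging by the name it installs `bm_pte` with the attributes intended for user page tables. The dropped `memset(bm_pte, 0, sizeof(bm_pte))` goes with the declaration change in the previous hunk (`__read_only __aligned(PAGE_SIZE)` instead of `__page_aligned_bss`), so the array now has to be zero from static initialisation alone. Both points deserve a comment at the call: state that `bm_pte` is statically zeroed and placed in the read-only section, and give the reason the user variant of the populate helper is used.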
22766 diff -urNp linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c
22767 --- linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-19 00:06:34.000000000 -0400
22768 +++ linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-22 19:36:30.000000000 -0400
22769 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22770 * memory (e.g. tracked pages)? For now, we need this to avoid
22771 * invoking kmemcheck for PnP BIOS calls.
22772 */
22773 - if (regs->flags & X86_VM_MASK)
22774 + if (v8086_mode(regs))
22775 return false;
22776 - if (regs->cs != __KERNEL_CS)
22777 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22778 return false;
22779
22780 pte = kmemcheck_pte_lookup(address);
22781 diff -urNp linux-2.6.39.3/arch/x86/mm/mmap.c linux-2.6.39.3/arch/x86/mm/mmap.c
22782 --- linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
22783 +++ linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
22784 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22785 * Leave an at least ~128 MB hole with possible stack randomization.
22786 */
22787 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22788 -#define MAX_GAP (TASK_SIZE/6*5)
22789 +#define MAX_GAP (pax_task_size/6*5)
22790
22791 /*
22792 * True on X86_32 or when emulating IA32 on X86_64
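Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, and `pax_task_size` is the local variable declared inside `mmap_base()` in the next hunk, not a macro or global. The macro therefore compiles only where a variable of that name happens to be in scope. Passing the size explicitly keeps the dependency visible: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size)) gap = MAX_GAP(pax_task_size);` at the use site.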
22793 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22794 return rnd << PAGE_SHIFT;
22795 }
22796
22797 -static unsigned long mmap_base(void)
22798 +static unsigned long mmap_base(struct mm_struct *mm)
22799 {
22800 unsigned long gap = rlimit(RLIMIT_STACK);
22801 + unsigned long pax_task_size = TASK_SIZE;
22802 +
22803 +#ifdef CONFIG_PAX_SEGMEXEC
22804 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22805 + pax_task_size = SEGMEXEC_TASK_SIZE;
22806 +#endif
22807
22808 if (gap < MIN_GAP)
22809 gap = MIN_GAP;
22810 else if (gap > MAX_GAP)
22811 gap = MAX_GAP;
22812
22813 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22814 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22815 }
22816
22817 /*
22818 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22819 * does, but not when emulating X86_32
22820 */
22821 -static unsigned long mmap_legacy_base(void)
22822 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22823 {
22824 - if (mmap_is_ia32())
22825 + if (mmap_is_ia32()) {
22826 +
22827 +#ifdef CONFIG_PAX_SEGMEXEC
22828 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22829 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22830 + else
22831 +#endif
22832 +
22833 return TASK_UNMAPPED_BASE;
22834 - else
22835 + } else
22836 return TASK_UNMAPPED_BASE + mmap_rnd();
22837 }
22838
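Review bot: In mmap_legacy_base() the `else` that ends the CONFIG_PAX_SEGMEXEC block has its statement outside the `#endif`, so which statement it governs depends on the preprocessor. The SEGMEXEC branch already returns, so the `else` line can be dropped and `return TASK_UNMAPPED_BASE;` left as the plain fall-through. Both functions now dereference `mm->pax_flags` where the old versions took no argument; a one-line comment that `mm` is the address space being laid out (arch_pick_mmap_layout() in the next hunk passes its own `mm`) would document the new parameter.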
22839 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22840 void arch_pick_mmap_layout(struct mm_struct *mm)
22841 {
22842 if (mmap_is_legacy()) {
22843 - mm->mmap_base = mmap_legacy_base();
22844 + mm->mmap_base = mmap_legacy_base(mm);
22845 +
22846 +#ifdef CONFIG_PAX_RANDMMAP
22847 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22848 + mm->mmap_base += mm->delta_mmap;
22849 +#endif
22850 +
22851 mm->get_unmapped_area = arch_get_unmapped_area;
22852 mm->unmap_area = arch_unmap_area;
22853 } else {
22854 - mm->mmap_base = mmap_base();
22855 + mm->mmap_base = mmap_base(mm);
22856 +
22857 +#ifdef CONFIG_PAX_RANDMMAP
22858 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22859 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22860 +#endif
22861 +
22862 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22863 mm->unmap_area = arch_unmap_area_topdown;
22864 }
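Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch has no lower bound, although mmap_base() has already subtracted the clamped gap and mmap_rnd() from the task size. Whether the result can fall below a sane floor depends on the ranges of `delta_mmap` and `delta_stack` and on what mmap_rnd() returns for MF_PAX_RANDMMAP tasks, none of which is visible in this hunk. The legacy branch likewise adds `delta_mmap` to a base that may already include mmap_rnd(). I would add a comment above each adjustment stating the assumed maximum of the deltas and, if that is indeed the case, that the PaX offsets are not meant to stack with mmap_rnd(). arch_pick_mmap_layout() ends outside the hunk.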
22865 diff -urNp linux-2.6.39.3/arch/x86/mm/mmio-mod.c linux-2.6.39.3/arch/x86/mm/mmio-mod.c
22866 --- linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-05-19 00:06:34.000000000 -0400
22867 +++ linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-07-06 20:00:13.000000000 -0400
22868 @@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
22869 break;
22870 default:
22871 {
22872 - unsigned char *ip = (unsigned char *)instptr;
22873 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
22874 my_trace->opcode = MMIO_UNKNOWN_OP;
22875 my_trace->width = 0;
22876 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
22877 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
22878 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22879 void __iomem *addr)
22880 {
22881 - static atomic_t next_id;
22882 + static atomic_unchecked_t next_id;
22883 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22884 /* These are page-unaligned. */
22885 struct mmiotrace_map map = {
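Review bot: `next_id` becomes `atomic_unchecked_t` here, and the next hunk switches its increment to `atomic_inc_return_unchecked()`, with no comment saying why this counter opts out of the checked atomic type. As far as these hunks show it only hands out trace ids, so wrap-around looks harmless, but that reasoning should be written down so the exemption is not copied onto a real reference count. Suggested comment on the declaration: `/* id generator, not a refcount: wrapping is acceptable */`. ioremap_trace_core() continues outside both hunks.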
22886 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
22887 .private = trace
22888 },
22889 .phys = offset,
22890 - .id = atomic_inc_return(&next_id)
22891 + .id = atomic_inc_return_unchecked(&next_id)
22892 };
22893 map.map_id = trace->id;
22894
22895 diff -urNp linux-2.6.39.3/arch/x86/mm/numa_32.c linux-2.6.39.3/arch/x86/mm/numa_32.c
22896 --- linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-19 00:06:34.000000000 -0400
22897 +++ linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-22 19:36:30.000000000 -0400
22898 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
22899 }
22900 #endif
22901
22902 -extern unsigned long find_max_low_pfn(void);
22903 extern unsigned long highend_pfn, highstart_pfn;
22904
22905 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22906 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr.c linux-2.6.39.3/arch/x86/mm/pageattr.c
22907 --- linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-19 00:06:34.000000000 -0400
22908 +++ linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-22 19:36:30.000000000 -0400
22909 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
22910 */
22911 #ifdef CONFIG_PCI_BIOS
22912 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22913 - pgprot_val(forbidden) |= _PAGE_NX;
22914 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22915 #endif
22916
22917 /*
22918 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
22919 * Does not cover __inittext since that is gone later on. On
22920 * 64bit we do not enforce !NX on the low mapping
22921 */
22922 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22923 - pgprot_val(forbidden) |= _PAGE_NX;
22924 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22925 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22926
22927 +#ifdef CONFIG_DEBUG_RODATA
22928 /*
22929 * The .rodata section needs to be read-only. Using the pfn
22930 * catches all aliases.
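Review bot: The new `#ifdef CONFIG_DEBUG_RODATA` (closed by the `#endif` in the next hunk) makes the `.rodata` pfn check conditional, where the old side added `_PAGE_RW` to `forbidden` unconditionally. With CONFIG_DEBUG_RODATA off, only the CONFIG_PAX_KERNEXEC block added further down still forbids writable aliases, so a build with neither option set loses a restriction it previously had. If that is intended, a comment next to the `#ifdef` should give the reason (for example that nothing makes `.rodata` read-only in that configuration, if that is the reasoning); otherwise the guard should be dropped. static_protections() starts and ends outside this hunk.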
22931 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
22932 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22933 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22934 pgprot_val(forbidden) |= _PAGE_RW;
22935 +#endif
22936
22937 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
22938 /*
22939 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
22940 }
22941 #endif
22942
22943 +#ifdef CONFIG_PAX_KERNEXEC
22944 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22945 + pgprot_val(forbidden) |= _PAGE_RW;
22946 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22947 + }
22948 +#endif
22949 +
22950 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22951
22952 return prot;
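Review bot: The added CONFIG_PAX_KERNEXEC check compares `pfn` against `__pa(...)` values that are not shifted by PAGE_SHIFT, whereas the `.rodata` check in the preceding hunk of the same function passes `__pa(...) >> PAGE_SHIFT` to the same `within()`. Unless `within()` is meant to take byte addresses here, the range is in the wrong unit and the `_PAGE_RW`/`_PAGE_NX` restriction would not land on the pfns backing `_text`..`_sdata`. I would write `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. static_protections() starts outside this hunk.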
22953 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22954 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22955 {
22956 /* change init_mm */
22957 + pax_open_kernel();
22958 set_pte_atomic(kpte, pte);
22959 +
22960 #ifdef CONFIG_X86_32
22961 if (!SHARED_KERNEL_PMD) {
22962 +
22963 +#ifdef CONFIG_PAX_PER_CPU_PGD
22964 + unsigned long cpu;
22965 +#else
22966 struct page *page;
22967 +#endif
22968
22969 +#ifdef CONFIG_PAX_PER_CPU_PGD
22970 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22971 + pgd_t *pgd = get_cpu_pgd(cpu);
22972 +#else
22973 list_for_each_entry(page, &pgd_list, lru) {
22974 - pgd_t *pgd;
22975 + pgd_t *pgd = (pgd_t *)page_address(page);
22976 +#endif
22977 +
22978 pud_t *pud;
22979 pmd_t *pmd;
22980
22981 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22982 + pgd += pgd_index(address);
22983 pud = pud_offset(pgd, address);
22984 pmd = pmd_offset(pud, address);
22985 set_pte_atomic((pte_t *)pmd, pte);
22986 }
22987 }
22988 #endif
22989 + pax_close_kernel();
22990 }
22991
22992 static int
22993 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr-test.c linux-2.6.39.3/arch/x86/mm/pageattr-test.c
22994 --- linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-19 00:06:34.000000000 -0400
22995 +++ linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-22 19:36:30.000000000 -0400
22996 @@ -36,7 +36,7 @@ enum {
22997
22998 static int pte_testbit(pte_t pte)
22999 {
23000 - return pte_flags(pte) & _PAGE_UNUSED1;
23001 + return pte_flags(pte) & _PAGE_CPA_TEST;
23002 }
23003
23004 struct split_state {
23005 diff -urNp linux-2.6.39.3/arch/x86/mm/pat.c linux-2.6.39.3/arch/x86/mm/pat.c
23006 --- linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-19 00:06:34.000000000 -0400
23007 +++ linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-22 19:36:30.000000000 -0400
23008 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
23009
23010 if (!entry) {
23011 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
23012 - current->comm, current->pid, start, end);
23013 + current->comm, task_pid_nr(current), start, end);
23014 return -EINVAL;
23015 }
23016
23017 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
23018 while (cursor < to) {
23019 if (!devmem_is_allowed(pfn)) {
23020 printk(KERN_INFO
23021 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
23022 - current->comm, from, to);
23023 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
23024 + current->comm, from, to, cursor);
23025 return 0;
23026 }
23027 cursor += PAGE_SIZE;
23028 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
23029 printk(KERN_INFO
23030 "%s:%d ioremap_change_attr failed %s "
23031 "for %Lx-%Lx\n",
23032 - current->comm, current->pid,
23033 + current->comm, task_pid_nr(current),
23034 cattr_name(flags),
23035 base, (unsigned long long)(base + size));
23036 return -EINVAL;
23037 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
23038 if (want_flags != flags) {
23039 printk(KERN_WARNING
23040 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
23041 - current->comm, current->pid,
23042 + current->comm, task_pid_nr(current),
23043 cattr_name(want_flags),
23044 (unsigned long long)paddr,
23045 (unsigned long long)(paddr + size),
23046 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
23047 free_memtype(paddr, paddr + size);
23048 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
23049 " for %Lx-%Lx, got %s\n",
23050 - current->comm, current->pid,
23051 + current->comm, task_pid_nr(current),
23052 cattr_name(want_flags),
23053 (unsigned long long)paddr,
23054 (unsigned long long)(paddr + size),
23055 diff -urNp linux-2.6.39.3/arch/x86/mm/pf_in.c linux-2.6.39.3/arch/x86/mm/pf_in.c
23056 --- linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-05-19 00:06:34.000000000 -0400
23057 +++ linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-07-06 20:00:13.000000000 -0400
23058 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
23059 int i;
23060 enum reason_type rv = OTHERS;
23061
23062 - p = (unsigned char *)ins_addr;
23063 + p = (unsigned char *)ktla_ktva(ins_addr);
23064 p += skip_prefix(p, &prf);
23065 p += get_opcode(p, &opcode);
23066
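Review bot: The cast `(unsigned char *)ktla_ktva(ins_addr)` is repeated verbatim in get_ins_type() here and in the four following hunks (get_ins_reg_width(), get_ins_mem_width(), get_ins_reg_val(), get_ins_imm_val()), each time without a comment. A single helper, for example `static unsigned char *ins_ptr(unsigned long ins_addr) { return (unsigned char *)ktla_ktva(ins_addr); }`, would keep the address translation in one place and give it a spot for a comment on why instruction bytes must be read through the translated address. All five function bodies extend beyond their hunks.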
23067 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
23068 struct prefix_bits prf;
23069 int i;
23070
23071 - p = (unsigned char *)ins_addr;
23072 + p = (unsigned char *)ktla_ktva(ins_addr);
23073 p += skip_prefix(p, &prf);
23074 p += get_opcode(p, &opcode);
23075
23076 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
23077 struct prefix_bits prf;
23078 int i;
23079
23080 - p = (unsigned char *)ins_addr;
23081 + p = (unsigned char *)ktla_ktva(ins_addr);
23082 p += skip_prefix(p, &prf);
23083 p += get_opcode(p, &opcode);
23084
23085 @@ -416,7 +416,7 @@ unsigned long get_ins_reg_val(unsigned l
23086 int i;
23087 unsigned long rv;
23088
23089 - p = (unsigned char *)ins_addr;
23090 + p = (unsigned char *)ktla_ktva(ins_addr);
23091 p += skip_prefix(p, &prf);
23092 p += get_opcode(p, &opcode);
23093 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
23094 @@ -476,7 +476,7 @@ unsigned long get_ins_imm_val(unsigned l
23095 int i;
23096 unsigned long rv;
23097
23098 - p = (unsigned char *)ins_addr;
23099 + p = (unsigned char *)ktla_ktva(ins_addr);
23100 p += skip_prefix(p, &prf);
23101 p += get_opcode(p, &opcode);
23102 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
23103 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable_32.c linux-2.6.39.3/arch/x86/mm/pgtable_32.c
23104 --- linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-19 00:06:34.000000000 -0400
23105 +++ linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-22 19:36:30.000000000 -0400
23106 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
23107 return;
23108 }
23109 pte = pte_offset_kernel(pmd, vaddr);
23110 +
23111 + pax_open_kernel();
23112 if (pte_val(pteval))
23113 set_pte_at(&init_mm, vaddr, pte, pteval);
23114 else
23115 pte_clear(&init_mm, vaddr, pte);
23116 + pax_close_kernel();
23117
23118 /*
23119 * It's enough to flush this one mapping.
23120 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable.c linux-2.6.39.3/arch/x86/mm/pgtable.c
23121 --- linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-19 00:06:34.000000000 -0400
23122 +++ linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-22 19:36:30.000000000 -0400
23123 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
23124 list_del(&page->lru);
23125 }
23126
23127 -#define UNSHARED_PTRS_PER_PGD \
23128 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23129 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23130 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
23131
23132 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23133 +{
23134 + while (count--)
23135 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
23136 +}
23137 +#endif
23138 +
23139 +#ifdef CONFIG_PAX_PER_CPU_PGD
23140 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23141 +{
23142 + while (count--)
23143 +
23144 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23145 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
23146 +#else
23147 + *dst++ = *src++;
23148 +#endif
23149
23150 +}
23151 +#endif
23152 +
23153 +#ifdef CONFIG_X86_64
23154 +#define pxd_t pud_t
23155 +#define pyd_t pgd_t
23156 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
23157 +#define pxd_free(mm, pud) pud_free((mm), (pud))
23158 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
23159 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
23160 +#define PYD_SIZE PGDIR_SIZE
23161 +#else
23162 +#define pxd_t pmd_t
23163 +#define pyd_t pud_t
23164 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
23165 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
23166 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
23167 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
23168 +#define PYD_SIZE PUD_SIZE
23169 +#endif
23170 +
23171 +#ifdef CONFIG_PAX_PER_CPU_PGD
23172 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
23173 +static inline void pgd_dtor(pgd_t *pgd) {}
23174 +#else
23175 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
23176 {
23177 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
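Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take a signed `int count` and loop on `while (count--)`, so a negative count would keep writing pgd entries far past `dst`. No caller is visible here, so this may never happen, but the guard is free: `while (count-- > 0)` in both functions. In `__clone_user_pgds()` the loop body is also selected by `#if` with no braces around it; bracing the `while` would make it obvious that exactly one statement is the body. The hunk ends inside pgd_set_mm().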
23178 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
23179 pgd_list_del(pgd);
23180 spin_unlock(&pgd_lock);
23181 }
23182 +#endif
23183
23184 /*
23185 * List of all pgd's needed for non-PAE so it can invalidate entries
23186 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
23187 * -- wli
23188 */
23189
23190 -#ifdef CONFIG_X86_PAE
23191 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23192 /*
23193 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
23194 * updating the top-level pagetable entries to guarantee the
23195 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
23196 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
23197 * and initialize the kernel pmds here.
23198 */
23199 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
23200 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23201
23202 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
23203 {
23204 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
23205 */
23206 flush_tlb_mm(mm);
23207 }
23208 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
23209 +#define PREALLOCATED_PXDS USER_PGD_PTRS
23210 #else /* !CONFIG_X86_PAE */
23211
23212 /* No need to prepopulate any pagetable entries in non-PAE modes. */
23213 -#define PREALLOCATED_PMDS 0
23214 +#define PREALLOCATED_PXDS 0
23215
23216 #endif /* CONFIG_X86_PAE */
23217
23218 -static void free_pmds(pmd_t *pmds[])
23219 +static void free_pxds(pxd_t *pxds[])
23220 {
23221 int i;
23222
23223 - for(i = 0; i < PREALLOCATED_PMDS; i++)
23224 - if (pmds[i])
23225 - free_page((unsigned long)pmds[i]);
23226 + for(i = 0; i < PREALLOCATED_PXDS; i++)
23227 + if (pxds[i])
23228 + free_page((unsigned long)pxds[i]);
23229 }
23230
23231 -static int preallocate_pmds(pmd_t *pmds[])
23232 +static int preallocate_pxds(pxd_t *pxds[])
23233 {
23234 int i;
23235 bool failed = false;
23236
23237 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23238 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
23239 - if (pmd == NULL)
23240 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23241 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
23242 + if (pxd == NULL)
23243 failed = true;
23244 - pmds[i] = pmd;
23245 + pxds[i] = pxd;
23246 }
23247
23248 if (failed) {
23249 - free_pmds(pmds);
23250 + free_pxds(pxds);
23251 return -ENOMEM;
23252 }
23253
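Review bot: After this change the PREALLOCATED_PXDS conditional has three arms, but the trailers `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` still describe the old two-way split. The `#else` arm is now reached only when neither the 32-bit PAE case nor the x86-64 CONFIG_PAX_PER_CPU_PGD case applies, so the comment "No need to prepopulate any pagetable entries in non-PAE modes" no longer describes every non-PAE build. Suggested trailers: `#else /* nothing to preallocate */` and `#endif /* PREALLOCATED_PXDS */`. preallocate_pxds() continues past the end of the hunk.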
23254 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
23255 * preallocate which never got a corresponding vma will need to be
23256 * freed manually.
23257 */
23258 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
23259 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
23260 {
23261 int i;
23262
23263 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23264 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23265 pgd_t pgd = pgdp[i];
23266
23267 if (pgd_val(pgd) != 0) {
23268 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
23269 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
23270
23271 - pgdp[i] = native_make_pgd(0);
23272 + set_pgd(pgdp + i, native_make_pgd(0));
23273
23274 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
23275 - pmd_free(mm, pmd);
23276 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
23277 + pxd_free(mm, pxd);
23278 }
23279 }
23280 }
23281
23282 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
23283 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
23284 {
23285 - pud_t *pud;
23286 + pyd_t *pyd;
23287 unsigned long addr;
23288 int i;
23289
23290 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
23291 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
23292 return;
23293
23294 - pud = pud_offset(pgd, 0);
23295 +#ifdef CONFIG_X86_64
23296 + pyd = pyd_offset(mm, 0L);
23297 +#else
23298 + pyd = pyd_offset(pgd, 0L);
23299 +#endif
23300
23301 - for (addr = i = 0; i < PREALLOCATED_PMDS;
23302 - i++, pud++, addr += PUD_SIZE) {
23303 - pmd_t *pmd = pmds[i];
23304 + for (addr = i = 0; i < PREALLOCATED_PXDS;
23305 + i++, pyd++, addr += PYD_SIZE) {
23306 + pxd_t *pxd = pxds[i];
23307
23308 if (i >= KERNEL_PGD_BOUNDARY)
23309 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23310 - sizeof(pmd_t) * PTRS_PER_PMD);
23311 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23312 + sizeof(pxd_t) * PTRS_PER_PMD);
23313
23314 - pud_populate(mm, pud, pmd);
23315 + pyd_populate(mm, pyd, pxd);
23316 }
23317 }
23318
23319 pgd_t *pgd_alloc(struct mm_struct *mm)
23320 {
23321 pgd_t *pgd;
23322 - pmd_t *pmds[PREALLOCATED_PMDS];
23323 + pxd_t *pxds[PREALLOCATED_PXDS];
23324
23325 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
23326
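Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in pgd_alloc() is an on-stack array whose length is now `USER_PGD_PTRS` on x86-64 with CONFIG_PAX_PER_CPU_PGD, where it used to be the small PAE count. The value of `USER_PGD_PTRS` is not visible here; if it is in the hundreds, this is kilobytes of kernel stack in pgd_alloc() plus one page allocation per entry in preallocate_pxds(), so the bound deserves a comment or a `BUILD_BUG_ON` on the array size. In pgd_prepopulate_pxd() the copy length is still written `sizeof(pxd_t) * PTRS_PER_PMD` although `pxd_t` may now be `pud_t`; a comment that the entry counts coincide would help. pgd_alloc() continues outside the hunk.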
23327 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23328
23329 mm->pgd = pgd;
23330
23331 - if (preallocate_pmds(pmds) != 0)
23332 + if (preallocate_pxds(pxds) != 0)
23333 goto out_free_pgd;
23334
23335 if (paravirt_pgd_alloc(mm) != 0)
23336 - goto out_free_pmds;
23337 + goto out_free_pxds;
23338
23339 /*
23340 * Make sure that pre-populating the pmds is atomic with
23341 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23342 spin_lock(&pgd_lock);
23343
23344 pgd_ctor(mm, pgd);
23345 - pgd_prepopulate_pmd(mm, pgd, pmds);
23346 + pgd_prepopulate_pxd(mm, pgd, pxds);
23347
23348 spin_unlock(&pgd_lock);
23349
23350 return pgd;
23351
23352 -out_free_pmds:
23353 - free_pmds(pmds);
23354 +out_free_pxds:
23355 + free_pxds(pxds);
23356 out_free_pgd:
23357 free_page((unsigned long)pgd);
23358 out:
23359 @@ -295,7 +344,7 @@ out:
23360
23361 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
23362 {
23363 - pgd_mop_up_pmds(mm, pgd);
23364 + pgd_mop_up_pxds(mm, pgd);
23365 pgd_dtor(pgd);
23366 paravirt_pgd_free(mm, pgd);
23367 free_page((unsigned long)pgd);
23368 diff -urNp linux-2.6.39.3/arch/x86/mm/setup_nx.c linux-2.6.39.3/arch/x86/mm/setup_nx.c
23369 --- linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-19 00:06:34.000000000 -0400
23370 +++ linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-22 19:36:30.000000000 -0400
23371 @@ -5,8 +5,10 @@
23372 #include <asm/pgtable.h>
23373 #include <asm/proto.h>
23374
23375 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23376 static int disable_nx __cpuinitdata;
23377
23378 +#ifndef CONFIG_PAX_PAGEEXEC
23379 /*
23380 * noexec = on|off
23381 *
23382 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
23383 return 0;
23384 }
23385 early_param("noexec", noexec_setup);
23386 +#endif
23387 +
23388 +#endif
23389
23390 void __cpuinit x86_configure_nx(void)
23391 {
23392 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23393 if (cpu_has_nx && !disable_nx)
23394 __supported_pte_mask |= _PAGE_NX;
23395 else
23396 +#endif
23397 __supported_pte_mask &= ~_PAGE_NX;
23398 }
23399
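Review bot: In x86_configure_nx() the `else` sits inside the new `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` block while its statement `__supported_pte_mask &= ~_PAGE_NX;` sits after the `#endif`, which reads like a mistake even though both configurations compile to the intended code. The two `#endif` lines added after `early_param(...)` are also unlabelled, so the nesting (CONFIG_PAX_PAGEEXEC inside the 64-bit/PAE guard, both opened in the previous hunk) has to be reconstructed by hand. I would label them `#endif /* !CONFIG_PAX_PAGEEXEC */` and `#endif /* CONFIG_X86_64 || CONFIG_X86_PAE */`, and add a comment that with CONFIG_PAX_PAGEEXEC the `noexec=` parameter is compiled out so `disable_nx` stays zero, assuming noexec_setup() is its only writer.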
23400 diff -urNp linux-2.6.39.3/arch/x86/mm/tlb.c linux-2.6.39.3/arch/x86/mm/tlb.c
23401 --- linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-19 00:06:34.000000000 -0400
23402 +++ linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-22 19:36:30.000000000 -0400
23403 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
23404 BUG();
23405 cpumask_clear_cpu(cpu,
23406 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23407 +
23408 +#ifndef CONFIG_PAX_PER_CPU_PGD
23409 load_cr3(swapper_pg_dir);
23410 +#endif
23411 +
23412 }
23413 EXPORT_SYMBOL_GPL(leave_mm);
23414
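Review bot: With CONFIG_PAX_PER_CPU_PGD, leave_mm() no longer executes `load_cr3(swapper_pg_dir)`, and nothing in the hunk says what takes its place. That reload is what moves a lazy-TLB CPU off the page tables of an mm that is going away, so if the per-CPU pgd still holds entries cloned from that mm, the CPU could keep walking tables that are about to be freed. This may be handled elsewhere in the patch (not visible here); a comment inside the `#ifndef` saying where the user entries of the per-CPU pgd are cleared, or why they are safe to keep, would make the change reviewable. leave_mm() begins outside the hunk.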
23415 diff -urNp linux-2.6.39.3/arch/x86/oprofile/backtrace.c linux-2.6.39.3/arch/x86/oprofile/backtrace.c
23416 --- linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-19 00:06:34.000000000 -0400
23417 +++ linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-22 19:36:30.000000000 -0400
23418 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
23419 struct stack_frame_ia32 *fp;
23420
23421 /* Also check accessibility of one struct frame_head beyond */
23422 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23423 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23424 return NULL;
23425 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23426 return NULL;
23427 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
23428 {
23429 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
23430
23431 - if (!user_mode_vm(regs)) {
23432 + if (!user_mode(regs)) {
23433 unsigned long stack = kernel_stack_pointer(regs);
23434 if (depth)
23435 dump_trace(NULL, regs, (unsigned long *)stack, 0,
23436 diff -urNp linux-2.6.39.3/arch/x86/pci/ce4100.c linux-2.6.39.3/arch/x86/pci/ce4100.c
23437 --- linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-19 00:06:34.000000000 -0400
23438 +++ linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-22 19:36:30.000000000 -0400
23439 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
23440 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
23441 }
23442
23443 -struct pci_raw_ops ce4100_pci_conf = {
23444 +const struct pci_raw_ops ce4100_pci_conf = {
23445 .read = ce4100_conf_read,
23446 .write = ce4100_conf_write,
23447 };
23448 diff -urNp linux-2.6.39.3/arch/x86/pci/common.c linux-2.6.39.3/arch/x86/pci/common.c
23449 --- linux-2.6.39.3/arch/x86/pci/common.c 2011-05-19 00:06:34.000000000 -0400
23450 +++ linux-2.6.39.3/arch/x86/pci/common.c 2011-05-22 19:36:30.000000000 -0400
23451 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
23452 int pcibios_last_bus = -1;
23453 unsigned long pirq_table_addr;
23454 struct pci_bus *pci_root_bus;
23455 -struct pci_raw_ops *raw_pci_ops;
23456 -struct pci_raw_ops *raw_pci_ext_ops;
23457 +const struct pci_raw_ops *raw_pci_ops;
23458 +const struct pci_raw_ops *raw_pci_ext_ops;
23459
23460 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23461 int reg, int len, u32 *val)
23462 diff -urNp linux-2.6.39.3/arch/x86/pci/direct.c linux-2.6.39.3/arch/x86/pci/direct.c
23463 --- linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-19 00:06:34.000000000 -0400
23464 +++ linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-22 19:36:30.000000000 -0400
23465 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23466
23467 #undef PCI_CONF1_ADDRESS
23468
23469 -struct pci_raw_ops pci_direct_conf1 = {
23470 +const struct pci_raw_ops pci_direct_conf1 = {
23471 .read = pci_conf1_read,
23472 .write = pci_conf1_write,
23473 };
23474 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23475
23476 #undef PCI_CONF2_ADDRESS
23477
23478 -struct pci_raw_ops pci_direct_conf2 = {
23479 +const struct pci_raw_ops pci_direct_conf2 = {
23480 .read = pci_conf2_read,
23481 .write = pci_conf2_write,
23482 };
23483 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23484 * This should be close to trivial, but it isn't, because there are buggy
23485 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23486 */
23487 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23488 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23489 {
23490 u32 x = 0;
23491 int year, devfn;
23492 diff -urNp linux-2.6.39.3/arch/x86/pci/fixup.c linux-2.6.39.3/arch/x86/pci/fixup.c
23493 --- linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-19 00:06:34.000000000 -0400
23494 +++ linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-22 19:36:30.000000000 -0400
23495 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
23496 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
23497 },
23498 },
23499 - { }
23500 + {}
23501 };
23502
23503 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
23504 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_32.c linux-2.6.39.3/arch/x86/pci/mmconfig_32.c
23505 --- linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-19 00:06:34.000000000 -0400
23506 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-22 19:36:30.000000000 -0400
23507 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
23508 return 0;
23509 }
23510
23511 -static struct pci_raw_ops pci_mmcfg = {
23512 +static const struct pci_raw_ops pci_mmcfg = {
23513 .read = pci_mmcfg_read,
23514 .write = pci_mmcfg_write,
23515 };
23516 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_64.c linux-2.6.39.3/arch/x86/pci/mmconfig_64.c
23517 --- linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-19 00:06:34.000000000 -0400
23518 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-22 19:36:30.000000000 -0400
23519 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
23520 return 0;
23521 }
23522
23523 -static struct pci_raw_ops pci_mmcfg = {
23524 +static const struct pci_raw_ops pci_mmcfg = {
23525 .read = pci_mmcfg_read,
23526 .write = pci_mmcfg_write,
23527 };
23528 diff -urNp linux-2.6.39.3/arch/x86/pci/mrst.c linux-2.6.39.3/arch/x86/pci/mrst.c
23529 --- linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-19 00:06:34.000000000 -0400
23530 +++ linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-22 19:36:30.000000000 -0400
23531 @@ -218,7 +218,7 @@ static int mrst_pci_irq_enable(struct pc
23532 return 0;
23533 }
23534
23535 -struct pci_ops pci_mrst_ops = {
23536 +const struct pci_ops pci_mrst_ops = {
23537 .read = pci_read,
23538 .write = pci_write,
23539 };
23540 diff -urNp linux-2.6.39.3/arch/x86/pci/numaq_32.c linux-2.6.39.3/arch/x86/pci/numaq_32.c
23541 --- linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-19 00:06:34.000000000 -0400
23542 +++ linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-22 19:36:30.000000000 -0400
23543 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
23544
23545 #undef PCI_CONF1_MQ_ADDRESS
23546
23547 -static struct pci_raw_ops pci_direct_conf1_mq = {
23548 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23549 .read = pci_conf1_mq_read,
23550 .write = pci_conf1_mq_write
23551 };
23552 diff -urNp linux-2.6.39.3/arch/x86/pci/olpc.c linux-2.6.39.3/arch/x86/pci/olpc.c
23553 --- linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-19 00:06:34.000000000 -0400
23554 +++ linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-22 19:36:30.000000000 -0400
23555 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23556 return 0;
23557 }
23558
23559 -static struct pci_raw_ops pci_olpc_conf = {
23560 +static const struct pci_raw_ops pci_olpc_conf = {
23561 .read = pci_olpc_read,
23562 .write = pci_olpc_write,
23563 };
23564 diff -urNp linux-2.6.39.3/arch/x86/pci/pcbios.c linux-2.6.39.3/arch/x86/pci/pcbios.c
23565 --- linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-19 00:06:34.000000000 -0400
23566 +++ linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-22 19:36:30.000000000 -0400
23567 @@ -79,50 +79,93 @@ union bios32 {
23568 static struct {
23569 unsigned long address;
23570 unsigned short segment;
23571 -} bios32_indirect = { 0, __KERNEL_CS };
23572 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23573
23574 /*
23575 * Returns the entry point for the given service, NULL on error
23576 */
23577
23578 -static unsigned long bios32_service(unsigned long service)
23579 +static unsigned long __devinit bios32_service(unsigned long service)
23580 {
23581 unsigned char return_code; /* %al */
23582 unsigned long address; /* %ebx */
23583 unsigned long length; /* %ecx */
23584 unsigned long entry; /* %edx */
23585 unsigned long flags;
23586 + struct desc_struct d, *gdt;
23587
23588 local_irq_save(flags);
23589 - __asm__("lcall *(%%edi); cld"
23590 +
23591 + gdt = get_cpu_gdt_table(smp_processor_id());
23592 +
23593 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23594 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23595 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23596 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23597 +
23598 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23599 : "=a" (return_code),
23600 "=b" (address),
23601 "=c" (length),
23602 "=d" (entry)
23603 : "0" (service),
23604 "1" (0),
23605 - "D" (&bios32_indirect));
23606 + "D" (&bios32_indirect),
23607 + "r"(__PCIBIOS_DS)
23608 + : "memory");
23609 +
23610 + pax_open_kernel();
23611 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23612 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23613 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23614 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23615 + pax_close_kernel();
23616 +
23617 local_irq_restore(flags);
23618
23619 switch (return_code) {
23620 - case 0:
23621 - return address + entry;
23622 - case 0x80: /* Not present */
23623 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23624 - return 0;
23625 - default: /* Shouldn't happen */
23626 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23627 - service, return_code);
23628 + case 0: {
23629 + int cpu;
23630 + unsigned char flags;
23631 +
23632 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23633 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23634 + printk(KERN_WARNING "bios32_service: not valid\n");
23635 return 0;
23636 + }
23637 + address = address + PAGE_OFFSET;
23638 + length += 16UL; /* some BIOSs underreport this... */
23639 + flags = 4;
23640 + if (length >= 64*1024*1024) {
23641 + length >>= PAGE_SHIFT;
23642 + flags |= 8;
23643 + }
23644 +
23645 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23646 + gdt = get_cpu_gdt_table(cpu);
23647 + pack_descriptor(&d, address, length, 0x9b, flags);
23648 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23649 + pack_descriptor(&d, address, length, 0x93, flags);
23650 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23651 + }
23652 + return entry;
23653 + }
23654 + case 0x80: /* Not present */
23655 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23656 + return 0;
23657 + default: /* Shouldn't happen */
23658 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23659 + service, return_code);
23660 + return 0;
23661 }
23662 }
23663
23664 static struct {
23665 unsigned long address;
23666 unsigned short segment;
23667 -} pci_indirect = { 0, __KERNEL_CS };
23668 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23669
23670 -static int pci_bios_present;
23671 +static int pci_bios_present __read_only;
23672
23673 static int __devinit check_pcibios(void)
23674 {
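Review bot: Inside `case 0:` of bios32_service() the new `unsigned char flags;` shadows the function-level `unsigned long flags` used by local_irq_save()/local_irq_restore(). It works only because the IRQ flags have already been restored at that point; renaming it, e.g. `unsigned char desc_flags;`, removes the trap. The `if (length >= 64*1024*1024)` branch also looks unreachable, since the preceding validation rejects any `length > 0x100000 - address` and only 16 is added afterwards. Separately, `length += 16UL` widens the descriptor limit beyond the range that was just validated, so the comment there should state the resulting upper bound. The hunk ends in the first lines of check_pcibios().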
23675 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
23676 unsigned long flags, pcibios_entry;
23677
23678 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23679 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23680 + pci_indirect.address = pcibios_entry;
23681
23682 local_irq_save(flags);
23683 - __asm__(
23684 - "lcall *(%%edi); cld\n\t"
23685 + __asm__("movw %w6, %%ds\n\t"
23686 + "lcall *%%ss:(%%edi); cld\n\t"
23687 + "push %%ss\n\t"
23688 + "pop %%ds\n\t"
23689 "jc 1f\n\t"
23690 "xor %%ah, %%ah\n"
23691 "1:"
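Review bot: The `%w6` at the top of this asm template names the `__PCIBIOS_DS` operand by position, so it stays correct only while the operand list (extended in the next hunk) keeps its current order and count. A named operand removes that coupling: `"movw %w[ds], %%ds\n\t"` together with `[ds] "r" (__PCIBIOS_DS)`. The same applies to the `%w6` in pci_bios_read and pci_bios_write, the `%w8` in pcibios_get_irq_routing and the `%w5` in pcibios_set_irq_routing. A one-line comment such as `/* %ds holds __PCIBIOS_DS during the call, so pci_indirect is read via %ss and %ds is reloaded from %ss afterwards */` would also explain the `%%ss:` override. The asm statement and check_pcibios itself continue outside this hunk.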
23692 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
23693 "=b" (ebx),
23694 "=c" (ecx)
23695 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23696 - "D" (&pci_indirect)
23697 + "D" (&pci_indirect),
23698 + "r" (__PCIBIOS_DS)
23699 : "memory");
23700 local_irq_restore(flags);
23701
23702 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
23703
23704 switch (len) {
23705 case 1:
23706 - __asm__("lcall *(%%esi); cld\n\t"
23707 + __asm__("movw %w6, %%ds\n\t"
23708 + "lcall *%%ss:(%%esi); cld\n\t"
23709 + "push %%ss\n\t"
23710 + "pop %%ds\n\t"
23711 "jc 1f\n\t"
23712 "xor %%ah, %%ah\n"
23713 "1:"
23714 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
23715 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23716 "b" (bx),
23717 "D" ((long)reg),
23718 - "S" (&pci_indirect));
23719 + "S" (&pci_indirect),
23720 + "r" (__PCIBIOS_DS));
23721 /*
23722 * Zero-extend the result beyond 8 bits, do not trust the
23723 * BIOS having done it:
23724 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
23725 *value &= 0xff;
23726 break;
23727 case 2:
23728 - __asm__("lcall *(%%esi); cld\n\t"
23729 + __asm__("movw %w6, %%ds\n\t"
23730 + "lcall *%%ss:(%%esi); cld\n\t"
23731 + "push %%ss\n\t"
23732 + "pop %%ds\n\t"
23733 "jc 1f\n\t"
23734 "xor %%ah, %%ah\n"
23735 "1:"
23736 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
23737 : "1" (PCIBIOS_READ_CONFIG_WORD),
23738 "b" (bx),
23739 "D" ((long)reg),
23740 - "S" (&pci_indirect));
23741 + "S" (&pci_indirect),
23742 + "r" (__PCIBIOS_DS));
23743 /*
23744 * Zero-extend the result beyond 16 bits, do not trust the
23745 * BIOS having done it:
23746 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
23747 *value &= 0xffff;
23748 break;
23749 case 4:
23750 - __asm__("lcall *(%%esi); cld\n\t"
23751 + __asm__("movw %w6, %%ds\n\t"
23752 + "lcall *%%ss:(%%esi); cld\n\t"
23753 + "push %%ss\n\t"
23754 + "pop %%ds\n\t"
23755 "jc 1f\n\t"
23756 "xor %%ah, %%ah\n"
23757 "1:"
23758 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
23759 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23760 "b" (bx),
23761 "D" ((long)reg),
23762 - "S" (&pci_indirect));
23763 + "S" (&pci_indirect),
23764 + "r" (__PCIBIOS_DS));
23765 break;
23766 }
23767
23768 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
23769
23770 switch (len) {
23771 case 1:
23772 - __asm__("lcall *(%%esi); cld\n\t"
23773 + __asm__("movw %w6, %%ds\n\t"
23774 + "lcall *%%ss:(%%esi); cld\n\t"
23775 + "push %%ss\n\t"
23776 + "pop %%ds\n\t"
23777 "jc 1f\n\t"
23778 "xor %%ah, %%ah\n"
23779 "1:"
23780 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
23781 "c" (value),
23782 "b" (bx),
23783 "D" ((long)reg),
23784 - "S" (&pci_indirect));
23785 + "S" (&pci_indirect),
23786 + "r" (__PCIBIOS_DS));
23787 break;
23788 case 2:
23789 - __asm__("lcall *(%%esi); cld\n\t"
23790 + __asm__("movw %w6, %%ds\n\t"
23791 + "lcall *%%ss:(%%esi); cld\n\t"
23792 + "push %%ss\n\t"
23793 + "pop %%ds\n\t"
23794 "jc 1f\n\t"
23795 "xor %%ah, %%ah\n"
23796 "1:"
23797 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
23798 "c" (value),
23799 "b" (bx),
23800 "D" ((long)reg),
23801 - "S" (&pci_indirect));
23802 + "S" (&pci_indirect),
23803 + "r" (__PCIBIOS_DS));
23804 break;
23805 case 4:
23806 - __asm__("lcall *(%%esi); cld\n\t"
23807 + __asm__("movw %w6, %%ds\n\t"
23808 + "lcall *%%ss:(%%esi); cld\n\t"
23809 + "push %%ss\n\t"
23810 + "pop %%ds\n\t"
23811 "jc 1f\n\t"
23812 "xor %%ah, %%ah\n"
23813 "1:"
23814 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
23815 "c" (value),
23816 "b" (bx),
23817 "D" ((long)reg),
23818 - "S" (&pci_indirect));
23819 + "S" (&pci_indirect),
23820 + "r" (__PCIBIOS_DS));
23821 break;
23822 }
23823
23824 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
23825 * Function table for BIOS32 access
23826 */
23827
23828 -static struct pci_raw_ops pci_bios_access = {
23829 +static const struct pci_raw_ops pci_bios_access = {
23830 .read = pci_bios_read,
23831 .write = pci_bios_write
23832 };
23833 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
23834 * Try to find PCI BIOS.
23835 */
23836
23837 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23838 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23839 {
23840 union bios32 *check;
23841 unsigned char sum;
23842 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
23843
23844 DBG("PCI: Fetching IRQ routing table... ");
23845 __asm__("push %%es\n\t"
23846 + "movw %w8, %%ds\n\t"
23847 "push %%ds\n\t"
23848 "pop %%es\n\t"
23849 - "lcall *(%%esi); cld\n\t"
23850 + "lcall *%%ss:(%%esi); cld\n\t"
23851 "pop %%es\n\t"
23852 + "push %%ss\n\t"
23853 + "pop %%ds\n"
23854 "jc 1f\n\t"
23855 "xor %%ah, %%ah\n"
23856 "1:"
23857 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
23858 "1" (0),
23859 "D" ((long) &opt),
23860 "S" (&pci_indirect),
23861 - "m" (opt)
23862 + "m" (opt),
23863 + "r" (__PCIBIOS_DS)
23864 : "memory");
23865 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23866 if (ret & 0xff00)
23867 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
23868 {
23869 int ret;
23870
23871 - __asm__("lcall *(%%esi); cld\n\t"
23872 + __asm__("movw %w5, %%ds\n\t"
23873 + "lcall *%%ss:(%%esi); cld\n\t"
23874 + "push %%ss\n\t"
23875 + "pop %%ds\n"
23876 "jc 1f\n\t"
23877 "xor %%ah, %%ah\n"
23878 "1:"
23879 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
23880 : "0" (PCIBIOS_SET_PCI_HW_INT),
23881 "b" ((dev->bus->number << 8) | dev->devfn),
23882 "c" ((irq << 8) | (pin + 10)),
23883 - "S" (&pci_indirect));
23884 + "S" (&pci_indirect),
23885 + "r" (__PCIBIOS_DS));
23886 return !(ret & 0xff00);
23887 }
23888 EXPORT_SYMBOL(pcibios_set_irq_routing);
23889 diff -urNp linux-2.6.39.3/arch/x86/pci/xen.c linux-2.6.39.3/arch/x86/pci/xen.c
23890 --- linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:18:51.000000000 -0400
23891 +++ linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:19:18.000000000 -0400
23892 @@ -62,7 +62,7 @@ static int acpi_register_gsi_xen_hvm(str
23893 #include <linux/msi.h>
23894 #include <asm/msidef.h>
23895
23896 -struct xen_pci_frontend_ops *xen_pci_frontend;
23897 +const struct xen_pci_frontend_ops *xen_pci_frontend;
23898 EXPORT_SYMBOL_GPL(xen_pci_frontend);
23899
23900 #define XEN_PIRQ_MSI_DATA (MSI_DATA_TRIGGER_EDGE | \
23901 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_32.c linux-2.6.39.3/arch/x86/platform/efi/efi_32.c
23902 --- linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-19 00:06:34.000000000 -0400
23903 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-22 19:36:30.000000000 -0400
23904 @@ -38,70 +38,37 @@
23905 */
23906
23907 static unsigned long efi_rt_eflags;
23908 -static pgd_t efi_bak_pg_dir_pointer[2];
23909 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
23910
23911 -void efi_call_phys_prelog(void)
23912 +void __init efi_call_phys_prelog(void)
23913 {
23914 - unsigned long cr4;
23915 - unsigned long temp;
23916 struct desc_ptr gdt_descr;
23917
23918 local_irq_save(efi_rt_eflags);
23919
23920 - /*
23921 - * If I don't have PAE, I should just duplicate two entries in page
23922 - * directory. If I have PAE, I just need to duplicate one entry in
23923 - * page directory.
23924 - */
23925 - cr4 = read_cr4_safe();
23926 -
23927 - if (cr4 & X86_CR4_PAE) {
23928 - efi_bak_pg_dir_pointer[0].pgd =
23929 - swapper_pg_dir[pgd_index(0)].pgd;
23930 - swapper_pg_dir[0].pgd =
23931 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23932 - } else {
23933 - efi_bak_pg_dir_pointer[0].pgd =
23934 - swapper_pg_dir[pgd_index(0)].pgd;
23935 - efi_bak_pg_dir_pointer[1].pgd =
23936 - swapper_pg_dir[pgd_index(0x400000)].pgd;
23937 - swapper_pg_dir[pgd_index(0)].pgd =
23938 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23939 - temp = PAGE_OFFSET + 0x400000;
23940 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23941 - swapper_pg_dir[pgd_index(temp)].pgd;
23942 - }
23943 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
23944 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23945 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
23946
23947 /*
23948 * After the lock is released, the original page table is restored.
23949 */
23950 __flush_tlb_all();
23951
23952 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
23953 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
23954 gdt_descr.size = GDT_SIZE - 1;
23955 load_gdt(&gdt_descr);
23956 }
23957
23958 -void efi_call_phys_epilog(void)
23959 +void __init efi_call_phys_epilog(void)
23960 {
23961 - unsigned long cr4;
23962 struct desc_ptr gdt_descr;
23963
23964 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
23965 + gdt_descr.address = get_cpu_gdt_table(0);
23966 gdt_descr.size = GDT_SIZE - 1;
23967 load_gdt(&gdt_descr);
23968
23969 - cr4 = read_cr4_safe();
23970 -
23971 - if (cr4 & X86_CR4_PAE) {
23972 - swapper_pg_dir[pgd_index(0)].pgd =
23973 - efi_bak_pg_dir_pointer[0].pgd;
23974 - } else {
23975 - swapper_pg_dir[pgd_index(0)].pgd =
23976 - efi_bak_pg_dir_pointer[0].pgd;
23977 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23978 - efi_bak_pg_dir_pointer[1].pgd;
23979 - }
23980 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
23981
23982 /*
23983 * After the lock is released, the original page table is restored.
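Review bot: The two `clone_pgd_range()` calls in efi_call_phys_prelog replace a commented PAE/non-PAE branch, and nothing now says what is saved and what is aliased. A comment above them such as `/* back up the low PGD entries, then alias the kernel mapping at index 0 for the physical-mode call */` would keep the intent visible. It is also worth stating that the backup and the epilog restore both copy `KERNEL_PGD_PTRS` entries while the alias copies at most that many, so the restore covers everything the prelog overwrote. Marking both functions `__init` and the backup array `__initdata` presumably relies on every caller being init-only; the callers are not visible here, so confirm with a section-mismatch build. efi_call_phys_epilog continues past the end of the hunk.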
23984 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S
23985 --- linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-19 00:06:34.000000000 -0400
23986 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-22 19:36:30.000000000 -0400
23987 @@ -6,6 +6,7 @@
23988 */
23989
23990 #include <linux/linkage.h>
23991 +#include <linux/init.h>
23992 #include <asm/page_types.h>
23993
23994 /*
23995 @@ -20,7 +21,7 @@
23996 * service functions will comply with gcc calling convention, too.
23997 */
23998
23999 -.text
24000 +__INIT
24001 ENTRY(efi_call_phys)
24002 /*
24003 * 0. The function can only be called in Linux kernel. So CS has been
24004 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
24005 * The mapping of lower virtual memory has been created in prelog and
24006 * epilog.
24007 */
24008 - movl $1f, %edx
24009 - subl $__PAGE_OFFSET, %edx
24010 - jmp *%edx
24011 + jmp 1f-__PAGE_OFFSET
24012 1:
24013
24014 /*
24015 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
24016 * parameter 2, ..., param n. To make things easy, we save the return
24017 * address of efi_call_phys in a global variable.
24018 */
24019 - popl %edx
24020 - movl %edx, saved_return_addr
24021 - /* get the function pointer into ECX*/
24022 - popl %ecx
24023 - movl %ecx, efi_rt_function_ptr
24024 - movl $2f, %edx
24025 - subl $__PAGE_OFFSET, %edx
24026 - pushl %edx
24027 + popl (saved_return_addr)
24028 + popl (efi_rt_function_ptr)
24029
24030 /*
24031 * 3. Clear PG bit in %CR0.
24032 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
24033 /*
24034 * 5. Call the physical function.
24035 */
24036 - jmp *%ecx
24037 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
24038
24039 -2:
24040 /*
24041 * 6. After EFI runtime service returns, control will return to
24042 * following instruction. We'd better readjust stack pointer first.
24043 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
24044 movl %cr0, %edx
24045 orl $0x80000000, %edx
24046 movl %edx, %cr0
24047 - jmp 1f
24048 -1:
24049 +
24050 /*
24051 * 8. Now restore the virtual mode from flat mode by
24052 * adding EIP with PAGE_OFFSET.
24053 */
24054 - movl $1f, %edx
24055 - jmp *%edx
24056 + jmp 1f+__PAGE_OFFSET
24057 1:
24058
24059 /*
24060 * 9. Balance the stack. And because EAX contain the return value,
24061 * we'd better not clobber it.
24062 */
24063 - leal efi_rt_function_ptr, %edx
24064 - movl (%edx), %ecx
24065 - pushl %ecx
24066 + pushl (efi_rt_function_ptr)
24067
24068 /*
24069 - * 10. Push the saved return address onto the stack and return.
24070 + * 10. Return to the saved return address.
24071 */
24072 - leal saved_return_addr, %edx
24073 - movl (%edx), %ecx
24074 - pushl %ecx
24075 - ret
24076 + jmpl *(saved_return_addr)
24077 ENDPROC(efi_call_phys)
24078 .previous
24079
24080 -.data
24081 +__INITDATA
24082 saved_return_addr:
24083 .long 0
24084 efi_rt_function_ptr:
24085 diff -urNp linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c
24086 --- linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-19 00:06:34.000000000 -0400
24087 +++ linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-22 19:36:30.000000000 -0400
24088 @@ -154,7 +154,7 @@ void * __init prom_early_alloc(unsigned
24089 return res;
24090 }
24091
24092 -static struct of_pdt_ops prom_olpc_ops __initdata = {
24093 +static const struct of_pdt_ops prom_olpc_ops = {
24094 .nextprop = olpc_dt_nextprop,
24095 .getproplen = olpc_dt_getproplen,
24096 .getproperty = olpc_dt_getproperty,
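Review bot: Dropping `__initdata` to make `prom_olpc_ops` const leaves the table resident after boot, whereas the original was discarded with init memory. If every user of the table still runs only during init (the consumer is not visible in this hunk), `static const struct of_pdt_ops prom_olpc_ops __initconst = {` keeps both the read-only placement and the post-boot reclaim. The initializer continues past the end of the hunk.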
24097 diff -urNp linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c
24098 --- linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-19 00:06:34.000000000 -0400
24099 +++ linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-22 19:36:30.000000000 -0400
24100 @@ -342,6 +342,8 @@ static void uv_reset_with_ipi(struct bau
24101 cpumask_t mask;
24102 struct reset_args reset_args;
24103
24104 + pax_track_stack();
24105 +
24106 reset_args.sender = sender;
24107
24108 cpus_clear(mask);
24109 diff -urNp linux-2.6.39.3/arch/x86/power/cpu.c linux-2.6.39.3/arch/x86/power/cpu.c
24110 --- linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-19 00:06:34.000000000 -0400
24111 +++ linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-22 19:36:30.000000000 -0400
24112 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
24113 static void fix_processor_context(void)
24114 {
24115 int cpu = smp_processor_id();
24116 - struct tss_struct *t = &per_cpu(init_tss, cpu);
24117 + struct tss_struct *t = init_tss + cpu;
24118
24119 set_tss_desc(cpu, t); /*
24120 * This just modifies memory; should not be
24121 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
24122 */
24123
24124 #ifdef CONFIG_X86_64
24125 + pax_open_kernel();
24126 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
24127 + pax_close_kernel();
24128
24129 syscall_init(); /* This sets MSR_*STAR and related */
24130 #endif
24131 diff -urNp linux-2.6.39.3/arch/x86/vdso/Makefile linux-2.6.39.3/arch/x86/vdso/Makefile
24132 --- linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-19 00:06:34.000000000 -0400
24133 +++ linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-22 19:36:30.000000000 -0400
24134 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
24135 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
24136 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
24137
24138 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24139 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24140 GCOV_PROFILE := n
24141
24142 #
24143 diff -urNp linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c
24144 --- linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-19 00:06:34.000000000 -0400
24145 +++ linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-22 19:36:30.000000000 -0400
24146 @@ -22,24 +22,48 @@
24147 #include <asm/hpet.h>
24148 #include <asm/unistd.h>
24149 #include <asm/io.h>
24150 +#include <asm/fixmap.h>
24151 #include "vextern.h"
24152
24153 #define gtod vdso_vsyscall_gtod_data
24154
24155 +notrace noinline long __vdso_fallback_time(long *t)
24156 +{
24157 + long secs;
24158 + asm volatile("syscall"
24159 + : "=a" (secs)
24160 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
24161 + return secs;
24162 +}
24163 +
24164 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
24165 {
24166 long ret;
24167 asm("syscall" : "=a" (ret) :
24168 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
24169 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
24170 return ret;
24171 }
24172
24173 +notrace static inline cycle_t __vdso_vread_hpet(void)
24174 +{
24175 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
24176 +}
24177 +
24178 +notrace static inline cycle_t __vdso_vread_tsc(void)
24179 +{
24180 + cycle_t ret = (cycle_t)vget_cycles();
24181 +
24182 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
24183 +}
24184 +
24185 notrace static inline long vgetns(void)
24186 {
24187 long v;
24188 - cycles_t (*vread)(void);
24189 - vread = gtod->clock.vread;
24190 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
24191 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
24192 + v = __vdso_vread_tsc();
24193 + else
24194 + v = __vdso_vread_hpet();
24195 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
24196 return (v * gtod->clock.mult) >> gtod->clock.shift;
24197 }
24198
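Review bot: The clocksource name test in vgetns is open-coded byte by byte and repeated in `__vdso_clock_gettime` and `__vdso_gettimeofday` in the later hunks of this file, so three copies have to stay in step. Two `notrace static inline` predicates would keep the comparison in one place without adding an external symbol to the vDSO. vgetns also treats every clock that is not "tsc" as HPET, which appears safe only because the entry points shown test the name first; that deserves a comment at the branch. The inner `if (likely(gtod->clock.vread))` left as context in `__vdso_clock_gettime` still consults the pointer that vgetns no longer calls, and whether that test is still meaningful is not visible here.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	long v;

	/* Callers must already have checked that the clock is "tsc" or "hpet". */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask and mult/shift scaling … */
```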
24199 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
24200
24201 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
24202 {
24203 - if (likely(gtod->sysctl_enabled))
24204 + if (likely(gtod->sysctl_enabled &&
24205 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24206 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24207 switch (clock) {
24208 case CLOCK_REALTIME:
24209 if (likely(gtod->clock.vread))
24210 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
24211 int clock_gettime(clockid_t, struct timespec *)
24212 __attribute__((weak, alias("__vdso_clock_gettime")));
24213
24214 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24215 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
24216 {
24217 long ret;
24218 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
24219 + asm("syscall" : "=a" (ret) :
24220 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
24221 + return ret;
24222 +}
24223 +
24224 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24225 +{
24226 + if (likely(gtod->sysctl_enabled &&
24227 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24228 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24229 + {
24230 if (likely(tv != NULL)) {
24231 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
24232 offsetof(struct timespec, tv_nsec) ||
24233 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
24234 }
24235 return 0;
24236 }
24237 - asm("syscall" : "=a" (ret) :
24238 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
24239 - return ret;
24240 + return __vdso_fallback_gettimeofday(tv, tz);
24241 }
24242 int gettimeofday(struct timeval *, struct timezone *)
24243 __attribute__((weak, alias("__vdso_gettimeofday")));
24244 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c
24245 --- linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-19 00:06:34.000000000 -0400
24246 +++ linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-22 19:36:30.000000000 -0400
24247 @@ -25,6 +25,7 @@
24248 #include <asm/tlbflush.h>
24249 #include <asm/vdso.h>
24250 #include <asm/proto.h>
24251 +#include <asm/mman.h>
24252
24253 enum {
24254 VDSO_DISABLED = 0,
24255 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
24256 void enable_sep_cpu(void)
24257 {
24258 int cpu = get_cpu();
24259 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
24260 + struct tss_struct *tss = init_tss + cpu;
24261
24262 if (!boot_cpu_has(X86_FEATURE_SEP)) {
24263 put_cpu();
24264 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
24265 gate_vma.vm_start = FIXADDR_USER_START;
24266 gate_vma.vm_end = FIXADDR_USER_END;
24267 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
24268 - gate_vma.vm_page_prot = __P101;
24269 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
24270 /*
24271 * Make sure the vDSO gets into every core dump.
24272 * Dumping its contents makes post-mortem fully interpretable later
24273 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
24274 if (compat)
24275 addr = VDSO_HIGH_BASE;
24276 else {
24277 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
24278 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
24279 if (IS_ERR_VALUE(addr)) {
24280 ret = addr;
24281 goto up_fail;
24282 }
24283 }
24284
24285 - current->mm->context.vdso = (void *)addr;
24286 + current->mm->context.vdso = addr;
24287
24288 if (compat_uses_vma || !compat) {
24289 /*
24290 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
24291 }
24292
24293 current_thread_info()->sysenter_return =
24294 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24295 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24296
24297 up_fail:
24298 if (ret)
24299 - current->mm->context.vdso = NULL;
24300 + current->mm->context.vdso = 0;
24301
24302 up_write(&mm->mmap_sem);
24303
24304 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
24305
24306 const char *arch_vma_name(struct vm_area_struct *vma)
24307 {
24308 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
24309 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
24310 return "[vdso]";
24311 +
24312 +#ifdef CONFIG_PAX_SEGMEXEC
24313 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
24314 + return "[vdso]";
24315 +#endif
24316 +
24317 return NULL;
24318 }
24319
24320 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
24321 * Check to see if the corresponding task was created in compat vdso
24322 * mode.
24323 */
24324 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
24325 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
24326 return &gate_vma;
24327 return NULL;
24328 }
24329 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso.lds.S linux-2.6.39.3/arch/x86/vdso/vdso.lds.S
24330 --- linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-05-19 00:06:34.000000000 -0400
24331 +++ linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-06-06 17:34:26.000000000 -0400
24332 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
24333 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
24334 #include "vextern.h"
24335 #undef VEXTERN
24336 +
24337 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
24338 +VEXTERN(fallback_gettimeofday)
24339 +VEXTERN(fallback_time)
24340 +VEXTERN(getcpu)
24341 +#undef VEXTERN
24342 diff -urNp linux-2.6.39.3/arch/x86/vdso/vextern.h linux-2.6.39.3/arch/x86/vdso/vextern.h
24343 --- linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-19 00:06:34.000000000 -0400
24344 +++ linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-22 19:36:30.000000000 -0400
24345 @@ -11,6 +11,5 @@
24346 put into vextern.h and be referenced as a pointer with vdso prefix.
24347 The main kernel later fills in the values. */
24348
24349 -VEXTERN(jiffies)
24350 VEXTERN(vgetcpu_mode)
24351 VEXTERN(vsyscall_gtod_data)
24352 diff -urNp linux-2.6.39.3/arch/x86/vdso/vma.c linux-2.6.39.3/arch/x86/vdso/vma.c
24353 --- linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-19 00:06:34.000000000 -0400
24354 +++ linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-22 19:36:30.000000000 -0400
24355 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
24356 if (!vbase)
24357 goto oom;
24358
24359 - if (memcmp(vbase, "\177ELF", 4)) {
24360 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
24361 printk("VDSO: I'm broken; not ELF\n");
24362 vdso_enabled = 0;
24363 }
24364 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
24365 goto up_fail;
24366 }
24367
24368 - current->mm->context.vdso = (void *)addr;
24369 + current->mm->context.vdso = addr;
24370
24371 ret = install_special_mapping(mm, addr, vdso_size,
24372 VM_READ|VM_EXEC|
24373 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
24374 VM_ALWAYSDUMP,
24375 vdso_pages);
24376 if (ret) {
24377 - current->mm->context.vdso = NULL;
24378 + current->mm->context.vdso = 0;
24379 goto up_fail;
24380 }
24381
24382 @@ -134,10 +134,3 @@ up_fail:
24383 up_write(&mm->mmap_sem);
24384 return ret;
24385 }
24386 -
24387 -static __init int vdso_setup(char *s)
24388 -{
24389 - vdso_enabled = simple_strtoul(s, NULL, 0);
24390 - return 0;
24391 -}
24392 -__setup("vdso=", vdso_setup);
24393 diff -urNp linux-2.6.39.3/arch/x86/xen/enlighten.c linux-2.6.39.3/arch/x86/xen/enlighten.c
24394 --- linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-19 00:06:34.000000000 -0400
24395 +++ linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-22 19:36:30.000000000 -0400
24396 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24397
24398 struct shared_info xen_dummy_shared_info;
24399
24400 -void *xen_initial_gdt;
24401 -
24402 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
24403 __read_mostly int xen_have_vector_callback;
24404 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
24405 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
24406 #endif
24407 };
24408
24409 -static void xen_reboot(int reason)
24410 +static __noreturn void xen_reboot(int reason)
24411 {
24412 struct sched_shutdown r = { .reason = reason };
24413
24414 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
24415 BUG();
24416 }
24417
24418 -static void xen_restart(char *msg)
24419 +static __noreturn void xen_restart(char *msg)
24420 {
24421 xen_reboot(SHUTDOWN_reboot);
24422 }
24423
24424 -static void xen_emergency_restart(void)
24425 +static __noreturn void xen_emergency_restart(void)
24426 {
24427 xen_reboot(SHUTDOWN_reboot);
24428 }
24429
24430 -static void xen_machine_halt(void)
24431 +static __noreturn void xen_machine_halt(void)
24432 {
24433 xen_reboot(SHUTDOWN_poweroff);
24434 }
24435 @@ -1127,7 +1125,17 @@ asmlinkage void __init xen_start_kernel(
24436 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24437
24438 /* Work out if we support NX */
24439 - x86_configure_nx();
24440 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24441 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24442 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24443 + unsigned l, h;
24444 +
24445 + __supported_pte_mask |= _PAGE_NX;
24446 + rdmsr(MSR_EFER, l, h);
24447 + l |= EFER_NX;
24448 + wrmsr(MSR_EFER, l, h);
24449 + }
24450 +#endif
24451
24452 xen_setup_features();
24453
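Review bot: The open-coded NX probe only ever sets `_PAGE_NX` in `__supported_pte_mask`. The body of the `x86_configure_nx()` call it replaces is not visible here, so confirm that nothing it did on the no-NX path (clearing the bit, honouring a command-line override) is still needed. The CPUID leaves and `(1U << (X86_FEATURE_NX & 31))` are also unexplained. A comment such as `/* probe NX directly via CPUID and set EFER.NX; x86_configure_nx() is not used here because ... */` would record why the helper was bypassed. xen_start_kernel starts and ends outside this hunk.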
24454 @@ -1158,13 +1166,6 @@ asmlinkage void __init xen_start_kernel(
24455
24456 machine_ops = xen_machine_ops;
24457
24458 - /*
24459 - * The only reliable way to retain the initial address of the
24460 - * percpu gdt_page is to remember it here, so we can go and
24461 - * mark it RW later, when the initial percpu area is freed.
24462 - */
24463 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24464 -
24465 xen_smp_init();
24466
24467 #ifdef CONFIG_ACPI_NUMA
24468 diff -urNp linux-2.6.39.3/arch/x86/xen/mmu.c linux-2.6.39.3/arch/x86/xen/mmu.c
24469 --- linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:18:51.000000000 -0400
24470 +++ linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:19:18.000000000 -0400
24471 @@ -1801,6 +1801,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24472 convert_pfn_mfn(init_level4_pgt);
24473 convert_pfn_mfn(level3_ident_pgt);
24474 convert_pfn_mfn(level3_kernel_pgt);
24475 + convert_pfn_mfn(level3_vmalloc_pgt);
24476 + convert_pfn_mfn(level3_vmemmap_pgt);
24477
24478 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24479 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24480 @@ -1819,7 +1821,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24481 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24482 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24483 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24484 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24485 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24486 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24487 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24488 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24489 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24490
24491 diff -urNp linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c
24492 --- linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-19 00:06:34.000000000 -0400
24493 +++ linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-22 19:36:30.000000000 -0400
24494 @@ -10,7 +10,7 @@
24495
24496 int xen_swiotlb __read_mostly;
24497
24498 -static struct dma_map_ops xen_swiotlb_dma_ops = {
24499 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
24500 .mapping_error = xen_swiotlb_dma_mapping_error,
24501 .alloc_coherent = xen_swiotlb_alloc_coherent,
24502 .free_coherent = xen_swiotlb_free_coherent,
24503 diff -urNp linux-2.6.39.3/arch/x86/xen/smp.c linux-2.6.39.3/arch/x86/xen/smp.c
24504 --- linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:18:51.000000000 -0400
24505 +++ linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:19:18.000000000 -0400
24506 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
24507 {
24508 BUG_ON(smp_processor_id() != 0);
24509 native_smp_prepare_boot_cpu();
24510 -
24511 - /* We've switched to the "real" per-cpu gdt, so make sure the
24512 - old memory can be recycled */
24513 - make_lowmem_page_readwrite(xen_initial_gdt);
24514 -
24515 xen_filter_cpu_maps();
24516 xen_setup_vcpu_info_placement();
24517 }
24518 @@ -266,12 +261,12 @@ cpu_initialize_context(unsigned int cpu,
24519 gdt = get_cpu_gdt_table(cpu);
24520
24521 ctxt->flags = VGCF_IN_KERNEL;
24522 - ctxt->user_regs.ds = __USER_DS;
24523 - ctxt->user_regs.es = __USER_DS;
24524 + ctxt->user_regs.ds = __KERNEL_DS;
24525 + ctxt->user_regs.es = __KERNEL_DS;
24526 ctxt->user_regs.ss = __KERNEL_DS;
24527 #ifdef CONFIG_X86_32
24528 ctxt->user_regs.fs = __KERNEL_PERCPU;
24529 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24530 + savesegment(gs, ctxt->user_regs.gs);
24531 #else
24532 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24533 #endif
24534 @@ -322,13 +317,12 @@ static int __cpuinit xen_cpu_up(unsigned
24535 int rc;
24536
24537 per_cpu(current_task, cpu) = idle;
24538 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24539 #ifdef CONFIG_X86_32
24540 irq_ctx_init(cpu);
24541 #else
24542 clear_tsk_thread_flag(idle, TIF_FORK);
24543 - per_cpu(kernel_stack, cpu) =
24544 - (unsigned long)task_stack_page(idle) -
24545 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24546 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24547 #endif
24548 xen_setup_runstate_info(cpu);
24549 xen_setup_timer(cpu);
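Review bot: The literal `16` in the new `per_cpu(kernel_stack, cpu)` assignment replaces the named `KERNEL_STACK_OFFSET` with no explanation. If the patch changes the stack-top reservation elsewhere, this value should come from the same single definition, or at least carry a comment such as `/* 16 bytes reserved at the top of the stack, must match the native CPU bring-up path */`. Otherwise the Xen and native paths can drift apart silently. xen_cpu_up continues outside this hunk.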
24550 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-asm_32.S linux-2.6.39.3/arch/x86/xen/xen-asm_32.S
24551 --- linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-19 00:06:34.000000000 -0400
24552 +++ linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-22 19:36:30.000000000 -0400
24553 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24554 ESP_OFFSET=4 # bytes pushed onto stack
24555
24556 /*
24557 - * Store vcpu_info pointer for easy access. Do it this way to
24558 - * avoid having to reload %fs
24559 + * Store vcpu_info pointer for easy access.
24560 */
24561 #ifdef CONFIG_SMP
24562 - GET_THREAD_INFO(%eax)
24563 - movl TI_cpu(%eax), %eax
24564 - movl __per_cpu_offset(,%eax,4), %eax
24565 - mov xen_vcpu(%eax), %eax
24566 + push %fs
24567 + mov $(__KERNEL_PERCPU), %eax
24568 + mov %eax, %fs
24569 + mov PER_CPU_VAR(xen_vcpu), %eax
24570 + pop %fs
24571 #else
24572 movl xen_vcpu, %eax
24573 #endif
24574 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-head.S linux-2.6.39.3/arch/x86/xen/xen-head.S
24575 --- linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-19 00:06:34.000000000 -0400
24576 +++ linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-22 19:36:30.000000000 -0400
24577 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24578 #ifdef CONFIG_X86_32
24579 mov %esi,xen_start_info
24580 mov $init_thread_union+THREAD_SIZE,%esp
24581 +#ifdef CONFIG_SMP
24582 + movl $cpu_gdt_table,%edi
24583 + movl $__per_cpu_load,%eax
24584 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24585 + rorl $16,%eax
24586 + movb %al,__KERNEL_PERCPU + 4(%edi)
24587 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24588 + movl $__per_cpu_end - 1,%eax
24589 + subl $__per_cpu_start,%eax
24590 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24591 +#endif
24592 #else
24593 mov %rsi,xen_start_info
24594 mov $init_thread_union+THREAD_SIZE,%rsp
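Review bot: The added block patches the `__KERNEL_PERCPU` entry of `cpu_gdt_table` byte by byte with no comment, and the limit write `movw %ax,__KERNEL_PERCPU + 0(%edi)` stores only the low 16 bits of `__per_cpu_end - 1 - __per_cpu_start`. Whether the upper limit bits and the granularity flag in byte 6 are already right depends on the table's static initialiser, which is outside this hunk, so a per-cpu area larger than 64 KiB would presumably end up with a truncated limit. A short comment naming the descriptor fields (`+2`/`+4`/`+7` for the base, `+0` for the limit) and the size assumption would make this checkable. startup_xen continues outside the hunk.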
24595 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-ops.h linux-2.6.39.3/arch/x86/xen/xen-ops.h
24596 --- linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-19 00:06:34.000000000 -0400
24597 +++ linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-22 19:36:30.000000000 -0400
24598 @@ -10,8 +10,6 @@
24599 extern const char xen_hypervisor_callback[];
24600 extern const char xen_failsafe_callback[];
24601
24602 -extern void *xen_initial_gdt;
24603 -
24604 struct trap_info;
24605 void xen_copy_trap_info(struct trap_info *traps);
24606
24607 diff -urNp linux-2.6.39.3/block/blk-iopoll.c linux-2.6.39.3/block/blk-iopoll.c
24608 --- linux-2.6.39.3/block/blk-iopoll.c 2011-05-19 00:06:34.000000000 -0400
24609 +++ linux-2.6.39.3/block/blk-iopoll.c 2011-05-22 19:36:30.000000000 -0400
24610 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24611 }
24612 EXPORT_SYMBOL(blk_iopoll_complete);
24613
24614 -static void blk_iopoll_softirq(struct softirq_action *h)
24615 +static void blk_iopoll_softirq(void)
24616 {
24617 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24618 int rearm = 0, budget = blk_iopoll_budget;
24619 diff -urNp linux-2.6.39.3/block/blk-map.c linux-2.6.39.3/block/blk-map.c
24620 --- linux-2.6.39.3/block/blk-map.c 2011-05-19 00:06:34.000000000 -0400
24621 +++ linux-2.6.39.3/block/blk-map.c 2011-05-22 19:36:30.000000000 -0400
24622 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
24623 if (!len || !kbuf)
24624 return -EINVAL;
24625
24626 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
24627 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
24628 if (do_copy)
24629 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24630 else
24631 diff -urNp linux-2.6.39.3/block/blk-softirq.c linux-2.6.39.3/block/blk-softirq.c
24632 --- linux-2.6.39.3/block/blk-softirq.c 2011-05-19 00:06:34.000000000 -0400
24633 +++ linux-2.6.39.3/block/blk-softirq.c 2011-05-22 19:36:30.000000000 -0400
24634 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24635 * Softirq action handler - move entries to local list and loop over them
24636 * while passing them to the queue registered handler.
24637 */
24638 -static void blk_done_softirq(struct softirq_action *h)
24639 +static void blk_done_softirq(void)
24640 {
24641 struct list_head *cpu_list, local_list;
24642
24643 diff -urNp linux-2.6.39.3/block/bsg.c linux-2.6.39.3/block/bsg.c
24644 --- linux-2.6.39.3/block/bsg.c 2011-05-19 00:06:34.000000000 -0400
24645 +++ linux-2.6.39.3/block/bsg.c 2011-05-22 19:36:30.000000000 -0400
24646 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24647 struct sg_io_v4 *hdr, struct bsg_device *bd,
24648 fmode_t has_write_perm)
24649 {
24650 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24651 + unsigned char *cmdptr;
24652 +
24653 if (hdr->request_len > BLK_MAX_CDB) {
24654 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24655 if (!rq->cmd)
24656 return -ENOMEM;
24657 - }
24658 + cmdptr = rq->cmd;
24659 + } else
24660 + cmdptr = tmpcmd;
24661
24662 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24663 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24664 hdr->request_len))
24665 return -EFAULT;
24666
24667 + if (cmdptr != rq->cmd)
24668 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24669 +
24670 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24671 if (blk_verify_command(rq->cmd, has_write_perm))
24672 return -EPERM;
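Review bot: Nothing in `blk_fill_sgv4_hdr_rq` says why a command of at most `BLK_MAX_CDB` bytes is now copied into the stack array `tmpcmd` and then `memcpy`'d into `rq->cmd` instead of being copied there directly. The same bounce appears in both `block/scsi_ioctl.c` hunks that follow, so a one-line comment at each site, e.g. `/* bounce through the stack: rq->cmd may point at the embedded rq->__cmd */` (presumably for the patch's usercopy checks; confirm), or a shared helper, would keep the three copies in step. Kernel style also wants braces on the `else` branch once the `if` branch has them: `} else {` around `cmdptr = tmpcmd;`. The function body continues outside the hunk.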
24673 diff -urNp linux-2.6.39.3/block/scsi_ioctl.c linux-2.6.39.3/block/scsi_ioctl.c
24674 --- linux-2.6.39.3/block/scsi_ioctl.c 2011-05-19 00:06:34.000000000 -0400
24675 +++ linux-2.6.39.3/block/scsi_ioctl.c 2011-05-22 19:36:30.000000000 -0400
24676 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
24677 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24678 struct sg_io_hdr *hdr, fmode_t mode)
24679 {
24680 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24681 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24682 + unsigned char *cmdptr;
24683 +
24684 + if (rq->cmd != rq->__cmd)
24685 + cmdptr = rq->cmd;
24686 + else
24687 + cmdptr = tmpcmd;
24688 +
24689 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24690 return -EFAULT;
24691 +
24692 + if (cmdptr != rq->cmd)
24693 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24694 +
24695 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24696 return -EPERM;
24697
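Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` now writes into the fixed-size stack array `tmpcmd` whenever `rq->cmd == rq->__cmd`, but `blk_fill_sghdr_rq` never compares `hdr->cmd_len` with `sizeof(tmpcmd)` itself. The bound presumably comes from the caller allocating `rq->cmd` for longer commands, which is not visible here. A local guard such as `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;` would make the stack copy safe on its own. The later `sg_scsi_ioctl` hunk has the same shape with `cmdlen`, and this function continues outside the hunk.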
24698 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
24699 int err;
24700 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24701 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24702 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24703 + unsigned char *cmdptr;
24704
24705 if (!sic)
24706 return -EINVAL;
24707 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
24708 */
24709 err = -EFAULT;
24710 rq->cmd_len = cmdlen;
24711 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24712 +
24713 + if (rq->cmd != rq->__cmd)
24714 + cmdptr = rq->cmd;
24715 + else
24716 + cmdptr = tmpcmd;
24717 +
24718 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24719 goto error;
24720
24721 + if (rq->cmd != cmdptr)
24722 + memcpy(rq->cmd, cmdptr, cmdlen);
24723 +
24724 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24725 goto error;
24726
24727 diff -urNp linux-2.6.39.3/crypto/gf128mul.c linux-2.6.39.3/crypto/gf128mul.c
24728 --- linux-2.6.39.3/crypto/gf128mul.c 2011-05-19 00:06:34.000000000 -0400
24729 +++ linux-2.6.39.3/crypto/gf128mul.c 2011-07-06 20:00:14.000000000 -0400
24730 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24731 for (i = 0; i < 7; ++i)
24732 gf128mul_x_lle(&p[i + 1], &p[i]);
24733
24734 - memset(r, 0, sizeof(r));
24735 + memset(r, 0, sizeof(*r));
24736 for (i = 0;;) {
24737 u8 ch = ((u8 *)b)[15 - i];
24738
24739 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24740 for (i = 0; i < 7; ++i)
24741 gf128mul_x_bbe(&p[i + 1], &p[i]);
24742
24743 - memset(r, 0, sizeof(r));
24744 + memset(r, 0, sizeof(*r));
24745 for (i = 0;;) {
24746 u8 ch = ((u8 *)b)[i];
24747
24748 diff -urNp linux-2.6.39.3/crypto/serpent.c linux-2.6.39.3/crypto/serpent.c
24749 --- linux-2.6.39.3/crypto/serpent.c 2011-05-19 00:06:34.000000000 -0400
24750 +++ linux-2.6.39.3/crypto/serpent.c 2011-05-22 19:36:30.000000000 -0400
24751 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24752 u32 r0,r1,r2,r3,r4;
24753 int i;
24754
24755 + pax_track_stack();
24756 +
24757 /* Copy key, add padding */
24758
24759 for (i = 0; i < keylen; ++i)
24760 diff -urNp linux-2.6.39.3/Documentation/dontdiff linux-2.6.39.3/Documentation/dontdiff
24761 --- linux-2.6.39.3/Documentation/dontdiff 2011-05-19 00:06:34.000000000 -0400
24762 +++ linux-2.6.39.3/Documentation/dontdiff 2011-05-22 19:36:30.000000000 -0400
24763 @@ -1,13 +1,16 @@
24764 *.a
24765 *.aux
24766 *.bin
24767 +*.cis
24768 *.cpio
24769 *.csp
24770 +*.dbg
24771 *.dsp
24772 *.dvi
24773 *.elf
24774 *.eps
24775 *.fw
24776 +*.gcno
24777 *.gen.S
24778 *.gif
24779 *.grep
24780 @@ -38,8 +41,10 @@
24781 *.tab.h
24782 *.tex
24783 *.ver
24784 +*.vim
24785 *.xml
24786 *_MODULES
24787 +*_reg_safe.h
24788 *_vga16.c
24789 *~
24790 *.9
24791 @@ -49,11 +54,16 @@
24792 53c700_d.h
24793 CVS
24794 ChangeSet
24795 +GPATH
24796 +GRTAGS
24797 +GSYMS
24798 +GTAGS
24799 Image
24800 Kerntypes
24801 Module.markers
24802 Module.symvers
24803 PENDING
24804 +PERF*
24805 SCCS
24806 System.map*
24807 TAGS
24808 @@ -80,8 +90,11 @@ btfixupprep
24809 build
24810 bvmlinux
24811 bzImage*
24812 +capability_names.h
24813 capflags.c
24814 classlist.h*
24815 +clut_vga16.c
24816 +common-cmds.h
24817 comp*.log
24818 compile.h*
24819 conf
24820 @@ -106,16 +119,19 @@ fore200e_mkfirm
24821 fore200e_pca_fw.c*
24822 gconf
24823 gen-devlist
24824 +gen-kdb_cmds.c
24825 gen_crc32table
24826 gen_init_cpio
24827 generated
24828 genheaders
24829 genksyms
24830 *_gray256.c
24831 +hash
24832 ihex2fw
24833 ikconfig.h*
24834 inat-tables.c
24835 initramfs_data.cpio
24836 +initramfs_data.cpio.bz2
24837 initramfs_data.cpio.gz
24838 initramfs_list
24839 int16.c
24840 @@ -125,7 +141,6 @@ int32.c
24841 int4.c
24842 int8.c
24843 kallsyms
24844 -kconfig
24845 keywords.c
24846 ksym.c*
24847 ksym.h*
24848 @@ -149,7 +164,9 @@ mkboot
24849 mkbugboot
24850 mkcpustr
24851 mkdep
24852 +mkpiggy
24853 mkprep
24854 +mkregtable
24855 mktables
24856 mktree
24857 modpost
24858 @@ -165,6 +182,7 @@ parse.h
24859 patches*
24860 pca200e.bin
24861 pca200e_ecd.bin2
24862 +perf-archive
24863 piggy.gz
24864 piggyback
24865 piggy.S
24866 @@ -180,7 +198,9 @@ r600_reg_safe.h
24867 raid6altivec*.c
24868 raid6int*.c
24869 raid6tables.c
24870 +regdb.c
24871 relocs
24872 +rlim_names.h
24873 rn50_reg_safe.h
24874 rs600_reg_safe.h
24875 rv515_reg_safe.h
24876 @@ -189,6 +209,7 @@ setup
24877 setup.bin
24878 setup.elf
24879 sImage
24880 +slabinfo
24881 sm_tbl*
24882 split-include
24883 syscalltab.h
24884 @@ -213,13 +234,17 @@ version.h*
24885 vmlinux
24886 vmlinux-*
24887 vmlinux.aout
24888 +vmlinux.bin.all
24889 +vmlinux.bin.bz2
24890 vmlinux.lds
24891 +vmlinux.relocs
24892 voffset.h
24893 vsyscall.lds
24894 vsyscall_32.lds
24895 wanxlfw.inc
24896 uImage
24897 unifdef
24898 +utsrelease.h
24899 wakeup.bin
24900 wakeup.elf
24901 wakeup.lds
24902 diff -urNp linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c
24903 --- linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-19 00:06:34.000000000 -0400
24904 +++ linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-22 19:36:30.000000000 -0400
24905 @@ -368,7 +368,7 @@ static struct configfs_item_operations g
24906 * Note that, since no extra work is required on ->drop_item(),
24907 * no ->drop_item() is provided.
24908 */
24909 -static struct configfs_group_operations group_children_group_ops = {
24910 +static const struct configfs_group_operations group_children_group_ops = {
24911 .make_group = group_children_make_group,
24912 };
24913
24914 diff -urNp linux-2.6.39.3/Documentation/filesystems/sysfs.txt linux-2.6.39.3/Documentation/filesystems/sysfs.txt
24915 --- linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-19 00:06:34.000000000 -0400
24916 +++ linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-22 19:36:30.000000000 -0400
24917 @@ -125,8 +125,8 @@ set of sysfs operations for forwarding r
24918 show and store methods of the attribute owners.
24919
24920 struct sysfs_ops {
24921 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
24922 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
24923 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
24924 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
24925 };
24926
24927 [ Subsystems should have already defined a struct kobj_type as a
24928 diff -urNp linux-2.6.39.3/Documentation/kernel-parameters.txt linux-2.6.39.3/Documentation/kernel-parameters.txt
24929 --- linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 12:55:22.000000000 -0400
24930 +++ linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 13:00:25.000000000 -0400
24931 @@ -1879,6 +1879,13 @@ bytes respectively. Such letter suffixes
24932 the specified number of seconds. This is to be used if
24933 your oopses keep scrolling off the screen.
24934
24935 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24936 + virtualization environments that don't cope well with the
24937 + expand down segment used by UDEREF on X86-32 or the frequent
24938 + page table updates on X86-64.
24939 +
24940 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24941 +
24942 pcbit= [HW,ISDN]
24943
24944 pcd. [PARIDE]
24945 diff -urNp linux-2.6.39.3/drivers/acpi/acpi_ipmi.c linux-2.6.39.3/drivers/acpi/acpi_ipmi.c
24946 --- linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-19 00:06:34.000000000 -0400
24947 +++ linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-22 19:36:30.000000000 -0400
24948 @@ -70,7 +70,7 @@ struct acpi_ipmi_device {
24949 struct ipmi_driver_data {
24950 struct list_head ipmi_devices;
24951 struct ipmi_smi_watcher bmc_events;
24952 - struct ipmi_user_hndl ipmi_hndlrs;
24953 + const struct ipmi_user_hndl ipmi_hndlrs;
24954 struct mutex ipmi_lock;
24955 };
24956
24957 diff -urNp linux-2.6.39.3/drivers/acpi/apei/cper.c linux-2.6.39.3/drivers/acpi/apei/cper.c
24958 --- linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-19 00:06:34.000000000 -0400
24959 +++ linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-22 19:36:30.000000000 -0400
24960 @@ -38,12 +38,12 @@
24961 */
24962 u64 cper_next_record_id(void)
24963 {
24964 - static atomic64_t seq;
24965 + static atomic64_unchecked_t seq;
24966
24967 - if (!atomic64_read(&seq))
24968 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
24969 + if (!atomic64_read_unchecked(&seq))
24970 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
24971
24972 - return atomic64_inc_return(&seq);
24973 + return atomic64_inc_return_unchecked(&seq);
24974 }
24975 EXPORT_SYMBOL_GPL(cper_next_record_id);
24976
24977 diff -urNp linux-2.6.39.3/drivers/acpi/battery.c linux-2.6.39.3/drivers/acpi/battery.c
24978 --- linux-2.6.39.3/drivers/acpi/battery.c 2011-05-19 00:06:34.000000000 -0400
24979 +++ linux-2.6.39.3/drivers/acpi/battery.c 2011-05-22 19:36:30.000000000 -0400
24980 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24981 }
24982
24983 static struct battery_file {
24984 - struct file_operations ops;
24985 + const struct file_operations ops;
24986 mode_t mode;
24987 const char *name;
24988 } acpi_battery_file[] = {
24989 diff -urNp linux-2.6.39.3/drivers/acpi/dock.c linux-2.6.39.3/drivers/acpi/dock.c
24990 --- linux-2.6.39.3/drivers/acpi/dock.c 2011-05-19 00:06:34.000000000 -0400
24991 +++ linux-2.6.39.3/drivers/acpi/dock.c 2011-05-22 19:36:30.000000000 -0400
24992 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24993 struct list_head list;
24994 struct list_head hotplug_list;
24995 acpi_handle handle;
24996 - struct acpi_dock_ops *ops;
24997 + const struct acpi_dock_ops *ops;
24998 void *context;
24999 };
25000
25001 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
25002 * the dock driver after _DCK is executed.
25003 */
25004 int
25005 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
25006 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
25007 void *context)
25008 {
25009 struct dock_dependent_device *dd;
25010 diff -urNp linux-2.6.39.3/drivers/acpi/ec_sys.c linux-2.6.39.3/drivers/acpi/ec_sys.c
25011 --- linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-19 00:06:34.000000000 -0400
25012 +++ linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-22 19:36:30.000000000 -0400
25013 @@ -92,7 +92,7 @@ static ssize_t acpi_ec_write_io(struct f
25014 return count;
25015 }
25016
25017 -static struct file_operations acpi_ec_io_ops = {
25018 +static const struct file_operations acpi_ec_io_ops = {
25019 .owner = THIS_MODULE,
25020 .open = acpi_ec_open_io,
25021 .read = acpi_ec_read_io,
25022 diff -urNp linux-2.6.39.3/drivers/acpi/fan.c linux-2.6.39.3/drivers/acpi/fan.c
25023 --- linux-2.6.39.3/drivers/acpi/fan.c 2011-05-19 00:06:34.000000000 -0400
25024 +++ linux-2.6.39.3/drivers/acpi/fan.c 2011-05-22 19:36:30.000000000 -0400
25025 @@ -110,7 +110,7 @@ fan_set_cur_state(struct thermal_cooling
25026 return result;
25027 }
25028
25029 -static struct thermal_cooling_device_ops fan_cooling_ops = {
25030 +static const struct thermal_cooling_device_ops fan_cooling_ops = {
25031 .get_max_state = fan_get_max_state,
25032 .get_cur_state = fan_get_cur_state,
25033 .set_cur_state = fan_set_cur_state,
25034 diff -urNp linux-2.6.39.3/drivers/acpi/power_meter.c linux-2.6.39.3/drivers/acpi/power_meter.c
25035 --- linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-19 00:06:34.000000000 -0400
25036 +++ linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-22 19:36:30.000000000 -0400
25037 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
25038 return res;
25039
25040 temp /= 1000;
25041 - if (temp < 0)
25042 - return -EINVAL;
25043
25044 mutex_lock(&resource->lock);
25045 resource->trip[attr->index - 7] = temp;
25046 diff -urNp linux-2.6.39.3/drivers/acpi/proc.c linux-2.6.39.3/drivers/acpi/proc.c
25047 --- linux-2.6.39.3/drivers/acpi/proc.c 2011-05-19 00:06:34.000000000 -0400
25048 +++ linux-2.6.39.3/drivers/acpi/proc.c 2011-05-22 19:36:30.000000000 -0400
25049 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
25050 size_t count, loff_t * ppos)
25051 {
25052 struct list_head *node, *next;
25053 - char strbuf[5];
25054 - char str[5] = "";
25055 - unsigned int len = count;
25056 -
25057 - if (len > 4)
25058 - len = 4;
25059 - if (len < 0)
25060 - return -EFAULT;
25061 + char strbuf[5] = {0};
25062
25063 - if (copy_from_user(strbuf, buffer, len))
25064 + if (count > 4)
25065 + count = 4;
25066 + if (copy_from_user(strbuf, buffer, count))
25067 return -EFAULT;
25068 - strbuf[len] = '\0';
25069 - sscanf(strbuf, "%s", str);
25070 + strbuf[count] = '\0';
25071
25072 mutex_lock(&acpi_device_lock);
25073 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
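Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk compares against the raw user bytes, so leading whitespace and a trailing newline are no longer stripped. A bus id shorter than four characters written with a trailing newline would presumably stop matching. `count` is also clamped to 4 in place, so if the function returns `count` (outside the hunk), a longer write is now reported as a short write. Keeping the length in a local, `size_t len = min_t(size_t, count, 4);`, and trimming trailing whitespace from `strbuf` before the compare would keep the old behaviour.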
25074 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
25075 if (!dev->wakeup.flags.valid)
25076 continue;
25077
25078 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
25079 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
25080 if (device_can_wakeup(&dev->dev)) {
25081 bool enable = !device_may_wakeup(&dev->dev);
25082 device_set_wakeup_enable(&dev->dev, enable);
25083 diff -urNp linux-2.6.39.3/drivers/acpi/processor_driver.c linux-2.6.39.3/drivers/acpi/processor_driver.c
25084 --- linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-19 00:06:34.000000000 -0400
25085 +++ linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-22 19:36:30.000000000 -0400
25086 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
25087 return 0;
25088 #endif
25089
25090 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
25091 + BUG_ON(pr->id >= nr_cpu_ids);
25092
25093 /*
25094 * Buggy BIOS check
25095 diff -urNp linux-2.6.39.3/drivers/acpi/processor_idle.c linux-2.6.39.3/drivers/acpi/processor_idle.c
25096 --- linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-19 00:06:34.000000000 -0400
25097 +++ linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-22 19:36:30.000000000 -0400
25098 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
25099 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
25100 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
25101 (void *)1},
25102 - {},
25103 + {}
25104 };
25105
25106
25107 diff -urNp linux-2.6.39.3/drivers/acpi/processor_thermal.c linux-2.6.39.3/drivers/acpi/processor_thermal.c
25108 --- linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-19 00:06:34.000000000 -0400
25109 +++ linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-22 19:36:30.000000000 -0400
25110 @@ -244,7 +244,7 @@ processor_set_cur_state(struct thermal_c
25111 return result;
25112 }
25113
25114 -struct thermal_cooling_device_ops processor_cooling_ops = {
25115 +const struct thermal_cooling_device_ops processor_cooling_ops = {
25116 .get_max_state = processor_get_max_state,
25117 .get_cur_state = processor_get_cur_state,
25118 .set_cur_state = processor_set_cur_state,
25119 diff -urNp linux-2.6.39.3/drivers/acpi/sysfs.c linux-2.6.39.3/drivers/acpi/sysfs.c
25120 --- linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-19 00:06:34.000000000 -0400
25121 +++ linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-22 19:36:30.000000000 -0400
25122 @@ -149,12 +149,12 @@ static int param_get_debug_level(char *b
25123 return result;
25124 }
25125
25126 -static struct kernel_param_ops param_ops_debug_layer = {
25127 +static const struct kernel_param_ops param_ops_debug_layer = {
25128 .set = param_set_uint,
25129 .get = param_get_debug_layer,
25130 };
25131
25132 -static struct kernel_param_ops param_ops_debug_level = {
25133 +static const struct kernel_param_ops param_ops_debug_level = {
25134 .set = param_set_uint,
25135 .get = param_get_debug_level,
25136 };
25137 diff -urNp linux-2.6.39.3/drivers/acpi/thermal.c linux-2.6.39.3/drivers/acpi/thermal.c
25138 --- linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-19 00:06:34.000000000 -0400
25139 +++ linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-22 19:36:30.000000000 -0400
25140 @@ -812,7 +812,7 @@ acpi_thermal_unbind_cooling_device(struc
25141 thermal_zone_unbind_cooling_device);
25142 }
25143
25144 -static struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25145 +static const struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25146 .bind = acpi_thermal_bind_cooling_device,
25147 .unbind = acpi_thermal_unbind_cooling_device,
25148 .get_temp = thermal_get_temp,
25149 diff -urNp linux-2.6.39.3/drivers/acpi/video.c linux-2.6.39.3/drivers/acpi/video.c
25150 --- linux-2.6.39.3/drivers/acpi/video.c 2011-05-19 00:06:34.000000000 -0400
25151 +++ linux-2.6.39.3/drivers/acpi/video.c 2011-05-22 19:36:30.000000000 -0400
25152 @@ -308,7 +308,7 @@ video_set_cur_state(struct thermal_cooli
25153 return acpi_video_device_lcd_set_level(video, level);
25154 }
25155
25156 -static struct thermal_cooling_device_ops video_cooling_ops = {
25157 +static const struct thermal_cooling_device_ops video_cooling_ops = {
25158 .get_max_state = video_get_max_state,
25159 .get_cur_state = video_get_cur_state,
25160 .set_cur_state = video_set_cur_state,
25161 diff -urNp linux-2.6.39.3/drivers/ata/acard-ahci.c linux-2.6.39.3/drivers/ata/acard-ahci.c
25162 --- linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-19 00:06:34.000000000 -0400
25163 +++ linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-22 19:36:30.000000000 -0400
25164 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
25165 AHCI_SHT("acard-ahci"),
25166 };
25167
25168 -static struct ata_port_operations acard_ops = {
25169 +static const struct ata_port_operations acard_ops = {
25170 .inherits = &ahci_ops,
25171 .qc_prep = acard_ahci_qc_prep,
25172 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
25173 diff -urNp linux-2.6.39.3/drivers/ata/ahci.c linux-2.6.39.3/drivers/ata/ahci.c
25174 --- linux-2.6.39.3/drivers/ata/ahci.c 2011-05-19 00:06:34.000000000 -0400
25175 +++ linux-2.6.39.3/drivers/ata/ahci.c 2011-05-22 19:36:30.000000000 -0400
25176 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
25177 AHCI_SHT("ahci"),
25178 };
25179
25180 -static struct ata_port_operations ahci_vt8251_ops = {
25181 +static const struct ata_port_operations ahci_vt8251_ops = {
25182 .inherits = &ahci_ops,
25183 .hardreset = ahci_vt8251_hardreset,
25184 };
25185
25186 -static struct ata_port_operations ahci_p5wdh_ops = {
25187 +static const struct ata_port_operations ahci_p5wdh_ops = {
25188 .inherits = &ahci_ops,
25189 .hardreset = ahci_p5wdh_hardreset,
25190 };
25191
25192 -static struct ata_port_operations ahci_sb600_ops = {
25193 +static const struct ata_port_operations ahci_sb600_ops = {
25194 .inherits = &ahci_ops,
25195 .softreset = ahci_sb600_softreset,
25196 .pmp_softreset = ahci_sb600_softreset,
25197 diff -urNp linux-2.6.39.3/drivers/ata/ahci.h linux-2.6.39.3/drivers/ata/ahci.h
25198 --- linux-2.6.39.3/drivers/ata/ahci.h 2011-05-19 00:06:34.000000000 -0400
25199 +++ linux-2.6.39.3/drivers/ata/ahci.h 2011-05-22 19:36:30.000000000 -0400
25200 @@ -311,7 +311,7 @@ extern struct device_attribute *ahci_sde
25201 .shost_attrs = ahci_shost_attrs, \
25202 .sdev_attrs = ahci_sdev_attrs
25203
25204 -extern struct ata_port_operations ahci_ops;
25205 +extern const struct ata_port_operations ahci_ops;
25206
25207 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
25208 u32 opts);
25209 diff -urNp linux-2.6.39.3/drivers/ata/ata_generic.c linux-2.6.39.3/drivers/ata/ata_generic.c
25210 --- linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-19 00:06:34.000000000 -0400
25211 +++ linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-22 19:36:30.000000000 -0400
25212 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
25213 ATA_BMDMA_SHT(DRV_NAME),
25214 };
25215
25216 -static struct ata_port_operations generic_port_ops = {
25217 +static const struct ata_port_operations generic_port_ops = {
25218 .inherits = &ata_bmdma_port_ops,
25219 .cable_detect = ata_cable_unknown,
25220 .set_mode = generic_set_mode,
25221 diff -urNp linux-2.6.39.3/drivers/ata/ata_piix.c linux-2.6.39.3/drivers/ata/ata_piix.c
25222 --- linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-19 00:06:34.000000000 -0400
25223 +++ linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-22 19:36:30.000000000 -0400
25224 @@ -335,12 +335,12 @@ static struct scsi_host_template piix_sh
25225 ATA_BMDMA_SHT(DRV_NAME),
25226 };
25227
25228 -static struct ata_port_operations piix_sata_ops = {
25229 +static const struct ata_port_operations piix_sata_ops = {
25230 .inherits = &ata_bmdma32_port_ops,
25231 .sff_irq_check = piix_irq_check,
25232 };
25233
25234 -static struct ata_port_operations piix_pata_ops = {
25235 +static const struct ata_port_operations piix_pata_ops = {
25236 .inherits = &piix_sata_ops,
25237 .cable_detect = ata_cable_40wire,
25238 .set_piomode = piix_set_piomode,
25239 @@ -348,12 +348,12 @@ static struct ata_port_operations piix_p
25240 .prereset = piix_pata_prereset,
25241 };
25242
25243 -static struct ata_port_operations piix_vmw_ops = {
25244 +static const struct ata_port_operations piix_vmw_ops = {
25245 .inherits = &piix_pata_ops,
25246 .bmdma_status = piix_vmw_bmdma_status,
25247 };
25248
25249 -static struct ata_port_operations ich_pata_ops = {
25250 +static const struct ata_port_operations ich_pata_ops = {
25251 .inherits = &piix_pata_ops,
25252 .cable_detect = ich_pata_cable_detect,
25253 .set_dmamode = ich_set_dmamode,
25254 @@ -369,7 +369,7 @@ static struct scsi_host_template piix_si
25255 .shost_attrs = piix_sidpr_shost_attrs,
25256 };
25257
25258 -static struct ata_port_operations piix_sidpr_sata_ops = {
25259 +static const struct ata_port_operations piix_sidpr_sata_ops = {
25260 .inherits = &piix_sata_ops,
25261 .hardreset = sata_std_hardreset,
25262 .scr_read = piix_sidpr_scr_read,
25263 diff -urNp linux-2.6.39.3/drivers/ata/libahci.c linux-2.6.39.3/drivers/ata/libahci.c
25264 --- linux-2.6.39.3/drivers/ata/libahci.c 2011-05-19 00:06:34.000000000 -0400
25265 +++ linux-2.6.39.3/drivers/ata/libahci.c 2011-05-22 19:36:30.000000000 -0400
25266 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
25267 };
25268 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
25269
25270 -struct ata_port_operations ahci_ops = {
25271 +const struct ata_port_operations ahci_ops = {
25272 .inherits = &sata_pmp_port_ops,
25273
25274 .qc_defer = ahci_pmp_qc_defer,
25275 diff -urNp linux-2.6.39.3/drivers/ata/libata-acpi.c linux-2.6.39.3/drivers/ata/libata-acpi.c
25276 --- linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-19 00:06:34.000000000 -0400
25277 +++ linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-22 19:36:30.000000000 -0400
25278 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
25279 ata_acpi_uevent(dev->link->ap, dev, event);
25280 }
25281
25282 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25283 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25284 .handler = ata_acpi_dev_notify_dock,
25285 .uevent = ata_acpi_dev_uevent,
25286 };
25287
25288 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25289 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25290 .handler = ata_acpi_ap_notify_dock,
25291 .uevent = ata_acpi_ap_uevent,
25292 };
25293 diff -urNp linux-2.6.39.3/drivers/ata/libata-core.c linux-2.6.39.3/drivers/ata/libata-core.c
25294 --- linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-19 00:06:34.000000000 -0400
25295 +++ linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-22 19:36:30.000000000 -0400
25296 @@ -4747,7 +4747,7 @@ void ata_qc_free(struct ata_queued_cmd *
25297 struct ata_port *ap;
25298 unsigned int tag;
25299
25300 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25301 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25302 ap = qc->ap;
25303
25304 qc->flags = 0;
25305 @@ -4763,7 +4763,7 @@ void __ata_qc_complete(struct ata_queued
25306 struct ata_port *ap;
25307 struct ata_link *link;
25308
25309 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25310 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25311 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
25312 ap = qc->ap;
25313 link = qc->dev->link;
25314 @@ -5756,7 +5756,7 @@ static void ata_host_stop(struct device
25315 * LOCKING:
25316 * None.
25317 */
25318 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
25319 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
25320 {
25321 static DEFINE_SPINLOCK(lock);
25322 const struct ata_port_operations *cur;
25323 @@ -5768,6 +5768,7 @@ static void ata_finalize_port_ops(struct
25324 return;
25325
25326 spin_lock(&lock);
25327 + pax_open_kernel();
25328
25329 for (cur = ops->inherits; cur; cur = cur->inherits) {
25330 void **inherit = (void **)cur;
25331 @@ -5781,8 +5782,9 @@ static void ata_finalize_port_ops(struct
25332 if (IS_ERR(*pp))
25333 *pp = NULL;
25334
25335 - ops->inherits = NULL;
25336 + ((struct ata_port_operations *)ops)->inherits = NULL;
25337
25338 + pax_close_kernel();
25339 spin_unlock(&lock);
25340 }
25341
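Review bot: `ata_finalize_port_ops` now takes `const struct ata_port_operations *ops` yet still writes through it, via `((struct ata_port_operations *)ops)->inherits = NULL;` and the `*pp = NULL` store just above, relying on the `pax_open_kernel()`/`pax_close_kernel()` pair added in this and the previous hunk. The cast deserves a comment at the write, e.g. `/* ops tables are const; this one-time fixup is only valid inside pax_open_kernel() */`. The window is opened after `spin_lock(&lock)` and closed before `spin_unlock(&lock)`, so any exit path added between them later would also have to close it. The start of the function and the declaration of `pp` are outside these hunks.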
25342 @@ -5879,7 +5881,7 @@ int ata_host_start(struct ata_host *host
25343 */
25344 /* KILLME - the only user left is ipr */
25345 void ata_host_init(struct ata_host *host, struct device *dev,
25346 - unsigned long flags, struct ata_port_operations *ops)
25347 + unsigned long flags, const struct ata_port_operations *ops)
25348 {
25349 spin_lock_init(&host->lock);
25350 mutex_init(&host->eh_mutex);
25351 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
25352 /* truly dummy */
25353 }
25354
25355 -struct ata_port_operations ata_dummy_port_ops = {
25356 +const struct ata_port_operations ata_dummy_port_ops = {
25357 .qc_prep = ata_noop_qc_prep,
25358 .qc_issue = ata_dummy_qc_issue,
25359 .error_handler = ata_dummy_error_handler,
25360 diff -urNp linux-2.6.39.3/drivers/ata/libata-eh.c linux-2.6.39.3/drivers/ata/libata-eh.c
25361 --- linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-19 00:06:34.000000000 -0400
25362 +++ linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-22 19:36:30.000000000 -0400
25363 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
25364 {
25365 struct ata_link *link;
25366
25367 + pax_track_stack();
25368 +
25369 ata_for_each_link(link, ap, HOST_FIRST)
25370 ata_eh_link_report(link);
25371 }
25372 @@ -3922,7 +3924,7 @@ void ata_do_eh(struct ata_port *ap, ata_
25373 */
25374 void ata_std_error_handler(struct ata_port *ap)
25375 {
25376 - struct ata_port_operations *ops = ap->ops;
25377 + const struct ata_port_operations *ops = ap->ops;
25378 ata_reset_fn_t hardreset = ops->hardreset;
25379
25380 /* ignore built-in hardreset if SCR access is not available */
25381 diff -urNp linux-2.6.39.3/drivers/ata/libata-pmp.c linux-2.6.39.3/drivers/ata/libata-pmp.c
25382 --- linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-19 00:06:34.000000000 -0400
25383 +++ linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-22 19:36:30.000000000 -0400
25384 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
25385 */
25386 static int sata_pmp_eh_recover(struct ata_port *ap)
25387 {
25388 - struct ata_port_operations *ops = ap->ops;
25389 + const struct ata_port_operations *ops = ap->ops;
25390 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25391 struct ata_link *pmp_link = &ap->link;
25392 struct ata_device *pmp_dev = pmp_link->device;
25393 diff -urNp linux-2.6.39.3/drivers/ata/pata_acpi.c linux-2.6.39.3/drivers/ata/pata_acpi.c
25394 --- linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-19 00:06:34.000000000 -0400
25395 +++ linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-22 19:36:30.000000000 -0400
25396 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
25397 ATA_BMDMA_SHT(DRV_NAME),
25398 };
25399
25400 -static struct ata_port_operations pacpi_ops = {
25401 +static const struct ata_port_operations pacpi_ops = {
25402 .inherits = &ata_bmdma_port_ops,
25403 .qc_issue = pacpi_qc_issue,
25404 .cable_detect = pacpi_cable_detect,
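Review bot: `pacpi_ops` becomes `const` while still setting `.inherits`, and libata resolves inheritance at host start by writing the parent's callbacks into the table and clearing `.inherits`. With the table in read-only data, that write has to happen between `pax_open_kernel()` and `pax_close_kernel()` in the core. The finalisation code is not in the visible part of the patch, so confirm it was adjusted; otherwise the first host start on a kernel with read-only data enforced would fault. The same applies to every other const-qualified table with `.inherits` in the pata_* hunks that follow.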
25405 diff -urNp linux-2.6.39.3/drivers/ata/pata_ali.c linux-2.6.39.3/drivers/ata/pata_ali.c
25406 --- linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-19 00:06:34.000000000 -0400
25407 +++ linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-22 19:36:30.000000000 -0400
25408 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
25409 * Port operations for PIO only ALi
25410 */
25411
25412 -static struct ata_port_operations ali_early_port_ops = {
25413 +static const struct ata_port_operations ali_early_port_ops = {
25414 .inherits = &ata_sff_port_ops,
25415 .cable_detect = ata_cable_40wire,
25416 .set_piomode = ali_set_piomode,
25417 @@ -380,7 +380,7 @@ static const struct ata_port_operations
25418 * Port operations for DMA capable ALi without cable
25419 * detect
25420 */
25421 -static struct ata_port_operations ali_20_port_ops = {
25422 +static const struct ata_port_operations ali_20_port_ops = {
25423 .inherits = &ali_dma_base_ops,
25424 .cable_detect = ata_cable_40wire,
25425 .mode_filter = ali_20_filter,
25426 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
25427 /*
25428 * Port operations for DMA capable ALi with cable detect
25429 */
25430 -static struct ata_port_operations ali_c2_port_ops = {
25431 +static const struct ata_port_operations ali_c2_port_ops = {
25432 .inherits = &ali_dma_base_ops,
25433 .check_atapi_dma = ali_check_atapi_dma,
25434 .cable_detect = ali_c2_cable_detect,
25435 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
25436 /*
25437 * Port operations for DMA capable ALi with cable detect
25438 */
25439 -static struct ata_port_operations ali_c4_port_ops = {
25440 +static const struct ata_port_operations ali_c4_port_ops = {
25441 .inherits = &ali_dma_base_ops,
25442 .check_atapi_dma = ali_check_atapi_dma,
25443 .cable_detect = ali_c2_cable_detect,
25444 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
25445 /*
25446 * Port operations for DMA capable ALi with cable detect and LBA48
25447 */
25448 -static struct ata_port_operations ali_c5_port_ops = {
25449 +static const struct ata_port_operations ali_c5_port_ops = {
25450 .inherits = &ali_dma_base_ops,
25451 .check_atapi_dma = ali_check_atapi_dma,
25452 .dev_config = ali_warn_atapi_dma,
25453 diff -urNp linux-2.6.39.3/drivers/ata/pata_amd.c linux-2.6.39.3/drivers/ata/pata_amd.c
25454 --- linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-19 00:06:34.000000000 -0400
25455 +++ linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-22 19:36:31.000000000 -0400
25456 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25457 .prereset = amd_pre_reset,
25458 };
25459
25460 -static struct ata_port_operations amd33_port_ops = {
25461 +static const struct ata_port_operations amd33_port_ops = {
25462 .inherits = &amd_base_port_ops,
25463 .cable_detect = ata_cable_40wire,
25464 .set_piomode = amd33_set_piomode,
25465 .set_dmamode = amd33_set_dmamode,
25466 };
25467
25468 -static struct ata_port_operations amd66_port_ops = {
25469 +static const struct ata_port_operations amd66_port_ops = {
25470 .inherits = &amd_base_port_ops,
25471 .cable_detect = ata_cable_unknown,
25472 .set_piomode = amd66_set_piomode,
25473 .set_dmamode = amd66_set_dmamode,
25474 };
25475
25476 -static struct ata_port_operations amd100_port_ops = {
25477 +static const struct ata_port_operations amd100_port_ops = {
25478 .inherits = &amd_base_port_ops,
25479 .cable_detect = ata_cable_unknown,
25480 .set_piomode = amd100_set_piomode,
25481 .set_dmamode = amd100_set_dmamode,
25482 };
25483
25484 -static struct ata_port_operations amd133_port_ops = {
25485 +static const struct ata_port_operations amd133_port_ops = {
25486 .inherits = &amd_base_port_ops,
25487 .cable_detect = amd_cable_detect,
25488 .set_piomode = amd133_set_piomode,
25489 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25490 .host_stop = nv_host_stop,
25491 };
25492
25493 -static struct ata_port_operations nv100_port_ops = {
25494 +static const struct ata_port_operations nv100_port_ops = {
25495 .inherits = &nv_base_port_ops,
25496 .set_piomode = nv100_set_piomode,
25497 .set_dmamode = nv100_set_dmamode,
25498 };
25499
25500 -static struct ata_port_operations nv133_port_ops = {
25501 +static const struct ata_port_operations nv133_port_ops = {
25502 .inherits = &nv_base_port_ops,
25503 .set_piomode = nv133_set_piomode,
25504 .set_dmamode = nv133_set_dmamode,
25505 diff -urNp linux-2.6.39.3/drivers/ata/pata_arasan_cf.c linux-2.6.39.3/drivers/ata/pata_arasan_cf.c
25506 --- linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-19 00:06:34.000000000 -0400
25507 +++ linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-22 19:36:31.000000000 -0400
25508 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
25509 /* Handle platform specific quirks */
25510 if (pdata->quirk) {
25511 if (pdata->quirk & CF_BROKEN_PIO) {
25512 - ap->ops->set_piomode = NULL;
25513 + pax_open_kernel();
25514 + *(void**)&ap->ops->set_piomode = NULL;
25515 + pax_close_kernel();
25516 ap->pio_mask = 0;
25517 }
25518 if (pdata->quirk & CF_BROKEN_MWDMA)
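Review bot: The `CF_BROKEN_PIO` path still patches the ops table at runtime, now via `*(void**)&ap->ops->set_piomode = NULL;` between `pax_open_kernel()` and `pax_close_kernel()`, so it opens a window with kernel write protection lifted just to clear one callback. `ap->ops` presumably points at the driver's single ops structure rather than a per-port copy (its definition is outside the hunk), in which case the write changes behaviour for every port that uses it. The `void **` cast on a function-pointer member also bypasses type checking. A second const table without `.set_piomode`, selected for `ap->ops` when the quirk is set, would remove the write and the open/close pair entirely. arasan_cf_probe() starts and ends outside the hunk.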
25519 diff -urNp linux-2.6.39.3/drivers/ata/pata_artop.c linux-2.6.39.3/drivers/ata/pata_artop.c
25520 --- linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-19 00:06:34.000000000 -0400
25521 +++ linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-22 19:36:31.000000000 -0400
25522 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
25523 ATA_BMDMA_SHT(DRV_NAME),
25524 };
25525
25526 -static struct ata_port_operations artop6210_ops = {
25527 +static const struct ata_port_operations artop6210_ops = {
25528 .inherits = &ata_bmdma_port_ops,
25529 .cable_detect = ata_cable_40wire,
25530 .set_piomode = artop6210_set_piomode,
25531 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
25532 .qc_defer = artop6210_qc_defer,
25533 };
25534
25535 -static struct ata_port_operations artop6260_ops = {
25536 +static const struct ata_port_operations artop6260_ops = {
25537 .inherits = &ata_bmdma_port_ops,
25538 .cable_detect = artop6260_cable_detect,
25539 .set_piomode = artop6260_set_piomode,
25540 diff -urNp linux-2.6.39.3/drivers/ata/pata_at32.c linux-2.6.39.3/drivers/ata/pata_at32.c
25541 --- linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-19 00:06:34.000000000 -0400
25542 +++ linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-22 19:36:31.000000000 -0400
25543 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
25544 ATA_PIO_SHT(DRV_NAME),
25545 };
25546
25547 -static struct ata_port_operations at32_port_ops = {
25548 +static const struct ata_port_operations at32_port_ops = {
25549 .inherits = &ata_sff_port_ops,
25550 .cable_detect = ata_cable_40wire,
25551 .set_piomode = pata_at32_set_piomode,
25552 diff -urNp linux-2.6.39.3/drivers/ata/pata_at91.c linux-2.6.39.3/drivers/ata/pata_at91.c
25553 --- linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-19 00:06:34.000000000 -0400
25554 +++ linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-22 19:36:31.000000000 -0400
25555 @@ -212,7 +212,7 @@ static struct scsi_host_template pata_at
25556 ATA_PIO_SHT(DRV_NAME),
25557 };
25558
25559 -static struct ata_port_operations pata_at91_port_ops = {
25560 +static const struct ata_port_operations pata_at91_port_ops = {
25561 .inherits = &ata_sff_port_ops,
25562
25563 .sff_data_xfer = pata_at91_data_xfer_noirq,
25564 diff -urNp linux-2.6.39.3/drivers/ata/pata_atiixp.c linux-2.6.39.3/drivers/ata/pata_atiixp.c
25565 --- linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-19 00:06:34.000000000 -0400
25566 +++ linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-22 19:36:31.000000000 -0400
25567 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
25568 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25569 };
25570
25571 -static struct ata_port_operations atiixp_port_ops = {
25572 +static const struct ata_port_operations atiixp_port_ops = {
25573 .inherits = &ata_bmdma_port_ops,
25574
25575 .qc_prep = ata_bmdma_dumb_qc_prep,
25576 diff -urNp linux-2.6.39.3/drivers/ata/pata_atp867x.c linux-2.6.39.3/drivers/ata/pata_atp867x.c
25577 --- linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-19 00:06:34.000000000 -0400
25578 +++ linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-22 19:36:31.000000000 -0400
25579 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
25580 ATA_BMDMA_SHT(DRV_NAME),
25581 };
25582
25583 -static struct ata_port_operations atp867x_ops = {
25584 +static const struct ata_port_operations atp867x_ops = {
25585 .inherits = &ata_bmdma_port_ops,
25586 .cable_detect = atp867x_cable_detect,
25587 .set_piomode = atp867x_set_piomode,
25588 diff -urNp linux-2.6.39.3/drivers/ata/pata_bf54x.c linux-2.6.39.3/drivers/ata/pata_bf54x.c
25589 --- linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-19 00:06:34.000000000 -0400
25590 +++ linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-22 19:36:31.000000000 -0400
25591 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
25592 .dma_boundary = ATA_DMA_BOUNDARY,
25593 };
25594
25595 -static struct ata_port_operations bfin_pata_ops = {
25596 +static const struct ata_port_operations bfin_pata_ops = {
25597 .inherits = &ata_bmdma_port_ops,
25598
25599 .set_piomode = bfin_set_piomode,
25600 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd640.c linux-2.6.39.3/drivers/ata/pata_cmd640.c
25601 --- linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-19 00:06:34.000000000 -0400
25602 +++ linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-22 19:36:31.000000000 -0400
25603 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
25604 ATA_PIO_SHT(DRV_NAME),
25605 };
25606
25607 -static struct ata_port_operations cmd640_port_ops = {
25608 +static const struct ata_port_operations cmd640_port_ops = {
25609 .inherits = &ata_sff_port_ops,
25610 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25611 .sff_data_xfer = ata_sff_data_xfer_noirq,
25612 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd64x.c linux-2.6.39.3/drivers/ata/pata_cmd64x.c
25613 --- linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:04:13.000000000 -0400
25614 +++ linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:32:05.000000000 -0400
25615 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25616 .set_dmamode = cmd64x_set_dmamode,
25617 };
25618
25619 -static struct ata_port_operations cmd64x_port_ops = {
25620 +static const struct ata_port_operations cmd64x_port_ops = {
25621 .inherits = &cmd64x_base_ops,
25622 .cable_detect = ata_cable_40wire,
25623 };
25624
25625 -static struct ata_port_operations cmd646r1_port_ops = {
25626 +static const struct ata_port_operations cmd646r1_port_ops = {
25627 .inherits = &cmd64x_base_ops,
25628 .bmdma_stop = cmd646r1_bmdma_stop,
25629 .cable_detect = ata_cable_40wire,
25630 };
25631
25632 -static struct ata_port_operations cmd648_port_ops = {
25633 +static const struct ata_port_operations cmd648_port_ops = {
25634 .inherits = &cmd64x_base_ops,
25635 .bmdma_stop = cmd648_bmdma_stop,
25636 .cable_detect = cmd648_cable_detect,
25637 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5520.c linux-2.6.39.3/drivers/ata/pata_cs5520.c
25638 --- linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-19 00:06:34.000000000 -0400
25639 +++ linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-22 19:36:31.000000000 -0400
25640 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
25641 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25642 };
25643
25644 -static struct ata_port_operations cs5520_port_ops = {
25645 +static const struct ata_port_operations cs5520_port_ops = {
25646 .inherits = &ata_bmdma_port_ops,
25647 .qc_prep = ata_bmdma_dumb_qc_prep,
25648 .cable_detect = ata_cable_40wire,
25649 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5530.c linux-2.6.39.3/drivers/ata/pata_cs5530.c
25650 --- linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-19 00:06:34.000000000 -0400
25651 +++ linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-22 19:36:31.000000000 -0400
25652 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25653 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25654 };
25655
25656 -static struct ata_port_operations cs5530_port_ops = {
25657 +static const struct ata_port_operations cs5530_port_ops = {
25658 .inherits = &ata_bmdma_port_ops,
25659
25660 .qc_prep = ata_bmdma_dumb_qc_prep,
25661 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5535.c linux-2.6.39.3/drivers/ata/pata_cs5535.c
25662 --- linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-19 00:06:34.000000000 -0400
25663 +++ linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-22 19:36:31.000000000 -0400
25664 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25665 ATA_BMDMA_SHT(DRV_NAME),
25666 };
25667
25668 -static struct ata_port_operations cs5535_port_ops = {
25669 +static const struct ata_port_operations cs5535_port_ops = {
25670 .inherits = &ata_bmdma_port_ops,
25671 .cable_detect = cs5535_cable_detect,
25672 .set_piomode = cs5535_set_piomode,
25673 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5536.c linux-2.6.39.3/drivers/ata/pata_cs5536.c
25674 --- linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-19 00:06:34.000000000 -0400
25675 +++ linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-22 19:36:31.000000000 -0400
25676 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
25677 ATA_BMDMA_SHT(DRV_NAME),
25678 };
25679
25680 -static struct ata_port_operations cs5536_port_ops = {
25681 +static const struct ata_port_operations cs5536_port_ops = {
25682 .inherits = &ata_bmdma32_port_ops,
25683 .cable_detect = cs5536_cable_detect,
25684 .set_piomode = cs5536_set_piomode,
25685 diff -urNp linux-2.6.39.3/drivers/ata/pata_cypress.c linux-2.6.39.3/drivers/ata/pata_cypress.c
25686 --- linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-19 00:06:34.000000000 -0400
25687 +++ linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-22 19:36:31.000000000 -0400
25688 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
25689 ATA_BMDMA_SHT(DRV_NAME),
25690 };
25691
25692 -static struct ata_port_operations cy82c693_port_ops = {
25693 +static const struct ata_port_operations cy82c693_port_ops = {
25694 .inherits = &ata_bmdma_port_ops,
25695 .cable_detect = ata_cable_40wire,
25696 .set_piomode = cy82c693_set_piomode,
25697 diff -urNp linux-2.6.39.3/drivers/ata/pata_efar.c linux-2.6.39.3/drivers/ata/pata_efar.c
25698 --- linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-19 00:06:34.000000000 -0400
25699 +++ linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-22 19:36:31.000000000 -0400
25700 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
25701 ATA_BMDMA_SHT(DRV_NAME),
25702 };
25703
25704 -static struct ata_port_operations efar_ops = {
25705 +static const struct ata_port_operations efar_ops = {
25706 .inherits = &ata_bmdma_port_ops,
25707 .cable_detect = efar_cable_detect,
25708 .set_piomode = efar_set_piomode,
25709 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt366.c linux-2.6.39.3/drivers/ata/pata_hpt366.c
25710 --- linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-19 00:06:34.000000000 -0400
25711 +++ linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-22 19:36:31.000000000 -0400
25712 @@ -276,7 +276,7 @@ static struct scsi_host_template hpt36x_
25713 * Configuration for HPT366/68
25714 */
25715
25716 -static struct ata_port_operations hpt366_port_ops = {
25717 +static const struct ata_port_operations hpt366_port_ops = {
25718 .inherits = &ata_bmdma_port_ops,
25719 .cable_detect = hpt36x_cable_detect,
25720 .mode_filter = hpt366_filter,
25721 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt37x.c linux-2.6.39.3/drivers/ata/pata_hpt37x.c
25722 --- linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-19 00:06:34.000000000 -0400
25723 +++ linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-22 19:36:31.000000000 -0400
25724 @@ -589,7 +589,7 @@ static struct scsi_host_template hpt37x_
25725 * Configuration for HPT370
25726 */
25727
25728 -static struct ata_port_operations hpt370_port_ops = {
25729 +static const struct ata_port_operations hpt370_port_ops = {
25730 .inherits = &ata_bmdma_port_ops,
25731
25732 .bmdma_stop = hpt370_bmdma_stop,
25733 @@ -605,7 +605,7 @@ static struct ata_port_operations hpt370
25734 * Configuration for HPT370A. Close to 370 but less filters
25735 */
25736
25737 -static struct ata_port_operations hpt370a_port_ops = {
25738 +static const struct ata_port_operations hpt370a_port_ops = {
25739 .inherits = &hpt370_port_ops,
25740 .mode_filter = hpt370a_filter,
25741 };
25742 @@ -615,7 +615,7 @@ static struct ata_port_operations hpt370
25743 * mode setting functionality.
25744 */
25745
25746 -static struct ata_port_operations hpt302_port_ops = {
25747 +static const struct ata_port_operations hpt302_port_ops = {
25748 .inherits = &ata_bmdma_port_ops,
25749
25750 .bmdma_stop = hpt37x_bmdma_stop,
25751 @@ -631,7 +631,7 @@ static struct ata_port_operations hpt302
25752 * but we have a mode filter.
25753 */
25754
25755 -static struct ata_port_operations hpt372_port_ops = {
25756 +static const struct ata_port_operations hpt372_port_ops = {
25757 .inherits = &hpt302_port_ops,
25758 .mode_filter = hpt372_filter,
25759 };
25760 @@ -641,7 +641,7 @@ static struct ata_port_operations hpt372
25761 * but we have a different cable detection procedure for function 1.
25762 */
25763
25764 -static struct ata_port_operations hpt374_fn1_port_ops = {
25765 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25766 .inherits = &hpt372_port_ops,
25767 .cable_detect = hpt374_fn1_cable_detect,
25768 };
25769 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c
25770 --- linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-19 00:06:34.000000000 -0400
25771 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-22 19:36:31.000000000 -0400
25772 @@ -350,7 +350,7 @@ static struct scsi_host_template hpt3x2n
25773 * Configuration for HPT302N/371N.
25774 */
25775
25776 -static struct ata_port_operations hpt3xxn_port_ops = {
25777 +static const struct ata_port_operations hpt3xxn_port_ops = {
25778 .inherits = &ata_bmdma_port_ops,
25779
25780 .bmdma_stop = hpt3x2n_bmdma_stop,
25781 @@ -368,7 +368,7 @@ static struct ata_port_operations hpt3xx
25782 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
25783 */
25784
25785 -static struct ata_port_operations hpt372n_port_ops = {
25786 +static const struct ata_port_operations hpt372n_port_ops = {
25787 .inherits = &hpt3xxn_port_ops,
25788 .mode_filter = &hpt372n_filter,
25789 };
25790 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x3.c linux-2.6.39.3/drivers/ata/pata_hpt3x3.c
25791 --- linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-19 00:06:34.000000000 -0400
25792 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-22 19:36:31.000000000 -0400
25793 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25794 ATA_BMDMA_SHT(DRV_NAME),
25795 };
25796
25797 -static struct ata_port_operations hpt3x3_port_ops = {
25798 +static const struct ata_port_operations hpt3x3_port_ops = {
25799 .inherits = &ata_bmdma_port_ops,
25800 .cable_detect = ata_cable_40wire,
25801 .set_piomode = hpt3x3_set_piomode,
25802 diff -urNp linux-2.6.39.3/drivers/ata/pata_icside.c linux-2.6.39.3/drivers/ata/pata_icside.c
25803 --- linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-19 00:06:34.000000000 -0400
25804 +++ linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-22 19:36:31.000000000 -0400
25805 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
25806 }
25807 }
25808
25809 -static struct ata_port_operations pata_icside_port_ops = {
25810 +static const struct ata_port_operations pata_icside_port_ops = {
25811 .inherits = &ata_bmdma_port_ops,
25812 /* no need to build any PRD tables for DMA */
25813 .qc_prep = ata_noop_qc_prep,
25814 diff -urNp linux-2.6.39.3/drivers/ata/pata_isapnp.c linux-2.6.39.3/drivers/ata/pata_isapnp.c
25815 --- linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-19 00:06:34.000000000 -0400
25816 +++ linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-22 19:36:31.000000000 -0400
25817 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25818 ATA_PIO_SHT(DRV_NAME),
25819 };
25820
25821 -static struct ata_port_operations isapnp_port_ops = {
25822 +static const struct ata_port_operations isapnp_port_ops = {
25823 .inherits = &ata_sff_port_ops,
25824 .cable_detect = ata_cable_40wire,
25825 };
25826
25827 -static struct ata_port_operations isapnp_noalt_port_ops = {
25828 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25829 .inherits = &ata_sff_port_ops,
25830 .cable_detect = ata_cable_40wire,
25831 /* No altstatus so we don't want to use the lost interrupt poll */
25832 diff -urNp linux-2.6.39.3/drivers/ata/pata_it8213.c linux-2.6.39.3/drivers/ata/pata_it8213.c
25833 --- linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-19 00:06:34.000000000 -0400
25834 +++ linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-22 19:36:31.000000000 -0400
25835 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
25836 };
25837
25838
25839 -static struct ata_port_operations it8213_ops = {
25840 +static const struct ata_port_operations it8213_ops = {
25841 .inherits = &ata_bmdma_port_ops,
25842 .cable_detect = it8213_cable_detect,
25843 .set_piomode = it8213_set_piomode,
25844 diff -urNp linux-2.6.39.3/drivers/ata/pata_it821x.c linux-2.6.39.3/drivers/ata/pata_it821x.c
25845 --- linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-19 00:06:34.000000000 -0400
25846 +++ linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-22 19:36:31.000000000 -0400
25847 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
25848 ATA_BMDMA_SHT(DRV_NAME),
25849 };
25850
25851 -static struct ata_port_operations it821x_smart_port_ops = {
25852 +static const struct ata_port_operations it821x_smart_port_ops = {
25853 .inherits = &ata_bmdma_port_ops,
25854
25855 .check_atapi_dma= it821x_check_atapi_dma,
25856 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
25857 .port_start = it821x_port_start,
25858 };
25859
25860 -static struct ata_port_operations it821x_passthru_port_ops = {
25861 +static const struct ata_port_operations it821x_passthru_port_ops = {
25862 .inherits = &ata_bmdma_port_ops,
25863
25864 .check_atapi_dma= it821x_check_atapi_dma,
25865 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
25866 .port_start = it821x_port_start,
25867 };
25868
25869 -static struct ata_port_operations it821x_rdc_port_ops = {
25870 +static const struct ata_port_operations it821x_rdc_port_ops = {
25871 .inherits = &ata_bmdma_port_ops,
25872
25873 .check_atapi_dma= it821x_check_atapi_dma,
25874 diff -urNp linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c
25875 --- linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-19 00:06:34.000000000 -0400
25876 +++ linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-22 19:36:31.000000000 -0400
25877 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25878 ATA_PIO_SHT(DRV_NAME),
25879 };
25880
25881 -static struct ata_port_operations ixp4xx_port_ops = {
25882 +static const struct ata_port_operations ixp4xx_port_ops = {
25883 .inherits = &ata_sff_port_ops,
25884 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25885 .cable_detect = ata_cable_40wire,
25886 diff -urNp linux-2.6.39.3/drivers/ata/pata_jmicron.c linux-2.6.39.3/drivers/ata/pata_jmicron.c
25887 --- linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-19 00:06:34.000000000 -0400
25888 +++ linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-22 19:36:31.000000000 -0400
25889 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25890 ATA_BMDMA_SHT(DRV_NAME),
25891 };
25892
25893 -static struct ata_port_operations jmicron_ops = {
25894 +static const struct ata_port_operations jmicron_ops = {
25895 .inherits = &ata_bmdma_port_ops,
25896 .prereset = jmicron_pre_reset,
25897 };
25898 diff -urNp linux-2.6.39.3/drivers/ata/pata_legacy.c linux-2.6.39.3/drivers/ata/pata_legacy.c
25899 --- linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-19 00:06:34.000000000 -0400
25900 +++ linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-22 19:36:31.000000000 -0400
25901 @@ -116,7 +116,7 @@ struct legacy_probe {
25902
25903 struct legacy_controller {
25904 const char *name;
25905 - struct ata_port_operations *ops;
25906 + const struct ata_port_operations *ops;
25907 unsigned int pio_mask;
25908 unsigned int flags;
25909 unsigned int pflags;
25910 @@ -239,12 +239,12 @@ static const struct ata_port_operations
25911 * pio_mask as well.
25912 */
25913
25914 -static struct ata_port_operations simple_port_ops = {
25915 +static const struct ata_port_operations simple_port_ops = {
25916 .inherits = &legacy_base_port_ops,
25917 .sff_data_xfer = ata_sff_data_xfer_noirq,
25918 };
25919
25920 -static struct ata_port_operations legacy_port_ops = {
25921 +static const struct ata_port_operations legacy_port_ops = {
25922 .inherits = &legacy_base_port_ops,
25923 .sff_data_xfer = ata_sff_data_xfer_noirq,
25924 .set_mode = legacy_set_mode,
25925 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
25926 return buflen;
25927 }
25928
25929 -static struct ata_port_operations pdc20230_port_ops = {
25930 +static const struct ata_port_operations pdc20230_port_ops = {
25931 .inherits = &legacy_base_port_ops,
25932 .set_piomode = pdc20230_set_piomode,
25933 .sff_data_xfer = pdc_data_xfer_vlb,
25934 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
25935 ioread8(ap->ioaddr.status_addr);
25936 }
25937
25938 -static struct ata_port_operations ht6560a_port_ops = {
25939 +static const struct ata_port_operations ht6560a_port_ops = {
25940 .inherits = &legacy_base_port_ops,
25941 .set_piomode = ht6560a_set_piomode,
25942 };
25943 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
25944 ioread8(ap->ioaddr.status_addr);
25945 }
25946
25947 -static struct ata_port_operations ht6560b_port_ops = {
25948 +static const struct ata_port_operations ht6560b_port_ops = {
25949 .inherits = &legacy_base_port_ops,
25950 .set_piomode = ht6560b_set_piomode,
25951 };
25952 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
25953 }
25954
25955
25956 -static struct ata_port_operations opti82c611a_port_ops = {
25957 +static const struct ata_port_operations opti82c611a_port_ops = {
25958 .inherits = &legacy_base_port_ops,
25959 .set_piomode = opti82c611a_set_piomode,
25960 };
25961 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
25962 return ata_sff_qc_issue(qc);
25963 }
25964
25965 -static struct ata_port_operations opti82c46x_port_ops = {
25966 +static const struct ata_port_operations opti82c46x_port_ops = {
25967 .inherits = &legacy_base_port_ops,
25968 .set_piomode = opti82c46x_set_piomode,
25969 .qc_issue = opti82c46x_qc_issue,
25970 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
25971 return 0;
25972 }
25973
25974 -static struct ata_port_operations qdi6500_port_ops = {
25975 +static const struct ata_port_operations qdi6500_port_ops = {
25976 .inherits = &legacy_base_port_ops,
25977 .set_piomode = qdi6500_set_piomode,
25978 .qc_issue = qdi_qc_issue,
25979 .sff_data_xfer = vlb32_data_xfer,
25980 };
25981
25982 -static struct ata_port_operations qdi6580_port_ops = {
25983 +static const struct ata_port_operations qdi6580_port_ops = {
25984 .inherits = &legacy_base_port_ops,
25985 .set_piomode = qdi6580_set_piomode,
25986 .sff_data_xfer = vlb32_data_xfer,
25987 };
25988
25989 -static struct ata_port_operations qdi6580dp_port_ops = {
25990 +static const struct ata_port_operations qdi6580dp_port_ops = {
25991 .inherits = &legacy_base_port_ops,
25992 .set_piomode = qdi6580dp_set_piomode,
25993 .qc_issue = qdi_qc_issue,
25994 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
25995 return 0;
25996 }
25997
25998 -static struct ata_port_operations winbond_port_ops = {
25999 +static const struct ata_port_operations winbond_port_ops = {
26000 .inherits = &legacy_base_port_ops,
26001 .set_piomode = winbond_set_piomode,
26002 .sff_data_xfer = vlb32_data_xfer,
26003 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
26004 int pio_modes = controller->pio_mask;
26005 unsigned long io = probe->port;
26006 u32 mask = (1 << probe->slot);
26007 - struct ata_port_operations *ops = controller->ops;
26008 + const struct ata_port_operations *ops = controller->ops;
26009 struct legacy_data *ld = &legacy_data[probe->slot];
26010 struct ata_host *host = NULL;
26011 struct ata_port *ap;
26012 diff -urNp linux-2.6.39.3/drivers/ata/pata_macio.c linux-2.6.39.3/drivers/ata/pata_macio.c
26013 --- linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-19 00:06:34.000000000 -0400
26014 +++ linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-22 19:36:31.000000000 -0400
26015 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
26016 .slave_configure = pata_macio_slave_config,
26017 };
26018
26019 -static struct ata_port_operations pata_macio_ops = {
26020 +static const struct ata_port_operations pata_macio_ops = {
26021 .inherits = &ata_bmdma_port_ops,
26022 -
26023 .freeze = pata_macio_freeze,
26024 .set_piomode = pata_macio_set_timings,
26025 .set_dmamode = pata_macio_set_timings,
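Review bot: Besides adding `const`, this hunk deletes the blank line after `.inherits = &ata_bmdma_port_ops,`, which has nothing to do with the qualifier change. Keeping that line would reduce the hunk to the same one-line `static struct` to `static const struct` swap used for the other drivers. It would also make conflicts less likely when the patch is rebased onto a newer kernel.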
26026 diff -urNp linux-2.6.39.3/drivers/ata/pata_marvell.c linux-2.6.39.3/drivers/ata/pata_marvell.c
26027 --- linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-19 00:06:34.000000000 -0400
26028 +++ linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-22 19:36:31.000000000 -0400
26029 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26030 ATA_BMDMA_SHT(DRV_NAME),
26031 };
26032
26033 -static struct ata_port_operations marvell_ops = {
26034 +static const struct ata_port_operations marvell_ops = {
26035 .inherits = &ata_bmdma_port_ops,
26036 .cable_detect = marvell_cable_detect,
26037 .prereset = marvell_pre_reset,
26038 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpc52xx.c linux-2.6.39.3/drivers/ata/pata_mpc52xx.c
26039 --- linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-19 00:06:34.000000000 -0400
26040 +++ linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-22 19:36:31.000000000 -0400
26041 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26042 ATA_PIO_SHT(DRV_NAME),
26043 };
26044
26045 -static struct ata_port_operations mpc52xx_ata_port_ops = {
26046 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
26047 .inherits = &ata_bmdma_port_ops,
26048 .sff_dev_select = mpc52xx_ata_dev_select,
26049 .set_piomode = mpc52xx_ata_set_piomode,
26050 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpiix.c linux-2.6.39.3/drivers/ata/pata_mpiix.c
26051 --- linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-19 00:06:34.000000000 -0400
26052 +++ linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-22 19:36:31.000000000 -0400
26053 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
26054 ATA_PIO_SHT(DRV_NAME),
26055 };
26056
26057 -static struct ata_port_operations mpiix_port_ops = {
26058 +static const struct ata_port_operations mpiix_port_ops = {
26059 .inherits = &ata_sff_port_ops,
26060 .qc_issue = mpiix_qc_issue,
26061 .cable_detect = ata_cable_40wire,
26062 diff -urNp linux-2.6.39.3/drivers/ata/pata_netcell.c linux-2.6.39.3/drivers/ata/pata_netcell.c
26063 --- linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-19 00:06:34.000000000 -0400
26064 +++ linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-22 19:36:31.000000000 -0400
26065 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
26066 ATA_BMDMA_SHT(DRV_NAME),
26067 };
26068
26069 -static struct ata_port_operations netcell_ops = {
26070 +static const struct ata_port_operations netcell_ops = {
26071 .inherits = &ata_bmdma_port_ops,
26072 .cable_detect = ata_cable_80wire,
26073 .read_id = netcell_read_id,
26074 diff -urNp linux-2.6.39.3/drivers/ata/pata_ninja32.c linux-2.6.39.3/drivers/ata/pata_ninja32.c
26075 --- linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-19 00:06:34.000000000 -0400
26076 +++ linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-22 19:36:31.000000000 -0400
26077 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
26078 ATA_BMDMA_SHT(DRV_NAME),
26079 };
26080
26081 -static struct ata_port_operations ninja32_port_ops = {
26082 +static const struct ata_port_operations ninja32_port_ops = {
26083 .inherits = &ata_bmdma_port_ops,
26084 .sff_dev_select = ninja32_dev_select,
26085 .cable_detect = ata_cable_40wire,
26086 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87410.c linux-2.6.39.3/drivers/ata/pata_ns87410.c
26087 --- linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-19 00:06:34.000000000 -0400
26088 +++ linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-22 19:36:31.000000000 -0400
26089 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
26090 ATA_PIO_SHT(DRV_NAME),
26091 };
26092
26093 -static struct ata_port_operations ns87410_port_ops = {
26094 +static const struct ata_port_operations ns87410_port_ops = {
26095 .inherits = &ata_sff_port_ops,
26096 .qc_issue = ns87410_qc_issue,
26097 .cable_detect = ata_cable_40wire,
26098 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87415.c linux-2.6.39.3/drivers/ata/pata_ns87415.c
26099 --- linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-19 00:06:34.000000000 -0400
26100 +++ linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-22 19:36:31.000000000 -0400
26101 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
26102 }
26103 #endif /* 87560 SuperIO Support */
26104
26105 -static struct ata_port_operations ns87415_pata_ops = {
26106 +static const struct ata_port_operations ns87415_pata_ops = {
26107 .inherits = &ata_bmdma_port_ops,
26108
26109 .check_atapi_dma = ns87415_check_atapi_dma,
26110 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
26111 };
26112
26113 #if defined(CONFIG_SUPERIO)
26114 -static struct ata_port_operations ns87560_pata_ops = {
26115 +static const struct ata_port_operations ns87560_pata_ops = {
26116 .inherits = &ns87415_pata_ops,
26117 .sff_tf_read = ns87560_tf_read,
26118 .sff_check_status = ns87560_check_status,
26119 diff -urNp linux-2.6.39.3/drivers/ata/pata_octeon_cf.c linux-2.6.39.3/drivers/ata/pata_octeon_cf.c
26120 --- linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-19 00:06:34.000000000 -0400
26121 +++ linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-22 19:36:31.000000000 -0400
26122 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
26123 return 0;
26124 }
26125
26126 -static struct ata_port_operations octeon_cf_ops = {
26127 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
26128 .inherits = &ata_sff_port_ops,
26129 .check_atapi_dma = octeon_cf_check_atapi_dma,
26130 .qc_prep = ata_noop_qc_prep,
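Review bot: The `/* cannot be const */` remark on `octeon_cf_ops` gives no reason, and this is the one table in the series that stays writable, so its function pointers are not covered by the read-only placement the other hunks gain. Presumably the driver assigns members of `octeon_cf_ops` in its probe path, which is outside this hunk and should be confirmed; if so the comment should say it, e.g. `/* cannot be const: probe assigns members at run time */`. A stricter follow-up would be one `const` table per bus variant, selected by pointer, so that nothing writes to an ops table after initialisation. The initializer continues past the end of the hunk.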
26131 diff -urNp linux-2.6.39.3/drivers/ata/pata_oldpiix.c linux-2.6.39.3/drivers/ata/pata_oldpiix.c
26132 --- linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-19 00:06:34.000000000 -0400
26133 +++ linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-22 19:36:31.000000000 -0400
26134 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
26135 ATA_BMDMA_SHT(DRV_NAME),
26136 };
26137
26138 -static struct ata_port_operations oldpiix_pata_ops = {
26139 +static const struct ata_port_operations oldpiix_pata_ops = {
26140 .inherits = &ata_bmdma_port_ops,
26141 .qc_issue = oldpiix_qc_issue,
26142 .cable_detect = ata_cable_40wire,
26143 diff -urNp linux-2.6.39.3/drivers/ata/pata_opti.c linux-2.6.39.3/drivers/ata/pata_opti.c
26144 --- linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-19 00:06:34.000000000 -0400
26145 +++ linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-22 19:36:31.000000000 -0400
26146 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
26147 ATA_PIO_SHT(DRV_NAME),
26148 };
26149
26150 -static struct ata_port_operations opti_port_ops = {
26151 +static const struct ata_port_operations opti_port_ops = {
26152 .inherits = &ata_sff_port_ops,
26153 .cable_detect = ata_cable_40wire,
26154 .set_piomode = opti_set_piomode,
26155 diff -urNp linux-2.6.39.3/drivers/ata/pata_optidma.c linux-2.6.39.3/drivers/ata/pata_optidma.c
26156 --- linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-19 00:06:34.000000000 -0400
26157 +++ linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-22 19:36:31.000000000 -0400
26158 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26159 ATA_BMDMA_SHT(DRV_NAME),
26160 };
26161
26162 -static struct ata_port_operations optidma_port_ops = {
26163 +static const struct ata_port_operations optidma_port_ops = {
26164 .inherits = &ata_bmdma_port_ops,
26165 .cable_detect = ata_cable_40wire,
26166 .set_piomode = optidma_set_pio_mode,
26167 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26168 .prereset = optidma_pre_reset,
26169 };
26170
26171 -static struct ata_port_operations optiplus_port_ops = {
26172 +static const struct ata_port_operations optiplus_port_ops = {
26173 .inherits = &optidma_port_ops,
26174 .set_piomode = optiplus_set_pio_mode,
26175 .set_dmamode = optiplus_set_dma_mode,
26176 diff -urNp linux-2.6.39.3/drivers/ata/pata_palmld.c linux-2.6.39.3/drivers/ata/pata_palmld.c
26177 --- linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-19 00:06:34.000000000 -0400
26178 +++ linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-22 19:36:31.000000000 -0400
26179 @@ -42,7 +42,7 @@ static struct scsi_host_template palmld_
26180 ATA_PIO_SHT(DRV_NAME),
26181 };
26182
26183 -static struct ata_port_operations palmld_port_ops = {
26184 +static const struct ata_port_operations palmld_port_ops = {
26185 .inherits = &ata_sff_port_ops,
26186 .sff_data_xfer = ata_sff_data_xfer_noirq,
26187 .cable_detect = ata_cable_40wire,
26188 diff -urNp linux-2.6.39.3/drivers/ata/pata_pcmcia.c linux-2.6.39.3/drivers/ata/pata_pcmcia.c
26189 --- linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
26190 +++ linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-22 19:36:31.000000000 -0400
26191 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
26192 ATA_PIO_SHT(DRV_NAME),
26193 };
26194
26195 -static struct ata_port_operations pcmcia_port_ops = {
26196 +static const struct ata_port_operations pcmcia_port_ops = {
26197 .inherits = &ata_sff_port_ops,
26198 .sff_data_xfer = ata_sff_data_xfer_noirq,
26199 .cable_detect = ata_cable_40wire,
26200 .set_mode = pcmcia_set_mode,
26201 };
26202
26203 -static struct ata_port_operations pcmcia_8bit_port_ops = {
26204 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
26205 .inherits = &ata_sff_port_ops,
26206 .sff_data_xfer = ata_data_xfer_8bit,
26207 .cable_detect = ata_cable_40wire,
26208 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
26209 unsigned long io_base, ctl_base;
26210 void __iomem *io_addr, *ctl_addr;
26211 int n_ports = 1;
26212 - struct ata_port_operations *ops = &pcmcia_port_ops;
26213 + const struct ata_port_operations *ops = &pcmcia_port_ops;
26214
26215 /* Set up attributes in order to probe card and get resources */
26216 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
26217 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc2027x.c linux-2.6.39.3/drivers/ata/pata_pdc2027x.c
26218 --- linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-19 00:06:34.000000000 -0400
26219 +++ linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-22 19:36:31.000000000 -0400
26220 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
26221 ATA_BMDMA_SHT(DRV_NAME),
26222 };
26223
26224 -static struct ata_port_operations pdc2027x_pata100_ops = {
26225 +static const struct ata_port_operations pdc2027x_pata100_ops = {
26226 .inherits = &ata_bmdma_port_ops,
26227 .check_atapi_dma = pdc2027x_check_atapi_dma,
26228 .cable_detect = pdc2027x_cable_detect,
26229 .prereset = pdc2027x_prereset,
26230 };
26231
26232 -static struct ata_port_operations pdc2027x_pata133_ops = {
26233 +static const struct ata_port_operations pdc2027x_pata133_ops = {
26234 .inherits = &pdc2027x_pata100_ops,
26235 .mode_filter = pdc2027x_mode_filter,
26236 .set_piomode = pdc2027x_set_piomode,
26237 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c
26238 --- linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-19 00:06:34.000000000 -0400
26239 +++ linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-22 19:36:31.000000000 -0400
26240 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
26241 ATA_BMDMA_SHT(DRV_NAME),
26242 };
26243
26244 -static struct ata_port_operations pdc2024x_port_ops = {
26245 +static const struct ata_port_operations pdc2024x_port_ops = {
26246 .inherits = &ata_bmdma_port_ops,
26247
26248 .cable_detect = ata_cable_40wire,
26249 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
26250 .sff_irq_check = pdc202xx_irq_check,
26251 };
26252
26253 -static struct ata_port_operations pdc2026x_port_ops = {
26254 +static const struct ata_port_operations pdc2026x_port_ops = {
26255 .inherits = &pdc2024x_port_ops,
26256
26257 .check_atapi_dma = pdc2026x_check_atapi_dma,
26258 diff -urNp linux-2.6.39.3/drivers/ata/pata_piccolo.c linux-2.6.39.3/drivers/ata/pata_piccolo.c
26259 --- linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-19 00:06:34.000000000 -0400
26260 +++ linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-22 19:36:31.000000000 -0400
26261 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
26262 ATA_BMDMA_SHT(DRV_NAME),
26263 };
26264
26265 -static struct ata_port_operations tosh_port_ops = {
26266 +static const struct ata_port_operations tosh_port_ops = {
26267 .inherits = &ata_bmdma_port_ops,
26268 .cable_detect = ata_cable_unknown,
26269 .set_piomode = tosh_set_piomode,
26270 diff -urNp linux-2.6.39.3/drivers/ata/pata_platform.c linux-2.6.39.3/drivers/ata/pata_platform.c
26271 --- linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-19 00:06:34.000000000 -0400
26272 +++ linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-22 19:36:31.000000000 -0400
26273 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
26274 ATA_PIO_SHT(DRV_NAME),
26275 };
26276
26277 -static struct ata_port_operations pata_platform_port_ops = {
26278 +static const struct ata_port_operations pata_platform_port_ops = {
26279 .inherits = &ata_sff_port_ops,
26280 .sff_data_xfer = ata_sff_data_xfer_noirq,
26281 .cable_detect = ata_cable_unknown,
26282 diff -urNp linux-2.6.39.3/drivers/ata/pata_pxa.c linux-2.6.39.3/drivers/ata/pata_pxa.c
26283 --- linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-19 00:06:34.000000000 -0400
26284 +++ linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-22 19:36:31.000000000 -0400
26285 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
26286 ATA_BMDMA_SHT(DRV_NAME),
26287 };
26288
26289 -static struct ata_port_operations pxa_ata_port_ops = {
26290 +static const struct ata_port_operations pxa_ata_port_ops = {
26291 .inherits = &ata_bmdma_port_ops,
26292 .cable_detect = ata_cable_40wire,
26293
26294 diff -urNp linux-2.6.39.3/drivers/ata/pata_qdi.c linux-2.6.39.3/drivers/ata/pata_qdi.c
26295 --- linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-19 00:06:34.000000000 -0400
26296 +++ linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-22 19:36:31.000000000 -0400
26297 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
26298 ATA_PIO_SHT(DRV_NAME),
26299 };
26300
26301 -static struct ata_port_operations qdi6500_port_ops = {
26302 +static const struct ata_port_operations qdi6500_port_ops = {
26303 .inherits = &ata_sff_port_ops,
26304 .qc_issue = qdi_qc_issue,
26305 .sff_data_xfer = qdi_data_xfer,
26306 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
26307 .set_piomode = qdi6500_set_piomode,
26308 };
26309
26310 -static struct ata_port_operations qdi6580_port_ops = {
26311 +static const struct ata_port_operations qdi6580_port_ops = {
26312 .inherits = &qdi6500_port_ops,
26313 .set_piomode = qdi6580_set_piomode,
26314 };
26315 diff -urNp linux-2.6.39.3/drivers/ata/pata_radisys.c linux-2.6.39.3/drivers/ata/pata_radisys.c
26316 --- linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-19 00:06:34.000000000 -0400
26317 +++ linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-22 19:36:31.000000000 -0400
26318 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
26319 ATA_BMDMA_SHT(DRV_NAME),
26320 };
26321
26322 -static struct ata_port_operations radisys_pata_ops = {
26323 +static const struct ata_port_operations radisys_pata_ops = {
26324 .inherits = &ata_bmdma_port_ops,
26325 .qc_issue = radisys_qc_issue,
26326 .cable_detect = ata_cable_unknown,
26327 diff -urNp linux-2.6.39.3/drivers/ata/pata_rb532_cf.c linux-2.6.39.3/drivers/ata/pata_rb532_cf.c
26328 --- linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-19 00:06:34.000000000 -0400
26329 +++ linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-22 19:36:31.000000000 -0400
26330 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
26331 return IRQ_HANDLED;
26332 }
26333
26334 -static struct ata_port_operations rb532_pata_port_ops = {
26335 +static const struct ata_port_operations rb532_pata_port_ops = {
26336 .inherits = &ata_sff_port_ops,
26337 .sff_data_xfer = ata_sff_data_xfer32,
26338 };
26339 diff -urNp linux-2.6.39.3/drivers/ata/pata_rdc.c linux-2.6.39.3/drivers/ata/pata_rdc.c
26340 --- linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-19 00:06:34.000000000 -0400
26341 +++ linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-22 19:36:31.000000000 -0400
26342 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
26343 pci_write_config_byte(dev, 0x48, udma_enable);
26344 }
26345
26346 -static struct ata_port_operations rdc_pata_ops = {
26347 +static const struct ata_port_operations rdc_pata_ops = {
26348 .inherits = &ata_bmdma32_port_ops,
26349 .cable_detect = rdc_pata_cable_detect,
26350 .set_piomode = rdc_set_piomode,
26351 diff -urNp linux-2.6.39.3/drivers/ata/pata_rz1000.c linux-2.6.39.3/drivers/ata/pata_rz1000.c
26352 --- linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-19 00:06:34.000000000 -0400
26353 +++ linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-22 19:36:31.000000000 -0400
26354 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
26355 ATA_PIO_SHT(DRV_NAME),
26356 };
26357
26358 -static struct ata_port_operations rz1000_port_ops = {
26359 +static const struct ata_port_operations rz1000_port_ops = {
26360 .inherits = &ata_sff_port_ops,
26361 .cable_detect = ata_cable_40wire,
26362 .set_mode = rz1000_set_mode,
26363 diff -urNp linux-2.6.39.3/drivers/ata/pata_samsung_cf.c linux-2.6.39.3/drivers/ata/pata_samsung_cf.c
26364 --- linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-19 00:06:34.000000000 -0400
26365 +++ linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-22 19:36:31.000000000 -0400
26366 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
26367 ATA_PIO_SHT(DRV_NAME),
26368 };
26369
26370 -static struct ata_port_operations pata_s3c_port_ops = {
26371 +static const struct ata_port_operations pata_s3c_port_ops = {
26372 .inherits = &ata_sff_port_ops,
26373 .sff_check_status = pata_s3c_check_status,
26374 .sff_check_altstatus = pata_s3c_check_altstatus,
26375 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
26376 .set_piomode = pata_s3c_set_piomode,
26377 };
26378
26379 -static struct ata_port_operations pata_s5p_port_ops = {
26380 +static const struct ata_port_operations pata_s5p_port_ops = {
26381 .inherits = &ata_sff_port_ops,
26382 .set_piomode = pata_s3c_set_piomode,
26383 };
26384 diff -urNp linux-2.6.39.3/drivers/ata/pata_sc1200.c linux-2.6.39.3/drivers/ata/pata_sc1200.c
26385 --- linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-19 00:06:34.000000000 -0400
26386 +++ linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-22 19:36:31.000000000 -0400
26387 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26388 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26389 };
26390
26391 -static struct ata_port_operations sc1200_port_ops = {
26392 +static const struct ata_port_operations sc1200_port_ops = {
26393 .inherits = &ata_bmdma_port_ops,
26394 .qc_prep = ata_bmdma_dumb_qc_prep,
26395 .qc_issue = sc1200_qc_issue,
26396 diff -urNp linux-2.6.39.3/drivers/ata/pata_scc.c linux-2.6.39.3/drivers/ata/pata_scc.c
26397 --- linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-19 00:06:34.000000000 -0400
26398 +++ linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-22 19:36:31.000000000 -0400
26399 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
26400 ATA_BMDMA_SHT(DRV_NAME),
26401 };
26402
26403 -static struct ata_port_operations scc_pata_ops = {
26404 +static const struct ata_port_operations scc_pata_ops = {
26405 .inherits = &ata_bmdma_port_ops,
26406
26407 .set_piomode = scc_set_piomode,
26408 diff -urNp linux-2.6.39.3/drivers/ata/pata_sch.c linux-2.6.39.3/drivers/ata/pata_sch.c
26409 --- linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-19 00:06:34.000000000 -0400
26410 +++ linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-22 19:36:31.000000000 -0400
26411 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26412 ATA_BMDMA_SHT(DRV_NAME),
26413 };
26414
26415 -static struct ata_port_operations sch_pata_ops = {
26416 +static const struct ata_port_operations sch_pata_ops = {
26417 .inherits = &ata_bmdma_port_ops,
26418 .cable_detect = ata_cable_unknown,
26419 .set_piomode = sch_set_piomode,
26420 diff -urNp linux-2.6.39.3/drivers/ata/pata_serverworks.c linux-2.6.39.3/drivers/ata/pata_serverworks.c
26421 --- linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-19 00:06:34.000000000 -0400
26422 +++ linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-22 19:36:31.000000000 -0400
26423 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
26424 ATA_BMDMA_SHT(DRV_NAME),
26425 };
26426
26427 -static struct ata_port_operations serverworks_osb4_port_ops = {
26428 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26429 .inherits = &ata_bmdma_port_ops,
26430 .cable_detect = serverworks_cable_detect,
26431 .mode_filter = serverworks_osb4_filter,
26432 @@ -308,7 +308,7 @@ static struct ata_port_operations server
26433 .set_dmamode = serverworks_set_dmamode,
26434 };
26435
26436 -static struct ata_port_operations serverworks_csb_port_ops = {
26437 +static const struct ata_port_operations serverworks_csb_port_ops = {
26438 .inherits = &serverworks_osb4_port_ops,
26439 .mode_filter = serverworks_csb_filter,
26440 };
26441 diff -urNp linux-2.6.39.3/drivers/ata/pata_sil680.c linux-2.6.39.3/drivers/ata/pata_sil680.c
26442 --- linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-19 00:06:34.000000000 -0400
26443 +++ linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-22 19:36:31.000000000 -0400
26444 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
26445 ATA_BMDMA_SHT(DRV_NAME),
26446 };
26447
26448 -
26449 -static struct ata_port_operations sil680_port_ops = {
26450 +static const struct ata_port_operations sil680_port_ops = {
26451 .inherits = &ata_bmdma32_port_ops,
26452 .sff_exec_command = sil680_sff_exec_command,
26453 .sff_irq_check = sil680_sff_irq_check,
26454 diff -urNp linux-2.6.39.3/drivers/ata/pata_sis.c linux-2.6.39.3/drivers/ata/pata_sis.c
26455 --- linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-19 00:06:34.000000000 -0400
26456 +++ linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-22 19:36:31.000000000 -0400
26457 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26458 ATA_BMDMA_SHT(DRV_NAME),
26459 };
26460
26461 -static struct ata_port_operations sis_133_for_sata_ops = {
26462 +static const struct ata_port_operations sis_133_for_sata_ops = {
26463 .inherits = &ata_bmdma_port_ops,
26464 .set_piomode = sis_133_set_piomode,
26465 .set_dmamode = sis_133_set_dmamode,
26466 .cable_detect = sis_133_cable_detect,
26467 };
26468
26469 -static struct ata_port_operations sis_base_ops = {
26470 +static const struct ata_port_operations sis_base_ops = {
26471 .inherits = &ata_bmdma_port_ops,
26472 .prereset = sis_pre_reset,
26473 };
26474
26475 -static struct ata_port_operations sis_133_ops = {
26476 +static const struct ata_port_operations sis_133_ops = {
26477 .inherits = &sis_base_ops,
26478 .set_piomode = sis_133_set_piomode,
26479 .set_dmamode = sis_133_set_dmamode,
26480 .cable_detect = sis_133_cable_detect,
26481 };
26482
26483 -static struct ata_port_operations sis_133_early_ops = {
26484 +static const struct ata_port_operations sis_133_early_ops = {
26485 .inherits = &sis_base_ops,
26486 .set_piomode = sis_100_set_piomode,
26487 .set_dmamode = sis_133_early_set_dmamode,
26488 .cable_detect = sis_66_cable_detect,
26489 };
26490
26491 -static struct ata_port_operations sis_100_ops = {
26492 +static const struct ata_port_operations sis_100_ops = {
26493 .inherits = &sis_base_ops,
26494 .set_piomode = sis_100_set_piomode,
26495 .set_dmamode = sis_100_set_dmamode,
26496 .cable_detect = sis_66_cable_detect,
26497 };
26498
26499 -static struct ata_port_operations sis_66_ops = {
26500 +static const struct ata_port_operations sis_66_ops = {
26501 .inherits = &sis_base_ops,
26502 .set_piomode = sis_old_set_piomode,
26503 .set_dmamode = sis_66_set_dmamode,
26504 .cable_detect = sis_66_cable_detect,
26505 };
26506
26507 -static struct ata_port_operations sis_old_ops = {
26508 +static const struct ata_port_operations sis_old_ops = {
26509 .inherits = &sis_base_ops,
26510 .set_piomode = sis_old_set_piomode,
26511 .set_dmamode = sis_old_set_dmamode,
26512 diff -urNp linux-2.6.39.3/drivers/ata/pata_sl82c105.c linux-2.6.39.3/drivers/ata/pata_sl82c105.c
26513 --- linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-19 00:06:34.000000000 -0400
26514 +++ linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-22 19:36:31.000000000 -0400
26515 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
26516 ATA_BMDMA_SHT(DRV_NAME),
26517 };
26518
26519 -static struct ata_port_operations sl82c105_port_ops = {
26520 +static const struct ata_port_operations sl82c105_port_ops = {
26521 .inherits = &ata_bmdma_port_ops,
26522 .qc_defer = sl82c105_qc_defer,
26523 .bmdma_start = sl82c105_bmdma_start,
26524 diff -urNp linux-2.6.39.3/drivers/ata/pata_triflex.c linux-2.6.39.3/drivers/ata/pata_triflex.c
26525 --- linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-19 00:06:34.000000000 -0400
26526 +++ linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-22 19:36:31.000000000 -0400
26527 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26528 ATA_BMDMA_SHT(DRV_NAME),
26529 };
26530
26531 -static struct ata_port_operations triflex_port_ops = {
26532 +static const struct ata_port_operations triflex_port_ops = {
26533 .inherits = &ata_bmdma_port_ops,
26534 .bmdma_start = triflex_bmdma_start,
26535 .bmdma_stop = triflex_bmdma_stop,
26536 diff -urNp linux-2.6.39.3/drivers/ata/pata_via.c linux-2.6.39.3/drivers/ata/pata_via.c
26537 --- linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-19 00:06:34.000000000 -0400
26538 +++ linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-22 19:36:31.000000000 -0400
26539 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
26540 ATA_BMDMA_SHT(DRV_NAME),
26541 };
26542
26543 -static struct ata_port_operations via_port_ops = {
26544 +static const struct ata_port_operations via_port_ops = {
26545 .inherits = &ata_bmdma_port_ops,
26546 .cable_detect = via_cable_detect,
26547 .set_piomode = via_set_piomode,
26548 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
26549 .mode_filter = via_mode_filter,
26550 };
26551
26552 -static struct ata_port_operations via_port_ops_noirq = {
26553 +static const struct ata_port_operations via_port_ops_noirq = {
26554 .inherits = &via_port_ops,
26555 .sff_data_xfer = ata_sff_data_xfer_noirq,
26556 };
26557 diff -urNp linux-2.6.39.3/drivers/ata/pdc_adma.c linux-2.6.39.3/drivers/ata/pdc_adma.c
26558 --- linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-19 00:06:34.000000000 -0400
26559 +++ linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-22 19:36:31.000000000 -0400
26560 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
26561 .dma_boundary = ADMA_DMA_BOUNDARY,
26562 };
26563
26564 -static struct ata_port_operations adma_ata_ops = {
26565 +static const struct ata_port_operations adma_ata_ops = {
26566 .inherits = &ata_sff_port_ops,
26567
26568 .lost_interrupt = ATA_OP_NULL,
26569 diff -urNp linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c
26570 --- linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-19 00:06:34.000000000 -0400
26571 +++ linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-22 19:36:31.000000000 -0400
26572 @@ -1598,7 +1598,7 @@ static struct scsi_host_template sata_dw
26573 .dma_boundary = ATA_DMA_BOUNDARY,
26574 };
26575
26576 -static struct ata_port_operations sata_dwc_ops = {
26577 +static const struct ata_port_operations sata_dwc_ops = {
26578 .inherits = &ata_sff_port_ops,
26579
26580 .error_handler = sata_dwc_error_handler,
26581 diff -urNp linux-2.6.39.3/drivers/ata/sata_fsl.c linux-2.6.39.3/drivers/ata/sata_fsl.c
26582 --- linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-19 00:06:34.000000000 -0400
26583 +++ linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-22 19:36:31.000000000 -0400
26584 @@ -1268,7 +1268,7 @@ static struct scsi_host_template sata_fs
26585 .dma_boundary = ATA_DMA_BOUNDARY,
26586 };
26587
26588 -static struct ata_port_operations sata_fsl_ops = {
26589 +static const struct ata_port_operations sata_fsl_ops = {
26590 .inherits = &sata_pmp_port_ops,
26591
26592 .qc_defer = ata_std_qc_defer,
26593 diff -urNp linux-2.6.39.3/drivers/ata/sata_inic162x.c linux-2.6.39.3/drivers/ata/sata_inic162x.c
26594 --- linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-19 00:06:34.000000000 -0400
26595 +++ linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-22 19:36:31.000000000 -0400
26596 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
26597 return 0;
26598 }
26599
26600 -static struct ata_port_operations inic_port_ops = {
26601 +static const struct ata_port_operations inic_port_ops = {
26602 .inherits = &sata_port_ops,
26603
26604 .check_atapi_dma = inic_check_atapi_dma,
26605 diff -urNp linux-2.6.39.3/drivers/ata/sata_mv.c linux-2.6.39.3/drivers/ata/sata_mv.c
26606 --- linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-19 00:06:34.000000000 -0400
26607 +++ linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-22 19:36:31.000000000 -0400
26608 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
26609 .dma_boundary = MV_DMA_BOUNDARY,
26610 };
26611
26612 -static struct ata_port_operations mv5_ops = {
26613 +static const struct ata_port_operations mv5_ops = {
26614 .inherits = &ata_sff_port_ops,
26615
26616 .lost_interrupt = ATA_OP_NULL,
26617 @@ -682,7 +682,7 @@ static struct ata_port_operations mv5_op
26618 .port_stop = mv_port_stop,
26619 };
26620
26621 -static struct ata_port_operations mv6_ops = {
26622 +static const struct ata_port_operations mv6_ops = {
26623 .inherits = &ata_bmdma_port_ops,
26624
26625 .lost_interrupt = ATA_OP_NULL,
26626 @@ -716,7 +716,7 @@ static struct ata_port_operations mv6_op
26627 .port_stop = mv_port_stop,
26628 };
26629
26630 -static struct ata_port_operations mv_iie_ops = {
26631 +static const struct ata_port_operations mv_iie_ops = {
26632 .inherits = &mv6_ops,
26633 .dev_config = ATA_OP_NULL,
26634 .qc_prep = mv_qc_prep_iie,
26635 diff -urNp linux-2.6.39.3/drivers/ata/sata_nv.c linux-2.6.39.3/drivers/ata/sata_nv.c
26636 --- linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-19 00:06:34.000000000 -0400
26637 +++ linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-22 19:36:31.000000000 -0400
26638 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
26639 * cases. Define nv_hardreset() which only kicks in for post-boot
26640 * probing and use it for all variants.
26641 */
26642 -static struct ata_port_operations nv_generic_ops = {
26643 +static const struct ata_port_operations nv_generic_ops = {
26644 .inherits = &ata_bmdma_port_ops,
26645 .lost_interrupt = ATA_OP_NULL,
26646 .scr_read = nv_scr_read,
26647 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
26648 .hardreset = nv_hardreset,
26649 };
26650
26651 -static struct ata_port_operations nv_nf2_ops = {
26652 +static const struct ata_port_operations nv_nf2_ops = {
26653 .inherits = &nv_generic_ops,
26654 .freeze = nv_nf2_freeze,
26655 .thaw = nv_nf2_thaw,
26656 };
26657
26658 -static struct ata_port_operations nv_ck804_ops = {
26659 +static const struct ata_port_operations nv_ck804_ops = {
26660 .inherits = &nv_generic_ops,
26661 .freeze = nv_ck804_freeze,
26662 .thaw = nv_ck804_thaw,
26663 .host_stop = nv_ck804_host_stop,
26664 };
26665
26666 -static struct ata_port_operations nv_adma_ops = {
26667 +static const struct ata_port_operations nv_adma_ops = {
26668 .inherits = &nv_ck804_ops,
26669
26670 .check_atapi_dma = nv_adma_check_atapi_dma,
26671 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
26672 .host_stop = nv_adma_host_stop,
26673 };
26674
26675 -static struct ata_port_operations nv_swncq_ops = {
26676 +static const struct ata_port_operations nv_swncq_ops = {
26677 .inherits = &nv_generic_ops,
26678
26679 .qc_defer = ata_std_qc_defer,
26680 diff -urNp linux-2.6.39.3/drivers/ata/sata_promise.c linux-2.6.39.3/drivers/ata/sata_promise.c
26681 --- linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-19 00:06:34.000000000 -0400
26682 +++ linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-22 19:36:31.000000000 -0400
26683 @@ -194,7 +194,7 @@ static const struct ata_port_operations
26684 .error_handler = pdc_error_handler,
26685 };
26686
26687 -static struct ata_port_operations pdc_sata_ops = {
26688 +static const struct ata_port_operations pdc_sata_ops = {
26689 .inherits = &pdc_common_ops,
26690 .cable_detect = pdc_sata_cable_detect,
26691 .freeze = pdc_sata_freeze,
26692 @@ -207,14 +207,14 @@ static struct ata_port_operations pdc_sa
26693
26694 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26695 and ->freeze/thaw that ignore the hotplug controls. */
26696 -static struct ata_port_operations pdc_old_sata_ops = {
26697 +static const struct ata_port_operations pdc_old_sata_ops = {
26698 .inherits = &pdc_sata_ops,
26699 .freeze = pdc_freeze,
26700 .thaw = pdc_thaw,
26701 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26702 };
26703
26704 -static struct ata_port_operations pdc_pata_ops = {
26705 +static const struct ata_port_operations pdc_pata_ops = {
26706 .inherits = &pdc_common_ops,
26707 .cable_detect = pdc_pata_cable_detect,
26708 .freeze = pdc_freeze,
26709 diff -urNp linux-2.6.39.3/drivers/ata/sata_qstor.c linux-2.6.39.3/drivers/ata/sata_qstor.c
26710 --- linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-19 00:06:34.000000000 -0400
26711 +++ linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-22 19:36:31.000000000 -0400
26712 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
26713 .dma_boundary = QS_DMA_BOUNDARY,
26714 };
26715
26716 -static struct ata_port_operations qs_ata_ops = {
26717 +static const struct ata_port_operations qs_ata_ops = {
26718 .inherits = &ata_sff_port_ops,
26719
26720 .check_atapi_dma = qs_check_atapi_dma,
26721 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil24.c linux-2.6.39.3/drivers/ata/sata_sil24.c
26722 --- linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-19 00:06:34.000000000 -0400
26723 +++ linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-22 19:36:31.000000000 -0400
26724 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26725 .dma_boundary = ATA_DMA_BOUNDARY,
26726 };
26727
26728 -static struct ata_port_operations sil24_ops = {
26729 +static const struct ata_port_operations sil24_ops = {
26730 .inherits = &sata_pmp_port_ops,
26731
26732 .qc_defer = sil24_qc_defer,
26733 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil.c linux-2.6.39.3/drivers/ata/sata_sil.c
26734 --- linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-19 00:06:34.000000000 -0400
26735 +++ linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-22 19:36:31.000000000 -0400
26736 @@ -181,7 +181,7 @@ static struct scsi_host_template sil_sht
26737 .sg_tablesize = ATA_MAX_PRD
26738 };
26739
26740 -static struct ata_port_operations sil_ops = {
26741 +static const struct ata_port_operations sil_ops = {
26742 .inherits = &ata_bmdma32_port_ops,
26743 .dev_config = sil_dev_config,
26744 .set_mode = sil_set_mode,
26745 diff -urNp linux-2.6.39.3/drivers/ata/sata_sis.c linux-2.6.39.3/drivers/ata/sata_sis.c
26746 --- linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-19 00:06:34.000000000 -0400
26747 +++ linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-22 19:36:31.000000000 -0400
26748 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26749 ATA_BMDMA_SHT(DRV_NAME),
26750 };
26751
26752 -static struct ata_port_operations sis_ops = {
26753 +static const struct ata_port_operations sis_ops = {
26754 .inherits = &ata_bmdma_port_ops,
26755 .scr_read = sis_scr_read,
26756 .scr_write = sis_scr_write,
26757 diff -urNp linux-2.6.39.3/drivers/ata/sata_svw.c linux-2.6.39.3/drivers/ata/sata_svw.c
26758 --- linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-19 00:06:34.000000000 -0400
26759 +++ linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-22 19:36:31.000000000 -0400
26760 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26761 };
26762
26763
26764 -static struct ata_port_operations k2_sata_ops = {
26765 +static const struct ata_port_operations k2_sata_ops = {
26766 .inherits = &ata_bmdma_port_ops,
26767 .sff_tf_load = k2_sata_tf_load,
26768 .sff_tf_read = k2_sata_tf_read,
26769 diff -urNp linux-2.6.39.3/drivers/ata/sata_sx4.c linux-2.6.39.3/drivers/ata/sata_sx4.c
26770 --- linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-19 00:06:34.000000000 -0400
26771 +++ linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-22 19:36:31.000000000 -0400
26772 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
26773 };
26774
26775 /* TODO: inherit from base port_ops after converting to new EH */
26776 -static struct ata_port_operations pdc_20621_ops = {
26777 +static const struct ata_port_operations pdc_20621_ops = {
26778 .inherits = &ata_sff_port_ops,
26779
26780 .check_atapi_dma = pdc_check_atapi_dma,
26781 diff -urNp linux-2.6.39.3/drivers/ata/sata_uli.c linux-2.6.39.3/drivers/ata/sata_uli.c
26782 --- linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-19 00:06:34.000000000 -0400
26783 +++ linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-22 19:36:31.000000000 -0400
26784 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
26785 ATA_BMDMA_SHT(DRV_NAME),
26786 };
26787
26788 -static struct ata_port_operations uli_ops = {
26789 +static const struct ata_port_operations uli_ops = {
26790 .inherits = &ata_bmdma_port_ops,
26791 .scr_read = uli_scr_read,
26792 .scr_write = uli_scr_write,
26793 diff -urNp linux-2.6.39.3/drivers/ata/sata_via.c linux-2.6.39.3/drivers/ata/sata_via.c
26794 --- linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-19 00:06:34.000000000 -0400
26795 +++ linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-22 19:36:31.000000000 -0400
26796 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26797 ATA_BMDMA_SHT(DRV_NAME),
26798 };
26799
26800 -static struct ata_port_operations svia_base_ops = {
26801 +static const struct ata_port_operations svia_base_ops = {
26802 .inherits = &ata_bmdma_port_ops,
26803 .sff_tf_load = svia_tf_load,
26804 };
26805
26806 -static struct ata_port_operations vt6420_sata_ops = {
26807 +static const struct ata_port_operations vt6420_sata_ops = {
26808 .inherits = &svia_base_ops,
26809 .freeze = svia_noop_freeze,
26810 .prereset = vt6420_prereset,
26811 .bmdma_start = vt6420_bmdma_start,
26812 };
26813
26814 -static struct ata_port_operations vt6421_pata_ops = {
26815 +static const struct ata_port_operations vt6421_pata_ops = {
26816 .inherits = &svia_base_ops,
26817 .cable_detect = vt6421_pata_cable_detect,
26818 .set_piomode = vt6421_set_pio_mode,
26819 .set_dmamode = vt6421_set_dma_mode,
26820 };
26821
26822 -static struct ata_port_operations vt6421_sata_ops = {
26823 +static const struct ata_port_operations vt6421_sata_ops = {
26824 .inherits = &svia_base_ops,
26825 .scr_read = svia_scr_read,
26826 .scr_write = svia_scr_write,
26827 };
26828
26829 -static struct ata_port_operations vt8251_ops = {
26830 +static const struct ata_port_operations vt8251_ops = {
26831 .inherits = &svia_base_ops,
26832 .hardreset = sata_std_hardreset,
26833 .scr_read = vt8251_scr_read,
26834 diff -urNp linux-2.6.39.3/drivers/ata/sata_vsc.c linux-2.6.39.3/drivers/ata/sata_vsc.c
26835 --- linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-19 00:06:34.000000000 -0400
26836 +++ linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-22 19:36:31.000000000 -0400
26837 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
26838 };
26839
26840
26841 -static struct ata_port_operations vsc_sata_ops = {
26842 +static const struct ata_port_operations vsc_sata_ops = {
26843 .inherits = &ata_bmdma_port_ops,
26844 /* The IRQ handling is not quite standard SFF behaviour so we
26845 cannot use the default lost interrupt handler */
26846 diff -urNp linux-2.6.39.3/drivers/atm/adummy.c linux-2.6.39.3/drivers/atm/adummy.c
26847 --- linux-2.6.39.3/drivers/atm/adummy.c 2011-05-19 00:06:34.000000000 -0400
26848 +++ linux-2.6.39.3/drivers/atm/adummy.c 2011-05-22 19:36:31.000000000 -0400
26849 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
26850 vcc->pop(vcc, skb);
26851 else
26852 dev_kfree_skb_any(skb);
26853 - atomic_inc(&vcc->stats->tx);
26854 + atomic_inc_unchecked(&vcc->stats->tx);
26855
26856 return 0;
26857 }
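Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` presumably exempts this counter from the overflow detection that the plain atomic helpers get elsewhere in this patch set, and nothing at the call site says why that is safe. A one-line comment would help, for example `/* statistics only, may wrap: never used as a reference count or a length */`. The call also assumes the stats fields are declared with the matching unchecked atomic type, which lives in a header outside this hunk and should be reviewed together with it. The same conversion recurs in the ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c, idt77252.c, iphase.c, lanai.c and nicstar.c hunks below, so confirm for each that the counter is purely informational. adummy_send begins before this hunk.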
26858 diff -urNp linux-2.6.39.3/drivers/atm/ambassador.c linux-2.6.39.3/drivers/atm/ambassador.c
26859 --- linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-19 00:06:34.000000000 -0400
26860 +++ linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-22 19:36:31.000000000 -0400
26861 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
26862 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26863
26864 // VC layer stats
26865 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26866 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26867
26868 // free the descriptor
26869 kfree (tx_descr);
26870 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
26871 dump_skb ("<<<", vc, skb);
26872
26873 // VC layer stats
26874 - atomic_inc(&atm_vcc->stats->rx);
26875 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26876 __net_timestamp(skb);
26877 // end of our responsibility
26878 atm_vcc->push (atm_vcc, skb);
26879 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
26880 } else {
26881 PRINTK (KERN_INFO, "dropped over-size frame");
26882 // should we count this?
26883 - atomic_inc(&atm_vcc->stats->rx_drop);
26884 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26885 }
26886
26887 } else {
26888 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
26889 }
26890
26891 if (check_area (skb->data, skb->len)) {
26892 - atomic_inc(&atm_vcc->stats->tx_err);
26893 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26894 return -ENOMEM; // ?
26895 }
26896
26897 diff -urNp linux-2.6.39.3/drivers/atm/atmtcp.c linux-2.6.39.3/drivers/atm/atmtcp.c
26898 --- linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-19 00:06:34.000000000 -0400
26899 +++ linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-22 19:36:31.000000000 -0400
26900 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
26901 if (vcc->pop) vcc->pop(vcc,skb);
26902 else dev_kfree_skb(skb);
26903 if (dev_data) return 0;
26904 - atomic_inc(&vcc->stats->tx_err);
26905 + atomic_inc_unchecked(&vcc->stats->tx_err);
26906 return -ENOLINK;
26907 }
26908 size = skb->len+sizeof(struct atmtcp_hdr);
26909 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
26910 if (!new_skb) {
26911 if (vcc->pop) vcc->pop(vcc,skb);
26912 else dev_kfree_skb(skb);
26913 - atomic_inc(&vcc->stats->tx_err);
26914 + atomic_inc_unchecked(&vcc->stats->tx_err);
26915 return -ENOBUFS;
26916 }
26917 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26918 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
26919 if (vcc->pop) vcc->pop(vcc,skb);
26920 else dev_kfree_skb(skb);
26921 out_vcc->push(out_vcc,new_skb);
26922 - atomic_inc(&vcc->stats->tx);
26923 - atomic_inc(&out_vcc->stats->rx);
26924 + atomic_inc_unchecked(&vcc->stats->tx);
26925 + atomic_inc_unchecked(&out_vcc->stats->rx);
26926 return 0;
26927 }
26928
26929 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
26930 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26931 read_unlock(&vcc_sklist_lock);
26932 if (!out_vcc) {
26933 - atomic_inc(&vcc->stats->tx_err);
26934 + atomic_inc_unchecked(&vcc->stats->tx_err);
26935 goto done;
26936 }
26937 skb_pull(skb,sizeof(struct atmtcp_hdr));
26938 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
26939 __net_timestamp(new_skb);
26940 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26941 out_vcc->push(out_vcc,new_skb);
26942 - atomic_inc(&vcc->stats->tx);
26943 - atomic_inc(&out_vcc->stats->rx);
26944 + atomic_inc_unchecked(&vcc->stats->tx);
26945 + atomic_inc_unchecked(&out_vcc->stats->rx);
26946 done:
26947 if (vcc->pop) vcc->pop(vcc,skb);
26948 else dev_kfree_skb(skb);
26949 diff -urNp linux-2.6.39.3/drivers/atm/eni.c linux-2.6.39.3/drivers/atm/eni.c
26950 --- linux-2.6.39.3/drivers/atm/eni.c 2011-05-19 00:06:34.000000000 -0400
26951 +++ linux-2.6.39.3/drivers/atm/eni.c 2011-05-22 19:36:31.000000000 -0400
26952 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26953 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26954 vcc->dev->number);
26955 length = 0;
26956 - atomic_inc(&vcc->stats->rx_err);
26957 + atomic_inc_unchecked(&vcc->stats->rx_err);
26958 }
26959 else {
26960 length = ATM_CELL_SIZE-1; /* no HEC */
26961 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26962 size);
26963 }
26964 eff = length = 0;
26965 - atomic_inc(&vcc->stats->rx_err);
26966 + atomic_inc_unchecked(&vcc->stats->rx_err);
26967 }
26968 else {
26969 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26970 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26971 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26972 vcc->dev->number,vcc->vci,length,size << 2,descr);
26973 length = eff = 0;
26974 - atomic_inc(&vcc->stats->rx_err);
26975 + atomic_inc_unchecked(&vcc->stats->rx_err);
26976 }
26977 }
26978 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26979 @@ -771,7 +771,7 @@ rx_dequeued++;
26980 vcc->push(vcc,skb);
26981 pushed++;
26982 }
26983 - atomic_inc(&vcc->stats->rx);
26984 + atomic_inc_unchecked(&vcc->stats->rx);
26985 }
26986 wake_up(&eni_dev->rx_wait);
26987 }
26988 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
26989 PCI_DMA_TODEVICE);
26990 if (vcc->pop) vcc->pop(vcc,skb);
26991 else dev_kfree_skb_irq(skb);
26992 - atomic_inc(&vcc->stats->tx);
26993 + atomic_inc_unchecked(&vcc->stats->tx);
26994 wake_up(&eni_dev->tx_wait);
26995 dma_complete++;
26996 }
26997 diff -urNp linux-2.6.39.3/drivers/atm/firestream.c linux-2.6.39.3/drivers/atm/firestream.c
26998 --- linux-2.6.39.3/drivers/atm/firestream.c 2011-05-19 00:06:34.000000000 -0400
26999 +++ linux-2.6.39.3/drivers/atm/firestream.c 2011-05-22 19:36:31.000000000 -0400
27000 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
27001 }
27002 }
27003
27004 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27005 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27006
27007 fs_dprintk (FS_DEBUG_TXMEM, "i");
27008 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27009 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
27010 #endif
27011 skb_put (skb, qe->p1 & 0xffff);
27012 ATM_SKB(skb)->vcc = atm_vcc;
27013 - atomic_inc(&atm_vcc->stats->rx);
27014 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27015 __net_timestamp(skb);
27016 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27017 atm_vcc->push (atm_vcc, skb);
27018 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
27019 kfree (pe);
27020 }
27021 if (atm_vcc)
27022 - atomic_inc(&atm_vcc->stats->rx_drop);
27023 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27024 break;
27025 case 0x1f: /* Reassembly abort: no buffers. */
27026 /* Silently increment error counter. */
27027 if (atm_vcc)
27028 - atomic_inc(&atm_vcc->stats->rx_drop);
27029 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27030 break;
27031 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27032 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27033 diff -urNp linux-2.6.39.3/drivers/atm/fore200e.c linux-2.6.39.3/drivers/atm/fore200e.c
27034 --- linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-19 00:06:34.000000000 -0400
27035 +++ linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-22 19:36:31.000000000 -0400
27036 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
27037 #endif
27038 /* check error condition */
27039 if (*entry->status & STATUS_ERROR)
27040 - atomic_inc(&vcc->stats->tx_err);
27041 + atomic_inc_unchecked(&vcc->stats->tx_err);
27042 else
27043 - atomic_inc(&vcc->stats->tx);
27044 + atomic_inc_unchecked(&vcc->stats->tx);
27045 }
27046 }
27047
27048 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
27049 if (skb == NULL) {
27050 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27051
27052 - atomic_inc(&vcc->stats->rx_drop);
27053 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27054 return -ENOMEM;
27055 }
27056
27057 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
27058
27059 dev_kfree_skb_any(skb);
27060
27061 - atomic_inc(&vcc->stats->rx_drop);
27062 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27063 return -ENOMEM;
27064 }
27065
27066 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27067
27068 vcc->push(vcc, skb);
27069 - atomic_inc(&vcc->stats->rx);
27070 + atomic_inc_unchecked(&vcc->stats->rx);
27071
27072 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27073
27074 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
27075 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27076 fore200e->atm_dev->number,
27077 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27078 - atomic_inc(&vcc->stats->rx_err);
27079 + atomic_inc_unchecked(&vcc->stats->rx_err);
27080 }
27081 }
27082
27083 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
27084 goto retry_here;
27085 }
27086
27087 - atomic_inc(&vcc->stats->tx_err);
27088 + atomic_inc_unchecked(&vcc->stats->tx_err);
27089
27090 fore200e->tx_sat++;
27091 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
27092 diff -urNp linux-2.6.39.3/drivers/atm/he.c linux-2.6.39.3/drivers/atm/he.c
27093 --- linux-2.6.39.3/drivers/atm/he.c 2011-05-19 00:06:34.000000000 -0400
27094 +++ linux-2.6.39.3/drivers/atm/he.c 2011-05-22 19:36:31.000000000 -0400
27095 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27096
27097 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
27098 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
27099 - atomic_inc(&vcc->stats->rx_drop);
27100 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27101 goto return_host_buffers;
27102 }
27103
27104 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27105 RBRQ_LEN_ERR(he_dev->rbrq_head)
27106 ? "LEN_ERR" : "",
27107 vcc->vpi, vcc->vci);
27108 - atomic_inc(&vcc->stats->rx_err);
27109 + atomic_inc_unchecked(&vcc->stats->rx_err);
27110 goto return_host_buffers;
27111 }
27112
27113 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27114 vcc->push(vcc, skb);
27115 spin_lock(&he_dev->global_lock);
27116
27117 - atomic_inc(&vcc->stats->rx);
27118 + atomic_inc_unchecked(&vcc->stats->rx);
27119
27120 return_host_buffers:
27121 ++pdus_assembled;
27122 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
27123 tpd->vcc->pop(tpd->vcc, tpd->skb);
27124 else
27125 dev_kfree_skb_any(tpd->skb);
27126 - atomic_inc(&tpd->vcc->stats->tx_err);
27127 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
27128 }
27129 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
27130 return;
27131 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27132 vcc->pop(vcc, skb);
27133 else
27134 dev_kfree_skb_any(skb);
27135 - atomic_inc(&vcc->stats->tx_err);
27136 + atomic_inc_unchecked(&vcc->stats->tx_err);
27137 return -EINVAL;
27138 }
27139
27140 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27141 vcc->pop(vcc, skb);
27142 else
27143 dev_kfree_skb_any(skb);
27144 - atomic_inc(&vcc->stats->tx_err);
27145 + atomic_inc_unchecked(&vcc->stats->tx_err);
27146 return -EINVAL;
27147 }
27148 #endif
27149 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27150 vcc->pop(vcc, skb);
27151 else
27152 dev_kfree_skb_any(skb);
27153 - atomic_inc(&vcc->stats->tx_err);
27154 + atomic_inc_unchecked(&vcc->stats->tx_err);
27155 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27156 return -ENOMEM;
27157 }
27158 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27159 vcc->pop(vcc, skb);
27160 else
27161 dev_kfree_skb_any(skb);
27162 - atomic_inc(&vcc->stats->tx_err);
27163 + atomic_inc_unchecked(&vcc->stats->tx_err);
27164 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27165 return -ENOMEM;
27166 }
27167 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27168 __enqueue_tpd(he_dev, tpd, cid);
27169 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27170
27171 - atomic_inc(&vcc->stats->tx);
27172 + atomic_inc_unchecked(&vcc->stats->tx);
27173
27174 return 0;
27175 }
27176 diff -urNp linux-2.6.39.3/drivers/atm/horizon.c linux-2.6.39.3/drivers/atm/horizon.c
27177 --- linux-2.6.39.3/drivers/atm/horizon.c 2011-05-19 00:06:34.000000000 -0400
27178 +++ linux-2.6.39.3/drivers/atm/horizon.c 2011-05-22 19:36:31.000000000 -0400
27179 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
27180 {
27181 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27182 // VC layer stats
27183 - atomic_inc(&vcc->stats->rx);
27184 + atomic_inc_unchecked(&vcc->stats->rx);
27185 __net_timestamp(skb);
27186 // end of our responsibility
27187 vcc->push (vcc, skb);
27188 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
27189 dev->tx_iovec = NULL;
27190
27191 // VC layer stats
27192 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27193 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27194
27195 // free the skb
27196 hrz_kfree_skb (skb);
27197 diff -urNp linux-2.6.39.3/drivers/atm/idt77252.c linux-2.6.39.3/drivers/atm/idt77252.c
27198 --- linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-19 00:06:34.000000000 -0400
27199 +++ linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-22 19:36:31.000000000 -0400
27200 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
27201 else
27202 dev_kfree_skb(skb);
27203
27204 - atomic_inc(&vcc->stats->tx);
27205 + atomic_inc_unchecked(&vcc->stats->tx);
27206 }
27207
27208 atomic_dec(&scq->used);
27209 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
27210 if ((sb = dev_alloc_skb(64)) == NULL) {
27211 printk("%s: Can't allocate buffers for aal0.\n",
27212 card->name);
27213 - atomic_add(i, &vcc->stats->rx_drop);
27214 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27215 break;
27216 }
27217 if (!atm_charge(vcc, sb->truesize)) {
27218 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27219 card->name);
27220 - atomic_add(i - 1, &vcc->stats->rx_drop);
27221 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27222 dev_kfree_skb(sb);
27223 break;
27224 }
27225 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
27226 ATM_SKB(sb)->vcc = vcc;
27227 __net_timestamp(sb);
27228 vcc->push(vcc, sb);
27229 - atomic_inc(&vcc->stats->rx);
27230 + atomic_inc_unchecked(&vcc->stats->rx);
27231
27232 cell += ATM_CELL_PAYLOAD;
27233 }
27234 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
27235 "(CDC: %08x)\n",
27236 card->name, len, rpp->len, readl(SAR_REG_CDC));
27237 recycle_rx_pool_skb(card, rpp);
27238 - atomic_inc(&vcc->stats->rx_err);
27239 + atomic_inc_unchecked(&vcc->stats->rx_err);
27240 return;
27241 }
27242 if (stat & SAR_RSQE_CRC) {
27243 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
27244 recycle_rx_pool_skb(card, rpp);
27245 - atomic_inc(&vcc->stats->rx_err);
27246 + atomic_inc_unchecked(&vcc->stats->rx_err);
27247 return;
27248 }
27249 if (skb_queue_len(&rpp->queue) > 1) {
27250 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
27251 RXPRINTK("%s: Can't alloc RX skb.\n",
27252 card->name);
27253 recycle_rx_pool_skb(card, rpp);
27254 - atomic_inc(&vcc->stats->rx_err);
27255 + atomic_inc_unchecked(&vcc->stats->rx_err);
27256 return;
27257 }
27258 if (!atm_charge(vcc, skb->truesize)) {
27259 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
27260 __net_timestamp(skb);
27261
27262 vcc->push(vcc, skb);
27263 - atomic_inc(&vcc->stats->rx);
27264 + atomic_inc_unchecked(&vcc->stats->rx);
27265
27266 return;
27267 }
27268 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
27269 __net_timestamp(skb);
27270
27271 vcc->push(vcc, skb);
27272 - atomic_inc(&vcc->stats->rx);
27273 + atomic_inc_unchecked(&vcc->stats->rx);
27274
27275 if (skb->truesize > SAR_FB_SIZE_3)
27276 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
27277 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
27278 if (vcc->qos.aal != ATM_AAL0) {
27279 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
27280 card->name, vpi, vci);
27281 - atomic_inc(&vcc->stats->rx_drop);
27282 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27283 goto drop;
27284 }
27285
27286 if ((sb = dev_alloc_skb(64)) == NULL) {
27287 printk("%s: Can't allocate buffers for AAL0.\n",
27288 card->name);
27289 - atomic_inc(&vcc->stats->rx_err);
27290 + atomic_inc_unchecked(&vcc->stats->rx_err);
27291 goto drop;
27292 }
27293
27294 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
27295 ATM_SKB(sb)->vcc = vcc;
27296 __net_timestamp(sb);
27297 vcc->push(vcc, sb);
27298 - atomic_inc(&vcc->stats->rx);
27299 + atomic_inc_unchecked(&vcc->stats->rx);
27300
27301 drop:
27302 skb_pull(queue, 64);
27303 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27304
27305 if (vc == NULL) {
27306 printk("%s: NULL connection in send().\n", card->name);
27307 - atomic_inc(&vcc->stats->tx_err);
27308 + atomic_inc_unchecked(&vcc->stats->tx_err);
27309 dev_kfree_skb(skb);
27310 return -EINVAL;
27311 }
27312 if (!test_bit(VCF_TX, &vc->flags)) {
27313 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
27314 - atomic_inc(&vcc->stats->tx_err);
27315 + atomic_inc_unchecked(&vcc->stats->tx_err);
27316 dev_kfree_skb(skb);
27317 return -EINVAL;
27318 }
27319 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27320 break;
27321 default:
27322 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
27323 - atomic_inc(&vcc->stats->tx_err);
27324 + atomic_inc_unchecked(&vcc->stats->tx_err);
27325 dev_kfree_skb(skb);
27326 return -EINVAL;
27327 }
27328
27329 if (skb_shinfo(skb)->nr_frags != 0) {
27330 printk("%s: No scatter-gather yet.\n", card->name);
27331 - atomic_inc(&vcc->stats->tx_err);
27332 + atomic_inc_unchecked(&vcc->stats->tx_err);
27333 dev_kfree_skb(skb);
27334 return -EINVAL;
27335 }
27336 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27337
27338 err = queue_skb(card, vc, skb, oam);
27339 if (err) {
27340 - atomic_inc(&vcc->stats->tx_err);
27341 + atomic_inc_unchecked(&vcc->stats->tx_err);
27342 dev_kfree_skb(skb);
27343 return err;
27344 }
27345 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
27346 skb = dev_alloc_skb(64);
27347 if (!skb) {
27348 printk("%s: Out of memory in send_oam().\n", card->name);
27349 - atomic_inc(&vcc->stats->tx_err);
27350 + atomic_inc_unchecked(&vcc->stats->tx_err);
27351 return -ENOMEM;
27352 }
27353 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
27354 diff -urNp linux-2.6.39.3/drivers/atm/iphase.c linux-2.6.39.3/drivers/atm/iphase.c
27355 --- linux-2.6.39.3/drivers/atm/iphase.c 2011-05-19 00:06:34.000000000 -0400
27356 +++ linux-2.6.39.3/drivers/atm/iphase.c 2011-05-22 19:36:31.000000000 -0400
27357 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
27358 status = (u_short) (buf_desc_ptr->desc_mode);
27359 if (status & (RX_CER | RX_PTE | RX_OFL))
27360 {
27361 - atomic_inc(&vcc->stats->rx_err);
27362 + atomic_inc_unchecked(&vcc->stats->rx_err);
27363 IF_ERR(printk("IA: bad packet, dropping it");)
27364 if (status & RX_CER) {
27365 IF_ERR(printk(" cause: packet CRC error\n");)
27366 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
27367 len = dma_addr - buf_addr;
27368 if (len > iadev->rx_buf_sz) {
27369 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
27370 - atomic_inc(&vcc->stats->rx_err);
27371 + atomic_inc_unchecked(&vcc->stats->rx_err);
27372 goto out_free_desc;
27373 }
27374
27375 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
27376 ia_vcc = INPH_IA_VCC(vcc);
27377 if (ia_vcc == NULL)
27378 {
27379 - atomic_inc(&vcc->stats->rx_err);
27380 + atomic_inc_unchecked(&vcc->stats->rx_err);
27381 dev_kfree_skb_any(skb);
27382 atm_return(vcc, atm_guess_pdu2truesize(len));
27383 goto INCR_DLE;
27384 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
27385 if ((length > iadev->rx_buf_sz) || (length >
27386 (skb->len - sizeof(struct cpcs_trailer))))
27387 {
27388 - atomic_inc(&vcc->stats->rx_err);
27389 + atomic_inc_unchecked(&vcc->stats->rx_err);
27390 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27391 length, skb->len);)
27392 dev_kfree_skb_any(skb);
27393 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
27394
27395 IF_RX(printk("rx_dle_intr: skb push");)
27396 vcc->push(vcc,skb);
27397 - atomic_inc(&vcc->stats->rx);
27398 + atomic_inc_unchecked(&vcc->stats->rx);
27399 iadev->rx_pkt_cnt++;
27400 }
27401 INCR_DLE:
27402 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
27403 {
27404 struct k_sonet_stats *stats;
27405 stats = &PRIV(_ia_dev[board])->sonet_stats;
27406 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27407 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27408 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27409 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27410 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27411 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27412 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27413 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27414 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27415 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27416 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27417 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27418 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27419 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27420 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27421 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27422 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27423 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27424 }
27425 ia_cmds.status = 0;
27426 break;
27427 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27428 if ((desc == 0) || (desc > iadev->num_tx_desc))
27429 {
27430 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27431 - atomic_inc(&vcc->stats->tx);
27432 + atomic_inc_unchecked(&vcc->stats->tx);
27433 if (vcc->pop)
27434 vcc->pop(vcc, skb);
27435 else
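Review bot: The rejected-descriptor branch records a failed send as a success, because after logging `invalid desc for send` it increments `vcc->stats->tx`, and the conversion to the unchecked helper carries that over unchanged. The comparable error paths visible on this page (ns_send, idt77252_send_skb, he_send) bump `tx_err`, so the line probably should read `atomic_inc_unchecked(&vcc->stats->tx_err);`. ia_pkt_tx continues past this hunk, so confirm nothing later depends on the tx count being raised here.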
27436 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27437 ATM_DESC(skb) = vcc->vci;
27438 skb_queue_tail(&iadev->tx_dma_q, skb);
27439
27440 - atomic_inc(&vcc->stats->tx);
27441 + atomic_inc_unchecked(&vcc->stats->tx);
27442 iadev->tx_pkt_cnt++;
27443 /* Increment transaction counter */
27444 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27445
27446 #if 0
27447 /* add flow control logic */
27448 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27449 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27450 if (iavcc->vc_desc_cnt > 10) {
27451 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27452 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27453 diff -urNp linux-2.6.39.3/drivers/atm/lanai.c linux-2.6.39.3/drivers/atm/lanai.c
27454 --- linux-2.6.39.3/drivers/atm/lanai.c 2011-05-19 00:06:34.000000000 -0400
27455 +++ linux-2.6.39.3/drivers/atm/lanai.c 2011-05-22 19:36:31.000000000 -0400
27456 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
27457 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27458 lanai_endtx(lanai, lvcc);
27459 lanai_free_skb(lvcc->tx.atmvcc, skb);
27460 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27461 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27462 }
27463
27464 /* Try to fill the buffer - don't call unless there is backlog */
27465 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27466 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27467 __net_timestamp(skb);
27468 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27469 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27470 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27471 out:
27472 lvcc->rx.buf.ptr = end;
27473 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27474 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
27475 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27476 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27477 lanai->stats.service_rxnotaal5++;
27478 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27479 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27480 return 0;
27481 }
27482 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27483 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
27484 int bytes;
27485 read_unlock(&vcc_sklist_lock);
27486 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27487 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27488 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27489 lvcc->stats.x.aal5.service_trash++;
27490 bytes = (SERVICE_GET_END(s) * 16) -
27491 (((unsigned long) lvcc->rx.buf.ptr) -
27492 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
27493 }
27494 if (s & SERVICE_STREAM) {
27495 read_unlock(&vcc_sklist_lock);
27496 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27497 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27498 lvcc->stats.x.aal5.service_stream++;
27499 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27500 "PDU on VCI %d!\n", lanai->number, vci);
27501 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
27502 return 0;
27503 }
27504 DPRINTK("got rx crc error on vci %d\n", vci);
27505 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27506 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27507 lvcc->stats.x.aal5.service_rxcrc++;
27508 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27509 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27510 diff -urNp linux-2.6.39.3/drivers/atm/nicstar.c linux-2.6.39.3/drivers/atm/nicstar.c
27511 --- linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-19 00:06:34.000000000 -0400
27512 +++ linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-22 19:36:31.000000000 -0400
27513 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
27514 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
27515 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
27516 card->index);
27517 - atomic_inc(&vcc->stats->tx_err);
27518 + atomic_inc_unchecked(&vcc->stats->tx_err);
27519 dev_kfree_skb_any(skb);
27520 return -EINVAL;
27521 }
27522 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
27523 if (!vc->tx) {
27524 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
27525 card->index);
27526 - atomic_inc(&vcc->stats->tx_err);
27527 + atomic_inc_unchecked(&vcc->stats->tx_err);
27528 dev_kfree_skb_any(skb);
27529 return -EINVAL;
27530 }
27531 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
27532 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
27533 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
27534 card->index);
27535 - atomic_inc(&vcc->stats->tx_err);
27536 + atomic_inc_unchecked(&vcc->stats->tx_err);
27537 dev_kfree_skb_any(skb);
27538 return -EINVAL;
27539 }
27540
27541 if (skb_shinfo(skb)->nr_frags != 0) {
27542 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27543 - atomic_inc(&vcc->stats->tx_err);
27544 + atomic_inc_unchecked(&vcc->stats->tx_err);
27545 dev_kfree_skb_any(skb);
27546 return -EINVAL;
27547 }
27548 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
27549 }
27550
27551 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
27552 - atomic_inc(&vcc->stats->tx_err);
27553 + atomic_inc_unchecked(&vcc->stats->tx_err);
27554 dev_kfree_skb_any(skb);
27555 return -EIO;
27556 }
27557 - atomic_inc(&vcc->stats->tx);
27558 + atomic_inc_unchecked(&vcc->stats->tx);
27559
27560 return 0;
27561 }
27562 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
27563 printk
27564 ("nicstar%d: Can't allocate buffers for aal0.\n",
27565 card->index);
27566 - atomic_add(i, &vcc->stats->rx_drop);
27567 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27568 break;
27569 }
27570 if (!atm_charge(vcc, sb->truesize)) {
27571 RXPRINTK
27572 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
27573 card->index);
27574 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27575 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27576 dev_kfree_skb_any(sb);
27577 break;
27578 }
27579 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
27580 ATM_SKB(sb)->vcc = vcc;
27581 __net_timestamp(sb);
27582 vcc->push(vcc, sb);
27583 - atomic_inc(&vcc->stats->rx);
27584 + atomic_inc_unchecked(&vcc->stats->rx);
27585 cell += ATM_CELL_PAYLOAD;
27586 }
27587
27588 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
27589 if (iovb == NULL) {
27590 printk("nicstar%d: Out of iovec buffers.\n",
27591 card->index);
27592 - atomic_inc(&vcc->stats->rx_drop);
27593 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27594 recycle_rx_buf(card, skb);
27595 return;
27596 }
27597 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
27598 small or large buffer itself. */
27599 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
27600 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27601 - atomic_inc(&vcc->stats->rx_err);
27602 + atomic_inc_unchecked(&vcc->stats->rx_err);
27603 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27604 NS_MAX_IOVECS);
27605 NS_PRV_IOVCNT(iovb) = 0;
27606 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
27607 ("nicstar%d: Expected a small buffer, and this is not one.\n",
27608 card->index);
27609 which_list(card, skb);
27610 - atomic_inc(&vcc->stats->rx_err);
27611 + atomic_inc_unchecked(&vcc->stats->rx_err);
27612 recycle_rx_buf(card, skb);
27613 vc->rx_iov = NULL;
27614 recycle_iov_buf(card, iovb);
27615 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
27616 ("nicstar%d: Expected a large buffer, and this is not one.\n",
27617 card->index);
27618 which_list(card, skb);
27619 - atomic_inc(&vcc->stats->rx_err);
27620 + atomic_inc_unchecked(&vcc->stats->rx_err);
27621 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27622 NS_PRV_IOVCNT(iovb));
27623 vc->rx_iov = NULL;
27624 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
27625 printk(" - PDU size mismatch.\n");
27626 else
27627 printk(".\n");
27628 - atomic_inc(&vcc->stats->rx_err);
27629 + atomic_inc_unchecked(&vcc->stats->rx_err);
27630 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27631 NS_PRV_IOVCNT(iovb));
27632 vc->rx_iov = NULL;
27633 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
27634 /* skb points to a small buffer */
27635 if (!atm_charge(vcc, skb->truesize)) {
27636 push_rxbufs(card, skb);
27637 - atomic_inc(&vcc->stats->rx_drop);
27638 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27639 } else {
27640 skb_put(skb, len);
27641 dequeue_sm_buf(card, skb);
27642 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
27643 ATM_SKB(skb)->vcc = vcc;
27644 __net_timestamp(skb);
27645 vcc->push(vcc, skb);
27646 - atomic_inc(&vcc->stats->rx);
27647 + atomic_inc_unchecked(&vcc->stats->rx);
27648 }
27649 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
27650 struct sk_buff *sb;
27651 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
27652 if (len <= NS_SMBUFSIZE) {
27653 if (!atm_charge(vcc, sb->truesize)) {
27654 push_rxbufs(card, sb);
27655 - atomic_inc(&vcc->stats->rx_drop);
27656 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27657 } else {
27658 skb_put(sb, len);
27659 dequeue_sm_buf(card, sb);
27660 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
27661 ATM_SKB(sb)->vcc = vcc;
27662 __net_timestamp(sb);
27663 vcc->push(vcc, sb);
27664 - atomic_inc(&vcc->stats->rx);
27665 + atomic_inc_unchecked(&vcc->stats->rx);
27666 }
27667
27668 push_rxbufs(card, skb);
27669 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
27670
27671 if (!atm_charge(vcc, skb->truesize)) {
27672 push_rxbufs(card, skb);
27673 - atomic_inc(&vcc->stats->rx_drop);
27674 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27675 } else {
27676 dequeue_lg_buf(card, skb);
27677 #ifdef NS_USE_DESTRUCTORS
27678 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
27679 ATM_SKB(skb)->vcc = vcc;
27680 __net_timestamp(skb);
27681 vcc->push(vcc, skb);
27682 - atomic_inc(&vcc->stats->rx);
27683 + atomic_inc_unchecked(&vcc->stats->rx);
27684 }
27685
27686 push_rxbufs(card, sb);
27687 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
27688 printk
27689 ("nicstar%d: Out of huge buffers.\n",
27690 card->index);
27691 - atomic_inc(&vcc->stats->rx_drop);
27692 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27693 recycle_iovec_rx_bufs(card,
27694 (struct iovec *)
27695 iovb->data,
27696 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
27697 card->hbpool.count++;
27698 } else
27699 dev_kfree_skb_any(hb);
27700 - atomic_inc(&vcc->stats->rx_drop);
27701 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27702 } else {
27703 /* Copy the small buffer to the huge buffer */
27704 sb = (struct sk_buff *)iov->iov_base;
27705 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
27706 #endif /* NS_USE_DESTRUCTORS */
27707 __net_timestamp(hb);
27708 vcc->push(vcc, hb);
27709 - atomic_inc(&vcc->stats->rx);
27710 + atomic_inc_unchecked(&vcc->stats->rx);
27711 }
27712 }
27713
27714 diff -urNp linux-2.6.39.3/drivers/atm/solos-pci.c linux-2.6.39.3/drivers/atm/solos-pci.c
27715 --- linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-19 00:06:34.000000000 -0400
27716 +++ linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-22 19:36:31.000000000 -0400
27717 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
27718 }
27719 atm_charge(vcc, skb->truesize);
27720 vcc->push(vcc, skb);
27721 - atomic_inc(&vcc->stats->rx);
27722 + atomic_inc_unchecked(&vcc->stats->rx);
27723 break;
27724
27725 case PKT_STATUS:
27726 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
27727 char msg[500];
27728 char item[10];
27729
27730 + pax_track_stack();
27731 +
27732 len = buf->len;
27733 for (i = 0; i < len; i++){
27734 if(i % 8 == 0)
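Review bot: The `pax_track_stack();` call added at the top of print_buffer() has no comment tying it to the local that makes this frame large, presumably `char msg[500]`. If that buffer is later shrunk or moved off the stack, the call will be left behind with nothing to show it is stale; a short note such as `/* large frame: msg[500] */` next to it would help. The same bare call is added in do_ida_request() in cpqarray.c, DAC960_V1_ReadDeviceConfiguration() in DAC960.c, and sock_xmit() and __nbd_ioctl() in nbd.c. print_buffer() continues outside this hunk.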
27735 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
27736 vcc = SKB_CB(oldskb)->vcc;
27737
27738 if (vcc) {
27739 - atomic_inc(&vcc->stats->tx);
27740 + atomic_inc_unchecked(&vcc->stats->tx);
27741 solos_pop(vcc, oldskb);
27742 } else
27743 dev_kfree_skb_irq(oldskb);
27744 diff -urNp linux-2.6.39.3/drivers/atm/suni.c linux-2.6.39.3/drivers/atm/suni.c
27745 --- linux-2.6.39.3/drivers/atm/suni.c 2011-05-19 00:06:34.000000000 -0400
27746 +++ linux-2.6.39.3/drivers/atm/suni.c 2011-05-22 19:36:31.000000000 -0400
27747 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27748
27749
27750 #define ADD_LIMITED(s,v) \
27751 - atomic_add((v),&stats->s); \
27752 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27753 + atomic_add_unchecked((v),&stats->s); \
27754 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27755
27756
27757 static void suni_hz(unsigned long from_timer)
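Review bot: ADD_LIMITED saturates by letting the counter go negative and then resetting it to INT_MAX, but nothing at the `#define` says that this wraparound is why the `_unchecked` accessors are needed. A comment such as `/* wraps on purpose, clamped to INT_MAX below; must stay unchecked */` would stop a later conversion back to the checked API from breaking the clamp. The macro also still expands to two bare statements, so wrapping the body in `do { ... } while (0)` would make it safe under an unbraced `if`; its call sites are outside this hunk. The comment suggestion applies equally to the ADD_LIMITED macro in uPD98402.c.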
27758 diff -urNp linux-2.6.39.3/drivers/atm/uPD98402.c linux-2.6.39.3/drivers/atm/uPD98402.c
27759 --- linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-19 00:06:34.000000000 -0400
27760 +++ linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-22 19:36:31.000000000 -0400
27761 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
27762 struct sonet_stats tmp;
27763 int error = 0;
27764
27765 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27766 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27767 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27768 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27769 if (zero && !error) {
27770 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
27771
27772
27773 #define ADD_LIMITED(s,v) \
27774 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27775 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27776 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27777 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27778 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27779 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27780
27781
27782 static void stat_event(struct atm_dev *dev)
27783 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
27784 if (reason & uPD98402_INT_PFM) stat_event(dev);
27785 if (reason & uPD98402_INT_PCO) {
27786 (void) GET(PCOCR); /* clear interrupt cause */
27787 - atomic_add(GET(HECCT),
27788 + atomic_add_unchecked(GET(HECCT),
27789 &PRIV(dev)->sonet_stats.uncorr_hcs);
27790 }
27791 if ((reason & uPD98402_INT_RFO) &&
27792 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
27793 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27794 uPD98402_INT_LOS),PIMR); /* enable them */
27795 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27796 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27797 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27798 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27799 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27800 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27801 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27802 return 0;
27803 }
27804
27805 diff -urNp linux-2.6.39.3/drivers/atm/zatm.c linux-2.6.39.3/drivers/atm/zatm.c
27806 --- linux-2.6.39.3/drivers/atm/zatm.c 2011-05-19 00:06:34.000000000 -0400
27807 +++ linux-2.6.39.3/drivers/atm/zatm.c 2011-05-22 19:36:31.000000000 -0400
27808 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27809 }
27810 if (!size) {
27811 dev_kfree_skb_irq(skb);
27812 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27813 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27814 continue;
27815 }
27816 if (!atm_charge(vcc,skb->truesize)) {
27817 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27818 skb->len = size;
27819 ATM_SKB(skb)->vcc = vcc;
27820 vcc->push(vcc,skb);
27821 - atomic_inc(&vcc->stats->rx);
27822 + atomic_inc_unchecked(&vcc->stats->rx);
27823 }
27824 zout(pos & 0xffff,MTA(mbx));
27825 #if 0 /* probably a stupid idea */
27826 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27827 skb_queue_head(&zatm_vcc->backlog,skb);
27828 break;
27829 }
27830 - atomic_inc(&vcc->stats->tx);
27831 + atomic_inc_unchecked(&vcc->stats->tx);
27832 wake_up(&zatm_vcc->tx_wait);
27833 }
27834
27835 diff -urNp linux-2.6.39.3/drivers/base/iommu.c linux-2.6.39.3/drivers/base/iommu.c
27836 --- linux-2.6.39.3/drivers/base/iommu.c 2011-05-19 00:06:34.000000000 -0400
27837 +++ linux-2.6.39.3/drivers/base/iommu.c 2011-05-22 19:36:31.000000000 -0400
27838 @@ -23,9 +23,8 @@
27839 #include <linux/errno.h>
27840 #include <linux/iommu.h>
27841
27842 -static struct iommu_ops *iommu_ops;
27843 -
27844 -void register_iommu(struct iommu_ops *ops)
27845 +static const struct iommu_ops *iommu_ops;
27846 +void register_iommu(const struct iommu_ops *ops)
27847 {
27848 if (iommu_ops)
27849 BUG();
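Review bot: The blank line between the `iommu_ops` declaration and `register_iommu()` is dropped, which runs a file-scope variable straight into a function definition and widens the diff against upstream for no functional gain; keep the separator. Note also that `const struct iommu_ops *iommu_ops` protects only the pointed-to table: the pointer variable itself stays writable, since register_iommu() has to assign it. A one-line comment saying the pointer is set once at registration would make that remaining writable state explicit. The body of register_iommu() continues outside this hunk.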
27850 diff -urNp linux-2.6.39.3/drivers/base/power/generic_ops.c linux-2.6.39.3/drivers/base/power/generic_ops.c
27851 --- linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-19 00:06:34.000000000 -0400
27852 +++ linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-22 19:36:31.000000000 -0400
27853 @@ -215,7 +215,7 @@ int pm_generic_restore(struct device *de
27854 EXPORT_SYMBOL_GPL(pm_generic_restore);
27855 #endif /* CONFIG_PM_SLEEP */
27856
27857 -struct dev_pm_ops generic_subsys_pm_ops = {
27858 +const struct dev_pm_ops generic_subsys_pm_ops = {
27859 #ifdef CONFIG_PM_SLEEP
27860 .suspend = pm_generic_suspend,
27861 .resume = pm_generic_resume,
27862 diff -urNp linux-2.6.39.3/drivers/base/power/wakeup.c linux-2.6.39.3/drivers/base/power/wakeup.c
27863 --- linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-19 00:06:34.000000000 -0400
27864 +++ linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-22 19:36:31.000000000 -0400
27865 @@ -29,14 +29,14 @@ bool events_check_enabled;
27866 * They need to be modified together atomically, so it's better to use one
27867 * atomic variable to hold them both.
27868 */
27869 -static atomic_t combined_event_count = ATOMIC_INIT(0);
27870 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
27871
27872 #define IN_PROGRESS_BITS (sizeof(int) * 4)
27873 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
27874
27875 static void split_counters(unsigned int *cnt, unsigned int *inpr)
27876 {
27877 - unsigned int comb = atomic_read(&combined_event_count);
27878 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
27879
27880 *cnt = (comb >> IN_PROGRESS_BITS);
27881 *inpr = comb & MAX_IN_PROGRESS;
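Review bot: `combined_event_count` becomes `atomic_unchecked_t`, but the comment above it is not updated to say why it is exempt from overflow checking. The variable packs two counters, split_counters() takes the upper half as the event count, and wakeup_source_deactivate() adds MAX_IN_PROGRESS so that a carry moves between the halves. The packed value is therefore presumably expected to pass INT_MAX in normal operation. Adding a line such as `/* packed pair of counters; the upper half wraps by design, so this must stay unchecked */` to the existing comment would record that.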
27882 @@ -351,7 +351,7 @@ static void wakeup_source_activate(struc
27883 ws->last_time = ktime_get();
27884
27885 /* Increment the counter of events in progress. */
27886 - atomic_inc(&combined_event_count);
27887 + atomic_inc_unchecked(&combined_event_count);
27888 }
27889
27890 /**
27891 @@ -441,7 +441,7 @@ static void wakeup_source_deactivate(str
27892 * Increment the counter of registered wakeup events and decrement the
27893 * couter of wakeup events in progress simultaneously.
27894 */
27895 - atomic_add(MAX_IN_PROGRESS, &combined_event_count);
27896 + atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
27897 }
27898
27899 /**
27900 diff -urNp linux-2.6.39.3/drivers/block/cciss.c linux-2.6.39.3/drivers/block/cciss.c
27901 --- linux-2.6.39.3/drivers/block/cciss.c 2011-05-19 00:06:34.000000000 -0400
27902 +++ linux-2.6.39.3/drivers/block/cciss.c 2011-05-22 19:41:32.000000000 -0400
27903 @@ -103,7 +103,7 @@ MODULE_DEVICE_TABLE(pci, cciss_pci_devic
27904 * product = Marketing Name for the board
27905 * access = Address of the struct of function pointers
27906 */
27907 -static struct board_type products[] = {
27908 +static const struct board_type products[] = {
27909 {0x40700E11, "Smart Array 5300", &SA5_access},
27910 {0x40800E11, "Smart Array 5i", &SA5B_access},
27911 {0x40820E11, "Smart Array 532", &SA5B_access},
27912 @@ -1151,6 +1151,8 @@ static int cciss_ioctl32_passthru(struct
27913 int err;
27914 u32 cp;
27915
27916 + memset(&arg64, 0, sizeof(arg64));
27917 +
27918 err = 0;
27919 err |=
27920 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
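Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment, and because the following lines fill `arg64` field by field, it looks redundant and could be removed in a later cleanup. Its purpose is presumably to keep uninitialised stack bytes (structure padding, or members not copied from `arg32`) out of whatever `arg64` is handed to next. The rest of cciss_ioctl32_passthru() is outside this hunk, so which bytes would otherwise stay unset cannot be confirmed here. A comment such as `/* zero padding and any member not copied from arg32 */` would make the intent explicit.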
27921 diff -urNp linux-2.6.39.3/drivers/block/cciss.h linux-2.6.39.3/drivers/block/cciss.h
27922 --- linux-2.6.39.3/drivers/block/cciss.h 2011-05-19 00:06:34.000000000 -0400
27923 +++ linux-2.6.39.3/drivers/block/cciss.h 2011-05-22 19:36:31.000000000 -0400
27924 @@ -393,7 +393,7 @@ static bool SA5_performant_intr_pending(
27925 return register_value & SA5_OUTDB_STATUS_PERF_BIT;
27926 }
27927
27928 -static struct access_method SA5_access = {
27929 +static const struct access_method SA5_access = {
27930 SA5_submit_command,
27931 SA5_intr_mask,
27932 SA5_fifo_full,
27933 @@ -401,7 +401,7 @@ static struct access_method SA5_access =
27934 SA5_completed,
27935 };
27936
27937 -static struct access_method SA5B_access = {
27938 +static const struct access_method SA5B_access = {
27939 SA5_submit_command,
27940 SA5B_intr_mask,
27941 SA5_fifo_full,
27942 @@ -409,7 +409,7 @@ static struct access_method SA5B_access
27943 SA5_completed,
27944 };
27945
27946 -static struct access_method SA5_performant_access = {
27947 +static const struct access_method SA5_performant_access = {
27948 SA5_submit_command,
27949 SA5_performant_intr_mask,
27950 SA5_fifo_full,
27951 @@ -420,7 +420,7 @@ static struct access_method SA5_performa
27952 struct board_type {
27953 __u32 board_id;
27954 char *product_name;
27955 - struct access_method *access;
27956 + const struct access_method *access;
27957 int nr_cmds; /* Max cmds this kind of ctlr can handle. */
27958 };
27959
27960 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.c linux-2.6.39.3/drivers/block/cpqarray.c
27961 --- linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-19 00:06:34.000000000 -0400
27962 +++ linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-22 19:36:31.000000000 -0400
27963 @@ -80,7 +80,7 @@ static int eisa[8];
27964 * product = Marketing Name for the board
27965 * access = Address of the struct of function pointers
27966 */
27967 -static struct board_type products[] = {
27968 +static const struct board_type products[] = {
27969 { 0x0040110E, "IDA", &smart1_access },
27970 { 0x0140110E, "IDA-2", &smart1_access },
27971 { 0x1040110E, "IAES", &smart1_access },
27972 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
27973 struct scatterlist tmp_sg[SG_MAX];
27974 int i, dir, seg;
27975
27976 + pax_track_stack();
27977 +
27978 queue_next:
27979 creq = blk_peek_request(q);
27980 if (!creq)
27981 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.h linux-2.6.39.3/drivers/block/cpqarray.h
27982 --- linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-19 00:06:34.000000000 -0400
27983 +++ linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-22 19:36:31.000000000 -0400
27984 @@ -69,7 +69,7 @@ struct access_method {
27985 struct board_type {
27986 __u32 board_id;
27987 char *product_name;
27988 - struct access_method *access;
27989 + const struct access_method *access;
27990 };
27991
27992 struct ctlr_info {
27993 diff -urNp linux-2.6.39.3/drivers/block/DAC960.c linux-2.6.39.3/drivers/block/DAC960.c
27994 --- linux-2.6.39.3/drivers/block/DAC960.c 2011-05-19 00:06:34.000000000 -0400
27995 +++ linux-2.6.39.3/drivers/block/DAC960.c 2011-05-22 19:36:31.000000000 -0400
27996 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27997 unsigned long flags;
27998 int Channel, TargetID;
27999
28000 + pax_track_stack();
28001 +
28002 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
28003 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
28004 sizeof(DAC960_SCSI_Inquiry_T) +
28005 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_int.h linux-2.6.39.3/drivers/block/drbd/drbd_int.h
28006 --- linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-19 00:06:34.000000000 -0400
28007 +++ linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-22 19:36:31.000000000 -0400
28008 @@ -736,7 +736,7 @@ struct drbd_request;
28009 struct drbd_epoch {
28010 struct list_head list;
28011 unsigned int barrier_nr;
28012 - atomic_t epoch_size; /* increased on every request added. */
28013 + atomic_unchecked_t epoch_size; /* increased on every request added. */
28014 atomic_t active; /* increased on every req. added, and dec on every finished. */
28015 unsigned long flags;
28016 };
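Review bot: `epoch_size` is switched to `atomic_unchecked_t` while the neighbouring `active` stays a checked `atomic_t`, and the field comment does not say why the two differ. In the hunks of this patch `epoch_size` is only incremented, read and reset to 0, but receive_Barrier() also waits for it to reach zero, so it is more than a statistic. A comment such as `/* plain per-epoch counter, reset to 0, not a reference count: exempt from overflow checking */` would record the reasoning and make it easier to revisit if the field's use changes.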
28017 @@ -1108,7 +1108,7 @@ struct drbd_conf {
28018 void *int_dig_in;
28019 void *int_dig_vv;
28020 wait_queue_head_t seq_wait;
28021 - atomic_t packet_seq;
28022 + atomic_unchecked_t packet_seq;
28023 unsigned int peer_seq;
28024 spinlock_t peer_seq_lock;
28025 unsigned int minor;
28026 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_main.c linux-2.6.39.3/drivers/block/drbd/drbd_main.c
28027 --- linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-19 00:06:34.000000000 -0400
28028 +++ linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-22 19:36:31.000000000 -0400
28029 @@ -2387,7 +2387,7 @@ static int _drbd_send_ack(struct drbd_co
28030 p.sector = sector;
28031 p.block_id = block_id;
28032 p.blksize = blksize;
28033 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
28034 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
28035
28036 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
28037 return false;
28038 @@ -2686,7 +2686,7 @@ int drbd_send_dblock(struct drbd_conf *m
28039 p.sector = cpu_to_be64(req->sector);
28040 p.block_id = (unsigned long)req;
28041 p.seq_num = cpu_to_be32(req->seq_num =
28042 - atomic_add_return(1, &mdev->packet_seq));
28043 + atomic_add_return_unchecked(1, &mdev->packet_seq));
28044
28045 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
28046
28047 @@ -2971,7 +2971,7 @@ void drbd_init_set_defaults(struct drbd_
28048 atomic_set(&mdev->unacked_cnt, 0);
28049 atomic_set(&mdev->local_cnt, 0);
28050 atomic_set(&mdev->net_cnt, 0);
28051 - atomic_set(&mdev->packet_seq, 0);
28052 + atomic_set_unchecked(&mdev->packet_seq, 0);
28053 atomic_set(&mdev->pp_in_use, 0);
28054 atomic_set(&mdev->pp_in_use_by_net, 0);
28055 atomic_set(&mdev->rs_sect_in, 0);
28056 @@ -3051,8 +3051,8 @@ void drbd_mdev_cleanup(struct drbd_conf
28057 mdev->receiver.t_state);
28058
28059 /* no need to lock it, I'm the only thread alive */
28060 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
28061 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
28062 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
28063 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
28064 mdev->al_writ_cnt =
28065 mdev->bm_writ_cnt =
28066 mdev->read_cnt =
28067 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_nl.c linux-2.6.39.3/drivers/block/drbd/drbd_nl.c
28068 --- linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-19 00:06:34.000000000 -0400
28069 +++ linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-22 19:36:31.000000000 -0400
28070 @@ -2298,7 +2298,7 @@ static void drbd_connector_callback(stru
28071 module_put(THIS_MODULE);
28072 }
28073
28074 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28075 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28076
28077 static unsigned short *
28078 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
28079 @@ -2369,7 +2369,7 @@ void drbd_bcast_state(struct drbd_conf *
28080 cn_reply->id.idx = CN_IDX_DRBD;
28081 cn_reply->id.val = CN_VAL_DRBD;
28082
28083 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28084 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28085 cn_reply->ack = 0; /* not used here. */
28086 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28087 (int)((char *)tl - (char *)reply->tag_list);
28088 @@ -2401,7 +2401,7 @@ void drbd_bcast_ev_helper(struct drbd_co
28089 cn_reply->id.idx = CN_IDX_DRBD;
28090 cn_reply->id.val = CN_VAL_DRBD;
28091
28092 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28093 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28094 cn_reply->ack = 0; /* not used here. */
28095 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28096 (int)((char *)tl - (char *)reply->tag_list);
28097 @@ -2479,7 +2479,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
28098 cn_reply->id.idx = CN_IDX_DRBD;
28099 cn_reply->id.val = CN_VAL_DRBD;
28100
28101 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
28102 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
28103 cn_reply->ack = 0; // not used here.
28104 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28105 (int)((char*)tl - (char*)reply->tag_list);
28106 @@ -2518,7 +2518,7 @@ void drbd_bcast_sync_progress(struct drb
28107 cn_reply->id.idx = CN_IDX_DRBD;
28108 cn_reply->id.val = CN_VAL_DRBD;
28109
28110 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28111 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28112 cn_reply->ack = 0; /* not used here. */
28113 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28114 (int)((char *)tl - (char *)reply->tag_list);
28115 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c
28116 --- linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-19 00:06:34.000000000 -0400
28117 +++ linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-22 19:36:31.000000000 -0400
28118 @@ -894,7 +894,7 @@ retry:
28119 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
28120 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
28121
28122 - atomic_set(&mdev->packet_seq, 0);
28123 + atomic_set_unchecked(&mdev->packet_seq, 0);
28124 mdev->peer_seq = 0;
28125
28126 drbd_thread_start(&mdev->asender);
28127 @@ -990,7 +990,7 @@ static enum finish_epoch drbd_may_finish
28128 do {
28129 next_epoch = NULL;
28130
28131 - epoch_size = atomic_read(&epoch->epoch_size);
28132 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
28133
28134 switch (ev & ~EV_CLEANUP) {
28135 case EV_PUT:
28136 @@ -1025,7 +1025,7 @@ static enum finish_epoch drbd_may_finish
28137 rv = FE_DESTROYED;
28138 } else {
28139 epoch->flags = 0;
28140 - atomic_set(&epoch->epoch_size, 0);
28141 + atomic_set_unchecked(&epoch->epoch_size, 0);
28142 /* atomic_set(&epoch->active, 0); is already zero */
28143 if (rv == FE_STILL_LIVE)
28144 rv = FE_RECYCLED;
28145 @@ -1196,14 +1196,14 @@ static int receive_Barrier(struct drbd_c
28146 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
28147 drbd_flush(mdev);
28148
28149 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28150 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28151 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
28152 if (epoch)
28153 break;
28154 }
28155
28156 epoch = mdev->current_epoch;
28157 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
28158 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
28159
28160 D_ASSERT(atomic_read(&epoch->active) == 0);
28161 D_ASSERT(epoch->flags == 0);
28162 @@ -1215,11 +1215,11 @@ static int receive_Barrier(struct drbd_c
28163 }
28164
28165 epoch->flags = 0;
28166 - atomic_set(&epoch->epoch_size, 0);
28167 + atomic_set_unchecked(&epoch->epoch_size, 0);
28168 atomic_set(&epoch->active, 0);
28169
28170 spin_lock(&mdev->epoch_lock);
28171 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28172 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28173 list_add(&epoch->list, &mdev->current_epoch->list);
28174 mdev->current_epoch = epoch;
28175 mdev->epochs++;
28176 @@ -1668,7 +1668,7 @@ static int receive_Data(struct drbd_conf
28177 spin_unlock(&mdev->peer_seq_lock);
28178
28179 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
28180 - atomic_inc(&mdev->current_epoch->epoch_size);
28181 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
28182 return drbd_drain_block(mdev, data_size);
28183 }
28184
28185 @@ -1694,7 +1694,7 @@ static int receive_Data(struct drbd_conf
28186
28187 spin_lock(&mdev->epoch_lock);
28188 e->epoch = mdev->current_epoch;
28189 - atomic_inc(&e->epoch->epoch_size);
28190 + atomic_inc_unchecked(&e->epoch->epoch_size);
28191 atomic_inc(&e->epoch->active);
28192 spin_unlock(&mdev->epoch_lock);
28193
28194 @@ -3905,7 +3905,7 @@ static void drbd_disconnect(struct drbd_
28195 D_ASSERT(list_empty(&mdev->done_ee));
28196
28197 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
28198 - atomic_set(&mdev->current_epoch->epoch_size, 0);
28199 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
28200 D_ASSERT(list_empty(&mdev->current_epoch->list));
28201 }
28202
28203 diff -urNp linux-2.6.39.3/drivers/block/nbd.c linux-2.6.39.3/drivers/block/nbd.c
28204 --- linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 12:55:22.000000000 -0400
28205 +++ linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 13:00:25.000000000 -0400
28206 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
28207 struct kvec iov;
28208 sigset_t blocked, oldset;
28209
28210 + pax_track_stack();
28211 +
28212 if (unlikely(!sock)) {
28213 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28214 lo->disk->disk_name, (send ? "send" : "recv"));
28215 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
28216 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28217 unsigned int cmd, unsigned long arg)
28218 {
28219 + pax_track_stack();
28220 +
28221 switch (cmd) {
28222 case NBD_DISCONNECT: {
28223 struct request sreq;
28224 diff -urNp linux-2.6.39.3/drivers/block/smart1,2.h linux-2.6.39.3/drivers/block/smart1,2.h
28225 --- linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-19 00:06:34.000000000 -0400
28226 +++ linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-22 19:36:31.000000000 -0400
28227 @@ -107,7 +107,7 @@ static unsigned long smart4_intr_pending
28228 return 0 ;
28229 }
28230
28231 -static struct access_method smart4_access = {
28232 +static const struct access_method smart4_access = {
28233 smart4_submit_command,
28234 smart4_intr_mask,
28235 smart4_fifo_full,
28236 @@ -143,7 +143,7 @@ static unsigned long smart2_intr_pending
28237 return readl(h->vaddr + INTR_PENDING);
28238 }
28239
28240 -static struct access_method smart2_access = {
28241 +static const struct access_method smart2_access = {
28242 smart2_submit_command,
28243 smart2_intr_mask,
28244 smart2_fifo_full,
28245 @@ -179,7 +179,7 @@ static unsigned long smart2e_intr_pendin
28246 return inl(h->io_mem_addr + INTR_PENDING);
28247 }
28248
28249 -static struct access_method smart2e_access = {
28250 +static const struct access_method smart2e_access = {
28251 smart2e_submit_command,
28252 smart2e_intr_mask,
28253 smart2e_fifo_full,
28254 @@ -269,7 +269,7 @@ static unsigned long smart1_intr_pending
28255 return chan;
28256 }
28257
28258 -static struct access_method smart1_access = {
28259 +static const struct access_method smart1_access = {
28260 smart1_submit_command,
28261 smart1_intr_mask,
28262 smart1_fifo_full,
28263 diff -urNp linux-2.6.39.3/drivers/block/xsysace.c linux-2.6.39.3/drivers/block/xsysace.c
28264 --- linux-2.6.39.3/drivers/block/xsysace.c 2011-05-19 00:06:34.000000000 -0400
28265 +++ linux-2.6.39.3/drivers/block/xsysace.c 2011-05-22 19:36:31.000000000 -0400
28266 @@ -262,7 +262,7 @@ static void ace_dataout_8(struct ace_dev
28267 ace->data_ptr = src;
28268 }
28269
28270 -static struct ace_reg_ops ace_reg_8_ops = {
28271 +static const struct ace_reg_ops ace_reg_8_ops = {
28272 .in = ace_in_8,
28273 .out = ace_out_8,
28274 .datain = ace_datain_8,
28275 @@ -327,14 +327,14 @@ static void ace_dataout_le16(struct ace_
28276 ace->data_ptr = src;
28277 }
28278
28279 -static struct ace_reg_ops ace_reg_be16_ops = {
28280 +static const struct ace_reg_ops ace_reg_be16_ops = {
28281 .in = ace_in_be16,
28282 .out = ace_out_be16,
28283 .datain = ace_datain_be16,
28284 .dataout = ace_dataout_be16,
28285 };
28286
28287 -static struct ace_reg_ops ace_reg_le16_ops = {
28288 +static const struct ace_reg_ops ace_reg_le16_ops = {
28289 .in = ace_in_le16,
28290 .out = ace_out_le16,
28291 .datain = ace_datain_le16,
28292 diff -urNp linux-2.6.39.3/drivers/char/agp/frontend.c linux-2.6.39.3/drivers/char/agp/frontend.c
28293 --- linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-19 00:06:34.000000000 -0400
28294 +++ linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-22 19:36:31.000000000 -0400
28295 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
28296 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
28297 return -EFAULT;
28298
28299 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
28300 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
28301 return -EFAULT;
28302
28303 client = agp_find_client_by_pid(reserve.pid);
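Review bot: Nothing next to the changed bound says why `struct agp_segment_priv` is the right divisor, and the allocation it protects is outside this hunk. If, as the change implies, the kernel-side array built from `reserve.seg_count` uses the larger private struct, a comment such as `/* bound seg_count by the largest per-segment allocation made from it (agp_segment_priv) */` would keep the two in step. `agpioc_reserve_wrap` continues past the hunk, so the allocation sites should be checked against this limit.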
28304 diff -urNp linux-2.6.39.3/drivers/char/briq_panel.c linux-2.6.39.3/drivers/char/briq_panel.c
28305 --- linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-19 00:06:34.000000000 -0400
28306 +++ linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-22 19:41:32.000000000 -0400
28307 @@ -9,6 +9,7 @@
28308 #include <linux/types.h>
28309 #include <linux/errno.h>
28310 #include <linux/tty.h>
28311 +#include <linux/mutex.h>
28312 #include <linux/timer.h>
28313 #include <linux/kernel.h>
28314 #include <linux/wait.h>
28315 @@ -34,6 +35,7 @@ static int vfd_is_open;
28316 static unsigned char vfd[40];
28317 static int vfd_cursor;
28318 static unsigned char ledpb, led;
28319 +static DEFINE_MUTEX(vfd_mutex);
28320
28321 static void update_vfd(void)
28322 {
28323 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
28324 if (!vfd_is_open)
28325 return -EBUSY;
28326
28327 + mutex_lock(&vfd_mutex);
28328 for (;;) {
28329 char c;
28330 if (!indx)
28331 break;
28332 - if (get_user(c, buf))
28333 + if (get_user(c, buf)) {
28334 + mutex_unlock(&vfd_mutex);
28335 return -EFAULT;
28336 + }
28337 if (esc) {
28338 set_led(c);
28339 esc = 0;
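Review bot: The fault path inside the loop now carries its own `mutex_unlock(&vfd_mutex)` while the normal unlock sits in the following hunk, so any early return added to `briq_panel_write` later can leak the lock. A single exit keeps lock and unlock paired: `ret = -EFAULT; goto out;` in the loop and `out: mutex_unlock(&vfd_mutex); return ret;` at the end, with `ret` initialised to `len` and the label placed after `update_vfd()` so the fault path still skips it as it does now. The `vfd_is_open` test stays outside the lock, and the mutex only serialises access if every other path touching `vfd`/`vfd_cursor` takes it; those paths are not visible here.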
28340 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
28341 buf++;
28342 }
28343 update_vfd();
28344 + mutex_unlock(&vfd_mutex);
28345
28346 return len;
28347 }
28348 diff -urNp linux-2.6.39.3/drivers/char/genrtc.c linux-2.6.39.3/drivers/char/genrtc.c
28349 --- linux-2.6.39.3/drivers/char/genrtc.c 2011-05-19 00:06:34.000000000 -0400
28350 +++ linux-2.6.39.3/drivers/char/genrtc.c 2011-05-22 19:41:32.000000000 -0400
28351 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
28352 switch (cmd) {
28353
28354 case RTC_PLL_GET:
28355 + memset(&pll, 0, sizeof(pll));
28356 if (get_rtc_pll(&pll))
28357 return -EINVAL;
28358 else
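Review bot: The added `memset(&pll, 0, sizeof(pll))` has no comment, and its purpose is easy to miss. Presumably `pll` is copied to user space in the `else` branch that continues below the hunk, so clearing it keeps padding and any field `get_rtc_pll()` leaves unset from carrying stale kernel stack contents. I would add `/* pll goes to user space: clear padding and unset fields first */` above the call.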
28359 diff -urNp linux-2.6.39.3/drivers/char/hpet.c linux-2.6.39.3/drivers/char/hpet.c
28360 --- linux-2.6.39.3/drivers/char/hpet.c 2011-05-19 00:06:34.000000000 -0400
28361 +++ linux-2.6.39.3/drivers/char/hpet.c 2011-05-22 19:36:31.000000000 -0400
28362 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
28363 }
28364
28365 static int
28366 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
28367 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
28368 struct hpet_info *info)
28369 {
28370 struct hpet_timer __iomem *timer;
28371 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c
28372 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-19 00:06:34.000000000 -0400
28373 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-22 19:36:31.000000000 -0400
28374 @@ -109,8 +109,7 @@ static int ipmi_fasync(int fd, struct fi
28375 return (result);
28376 }
28377
28378 -static struct ipmi_user_hndl ipmi_hndlrs =
28379 -{
28380 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28381 .ipmi_recv_hndl = file_receive_handler,
28382 };
28383
28384 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c
28385 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-19 00:06:34.000000000 -0400
28386 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-22 19:36:31.000000000 -0400
28387 @@ -82,7 +82,7 @@ struct ipmi_user {
28388 struct kref refcount;
28389
28390 /* The upper layer that handles receive messages. */
28391 - struct ipmi_user_hndl *handler;
28392 + const struct ipmi_user_hndl *handler;
28393 void *handler_data;
28394
28395 /* The interface this user is bound to. */
28396 @@ -414,7 +414,7 @@ struct ipmi_smi {
28397 struct proc_dir_entry *proc_dir;
28398 char proc_dir_name[10];
28399
28400 - atomic_t stats[IPMI_NUM_STATS];
28401 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28402
28403 /*
28404 * run_to_completion duplicate of smb_info, smi_info
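Review bot: The switch of `stats[]` to `atomic_unchecked_t` is not explained at the declaration. These look like pure statistics counters (the next hunk only increments and reads them through `ipmi_inc_stat`/`ipmi_get_stat`), where wrap-around is harmless, which is presumably why they are opted out of overflow detection. A comment such as `/* statistics only, may wrap: not a reference count */` would stop someone from copying the `_unchecked` type onto a real reference count. The same applies to `smi_info.stats` in ipmi_si_intf.c, the two PCI parity counters in edac_pci_sysfs.c and `irq_err_count` in vr41xx_giu.c.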
28405 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28406
28407
28408 #define ipmi_inc_stat(intf, stat) \
28409 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28410 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28411 #define ipmi_get_stat(intf, stat) \
28412 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28413 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28414
28415 static int is_lan_addr(struct ipmi_addr *addr)
28416 {
28417 @@ -875,7 +875,7 @@ static int intf_err_seq(ipmi_smi_t int
28418
28419
28420 int ipmi_create_user(unsigned int if_num,
28421 - struct ipmi_user_hndl *handler,
28422 + const struct ipmi_user_hndl *handler,
28423 void *handler_data,
28424 ipmi_user_t *user)
28425 {
28426 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28427 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28428 init_waitqueue_head(&intf->waitq);
28429 for (i = 0; i < IPMI_NUM_STATS; i++)
28430 - atomic_set(&intf->stats[i], 0);
28431 + atomic_set_unchecked(&intf->stats[i], 0);
28432
28433 intf->proc_dir = NULL;
28434
28435 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
28436 struct ipmi_smi_msg smi_msg;
28437 struct ipmi_recv_msg recv_msg;
28438
28439 + pax_track_stack();
28440 +
28441 si = (struct ipmi_system_interface_addr *) &addr;
28442 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28443 si->channel = IPMI_BMC_CHANNEL;
28444 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c
28445 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-19 00:06:34.000000000 -0400
28446 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-22 19:36:31.000000000 -0400
28447 @@ -133,7 +133,7 @@ static void receive_handler(struct ipmi_
28448 complete(comp);
28449 }
28450
28451 -static struct ipmi_user_hndl ipmi_poweroff_handler = {
28452 +static const struct ipmi_user_hndl ipmi_poweroff_handler = {
28453 .ipmi_recv_hndl = receive_handler
28454 };
28455
28456 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c
28457 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-19 00:06:34.000000000 -0400
28458 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-22 19:36:31.000000000 -0400
28459 @@ -276,7 +276,7 @@ struct smi_info {
28460 unsigned char slave_addr;
28461
28462 /* Counters and things for the proc filesystem. */
28463 - atomic_t stats[SI_NUM_STATS];
28464 + atomic_unchecked_t stats[SI_NUM_STATS];
28465
28466 struct task_struct *thread;
28467
28468 @@ -285,9 +285,9 @@ struct smi_info {
28469 };
28470
28471 #define smi_inc_stat(smi, stat) \
28472 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28473 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28474 #define smi_get_stat(smi, stat) \
28475 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28476 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28477
28478 #define SI_MAX_PARMS 4
28479
28480 @@ -3198,7 +3198,7 @@ static int try_smi_init(struct smi_info
28481 atomic_set(&new_smi->req_events, 0);
28482 new_smi->run_to_completion = 0;
28483 for (i = 0; i < SI_NUM_STATS; i++)
28484 - atomic_set(&new_smi->stats[i], 0);
28485 + atomic_set_unchecked(&new_smi->stats[i], 0);
28486
28487 new_smi->interrupt_disabled = 1;
28488 atomic_set(&new_smi->stop_operation, 0);
28489 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c
28490 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-19 00:06:34.000000000 -0400
28491 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-22 19:36:31.000000000 -0400
28492 @@ -216,7 +216,7 @@ static int set_param_timeout(const char
28493 return rv;
28494 }
28495
28496 -static struct kernel_param_ops param_ops_timeout = {
28497 +static const struct kernel_param_ops param_ops_timeout = {
28498 .set = set_param_timeout,
28499 .get = param_get_int,
28500 };
28501 @@ -278,14 +278,14 @@ static int set_param_wdog_ifnum(const ch
28502 return 0;
28503 }
28504
28505 -static struct kernel_param_ops param_ops_wdog_ifnum = {
28506 +static const struct kernel_param_ops param_ops_wdog_ifnum = {
28507 .set = set_param_wdog_ifnum,
28508 .get = param_get_int,
28509 };
28510
28511 #define param_check_wdog_ifnum param_check_int
28512
28513 -static struct kernel_param_ops param_ops_str = {
28514 +static const struct kernel_param_ops param_ops_str = {
28515 .set = set_param_str,
28516 .get = get_param_str,
28517 };
28518 @@ -953,7 +953,7 @@ static void ipmi_wdog_pretimeout_handler
28519 pretimeout_since_last_heartbeat = 1;
28520 }
28521
28522 -static struct ipmi_user_hndl ipmi_hndlrs = {
28523 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28524 .ipmi_recv_hndl = ipmi_wdog_msg_handler,
28525 .ipmi_watchdog_pretimeout = ipmi_wdog_pretimeout_handler
28526 };
28527 diff -urNp linux-2.6.39.3/drivers/char/Kconfig linux-2.6.39.3/drivers/char/Kconfig
28528 --- linux-2.6.39.3/drivers/char/Kconfig 2011-05-19 00:06:34.000000000 -0400
28529 +++ linux-2.6.39.3/drivers/char/Kconfig 2011-05-22 19:41:37.000000000 -0400
28530 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
28531
28532 config DEVKMEM
28533 bool "/dev/kmem virtual device support"
28534 - default y
28535 + default n
28536 + depends on !GRKERNSEC_KMEM
28537 help
28538 Say Y here if you want to support the /dev/kmem device. The
28539 /dev/kmem device is rarely used, but can be used for certain
28540 @@ -596,6 +597,7 @@ config DEVPORT
28541 bool
28542 depends on !M68K
28543 depends on ISA || PCI
28544 + depends on !GRKERNSEC_KMEM
28545 default y
28546
28547 source "drivers/s390/char/Kconfig"
28548 diff -urNp linux-2.6.39.3/drivers/char/mem.c linux-2.6.39.3/drivers/char/mem.c
28549 --- linux-2.6.39.3/drivers/char/mem.c 2011-05-19 00:06:34.000000000 -0400
28550 +++ linux-2.6.39.3/drivers/char/mem.c 2011-05-22 19:41:37.000000000 -0400
28551 @@ -18,6 +18,7 @@
28552 #include <linux/raw.h>
28553 #include <linux/tty.h>
28554 #include <linux/capability.h>
28555 +#include <linux/security.h>
28556 #include <linux/ptrace.h>
28557 #include <linux/device.h>
28558 #include <linux/highmem.h>
28559 @@ -34,6 +35,10 @@
28560 # include <linux/efi.h>
28561 #endif
28562
28563 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28564 +extern struct file_operations grsec_fops;
28565 +#endif
28566 +
28567 static inline unsigned long size_inside_page(unsigned long start,
28568 unsigned long size)
28569 {
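Review bot: `grsec_fops` is declared non-const with a bare `extern` in this .c file, while the rest of the patch constifies operation tables. If the definition (not on this page) allows it, `extern const struct file_operations grsec_fops;` in a shared header would keep the table read-only and let the compiler check the declaration against the definition. The hunk ends inside `size_inside_page`, which is otherwise untouched.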
28570 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
28571
28572 while (cursor < to) {
28573 if (!devmem_is_allowed(pfn)) {
28574 +#ifdef CONFIG_GRKERNSEC_KMEM
28575 + gr_handle_mem_readwrite(from, to);
28576 +#else
28577 printk(KERN_INFO
28578 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28579 current->comm, from, to);
28580 +#endif
28581 return 0;
28582 }
28583 cursor += PAGE_SIZE;
28584 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
28585 }
28586 return 1;
28587 }
28588 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28589 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28590 +{
28591 + return 0;
28592 +}
28593 #else
28594 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28595 {
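Review bot: The new `CONFIG_GRKERNSEC_KMEM` stub of `range_is_allowed()` refuses every range without a log line, whereas the branch patched in the previous hunk reports a refusal through `gr_handle_mem_readwrite()`. If denied /dev/mem accesses are meant to be auditable in both configurations, the stub should report as well. Otherwise a comment such as `/* GRKERNSEC_KMEM: deny every /dev/mem range, intentionally without logging */` would document that the silence is intended. The `#else` variant continues below the hunk.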
28596 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
28597
28598 while (count > 0) {
28599 unsigned long remaining;
28600 + char *temp;
28601
28602 sz = size_inside_page(p, count);
28603
28604 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
28605 if (!ptr)
28606 return -EFAULT;
28607
28608 - remaining = copy_to_user(buf, ptr, sz);
28609 +#ifdef CONFIG_PAX_USERCOPY
28610 + temp = kmalloc(sz, GFP_KERNEL);
28611 + if (!temp) {
28612 + unxlate_dev_mem_ptr(p, ptr);
28613 + return -ENOMEM;
28614 + }
28615 + memcpy(temp, ptr, sz);
28616 +#else
28617 + temp = ptr;
28618 +#endif
28619 +
28620 + remaining = copy_to_user(buf, temp, sz);
28621 +
28622 +#ifdef CONFIG_PAX_USERCOPY
28623 + kfree(temp);
28624 +#endif
28625 +
28626 unxlate_dev_mem_ptr(p, ptr);
28627 if (remaining)
28628 return -EFAULT;
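Review bot: With `CONFIG_PAX_USERCOPY` the loop body now does a `kmalloc(sz, GFP_KERNEL)`/`kfree()` pair on every step, and the reason for the bounce copy is not stated. Allocating one buffer before the `while (count > 0)` loop (each step appears to be limited to a page by `size_inside_page()`) and freeing it on the exit paths would avoid the repeated allocation and the mid-read `-ENOMEM`, which, like the existing `-EFAULT` returns, reports an error even when earlier iterations already copied data. A comment along the lines of `/* copy via a slab buffer so the usercopy check sees a kmalloc object, not the raw mapping */` would record the intent, if that is the intent. The `read_kmem` hunk further down repeats the pattern; both loops begin outside their hunks.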
28629 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
28630 size_t count, loff_t *ppos)
28631 {
28632 unsigned long p = *ppos;
28633 - ssize_t low_count, read, sz;
28634 + ssize_t low_count, read, sz, err = 0;
28635 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28636 - int err = 0;
28637
28638 read = 0;
28639 if (p < (unsigned long) high_memory) {
28640 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
28641 }
28642 #endif
28643 while (low_count > 0) {
28644 + char *temp;
28645 +
28646 sz = size_inside_page(p, low_count);
28647
28648 /*
28649 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
28650 */
28651 kbuf = xlate_dev_kmem_ptr((char *)p);
28652
28653 - if (copy_to_user(buf, kbuf, sz))
28654 +#ifdef CONFIG_PAX_USERCOPY
28655 + temp = kmalloc(sz, GFP_KERNEL);
28656 + if (!temp)
28657 + return -ENOMEM;
28658 + memcpy(temp, kbuf, sz);
28659 +#else
28660 + temp = kbuf;
28661 +#endif
28662 +
28663 + err = copy_to_user(buf, temp, sz);
28664 +
28665 +#ifdef CONFIG_PAX_USERCOPY
28666 + kfree(temp);
28667 +#endif
28668 +
28669 + if (err)
28670 return -EFAULT;
28671 buf += sz;
28672 p += sz;
28673 @@ -854,6 +901,9 @@ static const struct memdev {
28674 #ifdef CONFIG_CRASH_DUMP
28675 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28676 #endif
28677 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28678 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28679 +#endif
28680 };
28681
28682 static int memory_open(struct inode *inode, struct file *filp)
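Review bot: The new `[13]` entry creates the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing here says that is deliberate. That makes the write handler in `grsec_fops` (defined outside this page) reachable by unprivileged processes, so it has to treat every byte as untrusted. A comment such as `/* world-writable by design: the write handler authenticates the caller */` should state the reason, with the wording confirmed against the handler. There is also a missing space after the comma in `"grsec",S_IRUSR`.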
28683 diff -urNp linux-2.6.39.3/drivers/char/mmtimer.c linux-2.6.39.3/drivers/char/mmtimer.c
28684 --- linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-19 00:06:34.000000000 -0400
28685 +++ linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-22 19:36:31.000000000 -0400
28686 @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
28687
28688 #define RTC_BITS 55 /* 55 bits for this implementation */
28689
28690 -static struct k_clock sgi_clock;
28691 +static const struct k_clock sgi_clock;
28692
28693 extern unsigned long sn_rtc_cycles_per_second;
28694
28695 @@ -772,7 +772,7 @@ static int sgi_clock_getres(const clocki
28696 return 0;
28697 }
28698
28699 -static struct k_clock sgi_clock = {
28700 +static const struct k_clock sgi_clock = {
28701 .clock_set = sgi_clock_set,
28702 .clock_get = sgi_clock_get,
28703 .clock_getres = sgi_clock_getres,
28704 diff -urNp linux-2.6.39.3/drivers/char/nvram.c linux-2.6.39.3/drivers/char/nvram.c
28705 --- linux-2.6.39.3/drivers/char/nvram.c 2011-05-19 00:06:34.000000000 -0400
28706 +++ linux-2.6.39.3/drivers/char/nvram.c 2011-05-22 19:36:31.000000000 -0400
28707 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
28708
28709 spin_unlock_irq(&rtc_lock);
28710
28711 - if (copy_to_user(buf, contents, tmp - contents))
28712 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
28713 return -EFAULT;
28714
28715 *ppos = i;
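Review bot: The added `tmp - contents > sizeof(contents)` test runs after `contents` has been filled, so it can stop an over-long copy to user space but not an overrun of the buffer itself; the fill loop is above the hunk and should carry the real bound. The comparison also mixes a signed pointer difference with `size_t`; it rejects a negative difference only because of the unsigned conversion, which is worth making explicit, e.g. `(size_t)(tmp - contents) > sizeof(contents)`. Returning `-EFAULT` for what would be an internal inconsistency may mislead callers into blaming their buffer.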
28716 diff -urNp linux-2.6.39.3/drivers/char/random.c linux-2.6.39.3/drivers/char/random.c
28717 --- linux-2.6.39.3/drivers/char/random.c 2011-05-19 00:06:34.000000000 -0400
28718 +++ linux-2.6.39.3/drivers/char/random.c 2011-05-22 19:41:37.000000000 -0400
28719 @@ -261,8 +261,13 @@
28720 /*
28721 * Configuration information
28722 */
28723 +#ifdef CONFIG_GRKERNSEC_RANDNET
28724 +#define INPUT_POOL_WORDS 512
28725 +#define OUTPUT_POOL_WORDS 128
28726 +#else
28727 #define INPUT_POOL_WORDS 128
28728 #define OUTPUT_POOL_WORDS 32
28729 +#endif
28730 #define SEC_XFER_SIZE 512
28731 #define EXTRACT_SIZE 10
28732
28733 @@ -300,10 +305,17 @@ static struct poolinfo {
28734 int poolwords;
28735 int tap1, tap2, tap3, tap4, tap5;
28736 } poolinfo_table[] = {
28737 +#ifdef CONFIG_GRKERNSEC_RANDNET
28738 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28739 + { 512, 411, 308, 208, 104, 1 },
28740 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28741 + { 128, 103, 76, 51, 25, 1 },
28742 +#else
28743 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28744 { 128, 103, 76, 51, 25, 1 },
28745 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28746 { 32, 26, 20, 14, 7, 1 },
28747 +#endif
28748 #if 0
28749 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28750 { 2048, 1638, 1231, 819, 411, 1 },
28751 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
28752
28753 extract_buf(r, tmp);
28754 i = min_t(int, nbytes, EXTRACT_SIZE);
28755 - if (copy_to_user(buf, tmp, i)) {
28756 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
28757 ret = -EFAULT;
28758 break;
28759 }
28760 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28761 #include <linux/sysctl.h>
28762
28763 static int min_read_thresh = 8, min_write_thresh;
28764 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28765 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28766 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28767 static char sysctl_bootid[16];
28768
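Review bot: `max_read_thresh` now follows `OUTPUT_POOL_WORDS`, which changes the limit on kernels built without `CONFIG_GRKERNSEC_RANDNET`: with the `#else` values from the first random.c hunk it drops from 128 * 32 = 4096 to 32 * 32 = 1024. With RANDNET set it is 128 * 32 = 4096, so the change looks aimed at keeping the old ceiling in that configuration. If the smaller ceiling in the default configuration is unintended, `INPUT_POOL_WORDS` should stay in use for the `#else` case. Either way, a comment stating which pool the threshold is measured against would help. The sysctl table that consumes this bound is outside the hunk.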
28769 diff -urNp linux-2.6.39.3/drivers/char/sonypi.c linux-2.6.39.3/drivers/char/sonypi.c
28770 --- linux-2.6.39.3/drivers/char/sonypi.c 2011-05-19 00:06:34.000000000 -0400
28771 +++ linux-2.6.39.3/drivers/char/sonypi.c 2011-05-22 19:36:31.000000000 -0400
28772 @@ -55,6 +55,7 @@
28773 #include <asm/uaccess.h>
28774 #include <asm/io.h>
28775 #include <asm/system.h>
28776 +#include <asm/local.h>
28777
28778 #include <linux/sonypi.h>
28779
28780 @@ -491,7 +492,7 @@ static struct sonypi_device {
28781 spinlock_t fifo_lock;
28782 wait_queue_head_t fifo_proc_list;
28783 struct fasync_struct *fifo_async;
28784 - int open_count;
28785 + local_t open_count;
28786 int model;
28787 struct input_dev *input_jog_dev;
28788 struct input_dev *input_key_dev;
28789 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
28790 static int sonypi_misc_release(struct inode *inode, struct file *file)
28791 {
28792 mutex_lock(&sonypi_device.lock);
28793 - sonypi_device.open_count--;
28794 + local_dec(&sonypi_device.open_count);
28795 mutex_unlock(&sonypi_device.lock);
28796 return 0;
28797 }
28798 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
28799 {
28800 mutex_lock(&sonypi_device.lock);
28801 /* Flush input queue on first open */
28802 - if (!sonypi_device.open_count)
28803 + if (!local_read(&sonypi_device.open_count))
28804 kfifo_reset(&sonypi_device.fifo);
28805 - sonypi_device.open_count++;
28806 + local_inc(&sonypi_device.open_count);
28807 mutex_unlock(&sonypi_device.lock);
28808
28809 return 0;
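Review bot: `open_count` becomes a `local_t` here and in the two preceding sonypi.c hunks, but nothing documents why that type was chosen. Every access visible in these hunks is made under `sonypi_device.lock`, so the mutex is what makes the updates safe. If the mutex is the intended protection, a comment on the field would say so: `/* open_count: always accessed under sonypi_device.lock */`. If atomicity independent of the lock is the goal, `atomic_t` with `atomic_inc`/`atomic_dec` is the conventional choice.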
28810 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm_bios.c linux-2.6.39.3/drivers/char/tpm/tpm_bios.c
28811 --- linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-19 00:06:34.000000000 -0400
28812 +++ linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-22 19:36:31.000000000 -0400
28813 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
28814 event = addr;
28815
28816 if ((event->event_type == 0 && event->event_size == 0) ||
28817 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28818 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28819 return NULL;
28820
28821 return addr;
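Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the overflow of the old sum, but it is only sound when at least `sizeof(struct tcpa_event)` bytes remain before `limit`; otherwise the right-hand side wraps to a very large value and the test passes. That precondition is presumably established earlier in `tpm_bios_measurements_start` (above the hunk), and `event` has already been dereferenced by this point. A comment like `/* header is known to fit: addr + sizeof(struct tcpa_event) < limit was checked above */` should pin it, once confirmed. The same applies to the `v`-based check in `tpm_bios_measurements_next` in the next hunk.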
28822 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
28823 return NULL;
28824
28825 if ((event->event_type == 0 && event->event_size == 0) ||
28826 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28827 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28828 return NULL;
28829
28830 (*pos)++;
28831 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
28832 int i;
28833
28834 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28835 - seq_putc(m, data[i]);
28836 + if (!seq_putc(m, data[i]))
28837 + return -EFAULT;
28838
28839 return 0;
28840 }
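Review bot: The new test `if (!seq_putc(m, data[i])) return -EFAULT;` treats a zero return as failure; if `seq_putc()` in this tree follows the usual 0-on-success convention (its definition is not on this page), the show routine now fails on the first byte it emits. In that case the condition should be `if (seq_putc(m, data[i]))`. It is also worth checking whether returning an error on a full seq buffer interferes with seq_file's own overflow handling, which normally retries with a larger buffer. The `for` body is a nested `if` without braces; bracing it would make the early return easier to see.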
28841 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
28842 log->bios_event_log_end = log->bios_event_log + len;
28843
28844 virt = acpi_os_map_memory(start, len);
28845 + if (!virt) {
28846 + kfree(log->bios_event_log);
28847 + log->bios_event_log = NULL;
28848 + return -EFAULT;
28849 + }
28850
28851 memcpy(log->bios_event_log, virt, len);
28852
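Review bot: On the new failure path `log->bios_event_log` is freed and set to NULL, but `log->bios_event_log_end`, assigned on the first line of this hunk, is left pointing past the freed buffer. Clearing it as well, `log->bios_event_log_end = NULL;`, keeps the pair consistent for any caller that inspects the log after an error. `-ENOMEM` or `-EIO` would describe a failed mapping better than `-EFAULT`, unless callers depend on the value. `read_log` continues beyond the hunk.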
28853 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm.c linux-2.6.39.3/drivers/char/tpm/tpm.c
28854 --- linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-19 00:06:34.000000000 -0400
28855 +++ linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-22 19:36:31.000000000 -0400
28856 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
28857 chip->vendor.req_complete_val)
28858 goto out_recv;
28859
28860 - if ((status == chip->vendor.req_canceled)) {
28861 + if (status == chip->vendor.req_canceled) {
28862 dev_err(chip->dev, "Operation Canceled\n");
28863 rc = -ECANCELED;
28864 goto out;
28865 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
28866
28867 struct tpm_chip *chip = dev_get_drvdata(dev);
28868
28869 + pax_track_stack();
28870 +
28871 tpm_cmd.header.in = tpm_readpubek_header;
28872 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28873 "attempting to read the PUBEK");
28874 diff -urNp linux-2.6.39.3/drivers/char/ttyprintk.c linux-2.6.39.3/drivers/char/ttyprintk.c
28875 --- linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-19 00:06:34.000000000 -0400
28876 +++ linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-22 19:36:31.000000000 -0400
28877 @@ -170,7 +170,7 @@ static const struct tty_operations ttypr
28878 .ioctl = tpk_ioctl,
28879 };
28880
28881 -struct tty_port_operations null_ops = { };
28882 +const struct tty_port_operations null_ops = { };
28883
28884 static struct tty_driver *ttyprintk_driver;
28885
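Review bot: `null_ops` gains `const` but stays a global symbol with a very generic name. Unless another file references it (none is visible here), it should be `static const struct tty_port_operations null_ops = { };` to keep it out of the kernel's global namespace.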
28886 diff -urNp linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c
28887 --- linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-19 00:06:34.000000000 -0400
28888 +++ linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-22 19:36:31.000000000 -0400
28889 @@ -678,14 +678,14 @@ static int __devinit hwicap_setup(struct
28890 return retval;
28891 }
28892
28893 -static struct hwicap_driver_config buffer_icap_config = {
28894 +static const struct hwicap_driver_config buffer_icap_config = {
28895 .get_configuration = buffer_icap_get_configuration,
28896 .set_configuration = buffer_icap_set_configuration,
28897 .get_status = buffer_icap_get_status,
28898 .reset = buffer_icap_reset,
28899 };
28900
28901 -static struct hwicap_driver_config fifo_icap_config = {
28902 +static const struct hwicap_driver_config fifo_icap_config = {
28903 .get_configuration = fifo_icap_get_configuration,
28904 .set_configuration = fifo_icap_set_configuration,
28905 .get_status = fifo_icap_get_status,
28906 diff -urNp linux-2.6.39.3/drivers/crypto/hifn_795x.c linux-2.6.39.3/drivers/crypto/hifn_795x.c
28907 --- linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
28908 +++ linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
28909 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28910 0xCA, 0x34, 0x2B, 0x2E};
28911 struct scatterlist sg;
28912
28913 + pax_track_stack();
28914 +
28915 memset(src, 0, sizeof(src));
28916 memset(ctx.key, 0, sizeof(ctx.key));
28917
28918 diff -urNp linux-2.6.39.3/drivers/crypto/padlock-aes.c linux-2.6.39.3/drivers/crypto/padlock-aes.c
28919 --- linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-19 00:06:34.000000000 -0400
28920 +++ linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-22 19:36:31.000000000 -0400
28921 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
28922 struct crypto_aes_ctx gen_aes;
28923 int cpu;
28924
28925 + pax_track_stack();
28926 +
28927 if (key_len % 8) {
28928 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28929 return -EINVAL;
28930 diff -urNp linux-2.6.39.3/drivers/dca/dca-core.c linux-2.6.39.3/drivers/dca/dca-core.c
28931 --- linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-19 00:06:34.000000000 -0400
28932 +++ linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-22 19:36:31.000000000 -0400
28933 @@ -325,7 +325,7 @@ EXPORT_SYMBOL_GPL(dca_get_tag);
28934 * @ops - pointer to struct of dca operation function pointers
28935 * @priv_size - size of extra mem to be added for provider's needs
28936 */
28937 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size)
28938 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size)
28939 {
28940 struct dca_provider *dca;
28941 int alloc_size;
28942 diff -urNp linux-2.6.39.3/drivers/dma/ioat/dca.c linux-2.6.39.3/drivers/dma/ioat/dca.c
28943 --- linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-19 00:06:34.000000000 -0400
28944 +++ linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-22 19:36:31.000000000 -0400
28945 @@ -234,7 +234,7 @@ static int ioat_dca_dev_managed(struct d
28946 return 0;
28947 }
28948
28949 -static struct dca_ops ioat_dca_ops = {
28950 +static const struct dca_ops ioat_dca_ops = {
28951 .add_requester = ioat_dca_add_requester,
28952 .remove_requester = ioat_dca_remove_requester,
28953 .get_tag = ioat_dca_get_tag,
28954 @@ -384,7 +384,7 @@ static u8 ioat2_dca_get_tag(struct dca_p
28955 return tag;
28956 }
28957
28958 -static struct dca_ops ioat2_dca_ops = {
28959 +static const struct dca_ops ioat2_dca_ops = {
28960 .add_requester = ioat2_dca_add_requester,
28961 .remove_requester = ioat2_dca_remove_requester,
28962 .get_tag = ioat2_dca_get_tag,
28963 @@ -579,7 +579,7 @@ static u8 ioat3_dca_get_tag(struct dca_p
28964 return tag;
28965 }
28966
28967 -static struct dca_ops ioat3_dca_ops = {
28968 +static const struct dca_ops ioat3_dca_ops = {
28969 .add_requester = ioat3_dca_add_requester,
28970 .remove_requester = ioat3_dca_remove_requester,
28971 .get_tag = ioat3_dca_get_tag,
28972 diff -urNp linux-2.6.39.3/drivers/edac/amd64_edac.h linux-2.6.39.3/drivers/edac/amd64_edac.h
28973 --- linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-19 00:06:34.000000000 -0400
28974 +++ linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-22 19:36:31.000000000 -0400
28975 @@ -333,7 +333,7 @@ struct chip_select {
28976 };
28977
28978 struct amd64_pvt {
28979 - struct low_ops *ops;
28980 + const struct low_ops *ops;
28981
28982 /* pci_device handles which we utilize */
28983 struct pci_dev *F1, *F2, *F3;
28984 @@ -443,7 +443,7 @@ struct low_ops {
28985 struct amd64_family_type {
28986 const char *ctl_name;
28987 u16 f1_id, f3_id;
28988 - struct low_ops ops;
28989 + const struct low_ops ops;
28990 };
28991
28992 int __amd64_write_pci_cfg_dword(struct pci_dev *pdev, int offset,
28993 diff -urNp linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c
28994 --- linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-19 00:06:34.000000000 -0400
28995 +++ linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-22 19:36:31.000000000 -0400
28996 @@ -760,7 +760,7 @@ static void edac_inst_grp_release(struct
28997 }
28998
28999 /* Intermediate show/store table */
29000 -static struct sysfs_ops inst_grp_ops = {
29001 +static const struct sysfs_ops inst_grp_ops = {
29002 .show = inst_grp_show,
29003 .store = inst_grp_store
29004 };
29005 diff -urNp linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c
29006 --- linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-19 00:06:34.000000000 -0400
29007 +++ linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-22 19:36:31.000000000 -0400
29008 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
29009 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
29010 static int edac_pci_poll_msec = 1000; /* one second workq period */
29011
29012 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
29013 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
29014 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
29015 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
29016
29017 static struct kobject *edac_pci_top_main_kobj;
29018 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
29019 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
29020 edac_printk(KERN_CRIT, EDAC_PCI,
29021 "Signaled System Error on %s\n",
29022 pci_name(dev));
29023 - atomic_inc(&pci_nonparity_count);
29024 + atomic_inc_unchecked(&pci_nonparity_count);
29025 }
29026
29027 if (status & (PCI_STATUS_PARITY)) {
29028 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
29029 "Master Data Parity Error on %s\n",
29030 pci_name(dev));
29031
29032 - atomic_inc(&pci_parity_count);
29033 + atomic_inc_unchecked(&pci_parity_count);
29034 }
29035
29036 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29037 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
29038 "Detected Parity Error on %s\n",
29039 pci_name(dev));
29040
29041 - atomic_inc(&pci_parity_count);
29042 + atomic_inc_unchecked(&pci_parity_count);
29043 }
29044 }
29045
29046 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
29047 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
29048 "Signaled System Error on %s\n",
29049 pci_name(dev));
29050 - atomic_inc(&pci_nonparity_count);
29051 + atomic_inc_unchecked(&pci_nonparity_count);
29052 }
29053
29054 if (status & (PCI_STATUS_PARITY)) {
29055 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
29056 "Master Data Parity Error on "
29057 "%s\n", pci_name(dev));
29058
29059 - atomic_inc(&pci_parity_count);
29060 + atomic_inc_unchecked(&pci_parity_count);
29061 }
29062
29063 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29064 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
29065 "Detected Parity Error on %s\n",
29066 pci_name(dev));
29067
29068 - atomic_inc(&pci_parity_count);
29069 + atomic_inc_unchecked(&pci_parity_count);
29070 }
29071 }
29072 }
29073 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
29074 if (!check_pci_errors)
29075 return;
29076
29077 - before_count = atomic_read(&pci_parity_count);
29078 + before_count = atomic_read_unchecked(&pci_parity_count);
29079
29080 /* scan all PCI devices looking for a Parity Error on devices and
29081 * bridges.
29082 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
29083 /* Only if operator has selected panic on PCI Error */
29084 if (edac_pci_get_panic_on_pe()) {
29085 /* If the count is different 'after' from 'before' */
29086 - if (before_count != atomic_read(&pci_parity_count))
29087 + if (before_count != atomic_read_unchecked(&pci_parity_count))
29088 panic("EDAC: PCI Parity Error");
29089 }
29090 }
29091 diff -urNp linux-2.6.39.3/drivers/edac/i7core_edac.c linux-2.6.39.3/drivers/edac/i7core_edac.c
29092 --- linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-05-19 00:06:34.000000000 -0400
29093 +++ linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-07-06 20:00:14.000000000 -0400
29094 @@ -1670,7 +1670,7 @@ static void i7core_mce_output_error(stru
29095 char *type, *optype, *err, *msg;
29096 unsigned long error = m->status & 0x1ff0000l;
29097 u32 optypenum = (m->status >> 4) & 0x07;
29098 - u32 core_err_cnt = (m->status >> 38) && 0x7fff;
29099 + u32 core_err_cnt = (m->status >> 38) & 0x7fff;
29100 u32 dimm = (m->misc >> 16) & 0x3;
29101 u32 channel = (m->misc >> 18) & 0x3;
29102 u32 syndrome = m->misc >> 32;
29103 diff -urNp linux-2.6.39.3/drivers/firewire/core-cdev.c linux-2.6.39.3/drivers/firewire/core-cdev.c
29104 --- linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-19 00:06:34.000000000 -0400
29105 +++ linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-22 19:36:31.000000000 -0400
29106 @@ -1312,8 +1312,7 @@ static int init_iso_resource(struct clie
29107 int ret;
29108
29109 if ((request->channels == 0 && request->bandwidth == 0) ||
29110 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
29111 - request->bandwidth < 0)
29112 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
29113 return -EINVAL;
29114
29115 r = kmalloc(sizeof(*r), GFP_KERNEL);
29116 diff -urNp linux-2.6.39.3/drivers/firewire/core-transaction.c linux-2.6.39.3/drivers/firewire/core-transaction.c
29117 --- linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-19 00:06:34.000000000 -0400
29118 +++ linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-22 19:36:31.000000000 -0400
29119 @@ -36,6 +36,7 @@
29120 #include <linux/string.h>
29121 #include <linux/timer.h>
29122 #include <linux/types.h>
29123 +#include <linux/sched.h>
29124
29125 #include <asm/byteorder.h>
29126
29127 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
29128 struct transaction_callback_data d;
29129 struct fw_transaction t;
29130
29131 + pax_track_stack();
29132 +
29133 init_timer_on_stack(&t.split_timeout_timer);
29134 init_completion(&d.done);
29135 d.payload = payload;
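Review bot: The added `pax_track_stack();` call has no comment saying why this particular function needs it, and the reason is not evident from the call itself. Judging by the locals in the hunk (`struct fw_transaction t` and `struct transaction_callback_data d` both live on the stack), the intent is presumably to record the depth of a large frame; a short comment such as `/* large on-stack transaction state: record stack depth */` would say so. The call also depends on a no-op definition when the feature is configured out, which the hunk cannot show. The same applies to the call added to drm_crtc_helper_set_mode() further down; fw_run_transaction() continues outside the hunk.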
29136 diff -urNp linux-2.6.39.3/drivers/firmware/dmi_scan.c linux-2.6.39.3/drivers/firmware/dmi_scan.c
29137 --- linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-19 00:06:34.000000000 -0400
29138 +++ linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-22 19:36:31.000000000 -0400
29139 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
29140 }
29141 }
29142 else {
29143 - /*
29144 - * no iounmap() for that ioremap(); it would be a no-op, but
29145 - * it's so early in setup that sucker gets confused into doing
29146 - * what it shouldn't if we actually call it.
29147 - */
29148 p = dmi_ioremap(0xF0000, 0x10000);
29149 if (p == NULL)
29150 goto error;
29151 diff -urNp linux-2.6.39.3/drivers/gpio/vr41xx_giu.c linux-2.6.39.3/drivers/gpio/vr41xx_giu.c
29152 --- linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-19 00:06:34.000000000 -0400
29153 +++ linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-22 19:36:31.000000000 -0400
29154 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
29155 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
29156 maskl, pendl, maskh, pendh);
29157
29158 - atomic_inc(&irq_err_count);
29159 + atomic_inc_unchecked(&irq_err_count);
29160
29161 return -EINVAL;
29162 }
29163 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c
29164 --- linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-19 00:06:34.000000000 -0400
29165 +++ linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-22 19:36:31.000000000 -0400
29166 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
29167 struct drm_crtc *tmp;
29168 int crtc_mask = 1;
29169
29170 - WARN(!crtc, "checking null crtc?\n");
29171 + BUG_ON(!crtc);
29172
29173 dev = crtc->dev;
29174
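Review bot: Replacing the warning with `BUG_ON(!crtc)` does stop the NULL dereference on the following `dev = crtc->dev` line, but it does so by halting the kernel where the function could simply refuse. drm_encoder_crtc_ok() returns bool, so `if (WARN_ON(!crtc)) return false;` gives the same protection and keeps the diagnostic without turning a caller bug into a crash; whether every caller handles a false return sensibly is not visible here. The function body continues outside the hunk.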
29175 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
29176 struct drm_encoder *encoder;
29177 bool ret = true;
29178
29179 + pax_track_stack();
29180 +
29181 crtc->enabled = drm_helper_crtc_in_use(crtc);
29182 if (!crtc->enabled)
29183 return true;
29184 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_drv.c linux-2.6.39.3/drivers/gpu/drm/drm_drv.c
29185 --- linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-19 00:06:34.000000000 -0400
29186 +++ linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-22 19:36:31.000000000 -0400
29187 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
29188
29189 dev = file_priv->minor->dev;
29190 atomic_inc(&dev->ioctl_count);
29191 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29192 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29193 ++file_priv->ioctl_count;
29194
29195 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29196 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_fops.c linux-2.6.39.3/drivers/gpu/drm/drm_fops.c
29197 --- linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-19 00:06:34.000000000 -0400
29198 +++ linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-22 19:36:31.000000000 -0400
29199 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
29200 }
29201
29202 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29203 - atomic_set(&dev->counts[i], 0);
29204 + atomic_set_unchecked(&dev->counts[i], 0);
29205
29206 dev->sigdata.lock = NULL;
29207
29208 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
29209
29210 retcode = drm_open_helper(inode, filp, dev);
29211 if (!retcode) {
29212 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29213 - if (!dev->open_count++)
29214 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29215 + if (local_inc_return(&dev->open_count) == 1)
29216 retcode = drm_setup(dev);
29217 }
29218 if (!retcode) {
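Review bot: `local_inc_return(&dev->open_count)` uses the local_t API, which is designed for per-CPU counters and is atomic only with respect to the CPU it runs on, while open_count is a device-wide count. The conversion is therefore safe only if every access is serialized by a lock, and the hunks show two different ones: drm_release() holds drm_global_mutex around `local_dec_and_test()`, whereas the i915 and nouveau switcheroo hunks read the value under `dev->count_lock`; what drm_open() holds is outside this hunk. A comment at the field naming the lock that protects it, or an atomic type if no single lock covers all sites, would close the gap.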
29219 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
29220
29221 mutex_lock(&drm_global_mutex);
29222
29223 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29224 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29225
29226 if (dev->driver->preclose)
29227 dev->driver->preclose(dev, file_priv);
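Review bot: The format string still says `%d` while the argument is now `local_read(&dev->open_count)`, which yields a long on the stock local_t implementation, so conversion and argument no longer match on 64-bit builds. Use `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));` here and change the final `%d` of the three-argument DRM_DEBUG in the next hunk the same way. drm_release() starts and continues outside the hunk.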
29228 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
29229 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29230 task_pid_nr(current),
29231 (long)old_encode_dev(file_priv->minor->device),
29232 - dev->open_count);
29233 + local_read(&dev->open_count));
29234
29235 /* if the master has gone away we can't do anything with the lock */
29236 if (file_priv->minor->master)
29237 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
29238 * End inline drm_release
29239 */
29240
29241 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
29242 - if (!--dev->open_count) {
29243 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
29244 + if (local_dec_and_test(&dev->open_count)) {
29245 if (atomic_read(&dev->ioctl_count)) {
29246 DRM_ERROR("Device busy: %d\n",
29247 atomic_read(&dev->ioctl_count));
29248 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_global.c linux-2.6.39.3/drivers/gpu/drm/drm_global.c
29249 --- linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-19 00:06:34.000000000 -0400
29250 +++ linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-22 19:36:31.000000000 -0400
29251 @@ -36,7 +36,7 @@
29252 struct drm_global_item {
29253 struct mutex mutex;
29254 void *object;
29255 - int refcount;
29256 + atomic_t refcount;
29257 };
29258
29259 static struct drm_global_item glob[DRM_GLOBAL_NUM];
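Review bot: `refcount` becomes an atomic_t, yet its uses in drm_global_item_ref() and drm_global_item_unref() in the following hunks all sit inside `item->mutex`, so the type is not there for lock-free access and the struct should say what it is there for. Something like `atomic_t refcount; /* updated under mutex; atomic_t so that increments are overflow-checked */` would do, assuming overflow checking of atomic_t is indeed the motive, which the hunk itself does not state.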
29260 @@ -49,7 +49,7 @@ void drm_global_init(void)
29261 struct drm_global_item *item = &glob[i];
29262 mutex_init(&item->mutex);
29263 item->object = NULL;
29264 - item->refcount = 0;
29265 + atomic_set(&item->refcount, 0);
29266 }
29267 }
29268
29269 @@ -59,7 +59,7 @@ void drm_global_release(void)
29270 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
29271 struct drm_global_item *item = &glob[i];
29272 BUG_ON(item->object != NULL);
29273 - BUG_ON(item->refcount != 0);
29274 + BUG_ON(atomic_read(&item->refcount) != 0);
29275 }
29276 }
29277
29278 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
29279 void *object;
29280
29281 mutex_lock(&item->mutex);
29282 - if (item->refcount == 0) {
29283 + if (atomic_read(&item->refcount) == 0) {
29284 item->object = kzalloc(ref->size, GFP_KERNEL);
29285 if (unlikely(item->object == NULL)) {
29286 ret = -ENOMEM;
29287 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
29288 goto out_err;
29289
29290 }
29291 - ++item->refcount;
29292 + atomic_inc(&item->refcount);
29293 ref->object = item->object;
29294 object = item->object;
29295 mutex_unlock(&item->mutex);
29296 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
29297 struct drm_global_item *item = &glob[ref->global_type];
29298
29299 mutex_lock(&item->mutex);
29300 - BUG_ON(item->refcount == 0);
29301 + BUG_ON(atomic_read(&item->refcount) == 0);
29302 BUG_ON(ref->object != item->object);
29303 - if (--item->refcount == 0) {
29304 + if (atomic_dec_and_test(&item->refcount)) {
29305 ref->release(ref);
29306 item->object = NULL;
29307 }
29308 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_info.c linux-2.6.39.3/drivers/gpu/drm/drm_info.c
29309 --- linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-19 00:06:34.000000000 -0400
29310 +++ linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-22 19:41:37.000000000 -0400
29311 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
29312 struct drm_local_map *map;
29313 struct drm_map_list *r_list;
29314
29315 - /* Hardcoded from _DRM_FRAME_BUFFER,
29316 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
29317 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
29318 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
29319 + static const char * const types[] = {
29320 + [_DRM_FRAME_BUFFER] = "FB",
29321 + [_DRM_REGISTERS] = "REG",
29322 + [_DRM_SHM] = "SHM",
29323 + [_DRM_AGP] = "AGP",
29324 + [_DRM_SCATTER_GATHER] = "SG",
29325 + [_DRM_CONSISTENT] = "PCI",
29326 + [_DRM_GEM] = "GEM" };
29327 const char *type;
29328 int i;
29329
29330 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
29331 map = r_list->map;
29332 if (!map)
29333 continue;
29334 - if (map->type < 0 || map->type > 5)
29335 + if (map->type >= ARRAY_SIZE(types))
29336 type = "??";
29337 else
29338 type = types[map->type];
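Review bot: The new bound `map->type >= ARRAY_SIZE(types)` guards the index but not the entry: with designated initializers, any enumerator missing from the list leaves a NULL slot, and `type = types[map->type]` would then hand NULL to the print call. The seven values listed look dense, but that depends on the enum definition, which is not part of this patch section; `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` makes the fallback to "??" cover both cases. The dropped `map->type < 0` test is subsumed only because the comparison against ARRAY_SIZE() is carried out unsigned.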
29339 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
29340 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29341 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29342 vma->vm_flags & VM_IO ? 'i' : '-',
29343 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29344 + 0);
29345 +#else
29346 vma->vm_pgoff);
29347 +#endif
29348
29349 #if defined(__i386__)
29350 pgprot = pgprot_val(vma->vm_page_prot);
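Review bot: Under CONFIG_GRKERNSEC_HIDESYM the argument becomes a plain `0`, an int, while the other branch passes `vma->vm_pgoff`; if the matching conversion in the format string is a long one, which the type of vm_pgoff suggests but the hunk does not show, the two branches no longer pass the same type through the varargs call. Writing `0UL);` keeps them identical. The call and its format string start outside the hunk.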
29351 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c
29352 --- linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-19 00:06:34.000000000 -0400
29353 +++ linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-22 19:36:31.000000000 -0400
29354 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
29355 stats->data[i].value =
29356 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29357 else
29358 - stats->data[i].value = atomic_read(&dev->counts[i]);
29359 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29360 stats->data[i].type = dev->types[i];
29361 }
29362
29363 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_lock.c linux-2.6.39.3/drivers/gpu/drm/drm_lock.c
29364 --- linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-19 00:06:34.000000000 -0400
29365 +++ linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-22 19:36:31.000000000 -0400
29366 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
29367 if (drm_lock_take(&master->lock, lock->context)) {
29368 master->lock.file_priv = file_priv;
29369 master->lock.lock_time = jiffies;
29370 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29371 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29372 break; /* Got lock */
29373 }
29374
29375 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
29376 return -EINVAL;
29377 }
29378
29379 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29380 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29381
29382 if (drm_lock_free(&master->lock, lock->context)) {
29383 /* FIXME: Should really bail out here. */
29384 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c
29385 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-19 00:06:34.000000000 -0400
29386 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-22 19:36:31.000000000 -0400
29387 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
29388 dma->buflist[vertex->idx],
29389 vertex->discard, vertex->used);
29390
29391 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29392 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29393 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29394 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29395 sarea_priv->last_enqueue = dev_priv->counter - 1;
29396 sarea_priv->last_dispatch = (int)hw_status[5];
29397
29398 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
29399 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29400 mc->last_render);
29401
29402 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29403 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29404 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29405 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29406 sarea_priv->last_enqueue = dev_priv->counter - 1;
29407 sarea_priv->last_dispatch = (int)hw_status[5];
29408
29409 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h
29410 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-19 00:06:34.000000000 -0400
29411 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-22 19:36:31.000000000 -0400
29412 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29413 int page_flipping;
29414
29415 wait_queue_head_t irq_queue;
29416 - atomic_t irq_received;
29417 - atomic_t irq_emitted;
29418 + atomic_unchecked_t irq_received;
29419 + atomic_unchecked_t irq_emitted;
29420
29421 int front_offset;
29422 } drm_i810_private_t;
29423 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c
29424 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-19 00:06:34.000000000 -0400
29425 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-22 19:36:31.000000000 -0400
29426 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
29427 }
29428 }
29429
29430 -struct intel_dvo_dev_ops ch7017_ops = {
29431 +const struct intel_dvo_dev_ops ch7017_ops = {
29432 .init = ch7017_init,
29433 .detect = ch7017_detect,
29434 .mode_valid = ch7017_mode_valid,
29435 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c
29436 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-19 00:06:34.000000000 -0400
29437 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-22 19:36:31.000000000 -0400
29438 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
29439 }
29440 }
29441
29442 -struct intel_dvo_dev_ops ch7xxx_ops = {
29443 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29444 .init = ch7xxx_init,
29445 .detect = ch7xxx_detect,
29446 .mode_valid = ch7xxx_mode_valid,
29447 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h
29448 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-19 00:06:34.000000000 -0400
29449 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-22 19:36:31.000000000 -0400
29450 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
29451 *
29452 * \return singly-linked list of modes or NULL if no modes found.
29453 */
29454 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29455 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29456
29457 /**
29458 * Clean up driver-specific bits of the output
29459 */
29460 - void (*destroy) (struct intel_dvo_device *dvo);
29461 + void (* const destroy) (struct intel_dvo_device *dvo);
29462
29463 /**
29464 * Debugging hook to dump device registers to log file
29465 */
29466 - void (*dump_regs)(struct intel_dvo_device *dvo);
29467 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29468 };
29469
29470 -extern struct intel_dvo_dev_ops sil164_ops;
29471 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29472 -extern struct intel_dvo_dev_ops ivch_ops;
29473 -extern struct intel_dvo_dev_ops tfp410_ops;
29474 -extern struct intel_dvo_dev_ops ch7017_ops;
29475 +extern const struct intel_dvo_dev_ops sil164_ops;
29476 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29477 +extern const struct intel_dvo_dev_ops ivch_ops;
29478 +extern const struct intel_dvo_dev_ops tfp410_ops;
29479 +extern const struct intel_dvo_dev_ops ch7017_ops;
29480
29481 #endif /* _INTEL_DVO_H */
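Review bot: Only `get_modes`, `destroy` and `dump_regs` gain `* const`; this is the only hunk for dvo.h in the patch as shown, so the members declared before line 122 keep plain function-pointer types and the struct ends up half-qualified. Every instance is already declared `const struct intel_dvo_dev_ops` by the extern lines in this hunk and by the definitions in the dvo_*.c files, so either qualify all members or none to keep the header consistent.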
29482 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c
29483 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-19 00:06:34.000000000 -0400
29484 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-22 19:36:31.000000000 -0400
29485 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
29486 }
29487 }
29488
29489 -struct intel_dvo_dev_ops ivch_ops= {
29490 +const struct intel_dvo_dev_ops ivch_ops= {
29491 .init = ivch_init,
29492 .dpms = ivch_dpms,
29493 .mode_valid = ivch_mode_valid,
29494 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c
29495 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-19 00:06:34.000000000 -0400
29496 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-22 19:36:31.000000000 -0400
29497 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
29498 }
29499 }
29500
29501 -struct intel_dvo_dev_ops sil164_ops = {
29502 +const struct intel_dvo_dev_ops sil164_ops = {
29503 .init = sil164_init,
29504 .detect = sil164_detect,
29505 .mode_valid = sil164_mode_valid,
29506 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c
29507 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-19 00:06:34.000000000 -0400
29508 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-22 19:36:31.000000000 -0400
29509 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
29510 }
29511 }
29512
29513 -struct intel_dvo_dev_ops tfp410_ops = {
29514 +const struct intel_dvo_dev_ops tfp410_ops = {
29515 .init = tfp410_init,
29516 .detect = tfp410_detect,
29517 .mode_valid = tfp410_mode_valid,
29518 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c
29519 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-19 00:06:34.000000000 -0400
29520 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-22 19:36:31.000000000 -0400
29521 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
29522 I915_READ(GTIMR));
29523 }
29524 seq_printf(m, "Interrupts received: %d\n",
29525 - atomic_read(&dev_priv->irq_received));
29526 + atomic_read_unchecked(&dev_priv->irq_received));
29527 for (i = 0; i < I915_NUM_RINGS; i++) {
29528 if (IS_GEN6(dev)) {
29529 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
29530 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c
29531 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-19 00:06:34.000000000 -0400
29532 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-22 19:36:31.000000000 -0400
29533 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
29534 bool can_switch;
29535
29536 spin_lock(&dev->count_lock);
29537 - can_switch = (dev->open_count == 0);
29538 + can_switch = (local_read(&dev->open_count) == 0);
29539 spin_unlock(&dev->count_lock);
29540 return can_switch;
29541 }
29542 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c
29543 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-19 00:06:34.000000000 -0400
29544 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-22 19:36:31.000000000 -0400
29545 @@ -679,7 +679,7 @@ static const struct dev_pm_ops i915_pm_o
29546 .restore = i915_pm_resume,
29547 };
29548
29549 -static struct vm_operations_struct i915_gem_vm_ops = {
29550 +static const struct vm_operations_struct i915_gem_vm_ops = {
29551 .fault = i915_gem_fault,
29552 .open = drm_gem_vm_open,
29553 .close = drm_gem_vm_close,
29554 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h
29555 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-19 00:06:34.000000000 -0400
29556 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-22 19:36:31.000000000 -0400
29557 @@ -287,7 +287,7 @@ typedef struct drm_i915_private {
29558 int current_page;
29559 int page_flipping;
29560
29561 - atomic_t irq_received;
29562 + atomic_unchecked_t irq_received;
29563
29564 /* protects the irq masks */
29565 spinlock_t irq_lock;
29566 @@ -848,7 +848,7 @@ struct drm_i915_gem_object {
29567 * will be page flipped away on the next vblank. When it
29568 * reaches 0, dev_priv->pending_flip_queue will be woken up.
29569 */
29570 - atomic_t pending_flip;
29571 + atomic_unchecked_t pending_flip;
29572 };
29573
29574 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
29575 @@ -1232,7 +1232,7 @@ extern int intel_setup_gmbus(struct drm_
29576 extern void intel_teardown_gmbus(struct drm_device *dev);
29577 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
29578 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
29579 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29580 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29581 {
29582 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
29583 }
29584 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c
29585 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-19 00:06:34.000000000 -0400
29586 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-22 19:36:31.000000000 -0400
29587 @@ -192,7 +192,7 @@ i915_gem_object_set_to_gpu_domain(struct
29588 i915_gem_release_mmap(obj);
29589
29590 if (obj->base.pending_write_domain)
29591 - cd->flips |= atomic_read(&obj->pending_flip);
29592 + cd->flips |= atomic_read_unchecked(&obj->pending_flip);
29593
29594 /* The actual obj->write_domain will be updated with
29595 * pending_write_domain after we emit the accumulated flush for all
29596 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c
29597 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:18:51.000000000 -0400
29598 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:19:18.000000000 -0400
29599 @@ -1101,7 +1101,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29600 int ret = IRQ_NONE, pipe;
29601 bool blc_event = false;
29602
29603 - atomic_inc(&dev_priv->irq_received);
29604 + atomic_inc_unchecked(&dev_priv->irq_received);
29605
29606 if (HAS_PCH_SPLIT(dev))
29607 return ironlake_irq_handler(dev);
29608 @@ -1666,7 +1666,7 @@ void i915_driver_irq_preinstall(struct d
29609 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29610 int pipe;
29611
29612 - atomic_set(&dev_priv->irq_received, 0);
29613 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29614
29615 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29616 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29617 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c
29618 --- linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-19 00:06:34.000000000 -0400
29619 +++ linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-22 19:36:31.000000000 -0400
29620 @@ -2244,7 +2244,7 @@ intel_pipe_set_base(struct drm_crtc *crt
29621
29622 wait_event(dev_priv->pending_flip_queue,
29623 atomic_read(&dev_priv->mm.wedged) ||
29624 - atomic_read(&obj->pending_flip) == 0);
29625 + atomic_read_unchecked(&obj->pending_flip) == 0);
29626
29627 /* Big Hammer, we also need to ensure that any pending
29628 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
29629 @@ -2712,7 +2712,7 @@ static void intel_crtc_wait_for_pending_
29630 obj = to_intel_framebuffer(crtc->fb)->obj;
29631 dev_priv = crtc->dev->dev_private;
29632 wait_event(dev_priv->pending_flip_queue,
29633 - atomic_read(&obj->pending_flip) == 0);
29634 + atomic_read_unchecked(&obj->pending_flip) == 0);
29635 }
29636
29637 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
29638 @@ -6016,7 +6016,7 @@ static void do_intel_finish_page_flip(st
29639
29640 atomic_clear_mask(1 << intel_crtc->plane,
29641 &obj->pending_flip.counter);
29642 - if (atomic_read(&obj->pending_flip) == 0)
29643 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
29644 wake_up(&dev_priv->pending_flip_queue);
29645
29646 schedule_work(&work->work);
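Review bot: The context line `&obj->pending_flip.counter` reaches into a member of what the i915_drv.h hunk now declares as atomic_unchecked_t, so this call compiles only while that type keeps a field named `counter` of the type atomic_clear_mask() expects. pending_flip is also used here as a per-plane bitmask (`1 << intel_crtc->plane`) rather than a count, which is presumably why it is exempted from overflow checking; a comment at the field, e.g. `/* bitmask of planes with a flip pending, not a count */`, would record that. do_intel_finish_page_flip() starts and continues outside the hunk.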
29647 @@ -6145,7 +6145,7 @@ static int intel_crtc_page_flip(struct d
29648 /* Block clients from rendering to the new back buffer until
29649 * the flip occurs and the object is no longer visible.
29650 */
29651 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29652 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29653
29654 switch (INTEL_INFO(dev)->gen) {
29655 case 2:
29656 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h
29657 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-19 00:06:34.000000000 -0400
29658 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-22 19:36:31.000000000 -0400
29659 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29660 u32 clear_cmd;
29661 u32 maccess;
29662
29663 - atomic_t vbl_received; /**< Number of vblanks received. */
29664 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29665 wait_queue_head_t fence_queue;
29666 - atomic_t last_fence_retired;
29667 + atomic_unchecked_t last_fence_retired;
29668 u32 next_fence_to_post;
29669
29670 unsigned int fb_cpp;
29671 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c
29672 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-19 00:06:34.000000000 -0400
29673 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-22 19:36:31.000000000 -0400
29674 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29675 if (crtc != 0)
29676 return 0;
29677
29678 - return atomic_read(&dev_priv->vbl_received);
29679 + return atomic_read_unchecked(&dev_priv->vbl_received);
29680 }
29681
29682
29683 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29684 /* VBLANK interrupt */
29685 if (status & MGA_VLINEPEN) {
29686 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29687 - atomic_inc(&dev_priv->vbl_received);
29688 + atomic_inc_unchecked(&dev_priv->vbl_received);
29689 drm_handle_vblank(dev, 0);
29690 handled = 1;
29691 }
29692 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29693 if ((prim_start & ~0x03) != (prim_end & ~0x03))
29694 MGA_WRITE(MGA_PRIMEND, prim_end);
29695
29696 - atomic_inc(&dev_priv->last_fence_retired);
29697 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29698 DRM_WAKEUP(&dev_priv->fence_queue);
29699 handled = 1;
29700 }
29701 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
29702 * using fences.
29703 */
29704 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29705 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29706 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29707 - *sequence) <= (1 << 23)));
29708
29709 *sequence = cur_fence;
29710 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c
29711 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-19 00:06:34.000000000 -0400
29712 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-22 19:36:31.000000000 -0400
29713 @@ -141,7 +141,7 @@ static int nouveau_dsm_get_client_id(str
29714 return VGA_SWITCHEROO_DIS;
29715 }
29716
29717 -static struct vga_switcheroo_handler nouveau_dsm_handler = {
29718 +static const struct vga_switcheroo_handler nouveau_dsm_handler = {
29719 .switchto = nouveau_dsm_switchto,
29720 .power_state = nouveau_dsm_power_state,
29721 .init = nouveau_dsm_init,
29722 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h
29723 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-05-19 00:06:34.000000000 -0400
29724 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-06-07 18:07:24.000000000 -0400
29725 @@ -228,7 +228,7 @@ struct nouveau_channel {
29726 struct list_head pending;
29727 uint32_t sequence;
29728 uint32_t sequence_ack;
29729 - atomic_t last_sequence_irq;
29730 + atomic_unchecked_t last_sequence_irq;
29731 } fence;
29732
29733 /* DMA push buffer */
29734 @@ -662,7 +662,7 @@ struct drm_nouveau_private {
29735 struct drm_global_reference mem_global_ref;
29736 struct ttm_bo_global_ref bo_global_ref;
29737 struct ttm_bo_device bdev;
29738 - atomic_t validate_sequence;
29739 + atomic_unchecked_t validate_sequence;
29740 } ttm;
29741
29742 struct {
29743 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c
29744 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-19 00:06:34.000000000 -0400
29745 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-22 19:36:31.000000000 -0400
29746 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
29747 if (USE_REFCNT(dev))
29748 sequence = nvchan_rd32(chan, 0x48);
29749 else
29750 - sequence = atomic_read(&chan->fence.last_sequence_irq);
29751 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
29752
29753 if (chan->fence.sequence_ack == sequence)
29754 goto out;
29755 @@ -553,7 +553,7 @@ nouveau_fence_channel_init(struct nouvea
29756 out_initialised:
29757 INIT_LIST_HEAD(&chan->fence.pending);
29758 spin_lock_init(&chan->fence.lock);
29759 - atomic_set(&chan->fence.last_sequence_irq, 0);
29760 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
29761 return 0;
29762 }
29763
29764 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c
29765 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-19 00:06:34.000000000 -0400
29766 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-22 19:36:31.000000000 -0400
29767 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
29768 int trycnt = 0;
29769 int ret, i;
29770
29771 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
29772 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
29773 retry:
29774 if (++trycnt > 100000) {
29775 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
29776 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c
29777 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-19 00:06:34.000000000 -0400
29778 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-22 19:36:31.000000000 -0400
29779 @@ -583,7 +583,7 @@ static bool nouveau_switcheroo_can_switc
29780 bool can_switch;
29781
29782 spin_lock(&dev->count_lock);
29783 - can_switch = (dev->open_count == 0);
29784 + can_switch = (local_read(&dev->open_count) == 0);
29785 spin_unlock(&dev->count_lock);
29786 return can_switch;
29787 }
29788 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c
29789 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-19 00:06:34.000000000 -0400
29790 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-22 19:36:31.000000000 -0400
29791 @@ -552,7 +552,7 @@ static int
29792 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
29793 u32 class, u32 mthd, u32 data)
29794 {
29795 - atomic_set(&chan->fence.last_sequence_irq, data);
29796 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
29797 return 0;
29798 }
29799
29800 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c
29801 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-19 00:06:34.000000000 -0400
29802 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-22 19:36:31.000000000 -0400
29803 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29804
29805 /* GH: Simple idle check.
29806 */
29807 - atomic_set(&dev_priv->idle_count, 0);
29808 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29809
29810 /* We don't support anything other than bus-mastering ring mode,
29811 * but the ring can be in either AGP or PCI space for the ring
29812 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h
29813 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-19 00:06:34.000000000 -0400
29814 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-22 19:36:31.000000000 -0400
29815 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29816 int is_pci;
29817 unsigned long cce_buffers_offset;
29818
29819 - atomic_t idle_count;
29820 + atomic_unchecked_t idle_count;
29821
29822 int page_flipping;
29823 int current_page;
29824 u32 crtc_offset;
29825 u32 crtc_offset_cntl;
29826
29827 - atomic_t vbl_received;
29828 + atomic_unchecked_t vbl_received;
29829
29830 u32 color_fmt;
29831 unsigned int front_offset;
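Review bot: `idle_count` and `vbl_received` are switched to `atomic_unchecked_t` with no comment saying why overflow detection can be dropped for them. A short note on each field, e.g. `/* event counter, wraps by design; not a reference count */`, would let a later reader confirm that no object lifetime depends on the value. The same applies to the other declarations converted in this part of the patch: `swi_emitted` in radeon_drv.h, `seq` in radeon.h, `irq_received` and `vbl_received` in via_drv.h, `fence_seq` in vmwgfx_drv.h, `interrupt_handled` in sht15.c, and the function-local statics in ttm_page_alloc.c and hid-core.c.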
29832 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c
29833 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-19 00:06:34.000000000 -0400
29834 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-22 19:36:31.000000000 -0400
29835 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29836 if (crtc != 0)
29837 return 0;
29838
29839 - return atomic_read(&dev_priv->vbl_received);
29840 + return atomic_read_unchecked(&dev_priv->vbl_received);
29841 }
29842
29843 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29844 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29845 /* VBLANK interrupt */
29846 if (status & R128_CRTC_VBLANK_INT) {
29847 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29848 - atomic_inc(&dev_priv->vbl_received);
29849 + atomic_inc_unchecked(&dev_priv->vbl_received);
29850 drm_handle_vblank(dev, 0);
29851 return IRQ_HANDLED;
29852 }
29853 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c
29854 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-19 00:06:34.000000000 -0400
29855 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-22 19:36:31.000000000 -0400
29856 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
29857
29858 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
29859 {
29860 - if (atomic_read(&dev_priv->idle_count) == 0)
29861 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
29862 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29863 else
29864 - atomic_set(&dev_priv->idle_count, 0);
29865 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29866 }
29867
29868 #endif
29869 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c
29870 --- linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-19 00:06:34.000000000 -0400
29871 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-22 19:36:31.000000000 -0400
29872 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
29873 char name[512];
29874 int i;
29875
29876 + pax_track_stack();
29877 +
29878 ctx->card = card;
29879 ctx->bios = bios;
29880
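Review bot: The added `pax_track_stack();` carries no comment saying why this function needs it; judging from `char name[512]` just above, it is presumably there because of the large stack frame. A comment such as `/* large frame (name[512]): record stack depth for stack sanitising */` would stop the call from being removed as dead code. The same call is added without explanation in radeon_atombios.c and radeon_display.c, where the large locals are only partly visible. atom_parse's body continues outside the hunk.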
29881 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c
29882 --- linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-19 00:06:34.000000000 -0400
29883 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-22 19:36:31.000000000 -0400
29884 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29885 regex_t mask_rex;
29886 regmatch_t match[4];
29887 char buf[1024];
29888 - size_t end;
29889 + long end;
29890 int len;
29891 int done = 0;
29892 int r;
29893 unsigned o;
29894 struct offset *offset;
29895 char last_reg_s[10];
29896 - int last_reg;
29897 + unsigned long last_reg;
29898
29899 if (regcomp
29900 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
29901 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c
29902 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-19 00:06:34.000000000 -0400
29903 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-22 19:36:31.000000000 -0400
29904 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
29905 struct radeon_gpio_rec gpio;
29906 struct radeon_hpd hpd;
29907
29908 + pax_track_stack();
29909 +
29910 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
29911 return false;
29912
29913 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c
29914 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-19 00:06:34.000000000 -0400
29915 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-22 19:36:31.000000000 -0400
29916 @@ -234,7 +234,7 @@ static int radeon_atpx_get_client_id(str
29917 return VGA_SWITCHEROO_DIS;
29918 }
29919
29920 -static struct vga_switcheroo_handler radeon_atpx_handler = {
29921 +static const struct vga_switcheroo_handler radeon_atpx_handler = {
29922 .switchto = radeon_atpx_switchto,
29923 .power_state = radeon_atpx_power_state,
29924 .init = radeon_atpx_init,
29925 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c
29926 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 12:55:22.000000000 -0400
29927 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 13:00:25.000000000 -0400
29928 @@ -674,7 +674,7 @@ static bool radeon_switcheroo_can_switch
29929 bool can_switch;
29930
29931 spin_lock(&dev->count_lock);
29932 - can_switch = (dev->open_count == 0);
29933 + can_switch = (local_read(&dev->open_count) == 0);
29934 spin_unlock(&dev->count_lock);
29935 return can_switch;
29936 }
29937 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c
29938 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-19 00:06:34.000000000 -0400
29939 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-22 19:36:31.000000000 -0400
29940 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
29941 uint32_t post_div;
29942 u32 pll_out_min, pll_out_max;
29943
29944 + pax_track_stack();
29945 +
29946 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
29947 freq = freq * 1000;
29948
29949 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h
29950 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-19 00:06:34.000000000 -0400
29951 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-22 19:36:31.000000000 -0400
29952 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
29953
29954 /* SW interrupt */
29955 wait_queue_head_t swi_queue;
29956 - atomic_t swi_emitted;
29957 + atomic_unchecked_t swi_emitted;
29958 int vblank_crtc;
29959 uint32_t irq_enable_reg;
29960 uint32_t r500_disp_irq_reg;
29961 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c
29962 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-19 00:06:34.000000000 -0400
29963 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-22 19:36:31.000000000 -0400
29964 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
29965 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29966 return 0;
29967 }
29968 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29969 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29970 if (!rdev->cp.ready) {
29971 /* FIXME: cp is not running assume everythings is done right
29972 * away
29973 @@ -352,7 +352,7 @@ int radeon_fence_driver_init(struct rade
29974 return r;
29975 }
29976 WREG32(rdev->fence_drv.scratch_reg, 0);
29977 - atomic_set(&rdev->fence_drv.seq, 0);
29978 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29979 INIT_LIST_HEAD(&rdev->fence_drv.created);
29980 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29981 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29982 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h
29983 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-19 00:06:34.000000000 -0400
29984 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-22 19:36:31.000000000 -0400
29985 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
29986 */
29987 struct radeon_fence_driver {
29988 uint32_t scratch_reg;
29989 - atomic_t seq;
29990 + atomic_unchecked_t seq;
29991 uint32_t last_seq;
29992 unsigned long last_jiffies;
29993 unsigned long last_timeout;
29994 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c
29995 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-19 00:06:34.000000000 -0400
29996 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-22 19:36:31.000000000 -0400
29997 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
29998 request = compat_alloc_user_space(sizeof(*request));
29999 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
30000 || __put_user(req32.param, &request->param)
30001 - || __put_user((void __user *)(unsigned long)req32.value,
30002 + || __put_user((unsigned long)req32.value,
30003 &request->value))
30004 return -EFAULT;
30005
30006 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c
30007 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-19 00:06:34.000000000 -0400
30008 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-22 19:36:31.000000000 -0400
30009 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
30010 unsigned int ret;
30011 RING_LOCALS;
30012
30013 - atomic_inc(&dev_priv->swi_emitted);
30014 - ret = atomic_read(&dev_priv->swi_emitted);
30015 + atomic_inc_unchecked(&dev_priv->swi_emitted);
30016 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
30017
30018 BEGIN_RING(4);
30019 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
30020 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
30021 drm_radeon_private_t *dev_priv =
30022 (drm_radeon_private_t *) dev->dev_private;
30023
30024 - atomic_set(&dev_priv->swi_emitted, 0);
30025 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
30026 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
30027
30028 dev->max_vblank_count = 0x001fffff;
30029 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c
30030 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-19 00:06:34.000000000 -0400
30031 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-22 19:36:31.000000000 -0400
30032 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
30033 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
30034 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
30035
30036 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30037 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30038 sarea_priv->nbox * sizeof(depth_boxes[0])))
30039 return -EFAULT;
30040
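Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test reads the field once, and the size argument `sarea_priv->nbox * sizeof(depth_boxes[0])` on the next line reads it again, so a concurrent change between the two reads still yields an oversized copy into `depth_boxes`. That matters if `sarea_priv` points into memory the client can write, as the re-check after the clamp suggests. Taking a single snapshot closes the window: `nbox = sarea_priv->nbox;` into a local of the field's type, then test `nbox` and pass `nbox * sizeof(depth_boxes[0])` to `DRM_COPY_FROM_USER`. Returning `-EINVAL` rather than `-EFAULT` for the out-of-range case would also distinguish it from a faulting user pointer. radeon_cp_clear's body continues outside the hunk, so later uses of `sarea_priv->nbox` should be checked for the same pattern.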
30041 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
30042 {
30043 drm_radeon_private_t *dev_priv = dev->dev_private;
30044 drm_radeon_getparam_t *param = data;
30045 - int value;
30046 + int value = 0;
30047
30048 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
30049
30050 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c
30051 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-19 00:06:34.000000000 -0400
30052 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-22 19:36:31.000000000 -0400
30053 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
30054 man->size = size >> PAGE_SHIFT;
30055 }
30056
30057 -static struct vm_operations_struct radeon_ttm_vm_ops;
30058 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
30059 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
30060 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
30061 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
30062
30063 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30064 {
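Review bot: The three `extern` prototypes are declared locally in radeon_ttm.c rather than in a TTM header, so the compiler cannot check them against the definitions in ttm_bo_vm.c. A later signature change there would still compile and only fail at run time. Moving the declarations into the header that ttm_bo_vm.c itself includes keeps both sides in step. radeon_ttm_fault's body continues in the next hunk.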
30065 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
30066 struct radeon_device *rdev;
30067 int r;
30068
30069 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
30070 - if (bo == NULL) {
30071 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
30072 + if (!bo)
30073 return VM_FAULT_NOPAGE;
30074 - }
30075 rdev = radeon_get_rdev(bo->bdev);
30076 mutex_lock(&rdev->vram_mutex);
30077 - r = ttm_vm_ops->fault(vma, vmf);
30078 + r = ttm_bo_vm_fault(vma, vmf);
30079 mutex_unlock(&rdev->vram_mutex);
30080 return r;
30081 }
30082
30083 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
30084 + .fault = radeon_ttm_fault,
30085 + .open = ttm_bo_vm_open,
30086 + .close = ttm_bo_vm_close
30087 +};
30088 +
30089 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
30090 {
30091 struct drm_file *file_priv;
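Review bot: `radeon_ttm_vm_ops` now lists `.fault`, `.open` and `.close` by hand, where the code removed from `radeon_mmap` in the next hunk copied whatever table `ttm_bo_mmap()` had installed. Any callback TTM later adds to its own table will therefore be silently missing here. A comment on the table, e.g. `/* keep in sync with ttm_bo_vm_ops; only .fault differs */`, would flag the coupling. As a style point, `.close = ttm_bo_vm_close` should end with a trailing comma like the two initialisers above it.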
30092 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
30093
30094 file_priv = filp->private_data;
30095 rdev = file_priv->minor->dev->dev_private;
30096 - if (rdev == NULL) {
30097 + if (!rdev)
30098 return -EINVAL;
30099 - }
30100 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30101 - if (unlikely(r != 0)) {
30102 + if (r)
30103 return r;
30104 - }
30105 - if (unlikely(ttm_vm_ops == NULL)) {
30106 - ttm_vm_ops = vma->vm_ops;
30107 - radeon_ttm_vm_ops = *ttm_vm_ops;
30108 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
30109 - }
30110 vma->vm_ops = &radeon_ttm_vm_ops;
30111 return 0;
30112 }
30113 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c
30114 --- linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-19 00:06:34.000000000 -0400
30115 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-22 19:36:31.000000000 -0400
30116 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
30117 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
30118 rdev->pm.sideport_bandwidth.full)
30119 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
30120 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
30121 + read_delay_latency.full = dfixed_const(800 * 1000);
30122 read_delay_latency.full = dfixed_div(read_delay_latency,
30123 rdev->pm.igp_sideport_mclk);
30124 + a.full = dfixed_const(370);
30125 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
30126 } else {
30127 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
30128 rdev->pm.k8_bandwidth.full)
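Review bot: The split of `370 * 800 * 1000` into a divide followed by `dfixed_mul(read_delay_latency, a)` is left unexplained, and it overwrites the scratch variable `a`, whose declaration and other uses are outside the hunk. Presumably the original constant no longer fits once `dfixed_const()` scales it. A comment such as `/* 370 * 800 * 1000 overflows dfixed_const(); multiply by 370 after the divide */` would keep a later cleanup from folding the constants back together. It is also worth confirming that nothing later in this branch reads `a` expecting an earlier value.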
30129 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c
30130 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-19 00:06:34.000000000 -0400
30131 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-22 19:36:31.000000000 -0400
30132 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
30133 return best_bo;
30134 }
30135
30136 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30137 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30138 {
30139 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
30140 vma->vm_private_data;
30141 - struct ttm_bo_device *bdev = bo->bdev;
30142 + struct ttm_bo_device *bdev;
30143 unsigned long page_offset;
30144 unsigned long page_last;
30145 unsigned long pfn;
30146 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
30147 int i;
30148 unsigned long address = (unsigned long)vmf->virtual_address;
30149 int retval = VM_FAULT_NOPAGE;
30150 - struct ttm_mem_type_manager *man =
30151 - &bdev->man[bo->mem.mem_type];
30152 + struct ttm_mem_type_manager *man;
30153 +
30154 + if (!bo)
30155 + return VM_FAULT_NOPAGE;
30156 + bdev = bo->bdev;
30157 + man = &bdev->man[bo->mem.mem_type];
30158
30159 /*
30160 * Work around locking order reversal in fault / nopfn
30161 @@ -219,22 +223,25 @@ out_unlock:
30162 ttm_bo_unreserve(bo);
30163 return retval;
30164 }
30165 +EXPORT_SYMBOL(ttm_bo_vm_fault);
30166
30167 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
30168 +void ttm_bo_vm_open(struct vm_area_struct *vma)
30169 {
30170 struct ttm_buffer_object *bo =
30171 (struct ttm_buffer_object *)vma->vm_private_data;
30172
30173 (void)ttm_bo_reference(bo);
30174 }
30175 +EXPORT_SYMBOL(ttm_bo_vm_open);
30176
30177 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
30178 +void ttm_bo_vm_close(struct vm_area_struct *vma)
30179 {
30180 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
30181
30182 ttm_bo_unref(&bo);
30183 vma->vm_private_data = NULL;
30184 }
30185 +EXPORT_SYMBOL(ttm_bo_vm_close);
30186
30187 static const struct vm_operations_struct ttm_bo_vm_ops = {
30188 .fault = ttm_bo_vm_fault,
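Review bot: The three `EXPORT_SYMBOL` lines make `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` callable from any module, yet none of them gains a comment stating its contract. `ttm_bo_vm_open` passes `vma->vm_private_data` to `ttm_bo_reference()` unchecked, while `ttm_bo_vm_close` stores NULL in that field and the fault path in the previous hunk now tests for it. A kernel-doc block on each function should state whether a NULL buffer object is tolerated and which locks the caller must hold. If only in-tree GPL drivers are meant to use them, `EXPORT_SYMBOL_GPL` would narrow the exposure. The `ttm_bo_vm_ops` initialiser at the end of the hunk is cut off.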
30189 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c
30190 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-19 00:06:34.000000000 -0400
30191 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-22 19:36:31.000000000 -0400
30192 @@ -397,9 +397,9 @@ static int ttm_pool_get_num_unused_pages
30193 */
30194 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
30195 {
30196 - static atomic_t start_pool = ATOMIC_INIT(0);
30197 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
30198 unsigned i;
30199 - unsigned pool_offset = atomic_add_return(1, &start_pool);
30200 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
30201 struct ttm_page_pool *pool;
30202
30203 pool_offset = pool_offset % NUM_POOLS;
30204 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h
30205 --- linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-19 00:06:34.000000000 -0400
30206 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-22 19:36:31.000000000 -0400
30207 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
30208 typedef uint32_t maskarray_t[5];
30209
30210 typedef struct drm_via_irq {
30211 - atomic_t irq_received;
30212 + atomic_unchecked_t irq_received;
30213 uint32_t pending_mask;
30214 uint32_t enable_mask;
30215 wait_queue_head_t irq_queue;
30216 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
30217 struct timeval last_vblank;
30218 int last_vblank_valid;
30219 unsigned usec_per_vblank;
30220 - atomic_t vbl_received;
30221 + atomic_unchecked_t vbl_received;
30222 drm_via_state_t hc_state;
30223 char pci_buf[VIA_PCI_BUF_SIZE];
30224 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
30225 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c
30226 --- linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-19 00:06:34.000000000 -0400
30227 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-22 19:36:31.000000000 -0400
30228 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
30229 if (crtc != 0)
30230 return 0;
30231
30232 - return atomic_read(&dev_priv->vbl_received);
30233 + return atomic_read_unchecked(&dev_priv->vbl_received);
30234 }
30235
30236 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
30237 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
30238
30239 status = VIA_READ(VIA_REG_INTERRUPT);
30240 if (status & VIA_IRQ_VBLANK_PENDING) {
30241 - atomic_inc(&dev_priv->vbl_received);
30242 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
30243 + atomic_inc_unchecked(&dev_priv->vbl_received);
30244 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
30245 do_gettimeofday(&cur_vblank);
30246 if (dev_priv->last_vblank_valid) {
30247 dev_priv->usec_per_vblank =
30248 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30249 dev_priv->last_vblank = cur_vblank;
30250 dev_priv->last_vblank_valid = 1;
30251 }
30252 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
30253 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
30254 DRM_DEBUG("US per vblank is: %u\n",
30255 dev_priv->usec_per_vblank);
30256 }
30257 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30258
30259 for (i = 0; i < dev_priv->num_irqs; ++i) {
30260 if (status & cur_irq->pending_mask) {
30261 - atomic_inc(&cur_irq->irq_received);
30262 + atomic_inc_unchecked(&cur_irq->irq_received);
30263 DRM_WAKEUP(&cur_irq->irq_queue);
30264 handled = 1;
30265 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
30266 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
30267 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30268 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
30269 masks[irq][4]));
30270 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
30271 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30272 } else {
30273 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30274 (((cur_irq_sequence =
30275 - atomic_read(&cur_irq->irq_received)) -
30276 + atomic_read_unchecked(&cur_irq->irq_received)) -
30277 *sequence) <= (1 << 23)));
30278 }
30279 *sequence = cur_irq_sequence;
30280 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
30281 }
30282
30283 for (i = 0; i < dev_priv->num_irqs; ++i) {
30284 - atomic_set(&cur_irq->irq_received, 0);
30285 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30286 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30287 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30288 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30289 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
30290 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30291 case VIA_IRQ_RELATIVE:
30292 irqwait->request.sequence +=
30293 - atomic_read(&cur_irq->irq_received);
30294 + atomic_read_unchecked(&cur_irq->irq_received);
30295 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30296 case VIA_IRQ_ABSOLUTE:
30297 break;
30298 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
30299 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-19 00:06:34.000000000 -0400
30300 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-22 19:36:31.000000000 -0400
30301 @@ -240,7 +240,7 @@ struct vmw_private {
30302 * Fencing and IRQs.
30303 */
30304
30305 - atomic_t fence_seq;
30306 + atomic_unchecked_t fence_seq;
30307 wait_queue_head_t fence_queue;
30308 wait_queue_head_t fifo_queue;
30309 atomic_t fence_queue_waiters;
30310 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
30311 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-19 00:06:34.000000000 -0400
30312 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-22 19:36:31.000000000 -0400
30313 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
30314 while (!vmw_lag_lt(queue, us)) {
30315 spin_lock(&queue->lock);
30316 if (list_empty(&queue->head))
30317 - sequence = atomic_read(&dev_priv->fence_seq);
30318 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30319 else {
30320 fence = list_first_entry(&queue->head,
30321 struct vmw_fence, head);
30322 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
30323 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-19 00:06:34.000000000 -0400
30324 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-22 19:36:31.000000000 -0400
30325 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
30326 (unsigned int) min,
30327 (unsigned int) fifo->capabilities);
30328
30329 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30330 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30331 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
30332 vmw_fence_queue_init(&fifo->fence_queue);
30333 return vmw_fifo_send_fence(dev_priv, &dummy);
30334 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30335
30336 fm = vmw_fifo_reserve(dev_priv, bytes);
30337 if (unlikely(fm == NULL)) {
30338 - *sequence = atomic_read(&dev_priv->fence_seq);
30339 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30340 ret = -ENOMEM;
30341 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
30342 false, 3*HZ);
30343 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30344 }
30345
30346 do {
30347 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
30348 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
30349 } while (*sequence == 0);
30350
30351 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
30352 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
30353 return VM_FAULT_SIGBUS;
30354 }
30355
30356 -static struct vm_operations_struct vmw_fifo_vm_ops = {
30357 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
30358 .fault = vmw_fifo_vm_fault,
30359 .open = NULL,
30360 .close = NULL
30361 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
30362 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-19 00:06:34.000000000 -0400
30363 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-22 19:36:31.000000000 -0400
30364 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
30365 * emitted. Then the fence is stale and signaled.
30366 */
30367
30368 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
30369 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
30370 > VMW_FENCE_WRAP);
30371
30372 return ret;
30373 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
30374
30375 if (fifo_idle)
30376 down_read(&fifo_state->rwsem);
30377 - signal_seq = atomic_read(&dev_priv->fence_seq);
30378 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
30379 ret = 0;
30380
30381 for (;;) {
30382 diff -urNp linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c
30383 --- linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-19 00:06:34.000000000 -0400
30384 +++ linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-22 19:36:31.000000000 -0400
30385 @@ -53,7 +53,7 @@ struct vgasr_priv {
30386 int registered_clients;
30387 struct vga_switcheroo_client clients[VGA_SWITCHEROO_MAX_CLIENTS];
30388
30389 - struct vga_switcheroo_handler *handler;
30390 + const struct vga_switcheroo_handler *handler;
30391 };
30392
30393 static int vga_switcheroo_debugfs_init(struct vgasr_priv *priv);
30394 @@ -62,7 +62,7 @@ static void vga_switcheroo_debugfs_fini(
30395 /* only one switcheroo per system */
30396 static struct vgasr_priv vgasr_priv;
30397
30398 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler)
30399 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler)
30400 {
30401 mutex_lock(&vgasr_mutex);
30402 if (vgasr_priv.handler) {
30403 diff -urNp linux-2.6.39.3/drivers/hid/hid-core.c linux-2.6.39.3/drivers/hid/hid-core.c
30404 --- linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-19 00:06:34.000000000 -0400
30405 +++ linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-22 19:36:31.000000000 -0400
30406 @@ -1888,7 +1888,7 @@ static bool hid_ignore(struct hid_device
30407
30408 int hid_add_device(struct hid_device *hdev)
30409 {
30410 - static atomic_t id = ATOMIC_INIT(0);
30411 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30412 int ret;
30413
30414 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30415 @@ -1903,7 +1903,7 @@ int hid_add_device(struct hid_device *hd
30416 /* XXX hack, any other cleaner solution after the driver core
30417 * is converted to allow more than 20 bytes as the device name? */
30418 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30419 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30420 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30421
30422 hid_debug_register(hdev, dev_name(&hdev->dev));
30423 ret = device_add(&hdev->dev);
30424 diff -urNp linux-2.6.39.3/drivers/hid/hid-picolcd.c linux-2.6.39.3/drivers/hid/hid-picolcd.c
30425 --- linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-19 00:06:34.000000000 -0400
30426 +++ linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-22 19:36:31.000000000 -0400
30427 @@ -1037,7 +1037,7 @@ static int picolcd_check_lcd_fb(struct l
30428 return fb && fb == picolcd_fbinfo((struct picolcd_data *)lcd_get_data(ldev));
30429 }
30430
30431 -static struct lcd_ops picolcd_lcdops = {
30432 +static const struct lcd_ops picolcd_lcdops = {
30433 .get_contrast = picolcd_get_contrast,
30434 .set_contrast = picolcd_set_contrast,
30435 .check_fb = picolcd_check_lcd_fb,
30436 diff -urNp linux-2.6.39.3/drivers/hid/usbhid/hiddev.c linux-2.6.39.3/drivers/hid/usbhid/hiddev.c
30437 --- linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-19 00:06:34.000000000 -0400
30438 +++ linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-22 19:36:31.000000000 -0400
30439 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
30440 break;
30441
30442 case HIDIOCAPPLICATION:
30443 - if (arg < 0 || arg >= hid->maxapplication)
30444 + if (arg >= hid->maxapplication)
30445 break;
30446
30447 for (i = 0; i < hid->maxcollection; i++)
30448 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmaem.c linux-2.6.39.3/drivers/hwmon/ibmaem.c
30449 --- linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:18:51.000000000 -0400
30450 +++ linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:19:18.000000000 -0400
30451 @@ -238,7 +238,7 @@ struct aem_read_sensor_resp {
30452 struct aem_driver_data {
30453 struct list_head aem_devices;
30454 struct ipmi_smi_watcher bmc_events;
30455 - struct ipmi_user_hndl ipmi_hndlrs;
30456 + const struct ipmi_user_hndl ipmi_hndlrs;
30457 };
30458
30459 static void aem_register_bmc(int iface, struct device *dev);
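Review bot: Qualifying the member `ipmi_hndlrs` as `const` inside `struct aem_driver_data` only forbids assignment through the struct; the handler table does not move into read-only memory unless the enclosing object is itself `const`. In the matching ibmpex.c hunk the instance is visibly `static struct ibmpex_driver_data driver_data`, so its function pointers stay in writable data; the ibmaem instance is outside this hunk. If run-time write protection is the goal, the handlers would need to live in a separate `static const struct ipmi_user_hndl` object that the driver data refers to by pointer.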
30460 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmpex.c linux-2.6.39.3/drivers/hwmon/ibmpex.c
30461 --- linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:18:51.000000000 -0400
30462 +++ linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:19:18.000000000 -0400
30463 @@ -110,7 +110,7 @@ struct ibmpex_bmc_data {
30464 struct ibmpex_driver_data {
30465 struct list_head bmc_data;
30466 struct ipmi_smi_watcher bmc_events;
30467 - struct ipmi_user_hndl ipmi_hndlrs;
30468 + const struct ipmi_user_hndl ipmi_hndlrs;
30469 };
30470
30471 static struct ibmpex_driver_data driver_data = {
30472 diff -urNp linux-2.6.39.3/drivers/hwmon/sht15.c linux-2.6.39.3/drivers/hwmon/sht15.c
30473 --- linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-19 00:06:34.000000000 -0400
30474 +++ linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-22 19:36:31.000000000 -0400
30475 @@ -113,7 +113,7 @@ struct sht15_data {
30476 int supply_uV;
30477 int supply_uV_valid;
30478 struct work_struct update_supply_work;
30479 - atomic_t interrupt_handled;
30480 + atomic_unchecked_t interrupt_handled;
30481 };
30482
30483 /**
30484 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
30485 return ret;
30486
30487 gpio_direction_input(data->pdata->gpio_data);
30488 - atomic_set(&data->interrupt_handled, 0);
30489 + atomic_set_unchecked(&data->interrupt_handled, 0);
30490
30491 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30492 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30493 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30494 /* Only relevant if the interrupt hasn't occurred. */
30495 - if (!atomic_read(&data->interrupt_handled))
30496 + if (!atomic_read_unchecked(&data->interrupt_handled))
30497 schedule_work(&data->read_work);
30498 }
30499 ret = wait_event_timeout(data->wait_queue,
30500 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
30501 struct sht15_data *data = d;
30502 /* First disable the interrupt */
30503 disable_irq_nosync(irq);
30504 - atomic_inc(&data->interrupt_handled);
30505 + atomic_inc_unchecked(&data->interrupt_handled);
30506 /* Then schedule a reading work struct */
30507 if (data->flag != SHT15_READING_NOTHING)
30508 schedule_work(&data->read_work);
30509 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
30510 here as could have gone low in meantime so verify
30511 it hasn't!
30512 */
30513 - atomic_set(&data->interrupt_handled, 0);
30514 + atomic_set_unchecked(&data->interrupt_handled, 0);
30515 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30516 /* If still not occurred or another handler has been scheduled */
30517 if (gpio_get_value(data->pdata->gpio_data)
30518 - || atomic_read(&data->interrupt_handled))
30519 + || atomic_read_unchecked(&data->interrupt_handled))
30520 return;
30521 }
30522 /* Read the data back from the device */
30523 diff -urNp linux-2.6.39.3/drivers/hwmon/w83791d.c linux-2.6.39.3/drivers/hwmon/w83791d.c
30524 --- linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-19 00:06:34.000000000 -0400
30525 +++ linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-22 19:36:31.000000000 -0400
30526 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
30527 struct i2c_board_info *info);
30528 static int w83791d_remove(struct i2c_client *client);
30529
30530 -static int w83791d_read(struct i2c_client *client, u8 register);
30531 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30532 +static int w83791d_read(struct i2c_client *client, u8 reg);
30533 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30534 static struct w83791d_data *w83791d_update_device(struct device *dev);
30535
30536 #ifdef DEBUG
30537 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c
30538 --- linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-19 00:06:34.000000000 -0400
30539 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-22 19:36:31.000000000 -0400
30540 @@ -181,7 +181,7 @@ static u32 at91_func(struct i2c_adapter
30541 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30542 }
30543
30544 -static struct i2c_algorithm at91_algorithm = {
30545 +static const struct i2c_algorithm at91_algorithm = {
30546 .master_xfer = at91_xfer,
30547 .functionality = at91_func,
30548 };
30549 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c
30550 --- linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-19 00:06:34.000000000 -0400
30551 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-22 19:36:31.000000000 -0400
30552 @@ -599,7 +599,7 @@ static u32 bfin_twi_functionality(struct
30553 I2C_FUNC_I2C | I2C_FUNC_SMBUS_I2C_BLOCK;
30554 }
30555
30556 -static struct i2c_algorithm bfin_twi_algorithm = {
30557 +static const struct i2c_algorithm bfin_twi_algorithm = {
30558 .master_xfer = bfin_twi_master_xfer,
30559 .smbus_xfer = bfin_twi_smbus_xfer,
30560 .functionality = bfin_twi_functionality,
30561 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c
30562 --- linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-19 00:06:34.000000000 -0400
30563 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-22 19:36:31.000000000 -0400
30564 @@ -630,7 +630,7 @@ static inline void i2c_davinci_cpufreq_d
30565 }
30566 #endif
30567
30568 -static struct i2c_algorithm i2c_davinci_algo = {
30569 +static const struct i2c_algorithm i2c_davinci_algo = {
30570 .master_xfer = i2c_davinci_xfer,
30571 .functionality = i2c_davinci_func,
30572 };
30573 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c
30574 --- linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-19 00:06:34.000000000 -0400
30575 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-22 19:36:31.000000000 -0400
30576 @@ -689,7 +689,7 @@ tx_aborted:
30577 return IRQ_HANDLED;
30578 }
30579
30580 -static struct i2c_algorithm i2c_dw_algo = {
30581 +static const struct i2c_algorithm i2c_dw_algo = {
30582 .master_xfer = i2c_dw_xfer,
30583 .functionality = i2c_dw_func,
30584 };
30585 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c
30586 --- linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-19 00:06:34.000000000 -0400
30587 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-22 19:36:31.000000000 -0400
30588 @@ -708,7 +708,7 @@ static u32 pch_i2c_func(struct i2c_adapt
30589 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL | I2C_FUNC_10BIT_ADDR;
30590 }
30591
30592 -static struct i2c_algorithm pch_algorithm = {
30593 +static const struct i2c_algorithm pch_algorithm = {
30594 .master_xfer = pch_i2c_xfer,
30595 .functionality = pch_i2c_func
30596 };
30597 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c
30598 --- linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-19 00:06:34.000000000 -0400
30599 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-22 19:36:31.000000000 -0400
30600 @@ -457,7 +457,7 @@ static u32 i2c_imx_func(struct i2c_adapt
30601 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30602 }
30603
30604 -static struct i2c_algorithm i2c_imx_algo = {
30605 +static const struct i2c_algorithm i2c_imx_algo = {
30606 .master_xfer = i2c_imx_xfer,
30607 .functionality = i2c_imx_func,
30608 };
30609 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c
30610 --- linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-19 00:06:34.000000000 -0400
30611 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-22 19:36:31.000000000 -0400
30612 @@ -917,7 +917,7 @@ err:
30613 return IRQ_HANDLED;
30614 }
30615
30616 -static struct i2c_algorithm intel_mid_i2c_algorithm = {
30617 +static const struct i2c_algorithm intel_mid_i2c_algorithm = {
30618 .master_xfer = intel_mid_i2c_xfer,
30619 .functionality = intel_mid_i2c_func,
30620 };
30621 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c
30622 --- linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-19 00:06:34.000000000 -0400
30623 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-22 19:36:31.000000000 -0400
30624 @@ -303,7 +303,7 @@ static u32 nforce2_func(struct i2c_adapt
30625 I2C_FUNC_SMBUS_BLOCK_DATA : 0);
30626 }
30627
30628 -static struct i2c_algorithm smbus_algorithm = {
30629 +static const struct i2c_algorithm smbus_algorithm = {
30630 .smbus_xfer = nforce2_access,
30631 .functionality = nforce2_func,
30632 };
30633 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c
30634 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
30635 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-22 19:36:31.000000000 -0400
30636 @@ -615,7 +615,7 @@ static u32 pmcmsptwi_i2c_func(struct i2c
30637
30638 /* -- Initialization -- */
30639
30640 -static struct i2c_algorithm pmcmsptwi_algo = {
30641 +static const struct i2c_algorithm pmcmsptwi_algo = {
30642 .master_xfer = pmcmsptwi_master_xfer,
30643 .functionality = pmcmsptwi_i2c_func,
30644 };
30645 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c
30646 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-19 00:06:34.000000000 -0400
30647 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-22 19:36:31.000000000 -0400
30648 @@ -535,7 +535,7 @@ static u32 i2c_pnx_func(struct i2c_adapt
30649 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30650 }
30651
30652 -static struct i2c_algorithm pnx_algorithm = {
30653 +static const struct i2c_algorithm pnx_algorithm = {
30654 .master_xfer = i2c_pnx_xfer,
30655 .functionality = i2c_pnx_func,
30656 };
30657 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c
30658 --- linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-19 00:06:34.000000000 -0400
30659 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-22 19:36:31.000000000 -0400
30660 @@ -176,7 +176,7 @@ static u32 puv3_i2c_func(struct i2c_adap
30661 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30662 }
30663
30664 -static struct i2c_algorithm puv3_i2c_algorithm = {
30665 +static const struct i2c_algorithm puv3_i2c_algorithm = {
30666 .master_xfer = puv3_i2c_xfer,
30667 .functionality = puv3_i2c_func,
30668 };
30669 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c
30670 --- linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-19 00:06:34.000000000 -0400
30671 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-22 19:36:31.000000000 -0400
30672 @@ -243,7 +243,7 @@ static u32 s6i2c_functionality(struct i2
30673 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30674 }
30675
30676 -static struct i2c_algorithm s6i2c_algorithm = {
30677 +static const struct i2c_algorithm s6i2c_algorithm = {
30678 .master_xfer = s6i2c_master_xfer,
30679 .functionality = s6i2c_functionality,
30680 };
30681 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c
30682 --- linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-19 00:06:34.000000000 -0400
30683 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-22 19:36:31.000000000 -0400
30684 @@ -529,7 +529,7 @@ static u32 sh_mobile_i2c_func(struct i2c
30685 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30686 }
30687
30688 -static struct i2c_algorithm sh_mobile_i2c_algorithm = {
30689 +static const struct i2c_algorithm sh_mobile_i2c_algorithm = {
30690 .functionality = sh_mobile_i2c_func,
30691 .master_xfer = sh_mobile_i2c_xfer,
30692 };
30693 diff -urNp linux-2.6.39.3/drivers/ide/ide-cd.c linux-2.6.39.3/drivers/ide/ide-cd.c
30694 --- linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:04:14.000000000 -0400
30695 +++ linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:32:05.000000000 -0400
30696 @@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
30697 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30698 if ((unsigned long)buf & alignment
30699 || blk_rq_bytes(rq) & q->dma_pad_mask
30700 - || object_is_on_stack(buf))
30701 + || object_starts_on_stack(buf))
30702 drive->dma = 0;
30703 }
30704 }
30705 diff -urNp linux-2.6.39.3/drivers/ide/ide-floppy.c linux-2.6.39.3/drivers/ide/ide-floppy.c
30706 --- linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-19 00:06:34.000000000 -0400
30707 +++ linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-22 19:36:31.000000000 -0400
30708 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
30709 u8 pc_buf[256], header_len, desc_cnt;
30710 int i, rc = 1, blocks, length;
30711
30712 + pax_track_stack();
30713 +
30714 ide_debug_log(IDE_DBG_FUNC, "enter");
30715
30716 drive->bios_cyl = 0;
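Review bot: The added `pax_track_stack();` in ide_floppy_get_capacity has no comment tying it to the large local declared just above it (`u8 pc_buf[256]`), so the reason for the call is easy to lose if the buffer is later shrunk or moved off the stack. A short comment such as `/* large stack frame (pc_buf): record stack usage */` would keep the two together. The same applies to the calls added in ide_pci_init_two (`struct ide_hw hw[4]`) and atomic_counters_read (`struct infinipath_counters counters`). All three function bodies continue outside their hunks.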
30717 diff -urNp linux-2.6.39.3/drivers/ide/it821x.c linux-2.6.39.3/drivers/ide/it821x.c
30718 --- linux-2.6.39.3/drivers/ide/it821x.c 2011-05-19 00:06:34.000000000 -0400
30719 +++ linux-2.6.39.3/drivers/ide/it821x.c 2011-05-22 19:36:31.000000000 -0400
30720 @@ -508,7 +508,7 @@ static void it821x_quirkproc(ide_drive_t
30721
30722 }
30723
30724 -static struct ide_dma_ops it821x_pass_through_dma_ops = {
30725 +static const struct ide_dma_ops it821x_pass_through_dma_ops = {
30726 .dma_host_set = ide_dma_host_set,
30727 .dma_setup = ide_dma_setup,
30728 .dma_start = it821x_dma_start,
30729 diff -urNp linux-2.6.39.3/drivers/ide/setup-pci.c linux-2.6.39.3/drivers/ide/setup-pci.c
30730 --- linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-19 00:06:34.000000000 -0400
30731 +++ linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-22 19:36:31.000000000 -0400
30732 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30733 int ret, i, n_ports = dev2 ? 4 : 2;
30734 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30735
30736 + pax_track_stack();
30737 +
30738 for (i = 0; i < n_ports / 2; i++) {
30739 ret = ide_setup_pci_controller(pdev[i], d, !i);
30740 if (ret < 0)
30741 diff -urNp linux-2.6.39.3/drivers/ide/trm290.c linux-2.6.39.3/drivers/ide/trm290.c
30742 --- linux-2.6.39.3/drivers/ide/trm290.c 2011-05-19 00:06:34.000000000 -0400
30743 +++ linux-2.6.39.3/drivers/ide/trm290.c 2011-05-22 19:36:31.000000000 -0400
30744 @@ -314,7 +314,7 @@ static const struct ide_tp_ops trm290_tp
30745 .output_data = ide_output_data,
30746 };
30747
30748 -static struct ide_dma_ops trm290_dma_ops = {
30749 +static const struct ide_dma_ops trm290_dma_ops = {
30750 .dma_host_set = trm290_dma_host_set,
30751 .dma_setup = trm290_dma_setup,
30752 .dma_start = trm290_dma_start,
30753 diff -urNp linux-2.6.39.3/drivers/infiniband/core/cm.c linux-2.6.39.3/drivers/infiniband/core/cm.c
30754 --- linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-19 00:06:34.000000000 -0400
30755 +++ linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-22 19:36:31.000000000 -0400
30756 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
30757
30758 struct cm_counter_group {
30759 struct kobject obj;
30760 - atomic_long_t counter[CM_ATTR_COUNT];
30761 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30762 };
30763
30764 struct cm_counter_attribute {
30765 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
30766 struct ib_mad_send_buf *msg = NULL;
30767 int ret;
30768
30769 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30770 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30771 counter[CM_REQ_COUNTER]);
30772
30773 /* Quick state check to discard duplicate REQs. */
30774 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
30775 if (!cm_id_priv)
30776 return;
30777
30778 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30779 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30780 counter[CM_REP_COUNTER]);
30781 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30782 if (ret)
30783 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
30784 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30785 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30786 spin_unlock_irq(&cm_id_priv->lock);
30787 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30788 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30789 counter[CM_RTU_COUNTER]);
30790 goto out;
30791 }
30792 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
30793 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30794 dreq_msg->local_comm_id);
30795 if (!cm_id_priv) {
30796 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30797 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30798 counter[CM_DREQ_COUNTER]);
30799 cm_issue_drep(work->port, work->mad_recv_wc);
30800 return -EINVAL;
30801 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
30802 case IB_CM_MRA_REP_RCVD:
30803 break;
30804 case IB_CM_TIMEWAIT:
30805 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30806 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30807 counter[CM_DREQ_COUNTER]);
30808 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30809 goto unlock;
30810 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
30811 cm_free_msg(msg);
30812 goto deref;
30813 case IB_CM_DREQ_RCVD:
30814 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30815 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30816 counter[CM_DREQ_COUNTER]);
30817 goto unlock;
30818 default:
30819 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
30820 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30821 cm_id_priv->msg, timeout)) {
30822 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30823 - atomic_long_inc(&work->port->
30824 + atomic_long_inc_unchecked(&work->port->
30825 counter_group[CM_RECV_DUPLICATES].
30826 counter[CM_MRA_COUNTER]);
30827 goto out;
30828 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
30829 break;
30830 case IB_CM_MRA_REQ_RCVD:
30831 case IB_CM_MRA_REP_RCVD:
30832 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30833 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30834 counter[CM_MRA_COUNTER]);
30835 /* fall through */
30836 default:
30837 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
30838 case IB_CM_LAP_IDLE:
30839 break;
30840 case IB_CM_MRA_LAP_SENT:
30841 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30842 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30843 counter[CM_LAP_COUNTER]);
30844 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30845 goto unlock;
30846 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
30847 cm_free_msg(msg);
30848 goto deref;
30849 case IB_CM_LAP_RCVD:
30850 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30851 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30852 counter[CM_LAP_COUNTER]);
30853 goto unlock;
30854 default:
30855 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
30856 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30857 if (cur_cm_id_priv) {
30858 spin_unlock_irq(&cm.lock);
30859 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30860 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30861 counter[CM_SIDR_REQ_COUNTER]);
30862 goto out; /* Duplicate message. */
30863 }
30864 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
30865 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30866 msg->retries = 1;
30867
30868 - atomic_long_add(1 + msg->retries,
30869 + atomic_long_add_unchecked(1 + msg->retries,
30870 &port->counter_group[CM_XMIT].counter[attr_index]);
30871 if (msg->retries)
30872 - atomic_long_add(msg->retries,
30873 + atomic_long_add_unchecked(msg->retries,
30874 &port->counter_group[CM_XMIT_RETRIES].
30875 counter[attr_index]);
30876
30877 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
30878 }
30879
30880 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30881 - atomic_long_inc(&port->counter_group[CM_RECV].
30882 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30883 counter[attr_id - CM_ATTR_ID_OFFSET]);
30884
30885 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
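Review bot: The index `attr_id - CM_ATTR_ID_OFFSET` used for the `CM_RECV` counter comes from the received MAD header, and the check that keeps it below `CM_ATTR_COUNT` is not visible in this hunk. It is presumably done by the block that closes with the `}` at the top of the hunk, but that block starts outside the visible lines and should be confirmed. If so, a comment before the increment, e.g. `/* attr_id was validated above, so the index is within counter[] */`, would make the dependency explicit, because the increment writes to whatever slot the index selects.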
30886 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
30887 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30888
30889 return sprintf(buf, "%ld\n",
30890 - atomic_long_read(&group->counter[cm_attr->index]));
30891 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30892 }
30893
30894 static const struct sysfs_ops cm_counter_ops = {
30895 diff -urNp linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c
30896 --- linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-19 00:06:34.000000000 -0400
30897 +++ linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-22 19:36:31.000000000 -0400
30898 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30899
30900 struct task_struct *thread;
30901
30902 - atomic_t req_ser;
30903 - atomic_t flush_ser;
30904 + atomic_unchecked_t req_ser;
30905 + atomic_unchecked_t flush_ser;
30906
30907 wait_queue_head_t force_wait;
30908 };
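Review bot: `req_ser` and `flush_ser` are serial numbers that are meant to wrap, and nothing on the new `atomic_unchecked_t` declarations says so. The later hunks compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`), which stays correct across wrap-around only as long as the counters are allowed to overflow. A comment on the two fields, e.g. `/* wrapping serial numbers, compared by difference; must not trap on overflow */`, would record why the unchecked type is required rather than merely tolerated. The static `key` in drivers/infiniband/hw/cxgb4/mem.c, which is masked with `0xff` after the increment, deserves the same remark.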
30909 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30910 struct ib_fmr_pool *pool = pool_ptr;
30911
30912 do {
30913 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30914 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30915 ib_fmr_batch_release(pool);
30916
30917 - atomic_inc(&pool->flush_ser);
30918 + atomic_inc_unchecked(&pool->flush_ser);
30919 wake_up_interruptible(&pool->force_wait);
30920
30921 if (pool->flush_function)
30922 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30923 }
30924
30925 set_current_state(TASK_INTERRUPTIBLE);
30926 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30927 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30928 !kthread_should_stop())
30929 schedule();
30930 __set_current_state(TASK_RUNNING);
30931 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30932 pool->dirty_watermark = params->dirty_watermark;
30933 pool->dirty_len = 0;
30934 spin_lock_init(&pool->pool_lock);
30935 - atomic_set(&pool->req_ser, 0);
30936 - atomic_set(&pool->flush_ser, 0);
30937 + atomic_set_unchecked(&pool->req_ser, 0);
30938 + atomic_set_unchecked(&pool->flush_ser, 0);
30939 init_waitqueue_head(&pool->force_wait);
30940
30941 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30942 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30943 }
30944 spin_unlock_irq(&pool->pool_lock);
30945
30946 - serial = atomic_inc_return(&pool->req_ser);
30947 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30948 wake_up_process(pool->thread);
30949
30950 if (wait_event_interruptible(pool->force_wait,
30951 - atomic_read(&pool->flush_ser) - serial >= 0))
30952 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30953 return -EINTR;
30954
30955 return 0;
30956 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30957 } else {
30958 list_add_tail(&fmr->list, &pool->dirty_list);
30959 if (++pool->dirty_len >= pool->dirty_watermark) {
30960 - atomic_inc(&pool->req_ser);
30961 + atomic_inc_unchecked(&pool->req_ser);
30962 wake_up_process(pool->thread);
30963 }
30964 }
30965 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c
30966 --- linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-19 00:06:34.000000000 -0400
30967 +++ linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-22 19:36:31.000000000 -0400
30968 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
30969 int err;
30970 struct fw_ri_tpte tpt;
30971 u32 stag_idx;
30972 - static atomic_t key;
30973 + static atomic_unchecked_t key;
30974
30975 if (c4iw_fatal_error(rdev))
30976 return -EIO;
30977 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
30978 &rdev->resource.tpt_fifo_lock);
30979 if (!stag_idx)
30980 return -ENOMEM;
30981 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
30982 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
30983 }
30984 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
30985 __func__, stag_state, type, pdid, stag_idx);
30986 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c
30987 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-19 00:06:34.000000000 -0400
30988 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-22 19:36:31.000000000 -0400
30989 @@ -175,7 +175,7 @@ static void ipath_dma_free_coherent(stru
30990 free_pages((unsigned long) cpu_addr, get_order(size));
30991 }
30992
30993 -struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30994 +const struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
30995 ipath_mapping_error,
30996 ipath_dma_map_single,
30997 ipath_dma_unmap_single,
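Review bot: `ipath_dma_mapping_ops` is now `const` but is still initialised positionally (`ipath_mapping_error, ipath_dma_map_single, ...`), so each callback lands in the right slot only while the field order of `struct ib_dma_mapping_ops` stays as it is. Designated initialisers would make the table independent of that order, e.g. `.mapping_error = ipath_mapping_error,` and `.map_single = ipath_dma_map_single,`. The initialiser continues outside the hunk, so the remaining entries would need the same treatment.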
30998 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c
30999 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-19 00:06:34.000000000 -0400
31000 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-22 19:36:31.000000000 -0400
31001 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
31002 struct infinipath_counters counters;
31003 struct ipath_devdata *dd;
31004
31005 + pax_track_stack();
31006 +
31007 dd = file->f_path.dentry->d_inode->i_private;
31008 dd->ipath_f_read_counters(dd, &counters);
31009
31010 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c
31011 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-19 00:06:34.000000000 -0400
31012 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-22 19:36:31.000000000 -0400
31013 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31014 struct ib_atomic_eth *ateth;
31015 struct ipath_ack_entry *e;
31016 u64 vaddr;
31017 - atomic64_t *maddr;
31018 + atomic64_unchecked_t *maddr;
31019 u64 sdata;
31020 u32 rkey;
31021 u8 next;
31022 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31023 IB_ACCESS_REMOTE_ATOMIC)))
31024 goto nack_acc_unlck;
31025 /* Perform atomic OP and save result. */
31026 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31027 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31028 sdata = be64_to_cpu(ateth->swap_data);
31029 e = &qp->s_ack_queue[qp->r_head_ack_queue];
31030 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
31031 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31032 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31033 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31034 be64_to_cpu(ateth->compare_data),
31035 sdata);
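Review bot: The cast to `atomic64_unchecked_t *` and the `atomic64_add_return_unchecked(sdata, maddr)` call deserve a comment, because here both the addend and the target memory are chosen by the peer. `sdata` is read from `ateth->swap_data` in the incoming packet and `maddr` is taken from `qp->r_sge.sge.vaddr`, so the addition is presumably expected to wrap and must not be handled as a reference-count overflow. Something like `/* fetch-and-add on remote request: operand comes from the wire, wrap-around is expected */` above the assignment would do. The loopback path in ipath_ruc.c (`sdata = wqe->wr.wr.atomic.compare_add`) has the same pattern. ipath_rc_rcv starts and ends outside the hunk.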
31036 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c
31037 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-19 00:06:34.000000000 -0400
31038 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-22 19:36:31.000000000 -0400
31039 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
31040 unsigned long flags;
31041 struct ib_wc wc;
31042 u64 sdata;
31043 - atomic64_t *maddr;
31044 + atomic64_unchecked_t *maddr;
31045 enum ib_wc_status send_status;
31046
31047 /*
31048 @@ -382,11 +382,11 @@ again:
31049 IB_ACCESS_REMOTE_ATOMIC)))
31050 goto acc_err;
31051 /* Perform atomic OP and save result. */
31052 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31053 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31054 sdata = wqe->wr.wr.atomic.compare_add;
31055 *(u64 *) sqp->s_sge.sge.vaddr =
31056 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
31057 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31058 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31059 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31060 sdata, wqe->wr.wr.atomic.swap);
31061 goto send_comp;
31062 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h
31063 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-19 00:06:34.000000000 -0400
31064 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-22 19:36:31.000000000 -0400
31065 @@ -931,6 +931,6 @@ extern unsigned int ib_ipath_max_srq_wrs
31066
31067 extern const u32 ib_ipath_rnr_table[];
31068
31069 -extern struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31070 +extern const struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31071
31072 #endif /* IPATH_VERBS_H */
31073 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c
31074 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-19 00:06:34.000000000 -0400
31075 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-22 19:36:31.000000000 -0400
31076 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
31077 LIST_HEAD(nes_adapter_list);
31078 static LIST_HEAD(nes_dev_list);
31079
31080 -atomic_t qps_destroyed;
31081 +atomic_unchecked_t qps_destroyed;
31082
31083 static unsigned int ee_flsh_adapter;
31084 static unsigned int sysfs_nonidx_addr;
31085 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
31086 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
31087 struct nes_adapter *nesadapter = nesdev->nesadapter;
31088
31089 - atomic_inc(&qps_destroyed);
31090 + atomic_inc_unchecked(&qps_destroyed);
31091
31092 /* Free the control structures */
31093
31094 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c
31095 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-19 00:06:34.000000000 -0400
31096 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-22 19:36:31.000000000 -0400
31097 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
31098 u32 cm_packets_retrans;
31099 u32 cm_packets_created;
31100 u32 cm_packets_received;
31101 -atomic_t cm_listens_created;
31102 -atomic_t cm_listens_destroyed;
31103 +atomic_unchecked_t cm_listens_created;
31104 +atomic_unchecked_t cm_listens_destroyed;
31105 u32 cm_backlog_drops;
31106 -atomic_t cm_loopbacks;
31107 -atomic_t cm_nodes_created;
31108 -atomic_t cm_nodes_destroyed;
31109 -atomic_t cm_accel_dropped_pkts;
31110 -atomic_t cm_resets_recvd;
31111 +atomic_unchecked_t cm_loopbacks;
31112 +atomic_unchecked_t cm_nodes_created;
31113 +atomic_unchecked_t cm_nodes_destroyed;
31114 +atomic_unchecked_t cm_accel_dropped_pkts;
31115 +atomic_unchecked_t cm_resets_recvd;
31116
31117 static inline int mini_cm_accelerated(struct nes_cm_core *,
31118 struct nes_cm_node *);
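Review bot: These counters are non-static globals, so their `extern` declarations and every reader outside nes_cm.c have to change type together with the definitions, and none of that is visible in this part of the patch. I would confirm that the declaring header now reads `extern atomic_unchecked_t cm_connects;` (and likewise for the other counters here and for `qps_destroyed` in nes.c) and that all readers use `atomic_read_unchecked()`. Building once with and once without the overflow-checking option is the practical way to catch a missed site. The checked `atomic_read(&cm_node->ref_count)` in handle_rst_pkt and `atomic_dec(&cm_core->node_cnt)` in rem_ref_cm_node are left as they were, which looks intentional for a real reference count.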
31119 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
31120
31121 static struct nes_cm_core *g_cm_core;
31122
31123 -atomic_t cm_connects;
31124 -atomic_t cm_accepts;
31125 -atomic_t cm_disconnects;
31126 -atomic_t cm_closes;
31127 -atomic_t cm_connecteds;
31128 -atomic_t cm_connect_reqs;
31129 -atomic_t cm_rejects;
31130 +atomic_unchecked_t cm_connects;
31131 +atomic_unchecked_t cm_accepts;
31132 +atomic_unchecked_t cm_disconnects;
31133 +atomic_unchecked_t cm_closes;
31134 +atomic_unchecked_t cm_connecteds;
31135 +atomic_unchecked_t cm_connect_reqs;
31136 +atomic_unchecked_t cm_rejects;
31137
31138
31139 /**
31140 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
31141 kfree(listener);
31142 listener = NULL;
31143 ret = 0;
31144 - atomic_inc(&cm_listens_destroyed);
31145 + atomic_inc_unchecked(&cm_listens_destroyed);
31146 } else {
31147 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
31148 }
31149 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
31150 cm_node->rem_mac);
31151
31152 add_hte_node(cm_core, cm_node);
31153 - atomic_inc(&cm_nodes_created);
31154 + atomic_inc_unchecked(&cm_nodes_created);
31155
31156 return cm_node;
31157 }
31158 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
31159 }
31160
31161 atomic_dec(&cm_core->node_cnt);
31162 - atomic_inc(&cm_nodes_destroyed);
31163 + atomic_inc_unchecked(&cm_nodes_destroyed);
31164 nesqp = cm_node->nesqp;
31165 if (nesqp) {
31166 nesqp->cm_node = NULL;
31167 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
31168
31169 static void drop_packet(struct sk_buff *skb)
31170 {
31171 - atomic_inc(&cm_accel_dropped_pkts);
31172 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31173 dev_kfree_skb_any(skb);
31174 }
31175
31176 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
31177 {
31178
31179 int reset = 0; /* whether to send reset in case of err.. */
31180 - atomic_inc(&cm_resets_recvd);
31181 + atomic_inc_unchecked(&cm_resets_recvd);
31182 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
31183 " refcnt=%d\n", cm_node, cm_node->state,
31184 atomic_read(&cm_node->ref_count));
31185 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
31186 rem_ref_cm_node(cm_node->cm_core, cm_node);
31187 return NULL;
31188 }
31189 - atomic_inc(&cm_loopbacks);
31190 + atomic_inc_unchecked(&cm_loopbacks);
31191 loopbackremotenode->loopbackpartner = cm_node;
31192 loopbackremotenode->tcp_cntxt.rcv_wscale =
31193 NES_CM_DEFAULT_RCV_WND_SCALE;
31194 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
31195 add_ref_cm_node(cm_node);
31196 } else if (cm_node->state == NES_CM_STATE_TSA) {
31197 rem_ref_cm_node(cm_core, cm_node);
31198 - atomic_inc(&cm_accel_dropped_pkts);
31199 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31200 dev_kfree_skb_any(skb);
31201 break;
31202 }
31203 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
31204
31205 if ((cm_id) && (cm_id->event_handler)) {
31206 if (issue_disconn) {
31207 - atomic_inc(&cm_disconnects);
31208 + atomic_inc_unchecked(&cm_disconnects);
31209 cm_event.event = IW_CM_EVENT_DISCONNECT;
31210 cm_event.status = disconn_status;
31211 cm_event.local_addr = cm_id->local_addr;
31212 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
31213 }
31214
31215 if (issue_close) {
31216 - atomic_inc(&cm_closes);
31217 + atomic_inc_unchecked(&cm_closes);
31218 nes_disconnect(nesqp, 1);
31219
31220 cm_id->provider_data = nesqp;
31221 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
31222
31223 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
31224 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
31225 - atomic_inc(&cm_accepts);
31226 + atomic_inc_unchecked(&cm_accepts);
31227
31228 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
31229 netdev_refcnt_read(nesvnic->netdev));
31230 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
31231
31232 struct nes_cm_core *cm_core;
31233
31234 - atomic_inc(&cm_rejects);
31235 + atomic_inc_unchecked(&cm_rejects);
31236 cm_node = (struct nes_cm_node *) cm_id->provider_data;
31237 loopback = cm_node->loopbackpartner;
31238 cm_core = cm_node->cm_core;
31239 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
31240 ntohl(cm_id->local_addr.sin_addr.s_addr),
31241 ntohs(cm_id->local_addr.sin_port));
31242
31243 - atomic_inc(&cm_connects);
31244 + atomic_inc_unchecked(&cm_connects);
31245 nesqp->active_conn = 1;
31246
31247 /* cache the cm_id in the qp */
31248 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
31249 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
31250 return err;
31251 }
31252 - atomic_inc(&cm_listens_created);
31253 + atomic_inc_unchecked(&cm_listens_created);
31254 }
31255
31256 cm_id->add_ref(cm_id);
31257 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
31258 if (nesqp->destroyed) {
31259 return;
31260 }
31261 - atomic_inc(&cm_connecteds);
31262 + atomic_inc_unchecked(&cm_connecteds);
31263 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
31264 " local port 0x%04X. jiffies = %lu.\n",
31265 nesqp->hwqp.qp_id,
31266 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
31267
31268 cm_id->add_ref(cm_id);
31269 ret = cm_id->event_handler(cm_id, &cm_event);
31270 - atomic_inc(&cm_closes);
31271 + atomic_inc_unchecked(&cm_closes);
31272 cm_event.event = IW_CM_EVENT_CLOSE;
31273 cm_event.status = IW_CM_EVENT_STATUS_OK;
31274 cm_event.provider_data = cm_id->provider_data;
31275 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
31276 return;
31277 cm_id = cm_node->cm_id;
31278
31279 - atomic_inc(&cm_connect_reqs);
31280 + atomic_inc_unchecked(&cm_connect_reqs);
31281 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31282 cm_node, cm_id, jiffies);
31283
31284 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
31285 return;
31286 cm_id = cm_node->cm_id;
31287
31288 - atomic_inc(&cm_connect_reqs);
31289 + atomic_inc_unchecked(&cm_connect_reqs);
31290 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31291 cm_node, cm_id, jiffies);
31292
31293 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h
31294 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-19 00:06:34.000000000 -0400
31295 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-22 19:36:31.000000000 -0400
31296 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
31297 extern unsigned int wqm_quanta;
31298 extern struct list_head nes_adapter_list;
31299
31300 -extern atomic_t cm_connects;
31301 -extern atomic_t cm_accepts;
31302 -extern atomic_t cm_disconnects;
31303 -extern atomic_t cm_closes;
31304 -extern atomic_t cm_connecteds;
31305 -extern atomic_t cm_connect_reqs;
31306 -extern atomic_t cm_rejects;
31307 -extern atomic_t mod_qp_timouts;
31308 -extern atomic_t qps_created;
31309 -extern atomic_t qps_destroyed;
31310 -extern atomic_t sw_qps_destroyed;
31311 +extern atomic_unchecked_t cm_connects;
31312 +extern atomic_unchecked_t cm_accepts;
31313 +extern atomic_unchecked_t cm_disconnects;
31314 +extern atomic_unchecked_t cm_closes;
31315 +extern atomic_unchecked_t cm_connecteds;
31316 +extern atomic_unchecked_t cm_connect_reqs;
31317 +extern atomic_unchecked_t cm_rejects;
31318 +extern atomic_unchecked_t mod_qp_timouts;
31319 +extern atomic_unchecked_t qps_created;
31320 +extern atomic_unchecked_t qps_destroyed;
31321 +extern atomic_unchecked_t sw_qps_destroyed;
31322 extern u32 mh_detected;
31323 extern u32 mh_pauses_sent;
31324 extern u32 cm_packets_sent;
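Review bot: Nothing at these declarations records why the counters are exempt from overflow checking, which is what a later reader needs to know before adding a new user. `atomic_unchecked_t` is the PaX REFCOUNT opt-out type, so it only suits values that never decide an object's lifetime. In the hunks shown these variables are only incremented and then read into the ethtool statistics array in nes_nic.c. I would add above the block `/* statistics only, never used as reference counts: wraparound is harmless */`, which also covers the second hunk of this header and the definitions converted in nes_verbs.c.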
31325 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
31326 extern u32 cm_packets_received;
31327 extern u32 cm_packets_dropped;
31328 extern u32 cm_packets_retrans;
31329 -extern atomic_t cm_listens_created;
31330 -extern atomic_t cm_listens_destroyed;
31331 +extern atomic_unchecked_t cm_listens_created;
31332 +extern atomic_unchecked_t cm_listens_destroyed;
31333 extern u32 cm_backlog_drops;
31334 -extern atomic_t cm_loopbacks;
31335 -extern atomic_t cm_nodes_created;
31336 -extern atomic_t cm_nodes_destroyed;
31337 -extern atomic_t cm_accel_dropped_pkts;
31338 -extern atomic_t cm_resets_recvd;
31339 +extern atomic_unchecked_t cm_loopbacks;
31340 +extern atomic_unchecked_t cm_nodes_created;
31341 +extern atomic_unchecked_t cm_nodes_destroyed;
31342 +extern atomic_unchecked_t cm_accel_dropped_pkts;
31343 +extern atomic_unchecked_t cm_resets_recvd;
31344
31345 extern u32 int_mod_timer_init;
31346 extern u32 int_mod_cq_depth_256;
31347 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c
31348 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-19 00:06:34.000000000 -0400
31349 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-22 19:36:31.000000000 -0400
31350 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
31351 target_stat_values[++index] = mh_detected;
31352 target_stat_values[++index] = mh_pauses_sent;
31353 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31354 - target_stat_values[++index] = atomic_read(&cm_connects);
31355 - target_stat_values[++index] = atomic_read(&cm_accepts);
31356 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31357 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31358 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31359 - target_stat_values[++index] = atomic_read(&cm_rejects);
31360 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31361 - target_stat_values[++index] = atomic_read(&qps_created);
31362 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31363 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31364 - target_stat_values[++index] = atomic_read(&cm_closes);
31365 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31366 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31367 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31368 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31369 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31370 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31371 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31372 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31373 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31374 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31375 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31376 target_stat_values[++index] = cm_packets_sent;
31377 target_stat_values[++index] = cm_packets_bounced;
31378 target_stat_values[++index] = cm_packets_created;
31379 target_stat_values[++index] = cm_packets_received;
31380 target_stat_values[++index] = cm_packets_dropped;
31381 target_stat_values[++index] = cm_packets_retrans;
31382 - target_stat_values[++index] = atomic_read(&cm_listens_created);
31383 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
31384 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
31385 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
31386 target_stat_values[++index] = cm_backlog_drops;
31387 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31388 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31389 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31390 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31391 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31392 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31393 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31394 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31395 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31396 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31397 target_stat_values[++index] = nesadapter->free_4kpbl;
31398 target_stat_values[++index] = nesadapter->free_256pbl;
31399 target_stat_values[++index] = int_mod_timer_init;
31400 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c
31401 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-19 00:06:34.000000000 -0400
31402 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-22 19:36:31.000000000 -0400
31403 @@ -46,9 +46,9 @@
31404
31405 #include <rdma/ib_umem.h>
31406
31407 -atomic_t mod_qp_timouts;
31408 -atomic_t qps_created;
31409 -atomic_t sw_qps_destroyed;
31410 +atomic_unchecked_t mod_qp_timouts;
31411 +atomic_unchecked_t qps_created;
31412 +atomic_unchecked_t sw_qps_destroyed;
31413
31414 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31415
31416 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
31417 if (init_attr->create_flags)
31418 return ERR_PTR(-EINVAL);
31419
31420 - atomic_inc(&qps_created);
31421 + atomic_inc_unchecked(&qps_created);
31422 switch (init_attr->qp_type) {
31423 case IB_QPT_RC:
31424 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31425 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
31426 struct iw_cm_event cm_event;
31427 int ret;
31428
31429 - atomic_inc(&sw_qps_destroyed);
31430 + atomic_inc_unchecked(&sw_qps_destroyed);
31431 nesqp->destroyed = 1;
31432
31433 /* Blow away the connection if it exists. */
31434 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h
31435 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-19 00:06:34.000000000 -0400
31436 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-22 19:36:31.000000000 -0400
31437 @@ -51,6 +51,7 @@
31438 #include <linux/completion.h>
31439 #include <linux/kref.h>
31440 #include <linux/sched.h>
31441 +#include <linux/slab.h>
31442
31443 #include "qib_common.h"
31444 #include "qib_verbs.h"
31445 @@ -87,7 +88,7 @@ struct qlogic_ib_stats {
31446 };
31447
31448 extern struct qlogic_ib_stats qib_stats;
31449 -extern struct pci_error_handlers qib_pci_err_handler;
31450 +extern const struct pci_error_handlers qib_pci_err_handler;
31451 extern struct pci_driver qib_driver;
31452
31453 #define QIB_CHIP_SWVERSION QIB_CHIP_VERS_MAJ
31454 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c
31455 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-19 00:06:34.000000000 -0400
31456 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-22 19:36:31.000000000 -0400
31457 @@ -75,7 +75,7 @@ static void qib_vma_close(struct vm_area
31458 kref_put(&ip->ref, qib_release_mmap_info);
31459 }
31460
31461 -static struct vm_operations_struct qib_vm_ops = {
31462 +static const struct vm_operations_struct qib_vm_ops = {
31463 .open = qib_vma_open,
31464 .close = qib_vma_close,
31465 };
31466 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c
31467 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-19 00:06:34.000000000 -0400
31468 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-22 19:36:31.000000000 -0400
31469 @@ -735,7 +735,7 @@ qib_pci_resume(struct pci_dev *pdev)
31470 qib_init(dd, 1); /* same as re-init after reset */
31471 }
31472
31473 -struct pci_error_handlers qib_pci_err_handler = {
31474 +const struct pci_error_handlers qib_pci_err_handler = {
31475 .error_detected = qib_pci_error_detected,
31476 .mmio_enabled = qib_pci_mmio_enabled,
31477 .link_reset = qib_pci_link_reset,
31478 diff -urNp linux-2.6.39.3/drivers/input/gameport/gameport.c linux-2.6.39.3/drivers/input/gameport/gameport.c
31479 --- linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-19 00:06:34.000000000 -0400
31480 +++ linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-22 19:36:31.000000000 -0400
31481 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
31482 */
31483 static void gameport_init_port(struct gameport *gameport)
31484 {
31485 - static atomic_t gameport_no = ATOMIC_INIT(0);
31486 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31487
31488 __module_get(THIS_MODULE);
31489
31490 mutex_init(&gameport->drv_mutex);
31491 device_initialize(&gameport->dev);
31492 dev_set_name(&gameport->dev, "gameport%lu",
31493 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
31494 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31495 gameport->dev.bus = &gameport_bus;
31496 gameport->dev.release = gameport_release_port;
31497 if (gameport->parent)
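Review bot: `gameport_no` is switched to `atomic_unchecked_t` without a comment saying that it only numbers devices. In the lines shown the value is used once, to build the `gameport%lu` name, so a wrap cannot free or leak anything, but that reasoning should sit next to the declaration: `/* naming sequence only, not a reference count; may wrap */`. The same comment fits `input_no` (input.c), `led_seq` (xpad.c) and `serio_no` (serio.c). gameport_init_port continues past the end of the hunk.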
31498 diff -urNp linux-2.6.39.3/drivers/input/input.c linux-2.6.39.3/drivers/input/input.c
31499 --- linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:18:51.000000000 -0400
31500 +++ linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:19:18.000000000 -0400
31501 @@ -1815,7 +1815,7 @@ static void input_cleanse_bitmasks(struc
31502 */
31503 int input_register_device(struct input_dev *dev)
31504 {
31505 - static atomic_t input_no = ATOMIC_INIT(0);
31506 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31507 struct input_handler *handler;
31508 const char *path;
31509 int error;
31510 @@ -1852,7 +1852,7 @@ int input_register_device(struct input_d
31511 dev->setkeycode = input_default_setkeycode;
31512
31513 dev_set_name(&dev->dev, "input%ld",
31514 - (unsigned long) atomic_inc_return(&input_no) - 1);
31515 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31516
31517 error = device_add(&dev->dev);
31518 if (error)
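Review bot: The rewritten argument still casts to `unsigned long` while the format on the line above is `input%ld`, so the specifier and the argument type disagree. Now that the counter is allowed to wrap, the sign of the printed number is no longer purely theoretical, so the two should be made to agree while the line is being touched. Either use `(long) atomic_inc_return_unchecked(&input_no) - 1`, as the serio.c hunk does, or change the format to `input%lu`, as gameport.c does. input_register_device starts and ends outside this hunk.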
31519 diff -urNp linux-2.6.39.3/drivers/input/joystick/sidewinder.c linux-2.6.39.3/drivers/input/joystick/sidewinder.c
31520 --- linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-19 00:06:34.000000000 -0400
31521 +++ linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-22 19:36:31.000000000 -0400
31522 @@ -30,6 +30,7 @@
31523 #include <linux/kernel.h>
31524 #include <linux/module.h>
31525 #include <linux/slab.h>
31526 +#include <linux/sched.h>
31527 #include <linux/init.h>
31528 #include <linux/input.h>
31529 #include <linux/gameport.h>
31530 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31531 unsigned char buf[SW_LENGTH];
31532 int i;
31533
31534 + pax_track_stack();
31535 +
31536 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31537
31538 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
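Review bot: The added `pax_track_stack();` has no comment naming the local that makes it necessary, so a maintainer cannot tell when the call must stay and when it can go. Here it is presumably the `buf[SW_LENGTH]` array declared just above, and the `#include <linux/sched.h>` in the first hunk presumably supplies the declaration; neither is stated. I would write `/* large on-stack buffer: record stack depth for PAX_MEMORY_STACKLEAK */` above the call. The same applies to the calls added in the eicon files (capidtmf.c, capifunc.c, diddfunc.c, divasfunc.c, idifunc.c, message.c, mntfunc.c) and in isdn_common.c. sw_read continues outside the hunk.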
31539 diff -urNp linux-2.6.39.3/drivers/input/joystick/xpad.c linux-2.6.39.3/drivers/input/joystick/xpad.c
31540 --- linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-19 00:06:34.000000000 -0400
31541 +++ linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-22 19:36:31.000000000 -0400
31542 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
31543
31544 static int xpad_led_probe(struct usb_xpad *xpad)
31545 {
31546 - static atomic_t led_seq = ATOMIC_INIT(0);
31547 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31548 long led_no;
31549 struct xpad_led *led;
31550 struct led_classdev *led_cdev;
31551 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
31552 if (!led)
31553 return -ENOMEM;
31554
31555 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31556 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31557
31558 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31559 led->xpad = xpad;
31560 diff -urNp linux-2.6.39.3/drivers/input/mousedev.c linux-2.6.39.3/drivers/input/mousedev.c
31561 --- linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:18:51.000000000 -0400
31562 +++ linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:19:18.000000000 -0400
31563 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
31564
31565 spin_unlock_irq(&client->packet_lock);
31566
31567 - if (copy_to_user(buffer, data, count))
31568 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
31569 return -EFAULT;
31570
31571 return count;
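Review bot: The added `count > sizeof(data)` test only guards the `copy_to_user()` read of `data`. The hunk does not show where `data` is filled; if that happens earlier in mousedev_read with the same `count`, an oversized `count` would already have overrun the buffer before this line runs. If the bound is meant as a real invariant, it belongs at the point where `count` is clamped, before the first use of `data`. If it is only a second line of defence, say so: `/* count was clamped above; rechecked here before copying out */`. The comment should also mention that a length failure is reported as `-EFAULT`, which callers normally read as a bad user pointer.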
31572 diff -urNp linux-2.6.39.3/drivers/input/serio/serio.c linux-2.6.39.3/drivers/input/serio/serio.c
31573 --- linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-19 00:06:34.000000000 -0400
31574 +++ linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-22 19:36:31.000000000 -0400
31575 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
31576 */
31577 static void serio_init_port(struct serio *serio)
31578 {
31579 - static atomic_t serio_no = ATOMIC_INIT(0);
31580 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31581
31582 __module_get(THIS_MODULE);
31583
31584 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
31585 mutex_init(&serio->drv_mutex);
31586 device_initialize(&serio->dev);
31587 dev_set_name(&serio->dev, "serio%ld",
31588 - (long)atomic_inc_return(&serio_no) - 1);
31589 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31590 serio->dev.bus = &serio_bus;
31591 serio->dev.release = serio_release_port;
31592 serio->dev.groups = serio_device_attr_groups;
31593 diff -urNp linux-2.6.39.3/drivers/isdn/capi/capi.c linux-2.6.39.3/drivers/isdn/capi/capi.c
31594 --- linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-19 00:06:34.000000000 -0400
31595 +++ linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-22 19:36:31.000000000 -0400
31596 @@ -89,8 +89,8 @@ struct capiminor {
31597
31598 struct capi20_appl *ap;
31599 u32 ncci;
31600 - atomic_t datahandle;
31601 - atomic_t msgid;
31602 + atomic_unchecked_t datahandle;
31603 + atomic_unchecked_t msgid;
31604
31605 struct tty_port port;
31606 int ttyinstop;
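Review bot: The two fields lose overflow checking with no comment explaining why that is safe. In the later hunks both are only advanced with `atomic_inc_return_unchecked()`, and `msgid` is passed straight to `capimsg_setu16()`, so they look like protocol sequence numbers that are expected to wrap rather than reference counts. Record that on the fields, for example `/* message/data sequence numbers, not refcounts; wrap is expected */`. struct capiminor continues outside the hunk.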
31607 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
31608 capimsg_setu16(s, 2, mp->ap->applid);
31609 capimsg_setu8 (s, 4, CAPI_DATA_B3);
31610 capimsg_setu8 (s, 5, CAPI_RESP);
31611 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
31612 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
31613 capimsg_setu32(s, 8, mp->ncci);
31614 capimsg_setu16(s, 12, datahandle);
31615 }
31616 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
31617 mp->outbytes -= len;
31618 spin_unlock_bh(&mp->outlock);
31619
31620 - datahandle = atomic_inc_return(&mp->datahandle);
31621 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
31622 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
31623 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31624 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31625 capimsg_setu16(skb->data, 2, mp->ap->applid);
31626 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
31627 capimsg_setu8 (skb->data, 5, CAPI_REQ);
31628 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
31629 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
31630 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
31631 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
31632 capimsg_setu16(skb->data, 16, len); /* Data length */
31633 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/common.c linux-2.6.39.3/drivers/isdn/gigaset/common.c
31634 --- linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-19 00:06:34.000000000 -0400
31635 +++ linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-22 19:36:31.000000000 -0400
31636 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
31637 cs->commands_pending = 0;
31638 cs->cur_at_seq = 0;
31639 cs->gotfwver = -1;
31640 - cs->open_count = 0;
31641 + local_set(&cs->open_count, 0);
31642 cs->dev = NULL;
31643 cs->tty = NULL;
31644 cs->tty_dev = NULL;
31645 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h
31646 --- linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-19 00:06:34.000000000 -0400
31647 +++ linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-22 19:36:31.000000000 -0400
31648 @@ -35,6 +35,7 @@
31649 #include <linux/tty_driver.h>
31650 #include <linux/list.h>
31651 #include <asm/atomic.h>
31652 +#include <asm/local.h>
31653
31654 #define GIG_VERSION {0, 5, 0, 0}
31655 #define GIG_COMPAT {0, 4, 0, 0}
31656 @@ -433,7 +434,7 @@ struct cardstate {
31657 spinlock_t cmdlock;
31658 unsigned curlen, cmdbytes;
31659
31660 - unsigned open_count;
31661 + local_t open_count;
31662 struct tty_struct *tty;
31663 struct tasklet_struct if_wake_tasklet;
31664 unsigned control_state;
31665 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/interface.c linux-2.6.39.3/drivers/isdn/gigaset/interface.c
31666 --- linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-19 00:06:34.000000000 -0400
31667 +++ linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-22 19:36:31.000000000 -0400
31668 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
31669 return -ERESTARTSYS;
31670 tty->driver_data = cs;
31671
31672 - ++cs->open_count;
31673 -
31674 - if (cs->open_count == 1) {
31675 + if (local_inc_return(&cs->open_count) == 1) {
31676 spin_lock_irqsave(&cs->lock, flags);
31677 cs->tty = tty;
31678 spin_unlock_irqrestore(&cs->lock, flags);
31679 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
31680
31681 if (!cs->connected)
31682 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31683 - else if (!cs->open_count)
31684 + else if (!local_read(&cs->open_count))
31685 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31686 else {
31687 - if (!--cs->open_count) {
31688 + if (!local_dec_return(&cs->open_count)) {
31689 spin_lock_irqsave(&cs->lock, flags);
31690 cs->tty = NULL;
31691 spin_unlock_irqrestore(&cs->lock, flags);
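Review bot: In if_close the new code tests `local_read(&cs->open_count)` and then separately calls `local_dec_return(&cs->open_count)`, so the conversion to `local_t` does not make the open/close accounting atomic. It still depends on whatever lock is held around these lines, which the hunk does not show. `local_t` operations are also only guaranteed atomic with respect to the CPU that owns the variable, while `open_count` is a per-device field (gigaset.h) that any CPU may reach. If the type was chosen only to get a wrapped counter API, the field should say so: `/* serialized by the caller's lock; local_t is not atomic across CPUs */`. If cross-CPU atomicity is wanted, `atomic_t` is the type that provides it.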
31692 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
31693 if (!cs->connected) {
31694 gig_dbg(DEBUG_IF, "not connected");
31695 retval = -ENODEV;
31696 - } else if (!cs->open_count)
31697 + } else if (!local_read(&cs->open_count))
31698 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31699 else {
31700 retval = 0;
31701 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
31702 retval = -ENODEV;
31703 goto done;
31704 }
31705 - if (!cs->open_count) {
31706 + if (!local_read(&cs->open_count)) {
31707 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31708 retval = -ENODEV;
31709 goto done;
31710 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
31711 if (!cs->connected) {
31712 gig_dbg(DEBUG_IF, "not connected");
31713 retval = -ENODEV;
31714 - } else if (!cs->open_count)
31715 + } else if (!local_read(&cs->open_count))
31716 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31717 else if (cs->mstate != MS_LOCKED) {
31718 dev_warn(cs->dev, "can't write to unlocked device\n");
31719 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
31720
31721 if (!cs->connected)
31722 gig_dbg(DEBUG_IF, "not connected");
31723 - else if (!cs->open_count)
31724 + else if (!local_read(&cs->open_count))
31725 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31726 else if (cs->mstate != MS_LOCKED)
31727 dev_warn(cs->dev, "can't write to unlocked device\n");
31728 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
31729
31730 if (!cs->connected)
31731 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31732 - else if (!cs->open_count)
31733 + else if (!local_read(&cs->open_count))
31734 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31735 else
31736 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31737 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
31738
31739 if (!cs->connected)
31740 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31741 - else if (!cs->open_count)
31742 + else if (!local_read(&cs->open_count))
31743 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31744 else
31745 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31746 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
31747 goto out;
31748 }
31749
31750 - if (!cs->open_count) {
31751 + if (!local_read(&cs->open_count)) {
31752 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31753 goto out;
31754 }
31755 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c
31756 --- linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-19 00:06:34.000000000 -0400
31757 +++ linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-22 19:36:31.000000000 -0400
31758 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
31759 }
31760 if (left) {
31761 if (t4file->user) {
31762 - if (copy_from_user(buf, dp, left))
31763 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31764 return -EFAULT;
31765 } else {
31766 memcpy(buf, dp, left);
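Review bot: The new `left > sizeof buf` bound is applied only on the `t4file->user` branch, while the `memcpy(buf, dp, left)` in the else branch copies the same `left` into the same `buf` unchecked. If the code before this hunk (not visible here) already guarantees that `left` fits, the test is redundant and deserves a comment such as `/* left is bounded by the loop above; explicit check kept for the user copy */`. If it does not, hoist the test so both branches are covered: `if (left > sizeof buf) return -EFAULT;` ahead of `if (t4file->user)`. The second hunk, in b1_load_config, has the same shape with `config->user`.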
31767 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
31768 }
31769 if (left) {
31770 if (config->user) {
31771 - if (copy_from_user(buf, dp, left))
31772 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31773 return -EFAULT;
31774 } else {
31775 memcpy(buf, dp, left);
31776 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c
31777 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-19 00:06:34.000000000 -0400
31778 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-22 19:36:31.000000000 -0400
31779 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31780 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31781 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31782
31783 + pax_track_stack();
31784
31785 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31786 {
31787 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c
31788 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-19 00:06:34.000000000 -0400
31789 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-22 19:36:31.000000000 -0400
31790 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31791 IDI_SYNC_REQ req;
31792 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31793
31794 + pax_track_stack();
31795 +
31796 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31797
31798 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31799 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c
31800 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-19 00:06:34.000000000 -0400
31801 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-22 19:36:31.000000000 -0400
31802 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31803 IDI_SYNC_REQ req;
31804 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31805
31806 + pax_track_stack();
31807 +
31808 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31809
31810 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31811 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c
31812 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-19 00:06:34.000000000 -0400
31813 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-22 19:36:31.000000000 -0400
31814 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31815 IDI_SYNC_REQ req;
31816 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31817
31818 + pax_track_stack();
31819 +
31820 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31821
31822 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31823 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c
31824 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-19 00:06:34.000000000 -0400
31825 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-22 19:36:31.000000000 -0400
31826 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31827 IDI_SYNC_REQ req;
31828 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31829
31830 + pax_track_stack();
31831 +
31832 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31833
31834 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31835 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c
31836 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-19 00:06:34.000000000 -0400
31837 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-22 19:36:31.000000000 -0400
31838 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31839 dword d;
31840 word w;
31841
31842 + pax_track_stack();
31843 +
31844 a = plci->adapter;
31845 Id = ((word)plci->Id<<8)|a->Id;
31846 PUT_WORD(&SS_Ind[4],0x0000);
31847 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31848 word j, n, w;
31849 dword d;
31850
31851 + pax_track_stack();
31852 +
31853
31854 for(i=0;i<8;i++) bp_parms[i].length = 0;
31855 for(i=0;i<2;i++) global_config[i].length = 0;
31856 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31857 const byte llc3[] = {4,3,2,2,6,6,0};
31858 const byte header[] = {0,2,3,3,0,0,0};
31859
31860 + pax_track_stack();
31861 +
31862 for(i=0;i<8;i++) bp_parms[i].length = 0;
31863 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31864 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31865 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
31866 word appl_number_group_type[MAX_APPL];
31867 PLCI *auxplci;
31868
31869 + pax_track_stack();
31870 +
31871 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31872
31873 if(!a->group_optimization_enabled)
31874 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c
31875 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-19 00:06:34.000000000 -0400
31876 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-22 19:36:31.000000000 -0400
31877 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31878 IDI_SYNC_REQ req;
31879 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31880
31881 + pax_track_stack();
31882 +
31883 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31884
31885 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31886 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c
31887 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-19 00:06:34.000000000 -0400
31888 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-22 19:36:31.000000000 -0400
31889 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
31890 } iocpar;
31891 void __user *argp = (void __user *)arg;
31892
31893 + pax_track_stack();
31894 +
31895 #define name iocpar.name
31896 #define bname iocpar.bname
31897 #define iocts iocpar.iocts
31898 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c
31899 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-19 00:06:34.000000000 -0400
31900 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-22 19:36:31.000000000 -0400
31901 @@ -400,7 +400,7 @@ isdn_net_stat_callback(int idx, isdn_ctr
31902 isdn_net_local *lp = p->local;
31903 #ifdef CONFIG_ISDN_X25
31904 struct concap_proto *cprot = lp->netdev->cprot;
31905 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31906 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31907 #endif
31908 switch (cmd) {
31909 case ISDN_STAT_BSENT:
31910 @@ -831,7 +831,7 @@ isdn_net_hangup(struct net_device *d)
31911 isdn_ctrl cmd;
31912 #ifdef CONFIG_ISDN_X25
31913 struct concap_proto *cprot = lp->netdev->cprot;
31914 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31915 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31916 #endif
31917
31918 if (lp->flags & ISDN_NET_CONNECTED) {
31919 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c
31920 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-19 00:06:34.000000000 -0400
31921 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-22 19:36:31.000000000 -0400
31922 @@ -52,7 +52,7 @@ static int isdn_x25iface_connect_ind( st
31923 static int isdn_x25iface_disconn_ind( struct concap_proto * );
31924
31925
31926 -static struct concap_proto_ops ix25_pops = {
31927 +static const struct concap_proto_ops ix25_pops = {
31928 &isdn_x25iface_proto_new,
31929 &isdn_x25iface_proto_del,
31930 &isdn_x25iface_proto_restart,
31931 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h
31932 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-19 00:06:34.000000000 -0400
31933 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-22 19:36:31.000000000 -0400
31934 @@ -23,7 +23,7 @@
31935 #include <linux/isdn.h>
31936 #include <linux/concap.h>
31937
31938 -extern struct concap_proto_ops * isdn_x25iface_concap_proto_ops_pt;
31939 +extern const struct concap_proto_ops *isdn_x25iface_concap_proto_ops_pt;
31940 extern struct concap_proto * isdn_x25iface_proto_new(void);
31941
31942
31943 diff -urNp linux-2.6.39.3/drivers/isdn/icn/icn.c linux-2.6.39.3/drivers/isdn/icn/icn.c
31944 --- linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-19 00:06:34.000000000 -0400
31945 +++ linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-22 19:36:31.000000000 -0400
31946 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
31947 if (count > len)
31948 count = len;
31949 if (user) {
31950 - if (copy_from_user(msg, buf, count))
31951 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31952 return -EFAULT;
31953 } else
31954 memcpy(msg, buf, count);
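Review bot: The new `count > sizeof msg` bound is applied only on the `user` path; the `else` branch still runs `memcpy(msg, buf, count)` with the same `count`, which in the visible lines is limited only by `len`. Moving the test ahead of the branch, `if (count > sizeof msg) return -EINVAL;`, would cover both copies and report a bad length rather than a fault. The declarations of `msg` and `count` are outside the hunk, so whether an earlier clamp already keeps `count` within the buffer cannot be confirmed from here.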
31955 diff -urNp linux-2.6.39.3/drivers/lguest/core.c linux-2.6.39.3/drivers/lguest/core.c
31956 --- linux-2.6.39.3/drivers/lguest/core.c 2011-05-19 00:06:34.000000000 -0400
31957 +++ linux-2.6.39.3/drivers/lguest/core.c 2011-05-22 19:36:31.000000000 -0400
31958 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
31959 * it's worked so far. The end address needs +1 because __get_vm_area
31960 * allocates an extra guard page, so we need space for that.
31961 */
31962 +
31963 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31964 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31965 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31966 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31967 +#else
31968 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31969 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31970 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31971 +#endif
31972 +
31973 if (!switcher_vma) {
31974 err = -ENOMEM;
31975 printk("lguest: could not map switcher pages high\n");
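Review bot: The two `__get_vm_area()` calls under `#if`/`#else` differ only in the `VM_KERNEXEC` flag, so any later change to the size or address arguments has to be made in both copies. Selecting the flags once and keeping a single call would stop them drifting apart, for example `unsigned long vm_flags = VM_ALLOC;` followed by `vm_flags |= VM_KERNEXEC;` inside the `#if`. map_switcher() starts and ends outside the hunk.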
31976 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
31977 * Now the Switcher is mapped at the right address, we can't fail!
31978 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31979 */
31980 - memcpy(switcher_vma->addr, start_switcher_text,
31981 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31982 end_switcher_text - start_switcher_text);
31983
31984 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31985 diff -urNp linux-2.6.39.3/drivers/lguest/lguest_device.c linux-2.6.39.3/drivers/lguest/lguest_device.c
31986 --- linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-19 00:06:34.000000000 -0400
31987 +++ linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-22 19:36:31.000000000 -0400
31988 @@ -374,7 +374,7 @@ error:
31989 }
31990
31991 /* The ops structure which hooks everything together. */
31992 -static struct virtio_config_ops lguest_config_ops = {
31993 +static const struct virtio_config_ops lguest_config_ops = {
31994 .get_features = lg_get_features,
31995 .finalize_features = lg_finalize_features,
31996 .get = lg_get,
31997 diff -urNp linux-2.6.39.3/drivers/lguest/x86/core.c linux-2.6.39.3/drivers/lguest/x86/core.c
31998 --- linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-19 00:06:34.000000000 -0400
31999 +++ linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-22 19:36:31.000000000 -0400
32000 @@ -59,7 +59,7 @@ static struct {
32001 /* Offset from where switcher.S was compiled to where we've copied it */
32002 static unsigned long switcher_offset(void)
32003 {
32004 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
32005 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
32006 }
32007
32008 /* This cpu's struct lguest_pages. */
32009 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
32010 * These copies are pretty cheap, so we do them unconditionally: */
32011 /* Save the current Host top-level page directory.
32012 */
32013 +
32014 +#ifdef CONFIG_PAX_PER_CPU_PGD
32015 + pages->state.host_cr3 = read_cr3();
32016 +#else
32017 pages->state.host_cr3 = __pa(current->mm->pgd);
32018 +#endif
32019 +
32020 /*
32021 * Set up the Guest's page tables to see this CPU's pages (and no
32022 * other CPU's pages).
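Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch has no comment saying why `host_cr3` is taken from `read_cr3()` instead of `__pa(current->mm->pgd)`; the existing comment above it still only says that the host page directory is saved. Presumably with per-CPU page directories the loaded CR3 no longer matches `current->mm->pgd`. If so, a line such as `/* per-CPU PGD: the active CR3 is not current->mm->pgd */` would record that for the next reader. copy_in_guest_info() continues outside the hunk.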
32023 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
32024 * compiled-in switcher code and the high-mapped copy we just made.
32025 */
32026 for (i = 0; i < IDT_ENTRIES; i++)
32027 - default_idt_entries[i] += switcher_offset();
32028 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
32029
32030 /*
32031 * Set up the Switcher's per-cpu areas.
32032 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
32033 * it will be undisturbed when we switch. To change %cs and jump we
32034 * need this structure to feed to Intel's "lcall" instruction.
32035 */
32036 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
32037 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
32038 lguest_entry.segment = LGUEST_CS;
32039
32040 /*
32041 diff -urNp linux-2.6.39.3/drivers/lguest/x86/switcher_32.S linux-2.6.39.3/drivers/lguest/x86/switcher_32.S
32042 --- linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-19 00:06:34.000000000 -0400
32043 +++ linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-22 19:36:31.000000000 -0400
32044 @@ -87,6 +87,7 @@
32045 #include <asm/page.h>
32046 #include <asm/segment.h>
32047 #include <asm/lguest.h>
32048 +#include <asm/processor-flags.h>
32049
32050 // We mark the start of the code to copy
32051 // It's placed in .text tho it's never run here
32052 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
32053 // Changes type when we load it: damn Intel!
32054 // For after we switch over our page tables
32055 // That entry will be read-only: we'd crash.
32056 +
32057 +#ifdef CONFIG_PAX_KERNEXEC
32058 + mov %cr0, %edx
32059 + xor $X86_CR0_WP, %edx
32060 + mov %edx, %cr0
32061 +#endif
32062 +
32063 movl $(GDT_ENTRY_TSS*8), %edx
32064 ltr %dx
32065
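Review bot: `xor $X86_CR0_WP, %edx` toggles the write-protect bit rather than clearing it, so the result depends on CR0.WP being set when `switch_to_guest` is entered. The matching `xor` in the next hunk has the same dependence when it turns the bit back on. Stating the intended state explicitly is more robust: `and $~X86_CR0_WP, %edx` here and `or $X86_CR0_WP, %eax` in the later block. A one-line comment that write protection is apparently lifted only around the `ltr` and the `andb` on the host GDT would also help.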
32066 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
32067 // Let's clear it again for our return.
32068 // The GDT descriptor of the Host
32069 // Points to the table after two "size" bytes
32070 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
32071 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
32072 // Clear "used" from type field (byte 5, bit 2)
32073 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
32074 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
32075 +
32076 +#ifdef CONFIG_PAX_KERNEXEC
32077 + mov %cr0, %eax
32078 + xor $X86_CR0_WP, %eax
32079 + mov %eax, %cr0
32080 +#endif
32081
32082 // Once our page table's switched, the Guest is live!
32083 // The Host fades as we run this final step.
32084 @@ -295,13 +309,12 @@ deliver_to_host:
32085 // I consulted gcc, and it gave
32086 // These instructions, which I gladly credit:
32087 leal (%edx,%ebx,8), %eax
32088 - movzwl (%eax),%edx
32089 - movl 4(%eax), %eax
32090 - xorw %ax, %ax
32091 - orl %eax, %edx
32092 + movl 4(%eax), %edx
32093 + movw (%eax), %dx
32094 // Now the address of the handler's in %edx
32095 // We call it now: its "iret" drops us home.
32096 - jmp *%edx
32097 + ljmp $__KERNEL_CS, $1f
32098 +1: jmp *%edx
32099
32100 // Every interrupt can come to us here
32101 // But we must truly tell each apart.
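Review bot: The added `ljmp $__KERNEL_CS, $1f` is unconditional, while the other additions to this file are wrapped in `#ifdef CONFIG_PAX_KERNEXEC`, and nothing says why a far jump is needed before `jmp *%edx`. If the %cs reload is only required under KERNEXEC (an assumption; the hunk does not show it), it should carry the same guard. Either way a comment such as `// reload %cs with the host kernel segment before entering the handler` would document the intent.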
32102 diff -urNp linux-2.6.39.3/drivers/md/dm.c linux-2.6.39.3/drivers/md/dm.c
32103 --- linux-2.6.39.3/drivers/md/dm.c 2011-05-19 00:06:34.000000000 -0400
32104 +++ linux-2.6.39.3/drivers/md/dm.c 2011-05-22 19:36:31.000000000 -0400
32105 @@ -162,9 +162,9 @@ struct mapped_device {
32106 /*
32107 * Event handling.
32108 */
32109 - atomic_t event_nr;
32110 + atomic_unchecked_t event_nr;
32111 wait_queue_head_t eventq;
32112 - atomic_t uevent_seq;
32113 + atomic_unchecked_t uevent_seq;
32114 struct list_head uevent_list;
32115 spinlock_t uevent_lock; /* Protect access to uevent_list */
32116
32117 @@ -1836,8 +1836,8 @@ static struct mapped_device *alloc_dev(i
32118 rwlock_init(&md->map_lock);
32119 atomic_set(&md->holders, 1);
32120 atomic_set(&md->open_count, 0);
32121 - atomic_set(&md->event_nr, 0);
32122 - atomic_set(&md->uevent_seq, 0);
32123 + atomic_set_unchecked(&md->event_nr, 0);
32124 + atomic_set_unchecked(&md->uevent_seq, 0);
32125 INIT_LIST_HEAD(&md->uevent_list);
32126 spin_lock_init(&md->uevent_lock);
32127
32128 @@ -1971,7 +1971,7 @@ static void event_callback(void *context
32129
32130 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
32131
32132 - atomic_inc(&md->event_nr);
32133 + atomic_inc_unchecked(&md->event_nr);
32134 wake_up(&md->eventq);
32135 }
32136
32137 @@ -2547,18 +2547,18 @@ int dm_kobject_uevent(struct mapped_devi
32138
32139 uint32_t dm_next_uevent_seq(struct mapped_device *md)
32140 {
32141 - return atomic_add_return(1, &md->uevent_seq);
32142 + return atomic_add_return_unchecked(1, &md->uevent_seq);
32143 }
32144
32145 uint32_t dm_get_event_nr(struct mapped_device *md)
32146 {
32147 - return atomic_read(&md->event_nr);
32148 + return atomic_read_unchecked(&md->event_nr);
32149 }
32150
32151 int dm_wait_event(struct mapped_device *md, int event_nr)
32152 {
32153 return wait_event_interruptible(md->eventq,
32154 - (event_nr != atomic_read(&md->event_nr)));
32155 + (event_nr != atomic_read_unchecked(&md->event_nr)));
32156 }
32157
32158 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
32159 diff -urNp linux-2.6.39.3/drivers/md/dm-crypt.c linux-2.6.39.3/drivers/md/dm-crypt.c
32160 --- linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-19 00:06:34.000000000 -0400
32161 +++ linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-22 19:36:31.000000000 -0400
32162 @@ -138,7 +138,7 @@ struct crypt_config {
32163 char *cipher;
32164 char *cipher_string;
32165
32166 - struct crypt_iv_operations *iv_gen_ops;
32167 + const struct crypt_iv_operations *iv_gen_ops;
32168 union {
32169 struct iv_essiv_private essiv;
32170 struct iv_benbi_private benbi;
32171 @@ -620,15 +620,15 @@ static int crypt_iv_lmk_post(struct cryp
32172 return r;
32173 }
32174
32175 -static struct crypt_iv_operations crypt_iv_plain_ops = {
32176 +static const struct crypt_iv_operations crypt_iv_plain_ops = {
32177 .generator = crypt_iv_plain_gen
32178 };
32179
32180 -static struct crypt_iv_operations crypt_iv_plain64_ops = {
32181 +static const struct crypt_iv_operations crypt_iv_plain64_ops = {
32182 .generator = crypt_iv_plain64_gen
32183 };
32184
32185 -static struct crypt_iv_operations crypt_iv_essiv_ops = {
32186 +static const struct crypt_iv_operations crypt_iv_essiv_ops = {
32187 .ctr = crypt_iv_essiv_ctr,
32188 .dtr = crypt_iv_essiv_dtr,
32189 .init = crypt_iv_essiv_init,
32190 @@ -636,17 +636,17 @@ static struct crypt_iv_operations crypt_
32191 .generator = crypt_iv_essiv_gen
32192 };
32193
32194 -static struct crypt_iv_operations crypt_iv_benbi_ops = {
32195 +static const struct crypt_iv_operations crypt_iv_benbi_ops = {
32196 .ctr = crypt_iv_benbi_ctr,
32197 .dtr = crypt_iv_benbi_dtr,
32198 .generator = crypt_iv_benbi_gen
32199 };
32200
32201 -static struct crypt_iv_operations crypt_iv_null_ops = {
32202 +static const struct crypt_iv_operations crypt_iv_null_ops = {
32203 .generator = crypt_iv_null_gen
32204 };
32205
32206 -static struct crypt_iv_operations crypt_iv_lmk_ops = {
32207 +static const struct crypt_iv_operations crypt_iv_lmk_ops = {
32208 .ctr = crypt_iv_lmk_ctr,
32209 .dtr = crypt_iv_lmk_dtr,
32210 .init = crypt_iv_lmk_init,
32211 diff -urNp linux-2.6.39.3/drivers/md/dm-ioctl.c linux-2.6.39.3/drivers/md/dm-ioctl.c
32212 --- linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-19 00:06:34.000000000 -0400
32213 +++ linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-22 19:36:31.000000000 -0400
32214 @@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
32215 cmd == DM_LIST_VERSIONS_CMD)
32216 return 0;
32217
32218 - if ((cmd == DM_DEV_CREATE_CMD)) {
32219 + if (cmd == DM_DEV_CREATE_CMD) {
32220 if (!*param->name) {
32221 DMWARN("name not supplied when creating device");
32222 return -EINVAL;
32223 diff -urNp linux-2.6.39.3/drivers/md/dm-raid1.c linux-2.6.39.3/drivers/md/dm-raid1.c
32224 --- linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-19 00:06:34.000000000 -0400
32225 +++ linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-22 19:36:31.000000000 -0400
32226 @@ -42,7 +42,7 @@ enum dm_raid1_error {
32227
32228 struct mirror {
32229 struct mirror_set *ms;
32230 - atomic_t error_count;
32231 + atomic_unchecked_t error_count;
32232 unsigned long error_type;
32233 struct dm_dev *dev;
32234 sector_t offset;
32235 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
32236 struct mirror *m;
32237
32238 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
32239 - if (!atomic_read(&m->error_count))
32240 + if (!atomic_read_unchecked(&m->error_count))
32241 return m;
32242
32243 return NULL;
32244 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
32245 * simple way to tell if a device has encountered
32246 * errors.
32247 */
32248 - atomic_inc(&m->error_count);
32249 + atomic_inc_unchecked(&m->error_count);
32250
32251 if (test_and_set_bit(error_type, &m->error_type))
32252 return;
32253 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
32254 struct mirror *m = get_default_mirror(ms);
32255
32256 do {
32257 - if (likely(!atomic_read(&m->error_count)))
32258 + if (likely(!atomic_read_unchecked(&m->error_count)))
32259 return m;
32260
32261 if (m-- == ms->mirror)
32262 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
32263 {
32264 struct mirror *default_mirror = get_default_mirror(m->ms);
32265
32266 - return !atomic_read(&default_mirror->error_count);
32267 + return !atomic_read_unchecked(&default_mirror->error_count);
32268 }
32269
32270 static int mirror_available(struct mirror_set *ms, struct bio *bio)
32271 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
32272 */
32273 if (likely(region_in_sync(ms, region, 1)))
32274 m = choose_mirror(ms, bio->bi_sector);
32275 - else if (m && atomic_read(&m->error_count))
32276 + else if (m && atomic_read_unchecked(&m->error_count))
32277 m = NULL;
32278
32279 if (likely(m))
32280 @@ -939,7 +939,7 @@ static int get_mirror(struct mirror_set
32281 }
32282
32283 ms->mirror[mirror].ms = ms;
32284 - atomic_set(&(ms->mirror[mirror].error_count), 0);
32285 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
32286 ms->mirror[mirror].error_type = 0;
32287 ms->mirror[mirror].offset = offset;
32288
32289 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
32290 */
32291 static char device_status_char(struct mirror *m)
32292 {
32293 - if (!atomic_read(&(m->error_count)))
32294 + if (!atomic_read_unchecked(&(m->error_count)))
32295 return 'A';
32296
32297 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
32298 diff -urNp linux-2.6.39.3/drivers/md/dm-stripe.c linux-2.6.39.3/drivers/md/dm-stripe.c
32299 --- linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-19 00:06:34.000000000 -0400
32300 +++ linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-22 19:36:31.000000000 -0400
32301 @@ -20,7 +20,7 @@ struct stripe {
32302 struct dm_dev *dev;
32303 sector_t physical_start;
32304
32305 - atomic_t error_count;
32306 + atomic_unchecked_t error_count;
32307 };
32308
32309 struct stripe_c {
32310 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
32311 kfree(sc);
32312 return r;
32313 }
32314 - atomic_set(&(sc->stripe[i].error_count), 0);
32315 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
32316 }
32317
32318 ti->private = sc;
32319 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
32320 DMEMIT("%d ", sc->stripes);
32321 for (i = 0; i < sc->stripes; i++) {
32322 DMEMIT("%s ", sc->stripe[i].dev->name);
32323 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
32324 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
32325 'D' : 'A';
32326 }
32327 buffer[i] = '\0';
32328 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
32329 */
32330 for (i = 0; i < sc->stripes; i++)
32331 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
32332 - atomic_inc(&(sc->stripe[i].error_count));
32333 - if (atomic_read(&(sc->stripe[i].error_count)) <
32334 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
32335 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
32336 DM_IO_ERROR_THRESHOLD)
32337 schedule_work(&sc->trigger_event);
32338 }
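Review bot: The counter is bumped with `atomic_inc_unchecked()` and then re-read with a separate `atomic_read_unchecked()`, so two completions racing here can both observe the later value when it is compared against `DM_IO_ERROR_THRESHOLD`. `atomic_add_return_unchecked(1, &(sc->stripe[i].error_count))`, which this patch already uses in dm.c, gives each caller its own post-increment value in one step. The same inc-then-read pair appears in fix_read_error() in raid10.c. stripe_end_io() starts outside the hunk.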
32339 diff -urNp linux-2.6.39.3/drivers/md/dm-table.c linux-2.6.39.3/drivers/md/dm-table.c
32340 --- linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:04:14.000000000 -0400
32341 +++ linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:32:05.000000000 -0400
32342 @@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
32343 if (!dev_size)
32344 return 0;
32345
32346 - if ((start >= dev_size) || (start + len > dev_size)) {
32347 + if ((start >= dev_size) || (len > dev_size - start)) {
32348 DMWARN("%s: %s too small for target: "
32349 "start=%llu, len=%llu, dev_size=%llu",
32350 dm_device_name(ti->table->md), bdevname(bdev, b),
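Review bot: The rewritten bound `len > dev_size - start` carries no comment saying that the subtraction form is deliberate, so a later cleanup could turn it back into `start + len > dev_size`. It also relies on the preceding `start >= dev_size` test to keep the subtraction from underflowing. A comment above the condition would record both: `/* start < dev_size here, so dev_size - start cannot underflow; start + len could wrap */`. The DMWARN statement continues outside the hunk.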
32351 diff -urNp linux-2.6.39.3/drivers/md/md.c linux-2.6.39.3/drivers/md/md.c
32352 --- linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:18:51.000000000 -0400
32353 +++ linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:19:18.000000000 -0400
32354 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
32355 * start build, activate spare
32356 */
32357 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32358 -static atomic_t md_event_count;
32359 +static atomic_unchecked_t md_event_count;
32360 void md_new_event(mddev_t *mddev)
32361 {
32362 - atomic_inc(&md_event_count);
32363 + atomic_inc_unchecked(&md_event_count);
32364 wake_up(&md_event_waiters);
32365 }
32366 EXPORT_SYMBOL_GPL(md_new_event);
32367 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32368 */
32369 static void md_new_event_inintr(mddev_t *mddev)
32370 {
32371 - atomic_inc(&md_event_count);
32372 + atomic_inc_unchecked(&md_event_count);
32373 wake_up(&md_event_waiters);
32374 }
32375
32376 @@ -1454,7 +1454,7 @@ static int super_1_load(mdk_rdev_t *rdev
32377
32378 rdev->preferred_minor = 0xffff;
32379 rdev->data_offset = le64_to_cpu(sb->data_offset);
32380 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32381 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32382
32383 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32384 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32385 @@ -1632,7 +1632,7 @@ static void super_1_sync(mddev_t *mddev,
32386 else
32387 sb->resync_offset = cpu_to_le64(0);
32388
32389 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32390 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32391
32392 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32393 sb->size = cpu_to_le64(mddev->dev_sectors);
32394 @@ -2414,7 +2414,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32395 static ssize_t
32396 errors_show(mdk_rdev_t *rdev, char *page)
32397 {
32398 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32399 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32400 }
32401
32402 static ssize_t
32403 @@ -2423,7 +2423,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32404 char *e;
32405 unsigned long n = simple_strtoul(buf, &e, 10);
32406 if (*buf && (*e == 0 || *e == '\n')) {
32407 - atomic_set(&rdev->corrected_errors, n);
32408 + atomic_set_unchecked(&rdev->corrected_errors, n);
32409 return len;
32410 }
32411 return -EINVAL;
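Review bot: `n` is an `unsigned long` parsed from the sysfs buffer and is passed straight to `atomic_set_unchecked(&rdev->corrected_errors, n)`, so a value above `INT_MAX` is silently narrowed. `errors_show()`, which prints the counter with `%d`, can then report a negative count. A range check before the store would reject such input: `if (n > INT_MAX) return -EINVAL;`. The start of errors_store() is outside the hunk.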
32412 @@ -2779,8 +2779,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
32413 rdev->last_read_error.tv_sec = 0;
32414 rdev->last_read_error.tv_nsec = 0;
32415 atomic_set(&rdev->nr_pending, 0);
32416 - atomic_set(&rdev->read_errors, 0);
32417 - atomic_set(&rdev->corrected_errors, 0);
32418 + atomic_set_unchecked(&rdev->read_errors, 0);
32419 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32420
32421 INIT_LIST_HEAD(&rdev->same_set);
32422 init_waitqueue_head(&rdev->blocked_wait);
32423 @@ -6388,7 +6388,7 @@ static int md_seq_show(struct seq_file *
32424
32425 spin_unlock(&pers_lock);
32426 seq_printf(seq, "\n");
32427 - mi->event = atomic_read(&md_event_count);
32428 + mi->event = atomic_read_unchecked(&md_event_count);
32429 return 0;
32430 }
32431 if (v == (void*)2) {
32432 @@ -6477,7 +6477,7 @@ static int md_seq_show(struct seq_file *
32433 chunk_kb ? "KB" : "B");
32434 if (bitmap->file) {
32435 seq_printf(seq, ", file: ");
32436 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32437 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32438 }
32439
32440 seq_printf(seq, "\n");
32441 @@ -6511,7 +6511,7 @@ static int md_seq_open(struct inode *ino
32442 else {
32443 struct seq_file *p = file->private_data;
32444 p->private = mi;
32445 - mi->event = atomic_read(&md_event_count);
32446 + mi->event = atomic_read_unchecked(&md_event_count);
32447 }
32448 return error;
32449 }
32450 @@ -6527,7 +6527,7 @@ static unsigned int mdstat_poll(struct f
32451 /* always allow read */
32452 mask = POLLIN | POLLRDNORM;
32453
32454 - if (mi->event != atomic_read(&md_event_count))
32455 + if (mi->event != atomic_read_unchecked(&md_event_count))
32456 mask |= POLLERR | POLLPRI;
32457 return mask;
32458 }
32459 @@ -6571,7 +6571,7 @@ static int is_mddev_idle(mddev_t *mddev,
32460 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32461 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32462 (int)part_stat_read(&disk->part0, sectors[1]) -
32463 - atomic_read(&disk->sync_io);
32464 + atomic_read_unchecked(&disk->sync_io);
32465 /* sync IO will cause sync_io to increase before the disk_stats
32466 * as sync_io is counted when a request starts, and
32467 * disk_stats is counted when it completes.
32468 diff -urNp linux-2.6.39.3/drivers/md/md.h linux-2.6.39.3/drivers/md/md.h
32469 --- linux-2.6.39.3/drivers/md/md.h 2011-05-19 00:06:34.000000000 -0400
32470 +++ linux-2.6.39.3/drivers/md/md.h 2011-05-22 19:36:31.000000000 -0400
32471 @@ -97,13 +97,13 @@ struct mdk_rdev_s
32472 * only maintained for arrays that
32473 * support hot removal
32474 */
32475 - atomic_t read_errors; /* number of consecutive read errors that
32476 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32477 * we have tried to ignore.
32478 */
32479 struct timespec last_read_error; /* monotonic time since our
32480 * last read error
32481 */
32482 - atomic_t corrected_errors; /* number of corrected read errors,
32483 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32484 * for reporting to userspace and storing
32485 * in superblock.
32486 */
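Review bot: The field comments for `read_errors` and `corrected_errors` do not say why these two became `atomic_unchecked_t`, while `rdev->nr_pending` is still initialised with plain `atomic_set()` in md_rdev_init(). They look like statistics that may wrap harmlessly rather than reference counts. If that is the reason, say so in the field comments, e.g. `/* statistic, not a reference count: wrap-around is harmless */`, so the next conversion pass does not have to rediscover it. The structure definition starts and ends outside the hunk.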
32487 @@ -342,7 +342,7 @@ static inline void rdev_dec_pending(mdk_
32488
32489 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32490 {
32491 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32492 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32493 }
32494
32495 struct mdk_personality
32496 diff -urNp linux-2.6.39.3/drivers/md/raid10.c linux-2.6.39.3/drivers/md/raid10.c
32497 --- linux-2.6.39.3/drivers/md/raid10.c 2011-05-19 00:06:34.000000000 -0400
32498 +++ linux-2.6.39.3/drivers/md/raid10.c 2011-05-22 19:36:31.000000000 -0400
32499 @@ -1209,7 +1209,7 @@ static void end_sync_read(struct bio *bi
32500 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32501 set_bit(R10BIO_Uptodate, &r10_bio->state);
32502 else {
32503 - atomic_add(r10_bio->sectors,
32504 + atomic_add_unchecked(r10_bio->sectors,
32505 &conf->mirrors[d].rdev->corrected_errors);
32506 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32507 md_error(r10_bio->mddev,
32508 @@ -1417,7 +1417,7 @@ static void check_decay_read_errors(mdde
32509 {
32510 struct timespec cur_time_mon;
32511 unsigned long hours_since_last;
32512 - unsigned int read_errors = atomic_read(&rdev->read_errors);
32513 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
32514
32515 ktime_get_ts(&cur_time_mon);
32516
32517 @@ -1439,9 +1439,9 @@ static void check_decay_read_errors(mdde
32518 * overflowing the shift of read_errors by hours_since_last.
32519 */
32520 if (hours_since_last >= 8 * sizeof(read_errors))
32521 - atomic_set(&rdev->read_errors, 0);
32522 + atomic_set_unchecked(&rdev->read_errors, 0);
32523 else
32524 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
32525 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
32526 }
32527
32528 /*
32529 @@ -1476,8 +1476,8 @@ static void fix_read_error(conf_t *conf,
32530 }
32531
32532 check_decay_read_errors(mddev, rdev);
32533 - atomic_inc(&rdev->read_errors);
32534 - cur_read_error_count = atomic_read(&rdev->read_errors);
32535 + atomic_inc_unchecked(&rdev->read_errors);
32536 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
32537 if (cur_read_error_count > max_read_errors) {
32538 rcu_read_unlock();
32539 printk(KERN_NOTICE
32540 @@ -1550,7 +1550,7 @@ static void fix_read_error(conf_t *conf,
32541 test_bit(In_sync, &rdev->flags)) {
32542 atomic_inc(&rdev->nr_pending);
32543 rcu_read_unlock();
32544 - atomic_add(s, &rdev->corrected_errors);
32545 + atomic_add_unchecked(s, &rdev->corrected_errors);
32546 if (sync_page_io(rdev,
32547 r10_bio->devs[sl].addr +
32548 sect,
32549 diff -urNp linux-2.6.39.3/drivers/md/raid1.c linux-2.6.39.3/drivers/md/raid1.c
32550 --- linux-2.6.39.3/drivers/md/raid1.c 2011-05-19 00:06:34.000000000 -0400
32551 +++ linux-2.6.39.3/drivers/md/raid1.c 2011-05-22 19:36:31.000000000 -0400
32552 @@ -1342,7 +1342,7 @@ static void sync_request_write(mddev_t *
32553 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32554 continue;
32555 rdev = conf->mirrors[d].rdev;
32556 - atomic_add(s, &rdev->corrected_errors);
32557 + atomic_add_unchecked(s, &rdev->corrected_errors);
32558 if (sync_page_io(rdev,
32559 sect,
32560 s<<9,
32561 @@ -1488,7 +1488,7 @@ static void fix_read_error(conf_t *conf,
32562 /* Well, this device is dead */
32563 md_error(mddev, rdev);
32564 else {
32565 - atomic_add(s, &rdev->corrected_errors);
32566 + atomic_add_unchecked(s, &rdev->corrected_errors);
32567 printk(KERN_INFO
32568 "md/raid1:%s: read error corrected "
32569 "(%d sectors at %llu on %s)\n",
32570 diff -urNp linux-2.6.39.3/drivers/md/raid5.c linux-2.6.39.3/drivers/md/raid5.c
32571 --- linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 12:55:22.000000000 -0400
32572 +++ linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 13:01:13.000000000 -0400
32573 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
32574 bi->bi_next = NULL;
32575 if ((rw & WRITE) &&
32576 test_bit(R5_ReWrite, &sh->dev[i].flags))
32577 - atomic_add(STRIPE_SECTORS,
32578 + atomic_add_unchecked(STRIPE_SECTORS,
32579 &rdev->corrected_errors);
32580 generic_make_request(bi);
32581 } else {
32582 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
32583 clear_bit(R5_ReadError, &sh->dev[i].flags);
32584 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32585 }
32586 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32587 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32588 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32589 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32590 } else {
32591 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32592 int retry = 0;
32593 rdev = conf->disks[i].rdev;
32594
32595 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32596 - atomic_inc(&rdev->read_errors);
32597 + atomic_inc_unchecked(&rdev->read_errors);
32598 if (conf->mddev->degraded >= conf->max_degraded)
32599 printk_rl(KERN_WARNING
32600 "md/raid:%s: read error not correctable "
32601 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
32602 (unsigned long long)(sh->sector
32603 + rdev->data_offset),
32604 bdn);
32605 - else if (atomic_read(&rdev->read_errors)
32606 + else if (atomic_read_unchecked(&rdev->read_errors)
32607 > conf->max_nr_stripes)
32608 printk(KERN_WARNING
32609 "md/raid:%s: Too many read errors, failing device %s.\n",
32610 @@ -1947,6 +1947,7 @@ static sector_t compute_blocknr(struct s
32611 sector_t r_sector;
32612 struct stripe_head sh2;
32613
32614 + pax_track_stack();
32615
32616 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32617 stripe = new_sector;
32618 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_hlp.c linux-2.6.39.3/drivers/media/common/saa7146_hlp.c
32619 --- linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-19 00:06:34.000000000 -0400
32620 +++ linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-22 19:36:31.000000000 -0400
32621 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32622
32623 int x[32], y[32], w[32], h[32];
32624
32625 + pax_track_stack();
32626 +
32627 /* clear out memory */
32628 memset(&line_list[0], 0x00, sizeof(u32)*32);
32629 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32630 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_vbi.c linux-2.6.39.3/drivers/media/common/saa7146_vbi.c
32631 --- linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-19 00:06:34.000000000 -0400
32632 +++ linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-22 19:36:31.000000000 -0400
32633 @@ -501,7 +501,7 @@ static ssize_t vbi_read(struct file *fil
32634 return ret;
32635 }
32636
32637 -struct saa7146_use_ops saa7146_vbi_uops = {
32638 +const struct saa7146_use_ops saa7146_vbi_uops = {
32639 .init = vbi_init,
32640 .open = vbi_open,
32641 .release = vbi_close,
32642 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_video.c linux-2.6.39.3/drivers/media/common/saa7146_video.c
32643 --- linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-19 00:06:34.000000000 -0400
32644 +++ linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-22 19:36:31.000000000 -0400
32645 @@ -1420,7 +1420,7 @@ out:
32646 return ret;
32647 }
32648
32649 -struct saa7146_use_ops saa7146_video_uops = {
32650 +const struct saa7146_use_ops saa7146_video_uops = {
32651 .init = video_init,
32652 .open = video_open,
32653 .release = video_close,
32654 diff -urNp linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c
32655 --- linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-19 00:06:34.000000000 -0400
32656 +++ linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-22 19:36:31.000000000 -0400
32657 @@ -418,7 +418,7 @@ static u32 functionality(struct i2c_adap
32658 return I2C_FUNC_I2C;
32659 }
32660
32661 -static struct i2c_algorithm dm1105_algo = {
32662 +static const struct i2c_algorithm dm1105_algo = {
32663 .master_xfer = dm1105_i2c_xfer,
32664 .functionality = functionality,
32665 };
32666 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32667 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-19 00:06:34.000000000 -0400
32668 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-22 19:36:31.000000000 -0400
32669 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32670 u8 buf[HOST_LINK_BUF_SIZE];
32671 int i;
32672
32673 + pax_track_stack();
32674 +
32675 dprintk("%s\n", __func__);
32676
32677 /* check if we have space for a link buf in the rx_buffer */
32678 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32679 unsigned long timeout;
32680 int written;
32681
32682 + pax_track_stack();
32683 +
32684 dprintk("%s\n", __func__);
32685
32686 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32687 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c
32688 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-19 00:06:34.000000000 -0400
32689 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-22 19:36:31.000000000 -0400
32690 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
32691 const struct dvb_device *template, void *priv, int type)
32692 {
32693 struct dvb_device *dvbdev;
32694 - struct file_operations *dvbdevfops;
32695 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
32696 struct device *clsdev;
32697 int minor;
32698 int id;
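Review bot: The added comment `/* cannot be const, see this function */` on `dvbdevfops` tells the reader that a reason exists but not what it is, so the next const sweep has to re-derive it. The body of dvb_register_device is outside this hunk, so the reason cannot be confirmed from here. If the pointer receives a per-device copy that is then written to, say so directly, for example `/* not const: points to a per-device copy that is modified below */`.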
32699 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c
32700 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-19 00:06:34.000000000 -0400
32701 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-22 19:36:31.000000000 -0400
32702 @@ -391,6 +391,8 @@ int dib0700_download_firmware(struct usb
32703
32704 u8 buf[260];
32705
32706 + pax_track_stack();
32707 +
32708 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32709 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
32710 hx.addr, hx.len, hx.chk);
32711 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c
32712 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-19 00:06:34.000000000 -0400
32713 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-22 19:36:31.000000000 -0400
32714 @@ -663,6 +663,7 @@ static int lme2510_download_firmware(str
32715 packet_size = 0x31;
32716 len_in = 1;
32717
32718 + pax_track_stack();
32719
32720 info("FRM Starting Firmware Download");
32721
32722 @@ -715,6 +716,8 @@ static void lme_coldreset(struct usb_dev
32723 int ret = 0, len_in;
32724 u8 data[512] = {0};
32725
32726 + pax_track_stack();
32727 +
32728 data[0] = 0x0a;
32729 len_in = 1;
32730 info("FRM Firmware Cold Reset");
32731 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c
32732 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:04:14.000000000 -0400
32733 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:32:05.000000000 -0400
32734 @@ -1945,7 +1945,7 @@ static u32 dib7000p_i2c_func(struct i2c_
32735 return I2C_FUNC_I2C;
32736 }
32737
32738 -static struct i2c_algorithm dib7090_tuner_xfer_algo = {
32739 +static const struct i2c_algorithm dib7090_tuner_xfer_algo = {
32740 .master_xfer = dib7090_tuner_xfer,
32741 .functionality = dib7000p_i2c_func,
32742 };
32743 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c
32744 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:04:14.000000000 -0400
32745 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:32:05.000000000 -0400
32746 @@ -1676,12 +1676,12 @@ static u32 dib9000_i2c_func(struct i2c_a
32747 return I2C_FUNC_I2C;
32748 }
32749
32750 -static struct i2c_algorithm dib9000_tuner_algo = {
32751 +static const struct i2c_algorithm dib9000_tuner_algo = {
32752 .master_xfer = dib9000_tuner_xfer,
32753 .functionality = dib9000_i2c_func,
32754 };
32755
32756 -static struct i2c_algorithm dib9000_component_bus_algo = {
32757 +static const struct i2c_algorithm dib9000_component_bus_algo = {
32758 .master_xfer = dib9000_fw_component_bus_xfer,
32759 .functionality = dib9000_i2c_func,
32760 };
32761 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c
32762 --- linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:04:14.000000000 -0400
32763 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:37:36.000000000 -0400
32764 @@ -221,12 +221,12 @@ static int dibx000_i2c_master_xfer_gpio3
32765 return num;
32766 }
32767
32768 -static struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32769 +static const struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32770 .master_xfer = dibx000_i2c_master_xfer_gpio12,
32771 .functionality = dibx000_i2c_func,
32772 };
32773
32774 -static struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32775 +static const struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32776 .master_xfer = dibx000_i2c_master_xfer_gpio34,
32777 .functionality = dibx000_i2c_func,
32778 };
32779 @@ -285,7 +285,7 @@ static int dibx000_i2c_gated_gpio67_xfer
32780 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32781 }
32782
32783 -static struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32784 +static const struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32785 .master_xfer = dibx000_i2c_gated_gpio67_xfer,
32786 .functionality = dibx000_i2c_func,
32787 };
32788 @@ -322,7 +322,7 @@ static int dibx000_i2c_gated_tuner_xfer(
32789 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32790 }
32791
32792 -static struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32793 +static const struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32794 .master_xfer = dibx000_i2c_gated_tuner_xfer,
32795 .functionality = dibx000_i2c_func,
32796 };
32797 @@ -375,7 +375,7 @@ void dibx000_reset_i2c_master(struct dib
32798 EXPORT_SYMBOL(dibx000_reset_i2c_master);
32799
32800 static int i2c_adapter_init(struct i2c_adapter *i2c_adap,
32801 - struct i2c_algorithm *algo, const char *name,
32802 + const struct i2c_algorithm *algo, const char *name,
32803 struct dibx000_i2c_master *mst)
32804 {
32805 strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));
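Review bot: The context line `strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));` leaves the name field without a terminating NUL when the source string is at least as long as the field, and this hunk changes the function's signature without addressing it. Whether the adapter structure is zeroed beforehand, and how long the callers' names are, cannot be seen here. `strlcpy(i2c_adap->name, name, sizeof(i2c_adap->name));`, which the cx18_read_eeprom context in this same patch uses for `c.name`, would guarantee termination. i2c_adapter_init continues past the end of the hunk.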
32806 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c
32807 --- linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-19 00:06:34.000000000 -0400
32808 +++ linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-22 19:36:31.000000000 -0400
32809 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
32810 int ret = -1;
32811 int sync;
32812
32813 + pax_track_stack();
32814 +
32815 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
32816
32817 fcp = 3000;
32818 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c
32819 --- linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-19 00:06:34.000000000 -0400
32820 +++ linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-22 19:36:31.000000000 -0400
32821 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32822 u8 tudata[585];
32823 int i;
32824
32825 + pax_track_stack();
32826 +
32827 dprintk("Firmware is %zd bytes\n",fw->size);
32828
32829 /* Get eprom data */
32830 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c
32831 --- linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-19 00:06:34.000000000 -0400
32832 +++ linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-22 19:36:31.000000000 -0400
32833 @@ -870,7 +870,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
32834 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
32835 }
32836
32837 -static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32838 +static const struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32839 .master_xfer = s5h1420_tuner_i2c_tuner_xfer,
32840 .functionality = s5h1420_tuner_i2c_func,
32841 };
32842 diff -urNp linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c
32843 --- linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-19 00:06:34.000000000 -0400
32844 +++ linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-22 19:36:31.000000000 -0400
32845 @@ -212,7 +212,7 @@ static u32 mantis_i2c_func(struct i2c_ad
32846 return I2C_FUNC_SMBUS_EMUL;
32847 }
32848
32849 -static struct i2c_algorithm mantis_algo = {
32850 +static const struct i2c_algorithm mantis_algo = {
32851 .master_xfer = mantis_i2c_xfer,
32852 .functionality = mantis_i2c_func,
32853 };
32854 diff -urNp linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c
32855 --- linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-19 00:06:34.000000000 -0400
32856 +++ linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-22 19:36:31.000000000 -0400
32857 @@ -1614,7 +1614,7 @@ static int fe_send_command(struct dvb_fr
32858 return ttusb_dec_send_command(dec, command, param_length, params, result_length, cmd_result);
32859 }
32860
32861 -static struct ttusbdecfe_config fe_config = {
32862 +static const struct ttusbdecfe_config fe_config = {
32863 .send_command = fe_send_command
32864 };
32865
32866 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-cadet.c linux-2.6.39.3/drivers/media/radio/radio-cadet.c
32867 --- linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-19 00:06:34.000000000 -0400
32868 +++ linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-22 19:36:31.000000000 -0400
32869 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
32870 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32871 mutex_unlock(&dev->lock);
32872
32873 - if (copy_to_user(data, readbuf, i))
32874 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32875 return -EFAULT;
32876 return i;
32877 }
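Review bot: The added `i > sizeof readbuf` test runs after the context line `readbuf[i++] = dev->rdsbuf[dev->rdsout++];`, so if `i` can ever exceed the buffer size, the out-of-bounds stack write has already happened by the time the copy to user space is refused. The loop condition is above this hunk, so whether it bounds `i` by the buffer size cannot be confirmed from here. If it only bounds `i` by the caller's requested length, clamp that length before the loop, e.g. `len = min_t(size_t, len, sizeof(readbuf));` (with `len` standing for the function's length parameter, which is not visible), and keep the new test as a backstop. cadet_read starts outside the hunk.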
32878 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-si4713.c linux-2.6.39.3/drivers/media/radio/radio-si4713.c
32879 --- linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-19 00:06:34.000000000 -0400
32880 +++ linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-22 19:36:31.000000000 -0400
32881 @@ -231,7 +231,7 @@ static long radio_si4713_default(struct
32882 ioctl, cmd, arg);
32883 }
32884
32885 -static struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32886 +static const struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32887 .vidioc_enumaudout = radio_si4713_enumaudout,
32888 .vidioc_g_audout = radio_si4713_g_audout,
32889 .vidioc_s_audout = radio_si4713_s_audout,
32890 diff -urNp linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c
32891 --- linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-19 00:06:34.000000000 -0400
32892 +++ linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-22 19:36:31.000000000 -0400
32893 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
32894 return;
32895 }
32896
32897 -static struct file_operations lirc_fops = {
32898 +static const struct file_operations lirc_fops = {
32899 .owner = THIS_MODULE,
32900 .write = ir_lirc_transmit_ir,
32901 .unlocked_ioctl = ir_lirc_ioctl,
32902 diff -urNp linux-2.6.39.3/drivers/media/rc/lirc_dev.c linux-2.6.39.3/drivers/media/rc/lirc_dev.c
32903 --- linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-19 00:06:34.000000000 -0400
32904 +++ linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-22 19:36:31.000000000 -0400
32905 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
32906 }
32907
32908
32909 -static struct file_operations lirc_dev_fops = {
32910 +static const struct file_operations lirc_dev_fops = {
32911 .owner = THIS_MODULE,
32912 .read = lirc_dev_fop_read,
32913 .write = lirc_dev_fop_write,
32914 diff -urNp linux-2.6.39.3/drivers/media/rc/rc-main.c linux-2.6.39.3/drivers/media/rc/rc-main.c
32915 --- linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-19 00:06:34.000000000 -0400
32916 +++ linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-22 19:36:31.000000000 -0400
32917 @@ -996,7 +996,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
32918
32919 int rc_register_device(struct rc_dev *dev)
32920 {
32921 - static atomic_t devno = ATOMIC_INIT(0);
32922 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
32923 struct rc_map *rc_map;
32924 const char *path;
32925 int rc;
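Review bot: The switch of `devno` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from overflow checking, and the same holds for `cx18_instance` in cx18-driver.c, `ivtv_instance` in ivtv-driver.c and `field_count` in omap24xxcam.h. All of them look like id or sequence counters rather than reference counts, but that is a judgement a later reader has to repeat at every site. A one-line comment at each declaration would record it, for example `/* id allocator, not a refcount: wrap-around cannot free or leak an object */`. rc_register_device continues outside this hunk.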
32926 @@ -1019,7 +1019,7 @@ int rc_register_device(struct rc_dev *de
32927 if (dev->close)
32928 dev->input_dev->close = ir_close;
32929
32930 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
32931 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
32932 dev_set_name(&dev->dev, "rc%ld", dev->devno);
32933 dev_set_drvdata(&dev->dev, dev);
32934 rc = device_add(&dev->dev);
32935 diff -urNp linux-2.6.39.3/drivers/media/video/cafe_ccic.c linux-2.6.39.3/drivers/media/video/cafe_ccic.c
32936 --- linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-19 00:06:34.000000000 -0400
32937 +++ linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-22 19:36:31.000000000 -0400
32938 @@ -520,7 +520,7 @@ static u32 cafe_smbus_func(struct i2c_ad
32939 I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
32940 }
32941
32942 -static struct i2c_algorithm cafe_smbus_algo = {
32943 +static const struct i2c_algorithm cafe_smbus_algo = {
32944 .smbus_xfer = cafe_smbus_xfer,
32945 .functionality = cafe_smbus_func
32946 };
32947 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c
32948 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-19 00:06:34.000000000 -0400
32949 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-22 19:36:31.000000000 -0400
32950 @@ -314,7 +314,7 @@ static struct page *snd_pcm_get_vmalloc_
32951 return vmalloc_to_page(pageptr);
32952 }
32953
32954 -static struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32955 +static const struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32956 .open = snd_cx18_pcm_capture_open,
32957 .close = snd_cx18_pcm_capture_close,
32958 .ioctl = snd_cx18_pcm_ioctl,
32959 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c
32960 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-19 00:06:34.000000000 -0400
32961 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-22 19:36:31.000000000 -0400
32962 @@ -61,7 +61,7 @@ static struct pci_device_id cx18_pci_tbl
32963
32964 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32965
32966 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32967 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32968
32969 /* Parameter declarations */
32970 static int cardtype[CX18_MAX_CARDS];
32971 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32972 struct i2c_client c;
32973 u8 eedata[256];
32974
32975 + pax_track_stack();
32976 +
32977 memset(&c, 0, sizeof(c));
32978 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32979 c.adapter = &cx->i2c_adap[0];
32980 @@ -892,7 +894,7 @@ static int __devinit cx18_probe(struct p
32981 struct cx18 *cx;
32982
32983 /* FIXME - module parameter arrays constrain max instances */
32984 - i = atomic_inc_return(&cx18_instance) - 1;
32985 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32986 if (i >= CX18_MAX_CARDS) {
32987 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32988 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
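Review bot: With `cx18_instance` now an `atomic_unchecked_t`, the increment in cx18_probe is allowed to wrap, and the only bound visible is `if (i >= CX18_MAX_CARDS)`, which a negative `i` would pass. The declaration of `i` and its later uses are outside the hunk, but the FIXME above says the module parameter arrays are sized by the instance limit, so a negative index is worth ruling out explicitly: `if (i < 0 || i >= CX18_MAX_CARDS) {`. Reaching the wrap needs a very large number of probes, so this is a hardening point rather than a likely failure.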
32989 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c
32990 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-19 00:06:34.000000000 -0400
32991 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-22 19:36:31.000000000 -0400
32992 @@ -613,7 +613,7 @@ static struct page *snd_pcm_get_vmalloc_
32993 return vmalloc_to_page(pageptr);
32994 }
32995
32996 -static struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32997 +static const struct snd_pcm_ops snd_cx231xx_pcm_capture = {
32998 .open = snd_cx231xx_capture_open,
32999 .close = snd_cx231xx_pcm_close,
33000 .ioctl = snd_pcm_lib_ioctl,
33001 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c
33002 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33003 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33004 @@ -435,7 +435,7 @@ static u32 functionality(struct i2c_adap
33005 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33006 }
33007
33008 -static struct i2c_algorithm cx231xx_algo = {
33009 +static const struct i2c_algorithm cx231xx_algo = {
33010 .master_xfer = cx231xx_i2c_xfer,
33011 .functionality = functionality,
33012 };
33013 diff -urNp linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c
33014 --- linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-19 00:06:34.000000000 -0400
33015 +++ linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-22 19:36:31.000000000 -0400
33016 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
33017 bool handle = false;
33018 struct ir_raw_event ir_core_event[64];
33019
33020 + pax_track_stack();
33021 +
33022 do {
33023 num = 0;
33024 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
33025 diff -urNp linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c
33026 --- linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-19 00:06:34.000000000 -0400
33027 +++ linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-22 19:36:31.000000000 -0400
33028 @@ -519,7 +519,7 @@ static struct page *snd_cx88_page(struct
33029 /*
33030 * operators
33031 */
33032 -static struct snd_pcm_ops snd_cx88_pcm_ops = {
33033 +static const struct snd_pcm_ops snd_cx88_pcm_ops = {
33034 .open = snd_cx88_pcm_open,
33035 .close = snd_cx88_close,
33036 .ioctl = snd_pcm_lib_ioctl,
33037 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h
33038 --- linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-19 00:06:34.000000000 -0400
33039 +++ linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-22 19:36:31.000000000 -0400
33040 @@ -99,7 +99,7 @@ struct ccdc_hw_device {
33041 /* module owner */
33042 struct module *owner;
33043 /* hw ops */
33044 - struct ccdc_hw_ops hw_ops;
33045 + const struct ccdc_hw_ops hw_ops;
33046 };
33047
33048 /* Used by CCDC module to register & unregister with vpfe capture driver */
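Review bot: Qualifying the embedded member as `const struct ccdc_hw_ops hw_ops;` does not put the function pointers in read-only memory unless the containing object is itself const, and it makes the member impossible to fill in at run time without casting the qualifier away. The same change is made to `hw_ops` in davinci/vpss.c, where the context line `static struct vpss_oper_config oper_cfg;` shows a writable object with no initializer, and to `platform_cb` in omap3isp/isp.h. The code that populates these members is not in these hunks. If it assigns them after definition, holding a pointer instead, `const struct ccdc_hw_ops *hw_ops;` aimed at a static const table, would give real write protection, at the cost of touching every user of the member.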
33049 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/vpss.c linux-2.6.39.3/drivers/media/video/davinci/vpss.c
33050 --- linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-19 00:06:34.000000000 -0400
33051 +++ linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-22 19:36:31.000000000 -0400
33052 @@ -103,7 +103,7 @@ struct vpss_oper_config {
33053 __iomem void *vpss_regs_base1;
33054 enum vpss_platform_type platform;
33055 spinlock_t vpss_lock;
33056 - struct vpss_hw_ops hw_ops;
33057 + const struct vpss_hw_ops hw_ops;
33058 };
33059
33060 static struct vpss_oper_config oper_cfg;
33061 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c
33062 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-19 00:06:34.000000000 -0400
33063 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-22 19:36:31.000000000 -0400
33064 @@ -432,7 +432,7 @@ static struct page *snd_pcm_get_vmalloc_
33065 return vmalloc_to_page(pageptr);
33066 }
33067
33068 -static struct snd_pcm_ops snd_em28xx_pcm_capture = {
33069 +static const struct snd_pcm_ops snd_em28xx_pcm_capture = {
33070 .open = snd_em28xx_capture_open,
33071 .close = snd_em28xx_pcm_close,
33072 .ioctl = snd_pcm_lib_ioctl,
33073 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c
33074 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33075 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33076 @@ -451,7 +451,7 @@ static u32 functionality(struct i2c_adap
33077 return I2C_FUNC_SMBUS_EMUL;
33078 }
33079
33080 -static struct i2c_algorithm em28xx_algo = {
33081 +static const struct i2c_algorithm em28xx_algo = {
33082 .master_xfer = em28xx_i2c_xfer,
33083 .functionality = functionality,
33084 };
33085 diff -urNp linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c
33086 --- linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-19 00:06:34.000000000 -0400
33087 +++ linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-22 19:36:31.000000000 -0400
33088 @@ -179,7 +179,7 @@ static u32 hdpvr_functionality(struct i2
33089 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
33090 }
33091
33092 -static struct i2c_algorithm hdpvr_algo = {
33093 +static const struct i2c_algorithm hdpvr_algo = {
33094 .master_xfer = hdpvr_transfer,
33095 .functionality = hdpvr_functionality,
33096 };
33097 diff -urNp linux-2.6.39.3/drivers/media/video/imx074.c linux-2.6.39.3/drivers/media/video/imx074.c
33098 --- linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-19 00:06:34.000000000 -0400
33099 +++ linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-22 19:36:31.000000000 -0400
33100 @@ -267,7 +267,7 @@ static int imx074_g_chip_ident(struct v4
33101 return 0;
33102 }
33103
33104 -static struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33105 +static const struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33106 .s_stream = imx074_s_stream,
33107 .s_mbus_fmt = imx074_s_fmt,
33108 .g_mbus_fmt = imx074_g_fmt,
33109 @@ -277,7 +277,7 @@ static struct v4l2_subdev_video_ops imx0
33110 .cropcap = imx074_cropcap,
33111 };
33112
33113 -static struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33114 +static const struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33115 .g_chip_ident = imx074_g_chip_ident,
33116 };
33117
33118 diff -urNp linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c
33119 --- linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-19 00:06:34.000000000 -0400
33120 +++ linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-22 19:36:31.000000000 -0400
33121 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
33122 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
33123
33124 /* ivtv instance counter */
33125 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
33126 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
33127
33128 /* Parameter declarations */
33129 static int cardtype[IVTV_MAX_CARDS];
33130 diff -urNp linux-2.6.39.3/drivers/media/video/mt9m001.c linux-2.6.39.3/drivers/media/video/mt9m001.c
33131 --- linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-19 00:06:34.000000000 -0400
33132 +++ linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-22 19:36:31.000000000 -0400
33133 @@ -691,7 +691,7 @@ static int mt9m001_g_skip_top_lines(stru
33134 return 0;
33135 }
33136
33137 -static struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33138 +static const struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33139 .g_ctrl = mt9m001_g_ctrl,
33140 .s_ctrl = mt9m001_s_ctrl,
33141 .g_chip_ident = mt9m001_g_chip_ident,
33142 @@ -714,7 +714,7 @@ static int mt9m001_enum_fmt(struct v4l2_
33143 return 0;
33144 }
33145
33146 -static struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33147 +static const struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33148 .s_stream = mt9m001_s_stream,
33149 .s_mbus_fmt = mt9m001_s_fmt,
33150 .g_mbus_fmt = mt9m001_g_fmt,
33151 @@ -725,7 +725,7 @@ static struct v4l2_subdev_video_ops mt9m
33152 .enum_mbus_fmt = mt9m001_enum_fmt,
33153 };
33154
33155 -static struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33156 +static const struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33157 .g_skip_top_lines = mt9m001_g_skip_top_lines,
33158 };
33159
33160 diff -urNp linux-2.6.39.3/drivers/media/video/mt9t031.c linux-2.6.39.3/drivers/media/video/mt9t031.c
33161 --- linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-19 00:06:34.000000000 -0400
33162 +++ linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-22 19:36:31.000000000 -0400
33163 @@ -725,7 +725,7 @@ static int mt9t031_runtime_resume(struct
33164 return 0;
33165 }
33166
33167 -static struct dev_pm_ops mt9t031_dev_pm_ops = {
33168 +static const struct dev_pm_ops mt9t031_dev_pm_ops = {
33169 .runtime_suspend = mt9t031_runtime_suspend,
33170 .runtime_resume = mt9t031_runtime_resume,
33171 };
33172 @@ -788,7 +788,7 @@ static int mt9t031_g_skip_top_lines(stru
33173 return 0;
33174 }
33175
33176 -static struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33177 +static const struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33178 .g_ctrl = mt9t031_g_ctrl,
33179 .s_ctrl = mt9t031_s_ctrl,
33180 .g_chip_ident = mt9t031_g_chip_ident,
33181 @@ -808,7 +808,7 @@ static int mt9t031_enum_fmt(struct v4l2_
33182 return 0;
33183 }
33184
33185 -static struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33186 +static const struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33187 .s_stream = mt9t031_s_stream,
33188 .s_mbus_fmt = mt9t031_s_fmt,
33189 .g_mbus_fmt = mt9t031_g_fmt,
33190 @@ -819,7 +819,7 @@ static struct v4l2_subdev_video_ops mt9t
33191 .enum_mbus_fmt = mt9t031_enum_fmt,
33192 };
33193
33194 -static struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33195 +static const struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33196 .g_skip_top_lines = mt9t031_g_skip_top_lines,
33197 };
33198
33199 diff -urNp linux-2.6.39.3/drivers/media/video/mt9v022.c linux-2.6.39.3/drivers/media/video/mt9v022.c
33200 --- linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-19 00:06:34.000000000 -0400
33201 +++ linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-22 19:36:31.000000000 -0400
33202 @@ -825,7 +825,7 @@ static int mt9v022_g_skip_top_lines(stru
33203 return 0;
33204 }
33205
33206 -static struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33207 +static const struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33208 .g_ctrl = mt9v022_g_ctrl,
33209 .s_ctrl = mt9v022_s_ctrl,
33210 .g_chip_ident = mt9v022_g_chip_ident,
33211 @@ -848,7 +848,7 @@ static int mt9v022_enum_fmt(struct v4l2_
33212 return 0;
33213 }
33214
33215 -static struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33216 +static const struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33217 .s_stream = mt9v022_s_stream,
33218 .s_mbus_fmt = mt9v022_s_fmt,
33219 .g_mbus_fmt = mt9v022_g_fmt,
33220 @@ -859,7 +859,7 @@ static struct v4l2_subdev_video_ops mt9v
33221 .enum_mbus_fmt = mt9v022_enum_fmt,
33222 };
33223
33224 -static struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33225 +static const struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33226 .g_skip_top_lines = mt9v022_g_skip_top_lines,
33227 };
33228
33229 diff -urNp linux-2.6.39.3/drivers/media/video/mx2_camera.c linux-2.6.39.3/drivers/media/video/mx2_camera.c
33230 --- linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-19 00:06:34.000000000 -0400
33231 +++ linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-22 19:36:31.000000000 -0400
33232 @@ -668,7 +668,7 @@ static void mx2_videobuf_release(struct
33233 free_buffer(vq, buf);
33234 }
33235
33236 -static struct videobuf_queue_ops mx2_videobuf_ops = {
33237 +static const struct videobuf_queue_ops mx2_videobuf_ops = {
33238 .buf_setup = mx2_videobuf_setup,
33239 .buf_prepare = mx2_videobuf_prepare,
33240 .buf_queue = mx2_videobuf_queue,
33241 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.c linux-2.6.39.3/drivers/media/video/omap24xxcam.c
33242 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-19 00:06:34.000000000 -0400
33243 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-22 19:36:31.000000000 -0400
33244 @@ -403,7 +403,7 @@ static void omap24xxcam_vbq_complete(str
33245 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33246
33247 do_gettimeofday(&vb->ts);
33248 - vb->field_count = atomic_add_return(2, &fh->field_count);
33249 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33250 if (csr & csr_error) {
33251 vb->state = VIDEOBUF_ERROR;
33252 if (!atomic_read(&fh->cam->in_reset)) {
33253 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.h linux-2.6.39.3/drivers/media/video/omap24xxcam.h
33254 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-19 00:06:34.000000000 -0400
33255 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-22 19:36:31.000000000 -0400
33256 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
33257 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
33258 struct videobuf_queue vbq;
33259 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
33260 - atomic_t field_count; /* field counter for videobuf_buffer */
33261 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
33262 /* accessing cam here doesn't need serialisation: it's constant */
33263 struct omap24xxcam_device *cam;
33264 };
33265 diff -urNp linux-2.6.39.3/drivers/media/video/omap3isp/isp.h linux-2.6.39.3/drivers/media/video/omap3isp/isp.h
33266 --- linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-19 00:06:34.000000000 -0400
33267 +++ linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-22 19:36:31.000000000 -0400
33268 @@ -290,7 +290,7 @@ struct isp_device {
33269
33270 struct iommu *iommu;
33271
33272 - struct isp_platform_callback platform_cb;
33273 + const struct isp_platform_callback platform_cb;
33274 };
33275
33276 #define v4l2_dev_to_isp_device(dev) \
33277 diff -urNp linux-2.6.39.3/drivers/media/video/ov2640.c linux-2.6.39.3/drivers/media/video/ov2640.c
33278 --- linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-19 00:06:34.000000000 -0400
33279 +++ linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-22 19:36:31.000000000 -0400
33280 @@ -1080,7 +1080,7 @@ static struct soc_camera_ops ov2640_ops
33281 .num_controls = ARRAY_SIZE(ov2640_controls),
33282 };
33283
33284 -static struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33285 +static const struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33286 .g_ctrl = ov2640_g_ctrl,
33287 .s_ctrl = ov2640_s_ctrl,
33288 .g_chip_ident = ov2640_g_chip_ident,
33289 @@ -1090,7 +1090,7 @@ static struct v4l2_subdev_core_ops ov264
33290 #endif
33291 };
33292
33293 -static struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33294 +static const struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33295 .s_stream = ov2640_s_stream,
33296 .g_mbus_fmt = ov2640_g_fmt,
33297 .s_mbus_fmt = ov2640_s_fmt,
33298 diff -urNp linux-2.6.39.3/drivers/media/video/ov772x.c linux-2.6.39.3/drivers/media/video/ov772x.c
33299 --- linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-19 00:06:34.000000000 -0400
33300 +++ linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-22 19:36:31.000000000 -0400
33301 @@ -1079,7 +1079,7 @@ static struct soc_camera_ops ov772x_ops
33302 .num_controls = ARRAY_SIZE(ov772x_controls),
33303 };
33304
33305 -static struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33306 +static const struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33307 .g_ctrl = ov772x_g_ctrl,
33308 .s_ctrl = ov772x_s_ctrl,
33309 .g_chip_ident = ov772x_g_chip_ident,
33310 @@ -1099,7 +1099,7 @@ static int ov772x_enum_fmt(struct v4l2_s
33311 return 0;
33312 }
33313
33314 -static struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33315 +static const struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33316 .s_stream = ov772x_s_stream,
33317 .g_mbus_fmt = ov772x_g_fmt,
33318 .s_mbus_fmt = ov772x_s_fmt,
33319 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
33320 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-19 00:06:34.000000000 -0400
33321 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-22 19:36:31.000000000 -0400
33322 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
33323 u8 *eeprom;
33324 struct tveeprom tvdata;
33325
33326 + pax_track_stack();
33327 +
33328 memset(&tvdata,0,sizeof(tvdata));
33329
33330 eeprom = pvr2_eeprom_fetch(hdw);
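Review bot: The added `pax_track_stack();` carries no comment, so nothing at the call site says why this function needs it. The likely reason here is the on-stack `struct tveeprom tvdata`, but that is inferred from the declarations above the call. A one-line comment such as `/* large stack frame: let PaX STACKLEAK track the stack depth */` would stop a later cleanup from dropping the call as dead code. The same applies to the identical insertions in saa6752hs_init, saa7164_irq_dequeue, saa7164_cmd_dequeue, the usbvision parse function, videobuf_sg_alloc, i2o_cfg_passthru and wm8350_i2c_write_device. pvr2_eeprom_analyze's body continues outside the hunk.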
33331 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c
33332 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-19 00:06:34.000000000 -0400
33333 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-22 19:36:31.000000000 -0400
33334 @@ -527,7 +527,7 @@ static u32 pvr2_i2c_functionality(struct
33335 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33336 }
33337
33338 -static struct i2c_algorithm pvr2_i2c_algo_template = {
33339 +static const struct i2c_algorithm pvr2_i2c_algo_template = {
33340 .master_xfer = pvr2_i2c_xfer,
33341 .functionality = pvr2_i2c_functionality,
33342 };
33343 diff -urNp linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c
33344 --- linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-19 00:06:34.000000000 -0400
33345 +++ linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-22 19:36:31.000000000 -0400
33346 @@ -1327,7 +1327,7 @@ static int rj54n1_s_ctrl(struct v4l2_sub
33347 return 0;
33348 }
33349
33350 -static struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33351 +static const struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33352 .g_ctrl = rj54n1_g_ctrl,
33353 .s_ctrl = rj54n1_s_ctrl,
33354 .g_chip_ident = rj54n1_g_chip_ident,
33355 @@ -1337,7 +1337,7 @@ static struct v4l2_subdev_core_ops rj54n
33356 #endif
33357 };
33358
33359 -static struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33360 +static const struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33361 .s_stream = rj54n1_s_stream,
33362 .s_mbus_fmt = rj54n1_s_fmt,
33363 .g_mbus_fmt = rj54n1_g_fmt,
33364 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c
33365 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-19 00:06:34.000000000 -0400
33366 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-22 19:36:31.000000000 -0400
33367 @@ -376,7 +376,7 @@ static void fimc_unlock(struct vb2_queue
33368 mutex_unlock(&ctx->fimc_dev->lock);
33369 }
33370
33371 -static struct vb2_ops fimc_capture_qops = {
33372 +static const struct vb2_ops fimc_capture_qops = {
33373 .queue_setup = queue_setup,
33374 .buf_prepare = buffer_prepare,
33375 .buf_queue = buffer_queue,
33376 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c
33377 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-19 00:06:34.000000000 -0400
33378 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-22 19:36:31.000000000 -0400
33379 @@ -768,7 +768,7 @@ static void fimc_unlock(struct vb2_queue
33380 mutex_unlock(&ctx->fimc_dev->lock);
33381 }
33382
33383 -static struct vb2_ops fimc_qops = {
33384 +static const struct vb2_ops fimc_qops = {
33385 .queue_setup = fimc_queue_setup,
33386 .buf_prepare = fimc_buf_prepare,
33387 .buf_queue = fimc_buf_queue,
33388 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c
33389 --- linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-19 00:06:34.000000000 -0400
33390 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-22 19:36:31.000000000 -0400
33391 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
33392 unsigned char localPAT[256];
33393 unsigned char localPMT[256];
33394
33395 + pax_track_stack();
33396 +
33397 /* Set video format - must be done first as it resets other settings */
33398 set_reg8(client, 0x41, h->video_format);
33399
33400 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c
33401 --- linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-19 00:06:34.000000000 -0400
33402 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-22 19:36:31.000000000 -0400
33403 @@ -808,7 +808,7 @@ static struct page *snd_card_saa7134_pag
33404 * ALSA capture callbacks definition
33405 */
33406
33407 -static struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33408 +static const struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33409 .open = snd_card_saa7134_capture_open,
33410 .close = snd_card_saa7134_capture_close,
33411 .ioctl = snd_pcm_lib_ioctl,
33412 diff -urNp linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c
33413 --- linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-19 00:06:34.000000000 -0400
33414 +++ linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-22 19:36:31.000000000 -0400
33415 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33416 u8 tmp[512];
33417 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33418
33419 + pax_track_stack();
33420 +
33421 /* While any outstand message on the bus exists... */
33422 do {
33423
33424 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33425 u8 tmp[512];
33426 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33427
33428 + pax_track_stack();
33429 +
33430 while (loop) {
33431
33432 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
33433 diff -urNp linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c
33434 --- linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-19 00:06:34.000000000 -0400
33435 +++ linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-22 19:36:31.000000000 -0400
33436 @@ -127,12 +127,12 @@ static int sh_csi2_s_fmt(struct v4l2_sub
33437 return 0;
33438 }
33439
33440 -static struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33441 +static const struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33442 .s_mbus_fmt = sh_csi2_s_fmt,
33443 .try_mbus_fmt = sh_csi2_try_fmt,
33444 };
33445
33446 -static struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33447 +static const struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33448
33449 static struct v4l2_subdev_ops sh_csi2_subdev_ops = {
33450 .core = &sh_csi2_subdev_core_ops,
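Review bot: `sh_csi2_subdev_core_ops` is now a `const` object with no initializer, so it can only ever be the all-zero table. If that is the intent, say so on the declaration with `/* intentionally empty: no core ops implemented */`. If an initialised definition follows later in the file (none is visible in this hunk), it must carry the same `const` or the build breaks. The same pattern appears for `platform_subdev_core_ops` in soc_camera_platform.c and `enclosure_null_callbacks` in enclosure.c.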
33451 diff -urNp linux-2.6.39.3/drivers/media/video/soc_camera_platform.c linux-2.6.39.3/drivers/media/video/soc_camera_platform.c
33452 --- linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-19 00:06:34.000000000 -0400
33453 +++ linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-22 19:36:31.000000000 -0400
33454 @@ -70,7 +70,7 @@ static int soc_camera_platform_fill_fmt(
33455 return 0;
33456 }
33457
33458 -static struct v4l2_subdev_core_ops platform_subdev_core_ops;
33459 +static const struct v4l2_subdev_core_ops platform_subdev_core_ops;
33460
33461 static int soc_camera_platform_enum_fmt(struct v4l2_subdev *sd, unsigned int index,
33462 enum v4l2_mbus_pixelcode *code)
33463 @@ -115,7 +115,7 @@ static int soc_camera_platform_cropcap(s
33464 return 0;
33465 }
33466
33467 -static struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33468 +static const struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33469 .s_stream = soc_camera_platform_s_stream,
33470 .enum_mbus_fmt = soc_camera_platform_enum_fmt,
33471 .cropcap = soc_camera_platform_cropcap,
33472 diff -urNp linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c
33473 --- linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-19 00:06:34.000000000 -0400
33474 +++ linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-22 19:36:31.000000000 -0400
33475 @@ -265,7 +265,7 @@ static struct page *snd_pcm_pd_get_page(
33476 return vmalloc_to_page(pageptr);
33477 }
33478
33479 -static struct snd_pcm_ops pcm_capture_ops = {
33480 +static const struct snd_pcm_ops pcm_capture_ops = {
33481 .open = snd_pd_capture_open,
33482 .close = snd_pd_pcm_close,
33483 .ioctl = snd_pcm_lib_ioctl,
33484 diff -urNp linux-2.6.39.3/drivers/media/video/tw9910.c linux-2.6.39.3/drivers/media/video/tw9910.c
33485 --- linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-19 00:06:34.000000000 -0400
33486 +++ linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-22 19:36:31.000000000 -0400
33487 @@ -894,7 +894,7 @@ static struct soc_camera_ops tw9910_ops
33488 .enum_input = tw9910_enum_input,
33489 };
33490
33491 -static struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33492 +static const struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33493 .g_chip_ident = tw9910_g_chip_ident,
33494 .s_std = tw9910_s_std,
33495 #ifdef CONFIG_VIDEO_ADV_DEBUG
33496 @@ -913,7 +913,7 @@ static int tw9910_enum_fmt(struct v4l2_s
33497 return 0;
33498 }
33499
33500 -static struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33501 +static const struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33502 .s_stream = tw9910_s_stream,
33503 .g_mbus_fmt = tw9910_g_fmt,
33504 .s_mbus_fmt = tw9910_s_fmt,
33505 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c
33506 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-19 00:06:34.000000000 -0400
33507 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-22 19:36:31.000000000 -0400
33508 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
33509 unsigned char rv, gv, bv;
33510 static unsigned char *Y, *U, *V;
33511
33512 + pax_track_stack();
33513 +
33514 frame = usbvision->cur_frame;
33515 image_size = frame->frmwidth * frame->frmheight;
33516 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33517 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c
33518 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-19 00:06:34.000000000 -0400
33519 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-22 19:36:31.000000000 -0400
33520 @@ -189,7 +189,7 @@ static u32 functionality(struct i2c_adap
33521
33522 /* -----exported algorithm data: ------------------------------------- */
33523
33524 -static struct i2c_algorithm usbvision_algo = {
33525 +static const struct i2c_algorithm usbvision_algo = {
33526 .master_xfer = usbvision_i2c_xfer,
33527 .smbus_xfer = NULL,
33528 .functionality = functionality,
33529 diff -urNp linux-2.6.39.3/drivers/media/video/v4l2-device.c linux-2.6.39.3/drivers/media/video/v4l2-device.c
33530 --- linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-19 00:06:34.000000000 -0400
33531 +++ linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-22 19:36:31.000000000 -0400
33532 @@ -71,9 +71,9 @@ int v4l2_device_put(struct v4l2_device *
33533 EXPORT_SYMBOL_GPL(v4l2_device_put);
33534
33535 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33536 - atomic_t *instance)
33537 + atomic_unchecked_t *instance)
33538 {
33539 - int num = atomic_inc_return(instance) - 1;
33540 + int num = atomic_inc_return_unchecked(instance) - 1;
33541 int len = strlen(basename);
33542
33543 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
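Review bot: Nothing at the call site says why `instance` moves to `atomic_unchecked_t`. Presumably it is an instance-number generator rather than a reference count, so overflow detection would be a false positive; a comment like `/* instance number, not a refcount: wrapping is harmless */` should record that. With the unchecked variant a wrap is silent and `num` can go negative, so confirm that the name formatting below the hunk tolerates it. Every caller and the header prototype must switch to `atomic_unchecked_t` as well; those are not visible here. The same undocumented conversion is made for `context_list_counter` in i2o/iop.c and `lis3_dev.count` in lis3lv02d.c.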
33544 diff -urNp linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c
33545 --- linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-19 00:06:34.000000000 -0400
33546 +++ linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-22 19:36:31.000000000 -0400
33547 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
33548 {
33549 struct videobuf_queue q;
33550
33551 + pax_track_stack();
33552 +
33553 /* Required to make generic handler to call __videobuf_alloc */
33554 q.int_ops = &sg_ops;
33555
33556 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.c linux-2.6.39.3/drivers/message/fusion/mptbase.c
33557 --- linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-19 00:06:34.000000000 -0400
33558 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-22 19:41:37.000000000 -0400
33559 @@ -143,7 +143,7 @@ static int MptDriverClass[MPT_MAX_PRO
33560 static MPT_EVHANDLER MptEvHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33561 /* Reset handler lookup table */
33562 static MPT_RESETHANDLER MptResetHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33563 -static struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33564 +static const struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33565
33566 #ifdef CONFIG_PROC_FS
33567 static struct proc_dir_entry *mpt_proc_root_dir;
33568 @@ -772,7 +772,7 @@ mpt_reset_deregister(u8 cb_idx)
33569 * @cb_idx: MPT protocol driver index
33570 */
33571 int
33572 -mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33573 +mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33574 {
33575 MPT_ADAPTER *ioc;
33576 const struct pci_device_id *id;
33577 @@ -801,7 +801,7 @@ mpt_device_driver_register(struct mpt_pc
33578 void
33579 mpt_device_driver_deregister(u8 cb_idx)
33580 {
33581 - struct mpt_pci_driver *dd_cbfunc;
33582 + const struct mpt_pci_driver *dd_cbfunc;
33583 MPT_ADAPTER *ioc;
33584
33585 if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
33586 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
33587 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33588 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33589
33590 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33591 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
33592 +#else
33593 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33594 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33595 +#endif
33596 +
33597 /*
33598 * Rounding UP to nearest 4-kB boundary here...
33599 */
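Review bot: Under CONFIG_GRKERNSEC_HIDESYM both `%p` conversions receive `NULL`, and as far as I know this kernel's `%p` renders a null pointer as `(null)`, so the /proc line would read `0x(null)`. Any tool parsing this file then sees a different shape, which deserves a comment. The format string is also duplicated across the two branches, so a later edit can change one and miss the other. I would add `/* HIDESYM: do not expose the request-frame kernel and DMA addresses via /proc */` above the `#ifdef` and keep a single `seq_printf` whose two arguments are selected by the `#ifdef`. mpt_iocinfo_proc_show continues outside the hunk, so any other addresses it prints are not visible here.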
33600 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.h linux-2.6.39.3/drivers/message/fusion/mptbase.h
33601 --- linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-19 00:06:34.000000000 -0400
33602 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-22 19:36:31.000000000 -0400
33603 @@ -908,7 +908,7 @@ extern int mpt_event_register(u8 cb_idx
33604 extern void mpt_event_deregister(u8 cb_idx);
33605 extern int mpt_reset_register(u8 cb_idx, MPT_RESETHANDLER reset_func);
33606 extern void mpt_reset_deregister(u8 cb_idx);
33607 -extern int mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33608 +extern int mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33609 extern void mpt_device_driver_deregister(u8 cb_idx);
33610 extern MPT_FRAME_HDR *mpt_get_msg_frame(u8 cb_idx, MPT_ADAPTER *ioc);
33611 extern void mpt_free_msg_frame(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf);
33612 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptctl.c linux-2.6.39.3/drivers/message/fusion/mptctl.c
33613 --- linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-19 00:06:34.000000000 -0400
33614 +++ linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-22 19:36:31.000000000 -0400
33615 @@ -3000,7 +3000,7 @@ mptctl_remove(struct pci_dev *pdev)
33616 {
33617 }
33618
33619 -static struct mpt_pci_driver mptctl_driver = {
33620 +static const struct mpt_pci_driver mptctl_driver = {
33621 .probe = mptctl_probe,
33622 .remove = mptctl_remove,
33623 };
33624 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptsas.c linux-2.6.39.3/drivers/message/fusion/mptsas.c
33625 --- linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-19 00:06:34.000000000 -0400
33626 +++ linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-22 19:36:31.000000000 -0400
33627 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
33628 return 0;
33629 }
33630
33631 +static inline void
33632 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33633 +{
33634 + if (phy_info->port_details) {
33635 + phy_info->port_details->rphy = rphy;
33636 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33637 + ioc->name, rphy));
33638 + }
33639 +
33640 + if (rphy) {
33641 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33642 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33643 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33644 + ioc->name, rphy, rphy->dev.release));
33645 + }
33646 +}
33647 +
33648 /* no mutex */
33649 static void
33650 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
33651 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33652 return NULL;
33653 }
33654
33655 -static inline void
33656 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33657 -{
33658 - if (phy_info->port_details) {
33659 - phy_info->port_details->rphy = rphy;
33660 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33661 - ioc->name, rphy));
33662 - }
33663 -
33664 - if (rphy) {
33665 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33666 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33667 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33668 - ioc->name, rphy, rphy->dev.release));
33669 - }
33670 -}
33671 -
33672 static inline struct sas_port *
33673 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33674 {
33675 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptscsih.c linux-2.6.39.3/drivers/message/fusion/mptscsih.c
33676 --- linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-19 00:06:34.000000000 -0400
33677 +++ linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-22 19:36:31.000000000 -0400
33678 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33679
33680 h = shost_priv(SChost);
33681
33682 - if (h) {
33683 - if (h->info_kbuf == NULL)
33684 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33685 - return h->info_kbuf;
33686 - h->info_kbuf[0] = '\0';
33687 + if (!h)
33688 + return NULL;
33689
33690 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33691 - h->info_kbuf[size-1] = '\0';
33692 - }
33693 + if (h->info_kbuf == NULL)
33694 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33695 + return h->info_kbuf;
33696 + h->info_kbuf[0] = '\0';
33697 +
33698 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33699 + h->info_kbuf[size-1] = '\0';
33700
33701 return h->info_kbuf;
33702 }
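Review bot: The allocation keeps the nested unbraced `if` with an assignment inside the condition, and its failure path returns `h->info_kbuf` where it means NULL. After the re-indent, `h->info_kbuf[0] = '\0';` sits directly under that pair and is easy to misread as part of it. Bracing the allocation and returning NULL explicitly makes the flow plain with no behaviour change. Separately, `h->info_kbuf[size-1]` relies on `size` being at least 1 after mpt_print_ioc_summary; `size` is declared outside the hunk, so that is worth confirming. mptscsih_info starts outside the hunk.

```c
	if (!h)
		return NULL;

	if (!h->info_kbuf) {
		h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);
		if (!h->info_kbuf)
			return NULL;
	}
	h->info_kbuf[0] = '\0';
	/* … unchanged: mpt_print_ioc_summary call, terminator and return … */
```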
33703 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_config.c linux-2.6.39.3/drivers/message/i2o/i2o_config.c
33704 --- linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-19 00:06:34.000000000 -0400
33705 +++ linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-22 19:36:31.000000000 -0400
33706 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
33707 struct i2o_message *msg;
33708 unsigned int iop;
33709
33710 + pax_track_stack();
33711 +
33712 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33713 return -EFAULT;
33714
33715 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_proc.c linux-2.6.39.3/drivers/message/i2o/i2o_proc.c
33716 --- linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-19 00:06:34.000000000 -0400
33717 +++ linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-22 19:36:31.000000000 -0400
33718 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
33719 "Array Controller Device"
33720 };
33721
33722 -static char *chtostr(u8 * chars, int n)
33723 -{
33724 - char tmp[256];
33725 - tmp[0] = 0;
33726 - return strncat(tmp, (char *)chars, n);
33727 -}
33728 -
33729 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33730 char *group)
33731 {
33732 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
33733
33734 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33735 seq_printf(seq, "%-#8x", ddm_table.module_id);
33736 - seq_printf(seq, "%-29s",
33737 - chtostr(ddm_table.module_name_version, 28));
33738 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33739 seq_printf(seq, "%9d ", ddm_table.data_size);
33740 seq_printf(seq, "%8d", ddm_table.code_size);
33741
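Review bot: Replacing `%-29s` with `%-.28s` drops the minimum field width, so the module-name column is no longer padded and the columns after it stop lining up; the `-` flag has no effect without a width. Keeping both width and precision preserves the old layout while still bounding the read: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The next hunk, in i2o_seq_show_drivers_stored, has the same issue and would use `%-29.28s` and `%-9.8s`. The precision-bounded `%s` is otherwise the right replacement for the removed chtostr(), which returned a pointer into its own stack frame. i2o_seq_show_ddm_table continues outside the hunk.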
33742 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
33743
33744 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33745 seq_printf(seq, "%-#8x", dst->module_id);
33746 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33747 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33748 + seq_printf(seq, "%-.28s", dst->module_name_version);
33749 + seq_printf(seq, "%-.8s", dst->date);
33750 seq_printf(seq, "%8d ", dst->module_size);
33751 seq_printf(seq, "%8d ", dst->mpb_size);
33752 seq_printf(seq, "0x%04x", dst->module_flags);
33753 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
33754 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33755 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33756 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33757 - seq_printf(seq, "Vendor info : %s\n",
33758 - chtostr((u8 *) (work32 + 2), 16));
33759 - seq_printf(seq, "Product info : %s\n",
33760 - chtostr((u8 *) (work32 + 6), 16));
33761 - seq_printf(seq, "Description : %s\n",
33762 - chtostr((u8 *) (work32 + 10), 16));
33763 - seq_printf(seq, "Product rev. : %s\n",
33764 - chtostr((u8 *) (work32 + 14), 8));
33765 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33766 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33767 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33768 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33769
33770 seq_printf(seq, "Serial number : ");
33771 print_serial_number(seq, (u8 *) (work32 + 16),
33772 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
33773 }
33774
33775 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33776 - seq_printf(seq, "Module name : %s\n",
33777 - chtostr(result.module_name, 24));
33778 - seq_printf(seq, "Module revision : %s\n",
33779 - chtostr(result.module_rev, 8));
33780 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33781 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33782
33783 seq_printf(seq, "Serial number : ");
33784 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33785 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
33786 return 0;
33787 }
33788
33789 - seq_printf(seq, "Device name : %s\n",
33790 - chtostr(result.device_name, 64));
33791 - seq_printf(seq, "Service name : %s\n",
33792 - chtostr(result.service_name, 64));
33793 - seq_printf(seq, "Physical name : %s\n",
33794 - chtostr(result.physical_location, 64));
33795 - seq_printf(seq, "Instance number : %s\n",
33796 - chtostr(result.instance_number, 4));
33797 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33798 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33799 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33800 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33801
33802 return 0;
33803 }
33804 diff -urNp linux-2.6.39.3/drivers/message/i2o/iop.c linux-2.6.39.3/drivers/message/i2o/iop.c
33805 --- linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-19 00:06:34.000000000 -0400
33806 +++ linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-22 19:36:31.000000000 -0400
33807 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33808
33809 spin_lock_irqsave(&c->context_list_lock, flags);
33810
33811 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33812 - atomic_inc(&c->context_list_counter);
33813 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33814 + atomic_inc_unchecked(&c->context_list_counter);
33815
33816 - entry->context = atomic_read(&c->context_list_counter);
33817 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33818
33819 list_add(&entry->list, &c->context_list);
33820
33821 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33822
33823 #if BITS_PER_LONG == 64
33824 spin_lock_init(&c->context_list_lock);
33825 - atomic_set(&c->context_list_counter, 0);
33826 + atomic_set_unchecked(&c->context_list_counter, 0);
33827 INIT_LIST_HEAD(&c->context_list);
33828 #endif
33829
33830 diff -urNp linux-2.6.39.3/drivers/mfd/ab3100-core.c linux-2.6.39.3/drivers/mfd/ab3100-core.c
33831 --- linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-19 00:06:34.000000000 -0400
33832 +++ linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-22 19:36:31.000000000 -0400
33833 @@ -385,7 +385,7 @@ static int ab3100_event_registers_startu
33834 return 0;
33835 }
33836
33837 -static struct abx500_ops ab3100_ops = {
33838 +static const struct abx500_ops ab3100_ops = {
33839 .get_chip_id = ab3100_get_chip_id,
33840 .set_register = set_register_interruptible,
33841 .get_register = get_register_interruptible,
33842 diff -urNp linux-2.6.39.3/drivers/mfd/ab3550-core.c linux-2.6.39.3/drivers/mfd/ab3550-core.c
33843 --- linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-19 00:06:34.000000000 -0400
33844 +++ linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-22 19:36:31.000000000 -0400
33845 @@ -676,7 +676,7 @@ static int ab3550_startup_irq_enabled(st
33846 return val;
33847 }
33848
33849 -static struct abx500_ops ab3550_ops = {
33850 +static const struct abx500_ops ab3550_ops = {
33851 .get_chip_id = ab3550_get_chip_id,
33852 .get_register = ab3550_get_register_interruptible,
33853 .set_register = ab3550_set_register_interruptible,
33854 diff -urNp linux-2.6.39.3/drivers/mfd/ab8500-core.c linux-2.6.39.3/drivers/mfd/ab8500-core.c
33855 --- linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-19 00:06:34.000000000 -0400
33856 +++ linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-22 19:36:31.000000000 -0400
33857 @@ -223,7 +223,7 @@ static int ab8500_mask_and_set_register(
33858
33859 }
33860
33861 -static struct abx500_ops ab8500_ops = {
33862 +static const struct abx500_ops ab8500_ops = {
33863 .get_chip_id = ab8500_get_chip_id,
33864 .get_register = ab8500_get_register,
33865 .set_register = ab8500_set_register,
33866 diff -urNp linux-2.6.39.3/drivers/mfd/abx500-core.c linux-2.6.39.3/drivers/mfd/abx500-core.c
33867 --- linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-19 00:06:34.000000000 -0400
33868 +++ linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-22 19:36:31.000000000 -0400
33869 @@ -18,7 +18,7 @@ struct abx500_device_entry {
33870 struct device *dev;
33871 };
33872
33873 -static void lookup_ops(struct device *dev, struct abx500_ops **ops)
33874 +static void lookup_ops(struct device *dev, const struct abx500_ops **ops)
33875 {
33876 struct abx500_device_entry *dev_entry;
33877
33878 @@ -31,7 +31,7 @@ static void lookup_ops(struct device *de
33879 }
33880 }
33881
33882 -int abx500_register_ops(struct device *dev, struct abx500_ops *ops)
33883 +int abx500_register_ops(struct device *dev, const struct abx500_ops *ops)
33884 {
33885 struct abx500_device_entry *dev_entry;
33886
33887 @@ -65,7 +65,7 @@ EXPORT_SYMBOL(abx500_remove_ops);
33888 int abx500_set_register_interruptible(struct device *dev, u8 bank, u8 reg,
33889 u8 value)
33890 {
33891 - struct abx500_ops *ops;
33892 + const struct abx500_ops *ops;
33893
33894 lookup_ops(dev->parent, &ops);
33895 if ((ops != NULL) && (ops->set_register != NULL))
33896 @@ -78,7 +78,7 @@ EXPORT_SYMBOL(abx500_set_register_interr
33897 int abx500_get_register_interruptible(struct device *dev, u8 bank, u8 reg,
33898 u8 *value)
33899 {
33900 - struct abx500_ops *ops;
33901 + const struct abx500_ops *ops;
33902
33903 lookup_ops(dev->parent, &ops);
33904 if ((ops != NULL) && (ops->get_register != NULL))
33905 @@ -91,7 +91,7 @@ EXPORT_SYMBOL(abx500_get_register_interr
33906 int abx500_get_register_page_interruptible(struct device *dev, u8 bank,
33907 u8 first_reg, u8 *regvals, u8 numregs)
33908 {
33909 - struct abx500_ops *ops;
33910 + const struct abx500_ops *ops;
33911
33912 lookup_ops(dev->parent, &ops);
33913 if ((ops != NULL) && (ops->get_register_page != NULL))
33914 @@ -105,7 +105,7 @@ EXPORT_SYMBOL(abx500_get_register_page_i
33915 int abx500_mask_and_set_register_interruptible(struct device *dev, u8 bank,
33916 u8 reg, u8 bitmask, u8 bitvalues)
33917 {
33918 - struct abx500_ops *ops;
33919 + const struct abx500_ops *ops;
33920
33921 lookup_ops(dev->parent, &ops);
33922 if ((ops != NULL) && (ops->mask_and_set_register != NULL))
33923 @@ -118,7 +118,7 @@ EXPORT_SYMBOL(abx500_mask_and_set_regist
33924
33925 int abx500_get_chip_id(struct device *dev)
33926 {
33927 - struct abx500_ops *ops;
33928 + const struct abx500_ops *ops;
33929
33930 lookup_ops(dev->parent, &ops);
33931 if ((ops != NULL) && (ops->get_chip_id != NULL))
33932 @@ -130,7 +130,7 @@ EXPORT_SYMBOL(abx500_get_chip_id);
33933
33934 int abx500_event_registers_startup_state_get(struct device *dev, u8 *event)
33935 {
33936 - struct abx500_ops *ops;
33937 + const struct abx500_ops *ops;
33938
33939 lookup_ops(dev->parent, &ops);
33940 if ((ops != NULL) && (ops->event_registers_startup_state_get != NULL))
33941 @@ -142,7 +142,7 @@ EXPORT_SYMBOL(abx500_event_registers_sta
33942
33943 int abx500_startup_irq_enabled(struct device *dev, unsigned int irq)
33944 {
33945 - struct abx500_ops *ops;
33946 + const struct abx500_ops *ops;
33947
33948 lookup_ops(dev->parent, &ops);
33949 if ((ops != NULL) && (ops->startup_irq_enabled != NULL))
33950 diff -urNp linux-2.6.39.3/drivers/mfd/janz-cmodio.c linux-2.6.39.3/drivers/mfd/janz-cmodio.c
33951 --- linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-19 00:06:34.000000000 -0400
33952 +++ linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-22 19:36:31.000000000 -0400
33953 @@ -13,6 +13,7 @@
33954
33955 #include <linux/kernel.h>
33956 #include <linux/module.h>
33957 +#include <linux/slab.h>
33958 #include <linux/init.h>
33959 #include <linux/pci.h>
33960 #include <linux/interrupt.h>
33961 diff -urNp linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c
33962 --- linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-19 00:06:34.000000000 -0400
33963 +++ linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-22 19:36:31.000000000 -0400
33964 @@ -128,7 +128,7 @@ static void mcp_sa11x0_disable(struct mc
33965 /*
33966 * Our methods.
33967 */
33968 -static struct mcp_ops mcp_sa11x0 = {
33969 +static const struct mcp_ops mcp_sa11x0 = {
33970 .set_telecom_divisor = mcp_sa11x0_set_telecom_divisor,
33971 .set_audio_divisor = mcp_sa11x0_set_audio_divisor,
33972 .reg_write = mcp_sa11x0_write,
33973 diff -urNp linux-2.6.39.3/drivers/mfd/wm8350-i2c.c linux-2.6.39.3/drivers/mfd/wm8350-i2c.c
33974 --- linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-19 00:06:34.000000000 -0400
33975 +++ linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-22 19:36:31.000000000 -0400
33976 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
33977 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
33978 int ret;
33979
33980 + pax_track_stack();
33981 +
33982 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
33983 return -EINVAL;
33984
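Review bot: The length check `bytes > ((WM8350_MAX_REGISTER << 1) + 1)` accepts a payload as large as the whole `msg` buffer, which leaves no room if the function also stores the register byte in `msg` ahead of the payload. The rest of the body is outside the hunk, so this needs confirming against the copy that follows. If so, the bound should be `if (bytes < 0 || bytes > (WM8350_MAX_REGISTER << 1))`; the `bytes < 0` part applies only if `bytes` is a signed type, which the truncated signature in the hunk header does not show. The added `pax_track_stack()` call concerns the size of the frame and does nothing for this bound.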
33985 diff -urNp linux-2.6.39.3/drivers/misc/enclosure.c linux-2.6.39.3/drivers/misc/enclosure.c
33986 --- linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-19 00:06:34.000000000 -0400
33987 +++ linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-22 19:36:31.000000000 -0400
33988 @@ -161,7 +161,7 @@ enclosure_register(struct device *dev, c
33989 }
33990 EXPORT_SYMBOL_GPL(enclosure_register);
33991
33992 -static struct enclosure_component_callbacks enclosure_null_callbacks;
33993 +static const struct enclosure_component_callbacks enclosure_null_callbacks;
33994
33995 /**
33996 * enclosure_unregister - remove an enclosure
33997 diff -urNp linux-2.6.39.3/drivers/misc/kgdbts.c linux-2.6.39.3/drivers/misc/kgdbts.c
33998 --- linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-19 00:06:34.000000000 -0400
33999 +++ linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-22 19:36:31.000000000 -0400
34000 @@ -118,7 +118,7 @@
34001 } while (0)
34002 #define MAX_CONFIG_LEN 40
34003
34004 -static struct kgdb_io kgdbts_io_ops;
34005 +static const struct kgdb_io kgdbts_io_ops;
34006 static char get_buf[BUFMAX];
34007 static int get_buf_cnt;
34008 static char put_buf[BUFMAX];
34009 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
34010 module_put(THIS_MODULE);
34011 }
34012
34013 -static struct kgdb_io kgdbts_io_ops = {
34014 +static const struct kgdb_io kgdbts_io_ops = {
34015 .name = "kgdbts",
34016 .read_char = kgdbts_get_char,
34017 .write_char = kgdbts_put_char,
34018 diff -urNp linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c
34019 --- linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-19 00:06:34.000000000 -0400
34020 +++ linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-22 19:36:31.000000000 -0400
34021 @@ -435,7 +435,7 @@ static irqreturn_t lis302dl_interrupt(in
34022 * the lid is closed. This leads to interrupts as soon as a little move
34023 * is done.
34024 */
34025 - atomic_inc(&lis3_dev.count);
34026 + atomic_inc_unchecked(&lis3_dev.count);
34027
34028 wake_up_interruptible(&lis3_dev.misc_wait);
34029 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
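Review bot: Switching `lis3_dev.count` to the `_unchecked` accessors here, and in the lis3lv02d_misc_open, lis3lv02d_misc_read and lis3lv02d_misc_poll hunks that follow, takes the counter out of overflow detection without recording why that is safe. Going by the field comment in lis3lv02d.h it looks like an event counter rather than a reference count, so a wrap would presumably not lead to a premature free. That reasoning belongs at the declaration, e.g. `atomic_unchecked_t count; /* interrupt count after last read; not a refcount, may wrap */`. The sgi-gru statistics counters in gruhandles.c, gruprocfs.c and grutables.h are converted the same way and would benefit from one such comment on `struct gru_stats_s` and `struct mcs_op_statistic`. The body of lis302dl_interrupt starts and ends outside this hunk.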
34030 @@ -518,7 +518,7 @@ static int lis3lv02d_misc_open(struct in
34031 if (lis3_dev.pm_dev)
34032 pm_runtime_get_sync(lis3_dev.pm_dev);
34033
34034 - atomic_set(&lis3_dev.count, 0);
34035 + atomic_set_unchecked(&lis3_dev.count, 0);
34036 return 0;
34037 }
34038
34039 @@ -545,7 +545,7 @@ static ssize_t lis3lv02d_misc_read(struc
34040 add_wait_queue(&lis3_dev.misc_wait, &wait);
34041 while (true) {
34042 set_current_state(TASK_INTERRUPTIBLE);
34043 - data = atomic_xchg(&lis3_dev.count, 0);
34044 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
34045 if (data)
34046 break;
34047
34048 @@ -583,7 +583,7 @@ out:
34049 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
34050 {
34051 poll_wait(file, &lis3_dev.misc_wait, wait);
34052 - if (atomic_read(&lis3_dev.count))
34053 + if (atomic_read_unchecked(&lis3_dev.count))
34054 return POLLIN | POLLRDNORM;
34055 return 0;
34056 }
34057 diff -urNp linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h
34058 --- linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-19 00:06:34.000000000 -0400
34059 +++ linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-22 19:36:31.000000000 -0400
34060 @@ -265,7 +265,7 @@ struct lis3lv02d {
34061 struct input_polled_dev *idev; /* input device */
34062 struct platform_device *pdev; /* platform device */
34063 struct regulator_bulk_data regulators[2];
34064 - atomic_t count; /* interrupt count after last read */
34065 + atomic_unchecked_t count; /* interrupt count after last read */
34066 union axis_conversion ac; /* hw -> logical axis */
34067 int mapped_btns[3];
34068
34069 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c
34070 --- linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c 2011-05-19 00:06:34.000000000 -0400
34071 +++ linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c 2011-05-22 19:36:31.000000000 -0400
34072 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
34073 unsigned long nsec;
34074
34075 nsec = CLKS2NSEC(clks);
34076 - atomic_long_inc(&mcs_op_statistics[op].count);
34077 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
34078 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
34079 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
34080 if (mcs_op_statistics[op].max < nsec)
34081 mcs_op_statistics[op].max = nsec;
34082 }
34083 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c
34084 --- linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c 2011-05-19 00:06:34.000000000 -0400
34085 +++ linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c 2011-05-22 19:36:31.000000000 -0400
34086 @@ -32,9 +32,9 @@
34087
34088 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
34089
34090 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
34091 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
34092 {
34093 - unsigned long val = atomic_long_read(v);
34094 + unsigned long val = atomic_long_read_unchecked(v);
34095
34096 seq_printf(s, "%16lu %s\n", val, id);
34097 }
34098 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
34099
34100 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
34101 for (op = 0; op < mcsop_last; op++) {
34102 - count = atomic_long_read(&mcs_op_statistics[op].count);
34103 - total = atomic_long_read(&mcs_op_statistics[op].total);
34104 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
34105 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
34106 max = mcs_op_statistics[op].max;
34107 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
34108 count ? total / count : 0, max);
34109 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h
34110 --- linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-19 00:06:34.000000000 -0400
34111 +++ linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-22 19:36:31.000000000 -0400
34112 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
34113 * GRU statistics.
34114 */
34115 struct gru_stats_s {
34116 - atomic_long_t vdata_alloc;
34117 - atomic_long_t vdata_free;
34118 - atomic_long_t gts_alloc;
34119 - atomic_long_t gts_free;
34120 - atomic_long_t gms_alloc;
34121 - atomic_long_t gms_free;
34122 - atomic_long_t gts_double_allocate;
34123 - atomic_long_t assign_context;
34124 - atomic_long_t assign_context_failed;
34125 - atomic_long_t free_context;
34126 - atomic_long_t load_user_context;
34127 - atomic_long_t load_kernel_context;
34128 - atomic_long_t lock_kernel_context;
34129 - atomic_long_t unlock_kernel_context;
34130 - atomic_long_t steal_user_context;
34131 - atomic_long_t steal_kernel_context;
34132 - atomic_long_t steal_context_failed;
34133 - atomic_long_t nopfn;
34134 - atomic_long_t asid_new;
34135 - atomic_long_t asid_next;
34136 - atomic_long_t asid_wrap;
34137 - atomic_long_t asid_reuse;
34138 - atomic_long_t intr;
34139 - atomic_long_t intr_cbr;
34140 - atomic_long_t intr_tfh;
34141 - atomic_long_t intr_spurious;
34142 - atomic_long_t intr_mm_lock_failed;
34143 - atomic_long_t call_os;
34144 - atomic_long_t call_os_wait_queue;
34145 - atomic_long_t user_flush_tlb;
34146 - atomic_long_t user_unload_context;
34147 - atomic_long_t user_exception;
34148 - atomic_long_t set_context_option;
34149 - atomic_long_t check_context_retarget_intr;
34150 - atomic_long_t check_context_unload;
34151 - atomic_long_t tlb_dropin;
34152 - atomic_long_t tlb_preload_page;
34153 - atomic_long_t tlb_dropin_fail_no_asid;
34154 - atomic_long_t tlb_dropin_fail_upm;
34155 - atomic_long_t tlb_dropin_fail_invalid;
34156 - atomic_long_t tlb_dropin_fail_range_active;
34157 - atomic_long_t tlb_dropin_fail_idle;
34158 - atomic_long_t tlb_dropin_fail_fmm;
34159 - atomic_long_t tlb_dropin_fail_no_exception;
34160 - atomic_long_t tfh_stale_on_fault;
34161 - atomic_long_t mmu_invalidate_range;
34162 - atomic_long_t mmu_invalidate_page;
34163 - atomic_long_t flush_tlb;
34164 - atomic_long_t flush_tlb_gru;
34165 - atomic_long_t flush_tlb_gru_tgh;
34166 - atomic_long_t flush_tlb_gru_zero_asid;
34167 -
34168 - atomic_long_t copy_gpa;
34169 - atomic_long_t read_gpa;
34170 -
34171 - atomic_long_t mesq_receive;
34172 - atomic_long_t mesq_receive_none;
34173 - atomic_long_t mesq_send;
34174 - atomic_long_t mesq_send_failed;
34175 - atomic_long_t mesq_noop;
34176 - atomic_long_t mesq_send_unexpected_error;
34177 - atomic_long_t mesq_send_lb_overflow;
34178 - atomic_long_t mesq_send_qlimit_reached;
34179 - atomic_long_t mesq_send_amo_nacked;
34180 - atomic_long_t mesq_send_put_nacked;
34181 - atomic_long_t mesq_page_overflow;
34182 - atomic_long_t mesq_qf_locked;
34183 - atomic_long_t mesq_qf_noop_not_full;
34184 - atomic_long_t mesq_qf_switch_head_failed;
34185 - atomic_long_t mesq_qf_unexpected_error;
34186 - atomic_long_t mesq_noop_unexpected_error;
34187 - atomic_long_t mesq_noop_lb_overflow;
34188 - atomic_long_t mesq_noop_qlimit_reached;
34189 - atomic_long_t mesq_noop_amo_nacked;
34190 - atomic_long_t mesq_noop_put_nacked;
34191 - atomic_long_t mesq_noop_page_overflow;
34192 + atomic_long_unchecked_t vdata_alloc;
34193 + atomic_long_unchecked_t vdata_free;
34194 + atomic_long_unchecked_t gts_alloc;
34195 + atomic_long_unchecked_t gts_free;
34196 + atomic_long_unchecked_t gms_alloc;
34197 + atomic_long_unchecked_t gms_free;
34198 + atomic_long_unchecked_t gts_double_allocate;
34199 + atomic_long_unchecked_t assign_context;
34200 + atomic_long_unchecked_t assign_context_failed;
34201 + atomic_long_unchecked_t free_context;
34202 + atomic_long_unchecked_t load_user_context;
34203 + atomic_long_unchecked_t load_kernel_context;
34204 + atomic_long_unchecked_t lock_kernel_context;
34205 + atomic_long_unchecked_t unlock_kernel_context;
34206 + atomic_long_unchecked_t steal_user_context;
34207 + atomic_long_unchecked_t steal_kernel_context;
34208 + atomic_long_unchecked_t steal_context_failed;
34209 + atomic_long_unchecked_t nopfn;
34210 + atomic_long_unchecked_t asid_new;
34211 + atomic_long_unchecked_t asid_next;
34212 + atomic_long_unchecked_t asid_wrap;
34213 + atomic_long_unchecked_t asid_reuse;
34214 + atomic_long_unchecked_t intr;
34215 + atomic_long_unchecked_t intr_cbr;
34216 + atomic_long_unchecked_t intr_tfh;
34217 + atomic_long_unchecked_t intr_spurious;
34218 + atomic_long_unchecked_t intr_mm_lock_failed;
34219 + atomic_long_unchecked_t call_os;
34220 + atomic_long_unchecked_t call_os_wait_queue;
34221 + atomic_long_unchecked_t user_flush_tlb;
34222 + atomic_long_unchecked_t user_unload_context;
34223 + atomic_long_unchecked_t user_exception;
34224 + atomic_long_unchecked_t set_context_option;
34225 + atomic_long_unchecked_t check_context_retarget_intr;
34226 + atomic_long_unchecked_t check_context_unload;
34227 + atomic_long_unchecked_t tlb_dropin;
34228 + atomic_long_unchecked_t tlb_preload_page;
34229 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
34230 + atomic_long_unchecked_t tlb_dropin_fail_upm;
34231 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
34232 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
34233 + atomic_long_unchecked_t tlb_dropin_fail_idle;
34234 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
34235 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
34236 + atomic_long_unchecked_t tfh_stale_on_fault;
34237 + atomic_long_unchecked_t mmu_invalidate_range;
34238 + atomic_long_unchecked_t mmu_invalidate_page;
34239 + atomic_long_unchecked_t flush_tlb;
34240 + atomic_long_unchecked_t flush_tlb_gru;
34241 + atomic_long_unchecked_t flush_tlb_gru_tgh;
34242 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
34243 +
34244 + atomic_long_unchecked_t copy_gpa;
34245 + atomic_long_unchecked_t read_gpa;
34246 +
34247 + atomic_long_unchecked_t mesq_receive;
34248 + atomic_long_unchecked_t mesq_receive_none;
34249 + atomic_long_unchecked_t mesq_send;
34250 + atomic_long_unchecked_t mesq_send_failed;
34251 + atomic_long_unchecked_t mesq_noop;
34252 + atomic_long_unchecked_t mesq_send_unexpected_error;
34253 + atomic_long_unchecked_t mesq_send_lb_overflow;
34254 + atomic_long_unchecked_t mesq_send_qlimit_reached;
34255 + atomic_long_unchecked_t mesq_send_amo_nacked;
34256 + atomic_long_unchecked_t mesq_send_put_nacked;
34257 + atomic_long_unchecked_t mesq_page_overflow;
34258 + atomic_long_unchecked_t mesq_qf_locked;
34259 + atomic_long_unchecked_t mesq_qf_noop_not_full;
34260 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
34261 + atomic_long_unchecked_t mesq_qf_unexpected_error;
34262 + atomic_long_unchecked_t mesq_noop_unexpected_error;
34263 + atomic_long_unchecked_t mesq_noop_lb_overflow;
34264 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
34265 + atomic_long_unchecked_t mesq_noop_amo_nacked;
34266 + atomic_long_unchecked_t mesq_noop_put_nacked;
34267 + atomic_long_unchecked_t mesq_noop_page_overflow;
34268
34269 };
34270
34271 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
34272 tghop_invalidate, mcsop_last};
34273
34274 struct mcs_op_statistic {
34275 - atomic_long_t count;
34276 - atomic_long_t total;
34277 + atomic_long_unchecked_t count;
34278 + atomic_long_unchecked_t total;
34279 unsigned long max;
34280 };
34281
34282 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
34283
34284 #define STAT(id) do { \
34285 if (gru_options & OPT_STATS) \
34286 - atomic_long_inc(&gru_stats.id); \
34287 + atomic_long_inc_unchecked(&gru_stats.id); \
34288 } while (0)
34289
34290 #ifdef CONFIG_SGI_GRU_DEBUG
34291 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c
34292 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-19 00:06:34.000000000 -0400
34293 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-22 19:36:31.000000000 -0400
34294 @@ -2351,7 +2351,7 @@ xpc_received_payload_sn2(struct xpc_chan
34295 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34296 }
34297
34298 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34299 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34300 .setup_partitions = xpc_setup_partitions_sn2,
34301 .teardown_partitions = xpc_teardown_partitions_sn2,
34302 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34303 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c
34304 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-19 00:06:34.000000000 -0400
34305 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-22 19:36:31.000000000 -0400
34306 @@ -1674,7 +1674,7 @@ xpc_received_payload_uv(struct xpc_chann
34307 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34308 }
34309
34310 -static struct xpc_arch_operations xpc_arch_ops_uv = {
34311 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
34312 .setup_partitions = xpc_setup_partitions_uv,
34313 .teardown_partitions = xpc_teardown_partitions_uv,
34314 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34315 diff -urNp linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c
34316 --- linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-19 00:06:34.000000000 -0400
34317 +++ linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-22 19:36:31.000000000 -0400
34318 @@ -644,7 +644,7 @@ static ssize_t pcie_gadget_target_attr_s
34319 return ret;
34320 }
34321
34322 -static struct configfs_item_operations pcie_gadget_target_item_ops = {
34323 +static const struct configfs_item_operations pcie_gadget_target_item_ops = {
34324 .show_attribute = pcie_gadget_target_attr_show,
34325 .store_attribute = pcie_gadget_target_attr_store,
34326 };
34327 diff -urNp linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c
34328 --- linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-19 00:06:34.000000000 -0400
34329 +++ linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-22 19:36:31.000000000 -0400
34330 @@ -1133,7 +1133,7 @@ static void mmc_davinci_enable_sdio_irq(
34331 }
34332 }
34333
34334 -static struct mmc_host_ops mmc_davinci_ops = {
34335 +static const struct mmc_host_ops mmc_davinci_ops = {
34336 .request = mmc_davinci_request,
34337 .set_ios = mmc_davinci_set_ios,
34338 .get_cd = mmc_davinci_get_cd,
34339 diff -urNp linux-2.6.39.3/drivers/mmc/host/dw_mmc.c linux-2.6.39.3/drivers/mmc/host/dw_mmc.c
34340 --- linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-19 00:06:34.000000000 -0400
34341 +++ linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-22 19:36:31.000000000 -0400
34342 @@ -417,7 +417,7 @@ static int dw_mci_idmac_init(struct dw_m
34343 return 0;
34344 }
34345
34346 -static struct dw_mci_dma_ops dw_mci_idmac_ops = {
34347 +static const struct dw_mci_dma_ops dw_mci_idmac_ops = {
34348 .init = dw_mci_idmac_init,
34349 .start = dw_mci_idmac_start_dma,
34350 .stop = dw_mci_idmac_stop_dma,
34351 diff -urNp linux-2.6.39.3/drivers/mmc/host/s3cmci.c linux-2.6.39.3/drivers/mmc/host/s3cmci.c
34352 --- linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-19 00:06:34.000000000 -0400
34353 +++ linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-22 19:36:31.000000000 -0400
34354 @@ -1349,7 +1349,7 @@ static void s3cmci_enable_sdio_irq(struc
34355 s3cmci_check_sdio_irq(host);
34356 }
34357
34358 -static struct mmc_host_ops s3cmci_ops = {
34359 +static const struct mmc_host_ops s3cmci_ops = {
34360 .request = s3cmci_request,
34361 .set_ios = s3cmci_set_ios,
34362 .get_ro = s3cmci_get_ro,
34363 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c
34364 --- linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-19 00:06:34.000000000 -0400
34365 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-22 19:36:31.000000000 -0400
34366 @@ -81,7 +81,7 @@ out:
34367 host->clock = clock;
34368 }
34369
34370 -static struct sdhci_ops sdhci_cns3xxx_ops = {
34371 +static const struct sdhci_ops sdhci_cns3xxx_ops = {
34372 .get_max_clock = sdhci_cns3xxx_get_max_clk,
34373 .set_clock = sdhci_cns3xxx_set_clock,
34374 };
34375 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c
34376 --- linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-19 00:06:34.000000000 -0400
34377 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-22 19:36:31.000000000 -0400
34378 @@ -56,7 +56,7 @@ static u32 sdhci_dove_readl(struct sdhci
34379 return ret;
34380 }
34381
34382 -static struct sdhci_ops sdhci_dove_ops = {
34383 +static const struct sdhci_ops sdhci_dove_ops = {
34384 .read_w = sdhci_dove_readw,
34385 .read_l = sdhci_dove_readl,
34386 };
34387 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c
34388 --- linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-19 00:06:34.000000000 -0400
34389 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-22 19:36:31.000000000 -0400
34390 @@ -201,7 +201,7 @@ static unsigned int esdhc_pltfm_get_ro(s
34391 return -ENOSYS;
34392 }
34393
34394 -static struct sdhci_ops sdhci_esdhc_ops = {
34395 +static const struct sdhci_ops sdhci_esdhc_ops = {
34396 .read_l = esdhc_readl_le,
34397 .read_w = esdhc_readw_le,
34398 .write_l = esdhc_writel_le,
34399 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-of.h linux-2.6.39.3/drivers/mmc/host/sdhci-of.h
34400 --- linux-2.6.39.3/drivers/mmc/host/sdhci-of.h 2011-05-19 00:06:34.000000000 -0400
34401 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-of.h 2011-05-22 19:36:31.000000000 -0400
34402 @@ -21,7 +21,7 @@
34403
34404 struct sdhci_of_data {
34405 unsigned int quirks;
34406 - struct sdhci_ops ops;
34407 + const struct sdhci_ops ops;
34408 };
34409
34410 struct sdhci_of_host {
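Review bot: Declaring the embedded member as `const struct sdhci_ops ops;` only protects the function pointers if every `struct sdhci_of_data` object is itself defined `const`; a const member inside an otherwise writable object is still placed in writable data. It also makes the struct non-assignable, so any code that copies a `struct sdhci_of_data` or fills in `ops` at run time will stop compiling. The definitions of those objects are outside this hunk, so this needs confirming against the users of the header. If they are all static tables, defining them as `static const struct sdhci_of_data` would state the intent directly and give the hardening the patch is after.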
34411 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c
34412 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-19 00:06:34.000000000 -0400
34413 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-22 19:36:31.000000000 -0400
34414 @@ -786,7 +786,7 @@ static int sdhci_pci_enable_dma(struct s
34415 return 0;
34416 }
34417
34418 -static struct sdhci_ops sdhci_pci_ops = {
34419 +static const struct sdhci_ops sdhci_pci_ops = {
34420 .enable_dma = sdhci_pci_enable_dma,
34421 };
34422
34423 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c
34424 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-19 00:06:34.000000000 -0400
34425 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-22 19:36:31.000000000 -0400
34426 @@ -41,7 +41,7 @@
34427 * *
34428 \*****************************************************************************/
34429
34430 -static struct sdhci_ops sdhci_pltfm_ops = {
34431 +static const struct sdhci_ops sdhci_pltfm_ops = {
34432 };
34433
34434 /*****************************************************************************\
34435 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c
34436 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-19 00:06:34.000000000 -0400
34437 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-22 19:36:31.000000000 -0400
34438 @@ -69,7 +69,7 @@ static void set_clock(struct sdhci_host
34439 }
34440 }
34441
34442 -static struct sdhci_ops sdhci_pxa_ops = {
34443 +static const struct sdhci_ops sdhci_pxa_ops = {
34444 .set_clock = set_clock,
34445 };
34446
34447 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c
34448 --- linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-19 00:06:34.000000000 -0400
34449 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-22 19:36:31.000000000 -0400
34450 @@ -309,7 +309,7 @@ static int sdhci_s3c_platform_8bit_width
34451 return 0;
34452 }
34453
34454 -static struct sdhci_ops sdhci_s3c_ops = {
34455 +static const struct sdhci_ops sdhci_s3c_ops = {
34456 .get_max_clock = sdhci_s3c_get_max_clk,
34457 .set_clock = sdhci_s3c_set_clock,
34458 .get_min_clock = sdhci_s3c_get_min_clock,
34459 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c
34460 --- linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-19 00:06:34.000000000 -0400
34461 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-22 19:36:31.000000000 -0400
34462 @@ -32,7 +32,7 @@ struct spear_sdhci {
34463 };
34464
34465 /* sdhci ops */
34466 -static struct sdhci_ops sdhci_pltfm_ops = {
34467 +static const struct sdhci_ops sdhci_pltfm_ops = {
34468 /* Nothing to do for now. */
34469 };
34470
34471 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c
34472 --- linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-19 00:06:34.000000000 -0400
34473 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-22 19:36:31.000000000 -0400
34474 @@ -242,7 +242,7 @@ static void tegra_sdhci_pltfm_exit(struc
34475 clk_put(pltfm_host->clk);
34476 }
34477
34478 -static struct sdhci_ops tegra_sdhci_ops = {
34479 +static const struct sdhci_ops tegra_sdhci_ops = {
34480 .get_ro = tegra_sdhci_get_ro,
34481 .read_l = tegra_sdhci_readl,
34482 .read_w = tegra_sdhci_readw,
34483 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c
34484 --- linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-19 00:06:34.000000000 -0400
34485 +++ linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-22 19:36:31.000000000 -0400
34486 @@ -387,7 +387,7 @@ static int sdricoh_get_ro(struct mmc_hos
34487 return (status & STATUS_CARD_LOCKED);
34488 }
34489
34490 -static struct mmc_host_ops sdricoh_ops = {
34491 +static const struct mmc_host_ops sdricoh_ops = {
34492 .request = sdricoh_request,
34493 .set_ios = sdricoh_set_ios,
34494 .get_ro = sdricoh_get_ro,
34495 diff -urNp linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c
34496 --- linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-19 00:06:34.000000000 -0400
34497 +++ linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-22 19:36:31.000000000 -0400
34498 @@ -872,7 +872,7 @@ static int sh_mmcif_get_cd(struct mmc_ho
34499 return p->get_cd(host->pd);
34500 }
34501
34502 -static struct mmc_host_ops sh_mmcif_ops = {
34503 +static const struct mmc_host_ops sh_mmcif_ops = {
34504 .request = sh_mmcif_request,
34505 .set_ios = sh_mmcif_set_ios,
34506 .get_cd = sh_mmcif_get_cd,
34507 diff -urNp linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c
34508 --- linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-19 00:06:34.000000000 -0400
34509 +++ linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-22 19:36:31.000000000 -0400
34510 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
34511 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34512 unsigned long timeo = jiffies + HZ;
34513
34514 + pax_track_stack();
34515 +
34516 /* Prevent setting state FL_SYNCING for chip in suspended state. */
34517 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34518 goto sleep;
34519 @@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
34520 unsigned long initial_adr;
34521 int initial_len = len;
34522
34523 + pax_track_stack();
34524 +
34525 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34526 adr += chip->start;
34527 initial_adr = adr;
34528 @@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
34529 int retries = 3;
34530 int ret;
34531
34532 + pax_track_stack();
34533 +
34534 adr += chip->start;
34535
34536 retry:
34537 diff -urNp linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c
34538 --- linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-19 00:06:34.000000000 -0400
34539 +++ linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-22 19:36:31.000000000 -0400
34540 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34541 unsigned long cmd_addr;
34542 struct cfi_private *cfi = map->fldrv_priv;
34543
34544 + pax_track_stack();
34545 +
34546 adr += chip->start;
34547
34548 /* Ensure cmd read/writes are aligned. */
34549 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34550 DECLARE_WAITQUEUE(wait, current);
34551 int wbufsize, z;
34552
34553 + pax_track_stack();
34554 +
34555 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34556 if (adr & (map_bankwidth(map)-1))
34557 return -EINVAL;
34558 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34559 DECLARE_WAITQUEUE(wait, current);
34560 int ret = 0;
34561
34562 + pax_track_stack();
34563 +
34564 adr += chip->start;
34565
34566 /* Let's determine this according to the interleave only once */
34567 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34568 unsigned long timeo = jiffies + HZ;
34569 DECLARE_WAITQUEUE(wait, current);
34570
34571 + pax_track_stack();
34572 +
34573 adr += chip->start;
34574
34575 /* Let's determine this according to the interleave only once */
34576 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34577 unsigned long timeo = jiffies + HZ;
34578 DECLARE_WAITQUEUE(wait, current);
34579
34580 + pax_track_stack();
34581 +
34582 adr += chip->start;
34583
34584 /* Let's determine this according to the interleave only once */
34585 diff -urNp linux-2.6.39.3/drivers/mtd/devices/doc2000.c linux-2.6.39.3/drivers/mtd/devices/doc2000.c
34586 --- linux-2.6.39.3/drivers/mtd/devices/doc2000.c 2011-05-19 00:06:34.000000000 -0400
34587 +++ linux-2.6.39.3/drivers/mtd/devices/doc2000.c 2011-05-22 19:36:31.000000000 -0400
34588 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34589
34590 /* The ECC will not be calculated correctly if less than 512 is written */
34591 /* DBB-
34592 - if (len != 0x200 && eccbuf)
34593 + if (len != 0x200)
34594 printk(KERN_WARNING
34595 "ECC needs a full sector write (adr: %lx size %lx)\n",
34596 (long) to, (long) len);
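Review bot: The changed condition sits directly under `/* DBB-`, which opens a comment, so the edited `if (len != 0x200)` appears to be commented-out text and the change would have no effect on the built driver. If the `eccbuf` reference was dropped only to keep the dead block consistent with the rest of the patch, it would be clearer to say so in the comment or to delete the block. The end of that comment and the rest of doc_write are outside the hunk, so this reading should be checked against the full file.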
34597 diff -urNp linux-2.6.39.3/drivers/mtd/devices/doc2001.c linux-2.6.39.3/drivers/mtd/devices/doc2001.c
34598 --- linux-2.6.39.3/drivers/mtd/devices/doc2001.c 2011-05-19 00:06:34.000000000 -0400
34599 +++ linux-2.6.39.3/drivers/mtd/devices/doc2001.c 2011-05-22 19:36:31.000000000 -0400
34600 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34601 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34602
34603 /* Don't allow read past end of device */
34604 - if (from >= this->totlen)
34605 + if (from >= this->totlen || !len)
34606 return -EINVAL;
34607
34608 /* Don't allow a single read to cross a 512-byte block boundary */
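Review bot: The comment `/* Don't allow read past end of device */` no longer describes the test beneath it, which now also rejects `len == 0` with `-EINVAL`. I would update it to `/* Don't allow read past end of device, or a zero-length read */` and confirm that no caller treats a zero-length read as a successful no-op, since such callers now get an error. Separately, `mychip` is computed from `from >> (this->chipshift)` on the line before this check, so the index is formed before `from` is validated. That is existing code, and it only matters if `mychip` is used before the early return, which the hunk does not show. The body of doc_read continues outside the hunk.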
34609 diff -urNp linux-2.6.39.3/drivers/mtd/ftl.c linux-2.6.39.3/drivers/mtd/ftl.c
34610 --- linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-19 00:06:34.000000000 -0400
34611 +++ linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-22 19:36:31.000000000 -0400
34612 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34613 loff_t offset;
34614 uint16_t srcunitswap = cpu_to_le16(srcunit);
34615
34616 + pax_track_stack();
34617 +
34618 eun = &part->EUNInfo[srcunit];
34619 xfer = &part->XferInfo[xferunit];
34620 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34621 diff -urNp linux-2.6.39.3/drivers/mtd/inftlcore.c linux-2.6.39.3/drivers/mtd/inftlcore.c
34622 --- linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-19 00:06:34.000000000 -0400
34623 +++ linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-22 19:36:31.000000000 -0400
34624 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
34625 struct inftl_oob oob;
34626 size_t retlen;
34627
34628 + pax_track_stack();
34629 +
34630 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34631 "pending=%d)\n", inftl, thisVUC, pendingblock);
34632
34633 diff -urNp linux-2.6.39.3/drivers/mtd/inftlmount.c linux-2.6.39.3/drivers/mtd/inftlmount.c
34634 --- linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-19 00:06:34.000000000 -0400
34635 +++ linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-22 19:36:31.000000000 -0400
34636 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
34637 struct INFTLPartition *ip;
34638 size_t retlen;
34639
34640 + pax_track_stack();
34641 +
34642 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34643
34644 /*
34645 diff -urNp linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c
34646 --- linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-19 00:06:34.000000000 -0400
34647 +++ linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-22 19:36:31.000000000 -0400
34648 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34649 {
34650 map_word pfow_val[4];
34651
34652 + pax_track_stack();
34653 +
34654 /* Check identification string */
34655 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34656 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34657 diff -urNp linux-2.6.39.3/drivers/mtd/mtdchar.c linux-2.6.39.3/drivers/mtd/mtdchar.c
34658 --- linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-19 00:06:34.000000000 -0400
34659 +++ linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-22 19:36:31.000000000 -0400
34660 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
34661 u_long size;
34662 struct mtd_info_user info;
34663
34664 + pax_track_stack();
34665 +
34666 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34667
34668 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34669 diff -urNp linux-2.6.39.3/drivers/mtd/nand/denali.c linux-2.6.39.3/drivers/mtd/nand/denali.c
34670 --- linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-19 00:06:34.000000000 -0400
34671 +++ linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-22 19:36:31.000000000 -0400
34672 @@ -25,6 +25,7 @@
34673 #include <linux/pci.h>
34674 #include <linux/mtd/mtd.h>
34675 #include <linux/module.h>
34676 +#include <linux/slab.h>
34677
34678 #include "denali.h"
34679
34680 diff -urNp linux-2.6.39.3/drivers/mtd/nftlcore.c linux-2.6.39.3/drivers/mtd/nftlcore.c
34681 --- linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-19 00:06:34.000000000 -0400
34682 +++ linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-22 19:36:31.000000000 -0400
34683 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
34684 int inplace = 1;
34685 size_t retlen;
34686
34687 + pax_track_stack();
34688 +
34689 memset(BlockMap, 0xff, sizeof(BlockMap));
34690 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34691
34692 diff -urNp linux-2.6.39.3/drivers/mtd/nftlmount.c linux-2.6.39.3/drivers/mtd/nftlmount.c
34693 --- linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-19 00:06:34.000000000 -0400
34694 +++ linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-22 19:36:31.000000000 -0400
34695 @@ -24,6 +24,7 @@
34696 #include <asm/errno.h>
34697 #include <linux/delay.h>
34698 #include <linux/slab.h>
34699 +#include <linux/sched.h>
34700 #include <linux/mtd/mtd.h>
34701 #include <linux/mtd/nand.h>
34702 #include <linux/mtd/nftl.h>
34703 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
34704 struct mtd_info *mtd = nftl->mbd.mtd;
34705 unsigned int i;
34706
34707 + pax_track_stack();
34708 +
34709 /* Assume logical EraseSize == physical erasesize for starting the scan.
34710 We'll sort it out later if we find a MediaHeader which says otherwise */
34711 /* Actually, we won't. The new DiskOnChip driver has already scanned
34712 diff -urNp linux-2.6.39.3/drivers/mtd/ubi/build.c linux-2.6.39.3/drivers/mtd/ubi/build.c
34713 --- linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-19 00:06:34.000000000 -0400
34714 +++ linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-22 19:36:31.000000000 -0400
34715 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
34716 static int __init bytes_str_to_int(const char *str)
34717 {
34718 char *endp;
34719 - unsigned long result;
34720 + unsigned long result, scale = 1;
34721
34722 result = simple_strtoul(str, &endp, 0);
34723 if (str == endp || result >= INT_MAX) {
34724 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
34725
34726 switch (*endp) {
34727 case 'G':
34728 - result *= 1024;
34729 + scale *= 1024;
34730 case 'M':
34731 - result *= 1024;
34732 + scale *= 1024;
34733 case 'K':
34734 - result *= 1024;
34735 + scale *= 1024;
34736 if (endp[1] == 'i' && endp[2] == 'B')
34737 endp += 2;
34738 case '\0':
34739 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
34740 return -EINVAL;
34741 }
34742
34743 - return result;
34744 + if ((intoverflow_t)result*scale >= INT_MAX) {
34745 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34746 + str);
34747 + return -EINVAL;
34748 + }
34749 +
34750 + return result*scale;
34751 }
34752
34753 /**
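Review bot: The new range check `(intoverflow_t)result*scale >= INT_MAX` is only sound if intoverflow_t is strictly wider than unsigned long, and that typedef lives outside this file, so nothing visible here guarantees it. A division-based form needs no wider type and, given the earlier `result >= INT_MAX` rejection, should accept exactly the same values: `if (result > INT_MAX / scale) {`. The `case 'G'`, `case 'M'` and `case 'K'` arms in the previous hunk build `scale` by falling through; a `/* fallthrough */` marker on each would make that intent explicit. bytes_str_to_int() begins in an earlier hunk of this file.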
34754 diff -urNp linux-2.6.39.3/drivers/net/bcm63xx_enet.c linux-2.6.39.3/drivers/net/bcm63xx_enet.c
34755 --- linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-19 00:06:34.000000000 -0400
34756 +++ linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-22 19:36:31.000000000 -0400
34757 @@ -1469,7 +1469,7 @@ static int bcm_enet_set_pauseparam(struc
34758 return 0;
34759 }
34760
34761 -static struct ethtool_ops bcm_enet_ethtool_ops = {
34762 +static const struct ethtool_ops bcm_enet_ethtool_ops = {
34763 .get_strings = bcm_enet_get_strings,
34764 .get_sset_count = bcm_enet_get_sset_count,
34765 .get_ethtool_stats = bcm_enet_get_ethtool_stats,
34766 diff -urNp linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c
34767 --- linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34768 +++ linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34769 @@ -1242,7 +1242,7 @@ bnad_get_sset_count(struct net_device *n
34770 }
34771 }
34772
34773 -static struct ethtool_ops bnad_ethtool_ops = {
34774 +static const struct ethtool_ops bnad_ethtool_ops = {
34775 .get_settings = bnad_get_settings,
34776 .set_settings = bnad_set_settings,
34777 .get_drvinfo = bnad_get_drvinfo,
34778 diff -urNp linux-2.6.39.3/drivers/net/bnx2.c linux-2.6.39.3/drivers/net/bnx2.c
34779 --- linux-2.6.39.3/drivers/net/bnx2.c 2011-05-19 00:06:34.000000000 -0400
34780 +++ linux-2.6.39.3/drivers/net/bnx2.c 2011-05-22 19:36:31.000000000 -0400
34781 @@ -5828,6 +5828,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34782 int rc = 0;
34783 u32 magic, csum;
34784
34785 + pax_track_stack();
34786 +
34787 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34788 goto test_nvram_done;
34789
34790 diff -urNp linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c
34791 --- linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34792 +++ linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34793 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
34794 int i, rc;
34795 u32 magic, crc;
34796
34797 + pax_track_stack();
34798 +
34799 if (BP_NOMCP(bp))
34800 return 0;
34801
34802 diff -urNp linux-2.6.39.3/drivers/net/chelsio/pm3393.c linux-2.6.39.3/drivers/net/chelsio/pm3393.c
34803 --- linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-19 00:06:34.000000000 -0400
34804 +++ linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-22 19:36:31.000000000 -0400
34805 @@ -571,7 +571,7 @@ static void pm3393_destroy(struct cmac *
34806 kfree(cmac);
34807 }
34808
34809 -static struct cmac_ops pm3393_ops = {
34810 +static const struct cmac_ops pm3393_ops = {
34811 .destroy = pm3393_destroy,
34812 .reset = pm3393_reset,
34813 .interrupt_enable = pm3393_interrupt_enable,
34814 diff -urNp linux-2.6.39.3/drivers/net/chelsio/vsc7326.c linux-2.6.39.3/drivers/net/chelsio/vsc7326.c
34815 --- linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-19 00:06:34.000000000 -0400
34816 +++ linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-22 19:36:31.000000000 -0400
34817 @@ -666,7 +666,7 @@ static void mac_destroy(struct cmac *mac
34818 kfree(mac);
34819 }
34820
34821 -static struct cmac_ops vsc7326_ops = {
34822 +static const struct cmac_ops vsc7326_ops = {
34823 .destroy = mac_destroy,
34824 .reset = mac_reset,
34825 .interrupt_handler = mac_intr_handler,
34826 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c
34827 --- linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-19 00:06:34.000000000 -0400
34828 +++ linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-22 19:36:31.000000000 -0400
34829 @@ -3428,6 +3428,8 @@ static int __devinit enable_msix(struct
34830 unsigned int nchan = adap->params.nports;
34831 struct msix_entry entries[MAX_INGQ + 1];
34832
34833 + pax_track_stack();
34834 +
34835 for (i = 0; i < ARRAY_SIZE(entries); ++i)
34836 entries[i].entry = i;
34837
34838 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c
34839 --- linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-19 00:06:34.000000000 -0400
34840 +++ linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-22 19:36:31.000000000 -0400
34841 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
34842 u8 vpd[VPD_LEN], csum;
34843 unsigned int vpdr_len, kw_offset, id_len;
34844
34845 + pax_track_stack();
34846 +
34847 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
34848 if (ret < 0)
34849 return ret;
34850 diff -urNp linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c
34851 --- linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-19 00:06:34.000000000 -0400
34852 +++ linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-22 19:36:31.000000000 -0400
34853 @@ -1572,7 +1572,7 @@ static int cxgb4vf_set_tso(struct net_de
34854 return 0;
34855 }
34856
34857 -static struct ethtool_ops cxgb4vf_ethtool_ops = {
34858 +static const struct ethtool_ops cxgb4vf_ethtool_ops = {
34859 .get_settings = cxgb4vf_get_settings,
34860 .get_drvinfo = cxgb4vf_get_drvinfo,
34861 .get_msglevel = cxgb4vf_get_msglevel,
34862 diff -urNp linux-2.6.39.3/drivers/net/e1000e/82571.c linux-2.6.39.3/drivers/net/e1000e/82571.c
34863 --- linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-19 00:06:34.000000000 -0400
34864 +++ linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-22 19:36:31.000000000 -0400
34865 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
34866 {
34867 struct e1000_hw *hw = &adapter->hw;
34868 struct e1000_mac_info *mac = &hw->mac;
34869 - struct e1000_mac_operations *func = &mac->ops;
34870 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34871 u32 swsm = 0;
34872 u32 swsm2 = 0;
34873 bool force_clear_smbi = false;
34874 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
34875 er32(ICRXDMTC);
34876 }
34877
34878 -static struct e1000_mac_operations e82571_mac_ops = {
34879 +static const struct e1000_mac_operations e82571_mac_ops = {
34880 /* .check_mng_mode: mac type dependent */
34881 /* .check_for_link: media type dependent */
34882 .id_led_init = e1000e_id_led_init,
34883 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
34884 .read_mac_addr = e1000_read_mac_addr_82571,
34885 };
34886
34887 -static struct e1000_phy_operations e82_phy_ops_igp = {
34888 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34889 .acquire = e1000_get_hw_semaphore_82571,
34890 .check_polarity = e1000_check_polarity_igp,
34891 .check_reset_block = e1000e_check_reset_block_generic,
34892 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
34893 .cfg_on_link_up = NULL,
34894 };
34895
34896 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34897 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34898 .acquire = e1000_get_hw_semaphore_82571,
34899 .check_polarity = e1000_check_polarity_m88,
34900 .check_reset_block = e1000e_check_reset_block_generic,
34901 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
34902 .cfg_on_link_up = NULL,
34903 };
34904
34905 -static struct e1000_phy_operations e82_phy_ops_bm = {
34906 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34907 .acquire = e1000_get_hw_semaphore_82571,
34908 .check_polarity = e1000_check_polarity_m88,
34909 .check_reset_block = e1000e_check_reset_block_generic,
34910 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
34911 .cfg_on_link_up = NULL,
34912 };
34913
34914 -static struct e1000_nvm_operations e82571_nvm_ops = {
34915 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34916 .acquire = e1000_acquire_nvm_82571,
34917 .read = e1000e_read_nvm_eerd,
34918 .release = e1000_release_nvm_82571,
34919 diff -urNp linux-2.6.39.3/drivers/net/e1000e/e1000.h linux-2.6.39.3/drivers/net/e1000e/e1000.h
34920 --- linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-19 00:06:34.000000000 -0400
34921 +++ linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-22 19:36:31.000000000 -0400
34922 @@ -409,9 +409,9 @@ struct e1000_info {
34923 u32 pba;
34924 u32 max_hw_frame_size;
34925 s32 (*get_variants)(struct e1000_adapter *);
34926 - struct e1000_mac_operations *mac_ops;
34927 - struct e1000_phy_operations *phy_ops;
34928 - struct e1000_nvm_operations *nvm_ops;
34929 + const struct e1000_mac_operations *mac_ops;
34930 + const struct e1000_phy_operations *phy_ops;
34931 + const struct e1000_nvm_operations *nvm_ops;
34932 };
34933
34934 /* hardware capability, feature, and workaround flags */
34935 diff -urNp linux-2.6.39.3/drivers/net/e1000e/es2lan.c linux-2.6.39.3/drivers/net/e1000e/es2lan.c
34936 --- linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-19 00:06:34.000000000 -0400
34937 +++ linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-22 19:36:31.000000000 -0400
34938 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
34939 {
34940 struct e1000_hw *hw = &adapter->hw;
34941 struct e1000_mac_info *mac = &hw->mac;
34942 - struct e1000_mac_operations *func = &mac->ops;
34943 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34944
34945 /* Set media type */
34946 switch (adapter->pdev->device) {
34947 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
34948 er32(ICRXDMTC);
34949 }
34950
34951 -static struct e1000_mac_operations es2_mac_ops = {
34952 +static const struct e1000_mac_operations es2_mac_ops = {
34953 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
34954 .id_led_init = e1000e_id_led_init,
34955 .check_mng_mode = e1000e_check_mng_mode_generic,
34956 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
34957 .setup_led = e1000e_setup_led_generic,
34958 };
34959
34960 -static struct e1000_phy_operations es2_phy_ops = {
34961 +static const struct e1000_phy_operations es2_phy_ops = {
34962 .acquire = e1000_acquire_phy_80003es2lan,
34963 .check_polarity = e1000_check_polarity_m88,
34964 .check_reset_block = e1000e_check_reset_block_generic,
34965 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
34966 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
34967 };
34968
34969 -static struct e1000_nvm_operations es2_nvm_ops = {
34970 +static const struct e1000_nvm_operations es2_nvm_ops = {
34971 .acquire = e1000_acquire_nvm_80003es2lan,
34972 .read = e1000e_read_nvm_eerd,
34973 .release = e1000_release_nvm_80003es2lan,
34974 diff -urNp linux-2.6.39.3/drivers/net/e1000e/hw.h linux-2.6.39.3/drivers/net/e1000e/hw.h
34975 --- linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-19 00:06:34.000000000 -0400
34976 +++ linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-22 19:36:31.000000000 -0400
34977 @@ -811,6 +811,7 @@ struct e1000_nvm_operations {
34978 };
34979
34980 struct e1000_mac_info {
34981 + /* cannot be const see e1000_init_mac_params_ich8lan */
34982 struct e1000_mac_operations ops;
34983 u8 addr[ETH_ALEN];
34984 u8 perm_addr[ETH_ALEN];
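Review bot: The comments added to this header justify the non-const exceptions unevenly: this one names e1000_init_mac_params_ich8lan without parentheses, the one on struct e1000_phy_info is capitalised differently, and the one on struct e1000_nvm_info is a bare `/* cannot be const */` with no reference at all. Because these embedded ops tables are the deliberate exceptions to the constification, each comment should point at the code that writes to them in one consistent form, e.g. `/* cannot be const, see e1000_init_mac_params_ich8lan() */`, and the nvm comment should name whichever function modifies nvm.ops (not visible here). The bare `/* cannot be const */` added to struct e1000_nvm_info in igb/e1000_hw.h has the same gap.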
34985 @@ -852,6 +853,7 @@ struct e1000_mac_info {
34986 };
34987
34988 struct e1000_phy_info {
34989 + /* Cannot be const see e1000_init_phy_params_82571() */
34990 struct e1000_phy_operations ops;
34991
34992 enum e1000_phy_type type;
34993 @@ -886,6 +888,7 @@ struct e1000_phy_info {
34994 };
34995
34996 struct e1000_nvm_info {
34997 + /* cannot be const */
34998 struct e1000_nvm_operations ops;
34999
35000 enum e1000_nvm_type type;
35001 diff -urNp linux-2.6.39.3/drivers/net/e1000e/ich8lan.c linux-2.6.39.3/drivers/net/e1000e/ich8lan.c
35002 --- linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-19 00:06:34.000000000 -0400
35003 +++ linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-22 19:36:31.000000000 -0400
35004 @@ -3866,7 +3866,7 @@ static void e1000_clear_hw_cntrs_ich8lan
35005 }
35006 }
35007
35008 -static struct e1000_mac_operations ich8_mac_ops = {
35009 +static const struct e1000_mac_operations ich8_mac_ops = {
35010 .id_led_init = e1000e_id_led_init,
35011 /* check_mng_mode dependent on mac type */
35012 .check_for_link = e1000_check_for_copper_link_ich8lan,
35013 @@ -3885,7 +3885,7 @@ static struct e1000_mac_operations ich8_
35014 /* id_led_init dependent on mac type */
35015 };
35016
35017 -static struct e1000_phy_operations ich8_phy_ops = {
35018 +static const struct e1000_phy_operations ich8_phy_ops = {
35019 .acquire = e1000_acquire_swflag_ich8lan,
35020 .check_reset_block = e1000_check_reset_block_ich8lan,
35021 .commit = NULL,
35022 @@ -3899,7 +3899,7 @@ static struct e1000_phy_operations ich8_
35023 .write_reg = e1000e_write_phy_reg_igp,
35024 };
35025
35026 -static struct e1000_nvm_operations ich8_nvm_ops = {
35027 +static const struct e1000_nvm_operations ich8_nvm_ops = {
35028 .acquire = e1000_acquire_nvm_ich8lan,
35029 .read = e1000_read_nvm_ich8lan,
35030 .release = e1000_release_nvm_ich8lan,
35031 diff -urNp linux-2.6.39.3/drivers/net/greth.c linux-2.6.39.3/drivers/net/greth.c
35032 --- linux-2.6.39.3/drivers/net/greth.c 2011-05-19 00:06:34.000000000 -0400
35033 +++ linux-2.6.39.3/drivers/net/greth.c 2011-05-22 19:36:31.000000000 -0400
35034 @@ -1192,7 +1192,7 @@ static const struct ethtool_ops greth_et
35035 .get_link = ethtool_op_get_link,
35036 };
35037
35038 -static struct net_device_ops greth_netdev_ops = {
35039 +static const struct net_device_ops greth_netdev_ops = {
35040 .ndo_open = greth_open,
35041 .ndo_stop = greth_close,
35042 .ndo_start_xmit = greth_start_xmit,
35043 diff -urNp linux-2.6.39.3/drivers/net/hamradio/6pack.c linux-2.6.39.3/drivers/net/hamradio/6pack.c
35044 --- linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:18:51.000000000 -0400
35045 +++ linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:19:18.000000000 -0400
35046 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
35047 unsigned char buf[512];
35048 int count1;
35049
35050 + pax_track_stack();
35051 +
35052 if (!count)
35053 return;
35054
35055 diff -urNp linux-2.6.39.3/drivers/net/ibm_newemac/phy.c linux-2.6.39.3/drivers/net/ibm_newemac/phy.c
35056 --- linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-19 00:06:34.000000000 -0400
35057 +++ linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-22 19:36:31.000000000 -0400
35058 @@ -273,7 +273,7 @@ static int genmii_read_link(struct mii_p
35059 }
35060
35061 /* Generic implementation for most 10/100/1000 PHYs */
35062 -static struct mii_phy_ops generic_phy_ops = {
35063 +static const struct mii_phy_ops generic_phy_ops = {
35064 .setup_aneg = genmii_setup_aneg,
35065 .setup_forced = genmii_setup_forced,
35066 .poll_link = genmii_poll_link,
35067 @@ -337,7 +337,7 @@ static int cis8201_init(struct mii_phy *
35068 return 0;
35069 }
35070
35071 -static struct mii_phy_ops cis8201_phy_ops = {
35072 +static const struct mii_phy_ops cis8201_phy_ops = {
35073 .init = cis8201_init,
35074 .setup_aneg = genmii_setup_aneg,
35075 .setup_forced = genmii_setup_forced,
35076 @@ -417,7 +417,7 @@ static int et1011c_init(struct mii_phy *
35077 return 0;
35078 }
35079
35080 -static struct mii_phy_ops et1011c_phy_ops = {
35081 +static const struct mii_phy_ops et1011c_phy_ops = {
35082 .init = et1011c_init,
35083 .setup_aneg = genmii_setup_aneg,
35084 .setup_forced = genmii_setup_forced,
35085 @@ -436,7 +436,7 @@ static struct mii_phy_def et1011c_phy_de
35086
35087
35088
35089 -static struct mii_phy_ops m88e1111_phy_ops = {
35090 +static const struct mii_phy_ops m88e1111_phy_ops = {
35091 .init = m88e1111_init,
35092 .setup_aneg = genmii_setup_aneg,
35093 .setup_forced = genmii_setup_forced,
35094 @@ -452,7 +452,7 @@ static struct mii_phy_def m88e1111_phy_d
35095 .ops = &m88e1111_phy_ops,
35096 };
35097
35098 -static struct mii_phy_ops m88e1112_phy_ops = {
35099 +static const struct mii_phy_ops m88e1112_phy_ops = {
35100 .init = m88e1112_init,
35101 .setup_aneg = genmii_setup_aneg,
35102 .setup_forced = genmii_setup_forced,
35103 diff -urNp linux-2.6.39.3/drivers/net/ibmveth.c linux-2.6.39.3/drivers/net/ibmveth.c
35104 --- linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-19 00:06:34.000000000 -0400
35105 +++ linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-22 19:36:31.000000000 -0400
35106 @@ -1625,7 +1625,7 @@ static struct vio_device_id ibmveth_devi
35107 };
35108 MODULE_DEVICE_TABLE(vio, ibmveth_device_table);
35109
35110 -static struct dev_pm_ops ibmveth_pm_ops = {
35111 +static const struct dev_pm_ops ibmveth_pm_ops = {
35112 .resume = ibmveth_resume
35113 };
35114
35115 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_82575.c linux-2.6.39.3/drivers/net/igb/e1000_82575.c
35116 --- linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-19 00:06:34.000000000 -0400
35117 +++ linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-22 19:36:31.000000000 -0400
35118 @@ -2029,7 +2029,7 @@ out:
35119 return ret_val;
35120 }
35121
35122 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
35123 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
35124 .init_hw = igb_init_hw_82575,
35125 .check_for_link = igb_check_for_link_82575,
35126 .rar_set = igb_rar_set,
35127 @@ -2037,13 +2037,13 @@ static struct e1000_mac_operations e1000
35128 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
35129 };
35130
35131 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
35132 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
35133 .acquire = igb_acquire_phy_82575,
35134 .get_cfg_done = igb_get_cfg_done_82575,
35135 .release = igb_release_phy_82575,
35136 };
35137
35138 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35139 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35140 .acquire = igb_acquire_nvm_82575,
35141 .read = igb_read_nvm_eerd,
35142 .release = igb_release_nvm_82575,
35143 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_hw.h linux-2.6.39.3/drivers/net/igb/e1000_hw.h
35144 --- linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-19 00:06:34.000000000 -0400
35145 +++ linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-22 19:36:31.000000000 -0400
35146 @@ -342,14 +342,15 @@ struct e1000_nvm_operations {
35147
35148 struct e1000_info {
35149 s32 (*get_invariants)(struct e1000_hw *);
35150 - struct e1000_mac_operations *mac_ops;
35151 - struct e1000_phy_operations *phy_ops;
35152 - struct e1000_nvm_operations *nvm_ops;
35153 + const struct e1000_mac_operations *mac_ops;
35154 + const struct e1000_phy_operations *phy_ops;
35155 + const struct e1000_nvm_operations *nvm_ops;
35156 };
35157
35158 extern const struct e1000_info e1000_82575_info;
35159
35160 struct e1000_mac_info {
35161 + /* cannot be const see igb_get_invariants_82575() */
35162 struct e1000_mac_operations ops;
35163
35164 u8 addr[6];
35165 @@ -388,6 +389,7 @@ struct e1000_mac_info {
35166 };
35167
35168 struct e1000_phy_info {
35169 + /* cannot be const see igb_get_invariants_82575() */
35170 struct e1000_phy_operations ops;
35171
35172 enum e1000_phy_type type;
35173 @@ -423,6 +425,7 @@ struct e1000_phy_info {
35174 };
35175
35176 struct e1000_nvm_info {
35177 + /* cannot be const */
35178 struct e1000_nvm_operations ops;
35179 enum e1000_nvm_type type;
35180 enum e1000_nvm_override override;
35181 diff -urNp linux-2.6.39.3/drivers/net/igbvf/vf.h linux-2.6.39.3/drivers/net/igbvf/vf.h
35182 --- linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-19 00:06:34.000000000 -0400
35183 +++ linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-22 19:36:31.000000000 -0400
35184 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
35185 };
35186
35187 struct e1000_mac_info {
35188 + /* cannot be const see e1000_init_mac_params_vf() */
35189 struct e1000_mac_operations ops;
35190 u8 addr[6];
35191 u8 perm_addr[6];
35192 diff -urNp linux-2.6.39.3/drivers/net/irda/sh_irda.c linux-2.6.39.3/drivers/net/irda/sh_irda.c
35193 --- linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-19 00:06:34.000000000 -0400
35194 +++ linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-22 19:36:31.000000000 -0400
35195 @@ -307,7 +307,7 @@ static int xir_fte(struct sh_irda_self *
35196 return 0;
35197 }
35198
35199 -static struct sh_irda_xir_func xir_func = {
35200 +static const struct sh_irda_xir_func xir_func = {
35201 .xir_fre = xir_fre,
35202 .xir_trov = xir_trov,
35203 .xir_9 = xir_9,
35204 @@ -321,7 +321,7 @@ static struct sh_irda_xir_func xir_func
35205 *
35206 * MIR/FIR are not supported now
35207 *=====================================*/
35208 -static struct sh_irda_xir_func mfir_func = {
35209 +static const struct sh_irda_xir_func mfir_func = {
35210 .xir_fre = xir_fre,
35211 .xir_trov = xir_trov,
35212 .xir_9 = xir_9,
35213 @@ -400,7 +400,7 @@ static int sir_fte(struct sh_irda_self *
35214 return 0;
35215 }
35216
35217 -static struct sh_irda_xir_func sir_func = {
35218 +static const struct sh_irda_xir_func sir_func = {
35219 .xir_fre = sir_fre,
35220 .xir_trov = sir_trov,
35221 .xir_9 = sir_tot,
35222 @@ -411,7 +411,7 @@ static struct sh_irda_xir_func sir_func
35223 static void sh_irda_set_mode(struct sh_irda_self *self, enum sh_irda_mode mode)
35224 {
35225 struct device *dev = &self->ndev->dev;
35226 - struct sh_irda_xir_func *func;
35227 + const struct sh_irda_xir_func *func;
35228 const char *name;
35229 u16 data;
35230
35231 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c
35232 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-19 00:06:34.000000000 -0400
35233 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-22 19:36:31.000000000 -0400
35234 @@ -1069,6 +1069,8 @@ ixgb_set_multi(struct net_device *netdev
35235 u32 rctl;
35236 int i;
35237
35238 + pax_track_stack();
35239 +
35240 /* Check for Promiscuous and All Multicast modes */
35241
35242 rctl = IXGB_READ_REG(hw, RCTL);
35243 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c
35244 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-19 00:06:34.000000000 -0400
35245 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-22 19:36:31.000000000 -0400
35246 @@ -261,6 +261,9 @@ void __devinit
35247 ixgb_check_options(struct ixgb_adapter *adapter)
35248 {
35249 int bd = adapter->bd_number;
35250 +
35251 + pax_track_stack();
35252 +
35253 if (bd >= IXGB_MAX_NIC) {
35254 pr_notice("Warning: no configuration for board #%i\n", bd);
35255 pr_notice("Using defaults for all values\n");
35256 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c
35257 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-19 00:06:34.000000000 -0400
35258 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-22 19:36:31.000000000 -0400
35259 @@ -2099,7 +2099,7 @@ static struct ixgbe_phy_operations phy_o
35260 .check_overtemp = &ixgbe_tn_check_overtemp,
35261 };
35262
35263 -struct ixgbe_info ixgbe_82599_info = {
35264 +const struct ixgbe_info ixgbe_82599_info = {
35265 .mac = ixgbe_mac_82599EB,
35266 .get_invariants = &ixgbe_get_invariants_82599,
35267 .mac_ops = &mac_ops_82599,
35268 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h
35269 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-19 00:06:34.000000000 -0400
35270 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-22 19:36:31.000000000 -0400
35271 @@ -493,8 +493,8 @@ enum ixgbe_boards {
35272 };
35273
35274 extern struct ixgbe_info ixgbe_82598_info;
35275 -extern struct ixgbe_info ixgbe_82599_info;
35276 -extern struct ixgbe_info ixgbe_X540_info;
35277 +extern const struct ixgbe_info ixgbe_82599_info;
35278 +extern const struct ixgbe_info ixgbe_X540_info;
35279 #ifdef CONFIG_IXGBE_DCB
35280 extern const struct dcbnl_rtnl_ops dcbnl_ops;
35281 extern int ixgbe_copy_dcb_cfg(struct ixgbe_dcb_config *src_dcb_cfg,
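Review bot: `ixgbe_82598_info` on the first context line of this hunk stays a mutable `struct ixgbe_info` while its two siblings become const, and no hunk for ixgbe_82598.c appears alongside the ixgbe_82599.c and ixgbe_x540.c changes. If nothing writes to it at runtime (not visible here), declare it `extern const struct ixgbe_info ixgbe_82598_info;` and make the definition match; otherwise add a short comment saying why it cannot be const, as the e1000e headers in this patch do. Leaving one structure of function and ops pointers in writable memory undercuts the protection gained by constifying the other two, so the exception should be deliberate and documented.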
35282 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c
35283 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-19 00:06:34.000000000 -0400
35284 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-22 19:36:31.000000000 -0400
35285 @@ -727,7 +727,7 @@ static struct ixgbe_phy_operations phy_o
35286 .check_overtemp = &ixgbe_tn_check_overtemp,
35287 };
35288
35289 -struct ixgbe_info ixgbe_X540_info = {
35290 +const struct ixgbe_info ixgbe_X540_info = {
35291 .mac = ixgbe_mac_X540,
35292 .get_invariants = &ixgbe_get_invariants_X540,
35293 .mac_ops = &mac_ops_X540,
35294 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c
35295 --- linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-19 00:06:34.000000000 -0400
35296 +++ linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-22 19:36:31.000000000 -0400
35297 @@ -709,7 +709,7 @@ static int ixgbevf_nway_reset(struct net
35298 return 0;
35299 }
35300
35301 -static struct ethtool_ops ixgbevf_ethtool_ops = {
35302 +static const struct ethtool_ops ixgbevf_ethtool_ops = {
35303 .get_settings = ixgbevf_get_settings,
35304 .get_drvinfo = ixgbevf_get_drvinfo,
35305 .get_regs_len = ixgbevf_get_regs_len,
35306 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h
35307 --- linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-19 00:06:34.000000000 -0400
35308 +++ linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-22 19:36:31.000000000 -0400
35309 @@ -279,7 +279,7 @@ enum ixgbevf_boards {
35310
35311 extern struct ixgbevf_info ixgbevf_82599_vf_info;
35312 extern struct ixgbevf_info ixgbevf_X540_vf_info;
35313 -extern struct ixgbe_mac_operations ixgbevf_mbx_ops;
35314 +extern const struct ixgbe_mac_operations ixgbevf_mbx_ops;
35315
35316 /* needed by ethtool.c */
35317 extern char ixgbevf_driver_name[];
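Review bot: The two context lines at the top of this hunk still declare `ixgbevf_82599_vf_info` and `ixgbevf_X540_vf_info` as non-const `struct ixgbevf_info`, while the vf.c change in this patch defines both as `const struct ixgbevf_info`. The declarations should become `extern const struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern const struct ixgbevf_info ixgbevf_X540_vf_info;`, so that code including this header cannot take a writable pointer to an object that is now placed in read-only data. Conversely, `ixgbevf_mbx_ops` is made const here with no matching change to its definition in the visible part of the patch; check that the defining file agrees with the new declaration.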
35318 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.c linux-2.6.39.3/drivers/net/ixgbevf/vf.c
35319 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-19 00:06:34.000000000 -0400
35320 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-22 19:36:31.000000000 -0400
35321 @@ -368,7 +368,7 @@ static s32 ixgbevf_check_mac_link_vf(str
35322 return 0;
35323 }
35324
35325 -static struct ixgbe_mac_operations ixgbevf_mac_ops = {
35326 +static const struct ixgbe_mac_operations ixgbevf_mac_ops = {
35327 .init_hw = ixgbevf_init_hw_vf,
35328 .reset_hw = ixgbevf_reset_hw_vf,
35329 .start_hw = ixgbevf_start_hw_vf,
35330 @@ -381,12 +381,12 @@ static struct ixgbe_mac_operations ixgbe
35331 .set_vfta = ixgbevf_set_vfta_vf,
35332 };
35333
35334 -struct ixgbevf_info ixgbevf_82599_vf_info = {
35335 +const struct ixgbevf_info ixgbevf_82599_vf_info = {
35336 .mac = ixgbe_mac_82599_vf,
35337 .mac_ops = &ixgbevf_mac_ops,
35338 };
35339
35340 -struct ixgbevf_info ixgbevf_X540_vf_info = {
35341 +const struct ixgbevf_info ixgbevf_X540_vf_info = {
35342 .mac = ixgbe_mac_X540_vf,
35343 .mac_ops = &ixgbevf_mac_ops,
35344 };
35345 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.h linux-2.6.39.3/drivers/net/ixgbevf/vf.h
35346 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-19 00:06:34.000000000 -0400
35347 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-22 19:36:31.000000000 -0400
35348 @@ -166,7 +166,7 @@ struct ixgbevf_hw_stats {
35349
35350 struct ixgbevf_info {
35351 enum ixgbe_mac_type mac;
35352 - struct ixgbe_mac_operations *mac_ops;
35353 + const struct ixgbe_mac_operations *mac_ops;
35354 };
35355
35356 #endif /* __IXGBE_VF_H__ */
35357 diff -urNp linux-2.6.39.3/drivers/net/ksz884x.c linux-2.6.39.3/drivers/net/ksz884x.c
35358 --- linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-19 00:06:34.000000000 -0400
35359 +++ linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-22 19:36:31.000000000 -0400
35360 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
35361 int rc;
35362 u64 counter[TOTAL_PORT_COUNTER_NUM];
35363
35364 + pax_track_stack();
35365 +
35366 mutex_lock(&hw_priv->lock);
35367 n = SWITCH_PORT_NUM;
35368 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
35369 @@ -6637,7 +6639,7 @@ static int netdev_set_rx_csum(struct net
35370 return 0;
35371 }
35372
35373 -static struct ethtool_ops netdev_ethtool_ops = {
35374 +static const struct ethtool_ops netdev_ethtool_ops = {
35375 .get_settings = netdev_get_settings,
35376 .set_settings = netdev_set_settings,
35377 .nway_reset = netdev_nway_reset,
35378 diff -urNp linux-2.6.39.3/drivers/net/mlx4/main.c linux-2.6.39.3/drivers/net/mlx4/main.c
35379 --- linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-19 00:06:34.000000000 -0400
35380 +++ linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-22 19:36:31.000000000 -0400
35381 @@ -40,6 +40,7 @@
35382 #include <linux/dma-mapping.h>
35383 #include <linux/slab.h>
35384 #include <linux/io-mapping.h>
35385 +#include <linux/sched.h>
35386
35387 #include <linux/mlx4/device.h>
35388 #include <linux/mlx4/doorbell.h>
35389 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
35390 u64 icm_size;
35391 int err;
35392
35393 + pax_track_stack();
35394 +
35395 err = mlx4_QUERY_FW(dev);
35396 if (err) {
35397 if (err == -EACCES)
35398 diff -urNp linux-2.6.39.3/drivers/net/netconsole.c linux-2.6.39.3/drivers/net/netconsole.c
35399 --- linux-2.6.39.3/drivers/net/netconsole.c 2011-05-19 00:06:34.000000000 -0400
35400 +++ linux-2.6.39.3/drivers/net/netconsole.c 2011-05-22 19:36:31.000000000 -0400
35401 @@ -634,7 +634,7 @@ static void drop_netconsole_target(struc
35402 config_item_put(&nt->item);
35403 }
35404
35405 -static struct configfs_group_operations netconsole_subsys_group_ops = {
35406 +static const struct configfs_group_operations netconsole_subsys_group_ops = {
35407 .make_item = make_netconsole_target,
35408 .drop_item = drop_netconsole_target,
35409 };
35410 diff -urNp linux-2.6.39.3/drivers/net/niu.c linux-2.6.39.3/drivers/net/niu.c
35411 --- linux-2.6.39.3/drivers/net/niu.c 2011-05-19 00:06:34.000000000 -0400
35412 +++ linux-2.6.39.3/drivers/net/niu.c 2011-05-22 19:36:31.000000000 -0400
35413 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
35414 int i, num_irqs, err;
35415 u8 first_ldg;
35416
35417 + pax_track_stack();
35418 +
35419 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35420 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35421 ldg_num_map[i] = first_ldg + i;
35422 diff -urNp linux-2.6.39.3/drivers/net/pcnet32.c linux-2.6.39.3/drivers/net/pcnet32.c
35423 --- linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-19 00:06:34.000000000 -0400
35424 +++ linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-22 19:36:31.000000000 -0400
35425 @@ -82,7 +82,7 @@ static int cards_found;
35426 /*
35427 * VLB I/O addresses
35428 */
35429 -static unsigned int pcnet32_portlist[] __initdata =
35430 +static unsigned int pcnet32_portlist[] __devinitdata =
35431 { 0x300, 0x320, 0x340, 0x360, 0 };
35432
35433 static int pcnet32_debug;
35434 @@ -379,7 +379,7 @@ static int pcnet32_wio_check(unsigned lo
35435 return inw(addr + PCNET32_WIO_RAP) == 88;
35436 }
35437
35438 -static struct pcnet32_access pcnet32_wio = {
35439 +static const struct pcnet32_access pcnet32_wio = {
35440 .read_csr = pcnet32_wio_read_csr,
35441 .write_csr = pcnet32_wio_write_csr,
35442 .read_bcr = pcnet32_wio_read_bcr,
35443 @@ -434,7 +434,7 @@ static int pcnet32_dwio_check(unsigned l
35444 return (inl(addr + PCNET32_DWIO_RAP) & 0xffff) == 88;
35445 }
35446
35447 -static struct pcnet32_access pcnet32_dwio = {
35448 +static const struct pcnet32_access pcnet32_dwio = {
35449 .read_csr = pcnet32_dwio_read_csr,
35450 .write_csr = pcnet32_dwio_write_csr,
35451 .read_bcr = pcnet32_dwio_read_bcr,
35452 @@ -1546,7 +1546,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35453 int chip_version;
35454 char *chipname;
35455 struct net_device *dev;
35456 - struct pcnet32_access *a = NULL;
35457 + const struct pcnet32_access *a = NULL;
35458 u8 promaddr[6];
35459 int ret = -ENODEV;
35460
35461 diff -urNp linux-2.6.39.3/drivers/net/ppp_generic.c linux-2.6.39.3/drivers/net/ppp_generic.c
35462 --- linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-19 00:06:34.000000000 -0400
35463 +++ linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-22 19:36:31.000000000 -0400
35464 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
35465 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
35466 struct ppp_stats stats;
35467 struct ppp_comp_stats cstats;
35468 - char *vers;
35469
35470 switch (cmd) {
35471 case SIOCGPPPSTATS:
35472 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
35473 break;
35474
35475 case SIOCGPPPVER:
35476 - vers = PPP_VERSION;
35477 - if (copy_to_user(addr, vers, strlen(vers) + 1))
35478 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
35479 break;
35480 err = 0;
35481 break;
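Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case yields the string length plus terminator only while PPP_VERSION expands to a string literal or array; if it were ever redefined as a `const char *`, sizeof would give the pointer size and the copy would be truncated or read past the string. The macro's definition is outside this hunk, so this should be confirmed there. A short comment would record the dependency, e.g. `/* PPP_VERSION must stay a string literal: sizeof includes the NUL */`. ppp_net_ioctl continues outside the hunk.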
35482 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h
35483 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-19 00:06:34.000000000 -0400
35484 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-22 19:36:31.000000000 -0400
35485 @@ -1037,7 +1037,7 @@ struct qlcnic_adapter {
35486 struct vlan_group *vlgrp;
35487 struct qlcnic_npar_info *npars;
35488 struct qlcnic_eswitch *eswitch;
35489 - struct qlcnic_nic_template *nic_ops;
35490 + const struct qlcnic_nic_template *nic_ops;
35491
35492 struct qlcnic_adapter_stats stats;
35493
35494 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c
35495 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-19 00:06:34.000000000 -0400
35496 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-22 19:36:31.000000000 -0400
35497 @@ -340,13 +340,13 @@ static const struct net_device_ops qlcni
35498 #endif
35499 };
35500
35501 -static struct qlcnic_nic_template qlcnic_ops = {
35502 +static const struct qlcnic_nic_template qlcnic_ops = {
35503 .config_bridged_mode = qlcnic_config_bridged_mode,
35504 .config_led = qlcnic_config_led,
35505 .start_firmware = qlcnic_start_firmware
35506 };
35507
35508 -static struct qlcnic_nic_template qlcnic_vf_ops = {
35509 +static const struct qlcnic_nic_template qlcnic_vf_ops = {
35510 .config_bridged_mode = qlcnicvf_config_bridged_mode,
35511 .config_led = qlcnicvf_config_led,
35512 .start_firmware = qlcnicvf_start_firmware
35513 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge.h linux-2.6.39.3/drivers/net/qlge/qlge.h
35514 --- linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-19 00:06:34.000000000 -0400
35515 +++ linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-22 19:36:31.000000000 -0400
35516 @@ -2134,7 +2134,7 @@ struct ql_adapter {
35517 struct delayed_work mpi_idc_work;
35518 struct delayed_work mpi_core_to_log;
35519 struct completion ide_completion;
35520 - struct nic_operations *nic_ops;
35521 + const struct nic_operations *nic_ops;
35522 u16 device_id;
35523 struct timer_list timer;
35524 atomic_t lb_count;
35525 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge_main.c linux-2.6.39.3/drivers/net/qlge/qlge_main.c
35526 --- linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-19 00:06:34.000000000 -0400
35527 +++ linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-22 19:36:31.000000000 -0400
35528 @@ -4412,12 +4412,12 @@ error:
35529 rtnl_unlock();
35530 }
35531
35532 -static struct nic_operations qla8012_nic_ops = {
35533 +static const struct nic_operations qla8012_nic_ops = {
35534 .get_flash = ql_get_8012_flash_params,
35535 .port_initialize = ql_8012_port_initialize,
35536 };
35537
35538 -static struct nic_operations qla8000_nic_ops = {
35539 +static const struct nic_operations qla8000_nic_ops = {
35540 .get_flash = ql_get_8000_flash_params,
35541 .port_initialize = ql_8000_port_initialize,
35542 };
35543 diff -urNp linux-2.6.39.3/drivers/net/sfc/falcon.c linux-2.6.39.3/drivers/net/sfc/falcon.c
35544 --- linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-19 00:06:34.000000000 -0400
35545 +++ linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-22 19:36:31.000000000 -0400
35546 @@ -1703,7 +1703,7 @@ static int falcon_set_wol(struct efx_nic
35547 **************************************************************************
35548 */
35549
35550 -struct efx_nic_type falcon_a1_nic_type = {
35551 +const struct efx_nic_type falcon_a1_nic_type = {
35552 .probe = falcon_probe_nic,
35553 .remove = falcon_remove_nic,
35554 .init = falcon_init_nic,
35555 @@ -1744,7 +1744,7 @@ struct efx_nic_type falcon_a1_nic_type =
35556 .reset_world_flags = ETH_RESET_IRQ,
35557 };
35558
35559 -struct efx_nic_type falcon_b0_nic_type = {
35560 +const struct efx_nic_type falcon_b0_nic_type = {
35561 .probe = falcon_probe_nic,
35562 .remove = falcon_remove_nic,
35563 .init = falcon_init_nic,
35564 diff -urNp linux-2.6.39.3/drivers/net/sfc/mtd.c linux-2.6.39.3/drivers/net/sfc/mtd.c
35565 --- linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-19 00:06:34.000000000 -0400
35566 +++ linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-22 19:36:31.000000000 -0400
35567 @@ -382,7 +382,7 @@ static int falcon_mtd_sync(struct mtd_in
35568 return rc;
35569 }
35570
35571 -static struct efx_mtd_ops falcon_mtd_ops = {
35572 +static const struct efx_mtd_ops falcon_mtd_ops = {
35573 .read = falcon_mtd_read,
35574 .erase = falcon_mtd_erase,
35575 .write = falcon_mtd_write,
35576 @@ -560,7 +560,7 @@ static int siena_mtd_sync(struct mtd_inf
35577 return rc;
35578 }
35579
35580 -static struct efx_mtd_ops siena_mtd_ops = {
35581 +static const struct efx_mtd_ops siena_mtd_ops = {
35582 .read = siena_mtd_read,
35583 .erase = siena_mtd_erase,
35584 .write = siena_mtd_write,
35585 diff -urNp linux-2.6.39.3/drivers/net/sfc/nic.h linux-2.6.39.3/drivers/net/sfc/nic.h
35586 --- linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-19 00:06:34.000000000 -0400
35587 +++ linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-22 19:36:31.000000000 -0400
35588 @@ -152,9 +152,9 @@ struct siena_nic_data {
35589 int wol_filter_id;
35590 };
35591
35592 -extern struct efx_nic_type falcon_a1_nic_type;
35593 -extern struct efx_nic_type falcon_b0_nic_type;
35594 -extern struct efx_nic_type siena_a0_nic_type;
35595 +extern const struct efx_nic_type falcon_a1_nic_type;
35596 +extern const struct efx_nic_type falcon_b0_nic_type;
35597 +extern const struct efx_nic_type siena_a0_nic_type;
35598
35599 /**************************************************************************
35600 *
35601 diff -urNp linux-2.6.39.3/drivers/net/sfc/siena.c linux-2.6.39.3/drivers/net/sfc/siena.c
35602 --- linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-19 00:06:34.000000000 -0400
35603 +++ linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-22 19:36:31.000000000 -0400
35604 @@ -599,7 +599,7 @@ static void siena_init_wol(struct efx_ni
35605 **************************************************************************
35606 */
35607
35608 -struct efx_nic_type siena_a0_nic_type = {
35609 +const struct efx_nic_type siena_a0_nic_type = {
35610 .probe = siena_probe_nic,
35611 .remove = siena_remove_nic,
35612 .init = siena_init_nic,
35613 diff -urNp linux-2.6.39.3/drivers/net/sh_eth.c linux-2.6.39.3/drivers/net/sh_eth.c
35614 --- linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-19 00:06:34.000000000 -0400
35615 +++ linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-22 19:36:31.000000000 -0400
35616 @@ -1360,7 +1360,7 @@ static void sh_eth_get_strings(struct ne
35617 }
35618 }
35619
35620 -static struct ethtool_ops sh_eth_ethtool_ops = {
35621 +static const struct ethtool_ops sh_eth_ethtool_ops = {
35622 .get_settings = sh_eth_get_settings,
35623 .set_settings = sh_eth_set_settings,
35624 .nway_reset = sh_eth_nway_reset,
35625 diff -urNp linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c
35626 --- linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35627 +++ linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35628 @@ -348,7 +348,7 @@ static int stmmac_set_wol(struct net_dev
35629 return 0;
35630 }
35631
35632 -static struct ethtool_ops stmmac_ethtool_ops = {
35633 +static const struct ethtool_ops stmmac_ethtool_ops = {
35634 .begin = stmmac_check_if_running,
35635 .get_drvinfo = stmmac_ethtool_getdrvinfo,
35636 .get_settings = stmmac_ethtool_getsettings,
35637 diff -urNp linux-2.6.39.3/drivers/net/sungem_phy.c linux-2.6.39.3/drivers/net/sungem_phy.c
35638 --- linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-19 00:06:34.000000000 -0400
35639 +++ linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-22 19:36:31.000000000 -0400
35640 @@ -886,7 +886,7 @@ static int marvell_read_link(struct mii_
35641 SUPPORTED_1000baseT_Half | SUPPORTED_1000baseT_Full)
35642
35643 /* Broadcom BCM 5201 */
35644 -static struct mii_phy_ops bcm5201_phy_ops = {
35645 +static const struct mii_phy_ops bcm5201_phy_ops = {
35646 .init = bcm5201_init,
35647 .suspend = bcm5201_suspend,
35648 .setup_aneg = genmii_setup_aneg,
35649 @@ -905,7 +905,7 @@ static struct mii_phy_def bcm5201_phy_de
35650 };
35651
35652 /* Broadcom BCM 5221 */
35653 -static struct mii_phy_ops bcm5221_phy_ops = {
35654 +static const struct mii_phy_ops bcm5221_phy_ops = {
35655 .suspend = bcm5221_suspend,
35656 .init = bcm5221_init,
35657 .setup_aneg = genmii_setup_aneg,
35658 @@ -924,7 +924,7 @@ static struct mii_phy_def bcm5221_phy_de
35659 };
35660
35661 /* Broadcom BCM 5241 */
35662 -static struct mii_phy_ops bcm5241_phy_ops = {
35663 +static const struct mii_phy_ops bcm5241_phy_ops = {
35664 .suspend = bcm5241_suspend,
35665 .init = bcm5241_init,
35666 .setup_aneg = genmii_setup_aneg,
35667 @@ -942,7 +942,7 @@ static struct mii_phy_def bcm5241_phy_de
35668 };
35669
35670 /* Broadcom BCM 5400 */
35671 -static struct mii_phy_ops bcm5400_phy_ops = {
35672 +static const struct mii_phy_ops bcm5400_phy_ops = {
35673 .init = bcm5400_init,
35674 .suspend = bcm5400_suspend,
35675 .setup_aneg = bcm54xx_setup_aneg,
35676 @@ -961,7 +961,7 @@ static struct mii_phy_def bcm5400_phy_de
35677 };
35678
35679 /* Broadcom BCM 5401 */
35680 -static struct mii_phy_ops bcm5401_phy_ops = {
35681 +static const struct mii_phy_ops bcm5401_phy_ops = {
35682 .init = bcm5401_init,
35683 .suspend = bcm5401_suspend,
35684 .setup_aneg = bcm54xx_setup_aneg,
35685 @@ -980,7 +980,7 @@ static struct mii_phy_def bcm5401_phy_de
35686 };
35687
35688 /* Broadcom BCM 5411 */
35689 -static struct mii_phy_ops bcm5411_phy_ops = {
35690 +static const struct mii_phy_ops bcm5411_phy_ops = {
35691 .init = bcm5411_init,
35692 .suspend = generic_suspend,
35693 .setup_aneg = bcm54xx_setup_aneg,
35694 @@ -999,7 +999,7 @@ static struct mii_phy_def bcm5411_phy_de
35695 };
35696
35697 /* Broadcom BCM 5421 */
35698 -static struct mii_phy_ops bcm5421_phy_ops = {
35699 +static const struct mii_phy_ops bcm5421_phy_ops = {
35700 .init = bcm5421_init,
35701 .suspend = generic_suspend,
35702 .setup_aneg = bcm54xx_setup_aneg,
35703 @@ -1019,7 +1019,7 @@ static struct mii_phy_def bcm5421_phy_de
35704 };
35705
35706 /* Broadcom BCM 5421 built-in K2 */
35707 -static struct mii_phy_ops bcm5421k2_phy_ops = {
35708 +static const struct mii_phy_ops bcm5421k2_phy_ops = {
35709 .init = bcm5421_init,
35710 .suspend = generic_suspend,
35711 .setup_aneg = bcm54xx_setup_aneg,
35712 @@ -1037,7 +1037,7 @@ static struct mii_phy_def bcm5421k2_phy_
35713 .ops = &bcm5421k2_phy_ops
35714 };
35715
35716 -static struct mii_phy_ops bcm5461_phy_ops = {
35717 +static const struct mii_phy_ops bcm5461_phy_ops = {
35718 .init = bcm5421_init,
35719 .suspend = generic_suspend,
35720 .setup_aneg = bcm54xx_setup_aneg,
35721 @@ -1057,7 +1057,7 @@ static struct mii_phy_def bcm5461_phy_de
35722 };
35723
35724 /* Broadcom BCM 5462 built-in Vesta */
35725 -static struct mii_phy_ops bcm5462V_phy_ops = {
35726 +static const struct mii_phy_ops bcm5462V_phy_ops = {
35727 .init = bcm5421_init,
35728 .suspend = generic_suspend,
35729 .setup_aneg = bcm54xx_setup_aneg,
35730 @@ -1076,7 +1076,7 @@ static struct mii_phy_def bcm5462V_phy_d
35731 };
35732
35733 /* Marvell 88E1101 amd 88E1111 */
35734 -static struct mii_phy_ops marvell88e1101_phy_ops = {
35735 +static const struct mii_phy_ops marvell88e1101_phy_ops = {
35736 .suspend = generic_suspend,
35737 .setup_aneg = marvell_setup_aneg,
35738 .setup_forced = marvell_setup_forced,
35739 @@ -1084,7 +1084,7 @@ static struct mii_phy_ops marvell88e1101
35740 .read_link = marvell_read_link
35741 };
35742
35743 -static struct mii_phy_ops marvell88e1111_phy_ops = {
35744 +static const struct mii_phy_ops marvell88e1111_phy_ops = {
35745 .init = marvell88e1111_init,
35746 .suspend = generic_suspend,
35747 .setup_aneg = marvell_setup_aneg,
35748 @@ -1122,7 +1122,7 @@ static struct mii_phy_def marvell88e1111
35749 };
35750
35751 /* Generic implementation for most 10/100 PHYs */
35752 -static struct mii_phy_ops generic_phy_ops = {
35753 +static const struct mii_phy_ops generic_phy_ops = {
35754 .setup_aneg = genmii_setup_aneg,
35755 .setup_forced = genmii_setup_forced,
35756 .poll_link = genmii_poll_link,
35757 diff -urNp linux-2.6.39.3/drivers/net/tg3.h linux-2.6.39.3/drivers/net/tg3.h
35758 --- linux-2.6.39.3/drivers/net/tg3.h 2011-05-19 00:06:34.000000000 -0400
35759 +++ linux-2.6.39.3/drivers/net/tg3.h 2011-05-22 19:36:31.000000000 -0400
35760 @@ -131,6 +131,7 @@
35761 #define CHIPREV_ID_5750_A0 0x4000
35762 #define CHIPREV_ID_5750_A1 0x4001
35763 #define CHIPREV_ID_5750_A3 0x4003
35764 +#define CHIPREV_ID_5750_C1 0x4201
35765 #define CHIPREV_ID_5750_C2 0x4202
35766 #define CHIPREV_ID_5752_A0_HW 0x5000
35767 #define CHIPREV_ID_5752_A0 0x6000
35768 diff -urNp linux-2.6.39.3/drivers/net/tile/tilepro.c linux-2.6.39.3/drivers/net/tile/tilepro.c
35769 --- linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-19 00:06:34.000000000 -0400
35770 +++ linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-22 19:36:31.000000000 -0400
35771 @@ -2263,7 +2263,7 @@ static int tile_net_get_mac(struct net_d
35772 }
35773
35774
35775 -static struct net_device_ops tile_net_ops = {
35776 +static const struct net_device_ops tile_net_ops = {
35777 .ndo_open = tile_net_open,
35778 .ndo_stop = tile_net_stop,
35779 .ndo_start_xmit = tile_net_tx,
35780 diff -urNp linux-2.6.39.3/drivers/net/tulip/de2104x.c linux-2.6.39.3/drivers/net/tulip/de2104x.c
35781 --- linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-19 00:06:34.000000000 -0400
35782 +++ linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-22 19:36:31.000000000 -0400
35783 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
35784 struct de_srom_info_leaf *il;
35785 void *bufp;
35786
35787 + pax_track_stack();
35788 +
35789 /* download entire eeprom */
35790 for (i = 0; i < DE_EEPROM_WORDS; i++)
35791 ((__le16 *)ee_data)[i] =
35792 diff -urNp linux-2.6.39.3/drivers/net/tulip/de4x5.c linux-2.6.39.3/drivers/net/tulip/de4x5.c
35793 --- linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-19 00:06:34.000000000 -0400
35794 +++ linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-22 19:36:31.000000000 -0400
35795 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
35796 for (i=0; i<ETH_ALEN; i++) {
35797 tmp.addr[i] = dev->dev_addr[i];
35798 }
35799 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35800 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35801 break;
35802
35803 case DE4X5_SET_HWADDR: /* Set the hardware address */
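Review bot: The new guard in the hardware-address read case returns -EFAULT when `ioc->len > sizeof tmp.addr`, which reports a bad user pointer although the actual problem is an oversized length; -EINVAL would let callers tell the two apart. Splitting the condition also keeps the line readable: `if (ioc->len > sizeof tmp.addr) return -EINVAL;` followed by the existing copy_to_user test. Whether ioc->len is already fixed to ETH_ALEN earlier in this case cannot be seen from the hunk; if it is, a comment saying the check is defensive would help. de4x5_ioctl starts and ends outside the hunk.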
35804 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
35805 spin_lock_irqsave(&lp->lock, flags);
35806 memcpy(&statbuf, &lp->pktStats, ioc->len);
35807 spin_unlock_irqrestore(&lp->lock, flags);
35808 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35809 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35810 return -EFAULT;
35811 break;
35812 }
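Review bot: The added bound `ioc->len > sizeof statbuf` is evaluated only after `memcpy(&statbuf, &lp->pktStats, ioc->len)` has already run with the same length, so an oversized ioc->len would overwrite the on-stack statbuf before the check rejects it. Unless ioc->len is assigned from sizeof(statbuf) above the hunk (not visible here), the test belongs ahead of the lock and the memcpy, e.g. `if (ioc->len > sizeof statbuf) return -EINVAL;` before `spin_lock_irqsave`. The case body begins outside the hunk.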
35813 diff -urNp linux-2.6.39.3/drivers/net/usb/asix.c linux-2.6.39.3/drivers/net/usb/asix.c
35814 --- linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-19 00:06:34.000000000 -0400
35815 +++ linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-22 19:36:31.000000000 -0400
35816 @@ -1098,7 +1098,7 @@ out:
35817 return ret;
35818 }
35819
35820 -static struct ethtool_ops ax88178_ethtool_ops = {
35821 +static const struct ethtool_ops ax88178_ethtool_ops = {
35822 .get_drvinfo = asix_get_drvinfo,
35823 .get_link = asix_get_link,
35824 .get_msglevel = usbnet_get_msglevel,
35825 diff -urNp linux-2.6.39.3/drivers/net/usb/cdc_ncm.c linux-2.6.39.3/drivers/net/usb/cdc_ncm.c
35826 --- linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 12:55:22.000000000 -0400
35827 +++ linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 13:00:26.000000000 -0400
35828 @@ -141,7 +141,7 @@ struct cdc_ncm_ctx {
35829 static void cdc_ncm_tx_timeout(unsigned long arg);
35830 static const struct driver_info cdc_ncm_info;
35831 static struct usb_driver cdc_ncm_driver;
35832 -static struct ethtool_ops cdc_ncm_ethtool_ops;
35833 +static const struct ethtool_ops cdc_ncm_ethtool_ops;
35834
35835 static const struct usb_device_id cdc_devs[] = {
35836 { USB_INTERFACE_INFO(USB_CLASS_COMM,
35837 @@ -1258,7 +1258,7 @@ static struct usb_driver cdc_ncm_driver
35838 .supports_autosuspend = 1,
35839 };
35840
35841 -static struct ethtool_ops cdc_ncm_ethtool_ops = {
35842 +static const struct ethtool_ops cdc_ncm_ethtool_ops = {
35843 .get_drvinfo = cdc_ncm_get_drvinfo,
35844 .get_link = usbnet_get_link,
35845 .get_msglevel = usbnet_get_msglevel,
35846 diff -urNp linux-2.6.39.3/drivers/net/usb/hso.c linux-2.6.39.3/drivers/net/usb/hso.c
35847 --- linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-19 00:06:34.000000000 -0400
35848 +++ linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-22 19:36:31.000000000 -0400
35849 @@ -71,7 +71,7 @@
35850 #include <asm/byteorder.h>
35851 #include <linux/serial_core.h>
35852 #include <linux/serial.h>
35853 -
35854 +#include <asm/local.h>
35855
35856 #define MOD_AUTHOR "Option Wireless"
35857 #define MOD_DESCRIPTION "USB High Speed Option driver"
35858 @@ -257,7 +257,7 @@ struct hso_serial {
35859
35860 /* from usb_serial_port */
35861 struct tty_struct *tty;
35862 - int open_count;
35863 + local_t open_count;
35864 spinlock_t serial_lock;
35865
35866 int (*write_data) (struct hso_serial *serial);
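Review bot: `local_t` is intended for per-CPU counters and its operations are only guaranteed atomic with respect to the CPU executing them, while `open_count` sits in the per-device `struct hso_serial` and is read in `intr_callback` and the receive paths in the later hunks as well as updated in open and close. If the goal is a counter that is safe against concurrent updates from different CPUs, `atomic_t` with `atomic_read`/`atomic_inc_return`/`atomic_dec` is the matching type; if the goal is something else, a comment on the field should state it. The struct definition continues outside the hunk.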
35867 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
35868 struct urb *urb;
35869
35870 urb = serial->rx_urb[0];
35871 - if (serial->open_count > 0) {
35872 + if (local_read(&serial->open_count) > 0) {
35873 count = put_rxbuf_data(urb, serial);
35874 if (count == -1)
35875 return;
35876 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
35877 DUMP1(urb->transfer_buffer, urb->actual_length);
35878
35879 /* Anyone listening? */
35880 - if (serial->open_count == 0)
35881 + if (local_read(&serial->open_count) == 0)
35882 return;
35883
35884 if (status == 0) {
35885 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35886 spin_unlock_irq(&serial->serial_lock);
35887
35888 /* check for port already opened, if not set the termios */
35889 - serial->open_count++;
35890 - if (serial->open_count == 1) {
35891 + if (local_inc_return(&serial->open_count) == 1) {
35892 serial->rx_state = RX_IDLE;
35893 /* Force default termio settings */
35894 _hso_serial_set_termios(tty, NULL);
35895 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
35896 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35897 if (result) {
35898 hso_stop_serial_device(serial->parent);
35899 - serial->open_count--;
35900 + local_dec(&serial->open_count);
35901 kref_put(&serial->parent->ref, hso_serial_ref_free);
35902 }
35903 } else {
35904 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
35905
35906 /* reset the rts and dtr */
35907 /* do the actual close */
35908 - serial->open_count--;
35909 + local_dec(&serial->open_count);
35910
35911 - if (serial->open_count <= 0) {
35912 - serial->open_count = 0;
35913 + if (local_read(&serial->open_count) <= 0) {
35914 + local_set(&serial->open_count, 0);
35915 spin_lock_irq(&serial->serial_lock);
35916 if (serial->tty == tty) {
35917 serial->tty->driver_data = NULL;
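Review bot: In hso_serial_close the decrement, the `<= 0` test and the reset to zero are three separate operations on `open_count`, so an open or another close can interleave between them, whereas the open path in the earlier hunk uses a single `local_inc_return`. The clamp `local_set(&serial->open_count, 0)` also hides an unbalanced close instead of reporting it. Whether a lock taken outside the hunk serialises open and close cannot be seen here; if one does, a comment naming it would settle the question, otherwise the decrement and the test should be one read-modify-write whose return value is tested. The function begins and ends outside the hunk.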
35918 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
35919
35920 /* the actual setup */
35921 spin_lock_irqsave(&serial->serial_lock, flags);
35922 - if (serial->open_count)
35923 + if (local_read(&serial->open_count))
35924 _hso_serial_set_termios(tty, old);
35925 else
35926 tty->termios = old;
35927 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
35928 D1("Pending read interrupt on port %d\n", i);
35929 spin_lock(&serial->serial_lock);
35930 if (serial->rx_state == RX_IDLE &&
35931 - serial->open_count > 0) {
35932 + local_read(&serial->open_count) > 0) {
35933 /* Setup and send a ctrl req read on
35934 * port i */
35935 if (!serial->rx_urb_filled[0]) {
35936 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35937 /* Start all serial ports */
35938 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35939 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35940 - if (dev2ser(serial_table[i])->open_count) {
35941 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35942 result =
35943 hso_start_serial_device(serial_table[i], GFP_NOIO);
35944 hso_kick_transmit(dev2ser(serial_table[i]));
35945 diff -urNp linux-2.6.39.3/drivers/net/usb/ipheth.c linux-2.6.39.3/drivers/net/usb/ipheth.c
35946 --- linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-19 00:06:34.000000000 -0400
35947 +++ linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-22 19:36:31.000000000 -0400
35948 @@ -421,7 +421,7 @@ static u32 ipheth_ethtool_op_get_link(st
35949 return netif_carrier_ok(dev->net);
35950 }
35951
35952 -static struct ethtool_ops ops = {
35953 +static const struct ethtool_ops ops = {
35954 .get_link = ipheth_ethtool_op_get_link
35955 };
35956
35957 diff -urNp linux-2.6.39.3/drivers/net/usb/sierra_net.c linux-2.6.39.3/drivers/net/usb/sierra_net.c
35958 --- linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-19 00:06:34.000000000 -0400
35959 +++ linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-22 19:36:31.000000000 -0400
35960 @@ -618,7 +618,7 @@ static u32 sierra_net_get_link(struct ne
35961 return sierra_net_get_private(dev)->link_up && netif_running(net);
35962 }
35963
35964 -static struct ethtool_ops sierra_net_ethtool_ops = {
35965 +static const struct ethtool_ops sierra_net_ethtool_ops = {
35966 .get_drvinfo = sierra_net_get_drvinfo,
35967 .get_link = sierra_net_get_link,
35968 .get_msglevel = usbnet_get_msglevel,
35969 diff -urNp linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c
35970 --- linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35971 +++ linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35972 @@ -631,8 +631,7 @@ vmxnet3_set_rss_indir(struct net_device
35973 * Return with error code if any of the queue indices
35974 * is out of range
35975 */
35976 - if (p->ring_index[i] < 0 ||
35977 - p->ring_index[i] >= adapter->num_rx_queues)
35978 + if (p->ring_index[i] >= adapter->num_rx_queues)
35979 return -EINVAL;
35980 }
35981
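Review bot: Dropping `p->ring_index[i] < 0` preserves behaviour only if ring_index[] has an unsigned element type, and its declaration is outside the hunk. If it is unsigned, the remaining `>= adapter->num_rx_queues` test covers every out-of-range index, but that in turn relies on num_rx_queues never holding a negative signed value that would convert to a very large unsigned bound. A comment on the check, e.g. `/* ring_index[] is unsigned, so only the upper bound needs testing */`, would record the assumption. vmxnet3_set_rss_indir continues outside the hunk.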
35982 diff -urNp linux-2.6.39.3/drivers/net/vxge/vxge-main.c linux-2.6.39.3/drivers/net/vxge/vxge-main.c
35983 --- linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-19 00:06:34.000000000 -0400
35984 +++ linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-22 19:36:31.000000000 -0400
35985 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35986 struct sk_buff *completed[NR_SKB_COMPLETED];
35987 int more;
35988
35989 + pax_track_stack();
35990 +
35991 do {
35992 more = 0;
35993 skb_ptr = completed;
35994 @@ -1927,6 +1929,8 @@ static enum vxge_hw_status vxge_rth_conf
35995 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35996 int index;
35997
35998 + pax_track_stack();
35999 +
36000 /*
36001 * Filling
36002 * - itable with bucket numbers
36003 diff -urNp linux-2.6.39.3/drivers/net/wan/cycx_x25.c linux-2.6.39.3/drivers/net/wan/cycx_x25.c
36004 --- linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-19 00:06:34.000000000 -0400
36005 +++ linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-22 19:36:31.000000000 -0400
36006 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
36007 unsigned char hex[1024],
36008 * phex = hex;
36009
36010 + pax_track_stack();
36011 +
36012 if (len >= (sizeof(hex) / 2))
36013 len = (sizeof(hex) / 2) - 1;
36014
36015 diff -urNp linux-2.6.39.3/drivers/net/wan/lapbether.c linux-2.6.39.3/drivers/net/wan/lapbether.c
36016 --- linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-19 00:06:34.000000000 -0400
36017 +++ linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-22 19:36:31.000000000 -0400
36018 @@ -259,7 +259,7 @@ static int lapbeth_set_mac_address(struc
36019 }
36020
36021
36022 -static struct lapb_register_struct lapbeth_callbacks = {
36023 +static const struct lapb_register_struct lapbeth_callbacks = {
36024 .connect_confirmation = lapbeth_connected,
36025 .connect_indication = lapbeth_connected,
36026 .disconnect_confirmation = lapbeth_disconnected,
36027 diff -urNp linux-2.6.39.3/drivers/net/wan/x25_asy.c linux-2.6.39.3/drivers/net/wan/x25_asy.c
36028 --- linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-19 00:06:34.000000000 -0400
36029 +++ linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-22 19:36:31.000000000 -0400
36030 @@ -434,7 +434,7 @@ static void x25_asy_disconnected(struct
36031 netif_rx(skb);
36032 }
36033
36034 -static struct lapb_register_struct x25_asy_callbacks = {
36035 +static const struct lapb_register_struct x25_asy_callbacks = {
36036 .connect_confirmation = x25_asy_connected,
36037 .connect_indication = x25_asy_connected,
36038 .disconnect_confirmation = x25_asy_disconnected,
36039 diff -urNp linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c
36040 --- linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-19 00:06:34.000000000 -0400
36041 +++ linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-22 19:36:31.000000000 -0400
36042 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
36043 int do_autopm = 1;
36044 DECLARE_COMPLETION_ONSTACK(notif_completion);
36045
36046 + pax_track_stack();
36047 +
36048 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
36049 i2400m, ack, ack_size);
36050 BUG_ON(_ack == i2400m->bm_ack_buf);
36051 diff -urNp linux-2.6.39.3/drivers/net/wireless/airo.c linux-2.6.39.3/drivers/net/wireless/airo.c
36052 --- linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-19 00:06:34.000000000 -0400
36053 +++ linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-22 19:36:31.000000000 -0400
36054 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
36055 BSSListElement * loop_net;
36056 BSSListElement * tmp_net;
36057
36058 + pax_track_stack();
36059 +
36060 /* Blow away current list of scan results */
36061 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
36062 list_move_tail (&loop_net->list, &ai->network_free_list);
36063 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
36064 WepKeyRid wkr;
36065 int rc;
36066
36067 + pax_track_stack();
36068 +
36069 memset( &mySsid, 0, sizeof( mySsid ) );
36070 kfree (ai->flash);
36071 ai->flash = NULL;
36072 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
36073 __le32 *vals = stats.vals;
36074 int len;
36075
36076 + pax_track_stack();
36077 +
36078 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36079 return -ENOMEM;
36080 data = file->private_data;
36081 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
36082 /* If doLoseSync is not 1, we won't do a Lose Sync */
36083 int doLoseSync = -1;
36084
36085 + pax_track_stack();
36086 +
36087 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36088 return -ENOMEM;
36089 data = file->private_data;
36090 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
36091 int i;
36092 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
36093
36094 + pax_track_stack();
36095 +
36096 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
36097 if (!qual)
36098 return -ENOMEM;
36099 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
36100 CapabilityRid cap_rid;
36101 __le32 *vals = stats_rid.vals;
36102
36103 + pax_track_stack();
36104 +
36105 /* Get stats out of the card */
36106 clear_bit(JOB_WSTATS, &local->jobs);
36107 if (local->power.event) {
36108 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c
36109 --- linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-19 00:06:34.000000000 -0400
36110 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-22 19:36:31.000000000 -0400
36111 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
36112 unsigned int v;
36113 u64 tsf;
36114
36115 + pax_track_stack();
36116 +
36117 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
36118 len += snprintf(buf+len, sizeof(buf)-len,
36119 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
36120 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
36121 unsigned int len = 0;
36122 unsigned int i;
36123
36124 + pax_track_stack();
36125 +
36126 len += snprintf(buf+len, sizeof(buf)-len,
36127 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
36128
36129 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
36130 unsigned int i;
36131 unsigned int v;
36132
36133 + pax_track_stack();
36134 +
36135 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
36136 sc->ah->ah_ant_mode);
36137 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
36138 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
36139 unsigned int len = 0;
36140 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
36141
36142 + pax_track_stack();
36143 +
36144 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
36145 sc->bssidmask);
36146 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
36147 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
36148 unsigned int len = 0;
36149 int i;
36150
36151 + pax_track_stack();
36152 +
36153 len += snprintf(buf+len, sizeof(buf)-len,
36154 "RX\n---------------------\n");
36155 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
36156 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
36157 char buf[700];
36158 unsigned int len = 0;
36159
36160 + pax_track_stack();
36161 +
36162 len += snprintf(buf+len, sizeof(buf)-len,
36163 "HW has PHY error counters:\t%s\n",
36164 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
36165 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
36166 struct ath5k_buf *bf, *bf0;
36167 int i, n;
36168
36169 + pax_track_stack();
36170 +
36171 len += snprintf(buf+len, sizeof(buf)-len,
36172 "available txbuffers: %d\n", sc->txbuf_len);
36173
36174 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c
36175 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-19 00:06:34.000000000 -0400
36176 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-22 19:36:31.000000000 -0400
36177 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
36178 s32 i, j, ip, im, nmeasurement;
36179 u8 nchains = get_streams(common->tx_chainmask);
36180
36181 + pax_track_stack();
36182 +
36183 for (ip = 0; ip < MPASS; ip++) {
36184 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
36185 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
36186 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
36187 int i, ip, im, j;
36188 int nmeasurement;
36189
36190 + pax_track_stack();
36191 +
36192 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
36193 if (ah->txchainmask & (1 << i))
36194 num_chains++;
36195 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
36196 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-19 00:06:34.000000000 -0400
36197 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-22 19:36:31.000000000 -0400
36198 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
36199 int theta_low_bin = 0;
36200 int i;
36201
36202 + pax_track_stack();
36203 +
36204 /* disregard any bin that contains <= 16 samples */
36205 thresh_accum_cnt = 16;
36206 scale_factor = 5;
36207 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c
36208 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-19 00:06:34.000000000 -0400
36209 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-22 19:36:31.000000000 -0400
36210 @@ -335,6 +335,8 @@ static ssize_t read_file_interrupt(struc
36211 char buf[512];
36212 unsigned int len = 0;
36213
36214 + pax_track_stack();
36215 +
36216 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
36217 len += snprintf(buf + len, sizeof(buf) - len,
36218 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
36219 @@ -422,6 +424,8 @@ static ssize_t read_file_wiphy(struct fi
36220 u8 addr[ETH_ALEN];
36221 u32 tmp;
36222
36223 + pax_track_stack();
36224 +
36225 len += snprintf(buf + len, sizeof(buf) - len,
36226 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
36227 wiphy_name(sc->hw->wiphy),
36228 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c
36229 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-19 00:06:34.000000000 -0400
36230 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-22 19:36:31.000000000 -0400
36231 @@ -737,6 +737,8 @@ static ssize_t read_file_tgt_stats(struc
36232 unsigned int len = 0;
36233 int ret = 0;
36234
36235 + pax_track_stack();
36236 +
36237 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
36238
36239 WMI_CMD(WMI_TGT_STATS_CMDID);
36240 @@ -782,6 +784,8 @@ static ssize_t read_file_xmit(struct fil
36241 char buf[512];
36242 unsigned int len = 0;
36243
36244 + pax_track_stack();
36245 +
36246 len += snprintf(buf + len, sizeof(buf) - len,
36247 "%20s : %10u\n", "Buffers queued",
36248 priv->debug.tx_stats.buf_queued);
36249 @@ -831,6 +835,8 @@ static ssize_t read_file_recv(struct fil
36250 char buf[512];
36251 unsigned int len = 0;
36252
36253 + pax_track_stack();
36254 +
36255 len += snprintf(buf + len, sizeof(buf) - len,
36256 "%20s : %10u\n", "SKBs allocated",
36257 priv->debug.rx_stats.skb_allocated);
36258 @@ -1816,7 +1822,7 @@ static void ath9k_htc_set_coverage_class
36259 mutex_unlock(&priv->mutex);
36260 }
36261
36262 -struct ieee80211_ops ath9k_htc_ops = {
36263 +const struct ieee80211_ops ath9k_htc_ops = {
36264 .tx = ath9k_htc_tx,
36265 .start = ath9k_htc_start,
36266 .stop = ath9k_htc_stop,
36267 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h
36268 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-19 00:06:34.000000000 -0400
36269 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-22 19:36:31.000000000 -0400
36270 @@ -42,7 +42,7 @@
36271 #define TSF_TO_TU(_h, _l) \
36272 ((((u32)(_h)) << 22) | (((u32)(_l)) >> 10))
36273
36274 -extern struct ieee80211_ops ath9k_htc_ops;
36275 +extern const struct ieee80211_ops ath9k_htc_ops;
36276 extern int htc_modparam_nohwcrypt;
36277
36278 enum htc_phymode {
36279 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c
36280 --- linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36281 +++ linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36282 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
36283 struct b43_debugfs_fops {
36284 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
36285 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
36286 - struct file_operations fops;
36287 + const struct file_operations fops;
36288 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
36289 size_t file_struct_offset;
36290 };
36291 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c
36292 --- linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36293 +++ linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36294 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
36295 struct b43legacy_debugfs_fops {
36296 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
36297 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
36298 - struct file_operations fops;
36299 + const struct file_operations fops;
36300 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
36301 size_t file_struct_offset;
36302 /* Take wl->irq_lock before calling read/write? */
36303 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c
36304 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-19 00:06:34.000000000 -0400
36305 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-22 19:36:31.000000000 -0400
36306 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
36307 int err;
36308 DECLARE_SSID_BUF(ssid);
36309
36310 + pax_track_stack();
36311 +
36312 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
36313
36314 if (ssid_len)
36315 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
36316 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
36317 int err;
36318
36319 + pax_track_stack();
36320 +
36321 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
36322 idx, keylen, len);
36323
36324 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c
36325 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-19 00:06:34.000000000 -0400
36326 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-22 19:36:31.000000000 -0400
36327 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
36328 unsigned long flags;
36329 DECLARE_SSID_BUF(ssid);
36330
36331 + pax_track_stack();
36332 +
36333 LIBIPW_DEBUG_SCAN("'%s' (%pM"
36334 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
36335 print_ssid(ssid, info_element->data, info_element->len),
36336 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c
36337 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-19 00:06:34.000000000 -0400
36338 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-22 19:36:31.000000000 -0400
36339 @@ -2630,7 +2630,7 @@ static int iwl3945_load_bsm(struct iwl_p
36340 return 0;
36341 }
36342
36343 -static struct iwl_hcmd_ops iwl3945_hcmd = {
36344 +static const struct iwl_hcmd_ops iwl3945_hcmd = {
36345 .rxon_assoc = iwl3945_send_rxon_assoc,
36346 .commit_rxon = iwl3945_commit_rxon,
36347 };
36348 @@ -2675,7 +2675,7 @@ static const struct iwl_legacy_ops iwl39
36349 .manage_ibss_station = iwl3945_manage_ibss_station,
36350 };
36351
36352 -static struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36353 +static const struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36354 .get_hcmd_size = iwl3945_get_hcmd_size,
36355 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
36356 .request_scan = iwl3945_request_scan,
36357 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c
36358 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 12:55:22.000000000 -0400
36359 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 13:00:26.000000000 -0400
36360 @@ -1902,7 +1902,7 @@ static void iwl4965_rx_handler_setup(str
36361 priv->rx_handlers[BEACON_NOTIFICATION] = iwl4965_rx_beacon_notif;
36362 }
36363
36364 -static struct iwl_hcmd_ops iwl4965_hcmd = {
36365 +static const struct iwl_hcmd_ops iwl4965_hcmd = {
36366 .rxon_assoc = iwl4965_send_rxon_assoc,
36367 .commit_rxon = iwl4965_commit_rxon,
36368 .set_rxon_chain = iwl4965_set_rxon_chain,
36369 @@ -2054,7 +2054,7 @@ static void iwl4965_config_ap(struct iwl
36370 iwl4965_send_beacon_cmd(priv);
36371 }
36372
36373 -static struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36374 +static const struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36375 .get_hcmd_size = iwl4965_get_hcmd_size,
36376 .build_addsta_hcmd = iwl4965_build_addsta_hcmd,
36377 .request_scan = iwl4965_request_scan,
36378 @@ -2112,7 +2112,7 @@ static const struct iwl_legacy_ops iwl49
36379 .update_bcast_stations = iwl4965_update_bcast_stations,
36380 };
36381
36382 -struct ieee80211_ops iwl4965_hw_ops = {
36383 +const struct ieee80211_ops iwl4965_hw_ops = {
36384 .tx = iwl4965_mac_tx,
36385 .start = iwl4965_mac_start,
36386 .stop = iwl4965_mac_stop,
36387 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h
36388 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-19 00:06:34.000000000 -0400
36389 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-22 19:36:32.000000000 -0400
36390 @@ -70,7 +70,7 @@ extern struct iwl_cfg iwl4965_cfg;
36391
36392 extern struct iwl_mod_params iwl4965_mod_params;
36393
36394 -extern struct ieee80211_ops iwl4965_hw_ops;
36395 +extern const struct ieee80211_ops iwl4965_hw_ops;
36396
36397 /* tx queue */
36398 void iwl4965_free_tfds_in_queue(struct iwl_priv *priv,
36399 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h
36400 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36401 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36402 @@ -150,7 +150,7 @@ struct iwl_lib_ops {
36403 int (*set_channel_switch)(struct iwl_priv *priv,
36404 struct ieee80211_channel_switch *ch_switch);
36405 /* power management */
36406 - struct iwl_apm_ops apm_ops;
36407 + const struct iwl_apm_ops apm_ops;
36408
36409 /* power */
36410 int (*send_tx_power) (struct iwl_priv *priv);
36411 @@ -160,12 +160,12 @@ struct iwl_lib_ops {
36412 struct iwl_eeprom_ops eeprom_ops;
36413
36414 /* temperature */
36415 - struct iwl_temp_ops temp_ops;
36416 + const struct iwl_temp_ops temp_ops;
36417 /* check for plcp health */
36418 bool (*check_plcp_health)(struct iwl_priv *priv,
36419 struct iwl_rx_packet *pkt);
36420
36421 - struct iwl_debugfs_ops debugfs_ops;
36422 + const struct iwl_debugfs_ops debugfs_ops;
36423
36424 };
36425
36426 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c
36427 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 12:55:22.000000000 -0400
36428 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 13:00:26.000000000 -0400
36429 @@ -420,11 +420,11 @@ static struct iwl_lib_ops iwl6030_lib =
36430 }
36431 };
36432
36433 -static struct iwl_nic_ops iwl6050_nic_ops = {
36434 +static const struct iwl_nic_ops iwl6050_nic_ops = {
36435 .additional_nic_config = &iwl6050_additional_nic_config,
36436 };
36437
36438 -static struct iwl_nic_ops iwl6150_nic_ops = {
36439 +static const struct iwl_nic_ops iwl6150_nic_ops = {
36440 .additional_nic_config = &iwl6150_additional_nic_config,
36441 };
36442
36443 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h
36444 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-19 00:06:34.000000000 -0400
36445 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-22 19:36:32.000000000 -0400
36446 @@ -109,9 +109,9 @@ extern struct iwl_cfg iwl230_bg_cfg;
36447 extern struct iwl_cfg iwl230_bgn_cfg;
36448
36449 extern struct iwl_mod_params iwlagn_mod_params;
36450 -extern struct iwl_hcmd_ops iwlagn_hcmd;
36451 -extern struct iwl_hcmd_ops iwlagn_bt_hcmd;
36452 -extern struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36453 +extern const struct iwl_hcmd_ops iwlagn_hcmd;
36454 +extern const struct iwl_hcmd_ops iwlagn_bt_hcmd;
36455 +extern const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36456
36457 extern struct ieee80211_ops iwlagn_hw_ops;
36458 extern struct ieee80211_ops iwl4965_hw_ops;
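Review bot: The two `extern struct ieee80211_ops` declarations kept as context at the end of this hunk stay non-const while the hcmd externs above them are constified, and the iwlegacy hunks in this patch define `iwl4965_hw_ops` as `const struct ieee80211_ops`. A translation unit that saw both this header and iwlegacy/iwl-4965.h would get conflicting declarations, and `iwlagn_hw_ops` is left writable if its definition is not changed elsewhere in the patch (not visible here). The first line would read `extern const struct ieee80211_ops iwlagn_hw_ops;`, with the definition changed to match, and the `iwl4965_hw_ops` extern either constified or, if iwlwifi no longer defines it, removed.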
36459 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c
36460 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 12:55:22.000000000 -0400
36461 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 13:00:26.000000000 -0400
36462 @@ -355,7 +355,7 @@ static int iwlagn_set_pan_params(struct
36463 return ret;
36464 }
36465
36466 -struct iwl_hcmd_ops iwlagn_hcmd = {
36467 +const struct iwl_hcmd_ops iwlagn_hcmd = {
36468 .rxon_assoc = iwlagn_send_rxon_assoc,
36469 .commit_rxon = iwlagn_commit_rxon,
36470 .set_rxon_chain = iwlagn_set_rxon_chain,
36471 @@ -364,7 +364,7 @@ struct iwl_hcmd_ops iwlagn_hcmd = {
36472 .set_pan_params = iwlagn_set_pan_params,
36473 };
36474
36475 -struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36476 +const struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36477 .rxon_assoc = iwlagn_send_rxon_assoc,
36478 .commit_rxon = iwlagn_commit_rxon,
36479 .set_rxon_chain = iwlagn_set_rxon_chain,
36480 @@ -373,7 +373,7 @@ struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36481 .set_pan_params = iwlagn_set_pan_params,
36482 };
36483
36484 -struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36485 +const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36486 .get_hcmd_size = iwlagn_get_hcmd_size,
36487 .build_addsta_hcmd = iwlagn_build_addsta_hcmd,
36488 .gain_computation = iwlagn_gain_computation,
36489 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36490 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-19 00:06:34.000000000 -0400
36491 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-22 19:36:32.000000000 -0400
36492 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
36493 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
36494 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
36495
36496 + pax_track_stack();
36497 +
36498 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36499
36500 /* Treat uninitialized rate scaling data same as non-existing. */
36501 @@ -2894,6 +2896,8 @@ static void rs_fill_link_cmd(struct iwl_
36502 container_of(lq_sta, struct iwl_station_priv, lq_sta);
36503 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36504
36505 + pax_track_stack();
36506 +
36507 /* Override starting rate (index 0) if needed for debug purposes */
36508 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36509
36510 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h
36511 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36512 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36513 @@ -198,28 +198,25 @@ struct iwl_lib_ops {
36514 int (*set_channel_switch)(struct iwl_priv *priv,
36515 struct ieee80211_channel_switch *ch_switch);
36516 /* power management */
36517 - struct iwl_apm_ops apm_ops;
36518 + const struct iwl_apm_ops apm_ops;
36519
36520 /* power */
36521 int (*send_tx_power) (struct iwl_priv *priv);
36522 void (*update_chain_flags)(struct iwl_priv *priv);
36523
36524 /* isr */
36525 - struct iwl_isr_ops isr_ops;
36526 + const struct iwl_isr_ops isr_ops;
36527
36528 /* eeprom operations (as defined in iwl-eeprom.h) */
36529 struct iwl_eeprom_ops eeprom_ops;
36530
36531 /* temperature */
36532 - struct iwl_temp_ops temp_ops;
36533 + const struct iwl_temp_ops temp_ops;
36534
36535 int (*txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36536 void (*dev_txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36537
36538 - struct iwl_debugfs_ops debugfs_ops;
36539 -
36540 - /* thermal throttling */
36541 - struct iwl_tt_ops tt_ops;
36542 + const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;
36543 };
36544
36545 struct iwl_led_ops {
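Review bot: The added line `const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;` puts two member declarations on one line, and the hunk drops the `/* thermal throttling */` comment and the blank line that separated them. Nothing in the constification needs that; the members read better as `const struct iwl_debugfs_ops debugfs_ops;` followed by the comment and `const struct iwl_tt_ops tt_ops;` on their own lines. `struct iwl_eeprom_ops eeprom_ops;` in the same struct is left non-const; if that is deliberate, a short comment saying why would help.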
36546 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36547 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-19 00:06:34.000000000 -0400
36548 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-22 19:36:32.000000000 -0400
36549 @@ -549,6 +549,8 @@ static ssize_t iwl_dbgfs_status_read(str
36550 int pos = 0;
36551 const size_t bufsz = sizeof(buf);
36552
36553 + pax_track_stack();
36554 +
36555 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36556 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36557 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
36558 @@ -681,6 +683,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36559 char buf[256 * NUM_IWL_RXON_CTX];
36560 const size_t bufsz = sizeof(buf);
36561
36562 + pax_track_stack();
36563 +
36564 for_each_context(priv, ctx) {
36565 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
36566 ctx->ctxid);
36567 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h
36568 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-19 00:06:34.000000000 -0400
36569 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-22 19:36:32.000000000 -0400
36570 @@ -68,8 +68,8 @@ do {
36571 } while (0)
36572
36573 #else
36574 -#define IWL_DEBUG(__priv, level, fmt, args...)
36575 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36576 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36577 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36578 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36579 const void *p, u32 len)
36580 {}
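Review bot: The `do {} while (0)` stubs for IWL_DEBUG and IWL_DEBUG_LIMIT discard `fmt` and `args` entirely, so a format string that does not match its arguments compiles cleanly in non-debug builds and is only noticed when debugging is enabled. The change does make the macros safe as the sole body of an `if`, which is worth a comment, e.g. `/* expand to a statement so "if (x) IWL_DEBUG(...);" has a body */`. To keep format checking without emitting code, and assuming `no_printk()` is available in this tree, the stub could be `#define IWL_DEBUG(__priv, level, fmt, args...) no_printk(fmt, ##args)`, and likewise for IWL_DEBUG_LIMIT.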
36581 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c
36582 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
36583 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
36584 @@ -763,7 +763,7 @@ static int iwm_cfg80211_flush_pmksa(stru
36585 }
36586
36587
36588 -static struct cfg80211_ops iwm_cfg80211_ops = {
36589 +static const struct cfg80211_ops iwm_cfg80211_ops = {
36590 .change_virtual_intf = iwm_cfg80211_change_iface,
36591 .add_key = iwm_cfg80211_add_key,
36592 .get_key = iwm_cfg80211_get_key,
36593 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c
36594 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36595 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36596 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36597 int buf_len = 512;
36598 size_t len = 0;
36599
36600 + pax_track_stack();
36601 +
36602 if (*ppos != 0)
36603 return 0;
36604 if (count < sizeof(buf))
36605 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c
36606 --- linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-19 00:06:34.000000000 -0400
36607 +++ linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-22 19:36:32.000000000 -0400
36608 @@ -2003,7 +2003,7 @@ static int lbs_leave_ibss(struct wiphy *
36609 * Initialization
36610 */
36611
36612 -static struct cfg80211_ops lbs_cfg80211_ops = {
36613 +static const struct cfg80211_ops lbs_cfg80211_ops = {
36614 .set_channel = lbs_cfg_set_channel,
36615 .scan = lbs_cfg_scan,
36616 .connect = lbs_cfg_connect,
36617 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c
36618 --- linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36619 +++ linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36620 @@ -702,7 +702,7 @@ out_unlock:
36621 struct lbs_debugfs_files {
36622 const char *name;
36623 int perm;
36624 - struct file_operations fops;
36625 + const struct file_operations fops;
36626 };
36627
36628 static const struct lbs_debugfs_files debugfs_files[] = {
36629 diff -urNp linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c
36630 --- linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-19 00:06:34.000000000 -0400
36631 +++ linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-22 19:36:32.000000000 -0400
36632 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
36633
36634 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
36635
36636 - if (rts_threshold < 0 || rts_threshold > 2347)
36637 + if (rts_threshold > 2347)
36638 rts_threshold = 2347;
36639
36640 tmp = cpu_to_le32(rts_threshold);
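Review bot: Dropping `rts_threshold < 0` from the clamp is only safe if `rts_threshold` is an unsigned parameter; the signature is truncated in the hunk header, so this cannot be confirmed from the hunk. If it is unsigned, the removed comparison was always false and the change just silences a compiler warning, but if it is signed, a negative value now skips the clamp and is passed to `cpu_to_le32()` and on to the device. A comment such as `/* rts_threshold is unsigned, so only the upper bound needs clamping */` above the `if` would record the assumption; note also that the `netdev_dbg` line above prints the value with `%i`. The body of set_rts_threshold continues outside the hunk.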
36641 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c
36642 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-19 00:06:34.000000000 -0400
36643 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-22 19:36:32.000000000 -0400
36644 @@ -1869,7 +1869,7 @@ int rtl_pci_resume(struct pci_dev *pdev)
36645 }
36646 EXPORT_SYMBOL(rtl_pci_resume);
36647
36648 -struct rtl_intf_ops rtl_pci_ops = {
36649 +const struct rtl_intf_ops rtl_pci_ops = {
36650 .adapter_start = rtl_pci_start,
36651 .adapter_stop = rtl_pci_stop,
36652 .adapter_tx = rtl_pci_tx,
36653 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h
36654 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-19 00:06:34.000000000 -0400
36655 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-22 19:36:32.000000000 -0400
36656 @@ -234,7 +234,7 @@ struct rtl_pci_priv {
36657
36658 int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw);
36659
36660 -extern struct rtl_intf_ops rtl_pci_ops;
36661 +extern const struct rtl_intf_ops rtl_pci_ops;
36662
36663 int __devinit rtl_pci_probe(struct pci_dev *pdev,
36664 const struct pci_device_id *id);
36665 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
36666 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-19 00:06:34.000000000 -0400
36667 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-22 19:36:32.000000000 -0400
36668 @@ -827,6 +827,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
36669 u8 rfpath;
36670 u8 num_total_rfpath = rtlphy->num_total_rfpath;
36671
36672 + pax_track_stack();
36673 +
36674 precommoncmdcnt = 0;
36675 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
36676 MAX_PRECMD_CNT,
36677 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
36678 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-19 00:06:34.000000000 -0400
36679 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-22 19:36:32.000000000 -0400
36680 @@ -96,7 +96,7 @@ void rtl92c_deinit_sw_vars(struct ieee80
36681 }
36682 }
36683
36684 -static struct rtl_hal_ops rtl8192ce_hal_ops = {
36685 +static const struct rtl_hal_ops rtl8192ce_hal_ops = {
36686 .init_sw_vars = rtl92c_init_sw_vars,
36687 .deinit_sw_vars = rtl92c_deinit_sw_vars,
36688 .read_eeprom_info = rtl92ce_read_eeprom_info,
36689 @@ -151,7 +151,7 @@ static struct rtl_mod_params rtl92ce_mod
36690 .sw_crypto = 0,
36691 };
36692
36693 -static struct rtl_hal_cfg rtl92ce_hal_cfg = {
36694 +static const struct rtl_hal_cfg rtl92ce_hal_cfg = {
36695 .name = "rtl92c_pci",
36696 .fw_name = "rtlwifi/rtl8192cfw.bin",
36697 .ops = &rtl8192ce_hal_ops,
36698 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
36699 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-19 00:06:34.000000000 -0400
36700 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-22 19:36:32.000000000 -0400
36701 @@ -77,7 +77,7 @@ static void rtl92cu_deinit_sw_vars(struc
36702 }
36703 }
36704
36705 -static struct rtl_hal_ops rtl8192cu_hal_ops = {
36706 +static const struct rtl_hal_ops rtl8192cu_hal_ops = {
36707 .init_sw_vars = rtl92cu_init_sw_vars,
36708 .deinit_sw_vars = rtl92cu_deinit_sw_vars,
36709 .read_chip_version = rtl92c_read_chip_version,
36710 @@ -147,7 +147,7 @@ static struct rtl_hal_usbint_cfg rtl92cu
36711 .usb_mq_to_hwq = rtl8192cu_mq_to_hwq,
36712 };
36713
36714 -static struct rtl_hal_cfg rtl92cu_hal_cfg = {
36715 +static const struct rtl_hal_cfg rtl92cu_hal_cfg = {
36716 .name = "rtl92c_usb",
36717 .fw_name = "rtlwifi/rtl8192cufw.bin",
36718 .ops = &rtl8192cu_hal_ops,
36719 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c
36720 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-19 00:06:34.000000000 -0400
36721 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-22 19:36:32.000000000 -0400
36722 @@ -913,7 +913,7 @@ static bool rtl_usb_tx_chk_waitq_insert(
36723 return false;
36724 }
36725
36726 -static struct rtl_intf_ops rtl_usb_ops = {
36727 +static const struct rtl_intf_ops rtl_usb_ops = {
36728 .adapter_start = rtl_usb_start,
36729 .adapter_stop = rtl_usb_stop,
36730 .adapter_tx = rtl_usb_tx,
36731 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h
36732 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-19 00:06:34.000000000 -0400
36733 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-22 19:36:32.000000000 -0400
36734 @@ -1447,7 +1447,7 @@ struct rtl_hal_cfg {
36735 u8 bar_id;
36736 char *name;
36737 char *fw_name;
36738 - struct rtl_hal_ops *ops;
36739 + const struct rtl_hal_ops *ops;
36740 struct rtl_mod_params *mod_params;
36741 struct rtl_hal_usbint_cfg *usb_interface_cfg;
36742
36743 @@ -1533,7 +1533,7 @@ struct rtl_priv {
36744 *intf_ops : for diff interrface usb/pcie
36745 */
36746 struct rtl_hal_cfg *cfg;
36747 - struct rtl_intf_ops *intf_ops;
36748 + const struct rtl_intf_ops *intf_ops;
36749
36750 /*this var will be set by set_bit,
36751 and was used to indicate status of
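Review bot: `struct rtl_hal_cfg *cfg;` in struct rtl_priv stays a pointer to non-const while the sw.c hunks in this patch make `rtl92ce_hal_cfg` and `rtl92cu_hal_cfg` `static const`; only `intf_ops` is constified here. If the driver stores the address of one of those objects in `cfg` (likely, but the assignment is not visible), the compiler can no longer flag a write through `cfg`, which would then hit read-only data at run time. Changing the member to `const struct rtl_hal_cfg *cfg;` would keep the type system in step with the objects. The same applies to `char *name;` and `char *fw_name;` in struct rtl_hal_cfg in the previous hunk, which the sw.c hunks initialise from string literals.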
36752 diff -urNp linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c
36753 --- linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-19 00:06:34.000000000 -0400
36754 +++ linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-22 19:36:32.000000000 -0400
36755 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
36756 u32 chunk_len;
36757 int i;
36758
36759 + pax_track_stack();
36760 +
36761 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
36762
36763 spi_message_init(&m);
36764 diff -urNp linux-2.6.39.3/drivers/net/xen-netback/interface.c linux-2.6.39.3/drivers/net/xen-netback/interface.c
36765 --- linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-19 00:06:34.000000000 -0400
36766 +++ linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-22 19:36:32.000000000 -0400
36767 @@ -273,7 +273,7 @@ static void xenvif_get_strings(struct ne
36768 }
36769 }
36770
36771 -static struct ethtool_ops xenvif_ethtool_ops = {
36772 +static const struct ethtool_ops xenvif_ethtool_ops = {
36773 .get_tx_csum = ethtool_op_get_tx_csum,
36774 .set_tx_csum = xenvif_set_tx_csum,
36775 .get_sg = ethtool_op_get_sg,
36776 diff -urNp linux-2.6.39.3/drivers/net/xilinx_emaclite.c linux-2.6.39.3/drivers/net/xilinx_emaclite.c
36777 --- linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-19 00:06:34.000000000 -0400
36778 +++ linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-22 19:36:32.000000000 -0400
36779 @@ -1085,7 +1085,7 @@ static bool get_bool(struct platform_dev
36780 }
36781 }
36782
36783 -static struct net_device_ops xemaclite_netdev_ops;
36784 +static const struct net_device_ops xemaclite_netdev_ops;
36785
36786 /**
36787 * xemaclite_of_probe - Probe method for the Emaclite device.
36788 @@ -1264,7 +1264,7 @@ xemaclite_poll_controller(struct net_dev
36789 }
36790 #endif
36791
36792 -static struct net_device_ops xemaclite_netdev_ops = {
36793 +static const struct net_device_ops xemaclite_netdev_ops = {
36794 .ndo_open = xemaclite_open,
36795 .ndo_stop = xemaclite_close,
36796 .ndo_start_xmit = xemaclite_send,
36797 diff -urNp linux-2.6.39.3/drivers/nfc/pn544.c linux-2.6.39.3/drivers/nfc/pn544.c
36798 --- linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-19 00:06:34.000000000 -0400
36799 +++ linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-22 19:36:32.000000000 -0400
36800 @@ -89,7 +89,7 @@ static ssize_t pn544_test(struct device
36801
36802 static int pn544_enable(struct pn544_info *info, int mode)
36803 {
36804 - struct pn544_nfc_platform_data *pdata;
36805 + const struct pn544_nfc_platform_data *pdata;
36806 struct i2c_client *client = info->i2c_dev;
36807
36808 int r;
36809 @@ -118,7 +118,7 @@ static int pn544_enable(struct pn544_inf
36810
36811 static void pn544_disable(struct pn544_info *info)
36812 {
36813 - struct pn544_nfc_platform_data *pdata;
36814 + const struct pn544_nfc_platform_data *pdata;
36815 struct i2c_client *client = info->i2c_dev;
36816
36817 pdata = client->dev.platform_data;
36818 @@ -509,7 +509,7 @@ static long pn544_ioctl(struct file *fil
36819 struct pn544_info *info = container_of(file->private_data,
36820 struct pn544_info, miscdev);
36821 struct i2c_client *client = info->i2c_dev;
36822 - struct pn544_nfc_platform_data *pdata;
36823 + const struct pn544_nfc_platform_data *pdata;
36824 unsigned int val;
36825 int r = 0;
36826
36827 @@ -715,7 +715,7 @@ static int __devinit pn544_probe(struct
36828 const struct i2c_device_id *id)
36829 {
36830 struct pn544_info *info;
36831 - struct pn544_nfc_platform_data *pdata;
36832 + const struct pn544_nfc_platform_data *pdata;
36833 int r = 0;
36834
36835 dev_dbg(&client->dev, "%s\n", __func__);
36836 diff -urNp linux-2.6.39.3/drivers/of/pdt.c linux-2.6.39.3/drivers/of/pdt.c
36837 --- linux-2.6.39.3/drivers/of/pdt.c 2011-05-19 00:06:34.000000000 -0400
36838 +++ linux-2.6.39.3/drivers/of/pdt.c 2011-05-22 19:36:32.000000000 -0400
36839 @@ -24,7 +24,7 @@
36840 #include <linux/of_pdt.h>
36841 #include <asm/prom.h>
36842
36843 -static struct of_pdt_ops *of_pdt_prom_ops __initdata;
36844 +static const struct of_pdt_ops *of_pdt_prom_ops;
36845
36846 void __initdata (*of_pdt_build_more)(struct device_node *dp,
36847 struct device_node ***nextp);
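Review bot: Dropping `__initdata` from `of_pdt_prom_ops` is a separate change from adding `const`, and nothing here explains it. The qualifier applies to the pointed-to ops rather than to the pointer itself, so the annotation could presumably stay as `static const struct of_pdt_ops *of_pdt_prom_ops __initdata;`. Without it the pointer stays resident after init, while `of_pdt_build_more` just below is still `__initdata`. If the ops structure it refers to lives in init memory, the pointer would be left dangling once that memory is freed. If the removal is deliberate, a short comment saying why would help.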
36848 diff -urNp linux-2.6.39.3/drivers/oprofile/buffer_sync.c linux-2.6.39.3/drivers/oprofile/buffer_sync.c
36849 --- linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 12:55:22.000000000 -0400
36850 +++ linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 13:00:26.000000000 -0400
36851 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
36852 if (cookie == NO_COOKIE)
36853 offset = pc;
36854 if (cookie == INVALID_COOKIE) {
36855 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36856 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36857 offset = pc;
36858 }
36859 if (cookie != last_cookie) {
36860 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
36861 /* add userspace sample */
36862
36863 if (!mm) {
36864 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36865 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36866 return 0;
36867 }
36868
36869 cookie = lookup_dcookie(mm, s->eip, &offset);
36870
36871 if (cookie == INVALID_COOKIE) {
36872 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36873 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36874 return 0;
36875 }
36876
36877 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
36878 /* ignore backtraces if failed to add a sample */
36879 if (state == sb_bt_start) {
36880 state = sb_bt_ignore;
36881 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36882 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36883 }
36884 }
36885 release_mm(mm);
36886 diff -urNp linux-2.6.39.3/drivers/oprofile/event_buffer.c linux-2.6.39.3/drivers/oprofile/event_buffer.c
36887 --- linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-19 00:06:34.000000000 -0400
36888 +++ linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-22 19:36:32.000000000 -0400
36889 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36890 }
36891
36892 if (buffer_pos == buffer_size) {
36893 - atomic_inc(&oprofile_stats.event_lost_overflow);
36894 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36895 return;
36896 }
36897
36898 diff -urNp linux-2.6.39.3/drivers/oprofile/oprof.c linux-2.6.39.3/drivers/oprofile/oprof.c
36899 --- linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-19 00:06:34.000000000 -0400
36900 +++ linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-22 19:36:32.000000000 -0400
36901 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36902 if (oprofile_ops.switch_events())
36903 return;
36904
36905 - atomic_inc(&oprofile_stats.multiplex_counter);
36906 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36907 start_switch_worker();
36908 }
36909
36910 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofilefs.c linux-2.6.39.3/drivers/oprofile/oprofilefs.c
36911 --- linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-19 00:06:34.000000000 -0400
36912 +++ linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-22 19:36:32.000000000 -0400
36913 @@ -186,7 +186,7 @@ static const struct file_operations atom
36914
36915
36916 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36917 - char const *name, atomic_t *val)
36918 + char const *name, atomic_unchecked_t *val)
36919 {
36920 return __oprofilefs_create_file(sb, root, name,
36921 &atomic_ro_fops, 0444, val);
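Review bot: The new `atomic_unchecked_t *val` is handed to `__oprofilefs_create_file` as its data argument, presumably as an untyped pointer. If so, the compiler will not notice if the read handler behind `atomic_ro_fops` still treats it as `atomic_t`. That handler is not part of this section's single hunk. To match, it should take an `atomic_unchecked_t *` and read it with `atomic_read_unchecked()`.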
36922 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.c linux-2.6.39.3/drivers/oprofile/oprofile_stats.c
36923 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-19 00:06:34.000000000 -0400
36924 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-22 19:36:32.000000000 -0400
36925 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36926 cpu_buf->sample_invalid_eip = 0;
36927 }
36928
36929 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36930 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36931 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36932 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36933 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36934 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36935 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36936 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36937 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36938 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36939 }
36940
36941
36942 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.h linux-2.6.39.3/drivers/oprofile/oprofile_stats.h
36943 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-19 00:06:34.000000000 -0400
36944 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-22 19:36:32.000000000 -0400
36945 @@ -13,11 +13,11 @@
36946 #include <asm/atomic.h>
36947
36948 struct oprofile_stat_struct {
36949 - atomic_t sample_lost_no_mm;
36950 - atomic_t sample_lost_no_mapping;
36951 - atomic_t bt_lost_no_mapping;
36952 - atomic_t event_lost_overflow;
36953 - atomic_t multiplex_counter;
36954 + atomic_unchecked_t sample_lost_no_mm;
36955 + atomic_unchecked_t sample_lost_no_mapping;
36956 + atomic_unchecked_t bt_lost_no_mapping;
36957 + atomic_unchecked_t event_lost_overflow;
36958 + atomic_unchecked_t multiplex_counter;
36959 };
36960
36961 extern struct oprofile_stat_struct oprofile_stats;
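Review bot: The switch of all five counters to `atomic_unchecked_t` carries no comment saying why they are exempt from overflow checking. Judging by the field names and the `atomic_inc_unchecked` call sites in the oprofile hunks above, they look like statistics that may wrap harmlessly rather than reference counts. A line above the struct such as `/* statistics only, may wrap: not reference counts */` would record that for the next reader.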
36962 diff -urNp linux-2.6.39.3/drivers/parisc/dino.c linux-2.6.39.3/drivers/parisc/dino.c
36963 --- linux-2.6.39.3/drivers/parisc/dino.c 2011-05-19 00:06:34.000000000 -0400
36964 +++ linux-2.6.39.3/drivers/parisc/dino.c 2011-05-22 19:36:32.000000000 -0400
36965 @@ -238,7 +238,7 @@ static int dino_cfg_write(struct pci_bus
36966 return 0;
36967 }
36968
36969 -static struct pci_ops dino_cfg_ops = {
36970 +static const struct pci_ops dino_cfg_ops = {
36971 .read = dino_cfg_read,
36972 .write = dino_cfg_write,
36973 };
36974 diff -urNp linux-2.6.39.3/drivers/parisc/lba_pci.c linux-2.6.39.3/drivers/parisc/lba_pci.c
36975 --- linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-19 00:06:34.000000000 -0400
36976 +++ linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-22 19:36:32.000000000 -0400
36977 @@ -468,7 +468,7 @@ static int elroy_cfg_write(struct pci_bu
36978 }
36979
36980
36981 -static struct pci_ops elroy_cfg_ops = {
36982 +static const struct pci_ops elroy_cfg_ops = {
36983 .read = elroy_cfg_read,
36984 .write = elroy_cfg_write,
36985 };
36986 @@ -541,7 +541,7 @@ static int mercury_cfg_write(struct pci_
36987 return 0;
36988 }
36989
36990 -static struct pci_ops mercury_cfg_ops = {
36991 +static const struct pci_ops mercury_cfg_ops = {
36992 .read = mercury_cfg_read,
36993 .write = mercury_cfg_write,
36994 };
36995 @@ -1405,7 +1405,7 @@ lba_driver_probe(struct parisc_device *d
36996 {
36997 struct lba_device *lba_dev;
36998 struct pci_bus *lba_bus;
36999 - struct pci_ops *cfg_ops;
37000 + const struct pci_ops *cfg_ops;
37001 u32 func_class;
37002 void *tmp_obj;
37003 char *version;
37004 diff -urNp linux-2.6.39.3/drivers/parport/procfs.c linux-2.6.39.3/drivers/parport/procfs.c
37005 --- linux-2.6.39.3/drivers/parport/procfs.c 2011-05-19 00:06:34.000000000 -0400
37006 +++ linux-2.6.39.3/drivers/parport/procfs.c 2011-05-22 19:36:32.000000000 -0400
37007 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
37008
37009 *ppos += len;
37010
37011 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
37012 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
37013 }
37014
37015 #ifdef CONFIG_PARPORT_1284
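Review bot: The added bound `len > sizeof buffer` is evaluated only after `*ppos += len;` has run, so a read rejected with -EFAULT still advances the file position by the bad length. Testing first, with `if (len > sizeof buffer) return -EFAULT;` placed above the `*ppos` update, avoids that; the same applies to the identical change in do_autoprobe in the next hunk. The code that computes `len` and fills `buffer` is outside both hunks. If `len` can really exceed the buffer there, the overrun has already happened by this point, and the check only limits what is copied out to user space. A comment stating that intent would help.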
37016 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
37017
37018 *ppos += len;
37019
37020 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37021 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37022 }
37023 #endif /* IEEE1284.3 support. */
37024
37025 diff -urNp linux-2.6.39.3/drivers/pci/access.c linux-2.6.39.3/drivers/pci/access.c
37026 --- linux-2.6.39.3/drivers/pci/access.c 2011-05-19 00:06:34.000000000 -0400
37027 +++ linux-2.6.39.3/drivers/pci/access.c 2011-05-22 19:36:32.000000000 -0400
37028 @@ -74,9 +74,9 @@ EXPORT_SYMBOL(pci_bus_write_config_dword
37029 *
37030 * Return previous raw operations
37031 */
37032 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops)
37033 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops)
37034 {
37035 - struct pci_ops *old_ops;
37036 + const struct pci_ops *old_ops;
37037 unsigned long flags;
37038
37039 raw_spin_lock_irqsave(&pci_lock, flags);
37040 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c
37041 --- linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-19 00:06:34.000000000 -0400
37042 +++ linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-22 19:36:32.000000000 -0400
37043 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
37044 }
37045
37046
37047 -static struct acpi_dock_ops acpiphp_dock_ops = {
37048 +static const struct acpi_dock_ops acpiphp_dock_ops = {
37049 .handler = handle_hotplug_event_func,
37050 };
37051
37052 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c
37053 --- linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-19 00:06:34.000000000 -0400
37054 +++ linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-22 19:36:32.000000000 -0400
37055 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37056
37057 void compaq_nvram_init (void __iomem *rom_start)
37058 {
37059 +
37060 +#ifndef CONFIG_PAX_KERNEXEC
37061 if (rom_start) {
37062 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37063 }
37064 +#endif
37065 +
37066 dbg("int15 entry = %p\n", compaq_int15_entry_point);
37067
37068 /* initialize our int15 lock */
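Review bot: With `CONFIG_PAX_KERNEXEC` set, `compaq_int15_entry_point` is never assigned here, yet the function still prints it and goes on to initialise the int15 lock as if the entry point were usable. Whether later users of the entry point cope with it being unset cannot be seen from this hunk. The `#ifndef` deserves a comment explaining why the ROM entry point must stay unset under KERNEXEC, and ideally a log line saying the int15 path is disabled in that configuration. The blank line added directly after the opening brace can be dropped.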
37069 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp.h linux-2.6.39.3/drivers/pci/hotplug/shpchp.h
37070 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-19 00:06:34.000000000 -0400
37071 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-22 19:36:32.000000000 -0400
37072 @@ -86,7 +86,7 @@ struct slot {
37073 u8 presence_save;
37074 u8 pwr_save;
37075 struct controller *ctrl;
37076 - struct hpc_ops *hpc_ops;
37077 + const struct hpc_ops *hpc_ops;
37078 struct hotplug_slot *hotplug_slot;
37079 struct list_head slot_list;
37080 struct delayed_work work; /* work for button event */
37081 @@ -107,7 +107,7 @@ struct controller {
37082 int slot_num_inc; /* 1 or -1 */
37083 struct pci_dev *pci_dev;
37084 struct list_head slot_list;
37085 - struct hpc_ops *hpc_ops;
37086 + const struct hpc_ops *hpc_ops;
37087 wait_queue_head_t queue; /* sleep & wake process */
37088 u8 slot_device_offset;
37089 u32 pcix_misc2_reg; /* for amd pogo errata */
37090 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c
37091 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-19 00:06:34.000000000 -0400
37092 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-22 19:36:32.000000000 -0400
37093 @@ -910,7 +910,7 @@ static int shpc_get_max_bus_speed(struct
37094 return retval;
37095 }
37096
37097 -static struct hpc_ops shpchp_hpc_ops = {
37098 +static const struct hpc_ops shpchp_hpc_ops = {
37099 .power_on_slot = hpc_power_on_slot,
37100 .slot_enable = hpc_slot_enable,
37101 .slot_disable = hpc_slot_disable,
37102 diff -urNp linux-2.6.39.3/drivers/pci/intel-iommu.c linux-2.6.39.3/drivers/pci/intel-iommu.c
37103 --- linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 12:55:22.000000000 -0400
37104 +++ linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 13:00:26.000000000 -0400
37105 @@ -393,7 +393,7 @@ static int intel_iommu_strict;
37106 static DEFINE_SPINLOCK(device_domain_lock);
37107 static LIST_HEAD(device_domain_list);
37108
37109 -static struct iommu_ops intel_iommu_ops;
37110 +static const struct iommu_ops intel_iommu_ops;
37111
37112 static int __init intel_iommu_setup(char *str)
37113 {
37114 @@ -2964,7 +2964,7 @@ static int intel_mapping_error(struct de
37115 return !dma_addr;
37116 }
37117
37118 -struct dma_map_ops intel_dma_ops = {
37119 +const struct dma_map_ops intel_dma_ops = {
37120 .alloc_coherent = intel_alloc_coherent,
37121 .free_coherent = intel_free_coherent,
37122 .map_sg = intel_map_sg,
37123 @@ -3761,7 +3761,7 @@ static int intel_iommu_domain_has_cap(st
37124 return 0;
37125 }
37126
37127 -static struct iommu_ops intel_iommu_ops = {
37128 +static const struct iommu_ops intel_iommu_ops = {
37129 .domain_init = intel_iommu_domain_init,
37130 .domain_destroy = intel_iommu_domain_destroy,
37131 .attach_dev = intel_iommu_attach_device,
37132 diff -urNp linux-2.6.39.3/drivers/pci/pci-acpi.c linux-2.6.39.3/drivers/pci/pci-acpi.c
37133 --- linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-19 00:06:34.000000000 -0400
37134 +++ linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-22 19:36:32.000000000 -0400
37135 @@ -332,7 +332,7 @@ static int acpi_pci_run_wake(struct pci_
37136 return 0;
37137 }
37138
37139 -static struct pci_platform_pm_ops acpi_pci_platform_pm = {
37140 +static const struct pci_platform_pm_ops acpi_pci_platform_pm = {
37141 .is_manageable = acpi_pci_power_manageable,
37142 .set_state = acpi_pci_set_power_state,
37143 .choose_state = acpi_pci_choose_state,
37144 diff -urNp linux-2.6.39.3/drivers/pci/pci.c linux-2.6.39.3/drivers/pci/pci.c
37145 --- linux-2.6.39.3/drivers/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
37146 +++ linux-2.6.39.3/drivers/pci/pci.c 2011-05-22 19:36:32.000000000 -0400
37147 @@ -480,9 +480,9 @@ pci_restore_bars(struct pci_dev *dev)
37148 pci_update_resource(dev, i);
37149 }
37150
37151 -static struct pci_platform_pm_ops *pci_platform_pm;
37152 +static const struct pci_platform_pm_ops *pci_platform_pm;
37153
37154 -int pci_set_platform_pm(struct pci_platform_pm_ops *ops)
37155 +int pci_set_platform_pm(const struct pci_platform_pm_ops *ops)
37156 {
37157 if (!ops->is_manageable || !ops->set_state || !ops->choose_state
37158 || !ops->sleep_wake || !ops->can_wakeup)
37159 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c
37160 --- linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-19 00:06:34.000000000 -0400
37161 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-22 19:36:32.000000000 -0400
37162 @@ -239,7 +239,7 @@ static bool find_source_device(struct pc
37163 static int report_error_detected(struct pci_dev *dev, void *data)
37164 {
37165 pci_ers_result_t vote;
37166 - struct pci_error_handlers *err_handler;
37167 + const struct pci_error_handlers *err_handler;
37168 struct aer_broadcast_data *result_data;
37169 result_data = (struct aer_broadcast_data *) data;
37170
37171 @@ -273,7 +273,7 @@ static int report_error_detected(struct
37172 static int report_mmio_enabled(struct pci_dev *dev, void *data)
37173 {
37174 pci_ers_result_t vote;
37175 - struct pci_error_handlers *err_handler;
37176 + const struct pci_error_handlers *err_handler;
37177 struct aer_broadcast_data *result_data;
37178 result_data = (struct aer_broadcast_data *) data;
37179
37180 @@ -291,7 +291,7 @@ static int report_mmio_enabled(struct pc
37181 static int report_slot_reset(struct pci_dev *dev, void *data)
37182 {
37183 pci_ers_result_t vote;
37184 - struct pci_error_handlers *err_handler;
37185 + const struct pci_error_handlers *err_handler;
37186 struct aer_broadcast_data *result_data;
37187 result_data = (struct aer_broadcast_data *) data;
37188
37189 @@ -308,7 +308,7 @@ static int report_slot_reset(struct pci_
37190
37191 static int report_resume(struct pci_dev *dev, void *data)
37192 {
37193 - struct pci_error_handlers *err_handler;
37194 + const struct pci_error_handlers *err_handler;
37195
37196 dev->error_state = pci_channel_io_normal;
37197
37198 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c
37199 --- linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-19 00:06:34.000000000 -0400
37200 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-22 19:36:32.000000000 -0400
37201 @@ -64,7 +64,7 @@ struct aer_error {
37202 struct pci_bus_ops {
37203 struct list_head list;
37204 struct pci_bus *bus;
37205 - struct pci_ops *ops;
37206 + const struct pci_ops *ops;
37207 };
37208
37209 static LIST_HEAD(einjected);
37210 @@ -110,7 +110,7 @@ static struct aer_error *__find_aer_erro
37211 }
37212
37213 /* inject_lock must be held before calling */
37214 -static struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37215 +static const struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37216 {
37217 struct pci_bus_ops *bus_ops;
37218
37219 @@ -187,7 +187,7 @@ static int pci_read_aer(struct pci_bus *
37220 u32 *sim;
37221 struct aer_error *err;
37222 unsigned long flags;
37223 - struct pci_ops *ops;
37224 + const struct pci_ops *ops;
37225 int domain;
37226
37227 spin_lock_irqsave(&inject_lock, flags);
37228 @@ -219,7 +219,7 @@ int pci_write_aer(struct pci_bus *bus, u
37229 struct aer_error *err;
37230 unsigned long flags;
37231 int rw1cs;
37232 - struct pci_ops *ops;
37233 + const struct pci_ops *ops;
37234 int domain;
37235
37236 spin_lock_irqsave(&inject_lock, flags);
37237 @@ -254,7 +254,7 @@ static struct pci_ops pci_ops_aer = {
37238
37239 static void pci_bus_ops_init(struct pci_bus_ops *bus_ops,
37240 struct pci_bus *bus,
37241 - struct pci_ops *ops)
37242 + const struct pci_ops *ops)
37243 {
37244 INIT_LIST_HEAD(&bus_ops->list);
37245 bus_ops->bus = bus;
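Review bot: `pci_ops_aer` is still declared as `static struct pci_ops pci_ops_aer = {` according to this hunk's header line, while every pointer in this file that can refer to it is now `const struct pci_ops *`. Its definition sits between the hunks and is not touched by the patch, so the one function-pointer table this file owns remains writable. Changing it to `static const struct pci_ops pci_ops_aer = {` would complete the constification, assuming nothing outside the visible hunks writes to it.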
37246 @@ -263,7 +263,7 @@ static void pci_bus_ops_init(struct pci_
37247
37248 static int pci_bus_set_aer_ops(struct pci_bus *bus)
37249 {
37250 - struct pci_ops *ops;
37251 + const struct pci_ops *ops;
37252 struct pci_bus_ops *bus_ops;
37253 unsigned long flags;
37254
37255 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aspm.c linux-2.6.39.3/drivers/pci/pcie/aspm.c
37256 --- linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-19 00:06:34.000000000 -0400
37257 +++ linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-22 19:36:32.000000000 -0400
37258 @@ -27,9 +27,9 @@
37259 #define MODULE_PARAM_PREFIX "pcie_aspm."
37260
37261 /* Note: those are not register definitions */
37262 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
37263 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
37264 -#define ASPM_STATE_L1 (4) /* L1 state */
37265 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
37266 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
37267 +#define ASPM_STATE_L1 (4U) /* L1 state */
37268 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
37269 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
37270
37271 diff -urNp linux-2.6.39.3/drivers/pci/pci.h linux-2.6.39.3/drivers/pci/pci.h
37272 --- linux-2.6.39.3/drivers/pci/pci.h 2011-05-19 00:06:34.000000000 -0400
37273 +++ linux-2.6.39.3/drivers/pci/pci.h 2011-05-22 19:36:32.000000000 -0400
37274 @@ -65,7 +65,7 @@ struct pci_platform_pm_ops {
37275 int (*run_wake)(struct pci_dev *dev, bool enable);
37276 };
37277
37278 -extern int pci_set_platform_pm(struct pci_platform_pm_ops *ops);
37279 +extern int pci_set_platform_pm(const struct pci_platform_pm_ops *ops);
37280 extern void pci_update_current_state(struct pci_dev *dev, pci_power_t state);
37281 extern void pci_disable_enabled_device(struct pci_dev *dev);
37282 extern int pci_finish_runtime_suspend(struct pci_dev *dev);
37283 diff -urNp linux-2.6.39.3/drivers/pci/probe.c linux-2.6.39.3/drivers/pci/probe.c
37284 --- linux-2.6.39.3/drivers/pci/probe.c 2011-05-19 00:06:34.000000000 -0400
37285 +++ linux-2.6.39.3/drivers/pci/probe.c 2011-05-22 19:36:32.000000000 -0400
37286 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
37287 return ret;
37288 }
37289
37290 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
37291 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
37292 struct device_attribute *attr,
37293 char *buf)
37294 {
37295 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
37296 }
37297
37298 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
37299 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
37300 struct device_attribute *attr,
37301 char *buf)
37302 {
37303 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
37304 u32 l, sz, mask;
37305 u16 orig_cmd;
37306
37307 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
37308 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
37309
37310 if (!dev->mmio_always_on) {
37311 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
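Review bot: Only one arm of the conditional is given an explicit type: `(u32)PCI_ROM_ADDRESS_MASK` is unsigned while `~0` is still a signed int, so the result type depends on the usual arithmetic conversions. Writing `mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0U;` keeps both arms the same type as `mask`. __pci_read_base begins and ends outside this hunk.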
37312 @@ -1407,7 +1407,7 @@ unsigned int __devinit pci_scan_child_bu
37313 }
37314
37315 struct pci_bus * pci_create_bus(struct device *parent,
37316 - int bus, struct pci_ops *ops, void *sysdata)
37317 + int bus, const struct pci_ops *ops, void *sysdata)
37318 {
37319 int error;
37320 struct pci_bus *b, *b2;
37321 @@ -1483,7 +1483,7 @@ err_out:
37322 }
37323
37324 struct pci_bus * __devinit pci_scan_bus_parented(struct device *parent,
37325 - int bus, struct pci_ops *ops, void *sysdata)
37326 + int bus, const struct pci_ops *ops, void *sysdata)
37327 {
37328 struct pci_bus *b;
37329
37330 diff -urNp linux-2.6.39.3/drivers/pci/proc.c linux-2.6.39.3/drivers/pci/proc.c
37331 --- linux-2.6.39.3/drivers/pci/proc.c 2011-05-19 00:06:34.000000000 -0400
37332 +++ linux-2.6.39.3/drivers/pci/proc.c 2011-05-22 19:41:37.000000000 -0400
37333 @@ -476,7 +476,16 @@ static const struct file_operations proc
37334 static int __init pci_proc_init(void)
37335 {
37336 struct pci_dev *dev = NULL;
37337 +
37338 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
37339 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37340 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
37341 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37342 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
37343 +#endif
37344 +#else
37345 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
37346 +#endif
37347 proc_create("devices", 0, proc_bus_pci_dir,
37348 &proc_bus_pci_dev_operations);
37349 proc_initialized = 1;
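Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, no branch of the added preprocessor block assigns `proc_bus_pci_dir`. The following `proc_create("devices", 0, proc_bus_pci_dir, ...)` then receives whatever the variable held before, likely NULL, and bus/pci is never created. The Kconfig dependencies may rule that combination out, but they are not visible here. The inner block should carry a fallback, either `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` or an `#error`. The body of pci_proc_init continues past the hunk.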
37350 diff -urNp linux-2.6.39.3/drivers/pci/xen-pcifront.c linux-2.6.39.3/drivers/pci/xen-pcifront.c
37351 --- linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-19 00:06:34.000000000 -0400
37352 +++ linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-22 19:36:32.000000000 -0400
37353 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
37354 struct pcifront_sd *sd = bus->sysdata;
37355 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37356
37357 + pax_track_stack();
37358 +
37359 if (verbose_request)
37360 dev_info(&pdev->xdev->dev,
37361 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
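Review bot: The added `pax_track_stack();` calls have no comment saying why these particular functions need one. This applies to pcifront_bus_read here and to pcifront_bus_write, pci_frontend_enable_msix, pci_frontend_disable_msix and pci_frontend_enable_msi in the hunks below. Each appears to keep an `op` structure on its stack, which is presumably the reason, though the declarations are outside the hunks. A one-line comment at the first call, such as `/* on-stack op structure: record stack depth for PaX stack tracking */`, would make the intent explicit and tell maintainers when a new function needs the same call.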
37362 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
37363 struct pcifront_sd *sd = bus->sysdata;
37364 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37365
37366 + pax_track_stack();
37367 +
37368 if (verbose_request)
37369 dev_info(&pdev->xdev->dev,
37370 "write dev=%04x:%02x:%02x.%01x - "
37371 @@ -236,7 +240,7 @@ static int pcifront_bus_write(struct pci
37372 return errno_to_pcibios_err(do_pci_op(pdev, &op));
37373 }
37374
37375 -struct pci_ops pcifront_bus_ops = {
37376 +const struct pci_ops pcifront_bus_ops = {
37377 .read = pcifront_bus_read,
37378 .write = pcifront_bus_write,
37379 };
37380 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
37381 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37382 struct msi_desc *entry;
37383
37384 + pax_track_stack();
37385 +
37386 if (nvec > SH_INFO_MAX_VEC) {
37387 dev_err(&dev->dev, "too much vector for pci frontend: %x."
37388 " Increase SH_INFO_MAX_VEC.\n", nvec);
37389 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
37390 struct pcifront_sd *sd = dev->bus->sysdata;
37391 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37392
37393 + pax_track_stack();
37394 +
37395 err = do_pci_op(pdev, &op);
37396
37397 /* What should do for error ? */
37398 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
37399 struct pcifront_sd *sd = dev->bus->sysdata;
37400 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37401
37402 + pax_track_stack();
37403 +
37404 err = do_pci_op(pdev, &op);
37405 if (likely(!err)) {
37406 vector[0] = op.value;
37407 @@ -368,7 +378,7 @@ static void pci_frontend_disable_msi(str
37408 printk(KERN_DEBUG "get fake response frombackend\n");
37409 }
37410
37411 -static struct xen_pci_frontend_ops pci_frontend_ops = {
37412 +static const struct xen_pci_frontend_ops pci_frontend_ops = {
37413 .enable_msi = pci_frontend_enable_msi,
37414 .disable_msi = pci_frontend_disable_msi,
37415 .enable_msix = pci_frontend_enable_msix,
37416 diff -urNp linux-2.6.39.3/drivers/pcmcia/at91_cf.c linux-2.6.39.3/drivers/pcmcia/at91_cf.c
37417 --- linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-19 00:06:34.000000000 -0400
37418 +++ linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-22 19:36:32.000000000 -0400
37419 @@ -203,7 +203,7 @@ at91_cf_set_mem_map(struct pcmcia_socket
37420 return 0;
37421 }
37422
37423 -static struct pccard_operations at91_cf_ops = {
37424 +static const struct pccard_operations at91_cf_ops = {
37425 .init = at91_cf_ss_init,
37426 .suspend = at91_cf_ss_suspend,
37427 .get_status = at91_cf_get_status,
37428 diff -urNp linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c
37429 --- linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37430 +++ linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37431 @@ -184,7 +184,7 @@ bfin_cf_set_mem_map(struct pcmcia_socket
37432 return 0;
37433 }
37434
37435 -static struct pccard_operations bfin_cf_ops = {
37436 +static const struct pccard_operations bfin_cf_ops = {
37437 .init = bfin_cf_ss_init,
37438 .suspend = bfin_cf_ss_suspend,
37439 .get_status = bfin_cf_get_status,
37440 diff -urNp linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c
37441 --- linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-19 00:06:34.000000000 -0400
37442 +++ linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-22 19:36:32.000000000 -0400
37443 @@ -384,7 +384,7 @@ static int au1x00_pcmcia_set_mem_map(str
37444 return 0;
37445 }
37446
37447 -static struct pccard_operations db1x_pcmcia_operations = {
37448 +static const struct pccard_operations db1x_pcmcia_operations = {
37449 .init = db1x_pcmcia_sock_init,
37450 .suspend = db1x_pcmcia_sock_suspend,
37451 .get_status = db1x_pcmcia_get_status,
37452 diff -urNp linux-2.6.39.3/drivers/pcmcia/electra_cf.c linux-2.6.39.3/drivers/pcmcia/electra_cf.c
37453 --- linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-19 00:06:34.000000000 -0400
37454 +++ linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-22 19:36:32.000000000 -0400
37455 @@ -173,7 +173,7 @@ static int electra_cf_set_mem_map(struct
37456 return 0;
37457 }
37458
37459 -static struct pccard_operations electra_cf_ops = {
37460 +static const struct pccard_operations electra_cf_ops = {
37461 .init = electra_cf_ss_init,
37462 .get_status = electra_cf_get_status,
37463 .set_socket = electra_cf_set_socket,
37464 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c
37465 --- linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-19 00:06:34.000000000 -0400
37466 +++ linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-22 19:36:32.000000000 -0400
37467 @@ -674,7 +674,7 @@ static int pcc_init(struct pcmcia_socket
37468 return 0;
37469 }
37470
37471 -static struct pccard_operations pcc_operations = {
37472 +static const struct pccard_operations pcc_operations = {
37473 .init = pcc_init,
37474 .get_status = pcc_get_status,
37475 .set_socket = pcc_set_socket,
37476 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c
37477 --- linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-19 00:06:34.000000000 -0400
37478 +++ linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-22 19:36:32.000000000 -0400
37479 @@ -652,7 +652,7 @@ static int pcc_init(struct pcmcia_socket
37480 return 0;
37481 }
37482
37483 -static struct pccard_operations pcc_operations = {
37484 +static const struct pccard_operations pcc_operations = {
37485 .init = pcc_init,
37486 .get_status = pcc_get_status,
37487 .set_socket = pcc_set_socket,
37488 diff -urNp linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c
37489 --- linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37490 +++ linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37491 @@ -1139,7 +1139,7 @@ static int m8xx_sock_suspend(struct pcmc
37492 return m8xx_set_socket(sock, &dead_socket);
37493 }
37494
37495 -static struct pccard_operations m8xx_services = {
37496 +static const struct pccard_operations m8xx_services = {
37497 .init = m8xx_sock_init,
37498 .suspend = m8xx_sock_suspend,
37499 .get_status = m8xx_get_status,
37500 diff -urNp linux-2.6.39.3/drivers/pcmcia/omap_cf.c linux-2.6.39.3/drivers/pcmcia/omap_cf.c
37501 --- linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-19 00:06:34.000000000 -0400
37502 +++ linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-22 19:36:32.000000000 -0400
37503 @@ -185,7 +185,7 @@ omap_cf_set_mem_map(struct pcmcia_socket
37504 return 0;
37505 }
37506
37507 -static struct pccard_operations omap_cf_ops = {
37508 +static const struct pccard_operations omap_cf_ops = {
37509 .init = omap_cf_ss_init,
37510 .suspend = omap_cf_ss_suspend,
37511 .get_status = omap_cf_get_status,
37512 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c
37513 --- linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-19 00:06:34.000000000 -0400
37514 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-22 19:36:32.000000000 -0400
37515 @@ -161,7 +161,7 @@ static int iodyn_find_io(struct pcmcia_s
37516 }
37517
37518
37519 -struct pccard_resource_ops pccard_iodyn_ops = {
37520 +const struct pccard_resource_ops pccard_iodyn_ops = {
37521 .validate_mem = NULL,
37522 .find_io = iodyn_find_io,
37523 .find_mem = NULL,
37524 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c
37525 --- linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-19 00:06:34.000000000 -0400
37526 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-22 19:36:32.000000000 -0400
37527 @@ -57,7 +57,7 @@ static int static_find_io(struct pcmcia_
37528 }
37529
37530
37531 -struct pccard_resource_ops pccard_static_ops = {
37532 +const struct pccard_resource_ops pccard_static_ops = {
37533 .validate_mem = NULL,
37534 .find_io = static_find_io,
37535 .find_mem = NULL,
37536 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c
37537 --- linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-19 00:06:34.000000000 -0400
37538 +++ linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-22 19:36:32.000000000 -0400
37539 @@ -479,7 +479,7 @@ static int pccard_set_mem_map(struct pcm
37540 return 0;
37541 }
37542
37543 -static struct pccard_operations vrc4171_pccard_operations = {
37544 +static const struct pccard_operations vrc4171_pccard_operations = {
37545 .init = pccard_init,
37546 .get_status = pccard_get_status,
37547 .set_socket = pccard_set_socket,
37548 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c
37549 --- linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-19 00:06:34.000000000 -0400
37550 +++ linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-22 19:36:32.000000000 -0400
37551 @@ -384,7 +384,7 @@ static void cardu_proc_setup(unsigned in
37552 {
37553 }
37554
37555 -static struct pccard_operations cardu_operations = {
37556 +static const struct pccard_operations cardu_operations = {
37557 .init = cardu_init,
37558 .register_callback = cardu_register_callback,
37559 .inquire_socket = cardu_inquire_socket,
37560 diff -urNp linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c
37561 --- linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-19 00:06:34.000000000 -0400
37562 +++ linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-22 19:36:32.000000000 -0400
37563 @@ -196,7 +196,7 @@ static int au1x00_pcmcia_set_mem_map(str
37564 return 0;
37565 }
37566
37567 -static struct pccard_operations xxs1500_pcmcia_operations = {
37568 +static const struct pccard_operations xxs1500_pcmcia_operations = {
37569 .init = xxs1500_pcmcia_sock_init,
37570 .suspend = xxs1500_pcmcia_sock_suspend,
37571 .get_status = xxs1500_pcmcia_get_status,
37572 diff -urNp linux-2.6.39.3/drivers/platform/x86/acerhdf.c linux-2.6.39.3/drivers/platform/x86/acerhdf.c
37573 --- linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-19 00:06:34.000000000 -0400
37574 +++ linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-22 19:36:32.000000000 -0400
37575 @@ -406,7 +406,7 @@ static int acerhdf_get_crit_temp(struct
37576 }
37577
37578 /* bind callback functions to thermalzone */
37579 -static struct thermal_zone_device_ops acerhdf_dev_ops = {
37580 +static const struct thermal_zone_device_ops acerhdf_dev_ops = {
37581 .bind = acerhdf_bind,
37582 .unbind = acerhdf_unbind,
37583 .get_temp = acerhdf_get_ec_temp,
37584 @@ -481,7 +481,7 @@ err_out:
37585 }
37586
37587 /* bind fan callbacks to fan device */
37588 -static struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37589 +static const struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37590 .get_max_state = acerhdf_get_max_state,
37591 .get_cur_state = acerhdf_get_cur_state,
37592 .set_cur_state = acerhdf_set_cur_state,
37593 diff -urNp linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c
37594 --- linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-19 00:06:34.000000000 -0400
37595 +++ linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-22 19:36:32.000000000 -0400
37596 @@ -207,7 +207,7 @@ static int ideapad_rfk_set(void *data, b
37597 return write_ec_cmd(ideapad_handle, opcode, !blocked);
37598 }
37599
37600 -static struct rfkill_ops ideapad_rfk_ops = {
37601 +static const struct rfkill_ops ideapad_rfk_ops = {
37602 .set_block = ideapad_rfk_set,
37603 };
37604
37605 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_menlow.c linux-2.6.39.3/drivers/platform/x86/intel_menlow.c
37606 --- linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-19 00:06:34.000000000 -0400
37607 +++ linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-22 19:36:32.000000000 -0400
37608 @@ -143,7 +143,7 @@ static int memory_set_cur_bandwidth(stru
37609 return 0;
37610 }
37611
37612 -static struct thermal_cooling_device_ops memory_cooling_ops = {
37613 +static const struct thermal_cooling_device_ops memory_cooling_ops = {
37614 .get_max_state = memory_get_max_bandwidth,
37615 .get_cur_state = memory_get_cur_bandwidth,
37616 .set_cur_state = memory_set_cur_bandwidth,
37617 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c
37618 --- linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-19 00:06:34.000000000 -0400
37619 +++ linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-22 19:36:32.000000000 -0400
37620 @@ -458,7 +458,7 @@ static int read_curr_temp(struct thermal
37621 }
37622
37623 /* Can't be const */
37624 -static struct thermal_zone_device_ops tzd_ops = {
37625 +static const struct thermal_zone_device_ops tzd_ops = {
37626 .get_temp = read_curr_temp,
37627 };
37628
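Review bot: The context comment `/* Can't be const */` directly above `tzd_ops` now contradicts the declaration, which this hunk turns into `static const struct thermal_zone_device_ops`. Either the comment is stale and should be dropped in the same change, or it records a real constraint (for example a registration call that takes a non-const pointer), in which case the qualifier would be discarded where `tzd_ops` is passed on. The registration site is outside the hunk, so this needs checking there. If the constraint no longer holds, replace the comment with something like `/* read-only after build: callbacks are never reassigned */`.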
37629 diff -urNp linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c
37630 --- linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-19 00:06:34.000000000 -0400
37631 +++ linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-22 19:36:32.000000000 -0400
37632 @@ -419,7 +419,7 @@ static int rfkill_set(void *data, bool b
37633 return 0;
37634 }
37635
37636 -static struct rfkill_ops rfkill_ops = {
37637 +static const struct rfkill_ops rfkill_ops = {
37638 .set_block = rfkill_set,
37639 };
37640
37641 diff -urNp linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c
37642 --- linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-19 00:06:34.000000000 -0400
37643 +++ linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-22 19:36:32.000000000 -0400
37644 @@ -59,7 +59,7 @@ do { \
37645 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37646 } while(0)
37647
37648 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37649 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37650 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37651
37652 /*
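Review bot: The flags argument of `bad_bios_desc` changes from `0x4092` to `0x4093` with no comment, and the reason cannot be read off the declaration. Bit 0 of the access byte is the descriptor's accessed bit; pre-setting it presumably keeps the CPU from writing to the GDT when the selector is loaded. That would matter once the table is only writable inside the `pax_open_kernel()` windows added further down in this file. I would add a comment above the definition, e.g. `/* 0x93: read/write data with the accessed bit pre-set, so loading the selector never writes the GDT */`.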
37653 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
37654
37655 cpu = get_cpu();
37656 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37657 +
37658 + pax_open_kernel();
37659 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37660 + pax_close_kernel();
37661
37662 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37663 spin_lock_irqsave(&pnp_bios_lock, flags);
37664 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
37665 :"memory");
37666 spin_unlock_irqrestore(&pnp_bios_lock, flags);
37667
37668 + pax_open_kernel();
37669 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37670 + pax_close_kernel();
37671 +
37672 put_cpu();
37673
37674 /* If we get here and this is set then the PnP BIOS faulted on us. */
37675 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
37676 return status;
37677 }
37678
37679 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
37680 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37681 {
37682 int i;
37683
37684 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
37685 pnp_bios_callpoint.offset = header->fields.pm16offset;
37686 pnp_bios_callpoint.segment = PNP_CS16;
37687
37688 + pax_open_kernel();
37689 +
37690 for_each_possible_cpu(i) {
37691 struct desc_struct *gdt = get_cpu_gdt_table(i);
37692 if (!gdt)
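Review bot: The `pax_open_kernel()` added here is only closed by the `pax_close_kernel()` in the next hunk, so the writable window covers the whole `for_each_possible_cpu` loop, part of which lies outside both hunks. Any exit from pnpbios_calls_init between the two calls would leave kernel memory writable, so the unseen loop body should be checked for a `return` or `goto`. A comment at the open call would make the pairing explicit, e.g. `/* GDT is read-only: keep every exit path below going through pax_close_kernel() */`. The hunk above also marks this non-static function `__init`, which is only safe if every caller runs at init time; the callers are not visible here.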
37693 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
37694 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37695 (unsigned long)__va(header->fields.pm16dseg));
37696 }
37697 +
37698 + pax_close_kernel();
37699 }
37700 diff -urNp linux-2.6.39.3/drivers/pnp/resource.c linux-2.6.39.3/drivers/pnp/resource.c
37701 --- linux-2.6.39.3/drivers/pnp/resource.c 2011-05-19 00:06:34.000000000 -0400
37702 +++ linux-2.6.39.3/drivers/pnp/resource.c 2011-05-22 19:36:32.000000000 -0400
37703 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37704 return 1;
37705
37706 /* check if the resource is valid */
37707 - if (*irq < 0 || *irq > 15)
37708 + if (*irq > 15)
37709 return 0;
37710
37711 /* check if the resource is reserved */
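Review bot: With the `*irq < 0` test dropped, the validity check in pnp_check_irq relies entirely on `*irq` having an unsigned type, so that a wrapped negative value lands above 15. The declaration of `irq` is outside the hunk, so that is an assumption to confirm. The same applies to `*dma` in the pnp_check_dma hunk that follows. A short comment would keep a later type change from silently removing the lower bound: `/* *irq is unsigned, so only the upper bound needs checking */`.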
37712 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37713 return 1;
37714
37715 /* check if the resource is valid */
37716 - if (*dma < 0 || *dma == 4 || *dma > 7)
37717 + if (*dma == 4 || *dma > 7)
37718 return 0;
37719
37720 /* check if the resource is reserved */
37721 diff -urNp linux-2.6.39.3/drivers/power/max8925_power.c linux-2.6.39.3/drivers/power/max8925_power.c
37722 --- linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-19 00:06:34.000000000 -0400
37723 +++ linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-22 19:36:32.000000000 -0400
37724 @@ -426,7 +426,7 @@ static __devinit int max8925_power_probe
37725 {
37726 struct max8925_chip *chip = dev_get_drvdata(pdev->dev.parent);
37727 struct max8925_platform_data *max8925_pdata;
37728 - struct max8925_power_pdata *pdata = NULL;
37729 + const struct max8925_power_pdata *pdata = NULL;
37730 struct max8925_power_info *info;
37731 int ret;
37732
37733 diff -urNp linux-2.6.39.3/drivers/regulator/core.c linux-2.6.39.3/drivers/regulator/core.c
37734 --- linux-2.6.39.3/drivers/regulator/core.c 2011-05-19 00:06:34.000000000 -0400
37735 +++ linux-2.6.39.3/drivers/regulator/core.c 2011-05-22 19:36:32.000000000 -0400
37736 @@ -2883,7 +2883,7 @@ core_initcall(regulator_init);
37737 static int __init regulator_init_complete(void)
37738 {
37739 struct regulator_dev *rdev;
37740 - struct regulator_ops *ops;
37741 + const struct regulator_ops *ops;
37742 struct regulation_constraints *c;
37743 int enabled, ret;
37744
37745 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c
37746 --- linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-19 00:06:34.000000000 -0400
37747 +++ linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-22 19:36:32.000000000 -0400
37748 @@ -187,7 +187,7 @@ static irqreturn_t at32_rtc_interrupt(in
37749 return ret;
37750 }
37751
37752 -static struct rtc_class_ops at32_rtc_ops = {
37753 +static const struct rtc_class_ops at32_rtc_ops = {
37754 .read_time = at32_rtc_readtime,
37755 .set_time = at32_rtc_settime,
37756 .read_alarm = at32_rtc_readalarm,
37757 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c
37758 --- linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-19 00:06:34.000000000 -0400
37759 +++ linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-22 19:36:32.000000000 -0400
37760 @@ -57,7 +57,7 @@ static int au1xtoy_rtc_set_time(struct d
37761 return 0;
37762 }
37763
37764 -static struct rtc_class_ops au1xtoy_rtc_ops = {
37765 +static const struct rtc_class_ops au1xtoy_rtc_ops = {
37766 .read_time = au1xtoy_rtc_read_time,
37767 .set_time = au1xtoy_rtc_set_time,
37768 };
37769 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-bfin.c linux-2.6.39.3/drivers/rtc/rtc-bfin.c
37770 --- linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-19 00:06:34.000000000 -0400
37771 +++ linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-22 19:36:32.000000000 -0400
37772 @@ -333,7 +333,7 @@ static int bfin_rtc_proc(struct device *
37773 #undef yesno
37774 }
37775
37776 -static struct rtc_class_ops bfin_rtc_ops = {
37777 +static const struct rtc_class_ops bfin_rtc_ops = {
37778 .read_time = bfin_rtc_read_time,
37779 .set_time = bfin_rtc_set_time,
37780 .read_alarm = bfin_rtc_read_alarm,
37781 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-coh901331.c linux-2.6.39.3/drivers/rtc/rtc-coh901331.c
37782 --- linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-19 00:06:34.000000000 -0400
37783 +++ linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-22 19:36:32.000000000 -0400
37784 @@ -142,7 +142,7 @@ static int coh901331_alarm_irq_enable(st
37785 return 0;
37786 }
37787
37788 -static struct rtc_class_ops coh901331_ops = {
37789 +static const struct rtc_class_ops coh901331_ops = {
37790 .read_time = coh901331_read_time,
37791 .set_mmss = coh901331_set_mmss,
37792 .read_alarm = coh901331_read_alarm,
37793 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-davinci.c linux-2.6.39.3/drivers/rtc/rtc-davinci.c
37794 --- linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-19 00:06:34.000000000 -0400
37795 +++ linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-22 19:36:32.000000000 -0400
37796 @@ -469,7 +469,7 @@ static int davinci_rtc_set_alarm(struct
37797 return 0;
37798 }
37799
37800 -static struct rtc_class_ops davinci_rtc_ops = {
37801 +static const struct rtc_class_ops davinci_rtc_ops = {
37802 .ioctl = davinci_rtc_ioctl,
37803 .read_time = davinci_rtc_read_time,
37804 .set_time = davinci_rtc_set_time,
37805 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dev.c linux-2.6.39.3/drivers/rtc/rtc-dev.c
37806 --- linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-19 00:06:34.000000000 -0400
37807 +++ linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-22 19:41:37.000000000 -0400
37808 @@ -14,6 +14,7 @@
37809 #include <linux/module.h>
37810 #include <linux/rtc.h>
37811 #include <linux/sched.h>
37812 +#include <linux/grsecurity.h>
37813 #include "rtc-core.h"
37814
37815 static dev_t rtc_devt;
37816 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
37817 if (copy_from_user(&tm, uarg, sizeof(tm)))
37818 return -EFAULT;
37819
37820 + gr_log_timechange();
37821 +
37822 return rtc_set_time(rtc, &tm);
37823
37824 case RTC_PIE_ON:
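Review bot: `gr_log_timechange()` runs before `rtc_set_time()`, so the audit record is written even when the set fails, and the log then shows a time change that never took effect. If the intent is to record attempts, say so in a comment such as `/* audit the attempt, whether or not the RTC accepts it */`. If only successful changes should be logged, keep the return value and log on success, e.g. `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`, using whatever result variable rtc_dev_ioctl already has. The rest of rtc_dev_ioctl is outside the hunk.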
37825 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c
37826 --- linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-19 00:06:34.000000000 -0400
37827 +++ linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-22 19:36:32.000000000 -0400
37828 @@ -115,7 +115,7 @@ static int dm355evm_rtc_set_time(struct
37829 return 0;
37830 }
37831
37832 -static struct rtc_class_ops dm355evm_rtc_ops = {
37833 +static const struct rtc_class_ops dm355evm_rtc_ops = {
37834 .read_time = dm355evm_rtc_read_time,
37835 .set_time = dm355evm_rtc_set_time,
37836 };
37837 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-ds1302.c linux-2.6.39.3/drivers/rtc/rtc-ds1302.c
37838 --- linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-19 00:06:34.000000000 -0400
37839 +++ linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-22 19:36:32.000000000 -0400
37840 @@ -199,7 +199,7 @@ static int ds1302_rtc_ioctl(struct devic
37841 return -ENOIOCTLCMD;
37842 }
37843
37844 -static struct rtc_class_ops ds1302_rtc_ops = {
37845 +static const struct rtc_class_ops ds1302_rtc_ops = {
37846 .read_time = ds1302_rtc_read_time,
37847 .set_time = ds1302_rtc_set_time,
37848 .ioctl = ds1302_rtc_ioctl,
37849 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-imxdi.c linux-2.6.39.3/drivers/rtc/rtc-imxdi.c
37850 --- linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-19 00:06:34.000000000 -0400
37851 +++ linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-22 19:36:32.000000000 -0400
37852 @@ -290,7 +290,7 @@ static int dryice_rtc_set_alarm(struct d
37853 return 0;
37854 }
37855
37856 -static struct rtc_class_ops dryice_rtc_ops = {
37857 +static const struct rtc_class_ops dryice_rtc_ops = {
37858 .read_time = dryice_rtc_read_time,
37859 .set_mmss = dryice_rtc_set_mmss,
37860 .alarm_irq_enable = dryice_rtc_alarm_irq_enable,
37861 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-jz4740.c linux-2.6.39.3/drivers/rtc/rtc-jz4740.c
37862 --- linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-19 00:06:34.000000000 -0400
37863 +++ linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-22 19:36:32.000000000 -0400
37864 @@ -174,7 +174,7 @@ static int jz4740_rtc_alarm_irq_enable(s
37865 return jz4740_rtc_ctrl_set_bits(rtc, JZ_RTC_CTRL_AF_IRQ, enable);
37866 }
37867
37868 -static struct rtc_class_ops jz4740_rtc_ops = {
37869 +static const struct rtc_class_ops jz4740_rtc_ops = {
37870 .read_time = jz4740_rtc_read_time,
37871 .set_mmss = jz4740_rtc_set_mmss,
37872 .read_alarm = jz4740_rtc_read_alarm,
37873 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-m41t80.c linux-2.6.39.3/drivers/rtc/rtc-m41t80.c
37874 --- linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-19 00:06:34.000000000 -0400
37875 +++ linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-22 19:36:32.000000000 -0400
37876 @@ -354,7 +354,7 @@ static int m41t80_rtc_read_alarm(struct
37877 return 0;
37878 }
37879
37880 -static struct rtc_class_ops m41t80_rtc_ops = {
37881 +static const struct rtc_class_ops m41t80_rtc_ops = {
37882 .read_time = m41t80_rtc_read_time,
37883 .set_time = m41t80_rtc_set_time,
37884 .read_alarm = m41t80_rtc_read_alarm,
37885 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-mxc.c linux-2.6.39.3/drivers/rtc/rtc-mxc.c
37886 --- linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-19 00:06:34.000000000 -0400
37887 +++ linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-22 19:36:32.000000000 -0400
37888 @@ -355,7 +355,7 @@ static int mxc_rtc_set_alarm(struct devi
37889 }
37890
37891 /* RTC layer */
37892 -static struct rtc_class_ops mxc_rtc_ops = {
37893 +static const struct rtc_class_ops mxc_rtc_ops = {
37894 .release = mxc_rtc_release,
37895 .read_time = mxc_rtc_read_time,
37896 .set_mmss = mxc_rtc_set_mmss,
37897 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-nuc900.c linux-2.6.39.3/drivers/rtc/rtc-nuc900.c
37898 --- linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-19 00:06:34.000000000 -0400
37899 +++ linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-22 19:36:32.000000000 -0400
37900 @@ -214,7 +214,7 @@ static int nuc900_rtc_set_alarm(struct d
37901 return 0;
37902 }
37903
37904 -static struct rtc_class_ops nuc900_rtc_ops = {
37905 +static const struct rtc_class_ops nuc900_rtc_ops = {
37906 .read_time = nuc900_rtc_read_time,
37907 .set_time = nuc900_rtc_set_time,
37908 .read_alarm = nuc900_rtc_read_alarm,
37909 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-omap.c linux-2.6.39.3/drivers/rtc/rtc-omap.c
37910 --- linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-19 00:06:34.000000000 -0400
37911 +++ linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-22 19:36:32.000000000 -0400
37912 @@ -274,7 +274,7 @@ static int omap_rtc_set_alarm(struct dev
37913 return 0;
37914 }
37915
37916 -static struct rtc_class_ops omap_rtc_ops = {
37917 +static const struct rtc_class_ops omap_rtc_ops = {
37918 .read_time = omap_rtc_read_time,
37919 .set_time = omap_rtc_set_time,
37920 .read_alarm = omap_rtc_read_alarm,
37921 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c
37922 --- linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-19 00:06:34.000000000 -0400
37923 +++ linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-22 19:36:32.000000000 -0400
37924 @@ -238,7 +238,7 @@ static int pcf50633_rtc_set_alarm(struct
37925 return ret;
37926 }
37927
37928 -static struct rtc_class_ops pcf50633_rtc_ops = {
37929 +static const struct rtc_class_ops pcf50633_rtc_ops = {
37930 .read_time = pcf50633_rtc_read_time,
37931 .set_time = pcf50633_rtc_set_time,
37932 .read_alarm = pcf50633_rtc_read_alarm,
37933 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pl031.c linux-2.6.39.3/drivers/rtc/rtc-pl031.c
37934 --- linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-19 00:06:34.000000000 -0400
37935 +++ linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-22 19:36:32.000000000 -0400
37936 @@ -374,7 +374,7 @@ err_req:
37937 }
37938
37939 /* Operations for the original ARM version */
37940 -static struct rtc_class_ops arm_pl031_ops = {
37941 +static const struct rtc_class_ops arm_pl031_ops = {
37942 .read_time = pl031_read_time,
37943 .set_time = pl031_set_time,
37944 .read_alarm = pl031_read_alarm,
37945 @@ -383,7 +383,7 @@ static struct rtc_class_ops arm_pl031_op
37946 };
37947
37948 /* The First ST derivative */
37949 -static struct rtc_class_ops stv1_pl031_ops = {
37950 +static const struct rtc_class_ops stv1_pl031_ops = {
37951 .read_time = pl031_read_time,
37952 .set_time = pl031_set_time,
37953 .read_alarm = pl031_read_alarm,
37954 @@ -392,7 +392,7 @@ static struct rtc_class_ops stv1_pl031_o
37955 };
37956
37957 /* And the second ST derivative */
37958 -static struct rtc_class_ops stv2_pl031_ops = {
37959 +static const struct rtc_class_ops stv2_pl031_ops = {
37960 .read_time = pl031_stv2_read_time,
37961 .set_time = pl031_stv2_set_time,
37962 .read_alarm = pl031_stv2_read_alarm,
37963 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-rx8025.c linux-2.6.39.3/drivers/rtc/rtc-rx8025.c
37964 --- linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-19 00:06:34.000000000 -0400
37965 +++ linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-22 19:36:32.000000000 -0400
37966 @@ -424,7 +424,7 @@ static int rx8025_alarm_irq_enable(struc
37967 return 0;
37968 }
37969
37970 -static struct rtc_class_ops rx8025_rtc_ops = {
37971 +static const struct rtc_class_ops rx8025_rtc_ops = {
37972 .read_time = rx8025_get_time,
37973 .set_time = rx8025_set_time,
37974 .read_alarm = rx8025_read_alarm,
37975 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-sh.c linux-2.6.39.3/drivers/rtc/rtc-sh.c
37976 --- linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-19 00:06:34.000000000 -0400
37977 +++ linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-22 19:36:32.000000000 -0400
37978 @@ -576,7 +576,7 @@ static int sh_rtc_set_alarm(struct devic
37979 return 0;
37980 }
37981
37982 -static struct rtc_class_ops sh_rtc_ops = {
37983 +static const struct rtc_class_ops sh_rtc_ops = {
37984 .read_time = sh_rtc_read_time,
37985 .set_time = sh_rtc_set_time,
37986 .read_alarm = sh_rtc_read_alarm,
37987 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c
37988 --- linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-19 00:06:34.000000000 -0400
37989 +++ linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-22 19:36:32.000000000 -0400
37990 @@ -133,7 +133,7 @@ static int stmp3xxx_rtc_set_alarm(struct
37991 return 0;
37992 }
37993
37994 -static struct rtc_class_ops stmp3xxx_rtc_ops = {
37995 +static const struct rtc_class_ops stmp3xxx_rtc_ops = {
37996 .alarm_irq_enable =
37997 stmp3xxx_alarm_irq_enable,
37998 .read_time = stmp3xxx_rtc_gettime,
37999 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-tegra.c linux-2.6.39.3/drivers/rtc/rtc-tegra.c
38000 --- linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-19 00:06:34.000000000 -0400
38001 +++ linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-22 19:36:32.000000000 -0400
38002 @@ -294,7 +294,7 @@ static irqreturn_t tegra_rtc_irq_handler
38003 return IRQ_HANDLED;
38004 }
38005
38006 -static struct rtc_class_ops tegra_rtc_ops = {
38007 +static const struct rtc_class_ops tegra_rtc_ops = {
38008 .read_time = tegra_rtc_read_time,
38009 .set_time = tegra_rtc_set_time,
38010 .read_alarm = tegra_rtc_read_alarm,
38011 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-twl.c linux-2.6.39.3/drivers/rtc/rtc-twl.c
38012 --- linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-19 00:06:34.000000000 -0400
38013 +++ linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-22 19:36:32.000000000 -0400
38014 @@ -415,7 +415,7 @@ out:
38015 return ret;
38016 }
38017
38018 -static struct rtc_class_ops twl_rtc_ops = {
38019 +static const struct rtc_class_ops twl_rtc_ops = {
38020 .read_time = twl_rtc_read_time,
38021 .set_time = twl_rtc_set_time,
38022 .read_alarm = twl_rtc_read_alarm,
38023 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-v3020.c linux-2.6.39.3/drivers/rtc/rtc-v3020.c
38024 --- linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-19 00:06:34.000000000 -0400
38025 +++ linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-22 19:36:32.000000000 -0400
38026 @@ -62,7 +62,7 @@ struct v3020 {
38027 /* GPIO access */
38028 struct v3020_gpio *gpio;
38029
38030 - struct v3020_chip_ops *ops;
38031 + const struct v3020_chip_ops *ops;
38032
38033 struct rtc_device *rtc;
38034 };
38035 @@ -100,7 +100,7 @@ static unsigned char v3020_mmio_read_bit
38036 return !!(readl(chip->ioaddress) & (1 << chip->leftshift));
38037 }
38038
38039 -static struct v3020_chip_ops v3020_mmio_ops = {
38040 +static const struct v3020_chip_ops v3020_mmio_ops = {
38041 .map_io = v3020_mmio_map,
38042 .unmap_io = v3020_mmio_unmap,
38043 .read_bit = v3020_mmio_read_bit,
38044 @@ -177,7 +177,7 @@ static unsigned char v3020_gpio_read_bit
38045 return bit;
38046 }
38047
38048 -static struct v3020_chip_ops v3020_gpio_ops = {
38049 +static const struct v3020_chip_ops v3020_gpio_ops = {
38050 .map_io = v3020_gpio_map,
38051 .unmap_io = v3020_gpio_unmap,
38052 .read_bit = v3020_gpio_read_bit,
38053 diff -urNp linux-2.6.39.3/drivers/s390/char/con3270.c linux-2.6.39.3/drivers/s390/char/con3270.c
38054 --- linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-19 00:06:34.000000000 -0400
38055 +++ linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-22 19:36:32.000000000 -0400
38056 @@ -28,7 +28,7 @@
38057 #define CON3270_OUTPUT_BUFFER_SIZE 1024
38058 #define CON3270_STRING_PAGES 4
38059
38060 -static struct raw3270_fn con3270_fn;
38061 +static const struct raw3270_fn con3270_fn;
38062
38063 /*
38064 * Main 3270 console view data structure.
38065 @@ -413,7 +413,7 @@ con3270_irq(struct con3270 *cp, struct r
38066 }
38067
38068 /* Console view to a 3270 device. */
38069 -static struct raw3270_fn con3270_fn = {
38070 +static const struct raw3270_fn con3270_fn = {
38071 .activate = con3270_activate,
38072 .deactivate = con3270_deactivate,
38073 .intv = (void *) con3270_irq
38074 diff -urNp linux-2.6.39.3/drivers/s390/char/fs3270.c linux-2.6.39.3/drivers/s390/char/fs3270.c
38075 --- linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-19 00:06:34.000000000 -0400
38076 +++ linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-22 19:36:32.000000000 -0400
38077 @@ -24,7 +24,7 @@
38078 #include "raw3270.h"
38079 #include "ctrlchar.h"
38080
38081 -static struct raw3270_fn fs3270_fn;
38082 +static const struct raw3270_fn fs3270_fn;
38083
38084 struct fs3270 {
38085 struct raw3270_view view;
38086 @@ -413,7 +413,7 @@ fs3270_release(struct raw3270_view *view
38087 }
38088
38089 /* View to a 3270 device. Can be console, tty or fullscreen. */
38090 -static struct raw3270_fn fs3270_fn = {
38091 +static const struct raw3270_fn fs3270_fn = {
38092 .activate = fs3270_activate,
38093 .deactivate = fs3270_deactivate,
38094 .intv = (void *) fs3270_irq,
38095 diff -urNp linux-2.6.39.3/drivers/s390/char/raw3270.c linux-2.6.39.3/drivers/s390/char/raw3270.c
38096 --- linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-19 00:06:34.000000000 -0400
38097 +++ linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-22 19:36:32.000000000 -0400
38098 @@ -488,7 +488,7 @@ raw3270_init_irq(struct raw3270_view *vi
38099 return RAW3270_IO_DONE;
38100 }
38101
38102 -static struct raw3270_fn raw3270_init_fn = {
38103 +static const struct raw3270_fn raw3270_init_fn = {
38104 .intv = raw3270_init_irq
38105 };
38106
38107 diff -urNp linux-2.6.39.3/drivers/s390/char/tty3270.c linux-2.6.39.3/drivers/s390/char/tty3270.c
38108 --- linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-19 00:06:34.000000000 -0400
38109 +++ linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-22 19:36:32.000000000 -0400
38110 @@ -37,7 +37,7 @@
38111 struct tty_driver *tty3270_driver;
38112 static int tty3270_max_index;
38113
38114 -static struct raw3270_fn tty3270_fn;
38115 +static const struct raw3270_fn tty3270_fn;
38116
38117 struct tty3270_cell {
38118 unsigned char character;
38119 @@ -834,7 +834,7 @@ tty3270_del_views(void)
38120 }
38121 }
38122
38123 -static struct raw3270_fn tty3270_fn = {
38124 +static const struct raw3270_fn tty3270_fn = {
38125 .activate = tty3270_activate,
38126 .deactivate = tty3270_deactivate,
38127 .intv = (void *) tty3270_irq,
38128 diff -urNp linux-2.6.39.3/drivers/s390/cio/qdio_debug.c linux-2.6.39.3/drivers/s390/cio/qdio_debug.c
38129 --- linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-19 00:06:34.000000000 -0400
38130 +++ linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-22 19:36:32.000000000 -0400
38131 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
38132 filp->f_path.dentry->d_inode->i_private);
38133 }
38134
38135 -static struct file_operations debugfs_perf_fops = {
38136 +static const struct file_operations debugfs_perf_fops = {
38137 .owner = THIS_MODULE,
38138 .open = qperf_seq_open,
38139 .read = seq_read,
38140 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c
38141 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-19 00:06:34.000000000 -0400
38142 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-22 19:36:32.000000000 -0400
38143 @@ -415,7 +415,7 @@ out_free:
38144 /**
38145 * The crypto operations for a CEX2A card.
38146 */
38147 -static struct zcrypt_ops zcrypt_cex2a_ops = {
38148 +static const struct zcrypt_ops zcrypt_cex2a_ops = {
38149 .rsa_modexpo = zcrypt_cex2a_modexpo,
38150 .rsa_modexpo_crt = zcrypt_cex2a_modexpo_crt,
38151 };
38152 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c
38153 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-19 00:06:34.000000000 -0400
38154 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-22 19:36:32.000000000 -0400
38155 @@ -347,7 +347,7 @@ out_free:
38156 /**
38157 * The crypto operations for a PCICA card.
38158 */
38159 -static struct zcrypt_ops zcrypt_pcica_ops = {
38160 +static const struct zcrypt_ops zcrypt_pcica_ops = {
38161 .rsa_modexpo = zcrypt_pcica_modexpo,
38162 .rsa_modexpo_crt = zcrypt_pcica_modexpo_crt,
38163 };
38164 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c
38165 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-19 00:06:34.000000000 -0400
38166 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-22 19:36:32.000000000 -0400
38167 @@ -553,7 +553,7 @@ out_free:
38168 /**
38169 * The crypto operations for a PCICC card.
38170 */
38171 -static struct zcrypt_ops zcrypt_pcicc_ops = {
38172 +static const struct zcrypt_ops zcrypt_pcicc_ops = {
38173 .rsa_modexpo = zcrypt_pcicc_modexpo,
38174 .rsa_modexpo_crt = zcrypt_pcicc_modexpo_crt,
38175 };
38176 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c
38177 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-19 00:06:34.000000000 -0400
38178 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-22 19:36:32.000000000 -0400
38179 @@ -851,13 +851,13 @@ static long zcrypt_pcixcc_rng(struct zcr
38180 /**
38181 * The crypto operations for a PCIXCC/CEX2C card.
38182 */
38183 -static struct zcrypt_ops zcrypt_pcixcc_ops = {
38184 +static const struct zcrypt_ops zcrypt_pcixcc_ops = {
38185 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38186 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38187 .send_cprb = zcrypt_pcixcc_send_cprb,
38188 };
38189
38190 -static struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38191 +static const struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38192 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38193 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38194 .send_cprb = zcrypt_pcixcc_send_cprb,
38195 diff -urNp linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c
38196 --- linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-19 00:06:34.000000000 -0400
38197 +++ linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-22 19:36:32.000000000 -0400
38198 @@ -266,7 +266,7 @@ error:
38199 /*
38200 * The config ops structure as defined by virtio config
38201 */
38202 -static struct virtio_config_ops kvm_vq_configspace_ops = {
38203 +static const struct virtio_config_ops kvm_vq_configspace_ops = {
38204 .get_features = kvm_get_features,
38205 .finalize_features = kvm_finalize_features,
38206 .get = kvm_get,
38207 diff -urNp linux-2.6.39.3/drivers/s390/net/qeth_core.h linux-2.6.39.3/drivers/s390/net/qeth_core.h
38208 --- linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-19 00:06:34.000000000 -0400
38209 +++ linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-22 19:36:32.000000000 -0400
38210 @@ -743,7 +743,7 @@ struct qeth_card {
38211 struct qeth_qdio_info qdio;
38212 struct qeth_perf_stats perf_stats;
38213 int read_or_write_problem;
38214 - struct qeth_osn_info osn_info;
38215 + const struct qeth_osn_info osn_info;
38216 struct qeth_discipline discipline;
38217 atomic_t force_alloc_skb;
38218 struct service_level qeth_service_level;
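Review bot: `osn_info` is an embedded member of `struct qeth_card`, not a pointer, so making it `const` differs from the ops-table constifications elsewhere in this patch. A const-qualified embedded member cannot be assigned after the enclosing object is created, so any code that stores into `card->osn_info.<field>` at registration time would stop compiling, or would need a cast that defeats the qualifier. The users of `osn_info` are not visible in this hunk, so confirm that none of them write to it. If the callbacks are set at run time, keep the member non-const and protect it another way.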
38219 diff -urNp linux-2.6.39.3/drivers/scsi/53c700.c linux-2.6.39.3/drivers/scsi/53c700.c
38220 --- linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-19 00:06:34.000000000 -0400
38221 +++ linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-22 19:36:32.000000000 -0400
38222 @@ -2153,7 +2153,7 @@ EXPORT_SYMBOL(NCR_700_detect);
38223 EXPORT_SYMBOL(NCR_700_release);
38224 EXPORT_SYMBOL(NCR_700_intr);
38225
38226 -static struct spi_function_template NCR_700_transport_functions = {
38227 +static struct spi_function_template NCR_700_transport_functions = {
38228 .set_period = NCR_700_set_period,
38229 .show_period = 1,
38230 .set_offset = NCR_700_set_offset,
38231 diff -urNp linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c
38232 --- linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-19 00:06:34.000000000 -0400
38233 +++ linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-22 19:36:32.000000000 -0400
38234 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
38235 u32 actual_fibsize64, actual_fibsize = 0;
38236 int i;
38237
38238 + pax_track_stack();
38239
38240 if (dev->in_reset) {
38241 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
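Review bot: The added `pax_track_stack();` has no comment, so nothing in aac_send_raw_srb says why this function was singled out or when the call could be removed. The same bare call is added in the bfad.c, bfa_fcs_lport.c, bfa_fcs_rport.c, BusLogic.c, dpt_i2o.c, eata.c, fcoe_ctlr.c, gdth.c, gdth_proc.c and lpfc_debugfs.c hunks. It appears to mark functions with large on-stack locals (the lpfc_debugfs.c hunk shows `char buffer[1024]` directly above it), though that is an inference from context. If so, a one-line comment such as `/* large stack frame: report stack depth to PaX */` would record the reason at each site. The function body starts and ends outside this hunk.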
38242 diff -urNp linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c
38243 --- linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-19 00:06:34.000000000 -0400
38244 +++ linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-22 19:41:37.000000000 -0400
38245 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
38246 flash_error_table[i].reason);
38247 }
38248
38249 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38250 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38251 asd_show_update_bios, asd_store_update_bios);
38252
38253 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
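Review bot: The mode in `DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR, ...)` is the only write restriction visible for this attribute, and nothing beside the macro says why it must not be group- or world-writable. A comment above it, for example `/* store side starts a flash update: writable by owner only */`, would keep a later cleanup from widening the mode again. The flash update is inferred from the attribute name and the `flash_error_table` context line. asd_store_update_bios is outside the hunk, so whether it also performs a capability check or validates what it parses cannot be confirmed from here.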
38254 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c
38255 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-19 00:06:34.000000000 -0400
38256 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-22 19:36:32.000000000 -0400
38257 @@ -24,7 +24,7 @@ BFA_TRC_FILE(HAL, CORE);
38258 /*
38259 * BFA module list terminated by NULL
38260 */
38261 -static struct bfa_module_s *hal_mods[] = {
38262 +static const struct bfa_module_s *hal_mods[] = {
38263 &hal_mod_sgpg,
38264 &hal_mod_fcport,
38265 &hal_mod_fcxp,
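Review bot: `static const struct bfa_module_s *hal_mods[]` makes the modules pointed to const but leaves the array of pointers writable, so an entry of `hal_mods` can still be redirected at run time. If the table is never modified after initialisation, `static const struct bfa_module_s * const hal_mods[] = {` would make the array itself const as well. The initializer continues past the end of the hunk, so the remaining entries are not visible here.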
38266 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfad.c linux-2.6.39.3/drivers/scsi/bfa/bfad.c
38267 --- linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-19 00:06:34.000000000 -0400
38268 +++ linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-22 19:36:32.000000000 -0400
38269 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
38270 struct bfad_vport_s *vport, *vport_new;
38271 struct bfa_fcs_driver_info_s driver_info;
38272
38273 + pax_track_stack();
38274 +
38275 /* Fill the driver_info info to fcs*/
38276 memset(&driver_info, 0, sizeof(driver_info));
38277 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
38278 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c
38279 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-19 00:06:34.000000000 -0400
38280 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-22 19:36:32.000000000 -0400
38281 @@ -70,7 +70,7 @@ bfa_fcs_attach(struct bfa_fcs_s *fcs, st
38282 bfa_boolean_t min_cfg)
38283 {
38284 int i;
38285 - struct bfa_fcs_mod_s *mod;
38286 + const struct bfa_fcs_mod_s *mod;
38287
38288 fcs->bfa = bfa;
38289 fcs->bfad = bfad;
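Review bot: The `const struct bfa_fcs_mod_s *mod;` local here, and the same change in the bfa_fcs_init and bfa_fcs_exit hunks, only stops these functions from writing through `mod`. The `fcs_modules` table they walk (see the `sizeof(fcs_modules)` context line in the next hunk) is not touched by any hunk in this file section. If that table holds only function pointers fixed at build time, it should be const-qualified at its definition too, matching what bfa_modules.h does for `hal_mod_*`. Its definition is outside the hunks, so its current qualifiers are assumed rather than seen.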
38290 @@ -93,7 +93,7 @@ void
38291 bfa_fcs_init(struct bfa_fcs_s *fcs)
38292 {
38293 int i, npbc_vports;
38294 - struct bfa_fcs_mod_s *mod;
38295 + const struct bfa_fcs_mod_s *mod;
38296 struct bfi_pbc_vport_s pbc_vports[BFI_PBC_MAX_VPORTS];
38297
38298 for (i = 0; i < sizeof(fcs_modules) / sizeof(fcs_modules[0]); i++) {
38299 @@ -140,7 +140,7 @@ bfa_fcs_driver_info_init(struct bfa_fcs_
38300 void
38301 bfa_fcs_exit(struct bfa_fcs_s *fcs)
38302 {
38303 - struct bfa_fcs_mod_s *mod;
38304 + const struct bfa_fcs_mod_s *mod;
38305 int nmods, i;
38306
38307 bfa_wc_init(&fcs->wc, bfa_fcs_exit_comp, fcs);
38308 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c
38309 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-19 00:06:34.000000000 -0400
38310 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-22 19:36:32.000000000 -0400
38311 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
38312 u16 len, count;
38313 u16 templen;
38314
38315 + pax_track_stack();
38316 +
38317 /*
38318 * get hba attributes
38319 */
38320 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
38321 u8 count = 0;
38322 u16 templen;
38323
38324 + pax_track_stack();
38325 +
38326 /*
38327 * get port attributes
38328 */
38329 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c
38330 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-19 00:06:34.000000000 -0400
38331 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-22 19:36:32.000000000 -0400
38332 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
38333 struct fc_rpsc_speed_info_s speeds;
38334 struct bfa_port_attr_s pport_attr;
38335
38336 + pax_track_stack();
38337 +
38338 bfa_trc(port->fcs, rx_fchs->s_id);
38339 bfa_trc(port->fcs, rx_fchs->d_id);
38340
38341 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h
38342 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-19 00:06:34.000000000 -0400
38343 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-22 19:36:32.000000000 -0400
38344 @@ -68,8 +68,8 @@ enum {
38345 static void bfa_ ## __mod ## _stop(struct bfa_s *bfa); \
38346 static void bfa_ ## __mod ## _iocdisable(struct bfa_s *bfa); \
38347 \
38348 - extern struct bfa_module_s hal_mod_ ## __mod; \
38349 - struct bfa_module_s hal_mod_ ## __mod = { \
38350 + extern const struct bfa_module_s hal_mod_ ## __mod; \
38351 + const struct bfa_module_s hal_mod_ ## __mod = { \
38352 bfa_ ## __mod ## _meminfo, \
38353 bfa_ ## __mod ## _attach, \
38354 bfa_ ## __mod ## _detach, \
38355 @@ -116,12 +116,12 @@ struct bfa_s {
38356 };
38357
38358 extern bfa_boolean_t bfa_auto_recover;
38359 -extern struct bfa_module_s hal_mod_sgpg;
38360 -extern struct bfa_module_s hal_mod_fcport;
38361 -extern struct bfa_module_s hal_mod_fcxp;
38362 -extern struct bfa_module_s hal_mod_lps;
38363 -extern struct bfa_module_s hal_mod_uf;
38364 -extern struct bfa_module_s hal_mod_rport;
38365 -extern struct bfa_module_s hal_mod_fcpim;
38366 +extern const struct bfa_module_s hal_mod_sgpg;
38367 +extern const struct bfa_module_s hal_mod_fcport;
38368 +extern const struct bfa_module_s hal_mod_fcxp;
38369 +extern const struct bfa_module_s hal_mod_lps;
38370 +extern const struct bfa_module_s hal_mod_uf;
38371 +extern const struct bfa_module_s hal_mod_rport;
38372 +extern const struct bfa_module_s hal_mod_fcpim;
38373
38374 #endif /* __BFA_MODULES_H__ */
38375 diff -urNp linux-2.6.39.3/drivers/scsi/BusLogic.c linux-2.6.39.3/drivers/scsi/BusLogic.c
38376 --- linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-19 00:06:34.000000000 -0400
38377 +++ linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-22 19:36:32.000000000 -0400
38378 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
38379 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38380 *PrototypeHostAdapter)
38381 {
38382 + pax_track_stack();
38383 +
38384 /*
38385 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38386 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38387 diff -urNp linux-2.6.39.3/drivers/scsi/dpt_i2o.c linux-2.6.39.3/drivers/scsi/dpt_i2o.c
38388 --- linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-19 00:06:34.000000000 -0400
38389 +++ linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-22 19:36:32.000000000 -0400
38390 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38391 dma_addr_t addr;
38392 ulong flags = 0;
38393
38394 + pax_track_stack();
38395 +
38396 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38397 // get user msg size in u32s
38398 if(get_user(size, &user_msg[0])){
38399 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38400 s32 rcode;
38401 dma_addr_t addr;
38402
38403 + pax_track_stack();
38404 +
38405 memset(msg, 0 , sizeof(msg));
38406 len = scsi_bufflen(cmd);
38407 direction = 0x00000000;
38408 diff -urNp linux-2.6.39.3/drivers/scsi/eata.c linux-2.6.39.3/drivers/scsi/eata.c
38409 --- linux-2.6.39.3/drivers/scsi/eata.c 2011-05-19 00:06:34.000000000 -0400
38410 +++ linux-2.6.39.3/drivers/scsi/eata.c 2011-05-22 19:36:32.000000000 -0400
38411 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38412 struct hostdata *ha;
38413 char name[16];
38414
38415 + pax_track_stack();
38416 +
38417 sprintf(name, "%s%d", driver_name, j);
38418
38419 if (!request_region(port_base, REGION_SIZE, driver_name)) {
38420 diff -urNp linux-2.6.39.3/drivers/scsi/esp_scsi.c linux-2.6.39.3/drivers/scsi/esp_scsi.c
38421 --- linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-19 00:06:34.000000000 -0400
38422 +++ linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-22 19:36:32.000000000 -0400
38423 @@ -2680,7 +2680,7 @@ static void esp_set_width(struct scsi_ta
38424 tp->flags |= ESP_TGT_CHECK_NEGO;
38425 }
38426
38427 -static struct spi_function_template esp_transport_ops = {
38428 +static const struct spi_function_template esp_transport_ops = {
38429 .set_offset = esp_set_offset,
38430 .show_offset = 1,
38431 .set_period = esp_set_period,
38432 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c
38433 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-19 00:06:34.000000000 -0400
38434 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-22 19:36:32.000000000 -0400
38435 @@ -138,7 +138,7 @@ static int fcoe_vport_disable(struct fc_
38436 static void fcoe_set_vport_symbolic_name(struct fc_vport *);
38437 static void fcoe_set_port_id(struct fc_lport *, u32, struct fc_frame *);
38438
38439 -static struct libfc_function_template fcoe_libfc_fcn_templ = {
38440 +static const struct libfc_function_template fcoe_libfc_fcn_templ = {
38441 .frame_send = fcoe_xmit,
38442 .ddp_setup = fcoe_ddp_setup,
38443 .ddp_done = fcoe_ddp_done,
38444 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c
38445 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-19 00:06:34.000000000 -0400
38446 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-22 19:36:32.000000000 -0400
38447 @@ -1912,7 +1912,7 @@ static void fcoe_ctlr_vn_rport_callback(
38448 mutex_unlock(&fip->ctlr_mutex);
38449 }
38450
38451 -static struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38452 +static const struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38453 .event_callback = fcoe_ctlr_vn_rport_callback,
38454 };
38455
38456 @@ -2458,6 +2458,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
38457 } buf;
38458 int rc;
38459
38460 + pax_track_stack();
38461 +
38462 fiph = (struct fip_header *)skb->data;
38463 sub = fiph->fip_subcode;
38464
38465 diff -urNp linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c
38466 --- linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-19 00:06:34.000000000 -0400
38467 +++ linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-22 19:36:32.000000000 -0400
38468 @@ -69,7 +69,7 @@ module_param(fnic_log_level, int, S_IRUG
38469 MODULE_PARM_DESC(fnic_log_level, "bit mask of fnic logging levels");
38470
38471
38472 -static struct libfc_function_template fnic_transport_template = {
38473 +static const struct libfc_function_template fnic_transport_template = {
38474 .frame_send = fnic_send,
38475 .lport_set_port_id = fnic_set_port_id,
38476 .fcp_abort_io = fnic_empty_scsi_cleanup,
38477 diff -urNp linux-2.6.39.3/drivers/scsi/gdth.c linux-2.6.39.3/drivers/scsi/gdth.c
38478 --- linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-19 00:06:34.000000000 -0400
38479 +++ linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-22 19:36:32.000000000 -0400
38480 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
38481 unsigned long flags;
38482 gdth_ha_str *ha;
38483
38484 + pax_track_stack();
38485 +
38486 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38487 return -EFAULT;
38488 ha = gdth_find_ha(ldrv.ionode);
38489 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
38490 gdth_ha_str *ha;
38491 int rval;
38492
38493 + pax_track_stack();
38494 +
38495 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38496 res.number >= MAX_HDRIVES)
38497 return -EFAULT;
38498 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
38499 gdth_ha_str *ha;
38500 int rval;
38501
38502 + pax_track_stack();
38503 +
38504 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38505 return -EFAULT;
38506 ha = gdth_find_ha(gen.ionode);
38507 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
38508 int i;
38509 gdth_cmd_str gdtcmd;
38510 char cmnd[MAX_COMMAND_SIZE];
38511 +
38512 + pax_track_stack();
38513 +
38514 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38515
38516 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38517 diff -urNp linux-2.6.39.3/drivers/scsi/gdth_proc.c linux-2.6.39.3/drivers/scsi/gdth_proc.c
38518 --- linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-19 00:06:34.000000000 -0400
38519 +++ linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-22 19:36:32.000000000 -0400
38520 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
38521 u64 paddr;
38522
38523 char cmnd[MAX_COMMAND_SIZE];
38524 +
38525 + pax_track_stack();
38526 +
38527 memset(cmnd, 0xff, 12);
38528 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38529
38530 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
38531 gdth_hget_str *phg;
38532 char cmnd[MAX_COMMAND_SIZE];
38533
38534 + pax_track_stack();
38535 +
38536 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38537 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38538 if (!gdtcmd || !estr)
38539 diff -urNp linux-2.6.39.3/drivers/scsi/hosts.c linux-2.6.39.3/drivers/scsi/hosts.c
38540 --- linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-19 00:06:34.000000000 -0400
38541 +++ linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-22 19:36:32.000000000 -0400
38542 @@ -42,7 +42,7 @@
38543 #include "scsi_logging.h"
38544
38545
38546 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38547 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38548
38549
38550 static void scsi_host_cls_release(struct device *dev)
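Review bot: Switching `scsi_host_next_hn` to `atomic_unchecked_t` opts the counter out of overflow checking, but the only comment on it is still `/* host_no for next new host */`, so the reason the exemption is acceptable is not recorded. A comment on the declaration such as `/* number allocator, not a reference count: exempt from overflow checking */` would cover it, and the `atomic_inc_return_unchecked()` hunk in scsi_host_alloc then needs nothing more. The same gap applies to the `stats` counters in the libfc/fc_exch.c hunk and to `num_rsrc_err`, `num_cmd_success` and the `*_trc_cnt` fields in lpfc.h. Whether a wrapped host number could collide with a live host cannot be answered from these hunks.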
38551 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38552 * subtract one because we increment first then return, but we need to
38553 * know what the next host number was before increment
38554 */
38555 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38556 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38557 shost->dma_channel = 0xff;
38558
38559 /* These three are default values which can be overridden */
38560 diff -urNp linux-2.6.39.3/drivers/scsi/hpsa.h linux-2.6.39.3/drivers/scsi/hpsa.h
38561 --- linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-19 00:06:34.000000000 -0400
38562 +++ linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-22 19:36:32.000000000 -0400
38563 @@ -347,7 +347,7 @@ static struct access_method SA5_access =
38564 SA5_completed,
38565 };
38566
38567 -static struct access_method SA5_performant_access = {
38568 +static const struct access_method SA5_performant_access = {
38569 SA5_submit_command,
38570 SA5_performant_intr_mask,
38571 SA5_fifo_full,
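Review bot: Only `SA5_performant_access` becomes const here. The hunk header shows the table directly above it as `static struct access_method SA5_access =`, and this file section has no other hunk, so that sibling table of the same type appears to stay writable. If both are fixed dispatch tables they should be treated alike, `static const struct access_method SA5_access = {`, provided every pointer that refers to them is const-qualified as well. The initializer of `SA5_performant_access` continues past the hunk.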
38572 diff -urNp linux-2.6.39.3/drivers/scsi/hptiop.c linux-2.6.39.3/drivers/scsi/hptiop.c
38573 --- linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-19 00:06:34.000000000 -0400
38574 +++ linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-22 19:36:32.000000000 -0400
38575 @@ -1226,7 +1226,7 @@ static void hptiop_remove(struct pci_dev
38576 scsi_host_put(host);
38577 }
38578
38579 -static struct hptiop_adapter_ops hptiop_itl_ops = {
38580 +static const struct hptiop_adapter_ops hptiop_itl_ops = {
38581 .iop_wait_ready = iop_wait_ready_itl,
38582 .internal_memalloc = NULL,
38583 .internal_memfree = NULL,
38584 @@ -1241,7 +1241,7 @@ static struct hptiop_adapter_ops hptiop_
38585 .post_req = hptiop_post_req_itl,
38586 };
38587
38588 -static struct hptiop_adapter_ops hptiop_mv_ops = {
38589 +static const struct hptiop_adapter_ops hptiop_mv_ops = {
38590 .iop_wait_ready = iop_wait_ready_mv,
38591 .internal_memalloc = hptiop_internal_memalloc_mv,
38592 .internal_memfree = hptiop_internal_memfree_mv,
38593 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c
38594 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-19 00:06:34.000000000 -0400
38595 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-22 19:36:32.000000000 -0400
38596 @@ -4881,7 +4881,7 @@ static struct vio_device_id ibmvfc_devic
38597 };
38598 MODULE_DEVICE_TABLE(vio, ibmvfc_device_table);
38599
38600 -static struct dev_pm_ops ibmvfc_pm_ops = {
38601 +static const struct dev_pm_ops ibmvfc_pm_ops = {
38602 .resume = ibmvfc_resume
38603 };
38604
38605 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c
38606 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-19 00:06:34.000000000 -0400
38607 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-22 19:36:32.000000000 -0400
38608 @@ -104,7 +104,7 @@ static struct scsi_transport_template *i
38609
38610 #define IBMVSCSI_VERSION "1.5.9"
38611
38612 -static struct ibmvscsi_ops *ibmvscsi_ops;
38613 +static const struct ibmvscsi_ops *ibmvscsi_ops;
38614
38615 MODULE_DESCRIPTION("IBM Virtual SCSI");
38616 MODULE_AUTHOR("Dave Boutcher");
38617 @@ -2059,7 +2059,7 @@ static struct vio_device_id ibmvscsi_dev
38618 };
38619 MODULE_DEVICE_TABLE(vio, ibmvscsi_device_table);
38620
38621 -static struct dev_pm_ops ibmvscsi_pm_ops = {
38622 +static const struct dev_pm_ops ibmvscsi_pm_ops = {
38623 .resume = ibmvscsi_resume
38624 };
38625
38626 @@ -2075,7 +2075,7 @@ static struct vio_driver ibmvscsi_driver
38627 }
38628 };
38629
38630 -static struct srp_function_template ibmvscsi_transport_functions = {
38631 +static const struct srp_function_template ibmvscsi_transport_functions = {
38632 };
38633
38634 int __init ibmvscsi_module_init(void)
38635 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h
38636 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-19 00:06:34.000000000 -0400
38637 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-22 19:36:32.000000000 -0400
38638 @@ -127,7 +127,7 @@ struct ibmvscsi_ops {
38639 int (*resume) (struct ibmvscsi_host_data *hostdata);
38640 };
38641
38642 -extern struct ibmvscsi_ops iseriesvscsi_ops;
38643 -extern struct ibmvscsi_ops rpavscsi_ops;
38644 +extern const struct ibmvscsi_ops iseriesvscsi_ops;
38645 +extern const struct ibmvscsi_ops rpavscsi_ops;
38646
38647 #endif /* IBMVSCSI_H */
38648 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c
38649 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-19 00:06:34.000000000 -0400
38650 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-22 19:36:32.000000000 -0400
38651 @@ -951,7 +951,7 @@ static int get_system_info(void)
38652 return 0;
38653 }
38654
38655 -static struct srp_function_template ibmvstgt_transport_functions = {
38656 +static const struct srp_function_template ibmvstgt_transport_functions = {
38657 .tsk_mgmt_response = ibmvstgt_tsk_mgmt_response,
38658 .it_nexus_response = ibmvstgt_it_nexus_response,
38659 };
38660 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c
38661 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38662 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38663 @@ -163,7 +163,7 @@ static int iseriesvscsi_resume(struct ib
38664 return 0;
38665 }
38666
38667 -struct ibmvscsi_ops iseriesvscsi_ops = {
38668 +const struct ibmvscsi_ops iseriesvscsi_ops = {
38669 .init_crq_queue = iseriesvscsi_init_crq_queue,
38670 .release_crq_queue = iseriesvscsi_release_crq_queue,
38671 .reset_crq_queue = iseriesvscsi_reset_crq_queue,
38672 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c
38673 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38674 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38675 @@ -358,7 +358,7 @@ static int rpavscsi_resume(struct ibmvsc
38676 return 0;
38677 }
38678
38679 -struct ibmvscsi_ops rpavscsi_ops = {
38680 +const struct ibmvscsi_ops rpavscsi_ops = {
38681 .init_crq_queue = rpavscsi_init_crq_queue,
38682 .release_crq_queue = rpavscsi_release_crq_queue,
38683 .reset_crq_queue = rpavscsi_reset_crq_queue,
38684 diff -urNp linux-2.6.39.3/drivers/scsi/ipr.c linux-2.6.39.3/drivers/scsi/ipr.c
38685 --- linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-19 00:06:34.000000000 -0400
38686 +++ linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-22 19:36:32.000000000 -0400
38687 @@ -6210,7 +6210,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38688 return true;
38689 }
38690
38691 -static struct ata_port_operations ipr_sata_ops = {
38692 +static const struct ata_port_operations ipr_sata_ops = {
38693 .phy_reset = ipr_ata_phy_reset,
38694 .hardreset = ipr_sata_reset,
38695 .post_internal_cmd = ipr_ata_post_internal,
38696 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c
38697 --- linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-19 00:06:34.000000000 -0400
38698 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-22 19:36:32.000000000 -0400
38699 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
38700 * all together if not used XXX
38701 */
38702 struct {
38703 - atomic_t no_free_exch;
38704 - atomic_t no_free_exch_xid;
38705 - atomic_t xid_not_found;
38706 - atomic_t xid_busy;
38707 - atomic_t seq_not_found;
38708 - atomic_t non_bls_resp;
38709 + atomic_unchecked_t no_free_exch;
38710 + atomic_unchecked_t no_free_exch_xid;
38711 + atomic_unchecked_t xid_not_found;
38712 + atomic_unchecked_t xid_busy;
38713 + atomic_unchecked_t seq_not_found;
38714 + atomic_unchecked_t non_bls_resp;
38715 } stats;
38716 };
38717
38718 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
38719 /* allocate memory for exchange */
38720 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38721 if (!ep) {
38722 - atomic_inc(&mp->stats.no_free_exch);
38723 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38724 goto out;
38725 }
38726 memset(ep, 0, sizeof(*ep));
38727 @@ -761,7 +761,7 @@ out:
38728 return ep;
38729 err:
38730 spin_unlock_bh(&pool->lock);
38731 - atomic_inc(&mp->stats.no_free_exch_xid);
38732 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38733 mempool_free(ep, mp->ep_pool);
38734 return NULL;
38735 }
38736 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38737 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38738 ep = fc_exch_find(mp, xid);
38739 if (!ep) {
38740 - atomic_inc(&mp->stats.xid_not_found);
38741 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38742 reject = FC_RJT_OX_ID;
38743 goto out;
38744 }
38745 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38746 ep = fc_exch_find(mp, xid);
38747 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38748 if (ep) {
38749 - atomic_inc(&mp->stats.xid_busy);
38750 + atomic_inc_unchecked(&mp->stats.xid_busy);
38751 reject = FC_RJT_RX_ID;
38752 goto rel;
38753 }
38754 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38755 }
38756 xid = ep->xid; /* get our XID */
38757 } else if (!ep) {
38758 - atomic_inc(&mp->stats.xid_not_found);
38759 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38760 reject = FC_RJT_RX_ID; /* XID not found */
38761 goto out;
38762 }
38763 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38764 } else {
38765 sp = &ep->seq;
38766 if (sp->id != fh->fh_seq_id) {
38767 - atomic_inc(&mp->stats.seq_not_found);
38768 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38769 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38770 goto rel;
38771 }
38772 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
38773
38774 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38775 if (!ep) {
38776 - atomic_inc(&mp->stats.xid_not_found);
38777 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38778 goto out;
38779 }
38780 if (ep->esb_stat & ESB_ST_COMPLETE) {
38781 - atomic_inc(&mp->stats.xid_not_found);
38782 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38783 goto rel;
38784 }
38785 if (ep->rxid == FC_XID_UNKNOWN)
38786 ep->rxid = ntohs(fh->fh_rx_id);
38787 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38788 - atomic_inc(&mp->stats.xid_not_found);
38789 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38790 goto rel;
38791 }
38792 if (ep->did != ntoh24(fh->fh_s_id) &&
38793 ep->did != FC_FID_FLOGI) {
38794 - atomic_inc(&mp->stats.xid_not_found);
38795 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38796 goto rel;
38797 }
38798 sof = fr_sof(fp);
38799 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
38800 sp->ssb_stat |= SSB_ST_RESP;
38801 sp->id = fh->fh_seq_id;
38802 } else if (sp->id != fh->fh_seq_id) {
38803 - atomic_inc(&mp->stats.seq_not_found);
38804 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38805 goto rel;
38806 }
38807
38808 @@ -1479,9 +1479,9 @@ static void fc_exch_recv_resp(struct fc_
38809 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38810
38811 if (!sp)
38812 - atomic_inc(&mp->stats.xid_not_found);
38813 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38814 else
38815 - atomic_inc(&mp->stats.non_bls_resp);
38816 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38817
38818 fc_frame_free(fp);
38819 }
38820 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c
38821 --- linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-19 00:06:34.000000000 -0400
38822 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-22 19:36:32.000000000 -0400
38823 @@ -1299,7 +1299,7 @@ static void fc_lport_enter_ns(struct fc_
38824 fc_lport_error(lport, fp);
38825 }
38826
38827 -static struct fc_rport_operations fc_lport_rport_ops = {
38828 +static const struct fc_rport_operations fc_lport_rport_ops = {
38829 .event_callback = fc_lport_rport_callback,
38830 };
38831
38832 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c
38833 --- linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-19 00:06:34.000000000 -0400
38834 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-22 19:36:32.000000000 -0400
38835 @@ -256,7 +256,7 @@ static void fc_rport_work(struct work_st
38836 struct fc_rport_libfc_priv *rpriv;
38837 enum fc_rport_event event;
38838 struct fc_lport *lport = rdata->local_port;
38839 - struct fc_rport_operations *rport_ops;
38840 + const struct fc_rport_operations *rport_ops;
38841 struct fc_rport_identifiers ids;
38842 struct fc_rport *rport;
38843 struct fc4_prov *prov;
38844 diff -urNp linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c
38845 --- linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-19 00:06:34.000000000 -0400
38846 +++ linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-22 19:36:32.000000000 -0400
38847 @@ -307,14 +307,14 @@ static void sas_ata_post_internal(struct
38848 }
38849 }
38850
38851 -static struct ata_port_operations sas_sata_ops = {
38852 +static const struct ata_port_operations sas_sata_ops = {
38853 .prereset = ata_std_prereset,
38854 .softreset = NULL,
38855 .hardreset = sas_ata_hard_reset,
38856 .postreset = ata_std_postreset,
38857 .error_handler = ata_std_error_handler,
38858 .post_internal_cmd = sas_ata_post_internal,
38859 - .qc_defer = ata_std_qc_defer,
38860 + .qc_defer = ata_std_qc_defer,
38861 .qc_prep = ata_noop_qc_prep,
38862 .qc_issue = sas_ata_qc_issue,
38863 .qc_fill_rtf = sas_ata_qc_fill_rtf,
38864 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c
38865 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-19 00:06:34.000000000 -0400
38866 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-22 19:36:32.000000000 -0400
38867 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
38868
38869 #include <linux/debugfs.h>
38870
38871 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38872 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38873 static unsigned long lpfc_debugfs_start_time = 0L;
38874
38875 /* iDiag */
38876 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38877 lpfc_debugfs_enable = 0;
38878
38879 len = 0;
38880 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38881 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38882 (lpfc_debugfs_max_disc_trc - 1);
38883 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38884 dtp = vport->disc_trc + i;
38885 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38886 lpfc_debugfs_enable = 0;
38887
38888 len = 0;
38889 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38890 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38891 (lpfc_debugfs_max_slow_ring_trc - 1);
38892 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38893 dtp = phba->slow_ring_trc + i;
38894 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38895 uint32_t *ptr;
38896 char buffer[1024];
38897
38898 + pax_track_stack();
38899 +
38900 off = 0;
38901 spin_lock_irq(&phba->hbalock);
38902
38903 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38904 !vport || !vport->disc_trc)
38905 return;
38906
38907 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38908 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38909 (lpfc_debugfs_max_disc_trc - 1);
38910 dtp = vport->disc_trc + index;
38911 dtp->fmt = fmt;
38912 dtp->data1 = data1;
38913 dtp->data2 = data2;
38914 dtp->data3 = data3;
38915 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38916 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38917 dtp->jif = jiffies;
38918 #endif
38919 return;
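Review bot: Letting `disc_trc_cnt` wrap is harmless here only because `index` is masked with `(lpfc_debugfs_max_disc_trc - 1)` before it is added to `vport->disc_trc`, and nothing in the hunk says so. A short comment above the `index =` line, e.g. `/* counter may wrap: the mask keeps index inside the trace buffer */`, would tie the unchecked type to the bound. The same applies to the `slow_ring_trc_cnt` hunk that follows and to the two read-side hunks earlier in this file. This assumes the buffer holds `lpfc_debugfs_max_disc_trc` entries, which is set up outside these hunks; lpfc_debugfs_disc_trc itself starts before the hunk.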
38920 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38921 !phba || !phba->slow_ring_trc)
38922 return;
38923
38924 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38925 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38926 (lpfc_debugfs_max_slow_ring_trc - 1);
38927 dtp = phba->slow_ring_trc + index;
38928 dtp->fmt = fmt;
38929 dtp->data1 = data1;
38930 dtp->data2 = data2;
38931 dtp->data3 = data3;
38932 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38933 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38934 dtp->jif = jiffies;
38935 #endif
38936 return;
38937 @@ -2145,7 +2147,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38938 "slow_ring buffer\n");
38939 goto debug_failed;
38940 }
38941 - atomic_set(&phba->slow_ring_trc_cnt, 0);
38942 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38943 memset(phba->slow_ring_trc, 0,
38944 (sizeof(struct lpfc_debugfs_trc) *
38945 lpfc_debugfs_max_slow_ring_trc));
38946 @@ -2191,7 +2193,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38947 "buffer\n");
38948 goto debug_failed;
38949 }
38950 - atomic_set(&vport->disc_trc_cnt, 0);
38951 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38952
38953 snprintf(name, sizeof(name), "discovery_trace");
38954 vport->debug_disc_trc =
38955 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h
38956 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-19 00:06:34.000000000 -0400
38957 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-22 19:36:32.000000000 -0400
38958 @@ -419,7 +419,7 @@ struct lpfc_vport {
38959 struct dentry *debug_nodelist;
38960 struct dentry *vport_debugfs_root;
38961 struct lpfc_debugfs_trc *disc_trc;
38962 - atomic_t disc_trc_cnt;
38963 + atomic_unchecked_t disc_trc_cnt;
38964 #endif
38965 uint8_t stat_data_enabled;
38966 uint8_t stat_data_blocked;
38967 @@ -785,8 +785,8 @@ struct lpfc_hba {
38968 struct timer_list fabric_block_timer;
38969 unsigned long bit_flags;
38970 #define FABRIC_COMANDS_BLOCKED 0
38971 - atomic_t num_rsrc_err;
38972 - atomic_t num_cmd_success;
38973 + atomic_unchecked_t num_rsrc_err;
38974 + atomic_unchecked_t num_cmd_success;
38975 unsigned long last_rsrc_error_time;
38976 unsigned long last_ramp_down_time;
38977 unsigned long last_ramp_up_time;
38978 @@ -800,7 +800,7 @@ struct lpfc_hba {
38979 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
38980 struct dentry *debug_slow_ring_trc;
38981 struct lpfc_debugfs_trc *slow_ring_trc;
38982 - atomic_t slow_ring_trc_cnt;
38983 + atomic_unchecked_t slow_ring_trc_cnt;
38984 /* iDiag debugfs sub-directory */
38985 struct dentry *idiag_root;
38986 struct dentry *idiag_pci_cfg;
38987 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c
38988 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-19 00:06:34.000000000 -0400
38989 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-22 19:36:32.000000000 -0400
38990 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
38991 uint32_t evt_posted;
38992
38993 spin_lock_irqsave(&phba->hbalock, flags);
38994 - atomic_inc(&phba->num_rsrc_err);
38995 + atomic_inc_unchecked(&phba->num_rsrc_err);
38996 phba->last_rsrc_error_time = jiffies;
38997
38998 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
38999 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
39000 unsigned long flags;
39001 struct lpfc_hba *phba = vport->phba;
39002 uint32_t evt_posted;
39003 - atomic_inc(&phba->num_cmd_success);
39004 + atomic_inc_unchecked(&phba->num_cmd_success);
39005
39006 if (vport->cfg_lun_queue_depth <= queue_depth)
39007 return;
39008 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39009 unsigned long num_rsrc_err, num_cmd_success;
39010 int i;
39011
39012 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
39013 - num_cmd_success = atomic_read(&phba->num_cmd_success);
39014 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
39015 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
39016
39017 vports = lpfc_create_vport_work_array(phba);
39018 if (vports != NULL)
39019 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39020 }
39021 }
39022 lpfc_destroy_vport_work_array(phba, vports);
39023 - atomic_set(&phba->num_rsrc_err, 0);
39024 - atomic_set(&phba->num_cmd_success, 0);
39025 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39026 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39027 }
39028
39029 /**
39030 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
39031 }
39032 }
39033 lpfc_destroy_vport_work_array(phba, vports);
39034 - atomic_set(&phba->num_rsrc_err, 0);
39035 - atomic_set(&phba->num_cmd_success, 0);
39036 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39037 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39038 }
39039
39040 /**
39041 diff -urNp linux-2.6.39.3/drivers/scsi/mac_esp.c linux-2.6.39.3/drivers/scsi/mac_esp.c
39042 --- linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-19 00:06:34.000000000 -0400
39043 +++ linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-22 19:36:32.000000000 -0400
39044 @@ -473,7 +473,7 @@ static irqreturn_t mac_scsi_esp_intr(int
39045 return IRQ_HANDLED;
39046 }
39047
39048 -static struct esp_driver_ops mac_esp_ops = {
39049 +static const struct esp_driver_ops mac_esp_ops = {
39050 .esp_write8 = mac_esp_write8,
39051 .esp_read8 = mac_esp_read8,
39052 .map_single = mac_esp_map_single,
39053 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c
39054 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-19 00:06:34.000000000 -0400
39055 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-22 19:36:32.000000000 -0400
39056 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
39057 int rval;
39058 int i;
39059
39060 + pax_track_stack();
39061 +
39062 // Allocate memory for the base list of scb for management module.
39063 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
39064
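Review bot: The added `pax_track_stack();` in megaraid_cmm_register carries no comment saying why this function needs it, and the locals that presumably make the frame large are not visible in the hunk. A one-line comment above the call, such as `/* large on-stack locals; revisit if they move to the heap */`, would tell a maintainer when the call can be dropped. The same bare call is added in _osd_get_print_system_info, resp_mode_select, resp_log_sense, sym2_probe and pvscsi_setup_all_rings. In the two scsi_debug.c hunks the on-stack `arr[]` buffers are the likely reason.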
39065 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c
39066 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-19 00:06:34.000000000 -0400
39067 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-22 19:36:32.000000000 -0400
39068 @@ -366,7 +366,7 @@ megasas_check_reset_xscale(struct megasa
39069 return 0;
39070 }
39071
39072 -static struct megasas_instance_template megasas_instance_template_xscale = {
39073 +static const struct megasas_instance_template megasas_instance_template_xscale = {
39074
39075 .fire_cmd = megasas_fire_cmd_xscale,
39076 .enable_intr = megasas_enable_intr_xscale,
39077 @@ -497,7 +497,7 @@ megasas_check_reset_ppc(struct megasas_i
39078 {
39079 return 0;
39080 }
39081 -static struct megasas_instance_template megasas_instance_template_ppc = {
39082 +static const struct megasas_instance_template megasas_instance_template_ppc = {
39083
39084 .fire_cmd = megasas_fire_cmd_ppc,
39085 .enable_intr = megasas_enable_intr_ppc,
39086 @@ -623,7 +623,7 @@ megasas_check_reset_skinny(struct megasa
39087 return 0;
39088 }
39089
39090 -static struct megasas_instance_template megasas_instance_template_skinny = {
39091 +static const struct megasas_instance_template megasas_instance_template_skinny = {
39092
39093 .fire_cmd = megasas_fire_cmd_skinny,
39094 .enable_intr = megasas_enable_intr_skinny,
39095 @@ -810,7 +810,7 @@ megasas_check_reset_gen2(struct megasas_
39096 return 0;
39097 }
39098
39099 -static struct megasas_instance_template megasas_instance_template_gen2 = {
39100 +static const struct megasas_instance_template megasas_instance_template_gen2 = {
39101
39102 .fire_cmd = megasas_fire_cmd_gen2,
39103 .enable_intr = megasas_enable_intr_gen2,
39104 @@ -834,7 +834,7 @@ static struct megasas_instance_template
39105 /*
39106 * Template added for TB (Fusion)
39107 */
39108 -extern struct megasas_instance_template megasas_instance_template_fusion;
39109 +extern const struct megasas_instance_template megasas_instance_template_fusion;
39110
39111 /**
39112 * megasas_issue_polled - Issues a polling command
39113 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c
39114 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-19 00:06:34.000000000 -0400
39115 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-22 19:36:32.000000000 -0400
39116 @@ -2236,7 +2236,7 @@ void megasas_fusion_ocr_wq(struct work_s
39117 megasas_reset_fusion(instance->host);
39118 }
39119
39120 -struct megasas_instance_template megasas_instance_template_fusion = {
39121 +const struct megasas_instance_template megasas_instance_template_fusion = {
39122 .fire_cmd = megasas_fire_cmd_fusion,
39123 .enable_intr = megasas_enable_intr_fusion,
39124 .disable_intr = megasas_disable_intr_fusion,
39125 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h
39126 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-19 00:06:34.000000000 -0400
39127 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-22 19:36:32.000000000 -0400
39128 @@ -1330,7 +1330,7 @@ struct megasas_instance {
39129 atomic_t fw_outstanding;
39130 atomic_t fw_reset_no_pci_access;
39131
39132 - struct megasas_instance_template *instancet;
39133 + const struct megasas_instance_template *instancet;
39134 struct tasklet_struct isr_tasklet;
39135 struct work_struct work_init;
39136
39137 diff -urNp linux-2.6.39.3/drivers/scsi/ncr53c8xx.c linux-2.6.39.3/drivers/scsi/ncr53c8xx.c
39138 --- linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-19 00:06:34.000000000 -0400
39139 +++ linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-22 19:36:32.000000000 -0400
39140 @@ -8606,7 +8606,7 @@ static void ncr53c8xx_get_signalling(str
39141 spi_signalling(shost) = type;
39142 }
39143
39144 -static struct spi_function_template ncr53c8xx_transport_functions = {
39145 +static struct spi_function_template ncr53c8xx_transport_functions = {
39146 .set_period = ncr53c8xx_set_period,
39147 .show_period = 1,
39148 .set_offset = ncr53c8xx_set_offset,
39149 diff -urNp linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c
39150 --- linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-19 00:06:34.000000000 -0400
39151 +++ linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-22 19:36:32.000000000 -0400
39152 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
39153 int nelem = ARRAY_SIZE(get_attrs), a = 0;
39154 int ret;
39155
39156 + pax_track_stack();
39157 +
39158 or = osd_start_request(od, GFP_KERNEL);
39159 if (!or)
39160 return -ENOMEM;
39161 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.c linux-2.6.39.3/drivers/scsi/pmcraid.c
39162 --- linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-19 00:06:34.000000000 -0400
39163 +++ linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-22 19:36:32.000000000 -0400
39164 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
39165 res->scsi_dev = scsi_dev;
39166 scsi_dev->hostdata = res;
39167 res->change_detected = 0;
39168 - atomic_set(&res->read_failures, 0);
39169 - atomic_set(&res->write_failures, 0);
39170 + atomic_set_unchecked(&res->read_failures, 0);
39171 + atomic_set_unchecked(&res->write_failures, 0);
39172 rc = 0;
39173 }
39174 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39175 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
39176
39177 /* If this was a SCSI read/write command keep count of errors */
39178 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39179 - atomic_inc(&res->read_failures);
39180 + atomic_inc_unchecked(&res->read_failures);
39181 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39182 - atomic_inc(&res->write_failures);
39183 + atomic_inc_unchecked(&res->write_failures);
39184
39185 if (!RES_IS_GSCSI(res->cfg_entry) &&
39186 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39187 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
39188 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39189 * hrrq_id assigned here in queuecommand
39190 */
39191 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39192 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39193 pinstance->num_hrrq;
39194 cmd->cmd_done = pmcraid_io_done;
39195
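Review bot: In pmcraid_queuecommand_lck the value returned by `atomic_add_return_unchecked()` is a signed int, so once `last_message_id` wraps past INT_MAX the dividend of the `%` is negative. If `pinstance->num_hrrq` has a signed type (its declaration is not visible here), the remainder is then negative and `hrrq_id` no longer names a valid queue. Converting before the modulo avoids this: `ioarcb->hrrq_id = (u32)atomic_add_return_unchecked(1, &pinstance->last_message_id) % pinstance->num_hrrq;`. The identical expression in the pmcraid_ioctl_passthrough hunk that follows needs the same change.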
39196 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
39197 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39198 * hrrq_id assigned here in queuecommand
39199 */
39200 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39201 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39202 pinstance->num_hrrq;
39203
39204 if (request_size) {
39205 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
39206
39207 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39208 /* add resources only after host is added into system */
39209 - if (!atomic_read(&pinstance->expose_resources))
39210 + if (!atomic_read_unchecked(&pinstance->expose_resources))
39211 return;
39212
39213 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
39214 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
39215 init_waitqueue_head(&pinstance->reset_wait_q);
39216
39217 atomic_set(&pinstance->outstanding_cmds, 0);
39218 - atomic_set(&pinstance->last_message_id, 0);
39219 - atomic_set(&pinstance->expose_resources, 0);
39220 + atomic_set_unchecked(&pinstance->last_message_id, 0);
39221 + atomic_set_unchecked(&pinstance->expose_resources, 0);
39222
39223 INIT_LIST_HEAD(&pinstance->free_res_q);
39224 INIT_LIST_HEAD(&pinstance->used_res_q);
39225 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
39226 /* Schedule worker thread to handle CCN and take care of adding and
39227 * removing devices to OS
39228 */
39229 - atomic_set(&pinstance->expose_resources, 1);
39230 + atomic_set_unchecked(&pinstance->expose_resources, 1);
39231 schedule_work(&pinstance->worker_q);
39232 return rc;
39233
39234 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.h linux-2.6.39.3/drivers/scsi/pmcraid.h
39235 --- linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-19 00:06:34.000000000 -0400
39236 +++ linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-22 19:36:32.000000000 -0400
39237 @@ -750,7 +750,7 @@ struct pmcraid_instance {
39238 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
39239
39240 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
39241 - atomic_t last_message_id;
39242 + atomic_unchecked_t last_message_id;
39243
39244 /* configuration table */
39245 struct pmcraid_config_table *cfg_table;
39246 @@ -779,7 +779,7 @@ struct pmcraid_instance {
39247 atomic_t outstanding_cmds;
39248
39249 /* should add/delete resources to mid-layer now ?*/
39250 - atomic_t expose_resources;
39251 + atomic_unchecked_t expose_resources;
39252
39253
39254
39255 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
39256 struct pmcraid_config_table_entry_ext cfg_entry_ext;
39257 };
39258 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39259 - atomic_t read_failures; /* count of failed READ commands */
39260 - atomic_t write_failures; /* count of failed WRITE commands */
39261 + atomic_unchecked_t read_failures; /* count of failed READ commands */
39262 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39263
39264 /* To indicate add/delete/modify during CCN */
39265 u8 change_detected;
39266 diff -urNp linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c
39267 --- linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:04:14.000000000 -0400
39268 +++ linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:32:06.000000000 -0400
39269 @@ -4103,7 +4103,7 @@ static struct pci_driver qla2xxx_pci_dri
39270 .err_handler = &qla2xxx_err_handler,
39271 };
39272
39273 -static struct file_operations apidev_fops = {
39274 +static const struct file_operations apidev_fops = {
39275 .owner = THIS_MODULE,
39276 .llseek = noop_llseek,
39277 };
39278 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h
39279 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-19 00:06:34.000000000 -0400
39280 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-22 19:36:32.000000000 -0400
39281 @@ -256,7 +256,7 @@ struct ddb_entry {
39282 atomic_t retry_relogin_timer; /* Min Time between relogins
39283 * (4000 only) */
39284 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39285 - atomic_t relogin_retry_count; /* Num of times relogin has been
39286 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39287 * retried */
39288
39289 uint16_t port;
39290 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c
39291 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-19 00:06:34.000000000 -0400
39292 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-22 19:36:32.000000000 -0400
39293 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
39294 ddb_entry->fw_ddb_index = fw_ddb_index;
39295 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39296 atomic_set(&ddb_entry->relogin_timer, 0);
39297 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39298 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39299 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39300 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39301 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39302 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
39303 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
39304 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
39305 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39306 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39307 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39308 atomic_set(&ddb_entry->relogin_timer, 0);
39309 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39310 iscsi_unblock_session(ddb_entry->sess);
39311 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c
39312 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-19 00:06:34.000000000 -0400
39313 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-22 19:36:32.000000000 -0400
39314 @@ -802,13 +802,13 @@ static void qla4xxx_timer(struct scsi_ql
39315 ddb_entry->fw_ddb_device_state ==
39316 DDB_DS_SESSION_FAILED) {
39317 /* Reset retry relogin timer */
39318 - atomic_inc(&ddb_entry->relogin_retry_count);
39319 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39320 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
39321 " timed out-retrying"
39322 " relogin (%d)\n",
39323 ha->host_no,
39324 ddb_entry->fw_ddb_index,
39325 - atomic_read(&ddb_entry->
39326 + atomic_read_unchecked(&ddb_entry->
39327 relogin_retry_count))
39328 );
39329 start_dpc++;
39330 diff -urNp linux-2.6.39.3/drivers/scsi/scsi.c linux-2.6.39.3/drivers/scsi/scsi.c
39331 --- linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-19 00:06:34.000000000 -0400
39332 +++ linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-22 19:36:32.000000000 -0400
39333 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39334 unsigned long timeout;
39335 int rtn = 0;
39336
39337 - atomic_inc(&cmd->device->iorequest_cnt);
39338 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39339
39340 /* check if the device is still usable */
39341 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39342 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_debug.c linux-2.6.39.3/drivers/scsi/scsi_debug.c
39343 --- linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-19 00:06:34.000000000 -0400
39344 +++ linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-22 19:36:32.000000000 -0400
39345 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
39346 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39347 unsigned char *cmd = (unsigned char *)scp->cmnd;
39348
39349 + pax_track_stack();
39350 +
39351 if ((errsts = check_readiness(scp, 1, devip)))
39352 return errsts;
39353 memset(arr, 0, sizeof(arr));
39354 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
39355 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39356 unsigned char *cmd = (unsigned char *)scp->cmnd;
39357
39358 + pax_track_stack();
39359 +
39360 if ((errsts = check_readiness(scp, 1, devip)))
39361 return errsts;
39362 memset(arr, 0, sizeof(arr));
39363 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_lib.c linux-2.6.39.3/drivers/scsi/scsi_lib.c
39364 --- linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-19 00:06:34.000000000 -0400
39365 +++ linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-22 19:36:32.000000000 -0400
39366 @@ -1410,7 +1410,7 @@ static void scsi_kill_request(struct req
39367 shost = sdev->host;
39368 scsi_init_cmd_errh(cmd);
39369 cmd->result = DID_NO_CONNECT << 16;
39370 - atomic_inc(&cmd->device->iorequest_cnt);
39371 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39372
39373 /*
39374 * SCSI request completion path will do scsi_device_unbusy(),
39375 @@ -1436,9 +1436,9 @@ static void scsi_softirq_done(struct req
39376
39377 INIT_LIST_HEAD(&cmd->eh_entry);
39378
39379 - atomic_inc(&cmd->device->iodone_cnt);
39380 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
39381 if (cmd->result)
39382 - atomic_inc(&cmd->device->ioerr_cnt);
39383 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39384
39385 disposition = scsi_decide_disposition(cmd);
39386 if (disposition != SUCCESS &&
39387 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_sysfs.c linux-2.6.39.3/drivers/scsi/scsi_sysfs.c
39388 --- linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:22.000000000 -0400
39389 +++ linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 13:00:26.000000000 -0400
39390 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
39391 char *buf) \
39392 { \
39393 struct scsi_device *sdev = to_scsi_device(dev); \
39394 - unsigned long long count = atomic_read(&sdev->field); \
39395 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
39396 return snprintf(buf, 20, "0x%llx\n", count); \
39397 } \
39398 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
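Review bot: In show_iostat_##field the int returned by `atomic_read_unchecked()` is widened straight to `unsigned long long`, so a counter that has wrapped into the negative range is sign-extended and printed as `0xffffffff…`. The iostat counters are incremented in the scsi.c and scsi_lib.c hunks and no reset is visible on this page, so with wrapping now permitted the case is reachable on a long-lived device. Converting first keeps the output a 32-bit value: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. The macro begins outside the hunk.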
39399 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c
39400 --- linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-19 00:06:34.000000000 -0400
39401 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-22 19:36:32.000000000 -0400
39402 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
39403 * Netlink Infrastructure
39404 */
39405
39406 -static atomic_t fc_event_seq;
39407 +static atomic_unchecked_t fc_event_seq;
39408
39409 /**
39410 * fc_get_event_number - Obtain the next sequential FC event number
39411 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
39412 u32
39413 fc_get_event_number(void)
39414 {
39415 - return atomic_add_return(1, &fc_event_seq);
39416 + return atomic_add_return_unchecked(1, &fc_event_seq);
39417 }
39418 EXPORT_SYMBOL(fc_get_event_number);
39419
39420 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
39421 {
39422 int error;
39423
39424 - atomic_set(&fc_event_seq, 0);
39425 + atomic_set_unchecked(&fc_event_seq, 0);
39426
39427 error = transport_class_register(&fc_host_class);
39428 if (error)
39429 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
39430 char *cp;
39431
39432 *val = simple_strtoul(buf, &cp, 0);
39433 - if ((*cp && (*cp != '\n')) || (*val < 0))
39434 + if (*cp && (*cp != '\n'))
39435 return -EINVAL;
39436 /*
39437 * Check for overflow; dev_loss_tmo is u32
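Review bot: With the dead `*val < 0` test gone, fc_str_to_dev_loss still accepts input that contains no digits at all: `simple_strtoul()` then leaves `cp == buf` and stores 0, and the remaining check only looks at the trailing character. Rejecting that case takes one more condition, `if (cp == buf || (*cp && (*cp != '\n')))`. `simple_strtoul()` also does not report overflow of the unsigned long itself, so a very long digit string can wrap before the u32 range check mentioned in the comment below runs. The function body continues outside the hunk.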
39438 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c
39439 --- linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-19 00:06:34.000000000 -0400
39440 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-22 19:36:32.000000000 -0400
39441 @@ -83,7 +83,7 @@ struct iscsi_internal {
39442 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39443 };
39444
39445 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39446 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39447 static struct workqueue_struct *iscsi_eh_timer_workq;
39448
39449 /*
39450 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
39451 int err;
39452
39453 ihost = shost->shost_data;
39454 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39455 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39456
39457 if (id == ISCSI_MAX_TARGET) {
39458 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
39459 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
39460 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39461 ISCSI_TRANSPORT_VERSION);
39462
39463 - atomic_set(&iscsi_session_nr, 0);
39464 + atomic_set_unchecked(&iscsi_session_nr, 0);
39465
39466 err = class_register(&iscsi_transport_class);
39467 if (err)
39468 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c
39469 --- linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-19 00:06:34.000000000 -0400
39470 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-22 19:36:32.000000000 -0400
39471 @@ -33,7 +33,7 @@
39472 #include "scsi_transport_srp_internal.h"
39473
39474 struct srp_host_attrs {
39475 - atomic_t next_port_id;
39476 + atomic_unchecked_t next_port_id;
39477 };
39478 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39479
39480 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39481 struct Scsi_Host *shost = dev_to_shost(dev);
39482 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39483
39484 - atomic_set(&srp_host->next_port_id, 0);
39485 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39486 return 0;
39487 }
39488
39489 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39490 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39491 rport->roles = ids->roles;
39492
39493 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39494 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39495 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39496
39497 transport_setup_device(&rport->dev);
39498 diff -urNp linux-2.6.39.3/drivers/scsi/sg.c linux-2.6.39.3/drivers/scsi/sg.c
39499 --- linux-2.6.39.3/drivers/scsi/sg.c 2011-05-19 00:06:34.000000000 -0400
39500 +++ linux-2.6.39.3/drivers/scsi/sg.c 2011-05-22 19:36:32.000000000 -0400
39501 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
39502 const struct file_operations * fops;
39503 };
39504
39505 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39506 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39507 {"allow_dio", &adio_fops},
39508 {"debug", &debug_fops},
39509 {"def_reserved_size", &dressz_fops},
39510 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
39511 {
39512 int k, mask;
39513 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39514 - struct sg_proc_leaf * leaf;
39515 + const struct sg_proc_leaf * leaf;
39516
39517 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39518 if (!sg_proc_sgp)
39519 diff -urNp linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c
39520 --- linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-19 00:06:34.000000000 -0400
39521 +++ linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-22 19:36:32.000000000 -0400
39522 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
39523 int do_iounmap = 0;
39524 int do_disable_device = 1;
39525
39526 + pax_track_stack();
39527 +
39528 memset(&sym_dev, 0, sizeof(sym_dev));
39529 memset(&nvram, 0, sizeof(nvram));
39530 sym_dev.pdev = pdev;
39531 diff -urNp linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c
39532 --- linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-19 00:06:34.000000000 -0400
39533 +++ linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-22 19:36:32.000000000 -0400
39534 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
39535 dma_addr_t base;
39536 unsigned i;
39537
39538 + pax_track_stack();
39539 +
39540 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
39541 cmd.reqRingNumPages = adapter->req_pages;
39542 cmd.cmpRingNumPages = adapter->cmp_pages;
39543 diff -urNp linux-2.6.39.3/drivers/sh/clk/cpg.c linux-2.6.39.3/drivers/sh/clk/cpg.c
39544 --- linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:04:14.000000000 -0400
39545 +++ linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:32:06.000000000 -0400
39546 @@ -26,7 +26,7 @@ static void sh_clk_mstp32_disable(struct
39547 clk->enable_reg);
39548 }
39549
39550 -static struct clk_ops sh_clk_mstp32_clk_ops = {
39551 +static const struct clk_ops sh_clk_mstp32_clk_ops = {
39552 .enable = sh_clk_mstp32_enable,
39553 .disable = sh_clk_mstp32_disable,
39554 .recalc = followparent_recalc,
39555 @@ -150,7 +150,7 @@ static void sh_clk_div6_disable(struct c
39556 __raw_writel(value, clk->enable_reg);
39557 }
39558
39559 -static struct clk_ops sh_clk_div6_clk_ops = {
39560 +static const struct clk_ops sh_clk_div6_clk_ops = {
39561 .recalc = sh_clk_div6_recalc,
39562 .round_rate = sh_clk_div_round_rate,
39563 .set_rate = sh_clk_div6_set_rate,
39564 @@ -158,7 +158,7 @@ static struct clk_ops sh_clk_div6_clk_op
39565 .disable = sh_clk_div6_disable,
39566 };
39567
39568 -static struct clk_ops sh_clk_div6_reparent_clk_ops = {
39569 +static const struct clk_ops sh_clk_div6_reparent_clk_ops = {
39570 .recalc = sh_clk_div6_recalc,
39571 .round_rate = sh_clk_div_round_rate,
39572 .set_rate = sh_clk_div6_set_rate,
39573 @@ -282,13 +282,13 @@ static void sh_clk_div4_disable(struct c
39574 __raw_writel(__raw_readl(clk->enable_reg) | (1 << 8), clk->enable_reg);
39575 }
39576
39577 -static struct clk_ops sh_clk_div4_clk_ops = {
39578 +static const struct clk_ops sh_clk_div4_clk_ops = {
39579 .recalc = sh_clk_div4_recalc,
39580 .set_rate = sh_clk_div4_set_rate,
39581 .round_rate = sh_clk_div_round_rate,
39582 };
39583
39584 -static struct clk_ops sh_clk_div4_enable_clk_ops = {
39585 +static const struct clk_ops sh_clk_div4_enable_clk_ops = {
39586 .recalc = sh_clk_div4_recalc,
39587 .set_rate = sh_clk_div4_set_rate,
39588 .round_rate = sh_clk_div_round_rate,
39589 @@ -296,7 +296,7 @@ static struct clk_ops sh_clk_div4_enable
39590 .disable = sh_clk_div4_disable,
39591 };
39592
39593 -static struct clk_ops sh_clk_div4_reparent_clk_ops = {
39594 +static const struct clk_ops sh_clk_div4_reparent_clk_ops = {
39595 .recalc = sh_clk_div4_recalc,
39596 .set_rate = sh_clk_div4_set_rate,
39597 .round_rate = sh_clk_div_round_rate,
39598 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi.h linux-2.6.39.3/drivers/spi/dw_spi.h
39599 --- linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-19 00:06:34.000000000 -0400
39600 +++ linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-22 19:36:32.000000000 -0400
39601 @@ -151,7 +151,7 @@ struct dw_spi {
39602 int dma_chan_done;
39603 struct device *dma_dev;
39604 dma_addr_t dma_addr; /* phy address of the Data register */
39605 - struct dw_spi_dma_ops *dma_ops;
39606 + const struct dw_spi_dma_ops *dma_ops;
39607 void *dma_priv; /* platform relate info */
39608 struct pci_dev *dmac;
39609
39610 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi_mid.c linux-2.6.39.3/drivers/spi/dw_spi_mid.c
39611 --- linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-19 00:06:34.000000000 -0400
39612 +++ linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-22 19:36:32.000000000 -0400
39613 @@ -180,7 +180,7 @@ static int mid_spi_dma_transfer(struct d
39614 return 0;
39615 }
39616
39617 -static struct dw_spi_dma_ops mid_dma_ops = {
39618 +static const struct dw_spi_dma_ops mid_dma_ops = {
39619 .dma_init = mid_spi_dma_init,
39620 .dma_exit = mid_spi_dma_exit,
39621 .dma_transfer = mid_spi_dma_transfer,
39622 diff -urNp linux-2.6.39.3/drivers/spi/spi.c linux-2.6.39.3/drivers/spi/spi.c
39623 --- linux-2.6.39.3/drivers/spi/spi.c 2011-05-19 00:06:34.000000000 -0400
39624 +++ linux-2.6.39.3/drivers/spi/spi.c 2011-05-22 19:36:32.000000000 -0400
39625 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
39626 EXPORT_SYMBOL_GPL(spi_bus_unlock);
39627
39628 /* portable code must never pass more than 32 bytes */
39629 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39630 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39631
39632 static u8 *buf;
39633
39634 diff -urNp linux-2.6.39.3/drivers/ssb/driver_pcicore.c linux-2.6.39.3/drivers/ssb/driver_pcicore.c
39635 --- linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-19 00:06:34.000000000 -0400
39636 +++ linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-22 19:36:32.000000000 -0400
39637 @@ -223,7 +223,7 @@ static int ssb_pcicore_write_config(stru
39638 return err ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
39639 }
39640
39641 -static struct pci_ops ssb_pcicore_pciops = {
39642 +static const struct pci_ops ssb_pcicore_pciops = {
39643 .read = ssb_pcicore_read_config,
39644 .write = ssb_pcicore_write_config,
39645 };
39646 diff -urNp linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c
39647 --- linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39648 +++ linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39649 @@ -1391,8 +1391,7 @@ u32 cipher_suites[] = {
39650 WLAN_CIPHER_SUITE_CCMP,
39651 };
39652
39653 -static struct
39654 -cfg80211_ops ar6k_cfg80211_ops = {
39655 +static const struct cfg80211_ops ar6k_cfg80211_ops = {
39656 .change_virtual_intf = ar6k_cfg80211_change_iface,
39657 .add_virtual_intf = ar6k_cfg80211_add_virtual_intf,
39658 .del_virtual_intf = ar6k_cfg80211_del_virtual_intf,
39659 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
39660 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-19 00:06:34.000000000 -0400
39661 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-22 19:36:32.000000000 -0400
39662 @@ -857,14 +857,14 @@ static void dhd_op_if(dhd_if_t *ifp)
39663 free_netdev(ifp->net);
39664 }
39665 /* Allocate etherdev, including space for private structure */
39666 - ifp->net = alloc_etherdev(sizeof(dhd));
39667 + ifp->net = alloc_etherdev(sizeof(*dhd));
39668 if (!ifp->net) {
39669 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39670 ret = -ENOMEM;
39671 }
39672 if (ret == 0) {
39673 strcpy(ifp->net->name, ifp->name);
39674 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
39675 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
39676 err = dhd_net_attach(&dhd->pub, ifp->idx);
39677 if (err != 0) {
39678 DHD_ERROR(("%s: dhd_net_attach failed, "
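Review bot: The two replaced lines in dhd_op_if() change what is stored in the netdev private area, not only its size: the old `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd))` stored the pointer value, while the new form stores a snapshot copy of `*dhd`. The next line still passes `&dhd->pub` to dhd_net_attach(), so the original object stays in use and the copy will diverge from it. Any reader that loads a pointer back out of netdev_priv() would now interpret struct bytes as an address; those readers are not visible in this hunk and need checking. If they do expect a pointer, the safer form is to keep `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));` and add `/* priv stores a pointer to dhd, not a copy */`. The same applies to the three dhd_attach() hunks below (@@ -1923, @@ -1939, @@ -2056); dhd_op_if() starts and ends outside the hunk.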
39679 @@ -1500,7 +1500,7 @@ static void dhd_ethtool_get_drvinfo(stru
39680 sprintf(info->bus_info, "%s", dev_name(&wl_cfg80211_get_sdio_func()->dev));
39681 }
39682
39683 -struct ethtool_ops dhd_ethtool_ops = {
39684 +const struct ethtool_ops dhd_ethtool_ops = {
39685 .get_drvinfo = dhd_ethtool_get_drvinfo
39686 };
39687
39688 @@ -1923,7 +1923,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39689 strcpy(nv_path, nvram_path);
39690
39691 /* Allocate etherdev, including space for private structure */
39692 - net = alloc_etherdev(sizeof(dhd));
39693 + net = alloc_etherdev(sizeof(*dhd));
39694 if (!net) {
39695 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39696 goto fail;
39697 @@ -1939,7 +1939,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39698 /*
39699 * Save the dhd_info into the priv
39700 */
39701 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39702 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39703
39704 /* Set network interface name if it was provided as module parameter */
39705 if (iface_name[0]) {
39706 @@ -2056,7 +2056,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39707 /*
39708 * Save the dhd_info into the priv
39709 */
39710 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39711 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39712
39713 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
39714 g_bus = bus;
39715 @@ -2206,7 +2206,7 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, cha
39716 return ret;
39717 }
39718
39719 -static struct net_device_ops dhd_ops_pri = {
39720 +static const struct net_device_ops dhd_ops_pri = {
39721 .ndo_open = dhd_open,
39722 .ndo_stop = dhd_stop,
39723 .ndo_get_stats = dhd_get_stats,
39724 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c
39725 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39726 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39727 @@ -2109,7 +2109,7 @@ wl_cfg80211_flush_pmksa(struct wiphy *wi
39728
39729 }
39730
39731 -static struct cfg80211_ops wl_cfg80211_ops = {
39732 +static const struct cfg80211_ops wl_cfg80211_ops = {
39733 .change_virtual_intf = wl_cfg80211_change_iface,
39734 .scan = wl_cfg80211_scan,
39735 .set_wiphy_params = wl_cfg80211_set_wiphy_params,
39736 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c
39737 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-19 00:06:34.000000000 -0400
39738 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-22 19:36:32.000000000 -0400
39739 @@ -495,7 +495,7 @@ wl_iw_get_range(struct net_device *dev,
39740 list = (wl_u32_list_t *) channels;
39741
39742 dwrq->length = sizeof(struct iw_range);
39743 - memset(range, 0, sizeof(range));
39744 + memset(range, 0, sizeof(*range));
39745
39746 range->min_nwid = range->max_nwid = 0;
39747
39748 diff -urNp linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c
39749 --- linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-19 00:06:34.000000000 -0400
39750 +++ linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-22 19:36:32.000000000 -0400
39751 @@ -1445,7 +1445,7 @@ static void comedi_unmap(struct vm_area_
39752 mutex_unlock(&dev->mutex);
39753 }
39754
39755 -static struct vm_operations_struct comedi_vm_ops = {
39756 +static const struct vm_operations_struct comedi_vm_ops = {
39757 .close = comedi_unmap,
39758 };
39759
39760 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c
39761 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-19 00:06:34.000000000 -0400
39762 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-22 19:36:32.000000000 -0400
39763 @@ -586,7 +586,7 @@ static struct page *snd_cx25821_page(str
39764 /*
39765 * operators
39766 */
39767 -static struct snd_pcm_ops snd_cx25821_pcm_ops = {
39768 +static const struct snd_pcm_ops snd_cx25821_pcm_ops = {
39769 .open = snd_cx25821_pcm_open,
39770 .close = snd_cx25821_close,
39771 .ioctl = snd_pcm_lib_ioctl,
39772 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c
39773 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-19 00:06:34.000000000 -0400
39774 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-22 19:36:32.000000000 -0400
39775 @@ -282,7 +282,7 @@ static u32 cx25821_functionality(struct
39776 I2C_FUNC_SMBUS_READ_WORD_DATA | I2C_FUNC_SMBUS_WRITE_WORD_DATA;
39777 }
39778
39779 -static struct i2c_algorithm cx25821_i2c_algo_template = {
39780 +static const struct i2c_algorithm cx25821_i2c_algo_template = {
39781 .master_xfer = i2c_xfer,
39782 .functionality = cx25821_functionality,
39783 #ifdef NEED_ALGO_CONTROL
39784 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c
39785 --- linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-19 00:06:34.000000000 -0400
39786 +++ linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-22 19:36:32.000000000 -0400
39787 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
39788 struct net_device_stats *stats = &etdev->net_stats;
39789
39790 if (tcb->flags & fMP_DEST_BROAD)
39791 - atomic_inc(&etdev->Stats.brdcstxmt);
39792 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39793 else if (tcb->flags & fMP_DEST_MULTI)
39794 - atomic_inc(&etdev->Stats.multixmt);
39795 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39796 else
39797 - atomic_inc(&etdev->Stats.unixmt);
39798 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39799
39800 if (tcb->skb) {
39801 stats->tx_bytes += tcb->skb->len;
39802 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h
39803 --- linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-19 00:06:34.000000000 -0400
39804 +++ linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-22 19:36:32.000000000 -0400
39805 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
39806 * operations
39807 */
39808 u32 unircv; /* # multicast packets received */
39809 - atomic_t unixmt; /* # multicast packets for Tx */
39810 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39811 u32 multircv; /* # multicast packets received */
39812 - atomic_t multixmt; /* # multicast packets for Tx */
39813 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39814 u32 brdcstrcv; /* # broadcast packets received */
39815 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39816 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39817 u32 norcvbuf; /* # Rx packets discarded */
39818 u32 noxmtbuf; /* # Tx packets discarded */
39819
39820 diff -urNp linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
39821 --- linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-19 00:06:34.000000000 -0400
39822 +++ linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-22 19:36:32.000000000 -0400
39823 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
39824 //
39825 // Table of entry-point routines for char device
39826 //
39827 -static struct file_operations ft1000fops =
39828 +static const struct file_operations ft1000fops =
39829 {
39830 .unlocked_ioctl = ft1000_ioctl,
39831 .poll = ft1000_poll_dev,
39832 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c
39833 --- linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-19 00:06:34.000000000 -0400
39834 +++ linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-22 19:36:32.000000000 -0400
39835 @@ -221,7 +221,7 @@ module_param(rio_poll, int, 0);
39836 module_param(rio_debug, int, 0644);
39837 module_param(rio_irqmask, long, 0);
39838
39839 -static struct real_driver rio_real_driver = {
39840 +static const struct real_driver rio_real_driver = {
39841 rio_disable_tx_interrupts,
39842 rio_enable_tx_interrupts,
39843 rio_disable_rx_interrupts,
39844 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c
39845 --- linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-19 00:06:34.000000000 -0400
39846 +++ linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-22 19:36:32.000000000 -0400
39847 @@ -144,7 +144,7 @@ static int a2232_open(struct tty_struct
39848 /*---------------------------------------------------------------------------
39849 * Interface from generic_serial.c back here
39850 *--------------------------------------------------------------------------*/
39851 -static struct real_driver a2232_real_driver = {
39852 +static const struct real_driver a2232_real_driver = {
39853 a2232_disable_tx_interrupts,
39854 a2232_enable_tx_interrupts,
39855 a2232_disable_rx_interrupts,
39856 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/sx.c linux-2.6.39.3/drivers/staging/generic_serial/sx.c
39857 --- linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-19 00:06:34.000000000 -0400
39858 +++ linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-22 19:36:32.000000000 -0400
39859 @@ -355,7 +355,7 @@ module_param(sx_irqmask, int, 0);
39860
39861 MODULE_LICENSE("GPL");
39862
39863 -static struct real_driver sx_real_driver = {
39864 +static const struct real_driver sx_real_driver = {
39865 sx_disable_tx_interrupts,
39866 sx_enable_tx_interrupts,
39867 sx_disable_rx_interrupts,
39868 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c
39869 --- linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-19 00:06:34.000000000 -0400
39870 +++ linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-22 19:36:32.000000000 -0400
39871 @@ -94,7 +94,7 @@ static struct scc_port scc_ports[2];
39872 * Interface from generic_serial.c back here
39873 *--------------------------------------------------------------------------*/
39874
39875 -static struct real_driver scc_real_driver = {
39876 +static const struct real_driver scc_real_driver = {
39877 scc_disable_tx_interrupts,
39878 scc_enable_tx_interrupts,
39879 scc_disable_rx_interrupts,
39880 diff -urNp linux-2.6.39.3/drivers/staging/gma500/psb_fb.c linux-2.6.39.3/drivers/staging/gma500/psb_fb.c
39881 --- linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 12:55:22.000000000 -0400
39882 +++ linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 13:00:26.000000000 -0400
39883 @@ -230,7 +230,7 @@ static void psbfb_vm_close(struct vm_are
39884 DRM_DEBUG("vm_close\n");
39885 }
39886
39887 -static struct vm_operations_struct psbfb_vm_ops = {
39888 +static const struct vm_operations_struct psbfb_vm_ops = {
39889 .fault = psbfb_vm_fault,
39890 .open = psbfb_vm_open,
39891 .close = psbfb_vm_close
39892 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c
39893 --- linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-19 00:06:34.000000000 -0400
39894 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-22 19:36:32.000000000 -0400
39895 @@ -198,7 +198,7 @@ static u32 go7007_functionality(struct i
39896 return I2C_FUNC_SMBUS_BYTE_DATA;
39897 }
39898
39899 -static struct i2c_algorithm go7007_algo = {
39900 +static const struct i2c_algorithm go7007_algo = {
39901 .smbus_xfer = go7007_smbus_xfer,
39902 .master_xfer = go7007_i2c_master_xfer,
39903 .functionality = go7007_functionality,
39904 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c
39905 --- linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-19 00:06:34.000000000 -0400
39906 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-22 19:36:32.000000000 -0400
39907 @@ -849,7 +849,7 @@ static int go7007_usb_send_firmware(stru
39908 &transferred, timeout);
39909 }
39910
39911 -static struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39912 +static const struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39913 .interface_reset = go7007_usb_interface_reset,
39914 .write_interrupt = go7007_usb_ezusb_write_interrupt,
39915 .read_interrupt = go7007_usb_read_interrupt,
39916 @@ -858,7 +858,7 @@ static struct go7007_hpi_ops go7007_usb_
39917 .send_firmware = go7007_usb_send_firmware,
39918 };
39919
39920 -static struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39921 +static const struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39922 .interface_reset = go7007_usb_interface_reset,
39923 .write_interrupt = go7007_usb_onboard_write_interrupt,
39924 .read_interrupt = go7007_usb_read_interrupt,
39925 @@ -950,7 +950,7 @@ static u32 go7007_usb_functionality(stru
39926 return (I2C_FUNC_SMBUS_EMUL) & ~I2C_FUNC_SMBUS_QUICK;
39927 }
39928
39929 -static struct i2c_algorithm go7007_usb_algo = {
39930 +static const struct i2c_algorithm go7007_usb_algo = {
39931 .master_xfer = go7007_usb_i2c_master_xfer,
39932 .functionality = go7007_usb_functionality,
39933 };
39934 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c
39935 --- linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-19 00:06:34.000000000 -0400
39936 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-22 19:36:32.000000000 -0400
39937 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
39938 return 0;
39939 }
39940
39941 -static struct vm_operations_struct go7007_vm_ops = {
39942 +static const struct vm_operations_struct go7007_vm_ops = {
39943 .open = go7007_vm_open,
39944 .close = go7007_vm_close,
39945 .fault = go7007_vm_fault,
39946 diff -urNp linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c
39947 --- linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-19 00:06:34.000000000 -0400
39948 +++ linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-22 19:36:32.000000000 -0400
39949 @@ -421,7 +421,7 @@ static int saa7134_go7007_send_command(s
39950
39951 }
39952
39953 -static struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39954 +static const struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39955 .interface_reset = saa7134_go7007_interface_reset,
39956 .write_interrupt = saa7134_go7007_write_interrupt,
39957 .read_interrupt = saa7134_go7007_read_interrupt,
39958 diff -urNp linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c
39959 --- linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-19 00:06:34.000000000 -0400
39960 +++ linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-22 19:36:32.000000000 -0400
39961 @@ -204,7 +204,7 @@ static struct page *go7007_snd_pcm_page(
39962 return vmalloc_to_page(substream->runtime->dma_area + offset);
39963 }
39964
39965 -static struct snd_pcm_ops go7007_snd_capture_ops = {
39966 +static const struct snd_pcm_ops go7007_snd_capture_ops = {
39967 .open = go7007_snd_capture_open,
39968 .close = go7007_snd_capture_close,
39969 .ioctl = snd_pcm_lib_ioctl,
39970 @@ -227,7 +227,7 @@ static int go7007_snd_free(struct snd_de
39971 return 0;
39972 }
39973
39974 -static struct snd_device_ops go7007_snd_device_ops = {
39975 +static const struct snd_device_ops go7007_snd_device_ops = {
39976 .dev_free = go7007_snd_free,
39977 };
39978
39979 diff -urNp linux-2.6.39.3/drivers/staging/hv/channel.c linux-2.6.39.3/drivers/staging/hv/channel.c
39980 --- linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-19 00:06:34.000000000 -0400
39981 +++ linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-22 19:36:32.000000000 -0400
39982 @@ -509,8 +509,8 @@ int vmbus_establish_gpadl(struct vmbus_c
39983 unsigned long flags;
39984 int ret = 0;
39985
39986 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
39987 - atomic_inc(&vmbus_connection.next_gpadl_handle);
39988 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
39989 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
39990
39991 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
39992 if (ret)
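Review bot: The handle is still obtained with a separate `atomic_read_unchecked()` and `atomic_inc_unchecked()`, so two concurrent callers of vmbus_establish_gpadl() can read the same value before either increments it. A single `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;` hands out each value once and keeps the numbering; this patch already uses `atomic_inc_return_unchecked` in rndis_filter.c. Whether callers are serialised by a lock cannot be seen here, because the function starts and ends outside the hunk. Since the counter is now explicitly allowed to wrap, a short comment stating that it is an identifier rather than a reference count, and what is expected when a value is reused after wrap, would help the next reader.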
39993 diff -urNp linux-2.6.39.3/drivers/staging/hv/hv.c linux-2.6.39.3/drivers/staging/hv/hv.c
39994 --- linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-19 00:06:34.000000000 -0400
39995 +++ linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-22 19:36:32.000000000 -0400
39996 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
39997 u64 output_address = (output) ? virt_to_phys(output) : 0;
39998 u32 output_address_hi = output_address >> 32;
39999 u32 output_address_lo = output_address & 0xFFFFFFFF;
40000 - volatile void *hypercall_page = hv_context.hypercall_page;
40001 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
40002
40003 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
40004 control, input, output);
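Review bot: The added `ktva_ktla()` call in do_hypercall() has no comment, and its definition is not part of this hunk, so a reader of the driver cannot tell why the hypercall page address is translated before use. I would add a line above it such as `/* PaX: translate the hypercall page address before calling through it */`, worded to match the macro's actual definition. It is also worth confirming that `ktva_ktla()` is defined, presumably as an identity mapping, in every configuration where this staging driver builds. do_hypercall() starts and ends outside the hunk.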
40005 diff -urNp linux-2.6.39.3/drivers/staging/hv/rndis_filter.c linux-2.6.39.3/drivers/staging/hv/rndis_filter.c
40006 --- linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-19 00:06:34.000000000 -0400
40007 +++ linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-22 19:36:32.000000000 -0400
40008 @@ -49,7 +49,7 @@ struct rndis_device {
40009
40010 enum rndis_device_state state;
40011 u32 link_stat;
40012 - atomic_t new_req_id;
40013 + atomic_unchecked_t new_req_id;
40014
40015 spinlock_t request_lock;
40016 struct list_head req_list;
40017 @@ -144,7 +144,7 @@ static struct rndis_request *get_rndis_r
40018 * template
40019 */
40020 set = &rndis_msg->msg.set_req;
40021 - set->req_id = atomic_inc_return(&dev->new_req_id);
40022 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40023
40024 /* Add to the request list */
40025 spin_lock_irqsave(&dev->request_lock, flags);
40026 @@ -709,7 +709,7 @@ static void rndis_filter_halt_device(str
40027
40028 /* Setup the rndis set */
40029 halt = &request->request_msg.msg.halt_req;
40030 - halt->req_id = atomic_inc_return(&dev->new_req_id);
40031 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40032
40033 /* Ignore return since this msg is optional. */
40034 rndis_filter_send_request(dev, request);
40035 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c
40036 --- linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-19 00:06:34.000000000 -0400
40037 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-22 19:36:32.000000000 -0400
40038 @@ -661,14 +661,14 @@ int vmbus_child_device_register(struct h
40039 {
40040 int ret = 0;
40041
40042 - static atomic_t device_num = ATOMIC_INIT(0);
40043 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
40044
40045 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
40046 child_device_obj);
40047
40048 /* Set the device name. Otherwise, device_register() will fail. */
40049 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
40050 - atomic_inc_return(&device_num));
40051 + atomic_inc_return_unchecked(&device_num));
40052
40053 /* The new device belongs to this bus */
40054 child_device_obj->device.bus = &vmbus_drv.bus; /* device->dev.bus; */
40055 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_private.h linux-2.6.39.3/drivers/staging/hv/vmbus_private.h
40056 --- linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-19 00:06:34.000000000 -0400
40057 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-22 19:36:32.000000000 -0400
40058 @@ -58,7 +58,7 @@ enum vmbus_connect_state {
40059 struct vmbus_connection {
40060 enum vmbus_connect_state conn_state;
40061
40062 - atomic_t next_gpadl_handle;
40063 + atomic_unchecked_t next_gpadl_handle;
40064
40065 /*
40066 * Represents channel interrupts. Each bit position represents a
40067 diff -urNp linux-2.6.39.3/drivers/staging/iio/ring_generic.h linux-2.6.39.3/drivers/staging/iio/ring_generic.h
40068 --- linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-19 00:06:34.000000000 -0400
40069 +++ linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-25 16:55:27.000000000 -0400
40070 @@ -134,7 +134,7 @@ struct iio_ring_buffer {
40071 struct iio_handler access_handler;
40072 struct iio_event_interface ev_int;
40073 struct iio_shared_ev_pointer shared_ev_pointer;
40074 - struct iio_ring_access_funcs access;
40075 + struct iio_ring_access_funcs access;
40076 int (*preenable)(struct iio_dev *);
40077 int (*postenable)(struct iio_dev *);
40078 int (*predisable)(struct iio_dev *);
40079 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c
40080 --- linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-19 00:06:34.000000000 -0400
40081 +++ linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-22 19:36:32.000000000 -0400
40082 @@ -494,7 +494,7 @@ static int snd_intelmad_device_set(struc
40083 struct snd_intelmad *intelmaddata;
40084 struct snd_pmic_ops *scard_ops;
40085 int ret_val = 0, vendor, status;
40086 - struct intel_sst_pcm_control *pcm_control;
40087 + const struct intel_sst_pcm_control *pcm_control;
40088
40089 pr_debug("snd_intelmad_device_set called\n");
40090
40091 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c
40092 --- linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-19 00:06:34.000000000 -0400
40093 +++ linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-22 19:36:32.000000000 -0400
40094 @@ -470,7 +470,7 @@ int sst_device_control(int cmd, void *ar
40095 }
40096
40097
40098 -struct intel_sst_pcm_control pcm_ops = {
40099 +const struct intel_sst_pcm_control pcm_ops = {
40100 .open = sst_open_pcm_stream,
40101 .device_control = sst_device_control,
40102 .close = sst_close_pcm_stream,
40103 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.c linux-2.6.39.3/drivers/staging/line6/capture.c
40104 --- linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-19 00:06:34.000000000 -0400
40105 +++ linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-22 19:36:32.000000000 -0400
40106 @@ -378,7 +378,7 @@ snd_line6_capture_pointer(struct snd_pcm
40107 }
40108
40109 /* capture operators */
40110 -struct snd_pcm_ops snd_line6_capture_ops = {
40111 +const struct snd_pcm_ops snd_line6_capture_ops = {
40112 .open = snd_line6_capture_open,
40113 .close = snd_line6_capture_close,
40114 .ioctl = snd_pcm_lib_ioctl,
40115 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.h linux-2.6.39.3/drivers/staging/line6/capture.h
40116 --- linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-19 00:06:34.000000000 -0400
40117 +++ linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-22 19:36:32.000000000 -0400
40118 @@ -17,7 +17,7 @@
40119 #include "driver.h"
40120 #include "pcm.h"
40121
40122 -extern struct snd_pcm_ops snd_line6_capture_ops;
40123 +extern const struct snd_pcm_ops snd_line6_capture_ops;
40124
40125 extern void line6_capture_copy(struct snd_line6_pcm *line6pcm, char *fbuf,
40126 int fsize);
40127 diff -urNp linux-2.6.39.3/drivers/staging/line6/midi.c linux-2.6.39.3/drivers/staging/line6/midi.c
40128 --- linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-19 00:06:34.000000000 -0400
40129 +++ linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-22 19:36:32.000000000 -0400
40130 @@ -239,14 +239,14 @@ static void line6_midi_input_trigger(str
40131 line6->line6midi->substream_receive = 0;
40132 }
40133
40134 -static struct snd_rawmidi_ops line6_midi_output_ops = {
40135 +static const struct snd_rawmidi_ops line6_midi_output_ops = {
40136 .open = line6_midi_output_open,
40137 .close = line6_midi_output_close,
40138 .trigger = line6_midi_output_trigger,
40139 .drain = line6_midi_output_drain,
40140 };
40141
40142 -static struct snd_rawmidi_ops line6_midi_input_ops = {
40143 +static const struct snd_rawmidi_ops line6_midi_input_ops = {
40144 .open = line6_midi_input_open,
40145 .close = line6_midi_input_close,
40146 .trigger = line6_midi_input_trigger,
40147 @@ -373,7 +373,7 @@ static int snd_line6_midi_free(struct sn
40148 */
40149 int line6_init_midi(struct usb_line6 *line6)
40150 {
40151 - static struct snd_device_ops midi_ops = {
40152 + static const struct snd_device_ops midi_ops = {
40153 .dev_free = snd_line6_midi_free,
40154 };
40155
40156 diff -urNp linux-2.6.39.3/drivers/staging/line6/pcm.c linux-2.6.39.3/drivers/staging/line6/pcm.c
40157 --- linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-19 00:06:34.000000000 -0400
40158 +++ linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-22 19:36:32.000000000 -0400
40159 @@ -384,7 +384,7 @@ void line6_pcm_disconnect(struct snd_lin
40160 int line6_init_pcm(struct usb_line6 *line6,
40161 struct line6_pcm_properties *properties)
40162 {
40163 - static struct snd_device_ops pcm_ops = {
40164 + static const struct snd_device_ops pcm_ops = {
40165 .dev_free = snd_line6_pcm_free,
40166 };
40167
40168 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.c linux-2.6.39.3/drivers/staging/line6/playback.c
40169 --- linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-19 00:06:34.000000000 -0400
40170 +++ linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-22 19:36:32.000000000 -0400
40171 @@ -536,7 +536,7 @@ snd_line6_playback_pointer(struct snd_pc
40172 }
40173
40174 /* playback operators */
40175 -struct snd_pcm_ops snd_line6_playback_ops = {
40176 +const struct snd_pcm_ops snd_line6_playback_ops = {
40177 .open = snd_line6_playback_open,
40178 .close = snd_line6_playback_close,
40179 .ioctl = snd_pcm_lib_ioctl,
40180 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.h linux-2.6.39.3/drivers/staging/line6/playback.h
40181 --- linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-19 00:06:34.000000000 -0400
40182 +++ linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-22 19:36:32.000000000 -0400
40183 @@ -27,7 +27,7 @@
40184 */
40185 #define USE_CLEAR_BUFFER_WORKAROUND 1
40186
40187 -extern struct snd_pcm_ops snd_line6_playback_ops;
40188 +extern const struct snd_pcm_ops snd_line6_playback_ops;
40189
40190 extern int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm);
40191 extern int line6_submit_audio_out_all_urbs(struct snd_line6_pcm *line6pcm);
40192 diff -urNp linux-2.6.39.3/drivers/staging/msm/staging-devices.c linux-2.6.39.3/drivers/staging/msm/staging-devices.c
40193 --- linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-19 00:06:34.000000000 -0400
40194 +++ linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-22 19:36:32.000000000 -0400
40195 @@ -211,7 +211,7 @@ static int msm_fb_lcdc_gpio_config(int o
40196 }
40197
40198
40199 -static struct lcdc_platform_data lcdc_pdata = {
40200 +static const struct lcdc_platform_data lcdc_pdata = {
40201 .lcdc_gpio_config = msm_fb_lcdc_gpio_config,
40202 };
40203
40204 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet.c linux-2.6.39.3/drivers/staging/octeon/ethernet.c
40205 --- linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-19 00:06:34.000000000 -0400
40206 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-22 19:36:32.000000000 -0400
40207 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
40208 * since the RX tasklet also increments it.
40209 */
40210 #ifdef CONFIG_64BIT
40211 - atomic64_add(rx_status.dropped_packets,
40212 - (atomic64_t *)&priv->stats.rx_dropped);
40213 + atomic64_add_unchecked(rx_status.dropped_packets,
40214 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40215 #else
40216 - atomic_add(rx_status.dropped_packets,
40217 - (atomic_t *)&priv->stats.rx_dropped);
40218 + atomic_add_unchecked(rx_status.dropped_packets,
40219 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
40220 #endif
40221 }
40222
40223 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c
40224 --- linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-19 00:06:34.000000000 -0400
40225 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-22 19:36:32.000000000 -0400
40226 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
40227 /* Increment RX stats for virtual ports */
40228 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
40229 #ifdef CONFIG_64BIT
40230 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
40231 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
40232 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
40233 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
40234 #else
40235 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
40236 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
40237 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
40238 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
40239 #endif
40240 }
40241 netif_receive_skb(skb);
40242 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
40243 dev->name);
40244 */
40245 #ifdef CONFIG_64BIT
40246 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
40247 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40248 #else
40249 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
40250 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
40251 #endif
40252 dev_kfree_skb_irq(skb);
40253 }
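Review bot: The CONFIG_64BIT branch added in this hunk calls `atomic64_unchecked_add(...)`, while every other 64-bit call site in this patch (the hunk above and ethernet.c) uses `atomic64_add_unchecked(...)`; the name looks transposed. Unless an `atomic64_unchecked_add` is defined elsewhere in the patch, which cannot be seen from here, this would only surface as a build failure when the Octeon driver is compiled with CONFIG_64BIT. The line should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_napi_poll() starts and ends outside the hunk.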
40254 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c
40255 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-19 00:06:34.000000000 -0400
40256 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-22 19:36:32.000000000 -0400
40257 @@ -43,7 +43,7 @@ module_param(noinit, int, 0444);
40258 static int useaa = 1;
40259 module_param(useaa, int, 0444);
40260
40261 -static struct dcon_platform_data *pdata;
40262 +static const struct dcon_platform_data *pdata;
40263
40264 /* I2C structures */
40265
40266 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h
40267 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-19 00:06:34.000000000 -0400
40268 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-22 19:36:32.000000000 -0400
40269 @@ -92,11 +92,11 @@ struct dcon_platform_data {
40270 extern irqreturn_t dcon_interrupt(int irq, void *id);
40271
40272 #ifdef CONFIG_FB_OLPC_DCON_1
40273 -extern struct dcon_platform_data dcon_pdata_xo_1;
40274 +extern const struct dcon_platform_data dcon_pdata_xo_1;
40275 #endif
40276
40277 #ifdef CONFIG_FB_OLPC_DCON_1_5
40278 -extern struct dcon_platform_data dcon_pdata_xo_1_5;
40279 +extern const struct dcon_platform_data dcon_pdata_xo_1_5;
40280 #endif
40281
40282 #endif
40283 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c
40284 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-19 00:06:34.000000000 -0400
40285 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-22 19:36:32.000000000 -0400
40286 @@ -185,7 +185,7 @@ static u8 dcon_read_status_xo_1_5(void)
40287 return status;
40288 }
40289
40290 -struct dcon_platform_data dcon_pdata_xo_1_5 = {
40291 +const struct dcon_platform_data dcon_pdata_xo_1_5 = {
40292 .init = dcon_init_xo_1_5,
40293 .bus_stabilize_wiggle = dcon_wiggle_xo_1_5,
40294 .set_dconload = dcon_set_dconload_xo_1_5,
40295 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c
40296 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-19 00:06:34.000000000 -0400
40297 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-22 19:36:32.000000000 -0400
40298 @@ -196,7 +196,7 @@ static u8 dcon_read_status_xo_1(void)
40299 return status;
40300 }
40301
40302 -struct dcon_platform_data dcon_pdata_xo_1 = {
40303 +const struct dcon_platform_data dcon_pdata_xo_1 = {
40304 .init = dcon_init_xo_1,
40305 .bus_stabilize_wiggle = dcon_wiggle_xo_1,
40306 .set_dconload = dcon_set_dconload_1,
40307 diff -urNp linux-2.6.39.3/drivers/staging/phison/phison.c linux-2.6.39.3/drivers/staging/phison/phison.c
40308 --- linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-19 00:06:34.000000000 -0400
40309 +++ linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-22 19:36:32.000000000 -0400
40310 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40311 ATA_BMDMA_SHT(DRV_NAME),
40312 };
40313
40314 -static struct ata_port_operations phison_ops = {
40315 +static const struct ata_port_operations phison_ops = {
40316 .inherits = &ata_bmdma_port_ops,
40317 .prereset = phison_pre_reset,
40318 };
40319 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/inode.c linux-2.6.39.3/drivers/staging/pohmelfs/inode.c
40320 --- linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-19 00:06:34.000000000 -0400
40321 +++ linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-22 19:36:32.000000000 -0400
40322 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
40323 mutex_init(&psb->mcache_lock);
40324 psb->mcache_root = RB_ROOT;
40325 psb->mcache_timeout = msecs_to_jiffies(5000);
40326 - atomic_long_set(&psb->mcache_gen, 0);
40327 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
40328
40329 psb->trans_max_pages = 100;
40330
40331 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
40332 INIT_LIST_HEAD(&psb->crypto_ready_list);
40333 INIT_LIST_HEAD(&psb->crypto_active_list);
40334
40335 - atomic_set(&psb->trans_gen, 1);
40336 + atomic_set_unchecked(&psb->trans_gen, 1);
40337 atomic_long_set(&psb->total_inodes, 0);
40338
40339 mutex_init(&psb->state_lock);
40340 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c
40341 --- linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-19 00:06:34.000000000 -0400
40342 +++ linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-22 19:36:32.000000000 -0400
40343 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40344 m->data = data;
40345 m->start = start;
40346 m->size = size;
40347 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
40348 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40349
40350 mutex_lock(&psb->mcache_lock);
40351 err = pohmelfs_mcache_insert(psb, m);
40352 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h
40353 --- linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-19 00:06:34.000000000 -0400
40354 +++ linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-22 19:36:32.000000000 -0400
40355 @@ -571,14 +571,14 @@ struct pohmelfs_config;
40356 struct pohmelfs_sb {
40357 struct rb_root mcache_root;
40358 struct mutex mcache_lock;
40359 - atomic_long_t mcache_gen;
40360 + atomic_long_unchecked_t mcache_gen;
40361 unsigned long mcache_timeout;
40362
40363 unsigned int idx;
40364
40365 unsigned int trans_retries;
40366
40367 - atomic_t trans_gen;
40368 + atomic_unchecked_t trans_gen;
40369
40370 unsigned int crypto_attached_size;
40371 unsigned int crypto_align_size;
40372 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/trans.c linux-2.6.39.3/drivers/staging/pohmelfs/trans.c
40373 --- linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-19 00:06:34.000000000 -0400
40374 +++ linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-22 19:36:32.000000000 -0400
40375 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40376 int err;
40377 struct netfs_cmd *cmd = t->iovec.iov_base;
40378
40379 - t->gen = atomic_inc_return(&psb->trans_gen);
40380 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40381
40382 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40383 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40384 diff -urNp linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c
40385 --- linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-19 00:06:34.000000000 -0400
40386 +++ linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-22 19:36:32.000000000 -0400
40387 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
40388 return 0;
40389 }
40390
40391 -static struct seq_operations crypto_seq_ops = {
40392 +static const struct seq_operations crypto_seq_ops = {
40393 .start = c_start,
40394 .next = c_next,
40395 .stop = c_stop,
40396 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
40397 return seq_open(file, &crypto_seq_ops);
40398 }
40399
40400 -static struct file_operations proc_crypto_ops = {
40401 +static const struct file_operations proc_crypto_ops = {
40402 .open = crypto_info_open,
40403 .read = seq_read,
40404 .llseek = seq_lseek,
40405 diff -urNp linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h
40406 --- linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-19 00:06:34.000000000 -0400
40407 +++ linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-22 19:36:32.000000000 -0400
40408 @@ -107,7 +107,7 @@ struct intf_hdl {
40409 void (*intf_hdl_unload)(u8 *priv);
40410 void (*intf_hdl_open)(u8 *priv);
40411 void (*intf_hdl_close)(u8 *priv);
40412 - struct _io_ops io_ops;
40413 + const struct _io_ops io_ops;
40414 };
40415
40416 struct reg_protocol_rd {
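Review bot: Qualifying the embedded `io_ops` member as `const` means the callbacks inside a `struct intf_hdl` can no longer be filled in after the handle exists, except through a cast that defeats the qualifier. The code that populates `io_ops` is not part of this hunk, so whether it writes the function pointers at run time cannot be confirmed from here. If it does, a read-only table is better expressed as a pointer member, `const struct _io_ops *io_ops;`, aimed at a `static const` table. That requires touching the users of the field as well.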
40417 diff -urNp linux-2.6.39.3/drivers/staging/solo6x10/g723.c linux-2.6.39.3/drivers/staging/solo6x10/g723.c
40418 --- linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-19 00:06:34.000000000 -0400
40419 +++ linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-22 19:36:32.000000000 -0400
40420 @@ -237,7 +237,7 @@ static int snd_solo_pcm_copy(struct snd_
40421 return 0;
40422 }
40423
40424 -static struct snd_pcm_ops snd_solo_pcm_ops = {
40425 +static const struct snd_pcm_ops snd_solo_pcm_ops = {
40426 .open = snd_solo_pcm_open,
40427 .close = snd_solo_pcm_close,
40428 .ioctl = snd_pcm_lib_ioctl,
40429 @@ -334,7 +334,7 @@ static int solo_snd_pcm_init(struct solo
40430
40431 int solo_g723_init(struct solo_dev *solo_dev)
40432 {
40433 - static struct snd_device_ops ops = { NULL };
40434 + static const struct snd_device_ops ops = { NULL };
40435 struct snd_card *card;
40436 struct snd_kcontrol_new kctl;
40437 char name[32];
40438 diff -urNp linux-2.6.39.3/drivers/staging/spectra/ffsport.c linux-2.6.39.3/drivers/staging/spectra/ffsport.c
40439 --- linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-19 00:06:34.000000000 -0400
40440 +++ linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-22 19:36:32.000000000 -0400
40441 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
40442 return ret;
40443 }
40444
40445 -static struct block_device_operations GLOB_SBD_ops = {
40446 +static const struct block_device_operations GLOB_SBD_ops = {
40447 .owner = THIS_MODULE,
40448 .open = GLOB_SBD_open,
40449 .release = GLOB_SBD_release,
40450 diff -urNp linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c
40451 --- linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-19 00:06:34.000000000 -0400
40452 +++ linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-22 19:36:32.000000000 -0400
40453 @@ -380,7 +380,7 @@ static snd_pcm_uframes_t snd_tm6000_poin
40454 /*
40455 * operators
40456 */
40457 -static struct snd_pcm_ops snd_tm6000_pcm_ops = {
40458 +static const struct snd_pcm_ops snd_tm6000_pcm_ops = {
40459 .open = snd_tm6000_pcm_open,
40460 .close = snd_tm6000_close,
40461 .ioctl = snd_pcm_lib_ioctl,
40462 diff -urNp linux-2.6.39.3/drivers/staging/tty/istallion.c linux-2.6.39.3/drivers/staging/tty/istallion.c
40463 --- linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-19 00:06:34.000000000 -0400
40464 +++ linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-22 20:49:07.000000000 -0400
40465 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
40466 * re-used for each stats call.
40467 */
40468 static comstats_t stli_comstats;
40469 -static combrd_t stli_brdstats;
40470 static struct asystats stli_cdkstats;
40471
40472 /*****************************************************************************/
40473 @@ -4003,6 +4002,7 @@ out:
40474
40475 static int stli_getbrdstats(combrd_t __user *bp)
40476 {
40477 + combrd_t stli_brdstats;
40478 struct stlibrd *brdp;
40479 unsigned int i;
40480
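Review bot: The new local `combrd_t stli_brdstats;` in stli_getbrdstats has no initialiser, and the function takes a `__user` pointer, so the buffer presumably travels back to user space later in the body, which is outside this hunk. Moving it off the shared static removes the cross-caller reuse, but any field or padding the body does not write would then carry stale kernel stack bytes. Unless the code below already clears it, add `memset(&stli_brdstats, 0, sizeof(stli_brdstats));` before first use. The comment kept above the remaining statics ("re-used for each stats call") no longer describes this buffer.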
40481 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
40482 struct stliport stli_dummyport;
40483 struct stliport *portp;
40484
40485 + pax_track_stack();
40486 +
40487 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
40488 return -EFAULT;
40489 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
40490 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
40491 struct stlibrd stli_dummybrd;
40492 struct stlibrd *brdp;
40493
40494 + pax_track_stack();
40495 +
40496 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
40497 return -EFAULT;
40498 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
40499 diff -urNp linux-2.6.39.3/drivers/staging/tty/stallion.c linux-2.6.39.3/drivers/staging/tty/stallion.c
40500 --- linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-19 00:06:34.000000000 -0400
40501 +++ linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-22 19:36:32.000000000 -0400
40502 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
40503 struct stlport stl_dummyport;
40504 struct stlport *portp;
40505
40506 + pax_track_stack();
40507 +
40508 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
40509 return -EFAULT;
40510 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
40511 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci.h linux-2.6.39.3/drivers/staging/usbip/vhci.h
40512 --- linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-19 00:06:34.000000000 -0400
40513 +++ linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-22 19:36:32.000000000 -0400
40514 @@ -92,7 +92,7 @@ struct vhci_hcd {
40515 unsigned resuming:1;
40516 unsigned long re_timeout;
40517
40518 - atomic_t seqnum;
40519 + atomic_unchecked_t seqnum;
40520
40521 /*
40522 * NOTE:
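Review bot: The `seqnum` field is switched to `atomic_unchecked_t` without a comment saying why it is exempt from overflow detection. The vhci_hcd.c hunks show it used only as a running sequence number, incremented with `atomic_inc_return_unchecked` and logged at 0xffff, which suggests wraparound is tolerated, though that is inferred. A one-line comment on the field would keep a later reader from converting it back or copying the pattern onto a real reference count, for example `/* sequence number, may wrap; not a refcount, so unchecked */`.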
40523 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c
40524 --- linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-19 00:06:34.000000000 -0400
40525 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-22 19:36:32.000000000 -0400
40526 @@ -536,7 +536,7 @@ static void vhci_tx_urb(struct urb *urb)
40527 return;
40528 }
40529
40530 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40531 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40532 if (priv->seqnum == 0xffff)
40533 usbip_uinfo("seqnum max\n");
40534
40535 @@ -795,7 +795,7 @@ static int vhci_urb_dequeue(struct usb_h
40536 return -ENOMEM;
40537 }
40538
40539 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40540 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40541 if (unlink->seqnum == 0xffff)
40542 usbip_uinfo("seqnum max\n");
40543
40544 @@ -992,7 +992,7 @@ static int vhci_start(struct usb_hcd *hc
40545 vdev->rhport = rhport;
40546 }
40547
40548 - atomic_set(&vhci->seqnum, 0);
40549 + atomic_set_unchecked(&vhci->seqnum, 0);
40550 spin_lock_init(&vhci->lock);
40551
40552
40553 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c
40554 --- linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-19 00:06:34.000000000 -0400
40555 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-22 19:36:32.000000000 -0400
40556 @@ -81,7 +81,7 @@ static void vhci_recv_ret_submit(struct
40557 usbip_uerr("cannot find a urb of seqnum %u\n",
40558 pdu->base.seqnum);
40559 usbip_uinfo("max seqnum %d\n",
40560 - atomic_read(&the_controller->seqnum));
40561 + atomic_read_unchecked(&the_controller->seqnum));
40562 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40563 return;
40564 }
40565 diff -urNp linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c
40566 --- linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-19 00:06:34.000000000 -0400
40567 +++ linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-22 19:36:32.000000000 -0400
40568 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
40569 static int __devinit vme_user_probe(struct device *, int, int);
40570 static int __devexit vme_user_remove(struct device *, int, int);
40571
40572 -static struct file_operations vme_user_fops = {
40573 +static const struct file_operations vme_user_fops = {
40574 .open = vme_user_open,
40575 .release = vme_user_release,
40576 .read = vme_user_read,
40577 diff -urNp linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
40578 --- linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-19 00:06:34.000000000 -0400
40579 +++ linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-22 19:36:32.000000000 -0400
40580 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
40581
40582
40583 /*standard block device driver interface */
40584 -static struct block_device_operations cyasblkdev_bdops = {
40585 +static const struct block_device_operations cyasblkdev_bdops = {
40586 .open = cyasblkdev_blk_open,
40587 .release = cyasblkdev_blk_release,
40588 .ioctl = cyasblkdev_blk_ioctl,
40589 diff -urNp linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c
40590 --- linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-19 00:06:34.000000000 -0400
40591 +++ linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-22 19:36:32.000000000 -0400
40592 @@ -474,7 +474,7 @@ static void wl_get_drvinfo(struct net_de
40593 }
40594 } // wl_get_drvinfo
40595
40596 -static struct ethtool_ops wl_ethtool_ops = {
40597 +static const struct ethtool_ops wl_ethtool_ops = {
40598 .get_drvinfo = wl_get_drvinfo,
40599 .get_link = ethtool_op_get_link,
40600 };
40601 diff -urNp linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c
40602 --- linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-19 00:06:34.000000000 -0400
40603 +++ linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-22 19:36:32.000000000 -0400
40604 @@ -671,7 +671,7 @@ struct usbctlx_cmd_completor {
40605 hfa384x_cmdresult_t *result;
40606 };
40607
40608 -static inline int usbctlx_cmd_completor_fn(struct usbctlx_completor *head)
40609 +static inline int usbctlx_cmd_completor_fn(const struct usbctlx_completor *head)
40610 {
40611 struct usbctlx_cmd_completor *complete;
40612
40613 @@ -705,7 +705,7 @@ struct usbctlx_rrid_completor {
40614 unsigned int riddatalen;
40615 };
40616
40617 -static int usbctlx_rrid_completor_fn(struct usbctlx_completor *head)
40618 +static int usbctlx_rrid_completor_fn(const struct usbctlx_completor *head)
40619 {
40620 struct usbctlx_rrid_completor *complete;
40621 hfa384x_rridresult_t rridresult;
40622 @@ -768,7 +768,7 @@ struct usbctlx_rmem_completor {
40623 };
40624 typedef struct usbctlx_rmem_completor usbctlx_rmem_completor_t;
40625
40626 -static int usbctlx_rmem_completor_fn(struct usbctlx_completor *head)
40627 +static int usbctlx_rmem_completor_fn(const struct usbctlx_completor *head)
40628 {
40629 usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;
40630
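Review bot: The `const` added to `head` in usbctlx_rmem_completor_fn is discarded on the very next line by `(usbctlx_rmem_completor_t *) head`, so the qualifier protects nothing inside the function. Provided the body (outside the hunk) does not store into the completor struct itself, the local should carry the qualifier too: `const usbctlx_rmem_completor_t *complete = (const usbctlx_rmem_completor_t *) head;`. The two earlier hunks in this file declare `complete` as a non-const pointer and assign it outside the visible lines, so they probably need the same treatment.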
40631 diff -urNp linux-2.6.39.3/drivers/staging/zcache/tmem.c linux-2.6.39.3/drivers/staging/zcache/tmem.c
40632 --- linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-19 00:06:34.000000000 -0400
40633 +++ linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-22 19:36:32.000000000 -0400
40634 @@ -39,7 +39,7 @@
40635 * A tmem host implementation must use this function to register callbacks
40636 * for memory allocation.
40637 */
40638 -static struct tmem_hostops tmem_hostops;
40639 +static const struct tmem_hostops tmem_hostops;
40640
40641 static void tmem_objnode_tree_init(void);
40642
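Review bot: `tmem_hostops` here and `tmem_pamops` in the next hunk become `const` file-scope objects with no initialiser, yet the comments kept above them say a host registers its callbacks through `tmem_register_hostops()` and `tmem_register_pamops()`, which still take a non-const pointer. The bodies of those functions are outside both hunks. If they copy `*m` into the static, as the comments suggest, that assignment is no longer valid C and the file would not build. Keeping the registered table read-only would need a different shape: storing a `const struct tmem_hostops *` and assigning the pointer, with the users switched to `->`.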
40643 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
40644 * A tmem host implementation must use this function to register
40645 * callbacks for a page-accessible memory (PAM) implementation
40646 */
40647 -static struct tmem_pamops tmem_pamops;
40648 +static const struct tmem_pamops tmem_pamops;
40649
40650 void tmem_register_pamops(struct tmem_pamops *m)
40651 {
40652 diff -urNp linux-2.6.39.3/drivers/staging/zcache/zcache.c linux-2.6.39.3/drivers/staging/zcache/zcache.c
40653 --- linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-19 00:06:34.000000000 -0400
40654 +++ linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-22 19:36:32.000000000 -0400
40655 @@ -882,7 +882,7 @@ static void zcache_obj_free(struct tmem_
40656 kmem_cache_free(zcache_obj_cache, obj);
40657 }
40658
40659 -static struct tmem_hostops zcache_hostops = {
40660 +static const struct tmem_hostops zcache_hostops = {
40661 .obj_alloc = zcache_obj_alloc,
40662 .obj_free = zcache_obj_free,
40663 .objnode_alloc = zcache_objnode_alloc,
40664 @@ -987,7 +987,7 @@ static void zcache_pampd_free(void *pamp
40665 }
40666 }
40667
40668 -static struct tmem_pamops zcache_pamops = {
40669 +static const struct tmem_pamops zcache_pamops = {
40670 .create = zcache_pampd_create,
40671 .get_data = zcache_pampd_get_data,
40672 .free = zcache_pampd_free,
40673 diff -urNp linux-2.6.39.3/drivers/target/target_core_alua.c linux-2.6.39.3/drivers/target/target_core_alua.c
40674 --- linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-19 00:06:34.000000000 -0400
40675 +++ linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-22 19:36:32.000000000 -0400
40676 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
40677 char path[ALUA_METADATA_PATH_LEN];
40678 int len;
40679
40680 + pax_track_stack();
40681 +
40682 memset(path, 0, ALUA_METADATA_PATH_LEN);
40683
40684 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
40685 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
40686 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
40687 int len;
40688
40689 + pax_track_stack();
40690 +
40691 memset(path, 0, ALUA_METADATA_PATH_LEN);
40692 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
40693
40694 diff -urNp linux-2.6.39.3/drivers/target/target_core_cdb.c linux-2.6.39.3/drivers/target/target_core_cdb.c
40695 --- linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-19 00:06:34.000000000 -0400
40696 +++ linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-22 19:36:32.000000000 -0400
40697 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
40698 int length = 0;
40699 unsigned char buf[SE_MODE_PAGE_BUF];
40700
40701 + pax_track_stack();
40702 +
40703 memset(buf, 0, SE_MODE_PAGE_BUF);
40704
40705 switch (cdb[2] & 0x3f) {
40706 diff -urNp linux-2.6.39.3/drivers/target/target_core_configfs.c linux-2.6.39.3/drivers/target/target_core_configfs.c
40707 --- linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-19 00:06:34.000000000 -0400
40708 +++ linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-22 19:36:32.000000000 -0400
40709 @@ -1280,6 +1280,8 @@ static ssize_t target_core_dev_pr_show_a
40710 ssize_t len = 0;
40711 int reg_count = 0, prf_isid;
40712
40713 + pax_track_stack();
40714 +
40715 if (!(su_dev->se_dev_ptr))
40716 return -ENODEV;
40717
40718 @@ -2682,7 +2684,7 @@ static void target_core_alua_drop_tg_pt_
40719 config_item_put(item);
40720 }
40721
40722 -static struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40723 +static const struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40724 .make_group = &target_core_alua_create_tg_pt_gp,
40725 .drop_item = &target_core_alua_drop_tg_pt_gp,
40726 };
40727 @@ -2726,7 +2728,7 @@ static void target_core_stat_rmdir(
40728 return;
40729 }
40730
40731 -static struct configfs_group_operations target_core_stat_group_ops = {
40732 +static const struct configfs_group_operations target_core_stat_group_ops = {
40733 .make_group = &target_core_stat_mkdir,
40734 .drop_item = &target_core_stat_rmdir,
40735 };
40736 @@ -2939,7 +2941,7 @@ static void target_core_drop_subdev(
40737 mutex_unlock(&hba->hba_access_mutex);
40738 }
40739
40740 -static struct configfs_group_operations target_core_hba_group_ops = {
40741 +static const struct configfs_group_operations target_core_hba_group_ops = {
40742 .make_group = target_core_make_subdev,
40743 .drop_item = target_core_drop_subdev,
40744 };
40745 @@ -3117,7 +3119,7 @@ static void target_core_call_delhbafromt
40746 config_item_put(item);
40747 }
40748
40749 -static struct configfs_group_operations target_core_group_ops = {
40750 +static const struct configfs_group_operations target_core_group_ops = {
40751 .make_group = target_core_call_addhbatotarget,
40752 .drop_item = target_core_call_delhbafromtarget,
40753 };
40754 diff -urNp linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c
40755 --- linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-19 00:06:34.000000000 -0400
40756 +++ linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-22 19:36:32.000000000 -0400
40757 @@ -1174,7 +1174,7 @@ static void target_fabric_drop_wwn(
40758 config_item_put(item);
40759 }
40760
40761 -static struct configfs_group_operations target_fabric_wwn_group_ops = {
40762 +static const struct configfs_group_operations target_fabric_wwn_group_ops = {
40763 .make_group = target_fabric_make_wwn,
40764 .drop_item = target_fabric_drop_wwn,
40765 };
40766 diff -urNp linux-2.6.39.3/drivers/target/target_core_pr.c linux-2.6.39.3/drivers/target/target_core_pr.c
40767 --- linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-19 00:06:34.000000000 -0400
40768 +++ linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-22 19:36:32.000000000 -0400
40769 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
40770 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
40771 u16 tpgt;
40772
40773 + pax_track_stack();
40774 +
40775 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
40776 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
40777 /*
40778 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
40779 ssize_t len = 0;
40780 int reg_count = 0;
40781
40782 + pax_track_stack();
40783 +
40784 memset(buf, 0, pr_aptpl_buf_len);
40785 /*
40786 * Called to clear metadata once APTPL has been deactivated.
40787 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
40788 char path[512];
40789 int ret;
40790
40791 + pax_track_stack();
40792 +
40793 memset(iov, 0, sizeof(struct iovec));
40794 memset(path, 0, 512);
40795
40796 diff -urNp linux-2.6.39.3/drivers/target/target_core_tmr.c linux-2.6.39.3/drivers/target/target_core_tmr.c
40797 --- linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:04:14.000000000 -0400
40798 +++ linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:32:07.000000000 -0400
40799 @@ -263,7 +263,7 @@ int core_tmr_lun_reset(
40800 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
40801 T_TASK(cmd)->t_task_cdbs,
40802 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40803 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40804 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40805 atomic_read(&T_TASK(cmd)->t_transport_active),
40806 atomic_read(&T_TASK(cmd)->t_transport_stop),
40807 atomic_read(&T_TASK(cmd)->t_transport_sent));
40808 @@ -305,7 +305,7 @@ int core_tmr_lun_reset(
40809 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
40810 " task: %p, t_fe_count: %d dev: %p\n", task,
40811 fe_count, dev);
40812 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40813 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40814 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
40815 flags);
40816 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40817 @@ -315,7 +315,7 @@ int core_tmr_lun_reset(
40818 }
40819 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
40820 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
40821 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40822 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40823 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
40824 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40825
40826 diff -urNp linux-2.6.39.3/drivers/target/target_core_transport.c linux-2.6.39.3/drivers/target/target_core_transport.c
40827 --- linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:04:14.000000000 -0400
40828 +++ linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:32:07.000000000 -0400
40829 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
40830
40831 dev->queue_depth = dev_limits->queue_depth;
40832 atomic_set(&dev->depth_left, dev->queue_depth);
40833 - atomic_set(&dev->dev_ordered_id, 0);
40834 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
40835
40836 se_dev_set_default_attribs(dev, dev_limits);
40837
40838 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
40839 * Used to determine when ORDERED commands should go from
40840 * Dormant to Active status.
40841 */
40842 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
40843 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
40844 smp_mb__after_atomic_inc();
40845 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
40846 cmd->se_ordered_id, cmd->sam_task_attr,
40847 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
40848 " t_transport_active: %d t_transport_stop: %d"
40849 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
40850 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40851 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40852 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40853 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
40854 atomic_read(&T_TASK(cmd)->t_transport_active),
40855 atomic_read(&T_TASK(cmd)->t_transport_stop),
40856 @@ -2673,9 +2673,9 @@ check_depth:
40857 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
40858 atomic_set(&task->task_active, 1);
40859 atomic_set(&task->task_sent, 1);
40860 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
40861 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
40862
40863 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
40864 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
40865 T_TASK(cmd)->t_task_cdbs)
40866 atomic_set(&cmd->transport_sent, 1);
40867
40868 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
40869 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
40870 }
40871 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
40872 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
40873 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
40874 goto remove;
40875
40876 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
40877 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
40878 {
40879 int ret = 0;
40880
40881 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
40882 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
40883 if (!(send_status) ||
40884 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
40885 return 1;
40886 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
40887 */
40888 if (cmd->data_direction == DMA_TO_DEVICE) {
40889 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
40890 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
40891 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
40892 smp_mb__after_atomic_inc();
40893 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
40894 transport_new_cmd_failure(cmd);
40895 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
40896 CMD_TFO(cmd)->get_task_tag(cmd),
40897 T_TASK(cmd)->t_task_cdbs,
40898 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40899 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40900 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40901 atomic_read(&T_TASK(cmd)->t_transport_active),
40902 atomic_read(&T_TASK(cmd)->t_transport_stop),
40903 atomic_read(&T_TASK(cmd)->t_transport_sent));
40904 diff -urNp linux-2.6.39.3/drivers/telephony/ixj.c linux-2.6.39.3/drivers/telephony/ixj.c
40905 --- linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-19 00:06:34.000000000 -0400
40906 +++ linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-22 19:36:32.000000000 -0400
40907 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40908 bool mContinue;
40909 char *pIn, *pOut;
40910
40911 + pax_track_stack();
40912 +
40913 if (!SCI_Prepare(j))
40914 return 0;
40915
40916 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_console.h linux-2.6.39.3/drivers/tty/hvc/hvc_console.h
40917 --- linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-19 00:06:34.000000000 -0400
40918 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-22 19:36:32.000000000 -0400
40919 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
40920 /* register a vterm for hvc tty operation (module_init or hotplug add) */
40921 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
40922 const struct hv_ops *ops, int outbuf_size);
40923 +
40924 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
40925 extern int hvc_remove(struct hvc_struct *hp);
40926
40927 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c
40928 --- linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-19 00:06:34.000000000 -0400
40929 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-22 19:36:32.000000000 -0400
40930 @@ -1203,7 +1203,7 @@ static int param_get_vmidfilter(char *bu
40931
40932 #define param_check_vmidfilter(name, p) __param_check(name, p, void)
40933
40934 -static struct kernel_param_ops param_ops_vmidfilter = {
40935 +static const struct kernel_param_ops param_ops_vmidfilter = {
40936 .set = param_set_vmidfilter,
40937 .get = param_get_vmidfilter,
40938 };
40939 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvcs.c linux-2.6.39.3/drivers/tty/hvc/hvcs.c
40940 --- linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-19 00:06:34.000000000 -0400
40941 +++ linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-22 19:36:32.000000000 -0400
40942 @@ -83,6 +83,7 @@
40943 #include <asm/hvcserver.h>
40944 #include <asm/uaccess.h>
40945 #include <asm/vio.h>
40946 +#include <asm/local.h>
40947
40948 /*
40949 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
40950 @@ -270,7 +271,7 @@ struct hvcs_struct {
40951 unsigned int index;
40952
40953 struct tty_struct *tty;
40954 - int open_count;
40955 + local_t open_count;
40956
40957 /*
40958 * Used to tell the driver kernel_thread what operations need to take
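Review bot: `open_count` becomes a `local_t` in `struct hvcs_struct` with no comment on what now protects it. As far as I know, `local_t` operations are only guaranteed atomic with respect to the CPU that owns the variable, so the new type alone does not make the counter safe across CPUs. Writers still have to hold `hvcsd->lock`, which the `fast_open` and `hvcs_close()` hunks show being taken; a field comment such as `/* local_t is not SMP-atomic: writers must hold hvcsd->lock */` would record that. The same applies to `open_count` in `struct ipw_tty` in drivers/tty/ipwireless/tty.c, where the hunks for `ipw_write_room()`, `ipw_chars_in_buffer()`, `ipw_tiocmget()`, `ipw_tiocmset()` and `ipw_ioctl()` show the read but no `ipw_tty_mutex`.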
40959 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
40960
40961 spin_lock_irqsave(&hvcsd->lock, flags);
40962
40963 - if (hvcsd->open_count > 0) {
40964 + if (local_read(&hvcsd->open_count) > 0) {
40965 spin_unlock_irqrestore(&hvcsd->lock, flags);
40966 printk(KERN_INFO "HVCS: vterm state unchanged. "
40967 "The hvcs device node is still in use.\n");
40968 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
40969 if ((retval = hvcs_partner_connect(hvcsd)))
40970 goto error_release;
40971
40972 - hvcsd->open_count = 1;
40973 + local_set(&hvcsd->open_count, 1);
40974 hvcsd->tty = tty;
40975 tty->driver_data = hvcsd;
40976
40977 @@ -1179,7 +1180,7 @@ fast_open:
40978
40979 spin_lock_irqsave(&hvcsd->lock, flags);
40980 kref_get(&hvcsd->kref);
40981 - hvcsd->open_count++;
40982 + local_inc(&hvcsd->open_count);
40983 hvcsd->todo_mask |= HVCS_SCHED_READ;
40984 spin_unlock_irqrestore(&hvcsd->lock, flags);
40985
40986 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
40987 hvcsd = tty->driver_data;
40988
40989 spin_lock_irqsave(&hvcsd->lock, flags);
40990 - if (--hvcsd->open_count == 0) {
40991 + if (local_dec_and_test(&hvcsd->open_count)) {
40992
40993 vio_disable_interrupts(hvcsd->vdev);
40994
40995 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
40996 free_irq(irq, hvcsd);
40997 kref_put(&hvcsd->kref, destroy_hvcs_struct);
40998 return;
40999 - } else if (hvcsd->open_count < 0) {
41000 + } else if (local_read(&hvcsd->open_count) < 0) {
41001 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
41002 " is missmanaged.\n",
41003 - hvcsd->vdev->unit_address, hvcsd->open_count);
41004 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
41005 }
41006
41007 spin_unlock_irqrestore(&hvcsd->lock, flags);
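Review bot: `local_read(&hvcsd->open_count)` is passed to a `%d` conversion in the `printk` of the `open_count < 0` branch, but `local_t` wraps a long counter and `local_read()` yields a `long`, so format and argument no longer match on 64-bit builds. Change the specifier to `%ld`, i.e. `"HVCS: vty-server@%X open_count: %ld"`, or cast the argument to `int`. The next hunk assigns the same `long` to `temp_open_count` in `hvcs_hangup()`, whose declaration is outside the hunk; if it is still an `int`, that narrowing deserves the same look. `hvcs_close()` starts and ends outside this hunk.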
41008 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
41009
41010 spin_lock_irqsave(&hvcsd->lock, flags);
41011 /* Preserve this so that we know how many kref refs to put */
41012 - temp_open_count = hvcsd->open_count;
41013 + temp_open_count = local_read(&hvcsd->open_count);
41014
41015 /*
41016 * Don't kref put inside the spinlock because the destruction
41017 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
41018 hvcsd->tty->driver_data = NULL;
41019 hvcsd->tty = NULL;
41020
41021 - hvcsd->open_count = 0;
41022 + local_set(&hvcsd->open_count, 0);
41023
41024 /* This will drop any buffered data on the floor which is OK in a hangup
41025 * scenario. */
41026 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
41027 * the middle of a write operation? This is a crummy place to do this
41028 * but we want to keep it all in the spinlock.
41029 */
41030 - if (hvcsd->open_count <= 0) {
41031 + if (local_read(&hvcsd->open_count) <= 0) {
41032 spin_unlock_irqrestore(&hvcsd->lock, flags);
41033 return -ENODEV;
41034 }
41035 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
41036 {
41037 struct hvcs_struct *hvcsd = tty->driver_data;
41038
41039 - if (!hvcsd || hvcsd->open_count <= 0)
41040 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
41041 return 0;
41042
41043 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
41044 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c
41045 --- linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-19 00:06:34.000000000 -0400
41046 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-22 19:36:32.000000000 -0400
41047 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
41048 return recv;
41049 }
41050
41051 -static struct hv_ops domU_hvc_ops = {
41052 +static const struct hv_ops domU_hvc_ops = {
41053 .get_chars = domU_read_console,
41054 .put_chars = domU_write_console,
41055 .notifier_add = notifier_add_irq,
41056 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
41057 return len;
41058 }
41059
41060 -static struct hv_ops dom0_hvc_ops = {
41061 +static const struct hv_ops dom0_hvc_ops = {
41062 .get_chars = dom0_read_console,
41063 .put_chars = dom0_write_console,
41064 .notifier_add = notifier_add_irq,
41065 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
41066 static int __init xen_hvc_init(void)
41067 {
41068 struct hvc_struct *hp;
41069 - struct hv_ops *ops;
41070 + const struct hv_ops *ops;
41071
41072 if (!xen_pv_domain())
41073 return -ENODEV;
41074 @@ -205,7 +205,7 @@ static void __exit xen_hvc_fini(void)
41075
41076 static int xen_cons_init(void)
41077 {
41078 - struct hv_ops *ops;
41079 + const struct hv_ops *ops;
41080
41081 if (!xen_pv_domain())
41082 return 0;
41083 diff -urNp linux-2.6.39.3/drivers/tty/ipwireless/tty.c linux-2.6.39.3/drivers/tty/ipwireless/tty.c
41084 --- linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-19 00:06:34.000000000 -0400
41085 +++ linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-22 19:36:32.000000000 -0400
41086 @@ -29,6 +29,7 @@
41087 #include <linux/tty_driver.h>
41088 #include <linux/tty_flip.h>
41089 #include <linux/uaccess.h>
41090 +#include <asm/local.h>
41091
41092 #include "tty.h"
41093 #include "network.h"
41094 @@ -51,7 +52,7 @@ struct ipw_tty {
41095 int tty_type;
41096 struct ipw_network *network;
41097 struct tty_struct *linux_tty;
41098 - int open_count;
41099 + local_t open_count;
41100 unsigned int control_lines;
41101 struct mutex ipw_tty_mutex;
41102 int tx_bytes_queued;
41103 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
41104 mutex_unlock(&tty->ipw_tty_mutex);
41105 return -ENODEV;
41106 }
41107 - if (tty->open_count == 0)
41108 + if (local_read(&tty->open_count) == 0)
41109 tty->tx_bytes_queued = 0;
41110
41111 - tty->open_count++;
41112 + local_inc(&tty->open_count);
41113
41114 tty->linux_tty = linux_tty;
41115 linux_tty->driver_data = tty;
41116 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
41117
41118 static void do_ipw_close(struct ipw_tty *tty)
41119 {
41120 - tty->open_count--;
41121 -
41122 - if (tty->open_count == 0) {
41123 + if (local_dec_return(&tty->open_count) == 0) {
41124 struct tty_struct *linux_tty = tty->linux_tty;
41125
41126 if (linux_tty != NULL) {
41127 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
41128 return;
41129
41130 mutex_lock(&tty->ipw_tty_mutex);
41131 - if (tty->open_count == 0) {
41132 + if (local_read(&tty->open_count) == 0) {
41133 mutex_unlock(&tty->ipw_tty_mutex);
41134 return;
41135 }
41136 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
41137 return;
41138 }
41139
41140 - if (!tty->open_count) {
41141 + if (!local_read(&tty->open_count)) {
41142 mutex_unlock(&tty->ipw_tty_mutex);
41143 return;
41144 }
41145 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
41146 return -ENODEV;
41147
41148 mutex_lock(&tty->ipw_tty_mutex);
41149 - if (!tty->open_count) {
41150 + if (!local_read(&tty->open_count)) {
41151 mutex_unlock(&tty->ipw_tty_mutex);
41152 return -EINVAL;
41153 }
41154 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
41155 if (!tty)
41156 return -ENODEV;
41157
41158 - if (!tty->open_count)
41159 + if (!local_read(&tty->open_count))
41160 return -EINVAL;
41161
41162 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
41163 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
41164 if (!tty)
41165 return 0;
41166
41167 - if (!tty->open_count)
41168 + if (!local_read(&tty->open_count))
41169 return 0;
41170
41171 return tty->tx_bytes_queued;
41172 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
41173 if (!tty)
41174 return -ENODEV;
41175
41176 - if (!tty->open_count)
41177 + if (!local_read(&tty->open_count))
41178 return -EINVAL;
41179
41180 return get_control_lines(tty);
41181 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
41182 if (!tty)
41183 return -ENODEV;
41184
41185 - if (!tty->open_count)
41186 + if (!local_read(&tty->open_count))
41187 return -EINVAL;
41188
41189 return set_control_lines(tty, set, clear);
41190 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
41191 if (!tty)
41192 return -ENODEV;
41193
41194 - if (!tty->open_count)
41195 + if (!local_read(&tty->open_count))
41196 return -EINVAL;
41197
41198 /* FIXME: Exactly how is the tty object locked here .. */
41199 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
41200 against a parallel ioctl etc */
41201 mutex_lock(&ttyj->ipw_tty_mutex);
41202 }
41203 - while (ttyj->open_count)
41204 + while (local_read(&ttyj->open_count))
41205 do_ipw_close(ttyj);
41206 ipwireless_disassociate_network_ttys(network,
41207 ttyj->channel_idx);
41208 diff -urNp linux-2.6.39.3/drivers/tty/mxser.c linux-2.6.39.3/drivers/tty/mxser.c
41209 --- linux-2.6.39.3/drivers/tty/mxser.c 2011-05-19 00:06:34.000000000 -0400
41210 +++ linux-2.6.39.3/drivers/tty/mxser.c 2011-05-22 19:36:32.000000000 -0400
41211 @@ -2340,7 +2340,7 @@ static const struct tty_operations mxser
41212 .get_icount = mxser_get_icount,
41213 };
41214
41215 -struct tty_port_operations mxser_port_ops = {
41216 +const struct tty_port_operations mxser_port_ops = {
41217 .carrier_raised = mxser_carrier_raised,
41218 .dtr_rts = mxser_dtr_rts,
41219 .activate = mxser_activate,
41220 diff -urNp linux-2.6.39.3/drivers/tty/n_gsm.c linux-2.6.39.3/drivers/tty/n_gsm.c
41221 --- linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-19 00:06:34.000000000 -0400
41222 +++ linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-22 19:36:32.000000000 -0400
41223 @@ -1588,7 +1588,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
41224 return NULL;
41225 spin_lock_init(&dlci->lock);
41226 dlci->fifo = &dlci->_fifo;
41227 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
41228 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
41229 kfree(dlci);
41230 return NULL;
41231 }
41232 diff -urNp linux-2.6.39.3/drivers/tty/n_tty.c linux-2.6.39.3/drivers/tty/n_tty.c
41233 --- linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-19 00:06:34.000000000 -0400
41234 +++ linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-22 19:36:32.000000000 -0400
41235 @@ -2122,6 +2122,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
41236 {
41237 *ops = tty_ldisc_N_TTY;
41238 ops->owner = NULL;
41239 - ops->refcount = ops->flags = 0;
41240 + atomic_set(&ops->refcount, 0);
41241 + ops->flags = 0;
41242 }
41243 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
41244 diff -urNp linux-2.6.39.3/drivers/tty/pty.c linux-2.6.39.3/drivers/tty/pty.c
41245 --- linux-2.6.39.3/drivers/tty/pty.c 2011-05-19 00:06:34.000000000 -0400
41246 +++ linux-2.6.39.3/drivers/tty/pty.c 2011-05-22 19:36:32.000000000 -0400
41247 @@ -699,7 +699,18 @@ out:
41248 return retval;
41249 }
41250
41251 -static struct file_operations ptmx_fops;
41252 +static const struct file_operations ptmx_fops = {
41253 + .llseek = no_llseek,
41254 + .read = tty_read,
41255 + .write = tty_write,
41256 + .poll = tty_poll,
41257 + .unlocked_ioctl = tty_ioctl,
41258 + .compat_ioctl = tty_compat_ioctl,
41259 + .open = ptmx_open,
41260 + .release = tty_release,
41261 + .fasync = tty_fasync,
41262 +};
41263 +
41264
41265 static void __init unix98_pty_init(void)
41266 {
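Review bot: The new `ptmx_fops` initializer hand-copies the handler table that `tty_default_fops()` used to fill in at init time, so a handler later added to or changed in the tty core's default table will no longer reach `/dev/ptmx` without a matching edit here. A comment above the initializer would flag that coupling: `/* const copy of the tty core's default fops with .open = ptmx_open; keep in sync */`. The initializer also needs `tty_read`, `tty_write`, `tty_poll` and the other handlers to be visible from pty.c, which this hunk does not show. The added `+` blank line leaves two blank lines before `unix98_pty_init()`.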
41267 @@ -752,10 +763,6 @@ static void __init unix98_pty_init(void)
41268
41269 register_sysctl_table(pty_root_table);
41270
41271 - /* Now create the /dev/ptmx special device */
41272 - tty_default_fops(&ptmx_fops);
41273 - ptmx_fops.open = ptmx_open;
41274 -
41275 cdev_init(&ptmx_cdev, &ptmx_fops);
41276 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
41277 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
41278 diff -urNp linux-2.6.39.3/drivers/tty/rocket.c linux-2.6.39.3/drivers/tty/rocket.c
41279 --- linux-2.6.39.3/drivers/tty/rocket.c 2011-05-19 00:06:34.000000000 -0400
41280 +++ linux-2.6.39.3/drivers/tty/rocket.c 2011-05-22 19:36:32.000000000 -0400
41281 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
41282 struct rocket_ports tmp;
41283 int board;
41284
41285 + pax_track_stack();
41286 +
41287 if (!retports)
41288 return -EFAULT;
41289 memset(&tmp, 0, sizeof (tmp));
41290 diff -urNp linux-2.6.39.3/drivers/tty/serial/21285.c linux-2.6.39.3/drivers/tty/serial/21285.c
41291 --- linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-19 00:06:34.000000000 -0400
41292 +++ linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-22 19:36:32.000000000 -0400
41293 @@ -340,7 +340,7 @@ static int serial21285_verify_port(struc
41294 return ret;
41295 }
41296
41297 -static struct uart_ops serial21285_ops = {
41298 +static const struct uart_ops serial21285_ops = {
41299 .tx_empty = serial21285_tx_empty,
41300 .get_mctrl = serial21285_get_mctrl,
41301 .set_mctrl = serial21285_set_mctrl,
41302 diff -urNp linux-2.6.39.3/drivers/tty/serial/8250.c linux-2.6.39.3/drivers/tty/serial/8250.c
41303 --- linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-19 00:06:34.000000000 -0400
41304 +++ linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-22 19:36:32.000000000 -0400
41305 @@ -2708,7 +2708,7 @@ serial8250_type(struct uart_port *port)
41306 return uart_config[type].name;
41307 }
41308
41309 -static struct uart_ops serial8250_pops = {
41310 +static const struct uart_ops serial8250_pops = {
41311 .tx_empty = serial8250_tx_empty,
41312 .set_mctrl = serial8250_set_mctrl,
41313 .get_mctrl = serial8250_get_mctrl,
41314 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c
41315 --- linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-19 00:06:34.000000000 -0400
41316 +++ linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-22 19:36:32.000000000 -0400
41317 @@ -281,7 +281,7 @@ static int altera_jtaguart_verify_port(s
41318 /*
41319 * Define the basic serial functions we support.
41320 */
41321 -static struct uart_ops altera_jtaguart_ops = {
41322 +static const struct uart_ops altera_jtaguart_ops = {
41323 .tx_empty = altera_jtaguart_tx_empty,
41324 .get_mctrl = altera_jtaguart_get_mctrl,
41325 .set_mctrl = altera_jtaguart_set_mctrl,
41326 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_uart.c linux-2.6.39.3/drivers/tty/serial/altera_uart.c
41327 --- linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-19 00:06:34.000000000 -0400
41328 +++ linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-22 19:36:32.000000000 -0400
41329 @@ -380,7 +380,7 @@ static int altera_uart_verify_port(struc
41330 /*
41331 * Define the basic serial functions we support.
41332 */
41333 -static struct uart_ops altera_uart_ops = {
41334 +static const struct uart_ops altera_uart_ops = {
41335 .tx_empty = altera_uart_tx_empty,
41336 .get_mctrl = altera_uart_get_mctrl,
41337 .set_mctrl = altera_uart_set_mctrl,
41338 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl010.c linux-2.6.39.3/drivers/tty/serial/amba-pl010.c
41339 --- linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-19 00:06:34.000000000 -0400
41340 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-22 19:36:32.000000000 -0400
41341 @@ -529,7 +529,7 @@ static int pl010_verify_port(struct uart
41342 return ret;
41343 }
41344
41345 -static struct uart_ops amba_pl010_pops = {
41346 +static const struct uart_ops amba_pl010_pops = {
41347 .tx_empty = pl010_tx_empty,
41348 .set_mctrl = pl010_set_mctrl,
41349 .get_mctrl = pl010_get_mctrl,
41350 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl011.c linux-2.6.39.3/drivers/tty/serial/amba-pl011.c
41351 --- linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-19 00:06:34.000000000 -0400
41352 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-22 19:36:32.000000000 -0400
41353 @@ -1581,7 +1581,7 @@ static int pl010_verify_port(struct uart
41354 return ret;
41355 }
41356
41357 -static struct uart_ops amba_pl011_pops = {
41358 +static const struct uart_ops amba_pl011_pops = {
41359 .tx_empty = pl01x_tx_empty,
41360 .set_mctrl = pl011_set_mctrl,
41361 .get_mctrl = pl01x_get_mctrl,
41362 diff -urNp linux-2.6.39.3/drivers/tty/serial/apbuart.c linux-2.6.39.3/drivers/tty/serial/apbuart.c
41363 --- linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-19 00:06:34.000000000 -0400
41364 +++ linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-22 19:36:32.000000000 -0400
41365 @@ -328,7 +328,7 @@ static int apbuart_verify_port(struct ua
41366 return ret;
41367 }
41368
41369 -static struct uart_ops grlib_apbuart_ops = {
41370 +static const struct uart_ops grlib_apbuart_ops = {
41371 .tx_empty = apbuart_tx_empty,
41372 .set_mctrl = apbuart_set_mctrl,
41373 .get_mctrl = apbuart_get_mctrl,
41374 diff -urNp linux-2.6.39.3/drivers/tty/serial/atmel_serial.c linux-2.6.39.3/drivers/tty/serial/atmel_serial.c
41375 --- linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-19 00:06:34.000000000 -0400
41376 +++ linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-22 19:36:32.000000000 -0400
41377 @@ -1382,7 +1382,7 @@ atmel_ioctl(struct uart_port *port, unsi
41378
41379
41380
41381 -static struct uart_ops atmel_pops = {
41382 +static const struct uart_ops atmel_pops = {
41383 .tx_empty = atmel_tx_empty,
41384 .set_mctrl = atmel_set_mctrl,
41385 .get_mctrl = atmel_get_mctrl,
41386 diff -urNp linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c
41387 --- linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41388 +++ linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41389 @@ -636,7 +636,7 @@ static int bcm_uart_verify_port(struct u
41390 }
41391
41392 /* serial core callbacks */
41393 -static struct uart_ops bcm_uart_ops = {
41394 +static const struct uart_ops bcm_uart_ops = {
41395 .tx_empty = bcm_uart_tx_empty,
41396 .get_mctrl = bcm_uart_get_mctrl,
41397 .set_mctrl = bcm_uart_set_mctrl,
41398 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c
41399 --- linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-19 00:06:34.000000000 -0400
41400 +++ linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-22 19:36:32.000000000 -0400
41401 @@ -1036,7 +1036,7 @@ static int bfin_kgdboc_port_startup(stru
41402 }
41403 #endif
41404
41405 -static struct uart_ops bfin_serial_pops = {
41406 +static const struct uart_ops bfin_serial_pops = {
41407 .tx_empty = bfin_serial_tx_empty,
41408 .set_mctrl = bfin_serial_set_mctrl,
41409 .get_mctrl = bfin_serial_get_mctrl,
41410 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c
41411 --- linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-19 00:06:34.000000000 -0400
41412 +++ linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-22 19:36:32.000000000 -0400
41413 @@ -571,7 +571,7 @@ static void sport_set_termios(struct uar
41414 spin_unlock_irqrestore(&up->port.lock, flags);
41415 }
41416
41417 -struct uart_ops sport_uart_ops = {
41418 +const struct uart_ops sport_uart_ops = {
41419 .tx_empty = sport_tx_empty,
41420 .set_mctrl = sport_set_mctrl,
41421 .get_mctrl = sport_get_mctrl,
41422 diff -urNp linux-2.6.39.3/drivers/tty/serial/clps711x.c linux-2.6.39.3/drivers/tty/serial/clps711x.c
41423 --- linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-19 00:06:34.000000000 -0400
41424 +++ linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-22 19:36:32.000000000 -0400
41425 @@ -380,7 +380,7 @@ static int clps711xuart_request_port(str
41426 return 0;
41427 }
41428
41429 -static struct uart_ops clps711x_pops = {
41430 +static const struct uart_ops clps711x_pops = {
41431 .tx_empty = clps711xuart_tx_empty,
41432 .set_mctrl = clps711xuart_set_mctrl_null,
41433 .get_mctrl = clps711xuart_get_mctrl,
41434 diff -urNp linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c
41435 --- linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-19 00:06:34.000000000 -0400
41436 +++ linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-22 19:36:32.000000000 -0400
41437 @@ -1099,7 +1099,7 @@ static void cpm_put_poll_char(struct uar
41438 }
41439 #endif /* CONFIG_CONSOLE_POLL */
41440
41441 -static struct uart_ops cpm_uart_pops = {
41442 +static const struct uart_ops cpm_uart_pops = {
41443 .tx_empty = cpm_uart_tx_empty,
41444 .set_mctrl = cpm_uart_set_mctrl,
41445 .get_mctrl = cpm_uart_get_mctrl,
41446 diff -urNp linux-2.6.39.3/drivers/tty/serial/dz.c linux-2.6.39.3/drivers/tty/serial/dz.c
41447 --- linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-19 00:06:34.000000000 -0400
41448 +++ linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-22 19:36:32.000000000 -0400
41449 @@ -746,7 +746,7 @@ static int dz_verify_port(struct uart_po
41450 return ret;
41451 }
41452
41453 -static struct uart_ops dz_ops = {
41454 +static const struct uart_ops dz_ops = {
41455 .tx_empty = dz_tx_empty,
41456 .get_mctrl = dz_get_mctrl,
41457 .set_mctrl = dz_set_mctrl,
41458 diff -urNp linux-2.6.39.3/drivers/tty/serial/imx.c linux-2.6.39.3/drivers/tty/serial/imx.c
41459 --- linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-19 00:06:34.000000000 -0400
41460 +++ linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-22 19:36:32.000000000 -0400
41461 @@ -1018,7 +1018,7 @@ imx_verify_port(struct uart_port *port,
41462 return ret;
41463 }
41464
41465 -static struct uart_ops imx_pops = {
41466 +static const struct uart_ops imx_pops = {
41467 .tx_empty = imx_tx_empty,
41468 .set_mctrl = imx_set_mctrl,
41469 .get_mctrl = imx_get_mctrl,
41470 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c
41471 --- linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-19 00:06:34.000000000 -0400
41472 +++ linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-22 19:36:32.000000000 -0400
41473 @@ -1874,7 +1874,7 @@ static int ic3_request_port(struct uart_
41474 }
41475
41476 /* Associate the uart functions above - given to serial core */
41477 -static struct uart_ops ioc3_ops = {
41478 +static const struct uart_ops ioc3_ops = {
41479 .tx_empty = ic3_tx_empty,
41480 .set_mctrl = ic3_set_mctrl,
41481 .get_mctrl = ic3_get_mctrl,
41482 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c
41483 --- linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-19 00:06:34.000000000 -0400
41484 +++ linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-22 19:36:32.000000000 -0400
41485 @@ -2593,7 +2593,7 @@ static int ic4_request_port(struct uart_
41486
41487 /* Associate the uart functions above - given to serial core */
41488
41489 -static struct uart_ops ioc4_ops = {
41490 +static const struct uart_ops ioc4_ops = {
41491 .tx_empty = ic4_tx_empty,
41492 .set_mctrl = ic4_set_mctrl,
41493 .get_mctrl = ic4_get_mctrl,
41494 diff -urNp linux-2.6.39.3/drivers/tty/serial/ip22zilog.c linux-2.6.39.3/drivers/tty/serial/ip22zilog.c
41495 --- linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-19 00:06:34.000000000 -0400
41496 +++ linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-22 19:36:32.000000000 -0400
41497 @@ -928,7 +928,7 @@ static int ip22zilog_verify_port(struct
41498 return -EINVAL;
41499 }
41500
41501 -static struct uart_ops ip22zilog_pops = {
41502 +static const struct uart_ops ip22zilog_pops = {
41503 .tx_empty = ip22zilog_tx_empty,
41504 .set_mctrl = ip22zilog_set_mctrl,
41505 .get_mctrl = ip22zilog_get_mctrl,
41506 diff -urNp linux-2.6.39.3/drivers/tty/serial/kgdboc.c linux-2.6.39.3/drivers/tty/serial/kgdboc.c
41507 --- linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-19 00:06:34.000000000 -0400
41508 +++ linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-22 19:36:32.000000000 -0400
41509 @@ -22,7 +22,7 @@
41510
41511 #define MAX_CONFIG_LEN 40
41512
41513 -static struct kgdb_io kgdboc_io_ops;
41514 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
41515
41516 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
41517 static int configured = -1;
41518 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
41519 kgdboc_restore_input();
41520 }
41521
41522 -static struct kgdb_io kgdboc_io_ops = {
41523 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
41524 .name = "kgdboc",
41525 .read_char = kgdboc_get_char,
41526 .write_char = kgdboc_put_char,
41527 diff -urNp linux-2.6.39.3/drivers/tty/serial/m32r_sio.c linux-2.6.39.3/drivers/tty/serial/m32r_sio.c
41528 --- linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-19 00:06:34.000000000 -0400
41529 +++ linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-22 19:36:32.000000000 -0400
41530 @@ -939,7 +939,7 @@ m32r_sio_type(struct uart_port *port)
41531 return uart_config[type].name;
41532 }
41533
41534 -static struct uart_ops m32r_sio_pops = {
41535 +static const struct uart_ops m32r_sio_pops = {
41536 .tx_empty = m32r_sio_tx_empty,
41537 .set_mctrl = m32r_sio_set_mctrl,
41538 .get_mctrl = m32r_sio_get_mctrl,
41539 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3100.c linux-2.6.39.3/drivers/tty/serial/max3100.c
41540 --- linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-19 00:06:34.000000000 -0400
41541 +++ linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-22 19:36:32.000000000 -0400
41542 @@ -710,7 +710,7 @@ static void max3100_break_ctl(struct uar
41543 dev_dbg(&s->spi->dev, "%s\n", __func__);
41544 }
41545
41546 -static struct uart_ops max3100_ops = {
41547 +static const struct uart_ops max3100_ops = {
41548 .tx_empty = max3100_tx_empty,
41549 .set_mctrl = max3100_set_mctrl,
41550 .get_mctrl = max3100_get_mctrl,
41551 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3107.c linux-2.6.39.3/drivers/tty/serial/max3107.c
41552 --- linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-19 00:06:34.000000000 -0400
41553 +++ linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-22 19:36:32.000000000 -0400
41554 @@ -910,7 +910,7 @@ static void max3107_break_ctl(struct uar
41555
41556
41557 /* Port functions */
41558 -static struct uart_ops max3107_ops = {
41559 +static const struct uart_ops max3107_ops = {
41560 .tx_empty = max3107_tx_empty,
41561 .set_mctrl = max3107_set_mctrl,
41562 .get_mctrl = max3107_get_mctrl,
41563 diff -urNp linux-2.6.39.3/drivers/tty/serial/mfd.c linux-2.6.39.3/drivers/tty/serial/mfd.c
41564 --- linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-19 00:06:34.000000000 -0400
41565 +++ linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-22 19:36:32.000000000 -0400
41566 @@ -1178,7 +1178,7 @@ static struct console serial_hsu_console
41567 };
41568 #endif
41569
41570 -struct uart_ops serial_hsu_pops = {
41571 +const struct uart_ops serial_hsu_pops = {
41572 .tx_empty = serial_hsu_tx_empty,
41573 .set_mctrl = serial_hsu_set_mctrl,
41574 .get_mctrl = serial_hsu_get_mctrl,
41575 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c
41576 --- linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41577 +++ linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41578 @@ -283,7 +283,7 @@ static irqreturn_t mpc52xx_psc_handle_ir
41579 return mpc5xxx_uart_process_int(port);
41580 }
41581
41582 -static struct psc_ops mpc52xx_psc_ops = {
41583 +static const struct psc_ops mpc52xx_psc_ops = {
41584 .fifo_init = mpc52xx_psc_fifo_init,
41585 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41586 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41587 @@ -304,7 +304,7 @@ static struct psc_ops mpc52xx_psc_ops =
41588 .handle_irq = mpc52xx_psc_handle_irq,
41589 };
41590
41591 -static struct psc_ops mpc5200b_psc_ops = {
41592 +static const struct psc_ops mpc5200b_psc_ops = {
41593 .fifo_init = mpc52xx_psc_fifo_init,
41594 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41595 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41596 @@ -571,7 +571,7 @@ static void mpc512x_psc_get_irq(struct u
41597 port->irq = psc_fifoc_irq;
41598 }
41599
41600 -static struct psc_ops mpc512x_psc_ops = {
41601 +static const struct psc_ops mpc512x_psc_ops = {
41602 .fifo_init = mpc512x_psc_fifo_init,
41603 .raw_rx_rdy = mpc512x_psc_raw_rx_rdy,
41604 .raw_tx_rdy = mpc512x_psc_raw_tx_rdy,
41605 @@ -596,7 +596,7 @@ static struct psc_ops mpc512x_psc_ops =
41606 };
41607 #endif
41608
41609 -static struct psc_ops *psc_ops;
41610 +static const struct psc_ops *psc_ops;
41611
41612 /* ======================================================================== */
41613 /* UART operations */
41614 @@ -905,7 +905,7 @@ mpc52xx_uart_verify_port(struct uart_por
41615 }
41616
41617
41618 -static struct uart_ops mpc52xx_uart_ops = {
41619 +static const struct uart_ops mpc52xx_uart_ops = {
41620 .tx_empty = mpc52xx_uart_tx_empty,
41621 .set_mctrl = mpc52xx_uart_set_mctrl,
41622 .get_mctrl = mpc52xx_uart_get_mctrl,
41623 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpsc.c linux-2.6.39.3/drivers/tty/serial/mpsc.c
41624 --- linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-19 00:06:34.000000000 -0400
41625 +++ linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-22 19:36:32.000000000 -0400
41626 @@ -1663,7 +1663,7 @@ static void mpsc_put_poll_char(struct ua
41627 }
41628 #endif
41629
41630 -static struct uart_ops mpsc_pops = {
41631 +static const struct uart_ops mpsc_pops = {
41632 .tx_empty = mpsc_tx_empty,
41633 .set_mctrl = mpsc_set_mctrl,
41634 .get_mctrl = mpsc_get_mctrl,
41635 diff -urNp linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c
41636 --- linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-19 00:06:34.000000000 -0400
41637 +++ linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-22 19:36:32.000000000 -0400
41638 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
41639 int loop = 1, num, total = 0;
41640 u8 recv_buf[512], *pbuf;
41641
41642 + pax_track_stack();
41643 +
41644 pbuf = recv_buf;
41645 do {
41646 num = max3110_read_multi(max, pbuf);
41647 @@ -726,7 +728,7 @@ static void serial_m3110_enable_ms(struc
41648 {
41649 }
41650
41651 -struct uart_ops serial_m3110_ops = {
41652 +const struct uart_ops serial_m3110_ops = {
41653 .tx_empty = serial_m3110_tx_empty,
41654 .set_mctrl = serial_m3110_set_mctrl,
41655 .get_mctrl = serial_m3110_get_mctrl,
41656 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial.c linux-2.6.39.3/drivers/tty/serial/msm_serial.c
41657 --- linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-19 00:06:34.000000000 -0400
41658 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-22 19:36:32.000000000 -0400
41659 @@ -702,7 +702,7 @@ static void msm_power(struct uart_port *
41660 }
41661 }
41662
41663 -static struct uart_ops msm_uart_pops = {
41664 +static const struct uart_ops msm_uart_pops = {
41665 .tx_empty = msm_tx_empty,
41666 .set_mctrl = msm_set_mctrl,
41667 .get_mctrl = msm_get_mctrl,
41668 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c
41669 --- linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-19 00:06:34.000000000 -0400
41670 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-22 19:36:32.000000000 -0400
41671 @@ -360,7 +360,7 @@ struct msm_hs_port {
41672 static struct msm_hs_port q_uart_port[UARTDM_NR];
41673 static struct platform_driver msm_serial_hs_platform_driver;
41674 static struct uart_driver msm_hs_driver;
41675 -static struct uart_ops msm_hs_ops;
41676 +static const struct uart_ops msm_hs_ops;
41677 static struct workqueue_struct *msm_hs_workqueue;
41678
41679 #define UARTDM_TO_MSM(uart_port) \
41680 @@ -1856,7 +1856,7 @@ static struct uart_driver msm_hs_driver
41681 .cons = 0,
41682 };
41683
41684 -static struct uart_ops msm_hs_ops = {
41685 +static const struct uart_ops msm_hs_ops = {
41686 .tx_empty = msm_hs_tx_empty,
41687 .set_mctrl = msm_hs_set_mctrl_locked,
41688 .get_mctrl = msm_hs_get_mctrl_locked,
41689 diff -urNp linux-2.6.39.3/drivers/tty/serial/mux.c linux-2.6.39.3/drivers/tty/serial/mux.c
41690 --- linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-19 00:06:34.000000000 -0400
41691 +++ linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-22 19:36:32.000000000 -0400
41692 @@ -442,7 +442,7 @@ static struct console mux_console = {
41693 #define MUX_CONSOLE NULL
41694 #endif
41695
41696 -static struct uart_ops mux_pops = {
41697 +static const struct uart_ops mux_pops = {
41698 .tx_empty = mux_tx_empty,
41699 .set_mctrl = mux_set_mctrl,
41700 .get_mctrl = mux_get_mctrl,
41701 diff -urNp linux-2.6.39.3/drivers/tty/serial/mxs-auart.c linux-2.6.39.3/drivers/tty/serial/mxs-auart.c
41702 --- linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-19 00:06:34.000000000 -0400
41703 +++ linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-22 19:36:32.000000000 -0400
41704 @@ -499,7 +499,7 @@ static void mxs_auart_enable_ms(struct u
41705 /* just empty */
41706 }
41707
41708 -static struct uart_ops mxs_auart_ops = {
41709 +static const struct uart_ops mxs_auart_ops = {
41710 .tx_empty = mxs_auart_tx_empty,
41711 .start_tx = mxs_auart_start_tx,
41712 .stop_tx = mxs_auart_stop_tx,
41713 diff -urNp linux-2.6.39.3/drivers/tty/serial/netx-serial.c linux-2.6.39.3/drivers/tty/serial/netx-serial.c
41714 --- linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-19 00:06:34.000000000 -0400
41715 +++ linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-22 19:36:32.000000000 -0400
41716 @@ -464,7 +464,7 @@ netx_verify_port(struct uart_port *port,
41717 return ret;
41718 }
41719
41720 -static struct uart_ops netx_pops = {
41721 +static const struct uart_ops netx_pops = {
41722 .tx_empty = netx_tx_empty,
41723 .set_mctrl = netx_set_mctrl,
41724 .get_mctrl = netx_get_mctrl,
41725 diff -urNp linux-2.6.39.3/drivers/tty/serial/nwpserial.c linux-2.6.39.3/drivers/tty/serial/nwpserial.c
41726 --- linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-19 00:06:34.000000000 -0400
41727 +++ linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-22 19:36:32.000000000 -0400
41728 @@ -303,7 +303,7 @@ static unsigned int nwpserial_tx_empty(s
41729 return ret & UART_LSR_TEMT ? TIOCSER_TEMT : 0;
41730 }
41731
41732 -static struct uart_ops nwpserial_pops = {
41733 +static const struct uart_ops nwpserial_pops = {
41734 .tx_empty = nwpserial_tx_empty,
41735 .set_mctrl = nwpserial_set_mctrl,
41736 .get_mctrl = nwpserial_get_mctrl,
41737 diff -urNp linux-2.6.39.3/drivers/tty/serial/omap-serial.c linux-2.6.39.3/drivers/tty/serial/omap-serial.c
41738 --- linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-19 00:06:34.000000000 -0400
41739 +++ linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-22 19:36:32.000000000 -0400
41740 @@ -1029,7 +1029,7 @@ static inline void serial_omap_add_conso
41741
41742 #endif
41743
41744 -static struct uart_ops serial_omap_pops = {
41745 +static const struct uart_ops serial_omap_pops = {
41746 .tx_empty = serial_omap_tx_empty,
41747 .set_mctrl = serial_omap_set_mctrl,
41748 .get_mctrl = serial_omap_get_mctrl,
41749 diff -urNp linux-2.6.39.3/drivers/tty/serial/pch_uart.c linux-2.6.39.3/drivers/tty/serial/pch_uart.c
41750 --- linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:18:51.000000000 -0400
41751 +++ linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:19:18.000000000 -0400
41752 @@ -1351,7 +1351,7 @@ static int pch_uart_verify_port(struct u
41753 return 0;
41754 }
41755
41756 -static struct uart_ops pch_uart_ops = {
41757 +static const struct uart_ops pch_uart_ops = {
41758 .tx_empty = pch_uart_tx_empty,
41759 .set_mctrl = pch_uart_set_mctrl,
41760 .get_mctrl = pch_uart_get_mctrl,
41761 diff -urNp linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c
41762 --- linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-19 00:06:34.000000000 -0400
41763 +++ linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-22 19:36:32.000000000 -0400
41764 @@ -1427,7 +1427,7 @@ static void pmz_poll_put_char(struct uar
41765
41766 #endif /* CONFIG_CONSOLE_POLL */
41767
41768 -static struct uart_ops pmz_pops = {
41769 +static const struct uart_ops pmz_pops = {
41770 .tx_empty = pmz_tx_empty,
41771 .set_mctrl = pmz_set_mctrl,
41772 .get_mctrl = pmz_get_mctrl,
41773 diff -urNp linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c
41774 --- linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-19 00:06:34.000000000 -0400
41775 +++ linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-22 19:36:32.000000000 -0400
41776 @@ -614,7 +614,7 @@ pnx8xxx_verify_port(struct uart_port *po
41777 return ret;
41778 }
41779
41780 -static struct uart_ops pnx8xxx_pops = {
41781 +static const struct uart_ops pnx8xxx_pops = {
41782 .tx_empty = pnx8xxx_tx_empty,
41783 .set_mctrl = pnx8xxx_set_mctrl,
41784 .get_mctrl = pnx8xxx_get_mctrl,
41785 diff -urNp linux-2.6.39.3/drivers/tty/serial/pxa.c linux-2.6.39.3/drivers/tty/serial/pxa.c
41786 --- linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-19 00:06:34.000000000 -0400
41787 +++ linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-22 19:36:32.000000000 -0400
41788 @@ -706,7 +706,7 @@ static struct console serial_pxa_console
41789 #define PXA_CONSOLE NULL
41790 #endif
41791
41792 -struct uart_ops serial_pxa_pops = {
41793 +const struct uart_ops serial_pxa_pops = {
41794 .tx_empty = serial_pxa_tx_empty,
41795 .set_mctrl = serial_pxa_set_mctrl,
41796 .get_mctrl = serial_pxa_get_mctrl,
41797 diff -urNp linux-2.6.39.3/drivers/tty/serial/sa1100.c linux-2.6.39.3/drivers/tty/serial/sa1100.c
41798 --- linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-19 00:06:34.000000000 -0400
41799 +++ linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-22 19:36:32.000000000 -0400
41800 @@ -577,7 +577,7 @@ sa1100_verify_port(struct uart_port *por
41801 return ret;
41802 }
41803
41804 -static struct uart_ops sa1100_pops = {
41805 +static const struct uart_ops sa1100_pops = {
41806 .tx_empty = sa1100_tx_empty,
41807 .set_mctrl = sa1100_set_mctrl,
41808 .get_mctrl = sa1100_get_mctrl,
41809 diff -urNp linux-2.6.39.3/drivers/tty/serial/samsung.c linux-2.6.39.3/drivers/tty/serial/samsung.c
41810 --- linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-19 00:06:34.000000000 -0400
41811 +++ linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-22 19:36:32.000000000 -0400
41812 @@ -860,7 +860,7 @@ static struct console s3c24xx_serial_con
41813 #define S3C24XX_SERIAL_CONSOLE NULL
41814 #endif
41815
41816 -static struct uart_ops s3c24xx_serial_ops = {
41817 +static const struct uart_ops s3c24xx_serial_ops = {
41818 .pm = s3c24xx_serial_pm,
41819 .tx_empty = s3c24xx_serial_tx_empty,
41820 .get_mctrl = s3c24xx_serial_get_mctrl,
41821 diff -urNp linux-2.6.39.3/drivers/tty/serial/sc26xx.c linux-2.6.39.3/drivers/tty/serial/sc26xx.c
41822 --- linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-19 00:06:34.000000000 -0400
41823 +++ linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-22 19:36:32.000000000 -0400
41824 @@ -515,7 +515,7 @@ static int sc26xx_verify_port(struct uar
41825 return -EINVAL;
41826 }
41827
41828 -static struct uart_ops sc26xx_ops = {
41829 +static const struct uart_ops sc26xx_ops = {
41830 .tx_empty = sc26xx_tx_empty,
41831 .set_mctrl = sc26xx_set_mctrl,
41832 .get_mctrl = sc26xx_get_mctrl,
41833 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c
41834 --- linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-19 00:06:34.000000000 -0400
41835 +++ linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-22 19:36:32.000000000 -0400
41836 @@ -528,7 +528,7 @@ static int ks8695uart_verify_port(struct
41837 return ret;
41838 }
41839
41840 -static struct uart_ops ks8695uart_pops = {
41841 +static const struct uart_ops ks8695uart_pops = {
41842 .tx_empty = ks8695uart_tx_empty,
41843 .set_mctrl = ks8695uart_set_mctrl,
41844 .get_mctrl = ks8695uart_get_mctrl,
41845 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_txx9.c linux-2.6.39.3/drivers/tty/serial/serial_txx9.c
41846 --- linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-19 00:06:34.000000000 -0400
41847 +++ linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-22 19:36:32.000000000 -0400
41848 @@ -857,7 +857,7 @@ serial_txx9_type(struct uart_port *port)
41849 return "txx9";
41850 }
41851
41852 -static struct uart_ops serial_txx9_pops = {
41853 +static const struct uart_ops serial_txx9_pops = {
41854 .tx_empty = serial_txx9_tx_empty,
41855 .set_mctrl = serial_txx9_set_mctrl,
41856 .get_mctrl = serial_txx9_get_mctrl,
41857 diff -urNp linux-2.6.39.3/drivers/tty/serial/sn_console.c linux-2.6.39.3/drivers/tty/serial/sn_console.c
41858 --- linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-19 00:06:34.000000000 -0400
41859 +++ linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-22 19:36:32.000000000 -0400
41860 @@ -388,7 +388,7 @@ static void snp_config_port(struct uart_
41861
41862 /* Associate the uart functions above - given to serial core */
41863
41864 -static struct uart_ops sn_console_ops = {
41865 +static const struct uart_ops sn_console_ops = {
41866 .tx_empty = snp_tx_empty,
41867 .set_mctrl = snp_set_mctrl,
41868 .get_mctrl = snp_get_mctrl,
41869 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunhv.c linux-2.6.39.3/drivers/tty/serial/sunhv.c
41870 --- linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-19 00:06:34.000000000 -0400
41871 +++ linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-22 19:36:32.000000000 -0400
41872 @@ -168,12 +168,12 @@ struct sunhv_ops {
41873 int (*receive_chars)(struct uart_port *port, struct tty_struct *tty);
41874 };
41875
41876 -static struct sunhv_ops bychar_ops = {
41877 +static const struct sunhv_ops bychar_ops = {
41878 .transmit_chars = transmit_chars_putchar,
41879 .receive_chars = receive_chars_getchar,
41880 };
41881
41882 -static struct sunhv_ops bywrite_ops = {
41883 +static const struct sunhv_ops bywrite_ops = {
41884 .transmit_chars = transmit_chars_write,
41885 .receive_chars = receive_chars_read,
41886 };
41887 @@ -370,7 +370,7 @@ static int sunhv_verify_port(struct uart
41888 return -EINVAL;
41889 }
41890
41891 -static struct uart_ops sunhv_pops = {
41892 +static const struct uart_ops sunhv_pops = {
41893 .tx_empty = sunhv_tx_empty,
41894 .set_mctrl = sunhv_set_mctrl,
41895 .get_mctrl = sunhv_get_mctrl,
41896 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsab.c linux-2.6.39.3/drivers/tty/serial/sunsab.c
41897 --- linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-19 00:06:34.000000000 -0400
41898 +++ linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-22 19:36:32.000000000 -0400
41899 @@ -804,7 +804,7 @@ static int sunsab_verify_port(struct uar
41900 return -EINVAL;
41901 }
41902
41903 -static struct uart_ops sunsab_pops = {
41904 +static const struct uart_ops sunsab_pops = {
41905 .tx_empty = sunsab_tx_empty,
41906 .set_mctrl = sunsab_set_mctrl,
41907 .get_mctrl = sunsab_get_mctrl,
41908 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsu.c linux-2.6.39.3/drivers/tty/serial/sunsu.c
41909 --- linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-19 00:06:34.000000000 -0400
41910 +++ linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-22 19:36:32.000000000 -0400
41911 @@ -946,7 +946,7 @@ sunsu_type(struct uart_port *port)
41912 return uart_config[type].name;
41913 }
41914
41915 -static struct uart_ops sunsu_pops = {
41916 +static const struct uart_ops sunsu_pops = {
41917 .tx_empty = sunsu_tx_empty,
41918 .set_mctrl = sunsu_set_mctrl,
41919 .get_mctrl = sunsu_get_mctrl,
41920 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunzilog.c linux-2.6.39.3/drivers/tty/serial/sunzilog.c
41921 --- linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-19 00:06:34.000000000 -0400
41922 +++ linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-22 19:36:32.000000000 -0400
41923 @@ -1042,7 +1042,7 @@ static void sunzilog_put_poll_char(struc
41924 }
41925 #endif /* CONFIG_CONSOLE_POLL */
41926
41927 -static struct uart_ops sunzilog_pops = {
41928 +static const struct uart_ops sunzilog_pops = {
41929 .tx_empty = sunzilog_tx_empty,
41930 .set_mctrl = sunzilog_set_mctrl,
41931 .get_mctrl = sunzilog_get_mctrl,
41932 diff -urNp linux-2.6.39.3/drivers/tty/serial/timbuart.c linux-2.6.39.3/drivers/tty/serial/timbuart.c
41933 --- linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-19 00:06:34.000000000 -0400
41934 +++ linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-22 19:36:32.000000000 -0400
41935 @@ -394,7 +394,7 @@ static int timbuart_verify_port(struct u
41936 return -EINVAL;
41937 }
41938
41939 -static struct uart_ops timbuart_ops = {
41940 +static const struct uart_ops timbuart_ops = {
41941 .tx_empty = timbuart_tx_empty,
41942 .set_mctrl = timbuart_set_mctrl,
41943 .get_mctrl = timbuart_get_mctrl,
41944 diff -urNp linux-2.6.39.3/drivers/tty/serial/uartlite.c linux-2.6.39.3/drivers/tty/serial/uartlite.c
41945 --- linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-19 00:06:34.000000000 -0400
41946 +++ linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-22 19:36:32.000000000 -0400
41947 @@ -331,7 +331,7 @@ static void ulite_put_poll_char(struct u
41948 }
41949 #endif
41950
41951 -static struct uart_ops ulite_ops = {
41952 +static const struct uart_ops ulite_ops = {
41953 .tx_empty = ulite_tx_empty,
41954 .set_mctrl = ulite_set_mctrl,
41955 .get_mctrl = ulite_get_mctrl,
41956 diff -urNp linux-2.6.39.3/drivers/tty/serial/ucc_uart.c linux-2.6.39.3/drivers/tty/serial/ucc_uart.c
41957 --- linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-19 00:06:34.000000000 -0400
41958 +++ linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-22 19:36:32.000000000 -0400
41959 @@ -1088,7 +1088,7 @@ static int qe_uart_verify_port(struct ua
41960 *
41961 * Details on these functions can be found in Documentation/serial/driver
41962 */
41963 -static struct uart_ops qe_uart_pops = {
41964 +static const struct uart_ops qe_uart_pops = {
41965 .tx_empty = qe_uart_tx_empty,
41966 .set_mctrl = qe_uart_set_mctrl,
41967 .get_mctrl = qe_uart_get_mctrl,
41968 diff -urNp linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c
41969 --- linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-19 00:06:34.000000000 -0400
41970 +++ linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-22 19:36:32.000000000 -0400
41971 @@ -683,7 +683,7 @@ static int siu_verify_port(struct uart_p
41972 return 0;
41973 }
41974
41975 -static struct uart_ops siu_uart_ops = {
41976 +static const struct uart_ops siu_uart_ops = {
41977 .tx_empty = siu_tx_empty,
41978 .set_mctrl = siu_set_mctrl,
41979 .get_mctrl = siu_get_mctrl,
41980 diff -urNp linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c
41981 --- linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-19 00:06:34.000000000 -0400
41982 +++ linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-22 19:36:32.000000000 -0400
41983 @@ -519,7 +519,7 @@ static struct console vt8500_console = {
41984 #define VT8500_CONSOLE NULL
41985 #endif
41986
41987 -static struct uart_ops vt8500_uart_pops = {
41988 +static const struct uart_ops vt8500_uart_pops = {
41989 .tx_empty = vt8500_tx_empty,
41990 .set_mctrl = vt8500_set_mctrl,
41991 .get_mctrl = vt8500_get_mctrl,
41992 diff -urNp linux-2.6.39.3/drivers/tty/serial/zs.c linux-2.6.39.3/drivers/tty/serial/zs.c
41993 --- linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-19 00:06:34.000000000 -0400
41994 +++ linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-22 19:36:32.000000000 -0400
41995 @@ -1044,7 +1044,7 @@ static int zs_verify_port(struct uart_po
41996 }
41997
41998
41999 -static struct uart_ops zs_ops = {
42000 +static const struct uart_ops zs_ops = {
42001 .tx_empty = zs_tx_empty,
42002 .set_mctrl = zs_set_mctrl,
42003 .get_mctrl = zs_get_mctrl,
42004 diff -urNp linux-2.6.39.3/drivers/tty/tty_io.c linux-2.6.39.3/drivers/tty/tty_io.c
42005 --- linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-19 00:06:34.000000000 -0400
42006 +++ linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-22 19:36:32.000000000 -0400
42007 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
42008 /* Spinlock to protect the tty->tty_files list */
42009 DEFINE_SPINLOCK(tty_files_lock);
42010
42011 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
42012 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
42013 ssize_t redirected_tty_write(struct file *, const char __user *,
42014 size_t, loff_t *);
42015 -static unsigned int tty_poll(struct file *, poll_table *);
42016 static int tty_open(struct inode *, struct file *);
42017 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
42018 -#ifdef CONFIG_COMPAT
42019 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42020 - unsigned long arg);
42021 -#else
42022 -#define tty_compat_ioctl NULL
42023 -#endif
42024 static int __tty_fasync(int fd, struct file *filp, int on);
42025 -static int tty_fasync(int fd, struct file *filp, int on);
42026 static void release_tty(struct tty_struct *tty, int idx);
42027 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
42028 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
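Review bot: The `#else` branch that defined `tty_compat_ioctl` as `NULL` for kernels without CONFIG_COMPAT is removed here together with the static prototypes, and nothing in this hunk replaces it. Any `file_operations` initializer that names `tty_compat_ioctl` then fails to build on a non-COMPAT configuration unless a shared header carries the fallback. Presumably the prototypes moved to a header elsewhere in the patch, which is not visible here. That header should keep `#define tty_compat_ioctl NULL` under `#else` next to the prototype.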
42029 @@ -937,7 +927,7 @@ EXPORT_SYMBOL(start_tty);
42030 * read calls may be outstanding in parallel.
42031 */
42032
42033 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42034 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42035 loff_t *ppos)
42036 {
42037 int i;
42038 @@ -963,6 +953,8 @@ static ssize_t tty_read(struct file *fil
42039 return i;
42040 }
42041
42042 +EXPORT_SYMBOL(tty_read);
42043 +
42044 void tty_write_unlock(struct tty_struct *tty)
42045 {
42046 mutex_unlock(&tty->atomic_write_lock);
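Review bot: `EXPORT_SYMBOL(tty_read)` turns a formerly file-local file operation into an entry point that any loadable module can call, and the hunk carries no comment naming the consumer; the later hunks do the same for `tty_write`, `tty_release`, `tty_poll`, `tty_fasync`, `tty_ioctl` and `tty_compat_ioctl`. If the only users are other in-tree tty files building their own `file_operations` (presumably replacing the removed `tty_default_fops()`), a one-line comment such as `/* exported for <consumer>'s const file_operations */` would record that. `EXPORT_SYMBOL_GPL(tty_read);` would also keep the widened surface as narrow as `get_current_tty` already is in this file. The body of `tty_read` lies outside the hunk.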
42047 @@ -1112,7 +1104,7 @@ void tty_write_message(struct tty_struct
42048 * write method will not be invoked in parallel for each device.
42049 */
42050
42051 -static ssize_t tty_write(struct file *file, const char __user *buf,
42052 +ssize_t tty_write(struct file *file, const char __user *buf,
42053 size_t count, loff_t *ppos)
42054 {
42055 struct inode *inode = file->f_path.dentry->d_inode;
42056 @@ -1138,6 +1130,8 @@ static ssize_t tty_write(struct file *fi
42057 return ret;
42058 }
42059
42060 +EXPORT_SYMBOL(tty_write);
42061 +
42062 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
42063 size_t count, loff_t *ppos)
42064 {
42065 @@ -1777,6 +1771,8 @@ int tty_release(struct inode *inode, str
42066 return 0;
42067 }
42068
42069 +EXPORT_SYMBOL(tty_release);
42070 +
42071 /**
42072 * tty_open - open a tty device
42073 * @inode: inode of device file
42074 @@ -1968,7 +1964,7 @@ got_driver:
42075 * may be re-entered freely by other callers.
42076 */
42077
42078 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
42079 +unsigned int tty_poll(struct file *filp, poll_table *wait)
42080 {
42081 struct tty_struct *tty = file_tty(filp);
42082 struct tty_ldisc *ld;
42083 @@ -1984,6 +1980,8 @@ static unsigned int tty_poll(struct file
42084 return ret;
42085 }
42086
42087 +EXPORT_SYMBOL(tty_poll);
42088 +
42089 static int __tty_fasync(int fd, struct file *filp, int on)
42090 {
42091 struct tty_struct *tty = file_tty(filp);
42092 @@ -2025,7 +2023,7 @@ out:
42093 return retval;
42094 }
42095
42096 -static int tty_fasync(int fd, struct file *filp, int on)
42097 +int tty_fasync(int fd, struct file *filp, int on)
42098 {
42099 int retval;
42100 tty_lock();
42101 @@ -2034,6 +2032,8 @@ static int tty_fasync(int fd, struct fil
42102 return retval;
42103 }
42104
42105 +EXPORT_SYMBOL(tty_fasync);
42106 +
42107 /**
42108 * tiocsti - fake input character
42109 * @tty: tty to fake input into
42110 @@ -2695,8 +2695,10 @@ long tty_ioctl(struct file *file, unsign
42111 return retval;
42112 }
42113
42114 +EXPORT_SYMBOL(tty_ioctl);
42115 +
42116 #ifdef CONFIG_COMPAT
42117 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42118 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
42119 unsigned long arg)
42120 {
42121 struct inode *inode = file->f_dentry->d_inode;
42122 @@ -2720,6 +2722,9 @@ static long tty_compat_ioctl(struct file
42123
42124 return retval;
42125 }
42126 +
42127 +EXPORT_SYMBOL(tty_compat_ioctl);
42128 +
42129 #endif
42130
42131 /*
42132 @@ -3198,11 +3203,6 @@ struct tty_struct *get_current_tty(void)
42133 }
42134 EXPORT_SYMBOL_GPL(get_current_tty);
42135
42136 -void tty_default_fops(struct file_operations *fops)
42137 -{
42138 - *fops = tty_fops;
42139 -}
42140 -
42141 /*
42142 * Initialize the console device. This is called *early*, so
42143 * we can't necessarily depend on lots of kernel help here.
42144 diff -urNp linux-2.6.39.3/drivers/tty/tty_ldisc.c linux-2.6.39.3/drivers/tty/tty_ldisc.c
42145 --- linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:18:51.000000000 -0400
42146 +++ linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:19:18.000000000 -0400
42147 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
42148 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
42149 struct tty_ldisc_ops *ldo = ld->ops;
42150
42151 - ldo->refcount--;
42152 + atomic_dec(&ldo->refcount);
42153 module_put(ldo->owner);
42154 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42155
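Review bot: The conversion of `refcount` to atomic operations adds no concurrency protection, because each update whose locking is visible (here in `put_ldisc`, and in `tty_register_ldisc`, `tty_unregister_ldisc` and `put_ldops` below) already runs with `tty_ldisc_lock` held. Presumably the aim is to bring the count under the patch's overflow-checked `atomic_t`, which the code does not say. A comment at the first use, e.g. `/* atomic_t for overflow detection; tty_ldisc_lock still serializes updates */`, would stop a later cleanup from reverting it as redundant. The field's type change is in a header outside this file's hunks, and `put_ldisc` starts and ends outside this hunk.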
42156 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
42157 spin_lock_irqsave(&tty_ldisc_lock, flags);
42158 tty_ldiscs[disc] = new_ldisc;
42159 new_ldisc->num = disc;
42160 - new_ldisc->refcount = 0;
42161 + atomic_set(&new_ldisc->refcount, 0);
42162 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42163
42164 return ret;
42165 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
42166 return -EINVAL;
42167
42168 spin_lock_irqsave(&tty_ldisc_lock, flags);
42169 - if (tty_ldiscs[disc]->refcount)
42170 + if (atomic_read(&tty_ldiscs[disc]->refcount))
42171 ret = -EBUSY;
42172 else
42173 tty_ldiscs[disc] = NULL;
42174 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
42175 if (ldops) {
42176 ret = ERR_PTR(-EAGAIN);
42177 if (try_module_get(ldops->owner)) {
42178 - ldops->refcount++;
42179 + atomic_inc(&ldops->refcount);
42180 ret = ldops;
42181 }
42182 }
42183 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
42184 unsigned long flags;
42185
42186 spin_lock_irqsave(&tty_ldisc_lock, flags);
42187 - ldops->refcount--;
42188 + atomic_dec(&ldops->refcount);
42189 module_put(ldops->owner);
42190 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42191 }
42192 diff -urNp linux-2.6.39.3/drivers/tty/vt/keyboard.c linux-2.6.39.3/drivers/tty/vt/keyboard.c
42193 --- linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-19 00:06:34.000000000 -0400
42194 +++ linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-22 20:32:43.000000000 -0400
42195 @@ -658,6 +658,16 @@ static void k_spec(struct vc_data *vc, u
42196 kbd->kbdmode == VC_OFF) &&
42197 value != KVAL(K_SAK))
42198 return; /* SAK is allowed even in raw mode */
42199 +
42200 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42201 + {
42202 + void *func = fn_handler[value];
42203 + if (func == fn_show_state || func == fn_show_ptregs ||
42204 + func == fn_show_mem)
42205 + return;
42206 + }
42207 +#endif
42208 +
42209 fn_handler[value](vc);
42210 }
42211
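Review bot: `void *func = fn_handler[value];` stores a function pointer in a `void *` and then compares it with function names, a conversion ISO C does not define even though the kernel's compilers accept it; `void (*func)(struct vc_data *) = fn_handler[value];` keeps the comparison type-checked. The block also has no comment saying why these three handlers are skipped. Judging by their names they print task, register and memory state to the console, so something like `/* do not dump kernel state to the console when /proc is restricted */` would document the intent. `k_spec` starts outside the hunk, so the range check on `value` before the table lookup is not visible here.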
42212 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt.c linux-2.6.39.3/drivers/tty/vt/vt.c
42213 --- linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-19 00:06:34.000000000 -0400
42214 +++ linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-22 19:36:32.000000000 -0400
42215 @@ -261,7 +261,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
42216
42217 static void notify_write(struct vc_data *vc, unsigned int unicode)
42218 {
42219 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
42220 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
42221 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
42222 }
42223
42224 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c
42225 --- linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-19 00:06:34.000000000 -0400
42226 +++ linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-22 19:41:37.000000000 -0400
42227 @@ -209,9 +209,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42228 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
42229 return -EFAULT;
42230
42231 - if (!capable(CAP_SYS_TTY_CONFIG))
42232 - perm = 0;
42233 -
42234 switch (cmd) {
42235 case KDGKBENT:
42236 key_map = key_maps[s];
42237 @@ -223,6 +220,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42238 val = (i ? K_HOLE : K_NOSUCHMAP);
42239 return put_user(val, &user_kbe->kb_value);
42240 case KDSKBENT:
42241 + if (!capable(CAP_SYS_TTY_CONFIG))
42242 + perm = 0;
42243 +
42244 if (!perm)
42245 return -EPERM;
42246 if (!i && v == K_NOSUCHMAP) {
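Review bot: The relocated capability check in the `KDSKBENT` case can be folded into the test that follows it: `if (!perm || !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;` gives the same result and skips the `capable()` call when `perm` is already zero. A short comment such as `/* only the set path needs CAP_SYS_TTY_CONFIG; do not query it for reads */` would explain why the check no longer sits at the top of the function. The `KDSKBSENT` hunk in `do_kdgkb_ioctl` has the same two-step pattern. Both functions start and end outside their hunks, so whether `perm` is read anywhere else cannot be confirmed from here.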
42247 @@ -324,9 +324,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42248 int i, j, k;
42249 int ret;
42250
42251 - if (!capable(CAP_SYS_TTY_CONFIG))
42252 - perm = 0;
42253 -
42254 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
42255 if (!kbs) {
42256 ret = -ENOMEM;
42257 @@ -360,6 +357,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42258 kfree(kbs);
42259 return ((p && *p) ? -EOVERFLOW : 0);
42260 case KDSKBSENT:
42261 + if (!capable(CAP_SYS_TTY_CONFIG))
42262 + perm = 0;
42263 +
42264 if (!perm) {
42265 ret = -EPERM;
42266 goto reterr;
42267 diff -urNp linux-2.6.39.3/drivers/uio/uio.c linux-2.6.39.3/drivers/uio/uio.c
42268 --- linux-2.6.39.3/drivers/uio/uio.c 2011-05-19 00:06:34.000000000 -0400
42269 +++ linux-2.6.39.3/drivers/uio/uio.c 2011-05-22 19:36:32.000000000 -0400
42270 @@ -25,6 +25,7 @@
42271 #include <linux/kobject.h>
42272 #include <linux/cdev.h>
42273 #include <linux/uio_driver.h>
42274 +#include <asm/local.h>
42275
42276 #define UIO_MAX_DEVICES (1U << MINORBITS)
42277
42278 @@ -32,10 +33,10 @@ struct uio_device {
42279 struct module *owner;
42280 struct device *dev;
42281 int minor;
42282 - atomic_t event;
42283 + atomic_unchecked_t event;
42284 struct fasync_struct *async_queue;
42285 wait_queue_head_t wait;
42286 - int vma_count;
42287 + local_t vma_count;
42288 struct uio_info *info;
42289 struct kobject *map_dir;
42290 struct kobject *portio_dir;
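Review bot: `local_t vma_count` is the wrong counter type if the goal is a count that is safe or overflow-checked across CPUs. `local_t` operations are atomic only with respect to the CPU they run on, and `uio_vma_open`/`uio_vma_close` (changed to `local_inc`/`local_dec` further down) can run on different CPUs for the same device. The plain `int` it replaces had the same gap, so this is not a regression, but `atomic_t vma_count;` with `atomic_inc(&idev->vma_count)` and `atomic_dec(&idev->vma_count)` would state the intent and close it. Any reader of `vma_count` outside these hunks would need the matching accessor. `struct uio_device` continues past the end of the hunk.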
42291 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
42292 struct device_attribute *attr, char *buf)
42293 {
42294 struct uio_device *idev = dev_get_drvdata(dev);
42295 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
42296 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
42297 }
42298
42299 static struct device_attribute uio_class_attributes[] = {
42300 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
42301 {
42302 struct uio_device *idev = info->uio_dev;
42303
42304 - atomic_inc(&idev->event);
42305 + atomic_inc_unchecked(&idev->event);
42306 wake_up_interruptible(&idev->wait);
42307 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
42308 }
42309 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
42310 }
42311
42312 listener->dev = idev;
42313 - listener->event_count = atomic_read(&idev->event);
42314 + listener->event_count = atomic_read_unchecked(&idev->event);
42315 filep->private_data = listener;
42316
42317 if (idev->info->open) {
42318 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
42319 return -EIO;
42320
42321 poll_wait(filep, &idev->wait, wait);
42322 - if (listener->event_count != atomic_read(&idev->event))
42323 + if (listener->event_count != atomic_read_unchecked(&idev->event))
42324 return POLLIN | POLLRDNORM;
42325 return 0;
42326 }
42327 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
42328 do {
42329 set_current_state(TASK_INTERRUPTIBLE);
42330
42331 - event_count = atomic_read(&idev->event);
42332 + event_count = atomic_read_unchecked(&idev->event);
42333 if (event_count != listener->event_count) {
42334 if (copy_to_user(buf, &event_count, count))
42335 retval = -EFAULT;
42336 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
42337 static void uio_vma_open(struct vm_area_struct *vma)
42338 {
42339 struct uio_device *idev = vma->vm_private_data;
42340 - idev->vma_count++;
42341 + local_inc(&idev->vma_count);
42342 }
42343
42344 static void uio_vma_close(struct vm_area_struct *vma)
42345 {
42346 struct uio_device *idev = vma->vm_private_data;
42347 - idev->vma_count--;
42348 + local_dec(&idev->vma_count);
42349 }
42350
42351 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
42352 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
42353 idev->owner = owner;
42354 idev->info = info;
42355 init_waitqueue_head(&idev->wait);
42356 - atomic_set(&idev->event, 0);
42357 + atomic_set_unchecked(&idev->event, 0);
42358
42359 ret = uio_get_minor(idev);
42360 if (ret)
42361 diff -urNp linux-2.6.39.3/drivers/usb/atm/cxacru.c linux-2.6.39.3/drivers/usb/atm/cxacru.c
42362 --- linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-19 00:06:34.000000000 -0400
42363 +++ linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-22 19:36:32.000000000 -0400
42364 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
42365 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
42366 if (ret < 2)
42367 return -EINVAL;
42368 - if (index < 0 || index > 0x7f)
42369 + if (index > 0x7f)
42370 return -EINVAL;
42371 pos += tmp;
42372
42373 diff -urNp linux-2.6.39.3/drivers/usb/atm/usbatm.c linux-2.6.39.3/drivers/usb/atm/usbatm.c
42374 --- linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-19 00:06:34.000000000 -0400
42375 +++ linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-22 19:36:32.000000000 -0400
42376 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
42377 if (printk_ratelimit())
42378 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
42379 __func__, vpi, vci);
42380 - atomic_inc(&vcc->stats->rx_err);
42381 + atomic_inc_unchecked(&vcc->stats->rx_err);
42382 return;
42383 }
42384
42385 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
42386 if (length > ATM_MAX_AAL5_PDU) {
42387 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
42388 __func__, length, vcc);
42389 - atomic_inc(&vcc->stats->rx_err);
42390 + atomic_inc_unchecked(&vcc->stats->rx_err);
42391 goto out;
42392 }
42393
42394 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
42395 if (sarb->len < pdu_length) {
42396 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
42397 __func__, pdu_length, sarb->len, vcc);
42398 - atomic_inc(&vcc->stats->rx_err);
42399 + atomic_inc_unchecked(&vcc->stats->rx_err);
42400 goto out;
42401 }
42402
42403 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
42404 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
42405 __func__, vcc);
42406 - atomic_inc(&vcc->stats->rx_err);
42407 + atomic_inc_unchecked(&vcc->stats->rx_err);
42408 goto out;
42409 }
42410
42411 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
42412 if (printk_ratelimit())
42413 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
42414 __func__, length);
42415 - atomic_inc(&vcc->stats->rx_drop);
42416 + atomic_inc_unchecked(&vcc->stats->rx_drop);
42417 goto out;
42418 }
42419
42420 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
42421
42422 vcc->push(vcc, skb);
42423
42424 - atomic_inc(&vcc->stats->rx);
42425 + atomic_inc_unchecked(&vcc->stats->rx);
42426 out:
42427 skb_trim(sarb, 0);
42428 }
42429 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
42430 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
42431
42432 usbatm_pop(vcc, skb);
42433 - atomic_inc(&vcc->stats->tx);
42434 + atomic_inc_unchecked(&vcc->stats->tx);
42435
42436 skb = skb_dequeue(&instance->sndqueue);
42437 }
42438 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
42439 if (!left--)
42440 return sprintf(page,
42441 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
42442 - atomic_read(&atm_dev->stats.aal5.tx),
42443 - atomic_read(&atm_dev->stats.aal5.tx_err),
42444 - atomic_read(&atm_dev->stats.aal5.rx),
42445 - atomic_read(&atm_dev->stats.aal5.rx_err),
42446 - atomic_read(&atm_dev->stats.aal5.rx_drop));
42447 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
42448 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
42449 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
42450 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
42451 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
42452
42453 if (!left--) {
42454 if (instance->disconnected)
42455 diff -urNp linux-2.6.39.3/drivers/usb/core/devices.c linux-2.6.39.3/drivers/usb/core/devices.c
42456 --- linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-19 00:06:34.000000000 -0400
42457 +++ linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-22 19:36:32.000000000 -0400
42458 @@ -126,7 +126,7 @@ static const char *format_endpt =
42459 * time it gets called.
42460 */
42461 static struct device_connect_event {
42462 - atomic_t count;
42463 + atomic_unchecked_t count;
42464 wait_queue_head_t wait;
42465 } device_event = {
42466 .count = ATOMIC_INIT(1),
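Review bot: The change of `count` to `atomic_unchecked_t` is not explained at the declaration, so a later reader cannot tell why this counter is exempt from overflow checking. A comment on the field would record it, for example `/* event generation counter, only compared for inequality; wrap-around is harmless and this is not a reference count */`. The same reasoning applies to `atomic_add_unchecked` in usbfs_conn_disc_event and `atomic_read_unchecked` in usb_device_poll in the next two hunks, where the value is only compared with `file->f_version`. The initializer of `device_event` continues past the end of this hunk.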
42467 @@ -164,7 +164,7 @@ static const struct class_info clas_info
42468
42469 void usbfs_conn_disc_event(void)
42470 {
42471 - atomic_add(2, &device_event.count);
42472 + atomic_add_unchecked(2, &device_event.count);
42473 wake_up(&device_event.wait);
42474 }
42475
42476 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
42477
42478 poll_wait(file, &device_event.wait, wait);
42479
42480 - event_count = atomic_read(&device_event.count);
42481 + event_count = atomic_read_unchecked(&device_event.count);
42482 if (file->f_version != event_count) {
42483 file->f_version = event_count;
42484 return POLLIN | POLLRDNORM;
42485 diff -urNp linux-2.6.39.3/drivers/usb/core/hcd.c linux-2.6.39.3/drivers/usb/core/hcd.c
42486 --- linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:04:14.000000000 -0400
42487 +++ linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:32:07.000000000 -0400
42488 @@ -2574,7 +2574,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
42489
42490 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
42491
42492 -struct usb_mon_operations *mon_ops;
42493 +const struct usb_mon_operations *mon_ops;
42494
42495 /*
42496 * The registration is unlocked.
42497 @@ -2584,7 +2584,7 @@ struct usb_mon_operations *mon_ops;
42498 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
42499 */
42500
42501 -int usb_mon_register (struct usb_mon_operations *ops)
42502 +int usb_mon_register (const struct usb_mon_operations *ops)
42503 {
42504
42505 if (mon_ops)
42506 diff -urNp linux-2.6.39.3/drivers/usb/core/message.c linux-2.6.39.3/drivers/usb/core/message.c
42507 --- linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:18:51.000000000 -0400
42508 +++ linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:19:18.000000000 -0400
42509 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
42510 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
42511 if (buf) {
42512 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
42513 - if (len > 0) {
42514 - smallbuf = kmalloc(++len, GFP_NOIO);
42515 + if (len++ > 0) {
42516 + smallbuf = kmalloc(len, GFP_NOIO);
42517 if (!smallbuf)
42518 return buf;
42519 memcpy(smallbuf, buf, len);
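Review bot: Folding the increment into the test, `if (len++ > 0)`, changes `len` on the failing branch as well and hides what the extra byte is for. Keeping the condition free of side effects reads better: `if (len > 0) {` followed by `len++;` on its own line with a short comment (presumably the byte is for the string terminator), then `kmalloc(len, GFP_NOIO)`. That still keeps the increment out of the kmalloc argument, which appears to be the purpose of the change. The `memcpy(smallbuf, buf, len)` that follows copies one byte more than usb_string() reported, so it relies on usb_string() having terminated `buf` inside MAX_USB_STRING_SIZE, which this hunk does not show. usb_cache_string starts and ends outside the hunk.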
42520 diff -urNp linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c
42521 --- linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-19 00:06:34.000000000 -0400
42522 +++ linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-22 19:36:32.000000000 -0400
42523 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
42524 }
42525
42526 #ifdef CONFIG_KGDB
42527 -static struct kgdb_io kgdbdbgp_io_ops;
42528 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
42529 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
42530 #else
42531 #define dbgp_kgdb_mode (0)
42532 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
42533 early_dbgp_write(NULL, &chr, 1);
42534 }
42535
42536 -static struct kgdb_io kgdbdbgp_io_ops = {
42537 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
42538 .name = "kgdbdbgp",
42539 .read_char = kgdbdbgp_read_char,
42540 .write_char = kgdbdbgp_write_char,
42541 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c
42542 --- linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-19 00:06:34.000000000 -0400
42543 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-22 19:36:32.000000000 -0400
42544 @@ -1859,7 +1859,7 @@ out:
42545 return status;
42546 }
42547
42548 -static struct usb_ep_ops qe_ep_ops = {
42549 +static const struct usb_ep_ops qe_ep_ops = {
42550 .enable = qe_ep_enable,
42551 .disable = qe_ep_disable,
42552
42553 @@ -1928,7 +1928,7 @@ static int qe_pullup(struct usb_gadget *
42554 }
42555
42556 /* defined in usb_gadget.h */
42557 -static struct usb_gadget_ops qe_gadget_ops = {
42558 +static const struct usb_gadget_ops qe_gadget_ops = {
42559 .get_frame = qe_get_frame,
42560 .wakeup = qe_wakeup,
42561 /* .set_selfpowered = qe_set_selfpowered,*/ /* always selfpowered */
42562 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c
42563 --- linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42564 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42565 @@ -1003,7 +1003,7 @@ static void fsl_ep_fifo_flush(struct usb
42566 } while (fsl_readl(&dr_regs->endptstatus) & bits);
42567 }
42568
42569 -static struct usb_ep_ops fsl_ep_ops = {
42570 +static const struct usb_ep_ops fsl_ep_ops = {
42571 .enable = fsl_ep_enable,
42572 .disable = fsl_ep_disable,
42573
42574 @@ -1114,7 +1114,7 @@ static int fsl_pullup(struct usb_gadget
42575 }
42576
42577 /* defined in gadget.h */
42578 -static struct usb_gadget_ops fsl_gadget_ops = {
42579 +static const struct usb_gadget_ops fsl_gadget_ops = {
42580 .get_frame = fsl_get_frame,
42581 .wakeup = fsl_wakeup,
42582 /* .set_selfpowered = fsl_set_selfpowered, */ /* Always selfpowered */
42583 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c
42584 --- linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-19 00:06:34.000000000 -0400
42585 +++ linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-22 19:36:32.000000000 -0400
42586 @@ -527,7 +527,7 @@ static void fusb300_fifo_flush(struct us
42587 {
42588 }
42589
42590 -static struct usb_ep_ops fusb300_ep_ops = {
42591 +static const struct usb_ep_ops fusb300_ep_ops = {
42592 .enable = fusb300_enable,
42593 .disable = fusb300_disable,
42594
42595 @@ -1570,7 +1570,7 @@ static int fusb300_udc_pullup(struct usb
42596 return 0;
42597 }
42598
42599 -static struct usb_gadget_ops fusb300_gadget_ops = {
42600 +static const struct usb_gadget_ops fusb300_gadget_ops = {
42601 .pullup = fusb300_udc_pullup,
42602 };
42603
42604 diff -urNp linux-2.6.39.3/drivers/usb/gadget/goku_udc.c linux-2.6.39.3/drivers/usb/gadget/goku_udc.c
42605 --- linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-19 00:06:34.000000000 -0400
42606 +++ linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-22 19:36:32.000000000 -0400
42607 @@ -973,7 +973,7 @@ static void goku_fifo_flush(struct usb_e
42608 command(regs, COMMAND_FIFO_CLEAR, ep->num);
42609 }
42610
42611 -static struct usb_ep_ops goku_ep_ops = {
42612 +static const struct usb_ep_ops goku_ep_ops = {
42613 .enable = goku_ep_enable,
42614 .disable = goku_ep_disable,
42615
42616 diff -urNp linux-2.6.39.3/drivers/usb/gadget/imx_udc.c linux-2.6.39.3/drivers/usb/gadget/imx_udc.c
42617 --- linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-19 00:06:34.000000000 -0400
42618 +++ linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-22 19:36:32.000000000 -0400
42619 @@ -937,7 +937,7 @@ static void imx_ep_fifo_flush(struct usb
42620 local_irq_restore(flags);
42621 }
42622
42623 -static struct usb_ep_ops imx_ep_ops = {
42624 +static const struct usb_ep_ops imx_ep_ops = {
42625 .enable = imx_ep_enable,
42626 .disable = imx_ep_disable,
42627
42628 diff -urNp linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c
42629 --- linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-19 00:06:34.000000000 -0400
42630 +++ linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-22 19:36:32.000000000 -0400
42631 @@ -1437,7 +1437,7 @@ static void m66592_fifo_flush(struct usb
42632 spin_unlock_irqrestore(&ep->m66592->lock, flags);
42633 }
42634
42635 -static struct usb_ep_ops m66592_ep_ops = {
42636 +static const struct usb_ep_ops m66592_ep_ops = {
42637 .enable = m66592_enable,
42638 .disable = m66592_disable,
42639
42640 @@ -1542,7 +1542,7 @@ static int m66592_get_frame(struct usb_g
42641 return m66592_read(m66592, M66592_FRMNUM) & 0x03FF;
42642 }
42643
42644 -static struct usb_gadget_ops m66592_gadget_ops = {
42645 +static const struct usb_gadget_ops m66592_gadget_ops = {
42646 .get_frame = m66592_get_frame,
42647 };
42648
42649 diff -urNp linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c
42650 --- linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42651 +++ linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42652 @@ -972,7 +972,7 @@ static int mv_ep_set_wedge(struct usb_ep
42653 return mv_ep_set_halt_wedge(_ep, 1, 1);
42654 }
42655
42656 -static struct usb_ep_ops mv_ep_ops = {
42657 +static const struct usb_ep_ops mv_ep_ops = {
42658 .enable = mv_ep_enable,
42659 .disable = mv_ep_disable,
42660
42661 diff -urNp linux-2.6.39.3/drivers/usb/gadget/omap_udc.c linux-2.6.39.3/drivers/usb/gadget/omap_udc.c
42662 --- linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-19 00:06:34.000000000 -0400
42663 +++ linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-22 19:36:32.000000000 -0400
42664 @@ -1177,7 +1177,7 @@ done:
42665 return status;
42666 }
42667
42668 -static struct usb_ep_ops omap_ep_ops = {
42669 +static const struct usb_ep_ops omap_ep_ops = {
42670 .enable = omap_ep_enable,
42671 .disable = omap_ep_disable,
42672
42673 @@ -1374,7 +1374,7 @@ static int omap_pullup(struct usb_gadget
42674 return 0;
42675 }
42676
42677 -static struct usb_gadget_ops omap_gadget_ops = {
42678 +static const struct usb_gadget_ops omap_gadget_ops = {
42679 .get_frame = omap_get_frame,
42680 .wakeup = omap_wakeup,
42681 .set_selfpowered = omap_set_selfpowered,
42682 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c
42683 --- linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-19 00:06:34.000000000 -0400
42684 +++ linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-22 19:36:32.000000000 -0400
42685 @@ -896,7 +896,7 @@ static void pxa25x_ep_fifo_flush(struct
42686 }
42687
42688
42689 -static struct usb_ep_ops pxa25x_ep_ops = {
42690 +static const struct usb_ep_ops pxa25x_ep_ops = {
42691 .enable = pxa25x_ep_enable,
42692 .disable = pxa25x_ep_disable,
42693
42694 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c
42695 --- linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-19 00:06:34.000000000 -0400
42696 +++ linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-22 19:36:32.000000000 -0400
42697 @@ -1491,7 +1491,7 @@ static int pxa_ep_disable(struct usb_ep
42698 return 0;
42699 }
42700
42701 -static struct usb_ep_ops pxa_ep_ops = {
42702 +static const struct usb_ep_ops pxa_ep_ops = {
42703 .enable = pxa_ep_enable,
42704 .disable = pxa_ep_disable,
42705
42706 diff -urNp linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c
42707 --- linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-19 00:06:34.000000000 -0400
42708 +++ linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-22 19:36:32.000000000 -0400
42709 @@ -1392,7 +1392,7 @@ static void r8a66597_fifo_flush(struct u
42710 spin_unlock_irqrestore(&ep->r8a66597->lock, flags);
42711 }
42712
42713 -static struct usb_ep_ops r8a66597_ep_ops = {
42714 +static const struct usb_ep_ops r8a66597_ep_ops = {
42715 .enable = r8a66597_enable,
42716 .disable = r8a66597_disable,
42717
42718 @@ -1497,7 +1497,7 @@ static int r8a66597_get_frame(struct usb
42719 return r8a66597_read(r8a66597, FRMNUM) & 0x03FF;
42720 }
42721
42722 -static struct usb_gadget_ops r8a66597_gadget_ops = {
42723 +static const struct usb_gadget_ops r8a66597_gadget_ops = {
42724 .get_frame = r8a66597_get_frame,
42725 };
42726
42727 diff -urNp linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c
42728 --- linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-19 00:06:34.000000000 -0400
42729 +++ linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-22 19:36:32.000000000 -0400
42730 @@ -2461,7 +2461,7 @@ static int s3c_hsotg_ep_sethalt(struct u
42731 return 0;
42732 }
42733
42734 -static struct usb_ep_ops s3c_hsotg_ep_ops = {
42735 +static const struct usb_ep_ops s3c_hsotg_ep_ops = {
42736 .enable = s3c_hsotg_ep_enable,
42737 .disable = s3c_hsotg_ep_disable,
42738 .alloc_request = s3c_hsotg_ep_alloc_request,
42739 @@ -2725,7 +2725,7 @@ static int s3c_hsotg_gadget_getframe(str
42740 return s3c_hsotg_read_frameno(to_hsotg(gadget));
42741 }
42742
42743 -static struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42744 +static const struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42745 .get_frame = s3c_hsotg_gadget_getframe,
42746 };
42747
42748 diff -urNp linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c
42749 --- linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-19 00:06:34.000000000 -0400
42750 +++ linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-22 19:36:32.000000000 -0400
42751 @@ -400,7 +400,7 @@ static void uvc_vm_close(struct vm_area_
42752 buffer->vma_use_count--;
42753 }
42754
42755 -static struct vm_operations_struct uvc_vm_ops = {
42756 +static const struct vm_operations_struct uvc_vm_ops = {
42757 .open = uvc_vm_open,
42758 .close = uvc_vm_close,
42759 };
42760 diff -urNp linux-2.6.39.3/drivers/usb/host/ehci-fsl.c linux-2.6.39.3/drivers/usb/host/ehci-fsl.c
42761 --- linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-19 00:06:34.000000000 -0400
42762 +++ linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-22 19:36:32.000000000 -0400
42763 @@ -380,7 +380,7 @@ static int ehci_fsl_drv_restore(struct d
42764 return 0;
42765 }
42766
42767 -static struct dev_pm_ops ehci_fsl_pm_ops = {
42768 +static const struct dev_pm_ops ehci_fsl_pm_ops = {
42769 .suspend = ehci_fsl_drv_suspend,
42770 .resume = ehci_fsl_drv_resume,
42771 .restore = ehci_fsl_drv_restore,
42772 diff -urNp linux-2.6.39.3/drivers/usb/host/xhci-mem.c linux-2.6.39.3/drivers/usb/host/xhci-mem.c
42773 --- linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 12:55:23.000000000 -0400
42774 +++ linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 13:00:26.000000000 -0400
42775 @@ -1680,6 +1680,8 @@ static int xhci_check_trb_in_td_math(str
42776 unsigned int num_tests;
42777 int i, ret;
42778
42779 + pax_track_stack();
42780 +
42781 num_tests = ARRAY_SIZE(simple_test_vector);
42782 for (i = 0; i < num_tests; i++) {
42783 ret = xhci_test_trb_in_td(xhci,
42784 diff -urNp linux-2.6.39.3/drivers/usb/mon/mon_main.c linux-2.6.39.3/drivers/usb/mon/mon_main.c
42785 --- linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-19 00:06:34.000000000 -0400
42786 +++ linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-22 19:36:32.000000000 -0400
42787 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
42788 /*
42789 * Ops
42790 */
42791 -static struct usb_mon_operations mon_ops_0 = {
42792 +static const struct usb_mon_operations mon_ops_0 = {
42793 .urb_submit = mon_submit,
42794 .urb_submit_error = mon_submit_error,
42795 .urb_complete = mon_complete,
42796 diff -urNp linux-2.6.39.3/drivers/usb/musb/cppi_dma.h linux-2.6.39.3/drivers/usb/musb/cppi_dma.h
42797 --- linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-19 00:06:34.000000000 -0400
42798 +++ linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-22 19:36:32.000000000 -0400
42799 @@ -113,7 +113,7 @@ struct cppi_channel {
42800
42801 /* CPPI DMA controller object */
42802 struct cppi {
42803 - struct dma_controller controller;
42804 + const struct dma_controller controller;
42805 struct musb *musb;
42806 void __iomem *mregs; /* Mentor regs */
42807 void __iomem *tibase; /* TI/CPPI regs */
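Review bot: Declaring the embedded `controller` member `const` gives compile-time protection only. If `struct cppi` objects are allocated at run time they sit in writable memory, so the function pointers inside are not write-protected the way a `static const` ops table is. The qualifier also means the code that fills in `controller` can no longer assign its members one by one, and no matching change to that initialisation is visible near this hunk, so it is worth confirming that the driver still builds. If a read-only table is the goal, a pointer member `const struct dma_controller *controller;` referring to a `static const` instance would express it, though that touches every user of the embedded field. struct cppi continues past the end of the hunk.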
42808 diff -urNp linux-2.6.39.3/drivers/usb/otg/msm_otg.c linux-2.6.39.3/drivers/usb/otg/msm_otg.c
42809 --- linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-19 00:06:34.000000000 -0400
42810 +++ linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-22 19:36:32.000000000 -0400
42811 @@ -95,7 +95,7 @@ static int ulpi_write(struct otg_transce
42812 return 0;
42813 }
42814
42815 -static struct otg_io_access_ops msm_otg_io_ops = {
42816 +static const struct otg_io_access_ops msm_otg_io_ops = {
42817 .read = ulpi_read,
42818 .write = ulpi_write,
42819 };
42820 diff -urNp linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c
42821 --- linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-19 00:06:34.000000000 -0400
42822 +++ linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-22 19:36:32.000000000 -0400
42823 @@ -74,7 +74,7 @@ static int ulpi_viewport_write(struct ot
42824 return ulpi_viewport_wait(view, ULPI_VIEW_RUN);
42825 }
42826
42827 -struct otg_io_access_ops ulpi_viewport_access_ops = {
42828 +const struct otg_io_access_ops ulpi_viewport_access_ops = {
42829 .read = ulpi_viewport_read,
42830 .write = ulpi_viewport_write,
42831 };
42832 diff -urNp linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c
42833 --- linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:18:51.000000000 -0400
42834 +++ linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:19:18.000000000 -0400
42835 @@ -104,27 +104,27 @@ static int ftdi_stmclite_probe(struct
42836 static void ftdi_USB_UIRT_setup(struct ftdi_private *priv);
42837 static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv);
42838
42839 -static struct ftdi_sio_quirk ftdi_jtag_quirk = {
42840 +static const struct ftdi_sio_quirk ftdi_jtag_quirk = {
42841 .probe = ftdi_jtag_probe,
42842 };
42843
42844 -static struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42845 +static const struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42846 .probe = ftdi_mtxorb_hack_setup,
42847 };
42848
42849 -static struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42850 +static const struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42851 .probe = ftdi_NDI_device_setup,
42852 };
42853
42854 -static struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42855 +static const struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42856 .port_probe = ftdi_USB_UIRT_setup,
42857 };
42858
42859 -static struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42860 +static const struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42861 .port_probe = ftdi_HE_TIRA1_setup,
42862 };
42863
42864 -static struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42865 +static const struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42866 .probe = ftdi_stmclite_probe,
42867 };
42868
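Review bot: The `const` added to these six quirk tables only helps if every consumer reads them through a pointer-to-const. If their addresses reach the probe code through an integer field of the device-id table and are cast back to `struct ftdi_sio_quirk *`, the qualifier is silently dropped and the compiler will not flag a later write through that pointer. No change to such a cast is visible here, and this is the only hunk shown for the file, so the readers should be checked and declared as `const struct ftdi_sio_quirk *quirk`.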
42869 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h
42870 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-19 00:06:34.000000000 -0400
42871 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-22 19:36:32.000000000 -0400
42872 @@ -192,7 +192,7 @@ struct wahc {
42873 struct list_head xfer_delayed_list;
42874 spinlock_t xfer_list_lock;
42875 struct work_struct xfer_work;
42876 - atomic_t xfer_id_count;
42877 + atomic_unchecked_t xfer_id_count;
42878 };
42879
42880
42881 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
42882 INIT_LIST_HEAD(&wa->xfer_delayed_list);
42883 spin_lock_init(&wa->xfer_list_lock);
42884 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
42885 - atomic_set(&wa->xfer_id_count, 1);
42886 + atomic_set_unchecked(&wa->xfer_id_count, 1);
42887 }
42888
42889 /**
42890 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c
42891 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-19 00:06:34.000000000 -0400
42892 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-22 19:36:32.000000000 -0400
42893 @@ -294,7 +294,7 @@ out:
42894 */
42895 static void wa_xfer_id_init(struct wa_xfer *xfer)
42896 {
42897 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
42898 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
42899 }
42900
42901 /*
42902 diff -urNp linux-2.6.39.3/drivers/vhost/vhost.c linux-2.6.39.3/drivers/vhost/vhost.c
42903 --- linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-19 00:06:34.000000000 -0400
42904 +++ linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-22 19:36:32.000000000 -0400
42905 @@ -580,7 +580,7 @@ static int init_used(struct vhost_virtqu
42906 return get_user(vq->last_used_idx, &used->idx);
42907 }
42908
42909 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
42910 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
42911 {
42912 struct file *eventfp, *filep = NULL,
42913 *pollstart = NULL, *pollstop = NULL;
42914 diff -urNp linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c
42915 --- linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-19 00:06:34.000000000 -0400
42916 +++ linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-22 19:36:32.000000000 -0400
42917 @@ -383,7 +383,7 @@ static int corgi_lcd_get_power(struct lc
42918 return lcd->power;
42919 }
42920
42921 -static struct lcd_ops corgi_lcd_ops = {
42922 +static const struct lcd_ops corgi_lcd_ops = {
42923 .get_power = corgi_lcd_get_power,
42924 .set_power = corgi_lcd_set_power,
42925 .set_mode = corgi_lcd_set_mode,
42926 diff -urNp linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c
42927 --- linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-19 00:06:34.000000000 -0400
42928 +++ linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-22 19:36:32.000000000 -0400
42929 @@ -165,7 +165,7 @@ static int cr_lcd_set_power(struct lcd_d
42930 return 0;
42931 }
42932
42933 -static struct lcd_ops cr_lcd_ops = {
42934 +static const struct lcd_ops cr_lcd_ops = {
42935 .set_power = cr_lcd_set_power,
42936 };
42937
42938 diff -urNp linux-2.6.39.3/drivers/video/backlight/ili9320.c linux-2.6.39.3/drivers/video/backlight/ili9320.c
42939 --- linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-19 00:06:34.000000000 -0400
42940 +++ linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-22 19:36:32.000000000 -0400
42941 @@ -166,7 +166,7 @@ static int ili9320_get_power(struct lcd_
42942 return lcd->power;
42943 }
42944
42945 -static struct lcd_ops ili9320_ops = {
42946 +static const struct lcd_ops ili9320_ops = {
42947 .get_power = ili9320_get_power,
42948 .set_power = ili9320_set_power,
42949 };
42950 diff -urNp linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c
42951 --- linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-19 00:06:34.000000000 -0400
42952 +++ linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-22 19:36:32.000000000 -0400
42953 @@ -87,7 +87,7 @@ static int jornada_lcd_set_power(struct
42954 return 0;
42955 }
42956
42957 -static struct lcd_ops jornada_lcd_props = {
42958 +static const struct lcd_ops jornada_lcd_props = {
42959 .get_contrast = jornada_lcd_get_contrast,
42960 .set_contrast = jornada_lcd_set_contrast,
42961 .get_power = jornada_lcd_get_power,
42962 diff -urNp linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c
42963 --- linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-19 00:06:34.000000000 -0400
42964 +++ linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-22 19:36:32.000000000 -0400
42965 @@ -149,7 +149,7 @@ static int l4f00242t03_lcd_power_set(str
42966 return 0;
42967 }
42968
42969 -static struct lcd_ops l4f_ops = {
42970 +static const struct lcd_ops l4f_ops = {
42971 .set_power = l4f00242t03_lcd_power_set,
42972 .get_power = l4f00242t03_lcd_power_get,
42973 };
42974 diff -urNp linux-2.6.39.3/drivers/video/backlight/lcd.c linux-2.6.39.3/drivers/video/backlight/lcd.c
42975 --- linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-19 00:06:34.000000000 -0400
42976 +++ linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-22 19:36:32.000000000 -0400
42977 @@ -192,7 +192,7 @@ static struct device_attribute lcd_devic
42978 * or a pointer to the newly allocated device.
42979 */
42980 struct lcd_device *lcd_device_register(const char *name, struct device *parent,
42981 - void *devdata, struct lcd_ops *ops)
42982 + void *devdata, const struct lcd_ops *ops)
42983 {
42984 struct lcd_device *new_ld;
42985 int rc;
42986 diff -urNp linux-2.6.39.3/drivers/video/backlight/ld9040.c linux-2.6.39.3/drivers/video/backlight/ld9040.c
42987 --- linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-19 00:06:34.000000000 -0400
42988 +++ linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-22 19:36:32.000000000 -0400
42989 @@ -651,7 +651,7 @@ static int ld9040_set_brightness(struct
42990 return ret;
42991 }
42992
42993 -static struct lcd_ops ld9040_lcd_ops = {
42994 +static const struct lcd_ops ld9040_lcd_ops = {
42995 .set_power = ld9040_set_power,
42996 .get_power = ld9040_get_power,
42997 };
42998 diff -urNp linux-2.6.39.3/drivers/video/backlight/lms283gf05.c linux-2.6.39.3/drivers/video/backlight/lms283gf05.c
42999 --- linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-19 00:06:34.000000000 -0400
43000 +++ linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-22 19:36:32.000000000 -0400
43001 @@ -144,7 +144,7 @@ static int lms283gf05_power_set(struct l
43002 return 0;
43003 }
43004
43005 -static struct lcd_ops lms_ops = {
43006 +static const struct lcd_ops lms_ops = {
43007 .set_power = lms283gf05_power_set,
43008 .get_power = NULL,
43009 };
43010 diff -urNp linux-2.6.39.3/drivers/video/backlight/ltv350qv.c linux-2.6.39.3/drivers/video/backlight/ltv350qv.c
43011 --- linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-19 00:06:34.000000000 -0400
43012 +++ linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-22 19:36:32.000000000 -0400
43013 @@ -221,7 +221,7 @@ static int ltv350qv_get_power(struct lcd
43014 return lcd->power;
43015 }
43016
43017 -static struct lcd_ops ltv_ops = {
43018 +static const struct lcd_ops ltv_ops = {
43019 .get_power = ltv350qv_get_power,
43020 .set_power = ltv350qv_set_power,
43021 };
43022 diff -urNp linux-2.6.39.3/drivers/video/backlight/platform_lcd.c linux-2.6.39.3/drivers/video/backlight/platform_lcd.c
43023 --- linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-19 00:06:34.000000000 -0400
43024 +++ linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-22 19:36:32.000000000 -0400
43025 @@ -66,7 +66,7 @@ static int platform_lcd_match(struct lcd
43026 return plcd->us->parent == info->device;
43027 }
43028
43029 -static struct lcd_ops platform_lcd_ops = {
43030 +static const struct lcd_ops platform_lcd_ops = {
43031 .get_power = platform_lcd_get_power,
43032 .set_power = platform_lcd_set_power,
43033 .check_fb = platform_lcd_match,
43034 diff -urNp linux-2.6.39.3/drivers/video/backlight/s6e63m0.c linux-2.6.39.3/drivers/video/backlight/s6e63m0.c
43035 --- linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-19 00:06:34.000000000 -0400
43036 +++ linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-22 19:36:32.000000000 -0400
43037 @@ -644,7 +644,7 @@ static int s6e63m0_set_brightness(struct
43038 return ret;
43039 }
43040
43041 -static struct lcd_ops s6e63m0_lcd_ops = {
43042 +static const struct lcd_ops s6e63m0_lcd_ops = {
43043 .set_power = s6e63m0_set_power,
43044 .get_power = s6e63m0_get_power,
43045 };
43046 diff -urNp linux-2.6.39.3/drivers/video/backlight/tdo24m.c linux-2.6.39.3/drivers/video/backlight/tdo24m.c
43047 --- linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-19 00:06:34.000000000 -0400
43048 +++ linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-22 19:36:32.000000000 -0400
43049 @@ -322,7 +322,7 @@ static int tdo24m_set_mode(struct lcd_de
43050 return lcd->adj_mode(lcd, mode);
43051 }
43052
43053 -static struct lcd_ops tdo24m_ops = {
43054 +static const struct lcd_ops tdo24m_ops = {
43055 .get_power = tdo24m_get_power,
43056 .set_power = tdo24m_set_power,
43057 .set_mode = tdo24m_set_mode,
43058 diff -urNp linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c
43059 --- linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-19 00:06:34.000000000 -0400
43060 +++ linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-22 19:36:32.000000000 -0400
43061 @@ -163,7 +163,7 @@ static int tosa_lcd_set_mode(struct lcd_
43062 return 0;
43063 }
43064
43065 -static struct lcd_ops tosa_lcd_ops = {
43066 +static const struct lcd_ops tosa_lcd_ops = {
43067 .set_power = tosa_lcd_set_power,
43068 .get_power = tosa_lcd_get_power,
43069 .set_mode = tosa_lcd_set_mode,
43070 diff -urNp linux-2.6.39.3/drivers/video/bf537-lq035.c linux-2.6.39.3/drivers/video/bf537-lq035.c
43071 --- linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-19 00:06:34.000000000 -0400
43072 +++ linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-22 19:36:32.000000000 -0400
43073 @@ -682,7 +682,7 @@ static int bfin_lcd_check_fb(struct lcd_
43074 return 0;
43075 }
43076
43077 -static struct lcd_ops bfin_lcd_ops = {
43078 +static const struct lcd_ops bfin_lcd_ops = {
43079 .get_power = bfin_lcd_get_power,
43080 .set_power = bfin_lcd_set_power,
43081 .get_contrast = bfin_lcd_get_contrast,
43082 diff -urNp linux-2.6.39.3/drivers/video/bf54x-lq043fb.c linux-2.6.39.3/drivers/video/bf54x-lq043fb.c
43083 --- linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-19 00:06:34.000000000 -0400
43084 +++ linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-22 19:36:32.000000000 -0400
43085 @@ -467,7 +467,7 @@ static int bfin_lcd_check_fb(struct lcd_
43086 return 0;
43087 }
43088
43089 -static struct lcd_ops bfin_lcd_ops = {
43090 +static const struct lcd_ops bfin_lcd_ops = {
43091 .get_power = bfin_lcd_get_power,
43092 .set_power = bfin_lcd_set_power,
43093 .get_contrast = bfin_lcd_get_contrast,
43094 diff -urNp linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c
43095 --- linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-19 00:06:34.000000000 -0400
43096 +++ linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-22 19:36:32.000000000 -0400
43097 @@ -387,7 +387,7 @@ static int bfin_lcd_check_fb(struct lcd_
43098 return 0;
43099 }
43100
43101 -static struct lcd_ops bfin_lcd_ops = {
43102 +static const struct lcd_ops bfin_lcd_ops = {
43103 .get_power = bfin_lcd_get_power,
43104 .set_power = bfin_lcd_set_power,
43105 .get_contrast = bfin_lcd_get_contrast,
43106 diff -urNp linux-2.6.39.3/drivers/video/fbcmap.c linux-2.6.39.3/drivers/video/fbcmap.c
43107 --- linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-19 00:06:34.000000000 -0400
43108 +++ linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-22 19:36:32.000000000 -0400
43109 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
43110 rc = -ENODEV;
43111 goto out;
43112 }
43113 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
43114 - !info->fbops->fb_setcmap)) {
43115 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
43116 rc = -EINVAL;
43117 goto out1;
43118 }
43119 diff -urNp linux-2.6.39.3/drivers/video/fbmem.c linux-2.6.39.3/drivers/video/fbmem.c
43120 --- linux-2.6.39.3/drivers/video/fbmem.c 2011-05-19 00:06:34.000000000 -0400
43121 +++ linux-2.6.39.3/drivers/video/fbmem.c 2011-05-22 19:36:32.000000000 -0400
43122 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
43123 image->dx += image->width + 8;
43124 }
43125 } else if (rotate == FB_ROTATE_UD) {
43126 - for (x = 0; x < num && image->dx >= 0; x++) {
43127 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
43128 info->fbops->fb_imageblit(info, image);
43129 image->dx -= image->width + 8;
43130 }
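Review bot: The `(__s32)` cast in the FB_ROTATE_UD loop condition now carries the loop's termination logic and deserves a one-line comment, for example `/* dx is unsigned: stop once the subtraction below wraps past zero */`. Judging by the cast, `image->dx` is an unsigned 32-bit field, so the old `>= 0` test could never end the loop and only `x < num` bounded it. The same comment applies to the `image->dy` cast in the FB_ROTATE_CCW hunk that follows. fb_do_show_logo starts and ends outside both hunks.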
43131 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
43132 image->dy += image->height + 8;
43133 }
43134 } else if (rotate == FB_ROTATE_CCW) {
43135 - for (x = 0; x < num && image->dy >= 0; x++) {
43136 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
43137 info->fbops->fb_imageblit(info, image);
43138 image->dy -= image->height + 8;
43139 }
43140 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
43141 int flags = info->flags;
43142 int ret = 0;
43143
43144 + pax_track_stack();
43145 +
43146 if (var->activate & FB_ACTIVATE_INV_MODE) {
43147 struct fb_videomode mode1, mode2;
43148
43149 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
43150 void __user *argp = (void __user *)arg;
43151 long ret = 0;
43152
43153 + pax_track_stack();
43154 +
43155 switch (cmd) {
43156 case FBIOGET_VSCREENINFO:
43157 if (!lock_fb_info(info))
43158 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
43159 return -EFAULT;
43160 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
43161 return -EINVAL;
43162 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
43163 + if (con2fb.framebuffer >= FB_MAX)
43164 return -EINVAL;
43165 if (!registered_fb[con2fb.framebuffer])
43166 request_module("fb%d", con2fb.framebuffer);
43167 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.c linux-2.6.39.3/drivers/video/geode/display_gx1.c
43168 --- linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-19 00:06:34.000000000 -0400
43169 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-22 19:36:32.000000000 -0400
43170 @@ -208,7 +208,7 @@ static void gx1_set_hw_palette_reg(struc
43171 writel(val, par->dc_regs + DC_PAL_DATA);
43172 }
43173
43174 -struct geode_dc_ops gx1_dc_ops = {
43175 +const struct geode_dc_ops gx1_dc_ops = {
43176 .set_mode = gx1_set_mode,
43177 .set_palette_reg = gx1_set_hw_palette_reg,
43178 };
43179 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.h linux-2.6.39.3/drivers/video/geode/display_gx1.h
43180 --- linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-19 00:06:34.000000000 -0400
43181 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-22 19:36:32.000000000 -0400
43182 @@ -18,7 +18,7 @@
43183 unsigned gx1_gx_base(void);
43184 int gx1_frame_buffer_size(void);
43185
43186 -extern struct geode_dc_ops gx1_dc_ops;
43187 +extern const struct geode_dc_ops gx1_dc_ops;
43188
43189 /* GX1 configuration I/O registers */
43190
43191 diff -urNp linux-2.6.39.3/drivers/video/geode/geodefb.h linux-2.6.39.3/drivers/video/geode/geodefb.h
43192 --- linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-19 00:06:34.000000000 -0400
43193 +++ linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-22 19:36:32.000000000 -0400
43194 @@ -31,8 +31,8 @@ struct geodefb_par {
43195 int panel_y;
43196 void __iomem *dc_regs;
43197 void __iomem *vid_regs;
43198 - struct geode_dc_ops *dc_ops;
43199 - struct geode_vid_ops *vid_ops;
43200 + const struct geode_dc_ops *dc_ops;
43201 + const struct geode_vid_ops *vid_ops;
43202 };
43203
43204 #endif /* !__GEODEFB_H__ */
43205 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.c linux-2.6.39.3/drivers/video/geode/video_cs5530.c
43206 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-19 00:06:34.000000000 -0400
43207 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-22 19:36:32.000000000 -0400
43208 @@ -186,7 +186,7 @@ static int cs5530_blank_display(struct f
43209 return 0;
43210 }
43211
43212 -struct geode_vid_ops cs5530_vid_ops = {
43213 +const struct geode_vid_ops cs5530_vid_ops = {
43214 .set_dclk = cs5530_set_dclk_frequency,
43215 .configure_display = cs5530_configure_display,
43216 .blank_display = cs5530_blank_display,
43217 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.h linux-2.6.39.3/drivers/video/geode/video_cs5530.h
43218 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-19 00:06:34.000000000 -0400
43219 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-22 19:36:32.000000000 -0400
43220 @@ -15,7 +15,7 @@
43221 #ifndef __VIDEO_CS5530_H__
43222 #define __VIDEO_CS5530_H__
43223
43224 -extern struct geode_vid_ops cs5530_vid_ops;
43225 +extern const struct geode_vid_ops cs5530_vid_ops;
43226
43227 /* CS5530 Video device registers */
43228
43229 diff -urNp linux-2.6.39.3/drivers/video/i810/i810_accel.c linux-2.6.39.3/drivers/video/i810/i810_accel.c
43230 --- linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-19 00:06:34.000000000 -0400
43231 +++ linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-22 19:36:32.000000000 -0400
43232 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
43233 }
43234 }
43235 printk("ringbuffer lockup!!!\n");
43236 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
43237 i810_report_error(mmio);
43238 par->dev_flags |= LOCKUP;
43239 info->pixmap.scan_align = 1;
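Review bot: The added `printk` has no `KERN_` level or driver prefix, so the diagnostic is logged at the default level and is hard to attribute. Something like `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would fix both. The declarations of `head`, `tail` and `space` are outside this hunk, so it is worth confirming that all four arguments really are `unsigned int` to match `%u`. wait_for_space begins before the hunk.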
43240 diff -urNp linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c
43241 --- linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-19 00:06:34.000000000 -0400
43242 +++ linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-22 19:36:32.000000000 -0400
43243 @@ -1232,7 +1232,7 @@ static struct fb_ops matroxfb_ops = {
43244 #define RSText 0x7
43245 #define RSText8 0x8
43246 /* 9-F */
43247 -static struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43248 +static const struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43249 { { 0, 8, 0}, { 0, 8, 0}, { 0, 8, 0}, { 0, 0, 0}, 8 },
43250 { { 10, 5, 0}, { 5, 5, 0}, { 0, 5, 0}, { 15, 1, 0}, 16 },
43251 { { 11, 5, 0}, { 5, 6, 0}, { 0, 5, 0}, { 0, 0, 0}, 16 },
43252 diff -urNp linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c
43253 --- linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-19 00:06:34.000000000 -0400
43254 +++ linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-22 19:36:32.000000000 -0400
43255 @@ -87,7 +87,7 @@ static int ams_delta_lcd_get_contrast(st
43256 return ams_delta_lcd & AMS_DELTA_MAX_CONTRAST;
43257 }
43258
43259 -static struct lcd_ops ams_delta_lcd_ops = {
43260 +static const struct lcd_ops ams_delta_lcd_ops = {
43261 .get_power = ams_delta_lcd_get_power,
43262 .set_power = ams_delta_lcd_set_power,
43263 .get_contrast = ams_delta_lcd_get_contrast,
43264 diff -urNp linux-2.6.39.3/drivers/video/pxa3xx-gcu.c linux-2.6.39.3/drivers/video/pxa3xx-gcu.c
43265 --- linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-19 00:06:34.000000000 -0400
43266 +++ linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-22 19:36:32.000000000 -0400
43267 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
43268 dma_addr_t shared_phys;
43269 struct resource *resource_mem;
43270 struct miscdevice misc_dev;
43271 - struct file_operations misc_fops;
43272 + const struct file_operations misc_fops;
43273 wait_queue_head_t wait_idle;
43274 wait_queue_head_t wait_free;
43275 spinlock_t spinlock;
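Review bot: Making `misc_fops` a `const` member of `struct pxa3xx_gcu_priv` only works if nothing assigns to its fields after the struct is allocated, and this is the only hunk for the file, so no initialisation site is adjusted. If the driver fills `priv->misc_fops` at probe time (likely, since the table is embedded per device rather than defined statically), those assignments will no longer compile. A file-scope `static const struct file_operations` with the member reduced to a `const struct file_operations *` would give the read-only property without that problem. The struct definition continues outside the hunk.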
43276 diff -urNp linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c
43277 --- linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-19 00:06:34.000000000 -0400
43278 +++ linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-22 19:36:32.000000000 -0400
43279 @@ -245,7 +245,7 @@ static unsigned long lcdc_sys_read_data(
43280 return lcdc_read(ch->lcdc, _LDDRDR) & 0x3ffff;
43281 }
43282
43283 -struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43284 +const struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43285 lcdc_sys_write_index,
43286 lcdc_sys_write_data,
43287 lcdc_sys_read_data,
43288 diff -urNp linux-2.6.39.3/drivers/video/udlfb.c linux-2.6.39.3/drivers/video/udlfb.c
43289 --- linux-2.6.39.3/drivers/video/udlfb.c 2011-05-19 00:06:34.000000000 -0400
43290 +++ linux-2.6.39.3/drivers/video/udlfb.c 2011-05-22 19:36:32.000000000 -0400
43291 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
43292 dlfb_urb_completion(urb);
43293
43294 error:
43295 - atomic_add(bytes_sent, &dev->bytes_sent);
43296 - atomic_add(bytes_identical, &dev->bytes_identical);
43297 - atomic_add(width*height*2, &dev->bytes_rendered);
43298 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43299 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43300 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
43301 end_cycles = get_cycles();
43302 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43303 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43304 >> 10)), /* Kcycles */
43305 &dev->cpu_kcycles_used);
43306
43307 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
43308 dlfb_urb_completion(urb);
43309
43310 error:
43311 - atomic_add(bytes_sent, &dev->bytes_sent);
43312 - atomic_add(bytes_identical, &dev->bytes_identical);
43313 - atomic_add(bytes_rendered, &dev->bytes_rendered);
43314 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43315 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43316 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
43317 end_cycles = get_cycles();
43318 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43319 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43320 >> 10)), /* Kcycles */
43321 &dev->cpu_kcycles_used);
43322 }
43323 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
43324 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43325 struct dlfb_data *dev = fb_info->par;
43326 return snprintf(buf, PAGE_SIZE, "%u\n",
43327 - atomic_read(&dev->bytes_rendered));
43328 + atomic_read_unchecked(&dev->bytes_rendered));
43329 }
43330
43331 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
43332 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
43333 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43334 struct dlfb_data *dev = fb_info->par;
43335 return snprintf(buf, PAGE_SIZE, "%u\n",
43336 - atomic_read(&dev->bytes_identical));
43337 + atomic_read_unchecked(&dev->bytes_identical));
43338 }
43339
43340 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
43341 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
43342 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43343 struct dlfb_data *dev = fb_info->par;
43344 return snprintf(buf, PAGE_SIZE, "%u\n",
43345 - atomic_read(&dev->bytes_sent));
43346 + atomic_read_unchecked(&dev->bytes_sent));
43347 }
43348
43349 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
43350 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
43351 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43352 struct dlfb_data *dev = fb_info->par;
43353 return snprintf(buf, PAGE_SIZE, "%u\n",
43354 - atomic_read(&dev->cpu_kcycles_used));
43355 + atomic_read_unchecked(&dev->cpu_kcycles_used));
43356 }
43357
43358 static ssize_t edid_show(
43359 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
43360 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43361 struct dlfb_data *dev = fb_info->par;
43362
43363 - atomic_set(&dev->bytes_rendered, 0);
43364 - atomic_set(&dev->bytes_identical, 0);
43365 - atomic_set(&dev->bytes_sent, 0);
43366 - atomic_set(&dev->cpu_kcycles_used, 0);
43367 + atomic_set_unchecked(&dev->bytes_rendered, 0);
43368 + atomic_set_unchecked(&dev->bytes_identical, 0);
43369 + atomic_set_unchecked(&dev->bytes_sent, 0);
43370 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
43371
43372 return count;
43373 }
43374 diff -urNp linux-2.6.39.3/drivers/video/uvesafb.c linux-2.6.39.3/drivers/video/uvesafb.c
43375 --- linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-19 00:06:34.000000000 -0400
43376 +++ linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-22 19:36:32.000000000 -0400
43377 @@ -19,6 +19,7 @@
43378 #include <linux/io.h>
43379 #include <linux/mutex.h>
43380 #include <linux/slab.h>
43381 +#include <linux/moduleloader.h>
43382 #include <video/edid.h>
43383 #include <video/uvesafb.h>
43384 #ifdef CONFIG_X86
43385 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
43386 NULL,
43387 };
43388
43389 - return call_usermodehelper(v86d_path, argv, envp, 1);
43390 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43391 }
43392
43393 /*
43394 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
43395 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43396 par->pmi_setpal = par->ypan = 0;
43397 } else {
43398 +
43399 +#ifdef CONFIG_PAX_KERNEXEC
43400 +#ifdef CONFIG_MODULES
43401 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43402 +#endif
43403 + if (!par->pmi_code) {
43404 + par->pmi_setpal = par->ypan = 0;
43405 + return 0;
43406 + }
43407 +#endif
43408 +
43409 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43410 + task->t.regs.edi);
43411 +
43412 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43413 + pax_open_kernel();
43414 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43415 + pax_close_kernel();
43416 +
43417 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43418 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43419 +#else
43420 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43421 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43422 +#endif
43423 +
43424 printk(KERN_INFO "uvesafb: protected mode interface info at "
43425 "%04x:%04x\n",
43426 (u16)task->t.regs.es, (u16)task->t.regs.edi);
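Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared with the `(u16)task->t.regs.ecx` length that was allocated and copied, so `pmi_start` and `pmi_pal` can land outside the executable copy when the firmware-reported table is inconsistent. A guard before the `ktva_ktla()` lines, such as `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` followed by the existing `par->pmi_setpal = par->ypan = 0;` fallback, would keep both pointers inside the allocation. The vesafb.c hunk at `@@ -316,9 +326,25 @@` has the same pattern with `screen_info.vesapm_size` and needs the same check. uvesafb_vbe_getpmi starts and ends outside this hunk.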
43427 @@ -1821,6 +1844,11 @@ out:
43428 if (par->vbe_modes)
43429 kfree(par->vbe_modes);
43430
43431 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43432 + if (par->pmi_code)
43433 + module_free_exec(NULL, par->pmi_code);
43434 +#endif
43435 +
43436 framebuffer_release(info);
43437 return err;
43438 }
43439 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
43440 kfree(par->vbe_state_orig);
43441 if (par->vbe_state_saved)
43442 kfree(par->vbe_state_saved);
43443 +
43444 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43445 + if (par->pmi_code)
43446 + module_free_exec(NULL, par->pmi_code);
43447 +#endif
43448 +
43449 }
43450
43451 framebuffer_release(info);
43452 @@ -2013,7 +2047,7 @@ static int param_set_scroll(const char *
43453
43454 return 0;
43455 }
43456 -static struct kernel_param_ops param_ops_scroll = {
43457 +static const struct kernel_param_ops param_ops_scroll = {
43458 .set = param_set_scroll,
43459 };
43460 #define param_check_scroll(name, p) __param_check(name, p, void)
43461 diff -urNp linux-2.6.39.3/drivers/video/vesafb.c linux-2.6.39.3/drivers/video/vesafb.c
43462 --- linux-2.6.39.3/drivers/video/vesafb.c 2011-05-19 00:06:34.000000000 -0400
43463 +++ linux-2.6.39.3/drivers/video/vesafb.c 2011-05-22 19:36:32.000000000 -0400
43464 @@ -9,6 +9,7 @@
43465 */
43466
43467 #include <linux/module.h>
43468 +#include <linux/moduleloader.h>
43469 #include <linux/kernel.h>
43470 #include <linux/errno.h>
43471 #include <linux/string.h>
43472 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
43473 static int vram_total __initdata; /* Set total amount of memory */
43474 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43475 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43476 -static void (*pmi_start)(void) __read_mostly;
43477 -static void (*pmi_pal) (void) __read_mostly;
43478 +static void (*pmi_start)(void) __read_only;
43479 +static void (*pmi_pal) (void) __read_only;
43480 static int depth __read_mostly;
43481 static int vga_compat __read_mostly;
43482 /* --------------------------------------------------------------------- */
43483 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
43484 unsigned int size_vmode;
43485 unsigned int size_remap;
43486 unsigned int size_total;
43487 + void *pmi_code = NULL;
43488
43489 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43490 return -ENODEV;
43491 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
43492 size_remap = size_total;
43493 vesafb_fix.smem_len = size_remap;
43494
43495 -#ifndef __i386__
43496 - screen_info.vesapm_seg = 0;
43497 -#endif
43498 -
43499 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43500 printk(KERN_WARNING
43501 "vesafb: cannot reserve video memory at 0x%lx\n",
43502 @@ -306,9 +304,21 @@ static int __init vesafb_probe(struct pl
43503 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43504 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43505
43506 +#ifdef __i386__
43507 +
43508 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43509 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43510 + if (!pmi_code)
43511 +#elif !defined(CONFIG_PAX_KERNEXEC)
43512 + if (0)
43513 +#endif
43514 +
43515 +#endif
43516 + screen_info.vesapm_seg = 0;
43517 +
43518 if (screen_info.vesapm_seg) {
43519 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43520 - screen_info.vesapm_seg,screen_info.vesapm_off);
43521 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43522 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43523 }
43524
43525 if (screen_info.vesapm_seg < 0xc000)
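Review bot: The statement `screen_info.vesapm_seg = 0;` is governed by an `if` that exists only in some preprocessor branches, so it reads as unconditional but is not. On i386 with KERNEXEC and modules it runs only when `module_alloc_exec()` fails, on i386 without KERNEXEC it sits under `if (0)`, and in every other configuration it is unconditional. Setting a local flag inside the `#if` branches and then writing one plain `if (!pmi_usable) screen_info.vesapm_seg = 0;` would make the three cases explicit and keep a later edit from detaching the statement from its guard. The allocation is also made before the `vesapm_seg < 0xc000` test, so it happens even when the interface ends up unused. vesafb_probe continues outside the hunk.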
43526 @@ -316,9 +326,25 @@ static int __init vesafb_probe(struct pl
43527
43528 if (ypan || pmi_setpal) {
43529 unsigned short *pmi_base;
43530 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43531 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43532 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43533 +
43534 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43535 +
43536 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43537 + pax_open_kernel();
43538 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43539 +#else
43540 + pmi_code = pmi_base;
43541 +#endif
43542 +
43543 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43544 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43545 +
43546 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43547 + pmi_start = ktva_ktla(pmi_start);
43548 + pmi_pal = ktva_ktla(pmi_pal);
43549 + pax_close_kernel();
43550 +#endif
43551 +
43552 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43553 if (pmi_base[3]) {
43554 printk(KERN_INFO "vesafb: pmi: ports = ");
43555 @@ -487,6 +513,11 @@ static int __init vesafb_probe(struct pl
43556 info->node, info->fix.id);
43557 return 0;
43558 err:
43559 +
43560 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43561 + module_free_exec(NULL, pmi_code);
43562 +#endif
43563 +
43564 if (info->screen_base)
43565 iounmap(info->screen_base);
43566 framebuffer_release(info);
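Review bot: `module_free_exec(NULL, pmi_code)` at `err:` runs without a NULL test, while both uvesafb.c cleanup hunks on this page guard the same call with `if (par->pmi_code)`. `pmi_code` is initialised to NULL in this function and stays NULL when `module_alloc_exec()` fails, and whether `module_free_exec()` tolerates NULL is not visible here, so `if (pmi_code) module_free_exec(NULL, pmi_code);` is the safer form. Separately, the `return 0;` success path shown does not release the buffer when `ypan` and `pmi_setpal` both end up 0, so the executable allocation appears to stay allocated unused; that should be confirmed against the full function, which lies outside the hunk.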
43567 diff -urNp linux-2.6.39.3/drivers/virtio/virtio_balloon.c linux-2.6.39.3/drivers/virtio/virtio_balloon.c
43568 --- linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-19 00:06:34.000000000 -0400
43569 +++ linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-22 19:36:32.000000000 -0400
43570 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
43571 struct sysinfo i;
43572 int idx = 0;
43573
43574 + pax_track_stack();
43575 +
43576 all_vm_events(events);
43577 si_meminfo(&i);
43578
43579 diff -urNp linux-2.6.39.3/drivers/xen/gntalloc.c linux-2.6.39.3/drivers/xen/gntalloc.c
43580 --- linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-19 00:06:34.000000000 -0400
43581 +++ linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-22 19:36:32.000000000 -0400
43582 @@ -440,7 +440,7 @@ static void gntalloc_vma_close(struct vm
43583 spin_unlock(&gref_lock);
43584 }
43585
43586 -static struct vm_operations_struct gntalloc_vmops = {
43587 +static const struct vm_operations_struct gntalloc_vmops = {
43588 .close = gntalloc_vma_close,
43589 };
43590
43591 diff -urNp linux-2.6.39.3/drivers/xen/gntdev.c linux-2.6.39.3/drivers/xen/gntdev.c
43592 --- linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-19 00:06:34.000000000 -0400
43593 +++ linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-22 19:36:32.000000000 -0400
43594 @@ -340,7 +340,7 @@ static void gntdev_vma_close(struct vm_a
43595 gntdev_put_map(map);
43596 }
43597
43598 -static struct vm_operations_struct gntdev_vmops = {
43599 +static const struct vm_operations_struct gntdev_vmops = {
43600 .close = gntdev_vma_close,
43601 };
43602
43603 @@ -404,7 +404,7 @@ static void mn_release(struct mmu_notifi
43604 spin_unlock(&priv->lock);
43605 }
43606
43607 -struct mmu_notifier_ops gntdev_mmu_ops = {
43608 +const struct mmu_notifier_ops gntdev_mmu_ops = {
43609 .release = mn_release,
43610 .invalidate_page = mn_invl_page,
43611 .invalidate_range_start = mn_invl_range_start,
43612 diff -urNp linux-2.6.39.3/drivers/xen/xenfs/privcmd.c linux-2.6.39.3/drivers/xen/xenfs/privcmd.c
43613 --- linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-19 00:06:34.000000000 -0400
43614 +++ linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-22 19:36:32.000000000 -0400
43615 @@ -268,7 +268,7 @@ static int mmap_return_errors(void *data
43616 return put_user(*mfnp, st->user++);
43617 }
43618
43619 -static struct vm_operations_struct privcmd_vm_ops;
43620 +static const struct vm_operations_struct privcmd_vm_ops;
43621
43622 static long privcmd_ioctl_mmap_batch(void __user *udata)
43623 {
43624 @@ -369,7 +369,7 @@ static int privcmd_fault(struct vm_area_
43625 return VM_FAULT_SIGBUS;
43626 }
43627
43628 -static struct vm_operations_struct privcmd_vm_ops = {
43629 +static const struct vm_operations_struct privcmd_vm_ops = {
43630 .fault = privcmd_fault
43631 };
43632
43633 diff -urNp linux-2.6.39.3/fs/9p/vfs_inode.c linux-2.6.39.3/fs/9p/vfs_inode.c
43634 --- linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-19 00:06:34.000000000 -0400
43635 +++ linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-22 19:36:32.000000000 -0400
43636 @@ -1210,7 +1210,7 @@ static void *v9fs_vfs_follow_link(struct
43637 void
43638 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43639 {
43640 - char *s = nd_get_link(nd);
43641 + const char *s = nd_get_link(nd);
43642
43643 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43644 IS_ERR(s) ? "<error>" : s);
43645 diff -urNp linux-2.6.39.3/fs/aio.c linux-2.6.39.3/fs/aio.c
43646 --- linux-2.6.39.3/fs/aio.c 2011-05-19 00:06:34.000000000 -0400
43647 +++ linux-2.6.39.3/fs/aio.c 2011-06-03 01:00:34.000000000 -0400
43648 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
43649 size += sizeof(struct io_event) * nr_events;
43650 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43651
43652 - if (nr_pages < 0)
43653 + if (nr_pages <= 0)
43654 return -EINVAL;
43655
43656 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
43657 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
43658 struct aio_timeout to;
43659 int retry = 0;
43660
43661 + pax_track_stack();
43662 +
43663 /* needed to zero any padding within an entry (there shouldn't be
43664 * any, but C is fun!
43665 */
43666 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
43667 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
43668 {
43669 ssize_t ret;
43670 + struct iovec iovstack;
43671
43672 #ifdef CONFIG_COMPAT
43673 if (compat)
43674 ret = compat_rw_copy_check_uvector(type,
43675 (struct compat_iovec __user *)kiocb->ki_buf,
43676 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43677 + kiocb->ki_nbytes, 1, &iovstack,
43678 &kiocb->ki_iovec);
43679 else
43680 #endif
43681 ret = rw_copy_check_uvector(type,
43682 (struct iovec __user *)kiocb->ki_buf,
43683 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43684 + kiocb->ki_nbytes, 1, &iovstack,
43685 &kiocb->ki_iovec);
43686 if (ret < 0)
43687 goto out;
43688
43689 + if (kiocb->ki_iovec == &iovstack) {
43690 + kiocb->ki_inline_vec = iovstack;
43691 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
43692 + }
43693 kiocb->ki_nr_segs = kiocb->ki_nbytes;
43694 kiocb->ki_cur_seg = 0;
43695 /* ki_nbytes/left now reflect bytes instead of segs */
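Review bot: The `kiocb->ki_iovec == &iovstack` fix-up sits after the `if (ret < 0) goto out;` test, so on a failed copy `kiocb->ki_iovec` may be left pointing at the on-stack `iovstack`. That depends on whether `rw_copy_check_uvector()` and `compat_rw_copy_check_uvector()` store the fast pointer through their last argument before returning an error, which this hunk does not show. If they do, any later cleanup that compares `ki_iovec` with `&kiocb->ki_inline_vec` before freeing it would be handed a dangling stack address. Moving the four-line fix-up block above the `ret < 0` check removes that dependency. The `out:` label and the rest of aio_setup_vectored_rw are outside the hunk.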
43696 diff -urNp linux-2.6.39.3/fs/attr.c linux-2.6.39.3/fs/attr.c
43697 --- linux-2.6.39.3/fs/attr.c 2011-05-19 00:06:34.000000000 -0400
43698 +++ linux-2.6.39.3/fs/attr.c 2011-05-22 19:41:37.000000000 -0400
43699 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
43700 unsigned long limit;
43701
43702 limit = rlimit(RLIMIT_FSIZE);
43703 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43704 if (limit != RLIM_INFINITY && offset > limit)
43705 goto out_sig;
43706 if (offset > inode->i_sb->s_maxbytes)
43707 diff -urNp linux-2.6.39.3/fs/befs/linuxvfs.c linux-2.6.39.3/fs/befs/linuxvfs.c
43708 --- linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-19 00:06:34.000000000 -0400
43709 +++ linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-22 19:36:32.000000000 -0400
43710 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43711 {
43712 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43713 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43714 - char *link = nd_get_link(nd);
43715 + const char *link = nd_get_link(nd);
43716 if (!IS_ERR(link))
43717 kfree(link);
43718 }
43719 diff -urNp linux-2.6.39.3/fs/binfmt_aout.c linux-2.6.39.3/fs/binfmt_aout.c
43720 --- linux-2.6.39.3/fs/binfmt_aout.c 2011-05-19 00:06:34.000000000 -0400
43721 +++ linux-2.6.39.3/fs/binfmt_aout.c 2011-05-22 19:41:37.000000000 -0400
43722 @@ -16,6 +16,7 @@
43723 #include <linux/string.h>
43724 #include <linux/fs.h>
43725 #include <linux/file.h>
43726 +#include <linux/security.h>
43727 #include <linux/stat.h>
43728 #include <linux/fcntl.h>
43729 #include <linux/ptrace.h>
43730 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
43731 #endif
43732 # define START_STACK(u) ((void __user *)u.start_stack)
43733
43734 + memset(&dump, 0, sizeof(dump));
43735 +
43736 fs = get_fs();
43737 set_fs(KERNEL_DS);
43738 has_dumped = 1;
43739 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
43740
43741 /* If the size of the dump file exceeds the rlimit, then see what would happen
43742 if we wrote the stack, but not the data area. */
43743 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43744 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
43745 dump.u_dsize = 0;
43746
43747 /* Make sure we have enough room to write the stack and data areas. */
43748 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43749 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
43750 dump.u_ssize = 0;
43751
43752 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
43753 rlim = rlimit(RLIMIT_DATA);
43754 if (rlim >= RLIM_INFINITY)
43755 rlim = ~0;
43756 +
43757 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43758 if (ex.a_data + ex.a_bss > rlim)
43759 return -ENOMEM;
43760
43761 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
43762 install_exec_creds(bprm);
43763 current->flags &= ~PF_FORKNOEXEC;
43764
43765 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43766 + current->mm->pax_flags = 0UL;
43767 +#endif
43768 +
43769 +#ifdef CONFIG_PAX_PAGEEXEC
43770 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43771 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43772 +
43773 +#ifdef CONFIG_PAX_EMUTRAMP
43774 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43775 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43776 +#endif
43777 +
43778 +#ifdef CONFIG_PAX_MPROTECT
43779 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43780 + current->mm->pax_flags |= MF_PAX_MPROTECT;
43781 +#endif
43782 +
43783 + }
43784 +#endif
43785 +
43786 if (N_MAGIC(ex) == OMAGIC) {
43787 unsigned long text_addr, map_size;
43788 loff_t pos;
43789 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
43790
43791 down_write(&current->mm->mmap_sem);
43792 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43793 - PROT_READ | PROT_WRITE | PROT_EXEC,
43794 + PROT_READ | PROT_WRITE,
43795 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43796 fd_offset + ex.a_text);
43797 up_write(&current->mm->mmap_sem);
43798 diff -urNp linux-2.6.39.3/fs/binfmt_elf.c linux-2.6.39.3/fs/binfmt_elf.c
43799 --- linux-2.6.39.3/fs/binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
43800 +++ linux-2.6.39.3/fs/binfmt_elf.c 2011-05-22 19:41:37.000000000 -0400
43801 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
43802 #define elf_core_dump NULL
43803 #endif
43804
43805 +#ifdef CONFIG_PAX_MPROTECT
43806 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43807 +#endif
43808 +
43809 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43810 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43811 #else
43812 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
43813 .load_binary = load_elf_binary,
43814 .load_shlib = load_elf_library,
43815 .core_dump = elf_core_dump,
43816 +
43817 +#ifdef CONFIG_PAX_MPROTECT
43818 + .handle_mprotect= elf_handle_mprotect,
43819 +#endif
43820 +
43821 .min_coredump = ELF_EXEC_PAGESIZE,
43822 };
43823
43824 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43825
43826 static int set_brk(unsigned long start, unsigned long end)
43827 {
43828 + unsigned long e = end;
43829 +
43830 start = ELF_PAGEALIGN(start);
43831 end = ELF_PAGEALIGN(end);
43832 if (end > start) {
43833 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43834 if (BAD_ADDR(addr))
43835 return addr;
43836 }
43837 - current->mm->start_brk = current->mm->brk = end;
43838 + current->mm->start_brk = current->mm->brk = e;
43839 return 0;
43840 }
43841
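Review bot: The assignment `current->mm->start_brk = current->mm->brk = e;` changes which value the heap start takes, and neither the one-letter name nor a comment explains why. `e` is the caller's `end` captured in the previous hunk before `ELF_PAGEALIGN()` is applied, so brk now keeps the unaligned address while the mapping is still made on the aligned range. A comment at the declaration, such as `/* unaligned end: brk must not be rounded up to the page boundary */`, together with a name like `unaligned_end`, would record the intent. set_brk is split across this hunk and the one before it.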
43842 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43843 elf_addr_t __user *u_rand_bytes;
43844 const char *k_platform = ELF_PLATFORM;
43845 const char *k_base_platform = ELF_BASE_PLATFORM;
43846 - unsigned char k_rand_bytes[16];
43847 + u32 k_rand_bytes[4];
43848 int items;
43849 elf_addr_t *elf_info;
43850 int ei_index = 0;
43851 const struct cred *cred = current_cred();
43852 struct vm_area_struct *vma;
43853 + unsigned long saved_auxv[AT_VECTOR_SIZE];
43854 +
43855 + pax_track_stack();
43856
43857 /*
43858 * In some cases (e.g. Hyper-Threading), we want to avoid L1
43859 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43860 * Generate 16 random bytes for userspace PRNG seeding.
43861 */
43862 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43863 - u_rand_bytes = (elf_addr_t __user *)
43864 - STACK_ALLOC(p, sizeof(k_rand_bytes));
43865 + srandom32(k_rand_bytes[0] ^ random32());
43866 + srandom32(k_rand_bytes[1] ^ random32());
43867 + srandom32(k_rand_bytes[2] ^ random32());
43868 + srandom32(k_rand_bytes[3] ^ random32());
43869 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
43870 + u_rand_bytes = (elf_addr_t __user *) p;
43871 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43872 return -EFAULT;
43873
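Review bot: The four `srandom32()` calls reseed the kernel's `random32()` generator from the same `k_rand_bytes` words that `__copy_to_user()` hands to the new process a few lines later, so part of the reseed input is disclosed to userspace. The XOR with `random32()` mixes in existing state, but how much that protects depends on the generator, which is not visible here. Drawing a separate value for the reseed, e.g. `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`, keeps the userspace seed independent of kernel PRNG state. The comment above still says only "Generate 16 random bytes for userspace PRNG seeding" and should mention the reseed. create_elf_tables starts and ends outside this hunk.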
43874 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43875 return -EFAULT;
43876 current->mm->env_end = p;
43877
43878 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43879 +
43880 /* Put the elf_info on the stack in the right place. */
43881 sp = (elf_addr_t __user *)envp + 1;
43882 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43883 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43884 return -EFAULT;
43885 return 0;
43886 }
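Review bot: The `memcpy()` into `saved_auxv` is sized by `ei_index * sizeof(elf_addr_t)`, and nothing in the visible lines ties `ei_index` to the `AT_VECTOR_SIZE` elements of the stack array declared in the earlier hunk. Presumably the code that fills `elf_info` outside this hunk keeps it within that bound; an explicit `BUG_ON(ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv));` before the copy would make the assumption checkable. A one-line comment saying why the vector is bounced through a stack copy before `copy_to_user()` is also missing.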
43887 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
43888 {
43889 struct elf_phdr *elf_phdata;
43890 struct elf_phdr *eppnt;
43891 - unsigned long load_addr = 0;
43892 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43893 int load_addr_set = 0;
43894 unsigned long last_bss = 0, elf_bss = 0;
43895 - unsigned long error = ~0UL;
43896 + unsigned long error = -EINVAL;
43897 unsigned long total_size;
43898 int retval, i, size;
43899
43900 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
43901 goto out_close;
43902 }
43903
43904 +#ifdef CONFIG_PAX_SEGMEXEC
43905 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43906 + pax_task_size = SEGMEXEC_TASK_SIZE;
43907 +#endif
43908 +
43909 eppnt = elf_phdata;
43910 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43911 if (eppnt->p_type == PT_LOAD) {
43912 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
43913 k = load_addr + eppnt->p_vaddr;
43914 if (BAD_ADDR(k) ||
43915 eppnt->p_filesz > eppnt->p_memsz ||
43916 - eppnt->p_memsz > TASK_SIZE ||
43917 - TASK_SIZE - eppnt->p_memsz < k) {
43918 + eppnt->p_memsz > pax_task_size ||
43919 + pax_task_size - eppnt->p_memsz < k) {
43920 error = -ENOMEM;
43921 goto out_close;
43922 }
43923 @@ -528,6 +553,193 @@ out:
43924 return error;
43925 }
43926
43927 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43928 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43929 +{
43930 + unsigned long pax_flags = 0UL;
43931 +
43932 +#ifdef CONFIG_PAX_PAGEEXEC
43933 + if (elf_phdata->p_flags & PF_PAGEEXEC)
43934 + pax_flags |= MF_PAX_PAGEEXEC;
43935 +#endif
43936 +
43937 +#ifdef CONFIG_PAX_SEGMEXEC
43938 + if (elf_phdata->p_flags & PF_SEGMEXEC)
43939 + pax_flags |= MF_PAX_SEGMEXEC;
43940 +#endif
43941 +
43942 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43943 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43944 + if ((__supported_pte_mask & _PAGE_NX))
43945 + pax_flags &= ~MF_PAX_SEGMEXEC;
43946 + else
43947 + pax_flags &= ~MF_PAX_PAGEEXEC;
43948 + }
43949 +#endif
43950 +
43951 +#ifdef CONFIG_PAX_EMUTRAMP
43952 + if (elf_phdata->p_flags & PF_EMUTRAMP)
43953 + pax_flags |= MF_PAX_EMUTRAMP;
43954 +#endif
43955 +
43956 +#ifdef CONFIG_PAX_MPROTECT
43957 + if (elf_phdata->p_flags & PF_MPROTECT)
43958 + pax_flags |= MF_PAX_MPROTECT;
43959 +#endif
43960 +
43961 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43962 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43963 + pax_flags |= MF_PAX_RANDMMAP;
43964 +#endif
43965 +
43966 + return pax_flags;
43967 +}
43968 +#endif
43969 +
43970 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
43971 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
43972 +{
43973 + unsigned long pax_flags = 0UL;
43974 +
43975 +#ifdef CONFIG_PAX_PAGEEXEC
43976 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
43977 + pax_flags |= MF_PAX_PAGEEXEC;
43978 +#endif
43979 +
43980 +#ifdef CONFIG_PAX_SEGMEXEC
43981 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
43982 + pax_flags |= MF_PAX_SEGMEXEC;
43983 +#endif
43984 +
43985 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43986 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43987 + if ((__supported_pte_mask & _PAGE_NX))
43988 + pax_flags &= ~MF_PAX_SEGMEXEC;
43989 + else
43990 + pax_flags &= ~MF_PAX_PAGEEXEC;
43991 + }
43992 +#endif
43993 +
43994 +#ifdef CONFIG_PAX_EMUTRAMP
43995 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
43996 + pax_flags |= MF_PAX_EMUTRAMP;
43997 +#endif
43998 +
43999 +#ifdef CONFIG_PAX_MPROTECT
44000 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
44001 + pax_flags |= MF_PAX_MPROTECT;
44002 +#endif
44003 +
44004 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44005 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
44006 + pax_flags |= MF_PAX_RANDMMAP;
44007 +#endif
44008 +
44009 + return pax_flags;
44010 +}
44011 +#endif
44012 +
44013 +#ifdef CONFIG_PAX_EI_PAX
44014 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
44015 +{
44016 + unsigned long pax_flags = 0UL;
44017 +
44018 +#ifdef CONFIG_PAX_PAGEEXEC
44019 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
44020 + pax_flags |= MF_PAX_PAGEEXEC;
44021 +#endif
44022 +
44023 +#ifdef CONFIG_PAX_SEGMEXEC
44024 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
44025 + pax_flags |= MF_PAX_SEGMEXEC;
44026 +#endif
44027 +
44028 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44029 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44030 + if ((__supported_pte_mask & _PAGE_NX))
44031 + pax_flags &= ~MF_PAX_SEGMEXEC;
44032 + else
44033 + pax_flags &= ~MF_PAX_PAGEEXEC;
44034 + }
44035 +#endif
44036 +
44037 +#ifdef CONFIG_PAX_EMUTRAMP
44038 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
44039 + pax_flags |= MF_PAX_EMUTRAMP;
44040 +#endif
44041 +
44042 +#ifdef CONFIG_PAX_MPROTECT
44043 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
44044 + pax_flags |= MF_PAX_MPROTECT;
44045 +#endif
44046 +
44047 +#ifdef CONFIG_PAX_ASLR
44048 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
44049 + pax_flags |= MF_PAX_RANDMMAP;
44050 +#endif
44051 +
44052 + return pax_flags;
44053 +}
44054 +#endif
44055 +
44056 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44057 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
44058 +{
44059 + unsigned long pax_flags = 0UL;
44060 +
44061 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44062 + unsigned long i;
44063 + int found_flags = 0;
44064 +#endif
44065 +
44066 +#ifdef CONFIG_PAX_EI_PAX
44067 + pax_flags = pax_parse_ei_pax(elf_ex);
44068 +#endif
44069 +
44070 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44071 + for (i = 0UL; i < elf_ex->e_phnum; i++)
44072 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
44073 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
44074 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
44075 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
44076 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
44077 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
44078 + return -EINVAL;
44079 +
44080 +#ifdef CONFIG_PAX_SOFTMODE
44081 + if (pax_softmode)
44082 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
44083 + else
44084 +#endif
44085 +
44086 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
44087 + found_flags = 1;
44088 + break;
44089 + }
44090 +#endif
44091 +
44092 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
44093 + if (found_flags == 0) {
44094 + struct elf_phdr phdr;
44095 + memset(&phdr, 0, sizeof(phdr));
44096 + phdr.p_flags = PF_NOEMUTRAMP;
44097 +#ifdef CONFIG_PAX_SOFTMODE
44098 + if (pax_softmode)
44099 + pax_flags = pax_parse_softmode(&phdr);
44100 + else
44101 +#endif
44102 + pax_flags = pax_parse_hardmode(&phdr);
44103 + }
44104 +#endif
44105 +
44106 + if (0 > pax_check_flags(&pax_flags))
44107 + return -EINVAL;
44108 +
44109 + current->mm->pax_flags = pax_flags;
44110 + return 0;
44111 +}
44112 +#endif
44113 +
44114 /*
44115 * These are the functions used to load ELF style executables and shared
44116 * libraries. There is no binary dependent code anywhere else.
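Review bot: `pax_parse_softmode()`, `pax_parse_hardmode()` and `pax_parse_ei_pax()` carry no comment stating their polarity, which is the security-relevant difference between them. Softmode enables a protection only when its `PF_*` bit is set, hardmode enables it unless the `PF_NO*` bit is set, and in the EI_PAX path only EMUTRAMP is opt-in. I would add a one-line header to each, e.g. `/* softmode: protections are opt-in via PF_* */` and `/* hardmode: protections are on unless PF_NO* is set */`. In `pax_parse_elf_flags()` the `else` inside `#ifdef CONFIG_PAX_SOFTMODE` binds to a statement that sits after `#endif` and a blank line; bracing both branches would make that harder to break.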
44117 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
44118 {
44119 unsigned int random_variable = 0;
44120
44121 +#ifdef CONFIG_PAX_RANDUSTACK
44122 + if (randomize_va_space)
44123 + return stack_top - current->mm->delta_stack;
44124 +#endif
44125 +
44126 if ((current->flags & PF_RANDOMIZE) &&
44127 !(current->personality & ADDR_NO_RANDOMIZE)) {
44128 random_variable = get_random_int() & STACK_RND_MASK;
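Review bot: The early return under `CONFIG_PAX_RANDUSTACK` depends only on `randomize_va_space`, so it is taken even when `delta_stack` is still 0 and it bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test below it. In load_elf_binary `delta_stack` is zeroed and only set when `MF_PAX_RANDMMAP` is set, so a binary with that flag off gets no stack offset from this function even with `randomize_va_space` enabled. If that is the intended opt-out, a comment should say so, e.g. `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP is set */`. The tail of randomize_stack_top is outside this hunk.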
44129 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
44130 unsigned long load_addr = 0, load_bias = 0;
44131 int load_addr_set = 0;
44132 char * elf_interpreter = NULL;
44133 - unsigned long error;
44134 + unsigned long error = 0;
44135 struct elf_phdr *elf_ppnt, *elf_phdata;
44136 unsigned long elf_bss, elf_brk;
44137 int retval, i;
44138 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
44139 unsigned long start_code, end_code, start_data, end_data;
44140 unsigned long reloc_func_desc __maybe_unused = 0;
44141 int executable_stack = EXSTACK_DEFAULT;
44142 - unsigned long def_flags = 0;
44143 struct {
44144 struct elfhdr elf_ex;
44145 struct elfhdr interp_elf_ex;
44146 } *loc;
44147 + unsigned long pax_task_size = TASK_SIZE;
44148
44149 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
44150 if (!loc) {
44151 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
44152
44153 /* OK, This is the point of no return */
44154 current->flags &= ~PF_FORKNOEXEC;
44155 - current->mm->def_flags = def_flags;
44156 +
44157 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44158 + current->mm->pax_flags = 0UL;
44159 +#endif
44160 +
44161 +#ifdef CONFIG_PAX_DLRESOLVE
44162 + current->mm->call_dl_resolve = 0UL;
44163 +#endif
44164 +
44165 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44166 + current->mm->call_syscall = 0UL;
44167 +#endif
44168 +
44169 +#ifdef CONFIG_PAX_ASLR
44170 + current->mm->delta_mmap = 0UL;
44171 + current->mm->delta_stack = 0UL;
44172 +#endif
44173 +
44174 + current->mm->def_flags = 0;
44175 +
44176 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44177 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44178 + send_sig(SIGKILL, current, 0);
44179 + goto out_free_dentry;
44180 + }
44181 +#endif
44182 +
44183 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44184 + pax_set_initial_flags(bprm);
44185 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44186 + if (pax_set_initial_flags_func)
44187 + (pax_set_initial_flags_func)(bprm);
44188 +#endif
44189 +
44190 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44191 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
44192 + current->mm->context.user_cs_limit = PAGE_SIZE;
44193 + current->mm->def_flags |= VM_PAGEEXEC;
44194 + }
44195 +#endif
44196 +
44197 +#ifdef CONFIG_PAX_SEGMEXEC
44198 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44199 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44200 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44201 + pax_task_size = SEGMEXEC_TASK_SIZE;
44202 + current->mm->def_flags |= VM_NOHUGEPAGE;
44203 + }
44204 +#endif
44205 +
44206 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44207 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44208 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44209 + put_cpu();
44210 + }
44211 +#endif
44212
44213 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44214 may depend on the personality. */
44215 SET_PERSONALITY(loc->elf_ex);
44216 +
44217 +#ifdef CONFIG_PAX_ASLR
44218 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44219 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44220 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44221 + }
44222 +#endif
44223 +
44224 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44225 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44226 + executable_stack = EXSTACK_DISABLE_X;
44227 + current->personality &= ~READ_IMPLIES_EXEC;
44228 + } else
44229 +#endif
44230 +
44231 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44232 current->personality |= READ_IMPLIES_EXEC;
44233
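Review bot: The `pax_parse_elf_flags()` failure path sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, unlike the later SIGKILL path in this function, which sets `retval = -EINVAL` first. Unless `retval` already holds an error from code outside this hunk, load_elf_binary would report success for an exec it has just killed. Adding `retval = -EINVAL;` before the `goto` makes the outcome explicit. load_elf_binary starts and ends outside this hunk.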
44234 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
44235 #else
44236 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44237 #endif
44238 +
44239 +#ifdef CONFIG_PAX_RANDMMAP
44240 + /* PaX: randomize base address at the default exe base if requested */
44241 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44242 +#ifdef CONFIG_SPARC64
44243 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44244 +#else
44245 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44246 +#endif
44247 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44248 + elf_flags |= MAP_FIXED;
44249 + }
44250 +#endif
44251 +
44252 }
44253
44254 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
44255 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
44256 * allowed task size. Note that p_filesz must always be
44257 * <= p_memsz so it is only necessary to check p_memsz.
44258 */
44259 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44260 - elf_ppnt->p_memsz > TASK_SIZE ||
44261 - TASK_SIZE - elf_ppnt->p_memsz < k) {
44262 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44263 + elf_ppnt->p_memsz > pax_task_size ||
44264 + pax_task_size - elf_ppnt->p_memsz < k) {
44265 /* set_brk can never work. Avoid overflows. */
44266 send_sig(SIGKILL, current, 0);
44267 retval = -EINVAL;
44268 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
44269 start_data += load_bias;
44270 end_data += load_bias;
44271
44272 +#ifdef CONFIG_PAX_RANDMMAP
44273 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44274 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44275 +#endif
44276 +
44277 /* Calling set_brk effectively mmaps the pages that we need
44278 * for the bss and break sections. We must do this before
44279 * mapping in the interpreter, to make sure it doesn't wind
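Review bot: The brk offset `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` has no comment giving its range or granularity, which is what a reader needs to judge how much heap randomization this adds. From the expression it is one page plus a 16-byte-aligned value below 16 pages; I would record that as `/* PaX: one page plus a random 16-byte-aligned offset of less than 16 pages */`. The enlarged `elf_brk` is computed after what appear to be the segment bounds checks against `pax_task_size` in the previous hunk, so the comment should also note that set_brk is relied on to reject an out-of-range result.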
44280 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
44281 goto out_free_dentry;
44282 }
44283 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44284 - send_sig(SIGSEGV, current, 0);
44285 - retval = -EFAULT; /* Nobody gets to see this, but.. */
44286 - goto out_free_dentry;
44287 + /*
44288 + * This bss-zeroing can fail if the ELF
44289 + * file specifies odd protections. So
44290 + * we don't check the return value
44291 + */
44292 }
44293
44294 if (elf_interpreter) {
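Review bot: The `if` is left with a body that contains only a comment, so `padzero()` is now called purely for its side effect inside a condition, which reads like a forgotten error path. Writing it as `if (likely(elf_bss != elf_brk))` followed by `padzero(elf_bss);`, with the explanatory comment above, keeps the behaviour and shows that the result is deliberately ignored. The comment should also say what is left in the page when the zeroing fails, since the SIGSEGV path that used to stop the exec is gone.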
44295 @@ -1090,7 +1398,7 @@ out:
44296 * Decide what to dump of a segment, part, all or none.
44297 */
44298 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44299 - unsigned long mm_flags)
44300 + unsigned long mm_flags, long signr)
44301 {
44302 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44303
44304 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
44305 if (vma->vm_file == NULL)
44306 return 0;
44307
44308 - if (FILTER(MAPPED_PRIVATE))
44309 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44310 goto whole;
44311
44312 /*
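Review bot: The `signr == SIGKILL` test sends every file-backed mapping that reaches this point to `whole` regardless of the `MAPPED_PRIVATE` filter bit, so a SIGKILL core ignores that part of the task's dump filter and can contain more file content than the filter asked for. Nothing here explains why; a comment such as `/* PaX: SIGKILL cores include file-backed mappings in full, overriding the MAPPED_PRIVATE filter */` would record that this is deliberate. vma_dump_size starts and ends outside this hunk.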
44313 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
44314 {
44315 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44316 int i = 0;
44317 - do
44318 + do {
44319 i += 2;
44320 - while (auxv[i - 2] != AT_NULL);
44321 + } while (auxv[i - 2] != AT_NULL);
44322 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44323 }
44324
44325 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
44326 }
44327
44328 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
44329 - unsigned long mm_flags)
44330 + struct coredump_params *cprm)
44331 {
44332 struct vm_area_struct *vma;
44333 size_t size = 0;
44334
44335 for (vma = first_vma(current, gate_vma); vma != NULL;
44336 vma = next_vma(vma, gate_vma))
44337 - size += vma_dump_size(vma, mm_flags);
44338 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44339 return size;
44340 }
44341
44342 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
44343
44344 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
44345
44346 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
44347 + offset += elf_core_vma_data_size(gate_vma, cprm);
44348 offset += elf_core_extra_data_size();
44349 e_shoff = offset;
44350
44351 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
44352 offset = dataoff;
44353
44354 size += sizeof(*elf);
44355 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44356 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
44357 goto end_coredump;
44358
44359 size += sizeof(*phdr4note);
44360 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44361 if (size > cprm->limit
44362 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
44363 goto end_coredump;
44364 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
44365 phdr.p_offset = offset;
44366 phdr.p_vaddr = vma->vm_start;
44367 phdr.p_paddr = 0;
44368 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
44369 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44370 phdr.p_memsz = vma->vm_end - vma->vm_start;
44371 offset += phdr.p_filesz;
44372 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44373 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
44374 phdr.p_align = ELF_EXEC_PAGESIZE;
44375
44376 size += sizeof(phdr);
44377 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44378 if (size > cprm->limit
44379 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
44380 goto end_coredump;
44381 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
44382 unsigned long addr;
44383 unsigned long end;
44384
44385 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
44386 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44387
44388 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44389 struct page *page;
44390 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
44391 page = get_dump_page(addr);
44392 if (page) {
44393 void *kaddr = kmap(page);
44394 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44395 stop = ((size += PAGE_SIZE) > cprm->limit) ||
44396 !dump_write(cprm->file, kaddr,
44397 PAGE_SIZE);
44398 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
44399
44400 if (e_phnum == PN_XNUM) {
44401 size += sizeof(*shdr4extnum);
44402 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44403 if (size > cprm->limit
44404 || !dump_write(cprm->file, shdr4extnum,
44405 sizeof(*shdr4extnum)))
44406 @@ -2067,6 +2380,97 @@ out:
44407
44408 #endif /* CONFIG_ELF_CORE */
44409
44410 +#ifdef CONFIG_PAX_MPROTECT
44411 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44412 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44413 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44414 + *
44415 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44416 + * basis because we want to allow the common case and not the special ones.
44417 + */
44418 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44419 +{
44420 + struct elfhdr elf_h;
44421 + struct elf_phdr elf_p;
44422 + unsigned long i;
44423 + unsigned long oldflags;
44424 + bool is_textrel_rw, is_textrel_rx, is_relro;
44425 +
44426 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44427 + return;
44428 +
44429 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44430 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44431 +
44432 +#ifdef CONFIG_PAX_ELFRELOCS
44433 + /* possible TEXTREL */
44434 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44435 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44436 +#else
44437 + is_textrel_rw = false;
44438 + is_textrel_rx = false;
44439 +#endif
44440 +
44441 + /* possible RELRO */
44442 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44443 +
44444 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44445 + return;
44446 +
44447 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44448 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44449 +
44450 +#ifdef CONFIG_PAX_ETEXECRELOCS
44451 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44452 +#else
44453 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44454 +#endif
44455 +
44456 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44457 + !elf_check_arch(&elf_h) ||
44458 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44459 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44460 + return;
44461 +
44462 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44463 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44464 + return;
44465 + switch (elf_p.p_type) {
44466 + case PT_DYNAMIC:
44467 + if (!is_textrel_rw && !is_textrel_rx)
44468 + continue;
44469 + i = 0UL;
44470 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44471 + elf_dyn dyn;
44472 +
44473 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44474 + return;
44475 + if (dyn.d_tag == DT_NULL)
44476 + return;
44477 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44478 + gr_log_textrel(vma);
44479 + if (is_textrel_rw)
44480 + vma->vm_flags |= VM_MAYWRITE;
44481 + else
44482 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44483 + vma->vm_flags &= ~VM_MAYWRITE;
44484 + return;
44485 + }
44486 + i++;
44487 + }
44488 + return;
44489 +
44490 + case PT_GNU_RELRO:
44491 + if (!is_relro)
44492 + continue;
44493 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44494 + vma->vm_flags &= ~VM_MAYWRITE;
44495 + return;
44496 + }
44497 + }
44498 +}
44499 +#endif
44500 +
44501 static int __init init_elf_binfmt(void)
44502 {
44503 return register_binfmt(&elf_format);
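Review bot: In the `PT_DYNAMIC` case of `elf_handle_mprotect()` the inner `while` reuses `i`, the index of the enclosing `for` over program headers, and resets it to 0; this is safe only because every path out of that case returns. A separate index (`unsigned long j;`) would keep the outer loop intact if a later change adds a `break` or `continue`. The dynamic-section walk is also bounded only by `elf_p.p_filesz` read from the file, whereas `e_phnum` is capped; a similar cap on the number of entries would bound the work done per call. The `switch` has no `default:` label.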
44504 diff -urNp linux-2.6.39.3/fs/binfmt_flat.c linux-2.6.39.3/fs/binfmt_flat.c
44505 --- linux-2.6.39.3/fs/binfmt_flat.c 2011-05-19 00:06:34.000000000 -0400
44506 +++ linux-2.6.39.3/fs/binfmt_flat.c 2011-05-22 19:36:32.000000000 -0400
44507 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
44508 realdatastart = (unsigned long) -ENOMEM;
44509 printk("Unable to allocate RAM for process data, errno %d\n",
44510 (int)-realdatastart);
44511 + down_write(&current->mm->mmap_sem);
44512 do_munmap(current->mm, textpos, text_len);
44513 + up_write(&current->mm->mmap_sem);
44514 ret = realdatastart;
44515 goto err;
44516 }
44517 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
44518 }
44519 if (IS_ERR_VALUE(result)) {
44520 printk("Unable to read data+bss, errno %d\n", (int)-result);
44521 + down_write(&current->mm->mmap_sem);
44522 do_munmap(current->mm, textpos, text_len);
44523 do_munmap(current->mm, realdatastart, len);
44524 + up_write(&current->mm->mmap_sem);
44525 ret = result;
44526 goto err;
44527 }
44528 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
44529 }
44530 if (IS_ERR_VALUE(result)) {
44531 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44532 + down_write(&current->mm->mmap_sem);
44533 do_munmap(current->mm, textpos, text_len + data_len + extra +
44534 MAX_SHARED_LIBS * sizeof(unsigned long));
44535 + up_write(&current->mm->mmap_sem);
44536 ret = result;
44537 goto err;
44538 }
44539 diff -urNp linux-2.6.39.3/fs/bio.c linux-2.6.39.3/fs/bio.c
44540 --- linux-2.6.39.3/fs/bio.c 2011-05-19 00:06:34.000000000 -0400
44541 +++ linux-2.6.39.3/fs/bio.c 2011-05-22 19:36:32.000000000 -0400
44542 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
44543 const int read = bio_data_dir(bio) == READ;
44544 struct bio_map_data *bmd = bio->bi_private;
44545 int i;
44546 - char *p = bmd->sgvecs[0].iov_base;
44547 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
44548
44549 __bio_for_each_segment(bvec, bio, i, 0) {
44550 char *addr = page_address(bvec->bv_page);
44551 diff -urNp linux-2.6.39.3/fs/block_dev.c linux-2.6.39.3/fs/block_dev.c
44552 --- linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:18:51.000000000 -0400
44553 +++ linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:19:18.000000000 -0400
44554 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
44555 else if (bdev->bd_contains == bdev)
44556 return true; /* is a whole device which isn't held */
44557
44558 - else if (whole->bd_holder == bd_may_claim)
44559 + else if (whole->bd_holder == (void *)bd_may_claim)
44560 return true; /* is a partition of a device that is being partitioned */
44561 else if (whole->bd_holder != NULL)
44562 return false; /* is a partition of a held device */
44563 diff -urNp linux-2.6.39.3/fs/btrfs/compression.c linux-2.6.39.3/fs/btrfs/compression.c
44564 --- linux-2.6.39.3/fs/btrfs/compression.c 2011-05-19 00:06:34.000000000 -0400
44565 +++ linux-2.6.39.3/fs/btrfs/compression.c 2011-05-22 19:36:32.000000000 -0400
44566 @@ -719,7 +719,7 @@ static int comp_num_workspace[BTRFS_COMP
44567 static atomic_t comp_alloc_workspace[BTRFS_COMPRESS_TYPES];
44568 static wait_queue_head_t comp_workspace_wait[BTRFS_COMPRESS_TYPES];
44569
44570 -struct btrfs_compress_op *btrfs_compress_op[] = {
44571 +const struct btrfs_compress_op *btrfs_compress_op[] = {
44572 &btrfs_zlib_compress,
44573 &btrfs_lzo_compress,
44574 };
44575 diff -urNp linux-2.6.39.3/fs/btrfs/compression.h linux-2.6.39.3/fs/btrfs/compression.h
44576 --- linux-2.6.39.3/fs/btrfs/compression.h 2011-05-19 00:06:34.000000000 -0400
44577 +++ linux-2.6.39.3/fs/btrfs/compression.h 2011-05-22 19:36:32.000000000 -0400
44578 @@ -77,7 +77,7 @@ struct btrfs_compress_op {
44579 size_t srclen, size_t destlen);
44580 };
44581
44582 -extern struct btrfs_compress_op btrfs_zlib_compress;
44583 -extern struct btrfs_compress_op btrfs_lzo_compress;
44584 +extern const struct btrfs_compress_op btrfs_zlib_compress;
44585 +extern const struct btrfs_compress_op btrfs_lzo_compress;
44586
44587 #endif
44588 diff -urNp linux-2.6.39.3/fs/btrfs/ctree.c linux-2.6.39.3/fs/btrfs/ctree.c
44589 --- linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-19 00:06:34.000000000 -0400
44590 +++ linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-22 19:36:32.000000000 -0400
44591 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44592 free_extent_buffer(buf);
44593 add_root_to_dirty_list(root);
44594 } else {
44595 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44596 - parent_start = parent->start;
44597 - else
44598 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44599 + if (parent)
44600 + parent_start = parent->start;
44601 + else
44602 + parent_start = 0;
44603 + } else
44604 parent_start = 0;
44605
44606 WARN_ON(trans->transid != btrfs_header_generation(parent));
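Review bot: The new `if (parent)` guard covers `parent->start`, but the `WARN_ON()` immediately after it still passes `parent` to `btrfs_header_generation()` unguarded. If `parent` can be NULL on this branch, as the added check implies, that line needs the same test, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. If it cannot, the new check is dead code and a comment should say so. __btrfs_cow_block starts and ends outside this hunk.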
44607 @@ -3647,7 +3650,6 @@ setup_items_for_insert(struct btrfs_tran
44608
44609 ret = 0;
44610 if (slot == 0) {
44611 - struct btrfs_disk_key disk_key;
44612 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44613 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44614 }
44615 diff -urNp linux-2.6.39.3/fs/btrfs/disk-io.c linux-2.6.39.3/fs/btrfs/disk-io.c
44616 --- linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-19 00:06:34.000000000 -0400
44617 +++ linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-22 19:36:32.000000000 -0400
44618 @@ -42,7 +42,7 @@
44619 #include "tree-log.h"
44620 #include "free-space-cache.h"
44621
44622 -static struct extent_io_ops btree_extent_io_ops;
44623 +static const struct extent_io_ops btree_extent_io_ops;
44624 static void end_workqueue_fn(struct btrfs_work *work);
44625 static void free_fs_root(struct btrfs_root *root);
44626 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
44627 @@ -3070,7 +3070,7 @@ static int btrfs_cleanup_transaction(str
44628 return 0;
44629 }
44630
44631 -static struct extent_io_ops btree_extent_io_ops = {
44632 +static const struct extent_io_ops btree_extent_io_ops = {
44633 .write_cache_pages_lock_hook = btree_lock_page_hook,
44634 .readpage_end_io_hook = btree_readpage_end_io_hook,
44635 .submit_bio_hook = btree_submit_bio_hook,
44636 diff -urNp linux-2.6.39.3/fs/btrfs/extent_io.h linux-2.6.39.3/fs/btrfs/extent_io.h
44637 --- linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-19 00:06:34.000000000 -0400
44638 +++ linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-22 19:36:32.000000000 -0400
44639 @@ -56,36 +56,36 @@ typedef int (extent_submit_bio_hook_t)(s
44640 struct bio *bio, int mirror_num,
44641 unsigned long bio_flags, u64 bio_offset);
44642 struct extent_io_ops {
44643 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44644 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44645 u64 start, u64 end, int *page_started,
44646 unsigned long *nr_written);
44647 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44648 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44649 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44650 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44651 extent_submit_bio_hook_t *submit_bio_hook;
44652 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44653 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44654 size_t size, struct bio *bio,
44655 unsigned long bio_flags);
44656 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44657 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44658 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44659 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44660 u64 start, u64 end,
44661 struct extent_state *state);
44662 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44663 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44664 u64 start, u64 end,
44665 struct extent_state *state);
44666 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44667 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44668 struct extent_state *state);
44669 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44670 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44671 struct extent_state *state, int uptodate);
44672 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
44673 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
44674 int *bits);
44675 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44676 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44677 int *bits);
44678 - int (*merge_extent_hook)(struct inode *inode,
44679 + int (* const merge_extent_hook)(struct inode *inode,
44680 struct extent_state *new,
44681 struct extent_state *other);
44682 - int (*split_extent_hook)(struct inode *inode,
44683 + int (* const split_extent_hook)(struct inode *inode,
44684 struct extent_state *orig, u64 split);
44685 - int (*write_cache_pages_lock_hook)(struct page *page);
44686 + int (* const write_cache_pages_lock_hook)(struct page *page);
44687 };
44688
44689 struct extent_io_tree {
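Review bot: `submit_bio_hook` is the one member of `struct extent_io_ops` left without `const` in this hunk; every other function pointer became `(* const name)`. For consistency it should read `extent_submit_bio_hook_t * const submit_bio_hook;`. The instances shown elsewhere in this patch are already declared `const struct extent_io_ops`, so this is about the declaration matching its siblings rather than a write that is reachable today.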
44690 @@ -95,7 +95,7 @@ struct extent_io_tree {
44691 u64 dirty_bytes;
44692 spinlock_t lock;
44693 spinlock_t buffer_lock;
44694 - struct extent_io_ops *ops;
44695 + const struct extent_io_ops *ops;
44696 };
44697
44698 struct extent_state {
44699 diff -urNp linux-2.6.39.3/fs/btrfs/free-space-cache.c linux-2.6.39.3/fs/btrfs/free-space-cache.c
44700 --- linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-19 00:06:34.000000000 -0400
44701 +++ linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-22 19:36:32.000000000 -0400
44702 @@ -1910,8 +1910,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44703 while(1) {
44704 if (entry->bytes < bytes ||
44705 (!entry->bitmap && entry->offset < min_start)) {
44706 - struct rb_node *node;
44707 -
44708 node = rb_next(&entry->offset_index);
44709 if (!node)
44710 break;
44711 @@ -1925,7 +1923,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44712 cluster, entry, bytes,
44713 min_start);
44714 if (ret == 0) {
44715 - struct rb_node *node;
44716 node = rb_next(&entry->offset_index);
44717 if (!node)
44718 break;
44719 diff -urNp linux-2.6.39.3/fs/btrfs/inode.c linux-2.6.39.3/fs/btrfs/inode.c
44720 --- linux-2.6.39.3/fs/btrfs/inode.c 2011-05-19 00:06:34.000000000 -0400
44721 +++ linux-2.6.39.3/fs/btrfs/inode.c 2011-05-22 20:42:42.000000000 -0400
44722 @@ -65,7 +65,7 @@ static const struct inode_operations btr
44723 static const struct address_space_operations btrfs_aops;
44724 static const struct address_space_operations btrfs_symlink_aops;
44725 static const struct file_operations btrfs_dir_file_operations;
44726 -static struct extent_io_ops btrfs_extent_io_ops;
44727 +static const struct extent_io_ops btrfs_extent_io_ops;
44728
44729 static struct kmem_cache *btrfs_inode_cachep;
44730 struct kmem_cache *btrfs_trans_handle_cachep;
44731 @@ -6947,7 +6947,7 @@ fail:
44732 return -ENOMEM;
44733 }
44734
44735 -static int btrfs_getattr(struct vfsmount *mnt,
44736 +int btrfs_getattr(struct vfsmount *mnt,
44737 struct dentry *dentry, struct kstat *stat)
44738 {
44739 struct inode *inode = dentry->d_inode;
44740 @@ -6959,6 +6959,14 @@ static int btrfs_getattr(struct vfsmount
44741 return 0;
44742 }
44743
44744 +EXPORT_SYMBOL(btrfs_getattr);
44745 +
44746 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
44747 +{
44748 + return BTRFS_I(inode)->root->anon_super.s_dev;
44749 +}
44750 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44751 +
44752 /*
44753 * If a file is moved, it will inherit the cow and compression flags of the new
44754 * directory.
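Review bot: `get_btrfs_dev_from_inode()` is exported with no statement of its precondition, and it dereferences `BTRFS_I(inode)->root` unconditionally. If `BTRFS_I()` is a plain container cast with no type check (its definition is not in this hunk), a caller outside btrfs that passes an inode from another filesystem would read unrelated memory. The contract belongs on the function itself: `/* Caller must guarantee inode belongs to a btrfs superblock; no type or NULL check is done here. */`. This hunk also exports `btrfs_getattr`, which the previous hunk made non-static; neither symbol gets a prototype in this file's diff, so confirm that a header declares them.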
44755 @@ -7488,7 +7496,7 @@ static const struct file_operations btrf
44756 .fsync = btrfs_sync_file,
44757 };
44758
44759 -static struct extent_io_ops btrfs_extent_io_ops = {
44760 +static const struct extent_io_ops btrfs_extent_io_ops = {
44761 .fill_delalloc = run_delalloc_range,
44762 .submit_bio_hook = btrfs_submit_bio_hook,
44763 .merge_bio_hook = btrfs_merge_bio_hook,
44764 diff -urNp linux-2.6.39.3/fs/btrfs/ioctl.c linux-2.6.39.3/fs/btrfs/ioctl.c
44765 --- linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-19 00:06:34.000000000 -0400
44766 +++ linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-22 19:41:37.000000000 -0400
44767 @@ -2361,9 +2361,12 @@ long btrfs_ioctl_space_info(struct btrfs
44768 for (i = 0; i < num_types; i++) {
44769 struct btrfs_space_info *tmp;
44770
44771 + /* Don't copy in more than we allocated */
44772 if (!slot_count)
44773 break;
44774
44775 + slot_count--;
44776 +
44777 info = NULL;
44778 rcu_read_lock();
44779 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
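Review bot: Moving `slot_count--` to the top of the outer `for` loop leaves the `memcpy(dest, &space, sizeof(space)); dest++;` in the next hunk (@@ -2385,10 +2388,7) with no per-copy bound, because that hunk also drops the inner `if (!slot_count) break;`. If the block around the copy is a loop that can run the copy more than once per outer iteration (its header is outside both hunks), `dest` can advance past the number of entries that `slot_count` was sized for. Keeping the accounting next to the write avoids that: test `if (!slot_count) break;` immediately before the `memcpy` and keep `slot_count--;` directly after `dest++;`. The new comment "Don't copy in more than we allocated" would then describe what the code enforces.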
44780 @@ -2385,10 +2388,7 @@ long btrfs_ioctl_space_info(struct btrfs
44781 memcpy(dest, &space, sizeof(space));
44782 dest++;
44783 space_args.total_spaces++;
44784 - slot_count--;
44785 }
44786 - if (!slot_count)
44787 - break;
44788 }
44789 up_read(&info->groups_sem);
44790 }
44791 diff -urNp linux-2.6.39.3/fs/btrfs/lzo.c linux-2.6.39.3/fs/btrfs/lzo.c
44792 --- linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-19 00:06:34.000000000 -0400
44793 +++ linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-22 19:36:32.000000000 -0400
44794 @@ -418,7 +418,7 @@ out:
44795 return ret;
44796 }
44797
44798 -struct btrfs_compress_op btrfs_lzo_compress = {
44799 +const struct btrfs_compress_op btrfs_lzo_compress = {
44800 .alloc_workspace = lzo_alloc_workspace,
44801 .free_workspace = lzo_free_workspace,
44802 .compress_pages = lzo_compress_pages,
44803 diff -urNp linux-2.6.39.3/fs/btrfs/relocation.c linux-2.6.39.3/fs/btrfs/relocation.c
44804 --- linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-19 00:06:34.000000000 -0400
44805 +++ linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-22 19:36:32.000000000 -0400
44806 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
44807 }
44808 spin_unlock(&rc->reloc_root_tree.lock);
44809
44810 - BUG_ON((struct btrfs_root *)node->data != root);
44811 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
44812
44813 if (!del) {
44814 spin_lock(&rc->reloc_root_tree.lock);
44815 diff -urNp linux-2.6.39.3/fs/btrfs/zlib.c linux-2.6.39.3/fs/btrfs/zlib.c
44816 --- linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-19 00:06:34.000000000 -0400
44817 +++ linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-22 19:36:32.000000000 -0400
44818 @@ -390,7 +390,7 @@ next:
44819 return ret;
44820 }
44821
44822 -struct btrfs_compress_op btrfs_zlib_compress = {
44823 +const struct btrfs_compress_op btrfs_zlib_compress = {
44824 .alloc_workspace = zlib_alloc_workspace,
44825 .free_workspace = zlib_free_workspace,
44826 .compress_pages = zlib_compress_pages,
44827 diff -urNp linux-2.6.39.3/fs/cachefiles/bind.c linux-2.6.39.3/fs/cachefiles/bind.c
44828 --- linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-19 00:06:34.000000000 -0400
44829 +++ linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-22 19:36:32.000000000 -0400
44830 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44831 args);
44832
44833 /* start by checking things over */
44834 - ASSERT(cache->fstop_percent >= 0 &&
44835 - cache->fstop_percent < cache->fcull_percent &&
44836 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
44837 cache->fcull_percent < cache->frun_percent &&
44838 cache->frun_percent < 100);
44839
44840 - ASSERT(cache->bstop_percent >= 0 &&
44841 - cache->bstop_percent < cache->bcull_percent &&
44842 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
44843 cache->bcull_percent < cache->brun_percent &&
44844 cache->brun_percent < 100);
44845
44846 diff -urNp linux-2.6.39.3/fs/cachefiles/daemon.c linux-2.6.39.3/fs/cachefiles/daemon.c
44847 --- linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-19 00:06:34.000000000 -0400
44848 +++ linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-22 19:36:32.000000000 -0400
44849 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
44850 if (n > buflen)
44851 return -EMSGSIZE;
44852
44853 - if (copy_to_user(_buffer, buffer, n) != 0)
44854 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
44855 return -EFAULT;
44856
44857 return n;
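Review bot: The added `n > sizeof(buffer)` test shares `-EFAULT` with the `copy_to_user()` failure, so a status line that did not fit the kernel buffer is reported to the daemon as a bad user pointer. A separate check with its own code and a comment reads more clearly, for example `if (n > sizeof(buffer)) return -EIO; /* formatted status exceeded the stack buffer */`. The declaration of `n` and the call that sets it are outside the hunk. If `n` is a signed `int`, the comparison against `sizeof` also relies on implicit conversion to unsigned to reject negative values, which is worth saying in that comment.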
44858 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
44859 if (test_bit(CACHEFILES_DEAD, &cache->flags))
44860 return -EIO;
44861
44862 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
44863 + if (datalen > PAGE_SIZE - 1)
44864 return -EOPNOTSUPP;
44865
44866 /* drag the command string into the kernel so we can parse it */
44867 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
44868 if (args[0] != '%' || args[1] != '\0')
44869 return -EINVAL;
44870
44871 - if (fstop < 0 || fstop >= cache->fcull_percent)
44872 + if (fstop >= cache->fcull_percent)
44873 return cachefiles_daemon_range_error(cache, args);
44874
44875 cache->fstop_percent = fstop;
44876 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
44877 if (args[0] != '%' || args[1] != '\0')
44878 return -EINVAL;
44879
44880 - if (bstop < 0 || bstop >= cache->bcull_percent)
44881 + if (bstop >= cache->bcull_percent)
44882 return cachefiles_daemon_range_error(cache, args);
44883
44884 cache->bstop_percent = bstop;
44885 diff -urNp linux-2.6.39.3/fs/cachefiles/internal.h linux-2.6.39.3/fs/cachefiles/internal.h
44886 --- linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-19 00:06:34.000000000 -0400
44887 +++ linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-22 19:36:32.000000000 -0400
44888 @@ -57,7 +57,7 @@ struct cachefiles_cache {
44889 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44890 struct rb_root active_nodes; /* active nodes (can't be culled) */
44891 rwlock_t active_lock; /* lock for active_nodes */
44892 - atomic_t gravecounter; /* graveyard uniquifier */
44893 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44894 unsigned frun_percent; /* when to stop culling (% files) */
44895 unsigned fcull_percent; /* when to start culling (% files) */
44896 unsigned fstop_percent; /* when to stop allocating (% files) */
44897 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
44898 * proc.c
44899 */
44900 #ifdef CONFIG_CACHEFILES_HISTOGRAM
44901 -extern atomic_t cachefiles_lookup_histogram[HZ];
44902 -extern atomic_t cachefiles_mkdir_histogram[HZ];
44903 -extern atomic_t cachefiles_create_histogram[HZ];
44904 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44905 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44906 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44907
44908 extern int __init cachefiles_proc_init(void);
44909 extern void cachefiles_proc_cleanup(void);
44910 static inline
44911 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44912 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44913 {
44914 unsigned long jif = jiffies - start_jif;
44915 if (jif >= HZ)
44916 jif = HZ - 1;
44917 - atomic_inc(&histogram[jif]);
44918 + atomic_inc_unchecked(&histogram[jif]);
44919 }
44920
44921 #else
44922 diff -urNp linux-2.6.39.3/fs/cachefiles/namei.c linux-2.6.39.3/fs/cachefiles/namei.c
44923 --- linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-19 00:06:34.000000000 -0400
44924 +++ linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-22 19:36:32.000000000 -0400
44925 @@ -318,7 +318,7 @@ try_again:
44926 /* first step is to make up a grave dentry in the graveyard */
44927 sprintf(nbuffer, "%08x%08x",
44928 (uint32_t) get_seconds(),
44929 - (uint32_t) atomic_inc_return(&cache->gravecounter));
44930 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44931
44932 /* do the multiway lock magic */
44933 trap = lock_rename(cache->graveyard, dir);
44934 diff -urNp linux-2.6.39.3/fs/cachefiles/proc.c linux-2.6.39.3/fs/cachefiles/proc.c
44935 --- linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-19 00:06:34.000000000 -0400
44936 +++ linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-22 19:36:32.000000000 -0400
44937 @@ -14,9 +14,9 @@
44938 #include <linux/seq_file.h>
44939 #include "internal.h"
44940
44941 -atomic_t cachefiles_lookup_histogram[HZ];
44942 -atomic_t cachefiles_mkdir_histogram[HZ];
44943 -atomic_t cachefiles_create_histogram[HZ];
44944 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44945 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44946 +atomic_unchecked_t cachefiles_create_histogram[HZ];
44947
44948 /*
44949 * display the latency histogram
44950 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44951 return 0;
44952 default:
44953 index = (unsigned long) v - 3;
44954 - x = atomic_read(&cachefiles_lookup_histogram[index]);
44955 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
44956 - z = atomic_read(&cachefiles_create_histogram[index]);
44957 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44958 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44959 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44960 if (x == 0 && y == 0 && z == 0)
44961 return 0;
44962
44963 diff -urNp linux-2.6.39.3/fs/cachefiles/rdwr.c linux-2.6.39.3/fs/cachefiles/rdwr.c
44964 --- linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-19 00:06:34.000000000 -0400
44965 +++ linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-22 19:36:32.000000000 -0400
44966 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
44967 old_fs = get_fs();
44968 set_fs(KERNEL_DS);
44969 ret = file->f_op->write(
44970 - file, (const void __user *) data, len, &pos);
44971 + file, (__force const void __user *) data, len, &pos);
44972 set_fs(old_fs);
44973 kunmap(page);
44974 if (ret != len)
44975 diff -urNp linux-2.6.39.3/fs/ceph/addr.c linux-2.6.39.3/fs/ceph/addr.c
44976 --- linux-2.6.39.3/fs/ceph/addr.c 2011-05-19 00:06:34.000000000 -0400
44977 +++ linux-2.6.39.3/fs/ceph/addr.c 2011-05-22 19:36:32.000000000 -0400
44978 @@ -1164,7 +1164,7 @@ out:
44979 return ret;
44980 }
44981
44982 -static struct vm_operations_struct ceph_vmops = {
44983 +static const struct vm_operations_struct ceph_vmops = {
44984 .fault = filemap_fault,
44985 .page_mkwrite = ceph_page_mkwrite,
44986 };
44987 diff -urNp linux-2.6.39.3/fs/ceph/dir.c linux-2.6.39.3/fs/ceph/dir.c
44988 --- linux-2.6.39.3/fs/ceph/dir.c 2011-05-19 00:06:34.000000000 -0400
44989 +++ linux-2.6.39.3/fs/ceph/dir.c 2011-05-22 19:36:32.000000000 -0400
44990 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
44991 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
44992 struct ceph_mds_client *mdsc = fsc->mdsc;
44993 unsigned frag = fpos_frag(filp->f_pos);
44994 - int off = fpos_off(filp->f_pos);
44995 + unsigned int off = fpos_off(filp->f_pos);
44996 int err;
44997 u32 ftype;
44998 struct ceph_mds_reply_info_parsed *rinfo;
44999 @@ -360,7 +360,7 @@ more:
45000 rinfo = &fi->last_readdir->r_reply_info;
45001 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
45002 rinfo->dir_nr, off, fi->offset);
45003 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
45004 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
45005 u64 pos = ceph_make_fpos(frag, off);
45006 struct ceph_mds_reply_inode *in =
45007 rinfo->dir_in[off - fi->offset].in;
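Review bot: `off` became `unsigned int` in the previous hunk (@@ -226,7), but the `dout()` call at the top of this hunk still prints it with `%d`; the format should read `"readdir frag %x num %d off %u chunkoff %d\n"`. The rewritten loop condition `off >= fi->offset && off - fi->offset < rinfo->dir_nr` now mixes the unsigned `off` with `fi->offset` and `rinfo->dir_nr`, whose types are not visible here. If either is a signed `int`, it is converted to unsigned for the comparison, so a negative value would compare as a very large one. A short comment on the condition stating the assumed types would let a reader check the bound on `rinfo->dir_in[off - fi->offset]`. `ceph_readdir` continues outside the hunk.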
45008 diff -urNp linux-2.6.39.3/fs/cifs/cifs_debug.c linux-2.6.39.3/fs/cifs/cifs_debug.c
45009 --- linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-19 00:06:34.000000000 -0400
45010 +++ linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-22 19:36:32.000000000 -0400
45011 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
45012 tcon = list_entry(tmp3,
45013 struct cifsTconInfo,
45014 tcon_list);
45015 - atomic_set(&tcon->num_smbs_sent, 0);
45016 - atomic_set(&tcon->num_writes, 0);
45017 - atomic_set(&tcon->num_reads, 0);
45018 - atomic_set(&tcon->num_oplock_brks, 0);
45019 - atomic_set(&tcon->num_opens, 0);
45020 - atomic_set(&tcon->num_posixopens, 0);
45021 - atomic_set(&tcon->num_posixmkdirs, 0);
45022 - atomic_set(&tcon->num_closes, 0);
45023 - atomic_set(&tcon->num_deletes, 0);
45024 - atomic_set(&tcon->num_mkdirs, 0);
45025 - atomic_set(&tcon->num_rmdirs, 0);
45026 - atomic_set(&tcon->num_renames, 0);
45027 - atomic_set(&tcon->num_t2renames, 0);
45028 - atomic_set(&tcon->num_ffirst, 0);
45029 - atomic_set(&tcon->num_fnext, 0);
45030 - atomic_set(&tcon->num_fclose, 0);
45031 - atomic_set(&tcon->num_hardlinks, 0);
45032 - atomic_set(&tcon->num_symlinks, 0);
45033 - atomic_set(&tcon->num_locks, 0);
45034 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
45035 + atomic_set_unchecked(&tcon->num_writes, 0);
45036 + atomic_set_unchecked(&tcon->num_reads, 0);
45037 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
45038 + atomic_set_unchecked(&tcon->num_opens, 0);
45039 + atomic_set_unchecked(&tcon->num_posixopens, 0);
45040 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
45041 + atomic_set_unchecked(&tcon->num_closes, 0);
45042 + atomic_set_unchecked(&tcon->num_deletes, 0);
45043 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
45044 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
45045 + atomic_set_unchecked(&tcon->num_renames, 0);
45046 + atomic_set_unchecked(&tcon->num_t2renames, 0);
45047 + atomic_set_unchecked(&tcon->num_ffirst, 0);
45048 + atomic_set_unchecked(&tcon->num_fnext, 0);
45049 + atomic_set_unchecked(&tcon->num_fclose, 0);
45050 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
45051 + atomic_set_unchecked(&tcon->num_symlinks, 0);
45052 + atomic_set_unchecked(&tcon->num_locks, 0);
45053 }
45054 }
45055 }
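Review bot: The reset list converted here omits `num_flushes`, which `cifs_stats_proc_show()` prints in the next hunk (@@ -357,41), so a write to the stats file leaves the Flushes counter at its old value. The omission is on the old side too, but this hunk rewrites every line of the list, so it is the natural place to add `atomic_set_unchecked(&tcon->num_flushes, 0);`. `num_acl_get` and `num_acl_set`, declared in the cifsglob.h hunk, are not reset either; whether they are displayed anywhere is not visible here. The enclosing function starts outside the hunk.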
45056 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
45057 if (tcon->need_reconnect)
45058 seq_puts(m, "\tDISCONNECTED ");
45059 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
45060 - atomic_read(&tcon->num_smbs_sent),
45061 - atomic_read(&tcon->num_oplock_brks));
45062 + atomic_read_unchecked(&tcon->num_smbs_sent),
45063 + atomic_read_unchecked(&tcon->num_oplock_brks));
45064 seq_printf(m, "\nReads: %d Bytes: %lld",
45065 - atomic_read(&tcon->num_reads),
45066 + atomic_read_unchecked(&tcon->num_reads),
45067 (long long)(tcon->bytes_read));
45068 seq_printf(m, "\nWrites: %d Bytes: %lld",
45069 - atomic_read(&tcon->num_writes),
45070 + atomic_read_unchecked(&tcon->num_writes),
45071 (long long)(tcon->bytes_written));
45072 seq_printf(m, "\nFlushes: %d",
45073 - atomic_read(&tcon->num_flushes));
45074 + atomic_read_unchecked(&tcon->num_flushes));
45075 seq_printf(m, "\nLocks: %d HardLinks: %d "
45076 "Symlinks: %d",
45077 - atomic_read(&tcon->num_locks),
45078 - atomic_read(&tcon->num_hardlinks),
45079 - atomic_read(&tcon->num_symlinks));
45080 + atomic_read_unchecked(&tcon->num_locks),
45081 + atomic_read_unchecked(&tcon->num_hardlinks),
45082 + atomic_read_unchecked(&tcon->num_symlinks));
45083 seq_printf(m, "\nOpens: %d Closes: %d "
45084 "Deletes: %d",
45085 - atomic_read(&tcon->num_opens),
45086 - atomic_read(&tcon->num_closes),
45087 - atomic_read(&tcon->num_deletes));
45088 + atomic_read_unchecked(&tcon->num_opens),
45089 + atomic_read_unchecked(&tcon->num_closes),
45090 + atomic_read_unchecked(&tcon->num_deletes));
45091 seq_printf(m, "\nPosix Opens: %d "
45092 "Posix Mkdirs: %d",
45093 - atomic_read(&tcon->num_posixopens),
45094 - atomic_read(&tcon->num_posixmkdirs));
45095 + atomic_read_unchecked(&tcon->num_posixopens),
45096 + atomic_read_unchecked(&tcon->num_posixmkdirs));
45097 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
45098 - atomic_read(&tcon->num_mkdirs),
45099 - atomic_read(&tcon->num_rmdirs));
45100 + atomic_read_unchecked(&tcon->num_mkdirs),
45101 + atomic_read_unchecked(&tcon->num_rmdirs));
45102 seq_printf(m, "\nRenames: %d T2 Renames %d",
45103 - atomic_read(&tcon->num_renames),
45104 - atomic_read(&tcon->num_t2renames));
45105 + atomic_read_unchecked(&tcon->num_renames),
45106 + atomic_read_unchecked(&tcon->num_t2renames));
45107 seq_printf(m, "\nFindFirst: %d FNext %d "
45108 "FClose %d",
45109 - atomic_read(&tcon->num_ffirst),
45110 - atomic_read(&tcon->num_fnext),
45111 - atomic_read(&tcon->num_fclose));
45112 + atomic_read_unchecked(&tcon->num_ffirst),
45113 + atomic_read_unchecked(&tcon->num_fnext),
45114 + atomic_read_unchecked(&tcon->num_fclose));
45115 }
45116 }
45117 }
45118 diff -urNp linux-2.6.39.3/fs/cifs/cifsglob.h linux-2.6.39.3/fs/cifs/cifsglob.h
45119 --- linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-19 00:06:34.000000000 -0400
45120 +++ linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-22 19:36:32.000000000 -0400
45121 @@ -305,28 +305,28 @@ struct cifsTconInfo {
45122 __u16 Flags; /* optional support bits */
45123 enum statusEnum tidStatus;
45124 #ifdef CONFIG_CIFS_STATS
45125 - atomic_t num_smbs_sent;
45126 - atomic_t num_writes;
45127 - atomic_t num_reads;
45128 - atomic_t num_flushes;
45129 - atomic_t num_oplock_brks;
45130 - atomic_t num_opens;
45131 - atomic_t num_closes;
45132 - atomic_t num_deletes;
45133 - atomic_t num_mkdirs;
45134 - atomic_t num_posixopens;
45135 - atomic_t num_posixmkdirs;
45136 - atomic_t num_rmdirs;
45137 - atomic_t num_renames;
45138 - atomic_t num_t2renames;
45139 - atomic_t num_ffirst;
45140 - atomic_t num_fnext;
45141 - atomic_t num_fclose;
45142 - atomic_t num_hardlinks;
45143 - atomic_t num_symlinks;
45144 - atomic_t num_locks;
45145 - atomic_t num_acl_get;
45146 - atomic_t num_acl_set;
45147 + atomic_unchecked_t num_smbs_sent;
45148 + atomic_unchecked_t num_writes;
45149 + atomic_unchecked_t num_reads;
45150 + atomic_unchecked_t num_flushes;
45151 + atomic_unchecked_t num_oplock_brks;
45152 + atomic_unchecked_t num_opens;
45153 + atomic_unchecked_t num_closes;
45154 + atomic_unchecked_t num_deletes;
45155 + atomic_unchecked_t num_mkdirs;
45156 + atomic_unchecked_t num_posixopens;
45157 + atomic_unchecked_t num_posixmkdirs;
45158 + atomic_unchecked_t num_rmdirs;
45159 + atomic_unchecked_t num_renames;
45160 + atomic_unchecked_t num_t2renames;
45161 + atomic_unchecked_t num_ffirst;
45162 + atomic_unchecked_t num_fnext;
45163 + atomic_unchecked_t num_fclose;
45164 + atomic_unchecked_t num_hardlinks;
45165 + atomic_unchecked_t num_symlinks;
45166 + atomic_unchecked_t num_locks;
45167 + atomic_unchecked_t num_acl_get;
45168 + atomic_unchecked_t num_acl_set;
45169 #ifdef CONFIG_CIFS_STATS2
45170 unsigned long long time_writes;
45171 unsigned long long time_reads;
45172 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
45173 }
45174
45175 #ifdef CONFIG_CIFS_STATS
45176 -#define cifs_stats_inc atomic_inc
45177 +#define cifs_stats_inc atomic_inc_unchecked
45178
45179 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45180 unsigned int bytes)
45181 diff -urNp linux-2.6.39.3/fs/cifs/link.c linux-2.6.39.3/fs/cifs/link.c
45182 --- linux-2.6.39.3/fs/cifs/link.c 2011-05-19 00:06:34.000000000 -0400
45183 +++ linux-2.6.39.3/fs/cifs/link.c 2011-05-22 19:36:32.000000000 -0400
45184 @@ -577,7 +577,7 @@ symlink_exit:
45185
45186 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45187 {
45188 - char *p = nd_get_link(nd);
45189 + const char *p = nd_get_link(nd);
45190 if (!IS_ERR(p))
45191 kfree(p);
45192 }
45193 diff -urNp linux-2.6.39.3/fs/coda/cache.c linux-2.6.39.3/fs/coda/cache.c
45194 --- linux-2.6.39.3/fs/coda/cache.c 2011-05-19 00:06:34.000000000 -0400
45195 +++ linux-2.6.39.3/fs/coda/cache.c 2011-05-22 19:36:32.000000000 -0400
45196 @@ -24,7 +24,7 @@
45197 #include "coda_linux.h"
45198 #include "coda_cache.h"
45199
45200 -static atomic_t permission_epoch = ATOMIC_INIT(0);
45201 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45202
45203 /* replace or extend an acl cache hit */
45204 void coda_cache_enter(struct inode *inode, int mask)
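Review bot: `permission_epoch` is the value that validates a cached permission hit in `coda_cache_check()` (hunk @@ -66,7), so exempting it from overflow checking with `atomic_unchecked_t` should carry a comment saying why wraparound is acceptable here. In the visible uses the epoch is only read, incremented and compared for equality, which suggests it is a generation counter rather than a reference count. A line above the declaration such as `/* generation counter: compared for equality only, wrap is tolerated, so not overflow-checked */` would record that. The comment should also cover the `- 1` in `coda_cache_clear_inode()` (hunk @@ -46,14), which relies on the same modular behaviour.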
45205 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
45206 struct coda_inode_info *cii = ITOC(inode);
45207
45208 spin_lock(&cii->c_lock);
45209 - cii->c_cached_epoch = atomic_read(&permission_epoch);
45210 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45211 if (cii->c_uid != current_fsuid()) {
45212 cii->c_uid = current_fsuid();
45213 cii->c_cached_perm = mask;
45214 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
45215 {
45216 struct coda_inode_info *cii = ITOC(inode);
45217 spin_lock(&cii->c_lock);
45218 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45219 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45220 spin_unlock(&cii->c_lock);
45221 }
45222
45223 /* remove all acl caches */
45224 void coda_cache_clear_all(struct super_block *sb)
45225 {
45226 - atomic_inc(&permission_epoch);
45227 + atomic_inc_unchecked(&permission_epoch);
45228 }
45229
45230
45231 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
45232 spin_lock(&cii->c_lock);
45233 hit = (mask & cii->c_cached_perm) == mask &&
45234 cii->c_uid == current_fsuid() &&
45235 - cii->c_cached_epoch == atomic_read(&permission_epoch);
45236 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45237 spin_unlock(&cii->c_lock);
45238
45239 return hit;
45240 diff -urNp linux-2.6.39.3/fs/compat_binfmt_elf.c linux-2.6.39.3/fs/compat_binfmt_elf.c
45241 --- linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
45242 +++ linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-22 19:36:32.000000000 -0400
45243 @@ -30,11 +30,13 @@
45244 #undef elf_phdr
45245 #undef elf_shdr
45246 #undef elf_note
45247 +#undef elf_dyn
45248 #undef elf_addr_t
45249 #define elfhdr elf32_hdr
45250 #define elf_phdr elf32_phdr
45251 #define elf_shdr elf32_shdr
45252 #define elf_note elf32_note
45253 +#define elf_dyn Elf32_Dyn
45254 #define elf_addr_t Elf32_Addr
45255
45256 /*
45257 diff -urNp linux-2.6.39.3/fs/compat.c linux-2.6.39.3/fs/compat.c
45258 --- linux-2.6.39.3/fs/compat.c 2011-05-19 00:06:34.000000000 -0400
45259 +++ linux-2.6.39.3/fs/compat.c 2011-05-22 19:41:37.000000000 -0400
45260 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
45261 goto out;
45262
45263 ret = -EINVAL;
45264 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
45265 + if (nr_segs > UIO_MAXIOV)
45266 goto out;
45267 if (nr_segs > fast_segs) {
45268 ret = -ENOMEM;
45269 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
45270
45271 struct compat_readdir_callback {
45272 struct compat_old_linux_dirent __user *dirent;
45273 + struct file * file;
45274 int result;
45275 };
45276
45277 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
45278 buf->result = -EOVERFLOW;
45279 return -EOVERFLOW;
45280 }
45281 +
45282 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45283 + return 0;
45284 +
45285 buf->result++;
45286 dirent = buf->dirent;
45287 if (!access_ok(VERIFY_WRITE, dirent,
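Review bot: The `gr_acl_handle_filldir()` check sits after the `-EOVERFLOW` return that opens this hunk, so an entry the policy hides can still change what the caller observes. If its inode number does not fit `d_ino`, the readdir fails with `-EOVERFLOW` instead of skipping the entry silently. Moving the three added lines above that overflow test, whose condition is outside the hunk, would keep hidden entries out of the error path as well. The hunks for `compat_filldir()` (@@ -938,6) and `compat_filldir64()` (@@ -1022,6) have the same ordering, the latter after the `reclen > buf->count` test that returns `-EINVAL`. All three function bodies start and end outside their hunks.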
45288 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
45289
45290 buf.result = 0;
45291 buf.dirent = dirent;
45292 + buf.file = file;
45293
45294 error = vfs_readdir(file, compat_fillonedir, &buf);
45295 if (buf.result)
45296 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
45297 struct compat_getdents_callback {
45298 struct compat_linux_dirent __user *current_dir;
45299 struct compat_linux_dirent __user *previous;
45300 + struct file * file;
45301 int count;
45302 int error;
45303 };
45304 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
45305 buf->error = -EOVERFLOW;
45306 return -EOVERFLOW;
45307 }
45308 +
45309 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45310 + return 0;
45311 +
45312 dirent = buf->previous;
45313 if (dirent) {
45314 if (__put_user(offset, &dirent->d_off))
45315 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
45316 buf.previous = NULL;
45317 buf.count = count;
45318 buf.error = 0;
45319 + buf.file = file;
45320
45321 error = vfs_readdir(file, compat_filldir, &buf);
45322 if (error >= 0)
45323 @@ -1006,6 +1018,7 @@ out:
45324 struct compat_getdents_callback64 {
45325 struct linux_dirent64 __user *current_dir;
45326 struct linux_dirent64 __user *previous;
45327 + struct file * file;
45328 int count;
45329 int error;
45330 };
45331 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
45332 buf->error = -EINVAL; /* only used if we fail.. */
45333 if (reclen > buf->count)
45334 return -EINVAL;
45335 +
45336 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45337 + return 0;
45338 +
45339 dirent = buf->previous;
45340
45341 if (dirent) {
45342 @@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
45343 buf.previous = NULL;
45344 buf.count = count;
45345 buf.error = 0;
45346 + buf.file = file;
45347
45348 error = vfs_readdir(file, compat_filldir64, &buf);
45349 if (error >= 0)
45350 @@ -1436,6 +1454,11 @@ int compat_do_execve(char * filename,
45351 compat_uptr_t __user *envp,
45352 struct pt_regs * regs)
45353 {
45354 +#ifdef CONFIG_GRKERNSEC
45355 + struct file *old_exec_file;
45356 + struct acl_subject_label *old_acl;
45357 + struct rlimit old_rlim[RLIM_NLIMITS];
45358 +#endif
45359 struct linux_binprm *bprm;
45360 struct file *file;
45361 struct files_struct *displaced;
45362 @@ -1472,6 +1495,19 @@ int compat_do_execve(char * filename,
45363 bprm->filename = filename;
45364 bprm->interp = filename;
45365
45366 + if (gr_process_user_ban()) {
45367 + retval = -EPERM;
45368 + goto out_file;
45369 + }
45370 +
45371 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45372 + retval = -EAGAIN;
45373 + if (gr_handle_nproc())
45374 + goto out_file;
45375 + retval = -EACCES;
45376 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45377 + goto out_file;
45378 +
45379 retval = bprm_mm_init(bprm);
45380 if (retval)
45381 goto out_file;
45382 @@ -1501,9 +1537,40 @@ int compat_do_execve(char * filename,
45383 if (retval < 0)
45384 goto out;
45385
45386 + if (!gr_tpe_allow(file)) {
45387 + retval = -EACCES;
45388 + goto out;
45389 + }
45390 +
45391 + if (gr_check_crash_exec(file)) {
45392 + retval = -EACCES;
45393 + goto out;
45394 + }
45395 +
45396 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45397 +
45398 + gr_handle_exec_args_compat(bprm, argv);
45399 +
45400 +#ifdef CONFIG_GRKERNSEC
45401 + old_acl = current->acl;
45402 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45403 + old_exec_file = current->exec_file;
45404 + get_file(file);
45405 + current->exec_file = file;
45406 +#endif
45407 +
45408 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45409 + bprm->unsafe & LSM_UNSAFE_SHARE);
45410 + if (retval < 0)
45411 + goto out_fail;
45412 +
45413 retval = search_binary_handler(bprm, regs);
45414 if (retval < 0)
45415 - goto out;
45416 + goto out_fail;
45417 +#ifdef CONFIG_GRKERNSEC
45418 + if (old_exec_file)
45419 + fput(old_exec_file);
45420 +#endif
45421
45422 /* execve succeeded */
45423 current->fs->in_exec = 0;
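Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and the matching restore under `out_fail:` (hunk @@ -1514,6) copy the whole rlimit array with no lock visible in either hunk. `signal->rlim` is shared by the thread group, and sibling threads may still be running here, so a limit changed by another thread between snapshot and restore would be overwritten or read half-updated. If the tree's rlimit writers serialise on the group leader's task lock, both copies should do the same: `task_lock(current->group_leader);` before each `memcpy` and `task_unlock(current->group_leader);` after it. A comment on the `#ifdef CONFIG_GRKERNSEC` block saying which call may modify `current->acl` and the limits (presumably `gr_set_proc_label()`) would explain why the rollback exists. `compat_do_execve` starts and ends outside this hunk.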
45424 @@ -1514,6 +1581,14 @@ int compat_do_execve(char * filename,
45425 put_files_struct(displaced);
45426 return retval;
45427
45428 +out_fail:
45429 +#ifdef CONFIG_GRKERNSEC
45430 + current->acl = old_acl;
45431 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45432 + fput(current->exec_file);
45433 + current->exec_file = old_exec_file;
45434 +#endif
45435 +
45436 out:
45437 if (bprm->mm) {
45438 acct_arg_size(bprm, 0);
45439 @@ -1681,6 +1756,8 @@ int compat_core_sys_select(int n, compat
45440 struct fdtable *fdt;
45441 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45442
45443 + pax_track_stack();
45444 +
45445 if (n < 0)
45446 goto out_nofds;
45447
45448 diff -urNp linux-2.6.39.3/fs/compat_ioctl.c linux-2.6.39.3/fs/compat_ioctl.c
45449 --- linux-2.6.39.3/fs/compat_ioctl.c 2011-05-19 00:06:34.000000000 -0400
45450 +++ linux-2.6.39.3/fs/compat_ioctl.c 2011-05-22 19:36:32.000000000 -0400
45451 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
45452
45453 err = get_user(palp, &up->palette);
45454 err |= get_user(length, &up->length);
45455 + if (err)
45456 + return -EFAULT;
45457
45458 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45459 err = put_user(compat_ptr(palp), &up_native->palette);
45460 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
45461 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
45462 {
45463 unsigned int a, b;
45464 - a = *(unsigned int *)p;
45465 - b = *(unsigned int *)q;
45466 + a = *(const unsigned int *)p;
45467 + b = *(const unsigned int *)q;
45468 if (a > b)
45469 return 1;
45470 if (a < b)
45471 diff -urNp linux-2.6.39.3/fs/configfs/dir.c linux-2.6.39.3/fs/configfs/dir.c
45472 --- linux-2.6.39.3/fs/configfs/dir.c 2011-05-19 00:06:34.000000000 -0400
45473 +++ linux-2.6.39.3/fs/configfs/dir.c 2011-05-22 19:36:32.000000000 -0400
45474 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
45475 }
45476 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45477 struct configfs_dirent *next;
45478 - const char * name;
45479 + const unsigned char * name;
45480 + char d_name[sizeof(next->s_dentry->d_iname)];
45481 int len;
45482 struct inode *inode = NULL;
45483
45484 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
45485 continue;
45486
45487 name = configfs_get_name(next);
45488 - len = strlen(name);
45489 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45490 + len = next->s_dentry->d_name.len;
45491 + memcpy(d_name, name, len);
45492 + name = d_name;
45493 + } else
45494 + len = strlen(name);
45495
45496 /*
45497 * We'll have a dentry and an inode for
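Review bot: `memcpy(d_name, name, len)` writes into a stack buffer of `sizeof(next->s_dentry->d_iname)` bytes using `next->s_dentry->d_name.len`, and nothing in this hunk bounds that length. The pointer test `name == next->s_dentry->d_iname` shows the name is the inline one. Unless a lock taken outside the hunk keeps `d_name.len` and `d_iname` consistent, though, the length read can belong to a different name than the bytes copied. A guard before the copy keeps the write inside the buffer either way, for example `if (len >= sizeof(d_name)) len = sizeof(d_name) - 1;`. Separately, `name` is now `const unsigned char *` but is assigned the plain `char` array `d_name` and passed to `strlen()`, so declaring `d_name` as `unsigned char` and casting at the `strlen()` call would avoid pointer-sign warnings.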
45498 diff -urNp linux-2.6.39.3/fs/configfs/file.c linux-2.6.39.3/fs/configfs/file.c
45499 --- linux-2.6.39.3/fs/configfs/file.c 2011-05-19 00:06:34.000000000 -0400
45500 +++ linux-2.6.39.3/fs/configfs/file.c 2011-05-22 19:36:32.000000000 -0400
45501 @@ -215,7 +215,7 @@ static int check_perm(struct inode * ino
45502 struct config_item *item = configfs_get_config_item(file->f_path.dentry->d_parent);
45503 struct configfs_attribute * attr = to_attr(file->f_path.dentry);
45504 struct configfs_buffer * buffer;
45505 - struct configfs_item_operations * ops = NULL;
45506 + struct configfs_item_operations *ops = NULL;
45507 int error = 0;
45508
45509 if (!item || !attr)
45510 diff -urNp linux-2.6.39.3/fs/configfs/item.c linux-2.6.39.3/fs/configfs/item.c
45511 --- linux-2.6.39.3/fs/configfs/item.c 2011-05-19 00:06:34.000000000 -0400
45512 +++ linux-2.6.39.3/fs/configfs/item.c 2011-05-22 19:36:32.000000000 -0400
45513 @@ -123,7 +123,7 @@ void config_item_init_type_name(struct c
45514 EXPORT_SYMBOL(config_item_init_type_name);
45515
45516 void config_group_init_type_name(struct config_group *group, const char *name,
45517 - struct config_item_type *type)
45518 + struct config_item_type *type)
45519 {
45520 config_item_set_name(&group->cg_item, name);
45521 group->cg_item.ci_type = type;
45522 diff -urNp linux-2.6.39.3/fs/dcache.c linux-2.6.39.3/fs/dcache.c
45523 --- linux-2.6.39.3/fs/dcache.c 2011-05-19 00:06:34.000000000 -0400
45524 +++ linux-2.6.39.3/fs/dcache.c 2011-05-22 19:36:32.000000000 -0400
45525 @@ -3069,7 +3069,7 @@ void __init vfs_caches_init(unsigned lon
45526 mempages -= reserve;
45527
45528 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45529 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45530 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45531
45532 dcache_init();
45533 inode_init();
45534 diff -urNp linux-2.6.39.3/fs/dlm/lockspace.c linux-2.6.39.3/fs/dlm/lockspace.c
45535 --- linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-19 00:06:34.000000000 -0400
45536 +++ linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-22 19:36:32.000000000 -0400
45537 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
45538 return 0;
45539 }
45540
45541 -static struct kset_uevent_ops dlm_uevent_ops = {
45542 +static const struct kset_uevent_ops dlm_uevent_ops = {
45543 .uevent = dlm_uevent,
45544 };
45545
45546 diff -urNp linux-2.6.39.3/fs/ecryptfs/inode.c linux-2.6.39.3/fs/ecryptfs/inode.c
45547 --- linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:04:14.000000000 -0400
45548 +++ linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:32:07.000000000 -0400
45549 @@ -623,7 +623,7 @@ static int ecryptfs_readlink_lower(struc
45550 old_fs = get_fs();
45551 set_fs(get_ds());
45552 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45553 - (char __user *)lower_buf,
45554 + (__force char __user *)lower_buf,
45555 lower_bufsiz);
45556 set_fs(old_fs);
45557 if (rc < 0)
45558 @@ -669,7 +669,7 @@ static void *ecryptfs_follow_link(struct
45559 }
45560 old_fs = get_fs();
45561 set_fs(get_ds());
45562 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45563 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45564 set_fs(old_fs);
45565 if (rc < 0) {
45566 kfree(buf);
45567 @@ -684,7 +684,7 @@ out:
45568 static void
45569 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
45570 {
45571 - char *buf = nd_get_link(nd);
45572 + const char *buf = nd_get_link(nd);
45573 if (!IS_ERR(buf)) {
45574 /* Free the char* */
45575 kfree(buf);
45576 diff -urNp linux-2.6.39.3/fs/ecryptfs/miscdev.c linux-2.6.39.3/fs/ecryptfs/miscdev.c
45577 --- linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-19 00:06:34.000000000 -0400
45578 +++ linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-22 19:36:32.000000000 -0400
45579 @@ -328,7 +328,7 @@ check_list:
45580 goto out_unlock_msg_ctx;
45581 i = 5;
45582 if (msg_ctx->msg) {
45583 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
45584 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
45585 goto out_unlock_msg_ctx;
45586 i += packet_length_size;
45587 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
45588 diff -urNp linux-2.6.39.3/fs/exec.c linux-2.6.39.3/fs/exec.c
45589 --- linux-2.6.39.3/fs/exec.c 2011-06-25 12:55:23.000000000 -0400
45590 +++ linux-2.6.39.3/fs/exec.c 2011-07-06 20:00:13.000000000 -0400
45591 @@ -55,12 +55,24 @@
45592 #include <linux/fs_struct.h>
45593 #include <linux/pipe_fs_i.h>
45594 #include <linux/oom.h>
45595 +#include <linux/random.h>
45596 +#include <linux/seq_file.h>
45597 +
45598 +#ifdef CONFIG_PAX_REFCOUNT
45599 +#include <linux/kallsyms.h>
45600 +#include <linux/kdebug.h>
45601 +#endif
45602
45603 #include <asm/uaccess.h>
45604 #include <asm/mmu_context.h>
45605 #include <asm/tlb.h>
45606 #include "internal.h"
45607
45608 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45609 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45610 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45611 +#endif
45612 +
45613 int core_uses_pid;
45614 char core_pattern[CORENAME_MAX_SIZE] = "core";
45615 unsigned int core_pipe_limit;
45616 @@ -70,7 +82,7 @@ struct core_name {
45617 char *corename;
45618 int used, size;
45619 };
45620 -static atomic_t call_count = ATOMIC_INIT(1);
45621 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
45622
45623 /* The maximal length of core_pattern is also specified in sysctl.c */
45624
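Review bot: `call_count` becomes `atomic_unchecked_t` with no comment explaining why it is safe to exempt it from overflow detection. It is not a pure statistic: later hunks in this file show expand_corename and format_corename multiplying it by CORENAME_MAX_SIZE to size a `krealloc`/`kmalloc` buffer, and the result is stored in the `int` field `cn->size`. If the counter is bounded in practice, a one-line comment at the declaration would record that, for example `/* grows only when a core name outgrows its buffer; exempt from refcount overflow checks */`. The same applies to `core_dump_count` in do_coredump further down.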
45625 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
45626 char *tmp = getname(library);
45627 int error = PTR_ERR(tmp);
45628 static const struct open_flags uselib_flags = {
45629 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45630 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45631 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
45632 .intent = LOOKUP_OPEN
45633 };
45634 @@ -190,18 +202,10 @@ struct page *get_arg_page(struct linux_b
45635 int write)
45636 {
45637 struct page *page;
45638 - int ret;
45639
45640 -#ifdef CONFIG_STACK_GROWSUP
45641 - if (write) {
45642 - ret = expand_stack_downwards(bprm->vma, pos);
45643 - if (ret < 0)
45644 - return NULL;
45645 - }
45646 -#endif
45647 - ret = get_user_pages(current, bprm->mm, pos,
45648 - 1, write, 1, &page, NULL);
45649 - if (ret <= 0)
45650 + if (0 > expand_stack_downwards(bprm->vma, pos))
45651 + return NULL;
45652 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45653 return NULL;
45654
45655 if (write) {
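Review bot: The rewritten get_arg_page calls `expand_stack_downwards()` on every lookup, whereas the removed code did so only under CONFIG_STACK_GROWSUP and only when `write` was set. The hunk does not explain that widening, so a comment above the call should. The constant-first comparisons `0 > expand_stack_downwards(...)` and `0 >= get_user_pages(...)` also read against kernel style; `if (expand_stack_downwards(bprm->vma, pos) < 0)` says the same thing. The function's signature and tail lie outside the hunk.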
45656 @@ -276,6 +280,11 @@ static int __bprm_mm_init(struct linux_b
45657 vma->vm_end = STACK_TOP_MAX;
45658 vma->vm_start = vma->vm_end - PAGE_SIZE;
45659 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
45660 +
45661 +#ifdef CONFIG_PAX_SEGMEXEC
45662 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45663 +#endif
45664 +
45665 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45666 INIT_LIST_HEAD(&vma->anon_vma_chain);
45667
45668 @@ -290,6 +299,12 @@ static int __bprm_mm_init(struct linux_b
45669 mm->stack_vm = mm->total_vm = 1;
45670 up_write(&mm->mmap_sem);
45671 bprm->p = vma->vm_end - sizeof(void *);
45672 +
45673 +#ifdef CONFIG_PAX_RANDUSTACK
45674 + if (randomize_va_space)
45675 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45676 +#endif
45677 +
45678 return 0;
45679 err:
45680 up_write(&mm->mmap_sem);
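Review bot: The mask expression in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` has no comment, and its intent takes a moment to decode. It flips only bits below the page size and above the low four, so the initial stack pointer moves within its page in 16-byte steps. A line such as `/* randomize the in-page offset of the initial stack pointer, 16-byte granularity */` above the `if` would save the next reader that work. __bprm_mm_init starts outside the hunk.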
45681 @@ -525,7 +540,7 @@ int copy_strings_kernel(int argc, const
45682 int r;
45683 mm_segment_t oldfs = get_fs();
45684 set_fs(KERNEL_DS);
45685 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
45686 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
45687 set_fs(oldfs);
45688 return r;
45689 }
45690 @@ -555,7 +570,8 @@ static int shift_arg_pages(struct vm_are
45691 unsigned long new_end = old_end - shift;
45692 struct mmu_gather *tlb;
45693
45694 - BUG_ON(new_start > new_end);
45695 + if (new_start >= new_end || new_start < mmap_min_addr)
45696 + return -ENOMEM;
45697
45698 /*
45699 * ensure there are no vmas between where we want to go
45700 @@ -564,6 +580,10 @@ static int shift_arg_pages(struct vm_are
45701 if (vma != find_vma(mm, new_start))
45702 return -EFAULT;
45703
45704 +#ifdef CONFIG_PAX_SEGMEXEC
45705 + BUG_ON(pax_find_mirror_vma(vma));
45706 +#endif
45707 +
45708 /*
45709 * cover the whole range: [new_start, old_end)
45710 */
45711 @@ -644,10 +664,6 @@ int setup_arg_pages(struct linux_binprm
45712 stack_top = arch_align_stack(stack_top);
45713 stack_top = PAGE_ALIGN(stack_top);
45714
45715 - if (unlikely(stack_top < mmap_min_addr) ||
45716 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45717 - return -ENOMEM;
45718 -
45719 stack_shift = vma->vm_end - stack_top;
45720
45721 bprm->p -= stack_shift;
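Review bot: The bounds test deleted here ran on every call of setup_arg_pages, but its replacement, the `new_start < mmap_min_addr` test added to shift_arg_pages earlier in this file, is reached only through `if (stack_shift)` in the next hunk. When `stack_shift` is zero the stack top is no longer compared with `mmap_min_addr` at all. That may be harmless if an unshifted vma always sits at STACK_TOP_MAX, but the hunk does not say so. A comment at the relocated call, e.g. `/* shift_arg_pages() also rejects a stack that would land below mmap_min_addr */`, would make the dependency explicit. Most of setup_arg_pages is outside the hunk.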
45722 @@ -659,8 +675,28 @@ int setup_arg_pages(struct linux_binprm
45723 bprm->exec -= stack_shift;
45724
45725 down_write(&mm->mmap_sem);
45726 +
45727 + /* Move stack pages down in memory. */
45728 + if (stack_shift) {
45729 + ret = shift_arg_pages(vma, stack_shift);
45730 + if (ret)
45731 + goto out_unlock;
45732 + }
45733 +
45734 vm_flags = VM_STACK_FLAGS;
45735
45736 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45737 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45738 + vm_flags &= ~VM_EXEC;
45739 +
45740 +#ifdef CONFIG_PAX_MPROTECT
45741 + if (mm->pax_flags & MF_PAX_MPROTECT)
45742 + vm_flags &= ~VM_MAYEXEC;
45743 +#endif
45744 +
45745 + }
45746 +#endif
45747 +
45748 /*
45749 * Adjust stack execute permissions; explicitly enable for
45750 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
45751 @@ -679,13 +715,6 @@ int setup_arg_pages(struct linux_binprm
45752 goto out_unlock;
45753 BUG_ON(prev != vma);
45754
45755 - /* Move stack pages down in memory. */
45756 - if (stack_shift) {
45757 - ret = shift_arg_pages(vma, stack_shift);
45758 - if (ret)
45759 - goto out_unlock;
45760 - }
45761 -
45762 /* mprotect_fixup is overkill to remove the temporary stack flags */
45763 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
45764
45765 @@ -725,7 +754,7 @@ struct file *open_exec(const char *name)
45766 struct file *file;
45767 int err;
45768 static const struct open_flags open_exec_flags = {
45769 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45770 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45771 .acc_mode = MAY_EXEC | MAY_OPEN,
45772 .intent = LOOKUP_OPEN
45773 };
45774 @@ -766,7 +795,7 @@ int kernel_read(struct file *file, loff_
45775 old_fs = get_fs();
45776 set_fs(get_ds());
45777 /* The cast to a user pointer is valid due to the set_fs() */
45778 - result = vfs_read(file, (void __user *)addr, count, &pos);
45779 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
45780 set_fs(old_fs);
45781 return result;
45782 }
45783 @@ -1189,7 +1218,7 @@ int check_unsafe_exec(struct linux_binpr
45784 }
45785 rcu_read_unlock();
45786
45787 - if (p->fs->users > n_fs) {
45788 + if (atomic_read(&p->fs->users) > n_fs) {
45789 bprm->unsafe |= LSM_UNSAFE_SHARE;
45790 } else {
45791 res = -EAGAIN;
45792 @@ -1381,6 +1410,11 @@ int do_execve(const char * filename,
45793 const char __user *const __user *envp,
45794 struct pt_regs * regs)
45795 {
45796 +#ifdef CONFIG_GRKERNSEC
45797 + struct file *old_exec_file;
45798 + struct acl_subject_label *old_acl;
45799 + struct rlimit old_rlim[RLIM_NLIMITS];
45800 +#endif
45801 struct linux_binprm *bprm;
45802 struct file *file;
45803 struct files_struct *displaced;
45804 @@ -1417,6 +1451,23 @@ int do_execve(const char * filename,
45805 bprm->filename = filename;
45806 bprm->interp = filename;
45807
45808 + if (gr_process_user_ban()) {
45809 + retval = -EPERM;
45810 + goto out_file;
45811 + }
45812 +
45813 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45814 +
45815 + if (gr_handle_nproc()) {
45816 + retval = -EAGAIN;
45817 + goto out_file;
45818 + }
45819 +
45820 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45821 + retval = -EACCES;
45822 + goto out_file;
45823 + }
45824 +
45825 retval = bprm_mm_init(bprm);
45826 if (retval)
45827 goto out_file;
45828 @@ -1446,9 +1497,40 @@ int do_execve(const char * filename,
45829 if (retval < 0)
45830 goto out;
45831
45832 + if (!gr_tpe_allow(file)) {
45833 + retval = -EACCES;
45834 + goto out;
45835 + }
45836 +
45837 + if (gr_check_crash_exec(file)) {
45838 + retval = -EACCES;
45839 + goto out;
45840 + }
45841 +
45842 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45843 +
45844 + gr_handle_exec_args(bprm, argv);
45845 +
45846 +#ifdef CONFIG_GRKERNSEC
45847 + old_acl = current->acl;
45848 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45849 + old_exec_file = current->exec_file;
45850 + get_file(file);
45851 + current->exec_file = file;
45852 +#endif
45853 +
45854 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45855 + bprm->unsafe & LSM_UNSAFE_SHARE);
45856 + if (retval < 0)
45857 + goto out_fail;
45858 +
45859 retval = search_binary_handler(bprm,regs);
45860 if (retval < 0)
45861 - goto out;
45862 + goto out_fail;
45863 +#ifdef CONFIG_GRKERNSEC
45864 + if (old_exec_file)
45865 + fput(old_exec_file);
45866 +#endif
45867
45868 /* execve succeeded */
45869 current->fs->in_exec = 0;
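Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` and the matching restore under `out_fail` in the next hunk copy the whole rlimit table with no lock visible in either hunk. If another thread in the group can still change a limit while the exec is in flight, a failed exec would write the stale copy back over that update. Either take the lock the rlimit writers use around both copies, or add a comment saying why none is needed. `old_rlim[RLIM_NLIMITS]` also adds a sizeable array to do_execve's stack frame. The function starts and ends outside the hunk.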
45870 @@ -1459,6 +1541,14 @@ int do_execve(const char * filename,
45871 put_files_struct(displaced);
45872 return retval;
45873
45874 +out_fail:
45875 +#ifdef CONFIG_GRKERNSEC
45876 + current->acl = old_acl;
45877 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45878 + fput(current->exec_file);
45879 + current->exec_file = old_exec_file;
45880 +#endif
45881 +
45882 out:
45883 if (bprm->mm) {
45884 acct_arg_size(bprm, 0);
45885 @@ -1504,7 +1594,7 @@ static int expand_corename(struct core_n
45886 {
45887 char *old_corename = cn->corename;
45888
45889 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
45890 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
45891 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45892
45893 if (!cn->corename) {
45894 @@ -1557,7 +1647,7 @@ static int format_corename(struct core_n
45895 int pid_in_pattern = 0;
45896 int err = 0;
45897
45898 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
45899 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
45900 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45901 cn->used = 0;
45902
45903 @@ -1645,6 +1735,219 @@ out:
45904 return ispipe;
45905 }
45906
45907 +int pax_check_flags(unsigned long *flags)
45908 +{
45909 + int retval = 0;
45910 +
45911 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45912 + if (*flags & MF_PAX_SEGMEXEC)
45913 + {
45914 + *flags &= ~MF_PAX_SEGMEXEC;
45915 + retval = -EINVAL;
45916 + }
45917 +#endif
45918 +
45919 + if ((*flags & MF_PAX_PAGEEXEC)
45920 +
45921 +#ifdef CONFIG_PAX_PAGEEXEC
45922 + && (*flags & MF_PAX_SEGMEXEC)
45923 +#endif
45924 +
45925 + )
45926 + {
45927 + *flags &= ~MF_PAX_PAGEEXEC;
45928 + retval = -EINVAL;
45929 + }
45930 +
45931 + if ((*flags & MF_PAX_MPROTECT)
45932 +
45933 +#ifdef CONFIG_PAX_MPROTECT
45934 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45935 +#endif
45936 +
45937 + )
45938 + {
45939 + *flags &= ~MF_PAX_MPROTECT;
45940 + retval = -EINVAL;
45941 + }
45942 +
45943 + if ((*flags & MF_PAX_EMUTRAMP)
45944 +
45945 +#ifdef CONFIG_PAX_EMUTRAMP
45946 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45947 +#endif
45948 +
45949 + )
45950 + {
45951 + *flags &= ~MF_PAX_EMUTRAMP;
45952 + retval = -EINVAL;
45953 + }
45954 +
45955 + return retval;
45956 +}
45957 +
45958 +EXPORT_SYMBOL(pax_check_flags);
45959 +
45960 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45961 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45962 +{
45963 + struct task_struct *tsk = current;
45964 + struct mm_struct *mm = current->mm;
45965 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
45966 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
45967 + char *path_exec = NULL;
45968 + char *path_fault = NULL;
45969 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
45970 +
45971 + if (buffer_exec && buffer_fault) {
45972 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
45973 +
45974 + down_read(&mm->mmap_sem);
45975 + vma = mm->mmap;
45976 + while (vma && (!vma_exec || !vma_fault)) {
45977 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
45978 + vma_exec = vma;
45979 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
45980 + vma_fault = vma;
45981 + vma = vma->vm_next;
45982 + }
45983 + if (vma_exec) {
45984 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
45985 + if (IS_ERR(path_exec))
45986 + path_exec = "<path too long>";
45987 + else {
45988 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
45989 + if (path_exec) {
45990 + *path_exec = 0;
45991 + path_exec = buffer_exec;
45992 + } else
45993 + path_exec = "<path too long>";
45994 + }
45995 + }
45996 + if (vma_fault) {
45997 + start = vma_fault->vm_start;
45998 + end = vma_fault->vm_end;
45999 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
46000 + if (vma_fault->vm_file) {
46001 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
46002 + if (IS_ERR(path_fault))
46003 + path_fault = "<path too long>";
46004 + else {
46005 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
46006 + if (path_fault) {
46007 + *path_fault = 0;
46008 + path_fault = buffer_fault;
46009 + } else
46010 + path_fault = "<path too long>";
46011 + }
46012 + } else
46013 + path_fault = "<anonymous mapping>";
46014 + }
46015 + up_read(&mm->mmap_sem);
46016 + }
46017 + if (tsk->signal->curr_ip)
46018 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
46019 + else
46020 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
46021 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
46022 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
46023 + task_uid(tsk), task_euid(tsk), pc, sp);
46024 + free_page((unsigned long)buffer_exec);
46025 + free_page((unsigned long)buffer_fault);
46026 + pax_report_insns(pc, sp);
46027 + do_coredump(SIGKILL, SIGKILL, regs);
46028 +}
46029 +#endif
46030 +
46031 +#ifdef CONFIG_PAX_REFCOUNT
46032 +void pax_report_refcount_overflow(struct pt_regs *regs)
46033 +{
46034 + if (current->signal->curr_ip)
46035 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46036 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
46037 + else
46038 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46039 + current->comm, task_pid_nr(current), current_uid(), current_euid());
46040 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
46041 + show_regs(regs);
46042 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
46043 +}
46044 +#endif
46045 +
46046 +#ifdef CONFIG_PAX_USERCOPY
46047 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
46048 +int object_is_on_stack(const void *obj, unsigned long len)
46049 +{
46050 + const void * const stack = task_stack_page(current);
46051 + const void * const stackend = stack + THREAD_SIZE;
46052 +
46053 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46054 + const void *frame = NULL;
46055 + const void *oldframe;
46056 +#endif
46057 +
46058 + if (obj + len < obj)
46059 + return -1;
46060 +
46061 + if (obj + len <= stack || stackend <= obj)
46062 + return 0;
46063 +
46064 + if (obj < stack || stackend < obj + len)
46065 + return -1;
46066 +
46067 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46068 + oldframe = __builtin_frame_address(1);
46069 + if (oldframe)
46070 + frame = __builtin_frame_address(2);
46071 + /*
46072 + low ----------------------------------------------> high
46073 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
46074 + ^----------------^
46075 + allow copies only within here
46076 + */
46077 + while (stack <= frame && frame < stackend) {
46078 + /* if obj + len extends past the last frame, this
46079 + check won't pass and the next frame will be 0,
46080 + causing us to bail out and correctly report
46081 + the copy as invalid
46082 + */
46083 + if (obj + len <= frame)
46084 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
46085 + oldframe = frame;
46086 + frame = *(const void * const *)frame;
46087 + }
46088 + return -1;
46089 +#else
46090 + return 1;
46091 +#endif
46092 +}
46093 +
46094 +
46095 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
46096 +{
46097 + if (current->signal->curr_ip)
46098 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46099 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46100 + else
46101 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46102 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46103 + dump_stack();
46104 + gr_handle_kernel_exploit();
46105 + do_group_exit(SIGKILL);
46106 +}
46107 +#endif
46108 +
46109 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
46110 +void pax_track_stack(void)
46111 +{
46112 + unsigned long sp = (unsigned long)&sp;
46113 + if (sp < current_thread_info()->lowest_stack &&
46114 + sp > (unsigned long)task_stack_page(current))
46115 + current_thread_info()->lowest_stack = sp;
46116 +}
46117 +EXPORT_SYMBOL(pax_track_stack);
46118 +#endif
46119 +
46120 static int zap_process(struct task_struct *start, int exit_code)
46121 {
46122 struct task_struct *t;
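Review bot: In object_is_on_stack the wrap test `if (obj + len < obj)` uses pointer arithmetic on `const void *`, and overflowing a pointer is undefined in C, so the test is reliable only under compiler options that disable that assumption. The function sits under CONFIG_PAX_USERCOPY and decides whether a copy range is acceptable, so doing the comparison on integers is safer: `const unsigned long start = (unsigned long)obj; if (start + len < start) return -1;`. Separately, pax_report_fault escapes the two path strings with mangle_path() but prints `tsk->comm` unescaped in the same message, so that field can still carry characters the escaping was meant to keep out of the log. The hunk ends inside zap_process, which continues past it.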
46123 @@ -1855,17 +2158,17 @@ static void wait_for_dump_helpers(struct
46124 pipe = file->f_path.dentry->d_inode->i_pipe;
46125
46126 pipe_lock(pipe);
46127 - pipe->readers++;
46128 - pipe->writers--;
46129 + atomic_inc(&pipe->readers);
46130 + atomic_dec(&pipe->writers);
46131
46132 - while ((pipe->readers > 1) && (!signal_pending(current))) {
46133 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
46134 wake_up_interruptible_sync(&pipe->wait);
46135 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
46136 pipe_wait(pipe);
46137 }
46138
46139 - pipe->readers--;
46140 - pipe->writers++;
46141 + atomic_dec(&pipe->readers);
46142 + atomic_inc(&pipe->writers);
46143 pipe_unlock(pipe);
46144
46145 }
46146 @@ -1926,7 +2229,7 @@ void do_coredump(long signr, int exit_co
46147 int retval = 0;
46148 int flag = 0;
46149 int ispipe;
46150 - static atomic_t core_dump_count = ATOMIC_INIT(0);
46151 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
46152 struct coredump_params cprm = {
46153 .signr = signr,
46154 .regs = regs,
46155 @@ -1941,6 +2244,9 @@ void do_coredump(long signr, int exit_co
46156
46157 audit_core_dumps(signr);
46158
46159 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
46160 + gr_handle_brute_attach(current, cprm.mm_flags);
46161 +
46162 binfmt = mm->binfmt;
46163 if (!binfmt || !binfmt->core_dump)
46164 goto fail;
46165 @@ -1981,6 +2287,8 @@ void do_coredump(long signr, int exit_co
46166 goto fail_corename;
46167 }
46168
46169 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46170 +
46171 if (ispipe) {
46172 int dump_count;
46173 char **helper_argv;
46174 @@ -2008,7 +2316,7 @@ void do_coredump(long signr, int exit_co
46175 }
46176 cprm.limit = RLIM_INFINITY;
46177
46178 - dump_count = atomic_inc_return(&core_dump_count);
46179 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
46180 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46181 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46182 task_tgid_vnr(current), current->comm);
46183 @@ -2078,7 +2386,7 @@ close_fail:
46184 filp_close(cprm.file, NULL);
46185 fail_dropcount:
46186 if (ispipe)
46187 - atomic_dec(&core_dump_count);
46188 + atomic_dec_unchecked(&core_dump_count);
46189 fail_unlock:
46190 kfree(cn.corename);
46191 fail_corename:
46192 diff -urNp linux-2.6.39.3/fs/ext2/balloc.c linux-2.6.39.3/fs/ext2/balloc.c
46193 --- linux-2.6.39.3/fs/ext2/balloc.c 2011-05-19 00:06:34.000000000 -0400
46194 +++ linux-2.6.39.3/fs/ext2/balloc.c 2011-05-22 19:41:37.000000000 -0400
46195 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46196
46197 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46198 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46199 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46200 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46201 sbi->s_resuid != current_fsuid() &&
46202 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46203 return 0;
46204 diff -urNp linux-2.6.39.3/fs/ext3/balloc.c linux-2.6.39.3/fs/ext3/balloc.c
46205 --- linux-2.6.39.3/fs/ext3/balloc.c 2011-05-19 00:06:34.000000000 -0400
46206 +++ linux-2.6.39.3/fs/ext3/balloc.c 2011-05-22 19:41:37.000000000 -0400
46207 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
46208
46209 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46210 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46211 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46212 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46213 sbi->s_resuid != current_fsuid() &&
46214 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46215 return 0;
46216 diff -urNp linux-2.6.39.3/fs/ext4/balloc.c linux-2.6.39.3/fs/ext4/balloc.c
46217 --- linux-2.6.39.3/fs/ext4/balloc.c 2011-05-19 00:06:34.000000000 -0400
46218 +++ linux-2.6.39.3/fs/ext4/balloc.c 2011-05-22 19:41:37.000000000 -0400
46219 @@ -522,7 +522,7 @@ static int ext4_has_free_blocks(struct e
46220 /* Hm, nope. Are (enough) root reserved blocks available? */
46221 if (sbi->s_resuid == current_fsuid() ||
46222 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46223 - capable(CAP_SYS_RESOURCE)) {
46224 + capable_nolog(CAP_SYS_RESOURCE)) {
46225 if (free_blocks >= (nblocks + dirty_blocks))
46226 return 1;
46227 }
46228 diff -urNp linux-2.6.39.3/fs/ext4/ext4.h linux-2.6.39.3/fs/ext4/ext4.h
46229 --- linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:04:14.000000000 -0400
46230 +++ linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:32:07.000000000 -0400
46231 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
46232 unsigned long s_mb_last_start;
46233
46234 /* stats for buddy allocator */
46235 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46236 - atomic_t s_bal_success; /* we found long enough chunks */
46237 - atomic_t s_bal_allocated; /* in blocks */
46238 - atomic_t s_bal_ex_scanned; /* total extents scanned */
46239 - atomic_t s_bal_goals; /* goal hits */
46240 - atomic_t s_bal_breaks; /* too long searches */
46241 - atomic_t s_bal_2orders; /* 2^order hits */
46242 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46243 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46244 + atomic_unchecked_t s_bal_allocated; /* in blocks */
46245 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46246 + atomic_unchecked_t s_bal_goals; /* goal hits */
46247 + atomic_unchecked_t s_bal_breaks; /* too long searches */
46248 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46249 spinlock_t s_bal_lock;
46250 unsigned long s_mb_buddies_generated;
46251 unsigned long long s_mb_generation_time;
46252 - atomic_t s_mb_lost_chunks;
46253 - atomic_t s_mb_preallocated;
46254 - atomic_t s_mb_discarded;
46255 + atomic_unchecked_t s_mb_lost_chunks;
46256 + atomic_unchecked_t s_mb_preallocated;
46257 + atomic_unchecked_t s_mb_discarded;
46258 atomic_t s_lock_busy;
46259
46260 /* locality groups */
46261 diff -urNp linux-2.6.39.3/fs/ext4/mballoc.c linux-2.6.39.3/fs/ext4/mballoc.c
46262 --- linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:04:14.000000000 -0400
46263 +++ linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:32:07.000000000 -0400
46264 @@ -1853,7 +1853,7 @@ void ext4_mb_simple_scan_group(struct ex
46265 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46266
46267 if (EXT4_SB(sb)->s_mb_stats)
46268 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46269 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46270
46271 break;
46272 }
46273 @@ -2147,7 +2147,7 @@ repeat:
46274 ac->ac_status = AC_STATUS_CONTINUE;
46275 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46276 cr = 3;
46277 - atomic_inc(&sbi->s_mb_lost_chunks);
46278 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46279 goto repeat;
46280 }
46281 }
46282 @@ -2190,6 +2190,8 @@ static int ext4_mb_seq_groups_show(struc
46283 ext4_grpblk_t counters[16];
46284 } sg;
46285
46286 + pax_track_stack();
46287 +
46288 group--;
46289 if (group == 0)
46290 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46291 @@ -2613,25 +2615,25 @@ int ext4_mb_release(struct super_block *
46292 if (sbi->s_mb_stats) {
46293 printk(KERN_INFO
46294 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46295 - atomic_read(&sbi->s_bal_allocated),
46296 - atomic_read(&sbi->s_bal_reqs),
46297 - atomic_read(&sbi->s_bal_success));
46298 + atomic_read_unchecked(&sbi->s_bal_allocated),
46299 + atomic_read_unchecked(&sbi->s_bal_reqs),
46300 + atomic_read_unchecked(&sbi->s_bal_success));
46301 printk(KERN_INFO
46302 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46303 "%u 2^N hits, %u breaks, %u lost\n",
46304 - atomic_read(&sbi->s_bal_ex_scanned),
46305 - atomic_read(&sbi->s_bal_goals),
46306 - atomic_read(&sbi->s_bal_2orders),
46307 - atomic_read(&sbi->s_bal_breaks),
46308 - atomic_read(&sbi->s_mb_lost_chunks));
46309 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46310 + atomic_read_unchecked(&sbi->s_bal_goals),
46311 + atomic_read_unchecked(&sbi->s_bal_2orders),
46312 + atomic_read_unchecked(&sbi->s_bal_breaks),
46313 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46314 printk(KERN_INFO
46315 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46316 sbi->s_mb_buddies_generated++,
46317 sbi->s_mb_generation_time);
46318 printk(KERN_INFO
46319 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46320 - atomic_read(&sbi->s_mb_preallocated),
46321 - atomic_read(&sbi->s_mb_discarded));
46322 + atomic_read_unchecked(&sbi->s_mb_preallocated),
46323 + atomic_read_unchecked(&sbi->s_mb_discarded));
46324 }
46325
46326 free_percpu(sbi->s_locality_groups);
46327 @@ -3107,16 +3109,16 @@ static void ext4_mb_collect_stats(struct
46328 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46329
46330 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46331 - atomic_inc(&sbi->s_bal_reqs);
46332 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46333 + atomic_inc_unchecked(&sbi->s_bal_reqs);
46334 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46335 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
46336 - atomic_inc(&sbi->s_bal_success);
46337 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46338 + atomic_inc_unchecked(&sbi->s_bal_success);
46339 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46340 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46341 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46342 - atomic_inc(&sbi->s_bal_goals);
46343 + atomic_inc_unchecked(&sbi->s_bal_goals);
46344 if (ac->ac_found > sbi->s_mb_max_to_scan)
46345 - atomic_inc(&sbi->s_bal_breaks);
46346 + atomic_inc_unchecked(&sbi->s_bal_breaks);
46347 }
46348
46349 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46350 @@ -3514,7 +3516,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46351 trace_ext4_mb_new_inode_pa(ac, pa);
46352
46353 ext4_mb_use_inode_pa(ac, pa);
46354 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46355 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46356
46357 ei = EXT4_I(ac->ac_inode);
46358 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46359 @@ -3574,7 +3576,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46360 trace_ext4_mb_new_group_pa(ac, pa);
46361
46362 ext4_mb_use_group_pa(ac, pa);
46363 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46364 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46365
46366 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46367 lg = ac->ac_lg;
46368 @@ -3661,7 +3663,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46369 * from the bitmap and continue.
46370 */
46371 }
46372 - atomic_add(free, &sbi->s_mb_discarded);
46373 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
46374
46375 return err;
46376 }
46377 @@ -3679,7 +3681,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46378 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46379 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46380 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46381 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46382 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46383 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
46384
46385 return 0;
46386 diff -urNp linux-2.6.39.3/fs/fcntl.c linux-2.6.39.3/fs/fcntl.c
46387 --- linux-2.6.39.3/fs/fcntl.c 2011-05-19 00:06:34.000000000 -0400
46388 +++ linux-2.6.39.3/fs/fcntl.c 2011-05-22 20:45:50.000000000 -0400
46389 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
46390 if (err)
46391 return err;
46392
46393 + if (gr_handle_chroot_fowner(pid, type))
46394 + return -ENOENT;
46395 + if (gr_check_protected_task_fowner(pid, type))
46396 + return -EACCES;
46397 +
46398 f_modown(filp, pid, type, force);
46399 return 0;
46400 }
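Review bot: The two hooks added to `__f_setown` return different errnos (`-ENOENT` for `gr_handle_chroot_fowner`, `-EACCES` for `gr_check_protected_task_fowner`), and no comment explains the difference. Going by the names only, the first appears to hide a target outside the caller's chroot and the second to refuse a protected task. A comment above them would record that, for example `/* grsecurity: a target outside our chroot is reported as nonexistent; a protected task is refused outright */`. The checks sit in front of `f_modown()`, so any caller that reaches `f_modown()` directly would skip them; whether such callers pass a non-NULL pid cannot be seen from this hunk. The function starts outside the hunk.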
46401 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
46402 switch (cmd) {
46403 case F_DUPFD:
46404 case F_DUPFD_CLOEXEC:
46405 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46406 if (arg >= rlimit(RLIMIT_NOFILE))
46407 break;
46408 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
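Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, arg, 0)` receives the raw user-supplied `arg` before the `arg >= rlimit(RLIMIT_NOFILE)` test, so a request that is about to be rejected is still reported to the learning code. If the callee records the largest value it sees (its body is not in this hunk), the generated RLIMIT_NOFILE policy could end up far looser than the workload needs, so confirm that it clamps the value or that learned limits are reviewed before use. The `expand_files` hunk in fs/file.c has the same call-before-check order with `nr`. If the order is deliberate, a comment such as `/* learning: record the requested fd number even when it exceeds the limit */` would say so. `do_fcntl` continues outside the hunk.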
46409 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
46410 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
46411 * is defined as O_NONBLOCK on some platforms and not on others.
46412 */
46413 - BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46414 + BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46415 O_RDONLY | O_WRONLY | O_RDWR |
46416 O_CREAT | O_EXCL | O_NOCTTY |
46417 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
46418 __O_SYNC | O_DSYNC | FASYNC |
46419 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
46420 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
46421 - __FMODE_EXEC | O_PATH
46422 + __FMODE_EXEC | O_PATH | FMODE_GREXEC
46423 ));
46424
46425 fasync_cache = kmem_cache_create("fasync_cache",
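Review bot: `FMODE_GREXEC` joins a mask that the comment above describes in terms of O_* flags, and the expected bit count moves from 19 to 20, but nothing says that this is a kernel-internal bit or which value it takes. The `HWEIGHT32` test only detects a collision with flags that are in the list. `O_NONBLOCK` is commented out of it, so an overlap with that flag would still count 20 bits and pass. I would add a comment next to the new entry, e.g. `/* FMODE_GREXEC: grsecurity-internal bit in the f_flags space; must not overlap any O_* flag, including O_NONBLOCK */`. `fcntl_init` starts and ends outside the hunk.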
46426 diff -urNp linux-2.6.39.3/fs/fifo.c linux-2.6.39.3/fs/fifo.c
46427 --- linux-2.6.39.3/fs/fifo.c 2011-05-19 00:06:34.000000000 -0400
46428 +++ linux-2.6.39.3/fs/fifo.c 2011-05-22 19:36:32.000000000 -0400
46429 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
46430 */
46431 filp->f_op = &read_pipefifo_fops;
46432 pipe->r_counter++;
46433 - if (pipe->readers++ == 0)
46434 + if (atomic_inc_return(&pipe->readers) == 1)
46435 wake_up_partner(inode);
46436
46437 - if (!pipe->writers) {
46438 + if (!atomic_read(&pipe->writers)) {
46439 if ((filp->f_flags & O_NONBLOCK)) {
46440 /* suppress POLLHUP until we have
46441 * seen a writer */
46442 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
46443 * errno=ENXIO when there is no process reading the FIFO.
46444 */
46445 ret = -ENXIO;
46446 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46447 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46448 goto err;
46449
46450 filp->f_op = &write_pipefifo_fops;
46451 pipe->w_counter++;
46452 - if (!pipe->writers++)
46453 + if (atomic_inc_return(&pipe->writers) == 1)
46454 wake_up_partner(inode);
46455
46456 - if (!pipe->readers) {
46457 + if (!atomic_read(&pipe->readers)) {
46458 wait_for_partner(inode, &pipe->r_counter);
46459 if (signal_pending(current))
46460 goto err_wr;
46461 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
46462 */
46463 filp->f_op = &rdwr_pipefifo_fops;
46464
46465 - pipe->readers++;
46466 - pipe->writers++;
46467 + atomic_inc(&pipe->readers);
46468 + atomic_inc(&pipe->writers);
46469 pipe->r_counter++;
46470 pipe->w_counter++;
46471 - if (pipe->readers == 1 || pipe->writers == 1)
46472 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46473 wake_up_partner(inode);
46474 break;
46475
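Review bot: The read/write open path increments with `atomic_inc()` and then re-reads both counters with `atomic_read()`, while the read-only and write-only paths in the earlier hunks of this file test `atomic_inc_return(...) == 1`. The two-step form matches the old `pipe->readers == 1 || pipe->writers == 1` test only if nothing can change the counters between the increment and the read. That depends on locking which is not visible in this hunk. For consistency I would keep the results of `atomic_inc_return(&pipe->readers)` and `atomic_inc_return(&pipe->writers)` in two locals and test `r == 1 || w == 1`. `fifo_open` starts and ends outside the hunk.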
46476 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
46477 return 0;
46478
46479 err_rd:
46480 - if (!--pipe->readers)
46481 + if (atomic_dec_and_test(&pipe->readers))
46482 wake_up_interruptible(&pipe->wait);
46483 ret = -ERESTARTSYS;
46484 goto err;
46485
46486 err_wr:
46487 - if (!--pipe->writers)
46488 + if (atomic_dec_and_test(&pipe->writers))
46489 wake_up_interruptible(&pipe->wait);
46490 ret = -ERESTARTSYS;
46491 goto err;
46492
46493 err:
46494 - if (!pipe->readers && !pipe->writers)
46495 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46496 free_pipe_info(inode);
46497
46498 err_nocleanup:
46499 diff -urNp linux-2.6.39.3/fs/file.c linux-2.6.39.3/fs/file.c
46500 --- linux-2.6.39.3/fs/file.c 2011-05-19 00:06:34.000000000 -0400
46501 +++ linux-2.6.39.3/fs/file.c 2011-05-22 19:41:37.000000000 -0400
46502 @@ -15,6 +15,7 @@
46503 #include <linux/slab.h>
46504 #include <linux/vmalloc.h>
46505 #include <linux/file.h>
46506 +#include <linux/security.h>
46507 #include <linux/fdtable.h>
46508 #include <linux/bitops.h>
46509 #include <linux/interrupt.h>
46510 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
46511 * N.B. For clone tasks sharing a files structure, this test
46512 * will limit the total number of files that can be opened.
46513 */
46514 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46515 if (nr >= rlimit(RLIMIT_NOFILE))
46516 return -EMFILE;
46517
46518 diff -urNp linux-2.6.39.3/fs/filesystems.c linux-2.6.39.3/fs/filesystems.c
46519 --- linux-2.6.39.3/fs/filesystems.c 2011-05-19 00:06:34.000000000 -0400
46520 +++ linux-2.6.39.3/fs/filesystems.c 2011-05-22 19:41:37.000000000 -0400
46521 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
46522 int len = dot ? dot - name : strlen(name);
46523
46524 fs = __get_fs_type(name, len);
46525 +
46526 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46527 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46528 +#else
46529 if (!fs && (request_module("%.*s", len, name) == 0))
46530 +#endif
46531 fs = __get_fs_type(name, len);
46532
46533 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
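Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block splits the `if (...)` header across two preprocessor branches that share one body line, which is easy to break on a later edit and hard to read in a diff. A small static helper would keep the configuration switch in one place and leave a single `if` in `get_fs_type`, still short-circuited on `!fs` so that no module request is made when the type is already registered. Whether `___request_module` is declared when module support is compiled out is not visible here and should be checked. `get_fs_type` starts and ends outside the hunk.

```c
/* Ask for the filesystem module; with MODHARDEN the request is tagged so
 * the module loader can tell it came from a mount-time filesystem lookup. */
static int fs_request_module(const char *name, int len)
{
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	return ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
	return request_module("%.*s", len, name);
#endif
}

	/* … unchanged: first __get_fs_type() lookup … */
	if (!fs && fs_request_module(name, len) == 0)
		fs = __get_fs_type(name, len);
```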
46534 diff -urNp linux-2.6.39.3/fs/fscache/cookie.c linux-2.6.39.3/fs/fscache/cookie.c
46535 --- linux-2.6.39.3/fs/fscache/cookie.c 2011-05-19 00:06:34.000000000 -0400
46536 +++ linux-2.6.39.3/fs/fscache/cookie.c 2011-05-22 19:36:32.000000000 -0400
46537 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46538 parent ? (char *) parent->def->name : "<no-parent>",
46539 def->name, netfs_data);
46540
46541 - fscache_stat(&fscache_n_acquires);
46542 + fscache_stat_unchecked(&fscache_n_acquires);
46543
46544 /* if there's no parent cookie, then we don't create one here either */
46545 if (!parent) {
46546 - fscache_stat(&fscache_n_acquires_null);
46547 + fscache_stat_unchecked(&fscache_n_acquires_null);
46548 _leave(" [no parent]");
46549 return NULL;
46550 }
46551 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46552 /* allocate and initialise a cookie */
46553 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46554 if (!cookie) {
46555 - fscache_stat(&fscache_n_acquires_oom);
46556 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46557 _leave(" [ENOMEM]");
46558 return NULL;
46559 }
46560 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46561
46562 switch (cookie->def->type) {
46563 case FSCACHE_COOKIE_TYPE_INDEX:
46564 - fscache_stat(&fscache_n_cookie_index);
46565 + fscache_stat_unchecked(&fscache_n_cookie_index);
46566 break;
46567 case FSCACHE_COOKIE_TYPE_DATAFILE:
46568 - fscache_stat(&fscache_n_cookie_data);
46569 + fscache_stat_unchecked(&fscache_n_cookie_data);
46570 break;
46571 default:
46572 - fscache_stat(&fscache_n_cookie_special);
46573 + fscache_stat_unchecked(&fscache_n_cookie_special);
46574 break;
46575 }
46576
46577 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46578 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46579 atomic_dec(&parent->n_children);
46580 __fscache_cookie_put(cookie);
46581 - fscache_stat(&fscache_n_acquires_nobufs);
46582 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46583 _leave(" = NULL");
46584 return NULL;
46585 }
46586 }
46587
46588 - fscache_stat(&fscache_n_acquires_ok);
46589 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46590 _leave(" = %p", cookie);
46591 return cookie;
46592 }
46593 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46594 cache = fscache_select_cache_for_object(cookie->parent);
46595 if (!cache) {
46596 up_read(&fscache_addremove_sem);
46597 - fscache_stat(&fscache_n_acquires_no_cache);
46598 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46599 _leave(" = -ENOMEDIUM [no cache]");
46600 return -ENOMEDIUM;
46601 }
46602 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46603 object = cache->ops->alloc_object(cache, cookie);
46604 fscache_stat_d(&fscache_n_cop_alloc_object);
46605 if (IS_ERR(object)) {
46606 - fscache_stat(&fscache_n_object_no_alloc);
46607 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46608 ret = PTR_ERR(object);
46609 goto error;
46610 }
46611
46612 - fscache_stat(&fscache_n_object_alloc);
46613 + fscache_stat_unchecked(&fscache_n_object_alloc);
46614
46615 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46616
46617 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46618 struct fscache_object *object;
46619 struct hlist_node *_p;
46620
46621 - fscache_stat(&fscache_n_updates);
46622 + fscache_stat_unchecked(&fscache_n_updates);
46623
46624 if (!cookie) {
46625 - fscache_stat(&fscache_n_updates_null);
46626 + fscache_stat_unchecked(&fscache_n_updates_null);
46627 _leave(" [no cookie]");
46628 return;
46629 }
46630 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46631 struct fscache_object *object;
46632 unsigned long event;
46633
46634 - fscache_stat(&fscache_n_relinquishes);
46635 + fscache_stat_unchecked(&fscache_n_relinquishes);
46636 if (retire)
46637 - fscache_stat(&fscache_n_relinquishes_retire);
46638 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46639
46640 if (!cookie) {
46641 - fscache_stat(&fscache_n_relinquishes_null);
46642 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
46643 _leave(" [no cookie]");
46644 return;
46645 }
46646 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46647
46648 /* wait for the cookie to finish being instantiated (or to fail) */
46649 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46650 - fscache_stat(&fscache_n_relinquishes_waitcrt);
46651 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46652 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46653 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46654 }
46655 diff -urNp linux-2.6.39.3/fs/fscache/internal.h linux-2.6.39.3/fs/fscache/internal.h
46656 --- linux-2.6.39.3/fs/fscache/internal.h 2011-05-19 00:06:34.000000000 -0400
46657 +++ linux-2.6.39.3/fs/fscache/internal.h 2011-05-22 19:36:32.000000000 -0400
46658 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
46659 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46660 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46661
46662 -extern atomic_t fscache_n_op_pend;
46663 -extern atomic_t fscache_n_op_run;
46664 -extern atomic_t fscache_n_op_enqueue;
46665 -extern atomic_t fscache_n_op_deferred_release;
46666 -extern atomic_t fscache_n_op_release;
46667 -extern atomic_t fscache_n_op_gc;
46668 -extern atomic_t fscache_n_op_cancelled;
46669 -extern atomic_t fscache_n_op_rejected;
46670 -
46671 -extern atomic_t fscache_n_attr_changed;
46672 -extern atomic_t fscache_n_attr_changed_ok;
46673 -extern atomic_t fscache_n_attr_changed_nobufs;
46674 -extern atomic_t fscache_n_attr_changed_nomem;
46675 -extern atomic_t fscache_n_attr_changed_calls;
46676 -
46677 -extern atomic_t fscache_n_allocs;
46678 -extern atomic_t fscache_n_allocs_ok;
46679 -extern atomic_t fscache_n_allocs_wait;
46680 -extern atomic_t fscache_n_allocs_nobufs;
46681 -extern atomic_t fscache_n_allocs_intr;
46682 -extern atomic_t fscache_n_allocs_object_dead;
46683 -extern atomic_t fscache_n_alloc_ops;
46684 -extern atomic_t fscache_n_alloc_op_waits;
46685 -
46686 -extern atomic_t fscache_n_retrievals;
46687 -extern atomic_t fscache_n_retrievals_ok;
46688 -extern atomic_t fscache_n_retrievals_wait;
46689 -extern atomic_t fscache_n_retrievals_nodata;
46690 -extern atomic_t fscache_n_retrievals_nobufs;
46691 -extern atomic_t fscache_n_retrievals_intr;
46692 -extern atomic_t fscache_n_retrievals_nomem;
46693 -extern atomic_t fscache_n_retrievals_object_dead;
46694 -extern atomic_t fscache_n_retrieval_ops;
46695 -extern atomic_t fscache_n_retrieval_op_waits;
46696 -
46697 -extern atomic_t fscache_n_stores;
46698 -extern atomic_t fscache_n_stores_ok;
46699 -extern atomic_t fscache_n_stores_again;
46700 -extern atomic_t fscache_n_stores_nobufs;
46701 -extern atomic_t fscache_n_stores_oom;
46702 -extern atomic_t fscache_n_store_ops;
46703 -extern atomic_t fscache_n_store_calls;
46704 -extern atomic_t fscache_n_store_pages;
46705 -extern atomic_t fscache_n_store_radix_deletes;
46706 -extern atomic_t fscache_n_store_pages_over_limit;
46707 -
46708 -extern atomic_t fscache_n_store_vmscan_not_storing;
46709 -extern atomic_t fscache_n_store_vmscan_gone;
46710 -extern atomic_t fscache_n_store_vmscan_busy;
46711 -extern atomic_t fscache_n_store_vmscan_cancelled;
46712 -
46713 -extern atomic_t fscache_n_marks;
46714 -extern atomic_t fscache_n_uncaches;
46715 -
46716 -extern atomic_t fscache_n_acquires;
46717 -extern atomic_t fscache_n_acquires_null;
46718 -extern atomic_t fscache_n_acquires_no_cache;
46719 -extern atomic_t fscache_n_acquires_ok;
46720 -extern atomic_t fscache_n_acquires_nobufs;
46721 -extern atomic_t fscache_n_acquires_oom;
46722 -
46723 -extern atomic_t fscache_n_updates;
46724 -extern atomic_t fscache_n_updates_null;
46725 -extern atomic_t fscache_n_updates_run;
46726 -
46727 -extern atomic_t fscache_n_relinquishes;
46728 -extern atomic_t fscache_n_relinquishes_null;
46729 -extern atomic_t fscache_n_relinquishes_waitcrt;
46730 -extern atomic_t fscache_n_relinquishes_retire;
46731 -
46732 -extern atomic_t fscache_n_cookie_index;
46733 -extern atomic_t fscache_n_cookie_data;
46734 -extern atomic_t fscache_n_cookie_special;
46735 -
46736 -extern atomic_t fscache_n_object_alloc;
46737 -extern atomic_t fscache_n_object_no_alloc;
46738 -extern atomic_t fscache_n_object_lookups;
46739 -extern atomic_t fscache_n_object_lookups_negative;
46740 -extern atomic_t fscache_n_object_lookups_positive;
46741 -extern atomic_t fscache_n_object_lookups_timed_out;
46742 -extern atomic_t fscache_n_object_created;
46743 -extern atomic_t fscache_n_object_avail;
46744 -extern atomic_t fscache_n_object_dead;
46745 -
46746 -extern atomic_t fscache_n_checkaux_none;
46747 -extern atomic_t fscache_n_checkaux_okay;
46748 -extern atomic_t fscache_n_checkaux_update;
46749 -extern atomic_t fscache_n_checkaux_obsolete;
46750 +extern atomic_unchecked_t fscache_n_op_pend;
46751 +extern atomic_unchecked_t fscache_n_op_run;
46752 +extern atomic_unchecked_t fscache_n_op_enqueue;
46753 +extern atomic_unchecked_t fscache_n_op_deferred_release;
46754 +extern atomic_unchecked_t fscache_n_op_release;
46755 +extern atomic_unchecked_t fscache_n_op_gc;
46756 +extern atomic_unchecked_t fscache_n_op_cancelled;
46757 +extern atomic_unchecked_t fscache_n_op_rejected;
46758 +
46759 +extern atomic_unchecked_t fscache_n_attr_changed;
46760 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
46761 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46762 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46763 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
46764 +
46765 +extern atomic_unchecked_t fscache_n_allocs;
46766 +extern atomic_unchecked_t fscache_n_allocs_ok;
46767 +extern atomic_unchecked_t fscache_n_allocs_wait;
46768 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
46769 +extern atomic_unchecked_t fscache_n_allocs_intr;
46770 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
46771 +extern atomic_unchecked_t fscache_n_alloc_ops;
46772 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
46773 +
46774 +extern atomic_unchecked_t fscache_n_retrievals;
46775 +extern atomic_unchecked_t fscache_n_retrievals_ok;
46776 +extern atomic_unchecked_t fscache_n_retrievals_wait;
46777 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
46778 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46779 +extern atomic_unchecked_t fscache_n_retrievals_intr;
46780 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
46781 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46782 +extern atomic_unchecked_t fscache_n_retrieval_ops;
46783 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46784 +
46785 +extern atomic_unchecked_t fscache_n_stores;
46786 +extern atomic_unchecked_t fscache_n_stores_ok;
46787 +extern atomic_unchecked_t fscache_n_stores_again;
46788 +extern atomic_unchecked_t fscache_n_stores_nobufs;
46789 +extern atomic_unchecked_t fscache_n_stores_oom;
46790 +extern atomic_unchecked_t fscache_n_store_ops;
46791 +extern atomic_unchecked_t fscache_n_store_calls;
46792 +extern atomic_unchecked_t fscache_n_store_pages;
46793 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
46794 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46795 +
46796 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46797 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46798 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46799 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46800 +
46801 +extern atomic_unchecked_t fscache_n_marks;
46802 +extern atomic_unchecked_t fscache_n_uncaches;
46803 +
46804 +extern atomic_unchecked_t fscache_n_acquires;
46805 +extern atomic_unchecked_t fscache_n_acquires_null;
46806 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
46807 +extern atomic_unchecked_t fscache_n_acquires_ok;
46808 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
46809 +extern atomic_unchecked_t fscache_n_acquires_oom;
46810 +
46811 +extern atomic_unchecked_t fscache_n_updates;
46812 +extern atomic_unchecked_t fscache_n_updates_null;
46813 +extern atomic_unchecked_t fscache_n_updates_run;
46814 +
46815 +extern atomic_unchecked_t fscache_n_relinquishes;
46816 +extern atomic_unchecked_t fscache_n_relinquishes_null;
46817 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46818 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
46819 +
46820 +extern atomic_unchecked_t fscache_n_cookie_index;
46821 +extern atomic_unchecked_t fscache_n_cookie_data;
46822 +extern atomic_unchecked_t fscache_n_cookie_special;
46823 +
46824 +extern atomic_unchecked_t fscache_n_object_alloc;
46825 +extern atomic_unchecked_t fscache_n_object_no_alloc;
46826 +extern atomic_unchecked_t fscache_n_object_lookups;
46827 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
46828 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
46829 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46830 +extern atomic_unchecked_t fscache_n_object_created;
46831 +extern atomic_unchecked_t fscache_n_object_avail;
46832 +extern atomic_unchecked_t fscache_n_object_dead;
46833 +
46834 +extern atomic_unchecked_t fscache_n_checkaux_none;
46835 +extern atomic_unchecked_t fscache_n_checkaux_okay;
46836 +extern atomic_unchecked_t fscache_n_checkaux_update;
46837 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46838
46839 extern atomic_t fscache_n_cop_alloc_object;
46840 extern atomic_t fscache_n_cop_lookup_object;
46841 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
46842 atomic_inc(stat);
46843 }
46844
46845 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46846 +{
46847 + atomic_inc_unchecked(stat);
46848 +}
46849 +
46850 static inline void fscache_stat_d(atomic_t *stat)
46851 {
46852 atomic_dec(stat);
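Review bot: `fscache_stat_unchecked()` is added beside `fscache_stat()` with no comment saying when each one applies. The declaration hunk above converts most counters to `atomic_unchecked_t` but leaves the `fscache_n_cop_*` counters as `atomic_t`. Judging from this file, the rule seems to be that counters which are only incremented for statistics may wrap, while those also decremented through `fscache_stat_d()` keep the checked type. A comment on the new helper would state that, e.g. `/* for statistics-only counters where wrap-around is harmless; counters paired with fscache_stat_d() stay atomic_t */`. Without it, a later counter can easily be given the wrong type and lose overflow checking where it matters.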
46853 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
46854
46855 #define __fscache_stat(stat) (NULL)
46856 #define fscache_stat(stat) do {} while (0)
46857 +#define fscache_stat_unchecked(stat) do {} while (0)
46858 #define fscache_stat_d(stat) do {} while (0)
46859 #endif
46860
46861 diff -urNp linux-2.6.39.3/fs/fscache/object.c linux-2.6.39.3/fs/fscache/object.c
46862 --- linux-2.6.39.3/fs/fscache/object.c 2011-05-19 00:06:34.000000000 -0400
46863 +++ linux-2.6.39.3/fs/fscache/object.c 2011-05-22 19:36:32.000000000 -0400
46864 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
46865 /* update the object metadata on disk */
46866 case FSCACHE_OBJECT_UPDATING:
46867 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46868 - fscache_stat(&fscache_n_updates_run);
46869 + fscache_stat_unchecked(&fscache_n_updates_run);
46870 fscache_stat(&fscache_n_cop_update_object);
46871 object->cache->ops->update_object(object);
46872 fscache_stat_d(&fscache_n_cop_update_object);
46873 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
46874 spin_lock(&object->lock);
46875 object->state = FSCACHE_OBJECT_DEAD;
46876 spin_unlock(&object->lock);
46877 - fscache_stat(&fscache_n_object_dead);
46878 + fscache_stat_unchecked(&fscache_n_object_dead);
46879 goto terminal_transit;
46880
46881 /* handle the parent cache of this object being withdrawn from
46882 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
46883 spin_lock(&object->lock);
46884 object->state = FSCACHE_OBJECT_DEAD;
46885 spin_unlock(&object->lock);
46886 - fscache_stat(&fscache_n_object_dead);
46887 + fscache_stat_unchecked(&fscache_n_object_dead);
46888 goto terminal_transit;
46889
46890 /* complain about the object being woken up once it is
46891 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
46892 parent->cookie->def->name, cookie->def->name,
46893 object->cache->tag->name);
46894
46895 - fscache_stat(&fscache_n_object_lookups);
46896 + fscache_stat_unchecked(&fscache_n_object_lookups);
46897 fscache_stat(&fscache_n_cop_lookup_object);
46898 ret = object->cache->ops->lookup_object(object);
46899 fscache_stat_d(&fscache_n_cop_lookup_object);
46900 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
46901 if (ret == -ETIMEDOUT) {
46902 /* probably stuck behind another object, so move this one to
46903 * the back of the queue */
46904 - fscache_stat(&fscache_n_object_lookups_timed_out);
46905 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46906 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46907 }
46908
46909 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
46910
46911 spin_lock(&object->lock);
46912 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46913 - fscache_stat(&fscache_n_object_lookups_negative);
46914 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46915
46916 /* transit here to allow write requests to begin stacking up
46917 * and read requests to begin returning ENODATA */
46918 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
46919 * result, in which case there may be data available */
46920 spin_lock(&object->lock);
46921 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46922 - fscache_stat(&fscache_n_object_lookups_positive);
46923 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46924
46925 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46926
46927 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
46928 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46929 } else {
46930 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46931 - fscache_stat(&fscache_n_object_created);
46932 + fscache_stat_unchecked(&fscache_n_object_created);
46933
46934 object->state = FSCACHE_OBJECT_AVAILABLE;
46935 spin_unlock(&object->lock);
46936 @@ -602,7 +602,7 @@ static void fscache_object_available(str
46937 fscache_enqueue_dependents(object);
46938
46939 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46940 - fscache_stat(&fscache_n_object_avail);
46941 + fscache_stat_unchecked(&fscache_n_object_avail);
46942
46943 _leave("");
46944 }
46945 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46946 enum fscache_checkaux result;
46947
46948 if (!object->cookie->def->check_aux) {
46949 - fscache_stat(&fscache_n_checkaux_none);
46950 + fscache_stat_unchecked(&fscache_n_checkaux_none);
46951 return FSCACHE_CHECKAUX_OKAY;
46952 }
46953
46954 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46955 switch (result) {
46956 /* entry okay as is */
46957 case FSCACHE_CHECKAUX_OKAY:
46958 - fscache_stat(&fscache_n_checkaux_okay);
46959 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
46960 break;
46961
46962 /* entry requires update */
46963 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46964 - fscache_stat(&fscache_n_checkaux_update);
46965 + fscache_stat_unchecked(&fscache_n_checkaux_update);
46966 break;
46967
46968 /* entry requires deletion */
46969 case FSCACHE_CHECKAUX_OBSOLETE:
46970 - fscache_stat(&fscache_n_checkaux_obsolete);
46971 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
46972 break;
46973
46974 default:
46975 diff -urNp linux-2.6.39.3/fs/fscache/operation.c linux-2.6.39.3/fs/fscache/operation.c
46976 --- linux-2.6.39.3/fs/fscache/operation.c 2011-05-19 00:06:34.000000000 -0400
46977 +++ linux-2.6.39.3/fs/fscache/operation.c 2011-05-22 19:36:32.000000000 -0400
46978 @@ -17,7 +17,7 @@
46979 #include <linux/slab.h>
46980 #include "internal.h"
46981
46982 -atomic_t fscache_op_debug_id;
46983 +atomic_unchecked_t fscache_op_debug_id;
46984 EXPORT_SYMBOL(fscache_op_debug_id);
46985
46986 /**
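Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, and its type changes here from `atomic_t` to `atomic_unchecked_t`. Its `extern` declaration and every user outside this file therefore have to switch to the `_unchecked` accessors in the same patch, and none of them is in this hunk. That is worth checking across the tree, including any cache backend that takes ids from this counter. A short comment on the definition would record why the unchecked type is acceptable, e.g. `/* debug id generator only: wrap-around is harmless */`.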
46987 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
46988 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
46989 ASSERTCMP(atomic_read(&op->usage), >, 0);
46990
46991 - fscache_stat(&fscache_n_op_enqueue);
46992 + fscache_stat_unchecked(&fscache_n_op_enqueue);
46993 switch (op->flags & FSCACHE_OP_TYPE) {
46994 case FSCACHE_OP_ASYNC:
46995 _debug("queue async");
46996 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
46997 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
46998 if (op->processor)
46999 fscache_enqueue_operation(op);
47000 - fscache_stat(&fscache_n_op_run);
47001 + fscache_stat_unchecked(&fscache_n_op_run);
47002 }
47003
47004 /*
47005 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
47006 if (object->n_ops > 1) {
47007 atomic_inc(&op->usage);
47008 list_add_tail(&op->pend_link, &object->pending_ops);
47009 - fscache_stat(&fscache_n_op_pend);
47010 + fscache_stat_unchecked(&fscache_n_op_pend);
47011 } else if (!list_empty(&object->pending_ops)) {
47012 atomic_inc(&op->usage);
47013 list_add_tail(&op->pend_link, &object->pending_ops);
47014 - fscache_stat(&fscache_n_op_pend);
47015 + fscache_stat_unchecked(&fscache_n_op_pend);
47016 fscache_start_operations(object);
47017 } else {
47018 ASSERTCMP(object->n_in_progress, ==, 0);
47019 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
47020 object->n_exclusive++; /* reads and writes must wait */
47021 atomic_inc(&op->usage);
47022 list_add_tail(&op->pend_link, &object->pending_ops);
47023 - fscache_stat(&fscache_n_op_pend);
47024 + fscache_stat_unchecked(&fscache_n_op_pend);
47025 ret = 0;
47026 } else {
47027 /* not allowed to submit ops in any other state */
47028 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
47029 if (object->n_exclusive > 0) {
47030 atomic_inc(&op->usage);
47031 list_add_tail(&op->pend_link, &object->pending_ops);
47032 - fscache_stat(&fscache_n_op_pend);
47033 + fscache_stat_unchecked(&fscache_n_op_pend);
47034 } else if (!list_empty(&object->pending_ops)) {
47035 atomic_inc(&op->usage);
47036 list_add_tail(&op->pend_link, &object->pending_ops);
47037 - fscache_stat(&fscache_n_op_pend);
47038 + fscache_stat_unchecked(&fscache_n_op_pend);
47039 fscache_start_operations(object);
47040 } else {
47041 ASSERTCMP(object->n_exclusive, ==, 0);
47042 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
47043 object->n_ops++;
47044 atomic_inc(&op->usage);
47045 list_add_tail(&op->pend_link, &object->pending_ops);
47046 - fscache_stat(&fscache_n_op_pend);
47047 + fscache_stat_unchecked(&fscache_n_op_pend);
47048 ret = 0;
47049 } else if (object->state == FSCACHE_OBJECT_DYING ||
47050 object->state == FSCACHE_OBJECT_LC_DYING ||
47051 object->state == FSCACHE_OBJECT_WITHDRAWING) {
47052 - fscache_stat(&fscache_n_op_rejected);
47053 + fscache_stat_unchecked(&fscache_n_op_rejected);
47054 ret = -ENOBUFS;
47055 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
47056 fscache_report_unexpected_submission(object, op, ostate);
47057 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
47058
47059 ret = -EBUSY;
47060 if (!list_empty(&op->pend_link)) {
47061 - fscache_stat(&fscache_n_op_cancelled);
47062 + fscache_stat_unchecked(&fscache_n_op_cancelled);
47063 list_del_init(&op->pend_link);
47064 object->n_ops--;
47065 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
47066 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
47067 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
47068 BUG();
47069
47070 - fscache_stat(&fscache_n_op_release);
47071 + fscache_stat_unchecked(&fscache_n_op_release);
47072
47073 if (op->release) {
47074 op->release(op);
47075 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
47076 * lock, and defer it otherwise */
47077 if (!spin_trylock(&object->lock)) {
47078 _debug("defer put");
47079 - fscache_stat(&fscache_n_op_deferred_release);
47080 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
47081
47082 cache = object->cache;
47083 spin_lock(&cache->op_gc_list_lock);
47084 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
47085
47086 _debug("GC DEFERRED REL OBJ%x OP%x",
47087 object->debug_id, op->debug_id);
47088 - fscache_stat(&fscache_n_op_gc);
47089 + fscache_stat_unchecked(&fscache_n_op_gc);
47090
47091 ASSERTCMP(atomic_read(&op->usage), ==, 0);
47092
47093 diff -urNp linux-2.6.39.3/fs/fscache/page.c linux-2.6.39.3/fs/fscache/page.c
47094 --- linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:18:51.000000000 -0400
47095 +++ linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:19:18.000000000 -0400
47096 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
47097 val = radix_tree_lookup(&cookie->stores, page->index);
47098 if (!val) {
47099 rcu_read_unlock();
47100 - fscache_stat(&fscache_n_store_vmscan_not_storing);
47101 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
47102 __fscache_uncache_page(cookie, page);
47103 return true;
47104 }
47105 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
47106 spin_unlock(&cookie->stores_lock);
47107
47108 if (xpage) {
47109 - fscache_stat(&fscache_n_store_vmscan_cancelled);
47110 - fscache_stat(&fscache_n_store_radix_deletes);
47111 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
47112 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47113 ASSERTCMP(xpage, ==, page);
47114 } else {
47115 - fscache_stat(&fscache_n_store_vmscan_gone);
47116 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
47117 }
47118
47119 wake_up_bit(&cookie->flags, 0);
47120 @@ -107,7 +107,7 @@ page_busy:
47121 /* we might want to wait here, but that could deadlock the allocator as
47122 * the work threads writing to the cache may all end up sleeping
47123 * on memory allocation */
47124 - fscache_stat(&fscache_n_store_vmscan_busy);
47125 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
47126 return false;
47127 }
47128 EXPORT_SYMBOL(__fscache_maybe_release_page);
47129 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
47130 FSCACHE_COOKIE_STORING_TAG);
47131 if (!radix_tree_tag_get(&cookie->stores, page->index,
47132 FSCACHE_COOKIE_PENDING_TAG)) {
47133 - fscache_stat(&fscache_n_store_radix_deletes);
47134 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47135 xpage = radix_tree_delete(&cookie->stores, page->index);
47136 }
47137 spin_unlock(&cookie->stores_lock);
47138 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
47139
47140 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
47141
47142 - fscache_stat(&fscache_n_attr_changed_calls);
47143 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
47144
47145 if (fscache_object_is_active(object)) {
47146 fscache_set_op_state(op, "CallFS");
47147 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
47148
47149 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47150
47151 - fscache_stat(&fscache_n_attr_changed);
47152 + fscache_stat_unchecked(&fscache_n_attr_changed);
47153
47154 op = kzalloc(sizeof(*op), GFP_KERNEL);
47155 if (!op) {
47156 - fscache_stat(&fscache_n_attr_changed_nomem);
47157 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
47158 _leave(" = -ENOMEM");
47159 return -ENOMEM;
47160 }
47161 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47162 if (fscache_submit_exclusive_op(object, op) < 0)
47163 goto nobufs;
47164 spin_unlock(&cookie->lock);
47165 - fscache_stat(&fscache_n_attr_changed_ok);
47166 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47167 fscache_put_operation(op);
47168 _leave(" = 0");
47169 return 0;
47170 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47171 nobufs:
47172 spin_unlock(&cookie->lock);
47173 kfree(op);
47174 - fscache_stat(&fscache_n_attr_changed_nobufs);
47175 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47176 _leave(" = %d", -ENOBUFS);
47177 return -ENOBUFS;
47178 }
47179 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
47180 /* allocate a retrieval operation and attempt to submit it */
47181 op = kzalloc(sizeof(*op), GFP_NOIO);
47182 if (!op) {
47183 - fscache_stat(&fscache_n_retrievals_nomem);
47184 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47185 return NULL;
47186 }
47187
47188 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
47189 return 0;
47190 }
47191
47192 - fscache_stat(&fscache_n_retrievals_wait);
47193 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
47194
47195 jif = jiffies;
47196 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47197 fscache_wait_bit_interruptible,
47198 TASK_INTERRUPTIBLE) != 0) {
47199 - fscache_stat(&fscache_n_retrievals_intr);
47200 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47201 _leave(" = -ERESTARTSYS");
47202 return -ERESTARTSYS;
47203 }
47204 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
47205 */
47206 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47207 struct fscache_retrieval *op,
47208 - atomic_t *stat_op_waits,
47209 - atomic_t *stat_object_dead)
47210 + atomic_unchecked_t *stat_op_waits,
47211 + atomic_unchecked_t *stat_object_dead)
47212 {
47213 int ret;
47214
47215 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
47216 goto check_if_dead;
47217
47218 _debug(">>> WT");
47219 - fscache_stat(stat_op_waits);
47220 + fscache_stat_unchecked(stat_op_waits);
47221 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47222 fscache_wait_bit_interruptible,
47223 TASK_INTERRUPTIBLE) < 0) {
47224 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
47225
47226 check_if_dead:
47227 if (unlikely(fscache_object_is_dead(object))) {
47228 - fscache_stat(stat_object_dead);
47229 + fscache_stat_unchecked(stat_object_dead);
47230 return -ENOBUFS;
47231 }
47232 return 0;
47233 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
47234
47235 _enter("%p,%p,,,", cookie, page);
47236
47237 - fscache_stat(&fscache_n_retrievals);
47238 + fscache_stat_unchecked(&fscache_n_retrievals);
47239
47240 if (hlist_empty(&cookie->backing_objects))
47241 goto nobufs;
47242 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
47243 goto nobufs_unlock;
47244 spin_unlock(&cookie->lock);
47245
47246 - fscache_stat(&fscache_n_retrieval_ops);
47247 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47248
47249 /* pin the netfs read context in case we need to do the actual netfs
47250 * read because we've encountered a cache read failure */
47251 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
47252
47253 error:
47254 if (ret == -ENOMEM)
47255 - fscache_stat(&fscache_n_retrievals_nomem);
47256 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47257 else if (ret == -ERESTARTSYS)
47258 - fscache_stat(&fscache_n_retrievals_intr);
47259 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47260 else if (ret == -ENODATA)
47261 - fscache_stat(&fscache_n_retrievals_nodata);
47262 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47263 else if (ret < 0)
47264 - fscache_stat(&fscache_n_retrievals_nobufs);
47265 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47266 else
47267 - fscache_stat(&fscache_n_retrievals_ok);
47268 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47269
47270 fscache_put_retrieval(op);
47271 _leave(" = %d", ret);
47272 @@ -434,7 +434,7 @@ nobufs_unlock:
47273 spin_unlock(&cookie->lock);
47274 kfree(op);
47275 nobufs:
47276 - fscache_stat(&fscache_n_retrievals_nobufs);
47277 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47278 _leave(" = -ENOBUFS");
47279 return -ENOBUFS;
47280 }
47281 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
47282
47283 _enter("%p,,%d,,,", cookie, *nr_pages);
47284
47285 - fscache_stat(&fscache_n_retrievals);
47286 + fscache_stat_unchecked(&fscache_n_retrievals);
47287
47288 if (hlist_empty(&cookie->backing_objects))
47289 goto nobufs;
47290 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
47291 goto nobufs_unlock;
47292 spin_unlock(&cookie->lock);
47293
47294 - fscache_stat(&fscache_n_retrieval_ops);
47295 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47296
47297 /* pin the netfs read context in case we need to do the actual netfs
47298 * read because we've encountered a cache read failure */
47299 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
47300
47301 error:
47302 if (ret == -ENOMEM)
47303 - fscache_stat(&fscache_n_retrievals_nomem);
47304 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47305 else if (ret == -ERESTARTSYS)
47306 - fscache_stat(&fscache_n_retrievals_intr);
47307 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47308 else if (ret == -ENODATA)
47309 - fscache_stat(&fscache_n_retrievals_nodata);
47310 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47311 else if (ret < 0)
47312 - fscache_stat(&fscache_n_retrievals_nobufs);
47313 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47314 else
47315 - fscache_stat(&fscache_n_retrievals_ok);
47316 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47317
47318 fscache_put_retrieval(op);
47319 _leave(" = %d", ret);
47320 @@ -551,7 +551,7 @@ nobufs_unlock:
47321 spin_unlock(&cookie->lock);
47322 kfree(op);
47323 nobufs:
47324 - fscache_stat(&fscache_n_retrievals_nobufs);
47325 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47326 _leave(" = -ENOBUFS");
47327 return -ENOBUFS;
47328 }
47329 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
47330
47331 _enter("%p,%p,,,", cookie, page);
47332
47333 - fscache_stat(&fscache_n_allocs);
47334 + fscache_stat_unchecked(&fscache_n_allocs);
47335
47336 if (hlist_empty(&cookie->backing_objects))
47337 goto nobufs;
47338 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
47339 goto nobufs_unlock;
47340 spin_unlock(&cookie->lock);
47341
47342 - fscache_stat(&fscache_n_alloc_ops);
47343 + fscache_stat_unchecked(&fscache_n_alloc_ops);
47344
47345 ret = fscache_wait_for_retrieval_activation(
47346 object, op,
47347 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
47348
47349 error:
47350 if (ret == -ERESTARTSYS)
47351 - fscache_stat(&fscache_n_allocs_intr);
47352 + fscache_stat_unchecked(&fscache_n_allocs_intr);
47353 else if (ret < 0)
47354 - fscache_stat(&fscache_n_allocs_nobufs);
47355 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47356 else
47357 - fscache_stat(&fscache_n_allocs_ok);
47358 + fscache_stat_unchecked(&fscache_n_allocs_ok);
47359
47360 fscache_put_retrieval(op);
47361 _leave(" = %d", ret);
47362 @@ -632,7 +632,7 @@ nobufs_unlock:
47363 spin_unlock(&cookie->lock);
47364 kfree(op);
47365 nobufs:
47366 - fscache_stat(&fscache_n_allocs_nobufs);
47367 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47368 _leave(" = -ENOBUFS");
47369 return -ENOBUFS;
47370 }
47371 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
47372
47373 spin_lock(&cookie->stores_lock);
47374
47375 - fscache_stat(&fscache_n_store_calls);
47376 + fscache_stat_unchecked(&fscache_n_store_calls);
47377
47378 /* find a page to store */
47379 page = NULL;
47380 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
47381 page = results[0];
47382 _debug("gang %d [%lx]", n, page->index);
47383 if (page->index > op->store_limit) {
47384 - fscache_stat(&fscache_n_store_pages_over_limit);
47385 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47386 goto superseded;
47387 }
47388
47389 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
47390 spin_unlock(&object->lock);
47391
47392 fscache_set_op_state(&op->op, "Store");
47393 - fscache_stat(&fscache_n_store_pages);
47394 + fscache_stat_unchecked(&fscache_n_store_pages);
47395 fscache_stat(&fscache_n_cop_write_page);
47396 ret = object->cache->ops->write_page(op, page);
47397 fscache_stat_d(&fscache_n_cop_write_page);
47398 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
47399 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47400 ASSERT(PageFsCache(page));
47401
47402 - fscache_stat(&fscache_n_stores);
47403 + fscache_stat_unchecked(&fscache_n_stores);
47404
47405 op = kzalloc(sizeof(*op), GFP_NOIO);
47406 if (!op)
47407 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
47408 spin_unlock(&cookie->stores_lock);
47409 spin_unlock(&object->lock);
47410
47411 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47412 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47413 op->store_limit = object->store_limit;
47414
47415 if (fscache_submit_op(object, &op->op) < 0)
47416 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
47417
47418 spin_unlock(&cookie->lock);
47419 radix_tree_preload_end();
47420 - fscache_stat(&fscache_n_store_ops);
47421 - fscache_stat(&fscache_n_stores_ok);
47422 + fscache_stat_unchecked(&fscache_n_store_ops);
47423 + fscache_stat_unchecked(&fscache_n_stores_ok);
47424
47425 /* the work queue now carries its own ref on the object */
47426 fscache_put_operation(&op->op);
47427 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
47428 return 0;
47429
47430 already_queued:
47431 - fscache_stat(&fscache_n_stores_again);
47432 + fscache_stat_unchecked(&fscache_n_stores_again);
47433 already_pending:
47434 spin_unlock(&cookie->stores_lock);
47435 spin_unlock(&object->lock);
47436 spin_unlock(&cookie->lock);
47437 radix_tree_preload_end();
47438 kfree(op);
47439 - fscache_stat(&fscache_n_stores_ok);
47440 + fscache_stat_unchecked(&fscache_n_stores_ok);
47441 _leave(" = 0");
47442 return 0;
47443
47444 @@ -864,14 +864,14 @@ nobufs:
47445 spin_unlock(&cookie->lock);
47446 radix_tree_preload_end();
47447 kfree(op);
47448 - fscache_stat(&fscache_n_stores_nobufs);
47449 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47450 _leave(" = -ENOBUFS");
47451 return -ENOBUFS;
47452
47453 nomem_free:
47454 kfree(op);
47455 nomem:
47456 - fscache_stat(&fscache_n_stores_oom);
47457 + fscache_stat_unchecked(&fscache_n_stores_oom);
47458 _leave(" = -ENOMEM");
47459 return -ENOMEM;
47460 }
47461 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
47462 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47463 ASSERTCMP(page, !=, NULL);
47464
47465 - fscache_stat(&fscache_n_uncaches);
47466 + fscache_stat_unchecked(&fscache_n_uncaches);
47467
47468 /* cache withdrawal may beat us to it */
47469 if (!PageFsCache(page))
47470 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
47471 unsigned long loop;
47472
47473 #ifdef CONFIG_FSCACHE_STATS
47474 - atomic_add(pagevec->nr, &fscache_n_marks);
47475 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47476 #endif
47477
47478 for (loop = 0; loop < pagevec->nr; loop++) {
47479 diff -urNp linux-2.6.39.3/fs/fscache/stats.c linux-2.6.39.3/fs/fscache/stats.c
47480 --- linux-2.6.39.3/fs/fscache/stats.c 2011-05-19 00:06:34.000000000 -0400
47481 +++ linux-2.6.39.3/fs/fscache/stats.c 2011-05-22 19:36:32.000000000 -0400
47482 @@ -18,95 +18,95 @@
47483 /*
47484 * operation counters
47485 */
47486 -atomic_t fscache_n_op_pend;
47487 -atomic_t fscache_n_op_run;
47488 -atomic_t fscache_n_op_enqueue;
47489 -atomic_t fscache_n_op_requeue;
47490 -atomic_t fscache_n_op_deferred_release;
47491 -atomic_t fscache_n_op_release;
47492 -atomic_t fscache_n_op_gc;
47493 -atomic_t fscache_n_op_cancelled;
47494 -atomic_t fscache_n_op_rejected;
47495 -
47496 -atomic_t fscache_n_attr_changed;
47497 -atomic_t fscache_n_attr_changed_ok;
47498 -atomic_t fscache_n_attr_changed_nobufs;
47499 -atomic_t fscache_n_attr_changed_nomem;
47500 -atomic_t fscache_n_attr_changed_calls;
47501 -
47502 -atomic_t fscache_n_allocs;
47503 -atomic_t fscache_n_allocs_ok;
47504 -atomic_t fscache_n_allocs_wait;
47505 -atomic_t fscache_n_allocs_nobufs;
47506 -atomic_t fscache_n_allocs_intr;
47507 -atomic_t fscache_n_allocs_object_dead;
47508 -atomic_t fscache_n_alloc_ops;
47509 -atomic_t fscache_n_alloc_op_waits;
47510 -
47511 -atomic_t fscache_n_retrievals;
47512 -atomic_t fscache_n_retrievals_ok;
47513 -atomic_t fscache_n_retrievals_wait;
47514 -atomic_t fscache_n_retrievals_nodata;
47515 -atomic_t fscache_n_retrievals_nobufs;
47516 -atomic_t fscache_n_retrievals_intr;
47517 -atomic_t fscache_n_retrievals_nomem;
47518 -atomic_t fscache_n_retrievals_object_dead;
47519 -atomic_t fscache_n_retrieval_ops;
47520 -atomic_t fscache_n_retrieval_op_waits;
47521 -
47522 -atomic_t fscache_n_stores;
47523 -atomic_t fscache_n_stores_ok;
47524 -atomic_t fscache_n_stores_again;
47525 -atomic_t fscache_n_stores_nobufs;
47526 -atomic_t fscache_n_stores_oom;
47527 -atomic_t fscache_n_store_ops;
47528 -atomic_t fscache_n_store_calls;
47529 -atomic_t fscache_n_store_pages;
47530 -atomic_t fscache_n_store_radix_deletes;
47531 -atomic_t fscache_n_store_pages_over_limit;
47532 -
47533 -atomic_t fscache_n_store_vmscan_not_storing;
47534 -atomic_t fscache_n_store_vmscan_gone;
47535 -atomic_t fscache_n_store_vmscan_busy;
47536 -atomic_t fscache_n_store_vmscan_cancelled;
47537 -
47538 -atomic_t fscache_n_marks;
47539 -atomic_t fscache_n_uncaches;
47540 -
47541 -atomic_t fscache_n_acquires;
47542 -atomic_t fscache_n_acquires_null;
47543 -atomic_t fscache_n_acquires_no_cache;
47544 -atomic_t fscache_n_acquires_ok;
47545 -atomic_t fscache_n_acquires_nobufs;
47546 -atomic_t fscache_n_acquires_oom;
47547 -
47548 -atomic_t fscache_n_updates;
47549 -atomic_t fscache_n_updates_null;
47550 -atomic_t fscache_n_updates_run;
47551 -
47552 -atomic_t fscache_n_relinquishes;
47553 -atomic_t fscache_n_relinquishes_null;
47554 -atomic_t fscache_n_relinquishes_waitcrt;
47555 -atomic_t fscache_n_relinquishes_retire;
47556 -
47557 -atomic_t fscache_n_cookie_index;
47558 -atomic_t fscache_n_cookie_data;
47559 -atomic_t fscache_n_cookie_special;
47560 -
47561 -atomic_t fscache_n_object_alloc;
47562 -atomic_t fscache_n_object_no_alloc;
47563 -atomic_t fscache_n_object_lookups;
47564 -atomic_t fscache_n_object_lookups_negative;
47565 -atomic_t fscache_n_object_lookups_positive;
47566 -atomic_t fscache_n_object_lookups_timed_out;
47567 -atomic_t fscache_n_object_created;
47568 -atomic_t fscache_n_object_avail;
47569 -atomic_t fscache_n_object_dead;
47570 -
47571 -atomic_t fscache_n_checkaux_none;
47572 -atomic_t fscache_n_checkaux_okay;
47573 -atomic_t fscache_n_checkaux_update;
47574 -atomic_t fscache_n_checkaux_obsolete;
47575 +atomic_unchecked_t fscache_n_op_pend;
47576 +atomic_unchecked_t fscache_n_op_run;
47577 +atomic_unchecked_t fscache_n_op_enqueue;
47578 +atomic_unchecked_t fscache_n_op_requeue;
47579 +atomic_unchecked_t fscache_n_op_deferred_release;
47580 +atomic_unchecked_t fscache_n_op_release;
47581 +atomic_unchecked_t fscache_n_op_gc;
47582 +atomic_unchecked_t fscache_n_op_cancelled;
47583 +atomic_unchecked_t fscache_n_op_rejected;
47584 +
47585 +atomic_unchecked_t fscache_n_attr_changed;
47586 +atomic_unchecked_t fscache_n_attr_changed_ok;
47587 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47588 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47589 +atomic_unchecked_t fscache_n_attr_changed_calls;
47590 +
47591 +atomic_unchecked_t fscache_n_allocs;
47592 +atomic_unchecked_t fscache_n_allocs_ok;
47593 +atomic_unchecked_t fscache_n_allocs_wait;
47594 +atomic_unchecked_t fscache_n_allocs_nobufs;
47595 +atomic_unchecked_t fscache_n_allocs_intr;
47596 +atomic_unchecked_t fscache_n_allocs_object_dead;
47597 +atomic_unchecked_t fscache_n_alloc_ops;
47598 +atomic_unchecked_t fscache_n_alloc_op_waits;
47599 +
47600 +atomic_unchecked_t fscache_n_retrievals;
47601 +atomic_unchecked_t fscache_n_retrievals_ok;
47602 +atomic_unchecked_t fscache_n_retrievals_wait;
47603 +atomic_unchecked_t fscache_n_retrievals_nodata;
47604 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47605 +atomic_unchecked_t fscache_n_retrievals_intr;
47606 +atomic_unchecked_t fscache_n_retrievals_nomem;
47607 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47608 +atomic_unchecked_t fscache_n_retrieval_ops;
47609 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47610 +
47611 +atomic_unchecked_t fscache_n_stores;
47612 +atomic_unchecked_t fscache_n_stores_ok;
47613 +atomic_unchecked_t fscache_n_stores_again;
47614 +atomic_unchecked_t fscache_n_stores_nobufs;
47615 +atomic_unchecked_t fscache_n_stores_oom;
47616 +atomic_unchecked_t fscache_n_store_ops;
47617 +atomic_unchecked_t fscache_n_store_calls;
47618 +atomic_unchecked_t fscache_n_store_pages;
47619 +atomic_unchecked_t fscache_n_store_radix_deletes;
47620 +atomic_unchecked_t fscache_n_store_pages_over_limit;
47621 +
47622 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47623 +atomic_unchecked_t fscache_n_store_vmscan_gone;
47624 +atomic_unchecked_t fscache_n_store_vmscan_busy;
47625 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47626 +
47627 +atomic_unchecked_t fscache_n_marks;
47628 +atomic_unchecked_t fscache_n_uncaches;
47629 +
47630 +atomic_unchecked_t fscache_n_acquires;
47631 +atomic_unchecked_t fscache_n_acquires_null;
47632 +atomic_unchecked_t fscache_n_acquires_no_cache;
47633 +atomic_unchecked_t fscache_n_acquires_ok;
47634 +atomic_unchecked_t fscache_n_acquires_nobufs;
47635 +atomic_unchecked_t fscache_n_acquires_oom;
47636 +
47637 +atomic_unchecked_t fscache_n_updates;
47638 +atomic_unchecked_t fscache_n_updates_null;
47639 +atomic_unchecked_t fscache_n_updates_run;
47640 +
47641 +atomic_unchecked_t fscache_n_relinquishes;
47642 +atomic_unchecked_t fscache_n_relinquishes_null;
47643 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47644 +atomic_unchecked_t fscache_n_relinquishes_retire;
47645 +
47646 +atomic_unchecked_t fscache_n_cookie_index;
47647 +atomic_unchecked_t fscache_n_cookie_data;
47648 +atomic_unchecked_t fscache_n_cookie_special;
47649 +
47650 +atomic_unchecked_t fscache_n_object_alloc;
47651 +atomic_unchecked_t fscache_n_object_no_alloc;
47652 +atomic_unchecked_t fscache_n_object_lookups;
47653 +atomic_unchecked_t fscache_n_object_lookups_negative;
47654 +atomic_unchecked_t fscache_n_object_lookups_positive;
47655 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
47656 +atomic_unchecked_t fscache_n_object_created;
47657 +atomic_unchecked_t fscache_n_object_avail;
47658 +atomic_unchecked_t fscache_n_object_dead;
47659 +
47660 +atomic_unchecked_t fscache_n_checkaux_none;
47661 +atomic_unchecked_t fscache_n_checkaux_okay;
47662 +atomic_unchecked_t fscache_n_checkaux_update;
47663 +atomic_unchecked_t fscache_n_checkaux_obsolete;
47664
47665 atomic_t fscache_n_cop_alloc_object;
47666 atomic_t fscache_n_cop_lookup_object;
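Review bot: The block of `atomic_unchecked_t` declarations still carries only the old `operation counters` comment, so nothing tells a maintainer why these counters differ from the `fscache_n_cop_*` ones that stay `atomic_t` just below. I would add a comment above the block along the lines of `/* statistics only: may wrap, so exempt from atomic overflow checking; never use as a reference count */`. The `fscache_n_cop_*` counters are paired with `fscache_stat_d()` in fscache_write_op in page.c, which is presumably why they keep the checked type; a one-line remark saying so would help as well. The extern declarations for these names are not in this view and have to change type in step.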
47667 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47668 seq_puts(m, "FS-Cache statistics\n");
47669
47670 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47671 - atomic_read(&fscache_n_cookie_index),
47672 - atomic_read(&fscache_n_cookie_data),
47673 - atomic_read(&fscache_n_cookie_special));
47674 + atomic_read_unchecked(&fscache_n_cookie_index),
47675 + atomic_read_unchecked(&fscache_n_cookie_data),
47676 + atomic_read_unchecked(&fscache_n_cookie_special));
47677
47678 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47679 - atomic_read(&fscache_n_object_alloc),
47680 - atomic_read(&fscache_n_object_no_alloc),
47681 - atomic_read(&fscache_n_object_avail),
47682 - atomic_read(&fscache_n_object_dead));
47683 + atomic_read_unchecked(&fscache_n_object_alloc),
47684 + atomic_read_unchecked(&fscache_n_object_no_alloc),
47685 + atomic_read_unchecked(&fscache_n_object_avail),
47686 + atomic_read_unchecked(&fscache_n_object_dead));
47687 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47688 - atomic_read(&fscache_n_checkaux_none),
47689 - atomic_read(&fscache_n_checkaux_okay),
47690 - atomic_read(&fscache_n_checkaux_update),
47691 - atomic_read(&fscache_n_checkaux_obsolete));
47692 + atomic_read_unchecked(&fscache_n_checkaux_none),
47693 + atomic_read_unchecked(&fscache_n_checkaux_okay),
47694 + atomic_read_unchecked(&fscache_n_checkaux_update),
47695 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47696
47697 seq_printf(m, "Pages : mrk=%u unc=%u\n",
47698 - atomic_read(&fscache_n_marks),
47699 - atomic_read(&fscache_n_uncaches));
47700 + atomic_read_unchecked(&fscache_n_marks),
47701 + atomic_read_unchecked(&fscache_n_uncaches));
47702
47703 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47704 " oom=%u\n",
47705 - atomic_read(&fscache_n_acquires),
47706 - atomic_read(&fscache_n_acquires_null),
47707 - atomic_read(&fscache_n_acquires_no_cache),
47708 - atomic_read(&fscache_n_acquires_ok),
47709 - atomic_read(&fscache_n_acquires_nobufs),
47710 - atomic_read(&fscache_n_acquires_oom));
47711 + atomic_read_unchecked(&fscache_n_acquires),
47712 + atomic_read_unchecked(&fscache_n_acquires_null),
47713 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
47714 + atomic_read_unchecked(&fscache_n_acquires_ok),
47715 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
47716 + atomic_read_unchecked(&fscache_n_acquires_oom));
47717
47718 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47719 - atomic_read(&fscache_n_object_lookups),
47720 - atomic_read(&fscache_n_object_lookups_negative),
47721 - atomic_read(&fscache_n_object_lookups_positive),
47722 - atomic_read(&fscache_n_object_created),
47723 - atomic_read(&fscache_n_object_lookups_timed_out));
47724 + atomic_read_unchecked(&fscache_n_object_lookups),
47725 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
47726 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
47727 + atomic_read_unchecked(&fscache_n_object_created),
47728 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
47729
47730 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47731 - atomic_read(&fscache_n_updates),
47732 - atomic_read(&fscache_n_updates_null),
47733 - atomic_read(&fscache_n_updates_run));
47734 + atomic_read_unchecked(&fscache_n_updates),
47735 + atomic_read_unchecked(&fscache_n_updates_null),
47736 + atomic_read_unchecked(&fscache_n_updates_run));
47737
47738 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47739 - atomic_read(&fscache_n_relinquishes),
47740 - atomic_read(&fscache_n_relinquishes_null),
47741 - atomic_read(&fscache_n_relinquishes_waitcrt),
47742 - atomic_read(&fscache_n_relinquishes_retire));
47743 + atomic_read_unchecked(&fscache_n_relinquishes),
47744 + atomic_read_unchecked(&fscache_n_relinquishes_null),
47745 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47746 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
47747
47748 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47749 - atomic_read(&fscache_n_attr_changed),
47750 - atomic_read(&fscache_n_attr_changed_ok),
47751 - atomic_read(&fscache_n_attr_changed_nobufs),
47752 - atomic_read(&fscache_n_attr_changed_nomem),
47753 - atomic_read(&fscache_n_attr_changed_calls));
47754 + atomic_read_unchecked(&fscache_n_attr_changed),
47755 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
47756 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47757 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47758 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
47759
47760 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47761 - atomic_read(&fscache_n_allocs),
47762 - atomic_read(&fscache_n_allocs_ok),
47763 - atomic_read(&fscache_n_allocs_wait),
47764 - atomic_read(&fscache_n_allocs_nobufs),
47765 - atomic_read(&fscache_n_allocs_intr));
47766 + atomic_read_unchecked(&fscache_n_allocs),
47767 + atomic_read_unchecked(&fscache_n_allocs_ok),
47768 + atomic_read_unchecked(&fscache_n_allocs_wait),
47769 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
47770 + atomic_read_unchecked(&fscache_n_allocs_intr));
47771 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47772 - atomic_read(&fscache_n_alloc_ops),
47773 - atomic_read(&fscache_n_alloc_op_waits),
47774 - atomic_read(&fscache_n_allocs_object_dead));
47775 + atomic_read_unchecked(&fscache_n_alloc_ops),
47776 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
47777 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
47778
47779 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47780 " int=%u oom=%u\n",
47781 - atomic_read(&fscache_n_retrievals),
47782 - atomic_read(&fscache_n_retrievals_ok),
47783 - atomic_read(&fscache_n_retrievals_wait),
47784 - atomic_read(&fscache_n_retrievals_nodata),
47785 - atomic_read(&fscache_n_retrievals_nobufs),
47786 - atomic_read(&fscache_n_retrievals_intr),
47787 - atomic_read(&fscache_n_retrievals_nomem));
47788 + atomic_read_unchecked(&fscache_n_retrievals),
47789 + atomic_read_unchecked(&fscache_n_retrievals_ok),
47790 + atomic_read_unchecked(&fscache_n_retrievals_wait),
47791 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
47792 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47793 + atomic_read_unchecked(&fscache_n_retrievals_intr),
47794 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
47795 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47796 - atomic_read(&fscache_n_retrieval_ops),
47797 - atomic_read(&fscache_n_retrieval_op_waits),
47798 - atomic_read(&fscache_n_retrievals_object_dead));
47799 + atomic_read_unchecked(&fscache_n_retrieval_ops),
47800 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47801 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47802
47803 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47804 - atomic_read(&fscache_n_stores),
47805 - atomic_read(&fscache_n_stores_ok),
47806 - atomic_read(&fscache_n_stores_again),
47807 - atomic_read(&fscache_n_stores_nobufs),
47808 - atomic_read(&fscache_n_stores_oom));
47809 + atomic_read_unchecked(&fscache_n_stores),
47810 + atomic_read_unchecked(&fscache_n_stores_ok),
47811 + atomic_read_unchecked(&fscache_n_stores_again),
47812 + atomic_read_unchecked(&fscache_n_stores_nobufs),
47813 + atomic_read_unchecked(&fscache_n_stores_oom));
47814 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47815 - atomic_read(&fscache_n_store_ops),
47816 - atomic_read(&fscache_n_store_calls),
47817 - atomic_read(&fscache_n_store_pages),
47818 - atomic_read(&fscache_n_store_radix_deletes),
47819 - atomic_read(&fscache_n_store_pages_over_limit));
47820 + atomic_read_unchecked(&fscache_n_store_ops),
47821 + atomic_read_unchecked(&fscache_n_store_calls),
47822 + atomic_read_unchecked(&fscache_n_store_pages),
47823 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
47824 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47825
47826 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47827 - atomic_read(&fscache_n_store_vmscan_not_storing),
47828 - atomic_read(&fscache_n_store_vmscan_gone),
47829 - atomic_read(&fscache_n_store_vmscan_busy),
47830 - atomic_read(&fscache_n_store_vmscan_cancelled));
47831 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47832 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47833 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47834 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47835
47836 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47837 - atomic_read(&fscache_n_op_pend),
47838 - atomic_read(&fscache_n_op_run),
47839 - atomic_read(&fscache_n_op_enqueue),
47840 - atomic_read(&fscache_n_op_cancelled),
47841 - atomic_read(&fscache_n_op_rejected));
47842 + atomic_read_unchecked(&fscache_n_op_pend),
47843 + atomic_read_unchecked(&fscache_n_op_run),
47844 + atomic_read_unchecked(&fscache_n_op_enqueue),
47845 + atomic_read_unchecked(&fscache_n_op_cancelled),
47846 + atomic_read_unchecked(&fscache_n_op_rejected));
47847 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47848 - atomic_read(&fscache_n_op_deferred_release),
47849 - atomic_read(&fscache_n_op_release),
47850 - atomic_read(&fscache_n_op_gc));
47851 + atomic_read_unchecked(&fscache_n_op_deferred_release),
47852 + atomic_read_unchecked(&fscache_n_op_release),
47853 + atomic_read_unchecked(&fscache_n_op_gc));
47854
47855 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47856 atomic_read(&fscache_n_cop_alloc_object),
47857 diff -urNp linux-2.6.39.3/fs/fs_struct.c linux-2.6.39.3/fs/fs_struct.c
47858 --- linux-2.6.39.3/fs/fs_struct.c 2011-05-19 00:06:34.000000000 -0400
47859 +++ linux-2.6.39.3/fs/fs_struct.c 2011-05-22 19:41:37.000000000 -0400
47860 @@ -4,6 +4,7 @@
47861 #include <linux/path.h>
47862 #include <linux/slab.h>
47863 #include <linux/fs_struct.h>
47864 +#include <linux/grsecurity.h>
47865 #include "internal.h"
47866
47867 static inline void path_get_longterm(struct path *path)
47868 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
47869 old_root = fs->root;
47870 fs->root = *path;
47871 path_get_longterm(path);
47872 + gr_set_chroot_entries(current, path);
47873 write_seqcount_end(&fs->seq);
47874 spin_unlock(&fs->lock);
47875 if (old_root.dentry)
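Review bot: `gr_set_chroot_entries(current, path);` updates only the calling task, although `fs` is a parameter and an fs_struct can be shared by several tasks. If the helper records chroot state per task (its definition is not in this view), tasks sharing this fs_struct would keep the old state after the root changes, whereas chroot_fs_refs passes each affected task `p`. At minimum a comment such as `/* callers pass current->fs; other sharers of fs are not updated here */` should state the assumption. The call also sits inside the write_seqcount section with fs->lock held, as does `gr_clear_chroot_entries(tsk)` in exit_fs, so both helpers must not sleep. set_fs_root begins and ends outside the hunk.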
47876 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
47877 && fs->root.mnt == old_root->mnt) {
47878 path_get_longterm(new_root);
47879 fs->root = *new_root;
47880 + gr_set_chroot_entries(p, new_root);
47881 count++;
47882 }
47883 if (fs->pwd.dentry == old_root->dentry
47884 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
47885 spin_lock(&fs->lock);
47886 write_seqcount_begin(&fs->seq);
47887 tsk->fs = NULL;
47888 - kill = !--fs->users;
47889 + gr_clear_chroot_entries(tsk);
47890 + kill = !atomic_dec_return(&fs->users);
47891 write_seqcount_end(&fs->seq);
47892 spin_unlock(&fs->lock);
47893 task_unlock(tsk);
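Review bot: `kill = !atomic_dec_return(&fs->users);` turns the user count into an atomic without saying why, and every access in this file is still made with fs->lock held, so a reader can mistake the change for a relaxation of the locking rule. Presumably the point is to bring the count under the patch's atomic overflow checking; a comment such as `/* atomic_t for overflow detection only; still serialized by fs->lock */` at the first use would settle it. The same applies to the converted accesses in copy_fs_struct, unshare_fs_struct, init_fs and daemonize_fs_struct. The field's declaration and any users outside fs_struct.c are not in this view and must be converted together. exit_fs begins and ends outside the hunk.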
47894 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
47895 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
47896 /* We don't need to lock fs - think why ;-) */
47897 if (fs) {
47898 - fs->users = 1;
47899 + atomic_set(&fs->users, 1);
47900 fs->in_exec = 0;
47901 spin_lock_init(&fs->lock);
47902 seqcount_init(&fs->seq);
47903 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
47904 spin_lock(&old->lock);
47905 fs->root = old->root;
47906 path_get_longterm(&fs->root);
47907 + /* instead of calling gr_set_chroot_entries here,
47908 + we call it from every caller of this function
47909 + */
47910 fs->pwd = old->pwd;
47911 path_get_longterm(&fs->pwd);
47912 spin_unlock(&old->lock);
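Review bot: The added comment leaves the chroot bookkeeping to every caller of copy_fs_struct, and that contract sits in the middle of the function body where the author of a new caller is unlikely to see it. I would state it in a comment on the function itself, e.g. `/* caller must call gr_set_chroot_entries() for the task that receives the returned fs_struct */`. In this view only unshare_fs_struct shows the follow-up call; the other callers are outside the view, so whether all of them comply cannot be checked here. The function starts in the previous hunk and ends outside this one.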
47913 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
47914
47915 task_lock(current);
47916 spin_lock(&fs->lock);
47917 - kill = !--fs->users;
47918 + kill = !atomic_dec_return(&fs->users);
47919 current->fs = new_fs;
47920 + gr_set_chroot_entries(current, &new_fs->root);
47921 spin_unlock(&fs->lock);
47922 task_unlock(current);
47923
47924 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
47925
47926 /* to be mentioned only in INIT_TASK */
47927 struct fs_struct init_fs = {
47928 - .users = 1,
47929 + .users = ATOMIC_INIT(1),
47930 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
47931 .seq = SEQCNT_ZERO,
47932 .umask = 0022,
47933 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
47934 task_lock(current);
47935
47936 spin_lock(&init_fs.lock);
47937 - init_fs.users++;
47938 + atomic_inc(&init_fs.users);
47939 spin_unlock(&init_fs.lock);
47940
47941 spin_lock(&fs->lock);
47942 current->fs = &init_fs;
47943 - kill = !--fs->users;
47944 + gr_set_chroot_entries(current, &current->fs->root);
47945 + kill = !atomic_dec_return(&fs->users);
47946 spin_unlock(&fs->lock);
47947
47948 task_unlock(current);
47949 diff -urNp linux-2.6.39.3/fs/fuse/cuse.c linux-2.6.39.3/fs/fuse/cuse.c
47950 --- linux-2.6.39.3/fs/fuse/cuse.c 2011-05-19 00:06:34.000000000 -0400
47951 +++ linux-2.6.39.3/fs/fuse/cuse.c 2011-05-22 19:36:32.000000000 -0400
47952 @@ -538,8 +538,18 @@ static int cuse_channel_release(struct i
47953 return rc;
47954 }
47955
47956 -static struct file_operations cuse_channel_fops; /* initialized during init */
47957 -
47958 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
47959 + .owner = THIS_MODULE,
47960 + .llseek = no_llseek,
47961 + .read = do_sync_read,
47962 + .aio_read = fuse_dev_read,
47963 + .write = do_sync_write,
47964 + .aio_write = fuse_dev_write,
47965 + .poll = fuse_dev_poll,
47966 + .open = cuse_channel_open,
47967 + .release = cuse_channel_release,
47968 + .fasync = fuse_dev_fasync,
47969 +};
47970
47971 /**************************************************************************
47972 * Misc stuff and module initializatiion
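Review bot: Replacing the run-time copy of `fuse_dev_operations` with a hand-written initializer means `cuse_channel_fops` no longer inherits whatever that table holds; only the ten members listed here are set. Any handler present in `fuse_dev_operations` but not repeated here is dropped for CUSE channels, and later additions to that table will not propagate (its full definition is outside this hunk; the splice handlers are the ones to check). The trailing comment `/* initialized during init */` is also stale now that the table is `const` and filled statically; I would replace it with `/* mirrors fuse_dev_operations except .open/.release; keep in sync */`.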
47973 @@ -585,12 +595,6 @@ static int __init cuse_init(void)
47974 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
47975 INIT_LIST_HEAD(&cuse_conntbl[i]);
47976
47977 - /* inherit and extend fuse_dev_operations */
47978 - cuse_channel_fops = fuse_dev_operations;
47979 - cuse_channel_fops.owner = THIS_MODULE;
47980 - cuse_channel_fops.open = cuse_channel_open;
47981 - cuse_channel_fops.release = cuse_channel_release;
47982 -
47983 cuse_class = class_create(THIS_MODULE, "cuse");
47984 if (IS_ERR(cuse_class))
47985 return PTR_ERR(cuse_class);
47986 diff -urNp linux-2.6.39.3/fs/fuse/dev.c linux-2.6.39.3/fs/fuse/dev.c
47987 --- linux-2.6.39.3/fs/fuse/dev.c 2011-05-19 00:06:34.000000000 -0400
47988 +++ linux-2.6.39.3/fs/fuse/dev.c 2011-05-22 19:36:32.000000000 -0400
47989 @@ -1181,7 +1181,7 @@ static ssize_t fuse_dev_do_read(struct f
47990 return err;
47991 }
47992
47993 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47994 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
47995 unsigned long nr_segs, loff_t pos)
47996 {
47997 struct fuse_copy_state cs;
47998 @@ -1195,6 +1195,8 @@ static ssize_t fuse_dev_read(struct kioc
47999 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
48000 }
48001
48002 +EXPORT_SYMBOL_GPL(fuse_dev_read);
48003 +
48004 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
48005 struct pipe_buffer *buf)
48006 {
48007 @@ -1238,7 +1240,7 @@ static ssize_t fuse_dev_splice_read(stru
48008 ret = 0;
48009 pipe_lock(pipe);
48010
48011 - if (!pipe->readers) {
48012 + if (!atomic_read(&pipe->readers)) {
48013 send_sig(SIGPIPE, current, 0);
48014 if (!ret)
48015 ret = -EPIPE;
48016 @@ -1731,7 +1733,7 @@ static ssize_t fuse_dev_do_write(struct
48017 return err;
48018 }
48019
48020 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48021 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48022 unsigned long nr_segs, loff_t pos)
48023 {
48024 struct fuse_copy_state cs;
48025 @@ -1744,6 +1746,8 @@ static ssize_t fuse_dev_write(struct kio
48026 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
48027 }
48028
48029 +EXPORT_SYMBOL_GPL(fuse_dev_write);
48030 +
48031 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
48032 struct file *out, loff_t *ppos,
48033 size_t len, unsigned int flags)
48034 @@ -1822,7 +1826,7 @@ out:
48035 return ret;
48036 }
48037
48038 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48039 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48040 {
48041 unsigned mask = POLLOUT | POLLWRNORM;
48042 struct fuse_conn *fc = fuse_get_conn(file);
48043 @@ -1841,6 +1845,8 @@ static unsigned fuse_dev_poll(struct fil
48044 return mask;
48045 }
48046
48047 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
48048 +
48049 /*
48050 * Abort all requests on the given list (pending or processing)
48051 *
48052 @@ -1977,7 +1983,7 @@ int fuse_dev_release(struct inode *inode
48053 }
48054 EXPORT_SYMBOL_GPL(fuse_dev_release);
48055
48056 -static int fuse_dev_fasync(int fd, struct file *file, int on)
48057 +int fuse_dev_fasync(int fd, struct file *file, int on)
48058 {
48059 struct fuse_conn *fc = fuse_get_conn(file);
48060 if (!fc)
48061 @@ -1987,6 +1993,8 @@ static int fuse_dev_fasync(int fd, struc
48062 return fasync_helper(fd, file, on, &fc->fasync);
48063 }
48064
48065 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
48066 +
48067 const struct file_operations fuse_dev_operations = {
48068 .owner = THIS_MODULE,
48069 .llseek = no_llseek,
48070 diff -urNp linux-2.6.39.3/fs/fuse/dir.c linux-2.6.39.3/fs/fuse/dir.c
48071 --- linux-2.6.39.3/fs/fuse/dir.c 2011-05-19 00:06:34.000000000 -0400
48072 +++ linux-2.6.39.3/fs/fuse/dir.c 2011-05-22 19:36:32.000000000 -0400
48073 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
48074 return link;
48075 }
48076
48077 -static void free_link(char *link)
48078 +static void free_link(const char *link)
48079 {
48080 if (!IS_ERR(link))
48081 free_page((unsigned long) link);
48082 diff -urNp linux-2.6.39.3/fs/fuse/fuse_i.h linux-2.6.39.3/fs/fuse/fuse_i.h
48083 --- linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-19 00:06:34.000000000 -0400
48084 +++ linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-22 19:36:32.000000000 -0400
48085 @@ -540,6 +540,16 @@ extern const struct file_operations fuse
48086
48087 extern const struct dentry_operations fuse_dentry_operations;
48088
48089 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
48090 + unsigned long nr_segs, loff_t pos);
48091 +
48092 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48093 + unsigned long nr_segs, loff_t pos);
48094 +
48095 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
48096 +
48097 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
48098 +
48099 /**
48100 * Inode to nodeid comparison.
48101 */
48102 diff -urNp linux-2.6.39.3/fs/gfs2/ops_inode.c linux-2.6.39.3/fs/gfs2/ops_inode.c
48103 --- linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-19 00:06:34.000000000 -0400
48104 +++ linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-22 19:36:32.000000000 -0400
48105 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
48106 unsigned int x;
48107 int error;
48108
48109 + pax_track_stack();
48110 +
48111 if (ndentry->d_inode) {
48112 nip = GFS2_I(ndentry->d_inode);
48113 if (ip == nip)
48114 @@ -1019,7 +1021,7 @@ out:
48115
48116 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
48117 {
48118 - char *s = nd_get_link(nd);
48119 + const char *s = nd_get_link(nd);
48120 if (!IS_ERR(s))
48121 kfree(s);
48122 }
48123 diff -urNp linux-2.6.39.3/fs/hfsplus/catalog.c linux-2.6.39.3/fs/hfsplus/catalog.c
48124 --- linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-19 00:06:34.000000000 -0400
48125 +++ linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-22 19:36:32.000000000 -0400
48126 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
48127 int err;
48128 u16 type;
48129
48130 + pax_track_stack();
48131 +
48132 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
48133 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
48134 if (err)
48135 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
48136 int entry_size;
48137 int err;
48138
48139 + pax_track_stack();
48140 +
48141 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
48142 str->name, cnid, inode->i_nlink);
48143 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
48144 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
48145 int entry_size, type;
48146 int err = 0;
48147
48148 + pax_track_stack();
48149 +
48150 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
48151 cnid, src_dir->i_ino, src_name->name,
48152 dst_dir->i_ino, dst_name->name);
48153 diff -urNp linux-2.6.39.3/fs/hfsplus/dir.c linux-2.6.39.3/fs/hfsplus/dir.c
48154 --- linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-19 00:06:34.000000000 -0400
48155 +++ linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-22 19:36:32.000000000 -0400
48156 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
48157 struct hfsplus_readdir_data *rd;
48158 u16 type;
48159
48160 + pax_track_stack();
48161 +
48162 if (filp->f_pos >= inode->i_size)
48163 return 0;
48164
48165 diff -urNp linux-2.6.39.3/fs/hfsplus/inode.c linux-2.6.39.3/fs/hfsplus/inode.c
48166 --- linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-19 00:06:34.000000000 -0400
48167 +++ linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-22 19:36:32.000000000 -0400
48168 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
48169 int res = 0;
48170 u16 type;
48171
48172 + pax_track_stack();
48173 +
48174 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48175
48176 HFSPLUS_I(inode)->linkid = 0;
48177 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
48178 struct hfs_find_data fd;
48179 hfsplus_cat_entry entry;
48180
48181 + pax_track_stack();
48182 +
48183 if (HFSPLUS_IS_RSRC(inode))
48184 main_inode = HFSPLUS_I(inode)->rsrc_inode;
48185
48186 diff -urNp linux-2.6.39.3/fs/hfsplus/ioctl.c linux-2.6.39.3/fs/hfsplus/ioctl.c
48187 --- linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-19 00:06:34.000000000 -0400
48188 +++ linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-22 19:36:32.000000000 -0400
48189 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
48190 struct hfsplus_cat_file *file;
48191 int res;
48192
48193 + pax_track_stack();
48194 +
48195 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48196 return -EOPNOTSUPP;
48197
48198 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48199 struct hfsplus_cat_file *file;
48200 ssize_t res = 0;
48201
48202 + pax_track_stack();
48203 +
48204 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48205 return -EOPNOTSUPP;
48206
48207 diff -urNp linux-2.6.39.3/fs/hfsplus/super.c linux-2.6.39.3/fs/hfsplus/super.c
48208 --- linux-2.6.39.3/fs/hfsplus/super.c 2011-05-19 00:06:34.000000000 -0400
48209 +++ linux-2.6.39.3/fs/hfsplus/super.c 2011-05-22 19:36:32.000000000 -0400
48210 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
48211 struct nls_table *nls = NULL;
48212 int err;
48213
48214 + pax_track_stack();
48215 +
48216 err = -EINVAL;
48217 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48218 if (!sbi)
48219 diff -urNp linux-2.6.39.3/fs/hugetlbfs/inode.c linux-2.6.39.3/fs/hugetlbfs/inode.c
48220 --- linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48221 +++ linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-22 19:41:37.000000000 -0400
48222 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
48223 .kill_sb = kill_litter_super,
48224 };
48225
48226 -static struct vfsmount *hugetlbfs_vfsmount;
48227 +struct vfsmount *hugetlbfs_vfsmount;
48228
48229 static int can_do_hugetlb_shm(void)
48230 {
48231 diff -urNp linux-2.6.39.3/fs/inode.c linux-2.6.39.3/fs/inode.c
48232 --- linux-2.6.39.3/fs/inode.c 2011-05-19 00:06:34.000000000 -0400
48233 +++ linux-2.6.39.3/fs/inode.c 2011-05-22 19:36:32.000000000 -0400
48234 @@ -862,8 +862,8 @@ unsigned int get_next_ino(void)
48235
48236 #ifdef CONFIG_SMP
48237 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
48238 - static atomic_t shared_last_ino;
48239 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
48240 + static atomic_unchecked_t shared_last_ino;
48241 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
48242
48243 res = next - LAST_INO_BATCH;
48244 }
48245 diff -urNp linux-2.6.39.3/fs/jbd/checkpoint.c linux-2.6.39.3/fs/jbd/checkpoint.c
48246 --- linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-19 00:06:34.000000000 -0400
48247 +++ linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-22 19:36:32.000000000 -0400
48248 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
48249 tid_t this_tid;
48250 int result;
48251
48252 + pax_track_stack();
48253 +
48254 jbd_debug(1, "Start checkpoint\n");
48255
48256 /*
48257 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rtime.c linux-2.6.39.3/fs/jffs2/compr_rtime.c
48258 --- linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-19 00:06:34.000000000 -0400
48259 +++ linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-22 19:36:32.000000000 -0400
48260 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48261 int outpos = 0;
48262 int pos=0;
48263
48264 + pax_track_stack();
48265 +
48266 memset(positions,0,sizeof(positions));
48267
48268 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48269 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
48270 int outpos = 0;
48271 int pos=0;
48272
48273 + pax_track_stack();
48274 +
48275 memset(positions,0,sizeof(positions));
48276
48277 while (outpos<destlen) {
48278 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rubin.c linux-2.6.39.3/fs/jffs2/compr_rubin.c
48279 --- linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-19 00:06:34.000000000 -0400
48280 +++ linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-22 19:36:32.000000000 -0400
48281 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48282 int ret;
48283 uint32_t mysrclen, mydstlen;
48284
48285 + pax_track_stack();
48286 +
48287 mysrclen = *sourcelen;
48288 mydstlen = *dstlen - 8;
48289
48290 diff -urNp linux-2.6.39.3/fs/jffs2/erase.c linux-2.6.39.3/fs/jffs2/erase.c
48291 --- linux-2.6.39.3/fs/jffs2/erase.c 2011-05-19 00:06:34.000000000 -0400
48292 +++ linux-2.6.39.3/fs/jffs2/erase.c 2011-05-22 19:36:32.000000000 -0400
48293 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
48294 struct jffs2_unknown_node marker = {
48295 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48296 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48297 - .totlen = cpu_to_je32(c->cleanmarker_size)
48298 + .totlen = cpu_to_je32(c->cleanmarker_size),
48299 + .hdr_crc = cpu_to_je32(0)
48300 };
48301
48302 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48303 diff -urNp linux-2.6.39.3/fs/jffs2/wbuf.c linux-2.6.39.3/fs/jffs2/wbuf.c
48304 --- linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-19 00:06:34.000000000 -0400
48305 +++ linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-22 19:36:32.000000000 -0400
48306 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48307 {
48308 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48309 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48310 - .totlen = constant_cpu_to_je32(8)
48311 + .totlen = constant_cpu_to_je32(8),
48312 + .hdr_crc = constant_cpu_to_je32(0)
48313 };
48314
48315 /*
48316 diff -urNp linux-2.6.39.3/fs/jffs2/xattr.c linux-2.6.39.3/fs/jffs2/xattr.c
48317 --- linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-19 00:06:34.000000000 -0400
48318 +++ linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-22 19:36:32.000000000 -0400
48319 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48320
48321 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48322
48323 + pax_track_stack();
48324 +
48325 /* Phase.1 : Merge same xref */
48326 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48327 xref_tmphash[i] = NULL;
48328 diff -urNp linux-2.6.39.3/fs/jfs/super.c linux-2.6.39.3/fs/jfs/super.c
48329 --- linux-2.6.39.3/fs/jfs/super.c 2011-05-19 00:06:34.000000000 -0400
48330 +++ linux-2.6.39.3/fs/jfs/super.c 2011-06-07 18:07:24.000000000 -0400
48331 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
48332
48333 jfs_inode_cachep =
48334 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48335 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48336 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48337 init_once);
48338 if (jfs_inode_cachep == NULL)
48339 return -ENOMEM;
48340 diff -urNp linux-2.6.39.3/fs/Kconfig.binfmt linux-2.6.39.3/fs/Kconfig.binfmt
48341 --- linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-19 00:06:34.000000000 -0400
48342 +++ linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-22 19:36:32.000000000 -0400
48343 @@ -86,7 +86,7 @@ config HAVE_AOUT
48344
48345 config BINFMT_AOUT
48346 tristate "Kernel support for a.out and ECOFF binaries"
48347 - depends on HAVE_AOUT
48348 + depends on HAVE_AOUT && BROKEN
48349 ---help---
48350 A.out (Assembler.OUTput) is a set of formats for libraries and
48351 executables used in the earliest versions of UNIX. Linux used
48352 diff -urNp linux-2.6.39.3/fs/libfs.c linux-2.6.39.3/fs/libfs.c
48353 --- linux-2.6.39.3/fs/libfs.c 2011-05-19 00:06:34.000000000 -0400
48354 +++ linux-2.6.39.3/fs/libfs.c 2011-05-22 19:36:32.000000000 -0400
48355 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
48356
48357 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48358 struct dentry *next;
48359 + char d_name[sizeof(next->d_iname)];
48360 + const unsigned char *name;
48361 +
48362 next = list_entry(p, struct dentry, d_u.d_child);
48363 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
48364 if (!simple_positive(next)) {
48365 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
48366
48367 spin_unlock(&next->d_lock);
48368 spin_unlock(&dentry->d_lock);
48369 - if (filldir(dirent, next->d_name.name,
48370 + name = next->d_name.name;
48371 + if (name == next->d_iname) {
48372 + memcpy(d_name, name, next->d_name.len);
48373 + name = d_name;
48374 + }
48375 + if (filldir(dirent, name,
48376 next->d_name.len, filp->f_pos,
48377 next->d_inode->i_ino,
48378 dt_type(next->d_inode)) < 0)
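Review bot: The `memcpy(d_name, name, next->d_name.len);` runs after both `d_lock`s have been released, and the length is read separately from the `name == next->d_iname` test, so the copy size is not tied to `sizeof(d_name)`. If the dentry is renamed between those reads, the length could in principle be larger than the stack buffer. I would snapshot the pointer and length into locals before `spin_unlock(&next->d_lock)`, clamp the length to `sizeof(d_name)`, and pass that same local to `filldir()` instead of re-reading `next->d_name.len`. A one-line comment saying why the inline name is bounced through the stack would also help, since the reason is not visible in the hunk. dcache_readdir starts and ends outside the hunk.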
48379 diff -urNp linux-2.6.39.3/fs/lockd/clntproc.c linux-2.6.39.3/fs/lockd/clntproc.c
48380 --- linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:18:51.000000000 -0400
48381 +++ linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:19:18.000000000 -0400
48382 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48383 /*
48384 * Cookie counter for NLM requests
48385 */
48386 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48387 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48388
48389 void nlmclnt_next_cookie(struct nlm_cookie *c)
48390 {
48391 - u32 cookie = atomic_inc_return(&nlm_cookie);
48392 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48393
48394 memcpy(c->data, &cookie, 4);
48395 c->len=4;
48396 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48397 struct nlm_rqst reqst, *req;
48398 int status;
48399
48400 + pax_track_stack();
48401 +
48402 req = &reqst;
48403 memset(req, 0, sizeof(*req));
48404 locks_init_lock(&req->a_args.lock.fl);
48405 diff -urNp linux-2.6.39.3/fs/lockd/svc.c linux-2.6.39.3/fs/lockd/svc.c
48406 --- linux-2.6.39.3/fs/lockd/svc.c 2011-05-19 00:06:34.000000000 -0400
48407 +++ linux-2.6.39.3/fs/lockd/svc.c 2011-05-22 19:36:32.000000000 -0400
48408 @@ -41,7 +41,7 @@
48409
48410 static struct svc_program nlmsvc_program;
48411
48412 -struct nlmsvc_binding * nlmsvc_ops;
48413 +const struct nlmsvc_binding * nlmsvc_ops;
48414 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48415
48416 static DEFINE_MUTEX(nlmsvc_mutex);
48417 diff -urNp linux-2.6.39.3/fs/locks.c linux-2.6.39.3/fs/locks.c
48418 --- linux-2.6.39.3/fs/locks.c 2011-07-09 09:18:51.000000000 -0400
48419 +++ linux-2.6.39.3/fs/locks.c 2011-07-06 19:44:53.000000000 -0400
48420 @@ -2043,16 +2043,16 @@ void locks_remove_flock(struct file *fil
48421 return;
48422
48423 if (filp->f_op && filp->f_op->flock) {
48424 - struct file_lock fl = {
48425 + struct file_lock flock = {
48426 .fl_pid = current->tgid,
48427 .fl_file = filp,
48428 .fl_flags = FL_FLOCK,
48429 .fl_type = F_UNLCK,
48430 .fl_end = OFFSET_MAX,
48431 };
48432 - filp->f_op->flock(filp, F_SETLKW, &fl);
48433 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48434 - fl.fl_ops->fl_release_private(&fl);
48435 + filp->f_op->flock(filp, F_SETLKW, &flock);
48436 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48437 + flock.fl_ops->fl_release_private(&flock);
48438 }
48439
48440 lock_flocks();
48441 diff -urNp linux-2.6.39.3/fs/logfs/super.c linux-2.6.39.3/fs/logfs/super.c
48442 --- linux-2.6.39.3/fs/logfs/super.c 2011-05-19 00:06:34.000000000 -0400
48443 +++ linux-2.6.39.3/fs/logfs/super.c 2011-05-22 19:36:32.000000000 -0400
48444 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
48445 struct logfs_disk_super _ds1, *ds1 = &_ds1;
48446 int err, valid0, valid1;
48447
48448 + pax_track_stack();
48449 +
48450 /* read first superblock */
48451 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
48452 if (err)
48453 diff -urNp linux-2.6.39.3/fs/namei.c linux-2.6.39.3/fs/namei.c
48454 --- linux-2.6.39.3/fs/namei.c 2011-06-03 00:04:14.000000000 -0400
48455 +++ linux-2.6.39.3/fs/namei.c 2011-06-03 00:32:07.000000000 -0400
48456 @@ -237,20 +237,30 @@ int generic_permission(struct inode *ino
48457 return ret;
48458
48459 /*
48460 - * Read/write DACs are always overridable.
48461 - * Executable DACs are overridable if at least one exec bit is set.
48462 + * Searching includes executable on directories, else just read.
48463 */
48464 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48465 - if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48466 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48467 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
48468 +#ifdef CONFIG_GRKERNSEC
48469 + if (flags & IPERM_FLAG_RCU)
48470 + return -ECHILD;
48471 +#endif
48472 + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48473 return 0;
48474 + }
48475
48476 /*
48477 - * Searching includes executable on directories, else just read.
48478 + * Read/write DACs are always overridable.
48479 + * Executable DACs are overridable if at least one exec bit is set.
48480 */
48481 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48482 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
48483 - if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48484 + if (!(mask & MAY_EXEC) || execute_ok(inode)) {
48485 +#ifdef CONFIG_GRKERNSEC
48486 + if (flags & IPERM_FLAG_RCU)
48487 + return -ECHILD;
48488 +#endif
48489 + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48490 return 0;
48491 + }
48492
48493 return -EACCES;
48494 }
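Review bot: Both added `#ifdef CONFIG_GRKERNSEC` blocks return `-ECHILD` under `IPERM_FLAG_RCU` without saying why the capability check cannot run in RCU-walk mode. The reason is not visible in the hunk (presumably the patched `ns_capable()` can log or otherwise block), so the next reader cannot tell whether the bail-out is still required. Once that is confirmed I would add a comment above the first block, `/* ns_capable() may log/sleep here: leave RCU-walk before asking */`, and fold the duplicated three lines into one small helper. The bail-out also forces every capability-dependent check out of RCU-walk even when the capability would be denied anyway.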
48495 @@ -626,6 +636,9 @@ static inline int handle_reval_path(stru
48496 struct dentry *dentry = nd->path.dentry;
48497 int status;
48498
48499 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48500 + return -ENOENT;
48501 +
48502 if (likely(!(nd->flags & LOOKUP_JUMPED)))
48503 return 0;
48504
48505 @@ -671,9 +684,16 @@ static inline int exec_permission(struct
48506 if (ret == -ECHILD)
48507 return ret;
48508
48509 - if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
48510 - ns_capable(ns, CAP_DAC_READ_SEARCH))
48511 + if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
48512 goto ok;
48513 + else {
48514 +#ifdef CONFIG_GRKERNSEC
48515 + if (flags & IPERM_FLAG_RCU)
48516 + return -ECHILD;
48517 +#endif
48518 + if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
48519 + goto ok;
48520 + }
48521
48522 return ret;
48523 ok:
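Review bot: The `else { … }` after `goto ok;` is redundant, and the second `ns_capable(ns, CAP_DAC_OVERRIDE)` inside it reads like a duplicate of the `ns_capable_nolog()` test that has just failed. If the repeat is intentional (presumably so that the check is logged only once RCU-walk has been left), the code should say so, e.g. `/* re-check with logging now that we may block */`. Dropping the `else` and un-indenting the block would also match the surrounding kernel style. exec_permission begins and ends outside the hunk.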
48524 @@ -781,11 +801,19 @@ follow_link(struct path *link, struct na
48525 return error;
48526 }
48527
48528 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
48529 + dentry->d_inode, dentry, nd->path.mnt)) {
48530 + error = -EACCES;
48531 + *p = ERR_PTR(error); /* no ->put_link(), please */
48532 + path_put(&nd->path);
48533 + return error;
48534 + }
48535 +
48536 nd->last_type = LAST_BIND;
48537 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
48538 error = PTR_ERR(*p);
48539 if (!IS_ERR(*p)) {
48540 - char *s = nd_get_link(nd);
48541 + const char *s = nd_get_link(nd);
48542 error = 0;
48543 if (s)
48544 error = __vfs_follow_link(nd, s);
48545 @@ -1697,6 +1725,9 @@ static int do_path_lookup(int dfd, const
48546 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
48547
48548 if (likely(!retval)) {
48549 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48550 + return -ENOENT;
48551 +
48552 if (unlikely(!audit_dummy_context())) {
48553 if (nd->path.dentry && nd->inode)
48554 audit_inode(name, nd->path.dentry);
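Review bot: The new early `return -ENOENT;` is taken after `path_lookupat()` has succeeded, so `nd->path` appears to still hold its dentry and mount references when the function reports failure. Callers do not normally release the path after a failed lookup, which would leak a reference each time the chroot check refuses a relative lookup. I would release it before returning, with braces around the two statements: `path_put(&nd->path); return -ENOENT;`. The early return also skips the audit call below it, which may or may not be intended. do_path_lookup starts and ends outside the hunk.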
48555 @@ -2007,6 +2038,30 @@ int vfs_create(struct inode *dir, struct
48556 return error;
48557 }
48558
48559 +/*
48560 + * Note that while the flag value (low two bits) for sys_open means:
48561 + * 00 - read-only
48562 + * 01 - write-only
48563 + * 10 - read-write
48564 + * 11 - special
48565 + * it is changed into
48566 + * 00 - no permissions needed
48567 + * 01 - read-permission
48568 + * 10 - write-permission
48569 + * 11 - read-write
48570 + * for the internal routines (ie open_namei()/follow_link() etc)
48571 + * This is more logical, and also allows the 00 "no perm needed"
48572 + * to be used for symlinks (where the permissions are checked
48573 + * later).
48574 + *
48575 +*/
48576 +static inline int open_to_namei_flags(int flag)
48577 +{
48578 + if ((flag+1) & O_ACCMODE)
48579 + flag++;
48580 + return flag;
48581 +}
48582 +
48583 static int may_open(struct path *path, int acc_mode, int flag)
48584 {
48585 struct dentry *dentry = path->dentry;
48586 @@ -2059,7 +2114,27 @@ static int may_open(struct path *path, i
48587 /*
48588 * Ensure there are no outstanding leases on the file.
48589 */
48590 - return break_lease(inode, flag);
48591 + error = break_lease(inode, flag);
48592 +
48593 + if (error)
48594 + return error;
48595 +
48596 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48597 + error = -EPERM;
48598 + goto exit;
48599 + }
48600 +
48601 + if (gr_handle_rawio(inode)) {
48602 + error = -EPERM;
48603 + goto exit;
48604 + }
48605 +
48606 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
48607 + error = -EACCES;
48608 + goto exit;
48609 + }
48610 +exit:
48611 + return error;
48612 }
48613
48614 static int handle_truncate(struct file *filp)
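Review bot: The three grsecurity checks run only after `break_lease()` has succeeded, so an open that policy then refuses with `-EPERM` or `-EACCES` has already broken any lease held on the inode. Unless one of the checks depends on the lease state, placing them above the `break_lease()` call keeps a denied open free of side effects on other lease holders. The `goto exit;` / `exit: return error;` pair adds nothing over returning directly, e.g. `if (gr_handle_rawio(inode)) return -EPERM;`. may_open begins outside the hunk.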
48615 @@ -2085,30 +2160,6 @@ static int handle_truncate(struct file *
48616 }
48617
48618 /*
48619 - * Note that while the flag value (low two bits) for sys_open means:
48620 - * 00 - read-only
48621 - * 01 - write-only
48622 - * 10 - read-write
48623 - * 11 - special
48624 - * it is changed into
48625 - * 00 - no permissions needed
48626 - * 01 - read-permission
48627 - * 10 - write-permission
48628 - * 11 - read-write
48629 - * for the internal routines (ie open_namei()/follow_link() etc)
48630 - * This is more logical, and also allows the 00 "no perm needed"
48631 - * to be used for symlinks (where the permissions are checked
48632 - * later).
48633 - *
48634 -*/
48635 -static inline int open_to_namei_flags(int flag)
48636 -{
48637 - if ((flag+1) & O_ACCMODE)
48638 - flag++;
48639 - return flag;
48640 -}
48641 -
48642 -/*
48643 * Handle the last step of open()
48644 */
48645 static struct file *do_last(struct nameidata *nd, struct path *path,
48646 @@ -2117,6 +2168,7 @@ static struct file *do_last(struct namei
48647 struct dentry *dir = nd->path.dentry;
48648 struct dentry *dentry;
48649 int open_flag = op->open_flag;
48650 + int flag = open_to_namei_flags(open_flag);
48651 int will_truncate = open_flag & O_TRUNC;
48652 int want_write = 0;
48653 int acc_mode = op->acc_mode;
48654 @@ -2212,6 +2264,12 @@ static struct file *do_last(struct namei
48655 /* Negative dentry, just create the file */
48656 if (!dentry->d_inode) {
48657 int mode = op->mode;
48658 +
48659 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
48660 + error = -EACCES;
48661 + goto exit_mutex_unlock;
48662 + }
48663 +
48664 if (!IS_POSIXACL(dir->d_inode))
48665 mode &= ~current_umask();
48666 /*
48667 @@ -2235,6 +2293,8 @@ static struct file *do_last(struct namei
48668 error = vfs_create(dir->d_inode, dentry, mode, nd);
48669 if (error)
48670 goto exit_mutex_unlock;
48671 + else
48672 + gr_handle_create(path->dentry, path->mnt);
48673 mutex_unlock(&dir->d_inode->i_mutex);
48674 dput(nd->path.dentry);
48675 nd->path.dentry = dentry;
48676 @@ -2244,6 +2304,14 @@ static struct file *do_last(struct namei
48677 /*
48678 * It already exists.
48679 */
48680 +
48681 + /* only check if O_CREAT is specified, all other checks need to go
48682 + into may_open */
48683 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
48684 + error = -EACCES;
48685 + goto exit_mutex_unlock;
48686 + }
48687 +
48688 mutex_unlock(&dir->d_inode->i_mutex);
48689 audit_inode(pathname, path->dentry);
48690
48691 @@ -2530,6 +2598,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48692 error = may_mknod(mode);
48693 if (error)
48694 goto out_dput;
48695 +
48696 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48697 + error = -EPERM;
48698 + goto out_dput;
48699 + }
48700 +
48701 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48702 + error = -EACCES;
48703 + goto out_dput;
48704 + }
48705 +
48706 error = mnt_want_write(nd.path.mnt);
48707 if (error)
48708 goto out_dput;
48709 @@ -2550,6 +2629,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48710 }
48711 out_drop_write:
48712 mnt_drop_write(nd.path.mnt);
48713 +
48714 + if (!error)
48715 + gr_handle_create(dentry, nd.path.mnt);
48716 out_dput:
48717 dput(dentry);
48718 out_unlock:
48719 @@ -2602,6 +2684,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48720 if (IS_ERR(dentry))
48721 goto out_unlock;
48722
48723 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48724 + error = -EACCES;
48725 + goto out_dput;
48726 + }
48727 +
48728 if (!IS_POSIXACL(nd.path.dentry->d_inode))
48729 mode &= ~current_umask();
48730 error = mnt_want_write(nd.path.mnt);
48731 @@ -2613,6 +2700,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48732 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48733 out_drop_write:
48734 mnt_drop_write(nd.path.mnt);
48735 +
48736 + if (!error)
48737 + gr_handle_create(dentry, nd.path.mnt);
48738 +
48739 out_dput:
48740 dput(dentry);
48741 out_unlock:
48742 @@ -2692,6 +2783,8 @@ static long do_rmdir(int dfd, const char
48743 char * name;
48744 struct dentry *dentry;
48745 struct nameidata nd;
48746 + ino_t saved_ino = 0;
48747 + dev_t saved_dev = 0;
48748
48749 error = user_path_parent(dfd, pathname, &nd, &name);
48750 if (error)
48751 @@ -2716,6 +2809,19 @@ static long do_rmdir(int dfd, const char
48752 error = PTR_ERR(dentry);
48753 if (IS_ERR(dentry))
48754 goto exit2;
48755 +
48756 + if (dentry->d_inode != NULL) {
48757 + if (dentry->d_inode->i_nlink <= 1) {
48758 + saved_ino = dentry->d_inode->i_ino;
48759 + saved_dev = gr_get_dev_from_dentry(dentry);
48760 + }
48761 +
48762 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48763 + error = -EACCES;
48764 + goto exit3;
48765 + }
48766 + }
48767 +
48768 error = mnt_want_write(nd.path.mnt);
48769 if (error)
48770 goto exit3;
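Review bot: `saved_ino` and `saved_dev` are captured only when `i_nlink <= 1`, a test that fits the unlink path but rarely holds for a directory, since most filesystems report a link count of at least 2 for an empty directory. If so, the `gr_handle_delete()` call added in the next hunk is skipped for almost every successful rmdir. If the delete notification is meant to fire for removed directories, capture the identifiers unconditionally: `saved_ino = dentry->d_inode->i_ino; saved_dev = gr_get_dev_from_dentry(dentry);`. What gr_handle_delete does with them is not visible here, so this needs confirming against its definition. do_rmdir starts and ends outside the hunk.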
48771 @@ -2723,6 +2829,8 @@ static long do_rmdir(int dfd, const char
48772 if (error)
48773 goto exit4;
48774 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48775 + if (!error && (saved_dev || saved_ino))
48776 + gr_handle_delete(saved_ino, saved_dev);
48777 exit4:
48778 mnt_drop_write(nd.path.mnt);
48779 exit3:
48780 @@ -2785,6 +2893,8 @@ static long do_unlinkat(int dfd, const c
48781 struct dentry *dentry;
48782 struct nameidata nd;
48783 struct inode *inode = NULL;
48784 + ino_t saved_ino = 0;
48785 + dev_t saved_dev = 0;
48786
48787 error = user_path_parent(dfd, pathname, &nd, &name);
48788 if (error)
48789 @@ -2804,8 +2914,17 @@ static long do_unlinkat(int dfd, const c
48790 if (nd.last.name[nd.last.len])
48791 goto slashes;
48792 inode = dentry->d_inode;
48793 - if (inode)
48794 + if (inode) {
48795 ihold(inode);
48796 + if (inode->i_nlink <= 1) {
48797 + saved_ino = inode->i_ino;
48798 + saved_dev = gr_get_dev_from_dentry(dentry);
48799 + }
48800 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48801 + error = -EACCES;
48802 + goto exit2;
48803 + }
48804 + }
48805 error = mnt_want_write(nd.path.mnt);
48806 if (error)
48807 goto exit2;
48808 @@ -2813,6 +2932,8 @@ static long do_unlinkat(int dfd, const c
48809 if (error)
48810 goto exit3;
48811 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48812 + if (!error && (saved_ino || saved_dev))
48813 + gr_handle_delete(saved_ino, saved_dev);
48814 exit3:
48815 mnt_drop_write(nd.path.mnt);
48816 exit2:
48817 @@ -2890,6 +3011,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48818 if (IS_ERR(dentry))
48819 goto out_unlock;
48820
48821 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48822 + error = -EACCES;
48823 + goto out_dput;
48824 + }
48825 +
48826 error = mnt_want_write(nd.path.mnt);
48827 if (error)
48828 goto out_dput;
48829 @@ -2897,6 +3023,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48830 if (error)
48831 goto out_drop_write;
48832 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48833 + if (!error)
48834 + gr_handle_create(dentry, nd.path.mnt);
48835 out_drop_write:
48836 mnt_drop_write(nd.path.mnt);
48837 out_dput:
48838 @@ -3005,6 +3133,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48839 error = PTR_ERR(new_dentry);
48840 if (IS_ERR(new_dentry))
48841 goto out_unlock;
48842 +
48843 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48844 + old_path.dentry->d_inode,
48845 + old_path.dentry->d_inode->i_mode, to)) {
48846 + error = -EACCES;
48847 + goto out_dput;
48848 + }
48849 +
48850 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48851 + old_path.dentry, old_path.mnt, to)) {
48852 + error = -EACCES;
48853 + goto out_dput;
48854 + }
48855 +
48856 error = mnt_want_write(nd.path.mnt);
48857 if (error)
48858 goto out_dput;
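Review bot: The two checks added here use opposite return conventions with nothing to tell them apart: `gr_handle_hardlink()` denies on a non-zero return, while `gr_acl_handle_link()` denies on zero. The renameat hunk further down uses a third form, assigning the return of `gr_acl_handle_rename()` straight to `error`. An inverted test on any of these silently turns a deny into an allow, so a short comment above the pair would help, for example `/* gr_handle_*(): non-zero = deny; gr_acl_handle_link(): zero = deny */`. The hooks are defined outside this chunk, so the convention should be confirmed against their definitions.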
48859 @@ -3012,6 +3154,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48860 if (error)
48861 goto out_drop_write;
48862 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48863 + if (!error)
48864 + gr_handle_create(new_dentry, nd.path.mnt);
48865 out_drop_write:
48866 mnt_drop_write(nd.path.mnt);
48867 out_dput:
48868 @@ -3189,6 +3333,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48869 char *to;
48870 int error;
48871
48872 + pax_track_stack();
48873 +
48874 error = user_path_parent(olddfd, oldname, &oldnd, &from);
48875 if (error)
48876 goto exit;
48877 @@ -3245,6 +3391,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48878 if (new_dentry == trap)
48879 goto exit5;
48880
48881 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48882 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
48883 + to);
48884 + if (error)
48885 + goto exit5;
48886 +
48887 error = mnt_want_write(oldnd.path.mnt);
48888 if (error)
48889 goto exit5;
48890 @@ -3254,6 +3406,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48891 goto exit6;
48892 error = vfs_rename(old_dir->d_inode, old_dentry,
48893 new_dir->d_inode, new_dentry);
48894 + if (!error)
48895 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48896 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48897 exit6:
48898 mnt_drop_write(oldnd.path.mnt);
48899 exit5:
48900 @@ -3279,6 +3434,8 @@ SYSCALL_DEFINE2(rename, const char __use
48901
48902 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48903 {
48904 + char tmpbuf[64];
48905 + const char *newlink;
48906 int len;
48907
48908 len = PTR_ERR(link);
48909 @@ -3288,7 +3445,14 @@ int vfs_readlink(struct dentry *dentry,
48910 len = strlen(link);
48911 if (len > (unsigned) buflen)
48912 len = buflen;
48913 - if (copy_to_user(buffer, link, len))
48914 +
48915 + if (len < sizeof(tmpbuf)) {
48916 + memcpy(tmpbuf, link, len);
48917 + newlink = tmpbuf;
48918 + } else
48919 + newlink = link;
48920 +
48921 + if (copy_to_user(buffer, newlink, len))
48922 len = -EFAULT;
48923 out:
48924 return len;
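Review bot: The bounce through `tmpbuf` is undocumented, and nothing in the hunk says why a link shorter than 64 bytes is copied to the stack before `copy_to_user()` while a longer one is passed through directly. Presumably this is so that the user copy reads from a stack buffer rather than from the object holding the link text, but that is an inference and should be stated in the code. A comment such as `/* short targets are copied to the stack first so copy_to_user() does not read from the backing object */` above the `if` would do. The bare `64` in the declaration from the previous hunk would read better as a named constant. `len < sizeof(tmpbuf)` compares an `int` with a `size_t`, which is safe only because `len` is non-negative here, and that is worth a word in the same comment.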
48925 diff -urNp linux-2.6.39.3/fs/namespace.c linux-2.6.39.3/fs/namespace.c
48926 --- linux-2.6.39.3/fs/namespace.c 2011-05-19 00:06:34.000000000 -0400
48927 +++ linux-2.6.39.3/fs/namespace.c 2011-05-22 20:43:58.000000000 -0400
48928 @@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
48929 if (!(sb->s_flags & MS_RDONLY))
48930 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48931 up_write(&sb->s_umount);
48932 +
48933 + gr_log_remount(mnt->mnt_devname, retval);
48934 +
48935 return retval;
48936 }
48937
48938 @@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
48939 br_write_unlock(vfsmount_lock);
48940 up_write(&namespace_sem);
48941 release_mounts(&umount_list);
48942 +
48943 + gr_log_unmount(mnt->mnt_devname, retval);
48944 +
48945 return retval;
48946 }
48947
48948 @@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
48949 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
48950 MS_STRICTATIME);
48951
48952 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48953 + retval = -EPERM;
48954 + goto dput_out;
48955 + }
48956 +
48957 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48958 + retval = -EPERM;
48959 + goto dput_out;
48960 + }
48961 +
48962 if (flags & MS_REMOUNT)
48963 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48964 data_page);
48965 @@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
48966 dev_name, data_page);
48967 dput_out:
48968 path_put(&path);
48969 +
48970 + gr_log_mount(dev_name, dir_name, retval);
48971 +
48972 return retval;
48973 }
48974
48975 @@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
48976 if (error)
48977 goto out2;
48978
48979 + if (gr_handle_chroot_pivot()) {
48980 + error = -EPERM;
48981 + goto out2;
48982 + }
48983 +
48984 get_fs_root(current->fs, &root);
48985 error = lock_mount(&old);
48986 if (error)
48987 diff -urNp linux-2.6.39.3/fs/ncpfs/dir.c linux-2.6.39.3/fs/ncpfs/dir.c
48988 --- linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-19 00:06:34.000000000 -0400
48989 +++ linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-22 19:36:32.000000000 -0400
48990 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
48991 int res, val = 0, len;
48992 __u8 __name[NCP_MAXPATHLEN + 1];
48993
48994 + pax_track_stack();
48995 +
48996 if (dentry == dentry->d_sb->s_root)
48997 return 1;
48998
48999 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
49000 int error, res, len;
49001 __u8 __name[NCP_MAXPATHLEN + 1];
49002
49003 + pax_track_stack();
49004 +
49005 error = -EIO;
49006 if (!ncp_conn_valid(server))
49007 goto finished;
49008 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
49009 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
49010 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
49011
49012 + pax_track_stack();
49013 +
49014 ncp_age_dentry(server, dentry);
49015 len = sizeof(__name);
49016 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
49017 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
49018 int error, len;
49019 __u8 __name[NCP_MAXPATHLEN + 1];
49020
49021 + pax_track_stack();
49022 +
49023 DPRINTK("ncp_mkdir: making %s/%s\n",
49024 dentry->d_parent->d_name.name, dentry->d_name.name);
49025
49026 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
49027 int old_len, new_len;
49028 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
49029
49030 + pax_track_stack();
49031 +
49032 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
49033 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
49034 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
49035 diff -urNp linux-2.6.39.3/fs/ncpfs/inode.c linux-2.6.39.3/fs/ncpfs/inode.c
49036 --- linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-19 00:06:34.000000000 -0400
49037 +++ linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-22 19:36:32.000000000 -0400
49038 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
49039 #endif
49040 struct ncp_entry_info finfo;
49041
49042 + pax_track_stack();
49043 +
49044 data.wdog_pid = NULL;
49045 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
49046 if (!server)
49047 diff -urNp linux-2.6.39.3/fs/nfs/inode.c linux-2.6.39.3/fs/nfs/inode.c
49048 --- linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:18:51.000000000 -0400
49049 +++ linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:19:24.000000000 -0400
49050 @@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
49051 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
49052 nfsi->attrtimeo_timestamp = jiffies;
49053
49054 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
49055 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
49056 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
49057 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
49058 else
49059 @@ -1000,16 +1000,16 @@ static int nfs_size_need_update(const st
49060 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
49061 }
49062
49063 -static atomic_long_t nfs_attr_generation_counter;
49064 +static atomic_long_unchecked_t nfs_attr_generation_counter;
49065
49066 static unsigned long nfs_read_attr_generation_counter(void)
49067 {
49068 - return atomic_long_read(&nfs_attr_generation_counter);
49069 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
49070 }
49071
49072 unsigned long nfs_inc_attr_generation_counter(void)
49073 {
49074 - return atomic_long_inc_return(&nfs_attr_generation_counter);
49075 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
49076 }
49077
49078 void nfs_fattr_init(struct nfs_fattr *fattr)
49079 diff -urNp linux-2.6.39.3/fs/nfs/nfs4proc.c linux-2.6.39.3/fs/nfs/nfs4proc.c
49080 --- linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:18:51.000000000 -0400
49081 +++ linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:19:24.000000000 -0400
49082 @@ -5858,14 +5858,14 @@ struct nfs4_state_recovery_ops nfs41_nog
49083 };
49084 #endif /* CONFIG_NFS_V4_1 */
49085
49086 -struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49087 +const struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49088 .sched_state_renewal = nfs4_proc_async_renew,
49089 .get_state_renewal_cred_locked = nfs4_get_renew_cred_locked,
49090 .renew_lease = nfs4_proc_renew,
49091 };
49092
49093 #if defined(CONFIG_NFS_V4_1)
49094 -struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49095 +const struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49096 .sched_state_renewal = nfs41_proc_async_sequence,
49097 .get_state_renewal_cred_locked = nfs4_get_machine_cred_locked,
49098 .renew_lease = nfs4_proc_sequence,
49099 diff -urNp linux-2.6.39.3/fs/nfsd/lockd.c linux-2.6.39.3/fs/nfsd/lockd.c
49100 --- linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-19 00:06:34.000000000 -0400
49101 +++ linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-22 19:36:32.000000000 -0400
49102 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
49103 fput(filp);
49104 }
49105
49106 -static struct nlmsvc_binding nfsd_nlm_ops = {
49107 +static const struct nlmsvc_binding nfsd_nlm_ops = {
49108 .fopen = nlm_fopen, /* open file for locking */
49109 .fclose = nlm_fclose, /* close file */
49110 };
49111 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4state.c linux-2.6.39.3/fs/nfsd/nfs4state.c
49112 --- linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-19 00:06:34.000000000 -0400
49113 +++ linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-22 19:36:32.000000000 -0400
49114 @@ -3784,6 +3784,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
49115 unsigned int strhashval;
49116 int err;
49117
49118 + pax_track_stack();
49119 +
49120 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
49121 (long long) lock->lk_offset,
49122 (long long) lock->lk_length);
49123 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4xdr.c linux-2.6.39.3/fs/nfsd/nfs4xdr.c
49124 --- linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-19 00:06:34.000000000 -0400
49125 +++ linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-22 19:36:32.000000000 -0400
49126 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
49127 .dentry = dentry,
49128 };
49129
49130 + pax_track_stack();
49131 +
49132 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
49133 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
49134 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
49135 diff -urNp linux-2.6.39.3/fs/nfsd/nfsctl.c linux-2.6.39.3/fs/nfsd/nfsctl.c
49136 --- linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:18:51.000000000 -0400
49137 +++ linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:19:24.000000000 -0400
49138 @@ -183,7 +183,7 @@ static int export_features_open(struct i
49139 return single_open(file, export_features_show, NULL);
49140 }
49141
49142 -static struct file_operations export_features_operations = {
49143 +static const struct file_operations export_features_operations = {
49144 .open = export_features_open,
49145 .read = seq_read,
49146 .llseek = seq_lseek,
49147 diff -urNp linux-2.6.39.3/fs/nfsd/vfs.c linux-2.6.39.3/fs/nfsd/vfs.c
49148 --- linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:18:51.000000000 -0400
49149 +++ linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:19:24.000000000 -0400
49150 @@ -901,7 +901,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
49151 } else {
49152 oldfs = get_fs();
49153 set_fs(KERNEL_DS);
49154 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
49155 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
49156 set_fs(oldfs);
49157 }
49158
49159 @@ -1005,7 +1005,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
49160
49161 /* Write the data. */
49162 oldfs = get_fs(); set_fs(KERNEL_DS);
49163 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
49164 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
49165 set_fs(oldfs);
49166 if (host_err < 0)
49167 goto out_nfserr;
49168 @@ -1528,7 +1528,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
49169 */
49170
49171 oldfs = get_fs(); set_fs(KERNEL_DS);
49172 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
49173 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
49174 set_fs(oldfs);
49175
49176 if (host_err < 0)
49177 diff -urNp linux-2.6.39.3/fs/nilfs2/segment.c linux-2.6.39.3/fs/nilfs2/segment.c
49178 --- linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-19 00:06:34.000000000 -0400
49179 +++ linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-22 19:36:32.000000000 -0400
49180 @@ -555,7 +555,7 @@ static void nilfs_write_file_node_binfo(
49181 *vblocknr = binfo->bi_v.bi_vblocknr;
49182 }
49183
49184 -static struct nilfs_sc_operations nilfs_sc_file_ops = {
49185 +static const struct nilfs_sc_operations nilfs_sc_file_ops = {
49186 .collect_data = nilfs_collect_file_data,
49187 .collect_node = nilfs_collect_file_node,
49188 .collect_bmap = nilfs_collect_file_bmap,
49189 @@ -604,7 +604,7 @@ static void nilfs_write_dat_node_binfo(s
49190 *binfo_dat = binfo->bi_dat;
49191 }
49192
49193 -static struct nilfs_sc_operations nilfs_sc_dat_ops = {
49194 +static const struct nilfs_sc_operations nilfs_sc_dat_ops = {
49195 .collect_data = nilfs_collect_dat_data,
49196 .collect_node = nilfs_collect_file_node,
49197 .collect_bmap = nilfs_collect_dat_bmap,
49198 @@ -612,7 +612,7 @@ static struct nilfs_sc_operations nilfs_
49199 .write_node_binfo = nilfs_write_dat_node_binfo,
49200 };
49201
49202 -static struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49203 +static const struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49204 .collect_data = nilfs_collect_file_data,
49205 .collect_node = NULL,
49206 .collect_bmap = NULL,
49207 @@ -971,7 +971,7 @@ static size_t nilfs_segctor_buffer_rest(
49208
49209 static int nilfs_segctor_scan_file(struct nilfs_sc_info *sci,
49210 struct inode *inode,
49211 - struct nilfs_sc_operations *sc_ops)
49212 + const struct nilfs_sc_operations *sc_ops)
49213 {
49214 LIST_HEAD(data_buffers);
49215 LIST_HEAD(node_buffers);
49216 @@ -1475,7 +1475,7 @@ nilfs_segctor_update_payload_blocknr(str
49217 sector_t blocknr;
49218 unsigned long nfinfo = segbuf->sb_sum.nfinfo;
49219 unsigned long nblocks = 0, ndatablk = 0;
49220 - struct nilfs_sc_operations *sc_op = NULL;
49221 + const struct nilfs_sc_operations *sc_op = NULL;
49222 struct nilfs_segsum_pointer ssp;
49223 struct nilfs_finfo *finfo = NULL;
49224 union nilfs_binfo binfo;
49225 diff -urNp linux-2.6.39.3/fs/notify/dnotify/dnotify.c linux-2.6.39.3/fs/notify/dnotify/dnotify.c
49226 --- linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-19 00:06:34.000000000 -0400
49227 +++ linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-22 19:36:32.000000000 -0400
49228 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
49229 kmem_cache_free(dnotify_mark_cache, dn_mark);
49230 }
49231
49232 -static struct fsnotify_ops dnotify_fsnotify_ops = {
49233 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
49234 .handle_event = dnotify_handle_event,
49235 .should_send_event = dnotify_should_send_event,
49236 .free_group_priv = NULL,
49237 diff -urNp linux-2.6.39.3/fs/notify/notification.c linux-2.6.39.3/fs/notify/notification.c
49238 --- linux-2.6.39.3/fs/notify/notification.c 2011-05-19 00:06:34.000000000 -0400
49239 +++ linux-2.6.39.3/fs/notify/notification.c 2011-05-22 19:36:32.000000000 -0400
49240 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49241 * get set to 0 so it will never get 'freed'
49242 */
49243 static struct fsnotify_event *q_overflow_event;
49244 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49245 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49246
49247 /**
49248 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49249 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49250 */
49251 u32 fsnotify_get_cookie(void)
49252 {
49253 - return atomic_inc_return(&fsnotify_sync_cookie);
49254 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49255 }
49256 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49257
49258 diff -urNp linux-2.6.39.3/fs/ntfs/dir.c linux-2.6.39.3/fs/ntfs/dir.c
49259 --- linux-2.6.39.3/fs/ntfs/dir.c 2011-05-19 00:06:34.000000000 -0400
49260 +++ linux-2.6.39.3/fs/ntfs/dir.c 2011-05-22 19:36:32.000000000 -0400
49261 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
49262 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49263 ~(s64)(ndir->itype.index.block_size - 1)));
49264 /* Bounds checks. */
49265 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49266 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49267 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49268 "inode 0x%lx or driver bug.", vdir->i_ino);
49269 goto err_out;
49270 diff -urNp linux-2.6.39.3/fs/ntfs/file.c linux-2.6.39.3/fs/ntfs/file.c
49271 --- linux-2.6.39.3/fs/ntfs/file.c 2011-05-19 00:06:34.000000000 -0400
49272 +++ linux-2.6.39.3/fs/ntfs/file.c 2011-05-22 19:36:32.000000000 -0400
49273 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
49274 #endif /* NTFS_RW */
49275 };
49276
49277 -const struct file_operations ntfs_empty_file_ops = {};
49278 +const struct file_operations ntfs_empty_file_ops __read_only;
49279
49280 -const struct inode_operations ntfs_empty_inode_ops = {};
49281 +const struct inode_operations ntfs_empty_inode_ops __read_only;
49282 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c
49283 --- linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-19 00:06:34.000000000 -0400
49284 +++ linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-22 19:36:32.000000000 -0400
49285 @@ -2261,7 +2261,7 @@ static struct configfs_item_operations o
49286 .store_attribute = o2hb_heartbeat_group_store,
49287 };
49288
49289 -static struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49290 +static const struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49291 .make_item = o2hb_heartbeat_group_make_item,
49292 .drop_item = o2hb_heartbeat_group_drop_item,
49293 };
49294 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c
49295 --- linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-19 00:06:34.000000000 -0400
49296 +++ linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-22 19:36:32.000000000 -0400
49297 @@ -752,7 +752,7 @@ static void o2nm_node_group_drop_item(st
49298 config_item_put(item);
49299 }
49300
49301 -static struct configfs_group_operations o2nm_node_group_group_ops = {
49302 +static const struct configfs_group_operations o2nm_node_group_group_ops = {
49303 .make_item = o2nm_node_group_make_item,
49304 .drop_item = o2nm_node_group_drop_item,
49305 };
49306 @@ -869,7 +869,7 @@ static void o2nm_cluster_group_drop_item
49307 config_item_put(item);
49308 }
49309
49310 -static struct configfs_group_operations o2nm_cluster_group_group_ops = {
49311 +static const struct configfs_group_operations o2nm_cluster_group_group_ops = {
49312 .make_group = o2nm_cluster_group_make_group,
49313 .drop_item = o2nm_cluster_group_drop_item,
49314 };
49315 diff -urNp linux-2.6.39.3/fs/ocfs2/localalloc.c linux-2.6.39.3/fs/ocfs2/localalloc.c
49316 --- linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-19 00:06:34.000000000 -0400
49317 +++ linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-22 19:36:32.000000000 -0400
49318 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
49319 goto bail;
49320 }
49321
49322 - atomic_inc(&osb->alloc_stats.moves);
49323 + atomic_inc_unchecked(&osb->alloc_stats.moves);
49324
49325 bail:
49326 if (handle)
49327 diff -urNp linux-2.6.39.3/fs/ocfs2/namei.c linux-2.6.39.3/fs/ocfs2/namei.c
49328 --- linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-19 00:06:34.000000000 -0400
49329 +++ linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-22 19:36:32.000000000 -0400
49330 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
49331 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49332 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49333
49334 + pax_track_stack();
49335 +
49336 /* At some point it might be nice to break this function up a
49337 * bit. */
49338
49339 diff -urNp linux-2.6.39.3/fs/ocfs2/ocfs2.h linux-2.6.39.3/fs/ocfs2/ocfs2.h
49340 --- linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-19 00:06:34.000000000 -0400
49341 +++ linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-22 19:36:32.000000000 -0400
49342 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
49343
49344 struct ocfs2_alloc_stats
49345 {
49346 - atomic_t moves;
49347 - atomic_t local_data;
49348 - atomic_t bitmap_data;
49349 - atomic_t bg_allocs;
49350 - atomic_t bg_extends;
49351 + atomic_unchecked_t moves;
49352 + atomic_unchecked_t local_data;
49353 + atomic_unchecked_t bitmap_data;
49354 + atomic_unchecked_t bg_allocs;
49355 + atomic_unchecked_t bg_extends;
49356 };
49357
49358 enum ocfs2_local_alloc_state
49359 diff -urNp linux-2.6.39.3/fs/ocfs2/stackglue.h linux-2.6.39.3/fs/ocfs2/stackglue.h
49360 --- linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-19 00:06:34.000000000 -0400
49361 +++ linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-22 19:36:32.000000000 -0400
49362 @@ -221,13 +221,13 @@ struct ocfs2_stack_operations {
49363 };
49364
49365 /*
49366 - * Each stack plugin must describe itself by registering a
49367 + * Each stack plugin must describe itself by registerin const g a
49368 * ocfs2_stack_plugin structure. This is only seen by stackglue and the
49369 * stack driver.
49370 */
49371 struct ocfs2_stack_plugin {
49372 char *sp_name;
49373 - struct ocfs2_stack_operations *sp_ops;
49374 + const struct ocfs2_stack_operations *sp_ops;
49375 struct module *sp_owner;
49376
49377 /* These are managed by the stackglue code. */
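Review bot: The rewritten comment line now reads `registerin const g a`, with the word `const` spliced into the middle of "registering". This looks like a side effect of the mechanical edit that constified `sp_ops` a few lines below. The comment should be left as it was, `* Each stack plugin must describe itself by registering a`, so that only the `sp_ops` declaration changes in this hunk.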
49378 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_o2cb.c linux-2.6.39.3/fs/ocfs2/stack_o2cb.c
49379 --- linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-05-19 00:06:34.000000000 -0400
49380 +++ linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-06-07 18:07:24.000000000 -0400
49381 @@ -358,7 +358,7 @@ static int o2cb_cluster_this_node(unsign
49382 return 0;
49383 }
49384
49385 -static struct ocfs2_stack_operations o2cb_stack_ops = {
49386 +static const struct ocfs2_stack_operations o2cb_stack_ops = {
49387 .connect = o2cb_cluster_connect,
49388 .disconnect = o2cb_cluster_disconnect,
49389 .this_node = o2cb_cluster_this_node,
49390 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_user.c linux-2.6.39.3/fs/ocfs2/stack_user.c
49391 --- linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-19 00:06:34.000000000 -0400
49392 +++ linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-22 19:36:32.000000000 -0400
49393 @@ -399,7 +399,7 @@ static int ocfs2_control_do_setversion_m
49394 long major, minor;
49395 char *ptr = NULL;
49396 struct ocfs2_control_private *p = file->private_data;
49397 - struct ocfs2_protocol_version *max =
49398 + const struct ocfs2_protocol_version *max =
49399 &ocfs2_user_plugin.sp_max_proto;
49400
49401 if (ocfs2_control_get_handshake_state(file) !=
49402 @@ -861,7 +861,7 @@ static int user_cluster_this_node(unsign
49403 return 0;
49404 }
49405
49406 -static struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49407 +static const struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49408 .connect = user_cluster_connect,
49409 .disconnect = user_cluster_disconnect,
49410 .this_node = user_cluster_this_node,
49411 diff -urNp linux-2.6.39.3/fs/ocfs2/suballoc.c linux-2.6.39.3/fs/ocfs2/suballoc.c
49412 --- linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-19 00:06:34.000000000 -0400
49413 +++ linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-22 19:36:32.000000000 -0400
49414 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
49415 mlog_errno(status);
49416 goto bail;
49417 }
49418 - atomic_inc(&osb->alloc_stats.bg_extends);
49419 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49420
49421 /* You should never ask for this much metadata */
49422 BUG_ON(bits_wanted >
49423 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
49424 mlog_errno(status);
49425 goto bail;
49426 }
49427 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49428 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49429
49430 *suballoc_loc = res.sr_bg_blkno;
49431 *suballoc_bit_start = res.sr_bit_offset;
49432 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
49433 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
49434 res->sr_bits);
49435
49436 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49437 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49438
49439 BUG_ON(res->sr_bits != 1);
49440
49441 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
49442 mlog_errno(status);
49443 goto bail;
49444 }
49445 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49446 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49447
49448 BUG_ON(res.sr_bits != 1);
49449
49450 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
49451 cluster_start,
49452 num_clusters);
49453 if (!status)
49454 - atomic_inc(&osb->alloc_stats.local_data);
49455 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49456 } else {
49457 if (min_clusters > (osb->bitmap_cpg - 1)) {
49458 /* The only paths asking for contiguousness
49459 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
49460 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49461 res.sr_bg_blkno,
49462 res.sr_bit_offset);
49463 - atomic_inc(&osb->alloc_stats.bitmap_data);
49464 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49465 *num_clusters = res.sr_bits;
49466 }
49467 }
49468 diff -urNp linux-2.6.39.3/fs/ocfs2/super.c linux-2.6.39.3/fs/ocfs2/super.c
49469 --- linux-2.6.39.3/fs/ocfs2/super.c 2011-05-19 00:06:34.000000000 -0400
49470 +++ linux-2.6.39.3/fs/ocfs2/super.c 2011-05-22 19:36:32.000000000 -0400
49471 @@ -299,11 +299,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49472 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49473 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49474 "Stats",
49475 - atomic_read(&osb->alloc_stats.bitmap_data),
49476 - atomic_read(&osb->alloc_stats.local_data),
49477 - atomic_read(&osb->alloc_stats.bg_allocs),
49478 - atomic_read(&osb->alloc_stats.moves),
49479 - atomic_read(&osb->alloc_stats.bg_extends));
49480 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49481 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49482 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49483 + atomic_read_unchecked(&osb->alloc_stats.moves),
49484 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49485
49486 out += snprintf(buf + out, len - out,
49487 "%10s => State: %u Descriptor: %llu Size: %u bits "
49488 @@ -2111,11 +2111,11 @@ static int ocfs2_initialize_super(struct
49489 spin_lock_init(&osb->osb_xattr_lock);
49490 ocfs2_init_steal_slots(osb);
49491
49492 - atomic_set(&osb->alloc_stats.moves, 0);
49493 - atomic_set(&osb->alloc_stats.local_data, 0);
49494 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49495 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49496 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49497 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49498 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49499 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49500 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49501 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49502
49503 /* Copy the blockcheck stats from the superblock probe */
49504 osb->osb_ecc_stats = *stats;
49505 diff -urNp linux-2.6.39.3/fs/ocfs2/symlink.c linux-2.6.39.3/fs/ocfs2/symlink.c
49506 --- linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-19 00:06:34.000000000 -0400
49507 +++ linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-22 19:36:32.000000000 -0400
49508 @@ -142,7 +142,7 @@ bail:
49509
49510 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49511 {
49512 - char *link = nd_get_link(nd);
49513 + const char *link = nd_get_link(nd);
49514 if (!IS_ERR(link))
49515 kfree(link);
49516 }
49517 diff -urNp linux-2.6.39.3/fs/open.c linux-2.6.39.3/fs/open.c
49518 --- linux-2.6.39.3/fs/open.c 2011-05-19 00:06:34.000000000 -0400
49519 +++ linux-2.6.39.3/fs/open.c 2011-05-22 20:46:51.000000000 -0400
49520 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
49521 error = locks_verify_truncate(inode, NULL, length);
49522 if (!error)
49523 error = security_path_truncate(&path);
49524 +
49525 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49526 + error = -EACCES;
49527 +
49528 if (!error)
49529 error = do_truncate(path.dentry, length, 0, NULL);
49530
49531 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49532 if (__mnt_is_readonly(path.mnt))
49533 res = -EROFS;
49534
49535 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49536 + res = -EACCES;
49537 +
49538 out_path_release:
49539 path_put(&path);
49540 out:
49541 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49542 if (error)
49543 goto dput_and_out;
49544
49545 + gr_log_chdir(path.dentry, path.mnt);
49546 +
49547 set_fs_pwd(current->fs, &path);
49548
49549 dput_and_out:
49550 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49551 goto out_putf;
49552
49553 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
49554 +
49555 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49556 + error = -EPERM;
49557 +
49558 + if (!error)
49559 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49560 +
49561 if (!error)
49562 set_fs_pwd(current->fs, &file->f_path);
49563 out_putf:
49564 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
49565 if (error)
49566 goto dput_and_out;
49567
49568 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49569 + goto dput_and_out;
49570 +
49571 + if (gr_handle_chroot_caps(&path)) {
49572 + error = -ENOMEM;
49573 + goto dput_and_out;
49574 + }
49575 +
49576 set_fs_root(current->fs, &path);
49577 +
49578 + gr_handle_chroot_chdir(&path);
49579 +
49580 error = 0;
49581 dput_and_out:
49582 path_put(&path);
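Review bot: The new `gr_handle_chroot_chroot()` refusal jumps to `dput_and_out` without assigning `error`, and the context line just above it (`if (error) goto dput_and_out;`) means `error` is 0 at that point, so a refused chroot() would be reported to the caller as success. If that is not deliberate, set the code before the jump: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`. The `-ENOMEM` used for a `gr_handle_chroot_caps()` failure also deserves a one-line comment saying why that code was chosen. The syscall body starts before this hunk, so the earlier assignments to `error` should be confirmed there.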
49583 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49584 err = mnt_want_write_file(file);
49585 if (err)
49586 goto out_putf;
49587 +
49588 mutex_lock(&inode->i_mutex);
49589 +
49590 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
49591 + err = -EACCES;
49592 + goto out_unlock;
49593 + }
49594 +
49595 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
49596 if (err)
49597 goto out_unlock;
49598 if (mode == (mode_t) -1)
49599 mode = inode->i_mode;
49600 +
49601 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
49602 + err = -EACCES;
49603 + goto out_unlock;
49604 + }
49605 +
49606 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49607 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49608 err = notify_change(dentry, &newattrs);
49609 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49610 error = mnt_want_write(path.mnt);
49611 if (error)
49612 goto dput_and_out;
49613 +
49614 mutex_lock(&inode->i_mutex);
49615 +
49616 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49617 + error = -EACCES;
49618 + goto out_unlock;
49619 + }
49620 +
49621 error = security_path_chmod(path.dentry, path.mnt, mode);
49622 if (error)
49623 goto out_unlock;
49624 if (mode == (mode_t) -1)
49625 mode = inode->i_mode;
49626 +
49627 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49628 + error = -EACCES;
49629 + goto out_unlock;
49630 + }
49631 +
49632 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49633 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49634 error = notify_change(path.dentry, &newattrs);
49635 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
49636 int error;
49637 struct iattr newattrs;
49638
49639 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
49640 + return -EACCES;
49641 +
49642 newattrs.ia_valid = ATTR_CTIME;
49643 if (user != (uid_t) -1) {
49644 newattrs.ia_valid |= ATTR_UID;
49645 @@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
49646 if (!IS_ERR(tmp)) {
49647 fd = get_unused_fd_flags(flags);
49648 if (fd >= 0) {
49649 - struct file *f = do_filp_open(dfd, tmp, &op, lookup);
49650 + struct file *f;
49651 + /* don't allow to be set by userland */
49652 + flags &= ~FMODE_GREXEC;
49653 + f = do_filp_open(dfd, tmp, &op, lookup);
49654 if (IS_ERR(f)) {
49655 put_unused_fd(fd);
49656 fd = PTR_ERR(f);
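Review bot: The `flags &= ~FMODE_GREXEC;` mask is applied after `flags` has already been passed to `get_unused_fd_flags(flags)`, and the open itself is driven by `&op` and `lookup` rather than by `flags`, so as written the mask may never reach the value `do_filp_open()` acts on. If `op` is derived from `flags` earlier in do_sys_open() (outside this hunk), the bit should be cleared before that derivation, for example as the first statement of the function. The comment could also be more specific, e.g. `/* FMODE_GREXEC is kernel-internal; strip it from userland-supplied flags */`.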
49657 diff -urNp linux-2.6.39.3/fs/partitions/ldm.c linux-2.6.39.3/fs/partitions/ldm.c
49658 --- linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:04:14.000000000 -0400
49659 +++ linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:32:07.000000000 -0400
49660 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49661 ldm_error ("A VBLK claims to have %d parts.", num);
49662 return false;
49663 }
49664 +
49665 if (rec >= num) {
49666 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49667 return false;
49668 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49669 goto found;
49670 }
49671
49672 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49673 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49674 if (!f) {
49675 ldm_crit ("Out of memory.");
49676 return false;
49677 diff -urNp linux-2.6.39.3/fs/pipe.c linux-2.6.39.3/fs/pipe.c
49678 --- linux-2.6.39.3/fs/pipe.c 2011-05-19 00:06:34.000000000 -0400
49679 +++ linux-2.6.39.3/fs/pipe.c 2011-05-22 19:41:37.000000000 -0400
49680 @@ -420,9 +420,9 @@ redo:
49681 }
49682 if (bufs) /* More to do? */
49683 continue;
49684 - if (!pipe->writers)
49685 + if (!atomic_read(&pipe->writers))
49686 break;
49687 - if (!pipe->waiting_writers) {
49688 + if (!atomic_read(&pipe->waiting_writers)) {
49689 /* syscall merging: Usually we must not sleep
49690 * if O_NONBLOCK is set, or if we got some data.
49691 * But if a writer sleeps in kernel space, then
49692 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
49693 mutex_lock(&inode->i_mutex);
49694 pipe = inode->i_pipe;
49695
49696 - if (!pipe->readers) {
49697 + if (!atomic_read(&pipe->readers)) {
49698 send_sig(SIGPIPE, current, 0);
49699 ret = -EPIPE;
49700 goto out;
49701 @@ -530,7 +530,7 @@ redo1:
49702 for (;;) {
49703 int bufs;
49704
49705 - if (!pipe->readers) {
49706 + if (!atomic_read(&pipe->readers)) {
49707 send_sig(SIGPIPE, current, 0);
49708 if (!ret)
49709 ret = -EPIPE;
49710 @@ -616,9 +616,9 @@ redo2:
49711 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
49712 do_wakeup = 0;
49713 }
49714 - pipe->waiting_writers++;
49715 + atomic_inc(&pipe->waiting_writers);
49716 pipe_wait(pipe);
49717 - pipe->waiting_writers--;
49718 + atomic_dec(&pipe->waiting_writers);
49719 }
49720 out:
49721 mutex_unlock(&inode->i_mutex);
49722 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
49723 mask = 0;
49724 if (filp->f_mode & FMODE_READ) {
49725 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49726 - if (!pipe->writers && filp->f_version != pipe->w_counter)
49727 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49728 mask |= POLLHUP;
49729 }
49730
49731 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
49732 * Most Unices do not set POLLERR for FIFOs but on Linux they
49733 * behave exactly like pipes for poll().
49734 */
49735 - if (!pipe->readers)
49736 + if (!atomic_read(&pipe->readers))
49737 mask |= POLLERR;
49738 }
49739
49740 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
49741
49742 mutex_lock(&inode->i_mutex);
49743 pipe = inode->i_pipe;
49744 - pipe->readers -= decr;
49745 - pipe->writers -= decw;
49746 + atomic_sub(decr, &pipe->readers);
49747 + atomic_sub(decw, &pipe->writers);
49748
49749 - if (!pipe->readers && !pipe->writers) {
49750 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49751 free_pipe_info(inode);
49752 } else {
49753 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
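Review bot: The release path now performs two separate `atomic_sub()` calls followed by two `atomic_read()` calls, which is a consistent "both counters are zero" test only because `inode->i_mutex` is still held around it, and nothing in the hunk says why the counters became atomic. A comment such as `/* readers/writers are atomic_t for lockless readers; the zero test below still relies on i_mutex */` would stop a later change from dropping the lock, assuming that is the reason for the conversion. The same applies to the `atomic_inc()`/`atomic_dec()` conversions in the other fs/pipe.c hunks. pipe_release() starts before this hunk.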
49754 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
49755
49756 if (inode->i_pipe) {
49757 ret = 0;
49758 - inode->i_pipe->readers++;
49759 + atomic_inc(&inode->i_pipe->readers);
49760 }
49761
49762 mutex_unlock(&inode->i_mutex);
49763 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
49764
49765 if (inode->i_pipe) {
49766 ret = 0;
49767 - inode->i_pipe->writers++;
49768 + atomic_inc(&inode->i_pipe->writers);
49769 }
49770
49771 mutex_unlock(&inode->i_mutex);
49772 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
49773 if (inode->i_pipe) {
49774 ret = 0;
49775 if (filp->f_mode & FMODE_READ)
49776 - inode->i_pipe->readers++;
49777 + atomic_inc(&inode->i_pipe->readers);
49778 if (filp->f_mode & FMODE_WRITE)
49779 - inode->i_pipe->writers++;
49780 + atomic_inc(&inode->i_pipe->writers);
49781 }
49782
49783 mutex_unlock(&inode->i_mutex);
49784 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
49785 inode->i_pipe = NULL;
49786 }
49787
49788 -static struct vfsmount *pipe_mnt __read_mostly;
49789 +struct vfsmount *pipe_mnt __read_mostly;
49790
49791 /*
49792 * pipefs_dname() is called from d_path().
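Review bot: Dropping `static` from `pipe_mnt` gives the variable external linkage, but no declaration for it is visible in this hunk, so a user in another file would need its own `extern` and the compiler could not check that against this definition. Add `extern struct vfsmount *pipe_mnt;` to a shared header and a short comment at the definition naming the code outside fs/pipe.c that reads it.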
49793 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
49794 goto fail_iput;
49795 inode->i_pipe = pipe;
49796
49797 - pipe->readers = pipe->writers = 1;
49798 + atomic_set(&pipe->readers, 1);
49799 + atomic_set(&pipe->writers, 1);
49800 inode->i_fop = &rdwr_pipefifo_fops;
49801
49802 /*
49803 diff -urNp linux-2.6.39.3/fs/proc/array.c linux-2.6.39.3/fs/proc/array.c
49804 --- linux-2.6.39.3/fs/proc/array.c 2011-05-19 00:06:34.000000000 -0400
49805 +++ linux-2.6.39.3/fs/proc/array.c 2011-05-22 19:41:37.000000000 -0400
49806 @@ -60,6 +60,7 @@
49807 #include <linux/tty.h>
49808 #include <linux/string.h>
49809 #include <linux/mman.h>
49810 +#include <linux/grsecurity.h>
49811 #include <linux/proc_fs.h>
49812 #include <linux/ioport.h>
49813 #include <linux/uaccess.h>
49814 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
49815 seq_putc(m, '\n');
49816 }
49817
49818 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49819 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
49820 +{
49821 + if (p->mm)
49822 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49823 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49824 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49825 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49826 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49827 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49828 + else
49829 + seq_printf(m, "PaX:\t-----\n");
49830 +}
49831 +#endif
49832 +
49833 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49834 struct pid *pid, struct task_struct *task)
49835 {
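Review bot: `task_pax()` tests `p->mm` and then dereferences `p->mm` five more times without holding a reference, and `p` is the task being inspected rather than `current`, so the pointer can change between the test and the reads if that task exits while its status file is being read. Taking the mm once with `get_task_mm()` and releasing it with `mmput()` closes that window; the fence shows the rewritten body. The output format is unchanged.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```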
49836 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
49837 task_cpus_allowed(m, task);
49838 cpuset_task_status_allowed(m, task);
49839 task_context_switch_counts(m, task);
49840 +
49841 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49842 + task_pax(m, task);
49843 +#endif
49844 +
49845 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49846 + task_grsec_rbac(m, task);
49847 +#endif
49848 +
49849 return 0;
49850 }
49851
49852 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49853 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49854 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49855 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49856 +#endif
49857 +
49858 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49859 struct pid *pid, struct task_struct *task, int whole)
49860 {
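Review bot: `PAX_RAND_FLAGS(_mm)` expands its argument four times without parentheses, and the same definition is repeated in fs/proc/base.c later in this patch, so the two copies can drift apart. Parenthesise the parameter (`((_mm) != NULL && (_mm) != current->mm && ...)`) or make it a `static inline` function, and define it once in fs/proc/internal.h. A one-line comment stating that it is true for another task's mm with RANDMMAP or SEGMEXEC set would help readers of do_task_stat().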
49861 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
49862 cputime_t cutime, cstime, utime, stime;
49863 cputime_t cgtime, gtime;
49864 unsigned long rsslim = 0;
49865 - char tcomm[sizeof(task->comm)];
49866 + char tcomm[sizeof(task->comm)] = { 0 };
49867 unsigned long flags;
49868
49869 + pax_track_stack();
49870 +
49871 state = *get_task_state(task);
49872 vsize = eip = esp = 0;
49873 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49874 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
49875 gtime = task->gtime;
49876 }
49877
49878 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49879 + if (PAX_RAND_FLAGS(mm)) {
49880 + eip = 0;
49881 + esp = 0;
49882 + wchan = 0;
49883 + }
49884 +#endif
49885 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49886 + wchan = 0;
49887 + eip =0;
49888 + esp =0;
49889 +#endif
49890 +
49891 /* scale priority and nice values from timeslices to -20..20 */
49892 /* to make it look like a "normal" Unix priority/nice value */
49893 priority = task_prio(task);
49894 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
49895 vsize,
49896 mm ? get_mm_rss(mm) : 0,
49897 rsslim,
49898 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49899 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49900 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49901 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49902 +#else
49903 mm ? (permitted ? mm->start_code : 1) : 0,
49904 mm ? (permitted ? mm->end_code : 1) : 0,
49905 (permitted && mm) ? mm->start_stack : 0,
49906 +#endif
49907 esp,
49908 eip,
49909 /* The signal information here is obsolete.
49910 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
49911
49912 return 0;
49913 }
49914 +
49915 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49916 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49917 +{
49918 + u32 curr_ip = 0;
49919 + unsigned long flags;
49920 +
49921 + if (lock_task_sighand(task, &flags)) {
49922 + curr_ip = task->signal->curr_ip;
49923 + unlock_task_sighand(task, &flags);
49924 + }
49925 +
49926 + return sprintf(buffer, "%pI4\n", &curr_ip);
49927 +}
49928 +#endif
49929 diff -urNp linux-2.6.39.3/fs/proc/base.c linux-2.6.39.3/fs/proc/base.c
49930 --- linux-2.6.39.3/fs/proc/base.c 2011-05-19 00:06:34.000000000 -0400
49931 +++ linux-2.6.39.3/fs/proc/base.c 2011-06-04 21:20:04.000000000 -0400
49932 @@ -104,6 +104,22 @@ struct pid_entry {
49933 union proc_op op;
49934 };
49935
49936 +struct getdents_callback {
49937 + struct linux_dirent __user * current_dir;
49938 + struct linux_dirent __user * previous;
49939 + struct file * file;
49940 + int count;
49941 + int error;
49942 +};
49943 +
49944 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49945 + loff_t offset, u64 ino, unsigned int d_type)
49946 +{
49947 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
49948 + buf->error = -EINVAL;
49949 + return 0;
49950 +}
49951 +
49952 #define NOD(NAME, MODE, IOP, FOP, OP) { \
49953 .name = (NAME), \
49954 .len = sizeof(NAME) - 1, \
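Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a `struct getdents_callback` that is declared locally in this file, so the store to `buf->error` is correct only if every readdir caller that reaches it passes a buffer with exactly this layout. If another caller passes a different callback structure, the write lands at the wrong offset in that caller's buffer. Share the structure through a header instead of copying it, and add a comment stating which callers the cast is valid for; the definition this copy mirrors is outside this hunk.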
49955 @@ -206,6 +222,9 @@ static struct mm_struct *__check_mem_per
49956 if (task == current)
49957 return mm;
49958
49959 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49960 + return ERR_PTR(-EPERM);
49961 +
49962 /*
49963 * If current is actively ptrace'ing, and would also be
49964 * permitted to freshly attach with ptrace now, permit it.
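Review bot: The added `return ERR_PTR(-EPERM);` leaves the function while `mm` is still held: the context line `return mm;` just above hands that same `mm` to the caller, which suggests a reference was taken earlier in the function (outside this hunk). If so, the refusal path leaks that reference each time access is denied; release it first: `if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task)) { mmput(mm); return ERR_PTR(-EPERM); }`.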
49965 @@ -279,6 +298,9 @@ static int proc_pid_cmdline(struct task_
49966 if (!mm->arg_end)
49967 goto out_mm; /* Shh! No looking before we're done */
49968
49969 + if (gr_acl_handle_procpidmem(task))
49970 + goto out_mm;
49971 +
49972 len = mm->arg_end - mm->arg_start;
49973
49974 if (len > PAGE_SIZE)
49975 @@ -306,12 +328,28 @@ out:
49976 return res;
49977 }
49978
49979 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49980 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49981 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49982 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49983 +#endif
49984 +
49985 static int proc_pid_auxv(struct task_struct *task, char *buffer)
49986 {
49987 struct mm_struct *mm = mm_for_maps(task);
49988 int res = PTR_ERR(mm);
49989 if (mm && !IS_ERR(mm)) {
49990 unsigned int nwords = 0;
49991 +
49992 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49993 + /* allow if we're currently ptracing this task */
49994 + if (PAX_RAND_FLAGS(mm) &&
49995 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
49996 + mmput(mm);
49997 + return res;
49998 + }
49999 +#endif
50000 +
50001 do {
50002 nwords += 2;
50003 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
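Review bot: The early exit added in proc_pid_auxv() returns `res`, which at that point still holds `PTR_ERR(mm)` for a valid `mm` pointer, so the caller receives an integer derived from a kernel address rather than an error code or a length. Return an explicit value instead, e.g. `mmput(mm); return -EPERM;` (or `return 0;` if an empty file is intended). The comment above the test could also say what is being refused: `/* hide auxv of a randomized mm unless current is its ptracer */`. The function continues past this hunk.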
50004 @@ -325,7 +363,7 @@ static int proc_pid_auxv(struct task_str
50005 }
50006
50007
50008 -#ifdef CONFIG_KALLSYMS
50009 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50010 /*
50011 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
50012 * Returns the resolved symbol. If that fails, simply return the address.
50013 @@ -364,7 +402,7 @@ static void unlock_trace(struct task_str
50014 mutex_unlock(&task->signal->cred_guard_mutex);
50015 }
50016
50017 -#ifdef CONFIG_STACKTRACE
50018 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50019
50020 #define MAX_STACK_TRACE_DEPTH 64
50021
50022 @@ -555,7 +593,7 @@ static int proc_pid_limits(struct task_s
50023 return count;
50024 }
50025
50026 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50027 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50028 static int proc_pid_syscall(struct task_struct *task, char *buffer)
50029 {
50030 long nr;
50031 @@ -584,7 +622,7 @@ static int proc_pid_syscall(struct task_
50032 /************************************************************************/
50033
50034 /* permission checks */
50035 -static int proc_fd_access_allowed(struct inode *inode)
50036 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
50037 {
50038 struct task_struct *task;
50039 int allowed = 0;
50040 @@ -594,7 +632,10 @@ static int proc_fd_access_allowed(struct
50041 */
50042 task = get_proc_task(inode);
50043 if (task) {
50044 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50045 + if (log)
50046 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
50047 + else
50048 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50049 put_task_struct(task);
50050 }
50051 return allowed;
50052 @@ -973,6 +1014,9 @@ static ssize_t environ_read(struct file
50053 if (!task)
50054 goto out_no_task;
50055
50056 + if (gr_acl_handle_procpidmem(task))
50057 + goto out;
50058 +
50059 ret = -ENOMEM;
50060 page = (char *)__get_free_page(GFP_TEMPORARY);
50061 if (!page)
50062 @@ -1660,7 +1704,7 @@ static void *proc_pid_follow_link(struct
50063 path_put(&nd->path);
50064
50065 /* Are we allowed to snoop on the tasks file descriptors? */
50066 - if (!proc_fd_access_allowed(inode))
50067 + if (!proc_fd_access_allowed(inode,0))
50068 goto out;
50069
50070 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
50071 @@ -1699,8 +1743,18 @@ static int proc_pid_readlink(struct dent
50072 struct path path;
50073
50074 /* Are we allowed to snoop on the tasks file descriptors? */
50075 - if (!proc_fd_access_allowed(inode))
50076 - goto out;
50077 + /* logging this is needed for learning on chromium to work properly,
50078 + but we don't want to flood the logs from 'ps' which does a readlink
50079 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
50080 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
50081 + */
50082 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
50083 + if (!proc_fd_access_allowed(inode,0))
50084 + goto out;
50085 + } else {
50086 + if (!proc_fd_access_allowed(inode,1))
50087 + goto out;
50088 + }
50089
50090 error = PROC_I(inode)->op.proc_get_link(inode, &path);
50091 if (error)
50092 @@ -1766,7 +1820,11 @@ static struct inode *proc_pid_make_inode
50093 rcu_read_lock();
50094 cred = __task_cred(task);
50095 inode->i_uid = cred->euid;
50096 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50097 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50098 +#else
50099 inode->i_gid = cred->egid;
50100 +#endif
50101 rcu_read_unlock();
50102 }
50103 security_task_to_inode(task, inode);
50104 @@ -1784,6 +1842,9 @@ static int pid_getattr(struct vfsmount *
50105 struct inode *inode = dentry->d_inode;
50106 struct task_struct *task;
50107 const struct cred *cred;
50108 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50109 + const struct cred *tmpcred = current_cred();
50110 +#endif
50111
50112 generic_fillattr(inode, stat);
50113
50114 @@ -1791,13 +1852,41 @@ static int pid_getattr(struct vfsmount *
50115 stat->uid = 0;
50116 stat->gid = 0;
50117 task = pid_task(proc_pid(inode), PIDTYPE_PID);
50118 +
50119 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
50120 + rcu_read_unlock();
50121 + return -ENOENT;
50122 + }
50123 +
50124 if (task) {
50125 + cred = __task_cred(task);
50126 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50127 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
50128 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50129 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50130 +#endif
50131 + ) {
50132 +#endif
50133 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50134 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50135 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50136 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50137 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50138 +#endif
50139 task_dumpable(task)) {
50140 - cred = __task_cred(task);
50141 stat->uid = cred->euid;
50142 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50143 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
50144 +#else
50145 stat->gid = cred->egid;
50146 +#endif
50147 }
50148 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50149 + } else {
50150 + rcu_read_unlock();
50151 + return -ENOENT;
50152 + }
50153 +#endif
50154 }
50155 rcu_read_unlock();
50156 return 0;
50157 @@ -1834,11 +1923,20 @@ static int pid_revalidate(struct dentry
50158
50159 if (task) {
50160 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50161 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50162 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50163 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50164 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50165 +#endif
50166 task_dumpable(task)) {
50167 rcu_read_lock();
50168 cred = __task_cred(task);
50169 inode->i_uid = cred->euid;
50170 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50171 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50172 +#else
50173 inode->i_gid = cred->egid;
50174 +#endif
50175 rcu_read_unlock();
50176 } else {
50177 inode->i_uid = 0;
50178 @@ -1959,7 +2057,8 @@ static int proc_fd_info(struct inode *in
50179 int fd = proc_fd(inode);
50180
50181 if (task) {
50182 - files = get_files_struct(task);
50183 + if (!gr_acl_handle_procpidmem(task))
50184 + files = get_files_struct(task);
50185 put_task_struct(task);
50186 }
50187 if (files) {
50188 @@ -2219,15 +2318,25 @@ static const struct file_operations proc
50189 */
50190 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
50191 {
50192 + struct task_struct *task;
50193 int rv;
50194
50195 if (flags & IPERM_FLAG_RCU)
50196 return -ECHILD;
50197 rv = generic_permission(inode, mask, flags, NULL);
50198 - if (rv == 0)
50199 - return 0;
50200 +
50201 if (task_pid(current) == proc_pid(inode))
50202 rv = 0;
50203 +
50204 + task = get_proc_task(inode);
50205 + if (task == NULL)
50206 + return rv;
50207 +
50208 + if (gr_acl_handle_procpidmem(task))
50209 + rv = -EACCES;
50210 +
50211 + put_task_struct(task);
50212 +
50213 return rv;
50214 }
50215
50216 @@ -2337,6 +2446,9 @@ static struct dentry *proc_pident_lookup
50217 if (!task)
50218 goto out_no_task;
50219
50220 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50221 + goto out;
50222 +
50223 /*
50224 * Yes, it does not scale. And it should not. Don't add
50225 * new entries into /proc/<tgid>/ without very good reasons.
50226 @@ -2381,6 +2493,9 @@ static int proc_pident_readdir(struct fi
50227 if (!task)
50228 goto out_no_task;
50229
50230 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50231 + goto out;
50232 +
50233 ret = 0;
50234 i = filp->f_pos;
50235 switch (i) {
50236 @@ -2651,7 +2766,7 @@ static void *proc_self_follow_link(struc
50237 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50238 void *cookie)
50239 {
50240 - char *s = nd_get_link(nd);
50241 + const char *s = nd_get_link(nd);
50242 if (!IS_ERR(s))
50243 __putname(s);
50244 }
50245 @@ -2835,7 +2950,7 @@ static const struct pid_entry tgid_base_
50246 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
50247 #endif
50248 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50249 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50250 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50251 INF("syscall", S_IRUGO, proc_pid_syscall),
50252 #endif
50253 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50254 @@ -2860,10 +2975,10 @@ static const struct pid_entry tgid_base_
50255 #ifdef CONFIG_SECURITY
50256 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50257 #endif
50258 -#ifdef CONFIG_KALLSYMS
50259 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50260 INF("wchan", S_IRUGO, proc_pid_wchan),
50261 #endif
50262 -#ifdef CONFIG_STACKTRACE
50263 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50264 ONE("stack", S_IRUGO, proc_pid_stack),
50265 #endif
50266 #ifdef CONFIG_SCHEDSTATS
50267 @@ -2894,6 +3009,9 @@ static const struct pid_entry tgid_base_
50268 #ifdef CONFIG_TASK_IO_ACCOUNTING
50269 INF("io", S_IRUGO, proc_tgid_io_accounting),
50270 #endif
50271 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50272 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50273 +#endif
50274 };
50275
50276 static int proc_tgid_base_readdir(struct file * filp,
50277 @@ -3019,7 +3137,14 @@ static struct dentry *proc_pid_instantia
50278 if (!inode)
50279 goto out;
50280
50281 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50282 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50283 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50284 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50285 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50286 +#else
50287 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50288 +#endif
50289 inode->i_op = &proc_tgid_base_inode_operations;
50290 inode->i_fop = &proc_tgid_base_operations;
50291 inode->i_flags|=S_IMMUTABLE;
50292 @@ -3061,7 +3186,11 @@ struct dentry *proc_pid_lookup(struct in
50293 if (!task)
50294 goto out;
50295
50296 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50297 + goto out_put_task;
50298 +
50299 result = proc_pid_instantiate(dir, dentry, task, NULL);
50300 +out_put_task:
50301 put_task_struct(task);
50302 out:
50303 return result;
50304 @@ -3126,6 +3255,11 @@ int proc_pid_readdir(struct file * filp,
50305 {
50306 unsigned int nr;
50307 struct task_struct *reaper;
50308 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50309 + const struct cred *tmpcred = current_cred();
50310 + const struct cred *itercred;
50311 +#endif
50312 + filldir_t __filldir = filldir;
50313 struct tgid_iter iter;
50314 struct pid_namespace *ns;
50315
50316 @@ -3149,8 +3283,27 @@ int proc_pid_readdir(struct file * filp,
50317 for (iter = next_tgid(ns, iter);
50318 iter.task;
50319 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50320 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50321 + rcu_read_lock();
50322 + itercred = __task_cred(iter.task);
50323 +#endif
50324 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50325 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50326 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50327 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50328 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50329 +#endif
50330 + )
50331 +#endif
50332 + )
50333 + __filldir = &gr_fake_filldir;
50334 + else
50335 + __filldir = filldir;
50336 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50337 + rcu_read_unlock();
50338 +#endif
50339 filp->f_pos = iter.tgid + TGID_OFFSET;
50340 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50341 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50342 put_task_struct(iter.task);
50343 goto out;
50344 }
50345 @@ -3177,7 +3330,7 @@ static const struct pid_entry tid_base_s
50346 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50347 #endif
50348 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50349 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50350 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50351 INF("syscall", S_IRUGO, proc_pid_syscall),
50352 #endif
50353 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50354 @@ -3201,10 +3354,10 @@ static const struct pid_entry tid_base_s
50355 #ifdef CONFIG_SECURITY
50356 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50357 #endif
50358 -#ifdef CONFIG_KALLSYMS
50359 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50360 INF("wchan", S_IRUGO, proc_pid_wchan),
50361 #endif
50362 -#ifdef CONFIG_STACKTRACE
50363 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50364 ONE("stack", S_IRUGO, proc_pid_stack),
50365 #endif
50366 #ifdef CONFIG_SCHEDSTATS
50367 diff -urNp linux-2.6.39.3/fs/proc/cmdline.c linux-2.6.39.3/fs/proc/cmdline.c
50368 --- linux-2.6.39.3/fs/proc/cmdline.c 2011-05-19 00:06:34.000000000 -0400
50369 +++ linux-2.6.39.3/fs/proc/cmdline.c 2011-05-22 19:41:37.000000000 -0400
50370 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
50371
50372 static int __init proc_cmdline_init(void)
50373 {
50374 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50375 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50376 +#else
50377 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50378 +#endif
50379 return 0;
50380 }
50381 module_init(proc_cmdline_init);
50382 diff -urNp linux-2.6.39.3/fs/proc/devices.c linux-2.6.39.3/fs/proc/devices.c
50383 --- linux-2.6.39.3/fs/proc/devices.c 2011-05-19 00:06:34.000000000 -0400
50384 +++ linux-2.6.39.3/fs/proc/devices.c 2011-05-22 19:41:37.000000000 -0400
50385 @@ -64,7 +64,11 @@ static const struct file_operations proc
50386
50387 static int __init proc_devices_init(void)
50388 {
50389 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50390 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50391 +#else
50392 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50393 +#endif
50394 return 0;
50395 }
50396 module_init(proc_devices_init);
50397 diff -urNp linux-2.6.39.3/fs/proc/inode.c linux-2.6.39.3/fs/proc/inode.c
50398 --- linux-2.6.39.3/fs/proc/inode.c 2011-05-19 00:06:34.000000000 -0400
50399 +++ linux-2.6.39.3/fs/proc/inode.c 2011-05-22 19:41:37.000000000 -0400
50400 @@ -433,7 +433,11 @@ struct inode *proc_get_inode(struct supe
50401 if (de->mode) {
50402 inode->i_mode = de->mode;
50403 inode->i_uid = de->uid;
50404 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50405 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50406 +#else
50407 inode->i_gid = de->gid;
50408 +#endif
50409 }
50410 if (de->size)
50411 inode->i_size = de->size;
50412 diff -urNp linux-2.6.39.3/fs/proc/internal.h linux-2.6.39.3/fs/proc/internal.h
50413 --- linux-2.6.39.3/fs/proc/internal.h 2011-05-19 00:06:34.000000000 -0400
50414 +++ linux-2.6.39.3/fs/proc/internal.h 2011-05-22 19:41:37.000000000 -0400
50415 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50416 struct pid *pid, struct task_struct *task);
50417 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50418 struct pid *pid, struct task_struct *task);
50419 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50420 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50421 +#endif
50422 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50423
50424 extern const struct file_operations proc_maps_operations;
50425 diff -urNp linux-2.6.39.3/fs/proc/Kconfig linux-2.6.39.3/fs/proc/Kconfig
50426 --- linux-2.6.39.3/fs/proc/Kconfig 2011-05-19 00:06:34.000000000 -0400
50427 +++ linux-2.6.39.3/fs/proc/Kconfig 2011-05-22 19:41:37.000000000 -0400
50428 @@ -30,12 +30,12 @@ config PROC_FS
50429
50430 config PROC_KCORE
50431 bool "/proc/kcore support" if !ARM
50432 - depends on PROC_FS && MMU
50433 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50434
50435 config PROC_VMCORE
50436 bool "/proc/vmcore support"
50437 - depends on PROC_FS && CRASH_DUMP
50438 - default y
50439 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50440 + default n
50441 help
50442 Exports the dump image of crashed kernel in ELF format.
50443
50444 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50445 limited in memory.
50446
50447 config PROC_PAGE_MONITOR
50448 - default y
50449 - depends on PROC_FS && MMU
50450 + default n
50451 + depends on PROC_FS && MMU && !GRKERNSEC
50452 bool "Enable /proc page monitoring" if EXPERT
50453 help
50454 Various /proc files exist to monitor process memory utilization:
50455 diff -urNp linux-2.6.39.3/fs/proc/kcore.c linux-2.6.39.3/fs/proc/kcore.c
50456 --- linux-2.6.39.3/fs/proc/kcore.c 2011-05-19 00:06:34.000000000 -0400
50457 +++ linux-2.6.39.3/fs/proc/kcore.c 2011-05-22 19:41:37.000000000 -0400
50458 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
50459 off_t offset = 0;
50460 struct kcore_list *m;
50461
50462 + pax_track_stack();
50463 +
50464 /* setup ELF header */
50465 elf = (struct elfhdr *) bufp;
50466 bufp += sizeof(struct elfhdr);
50467 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
50468 * the addresses in the elf_phdr on our list.
50469 */
50470 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50471 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50472 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50473 + if (tsz > buflen)
50474 tsz = buflen;
50475 -
50476 +
50477 while (buflen) {
50478 struct kcore_list *m;
50479
50480 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
50481 kfree(elf_buf);
50482 } else {
50483 if (kern_addr_valid(start)) {
50484 - unsigned long n;
50485 + char *elf_buf;
50486 + mm_segment_t oldfs;
50487
50488 - n = copy_to_user(buffer, (char *)start, tsz);
50489 - /*
50490 - * We cannot distingush between fault on source
50491 - * and fault on destination. When this happens
50492 - * we clear too and hope it will trigger the
50493 - * EFAULT again.
50494 - */
50495 - if (n) {
50496 - if (clear_user(buffer + tsz - n,
50497 - n))
50498 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50499 + if (!elf_buf)
50500 + return -ENOMEM;
50501 + oldfs = get_fs();
50502 + set_fs(KERNEL_DS);
50503 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50504 + set_fs(oldfs);
50505 + if (copy_to_user(buffer, elf_buf, tsz)) {
50506 + kfree(elf_buf);
50507 return -EFAULT;
50508 + }
50509 }
50510 + set_fs(oldfs);
50511 + kfree(elf_buf);
50512 } else {
50513 if (clear_user(buffer, tsz))
50514 return -EFAULT;
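Review bot: When `__copy_from_user()` reports a fault on the kernel source address, the bounce buffer is freed and nothing is written to `buffer`, whereas the removed code zero-filled the unread tail with `clear_user()`. The rest of the loop is outside this hunk but presumably still advances by `tsz`, so the caller would be told about bytes it never received. `set_fs(oldfs)` also runs twice on the success path. Restoring the address limit once, right after the kernel-side copy, and zeroing the bounce buffer on a source fault keeps the old "unreadable means zeroes" behaviour and never hands out uninitialised `kmalloc()` memory.

```c
				char *elf_buf;
				mm_segment_t oldfs;
				unsigned long left;

				/* ... unchanged: kmalloc() of tsz bytes and the -ENOMEM return ... */
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				left = __copy_from_user(elf_buf, (const void __user *)start, tsz);
				set_fs(oldfs);	/* restore once, before touching user memory */
				if (left)
					memset(elf_buf, 0, tsz);	/* source fault: return zeroes */
				left = copy_to_user(buffer, elf_buf, tsz);
				kfree(elf_buf);
				if (left)
					return -EFAULT;
```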
50515 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
50516
50517 static int open_kcore(struct inode *inode, struct file *filp)
50518 {
50519 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50520 + return -EPERM;
50521 +#endif
50522 if (!capable(CAP_SYS_RAWIO))
50523 return -EPERM;
50524 if (kcore_need_update)
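Review bot: The unconditional `return -EPERM;` turns the `capable(CAP_SYS_RAWIO)` check and everything after it into dead code whenever either option is set, which hides the intent and can trigger unreachable-code warnings. An `#else` around the rest of the body, or a comment such as `/* kernel memory image: refuse even CAP_SYS_RAWIO holders */`, would make that explicit. The Kconfig hunk earlier in this patch makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so if kcore.c is only built under CONFIG_PROC_KCORE the `CONFIG_GRKERNSEC_PROC_ADD` half of the condition can never be true and only `CONFIG_GRKERNSEC_HIDESYM` matters. open_kcore continues past the end of the hunk.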
50525 diff -urNp linux-2.6.39.3/fs/proc/meminfo.c linux-2.6.39.3/fs/proc/meminfo.c
50526 --- linux-2.6.39.3/fs/proc/meminfo.c 2011-05-19 00:06:34.000000000 -0400
50527 +++ linux-2.6.39.3/fs/proc/meminfo.c 2011-05-22 19:36:32.000000000 -0400
50528 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50529 unsigned long pages[NR_LRU_LISTS];
50530 int lru;
50531
50532 + pax_track_stack();
50533 +
50534 /*
50535 * display in kilobytes.
50536 */
50537 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
50538 vmi.used >> 10,
50539 vmi.largest_chunk >> 10
50540 #ifdef CONFIG_MEMORY_FAILURE
50541 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50542 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50543 #endif
50544 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
50545 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
50546 diff -urNp linux-2.6.39.3/fs/proc/nommu.c linux-2.6.39.3/fs/proc/nommu.c
50547 --- linux-2.6.39.3/fs/proc/nommu.c 2011-05-19 00:06:34.000000000 -0400
50548 +++ linux-2.6.39.3/fs/proc/nommu.c 2011-05-22 19:36:32.000000000 -0400
50549 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
50550 if (len < 1)
50551 len = 1;
50552 seq_printf(m, "%*c", len, ' ');
50553 - seq_path(m, &file->f_path, "");
50554 + seq_path(m, &file->f_path, "\n\\");
50555 }
50556
50557 seq_putc(m, '\n');
50558 diff -urNp linux-2.6.39.3/fs/proc/proc_net.c linux-2.6.39.3/fs/proc/proc_net.c
50559 --- linux-2.6.39.3/fs/proc/proc_net.c 2011-05-19 00:06:34.000000000 -0400
50560 +++ linux-2.6.39.3/fs/proc/proc_net.c 2011-05-22 19:41:37.000000000 -0400
50561 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
50562 struct task_struct *task;
50563 struct nsproxy *ns;
50564 struct net *net = NULL;
50565 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50566 + const struct cred *cred = current_cred();
50567 +#endif
50568 +
50569 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50570 + if (cred->fsuid)
50571 + return net;
50572 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50573 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50574 + return net;
50575 +#endif
50576
50577 rcu_read_lock();
50578 task = pid_task(proc_pid(dir), PIDTYPE_PID);
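Review bot: Both early exits use `return net;`, which is only correct because `net` has not been assigned since its `= NULL` initialiser; `return NULL;` states the intent and will not silently change if code is later added above it. A short comment such as `/* callers outside the allowed uid/gid get no namespace back */` would also help, since how callers treat the NULL result is outside this hunk. The function body continues past the hunk.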
50579 diff -urNp linux-2.6.39.3/fs/proc/proc_sysctl.c linux-2.6.39.3/fs/proc/proc_sysctl.c
50580 --- linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-19 00:06:34.000000000 -0400
50581 +++ linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-22 19:41:37.000000000 -0400
50582 @@ -8,6 +8,8 @@
50583 #include <linux/namei.h>
50584 #include "internal.h"
50585
50586 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50587 +
50588 static const struct dentry_operations proc_sys_dentry_operations;
50589 static const struct file_operations proc_sys_file_operations;
50590 static const struct inode_operations proc_sys_inode_operations;
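Review bot: The prototype for `gr_handle_sysctl()` is declared with `extern` directly in this .c file, so nothing checks it against the definition; if the signature changes, this file keeps compiling against the stale one. Moving the declaration into a header that both the definition and this file include would let the compiler catch a mismatch. Which header should host it cannot be determined from this part of the patch.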
50591 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
50592 if (!p)
50593 goto out;
50594
50595 + if (gr_handle_sysctl(p, MAY_EXEC))
50596 + goto out;
50597 +
50598 err = ERR_PTR(-ENOMEM);
50599 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50600 if (h)
50601 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
50602 if (*pos < file->f_pos)
50603 continue;
50604
50605 + if (gr_handle_sysctl(table, 0))
50606 + continue;
50607 +
50608 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50609 if (res)
50610 return res;
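Review bot: `gr_handle_sysctl(table, 0)` passes a bare `0` as the operation, while the lookup and getattr hunks in this file pass `MAY_EXEC`, and nothing here says what op 0 means to the hook. If it is meant as a visibility-only check for directory listings, a named constant or a comment such as `/* op 0: listing visibility only, no access being requested */` would record that; the hook's definition is not visible, so this reading should be confirmed. scan() starts and ends outside the hunk.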
50611 @@ -358,6 +366,9 @@ static int proc_sys_getattr(struct vfsmo
50612 if (IS_ERR(head))
50613 return PTR_ERR(head);
50614
50615 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50616 + return -ENOENT;
50617 +
50618 generic_fillattr(inode, stat);
50619 if (table)
50620 stat->mode = (stat->mode & S_IFMT) | table->mode;
50621 diff -urNp linux-2.6.39.3/fs/proc/root.c linux-2.6.39.3/fs/proc/root.c
50622 --- linux-2.6.39.3/fs/proc/root.c 2011-05-19 00:06:34.000000000 -0400
50623 +++ linux-2.6.39.3/fs/proc/root.c 2011-05-22 19:41:37.000000000 -0400
50624 @@ -122,7 +122,15 @@ void __init proc_root_init(void)
50625 #ifdef CONFIG_PROC_DEVICETREE
50626 proc_device_tree_init();
50627 #endif
50628 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50629 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50630 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
50631 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50632 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
50633 +#endif
50634 +#else
50635 proc_mkdir("bus", NULL);
50636 +#endif
50637 proc_sys_init();
50638 }
50639
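Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#ifdef`/`#elif` has no fallback, so `/proc/bus` is never created. Kconfig may rule that combination out, but that is not visible here. An inner `#else` with `proc_mkdir("bus", NULL);` (or an `#error`) would make the code safe regardless. proc_root_init starts outside the hunk.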
50640 diff -urNp linux-2.6.39.3/fs/proc/task_mmu.c linux-2.6.39.3/fs/proc/task_mmu.c
50641 --- linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-19 00:06:34.000000000 -0400
50642 +++ linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-22 22:43:29.000000000 -0400
50643 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
50644 "VmExe:\t%8lu kB\n"
50645 "VmLib:\t%8lu kB\n"
50646 "VmPTE:\t%8lu kB\n"
50647 - "VmSwap:\t%8lu kB\n",
50648 - hiwater_vm << (PAGE_SHIFT-10),
50649 + "VmSwap:\t%8lu kB\n"
50650 +
50651 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50652 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50653 +#endif
50654 +
50655 + ,hiwater_vm << (PAGE_SHIFT-10),
50656 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50657 mm->locked_vm << (PAGE_SHIFT-10),
50658 hiwater_rss << (PAGE_SHIFT-10),
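Review bot: The CsBase/CsLim addition is split into two `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` blocks, one inside the format string here and one in the argument list in the next hunk, held together by a leading-comma argument. If one is edited without the other, the format and its arguments drift apart. A separate call under a single `#ifdef` after the existing one keeps them together: `seq_printf(m, "CsBase:\t%8lx\nCsLim:\t%8lx\n", mm->context.user_cs_base, mm->context.user_cs_limit);`. task_mem begins and ends outside this hunk.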
50659 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
50660 data << (PAGE_SHIFT-10),
50661 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50662 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
50663 - swap << (PAGE_SHIFT-10));
50664 + swap << (PAGE_SHIFT-10)
50665 +
50666 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50667 + , mm->context.user_cs_base, mm->context.user_cs_limit
50668 +#endif
50669 +
50670 + );
50671 }
50672
50673 unsigned long task_vsize(struct mm_struct *mm)
50674 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
50675 return ret;
50676 }
50677
50678 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50679 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50680 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50681 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50682 +#endif
50683 +
50684 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50685 {
50686 struct mm_struct *mm = vma->vm_mm;
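Review bot: `PAX_RAND_FLAGS(_mm)` expands its argument four times without parentheses, so an argument with side effects or a lower-precedence operator would misbehave. The callers visible in this patch pass `mm` and `vma->vm_mm`, which happen to be safe. Parenthesising and merging the two flag tests is enough: `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, or it could be a `static inline` function. A one-line comment saying it is true for another task's mm with one of these flags set would help readers at the call sites.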
50687 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
50688 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50689 }
50690
50691 - /* We don't show the stack guard page in /proc/maps */
50692 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50693 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
50694 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
50695 +#else
50696 start = vma->vm_start;
50697 - if (stack_guard_page_start(vma, start))
50698 - start += PAGE_SIZE;
50699 end = vma->vm_end;
50700 - if (stack_guard_page_end(vma, end))
50701 - end -= PAGE_SIZE;
50702 +#endif
50703
50704 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50705 start,
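Review bot: The `#else` branch no longer applies the `stack_guard_page_start()`/`stack_guard_page_end()` adjustment, so the reported range changes even when `CONFIG_GRKERNSEC_PROC_MEMMAP` is off, and the explaining comment is removed without a replacement. If the guard page is handled differently elsewhere in the patch (not visible here), a one-line comment saying so would help; otherwise the adjustment belongs in the `#else` branch. The zeroing branch would benefit from a comment such as `/* do not reveal the layout of another task's randomised mappings */`. show_map_vma starts and ends outside the hunk.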
50706 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
50707 flags & VM_WRITE ? 'w' : '-',
50708 flags & VM_EXEC ? 'x' : '-',
50709 flags & VM_MAYSHARE ? 's' : 'p',
50710 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50711 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50712 +#else
50713 pgoff,
50714 +#endif
50715 MAJOR(dev), MINOR(dev), ino, &len);
50716
50717 /*
50718 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
50719 */
50720 if (file) {
50721 pad_len_spaces(m, len);
50722 - seq_path(m, &file->f_path, "\n");
50723 + seq_path(m, &file->f_path, "\n\\");
50724 } else {
50725 const char *name = arch_vma_name(vma);
50726 if (!name) {
50727 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
50728 if (vma->vm_start <= mm->brk &&
50729 vma->vm_end >= mm->start_brk) {
50730 name = "[heap]";
50731 - } else if (vma->vm_start <= mm->start_stack &&
50732 - vma->vm_end >= mm->start_stack) {
50733 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50734 + (vma->vm_start <= mm->start_stack &&
50735 + vma->vm_end >= mm->start_stack)) {
50736 name = "[stack]";
50737 }
50738 } else {
50739 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
50740 };
50741
50742 memset(&mss, 0, sizeof mss);
50743 - mss.vma = vma;
50744 - /* mmap_sem is held in m_start */
50745 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50746 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50747 -
50748 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50749 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50750 +#endif
50751 + mss.vma = vma;
50752 + /* mmap_sem is held in m_start */
50753 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50754 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50755 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50756 + }
50757 +#endif
50758 show_map_vma(m, vma);
50759
50760 seq_printf(m,
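Review bot: The opening `if (!PAX_RAND_FLAGS(vma->vm_mm)) {` and its closing `}` sit in separate `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` blocks, which is easy to break when either block is edited. Defining `PAX_RAND_FLAGS(_mm)` as `0` in an `#else` next to the macro would make this a plain `if` with no preprocessor lines, and would remove the `#ifdef` pairs in the seq_printf argument lists of the next hunk and of show_map_vma. `mss.vma` now stays NULL (from the `memset`) on the hidden path; that looks intended since the walk is skipped, but it deserves a comment. show_smap continues outside the hunk.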
50761 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
50762 "KernelPageSize: %8lu kB\n"
50763 "MMUPageSize: %8lu kB\n"
50764 "Locked: %8lu kB\n",
50765 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50766 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50767 +#else
50768 (vma->vm_end - vma->vm_start) >> 10,
50769 +#endif
50770 mss.resident >> 10,
50771 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50772 mss.shared_clean >> 10,
50773 diff -urNp linux-2.6.39.3/fs/proc/task_nommu.c linux-2.6.39.3/fs/proc/task_nommu.c
50774 --- linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-19 00:06:34.000000000 -0400
50775 +++ linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-22 19:36:32.000000000 -0400
50776 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
50777 else
50778 bytes += kobjsize(mm);
50779
50780 - if (current->fs && current->fs->users > 1)
50781 + if (current->fs && atomic_read(&current->fs->users) > 1)
50782 sbytes += kobjsize(current->fs);
50783 else
50784 bytes += kobjsize(current->fs);
50785 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
50786
50787 if (file) {
50788 pad_len_spaces(m, len);
50789 - seq_path(m, &file->f_path, "");
50790 + seq_path(m, &file->f_path, "\n\\");
50791 } else if (mm) {
50792 if (vma->vm_start <= mm->start_stack &&
50793 vma->vm_end >= mm->start_stack) {
50794 diff -urNp linux-2.6.39.3/fs/quota/netlink.c linux-2.6.39.3/fs/quota/netlink.c
50795 --- linux-2.6.39.3/fs/quota/netlink.c 2011-05-19 00:06:34.000000000 -0400
50796 +++ linux-2.6.39.3/fs/quota/netlink.c 2011-05-22 19:36:32.000000000 -0400
50797 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
50798 void quota_send_warning(short type, unsigned int id, dev_t dev,
50799 const char warntype)
50800 {
50801 - static atomic_t seq;
50802 + static atomic_unchecked_t seq;
50803 struct sk_buff *skb;
50804 void *msg_head;
50805 int ret;
50806 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
50807 "VFS: Not enough memory to send quota warning.\n");
50808 return;
50809 }
50810 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
50811 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
50812 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
50813 if (!msg_head) {
50814 printk(KERN_ERR
50815 diff -urNp linux-2.6.39.3/fs/readdir.c linux-2.6.39.3/fs/readdir.c
50816 --- linux-2.6.39.3/fs/readdir.c 2011-05-19 00:06:34.000000000 -0400
50817 +++ linux-2.6.39.3/fs/readdir.c 2011-05-22 19:41:42.000000000 -0400
50818 @@ -17,6 +17,7 @@
50819 #include <linux/security.h>
50820 #include <linux/syscalls.h>
50821 #include <linux/unistd.h>
50822 +#include <linux/namei.h>
50823
50824 #include <asm/uaccess.h>
50825
50826 @@ -67,6 +68,7 @@ struct old_linux_dirent {
50827
50828 struct readdir_callback {
50829 struct old_linux_dirent __user * dirent;
50830 + struct file * file;
50831 int result;
50832 };
50833
50834 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50835 buf->result = -EOVERFLOW;
50836 return -EOVERFLOW;
50837 }
50838 +
50839 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50840 + return 0;
50841 +
50842 buf->result++;
50843 dirent = buf->dirent;
50844 if (!access_ok(VERIFY_WRITE, dirent,
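Review bot: `gr_acl_handle_filldir()` is consulted only after the `-EOVERFLOW` return on `d_ino`, so an entry the hook would hide can still end the listing with an error. The same ordering appears in the filldir hunk, and in filldir64 the call follows `if (reclen > buf->count) return -EINVAL;`. Assuming the hook exists to make denied entries invisible (its definition is not shown), calling it before those size checks keeps a hidden name from influencing what the caller observes. fillonedir begins and ends outside the hunk.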
50845 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50846
50847 buf.result = 0;
50848 buf.dirent = dirent;
50849 + buf.file = file;
50850
50851 error = vfs_readdir(file, fillonedir, &buf);
50852 if (buf.result)
50853 @@ -142,6 +149,7 @@ struct linux_dirent {
50854 struct getdents_callback {
50855 struct linux_dirent __user * current_dir;
50856 struct linux_dirent __user * previous;
50857 + struct file * file;
50858 int count;
50859 int error;
50860 };
50861 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
50862 buf->error = -EOVERFLOW;
50863 return -EOVERFLOW;
50864 }
50865 +
50866 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50867 + return 0;
50868 +
50869 dirent = buf->previous;
50870 if (dirent) {
50871 if (__put_user(offset, &dirent->d_off))
50872 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50873 buf.previous = NULL;
50874 buf.count = count;
50875 buf.error = 0;
50876 + buf.file = file;
50877
50878 error = vfs_readdir(file, filldir, &buf);
50879 if (error >= 0)
50880 @@ -229,6 +242,7 @@ out:
50881 struct getdents_callback64 {
50882 struct linux_dirent64 __user * current_dir;
50883 struct linux_dirent64 __user * previous;
50884 + struct file *file;
50885 int count;
50886 int error;
50887 };
50888 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
50889 buf->error = -EINVAL; /* only used if we fail.. */
50890 if (reclen > buf->count)
50891 return -EINVAL;
50892 +
50893 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50894 + return 0;
50895 +
50896 dirent = buf->previous;
50897 if (dirent) {
50898 if (__put_user(offset, &dirent->d_off))
50899 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50900
50901 buf.current_dir = dirent;
50902 buf.previous = NULL;
50903 + buf.file = file;
50904 buf.count = count;
50905 buf.error = 0;
50906
50907 diff -urNp linux-2.6.39.3/fs/reiserfs/dir.c linux-2.6.39.3/fs/reiserfs/dir.c
50908 --- linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-19 00:06:34.000000000 -0400
50909 +++ linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-22 19:36:32.000000000 -0400
50910 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50911 struct reiserfs_dir_entry de;
50912 int ret = 0;
50913
50914 + pax_track_stack();
50915 +
50916 reiserfs_write_lock(inode->i_sb);
50917
50918 reiserfs_check_lock_depth(inode->i_sb, "readdir");
50919 diff -urNp linux-2.6.39.3/fs/reiserfs/do_balan.c linux-2.6.39.3/fs/reiserfs/do_balan.c
50920 --- linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-19 00:06:34.000000000 -0400
50921 +++ linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-22 19:36:32.000000000 -0400
50922 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
50923 return;
50924 }
50925
50926 - atomic_inc(&(fs_generation(tb->tb_sb)));
50927 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50928 do_balance_starts(tb);
50929
50930 /* balance leaf returns 0 except if combining L R and S into
50931 diff -urNp linux-2.6.39.3/fs/reiserfs/item_ops.c linux-2.6.39.3/fs/reiserfs/item_ops.c
50932 --- linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-19 00:06:34.000000000 -0400
50933 +++ linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-22 19:36:32.000000000 -0400
50934 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50935 vi->vi_index, vi->vi_type, vi->vi_ih);
50936 }
50937
50938 -static struct item_operations stat_data_ops = {
50939 +static const struct item_operations stat_data_ops = {
50940 .bytes_number = sd_bytes_number,
50941 .decrement_key = sd_decrement_key,
50942 .is_left_mergeable = sd_is_left_mergeable,
50943 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50944 vi->vi_index, vi->vi_type, vi->vi_ih);
50945 }
50946
50947 -static struct item_operations direct_ops = {
50948 +static const struct item_operations direct_ops = {
50949 .bytes_number = direct_bytes_number,
50950 .decrement_key = direct_decrement_key,
50951 .is_left_mergeable = direct_is_left_mergeable,
50952 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50953 vi->vi_index, vi->vi_type, vi->vi_ih);
50954 }
50955
50956 -static struct item_operations indirect_ops = {
50957 +static const struct item_operations indirect_ops = {
50958 .bytes_number = indirect_bytes_number,
50959 .decrement_key = indirect_decrement_key,
50960 .is_left_mergeable = indirect_is_left_mergeable,
50961 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50962 printk("\n");
50963 }
50964
50965 -static struct item_operations direntry_ops = {
50966 +static const struct item_operations direntry_ops = {
50967 .bytes_number = direntry_bytes_number,
50968 .decrement_key = direntry_decrement_key,
50969 .is_left_mergeable = direntry_is_left_mergeable,
50970 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
50971 "Invalid item type observed, run fsck ASAP");
50972 }
50973
50974 -static struct item_operations errcatch_ops = {
50975 +static const struct item_operations errcatch_ops = {
50976 errcatch_bytes_number,
50977 errcatch_decrement_key,
50978 errcatch_is_left_mergeable,
50979 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
50980 #error Item types must use disk-format assigned values.
50981 #endif
50982
50983 -struct item_operations *item_ops[TYPE_ANY + 1] = {
50984 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
50985 &stat_data_ops,
50986 &indirect_ops,
50987 &direct_ops,
50988 diff -urNp linux-2.6.39.3/fs/reiserfs/journal.c linux-2.6.39.3/fs/reiserfs/journal.c
50989 --- linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-19 00:06:34.000000000 -0400
50990 +++ linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-22 19:36:32.000000000 -0400
50991 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
50992 struct buffer_head *bh;
50993 int i, j;
50994
50995 + pax_track_stack();
50996 +
50997 bh = __getblk(dev, block, bufsize);
50998 if (buffer_uptodate(bh))
50999 return (bh);
51000 diff -urNp linux-2.6.39.3/fs/reiserfs/namei.c linux-2.6.39.3/fs/reiserfs/namei.c
51001 --- linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-19 00:06:34.000000000 -0400
51002 +++ linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-22 19:36:32.000000000 -0400
51003 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
51004 unsigned long savelink = 1;
51005 struct timespec ctime;
51006
51007 + pax_track_stack();
51008 +
51009 /* three balancings: (1) old name removal, (2) new name insertion
51010 and (3) maybe "save" link insertion
51011 stat data updates: (1) old directory,
51012 diff -urNp linux-2.6.39.3/fs/reiserfs/procfs.c linux-2.6.39.3/fs/reiserfs/procfs.c
51013 --- linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-19 00:06:34.000000000 -0400
51014 +++ linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-22 19:36:32.000000000 -0400
51015 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
51016 "SMALL_TAILS " : "NO_TAILS ",
51017 replay_only(sb) ? "REPLAY_ONLY " : "",
51018 convert_reiserfs(sb) ? "CONV " : "",
51019 - atomic_read(&r->s_generation_counter),
51020 + atomic_read_unchecked(&r->s_generation_counter),
51021 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
51022 SF(s_do_balance), SF(s_unneeded_left_neighbor),
51023 SF(s_good_search_by_key_reada), SF(s_bmaps),
51024 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
51025 struct journal_params *jp = &rs->s_v1.s_journal;
51026 char b[BDEVNAME_SIZE];
51027
51028 + pax_track_stack();
51029 +
51030 seq_printf(m, /* on-disk fields */
51031 "jp_journal_1st_block: \t%i\n"
51032 "jp_journal_dev: \t%s[%x]\n"
51033 diff -urNp linux-2.6.39.3/fs/reiserfs/stree.c linux-2.6.39.3/fs/reiserfs/stree.c
51034 --- linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-19 00:06:34.000000000 -0400
51035 +++ linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-22 19:36:32.000000000 -0400
51036 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
51037 int iter = 0;
51038 #endif
51039
51040 + pax_track_stack();
51041 +
51042 BUG_ON(!th->t_trans_id);
51043
51044 init_tb_struct(th, &s_del_balance, sb, path,
51045 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
51046 int retval;
51047 int quota_cut_bytes = 0;
51048
51049 + pax_track_stack();
51050 +
51051 BUG_ON(!th->t_trans_id);
51052
51053 le_key2cpu_key(&cpu_key, key);
51054 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
51055 int quota_cut_bytes;
51056 loff_t tail_pos = 0;
51057
51058 + pax_track_stack();
51059 +
51060 BUG_ON(!th->t_trans_id);
51061
51062 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
51063 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
51064 int retval;
51065 int fs_gen;
51066
51067 + pax_track_stack();
51068 +
51069 BUG_ON(!th->t_trans_id);
51070
51071 fs_gen = get_generation(inode->i_sb);
51072 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
51073 int fs_gen = 0;
51074 int quota_bytes = 0;
51075
51076 + pax_track_stack();
51077 +
51078 BUG_ON(!th->t_trans_id);
51079
51080 if (inode) { /* Do we count quotas for item? */
51081 diff -urNp linux-2.6.39.3/fs/reiserfs/super.c linux-2.6.39.3/fs/reiserfs/super.c
51082 --- linux-2.6.39.3/fs/reiserfs/super.c 2011-05-19 00:06:34.000000000 -0400
51083 +++ linux-2.6.39.3/fs/reiserfs/super.c 2011-05-22 19:36:32.000000000 -0400
51084 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
51085 {.option_name = NULL}
51086 };
51087
51088 + pax_track_stack();
51089 +
51090 *blocks = 0;
51091 if (!options || !*options)
51092 /* use default configuration: create tails, journaling on, no
51093 diff -urNp linux-2.6.39.3/fs/select.c linux-2.6.39.3/fs/select.c
51094 --- linux-2.6.39.3/fs/select.c 2011-05-19 00:06:34.000000000 -0400
51095 +++ linux-2.6.39.3/fs/select.c 2011-05-22 19:41:42.000000000 -0400
51096 @@ -20,6 +20,7 @@
51097 #include <linux/module.h>
51098 #include <linux/slab.h>
51099 #include <linux/poll.h>
51100 +#include <linux/security.h>
51101 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
51102 #include <linux/file.h>
51103 #include <linux/fdtable.h>
51104 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
51105 int retval, i, timed_out = 0;
51106 unsigned long slack = 0;
51107
51108 + pax_track_stack();
51109 +
51110 rcu_read_lock();
51111 retval = max_select_fd(n, fds);
51112 rcu_read_unlock();
51113 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
51114 /* Allocate small arguments on the stack to save memory and be faster */
51115 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
51116
51117 + pax_track_stack();
51118 +
51119 ret = -EINVAL;
51120 if (n < 0)
51121 goto out_nofds;
51122 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
51123 struct poll_list *walk = head;
51124 unsigned long todo = nfds;
51125
51126 + pax_track_stack();
51127 +
51128 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
51129 if (nfds > rlimit(RLIMIT_NOFILE))
51130 return -EINVAL;
51131
51132 diff -urNp linux-2.6.39.3/fs/seq_file.c linux-2.6.39.3/fs/seq_file.c
51133 --- linux-2.6.39.3/fs/seq_file.c 2011-05-19 00:06:34.000000000 -0400
51134 +++ linux-2.6.39.3/fs/seq_file.c 2011-05-22 19:36:32.000000000 -0400
51135 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
51136 return 0;
51137 }
51138 if (!m->buf) {
51139 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51140 + m->size = PAGE_SIZE;
51141 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51142 if (!m->buf)
51143 return -ENOMEM;
51144 }
51145 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
51146 Eoverflow:
51147 m->op->stop(m, p);
51148 kfree(m->buf);
51149 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51150 + m->size <<= 1;
51151 + m->buf = kmalloc(m->size, GFP_KERNEL);
51152 return !m->buf ? -ENOMEM : -EAGAIN;
51153 }
51154
51155 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
51156 m->version = file->f_version;
51157 /* grab buffer if we didn't have one */
51158 if (!m->buf) {
51159 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51160 + m->size = PAGE_SIZE;
51161 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51162 if (!m->buf)
51163 goto Enomem;
51164 }
51165 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
51166 goto Fill;
51167 m->op->stop(m, p);
51168 kfree(m->buf);
51169 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51170 + m->size <<= 1;
51171 + m->buf = kmalloc(m->size, GFP_KERNEL);
51172 if (!m->buf)
51173 goto Enomem;
51174 m->count = 0;
51175 diff -urNp linux-2.6.39.3/fs/splice.c linux-2.6.39.3/fs/splice.c
51176 --- linux-2.6.39.3/fs/splice.c 2011-05-19 00:06:34.000000000 -0400
51177 +++ linux-2.6.39.3/fs/splice.c 2011-05-22 19:36:32.000000000 -0400
51178 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51179 pipe_lock(pipe);
51180
51181 for (;;) {
51182 - if (!pipe->readers) {
51183 + if (!atomic_read(&pipe->readers)) {
51184 send_sig(SIGPIPE, current, 0);
51185 if (!ret)
51186 ret = -EPIPE;
51187 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51188 do_wakeup = 0;
51189 }
51190
51191 - pipe->waiting_writers++;
51192 + atomic_inc(&pipe->waiting_writers);
51193 pipe_wait(pipe);
51194 - pipe->waiting_writers--;
51195 + atomic_dec(&pipe->waiting_writers);
51196 }
51197
51198 pipe_unlock(pipe);
51199 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
51200 .spd_release = spd_release_page,
51201 };
51202
51203 + pax_track_stack();
51204 +
51205 if (splice_grow_spd(pipe, &spd))
51206 return -ENOMEM;
51207
51208 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
51209 old_fs = get_fs();
51210 set_fs(get_ds());
51211 /* The cast to a user pointer is valid due to the set_fs() */
51212 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51213 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
51214 set_fs(old_fs);
51215
51216 return res;
51217 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
51218 old_fs = get_fs();
51219 set_fs(get_ds());
51220 /* The cast to a user pointer is valid due to the set_fs() */
51221 - res = vfs_write(file, (const char __user *)buf, count, &pos);
51222 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
51223 set_fs(old_fs);
51224
51225 return res;
51226 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
51227 .spd_release = spd_release_page,
51228 };
51229
51230 + pax_track_stack();
51231 +
51232 if (splice_grow_spd(pipe, &spd))
51233 return -ENOMEM;
51234
51235 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
51236 goto err;
51237
51238 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51239 - vec[i].iov_base = (void __user *) page_address(page);
51240 + vec[i].iov_base = (__force void __user *) page_address(page);
51241 vec[i].iov_len = this_len;
51242 spd.pages[i] = page;
51243 spd.nr_pages++;
51244 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51245 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51246 {
51247 while (!pipe->nrbufs) {
51248 - if (!pipe->writers)
51249 + if (!atomic_read(&pipe->writers))
51250 return 0;
51251
51252 - if (!pipe->waiting_writers && sd->num_spliced)
51253 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51254 return 0;
51255
51256 if (sd->flags & SPLICE_F_NONBLOCK)
51257 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
51258 * out of the pipe right after the splice_to_pipe(). So set
51259 * PIPE_READERS appropriately.
51260 */
51261 - pipe->readers = 1;
51262 + atomic_set(&pipe->readers, 1);
51263
51264 current->splice_pipe = pipe;
51265 }
51266 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
51267 };
51268 long ret;
51269
51270 + pax_track_stack();
51271 +
51272 pipe = get_pipe_info(file);
51273 if (!pipe)
51274 return -EBADF;
51275 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
51276 ret = -ERESTARTSYS;
51277 break;
51278 }
51279 - if (!pipe->writers)
51280 + if (!atomic_read(&pipe->writers))
51281 break;
51282 - if (!pipe->waiting_writers) {
51283 + if (!atomic_read(&pipe->waiting_writers)) {
51284 if (flags & SPLICE_F_NONBLOCK) {
51285 ret = -EAGAIN;
51286 break;
51287 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
51288 pipe_lock(pipe);
51289
51290 while (pipe->nrbufs >= pipe->buffers) {
51291 - if (!pipe->readers) {
51292 + if (!atomic_read(&pipe->readers)) {
51293 send_sig(SIGPIPE, current, 0);
51294 ret = -EPIPE;
51295 break;
51296 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
51297 ret = -ERESTARTSYS;
51298 break;
51299 }
51300 - pipe->waiting_writers++;
51301 + atomic_inc(&pipe->waiting_writers);
51302 pipe_wait(pipe);
51303 - pipe->waiting_writers--;
51304 + atomic_dec(&pipe->waiting_writers);
51305 }
51306
51307 pipe_unlock(pipe);
51308 @@ -1815,14 +1821,14 @@ retry:
51309 pipe_double_lock(ipipe, opipe);
51310
51311 do {
51312 - if (!opipe->readers) {
51313 + if (!atomic_read(&opipe->readers)) {
51314 send_sig(SIGPIPE, current, 0);
51315 if (!ret)
51316 ret = -EPIPE;
51317 break;
51318 }
51319
51320 - if (!ipipe->nrbufs && !ipipe->writers)
51321 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51322 break;
51323
51324 /*
51325 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
51326 pipe_double_lock(ipipe, opipe);
51327
51328 do {
51329 - if (!opipe->readers) {
51330 + if (!atomic_read(&opipe->readers)) {
51331 send_sig(SIGPIPE, current, 0);
51332 if (!ret)
51333 ret = -EPIPE;
51334 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
51335 * return EAGAIN if we have the potential of some data in the
51336 * future, otherwise just return 0
51337 */
51338 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51339 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51340 ret = -EAGAIN;
51341
51342 pipe_unlock(ipipe);
51343 diff -urNp linux-2.6.39.3/fs/sysfs/file.c linux-2.6.39.3/fs/sysfs/file.c
51344 --- linux-2.6.39.3/fs/sysfs/file.c 2011-05-19 00:06:34.000000000 -0400
51345 +++ linux-2.6.39.3/fs/sysfs/file.c 2011-05-22 19:36:32.000000000 -0400
51346 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51347
51348 struct sysfs_open_dirent {
51349 atomic_t refcnt;
51350 - atomic_t event;
51351 + atomic_unchecked_t event;
51352 wait_queue_head_t poll;
51353 struct list_head buffers; /* goes through sysfs_buffer.list */
51354 };
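Review bot: `event` becomes `atomic_unchecked_t` while `refcnt` beside it stays `atomic_t`, and the struct gives no reason for the difference. The sysfs_poll hunk below only compares `event` for inequality, so wrap-around looks harmless. A field comment such as `/* change counter, may wrap; not a reference count */` would record why it is exempt from overflow checking.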
51355 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51356 if (!sysfs_get_active(attr_sd))
51357 return -ENODEV;
51358
51359 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51360 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51361 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51362
51363 sysfs_put_active(attr_sd);
51364 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51365 return -ENOMEM;
51366
51367 atomic_set(&new_od->refcnt, 0);
51368 - atomic_set(&new_od->event, 1);
51369 + atomic_set_unchecked(&new_od->event, 1);
51370 init_waitqueue_head(&new_od->poll);
51371 INIT_LIST_HEAD(&new_od->buffers);
51372 goto retry;
51373 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51374
51375 sysfs_put_active(attr_sd);
51376
51377 - if (buffer->event != atomic_read(&od->event))
51378 + if (buffer->event != atomic_read_unchecked(&od->event))
51379 goto trigger;
51380
51381 return DEFAULT_POLLMASK;
51382 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51383
51384 od = sd->s_attr.open;
51385 if (od) {
51386 - atomic_inc(&od->event);
51387 + atomic_inc_unchecked(&od->event);
51388 wake_up_interruptible(&od->poll);
51389 }
51390
51391 diff -urNp linux-2.6.39.3/fs/sysfs/mount.c linux-2.6.39.3/fs/sysfs/mount.c
51392 --- linux-2.6.39.3/fs/sysfs/mount.c 2011-05-19 00:06:34.000000000 -0400
51393 +++ linux-2.6.39.3/fs/sysfs/mount.c 2011-05-22 19:41:42.000000000 -0400
51394 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51395 .s_name = "",
51396 .s_count = ATOMIC_INIT(1),
51397 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
51398 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51399 + .s_mode = S_IFDIR | S_IRWXU,
51400 +#else
51401 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51402 +#endif
51403 .s_ino = 1,
51404 };
51405
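Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch of `sysfs_root.s_mode` has no comment describing its effect, and it changes only the root directory's mode. With `S_IFDIR | S_IRWXU` every non-owner loses search permission on the sysfs root, so the restriction rests on path traversal through that one directory; the modes of the entries below it are not touched in this hunk. A short comment such as `/* owner-only root: other users cannot traverse into sysfs */` above the `#ifdef` would make that design explicit for anyone auditing what the option does and does not cover.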
51406 diff -urNp linux-2.6.39.3/fs/sysfs/symlink.c linux-2.6.39.3/fs/sysfs/symlink.c
51407 --- linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-19 00:06:34.000000000 -0400
51408 +++ linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-22 19:36:32.000000000 -0400
51409 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
51410
51411 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51412 {
51413 - char *page = nd_get_link(nd);
51414 + const char *page = nd_get_link(nd);
51415 if (!IS_ERR(page))
51416 free_page((unsigned long)page);
51417 }
51418 diff -urNp linux-2.6.39.3/fs/udf/inode.c linux-2.6.39.3/fs/udf/inode.c
51419 --- linux-2.6.39.3/fs/udf/inode.c 2011-05-19 00:06:34.000000000 -0400
51420 +++ linux-2.6.39.3/fs/udf/inode.c 2011-05-22 19:36:32.000000000 -0400
51421 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
51422 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51423 int lastblock = 0;
51424
51425 + pax_track_stack();
51426 +
51427 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51428 prev_epos.block = iinfo->i_location;
51429 prev_epos.bh = NULL;
51430 diff -urNp linux-2.6.39.3/fs/udf/misc.c linux-2.6.39.3/fs/udf/misc.c
51431 --- linux-2.6.39.3/fs/udf/misc.c 2011-05-19 00:06:34.000000000 -0400
51432 +++ linux-2.6.39.3/fs/udf/misc.c 2011-05-22 19:36:32.000000000 -0400
51433 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51434
51435 u8 udf_tag_checksum(const struct tag *t)
51436 {
51437 - u8 *data = (u8 *)t;
51438 + const u8 *data = (const u8 *)t;
51439 u8 checksum = 0;
51440 int i;
51441 for (i = 0; i < sizeof(struct tag); ++i)
51442 diff -urNp linux-2.6.39.3/fs/utimes.c linux-2.6.39.3/fs/utimes.c
51443 --- linux-2.6.39.3/fs/utimes.c 2011-05-19 00:06:34.000000000 -0400
51444 +++ linux-2.6.39.3/fs/utimes.c 2011-05-22 19:41:42.000000000 -0400
51445 @@ -1,6 +1,7 @@
51446 #include <linux/compiler.h>
51447 #include <linux/file.h>
51448 #include <linux/fs.h>
51449 +#include <linux/security.h>
51450 #include <linux/linkage.h>
51451 #include <linux/mount.h>
51452 #include <linux/namei.h>
51453 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51454 goto mnt_drop_write_and_out;
51455 }
51456 }
51457 +
51458 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51459 + error = -EACCES;
51460 + goto mnt_drop_write_and_out;
51461 + }
51462 +
51463 mutex_lock(&inode->i_mutex);
51464 error = notify_change(path->dentry, &newattrs);
51465 mutex_unlock(&inode->i_mutex);
51466 diff -urNp linux-2.6.39.3/fs/xattr_acl.c linux-2.6.39.3/fs/xattr_acl.c
51467 --- linux-2.6.39.3/fs/xattr_acl.c 2011-05-19 00:06:34.000000000 -0400
51468 +++ linux-2.6.39.3/fs/xattr_acl.c 2011-05-22 19:36:32.000000000 -0400
51469 @@ -17,8 +17,8 @@
51470 struct posix_acl *
51471 posix_acl_from_xattr(const void *value, size_t size)
51472 {
51473 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51474 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51475 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51476 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51477 int count;
51478 struct posix_acl *acl;
51479 struct posix_acl_entry *acl_e;
51480 diff -urNp linux-2.6.39.3/fs/xattr.c linux-2.6.39.3/fs/xattr.c
51481 --- linux-2.6.39.3/fs/xattr.c 2011-05-19 00:06:34.000000000 -0400
51482 +++ linux-2.6.39.3/fs/xattr.c 2011-05-22 19:41:42.000000000 -0400
51483 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
51484 * Extended attribute SET operations
51485 */
51486 static long
51487 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
51488 +setxattr(struct path *path, const char __user *name, const void __user *value,
51489 size_t size, int flags)
51490 {
51491 int error;
51492 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
51493 return PTR_ERR(kvalue);
51494 }
51495
51496 - error = vfs_setxattr(d, kname, kvalue, size, flags);
51497 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
51498 + error = -EACCES;
51499 + goto out;
51500 + }
51501 +
51502 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
51503 +out:
51504 kfree(kvalue);
51505 return error;
51506 }
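Review bot: The `gr_acl_handle_setxattr()` denial in `setxattr()` is evaluated only after `kvalue` has been allocated and filled from user memory (the `PTR_ERR(kvalue)` return just above it), so a caller the policy rejects still causes the copy and allocation. The check takes only `path->dentry` and `path->mnt`, so it does not depend on the copied name or value and could run first: `if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) return -EACCES;` ahead of the user copies, which would also make the `out:` label unnecessary. The top of `setxattr()` is outside this hunk, so confirm nothing earlier in the function needs to run before the policy check.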
51507 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
51508 return error;
51509 error = mnt_want_write(path.mnt);
51510 if (!error) {
51511 - error = setxattr(path.dentry, name, value, size, flags);
51512 + error = setxattr(&path, name, value, size, flags);
51513 mnt_drop_write(path.mnt);
51514 }
51515 path_put(&path);
51516 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
51517 return error;
51518 error = mnt_want_write(path.mnt);
51519 if (!error) {
51520 - error = setxattr(path.dentry, name, value, size, flags);
51521 + error = setxattr(&path, name, value, size, flags);
51522 mnt_drop_write(path.mnt);
51523 }
51524 path_put(&path);
51525 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
51526 const void __user *,value, size_t, size, int, flags)
51527 {
51528 struct file *f;
51529 - struct dentry *dentry;
51530 int error = -EBADF;
51531
51532 f = fget(fd);
51533 if (!f)
51534 return error;
51535 - dentry = f->f_path.dentry;
51536 - audit_inode(NULL, dentry);
51537 + audit_inode(NULL, f->f_path.dentry);
51538 error = mnt_want_write_file(f);
51539 if (!error) {
51540 - error = setxattr(dentry, name, value, size, flags);
51541 + error = setxattr(&f->f_path, name, value, size, flags);
51542 mnt_drop_write(f->f_path.mnt);
51543 }
51544 fput(f);
51545 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c
51546 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-19 00:06:34.000000000 -0400
51547 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-22 19:41:42.000000000 -0400
51548 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
51549 xfs_fsop_geom_t fsgeo;
51550 int error;
51551
51552 + memset(&fsgeo, 0, sizeof(fsgeo));
51553 error = xfs_fs_geometry(mp, &fsgeo, 3);
51554 if (error)
51555 return -error;
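Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` in `xfs_compat_ioc_fsgeometry_v1()` has no comment, and its purpose is easy to lose in a later cleanup. `fsgeo` is a stack structure filled by `xfs_fs_geometry(mp, &fsgeo, 3)`; any field or padding that call leaves unwritten would presumably be copied to user space later in the function, which is outside this hunk. A comment such as `/* clear first: bytes xfs_fs_geometry() does not set must not reach userspace */` would state that dependency.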
51556 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c
51557 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-19 00:06:34.000000000 -0400
51558 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-22 19:36:32.000000000 -0400
51559 @@ -128,7 +128,7 @@ xfs_find_handle(
51560 }
51561
51562 error = -EFAULT;
51563 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51564 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51565 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51566 goto out_put;
51567
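Review bot: The new `hsize > sizeof handle` test in `xfs_find_handle()` is folded into the `copy_to_user()` condition, so an oversized handle length is reported as `-EFAULT`, the same error as a bad user pointer. The bound is worth having before `&handle` is read for `hsize` bytes, but a length that exceeds the local object is an internal consistency failure and should be distinguishable from a fault. I would test it separately ahead of `error = -EFAULT;`, e.g. `if (hsize > sizeof handle) { error = -EINVAL; goto out_put; }`, and leave the two `copy_to_user()` calls as they were. The function begins and ends outside this hunk.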
51568 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c
51569 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-19 00:06:34.000000000 -0400
51570 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-22 19:36:32.000000000 -0400
51571 @@ -437,7 +437,7 @@ xfs_vn_put_link(
51572 struct nameidata *nd,
51573 void *p)
51574 {
51575 - char *s = nd_get_link(nd);
51576 + const char *s = nd_get_link(nd);
51577
51578 if (!IS_ERR(s))
51579 kfree(s);
51580 diff -urNp linux-2.6.39.3/fs/xfs/xfs_bmap.c linux-2.6.39.3/fs/xfs/xfs_bmap.c
51581 --- linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-19 00:06:34.000000000 -0400
51582 +++ linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-22 19:36:32.000000000 -0400
51583 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
51584 int nmap,
51585 int ret_nmap);
51586 #else
51587 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51588 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51589 #endif /* DEBUG */
51590
51591 STATIC int
51592 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2.c linux-2.6.39.3/fs/xfs/xfs_dir2.c
51593 --- linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-19 00:06:34.000000000 -0400
51594 +++ linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-22 19:36:32.000000000 -0400
51595 @@ -85,7 +85,7 @@ xfs_ascii_ci_compname(
51596 return result;
51597 }
51598
51599 -static struct xfs_nameops xfs_ascii_ci_nameops = {
51600 +static const struct xfs_nameops xfs_ascii_ci_nameops = {
51601 .hashname = xfs_ascii_ci_hashname,
51602 .compname = xfs_ascii_ci_compname,
51603 };
51604 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c
51605 --- linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-19 00:06:34.000000000 -0400
51606 +++ linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-22 19:36:32.000000000 -0400
51607 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
51608 }
51609
51610 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51611 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51612 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51613 + char name[sfep->namelen];
51614 + memcpy(name, sfep->name, sfep->namelen);
51615 + if (filldir(dirent, name, sfep->namelen,
51616 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
51617 + *offset = off & 0x7fffffff;
51618 + return 0;
51619 + }
51620 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51621 off & 0x7fffffff, ino, DT_UNKNOWN)) {
51622 *offset = off & 0x7fffffff;
51623 return 0;
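Review bot: The new `char name[sfep->namelen];` bounce buffer in the inline-data branch is a variable-length array sized by a value read from the directory entry, and nothing in the hunk says why the name is copied at all. A fixed array sized for the longest short-form name would make the stack cost explicit. A comment should give the reason for the copy, presumably that the buffer handed to `filldir()` must not point into the inode's inline data (confirm against the usercopy checks this patch adds). The two branches also repeat the same `filldir()` failure handling; selecting the name pointer first and calling `filldir()` once would remove the duplication. `xfs_dir2_sf_getdents()` starts and ends outside the hunk.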
51624 diff -urNp linux-2.6.39.3/grsecurity/gracl_alloc.c linux-2.6.39.3/grsecurity/gracl_alloc.c
51625 --- linux-2.6.39.3/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
51626 +++ linux-2.6.39.3/grsecurity/gracl_alloc.c 2011-05-22 19:41:42.000000000 -0400
51627 @@ -0,0 +1,105 @@
51628 +#include <linux/kernel.h>
51629 +#include <linux/mm.h>
51630 +#include <linux/slab.h>
51631 +#include <linux/vmalloc.h>
51632 +#include <linux/gracl.h>
51633 +#include <linux/grsecurity.h>
51634 +
51635 +static unsigned long alloc_stack_next = 1;
51636 +static unsigned long alloc_stack_size = 1;
51637 +static void **alloc_stack;
51638 +
51639 +static __inline__ int
51640 +alloc_pop(void)
51641 +{
51642 + if (alloc_stack_next == 1)
51643 + return 0;
51644 +
51645 + kfree(alloc_stack[alloc_stack_next - 2]);
51646 +
51647 + alloc_stack_next--;
51648 +
51649 + return 1;
51650 +}
51651 +
51652 +static __inline__ int
51653 +alloc_push(void *buf)
51654 +{
51655 + if (alloc_stack_next >= alloc_stack_size)
51656 + return 1;
51657 +
51658 + alloc_stack[alloc_stack_next - 1] = buf;
51659 +
51660 + alloc_stack_next++;
51661 +
51662 + return 0;
51663 +}
51664 +
51665 +void *
51666 +acl_alloc(unsigned long len)
51667 +{
51668 + void *ret = NULL;
51669 +
51670 + if (!len || len > PAGE_SIZE)
51671 + goto out;
51672 +
51673 + ret = kmalloc(len, GFP_KERNEL);
51674 +
51675 + if (ret) {
51676 + if (alloc_push(ret)) {
51677 + kfree(ret);
51678 + ret = NULL;
51679 + }
51680 + }
51681 +
51682 +out:
51683 + return ret;
51684 +}
51685 +
51686 +void *
51687 +acl_alloc_num(unsigned long num, unsigned long len)
51688 +{
51689 + if (!len || (num > (PAGE_SIZE / len)))
51690 + return NULL;
51691 +
51692 + return acl_alloc(num * len);
51693 +}
51694 +
51695 +void
51696 +acl_free_all(void)
51697 +{
51698 + if (gr_acl_is_enabled() || !alloc_stack)
51699 + return;
51700 +
51701 + while (alloc_pop()) ;
51702 +
51703 + if (alloc_stack) {
51704 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
51705 + kfree(alloc_stack);
51706 + else
51707 + vfree(alloc_stack);
51708 + }
51709 +
51710 + alloc_stack = NULL;
51711 + alloc_stack_size = 1;
51712 + alloc_stack_next = 1;
51713 +
51714 + return;
51715 +}
51716 +
51717 +int
51718 +acl_alloc_stack_init(unsigned long size)
51719 +{
51720 + if ((size * sizeof (void *)) <= PAGE_SIZE)
51721 + alloc_stack =
51722 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
51723 + else
51724 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
51725 +
51726 + alloc_stack_size = size;
51727 +
51728 + if (!alloc_stack)
51729 + return 0;
51730 + else
51731 + return 1;
51732 +}
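Review bot: `acl_alloc_stack_init()` computes `size * sizeof (void *)` without an overflow check and assigns `alloc_stack_size = size` before it knows whether the allocation succeeded. If the product wraps, the `<= PAGE_SIZE` test passes and a small array is allocated while `alloc_stack_size` holds the large count, so the bound enforced in `alloc_push()` no longer matches the array. On allocation failure `alloc_stack` is NULL while the size stays set. Whether a caller can pass such a count is not visible in this file. I would reject counts whose byte size wraps and record the capacity only after the array exists; the casts on the `kmalloc()`/`vmalloc()` results are also unnecessary in C.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	/* refuse counts whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	/* … unchanged: kmalloc()/vmalloc() selection by byte size … */

	if (!alloc_stack)
		return 0;

	/* record the capacity only once the backing array exists */
	alloc_stack_size = size;
	return 1;
}
```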
51733 diff -urNp linux-2.6.39.3/grsecurity/gracl.c linux-2.6.39.3/grsecurity/gracl.c
51734 --- linux-2.6.39.3/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
51735 +++ linux-2.6.39.3/grsecurity/gracl.c 2011-07-14 21:03:00.000000000 -0400
51736 @@ -0,0 +1,4106 @@
51737 +#include <linux/kernel.h>
51738 +#include <linux/module.h>
51739 +#include <linux/sched.h>
51740 +#include <linux/mm.h>
51741 +#include <linux/file.h>
51742 +#include <linux/fs.h>
51743 +#include <linux/namei.h>
51744 +#include <linux/mount.h>
51745 +#include <linux/tty.h>
51746 +#include <linux/proc_fs.h>
51747 +#include <linux/lglock.h>
51748 +#include <linux/slab.h>
51749 +#include <linux/vmalloc.h>
51750 +#include <linux/types.h>
51751 +#include <linux/sysctl.h>
51752 +#include <linux/netdevice.h>
51753 +#include <linux/ptrace.h>
51754 +#include <linux/gracl.h>
51755 +#include <linux/gralloc.h>
51756 +#include <linux/grsecurity.h>
51757 +#include <linux/grinternal.h>
51758 +#include <linux/pid_namespace.h>
51759 +#include <linux/fdtable.h>
51760 +#include <linux/percpu.h>
51761 +
51762 +#include <asm/uaccess.h>
51763 +#include <asm/errno.h>
51764 +#include <asm/mman.h>
51765 +
51766 +static struct acl_role_db acl_role_set;
51767 +static struct name_db name_set;
51768 +static struct inodev_db inodev_set;
51769 +
51770 +/* for keeping track of userspace pointers used for subjects, so we
51771 + can share references in the kernel as well
51772 +*/
51773 +
51774 +static struct path real_root;
51775 +
51776 +static struct acl_subj_map_db subj_map_set;
51777 +
51778 +static struct acl_role_label *default_role;
51779 +
51780 +static struct acl_role_label *role_list;
51781 +
51782 +static u16 acl_sp_role_value;
51783 +
51784 +extern char *gr_shared_page[4];
51785 +static DEFINE_MUTEX(gr_dev_mutex);
51786 +DEFINE_RWLOCK(gr_inode_lock);
51787 +
51788 +struct gr_arg *gr_usermode;
51789 +
51790 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
51791 +
51792 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
51793 +extern void gr_clear_learn_entries(void);
51794 +
51795 +#ifdef CONFIG_GRKERNSEC_RESLOG
51796 +extern void gr_log_resource(const struct task_struct *task,
51797 + const int res, const unsigned long wanted, const int gt);
51798 +#endif
51799 +
51800 +unsigned char *gr_system_salt;
51801 +unsigned char *gr_system_sum;
51802 +
51803 +static struct sprole_pw **acl_special_roles = NULL;
51804 +static __u16 num_sprole_pws = 0;
51805 +
51806 +static struct acl_role_label *kernel_role = NULL;
51807 +
51808 +static unsigned int gr_auth_attempts = 0;
51809 +static unsigned long gr_auth_expires = 0UL;
51810 +
51811 +#ifdef CONFIG_NET
51812 +extern struct vfsmount *sock_mnt;
51813 +#endif
51814 +
51815 +extern struct vfsmount *pipe_mnt;
51816 +extern struct vfsmount *shm_mnt;
51817 +#ifdef CONFIG_HUGETLBFS
51818 +extern struct vfsmount *hugetlbfs_vfsmount;
51819 +#endif
51820 +
51821 +static struct acl_object_label *fakefs_obj_rw;
51822 +static struct acl_object_label *fakefs_obj_rwx;
51823 +
51824 +extern int gr_init_uidset(void);
51825 +extern void gr_free_uidset(void);
51826 +extern void gr_remove_uid(uid_t uid);
51827 +extern int gr_find_uid(uid_t uid);
51828 +
51829 +DECLARE_BRLOCK(vfsmount_lock);
51830 +
51831 +__inline__ int
51832 +gr_acl_is_enabled(void)
51833 +{
51834 + return (gr_status & GR_READY);
51835 +}
51836 +
51837 +#ifdef CONFIG_BTRFS_FS
51838 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
51839 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
51840 +#endif
51841 +
51842 +static inline dev_t __get_dev(const struct dentry *dentry)
51843 +{
51844 +#ifdef CONFIG_BTRFS_FS
51845 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
51846 + return get_btrfs_dev_from_inode(dentry->d_inode);
51847 + else
51848 +#endif
51849 + return dentry->d_inode->i_sb->s_dev;
51850 +}
51851 +
51852 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
51853 +{
51854 + return __get_dev(dentry);
51855 +}
51856 +
51857 +static char gr_task_roletype_to_char(struct task_struct *task)
51858 +{
51859 + switch (task->role->roletype &
51860 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
51861 + GR_ROLE_SPECIAL)) {
51862 + case GR_ROLE_DEFAULT:
51863 + return 'D';
51864 + case GR_ROLE_USER:
51865 + return 'U';
51866 + case GR_ROLE_GROUP:
51867 + return 'G';
51868 + case GR_ROLE_SPECIAL:
51869 + return 'S';
51870 + }
51871 +
51872 + return 'X';
51873 +}
51874 +
51875 +char gr_roletype_to_char(void)
51876 +{
51877 + return gr_task_roletype_to_char(current);
51878 +}
51879 +
51880 +__inline__ int
51881 +gr_acl_tpe_check(void)
51882 +{
51883 + if (unlikely(!(gr_status & GR_READY)))
51884 + return 0;
51885 + if (current->role->roletype & GR_ROLE_TPE)
51886 + return 1;
51887 + else
51888 + return 0;
51889 +}
51890 +
51891 +int
51892 +gr_handle_rawio(const struct inode *inode)
51893 +{
51894 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51895 + if (inode && S_ISBLK(inode->i_mode) &&
51896 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
51897 + !capable(CAP_SYS_RAWIO))
51898 + return 1;
51899 +#endif
51900 + return 0;
51901 +}
51902 +
51903 +static int
51904 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
51905 +{
51906 + if (likely(lena != lenb))
51907 + return 0;
51908 +
51909 + return !memcmp(a, b, lena);
51910 +}
51911 +
51912 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
51913 +{
51914 + *buflen -= namelen;
51915 + if (*buflen < 0)
51916 + return -ENAMETOOLONG;
51917 + *buffer -= namelen;
51918 + memcpy(*buffer, str, namelen);
51919 + return 0;
51920 +}
51921 +
51922 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
51923 +{
51924 + return prepend(buffer, buflen, name->name, name->len);
51925 +}
51926 +
51927 +static int prepend_path(const struct path *path, struct path *root,
51928 + char **buffer, int *buflen)
51929 +{
51930 + struct dentry *dentry = path->dentry;
51931 + struct vfsmount *vfsmnt = path->mnt;
51932 + bool slash = false;
51933 + int error = 0;
51934 +
51935 + while (dentry != root->dentry || vfsmnt != root->mnt) {
51936 + struct dentry * parent;
51937 +
51938 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
51939 + /* Global root? */
51940 + if (vfsmnt->mnt_parent == vfsmnt) {
51941 + goto out;
51942 + }
51943 + dentry = vfsmnt->mnt_mountpoint;
51944 + vfsmnt = vfsmnt->mnt_parent;
51945 + continue;
51946 + }
51947 + parent = dentry->d_parent;
51948 + prefetch(parent);
51949 + spin_lock(&dentry->d_lock);
51950 + error = prepend_name(buffer, buflen, &dentry->d_name);
51951 + spin_unlock(&dentry->d_lock);
51952 + if (!error)
51953 + error = prepend(buffer, buflen, "/", 1);
51954 + if (error)
51955 + break;
51956 +
51957 + slash = true;
51958 + dentry = parent;
51959 + }
51960 +
51961 +out:
51962 + if (!error && !slash)
51963 + error = prepend(buffer, buflen, "/", 1);
51964 +
51965 + return error;
51966 +}
51967 +
51968 +/* this must be called with vfsmount_lock and rename_lock held */
51969 +
51970 +static char *__our_d_path(const struct path *path, struct path *root,
51971 + char *buf, int buflen)
51972 +{
51973 + char *res = buf + buflen;
51974 + int error;
51975 +
51976 + prepend(&res, &buflen, "\0", 1);
51977 + error = prepend_path(path, root, &res, &buflen);
51978 + if (error)
51979 + return ERR_PTR(error);
51980 +
51981 + return res;
51982 +}
51983 +
51984 +static char *
51985 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
51986 +{
51987 + char *retval;
51988 +
51989 + retval = __our_d_path(path, root, buf, buflen);
51990 + if (unlikely(IS_ERR(retval)))
51991 + retval = strcpy(buf, "<path too long>");
51992 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
51993 + retval[1] = '\0';
51994 +
51995 + return retval;
51996 +}
51997 +
51998 +static char *
51999 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52000 + char *buf, int buflen)
52001 +{
52002 + struct path path;
52003 + char *res;
52004 +
52005 + path.dentry = (struct dentry *)dentry;
52006 + path.mnt = (struct vfsmount *)vfsmnt;
52007 +
52008 + /* we can use real_root.dentry, real_root.mnt, because this is only called
52009 + by the RBAC system */
52010 + res = gen_full_path(&path, &real_root, buf, buflen);
52011 +
52012 + return res;
52013 +}
52014 +
52015 +static char *
52016 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52017 + char *buf, int buflen)
52018 +{
52019 + char *res;
52020 + struct path path;
52021 + struct path root;
52022 + struct task_struct *reaper = &init_task;
52023 +
52024 + path.dentry = (struct dentry *)dentry;
52025 + path.mnt = (struct vfsmount *)vfsmnt;
52026 +
52027 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
52028 + get_fs_root(reaper->fs, &root);
52029 +
52030 + write_seqlock(&rename_lock);
52031 + br_read_lock(vfsmount_lock);
52032 + res = gen_full_path(&path, &root, buf, buflen);
52033 + br_read_unlock(vfsmount_lock);
52034 + write_sequnlock(&rename_lock);
52035 +
52036 + path_put(&root);
52037 + return res;
52038 +}
52039 +
52040 +static char *
52041 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52042 +{
52043 + char *ret;
52044 + write_seqlock(&rename_lock);
52045 + br_read_lock(vfsmount_lock);
52046 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52047 + PAGE_SIZE);
52048 + br_read_unlock(vfsmount_lock);
52049 + write_sequnlock(&rename_lock);
52050 + return ret;
52051 +}
52052 +
52053 +char *
52054 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52055 +{
52056 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52057 + PAGE_SIZE);
52058 +}
52059 +
52060 +char *
52061 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52062 +{
52063 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52064 + PAGE_SIZE);
52065 +}
52066 +
52067 +char *
52068 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52069 +{
52070 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52071 + PAGE_SIZE);
52072 +}
52073 +
52074 +char *
52075 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52076 +{
52077 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52078 + PAGE_SIZE);
52079 +}
52080 +
52081 +char *
52082 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52083 +{
52084 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52085 + PAGE_SIZE);
52086 +}
52087 +
52088 +__inline__ __u32
52089 +to_gr_audit(const __u32 reqmode)
52090 +{
52091 + /* masks off auditable permission flags, then shifts them to create
52092 + auditing flags, and adds the special case of append auditing if
52093 + we're requesting write */
52094 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52095 +}
52096 +
52097 +struct acl_subject_label *
52098 +lookup_subject_map(const struct acl_subject_label *userp)
52099 +{
52100 + unsigned int index = shash(userp, subj_map_set.s_size);
52101 + struct subject_map *match;
52102 +
52103 + match = subj_map_set.s_hash[index];
52104 +
52105 + while (match && match->user != userp)
52106 + match = match->next;
52107 +
52108 + if (match != NULL)
52109 + return match->kernel;
52110 + else
52111 + return NULL;
52112 +}
52113 +
52114 +static void
52115 +insert_subj_map_entry(struct subject_map *subjmap)
52116 +{
52117 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52118 + struct subject_map **curr;
52119 +
52120 + subjmap->prev = NULL;
52121 +
52122 + curr = &subj_map_set.s_hash[index];
52123 + if (*curr != NULL)
52124 + (*curr)->prev = subjmap;
52125 +
52126 + subjmap->next = *curr;
52127 + *curr = subjmap;
52128 +
52129 + return;
52130 +}
52131 +
52132 +static struct acl_role_label *
52133 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52134 + const gid_t gid)
52135 +{
52136 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52137 + struct acl_role_label *match;
52138 + struct role_allowed_ip *ipp;
52139 + unsigned int x;
52140 + u32 curr_ip = task->signal->curr_ip;
52141 +
52142 + task->signal->saved_ip = curr_ip;
52143 +
52144 + match = acl_role_set.r_hash[index];
52145 +
52146 + while (match) {
52147 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52148 + for (x = 0; x < match->domain_child_num; x++) {
52149 + if (match->domain_children[x] == uid)
52150 + goto found;
52151 + }
52152 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52153 + break;
52154 + match = match->next;
52155 + }
52156 +found:
52157 + if (match == NULL) {
52158 + try_group:
52159 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52160 + match = acl_role_set.r_hash[index];
52161 +
52162 + while (match) {
52163 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52164 + for (x = 0; x < match->domain_child_num; x++) {
52165 + if (match->domain_children[x] == gid)
52166 + goto found2;
52167 + }
52168 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52169 + break;
52170 + match = match->next;
52171 + }
52172 +found2:
52173 + if (match == NULL)
52174 + match = default_role;
52175 + if (match->allowed_ips == NULL)
52176 + return match;
52177 + else {
52178 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52179 + if (likely
52180 + ((ntohl(curr_ip) & ipp->netmask) ==
52181 + (ntohl(ipp->addr) & ipp->netmask)))
52182 + return match;
52183 + }
52184 + match = default_role;
52185 + }
52186 + } else if (match->allowed_ips == NULL) {
52187 + return match;
52188 + } else {
52189 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52190 + if (likely
52191 + ((ntohl(curr_ip) & ipp->netmask) ==
52192 + (ntohl(ipp->addr) & ipp->netmask)))
52193 + return match;
52194 + }
52195 + goto try_group;
52196 + }
52197 +
52198 + return match;
52199 +}
52200 +
52201 +struct acl_subject_label *
52202 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52203 + const struct acl_role_label *role)
52204 +{
52205 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52206 + struct acl_subject_label *match;
52207 +
52208 + match = role->subj_hash[index];
52209 +
52210 + while (match && (match->inode != ino || match->device != dev ||
52211 + (match->mode & GR_DELETED))) {
52212 + match = match->next;
52213 + }
52214 +
52215 + if (match && !(match->mode & GR_DELETED))
52216 + return match;
52217 + else
52218 + return NULL;
52219 +}
52220 +
52221 +struct acl_subject_label *
52222 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52223 + const struct acl_role_label *role)
52224 +{
52225 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52226 + struct acl_subject_label *match;
52227 +
52228 + match = role->subj_hash[index];
52229 +
52230 + while (match && (match->inode != ino || match->device != dev ||
52231 + !(match->mode & GR_DELETED))) {
52232 + match = match->next;
52233 + }
52234 +
52235 + if (match && (match->mode & GR_DELETED))
52236 + return match;
52237 + else
52238 + return NULL;
52239 +}
52240 +
52241 +static struct acl_object_label *
52242 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52243 + const struct acl_subject_label *subj)
52244 +{
52245 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52246 + struct acl_object_label *match;
52247 +
52248 + match = subj->obj_hash[index];
52249 +
52250 + while (match && (match->inode != ino || match->device != dev ||
52251 + (match->mode & GR_DELETED))) {
52252 + match = match->next;
52253 + }
52254 +
52255 + if (match && !(match->mode & GR_DELETED))
52256 + return match;
52257 + else
52258 + return NULL;
52259 +}
52260 +
52261 +static struct acl_object_label *
52262 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52263 + const struct acl_subject_label *subj)
52264 +{
52265 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52266 + struct acl_object_label *match;
52267 +
52268 + match = subj->obj_hash[index];
52269 +
52270 + while (match && (match->inode != ino || match->device != dev ||
52271 + !(match->mode & GR_DELETED))) {
52272 + match = match->next;
52273 + }
52274 +
52275 + if (match && (match->mode & GR_DELETED))
52276 + return match;
52277 +
52278 + match = subj->obj_hash[index];
52279 +
52280 + while (match && (match->inode != ino || match->device != dev ||
52281 + (match->mode & GR_DELETED))) {
52282 + match = match->next;
52283 + }
52284 +
52285 + if (match && !(match->mode & GR_DELETED))
52286 + return match;
52287 + else
52288 + return NULL;
52289 +}
52290 +
52291 +static struct name_entry *
52292 +lookup_name_entry(const char *name)
52293 +{
52294 + unsigned int len = strlen(name);
52295 + unsigned int key = full_name_hash(name, len);
52296 + unsigned int index = key % name_set.n_size;
52297 + struct name_entry *match;
52298 +
52299 + match = name_set.n_hash[index];
52300 +
52301 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52302 + match = match->next;
52303 +
52304 + return match;
52305 +}
52306 +
52307 +static struct name_entry *
52308 +lookup_name_entry_create(const char *name)
52309 +{
52310 + unsigned int len = strlen(name);
52311 + unsigned int key = full_name_hash(name, len);
52312 + unsigned int index = key % name_set.n_size;
52313 + struct name_entry *match;
52314 +
52315 + match = name_set.n_hash[index];
52316 +
52317 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52318 + !match->deleted))
52319 + match = match->next;
52320 +
52321 + if (match && match->deleted)
52322 + return match;
52323 +
52324 + match = name_set.n_hash[index];
52325 +
52326 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52327 + match->deleted))
52328 + match = match->next;
52329 +
52330 + if (match && !match->deleted)
52331 + return match;
52332 + else
52333 + return NULL;
52334 +}
52335 +
52336 +static struct inodev_entry *
52337 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
52338 +{
52339 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
52340 + struct inodev_entry *match;
52341 +
52342 + match = inodev_set.i_hash[index];
52343 +
52344 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52345 + match = match->next;
52346 +
52347 + return match;
52348 +}
52349 +
52350 +static void
52351 +insert_inodev_entry(struct inodev_entry *entry)
52352 +{
52353 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52354 + inodev_set.i_size);
52355 + struct inodev_entry **curr;
52356 +
52357 + entry->prev = NULL;
52358 +
52359 + curr = &inodev_set.i_hash[index];
52360 + if (*curr != NULL)
52361 + (*curr)->prev = entry;
52362 +
52363 + entry->next = *curr;
52364 + *curr = entry;
52365 +
52366 + return;
52367 +}
52368 +
52369 +static void
52370 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52371 +{
52372 + unsigned int index =
52373 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52374 + struct acl_role_label **curr;
52375 + struct acl_role_label *tmp;
52376 +
52377 + curr = &acl_role_set.r_hash[index];
52378 +
52379 + /* if role was already inserted due to domains and already has
52380 + a role in the same bucket as it attached, then we need to
52381 + combine these two buckets
52382 + */
52383 + if (role->next) {
52384 + tmp = role->next;
52385 + while (tmp->next)
52386 + tmp = tmp->next;
52387 + tmp->next = *curr;
52388 + } else
52389 + role->next = *curr;
52390 + *curr = role;
52391 +
52392 + return;
52393 +}
52394 +
52395 +static void
52396 +insert_acl_role_label(struct acl_role_label *role)
52397 +{
52398 + int i;
52399 +
52400 + if (role_list == NULL) {
52401 + role_list = role;
52402 + role->prev = NULL;
52403 + } else {
52404 + role->prev = role_list;
52405 + role_list = role;
52406 + }
52407 +
52408 + /* used for hash chains */
52409 + role->next = NULL;
52410 +
52411 + if (role->roletype & GR_ROLE_DOMAIN) {
52412 + for (i = 0; i < role->domain_child_num; i++)
52413 + __insert_acl_role_label(role, role->domain_children[i]);
52414 + } else
52415 + __insert_acl_role_label(role, role->uidgid);
52416 +}
52417 +
52418 +static int
52419 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52420 +{
52421 + struct name_entry **curr, *nentry;
52422 + struct inodev_entry *ientry;
52423 + unsigned int len = strlen(name);
52424 + unsigned int key = full_name_hash(name, len);
52425 + unsigned int index = key % name_set.n_size;
52426 +
52427 + curr = &name_set.n_hash[index];
52428 +
52429 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52430 + curr = &((*curr)->next);
52431 +
52432 + if (*curr != NULL)
52433 + return 1;
52434 +
52435 + nentry = acl_alloc(sizeof (struct name_entry));
52436 + if (nentry == NULL)
52437 + return 0;
52438 + ientry = acl_alloc(sizeof (struct inodev_entry));
52439 + if (ientry == NULL)
52440 + return 0;
52441 + ientry->nentry = nentry;
52442 +
52443 + nentry->key = key;
52444 + nentry->name = name;
52445 + nentry->inode = inode;
52446 + nentry->device = device;
52447 + nentry->len = len;
52448 + nentry->deleted = deleted;
52449 +
52450 + nentry->prev = NULL;
52451 + curr = &name_set.n_hash[index];
52452 + if (*curr != NULL)
52453 + (*curr)->prev = nentry;
52454 + nentry->next = *curr;
52455 + *curr = nentry;
52456 +
52457 + /* insert us into the table searchable by inode/dev */
52458 + insert_inodev_entry(ientry);
52459 +
52460 + return 1;
52461 +}
52462 +
52463 +static void
52464 +insert_acl_obj_label(struct acl_object_label *obj,
52465 + struct acl_subject_label *subj)
52466 +{
52467 + unsigned int index =
52468 + fhash(obj->inode, obj->device, subj->obj_hash_size);
52469 + struct acl_object_label **curr;
52470 +
52471 +
52472 + obj->prev = NULL;
52473 +
52474 + curr = &subj->obj_hash[index];
52475 + if (*curr != NULL)
52476 + (*curr)->prev = obj;
52477 +
52478 + obj->next = *curr;
52479 + *curr = obj;
52480 +
52481 + return;
52482 +}
52483 +
52484 +static void
52485 +insert_acl_subj_label(struct acl_subject_label *obj,
52486 + struct acl_role_label *role)
52487 +{
52488 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52489 + struct acl_subject_label **curr;
52490 +
52491 + obj->prev = NULL;
52492 +
52493 + curr = &role->subj_hash[index];
52494 + if (*curr != NULL)
52495 + (*curr)->prev = obj;
52496 +
52497 + obj->next = *curr;
52498 + *curr = obj;
52499 +
52500 + return;
52501 +}
52502 +
52503 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52504 +
52505 +static void *
52506 +create_table(__u32 * len, int elementsize)
52507 +{
52508 + unsigned int table_sizes[] = {
52509 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52510 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52511 + 4194301, 8388593, 16777213, 33554393, 67108859
52512 + };
52513 + void *newtable = NULL;
52514 + unsigned int pwr = 0;
52515 +
52516 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52517 + table_sizes[pwr] <= *len)
52518 + pwr++;
52519 +
52520 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52521 + return newtable;
52522 +
52523 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52524 + newtable =
52525 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52526 + else
52527 + newtable = vmalloc(table_sizes[pwr] * elementsize);
52528 +
52529 + *len = table_sizes[pwr];
52530 +
52531 + return newtable;
52532 +}
52533 +
52534 +static int
52535 +init_variables(const struct gr_arg *arg)
52536 +{
52537 + struct task_struct *reaper = &init_task;
52538 + unsigned int stacksize;
52539 +
52540 + subj_map_set.s_size = arg->role_db.num_subjects;
52541 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
52542 + name_set.n_size = arg->role_db.num_objects;
52543 + inodev_set.i_size = arg->role_db.num_objects;
52544 +
52545 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
52546 + !name_set.n_size || !inodev_set.i_size)
52547 + return 1;
52548 +
52549 + if (!gr_init_uidset())
52550 + return 1;
52551 +
52552 + /* set up the stack that holds allocation info */
52553 +
52554 + stacksize = arg->role_db.num_pointers + 5;
52555 +
52556 + if (!acl_alloc_stack_init(stacksize))
52557 + return 1;
52558 +
52559 + /* grab reference for the real root dentry and vfsmount */
52560 + get_fs_root(reaper->fs, &real_root);
52561 +
52562 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52563 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
52564 +#endif
52565 +
52566 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
52567 + if (fakefs_obj_rw == NULL)
52568 + return 1;
52569 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
52570 +
52571 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
52572 + if (fakefs_obj_rwx == NULL)
52573 + return 1;
52574 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
52575 +
52576 + subj_map_set.s_hash =
52577 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
52578 + acl_role_set.r_hash =
52579 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
52580 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
52581 + inodev_set.i_hash =
52582 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
52583 +
52584 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
52585 + !name_set.n_hash || !inodev_set.i_hash)
52586 + return 1;
52587 +
52588 + memset(subj_map_set.s_hash, 0,
52589 + sizeof(struct subject_map *) * subj_map_set.s_size);
52590 + memset(acl_role_set.r_hash, 0,
52591 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
52592 + memset(name_set.n_hash, 0,
52593 + sizeof (struct name_entry *) * name_set.n_size);
52594 + memset(inodev_set.i_hash, 0,
52595 + sizeof (struct inodev_entry *) * inodev_set.i_size);
52596 +
52597 + return 0;
52598 +}
52599 +
52600 +/* free information not needed after startup
52601 + currently contains user->kernel pointer mappings for subjects
52602 +*/
52603 +
52604 +static void
52605 +free_init_variables(void)
52606 +{
52607 + __u32 i;
52608 +
52609 + if (subj_map_set.s_hash) {
52610 + for (i = 0; i < subj_map_set.s_size; i++) {
52611 + if (subj_map_set.s_hash[i]) {
52612 + kfree(subj_map_set.s_hash[i]);
52613 + subj_map_set.s_hash[i] = NULL;
52614 + }
52615 + }
52616 +
52617 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
52618 + PAGE_SIZE)
52619 + kfree(subj_map_set.s_hash);
52620 + else
52621 + vfree(subj_map_set.s_hash);
52622 + }
52623 +
52624 + return;
52625 +}
52626 +
52627 +static void
52628 +free_variables(void)
52629 +{
52630 + struct acl_subject_label *s;
52631 + struct acl_role_label *r;
52632 + struct task_struct *task, *task2;
52633 + unsigned int x;
52634 +
52635 + gr_clear_learn_entries();
52636 +
52637 + read_lock(&tasklist_lock);
52638 + do_each_thread(task2, task) {
52639 + task->acl_sp_role = 0;
52640 + task->acl_role_id = 0;
52641 + task->acl = NULL;
52642 + task->role = NULL;
52643 + } while_each_thread(task2, task);
52644 + read_unlock(&tasklist_lock);
52645 +
52646 + /* release the reference to the real root dentry and vfsmount */
52647 + path_put(&real_root);
52648 +
52649 + /* free all object hash tables */
52650 +
52651 + FOR_EACH_ROLE_START(r)
52652 + if (r->subj_hash == NULL)
52653 + goto next_role;
52654 + FOR_EACH_SUBJECT_START(r, s, x)
52655 + if (s->obj_hash == NULL)
52656 + break;
52657 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52658 + kfree(s->obj_hash);
52659 + else
52660 + vfree(s->obj_hash);
52661 + FOR_EACH_SUBJECT_END(s, x)
52662 + FOR_EACH_NESTED_SUBJECT_START(r, s)
52663 + if (s->obj_hash == NULL)
52664 + break;
52665 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52666 + kfree(s->obj_hash);
52667 + else
52668 + vfree(s->obj_hash);
52669 + FOR_EACH_NESTED_SUBJECT_END(s)
52670 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
52671 + kfree(r->subj_hash);
52672 + else
52673 + vfree(r->subj_hash);
52674 + r->subj_hash = NULL;
52675 +next_role:
52676 + FOR_EACH_ROLE_END(r)
52677 +
52678 + acl_free_all();
52679 +
52680 + if (acl_role_set.r_hash) {
52681 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
52682 + PAGE_SIZE)
52683 + kfree(acl_role_set.r_hash);
52684 + else
52685 + vfree(acl_role_set.r_hash);
52686 + }
52687 + if (name_set.n_hash) {
52688 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
52689 + PAGE_SIZE)
52690 + kfree(name_set.n_hash);
52691 + else
52692 + vfree(name_set.n_hash);
52693 + }
52694 +
52695 + if (inodev_set.i_hash) {
52696 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
52697 + PAGE_SIZE)
52698 + kfree(inodev_set.i_hash);
52699 + else
52700 + vfree(inodev_set.i_hash);
52701 + }
52702 +
52703 + gr_free_uidset();
52704 +
52705 + memset(&name_set, 0, sizeof (struct name_db));
52706 + memset(&inodev_set, 0, sizeof (struct inodev_db));
52707 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
52708 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
52709 +
52710 + default_role = NULL;
52711 + role_list = NULL;
52712 +
52713 + return;
52714 +}
52715 +
52716 +static __u32
52717 +count_user_objs(struct acl_object_label *userp)
52718 +{
52719 + struct acl_object_label o_tmp;
52720 + __u32 num = 0;
52721 +
52722 + while (userp) {
52723 + if (copy_from_user(&o_tmp, userp,
52724 + sizeof (struct acl_object_label)))
52725 + break;
52726 +
52727 + userp = o_tmp.prev;
52728 + num++;
52729 + }
52730 +
52731 + return num;
52732 +}
52733 +
52734 +static struct acl_subject_label *
52735 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
52736 +
52737 +static int
52738 +copy_user_glob(struct acl_object_label *obj)
52739 +{
52740 + struct acl_object_label *g_tmp, **guser;
52741 + unsigned int len;
52742 + char *tmp;
52743 +
52744 + if (obj->globbed == NULL)
52745 + return 0;
52746 +
52747 + guser = &obj->globbed;
52748 + while (*guser) {
52749 + g_tmp = (struct acl_object_label *)
52750 + acl_alloc(sizeof (struct acl_object_label));
52751 + if (g_tmp == NULL)
52752 + return -ENOMEM;
52753 +
52754 + if (copy_from_user(g_tmp, *guser,
52755 + sizeof (struct acl_object_label)))
52756 + return -EFAULT;
52757 +
52758 + len = strnlen_user(g_tmp->filename, PATH_MAX);
52759 +
52760 + if (!len || len >= PATH_MAX)
52761 + return -EINVAL;
52762 +
52763 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52764 + return -ENOMEM;
52765 +
52766 + if (copy_from_user(tmp, g_tmp->filename, len))
52767 + return -EFAULT;
52768 + tmp[len-1] = '\0';
52769 + g_tmp->filename = tmp;
52770 +
52771 + *guser = g_tmp;
52772 + guser = &(g_tmp->next);
52773 + }
52774 +
52775 + return 0;
52776 +}
52777 +
52778 +static int
52779 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
52780 + struct acl_role_label *role)
52781 +{
52782 + struct acl_object_label *o_tmp;
52783 + unsigned int len;
52784 + int ret;
52785 + char *tmp;
52786 +
52787 + while (userp) {
52788 + if ((o_tmp = (struct acl_object_label *)
52789 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
52790 + return -ENOMEM;
52791 +
52792 + if (copy_from_user(o_tmp, userp,
52793 + sizeof (struct acl_object_label)))
52794 + return -EFAULT;
52795 +
52796 + userp = o_tmp->prev;
52797 +
52798 + len = strnlen_user(o_tmp->filename, PATH_MAX);
52799 +
52800 + if (!len || len >= PATH_MAX)
52801 + return -EINVAL;
52802 +
52803 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52804 + return -ENOMEM;
52805 +
52806 + if (copy_from_user(tmp, o_tmp->filename, len))
52807 + return -EFAULT;
52808 + tmp[len-1] = '\0';
52809 + o_tmp->filename = tmp;
52810 +
52811 + insert_acl_obj_label(o_tmp, subj);
52812 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
52813 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
52814 + return -ENOMEM;
52815 +
52816 + ret = copy_user_glob(o_tmp);
52817 + if (ret)
52818 + return ret;
52819 +
52820 + if (o_tmp->nested) {
52821 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
52822 + if (IS_ERR(o_tmp->nested))
52823 + return PTR_ERR(o_tmp->nested);
52824 +
52825 + /* insert into nested subject list */
52826 + o_tmp->nested->next = role->hash->first;
52827 + role->hash->first = o_tmp->nested;
52828 + }
52829 + }
52830 +
52831 + return 0;
52832 +}
52833 +
52834 +static __u32
52835 +count_user_subjs(struct acl_subject_label *userp)
52836 +{
52837 + struct acl_subject_label s_tmp;
52838 + __u32 num = 0;
52839 +
52840 + while (userp) {
52841 + if (copy_from_user(&s_tmp, userp,
52842 + sizeof (struct acl_subject_label)))
52843 + break;
52844 +
52845 + userp = s_tmp.prev;
52846 + /* do not count nested subjects against this count, since
52847 + they are not included in the hash table, but are
52848 + attached to objects. We have already counted
52849 + the subjects in userspace for the allocation
52850 + stack
52851 + */
52852 + if (!(s_tmp.mode & GR_NESTED))
52853 + num++;
52854 + }
52855 +
52856 + return num;
52857 +}
52858 +
52859 +static int
52860 +copy_user_allowedips(struct acl_role_label *rolep)
52861 +{
52862 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
52863 +
52864 + ruserip = rolep->allowed_ips;
52865 +
52866 + while (ruserip) {
52867 + rlast = rtmp;
52868 +
52869 + if ((rtmp = (struct role_allowed_ip *)
52870 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
52871 + return -ENOMEM;
52872 +
52873 + if (copy_from_user(rtmp, ruserip,
52874 + sizeof (struct role_allowed_ip)))
52875 + return -EFAULT;
52876 +
52877 + ruserip = rtmp->prev;
52878 +
52879 + if (!rlast) {
52880 + rtmp->prev = NULL;
52881 + rolep->allowed_ips = rtmp;
52882 + } else {
52883 + rlast->next = rtmp;
52884 + rtmp->prev = rlast;
52885 + }
52886 +
52887 + if (!ruserip)
52888 + rtmp->next = NULL;
52889 + }
52890 +
52891 + return 0;
52892 +}
52893 +
52894 +static int
52895 +copy_user_transitions(struct acl_role_label *rolep)
52896 +{
52897 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
52898 +
52899 + unsigned int len;
52900 + char *tmp;
52901 +
52902 + rusertp = rolep->transitions;
52903 +
52904 + while (rusertp) {
52905 + rlast = rtmp;
52906 +
52907 + if ((rtmp = (struct role_transition *)
52908 + acl_alloc(sizeof (struct role_transition))) == NULL)
52909 + return -ENOMEM;
52910 +
52911 + if (copy_from_user(rtmp, rusertp,
52912 + sizeof (struct role_transition)))
52913 + return -EFAULT;
52914 +
52915 + rusertp = rtmp->prev;
52916 +
52917 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
52918 +
52919 + if (!len || len >= GR_SPROLE_LEN)
52920 + return -EINVAL;
52921 +
52922 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52923 + return -ENOMEM;
52924 +
52925 + if (copy_from_user(tmp, rtmp->rolename, len))
52926 + return -EFAULT;
52927 + tmp[len-1] = '\0';
52928 + rtmp->rolename = tmp;
52929 +
52930 + if (!rlast) {
52931 + rtmp->prev = NULL;
52932 + rolep->transitions = rtmp;
52933 + } else {
52934 + rlast->next = rtmp;
52935 + rtmp->prev = rlast;
52936 + }
52937 +
52938 + if (!rusertp)
52939 + rtmp->next = NULL;
52940 + }
52941 +
52942 + return 0;
52943 +}
52944 +
52945 +static struct acl_subject_label *
52946 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
52947 +{
52948 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
52949 + unsigned int len;
52950 + char *tmp;
52951 + __u32 num_objs;
52952 + struct acl_ip_label **i_tmp, *i_utmp2;
52953 + struct gr_hash_struct ghash;
52954 + struct subject_map *subjmap;
52955 + unsigned int i_num;
52956 + int err;
52957 +
52958 + s_tmp = lookup_subject_map(userp);
52959 +
52960 + /* we've already copied this subject into the kernel, just return
52961 + the reference to it, and don't copy it over again
52962 + */
52963 + if (s_tmp)
52964 + return(s_tmp);
52965 +
52966 + if ((s_tmp = (struct acl_subject_label *)
52967 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
52968 + return ERR_PTR(-ENOMEM);
52969 +
52970 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
52971 + if (subjmap == NULL)
52972 + return ERR_PTR(-ENOMEM);
52973 +
52974 + subjmap->user = userp;
52975 + subjmap->kernel = s_tmp;
52976 + insert_subj_map_entry(subjmap);
52977 +
52978 + if (copy_from_user(s_tmp, userp,
52979 + sizeof (struct acl_subject_label)))
52980 + return ERR_PTR(-EFAULT);
52981 +
52982 + len = strnlen_user(s_tmp->filename, PATH_MAX);
52983 +
52984 + if (!len || len >= PATH_MAX)
52985 + return ERR_PTR(-EINVAL);
52986 +
52987 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52988 + return ERR_PTR(-ENOMEM);
52989 +
52990 + if (copy_from_user(tmp, s_tmp->filename, len))
52991 + return ERR_PTR(-EFAULT);
52992 + tmp[len-1] = '\0';
52993 + s_tmp->filename = tmp;
52994 +
52995 + if (!strcmp(s_tmp->filename, "/"))
52996 + role->root_label = s_tmp;
52997 +
52998 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
52999 + return ERR_PTR(-EFAULT);
53000 +
53001 + /* copy user and group transition tables */
53002 +
53003 + if (s_tmp->user_trans_num) {
53004 + uid_t *uidlist;
53005 +
53006 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53007 + if (uidlist == NULL)
53008 + return ERR_PTR(-ENOMEM);
53009 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53010 + return ERR_PTR(-EFAULT);
53011 +
53012 + s_tmp->user_transitions = uidlist;
53013 + }
53014 +
53015 + if (s_tmp->group_trans_num) {
53016 + gid_t *gidlist;
53017 +
53018 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53019 + if (gidlist == NULL)
53020 + return ERR_PTR(-ENOMEM);
53021 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53022 + return ERR_PTR(-EFAULT);
53023 +
53024 + s_tmp->group_transitions = gidlist;
53025 + }
53026 +
53027 + /* set up object hash table */
53028 + num_objs = count_user_objs(ghash.first);
53029 +
53030 + s_tmp->obj_hash_size = num_objs;
53031 + s_tmp->obj_hash =
53032 + (struct acl_object_label **)
53033 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53034 +
53035 + if (!s_tmp->obj_hash)
53036 + return ERR_PTR(-ENOMEM);
53037 +
53038 + memset(s_tmp->obj_hash, 0,
53039 + s_tmp->obj_hash_size *
53040 + sizeof (struct acl_object_label *));
53041 +
53042 + /* add in objects */
53043 + err = copy_user_objs(ghash.first, s_tmp, role);
53044 +
53045 + if (err)
53046 + return ERR_PTR(err);
53047 +
53048 + /* set pointer for parent subject */
53049 + if (s_tmp->parent_subject) {
53050 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53051 +
53052 + if (IS_ERR(s_tmp2))
53053 + return s_tmp2;
53054 +
53055 + s_tmp->parent_subject = s_tmp2;
53056 + }
53057 +
53058 + /* add in ip acls */
53059 +
53060 + if (!s_tmp->ip_num) {
53061 + s_tmp->ips = NULL;
53062 + goto insert;
53063 + }
53064 +
53065 + i_tmp =
53066 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53067 + sizeof (struct acl_ip_label *));
53068 +
53069 + if (!i_tmp)
53070 + return ERR_PTR(-ENOMEM);
53071 +
53072 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53073 + *(i_tmp + i_num) =
53074 + (struct acl_ip_label *)
53075 + acl_alloc(sizeof (struct acl_ip_label));
53076 + if (!*(i_tmp + i_num))
53077 + return ERR_PTR(-ENOMEM);
53078 +
53079 + if (copy_from_user
53080 + (&i_utmp2, s_tmp->ips + i_num,
53081 + sizeof (struct acl_ip_label *)))
53082 + return ERR_PTR(-EFAULT);
53083 +
53084 + if (copy_from_user
53085 + (*(i_tmp + i_num), i_utmp2,
53086 + sizeof (struct acl_ip_label)))
53087 + return ERR_PTR(-EFAULT);
53088 +
53089 + if ((*(i_tmp + i_num))->iface == NULL)
53090 + continue;
53091 +
53092 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53093 + if (!len || len >= IFNAMSIZ)
53094 + return ERR_PTR(-EINVAL);
53095 + tmp = acl_alloc(len);
53096 + if (tmp == NULL)
53097 + return ERR_PTR(-ENOMEM);
53098 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53099 + return ERR_PTR(-EFAULT);
53100 + (*(i_tmp + i_num))->iface = tmp;
53101 + }
53102 +
53103 + s_tmp->ips = i_tmp;
53104 +
53105 +insert:
53106 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53107 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53108 + return ERR_PTR(-ENOMEM);
53109 +
53110 + return s_tmp;
53111 +}
53112 +
53113 +static int
53114 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53115 +{
53116 + struct acl_subject_label s_pre;
53117 + struct acl_subject_label * ret;
53118 + int err;
53119 +
53120 + while (userp) {
53121 + if (copy_from_user(&s_pre, userp,
53122 + sizeof (struct acl_subject_label)))
53123 + return -EFAULT;
53124 +
53125 + /* do not add nested subjects here, add
53126 + while parsing objects
53127 + */
53128 +
53129 + if (s_pre.mode & GR_NESTED) {
53130 + userp = s_pre.prev;
53131 + continue;
53132 + }
53133 +
53134 + ret = do_copy_user_subj(userp, role);
53135 +
53136 + err = PTR_ERR(ret);
53137 + if (IS_ERR(ret))
53138 + return err;
53139 +
53140 + insert_acl_subj_label(ret, role);
53141 +
53142 + userp = s_pre.prev;
53143 + }
53144 +
53145 + return 0;
53146 +}
53147 +
53148 +static int
53149 +copy_user_acl(struct gr_arg *arg)
53150 +{
53151 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53152 + struct sprole_pw *sptmp;
53153 + struct gr_hash_struct *ghash;
53154 + uid_t *domainlist;
53155 + unsigned int r_num;
53156 + unsigned int len;
53157 + char *tmp;
53158 + int err = 0;
53159 + __u16 i;
53160 + __u32 num_subjs;
53161 +
53162 + /* we need a default and kernel role */
53163 + if (arg->role_db.num_roles < 2)
53164 + return -EINVAL;
53165 +
53166 + /* copy special role authentication info from userspace */
53167 +
53168 + num_sprole_pws = arg->num_sprole_pws;
53169 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53170 +
53171 + if (!acl_special_roles) {
53172 + err = -ENOMEM;
53173 + goto cleanup;
53174 + }
53175 +
53176 + for (i = 0; i < num_sprole_pws; i++) {
53177 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53178 + if (!sptmp) {
53179 + err = -ENOMEM;
53180 + goto cleanup;
53181 + }
53182 + if (copy_from_user(sptmp, arg->sprole_pws + i,
53183 + sizeof (struct sprole_pw))) {
53184 + err = -EFAULT;
53185 + goto cleanup;
53186 + }
53187 +
53188 + len =
53189 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53190 +
53191 + if (!len || len >= GR_SPROLE_LEN) {
53192 + err = -EINVAL;
53193 + goto cleanup;
53194 + }
53195 +
53196 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53197 + err = -ENOMEM;
53198 + goto cleanup;
53199 + }
53200 +
53201 + if (copy_from_user(tmp, sptmp->rolename, len)) {
53202 + err = -EFAULT;
53203 + goto cleanup;
53204 + }
53205 + tmp[len-1] = '\0';
53206 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53207 + printk(KERN_ALERT "Copying special role %s\n", tmp);
53208 +#endif
53209 + sptmp->rolename = tmp;
53210 + acl_special_roles[i] = sptmp;
53211 + }
53212 +
53213 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53214 +
53215 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53216 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
53217 +
53218 + if (!r_tmp) {
53219 + err = -ENOMEM;
53220 + goto cleanup;
53221 + }
53222 +
53223 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
53224 + sizeof (struct acl_role_label *))) {
53225 + err = -EFAULT;
53226 + goto cleanup;
53227 + }
53228 +
53229 + if (copy_from_user(r_tmp, r_utmp2,
53230 + sizeof (struct acl_role_label))) {
53231 + err = -EFAULT;
53232 + goto cleanup;
53233 + }
53234 +
53235 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53236 +
53237 + if (!len || len >= PATH_MAX) {
53238 + err = -EINVAL;
53239 + goto cleanup;
53240 + }
53241 +
53242 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53243 + err = -ENOMEM;
53244 + goto cleanup;
53245 + }
53246 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
53247 + err = -EFAULT;
53248 + goto cleanup;
53249 + }
53250 + tmp[len-1] = '\0';
53251 + r_tmp->rolename = tmp;
53252 +
53253 + if (!strcmp(r_tmp->rolename, "default")
53254 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53255 + default_role = r_tmp;
53256 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53257 + kernel_role = r_tmp;
53258 + }
53259 +
53260 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53261 + err = -ENOMEM;
53262 + goto cleanup;
53263 + }
53264 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53265 + err = -EFAULT;
53266 + goto cleanup;
53267 + }
53268 +
53269 + r_tmp->hash = ghash;
53270 +
53271 + num_subjs = count_user_subjs(r_tmp->hash->first);
53272 +
53273 + r_tmp->subj_hash_size = num_subjs;
53274 + r_tmp->subj_hash =
53275 + (struct acl_subject_label **)
53276 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53277 +
53278 + if (!r_tmp->subj_hash) {
53279 + err = -ENOMEM;
53280 + goto cleanup;
53281 + }
53282 +
53283 + err = copy_user_allowedips(r_tmp);
53284 + if (err)
53285 + goto cleanup;
53286 +
53287 + /* copy domain info */
53288 + if (r_tmp->domain_children != NULL) {
53289 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53290 + if (domainlist == NULL) {
53291 + err = -ENOMEM;
53292 + goto cleanup;
53293 + }
53294 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53295 + err = -EFAULT;
53296 + goto cleanup;
53297 + }
53298 + r_tmp->domain_children = domainlist;
53299 + }
53300 +
53301 + err = copy_user_transitions(r_tmp);
53302 + if (err)
53303 + goto cleanup;
53304 +
53305 + memset(r_tmp->subj_hash, 0,
53306 + r_tmp->subj_hash_size *
53307 + sizeof (struct acl_subject_label *));
53308 +
53309 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53310 +
53311 + if (err)
53312 + goto cleanup;
53313 +
53314 + /* set nested subject list to null */
53315 + r_tmp->hash->first = NULL;
53316 +
53317 + insert_acl_role_label(r_tmp);
53318 + }
53319 +
53320 + goto return_err;
53321 + cleanup:
53322 + free_variables();
53323 + return_err:
53324 + return err;
53325 +
53326 +}
53327 +
53328 +static int
53329 +gracl_init(struct gr_arg *args)
53330 +{
53331 + int error = 0;
53332 +
53333 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53334 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53335 +
53336 + if (init_variables(args)) {
53337 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53338 + error = -ENOMEM;
53339 + free_variables();
53340 + goto out;
53341 + }
53342 +
53343 + error = copy_user_acl(args);
53344 + free_init_variables();
53345 + if (error) {
53346 + free_variables();
53347 + goto out;
53348 + }
53349 +
53350 + if ((error = gr_set_acls(0))) {
53351 + free_variables();
53352 + goto out;
53353 + }
53354 +
53355 + pax_open_kernel();
53356 + gr_status |= GR_READY;
53357 + pax_close_kernel();
53358 +
53359 + out:
53360 + return error;
53361 +}
53362 +
53363 +/* derived from glibc fnmatch() 0: match, 1: no match*/
53364 +
53365 +static int
53366 +glob_match(const char *p, const char *n)
53367 +{
53368 + char c;
53369 +
53370 + while ((c = *p++) != '\0') {
53371 + switch (c) {
53372 + case '?':
53373 + if (*n == '\0')
53374 + return 1;
53375 + else if (*n == '/')
53376 + return 1;
53377 + break;
53378 + case '\\':
53379 + if (*n != c)
53380 + return 1;
53381 + break;
53382 + case '*':
53383 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
53384 + if (*n == '/')
53385 + return 1;
53386 + else if (c == '?') {
53387 + if (*n == '\0')
53388 + return 1;
53389 + else
53390 + ++n;
53391 + }
53392 + }
53393 + if (c == '\0') {
53394 + return 0;
53395 + } else {
53396 + const char *endp;
53397 +
53398 + if ((endp = strchr(n, '/')) == NULL)
53399 + endp = n + strlen(n);
53400 +
53401 + if (c == '[') {
53402 + for (--p; n < endp; ++n)
53403 + if (!glob_match(p, n))
53404 + return 0;
53405 + } else if (c == '/') {
53406 + while (*n != '\0' && *n != '/')
53407 + ++n;
53408 + if (*n == '/' && !glob_match(p, n + 1))
53409 + return 0;
53410 + } else {
53411 + for (--p; n < endp; ++n)
53412 + if (*n == c && !glob_match(p, n))
53413 + return 0;
53414 + }
53415 +
53416 + return 1;
53417 + }
53418 + case '[':
53419 + {
53420 + int not;
53421 + char cold;
53422 +
53423 + if (*n == '\0' || *n == '/')
53424 + return 1;
53425 +
53426 + not = (*p == '!' || *p == '^');
53427 + if (not)
53428 + ++p;
53429 +
53430 + c = *p++;
53431 + for (;;) {
53432 + unsigned char fn = (unsigned char)*n;
53433 +
53434 + if (c == '\0')
53435 + return 1;
53436 + else {
53437 + if (c == fn)
53438 + goto matched;
53439 + cold = c;
53440 + c = *p++;
53441 +
53442 + if (c == '-' && *p != ']') {
53443 + unsigned char cend = *p++;
53444 +
53445 + if (cend == '\0')
53446 + return 1;
53447 +
53448 + if (cold <= fn && fn <= cend)
53449 + goto matched;
53450 +
53451 + c = *p++;
53452 + }
53453 + }
53454 +
53455 + if (c == ']')
53456 + break;
53457 + }
53458 + if (!not)
53459 + return 1;
53460 + break;
53461 + matched:
53462 + while (c != ']') {
53463 + if (c == '\0')
53464 + return 1;
53465 +
53466 + c = *p++;
53467 + }
53468 + if (not)
53469 + return 1;
53470 + }
53471 + break;
53472 + default:
53473 + if (c != *n)
53474 + return 1;
53475 + }
53476 +
53477 + ++n;
53478 + }
53479 +
53480 + if (*n == '\0')
53481 + return 0;
53482 +
53483 + if (*n == '/')
53484 + return 0;
53485 +
53486 + return 1;
53487 +}
53488 +
53489 +static struct acl_object_label *
53490 +chk_glob_label(struct acl_object_label *globbed,
53491 + struct dentry *dentry, struct vfsmount *mnt, char **path)
53492 +{
53493 + struct acl_object_label *tmp;
53494 +
53495 + if (*path == NULL)
53496 + *path = gr_to_filename_nolock(dentry, mnt);
53497 +
53498 + tmp = globbed;
53499 +
53500 + while (tmp) {
53501 + if (!glob_match(tmp->filename, *path))
53502 + return tmp;
53503 + tmp = tmp->next;
53504 + }
53505 +
53506 + return NULL;
53507 +}
53508 +
53509 +static struct acl_object_label *
53510 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53511 + const ino_t curr_ino, const dev_t curr_dev,
53512 + const struct acl_subject_label *subj, char **path, const int checkglob)
53513 +{
53514 + struct acl_subject_label *tmpsubj;
53515 + struct acl_object_label *retval;
53516 + struct acl_object_label *retval2;
53517 +
53518 + tmpsubj = (struct acl_subject_label *) subj;
53519 + read_lock(&gr_inode_lock);
53520 + do {
53521 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53522 + if (retval) {
53523 + if (checkglob && retval->globbed) {
53524 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
53525 + (struct vfsmount *)orig_mnt, path);
53526 + if (retval2)
53527 + retval = retval2;
53528 + }
53529 + break;
53530 + }
53531 + } while ((tmpsubj = tmpsubj->parent_subject));
53532 + read_unlock(&gr_inode_lock);
53533 +
53534 + return retval;
53535 +}
53536 +
53537 +static __inline__ struct acl_object_label *
53538 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53539 + struct dentry *curr_dentry,
53540 + const struct acl_subject_label *subj, char **path, const int checkglob)
53541 +{
53542 + int newglob = checkglob;
53543 + ino_t inode;
53544 + dev_t device;
53545 +
53546 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
53547 + as we don't want a / * rule to match instead of the / object
53548 + don't do this for create lookups that call this function though, since they're looking up
53549 + on the parent and thus need globbing checks on all paths
53550 + */
53551 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
53552 + newglob = GR_NO_GLOB;
53553 +
53554 + spin_lock(&curr_dentry->d_lock);
53555 + inode = curr_dentry->d_inode->i_ino;
53556 + device = __get_dev(curr_dentry);
53557 + spin_unlock(&curr_dentry->d_lock);
53558 +
53559 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
53560 +}
53561 +
53562 +static struct acl_object_label *
53563 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53564 + const struct acl_subject_label *subj, char *path, const int checkglob)
53565 +{
53566 + struct dentry *dentry = (struct dentry *) l_dentry;
53567 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53568 + struct acl_object_label *retval;
53569 + struct dentry *parent;
53570 +
53571 + write_seqlock(&rename_lock);
53572 + br_read_lock(vfsmount_lock);
53573 +
53574 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
53575 +#ifdef CONFIG_NET
53576 + mnt == sock_mnt ||
53577 +#endif
53578 +#ifdef CONFIG_HUGETLBFS
53579 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
53580 +#endif
53581 + /* ignore Eric Biederman */
53582 + IS_PRIVATE(l_dentry->d_inode))) {
53583 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
53584 + goto out;
53585 + }
53586 +
53587 + for (;;) {
53588 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53589 + break;
53590 +
53591 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53592 + if (mnt->mnt_parent == mnt)
53593 + break;
53594 +
53595 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53596 + if (retval != NULL)
53597 + goto out;
53598 +
53599 + dentry = mnt->mnt_mountpoint;
53600 + mnt = mnt->mnt_parent;
53601 + continue;
53602 + }
53603 +
53604 + parent = dentry->d_parent;
53605 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53606 + if (retval != NULL)
53607 + goto out;
53608 +
53609 + dentry = parent;
53610 + }
53611 +
53612 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53613 +
53614 + /* real_root is pinned so we don't have to hold a reference */
53615 + if (retval == NULL)
53616 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
53617 +out:
53618 + br_read_unlock(vfsmount_lock);
53619 + write_sequnlock(&rename_lock);
53620 +
53621 + BUG_ON(retval == NULL);
53622 +
53623 + return retval;
53624 +}
53625 +
53626 +static __inline__ struct acl_object_label *
53627 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53628 + const struct acl_subject_label *subj)
53629 +{
53630 + char *path = NULL;
53631 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
53632 +}
53633 +
53634 +static __inline__ struct acl_object_label *
53635 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53636 + const struct acl_subject_label *subj)
53637 +{
53638 + char *path = NULL;
53639 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
53640 +}
53641 +
53642 +static __inline__ struct acl_object_label *
53643 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53644 + const struct acl_subject_label *subj, char *path)
53645 +{
53646 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
53647 +}
53648 +
53649 +static struct acl_subject_label *
53650 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53651 + const struct acl_role_label *role)
53652 +{
53653 + struct dentry *dentry = (struct dentry *) l_dentry;
53654 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53655 + struct acl_subject_label *retval;
53656 + struct dentry *parent;
53657 +
53658 + write_seqlock(&rename_lock);
53659 + br_read_lock(vfsmount_lock);
53660 +
53661 + for (;;) {
53662 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53663 + break;
53664 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53665 + if (mnt->mnt_parent == mnt)
53666 + break;
53667 +
53668 + spin_lock(&dentry->d_lock);
53669 + read_lock(&gr_inode_lock);
53670 + retval =
53671 + lookup_acl_subj_label(dentry->d_inode->i_ino,
53672 + __get_dev(dentry), role);
53673 + read_unlock(&gr_inode_lock);
53674 + spin_unlock(&dentry->d_lock);
53675 + if (retval != NULL)
53676 + goto out;
53677 +
53678 + dentry = mnt->mnt_mountpoint;
53679 + mnt = mnt->mnt_parent;
53680 + continue;
53681 + }
53682 +
53683 + spin_lock(&dentry->d_lock);
53684 + read_lock(&gr_inode_lock);
53685 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53686 + __get_dev(dentry), role);
53687 + read_unlock(&gr_inode_lock);
53688 + parent = dentry->d_parent;
53689 + spin_unlock(&dentry->d_lock);
53690 +
53691 + if (retval != NULL)
53692 + goto out;
53693 +
53694 + dentry = parent;
53695 + }
53696 +
53697 + spin_lock(&dentry->d_lock);
53698 + read_lock(&gr_inode_lock);
53699 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53700 + __get_dev(dentry), role);
53701 + read_unlock(&gr_inode_lock);
53702 + spin_unlock(&dentry->d_lock);
53703 +
53704 + if (unlikely(retval == NULL)) {
53705 + /* real_root is pinned, we don't need to hold a reference */
53706 + read_lock(&gr_inode_lock);
53707 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
53708 + __get_dev(real_root.dentry), role);
53709 + read_unlock(&gr_inode_lock);
53710 + }
53711 +out:
53712 + br_read_unlock(vfsmount_lock);
53713 + write_sequnlock(&rename_lock);
53714 +
53715 + BUG_ON(retval == NULL);
53716 +
53717 + return retval;
53718 +}
53719 +
53720 +static void
53721 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
53722 +{
53723 + struct task_struct *task = current;
53724 + const struct cred *cred = current_cred();
53725 +
53726 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53727 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53728 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53729 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
53730 +
53731 + return;
53732 +}
53733 +
53734 +static void
53735 +gr_log_learn_sysctl(const char *path, const __u32 mode)
53736 +{
53737 + struct task_struct *task = current;
53738 + const struct cred *cred = current_cred();
53739 +
53740 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53741 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53742 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53743 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
53744 +
53745 + return;
53746 +}
53747 +
53748 +static void
53749 +gr_log_learn_id_change(const char type, const unsigned int real,
53750 + const unsigned int effective, const unsigned int fs)
53751 +{
53752 + struct task_struct *task = current;
53753 + const struct cred *cred = current_cred();
53754 +
53755 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
53756 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53757 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53758 + type, real, effective, fs, &task->signal->saved_ip);
53759 +
53760 + return;
53761 +}
53762 +
53763 +__u32
53764 +gr_check_link(const struct dentry * new_dentry,
53765 + const struct dentry * parent_dentry,
53766 + const struct vfsmount * parent_mnt,
53767 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
53768 +{
53769 + struct acl_object_label *obj;
53770 + __u32 oldmode, newmode;
53771 + __u32 needmode;
53772 +
53773 + if (unlikely(!(gr_status & GR_READY)))
53774 + return (GR_CREATE | GR_LINK);
53775 +
53776 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
53777 + oldmode = obj->mode;
53778 +
53779 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53780 + oldmode |= (GR_CREATE | GR_LINK);
53781 +
53782 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
53783 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53784 + needmode |= GR_SETID | GR_AUDIT_SETID;
53785 +
53786 + newmode =
53787 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53788 + oldmode | needmode);
53789 +
53790 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
53791 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
53792 + GR_INHERIT | GR_AUDIT_INHERIT);
53793 +
53794 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
53795 + goto bad;
53796 +
53797 + if ((oldmode & needmode) != needmode)
53798 + goto bad;
53799 +
53800 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
53801 + if ((newmode & needmode) != needmode)
53802 + goto bad;
53803 +
53804 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
53805 + return newmode;
53806 +bad:
53807 + needmode = oldmode;
53808 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53809 + needmode |= GR_SETID;
53810 +
53811 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53812 + gr_log_learn(old_dentry, old_mnt, needmode);
53813 + return (GR_CREATE | GR_LINK);
53814 + } else if (newmode & GR_SUPPRESS)
53815 + return GR_SUPPRESS;
53816 + else
53817 + return 0;
53818 +}
53819 +
53820 +__u32
53821 +gr_search_file(const struct dentry * dentry, const __u32 mode,
53822 + const struct vfsmount * mnt)
53823 +{
53824 + __u32 retval = mode;
53825 + struct acl_subject_label *curracl;
53826 + struct acl_object_label *currobj;
53827 +
53828 + if (unlikely(!(gr_status & GR_READY)))
53829 + return (mode & ~GR_AUDITS);
53830 +
53831 + curracl = current->acl;
53832 +
53833 + currobj = chk_obj_label(dentry, mnt, curracl);
53834 + retval = currobj->mode & mode;
53835 +
53836 + /* if we're opening a specified transfer file for writing
53837 + (e.g. /dev/initctl), then transfer our role to init
53838 + */
53839 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
53840 + current->role->roletype & GR_ROLE_PERSIST)) {
53841 + struct task_struct *task = init_pid_ns.child_reaper;
53842 +
53843 + if (task->role != current->role) {
53844 + task->acl_sp_role = 0;
53845 + task->acl_role_id = current->acl_role_id;
53846 + task->role = current->role;
53847 + rcu_read_lock();
53848 + read_lock(&grsec_exec_file_lock);
53849 + gr_apply_subject_to_task(task);
53850 + read_unlock(&grsec_exec_file_lock);
53851 + rcu_read_unlock();
53852 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
53853 + }
53854 + }
53855 +
53856 + if (unlikely
53857 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
53858 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
53859 + __u32 new_mode = mode;
53860 +
53861 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53862 +
53863 + retval = new_mode;
53864 +
53865 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
53866 + new_mode |= GR_INHERIT;
53867 +
53868 + if (!(mode & GR_NOLEARN))
53869 + gr_log_learn(dentry, mnt, new_mode);
53870 + }
53871 +
53872 + return retval;
53873 +}
53874 +
53875 +__u32
53876 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
53877 + const struct vfsmount * mnt, const __u32 mode)
53878 +{
53879 + struct name_entry *match;
53880 + struct acl_object_label *matchpo;
53881 + struct acl_subject_label *curracl;
53882 + char *path;
53883 + __u32 retval;
53884 +
53885 + if (unlikely(!(gr_status & GR_READY)))
53886 + return (mode & ~GR_AUDITS);
53887 +
53888 + preempt_disable();
53889 + path = gr_to_filename_rbac(new_dentry, mnt);
53890 + match = lookup_name_entry_create(path);
53891 +
53892 + if (!match)
53893 + goto check_parent;
53894 +
53895 + curracl = current->acl;
53896 +
53897 + read_lock(&gr_inode_lock);
53898 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
53899 + read_unlock(&gr_inode_lock);
53900 +
53901 + if (matchpo) {
53902 + if ((matchpo->mode & mode) !=
53903 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
53904 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53905 + __u32 new_mode = mode;
53906 +
53907 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53908 +
53909 + gr_log_learn(new_dentry, mnt, new_mode);
53910 +
53911 + preempt_enable();
53912 + return new_mode;
53913 + }
53914 + preempt_enable();
53915 + return (matchpo->mode & mode);
53916 + }
53917 +
53918 + check_parent:
53919 + curracl = current->acl;
53920 +
53921 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
53922 + retval = matchpo->mode & mode;
53923 +
53924 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
53925 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
53926 + __u32 new_mode = mode;
53927 +
53928 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53929 +
53930 + gr_log_learn(new_dentry, mnt, new_mode);
53931 + preempt_enable();
53932 + return new_mode;
53933 + }
53934 +
53935 + preempt_enable();
53936 + return retval;
53937 +}
53938 +
53939 +int
53940 +gr_check_hidden_task(const struct task_struct *task)
53941 +{
53942 + if (unlikely(!(gr_status & GR_READY)))
53943 + return 0;
53944 +
53945 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
53946 + return 1;
53947 +
53948 + return 0;
53949 +}
53950 +
53951 +int
53952 +gr_check_protected_task(const struct task_struct *task)
53953 +{
53954 + if (unlikely(!(gr_status & GR_READY) || !task))
53955 + return 0;
53956 +
53957 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53958 + task->acl != current->acl)
53959 + return 1;
53960 +
53961 + return 0;
53962 +}
53963 +
53964 +int
53965 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53966 +{
53967 + struct task_struct *p;
53968 + int ret = 0;
53969 +
53970 + if (unlikely(!(gr_status & GR_READY) || !pid))
53971 + return ret;
53972 +
53973 + read_lock(&tasklist_lock);
53974 + do_each_pid_task(pid, type, p) {
53975 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53976 + p->acl != current->acl) {
53977 + ret = 1;
53978 + goto out;
53979 + }
53980 + } while_each_pid_task(pid, type, p);
53981 +out:
53982 + read_unlock(&tasklist_lock);
53983 +
53984 + return ret;
53985 +}
53986 +
53987 +void
53988 +gr_copy_label(struct task_struct *tsk)
53989 +{
53990 + tsk->signal->used_accept = 0;
53991 + tsk->acl_sp_role = 0;
53992 + tsk->acl_role_id = current->acl_role_id;
53993 + tsk->acl = current->acl;
53994 + tsk->role = current->role;
53995 + tsk->signal->curr_ip = current->signal->curr_ip;
53996 + tsk->signal->saved_ip = current->signal->saved_ip;
53997 + if (current->exec_file)
53998 + get_file(current->exec_file);
53999 + tsk->exec_file = current->exec_file;
54000 + tsk->is_writable = current->is_writable;
54001 + if (unlikely(current->signal->used_accept)) {
54002 + current->signal->curr_ip = 0;
54003 + current->signal->saved_ip = 0;
54004 + }
54005 +
54006 + return;
54007 +}
54008 +
54009 +static void
54010 +gr_set_proc_res(struct task_struct *task)
54011 +{
54012 + struct acl_subject_label *proc;
54013 + unsigned short i;
54014 +
54015 + proc = task->acl;
54016 +
54017 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54018 + return;
54019 +
54020 + for (i = 0; i < RLIM_NLIMITS; i++) {
54021 + if (!(proc->resmask & (1 << i)))
54022 + continue;
54023 +
54024 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54025 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54026 + }
54027 +
54028 + return;
54029 +}
54030 +
54031 +extern int __gr_process_user_ban(struct user_struct *user);
54032 +
54033 +int
54034 +gr_check_user_change(int real, int effective, int fs)
54035 +{
54036 + unsigned int i;
54037 + __u16 num;
54038 + uid_t *uidlist;
54039 + int curuid;
54040 + int realok = 0;
54041 + int effectiveok = 0;
54042 + int fsok = 0;
54043 +
54044 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54045 + struct user_struct *user;
54046 +
54047 + if (real == -1)
54048 + goto skipit;
54049 +
54050 + user = find_user(real);
54051 + if (user == NULL)
54052 + goto skipit;
54053 +
54054 + if (__gr_process_user_ban(user)) {
54055 + /* for find_user */
54056 + free_uid(user);
54057 + return 1;
54058 + }
54059 +
54060 + /* for find_user */
54061 + free_uid(user);
54062 +
54063 +skipit:
54064 +#endif
54065 +
54066 + if (unlikely(!(gr_status & GR_READY)))
54067 + return 0;
54068 +
54069 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54070 + gr_log_learn_id_change('u', real, effective, fs);
54071 +
54072 + num = current->acl->user_trans_num;
54073 + uidlist = current->acl->user_transitions;
54074 +
54075 + if (uidlist == NULL)
54076 + return 0;
54077 +
54078 + if (real == -1)
54079 + realok = 1;
54080 + if (effective == -1)
54081 + effectiveok = 1;
54082 + if (fs == -1)
54083 + fsok = 1;
54084 +
54085 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
54086 + for (i = 0; i < num; i++) {
54087 + curuid = (int)uidlist[i];
54088 + if (real == curuid)
54089 + realok = 1;
54090 + if (effective == curuid)
54091 + effectiveok = 1;
54092 + if (fs == curuid)
54093 + fsok = 1;
54094 + }
54095 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
54096 + for (i = 0; i < num; i++) {
54097 + curuid = (int)uidlist[i];
54098 + if (real == curuid)
54099 + break;
54100 + if (effective == curuid)
54101 + break;
54102 + if (fs == curuid)
54103 + break;
54104 + }
54105 + /* not in deny list */
54106 + if (i == num) {
54107 + realok = 1;
54108 + effectiveok = 1;
54109 + fsok = 1;
54110 + }
54111 + }
54112 +
54113 + if (realok && effectiveok && fsok)
54114 + return 0;
54115 + else {
54116 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54117 + return 1;
54118 + }
54119 +}
54120 +
54121 +int
54122 +gr_check_group_change(int real, int effective, int fs)
54123 +{
54124 + unsigned int i;
54125 + __u16 num;
54126 + gid_t *gidlist;
54127 + int curgid;
54128 + int realok = 0;
54129 + int effectiveok = 0;
54130 + int fsok = 0;
54131 +
54132 + if (unlikely(!(gr_status & GR_READY)))
54133 + return 0;
54134 +
54135 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54136 + gr_log_learn_id_change('g', real, effective, fs);
54137 +
54138 + num = current->acl->group_trans_num;
54139 + gidlist = current->acl->group_transitions;
54140 +
54141 + if (gidlist == NULL)
54142 + return 0;
54143 +
54144 + if (real == -1)
54145 + realok = 1;
54146 + if (effective == -1)
54147 + effectiveok = 1;
54148 + if (fs == -1)
54149 + fsok = 1;
54150 +
54151 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
54152 + for (i = 0; i < num; i++) {
54153 + curgid = (int)gidlist[i];
54154 + if (real == curgid)
54155 + realok = 1;
54156 + if (effective == curgid)
54157 + effectiveok = 1;
54158 + if (fs == curgid)
54159 + fsok = 1;
54160 + }
54161 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
54162 + for (i = 0; i < num; i++) {
54163 + curgid = (int)gidlist[i];
54164 + if (real == curgid)
54165 + break;
54166 + if (effective == curgid)
54167 + break;
54168 + if (fs == curgid)
54169 + break;
54170 + }
54171 + /* not in deny list */
54172 + if (i == num) {
54173 + realok = 1;
54174 + effectiveok = 1;
54175 + fsok = 1;
54176 + }
54177 + }
54178 +
54179 + if (realok && effectiveok && fsok)
54180 + return 0;
54181 + else {
54182 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54183 + return 1;
54184 + }
54185 +}
54186 +
54187 +void
54188 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54189 +{
54190 + struct acl_role_label *role = task->role;
54191 + struct acl_subject_label *subj = NULL;
54192 + struct acl_object_label *obj;
54193 + struct file *filp;
54194 +
54195 + if (unlikely(!(gr_status & GR_READY)))
54196 + return;
54197 +
54198 + filp = task->exec_file;
54199 +
54200 + /* kernel process, we'll give them the kernel role */
54201 + if (unlikely(!filp)) {
54202 + task->role = kernel_role;
54203 + task->acl = kernel_role->root_label;
54204 + return;
54205 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54206 + role = lookup_acl_role_label(task, uid, gid);
54207 +
54208 + /* perform subject lookup in possibly new role
54209 + we can use this result below in the case where role == task->role
54210 + */
54211 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54212 +
54213 + /* if we changed uid/gid, but result in the same role
54214 + and are using inheritance, don't lose the inherited subject
54215 + if current subject is other than what normal lookup
54216 + would result in, we arrived via inheritance, don't
54217 + lose subject
54218 + */
54219 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54220 + (subj == task->acl)))
54221 + task->acl = subj;
54222 +
54223 + task->role = role;
54224 +
54225 + task->is_writable = 0;
54226 +
54227 + /* ignore additional mmap checks for processes that are writable
54228 + by the default ACL */
54229 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54230 + if (unlikely(obj->mode & GR_WRITE))
54231 + task->is_writable = 1;
54232 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54233 + if (unlikely(obj->mode & GR_WRITE))
54234 + task->is_writable = 1;
54235 +
54236 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54237 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54238 +#endif
54239 +
54240 + gr_set_proc_res(task);
54241 +
54242 + return;
54243 +}
54244 +
54245 +int
54246 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54247 + const int unsafe_share)
54248 +{
54249 + struct task_struct *task = current;
54250 + struct acl_subject_label *newacl;
54251 + struct acl_object_label *obj;
54252 + __u32 retmode;
54253 +
54254 + if (unlikely(!(gr_status & GR_READY)))
54255 + return 0;
54256 +
54257 + newacl = chk_subj_label(dentry, mnt, task->role);
54258 +
54259 + task_lock(task);
54260 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54261 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54262 + !(task->role->roletype & GR_ROLE_GOD) &&
54263 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54264 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54265 + task_unlock(task);
54266 + if (unsafe_share)
54267 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54268 + else
54269 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54270 + return -EACCES;
54271 + }
54272 + task_unlock(task);
54273 +
54274 + obj = chk_obj_label(dentry, mnt, task->acl);
54275 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54276 +
54277 + if (!(task->acl->mode & GR_INHERITLEARN) &&
54278 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54279 + if (obj->nested)
54280 + task->acl = obj->nested;
54281 + else
54282 + task->acl = newacl;
54283 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54284 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54285 +
54286 + task->is_writable = 0;
54287 +
54288 + /* ignore additional mmap checks for processes that are writable
54289 + by the default ACL */
54290 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
54291 + if (unlikely(obj->mode & GR_WRITE))
54292 + task->is_writable = 1;
54293 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
54294 + if (unlikely(obj->mode & GR_WRITE))
54295 + task->is_writable = 1;
54296 +
54297 + gr_set_proc_res(task);
54298 +
54299 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54300 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54301 +#endif
54302 + return 0;
54303 +}
54304 +
54305 +/* always called with valid inodev ptr */
54306 +static void
54307 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54308 +{
54309 + struct acl_object_label *matchpo;
54310 + struct acl_subject_label *matchps;
54311 + struct acl_subject_label *subj;
54312 + struct acl_role_label *role;
54313 + unsigned int x;
54314 +
54315 + FOR_EACH_ROLE_START(role)
54316 + FOR_EACH_SUBJECT_START(role, subj, x)
54317 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54318 + matchpo->mode |= GR_DELETED;
54319 + FOR_EACH_SUBJECT_END(subj,x)
54320 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54321 + if (subj->inode == ino && subj->device == dev)
54322 + subj->mode |= GR_DELETED;
54323 + FOR_EACH_NESTED_SUBJECT_END(subj)
54324 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54325 + matchps->mode |= GR_DELETED;
54326 + FOR_EACH_ROLE_END(role)
54327 +
54328 + inodev->nentry->deleted = 1;
54329 +
54330 + return;
54331 +}
54332 +
54333 +void
54334 +gr_handle_delete(const ino_t ino, const dev_t dev)
54335 +{
54336 + struct inodev_entry *inodev;
54337 +
54338 + if (unlikely(!(gr_status & GR_READY)))
54339 + return;
54340 +
54341 + write_lock(&gr_inode_lock);
54342 + inodev = lookup_inodev_entry(ino, dev);
54343 + if (inodev != NULL)
54344 + do_handle_delete(inodev, ino, dev);
54345 + write_unlock(&gr_inode_lock);
54346 +
54347 + return;
54348 +}
54349 +
54350 +static void
54351 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54352 + const ino_t newinode, const dev_t newdevice,
54353 + struct acl_subject_label *subj)
54354 +{
54355 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54356 + struct acl_object_label *match;
54357 +
54358 + match = subj->obj_hash[index];
54359 +
54360 + while (match && (match->inode != oldinode ||
54361 + match->device != olddevice ||
54362 + !(match->mode & GR_DELETED)))
54363 + match = match->next;
54364 +
54365 + if (match && (match->inode == oldinode)
54366 + && (match->device == olddevice)
54367 + && (match->mode & GR_DELETED)) {
54368 + if (match->prev == NULL) {
54369 + subj->obj_hash[index] = match->next;
54370 + if (match->next != NULL)
54371 + match->next->prev = NULL;
54372 + } else {
54373 + match->prev->next = match->next;
54374 + if (match->next != NULL)
54375 + match->next->prev = match->prev;
54376 + }
54377 + match->prev = NULL;
54378 + match->next = NULL;
54379 + match->inode = newinode;
54380 + match->device = newdevice;
54381 + match->mode &= ~GR_DELETED;
54382 +
54383 + insert_acl_obj_label(match, subj);
54384 + }
54385 +
54386 + return;
54387 +}
54388 +
54389 +static void
54390 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54391 + const ino_t newinode, const dev_t newdevice,
54392 + struct acl_role_label *role)
54393 +{
54394 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54395 + struct acl_subject_label *match;
54396 +
54397 + match = role->subj_hash[index];
54398 +
54399 + while (match && (match->inode != oldinode ||
54400 + match->device != olddevice ||
54401 + !(match->mode & GR_DELETED)))
54402 + match = match->next;
54403 +
54404 + if (match && (match->inode == oldinode)
54405 + && (match->device == olddevice)
54406 + && (match->mode & GR_DELETED)) {
54407 + if (match->prev == NULL) {
54408 + role->subj_hash[index] = match->next;
54409 + if (match->next != NULL)
54410 + match->next->prev = NULL;
54411 + } else {
54412 + match->prev->next = match->next;
54413 + if (match->next != NULL)
54414 + match->next->prev = match->prev;
54415 + }
54416 + match->prev = NULL;
54417 + match->next = NULL;
54418 + match->inode = newinode;
54419 + match->device = newdevice;
54420 + match->mode &= ~GR_DELETED;
54421 +
54422 + insert_acl_subj_label(match, role);
54423 + }
54424 +
54425 + return;
54426 +}
54427 +
54428 +static void
54429 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54430 + const ino_t newinode, const dev_t newdevice)
54431 +{
54432 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54433 + struct inodev_entry *match;
54434 +
54435 + match = inodev_set.i_hash[index];
54436 +
54437 + while (match && (match->nentry->inode != oldinode ||
54438 + match->nentry->device != olddevice || !match->nentry->deleted))
54439 + match = match->next;
54440 +
54441 + if (match && (match->nentry->inode == oldinode)
54442 + && (match->nentry->device == olddevice) &&
54443 + match->nentry->deleted) {
54444 + if (match->prev == NULL) {
54445 + inodev_set.i_hash[index] = match->next;
54446 + if (match->next != NULL)
54447 + match->next->prev = NULL;
54448 + } else {
54449 + match->prev->next = match->next;
54450 + if (match->next != NULL)
54451 + match->next->prev = match->prev;
54452 + }
54453 + match->prev = NULL;
54454 + match->next = NULL;
54455 + match->nentry->inode = newinode;
54456 + match->nentry->device = newdevice;
54457 + match->nentry->deleted = 0;
54458 +
54459 + insert_inodev_entry(match);
54460 + }
54461 +
54462 + return;
54463 +}
54464 +
54465 +static void
54466 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54467 + const struct vfsmount *mnt)
54468 +{
54469 + struct acl_subject_label *subj;
54470 + struct acl_role_label *role;
54471 + unsigned int x;
54472 + ino_t ino = dentry->d_inode->i_ino;
54473 + dev_t dev = __get_dev(dentry);
54474 +
54475 + FOR_EACH_ROLE_START(role)
54476 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
54477 +
54478 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54479 + if ((subj->inode == ino) && (subj->device == dev)) {
54480 + subj->inode = ino;
54481 + subj->device = dev;
54482 + }
54483 + FOR_EACH_NESTED_SUBJECT_END(subj)
54484 + FOR_EACH_SUBJECT_START(role, subj, x)
54485 + update_acl_obj_label(matchn->inode, matchn->device,
54486 + ino, dev, subj);
54487 + FOR_EACH_SUBJECT_END(subj,x)
54488 + FOR_EACH_ROLE_END(role)
54489 +
54490 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
54491 +
54492 + return;
54493 +}
54494 +
54495 +void
54496 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54497 +{
54498 + struct name_entry *matchn;
54499 +
54500 + if (unlikely(!(gr_status & GR_READY)))
54501 + return;
54502 +
54503 + preempt_disable();
54504 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54505 +
54506 + if (unlikely((unsigned long)matchn)) {
54507 + write_lock(&gr_inode_lock);
54508 + do_handle_create(matchn, dentry, mnt);
54509 + write_unlock(&gr_inode_lock);
54510 + }
54511 + preempt_enable();
54512 +
54513 + return;
54514 +}
54515 +
54516 +void
54517 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54518 + struct dentry *old_dentry,
54519 + struct dentry *new_dentry,
54520 + struct vfsmount *mnt, const __u8 replace)
54521 +{
54522 + struct name_entry *matchn;
54523 + struct inodev_entry *inodev;
54524 + ino_t old_ino = old_dentry->d_inode->i_ino;
54525 + dev_t old_dev = __get_dev(old_dentry);
54526 +
54527 + /* vfs_rename swaps the name and parent link for old_dentry and
54528 + new_dentry
54529 + at this point, old_dentry has the new name, parent link, and inode
54530 + for the renamed file
54531 + if a file is being replaced by a rename, new_dentry has the inode
54532 + and name for the replaced file
54533 + */
54534 +
54535 + if (unlikely(!(gr_status & GR_READY)))
54536 + return;
54537 +
54538 + preempt_disable();
54539 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
54540 +
54541 + /* we wouldn't have to check d_inode if it weren't for
54542 + NFS silly-renaming
54543 + */
54544 +
54545 + write_lock(&gr_inode_lock);
54546 + if (unlikely(replace && new_dentry->d_inode)) {
54547 + ino_t new_ino = new_dentry->d_inode->i_ino;
54548 + dev_t new_dev = __get_dev(new_dentry);
54549 +
54550 + inodev = lookup_inodev_entry(new_ino, new_dev);
54551 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
54552 + do_handle_delete(inodev, new_ino, new_dev);
54553 + }
54554 +
54555 + inodev = lookup_inodev_entry(old_ino, old_dev);
54556 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
54557 + do_handle_delete(inodev, old_ino, old_dev);
54558 +
54559 + if (unlikely((unsigned long)matchn))
54560 + do_handle_create(matchn, old_dentry, mnt);
54561 +
54562 + write_unlock(&gr_inode_lock);
54563 + preempt_enable();
54564 +
54565 + return;
54566 +}
54567 +
54568 +static int
54569 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
54570 + unsigned char **sum)
54571 +{
54572 + struct acl_role_label *r;
54573 + struct role_allowed_ip *ipp;
54574 + struct role_transition *trans;
54575 + unsigned int i;
54576 + int found = 0;
54577 + u32 curr_ip = current->signal->curr_ip;
54578 +
54579 + current->signal->saved_ip = curr_ip;
54580 +
54581 + /* check transition table */
54582 +
54583 + for (trans = current->role->transitions; trans; trans = trans->next) {
54584 + if (!strcmp(rolename, trans->rolename)) {
54585 + found = 1;
54586 + break;
54587 + }
54588 + }
54589 +
54590 + if (!found)
54591 + return 0;
54592 +
54593 + /* handle special roles that do not require authentication
54594 + and check ip */
54595 +
54596 + FOR_EACH_ROLE_START(r)
54597 + if (!strcmp(rolename, r->rolename) &&
54598 + (r->roletype & GR_ROLE_SPECIAL)) {
54599 + found = 0;
54600 + if (r->allowed_ips != NULL) {
54601 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
54602 + if ((ntohl(curr_ip) & ipp->netmask) ==
54603 + (ntohl(ipp->addr) & ipp->netmask))
54604 + found = 1;
54605 + }
54606 + } else
54607 + found = 2;
54608 + if (!found)
54609 + return 0;
54610 +
54611 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
54612 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
54613 + *salt = NULL;
54614 + *sum = NULL;
54615 + return 1;
54616 + }
54617 + }
54618 + FOR_EACH_ROLE_END(r)
54619 +
54620 + for (i = 0; i < num_sprole_pws; i++) {
54621 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
54622 + *salt = acl_special_roles[i]->salt;
54623 + *sum = acl_special_roles[i]->sum;
54624 + return 1;
54625 + }
54626 + }
54627 +
54628 + return 0;
54629 +}
54630 +
54631 +static void
54632 +assign_special_role(char *rolename)
54633 +{
54634 + struct acl_object_label *obj;
54635 + struct acl_role_label *r;
54636 + struct acl_role_label *assigned = NULL;
54637 + struct task_struct *tsk;
54638 + struct file *filp;
54639 +
54640 + FOR_EACH_ROLE_START(r)
54641 + if (!strcmp(rolename, r->rolename) &&
54642 + (r->roletype & GR_ROLE_SPECIAL)) {
54643 + assigned = r;
54644 + break;
54645 + }
54646 + FOR_EACH_ROLE_END(r)
54647 +
54648 + if (!assigned)
54649 + return;
54650 +
54651 + read_lock(&tasklist_lock);
54652 + read_lock(&grsec_exec_file_lock);
54653 +
54654 + tsk = current->real_parent;
54655 + if (tsk == NULL)
54656 + goto out_unlock;
54657 +
54658 + filp = tsk->exec_file;
54659 + if (filp == NULL)
54660 + goto out_unlock;
54661 +
54662 + tsk->is_writable = 0;
54663 +
54664 + tsk->acl_sp_role = 1;
54665 + tsk->acl_role_id = ++acl_sp_role_value;
54666 + tsk->role = assigned;
54667 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
54668 +
54669 + /* ignore additional mmap checks for processes that are writable
54670 + by the default ACL */
54671 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54672 + if (unlikely(obj->mode & GR_WRITE))
54673 + tsk->is_writable = 1;
54674 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
54675 + if (unlikely(obj->mode & GR_WRITE))
54676 + tsk->is_writable = 1;
54677 +
54678 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54679 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
54680 +#endif
54681 +
54682 +out_unlock:
54683 + read_unlock(&grsec_exec_file_lock);
54684 + read_unlock(&tasklist_lock);
54685 + return;
54686 +}
54687 +
54688 +int gr_check_secure_terminal(struct task_struct *task)
54689 +{
54690 + struct task_struct *p, *p2, *p3;
54691 + struct files_struct *files;
54692 + struct fdtable *fdt;
54693 + struct file *our_file = NULL, *file;
54694 + int i;
54695 +
54696 + if (task->signal->tty == NULL)
54697 + return 1;
54698 +
54699 + files = get_files_struct(task);
54700 + if (files != NULL) {
54701 + rcu_read_lock();
54702 + fdt = files_fdtable(files);
54703 + for (i=0; i < fdt->max_fds; i++) {
54704 + file = fcheck_files(files, i);
54705 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
54706 + get_file(file);
54707 + our_file = file;
54708 + }
54709 + }
54710 + rcu_read_unlock();
54711 + put_files_struct(files);
54712 + }
54713 +
54714 + if (our_file == NULL)
54715 + return 1;
54716 +
54717 + read_lock(&tasklist_lock);
54718 + do_each_thread(p2, p) {
54719 + files = get_files_struct(p);
54720 + if (files == NULL ||
54721 + (p->signal && p->signal->tty == task->signal->tty)) {
54722 + if (files != NULL)
54723 + put_files_struct(files);
54724 + continue;
54725 + }
54726 + rcu_read_lock();
54727 + fdt = files_fdtable(files);
54728 + for (i=0; i < fdt->max_fds; i++) {
54729 + file = fcheck_files(files, i);
54730 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
54731 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
54732 + p3 = task;
54733 + while (p3->pid > 0) {
54734 + if (p3 == p)
54735 + break;
54736 + p3 = p3->real_parent;
54737 + }
54738 + if (p3 == p)
54739 + break;
54740 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
54741 + gr_handle_alertkill(p);
54742 + rcu_read_unlock();
54743 + put_files_struct(files);
54744 + read_unlock(&tasklist_lock);
54745 + fput(our_file);
54746 + return 0;
54747 + }
54748 + }
54749 + rcu_read_unlock();
54750 + put_files_struct(files);
54751 + } while_each_thread(p2, p);
54752 + read_unlock(&tasklist_lock);
54753 +
54754 + fput(our_file);
54755 + return 1;
54756 +}
54757 +
54758 +ssize_t
54759 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
54760 +{
54761 + struct gr_arg_wrapper uwrap;
54762 + unsigned char *sprole_salt = NULL;
54763 + unsigned char *sprole_sum = NULL;
54764 + int error = sizeof (struct gr_arg_wrapper);
54765 + int error2 = 0;
54766 +
54767 + mutex_lock(&gr_dev_mutex);
54768 +
54769 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
54770 + error = -EPERM;
54771 + goto out;
54772 + }
54773 +
54774 + if (count != sizeof (struct gr_arg_wrapper)) {
54775 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
54776 + error = -EINVAL;
54777 + goto out;
54778 + }
54779 +
54780 +
54781 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
54782 + gr_auth_expires = 0;
54783 + gr_auth_attempts = 0;
54784 + }
54785 +
54786 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
54787 + error = -EFAULT;
54788 + goto out;
54789 + }
54790 +
54791 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
54792 + error = -EINVAL;
54793 + goto out;
54794 + }
54795 +
54796 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
54797 + error = -EFAULT;
54798 + goto out;
54799 + }
54800 +
54801 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54802 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54803 + time_after(gr_auth_expires, get_seconds())) {
54804 + error = -EBUSY;
54805 + goto out;
54806 + }
54807 +
54808 + /* if non-root trying to do anything other than use a special role,
54809 + do not attempt authentication, do not count towards authentication
54810 + locking
54811 + */
54812 +
54813 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
54814 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54815 + current_uid()) {
54816 + error = -EPERM;
54817 + goto out;
54818 + }
54819 +
54820 + /* ensure pw and special role name are null terminated */
54821 +
54822 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
54823 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
54824 +
54825 + /* Okay.
54826 + * We have our enough of the argument structure..(we have yet
54827 + * to copy_from_user the tables themselves) . Copy the tables
54828 + * only if we need them, i.e. for loading operations. */
54829 +
54830 + switch (gr_usermode->mode) {
54831 + case GR_STATUS:
54832 + if (gr_status & GR_READY) {
54833 + error = 1;
54834 + if (!gr_check_secure_terminal(current))
54835 + error = 3;
54836 + } else
54837 + error = 2;
54838 + goto out;
54839 + case GR_SHUTDOWN:
54840 + if ((gr_status & GR_READY)
54841 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54842 + pax_open_kernel();
54843 + gr_status &= ~GR_READY;
54844 + pax_close_kernel();
54845 +
54846 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
54847 + free_variables();
54848 + memset(gr_usermode, 0, sizeof (struct gr_arg));
54849 + memset(gr_system_salt, 0, GR_SALT_LEN);
54850 + memset(gr_system_sum, 0, GR_SHA_LEN);
54851 + } else if (gr_status & GR_READY) {
54852 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
54853 + error = -EPERM;
54854 + } else {
54855 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
54856 + error = -EAGAIN;
54857 + }
54858 + break;
54859 + case GR_ENABLE:
54860 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
54861 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
54862 + else {
54863 + if (gr_status & GR_READY)
54864 + error = -EAGAIN;
54865 + else
54866 + error = error2;
54867 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
54868 + }
54869 + break;
54870 + case GR_RELOAD:
54871 + if (!(gr_status & GR_READY)) {
54872 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
54873 + error = -EAGAIN;
54874 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54875 + preempt_disable();
54876 +
54877 + pax_open_kernel();
54878 + gr_status &= ~GR_READY;
54879 + pax_close_kernel();
54880 +
54881 + free_variables();
54882 + if (!(error2 = gracl_init(gr_usermode))) {
54883 + preempt_enable();
54884 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
54885 + } else {
54886 + preempt_enable();
54887 + error = error2;
54888 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54889 + }
54890 + } else {
54891 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54892 + error = -EPERM;
54893 + }
54894 + break;
54895 + case GR_SEGVMOD:
54896 + if (unlikely(!(gr_status & GR_READY))) {
54897 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
54898 + error = -EAGAIN;
54899 + break;
54900 + }
54901 +
54902 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54903 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
54904 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
54905 + struct acl_subject_label *segvacl;
54906 + segvacl =
54907 + lookup_acl_subj_label(gr_usermode->segv_inode,
54908 + gr_usermode->segv_device,
54909 + current->role);
54910 + if (segvacl) {
54911 + segvacl->crashes = 0;
54912 + segvacl->expires = 0;
54913 + }
54914 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
54915 + gr_remove_uid(gr_usermode->segv_uid);
54916 + }
54917 + } else {
54918 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
54919 + error = -EPERM;
54920 + }
54921 + break;
54922 + case GR_SPROLE:
54923 + case GR_SPROLEPAM:
54924 + if (unlikely(!(gr_status & GR_READY))) {
54925 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
54926 + error = -EAGAIN;
54927 + break;
54928 + }
54929 +
54930 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
54931 + current->role->expires = 0;
54932 + current->role->auth_attempts = 0;
54933 + }
54934 +
54935 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54936 + time_after(current->role->expires, get_seconds())) {
54937 + error = -EBUSY;
54938 + goto out;
54939 + }
54940 +
54941 + if (lookup_special_role_auth
54942 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
54943 + && ((!sprole_salt && !sprole_sum)
54944 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
54945 + char *p = "";
54946 + assign_special_role(gr_usermode->sp_role);
54947 + read_lock(&tasklist_lock);
54948 + if (current->real_parent)
54949 + p = current->real_parent->role->rolename;
54950 + read_unlock(&tasklist_lock);
54951 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
54952 + p, acl_sp_role_value);
54953 + } else {
54954 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
54955 + error = -EPERM;
54956 + if(!(current->role->auth_attempts++))
54957 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54958 +
54959 + goto out;
54960 + }
54961 + break;
54962 + case GR_UNSPROLE:
54963 + if (unlikely(!(gr_status & GR_READY))) {
54964 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
54965 + error = -EAGAIN;
54966 + break;
54967 + }
54968 +
54969 + if (current->role->roletype & GR_ROLE_SPECIAL) {
54970 + char *p = "";
54971 + int i = 0;
54972 +
54973 + read_lock(&tasklist_lock);
54974 + if (current->real_parent) {
54975 + p = current->real_parent->role->rolename;
54976 + i = current->real_parent->acl_role_id;
54977 + }
54978 + read_unlock(&tasklist_lock);
54979 +
54980 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
54981 + gr_set_acls(1);
54982 + } else {
54983 + error = -EPERM;
54984 + goto out;
54985 + }
54986 + break;
54987 + default:
54988 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
54989 + error = -EINVAL;
54990 + break;
54991 + }
54992 +
54993 + if (error != -EPERM)
54994 + goto out;
54995 +
54996 + if(!(gr_auth_attempts++))
54997 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54998 +
54999 + out:
55000 + mutex_unlock(&gr_dev_mutex);
55001 + return error;
55002 +}
55003 +
55004 +/* must be called with
55005 + rcu_read_lock();
55006 + read_lock(&tasklist_lock);
55007 + read_lock(&grsec_exec_file_lock);
55008 +*/
55009 +int gr_apply_subject_to_task(struct task_struct *task)
55010 +{
55011 + struct acl_object_label *obj;
55012 + char *tmpname;
55013 + struct acl_subject_label *tmpsubj;
55014 + struct file *filp;
55015 + struct name_entry *nmatch;
55016 +
55017 + filp = task->exec_file;
55018 + if (filp == NULL)
55019 + return 0;
55020 +
55021 + /* the following is to apply the correct subject
55022 + on binaries running when the RBAC system
55023 + is enabled, when the binaries have been
55024 + replaced or deleted since their execution
55025 + -----
55026 + when the RBAC system starts, the inode/dev
55027 + from exec_file will be one the RBAC system
55028 + is unaware of. It only knows the inode/dev
55029 + of the present file on disk, or the absence
55030 + of it.
55031 + */
55032 + preempt_disable();
55033 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55034 +
55035 + nmatch = lookup_name_entry(tmpname);
55036 + preempt_enable();
55037 + tmpsubj = NULL;
55038 + if (nmatch) {
55039 + if (nmatch->deleted)
55040 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55041 + else
55042 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55043 + if (tmpsubj != NULL)
55044 + task->acl = tmpsubj;
55045 + }
55046 + if (tmpsubj == NULL)
55047 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55048 + task->role);
55049 + if (task->acl) {
55050 + task->is_writable = 0;
55051 + /* ignore additional mmap checks for processes that are writable
55052 + by the default ACL */
55053 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55054 + if (unlikely(obj->mode & GR_WRITE))
55055 + task->is_writable = 1;
55056 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55057 + if (unlikely(obj->mode & GR_WRITE))
55058 + task->is_writable = 1;
55059 +
55060 + gr_set_proc_res(task);
55061 +
55062 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55063 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55064 +#endif
55065 + } else {
55066 + return 1;
55067 + }
55068 +
55069 + return 0;
55070 +}
55071 +
55072 +int
55073 +gr_set_acls(const int type)
55074 +{
55075 + struct task_struct *task, *task2;
55076 + struct acl_role_label *role = current->role;
55077 + __u16 acl_role_id = current->acl_role_id;
55078 + const struct cred *cred;
55079 + int ret;
55080 +
55081 + rcu_read_lock();
55082 + read_lock(&tasklist_lock);
55083 + read_lock(&grsec_exec_file_lock);
55084 + do_each_thread(task2, task) {
55085 + /* check to see if we're called from the exit handler,
55086 + if so, only replace ACLs that have inherited the admin
55087 + ACL */
55088 +
55089 + if (type && (task->role != role ||
55090 + task->acl_role_id != acl_role_id))
55091 + continue;
55092 +
55093 + task->acl_role_id = 0;
55094 + task->acl_sp_role = 0;
55095 +
55096 + if (task->exec_file) {
55097 + cred = __task_cred(task);
55098 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55099 + ret = gr_apply_subject_to_task(task);
55100 + if (ret) {
55101 + read_unlock(&grsec_exec_file_lock);
55102 + read_unlock(&tasklist_lock);
55103 + rcu_read_unlock();
55104 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55105 + return ret;
55106 + }
55107 + } else {
55108 + // it's a kernel process
55109 + task->role = kernel_role;
55110 + task->acl = kernel_role->root_label;
55111 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55112 + task->acl->mode &= ~GR_PROCFIND;
55113 +#endif
55114 + }
55115 + } while_each_thread(task2, task);
55116 + read_unlock(&grsec_exec_file_lock);
55117 + read_unlock(&tasklist_lock);
55118 + rcu_read_unlock();
55119 +
55120 + return 0;
55121 +}
55122 +
55123 +void
55124 +gr_learn_resource(const struct task_struct *task,
55125 + const int res, const unsigned long wanted, const int gt)
55126 +{
55127 + struct acl_subject_label *acl;
55128 + const struct cred *cred;
55129 +
55130 + if (unlikely((gr_status & GR_READY) &&
55131 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55132 + goto skip_reslog;
55133 +
55134 +#ifdef CONFIG_GRKERNSEC_RESLOG
55135 + gr_log_resource(task, res, wanted, gt);
55136 +#endif
55137 + skip_reslog:
55138 +
55139 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55140 + return;
55141 +
55142 + acl = task->acl;
55143 +
55144 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55145 + !(acl->resmask & (1 << (unsigned short) res))))
55146 + return;
55147 +
55148 + if (wanted >= acl->res[res].rlim_cur) {
55149 + unsigned long res_add;
55150 +
55151 + res_add = wanted;
55152 + switch (res) {
55153 + case RLIMIT_CPU:
55154 + res_add += GR_RLIM_CPU_BUMP;
55155 + break;
55156 + case RLIMIT_FSIZE:
55157 + res_add += GR_RLIM_FSIZE_BUMP;
55158 + break;
55159 + case RLIMIT_DATA:
55160 + res_add += GR_RLIM_DATA_BUMP;
55161 + break;
55162 + case RLIMIT_STACK:
55163 + res_add += GR_RLIM_STACK_BUMP;
55164 + break;
55165 + case RLIMIT_CORE:
55166 + res_add += GR_RLIM_CORE_BUMP;
55167 + break;
55168 + case RLIMIT_RSS:
55169 + res_add += GR_RLIM_RSS_BUMP;
55170 + break;
55171 + case RLIMIT_NPROC:
55172 + res_add += GR_RLIM_NPROC_BUMP;
55173 + break;
55174 + case RLIMIT_NOFILE:
55175 + res_add += GR_RLIM_NOFILE_BUMP;
55176 + break;
55177 + case RLIMIT_MEMLOCK:
55178 + res_add += GR_RLIM_MEMLOCK_BUMP;
55179 + break;
55180 + case RLIMIT_AS:
55181 + res_add += GR_RLIM_AS_BUMP;
55182 + break;
55183 + case RLIMIT_LOCKS:
55184 + res_add += GR_RLIM_LOCKS_BUMP;
55185 + break;
55186 + case RLIMIT_SIGPENDING:
55187 + res_add += GR_RLIM_SIGPENDING_BUMP;
55188 + break;
55189 + case RLIMIT_MSGQUEUE:
55190 + res_add += GR_RLIM_MSGQUEUE_BUMP;
55191 + break;
55192 + case RLIMIT_NICE:
55193 + res_add += GR_RLIM_NICE_BUMP;
55194 + break;
55195 + case RLIMIT_RTPRIO:
55196 + res_add += GR_RLIM_RTPRIO_BUMP;
55197 + break;
55198 + case RLIMIT_RTTIME:
55199 + res_add += GR_RLIM_RTTIME_BUMP;
55200 + break;
55201 + }
55202 +
55203 + acl->res[res].rlim_cur = res_add;
55204 +
55205 + if (wanted > acl->res[res].rlim_max)
55206 + acl->res[res].rlim_max = res_add;
55207 +
55208 + /* only log the subject filename, since resource logging is supported for
55209 + single-subject learning only */
55210 + rcu_read_lock();
55211 + cred = __task_cred(task);
55212 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55213 + task->role->roletype, cred->uid, cred->gid, acl->filename,
55214 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55215 + "", (unsigned long) res, &task->signal->saved_ip);
55216 + rcu_read_unlock();
55217 + }
55218 +
55219 + return;
55220 +}
55221 +
55222 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55223 +void
55224 +pax_set_initial_flags(struct linux_binprm *bprm)
55225 +{
55226 + struct task_struct *task = current;
55227 + struct acl_subject_label *proc;
55228 + unsigned long flags;
55229 +
55230 + if (unlikely(!(gr_status & GR_READY)))
55231 + return;
55232 +
55233 + flags = pax_get_flags(task);
55234 +
55235 + proc = task->acl;
55236 +
55237 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55238 + flags &= ~MF_PAX_PAGEEXEC;
55239 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55240 + flags &= ~MF_PAX_SEGMEXEC;
55241 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55242 + flags &= ~MF_PAX_RANDMMAP;
55243 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55244 + flags &= ~MF_PAX_EMUTRAMP;
55245 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55246 + flags &= ~MF_PAX_MPROTECT;
55247 +
55248 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55249 + flags |= MF_PAX_PAGEEXEC;
55250 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55251 + flags |= MF_PAX_SEGMEXEC;
55252 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55253 + flags |= MF_PAX_RANDMMAP;
55254 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55255 + flags |= MF_PAX_EMUTRAMP;
55256 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55257 + flags |= MF_PAX_MPROTECT;
55258 +
55259 + pax_set_flags(task, flags);
55260 +
55261 + return;
55262 +}
55263 +#endif
55264 +
55265 +#ifdef CONFIG_SYSCTL
55266 +/* Eric Biederman likes breaking userland ABI and every inode-based security
55267 + system to save 35kb of memory */
55268 +
55269 +/* we modify the passed in filename, but adjust it back before returning */
55270 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55271 +{
55272 + struct name_entry *nmatch;
55273 + char *p, *lastp = NULL;
55274 + struct acl_object_label *obj = NULL, *tmp;
55275 + struct acl_subject_label *tmpsubj;
55276 + char c = '\0';
55277 +
55278 + read_lock(&gr_inode_lock);
55279 +
55280 + p = name + len - 1;
55281 + do {
55282 + nmatch = lookup_name_entry(name);
55283 + if (lastp != NULL)
55284 + *lastp = c;
55285 +
55286 + if (nmatch == NULL)
55287 + goto next_component;
55288 + tmpsubj = current->acl;
55289 + do {
55290 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55291 + if (obj != NULL) {
55292 + tmp = obj->globbed;
55293 + while (tmp) {
55294 + if (!glob_match(tmp->filename, name)) {
55295 + obj = tmp;
55296 + goto found_obj;
55297 + }
55298 + tmp = tmp->next;
55299 + }
55300 + goto found_obj;
55301 + }
55302 + } while ((tmpsubj = tmpsubj->parent_subject));
55303 +next_component:
55304 + /* end case */
55305 + if (p == name)
55306 + break;
55307 +
55308 + while (*p != '/')
55309 + p--;
55310 + if (p == name)
55311 + lastp = p + 1;
55312 + else {
55313 + lastp = p;
55314 + p--;
55315 + }
55316 + c = *lastp;
55317 + *lastp = '\0';
55318 + } while (1);
55319 +found_obj:
55320 + read_unlock(&gr_inode_lock);
55321 + /* obj returned will always be non-null */
55322 + return obj;
55323 +}
55324 +
55325 +/* returns 0 when allowing, non-zero on error
55326 + op of 0 is used for readdir, so we don't log the names of hidden files
55327 +*/
55328 +__u32
55329 +gr_handle_sysctl(const struct ctl_table *table, const int op)
55330 +{
55331 + struct ctl_table *tmp;
55332 + const char *proc_sys = "/proc/sys";
55333 + char *path;
55334 + struct acl_object_label *obj;
55335 + unsigned short len = 0, pos = 0, depth = 0, i;
55336 + __u32 err = 0;
55337 + __u32 mode = 0;
55338 +
55339 + if (unlikely(!(gr_status & GR_READY)))
55340 + return 0;
55341 +
55342 + /* for now, ignore operations on non-sysctl entries if it's not a
55343 + readdir*/
55344 + if (table->child != NULL && op != 0)
55345 + return 0;
55346 +
55347 + mode |= GR_FIND;
55348 + /* it's only a read if it's an entry, read on dirs is for readdir */
55349 + if (op & MAY_READ)
55350 + mode |= GR_READ;
55351 + if (op & MAY_WRITE)
55352 + mode |= GR_WRITE;
55353 +
55354 + preempt_disable();
55355 +
55356 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55357 +
55358 + /* it's only a read/write if it's an actual entry, not a dir
55359 + (which are opened for readdir)
55360 + */
55361 +
55362 + /* convert the requested sysctl entry into a pathname */
55363 +
55364 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55365 + len += strlen(tmp->procname);
55366 + len++;
55367 + depth++;
55368 + }
55369 +
55370 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55371 + /* deny */
55372 + goto out;
55373 + }
55374 +
55375 + memset(path, 0, PAGE_SIZE);
55376 +
55377 + memcpy(path, proc_sys, strlen(proc_sys));
55378 +
55379 + pos += strlen(proc_sys);
55380 +
55381 + for (; depth > 0; depth--) {
55382 + path[pos] = '/';
55383 + pos++;
55384 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55385 + if (depth == i) {
55386 + memcpy(path + pos, tmp->procname,
55387 + strlen(tmp->procname));
55388 + pos += strlen(tmp->procname);
55389 + }
55390 + i++;
55391 + }
55392 + }
55393 +
55394 + obj = gr_lookup_by_name(path, pos);
55395 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55396 +
55397 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55398 + ((err & mode) != mode))) {
55399 + __u32 new_mode = mode;
55400 +
55401 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55402 +
55403 + err = 0;
55404 + gr_log_learn_sysctl(path, new_mode);
55405 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55406 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55407 + err = -ENOENT;
55408 + } else if (!(err & GR_FIND)) {
55409 + err = -ENOENT;
55410 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55411 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55412 + path, (mode & GR_READ) ? " reading" : "",
55413 + (mode & GR_WRITE) ? " writing" : "");
55414 + err = -EACCES;
55415 + } else if ((err & mode) != mode) {
55416 + err = -EACCES;
55417 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55418 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55419 + path, (mode & GR_READ) ? " reading" : "",
55420 + (mode & GR_WRITE) ? " writing" : "");
55421 + err = 0;
55422 + } else
55423 + err = 0;
55424 +
55425 + out:
55426 + preempt_enable();
55427 +
55428 + return err;
55429 +}
55430 +#endif
55431 +
55432 +int
55433 +gr_handle_proc_ptrace(struct task_struct *task)
55434 +{
55435 + struct file *filp;
55436 + struct task_struct *tmp = task;
55437 + struct task_struct *curtemp = current;
55438 + __u32 retmode;
55439 +
55440 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55441 + if (unlikely(!(gr_status & GR_READY)))
55442 + return 0;
55443 +#endif
55444 +
55445 + read_lock(&tasklist_lock);
55446 + read_lock(&grsec_exec_file_lock);
55447 + filp = task->exec_file;
55448 +
55449 + while (tmp->pid > 0) {
55450 + if (tmp == curtemp)
55451 + break;
55452 + tmp = tmp->real_parent;
55453 + }
55454 +
55455 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55456 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55457 + read_unlock(&grsec_exec_file_lock);
55458 + read_unlock(&tasklist_lock);
55459 + return 1;
55460 + }
55461 +
55462 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55463 + if (!(gr_status & GR_READY)) {
55464 + read_unlock(&grsec_exec_file_lock);
55465 + read_unlock(&tasklist_lock);
55466 + return 0;
55467 + }
55468 +#endif
55469 +
55470 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55471 + read_unlock(&grsec_exec_file_lock);
55472 + read_unlock(&tasklist_lock);
55473 +
55474 + if (retmode & GR_NOPTRACE)
55475 + return 1;
55476 +
55477 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55478 + && (current->acl != task->acl || (current->acl != current->role->root_label
55479 + && current->pid != task->pid)))
55480 + return 1;
55481 +
55482 + return 0;
55483 +}
55484 +
55485 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55486 +{
55487 + if (unlikely(!(gr_status & GR_READY)))
55488 + return;
55489 +
55490 + if (!(current->role->roletype & GR_ROLE_GOD))
55491 + return;
55492 +
55493 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55494 + p->role->rolename, gr_task_roletype_to_char(p),
55495 + p->acl->filename);
55496 +}
55497 +
55498 +int
55499 +gr_handle_ptrace(struct task_struct *task, const long request)
55500 +{
55501 + struct task_struct *tmp = task;
55502 + struct task_struct *curtemp = current;
55503 + __u32 retmode;
55504 +
55505 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55506 + if (unlikely(!(gr_status & GR_READY)))
55507 + return 0;
55508 +#endif
55509 +
55510 + read_lock(&tasklist_lock);
55511 + while (tmp->pid > 0) {
55512 + if (tmp == curtemp)
55513 + break;
55514 + tmp = tmp->real_parent;
55515 + }
55516 +
55517 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55518 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
55519 + read_unlock(&tasklist_lock);
55520 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55521 + return 1;
55522 + }
55523 + read_unlock(&tasklist_lock);
55524 +
55525 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55526 + if (!(gr_status & GR_READY))
55527 + return 0;
55528 +#endif
55529 +
55530 + read_lock(&grsec_exec_file_lock);
55531 + if (unlikely(!task->exec_file)) {
55532 + read_unlock(&grsec_exec_file_lock);
55533 + return 0;
55534 + }
55535 +
55536 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
55537 + read_unlock(&grsec_exec_file_lock);
55538 +
55539 + if (retmode & GR_NOPTRACE) {
55540 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55541 + return 1;
55542 + }
55543 +
55544 + if (retmode & GR_PTRACERD) {
55545 + switch (request) {
55546 + case PTRACE_POKETEXT:
55547 + case PTRACE_POKEDATA:
55548 + case PTRACE_POKEUSR:
55549 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
55550 + case PTRACE_SETREGS:
55551 + case PTRACE_SETFPREGS:
55552 +#endif
55553 +#ifdef CONFIG_X86
55554 + case PTRACE_SETFPXREGS:
55555 +#endif
55556 +#ifdef CONFIG_ALTIVEC
55557 + case PTRACE_SETVRREGS:
55558 +#endif
55559 + return 1;
55560 + default:
55561 + return 0;
55562 + }
55563 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
55564 + !(current->role->roletype & GR_ROLE_GOD) &&
55565 + (current->acl != task->acl)) {
55566 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55567 + return 1;
55568 + }
55569 +
55570 + return 0;
55571 +}
55572 +
55573 +static int is_writable_mmap(const struct file *filp)
55574 +{
55575 + struct task_struct *task = current;
55576 + struct acl_object_label *obj, *obj2;
55577 +
55578 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
55579 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
55580 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55581 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
55582 + task->role->root_label);
55583 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
55584 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
55585 + return 1;
55586 + }
55587 + }
55588 + return 0;
55589 +}
55590 +
55591 +int
55592 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
55593 +{
55594 + __u32 mode;
55595 +
55596 + if (unlikely(!file || !(prot & PROT_EXEC)))
55597 + return 1;
55598 +
55599 + if (is_writable_mmap(file))
55600 + return 0;
55601 +
55602 + mode =
55603 + gr_search_file(file->f_path.dentry,
55604 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55605 + file->f_path.mnt);
55606 +
55607 + if (!gr_tpe_allow(file))
55608 + return 0;
55609 +
55610 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55611 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55612 + return 0;
55613 + } else if (unlikely(!(mode & GR_EXEC))) {
55614 + return 0;
55615 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55616 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55617 + return 1;
55618 + }
55619 +
55620 + return 1;
55621 +}
55622 +
55623 +int
55624 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55625 +{
55626 + __u32 mode;
55627 +
55628 + if (unlikely(!file || !(prot & PROT_EXEC)))
55629 + return 1;
55630 +
55631 + if (is_writable_mmap(file))
55632 + return 0;
55633 +
55634 + mode =
55635 + gr_search_file(file->f_path.dentry,
55636 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55637 + file->f_path.mnt);
55638 +
55639 + if (!gr_tpe_allow(file))
55640 + return 0;
55641 +
55642 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55643 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55644 + return 0;
55645 + } else if (unlikely(!(mode & GR_EXEC))) {
55646 + return 0;
55647 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55648 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55649 + return 1;
55650 + }
55651 +
55652 + return 1;
55653 +}
55654 +
55655 +void
55656 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55657 +{
55658 + unsigned long runtime;
55659 + unsigned long cputime;
55660 + unsigned int wday, cday;
55661 + __u8 whr, chr;
55662 + __u8 wmin, cmin;
55663 + __u8 wsec, csec;
55664 + struct timespec timeval;
55665 +
55666 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
55667 + !(task->acl->mode & GR_PROCACCT)))
55668 + return;
55669 +
55670 + do_posix_clock_monotonic_gettime(&timeval);
55671 + runtime = timeval.tv_sec - task->start_time.tv_sec;
55672 + wday = runtime / (3600 * 24);
55673 + runtime -= wday * (3600 * 24);
55674 + whr = runtime / 3600;
55675 + runtime -= whr * 3600;
55676 + wmin = runtime / 60;
55677 + runtime -= wmin * 60;
55678 + wsec = runtime;
55679 +
55680 + cputime = (task->utime + task->stime) / HZ;
55681 + cday = cputime / (3600 * 24);
55682 + cputime -= cday * (3600 * 24);
55683 + chr = cputime / 3600;
55684 + cputime -= chr * 3600;
55685 + cmin = cputime / 60;
55686 + cputime -= cmin * 60;
55687 + csec = cputime;
55688 +
55689 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
55690 +
55691 + return;
55692 +}
55693 +
55694 +void gr_set_kernel_label(struct task_struct *task)
55695 +{
55696 + if (gr_status & GR_READY) {
55697 + task->role = kernel_role;
55698 + task->acl = kernel_role->root_label;
55699 + }
55700 + return;
55701 +}
55702 +
55703 +#ifdef CONFIG_TASKSTATS
55704 +int gr_is_taskstats_denied(int pid)
55705 +{
55706 + struct task_struct *task;
55707 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55708 + const struct cred *cred;
55709 +#endif
55710 + int ret = 0;
55711 +
55712 + /* restrict taskstats viewing to un-chrooted root users
55713 + who have the 'view' subject flag if the RBAC system is enabled
55714 + */
55715 +
55716 + rcu_read_lock();
55717 + read_lock(&tasklist_lock);
55718 + task = find_task_by_vpid(pid);
55719 + if (task) {
55720 +#ifdef CONFIG_GRKERNSEC_CHROOT
55721 + if (proc_is_chrooted(task))
55722 + ret = -EACCES;
55723 +#endif
55724 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55725 + cred = __task_cred(task);
55726 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55727 + if (cred->uid != 0)
55728 + ret = -EACCES;
55729 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55730 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
55731 + ret = -EACCES;
55732 +#endif
55733 +#endif
55734 + if (gr_status & GR_READY) {
55735 + if (!(task->acl->mode & GR_VIEW))
55736 + ret = -EACCES;
55737 + }
55738 + } else
55739 + ret = -ENOENT;
55740 +
55741 + read_unlock(&tasklist_lock);
55742 + rcu_read_unlock();
55743 +
55744 + return ret;
55745 +}
55746 +#endif
55747 +
55748 +/* AUXV entries are filled via a descendant of search_binary_handler
55749 + after we've already applied the subject for the target
55750 +*/
55751 +int gr_acl_enable_at_secure(void)
55752 +{
55753 + if (unlikely(!(gr_status & GR_READY)))
55754 + return 0;
55755 +
55756 + if (current->acl->mode & GR_ATSECURE)
55757 + return 1;
55758 +
55759 + return 0;
55760 +}
55761 +
55762 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
55763 +{
55764 + struct task_struct *task = current;
55765 + struct dentry *dentry = file->f_path.dentry;
55766 + struct vfsmount *mnt = file->f_path.mnt;
55767 + struct acl_object_label *obj, *tmp;
55768 + struct acl_subject_label *subj;
55769 + unsigned int bufsize;
55770 + int is_not_root;
55771 + char *path;
55772 + dev_t dev = __get_dev(dentry);
55773 +
55774 + if (unlikely(!(gr_status & GR_READY)))
55775 + return 1;
55776 +
55777 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55778 + return 1;
55779 +
55780 + /* ignore Eric Biederman */
55781 + if (IS_PRIVATE(dentry->d_inode))
55782 + return 1;
55783 +
55784 + subj = task->acl;
55785 + do {
55786 + obj = lookup_acl_obj_label(ino, dev, subj);
55787 + if (obj != NULL)
55788 + return (obj->mode & GR_FIND) ? 1 : 0;
55789 + } while ((subj = subj->parent_subject));
55790 +
55791 + /* this is purely an optimization since we're looking for an object
55792 + for the directory we're doing a readdir on
55793 + if it's possible for any globbed object to match the entry we're
55794 + filling into the directory, then the object we find here will be
55795 + an anchor point with attached globbed objects
55796 + */
55797 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
55798 + if (obj->globbed == NULL)
55799 + return (obj->mode & GR_FIND) ? 1 : 0;
55800 +
55801 + is_not_root = ((obj->filename[0] == '/') &&
55802 + (obj->filename[1] == '\0')) ? 0 : 1;
55803 + bufsize = PAGE_SIZE - namelen - is_not_root;
55804 +
55805 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
55806 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
55807 + return 1;
55808 +
55809 + preempt_disable();
55810 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
55811 + bufsize);
55812 +
55813 + bufsize = strlen(path);
55814 +
55815 + /* if base is "/", don't append an additional slash */
55816 + if (is_not_root)
55817 + *(path + bufsize) = '/';
55818 + memcpy(path + bufsize + is_not_root, name, namelen);
55819 + *(path + bufsize + namelen + is_not_root) = '\0';
55820 +
55821 + tmp = obj->globbed;
55822 + while (tmp) {
55823 + if (!glob_match(tmp->filename, path)) {
55824 + preempt_enable();
55825 + return (tmp->mode & GR_FIND) ? 1 : 0;
55826 + }
55827 + tmp = tmp->next;
55828 + }
55829 + preempt_enable();
55830 + return (obj->mode & GR_FIND) ? 1 : 0;
55831 +}
55832 +
55833 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
55834 +EXPORT_SYMBOL(gr_acl_is_enabled);
55835 +#endif
55836 +EXPORT_SYMBOL(gr_learn_resource);
55837 +EXPORT_SYMBOL(gr_set_kernel_label);
55838 +#ifdef CONFIG_SECURITY
55839 +EXPORT_SYMBOL(gr_check_user_change);
55840 +EXPORT_SYMBOL(gr_check_group_change);
55841 +#endif
55842 +
55843 diff -urNp linux-2.6.39.3/grsecurity/gracl_cap.c linux-2.6.39.3/grsecurity/gracl_cap.c
55844 --- linux-2.6.39.3/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
55845 +++ linux-2.6.39.3/grsecurity/gracl_cap.c 2011-05-22 19:41:42.000000000 -0400
55846 @@ -0,0 +1,139 @@
55847 +#include <linux/kernel.h>
55848 +#include <linux/module.h>
55849 +#include <linux/sched.h>
55850 +#include <linux/gracl.h>
55851 +#include <linux/grsecurity.h>
55852 +#include <linux/grinternal.h>
55853 +
55854 +static const char *captab_log[] = {
55855 + "CAP_CHOWN",
55856 + "CAP_DAC_OVERRIDE",
55857 + "CAP_DAC_READ_SEARCH",
55858 + "CAP_FOWNER",
55859 + "CAP_FSETID",
55860 + "CAP_KILL",
55861 + "CAP_SETGID",
55862 + "CAP_SETUID",
55863 + "CAP_SETPCAP",
55864 + "CAP_LINUX_IMMUTABLE",
55865 + "CAP_NET_BIND_SERVICE",
55866 + "CAP_NET_BROADCAST",
55867 + "CAP_NET_ADMIN",
55868 + "CAP_NET_RAW",
55869 + "CAP_IPC_LOCK",
55870 + "CAP_IPC_OWNER",
55871 + "CAP_SYS_MODULE",
55872 + "CAP_SYS_RAWIO",
55873 + "CAP_SYS_CHROOT",
55874 + "CAP_SYS_PTRACE",
55875 + "CAP_SYS_PACCT",
55876 + "CAP_SYS_ADMIN",
55877 + "CAP_SYS_BOOT",
55878 + "CAP_SYS_NICE",
55879 + "CAP_SYS_RESOURCE",
55880 + "CAP_SYS_TIME",
55881 + "CAP_SYS_TTY_CONFIG",
55882 + "CAP_MKNOD",
55883 + "CAP_LEASE",
55884 + "CAP_AUDIT_WRITE",
55885 + "CAP_AUDIT_CONTROL",
55886 + "CAP_SETFCAP",
55887 + "CAP_MAC_OVERRIDE",
55888 + "CAP_MAC_ADMIN",
55889 + "CAP_SYSLOG"
55890 +};
55891 +
55892 +EXPORT_SYMBOL(gr_is_capable);
55893 +EXPORT_SYMBOL(gr_is_capable_nolog);
55894 +
55895 +int
55896 +gr_is_capable(const int cap)
55897 +{
55898 + struct task_struct *task = current;
55899 + const struct cred *cred = current_cred();
55900 + struct acl_subject_label *curracl;
55901 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55902 + kernel_cap_t cap_audit = __cap_empty_set;
55903 +
55904 + if (!gr_acl_is_enabled())
55905 + return 1;
55906 +
55907 + curracl = task->acl;
55908 +
55909 + cap_drop = curracl->cap_lower;
55910 + cap_mask = curracl->cap_mask;
55911 + cap_audit = curracl->cap_invert_audit;
55912 +
55913 + while ((curracl = curracl->parent_subject)) {
55914 + /* if the cap isn't specified in the current computed mask but is specified in the
55915 + current level subject, and is lowered in the current level subject, then add
55916 + it to the set of dropped capabilities
55917 + otherwise, add the current level subject's mask to the current computed mask
55918 + */
55919 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55920 + cap_raise(cap_mask, cap);
55921 + if (cap_raised(curracl->cap_lower, cap))
55922 + cap_raise(cap_drop, cap);
55923 + if (cap_raised(curracl->cap_invert_audit, cap))
55924 + cap_raise(cap_audit, cap);
55925 + }
55926 + }
55927 +
55928 + if (!cap_raised(cap_drop, cap)) {
55929 + if (cap_raised(cap_audit, cap))
55930 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
55931 + return 1;
55932 + }
55933 +
55934 + curracl = task->acl;
55935 +
55936 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
55937 + && cap_raised(cred->cap_effective, cap)) {
55938 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55939 + task->role->roletype, cred->uid,
55940 + cred->gid, task->exec_file ?
55941 + gr_to_filename(task->exec_file->f_path.dentry,
55942 + task->exec_file->f_path.mnt) : curracl->filename,
55943 + curracl->filename, 0UL,
55944 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
55945 + return 1;
55946 + }
55947 +
55948 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
55949 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
55950 + return 0;
55951 +}
55952 +
55953 +int
55954 +gr_is_capable_nolog(const int cap)
55955 +{
55956 + struct acl_subject_label *curracl;
55957 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55958 +
55959 + if (!gr_acl_is_enabled())
55960 + return 1;
55961 +
55962 + curracl = current->acl;
55963 +
55964 + cap_drop = curracl->cap_lower;
55965 + cap_mask = curracl->cap_mask;
55966 +
55967 + while ((curracl = curracl->parent_subject)) {
55968 + /* if the cap isn't specified in the current computed mask but is specified in the
55969 + current level subject, and is lowered in the current level subject, then add
55970 + it to the set of dropped capabilities
55971 + otherwise, add the current level subject's mask to the current computed mask
55972 + */
55973 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55974 + cap_raise(cap_mask, cap);
55975 + if (cap_raised(curracl->cap_lower, cap))
55976 + cap_raise(cap_drop, cap);
55977 + }
55978 + }
55979 +
55980 + if (!cap_raised(cap_drop, cap))
55981 + return 1;
55982 +
55983 + return 0;
55984 +}
55985 +
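Review bot: In gr_is_capable the allow-and-audit path passes `captab_log[cap]` to gr_log_cap with no range check, while the deny path at the end of the same function guards the index with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. If a capability number beyond the last table entry can reach this function (for example on a kernel that defines a capability captab_log lacks), the audit branch would read past the array and log whatever pointer lies there. I would guard it the same way, `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. A `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` inside the function would also catch the table falling out of step with the kernel's capability list at build time.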
55986 diff -urNp linux-2.6.39.3/grsecurity/gracl_fs.c linux-2.6.39.3/grsecurity/gracl_fs.c
55987 --- linux-2.6.39.3/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
55988 +++ linux-2.6.39.3/grsecurity/gracl_fs.c 2011-05-22 19:41:42.000000000 -0400
55989 @@ -0,0 +1,431 @@
55990 +#include <linux/kernel.h>
55991 +#include <linux/sched.h>
55992 +#include <linux/types.h>
55993 +#include <linux/fs.h>
55994 +#include <linux/file.h>
55995 +#include <linux/stat.h>
55996 +#include <linux/grsecurity.h>
55997 +#include <linux/grinternal.h>
55998 +#include <linux/gracl.h>
55999 +
56000 +__u32
56001 +gr_acl_handle_hidden_file(const struct dentry * dentry,
56002 + const struct vfsmount * mnt)
56003 +{
56004 + __u32 mode;
56005 +
56006 + if (unlikely(!dentry->d_inode))
56007 + return GR_FIND;
56008 +
56009 + mode =
56010 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56011 +
56012 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56013 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56014 + return mode;
56015 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56016 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56017 + return 0;
56018 + } else if (unlikely(!(mode & GR_FIND)))
56019 + return 0;
56020 +
56021 + return GR_FIND;
56022 +}
56023 +
56024 +__u32
56025 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56026 + const int fmode)
56027 +{
56028 + __u32 reqmode = GR_FIND;
56029 + __u32 mode;
56030 +
56031 + if (unlikely(!dentry->d_inode))
56032 + return reqmode;
56033 +
56034 + if (unlikely(fmode & O_APPEND))
56035 + reqmode |= GR_APPEND;
56036 + else if (unlikely(fmode & FMODE_WRITE))
56037 + reqmode |= GR_WRITE;
56038 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56039 + reqmode |= GR_READ;
56040 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
56041 + reqmode &= ~GR_READ;
56042 + mode =
56043 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56044 + mnt);
56045 +
56046 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56047 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56048 + reqmode & GR_READ ? " reading" : "",
56049 + reqmode & GR_WRITE ? " writing" : reqmode &
56050 + GR_APPEND ? " appending" : "");
56051 + return reqmode;
56052 + } else
56053 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56054 + {
56055 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56056 + reqmode & GR_READ ? " reading" : "",
56057 + reqmode & GR_WRITE ? " writing" : reqmode &
56058 + GR_APPEND ? " appending" : "");
56059 + return 0;
56060 + } else if (unlikely((mode & reqmode) != reqmode))
56061 + return 0;
56062 +
56063 + return reqmode;
56064 +}
56065 +
56066 +__u32
56067 +gr_acl_handle_creat(const struct dentry * dentry,
56068 + const struct dentry * p_dentry,
56069 + const struct vfsmount * p_mnt, const int fmode,
56070 + const int imode)
56071 +{
56072 + __u32 reqmode = GR_WRITE | GR_CREATE;
56073 + __u32 mode;
56074 +
56075 + if (unlikely(fmode & O_APPEND))
56076 + reqmode |= GR_APPEND;
56077 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56078 + reqmode |= GR_READ;
56079 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
56080 + reqmode |= GR_SETID;
56081 +
56082 + mode =
56083 + gr_check_create(dentry, p_dentry, p_mnt,
56084 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56085 +
56086 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56087 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56088 + reqmode & GR_READ ? " reading" : "",
56089 + reqmode & GR_WRITE ? " writing" : reqmode &
56090 + GR_APPEND ? " appending" : "");
56091 + return reqmode;
56092 + } else
56093 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56094 + {
56095 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56096 + reqmode & GR_READ ? " reading" : "",
56097 + reqmode & GR_WRITE ? " writing" : reqmode &
56098 + GR_APPEND ? " appending" : "");
56099 + return 0;
56100 + } else if (unlikely((mode & reqmode) != reqmode))
56101 + return 0;
56102 +
56103 + return reqmode;
56104 +}
56105 +
56106 +__u32
56107 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56108 + const int fmode)
56109 +{
56110 + __u32 mode, reqmode = GR_FIND;
56111 +
56112 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56113 + reqmode |= GR_EXEC;
56114 + if (fmode & S_IWOTH)
56115 + reqmode |= GR_WRITE;
56116 + if (fmode & S_IROTH)
56117 + reqmode |= GR_READ;
56118 +
56119 + mode =
56120 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56121 + mnt);
56122 +
56123 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56124 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56125 + reqmode & GR_READ ? " reading" : "",
56126 + reqmode & GR_WRITE ? " writing" : "",
56127 + reqmode & GR_EXEC ? " executing" : "");
56128 + return reqmode;
56129 + } else
56130 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56131 + {
56132 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56133 + reqmode & GR_READ ? " reading" : "",
56134 + reqmode & GR_WRITE ? " writing" : "",
56135 + reqmode & GR_EXEC ? " executing" : "");
56136 + return 0;
56137 + } else if (unlikely((mode & reqmode) != reqmode))
56138 + return 0;
56139 +
56140 + return reqmode;
56141 +}
56142 +
56143 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56144 +{
56145 + __u32 mode;
56146 +
56147 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56148 +
56149 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56150 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56151 + return mode;
56152 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56153 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56154 + return 0;
56155 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56156 + return 0;
56157 +
56158 + return (reqmode);
56159 +}
56160 +
56161 +__u32
56162 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56163 +{
56164 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56165 +}
56166 +
56167 +__u32
56168 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56169 +{
56170 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56171 +}
56172 +
56173 +__u32
56174 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56175 +{
56176 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56177 +}
56178 +
56179 +__u32
56180 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56181 +{
56182 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56183 +}
56184 +
56185 +__u32
56186 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56187 + mode_t mode)
56188 +{
56189 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56190 + return 1;
56191 +
56192 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56193 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56194 + GR_FCHMOD_ACL_MSG);
56195 + } else {
56196 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56197 + }
56198 +}
56199 +
56200 +__u32
56201 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56202 + mode_t mode)
56203 +{
56204 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56205 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56206 + GR_CHMOD_ACL_MSG);
56207 + } else {
56208 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56209 + }
56210 +}
56211 +
56212 +__u32
56213 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56214 +{
56215 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56216 +}
56217 +
56218 +__u32
56219 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56220 +{
56221 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56222 +}
56223 +
56224 +__u32
56225 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56226 +{
56227 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56228 +}
56229 +
56230 +__u32
56231 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56232 +{
56233 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56234 + GR_UNIXCONNECT_ACL_MSG);
56235 +}
56236 +
56237 +/* hardlinks require at minimum create permission,
56238 + any additional privilege required is based on the
56239 + privilege of the file being linked to
56240 +*/
56241 +__u32
56242 +gr_acl_handle_link(const struct dentry * new_dentry,
56243 + const struct dentry * parent_dentry,
56244 + const struct vfsmount * parent_mnt,
56245 + const struct dentry * old_dentry,
56246 + const struct vfsmount * old_mnt, const char *to)
56247 +{
56248 + __u32 mode;
56249 + __u32 needmode = GR_CREATE | GR_LINK;
56250 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56251 +
56252 + mode =
56253 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56254 + old_mnt);
56255 +
56256 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56257 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56258 + return mode;
56259 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56260 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56261 + return 0;
56262 + } else if (unlikely((mode & needmode) != needmode))
56263 + return 0;
56264 +
56265 + return 1;
56266 +}
56267 +
56268 +__u32
56269 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56270 + const struct dentry * parent_dentry,
56271 + const struct vfsmount * parent_mnt, const char *from)
56272 +{
56273 + __u32 needmode = GR_WRITE | GR_CREATE;
56274 + __u32 mode;
56275 +
56276 + mode =
56277 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
56278 + GR_CREATE | GR_AUDIT_CREATE |
56279 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56280 +
56281 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56282 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56283 + return mode;
56284 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56285 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56286 + return 0;
56287 + } else if (unlikely((mode & needmode) != needmode))
56288 + return 0;
56289 +
56290 + return (GR_WRITE | GR_CREATE);
56291 +}
56292 +
56293 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56294 +{
56295 + __u32 mode;
56296 +
56297 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56298 +
56299 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56300 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56301 + return mode;
56302 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56303 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56304 + return 0;
56305 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56306 + return 0;
56307 +
56308 + return (reqmode);
56309 +}
56310 +
56311 +__u32
56312 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56313 + const struct dentry * parent_dentry,
56314 + const struct vfsmount * parent_mnt,
56315 + const int mode)
56316 +{
56317 + __u32 reqmode = GR_WRITE | GR_CREATE;
56318 + if (unlikely(mode & (S_ISUID | S_ISGID)))
56319 + reqmode |= GR_SETID;
56320 +
56321 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56322 + reqmode, GR_MKNOD_ACL_MSG);
56323 +}
56324 +
56325 +__u32
56326 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
56327 + const struct dentry *parent_dentry,
56328 + const struct vfsmount *parent_mnt)
56329 +{
56330 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56331 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56332 +}
56333 +
56334 +#define RENAME_CHECK_SUCCESS(old, new) \
56335 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56336 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56337 +
56338 +int
56339 +gr_acl_handle_rename(struct dentry *new_dentry,
56340 + struct dentry *parent_dentry,
56341 + const struct vfsmount *parent_mnt,
56342 + struct dentry *old_dentry,
56343 + struct inode *old_parent_inode,
56344 + struct vfsmount *old_mnt, const char *newname)
56345 +{
56346 + __u32 comp1, comp2;
56347 + int error = 0;
56348 +
56349 + if (unlikely(!gr_acl_is_enabled()))
56350 + return 0;
56351 +
56352 + if (!new_dentry->d_inode) {
56353 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56354 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56355 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56356 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56357 + GR_DELETE | GR_AUDIT_DELETE |
56358 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56359 + GR_SUPPRESS, old_mnt);
56360 + } else {
56361 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56362 + GR_CREATE | GR_DELETE |
56363 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56364 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56365 + GR_SUPPRESS, parent_mnt);
56366 + comp2 =
56367 + gr_search_file(old_dentry,
56368 + GR_READ | GR_WRITE | GR_AUDIT_READ |
56369 + GR_DELETE | GR_AUDIT_DELETE |
56370 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56371 + }
56372 +
56373 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56374 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56375 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56376 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56377 + && !(comp2 & GR_SUPPRESS)) {
56378 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56379 + error = -EACCES;
56380 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56381 + error = -EACCES;
56382 +
56383 + return error;
56384 +}
56385 +
56386 +void
56387 +gr_acl_handle_exit(void)
56388 +{
56389 + u16 id;
56390 + char *rolename;
56391 + struct file *exec_file;
56392 +
56393 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56394 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56395 + id = current->acl_role_id;
56396 + rolename = current->role->rolename;
56397 + gr_set_acls(1);
56398 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56399 + }
56400 +
56401 + write_lock(&grsec_exec_file_lock);
56402 + exec_file = current->exec_file;
56403 + current->exec_file = NULL;
56404 + write_unlock(&grsec_exec_file_lock);
56405 +
56406 + if (exec_file)
56407 + fput(exec_file);
56408 +}
56409 +
56410 +int
56411 +gr_acl_handle_procpidmem(const struct task_struct *task)
56412 +{
56413 + if (unlikely(!gr_acl_is_enabled()))
56414 + return 0;
56415 +
56416 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56417 + return -EACCES;
56418 +
56419 + return 0;
56420 +}
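Review bot: gr_acl_handle_symlink takes its allow-and-audit branch on `mode & GR_WRITE && mode & GR_AUDITS`, while both deny branches below it test the full `needmode` (`GR_WRITE | GR_CREATE`); the other handlers in this file compare the whole requested mask in their first branch. If gr_check_create (not visible in this hunk) can return GR_WRITE with an audit bit but without GR_CREATE, the function returns a non-zero mode and the create requirement is never enforced for that case. I would write the first test as `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. Separately, gr_acl_handle_access reads `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_open and gr_acl_handle_hidden_file have; if callers only ever pass positive dentries, a one-line comment stating that contract would help.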
56421 diff -urNp linux-2.6.39.3/grsecurity/gracl_ip.c linux-2.6.39.3/grsecurity/gracl_ip.c
56422 --- linux-2.6.39.3/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56423 +++ linux-2.6.39.3/grsecurity/gracl_ip.c 2011-05-22 22:47:31.000000000 -0400
56424 @@ -0,0 +1,381 @@
56425 +#include <linux/kernel.h>
56426 +#include <asm/uaccess.h>
56427 +#include <asm/errno.h>
56428 +#include <net/sock.h>
56429 +#include <linux/file.h>
56430 +#include <linux/fs.h>
56431 +#include <linux/net.h>
56432 +#include <linux/in.h>
56433 +#include <linux/skbuff.h>
56434 +#include <linux/ip.h>
56435 +#include <linux/udp.h>
56436 +#include <linux/types.h>
56437 +#include <linux/sched.h>
56438 +#include <linux/netdevice.h>
56439 +#include <linux/inetdevice.h>
56440 +#include <linux/gracl.h>
56441 +#include <linux/grsecurity.h>
56442 +#include <linux/grinternal.h>
56443 +
56444 +#define GR_BIND 0x01
56445 +#define GR_CONNECT 0x02
56446 +#define GR_INVERT 0x04
56447 +#define GR_BINDOVERRIDE 0x08
56448 +#define GR_CONNECTOVERRIDE 0x10
56449 +#define GR_SOCK_FAMILY 0x20
56450 +
56451 +static const char * gr_protocols[IPPROTO_MAX] = {
56452 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
56453 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
56454 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
56455 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
56456 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
56457 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
56458 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
56459 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
56460 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
56461 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
56462 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
56463 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
56464 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
56465 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
56466 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
56467 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
56468 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
56469 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
56470 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
56471 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
56472 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
56473 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
56474 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
56475 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
56476 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
56477 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
56478 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
56479 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
56480 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
56481 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
56482 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
56483 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
56484 + };
56485 +
56486 +static const char * gr_socktypes[SOCK_MAX] = {
56487 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
56488 + "unknown:7", "unknown:8", "unknown:9", "packet"
56489 + };
56490 +
56491 +static const char * gr_sockfamilies[AF_MAX+1] = {
56492 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
56493 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
56494 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
56495 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
56496 + };
56497 +
56498 +const char *
56499 +gr_proto_to_name(unsigned char proto)
56500 +{
56501 + return gr_protocols[proto];
56502 +}
56503 +
56504 +const char *
56505 +gr_socktype_to_name(unsigned char type)
56506 +{
56507 + return gr_socktypes[type];
56508 +}
56509 +
56510 +const char *
56511 +gr_sockfamily_to_name(unsigned char family)
56512 +{
56513 + return gr_sockfamilies[family];
56514 +}
56515 +
56516 +int
56517 +gr_search_socket(const int domain, const int type, const int protocol)
56518 +{
56519 + struct acl_subject_label *curr;
56520 + const struct cred *cred = current_cred();
56521 +
56522 + if (unlikely(!gr_acl_is_enabled()))
56523 + goto exit;
56524 +
56525 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
56526 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
56527 + goto exit; // let the kernel handle it
56528 +
56529 + curr = current->acl;
56530 +
56531 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
56532 + /* the family is allowed, if this is PF_INET allow it only if
56533 + the extra sock type/protocol checks pass */
56534 + if (domain == PF_INET)
56535 + goto inet_check;
56536 + goto exit;
56537 + } else {
56538 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56539 + __u32 fakeip = 0;
56540 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56541 + current->role->roletype, cred->uid,
56542 + cred->gid, current->exec_file ?
56543 + gr_to_filename(current->exec_file->f_path.dentry,
56544 + current->exec_file->f_path.mnt) :
56545 + curr->filename, curr->filename,
56546 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
56547 + &current->signal->saved_ip);
56548 + goto exit;
56549 + }
56550 + goto exit_fail;
56551 + }
56552 +
56553 +inet_check:
56554 + /* the rest of this checking is for IPv4 only */
56555 + if (!curr->ips)
56556 + goto exit;
56557 +
56558 + if ((curr->ip_type & (1 << type)) &&
56559 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
56560 + goto exit;
56561 +
56562 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56563 + /* we don't place acls on raw sockets , and sometimes
56564 + dgram/ip sockets are opened for ioctl and not
56565 + bind/connect, so we'll fake a bind learn log */
56566 + if (type == SOCK_RAW || type == SOCK_PACKET) {
56567 + __u32 fakeip = 0;
56568 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56569 + current->role->roletype, cred->uid,
56570 + cred->gid, current->exec_file ?
56571 + gr_to_filename(current->exec_file->f_path.dentry,
56572 + current->exec_file->f_path.mnt) :
56573 + curr->filename, curr->filename,
56574 + &fakeip, 0, type,
56575 + protocol, GR_CONNECT, &current->signal->saved_ip);
56576 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
56577 + __u32 fakeip = 0;
56578 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56579 + current->role->roletype, cred->uid,
56580 + cred->gid, current->exec_file ?
56581 + gr_to_filename(current->exec_file->f_path.dentry,
56582 + current->exec_file->f_path.mnt) :
56583 + curr->filename, curr->filename,
56584 + &fakeip, 0, type,
56585 + protocol, GR_BIND, &current->signal->saved_ip);
56586 + }
56587 + /* we'll log when they use connect or bind */
56588 + goto exit;
56589 + }
56590 +
56591 +exit_fail:
56592 + if (domain == PF_INET)
56593 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
56594 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
56595 + else
56596 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
56597 + gr_socktype_to_name(type), protocol);
56598 +
56599 + return 0;
56600 +exit:
56601 + return 1;
56602 +}
56603 +
56604 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
56605 +{
56606 + if ((ip->mode & mode) &&
56607 + (ip_port >= ip->low) &&
56608 + (ip_port <= ip->high) &&
56609 + ((ntohl(ip_addr) & our_netmask) ==
56610 + (ntohl(our_addr) & our_netmask))
56611 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
56612 + && (ip->type & (1 << type))) {
56613 + if (ip->mode & GR_INVERT)
56614 + return 2; // specifically denied
56615 + else
56616 + return 1; // allowed
56617 + }
56618 +
56619 + return 0; // not specifically allowed, may continue parsing
56620 +}
56621 +
56622 +static int
56623 +gr_search_connectbind(const int full_mode, struct sock *sk,
56624 + struct sockaddr_in *addr, const int type)
56625 +{
56626 + char iface[IFNAMSIZ] = {0};
56627 + struct acl_subject_label *curr;
56628 + struct acl_ip_label *ip;
56629 + struct inet_sock *isk;
56630 + struct net_device *dev;
56631 + struct in_device *idev;
56632 + unsigned long i;
56633 + int ret;
56634 + int mode = full_mode & (GR_BIND | GR_CONNECT);
56635 + __u32 ip_addr = 0;
56636 + __u32 our_addr;
56637 + __u32 our_netmask;
56638 + char *p;
56639 + __u16 ip_port = 0;
56640 + const struct cred *cred = current_cred();
56641 +
56642 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
56643 + return 0;
56644 +
56645 + curr = current->acl;
56646 + isk = inet_sk(sk);
56647 +
56648 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
56649 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
56650 + addr->sin_addr.s_addr = curr->inaddr_any_override;
56651 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
56652 + struct sockaddr_in saddr;
56653 + int err;
56654 +
56655 + saddr.sin_family = AF_INET;
56656 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
56657 + saddr.sin_port = isk->inet_sport;
56658 +
56659 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56660 + if (err)
56661 + return err;
56662 +
56663 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56664 + if (err)
56665 + return err;
56666 + }
56667 +
56668 + if (!curr->ips)
56669 + return 0;
56670 +
56671 + ip_addr = addr->sin_addr.s_addr;
56672 + ip_port = ntohs(addr->sin_port);
56673 +
56674 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56675 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56676 + current->role->roletype, cred->uid,
56677 + cred->gid, current->exec_file ?
56678 + gr_to_filename(current->exec_file->f_path.dentry,
56679 + current->exec_file->f_path.mnt) :
56680 + curr->filename, curr->filename,
56681 + &ip_addr, ip_port, type,
56682 + sk->sk_protocol, mode, &current->signal->saved_ip);
56683 + return 0;
56684 + }
56685 +
56686 + for (i = 0; i < curr->ip_num; i++) {
56687 + ip = *(curr->ips + i);
56688 + if (ip->iface != NULL) {
56689 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
56690 + p = strchr(iface, ':');
56691 + if (p != NULL)
56692 + *p = '\0';
56693 + dev = dev_get_by_name(sock_net(sk), iface);
56694 + if (dev == NULL)
56695 + continue;
56696 + idev = in_dev_get(dev);
56697 + if (idev == NULL) {
56698 + dev_put(dev);
56699 + continue;
56700 + }
56701 + rcu_read_lock();
56702 + for_ifa(idev) {
56703 + if (!strcmp(ip->iface, ifa->ifa_label)) {
56704 + our_addr = ifa->ifa_address;
56705 + our_netmask = 0xffffffff;
56706 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56707 + if (ret == 1) {
56708 + rcu_read_unlock();
56709 + in_dev_put(idev);
56710 + dev_put(dev);
56711 + return 0;
56712 + } else if (ret == 2) {
56713 + rcu_read_unlock();
56714 + in_dev_put(idev);
56715 + dev_put(dev);
56716 + goto denied;
56717 + }
56718 + }
56719 + } endfor_ifa(idev);
56720 + rcu_read_unlock();
56721 + in_dev_put(idev);
56722 + dev_put(dev);
56723 + } else {
56724 + our_addr = ip->addr;
56725 + our_netmask = ip->netmask;
56726 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56727 + if (ret == 1)
56728 + return 0;
56729 + else if (ret == 2)
56730 + goto denied;
56731 + }
56732 + }
56733 +
56734 +denied:
56735 + if (mode == GR_BIND)
56736 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56737 + else if (mode == GR_CONNECT)
56738 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56739 +
56740 + return -EACCES;
56741 +}
56742 +
56743 +int
56744 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
56745 +{
56746 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
56747 +}
56748 +
56749 +int
56750 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
56751 +{
56752 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
56753 +}
56754 +
56755 +int gr_search_listen(struct socket *sock)
56756 +{
56757 + struct sock *sk = sock->sk;
56758 + struct sockaddr_in addr;
56759 +
56760 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56761 + addr.sin_port = inet_sk(sk)->inet_sport;
56762 +
56763 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56764 +}
56765 +
56766 +int gr_search_accept(struct socket *sock)
56767 +{
56768 + struct sock *sk = sock->sk;
56769 + struct sockaddr_in addr;
56770 +
56771 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56772 + addr.sin_port = inet_sk(sk)->inet_sport;
56773 +
56774 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56775 +}
56776 +
56777 +int
56778 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
56779 +{
56780 + if (addr)
56781 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
56782 + else {
56783 + struct sockaddr_in sin;
56784 + const struct inet_sock *inet = inet_sk(sk);
56785 +
56786 + sin.sin_addr.s_addr = inet->inet_daddr;
56787 + sin.sin_port = inet->inet_dport;
56788 +
56789 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56790 + }
56791 +}
56792 +
56793 +int
56794 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
56795 +{
56796 + struct sockaddr_in sin;
56797 +
56798 + if (unlikely(skb->len < sizeof (struct udphdr)))
56799 + return 0; // skip this packet
56800 +
56801 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
56802 + sin.sin_port = udp_hdr(skb)->source;
56803 +
56804 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56805 +}
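Review bot: gr_proto_to_name(), gr_socktype_to_name() and gr_sockfamily_to_name() index their tables with an unchecked `unsigned char`, although gr_socktypes has only SOCK_MAX entries and gr_sockfamilies has 37 initialisers for its AF_MAX+1 slots. gr_search_socket() range-checks before logging, but the denied path of gr_search_connectbind() hands its `type` argument (sock->type in the connect/bind/listen/accept wrappers) straight to gr_socktype_to_name(), so it relies on the socket layer having constrained that value, and the three helpers are non-static. I would bound them locally, e.g. `return type < SOCK_MAX ? gr_socktypes[type] : "unknown";` and `return (family <= AF_MAX && gr_sockfamilies[family]) ? gr_sockfamilies[family] : "unknown";`, which also covers any NULL slots past the last initialiser. Separately, the table string `"unkown:134"` looks like a typo for `"unknown:134"`.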
56806 diff -urNp linux-2.6.39.3/grsecurity/gracl_learn.c linux-2.6.39.3/grsecurity/gracl_learn.c
56807 --- linux-2.6.39.3/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
56808 +++ linux-2.6.39.3/grsecurity/gracl_learn.c 2011-07-14 21:03:00.000000000 -0400
56809 @@ -0,0 +1,207 @@
56810 +#include <linux/kernel.h>
56811 +#include <linux/mm.h>
56812 +#include <linux/sched.h>
56813 +#include <linux/poll.h>
56814 +#include <linux/string.h>
56815 +#include <linux/file.h>
56816 +#include <linux/types.h>
56817 +#include <linux/vmalloc.h>
56818 +#include <linux/grinternal.h>
56819 +
56820 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
56821 + size_t count, loff_t *ppos);
56822 +extern int gr_acl_is_enabled(void);
56823 +
56824 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
56825 +static int gr_learn_attached;
56826 +
56827 +/* use a 512k buffer */
56828 +#define LEARN_BUFFER_SIZE (512 * 1024)
56829 +
56830 +static DEFINE_SPINLOCK(gr_learn_lock);
56831 +static DEFINE_MUTEX(gr_learn_user_mutex);
56832 +
56833 +/* we need to maintain two buffers, so that the kernel context of grlearn
56834 + uses a semaphore around the userspace copying, and the other kernel contexts
56835 + use a spinlock when copying into the buffer, since they cannot sleep
56836 +*/
56837 +static char *learn_buffer;
56838 +static char *learn_buffer_user;
56839 +static int learn_buffer_len;
56840 +static int learn_buffer_user_len;
56841 +
56842 +static ssize_t
56843 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
56844 +{
56845 + DECLARE_WAITQUEUE(wait, current);
56846 + ssize_t retval = 0;
56847 +
56848 + add_wait_queue(&learn_wait, &wait);
56849 + set_current_state(TASK_INTERRUPTIBLE);
56850 + do {
56851 + mutex_lock(&gr_learn_user_mutex);
56852 + spin_lock(&gr_learn_lock);
56853 + if (learn_buffer_len)
56854 + break;
56855 + spin_unlock(&gr_learn_lock);
56856 + mutex_unlock(&gr_learn_user_mutex);
56857 + if (file->f_flags & O_NONBLOCK) {
56858 + retval = -EAGAIN;
56859 + goto out;
56860 + }
56861 + if (signal_pending(current)) {
56862 + retval = -ERESTARTSYS;
56863 + goto out;
56864 + }
56865 +
56866 + schedule();
56867 + } while (1);
56868 +
56869 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
56870 + learn_buffer_user_len = learn_buffer_len;
56871 + retval = learn_buffer_len;
56872 + learn_buffer_len = 0;
56873 +
56874 + spin_unlock(&gr_learn_lock);
56875 +
56876 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
56877 + retval = -EFAULT;
56878 +
56879 + mutex_unlock(&gr_learn_user_mutex);
56880 +out:
56881 + set_current_state(TASK_RUNNING);
56882 + remove_wait_queue(&learn_wait, &wait);
56883 + return retval;
56884 +}
56885 +
56886 +static unsigned int
56887 +poll_learn(struct file * file, poll_table * wait)
56888 +{
56889 + poll_wait(file, &learn_wait, wait);
56890 +
56891 + if (learn_buffer_len)
56892 + return (POLLIN | POLLRDNORM);
56893 +
56894 + return 0;
56895 +}
56896 +
56897 +void
56898 +gr_clear_learn_entries(void)
56899 +{
56900 + char *tmp;
56901 +
56902 + mutex_lock(&gr_learn_user_mutex);
56903 + spin_lock(&gr_learn_lock);
56904 + tmp = learn_buffer;
56905 + learn_buffer = NULL;
56906 + spin_unlock(&gr_learn_lock);
56907 + if (tmp)
56908 + vfree(tmp);
56909 + if (learn_buffer_user != NULL) {
56910 + vfree(learn_buffer_user);
56911 + learn_buffer_user = NULL;
56912 + }
56913 + learn_buffer_len = 0;
56914 + mutex_unlock(&gr_learn_user_mutex);
56915 +
56916 + return;
56917 +}
56918 +
56919 +void
56920 +gr_add_learn_entry(const char *fmt, ...)
56921 +{
56922 + va_list args;
56923 + unsigned int len;
56924 +
56925 + if (!gr_learn_attached)
56926 + return;
56927 +
56928 + spin_lock(&gr_learn_lock);
56929 +
56930 + /* leave a gap at the end so we know when it's "full" but don't have to
56931 + compute the exact length of the string we're trying to append
56932 + */
56933 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
56934 + spin_unlock(&gr_learn_lock);
56935 + wake_up_interruptible(&learn_wait);
56936 + return;
56937 + }
56938 + if (learn_buffer == NULL) {
56939 + spin_unlock(&gr_learn_lock);
56940 + return;
56941 + }
56942 +
56943 + va_start(args, fmt);
56944 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
56945 + va_end(args);
56946 +
56947 + learn_buffer_len += len + 1;
56948 +
56949 + spin_unlock(&gr_learn_lock);
56950 + wake_up_interruptible(&learn_wait);
56951 +
56952 + return;
56953 +}
56954 +
56955 +static int
56956 +open_learn(struct inode *inode, struct file *file)
56957 +{
56958 + if (file->f_mode & FMODE_READ && gr_learn_attached)
56959 + return -EBUSY;
56960 + if (file->f_mode & FMODE_READ) {
56961 + int retval = 0;
56962 + mutex_lock(&gr_learn_user_mutex);
56963 + if (learn_buffer == NULL)
56964 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
56965 + if (learn_buffer_user == NULL)
56966 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
56967 + if (learn_buffer == NULL) {
56968 + retval = -ENOMEM;
56969 + goto out_error;
56970 + }
56971 + if (learn_buffer_user == NULL) {
56972 + retval = -ENOMEM;
56973 + goto out_error;
56974 + }
56975 + learn_buffer_len = 0;
56976 + learn_buffer_user_len = 0;
56977 + gr_learn_attached = 1;
56978 +out_error:
56979 + mutex_unlock(&gr_learn_user_mutex);
56980 + return retval;
56981 + }
56982 + return 0;
56983 +}
56984 +
56985 +static int
56986 +close_learn(struct inode *inode, struct file *file)
56987 +{
56988 + if (file->f_mode & FMODE_READ) {
56989 + char *tmp = NULL;
56990 + mutex_lock(&gr_learn_user_mutex);
56991 + spin_lock(&gr_learn_lock);
56992 + tmp = learn_buffer;
56993 + learn_buffer = NULL;
56994 + spin_unlock(&gr_learn_lock);
56995 + if (tmp)
56996 + vfree(tmp);
56997 + if (learn_buffer_user != NULL) {
56998 + vfree(learn_buffer_user);
56999 + learn_buffer_user = NULL;
57000 + }
57001 + learn_buffer_len = 0;
57002 + learn_buffer_user_len = 0;
57003 + gr_learn_attached = 0;
57004 + mutex_unlock(&gr_learn_user_mutex);
57005 + }
57006 +
57007 + return 0;
57008 +}
57009 +
57010 +const struct file_operations grsec_fops = {
57011 + .read = read_learn,
57012 + .write = write_grsec_handler,
57013 + .open = open_learn,
57014 + .release = close_learn,
57015 + .poll = poll_learn,
57016 +};
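Review bot: In gr_add_learn_entry() the return value of vsnprintf() is added to learn_buffer_len, but vsnprintf() returns the length the output would have had rather than what was stored, so a truncated entry moves learn_buffer_len past the bytes actually written and possibly past LEARN_BUFFER_SIZE. read_learn() then memcpy()s and copy_to_user()s learn_buffer_len bytes, which could hand uninitialised vmalloc memory to the reader or overrun learn_buffer_user; the 16384-byte gap only prevents this while no single entry is longer than that. Using `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` keeps the counter tied to what was written. read_learn() also never looks at `count`, so a reader passing a buffer smaller than the pending data receives more bytes than it asked for; a check such as `if (count < learn_buffer_len)` before the memcpy, rejecting or clamping the read, would be worth adding.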
57017 diff -urNp linux-2.6.39.3/grsecurity/gracl_res.c linux-2.6.39.3/grsecurity/gracl_res.c
57018 --- linux-2.6.39.3/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57019 +++ linux-2.6.39.3/grsecurity/gracl_res.c 2011-05-22 19:41:42.000000000 -0400
57020 @@ -0,0 +1,68 @@
57021 +#include <linux/kernel.h>
57022 +#include <linux/sched.h>
57023 +#include <linux/gracl.h>
57024 +#include <linux/grinternal.h>
57025 +
57026 +static const char *restab_log[] = {
57027 + [RLIMIT_CPU] = "RLIMIT_CPU",
57028 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57029 + [RLIMIT_DATA] = "RLIMIT_DATA",
57030 + [RLIMIT_STACK] = "RLIMIT_STACK",
57031 + [RLIMIT_CORE] = "RLIMIT_CORE",
57032 + [RLIMIT_RSS] = "RLIMIT_RSS",
57033 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
57034 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57035 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57036 + [RLIMIT_AS] = "RLIMIT_AS",
57037 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57038 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57039 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57040 + [RLIMIT_NICE] = "RLIMIT_NICE",
57041 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57042 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57043 + [GR_CRASH_RES] = "RLIMIT_CRASH"
57044 +};
57045 +
57046 +void
57047 +gr_log_resource(const struct task_struct *task,
57048 + const int res, const unsigned long wanted, const int gt)
57049 +{
57050 + const struct cred *cred;
57051 + unsigned long rlim;
57052 +
57053 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
57054 + return;
57055 +
57056 + // not yet supported resource
57057 + if (unlikely(!restab_log[res]))
57058 + return;
57059 +
57060 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57061 + rlim = task_rlimit_max(task, res);
57062 + else
57063 + rlim = task_rlimit(task, res);
57064 +
57065 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57066 + return;
57067 +
57068 + rcu_read_lock();
57069 + cred = __task_cred(task);
57070 +
57071 + if (res == RLIMIT_NPROC &&
57072 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57073 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57074 + goto out_rcu_unlock;
57075 + else if (res == RLIMIT_MEMLOCK &&
57076 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57077 + goto out_rcu_unlock;
57078 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57079 + goto out_rcu_unlock;
57080 + rcu_read_unlock();
57081 +
57082 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57083 +
57084 + return;
57085 +out_rcu_unlock:
57086 + rcu_read_unlock();
57087 + return;
57088 +}
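Review bot: `restab_log[res]` is read before `res` is range-checked, so a negative value or one above GR_CRASH_RES reads outside the table; the array is sized by its highest designated initialiser, and the callers are outside this hunk. A guard such as `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;` keeps the function safe whatever the caller passes. A comment on whether GR_CRASH_RES can ever reach `task_rlimit(task, res)` would also help, since that index presumably lies outside the task's regular rlimit array.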
57089 diff -urNp linux-2.6.39.3/grsecurity/gracl_segv.c linux-2.6.39.3/grsecurity/gracl_segv.c
57090 --- linux-2.6.39.3/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57091 +++ linux-2.6.39.3/grsecurity/gracl_segv.c 2011-05-22 22:47:39.000000000 -0400
57092 @@ -0,0 +1,299 @@
57093 +#include <linux/kernel.h>
57094 +#include <linux/mm.h>
57095 +#include <asm/uaccess.h>
57096 +#include <asm/errno.h>
57097 +#include <asm/mman.h>
57098 +#include <net/sock.h>
57099 +#include <linux/file.h>
57100 +#include <linux/fs.h>
57101 +#include <linux/net.h>
57102 +#include <linux/in.h>
57103 +#include <linux/slab.h>
57104 +#include <linux/types.h>
57105 +#include <linux/sched.h>
57106 +#include <linux/timer.h>
57107 +#include <linux/gracl.h>
57108 +#include <linux/grsecurity.h>
57109 +#include <linux/grinternal.h>
57110 +
57111 +static struct crash_uid *uid_set;
57112 +static unsigned short uid_used;
57113 +static DEFINE_SPINLOCK(gr_uid_lock);
57114 +extern rwlock_t gr_inode_lock;
57115 +extern struct acl_subject_label *
57116 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57117 + struct acl_role_label *role);
57118 +
57119 +#ifdef CONFIG_BTRFS_FS
57120 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
57121 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
57122 +#endif
57123 +
57124 +static inline dev_t __get_dev(const struct dentry *dentry)
57125 +{
57126 +#ifdef CONFIG_BTRFS_FS
57127 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
57128 + return get_btrfs_dev_from_inode(dentry->d_inode);
57129 + else
57130 +#endif
57131 + return dentry->d_inode->i_sb->s_dev;
57132 +}
57133 +
57134 +int
57135 +gr_init_uidset(void)
57136 +{
57137 + uid_set =
57138 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57139 + uid_used = 0;
57140 +
57141 + return uid_set ? 1 : 0;
57142 +}
57143 +
57144 +void
57145 +gr_free_uidset(void)
57146 +{
57147 + if (uid_set)
57148 + kfree(uid_set);
57149 +
57150 + return;
57151 +}
57152 +
57153 +int
57154 +gr_find_uid(const uid_t uid)
57155 +{
57156 + struct crash_uid *tmp = uid_set;
57157 + uid_t buid;
57158 + int low = 0, high = uid_used - 1, mid;
57159 +
57160 + while (high >= low) {
57161 + mid = (low + high) >> 1;
57162 + buid = tmp[mid].uid;
57163 + if (buid == uid)
57164 + return mid;
57165 + if (buid > uid)
57166 + high = mid - 1;
57167 + if (buid < uid)
57168 + low = mid + 1;
57169 + }
57170 +
57171 + return -1;
57172 +}
57173 +
57174 +static __inline__ void
57175 +gr_insertsort(void)
57176 +{
57177 + unsigned short i, j;
57178 + struct crash_uid index;
57179 +
57180 + for (i = 1; i < uid_used; i++) {
57181 + index = uid_set[i];
57182 + j = i;
57183 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57184 + uid_set[j] = uid_set[j - 1];
57185 + j--;
57186 + }
57187 + uid_set[j] = index;
57188 + }
57189 +
57190 + return;
57191 +}
57192 +
57193 +static __inline__ void
57194 +gr_insert_uid(const uid_t uid, const unsigned long expires)
57195 +{
57196 + int loc;
57197 +
57198 + if (uid_used == GR_UIDTABLE_MAX)
57199 + return;
57200 +
57201 + loc = gr_find_uid(uid);
57202 +
57203 + if (loc >= 0) {
57204 + uid_set[loc].expires = expires;
57205 + return;
57206 + }
57207 +
57208 + uid_set[uid_used].uid = uid;
57209 + uid_set[uid_used].expires = expires;
57210 + uid_used++;
57211 +
57212 + gr_insertsort();
57213 +
57214 + return;
57215 +}
57216 +
57217 +void
57218 +gr_remove_uid(const unsigned short loc)
57219 +{
57220 + unsigned short i;
57221 +
57222 + for (i = loc + 1; i < uid_used; i++)
57223 + uid_set[i - 1] = uid_set[i];
57224 +
57225 + uid_used--;
57226 +
57227 + return;
57228 +}
57229 +
57230 +int
57231 +gr_check_crash_uid(const uid_t uid)
57232 +{
57233 + int loc;
57234 + int ret = 0;
57235 +
57236 + if (unlikely(!gr_acl_is_enabled()))
57237 + return 0;
57238 +
57239 + spin_lock(&gr_uid_lock);
57240 + loc = gr_find_uid(uid);
57241 +
57242 + if (loc < 0)
57243 + goto out_unlock;
57244 +
57245 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
57246 + gr_remove_uid(loc);
57247 + else
57248 + ret = 1;
57249 +
57250 +out_unlock:
57251 + spin_unlock(&gr_uid_lock);
57252 + return ret;
57253 +}
57254 +
57255 +static __inline__ int
57256 +proc_is_setxid(const struct cred *cred)
57257 +{
57258 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
57259 + cred->uid != cred->fsuid)
57260 + return 1;
57261 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57262 + cred->gid != cred->fsgid)
57263 + return 1;
57264 +
57265 + return 0;
57266 +}
57267 +
57268 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
57269 +
57270 +void
57271 +gr_handle_crash(struct task_struct *task, const int sig)
57272 +{
57273 + struct acl_subject_label *curr;
57274 + struct acl_subject_label *curr2;
57275 + struct task_struct *tsk, *tsk2;
57276 + const struct cred *cred;
57277 + const struct cred *cred2;
57278 +
57279 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57280 + return;
57281 +
57282 + if (unlikely(!gr_acl_is_enabled()))
57283 + return;
57284 +
57285 + curr = task->acl;
57286 +
57287 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
57288 + return;
57289 +
57290 + if (time_before_eq(curr->expires, get_seconds())) {
57291 + curr->expires = 0;
57292 + curr->crashes = 0;
57293 + }
57294 +
57295 + curr->crashes++;
57296 +
57297 + if (!curr->expires)
57298 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57299 +
57300 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57301 + time_after(curr->expires, get_seconds())) {
57302 + rcu_read_lock();
57303 + cred = __task_cred(task);
57304 + if (cred->uid && proc_is_setxid(cred)) {
57305 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57306 + spin_lock(&gr_uid_lock);
57307 + gr_insert_uid(cred->uid, curr->expires);
57308 + spin_unlock(&gr_uid_lock);
57309 + curr->expires = 0;
57310 + curr->crashes = 0;
57311 + read_lock(&tasklist_lock);
57312 + do_each_thread(tsk2, tsk) {
57313 + cred2 = __task_cred(tsk);
57314 + if (tsk != task && cred2->uid == cred->uid)
57315 + gr_fake_force_sig(SIGKILL, tsk);
57316 + } while_each_thread(tsk2, tsk);
57317 + read_unlock(&tasklist_lock);
57318 + } else {
57319 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57320 + read_lock(&tasklist_lock);
57321 + do_each_thread(tsk2, tsk) {
57322 + if (likely(tsk != task)) {
57323 + curr2 = tsk->acl;
57324 +
57325 + if (curr2->device == curr->device &&
57326 + curr2->inode == curr->inode)
57327 + gr_fake_force_sig(SIGKILL, tsk);
57328 + }
57329 + } while_each_thread(tsk2, tsk);
57330 + read_unlock(&tasklist_lock);
57331 + }
57332 + rcu_read_unlock();
57333 + }
57334 +
57335 + return;
57336 +}
57337 +
57338 +int
57339 +gr_check_crash_exec(const struct file *filp)
57340 +{
57341 + struct acl_subject_label *curr;
57342 +
57343 + if (unlikely(!gr_acl_is_enabled()))
57344 + return 0;
57345 +
57346 + read_lock(&gr_inode_lock);
57347 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57348 + __get_dev(filp->f_path.dentry),
57349 + current->role);
57350 + read_unlock(&gr_inode_lock);
57351 +
57352 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57353 + (!curr->crashes && !curr->expires))
57354 + return 0;
57355 +
57356 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57357 + time_after(curr->expires, get_seconds()))
57358 + return 1;
57359 + else if (time_before_eq(curr->expires, get_seconds())) {
57360 + curr->crashes = 0;
57361 + curr->expires = 0;
57362 + }
57363 +
57364 + return 0;
57365 +}
57366 +
57367 +void
57368 +gr_handle_alertkill(struct task_struct *task)
57369 +{
57370 + struct acl_subject_label *curracl;
57371 + __u32 curr_ip;
57372 + struct task_struct *p, *p2;
57373 +
57374 + if (unlikely(!gr_acl_is_enabled()))
57375 + return;
57376 +
57377 + curracl = task->acl;
57378 + curr_ip = task->signal->curr_ip;
57379 +
57380 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57381 + read_lock(&tasklist_lock);
57382 + do_each_thread(p2, p) {
57383 + if (p->signal->curr_ip == curr_ip)
57384 + gr_fake_force_sig(SIGKILL, p);
57385 + } while_each_thread(p2, p);
57386 + read_unlock(&tasklist_lock);
57387 + } else if (curracl->mode & GR_KILLPROC)
57388 + gr_fake_force_sig(SIGKILL, task);
57389 +
57390 + return;
57391 +}
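Review bot: gr_insert_uid() tests `uid_used == GR_UIDTABLE_MAX` before calling gr_find_uid(), so once the table is full a uid that is already listed no longer gets its `expires` refreshed, and a new offending uid is dropped without any log. Within this file the only removal is the lazy one in gr_check_crash_uid() for the uid being checked, so lapsed entries can keep the table full. I would look the uid up first and, when the table is full, compact out expired entries before giving up; the caller in gr_handle_crash() already holds gr_uid_lock. The sketch below preserves order, so the table stays sorted for gr_find_uid().

```c
static __inline__ void
gr_insert_uid(const uid_t uid, const unsigned long expires)
{
	int loc;

	/* refresh an existing entry even when the table is full */
	loc = gr_find_uid(uid);
	if (loc >= 0) {
		uid_set[loc].expires = expires;
		return;
	}

	if (uid_used == GR_UIDTABLE_MAX) {
		unsigned short i, kept = 0;

		/* reclaim slots whose lockout has already lapsed */
		for (i = 0; i < uid_used; i++) {
			if (time_after(uid_set[i].expires, get_seconds()))
				uid_set[kept++] = uid_set[i];
		}
		uid_used = kept;
		if (uid_used == GR_UIDTABLE_MAX)
			return;
	}

	/* … unchanged: append the new entry, bump uid_used, gr_insertsort() … */
```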
57392 diff -urNp linux-2.6.39.3/grsecurity/gracl_shm.c linux-2.6.39.3/grsecurity/gracl_shm.c
57393 --- linux-2.6.39.3/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57394 +++ linux-2.6.39.3/grsecurity/gracl_shm.c 2011-05-22 19:41:42.000000000 -0400
57395 @@ -0,0 +1,40 @@
57396 +#include <linux/kernel.h>
57397 +#include <linux/mm.h>
57398 +#include <linux/sched.h>
57399 +#include <linux/file.h>
57400 +#include <linux/ipc.h>
57401 +#include <linux/gracl.h>
57402 +#include <linux/grsecurity.h>
57403 +#include <linux/grinternal.h>
57404 +
57405 +int
57406 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57407 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57408 +{
57409 + struct task_struct *task;
57410 +
57411 + if (!gr_acl_is_enabled())
57412 + return 1;
57413 +
57414 + rcu_read_lock();
57415 + read_lock(&tasklist_lock);
57416 +
57417 + task = find_task_by_vpid(shm_cprid);
57418 +
57419 + if (unlikely(!task))
57420 + task = find_task_by_vpid(shm_lapid);
57421 +
57422 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57423 + (task->pid == shm_lapid)) &&
57424 + (task->acl->mode & GR_PROTSHM) &&
57425 + (task->acl != current->acl))) {
57426 + read_unlock(&tasklist_lock);
57427 + rcu_read_unlock();
57428 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57429 + return 0;
57430 + }
57431 + read_unlock(&tasklist_lock);
57432 + rcu_read_unlock();
57433 +
57434 + return 1;
57435 +}
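Review bot: gr_handle_shmat has no comment stating its return convention, and it is easy to misread: it returns 1 to allow the attach and 0 to deny it, while the chroot handlers added elsewhere in this patch return 0 or a negative errno. A header comment such as `/* returns 1 if the attach is allowed, 0 if the segment's creator (or last attacher) runs under a different GR_PROTSHM subject */` would pin that down. The start-time test compares whole seconds (`tv_sec`), so a task that took over the creator's pid in the same second the segment was created is treated as the creator. If erring toward denial there is intended, a one-line comment on the `time_before_eq` test should say so.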
57436 diff -urNp linux-2.6.39.3/grsecurity/grsec_chdir.c linux-2.6.39.3/grsecurity/grsec_chdir.c
57437 --- linux-2.6.39.3/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57438 +++ linux-2.6.39.3/grsecurity/grsec_chdir.c 2011-05-22 19:41:42.000000000 -0400
57439 @@ -0,0 +1,19 @@
57440 +#include <linux/kernel.h>
57441 +#include <linux/sched.h>
57442 +#include <linux/fs.h>
57443 +#include <linux/file.h>
57444 +#include <linux/grsecurity.h>
57445 +#include <linux/grinternal.h>
57446 +
57447 +void
57448 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57449 +{
57450 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57451 + if ((grsec_enable_chdir && grsec_enable_group &&
57452 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57453 + !grsec_enable_group)) {
57454 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57455 + }
57456 +#endif
57457 + return;
57458 +}
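Review bot: The audit condition in gr_log_chdir repeats `grsec_enable_chdir` in both arms, which hides that the group test is the only part that varies. It reads more directly as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which evaluates the same way and still calls in_group_p() only when group auditing is on. The same two-arm form appears in gr_handle_exec_args and gr_handle_exec_args_compat in grsec_exec.c, so a small shared helper for this audit-group test would keep the three sites from drifting apart.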
57459 diff -urNp linux-2.6.39.3/grsecurity/grsec_chroot.c linux-2.6.39.3/grsecurity/grsec_chroot.c
57460 --- linux-2.6.39.3/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57461 +++ linux-2.6.39.3/grsecurity/grsec_chroot.c 2011-07-16 15:27:28.000000000 -0400
57462 @@ -0,0 +1,343 @@
57463 +#include <linux/kernel.h>
57464 +#include <linux/module.h>
57465 +#include <linux/sched.h>
57466 +#include <linux/file.h>
57467 +#include <linux/fs.h>
57468 +#include <linux/mount.h>
57469 +#include <linux/types.h>
57470 +#include <linux/pid_namespace.h>
57471 +#include <linux/grsecurity.h>
57472 +#include <linux/grinternal.h>
57473 +
57474 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
57475 +{
57476 +#ifdef CONFIG_GRKERNSEC
57477 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
57478 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
57479 + task->gr_is_chrooted = 1;
57480 + else
57481 + task->gr_is_chrooted = 0;
57482 +
57483 + task->gr_chroot_dentry = path->dentry;
57484 +#endif
57485 + return;
57486 +}
57487 +
57488 +void gr_clear_chroot_entries(struct task_struct *task)
57489 +{
57490 +#ifdef CONFIG_GRKERNSEC
57491 + task->gr_is_chrooted = 0;
57492 + task->gr_chroot_dentry = NULL;
57493 +#endif
57494 + return;
57495 +}
57496 +
57497 +int
57498 +gr_handle_chroot_unix(const pid_t pid)
57499 +{
57500 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57501 + struct task_struct *p;
57502 +
57503 + if (unlikely(!grsec_enable_chroot_unix))
57504 + return 1;
57505 +
57506 + if (likely(!proc_is_chrooted(current)))
57507 + return 1;
57508 +
57509 + rcu_read_lock();
57510 + read_lock(&tasklist_lock);
57511 + p = find_task_by_vpid_unrestricted(pid);
57512 + if (unlikely(p && !have_same_root(current, p))) {
57513 + read_unlock(&tasklist_lock);
57514 + rcu_read_unlock();
57515 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
57516 + return 0;
57517 + }
57518 + read_unlock(&tasklist_lock);
57519 + rcu_read_unlock();
57520 +#endif
57521 + return 1;
57522 +}
57523 +
57524 +int
57525 +gr_handle_chroot_nice(void)
57526 +{
57527 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57528 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
57529 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
57530 + return -EPERM;
57531 + }
57532 +#endif
57533 + return 0;
57534 +}
57535 +
57536 +int
57537 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
57538 +{
57539 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57540 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
57541 + && proc_is_chrooted(current)) {
57542 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
57543 + return -EACCES;
57544 + }
57545 +#endif
57546 + return 0;
57547 +}
57548 +
57549 +int
57550 +gr_handle_chroot_rawio(const struct inode *inode)
57551 +{
57552 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57553 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
57554 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
57555 + return 1;
57556 +#endif
57557 + return 0;
57558 +}
57559 +
57560 +int
57561 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
57562 +{
57563 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57564 + struct task_struct *p;
57565 + int ret = 0;
57566 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
57567 + return ret;
57568 +
57569 + read_lock(&tasklist_lock);
57570 + do_each_pid_task(pid, type, p) {
57571 + if (!have_same_root(current, p)) {
57572 + ret = 1;
57573 + goto out;
57574 + }
57575 + } while_each_pid_task(pid, type, p);
57576 +out:
57577 + read_unlock(&tasklist_lock);
57578 + return ret;
57579 +#endif
57580 + return 0;
57581 +}
57582 +
57583 +int
57584 +gr_pid_is_chrooted(struct task_struct *p)
57585 +{
57586 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57587 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
57588 + return 0;
57589 +
57590 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
57591 + !have_same_root(current, p)) {
57592 + return 1;
57593 + }
57594 +#endif
57595 + return 0;
57596 +}
57597 +
57598 +EXPORT_SYMBOL(gr_pid_is_chrooted);
57599 +
57600 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
57601 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
57602 +{
57603 + struct path path, currentroot;
57604 + int ret = 0;
57605 +
57606 + path.dentry = (struct dentry *)u_dentry;
57607 + path.mnt = (struct vfsmount *)u_mnt;
57608 + get_fs_root(current->fs, &currentroot);
57609 + if (path_is_under(&path, &currentroot))
57610 + ret = 1;
57611 + path_put(&currentroot);
57612 +
57613 + return ret;
57614 +}
57615 +#endif
57616 +
57617 +int
57618 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
57619 +{
57620 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57621 + if (!grsec_enable_chroot_fchdir)
57622 + return 1;
57623 +
57624 + if (!proc_is_chrooted(current))
57625 + return 1;
57626 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
57627 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
57628 + return 0;
57629 + }
57630 +#endif
57631 + return 1;
57632 +}
57633 +
57634 +int
57635 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57636 + const time_t shm_createtime)
57637 +{
57638 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57639 + struct task_struct *p;
57640 + time_t starttime;
57641 +
57642 + if (unlikely(!grsec_enable_chroot_shmat))
57643 + return 1;
57644 +
57645 + if (likely(!proc_is_chrooted(current)))
57646 + return 1;
57647 +
57648 + rcu_read_lock();
57649 + read_lock(&tasklist_lock);
57650 +
57651 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
57652 + starttime = p->start_time.tv_sec;
57653 + if (unlikely(!have_same_root(current, p) &&
57654 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
57655 + read_unlock(&tasklist_lock);
57656 + rcu_read_unlock();
57657 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57658 + return 0;
57659 + }
57660 + } else if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
57661 + if (unlikely(!have_same_root(current, p))) {
57662 + read_unlock(&tasklist_lock);
57663 + rcu_read_unlock();
57664 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57665 + return 0;
57666 + }
57667 + }
57668 +
57669 + read_unlock(&tasklist_lock);
57670 + rcu_read_unlock();
57671 +#endif
57672 + return 1;
57673 +}
57674 +
57675 +void
57676 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
57677 +{
57678 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57679 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
57680 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
57681 +#endif
57682 + return;
57683 +}
57684 +
57685 +int
57686 +gr_handle_chroot_mknod(const struct dentry *dentry,
57687 + const struct vfsmount *mnt, const int mode)
57688 +{
57689 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57690 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
57691 + proc_is_chrooted(current)) {
57692 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
57693 + return -EPERM;
57694 + }
57695 +#endif
57696 + return 0;
57697 +}
57698 +
57699 +int
57700 +gr_handle_chroot_mount(const struct dentry *dentry,
57701 + const struct vfsmount *mnt, const char *dev_name)
57702 +{
57703 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57704 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
57705 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
57706 + return -EPERM;
57707 + }
57708 +#endif
57709 + return 0;
57710 +}
57711 +
57712 +int
57713 +gr_handle_chroot_pivot(void)
57714 +{
57715 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57716 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
57717 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
57718 + return -EPERM;
57719 + }
57720 +#endif
57721 + return 0;
57722 +}
57723 +
57724 +int
57725 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
57726 +{
57727 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57728 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
57729 + !gr_is_outside_chroot(dentry, mnt)) {
57730 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
57731 + return -EPERM;
57732 + }
57733 +#endif
57734 + return 0;
57735 +}
57736 +
57737 +int
57738 +gr_handle_chroot_caps(struct path *path)
57739 +{
57740 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57741 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
57742 + (init_task.fs->root.dentry != path->dentry) &&
57743 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
57744 +
57745 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
57746 + const struct cred *old = current_cred();
57747 + struct cred *new = prepare_creds();
57748 + if (new == NULL)
57749 + return 1;
57750 +
57751 + new->cap_permitted = cap_drop(old->cap_permitted,
57752 + chroot_caps);
57753 + new->cap_inheritable = cap_drop(old->cap_inheritable,
57754 + chroot_caps);
57755 + new->cap_effective = cap_drop(old->cap_effective,
57756 + chroot_caps);
57757 +
57758 + commit_creds(new);
57759 +
57760 + return 0;
57761 + }
57762 +#endif
57763 + return 0;
57764 +}
57765 +
57766 +int
57767 +gr_handle_chroot_sysctl(const int op)
57768 +{
57769 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57770 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
57771 + proc_is_chrooted(current))
57772 + return -EACCES;
57773 +#endif
57774 + return 0;
57775 +}
57776 +
57777 +void
57778 +gr_handle_chroot_chdir(struct path *path)
57779 +{
57780 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57781 + if (grsec_enable_chroot_chdir)
57782 + set_fs_pwd(current->fs, path);
57783 +#endif
57784 + return;
57785 +}
57786 +
57787 +int
57788 +gr_handle_chroot_chmod(const struct dentry *dentry,
57789 + const struct vfsmount *mnt, const int mode)
57790 +{
57791 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57792 + /* allow chmod +s on directories, but not files */
57793 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
57794 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
57795 + proc_is_chrooted(current)) {
57796 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
57797 + return -EPERM;
57798 + }
57799 +#endif
57800 + return 0;
57801 +}
57802 +
57803 +#ifdef CONFIG_SECURITY
57804 +EXPORT_SYMBOL(gr_handle_chroot_caps);
57805 +#endif
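Review bot: gr_is_outside_chroot returns 1 when `path_is_under(&path, &currentroot)` succeeds, that is when the path lies inside the caller's root, so the name says the opposite of what the function reports. Both callers in this file, gr_chroot_fchdir and gr_handle_chroot_chroot, deny on `!gr_is_outside_chroot(...)`, which works only because the two inversions cancel; a later caller that trusts the name would get the check backwards. Rename it (for example `gr_is_inside_chroot`) or at least add `/* returns 1 if the path is under current's root, despite the name */` above it. Separately, gr_handle_chroot_caps returns 1 only when prepare_creds() fails and 0 in every other case, which also deserves a comment since its callers are outside this file.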
57806 diff -urNp linux-2.6.39.3/grsecurity/grsec_disabled.c linux-2.6.39.3/grsecurity/grsec_disabled.c
57807 --- linux-2.6.39.3/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
57808 +++ linux-2.6.39.3/grsecurity/grsec_disabled.c 2011-05-22 19:41:42.000000000 -0400
57809 @@ -0,0 +1,447 @@
57810 +#include <linux/kernel.h>
57811 +#include <linux/module.h>
57812 +#include <linux/sched.h>
57813 +#include <linux/file.h>
57814 +#include <linux/fs.h>
57815 +#include <linux/kdev_t.h>
57816 +#include <linux/net.h>
57817 +#include <linux/in.h>
57818 +#include <linux/ip.h>
57819 +#include <linux/skbuff.h>
57820 +#include <linux/sysctl.h>
57821 +
57822 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57823 +void
57824 +pax_set_initial_flags(struct linux_binprm *bprm)
57825 +{
57826 + return;
57827 +}
57828 +#endif
57829 +
57830 +#ifdef CONFIG_SYSCTL
57831 +__u32
57832 +gr_handle_sysctl(const struct ctl_table * table, const int op)
57833 +{
57834 + return 0;
57835 +}
57836 +#endif
57837 +
57838 +#ifdef CONFIG_TASKSTATS
57839 +int gr_is_taskstats_denied(int pid)
57840 +{
57841 + return 0;
57842 +}
57843 +#endif
57844 +
57845 +int
57846 +gr_acl_is_enabled(void)
57847 +{
57848 + return 0;
57849 +}
57850 +
57851 +int
57852 +gr_handle_rawio(const struct inode *inode)
57853 +{
57854 + return 0;
57855 +}
57856 +
57857 +void
57858 +gr_acl_handle_psacct(struct task_struct *task, const long code)
57859 +{
57860 + return;
57861 +}
57862 +
57863 +int
57864 +gr_handle_ptrace(struct task_struct *task, const long request)
57865 +{
57866 + return 0;
57867 +}
57868 +
57869 +int
57870 +gr_handle_proc_ptrace(struct task_struct *task)
57871 +{
57872 + return 0;
57873 +}
57874 +
57875 +void
57876 +gr_learn_resource(const struct task_struct *task,
57877 + const int res, const unsigned long wanted, const int gt)
57878 +{
57879 + return;
57880 +}
57881 +
57882 +int
57883 +gr_set_acls(const int type)
57884 +{
57885 + return 0;
57886 +}
57887 +
57888 +int
57889 +gr_check_hidden_task(const struct task_struct *tsk)
57890 +{
57891 + return 0;
57892 +}
57893 +
57894 +int
57895 +gr_check_protected_task(const struct task_struct *task)
57896 +{
57897 + return 0;
57898 +}
57899 +
57900 +int
57901 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
57902 +{
57903 + return 0;
57904 +}
57905 +
57906 +void
57907 +gr_copy_label(struct task_struct *tsk)
57908 +{
57909 + return;
57910 +}
57911 +
57912 +void
57913 +gr_set_pax_flags(struct task_struct *task)
57914 +{
57915 + return;
57916 +}
57917 +
57918 +int
57919 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
57920 + const int unsafe_share)
57921 +{
57922 + return 0;
57923 +}
57924 +
57925 +void
57926 +gr_handle_delete(const ino_t ino, const dev_t dev)
57927 +{
57928 + return;
57929 +}
57930 +
57931 +void
57932 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
57933 +{
57934 + return;
57935 +}
57936 +
57937 +void
57938 +gr_handle_crash(struct task_struct *task, const int sig)
57939 +{
57940 + return;
57941 +}
57942 +
57943 +int
57944 +gr_check_crash_exec(const struct file *filp)
57945 +{
57946 + return 0;
57947 +}
57948 +
57949 +int
57950 +gr_check_crash_uid(const uid_t uid)
57951 +{
57952 + return 0;
57953 +}
57954 +
57955 +void
57956 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
57957 + struct dentry *old_dentry,
57958 + struct dentry *new_dentry,
57959 + struct vfsmount *mnt, const __u8 replace)
57960 +{
57961 + return;
57962 +}
57963 +
57964 +int
57965 +gr_search_socket(const int family, const int type, const int protocol)
57966 +{
57967 + return 1;
57968 +}
57969 +
57970 +int
57971 +gr_search_connectbind(const int mode, const struct socket *sock,
57972 + const struct sockaddr_in *addr)
57973 +{
57974 + return 0;
57975 +}
57976 +
57977 +int
57978 +gr_is_capable(const int cap)
57979 +{
57980 + return 1;
57981 +}
57982 +
57983 +int
57984 +gr_is_capable_nolog(const int cap)
57985 +{
57986 + return 1;
57987 +}
57988 +
57989 +void
57990 +gr_handle_alertkill(struct task_struct *task)
57991 +{
57992 + return;
57993 +}
57994 +
57995 +__u32
57996 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
57997 +{
57998 + return 1;
57999 +}
58000 +
58001 +__u32
58002 +gr_acl_handle_hidden_file(const struct dentry * dentry,
58003 + const struct vfsmount * mnt)
58004 +{
58005 + return 1;
58006 +}
58007 +
58008 +__u32
58009 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58010 + const int fmode)
58011 +{
58012 + return 1;
58013 +}
58014 +
58015 +__u32
58016 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58017 +{
58018 + return 1;
58019 +}
58020 +
58021 +__u32
58022 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58023 +{
58024 + return 1;
58025 +}
58026 +
58027 +int
58028 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58029 + unsigned int *vm_flags)
58030 +{
58031 + return 1;
58032 +}
58033 +
58034 +__u32
58035 +gr_acl_handle_truncate(const struct dentry * dentry,
58036 + const struct vfsmount * mnt)
58037 +{
58038 + return 1;
58039 +}
58040 +
58041 +__u32
58042 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58043 +{
58044 + return 1;
58045 +}
58046 +
58047 +__u32
58048 +gr_acl_handle_access(const struct dentry * dentry,
58049 + const struct vfsmount * mnt, const int fmode)
58050 +{
58051 + return 1;
58052 +}
58053 +
58054 +__u32
58055 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58056 + mode_t mode)
58057 +{
58058 + return 1;
58059 +}
58060 +
58061 +__u32
58062 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58063 + mode_t mode)
58064 +{
58065 + return 1;
58066 +}
58067 +
58068 +__u32
58069 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58070 +{
58071 + return 1;
58072 +}
58073 +
58074 +__u32
58075 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58076 +{
58077 + return 1;
58078 +}
58079 +
58080 +void
58081 +grsecurity_init(void)
58082 +{
58083 + return;
58084 +}
58085 +
58086 +__u32
58087 +gr_acl_handle_mknod(const struct dentry * new_dentry,
58088 + const struct dentry * parent_dentry,
58089 + const struct vfsmount * parent_mnt,
58090 + const int mode)
58091 +{
58092 + return 1;
58093 +}
58094 +
58095 +__u32
58096 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
58097 + const struct dentry * parent_dentry,
58098 + const struct vfsmount * parent_mnt)
58099 +{
58100 + return 1;
58101 +}
58102 +
58103 +__u32
58104 +gr_acl_handle_symlink(const struct dentry * new_dentry,
58105 + const struct dentry * parent_dentry,
58106 + const struct vfsmount * parent_mnt, const char *from)
58107 +{
58108 + return 1;
58109 +}
58110 +
58111 +__u32
58112 +gr_acl_handle_link(const struct dentry * new_dentry,
58113 + const struct dentry * parent_dentry,
58114 + const struct vfsmount * parent_mnt,
58115 + const struct dentry * old_dentry,
58116 + const struct vfsmount * old_mnt, const char *to)
58117 +{
58118 + return 1;
58119 +}
58120 +
58121 +int
58122 +gr_acl_handle_rename(const struct dentry *new_dentry,
58123 + const struct dentry *parent_dentry,
58124 + const struct vfsmount *parent_mnt,
58125 + const struct dentry *old_dentry,
58126 + const struct inode *old_parent_inode,
58127 + const struct vfsmount *old_mnt, const char *newname)
58128 +{
58129 + return 0;
58130 +}
58131 +
58132 +int
58133 +gr_acl_handle_filldir(const struct file *file, const char *name,
58134 + const int namelen, const ino_t ino)
58135 +{
58136 + return 1;
58137 +}
58138 +
58139 +int
58140 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58141 + const time_t shm_createtime, const uid_t cuid, const int shmid)
58142 +{
58143 + return 1;
58144 +}
58145 +
58146 +int
58147 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58148 +{
58149 + return 0;
58150 +}
58151 +
58152 +int
58153 +gr_search_accept(const struct socket *sock)
58154 +{
58155 + return 0;
58156 +}
58157 +
58158 +int
58159 +gr_search_listen(const struct socket *sock)
58160 +{
58161 + return 0;
58162 +}
58163 +
58164 +int
58165 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58166 +{
58167 + return 0;
58168 +}
58169 +
58170 +__u32
58171 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58172 +{
58173 + return 1;
58174 +}
58175 +
58176 +__u32
58177 +gr_acl_handle_creat(const struct dentry * dentry,
58178 + const struct dentry * p_dentry,
58179 + const struct vfsmount * p_mnt, const int fmode,
58180 + const int imode)
58181 +{
58182 + return 1;
58183 +}
58184 +
58185 +void
58186 +gr_acl_handle_exit(void)
58187 +{
58188 + return;
58189 +}
58190 +
58191 +int
58192 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58193 +{
58194 + return 1;
58195 +}
58196 +
58197 +void
58198 +gr_set_role_label(const uid_t uid, const gid_t gid)
58199 +{
58200 + return;
58201 +}
58202 +
58203 +int
58204 +gr_acl_handle_procpidmem(const struct task_struct *task)
58205 +{
58206 + return 0;
58207 +}
58208 +
58209 +int
58210 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58211 +{
58212 + return 0;
58213 +}
58214 +
58215 +int
58216 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58217 +{
58218 + return 0;
58219 +}
58220 +
58221 +void
58222 +gr_set_kernel_label(struct task_struct *task)
58223 +{
58224 + return;
58225 +}
58226 +
58227 +int
58228 +gr_check_user_change(int real, int effective, int fs)
58229 +{
58230 + return 0;
58231 +}
58232 +
58233 +int
58234 +gr_check_group_change(int real, int effective, int fs)
58235 +{
58236 + return 0;
58237 +}
58238 +
58239 +int gr_acl_enable_at_secure(void)
58240 +{
58241 + return 0;
58242 +}
58243 +
58244 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58245 +{
58246 + return dentry->d_inode->i_sb->s_dev;
58247 +}
58248 +
58249 +EXPORT_SYMBOL(gr_is_capable);
58250 +EXPORT_SYMBOL(gr_is_capable_nolog);
58251 +EXPORT_SYMBOL(gr_learn_resource);
58252 +EXPORT_SYMBOL(gr_set_kernel_label);
58253 +#ifdef CONFIG_SECURITY
58254 +EXPORT_SYMBOL(gr_check_user_change);
58255 +EXPORT_SYMBOL(gr_check_group_change);
58256 +#endif
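Review bot: The stubs in this file encode each hook's permit value by hand, and those values differ from hook to hook (`gr_search_socket` and the `gr_acl_handle_*` file hooks return 1, while `gr_search_connect`, `gr_handle_ptrace` and `gr_acl_handle_rename` return 0). Nothing in the file states the convention, and none of the grsecurity headers is included, so the compiler does not compare these definitions with the prototypes the callers see. A stub with the wrong value would deny or mis-handle an operation in what is presumably the build with the ACL code configured out, and a drifted signature would go unnoticed. Include the header that declares these hooks, if one does (grsec_chdir.c in this patch includes `<linux/grsecurity.h>`), and add a file comment stating that every stub returns its hook's permit value. gr_get_dev_from_dentry also dereferences `dentry->d_inode` unchecked, so it should document that callers must pass a dentry with an inode attached.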
58257 diff -urNp linux-2.6.39.3/grsecurity/grsec_exec.c linux-2.6.39.3/grsecurity/grsec_exec.c
58258 --- linux-2.6.39.3/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58259 +++ linux-2.6.39.3/grsecurity/grsec_exec.c 2011-05-22 22:41:29.000000000 -0400
58260 @@ -0,0 +1,146 @@
58261 +#include <linux/kernel.h>
58262 +#include <linux/sched.h>
58263 +#include <linux/file.h>
58264 +#include <linux/binfmts.h>
58265 +#include <linux/fs.h>
58266 +#include <linux/types.h>
58267 +#include <linux/grdefs.h>
58268 +#include <linux/grinternal.h>
58269 +#include <linux/capability.h>
58270 +#include <linux/compat.h>
58271 +
58272 +#include <asm/uaccess.h>
58273 +
58274 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58275 +static char gr_exec_arg_buf[132];
58276 +static DEFINE_MUTEX(gr_exec_arg_mutex);
58277 +#endif
58278 +
58279 +int
58280 +gr_handle_nproc(void)
58281 +{
58282 +#ifdef CONFIG_GRKERNSEC_EXECVE
58283 + const struct cred *cred = current_cred();
58284 + if (grsec_enable_execve && cred->user &&
58285 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
58286 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
58287 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
58288 + return -EAGAIN;
58289 + }
58290 +#endif
58291 + return 0;
58292 +}
58293 +
58294 +void
58295 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58296 +{
58297 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58298 + char *grarg = gr_exec_arg_buf;
58299 + unsigned int i, x, execlen = 0;
58300 + char c;
58301 +
58302 + if (!((grsec_enable_execlog && grsec_enable_group &&
58303 + in_group_p(grsec_audit_gid))
58304 + || (grsec_enable_execlog && !grsec_enable_group)))
58305 + return;
58306 +
58307 + mutex_lock(&gr_exec_arg_mutex);
58308 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58309 +
58310 + if (unlikely(argv == NULL))
58311 + goto log;
58312 +
58313 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58314 + const char __user *p;
58315 + unsigned int len;
58316 +
58317 + if (copy_from_user(&p, argv + i, sizeof(p)))
58318 + goto log;
58319 + if (!p)
58320 + goto log;
58321 + len = strnlen_user(p, 128 - execlen);
58322 + if (len > 128 - execlen)
58323 + len = 128 - execlen;
58324 + else if (len > 0)
58325 + len--;
58326 + if (copy_from_user(grarg + execlen, p, len))
58327 + goto log;
58328 +
58329 + /* rewrite unprintable characters */
58330 + for (x = 0; x < len; x++) {
58331 + c = *(grarg + execlen + x);
58332 + if (c < 32 || c > 126)
58333 + *(grarg + execlen + x) = ' ';
58334 + }
58335 +
58336 + execlen += len;
58337 + *(grarg + execlen) = ' ';
58338 + *(grarg + execlen + 1) = '\0';
58339 + execlen++;
58340 + }
58341 +
58342 + log:
58343 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58344 + bprm->file->f_path.mnt, grarg);
58345 + mutex_unlock(&gr_exec_arg_mutex);
58346 +#endif
58347 + return;
58348 +}
58349 +
58350 +#ifdef CONFIG_COMPAT
58351 +void
58352 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58353 +{
58354 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58355 + char *grarg = gr_exec_arg_buf;
58356 + unsigned int i, x, execlen = 0;
58357 + char c;
58358 +
58359 + if (!((grsec_enable_execlog && grsec_enable_group &&
58360 + in_group_p(grsec_audit_gid))
58361 + || (grsec_enable_execlog && !grsec_enable_group)))
58362 + return;
58363 +
58364 + mutex_lock(&gr_exec_arg_mutex);
58365 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58366 +
58367 + if (unlikely(argv == NULL))
58368 + goto log;
58369 +
58370 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58371 + compat_uptr_t p;
58372 + unsigned int len;
58373 +
58374 + if (get_user(p, argv + i))
58375 + goto log;
58376 + len = strnlen_user(compat_ptr(p), 128 - execlen);
58377 + if (len > 128 - execlen)
58378 + len = 128 - execlen;
58379 + else if (len > 0)
58380 + len--;
58381 + else
58382 + goto log;
58383 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58384 + goto log;
58385 +
58386 + /* rewrite unprintable characters */
58387 + for (x = 0; x < len; x++) {
58388 + c = *(grarg + execlen + x);
58389 + if (c < 32 || c > 126)
58390 + *(grarg + execlen + x) = ' ';
58391 + }
58392 +
58393 + execlen += len;
58394 + *(grarg + execlen) = ' ';
58395 + *(grarg + execlen + 1) = '\0';
58396 + execlen++;
58397 + }
58398 +
58399 + log:
58400 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58401 + bprm->file->f_path.mnt, grarg);
58402 + mutex_unlock(&gr_exec_arg_mutex);
58403 +#endif
58404 + return;
58405 +}
58406 +#endif
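Review bot: gr_handle_exec_args and gr_handle_exec_args_compat treat a zero return from strnlen_user() differently: the compat copy stops with `else goto log;`, while the native copy falls through with `len == 0`, appends a blank and carries on to the next argument. strnlen_user() returns 0 when the user pointer faults, so the native path should stop as well; add the same `else goto log;` after its `else if (len > 0) len--;`. The record also gives no sign that it was cut at 128 bytes, so someone reading the audit log cannot tell a short command line from a truncated one. Appending a marker when the loop exits with arguments left over would make that visible. The two bodies are otherwise nearly identical and would be safer as one helper in which only the per-argument pointer fetch differs.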
58407 diff -urNp linux-2.6.39.3/grsecurity/grsec_fifo.c linux-2.6.39.3/grsecurity/grsec_fifo.c
58408 --- linux-2.6.39.3/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
58409 +++ linux-2.6.39.3/grsecurity/grsec_fifo.c 2011-05-22 19:41:42.000000000 -0400
58410 @@ -0,0 +1,24 @@
58411 +#include <linux/kernel.h>
58412 +#include <linux/sched.h>
58413 +#include <linux/fs.h>
58414 +#include <linux/file.h>
58415 +#include <linux/grinternal.h>
58416 +
58417 +int
58418 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
58419 + const struct dentry *dir, const int flag, const int acc_mode)
58420 +{
58421 +#ifdef CONFIG_GRKERNSEC_FIFO
58422 + const struct cred *cred = current_cred();
58423 +
58424 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
58425 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
58426 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
58427 + (cred->fsuid != dentry->d_inode->i_uid)) {
58428 + if (!inode_permission(dentry->d_inode, acc_mode))
58429 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
58430 + return -EACCES;
58431 + }
58432 +#endif
58433 + return 0;
58434 +}
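Review bot: The unbraced `if (!inode_permission(dentry->d_inode, acc_mode))` in gr_handle_fifo guards only the gr_log_fs_int2() call, while `return -EACCES;` on the following line runs for every open that matches the outer condition. That is easy to misread as "deny only when the log fires". Brace the inner `if` and add `/* log only when the ordinary permission check would have allowed the open; the FIFO is refused either way */` so the asymmetry is clearly deliberate. The function also reads `dentry->d_inode` and `dir->d_inode` without a NULL check, so the comment should state that callers pass dentries with inodes attached.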
58435 diff -urNp linux-2.6.39.3/grsecurity/grsec_fork.c linux-2.6.39.3/grsecurity/grsec_fork.c
58436 --- linux-2.6.39.3/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
58437 +++ linux-2.6.39.3/grsecurity/grsec_fork.c 2011-05-22 19:41:42.000000000 -0400
58438 @@ -0,0 +1,23 @@
58439 +#include <linux/kernel.h>
58440 +#include <linux/sched.h>
58441 +#include <linux/grsecurity.h>
58442 +#include <linux/grinternal.h>
58443 +#include <linux/errno.h>
58444 +
58445 +void
58446 +gr_log_forkfail(const int retval)
58447 +{
58448 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58449 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
58450 + switch (retval) {
58451 + case -EAGAIN:
58452 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
58453 + break;
58454 + case -ENOMEM:
58455 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
58456 + break;
58457 + }
58458 + }
58459 +#endif
58460 + return;
58461 +}
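Review bot: gr_log_forkfail tests `retval == -EAGAIN || retval == -ENOMEM` and then switches on the same two values, so the list of logged errors lives in two places and the switch has no `default`. Reducing the `if` to `if (grsec_enable_forkfail)` and letting the switch select the string, with a `default: break;` for everything else, keeps a single list. Adding a third errno later then needs one edit rather than two.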
58462 diff -urNp linux-2.6.39.3/grsecurity/grsec_init.c linux-2.6.39.3/grsecurity/grsec_init.c
58463 --- linux-2.6.39.3/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
58464 +++ linux-2.6.39.3/grsecurity/grsec_init.c 2011-06-29 19:35:59.000000000 -0400
58465 @@ -0,0 +1,273 @@
58466 +#include <linux/kernel.h>
58467 +#include <linux/sched.h>
58468 +#include <linux/mm.h>
58469 +#include <linux/gracl.h>
58470 +#include <linux/slab.h>
58471 +#include <linux/vmalloc.h>
58472 +#include <linux/percpu.h>
58473 +#include <linux/module.h>
58474 +
58475 +int grsec_enable_brute;
58476 +int grsec_enable_link;
58477 +int grsec_enable_dmesg;
58478 +int grsec_enable_harden_ptrace;
58479 +int grsec_enable_fifo;
58480 +int grsec_enable_execve;
58481 +int grsec_enable_execlog;
58482 +int grsec_enable_signal;
58483 +int grsec_enable_forkfail;
58484 +int grsec_enable_audit_ptrace;
58485 +int grsec_enable_time;
58486 +int grsec_enable_audit_textrel;
58487 +int grsec_enable_group;
58488 +int grsec_audit_gid;
58489 +int grsec_enable_chdir;
58490 +int grsec_enable_mount;
58491 +int grsec_enable_rofs;
58492 +int grsec_enable_chroot_findtask;
58493 +int grsec_enable_chroot_mount;
58494 +int grsec_enable_chroot_shmat;
58495 +int grsec_enable_chroot_fchdir;
58496 +int grsec_enable_chroot_double;
58497 +int grsec_enable_chroot_pivot;
58498 +int grsec_enable_chroot_chdir;
58499 +int grsec_enable_chroot_chmod;
58500 +int grsec_enable_chroot_mknod;
58501 +int grsec_enable_chroot_nice;
58502 +int grsec_enable_chroot_execlog;
58503 +int grsec_enable_chroot_caps;
58504 +int grsec_enable_chroot_sysctl;
58505 +int grsec_enable_chroot_unix;
58506 +int grsec_enable_tpe;
58507 +int grsec_tpe_gid;
58508 +int grsec_enable_blackhole;
58509 +#ifdef CONFIG_IPV6_MODULE
58510 +EXPORT_SYMBOL(grsec_enable_blackhole);
58511 +#endif
58512 +int grsec_lastack_retries;
58513 +int grsec_enable_tpe_all;
58514 +int grsec_enable_tpe_invert;
58515 +int grsec_enable_socket_all;
58516 +int grsec_socket_all_gid;
58517 +int grsec_enable_socket_client;
58518 +int grsec_socket_client_gid;
58519 +int grsec_enable_socket_server;
58520 +int grsec_socket_server_gid;
58521 +int grsec_resource_logging;
58522 +int grsec_disable_privio;
58523 +int grsec_enable_log_rwxmaps;
58524 +int grsec_lock;
58525 +
58526 +DEFINE_SPINLOCK(grsec_alert_lock);
58527 +unsigned long grsec_alert_wtime = 0;
58528 +unsigned long grsec_alert_fyet = 0;
58529 +
58530 +DEFINE_SPINLOCK(grsec_audit_lock);
58531 +
58532 +DEFINE_RWLOCK(grsec_exec_file_lock);
58533 +
58534 +char *gr_shared_page[4];
58535 +
58536 +char *gr_alert_log_fmt;
58537 +char *gr_audit_log_fmt;
58538 +char *gr_alert_log_buf;
58539 +char *gr_audit_log_buf;
58540 +
58541 +extern struct gr_arg *gr_usermode;
58542 +extern unsigned char *gr_system_salt;
58543 +extern unsigned char *gr_system_sum;
58544 +
58545 +void __init
58546 +grsecurity_init(void)
58547 +{
58548 + int j;
58549 + /* create the per-cpu shared pages */
58550 +
58551 +#ifdef CONFIG_X86
58552 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
58553 +#endif
58554 +
58555 + for (j = 0; j < 4; j++) {
58556 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
58557 + if (gr_shared_page[j] == NULL) {
58558 + panic("Unable to allocate grsecurity shared page");
58559 + return;
58560 + }
58561 + }
58562 +
58563 + /* allocate log buffers */
58564 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
58565 + if (!gr_alert_log_fmt) {
58566 + panic("Unable to allocate grsecurity alert log format buffer");
58567 + return;
58568 + }
58569 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
58570 + if (!gr_audit_log_fmt) {
58571 + panic("Unable to allocate grsecurity audit log format buffer");
58572 + return;
58573 + }
58574 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58575 + if (!gr_alert_log_buf) {
58576 + panic("Unable to allocate grsecurity alert log buffer");
58577 + return;
58578 + }
58579 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58580 + if (!gr_audit_log_buf) {
58581 + panic("Unable to allocate grsecurity audit log buffer");
58582 + return;
58583 + }
58584 +
58585 + /* allocate memory for authentication structure */
58586 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
58587 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
58588 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
58589 +
58590 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
58591 + panic("Unable to allocate grsecurity authentication structure");
58592 + return;
58593 + }
58594 +
58595 +
58596 +#ifdef CONFIG_GRKERNSEC_IO
58597 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
58598 + grsec_disable_privio = 1;
58599 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58600 + grsec_disable_privio = 1;
58601 +#else
58602 + grsec_disable_privio = 0;
58603 +#endif
58604 +#endif
58605 +
58606 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58607 + /* for backward compatibility, tpe_invert always defaults to on if
58608 + enabled in the kernel
58609 + */
58610 + grsec_enable_tpe_invert = 1;
58611 +#endif
58612 +
58613 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58614 +#ifndef CONFIG_GRKERNSEC_SYSCTL
58615 + grsec_lock = 1;
58616 +#endif
58617 +
58618 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58619 + grsec_enable_audit_textrel = 1;
58620 +#endif
58621 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58622 + grsec_enable_log_rwxmaps = 1;
58623 +#endif
58624 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58625 + grsec_enable_group = 1;
58626 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
58627 +#endif
58628 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58629 + grsec_enable_chdir = 1;
58630 +#endif
58631 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58632 + grsec_enable_harden_ptrace = 1;
58633 +#endif
58634 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58635 + grsec_enable_mount = 1;
58636 +#endif
58637 +#ifdef CONFIG_GRKERNSEC_LINK
58638 + grsec_enable_link = 1;
58639 +#endif
58640 +#ifdef CONFIG_GRKERNSEC_BRUTE
58641 + grsec_enable_brute = 1;
58642 +#endif
58643 +#ifdef CONFIG_GRKERNSEC_DMESG
58644 + grsec_enable_dmesg = 1;
58645 +#endif
58646 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58647 + grsec_enable_blackhole = 1;
58648 + grsec_lastack_retries = 4;
58649 +#endif
58650 +#ifdef CONFIG_GRKERNSEC_FIFO
58651 + grsec_enable_fifo = 1;
58652 +#endif
58653 +#ifdef CONFIG_GRKERNSEC_EXECVE
58654 + grsec_enable_execve = 1;
58655 +#endif
58656 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58657 + grsec_enable_execlog = 1;
58658 +#endif
58659 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58660 + grsec_enable_signal = 1;
58661 +#endif
58662 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58663 + grsec_enable_forkfail = 1;
58664 +#endif
58665 +#ifdef CONFIG_GRKERNSEC_TIME
58666 + grsec_enable_time = 1;
58667 +#endif
58668 +#ifdef CONFIG_GRKERNSEC_RESLOG
58669 + grsec_resource_logging = 1;
58670 +#endif
58671 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58672 + grsec_enable_chroot_findtask = 1;
58673 +#endif
58674 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58675 + grsec_enable_chroot_unix = 1;
58676 +#endif
58677 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58678 + grsec_enable_chroot_mount = 1;
58679 +#endif
58680 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58681 + grsec_enable_chroot_fchdir = 1;
58682 +#endif
58683 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58684 + grsec_enable_chroot_shmat = 1;
58685 +#endif
58686 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58687 + grsec_enable_audit_ptrace = 1;
58688 +#endif
58689 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58690 + grsec_enable_chroot_double = 1;
58691 +#endif
58692 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58693 + grsec_enable_chroot_pivot = 1;
58694 +#endif
58695 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58696 + grsec_enable_chroot_chdir = 1;
58697 +#endif
58698 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58699 + grsec_enable_chroot_chmod = 1;
58700 +#endif
58701 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58702 + grsec_enable_chroot_mknod = 1;
58703 +#endif
58704 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58705 + grsec_enable_chroot_nice = 1;
58706 +#endif
58707 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58708 + grsec_enable_chroot_execlog = 1;
58709 +#endif
58710 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58711 + grsec_enable_chroot_caps = 1;
58712 +#endif
58713 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58714 + grsec_enable_chroot_sysctl = 1;
58715 +#endif
58716 +#ifdef CONFIG_GRKERNSEC_TPE
58717 + grsec_enable_tpe = 1;
58718 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
58719 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58720 + grsec_enable_tpe_all = 1;
58721 +#endif
58722 +#endif
58723 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58724 + grsec_enable_socket_all = 1;
58725 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
58726 +#endif
58727 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58728 + grsec_enable_socket_client = 1;
58729 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
58730 +#endif
58731 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58732 + grsec_enable_socket_server = 1;
58733 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
58734 +#endif
58735 +#endif
58736 +
58737 + return;
58738 +}
58739 diff -urNp linux-2.6.39.3/grsecurity/grsec_link.c linux-2.6.39.3/grsecurity/grsec_link.c
58740 --- linux-2.6.39.3/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
58741 +++ linux-2.6.39.3/grsecurity/grsec_link.c 2011-05-22 19:41:42.000000000 -0400
58742 @@ -0,0 +1,43 @@
58743 +#include <linux/kernel.h>
58744 +#include <linux/sched.h>
58745 +#include <linux/fs.h>
58746 +#include <linux/file.h>
58747 +#include <linux/grinternal.h>
58748 +
58749 +int
58750 +gr_handle_follow_link(const struct inode *parent,
58751 + const struct inode *inode,
58752 + const struct dentry *dentry, const struct vfsmount *mnt)
58753 +{
58754 +#ifdef CONFIG_GRKERNSEC_LINK
58755 + const struct cred *cred = current_cred();
58756 +
58757 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
58758 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
58759 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
58760 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
58761 + return -EACCES;
58762 + }
58763 +#endif
58764 + return 0;
58765 +}
58766 +
58767 +int
58768 +gr_handle_hardlink(const struct dentry *dentry,
58769 + const struct vfsmount *mnt,
58770 + struct inode *inode, const int mode, const char *to)
58771 +{
58772 +#ifdef CONFIG_GRKERNSEC_LINK
58773 + const struct cred *cred = current_cred();
58774 +
58775 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
58776 + (!S_ISREG(mode) || (mode & S_ISUID) ||
58777 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
58778 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
58779 + !capable(CAP_FOWNER) && cred->uid) {
58780 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
58781 + return -EPERM;
58782 + }
58783 +#endif
58784 + return 0;
58785 +}
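Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts any task whose real uid is 0 even when it does not hold CAP_FOWNER, so a root process whose capabilities have been dropped still skips the restriction. The ownership test uses `cred->fsuid` while the exemption uses the real uid, which is also inconsistent. If the exemption is meant to follow privilege, the last line of the condition could be just `!capable(CAP_FOWNER)) {`; if uid 0 is exempted on purpose, a comment above the `if` should say so. The compound condition would also read better with a short comment listing the cases it blocks: non-regular files, setuid files, setgid plus group-executable files, and files the caller cannot both read and write.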
58786 diff -urNp linux-2.6.39.3/grsecurity/grsec_log.c linux-2.6.39.3/grsecurity/grsec_log.c
58787 --- linux-2.6.39.3/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
58788 +++ linux-2.6.39.3/grsecurity/grsec_log.c 2011-05-22 19:41:42.000000000 -0400
58789 @@ -0,0 +1,310 @@
58790 +#include <linux/kernel.h>
58791 +#include <linux/sched.h>
58792 +#include <linux/file.h>
58793 +#include <linux/tty.h>
58794 +#include <linux/fs.h>
58795 +#include <linux/grinternal.h>
58796 +
58797 +#ifdef CONFIG_TREE_PREEMPT_RCU
58798 +#define DISABLE_PREEMPT() preempt_disable()
58799 +#define ENABLE_PREEMPT() preempt_enable()
58800 +#else
58801 +#define DISABLE_PREEMPT()
58802 +#define ENABLE_PREEMPT()
58803 +#endif
58804 +
58805 +#define BEGIN_LOCKS(x) \
58806 + DISABLE_PREEMPT(); \
58807 + rcu_read_lock(); \
58808 + read_lock(&tasklist_lock); \
58809 + read_lock(&grsec_exec_file_lock); \
58810 + if (x != GR_DO_AUDIT) \
58811 + spin_lock(&grsec_alert_lock); \
58812 + else \
58813 + spin_lock(&grsec_audit_lock)
58814 +
58815 +#define END_LOCKS(x) \
58816 + if (x != GR_DO_AUDIT) \
58817 + spin_unlock(&grsec_alert_lock); \
58818 + else \
58819 + spin_unlock(&grsec_audit_lock); \
58820 + read_unlock(&grsec_exec_file_lock); \
58821 + read_unlock(&tasklist_lock); \
58822 + rcu_read_unlock(); \
58823 + ENABLE_PREEMPT(); \
58824 + if (x == GR_DONT_AUDIT) \
58825 + gr_handle_alertkill(current)
58826 +
58827 +enum {
58828 + FLOODING,
58829 + NO_FLOODING
58830 +};
58831 +
58832 +extern char *gr_alert_log_fmt;
58833 +extern char *gr_audit_log_fmt;
58834 +extern char *gr_alert_log_buf;
58835 +extern char *gr_audit_log_buf;
58836 +
58837 +static int gr_log_start(int audit)
58838 +{
58839 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
58840 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
58841 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58842 +
58843 + if (audit == GR_DO_AUDIT)
58844 + goto set_fmt;
58845 +
58846 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
58847 + grsec_alert_wtime = jiffies;
58848 + grsec_alert_fyet = 0;
58849 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
58850 + grsec_alert_fyet++;
58851 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
58852 + grsec_alert_wtime = jiffies;
58853 + grsec_alert_fyet++;
58854 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
58855 + return FLOODING;
58856 + } else return FLOODING;
58857 +
58858 +set_fmt:
58859 + memset(buf, 0, PAGE_SIZE);
58860 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
58861 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
58862 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58863 + } else if (current->signal->curr_ip) {
58864 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
58865 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58866 + } else if (gr_acl_is_enabled()) {
58867 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
58868 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58869 + } else {
58870 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
58871 + strcpy(buf, fmt);
58872 + }
58873 +
58874 + return NO_FLOODING;
58875 +}
58876 +
58877 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58878 + __attribute__ ((format (printf, 2, 0)));
58879 +
58880 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58881 +{
58882 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58883 + unsigned int len = strlen(buf);
58884 +
58885 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58886 +
58887 + return;
58888 +}
58889 +
58890 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58891 + __attribute__ ((format (printf, 2, 3)));
58892 +
58893 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58894 +{
58895 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58896 + unsigned int len = strlen(buf);
58897 + va_list ap;
58898 +
58899 + va_start(ap, msg);
58900 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58901 + va_end(ap);
58902 +
58903 + return;
58904 +}
58905 +
58906 +static void gr_log_end(int audit)
58907 +{
58908 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58909 + unsigned int len = strlen(buf);
58910 +
58911 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
58912 + printk("%s\n", buf);
58913 +
58914 + return;
58915 +}
58916 +
58917 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
58918 +{
58919 + int logtype;
58920 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
58921 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
58922 + void *voidptr = NULL;
58923 + int num1 = 0, num2 = 0;
58924 + unsigned long ulong1 = 0, ulong2 = 0;
58925 + struct dentry *dentry = NULL;
58926 + struct vfsmount *mnt = NULL;
58927 + struct file *file = NULL;
58928 + struct task_struct *task = NULL;
58929 + const struct cred *cred, *pcred;
58930 + va_list ap;
58931 +
58932 + BEGIN_LOCKS(audit);
58933 + logtype = gr_log_start(audit);
58934 + if (logtype == FLOODING) {
58935 + END_LOCKS(audit);
58936 + return;
58937 + }
58938 + va_start(ap, argtypes);
58939 + switch (argtypes) {
58940 + case GR_TTYSNIFF:
58941 + task = va_arg(ap, struct task_struct *);
58942 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
58943 + break;
58944 + case GR_SYSCTL_HIDDEN:
58945 + str1 = va_arg(ap, char *);
58946 + gr_log_middle_varargs(audit, msg, result, str1);
58947 + break;
58948 + case GR_RBAC:
58949 + dentry = va_arg(ap, struct dentry *);
58950 + mnt = va_arg(ap, struct vfsmount *);
58951 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
58952 + break;
58953 + case GR_RBAC_STR:
58954 + dentry = va_arg(ap, struct dentry *);
58955 + mnt = va_arg(ap, struct vfsmount *);
58956 + str1 = va_arg(ap, char *);
58957 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
58958 + break;
58959 + case GR_STR_RBAC:
58960 + str1 = va_arg(ap, char *);
58961 + dentry = va_arg(ap, struct dentry *);
58962 + mnt = va_arg(ap, struct vfsmount *);
58963 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
58964 + break;
58965 + case GR_RBAC_MODE2:
58966 + dentry = va_arg(ap, struct dentry *);
58967 + mnt = va_arg(ap, struct vfsmount *);
58968 + str1 = va_arg(ap, char *);
58969 + str2 = va_arg(ap, char *);
58970 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
58971 + break;
58972 + case GR_RBAC_MODE3:
58973 + dentry = va_arg(ap, struct dentry *);
58974 + mnt = va_arg(ap, struct vfsmount *);
58975 + str1 = va_arg(ap, char *);
58976 + str2 = va_arg(ap, char *);
58977 + str3 = va_arg(ap, char *);
58978 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
58979 + break;
58980 + case GR_FILENAME:
58981 + dentry = va_arg(ap, struct dentry *);
58982 + mnt = va_arg(ap, struct vfsmount *);
58983 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
58984 + break;
58985 + case GR_STR_FILENAME:
58986 + str1 = va_arg(ap, char *);
58987 + dentry = va_arg(ap, struct dentry *);
58988 + mnt = va_arg(ap, struct vfsmount *);
58989 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
58990 + break;
58991 + case GR_FILENAME_STR:
58992 + dentry = va_arg(ap, struct dentry *);
58993 + mnt = va_arg(ap, struct vfsmount *);
58994 + str1 = va_arg(ap, char *);
58995 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
58996 + break;
58997 + case GR_FILENAME_TWO_INT:
58998 + dentry = va_arg(ap, struct dentry *);
58999 + mnt = va_arg(ap, struct vfsmount *);
59000 + num1 = va_arg(ap, int);
59001 + num2 = va_arg(ap, int);
59002 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59003 + break;
59004 + case GR_FILENAME_TWO_INT_STR:
59005 + dentry = va_arg(ap, struct dentry *);
59006 + mnt = va_arg(ap, struct vfsmount *);
59007 + num1 = va_arg(ap, int);
59008 + num2 = va_arg(ap, int);
59009 + str1 = va_arg(ap, char *);
59010 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59011 + break;
59012 + case GR_TEXTREL:
59013 + file = va_arg(ap, struct file *);
59014 + ulong1 = va_arg(ap, unsigned long);
59015 + ulong2 = va_arg(ap, unsigned long);
59016 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59017 + break;
59018 + case GR_PTRACE:
59019 + task = va_arg(ap, struct task_struct *);
59020 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59021 + break;
59022 + case GR_RESOURCE:
59023 + task = va_arg(ap, struct task_struct *);
59024 + cred = __task_cred(task);
59025 + pcred = __task_cred(task->real_parent);
59026 + ulong1 = va_arg(ap, unsigned long);
59027 + str1 = va_arg(ap, char *);
59028 + ulong2 = va_arg(ap, unsigned long);
59029 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59030 + break;
59031 + case GR_CAP:
59032 + task = va_arg(ap, struct task_struct *);
59033 + cred = __task_cred(task);
59034 + pcred = __task_cred(task->real_parent);
59035 + str1 = va_arg(ap, char *);
59036 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59037 + break;
59038 + case GR_SIG:
59039 + str1 = va_arg(ap, char *);
59040 + voidptr = va_arg(ap, void *);
59041 + gr_log_middle_varargs(audit, msg, str1, voidptr);
59042 + break;
59043 + case GR_SIG2:
59044 + task = va_arg(ap, struct task_struct *);
59045 + cred = __task_cred(task);
59046 + pcred = __task_cred(task->real_parent);
59047 + num1 = va_arg(ap, int);
59048 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59049 + break;
59050 + case GR_CRASH1:
59051 + task = va_arg(ap, struct task_struct *);
59052 + cred = __task_cred(task);
59053 + pcred = __task_cred(task->real_parent);
59054 + ulong1 = va_arg(ap, unsigned long);
59055 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59056 + break;
59057 + case GR_CRASH2:
59058 + task = va_arg(ap, struct task_struct *);
59059 + cred = __task_cred(task);
59060 + pcred = __task_cred(task->real_parent);
59061 + ulong1 = va_arg(ap, unsigned long);
59062 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59063 + break;
59064 + case GR_RWXMAP:
59065 + file = va_arg(ap, struct file *);
59066 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59067 + break;
59068 + case GR_PSACCT:
59069 + {
59070 + unsigned int wday, cday;
59071 + __u8 whr, chr;
59072 + __u8 wmin, cmin;
59073 + __u8 wsec, csec;
59074 + char cur_tty[64] = { 0 };
59075 + char parent_tty[64] = { 0 };
59076 +
59077 + task = va_arg(ap, struct task_struct *);
59078 + wday = va_arg(ap, unsigned int);
59079 + cday = va_arg(ap, unsigned int);
59080 + whr = va_arg(ap, int);
59081 + chr = va_arg(ap, int);
59082 + wmin = va_arg(ap, int);
59083 + cmin = va_arg(ap, int);
59084 + wsec = va_arg(ap, int);
59085 + csec = va_arg(ap, int);
59086 + ulong1 = va_arg(ap, unsigned long);
59087 + cred = __task_cred(task);
59088 + pcred = __task_cred(task->real_parent);
59089 +
59090 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59091 + }
59092 + break;
59093 + default:
59094 + gr_log_middle(audit, msg, ap);
59095 + }
59096 + va_end(ap);
59097 + gr_log_end(audit);
59098 + END_LOCKS(audit);
59099 +}
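Review bot: The flood limiter in gr_log_start silently drops an alert when `jiffies - grsec_alert_wtime` is exactly `CONFIG_GRKERNSEC_FLOODTIME * HZ` and fewer than CONFIG_GRKERNSEC_FLOODBURST alerts have been counted: the first branch tests `>`, the second tests `<`, so the equal case falls through to the final `else return FLOODING`. Using `>=` in the first test (`jiffies - grsec_alert_wtime >= CONFIG_GRKERNSEC_FLOODTIME * HZ`) closes the gap. As a style point, BEGIN_LOCKS and END_LOCKS expand to several statements with an unparenthesized `x` and a bare `if`/`else`, which is safe only because every use in this hunk sits inside braces; wrapping each in `do { ... } while (0)` and writing `(x)` would make them safe in any position. Audit entries also skip the limiter entirely through `goto set_fmt`, so an audit message that can be triggered repeatedly is not rate limited here.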
59100 diff -urNp linux-2.6.39.3/grsecurity/grsec_mem.c linux-2.6.39.3/grsecurity/grsec_mem.c
59101 --- linux-2.6.39.3/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59102 +++ linux-2.6.39.3/grsecurity/grsec_mem.c 2011-05-22 19:41:42.000000000 -0400
59103 @@ -0,0 +1,33 @@
59104 +#include <linux/kernel.h>
59105 +#include <linux/sched.h>
59106 +#include <linux/mm.h>
59107 +#include <linux/mman.h>
59108 +#include <linux/grinternal.h>
59109 +
59110 +void
59111 +gr_handle_ioperm(void)
59112 +{
59113 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59114 + return;
59115 +}
59116 +
59117 +void
59118 +gr_handle_iopl(void)
59119 +{
59120 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59121 + return;
59122 +}
59123 +
59124 +void
59125 +gr_handle_mem_readwrite(u64 from, u64 to)
59126 +{
59127 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59128 + return;
59129 +}
59130 +
59131 +void
59132 +gr_handle_vm86(void)
59133 +{
59134 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59135 + return;
59136 +}
59137 diff -urNp linux-2.6.39.3/grsecurity/grsec_mount.c linux-2.6.39.3/grsecurity/grsec_mount.c
59138 --- linux-2.6.39.3/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59139 +++ linux-2.6.39.3/grsecurity/grsec_mount.c 2011-06-20 19:46:18.000000000 -0400
59140 @@ -0,0 +1,62 @@
59141 +#include <linux/kernel.h>
59142 +#include <linux/sched.h>
59143 +#include <linux/mount.h>
59144 +#include <linux/grsecurity.h>
59145 +#include <linux/grinternal.h>
59146 +
59147 +void
59148 +gr_log_remount(const char *devname, const int retval)
59149 +{
59150 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59151 + if (grsec_enable_mount && (retval >= 0))
59152 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59153 +#endif
59154 + return;
59155 +}
59156 +
59157 +void
59158 +gr_log_unmount(const char *devname, const int retval)
59159 +{
59160 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59161 + if (grsec_enable_mount && (retval >= 0))
59162 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59163 +#endif
59164 + return;
59165 +}
59166 +
59167 +void
59168 +gr_log_mount(const char *from, const char *to, const int retval)
59169 +{
59170 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59171 + if (grsec_enable_mount && (retval >= 0))
59172 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59173 +#endif
59174 + return;
59175 +}
59176 +
59177 +int
59178 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59179 +{
59180 +#ifdef CONFIG_GRKERNSEC_ROFS
59181 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59182 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59183 + return -EPERM;
59184 + } else
59185 + return 0;
59186 +#endif
59187 + return 0;
59188 +}
59189 +
59190 +int
59191 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59192 +{
59193 +#ifdef CONFIG_GRKERNSEC_ROFS
59194 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59195 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59196 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59197 + return -EPERM;
59198 + } else
59199 + return 0;
59200 +#endif
59201 + return 0;
59202 +}
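Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite return -EPERM but log the event with GR_DO_AUDIT, which in grsec_log.c on this page selects KERN_INFO, the audit buffer, and the `goto set_fmt` path that bypasses the alert flood limiter. A denial is therefore recorded at the same level as a successful audited action and is not rate limited. If that is intended, a comment such as `/* ROFS denials are logged through the audit channel on purpose */` above each call would record it; otherwise an alert-class type like the `GR_DONT_AUDIT_GOOD` used in grsec_sig.c may fit better, after checking what else that type implies. Smaller points in the same hunk: the `else return 0;` before `#endif` makes the final `return 0;` unreachable when CONFIG_GRKERNSEC_ROFS is set, and gr_log_mount substitutes "none" for a NULL `from` but passes `to` unchecked.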
59203 diff -urNp linux-2.6.39.3/grsecurity/grsec_pax.c linux-2.6.39.3/grsecurity/grsec_pax.c
59204 --- linux-2.6.39.3/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59205 +++ linux-2.6.39.3/grsecurity/grsec_pax.c 2011-05-22 19:41:42.000000000 -0400
59206 @@ -0,0 +1,36 @@
59207 +#include <linux/kernel.h>
59208 +#include <linux/sched.h>
59209 +#include <linux/mm.h>
59210 +#include <linux/file.h>
59211 +#include <linux/grinternal.h>
59212 +#include <linux/grsecurity.h>
59213 +
59214 +void
59215 +gr_log_textrel(struct vm_area_struct * vma)
59216 +{
59217 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59218 + if (grsec_enable_audit_textrel)
59219 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59220 +#endif
59221 + return;
59222 +}
59223 +
59224 +void
59225 +gr_log_rwxmmap(struct file *file)
59226 +{
59227 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59228 + if (grsec_enable_log_rwxmaps)
59229 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59230 +#endif
59231 + return;
59232 +}
59233 +
59234 +void
59235 +gr_log_rwxmprotect(struct file *file)
59236 +{
59237 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59238 + if (grsec_enable_log_rwxmaps)
59239 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59240 +#endif
59241 + return;
59242 +}
59243 diff -urNp linux-2.6.39.3/grsecurity/grsec_ptrace.c linux-2.6.39.3/grsecurity/grsec_ptrace.c
59244 --- linux-2.6.39.3/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59245 +++ linux-2.6.39.3/grsecurity/grsec_ptrace.c 2011-05-22 19:41:42.000000000 -0400
59246 @@ -0,0 +1,14 @@
59247 +#include <linux/kernel.h>
59248 +#include <linux/sched.h>
59249 +#include <linux/grinternal.h>
59250 +#include <linux/grsecurity.h>
59251 +
59252 +void
59253 +gr_audit_ptrace(struct task_struct *task)
59254 +{
59255 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59256 + if (grsec_enable_audit_ptrace)
59257 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59258 +#endif
59259 + return;
59260 +}
59261 diff -urNp linux-2.6.39.3/grsecurity/grsec_sig.c linux-2.6.39.3/grsecurity/grsec_sig.c
59262 --- linux-2.6.39.3/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59263 +++ linux-2.6.39.3/grsecurity/grsec_sig.c 2011-06-29 19:40:46.000000000 -0400
59264 @@ -0,0 +1,206 @@
59265 +#include <linux/kernel.h>
59266 +#include <linux/sched.h>
59267 +#include <linux/delay.h>
59268 +#include <linux/grsecurity.h>
59269 +#include <linux/grinternal.h>
59270 +#include <linux/hardirq.h>
59271 +
59272 +char *signames[] = {
59273 + [SIGSEGV] = "Segmentation fault",
59274 + [SIGILL] = "Illegal instruction",
59275 + [SIGABRT] = "Abort",
59276 + [SIGBUS] = "Invalid alignment/Bus error"
59277 +};
59278 +
59279 +void
59280 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59281 +{
59282 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59283 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59284 + (sig == SIGABRT) || (sig == SIGBUS))) {
59285 + if (t->pid == current->pid) {
59286 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59287 + } else {
59288 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59289 + }
59290 + }
59291 +#endif
59292 + return;
59293 +}
59294 +
59295 +int
59296 +gr_handle_signal(const struct task_struct *p, const int sig)
59297 +{
59298 +#ifdef CONFIG_GRKERNSEC
59299 + if (current->pid > 1 && gr_check_protected_task(p)) {
59300 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59301 + return -EPERM;
59302 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59303 + return -EPERM;
59304 + }
59305 +#endif
59306 + return 0;
59307 +}
59308 +
59309 +#ifdef CONFIG_GRKERNSEC
59310 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59311 +
59312 +int gr_fake_force_sig(int sig, struct task_struct *t)
59313 +{
59314 + unsigned long int flags;
59315 + int ret, blocked, ignored;
59316 + struct k_sigaction *action;
59317 +
59318 + spin_lock_irqsave(&t->sighand->siglock, flags);
59319 + action = &t->sighand->action[sig-1];
59320 + ignored = action->sa.sa_handler == SIG_IGN;
59321 + blocked = sigismember(&t->blocked, sig);
59322 + if (blocked || ignored) {
59323 + action->sa.sa_handler = SIG_DFL;
59324 + if (blocked) {
59325 + sigdelset(&t->blocked, sig);
59326 + recalc_sigpending_and_wake(t);
59327 + }
59328 + }
59329 + if (action->sa.sa_handler == SIG_DFL)
59330 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
59331 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59332 +
59333 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
59334 +
59335 + return ret;
59336 +}
59337 +#endif
59338 +
59339 +#ifdef CONFIG_GRKERNSEC_BRUTE
59340 +#define GR_USER_BAN_TIME (15 * 60)
59341 +
59342 +static int __get_dumpable(unsigned long mm_flags)
59343 +{
59344 + int ret;
59345 +
59346 + ret = mm_flags & MMF_DUMPABLE_MASK;
59347 + return (ret >= 2) ? 2 : ret;
59348 +}
59349 +#endif
59350 +
59351 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59352 +{
59353 +#ifdef CONFIG_GRKERNSEC_BRUTE
59354 + uid_t uid = 0;
59355 +
59356 + if (!grsec_enable_brute)
59357 + return;
59358 +
59359 + rcu_read_lock();
59360 + read_lock(&tasklist_lock);
59361 + read_lock(&grsec_exec_file_lock);
59362 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
59363 + p->real_parent->brute = 1;
59364 + else {
59365 + const struct cred *cred = __task_cred(p), *cred2;
59366 + struct task_struct *tsk, *tsk2;
59367 +
59368 + if (!__get_dumpable(mm_flags) && cred->uid) {
59369 + struct user_struct *user;
59370 +
59371 + uid = cred->uid;
59372 +
59373 + /* this is put upon execution past expiration */
59374 + user = find_user(uid);
59375 + if (user == NULL)
59376 + goto unlock;
59377 + user->banned = 1;
59378 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
59379 + if (user->ban_expires == ~0UL)
59380 + user->ban_expires--;
59381 +
59382 + do_each_thread(tsk2, tsk) {
59383 + cred2 = __task_cred(tsk);
59384 + if (tsk != p && cred2->uid == uid)
59385 + gr_fake_force_sig(SIGKILL, tsk);
59386 + } while_each_thread(tsk2, tsk);
59387 + }
59388 + }
59389 +unlock:
59390 + read_unlock(&grsec_exec_file_lock);
59391 + read_unlock(&tasklist_lock);
59392 + rcu_read_unlock();
59393 +
59394 + if (uid)
59395 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
59396 +
59397 +#endif
59398 + return;
59399 +}
59400 +
59401 +void gr_handle_brute_check(void)
59402 +{
59403 +#ifdef CONFIG_GRKERNSEC_BRUTE
59404 + if (current->brute)
59405 + msleep(30 * 1000);
59406 +#endif
59407 + return;
59408 +}
59409 +
59410 +void gr_handle_kernel_exploit(void)
59411 +{
59412 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
59413 + const struct cred *cred;
59414 + struct task_struct *tsk, *tsk2;
59415 + struct user_struct *user;
59416 + uid_t uid;
59417 +
59418 + if (in_irq() || in_serving_softirq() || in_nmi())
59419 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
59420 +
59421 + uid = current_uid();
59422 +
59423 + if (uid == 0)
59424 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
59425 + else {
59426 + /* kill all the processes of this user, hold a reference
59427 + to their creds struct, and prevent them from creating
59428 + another process until system reset
59429 + */
59430 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
59431 + /* we intentionally leak this ref */
59432 + user = get_uid(current->cred->user);
59433 + if (user) {
59434 + user->banned = 1;
59435 + user->ban_expires = ~0UL;
59436 + }
59437 +
59438 + read_lock(&tasklist_lock);
59439 + do_each_thread(tsk2, tsk) {
59440 + cred = __task_cred(tsk);
59441 + if (cred->uid == uid)
59442 + gr_fake_force_sig(SIGKILL, tsk);
59443 + } while_each_thread(tsk2, tsk);
59444 + read_unlock(&tasklist_lock);
59445 + }
59446 +#endif
59447 +}
59448 +
59449 +int __gr_process_user_ban(struct user_struct *user)
59450 +{
59451 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59452 + if (unlikely(user->banned)) {
59453 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
59454 + user->banned = 0;
59455 + user->ban_expires = 0;
59456 + free_uid(user);
59457 + } else
59458 + return -EPERM;
59459 + }
59460 +#endif
59461 + return 0;
59462 +}
59463 +
59464 +int gr_process_user_ban(void)
59465 +{
59466 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59467 + return __gr_process_user_ban(current->cred->user);
59468 +#endif
59469 + return 0;
59470 +}
59471 diff -urNp linux-2.6.39.3/grsecurity/grsec_sock.c linux-2.6.39.3/grsecurity/grsec_sock.c
59472 --- linux-2.6.39.3/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
59473 +++ linux-2.6.39.3/grsecurity/grsec_sock.c 2011-05-22 20:29:21.000000000 -0400
59474 @@ -0,0 +1,244 @@
59475 +#include <linux/kernel.h>
59476 +#include <linux/module.h>
59477 +#include <linux/sched.h>
59478 +#include <linux/file.h>
59479 +#include <linux/net.h>
59480 +#include <linux/in.h>
59481 +#include <linux/ip.h>
59482 +#include <net/sock.h>
59483 +#include <net/inet_sock.h>
59484 +#include <linux/grsecurity.h>
59485 +#include <linux/grinternal.h>
59486 +#include <linux/gracl.h>
59487 +
59488 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
59489 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
59490 +
59491 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
59492 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
59493 +
59494 +#ifdef CONFIG_UNIX_MODULE
59495 +EXPORT_SYMBOL(gr_acl_handle_unix);
59496 +EXPORT_SYMBOL(gr_acl_handle_mknod);
59497 +EXPORT_SYMBOL(gr_handle_chroot_unix);
59498 +EXPORT_SYMBOL(gr_handle_create);
59499 +#endif
59500 +
59501 +#ifdef CONFIG_GRKERNSEC
59502 +#define gr_conn_table_size 32749
59503 +struct conn_table_entry {
59504 + struct conn_table_entry *next;
59505 + struct signal_struct *sig;
59506 +};
59507 +
59508 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
59509 +DEFINE_SPINLOCK(gr_conn_table_lock);
59510 +
59511 +extern const char * gr_socktype_to_name(unsigned char type);
59512 +extern const char * gr_proto_to_name(unsigned char proto);
59513 +extern const char * gr_sockfamily_to_name(unsigned char family);
59514 +
59515 +static __inline__ int
59516 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
59517 +{
59518 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
59519 +}
59520 +
59521 +static __inline__ int
59522 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
59523 + __u16 sport, __u16 dport)
59524 +{
59525 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
59526 + sig->gr_sport == sport && sig->gr_dport == dport))
59527 + return 1;
59528 + else
59529 + return 0;
59530 +}
59531 +
59532 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
59533 +{
59534 + struct conn_table_entry **match;
59535 + unsigned int index;
59536 +
59537 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59538 + sig->gr_sport, sig->gr_dport,
59539 + gr_conn_table_size);
59540 +
59541 + newent->sig = sig;
59542 +
59543 + match = &gr_conn_table[index];
59544 + newent->next = *match;
59545 + *match = newent;
59546 +
59547 + return;
59548 +}
59549 +
59550 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
59551 +{
59552 + struct conn_table_entry *match, *last = NULL;
59553 + unsigned int index;
59554 +
59555 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59556 + sig->gr_sport, sig->gr_dport,
59557 + gr_conn_table_size);
59558 +
59559 + match = gr_conn_table[index];
59560 + while (match && !conn_match(match->sig,
59561 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
59562 + sig->gr_dport)) {
59563 + last = match;
59564 + match = match->next;
59565 + }
59566 +
59567 + if (match) {
59568 + if (last)
59569 + last->next = match->next;
59570 + else
59571 + gr_conn_table[index] = NULL;
59572 + kfree(match);
59573 + }
59574 +
59575 + return;
59576 +}
59577 +
59578 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
59579 + __u16 sport, __u16 dport)
59580 +{
59581 + struct conn_table_entry *match;
59582 + unsigned int index;
59583 +
59584 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
59585 +
59586 + match = gr_conn_table[index];
59587 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
59588 + match = match->next;
59589 +
59590 + if (match)
59591 + return match->sig;
59592 + else
59593 + return NULL;
59594 +}
59595 +
59596 +#endif
59597 +
59598 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
59599 +{
59600 +#ifdef CONFIG_GRKERNSEC
59601 + struct signal_struct *sig = task->signal;
59602 + struct conn_table_entry *newent;
59603 +
59604 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
59605 + if (newent == NULL)
59606 + return;
59607 + /* no bh lock needed since we are called with bh disabled */
59608 + spin_lock(&gr_conn_table_lock);
59609 + gr_del_task_from_ip_table_nolock(sig);
59610 + sig->gr_saddr = inet->inet_rcv_saddr;
59611 + sig->gr_daddr = inet->inet_daddr;
59612 + sig->gr_sport = inet->inet_sport;
59613 + sig->gr_dport = inet->inet_dport;
59614 + gr_add_to_task_ip_table_nolock(sig, newent);
59615 + spin_unlock(&gr_conn_table_lock);
59616 +#endif
59617 + return;
59618 +}
59619 +
59620 +void gr_del_task_from_ip_table(struct task_struct *task)
59621 +{
59622 +#ifdef CONFIG_GRKERNSEC
59623 + spin_lock_bh(&gr_conn_table_lock);
59624 + gr_del_task_from_ip_table_nolock(task->signal);
59625 + spin_unlock_bh(&gr_conn_table_lock);
59626 +#endif
59627 + return;
59628 +}
59629 +
59630 +void
59631 +gr_attach_curr_ip(const struct sock *sk)
59632 +{
59633 +#ifdef CONFIG_GRKERNSEC
59634 + struct signal_struct *p, *set;
59635 + const struct inet_sock *inet = inet_sk(sk);
59636 +
59637 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
59638 + return;
59639 +
59640 + set = current->signal;
59641 +
59642 + spin_lock_bh(&gr_conn_table_lock);
59643 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
59644 + inet->inet_dport, inet->inet_sport);
59645 + if (unlikely(p != NULL)) {
59646 + set->curr_ip = p->curr_ip;
59647 + set->used_accept = 1;
59648 + gr_del_task_from_ip_table_nolock(p);
59649 + spin_unlock_bh(&gr_conn_table_lock);
59650 + return;
59651 + }
59652 + spin_unlock_bh(&gr_conn_table_lock);
59653 +
59654 + set->curr_ip = inet->inet_daddr;
59655 + set->used_accept = 1;
59656 +#endif
59657 + return;
59658 +}
59659 +
59660 +int
59661 +gr_handle_sock_all(const int family, const int type, const int protocol)
59662 +{
59663 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59664 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
59665 + (family != AF_UNIX)) {
59666 + if (family == AF_INET)
59667 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
59668 + else
59669 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
59670 + return -EACCES;
59671 + }
59672 +#endif
59673 + return 0;
59674 +}
59675 +
59676 +int
59677 +gr_handle_sock_server(const struct sockaddr *sck)
59678 +{
59679 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59680 + if (grsec_enable_socket_server &&
59681 + in_group_p(grsec_socket_server_gid) &&
59682 + sck && (sck->sa_family != AF_UNIX) &&
59683 + (sck->sa_family != AF_LOCAL)) {
59684 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59685 + return -EACCES;
59686 + }
59687 +#endif
59688 + return 0;
59689 +}
59690 +
59691 +int
59692 +gr_handle_sock_server_other(const struct sock *sck)
59693 +{
59694 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59695 + if (grsec_enable_socket_server &&
59696 + in_group_p(grsec_socket_server_gid) &&
59697 + sck && (sck->sk_family != AF_UNIX) &&
59698 + (sck->sk_family != AF_LOCAL)) {
59699 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59700 + return -EACCES;
59701 + }
59702 +#endif
59703 + return 0;
59704 +}
59705 +
59706 +int
59707 +gr_handle_sock_client(const struct sockaddr *sck)
59708 +{
59709 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59710 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
59711 + sck && (sck->sa_family != AF_UNIX) &&
59712 + (sck->sa_family != AF_LOCAL)) {
59713 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
59714 + return -EACCES;
59715 + }
59716 +#endif
59717 + return 0;
59718 +}
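Review bot: In gr_del_task_from_ip_table_nolock, removing the first entry of a bucket sets `gr_conn_table[index] = NULL`, which drops every other entry chained behind it instead of unlinking only the matched node. The dropped entries are never freed, because a later delete for their signal_struct walks an empty bucket. gr_lookup_task_ip_table also stops finding them, so gr_attach_curr_ip falls back to `inet->inet_daddr` instead of the recorded curr_ip. The else branch should be `gr_conn_table[index] = match->next;`.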
59719 diff -urNp linux-2.6.39.3/grsecurity/grsec_sysctl.c linux-2.6.39.3/grsecurity/grsec_sysctl.c
59720 --- linux-2.6.39.3/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
59721 +++ linux-2.6.39.3/grsecurity/grsec_sysctl.c 2011-06-29 19:38:04.000000000 -0400
59722 @@ -0,0 +1,442 @@
59723 +#include <linux/kernel.h>
59724 +#include <linux/sched.h>
59725 +#include <linux/sysctl.h>
59726 +#include <linux/grsecurity.h>
59727 +#include <linux/grinternal.h>
59728 +
59729 +int
59730 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
59731 +{
59732 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59733 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
59734 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
59735 + return -EACCES;
59736 + }
59737 +#endif
59738 + return 0;
59739 +}
59740 +
59741 +#ifdef CONFIG_GRKERNSEC_ROFS
59742 +static int __maybe_unused one = 1;
59743 +#endif
59744 +
59745 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
59746 +struct ctl_table grsecurity_table[] = {
59747 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59748 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
59749 +#ifdef CONFIG_GRKERNSEC_IO
59750 + {
59751 + .procname = "disable_priv_io",
59752 + .data = &grsec_disable_privio,
59753 + .maxlen = sizeof(int),
59754 + .mode = 0600,
59755 + .proc_handler = &proc_dointvec,
59756 + },
59757 +#endif
59758 +#endif
59759 +#ifdef CONFIG_GRKERNSEC_LINK
59760 + {
59761 + .procname = "linking_restrictions",
59762 + .data = &grsec_enable_link,
59763 + .maxlen = sizeof(int),
59764 + .mode = 0600,
59765 + .proc_handler = &proc_dointvec,
59766 + },
59767 +#endif
59768 +#ifdef CONFIG_GRKERNSEC_BRUTE
59769 + {
59770 + .procname = "deter_bruteforce",
59771 + .data = &grsec_enable_brute,
59772 + .maxlen = sizeof(int),
59773 + .mode = 0600,
59774 + .proc_handler = &proc_dointvec,
59775 + },
59776 +#endif
59777 +#ifdef CONFIG_GRKERNSEC_FIFO
59778 + {
59779 + .procname = "fifo_restrictions",
59780 + .data = &grsec_enable_fifo,
59781 + .maxlen = sizeof(int),
59782 + .mode = 0600,
59783 + .proc_handler = &proc_dointvec,
59784 + },
59785 +#endif
59786 +#ifdef CONFIG_GRKERNSEC_EXECVE
59787 + {
59788 + .procname = "execve_limiting",
59789 + .data = &grsec_enable_execve,
59790 + .maxlen = sizeof(int),
59791 + .mode = 0600,
59792 + .proc_handler = &proc_dointvec,
59793 + },
59794 +#endif
59795 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59796 + {
59797 + .procname = "ip_blackhole",
59798 + .data = &grsec_enable_blackhole,
59799 + .maxlen = sizeof(int),
59800 + .mode = 0600,
59801 + .proc_handler = &proc_dointvec,
59802 + },
59803 + {
59804 + .procname = "lastack_retries",
59805 + .data = &grsec_lastack_retries,
59806 + .maxlen = sizeof(int),
59807 + .mode = 0600,
59808 + .proc_handler = &proc_dointvec,
59809 + },
59810 +#endif
59811 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59812 + {
59813 + .procname = "exec_logging",
59814 + .data = &grsec_enable_execlog,
59815 + .maxlen = sizeof(int),
59816 + .mode = 0600,
59817 + .proc_handler = &proc_dointvec,
59818 + },
59819 +#endif
59820 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59821 + {
59822 + .procname = "rwxmap_logging",
59823 + .data = &grsec_enable_log_rwxmaps,
59824 + .maxlen = sizeof(int),
59825 + .mode = 0600,
59826 + .proc_handler = &proc_dointvec,
59827 + },
59828 +#endif
59829 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59830 + {
59831 + .procname = "signal_logging",
59832 + .data = &grsec_enable_signal,
59833 + .maxlen = sizeof(int),
59834 + .mode = 0600,
59835 + .proc_handler = &proc_dointvec,
59836 + },
59837 +#endif
59838 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59839 + {
59840 + .procname = "forkfail_logging",
59841 + .data = &grsec_enable_forkfail,
59842 + .maxlen = sizeof(int),
59843 + .mode = 0600,
59844 + .proc_handler = &proc_dointvec,
59845 + },
59846 +#endif
59847 +#ifdef CONFIG_GRKERNSEC_TIME
59848 + {
59849 + .procname = "timechange_logging",
59850 + .data = &grsec_enable_time,
59851 + .maxlen = sizeof(int),
59852 + .mode = 0600,
59853 + .proc_handler = &proc_dointvec,
59854 + },
59855 +#endif
59856 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59857 + {
59858 + .procname = "chroot_deny_shmat",
59859 + .data = &grsec_enable_chroot_shmat,
59860 + .maxlen = sizeof(int),
59861 + .mode = 0600,
59862 + .proc_handler = &proc_dointvec,
59863 + },
59864 +#endif
59865 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59866 + {
59867 + .procname = "chroot_deny_unix",
59868 + .data = &grsec_enable_chroot_unix,
59869 + .maxlen = sizeof(int),
59870 + .mode = 0600,
59871 + .proc_handler = &proc_dointvec,
59872 + },
59873 +#endif
59874 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59875 + {
59876 + .procname = "chroot_deny_mount",
59877 + .data = &grsec_enable_chroot_mount,
59878 + .maxlen = sizeof(int),
59879 + .mode = 0600,
59880 + .proc_handler = &proc_dointvec,
59881 + },
59882 +#endif
59883 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59884 + {
59885 + .procname = "chroot_deny_fchdir",
59886 + .data = &grsec_enable_chroot_fchdir,
59887 + .maxlen = sizeof(int),
59888 + .mode = 0600,
59889 + .proc_handler = &proc_dointvec,
59890 + },
59891 +#endif
59892 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59893 + {
59894 + .procname = "chroot_deny_chroot",
59895 + .data = &grsec_enable_chroot_double,
59896 + .maxlen = sizeof(int),
59897 + .mode = 0600,
59898 + .proc_handler = &proc_dointvec,
59899 + },
59900 +#endif
59901 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59902 + {
59903 + .procname = "chroot_deny_pivot",
59904 + .data = &grsec_enable_chroot_pivot,
59905 + .maxlen = sizeof(int),
59906 + .mode = 0600,
59907 + .proc_handler = &proc_dointvec,
59908 + },
59909 +#endif
59910 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59911 + {
59912 + .procname = "chroot_enforce_chdir",
59913 + .data = &grsec_enable_chroot_chdir,
59914 + .maxlen = sizeof(int),
59915 + .mode = 0600,
59916 + .proc_handler = &proc_dointvec,
59917 + },
59918 +#endif
59919 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59920 + {
59921 + .procname = "chroot_deny_chmod",
59922 + .data = &grsec_enable_chroot_chmod,
59923 + .maxlen = sizeof(int),
59924 + .mode = 0600,
59925 + .proc_handler = &proc_dointvec,
59926 + },
59927 +#endif
59928 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59929 + {
59930 + .procname = "chroot_deny_mknod",
59931 + .data = &grsec_enable_chroot_mknod,
59932 + .maxlen = sizeof(int),
59933 + .mode = 0600,
59934 + .proc_handler = &proc_dointvec,
59935 + },
59936 +#endif
59937 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59938 + {
59939 + .procname = "chroot_restrict_nice",
59940 + .data = &grsec_enable_chroot_nice,
59941 + .maxlen = sizeof(int),
59942 + .mode = 0600,
59943 + .proc_handler = &proc_dointvec,
59944 + },
59945 +#endif
59946 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59947 + {
59948 + .procname = "chroot_execlog",
59949 + .data = &grsec_enable_chroot_execlog,
59950 + .maxlen = sizeof(int),
59951 + .mode = 0600,
59952 + .proc_handler = &proc_dointvec,
59953 + },
59954 +#endif
59955 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59956 + {
59957 + .procname = "chroot_caps",
59958 + .data = &grsec_enable_chroot_caps,
59959 + .maxlen = sizeof(int),
59960 + .mode = 0600,
59961 + .proc_handler = &proc_dointvec,
59962 + },
59963 +#endif
59964 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59965 + {
59966 + .procname = "chroot_deny_sysctl",
59967 + .data = &grsec_enable_chroot_sysctl,
59968 + .maxlen = sizeof(int),
59969 + .mode = 0600,
59970 + .proc_handler = &proc_dointvec,
59971 + },
59972 +#endif
59973 +#ifdef CONFIG_GRKERNSEC_TPE
59974 + {
59975 + .procname = "tpe",
59976 + .data = &grsec_enable_tpe,
59977 + .maxlen = sizeof(int),
59978 + .mode = 0600,
59979 + .proc_handler = &proc_dointvec,
59980 + },
59981 + {
59982 + .procname = "tpe_gid",
59983 + .data = &grsec_tpe_gid,
59984 + .maxlen = sizeof(int),
59985 + .mode = 0600,
59986 + .proc_handler = &proc_dointvec,
59987 + },
59988 +#endif
59989 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59990 + {
59991 + .procname = "tpe_invert",
59992 + .data = &grsec_enable_tpe_invert,
59993 + .maxlen = sizeof(int),
59994 + .mode = 0600,
59995 + .proc_handler = &proc_dointvec,
59996 + },
59997 +#endif
59998 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
59999 + {
60000 + .procname = "tpe_restrict_all",
60001 + .data = &grsec_enable_tpe_all,
60002 + .maxlen = sizeof(int),
60003 + .mode = 0600,
60004 + .proc_handler = &proc_dointvec,
60005 + },
60006 +#endif
60007 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60008 + {
60009 + .procname = "socket_all",
60010 + .data = &grsec_enable_socket_all,
60011 + .maxlen = sizeof(int),
60012 + .mode = 0600,
60013 + .proc_handler = &proc_dointvec,
60014 + },
60015 + {
60016 + .procname = "socket_all_gid",
60017 + .data = &grsec_socket_all_gid,
60018 + .maxlen = sizeof(int),
60019 + .mode = 0600,
60020 + .proc_handler = &proc_dointvec,
60021 + },
60022 +#endif
60023 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60024 + {
60025 + .procname = "socket_client",
60026 + .data = &grsec_enable_socket_client,
60027 + .maxlen = sizeof(int),
60028 + .mode = 0600,
60029 + .proc_handler = &proc_dointvec,
60030 + },
60031 + {
60032 + .procname = "socket_client_gid",
60033 + .data = &grsec_socket_client_gid,
60034 + .maxlen = sizeof(int),
60035 + .mode = 0600,
60036 + .proc_handler = &proc_dointvec,
60037 + },
60038 +#endif
60039 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60040 + {
60041 + .procname = "socket_server",
60042 + .data = &grsec_enable_socket_server,
60043 + .maxlen = sizeof(int),
60044 + .mode = 0600,
60045 + .proc_handler = &proc_dointvec,
60046 + },
60047 + {
60048 + .procname = "socket_server_gid",
60049 + .data = &grsec_socket_server_gid,
60050 + .maxlen = sizeof(int),
60051 + .mode = 0600,
60052 + .proc_handler = &proc_dointvec,
60053 + },
60054 +#endif
60055 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60056 + {
60057 + .procname = "audit_group",
60058 + .data = &grsec_enable_group,
60059 + .maxlen = sizeof(int),
60060 + .mode = 0600,
60061 + .proc_handler = &proc_dointvec,
60062 + },
60063 + {
60064 + .procname = "audit_gid",
60065 + .data = &grsec_audit_gid,
60066 + .maxlen = sizeof(int),
60067 + .mode = 0600,
60068 + .proc_handler = &proc_dointvec,
60069 + },
60070 +#endif
60071 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60072 + {
60073 + .procname = "audit_chdir",
60074 + .data = &grsec_enable_chdir,
60075 + .maxlen = sizeof(int),
60076 + .mode = 0600,
60077 + .proc_handler = &proc_dointvec,
60078 + },
60079 +#endif
60080 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60081 + {
60082 + .procname = "audit_mount",
60083 + .data = &grsec_enable_mount,
60084 + .maxlen = sizeof(int),
60085 + .mode = 0600,
60086 + .proc_handler = &proc_dointvec,
60087 + },
60088 +#endif
60089 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60090 + {
60091 + .procname = "audit_textrel",
60092 + .data = &grsec_enable_audit_textrel,
60093 + .maxlen = sizeof(int),
60094 + .mode = 0600,
60095 + .proc_handler = &proc_dointvec,
60096 + },
60097 +#endif
60098 +#ifdef CONFIG_GRKERNSEC_DMESG
60099 + {
60100 + .procname = "dmesg",
60101 + .data = &grsec_enable_dmesg,
60102 + .maxlen = sizeof(int),
60103 + .mode = 0600,
60104 + .proc_handler = &proc_dointvec,
60105 + },
60106 +#endif
60107 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60108 + {
60109 + .procname = "chroot_findtask",
60110 + .data = &grsec_enable_chroot_findtask,
60111 + .maxlen = sizeof(int),
60112 + .mode = 0600,
60113 + .proc_handler = &proc_dointvec,
60114 + },
60115 +#endif
60116 +#ifdef CONFIG_GRKERNSEC_RESLOG
60117 + {
60118 + .procname = "resource_logging",
60119 + .data = &grsec_resource_logging,
60120 + .maxlen = sizeof(int),
60121 + .mode = 0600,
60122 + .proc_handler = &proc_dointvec,
60123 + },
60124 +#endif
60125 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60126 + {
60127 + .procname = "audit_ptrace",
60128 + .data = &grsec_enable_audit_ptrace,
60129 + .maxlen = sizeof(int),
60130 + .mode = 0600,
60131 + .proc_handler = &proc_dointvec,
60132 + },
60133 +#endif
60134 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60135 + {
60136 + .procname = "harden_ptrace",
60137 + .data = &grsec_enable_harden_ptrace,
60138 + .maxlen = sizeof(int),
60139 + .mode = 0600,
60140 + .proc_handler = &proc_dointvec,
60141 + },
60142 +#endif
60143 + {
60144 + .procname = "grsec_lock",
60145 + .data = &grsec_lock,
60146 + .maxlen = sizeof(int),
60147 + .mode = 0600,
60148 + .proc_handler = &proc_dointvec,
60149 + },
60150 +#endif
60151 +#ifdef CONFIG_GRKERNSEC_ROFS
60152 + {
60153 + .procname = "romount_protect",
60154 + .data = &grsec_enable_rofs,
60155 + .maxlen = sizeof(int),
60156 + .mode = 0600,
60157 + .proc_handler = &proc_dointvec_minmax,
60158 + .extra1 = &one,
60159 + .extra2 = &one,
60160 + },
60161 +#endif
60162 + { }
60163 +};
60164 +#endif
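Review bot: Two entries in grsecurity_table are one-way switches and nothing in the file says so. `romount_protect` has `.extra1` and `.extra2` both pointing at `one`, so proc_dointvec_minmax accepts only the value 1. `grsec_lock` becomes unwritable only because gr_handle_sysctl_mod returns -EACCES for any write under a directory named "grsecurity" once it is non-zero; the caller of that function is outside this hunk. I would add `/* one-way: can be set to 1, never cleared at runtime */` above the romount_protect entry and `/* once non-zero, gr_handle_sysctl_mod() rejects every write to this table, including this entry */` above grsec_lock. The remaining entries use plain proc_dointvec, so the enable flags and the *_gid values accept any int, including negative ones; bounding the flags to 0..1 with proc_dointvec_minmax would follow the pattern romount_protect already uses.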
60165 diff -urNp linux-2.6.39.3/grsecurity/grsec_time.c linux-2.6.39.3/grsecurity/grsec_time.c
60166 --- linux-2.6.39.3/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60167 +++ linux-2.6.39.3/grsecurity/grsec_time.c 2011-05-22 19:41:42.000000000 -0400
60168 @@ -0,0 +1,16 @@
60169 +#include <linux/kernel.h>
60170 +#include <linux/sched.h>
60171 +#include <linux/grinternal.h>
60172 +#include <linux/module.h>
60173 +
60174 +void
60175 +gr_log_timechange(void)
60176 +{
60177 +#ifdef CONFIG_GRKERNSEC_TIME
60178 + if (grsec_enable_time)
60179 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60180 +#endif
60181 + return;
60182 +}
60183 +
60184 +EXPORT_SYMBOL(gr_log_timechange);
60185 diff -urNp linux-2.6.39.3/grsecurity/grsec_tpe.c linux-2.6.39.3/grsecurity/grsec_tpe.c
60186 --- linux-2.6.39.3/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60187 +++ linux-2.6.39.3/grsecurity/grsec_tpe.c 2011-05-22 19:41:42.000000000 -0400
60188 @@ -0,0 +1,39 @@
60189 +#include <linux/kernel.h>
60190 +#include <linux/sched.h>
60191 +#include <linux/file.h>
60192 +#include <linux/fs.h>
60193 +#include <linux/grinternal.h>
60194 +
60195 +extern int gr_acl_tpe_check(void);
60196 +
60197 +int
60198 +gr_tpe_allow(const struct file *file)
60199 +{
60200 +#ifdef CONFIG_GRKERNSEC
60201 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60202 + const struct cred *cred = current_cred();
60203 +
60204 + if (cred->uid && ((grsec_enable_tpe &&
60205 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60206 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60207 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60208 +#else
60209 + in_group_p(grsec_tpe_gid)
60210 +#endif
60211 + ) || gr_acl_tpe_check()) &&
60212 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60213 + (inode->i_mode & S_IWOTH))))) {
60214 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60215 + return 0;
60216 + }
60217 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60218 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60219 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60220 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60221 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60222 + return 0;
60223 + }
60224 +#endif
60225 +#endif
60226 + return 1;
60227 +}
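Review bot: gr_tpe_allow reads `file->f_path.dentry->d_parent->d_inode` without taking a reference on the parent or holding d_lock, so a concurrent rename could change d_parent between that dereference and the ownership and mode tests that follow; the hunk shows no lock held by the caller. Taking the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);`, testing `parent->d_inode`, and calling `dput(parent);` before each return would pin the directory being judged. Separately, in the first condition `!inode->i_uid &&` is redundant after `inode->i_uid ||` and can be dropped for readability.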
60228 diff -urNp linux-2.6.39.3/grsecurity/grsum.c linux-2.6.39.3/grsecurity/grsum.c
60229 --- linux-2.6.39.3/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60230 +++ linux-2.6.39.3/grsecurity/grsum.c 2011-05-22 19:41:42.000000000 -0400
60231 @@ -0,0 +1,61 @@
60232 +#include <linux/err.h>
60233 +#include <linux/kernel.h>
60234 +#include <linux/sched.h>
60235 +#include <linux/mm.h>
60236 +#include <linux/scatterlist.h>
60237 +#include <linux/crypto.h>
60238 +#include <linux/gracl.h>
60239 +
60240 +
60241 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60242 +#error "crypto and sha256 must be built into the kernel"
60243 +#endif
60244 +
60245 +int
60246 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60247 +{
60248 + char *p;
60249 + struct crypto_hash *tfm;
60250 + struct hash_desc desc;
60251 + struct scatterlist sg;
60252 + unsigned char temp_sum[GR_SHA_LEN];
60253 + volatile int retval = 0;
60254 + volatile int dummy = 0;
60255 + unsigned int i;
60256 +
60257 + sg_init_table(&sg, 1);
60258 +
60259 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60260 + if (IS_ERR(tfm)) {
60261 + /* should never happen, since sha256 should be built in */
60262 + return 1;
60263 + }
60264 +
60265 + desc.tfm = tfm;
60266 + desc.flags = 0;
60267 +
60268 + crypto_hash_init(&desc);
60269 +
60270 + p = salt;
60271 + sg_set_buf(&sg, p, GR_SALT_LEN);
60272 + crypto_hash_update(&desc, &sg, sg.length);
60273 +
60274 + p = entry->pw;
60275 + sg_set_buf(&sg, p, strlen(p));
60276 +
60277 + crypto_hash_update(&desc, &sg, sg.length);
60278 +
60279 + crypto_hash_final(&desc, temp_sum);
60280 +
60281 + memset(entry->pw, 0, GR_PW_LEN);
60282 +
60283 + for (i = 0; i < GR_SHA_LEN; i++)
60284 + if (sum[i] != temp_sum[i])
60285 + retval = 1;
60286 + else
60287 + dummy = 1; // waste a cycle
60288 +
60289 + crypto_free_hash(tfm);
60290 +
60291 + return retval;
60292 +}
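Review bot: chkpw ignores the return values of crypto_hash_init, crypto_hash_update and crypto_hash_final, so if any of them fails the loop compares `sum` against an uninitialised `temp_sum` on the stack. Such a failure should be reported as a mismatch, as the IS_ERR(tfm) path already does by returning 1. That early return also skips `memset(entry->pw, 0, GR_PW_LEN)`, leaving the supplied password in the caller's buffer, and `temp_sum` is never cleared before returning. The sketch below carries an error flag through the hash calls and still wipes entry->pw before deciding the result.

```c
	int err;

	/* … unchanged: sg_init_table, crypto_alloc_hash, desc setup … */
	err = crypto_hash_init(&desc);
	/* … unchanged: sg_set_buf for the salt … */
	if (!err)
		err = crypto_hash_update(&desc, &sg, sg.length);
	/* … unchanged: sg_set_buf for entry->pw … */
	if (!err)
		err = crypto_hash_update(&desc, &sg, sg.length);
	if (!err)
		err = crypto_hash_final(&desc, temp_sum);

	memset(entry->pw, 0, GR_PW_LEN);
	if (err) {
		/* no digest was produced: report a mismatch */
		crypto_free_hash(tfm);
		return 1;
	}
	/* … unchanged: comparison loop, crypto_free_hash, return retval … */
```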
60293 diff -urNp linux-2.6.39.3/grsecurity/Kconfig linux-2.6.39.3/grsecurity/Kconfig
60294 --- linux-2.6.39.3/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
60295 +++ linux-2.6.39.3/grsecurity/Kconfig 2011-07-06 19:58:30.000000000 -0400
60296 @@ -0,0 +1,1048 @@
60297 +#
60298 +# grecurity configuration
60299 +#
60300 +
60301 +menu "Grsecurity"
60302 +
60303 +config GRKERNSEC
60304 + bool "Grsecurity"
60305 + select CRYPTO
60306 + select CRYPTO_SHA256
60307 + help
60308 + If you say Y here, you will be able to configure many features
60309 + that will enhance the security of your system. It is highly
60310 + recommended that you say Y here and read through the help
60311 + for each option so that you fully understand the features and
60312 + can evaluate their usefulness for your machine.
60313 +
60314 +choice
60315 + prompt "Security Level"
60316 + depends on GRKERNSEC
60317 + default GRKERNSEC_CUSTOM
60318 +
60319 +config GRKERNSEC_LOW
60320 + bool "Low"
60321 + select GRKERNSEC_LINK
60322 + select GRKERNSEC_FIFO
60323 + select GRKERNSEC_EXECVE
60324 + select GRKERNSEC_RANDNET
60325 + select GRKERNSEC_DMESG
60326 + select GRKERNSEC_CHROOT
60327 + select GRKERNSEC_CHROOT_CHDIR
60328 +
60329 + help
60330 + If you choose this option, several of the grsecurity options will
60331 + be enabled that will give you greater protection against a number
60332 + of attacks, while assuring that none of your software will have any
60333 + conflicts with the additional security measures. If you run a lot
60334 + of unusual software, or you are having problems with the higher
60335 + security levels, you should say Y here. With this option, the
60336 + following features are enabled:
60337 +
60338 + - Linking restrictions
60339 + - FIFO restrictions
60340 + - Enforcing RLIMIT_NPROC on execve
60341 + - Restricted dmesg
60342 + - Enforced chdir("/") on chroot
60343 + - Runtime module disabling
60344 +
60345 +config GRKERNSEC_MEDIUM
60346 + bool "Medium"
60347 + select PAX
60348 + select PAX_EI_PAX
60349 + select PAX_PT_PAX_FLAGS
60350 + select PAX_HAVE_ACL_FLAGS
60351 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60352 + select GRKERNSEC_CHROOT
60353 + select GRKERNSEC_CHROOT_SYSCTL
60354 + select GRKERNSEC_LINK
60355 + select GRKERNSEC_FIFO
60356 + select GRKERNSEC_EXECVE
60357 + select GRKERNSEC_DMESG
60358 + select GRKERNSEC_RANDNET
60359 + select GRKERNSEC_FORKFAIL
60360 + select GRKERNSEC_TIME
60361 + select GRKERNSEC_SIGNAL
60362 + select GRKERNSEC_CHROOT
60363 + select GRKERNSEC_CHROOT_UNIX
60364 + select GRKERNSEC_CHROOT_MOUNT
60365 + select GRKERNSEC_CHROOT_PIVOT
60366 + select GRKERNSEC_CHROOT_DOUBLE
60367 + select GRKERNSEC_CHROOT_CHDIR
60368 + select GRKERNSEC_CHROOT_MKNOD
60369 + select GRKERNSEC_PROC
60370 + select GRKERNSEC_PROC_USERGROUP
60371 + select PAX_RANDUSTACK
60372 + select PAX_ASLR
60373 + select PAX_RANDMMAP
60374 + select PAX_REFCOUNT if (X86 || SPARC64)
60375 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
60376 +
60377 + help
60378 + If you say Y here, several features in addition to those included
60379 + in the low additional security level will be enabled. These
60380 + features provide even more security to your system, though in rare
60381 + cases they may be incompatible with very old or poorly written
60382 + software. If you enable this option, make sure that your auth
60383 + service (identd) is running as gid 1001. With this option,
60384 + the following features (in addition to those provided in the
60385 + low additional security level) will be enabled:
60386 +
60387 + - Failed fork logging
60388 + - Time change logging
60389 + - Signal logging
60390 + - Deny mounts in chroot
60391 + - Deny double chrooting
60392 + - Deny sysctl writes in chroot
60393 + - Deny mknod in chroot
60394 + - Deny access to abstract AF_UNIX sockets out of chroot
60395 + - Deny pivot_root in chroot
60396 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
60397 + - /proc restrictions with special GID set to 10 (usually wheel)
60398 + - Address Space Layout Randomization (ASLR)
60399 + - Prevent exploitation of most refcount overflows
60400 + - Bounds checking of copying between the kernel and userland
60401 +
60402 +config GRKERNSEC_HIGH
60403 + bool "High"
60404 + select GRKERNSEC_LINK
60405 + select GRKERNSEC_FIFO
60406 + select GRKERNSEC_EXECVE
60407 + select GRKERNSEC_DMESG
60408 + select GRKERNSEC_FORKFAIL
60409 + select GRKERNSEC_TIME
60410 + select GRKERNSEC_SIGNAL
60411 + select GRKERNSEC_CHROOT
60412 + select GRKERNSEC_CHROOT_SHMAT
60413 + select GRKERNSEC_CHROOT_UNIX
60414 + select GRKERNSEC_CHROOT_MOUNT
60415 + select GRKERNSEC_CHROOT_FCHDIR
60416 + select GRKERNSEC_CHROOT_PIVOT
60417 + select GRKERNSEC_CHROOT_DOUBLE
60418 + select GRKERNSEC_CHROOT_CHDIR
60419 + select GRKERNSEC_CHROOT_MKNOD
60420 + select GRKERNSEC_CHROOT_CAPS
60421 + select GRKERNSEC_CHROOT_SYSCTL
60422 + select GRKERNSEC_CHROOT_FINDTASK
60423 + select GRKERNSEC_SYSFS_RESTRICT
60424 + select GRKERNSEC_PROC
60425 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60426 + select GRKERNSEC_HIDESYM
60427 + select GRKERNSEC_BRUTE
60428 + select GRKERNSEC_PROC_USERGROUP
60429 + select GRKERNSEC_KMEM
60430 + select GRKERNSEC_RESLOG
60431 + select GRKERNSEC_RANDNET
60432 + select GRKERNSEC_PROC_ADD
60433 + select GRKERNSEC_CHROOT_CHMOD
60434 + select GRKERNSEC_CHROOT_NICE
60435 + select GRKERNSEC_AUDIT_MOUNT
60436 + select GRKERNSEC_MODHARDEN if (MODULES)
60437 + select GRKERNSEC_HARDEN_PTRACE
60438 + select GRKERNSEC_VM86 if (X86_32)
60439 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
60440 + select PAX
60441 + select PAX_RANDUSTACK
60442 + select PAX_ASLR
60443 + select PAX_RANDMMAP
60444 + select PAX_NOEXEC
60445 + select PAX_MPROTECT
60446 + select PAX_EI_PAX
60447 + select PAX_PT_PAX_FLAGS
60448 + select PAX_HAVE_ACL_FLAGS
60449 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
60450 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
60451 + select PAX_RANDKSTACK if (X86_TSC && X86)
60452 + select PAX_SEGMEXEC if (X86_32)
60453 + select PAX_PAGEEXEC
60454 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
60455 + select PAX_EMUTRAMP if (PARISC)
60456 + select PAX_EMUSIGRT if (PARISC)
60457 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
60458 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
60459 + select PAX_REFCOUNT if (X86 || SPARC64)
60460 + select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
60461 + help
60462 + If you say Y here, many of the features of grsecurity will be
60463 + enabled, which will protect you against many kinds of attacks
60464 + against your system. The heightened security comes at a cost
60465 + of an increased chance of incompatibilities with rare software
60466 + on your machine. Since this security level enables PaX, you should
60467 + view <http://pax.grsecurity.net> and read about the PaX
60468 + project. While you are there, download chpax and run it on
60469 + binaries that cause problems with PaX. Also remember that
60470 + since the /proc restrictions are enabled, you must run your
60471 + identd as gid 1001. This security level enables the following
60472 + features in addition to those listed in the low and medium
60473 + security levels:
60474 +
60475 + - Additional /proc restrictions
60476 + - Chmod restrictions in chroot
60477 + - No signals, ptrace, or viewing of processes outside of chroot
60478 + - Capability restrictions in chroot
60479 + - Deny fchdir out of chroot
60480 + - Priority restrictions in chroot
60481 + - Segmentation-based implementation of PaX
60482 + - Mprotect restrictions
60483 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
60484 + - Kernel stack randomization
60485 + - Mount/unmount/remount logging
60486 + - Kernel symbol hiding
60487 + - Prevention of memory exhaustion-based exploits
60488 + - Hardening of module auto-loading
60489 + - Ptrace restrictions
60490 + - Restricted vm86 mode
60491 + - Restricted sysfs/debugfs
60492 + - Active kernel exploit response
60493 +
60494 +config GRKERNSEC_CUSTOM
60495 + bool "Custom"
60496 + help
60497 + If you say Y here, you will be able to configure every grsecurity
60498 + option, which allows you to enable many more features that aren't
60499 + covered in the basic security levels. These additional features
60500 + include TPE, socket restrictions, and the sysctl system for
60501 + grsecurity. It is advised that you read through the help for
60502 + each option to determine its usefulness in your situation.
60503 +
60504 +endchoice
60505 +
60506 +menu "Address Space Protection"
60507 +depends on GRKERNSEC
60508 +
60509 +config GRKERNSEC_KMEM
60510 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
60511 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
60512 + help
60513 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
60514 + be written to via mmap or otherwise to modify the running kernel.
60515 + /dev/port will also not be allowed to be opened. If you have module
60516 + support disabled, enabling this will close up four ways that are
60517 + currently used to insert malicious code into the running kernel.
60518 + Even with all these features enabled, we still highly recommend that
60519 + you use the RBAC system, as it is still possible for an attacker to
60520 + modify the running kernel through privileged I/O granted by ioperm/iopl.
60521 + If you are not using XFree86, you may be able to stop this additional
60522 + case by enabling the 'Disable privileged I/O' option. Though nothing
60523 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
60524 + but only to video memory, which is the only writing we allow in this
60525 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
60526 + not be allowed to mprotect it with PROT_WRITE later.
60527 + It is highly recommended that you say Y here if you meet all the
60528 + conditions above.
60529 +
60530 +config GRKERNSEC_VM86
60531 + bool "Restrict VM86 mode"
60532 + depends on X86_32
60533 +
60534 + help
60535 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
60536 + make use of a special execution mode on 32bit x86 processors called
60537 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
60538 + video cards and will still work with this option enabled. The purpose
60539 + of the option is to prevent exploitation of emulation errors in
60540 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
60541 + Nearly all users should be able to enable this option.
60542 +
60543 +config GRKERNSEC_IO
60544 + bool "Disable privileged I/O"
60545 + depends on X86
60546 + select RTC_CLASS
60547 + select RTC_INTF_DEV
60548 + select RTC_DRV_CMOS
60549 +
60550 + help
60551 + If you say Y here, all ioperm and iopl calls will return an error.
60552 + Ioperm and iopl can be used to modify the running kernel.
60553 + Unfortunately, some programs need this access to operate properly,
60554 + the most notable of which are XFree86 and hwclock. hwclock can be
60555 + remedied by having RTC support in the kernel, so real-time
60556 + clock support is enabled if this option is enabled, to ensure
60557 + that hwclock operates correctly. XFree86 still will not
60558 + operate correctly with this option enabled, so DO NOT CHOOSE Y
60559 + IF YOU USE XFree86. If you use XFree86 and you still want to
60560 + protect your kernel against modification, use the RBAC system.
60561 +
60562 +config GRKERNSEC_PROC_MEMMAP
60563 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
60564 + default y if (PAX_NOEXEC || PAX_ASLR)
60565 + depends on PAX_NOEXEC || PAX_ASLR
60566 + help
60567 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
60568 + give no information about the addresses of its mappings if
60569 + PaX features that rely on random addresses are enabled on the task.
60570 + If you use PaX it is greatly recommended that you say Y here as it
60571 + closes up a hole that makes the full ASLR useless for suid
60572 + binaries.
60573 +
60574 +config GRKERNSEC_BRUTE
60575 + bool "Deter exploit bruteforcing"
60576 + help
60577 + If you say Y here, attempts to bruteforce exploits against forking
60578 + daemons such as apache or sshd, as well as against suid/sgid binaries
60579 + will be deterred. When a child of a forking daemon is killed by PaX
60580 + or crashes due to an illegal instruction or other suspicious signal,
60581 + the parent process will be delayed 30 seconds upon every subsequent
60582 + fork until the administrator is able to assess the situation and
60583 + restart the daemon.
60584 + In the suid/sgid case, the attempt is logged, the user has all their
60585 + processes terminated, and they are prevented from executing any further
60586 + processes for 15 minutes.
60587 + It is recommended that you also enable signal logging in the auditing
60588 + section so that logs are generated when a process triggers a suspicious
60589 + signal.
60590 + If the sysctl option is enabled, a sysctl option with name
60591 + "deter_bruteforce" is created.
60592 +
60593 +
60594 +config GRKERNSEC_MODHARDEN
60595 + bool "Harden module auto-loading"
60596 + depends on MODULES
60597 + help
60598 + If you say Y here, module auto-loading in response to use of some
60599 + feature implemented by an unloaded module will be restricted to
60600 + root users. Enabling this option helps defend against attacks
60601 + by unprivileged users who abuse the auto-loading behavior to
60602 + cause a vulnerable module to load that is then exploited.
60603 +
60604 + If this option prevents a legitimate use of auto-loading for a
60605 + non-root user, the administrator can execute modprobe manually
60606 + with the exact name of the module mentioned in the alert log.
60607 + Alternatively, the administrator can add the module to the list
60608 + of modules loaded at boot by modifying init scripts.
60609 +
60610 + Modification of init scripts will most likely be needed on
60611 + Ubuntu servers with encrypted home directory support enabled,
60612 + as the first non-root user logging in will cause the ecb(aes),
60613 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
60614 +
60615 +config GRKERNSEC_HIDESYM
60616 + bool "Hide kernel symbols"
60617 + help
60618 + If you say Y here, getting information on loaded modules, and
60619 + displaying all kernel symbols through a syscall will be restricted
60620 + to users with CAP_SYS_MODULE. For software compatibility reasons,
60621 + /proc/kallsyms will be restricted to the root user. The RBAC
60622 + system can hide that entry even from root.
60623 +
60624 + This option also prevents leaking of kernel addresses through
60625 + several /proc entries.
60626 +
60627 + Note that this option is only effective provided the following
60628 + conditions are met:
60629 + 1) The kernel using grsecurity is not precompiled by some distribution
60630 + 2) You have also enabled GRKERNSEC_DMESG
60631 + 3) You are using the RBAC system and hiding other files such as your
60632 + kernel image and System.map. Alternatively, enabling this option
60633 + causes the permissions on /boot, /lib/modules, and the kernel
60634 + source directory to change at compile time to prevent
60635 + reading by non-root users.
60636 + If the above conditions are met, this option will aid in providing a
60637 + useful protection against local kernel exploitation of overflows
60638 + and arbitrary read/write vulnerabilities.
60639 +
60640 +config GRKERNSEC_KERN_LOCKOUT
60641 + bool "Active kernel exploit response"
60642 + depends on X86 || ARM || PPC || SPARC
60643 + help
60644 + If you say Y here, when a PaX alert is triggered due to suspicious
60645 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
60646 + or an OOPs occurs due to bad memory accesses, instead of just
60647 + terminating the offending process (and potentially allowing
60648 + a subsequent exploit from the same user), we will take one of two
60649 + actions:
60650 + If the user was root, we will panic the system
60651 + If the user was non-root, we will log the attempt, terminate
60652 + all processes owned by the user, then prevent them from creating
60653 + any new processes until the system is restarted
60654 + This deters repeated kernel exploitation/bruteforcing attempts
60655 + and is useful for later forensics.
60656 +
60657 +endmenu
60658 +menu "Role Based Access Control Options"
60659 +depends on GRKERNSEC
60660 +
60661 +config GRKERNSEC_RBAC_DEBUG
60662 + bool
60663 +
60664 +config GRKERNSEC_NO_RBAC
60665 + bool "Disable RBAC system"
60666 + help
60667 + If you say Y here, the /dev/grsec device will be removed from the kernel,
60668 + preventing the RBAC system from being enabled. You should only say Y
60669 + here if you have no intention of using the RBAC system, so as to prevent
60670 + an attacker with root access from misusing the RBAC system to hide files
60671 + and processes when loadable module support and /dev/[k]mem have been
60672 + locked down.
60673 +
60674 +config GRKERNSEC_ACL_HIDEKERN
60675 + bool "Hide kernel processes"
60676 + help
60677 + If you say Y here, all kernel threads will be hidden to all
60678 + processes but those whose subject has the "view hidden processes"
60679 + flag.
60680 +
60681 +config GRKERNSEC_ACL_MAXTRIES
60682 + int "Maximum tries before password lockout"
60683 + default 3
60684 + help
60685 + This option enforces the maximum number of times a user can attempt
60686 + to authorize themselves with the grsecurity RBAC system before being
60687 + denied the ability to attempt authorization again for a specified time.
60688 + The lower the number, the harder it will be to brute-force a password.
60689 +
60690 +config GRKERNSEC_ACL_TIMEOUT
60691 + int "Time to wait after max password tries, in seconds"
60692 + default 30
60693 + help
60694 + This option specifies the time the user must wait after attempting to
60695 + authorize to the RBAC system with the maximum number of invalid
60696 + passwords. The higher the number, the harder it will be to brute-force
60697 + a password.
60698 +
60699 +endmenu
60700 +menu "Filesystem Protections"
60701 +depends on GRKERNSEC
60702 +
60703 +config GRKERNSEC_PROC
60704 + bool "Proc restrictions"
60705 + help
60706 + If you say Y here, the permissions of the /proc filesystem
60707 + will be altered to enhance system security and privacy. You MUST
60708 + choose either a user only restriction or a user and group restriction.
60709 + Depending upon the option you choose, you can either restrict users to
60710 + see only the processes they themselves run, or choose a group that can
60711 + view all processes and files normally restricted to root if you choose
60712 + the "restrict to user only" option. NOTE: If you're running identd as
60713 + a non-root user, you will have to run it as the group you specify here.
60714 +
60715 +config GRKERNSEC_PROC_USER
60716 + bool "Restrict /proc to user only"
60717 + depends on GRKERNSEC_PROC
60718 + help
60719 + If you say Y here, non-root users will only be able to view their own
60720 + processes, and restricts them from viewing network-related information,
60721 + and viewing kernel symbol and module information.
60722 +
60723 +config GRKERNSEC_PROC_USERGROUP
60724 + bool "Allow special group"
60725 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
60726 + help
60727 + If you say Y here, you will be able to select a group that will be
60728 + able to view all processes and network-related information. If you've
60729 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
60730 + remain hidden. This option is useful if you want to run identd as
60731 + a non-root user.
60732 +
60733 +config GRKERNSEC_PROC_GID
60734 + int "GID for special group"
60735 + depends on GRKERNSEC_PROC_USERGROUP
60736 + default 1001
60737 +
60738 +config GRKERNSEC_PROC_ADD
60739 + bool "Additional restrictions"
60740 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
60741 + help
60742 + If you say Y here, additional restrictions will be placed on
60743 + /proc that keep normal users from viewing device information and
60744 + slabinfo information that could be useful for exploits.
60745 +
60746 +config GRKERNSEC_LINK
60747 + bool "Linking restrictions"
60748 + help
60749 + If you say Y here, /tmp race exploits will be prevented, since users
60750 + will no longer be able to follow symlinks owned by other users in
60751 + world-writable +t directories (e.g. /tmp), unless the owner of the
60752 + symlink is the owner of the directory. users will also not be
60753 + able to hardlink to files they do not own. If the sysctl option is
60754 + enabled, a sysctl option with name "linking_restrictions" is created.
60755 +
60756 +config GRKERNSEC_FIFO
60757 + bool "FIFO restrictions"
60758 + help
60759 + If you say Y here, users will not be able to write to FIFOs they don't
60760 + own in world-writable +t directories (e.g. /tmp), unless the owner of
60761 + the FIFO is the same owner of the directory it's held in. If the sysctl
60762 + option is enabled, a sysctl option with name "fifo_restrictions" is
60763 + created.
60764 +
60765 +config GRKERNSEC_SYSFS_RESTRICT
60766 + bool "Sysfs/debugfs restriction"
60767 + depends on SYSFS
60768 + help
60769 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
60770 + any filesystem normally mounted under it (e.g. debugfs) will only
60771 + be accessible by root. These filesystems generally provide access
60772 + to hardware and debug information that isn't appropriate for unprivileged
60773 + users of the system. Sysfs and debugfs have also become a large source
60774 + of new vulnerabilities, ranging from infoleaks to local compromise.
60775 + There has been very little oversight with an eye toward security involved
60776 + in adding new exporters of information to these filesystems, so their
60777 + use is discouraged.
60778 + This option is equivalent to a chmod 0700 of the mount paths.
60779 +
60780 +config GRKERNSEC_ROFS
60781 + bool "Runtime read-only mount protection"
60782 + help
60783 + If you say Y here, a sysctl option with name "romount_protect" will
60784 + be created. By setting this option to 1 at runtime, filesystems
60785 + will be protected in the following ways:
60786 + * No new writable mounts will be allowed
60787 + * Existing read-only mounts won't be able to be remounted read/write
60788 + * Write operations will be denied on all block devices
60789 + This option acts independently of grsec_lock: once it is set to 1,
60790 + it cannot be turned off. Therefore, please be mindful of the resulting
60791 + behavior if this option is enabled in an init script on a read-only
60792 + filesystem. This feature is mainly intended for secure embedded systems.
60793 +
60794 +config GRKERNSEC_CHROOT
60795 + bool "Chroot jail restrictions"
60796 + help
60797 + If you say Y here, you will be able to choose several options that will
60798 + make breaking out of a chrooted jail much more difficult. If you
60799 + encounter no software incompatibilities with the following options, it
60800 + is recommended that you enable each one.
60801 +
60802 +config GRKERNSEC_CHROOT_MOUNT
60803 + bool "Deny mounts"
60804 + depends on GRKERNSEC_CHROOT
60805 + help
60806 + If you say Y here, processes inside a chroot will not be able to
60807 + mount or remount filesystems. If the sysctl option is enabled, a
60808 + sysctl option with name "chroot_deny_mount" is created.
60809 +
60810 +config GRKERNSEC_CHROOT_DOUBLE
60811 + bool "Deny double-chroots"
60812 + depends on GRKERNSEC_CHROOT
60813 + help
60814 + If you say Y here, processes inside a chroot will not be able to chroot
60815 + again outside the chroot. This is a widely used method of breaking
60816 + out of a chroot jail and should not be allowed. If the sysctl
60817 + option is enabled, a sysctl option with name
60818 + "chroot_deny_chroot" is created.
60819 +
60820 +config GRKERNSEC_CHROOT_PIVOT
60821 + bool "Deny pivot_root in chroot"
60822 + depends on GRKERNSEC_CHROOT
60823 + help
60824 + If you say Y here, processes inside a chroot will not be able to use
60825 + a function called pivot_root() that was introduced in Linux 2.3.41. It
60826 + works similar to chroot in that it changes the root filesystem. This
60827 + function could be misused in a chrooted process to attempt to break out
60828 + of the chroot, and therefore should not be allowed. If the sysctl
60829 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
60830 + created.
60831 +
60832 +config GRKERNSEC_CHROOT_CHDIR
60833 + bool "Enforce chdir(\"/\") on all chroots"
60834 + depends on GRKERNSEC_CHROOT
60835 + help
60836 + If you say Y here, the current working directory of all newly-chrooted
60837 + applications will be set to the the root directory of the chroot.
60838 + The man page on chroot(2) states:
60839 + Note that this call does not change the current working
60840 + directory, so that `.' can be outside the tree rooted at
60841 + `/'. In particular, the super-user can escape from a
60842 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
60843 +
60844 + It is recommended that you say Y here, since it's not known to break
60845 + any software. If the sysctl option is enabled, a sysctl option with
60846 + name "chroot_enforce_chdir" is created.
60847 +
60848 +config GRKERNSEC_CHROOT_CHMOD
60849 + bool "Deny (f)chmod +s"
60850 + depends on GRKERNSEC_CHROOT
60851 + help
60852 + If you say Y here, processes inside a chroot will not be able to chmod
60853 + or fchmod files to make them have suid or sgid bits. This protects
60854 + against another published method of breaking a chroot. If the sysctl
60855 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
60856 + created.
60857 +
60858 +config GRKERNSEC_CHROOT_FCHDIR
60859 + bool "Deny fchdir out of chroot"
60860 + depends on GRKERNSEC_CHROOT
60861 + help
60862 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
60863 + to a file descriptor of the chrooting process that points to a directory
60864 + outside the filesystem will be stopped. If the sysctl option
60865 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
60866 +
60867 +config GRKERNSEC_CHROOT_MKNOD
60868 + bool "Deny mknod"
60869 + depends on GRKERNSEC_CHROOT
60870 + help
60871 + If you say Y here, processes inside a chroot will not be allowed to
60872 + mknod. The problem with using mknod inside a chroot is that it
60873 + would allow an attacker to create a device entry that is the same
60874 + as one on the physical root of your system, which could range from
60875 + anything from the console device to a device for your harddrive (which
60876 + they could then use to wipe the drive or steal data). It is recommended
60877 + that you say Y here, unless you run into software incompatibilities.
60878 + If the sysctl option is enabled, a sysctl option with name
60879 + "chroot_deny_mknod" is created.
60880 +
60881 +config GRKERNSEC_CHROOT_SHMAT
60882 + bool "Deny shmat() out of chroot"
60883 + depends on GRKERNSEC_CHROOT
60884 + help
60885 + If you say Y here, processes inside a chroot will not be able to attach
60886 + to shared memory segments that were created outside of the chroot jail.
60887 + It is recommended that you say Y here. If the sysctl option is enabled,
60888 + a sysctl option with name "chroot_deny_shmat" is created.
60889 +
60890 +config GRKERNSEC_CHROOT_UNIX
60891 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
60892 + depends on GRKERNSEC_CHROOT
60893 + help
60894 + If you say Y here, processes inside a chroot will not be able to
60895 + connect to abstract (meaning not belonging to a filesystem) Unix
60896 + domain sockets that were bound outside of a chroot. It is recommended
60897 + that you say Y here. If the sysctl option is enabled, a sysctl option
60898 + with name "chroot_deny_unix" is created.
60899 +
60900 +config GRKERNSEC_CHROOT_FINDTASK
60901 + bool "Protect outside processes"
60902 + depends on GRKERNSEC_CHROOT
60903 + help
60904 + If you say Y here, processes inside a chroot will not be able to
60905 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60906 + getsid, or view any process outside of the chroot. If the sysctl
60907 + option is enabled, a sysctl option with name "chroot_findtask" is
60908 + created.
60909 +
60910 +config GRKERNSEC_CHROOT_NICE
60911 + bool "Restrict priority changes"
60912 + depends on GRKERNSEC_CHROOT
60913 + help
60914 + If you say Y here, processes inside a chroot will not be able to raise
60915 + the priority of processes in the chroot, or alter the priority of
60916 + processes outside the chroot. This provides more security than simply
60917 + removing CAP_SYS_NICE from the process' capability set. If the
60918 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60919 + is created.
60920 +
60921 +config GRKERNSEC_CHROOT_SYSCTL
60922 + bool "Deny sysctl writes"
60923 + depends on GRKERNSEC_CHROOT
60924 + help
60925 + If you say Y here, an attacker in a chroot will not be able to
60926 + write to sysctl entries, either by sysctl(2) or through a /proc
60927 + interface. It is strongly recommended that you say Y here. If the
60928 + sysctl option is enabled, a sysctl option with name
60929 + "chroot_deny_sysctl" is created.
60930 +
60931 +config GRKERNSEC_CHROOT_CAPS
60932 + bool "Capability restrictions"
60933 + depends on GRKERNSEC_CHROOT
60934 + help
60935 + If you say Y here, the capabilities on all root processes within a
60936 + chroot jail will be lowered to stop module insertion, raw i/o,
60937 + system and net admin tasks, rebooting the system, modifying immutable
60938 + files, modifying IPC owned by another, and changing the system time.
60939 + This is left an option because it can break some apps. Disable this
60940 + if your chrooted apps are having problems performing those kinds of
60941 + tasks. If the sysctl option is enabled, a sysctl option with
60942 + name "chroot_caps" is created.
60943 +
60944 +endmenu
60945 +menu "Kernel Auditing"
60946 +depends on GRKERNSEC
60947 +
60948 +config GRKERNSEC_AUDIT_GROUP
60949 + bool "Single group for auditing"
60950 + help
60951 + If you say Y here, the exec, chdir, and (un)mount logging features
60952 + will only operate on a group you specify. This option is recommended
60953 + if you only want to watch certain users instead of having a large
60954 + amount of logs from the entire system. If the sysctl option is enabled,
60955 + a sysctl option with name "audit_group" is created.
60956 +
60957 +config GRKERNSEC_AUDIT_GID
60958 + int "GID for auditing"
60959 + depends on GRKERNSEC_AUDIT_GROUP
60960 + default 1007
60961 +
60962 +config GRKERNSEC_EXECLOG
60963 + bool "Exec logging"
60964 + help
60965 + If you say Y here, all execve() calls will be logged (since the
60966 + other exec*() calls are frontends to execve(), all execution
60967 + will be logged). Useful for shell-servers that like to keep track
60968 + of their users. If the sysctl option is enabled, a sysctl option with
60969 + name "exec_logging" is created.
60970 + WARNING: This option when enabled will produce a LOT of logs, especially
60971 + on an active system.
60972 +
60973 +config GRKERNSEC_RESLOG
60974 + bool "Resource logging"
60975 + help
60976 + If you say Y here, all attempts to overstep resource limits will
60977 + be logged with the resource name, the requested size, and the current
60978 + limit. It is highly recommended that you say Y here. If the sysctl
60979 + option is enabled, a sysctl option with name "resource_logging" is
60980 + created. If the RBAC system is enabled, the sysctl value is ignored.
60981 +
60982 +config GRKERNSEC_CHROOT_EXECLOG
60983 + bool "Log execs within chroot"
60984 + help
60985 + If you say Y here, all executions inside a chroot jail will be logged
60986 + to syslog. This can cause a large amount of logs if certain
60987 + applications (eg. djb's daemontools) are installed on the system, and
60988 + is therefore left as an option. If the sysctl option is enabled, a
60989 + sysctl option with name "chroot_execlog" is created.
60990 +
60991 +config GRKERNSEC_AUDIT_PTRACE
60992 + bool "Ptrace logging"
60993 + help
60994 + If you say Y here, all attempts to attach to a process via ptrace
60995 + will be logged. If the sysctl option is enabled, a sysctl option
60996 + with name "audit_ptrace" is created.
60997 +
60998 +config GRKERNSEC_AUDIT_CHDIR
60999 + bool "Chdir logging"
61000 + help
61001 + If you say Y here, all chdir() calls will be logged. If the sysctl
61002 + option is enabled, a sysctl option with name "audit_chdir" is created.
61003 +
61004 +config GRKERNSEC_AUDIT_MOUNT
61005 + bool "(Un)Mount logging"
61006 + help
61007 + If you say Y here, all mounts and unmounts will be logged. If the
61008 + sysctl option is enabled, a sysctl option with name "audit_mount" is
61009 + created.
61010 +
61011 +config GRKERNSEC_SIGNAL
61012 + bool "Signal logging"
61013 + help
61014 + If you say Y here, certain important signals will be logged, such as
61015 + SIGSEGV, which will as a result inform you of when a error in a program
61016 + occurred, which in some cases could mean a possible exploit attempt.
61017 + If the sysctl option is enabled, a sysctl option with name
61018 + "signal_logging" is created.
61019 +
61020 +config GRKERNSEC_FORKFAIL
61021 + bool "Fork failure logging"
61022 + help
61023 + If you say Y here, all failed fork() attempts will be logged.
61024 + This could suggest a fork bomb, or someone attempting to overstep
61025 + their process limit. If the sysctl option is enabled, a sysctl option
61026 + with name "forkfail_logging" is created.
61027 +
61028 +config GRKERNSEC_TIME
61029 + bool "Time change logging"
61030 + help
61031 + If you say Y here, any changes of the system clock will be logged.
61032 + If the sysctl option is enabled, a sysctl option with name
61033 + "timechange_logging" is created.
61034 +
61035 +config GRKERNSEC_PROC_IPADDR
61036 + bool "/proc/<pid>/ipaddr support"
61037 + help
61038 + If you say Y here, a new entry will be added to each /proc/<pid>
61039 + directory that contains the IP address of the person using the task.
61040 + The IP is carried across local TCP and AF_UNIX stream sockets.
61041 + This information can be useful for IDS/IPSes to perform remote response
61042 + to a local attack. The entry is readable by only the owner of the
61043 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
61044 + the RBAC system), and thus does not create privacy concerns.
61045 +
61046 +config GRKERNSEC_RWXMAP_LOG
61047 + bool 'Denied RWX mmap/mprotect logging'
61048 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
61049 + help
61050 + If you say Y here, calls to mmap() and mprotect() with explicit
61051 + usage of PROT_WRITE and PROT_EXEC together will be logged when
61052 + denied by the PAX_MPROTECT feature. If the sysctl option is
61053 + enabled, a sysctl option with name "rwxmap_logging" is created.
61054 +
61055 +config GRKERNSEC_AUDIT_TEXTREL
61056 + bool 'ELF text relocations logging (READ HELP)'
61057 + depends on PAX_MPROTECT
61058 + help
61059 + If you say Y here, text relocations will be logged with the filename
61060 + of the offending library or binary. The purpose of the feature is
61061 + to help Linux distribution developers get rid of libraries and
61062 + binaries that need text relocations which hinder the future progress
61063 + of PaX. Only Linux distribution developers should say Y here, and
61064 + never on a production machine, as this option creates an information
61065 + leak that could aid an attacker in defeating the randomization of
61066 + a single memory region. If the sysctl option is enabled, a sysctl
61067 + option with name "audit_textrel" is created.
61068 +
61069 +endmenu
61070 +
61071 +menu "Executable Protections"
61072 +depends on GRKERNSEC
61073 +
61074 +config GRKERNSEC_EXECVE
61075 + bool "Enforce RLIMIT_NPROC on execs"
61076 + help
61077 + If you say Y here, users with a resource limit on processes will
61078 + have the value checked during execve() calls. The current system
61079 + only checks the system limit during fork() calls. If the sysctl option
61080 + is enabled, a sysctl option with name "execve_limiting" is created.
61081 +
61082 +config GRKERNSEC_DMESG
61083 + bool "Dmesg(8) restriction"
61084 + help
61085 + If you say Y here, non-root users will not be able to use dmesg(8)
61086 + to view up to the last 4kb of messages in the kernel's log buffer.
61087 + The kernel's log buffer often contains kernel addresses and other
61088 + identifying information useful to an attacker in fingerprinting a
61089 + system for a targeted exploit.
61090 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
61091 + created.
61092 +
61093 +config GRKERNSEC_HARDEN_PTRACE
61094 + bool "Deter ptrace-based process snooping"
61095 + help
61096 + If you say Y here, TTY sniffers and other malicious monitoring
61097 + programs implemented through ptrace will be defeated. If you
61098 + have been using the RBAC system, this option has already been
61099 + enabled for several years for all users, with the ability to make
61100 + fine-grained exceptions.
61101 +
61102 + This option only affects the ability of non-root users to ptrace
61103 + processes that are not a descendent of the ptracing process.
61104 + This means that strace ./binary and gdb ./binary will still work,
61105 + but attaching to arbitrary processes will not. If the sysctl
61106 + option is enabled, a sysctl option with name "harden_ptrace" is
61107 + created.
61108 +
61109 +config GRKERNSEC_TPE
61110 + bool "Trusted Path Execution (TPE)"
61111 + help
61112 + If you say Y here, you will be able to choose a gid to add to the
61113 + supplementary groups of users you want to mark as "untrusted."
61114 + These users will not be able to execute any files that are not in
61115 + root-owned directories writable only by root. If the sysctl option
61116 + is enabled, a sysctl option with name "tpe" is created.
61117 +
61118 +config GRKERNSEC_TPE_ALL
61119 + bool "Partially restrict all non-root users"
61120 + depends on GRKERNSEC_TPE
61121 + help
61122 + If you say Y here, all non-root users will be covered under
61123 + a weaker TPE restriction. This is separate from, and in addition to,
61124 + the main TPE options that you have selected elsewhere. Thus, if a
61125 + "trusted" GID is chosen, this restriction applies to even that GID.
61126 + Under this restriction, all non-root users will only be allowed to
61127 + execute files in directories they own that are not group or
61128 + world-writable, or in directories owned by root and writable only by
61129 + root. If the sysctl option is enabled, a sysctl option with name
61130 + "tpe_restrict_all" is created.
61131 +
61132 +config GRKERNSEC_TPE_INVERT
61133 + bool "Invert GID option"
61134 + depends on GRKERNSEC_TPE
61135 + help
61136 + If you say Y here, the group you specify in the TPE configuration will
61137 + decide what group TPE restrictions will be *disabled* for. This
61138 + option is useful if you want TPE restrictions to be applied to most
61139 + users on the system. If the sysctl option is enabled, a sysctl option
61140 + with name "tpe_invert" is created. Unlike other sysctl options, this
61141 + entry will default to on for backward-compatibility.
61142 +
61143 +config GRKERNSEC_TPE_GID
61144 + int "GID for untrusted users"
61145 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
61146 + default 1005
61147 + help
61148 + Setting this GID determines what group TPE restrictions will be
61149 + *enabled* for. If the sysctl option is enabled, a sysctl option
61150 + with name "tpe_gid" is created.
61151 +
61152 +config GRKERNSEC_TPE_GID
61153 + int "GID for trusted users"
61154 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61155 + default 1005
61156 + help
61157 + Setting this GID determines what group TPE restrictions will be
61158 + *disabled* for. If the sysctl option is enabled, a sysctl option
61159 + with name "tpe_gid" is created.
61160 +
61161 +endmenu
61162 +menu "Network Protections"
61163 +depends on GRKERNSEC
61164 +
61165 +config GRKERNSEC_RANDNET
61166 + bool "Larger entropy pools"
61167 + help
61168 + If you say Y here, the entropy pools used for many features of Linux
61169 + and grsecurity will be doubled in size. Since several grsecurity
61170 + features use additional randomness, it is recommended that you say Y
61171 + here. Saying Y here has a similar effect as modifying
61172 + /proc/sys/kernel/random/poolsize.
61173 +
61174 +config GRKERNSEC_BLACKHOLE
61175 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61176 + help
61177 + If you say Y here, neither TCP resets nor ICMP
61178 + destination-unreachable packets will be sent in response to packets
61179 + sent to ports for which no associated listening process exists.
61180 + This feature supports both IPV4 and IPV6 and exempts the
61181 + loopback interface from blackholing. Enabling this feature
61182 + makes a host more resilient to DoS attacks and reduces network
61183 + visibility against scanners.
61184 +
61185 + The blackhole feature as-implemented is equivalent to the FreeBSD
61186 + blackhole feature, as it prevents RST responses to all packets, not
61187 + just SYNs. Under most application behavior this causes no
61188 + problems, but applications (like haproxy) may not close certain
61189 + connections in a way that cleanly terminates them on the remote
61190 + end, leaving the remote host in LAST_ACK state. Because of this
61191 + side-effect and to prevent intentional LAST_ACK DoSes, this
61192 + feature also adds automatic mitigation against such attacks.
61193 + The mitigation drastically reduces the amount of time a socket
61194 + can spend in LAST_ACK state. If you're using haproxy and not
61195 + all servers it connects to have this option enabled, consider
61196 + disabling this feature on the haproxy host.
61197 +
61198 + If the sysctl option is enabled, two sysctl options with names
61199 + "ip_blackhole" and "lastack_retries" will be created.
61200 + While "ip_blackhole" takes the standard zero/non-zero on/off
61201 + toggle, "lastack_retries" uses the same kinds of values as
61202 + "tcp_retries1" and "tcp_retries2". The default value of 4
61203 + prevents a socket from lasting more than 45 seconds in LAST_ACK
61204 + state.
61205 +
61206 +config GRKERNSEC_SOCKET
61207 + bool "Socket restrictions"
61208 + help
61209 + If you say Y here, you will be able to choose from several options.
61210 + If you assign a GID on your system and add it to the supplementary
61211 + groups of users you want to restrict socket access to, this patch
61212 + will perform up to three things, based on the option(s) you choose.
61213 +
61214 +config GRKERNSEC_SOCKET_ALL
61215 + bool "Deny any sockets to group"
61216 + depends on GRKERNSEC_SOCKET
61217 + help
61218 + If you say Y here, you will be able to choose a GID of whose users will
61219 + be unable to connect to other hosts from your machine or run server
61220 + applications from your machine. If the sysctl option is enabled, a
61221 + sysctl option with name "socket_all" is created.
61222 +
61223 +config GRKERNSEC_SOCKET_ALL_GID
61224 + int "GID to deny all sockets for"
61225 + depends on GRKERNSEC_SOCKET_ALL
61226 + default 1004
61227 + help
61228 + Here you can choose the GID to disable socket access for. Remember to
61229 + add the users you want socket access disabled for to the GID
61230 + specified here. If the sysctl option is enabled, a sysctl option
61231 + with name "socket_all_gid" is created.
61232 +
61233 +config GRKERNSEC_SOCKET_CLIENT
61234 + bool "Deny client sockets to group"
61235 + depends on GRKERNSEC_SOCKET
61236 + help
61237 + If you say Y here, you will be able to choose a GID of whose users will
61238 + be unable to connect to other hosts from your machine, but will be
61239 + able to run servers. If this option is enabled, all users in the group
61240 + you specify will have to use passive mode when initiating ftp transfers
61241 + from the shell on your machine. If the sysctl option is enabled, a
61242 + sysctl option with name "socket_client" is created.
61243 +
61244 +config GRKERNSEC_SOCKET_CLIENT_GID
61245 + int "GID to deny client sockets for"
61246 + depends on GRKERNSEC_SOCKET_CLIENT
61247 + default 1003
61248 + help
61249 + Here you can choose the GID to disable client socket access for.
61250 + Remember to add the users you want client socket access disabled for to
61251 + the GID specified here. If the sysctl option is enabled, a sysctl
61252 + option with name "socket_client_gid" is created.
61253 +
61254 +config GRKERNSEC_SOCKET_SERVER
61255 + bool "Deny server sockets to group"
61256 + depends on GRKERNSEC_SOCKET
61257 + help
61258 + If you say Y here, you will be able to choose a GID of whose users will
61259 + be unable to run server applications from your machine. If the sysctl
61260 + option is enabled, a sysctl option with name "socket_server" is created.
61261 +
61262 +config GRKERNSEC_SOCKET_SERVER_GID
61263 + int "GID to deny server sockets for"
61264 + depends on GRKERNSEC_SOCKET_SERVER
61265 + default 1002
61266 + help
61267 + Here you can choose the GID to disable server socket access for.
61268 + Remember to add the users you want server socket access disabled for to
61269 + the GID specified here. If the sysctl option is enabled, a sysctl
61270 + option with name "socket_server_gid" is created.
61271 +
61272 +endmenu
61273 +menu "Sysctl support"
61274 +depends on GRKERNSEC && SYSCTL
61275 +
61276 +config GRKERNSEC_SYSCTL
61277 + bool "Sysctl support"
61278 + help
61279 + If you say Y here, you will be able to change the options that
61280 + grsecurity runs with at bootup, without having to recompile your
61281 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
61282 + to enable (1) or disable (0) various features. All the sysctl entries
61283 + are mutable until the "grsec_lock" entry is set to a non-zero value.
61284 + All features enabled in the kernel configuration are disabled at boot
61285 + if you do not say Y to the "Turn on features by default" option.
61286 + All options should be set at startup, and the grsec_lock entry should
61287 + be set to a non-zero value after all the options are set.
61288 + *THIS IS EXTREMELY IMPORTANT*
61289 +
61290 +config GRKERNSEC_SYSCTL_DISTRO
61291 + bool "Extra sysctl support for distro makers (READ HELP)"
61292 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
61293 + help
61294 + If you say Y here, additional sysctl options will be created
61295 + for features that affect processes running as root. Therefore,
61296 + it is critical when using this option that the grsec_lock entry be
61297 + enabled after boot. Only distros with prebuilt kernel packages
61298 + with this option enabled that can ensure grsec_lock is enabled
61299 + after boot should use this option.
61300 + *Failure to set grsec_lock after boot makes all grsec features
61301 + this option covers useless*
61302 +
61303 + Currently this option creates the following sysctl entries:
61304 + "Disable Privileged I/O": "disable_priv_io"
61305 +
61306 +config GRKERNSEC_SYSCTL_ON
61307 + bool "Turn on features by default"
61308 + depends on GRKERNSEC_SYSCTL
61309 + help
61310 + If you say Y here, instead of having all features enabled in the
61311 + kernel configuration disabled at boot time, the features will be
61312 + enabled at boot time. It is recommended you say Y here unless
61313 + there is some reason you would want all sysctl-tunable features to
61314 + be disabled by default. As mentioned elsewhere, it is important
61315 + to enable the grsec_lock entry once you have finished modifying
61316 + the sysctl entries.
61317 +
61318 +endmenu
61319 +menu "Logging Options"
61320 +depends on GRKERNSEC
61321 +
61322 +config GRKERNSEC_FLOODTIME
61323 + int "Seconds in between log messages (minimum)"
61324 + default 10
61325 + help
61326 + This option allows you to enforce the number of seconds between
61327 + grsecurity log messages. The default should be suitable for most
61328 + people, however, if you choose to change it, choose a value small enough
61329 + to allow informative logs to be produced, but large enough to
61330 + prevent flooding.
61331 +
61332 +config GRKERNSEC_FLOODBURST
61333 + int "Number of messages in a burst (maximum)"
61334 + default 4
61335 + help
61336 + This option allows you to choose the maximum number of messages allowed
61337 + within the flood time interval you chose in a separate option. The
61338 + default should be suitable for most people, however if you find that
61339 + many of your logs are being interpreted as flooding, you may want to
61340 + raise this value.
61341 +
61342 +endmenu
61343 +
61344 +endmenu
61345 diff -urNp linux-2.6.39.3/grsecurity/Makefile linux-2.6.39.3/grsecurity/Makefile
61346 --- linux-2.6.39.3/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
61347 +++ linux-2.6.39.3/grsecurity/Makefile 2011-05-24 20:26:54.000000000 -0400
61348 @@ -0,0 +1,33 @@
61349 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
61350 +# during 2001-2009 it has been completely redesigned by Brad Spengler
61351 +# into an RBAC system
61352 +#
61353 +# All code in this directory and various hooks inserted throughout the kernel
61354 +# are copyright Brad Spengler - Open Source Security, Inc., and released
61355 +# under the GPL v2 or higher
61356 +
61357 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
61358 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
61359 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
61360 +
61361 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
61362 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
61363 + gracl_learn.o grsec_log.o
61364 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
61365 +
61366 +ifdef CONFIG_NET
61367 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
61368 +endif
61369 +
61370 +ifndef CONFIG_GRKERNSEC
61371 +obj-y += grsec_disabled.o
61372 +endif
61373 +
61374 +ifdef CONFIG_GRKERNSEC_HIDESYM
61375 +extra-y := grsec_hidesym.o
61376 +$(obj)/grsec_hidesym.o:
61377 + @-chmod -f 500 /boot
61378 + @-chmod -f 500 /lib/modules
61379 + @-chmod -f 700 .
61380 + @echo ' grsec: protected kernel image paths'
61381 +endif
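Review bot: The `$(obj)/grsec_hidesym.o` rule changes permissions on `/boot`, `/lib/modules` and the current directory of the machine running the build, a side effect outside the source tree that has nothing to do with producing an object. The `@-` prefix and `-f` hide both the commands and any failure, so a non-root or cross build still prints "protected kernel image paths" although nothing was restricted, and the machine that will actually run the kernel is never touched. The recipe also never creates `grsec_hidesym.o`, so it appears to rerun on every build. I would move the permission change to install or packaging instructions, or at least report the real outcome, e.g. `@chmod -f 500 /boot && echo ' grsec: restricted /boot' || echo ' grsec: could not restrict /boot'`.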
61382 diff -urNp linux-2.6.39.3/include/acpi/acpi_drivers.h linux-2.6.39.3/include/acpi/acpi_drivers.h
61383 --- linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-19 00:06:34.000000000 -0400
61384 +++ linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-22 19:36:32.000000000 -0400
61385 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
61386 Dock Station
61387 -------------------------------------------------------------------------- */
61388 struct acpi_dock_ops {
61389 - acpi_notify_handler handler;
61390 - acpi_notify_handler uevent;
61391 + const acpi_notify_handler handler;
61392 + const acpi_notify_handler uevent;
61393 };
61394
61395 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
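Review bot: The `const` is put on the members of `struct acpi_dock_ops` rather than on the objects, which turns any runtime assignment to `handler` or `uevent` into a compile error but, as far as I can tell, does not by itself place a non-const instance in read-only data. The two prototype hunks that follow already accept `const struct acpi_dock_ops *ops`, so every instance can be declared `const`, and that is the part that makes the function pointers immutable at run time. I would say which of the two is relied on in a comment above the struct, e.g. `/* instances must be defined const; members are const so they cannot be patched after initialisation */`.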
61396 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
61397 extern int register_dock_notifier(struct notifier_block *nb);
61398 extern void unregister_dock_notifier(struct notifier_block *nb);
61399 extern int register_hotplug_dock_device(acpi_handle handle,
61400 - struct acpi_dock_ops *ops,
61401 + const struct acpi_dock_ops *ops,
61402 void *context);
61403 extern void unregister_hotplug_dock_device(acpi_handle handle);
61404 #else
61405 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61406 {
61407 }
61408 static inline int register_hotplug_dock_device(acpi_handle handle,
61409 - struct acpi_dock_ops *ops,
61410 + const struct acpi_dock_ops *ops,
61411 void *context)
61412 {
61413 return -ENODEV;
61414 diff -urNp linux-2.6.39.3/include/acpi/processor.h linux-2.6.39.3/include/acpi/processor.h
61415 --- linux-2.6.39.3/include/acpi/processor.h 2011-05-19 00:06:34.000000000 -0400
61416 +++ linux-2.6.39.3/include/acpi/processor.h 2011-05-22 19:36:32.000000000 -0400
61417 @@ -344,7 +344,7 @@ extern struct cpuidle_driver acpi_idle_d
61418
61419 /* in processor_thermal.c */
61420 int acpi_processor_get_limit_info(struct acpi_processor *pr);
61421 -extern struct thermal_cooling_device_ops processor_cooling_ops;
61422 +extern const struct thermal_cooling_device_ops processor_cooling_ops;
61423 #ifdef CONFIG_CPU_FREQ
61424 void acpi_thermal_cpufreq_init(void);
61425 void acpi_thermal_cpufreq_exit(void);
61426 diff -urNp linux-2.6.39.3/include/asm-generic/atomic-long.h linux-2.6.39.3/include/asm-generic/atomic-long.h
61427 --- linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-19 00:06:34.000000000 -0400
61428 +++ linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-22 19:36:32.000000000 -0400
61429 @@ -22,6 +22,12 @@
61430
61431 typedef atomic64_t atomic_long_t;
61432
61433 +#ifdef CONFIG_PAX_REFCOUNT
61434 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
61435 +#else
61436 +typedef atomic64_t atomic_long_unchecked_t;
61437 +#endif
61438 +
61439 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61440
61441 static inline long atomic_long_read(atomic_long_t *l)
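Review bot: `atomic_long_unchecked_t` is introduced here, and again for the 32-bit branch in the `@@ -140,6 +209,12 @@` hunk, with no comment saying when a counter may use it. The `_unchecked` types appear to opt a counter out of the CONFIG_PAX_REFCOUNT overflow detection, so every use is a security decision and the typedef is where a reader will look for the rule. I would add a comment above the `#ifdef`, such as `/* unchecked: allowed to wrap; for statistics and sequence counters only, never for object reference counts */`. The same applies to the `_unchecked` wrapper functions added in the following hunks of this file.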
61442 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61443 return (long)atomic64_read(v);
61444 }
61445
61446 +#ifdef CONFIG_PAX_REFCOUNT
61447 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61448 +{
61449 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61450 +
61451 + return (long)atomic64_read_unchecked(v);
61452 +}
61453 +#endif
61454 +
61455 static inline void atomic_long_set(atomic_long_t *l, long i)
61456 {
61457 atomic64_t *v = (atomic64_t *)l;
61458 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61459 atomic64_set(v, i);
61460 }
61461
61462 +#ifdef CONFIG_PAX_REFCOUNT
61463 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61464 +{
61465 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61466 +
61467 + atomic64_set_unchecked(v, i);
61468 +}
61469 +#endif
61470 +
61471 static inline void atomic_long_inc(atomic_long_t *l)
61472 {
61473 atomic64_t *v = (atomic64_t *)l;
61474 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61475 atomic64_inc(v);
61476 }
61477
61478 +#ifdef CONFIG_PAX_REFCOUNT
61479 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61480 +{
61481 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61482 +
61483 + atomic64_inc_unchecked(v);
61484 +}
61485 +#endif
61486 +
61487 static inline void atomic_long_dec(atomic_long_t *l)
61488 {
61489 atomic64_t *v = (atomic64_t *)l;
61490 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61491 atomic64_dec(v);
61492 }
61493
61494 +#ifdef CONFIG_PAX_REFCOUNT
61495 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61496 +{
61497 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61498 +
61499 + atomic64_dec_unchecked(v);
61500 +}
61501 +#endif
61502 +
61503 static inline void atomic_long_add(long i, atomic_long_t *l)
61504 {
61505 atomic64_t *v = (atomic64_t *)l;
61506 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61507 atomic64_add(i, v);
61508 }
61509
61510 +#ifdef CONFIG_PAX_REFCOUNT
61511 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61512 +{
61513 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61514 +
61515 + atomic64_add_unchecked(i, v);
61516 +}
61517 +#endif
61518 +
61519 static inline void atomic_long_sub(long i, atomic_long_t *l)
61520 {
61521 atomic64_t *v = (atomic64_t *)l;
61522 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
61523 atomic64_sub(i, v);
61524 }
61525
61526 +#ifdef CONFIG_PAX_REFCOUNT
61527 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61528 +{
61529 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61530 +
61531 + atomic64_sub_unchecked(i, v);
61532 +}
61533 +#endif
61534 +
61535 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61536 {
61537 atomic64_t *v = (atomic64_t *)l;
61538 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
61539 return (long)atomic64_inc_return(v);
61540 }
61541
61542 +#ifdef CONFIG_PAX_REFCOUNT
61543 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61544 +{
61545 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61546 +
61547 + return (long)atomic64_inc_return_unchecked(v);
61548 +}
61549 +#endif
61550 +
61551 static inline long atomic_long_dec_return(atomic_long_t *l)
61552 {
61553 atomic64_t *v = (atomic64_t *)l;
61554 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
61555
61556 typedef atomic_t atomic_long_t;
61557
61558 +#ifdef CONFIG_PAX_REFCOUNT
61559 +typedef atomic_unchecked_t atomic_long_unchecked_t;
61560 +#else
61561 +typedef atomic_t atomic_long_unchecked_t;
61562 +#endif
61563 +
61564 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61565 static inline long atomic_long_read(atomic_long_t *l)
61566 {
61567 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
61568 return (long)atomic_read(v);
61569 }
61570
61571 +#ifdef CONFIG_PAX_REFCOUNT
61572 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61573 +{
61574 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61575 +
61576 + return (long)atomic_read_unchecked(v);
61577 +}
61578 +#endif
61579 +
61580 static inline void atomic_long_set(atomic_long_t *l, long i)
61581 {
61582 atomic_t *v = (atomic_t *)l;
61583 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
61584 atomic_set(v, i);
61585 }
61586
61587 +#ifdef CONFIG_PAX_REFCOUNT
61588 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61589 +{
61590 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61591 +
61592 + atomic_set_unchecked(v, i);
61593 +}
61594 +#endif
61595 +
61596 static inline void atomic_long_inc(atomic_long_t *l)
61597 {
61598 atomic_t *v = (atomic_t *)l;
61599 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
61600 atomic_inc(v);
61601 }
61602
61603 +#ifdef CONFIG_PAX_REFCOUNT
61604 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61605 +{
61606 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61607 +
61608 + atomic_inc_unchecked(v);
61609 +}
61610 +#endif
61611 +
61612 static inline void atomic_long_dec(atomic_long_t *l)
61613 {
61614 atomic_t *v = (atomic_t *)l;
61615 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
61616 atomic_dec(v);
61617 }
61618
61619 +#ifdef CONFIG_PAX_REFCOUNT
61620 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61621 +{
61622 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61623 +
61624 + atomic_dec_unchecked(v);
61625 +}
61626 +#endif
61627 +
61628 static inline void atomic_long_add(long i, atomic_long_t *l)
61629 {
61630 atomic_t *v = (atomic_t *)l;
61631 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
61632 atomic_add(i, v);
61633 }
61634
61635 +#ifdef CONFIG_PAX_REFCOUNT
61636 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61637 +{
61638 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61639 +
61640 + atomic_add_unchecked(i, v);
61641 +}
61642 +#endif
61643 +
61644 static inline void atomic_long_sub(long i, atomic_long_t *l)
61645 {
61646 atomic_t *v = (atomic_t *)l;
61647 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
61648 atomic_sub(i, v);
61649 }
61650
61651 +#ifdef CONFIG_PAX_REFCOUNT
61652 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61653 +{
61654 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61655 +
61656 + atomic_sub_unchecked(i, v);
61657 +}
61658 +#endif
61659 +
61660 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61661 {
61662 atomic_t *v = (atomic_t *)l;
61663 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
61664 return (long)atomic_inc_return(v);
61665 }
61666
61667 +#ifdef CONFIG_PAX_REFCOUNT
61668 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61669 +{
61670 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61671 +
61672 + return (long)atomic_inc_return_unchecked(v);
61673 +}
61674 +#endif
61675 +
61676 static inline long atomic_long_dec_return(atomic_long_t *l)
61677 {
61678 atomic_t *v = (atomic_t *)l;
61679 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
61680
61681 #endif /* BITS_PER_LONG == 64 */
61682
61683 +#ifdef CONFIG_PAX_REFCOUNT
61684 +static inline void pax_refcount_needs_these_functions(void)
61685 +{
61686 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
61687 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61688 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61689 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61690 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61691 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61692 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61693 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61694 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61695 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61696 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61697 +
61698 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61699 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61700 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61701 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
61702 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61703 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61704 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61705 +}
61706 +#else
61707 +#define atomic_read_unchecked(v) atomic_read(v)
61708 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61709 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61710 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61711 +#define atomic_inc_unchecked(v) atomic_inc(v)
61712 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61713 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61714 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61715 +#define atomic_dec_unchecked(v) atomic_dec(v)
61716 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61717 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61718 +
61719 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
61720 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61721 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61722 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
61723 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61724 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61725 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61726 +#endif
61727 +
61728 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
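Review bot: `pax_refcount_needs_these_functions()` passes a NULL pointer to every `*_unchecked` accessor, so it would fault if it were ever called, and nothing in the hunk says that it must not be. It looks like a compile-time check that the architecture provides the whole `_unchecked` API when CONFIG_PAX_REFCOUNT is set; a comment should say so, e.g. `/* never called: exists only so the build fails if an arch lacks one of these accessors */`. The function body and the `#else` macro list have to be kept in step by hand, which the same comment should mention.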
61729 diff -urNp linux-2.6.39.3/include/asm-generic/cache.h linux-2.6.39.3/include/asm-generic/cache.h
61730 --- linux-2.6.39.3/include/asm-generic/cache.h 2011-05-19 00:06:34.000000000 -0400
61731 +++ linux-2.6.39.3/include/asm-generic/cache.h 2011-07-06 20:00:13.000000000 -0400
61732 @@ -6,7 +6,7 @@
61733 * cache lines need to provide their own cache.h.
61734 */
61735
61736 -#define L1_CACHE_SHIFT 5
61737 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61738 +#define L1_CACHE_SHIFT 5UL
61739 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
61740
61741 #endif /* __ASM_GENERIC_CACHE_H */
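Review bot: The `UL` suffixes make both macros unusable from assembly and linker scripts, where integer suffixes are not accepted; if this header is reachable from a `.S` file (not visible here) the build breaks. The pgtable-nopmd.h change in this same patch uses `_AC(1,UL)` for that reason, and the shift count needs no suffix because the result type of `<<` comes from the left operand. I would keep `#define L1_CACHE_SHIFT 5` and write `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, including `<linux/const.h>` if it is not already pulled in.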
61742 diff -urNp linux-2.6.39.3/include/asm-generic/dma-mapping-common.h linux-2.6.39.3/include/asm-generic/dma-mapping-common.h
61743 --- linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-19 00:06:34.000000000 -0400
61744 +++ linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-22 19:36:32.000000000 -0400
61745 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61746 enum dma_data_direction dir,
61747 struct dma_attrs *attrs)
61748 {
61749 - struct dma_map_ops *ops = get_dma_ops(dev);
61750 + const struct dma_map_ops *ops = get_dma_ops(dev);
61751 dma_addr_t addr;
61752
61753 kmemcheck_mark_initialized(ptr, size);
61754 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61755 enum dma_data_direction dir,
61756 struct dma_attrs *attrs)
61757 {
61758 - struct dma_map_ops *ops = get_dma_ops(dev);
61759 + const struct dma_map_ops *ops = get_dma_ops(dev);
61760
61761 BUG_ON(!valid_dma_direction(dir));
61762 if (ops->unmap_page)
61763 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61764 int nents, enum dma_data_direction dir,
61765 struct dma_attrs *attrs)
61766 {
61767 - struct dma_map_ops *ops = get_dma_ops(dev);
61768 + const struct dma_map_ops *ops = get_dma_ops(dev);
61769 int i, ents;
61770 struct scatterlist *s;
61771
61772 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61773 int nents, enum dma_data_direction dir,
61774 struct dma_attrs *attrs)
61775 {
61776 - struct dma_map_ops *ops = get_dma_ops(dev);
61777 + const struct dma_map_ops *ops = get_dma_ops(dev);
61778
61779 BUG_ON(!valid_dma_direction(dir));
61780 debug_dma_unmap_sg(dev, sg, nents, dir);
61781 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61782 size_t offset, size_t size,
61783 enum dma_data_direction dir)
61784 {
61785 - struct dma_map_ops *ops = get_dma_ops(dev);
61786 + const struct dma_map_ops *ops = get_dma_ops(dev);
61787 dma_addr_t addr;
61788
61789 kmemcheck_mark_initialized(page_address(page) + offset, size);
61790 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61791 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61792 size_t size, enum dma_data_direction dir)
61793 {
61794 - struct dma_map_ops *ops = get_dma_ops(dev);
61795 + const struct dma_map_ops *ops = get_dma_ops(dev);
61796
61797 BUG_ON(!valid_dma_direction(dir));
61798 if (ops->unmap_page)
61799 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61800 size_t size,
61801 enum dma_data_direction dir)
61802 {
61803 - struct dma_map_ops *ops = get_dma_ops(dev);
61804 + const struct dma_map_ops *ops = get_dma_ops(dev);
61805
61806 BUG_ON(!valid_dma_direction(dir));
61807 if (ops->sync_single_for_cpu)
61808 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61809 dma_addr_t addr, size_t size,
61810 enum dma_data_direction dir)
61811 {
61812 - struct dma_map_ops *ops = get_dma_ops(dev);
61813 + const struct dma_map_ops *ops = get_dma_ops(dev);
61814
61815 BUG_ON(!valid_dma_direction(dir));
61816 if (ops->sync_single_for_device)
61817 @@ -139,7 +139,7 @@ static inline void
61818 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61819 int nelems, enum dma_data_direction dir)
61820 {
61821 - struct dma_map_ops *ops = get_dma_ops(dev);
61822 + const struct dma_map_ops *ops = get_dma_ops(dev);
61823
61824 BUG_ON(!valid_dma_direction(dir));
61825 if (ops->sync_sg_for_cpu)
61826 @@ -151,7 +151,7 @@ static inline void
61827 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61828 int nelems, enum dma_data_direction dir)
61829 {
61830 - struct dma_map_ops *ops = get_dma_ops(dev);
61831 + const struct dma_map_ops *ops = get_dma_ops(dev);
61832
61833 BUG_ON(!valid_dma_direction(dir));
61834 if (ops->sync_sg_for_device)
61835 diff -urNp linux-2.6.39.3/include/asm-generic/int-l64.h linux-2.6.39.3/include/asm-generic/int-l64.h
61836 --- linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-19 00:06:34.000000000 -0400
61837 +++ linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-22 19:36:32.000000000 -0400
61838 @@ -46,6 +46,8 @@ typedef unsigned int u32;
61839 typedef signed long s64;
61840 typedef unsigned long u64;
61841
61842 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61843 +
61844 #define S8_C(x) x
61845 #define U8_C(x) x ## U
61846 #define S16_C(x) x
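Review bot: `intoverflow_t` is added with no comment on what it is for or why it uses `mode(TI)`. From the name it is presumably a double-width type for overflow-checked size arithmetic; a one-line comment such as `/* wider than unsigned long, for overflow-checked size computations only */` would keep it from being used as a general 128-bit integer. `mode(TI)` is a GCC extension available only on 64-bit targets, and that assumption should be stated next to the typedef as well.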
61847 diff -urNp linux-2.6.39.3/include/asm-generic/int-ll64.h linux-2.6.39.3/include/asm-generic/int-ll64.h
61848 --- linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-19 00:06:34.000000000 -0400
61849 +++ linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-22 19:36:32.000000000 -0400
61850 @@ -51,6 +51,8 @@ typedef unsigned int u32;
61851 typedef signed long long s64;
61852 typedef unsigned long long u64;
61853
61854 +typedef unsigned long long intoverflow_t;
61855 +
61856 #define S8_C(x) x
61857 #define U8_C(x) x ## U
61858 #define S16_C(x) x
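Review bot: `intoverflow_t` is `unsigned long long` here but a 128-bit `mode(TI)` type in int-l64.h, so its width relative to `unsigned long` depends on which of the two headers the architecture includes. On a 64-bit architecture that uses int-ll64.h it would be exactly as wide as `unsigned long`, and a product of two sizes computed in it would wrap just like the unchecked one, unless an arch header overrides the typedef (not visible here). A build-time guard where the type is consumed would catch that case: `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long));`.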
61859 diff -urNp linux-2.6.39.3/include/asm-generic/kmap_types.h linux-2.6.39.3/include/asm-generic/kmap_types.h
61860 --- linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
61861 +++ linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-22 19:36:32.000000000 -0400
61862 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
61863 KMAP_D(17) KM_NMI,
61864 KMAP_D(18) KM_NMI_PTE,
61865 KMAP_D(19) KM_KDB,
61866 +KMAP_D(20) KM_CLEARPAGE,
61867 /*
61868 * Remember to update debug_kmap_atomic() when adding new kmap types!
61869 */
61870 -KMAP_D(20) KM_TYPE_NR
61871 +KMAP_D(21) KM_TYPE_NR
61872 };
61873
61874 #undef KMAP_D
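Review bot: `KM_CLEARPAGE` is added directly above the comment that asks for debug_kmap_atomic() to be updated whenever a kmap type is added, and no such update is visible in this hunk. If that function still exists in this tree it needs to know in which context the new slot is legal; if it does not, the comment is stale and worth removing rather than leaving it for the next reader. The new entry also says nothing about who uses it; a trailing comment naming the user and the context it runs in would help. The enum itself starts outside the hunk.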
61875 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable.h linux-2.6.39.3/include/asm-generic/pgtable.h
61876 --- linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-19 00:06:34.000000000 -0400
61877 +++ linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-22 19:36:32.000000000 -0400
61878 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
61879 #endif /* __HAVE_ARCH_PMD_WRITE */
61880 #endif
61881
61882 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61883 +static inline unsigned long pax_open_kernel(void) { return 0; }
61884 +#endif
61885 +
61886 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61887 +static inline unsigned long pax_close_kernel(void) { return 0; }
61888 +#endif
61889 +
61890 #endif /* !__ASSEMBLY__ */
61891
61892 #endif /* _ASM_GENERIC_PGTABLE_H */
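Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` fallbacks are no-ops that always return 0, and nothing in the hunk says so. On an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL`, code bracketed by the pair gets no write-protection toggle at all, so whatever it writes must already be writable there. I would add a comment above the first stub, e.g. `/* No-op fallback for architectures without write-protected kernel data */`, so that callers do not assume the bracket changes anything on every architecture.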
61893 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h
61894 --- linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-19 00:06:34.000000000 -0400
61895 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-22 19:36:32.000000000 -0400
61896 @@ -1,14 +1,19 @@
61897 #ifndef _PGTABLE_NOPMD_H
61898 #define _PGTABLE_NOPMD_H
61899
61900 -#ifndef __ASSEMBLY__
61901 -
61902 #include <asm-generic/pgtable-nopud.h>
61903
61904 -struct mm_struct;
61905 -
61906 #define __PAGETABLE_PMD_FOLDED
61907
61908 +#define PMD_SHIFT PUD_SHIFT
61909 +#define PTRS_PER_PMD 1
61910 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61911 +#define PMD_MASK (~(PMD_SIZE-1))
61912 +
61913 +#ifndef __ASSEMBLY__
61914 +
61915 +struct mm_struct;
61916 +
61917 /*
61918 * Having the pmd type consist of a pud gets the size right, and allows
61919 * us to conceptually access the pud entry that this pmd is folded into
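Review bot: `PMD_SIZE` now uses `_AC(1,UL)` so that the constants can sit outside `#ifndef __ASSEMBLY__`, but the hunk adds no include that provides `_AC`. The macro comes from `<linux/const.h>`; unless every includer has already pulled that in, the build breaks only where `PMD_SIZE` is first expanded, which makes the failure hard to trace. The pgtable-nopud.h hunk that follows has the same dependency for `PUD_SIZE`. Adding `#include <linux/const.h>` at the top of both headers would make them self-contained.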
61920 @@ -16,11 +21,6 @@ struct mm_struct;
61921 */
61922 typedef struct { pud_t pud; } pmd_t;
61923
61924 -#define PMD_SHIFT PUD_SHIFT
61925 -#define PTRS_PER_PMD 1
61926 -#define PMD_SIZE (1UL << PMD_SHIFT)
61927 -#define PMD_MASK (~(PMD_SIZE-1))
61928 -
61929 /*
61930 * The "pud_xxx()" functions here are trivial for a folded two-level
61931 * setup: the pmd is never bad, and a pmd always exists (as it's folded
61932 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopud.h linux-2.6.39.3/include/asm-generic/pgtable-nopud.h
61933 --- linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-19 00:06:34.000000000 -0400
61934 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-22 19:36:32.000000000 -0400
61935 @@ -1,10 +1,15 @@
61936 #ifndef _PGTABLE_NOPUD_H
61937 #define _PGTABLE_NOPUD_H
61938
61939 -#ifndef __ASSEMBLY__
61940 -
61941 #define __PAGETABLE_PUD_FOLDED
61942
61943 +#define PUD_SHIFT PGDIR_SHIFT
61944 +#define PTRS_PER_PUD 1
61945 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61946 +#define PUD_MASK (~(PUD_SIZE-1))
61947 +
61948 +#ifndef __ASSEMBLY__
61949 +
61950 /*
61951 * Having the pud type consist of a pgd gets the size right, and allows
61952 * us to conceptually access the pgd entry that this pud is folded into
61953 @@ -12,11 +17,6 @@
61954 */
61955 typedef struct { pgd_t pgd; } pud_t;
61956
61957 -#define PUD_SHIFT PGDIR_SHIFT
61958 -#define PTRS_PER_PUD 1
61959 -#define PUD_SIZE (1UL << PUD_SHIFT)
61960 -#define PUD_MASK (~(PUD_SIZE-1))
61961 -
61962 /*
61963 * The "pgd_xxx()" functions here are trivial for a folded two-level
61964 * setup: the pud is never bad, and a pud always exists (as it's folded
61965 diff -urNp linux-2.6.39.3/include/asm-generic/vmlinux.lds.h linux-2.6.39.3/include/asm-generic/vmlinux.lds.h
61966 --- linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-19 00:06:34.000000000 -0400
61967 +++ linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-22 19:36:32.000000000 -0400
61968 @@ -213,6 +213,7 @@
61969 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61970 VMLINUX_SYMBOL(__start_rodata) = .; \
61971 *(.rodata) *(.rodata.*) \
61972 + *(.data..read_only) \
61973 *(__vermagic) /* Kernel version magic */ \
61974 . = ALIGN(8); \
61975 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
61976 @@ -707,14 +708,15 @@
61977 * section in the linker script will go there too. @phdr should have
61978 * a leading colon.
61979 *
61980 - * Note that this macros defines __per_cpu_load as an absolute symbol.
61981 + * Note that this macros defines per_cpu_load as an absolute symbol.
61982 * If there is no need to put the percpu section at a predetermined
61983 * address, use PERCPU().
61984 */
61985 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
61986 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
61987 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
61988 + per_cpu_load = .; \
61989 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
61990 - LOAD_OFFSET) { \
61991 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
61992 VMLINUX_SYMBOL(__per_cpu_start) = .; \
61993 *(.data..percpu..first) \
61994 . = ALIGN(PAGE_SIZE); \
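Review bot: `per_cpu_load` is assigned as a bare symbol (`per_cpu_load = .;`) but read back through `VMLINUX_SYMBOL(per_cpu_load)` on the next line and again in the following hunk. The two spellings name the same symbol only when `VMLINUX_SYMBOL` adds no prefix; on a configuration where it does, the `AT()` expression would refer to a symbol that was never defined. Using one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`, avoids that. The macro body continues past this hunk.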
61995 @@ -726,7 +728,7 @@
61996 *(.data..percpu..shared_aligned) \
61997 VMLINUX_SYMBOL(__per_cpu_end) = .; \
61998 } phdr \
61999 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
62000 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
62001
62002 /**
62003 * PERCPU - define output section for percpu area, simple version
62004 diff -urNp linux-2.6.39.3/include/drm/drmP.h linux-2.6.39.3/include/drm/drmP.h
62005 --- linux-2.6.39.3/include/drm/drmP.h 2011-05-19 00:06:34.000000000 -0400
62006 +++ linux-2.6.39.3/include/drm/drmP.h 2011-05-22 19:41:42.000000000 -0400
62007 @@ -73,6 +73,7 @@
62008 #include <linux/workqueue.h>
62009 #include <linux/poll.h>
62010 #include <asm/pgalloc.h>
62011 +#include <asm/local.h>
62012 #include "drm.h"
62013
62014 #include <linux/idr.h>
62015 @@ -908,7 +909,7 @@ struct drm_driver {
62016 uint32_t handle);
62017
62018 /* Driver private ops for this object */
62019 - struct vm_operations_struct *gem_vm_ops;
62020 + const struct vm_operations_struct *gem_vm_ops;
62021
62022 int major;
62023 int minor;
62024 @@ -1023,7 +1024,7 @@ struct drm_device {
62025
62026 /** \name Usage Counters */
62027 /*@{ */
62028 - int open_count; /**< Outstanding files open */
62029 + local_t open_count; /**< Outstanding files open */
62030 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
62031 atomic_t vma_count; /**< Outstanding vma areas open */
62032 int buf_use; /**< Buffers in use -- cannot alloc */
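Review bot: `open_count` becomes a `local_t`, whose operations are atomic only with respect to the CPU they run on. The field lives in `struct drm_device`, which is presumably shared by openers running on any CPU, so whatever locking protected the plain `int` is still required and the type change does not replace it. A comment on the field stating which lock covers it, and why `local_t` was chosen rather than `atomic_t` (used for `ioctl_count` on the next line), would keep a later reader from treating the counter as SMP-safe in isolation. The struct continues outside the hunk.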
62033 @@ -1034,7 +1035,7 @@ struct drm_device {
62034 /*@{ */
62035 unsigned long counters;
62036 enum drm_stat_type types[15];
62037 - atomic_t counts[15];
62038 + atomic_unchecked_t counts[15];
62039 /*@} */
62040
62041 struct list_head filelist;
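Review bot: `counts[15]` is switched to `atomic_unchecked_t` with no comment recording why overflow checking is safe to drop for it. The unchecked type is presumably this patch's opt-out from its atomic overflow detection, which is only appropriate for counters that never gate an object's lifetime; the neighbouring `counters` and `types` fields suggest these are statistics. I would add `/* statistics only, wrap-around is harmless */` beside the field. The same applies to `__HANDLE_ITEM` in atmdev.h, `dropped` in blktrace_api.h and `fscache_op_debug_id` in fscache-cache.h later in this patch.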
62042 diff -urNp linux-2.6.39.3/include/linux/a.out.h linux-2.6.39.3/include/linux/a.out.h
62043 --- linux-2.6.39.3/include/linux/a.out.h 2011-05-19 00:06:34.000000000 -0400
62044 +++ linux-2.6.39.3/include/linux/a.out.h 2011-05-22 19:36:32.000000000 -0400
62045 @@ -39,6 +39,14 @@ enum machine_type {
62046 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
62047 };
62048
62049 +/* Constants for the N_FLAGS field */
62050 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62051 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
62052 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
62053 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
62054 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62055 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62056 +
62057 #if !defined (N_MAGIC)
62058 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
62059 #endif
62060 diff -urNp linux-2.6.39.3/include/linux/atmdev.h linux-2.6.39.3/include/linux/atmdev.h
62061 --- linux-2.6.39.3/include/linux/atmdev.h 2011-05-19 00:06:34.000000000 -0400
62062 +++ linux-2.6.39.3/include/linux/atmdev.h 2011-05-22 19:36:32.000000000 -0400
62063 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
62064 #endif
62065
62066 struct k_atm_aal_stats {
62067 -#define __HANDLE_ITEM(i) atomic_t i
62068 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
62069 __AAL_STAT_ITEMS
62070 #undef __HANDLE_ITEM
62071 };
62072 diff -urNp linux-2.6.39.3/include/linux/binfmts.h linux-2.6.39.3/include/linux/binfmts.h
62073 --- linux-2.6.39.3/include/linux/binfmts.h 2011-05-19 00:06:34.000000000 -0400
62074 +++ linux-2.6.39.3/include/linux/binfmts.h 2011-05-22 19:36:32.000000000 -0400
62075 @@ -92,6 +92,7 @@ struct linux_binfmt {
62076 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
62077 int (*load_shlib)(struct file *);
62078 int (*core_dump)(struct coredump_params *cprm);
62079 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
62080 unsigned long min_coredump; /* minimal dump size */
62081 };
62082
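Review bot: `handle_mprotect` is added to `struct linux_binfmt` without a comment on when it is called or whether it may be NULL. Existing binfmt definitions that use designated initialisers will leave the new member NULL, so the caller (not visible here) has to test the pointer before invoking it. A trailing comment such as `/* optional, may be NULL */`, plus a sentence on what the hook is expected to do with `newflags`, would document the contract.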
62083 diff -urNp linux-2.6.39.3/include/linux/blkdev.h linux-2.6.39.3/include/linux/blkdev.h
62084 --- linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:04:14.000000000 -0400
62085 +++ linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:32:08.000000000 -0400
62086 @@ -1292,22 +1292,22 @@ queue_max_integrity_segments(struct requ
62087 #endif /* CONFIG_BLK_DEV_INTEGRITY */
62088
62089 struct block_device_operations {
62090 - int (*open) (struct block_device *, fmode_t);
62091 - int (*release) (struct gendisk *, fmode_t);
62092 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62093 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62094 - int (*direct_access) (struct block_device *, sector_t,
62095 + int (* const open) (struct block_device *, fmode_t);
62096 + int (* const release) (struct gendisk *, fmode_t);
62097 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62098 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62099 + int (* const direct_access) (struct block_device *, sector_t,
62100 void **, unsigned long *);
62101 - unsigned int (*check_events) (struct gendisk *disk,
62102 + unsigned int (* const check_events) (struct gendisk *disk,
62103 unsigned int clearing);
62104 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
62105 - int (*media_changed) (struct gendisk *);
62106 - void (*unlock_native_capacity) (struct gendisk *);
62107 - int (*revalidate_disk) (struct gendisk *);
62108 - int (*getgeo)(struct block_device *, struct hd_geometry *);
62109 + int (* const media_changed) (struct gendisk *);
62110 + void (* const unlock_native_capacity) (struct gendisk *);
62111 + int (* const revalidate_disk) (struct gendisk *);
62112 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
62113 /* this callback is with swap_lock and sometimes page table lock held */
62114 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
62115 - struct module *owner;
62116 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
62117 + struct module * const owner;
62118 };
62119
62120 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
62121 diff -urNp linux-2.6.39.3/include/linux/blktrace_api.h linux-2.6.39.3/include/linux/blktrace_api.h
62122 --- linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-19 00:06:34.000000000 -0400
62123 +++ linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-22 19:36:32.000000000 -0400
62124 @@ -161,7 +161,7 @@ struct blk_trace {
62125 struct dentry *dir;
62126 struct dentry *dropped_file;
62127 struct dentry *msg_file;
62128 - atomic_t dropped;
62129 + atomic_unchecked_t dropped;
62130 };
62131
62132 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
62133 diff -urNp linux-2.6.39.3/include/linux/byteorder/little_endian.h linux-2.6.39.3/include/linux/byteorder/little_endian.h
62134 --- linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-19 00:06:34.000000000 -0400
62135 +++ linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-22 19:36:32.000000000 -0400
62136 @@ -42,51 +42,51 @@
62137
62138 static inline __le64 __cpu_to_le64p(const __u64 *p)
62139 {
62140 - return (__force __le64)*p;
62141 + return (__force const __le64)*p;
62142 }
62143 static inline __u64 __le64_to_cpup(const __le64 *p)
62144 {
62145 - return (__force __u64)*p;
62146 + return (__force const __u64)*p;
62147 }
62148 static inline __le32 __cpu_to_le32p(const __u32 *p)
62149 {
62150 - return (__force __le32)*p;
62151 + return (__force const __le32)*p;
62152 }
62153 static inline __u32 __le32_to_cpup(const __le32 *p)
62154 {
62155 - return (__force __u32)*p;
62156 + return (__force const __u32)*p;
62157 }
62158 static inline __le16 __cpu_to_le16p(const __u16 *p)
62159 {
62160 - return (__force __le16)*p;
62161 + return (__force const __le16)*p;
62162 }
62163 static inline __u16 __le16_to_cpup(const __le16 *p)
62164 {
62165 - return (__force __u16)*p;
62166 + return (__force const __u16)*p;
62167 }
62168 static inline __be64 __cpu_to_be64p(const __u64 *p)
62169 {
62170 - return (__force __be64)__swab64p(p);
62171 + return (__force const __be64)__swab64p(p);
62172 }
62173 static inline __u64 __be64_to_cpup(const __be64 *p)
62174 {
62175 - return __swab64p((__u64 *)p);
62176 + return __swab64p((const __u64 *)p);
62177 }
62178 static inline __be32 __cpu_to_be32p(const __u32 *p)
62179 {
62180 - return (__force __be32)__swab32p(p);
62181 + return (__force const __be32)__swab32p(p);
62182 }
62183 static inline __u32 __be32_to_cpup(const __be32 *p)
62184 {
62185 - return __swab32p((__u32 *)p);
62186 + return __swab32p((const __u32 *)p);
62187 }
62188 static inline __be16 __cpu_to_be16p(const __u16 *p)
62189 {
62190 - return (__force __be16)__swab16p(p);
62191 + return (__force const __be16)__swab16p(p);
62192 }
62193 static inline __u16 __be16_to_cpup(const __be16 *p)
62194 {
62195 - return __swab16p((__u16 *)p);
62196 + return __swab16p((const __u16 *)p);
62197 }
62198 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
62199 #define __le64_to_cpus(x) do { (void)(x); } while (0)
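Review bot: The `const` added to the value casts, as in `(__force const __le64)*p`, has no effect for the compiler, because a cast to a non-pointer type yields an rvalue and qualifiers on it are discarded. Only the three pointer casts in the `__beNN_to_cpup` helpers, e.g. `__swab64p((const __u64 *)p)`, change anything: they stop the cast from dropping the `const` of the parameter. I would keep those three and leave the value casts as they were, which shrinks the hunk and keeps the header closer to upstream.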
62200 diff -urNp linux-2.6.39.3/include/linux/cache.h linux-2.6.39.3/include/linux/cache.h
62201 --- linux-2.6.39.3/include/linux/cache.h 2011-05-19 00:06:34.000000000 -0400
62202 +++ linux-2.6.39.3/include/linux/cache.h 2011-05-22 19:36:32.000000000 -0400
62203 @@ -16,6 +16,10 @@
62204 #define __read_mostly
62205 #endif
62206
62207 +#ifndef __read_only
62208 +#define __read_only __read_mostly
62209 +#endif
62210 +
62211 #ifndef ____cacheline_aligned
62212 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
62213 #endif
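Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture without its own `__read_only`, data tagged with it stays in an ordinary writable section. Nothing in the hunk warns about this, so a reader may assume the annotation always gives write protection. A comment above the define, such as `/* fallback: no write protection, same placement as __read_mostly */`, would make the downgrade visible.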
62214 diff -urNp linux-2.6.39.3/include/linux/capability.h linux-2.6.39.3/include/linux/capability.h
62215 --- linux-2.6.39.3/include/linux/capability.h 2011-05-19 00:06:34.000000000 -0400
62216 +++ linux-2.6.39.3/include/linux/capability.h 2011-05-22 21:02:47.000000000 -0400
62217 @@ -547,6 +547,9 @@ extern bool capable(int cap);
62218 extern bool ns_capable(struct user_namespace *ns, int cap);
62219 extern bool task_ns_capable(struct task_struct *t, int cap);
62220 extern bool nsown_capable(int cap);
62221 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
62222 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
62223 +extern bool capable_nolog(int cap);
62224
62225 /* audit system wants to get cap info from files as well */
62226 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
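Review bot: The three `_nolog` declarations are added without any comment on how they differ from `capable()`, `ns_capable()` and `task_ns_capable()` above them. Judging by the name they perform the same check without emitting a log entry; that is an inference, since the definitions are outside this hunk. If it is right, the header should say when skipping the log is acceptable, because a capability check that leaves no record is easy to misuse. For example: `/* as capable(), but a denial is not logged; for probing checks only */`.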
62227 diff -urNp linux-2.6.39.3/include/linux/compiler-gcc4.h linux-2.6.39.3/include/linux/compiler-gcc4.h
62228 --- linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-19 00:06:34.000000000 -0400
62229 +++ linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-22 19:36:32.000000000 -0400
62230 @@ -46,6 +46,11 @@
62231 #define __noclone __attribute__((__noclone__))
62232
62233 #endif
62234 +
62235 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
62236 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
62237 +#define __bos0(ptr) __bos((ptr), 0)
62238 +#define __bos1(ptr) __bos((ptr), 1)
62239 #endif
62240
62241 #if __GNUC_MINOR__ > 0
62242 diff -urNp linux-2.6.39.3/include/linux/compiler.h linux-2.6.39.3/include/linux/compiler.h
62243 --- linux-2.6.39.3/include/linux/compiler.h 2011-05-19 00:06:34.000000000 -0400
62244 +++ linux-2.6.39.3/include/linux/compiler.h 2011-05-22 19:36:32.000000000 -0400
62245 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
62246 #define __cold
62247 #endif
62248
62249 +#ifndef __alloc_size
62250 +#define __alloc_size
62251 +#endif
62252 +
62253 +#ifndef __bos
62254 +#define __bos
62255 +#endif
62256 +
62257 +#ifndef __bos0
62258 +#define __bos0
62259 +#endif
62260 +
62261 +#ifndef __bos1
62262 +#define __bos1
62263 +#endif
62264 +
62265 /* Simple shorthand for a section definition */
62266 #ifndef __section
62267 # define __section(S) __attribute__ ((__section__(#S)))
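Review bot: The fallbacks are object-like macros (`#define __bos0`), but the compiler-gcc4.h definitions in this patch are function-like, so with a compiler that lacks them the arguments are left behind in the source. `__alloc_size(1)` on a declaration would expand to a stray `(1)`, and `__bos0(ptr)` would evaluate to `(ptr)` itself rather than to a size, which silently defeats any bounds check built on it. The fallbacks should take the same parameters, e.g. `#define __alloc_size(...)` and `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0` and `__bos1` defined in terms of `__bos`. `(size_t)-1` is what `__builtin_object_size` reports for modes 0 and 1 when the size is unknown.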
62268 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
62269 * use is to mediate communication between process-level code and irq/NMI
62270 * handlers, all running on the same CPU.
62271 */
62272 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
62273 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
62274 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
62275
62276 #endif /* __LINUX_COMPILER_H */
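Review bot: `ACCESS_ONCE()` now yields a const lvalue and `ACCESS_ONCE_RW()` is introduced for writes, but the comment block above them (it starts outside this hunk) still describes a single macro. Code that keeps writing through `ACCESS_ONCE(x)` gets a compile error about a read-only location with no hint of the replacement. I would add a sentence to the comment: `ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for a store or a read-modify-write.` The cpuset.h hunk later in this patch shows such a conversion.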
62277 diff -urNp linux-2.6.39.3/include/linux/concap.h linux-2.6.39.3/include/linux/concap.h
62278 --- linux-2.6.39.3/include/linux/concap.h 2011-05-19 00:06:34.000000000 -0400
62279 +++ linux-2.6.39.3/include/linux/concap.h 2011-05-22 19:36:32.000000000 -0400
62280 @@ -30,7 +30,7 @@ struct concap_device_ops;
62281 struct concap_proto{
62282 struct net_device *net_dev; /* net device using our service */
62283 struct concap_device_ops *dops; /* callbacks provided by device */
62284 - struct concap_proto_ops *pops; /* callbacks provided by us */
62285 + const struct concap_proto_ops *pops; /* callbacks provided by us */
62286 spinlock_t lock;
62287 int flags;
62288 void *proto_data; /* protocol specific private data, to
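Review bot: Only `pops` is made `const` here, while `dops` on the line above remains a writable pointer to its ops table; the configfs.h hunk does the same, converting `ct_group_ops` but not `ct_item_ops`. If the unconverted tables are left alone because some user modifies them at run time, a comment saying so would help. Otherwise the sibling pointers can be converted too, e.g. `const struct concap_device_ops *dops;`. The ops struct definitions and their users are outside these hunks, so I cannot tell which case applies.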
62289 diff -urNp linux-2.6.39.3/include/linux/configfs.h linux-2.6.39.3/include/linux/configfs.h
62290 --- linux-2.6.39.3/include/linux/configfs.h 2011-05-19 00:06:34.000000000 -0400
62291 +++ linux-2.6.39.3/include/linux/configfs.h 2011-05-22 19:36:32.000000000 -0400
62292 @@ -82,7 +82,7 @@ extern void config_item_put(struct confi
62293 struct config_item_type {
62294 struct module *ct_owner;
62295 struct configfs_item_operations *ct_item_ops;
62296 - struct configfs_group_operations *ct_group_ops;
62297 + const struct configfs_group_operations *ct_group_ops;
62298 struct configfs_attribute **ct_attrs;
62299 };
62300
62301 diff -urNp linux-2.6.39.3/include/linux/cpuset.h linux-2.6.39.3/include/linux/cpuset.h
62302 --- linux-2.6.39.3/include/linux/cpuset.h 2011-05-19 00:06:34.000000000 -0400
62303 +++ linux-2.6.39.3/include/linux/cpuset.h 2011-05-22 19:36:32.000000000 -0400
62304 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
62305 * nodemask.
62306 */
62307 smp_mb();
62308 - --ACCESS_ONCE(current->mems_allowed_change_disable);
62309 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
62310 }
62311
62312 static inline void set_mems_allowed(nodemask_t nodemask)
62313 diff -urNp linux-2.6.39.3/include/linux/dca.h linux-2.6.39.3/include/linux/dca.h
62314 --- linux-2.6.39.3/include/linux/dca.h 2011-05-19 00:06:34.000000000 -0400
62315 +++ linux-2.6.39.3/include/linux/dca.h 2011-05-22 19:36:32.000000000 -0400
62316 @@ -34,7 +34,7 @@ void dca_unregister_notify(struct notifi
62317
62318 struct dca_provider {
62319 struct list_head node;
62320 - struct dca_ops *ops;
62321 + const struct dca_ops *ops;
62322 struct device *cd;
62323 int id;
62324 };
62325 @@ -53,7 +53,7 @@ struct dca_ops {
62326 int (*dev_managed) (struct dca_provider *, struct device *);
62327 };
62328
62329 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size);
62330 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size);
62331 void free_dca_provider(struct dca_provider *dca);
62332 int register_dca_provider(struct dca_provider *dca, struct device *dev);
62333 void unregister_dca_provider(struct dca_provider *dca, struct device *dev);
62334 diff -urNp linux-2.6.39.3/include/linux/decompress/mm.h linux-2.6.39.3/include/linux/decompress/mm.h
62335 --- linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-19 00:06:34.000000000 -0400
62336 +++ linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-22 19:36:33.000000000 -0400
62337 @@ -77,7 +77,7 @@ static void free(void *where)
62338 * warnings when not needed (indeed large_malloc / large_free are not
62339 * needed by inflate */
62340
62341 -#define malloc(a) kmalloc(a, GFP_KERNEL)
62342 +#define malloc(a) kmalloc((a), GFP_KERNEL)
62343 #define free(a) kfree(a)
62344
62345 #define large_malloc(a) vmalloc(a)
62346 diff -urNp linux-2.6.39.3/include/linux/dma-mapping.h linux-2.6.39.3/include/linux/dma-mapping.h
62347 --- linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
62348 +++ linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-22 19:36:33.000000000 -0400
62349 @@ -16,40 +16,40 @@ enum dma_data_direction {
62350 };
62351
62352 struct dma_map_ops {
62353 - void* (*alloc_coherent)(struct device *dev, size_t size,
62354 + void* (* const alloc_coherent)(struct device *dev, size_t size,
62355 dma_addr_t *dma_handle, gfp_t gfp);
62356 - void (*free_coherent)(struct device *dev, size_t size,
62357 + void (* const free_coherent)(struct device *dev, size_t size,
62358 void *vaddr, dma_addr_t dma_handle);
62359 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
62360 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
62361 unsigned long offset, size_t size,
62362 enum dma_data_direction dir,
62363 struct dma_attrs *attrs);
62364 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
62365 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
62366 size_t size, enum dma_data_direction dir,
62367 struct dma_attrs *attrs);
62368 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
62369 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
62370 int nents, enum dma_data_direction dir,
62371 struct dma_attrs *attrs);
62372 - void (*unmap_sg)(struct device *dev,
62373 + void (* const unmap_sg)(struct device *dev,
62374 struct scatterlist *sg, int nents,
62375 enum dma_data_direction dir,
62376 struct dma_attrs *attrs);
62377 - void (*sync_single_for_cpu)(struct device *dev,
62378 + void (* const sync_single_for_cpu)(struct device *dev,
62379 dma_addr_t dma_handle, size_t size,
62380 enum dma_data_direction dir);
62381 - void (*sync_single_for_device)(struct device *dev,
62382 + void (* const sync_single_for_device)(struct device *dev,
62383 dma_addr_t dma_handle, size_t size,
62384 enum dma_data_direction dir);
62385 - void (*sync_sg_for_cpu)(struct device *dev,
62386 + void (* const sync_sg_for_cpu)(struct device *dev,
62387 struct scatterlist *sg, int nents,
62388 enum dma_data_direction dir);
62389 - void (*sync_sg_for_device)(struct device *dev,
62390 + void (* const sync_sg_for_device)(struct device *dev,
62391 struct scatterlist *sg, int nents,
62392 enum dma_data_direction dir);
62393 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
62394 - int (*dma_supported)(struct device *dev, u64 mask);
62395 - int (*set_dma_mask)(struct device *dev, u64 mask);
62396 - int is_phys;
62397 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
62398 + int (* const dma_supported)(struct device *dev, u64 mask);
62399 + int (* set_dma_mask)(struct device *dev, u64 mask);
62400 + const int is_phys;
62401 };
62402
62403 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
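Review bot: Every callback in `struct dma_map_ops` gains `* const` except `set_dma_mask`, which is written `int (* set_dma_mask)(...)` with the added space but no qualifier. If that is deliberate because some platform assigns the hook at run time, it leaves one writable function pointer in an otherwise immutable table and should carry a comment such as `/* not const: assigned at run time */` naming the user. If it is an oversight, `int (* const set_dma_mask)(struct device *dev, u64 mask);` matches the rest.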
62404 diff -urNp linux-2.6.39.3/include/linux/elf.h linux-2.6.39.3/include/linux/elf.h
62405 --- linux-2.6.39.3/include/linux/elf.h 2011-05-19 00:06:34.000000000 -0400
62406 +++ linux-2.6.39.3/include/linux/elf.h 2011-05-22 19:36:33.000000000 -0400
62407 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62408 #define PT_GNU_EH_FRAME 0x6474e550
62409
62410 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62411 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62412 +
62413 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62414 +
62415 +/* Constants for the e_flags field */
62416 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62417 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62418 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62419 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62420 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62421 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62422
62423 /*
62424 * Extended Numbering
62425 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
62426 #define DT_DEBUG 21
62427 #define DT_TEXTREL 22
62428 #define DT_JMPREL 23
62429 +#define DT_FLAGS 30
62430 + #define DF_TEXTREL 0x00000004
62431 #define DT_ENCODING 32
62432 #define OLD_DT_LOOS 0x60000000
62433 #define DT_LOOS 0x6000000d
62434 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
62435 #define PF_W 0x2
62436 #define PF_X 0x1
62437
62438 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62439 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62440 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62441 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62442 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62443 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62444 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62445 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62446 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62447 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62448 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62449 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62450 +
62451 typedef struct elf32_phdr{
62452 Elf32_Word p_type;
62453 Elf32_Off p_offset;
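Review bot: The `PF_*` additions come as enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), and the header does not say what a loader should do when both bits of a pair are set or when neither is. These flags are read from a program header in a file that may be untrusted, so the consumer (not visible here) needs a defined outcome for the contradictory and the empty case. A comment above the block stating the rule, for instance that a conflicting pair is rejected or falls back to the system default, would make the parser's behaviour reviewable. The commented-out `PF_RANDEXEC` bits 10 and 11 should be marked as reserved so they are not reused.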
62454 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
62455 #define EI_OSABI 7
62456 #define EI_PAD 8
62457
62458 +#define EI_PAX 14
62459 +
62460 #define ELFMAG0 0x7f /* EI_MAG */
62461 #define ELFMAG1 'E'
62462 #define ELFMAG2 'L'
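Review bot: `EI_PAX` is index 14 of `e_ident`, which lies in the padding region that starts at `EI_PAD` (8) just above it. Tools that regenerate or zero the padding bytes would silently drop whatever is stored there, and nothing here documents that the byte is being claimed. I would add a comment such as `/* e_ident[] index holding PaX flags; lies inside the EI_PAD padding */`. A note on how this byte relates to `PT_PAX_FLAGS`, added in the same file, would also help, because the header does not say which source takes precedence.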
62463 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
62464 #define elf_note elf32_note
62465 #define elf_addr_t Elf32_Off
62466 #define Elf_Half Elf32_Half
62467 +#define elf_dyn Elf32_Dyn
62468
62469 #else
62470
62471 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
62472 #define elf_note elf64_note
62473 #define elf_addr_t Elf64_Off
62474 #define Elf_Half Elf64_Half
62475 +#define elf_dyn Elf64_Dyn
62476
62477 #endif
62478
62479 diff -urNp linux-2.6.39.3/include/linux/enclosure.h linux-2.6.39.3/include/linux/enclosure.h
62480 --- linux-2.6.39.3/include/linux/enclosure.h 2011-05-19 00:06:34.000000000 -0400
62481 +++ linux-2.6.39.3/include/linux/enclosure.h 2011-05-22 19:36:33.000000000 -0400
62482 @@ -98,7 +98,7 @@ struct enclosure_device {
62483 void *scratch;
62484 struct list_head node;
62485 struct device edev;
62486 - struct enclosure_component_callbacks *cb;
62487 + const struct enclosure_component_callbacks *cb;
62488 int components;
62489 struct enclosure_component component[0];
62490 };
62491 diff -urNp linux-2.6.39.3/include/linux/fscache-cache.h linux-2.6.39.3/include/linux/fscache-cache.h
62492 --- linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-19 00:06:34.000000000 -0400
62493 +++ linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-22 19:36:33.000000000 -0400
62494 @@ -113,7 +113,7 @@ struct fscache_operation {
62495 #endif
62496 };
62497
62498 -extern atomic_t fscache_op_debug_id;
62499 +extern atomic_unchecked_t fscache_op_debug_id;
62500 extern void fscache_op_work_func(struct work_struct *work);
62501
62502 extern void fscache_enqueue_operation(struct fscache_operation *);
62503 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
62504 {
62505 INIT_WORK(&op->work, fscache_op_work_func);
62506 atomic_set(&op->usage, 1);
62507 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62508 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62509 op->processor = processor;
62510 op->release = release;
62511 INIT_LIST_HEAD(&op->pend_link);
62512 diff -urNp linux-2.6.39.3/include/linux/fs.h linux-2.6.39.3/include/linux/fs.h
62513 --- linux-2.6.39.3/include/linux/fs.h 2011-05-19 00:06:34.000000000 -0400
62514 +++ linux-2.6.39.3/include/linux/fs.h 2011-05-22 19:41:42.000000000 -0400
62515 @@ -108,6 +108,11 @@ struct inodes_stat_t {
62516 /* File was opened by fanotify and shouldn't generate fanotify events */
62517 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
62518
62519 +/* Hack for grsec so as not to require read permission simply to execute
62520 + * a binary
62521 + */
62522 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62523 +
62524 /*
62525 * The below are the various read and write types that we support. Some of
62526 * them include behavioral modifiers that send information down to the
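Review bot: `FMODE_GREXEC` is described only as a hack to avoid requiring read permission for execution, without saying who may set it. Because the flag relaxes a permission check, the comment should state that it is set only by kernel code on the exec path and must never be derived from user-supplied open flags; where it is set and tested is outside this hunk. It also takes the next bit after `FMODE_NONOTIFY`, so a note that 0x2000000 must be kept clear of upstream `fmode_t` additions would help when rebasing.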
62527 @@ -575,41 +580,41 @@ typedef int (*read_actor_t)(read_descrip
62528 unsigned long, unsigned long);
62529
62530 struct address_space_operations {
62531 - int (*writepage)(struct page *page, struct writeback_control *wbc);
62532 - int (*readpage)(struct file *, struct page *);
62533 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
62534 + int (* const readpage)(struct file *, struct page *);
62535
62536 /* Write back some dirty pages from this mapping. */
62537 - int (*writepages)(struct address_space *, struct writeback_control *);
62538 + int (* const writepages)(struct address_space *, struct writeback_control *);
62539
62540 /* Set a page dirty. Return true if this dirtied it */
62541 - int (*set_page_dirty)(struct page *page);
62542 + int (* const set_page_dirty)(struct page *page);
62543
62544 - int (*readpages)(struct file *filp, struct address_space *mapping,
62545 + int (* const readpages)(struct file *filp, struct address_space *mapping,
62546 struct list_head *pages, unsigned nr_pages);
62547
62548 - int (*write_begin)(struct file *, struct address_space *mapping,
62549 + int (* const write_begin)(struct file *, struct address_space *mapping,
62550 loff_t pos, unsigned len, unsigned flags,
62551 struct page **pagep, void **fsdata);
62552 - int (*write_end)(struct file *, struct address_space *mapping,
62553 + int (* const write_end)(struct file *, struct address_space *mapping,
62554 loff_t pos, unsigned len, unsigned copied,
62555 struct page *page, void *fsdata);
62556
62557 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62558 - sector_t (*bmap)(struct address_space *, sector_t);
62559 - void (*invalidatepage) (struct page *, unsigned long);
62560 - int (*releasepage) (struct page *, gfp_t);
62561 - void (*freepage)(struct page *);
62562 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62563 + sector_t (* const bmap)(struct address_space *, sector_t);
62564 + void (* const invalidatepage) (struct page *, unsigned long);
62565 + int (* const releasepage) (struct page *, gfp_t);
62566 + void (* const freepage)(struct page *);
62567 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62568 loff_t offset, unsigned long nr_segs);
62569 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62570 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62571 void **, unsigned long *);
62572 /* migrate the contents of a page to the specified target */
62573 - int (*migratepage) (struct address_space *,
62574 + int (* const migratepage) (struct address_space *,
62575 struct page *, struct page *);
62576 - int (*launder_page) (struct page *);
62577 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62578 + int (* const launder_page) (struct page *);
62579 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62580 unsigned long);
62581 - int (*error_remove_page)(struct address_space *, struct page *);
62582 + int (* const error_remove_page)(struct address_space *, struct page *);
62583 };
62584
62585 extern const struct address_space_operations empty_aops;
62586 @@ -1060,17 +1065,17 @@ static inline int file_check_writeable(s
62587 typedef struct files_struct *fl_owner_t;
62588
62589 struct file_lock_operations {
62590 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62591 - void (*fl_release_private)(struct file_lock *);
62592 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62593 + void (* const fl_release_private)(struct file_lock *);
62594 };
62595
62596 struct lock_manager_operations {
62597 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62598 - void (*fl_notify)(struct file_lock *); /* unblock callback */
62599 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62600 - void (*fl_release_private)(struct file_lock *);
62601 - void (*fl_break)(struct file_lock *);
62602 - int (*fl_change)(struct file_lock **, int);
62603 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62604 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
62605 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62606 + void (* const fl_release_private)(struct file_lock *);
62607 + void (* const fl_break)(struct file_lock *);
62608 + int (* const fl_change)(struct file_lock **, int);
62609 };
62610
62611 struct lock_manager {
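Review bot: The `* const` qualifiers added to the members of `file_lock_operations` and `lock_manager_operations` are not explained anywhere in the header, and the same applies to the `super_operations` hunk that follows. A const member blocks later assignment through the struct, but it does not by itself guarantee that an instance lands in read-only memory, so each table should still be defined `const` and filled with designated initializers. I would put a comment above each struct, for example `/* Method pointers are const: define instances as static const tables, never patch them at run time. */`. Any code outside these hunks that fills one of these tables field by field will stop compiling and has to be converted in the same patch.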
62612 @@ -1611,31 +1616,31 @@ extern ssize_t vfs_writev(struct file *,
62613 unsigned long, loff_t *);
62614
62615 struct super_operations {
62616 - struct inode *(*alloc_inode)(struct super_block *sb);
62617 - void (*destroy_inode)(struct inode *);
62618 + struct inode *(* const alloc_inode)(struct super_block *sb);
62619 + void (* const destroy_inode)(struct inode *);
62620
62621 - void (*dirty_inode) (struct inode *);
62622 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
62623 - int (*drop_inode) (struct inode *);
62624 - void (*evict_inode) (struct inode *);
62625 - void (*put_super) (struct super_block *);
62626 - void (*write_super) (struct super_block *);
62627 - int (*sync_fs)(struct super_block *sb, int wait);
62628 - int (*freeze_fs) (struct super_block *);
62629 - int (*unfreeze_fs) (struct super_block *);
62630 - int (*statfs) (struct dentry *, struct kstatfs *);
62631 - int (*remount_fs) (struct super_block *, int *, char *);
62632 - void (*umount_begin) (struct super_block *);
62633 -
62634 - int (*show_options)(struct seq_file *, struct vfsmount *);
62635 - int (*show_devname)(struct seq_file *, struct vfsmount *);
62636 - int (*show_path)(struct seq_file *, struct vfsmount *);
62637 - int (*show_stats)(struct seq_file *, struct vfsmount *);
62638 + void (* const dirty_inode) (struct inode *);
62639 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
62640 + int (* const drop_inode) (struct inode *);
62641 + void (* const evict_inode) (struct inode *);
62642 + void (* const put_super) (struct super_block *);
62643 + void (* const write_super) (struct super_block *);
62644 + int (* const sync_fs)(struct super_block *sb, int wait);
62645 + int (* const freeze_fs) (struct super_block *);
62646 + int (* const unfreeze_fs) (struct super_block *);
62647 + int (* const statfs) (struct dentry *, struct kstatfs *);
62648 + int (* const remount_fs) (struct super_block *, int *, char *);
62649 + void (* const umount_begin) (struct super_block *);
62650 +
62651 + int (* const show_options)(struct seq_file *, struct vfsmount *);
62652 + int (* const show_devname)(struct seq_file *, struct vfsmount *);
62653 + int (* const show_path)(struct seq_file *, struct vfsmount *);
62654 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
62655 #ifdef CONFIG_QUOTA
62656 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62657 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62658 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62659 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62660 #endif
62661 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62662 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62663 };
62664
62665 /*
62666 diff -urNp linux-2.6.39.3/include/linux/fs_struct.h linux-2.6.39.3/include/linux/fs_struct.h
62667 --- linux-2.6.39.3/include/linux/fs_struct.h 2011-05-19 00:06:34.000000000 -0400
62668 +++ linux-2.6.39.3/include/linux/fs_struct.h 2011-05-22 19:36:33.000000000 -0400
62669 @@ -6,7 +6,7 @@
62670 #include <linux/seqlock.h>
62671
62672 struct fs_struct {
62673 - int users;
62674 + atomic_t users;
62675 spinlock_t lock;
62676 seqcount_t seq;
62677 int umask;
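Review bot: `users` becomes an `atomic_t` while it still sits directly above `spinlock_t lock`, and nothing in the struct says whether the lock is still needed to change the count. Call sites are outside this hunk, so the intended rule cannot be read off here, and a later edit could easily reintroduce a plain read-modify-write or drop a lock that other fields still rely on. Once the rule is confirmed, I would record it on the field, for example `atomic_t users; /* use atomic_*() accessors; fs->lock still covers the fields below */`. `struct fs_struct` continues past the end of the hunk.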
62678 diff -urNp linux-2.6.39.3/include/linux/ftrace_event.h linux-2.6.39.3/include/linux/ftrace_event.h
62679 --- linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-19 00:06:34.000000000 -0400
62680 +++ linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-22 19:36:33.000000000 -0400
62681 @@ -235,7 +235,7 @@ extern int trace_define_field(struct ftr
62682 extern int trace_add_event_call(struct ftrace_event_call *call);
62683 extern void trace_remove_event_call(struct ftrace_event_call *call);
62684
62685 -#define is_signed_type(type) (((type)(-1)) < 0)
62686 +#define is_signed_type(type) (((type)(-1)) < (type)1)
62687
62688 int trace_set_clr_event(const char *system, const char *event, int set);
62689
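Review bot: The new `is_signed_type()` compares against `(type)1` instead of `0` without saying why, and the next person to tidy the macro is likely to change it back. The result is the same for every integer type. The rewritten form presumably exists so that an unsigned `type` no longer produces an always-false `< 0` comparison. A one-line comment above the macro would record that: `/* compare with (type)1, not 0, so unsigned types do not yield an always-false comparison */`.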
62690 diff -urNp linux-2.6.39.3/include/linux/ftrace.h linux-2.6.39.3/include/linux/ftrace.h
62691 --- linux-2.6.39.3/include/linux/ftrace.h 2011-05-19 00:06:34.000000000 -0400
62692 +++ linux-2.6.39.3/include/linux/ftrace.h 2011-05-22 19:36:33.000000000 -0400
62693 @@ -140,7 +140,7 @@ extern void
62694 unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
62695 void *data);
62696 extern void
62697 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops);
62698 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops);
62699 extern void unregister_ftrace_function_probe_all(char *glob);
62700
62701 extern int ftrace_text_reserved(void *start, void *end);
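Review bot: Only `unregister_ftrace_function_probe_func()` gains `const` on its `ops` parameter; `unregister_ftrace_function_probe()`, a few lines above it in the same hunk, still takes `struct ftrace_probe_ops *ops`. A caller that keeps its probe ops in a const table can therefore use one unregister call but not the other without a cast, and casting away const defeats the purpose of the table being read-only. If the definition allows it, the sibling should read `unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,` so the two prototypes agree. The matching definitions are outside this hunk.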
62702 diff -urNp linux-2.6.39.3/include/linux/genhd.h linux-2.6.39.3/include/linux/genhd.h
62703 --- linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:04:14.000000000 -0400
62704 +++ linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:32:08.000000000 -0400
62705 @@ -184,7 +184,7 @@ struct gendisk {
62706 struct kobject *slave_dir;
62707
62708 struct timer_rand_state *random;
62709 - atomic_t sync_io; /* RAID */
62710 + atomic_unchecked_t sync_io; /* RAID */
62711 struct disk_events *ev;
62712 #ifdef CONFIG_BLK_DEV_INTEGRITY
62713 struct blk_integrity *integrity;
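Review bot: `sync_io` switches from `atomic_t` to `atomic_unchecked_t`, but the only comment on the field is still `/* RAID */`. The unchecked type presumably marks a counter that is allowed to wrap rather than a reference count, and that is exactly what a reader needs to know before adding a new use of the field. I would extend the comment to `/* RAID; I/O accounting, may wrap, not a refcount */` after confirming that against the users of the field. `struct gendisk` starts and ends outside the hunk.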
62714 diff -urNp linux-2.6.39.3/include/linux/gracl.h linux-2.6.39.3/include/linux/gracl.h
62715 --- linux-2.6.39.3/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62716 +++ linux-2.6.39.3/include/linux/gracl.h 2011-05-22 19:41:42.000000000 -0400
62717 @@ -0,0 +1,317 @@
62718 +#ifndef GR_ACL_H
62719 +#define GR_ACL_H
62720 +
62721 +#include <linux/grdefs.h>
62722 +#include <linux/resource.h>
62723 +#include <linux/capability.h>
62724 +#include <linux/dcache.h>
62725 +#include <asm/resource.h>
62726 +
62727 +/* Major status information */
62728 +
62729 +#define GR_VERSION "grsecurity 2.2.2"
62730 +#define GRSECURITY_VERSION 0x2202
62731 +
62732 +enum {
62733 + GR_SHUTDOWN = 0,
62734 + GR_ENABLE = 1,
62735 + GR_SPROLE = 2,
62736 + GR_RELOAD = 3,
62737 + GR_SEGVMOD = 4,
62738 + GR_STATUS = 5,
62739 + GR_UNSPROLE = 6,
62740 + GR_PASSSET = 7,
62741 + GR_SPROLEPAM = 8,
62742 +};
62743 +
62744 +/* Password setup definitions
62745 + * kernel/grhash.c */
62746 +enum {
62747 + GR_PW_LEN = 128,
62748 + GR_SALT_LEN = 16,
62749 + GR_SHA_LEN = 32,
62750 +};
62751 +
62752 +enum {
62753 + GR_SPROLE_LEN = 64,
62754 +};
62755 +
62756 +enum {
62757 + GR_NO_GLOB = 0,
62758 + GR_REG_GLOB,
62759 + GR_CREATE_GLOB
62760 +};
62761 +
62762 +#define GR_NLIMITS 32
62763 +
62764 +/* Begin Data Structures */
62765 +
62766 +struct sprole_pw {
62767 + unsigned char *rolename;
62768 + unsigned char salt[GR_SALT_LEN];
62769 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62770 +};
62771 +
62772 +struct name_entry {
62773 + __u32 key;
62774 + ino_t inode;
62775 + dev_t device;
62776 + char *name;
62777 + __u16 len;
62778 + __u8 deleted;
62779 + struct name_entry *prev;
62780 + struct name_entry *next;
62781 +};
62782 +
62783 +struct inodev_entry {
62784 + struct name_entry *nentry;
62785 + struct inodev_entry *prev;
62786 + struct inodev_entry *next;
62787 +};
62788 +
62789 +struct acl_role_db {
62790 + struct acl_role_label **r_hash;
62791 + __u32 r_size;
62792 +};
62793 +
62794 +struct inodev_db {
62795 + struct inodev_entry **i_hash;
62796 + __u32 i_size;
62797 +};
62798 +
62799 +struct name_db {
62800 + struct name_entry **n_hash;
62801 + __u32 n_size;
62802 +};
62803 +
62804 +struct crash_uid {
62805 + uid_t uid;
62806 + unsigned long expires;
62807 +};
62808 +
62809 +struct gr_hash_struct {
62810 + void **table;
62811 + void **nametable;
62812 + void *first;
62813 + __u32 table_size;
62814 + __u32 used_size;
62815 + int type;
62816 +};
62817 +
62818 +/* Userspace Grsecurity ACL data structures */
62819 +
62820 +struct acl_subject_label {
62821 + char *filename;
62822 + ino_t inode;
62823 + dev_t device;
62824 + __u32 mode;
62825 + kernel_cap_t cap_mask;
62826 + kernel_cap_t cap_lower;
62827 + kernel_cap_t cap_invert_audit;
62828 +
62829 + struct rlimit res[GR_NLIMITS];
62830 + __u32 resmask;
62831 +
62832 + __u8 user_trans_type;
62833 + __u8 group_trans_type;
62834 + uid_t *user_transitions;
62835 + gid_t *group_transitions;
62836 + __u16 user_trans_num;
62837 + __u16 group_trans_num;
62838 +
62839 + __u32 sock_families[2];
62840 + __u32 ip_proto[8];
62841 + __u32 ip_type;
62842 + struct acl_ip_label **ips;
62843 + __u32 ip_num;
62844 + __u32 inaddr_any_override;
62845 +
62846 + __u32 crashes;
62847 + unsigned long expires;
62848 +
62849 + struct acl_subject_label *parent_subject;
62850 + struct gr_hash_struct *hash;
62851 + struct acl_subject_label *prev;
62852 + struct acl_subject_label *next;
62853 +
62854 + struct acl_object_label **obj_hash;
62855 + __u32 obj_hash_size;
62856 + __u16 pax_flags;
62857 +};
62858 +
62859 +struct role_allowed_ip {
62860 + __u32 addr;
62861 + __u32 netmask;
62862 +
62863 + struct role_allowed_ip *prev;
62864 + struct role_allowed_ip *next;
62865 +};
62866 +
62867 +struct role_transition {
62868 + char *rolename;
62869 +
62870 + struct role_transition *prev;
62871 + struct role_transition *next;
62872 +};
62873 +
62874 +struct acl_role_label {
62875 + char *rolename;
62876 + uid_t uidgid;
62877 + __u16 roletype;
62878 +
62879 + __u16 auth_attempts;
62880 + unsigned long expires;
62881 +
62882 + struct acl_subject_label *root_label;
62883 + struct gr_hash_struct *hash;
62884 +
62885 + struct acl_role_label *prev;
62886 + struct acl_role_label *next;
62887 +
62888 + struct role_transition *transitions;
62889 + struct role_allowed_ip *allowed_ips;
62890 + uid_t *domain_children;
62891 + __u16 domain_child_num;
62892 +
62893 + struct acl_subject_label **subj_hash;
62894 + __u32 subj_hash_size;
62895 +};
62896 +
62897 +struct user_acl_role_db {
62898 + struct acl_role_label **r_table;
62899 + __u32 num_pointers; /* Number of allocations to track */
62900 + __u32 num_roles; /* Number of roles */
62901 + __u32 num_domain_children; /* Number of domain children */
62902 + __u32 num_subjects; /* Number of subjects */
62903 + __u32 num_objects; /* Number of objects */
62904 +};
62905 +
62906 +struct acl_object_label {
62907 + char *filename;
62908 + ino_t inode;
62909 + dev_t device;
62910 + __u32 mode;
62911 +
62912 + struct acl_subject_label *nested;
62913 + struct acl_object_label *globbed;
62914 +
62915 + /* next two structures not used */
62916 +
62917 + struct acl_object_label *prev;
62918 + struct acl_object_label *next;
62919 +};
62920 +
62921 +struct acl_ip_label {
62922 + char *iface;
62923 + __u32 addr;
62924 + __u32 netmask;
62925 + __u16 low, high;
62926 + __u8 mode;
62927 + __u32 type;
62928 + __u32 proto[8];
62929 +
62930 + /* next two structures not used */
62931 +
62932 + struct acl_ip_label *prev;
62933 + struct acl_ip_label *next;
62934 +};
62935 +
62936 +struct gr_arg {
62937 + struct user_acl_role_db role_db;
62938 + unsigned char pw[GR_PW_LEN];
62939 + unsigned char salt[GR_SALT_LEN];
62940 + unsigned char sum[GR_SHA_LEN];
62941 + unsigned char sp_role[GR_SPROLE_LEN];
62942 + struct sprole_pw *sprole_pws;
62943 + dev_t segv_device;
62944 + ino_t segv_inode;
62945 + uid_t segv_uid;
62946 + __u16 num_sprole_pws;
62947 + __u16 mode;
62948 +};
62949 +
62950 +struct gr_arg_wrapper {
62951 + struct gr_arg *arg;
62952 + __u32 version;
62953 + __u32 size;
62954 +};
62955 +
62956 +struct subject_map {
62957 + struct acl_subject_label *user;
62958 + struct acl_subject_label *kernel;
62959 + struct subject_map *prev;
62960 + struct subject_map *next;
62961 +};
62962 +
62963 +struct acl_subj_map_db {
62964 + struct subject_map **s_hash;
62965 + __u32 s_size;
62966 +};
62967 +
62968 +/* End Data Structures Section */
62969 +
62970 +/* Hash functions generated by empirical testing by Brad Spengler
62971 + Makes good use of the low bits of the inode. Generally 0-1 times
62972 + in loop for successful match. 0-3 for unsuccessful match.
62973 + Shift/add algorithm with modulus of table size and an XOR*/
62974 +
62975 +static __inline__ unsigned int
62976 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
62977 +{
62978 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
62979 +}
62980 +
62981 + static __inline__ unsigned int
62982 +shash(const struct acl_subject_label *userp, const unsigned int sz)
62983 +{
62984 + return ((const unsigned long)userp % sz);
62985 +}
62986 +
62987 +static __inline__ unsigned int
62988 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
62989 +{
62990 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
62991 +}
62992 +
62993 +static __inline__ unsigned int
62994 +nhash(const char *name, const __u16 len, const unsigned int sz)
62995 +{
62996 + return full_name_hash((const unsigned char *)name, len) % sz;
62997 +}
62998 +
62999 +#define FOR_EACH_ROLE_START(role) \
63000 + role = role_list; \
63001 + while (role) {
63002 +
63003 +#define FOR_EACH_ROLE_END(role) \
63004 + role = role->prev; \
63005 + }
63006 +
63007 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
63008 + subj = NULL; \
63009 + iter = 0; \
63010 + while (iter < role->subj_hash_size) { \
63011 + if (subj == NULL) \
63012 + subj = role->subj_hash[iter]; \
63013 + if (subj == NULL) { \
63014 + iter++; \
63015 + continue; \
63016 + }
63017 +
63018 +#define FOR_EACH_SUBJECT_END(subj,iter) \
63019 + subj = subj->next; \
63020 + if (subj == NULL) \
63021 + iter++; \
63022 + }
63023 +
63024 +
63025 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
63026 + subj = role->hash->first; \
63027 + while (subj != NULL) {
63028 +
63029 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
63030 + subj = subj->next; \
63031 + }
63032 +
63033 +#endif
63034 +
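Review bot: `rhash()` shifts by `16 + type`, which is defined only while `type` stays below 16 for a 32-bit `uid_t`, yet `type` is a `__u16` and the role flags in grdefs.h run up to `0x0800`. The function is safe only if every caller passes `GR_ROLE_USER` or `GR_ROLE_GROUP`, which cannot be checked from this header. All four hash helpers also take the result modulo `sz`, so a zero table size is a division by zero. I would state both preconditions above `rhash()`: `/* type must be GR_ROLE_USER or GR_ROLE_GROUP so the shift stays below 32; sz must be non-zero */`. Separately, a `continue` inside a `FOR_EACH_SUBJECT_START` body skips the advance in `FOR_EACH_SUBJECT_END` and the loop never terminates, which deserves a warning comment on the macro pair.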
63035 diff -urNp linux-2.6.39.3/include/linux/gralloc.h linux-2.6.39.3/include/linux/gralloc.h
63036 --- linux-2.6.39.3/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
63037 +++ linux-2.6.39.3/include/linux/gralloc.h 2011-05-22 19:41:42.000000000 -0400
63038 @@ -0,0 +1,9 @@
63039 +#ifndef __GRALLOC_H
63040 +#define __GRALLOC_H
63041 +
63042 +void acl_free_all(void);
63043 +int acl_alloc_stack_init(unsigned long size);
63044 +void *acl_alloc(unsigned long len);
63045 +void *acl_alloc_num(unsigned long num, unsigned long len);
63046 +
63047 +#endif
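Review bot: None of the four prototypes documents its contract, and for an allocator that matters: `acl_alloc_num(num, len)` takes two sizes whose product can overflow `unsigned long`. Whether the implementation rejects that case is not visible from this header, so the check should be confirmed and then stated here. A comment such as `/* returns NULL on failure, including when num * len would overflow; memory is released only by acl_free_all() */` above `acl_alloc_num()` would do, adjusted to what the definition really guarantees.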
63048 diff -urNp linux-2.6.39.3/include/linux/grdefs.h linux-2.6.39.3/include/linux/grdefs.h
63049 --- linux-2.6.39.3/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
63050 +++ linux-2.6.39.3/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
63051 @@ -0,0 +1,140 @@
63052 +#ifndef GRDEFS_H
63053 +#define GRDEFS_H
63054 +
63055 +/* Begin grsecurity status declarations */
63056 +
63057 +enum {
63058 + GR_READY = 0x01,
63059 + GR_STATUS_INIT = 0x00 // disabled state
63060 +};
63061 +
63062 +/* Begin ACL declarations */
63063 +
63064 +/* Role flags */
63065 +
63066 +enum {
63067 + GR_ROLE_USER = 0x0001,
63068 + GR_ROLE_GROUP = 0x0002,
63069 + GR_ROLE_DEFAULT = 0x0004,
63070 + GR_ROLE_SPECIAL = 0x0008,
63071 + GR_ROLE_AUTH = 0x0010,
63072 + GR_ROLE_NOPW = 0x0020,
63073 + GR_ROLE_GOD = 0x0040,
63074 + GR_ROLE_LEARN = 0x0080,
63075 + GR_ROLE_TPE = 0x0100,
63076 + GR_ROLE_DOMAIN = 0x0200,
63077 + GR_ROLE_PAM = 0x0400,
63078 + GR_ROLE_PERSIST = 0x0800
63079 +};
63080 +
63081 +/* ACL Subject and Object mode flags */
63082 +enum {
63083 + GR_DELETED = 0x80000000
63084 +};
63085 +
63086 +/* ACL Object-only mode flags */
63087 +enum {
63088 + GR_READ = 0x00000001,
63089 + GR_APPEND = 0x00000002,
63090 + GR_WRITE = 0x00000004,
63091 + GR_EXEC = 0x00000008,
63092 + GR_FIND = 0x00000010,
63093 + GR_INHERIT = 0x00000020,
63094 + GR_SETID = 0x00000040,
63095 + GR_CREATE = 0x00000080,
63096 + GR_DELETE = 0x00000100,
63097 + GR_LINK = 0x00000200,
63098 + GR_AUDIT_READ = 0x00000400,
63099 + GR_AUDIT_APPEND = 0x00000800,
63100 + GR_AUDIT_WRITE = 0x00001000,
63101 + GR_AUDIT_EXEC = 0x00002000,
63102 + GR_AUDIT_FIND = 0x00004000,
63103 + GR_AUDIT_INHERIT= 0x00008000,
63104 + GR_AUDIT_SETID = 0x00010000,
63105 + GR_AUDIT_CREATE = 0x00020000,
63106 + GR_AUDIT_DELETE = 0x00040000,
63107 + GR_AUDIT_LINK = 0x00080000,
63108 + GR_PTRACERD = 0x00100000,
63109 + GR_NOPTRACE = 0x00200000,
63110 + GR_SUPPRESS = 0x00400000,
63111 + GR_NOLEARN = 0x00800000,
63112 + GR_INIT_TRANSFER= 0x01000000
63113 +};
63114 +
63115 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
63116 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
63117 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
63118 +
63119 +/* ACL subject-only mode flags */
63120 +enum {
63121 + GR_KILL = 0x00000001,
63122 + GR_VIEW = 0x00000002,
63123 + GR_PROTECTED = 0x00000004,
63124 + GR_LEARN = 0x00000008,
63125 + GR_OVERRIDE = 0x00000010,
63126 + /* just a placeholder, this mode is only used in userspace */
63127 + GR_DUMMY = 0x00000020,
63128 + GR_PROTSHM = 0x00000040,
63129 + GR_KILLPROC = 0x00000080,
63130 + GR_KILLIPPROC = 0x00000100,
63131 + /* just a placeholder, this mode is only used in userspace */
63132 + GR_NOTROJAN = 0x00000200,
63133 + GR_PROTPROCFD = 0x00000400,
63134 + GR_PROCACCT = 0x00000800,
63135 + GR_RELAXPTRACE = 0x00001000,
63136 + GR_NESTED = 0x00002000,
63137 + GR_INHERITLEARN = 0x00004000,
63138 + GR_PROCFIND = 0x00008000,
63139 + GR_POVERRIDE = 0x00010000,
63140 + GR_KERNELAUTH = 0x00020000,
63141 + GR_ATSECURE = 0x00040000,
63142 + GR_SHMEXEC = 0x00080000
63143 +};
63144 +
63145 +enum {
63146 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
63147 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
63148 + GR_PAX_ENABLE_MPROTECT = 0x0004,
63149 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
63150 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
63151 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
63152 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
63153 + GR_PAX_DISABLE_MPROTECT = 0x0400,
63154 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
63155 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
63156 +};
63157 +
63158 +enum {
63159 + GR_ID_USER = 0x01,
63160 + GR_ID_GROUP = 0x02,
63161 +};
63162 +
63163 +enum {
63164 + GR_ID_ALLOW = 0x01,
63165 + GR_ID_DENY = 0x02,
63166 +};
63167 +
63168 +#define GR_CRASH_RES 31
63169 +#define GR_UIDTABLE_MAX 500
63170 +
63171 +/* begin resource learning section */
63172 +enum {
63173 + GR_RLIM_CPU_BUMP = 60,
63174 + GR_RLIM_FSIZE_BUMP = 50000,
63175 + GR_RLIM_DATA_BUMP = 10000,
63176 + GR_RLIM_STACK_BUMP = 1000,
63177 + GR_RLIM_CORE_BUMP = 10000,
63178 + GR_RLIM_RSS_BUMP = 500000,
63179 + GR_RLIM_NPROC_BUMP = 1,
63180 + GR_RLIM_NOFILE_BUMP = 5,
63181 + GR_RLIM_MEMLOCK_BUMP = 50000,
63182 + GR_RLIM_AS_BUMP = 500000,
63183 + GR_RLIM_LOCKS_BUMP = 2,
63184 + GR_RLIM_SIGPENDING_BUMP = 5,
63185 + GR_RLIM_MSGQUEUE_BUMP = 10000,
63186 + GR_RLIM_NICE_BUMP = 1,
63187 + GR_RLIM_RTPRIO_BUMP = 1,
63188 + GR_RLIM_RTTIME_BUMP = 1000000
63189 +};
63190 +
63191 +#endif
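Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, and ISO C before C23 requires an enumeration constant to be representable as `int`, so the declaration relies on a compiler extension. The flag is presumably tested against the `__u32 mode` fields declared in gracl.h, and a macro states that type directly: `#define GR_DELETED 0x80000000U`, in the same way `GR_AUDITS` is already a macro. The header also mixes `//` and `/* */` comments (see `GR_STATUS_INIT`), which is worth making uniform while here.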
63192 diff -urNp linux-2.6.39.3/include/linux/grinternal.h linux-2.6.39.3/include/linux/grinternal.h
63193 --- linux-2.6.39.3/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
63194 +++ linux-2.6.39.3/include/linux/grinternal.h 2011-07-14 21:03:15.000000000 -0400
63195 @@ -0,0 +1,219 @@
63196 +#ifndef __GRINTERNAL_H
63197 +#define __GRINTERNAL_H
63198 +
63199 +#ifdef CONFIG_GRKERNSEC
63200 +
63201 +#include <linux/fs.h>
63202 +#include <linux/mnt_namespace.h>
63203 +#include <linux/nsproxy.h>
63204 +#include <linux/gracl.h>
63205 +#include <linux/grdefs.h>
63206 +#include <linux/grmsg.h>
63207 +
63208 +void gr_add_learn_entry(const char *fmt, ...)
63209 + __attribute__ ((format (printf, 1, 2)));
63210 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
63211 + const struct vfsmount *mnt);
63212 +__u32 gr_check_create(const struct dentry *new_dentry,
63213 + const struct dentry *parent,
63214 + const struct vfsmount *mnt, const __u32 mode);
63215 +int gr_check_protected_task(const struct task_struct *task);
63216 +__u32 to_gr_audit(const __u32 reqmode);
63217 +int gr_set_acls(const int type);
63218 +int gr_apply_subject_to_task(struct task_struct *task);
63219 +int gr_acl_is_enabled(void);
63220 +char gr_roletype_to_char(void);
63221 +
63222 +void gr_handle_alertkill(struct task_struct *task);
63223 +char *gr_to_filename(const struct dentry *dentry,
63224 + const struct vfsmount *mnt);
63225 +char *gr_to_filename1(const struct dentry *dentry,
63226 + const struct vfsmount *mnt);
63227 +char *gr_to_filename2(const struct dentry *dentry,
63228 + const struct vfsmount *mnt);
63229 +char *gr_to_filename3(const struct dentry *dentry,
63230 + const struct vfsmount *mnt);
63231 +
63232 +extern int grsec_enable_harden_ptrace;
63233 +extern int grsec_enable_link;
63234 +extern int grsec_enable_fifo;
63235 +extern int grsec_enable_execve;
63236 +extern int grsec_enable_shm;
63237 +extern int grsec_enable_execlog;
63238 +extern int grsec_enable_signal;
63239 +extern int grsec_enable_audit_ptrace;
63240 +extern int grsec_enable_forkfail;
63241 +extern int grsec_enable_time;
63242 +extern int grsec_enable_rofs;
63243 +extern int grsec_enable_chroot_shmat;
63244 +extern int grsec_enable_chroot_mount;
63245 +extern int grsec_enable_chroot_double;
63246 +extern int grsec_enable_chroot_pivot;
63247 +extern int grsec_enable_chroot_chdir;
63248 +extern int grsec_enable_chroot_chmod;
63249 +extern int grsec_enable_chroot_mknod;
63250 +extern int grsec_enable_chroot_fchdir;
63251 +extern int grsec_enable_chroot_nice;
63252 +extern int grsec_enable_chroot_execlog;
63253 +extern int grsec_enable_chroot_caps;
63254 +extern int grsec_enable_chroot_sysctl;
63255 +extern int grsec_enable_chroot_unix;
63256 +extern int grsec_enable_tpe;
63257 +extern int grsec_tpe_gid;
63258 +extern int grsec_enable_tpe_all;
63259 +extern int grsec_enable_tpe_invert;
63260 +extern int grsec_enable_socket_all;
63261 +extern int grsec_socket_all_gid;
63262 +extern int grsec_enable_socket_client;
63263 +extern int grsec_socket_client_gid;
63264 +extern int grsec_enable_socket_server;
63265 +extern int grsec_socket_server_gid;
63266 +extern int grsec_audit_gid;
63267 +extern int grsec_enable_group;
63268 +extern int grsec_enable_audit_textrel;
63269 +extern int grsec_enable_log_rwxmaps;
63270 +extern int grsec_enable_mount;
63271 +extern int grsec_enable_chdir;
63272 +extern int grsec_resource_logging;
63273 +extern int grsec_enable_blackhole;
63274 +extern int grsec_lastack_retries;
63275 +extern int grsec_enable_brute;
63276 +extern int grsec_lock;
63277 +
63278 +extern spinlock_t grsec_alert_lock;
63279 +extern unsigned long grsec_alert_wtime;
63280 +extern unsigned long grsec_alert_fyet;
63281 +
63282 +extern spinlock_t grsec_audit_lock;
63283 +
63284 +extern rwlock_t grsec_exec_file_lock;
63285 +
63286 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
63287 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
63288 + (tsk)->exec_file->f_vfsmnt) : "/")
63289 +
63290 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
63291 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
63292 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63293 +
63294 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
63295 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
63296 + (tsk)->exec_file->f_vfsmnt) : "/")
63297 +
63298 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
63299 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
63300 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63301 +
63302 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
63303 +
63304 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
63305 +
63306 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
63307 + (task)->pid, (cred)->uid, \
63308 + (cred)->euid, (cred)->gid, (cred)->egid, \
63309 + gr_parent_task_fullpath(task), \
63310 + (task)->real_parent->comm, (task)->real_parent->pid, \
63311 + (pcred)->uid, (pcred)->euid, \
63312 + (pcred)->gid, (pcred)->egid
63313 +
63314 +#define GR_CHROOT_CAPS {{ \
63315 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
63316 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
63317 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
63318 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
63319 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
63320 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
63321 +
63322 +#define security_learn(normal_msg,args...) \
63323 +({ \
63324 + read_lock(&grsec_exec_file_lock); \
63325 + gr_add_learn_entry(normal_msg "\n", ## args); \
63326 + read_unlock(&grsec_exec_file_lock); \
63327 +})
63328 +
63329 +enum {
63330 + GR_DO_AUDIT,
63331 + GR_DONT_AUDIT,
63332 + /* used for non-audit messages that we shouldn't kill the task on */
63333 + GR_DONT_AUDIT_GOOD
63334 +};
63335 +
63336 +enum {
63337 + GR_TTYSNIFF,
63338 + GR_RBAC,
63339 + GR_RBAC_STR,
63340 + GR_STR_RBAC,
63341 + GR_RBAC_MODE2,
63342 + GR_RBAC_MODE3,
63343 + GR_FILENAME,
63344 + GR_SYSCTL_HIDDEN,
63345 + GR_NOARGS,
63346 + GR_ONE_INT,
63347 + GR_ONE_INT_TWO_STR,
63348 + GR_ONE_STR,
63349 + GR_STR_INT,
63350 + GR_TWO_STR_INT,
63351 + GR_TWO_INT,
63352 + GR_TWO_U64,
63353 + GR_THREE_INT,
63354 + GR_FIVE_INT_TWO_STR,
63355 + GR_TWO_STR,
63356 + GR_THREE_STR,
63357 + GR_FOUR_STR,
63358 + GR_STR_FILENAME,
63359 + GR_FILENAME_STR,
63360 + GR_FILENAME_TWO_INT,
63361 + GR_FILENAME_TWO_INT_STR,
63362 + GR_TEXTREL,
63363 + GR_PTRACE,
63364 + GR_RESOURCE,
63365 + GR_CAP,
63366 + GR_SIG,
63367 + GR_SIG2,
63368 + GR_CRASH1,
63369 + GR_CRASH2,
63370 + GR_PSACCT,
63371 + GR_RWXMAP
63372 +};
63373 +
63374 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
63375 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
63376 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
63377 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
63378 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
63379 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
63380 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
63381 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
63382 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
63383 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
63384 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
63385 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
63386 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
63387 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
63388 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
63389 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
63390 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
63391 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
63392 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
63393 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
63394 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
63395 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
63396 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
63397 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
63398 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63399 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63400 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63401 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63402 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63403 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63404 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63405 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63406 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63407 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63408 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63409 +
63410 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63411 +
63412 +#endif
63413 +
63414 +#endif
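Review bot: `gr_log_varargs()` reads its variadic arguments according to the `argtypes` tag, so the compiler cannot check that a `gr_log_*` wrapper passes what the tag promises, unlike `gr_add_learn_entry()` above it, which carries a `format (printf, 1, 2)` attribute. One wrapper already looks inconsistent: `gr_log_int5_str2(audit, msg, num1, num2, str1, str2)` forwards two integers under `GR_FIVE_INT_TWO_STR`. If the handler for that tag pulls five integers with `va_arg`, it reads arguments that were never passed; the definition is outside this hunk, so that needs confirming. I would at least document the rule on the enum: `/* each tag fixes the count, order and C types of the arguments gr_log_varargs() reads; keep the gr_log_* wrappers in sync */`.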
63415 diff -urNp linux-2.6.39.3/include/linux/grmsg.h linux-2.6.39.3/include/linux/grmsg.h
63416 --- linux-2.6.39.3/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63417 +++ linux-2.6.39.3/include/linux/grmsg.h 2011-05-22 19:41:42.000000000 -0400
63418 @@ -0,0 +1,108 @@
63419 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63420 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63421 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63422 +#define GR_STOPMOD_MSG "denied modification of module state by "
63423 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63424 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63425 +#define GR_IOPERM_MSG "denied use of ioperm() by "
63426 +#define GR_IOPL_MSG "denied use of iopl() by "
63427 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63428 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63429 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63430 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63431 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63432 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63433 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63434 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63435 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63436 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63437 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63438 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63439 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63440 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63441 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63442 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63443 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63444 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63445 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63446 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63447 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63448 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63449 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63450 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63451 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63452 +#define GR_NPROC_MSG "denied overstep of process limit by "
63453 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63454 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63455 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63456 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63457 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63458 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63459 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63460 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63461 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63462 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63463 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63464 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63465 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63466 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63467 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63468 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63469 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63470 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63471 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63472 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63473 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63474 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63475 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63476 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63477 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63478 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63479 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63480 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63481 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63482 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63483 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63484 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63485 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63486 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63487 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63488 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63489 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63490 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63491 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63492 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
63493 +#define GR_NICE_CHROOT_MSG "denied priority change by "
63494 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63495 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63496 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63497 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63498 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63499 +#define GR_TIME_MSG "time set by "
63500 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63501 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63502 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63503 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63504 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63505 +#define GR_BIND_MSG "denied bind() by "
63506 +#define GR_CONNECT_MSG "denied connect() by "
63507 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63508 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63509 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63510 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63511 +#define GR_CAP_ACL_MSG "use of %s denied for "
63512 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63513 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63514 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63515 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63516 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63517 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63518 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63519 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63520 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63521 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63522 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63523 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63524 +#define GR_VM86_MSG "denied use of vm86 by "
63525 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63526 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
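Review bot: `GR_TEXTREL_AUDIT_MSG` formats its first field with a bare `%s`, while the other messages in this header that carry a file name cap it (`%.950s`, `%.480s`, `%.256s`). If that argument is a path, as the neighbouring `GR_RWXMMAP_MSG` suggests, I would bound it the same way: `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. The call sites are outside this hunk, so the argument type needs confirming first. Separately, this new header has no include guard, unlike grsecurity.h and grsock.h added by the same patch; a guard such as `#ifndef GRMSG_H` / `#define GRMSG_H` / `#endif` would match them.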
63527 diff -urNp linux-2.6.39.3/include/linux/grsecurity.h linux-2.6.39.3/include/linux/grsecurity.h
63528 --- linux-2.6.39.3/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63529 +++ linux-2.6.39.3/include/linux/grsecurity.h 2011-07-16 15:28:00.000000000 -0400
63530 @@ -0,0 +1,215 @@
63531 +#ifndef GR_SECURITY_H
63532 +#define GR_SECURITY_H
63533 +#include <linux/fs.h>
63534 +#include <linux/fs_struct.h>
63535 +#include <linux/binfmts.h>
63536 +#include <linux/gracl.h>
63537 +#include <linux/compat.h>
63538 +
63539 +/* notify of brain-dead configs */
63540 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63541 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63542 +#endif
63543 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63544 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63545 +#endif
63546 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63547 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63548 +#endif
63549 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63550 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63551 +#endif
63552 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63553 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
63554 +#endif
63555 +
63556 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63557 +void gr_handle_brute_check(void);
63558 +void gr_handle_kernel_exploit(void);
63559 +int gr_process_user_ban(void);
63560 +
63561 +char gr_roletype_to_char(void);
63562 +
63563 +int gr_acl_enable_at_secure(void);
63564 +
63565 +int gr_check_user_change(int real, int effective, int fs);
63566 +int gr_check_group_change(int real, int effective, int fs);
63567 +
63568 +void gr_del_task_from_ip_table(struct task_struct *p);
63569 +
63570 +int gr_pid_is_chrooted(struct task_struct *p);
63571 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63572 +int gr_handle_chroot_nice(void);
63573 +int gr_handle_chroot_sysctl(const int op);
63574 +int gr_handle_chroot_setpriority(struct task_struct *p,
63575 + const int niceval);
63576 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63577 +int gr_handle_chroot_chroot(const struct dentry *dentry,
63578 + const struct vfsmount *mnt);
63579 +int gr_handle_chroot_caps(struct path *path);
63580 +void gr_handle_chroot_chdir(struct path *path);
63581 +int gr_handle_chroot_chmod(const struct dentry *dentry,
63582 + const struct vfsmount *mnt, const int mode);
63583 +int gr_handle_chroot_mknod(const struct dentry *dentry,
63584 + const struct vfsmount *mnt, const int mode);
63585 +int gr_handle_chroot_mount(const struct dentry *dentry,
63586 + const struct vfsmount *mnt,
63587 + const char *dev_name);
63588 +int gr_handle_chroot_pivot(void);
63589 +int gr_handle_chroot_unix(const pid_t pid);
63590 +
63591 +int gr_handle_rawio(const struct inode *inode);
63592 +int gr_handle_nproc(void);
63593 +
63594 +void gr_handle_ioperm(void);
63595 +void gr_handle_iopl(void);
63596 +
63597 +int gr_tpe_allow(const struct file *file);
63598 +
63599 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63600 +void gr_clear_chroot_entries(struct task_struct *task);
63601 +
63602 +void gr_log_forkfail(const int retval);
63603 +void gr_log_timechange(void);
63604 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63605 +void gr_log_chdir(const struct dentry *dentry,
63606 + const struct vfsmount *mnt);
63607 +void gr_log_chroot_exec(const struct dentry *dentry,
63608 + const struct vfsmount *mnt);
63609 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63610 +#ifdef CONFIG_COMPAT
63611 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63612 +#endif
63613 +void gr_log_remount(const char *devname, const int retval);
63614 +void gr_log_unmount(const char *devname, const int retval);
63615 +void gr_log_mount(const char *from, const char *to, const int retval);
63616 +void gr_log_textrel(struct vm_area_struct *vma);
63617 +void gr_log_rwxmmap(struct file *file);
63618 +void gr_log_rwxmprotect(struct file *file);
63619 +
63620 +int gr_handle_follow_link(const struct inode *parent,
63621 + const struct inode *inode,
63622 + const struct dentry *dentry,
63623 + const struct vfsmount *mnt);
63624 +int gr_handle_fifo(const struct dentry *dentry,
63625 + const struct vfsmount *mnt,
63626 + const struct dentry *dir, const int flag,
63627 + const int acc_mode);
63628 +int gr_handle_hardlink(const struct dentry *dentry,
63629 + const struct vfsmount *mnt,
63630 + struct inode *inode,
63631 + const int mode, const char *to);
63632 +
63633 +int gr_is_capable(const int cap);
63634 +int gr_is_capable_nolog(const int cap);
63635 +void gr_learn_resource(const struct task_struct *task, const int limit,
63636 + const unsigned long wanted, const int gt);
63637 +void gr_copy_label(struct task_struct *tsk);
63638 +void gr_handle_crash(struct task_struct *task, const int sig);
63639 +int gr_handle_signal(const struct task_struct *p, const int sig);
63640 +int gr_check_crash_uid(const uid_t uid);
63641 +int gr_check_protected_task(const struct task_struct *task);
63642 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63643 +int gr_acl_handle_mmap(const struct file *file,
63644 + const unsigned long prot);
63645 +int gr_acl_handle_mprotect(const struct file *file,
63646 + const unsigned long prot);
63647 +int gr_check_hidden_task(const struct task_struct *tsk);
63648 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63649 + const struct vfsmount *mnt);
63650 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
63651 + const struct vfsmount *mnt);
63652 +__u32 gr_acl_handle_access(const struct dentry *dentry,
63653 + const struct vfsmount *mnt, const int fmode);
63654 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63655 + const struct vfsmount *mnt, mode_t mode);
63656 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63657 + const struct vfsmount *mnt, mode_t mode);
63658 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
63659 + const struct vfsmount *mnt);
63660 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63661 + const struct vfsmount *mnt);
63662 +int gr_handle_ptrace(struct task_struct *task, const long request);
63663 +int gr_handle_proc_ptrace(struct task_struct *task);
63664 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
63665 + const struct vfsmount *mnt);
63666 +int gr_check_crash_exec(const struct file *filp);
63667 +int gr_acl_is_enabled(void);
63668 +void gr_set_kernel_label(struct task_struct *task);
63669 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
63670 + const gid_t gid);
63671 +int gr_set_proc_label(const struct dentry *dentry,
63672 + const struct vfsmount *mnt,
63673 + const int unsafe_share);
63674 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63675 + const struct vfsmount *mnt);
63676 +__u32 gr_acl_handle_open(const struct dentry *dentry,
63677 + const struct vfsmount *mnt, const int fmode);
63678 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
63679 + const struct dentry *p_dentry,
63680 + const struct vfsmount *p_mnt, const int fmode,
63681 + const int imode);
63682 +void gr_handle_create(const struct dentry *dentry,
63683 + const struct vfsmount *mnt);
63684 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63685 + const struct dentry *parent_dentry,
63686 + const struct vfsmount *parent_mnt,
63687 + const int mode);
63688 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63689 + const struct dentry *parent_dentry,
63690 + const struct vfsmount *parent_mnt);
63691 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63692 + const struct vfsmount *mnt);
63693 +void gr_handle_delete(const ino_t ino, const dev_t dev);
63694 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63695 + const struct vfsmount *mnt);
63696 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63697 + const struct dentry *parent_dentry,
63698 + const struct vfsmount *parent_mnt,
63699 + const char *from);
63700 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63701 + const struct dentry *parent_dentry,
63702 + const struct vfsmount *parent_mnt,
63703 + const struct dentry *old_dentry,
63704 + const struct vfsmount *old_mnt, const char *to);
63705 +int gr_acl_handle_rename(struct dentry *new_dentry,
63706 + struct dentry *parent_dentry,
63707 + const struct vfsmount *parent_mnt,
63708 + struct dentry *old_dentry,
63709 + struct inode *old_parent_inode,
63710 + struct vfsmount *old_mnt, const char *newname);
63711 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63712 + struct dentry *old_dentry,
63713 + struct dentry *new_dentry,
63714 + struct vfsmount *mnt, const __u8 replace);
63715 +__u32 gr_check_link(const struct dentry *new_dentry,
63716 + const struct dentry *parent_dentry,
63717 + const struct vfsmount *parent_mnt,
63718 + const struct dentry *old_dentry,
63719 + const struct vfsmount *old_mnt);
63720 +int gr_acl_handle_filldir(const struct file *file, const char *name,
63721 + const unsigned int namelen, const ino_t ino);
63722 +
63723 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
63724 + const struct vfsmount *mnt);
63725 +void gr_acl_handle_exit(void);
63726 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
63727 +int gr_acl_handle_procpidmem(const struct task_struct *task);
63728 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63729 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63730 +void gr_audit_ptrace(struct task_struct *task);
63731 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63732 +
63733 +#ifdef CONFIG_GRKERNSEC
63734 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63735 +void gr_handle_vm86(void);
63736 +void gr_handle_mem_readwrite(u64 from, u64 to);
63737 +
63738 +extern int grsec_enable_dmesg;
63739 +extern int grsec_disable_privio;
63740 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
63741 +extern int grsec_enable_chroot_findtask;
63742 +#endif
63743 +#endif
63744 +
63745 +#endif
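Review bot: None of the hooks declared in this header documents its return convention, and the header mixes `int gr_handle_*`, `__u32 gr_acl_handle_*` and `void` logging functions. From the prototype alone a caller cannot tell whether a nonzero `int` means deny or allow, or whether the `__u32` is a mask of granted modes. An inverted test at a call site would silently disable the access check. A short comment above each family stating the convention would make call sites reviewable; the implementations are outside this hunk, so the wording has to come from them. Also, `gr_check_user_change(int real, int effective, int fs)` takes ids as `int` while `gr_check_crash_uid()` and `gr_set_role_label()` use `uid_t`/`gid_t`; if the `int` carries a -1 "unchanged" sentinel, that deserves a one-line comment.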
63746 diff -urNp linux-2.6.39.3/include/linux/grsock.h linux-2.6.39.3/include/linux/grsock.h
63747 --- linux-2.6.39.3/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
63748 +++ linux-2.6.39.3/include/linux/grsock.h 2011-05-22 19:41:42.000000000 -0400
63749 @@ -0,0 +1,19 @@
63750 +#ifndef __GRSOCK_H
63751 +#define __GRSOCK_H
63752 +
63753 +extern void gr_attach_curr_ip(const struct sock *sk);
63754 +extern int gr_handle_sock_all(const int family, const int type,
63755 + const int protocol);
63756 +extern int gr_handle_sock_server(const struct sockaddr *sck);
63757 +extern int gr_handle_sock_server_other(const struct sock *sck);
63758 +extern int gr_handle_sock_client(const struct sockaddr *sck);
63759 +extern int gr_search_connect(struct socket * sock,
63760 + struct sockaddr_in * addr);
63761 +extern int gr_search_bind(struct socket * sock,
63762 + struct sockaddr_in * addr);
63763 +extern int gr_search_listen(struct socket * sock);
63764 +extern int gr_search_accept(struct socket * sock);
63765 +extern int gr_search_socket(const int domain, const int type,
63766 + const int protocol);
63767 +
63768 +#endif
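Review bot: This header is not self-contained: its prototypes name `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` without including or forward-declaring them. If it is included before the networking headers, each of those becomes a type scoped to the parameter list, giving a compiler warning and a prototype that does not match the definition. One line after the guard, `struct sock; struct socket; struct sockaddr; struct sockaddr_in;`, removes the include-order dependency. The guard name `__GRSOCK_H` also differs in style from `GR_SECURITY_H` in grsecurity.h from the same patch.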
63769 diff -urNp linux-2.6.39.3/include/linux/highmem.h linux-2.6.39.3/include/linux/highmem.h
63770 --- linux-2.6.39.3/include/linux/highmem.h 2011-05-19 00:06:34.000000000 -0400
63771 +++ linux-2.6.39.3/include/linux/highmem.h 2011-05-22 19:36:33.000000000 -0400
63772 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
63773 kunmap_atomic(kaddr, KM_USER0);
63774 }
63775
63776 +static inline void sanitize_highpage(struct page *page)
63777 +{
63778 + void *kaddr;
63779 + unsigned long flags;
63780 +
63781 + local_irq_save(flags);
63782 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
63783 + clear_page(kaddr);
63784 + kunmap_atomic(kaddr, KM_CLEARPAGE);
63785 + local_irq_restore(flags);
63786 +}
63787 +
63788 static inline void zero_user_segments(struct page *page,
63789 unsigned start1, unsigned end1,
63790 unsigned start2, unsigned end2)
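Review bot: `sanitize_highpage()` is added without a comment saying why it exists next to `clear_highpage()` directly above it, or why it wraps the mapping in `local_irq_save()`/`local_irq_restore()`. The visible differences are the `KM_CLEARPAGE` slot instead of `KM_USER0` and the disabled interrupts. That presumably makes it usable where `KM_USER0` may already be occupied, but the reason should be written down so it is not later folded into a plain `clear_highpage()` call. I would add above the function something like `/* zeroes a page through its own kmap slot with IRQs off; not interchangeable with clear_highpage() */`, with the rationale confirmed against the callers. The `zero_user_segments()` context at the end of the hunk continues outside it.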
63791 diff -urNp linux-2.6.39.3/include/linux/i2o.h linux-2.6.39.3/include/linux/i2o.h
63792 --- linux-2.6.39.3/include/linux/i2o.h 2011-05-19 00:06:34.000000000 -0400
63793 +++ linux-2.6.39.3/include/linux/i2o.h 2011-05-22 19:36:33.000000000 -0400
63794 @@ -564,7 +564,7 @@ struct i2o_controller {
63795 struct i2o_device *exec; /* Executive */
63796 #if BITS_PER_LONG == 64
63797 spinlock_t context_list_lock; /* lock for context_list */
63798 - atomic_t context_list_counter; /* needed for unique contexts */
63799 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63800 struct list_head context_list; /* list of context id's
63801 and pointers */
63802 #endif
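Review bot: Switching `context_list_counter` to `atomic_unchecked_t` opts it out of overflow checking, but nothing here says why wrap-around is acceptable for this field. The existing comment says the counter is "needed for unique contexts", so a reader has to work out whether a wrapped value could collide with an entry still on `context_list`; the code that consumes the counter is outside this hunk. Once that is confirmed, I would extend the comment to `/* needed for unique contexts; not a reference count, wrap-around is tolerated */`. The same applies to `kgdb_cpu_doing_single_step` in the kgdb.h hunk of this patch.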
63803 diff -urNp linux-2.6.39.3/include/linux/if_phonet.h linux-2.6.39.3/include/linux/if_phonet.h
63804 --- linux-2.6.39.3/include/linux/if_phonet.h 2011-05-19 00:06:34.000000000 -0400
63805 +++ linux-2.6.39.3/include/linux/if_phonet.h 2011-05-22 19:36:33.000000000 -0400
63806 @@ -13,7 +13,7 @@
63807 #define PHONET_DEV_MTU PHONET_MAX_MTU
63808
63809 #ifdef __KERNEL__
63810 -extern struct header_ops phonet_header_ops;
63811 +extern const struct header_ops phonet_header_ops;
63812 #endif
63813
63814 #endif
63815 diff -urNp linux-2.6.39.3/include/linux/init.h linux-2.6.39.3/include/linux/init.h
63816 --- linux-2.6.39.3/include/linux/init.h 2011-05-19 00:06:34.000000000 -0400
63817 +++ linux-2.6.39.3/include/linux/init.h 2011-05-22 19:36:33.000000000 -0400
63818 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
63819
63820 /* Each module must use one module_init(). */
63821 #define module_init(initfn) \
63822 - static inline initcall_t __inittest(void) \
63823 + static inline __used initcall_t __inittest(void) \
63824 { return initfn; } \
63825 int init_module(void) __attribute__((alias(#initfn)));
63826
63827 /* This is only required if you want to be unloadable. */
63828 #define module_exit(exitfn) \
63829 - static inline exitcall_t __exittest(void) \
63830 + static inline __used exitcall_t __exittest(void) \
63831 { return exitfn; } \
63832 void cleanup_module(void) __attribute__((alias(#exitfn)));
63833
63834 diff -urNp linux-2.6.39.3/include/linux/init_task.h linux-2.6.39.3/include/linux/init_task.h
63835 --- linux-2.6.39.3/include/linux/init_task.h 2011-05-19 00:06:34.000000000 -0400
63836 +++ linux-2.6.39.3/include/linux/init_task.h 2011-05-22 19:36:33.000000000 -0400
63837 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
63838 #define INIT_IDS
63839 #endif
63840
63841 +#ifdef CONFIG_X86
63842 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63843 +#else
63844 +#define INIT_TASK_THREAD_INFO
63845 +#endif
63846 +
63847 /*
63848 * Because of the reduced scope of CAP_SETPCAP when filesystem
63849 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
63850 @@ -163,6 +169,7 @@ extern struct cred init_cred;
63851 RCU_INIT_POINTER(.cred, &init_cred), \
63852 .comm = "swapper", \
63853 .thread = INIT_THREAD, \
63854 + INIT_TASK_THREAD_INFO \
63855 .fs = &init_fs, \
63856 .files = &init_files, \
63857 .signal = &init_signals, \
63858 diff -urNp linux-2.6.39.3/include/linux/interrupt.h linux-2.6.39.3/include/linux/interrupt.h
63859 --- linux-2.6.39.3/include/linux/interrupt.h 2011-05-19 00:06:34.000000000 -0400
63860 +++ linux-2.6.39.3/include/linux/interrupt.h 2011-05-22 19:36:33.000000000 -0400
63861 @@ -422,7 +422,7 @@ enum
63862 /* map softirq index to softirq name. update 'softirq_to_name' in
63863 * kernel/softirq.c when adding a new softirq.
63864 */
63865 -extern char *softirq_to_name[NR_SOFTIRQS];
63866 +extern const char * const softirq_to_name[NR_SOFTIRQS];
63867
63868 /* softirq mask and active fields moved to irq_cpustat_t in
63869 * asm/hardirq.h to get better cache usage. KAO
63870 @@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63871
63872 struct softirq_action
63873 {
63874 - void (*action)(struct softirq_action *);
63875 + void (*action)(void);
63876 };
63877
63878 asmlinkage void do_softirq(void);
63879 asmlinkage void __do_softirq(void);
63880 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63881 +extern void open_softirq(int nr, void (*action)(void));
63882 extern void softirq_init(void);
63883 static inline void __raise_softirq_irqoff(unsigned int nr)
63884 {
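Review bot: Changing `softirq_action.action` and `open_softirq()` to `void (*)(void)` is an interface break that the header does not state anywhere. A handler still written with the `struct softirq_action *` parameter will be rejected by the compiler, which is fine. Code that silences the mismatch with a cast, though, would be called through an incompatible function type. A comment on the struct such as `/* handlers take no argument; convert old-style handlers, do not cast them */` would record the contract. `__raise_softirq_irqoff()` at the end of this hunk continues outside it.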
63885 diff -urNp linux-2.6.39.3/include/linux/iommu.h linux-2.6.39.3/include/linux/iommu.h
63886 --- linux-2.6.39.3/include/linux/iommu.h 2011-05-19 00:06:34.000000000 -0400
63887 +++ linux-2.6.39.3/include/linux/iommu.h 2011-05-22 19:36:33.000000000 -0400
63888 @@ -49,7 +49,7 @@ struct iommu_ops {
63889
63890 #ifdef CONFIG_IOMMU_API
63891
63892 -extern void register_iommu(struct iommu_ops *ops);
63893 +extern void register_iommu(const struct iommu_ops *ops);
63894 extern bool iommu_found(void);
63895 extern struct iommu_domain *iommu_domain_alloc(void);
63896 extern void iommu_domain_free(struct iommu_domain *domain);
63897 diff -urNp linux-2.6.39.3/include/linux/ipmi.h linux-2.6.39.3/include/linux/ipmi.h
63898 --- linux-2.6.39.3/include/linux/ipmi.h 2011-05-19 00:06:34.000000000 -0400
63899 +++ linux-2.6.39.3/include/linux/ipmi.h 2011-05-22 19:36:33.000000000 -0400
63900 @@ -282,7 +282,7 @@ struct ipmi_user_hndl {
63901
63902 /* Create a new user of the IPMI layer on the given interface number. */
63903 int ipmi_create_user(unsigned int if_num,
63904 - struct ipmi_user_hndl *handler,
63905 + const struct ipmi_user_hndl *handler,
63906 void *handler_data,
63907 ipmi_user_t *user);
63908
63909 diff -urNp linux-2.6.39.3/include/linux/kallsyms.h linux-2.6.39.3/include/linux/kallsyms.h
63910 --- linux-2.6.39.3/include/linux/kallsyms.h 2011-05-19 00:06:34.000000000 -0400
63911 +++ linux-2.6.39.3/include/linux/kallsyms.h 2011-05-22 22:52:54.000000000 -0400
63912 @@ -15,7 +15,8 @@
63913
63914 struct module;
63915
63916 -#ifdef CONFIG_KALLSYMS
63917 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63918 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63919 /* Lookup the address for a symbol. Returns 0 if not found. */
63920 unsigned long kallsyms_lookup_name(const char *name);
63921
63922 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
63923 /* Stupid that this does nothing, but I didn't create this mess. */
63924 #define __print_symbol(fmt, addr)
63925 #endif /*CONFIG_KALLSYMS*/
63926 +#else /* when included by kallsyms.c, vsnprintf.c, or
63927 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63928 +extern void __print_symbol(const char *fmt, unsigned long address);
63929 +extern int sprint_backtrace(char *buffer, unsigned long address);
63930 +extern int sprint_symbol(char *buffer, unsigned long address);
63931 +const char *kallsyms_lookup(unsigned long addr,
63932 + unsigned long *symbolsize,
63933 + unsigned long *offset,
63934 + char **modname, char *namebuf);
63935 +#endif
63936
63937 /* This macro allows us to keep printk typechecking */
63938 static void __check_printsym_format(const char *fmt, ...)
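Review bot: The conditional nesting is now hard to follow: the unchanged `#endif /*CONFIG_KALLSYMS*/` closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` from the previous hunk, and the new outer `#endif` has no label. I would relabel them as `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The comment on the new `#else` lists three intended includers, but the gate is only the `__INCLUDED_BY_HIDESYM` macro. It is worth stating there that the macro is a convention and that the real restriction has to come from which symbols stay exported, which is outside this hunk. As a smaller style point, `kallsyms_lookup` is declared without `extern` while the three declarations above it use it. `__check_printsym_format()` at the end of the hunk continues outside it.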
63939 diff -urNp linux-2.6.39.3/include/linux/kgdb.h linux-2.6.39.3/include/linux/kgdb.h
63940 --- linux-2.6.39.3/include/linux/kgdb.h 2011-05-19 00:06:34.000000000 -0400
63941 +++ linux-2.6.39.3/include/linux/kgdb.h 2011-05-22 19:36:33.000000000 -0400
63942 @@ -53,7 +53,7 @@ extern int kgdb_connected;
63943 extern int kgdb_io_module_registered;
63944
63945 extern atomic_t kgdb_setting_breakpoint;
63946 -extern atomic_t kgdb_cpu_doing_single_step;
63947 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63948
63949 extern struct task_struct *kgdb_usethread;
63950 extern struct task_struct *kgdb_contthread;
63951 @@ -269,22 +269,22 @@ struct kgdb_arch {
63952 */
63953 struct kgdb_io {
63954 const char *name;
63955 - int (*read_char) (void);
63956 - void (*write_char) (u8);
63957 - void (*flush) (void);
63958 - int (*init) (void);
63959 - void (*pre_exception) (void);
63960 - void (*post_exception) (void);
63961 + int (* const read_char) (void);
63962 + void (* const write_char) (u8);
63963 + void (* const flush) (void);
63964 + int (* const init) (void);
63965 + void (* const pre_exception) (void);
63966 + void (* const post_exception) (void);
63967 int is_console;
63968 };
63969
63970 -extern struct kgdb_arch arch_kgdb_ops;
63971 +extern const struct kgdb_arch arch_kgdb_ops;
63972
63973 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
63974
63975 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
63976 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
63977 -extern struct kgdb_io *dbg_io_ops;
63978 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
63979 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
63980 +extern const struct kgdb_io *dbg_io_ops;
63981
63982 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
63983 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
63984 diff -urNp linux-2.6.39.3/include/linux/kmod.h linux-2.6.39.3/include/linux/kmod.h
63985 --- linux-2.6.39.3/include/linux/kmod.h 2011-05-19 00:06:34.000000000 -0400
63986 +++ linux-2.6.39.3/include/linux/kmod.h 2011-05-22 19:41:42.000000000 -0400
63987 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
63988 * usually useless though. */
63989 extern int __request_module(bool wait, const char *name, ...) \
63990 __attribute__((format(printf, 2, 3)));
63991 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
63992 + __attribute__((format(printf, 3, 4)));
63993 #define request_module(mod...) __request_module(true, mod)
63994 #define request_module_nowait(mod...) __request_module(false, mod)
63995 #define try_then_request_module(x, mod...) \
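Review bot: `___request_module()` is declared with no comment on what `param_name` is for, and its name differs from `__request_module()` by one underscore, which is easy to misread at a call site. `param_name` is a plain `char *` next to `const char *name`. Unless the implementation writes through it (that code is outside this hunk), `const char *param_name` would state the contract and let callers pass string literals safely. I would add a one-line comment above the declaration describing the extra argument and when this variant must be used instead of `request_module()`. The format attribute `(printf, 3, 4)` does match the shifted argument positions.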
63996 diff -urNp linux-2.6.39.3/include/linux/kvm_host.h linux-2.6.39.3/include/linux/kvm_host.h
63997 --- linux-2.6.39.3/include/linux/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
63998 +++ linux-2.6.39.3/include/linux/kvm_host.h 2011-05-22 19:36:33.000000000 -0400
63999 @@ -302,7 +302,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
64000 void vcpu_load(struct kvm_vcpu *vcpu);
64001 void vcpu_put(struct kvm_vcpu *vcpu);
64002
64003 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64004 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64005 struct module *module);
64006 void kvm_exit(void);
64007
64008 @@ -442,7 +442,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
64009 struct kvm_guest_debug *dbg);
64010 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
64011
64012 -int kvm_arch_init(void *opaque);
64013 +int kvm_arch_init(const void *opaque);
64014 void kvm_arch_exit(void);
64015
64016 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
64017 diff -urNp linux-2.6.39.3/include/linux/lapb.h linux-2.6.39.3/include/linux/lapb.h
64018 --- linux-2.6.39.3/include/linux/lapb.h 2011-05-19 00:06:34.000000000 -0400
64019 +++ linux-2.6.39.3/include/linux/lapb.h 2011-05-22 19:36:33.000000000 -0400
64020 @@ -44,7 +44,7 @@ struct lapb_parms_struct {
64021 unsigned int mode;
64022 };
64023
64024 -extern int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks);
64025 +extern int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks);
64026 extern int lapb_unregister(struct net_device *dev);
64027 extern int lapb_getparms(struct net_device *dev, struct lapb_parms_struct *parms);
64028 extern int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms);
64029 diff -urNp linux-2.6.39.3/include/linux/lcd.h linux-2.6.39.3/include/linux/lcd.h
64030 --- linux-2.6.39.3/include/linux/lcd.h 2011-05-19 00:06:34.000000000 -0400
64031 +++ linux-2.6.39.3/include/linux/lcd.h 2011-05-22 19:36:33.000000000 -0400
64032 @@ -60,7 +60,7 @@ struct lcd_device {
64033 points to something in the body of that driver, it is also invalid. */
64034 struct mutex ops_lock;
64035 /* If this is NULL, the backing module is unloaded */
64036 - struct lcd_ops *ops;
64037 + const struct lcd_ops *ops;
64038 /* Serialise access to set_power method */
64039 struct mutex update_lock;
64040 /* The framebuffer notifier block */
64041 @@ -101,7 +101,7 @@ static inline void lcd_set_power(struct
64042 }
64043
64044 extern struct lcd_device *lcd_device_register(const char *name,
64045 - struct device *parent, void *devdata, struct lcd_ops *ops);
64046 + struct device *parent, void *devdata, const struct lcd_ops *ops);
64047 extern void lcd_device_unregister(struct lcd_device *ld);
64048
64049 #define to_lcd_device(obj) container_of(obj, struct lcd_device, dev)
64050 diff -urNp linux-2.6.39.3/include/linux/libata.h linux-2.6.39.3/include/linux/libata.h
64051 --- linux-2.6.39.3/include/linux/libata.h 2011-05-19 00:06:34.000000000 -0400
64052 +++ linux-2.6.39.3/include/linux/libata.h 2011-05-22 19:36:33.000000000 -0400
64053 @@ -524,11 +524,11 @@ struct ata_ioports {
64054
64055 struct ata_host {
64056 spinlock_t lock;
64057 - struct device *dev;
64058 + struct device *dev;
64059 void __iomem * const *iomap;
64060 unsigned int n_ports;
64061 void *private_data;
64062 - struct ata_port_operations *ops;
64063 + const struct ata_port_operations *ops;
64064 unsigned long flags;
64065
64066 struct mutex eh_mutex;
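Review bot: Making `ops` a pointer to const in `struct ata_host` (and in `ata_port`, `ata_port_info` and `ata_host_init()` in the later hunks of this file) only holds up if nothing still writes through it, and libata has historically resolved the `inherits` chain by filling in the operations table in place when a host is started. That code is outside this hunk, so confirm it either works on a resolved copy or does the write through an explicit, narrowly scoped write-enable rather than a bare cast that drops `const`. Separately, the `struct device *dev;` line is removed and re-added with no visible difference, which looks like a whitespace-only change that adds noise to the hunk.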
64067 @@ -719,7 +719,7 @@ struct ata_link {
64068
64069 struct ata_port {
64070 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
64071 - struct ata_port_operations *ops;
64072 + const struct ata_port_operations *ops;
64073 spinlock_t *lock;
64074 /* Flags owned by the EH context. Only EH should touch these once the
64075 port is active */
64076 @@ -907,7 +907,7 @@ struct ata_port_info {
64077 unsigned long pio_mask;
64078 unsigned long mwdma_mask;
64079 unsigned long udma_mask;
64080 - struct ata_port_operations *port_ops;
64081 + const struct ata_port_operations *port_ops;
64082 void *private_data;
64083 };
64084
64085 @@ -931,7 +931,7 @@ extern const unsigned long sata_deb_timi
64086 extern const unsigned long sata_deb_timing_hotplug[];
64087 extern const unsigned long sata_deb_timing_long[];
64088
64089 -extern struct ata_port_operations ata_dummy_port_ops;
64090 +extern const struct ata_port_operations ata_dummy_port_ops;
64091 extern const struct ata_port_info ata_dummy_port_info;
64092
64093 static inline const unsigned long *
64094 @@ -977,7 +977,7 @@ extern int ata_host_activate(struct ata_
64095 struct scsi_host_template *sht);
64096 extern void ata_host_detach(struct ata_host *host);
64097 extern void ata_host_init(struct ata_host *, struct device *,
64098 - unsigned long, struct ata_port_operations *);
64099 + unsigned long, const struct ata_port_operations *);
64100 extern int ata_scsi_detect(struct scsi_host_template *sht);
64101 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
64102 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
64103 diff -urNp linux-2.6.39.3/include/linux/lockd/bind.h linux-2.6.39.3/include/linux/lockd/bind.h
64104 --- linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-19 00:06:34.000000000 -0400
64105 +++ linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-22 19:36:33.000000000 -0400
64106 @@ -23,13 +23,13 @@ struct svc_rqst;
64107 * This is the set of functions for lockd->nfsd communication
64108 */
64109 struct nlmsvc_binding {
64110 - __be32 (*fopen)(struct svc_rqst *,
64111 + __be32 (* const fopen)(struct svc_rqst *,
64112 struct nfs_fh *,
64113 struct file **);
64114 - void (*fclose)(struct file *);
64115 + void (* const fclose)(struct file *);
64116 };
64117
64118 -extern struct nlmsvc_binding * nlmsvc_ops;
64119 +extern const struct nlmsvc_binding * nlmsvc_ops;
64120
64121 /*
64122 * Similar to nfs_client_initdata, but without the NFS-specific
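Review bot: `nlmsvc_ops` becomes a pointer to a const table, but the pointer variable itself stays writable, so the declaration protects the `fopen`/`fclose` slots and not the indirection that selects the table. If that is intended because the binding is installed and cleared at runtime (the assignment sites are not in this hunk), say so in a comment, e.g. `/* table is read-only; the pointer is set when the binding is registered and cleared when it goes away */`. Marking each member `* const` as well forces every definition of the struct to use an initializer, which deserves a word in the comment above `struct nlmsvc_binding`.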
64123 diff -urNp linux-2.6.39.3/include/linux/mfd/abx500.h linux-2.6.39.3/include/linux/mfd/abx500.h
64124 --- linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-19 00:06:34.000000000 -0400
64125 +++ linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-22 19:36:33.000000000 -0400
64126 @@ -227,6 +227,6 @@ struct abx500_ops {
64127 int (*startup_irq_enabled) (struct device *, unsigned int);
64128 };
64129
64130 -int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
64131 +int abx500_register_ops(struct device *core_dev, const struct abx500_ops *ops);
64132 void abx500_remove_ops(struct device *dev);
64133 #endif
64134 diff -urNp linux-2.6.39.3/include/linux/mm.h linux-2.6.39.3/include/linux/mm.h
64135 --- linux-2.6.39.3/include/linux/mm.h 2011-05-19 00:06:34.000000000 -0400
64136 +++ linux-2.6.39.3/include/linux/mm.h 2011-05-22 19:36:33.000000000 -0400
64137 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
64138
64139 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
64140 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
64141 +
64142 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64143 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
64144 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
64145 +#else
64146 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
64147 +#endif
64148 +
64149 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
64150 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
64151
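Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch `VM_SAO` is defined as 0 but keeps the comment "Strong Access Ordering (powerpc)", and nothing explains that `VM_PAGEEXEC` takes over bit 0x20000000. A reader cannot tell that every `vm_flags & VM_SAO` test becomes constant false in this configuration, or that the two flags must never be live together. A comment above the `#if` would cover it: `/* VM_SAO is only meaningful on powerpc; 32-bit x86 PAGEEXEC reuses its bit, so VM_SAO is 0 there */`.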
64152 @@ -1010,34 +1017,6 @@ int set_page_dirty(struct page *page);
64153 int set_page_dirty_lock(struct page *page);
64154 int clear_page_dirty_for_io(struct page *page);
64155
64156 -/* Is the vma a continuation of the stack vma above it? */
64157 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
64158 -{
64159 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
64160 -}
64161 -
64162 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
64163 - unsigned long addr)
64164 -{
64165 - return (vma->vm_flags & VM_GROWSDOWN) &&
64166 - (vma->vm_start == addr) &&
64167 - !vma_growsdown(vma->vm_prev, addr);
64168 -}
64169 -
64170 -/* Is the vma a continuation of the stack vma below it? */
64171 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
64172 -{
64173 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
64174 -}
64175 -
64176 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
64177 - unsigned long addr)
64178 -{
64179 - return (vma->vm_flags & VM_GROWSUP) &&
64180 - (vma->vm_end == addr) &&
64181 - !vma_growsup(vma->vm_next, addr);
64182 -}
64183 -
64184 extern unsigned long move_page_tables(struct vm_area_struct *vma,
64185 unsigned long old_addr, struct vm_area_struct *new_vma,
64186 unsigned long new_addr, unsigned long len);
64187 @@ -1189,6 +1168,15 @@ struct shrinker {
64188 extern void register_shrinker(struct shrinker *);
64189 extern void unregister_shrinker(struct shrinker *);
64190
64191 +#ifdef CONFIG_MMU
64192 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
64193 +#else
64194 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64195 +{
64196 + return __pgprot(0);
64197 +}
64198 +#endif
64199 +
64200 int vma_wants_writenotify(struct vm_area_struct *vma);
64201
64202 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
64203 @@ -1476,6 +1464,7 @@ out:
64204 }
64205
64206 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
64207 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
64208
64209 extern unsigned long do_brk(unsigned long, unsigned long);
64210
64211 @@ -1532,6 +1521,10 @@ extern struct vm_area_struct * find_vma(
64212 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
64213 struct vm_area_struct **pprev);
64214
64215 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
64216 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
64217 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
64218 +
64219 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
64220 NULL if none. Assume start_addr < end_addr. */
64221 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
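Review bot: The three `pax_*mirror*` prototypes are added without any comment on their contract, and `pax_mirror_file_pte()` takes a `spinlock_t *ptl` whose state on entry and exit is not stated. Mistakes around page-table locks are easy to make, so the header should say whether the caller holds `ptl` and whether the function returns with it still held; the definitions are outside this hunk, so I cannot tell which applies. It would also help to document when `pax_find_mirror_vma()` returns NULL and what the `long` returned by `pax_mirror_vma()` encodes, given that it is `__must_check`.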
64222 @@ -1548,15 +1541,6 @@ static inline unsigned long vma_pages(st
64223 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
64224 }
64225
64226 -#ifdef CONFIG_MMU
64227 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
64228 -#else
64229 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64230 -{
64231 - return __pgprot(0);
64232 -}
64233 -#endif
64234 -
64235 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
64236 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
64237 unsigned long pfn, unsigned long size, pgprot_t);
64238 @@ -1668,7 +1652,7 @@ extern int unpoison_memory(unsigned long
64239 extern int sysctl_memory_failure_early_kill;
64240 extern int sysctl_memory_failure_recovery;
64241 extern void shake_page(struct page *p, int access);
64242 -extern atomic_long_t mce_bad_pages;
64243 +extern atomic_long_unchecked_t mce_bad_pages;
64244 extern int soft_offline_page(struct page *page, int flags);
64245
64246 extern void dump_page(struct page *page);
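Review bot: `mce_bad_pages` is switched to `atomic_long_unchecked_t` with no comment saying why it is safe to exempt it from overflow checking. As I understand this patch set, the `_unchecked` types opt a counter out of the reference-count overflow protection, which is only appropriate for statistics and sequence numbers whose wrap-around cannot lead to an object being freed or reused. A one-line rationale such as `/* statistic, not a reference count: wrap is harmless */` at each conversion would let a reviewer audit them. The same applies to `vm_stat` in mmzone.h, the `oprofilefs_create_ro_atomic()` argument in oprofile.h, `seq_nr` in padata.h and the `child_*` counters in perf_event.h.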
64247 @@ -1682,5 +1666,11 @@ extern void copy_user_huge_page(struct p
64248 unsigned int pages_per_huge_page);
64249 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
64250
64251 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64252 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
64253 +#else
64254 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
64255 +#endif
64256 +
64257 #endif /* __KERNEL__ */
64258 #endif /* _LINUX_MM_H */
64259 diff -urNp linux-2.6.39.3/include/linux/mm_types.h linux-2.6.39.3/include/linux/mm_types.h
64260 --- linux-2.6.39.3/include/linux/mm_types.h 2011-05-19 00:06:34.000000000 -0400
64261 +++ linux-2.6.39.3/include/linux/mm_types.h 2011-05-22 19:36:33.000000000 -0400
64262 @@ -183,6 +183,8 @@ struct vm_area_struct {
64263 #ifdef CONFIG_NUMA
64264 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
64265 #endif
64266 +
64267 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
64268 };
64269
64270 struct core_thread {
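Review bot: `vm_mirror` is added to every `vm_area_struct` unconditionally, while the PaX fields added to `mm_struct` in the next hunk are all wrapped in `#if`/`#ifdef`. If the mirror is only used by one PaX feature (not determinable from this hunk), guarding the field the same way avoids growing every VMA on kernels built without it. The comment "mirror vma or NULL" should also say who clears the pointer when either VMA of the pair is unmapped or split, since a stale `vm_mirror` would be a dangling pointer.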
64271 @@ -317,6 +319,24 @@ struct mm_struct {
64272 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
64273 pgtable_t pmd_huge_pte; /* protected by page_table_lock */
64274 #endif
64275 +
64276 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64277 + unsigned long pax_flags;
64278 +#endif
64279 +
64280 +#ifdef CONFIG_PAX_DLRESOLVE
64281 + unsigned long call_dl_resolve;
64282 +#endif
64283 +
64284 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
64285 + unsigned long call_syscall;
64286 +#endif
64287 +
64288 +#ifdef CONFIG_PAX_ASLR
64289 + unsigned long delta_mmap; /* randomized offset */
64290 + unsigned long delta_stack; /* randomized offset */
64291 +#endif
64292 +
64293 };
64294
64295 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
64296 diff -urNp linux-2.6.39.3/include/linux/mmu_notifier.h linux-2.6.39.3/include/linux/mmu_notifier.h
64297 --- linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-19 00:06:34.000000000 -0400
64298 +++ linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-22 19:36:33.000000000 -0400
64299 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
64300 */
64301 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
64302 ({ \
64303 - pte_t __pte; \
64304 + pte_t ___pte; \
64305 struct vm_area_struct *___vma = __vma; \
64306 unsigned long ___address = __address; \
64307 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
64308 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
64309 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
64310 - __pte; \
64311 + ___pte; \
64312 })
64313
64314 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
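Review bot: The rename of the macro-local from `__pte` to `___pte` carries no comment, so the reason (presumably avoiding a clash with a name used inside one of the macro arguments) is left for the reader to guess. A short comment above the macro, e.g. `/* ___-prefixed locals must not collide with identifiers appearing in the macro arguments */`, would keep someone from tidying it back. `pmdp_clear_flush_notify()` starts on the last line of this hunk and its body is outside it; if it declares a `__pmd` local in the same way, it likely needs the same treatment.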
64315 diff -urNp linux-2.6.39.3/include/linux/mmzone.h linux-2.6.39.3/include/linux/mmzone.h
64316 --- linux-2.6.39.3/include/linux/mmzone.h 2011-05-19 00:06:34.000000000 -0400
64317 +++ linux-2.6.39.3/include/linux/mmzone.h 2011-05-22 19:36:33.000000000 -0400
64318 @@ -355,7 +355,7 @@ struct zone {
64319 unsigned long flags; /* zone flags, see below */
64320
64321 /* Zone statistics */
64322 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64323 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64324
64325 /*
64326 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
64327 diff -urNp linux-2.6.39.3/include/linux/mod_devicetable.h linux-2.6.39.3/include/linux/mod_devicetable.h
64328 --- linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-19 00:06:34.000000000 -0400
64329 +++ linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-22 19:36:33.000000000 -0400
64330 @@ -12,7 +12,7 @@
64331 typedef unsigned long kernel_ulong_t;
64332 #endif
64333
64334 -#define PCI_ANY_ID (~0)
64335 +#define PCI_ANY_ID ((__u16)~0)
64336
64337 struct pci_device_id {
64338 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
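Review bot: `PCI_ANY_ID` changes value, not just type: `(~0)` stored in the `__u32 vendor, device` fields shown in this hunk is 0xffffffff, while `((__u16)~0)` is 0x0000ffff. Code compiled against this header stays self-consistent, but any ID table or tool built with the old definition carries 0xffffffff wildcards that no longer compare equal, so consumers of this header outside the patched tree need checking. The second hunk takes a different route for `HID_ANY_ID` (`(~0U)`, which keeps all 32 bits set). A comment stating why the PCI wildcard is narrowed to 16 bits while the HID one is not would make the intent reviewable.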
64339 @@ -131,7 +131,7 @@ struct usb_device_id {
64340 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
64341 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
64342
64343 -#define HID_ANY_ID (~0)
64344 +#define HID_ANY_ID (~0U)
64345
64346 struct hid_device_id {
64347 __u16 bus;
64348 diff -urNp linux-2.6.39.3/include/linux/module.h linux-2.6.39.3/include/linux/module.h
64349 --- linux-2.6.39.3/include/linux/module.h 2011-05-19 00:06:34.000000000 -0400
64350 +++ linux-2.6.39.3/include/linux/module.h 2011-05-22 19:36:33.000000000 -0400
64351 @@ -324,19 +324,16 @@ struct module
64352 int (*init)(void);
64353
64354 /* If this is non-NULL, vfree after init() returns */
64355 - void *module_init;
64356 + void *module_init_rx, *module_init_rw;
64357
64358 /* Here is the actual code + data, vfree'd on unload. */
64359 - void *module_core;
64360 + void *module_core_rx, *module_core_rw;
64361
64362 /* Here are the sizes of the init and core sections */
64363 - unsigned int init_size, core_size;
64364 + unsigned int init_size_rw, core_size_rw;
64365
64366 /* The size of the executable code in each section. */
64367 - unsigned int init_text_size, core_text_size;
64368 -
64369 - /* Size of RO sections of the module (text+rodata) */
64370 - unsigned int init_ro_size, core_ro_size;
64371 + unsigned int init_size_rx, core_size_rx;
64372
64373 /* Arch-specific module values */
64374 struct mod_arch_specific arch;
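Review bot: The comments left in place no longer describe the fields beneath them. "Here are the sizes of the init and core sections" now sits above `init_size_rw, core_size_rw` only, "The size of the executable code in each section" sits above `init_size_rx, core_size_rx` (which, going by the deleted `init_ro_size` comment, may now cover read-only data as well as text), and "If this is non-NULL, vfree after init() returns" does not say which of `module_init_rx`/`module_init_rw` is meant. Suggested wording: `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the read-only/executable (rx) init and core regions */`, with the first comment changed to "If these are non-NULL, ...". `struct module` begins and ends outside the hunk.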
64375 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
64376 bool is_module_percpu_address(unsigned long addr);
64377 bool is_module_text_address(unsigned long addr);
64378
64379 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
64380 +{
64381 +
64382 +#ifdef CONFIG_PAX_KERNEXEC
64383 + if (ktla_ktva(addr) >= (unsigned long)start &&
64384 + ktla_ktva(addr) < (unsigned long)start + size)
64385 + return 1;
64386 +#endif
64387 +
64388 + return ((void *)addr >= start && (void *)addr < start + size);
64389 +}
64390 +
64391 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
64392 +{
64393 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
64394 +}
64395 +
64396 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
64397 +{
64398 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
64399 +}
64400 +
64401 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64402 +{
64403 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64404 +}
64405 +
64406 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64407 +{
64408 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64409 +}
64410 +
64411 static inline int within_module_core(unsigned long addr, struct module *mod)
64412 {
64413 - return (unsigned long)mod->module_core <= addr &&
64414 - addr < (unsigned long)mod->module_core + mod->core_size;
64415 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64416 }
64417
64418 static inline int within_module_init(unsigned long addr, struct module *mod)
64419 {
64420 - return (unsigned long)mod->module_init <= addr &&
64421 - addr < (unsigned long)mod->module_init + mod->init_size;
64422 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64423 }
64424
64425 /* Search for module by name: must hold module_mutex. */
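Review bot: `within_module_range()` mixes two styles of range check: the `CONFIG_PAX_KERNEXEC` branch compares `unsigned long` values, while the fallback compares `void *` and relies on GNU `void *` arithmetic in `start + size`. Writing the fallback as `return addr >= (unsigned long)start && addr < (unsigned long)start + size;` keeps both branches in one form. The helper never writes through its arguments, so `const void *start` here and `const struct module *mod` in the four wrappers would be more accurate, and the blank line after the opening brace can go. A one-line comment on what `ktla_ktva()` translates would help readers who only see this header.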
64426 diff -urNp linux-2.6.39.3/include/linux/moduleloader.h linux-2.6.39.3/include/linux/moduleloader.h
64427 --- linux-2.6.39.3/include/linux/moduleloader.h 2011-05-19 00:06:34.000000000 -0400
64428 +++ linux-2.6.39.3/include/linux/moduleloader.h 2011-05-22 19:36:33.000000000 -0400
64429 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64430 sections. Returns NULL on failure. */
64431 void *module_alloc(unsigned long size);
64432
64433 +#ifdef CONFIG_PAX_KERNEXEC
64434 +void *module_alloc_exec(unsigned long size);
64435 +#else
64436 +#define module_alloc_exec(x) module_alloc(x)
64437 +#endif
64438 +
64439 /* Free memory returned from module_alloc. */
64440 void module_free(struct module *mod, void *module_region);
64441
64442 +#ifdef CONFIG_PAX_KERNEXEC
64443 +void module_free_exec(struct module *mod, void *module_region);
64444 +#else
64445 +#define module_free_exec(x, y) module_free((x), (y))
64446 +#endif
64447 +
64448 /* Apply the given relocation to the (simplified) ELF. Return -error
64449 or 0. */
64450 int apply_relocate(Elf_Shdr *sechdrs,
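Review bot: `module_alloc_exec()` and `module_free_exec()` are introduced without stating the pairing rule, and the existing comment "Free memory returned from module_alloc" now reads as if `module_free()` were valid for both allocators. Under `CONFIG_PAX_KERNEXEC` the two are separate functions, so releasing an executable region with `module_free()` is presumably wrong; add `/* Executable part of a module: memory from module_alloc_exec() must be released with module_free_exec() */`. For the non-KERNEXEC fallbacks, `static inline` wrappers instead of the two `#define`s would keep argument type checking identical in both configurations.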
64451 diff -urNp linux-2.6.39.3/include/linux/moduleparam.h linux-2.6.39.3/include/linux/moduleparam.h
64452 --- linux-2.6.39.3/include/linux/moduleparam.h 2011-05-19 00:06:34.000000000 -0400
64453 +++ linux-2.6.39.3/include/linux/moduleparam.h 2011-05-22 19:36:33.000000000 -0400
64454 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
64455 * @len is usually just sizeof(string).
64456 */
64457 #define module_param_string(name, string, len, perm) \
64458 - static const struct kparam_string __param_string_##name \
64459 + static const struct kparam_string __param_string_##name __used \
64460 = { len, string }; \
64461 __module_param_call(MODULE_PARAM_PREFIX, name, \
64462 &param_ops_string, \
64463 @@ -285,48 +285,48 @@ static inline void destroy_params(const
64464 #define __param_check(name, p, type) \
64465 static inline type *__check_##name(void) { return(p); }
64466
64467 -extern struct kernel_param_ops param_ops_byte;
64468 +extern const struct kernel_param_ops param_ops_byte;
64469 extern int param_set_byte(const char *val, const struct kernel_param *kp);
64470 extern int param_get_byte(char *buffer, const struct kernel_param *kp);
64471 #define param_check_byte(name, p) __param_check(name, p, unsigned char)
64472
64473 -extern struct kernel_param_ops param_ops_short;
64474 +extern const struct kernel_param_ops param_ops_short;
64475 extern int param_set_short(const char *val, const struct kernel_param *kp);
64476 extern int param_get_short(char *buffer, const struct kernel_param *kp);
64477 #define param_check_short(name, p) __param_check(name, p, short)
64478
64479 -extern struct kernel_param_ops param_ops_ushort;
64480 +extern const struct kernel_param_ops param_ops_ushort;
64481 extern int param_set_ushort(const char *val, const struct kernel_param *kp);
64482 extern int param_get_ushort(char *buffer, const struct kernel_param *kp);
64483 #define param_check_ushort(name, p) __param_check(name, p, unsigned short)
64484
64485 -extern struct kernel_param_ops param_ops_int;
64486 +extern const struct kernel_param_ops param_ops_int;
64487 extern int param_set_int(const char *val, const struct kernel_param *kp);
64488 extern int param_get_int(char *buffer, const struct kernel_param *kp);
64489 #define param_check_int(name, p) __param_check(name, p, int)
64490
64491 -extern struct kernel_param_ops param_ops_uint;
64492 +extern const struct kernel_param_ops param_ops_uint;
64493 extern int param_set_uint(const char *val, const struct kernel_param *kp);
64494 extern int param_get_uint(char *buffer, const struct kernel_param *kp);
64495 #define param_check_uint(name, p) __param_check(name, p, unsigned int)
64496
64497 -extern struct kernel_param_ops param_ops_long;
64498 +extern const struct kernel_param_ops param_ops_long;
64499 extern int param_set_long(const char *val, const struct kernel_param *kp);
64500 extern int param_get_long(char *buffer, const struct kernel_param *kp);
64501 #define param_check_long(name, p) __param_check(name, p, long)
64502
64503 -extern struct kernel_param_ops param_ops_ulong;
64504 +extern const struct kernel_param_ops param_ops_ulong;
64505 extern int param_set_ulong(const char *val, const struct kernel_param *kp);
64506 extern int param_get_ulong(char *buffer, const struct kernel_param *kp);
64507 #define param_check_ulong(name, p) __param_check(name, p, unsigned long)
64508
64509 -extern struct kernel_param_ops param_ops_charp;
64510 +extern const struct kernel_param_ops param_ops_charp;
64511 extern int param_set_charp(const char *val, const struct kernel_param *kp);
64512 extern int param_get_charp(char *buffer, const struct kernel_param *kp);
64513 #define param_check_charp(name, p) __param_check(name, p, char *)
64514
64515 /* For historical reasons "bool" parameters can be (unsigned) "int". */
64516 -extern struct kernel_param_ops param_ops_bool;
64517 +extern const struct kernel_param_ops param_ops_bool;
64518 extern int param_set_bool(const char *val, const struct kernel_param *kp);
64519 extern int param_get_bool(char *buffer, const struct kernel_param *kp);
64520 #define param_check_bool(name, p) \
64521 @@ -337,7 +337,7 @@ extern int param_get_bool(char *buffer,
64522 !__same_type((p), int *)); \
64523 }
64524
64525 -extern struct kernel_param_ops param_ops_invbool;
64526 +extern const struct kernel_param_ops param_ops_invbool;
64527 extern int param_set_invbool(const char *val, const struct kernel_param *kp);
64528 extern int param_get_invbool(char *buffer, const struct kernel_param *kp);
64529 #define param_check_invbool(name, p) __param_check(name, p, bool)
64530 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
64531 * module_param_named() for why this might be necessary.
64532 */
64533 #define module_param_array_named(name, array, type, nump, perm) \
64534 - static const struct kparam_array __param_arr_##name \
64535 + static const struct kparam_array __param_arr_##name __used \
64536 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
64537 sizeof(array[0]), array }; \
64538 __module_param_call(MODULE_PARAM_PREFIX, name, \
64539 @@ -379,9 +379,9 @@ extern int param_get_invbool(char *buffe
64540 __same_type(array[0], bool), perm); \
64541 __MODULE_PARM_TYPE(name, "array of " #type)
64542
64543 -extern struct kernel_param_ops param_array_ops;
64544 +extern const struct kernel_param_ops param_array_ops;
64545
64546 -extern struct kernel_param_ops param_ops_string;
64547 +extern const struct kernel_param_ops param_ops_string;
64548 extern int param_set_copystring(const char *val, const struct kernel_param *);
64549 extern int param_get_string(char *buffer, const struct kernel_param *kp);
64550
64551 diff -urNp linux-2.6.39.3/include/linux/mutex.h linux-2.6.39.3/include/linux/mutex.h
64552 --- linux-2.6.39.3/include/linux/mutex.h 2011-05-19 00:06:34.000000000 -0400
64553 +++ linux-2.6.39.3/include/linux/mutex.h 2011-05-22 19:36:33.000000000 -0400
64554 @@ -51,7 +51,7 @@ struct mutex {
64555 spinlock_t wait_lock;
64556 struct list_head wait_list;
64557 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64558 - struct thread_info *owner;
64559 + struct task_struct *owner;
64560 #endif
64561 #ifdef CONFIG_DEBUG_MUTEXES
64562 const char *name;
64563 diff -urNp linux-2.6.39.3/include/linux/namei.h linux-2.6.39.3/include/linux/namei.h
64564 --- linux-2.6.39.3/include/linux/namei.h 2011-05-19 00:06:34.000000000 -0400
64565 +++ linux-2.6.39.3/include/linux/namei.h 2011-05-22 19:36:33.000000000 -0400
64566 @@ -24,7 +24,7 @@ struct nameidata {
64567 unsigned seq;
64568 int last_type;
64569 unsigned depth;
64570 - char *saved_names[MAX_NESTED_LINKS + 1];
64571 + const char *saved_names[MAX_NESTED_LINKS + 1];
64572
64573 /* Intent data */
64574 union {
64575 @@ -91,12 +91,12 @@ extern int follow_up(struct path *);
64576 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64577 extern void unlock_rename(struct dentry *, struct dentry *);
64578
64579 -static inline void nd_set_link(struct nameidata *nd, char *path)
64580 +static inline void nd_set_link(struct nameidata *nd, const char *path)
64581 {
64582 nd->saved_names[nd->depth] = path;
64583 }
64584
64585 -static inline char *nd_get_link(struct nameidata *nd)
64586 +static inline const char *nd_get_link(const struct nameidata *nd)
64587 {
64588 return nd->saved_names[nd->depth];
64589 }
64590 diff -urNp linux-2.6.39.3/include/linux/netfilter/xt_gradm.h linux-2.6.39.3/include/linux/netfilter/xt_gradm.h
64591 --- linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64592 +++ linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 2011-05-22 19:41:42.000000000 -0400
64593 @@ -0,0 +1,9 @@
64594 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
64595 +#define _LINUX_NETFILTER_XT_GRADM_H 1
64596 +
64597 +struct xt_gradm_mtinfo {
64598 + __u16 flags;
64599 + __u16 invflags;
64600 +};
64601 +
64602 +#endif
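Review bot: The new header uses `__u16` but includes nothing, so it only compiles when whatever includes it has already pulled in the type definitions. Since the struct looks like match data shared with the userspace side of the extension (inferred from its location under include/linux/netfilter), it should be self-contained: add `#include <linux/types.h>` after the guard. A short comment on which bits `flags` and `invflags` carry, and a `/* _LINUX_NETFILTER_XT_GRADM_H */` on the closing `#endif`, would round it off.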
64603 diff -urNp linux-2.6.39.3/include/linux/oprofile.h linux-2.6.39.3/include/linux/oprofile.h
64604 --- linux-2.6.39.3/include/linux/oprofile.h 2011-05-19 00:06:34.000000000 -0400
64605 +++ linux-2.6.39.3/include/linux/oprofile.h 2011-05-22 19:36:33.000000000 -0400
64606 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
64607 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64608 char const * name, ulong * val);
64609
64610 -/** Create a file for read-only access to an atomic_t. */
64611 +/** Create a file for read-only access to an atomic_unchecked_t. */
64612 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64613 - char const * name, atomic_t * val);
64614 + char const * name, atomic_unchecked_t * val);
64615
64616 /** create a directory */
64617 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64618 diff -urNp linux-2.6.39.3/include/linux/padata.h linux-2.6.39.3/include/linux/padata.h
64619 --- linux-2.6.39.3/include/linux/padata.h 2011-05-19 00:06:34.000000000 -0400
64620 +++ linux-2.6.39.3/include/linux/padata.h 2011-05-22 19:36:33.000000000 -0400
64621 @@ -129,7 +129,7 @@ struct parallel_data {
64622 struct padata_instance *pinst;
64623 struct padata_parallel_queue __percpu *pqueue;
64624 struct padata_serial_queue __percpu *squeue;
64625 - atomic_t seq_nr;
64626 + atomic_unchecked_t seq_nr;
64627 atomic_t reorder_objects;
64628 atomic_t refcnt;
64629 unsigned int max_seq_nr;
64630 diff -urNp linux-2.6.39.3/include/linux/pci.h linux-2.6.39.3/include/linux/pci.h
64631 --- linux-2.6.39.3/include/linux/pci.h 2011-05-19 00:06:34.000000000 -0400
64632 +++ linux-2.6.39.3/include/linux/pci.h 2011-05-22 19:36:33.000000000 -0400
64633 @@ -411,7 +411,7 @@ struct pci_bus {
64634 struct resource *resource[PCI_BRIDGE_RESOURCE_NUM];
64635 struct list_head resources; /* address space routed to this bus */
64636
64637 - struct pci_ops *ops; /* configuration access functions */
64638 + const struct pci_ops *ops; /* configuration access functions */
64639 void *sysdata; /* hook for sys-specific extension */
64640 struct proc_dir_entry *procdir; /* directory entry in /proc/bus/pci */
64641
64642 @@ -550,7 +550,7 @@ struct pci_driver {
64643 int (*resume_early) (struct pci_dev *dev);
64644 int (*resume) (struct pci_dev *dev); /* Device woken up */
64645 void (*shutdown) (struct pci_dev *dev);
64646 - struct pci_error_handlers *err_handler;
64647 + const struct pci_error_handlers *err_handler;
64648 struct device_driver driver;
64649 struct pci_dynids dynids;
64650 };
64651 @@ -639,7 +639,7 @@ void pcibios_scan_specific_bus(int busn)
64652 extern struct pci_bus *pci_find_bus(int domain, int busnr);
64653 void pci_bus_add_devices(const struct pci_bus *bus);
64654 struct pci_bus *pci_scan_bus_parented(struct device *parent, int bus,
64655 - struct pci_ops *ops, void *sysdata);
64656 + const struct pci_ops *ops, void *sysdata);
64657 static inline struct pci_bus * __devinit pci_scan_bus(int bus, struct pci_ops *ops,
64658 void *sysdata)
64659 {
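Review bot: `pci_scan_bus_parented()` now takes `const struct pci_ops *ops`, but the inline wrapper `pci_scan_bus()` declared directly below it in this hunk still takes `struct pci_ops *ops`. Callers that hold a const operations table would have to cast `const` away to use the wrapper, which defeats the point of the change. Change the wrapper's signature to `static inline struct pci_bus * __devinit pci_scan_bus(int bus, const struct pci_ops *ops,`; its body continues past the end of this hunk.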
64660 @@ -650,7 +650,7 @@ static inline struct pci_bus * __devinit
64661 return root_bus;
64662 }
64663 struct pci_bus *pci_create_bus(struct device *parent, int bus,
64664 - struct pci_ops *ops, void *sysdata);
64665 + const struct pci_ops *ops, void *sysdata);
64666 struct pci_bus *pci_add_new_bus(struct pci_bus *parent, struct pci_dev *dev,
64667 int busnr);
64668 void pcie_update_link_speed(struct pci_bus *bus, u16 link_status);
64669 @@ -727,7 +727,7 @@ int pci_bus_write_config_word(struct pci
64670 int where, u16 val);
64671 int pci_bus_write_config_dword(struct pci_bus *bus, unsigned int devfn,
64672 int where, u32 val);
64673 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops);
64674 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops);
64675
64676 static inline int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val)
64677 {
64678 diff -urNp linux-2.6.39.3/include/linux/perf_event.h linux-2.6.39.3/include/linux/perf_event.h
64679 --- linux-2.6.39.3/include/linux/perf_event.h 2011-05-19 00:06:34.000000000 -0400
64680 +++ linux-2.6.39.3/include/linux/perf_event.h 2011-05-22 19:36:33.000000000 -0400
64681 @@ -759,8 +759,8 @@ struct perf_event {
64682
64683 enum perf_event_active_state state;
64684 unsigned int attach_state;
64685 - local64_t count;
64686 - atomic64_t child_count;
64687 + local64_t count; /* PaX: fix it one day */
64688 + atomic64_unchecked_t child_count;
64689
64690 /*
64691 * These are the total time in nanoseconds that the event
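Review bot: The added comment `/* PaX: fix it one day */` on `count` does not say what is wrong or what the fix would be. From the neighbouring conversion of `child_count` to `atomic64_unchecked_t` it looks as if `count` should also be exempt from overflow checking once a `local64_t` equivalent exists, but that is a guess. If that is the meaning, spell it out, e.g. `/* PaX: statistic counter; needs an unchecked local64 variant */`, so the TODO can be acted on.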
64692 @@ -811,8 +811,8 @@ struct perf_event {
64693 * These accumulate total time (in nanoseconds) that children
64694 * events have been enabled and running, respectively.
64695 */
64696 - atomic64_t child_total_time_enabled;
64697 - atomic64_t child_total_time_running;
64698 + atomic64_unchecked_t child_total_time_enabled;
64699 + atomic64_unchecked_t child_total_time_running;
64700
64701 /*
64702 * Protect attach/detach and child_list:
64703 @@ -1090,9 +1090,9 @@ void perf_event_task_sched_out(struct ta
64704 }
64705
64706 extern void perf_event_mmap(struct vm_area_struct *vma);
64707 -extern struct perf_guest_info_callbacks *perf_guest_cbs;
64708 -extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64709 -extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64710 +extern const struct perf_guest_info_callbacks *perf_guest_cbs;
64711 +extern int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64712 +extern int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64713
64714 extern void perf_event_comm(struct task_struct *tsk);
64715 extern void perf_event_fork(struct task_struct *tsk);
64716 diff -urNp linux-2.6.39.3/include/linux/pipe_fs_i.h linux-2.6.39.3/include/linux/pipe_fs_i.h
64717 --- linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-19 00:06:34.000000000 -0400
64718 +++ linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-22 19:36:33.000000000 -0400
64719 @@ -46,9 +46,9 @@ struct pipe_buffer {
64720 struct pipe_inode_info {
64721 wait_queue_head_t wait;
64722 unsigned int nrbufs, curbuf, buffers;
64723 - unsigned int readers;
64724 - unsigned int writers;
64725 - unsigned int waiting_writers;
64726 + atomic_t readers;
64727 + atomic_t writers;
64728 + atomic_t waiting_writers;
64729 unsigned int r_counter;
64730 unsigned int w_counter;
64731 struct page *tmp_page;
64732 diff -urNp linux-2.6.39.3/include/linux/pm.h linux-2.6.39.3/include/linux/pm.h
64733 --- linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:18:51.000000000 -0400
64734 +++ linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:19:24.000000000 -0400
64735 @@ -268,7 +268,7 @@ const struct dev_pm_ops name = { \
64736 * runtime PM, make the pm member point to generic_subsys_pm_ops.
64737 */
64738 #ifdef CONFIG_PM
64739 -extern struct dev_pm_ops generic_subsys_pm_ops;
64740 +extern const struct dev_pm_ops generic_subsys_pm_ops;
64741 #define GENERIC_SUBSYS_PM_OPS (&generic_subsys_pm_ops)
64742 #else
64743 #define GENERIC_SUBSYS_PM_OPS NULL
64744 @@ -472,7 +472,7 @@ extern void update_pm_runtime_accounting
64745 * subsystem-level and driver-level callbacks.
64746 */
64747 struct dev_power_domain {
64748 - struct dev_pm_ops ops;
64749 + const struct dev_pm_ops ops;
64750 };
64751
64752 /*
64753 diff -urNp linux-2.6.39.3/include/linux/pm_runtime.h linux-2.6.39.3/include/linux/pm_runtime.h
64754 --- linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-19 00:06:34.000000000 -0400
64755 +++ linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-22 19:36:33.000000000 -0400
64756 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
64757
64758 static inline void pm_runtime_mark_last_busy(struct device *dev)
64759 {
64760 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
64761 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
64762 }
64763
64764 #else /* !CONFIG_PM_RUNTIME */
64765 diff -urNp linux-2.6.39.3/include/linux/poison.h linux-2.6.39.3/include/linux/poison.h
64766 --- linux-2.6.39.3/include/linux/poison.h 2011-05-19 00:06:34.000000000 -0400
64767 +++ linux-2.6.39.3/include/linux/poison.h 2011-05-22 19:36:33.000000000 -0400
64768 @@ -19,8 +19,8 @@
64769 * under normal circumstances, used to verify that nobody uses
64770 * non-initialized list entries.
64771 */
64772 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64773 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64774 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64775 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64776
64777 /********** include/linux/timer.h **********/
64778 /*
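Review bot: The new `LIST_POISON1`/`LIST_POISON2` values are written as `(long)0xFFFFFF01`, where the literal has type unsigned int, so on an LP64 build the cast zero-extends to 0x00000000FFFFFF01 instead of an address at the top of the address space. They also drop `POISON_POINTER_DELTA`, so the per-architecture offset no longer applies. The comment above still promises a page fault "under normal circumstances", which on 64-bit then depends on that low range being unmapped or inaccessible from kernel mode. If a sign-extended value was intended, `((void *) (long)(int)0xFFFFFF01)` yields it on both word sizes with GCC. Either way the comment should state which range the poison is meant to land in and why the delta was removed.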
64779 diff -urNp linux-2.6.39.3/include/linux/posix-timers.h linux-2.6.39.3/include/linux/posix-timers.h
64780 --- linux-2.6.39.3/include/linux/posix-timers.h 2011-05-19 00:06:34.000000000 -0400
64781 +++ linux-2.6.39.3/include/linux/posix-timers.h 2011-05-22 19:36:33.000000000 -0400
64782 @@ -102,10 +102,10 @@ struct k_clock {
64783 struct itimerspec * cur_setting);
64784 };
64785
64786 -extern struct k_clock clock_posix_cpu;
64787 -extern struct k_clock clock_posix_dynamic;
64788 +extern const struct k_clock clock_posix_cpu;
64789 +extern const struct k_clock clock_posix_dynamic;
64790
64791 -void posix_timers_register_clock(const clockid_t clock_id, struct k_clock *new_clock);
64792 +void posix_timers_register_clock(const clockid_t clock_id, const struct k_clock *new_clock);
64793
64794 /* function to call to trigger timer event */
64795 int posix_timer_event(struct k_itimer *timr, int si_private);
64796 diff -urNp linux-2.6.39.3/include/linux/proc_fs.h linux-2.6.39.3/include/linux/proc_fs.h
64797 --- linux-2.6.39.3/include/linux/proc_fs.h 2011-05-19 00:06:34.000000000 -0400
64798 +++ linux-2.6.39.3/include/linux/proc_fs.h 2011-05-22 19:41:42.000000000 -0400
64799 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64800 return proc_create_data(name, mode, parent, proc_fops, NULL);
64801 }
64802
64803 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64804 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64805 +{
64806 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64807 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64808 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64809 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64810 +#else
64811 + return proc_create_data(name, mode, parent, proc_fops, NULL);
64812 +#endif
64813 +}
64814 +
64815 +
64816 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64817 mode_t mode, struct proc_dir_entry *base,
64818 read_proc_t *read_proc, void * data)
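Review bot: `proc_create_grsec()` silently discards the caller's `mode` when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, including any write bits the caller passed, and nothing in the hunk documents that. A comment above the helper would make the contract explicit, for example `/* Like proc_create(), but the entry is forced to 0400 (PROC_USER) or 0440 (PROC_USERGROUP); mode is honoured only when neither option is set. */`. If an entry that needs owner write access is ever created through it, `mode & (S_IRUSR | S_IWUSR)` would restrict the caller's mode rather than replace it. The hunk also leaves two consecutive blank lines after the function.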
64819 diff -urNp linux-2.6.39.3/include/linux/ptrace.h linux-2.6.39.3/include/linux/ptrace.h
64820 --- linux-2.6.39.3/include/linux/ptrace.h 2011-05-19 00:06:34.000000000 -0400
64821 +++ linux-2.6.39.3/include/linux/ptrace.h 2011-05-22 19:41:42.000000000 -0400
64822 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
64823 extern void exit_ptrace(struct task_struct *tracer);
64824 #define PTRACE_MODE_READ 1
64825 #define PTRACE_MODE_ATTACH 2
64826 -/* Returns 0 on success, -errno on denial. */
64827 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64828 /* Returns true on success, false on denial. */
64829 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64830 +/* Returns true on success, false on denial. */
64831 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64832
64833 static inline int ptrace_reparented(struct task_struct *child)
64834 {
64835 diff -urNp linux-2.6.39.3/include/linux/random.h linux-2.6.39.3/include/linux/random.h
64836 --- linux-2.6.39.3/include/linux/random.h 2011-05-19 00:06:34.000000000 -0400
64837 +++ linux-2.6.39.3/include/linux/random.h 2011-05-22 19:36:33.000000000 -0400
64838 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
64839
64840 u32 prandom32(struct rnd_state *);
64841
64842 +static inline unsigned long pax_get_random_long(void)
64843 +{
64844 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64845 +}
64846 +
64847 /*
64848 * Handle minimum values for seeds
64849 */
64850 static inline u32 __seed(u32 x, u32 m)
64851 {
64852 - return (x < m) ? x + m : x;
64853 + return (x <= m) ? x + m + 1 : x;
64854 }
64855
64856 /**
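Review bot: `pax_get_random_long()` is built from `random32()`, which the surrounding declarations (`srandom32`, `prandom32`, `struct rnd_state`) show to be the seeded pseudo-random generator rather than the entropy-pool interface, and the helper carries no comment on what strength of randomness it offers. If callers use the result for anything that must be unpredictable, as the name suggests, it should draw from the pool instead, e.g. `unsigned long r; get_random_bytes(&r, sizeof(r)); return r;`. If a fast non-cryptographic value is really what is wanted, say so in a comment so nobody reuses it for layout randomisation or secrets. Separately, combining the halves with `+` works only because the shifted half has zero low bits; `|` states the intent more plainly.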
64857 diff -urNp linux-2.6.39.3/include/linux/reboot.h linux-2.6.39.3/include/linux/reboot.h
64858 --- linux-2.6.39.3/include/linux/reboot.h 2011-05-19 00:06:34.000000000 -0400
64859 +++ linux-2.6.39.3/include/linux/reboot.h 2011-05-22 19:36:33.000000000 -0400
64860 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64861 * Architecture-specific implementations of sys_reboot commands.
64862 */
64863
64864 -extern void machine_restart(char *cmd);
64865 -extern void machine_halt(void);
64866 -extern void machine_power_off(void);
64867 +extern void machine_restart(char *cmd) __noreturn;
64868 +extern void machine_halt(void) __noreturn;
64869 +extern void machine_power_off(void) __noreturn;
64870
64871 extern void machine_shutdown(void);
64872 struct pt_regs;
64873 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64874 */
64875
64876 extern void kernel_restart_prepare(char *cmd);
64877 -extern void kernel_restart(char *cmd);
64878 -extern void kernel_halt(void);
64879 -extern void kernel_power_off(void);
64880 +extern void kernel_restart(char *cmd) __noreturn;
64881 +extern void kernel_halt(void) __noreturn;
64882 +extern void kernel_power_off(void) __noreturn;
64883
64884 extern int C_A_D; /* for sysctl */
64885 void ctrl_alt_del(void);
64886 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
64887 * Emergency restart, callable from an interrupt handler.
64888 */
64889
64890 -extern void emergency_restart(void);
64891 +extern void emergency_restart(void) __noreturn;
64892 #include <asm/emergency-restart.h>
64893
64894 #endif
64895 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs.h linux-2.6.39.3/include/linux/reiserfs_fs.h
64896 --- linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-19 00:06:34.000000000 -0400
64897 +++ linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-22 19:36:33.000000000 -0400
64898 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
64899 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64900
64901 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64902 -#define get_generation(s) atomic_read (&fs_generation(s))
64903 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64904 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64905 #define __fs_changed(gen,s) (gen != get_generation (s))
64906 #define fs_changed(gen,s) \
64907 @@ -1618,24 +1618,24 @@ static inline struct super_block *sb_fro
64908 */
64909
64910 struct item_operations {
64911 - int (*bytes_number) (struct item_head * ih, int block_size);
64912 - void (*decrement_key) (struct cpu_key *);
64913 - int (*is_left_mergeable) (struct reiserfs_key * ih,
64914 + int (* const bytes_number) (struct item_head * ih, int block_size);
64915 + void (* const decrement_key) (struct cpu_key *);
64916 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
64917 unsigned long bsize);
64918 - void (*print_item) (struct item_head *, char *item);
64919 - void (*check_item) (struct item_head *, char *item);
64920 + void (* const print_item) (struct item_head *, char *item);
64921 + void (* const check_item) (struct item_head *, char *item);
64922
64923 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64924 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64925 int is_affected, int insert_size);
64926 - int (*check_left) (struct virtual_item * vi, int free,
64927 + int (* const check_left) (struct virtual_item * vi, int free,
64928 int start_skip, int end_skip);
64929 - int (*check_right) (struct virtual_item * vi, int free);
64930 - int (*part_size) (struct virtual_item * vi, int from, int to);
64931 - int (*unit_num) (struct virtual_item * vi);
64932 - void (*print_vi) (struct virtual_item * vi);
64933 + int (* const check_right) (struct virtual_item * vi, int free);
64934 + int (* const part_size) (struct virtual_item * vi, int from, int to);
64935 + int (* const unit_num) (struct virtual_item * vi);
64936 + void (* const print_vi) (struct virtual_item * vi);
64937 };
64938
64939 -extern struct item_operations *item_ops[TYPE_ANY + 1];
64940 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64941
64942 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64943 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
64944 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs_sb.h linux-2.6.39.3/include/linux/reiserfs_fs_sb.h
64945 --- linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-19 00:06:34.000000000 -0400
64946 +++ linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-22 19:36:33.000000000 -0400
64947 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
64948 /* Comment? -Hans */
64949 wait_queue_head_t s_wait;
64950 /* To be obsoleted soon by per buffer seals.. -Hans */
64951 - atomic_t s_generation_counter; // increased by one every time the
64952 + atomic_unchecked_t s_generation_counter; // increased by one every time the
64953 // tree gets re-balanced
64954 unsigned long s_properties; /* File system properties. Currently holds
64955 on-disk FS format */
64956 diff -urNp linux-2.6.39.3/include/linux/rmap.h linux-2.6.39.3/include/linux/rmap.h
64957 --- linux-2.6.39.3/include/linux/rmap.h 2011-05-19 00:06:34.000000000 -0400
64958 +++ linux-2.6.39.3/include/linux/rmap.h 2011-05-22 19:36:33.000000000 -0400
64959 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
64960 void anon_vma_init(void); /* create anon_vma_cachep */
64961 int anon_vma_prepare(struct vm_area_struct *);
64962 void unlink_anon_vmas(struct vm_area_struct *);
64963 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
64964 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
64965 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
64966 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
64967 void __anon_vma_link(struct vm_area_struct *);
64968
64969 static inline void anon_vma_merge(struct vm_area_struct *vma,
64970 diff -urNp linux-2.6.39.3/include/linux/sched.h linux-2.6.39.3/include/linux/sched.h
64971 --- linux-2.6.39.3/include/linux/sched.h 2011-05-19 00:06:34.000000000 -0400
64972 +++ linux-2.6.39.3/include/linux/sched.h 2011-07-14 21:03:15.000000000 -0400
64973 @@ -100,6 +100,7 @@ struct bio_list;
64974 struct fs_struct;
64975 struct perf_event_context;
64976 struct blk_plug;
64977 +struct linux_binprm;
64978
64979 /*
64980 * List of flags we want to share for kernel threads,
64981 @@ -360,7 +361,7 @@ extern signed long schedule_timeout_inte
64982 extern signed long schedule_timeout_killable(signed long timeout);
64983 extern signed long schedule_timeout_uninterruptible(signed long timeout);
64984 asmlinkage void schedule(void);
64985 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
64986 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
64987
64988 struct nsproxy;
64989 struct user_namespace;
64990 @@ -381,10 +382,13 @@ struct user_namespace;
64991 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
64992
64993 extern int sysctl_max_map_count;
64994 +extern unsigned long sysctl_heap_stack_gap;
64995
64996 #include <linux/aio.h>
64997
64998 #ifdef CONFIG_MMU
64999 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
65000 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
65001 extern void arch_pick_mmap_layout(struct mm_struct *mm);
65002 extern unsigned long
65003 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
65004 @@ -629,6 +633,17 @@ struct signal_struct {
65005 #ifdef CONFIG_TASKSTATS
65006 struct taskstats *stats;
65007 #endif
65008 +
65009 +#ifdef CONFIG_GRKERNSEC
65010 + u32 curr_ip;
65011 + u32 saved_ip;
65012 + u32 gr_saddr;
65013 + u32 gr_daddr;
65014 + u16 gr_sport;
65015 + u16 gr_dport;
65016 + u8 used_accept:1;
65017 +#endif
65018 +
65019 #ifdef CONFIG_AUDIT
65020 unsigned audit_tty;
65021 struct tty_audit_buf *tty_audit_buf;
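Review bot: The fields added to `struct signal_struct` under `CONFIG_GRKERNSEC` are plain `u32`/`u16` with no comment on their contents or byte order. If they hold socket endpoints, as names like `gr_saddr` and `gr_dport` suggest, `__be32`/`__be16` would let sparse check the byte order. A 32-bit address field also cannot represent an IPv6 peer, so how such connections are recorded needs a note. A one-line comment per group, e.g. `/* endpoint of the connection this process was accepted on (IPv4 only) */`, would be enough if that is what they store. `struct signal_struct` starts and ends outside the hunk.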
65022 @@ -701,6 +716,11 @@ struct user_struct {
65023 struct key *session_keyring; /* UID's default session keyring */
65024 #endif
65025
65026 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
65027 + unsigned int banned;
65028 + unsigned long ban_expires;
65029 +#endif
65030 +
65031 /* Hash table maintenance information */
65032 struct hlist_node uidhash_node;
65033 uid_t uid;
65034 @@ -1310,8 +1330,8 @@ struct task_struct {
65035 struct list_head thread_group;
65036
65037 struct completion *vfork_done; /* for vfork() */
65038 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65039 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65040 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65041 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65042
65043 cputime_t utime, stime, utimescaled, stimescaled;
65044 cputime_t gtime;
65045 @@ -1327,13 +1347,6 @@ struct task_struct {
65046 struct task_cputime cputime_expires;
65047 struct list_head cpu_timers[3];
65048
65049 -/* process credentials */
65050 - const struct cred __rcu *real_cred; /* objective and real subjective task
65051 - * credentials (COW) */
65052 - const struct cred __rcu *cred; /* effective (overridable) subjective task
65053 - * credentials (COW) */
65054 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65055 -
65056 char comm[TASK_COMM_LEN]; /* executable name excluding path
65057 - access with [gs]et_task_comm (which lock
65058 it with task_lock())
65059 @@ -1350,8 +1363,16 @@ struct task_struct {
65060 #endif
65061 /* CPU-specific state of this task */
65062 struct thread_struct thread;
65063 +/* thread_info moved to task_struct */
65064 +#ifdef CONFIG_X86
65065 + struct thread_info tinfo;
65066 +#endif
65067 /* filesystem information */
65068 struct fs_struct *fs;
65069 +
65070 + const struct cred __rcu *cred; /* effective (overridable) subjective task
65071 + * credentials (COW) */
65072 +
65073 /* open file information */
65074 struct files_struct *files;
65075 /* namespaces */
65076 @@ -1398,6 +1419,11 @@ struct task_struct {
65077 struct rt_mutex_waiter *pi_blocked_on;
65078 #endif
65079
65080 +/* process credentials */
65081 + const struct cred __rcu *real_cred; /* objective and real subjective task
65082 + * credentials (COW) */
65083 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65084 +
65085 #ifdef CONFIG_DEBUG_MUTEXES
65086 /* mutex deadlock detection */
65087 struct mutex_waiter *blocked_on;
65088 @@ -1508,6 +1534,21 @@ struct task_struct {
65089 unsigned long default_timer_slack_ns;
65090
65091 struct list_head *scm_work_list;
65092 +
65093 +#ifdef CONFIG_GRKERNSEC
65094 + /* grsecurity */
65095 + struct dentry *gr_chroot_dentry;
65096 + struct acl_subject_label *acl;
65097 + struct acl_role_label *role;
65098 + struct file *exec_file;
65099 + u16 acl_role_id;
65100 + /* is this the task that authenticated to the special role */
65101 + u8 acl_sp_role;
65102 + u8 is_writable;
65103 + u8 brute;
65104 + u8 gr_is_chrooted;
65105 +#endif
65106 +
65107 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
65108 /* Index of current stored address in ret_stack */
65109 int curr_ret_stack;
65110 @@ -1542,6 +1583,57 @@ struct task_struct {
65111 #endif
65112 };
65113
65114 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65115 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65116 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65117 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65118 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65119 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65120 +
65121 +#ifdef CONFIG_PAX_SOFTMODE
65122 +extern unsigned int pax_softmode;
65123 +#endif
65124 +
65125 +extern int pax_check_flags(unsigned long *);
65126 +
65127 +/* if tsk != current then task_lock must be held on it */
65128 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65129 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
65130 +{
65131 + if (likely(tsk->mm))
65132 + return tsk->mm->pax_flags;
65133 + else
65134 + return 0UL;
65135 +}
65136 +
65137 +/* if tsk != current then task_lock must be held on it */
65138 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65139 +{
65140 + if (likely(tsk->mm)) {
65141 + tsk->mm->pax_flags = flags;
65142 + return 0;
65143 + }
65144 + return -EINVAL;
65145 +}
65146 +#endif
65147 +
65148 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65149 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
65150 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65151 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65152 +#endif
65153 +
65154 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65155 +extern void pax_report_insns(void *pc, void *sp);
65156 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
65157 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
65158 +
65159 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65160 +extern void pax_track_stack(void);
65161 +#else
65162 +static inline void pax_track_stack(void) {}
65163 +#endif
65164 +
65165 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65166 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
65167
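Review bot: `pax_get_flags()` and `pax_set_flags()` are defined only when `CONFIG_PAX_NOEXEC` or `CONFIG_PAX_ASLR` is set, with no fallback, while `pax_track_stack()` a few lines below gets an empty stub for the disabled case. Every caller of the flag accessors therefore needs its own `#ifdef`; adding `#else` stubs as sketched below would make the two patterns consistent. `pax_set_flags()` also returns `long` for a 0/-EINVAL result where `int` is the usual choice. The locking rule in the comment (task_lock held when `tsk != current`) is stated but not asserted anywhere in the hunk. The `pax_set_initial_flags_func` hook is a writable global function pointer; if it is assigned once during initialisation, making it read-only afterwards would match the const-ification done elsewhere in this patch.

```c
/* … unchanged: pax_get_flags()/pax_set_flags() under CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR … */
#else
static inline unsigned long pax_get_flags(struct task_struct *tsk)
{
	return 0UL;
}

static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
{
	return -EINVAL;
}
#endif
```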
65168 @@ -2009,7 +2101,9 @@ void yield(void);
65169 extern struct exec_domain default_exec_domain;
65170
65171 union thread_union {
65172 +#ifndef CONFIG_X86
65173 struct thread_info thread_info;
65174 +#endif
65175 unsigned long stack[THREAD_SIZE/sizeof(long)];
65176 };
65177
65178 @@ -2042,6 +2136,7 @@ extern struct pid_namespace init_pid_ns;
65179 */
65180
65181 extern struct task_struct *find_task_by_vpid(pid_t nr);
65182 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
65183 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
65184 struct pid_namespace *ns);
65185
65186 @@ -2179,7 +2274,7 @@ extern void __cleanup_sighand(struct sig
65187 extern void exit_itimers(struct signal_struct *);
65188 extern void flush_itimer_signals(void);
65189
65190 -extern NORET_TYPE void do_group_exit(int);
65191 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65192
65193 extern void daemonize(const char *, ...);
65194 extern int allow_signal(int);
65195 @@ -2320,13 +2415,17 @@ static inline unsigned long *end_of_stac
65196
65197 #endif
65198
65199 -static inline int object_is_on_stack(void *obj)
65200 +static inline int object_starts_on_stack(void *obj)
65201 {
65202 - void *stack = task_stack_page(current);
65203 + const void *stack = task_stack_page(current);
65204
65205 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
65206 }
65207
65208 +#ifdef CONFIG_PAX_USERCOPY
65209 +extern int object_is_on_stack(const void *obj, unsigned long len);
65210 +#endif
65211 +
65212 extern void thread_info_cache_init(void);
65213
65214 #ifdef CONFIG_DEBUG_STACK_USAGE
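Review bot: `object_starts_on_stack()` still takes `void *obj` although the hunk makes the local `stack` pointer const and the new `object_is_on_stack()` takes `const void *`. The parameter should become `const void *obj` so callers holding const pointers need no cast. The two-argument `object_is_on_stack()` reuses the old name with a different signature and is declared only under `CONFIG_PAX_USERCOPY`. It needs a comment stating what its `int` result means for an object that lies fully on, partly on, or off the current stack. One-argument callers outside this file have to be renamed to `object_starts_on_stack()`, otherwise they fail to build or, with `CONFIG_PAX_USERCOPY`, hit the new prototype.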
65215 diff -urNp linux-2.6.39.3/include/linux/screen_info.h linux-2.6.39.3/include/linux/screen_info.h
65216 --- linux-2.6.39.3/include/linux/screen_info.h 2011-05-19 00:06:34.000000000 -0400
65217 +++ linux-2.6.39.3/include/linux/screen_info.h 2011-05-22 19:36:33.000000000 -0400
65218 @@ -43,7 +43,8 @@ struct screen_info {
65219 __u16 pages; /* 0x32 */
65220 __u16 vesa_attributes; /* 0x34 */
65221 __u32 capabilities; /* 0x36 */
65222 - __u8 _reserved[6]; /* 0x3a */
65223 + __u16 vesapm_size; /* 0x3a */
65224 + __u8 _reserved[4]; /* 0x3c */
65225 } __attribute__((packed));
65226
65227 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
65228 diff -urNp linux-2.6.39.3/include/linux/security.h linux-2.6.39.3/include/linux/security.h
65229 --- linux-2.6.39.3/include/linux/security.h 2011-05-19 00:06:34.000000000 -0400
65230 +++ linux-2.6.39.3/include/linux/security.h 2011-05-22 19:41:42.000000000 -0400
65231 @@ -36,6 +36,7 @@
65232 #include <linux/key.h>
65233 #include <linux/xfrm.h>
65234 #include <linux/slab.h>
65235 +#include <linux/grsecurity.h>
65236 #include <net/flow.h>
65237
65238 /* Maximum number of letters for an LSM name string */
65239 diff -urNp linux-2.6.39.3/include/linux/shm.h linux-2.6.39.3/include/linux/shm.h
65240 --- linux-2.6.39.3/include/linux/shm.h 2011-05-19 00:06:34.000000000 -0400
65241 +++ linux-2.6.39.3/include/linux/shm.h 2011-05-22 19:41:42.000000000 -0400
65242 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
65243 pid_t shm_cprid;
65244 pid_t shm_lprid;
65245 struct user_struct *mlock_user;
65246 +#ifdef CONFIG_GRKERNSEC
65247 + time_t shm_createtime;
65248 + pid_t shm_lapid;
65249 +#endif
65250 };
65251
65252 /* shm_mode upper byte flags */
65253 diff -urNp linux-2.6.39.3/include/linux/skbuff.h linux-2.6.39.3/include/linux/skbuff.h
65254 --- linux-2.6.39.3/include/linux/skbuff.h 2011-05-19 00:06:34.000000000 -0400
65255 +++ linux-2.6.39.3/include/linux/skbuff.h 2011-07-06 20:00:13.000000000 -0400
65256 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
65257 */
65258 static inline int skb_queue_empty(const struct sk_buff_head *list)
65259 {
65260 - return list->next == (struct sk_buff *)list;
65261 + return list->next == (const struct sk_buff *)list;
65262 }
65263
65264 /**
65265 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
65266 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
65267 const struct sk_buff *skb)
65268 {
65269 - return skb->next == (struct sk_buff *)list;
65270 + return skb->next == (const struct sk_buff *)list;
65271 }
65272
65273 /**
65274 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
65275 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
65276 const struct sk_buff *skb)
65277 {
65278 - return skb->prev == (struct sk_buff *)list;
65279 + return skb->prev == (const struct sk_buff *)list;
65280 }
65281
65282 /**
65283 @@ -1435,7 +1435,7 @@ static inline int pskb_network_may_pull(
65284 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
65285 */
65286 #ifndef NET_SKB_PAD
65287 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
65288 +#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
65289 #endif
65290
65291 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
65292 diff -urNp linux-2.6.39.3/include/linux/slab_def.h linux-2.6.39.3/include/linux/slab_def.h
65293 --- linux-2.6.39.3/include/linux/slab_def.h 2011-05-19 00:06:34.000000000 -0400
65294 +++ linux-2.6.39.3/include/linux/slab_def.h 2011-05-22 19:36:33.000000000 -0400
65295 @@ -96,10 +96,10 @@ struct kmem_cache {
65296 unsigned long node_allocs;
65297 unsigned long node_frees;
65298 unsigned long node_overflow;
65299 - atomic_t allochit;
65300 - atomic_t allocmiss;
65301 - atomic_t freehit;
65302 - atomic_t freemiss;
65303 + atomic_unchecked_t allochit;
65304 + atomic_unchecked_t allocmiss;
65305 + atomic_unchecked_t freehit;
65306 + atomic_unchecked_t freemiss;
65307
65308 /*
65309 * If debugging is enabled, then the allocator can add additional
65310 diff -urNp linux-2.6.39.3/include/linux/slab.h linux-2.6.39.3/include/linux/slab.h
65311 --- linux-2.6.39.3/include/linux/slab.h 2011-05-19 00:06:34.000000000 -0400
65312 +++ linux-2.6.39.3/include/linux/slab.h 2011-05-23 17:07:00.000000000 -0400
65313 @@ -11,12 +11,20 @@
65314
65315 #include <linux/gfp.h>
65316 #include <linux/types.h>
65317 +#include <linux/err.h>
65318
65319 /*
65320 * Flags to pass to kmem_cache_create().
65321 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
65322 */
65323 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
65324 +
65325 +#ifdef CONFIG_PAX_USERCOPY
65326 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
65327 +#else
65328 +#define SLAB_USERCOPY 0x00000000UL
65329 +#endif
65330 +
65331 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
65332 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
65333 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
65334 @@ -87,10 +95,13 @@
65335 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
65336 * Both make kfree a no-op.
65337 */
65338 -#define ZERO_SIZE_PTR ((void *)16)
65339 +#define ZERO_SIZE_PTR \
65340 +({ \
65341 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
65342 + (void *)(-MAX_ERRNO-1L); \
65343 +})
65344
65345 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
65346 - (unsigned long)ZERO_SIZE_PTR)
65347 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
65348
65349 /*
65350 * struct kmem_cache related prototypes
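Review bot: The comment above `ZERO_SIZE_PTR` is left unchanged although the hunk changes both its value and what `ZERO_OR_NULL_PTR()` accepts. The new test `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1` is true for NULL (the subtraction wraps) and for every address from `ZERO_SIZE_PTR` upward, which includes the whole `ERR_PTR` range. Code guarded by it, such as kfree per the existing comment, therefore treats error pointers as no-ops too. That should be written down, e.g. `/* ZERO_SIZE_PTR sits just below the ERR_PTR range; ZERO_OR_NULL_PTR() is true for NULL, ZERO_SIZE_PTR and any ERR_PTR value. */`. `ZERO_SIZE_PTR` is now a statement expression, so it can no longer be used in a static initialiser or other constant-expression context.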
65351 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void
65352 void kfree(const void *);
65353 void kzfree(const void *);
65354 size_t ksize(const void *);
65355 +void check_object_size(const void *ptr, unsigned long n, bool to);
65356
65357 /*
65358 * Allocator specific definitions. These are mainly used to establish optimized
65359 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
65360
65361 void __init kmem_cache_init_late(void);
65362
65363 +#define kmalloc(x, y) \
65364 +({ \
65365 + void *___retval; \
65366 + intoverflow_t ___x = (intoverflow_t)x; \
65367 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
65368 + ___retval = NULL; \
65369 + else \
65370 + ___retval = kmalloc((size_t)___x, (y)); \
65371 + ___retval; \
65372 +})
65373 +
65374 +#define kmalloc_node(x, y, z) \
65375 +({ \
65376 + void *___retval; \
65377 + intoverflow_t ___x = (intoverflow_t)x; \
65378 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
65379 + ___retval = NULL; \
65380 + else \
65381 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
65382 + ___retval; \
65383 +})
65384 +
65385 +#define kzalloc(x, y) \
65386 +({ \
65387 + void *___retval; \
65388 + intoverflow_t ___x = (intoverflow_t)x; \
65389 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
65390 + ___retval = NULL; \
65391 + else \
65392 + ___retval = kzalloc((size_t)___x, (y)); \
65393 + ___retval; \
65394 +})
65395 +
65396 +#define __krealloc(x, y, z) \
65397 +({ \
65398 + void *___retval; \
65399 + intoverflow_t ___y = (intoverflow_t)y; \
65400 + if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
65401 + ___retval = NULL; \
65402 + else \
65403 + ___retval = __krealloc((x), (size_t)___y, (z)); \
65404 + ___retval; \
65405 +})
65406 +
65407 +#define krealloc(x, y, z) \
65408 +({ \
65409 + void *___retval; \
65410 + intoverflow_t ___y = (intoverflow_t)y; \
65411 + if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
65412 + ___retval = NULL; \
65413 + else \
65414 + ___retval = krealloc((x), (size_t)___y, (z)); \
65415 + ___retval; \
65416 +})
65417 +
65418 #endif /* _LINUX_SLAB_H */
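Review bot: The wrappers cast with `(intoverflow_t)x` and `(intoverflow_t)y` without parenthesising the macro argument, so for an argument such as `n * size` the cast binds to the first operand only. That looks deliberate, since it makes the multiplication happen in the wider type so the `> ULONG_MAX` test can see the overflow, but nothing says so, and a later "fix" adding the parentheses would silently disable the check. Only the leading operand is widened: in `a + n * size` the product is still computed in the narrow type, and in a conditional expression the cast lands on the condition. A comment above the first macro should record this, e.g. `/* x is intentionally not parenthesised: the cast must bind to the first operand so the size is computed in intoverflow_t */`. The check is also a no-op wherever `intoverflow_t` is no wider than `unsigned long`; its definition is outside this hunk.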
65419 diff -urNp linux-2.6.39.3/include/linux/slub_def.h linux-2.6.39.3/include/linux/slub_def.h
65420 --- linux-2.6.39.3/include/linux/slub_def.h 2011-05-19 00:06:34.000000000 -0400
65421 +++ linux-2.6.39.3/include/linux/slub_def.h 2011-05-22 19:36:33.000000000 -0400
65422 @@ -84,7 +84,7 @@ struct kmem_cache {
65423 struct kmem_cache_order_objects max;
65424 struct kmem_cache_order_objects min;
65425 gfp_t allocflags; /* gfp flags to use on each alloc */
65426 - int refcount; /* Refcount for slab cache destroy */
65427 + atomic_t refcount; /* Refcount for slab cache destroy */
65428 void (*ctor)(void *);
65429 int inuse; /* Offset to metadata */
65430 int align; /* Alignment */
65431 diff -urNp linux-2.6.39.3/include/linux/sonet.h linux-2.6.39.3/include/linux/sonet.h
65432 --- linux-2.6.39.3/include/linux/sonet.h 2011-05-19 00:06:34.000000000 -0400
65433 +++ linux-2.6.39.3/include/linux/sonet.h 2011-05-22 19:36:33.000000000 -0400
65434 @@ -61,7 +61,7 @@ struct sonet_stats {
65435 #include <asm/atomic.h>
65436
65437 struct k_sonet_stats {
65438 -#define __HANDLE_ITEM(i) atomic_t i
65439 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
65440 __SONET_ITEMS
65441 #undef __HANDLE_ITEM
65442 };
65443 diff -urNp linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h
65444 --- linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-19 00:06:34.000000000 -0400
65445 +++ linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-22 19:36:33.000000000 -0400
65446 @@ -44,7 +44,7 @@ struct ssb_gige {
65447
65448 /* The PCI controller device. */
65449 struct pci_controller pci_controller;
65450 - struct pci_ops pci_ops;
65451 + const struct pci_ops pci_ops;
65452 struct resource mem_resource;
65453 struct resource io_resource;
65454 };
65455 diff -urNp linux-2.6.39.3/include/linux/sunrpc/clnt.h linux-2.6.39.3/include/linux/sunrpc/clnt.h
65456 --- linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-19 00:06:34.000000000 -0400
65457 +++ linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-22 19:36:33.000000000 -0400
65458 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
65459 {
65460 switch (sap->sa_family) {
65461 case AF_INET:
65462 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
65463 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65464 case AF_INET6:
65465 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65466 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65467 }
65468 return 0;
65469 }
65470 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
65471 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65472 const struct sockaddr *src)
65473 {
65474 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65475 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65476 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65477
65478 dsin->sin_family = ssin->sin_family;
65479 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
65480 if (sa->sa_family != AF_INET6)
65481 return 0;
65482
65483 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65484 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65485 }
65486
65487 #endif /* __KERNEL__ */
65488 diff -urNp linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h
65489 --- linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-19 00:06:34.000000000 -0400
65490 +++ linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-22 19:36:33.000000000 -0400
65491 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65492 extern unsigned int svcrdma_max_requests;
65493 extern unsigned int svcrdma_max_req_size;
65494
65495 -extern atomic_t rdma_stat_recv;
65496 -extern atomic_t rdma_stat_read;
65497 -extern atomic_t rdma_stat_write;
65498 -extern atomic_t rdma_stat_sq_starve;
65499 -extern atomic_t rdma_stat_rq_starve;
65500 -extern atomic_t rdma_stat_rq_poll;
65501 -extern atomic_t rdma_stat_rq_prod;
65502 -extern atomic_t rdma_stat_sq_poll;
65503 -extern atomic_t rdma_stat_sq_prod;
65504 +extern atomic_unchecked_t rdma_stat_recv;
65505 +extern atomic_unchecked_t rdma_stat_read;
65506 +extern atomic_unchecked_t rdma_stat_write;
65507 +extern atomic_unchecked_t rdma_stat_sq_starve;
65508 +extern atomic_unchecked_t rdma_stat_rq_starve;
65509 +extern atomic_unchecked_t rdma_stat_rq_poll;
65510 +extern atomic_unchecked_t rdma_stat_rq_prod;
65511 +extern atomic_unchecked_t rdma_stat_sq_poll;
65512 +extern atomic_unchecked_t rdma_stat_sq_prod;
65513
65514 #define RPCRDMA_VERSION 1
65515
65516 diff -urNp linux-2.6.39.3/include/linux/suspend.h linux-2.6.39.3/include/linux/suspend.h
65517 --- linux-2.6.39.3/include/linux/suspend.h 2011-05-19 00:06:34.000000000 -0400
65518 +++ linux-2.6.39.3/include/linux/suspend.h 2011-05-22 19:36:33.000000000 -0400
65519 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
65520 * which require special recovery actions in that situation.
65521 */
65522 struct platform_suspend_ops {
65523 - int (*valid)(suspend_state_t state);
65524 - int (*begin)(suspend_state_t state);
65525 - int (*prepare)(void);
65526 - int (*prepare_late)(void);
65527 - int (*enter)(suspend_state_t state);
65528 - void (*wake)(void);
65529 - void (*finish)(void);
65530 - void (*end)(void);
65531 - void (*recover)(void);
65532 + int (* const valid)(suspend_state_t state);
65533 + int (* const begin)(suspend_state_t state);
65534 + int (* const prepare)(void);
65535 + int (* const prepare_late)(void);
65536 + int (* const enter)(suspend_state_t state);
65537 + void (* const wake)(void);
65538 + void (* const finish)(void);
65539 + void (* const end)(void);
65540 + void (* const recover)(void);
65541 };
65542
65543 #ifdef CONFIG_SUSPEND
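Review bot: Qualifying each member as `(* const name)` makes every struct platform_suspend_ops object non-assignable, so an instance can only be populated by an initializer; the kernel-doc comment above the struct (it starts outside this hunk) should say so. I would add a line such as ` * All callbacks are const: set them in the initializer, never at run time.` to that comment. Platform code that fills in or patches callbacks after definition will stop compiling, which is the intended effect but is easier to diagnose when it is documented. The same note applies to struct platform_hibernation_ops in the next hunk, struct sysfs_ops in sysfs.h and struct neigh_ops in net/neighbour.h.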
65544 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
65545 * platforms which require special recovery actions in that situation.
65546 */
65547 struct platform_hibernation_ops {
65548 - int (*begin)(void);
65549 - void (*end)(void);
65550 - int (*pre_snapshot)(void);
65551 - void (*finish)(void);
65552 - int (*prepare)(void);
65553 - int (*enter)(void);
65554 - void (*leave)(void);
65555 - int (*pre_restore)(void);
65556 - void (*restore_cleanup)(void);
65557 - void (*recover)(void);
65558 + int (* const begin)(void);
65559 + void (* const end)(void);
65560 + int (* const pre_snapshot)(void);
65561 + void (* const finish)(void);
65562 + int (* const prepare)(void);
65563 + int (* const enter)(void);
65564 + void (* const leave)(void);
65565 + int (* const pre_restore)(void);
65566 + void (* const restore_cleanup)(void);
65567 + void (* const recover)(void);
65568 };
65569
65570 #ifdef CONFIG_HIBERNATION
65571 diff -urNp linux-2.6.39.3/include/linux/sysctl.h linux-2.6.39.3/include/linux/sysctl.h
65572 --- linux-2.6.39.3/include/linux/sysctl.h 2011-05-19 00:06:34.000000000 -0400
65573 +++ linux-2.6.39.3/include/linux/sysctl.h 2011-05-22 19:41:42.000000000 -0400
65574 @@ -155,7 +155,11 @@ enum
65575 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65576 };
65577
65578 -
65579 +#ifdef CONFIG_PAX_SOFTMODE
65580 +enum {
65581 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65582 +};
65583 +#endif
65584
65585 /* CTL_VM names: */
65586 enum
65587 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
65588
65589 extern int proc_dostring(struct ctl_table *, int,
65590 void __user *, size_t *, loff_t *);
65591 +extern int proc_dostring_modpriv(struct ctl_table *, int,
65592 + void __user *, size_t *, loff_t *);
65593 extern int proc_dointvec(struct ctl_table *, int,
65594 void __user *, size_t *, loff_t *);
65595 extern int proc_dointvec_minmax(struct ctl_table *, int,
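Review bot: `proc_dostring_modpriv` is declared next to `proc_dostring` with an identical signature and no comment on how the two differ. The name suggests an additional privilege check before the string is read or written, but that is not visible here, and a table author choosing a handler needs to know which one enforces it. I would add a one-line comment above the declaration, for example `/* like proc_dostring, but <describe the additional permission check> */`.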
65596 diff -urNp linux-2.6.39.3/include/linux/sysfs.h linux-2.6.39.3/include/linux/sysfs.h
65597 --- linux-2.6.39.3/include/linux/sysfs.h 2011-05-19 00:06:34.000000000 -0400
65598 +++ linux-2.6.39.3/include/linux/sysfs.h 2011-05-22 19:36:33.000000000 -0400
65599 @@ -110,8 +110,8 @@ struct bin_attribute {
65600 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
65601
65602 struct sysfs_ops {
65603 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
65604 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65605 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65606 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65607 };
65608
65609 struct sysfs_dirent;
65610 diff -urNp linux-2.6.39.3/include/linux/tty.h linux-2.6.39.3/include/linux/tty.h
65611 --- linux-2.6.39.3/include/linux/tty.h 2011-05-19 00:06:34.000000000 -0400
65612 +++ linux-2.6.39.3/include/linux/tty.h 2011-05-22 19:36:33.000000000 -0400
65613 @@ -13,6 +13,7 @@
65614 #include <linux/tty_driver.h>
65615 #include <linux/tty_ldisc.h>
65616 #include <linux/mutex.h>
65617 +#include <linux/poll.h>
65618
65619 #include <asm/system.h>
65620
65621 @@ -466,7 +467,6 @@ extern int tty_perform_flush(struct tty_
65622 extern dev_t tty_devnum(struct tty_struct *tty);
65623 extern void proc_clear_tty(struct task_struct *p);
65624 extern struct tty_struct *get_current_tty(void);
65625 -extern void tty_default_fops(struct file_operations *fops);
65626 extern struct tty_struct *alloc_tty_struct(void);
65627 extern int tty_add_file(struct tty_struct *tty, struct file *file);
65628 extern void free_tty_struct(struct tty_struct *tty);
65629 @@ -529,6 +529,18 @@ extern void tty_ldisc_begin(void);
65630 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65631 extern void tty_ldisc_enable(struct tty_struct *tty);
65632
65633 +/* tty_io.c */
65634 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
65635 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
65636 +extern unsigned int tty_poll(struct file *, poll_table *);
65637 +#ifdef CONFIG_COMPAT
65638 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
65639 + unsigned long arg);
65640 +#else
65641 +#define tty_compat_ioctl NULL
65642 +#endif
65643 +extern int tty_release(struct inode *, struct file *);
65644 +extern int tty_fasync(int fd, struct file *filp, int on);
65645
65646 /* n_tty.c */
65647 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
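Review bot: The new `/* tty_io.c */` block exposes tty_read, tty_write, tty_poll, tty_compat_ioctl, tty_release and tty_fasync to every includer of tty.h without saying who is meant to use them. Since the previous hunk removes `tty_default_fops()`, they presumably exist so that other file_operations tables can be written as constant initializers; a comment stating that, e.g. `/* exported only for building const file_operations tables */`, would keep this interface from growing by accident. `#define tty_compat_ioctl NULL` is only meaningful as a function-pointer initializer, which is another reason to document the intended use.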
65648 diff -urNp linux-2.6.39.3/include/linux/tty_ldisc.h linux-2.6.39.3/include/linux/tty_ldisc.h
65649 --- linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-19 00:06:34.000000000 -0400
65650 +++ linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-22 19:36:33.000000000 -0400
65651 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
65652
65653 struct module *owner;
65654
65655 - int refcount;
65656 + atomic_t refcount;
65657 };
65658
65659 struct tty_ldisc {
65660 diff -urNp linux-2.6.39.3/include/linux/types.h linux-2.6.39.3/include/linux/types.h
65661 --- linux-2.6.39.3/include/linux/types.h 2011-05-19 00:06:34.000000000 -0400
65662 +++ linux-2.6.39.3/include/linux/types.h 2011-05-22 19:36:33.000000000 -0400
65663 @@ -213,10 +213,26 @@ typedef struct {
65664 int counter;
65665 } atomic_t;
65666
65667 +#ifdef CONFIG_PAX_REFCOUNT
65668 +typedef struct {
65669 + int counter;
65670 +} atomic_unchecked_t;
65671 +#else
65672 +typedef atomic_t atomic_unchecked_t;
65673 +#endif
65674 +
65675 #ifdef CONFIG_64BIT
65676 typedef struct {
65677 long counter;
65678 } atomic64_t;
65679 +
65680 +#ifdef CONFIG_PAX_REFCOUNT
65681 +typedef struct {
65682 + long counter;
65683 +} atomic64_unchecked_t;
65684 +#else
65685 +typedef atomic64_t atomic64_unchecked_t;
65686 +#endif
65687 #endif
65688
65689 struct list_head {
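Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment saying when each type is the right choice. With CONFIG_PAX_REFCOUNT disabled they are plain aliases of `atomic_t` and `atomic64_t`, so passing one to an accessor meant for the other compiles silently and the mismatch only shows up in a build with the option enabled. I would put a comment above the first definition, e.g. `/* for counters where wraparound is harmless (statistics, sequence numbers); never for reference counts */`, and build-test both configurations.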
65690 diff -urNp linux-2.6.39.3/include/linux/uaccess.h linux-2.6.39.3/include/linux/uaccess.h
65691 --- linux-2.6.39.3/include/linux/uaccess.h 2011-05-19 00:06:34.000000000 -0400
65692 +++ linux-2.6.39.3/include/linux/uaccess.h 2011-05-22 19:36:33.000000000 -0400
65693 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65694 long ret; \
65695 mm_segment_t old_fs = get_fs(); \
65696 \
65697 - set_fs(KERNEL_DS); \
65698 pagefault_disable(); \
65699 + set_fs(KERNEL_DS); \
65700 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65701 - pagefault_enable(); \
65702 set_fs(old_fs); \
65703 + pagefault_enable(); \
65704 ret; \
65705 })
65706
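Review bot: The reordering moves both `set_fs()` calls inside the pagefault-disabled region, but nothing in the macro says that the order matters. In the old order KERNEL_DS was already active before `pagefault_disable()` ran and stayed active after `pagefault_enable()`; a later cleanup could restore that order without noticing. I would add `/* keep set_fs() inside the pagefault-disabled region */ \` above `pagefault_disable();`. The macro starts outside this hunk, so its name and the rest of its body are not visible here.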
65707 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
65708 * Safely read from address @src to the buffer at @dst. If a kernel fault
65709 * happens, handle that and return -EFAULT.
65710 */
65711 -extern long probe_kernel_read(void *dst, void *src, size_t size);
65712 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
65713 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
65714 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
65715
65716 /*
65717 * probe_kernel_write(): safely attempt to write to a location
65718 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
65719 * Safely write to address @dst from the buffer at @src. If a kernel fault
65720 * happens, handle that and return -EFAULT.
65721 */
65722 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
65723 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
65724 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
65725 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
65726
65727 #endif /* __LINUX_UACCESS_H__ */
65728 diff -urNp linux-2.6.39.3/include/linux/unaligned/access_ok.h linux-2.6.39.3/include/linux/unaligned/access_ok.h
65729 --- linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-19 00:06:34.000000000 -0400
65730 +++ linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-22 19:36:33.000000000 -0400
65731 @@ -6,32 +6,32 @@
65732
65733 static inline u16 get_unaligned_le16(const void *p)
65734 {
65735 - return le16_to_cpup((__le16 *)p);
65736 + return le16_to_cpup((const __le16 *)p);
65737 }
65738
65739 static inline u32 get_unaligned_le32(const void *p)
65740 {
65741 - return le32_to_cpup((__le32 *)p);
65742 + return le32_to_cpup((const __le32 *)p);
65743 }
65744
65745 static inline u64 get_unaligned_le64(const void *p)
65746 {
65747 - return le64_to_cpup((__le64 *)p);
65748 + return le64_to_cpup((const __le64 *)p);
65749 }
65750
65751 static inline u16 get_unaligned_be16(const void *p)
65752 {
65753 - return be16_to_cpup((__be16 *)p);
65754 + return be16_to_cpup((const __be16 *)p);
65755 }
65756
65757 static inline u32 get_unaligned_be32(const void *p)
65758 {
65759 - return be32_to_cpup((__be32 *)p);
65760 + return be32_to_cpup((const __be32 *)p);
65761 }
65762
65763 static inline u64 get_unaligned_be64(const void *p)
65764 {
65765 - return be64_to_cpup((__be64 *)p);
65766 + return be64_to_cpup((const __be64 *)p);
65767 }
65768
65769 static inline void put_unaligned_le16(u16 val, void *p)
65770 diff -urNp linux-2.6.39.3/include/linux/usb/hcd.h linux-2.6.39.3/include/linux/usb/hcd.h
65771 --- linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-19 00:06:34.000000000 -0400
65772 +++ linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-22 19:36:33.000000000 -0400
65773 @@ -615,7 +615,7 @@ struct usb_mon_operations {
65774 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
65775 };
65776
65777 -extern struct usb_mon_operations *mon_ops;
65778 +extern const struct usb_mon_operations *mon_ops;
65779
65780 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
65781 {
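Review bot: `extern const struct usb_mon_operations *mon_ops;` makes the operations table read-only, but the pointer variable `mon_ops` itself remains ordinary writable data. The inline usbmon_* helpers in this header dispatch through it, e.g. `(*mon_ops->urb_complete)(bus, urb, status)`, so the qualifier protects the table contents and not the pointer that selects the table. A comment on the declaration stating which functions assign the pointer (presumably usb_mon_register() and usb_mon_deregister()) would make the remaining writable state explicit. The same holds for `const struct virtio_config_ops *config;` in struct virtio_device.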
65782 @@ -637,7 +637,7 @@ static inline void usbmon_urb_complete(s
65783 (*mon_ops->urb_complete)(bus, urb, status);
65784 }
65785
65786 -int usb_mon_register(struct usb_mon_operations *ops);
65787 +int usb_mon_register(const struct usb_mon_operations *ops);
65788 void usb_mon_deregister(void);
65789
65790 #else
65791 diff -urNp linux-2.6.39.3/include/linux/usb/intel_mid_otg.h linux-2.6.39.3/include/linux/usb/intel_mid_otg.h
65792 --- linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-19 00:06:34.000000000 -0400
65793 +++ linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-22 19:36:33.000000000 -0400
65794 @@ -115,7 +115,7 @@ struct intel_mid_otg_xceiv {
65795 void __iomem *base;
65796
65797 /* ops to access ulpi */
65798 - struct iotg_ulpi_access_ops ulpi_ops;
65799 + const struct iotg_ulpi_access_ops ulpi_ops;
65800
65801 /* atomic notifier for interrupt context */
65802 struct atomic_notifier_head iotg_notifier;
65803 diff -urNp linux-2.6.39.3/include/linux/usb/ulpi.h linux-2.6.39.3/include/linux/usb/ulpi.h
65804 --- linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-19 00:06:34.000000000 -0400
65805 +++ linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-22 19:36:33.000000000 -0400
65806 @@ -186,7 +186,7 @@ struct otg_transceiver *otg_ulpi_create(
65807
65808 #ifdef CONFIG_USB_ULPI_VIEWPORT
65809 /* access ops for controllers with a viewport register */
65810 -extern struct otg_io_access_ops ulpi_viewport_access_ops;
65811 +extern const struct otg_io_access_ops ulpi_viewport_access_ops;
65812 #endif
65813
65814 #endif /* __LINUX_USB_ULPI_H */
65815 diff -urNp linux-2.6.39.3/include/linux/vga_switcheroo.h linux-2.6.39.3/include/linux/vga_switcheroo.h
65816 --- linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-19 00:06:34.000000000 -0400
65817 +++ linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-22 19:36:33.000000000 -0400
65818 @@ -39,7 +39,7 @@ int vga_switcheroo_register_client(struc
65819 void vga_switcheroo_client_fb_set(struct pci_dev *dev,
65820 struct fb_info *info);
65821
65822 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler);
65823 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler);
65824 void vga_switcheroo_unregister_handler(void);
65825
65826 int vga_switcheroo_process_delayed_switch(void);
65827 @@ -52,7 +52,7 @@ static inline int vga_switcheroo_registe
65828 void (*reprobe)(struct pci_dev *dev),
65829 bool (*can_switch)(struct pci_dev *dev)) { return 0; }
65830 static inline void vga_switcheroo_client_fb_set(struct pci_dev *dev, struct fb_info *info) {}
65831 -static inline int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler) { return 0; }
65832 +static inline int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler) { return 0; }
65833 static inline void vga_switcheroo_unregister_handler(void) {}
65834 static inline int vga_switcheroo_process_delayed_switch(void) { return 0; }
65835
65836 diff -urNp linux-2.6.39.3/include/linux/virtio.h linux-2.6.39.3/include/linux/virtio.h
65837 --- linux-2.6.39.3/include/linux/virtio.h 2011-05-19 00:06:34.000000000 -0400
65838 +++ linux-2.6.39.3/include/linux/virtio.h 2011-05-22 19:36:33.000000000 -0400
65839 @@ -102,7 +102,7 @@ struct virtio_device {
65840 int index;
65841 struct device dev;
65842 struct virtio_device_id id;
65843 - struct virtio_config_ops *config;
65844 + const struct virtio_config_ops *config;
65845 struct list_head vqs;
65846 /* Note that this is a Linux set_bit-style bitmap. */
65847 unsigned long features[1];
65848 diff -urNp linux-2.6.39.3/include/linux/vmalloc.h linux-2.6.39.3/include/linux/vmalloc.h
65849 --- linux-2.6.39.3/include/linux/vmalloc.h 2011-05-19 00:06:34.000000000 -0400
65850 +++ linux-2.6.39.3/include/linux/vmalloc.h 2011-05-22 19:36:33.000000000 -0400
65851 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65852 #define VM_MAP 0x00000004 /* vmap()ed pages */
65853 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65854 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65855 +
65856 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65857 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65858 +#endif
65859 +
65860 /* bits [20..32] reserved for arch specific ioremap internals */
65861
65862 /*
65863 @@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
65864 # endif
65865 #endif
65866
65867 +#define vmalloc(x) \
65868 +({ \
65869 + void *___retval; \
65870 + intoverflow_t ___x = (intoverflow_t)x; \
65871 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65872 + ___retval = NULL; \
65873 + else \
65874 + ___retval = vmalloc((unsigned long)___x); \
65875 + ___retval; \
65876 +})
65877 +
65878 +#define vzalloc(x) \
65879 +({ \
65880 + void *___retval; \
65881 + intoverflow_t ___x = (intoverflow_t)x; \
65882 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
65883 + ___retval = NULL; \
65884 + else \
65885 + ___retval = vzalloc((unsigned long)___x); \
65886 + ___retval; \
65887 +})
65888 +
65889 +#define __vmalloc(x, y, z) \
65890 +({ \
65891 + void *___retval; \
65892 + intoverflow_t ___x = (intoverflow_t)x; \
65893 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65894 + ___retval = NULL; \
65895 + else \
65896 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65897 + ___retval; \
65898 +})
65899 +
65900 +#define vmalloc_user(x) \
65901 +({ \
65902 + void *___retval; \
65903 + intoverflow_t ___x = (intoverflow_t)x; \
65904 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65905 + ___retval = NULL; \
65906 + else \
65907 + ___retval = vmalloc_user((unsigned long)___x); \
65908 + ___retval; \
65909 +})
65910 +
65911 +#define vmalloc_exec(x) \
65912 +({ \
65913 + void *___retval; \
65914 + intoverflow_t ___x = (intoverflow_t)x; \
65915 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65916 + ___retval = NULL; \
65917 + else \
65918 + ___retval = vmalloc_exec((unsigned long)___x); \
65919 + ___retval; \
65920 +})
65921 +
65922 +#define vmalloc_node(x, y) \
65923 +({ \
65924 + void *___retval; \
65925 + intoverflow_t ___x = (intoverflow_t)x; \
65926 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65927 + ___retval = NULL; \
65928 + else \
65929 + ___retval = vmalloc_node((unsigned long)___x, (y));\
65930 + ___retval; \
65931 +})
65932 +
65933 +#define vzalloc_node(x, y) \
65934 +({ \
65935 + void *___retval; \
65936 + intoverflow_t ___x = (intoverflow_t)x; \
65937 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
65938 + ___retval = NULL; \
65939 + else \
65940 + ___retval = vzalloc_node((unsigned long)___x, (y));\
65941 + ___retval; \
65942 +})
65943 +
65944 +#define vmalloc_32(x) \
65945 +({ \
65946 + void *___retval; \
65947 + intoverflow_t ___x = (intoverflow_t)x; \
65948 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65949 + ___retval = NULL; \
65950 + else \
65951 + ___retval = vmalloc_32((unsigned long)___x); \
65952 + ___retval; \
65953 +})
65954 +
65955 +#define vmalloc_32_user(x) \
65956 +({ \
65957 +void *___retval; \
65958 + intoverflow_t ___x = (intoverflow_t)x; \
65959 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
65960 + ___retval = NULL; \
65961 + else \
65962 + ___retval = vmalloc_32_user((unsigned long)___x);\
65963 + ___retval; \
65964 +})
65965 +
65966 #endif /* _LINUX_VMALLOC_H */
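Review bot: In all nine wrappers the argument is cast as `(intoverflow_t)x` without parentheses, which looks like a macro-hygiene bug but appears deliberate: for `vmalloc(n * size)` the cast binds to `n`, so the multiplication is evaluated in the wider type and the `> ULONG_MAX` test can see the overflow. That only works when the size expression begins with the operand that needs widening; in `vmalloc(hdr + n * size)` the product is still computed in the narrow type and wraps before the check. The check also depends on intoverflow_t being wider than unsigned long, and that type is defined outside this hunk. I would add one comment above the first macro, e.g. `/* x is intentionally unparenthesised so the cast widens the first operand of a size expression */`, and state the limitation there.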
65967 diff -urNp linux-2.6.39.3/include/linux/vmstat.h linux-2.6.39.3/include/linux/vmstat.h
65968 --- linux-2.6.39.3/include/linux/vmstat.h 2011-05-19 00:06:34.000000000 -0400
65969 +++ linux-2.6.39.3/include/linux/vmstat.h 2011-05-22 19:36:33.000000000 -0400
65970 @@ -147,18 +147,18 @@ static inline void vm_events_fold_cpu(in
65971 /*
65972 * Zone based page accounting with per cpu differentials.
65973 */
65974 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65975 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65976
65977 static inline void zone_page_state_add(long x, struct zone *zone,
65978 enum zone_stat_item item)
65979 {
65980 - atomic_long_add(x, &zone->vm_stat[item]);
65981 - atomic_long_add(x, &vm_stat[item]);
65982 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
65983 + atomic_long_add_unchecked(x, &vm_stat[item]);
65984 }
65985
65986 static inline unsigned long global_page_state(enum zone_stat_item item)
65987 {
65988 - long x = atomic_long_read(&vm_stat[item]);
65989 + long x = atomic_long_read_unchecked(&vm_stat[item]);
65990 #ifdef CONFIG_SMP
65991 if (x < 0)
65992 x = 0;
65993 @@ -169,7 +169,7 @@ static inline unsigned long global_page_
65994 static inline unsigned long zone_page_state(struct zone *zone,
65995 enum zone_stat_item item)
65996 {
65997 - long x = atomic_long_read(&zone->vm_stat[item]);
65998 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
65999 #ifdef CONFIG_SMP
66000 if (x < 0)
66001 x = 0;
66002 @@ -186,7 +186,7 @@ static inline unsigned long zone_page_st
66003 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
66004 enum zone_stat_item item)
66005 {
66006 - long x = atomic_long_read(&zone->vm_stat[item]);
66007 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66008
66009 #ifdef CONFIG_SMP
66010 int cpu;
66011 @@ -280,8 +280,8 @@ static inline void __mod_zone_page_state
66012
66013 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
66014 {
66015 - atomic_long_inc(&zone->vm_stat[item]);
66016 - atomic_long_inc(&vm_stat[item]);
66017 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
66018 + atomic_long_inc_unchecked(&vm_stat[item]);
66019 }
66020
66021 static inline void __inc_zone_page_state(struct page *page,
66022 @@ -292,8 +292,8 @@ static inline void __inc_zone_page_state
66023
66024 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
66025 {
66026 - atomic_long_dec(&zone->vm_stat[item]);
66027 - atomic_long_dec(&vm_stat[item]);
66028 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
66029 + atomic_long_dec_unchecked(&vm_stat[item]);
66030 }
66031
66032 static inline void __dec_zone_page_state(struct page *page,
66033 diff -urNp linux-2.6.39.3/include/media/saa7146_vv.h linux-2.6.39.3/include/media/saa7146_vv.h
66034 --- linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-19 00:06:34.000000000 -0400
66035 +++ linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-22 19:36:33.000000000 -0400
66036 @@ -202,13 +202,13 @@ void saa7146_set_gpio(struct saa7146_dev
66037
66038 /* from saa7146_video.c */
66039 extern const struct v4l2_ioctl_ops saa7146_video_ioctl_ops;
66040 -extern struct saa7146_use_ops saa7146_video_uops;
66041 +extern const struct saa7146_use_ops saa7146_video_uops;
66042 int saa7146_start_preview(struct saa7146_fh *fh);
66043 int saa7146_stop_preview(struct saa7146_fh *fh);
66044 long saa7146_video_do_ioctl(struct file *file, unsigned int cmd, void *arg);
66045
66046 /* from saa7146_vbi.c */
66047 -extern struct saa7146_use_ops saa7146_vbi_uops;
66048 +extern const struct saa7146_use_ops saa7146_vbi_uops;
66049
66050 /* resource management functions */
66051 int saa7146_res_get(struct saa7146_fh *fh, unsigned int bit);
66052 diff -urNp linux-2.6.39.3/include/media/v4l2-device.h linux-2.6.39.3/include/media/v4l2-device.h
66053 --- linux-2.6.39.3/include/media/v4l2-device.h 2011-05-19 00:06:34.000000000 -0400
66054 +++ linux-2.6.39.3/include/media/v4l2-device.h 2011-05-22 19:36:33.000000000 -0400
66055 @@ -95,7 +95,7 @@ int __must_check v4l2_device_register(st
66056 this function returns 0. If the name ends with a digit (e.g. cx18),
66057 then the name will be set to cx18-0 since cx180 looks really odd. */
66058 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
66059 - atomic_t *instance);
66060 + atomic_unchecked_t *instance);
66061
66062 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
66063 Since the parent disappears this ensures that v4l2_dev doesn't have an
66064 diff -urNp linux-2.6.39.3/include/net/caif/cfctrl.h linux-2.6.39.3/include/net/caif/cfctrl.h
66065 --- linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-19 00:06:34.000000000 -0400
66066 +++ linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-22 19:36:33.000000000 -0400
66067 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
66068 struct cfctrl {
66069 struct cfsrvl serv;
66070 struct cfctrl_rsp res;
66071 - atomic_t req_seq_no;
66072 - atomic_t rsp_seq_no;
66073 + atomic_unchecked_t req_seq_no;
66074 + atomic_unchecked_t rsp_seq_no;
66075 struct list_head list;
66076 /* Protects from simultaneous access to first_req list */
66077 spinlock_t info_list_lock;
66078 diff -urNp linux-2.6.39.3/include/net/flow.h linux-2.6.39.3/include/net/flow.h
66079 --- linux-2.6.39.3/include/net/flow.h 2011-05-19 00:06:34.000000000 -0400
66080 +++ linux-2.6.39.3/include/net/flow.h 2011-05-22 19:36:33.000000000 -0400
66081 @@ -167,6 +167,6 @@ extern struct flow_cache_object *flow_ca
66082 u8 dir, flow_resolve_t resolver, void *ctx);
66083
66084 extern void flow_cache_flush(void);
66085 -extern atomic_t flow_cache_genid;
66086 +extern atomic_unchecked_t flow_cache_genid;
66087
66088 #endif
66089 diff -urNp linux-2.6.39.3/include/net/inetpeer.h linux-2.6.39.3/include/net/inetpeer.h
66090 --- linux-2.6.39.3/include/net/inetpeer.h 2011-05-19 00:06:34.000000000 -0400
66091 +++ linux-2.6.39.3/include/net/inetpeer.h 2011-05-22 19:36:33.000000000 -0400
66092 @@ -43,8 +43,8 @@ struct inet_peer {
66093 */
66094 union {
66095 struct {
66096 - atomic_t rid; /* Frag reception counter */
66097 - atomic_t ip_id_count; /* IP ID for the next packet */
66098 + atomic_unchecked_t rid; /* Frag reception counter */
66099 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
66100 __u32 tcp_ts;
66101 __u32 tcp_ts_stamp;
66102 u32 metrics[RTAX_MAX];
66103 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
66104 {
66105 more++;
66106 inet_peer_refcheck(p);
66107 - return atomic_add_return(more, &p->ip_id_count) - more;
66108 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
66109 }
66110
66111 #endif /* _NET_INETPEER_H */
66112 diff -urNp linux-2.6.39.3/include/net/ip_fib.h linux-2.6.39.3/include/net/ip_fib.h
66113 --- linux-2.6.39.3/include/net/ip_fib.h 2011-05-19 00:06:34.000000000 -0400
66114 +++ linux-2.6.39.3/include/net/ip_fib.h 2011-05-22 19:36:33.000000000 -0400
66115 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
66116
66117 #define FIB_RES_SADDR(net, res) \
66118 ((FIB_RES_NH(res).nh_saddr_genid == \
66119 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
66120 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
66121 FIB_RES_NH(res).nh_saddr : \
66122 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
66123 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
66124 diff -urNp linux-2.6.39.3/include/net/ip_vs.h linux-2.6.39.3/include/net/ip_vs.h
66125 --- linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:18:51.000000000 -0400
66126 +++ linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:19:24.000000000 -0400
66127 @@ -512,7 +512,7 @@ struct ip_vs_conn {
66128 struct ip_vs_conn *control; /* Master control connection */
66129 atomic_t n_control; /* Number of controlled ones */
66130 struct ip_vs_dest *dest; /* real server */
66131 - atomic_t in_pkts; /* incoming packet counter */
66132 + atomic_unchecked_t in_pkts; /* incoming packet counter */
66133
66134 /* packet transmitter for different forwarding methods. If it
66135 mangles the packet, it must return NF_DROP or better NF_STOLEN,
66136 @@ -650,7 +650,7 @@ struct ip_vs_dest {
66137 __be16 port; /* port number of the server */
66138 union nf_inet_addr addr; /* IP address of the server */
66139 volatile unsigned flags; /* dest status flags */
66140 - atomic_t conn_flags; /* flags to copy to conn */
66141 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
66142 atomic_t weight; /* server weight */
66143
66144 atomic_t refcnt; /* reference counter */
66145 diff -urNp linux-2.6.39.3/include/net/irda/ircomm_tty.h linux-2.6.39.3/include/net/irda/ircomm_tty.h
66146 --- linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-19 00:06:34.000000000 -0400
66147 +++ linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-22 19:36:33.000000000 -0400
66148 @@ -35,6 +35,7 @@
66149 #include <linux/termios.h>
66150 #include <linux/timer.h>
66151 #include <linux/tty.h> /* struct tty_struct */
66152 +#include <asm/local.h>
66153
66154 #include <net/irda/irias_object.h>
66155 #include <net/irda/ircomm_core.h>
66156 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
66157 unsigned short close_delay;
66158 unsigned short closing_wait; /* time to wait before closing */
66159
66160 - int open_count;
66161 - int blocked_open; /* # of blocked opens */
66162 + local_t open_count;
66163 + local_t blocked_open; /* # of blocked opens */
66164
66165 /* Protect concurent access to :
66166 * o self->open_count
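Review bot: `open_count` and `blocked_open` become `local_t`, a type whose operations are atomic only with respect to the CPU they run on. The comment that follows (it continues outside this hunk) lists `self->open_count` among the fields protected against concurrent access, so these are shared counters rather than per-CPU ones and the existing lock must still be held around every local_* operation. If the aim is overflow-checked counting, `atomic_t` would express that without implying per-CPU use. If `local_t` is kept, I would add `/* local_t presumably for overflow checking only; still protected by the lock below */` to the two members.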
66167 diff -urNp linux-2.6.39.3/include/net/iucv/af_iucv.h linux-2.6.39.3/include/net/iucv/af_iucv.h
66168 --- linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-19 00:06:34.000000000 -0400
66169 +++ linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-22 19:36:33.000000000 -0400
66170 @@ -87,7 +87,7 @@ struct iucv_sock {
66171 struct iucv_sock_list {
66172 struct hlist_head head;
66173 rwlock_t lock;
66174 - atomic_t autobind_name;
66175 + atomic_unchecked_t autobind_name;
66176 };
66177
66178 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66179 diff -urNp linux-2.6.39.3/include/net/neighbour.h linux-2.6.39.3/include/net/neighbour.h
66180 --- linux-2.6.39.3/include/net/neighbour.h 2011-05-19 00:06:34.000000000 -0400
66181 +++ linux-2.6.39.3/include/net/neighbour.h 2011-05-22 19:36:33.000000000 -0400
66182 @@ -118,12 +118,12 @@ struct neighbour {
66183
66184 struct neigh_ops {
66185 int family;
66186 - void (*solicit)(struct neighbour *, struct sk_buff*);
66187 - void (*error_report)(struct neighbour *, struct sk_buff*);
66188 - int (*output)(struct sk_buff*);
66189 - int (*connected_output)(struct sk_buff*);
66190 - int (*hh_output)(struct sk_buff*);
66191 - int (*queue_xmit)(struct sk_buff*);
66192 + void (* const solicit)(struct neighbour *, struct sk_buff*);
66193 + void (* const error_report)(struct neighbour *, struct sk_buff*);
66194 + int (* const output)(struct sk_buff*);
66195 + int (* const connected_output)(struct sk_buff*);
66196 + int (* const hh_output)(struct sk_buff*);
66197 + int (* const queue_xmit)(struct sk_buff*);
66198 };
66199
66200 struct pneigh_entry {
66201 diff -urNp linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h
66202 --- linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-19 00:06:34.000000000 -0400
66203 +++ linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-22 19:36:33.000000000 -0400
66204 @@ -95,7 +95,7 @@ nf_conntrack_eventmask_report(unsigned i
66205 int report)
66206 {
66207 int ret = 0;
66208 - struct nf_ct_event_notifier *notify;
66209 + const struct nf_ct_event_notifier *notify;
66210 struct nf_conntrack_ecache *e;
66211
66212 rcu_read_lock();
66213 @@ -174,7 +174,7 @@ nf_ct_expect_event_report(enum ip_conntr
66214 u32 pid,
66215 int report)
66216 {
66217 - struct nf_exp_event_notifier *notify;
66218 + const struct nf_exp_event_notifier *notify;
66219 struct nf_conntrack_ecache *e;
66220
66221 rcu_read_lock();
66222 diff -urNp linux-2.6.39.3/include/net/netlink.h linux-2.6.39.3/include/net/netlink.h
66223 --- linux-2.6.39.3/include/net/netlink.h 2011-05-19 00:06:34.000000000 -0400
66224 +++ linux-2.6.39.3/include/net/netlink.h 2011-05-22 19:36:33.000000000 -0400
66225 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
66226 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66227 {
66228 if (mark)
66229 - skb_trim(skb, (unsigned char *) mark - skb->data);
66230 + skb_trim(skb, (const unsigned char *) mark - skb->data);
66231 }
66232
66233 /**
66234 diff -urNp linux-2.6.39.3/include/net/netns/ipv4.h linux-2.6.39.3/include/net/netns/ipv4.h
66235 --- linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-19 00:06:34.000000000 -0400
66236 +++ linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-22 19:36:33.000000000 -0400
66237 @@ -54,8 +54,8 @@ struct netns_ipv4 {
66238 int sysctl_rt_cache_rebuild_count;
66239 int current_rt_cache_rebuild_count;
66240
66241 - atomic_t rt_genid;
66242 - atomic_t dev_addr_genid;
66243 + atomic_unchecked_t rt_genid;
66244 + atomic_unchecked_t dev_addr_genid;
66245
66246 #ifdef CONFIG_IP_MROUTE
66247 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
66248 diff -urNp linux-2.6.39.3/include/net/sctp/sctp.h linux-2.6.39.3/include/net/sctp/sctp.h
66249 --- linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-19 00:06:34.000000000 -0400
66250 +++ linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-22 19:36:33.000000000 -0400
66251 @@ -316,9 +316,9 @@ do { \
66252
66253 #else /* SCTP_DEBUG */
66254
66255 -#define SCTP_DEBUG_PRINTK(whatever...)
66256 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
66257 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
66258 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
66259 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
66260 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
66261 #define SCTP_ENABLE_DEBUG
66262 #define SCTP_DISABLE_DEBUG
66263 #define SCTP_ASSERT(expr, str, func)
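Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` on the lines right after the change still expand to nothing, so the empty-statement problem fixed for the three `SCTP_DEBUG_PRINTK*` macros remains for them. An `if (cond) SCTP_ASSERT(...);` in a non-debug build still compiles to an `if` with an empty body. For consistency they could get the same expansion, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`. The `#else` branch continues outside the hunk.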
66264 diff -urNp linux-2.6.39.3/include/net/sock.h linux-2.6.39.3/include/net/sock.h
66265 --- linux-2.6.39.3/include/net/sock.h 2011-05-19 00:06:34.000000000 -0400
66266 +++ linux-2.6.39.3/include/net/sock.h 2011-05-22 19:36:33.000000000 -0400
66267 @@ -277,7 +277,7 @@ struct sock {
66268 #ifdef CONFIG_RPS
66269 __u32 sk_rxhash;
66270 #endif
66271 - atomic_t sk_drops;
66272 + atomic_unchecked_t sk_drops;
66273 int sk_rcvbuf;
66274
66275 struct sk_filter __rcu *sk_filter;
66276 diff -urNp linux-2.6.39.3/include/net/tcp.h linux-2.6.39.3/include/net/tcp.h
66277 --- linux-2.6.39.3/include/net/tcp.h 2011-05-19 00:06:34.000000000 -0400
66278 +++ linux-2.6.39.3/include/net/tcp.h 2011-05-22 19:36:33.000000000 -0400
66279 @@ -1374,7 +1374,7 @@ enum tcp_seq_states {
66280 struct tcp_seq_afinfo {
66281 char *name;
66282 sa_family_t family;
66283 - struct file_operations seq_fops;
66284 + struct file_operations seq_fops; /* cannot be const */
66285 struct seq_operations seq_ops;
66286 };
66287
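Review bot: The new comment `/* cannot be const */` on `seq_fops` states a constraint without the reason, and the reason is what the next person trying to constify this struct needs. Presumably the member is filled in at registration time rather than by a static initializer; that code is not in this hunk, so it should be confirmed. Something like `/* cannot be const: written when the afinfo is registered */` would do, and the identical comment in the `udp_seq_afinfo` hunk in udp.h needs the same treatment. A writable `file_operations` embedded in a long-lived object is what the surrounding constification is removing elsewhere, so it is worth marking as a known exception.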
66288 diff -urNp linux-2.6.39.3/include/net/udp.h linux-2.6.39.3/include/net/udp.h
66289 --- linux-2.6.39.3/include/net/udp.h 2011-05-19 00:06:34.000000000 -0400
66290 +++ linux-2.6.39.3/include/net/udp.h 2011-05-22 19:36:33.000000000 -0400
66291 @@ -234,7 +234,7 @@ struct udp_seq_afinfo {
66292 char *name;
66293 sa_family_t family;
66294 struct udp_table *udp_table;
66295 - struct file_operations seq_fops;
66296 + struct file_operations seq_fops; /* cannot be const */
66297 struct seq_operations seq_ops;
66298 };
66299
66300 diff -urNp linux-2.6.39.3/include/net/xfrm.h linux-2.6.39.3/include/net/xfrm.h
66301 --- linux-2.6.39.3/include/net/xfrm.h 2011-05-19 00:06:34.000000000 -0400
66302 +++ linux-2.6.39.3/include/net/xfrm.h 2011-05-22 19:36:33.000000000 -0400
66303 @@ -505,7 +505,7 @@ struct xfrm_policy {
66304 struct timer_list timer;
66305
66306 struct flow_cache_object flo;
66307 - atomic_t genid;
66308 + atomic_unchecked_t genid;
66309 u32 priority;
66310 u32 index;
66311 struct xfrm_mark mark;
66312 diff -urNp linux-2.6.39.3/include/pcmcia/ss.h linux-2.6.39.3/include/pcmcia/ss.h
66313 --- linux-2.6.39.3/include/pcmcia/ss.h 2011-05-19 00:06:34.000000000 -0400
66314 +++ linux-2.6.39.3/include/pcmcia/ss.h 2011-05-22 19:36:33.000000000 -0400
66315 @@ -241,9 +241,9 @@ struct pcmcia_socket {
66316 * "select PCCARD_NONSTATIC" in Kconfig.
66317 *
66318 */
66319 -extern struct pccard_resource_ops pccard_static_ops;
66320 +extern const struct pccard_resource_ops pccard_static_ops;
66321 #if defined(CONFIG_PCMCIA) || defined(CONFIG_PCMCIA_MODULE)
66322 -extern struct pccard_resource_ops pccard_iodyn_ops;
66323 +extern const struct pccard_resource_ops pccard_iodyn_ops;
66324 extern struct pccard_resource_ops pccard_nonstatic_ops;
66325 #else
66326 /* If PCMCIA is not used, but only CARDBUS, these functions are not used
66327 diff -urNp linux-2.6.39.3/include/rdma/ib_verbs.h linux-2.6.39.3/include/rdma/ib_verbs.h
66328 --- linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-19 00:06:34.000000000 -0400
66329 +++ linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-22 19:36:33.000000000 -0400
66330 @@ -1149,7 +1149,7 @@ struct ib_device {
66331 struct ib_mad *in_mad,
66332 struct ib_mad *out_mad);
66333
66334 - struct ib_dma_mapping_ops *dma_ops;
66335 + const struct ib_dma_mapping_ops *dma_ops;
66336
66337 struct module *owner;
66338 struct device dev;
66339 diff -urNp linux-2.6.39.3/include/scsi/libfc.h linux-2.6.39.3/include/scsi/libfc.h
66340 --- linux-2.6.39.3/include/scsi/libfc.h 2011-05-19 00:06:34.000000000 -0400
66341 +++ linux-2.6.39.3/include/scsi/libfc.h 2011-05-22 19:36:33.000000000 -0400
66342 @@ -202,7 +202,7 @@ struct fc_rport_priv {
66343 struct mutex rp_mutex;
66344 struct delayed_work retry_work;
66345 enum fc_rport_event event;
66346 - struct fc_rport_operations *ops;
66347 + const struct fc_rport_operations *ops;
66348 struct list_head peers;
66349 struct work_struct event_work;
66350 u32 supported_classes;
66351 diff -urNp linux-2.6.39.3/include/scsi/scsi_device.h linux-2.6.39.3/include/scsi/scsi_device.h
66352 --- linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-19 00:06:34.000000000 -0400
66353 +++ linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-22 19:36:33.000000000 -0400
66354 @@ -161,9 +161,9 @@ struct scsi_device {
66355 unsigned int max_device_blocked; /* what device_blocked counts down from */
66356 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
66357
66358 - atomic_t iorequest_cnt;
66359 - atomic_t iodone_cnt;
66360 - atomic_t ioerr_cnt;
66361 + atomic_unchecked_t iorequest_cnt;
66362 + atomic_unchecked_t iodone_cnt;
66363 + atomic_unchecked_t ioerr_cnt;
66364
66365 struct device sdev_gendev,
66366 sdev_dev;
66367 diff -urNp linux-2.6.39.3/include/sound/ac97_codec.h linux-2.6.39.3/include/sound/ac97_codec.h
66368 --- linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-19 00:06:34.000000000 -0400
66369 +++ linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-22 19:36:33.000000000 -0400
66370 @@ -424,15 +424,15 @@
66371 struct snd_ac97;
66372
66373 struct snd_ac97_build_ops {
66374 - int (*build_3d) (struct snd_ac97 *ac97);
66375 - int (*build_specific) (struct snd_ac97 *ac97);
66376 - int (*build_spdif) (struct snd_ac97 *ac97);
66377 - int (*build_post_spdif) (struct snd_ac97 *ac97);
66378 + int (* const build_3d) (struct snd_ac97 *ac97);
66379 + int (* const build_specific) (struct snd_ac97 *ac97);
66380 + int (* const build_spdif) (struct snd_ac97 *ac97);
66381 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
66382 #ifdef CONFIG_PM
66383 - void (*suspend) (struct snd_ac97 *ac97);
66384 - void (*resume) (struct snd_ac97 *ac97);
66385 + void (* const suspend) (struct snd_ac97 *ac97);
66386 + void (* const resume) (struct snd_ac97 *ac97);
66387 #endif
66388 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66389 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66390 };
66391
66392 struct snd_ac97_bus_ops {
66393 @@ -446,7 +446,7 @@ struct snd_ac97_bus_ops {
66394
66395 struct snd_ac97_bus {
66396 /* -- lowlevel (hardware) driver specific -- */
66397 - struct snd_ac97_bus_ops *ops;
66398 + const struct snd_ac97_bus_ops *ops;
66399 void *private_data;
66400 void (*private_free) (struct snd_ac97_bus *bus);
66401 /* --- */
66402 @@ -556,7 +556,7 @@ static inline int ac97_can_spdif(struct
66403
66404 /* functions */
66405 /* create new AC97 bus */
66406 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
66407 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
66408 void *private_data, struct snd_ac97_bus **rbus);
66409 /* create mixer controls */
66410 int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
66411 diff -urNp linux-2.6.39.3/include/sound/core.h linux-2.6.39.3/include/sound/core.h
66412 --- linux-2.6.39.3/include/sound/core.h 2011-05-19 00:06:34.000000000 -0400
66413 +++ linux-2.6.39.3/include/sound/core.h 2011-05-22 19:36:33.000000000 -0400
66414 @@ -88,7 +88,7 @@ struct snd_device {
66415 snd_device_state_t state; /* state of the device */
66416 snd_device_type_t type; /* device type */
66417 void *device_data; /* device structure */
66418 - struct snd_device_ops *ops; /* operations */
66419 + const struct snd_device_ops *ops; /* operations */
66420 };
66421
66422 #define snd_device(n) list_entry(n, struct snd_device, list)
66423 @@ -301,7 +301,7 @@ int snd_card_file_remove(struct snd_card
66424 /* device.c */
66425
66426 int snd_device_new(struct snd_card *card, snd_device_type_t type,
66427 - void *device_data, struct snd_device_ops *ops);
66428 + void *device_data, const struct snd_device_ops *ops);
66429 int snd_device_register(struct snd_card *card, void *device_data);
66430 int snd_device_register_all(struct snd_card *card);
66431 int snd_device_disconnect(struct snd_card *card, void *device_data);
66432 diff -urNp linux-2.6.39.3/include/sound/pcm.h linux-2.6.39.3/include/sound/pcm.h
66433 --- linux-2.6.39.3/include/sound/pcm.h 2011-05-19 00:06:34.000000000 -0400
66434 +++ linux-2.6.39.3/include/sound/pcm.h 2011-05-22 19:36:33.000000000 -0400
66435 @@ -379,7 +379,7 @@ struct snd_pcm_substream {
66436 unsigned int dma_buf_id;
66437 size_t dma_max;
66438 /* -- hardware operations -- */
66439 - struct snd_pcm_ops *ops;
66440 + const struct snd_pcm_ops *ops;
66441 /* -- runtime information -- */
66442 struct snd_pcm_runtime *runtime;
66443 /* -- timer section -- */
66444 @@ -845,7 +845,7 @@ const unsigned char *snd_pcm_format_sile
66445 int snd_pcm_format_set_silence(snd_pcm_format_t format, void *buf, unsigned int frames);
66446 snd_pcm_format_t snd_pcm_build_linear_format(int width, int unsignd, int big_endian);
66447
66448 -void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, struct snd_pcm_ops *ops);
66449 +void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, const struct snd_pcm_ops *ops);
66450 void snd_pcm_set_sync(struct snd_pcm_substream *substream);
66451 int snd_pcm_lib_interleave_len(struct snd_pcm_substream *substream);
66452 int snd_pcm_lib_ioctl(struct snd_pcm_substream *substream,
66453 diff -urNp linux-2.6.39.3/include/sound/rawmidi.h linux-2.6.39.3/include/sound/rawmidi.h
66454 --- linux-2.6.39.3/include/sound/rawmidi.h 2011-05-19 00:06:34.000000000 -0400
66455 +++ linux-2.6.39.3/include/sound/rawmidi.h 2011-05-22 19:36:33.000000000 -0400
66456 @@ -100,7 +100,7 @@ struct snd_rawmidi_substream {
66457 struct snd_rawmidi_runtime *runtime;
66458 struct pid *pid;
66459 /* hardware layer */
66460 - struct snd_rawmidi_ops *ops;
66461 + const struct snd_rawmidi_ops *ops;
66462 };
66463
66464 struct snd_rawmidi_file {
66465 @@ -127,7 +127,7 @@ struct snd_rawmidi {
66466 int ossreg;
66467 #endif
66468
66469 - struct snd_rawmidi_global_ops *ops;
66470 + const struct snd_rawmidi_global_ops *ops;
66471
66472 struct snd_rawmidi_str streams[2];
66473
66474 @@ -151,7 +151,7 @@ int snd_rawmidi_new(struct snd_card *car
66475 int output_count, int input_count,
66476 struct snd_rawmidi **rmidi);
66477 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
66478 - struct snd_rawmidi_ops *ops);
66479 + const struct snd_rawmidi_ops *ops);
66480
66481 /* callbacks */
66482
66483 diff -urNp linux-2.6.39.3/include/sound/seq_device.h linux-2.6.39.3/include/sound/seq_device.h
66484 --- linux-2.6.39.3/include/sound/seq_device.h 2011-05-19 00:06:34.000000000 -0400
66485 +++ linux-2.6.39.3/include/sound/seq_device.h 2011-05-22 19:36:33.000000000 -0400
66486 @@ -69,7 +69,7 @@ struct snd_seq_dev_ops {
66487 */
66488 void snd_seq_device_load_drivers(void);
66489 int snd_seq_device_new(struct snd_card *card, int device, char *id, int argsize, struct snd_seq_device **result);
66490 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry, int argsize);
66491 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry, int argsize);
66492 int snd_seq_device_unregister_driver(char *id);
66493
66494 #define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
66495 diff -urNp linux-2.6.39.3/include/sound/snd_wavefront.h linux-2.6.39.3/include/sound/snd_wavefront.h
66496 --- linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-19 00:06:34.000000000 -0400
66497 +++ linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-22 19:36:33.000000000 -0400
66498 @@ -37,8 +37,8 @@ struct _snd_wavefront_midi {
66499 #define MPU_ACK 0xFE
66500 #define UART_MODE_ON 0x3F
66501
66502 -extern struct snd_rawmidi_ops snd_wavefront_midi_output;
66503 -extern struct snd_rawmidi_ops snd_wavefront_midi_input;
66504 +extern const struct snd_rawmidi_ops snd_wavefront_midi_output;
66505 +extern const struct snd_rawmidi_ops snd_wavefront_midi_input;
66506
66507 extern void snd_wavefront_midi_enable_virtual (snd_wavefront_card_t *);
66508 extern void snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *);
66509 diff -urNp linux-2.6.39.3/include/sound/soc.h linux-2.6.39.3/include/sound/soc.h
66510 --- linux-2.6.39.3/include/sound/soc.h 2011-05-19 00:06:34.000000000 -0400
66511 +++ linux-2.6.39.3/include/sound/soc.h 2011-05-22 19:36:33.000000000 -0400
66512 @@ -245,7 +245,7 @@ struct snd_soc_jack_gpio;
66513
66514 typedef int (*hw_write_t)(void *,const char* ,int);
66515
66516 -extern struct snd_ac97_bus_ops soc_ac97_ops;
66517 +extern const struct snd_ac97_bus_ops soc_ac97_ops;
66518
66519 enum snd_soc_control_type {
66520 SND_SOC_CUSTOM,
66521 diff -urNp linux-2.6.39.3/include/sound/ymfpci.h linux-2.6.39.3/include/sound/ymfpci.h
66522 --- linux-2.6.39.3/include/sound/ymfpci.h 2011-05-19 00:06:34.000000000 -0400
66523 +++ linux-2.6.39.3/include/sound/ymfpci.h 2011-05-22 19:36:33.000000000 -0400
66524 @@ -358,7 +358,7 @@ struct snd_ymfpci {
66525 spinlock_t reg_lock;
66526 spinlock_t voice_lock;
66527 wait_queue_head_t interrupt_sleep;
66528 - atomic_t interrupt_sleep_count;
66529 + atomic_unchecked_t interrupt_sleep_count;
66530 struct snd_info_entry *proc_entry;
66531 const struct firmware *dsp_microcode;
66532 const struct firmware *controller_microcode;
66533 diff -urNp linux-2.6.39.3/include/target/target_core_base.h linux-2.6.39.3/include/target/target_core_base.h
66534 --- linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:04:14.000000000 -0400
66535 +++ linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:32:08.000000000 -0400
66536 @@ -432,8 +432,8 @@ struct se_transport_task {
66537 atomic_t t_task_cdbs_left;
66538 atomic_t t_task_cdbs_ex_left;
66539 atomic_t t_task_cdbs_timeout_left;
66540 - atomic_t t_task_cdbs_sent;
66541 - atomic_t t_transport_aborted;
66542 + atomic_unchecked_t t_task_cdbs_sent;
66543 + atomic_unchecked_t t_transport_aborted;
66544 atomic_t t_transport_active;
66545 atomic_t t_transport_complete;
66546 atomic_t t_transport_queue_active;
66547 @@ -774,7 +774,7 @@ struct se_device {
66548 atomic_t active_cmds;
66549 atomic_t simple_cmds;
66550 atomic_t depth_left;
66551 - atomic_t dev_ordered_id;
66552 + atomic_unchecked_t dev_ordered_id;
66553 atomic_t dev_tur_active;
66554 atomic_t execute_tasks;
66555 atomic_t dev_status_thr_count;
66556 diff -urNp linux-2.6.39.3/include/trace/events/irq.h linux-2.6.39.3/include/trace/events/irq.h
66557 --- linux-2.6.39.3/include/trace/events/irq.h 2011-05-19 00:06:34.000000000 -0400
66558 +++ linux-2.6.39.3/include/trace/events/irq.h 2011-05-22 19:36:33.000000000 -0400
66559 @@ -36,7 +36,7 @@ struct softirq_action;
66560 */
66561 TRACE_EVENT(irq_handler_entry,
66562
66563 - TP_PROTO(int irq, struct irqaction *action),
66564 + TP_PROTO(int irq, const struct irqaction *action),
66565
66566 TP_ARGS(irq, action),
66567
66568 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
66569 */
66570 TRACE_EVENT(irq_handler_exit,
66571
66572 - TP_PROTO(int irq, struct irqaction *action, int ret),
66573 + TP_PROTO(int irq, const struct irqaction *action, int ret),
66574
66575 TP_ARGS(irq, action, ret),
66576
66577 diff -urNp linux-2.6.39.3/include/video/udlfb.h linux-2.6.39.3/include/video/udlfb.h
66578 --- linux-2.6.39.3/include/video/udlfb.h 2011-05-19 00:06:34.000000000 -0400
66579 +++ linux-2.6.39.3/include/video/udlfb.h 2011-05-22 19:36:33.000000000 -0400
66580 @@ -51,10 +51,10 @@ struct dlfb_data {
66581 int base8;
66582 u32 pseudo_palette[256];
66583 /* blit-only rendering path metrics, exposed through sysfs */
66584 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66585 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
66586 - atomic_t bytes_sent; /* to usb, after compression including overhead */
66587 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
66588 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66589 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
66590 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
66591 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
66592 };
66593
66594 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
66595 diff -urNp linux-2.6.39.3/include/video/uvesafb.h linux-2.6.39.3/include/video/uvesafb.h
66596 --- linux-2.6.39.3/include/video/uvesafb.h 2011-05-19 00:06:34.000000000 -0400
66597 +++ linux-2.6.39.3/include/video/uvesafb.h 2011-05-22 19:36:33.000000000 -0400
66598 @@ -177,6 +177,7 @@ struct uvesafb_par {
66599 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66600 u8 pmi_setpal; /* PMI for palette changes */
66601 u16 *pmi_base; /* protected mode interface location */
66602 + u8 *pmi_code; /* protected mode code location */
66603 void *pmi_start;
66604 void *pmi_pal;
66605 u8 *vbe_state_orig; /*
66606 diff -urNp linux-2.6.39.3/init/do_mounts.c linux-2.6.39.3/init/do_mounts.c
66607 --- linux-2.6.39.3/init/do_mounts.c 2011-05-19 00:06:34.000000000 -0400
66608 +++ linux-2.6.39.3/init/do_mounts.c 2011-05-22 19:36:33.000000000 -0400
66609 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
66610
66611 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66612 {
66613 - int err = sys_mount(name, "/root", fs, flags, data);
66614 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66615 if (err)
66616 return err;
66617
66618 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
66619 va_start(args, fmt);
66620 vsprintf(buf, fmt, args);
66621 va_end(args);
66622 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66623 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66624 if (fd >= 0) {
66625 sys_ioctl(fd, FDEJECT, 0);
66626 sys_close(fd);
66627 }
66628 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66629 - fd = sys_open("/dev/console", O_RDWR, 0);
66630 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
66631 if (fd >= 0) {
66632 sys_ioctl(fd, TCGETS, (long)&termios);
66633 termios.c_lflag &= ~ICANON;
66634 sys_ioctl(fd, TCSETSF, (long)&termios);
66635 - sys_read(fd, &c, 1);
66636 + sys_read(fd, (char __user *)&c, 1);
66637 termios.c_lflag |= ICANON;
66638 sys_ioctl(fd, TCSETSF, (long)&termios);
66639 sys_close(fd);
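Review bot: Two of the three new casts in this hunk omit `__force`: `(char __user *)"/dev/root"` and `(char __user *)&c`, while the `/dev/console` line uses `(__force const char __user *)`. A static checker configured to report address-space casts will still flag these two lines, and they are inconsistent with the other init/ call sites in this patch. They should read `sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. change_floppy starts and ends outside the hunk.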
66640 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
66641 mount_root();
66642 out:
66643 devtmpfs_mount("dev");
66644 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66645 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66646 sys_chroot((const char __user __force *)".");
66647 }
66648 diff -urNp linux-2.6.39.3/init/do_mounts.h linux-2.6.39.3/init/do_mounts.h
66649 --- linux-2.6.39.3/init/do_mounts.h 2011-05-19 00:06:34.000000000 -0400
66650 +++ linux-2.6.39.3/init/do_mounts.h 2011-05-22 19:36:33.000000000 -0400
66651 @@ -15,15 +15,15 @@ extern int root_mountflags;
66652
66653 static inline int create_dev(char *name, dev_t dev)
66654 {
66655 - sys_unlink(name);
66656 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66657 + sys_unlink((__force char __user *)name);
66658 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
66659 }
66660
66661 #if BITS_PER_LONG == 32
66662 static inline u32 bstat(char *name)
66663 {
66664 struct stat64 stat;
66665 - if (sys_stat64(name, &stat) != 0)
66666 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
66667 return 0;
66668 if (!S_ISBLK(stat.st_mode))
66669 return 0;
66670 diff -urNp linux-2.6.39.3/init/do_mounts_initrd.c linux-2.6.39.3/init/do_mounts_initrd.c
66671 --- linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-19 00:06:34.000000000 -0400
66672 +++ linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-22 19:36:33.000000000 -0400
66673 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
66674 create_dev("/dev/root.old", Root_RAM0);
66675 /* mount initrd on rootfs' /root */
66676 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66677 - sys_mkdir("/old", 0700);
66678 - root_fd = sys_open("/", 0, 0);
66679 - old_fd = sys_open("/old", 0, 0);
66680 + sys_mkdir((__force const char __user *)"/old", 0700);
66681 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
66682 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
66683 /* move initrd over / and chdir/chroot in initrd root */
66684 - sys_chdir("/root");
66685 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66686 - sys_chroot(".");
66687 + sys_chdir((__force const char __user *)"/root");
66688 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66689 + sys_chroot((__force const char __user *)".");
66690
66691 /*
66692 * In case that a resume from disk is carried out by linuxrc or one of
66693 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
66694
66695 /* move initrd to rootfs' /old */
66696 sys_fchdir(old_fd);
66697 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
66698 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
66699 /* switch root and cwd back to / of rootfs */
66700 sys_fchdir(root_fd);
66701 - sys_chroot(".");
66702 + sys_chroot((__force const char __user *)".");
66703 sys_close(old_fd);
66704 sys_close(root_fd);
66705
66706 if (new_decode_dev(real_root_dev) == Root_RAM0) {
66707 - sys_chdir("/old");
66708 + sys_chdir((__force const char __user *)"/old");
66709 return;
66710 }
66711
66712 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
66713 mount_root();
66714
66715 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66716 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66717 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
66718 if (!error)
66719 printk("okay\n");
66720 else {
66721 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
66722 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
66723 if (error == -ENOENT)
66724 printk("/initrd does not exist. Ignored.\n");
66725 else
66726 printk("failed\n");
66727 printk(KERN_NOTICE "Unmounting old root\n");
66728 - sys_umount("/old", MNT_DETACH);
66729 + sys_umount((__force char __user *)"/old", MNT_DETACH);
66730 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66731 if (fd < 0) {
66732 error = fd;
66733 @@ -116,11 +116,11 @@ int __init initrd_load(void)
66734 * mounted in the normal path.
66735 */
66736 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66737 - sys_unlink("/initrd.image");
66738 + sys_unlink((__force const char __user *)"/initrd.image");
66739 handle_initrd();
66740 return 1;
66741 }
66742 }
66743 - sys_unlink("/initrd.image");
66744 + sys_unlink((__force const char __user *)"/initrd.image");
66745 return 0;
66746 }
66747 diff -urNp linux-2.6.39.3/init/do_mounts_md.c linux-2.6.39.3/init/do_mounts_md.c
66748 --- linux-2.6.39.3/init/do_mounts_md.c 2011-05-19 00:06:34.000000000 -0400
66749 +++ linux-2.6.39.3/init/do_mounts_md.c 2011-05-22 19:36:33.000000000 -0400
66750 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66751 partitioned ? "_d" : "", minor,
66752 md_setup_args[ent].device_names);
66753
66754 - fd = sys_open(name, 0, 0);
66755 + fd = sys_open((__force char __user *)name, 0, 0);
66756 if (fd < 0) {
66757 printk(KERN_ERR "md: open failed - cannot start "
66758 "array %s\n", name);
66759 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66760 * array without it
66761 */
66762 sys_close(fd);
66763 - fd = sys_open(name, 0, 0);
66764 + fd = sys_open((__force char __user *)name, 0, 0);
66765 sys_ioctl(fd, BLKRRPART, 0);
66766 }
66767 sys_close(fd);
66768 diff -urNp linux-2.6.39.3/init/initramfs.c linux-2.6.39.3/init/initramfs.c
66769 --- linux-2.6.39.3/init/initramfs.c 2011-05-19 00:06:34.000000000 -0400
66770 +++ linux-2.6.39.3/init/initramfs.c 2011-05-22 19:36:33.000000000 -0400
66771 @@ -74,7 +74,7 @@ static void __init free_hash(void)
66772 }
66773 }
66774
66775 -static long __init do_utime(char __user *filename, time_t mtime)
66776 +static long __init do_utime(__force char __user *filename, time_t mtime)
66777 {
66778 struct timespec t[2];
66779
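Review bot: `__force` in the parameter declaration `do_utime(__force char __user *filename, time_t mtime)` is out of place: it is a cast annotation for the static checker and adds nothing on a declared parameter. Every caller changed in this patch already casts with `(__force char __user *)`, so the declaration can stay `char __user *filename`. A tidier alternative, if the body allows it (it is outside this hunk), is to let do_utime take a plain `char *filename` and do the single `__force` cast inside. That would remove the casts at the call sites in dir_utime, do_name, do_copy and do_symlink.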
66780 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
66781 struct dir_entry *de, *tmp;
66782 list_for_each_entry_safe(de, tmp, &dir_list, list) {
66783 list_del(&de->list);
66784 - do_utime(de->name, de->mtime);
66785 + do_utime((__force char __user *)de->name, de->mtime);
66786 kfree(de->name);
66787 kfree(de);
66788 }
66789 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
66790 if (nlink >= 2) {
66791 char *old = find_link(major, minor, ino, mode, collected);
66792 if (old)
66793 - return (sys_link(old, collected) < 0) ? -1 : 1;
66794 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
66795 }
66796 return 0;
66797 }
66798 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
66799 {
66800 struct stat st;
66801
66802 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66803 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
66804 if (S_ISDIR(st.st_mode))
66805 - sys_rmdir(path);
66806 + sys_rmdir((__force char __user *)path);
66807 else
66808 - sys_unlink(path);
66809 + sys_unlink((__force char __user *)path);
66810 }
66811 }
66812
66813 @@ -305,7 +305,7 @@ static int __init do_name(void)
66814 int openflags = O_WRONLY|O_CREAT;
66815 if (ml != 1)
66816 openflags |= O_TRUNC;
66817 - wfd = sys_open(collected, openflags, mode);
66818 + wfd = sys_open((__force char __user *)collected, openflags, mode);
66819
66820 if (wfd >= 0) {
66821 sys_fchown(wfd, uid, gid);
66822 @@ -317,17 +317,17 @@ static int __init do_name(void)
66823 }
66824 }
66825 } else if (S_ISDIR(mode)) {
66826 - sys_mkdir(collected, mode);
66827 - sys_chown(collected, uid, gid);
66828 - sys_chmod(collected, mode);
66829 + sys_mkdir((__force char __user *)collected, mode);
66830 + sys_chown((__force char __user *)collected, uid, gid);
66831 + sys_chmod((__force char __user *)collected, mode);
66832 dir_add(collected, mtime);
66833 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66834 S_ISFIFO(mode) || S_ISSOCK(mode)) {
66835 if (maybe_link() == 0) {
66836 - sys_mknod(collected, mode, rdev);
66837 - sys_chown(collected, uid, gid);
66838 - sys_chmod(collected, mode);
66839 - do_utime(collected, mtime);
66840 + sys_mknod((__force char __user *)collected, mode, rdev);
66841 + sys_chown((__force char __user *)collected, uid, gid);
66842 + sys_chmod((__force char __user *)collected, mode);
66843 + do_utime((__force char __user *)collected, mtime);
66844 }
66845 }
66846 return 0;
66847 @@ -336,15 +336,15 @@ static int __init do_name(void)
66848 static int __init do_copy(void)
66849 {
66850 if (count >= body_len) {
66851 - sys_write(wfd, victim, body_len);
66852 + sys_write(wfd, (__force char __user *)victim, body_len);
66853 sys_close(wfd);
66854 - do_utime(vcollected, mtime);
66855 + do_utime((__force char __user *)vcollected, mtime);
66856 kfree(vcollected);
66857 eat(body_len);
66858 state = SkipIt;
66859 return 0;
66860 } else {
66861 - sys_write(wfd, victim, count);
66862 + sys_write(wfd, (__force char __user *)victim, count);
66863 body_len -= count;
66864 eat(count);
66865 return 1;
66866 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
66867 {
66868 collected[N_ALIGN(name_len) + body_len] = '\0';
66869 clean_path(collected, 0);
66870 - sys_symlink(collected + N_ALIGN(name_len), collected);
66871 - sys_lchown(collected, uid, gid);
66872 - do_utime(collected, mtime);
66873 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
66874 + sys_lchown((__force char __user *)collected, uid, gid);
66875 + do_utime((__force char __user *)collected, mtime);
66876 state = SkipIt;
66877 next_state = Reset;
66878 return 0;
66879 diff -urNp linux-2.6.39.3/init/Kconfig linux-2.6.39.3/init/Kconfig
66880 --- linux-2.6.39.3/init/Kconfig 2011-05-19 00:06:34.000000000 -0400
66881 +++ linux-2.6.39.3/init/Kconfig 2011-05-22 19:36:33.000000000 -0400
66882 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
66883
66884 config COMPAT_BRK
66885 bool "Disable heap randomization"
66886 - default y
66887 + default n
66888 help
66889 Randomizing heap placement makes heap exploits harder, but it
66890 also breaks ancient binaries (including anything libc5 based).
66891 diff -urNp linux-2.6.39.3/init/main.c linux-2.6.39.3/init/main.c
66892 --- linux-2.6.39.3/init/main.c 2011-06-03 00:04:14.000000000 -0400
66893 +++ linux-2.6.39.3/init/main.c 2011-06-03 00:32:08.000000000 -0400
66894 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
66895 extern void tc_init(void);
66896 #endif
66897
66898 +extern void grsecurity_init(void);
66899 +
66900 /*
66901 * Debug helper: via this flag we know that we are in 'early bootup code'
66902 * where only the boot processor is running with IRQ disabled. This means
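Review bot: `extern void grsecurity_init(void);` is declared directly in main.c, so the compiler never checks this prototype against the definition. If the definition's signature changes, the call here still compiles and the mismatch goes unnoticed. The declaration belongs in a header that the defining file also includes. The same applies to the `extern` declarations of `pax_enter_kernel_user`, `pax_exit_kernel_user` and `clone_pgd_mask` in the next hunk.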
66903 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
66904
66905 __setup("reset_devices", set_reset_devices);
66906
66907 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66908 +extern char pax_enter_kernel_user[];
66909 +extern char pax_exit_kernel_user[];
66910 +extern pgdval_t clone_pgd_mask;
66911 +#endif
66912 +
66913 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66914 +static int __init setup_pax_nouderef(char *str)
66915 +{
66916 +#ifdef CONFIG_X86_32
66917 + unsigned int cpu;
66918 + struct desc_struct *gdt;
66919 +
66920 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
66921 + gdt = get_cpu_gdt_table(cpu);
66922 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66923 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66924 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66925 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66926 + }
66927 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66928 +#else
66929 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66930 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66931 + clone_pgd_mask = ~(pgdval_t)0UL;
66932 +#endif
66933 +
66934 + return 0;
66935 +}
66936 +early_param("pax_nouderef", setup_pax_nouderef);
66937 +#endif
66938 +
66939 +#ifdef CONFIG_PAX_SOFTMODE
66940 +unsigned int pax_softmode;
66941 +
66942 +static int __init setup_pax_softmode(char *str)
66943 +{
66944 + get_option(&str, &pax_softmode);
66945 + return 1;
66946 +}
66947 +__setup("pax_softmode=", setup_pax_softmode);
66948 +#endif
66949 +
66950 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66951 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66952 static const char *panic_later, *panic_param;
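Review bot: `setup_pax_nouderef` turns UDEREF off for the whole boot without writing anything to the kernel log, so a later review of the machine cannot tell from dmesg that the protection was disabled on the command line. A line such as `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` would record it. The two `memcpy` calls on the 64-bit path also need a comment saying that 0xc3 is the one-byte `ret` opcode, which presumably makes `pax_enter_kernel_user` and `pax_exit_kernel_user` return immediately. In `setup_pax_softmode`, `pax_softmode` is `unsigned int` while `get_option()` takes an `int *`, and its return value is ignored, so a malformed `pax_softmode=` value is accepted silently.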
66953 @@ -663,6 +708,7 @@ int __init_or_module do_one_initcall(ini
66954 {
66955 int count = preempt_count();
66956 int ret;
66957 + const char *msg1 = "", *msg2 = "";
66958
66959 if (initcall_debug)
66960 ret = do_one_initcall_debug(fn);
66961 @@ -675,15 +721,15 @@ int __init_or_module do_one_initcall(ini
66962 sprintf(msgbuf, "error code %d ", ret);
66963
66964 if (preempt_count() != count) {
66965 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
66966 + msg1 = " preemption imbalance";
66967 preempt_count() = count;
66968 }
66969 if (irqs_disabled()) {
66970 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
66971 + msg2 = " disabled interrupts";
66972 local_irq_enable();
66973 }
66974 - if (msgbuf[0]) {
66975 - printk("initcall %pF returned with %s\n", fn, msgbuf);
66976 + if (msgbuf[0] || *msg1 || *msg2) {
66977 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
66978 }
66979
66980 return ret;
66981 @@ -801,7 +847,7 @@ static int __init kernel_init(void * unu
66982 do_basic_setup();
66983
66984 /* Open the /dev/console on the rootfs, this should never fail */
66985 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
66986 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
66987 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
66988
66989 (void) sys_dup(0);
66990 @@ -814,11 +860,13 @@ static int __init kernel_init(void * unu
66991 if (!ramdisk_execute_command)
66992 ramdisk_execute_command = "/init";
66993
66994 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
66995 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
66996 ramdisk_execute_command = NULL;
66997 prepare_namespace();
66998 }
66999
67000 + grsecurity_init();
67001 +
67002 /*
67003 * Ok, we have completed the initial bootup, and
67004 * we're essentially up and running. Get rid of the
67005 diff -urNp linux-2.6.39.3/ipc/mqueue.c linux-2.6.39.3/ipc/mqueue.c
67006 --- linux-2.6.39.3/ipc/mqueue.c 2011-05-19 00:06:34.000000000 -0400
67007 +++ linux-2.6.39.3/ipc/mqueue.c 2011-05-22 19:41:42.000000000 -0400
67008 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
67009 mq_bytes = (mq_msg_tblsz +
67010 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
67011
67012 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
67013 spin_lock(&mq_lock);
67014 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
67015 u->mq_bytes + mq_bytes >
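Review bot: The added `gr_learn_resource()` call reads `u->mq_bytes` before `mq_lock` is taken and before the wrap-around test on the lines that follow, so the sum it receives can be stale or already wrapped. If the figure is only advisory for learning mode, say so at the call, e.g. `/* unlocked, unchecked sum: advisory for learning only */`. Otherwise the call belongs after the overflow check, provided the helper may be called under the spinlock, which this hunk does not show. The body of `mqueue_get_inode` continues outside the hunk.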
67016 diff -urNp linux-2.6.39.3/ipc/sem.c linux-2.6.39.3/ipc/sem.c
67017 --- linux-2.6.39.3/ipc/sem.c 2011-05-19 00:06:34.000000000 -0400
67018 +++ linux-2.6.39.3/ipc/sem.c 2011-05-22 19:36:33.000000000 -0400
67019 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
67020 int nsems;
67021 struct list_head tasks;
67022
67023 + pax_track_stack();
67024 +
67025 sma = sem_lock_check(ns, semid);
67026 if (IS_ERR(sma))
67027 return PTR_ERR(sma);
67028 @@ -1301,6 +1303,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
67029 struct ipc_namespace *ns;
67030 struct list_head tasks;
67031
67032 + pax_track_stack();
67033 +
67034 ns = current->nsproxy->ipc_ns;
67035
67036 if (nsops < 1 || semid < 0)
67037 diff -urNp linux-2.6.39.3/ipc/shm.c linux-2.6.39.3/ipc/shm.c
67038 --- linux-2.6.39.3/ipc/shm.c 2011-05-19 00:06:34.000000000 -0400
67039 +++ linux-2.6.39.3/ipc/shm.c 2011-05-22 19:41:42.000000000 -0400
67040 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
67041 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
67042 #endif
67043
67044 +#ifdef CONFIG_GRKERNSEC
67045 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67046 + const time_t shm_createtime, const uid_t cuid,
67047 + const int shmid);
67048 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67049 + const time_t shm_createtime);
67050 +#endif
67051 +
67052 void shm_init_ns(struct ipc_namespace *ns)
67053 {
67054 ns->shm_ctlmax = SHMMAX;
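Review bot: The prototypes for `gr_handle_shmat` and `gr_chroot_shmat` are written out by hand in ipc/shm.c, so, as far as this section shows, nothing checks them against the definitions. If a parameter type changes on one side, the call in `do_shmat` keeps compiling. Declaring them in a shared grsecurity header that both the definition and this file include would close that gap and remove the `#ifdef` block here. The same applies to `extern rwlock_t grsec_exec_file_lock;` in kernel/exit.c and `extern void grsecurity_init(void);` in init/main.c.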
67055 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
67056 shp->shm_lprid = 0;
67057 shp->shm_atim = shp->shm_dtim = 0;
67058 shp->shm_ctim = get_seconds();
67059 +#ifdef CONFIG_GRKERNSEC
67060 + {
67061 + struct timespec timeval;
67062 + do_posix_clock_monotonic_gettime(&timeval);
67063 +
67064 + shp->shm_createtime = timeval.tv_sec;
67065 + }
67066 +#endif
67067 shp->shm_segsz = size;
67068 shp->shm_nattch = 0;
67069 shp->shm_file = file;
67070 @@ -762,8 +778,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
67071 case SHM_LOCK:
67072 case SHM_UNLOCK:
67073 {
67074 - struct file *uninitialized_var(shm_file);
67075 -
67076 lru_add_drain_all(); /* drain pagevecs to lru lists */
67077
67078 shp = shm_lock_check(ns, shmid);
67079 @@ -896,9 +910,21 @@ long do_shmat(int shmid, char __user *sh
67080 if (err)
67081 goto out_unlock;
67082
67083 +#ifdef CONFIG_GRKERNSEC
67084 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
67085 + shp->shm_perm.cuid, shmid) ||
67086 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
67087 + err = -EACCES;
67088 + goto out_unlock;
67089 + }
67090 +#endif
67091 +
67092 path = shp->shm_file->f_path;
67093 path_get(&path);
67094 shp->shm_nattch++;
67095 +#ifdef CONFIG_GRKERNSEC
67096 + shp->shm_lapid = current->pid;
67097 +#endif
67098 size = i_size_read(path.dentry->d_inode);
67099 shm_unlock(shp);
67100
67101 diff -urNp linux-2.6.39.3/kernel/acct.c linux-2.6.39.3/kernel/acct.c
67102 --- linux-2.6.39.3/kernel/acct.c 2011-05-19 00:06:34.000000000 -0400
67103 +++ linux-2.6.39.3/kernel/acct.c 2011-05-22 19:36:33.000000000 -0400
67104 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
67105 */
67106 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
67107 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
67108 - file->f_op->write(file, (char *)&ac,
67109 + file->f_op->write(file, (__force char __user *)&ac,
67110 sizeof(acct_t), &file->f_pos);
67111 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
67112 set_fs(fs);
67113 diff -urNp linux-2.6.39.3/kernel/audit.c linux-2.6.39.3/kernel/audit.c
67114 --- linux-2.6.39.3/kernel/audit.c 2011-05-19 00:06:34.000000000 -0400
67115 +++ linux-2.6.39.3/kernel/audit.c 2011-05-22 19:36:33.000000000 -0400
67116 @@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
67117 3) suppressed due to audit_rate_limit
67118 4) suppressed due to audit_backlog_limit
67119 */
67120 -static atomic_t audit_lost = ATOMIC_INIT(0);
67121 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
67122
67123 /* The netlink socket. */
67124 static struct sock *audit_sock;
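Review bot: The switch of `audit_lost` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from overflow detection. A line such as `/* statistics only, wrap-around is harmless: exempt from PAX_REFCOUNT */` above the declaration would show the choice was deliberate rather than a blanket conversion. The same note fits `session_id` in kernel/auditsc.c and `kgdb_break_tasklet_var` / `kgdb_cpu_doing_single_step` in kernel/debug/debug_core.c. For `session_id` the comment should also say that a wrapped counter reuses audit session ids, which is presumably accepted here as in the unpatched kernel.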
67125 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
67126 unsigned long now;
67127 int print;
67128
67129 - atomic_inc(&audit_lost);
67130 + atomic_inc_unchecked(&audit_lost);
67131
67132 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
67133
67134 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
67135 printk(KERN_WARNING
67136 "audit: audit_lost=%d audit_rate_limit=%d "
67137 "audit_backlog_limit=%d\n",
67138 - atomic_read(&audit_lost),
67139 + atomic_read_unchecked(&audit_lost),
67140 audit_rate_limit,
67141 audit_backlog_limit);
67142 audit_panic(message);
67143 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
67144 status_set.pid = audit_pid;
67145 status_set.rate_limit = audit_rate_limit;
67146 status_set.backlog_limit = audit_backlog_limit;
67147 - status_set.lost = atomic_read(&audit_lost);
67148 + status_set.lost = atomic_read_unchecked(&audit_lost);
67149 status_set.backlog = skb_queue_len(&audit_skb_queue);
67150 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
67151 &status_set, sizeof(status_set));
67152 diff -urNp linux-2.6.39.3/kernel/auditsc.c linux-2.6.39.3/kernel/auditsc.c
67153 --- linux-2.6.39.3/kernel/auditsc.c 2011-05-19 00:06:34.000000000 -0400
67154 +++ linux-2.6.39.3/kernel/auditsc.c 2011-05-22 19:36:33.000000000 -0400
67155 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
67156 }
67157
67158 /* global counter which is incremented every time something logs in */
67159 -static atomic_t session_id = ATOMIC_INIT(0);
67160 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
67161
67162 /**
67163 * audit_set_loginuid - set a task's audit_context loginuid
67164 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
67165 */
67166 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
67167 {
67168 - unsigned int sessionid = atomic_inc_return(&session_id);
67169 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
67170 struct audit_context *context = task->audit_context;
67171
67172 if (context && context->in_syscall) {
67173 diff -urNp linux-2.6.39.3/kernel/capability.c linux-2.6.39.3/kernel/capability.c
67174 --- linux-2.6.39.3/kernel/capability.c 2011-05-19 00:06:34.000000000 -0400
67175 +++ linux-2.6.39.3/kernel/capability.c 2011-05-22 21:02:23.000000000 -0400
67176 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
67177 * before modification is attempted and the application
67178 * fails.
67179 */
67180 + if (tocopy > ARRAY_SIZE(kdata))
67181 + return -EFAULT;
67182 +
67183 if (copy_to_user(dataptr, kdata, tocopy
67184 * sizeof(struct __user_cap_data_struct))) {
67185 return -EFAULT;
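Review bot: The new `tocopy > ARRAY_SIZE(kdata)` check is inserted between the existing comment block and the `copy_to_user()` call that the comment describes, so the comment now reads as if it explained the bounds check. Move the check above that comment and give it its own line, for example `/* never copy more entries than kdata holds */`. The rest of `capget` is outside the hunk, so whether `tocopy` can actually exceed the array cannot be judged from here.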
67186 @@ -378,7 +381,7 @@ bool ns_capable(struct user_namespace *n
67187 BUG();
67188 }
67189
67190 - if (security_capable(ns, current_cred(), cap) == 0) {
67191 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
67192 current->flags |= PF_SUPERPRIV;
67193 return true;
67194 }
67195 @@ -386,6 +389,27 @@ bool ns_capable(struct user_namespace *n
67196 }
67197 EXPORT_SYMBOL(ns_capable);
67198
67199 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
67200 +{
67201 + if (unlikely(!cap_valid(cap))) {
67202 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
67203 + BUG();
67204 + }
67205 +
67206 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
67207 + current->flags |= PF_SUPERPRIV;
67208 + return true;
67209 + }
67210 + return false;
67211 +}
67212 +EXPORT_SYMBOL(ns_capable_nolog);
67213 +
67214 +bool capable_nolog(int cap)
67215 +{
67216 + return ns_capable_nolog(&init_user_ns, cap);
67217 +}
67218 +EXPORT_SYMBOL(capable_nolog);
67219 +
67220 /**
67221 * task_ns_capable - Determine whether current task has a superior
67222 * capability targeted at a specific task's user namespace.
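Review bot: `ns_capable_nolog` and `capable_nolog` here, and `task_ns_capable_nolog` in the next hunk, are exported without the kernel-doc block that the neighbouring `task_ns_capable` and `nsown_capable` carry. Each needs a header stating that it goes through `gr_is_capable_nolog()` instead of `gr_is_capable()` and in which situations a caller may use it. A capability check that is presumably not recorded weakens the audit trail if it is used for a real privilege decision. In `ns_capable_nolog` the message names `capable()` rather than the function itself and prints the `int cap` with `%u`; `"%s called with invalid cap=%d\n", __func__, cap` fixes both.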
67223 @@ -400,6 +424,12 @@ bool task_ns_capable(struct task_struct
67224 }
67225 EXPORT_SYMBOL(task_ns_capable);
67226
67227 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
67228 +{
67229 + return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
67230 +}
67231 +EXPORT_SYMBOL(task_ns_capable_nolog);
67232 +
67233 /**
67234 * nsown_capable - Check superior capability to one's own user_ns
67235 * @cap: The capability in question
67236 diff -urNp linux-2.6.39.3/kernel/cgroup.c linux-2.6.39.3/kernel/cgroup.c
67237 --- linux-2.6.39.3/kernel/cgroup.c 2011-05-19 00:06:34.000000000 -0400
67238 +++ linux-2.6.39.3/kernel/cgroup.c 2011-05-22 19:36:33.000000000 -0400
67239 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
67240 struct hlist_head *hhead;
67241 struct cg_cgroup_link *link;
67242
67243 + pax_track_stack();
67244 +
67245 /* First see if we already have a cgroup group that matches
67246 * the desired set */
67247 read_lock(&css_set_lock);
67248 diff -urNp linux-2.6.39.3/kernel/compat.c linux-2.6.39.3/kernel/compat.c
67249 --- linux-2.6.39.3/kernel/compat.c 2011-05-19 00:06:34.000000000 -0400
67250 +++ linux-2.6.39.3/kernel/compat.c 2011-05-22 19:41:42.000000000 -0400
67251 @@ -13,6 +13,7 @@
67252
67253 #include <linux/linkage.h>
67254 #include <linux/compat.h>
67255 +#include <linux/module.h>
67256 #include <linux/errno.h>
67257 #include <linux/time.h>
67258 #include <linux/signal.h>
67259 diff -urNp linux-2.6.39.3/kernel/configs.c linux-2.6.39.3/kernel/configs.c
67260 --- linux-2.6.39.3/kernel/configs.c 2011-05-19 00:06:34.000000000 -0400
67261 +++ linux-2.6.39.3/kernel/configs.c 2011-05-22 19:41:42.000000000 -0400
67262 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
67263 struct proc_dir_entry *entry;
67264
67265 /* create the current config file */
67266 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
67267 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
67268 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
67269 + &ikconfig_file_ops);
67270 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67271 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
67272 + &ikconfig_file_ops);
67273 +#endif
67274 +#else
67275 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
67276 &ikconfig_file_ops);
67277 +#endif
67278 +
67279 if (!entry)
67280 return -ENOMEM;
67281
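Review bot: `entry` is left unassigned when `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is, because the inner `#if`/`#elif` has no `#else`. The `if (!entry)` test then reads an uninitialised pointer. Kconfig dependencies may rule that combination out, but the code should not depend on it silently: add `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif`. The body of `ikconfig_init` continues outside the hunk.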
67282 diff -urNp linux-2.6.39.3/kernel/cred.c linux-2.6.39.3/kernel/cred.c
67283 --- linux-2.6.39.3/kernel/cred.c 2011-05-19 00:06:34.000000000 -0400
67284 +++ linux-2.6.39.3/kernel/cred.c 2011-05-22 19:41:42.000000000 -0400
67285 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
67286 */
67287 void __put_cred(struct cred *cred)
67288 {
67289 + pax_track_stack();
67290 +
67291 kdebug("__put_cred(%p{%d,%d})", cred,
67292 atomic_read(&cred->usage),
67293 read_cred_subscribers(cred));
67294 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
67295 {
67296 struct cred *cred;
67297
67298 + pax_track_stack();
67299 +
67300 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
67301 atomic_read(&tsk->cred->usage),
67302 read_cred_subscribers(tsk->cred));
67303 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
67304 {
67305 const struct cred *cred;
67306
67307 + pax_track_stack();
67308 +
67309 rcu_read_lock();
67310
67311 do {
67312 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
67313 {
67314 struct cred *new;
67315
67316 + pax_track_stack();
67317 +
67318 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
67319 if (!new)
67320 return NULL;
67321 @@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
67322 const struct cred *old;
67323 struct cred *new;
67324
67325 + pax_track_stack();
67326 +
67327 validate_process_creds();
67328
67329 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67330 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
67331 struct thread_group_cred *tgcred = NULL;
67332 struct cred *new;
67333
67334 + pax_track_stack();
67335 +
67336 #ifdef CONFIG_KEYS
67337 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
67338 if (!tgcred)
67339 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
67340 struct cred *new;
67341 int ret;
67342
67343 + pax_track_stack();
67344 +
67345 if (
67346 #ifdef CONFIG_KEYS
67347 !p->cred->thread_keyring &&
67348 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
67349 struct task_struct *task = current;
67350 const struct cred *old = task->real_cred;
67351
67352 + pax_track_stack();
67353 +
67354 kdebug("commit_creds(%p{%d,%d})", new,
67355 atomic_read(&new->usage),
67356 read_cred_subscribers(new));
67357 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
67358
67359 get_cred(new); /* we will require a ref for the subj creds too */
67360
67361 + gr_set_role_label(task, new->uid, new->gid);
67362 +
67363 /* dumpability changes */
67364 if (old->euid != new->euid ||
67365 old->egid != new->egid ||
67366 @@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
67367 */
67368 void abort_creds(struct cred *new)
67369 {
67370 + pax_track_stack();
67371 +
67372 kdebug("abort_creds(%p{%d,%d})", new,
67373 atomic_read(&new->usage),
67374 read_cred_subscribers(new));
67375 @@ -574,6 +594,8 @@ const struct cred *override_creds(const
67376 {
67377 const struct cred *old = current->cred;
67378
67379 + pax_track_stack();
67380 +
67381 kdebug("override_creds(%p{%d,%d})", new,
67382 atomic_read(&new->usage),
67383 read_cred_subscribers(new));
67384 @@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
67385 {
67386 const struct cred *override = current->cred;
67387
67388 + pax_track_stack();
67389 +
67390 kdebug("revert_creds(%p{%d,%d})", old,
67391 atomic_read(&old->usage),
67392 read_cred_subscribers(old));
67393 @@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
67394 const struct cred *old;
67395 struct cred *new;
67396
67397 + pax_track_stack();
67398 +
67399 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67400 if (!new)
67401 return NULL;
67402 @@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
67403 */
67404 int set_security_override(struct cred *new, u32 secid)
67405 {
67406 + pax_track_stack();
67407 +
67408 return security_kernel_act_as(new, secid);
67409 }
67410 EXPORT_SYMBOL(set_security_override);
67411 @@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
67412 u32 secid;
67413 int ret;
67414
67415 + pax_track_stack();
67416 +
67417 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67418 if (ret < 0)
67419 return ret;
67420 diff -urNp linux-2.6.39.3/kernel/debug/debug_core.c linux-2.6.39.3/kernel/debug/debug_core.c
67421 --- linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-19 00:06:34.000000000 -0400
67422 +++ linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-22 19:36:33.000000000 -0400
67423 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
67424 /* Guard for recursive entry */
67425 static int exception_level;
67426
67427 -struct kgdb_io *dbg_io_ops;
67428 +const struct kgdb_io *dbg_io_ops;
67429 static DEFINE_SPINLOCK(kgdb_registration_lock);
67430
67431 /* kgdb console driver is loaded */
67432 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
67433 */
67434 static atomic_t masters_in_kgdb;
67435 static atomic_t slaves_in_kgdb;
67436 -static atomic_t kgdb_break_tasklet_var;
67437 +static atomic_unchecked_t kgdb_break_tasklet_var;
67438 atomic_t kgdb_setting_breakpoint;
67439
67440 struct task_struct *kgdb_usethread;
67441 @@ -129,7 +129,7 @@ int kgdb_single_step;
67442 static pid_t kgdb_sstep_pid;
67443
67444 /* to keep track of the CPU which is doing the single stepping*/
67445 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67446 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67447
67448 /*
67449 * If you are debugging a problem where roundup (the collection of
67450 @@ -542,7 +542,7 @@ return_normal:
67451 * kernel will only try for the value of sstep_tries before
67452 * giving up and continuing on.
67453 */
67454 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67455 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67456 (kgdb_info[cpu].task &&
67457 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
67458 atomic_set(&kgdb_active, -1);
67459 @@ -636,8 +636,8 @@ cpu_master_loop:
67460 }
67461
67462 kgdb_restore:
67463 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
67464 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
67465 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
67466 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
67467 if (kgdb_info[sstep_cpu].task)
67468 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
67469 else
67470 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
67471 static void kgdb_tasklet_bpt(unsigned long ing)
67472 {
67473 kgdb_breakpoint();
67474 - atomic_set(&kgdb_break_tasklet_var, 0);
67475 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
67476 }
67477
67478 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
67479
67480 void kgdb_schedule_breakpoint(void)
67481 {
67482 - if (atomic_read(&kgdb_break_tasklet_var) ||
67483 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
67484 atomic_read(&kgdb_active) != -1 ||
67485 atomic_read(&kgdb_setting_breakpoint))
67486 return;
67487 - atomic_inc(&kgdb_break_tasklet_var);
67488 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
67489 tasklet_schedule(&kgdb_tasklet_breakpoint);
67490 }
67491 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
67492 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
67493 *
67494 * Register it with the KGDB core.
67495 */
67496 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
67497 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
67498 {
67499 int err;
67500
67501 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67502 *
67503 * Unregister it with the KGDB core.
67504 */
67505 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
67506 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
67507 {
67508 BUG_ON(kgdb_connected);
67509
67510 diff -urNp linux-2.6.39.3/kernel/debug/kdb/kdb_main.c linux-2.6.39.3/kernel/debug/kdb/kdb_main.c
67511 --- linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-19 00:06:34.000000000 -0400
67512 +++ linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-22 19:36:33.000000000 -0400
67513 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
67514 list_for_each_entry(mod, kdb_modules, list) {
67515
67516 kdb_printf("%-20s%8u 0x%p ", mod->name,
67517 - mod->core_size, (void *)mod);
67518 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
67519 #ifdef CONFIG_MODULE_UNLOAD
67520 kdb_printf("%4d ", module_refcount(mod));
67521 #endif
67522 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
67523 kdb_printf(" (Loading)");
67524 else
67525 kdb_printf(" (Live)");
67526 - kdb_printf(" 0x%p", mod->module_core);
67527 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67528
67529 #ifdef CONFIG_MODULE_UNLOAD
67530 {
67531 diff -urNp linux-2.6.39.3/kernel/exit.c linux-2.6.39.3/kernel/exit.c
67532 --- linux-2.6.39.3/kernel/exit.c 2011-05-19 00:06:34.000000000 -0400
67533 +++ linux-2.6.39.3/kernel/exit.c 2011-05-22 20:02:30.000000000 -0400
67534 @@ -57,6 +57,10 @@
67535 #include <asm/pgtable.h>
67536 #include <asm/mmu_context.h>
67537
67538 +#ifdef CONFIG_GRKERNSEC
67539 +extern rwlock_t grsec_exec_file_lock;
67540 +#endif
67541 +
67542 static void exit_mm(struct task_struct * tsk);
67543
67544 static void __unhash_process(struct task_struct *p, bool group_dead)
67545 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
67546 struct task_struct *leader;
67547 int zap_leader;
67548 repeat:
67549 + gr_del_task_from_ip_table(p);
67550 +
67551 tracehook_prepare_release_task(p);
67552 /* don't need to get the RCU readlock here - the process is dead and
67553 * can't be modifying its own credentials. But shut RCU-lockdep up */
67554 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
67555 {
67556 write_lock_irq(&tasklist_lock);
67557
67558 +#ifdef CONFIG_GRKERNSEC
67559 + write_lock(&grsec_exec_file_lock);
67560 + if (current->exec_file) {
67561 + fput(current->exec_file);
67562 + current->exec_file = NULL;
67563 + }
67564 + write_unlock(&grsec_exec_file_lock);
67565 +#endif
67566 +
67567 ptrace_unlink(current);
67568 /* Reparent to init */
67569 current->real_parent = current->parent = kthreadd_task;
67570 list_move_tail(&current->sibling, &current->real_parent->children);
67571
67572 + gr_set_kernel_label(current);
67573 +
67574 /* Set the exit signal to SIGCHLD so we signal init on exit */
67575 current->exit_signal = SIGCHLD;
67576
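Review bot: `fput(current->exec_file)` runs while `tasklist_lock` is held with interrupts disabled (`write_lock_irq` at the top of the function) and inside `grsec_exec_file_lock`. If this drops the last reference, the final release of the file can sleep, which is not allowed in that context. Detach the pointer under `grsec_exec_file_lock` and call `fput()` once no lock is held. The same block is repeated in `daemonize()` in a later hunk, so one static helper called from both places avoids the duplication. `reparent_to_kthreadd` continues outside the hunk.

```c
#ifdef CONFIG_GRKERNSEC
/* Clear current->exec_file under the lock; drop the reference outside it. */
static void drop_exec_file(void)
{
	struct file *old;

	write_lock(&grsec_exec_file_lock);
	old = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);

	if (old)
		fput(old);
}
#else
static inline void drop_exec_file(void) { }
#endif

static void reparent_to_kthreadd(void)
{
	drop_exec_file();
	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label … */
```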
67577 @@ -394,7 +411,7 @@ int allow_signal(int sig)
67578 * know it'll be handled, so that they don't get converted to
67579 * SIGKILL or just silently dropped.
67580 */
67581 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67582 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67583 recalc_sigpending();
67584 spin_unlock_irq(&current->sighand->siglock);
67585 return 0;
67586 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
67587 vsnprintf(current->comm, sizeof(current->comm), name, args);
67588 va_end(args);
67589
67590 +#ifdef CONFIG_GRKERNSEC
67591 + write_lock(&grsec_exec_file_lock);
67592 + if (current->exec_file) {
67593 + fput(current->exec_file);
67594 + current->exec_file = NULL;
67595 + }
67596 + write_unlock(&grsec_exec_file_lock);
67597 +#endif
67598 +
67599 + gr_set_kernel_label(current);
67600 +
67601 /*
67602 * If we were started as result of loading a module, close all of the
67603 * user space pages. We don't need them, and if we didn't close them
67604 @@ -905,15 +933,8 @@ NORET_TYPE void do_exit(long code)
67605 struct task_struct *tsk = current;
67606 int group_dead;
67607
67608 - profile_task_exit(tsk);
67609 -
67610 - WARN_ON(atomic_read(&tsk->fs_excl));
67611 - WARN_ON(blk_needs_flush_plug(tsk));
67612 -
67613 if (unlikely(in_interrupt()))
67614 panic("Aiee, killing interrupt handler!");
67615 - if (unlikely(!tsk->pid))
67616 - panic("Attempted to kill the idle task!");
67617
67618 /*
67619 * If do_exit is called because this processes oopsed, it's possible
67620 @@ -924,6 +945,14 @@ NORET_TYPE void do_exit(long code)
67621 */
67622 set_fs(USER_DS);
67623
67624 + profile_task_exit(tsk);
67625 +
67626 + WARN_ON(atomic_read(&tsk->fs_excl));
67627 + WARN_ON(blk_needs_flush_plug(tsk));
67628 +
67629 + if (unlikely(!tsk->pid))
67630 + panic("Attempted to kill the idle task!");
67631 +
67632 tracehook_report_exit(&code);
67633
67634 validate_creds_for_do_exit(tsk);
67635 @@ -984,6 +1013,9 @@ NORET_TYPE void do_exit(long code)
67636 tsk->exit_code = code;
67637 taskstats_exit(tsk, group_dead);
67638
67639 + gr_acl_handle_psacct(tsk, code);
67640 + gr_acl_handle_exit();
67641 +
67642 exit_mm(tsk);
67643
67644 if (group_dead)
67645 diff -urNp linux-2.6.39.3/kernel/fork.c linux-2.6.39.3/kernel/fork.c
67646 --- linux-2.6.39.3/kernel/fork.c 2011-05-19 00:06:34.000000000 -0400
67647 +++ linux-2.6.39.3/kernel/fork.c 2011-05-22 19:41:42.000000000 -0400
67648 @@ -287,7 +287,7 @@ static struct task_struct *dup_task_stru
67649 *stackend = STACK_END_MAGIC; /* for overflow detection */
67650
67651 #ifdef CONFIG_CC_STACKPROTECTOR
67652 - tsk->stack_canary = get_random_int();
67653 + tsk->stack_canary = pax_get_random_long();
67654 #endif
67655
67656 /* One for us, one for whoever does the "release_task()" (usually parent) */
67657 @@ -309,13 +309,78 @@ out:
67658 }
67659
67660 #ifdef CONFIG_MMU
67661 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
67662 +{
67663 + struct vm_area_struct *tmp;
67664 + unsigned long charge;
67665 + struct mempolicy *pol;
67666 + struct file *file;
67667 +
67668 + charge = 0;
67669 + if (mpnt->vm_flags & VM_ACCOUNT) {
67670 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67671 + if (security_vm_enough_memory(len))
67672 + goto fail_nomem;
67673 + charge = len;
67674 + }
67675 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67676 + if (!tmp)
67677 + goto fail_nomem;
67678 + *tmp = *mpnt;
67679 + tmp->vm_mm = mm;
67680 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
67681 + pol = mpol_dup(vma_policy(mpnt));
67682 + if (IS_ERR(pol))
67683 + goto fail_nomem_policy;
67684 + vma_set_policy(tmp, pol);
67685 + if (anon_vma_fork(tmp, mpnt))
67686 + goto fail_nomem_anon_vma_fork;
67687 + tmp->vm_flags &= ~VM_LOCKED;
67688 + tmp->vm_next = tmp->vm_prev = NULL;
67689 + tmp->vm_mirror = NULL;
67690 + file = tmp->vm_file;
67691 + if (file) {
67692 + struct inode *inode = file->f_path.dentry->d_inode;
67693 + struct address_space *mapping = file->f_mapping;
67694 +
67695 + get_file(file);
67696 + if (tmp->vm_flags & VM_DENYWRITE)
67697 + atomic_dec(&inode->i_writecount);
67698 + spin_lock(&mapping->i_mmap_lock);
67699 + if (tmp->vm_flags & VM_SHARED)
67700 + mapping->i_mmap_writable++;
67701 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
67702 + flush_dcache_mmap_lock(mapping);
67703 + /* insert tmp into the share list, just after mpnt */
67704 + vma_prio_tree_add(tmp, mpnt);
67705 + flush_dcache_mmap_unlock(mapping);
67706 + spin_unlock(&mapping->i_mmap_lock);
67707 + }
67708 +
67709 + /*
67710 + * Clear hugetlb-related page reserves for children. This only
67711 + * affects MAP_PRIVATE mappings. Faults generated by the child
67712 + * are not guaranteed to succeed, even if read-only
67713 + */
67714 + if (is_vm_hugetlb_page(tmp))
67715 + reset_vma_resv_huge_pages(tmp);
67716 +
67717 + return tmp;
67718 +
67719 +fail_nomem_anon_vma_fork:
67720 + mpol_put(pol);
67721 +fail_nomem_policy:
67722 + kmem_cache_free(vm_area_cachep, tmp);
67723 +fail_nomem:
67724 + vm_unacct_memory(charge);
67725 + return NULL;
67726 +}
67727 +
67728 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
67729 {
67730 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
67731 struct rb_node **rb_link, *rb_parent;
67732 int retval;
67733 - unsigned long charge;
67734 - struct mempolicy *pol;
67735
67736 down_write(&oldmm->mmap_sem);
67737 flush_cache_dup_mm(oldmm);
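Review bot: `dup_vma` has no header comment although it now holds the whole per-VMA copy that used to sit inline in `dup_mmap`. The comment should say that it returns NULL on any failure after undoing the `vm_unacct_memory` charge and freeing the policy and the new vma, and that `vm_next`, `vm_prev` and `vm_mirror` are cleared. It should also say that linking the copy into `mm` and copying the page tables are left to the caller. Inside the helper, `len` is `unsigned int` while `charge` is `unsigned long`; the narrowing is carried over from the removed inline code, and declaring it as `unsigned long len = ...` would remove it.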
67738 @@ -327,8 +392,8 @@ static int dup_mmap(struct mm_struct *mm
67739 mm->locked_vm = 0;
67740 mm->mmap = NULL;
67741 mm->mmap_cache = NULL;
67742 - mm->free_area_cache = oldmm->mmap_base;
67743 - mm->cached_hole_size = ~0UL;
67744 + mm->free_area_cache = oldmm->free_area_cache;
67745 + mm->cached_hole_size = oldmm->cached_hole_size;
67746 mm->map_count = 0;
67747 cpumask_clear(mm_cpumask(mm));
67748 mm->mm_rb = RB_ROOT;
67749 @@ -344,8 +409,6 @@ static int dup_mmap(struct mm_struct *mm
67750
67751 prev = NULL;
67752 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
67753 - struct file *file;
67754 -
67755 if (mpnt->vm_flags & VM_DONTCOPY) {
67756 long pages = vma_pages(mpnt);
67757 mm->total_vm -= pages;
67758 @@ -353,56 +416,13 @@ static int dup_mmap(struct mm_struct *mm
67759 -pages);
67760 continue;
67761 }
67762 - charge = 0;
67763 - if (mpnt->vm_flags & VM_ACCOUNT) {
67764 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67765 - if (security_vm_enough_memory(len))
67766 - goto fail_nomem;
67767 - charge = len;
67768 - }
67769 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67770 - if (!tmp)
67771 - goto fail_nomem;
67772 - *tmp = *mpnt;
67773 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
67774 - pol = mpol_dup(vma_policy(mpnt));
67775 - retval = PTR_ERR(pol);
67776 - if (IS_ERR(pol))
67777 - goto fail_nomem_policy;
67778 - vma_set_policy(tmp, pol);
67779 - tmp->vm_mm = mm;
67780 - if (anon_vma_fork(tmp, mpnt))
67781 - goto fail_nomem_anon_vma_fork;
67782 - tmp->vm_flags &= ~VM_LOCKED;
67783 - tmp->vm_next = tmp->vm_prev = NULL;
67784 - file = tmp->vm_file;
67785 - if (file) {
67786 - struct inode *inode = file->f_path.dentry->d_inode;
67787 - struct address_space *mapping = file->f_mapping;
67788 -
67789 - get_file(file);
67790 - if (tmp->vm_flags & VM_DENYWRITE)
67791 - atomic_dec(&inode->i_writecount);
67792 - spin_lock(&mapping->i_mmap_lock);
67793 - if (tmp->vm_flags & VM_SHARED)
67794 - mapping->i_mmap_writable++;
67795 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
67796 - flush_dcache_mmap_lock(mapping);
67797 - /* insert tmp into the share list, just after mpnt */
67798 - vma_prio_tree_add(tmp, mpnt);
67799 - flush_dcache_mmap_unlock(mapping);
67800 - spin_unlock(&mapping->i_mmap_lock);
67801 + tmp = dup_vma(mm, mpnt);
67802 + if (!tmp) {
67803 + retval = -ENOMEM;
67804 + goto out;
67805 }
67806
67807 /*
67808 - * Clear hugetlb-related page reserves for children. This only
67809 - * affects MAP_PRIVATE mappings. Faults generated by the child
67810 - * are not guaranteed to succeed, even if read-only
67811 - */
67812 - if (is_vm_hugetlb_page(tmp))
67813 - reset_vma_resv_huge_pages(tmp);
67814 -
67815 - /*
67816 * Link in the new vma and copy the page table entries.
67817 */
67818 *pprev = tmp;
67819 @@ -423,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm
67820 if (retval)
67821 goto out;
67822 }
67823 +
67824 +#ifdef CONFIG_PAX_SEGMEXEC
67825 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67826 + struct vm_area_struct *mpnt_m;
67827 +
67828 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67829 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67830 +
67831 + if (!mpnt->vm_mirror)
67832 + continue;
67833 +
67834 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67835 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67836 + mpnt->vm_mirror = mpnt_m;
67837 + } else {
67838 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67839 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67840 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67841 + mpnt->vm_mirror->vm_mirror = mpnt;
67842 + }
67843 + }
67844 + BUG_ON(mpnt_m);
67845 + }
67846 +#endif
67847 +
67848 /* a new mm has just been created */
67849 arch_dup_mmap(oldmm, mm);
67850 retval = 0;
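Review bot: The mirror fix-up loop added here walks `oldmm->mmap` and `mm->mmap` in lockstep, while the copy loop in an earlier hunk of dup_mmap skips parent vmas flagged `VM_DONTCOPY`, so the child list can be shorter than the parent's. Unless dup_vma or the SEGMEXEC mmap path (neither is visible here) rules such mappings out, the walk goes out of step and `BUG_ON(!mpnt_m || ...)` halts the kernel during an otherwise valid fork. Skipping the uncopied vmas and advancing `mpnt_m` only when a parent vma has a counterpart keeps the two lists aligned, as sketched below. dup_mmap starts and ends outside this hunk.

```c
	for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) {
		/* not copied into the child, so it has no counterpart in mm->mmap */
		if (mpnt->vm_flags & VM_DONTCOPY)
			continue;

		/* … unchanged: BUG_ON consistency check on mpnt and mpnt_m … */

		if (mpnt->vm_mirror) {
			/* … unchanged: both vm_end branches that re-link vm_mirror … */
		}
		mpnt_m = mpnt_m->vm_next;
	}
```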
67851 @@ -431,14 +476,6 @@ out:
67852 flush_tlb_mm(oldmm);
67853 up_write(&oldmm->mmap_sem);
67854 return retval;
67855 -fail_nomem_anon_vma_fork:
67856 - mpol_put(pol);
67857 -fail_nomem_policy:
67858 - kmem_cache_free(vm_area_cachep, tmp);
67859 -fail_nomem:
67860 - retval = -ENOMEM;
67861 - vm_unacct_memory(charge);
67862 - goto out;
67863 }
67864
67865 static inline int mm_alloc_pgd(struct mm_struct * mm)
67866 @@ -785,13 +822,14 @@ static int copy_fs(unsigned long clone_f
67867 spin_unlock(&fs->lock);
67868 return -EAGAIN;
67869 }
67870 - fs->users++;
67871 + atomic_inc(&fs->users);
67872 spin_unlock(&fs->lock);
67873 return 0;
67874 }
67875 tsk->fs = copy_fs_struct(fs);
67876 if (!tsk->fs)
67877 return -ENOMEM;
67878 + gr_set_chroot_entries(tsk, &tsk->fs->root);
67879 return 0;
67880 }
67881
67882 @@ -1049,10 +1087,13 @@ static struct task_struct *copy_process(
67883 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67884 #endif
67885 retval = -EAGAIN;
67886 +
67887 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67888 +
67889 if (atomic_read(&p->real_cred->user->processes) >=
67890 task_rlimit(p, RLIMIT_NPROC)) {
67891 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67892 - p->real_cred->user != INIT_USER)
67893 + if (p->real_cred->user != INIT_USER &&
67894 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
67895 goto bad_fork_free;
67896 }
67897
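Review bot: The reordered condition in the RLIMIT_NPROC check has no comment, although the order is the entire change: with `p->real_cred->user != INIT_USER` first, `capable()` is no longer called when its answer cannot affect the result. Since `capable()` has side effects on success (it marks the task `PF_SUPERPRIV`), a later cleanup could easily swap the operands back. A comment such as `/* test INIT_USER first so capable() runs only when the limit would be enforced */` would protect it. Separately, `gr_learn_resource()` and the comparison each do their own `atomic_read()` of the process count, so the learned value may differ from the one actually checked. copy_process continues outside this hunk.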
67898 @@ -1200,6 +1241,8 @@ static struct task_struct *copy_process(
67899 goto bad_fork_free_pid;
67900 }
67901
67902 + gr_copy_label(p);
67903 +
67904 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67905 /*
67906 * Clear TID on mm_release()?
67907 @@ -1360,6 +1403,8 @@ bad_fork_cleanup_count:
67908 bad_fork_free:
67909 free_task(p);
67910 fork_out:
67911 + gr_log_forkfail(retval);
67912 +
67913 return ERR_PTR(retval);
67914 }
67915
67916 @@ -1448,6 +1493,8 @@ long do_fork(unsigned long clone_flags,
67917 if (clone_flags & CLONE_PARENT_SETTID)
67918 put_user(nr, parent_tidptr);
67919
67920 + gr_handle_brute_check();
67921 +
67922 if (clone_flags & CLONE_VFORK) {
67923 p->vfork_done = &vfork;
67924 init_completion(&vfork);
67925 @@ -1549,7 +1596,7 @@ static int unshare_fs(unsigned long unsh
67926 return 0;
67927
67928 /* don't need lock here; in the worst case we'll do useless copy */
67929 - if (fs->users == 1)
67930 + if (atomic_read(&fs->users) == 1)
67931 return 0;
67932
67933 *new_fsp = copy_fs_struct(fs);
67934 @@ -1636,7 +1683,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67935 fs = current->fs;
67936 spin_lock(&fs->lock);
67937 current->fs = new_fs;
67938 - if (--fs->users)
67939 + gr_set_chroot_entries(current, &current->fs->root);
67940 + if (atomic_dec_return(&fs->users))
67941 new_fs = NULL;
67942 else
67943 new_fs = fs;
67944 diff -urNp linux-2.6.39.3/kernel/futex.c linux-2.6.39.3/kernel/futex.c
67945 --- linux-2.6.39.3/kernel/futex.c 2011-05-19 00:06:34.000000000 -0400
67946 +++ linux-2.6.39.3/kernel/futex.c 2011-05-22 22:41:57.000000000 -0400
67947 @@ -54,6 +54,7 @@
67948 #include <linux/mount.h>
67949 #include <linux/pagemap.h>
67950 #include <linux/syscalls.h>
67951 +#include <linux/ptrace.h>
67952 #include <linux/signal.h>
67953 #include <linux/module.h>
67954 #include <linux/magic.h>
67955 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67956 struct page *page, *page_head;
67957 int err;
67958
67959 +#ifdef CONFIG_PAX_SEGMEXEC
67960 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
67961 + return -EFAULT;
67962 +#endif
67963 +
67964 /*
67965 * The futex address must be "naturally" aligned.
67966 */
67967 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
67968 struct futex_q q = futex_q_init;
67969 int ret;
67970
67971 + pax_track_stack();
67972 +
67973 if (!bitset)
67974 return -EINVAL;
67975 q.bitset = bitset;
67976 @@ -2229,6 +2237,8 @@ static int futex_wait_requeue_pi(u32 __u
67977 struct futex_q q = futex_q_init;
67978 int res, ret;
67979
67980 + pax_track_stack();
67981 +
67982 if (!bitset)
67983 return -EINVAL;
67984
67985 @@ -2401,7 +2411,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67986 {
67987 struct robust_list_head __user *head;
67988 unsigned long ret;
67989 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
67990 const struct cred *cred = current_cred(), *pcred;
67991 +#endif
67992
67993 if (!futex_cmpxchg_enabled)
67994 return -ENOSYS;
67995 @@ -2417,6 +2429,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
67996 if (!p)
67997 goto err_unlock;
67998 ret = -EPERM;
67999 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68000 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68001 + goto err_unlock;
68002 +#else
68003 pcred = __task_cred(p);
68004 /* If victim is in different user_ns, then uids are not
68005 comparable, so we must have CAP_SYS_PTRACE */
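Review bot: Nothing in the `CONFIG_GRKERNSEC_PROC_MEMMAP` branch says why `ptrace_may_access(p, PTRACE_MODE_READ)` replaces the uid comparison, and the same is true of the matching hunk in kernel/futex_compat.c. The value handed back is `p->robust_list`, a user-space address inside the target, so presumably the intent is to release it only to callers who could inspect the target's memory layout anyway. A comment such as `/* robust_list is an address in p's address space: require read-level ptrace access */` would record that. The function body continues outside this hunk.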
68006 @@ -2431,6 +2447,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68007 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68008 goto err_unlock;
68009 ok:
68010 +#endif
68011 head = p->robust_list;
68012 rcu_read_unlock();
68013 }
68014 @@ -2682,6 +2699,7 @@ static int __init futex_init(void)
68015 {
68016 u32 curval;
68017 int i;
68018 + mm_segment_t oldfs;
68019
68020 /*
68021 * This will fail and we want it. Some arch implementations do
68022 @@ -2693,8 +2711,11 @@ static int __init futex_init(void)
68023 * implementation, the non-functional ones will return
68024 * -ENOSYS.
68025 */
68026 + oldfs = get_fs();
68027 + set_fs(USER_DS);
68028 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
68029 futex_cmpxchg_enabled = 1;
68030 + set_fs(oldfs);
68031
68032 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
68033 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
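Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the NULL probe in futex_init is unexplained, and the existing comment above it only says that the access is expected to fail. Presumably the probe has to run under the user address limit so that it fails with `-EFAULT` the same way a real futex call would. If that is the reason, state it next to the call, e.g. `/* probe under the user address limit, as the futex syscalls run */`. futex_init starts and ends outside this hunk.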
68034 diff -urNp linux-2.6.39.3/kernel/futex_compat.c linux-2.6.39.3/kernel/futex_compat.c
68035 --- linux-2.6.39.3/kernel/futex_compat.c 2011-05-19 00:06:34.000000000 -0400
68036 +++ linux-2.6.39.3/kernel/futex_compat.c 2011-05-22 22:42:09.000000000 -0400
68037 @@ -10,6 +10,7 @@
68038 #include <linux/compat.h>
68039 #include <linux/nsproxy.h>
68040 #include <linux/futex.h>
68041 +#include <linux/ptrace.h>
68042
68043 #include <asm/uaccess.h>
68044
68045 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
68046 {
68047 struct compat_robust_list_head __user *head;
68048 unsigned long ret;
68049 - const struct cred *cred = current_cred(), *pcred;
68050 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68051 + const struct cred *cred = current_cred();
68052 + const struct cred *pcred;
68053 +#endif
68054
68055 if (!futex_cmpxchg_enabled)
68056 return -ENOSYS;
68057 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
68058 if (!p)
68059 goto err_unlock;
68060 ret = -EPERM;
68061 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68062 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68063 + goto err_unlock;
68064 +#else
68065 pcred = __task_cred(p);
68066 /* If victim is in different user_ns, then uids are not
68067 comparable, so we must have CAP_SYS_PTRACE */
68068 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
68069 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68070 goto err_unlock;
68071 ok:
68072 +#endif
68073 head = p->compat_robust_list;
68074 rcu_read_unlock();
68075 }
68076 diff -urNp linux-2.6.39.3/kernel/gcov/base.c linux-2.6.39.3/kernel/gcov/base.c
68077 --- linux-2.6.39.3/kernel/gcov/base.c 2011-05-19 00:06:34.000000000 -0400
68078 +++ linux-2.6.39.3/kernel/gcov/base.c 2011-05-22 19:36:33.000000000 -0400
68079 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
68080 }
68081
68082 #ifdef CONFIG_MODULES
68083 -static inline int within(void *addr, void *start, unsigned long size)
68084 -{
68085 - return ((addr >= start) && (addr < start + size));
68086 -}
68087 -
68088 /* Update list and generate events when modules are unloaded. */
68089 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
68090 void *data)
68091 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
68092 prev = NULL;
68093 /* Remove entries located in module from linked list. */
68094 for (info = gcov_info_head; info; info = info->next) {
68095 - if (within(info, mod->module_core, mod->core_size)) {
68096 + if (within_module_core_rw((unsigned long)info, mod)) {
68097 if (prev)
68098 prev->next = info->next;
68099 else
68100 diff -urNp linux-2.6.39.3/kernel/hrtimer.c linux-2.6.39.3/kernel/hrtimer.c
68101 --- linux-2.6.39.3/kernel/hrtimer.c 2011-05-19 00:06:34.000000000 -0400
68102 +++ linux-2.6.39.3/kernel/hrtimer.c 2011-05-22 19:36:33.000000000 -0400
68103 @@ -1383,7 +1383,7 @@ void hrtimer_peek_ahead_timers(void)
68104 local_irq_restore(flags);
68105 }
68106
68107 -static void run_hrtimer_softirq(struct softirq_action *h)
68108 +static void run_hrtimer_softirq(void)
68109 {
68110 hrtimer_peek_ahead_timers();
68111 }
68112 diff -urNp linux-2.6.39.3/kernel/irq/manage.c linux-2.6.39.3/kernel/irq/manage.c
68113 --- linux-2.6.39.3/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
68114 +++ linux-2.6.39.3/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
68115 @@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
68116 struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
68117 int ret = 0;
68118
68119 + if (!desc)
68120 + return -EINVAL;
68121 +
68122 /* wakeup-capable irqs can be shared between drivers that
68123 * don't need to have the same sleep mode behaviors.
68124 */
68125 diff -urNp linux-2.6.39.3/kernel/jump_label.c linux-2.6.39.3/kernel/jump_label.c
68126 --- linux-2.6.39.3/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
68127 +++ linux-2.6.39.3/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
68128 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
68129 mutex_unlock(&jump_label_mutex);
68130 }
68131
68132 +static void jump_label_swap(void *a, void *b, int size)
68133 +{
68134 + struct jump_entry t;
68135 +
68136 + t = *(struct jump_entry *)a;
68137 + pax_open_kernel();
68138 + *(struct jump_entry *)a = *(struct jump_entry *)b;
68139 + *(struct jump_entry *)b = t;
68140 + pax_close_kernel();
68141 +}
68142 +
68143 static int jump_label_cmp(const void *a, const void *b)
68144 {
68145 const struct jump_entry *jea = a;
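Review bot: `jump_label_swap` is added without a comment and silently ignores its `size` argument, always copying one `struct jump_entry`. That is correct for the only caller visible here, which passes `sizeof(struct jump_entry)` to `sort()` in the next hunk, but the assumption should be written down. I would add `/* sort() swap callback for the jump table; writes are bracketed by pax_open_kernel()/pax_close_kernel(); size is always sizeof(struct jump_entry) */` above the function.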
68146 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
68147
68148 size = (((unsigned long)stop - (unsigned long)start)
68149 / sizeof(struct jump_entry));
68150 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
68151 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
68152 }
68153
68154 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
68155 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
68156 count = e_module->nr_entries;
68157 iter = e_module->table;
68158 while (count--) {
68159 - if (within_module_init(iter->code, mod))
68160 + if (within_module_init(iter->code, mod)) {
68161 + pax_open_kernel();
68162 iter->key = 0;
68163 + pax_close_kernel();
68164 + }
68165 iter++;
68166 }
68167 }
68168 diff -urNp linux-2.6.39.3/kernel/kallsyms.c linux-2.6.39.3/kernel/kallsyms.c
68169 --- linux-2.6.39.3/kernel/kallsyms.c 2011-05-19 00:06:34.000000000 -0400
68170 +++ linux-2.6.39.3/kernel/kallsyms.c 2011-05-22 19:41:42.000000000 -0400
68171 @@ -11,6 +11,9 @@
68172 * Changed the compression method from stem compression to "table lookup"
68173 * compression (see scripts/kallsyms.c for a more complete description)
68174 */
68175 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68176 +#define __INCLUDED_BY_HIDESYM 1
68177 +#endif
68178 #include <linux/kallsyms.h>
68179 #include <linux/module.h>
68180 #include <linux/init.h>
68181 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
68182
68183 static inline int is_kernel_inittext(unsigned long addr)
68184 {
68185 + if (system_state != SYSTEM_BOOTING)
68186 + return 0;
68187 +
68188 if (addr >= (unsigned long)_sinittext
68189 && addr <= (unsigned long)_einittext)
68190 return 1;
68191 return 0;
68192 }
68193
68194 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68195 +#ifdef CONFIG_MODULES
68196 +static inline int is_module_text(unsigned long addr)
68197 +{
68198 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68199 + return 1;
68200 +
68201 + addr = ktla_ktva(addr);
68202 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68203 +}
68204 +#else
68205 +static inline int is_module_text(unsigned long addr)
68206 +{
68207 + return 0;
68208 +}
68209 +#endif
68210 +#endif
68211 +
68212 static inline int is_kernel_text(unsigned long addr)
68213 {
68214 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
68215 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
68216
68217 static inline int is_kernel(unsigned long addr)
68218 {
68219 +
68220 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68221 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
68222 + return 1;
68223 +
68224 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68225 +#else
68226 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68227 +#endif
68228 +
68229 return 1;
68230 return in_gate_area_no_mm(addr);
68231 }
68232
68233 static int is_ksym_addr(unsigned long addr)
68234 {
68235 +
68236 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68237 + if (is_module_text(addr))
68238 + return 0;
68239 +#endif
68240 +
68241 if (all_var)
68242 return is_kernel(addr);
68243
68244 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
68245
68246 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68247 {
68248 - iter->name[0] = '\0';
68249 iter->nameoff = get_symbol_offset(new_pos);
68250 iter->pos = new_pos;
68251 }
68252 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
68253 {
68254 struct kallsym_iter *iter = m->private;
68255
68256 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68257 + if (current_uid())
68258 + return 0;
68259 +#endif
68260 +
68261 /* Some debugging symbols have no name. Ignore them. */
68262 if (!iter->name[0])
68263 return 0;
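Review bot: The HIDESYM test in s_show uses `current_uid()`, which is the identity of whichever task calls read(), not of the task that opened the file. A descriptor opened by an unprivileged task and later read by a root-owned process therefore yields the full symbol list. Taking the decision once in kallsyms_open (visible in the next hunk) and storing it in the iterator would bind it to the opener. The layout of `struct kallsym_iter` is not visible here, so the field to hold that flag would need to be added. s_show continues outside this hunk.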
68264 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
68265 struct kallsym_iter *iter;
68266 int ret;
68267
68268 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68269 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68270 if (!iter)
68271 return -ENOMEM;
68272 reset_iter(iter, 0);
68273 diff -urNp linux-2.6.39.3/kernel/kmod.c linux-2.6.39.3/kernel/kmod.c
68274 --- linux-2.6.39.3/kernel/kmod.c 2011-05-19 00:06:34.000000000 -0400
68275 +++ linux-2.6.39.3/kernel/kmod.c 2011-05-22 19:41:42.000000000 -0400
68276 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
68277 * If module auto-loading support is disabled then this function
68278 * becomes a no-operation.
68279 */
68280 -int __request_module(bool wait, const char *fmt, ...)
68281 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
68282 {
68283 - va_list args;
68284 char module_name[MODULE_NAME_LEN];
68285 unsigned int max_modprobes;
68286 int ret;
68287 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
68288 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
68289 static char *envp[] = { "HOME=/",
68290 "TERM=linux",
68291 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
68292 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
68293 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
68294 static int kmod_loop_msg;
68295
68296 - va_start(args, fmt);
68297 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
68298 - va_end(args);
68299 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
68300 if (ret >= MODULE_NAME_LEN)
68301 return -ENAMETOOLONG;
68302
68303 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
68304 if (ret)
68305 return ret;
68306
68307 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68308 + if (!current_uid()) {
68309 + /* hack to workaround consolekit/udisks stupidity */
68310 + read_lock(&tasklist_lock);
68311 + if (!strcmp(current->comm, "mount") &&
68312 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
68313 + read_unlock(&tasklist_lock);
68314 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
68315 + return -EPERM;
68316 + }
68317 + read_unlock(&tasklist_lock);
68318 + }
68319 +#endif
68320 +
68321 /* If modprobe needs a service that is in a module, we get a recursive
68322 * loop. Limit the number of running kmod threads to max_threads/2 or
68323 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
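Review bot: The udisks exception in the MODHARDEN block identifies processes by `comm`, which is a free-form task name rather than an identity, and the existing comment does not say that the match is only a heuristic. `strncmp(current->real_parent->comm, "udisk", 5)` also matches any parent whose name merely begins with those five letters. I would extend the comment, e.g. `/* heuristic only: comm is settable by the task itself, so this is a compatibility filter, not an access check */`. ____request_module starts and ends outside this hunk.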
68324 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
68325 atomic_dec(&kmod_concurrent);
68326 return ret;
68327 }
68328 +
68329 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
68330 +{
68331 + va_list args;
68332 + int ret;
68333 +
68334 + va_start(args, fmt);
68335 + ret = ____request_module(wait, module_param, fmt, args);
68336 + va_end(args);
68337 +
68338 + return ret;
68339 +}
68340 +
68341 +int __request_module(bool wait, const char *fmt, ...)
68342 +{
68343 + va_list args;
68344 + int ret;
68345 +
68346 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68347 + if (current_uid()) {
68348 + char module_param[MODULE_NAME_LEN];
68349 +
68350 + memset(module_param, 0, sizeof(module_param));
68351 +
68352 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
68353 +
68354 + va_start(args, fmt);
68355 + ret = ____request_module(wait, module_param, fmt, args);
68356 + va_end(args);
68357 +
68358 + return ret;
68359 + }
68360 +#endif
68361 +
68362 + va_start(args, fmt);
68363 + ret = ____request_module(wait, NULL, fmt, args);
68364 + va_end(args);
68365 +
68366 + return ret;
68367 +}
68368 +
68369 EXPORT_SYMBOL(__request_module);
68370 #endif /* CONFIG_MODULES */
68371
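Review bot: In the MODHARDEN branch of `__request_module`, the `memset` followed by `snprintf(module_param, sizeof(module_param) - 1, ...)` does the same work twice, because snprintf already NUL-terminates within the size it is given. `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` on its own gives the same result here. The three entry points now differ only in the number of leading underscores, so a one-line comment above `___request_module` and `____request_module` saying which one takes the extra modprobe argument would help readers. Only `__request_module` has an `EXPORT_SYMBOL` in this hunk; whether `___request_module` needs one depends on callers that are not visible here.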
68372 diff -urNp linux-2.6.39.3/kernel/kprobes.c linux-2.6.39.3/kernel/kprobes.c
68373 --- linux-2.6.39.3/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
68374 +++ linux-2.6.39.3/kernel/kprobes.c 2011-05-22 19:36:33.000000000 -0400
68375 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
68376 * kernel image and loaded module images reside. This is required
68377 * so x86_64 can correctly handle the %rip-relative fixups.
68378 */
68379 - kip->insns = module_alloc(PAGE_SIZE);
68380 + kip->insns = module_alloc_exec(PAGE_SIZE);
68381 if (!kip->insns) {
68382 kfree(kip);
68383 return NULL;
68384 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
68385 */
68386 if (!list_is_singular(&kip->list)) {
68387 list_del(&kip->list);
68388 - module_free(NULL, kip->insns);
68389 + module_free_exec(NULL, kip->insns);
68390 kfree(kip);
68391 }
68392 return 1;
68393 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
68394 {
68395 int i, err = 0;
68396 unsigned long offset = 0, size = 0;
68397 - char *modname, namebuf[128];
68398 + char *modname, namebuf[KSYM_NAME_LEN];
68399 const char *symbol_name;
68400 void *addr;
68401 struct kprobe_blackpoint *kb;
68402 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
68403 const char *sym = NULL;
68404 unsigned int i = *(loff_t *) v;
68405 unsigned long offset = 0;
68406 - char *modname, namebuf[128];
68407 + char *modname, namebuf[KSYM_NAME_LEN];
68408
68409 head = &kprobe_table[i];
68410 preempt_disable();
68411 diff -urNp linux-2.6.39.3/kernel/lockdep.c linux-2.6.39.3/kernel/lockdep.c
68412 --- linux-2.6.39.3/kernel/lockdep.c 2011-06-25 12:55:23.000000000 -0400
68413 +++ linux-2.6.39.3/kernel/lockdep.c 2011-06-25 13:00:28.000000000 -0400
68414 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
68415 end = (unsigned long) &_end,
68416 addr = (unsigned long) obj;
68417
68418 +#ifdef CONFIG_PAX_KERNEXEC
68419 + start = ktla_ktva(start);
68420 +#endif
68421 +
68422 /*
68423 * static variable?
68424 */
68425 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
68426 if (!static_obj(lock->key)) {
68427 debug_locks_off();
68428 printk("INFO: trying to register non-static key.\n");
68429 + printk("lock:%pS key:%pS.\n", lock, lock->key);
68430 printk("the code is fine but needs lockdep annotation.\n");
68431 printk("turning off the locking correctness validator.\n");
68432 dump_stack();
68433 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
68434 if (!class)
68435 return 0;
68436 }
68437 - atomic_inc((atomic_t *)&class->ops);
68438 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
68439 if (very_verbose(class)) {
68440 printk("\nacquire class [%p] %s", class->key, class->name);
68441 if (class->name_version > 1)
68442 diff -urNp linux-2.6.39.3/kernel/lockdep_proc.c linux-2.6.39.3/kernel/lockdep_proc.c
68443 --- linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-19 00:06:34.000000000 -0400
68444 +++ linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-22 19:36:33.000000000 -0400
68445 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68446
68447 static void print_name(struct seq_file *m, struct lock_class *class)
68448 {
68449 - char str[128];
68450 + char str[KSYM_NAME_LEN];
68451 const char *name = class->name;
68452
68453 if (!name) {
68454 diff -urNp linux-2.6.39.3/kernel/module.c linux-2.6.39.3/kernel/module.c
68455 --- linux-2.6.39.3/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
68456 +++ linux-2.6.39.3/kernel/module.c 2011-05-22 19:41:42.000000000 -0400
68457 @@ -57,6 +57,7 @@
68458 #include <linux/kmemleak.h>
68459 #include <linux/jump_label.h>
68460 #include <linux/pfn.h>
68461 +#include <linux/grsecurity.h>
68462
68463 #define CREATE_TRACE_POINTS
68464 #include <trace/events/module.h>
68465 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
68466
68467 /* Bounds of module allocation, for speeding __module_address.
68468 * Protected by module_mutex. */
68469 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68470 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68471 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68472
68473 int register_module_notifier(struct notifier_block * nb)
68474 {
68475 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
68476 return true;
68477
68478 list_for_each_entry_rcu(mod, &modules, list) {
68479 - struct symsearch arr[] = {
68480 + struct symsearch modarr[] = {
68481 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68482 NOT_GPL_ONLY, false },
68483 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68484 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
68485 #endif
68486 };
68487
68488 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68489 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68490 return true;
68491 }
68492 return false;
68493 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
68494 static int percpu_modalloc(struct module *mod,
68495 unsigned long size, unsigned long align)
68496 {
68497 - if (align > PAGE_SIZE) {
68498 + if (align-1 >= PAGE_SIZE) {
68499 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68500 mod->name, align, PAGE_SIZE);
68501 align = PAGE_SIZE;
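Review bot: The new test `align-1 >= PAGE_SIZE` in percpu_modalloc also catches `align == 0` through unsigned wraparound, but nothing says so and the warning then prints a misleading "0 > PAGE_SIZE" style message. A short comment makes the trick visible: `/* align - 1 wraps for align == 0, so a zero alignment is clamped as well */`. The message also formats two `unsigned long` values with `%li`; `%lu` would match the types. The function continues outside this hunk.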
68502 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
68503 */
68504 #ifdef CONFIG_SYSFS
68505
68506 -#ifdef CONFIG_KALLSYMS
68507 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68508 static inline bool sect_empty(const Elf_Shdr *sect)
68509 {
68510 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
68511 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
68512 {
68513 unsigned long total_pages;
68514
68515 - if (mod->module_core == module_region) {
68516 + if (mod->module_core_rx == module_region) {
68517 /* Set core as NX+RW */
68518 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
68519 - set_memory_nx((unsigned long)mod->module_core, total_pages);
68520 - set_memory_rw((unsigned long)mod->module_core, total_pages);
68521 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
68522 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
68523 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
68524
68525 - } else if (mod->module_init == module_region) {
68526 + } else if (mod->module_init_rx == module_region) {
68527 /* Set init as NX+RW */
68528 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
68529 - set_memory_nx((unsigned long)mod->module_init, total_pages);
68530 - set_memory_rw((unsigned long)mod->module_init, total_pages);
68531 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
68532 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
68533 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
68534 }
68535 }
68536
68537 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
68538
68539 mutex_lock(&module_mutex);
68540 list_for_each_entry_rcu(mod, &modules, list) {
68541 - if ((mod->module_core) && (mod->core_text_size)) {
68542 - set_page_attributes(mod->module_core,
68543 - mod->module_core + mod->core_text_size,
68544 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68545 + set_page_attributes(mod->module_core_rx,
68546 + mod->module_core_rx + mod->core_size_rx,
68547 set_memory_rw);
68548 }
68549 - if ((mod->module_init) && (mod->init_text_size)) {
68550 - set_page_attributes(mod->module_init,
68551 - mod->module_init + mod->init_text_size,
68552 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68553 + set_page_attributes(mod->module_init_rx,
68554 + mod->module_init_rx + mod->init_size_rx,
68555 set_memory_rw);
68556 }
68557 }
68558 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
68559
68560 mutex_lock(&module_mutex);
68561 list_for_each_entry_rcu(mod, &modules, list) {
68562 - if ((mod->module_core) && (mod->core_text_size)) {
68563 - set_page_attributes(mod->module_core,
68564 - mod->module_core + mod->core_text_size,
68565 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68566 + set_page_attributes(mod->module_core_rx,
68567 + mod->module_core_rx + mod->core_size_rx,
68568 set_memory_ro);
68569 }
68570 - if ((mod->module_init) && (mod->init_text_size)) {
68571 - set_page_attributes(mod->module_init,
68572 - mod->module_init + mod->init_text_size,
68573 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68574 + set_page_attributes(mod->module_init_rx,
68575 + mod->module_init_rx + mod->init_size_rx,
68576 set_memory_ro);
68577 }
68578 }
68579 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
68580 destroy_params(mod->kp, mod->num_kp);
68581
68582 /* This may be NULL, but that's OK */
68583 - unset_section_ro_nx(mod, mod->module_init);
68584 - module_free(mod, mod->module_init);
68585 + unset_section_ro_nx(mod, mod->module_init_rx);
68586 + module_free(mod, mod->module_init_rw);
68587 + module_free_exec(mod, mod->module_init_rx);
68588 kfree(mod->args);
68589 percpu_modfree(mod);
68590
68591 /* Free lock-classes: */
68592 - lockdep_free_key_range(mod->module_core, mod->core_size);
68593 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68594 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68595
68596 /* Finally, free the core (containing the module structure) */
68597 - unset_section_ro_nx(mod, mod->module_core);
68598 - module_free(mod, mod->module_core);
68599 + unset_section_ro_nx(mod, mod->module_core_rx);
68600 + module_free_exec(mod, mod->module_core_rx);
68601 + module_free(mod, mod->module_core_rw);
68602
68603 #ifdef CONFIG_MPU
68604 update_protections(current->mm);
68605 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
68606 unsigned int i;
68607 int ret = 0;
68608 const struct kernel_symbol *ksym;
68609 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68610 + int is_fs_load = 0;
68611 + int register_filesystem_found = 0;
68612 + char *p;
68613 +
68614 + p = strstr(mod->args, "grsec_modharden_fs");
68615 + if (p) {
68616 + char *endptr = p + strlen("grsec_modharden_fs");
68617 + /* copy \0 as well */
68618 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68619 + is_fs_load = 1;
68620 + }
68621 +#endif
68622
68623 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
68624 const char *name = info->strtab + sym[i].st_name;
68625
68626 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68627 + /* it's a real shame this will never get ripped and copied
68628 + upstream! ;(
68629 + */
68630 + if (is_fs_load && !strcmp(name, "register_filesystem"))
68631 + register_filesystem_found = 1;
68632 +#endif
68633 +
68634 switch (sym[i].st_shndx) {
68635 case SHN_COMMON:
68636 /* We compiled with -fno-common. These are not
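Review bot: The `register_filesystem` name test sits at the top of the symbol loop, before `switch (sym[i].st_shndx)`, so it matches every symbol-table entry of that name and not only an undefined import. A module that merely carries a symbol called `register_filesystem` would set the flag without importing the kernel function. Moving `if (is_fs_load && !strcmp(name, "register_filesystem")) register_filesystem_found = 1;` into the `case SHN_UNDEF:` arm, which lies outside this hunk, ties the flag to an actual import. The comment above the test does not describe the check and could be replaced by one stating that intent.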
68637 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
68638 ksym = resolve_symbol_wait(mod, info, name);
68639 /* Ok if resolved. */
68640 if (ksym && !IS_ERR(ksym)) {
68641 + pax_open_kernel();
68642 sym[i].st_value = ksym->value;
68643 + pax_close_kernel();
68644 break;
68645 }
68646
68647 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
68648 secbase = (unsigned long)mod_percpu(mod);
68649 else
68650 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
68651 + pax_open_kernel();
68652 sym[i].st_value += secbase;
68653 + pax_close_kernel();
68654 break;
68655 }
68656 }
68657
68658 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68659 + if (is_fs_load && !register_filesystem_found) {
68660 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68661 + ret = -EPERM;
68662 + }
68663 +#endif
68664 +
68665 return ret;
68666 }
68667
68668 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
68669 || s->sh_entsize != ~0UL
68670 || strstarts(sname, ".init"))
68671 continue;
68672 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68673 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68674 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68675 + else
68676 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68677 DEBUGP("\t%s\n", name);
68678 }
68679 - switch (m) {
68680 - case 0: /* executable */
68681 - mod->core_size = debug_align(mod->core_size);
68682 - mod->core_text_size = mod->core_size;
68683 - break;
68684 - case 1: /* RO: text and ro-data */
68685 - mod->core_size = debug_align(mod->core_size);
68686 - mod->core_ro_size = mod->core_size;
68687 - break;
68688 - case 3: /* whole core */
68689 - mod->core_size = debug_align(mod->core_size);
68690 - break;
68691 - }
68692 }
68693
68694 DEBUGP("Init section allocation order:\n");
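Review bot: The placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop of layout_sections(), and twice more in move_module(). The offsets computed here are only valid if move_module() picks the same region for the same section. One helper would keep the four sites from drifting apart: `static inline bool section_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. In move_module() the `!SHF_ALLOC` half is unreachable, because non-ALLOC sections are skipped by the `continue` just above it. layout_sections() starts outside this hunk.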
68695 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
68696 || s->sh_entsize != ~0UL
68697 || !strstarts(sname, ".init"))
68698 continue;
68699 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68700 - | INIT_OFFSET_MASK);
68701 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68702 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68703 + else
68704 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68705 + s->sh_entsize |= INIT_OFFSET_MASK;
68706 DEBUGP("\t%s\n", sname);
68707 }
68708 - switch (m) {
68709 - case 0: /* executable */
68710 - mod->init_size = debug_align(mod->init_size);
68711 - mod->init_text_size = mod->init_size;
68712 - break;
68713 - case 1: /* RO: text and ro-data */
68714 - mod->init_size = debug_align(mod->init_size);
68715 - mod->init_ro_size = mod->init_size;
68716 - break;
68717 - case 3: /* whole init */
68718 - mod->init_size = debug_align(mod->init_size);
68719 - break;
68720 - }
68721 }
68722 }
68723
68724 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
68725
68726 /* Put symbol section at end of init part of module. */
68727 symsect->sh_flags |= SHF_ALLOC;
68728 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68729 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68730 info->index.sym) | INIT_OFFSET_MASK;
68731 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
68732
68733 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
68734 }
68735
68736 /* Append room for core symbols at end of core part. */
68737 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68738 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
68739 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68740 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
68741
68742 /* Put string table section at end of init part of module. */
68743 strsect->sh_flags |= SHF_ALLOC;
68744 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68745 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68746 info->index.str) | INIT_OFFSET_MASK;
68747 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
68748
68749 /* Append room for core symbols' strings at end of core part. */
68750 - info->stroffs = mod->core_size;
68751 + info->stroffs = mod->core_size_rx;
68752 __set_bit(0, info->strmap);
68753 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
68754 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
68755 }
68756
68757 static void add_kallsyms(struct module *mod, const struct load_info *info)
68758 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
68759 /* Make sure we get permanent strtab: don't use info->strtab. */
68760 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
68761
68762 + pax_open_kernel();
68763 +
68764 /* Set types up while we still have access to sections. */
68765 for (i = 0; i < mod->num_symtab; i++)
68766 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
68767
68768 - mod->core_symtab = dst = mod->module_core + info->symoffs;
68769 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
68770 src = mod->symtab;
68771 *dst = *src;
68772 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68773 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
68774 }
68775 mod->core_num_syms = ndst;
68776
68777 - mod->core_strtab = s = mod->module_core + info->stroffs;
68778 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
68779 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
68780 if (test_bit(i, info->strmap))
68781 *++s = mod->strtab[i];
68782 +
68783 + pax_close_kernel();
68784 }
68785 #else
68786 static inline void layout_symtab(struct module *mod, struct load_info *info)
68787 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
68788 ddebug_remove_module(debug->modname);
68789 }
68790
68791 -static void *module_alloc_update_bounds(unsigned long size)
68792 +static void *module_alloc_update_bounds_rw(unsigned long size)
68793 {
68794 void *ret = module_alloc(size);
68795
68796 if (ret) {
68797 mutex_lock(&module_mutex);
68798 /* Update module bounds. */
68799 - if ((unsigned long)ret < module_addr_min)
68800 - module_addr_min = (unsigned long)ret;
68801 - if ((unsigned long)ret + size > module_addr_max)
68802 - module_addr_max = (unsigned long)ret + size;
68803 + if ((unsigned long)ret < module_addr_min_rw)
68804 + module_addr_min_rw = (unsigned long)ret;
68805 + if ((unsigned long)ret + size > module_addr_max_rw)
68806 + module_addr_max_rw = (unsigned long)ret + size;
68807 + mutex_unlock(&module_mutex);
68808 + }
68809 + return ret;
68810 +}
68811 +
68812 +static void *module_alloc_update_bounds_rx(unsigned long size)
68813 +{
68814 + void *ret = module_alloc_exec(size);
68815 +
68816 + if (ret) {
68817 + mutex_lock(&module_mutex);
68818 + /* Update module bounds. */
68819 + if ((unsigned long)ret < module_addr_min_rx)
68820 + module_addr_min_rx = (unsigned long)ret;
68821 + if ((unsigned long)ret + size > module_addr_max_rx)
68822 + module_addr_max_rx = (unsigned long)ret + size;
68823 mutex_unlock(&module_mutex);
68824 }
68825 return ret;
68826 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
68827 void *ptr;
68828
68829 /* Do the allocs. */
68830 - ptr = module_alloc_update_bounds(mod->core_size);
68831 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68832 /*
68833 * The pointer to this block is stored in the module structure
68834 * which is inside the block. Just mark it as not being a
68835 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
68836 if (!ptr)
68837 return -ENOMEM;
68838
68839 - memset(ptr, 0, mod->core_size);
68840 - mod->module_core = ptr;
68841 + memset(ptr, 0, mod->core_size_rw);
68842 + mod->module_core_rw = ptr;
68843
68844 - ptr = module_alloc_update_bounds(mod->init_size);
68845 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68846 /*
68847 * The pointer to this block is stored in the module structure
68848 * which is inside the block. This block doesn't need to be
68849 * scanned as it contains data and code that will be freed
68850 * after the module is initialized.
68851 */
68852 - kmemleak_ignore(ptr);
68853 - if (!ptr && mod->init_size) {
68854 - module_free(mod, mod->module_core);
68855 + kmemleak_not_leak(ptr);
68856 + if (!ptr && mod->init_size_rw) {
68857 + module_free(mod, mod->module_core_rw);
68858 return -ENOMEM;
68859 }
68860 - memset(ptr, 0, mod->init_size);
68861 - mod->module_init = ptr;
68862 + memset(ptr, 0, mod->init_size_rw);
68863 + mod->module_init_rw = ptr;
68864 +
68865 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68866 + kmemleak_not_leak(ptr);
68867 + if (!ptr) {
68868 + module_free(mod, mod->module_init_rw);
68869 + module_free(mod, mod->module_core_rw);
68870 + return -ENOMEM;
68871 + }
68872 +
68873 + pax_open_kernel();
68874 + memset(ptr, 0, mod->core_size_rx);
68875 + pax_close_kernel();
68876 + mod->module_core_rx = ptr;
68877 +
68878 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68879 + kmemleak_not_leak(ptr);
68880 + if (!ptr && mod->init_size_rx) {
68881 + module_free_exec(mod, mod->module_core_rx);
68882 + module_free(mod, mod->module_init_rw);
68883 + module_free(mod, mod->module_core_rw);
68884 + return -ENOMEM;
68885 + }
68886 +
68887 + pax_open_kernel();
68888 + memset(ptr, 0, mod->init_size_rx);
68889 + pax_close_kernel();
68890 + mod->module_init_rx = ptr;
68891
68892 /* Transfer each section which specifies SHF_ALLOC */
68893 DEBUGP("final section addresses:\n");
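Review bot: The new core rx allocation fails the load on any NULL return (`if (!ptr) {` after `module_alloc_update_bounds_rx(mod->core_size_rx)`), while the init rx allocation just below tolerates NULL when its size is zero. Whether `core_size_rx` can be zero, and whether module_alloc_exec(0) returns NULL, is not visible from this hunk, so this is worth confirming. If both can happen, the guard should match the init one: `if (!ptr && mod->core_size_rx) {`. The two rx allocations also carry no comment, unlike the rw ones above them. move_module() begins and ends outside this hunk.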
68894 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
68895 if (!(shdr->sh_flags & SHF_ALLOC))
68896 continue;
68897
68898 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
68899 - dest = mod->module_init
68900 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68901 - else
68902 - dest = mod->module_core + shdr->sh_entsize;
68903 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
68904 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68905 + dest = mod->module_init_rw
68906 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68907 + else
68908 + dest = mod->module_init_rx
68909 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68910 + } else {
68911 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68912 + dest = mod->module_core_rw + shdr->sh_entsize;
68913 + else
68914 + dest = mod->module_core_rx + shdr->sh_entsize;
68915 + }
68916 +
68917 + if (shdr->sh_type != SHT_NOBITS) {
68918 +
68919 +#ifdef CONFIG_PAX_KERNEXEC
68920 +#ifdef CONFIG_X86_64
68921 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
68922 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68923 +#endif
68924 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
68925 + pax_open_kernel();
68926 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68927 + pax_close_kernel();
68928 + } else
68929 +#endif
68930
68931 - if (shdr->sh_type != SHT_NOBITS)
68932 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68933 + }
68934 /* Update sh_addr to point to copy in image. */
68935 - shdr->sh_addr = (unsigned long)dest;
68936 +
68937 +#ifdef CONFIG_PAX_KERNEXEC
68938 + if (shdr->sh_flags & SHF_EXECINSTR)
68939 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
68940 + else
68941 +#endif
68942 +
68943 + shdr->sh_addr = (unsigned long)dest;
68944 DEBUGP("\t0x%lx %s\n",
68945 shdr->sh_addr, info->secstrings + shdr->sh_name);
68946 }
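Review bot: The page count passed to `set_memory_x()` for sections that are both writable and executable, `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, ignores where `dest` sits within its page. A page-aligned section of exactly one page gets two pages, and a small section that straddles a page boundary gets one, so neighbouring data in the rw region can become executable or the tail of the section can stay non-executable. Deriving the range from the rounded start and end avoids both: `set_memory_x((unsigned long)dest & PAGE_MASK, (PAGE_ALIGN((unsigned long)dest + shdr->sh_size) - ((unsigned long)dest & PAGE_MASK)) >> PAGE_SHIFT);`. A W+X section is unusual enough that a one-line log message naming the section would help an operator notice it. move_module() starts outside this hunk.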
68947 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
68948 * Do it before processing of module parameters, so the module
68949 * can provide parameter accessor functions of its own.
68950 */
68951 - if (mod->module_init)
68952 - flush_icache_range((unsigned long)mod->module_init,
68953 - (unsigned long)mod->module_init
68954 - + mod->init_size);
68955 - flush_icache_range((unsigned long)mod->module_core,
68956 - (unsigned long)mod->module_core + mod->core_size);
68957 + if (mod->module_init_rx)
68958 + flush_icache_range((unsigned long)mod->module_init_rx,
68959 + (unsigned long)mod->module_init_rx
68960 + + mod->init_size_rx);
68961 + flush_icache_range((unsigned long)mod->module_core_rx,
68962 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
68963
68964 set_fs(old_fs);
68965 }
68966 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
68967 {
68968 kfree(info->strmap);
68969 percpu_modfree(mod);
68970 - module_free(mod, mod->module_init);
68971 - module_free(mod, mod->module_core);
68972 + module_free_exec(mod, mod->module_init_rx);
68973 + module_free_exec(mod, mod->module_core_rx);
68974 + module_free(mod, mod->module_init_rw);
68975 + module_free(mod, mod->module_core_rw);
68976 }
68977
68978 static int post_relocation(struct module *mod, const struct load_info *info)
68979 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
68980 if (err)
68981 goto free_unload;
68982
68983 + /* Now copy in args */
68984 + mod->args = strndup_user(uargs, ~0UL >> 1);
68985 + if (IS_ERR(mod->args)) {
68986 + err = PTR_ERR(mod->args);
68987 + goto free_unload;
68988 + }
68989 +
68990 /* Set up MODINFO_ATTR fields */
68991 setup_modinfo(mod, &info);
68992
68993 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68994 + {
68995 + char *p, *p2;
68996 +
68997 + if (strstr(mod->args, "grsec_modharden_netdev")) {
68998 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
68999 + err = -EPERM;
69000 + goto free_modinfo;
69001 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
69002 + p += strlen("grsec_modharden_normal");
69003 + p2 = strstr(p, "_");
69004 + if (p2) {
69005 + *p2 = '\0';
69006 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
69007 + *p2 = '_';
69008 + }
69009 + err = -EPERM;
69010 + goto free_modinfo;
69011 + }
69012 + }
69013 +#endif
69014 +
69015 /* Fix up syms, so that st_value is a pointer to location. */
69016 err = simplify_symbols(mod, &info);
69017 if (err < 0)
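Review bot: In the `grsec_modharden_normal` branch the load is refused with -EPERM but nothing is logged when no `_` follows the marker (`p2` is NULL), so that denial leaves no audit trail. An `else` arm with a message that omits the uid would close the gap: `else printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s\n", mod->name);`. The netdev message a few lines up also lacks the trailing `\n` that the other grsec messages have. The markers are matched with `strstr()` anywhere in `mod->args`, so a comment should say where they are expected to come from (presumably the kernel's own auto-load path, which is outside this hunk). load_module() starts and ends outside the hunk.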
69018 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
69019
69020 flush_module_icache(mod);
69021
69022 - /* Now copy in args */
69023 - mod->args = strndup_user(uargs, ~0UL >> 1);
69024 - if (IS_ERR(mod->args)) {
69025 - err = PTR_ERR(mod->args);
69026 - goto free_arch_cleanup;
69027 - }
69028 -
69029 /* Mark state as coming so strong_try_module_get() ignores us. */
69030 mod->state = MODULE_STATE_COMING;
69031
69032 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
69033 unlock:
69034 mutex_unlock(&module_mutex);
69035 synchronize_sched();
69036 - kfree(mod->args);
69037 - free_arch_cleanup:
69038 module_arch_cleanup(mod);
69039 free_modinfo:
69040 free_modinfo(mod);
69041 + kfree(mod->args);
69042 free_unload:
69043 module_unload_free(mod);
69044 free_module:
69045 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
69046 MODULE_STATE_COMING, mod);
69047
69048 /* Set RO and NX regions for core */
69049 - set_section_ro_nx(mod->module_core,
69050 - mod->core_text_size,
69051 - mod->core_ro_size,
69052 - mod->core_size);
69053 + set_section_ro_nx(mod->module_core_rx,
69054 + mod->core_size_rx,
69055 + mod->core_size_rx,
69056 + mod->core_size_rx);
69057
69058 /* Set RO and NX regions for init */
69059 - set_section_ro_nx(mod->module_init,
69060 - mod->init_text_size,
69061 - mod->init_ro_size,
69062 - mod->init_size);
69063 + set_section_ro_nx(mod->module_init_rx,
69064 + mod->init_size_rx,
69065 + mod->init_size_rx,
69066 + mod->init_size_rx);
69067
69068 do_mod_ctors(mod);
69069 /* Start the module */
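Review bot: Both `set_section_ro_nx()` calls now pass the same value for all three size arguments, so the text/read-only/total distinction that function was given before no longer exists for the rx regions. Nothing in this hunk applies NX to `module_core_rw` or `module_init_rw` either. If the rw allocations are meant to be non-executable from module_alloc() itself, a comment should say so, e.g. `/* rx region is text + rodata only; rw region relies on module_alloc() mapping it NX */`. set_section_ro_nx() is defined outside this hunk, so how it handles equal sizes should be confirmed.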
69070 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
69071 mod->symtab = mod->core_symtab;
69072 mod->strtab = mod->core_strtab;
69073 #endif
69074 - unset_section_ro_nx(mod, mod->module_init);
69075 - module_free(mod, mod->module_init);
69076 - mod->module_init = NULL;
69077 - mod->init_size = 0;
69078 - mod->init_text_size = 0;
69079 + unset_section_ro_nx(mod, mod->module_init_rx);
69080 + module_free(mod, mod->module_init_rw);
69081 + module_free_exec(mod, mod->module_init_rx);
69082 + mod->module_init_rw = NULL;
69083 + mod->module_init_rx = NULL;
69084 + mod->init_size_rw = 0;
69085 + mod->init_size_rx = 0;
69086 mutex_unlock(&module_mutex);
69087
69088 return 0;
69089 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
69090 unsigned long nextval;
69091
69092 /* At worse, next value is at end of module */
69093 - if (within_module_init(addr, mod))
69094 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
69095 + if (within_module_init_rx(addr, mod))
69096 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
69097 + else if (within_module_init_rw(addr, mod))
69098 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
69099 + else if (within_module_core_rx(addr, mod))
69100 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
69101 + else if (within_module_core_rw(addr, mod))
69102 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
69103 else
69104 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
69105 + return NULL;
69106
69107 /* Scan for closest preceding symbol, and next symbol. (ELF
69108 starts real symbols at 1). */
69109 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
69110 char buf[8];
69111
69112 seq_printf(m, "%s %u",
69113 - mod->name, mod->init_size + mod->core_size);
69114 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
69115 print_unload_info(m, mod);
69116
69117 /* Informative for users. */
69118 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
69119 mod->state == MODULE_STATE_COMING ? "Loading":
69120 "Live");
69121 /* Used by oprofile and other similar tools. */
69122 - seq_printf(m, " 0x%pK", mod->module_core);
69123 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
69124
69125 /* Taints info */
69126 if (mod->taints)
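Review bot: The second address added by `seq_printf(m, " 0x%pK 0x%pK", ...)` changes the field layout of /proc/modules, and the comment above it still says only that the value is used by oprofile and similar tools. Parsers that expect one address followed by the optional taint field will now read the rw base as the next column. If the extra column is intended, the comment should say which address is which, e.g. `/* rx (text) base, then rw (data) base; tools that read one address get the rx base */`. m_show() starts and ends outside this hunk.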
69127 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
69128
69129 static int __init proc_modules_init(void)
69130 {
69131 +#ifndef CONFIG_GRKERNSEC_HIDESYM
69132 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69133 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69134 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69135 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
69136 +#else
69137 proc_create("modules", 0, NULL, &proc_modules_operations);
69138 +#endif
69139 +#else
69140 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69141 +#endif
69142 return 0;
69143 }
69144 module_init(proc_modules_init);
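Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` ladder in proc_modules_init() repeats the `S_IRUSR` call in two arms, which makes the resulting mode hard to read off. A flat chain gives the same result: `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)` for `S_IRUSR`, `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` for `S_IRUSR | S_IRGRP`, and `#else` for the unchanged call.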
69145 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
69146 {
69147 struct module *mod;
69148
69149 - if (addr < module_addr_min || addr > module_addr_max)
69150 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
69151 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
69152 return NULL;
69153
69154 list_for_each_entry_rcu(mod, &modules, list)
69155 - if (within_module_core(addr, mod)
69156 - || within_module_init(addr, mod))
69157 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
69158 return mod;
69159 return NULL;
69160 }
69161 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
69162 */
69163 struct module *__module_text_address(unsigned long addr)
69164 {
69165 - struct module *mod = __module_address(addr);
69166 + struct module *mod;
69167 +
69168 +#ifdef CONFIG_X86_32
69169 + addr = ktla_ktva(addr);
69170 +#endif
69171 +
69172 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69173 + return NULL;
69174 +
69175 + mod = __module_address(addr);
69176 +
69177 if (mod) {
69178 /* Make sure it's within the text section. */
69179 - if (!within(addr, mod->module_init, mod->init_text_size)
69180 - && !within(addr, mod->module_core, mod->core_text_size))
69181 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
69182 mod = NULL;
69183 }
69184 return mod;
69185 diff -urNp linux-2.6.39.3/kernel/mutex.c linux-2.6.39.3/kernel/mutex.c
69186 --- linux-2.6.39.3/kernel/mutex.c 2011-05-19 00:06:34.000000000 -0400
69187 +++ linux-2.6.39.3/kernel/mutex.c 2011-05-22 19:36:33.000000000 -0400
69188 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
69189 */
69190
69191 for (;;) {
69192 - struct thread_info *owner;
69193 + struct task_struct *owner;
69194
69195 /*
69196 * If we own the BKL, then don't spin. The owner of
69197 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
69198 spin_lock_mutex(&lock->wait_lock, flags);
69199
69200 debug_mutex_lock_common(lock, &waiter);
69201 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
69202 + debug_mutex_add_waiter(lock, &waiter, task);
69203
69204 /* add waiting tasks to the end of the waitqueue (FIFO): */
69205 list_add_tail(&waiter.list, &lock->wait_list);
69206 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
69207 * TASK_UNINTERRUPTIBLE case.)
69208 */
69209 if (unlikely(signal_pending_state(state, task))) {
69210 - mutex_remove_waiter(lock, &waiter,
69211 - task_thread_info(task));
69212 + mutex_remove_waiter(lock, &waiter, task);
69213 mutex_release(&lock->dep_map, 1, ip);
69214 spin_unlock_mutex(&lock->wait_lock, flags);
69215
69216 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
69217 done:
69218 lock_acquired(&lock->dep_map, ip);
69219 /* got the lock - rejoice! */
69220 - mutex_remove_waiter(lock, &waiter, current_thread_info());
69221 + mutex_remove_waiter(lock, &waiter, task);
69222 mutex_set_owner(lock);
69223
69224 /* set it to 0 if there are no waiters left: */
69225 diff -urNp linux-2.6.39.3/kernel/mutex-debug.c linux-2.6.39.3/kernel/mutex-debug.c
69226 --- linux-2.6.39.3/kernel/mutex-debug.c 2011-05-19 00:06:34.000000000 -0400
69227 +++ linux-2.6.39.3/kernel/mutex-debug.c 2011-05-22 19:36:33.000000000 -0400
69228 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
69229 }
69230
69231 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69232 - struct thread_info *ti)
69233 + struct task_struct *task)
69234 {
69235 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
69236
69237 /* Mark the current thread as blocked on the lock: */
69238 - ti->task->blocked_on = waiter;
69239 + task->blocked_on = waiter;
69240 }
69241
69242 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69243 - struct thread_info *ti)
69244 + struct task_struct *task)
69245 {
69246 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
69247 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
69248 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
69249 - ti->task->blocked_on = NULL;
69250 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
69251 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
69252 + task->blocked_on = NULL;
69253
69254 list_del_init(&waiter->list);
69255 waiter->task = NULL;
69256 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
69257 return;
69258
69259 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
69260 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
69261 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
69262 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
69263 mutex_clear_owner(lock);
69264 }
69265 diff -urNp linux-2.6.39.3/kernel/mutex-debug.h linux-2.6.39.3/kernel/mutex-debug.h
69266 --- linux-2.6.39.3/kernel/mutex-debug.h 2011-05-19 00:06:34.000000000 -0400
69267 +++ linux-2.6.39.3/kernel/mutex-debug.h 2011-05-22 19:36:33.000000000 -0400
69268 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
69269 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
69270 extern void debug_mutex_add_waiter(struct mutex *lock,
69271 struct mutex_waiter *waiter,
69272 - struct thread_info *ti);
69273 + struct task_struct *task);
69274 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69275 - struct thread_info *ti);
69276 + struct task_struct *task);
69277 extern void debug_mutex_unlock(struct mutex *lock);
69278 extern void debug_mutex_init(struct mutex *lock, const char *name,
69279 struct lock_class_key *key);
69280
69281 static inline void mutex_set_owner(struct mutex *lock)
69282 {
69283 - lock->owner = current_thread_info();
69284 + lock->owner = current;
69285 }
69286
69287 static inline void mutex_clear_owner(struct mutex *lock)
69288 diff -urNp linux-2.6.39.3/kernel/mutex.h linux-2.6.39.3/kernel/mutex.h
69289 --- linux-2.6.39.3/kernel/mutex.h 2011-05-19 00:06:34.000000000 -0400
69290 +++ linux-2.6.39.3/kernel/mutex.h 2011-05-22 19:36:33.000000000 -0400
69291 @@ -19,7 +19,7 @@
69292 #ifdef CONFIG_SMP
69293 static inline void mutex_set_owner(struct mutex *lock)
69294 {
69295 - lock->owner = current_thread_info();
69296 + lock->owner = current;
69297 }
69298
69299 static inline void mutex_clear_owner(struct mutex *lock)
69300 diff -urNp linux-2.6.39.3/kernel/padata.c linux-2.6.39.3/kernel/padata.c
69301 --- linux-2.6.39.3/kernel/padata.c 2011-05-19 00:06:34.000000000 -0400
69302 +++ linux-2.6.39.3/kernel/padata.c 2011-05-22 19:36:33.000000000 -0400
69303 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
69304 padata->pd = pd;
69305 padata->cb_cpu = cb_cpu;
69306
69307 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
69308 - atomic_set(&pd->seq_nr, -1);
69309 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
69310 + atomic_set_unchecked(&pd->seq_nr, -1);
69311
69312 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
69313 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
69314
69315 target_cpu = padata_cpu_hash(padata);
69316 queue = per_cpu_ptr(pd->pqueue, target_cpu);
69317 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
69318 padata_init_pqueues(pd);
69319 padata_init_squeues(pd);
69320 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
69321 - atomic_set(&pd->seq_nr, -1);
69322 + atomic_set_unchecked(&pd->seq_nr, -1);
69323 atomic_set(&pd->reorder_objects, 0);
69324 atomic_set(&pd->refcnt, 0);
69325 pd->pinst = pinst;
69326 diff -urNp linux-2.6.39.3/kernel/panic.c linux-2.6.39.3/kernel/panic.c
69327 --- linux-2.6.39.3/kernel/panic.c 2011-05-19 00:06:34.000000000 -0400
69328 +++ linux-2.6.39.3/kernel/panic.c 2011-05-22 19:41:42.000000000 -0400
69329 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
69330 const char *board;
69331
69332 printk(KERN_WARNING "------------[ cut here ]------------\n");
69333 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
69334 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
69335 board = dmi_get_system_info(DMI_PRODUCT_NAME);
69336 if (board)
69337 printk(KERN_WARNING "Hardware name: %s\n", board);
69338 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
69339 */
69340 void __stack_chk_fail(void)
69341 {
69342 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
69343 + dump_stack();
69344 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
69345 __builtin_return_address(0));
69346 }
69347 EXPORT_SYMBOL(__stack_chk_fail);
69348 diff -urNp linux-2.6.39.3/kernel/params.c linux-2.6.39.3/kernel/params.c
69349 --- linux-2.6.39.3/kernel/params.c 2011-05-19 00:06:34.000000000 -0400
69350 +++ linux-2.6.39.3/kernel/params.c 2011-05-22 19:36:33.000000000 -0400
69351 @@ -234,7 +234,7 @@ int parse_args(const char *name,
69352 { \
69353 return sprintf(buffer, format, *((type *)kp->arg)); \
69354 } \
69355 - struct kernel_param_ops param_ops_##name = { \
69356 + const struct kernel_param_ops param_ops_##name = { \
69357 .set = param_set_##name, \
69358 .get = param_get_##name, \
69359 }; \
69360 @@ -286,7 +286,7 @@ static void param_free_charp(void *arg)
69361 maybe_kfree_parameter(*((char **)arg));
69362 }
69363
69364 -struct kernel_param_ops param_ops_charp = {
69365 +const struct kernel_param_ops param_ops_charp = {
69366 .set = param_set_charp,
69367 .get = param_get_charp,
69368 .free = param_free_charp,
69369 @@ -334,7 +334,7 @@ int param_get_bool(char *buffer, const s
69370 }
69371 EXPORT_SYMBOL(param_get_bool);
69372
69373 -struct kernel_param_ops param_ops_bool = {
69374 +const struct kernel_param_ops param_ops_bool = {
69375 .set = param_set_bool,
69376 .get = param_get_bool,
69377 };
69378 @@ -362,7 +362,7 @@ int param_get_invbool(char *buffer, cons
69379 }
69380 EXPORT_SYMBOL(param_get_invbool);
69381
69382 -struct kernel_param_ops param_ops_invbool = {
69383 +const struct kernel_param_ops param_ops_invbool = {
69384 .set = param_set_invbool,
69385 .get = param_get_invbool,
69386 };
69387 @@ -460,7 +460,7 @@ static void param_array_free(void *arg)
69388 arr->ops->free(arr->elem + arr->elemsize * i);
69389 }
69390
69391 -struct kernel_param_ops param_array_ops = {
69392 +const struct kernel_param_ops param_array_ops = {
69393 .set = param_array_set,
69394 .get = param_array_get,
69395 .free = param_array_free,
69396 @@ -488,7 +488,7 @@ int param_get_string(char *buffer, const
69397 }
69398 EXPORT_SYMBOL(param_get_string);
69399
69400 -struct kernel_param_ops param_ops_string = {
69401 +const struct kernel_param_ops param_ops_string = {
69402 .set = param_set_copystring,
69403 .get = param_get_string,
69404 };
69405 diff -urNp linux-2.6.39.3/kernel/perf_event.c linux-2.6.39.3/kernel/perf_event.c
69406 --- linux-2.6.39.3/kernel/perf_event.c 2011-05-19 00:06:34.000000000 -0400
69407 +++ linux-2.6.39.3/kernel/perf_event.c 2011-05-22 19:36:33.000000000 -0400
69408 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
69409 return 0;
69410 }
69411
69412 -static atomic64_t perf_event_id;
69413 +static atomic64_unchecked_t perf_event_id;
69414
69415 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
69416 enum event_type_t event_type);
69417 @@ -2496,7 +2496,7 @@ static void __perf_event_read(void *info
69418
69419 static inline u64 perf_event_count(struct perf_event *event)
69420 {
69421 - return local64_read(&event->count) + atomic64_read(&event->child_count);
69422 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
69423 }
69424
69425 static u64 perf_event_read(struct perf_event *event)
69426 @@ -3031,9 +3031,9 @@ u64 perf_event_read_value(struct perf_ev
69427 mutex_lock(&event->child_mutex);
69428 total += perf_event_read(event);
69429 *enabled += event->total_time_enabled +
69430 - atomic64_read(&event->child_total_time_enabled);
69431 + atomic64_read_unchecked(&event->child_total_time_enabled);
69432 *running += event->total_time_running +
69433 - atomic64_read(&event->child_total_time_running);
69434 + atomic64_read_unchecked(&event->child_total_time_running);
69435
69436 list_for_each_entry(child, &event->child_list, child_list) {
69437 total += perf_event_read(child);
69438 @@ -3396,10 +3396,10 @@ void perf_event_update_userpage(struct p
69439 userpg->offset -= local64_read(&event->hw.prev_count);
69440
69441 userpg->time_enabled = event->total_time_enabled +
69442 - atomic64_read(&event->child_total_time_enabled);
69443 + atomic64_read_unchecked(&event->child_total_time_enabled);
69444
69445 userpg->time_running = event->total_time_running +
69446 - atomic64_read(&event->child_total_time_running);
69447 + atomic64_read_unchecked(&event->child_total_time_running);
69448
69449 barrier();
69450 ++userpg->lock;
69451 @@ -3884,16 +3884,16 @@ static void perf_pending_event(struct ir
69452 * Later on, we might change it to a list if there is
69453 * another virtualization implementation supporting the callbacks.
69454 */
69455 -struct perf_guest_info_callbacks *perf_guest_cbs;
69456 +const struct perf_guest_info_callbacks *perf_guest_cbs;
69457
69458 -int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69459 +int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69460 {
69461 perf_guest_cbs = cbs;
69462 return 0;
69463 }
69464 EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
69465
69466 -int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69467 +int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69468 {
69469 perf_guest_cbs = NULL;
69470 return 0;
69471 @@ -4196,11 +4196,11 @@ static void perf_output_read_one(struct
69472 values[n++] = perf_event_count(event);
69473 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69474 values[n++] = enabled +
69475 - atomic64_read(&event->child_total_time_enabled);
69476 + atomic64_read_unchecked(&event->child_total_time_enabled);
69477 }
69478 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69479 values[n++] = running +
69480 - atomic64_read(&event->child_total_time_running);
69481 + atomic64_read_unchecked(&event->child_total_time_running);
69482 }
69483 if (read_format & PERF_FORMAT_ID)
69484 values[n++] = primary_event_id(event);
69485 @@ -6201,7 +6201,7 @@ perf_event_alloc(struct perf_event_attr
69486 event->parent = parent_event;
69487
69488 event->ns = get_pid_ns(current->nsproxy->pid_ns);
69489 - event->id = atomic64_inc_return(&perf_event_id);
69490 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
69491
69492 event->state = PERF_EVENT_STATE_INACTIVE;
69493
69494 @@ -6724,10 +6724,10 @@ static void sync_child_event(struct perf
69495 /*
69496 * Add back the child's count to the parent's count:
69497 */
69498 - atomic64_add(child_val, &parent_event->child_count);
69499 - atomic64_add(child_event->total_time_enabled,
69500 + atomic64_add_unchecked(child_val, &parent_event->child_count);
69501 + atomic64_add_unchecked(child_event->total_time_enabled,
69502 &parent_event->child_total_time_enabled);
69503 - atomic64_add(child_event->total_time_running,
69504 + atomic64_add_unchecked(child_event->total_time_running,
69505 &parent_event->child_total_time_running);
69506
69507 /*
69508 diff -urNp linux-2.6.39.3/kernel/pid.c linux-2.6.39.3/kernel/pid.c
69509 --- linux-2.6.39.3/kernel/pid.c 2011-05-19 00:06:34.000000000 -0400
69510 +++ linux-2.6.39.3/kernel/pid.c 2011-07-16 15:42:36.000000000 -0400
69511 @@ -33,6 +33,7 @@
69512 #include <linux/rculist.h>
69513 #include <linux/bootmem.h>
69514 #include <linux/hash.h>
69515 +#include <linux/security.h>
69516 #include <linux/pid_namespace.h>
69517 #include <linux/init_task.h>
69518 #include <linux/syscalls.h>
69519 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69520
69521 int pid_max = PID_MAX_DEFAULT;
69522
69523 -#define RESERVED_PIDS 300
69524 +#define RESERVED_PIDS 500
69525
69526 int pid_max_min = RESERVED_PIDS + 1;
69527 int pid_max_max = PID_MAX_LIMIT;
69528 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
69529 */
69530 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69531 {
69532 + struct task_struct *task;
69533 +
69534 rcu_lockdep_assert(rcu_read_lock_held());
69535 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69536 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69537 +
69538 + if (gr_pid_is_chrooted(task))
69539 + return NULL;
69540 +
69541 + return task;
69542 }
69543
69544 struct task_struct *find_task_by_vpid(pid_t vnr)
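Review bot: `task` can be NULL in find_task_by_pid_ns() when the pid lookup finds nothing, and the added code passes it straight to `gr_pid_is_chrooted()`, whose definition is not visible in this hunk. If that helper does not reject NULL itself, every failed lookup would dereference a null pointer. Making the guard explicit at the call site removes the hidden dependency: `if (task && gr_pid_is_chrooted(task))`.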
69545 @@ -428,6 +436,12 @@ struct task_struct *find_task_by_vpid(pi
69546 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
69547 }
69548
69549 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
69550 +{
69551 + rcu_lockdep_assert(rcu_read_lock_held());
69552 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
69553 +}
69554 +
69555 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
69556 {
69557 struct pid *pid;
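Review bot: find_task_by_vpid_unrestricted() is added without a comment saying that it skips the `gr_pid_is_chrooted()` filter which find_task_by_pid_ns() now applies; that filter is the only difference between it and find_task_by_vpid(). A later caller that picks the wrong variant would presumably make filtered tasks visible again without any sign of it in review. I would add above the function `/* Like find_task_by_vpid() but without the gr_pid_is_chrooted() filter; caller must hold rcu_read_lock(). */` and have each call site say why the bypass is needed.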
69558 diff -urNp linux-2.6.39.3/kernel/posix-cpu-timers.c linux-2.6.39.3/kernel/posix-cpu-timers.c
69559 --- linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-19 00:06:34.000000000 -0400
69560 +++ linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-22 19:41:42.000000000 -0400
69561 @@ -6,6 +6,7 @@
69562 #include <linux/posix-timers.h>
69563 #include <linux/errno.h>
69564 #include <linux/math64.h>
69565 +#include <linux/security.h>
69566 #include <asm/uaccess.h>
69567 #include <linux/kernel_stat.h>
69568 #include <trace/events/timer.h>
69569 @@ -1590,7 +1591,7 @@ static int thread_cpu_timer_create(struc
69570 return posix_cpu_timer_create(timer);
69571 }
69572
69573 -struct k_clock clock_posix_cpu = {
69574 +const struct k_clock clock_posix_cpu = {
69575 .clock_getres = posix_cpu_clock_getres,
69576 .clock_set = posix_cpu_clock_set,
69577 .clock_get = posix_cpu_clock_get,
69578 @@ -1604,14 +1605,14 @@ struct k_clock clock_posix_cpu = {
69579
69580 static __init int init_posix_cpu_timers(void)
69581 {
69582 - struct k_clock process = {
69583 + const struct k_clock process = {
69584 .clock_getres = process_cpu_clock_getres,
69585 .clock_get = process_cpu_clock_get,
69586 .timer_create = process_cpu_timer_create,
69587 .nsleep = process_cpu_nsleep,
69588 .nsleep_restart = process_cpu_nsleep_restart,
69589 };
69590 - struct k_clock thread = {
69591 + const struct k_clock thread = {
69592 .clock_getres = thread_cpu_clock_getres,
69593 .clock_get = thread_cpu_clock_get,
69594 .timer_create = thread_cpu_timer_create,
69595 diff -urNp linux-2.6.39.3/kernel/posix-timers.c linux-2.6.39.3/kernel/posix-timers.c
69596 --- linux-2.6.39.3/kernel/posix-timers.c 2011-05-19 00:06:34.000000000 -0400
69597 +++ linux-2.6.39.3/kernel/posix-timers.c 2011-05-22 20:13:41.000000000 -0400
69598 @@ -43,6 +43,7 @@
69599 #include <linux/idr.h>
69600 #include <linux/posix-clock.h>
69601 #include <linux/posix-timers.h>
69602 +#include <linux/grsecurity.h>
69603 #include <linux/syscalls.h>
69604 #include <linux/wait.h>
69605 #include <linux/workqueue.h>
69606 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
69607 */
69608 static __init int init_posix_timers(void)
69609 {
69610 - struct k_clock clock_realtime = {
69611 + const struct k_clock clock_realtime = {
69612 .clock_getres = hrtimer_get_res,
69613 .clock_get = posix_clock_realtime_get,
69614 .clock_set = posix_clock_realtime_set,
69615 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
69616 .timer_get = common_timer_get,
69617 .timer_del = common_timer_del,
69618 };
69619 - struct k_clock clock_monotonic = {
69620 + const struct k_clock clock_monotonic = {
69621 .clock_getres = hrtimer_get_res,
69622 .clock_get = posix_ktime_get_ts,
69623 .nsleep = common_nsleep,
69624 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
69625 .timer_get = common_timer_get,
69626 .timer_del = common_timer_del,
69627 };
69628 - struct k_clock clock_monotonic_raw = {
69629 + const struct k_clock clock_monotonic_raw = {
69630 .clock_getres = hrtimer_get_res,
69631 .clock_get = posix_get_monotonic_raw,
69632 };
69633 - struct k_clock clock_realtime_coarse = {
69634 + const struct k_clock clock_realtime_coarse = {
69635 .clock_getres = posix_get_coarse_res,
69636 .clock_get = posix_get_realtime_coarse,
69637 };
69638 - struct k_clock clock_monotonic_coarse = {
69639 + const struct k_clock clock_monotonic_coarse = {
69640 .clock_getres = posix_get_coarse_res,
69641 .clock_get = posix_get_monotonic_coarse,
69642 };
69643 - struct k_clock clock_boottime = {
69644 + const struct k_clock clock_boottime = {
69645 .clock_getres = hrtimer_get_res,
69646 .clock_get = posix_get_boottime,
69647 .nsleep = common_nsleep,
69648 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
69649 .timer_del = common_timer_del,
69650 };
69651
69652 + pax_track_stack();
69653 +
69654 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
69655 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
69656 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
69657 @@ -454,7 +457,7 @@ static struct pid *good_sigevent(sigeven
69658 }
69659
69660 void posix_timers_register_clock(const clockid_t clock_id,
69661 - struct k_clock *new_clock)
69662 + const struct k_clock *new_clock)
69663 {
69664 if ((unsigned) clock_id >= MAX_CLOCKS) {
69665 printk(KERN_WARNING "POSIX clock register failed for clock_id %d\n",
69666 @@ -506,7 +509,7 @@ static void release_posix_timer(struct k
69667 kmem_cache_free(posix_timers_cache, tmr);
69668 }
69669
69670 -static struct k_clock *clockid_to_kclock(const clockid_t id)
69671 +static const struct k_clock *clockid_to_kclock(const clockid_t id)
69672 {
69673 if (id < 0)
69674 return (id & CLOCKFD_MASK) == CLOCKFD ?
69675 @@ -529,7 +532,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
69676 struct sigevent __user *, timer_event_spec,
69677 timer_t __user *, created_timer_id)
69678 {
69679 - struct k_clock *kc = clockid_to_kclock(which_clock);
69680 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69681 struct k_itimer *new_timer;
69682 int error, new_timer_id;
69683 sigevent_t event;
69684 @@ -714,7 +717,7 @@ SYSCALL_DEFINE2(timer_gettime, timer_t,
69685 {
69686 struct itimerspec cur_setting;
69687 struct k_itimer *timr;
69688 - struct k_clock *kc;
69689 + const struct k_clock *kc;
69690 unsigned long flags;
69691 int ret = 0;
69692
69693 @@ -822,7 +825,7 @@ SYSCALL_DEFINE4(timer_settime, timer_t,
69694 int error = 0;
69695 unsigned long flag;
69696 struct itimerspec *rtn = old_setting ? &old_spec : NULL;
69697 - struct k_clock *kc;
69698 + const struct k_clock *kc;
69699
69700 if (!new_setting)
69701 return -EINVAL;
69702 @@ -868,7 +871,7 @@ static int common_timer_del(struct k_iti
69703
69704 static inline int timer_delete_hook(struct k_itimer *timer)
69705 {
69706 - struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69707 + const struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69708
69709 if (WARN_ON_ONCE(!kc || !kc->timer_del))
69710 return -EINVAL;
69711 @@ -947,7 +950,7 @@ void exit_itimers(struct signal_struct *
69712 SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
69713 const struct timespec __user *, tp)
69714 {
69715 - struct k_clock *kc = clockid_to_kclock(which_clock);
69716 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69717 struct timespec new_tp;
69718
69719 if (!kc || !kc->clock_set)
69720 @@ -956,13 +959,20 @@ SYSCALL_DEFINE2(clock_settime, const clo
69721 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69722 return -EFAULT;
69723
69724 + /* only the CLOCK_REALTIME clock can be set, all other clocks
69725 + have their clock_set fptr set to a nosettime dummy function
69726 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69727 + call common_clock_set, which calls do_sys_settimeofday, which
69728 + we hook
69729 + */
69730 +
69731 return kc->clock_set(which_clock, &new_tp);
69732 }
69733
69734 SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,
69735 struct timespec __user *,tp)
69736 {
69737 - struct k_clock *kc = clockid_to_kclock(which_clock);
69738 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69739 struct timespec kernel_tp;
69740 int error;
69741
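Review bot: The comment added before `return kc->clock_set(which_clock, &new_tp);` in clock_settime does not match the code visible in this patch. init_posix_timers() sets `.clock_set = posix_clock_realtime_set` for CLOCK_REALTIME, and the `if (!kc || !kc->clock_set)` test just above appears to reject a NULL `clock_set` rather than fall back to `common_clock_set`. The text reads as if carried over from an older kernel layout. Since this comment is the only record of where the settime hook sits, it should describe the current path, for example `/* CLOCK_REALTIME is set through posix_clock_realtime_set(); the settime hook is on the path it calls (confirm) */`.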
69742 @@ -980,7 +990,7 @@ SYSCALL_DEFINE2(clock_gettime, const clo
69743 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
69744 struct timex __user *, utx)
69745 {
69746 - struct k_clock *kc = clockid_to_kclock(which_clock);
69747 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69748 struct timex ktx;
69749 int err;
69750
69751 @@ -1003,7 +1013,7 @@ SYSCALL_DEFINE2(clock_adjtime, const clo
69752 SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,
69753 struct timespec __user *, tp)
69754 {
69755 - struct k_clock *kc = clockid_to_kclock(which_clock);
69756 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69757 struct timespec rtn_tp;
69758 int error;
69759
69760 @@ -1033,7 +1043,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69761 const struct timespec __user *, rqtp,
69762 struct timespec __user *, rmtp)
69763 {
69764 - struct k_clock *kc = clockid_to_kclock(which_clock);
69765 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69766 struct timespec t;
69767
69768 if (!kc)
69769 @@ -1057,7 +1067,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69770 long clock_nanosleep_restart(struct restart_block *restart_block)
69771 {
69772 clockid_t which_clock = restart_block->nanosleep.index;
69773 - struct k_clock *kc = clockid_to_kclock(which_clock);
69774 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69775
69776 if (WARN_ON_ONCE(!kc || !kc->nsleep_restart))
69777 return -EINVAL;
69778 diff -urNp linux-2.6.39.3/kernel/power/poweroff.c linux-2.6.39.3/kernel/power/poweroff.c
69779 --- linux-2.6.39.3/kernel/power/poweroff.c 2011-05-19 00:06:34.000000000 -0400
69780 +++ linux-2.6.39.3/kernel/power/poweroff.c 2011-05-22 19:36:33.000000000 -0400
69781 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69782 .enable_mask = SYSRQ_ENABLE_BOOT,
69783 };
69784
69785 -static int pm_sysrq_init(void)
69786 +static int __init pm_sysrq_init(void)
69787 {
69788 register_sysrq_key('o', &sysrq_poweroff_op);
69789 return 0;
69790 diff -urNp linux-2.6.39.3/kernel/power/process.c linux-2.6.39.3/kernel/power/process.c
69791 --- linux-2.6.39.3/kernel/power/process.c 2011-05-19 00:06:34.000000000 -0400
69792 +++ linux-2.6.39.3/kernel/power/process.c 2011-05-22 19:36:33.000000000 -0400
69793 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
69794 u64 elapsed_csecs64;
69795 unsigned int elapsed_csecs;
69796 bool wakeup = false;
69797 + bool timedout = false;
69798
69799 do_gettimeofday(&start);
69800
69801 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
69802
69803 while (true) {
69804 todo = 0;
69805 + if (time_after(jiffies, end_time))
69806 + timedout = true;
69807 read_lock(&tasklist_lock);
69808 do_each_thread(g, p) {
69809 if (frozen(p) || !freezable(p))
69810 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
69811 * try_to_stop() after schedule() in ptrace/signal
69812 * stop sees TIF_FREEZE.
69813 */
69814 - if (!task_is_stopped_or_traced(p) &&
69815 - !freezer_should_skip(p))
69816 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69817 todo++;
69818 + if (timedout) {
69819 + printk(KERN_ERR "Task refusing to freeze:\n");
69820 + sched_show_task(p);
69821 + }
69822 + }
69823 } while_each_thread(g, p);
69824 read_unlock(&tasklist_lock);
69825
69826 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
69827 todo += wq_busy;
69828 }
69829
69830 - if (!todo || time_after(jiffies, end_time))
69831 + if (!todo || timedout)
69832 break;
69833
69834 if (pm_wakeup_pending()) {
69835 diff -urNp linux-2.6.39.3/kernel/printk.c linux-2.6.39.3/kernel/printk.c
69836 --- linux-2.6.39.3/kernel/printk.c 2011-05-19 00:06:34.000000000 -0400
69837 +++ linux-2.6.39.3/kernel/printk.c 2011-05-22 19:41:42.000000000 -0400
69838 @@ -284,12 +284,17 @@ static int check_syslog_permissions(int
69839 if (from_file && type != SYSLOG_ACTION_OPEN)
69840 return 0;
69841
69842 +#ifdef CONFIG_GRKERNSEC_DMESG
69843 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
69844 + return -EPERM;
69845 +#endif
69846 +
69847 if (syslog_action_restricted(type)) {
69848 if (capable(CAP_SYSLOG))
69849 return 0;
69850 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
69851 if (capable(CAP_SYS_ADMIN)) {
69852 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
69853 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
69854 "but no CAP_SYSLOG (deprecated).\n");
69855 return 0;
69856 }
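Review bot: The `CONFIG_GRKERNSEC_DMESG` check in check_syslog_permissions() sits before `syslog_action_restricted(type)`, so with `grsec_enable_dmesg` set it denies every action type that reaches it, not only the restricted ones, and nothing in the hunk states that widening. It also probes `CAP_SYSLOG` with `capable()` but `CAP_SYS_ADMIN` with `capable_nolog()`, with no word on why the two are treated differently. A short comment would record both decisions, e.g. `/* grsec_enable_dmesg: every syslog action needs CAP_SYSLOG, or legacy CAP_SYS_ADMIN (probed without logging) */`. The function starts outside this hunk.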
69857 diff -urNp linux-2.6.39.3/kernel/profile.c linux-2.6.39.3/kernel/profile.c
69858 --- linux-2.6.39.3/kernel/profile.c 2011-05-19 00:06:34.000000000 -0400
69859 +++ linux-2.6.39.3/kernel/profile.c 2011-05-22 19:36:33.000000000 -0400
69860 @@ -39,7 +39,7 @@ struct profile_hit {
69861 /* Oprofile timer tick hook */
69862 static int (*timer_hook)(struct pt_regs *) __read_mostly;
69863
69864 -static atomic_t *prof_buffer;
69865 +static atomic_unchecked_t *prof_buffer;
69866 static unsigned long prof_len, prof_shift;
69867
69868 int prof_on __read_mostly;
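Review bot: `prof_buffer` becomes `atomic_unchecked_t` with no comment on why these counters may be exempt from overflow checking. The same holds for the rcutorture counters and the `sync_sched_expedited_*` pair converted later in this patch. Assuming the `_unchecked` types are the ones left out of the patch's reference-count overflow detection, each conversion is a claim that wraparound is harmless, and that claim belongs at the declaration. Here something like `/* profiling hit counters, not reference counts: wraparound is harmless */` would do.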
69869 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69870 hits[i].pc = 0;
69871 continue;
69872 }
69873 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69874 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69875 hits[i].hits = hits[i].pc = 0;
69876 }
69877 }
69878 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69879 * Add the current hit(s) and flush the write-queue out
69880 * to the global buffer:
69881 */
69882 - atomic_add(nr_hits, &prof_buffer[pc]);
69883 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69884 for (i = 0; i < NR_PROFILE_HIT; ++i) {
69885 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69886 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69887 hits[i].pc = hits[i].hits = 0;
69888 }
69889 out:
69890 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69891 if (prof_on != type || !prof_buffer)
69892 return;
69893 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69894 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69895 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69896 }
69897 #endif /* !CONFIG_SMP */
69898 EXPORT_SYMBOL_GPL(profile_hits);
69899 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69900 return -EFAULT;
69901 buf++; p++; count--; read++;
69902 }
69903 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69904 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69905 if (copy_to_user(buf, (void *)pnt, count))
69906 return -EFAULT;
69907 read += count;
69908 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69909 }
69910 #endif
69911 profile_discard_flip_buffers();
69912 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69913 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69914 return count;
69915 }
69916
69917 diff -urNp linux-2.6.39.3/kernel/ptrace.c linux-2.6.39.3/kernel/ptrace.c
69918 --- linux-2.6.39.3/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
69919 +++ linux-2.6.39.3/kernel/ptrace.c 2011-05-23 17:07:00.000000000 -0400
69920 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69921 return ret;
69922 }
69923
69924 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69925 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69926 + unsigned int log)
69927 {
69928 const struct cred *cred = current_cred(), *tcred;
69929
69930 @@ -143,7 +144,8 @@ int __ptrace_may_access(struct task_stru
69931 cred->gid == tcred->sgid &&
69932 cred->gid == tcred->gid))
69933 goto ok;
69934 - if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
69935 + if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
69936 + (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
69937 goto ok;
69938 rcu_read_unlock();
69939 return -EPERM;
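Review bot: The `log` flag in __ptrace_may_access() is tested twice inside each capability check, here and again in the `dumpable` test of the next hunk, which makes a security decision harder to read than it needs to be. A conditional expression states the choice once: `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))`. The parameter would also read better as `bool log` than as `unsigned int log`, with callers passing `true`/`false` instead of `1`/`0`. The function body starts and ends outside this hunk.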
69940 @@ -152,7 +154,9 @@ ok:
69941 smp_rmb();
69942 if (task->mm)
69943 dumpable = get_dumpable(task->mm);
69944 - if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
69945 + if (!dumpable &&
69946 + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
69947 + (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
69948 return -EPERM;
69949
69950 return security_ptrace_access_check(task, mode);
69951 @@ -162,7 +166,16 @@ bool ptrace_may_access(struct task_struc
69952 {
69953 int err;
69954 task_lock(task);
69955 - err = __ptrace_may_access(task, mode);
69956 + err = __ptrace_may_access(task, mode, 0);
69957 + task_unlock(task);
69958 + return !err;
69959 +}
69960 +
69961 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
69962 +{
69963 + int err;
69964 + task_lock(task);
69965 + err = __ptrace_may_access(task, mode, 1);
69966 task_unlock(task);
69967 return !err;
69968 }
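Review bot: ptrace_may_access_log() repeats ptrace_may_access() except for the last argument to __ptrace_may_access(), and neither wrapper has a comment telling callers which one to use. Judging by the `_nolog` helpers selected inside __ptrace_may_access(), the only difference is whether the CAP_SYS_PTRACE probes are logged, so a wrong choice changes what ends up in the audit trail. I would put `/* Same check as ptrace_may_access(), but the CAP_SYS_PTRACE probes use the logging variants. */` above the new function and a matching line above the existing one.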
69969 @@ -189,7 +202,7 @@ static int ptrace_attach(struct task_str
69970 goto out;
69971
69972 task_lock(task);
69973 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
69974 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
69975 task_unlock(task);
69976 if (retval)
69977 goto unlock_creds;
69978 @@ -202,7 +215,7 @@ static int ptrace_attach(struct task_str
69979 goto unlock_tasklist;
69980
69981 task->ptrace = PT_PTRACED;
69982 - if (task_ns_capable(task, CAP_SYS_PTRACE))
69983 + if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
69984 task->ptrace |= PT_PTRACE_CAP;
69985
69986 __ptrace_link(task, current);
69987 @@ -362,6 +375,8 @@ int ptrace_readdata(struct task_struct *
69988 {
69989 int copied = 0;
69990
69991 + pax_track_stack();
69992 +
69993 while (len > 0) {
69994 char buf[128];
69995 int this_len, retval;
69996 @@ -373,7 +388,7 @@ int ptrace_readdata(struct task_struct *
69997 break;
69998 return -EIO;
69999 }
70000 - if (copy_to_user(dst, buf, retval))
70001 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
70002 return -EFAULT;
70003 copied += retval;
70004 src += retval;
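Review bot: The added bound check in ptrace_readdata() compares `retval`, an `int`, with `sizeof(buf)`, a `size_t`, so it relies on the implicit conversion to unsigned to catch a negative value. That works, but the intent is invisible and the comparison trips -Wsign-compare; spelling it out costs nothing: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. Returning -EFAULT for an oversized `retval` also reports an internal inconsistency as a bad user pointer, where the -EIO used a few lines up would describe it better. The loop begins outside this hunk.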
70005 @@ -387,6 +402,8 @@ int ptrace_writedata(struct task_struct
70006 {
70007 int copied = 0;
70008
70009 + pax_track_stack();
70010 +
70011 while (len > 0) {
70012 char buf[128];
70013 int this_len, retval;
70014 @@ -569,9 +586,11 @@ int ptrace_request(struct task_struct *c
70015 {
70016 int ret = -EIO;
70017 siginfo_t siginfo;
70018 - void __user *datavp = (void __user *) data;
70019 + void __user *datavp = (__force void __user *) data;
70020 unsigned long __user *datalp = datavp;
70021
70022 + pax_track_stack();
70023 +
70024 switch (request) {
70025 case PTRACE_PEEKTEXT:
70026 case PTRACE_PEEKDATA:
70027 @@ -717,14 +736,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
70028 goto out;
70029 }
70030
70031 + if (gr_handle_ptrace(child, request)) {
70032 + ret = -EPERM;
70033 + goto out_put_task_struct;
70034 + }
70035 +
70036 if (request == PTRACE_ATTACH) {
70037 ret = ptrace_attach(child);
70038 /*
70039 * Some architectures need to do book-keeping after
70040 * a ptrace attach.
70041 */
70042 - if (!ret)
70043 + if (!ret) {
70044 arch_ptrace_attach(child);
70045 + gr_audit_ptrace(child);
70046 + }
70047 goto out_put_task_struct;
70048 }
70049
70050 @@ -749,7 +775,7 @@ int generic_ptrace_peekdata(struct task_
70051 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
70052 if (copied != sizeof(tmp))
70053 return -EIO;
70054 - return put_user(tmp, (unsigned long __user *)data);
70055 + return put_user(tmp, (__force unsigned long __user *)data);
70056 }
70057
70058 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
70059 @@ -772,6 +798,8 @@ int compat_ptrace_request(struct task_st
70060 siginfo_t siginfo;
70061 int ret;
70062
70063 + pax_track_stack();
70064 +
70065 switch (request) {
70066 case PTRACE_PEEKTEXT:
70067 case PTRACE_PEEKDATA:
70068 @@ -859,14 +887,21 @@ asmlinkage long compat_sys_ptrace(compat
70069 goto out;
70070 }
70071
70072 + if (gr_handle_ptrace(child, request)) {
70073 + ret = -EPERM;
70074 + goto out_put_task_struct;
70075 + }
70076 +
70077 if (request == PTRACE_ATTACH) {
70078 ret = ptrace_attach(child);
70079 /*
70080 * Some architectures need to do book-keeping after
70081 * a ptrace attach.
70082 */
70083 - if (!ret)
70084 + if (!ret) {
70085 arch_ptrace_attach(child);
70086 + gr_audit_ptrace(child);
70087 + }
70088 goto out_put_task_struct;
70089 }
70090
70091 diff -urNp linux-2.6.39.3/kernel/rcutorture.c linux-2.6.39.3/kernel/rcutorture.c
70092 --- linux-2.6.39.3/kernel/rcutorture.c 2011-05-19 00:06:34.000000000 -0400
70093 +++ linux-2.6.39.3/kernel/rcutorture.c 2011-05-22 19:36:33.000000000 -0400
70094 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
70095 { 0 };
70096 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
70097 { 0 };
70098 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70099 -static atomic_t n_rcu_torture_alloc;
70100 -static atomic_t n_rcu_torture_alloc_fail;
70101 -static atomic_t n_rcu_torture_free;
70102 -static atomic_t n_rcu_torture_mberror;
70103 -static atomic_t n_rcu_torture_error;
70104 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70105 +static atomic_unchecked_t n_rcu_torture_alloc;
70106 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
70107 +static atomic_unchecked_t n_rcu_torture_free;
70108 +static atomic_unchecked_t n_rcu_torture_mberror;
70109 +static atomic_unchecked_t n_rcu_torture_error;
70110 static long n_rcu_torture_boost_ktrerror;
70111 static long n_rcu_torture_boost_rterror;
70112 static long n_rcu_torture_boost_allocerror;
70113 @@ -225,11 +225,11 @@ rcu_torture_alloc(void)
70114
70115 spin_lock_bh(&rcu_torture_lock);
70116 if (list_empty(&rcu_torture_freelist)) {
70117 - atomic_inc(&n_rcu_torture_alloc_fail);
70118 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
70119 spin_unlock_bh(&rcu_torture_lock);
70120 return NULL;
70121 }
70122 - atomic_inc(&n_rcu_torture_alloc);
70123 + atomic_inc_unchecked(&n_rcu_torture_alloc);
70124 p = rcu_torture_freelist.next;
70125 list_del_init(p);
70126 spin_unlock_bh(&rcu_torture_lock);
70127 @@ -242,7 +242,7 @@ rcu_torture_alloc(void)
70128 static void
70129 rcu_torture_free(struct rcu_torture *p)
70130 {
70131 - atomic_inc(&n_rcu_torture_free);
70132 + atomic_inc_unchecked(&n_rcu_torture_free);
70133 spin_lock_bh(&rcu_torture_lock);
70134 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
70135 spin_unlock_bh(&rcu_torture_lock);
70136 @@ -362,7 +362,7 @@ rcu_torture_cb(struct rcu_head *p)
70137 i = rp->rtort_pipe_count;
70138 if (i > RCU_TORTURE_PIPE_LEN)
70139 i = RCU_TORTURE_PIPE_LEN;
70140 - atomic_inc(&rcu_torture_wcount[i]);
70141 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70142 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70143 rp->rtort_mbtest = 0;
70144 rcu_torture_free(rp);
70145 @@ -409,7 +409,7 @@ static void rcu_sync_torture_deferred_fr
70146 i = rp->rtort_pipe_count;
70147 if (i > RCU_TORTURE_PIPE_LEN)
70148 i = RCU_TORTURE_PIPE_LEN;
70149 - atomic_inc(&rcu_torture_wcount[i]);
70150 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70151 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70152 rp->rtort_mbtest = 0;
70153 list_del(&rp->rtort_free);
70154 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
70155 i = old_rp->rtort_pipe_count;
70156 if (i > RCU_TORTURE_PIPE_LEN)
70157 i = RCU_TORTURE_PIPE_LEN;
70158 - atomic_inc(&rcu_torture_wcount[i]);
70159 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70160 old_rp->rtort_pipe_count++;
70161 cur_ops->deferred_free(old_rp);
70162 }
70163 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
70164 return;
70165 }
70166 if (p->rtort_mbtest == 0)
70167 - atomic_inc(&n_rcu_torture_mberror);
70168 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70169 spin_lock(&rand_lock);
70170 cur_ops->read_delay(&rand);
70171 n_rcu_torture_timers++;
70172 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
70173 continue;
70174 }
70175 if (p->rtort_mbtest == 0)
70176 - atomic_inc(&n_rcu_torture_mberror);
70177 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70178 cur_ops->read_delay(&rand);
70179 preempt_disable();
70180 pipe_count = p->rtort_pipe_count;
70181 @@ -1072,10 +1072,10 @@ rcu_torture_printk(char *page)
70182 rcu_torture_current,
70183 rcu_torture_current_version,
70184 list_empty(&rcu_torture_freelist),
70185 - atomic_read(&n_rcu_torture_alloc),
70186 - atomic_read(&n_rcu_torture_alloc_fail),
70187 - atomic_read(&n_rcu_torture_free),
70188 - atomic_read(&n_rcu_torture_mberror),
70189 + atomic_read_unchecked(&n_rcu_torture_alloc),
70190 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
70191 + atomic_read_unchecked(&n_rcu_torture_free),
70192 + atomic_read_unchecked(&n_rcu_torture_mberror),
70193 n_rcu_torture_boost_ktrerror,
70194 n_rcu_torture_boost_rterror,
70195 n_rcu_torture_boost_allocerror,
70196 @@ -1083,7 +1083,7 @@ rcu_torture_printk(char *page)
70197 n_rcu_torture_boost_failure,
70198 n_rcu_torture_boosts,
70199 n_rcu_torture_timers);
70200 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
70201 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
70202 n_rcu_torture_boost_ktrerror != 0 ||
70203 n_rcu_torture_boost_rterror != 0 ||
70204 n_rcu_torture_boost_allocerror != 0 ||
70205 @@ -1093,7 +1093,7 @@ rcu_torture_printk(char *page)
70206 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
70207 if (i > 1) {
70208 cnt += sprintf(&page[cnt], "!!! ");
70209 - atomic_inc(&n_rcu_torture_error);
70210 + atomic_inc_unchecked(&n_rcu_torture_error);
70211 WARN_ON_ONCE(1);
70212 }
70213 cnt += sprintf(&page[cnt], "Reader Pipe: ");
70214 @@ -1107,7 +1107,7 @@ rcu_torture_printk(char *page)
70215 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
70216 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70217 cnt += sprintf(&page[cnt], " %d",
70218 - atomic_read(&rcu_torture_wcount[i]));
70219 + atomic_read_unchecked(&rcu_torture_wcount[i]));
70220 }
70221 cnt += sprintf(&page[cnt], "\n");
70222 if (cur_ops->stats)
70223 @@ -1415,7 +1415,7 @@ rcu_torture_cleanup(void)
70224
70225 if (cur_ops->cleanup)
70226 cur_ops->cleanup();
70227 - if (atomic_read(&n_rcu_torture_error))
70228 + if (atomic_read_unchecked(&n_rcu_torture_error))
70229 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
70230 else
70231 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
70232 @@ -1479,11 +1479,11 @@ rcu_torture_init(void)
70233
70234 rcu_torture_current = NULL;
70235 rcu_torture_current_version = 0;
70236 - atomic_set(&n_rcu_torture_alloc, 0);
70237 - atomic_set(&n_rcu_torture_alloc_fail, 0);
70238 - atomic_set(&n_rcu_torture_free, 0);
70239 - atomic_set(&n_rcu_torture_mberror, 0);
70240 - atomic_set(&n_rcu_torture_error, 0);
70241 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
70242 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
70243 + atomic_set_unchecked(&n_rcu_torture_free, 0);
70244 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
70245 + atomic_set_unchecked(&n_rcu_torture_error, 0);
70246 n_rcu_torture_boost_ktrerror = 0;
70247 n_rcu_torture_boost_rterror = 0;
70248 n_rcu_torture_boost_allocerror = 0;
70249 @@ -1491,7 +1491,7 @@ rcu_torture_init(void)
70250 n_rcu_torture_boost_failure = 0;
70251 n_rcu_torture_boosts = 0;
70252 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
70253 - atomic_set(&rcu_torture_wcount[i], 0);
70254 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
70255 for_each_possible_cpu(cpu) {
70256 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70257 per_cpu(rcu_torture_count, cpu)[i] = 0;
70258 diff -urNp linux-2.6.39.3/kernel/rcutree.c linux-2.6.39.3/kernel/rcutree.c
70259 --- linux-2.6.39.3/kernel/rcutree.c 2011-05-19 00:06:34.000000000 -0400
70260 +++ linux-2.6.39.3/kernel/rcutree.c 2011-05-22 19:36:33.000000000 -0400
70261 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
70262 /*
70263 * Do softirq processing for the current CPU.
70264 */
70265 -static void rcu_process_callbacks(struct softirq_action *unused)
70266 +static void rcu_process_callbacks(void)
70267 {
70268 /*
70269 * Memory references from any prior RCU read-side critical sections
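Review bot: rcu_process_callbacks() loses its `struct softirq_action *` parameter here, but the place where it is registered as a softirq handler is not part of this hunk. If the handler type accepted by `open_softirq()` and used by the softirq dispatch was not changed to `void (*)(void)` elsewhere in the patch, the function ends up being called through an incompatible pointer type. It is worth confirming that registration and dispatch were converted in the same change. The function body continues outside the hunk.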
70270 diff -urNp linux-2.6.39.3/kernel/rcutree_plugin.h linux-2.6.39.3/kernel/rcutree_plugin.h
70271 --- linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-19 00:06:34.000000000 -0400
70272 +++ linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-22 19:36:33.000000000 -0400
70273 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
70274
70275 /* Clean up and exit. */
70276 smp_mb(); /* ensure expedited GP seen before counter increment. */
70277 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
70278 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
70279 unlock_mb_ret:
70280 mutex_unlock(&sync_rcu_preempt_exp_mutex);
70281 mb_ret:
70282 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
70283
70284 #else /* #ifndef CONFIG_SMP */
70285
70286 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
70287 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
70288 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
70289 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
70290
70291 static int synchronize_sched_expedited_cpu_stop(void *data)
70292 {
70293 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
70294 int firstsnap, s, snap, trycount = 0;
70295
70296 /* Note that atomic_inc_return() implies full memory barrier. */
70297 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
70298 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
70299 get_online_cpus();
70300
70301 /*
70302 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
70303 }
70304
70305 /* Check to see if someone else did our work for us. */
70306 - s = atomic_read(&sync_sched_expedited_done);
70307 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70308 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
70309 smp_mb(); /* ensure test happens before caller kfree */
70310 return;
70311 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
70312 * grace period works for us.
70313 */
70314 get_online_cpus();
70315 - snap = atomic_read(&sync_sched_expedited_started) - 1;
70316 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
70317 smp_mb(); /* ensure read is before try_stop_cpus(). */
70318 }
70319
70320 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
70321 * than we did beat us to the punch.
70322 */
70323 do {
70324 - s = atomic_read(&sync_sched_expedited_done);
70325 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70326 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
70327 smp_mb(); /* ensure test happens before caller kfree */
70328 break;
70329 }
70330 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
70331 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
70332
70333 put_online_cpus();
70334 }
70335 diff -urNp linux-2.6.39.3/kernel/relay.c linux-2.6.39.3/kernel/relay.c
70336 --- linux-2.6.39.3/kernel/relay.c 2011-05-19 00:06:34.000000000 -0400
70337 +++ linux-2.6.39.3/kernel/relay.c 2011-05-22 19:36:33.000000000 -0400
70338 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
70339 };
70340 ssize_t ret;
70341
70342 + pax_track_stack();
70343 +
70344 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
70345 return 0;
70346 if (splice_grow_spd(pipe, &spd))
70347 diff -urNp linux-2.6.39.3/kernel/resource.c linux-2.6.39.3/kernel/resource.c
70348 --- linux-2.6.39.3/kernel/resource.c 2011-05-19 00:06:34.000000000 -0400
70349 +++ linux-2.6.39.3/kernel/resource.c 2011-05-22 19:41:42.000000000 -0400
70350 @@ -133,8 +133,18 @@ static const struct file_operations proc
70351
70352 static int __init ioresources_init(void)
70353 {
70354 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70355 +#ifdef CONFIG_GRKERNSEC_PROC_USER
70356 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
70357 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
70358 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70359 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
70360 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
70361 +#endif
70362 +#else
70363 proc_create("ioports", 0, NULL, &proc_ioports_operations);
70364 proc_create("iomem", 0, NULL, &proc_iomem_operations);
70365 +#endif
70366 return 0;
70367 }
70368 __initcall(ioresources_init);
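Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` defined, the inner `#ifdef`/`#elif` in `ioresources_init()` has no fallback, so neither `ioports` nor `iomem` is created. Kconfig may already rule that combination out, but nothing in the hunk shows it. An inner `#else` with `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"`, or a fall-through to the mode-0 calls, would make the dependency explicit at the point of use.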
70369 diff -urNp linux-2.6.39.3/kernel/rtmutex-tester.c linux-2.6.39.3/kernel/rtmutex-tester.c
70370 --- linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-19 00:06:34.000000000 -0400
70371 +++ linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-22 19:36:33.000000000 -0400
70372 @@ -20,7 +20,7 @@
70373 #define MAX_RT_TEST_MUTEXES 8
70374
70375 static spinlock_t rttest_lock;
70376 -static atomic_t rttest_event;
70377 +static atomic_unchecked_t rttest_event;
70378
70379 struct test_thread_data {
70380 int opcode;
70381 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
70382
70383 case RTTEST_LOCKCONT:
70384 td->mutexes[td->opdata] = 1;
70385 - td->event = atomic_add_return(1, &rttest_event);
70386 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70387 return 0;
70388
70389 case RTTEST_RESET:
70390 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
70391 return 0;
70392
70393 case RTTEST_RESETEVENT:
70394 - atomic_set(&rttest_event, 0);
70395 + atomic_set_unchecked(&rttest_event, 0);
70396 return 0;
70397
70398 default:
70399 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
70400 return ret;
70401
70402 td->mutexes[id] = 1;
70403 - td->event = atomic_add_return(1, &rttest_event);
70404 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70405 rt_mutex_lock(&mutexes[id]);
70406 - td->event = atomic_add_return(1, &rttest_event);
70407 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70408 td->mutexes[id] = 4;
70409 return 0;
70410
70411 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
70412 return ret;
70413
70414 td->mutexes[id] = 1;
70415 - td->event = atomic_add_return(1, &rttest_event);
70416 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70417 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
70418 - td->event = atomic_add_return(1, &rttest_event);
70419 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70420 td->mutexes[id] = ret ? 0 : 4;
70421 return ret ? -EINTR : 0;
70422
70423 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
70424 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70425 return ret;
70426
70427 - td->event = atomic_add_return(1, &rttest_event);
70428 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70429 rt_mutex_unlock(&mutexes[id]);
70430 - td->event = atomic_add_return(1, &rttest_event);
70431 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70432 td->mutexes[id] = 0;
70433 return 0;
70434
70435 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
70436 break;
70437
70438 td->mutexes[dat] = 2;
70439 - td->event = atomic_add_return(1, &rttest_event);
70440 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70441 break;
70442
70443 default:
70444 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
70445 return;
70446
70447 td->mutexes[dat] = 3;
70448 - td->event = atomic_add_return(1, &rttest_event);
70449 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70450 break;
70451
70452 case RTTEST_LOCKNOWAIT:
70453 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
70454 return;
70455
70456 td->mutexes[dat] = 1;
70457 - td->event = atomic_add_return(1, &rttest_event);
70458 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70459 return;
70460
70461 default:
70462 diff -urNp linux-2.6.39.3/kernel/sched_autogroup.c linux-2.6.39.3/kernel/sched_autogroup.c
70463 --- linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-19 00:06:34.000000000 -0400
70464 +++ linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-22 19:36:33.000000000 -0400
70465 @@ -7,7 +7,7 @@
70466
70467 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
70468 static struct autogroup autogroup_default;
70469 -static atomic_t autogroup_seq_nr;
70470 +static atomic_unchecked_t autogroup_seq_nr;
70471
70472 static void __init autogroup_init(struct task_struct *init_task)
70473 {
70474 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
70475
70476 kref_init(&ag->kref);
70477 init_rwsem(&ag->lock);
70478 - ag->id = atomic_inc_return(&autogroup_seq_nr);
70479 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
70480 ag->tg = tg;
70481 #ifdef CONFIG_RT_GROUP_SCHED
70482 /*
70483 diff -urNp linux-2.6.39.3/kernel/sched.c linux-2.6.39.3/kernel/sched.c
70484 --- linux-2.6.39.3/kernel/sched.c 2011-05-19 00:06:34.000000000 -0400
70485 +++ linux-2.6.39.3/kernel/sched.c 2011-05-23 17:07:00.000000000 -0400
70486 @@ -4078,6 +4078,8 @@ asmlinkage void __sched schedule(void)
70487 struct rq *rq;
70488 int cpu;
70489
70490 + pax_track_stack();
70491 +
70492 need_resched:
70493 preempt_disable();
70494 cpu = smp_processor_id();
70495 @@ -4165,7 +4167,7 @@ EXPORT_SYMBOL(schedule);
70496 * Look out! "owner" is an entirely speculative pointer
70497 * access and not reliable.
70498 */
70499 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70500 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70501 {
70502 unsigned int cpu;
70503 struct rq *rq;
70504 @@ -4179,10 +4181,10 @@ int mutex_spin_on_owner(struct mutex *lo
70505 * DEBUG_PAGEALLOC could have unmapped it if
70506 * the mutex owner just released it and exited.
70507 */
70508 - if (probe_kernel_address(&owner->cpu, cpu))
70509 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70510 return 0;
70511 #else
70512 - cpu = owner->cpu;
70513 + cpu = task_thread_info(owner)->cpu;
70514 #endif
70515
70516 /*
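Review bot: `probe_kernel_address(&task_thread_info(owner)->cpu, cpu)` probes only the final `->cpu` read. Forming that address already has to load the thread_info pointer out of `*owner` wherever `task_thread_info()` reads a field of the task (its definition is not in this hunk). The context comment above says the owner may have been unmapped under DEBUG_PAGEALLOC after it released the mutex and exited, and that first load is now the unprotected one. I would probe the task field first and then the `cpu` field through the result, returning 0 if either probe fails. The function starts and ends outside this hunk.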
70517 @@ -4219,7 +4221,7 @@ int mutex_spin_on_owner(struct mutex *lo
70518 /*
70519 * Is that owner really running on that cpu?
70520 */
70521 - if (task_thread_info(rq->curr) != owner || need_resched())
70522 + if (rq->curr != owner || need_resched())
70523 return 0;
70524
70525 arch_mutex_cpu_relax();
70526 @@ -4778,6 +4780,8 @@ int can_nice(const struct task_struct *p
70527 /* convert nice value [19,-20] to rlimit style value [1,40] */
70528 int nice_rlim = 20 - nice;
70529
70530 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70531 +
70532 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
70533 capable(CAP_SYS_NICE));
70534 }
70535 @@ -4811,7 +4815,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70536 if (nice > 19)
70537 nice = 19;
70538
70539 - if (increment < 0 && !can_nice(current, nice))
70540 + if (increment < 0 && (!can_nice(current, nice) ||
70541 + gr_handle_chroot_nice()))
70542 return -EPERM;
70543
70544 retval = security_task_setnice(current, nice);
70545 @@ -4957,6 +4962,7 @@ recheck:
70546 unsigned long rlim_rtprio =
70547 task_rlimit(p, RLIMIT_RTPRIO);
70548
70549 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
70550 /* can't set/change the rt policy */
70551 if (policy != p->policy && !rlim_rtprio)
70552 return -EPERM;
70553 @@ -7164,7 +7170,7 @@ static void init_sched_groups_power(int
70554 long power;
70555 int weight;
70556
70557 - WARN_ON(!sd || !sd->groups);
70558 + BUG_ON(!sd || !sd->groups);
70559
70560 if (cpu != group_first_cpu(sd->groups))
70561 return;
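Review bot: Replacing `WARN_ON(!sd || !sd->groups)` with `BUG_ON` in `init_sched_groups_power()` turns a logged warning into a hard stop, and nothing in the hunk records why. The next statement passes `sd->groups` to `group_first_cpu()`, so continuing past the warning would presumably fault on a NULL pointer anyway. If that is the reason, say so with a comment such as `/* sd->groups is dereferenced below; stop here rather than fault later */`. The function body continues outside the hunk.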
70562 diff -urNp linux-2.6.39.3/kernel/sched_fair.c linux-2.6.39.3/kernel/sched_fair.c
70563 --- linux-2.6.39.3/kernel/sched_fair.c 2011-05-19 00:06:34.000000000 -0400
70564 +++ linux-2.6.39.3/kernel/sched_fair.c 2011-05-22 19:36:33.000000000 -0400
70565 @@ -3999,7 +3999,7 @@ static void nohz_idle_balance(int this_c
70566 * run_rebalance_domains is triggered when needed from the scheduler tick.
70567 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
70568 */
70569 -static void run_rebalance_domains(struct softirq_action *h)
70570 +static void run_rebalance_domains(void)
70571 {
70572 int this_cpu = smp_processor_id();
70573 struct rq *this_rq = cpu_rq(this_cpu);
70574 diff -urNp linux-2.6.39.3/kernel/signal.c linux-2.6.39.3/kernel/signal.c
70575 --- linux-2.6.39.3/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
70576 +++ linux-2.6.39.3/kernel/signal.c 2011-07-14 21:03:15.000000000 -0400
70577 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
70578
70579 int print_fatal_signals __read_mostly;
70580
70581 -static void __user *sig_handler(struct task_struct *t, int sig)
70582 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
70583 {
70584 return t->sighand->action[sig - 1].sa.sa_handler;
70585 }
70586
70587 -static int sig_handler_ignored(void __user *handler, int sig)
70588 +static int sig_handler_ignored(__sighandler_t handler, int sig)
70589 {
70590 /* Is it explicitly or implicitly ignored? */
70591 return handler == SIG_IGN ||
70592 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
70593 static int sig_task_ignored(struct task_struct *t, int sig,
70594 int from_ancestor_ns)
70595 {
70596 - void __user *handler;
70597 + __sighandler_t handler;
70598
70599 handler = sig_handler(t, sig);
70600
70601 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
70602 atomic_inc(&user->sigpending);
70603 rcu_read_unlock();
70604
70605 + if (!override_rlimit)
70606 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70607 +
70608 if (override_rlimit ||
70609 atomic_read(&user->sigpending) <=
70610 task_rlimit(t, RLIMIT_SIGPENDING)) {
70611 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
70612
70613 int unhandled_signal(struct task_struct *tsk, int sig)
70614 {
70615 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70616 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70617 if (is_global_init(tsk))
70618 return 1;
70619 if (handler != SIG_IGN && handler != SIG_DFL)
70620 @@ -693,6 +696,12 @@ static int check_kill_permission(int sig
70621 }
70622 }
70623
70624 + /* allow glibc communication via tgkill to other threads in our
70625 + thread group */
70626 + if ((info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||
70627 + task_tgid_vnr(t) != info->si_pid) && gr_handle_signal(t, sig))
70628 + return -EPERM;
70629 +
70630 return security_task_kill(t, info, sig, 0);
70631 }
70632
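Review bot: The added condition in `check_kill_permission()` reads `info->si_code` and `info->si_pid` without checking that `info` points to a real `struct siginfo`. Two other hunks in this file guard the same pointer with `!is_si_special(info)` before reading `info->si_addr`, which indicates sentinel values can be passed as `info`; whether one can reach this line depends on the earlier part of the function, which is outside the hunk. I would start the test with the guard, `if ((is_si_special(info) || info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||`, so a sentinel takes the `gr_handle_signal()` path instead of being dereferenced. The `do_send_specific()` hunk further down reads `info->si_code` and `info->si_pid` the same way.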
70633 @@ -1041,7 +1050,7 @@ __group_send_sig_info(int sig, struct si
70634 return send_signal(sig, info, p, 1);
70635 }
70636
70637 -static int
70638 +int
70639 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70640 {
70641 return send_signal(sig, info, t, 0);
70642 @@ -1078,6 +1087,7 @@ force_sig_info(int sig, struct siginfo *
70643 unsigned long int flags;
70644 int ret, blocked, ignored;
70645 struct k_sigaction *action;
70646 + int is_unhandled = 0;
70647
70648 spin_lock_irqsave(&t->sighand->siglock, flags);
70649 action = &t->sighand->action[sig-1];
70650 @@ -1092,9 +1102,18 @@ force_sig_info(int sig, struct siginfo *
70651 }
70652 if (action->sa.sa_handler == SIG_DFL)
70653 t->signal->flags &= ~SIGNAL_UNKILLABLE;
70654 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70655 + is_unhandled = 1;
70656 ret = specific_send_sig_info(sig, info, t);
70657 spin_unlock_irqrestore(&t->sighand->siglock, flags);
70658
70659 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
70660 + normal operation */
70661 + if (is_unhandled) {
70662 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70663 + gr_handle_crash(t, sig);
70664 + }
70665 +
70666 return ret;
70667 }
70668
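Review bot: `force_sig_info()` calls `gr_log_signal()` and `gr_handle_crash()` whenever `is_unhandled` is set, without looking at `ret` from `specific_send_sig_info()`. The `group_send_sig_info()` hunk in this file logs only under `if (!ret)`, so the two paths disagree about whether a signal that failed to queue is reported. If the crash handling should follow delivery, the condition would be `if (is_unhandled && !ret) {`; if acting on a failed send is intended, a comment should say so. The start of the function is in the previous hunk.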
70669 @@ -1153,8 +1172,11 @@ int group_send_sig_info(int sig, struct
70670 ret = check_kill_permission(sig, info, p);
70671 rcu_read_unlock();
70672
70673 - if (!ret && sig)
70674 + if (!ret && sig) {
70675 ret = do_send_sig_info(sig, info, p, true);
70676 + if (!ret)
70677 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70678 + }
70679
70680 return ret;
70681 }
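Review bot: `gr_log_signal()` is handed `info->si_addr` for every signal that `group_send_sig_info()` delivers, but `si_addr` is only meaningful for fault-generated signals. For a signal sent with kill() the same union slot holds the sender's pid and uid. Unless `gr_log_signal()` (not visible here) filters by signal number before using the address, the log would show a value that is not an address at all. A comment at the call, `/* si_addr is valid only for fault signals; gr_log_signal() must ignore it otherwise */`, or passing `NULL` for non-fault signals, would remove the ambiguity.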
70682 @@ -1718,6 +1740,8 @@ void ptrace_notify(int exit_code)
70683 {
70684 siginfo_t info;
70685
70686 + pax_track_stack();
70687 +
70688 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70689
70690 memset(&info, 0, sizeof info);
70691 @@ -2393,7 +2417,15 @@ do_send_specific(pid_t tgid, pid_t pid,
70692 int error = -ESRCH;
70693
70694 rcu_read_lock();
70695 - p = find_task_by_vpid(pid);
70696 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
70697 + /* allow glibc communication via tgkill to other threads in our
70698 + thread group */
70699 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
70700 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
70701 + p = find_task_by_vpid_unrestricted(pid);
70702 + else
70703 +#endif
70704 + p = find_task_by_vpid(pid);
70705 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
70706 error = check_kill_permission(sig, info, p);
70707 /*
70708 diff -urNp linux-2.6.39.3/kernel/smp.c linux-2.6.39.3/kernel/smp.c
70709 --- linux-2.6.39.3/kernel/smp.c 2011-05-19 00:06:34.000000000 -0400
70710 +++ linux-2.6.39.3/kernel/smp.c 2011-05-22 19:36:33.000000000 -0400
70711 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
70712 }
70713 EXPORT_SYMBOL(smp_call_function);
70714
70715 -void ipi_call_lock(void)
70716 +void ipi_call_lock(void) __acquires(call_function.lock)
70717 {
70718 raw_spin_lock(&call_function.lock);
70719 }
70720
70721 -void ipi_call_unlock(void)
70722 +void ipi_call_unlock(void) __releases(call_function.lock)
70723 {
70724 raw_spin_unlock(&call_function.lock);
70725 }
70726
70727 -void ipi_call_lock_irq(void)
70728 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
70729 {
70730 raw_spin_lock_irq(&call_function.lock);
70731 }
70732
70733 -void ipi_call_unlock_irq(void)
70734 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
70735 {
70736 raw_spin_unlock_irq(&call_function.lock);
70737 }
70738 diff -urNp linux-2.6.39.3/kernel/softirq.c linux-2.6.39.3/kernel/softirq.c
70739 --- linux-2.6.39.3/kernel/softirq.c 2011-05-19 00:06:34.000000000 -0400
70740 +++ linux-2.6.39.3/kernel/softirq.c 2011-05-22 19:36:33.000000000 -0400
70741 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70742
70743 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70744
70745 -char *softirq_to_name[NR_SOFTIRQS] = {
70746 +const char * const softirq_to_name[NR_SOFTIRQS] = {
70747 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70748 "TASKLET", "SCHED", "HRTIMER", "RCU"
70749 };
70750 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70751
70752 asmlinkage void __do_softirq(void)
70753 {
70754 - struct softirq_action *h;
70755 + const struct softirq_action *h;
70756 __u32 pending;
70757 int max_restart = MAX_SOFTIRQ_RESTART;
70758 int cpu;
70759 @@ -235,7 +235,7 @@ restart:
70760 kstat_incr_softirqs_this_cpu(vec_nr);
70761
70762 trace_softirq_entry(vec_nr);
70763 - h->action(h);
70764 + h->action();
70765 trace_softirq_exit(vec_nr);
70766 if (unlikely(prev_count != preempt_count())) {
70767 printk(KERN_ERR "huh, entered softirq %u %s %p"
70768 @@ -377,7 +377,7 @@ void raise_softirq(unsigned int nr)
70769 local_irq_restore(flags);
70770 }
70771
70772 -void open_softirq(int nr, void (*action)(struct softirq_action *))
70773 +void open_softirq(int nr, void (*action)(void))
70774 {
70775 softirq_vec[nr].action = action;
70776 }
70777 @@ -433,7 +433,7 @@ void __tasklet_hi_schedule_first(struct
70778
70779 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70780
70781 -static void tasklet_action(struct softirq_action *a)
70782 +static void tasklet_action(void)
70783 {
70784 struct tasklet_struct *list;
70785
70786 @@ -468,7 +468,7 @@ static void tasklet_action(struct softir
70787 }
70788 }
70789
70790 -static void tasklet_hi_action(struct softirq_action *a)
70791 +static void tasklet_hi_action(void)
70792 {
70793 struct tasklet_struct *list;
70794
70795 diff -urNp linux-2.6.39.3/kernel/sys.c linux-2.6.39.3/kernel/sys.c
70796 --- linux-2.6.39.3/kernel/sys.c 2011-05-19 00:06:34.000000000 -0400
70797 +++ linux-2.6.39.3/kernel/sys.c 2011-05-22 21:08:10.000000000 -0400
70798 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
70799 error = -EACCES;
70800 goto out;
70801 }
70802 +
70803 + if (gr_handle_chroot_setpriority(p, niceval)) {
70804 + error = -EACCES;
70805 + goto out;
70806 + }
70807 +
70808 no_nice = security_task_setnice(p, niceval);
70809 if (no_nice) {
70810 error = no_nice;
70811 @@ -538,6 +544,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70812 goto error;
70813 }
70814
70815 + if (gr_check_group_change(new->gid, new->egid, -1))
70816 + goto error;
70817 +
70818 if (rgid != (gid_t) -1 ||
70819 (egid != (gid_t) -1 && egid != old->gid))
70820 new->sgid = new->egid;
70821 @@ -567,6 +576,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70822 old = current_cred();
70823
70824 retval = -EPERM;
70825 +
70826 + if (gr_check_group_change(gid, gid, gid))
70827 + goto error;
70828 +
70829 if (nsown_capable(CAP_SETGID))
70830 new->gid = new->egid = new->sgid = new->fsgid = gid;
70831 else if (gid == old->gid || gid == old->sgid)
70832 @@ -647,6 +660,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70833 goto error;
70834 }
70835
70836 + if (gr_check_user_change(new->uid, new->euid, -1))
70837 + goto error;
70838 +
70839 if (new->uid != old->uid) {
70840 retval = set_user(new);
70841 if (retval < 0)
70842 @@ -691,6 +707,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70843 old = current_cred();
70844
70845 retval = -EPERM;
70846 +
70847 + if (gr_check_crash_uid(uid))
70848 + goto error;
70849 + if (gr_check_user_change(uid, uid, uid))
70850 + goto error;
70851 +
70852 if (nsown_capable(CAP_SETUID)) {
70853 new->suid = new->uid = uid;
70854 if (uid != old->uid) {
70855 @@ -745,6 +767,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70856 goto error;
70857 }
70858
70859 + if (gr_check_user_change(ruid, euid, -1))
70860 + goto error;
70861 +
70862 if (ruid != (uid_t) -1) {
70863 new->uid = ruid;
70864 if (ruid != old->uid) {
70865 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70866 goto error;
70867 }
70868
70869 + if (gr_check_group_change(rgid, egid, -1))
70870 + goto error;
70871 +
70872 if (rgid != (gid_t) -1)
70873 new->gid = rgid;
70874 if (egid != (gid_t) -1)
70875 @@ -855,6 +883,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70876 old = current_cred();
70877 old_fsuid = old->fsuid;
70878
70879 + if (gr_check_user_change(-1, -1, uid))
70880 + goto error;
70881 +
70882 if (uid == old->uid || uid == old->euid ||
70883 uid == old->suid || uid == old->fsuid ||
70884 nsown_capable(CAP_SETUID)) {
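Review bot: In `setfsuid` the `gr_check_user_change(-1, -1, uid)` call sits before the test that decides whether the caller may make the change at all. The `setfsgid` hunk below instead places `gr_check_group_change(-1, -1, gid)` inside the permitted branch. As a result the uid hook also runs for requests the kernel would refuse anyway, and the gid hook does not. Unless that difference is deliberate, moving the uid call to the first line inside the `if (uid == old->uid || ...)` block would make the two syscalls match. Both function bodies extend outside their hunks.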
70885 @@ -865,6 +896,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70886 }
70887 }
70888
70889 +error:
70890 abort_creds(new);
70891 return old_fsuid;
70892
70893 @@ -891,12 +923,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70894 if (gid == old->gid || gid == old->egid ||
70895 gid == old->sgid || gid == old->fsgid ||
70896 nsown_capable(CAP_SETGID)) {
70897 + if (gr_check_group_change(-1, -1, gid))
70898 + goto error;
70899 +
70900 if (gid != old_fsgid) {
70901 new->fsgid = gid;
70902 goto change_okay;
70903 }
70904 }
70905
70906 +error:
70907 abort_creds(new);
70908 return old_fsgid;
70909
70910 @@ -1643,7 +1679,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70911 error = get_dumpable(me->mm);
70912 break;
70913 case PR_SET_DUMPABLE:
70914 - if (arg2 < 0 || arg2 > 1) {
70915 + if (arg2 > 1) {
70916 error = -EINVAL;
70917 break;
70918 }
70919 diff -urNp linux-2.6.39.3/kernel/sysctl.c linux-2.6.39.3/kernel/sysctl.c
70920 --- linux-2.6.39.3/kernel/sysctl.c 2011-05-19 00:06:34.000000000 -0400
70921 +++ linux-2.6.39.3/kernel/sysctl.c 2011-05-22 20:23:10.000000000 -0400
70922 @@ -84,6 +84,13 @@
70923
70924
70925 #if defined(CONFIG_SYSCTL)
70926 +#include <linux/grsecurity.h>
70927 +#include <linux/grinternal.h>
70928 +
70929 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70930 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70931 + const int op);
70932 +extern int gr_handle_chroot_sysctl(const int op);
70933
70934 /* External variables not in a header file. */
70935 extern int sysctl_overcommit_memory;
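Review bot: The three `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared in this .c file, directly under the new `#include <linux/grsecurity.h>`. A prototype kept in the caller is not checked against the definition, so a later signature change would compile silently with mismatched arguments. Moving them into the header that is already included would give the compiler one declaration to verify. The same applies to `extern struct ctl_table grsecurity_table[]` in the next hunk and to `extern int gr_is_taskstats_denied(int pid)` in kernel/taskstats.c.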
70936 @@ -196,6 +203,7 @@ static int sysrq_sysctl_handler(ctl_tabl
70937 }
70938
70939 #endif
70940 +extern struct ctl_table grsecurity_table[];
70941
70942 static struct ctl_table root_table[];
70943 static struct ctl_table_root sysctl_table_root;
70944 @@ -225,6 +233,20 @@ extern struct ctl_table epoll_table[];
70945 int sysctl_legacy_va_layout;
70946 #endif
70947
70948 +#ifdef CONFIG_PAX_SOFTMODE
70949 +static ctl_table pax_table[] = {
70950 + {
70951 + .procname = "softmode",
70952 + .data = &pax_softmode,
70953 + .maxlen = sizeof(unsigned int),
70954 + .mode = 0600,
70955 + .proc_handler = &proc_dointvec,
70956 + },
70957 +
70958 + { }
70959 +};
70960 +#endif
70961 +
70962 /* The default sysctl tables: */
70963
70964 static struct ctl_table root_table[] = {
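Review bot: The `softmode` entry uses `proc_dointvec` with no bounds, so a privileged writer can store any integer, including a negative one, into `pax_softmode`. If the variable is meant as an on/off switch (its readers are not in this hunk), bounding it would avoid relying on every reader treating all non-zero values alike: `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`, using the `zero` and `one` objects that other entries in this file already reference. A one-line comment on what setting this switch does to enforcement would also help whoever audits the table.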
70965 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
70966 #endif
70967
70968 static struct ctl_table kern_table[] = {
70969 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
70970 + {
70971 + .procname = "grsecurity",
70972 + .mode = 0500,
70973 + .child = grsecurity_table,
70974 + },
70975 +#endif
70976 +
70977 +#ifdef CONFIG_PAX_SOFTMODE
70978 + {
70979 + .procname = "pax",
70980 + .mode = 0500,
70981 + .child = pax_table,
70982 + },
70983 +#endif
70984 +
70985 {
70986 .procname = "sched_child_runs_first",
70987 .data = &sysctl_sched_child_runs_first,
70988 @@ -545,7 +583,7 @@ static struct ctl_table kern_table[] = {
70989 .data = &modprobe_path,
70990 .maxlen = KMOD_PATH_LEN,
70991 .mode = 0644,
70992 - .proc_handler = proc_dostring,
70993 + .proc_handler = proc_dostring_modpriv,
70994 },
70995 {
70996 .procname = "modules_disabled",
70997 @@ -707,16 +745,20 @@ static struct ctl_table kern_table[] = {
70998 .extra1 = &zero,
70999 .extra2 = &one,
71000 },
71001 +#endif
71002 {
71003 .procname = "kptr_restrict",
71004 .data = &kptr_restrict,
71005 .maxlen = sizeof(int),
71006 .mode = 0644,
71007 .proc_handler = proc_dmesg_restrict,
71008 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71009 + .extra1 = &two,
71010 +#else
71011 .extra1 = &zero,
71012 +#endif
71013 .extra2 = &two,
71014 },
71015 -#endif
71016 {
71017 .procname = "ngroups_max",
71018 .data = &ngroups_max,
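Review bot: With `CONFIG_GRKERNSEC_HIDESYM` both `.extra1` and `.extra2` of `kptr_restrict` point at `two`, which would limit writes to the single value 2 but does nothing for the variable's initial value. The initializer of `kptr_restrict` is not in this hunk; if it is not also 2 under HIDESYM, the system runs with the weaker setting until something writes the sysctl. The hunk also moves the `#endif` above this entry, so the entry is now built even when that conditional (opened outside the hunk) is off, and `proc_dmesg_restrict` has to be available in that configuration too. A comment such as `/* HIDESYM: value pinned to 2 */` next to `.extra1 = &two` would explain the degenerate range.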
71019 @@ -1189,6 +1231,13 @@ static struct ctl_table vm_table[] = {
71020 .proc_handler = proc_dointvec_minmax,
71021 .extra1 = &zero,
71022 },
71023 + {
71024 + .procname = "heap_stack_gap",
71025 + .data = &sysctl_heap_stack_gap,
71026 + .maxlen = sizeof(sysctl_heap_stack_gap),
71027 + .mode = 0644,
71028 + .proc_handler = proc_doulongvec_minmax,
71029 + },
71030 #else
71031 {
71032 .procname = "nr_trim_pages",
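Review bot: The `heap_stack_gap` entry uses `proc_doulongvec_minmax` without `.extra1` or `.extra2`, so any value, including 0, is accepted. If `sysctl_heap_stack_gap` is the distance kept between other mappings and the stack (its use is outside this hunk), writing 0 would switch that protection off with no floor. Setting a minimum through `.extra1`, or adding a comment such as `/* 0 disables the gap */` if that is intended, would make the contract clear.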
71033 @@ -1698,6 +1747,17 @@ static int test_perm(int mode, int op)
71034 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
71035 {
71036 int mode;
71037 + int error;
71038 +
71039 + if (table->parent != NULL && table->parent->procname != NULL &&
71040 + table->procname != NULL &&
71041 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71042 + return -EACCES;
71043 + if (gr_handle_chroot_sysctl(op))
71044 + return -EACCES;
71045 + error = gr_handle_sysctl(table, op);
71046 + if (error)
71047 + return error;
71048
71049 if (root->permissions)
71050 mode = root->permissions(root, current->nsproxy, table);
71051 @@ -2102,6 +2162,16 @@ int proc_dostring(struct ctl_table *tabl
71052 buffer, lenp, ppos);
71053 }
71054
71055 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71056 + void __user *buffer, size_t *lenp, loff_t *ppos)
71057 +{
71058 + if (write && !capable(CAP_SYS_MODULE))
71059 + return -EPERM;
71060 +
71061 + return _proc_do_string(table->data, table->maxlen, write,
71062 + buffer, lenp, ppos);
71063 +}
71064 +
71065 static size_t proc_skip_spaces(char **buf)
71066 {
71067 size_t ret;
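Review bot: `proc_dostring_modpriv()` is exported later in this patch but has no comment, although the capability check is the only reason it exists. I would put a short kerneldoc block above it stating that reads go through the same `_proc_do_string()` path and that writes require `CAP_SYS_MODULE` and fail with `-EPERM` otherwise, for example `/* string sysctl handler; writing requires CAP_SYS_MODULE */`. It is also worth recording that the `modprobe_path` entry keeps mode 0644, so this check is in addition to the file-mode check and not a replacement for it.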
71068 @@ -2207,6 +2277,8 @@ static int proc_put_long(void __user **b
71069 len = strlen(tmp);
71070 if (len > *size)
71071 len = *size;
71072 + if (len > sizeof(tmp))
71073 + len = sizeof(tmp);
71074 if (copy_to_user(*buf, tmp, len))
71075 return -EFAULT;
71076 *size -= len;
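Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` in `proc_put_long()` comes after `len = strlen(tmp)`, so it can only trigger once `tmp` has already been overrun or left unterminated. By then `strlen()` has already read past the buffer. As defence in depth for `copy_to_user()` it is harmless, but the real bound belongs where `tmp` is filled, which is above this hunk. If that write is an unbounded formatter, making it size-limited is what prevents the overrun; otherwise a comment like `/* defensive only: tmp is bounded where it is formatted */` would stop this check being read as the primary guard.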
71077 @@ -2523,8 +2595,11 @@ static int __do_proc_doulongvec_minmax(v
71078 *i = val;
71079 } else {
71080 val = convdiv * (*i) / convmul;
71081 - if (!first)
71082 + if (!first) {
71083 err = proc_put_char(&buffer, &left, '\t');
71084 + if (err)
71085 + break;
71086 + }
71087 err = proc_put_long(&buffer, &left, val, false);
71088 if (err)
71089 break;
71090 @@ -2919,6 +2994,12 @@ int proc_dostring(struct ctl_table *tabl
71091 return -ENOSYS;
71092 }
71093
71094 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71095 + void __user *buffer, size_t *lenp, loff_t *ppos)
71096 +{
71097 + return -ENOSYS;
71098 +}
71099 +
71100 int proc_dointvec(struct ctl_table *table, int write,
71101 void __user *buffer, size_t *lenp, loff_t *ppos)
71102 {
71103 @@ -2975,6 +3056,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
71104 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
71105 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
71106 EXPORT_SYMBOL(proc_dostring);
71107 +EXPORT_SYMBOL(proc_dostring_modpriv);
71108 EXPORT_SYMBOL(proc_doulongvec_minmax);
71109 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
71110 EXPORT_SYMBOL(register_sysctl_table);
71111 diff -urNp linux-2.6.39.3/kernel/sysctl_check.c linux-2.6.39.3/kernel/sysctl_check.c
71112 --- linux-2.6.39.3/kernel/sysctl_check.c 2011-05-19 00:06:34.000000000 -0400
71113 +++ linux-2.6.39.3/kernel/sysctl_check.c 2011-05-22 19:41:42.000000000 -0400
71114 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
71115 set_fail(&fail, table, "Directory with extra2");
71116 } else {
71117 if ((table->proc_handler == proc_dostring) ||
71118 + (table->proc_handler == proc_dostring_modpriv) ||
71119 (table->proc_handler == proc_dointvec) ||
71120 (table->proc_handler == proc_dointvec_minmax) ||
71121 (table->proc_handler == proc_dointvec_jiffies) ||
71122 diff -urNp linux-2.6.39.3/kernel/taskstats.c linux-2.6.39.3/kernel/taskstats.c
71123 --- linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:18:51.000000000 -0400
71124 +++ linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:19:24.000000000 -0400
71125 @@ -27,9 +27,12 @@
71126 #include <linux/cgroup.h>
71127 #include <linux/fs.h>
71128 #include <linux/file.h>
71129 +#include <linux/grsecurity.h>
71130 #include <net/genetlink.h>
71131 #include <asm/atomic.h>
71132
71133 +extern int gr_is_taskstats_denied(int pid);
71134 +
71135 /*
71136 * Maximum length of a cpumask that can be specified in
71137 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
71138 @@ -558,6 +561,9 @@ err:
71139
71140 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
71141 {
71142 + if (gr_is_taskstats_denied(current->pid))
71143 + return -EACCES;
71144 +
71145 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
71146 return cmd_attr_register_cpumask(info);
71147 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
71148 diff -urNp linux-2.6.39.3/kernel/time/posix-clock.c linux-2.6.39.3/kernel/time/posix-clock.c
71149 --- linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-19 00:06:34.000000000 -0400
71150 +++ linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-22 19:36:33.000000000 -0400
71151 @@ -433,7 +433,7 @@ static int pc_timer_settime(struct k_iti
71152 return err;
71153 }
71154
71155 -struct k_clock clock_posix_dynamic = {
71156 +const struct k_clock clock_posix_dynamic = {
71157 .clock_getres = pc_clock_getres,
71158 .clock_set = pc_clock_settime,
71159 .clock_get = pc_clock_gettime,
71160 diff -urNp linux-2.6.39.3/kernel/time/tick-broadcast.c linux-2.6.39.3/kernel/time/tick-broadcast.c
71161 --- linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-19 00:06:34.000000000 -0400
71162 +++ linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-22 19:36:33.000000000 -0400
71163 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
71164 * then clear the broadcast bit.
71165 */
71166 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
71167 - int cpu = smp_processor_id();
71168 + cpu = smp_processor_id();
71169
71170 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
71171 tick_broadcast_clear_oneshot(cpu);
71172 diff -urNp linux-2.6.39.3/kernel/time/timekeeping.c linux-2.6.39.3/kernel/time/timekeeping.c
71173 --- linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-19 00:06:34.000000000 -0400
71174 +++ linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-22 20:40:50.000000000 -0400
71175 @@ -14,6 +14,7 @@
71176 #include <linux/init.h>
71177 #include <linux/mm.h>
71178 #include <linux/sched.h>
71179 +#include <linux/grsecurity.h>
71180 #include <linux/syscore_ops.h>
71181 #include <linux/clocksource.h>
71182 #include <linux/jiffies.h>
71183 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
71184 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
71185 return -EINVAL;
71186
71187 + gr_log_timechange();
71188 +
71189 write_seqlock_irqsave(&xtime_lock, flags);
71190
71191 timekeeping_forward_now();
71192 diff -urNp linux-2.6.39.3/kernel/time/timer_list.c linux-2.6.39.3/kernel/time/timer_list.c
71193 --- linux-2.6.39.3/kernel/time/timer_list.c 2011-05-19 00:06:34.000000000 -0400
71194 +++ linux-2.6.39.3/kernel/time/timer_list.c 2011-05-22 19:41:42.000000000 -0400
71195 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
71196
71197 static void print_name_offset(struct seq_file *m, void *sym)
71198 {
71199 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71200 + SEQ_printf(m, "<%p>", NULL);
71201 +#else
71202 char symname[KSYM_NAME_LEN];
71203
71204 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
71205 SEQ_printf(m, "<%pK>", sym);
71206 else
71207 SEQ_printf(m, "%s", symname);
71208 +#endif
71209 }
71210
71211 static void
71212 @@ -112,7 +116,11 @@ next_one:
71213 static void
71214 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
71215 {
71216 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71217 + SEQ_printf(m, " .base: %p\n", NULL);
71218 +#else
71219 SEQ_printf(m, " .base: %pK\n", base);
71220 +#endif
71221 SEQ_printf(m, " .index: %d\n",
71222 base->index);
71223 SEQ_printf(m, " .resolution: %Lu nsecs\n",
71224 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
71225 {
71226 struct proc_dir_entry *pe;
71227
71228 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71229 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
71230 +#else
71231 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
71232 +#endif
71233 if (!pe)
71234 return -ENOMEM;
71235 return 0;
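Review bot: The two `proc_create()` calls in init_timer_list_procfs differ only in the mode argument, so the `#ifdef CONFIG_GRKERNSEC_PROC_ADD` could select a mode value once and leave a single call. Duplicating the whole call means a later change to the name or the fops has to be made in both branches. init_tstats_procfs in kernel/time/timer_stats.c (`0600` versus `0644`) has the same shape. The function starts outside the hunk.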
71236 diff -urNp linux-2.6.39.3/kernel/time/timer_stats.c linux-2.6.39.3/kernel/time/timer_stats.c
71237 --- linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-19 00:06:34.000000000 -0400
71238 +++ linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-22 19:41:42.000000000 -0400
71239 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
71240 static unsigned long nr_entries;
71241 static struct entry entries[MAX_ENTRIES];
71242
71243 -static atomic_t overflow_count;
71244 +static atomic_unchecked_t overflow_count;
71245
71246 /*
71247 * The entries are in a hash-table, for fast lookup:
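Review bot: The declaration of `overflow_count` switches to `atomic_unchecked_t` with no comment saying why this counter may skip overflow checking. In the hunks of this file it is only reset to 0, incremented and printed, so it looks like a pure statistic for which wrap-around is harmless; a comment such as `/* statistic only, not a reference count: wrap-around is harmless */` on the declaration would record that reasoning. The same applies to `bt->dropped` in kernel/trace/blktrace.c, `dropped_count` in trace_mmiotrace.c and `inserted` in trace_workqueue.c.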
71248 @@ -140,7 +140,7 @@ static void reset_entries(void)
71249 nr_entries = 0;
71250 memset(entries, 0, sizeof(entries));
71251 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
71252 - atomic_set(&overflow_count, 0);
71253 + atomic_set_unchecked(&overflow_count, 0);
71254 }
71255
71256 static struct entry *alloc_entry(void)
71257 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
71258 if (likely(entry))
71259 entry->count++;
71260 else
71261 - atomic_inc(&overflow_count);
71262 + atomic_inc_unchecked(&overflow_count);
71263
71264 out_unlock:
71265 raw_spin_unlock_irqrestore(lock, flags);
71266 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
71267
71268 static void print_name_offset(struct seq_file *m, unsigned long addr)
71269 {
71270 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71271 + seq_printf(m, "<%p>", NULL);
71272 +#else
71273 char symname[KSYM_NAME_LEN];
71274
71275 if (lookup_symbol_name(addr, symname) < 0)
71276 seq_printf(m, "<%p>", (void *)addr);
71277 else
71278 seq_printf(m, "%s", symname);
71279 +#endif
71280 }
71281
71282 static int tstats_show(struct seq_file *m, void *v)
71283 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
71284
71285 seq_puts(m, "Timer Stats Version: v0.2\n");
71286 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
71287 - if (atomic_read(&overflow_count))
71288 + if (atomic_read_unchecked(&overflow_count))
71289 seq_printf(m, "Overflow: %d entries\n",
71290 - atomic_read(&overflow_count));
71291 + atomic_read_unchecked(&overflow_count));
71292
71293 for (i = 0; i < nr_entries; i++) {
71294 entry = entries + i;
71295 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
71296 {
71297 struct proc_dir_entry *pe;
71298
71299 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71300 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
71301 +#else
71302 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
71303 +#endif
71304 if (!pe)
71305 return -ENOMEM;
71306 return 0;
71307 diff -urNp linux-2.6.39.3/kernel/time.c linux-2.6.39.3/kernel/time.c
71308 --- linux-2.6.39.3/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
71309 +++ linux-2.6.39.3/kernel/time.c 2011-05-22 19:41:42.000000000 -0400
71310 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
71311 return error;
71312
71313 if (tz) {
71314 + /* we log in do_settimeofday called below, so don't log twice
71315 + */
71316 + if (!tv)
71317 + gr_log_timechange();
71318 +
71319 /* SMP safe, global irq locking makes it work. */
71320 sys_tz = *tz;
71321 update_vsyscall_tz();
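Review bot: A timezone update can go unlogged when `tv` is non-NULL but rejected, because the added `if (!tv)` leaves logging to do_settimeofday(), and the kernel/time/timekeeping.c hunk of this patch places `gr_log_timechange()` after that function's `-EINVAL` return. By that point `sys_tz = *tz` has already been applied. Unless `tv` is validated earlier in do_sys_settimeofday (its beginning is outside this hunk), either validate `tv` before touching `sys_tz` or log the tz update here regardless of `tv`. The comment could also say that the log entry is written before the change takes effect.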
71322 diff -urNp linux-2.6.39.3/kernel/timer.c linux-2.6.39.3/kernel/timer.c
71323 --- linux-2.6.39.3/kernel/timer.c 2011-05-19 00:06:34.000000000 -0400
71324 +++ linux-2.6.39.3/kernel/timer.c 2011-05-22 19:36:33.000000000 -0400
71325 @@ -1305,7 +1305,7 @@ void update_process_times(int user_tick)
71326 /*
71327 * This function runs timers and the timer-tq in bottom half context.
71328 */
71329 -static void run_timer_softirq(struct softirq_action *h)
71330 +static void run_timer_softirq(void)
71331 {
71332 struct tvec_base *base = __this_cpu_read(tvec_bases);
71333
71334 diff -urNp linux-2.6.39.3/kernel/trace/blktrace.c linux-2.6.39.3/kernel/trace/blktrace.c
71335 --- linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-19 00:06:34.000000000 -0400
71336 +++ linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-22 19:36:33.000000000 -0400
71337 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
71338 struct blk_trace *bt = filp->private_data;
71339 char buf[16];
71340
71341 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
71342 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
71343
71344 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
71345 }
71346 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
71347 return 1;
71348
71349 bt = buf->chan->private_data;
71350 - atomic_inc(&bt->dropped);
71351 + atomic_inc_unchecked(&bt->dropped);
71352 return 0;
71353 }
71354
71355 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
71356
71357 bt->dir = dir;
71358 bt->dev = dev;
71359 - atomic_set(&bt->dropped, 0);
71360 + atomic_set_unchecked(&bt->dropped, 0);
71361
71362 ret = -EIO;
71363 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
71364 diff -urNp linux-2.6.39.3/kernel/trace/ftrace.c linux-2.6.39.3/kernel/trace/ftrace.c
71365 --- linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:04:14.000000000 -0400
71366 +++ linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:32:08.000000000 -0400
71367 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
71368
71369 ip = rec->ip;
71370
71371 + ret = ftrace_arch_code_modify_prepare();
71372 + FTRACE_WARN_ON(ret);
71373 + if (ret)
71374 + return 0;
71375 +
71376 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
71377 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
71378 if (ret) {
71379 ftrace_bug(ret, ip);
71380 rec->flags |= FTRACE_FL_FAILED;
71381 - return 0;
71382 }
71383 - return 1;
71384 + return ret ? 0 : 1;
71385 }
71386
71387 /*
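Review bot: When `ftrace_arch_code_modify_prepare()` fails, ftrace_code_disable returns 0 without setting `FTRACE_FL_FAILED` on `rec`, unlike the `ftrace_make_nop()` failure path a few lines further down. Whether callers rely on that flag is not visible here (the function starts outside the hunk), but if they do, the early exit should mark the record too, `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`. The closing `return ret ? 0 : 1;` reads more simply as `return !ret;`.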
71388 @@ -2011,7 +2016,7 @@ static void ftrace_free_entry_rcu(struct
71389
71390 int
71391 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71392 - void *data)
71393 + void *data)
71394 {
71395 struct ftrace_func_probe *entry;
71396 struct ftrace_page *pg;
71397 @@ -2083,7 +2088,7 @@ enum {
71398 };
71399
71400 static void
71401 -__unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71402 +__unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,
71403 void *data, int flags)
71404 {
71405 struct ftrace_func_probe *entry;
71406 @@ -2144,7 +2149,7 @@ unregister_ftrace_function_probe(char *g
71407 }
71408
71409 void
71410 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops)
71411 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops)
71412 {
71413 __unregister_ftrace_function_probe(glob, ops, NULL, PROBE_TEST_FUNC);
71414 }
71415 diff -urNp linux-2.6.39.3/kernel/trace/trace.c linux-2.6.39.3/kernel/trace/trace.c
71416 --- linux-2.6.39.3/kernel/trace/trace.c 2011-05-19 00:06:34.000000000 -0400
71417 +++ linux-2.6.39.3/kernel/trace/trace.c 2011-05-22 19:36:33.000000000 -0400
71418 @@ -3330,6 +3330,8 @@ static ssize_t tracing_splice_read_pipe(
71419 size_t rem;
71420 unsigned int i;
71421
71422 + pax_track_stack();
71423 +
71424 if (splice_grow_spd(pipe, &spd))
71425 return -ENOMEM;
71426
71427 @@ -3813,6 +3815,8 @@ tracing_buffers_splice_read(struct file
71428 int entries, size, i;
71429 size_t ret;
71430
71431 + pax_track_stack();
71432 +
71433 if (splice_grow_spd(pipe, &spd))
71434 return -ENOMEM;
71435
71436 @@ -3981,10 +3985,9 @@ static const struct file_operations trac
71437 };
71438 #endif
71439
71440 -static struct dentry *d_tracer;
71441 -
71442 struct dentry *tracing_init_dentry(void)
71443 {
71444 + static struct dentry *d_tracer;
71445 static int once;
71446
71447 if (d_tracer)
71448 @@ -4004,10 +4007,9 @@ struct dentry *tracing_init_dentry(void)
71449 return d_tracer;
71450 }
71451
71452 -static struct dentry *d_percpu;
71453 -
71454 struct dentry *tracing_dentry_percpu(void)
71455 {
71456 + static struct dentry *d_percpu;
71457 static int once;
71458 struct dentry *d_tracer;
71459
71460 diff -urNp linux-2.6.39.3/kernel/trace/trace_events.c linux-2.6.39.3/kernel/trace/trace_events.c
71461 --- linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-19 00:06:34.000000000 -0400
71462 +++ linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-22 19:36:33.000000000 -0400
71463 @@ -1241,10 +1241,10 @@ static LIST_HEAD(ftrace_module_file_list
71464 struct ftrace_module_file_ops {
71465 struct list_head list;
71466 struct module *mod;
71467 - struct file_operations id;
71468 - struct file_operations enable;
71469 - struct file_operations format;
71470 - struct file_operations filter;
71471 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
71472 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
71473 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
71474 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
71475 };
71476
71477 static struct ftrace_module_file_ops *
71478 diff -urNp linux-2.6.39.3/kernel/trace/trace_functions.c linux-2.6.39.3/kernel/trace/trace_functions.c
71479 --- linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-19 00:06:34.000000000 -0400
71480 +++ linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-22 19:36:33.000000000 -0400
71481 @@ -308,7 +308,7 @@ ftrace_trace_onoff_print(struct seq_file
71482 static int
71483 ftrace_trace_onoff_unreg(char *glob, char *cmd, char *param)
71484 {
71485 - struct ftrace_probe_ops *ops;
71486 + const struct ftrace_probe_ops *ops;
71487
71488 /* we register both traceon and traceoff to this callback */
71489 if (strcmp(cmd, "traceon") == 0)
71490 diff -urNp linux-2.6.39.3/kernel/trace/trace_mmiotrace.c linux-2.6.39.3/kernel/trace/trace_mmiotrace.c
71491 --- linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-19 00:06:34.000000000 -0400
71492 +++ linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-22 19:36:33.000000000 -0400
71493 @@ -24,7 +24,7 @@ struct header_iter {
71494 static struct trace_array *mmio_trace_array;
71495 static bool overrun_detected;
71496 static unsigned long prev_overruns;
71497 -static atomic_t dropped_count;
71498 +static atomic_unchecked_t dropped_count;
71499
71500 static void mmio_reset_data(struct trace_array *tr)
71501 {
71502 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
71503
71504 static unsigned long count_overruns(struct trace_iterator *iter)
71505 {
71506 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
71507 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71508 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71509
71510 if (over > prev_overruns)
71511 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
71512 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71513 sizeof(*entry), 0, pc);
71514 if (!event) {
71515 - atomic_inc(&dropped_count);
71516 + atomic_inc_unchecked(&dropped_count);
71517 return;
71518 }
71519 entry = ring_buffer_event_data(event);
71520 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
71521 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71522 sizeof(*entry), 0, pc);
71523 if (!event) {
71524 - atomic_inc(&dropped_count);
71525 + atomic_inc_unchecked(&dropped_count);
71526 return;
71527 }
71528 entry = ring_buffer_event_data(event);
71529 diff -urNp linux-2.6.39.3/kernel/trace/trace_output.c linux-2.6.39.3/kernel/trace/trace_output.c
71530 --- linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-19 00:06:34.000000000 -0400
71531 +++ linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-22 19:36:33.000000000 -0400
71532 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
71533
71534 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71535 if (!IS_ERR(p)) {
71536 - p = mangle_path(s->buffer + s->len, p, "\n");
71537 + p = mangle_path(s->buffer + s->len, p, "\n\\");
71538 if (p) {
71539 s->len = p - s->buffer;
71540 return 1;
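Review bot: The escape set passed to `mangle_path()` in trace_seq_path gains a backslash, but nothing explains why. mangle_path writes each listed character as a backslash-octal sequence, so a literal backslash in a path has to be escaped as well for the output to be parsed unambiguously. A comment above the call would record that, e.g. `/* escape '\\' too, so a literal "\012" in a name cannot be mistaken for an escaped newline */`. The function starts outside the hunk.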
71541 diff -urNp linux-2.6.39.3/kernel/trace/trace_stack.c linux-2.6.39.3/kernel/trace/trace_stack.c
71542 --- linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-19 00:06:34.000000000 -0400
71543 +++ linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-22 19:36:33.000000000 -0400
71544 @@ -50,7 +50,7 @@ static inline void check_stack(void)
71545 return;
71546
71547 /* we do not handle interrupt stacks yet */
71548 - if (!object_is_on_stack(&this_size))
71549 + if (!object_starts_on_stack(&this_size))
71550 return;
71551
71552 local_irq_save(flags);
71553 diff -urNp linux-2.6.39.3/kernel/trace/trace_workqueue.c linux-2.6.39.3/kernel/trace/trace_workqueue.c
71554 --- linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-19 00:06:34.000000000 -0400
71555 +++ linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-22 19:36:33.000000000 -0400
71556 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
71557 int cpu;
71558 pid_t pid;
71559 /* Can be inserted from interrupt or user context, need to be atomic */
71560 - atomic_t inserted;
71561 + atomic_unchecked_t inserted;
71562 /*
71563 * Don't need to be atomic, works are serialized in a single workqueue thread
71564 * on a single CPU.
71565 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
71566 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71567 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71568 if (node->pid == wq_thread->pid) {
71569 - atomic_inc(&node->inserted);
71570 + atomic_inc_unchecked(&node->inserted);
71571 goto found;
71572 }
71573 }
71574 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
71575 tsk = get_pid_task(pid, PIDTYPE_PID);
71576 if (tsk) {
71577 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71578 - atomic_read(&cws->inserted), cws->executed,
71579 + atomic_read_unchecked(&cws->inserted), cws->executed,
71580 tsk->comm);
71581 put_task_struct(tsk);
71582 }
71583 diff -urNp linux-2.6.39.3/lib/bug.c linux-2.6.39.3/lib/bug.c
71584 --- linux-2.6.39.3/lib/bug.c 2011-05-19 00:06:34.000000000 -0400
71585 +++ linux-2.6.39.3/lib/bug.c 2011-05-22 19:36:33.000000000 -0400
71586 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
71587 return BUG_TRAP_TYPE_NONE;
71588
71589 bug = find_bug(bugaddr);
71590 + if (!bug)
71591 + return BUG_TRAP_TYPE_NONE;
71592
71593 file = NULL;
71594 line = 0;
71595 diff -urNp linux-2.6.39.3/lib/debugobjects.c linux-2.6.39.3/lib/debugobjects.c
71596 --- linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:18:51.000000000 -0400
71597 +++ linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:19:24.000000000 -0400
71598 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
71599 if (limit > 4)
71600 return;
71601
71602 - is_on_stack = object_is_on_stack(addr);
71603 + is_on_stack = object_starts_on_stack(addr);
71604 if (is_on_stack == onstack)
71605 return;
71606
71607 diff -urNp linux-2.6.39.3/lib/dma-debug.c linux-2.6.39.3/lib/dma-debug.c
71608 --- linux-2.6.39.3/lib/dma-debug.c 2011-05-19 00:06:34.000000000 -0400
71609 +++ linux-2.6.39.3/lib/dma-debug.c 2011-05-22 19:36:33.000000000 -0400
71610 @@ -862,7 +862,7 @@ out:
71611
71612 static void check_for_stack(struct device *dev, void *addr)
71613 {
71614 - if (object_is_on_stack(addr))
71615 + if (object_starts_on_stack(addr))
71616 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71617 "stack [addr=%p]\n", addr);
71618 }
71619 diff -urNp linux-2.6.39.3/lib/inflate.c linux-2.6.39.3/lib/inflate.c
71620 --- linux-2.6.39.3/lib/inflate.c 2011-05-19 00:06:34.000000000 -0400
71621 +++ linux-2.6.39.3/lib/inflate.c 2011-05-22 19:36:33.000000000 -0400
71622 @@ -269,7 +269,7 @@ static void free(void *where)
71623 malloc_ptr = free_mem_ptr;
71624 }
71625 #else
71626 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71627 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71628 #define free(a) kfree(a)
71629 #endif
71630
71631 diff -urNp linux-2.6.39.3/lib/Kconfig.debug linux-2.6.39.3/lib/Kconfig.debug
71632 --- linux-2.6.39.3/lib/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
71633 +++ linux-2.6.39.3/lib/Kconfig.debug 2011-05-22 19:41:42.000000000 -0400
71634 @@ -1078,6 +1078,7 @@ config LATENCYTOP
71635 depends on DEBUG_KERNEL
71636 depends on STACKTRACE_SUPPORT
71637 depends on PROC_FS
71638 + depends on !GRKERNSEC_HIDESYM
71639 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
71640 select KALLSYMS
71641 select KALLSYMS_ALL
71642 diff -urNp linux-2.6.39.3/lib/kref.c linux-2.6.39.3/lib/kref.c
71643 --- linux-2.6.39.3/lib/kref.c 2011-05-19 00:06:34.000000000 -0400
71644 +++ linux-2.6.39.3/lib/kref.c 2011-05-22 19:36:33.000000000 -0400
71645 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
71646 */
71647 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71648 {
71649 - WARN_ON(release == NULL);
71650 + BUG_ON(release == NULL);
71651 WARN_ON(release == (void (*)(struct kref *))kfree);
71652
71653 if (atomic_dec_and_test(&kref->refcount)) {
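Review bot: `BUG_ON(release == NULL)` in kref_put turns a caller error that used to produce a warning into a halt, and the line carries no comment giving the reason. Presumably the aim is that a NULL `release` is never reached as an indirect call once the count drops to zero; a short comment such as `/* release is called through below; never continue with a NULL callback */` would state that. The `WARN_ON` for `kfree` on the next line stays a warning, which deserves a word if the difference is deliberate.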
71654 diff -urNp linux-2.6.39.3/lib/radix-tree.c linux-2.6.39.3/lib/radix-tree.c
71655 --- linux-2.6.39.3/lib/radix-tree.c 2011-05-19 00:06:34.000000000 -0400
71656 +++ linux-2.6.39.3/lib/radix-tree.c 2011-05-22 19:36:33.000000000 -0400
71657 @@ -80,7 +80,7 @@ struct radix_tree_preload {
71658 int nr;
71659 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71660 };
71661 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71662 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71663
71664 static inline void *ptr_to_indirect(void *ptr)
71665 {
71666 diff -urNp linux-2.6.39.3/lib/vsprintf.c linux-2.6.39.3/lib/vsprintf.c
71667 --- linux-2.6.39.3/lib/vsprintf.c 2011-05-19 00:06:34.000000000 -0400
71668 +++ linux-2.6.39.3/lib/vsprintf.c 2011-05-22 20:54:59.000000000 -0400
71669 @@ -16,6 +16,9 @@
71670 * - scnprintf and vscnprintf
71671 */
71672
71673 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71674 +#define __INCLUDED_BY_HIDESYM 1
71675 +#endif
71676 #include <stdarg.h>
71677 #include <linux/module.h>
71678 #include <linux/types.h>
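Review bot: `__INCLUDED_BY_HIDESYM` is defined ahead of every include with no comment on which header tests it or what it enables for this file. Since the define only works while it stays above the `#include` lines, a comment of the form `/* must precede all includes; tested by <header> to permit symbol lookups in this file */` would keep a later cleanup from moving it. The header name is a placeholder to be filled in, as it is not visible in this hunk.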
71679 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
71680 char sym[KSYM_SYMBOL_LEN];
71681 if (ext == 'B')
71682 sprint_backtrace(sym, value);
71683 - else if (ext != 'f' && ext != 's')
71684 + else if (ext != 'f' && ext != 's' && ext != 'a')
71685 sprint_symbol(sym, value);
71686 else
71687 kallsyms_lookup(value, NULL, NULL, NULL, sym);
71688 @@ -797,7 +800,11 @@ char *uuid_string(char *buf, char *end,
71689 return string(buf, end, uuid, spec);
71690 }
71691
71692 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71693 +int kptr_restrict __read_mostly = 2;
71694 +#else
71695 int kptr_restrict __read_mostly;
71696 +#endif
71697
71698 /*
71699 * Show a '%p' thing. A kernel extension is that the '%p' is followed
71700 @@ -811,6 +818,8 @@ int kptr_restrict __read_mostly;
71701 * - 'S' For symbolic direct pointers with offset
71702 * - 's' For symbolic direct pointers without offset
71703 * - 'B' For backtraced symbolic direct pointers with offset
71704 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71705 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71706 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
71707 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
71708 * - 'M' For a 6-byte MAC address, it prints the address in the
71709 @@ -855,12 +864,12 @@ char *pointer(const char *fmt, char *buf
71710 {
71711 if (!ptr && *fmt != 'K') {
71712 /*
71713 - * Print (null) with the same width as a pointer so it makes
71714 + * Print (nil) with the same width as a pointer so it makes
71715 * tabular output look nice.
71716 */
71717 if (spec.field_width == -1)
71718 spec.field_width = 2 * sizeof(void *);
71719 - return string(buf, end, "(null)", spec);
71720 + return string(buf, end, "(nil)", spec);
71721 }
71722
71723 switch (*fmt) {
71724 @@ -870,6 +879,13 @@ char *pointer(const char *fmt, char *buf
71725 /* Fallthrough */
71726 case 'S':
71727 case 's':
71728 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71729 + break;
71730 +#else
71731 + return symbol_string(buf, end, ptr, spec, *fmt);
71732 +#endif
71733 + case 'A':
71734 + case 'a':
71735 case 'B':
71736 return symbol_string(buf, end, ptr, spec, *fmt);
71737 case 'R':
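Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'S'` and `'s'` cases, and the case that falls through into them just above, now `break` out of the switch, and what the code after the switch prints is outside this hunk. If that is the plain numeric pointer path, these specifiers would emit the raw address in place of the symbol, which fits poorly with hiding symbols; please confirm and state the resulting output in a comment at the `break`. Putting the `#ifdef` between case labels also duplicates the `return symbol_string(buf, end, ptr, spec, *fmt);` line, so the two copies have to be kept in step.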
71738 @@ -1632,11 +1648,11 @@ int bstr_printf(char *buf, size_t size,
71739 typeof(type) value; \
71740 if (sizeof(type) == 8) { \
71741 args = PTR_ALIGN(args, sizeof(u32)); \
71742 - *(u32 *)&value = *(u32 *)args; \
71743 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71744 + *(u32 *)&value = *(const u32 *)args; \
71745 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71746 } else { \
71747 args = PTR_ALIGN(args, sizeof(type)); \
71748 - value = *(typeof(type) *)args; \
71749 + value = *(const typeof(type) *)args; \
71750 } \
71751 args += sizeof(type); \
71752 value; \
71753 @@ -1699,7 +1715,7 @@ int bstr_printf(char *buf, size_t size,
71754 case FORMAT_TYPE_STR: {
71755 const char *str_arg = args;
71756 args += strlen(str_arg) + 1;
71757 - str = string(str, end, (char *)str_arg, spec);
71758 + str = string(str, end, str_arg, spec);
71759 break;
71760 }
71761
71762 diff -urNp linux-2.6.39.3/localversion-grsec linux-2.6.39.3/localversion-grsec
71763 --- linux-2.6.39.3/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71764 +++ linux-2.6.39.3/localversion-grsec 2011-05-22 19:41:42.000000000 -0400
71765 @@ -0,0 +1 @@
71766 +-grsec
71767 diff -urNp linux-2.6.39.3/Makefile linux-2.6.39.3/Makefile
71768 --- linux-2.6.39.3/Makefile 2011-07-09 09:18:51.000000000 -0400
71769 +++ linux-2.6.39.3/Makefile 2011-07-09 09:19:18.000000000 -0400
71770 @@ -237,8 +237,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71771
71772 HOSTCC = gcc
71773 HOSTCXX = g++
71774 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
71775 -HOSTCXXFLAGS = -O2
71776 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
71777 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
71778 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
71779
71780 # Decide whether to build built-in, modular, or both.
71781 # Normally, just do built-in.
71782 @@ -356,10 +357,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
71783 KBUILD_CPPFLAGS := -D__KERNEL__
71784
71785 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71786 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
71787 -fno-strict-aliasing -fno-common \
71788 -Werror-implicit-function-declaration \
71789 -Wno-format-security \
71790 -fno-delete-null-pointer-checks
71791 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
71792 KBUILD_AFLAGS_KERNEL :=
71793 KBUILD_CFLAGS_KERNEL :=
71794 KBUILD_AFLAGS := -D__ASSEMBLY__
71795 @@ -397,8 +400,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
71796 # Rules shared between *config targets and build targets
71797
71798 # Basic helpers built in scripts/
71799 -PHONY += scripts_basic
71800 -scripts_basic:
71801 +PHONY += scripts_basic pax-plugin
71802 +scripts_basic: pax-plugin
71803 $(Q)$(MAKE) $(build)=scripts/basic
71804 $(Q)rm -f .tmp_quiet_recordmcount
71805
71806 @@ -550,6 +553,18 @@ endif
71807
71808 include $(srctree)/arch/$(SRCARCH)/Makefile
71809
71810 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71811 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
71812 +endif
71813 +pax-plugin:
71814 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
71815 + $(Q)$(MAKE) $(build)=tools/gcc
71816 +else
71817 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71818 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
71819 +endif
71820 +endif
71821 +
71822 ifneq ($(CONFIG_FRAME_WARN),0)
71823 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
71824 endif
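Review bot: When CONFIG_PAX_MEMORY_STACKLEAK is set but the compiler lacks plugin support, the `pax-plugin` recipe only echoes a warning to stdout and the build continues with weaker protection. In a long kernel build log a single echoed line is easy to miss. Sending it to stderr by appending `>&2` to the echo, or raising it with `$(warning ...)` when the Makefile is parsed, would make it more visible; failing the build is the stricter choice if a silently downgraded STACKLEAK is not acceptable.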
71825 @@ -685,7 +700,7 @@ export mod_strip_cmd
71826
71827
71828 ifeq ($(KBUILD_EXTMOD),)
71829 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71830 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71831
71832 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71833 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71834 @@ -947,7 +962,7 @@ ifneq ($(KBUILD_SRC),)
71835 endif
71836
71837 # prepare2 creates a makefile if using a separate output directory
71838 -prepare2: prepare3 outputmakefile
71839 +prepare2: prepare3 outputmakefile pax-plugin
71840
71841 prepare1: prepare2 include/linux/version.h include/generated/utsrelease.h \
71842 include/config/auto.conf
71843 @@ -1375,7 +1390,7 @@ clean: $(clean-dirs)
71844 $(call cmd,rmdirs)
71845 $(call cmd,rmfiles)
71846 @find $(if $(KBUILD_EXTMOD), $(KBUILD_EXTMOD), .) $(RCS_FIND_IGNORE) \
71847 - \( -name '*.[oas]' -o -name '*.ko' -o -name '.*.cmd' \
71848 + \( -name '*.[oas]' -o -name '*.[ks]o' -o -name '.*.cmd' \
71849 -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \
71850 -o -name '*.symtypes' -o -name 'modules.order' \
71851 -o -name modules.builtin -o -name '.tmp_*.o.*' \
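Review bot: The widened pattern `'*.[ks]o'` makes `make clean` delete every `*.so` it finds under the tree, or under `$(KBUILD_EXTMOD)` for an external module build, not only the plugin built in tools/gcc. Any shared object there that is not a build product would be removed as well; whether such files exist cannot be seen from this hunk. Limiting the removal to the plugin's own directory, for instance through that directory's clean rule, would be narrower.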
71852 diff -urNp linux-2.6.39.3/mm/filemap.c linux-2.6.39.3/mm/filemap.c
71853 --- linux-2.6.39.3/mm/filemap.c 2011-05-19 00:06:34.000000000 -0400
71854 +++ linux-2.6.39.3/mm/filemap.c 2011-05-22 19:41:42.000000000 -0400
71855 @@ -1724,7 +1724,7 @@ int generic_file_mmap(struct file * file
71856 struct address_space *mapping = file->f_mapping;
71857
71858 if (!mapping->a_ops->readpage)
71859 - return -ENOEXEC;
71860 + return -ENODEV;
71861 file_accessed(file);
71862 vma->vm_ops = &generic_file_vm_ops;
71863 vma->vm_flags |= VM_CAN_NONLINEAR;
71864 @@ -2120,6 +2120,7 @@ inline int generic_write_checks(struct f
71865 *pos = i_size_read(inode);
71866
71867 if (limit != RLIM_INFINITY) {
71868 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71869 if (*pos >= limit) {
71870 send_sig(SIGXFSZ, current, 0);
71871 return -EFBIG;
71872 diff -urNp linux-2.6.39.3/mm/fremap.c linux-2.6.39.3/mm/fremap.c
71873 --- linux-2.6.39.3/mm/fremap.c 2011-05-19 00:06:34.000000000 -0400
71874 +++ linux-2.6.39.3/mm/fremap.c 2011-05-22 19:36:33.000000000 -0400
71875 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71876 retry:
71877 vma = find_vma(mm, start);
71878
71879 +#ifdef CONFIG_PAX_SEGMEXEC
71880 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71881 + goto out;
71882 +#endif
71883 +
71884 /*
71885 * Make sure the vma is shared, that it supports prefaulting,
71886 * and that the remapped range is valid and fully within
71887 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71888 /*
71889 * drop PG_Mlocked flag for over-mapped range
71890 */
71891 - unsigned int saved_flags = vma->vm_flags;
71892 + unsigned long saved_flags = vma->vm_flags;
71893 munlock_vma_pages_range(vma, start, start + size);
71894 vma->vm_flags = saved_flags;
71895 }
71896 diff -urNp linux-2.6.39.3/mm/highmem.c linux-2.6.39.3/mm/highmem.c
71897 --- linux-2.6.39.3/mm/highmem.c 2011-05-19 00:06:34.000000000 -0400
71898 +++ linux-2.6.39.3/mm/highmem.c 2011-05-22 19:36:33.000000000 -0400
71899 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
71900 * So no dangers, even with speculative execution.
71901 */
71902 page = pte_page(pkmap_page_table[i]);
71903 + pax_open_kernel();
71904 pte_clear(&init_mm, (unsigned long)page_address(page),
71905 &pkmap_page_table[i]);
71906 -
71907 + pax_close_kernel();
71908 set_page_address(page, NULL);
71909 need_flush = 1;
71910 }
71911 @@ -186,9 +187,11 @@ start:
71912 }
71913 }
71914 vaddr = PKMAP_ADDR(last_pkmap_nr);
71915 +
71916 + pax_open_kernel();
71917 set_pte_at(&init_mm, vaddr,
71918 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71919 -
71920 + pax_close_kernel();
71921 pkmap_count[last_pkmap_nr] = 1;
71922 set_page_address(page, (void *)vaddr);
71923
71924 diff -urNp linux-2.6.39.3/mm/huge_memory.c linux-2.6.39.3/mm/huge_memory.c
71925 --- linux-2.6.39.3/mm/huge_memory.c 2011-05-19 00:06:34.000000000 -0400
71926 +++ linux-2.6.39.3/mm/huge_memory.c 2011-05-22 19:36:33.000000000 -0400
71927 @@ -702,7 +702,7 @@ out:
71928 * run pte_offset_map on the pmd, if an huge pmd could
71929 * materialize from under us from a different thread.
71930 */
71931 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
71932 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
71933 return VM_FAULT_OOM;
71934 /* if an huge pmd materialized from under us just retry later */
71935 if (unlikely(pmd_trans_huge(*pmd)))
71936 diff -urNp linux-2.6.39.3/mm/hugetlb.c linux-2.6.39.3/mm/hugetlb.c
71937 --- linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:18:51.000000000 -0400
71938 +++ linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:19:24.000000000 -0400
71939 @@ -2339,6 +2339,27 @@ static int unmap_ref_private(struct mm_s
71940 return 1;
71941 }
71942
71943 +#ifdef CONFIG_PAX_SEGMEXEC
71944 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71945 +{
71946 + struct mm_struct *mm = vma->vm_mm;
71947 + struct vm_area_struct *vma_m;
71948 + unsigned long address_m;
71949 + pte_t *ptep_m;
71950 +
71951 + vma_m = pax_find_mirror_vma(vma);
71952 + if (!vma_m)
71953 + return;
71954 +
71955 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71956 + address_m = address + SEGMEXEC_TASK_SIZE;
71957 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71958 + get_page(page_m);
71959 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
71960 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71961 +}
71962 +#endif
71963 +
71964 /*
71965 * Hugetlb_cow() should be called with page lock of the original hugepage held.
71966 */
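Review bot: In pax_mirror_huge_pte the result of `huge_pte_offset()` is handed to `set_huge_pte_at()` without a NULL check. The hugetlb_fault hunk further down calls `huge_pte_alloc()` for the mirror address first, so the entry presumably always exists, but the helper neither states nor enforces that precondition; `BUG_ON(!ptep_m);` after the lookup, with a comment naming the caller that allocates it, would do both. The lookup masks `address_m` with `HPAGE_MASK` while the rmap and `set_huge_pte_at()` calls use it unmasked, which needs a comment if callers are expected to pass an aligned address.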
71967 @@ -2440,6 +2461,11 @@ retry_avoidcopy:
71968 make_huge_pte(vma, new_page, 1));
71969 page_remove_rmap(old_page);
71970 hugepage_add_new_anon_rmap(new_page, vma, address);
71971 +
71972 +#ifdef CONFIG_PAX_SEGMEXEC
71973 + pax_mirror_huge_pte(vma, address, new_page);
71974 +#endif
71975 +
71976 /* Make the old page be freed below */
71977 new_page = old_page;
71978 mmu_notifier_invalidate_range_end(mm,
71979 @@ -2591,6 +2617,10 @@ retry:
71980 && (vma->vm_flags & VM_SHARED)));
71981 set_huge_pte_at(mm, address, ptep, new_pte);
71982
71983 +#ifdef CONFIG_PAX_SEGMEXEC
71984 + pax_mirror_huge_pte(vma, address, page);
71985 +#endif
71986 +
71987 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71988 /* Optimization, do the COW without a second fault */
71989 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71990 @@ -2620,6 +2650,10 @@ int hugetlb_fault(struct mm_struct *mm,
71991 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71992 struct hstate *h = hstate_vma(vma);
71993
71994 +#ifdef CONFIG_PAX_SEGMEXEC
71995 + struct vm_area_struct *vma_m;
71996 +#endif
71997 +
71998 ptep = huge_pte_offset(mm, address);
71999 if (ptep) {
72000 entry = huge_ptep_get(ptep);
72001 @@ -2631,6 +2665,26 @@ int hugetlb_fault(struct mm_struct *mm,
72002 VM_FAULT_SET_HINDEX(h - hstates);
72003 }
72004
72005 +#ifdef CONFIG_PAX_SEGMEXEC
72006 + vma_m = pax_find_mirror_vma(vma);
72007 + if (vma_m) {
72008 + unsigned long address_m;
72009 +
72010 + if (vma->vm_start > vma_m->vm_start) {
72011 + address_m = address;
72012 + address -= SEGMEXEC_TASK_SIZE;
72013 + vma = vma_m;
72014 + h = hstate_vma(vma);
72015 + } else
72016 + address_m = address + SEGMEXEC_TASK_SIZE;
72017 +
72018 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
72019 + return VM_FAULT_OOM;
72020 + address_m &= HPAGE_MASK;
72021 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
72022 + }
72023 +#endif
72024 +
72025 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
72026 if (!ptep)
72027 return VM_FAULT_OOM;
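Review bot: `unmap_hugepage_range()` is called with `vma` although `address_m` lies in the mirror range, and in the first branch `vma` has just been reassigned to `vma_m`, so after the swap it is hard to tell which mapping each name refers to. If passing that vma for the mirror addresses is intended, a comment should say why; otherwise the mirror vma needs to be tracked in its own variable. The block also mixes `huge_page_size(h)` with the fixed `HPAGE_MASK` and `HPAGE_SIZE`, where `huge_page_mask(h)` and `huge_page_size(h)` would keep it consistent with the hstate. hugetlb_fault starts outside the hunk.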
72028 diff -urNp linux-2.6.39.3/mm/internal.h linux-2.6.39.3/mm/internal.h
72029 --- linux-2.6.39.3/mm/internal.h 2011-05-19 00:06:34.000000000 -0400
72030 +++ linux-2.6.39.3/mm/internal.h 2011-07-09 09:12:54.000000000 -0400
72031 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
72032 * in mm/page_alloc.c
72033 */
72034 extern void __free_pages_bootmem(struct page *page, unsigned int order);
72035 +extern void free_compound_page(struct page *page);
72036 extern void prep_compound_page(struct page *page, unsigned long order);
72037 #ifdef CONFIG_MEMORY_FAILURE
72038 extern bool is_free_buddy_page(struct page *page);
72039 diff -urNp linux-2.6.39.3/mm/Kconfig linux-2.6.39.3/mm/Kconfig
72040 --- linux-2.6.39.3/mm/Kconfig 2011-05-19 00:06:34.000000000 -0400
72041 +++ linux-2.6.39.3/mm/Kconfig 2011-05-22 19:41:42.000000000 -0400
72042 @@ -240,7 +240,7 @@ config KSM
72043 config DEFAULT_MMAP_MIN_ADDR
72044 int "Low address space to protect from user allocation"
72045 depends on MMU
72046 - default 4096
72047 + default 65536
72048 help
72049 This is the portion of low virtual memory which should be protected
72050 from userspace allocation. Keeping a user from writing to low pages
72051 diff -urNp linux-2.6.39.3/mm/kmemleak.c linux-2.6.39.3/mm/kmemleak.c
72052 --- linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:04:14.000000000 -0400
72053 +++ linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:32:08.000000000 -0400
72054 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
72055
72056 for (i = 0; i < object->trace_len; i++) {
72057 void *ptr = (void *)object->trace[i];
72058 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
72059 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
72060 }
72061 }
72062
72063 diff -urNp linux-2.6.39.3/mm/maccess.c linux-2.6.39.3/mm/maccess.c
72064 --- linux-2.6.39.3/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
72065 +++ linux-2.6.39.3/mm/maccess.c 2011-05-22 19:36:33.000000000 -0400
72066 @@ -15,10 +15,10 @@
72067 * happens, handle that and return -EFAULT.
72068 */
72069
72070 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
72071 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
72072 __attribute__((alias("__probe_kernel_read")));
72073
72074 -long __probe_kernel_read(void *dst, void *src, size_t size)
72075 +long __probe_kernel_read(void *dst, const void *src, size_t size)
72076 {
72077 long ret;
72078 mm_segment_t old_fs = get_fs();
72079 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
72080 * Safely write to address @dst from the buffer at @src. If a kernel fault
72081 * happens, handle that and return -EFAULT.
72082 */
72083 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
72084 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
72085 __attribute__((alias("__probe_kernel_write")));
72086
72087 -long __probe_kernel_write(void *dst, void *src, size_t size)
72088 +long __probe_kernel_write(void *dst, const void *src, size_t size)
72089 {
72090 long ret;
72091 mm_segment_t old_fs = get_fs();
72092 diff -urNp linux-2.6.39.3/mm/madvise.c linux-2.6.39.3/mm/madvise.c
72093 --- linux-2.6.39.3/mm/madvise.c 2011-05-19 00:06:34.000000000 -0400
72094 +++ linux-2.6.39.3/mm/madvise.c 2011-05-22 19:36:33.000000000 -0400
72095 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
72096 pgoff_t pgoff;
72097 unsigned long new_flags = vma->vm_flags;
72098
72099 +#ifdef CONFIG_PAX_SEGMEXEC
72100 + struct vm_area_struct *vma_m;
72101 +#endif
72102 +
72103 switch (behavior) {
72104 case MADV_NORMAL:
72105 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
72106 @@ -110,6 +114,13 @@ success:
72107 /*
72108 * vm_flags is protected by the mmap_sem held in write mode.
72109 */
72110 +
72111 +#ifdef CONFIG_PAX_SEGMEXEC
72112 + vma_m = pax_find_mirror_vma(vma);
72113 + if (vma_m)
72114 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
72115 +#endif
72116 +
72117 vma->vm_flags = new_flags;
72118
72119 out:
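Review bot: The mirror assignment `vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT)` has no comment, and the existing mmap_sem comment is now separated from `vma->vm_flags = new_flags` by the whole #ifdef block. I would add something like `/* PaX: the mirror takes the same advice flags but never the write or accounting bits */` directly above the mirror write, and keep the locking comment adjacent to the code it covers. The reason for masking VM_ACCOUNT is inferred from the mask alone, so the author should confirm the wording. The rest of madvise_behavior is outside the hunk.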
72120 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
72121 struct vm_area_struct ** prev,
72122 unsigned long start, unsigned long end)
72123 {
72124 +
72125 +#ifdef CONFIG_PAX_SEGMEXEC
72126 + struct vm_area_struct *vma_m;
72127 +#endif
72128 +
72129 *prev = vma;
72130 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
72131 return -EINVAL;
72132 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
72133 zap_page_range(vma, start, end - start, &details);
72134 } else
72135 zap_page_range(vma, start, end - start, NULL);
72136 +
72137 +#ifdef CONFIG_PAX_SEGMEXEC
72138 + vma_m = pax_find_mirror_vma(vma);
72139 + if (vma_m) {
72140 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
72141 + struct zap_details details = {
72142 + .nonlinear_vma = vma_m,
72143 + .last_index = ULONG_MAX,
72144 + };
72145 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
72146 + } else
72147 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
72148 + }
72149 +#endif
72150 +
72151 return 0;
72152 }
72153
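Review bot: Both mirror calls pass `vma` to zap_page_range() although the range starting at `start + SEGMEXEC_TASK_SIZE` lies in `vma_m`, and the nonlinear test reads `vma->vm_flags` while `details.nonlinear_vma` is set to `vma_m`. This presumably works only because zap_page_range walks forward from the vma it is given until it reaches the range; its body is not visible here, so that is an implicit dependency worth removing. I would call `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);` and change the `&details` variant the same way, or add a comment saying the lower vma is passed on purpose.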
72154 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
72155 if (end < start)
72156 goto out;
72157
72158 +#ifdef CONFIG_PAX_SEGMEXEC
72159 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72160 + if (end > SEGMEXEC_TASK_SIZE)
72161 + goto out;
72162 + } else
72163 +#endif
72164 +
72165 + if (end > TASK_SIZE)
72166 + goto out;
72167 +
72168 error = 0;
72169 if (end == start)
72170 goto out;
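Review bot: The bound check is built from an `else` that ends inside `#ifdef CONFIG_PAX_SEGMEXEC` and a separate `if (end > TASK_SIZE)` after the `#endif`, with a blank line between them. The control flow therefore depends on the configuration, and a statement inserted between the two silently becomes the else-body. do_mbind in mm/mempolicy.c, later in this patch, uses the same construction. A local limit reads more safely: initialise it to `TASK_SIZE`, override it with `SEGMEXEC_TASK_SIZE` inside the #ifdef when `MF_PAX_SEGMEXEC` is set, then test once with `if (end > limit) goto out;`. The declaration would go at the top of the syscall body, which is outside the hunk.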
72171 diff -urNp linux-2.6.39.3/mm/memory.c linux-2.6.39.3/mm/memory.c
72172 --- linux-2.6.39.3/mm/memory.c 2011-05-19 00:06:34.000000000 -0400
72173 +++ linux-2.6.39.3/mm/memory.c 2011-05-22 19:36:33.000000000 -0400
72174 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
72175 return;
72176
72177 pmd = pmd_offset(pud, start);
72178 +
72179 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
72180 pud_clear(pud);
72181 pmd_free_tlb(tlb, pmd, start);
72182 +#endif
72183 +
72184 }
72185
72186 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
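Review bot: The two guards are not symmetric. Here `pmd = pmd_offset(pud, start);` stays outside the `#if`, so with CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD both set it is computed and never used, while the free_pud_range hunk that follows puts `pud = pud_offset(pgd, start);` inside its guard. Moving the pmd_offset line inside the `#if` would match the second hunk and avoid a set-but-unused warning. Neither guard says why the clear and free are skipped; a one-line comment such as `/* PaX: with per-CPU PGDs this level must not be cleared or freed here */` would help, with the reason confirmed by the author since it is only inferred from the option name.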
72187 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
72188 if (end - 1 > ceiling - 1)
72189 return;
72190
72191 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
72192 pud = pud_offset(pgd, start);
72193 pgd_clear(pgd);
72194 pud_free_tlb(tlb, pud, start);
72195 +#endif
72196 +
72197 }
72198
72199 /*
72200 @@ -1410,12 +1417,6 @@ no_page_table:
72201 return page;
72202 }
72203
72204 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
72205 -{
72206 - return stack_guard_page_start(vma, addr) ||
72207 - stack_guard_page_end(vma, addr+PAGE_SIZE);
72208 -}
72209 -
72210 /**
72211 * __get_user_pages() - pin user pages in memory
72212 * @tsk: task_struct of target task
72213 @@ -1488,10 +1489,10 @@ int __get_user_pages(struct task_struct
72214 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
72215 i = 0;
72216
72217 - do {
72218 + while (nr_pages) {
72219 struct vm_area_struct *vma;
72220
72221 - vma = find_extend_vma(mm, start);
72222 + vma = find_vma(mm, start);
72223 if (!vma && in_gate_area(mm, start)) {
72224 unsigned long pg = start & PAGE_MASK;
72225 pgd_t *pgd;
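Review bot: Replacing `find_extend_vma(mm, start)` with `find_vma(mm, start)` means this path no longer grows a stack vma, so an address just below the current stack now fails with -EFAULT through the `start < vma->vm_start` test added in the next hunk. That is a behaviour change for every get_user_pages caller and nothing in the hunk records it. A comment at the call, for example `/* PaX: never expand the stack on behalf of GUP callers */`, would state the intent. Note also that `find_vma` can return a vma lying above `start`, so the `!vma && in_gate_area(mm, start)` branch is skipped whenever any vma sits above the address. Whether that can happen for the gate area depends on the architecture and is not visible here.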
72226 @@ -1539,7 +1540,7 @@ int __get_user_pages(struct task_struct
72227 goto next_page;
72228 }
72229
72230 - if (!vma ||
72231 + if (!vma || start < vma->vm_start ||
72232 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
72233 !(vm_flags & vma->vm_flags))
72234 return i ? : -EFAULT;
72235 @@ -1566,11 +1567,6 @@ int __get_user_pages(struct task_struct
72236 int ret;
72237 unsigned int fault_flags = 0;
72238
72239 - /* For mlock, just skip the stack guard page. */
72240 - if (foll_flags & FOLL_MLOCK) {
72241 - if (stack_guard_page(vma, start))
72242 - goto next_page;
72243 - }
72244 if (foll_flags & FOLL_WRITE)
72245 fault_flags |= FAULT_FLAG_WRITE;
72246 if (nonblocking)
72247 @@ -1644,7 +1640,7 @@ next_page:
72248 start += PAGE_SIZE;
72249 nr_pages--;
72250 } while (nr_pages && start < vma->vm_end);
72251 - } while (nr_pages);
72252 + }
72253 return i;
72254 }
72255 EXPORT_SYMBOL(__get_user_pages);
72256 @@ -1795,6 +1791,10 @@ static int insert_page(struct vm_area_st
72257 page_add_file_rmap(page);
72258 set_pte_at(mm, addr, pte, mk_pte(page, prot));
72259
72260 +#ifdef CONFIG_PAX_SEGMEXEC
72261 + pax_mirror_file_pte(vma, addr, page, ptl);
72262 +#endif
72263 +
72264 retval = 0;
72265 pte_unmap_unlock(pte, ptl);
72266 return retval;
72267 @@ -1829,10 +1829,22 @@ out:
72268 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
72269 struct page *page)
72270 {
72271 +
72272 +#ifdef CONFIG_PAX_SEGMEXEC
72273 + struct vm_area_struct *vma_m;
72274 +#endif
72275 +
72276 if (addr < vma->vm_start || addr >= vma->vm_end)
72277 return -EFAULT;
72278 if (!page_count(page))
72279 return -EINVAL;
72280 +
72281 +#ifdef CONFIG_PAX_SEGMEXEC
72282 + vma_m = pax_find_mirror_vma(vma);
72283 + if (vma_m)
72284 + vma_m->vm_flags |= VM_INSERTPAGE;
72285 +#endif
72286 +
72287 vma->vm_flags |= VM_INSERTPAGE;
72288 return insert_page(vma, addr, page, vma->vm_page_prot);
72289 }
72290 @@ -1918,6 +1930,7 @@ int vm_insert_mixed(struct vm_area_struc
72291 unsigned long pfn)
72292 {
72293 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
72294 + BUG_ON(vma->vm_mirror);
72295
72296 if (addr < vma->vm_start || addr >= vma->vm_end)
72297 return -EFAULT;
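Review bot: `BUG_ON(vma->vm_mirror);` turns a driver calling vm_insert_mixed() on a mirrored vma into a kernel crash, although the function has an ordinary error return two lines below. Unless the condition is provably unreachable, `if (vma->vm_mirror) return -EINVAL;` (optionally with a `WARN_ON_ONCE`) fails the single mapping instead of the machine. The line is also not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC` like the other mirror code in this file, so it relies on `vm_mirror` being declared unconditionally, which this hunk does not show.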
72298 @@ -2233,6 +2246,186 @@ static inline void cow_user_page(struct
72299 copy_user_highpage(dst, src, va, vma);
72300 }
72301
72302 +#ifdef CONFIG_PAX_SEGMEXEC
72303 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
72304 +{
72305 + struct mm_struct *mm = vma->vm_mm;
72306 + spinlock_t *ptl;
72307 + pte_t *pte, entry;
72308 +
72309 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
72310 + entry = *pte;
72311 + if (!pte_present(entry)) {
72312 + if (!pte_none(entry)) {
72313 + BUG_ON(pte_file(entry));
72314 + free_swap_and_cache(pte_to_swp_entry(entry));
72315 + pte_clear_not_present_full(mm, address, pte, 0);
72316 + }
72317 + } else {
72318 + struct page *page;
72319 +
72320 + flush_cache_page(vma, address, pte_pfn(entry));
72321 + entry = ptep_clear_flush(vma, address, pte);
72322 + BUG_ON(pte_dirty(entry));
72323 + page = vm_normal_page(vma, address, entry);
72324 + if (page) {
72325 + update_hiwater_rss(mm);
72326 + if (PageAnon(page))
72327 + dec_mm_counter_fast(mm, MM_ANONPAGES);
72328 + else
72329 + dec_mm_counter_fast(mm, MM_FILEPAGES);
72330 + page_remove_rmap(page);
72331 + page_cache_release(page);
72332 + }
72333 + }
72334 + pte_unmap_unlock(pte, ptl);
72335 +}
72336 +
72337 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
72338 + *
72339 + * the ptl of the lower mapped page is held on entry and is not released on exit
72340 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
72341 + */
72342 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72343 +{
72344 + struct mm_struct *mm = vma->vm_mm;
72345 + unsigned long address_m;
72346 + spinlock_t *ptl_m;
72347 + struct vm_area_struct *vma_m;
72348 + pmd_t *pmd_m;
72349 + pte_t *pte_m, entry_m;
72350 +
72351 + BUG_ON(!page_m || !PageAnon(page_m));
72352 +
72353 + vma_m = pax_find_mirror_vma(vma);
72354 + if (!vma_m)
72355 + return;
72356 +
72357 + BUG_ON(!PageLocked(page_m));
72358 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72359 + address_m = address + SEGMEXEC_TASK_SIZE;
72360 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72361 + pte_m = pte_offset_map(pmd_m, address_m);
72362 + ptl_m = pte_lockptr(mm, pmd_m);
72363 + if (ptl != ptl_m) {
72364 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72365 + if (!pte_none(*pte_m))
72366 + goto out;
72367 + }
72368 +
72369 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72370 + page_cache_get(page_m);
72371 + page_add_anon_rmap(page_m, vma_m, address_m);
72372 + inc_mm_counter_fast(mm, MM_ANONPAGES);
72373 + set_pte_at(mm, address_m, pte_m, entry_m);
72374 + update_mmu_cache(vma_m, address_m, entry_m);
72375 +out:
72376 + if (ptl != ptl_m)
72377 + spin_unlock(ptl_m);
72378 + pte_unmap(pte_m);
72379 + unlock_page(page_m);
72380 +}
72381 +
72382 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72383 +{
72384 + struct mm_struct *mm = vma->vm_mm;
72385 + unsigned long address_m;
72386 + spinlock_t *ptl_m;
72387 + struct vm_area_struct *vma_m;
72388 + pmd_t *pmd_m;
72389 + pte_t *pte_m, entry_m;
72390 +
72391 + BUG_ON(!page_m || PageAnon(page_m));
72392 +
72393 + vma_m = pax_find_mirror_vma(vma);
72394 + if (!vma_m)
72395 + return;
72396 +
72397 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72398 + address_m = address + SEGMEXEC_TASK_SIZE;
72399 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72400 + pte_m = pte_offset_map(pmd_m, address_m);
72401 + ptl_m = pte_lockptr(mm, pmd_m);
72402 + if (ptl != ptl_m) {
72403 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72404 + if (!pte_none(*pte_m))
72405 + goto out;
72406 + }
72407 +
72408 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72409 + page_cache_get(page_m);
72410 + page_add_file_rmap(page_m);
72411 + inc_mm_counter_fast(mm, MM_FILEPAGES);
72412 + set_pte_at(mm, address_m, pte_m, entry_m);
72413 + update_mmu_cache(vma_m, address_m, entry_m);
72414 +out:
72415 + if (ptl != ptl_m)
72416 + spin_unlock(ptl_m);
72417 + pte_unmap(pte_m);
72418 +}
72419 +
72420 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
72421 +{
72422 + struct mm_struct *mm = vma->vm_mm;
72423 + unsigned long address_m;
72424 + spinlock_t *ptl_m;
72425 + struct vm_area_struct *vma_m;
72426 + pmd_t *pmd_m;
72427 + pte_t *pte_m, entry_m;
72428 +
72429 + vma_m = pax_find_mirror_vma(vma);
72430 + if (!vma_m)
72431 + return;
72432 +
72433 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72434 + address_m = address + SEGMEXEC_TASK_SIZE;
72435 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72436 + pte_m = pte_offset_map(pmd_m, address_m);
72437 + ptl_m = pte_lockptr(mm, pmd_m);
72438 + if (ptl != ptl_m) {
72439 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72440 + if (!pte_none(*pte_m))
72441 + goto out;
72442 + }
72443 +
72444 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
72445 + set_pte_at(mm, address_m, pte_m, entry_m);
72446 +out:
72447 + if (ptl != ptl_m)
72448 + spin_unlock(ptl_m);
72449 + pte_unmap(pte_m);
72450 +}
72451 +
72452 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72453 +{
72454 + struct page *page_m;
72455 + pte_t entry;
72456 +
72457 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72458 + goto out;
72459 +
72460 + entry = *pte;
72461 + page_m = vm_normal_page(vma, address, entry);
72462 + if (!page_m)
72463 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72464 + else if (PageAnon(page_m)) {
72465 + if (pax_find_mirror_vma(vma)) {
72466 + pte_unmap_unlock(pte, ptl);
72467 + lock_page(page_m);
72468 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72469 + if (pte_same(entry, *pte))
72470 + pax_mirror_anon_pte(vma, address, page_m, ptl);
72471 + else
72472 + unlock_page(page_m);
72473 + }
72474 + } else
72475 + pax_mirror_file_pte(vma, address, page_m, ptl);
72476 +
72477 +out:
72478 + pte_unmap_unlock(pte, ptl);
72479 +}
72480 +#endif
72481 +
72482 /*
72483 * This routine handles present pages, when users try to write
72484 * to a shared page. It is done by copying the page to a new address
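Review bot: In pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte the test `if (!pte_none(*pte_m)) goto out;` sits inside `if (ptl != ptl_m)`, so when both addresses share one page-table lock an already populated mirror PTE is overwritten without being checked. If that is intended because the mirror entry was cleared earlier on the fault path, a comment should say so; otherwise the test belongs after the conditional lock. The three functions also repeat the same `address_m`/`pmd_m`/`pte_m`/`ptl_m` lookup and lock sequence, which could live in one static helper. Only pax_mirror_anon_pte has a header comment. pax_mirror_pte in particular should document that it is entered with `pte` mapped and locked, returns with it unmapped and unlocked, and drops and retakes the lock around `lock_page()`.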
72485 @@ -2444,6 +2637,12 @@ gotten:
72486 */
72487 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72488 if (likely(pte_same(*page_table, orig_pte))) {
72489 +
72490 +#ifdef CONFIG_PAX_SEGMEXEC
72491 + if (pax_find_mirror_vma(vma))
72492 + BUG_ON(!trylock_page(new_page));
72493 +#endif
72494 +
72495 if (old_page) {
72496 if (!PageAnon(old_page)) {
72497 dec_mm_counter_fast(mm, MM_FILEPAGES);
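Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition, a required side effect, inside an assertion macro. pax_mirror_anon_pte later asserts `PageLocked()` and unlocks the page, so the call must always run. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the side effect independent of how BUG_ON is defined in a given configuration. The same pattern appears in the do_anonymous_page and __do_fault hunks further down. A short comment that the lock is released in pax_mirror_anon_pte would also help, since the unlock is far from this line.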
72498 @@ -2495,6 +2694,10 @@ gotten:
72499 page_remove_rmap(old_page);
72500 }
72501
72502 +#ifdef CONFIG_PAX_SEGMEXEC
72503 + pax_mirror_anon_pte(vma, address, new_page, ptl);
72504 +#endif
72505 +
72506 /* Free the old page.. */
72507 new_page = old_page;
72508 ret |= VM_FAULT_WRITE;
72509 @@ -2905,6 +3108,11 @@ static int do_swap_page(struct mm_struct
72510 swap_free(entry);
72511 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72512 try_to_free_swap(page);
72513 +
72514 +#ifdef CONFIG_PAX_SEGMEXEC
72515 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72516 +#endif
72517 +
72518 unlock_page(page);
72519 if (swapcache) {
72520 /*
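Review bot: The added `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` guards the `unlock_page(page);` that follows the `#endif` and a blank line, so the dependency is easy to miss and any statement inserted between them changes what is conditional. I would drop the blank line and add a comment such as `/* PaX: on a read fault in a mirrored vma keep the page locked; pax_mirror_anon_pte() unlocks it */`. That wording follows what the later hunk in this function and pax_mirror_anon_pte show. The write-fault path between this point and that call is outside the hunk and should be checked against it.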
72521 @@ -2928,6 +3136,11 @@ static int do_swap_page(struct mm_struct
72522
72523 /* No need to invalidate - it was non-present before */
72524 update_mmu_cache(vma, address, page_table);
72525 +
72526 +#ifdef CONFIG_PAX_SEGMEXEC
72527 + pax_mirror_anon_pte(vma, address, page, ptl);
72528 +#endif
72529 +
72530 unlock:
72531 pte_unmap_unlock(page_table, ptl);
72532 out:
72533 @@ -2947,40 +3160,6 @@ out_release:
72534 }
72535
72536 /*
72537 - * This is like a special single-page "expand_{down|up}wards()",
72538 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
72539 - * doesn't hit another vma.
72540 - */
72541 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72542 -{
72543 - address &= PAGE_MASK;
72544 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72545 - struct vm_area_struct *prev = vma->vm_prev;
72546 -
72547 - /*
72548 - * Is there a mapping abutting this one below?
72549 - *
72550 - * That's only ok if it's the same stack mapping
72551 - * that has gotten split..
72552 - */
72553 - if (prev && prev->vm_end == address)
72554 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72555 -
72556 - expand_stack(vma, address - PAGE_SIZE);
72557 - }
72558 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72559 - struct vm_area_struct *next = vma->vm_next;
72560 -
72561 - /* As VM_GROWSDOWN but s/below/above/ */
72562 - if (next && next->vm_start == address + PAGE_SIZE)
72563 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72564 -
72565 - expand_upwards(vma, address + PAGE_SIZE);
72566 - }
72567 - return 0;
72568 -}
72569 -
72570 -/*
72571 * We enter with non-exclusive mmap_sem (to exclude vma changes,
72572 * but allow concurrent faults), and pte mapped but not yet locked.
72573 * We return with mmap_sem still held, but pte unmapped and unlocked.
72574 @@ -2989,27 +3168,23 @@ static int do_anonymous_page(struct mm_s
72575 unsigned long address, pte_t *page_table, pmd_t *pmd,
72576 unsigned int flags)
72577 {
72578 - struct page *page;
72579 + struct page *page = NULL;
72580 spinlock_t *ptl;
72581 pte_t entry;
72582
72583 - pte_unmap(page_table);
72584 -
72585 - /* Check if we need to add a guard page to the stack */
72586 - if (check_stack_guard_page(vma, address) < 0)
72587 - return VM_FAULT_SIGBUS;
72588 -
72589 - /* Use the zero-page for reads */
72590 if (!(flags & FAULT_FLAG_WRITE)) {
72591 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72592 vma->vm_page_prot));
72593 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72594 + ptl = pte_lockptr(mm, pmd);
72595 + spin_lock(ptl);
72596 if (!pte_none(*page_table))
72597 goto unlock;
72598 goto setpte;
72599 }
72600
72601 /* Allocate our own private page. */
72602 + pte_unmap(page_table);
72603 +
72604 if (unlikely(anon_vma_prepare(vma)))
72605 goto oom;
72606 page = alloc_zeroed_user_highpage_movable(vma, address);
72607 @@ -3028,6 +3203,11 @@ static int do_anonymous_page(struct mm_s
72608 if (!pte_none(*page_table))
72609 goto release;
72610
72611 +#ifdef CONFIG_PAX_SEGMEXEC
72612 + if (pax_find_mirror_vma(vma))
72613 + BUG_ON(!trylock_page(page));
72614 +#endif
72615 +
72616 inc_mm_counter_fast(mm, MM_ANONPAGES);
72617 page_add_new_anon_rmap(page, vma, address);
72618 setpte:
72619 @@ -3035,6 +3215,12 @@ setpte:
72620
72621 /* No need to invalidate - it was non-present before */
72622 update_mmu_cache(vma, address, page_table);
72623 +
72624 +#ifdef CONFIG_PAX_SEGMEXEC
72625 + if (page)
72626 + pax_mirror_anon_pte(vma, address, page, ptl);
72627 +#endif
72628 +
72629 unlock:
72630 pte_unmap_unlock(page_table, ptl);
72631 return 0;
72632 @@ -3172,6 +3358,12 @@ static int __do_fault(struct mm_struct *
72633 */
72634 /* Only go through if we didn't race with anybody else... */
72635 if (likely(pte_same(*page_table, orig_pte))) {
72636 +
72637 +#ifdef CONFIG_PAX_SEGMEXEC
72638 + if (anon && pax_find_mirror_vma(vma))
72639 + BUG_ON(!trylock_page(page));
72640 +#endif
72641 +
72642 flush_icache_page(vma, page);
72643 entry = mk_pte(page, vma->vm_page_prot);
72644 if (flags & FAULT_FLAG_WRITE)
72645 @@ -3191,6 +3383,14 @@ static int __do_fault(struct mm_struct *
72646
72647 /* no need to invalidate: a not-present page won't be cached */
72648 update_mmu_cache(vma, address, page_table);
72649 +
72650 +#ifdef CONFIG_PAX_SEGMEXEC
72651 + if (anon)
72652 + pax_mirror_anon_pte(vma, address, page, ptl);
72653 + else
72654 + pax_mirror_file_pte(vma, address, page, ptl);
72655 +#endif
72656 +
72657 } else {
72658 if (charged)
72659 mem_cgroup_uncharge_page(page);
72660 @@ -3338,6 +3538,12 @@ int handle_pte_fault(struct mm_struct *m
72661 if (flags & FAULT_FLAG_WRITE)
72662 flush_tlb_fix_spurious_fault(vma, address);
72663 }
72664 +
72665 +#ifdef CONFIG_PAX_SEGMEXEC
72666 + pax_mirror_pte(vma, address, pte, pmd, ptl);
72667 + return 0;
72668 +#endif
72669 +
72670 unlock:
72671 pte_unmap_unlock(pte, ptl);
72672 return 0;
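Review bot: With CONFIG_PAX_SEGMEXEC the added `return 0;` leaves the `unlock:` code reachable only through its label, and nothing explains that the early return is needed because pax_mirror_pte() itself ends with `pte_unmap_unlock(pte, ptl)`. A comment like `/* pax_mirror_pte() unmaps and unlocks the pte on every path */` above the call would stop a later reader from restoring the apparently missing unlock. The start of handle_pte_fault is outside the hunk.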
72673 @@ -3354,6 +3560,10 @@ int handle_mm_fault(struct mm_struct *mm
72674 pmd_t *pmd;
72675 pte_t *pte;
72676
72677 +#ifdef CONFIG_PAX_SEGMEXEC
72678 + struct vm_area_struct *vma_m;
72679 +#endif
72680 +
72681 __set_current_state(TASK_RUNNING);
72682
72683 count_vm_event(PGFAULT);
72684 @@ -3364,6 +3574,34 @@ int handle_mm_fault(struct mm_struct *mm
72685 if (unlikely(is_vm_hugetlb_page(vma)))
72686 return hugetlb_fault(mm, vma, address, flags);
72687
72688 +#ifdef CONFIG_PAX_SEGMEXEC
72689 + vma_m = pax_find_mirror_vma(vma);
72690 + if (vma_m) {
72691 + unsigned long address_m;
72692 + pgd_t *pgd_m;
72693 + pud_t *pud_m;
72694 + pmd_t *pmd_m;
72695 +
72696 + if (vma->vm_start > vma_m->vm_start) {
72697 + address_m = address;
72698 + address -= SEGMEXEC_TASK_SIZE;
72699 + vma = vma_m;
72700 + } else
72701 + address_m = address + SEGMEXEC_TASK_SIZE;
72702 +
72703 + pgd_m = pgd_offset(mm, address_m);
72704 + pud_m = pud_alloc(mm, pgd_m, address_m);
72705 + if (!pud_m)
72706 + return VM_FAULT_OOM;
72707 + pmd_m = pmd_alloc(mm, pud_m, address_m);
72708 + if (!pmd_m)
72709 + return VM_FAULT_OOM;
72710 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
72711 + return VM_FAULT_OOM;
72712 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72713 + }
72714 +#endif
72715 +
72716 pgd = pgd_offset(mm, address);
72717 pud = pud_alloc(mm, pgd, address);
72718 if (!pud)
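Review bot: When the fault arrives on the upper vma the block sets `vma = vma_m` but leaves `vma_m` pointing at that same lower vma. As a result `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receive the lower vma together with an address in the upper half, while in the else branch they receive the upper vma. That is harmless if the callee only needs `vm_mm`, but pax_unmap_mirror_pte also hands its vma to `flush_cache_page`, `ptep_clear_flush` and `vm_normal_page`. Swapping the two pointers in the first branch, or a comment stating that either vma is acceptable, would make the intent clear. handle_mm_fault continues outside the hunk.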
72719 @@ -3393,7 +3631,7 @@ int handle_mm_fault(struct mm_struct *mm
72720 * run pte_offset_map on the pmd, if an huge pmd could
72721 * materialize from under us from a different thread.
72722 */
72723 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
72724 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
72725 return VM_FAULT_OOM;
72726 /* if an huge pmd materialized from under us just retry later */
72727 if (unlikely(pmd_trans_huge(*pmd)))
72728 @@ -3497,7 +3735,7 @@ static int __init gate_vma_init(void)
72729 gate_vma.vm_start = FIXADDR_USER_START;
72730 gate_vma.vm_end = FIXADDR_USER_END;
72731 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72732 - gate_vma.vm_page_prot = __P101;
72733 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72734 /*
72735 * Make sure the vDSO gets into every core dump.
72736 * Dumping its contents makes post-mortem fully interpretable later
72737 diff -urNp linux-2.6.39.3/mm/memory-failure.c linux-2.6.39.3/mm/memory-failure.c
72738 --- linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:18:51.000000000 -0400
72739 +++ linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:19:26.000000000 -0400
72740 @@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
72741
72742 int sysctl_memory_failure_recovery __read_mostly = 1;
72743
72744 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72745 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72746
72747 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
72748
72749 @@ -1013,7 +1013,7 @@ int __memory_failure(unsigned long pfn,
72750 }
72751
72752 nr_pages = 1 << compound_trans_order(hpage);
72753 - atomic_long_add(nr_pages, &mce_bad_pages);
72754 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
72755
72756 /*
72757 * We need/can do nothing about count=0 pages.
72758 @@ -1043,7 +1043,7 @@ int __memory_failure(unsigned long pfn,
72759 if (!PageHWPoison(hpage)
72760 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
72761 || (p != hpage && TestSetPageHWPoison(hpage))) {
72762 - atomic_long_sub(nr_pages, &mce_bad_pages);
72763 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72764 return 0;
72765 }
72766 set_page_hwpoison_huge_page(hpage);
72767 @@ -1101,7 +1101,7 @@ int __memory_failure(unsigned long pfn,
72768 }
72769 if (hwpoison_filter(p)) {
72770 if (TestClearPageHWPoison(p))
72771 - atomic_long_sub(nr_pages, &mce_bad_pages);
72772 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72773 unlock_page(hpage);
72774 put_page(hpage);
72775 return 0;
72776 @@ -1227,7 +1227,7 @@ int unpoison_memory(unsigned long pfn)
72777 return 0;
72778 }
72779 if (TestClearPageHWPoison(p))
72780 - atomic_long_sub(nr_pages, &mce_bad_pages);
72781 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72782 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
72783 return 0;
72784 }
72785 @@ -1241,7 +1241,7 @@ int unpoison_memory(unsigned long pfn)
72786 */
72787 if (TestClearPageHWPoison(page)) {
72788 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
72789 - atomic_long_sub(nr_pages, &mce_bad_pages);
72790 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72791 freeit = 1;
72792 if (PageHuge(page))
72793 clear_page_hwpoison_huge_page(page);
72794 @@ -1354,7 +1354,7 @@ static int soft_offline_huge_page(struct
72795 }
72796 done:
72797 if (!PageHWPoison(hpage))
72798 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
72799 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
72800 set_page_hwpoison_huge_page(hpage);
72801 dequeue_hwpoisoned_huge_page(hpage);
72802 /* keep elevated page count for bad page */
72803 @@ -1484,7 +1484,7 @@ int soft_offline_page(struct page *page,
72804 return ret;
72805
72806 done:
72807 - atomic_long_add(1, &mce_bad_pages);
72808 + atomic_long_add_unchecked(1, &mce_bad_pages);
72809 SetPageHWPoison(page);
72810 /* keep elevated page count for bad page */
72811 return ret;
72812 diff -urNp linux-2.6.39.3/mm/mempolicy.c linux-2.6.39.3/mm/mempolicy.c
72813 --- linux-2.6.39.3/mm/mempolicy.c 2011-05-19 00:06:34.000000000 -0400
72814 +++ linux-2.6.39.3/mm/mempolicy.c 2011-05-22 19:41:42.000000000 -0400
72815 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
72816 unsigned long vmstart;
72817 unsigned long vmend;
72818
72819 +#ifdef CONFIG_PAX_SEGMEXEC
72820 + struct vm_area_struct *vma_m;
72821 +#endif
72822 +
72823 vma = find_vma_prev(mm, start, &prev);
72824 if (!vma || vma->vm_start > start)
72825 return -EFAULT;
72826 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
72827 err = policy_vma(vma, new_pol);
72828 if (err)
72829 goto out;
72830 +
72831 +#ifdef CONFIG_PAX_SEGMEXEC
72832 + vma_m = pax_find_mirror_vma(vma);
72833 + if (vma_m) {
72834 + err = policy_vma(vma_m, new_pol);
72835 + if (err)
72836 + goto out;
72837 + }
72838 +#endif
72839 +
72840 }
72841
72842 out:
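Review bot: The policy is applied to `vma` before `vma_m`, so when `policy_vma(vma_m, new_pol)` fails the function leaves through `out` with the two halves of a mirrored mapping carrying different policies. If that state is acceptable a comment should say so; otherwise the mirror should be updated first or the first change undone on failure. The loop this block sits in starts outside the hunk.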
72843 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
72844
72845 if (end < start)
72846 return -EINVAL;
72847 +
72848 +#ifdef CONFIG_PAX_SEGMEXEC
72849 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72850 + if (end > SEGMEXEC_TASK_SIZE)
72851 + return -EINVAL;
72852 + } else
72853 +#endif
72854 +
72855 + if (end > TASK_SIZE)
72856 + return -EINVAL;
72857 +
72858 if (end == start)
72859 return 0;
72860
72861 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72862 if (!mm)
72863 goto out;
72864
72865 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72866 + if (mm != current->mm &&
72867 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72868 + err = -EPERM;
72869 + goto out;
72870 + }
72871 +#endif
72872 +
72873 /*
72874 * Check if this process has the right to modify the specified
72875 * process. The right exists if the process has administrative
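Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` relies on `&` binding tighter than `||` and reads the field twice. `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` says the same thing with one mask. The identical block is added to move_pages in mm/migrate.c, so the two could share a small inline helper. The block also lacks a comment on why another process's randomized or mirrored address space is refused, which the option name alone does not explain.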
72876 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72877 rcu_read_lock();
72878 tcred = __task_cred(task);
72879 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72880 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72881 - !capable(CAP_SYS_NICE)) {
72882 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72883 rcu_read_unlock();
72884 err = -EPERM;
72885 goto out;
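Review bot: Dropping `cred->uid != tcred->uid` narrows who may migrate another task's pages, but the comment above the check presumably still describes the old rule; it begins in the previous hunk and continues outside the visible lines. It should be updated to list the three remaining comparisons, and the same applies to the matching change in move_pages in mm/migrate.c. Because this alters a syscall's permission model, the reason belongs in a comment next to the condition.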
72886 @@ -2634,7 +2666,7 @@ int show_numa_map(struct seq_file *m, vo
72887
72888 if (file) {
72889 seq_printf(m, " file=");
72890 - seq_path(m, &file->f_path, "\n\t= ");
72891 + seq_path(m, &file->f_path, "\n\t\\= ");
72892 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72893 seq_printf(m, " heap");
72894 } else if (vma->vm_start <= mm->start_stack &&
72895 diff -urNp linux-2.6.39.3/mm/migrate.c linux-2.6.39.3/mm/migrate.c
72896 --- linux-2.6.39.3/mm/migrate.c 2011-07-09 09:18:51.000000000 -0400
72897 +++ linux-2.6.39.3/mm/migrate.c 2011-07-09 09:19:26.000000000 -0400
72898 @@ -1133,6 +1133,8 @@ static int do_pages_move(struct mm_struc
72899 unsigned long chunk_start;
72900 int err;
72901
72902 + pax_track_stack();
72903 +
72904 task_nodes = cpuset_mems_allowed(task);
72905
72906 err = -ENOMEM;
72907 @@ -1317,6 +1319,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72908 if (!mm)
72909 return -EINVAL;
72910
72911 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72912 + if (mm != current->mm &&
72913 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72914 + err = -EPERM;
72915 + goto out;
72916 + }
72917 +#endif
72918 +
72919 /*
72920 * Check if this process has the right to modify the specified
72921 * process. The right exists if the process has administrative
72922 @@ -1326,8 +1336,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72923 rcu_read_lock();
72924 tcred = __task_cred(task);
72925 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72926 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72927 - !capable(CAP_SYS_NICE)) {
72928 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72929 rcu_read_unlock();
72930 err = -EPERM;
72931 goto out;
72932 diff -urNp linux-2.6.39.3/mm/mlock.c linux-2.6.39.3/mm/mlock.c
72933 --- linux-2.6.39.3/mm/mlock.c 2011-05-19 00:06:34.000000000 -0400
72934 +++ linux-2.6.39.3/mm/mlock.c 2011-05-22 19:41:42.000000000 -0400
72935 @@ -13,6 +13,7 @@
72936 #include <linux/pagemap.h>
72937 #include <linux/mempolicy.h>
72938 #include <linux/syscalls.h>
72939 +#include <linux/security.h>
72940 #include <linux/sched.h>
72941 #include <linux/module.h>
72942 #include <linux/rmap.h>
72943 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
72944 return -EINVAL;
72945 if (end == start)
72946 return 0;
72947 + if (end > TASK_SIZE)
72948 + return -EINVAL;
72949 +
72950 vma = find_vma_prev(current->mm, start, &prev);
72951 if (!vma || vma->vm_start > start)
72952 return -ENOMEM;
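Review bot: do_mlock rejects only `end > TASK_SIZE`, whereas the madvise and do_mbind hunks in this patch reject `end > SEGMEXEC_TASK_SIZE` when `MF_PAX_SEGMEXEC` is set. Here the SEGMEXEC case is handled by the `break` added to the loop in the next hunk, so a request reaching into the upper half stops early instead of failing, with whatever value `error` holds at that point (it is set outside the hunk). Using the same per-mm limit as the other two call sites would make the three syscalls behave alike. If the difference is deliberate it needs a comment.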
72953 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
72954 for (nstart = start ; ; ) {
72955 unsigned int newflags;
72956
72957 +#ifdef CONFIG_PAX_SEGMEXEC
72958 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72959 + break;
72960 +#endif
72961 +
72962 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72963
72964 newflags = vma->vm_flags | VM_LOCKED;
72965 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72966 lock_limit >>= PAGE_SHIFT;
72967
72968 /* check against resource limits */
72969 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72970 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72971 error = do_mlock(start, len, 1);
72972 up_write(&current->mm->mmap_sem);
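Review bot: `gr_learn_resource()` is given a byte count rebuilt from `current->mm->locked_vm` and `len`, while the limit test on the next line uses the page count already held in `locked`. The do_mmap_pgoff hunk later in this file passes `locked << PAGE_SHIFT` for the same resource. If `locked` (computed above this hunk) is the page total being enforced, passing `locked << PAGE_SHIFT` here as well would keep the learned value and the enforced value from drifting apart. The brk hunk below duplicates the whole `(brk - mm->start_brk) + (mm->end_data - mm->start_data)` expression in the same way, and a local would serve both the call and the check.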
72973 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72974 static int do_mlockall(int flags)
72975 {
72976 struct vm_area_struct * vma, * prev = NULL;
72977 - unsigned int def_flags = 0;
72978
72979 if (flags & MCL_FUTURE)
72980 - def_flags = VM_LOCKED;
72981 - current->mm->def_flags = def_flags;
72982 + current->mm->def_flags |= VM_LOCKED;
72983 + else
72984 + current->mm->def_flags &= ~VM_LOCKED;
72985 if (flags == MCL_FUTURE)
72986 goto out;
72987
72988 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72989 - unsigned int newflags;
72990 + unsigned long newflags;
72991 +
72992 +#ifdef CONFIG_PAX_SEGMEXEC
72993 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72994 + break;
72995 +#endif
72996
72997 + BUG_ON(vma->vm_end > TASK_SIZE);
72998 newflags = vma->vm_flags | VM_LOCKED;
72999 if (!(flags & MCL_CURRENT))
73000 newflags &= ~VM_LOCKED;
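Review bot: Nothing documents why `def_flags` is now modified bit by bit. The removed code overwrote the whole field, so the new form keeps any other default flags set on the mm, which looks like the purpose. A comment such as `/* only toggle VM_LOCKED; keep the other default VMA flags */` would record that. `BUG_ON(vma->vm_end > TASK_SIZE)` inside the loop likewise asserts an invariant without saying what maintains it. do_mlockall's body continues outside the hunk.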
73001 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
73002 lock_limit >>= PAGE_SHIFT;
73003
73004 ret = -ENOMEM;
73005 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
73006 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
73007 capable(CAP_IPC_LOCK))
73008 ret = do_mlockall(flags);
73009 diff -urNp linux-2.6.39.3/mm/mmap.c linux-2.6.39.3/mm/mmap.c
73010 --- linux-2.6.39.3/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
73011 +++ linux-2.6.39.3/mm/mmap.c 2011-05-22 19:41:42.000000000 -0400
73012 @@ -46,6 +46,16 @@
73013 #define arch_rebalance_pgtables(addr, len) (addr)
73014 #endif
73015
73016 +static inline void verify_mm_writelocked(struct mm_struct *mm)
73017 +{
73018 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
73019 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73020 + up_read(&mm->mmap_sem);
73021 + BUG();
73022 + }
73023 +#endif
73024 +}
73025 +
73026 static void unmap_region(struct mm_struct *mm,
73027 struct vm_area_struct *vma, struct vm_area_struct *prev,
73028 unsigned long start, unsigned long end);
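Review bot: `verify_mm_writelocked()` has no comment, and its logic is indirect: a successful `down_read_trylock()` is the failure case, because it means nobody holds `mmap_sem` for writing. The comment should also say that the helper cannot prove the current task is the writer, and that it compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set. Suggested header: `/* BUG if a read lock can be taken, i.e. nobody holds mm->mmap_sem for writing; does not identify the holder */`.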
73029 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
73030 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
73031 *
73032 */
73033 -pgprot_t protection_map[16] = {
73034 +pgprot_t protection_map[16] __read_only = {
73035 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
73036 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
73037 };
73038
73039 pgprot_t vm_get_page_prot(unsigned long vm_flags)
73040 {
73041 - return __pgprot(pgprot_val(protection_map[vm_flags &
73042 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
73043 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
73044 pgprot_val(arch_vm_get_page_prot(vm_flags)));
73045 +
73046 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73047 + if (!(__supported_pte_mask & _PAGE_NX) &&
73048 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
73049 + (vm_flags & (VM_READ | VM_WRITE)))
73050 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
73051 +#endif
73052 +
73053 + return prot;
73054 }
73055 EXPORT_SYMBOL(vm_get_page_prot);
73056
73057 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
73058 int sysctl_overcommit_ratio = 50; /* default is 50% */
73059 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
73060 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
73061 struct percpu_counter vm_committed_as;
73062
73063 /*
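Review bot: `sysctl_heap_stack_gap` is introduced with the bare initializer `64*1024` and no comment, although two of the sysctl variables beside it carry one. Its users later in this file compare it against address differences, so the unit is bytes; suggested: `/* minimum gap, in bytes, kept between a stack VMA and neighbouring mappings */`. The PAGEEXEC block added to `vm_get_page_prot()` also needs a line saying it applies only when `_PAGE_NX` is absent from `__supported_pte_mask`, and only to readable or writable mappings that have `VM_PAGEEXEC` but not `VM_EXEC`.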
73064 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
73065 struct vm_area_struct *next = vma->vm_next;
73066
73067 might_sleep();
73068 + BUG_ON(vma->vm_mirror);
73069 if (vma->vm_ops && vma->vm_ops->close)
73070 vma->vm_ops->close(vma);
73071 if (vma->vm_file) {
73072 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
73073 * not page aligned -Ram Gupta
73074 */
73075 rlim = rlimit(RLIMIT_DATA);
73076 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
73077 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
73078 (mm->end_data - mm->start_data) > rlim)
73079 goto out;
73080 @@ -719,6 +741,12 @@ static int
73081 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
73082 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73083 {
73084 +
73085 +#ifdef CONFIG_PAX_SEGMEXEC
73086 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
73087 + return 0;
73088 +#endif
73089 +
73090 if (is_mergeable_vma(vma, file, vm_flags) &&
73091 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73092 if (vma->vm_pgoff == vm_pgoff)
73093 @@ -738,6 +766,12 @@ static int
73094 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
73095 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73096 {
73097 +
73098 +#ifdef CONFIG_PAX_SEGMEXEC
73099 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
73100 + return 0;
73101 +#endif
73102 +
73103 if (is_mergeable_vma(vma, file, vm_flags) &&
73104 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73105 pgoff_t vm_pglen;
73106 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
73107 struct vm_area_struct *vma_merge(struct mm_struct *mm,
73108 struct vm_area_struct *prev, unsigned long addr,
73109 unsigned long end, unsigned long vm_flags,
73110 - struct anon_vma *anon_vma, struct file *file,
73111 + struct anon_vma *anon_vma, struct file *file,
73112 pgoff_t pgoff, struct mempolicy *policy)
73113 {
73114 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
73115 struct vm_area_struct *area, *next;
73116 int err;
73117
73118 +#ifdef CONFIG_PAX_SEGMEXEC
73119 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
73120 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
73121 +
73122 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
73123 +#endif
73124 +
73125 /*
73126 * We later require that vma->vm_flags == vm_flags,
73127 * so this tests vma->vm_flags & VM_SPECIAL, too.
73128 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
73129 if (next && next->vm_end == end) /* cases 6, 7, 8 */
73130 next = next->vm_next;
73131
73132 +#ifdef CONFIG_PAX_SEGMEXEC
73133 + if (prev)
73134 + prev_m = pax_find_mirror_vma(prev);
73135 + if (area)
73136 + area_m = pax_find_mirror_vma(area);
73137 + if (next)
73138 + next_m = pax_find_mirror_vma(next);
73139 +#endif
73140 +
73141 /*
73142 * Can it merge with the predecessor?
73143 */
73144 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
73145 /* cases 1, 6 */
73146 err = vma_adjust(prev, prev->vm_start,
73147 next->vm_end, prev->vm_pgoff, NULL);
73148 - } else /* cases 2, 5, 7 */
73149 +
73150 +#ifdef CONFIG_PAX_SEGMEXEC
73151 + if (!err && prev_m)
73152 + err = vma_adjust(prev_m, prev_m->vm_start,
73153 + next_m->vm_end, prev_m->vm_pgoff, NULL);
73154 +#endif
73155 +
73156 + } else { /* cases 2, 5, 7 */
73157 err = vma_adjust(prev, prev->vm_start,
73158 end, prev->vm_pgoff, NULL);
73159 +
73160 +#ifdef CONFIG_PAX_SEGMEXEC
73161 + if (!err && prev_m)
73162 + err = vma_adjust(prev_m, prev_m->vm_start,
73163 + end_m, prev_m->vm_pgoff, NULL);
73164 +#endif
73165 +
73166 + }
73167 if (err)
73168 return NULL;
73169 khugepaged_enter_vma_merge(prev);
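Review bot: If the mirror `vma_adjust()` fails in either branch, the function returns NULL although the primary VMA has already been extended. That leaves `prev` and `prev_m` with different sizes, a state the size check in `pax_find_mirror_vma()` would later turn into a BUG. The cases 1, 6 branch also dereferences `next_m` after testing only `prev_m`; this is safe only if a mergeable `next` always has a mirror whenever `prev` does, which deserves an explicit `BUG_ON(!next_m);` or a comment. The following hunk (case 4 and cases 3, 8) repeats both patterns with `area_m` and `next_m`. vma_merge's body continues outside the hunk.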
73170 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
73171 mpol_equal(policy, vma_policy(next)) &&
73172 can_vma_merge_before(next, vm_flags,
73173 anon_vma, file, pgoff+pglen)) {
73174 - if (prev && addr < prev->vm_end) /* case 4 */
73175 + if (prev && addr < prev->vm_end) { /* case 4 */
73176 err = vma_adjust(prev, prev->vm_start,
73177 addr, prev->vm_pgoff, NULL);
73178 - else /* cases 3, 8 */
73179 +
73180 +#ifdef CONFIG_PAX_SEGMEXEC
73181 + if (!err && prev_m)
73182 + err = vma_adjust(prev_m, prev_m->vm_start,
73183 + addr_m, prev_m->vm_pgoff, NULL);
73184 +#endif
73185 +
73186 + } else { /* cases 3, 8 */
73187 err = vma_adjust(area, addr, next->vm_end,
73188 next->vm_pgoff - pglen, NULL);
73189 +
73190 +#ifdef CONFIG_PAX_SEGMEXEC
73191 + if (!err && area_m)
73192 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
73193 + next_m->vm_pgoff - pglen, NULL);
73194 +#endif
73195 +
73196 + }
73197 if (err)
73198 return NULL;
73199 khugepaged_enter_vma_merge(area);
73200 @@ -958,14 +1038,11 @@ none:
73201 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
73202 struct file *file, long pages)
73203 {
73204 - const unsigned long stack_flags
73205 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
73206 -
73207 if (file) {
73208 mm->shared_vm += pages;
73209 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
73210 mm->exec_vm += pages;
73211 - } else if (flags & stack_flags)
73212 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
73213 mm->stack_vm += pages;
73214 if (flags & (VM_RESERVED|VM_IO))
73215 mm->reserved_vm += pages;
73216 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
73217 * (the exception is when the underlying filesystem is noexec
73218 * mounted, in which case we dont add PROT_EXEC.)
73219 */
73220 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73221 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73222 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
73223 prot |= PROT_EXEC;
73224
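Review bot: The condition now also fires for write-only requests (`prot & (PROT_READ | PROT_WRITE)`), but the comment above it, whose start is outside the hunk, is unchanged and gives no reason for including PROT_WRITE. This widens the set of mappings that gain PROT_EXEC under READ_IMPLIES_EXEC, so the intent should be recorded next to the test. A one-line comment stating that PROT_WRITE is deliberately treated like PROT_READ here, and why, would be enough.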
73225 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
73226 /* Obtain the address to map to. we verify (or select) it and ensure
73227 * that it represents a valid section of the address space.
73228 */
73229 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
73230 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
73231 if (addr & ~PAGE_MASK)
73232 return addr;
73233
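Review bot: `flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)` reuses an mmap flag as an internal hint to the address allocator, and nothing in the hunk says so. If a caller-supplied `MAP_EXECUTABLE` bit can still be set in `flags` at this point, it would be indistinguishable from the hint; the code that sanitises `flags` is not visible here. Suggested comment: `/* MAP_EXECUTABLE is passed only as an internal "mapping will be executable" hint to get_unmapped_area() */`. The line is also long enough to be worth splitting.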
73234 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
73235 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
73236 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
73237
73238 +#ifdef CONFIG_PAX_MPROTECT
73239 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73240 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73241 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
73242 + gr_log_rwxmmap(file);
73243 +
73244 +#ifdef CONFIG_PAX_EMUPLT
73245 + vm_flags &= ~VM_EXEC;
73246 +#else
73247 + return -EPERM;
73248 +#endif
73249 +
73250 + }
73251 +
73252 + if (!(vm_flags & VM_EXEC))
73253 + vm_flags &= ~VM_MAYEXEC;
73254 +#else
73255 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73256 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73257 +#endif
73258 + else
73259 + vm_flags &= ~VM_MAYWRITE;
73260 + }
73261 +#endif
73262 +
73263 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73264 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
73265 + vm_flags &= ~VM_PAGEEXEC;
73266 +#endif
73267 +
73268 if (flags & MAP_LOCKED)
73269 if (!can_do_mlock())
73270 return -EPERM;
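Review bot: The trailing `else vm_flags &= ~VM_MAYWRITE;` pairs with a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT. Without it the `else` belongs to `if (!(vm_flags & VM_EXEC))`; with it, to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)`. An unbraced if/else split across `#ifndef`/`#else`/`#endif` is easy to break with a later edit, so each preprocessor branch should hold its own complete, braced `if { } else { }`. A comment stating the resulting policy would also help: writable-and-executable requests are logged and refused (or lose VM_EXEC under CONFIG_PAX_EMUPLT), non-executable mappings lose VM_MAYEXEC, and executable ones lose VM_MAYWRITE.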
73271 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
73272 locked += mm->locked_vm;
73273 lock_limit = rlimit(RLIMIT_MEMLOCK);
73274 lock_limit >>= PAGE_SHIFT;
73275 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73276 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73277 return -EAGAIN;
73278 }
73279 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
73280 if (error)
73281 return error;
73282
73283 + if (!gr_acl_handle_mmap(file, prot))
73284 + return -EACCES;
73285 +
73286 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
73287 }
73288 EXPORT_SYMBOL(do_mmap_pgoff);
73289 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
73290 */
73291 int vma_wants_writenotify(struct vm_area_struct *vma)
73292 {
73293 - unsigned int vm_flags = vma->vm_flags;
73294 + unsigned long vm_flags = vma->vm_flags;
73295
73296 /* If it was private or non-writable, the write bit is already clear */
73297 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
73298 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
73299 return 0;
73300
73301 /* The backer wishes to know when pages are first written to? */
73302 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
73303 unsigned long charged = 0;
73304 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
73305
73306 +#ifdef CONFIG_PAX_SEGMEXEC
73307 + struct vm_area_struct *vma_m = NULL;
73308 +#endif
73309 +
73310 + /*
73311 + * mm->mmap_sem is required to protect against another thread
73312 + * changing the mappings in case we sleep.
73313 + */
73314 + verify_mm_writelocked(mm);
73315 +
73316 /* Clear old maps */
73317 error = -ENOMEM;
73318 -munmap_back:
73319 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73320 if (vma && vma->vm_start < addr + len) {
73321 if (do_munmap(mm, addr, len))
73322 return -ENOMEM;
73323 - goto munmap_back;
73324 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73325 + BUG_ON(vma && vma->vm_start < addr + len);
73326 }
73327
73328 /* Check against address space limit. */
73329 @@ -1295,6 +1416,16 @@ munmap_back:
73330 goto unacct_error;
73331 }
73332
73333 +#ifdef CONFIG_PAX_SEGMEXEC
73334 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
73335 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73336 + if (!vma_m) {
73337 + error = -ENOMEM;
73338 + goto free_vma;
73339 + }
73340 + }
73341 +#endif
73342 +
73343 vma->vm_mm = mm;
73344 vma->vm_start = addr;
73345 vma->vm_end = addr + len;
73346 @@ -1318,6 +1449,19 @@ munmap_back:
73347 error = file->f_op->mmap(file, vma);
73348 if (error)
73349 goto unmap_and_free_vma;
73350 +
73351 +#ifdef CONFIG_PAX_SEGMEXEC
73352 + if (vma_m && (vm_flags & VM_EXECUTABLE))
73353 + added_exe_file_vma(mm);
73354 +#endif
73355 +
73356 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73357 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
73358 + vma->vm_flags |= VM_PAGEEXEC;
73359 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73360 + }
73361 +#endif
73362 +
73363 if (vm_flags & VM_EXECUTABLE)
73364 added_exe_file_vma(mm);
73365
73366 @@ -1353,6 +1497,11 @@ munmap_back:
73367 vma_link(mm, vma, prev, rb_link, rb_parent);
73368 file = vma->vm_file;
73369
73370 +#ifdef CONFIG_PAX_SEGMEXEC
73371 + if (vma_m)
73372 + BUG_ON(pax_mirror_vma(vma_m, vma));
73373 +#endif
73374 +
73375 /* Once vma denies write, undo our temporary denial count */
73376 if (correct_wcount)
73377 atomic_inc(&inode->i_writecount);
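Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` puts the call that sets up the mirror inside an assertion macro, so the mirroring happens only as a side effect of evaluating the assertion. Assigning the result to a local first and then asserting on that local keeps the work visible and independent of how BUG_ON is defined. pax_mirror_vma() is not in this hunk, so what a non-zero return means cannot be confirmed here. If it can fail for an ordinary reason such as allocation, unwinding through the existing error labels would be preferable to halting.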
73378 @@ -1361,6 +1510,7 @@ out:
73379
73380 mm->total_vm += len >> PAGE_SHIFT;
73381 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
73382 + track_exec_limit(mm, addr, addr + len, vm_flags);
73383 if (vm_flags & VM_LOCKED) {
73384 if (!mlock_vma_pages_range(vma, addr, addr + len))
73385 mm->locked_vm += (len >> PAGE_SHIFT);
73386 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
73387 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
73388 charged = 0;
73389 free_vma:
73390 +
73391 +#ifdef CONFIG_PAX_SEGMEXEC
73392 + if (vma_m)
73393 + kmem_cache_free(vm_area_cachep, vma_m);
73394 +#endif
73395 +
73396 kmem_cache_free(vm_area_cachep, vma);
73397 unacct_error:
73398 if (charged)
73399 @@ -1385,6 +1541,44 @@ unacct_error:
73400 return error;
73401 }
73402
73403 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
73404 +{
73405 + if (!vma) {
73406 +#ifdef CONFIG_STACK_GROWSUP
73407 + if (addr > sysctl_heap_stack_gap)
73408 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
73409 + else
73410 + vma = find_vma(current->mm, 0);
73411 + if (vma && (vma->vm_flags & VM_GROWSUP))
73412 + return false;
73413 +#endif
73414 + return true;
73415 + }
73416 +
73417 + if (addr + len > vma->vm_start)
73418 + return false;
73419 +
73420 + if (vma->vm_flags & VM_GROWSDOWN)
73421 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
73422 +#ifdef CONFIG_STACK_GROWSUP
73423 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
73424 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
73425 +#endif
73426 +
73427 + return true;
73428 +}
73429 +
73430 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
73431 +{
73432 + if (vma->vm_start < len)
73433 + return -ENOMEM;
73434 + if (!(vma->vm_flags & VM_GROWSDOWN))
73435 + return vma->vm_start - len;
73436 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
73437 + return vma->vm_start - len - sysctl_heap_stack_gap;
73438 + return -ENOMEM;
73439 +}
73440 +
73441 /* Get an address range which is currently unmapped.
73442 * For shmat() with addr=0.
73443 *
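Review bot: The CONFIG_STACK_GROWSUP branch at the end of `check_heap_stack_gap()` looks inverted. `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts the address when its distance from the upward-growing VMA below is at most the gap, and rejects it when the distance is larger. The VM_GROWSDOWN branch just above does the opposite (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`), which is what a minimum gap requires, so the symmetric form would be `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both helpers also lack a comment saying that `check_heap_stack_gap()` returns true when the range is acceptable and that `skip_heap_stack_gap()` returns an errno cast to `unsigned long`, to be tested with `IS_ERR_VALUE()`.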
73444 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
73445 if (flags & MAP_FIXED)
73446 return addr;
73447
73448 +#ifdef CONFIG_PAX_RANDMMAP
73449 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73450 +#endif
73451 +
73452 if (addr) {
73453 addr = PAGE_ALIGN(addr);
73454 - vma = find_vma(mm, addr);
73455 - if (TASK_SIZE - len >= addr &&
73456 - (!vma || addr + len <= vma->vm_start))
73457 - return addr;
73458 + if (TASK_SIZE - len >= addr) {
73459 + vma = find_vma(mm, addr);
73460 + if (check_heap_stack_gap(vma, addr, len))
73461 + return addr;
73462 + }
73463 }
73464 if (len > mm->cached_hole_size) {
73465 - start_addr = addr = mm->free_area_cache;
73466 + start_addr = addr = mm->free_area_cache;
73467 } else {
73468 - start_addr = addr = TASK_UNMAPPED_BASE;
73469 - mm->cached_hole_size = 0;
73470 + start_addr = addr = mm->mmap_base;
73471 + mm->cached_hole_size = 0;
73472 }
73473
73474 full_search:
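Review bot: `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces, and its body is the `if (addr) { ... }` block on the far side of the `#endif` and a blank line. The hint-address path is therefore conditional only when CONFIG_PAX_RANDMMAP is set, and any statement later inserted between the `#endif` and `if (addr)` would silently become the guarded body. A comment such as `/* with RANDMMAP the caller's address hint is not honoured */`, or folding the test into the `if (addr)` condition under the #ifdef, would make this explicit. arch_get_unmapped_area_topdown repeats the construct with a comment line sitting between the two `if`s.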
73475 @@ -1433,34 +1632,40 @@ full_search:
73476 * Start a new search - just in case we missed
73477 * some holes.
73478 */
73479 - if (start_addr != TASK_UNMAPPED_BASE) {
73480 - addr = TASK_UNMAPPED_BASE;
73481 - start_addr = addr;
73482 + if (start_addr != mm->mmap_base) {
73483 + start_addr = addr = mm->mmap_base;
73484 mm->cached_hole_size = 0;
73485 goto full_search;
73486 }
73487 return -ENOMEM;
73488 }
73489 - if (!vma || addr + len <= vma->vm_start) {
73490 - /*
73491 - * Remember the place where we stopped the search:
73492 - */
73493 - mm->free_area_cache = addr + len;
73494 - return addr;
73495 - }
73496 + if (check_heap_stack_gap(vma, addr, len))
73497 + break;
73498 if (addr + mm->cached_hole_size < vma->vm_start)
73499 mm->cached_hole_size = vma->vm_start - addr;
73500 addr = vma->vm_end;
73501 }
73502 +
73503 + /*
73504 + * Remember the place where we stopped the search:
73505 + */
73506 + mm->free_area_cache = addr + len;
73507 + return addr;
73508 }
73509 #endif
73510
73511 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73512 {
73513 +
73514 +#ifdef CONFIG_PAX_SEGMEXEC
73515 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73516 + return;
73517 +#endif
73518 +
73519 /*
73520 * Is this a new hole at the lowest possible address?
73521 */
73522 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73523 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73524 mm->free_area_cache = addr;
73525 mm->cached_hole_size = ~0UL;
73526 }
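Review bot: `check_heap_stack_gap()` can return false for a NULL `vma` when CONFIG_STACK_GROWSUP is set (its `!vma` branch), and the loop then falls through to `vma->vm_start` and `vma->vm_end` on the following lines. The replaced code treated `!vma` as an unconditional success, so that dereference was unreachable before. The loop needs an explicit path for this case, at minimum `if (!vma) return -ENOMEM;` after the gap check, or logic that advances `addr` past the gap. The same fall-through follows the `check_heap_stack_gap(vma, addr, len)` call in arch_get_unmapped_area_topdown, where `vma->vm_start` is read right after it. The `for` header of this loop is outside the hunk.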
73527 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
73528 {
73529 struct vm_area_struct *vma;
73530 struct mm_struct *mm = current->mm;
73531 - unsigned long addr = addr0;
73532 + unsigned long base = mm->mmap_base, addr = addr0;
73533
73534 /* requested length too big for entire address space */
73535 if (len > TASK_SIZE)
73536 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
73537 if (flags & MAP_FIXED)
73538 return addr;
73539
73540 +#ifdef CONFIG_PAX_RANDMMAP
73541 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73542 +#endif
73543 +
73544 /* requesting a specific address */
73545 if (addr) {
73546 addr = PAGE_ALIGN(addr);
73547 - vma = find_vma(mm, addr);
73548 - if (TASK_SIZE - len >= addr &&
73549 - (!vma || addr + len <= vma->vm_start))
73550 - return addr;
73551 + if (TASK_SIZE - len >= addr) {
73552 + vma = find_vma(mm, addr);
73553 + if (check_heap_stack_gap(vma, addr, len))
73554 + return addr;
73555 + }
73556 }
73557
73558 /* check if free_area_cache is useful for us */
73559 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
73560 /* make sure it can fit in the remaining address space */
73561 if (addr > len) {
73562 vma = find_vma(mm, addr-len);
73563 - if (!vma || addr <= vma->vm_start)
73564 + if (check_heap_stack_gap(vma, addr - len, len))
73565 /* remember the address as a hint for next time */
73566 return (mm->free_area_cache = addr-len);
73567 }
73568 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
73569 * return with success:
73570 */
73571 vma = find_vma(mm, addr);
73572 - if (!vma || addr+len <= vma->vm_start)
73573 + if (check_heap_stack_gap(vma, addr, len))
73574 /* remember the address as a hint for next time */
73575 return (mm->free_area_cache = addr);
73576
73577 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
73578 mm->cached_hole_size = vma->vm_start - addr;
73579
73580 /* try just below the current vma->vm_start */
73581 - addr = vma->vm_start-len;
73582 - } while (len < vma->vm_start);
73583 + addr = skip_heap_stack_gap(vma, len);
73584 + } while (!IS_ERR_VALUE(addr));
73585
73586 bottomup:
73587 /*
73588 @@ -1544,13 +1754,21 @@ bottomup:
73589 * can happen with large stack limits and large mmap()
73590 * allocations.
73591 */
73592 + mm->mmap_base = TASK_UNMAPPED_BASE;
73593 +
73594 +#ifdef CONFIG_PAX_RANDMMAP
73595 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73596 + mm->mmap_base += mm->delta_mmap;
73597 +#endif
73598 +
73599 + mm->free_area_cache = mm->mmap_base;
73600 mm->cached_hole_size = ~0UL;
73601 - mm->free_area_cache = TASK_UNMAPPED_BASE;
73602 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73603 /*
73604 * Restore the topdown base:
73605 */
73606 - mm->free_area_cache = mm->mmap_base;
73607 + mm->mmap_base = base;
73608 + mm->free_area_cache = base;
73609 mm->cached_hole_size = ~0UL;
73610
73611 return addr;
73612 @@ -1559,6 +1777,12 @@ bottomup:
73613
73614 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73615 {
73616 +
73617 +#ifdef CONFIG_PAX_SEGMEXEC
73618 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73619 + return;
73620 +#endif
73621 +
73622 /*
73623 * Is this a new hole at the highest possible address?
73624 */
73625 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
73626 mm->free_area_cache = addr;
73627
73628 /* dont allow allocations above current base */
73629 - if (mm->free_area_cache > mm->mmap_base)
73630 + if (mm->free_area_cache > mm->mmap_base) {
73631 mm->free_area_cache = mm->mmap_base;
73632 + mm->cached_hole_size = ~0UL;
73633 + }
73634 }
73635
73636 unsigned long
73637 @@ -1675,6 +1901,28 @@ out:
73638 return prev ? prev->vm_next : vma;
73639 }
73640
73641 +#ifdef CONFIG_PAX_SEGMEXEC
73642 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73643 +{
73644 + struct vm_area_struct *vma_m;
73645 +
73646 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73647 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73648 + BUG_ON(vma->vm_mirror);
73649 + return NULL;
73650 + }
73651 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73652 + vma_m = vma->vm_mirror;
73653 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73654 + BUG_ON(vma->vm_file != vma_m->vm_file);
73655 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73656 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
73657 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
73658 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73659 + return vma_m;
73660 +}
73661 +#endif
73662 +
73663 /*
73664 * Verify that the stack growth is acceptable and
73665 * update accounting. This is shared with both the
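Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);` dereferences both `anon_vma` pointers whenever they differ, including when exactly one of them is NULL. That mismatch would then surface as a NULL-pointer oops inside the assertion rather than as the intended BUG report. The `->root` accesses should be guarded, for example `(!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root)` as the second operand; whether a one-sided NULL is ever a valid state is not visible here and decides if that case should trip or be skipped. A header comment listing the invariants checked (same file, length, pgoff, anon_vma root, and flags apart from the masked ones) would make the function usable as documentation of the mirror contract.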
73666 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
73667 return -ENOMEM;
73668
73669 /* Stack limit test */
73670 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
73671 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
73672 return -ENOMEM;
73673
73674 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
73675 locked = mm->locked_vm + grow;
73676 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
73677 limit >>= PAGE_SHIFT;
73678 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73679 if (locked > limit && !capable(CAP_IPC_LOCK))
73680 return -ENOMEM;
73681 }
73682 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
73683 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73684 * vma is the last one with address > vma->vm_end. Have to extend vma.
73685 */
73686 +#ifndef CONFIG_IA64
73687 +static
73688 +#endif
73689 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73690 {
73691 int error;
73692 + bool locknext;
73693
73694 if (!(vma->vm_flags & VM_GROWSUP))
73695 return -EFAULT;
73696
73697 + /* Also guard against wrapping around to address 0. */
73698 + if (address < PAGE_ALIGN(address+1))
73699 + address = PAGE_ALIGN(address+1);
73700 + else
73701 + return -ENOMEM;
73702 +
73703 /*
73704 * We must make sure the anon_vma is allocated
73705 * so that the anon_vma locking is not a noop.
73706 */
73707 if (unlikely(anon_vma_prepare(vma)))
73708 return -ENOMEM;
73709 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73710 + if (locknext && anon_vma_prepare(vma->vm_next))
73711 + return -ENOMEM;
73712 vma_lock_anon_vma(vma);
73713 + if (locknext)
73714 + vma_lock_anon_vma(vma->vm_next);
73715
73716 /*
73717 * vma->vm_start/vm_end cannot change under us because the caller
73718 * is required to hold the mmap_sem in read mode. We need the
73719 - * anon_vma lock to serialize against concurrent expand_stacks.
73720 - * Also guard against wrapping around to address 0.
73721 + * anon_vma locks to serialize against concurrent expand_stacks
73722 + * and expand_upwards.
73723 */
73724 - if (address < PAGE_ALIGN(address+4))
73725 - address = PAGE_ALIGN(address+4);
73726 - else {
73727 - vma_unlock_anon_vma(vma);
73728 - return -ENOMEM;
73729 - }
73730 error = 0;
73731
73732 /* Somebody else might have raced and expanded it already */
73733 - if (address > vma->vm_end) {
73734 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73735 + error = -ENOMEM;
73736 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73737 unsigned long size, grow;
73738
73739 size = address - vma->vm_start;
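Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is unsigned arithmetic, so it is only meaningful if every caller guarantees `address <= vma->vm_next->vm_start`. Were `address` above that, the difference would wrap to a very large value, the test would not trigger, and with `locknext` false the `else if` would go on to grow the VMA. That precondition is not visible in the hunk, so it needs either a comment or an explicit `address > vma->vm_next->vm_start ||` term in front of the subtraction. The line should also say why neighbours with none of `VM_READ | VM_WRITE | VM_EXEC` are exempt from the gap. expand_downwards has the mirrored expression `address - prev->vm_end` in its hunk below; expand_upwards's body continues outside this hunk.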
73740 @@ -1776,6 +2037,8 @@ int expand_upwards(struct vm_area_struct
73741 }
73742 }
73743 }
73744 + if (locknext)
73745 + vma_unlock_anon_vma(vma->vm_next);
73746 vma_unlock_anon_vma(vma);
73747 khugepaged_enter_vma_merge(vma);
73748 return error;
73749 @@ -1789,6 +2052,8 @@ static int expand_downwards(struct vm_ar
73750 unsigned long address)
73751 {
73752 int error;
73753 + bool lockprev = false;
73754 + struct vm_area_struct *prev;
73755
73756 /*
73757 * We must make sure the anon_vma is allocated
73758 @@ -1802,6 +2067,15 @@ static int expand_downwards(struct vm_ar
73759 if (error)
73760 return error;
73761
73762 + prev = vma->vm_prev;
73763 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73764 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73765 +#endif
73766 + if (lockprev && anon_vma_prepare(prev))
73767 + return -ENOMEM;
73768 + if (lockprev)
73769 + vma_lock_anon_vma(prev);
73770 +
73771 vma_lock_anon_vma(vma);
73772
73773 /*
73774 @@ -1811,9 +2085,17 @@ static int expand_downwards(struct vm_ar
73775 */
73776
73777 /* Somebody else might have raced and expanded it already */
73778 - if (address < vma->vm_start) {
73779 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73780 + error = -ENOMEM;
73781 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73782 unsigned long size, grow;
73783
73784 +#ifdef CONFIG_PAX_SEGMEXEC
73785 + struct vm_area_struct *vma_m;
73786 +
73787 + vma_m = pax_find_mirror_vma(vma);
73788 +#endif
73789 +
73790 size = vma->vm_end - address;
73791 grow = (vma->vm_start - address) >> PAGE_SHIFT;
73792
73793 @@ -1823,11 +2105,22 @@ static int expand_downwards(struct vm_ar
73794 if (!error) {
73795 vma->vm_start = address;
73796 vma->vm_pgoff -= grow;
73797 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73798 +
73799 +#ifdef CONFIG_PAX_SEGMEXEC
73800 + if (vma_m) {
73801 + vma_m->vm_start -= grow << PAGE_SHIFT;
73802 + vma_m->vm_pgoff -= grow;
73803 + }
73804 +#endif
73805 +
73806 perf_event_mmap(vma);
73807 }
73808 }
73809 }
73810 vma_unlock_anon_vma(vma);
73811 + if (lockprev)
73812 + vma_unlock_anon_vma(prev);
73813 khugepaged_enter_vma_merge(vma);
73814 return error;
73815 }
73816 @@ -1902,6 +2195,13 @@ static void remove_vma_list(struct mm_st
73817 do {
73818 long nrpages = vma_pages(vma);
73819
73820 +#ifdef CONFIG_PAX_SEGMEXEC
73821 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73822 + vma = remove_vma(vma);
73823 + continue;
73824 + }
73825 +#endif
73826 +
73827 mm->total_vm -= nrpages;
73828 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73829 vma = remove_vma(vma);
73830 @@ -1947,6 +2247,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73831 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73832 vma->vm_prev = NULL;
73833 do {
73834 +
73835 +#ifdef CONFIG_PAX_SEGMEXEC
73836 + if (vma->vm_mirror) {
73837 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73838 + vma->vm_mirror->vm_mirror = NULL;
73839 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
73840 + vma->vm_mirror = NULL;
73841 + }
73842 +#endif
73843 +
73844 rb_erase(&vma->vm_rb, &mm->mm_rb);
73845 mm->map_count--;
73846 tail_vma = vma;
73847 @@ -1975,14 +2285,33 @@ static int __split_vma(struct mm_struct
73848 struct vm_area_struct *new;
73849 int err = -ENOMEM;
73850
73851 +#ifdef CONFIG_PAX_SEGMEXEC
73852 + struct vm_area_struct *vma_m, *new_m = NULL;
73853 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73854 +#endif
73855 +
73856 if (is_vm_hugetlb_page(vma) && (addr &
73857 ~(huge_page_mask(hstate_vma(vma)))))
73858 return -EINVAL;
73859
73860 +#ifdef CONFIG_PAX_SEGMEXEC
73861 + vma_m = pax_find_mirror_vma(vma);
73862 +#endif
73863 +
73864 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73865 if (!new)
73866 goto out_err;
73867
73868 +#ifdef CONFIG_PAX_SEGMEXEC
73869 + if (vma_m) {
73870 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73871 + if (!new_m) {
73872 + kmem_cache_free(vm_area_cachep, new);
73873 + goto out_err;
73874 + }
73875 + }
73876 +#endif
73877 +
73878 /* most fields are the same, copy all, and then fixup */
73879 *new = *vma;
73880
73881 @@ -1995,6 +2324,22 @@ static int __split_vma(struct mm_struct
73882 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73883 }
73884
73885 +#ifdef CONFIG_PAX_SEGMEXEC
73886 + if (vma_m) {
73887 + *new_m = *vma_m;
73888 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
73889 + new_m->vm_mirror = new;
73890 + new->vm_mirror = new_m;
73891 +
73892 + if (new_below)
73893 + new_m->vm_end = addr_m;
73894 + else {
73895 + new_m->vm_start = addr_m;
73896 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73897 + }
73898 + }
73899 +#endif
73900 +
73901 pol = mpol_dup(vma_policy(vma));
73902 if (IS_ERR(pol)) {
73903 err = PTR_ERR(pol);
73904 @@ -2020,6 +2365,42 @@ static int __split_vma(struct mm_struct
73905 else
73906 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73907
73908 +#ifdef CONFIG_PAX_SEGMEXEC
73909 + if (!err && vma_m) {
73910 + if (anon_vma_clone(new_m, vma_m))
73911 + goto out_free_mpol;
73912 +
73913 + mpol_get(pol);
73914 + vma_set_policy(new_m, pol);
73915 +
73916 + if (new_m->vm_file) {
73917 + get_file(new_m->vm_file);
73918 + if (vma_m->vm_flags & VM_EXECUTABLE)
73919 + added_exe_file_vma(mm);
73920 + }
73921 +
73922 + if (new_m->vm_ops && new_m->vm_ops->open)
73923 + new_m->vm_ops->open(new_m);
73924 +
73925 + if (new_below)
73926 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73927 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73928 + else
73929 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73930 +
73931 + if (err) {
73932 + if (new_m->vm_ops && new_m->vm_ops->close)
73933 + new_m->vm_ops->close(new_m);
73934 + if (new_m->vm_file) {
73935 + if (vma_m->vm_flags & VM_EXECUTABLE)
73936 + removed_exe_file_vma(mm);
73937 + fput(new_m->vm_file);
73938 + }
73939 + mpol_put(pol);
73940 + }
73941 + }
73942 +#endif
73943 +
73944 /* Success. */
73945 if (!err)
73946 return 0;
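Review bot: In the SEGMEXEC block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` runs only when `err` is 0, so a clone failure reaches the cleanup labels with `err` still 0. By then the preceding `vma_adjust()` call has already been handed `new` for insertion, yet the labels in the next hunk free both `new_m` and `new` and the function returns success. At minimum set `err = -ENOMEM;` before the jump; better, clone into `new_m` before the first `vma_adjust()` so a failure unwinds before anything is linked. The `if (err)` branch after the mirror's `vma_adjust()` raises the same concern, since it falls through to cleanup of a `new` that was already inserted. __split_vma starts and ends outside this hunk.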
73947 @@ -2032,10 +2413,18 @@ static int __split_vma(struct mm_struct
73948 removed_exe_file_vma(mm);
73949 fput(new->vm_file);
73950 }
73951 - unlink_anon_vmas(new);
73952 out_free_mpol:
73953 mpol_put(pol);
73954 out_free_vma:
73955 +
73956 +#ifdef CONFIG_PAX_SEGMEXEC
73957 + if (new_m) {
73958 + unlink_anon_vmas(new_m);
73959 + kmem_cache_free(vm_area_cachep, new_m);
73960 + }
73961 +#endif
73962 +
73963 + unlink_anon_vmas(new);
73964 kmem_cache_free(vm_area_cachep, new);
73965 out_err:
73966 return err;
73967 @@ -2048,6 +2437,15 @@ static int __split_vma(struct mm_struct
73968 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
73969 unsigned long addr, int new_below)
73970 {
73971 +
73972 +#ifdef CONFIG_PAX_SEGMEXEC
73973 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73974 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
73975 + if (mm->map_count >= sysctl_max_map_count-1)
73976 + return -ENOMEM;
73977 + } else
73978 +#endif
73979 +
73980 if (mm->map_count >= sysctl_max_map_count)
73981 return -ENOMEM;
73982
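Review bot: The `} else` left dangling before `#endif` binds to the unguarded `if (mm->map_count >= sysctl_max_map_count)` that follows, so the control flow depends on nothing ever being inserted between the two. The same construct appears in the sys_mprotect hunk of mm/mprotect.c (`} else` / `#endif` / `if (end > TASK_SIZE)`). Bracing the fallback, or computing the limit in a local first, would keep both configurations readable. The `-1` also deserves a comment, e.g. `/* presumably: the mirror vma is split too, so two map slots are needed */`. split_vma continues past the end of the hunk.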
73983 @@ -2059,11 +2457,30 @@ int split_vma(struct mm_struct *mm, stru
73984 * work. This now handles partial unmappings.
73985 * Jeremy Fitzhardinge <jeremy@goop.org>
73986 */
73987 +#ifdef CONFIG_PAX_SEGMEXEC
73988 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73989 +{
73990 + int ret = __do_munmap(mm, start, len);
73991 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73992 + return ret;
73993 +
73994 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73995 +}
73996 +
73997 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73998 +#else
73999 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
74000 +#endif
74001 {
74002 unsigned long end;
74003 struct vm_area_struct *vma, *prev, *last;
74004
74005 + /*
74006 + * mm->mmap_sem is required to protect against another thread
74007 + * changing the mappings in case we sleep.
74008 + */
74009 + verify_mm_writelocked(mm);
74010 +
74011 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
74012 return -EINVAL;
74013
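Review bot: The new `do_munmap()` wrapper has no comment describing what a caller sees when the first `__do_munmap()` succeeds and the second one, on `start + SEGMEXEC_TASK_SIZE`, fails: the error is returned although the lower range is already gone. A short comment above the wrapper would cover it, e.g. `/* SEGMEXEC: unmap the range, then its mirror; a mirror failure is reported after the primary range is already unmapped */`. The body of `__do_munmap()` continues outside the hunk.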
74014 @@ -2137,6 +2554,8 @@ int do_munmap(struct mm_struct *mm, unsi
74015 /* Fix up all other VM information */
74016 remove_vma_list(mm, vma);
74017
74018 + track_exec_limit(mm, start, end, 0UL);
74019 +
74020 return 0;
74021 }
74022
74023 @@ -2149,22 +2568,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
74024
74025 profile_munmap(addr);
74026
74027 +#ifdef CONFIG_PAX_SEGMEXEC
74028 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
74029 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
74030 + return -EINVAL;
74031 +#endif
74032 +
74033 down_write(&mm->mmap_sem);
74034 ret = do_munmap(mm, addr, len);
74035 up_write(&mm->mmap_sem);
74036 return ret;
74037 }
74038
74039 -static inline void verify_mm_writelocked(struct mm_struct *mm)
74040 -{
74041 -#ifdef CONFIG_DEBUG_VM
74042 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
74043 - WARN_ON(1);
74044 - up_read(&mm->mmap_sem);
74045 - }
74046 -#endif
74047 -}
74048 -
74049 /*
74050 * this is really a simplified "do_mmap". it only handles
74051 * anonymous maps. eventually we may be able to do some
74052 @@ -2178,6 +2593,7 @@ unsigned long do_brk(unsigned long addr,
74053 struct rb_node ** rb_link, * rb_parent;
74054 pgoff_t pgoff = addr >> PAGE_SHIFT;
74055 int error;
74056 + unsigned long charged;
74057
74058 len = PAGE_ALIGN(len);
74059 if (!len)
74060 @@ -2189,16 +2605,30 @@ unsigned long do_brk(unsigned long addr,
74061
74062 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
74063
74064 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
74065 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74066 + flags &= ~VM_EXEC;
74067 +
74068 +#ifdef CONFIG_PAX_MPROTECT
74069 + if (mm->pax_flags & MF_PAX_MPROTECT)
74070 + flags &= ~VM_MAYEXEC;
74071 +#endif
74072 +
74073 + }
74074 +#endif
74075 +
74076 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
74077 if (error & ~PAGE_MASK)
74078 return error;
74079
74080 + charged = len >> PAGE_SHIFT;
74081 +
74082 /*
74083 * mlock MCL_FUTURE?
74084 */
74085 if (mm->def_flags & VM_LOCKED) {
74086 unsigned long locked, lock_limit;
74087 - locked = len >> PAGE_SHIFT;
74088 + locked = charged;
74089 locked += mm->locked_vm;
74090 lock_limit = rlimit(RLIMIT_MEMLOCK);
74091 lock_limit >>= PAGE_SHIFT;
74092 @@ -2215,22 +2645,22 @@ unsigned long do_brk(unsigned long addr,
74093 /*
74094 * Clear old maps. this also does some error checking for us
74095 */
74096 - munmap_back:
74097 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74098 if (vma && vma->vm_start < addr + len) {
74099 if (do_munmap(mm, addr, len))
74100 return -ENOMEM;
74101 - goto munmap_back;
74102 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74103 + BUG_ON(vma && vma->vm_start < addr + len);
74104 }
74105
74106 /* Check against address space limits *after* clearing old maps... */
74107 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
74108 + if (!may_expand_vm(mm, charged))
74109 return -ENOMEM;
74110
74111 if (mm->map_count > sysctl_max_map_count)
74112 return -ENOMEM;
74113
74114 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
74115 + if (security_vm_enough_memory(charged))
74116 return -ENOMEM;
74117
74118 /* Can we just expand an old private anonymous mapping? */
74119 @@ -2244,7 +2674,7 @@ unsigned long do_brk(unsigned long addr,
74120 */
74121 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74122 if (!vma) {
74123 - vm_unacct_memory(len >> PAGE_SHIFT);
74124 + vm_unacct_memory(charged);
74125 return -ENOMEM;
74126 }
74127
74128 @@ -2258,11 +2688,12 @@ unsigned long do_brk(unsigned long addr,
74129 vma_link(mm, vma, prev, rb_link, rb_parent);
74130 out:
74131 perf_event_mmap(vma);
74132 - mm->total_vm += len >> PAGE_SHIFT;
74133 + mm->total_vm += charged;
74134 if (flags & VM_LOCKED) {
74135 if (!mlock_vma_pages_range(vma, addr, addr + len))
74136 - mm->locked_vm += (len >> PAGE_SHIFT);
74137 + mm->locked_vm += charged;
74138 }
74139 + track_exec_limit(mm, addr, addr + len, flags);
74140 return addr;
74141 }
74142
74143 @@ -2309,8 +2740,10 @@ void exit_mmap(struct mm_struct *mm)
74144 * Walk the list again, actually closing and freeing it,
74145 * with preemption enabled, without holding any MM locks.
74146 */
74147 - while (vma)
74148 + while (vma) {
74149 + vma->vm_mirror = NULL;
74150 vma = remove_vma(vma);
74151 + }
74152
74153 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
74154 }
74155 @@ -2324,6 +2757,13 @@ int insert_vm_struct(struct mm_struct *
74156 struct vm_area_struct * __vma, * prev;
74157 struct rb_node ** rb_link, * rb_parent;
74158
74159 +#ifdef CONFIG_PAX_SEGMEXEC
74160 + struct vm_area_struct *vma_m = NULL;
74161 +#endif
74162 +
74163 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
74164 + return -EPERM;
74165 +
74166 /*
74167 * The vm_pgoff of a purely anonymous vma should be irrelevant
74168 * until its first write fault, when page's anon_vma and index
74169 @@ -2346,7 +2786,22 @@ int insert_vm_struct(struct mm_struct *
74170 if ((vma->vm_flags & VM_ACCOUNT) &&
74171 security_vm_enough_memory_mm(mm, vma_pages(vma)))
74172 return -ENOMEM;
74173 +
74174 +#ifdef CONFIG_PAX_SEGMEXEC
74175 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
74176 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74177 + if (!vma_m)
74178 + return -ENOMEM;
74179 + }
74180 +#endif
74181 +
74182 vma_link(mm, vma, prev, rb_link, rb_parent);
74183 +
74184 +#ifdef CONFIG_PAX_SEGMEXEC
74185 + if (vma_m)
74186 + BUG_ON(pax_mirror_vma(vma_m, vma));
74187 +#endif
74188 +
74189 return 0;
74190 }
74191
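Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` turns an allocation failure into a kernel BUG, because `pax_mirror_vma()` (added further down in this file) returns -ENOMEM when `anon_vma_clone()` fails. insert_vm_struct already returns -ENOMEM for the `vma_m` allocation a few lines earlier, so callers are expected to handle that error. Consider doing the fallible part before `vma_link()` so the failure can be returned, or at least document why it cannot happen here. Placing a call with side effects inside `BUG_ON()` also hides the real work in an assertion; `err = pax_mirror_vma(vma_m, vma); BUG_ON(err);` reads more clearly.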
74192 @@ -2364,6 +2819,8 @@ struct vm_area_struct *copy_vma(struct v
74193 struct rb_node **rb_link, *rb_parent;
74194 struct mempolicy *pol;
74195
74196 + BUG_ON(vma->vm_mirror);
74197 +
74198 /*
74199 * If anonymous vma has not yet been faulted, update new pgoff
74200 * to match new location, to increase its chance of merging.
74201 @@ -2413,6 +2870,39 @@ struct vm_area_struct *copy_vma(struct v
74202 kmem_cache_free(vm_area_cachep, new_vma);
74203 return NULL;
74204 }
74205 +
74206 +#ifdef CONFIG_PAX_SEGMEXEC
74207 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
74208 +{
74209 + struct vm_area_struct *prev_m;
74210 + struct rb_node **rb_link_m, *rb_parent_m;
74211 + struct mempolicy *pol_m;
74212 +
74213 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
74214 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
74215 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
74216 + *vma_m = *vma;
74217 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
74218 + if (anon_vma_clone(vma_m, vma))
74219 + return -ENOMEM;
74220 + pol_m = vma_policy(vma_m);
74221 + mpol_get(pol_m);
74222 + vma_set_policy(vma_m, pol_m);
74223 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
74224 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
74225 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
74226 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
74227 + if (vma_m->vm_file)
74228 + get_file(vma_m->vm_file);
74229 + if (vma_m->vm_ops && vma_m->vm_ops->open)
74230 + vma_m->vm_ops->open(vma_m);
74231 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
74232 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
74233 + vma_m->vm_mirror = vma;
74234 + vma->vm_mirror = vma_m;
74235 + return 0;
74236 +}
74237 +#endif
74238
74239 /*
74240 * Return true if the calling process may expand its vm space by the passed
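Review bot: `pax_mirror_vma()` has no header comment and does not say who owns `vma_m` when it fails: the `anon_vma_clone()` failure path returns -ENOMEM without freeing it. The caller added in mprotect_fixup (mm/mprotect.c, `if (error) { vma->vm_flags = oldflags; goto fail; }`) does not free `vma_m` in the visible lines either, so unless the `fail` label outside the hunk does, the object leaks. Either release it on that path with `kmem_cache_free(vm_area_cachep, vma_m);` or document that the caller must. The return type is `long` although only 0 and -ENOMEM are returned; `int` would match the neighbouring functions.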
74241 @@ -2424,7 +2914,7 @@ int may_expand_vm(struct mm_struct *mm,
74242 unsigned long lim;
74243
74244 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
74245 -
74246 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
74247 if (cur + npages > lim)
74248 return 0;
74249 return 1;
74250 @@ -2495,6 +2985,22 @@ int install_special_mapping(struct mm_st
74251 vma->vm_start = addr;
74252 vma->vm_end = addr + len;
74253
74254 +#ifdef CONFIG_PAX_MPROTECT
74255 + if (mm->pax_flags & MF_PAX_MPROTECT) {
74256 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
74257 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
74258 + return -EPERM;
74259 + if (!(vm_flags & VM_EXEC))
74260 + vm_flags &= ~VM_MAYEXEC;
74261 +#else
74262 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74263 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74264 +#endif
74265 + else
74266 + vm_flags &= ~VM_MAYWRITE;
74267 + }
74268 +#endif
74269 +
74270 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
74271 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74272
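Review bot: `return -EPERM;` in the `CONFIG_PAX_MPROTECT` block is reached after `vma` has been filled in (`vma->vm_start = addr;` is context just above), so it appears to leave the function without releasing that vma. Its allocation is above the hunk, so confirm, and if so add `kmem_cache_free(vm_area_cachep, vma);` before the return or move the flag check ahead of the allocation. The trailing `else vm_flags &= ~VM_MAYWRITE;` pairs with a different `if` in each preprocessor branch, which is easy to misread; a comment on each branch would help.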
74273 diff -urNp linux-2.6.39.3/mm/mprotect.c linux-2.6.39.3/mm/mprotect.c
74274 --- linux-2.6.39.3/mm/mprotect.c 2011-05-19 00:06:34.000000000 -0400
74275 +++ linux-2.6.39.3/mm/mprotect.c 2011-05-22 19:41:42.000000000 -0400
74276 @@ -23,10 +23,16 @@
74277 #include <linux/mmu_notifier.h>
74278 #include <linux/migrate.h>
74279 #include <linux/perf_event.h>
74280 +
74281 +#ifdef CONFIG_PAX_MPROTECT
74282 +#include <linux/elf.h>
74283 +#endif
74284 +
74285 #include <asm/uaccess.h>
74286 #include <asm/pgtable.h>
74287 #include <asm/cacheflush.h>
74288 #include <asm/tlbflush.h>
74289 +#include <asm/mmu_context.h>
74290
74291 #ifndef pgprot_modify
74292 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
74293 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
74294 flush_tlb_range(vma, start, end);
74295 }
74296
74297 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74298 +/* called while holding the mmap semaphor for writing except stack expansion */
74299 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
74300 +{
74301 + unsigned long oldlimit, newlimit = 0UL;
74302 +
74303 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
74304 + return;
74305 +
74306 + spin_lock(&mm->page_table_lock);
74307 + oldlimit = mm->context.user_cs_limit;
74308 + if ((prot & VM_EXEC) && oldlimit < end)
74309 + /* USER_CS limit moved up */
74310 + newlimit = end;
74311 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
74312 + /* USER_CS limit moved down */
74313 + newlimit = start;
74314 +
74315 + if (newlimit) {
74316 + mm->context.user_cs_limit = newlimit;
74317 +
74318 +#ifdef CONFIG_SMP
74319 + wmb();
74320 + cpus_clear(mm->context.cpu_user_cs_mask);
74321 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
74322 +#endif
74323 +
74324 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
74325 + }
74326 + spin_unlock(&mm->page_table_lock);
74327 + if (newlimit == end) {
74328 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
74329 +
74330 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
74331 + if (is_vm_hugetlb_page(vma))
74332 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
74333 + else
74334 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
74335 + }
74336 +}
74337 +#endif
74338 +
74339 int
74340 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
74341 unsigned long start, unsigned long end, unsigned long newflags)
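Review bot: The `prot` parameter of `track_exec_limit()` is tested against `VM_EXEC`, and the callers in this patch pass vm_flags values, so the name suggests PROT_* bits it does not take; `vm_flags` plus a short header comment describing start/end would be clearer. `newlimit = 0UL` doubles as the no-change marker, so a call that would lower the limit with `start == 0` is silently skipped by `if (newlimit)`; if that case can occur, a separate flag is safer. The unbraced `for` over a multi-line `if`/`else` at the end would also be easier to read with braces.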
74342 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
74343 int error;
74344 int dirty_accountable = 0;
74345
74346 +#ifdef CONFIG_PAX_SEGMEXEC
74347 + struct vm_area_struct *vma_m = NULL;
74348 + unsigned long start_m, end_m;
74349 +
74350 + start_m = start + SEGMEXEC_TASK_SIZE;
74351 + end_m = end + SEGMEXEC_TASK_SIZE;
74352 +#endif
74353 +
74354 if (newflags == oldflags) {
74355 *pprev = vma;
74356 return 0;
74357 }
74358
74359 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
74360 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
74361 +
74362 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
74363 + return -ENOMEM;
74364 +
74365 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
74366 + return -ENOMEM;
74367 + }
74368 +
74369 /*
74370 * If we make a private mapping writable we increase our commit;
74371 * but (without finer accounting) cannot reduce our commit if we
74372 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
74373 }
74374 }
74375
74376 +#ifdef CONFIG_PAX_SEGMEXEC
74377 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
74378 + if (start != vma->vm_start) {
74379 + error = split_vma(mm, vma, start, 1);
74380 + if (error)
74381 + goto fail;
74382 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
74383 + *pprev = (*pprev)->vm_next;
74384 + }
74385 +
74386 + if (end != vma->vm_end) {
74387 + error = split_vma(mm, vma, end, 0);
74388 + if (error)
74389 + goto fail;
74390 + }
74391 +
74392 + if (pax_find_mirror_vma(vma)) {
74393 + error = __do_munmap(mm, start_m, end_m - start_m);
74394 + if (error)
74395 + goto fail;
74396 + } else {
74397 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74398 + if (!vma_m) {
74399 + error = -ENOMEM;
74400 + goto fail;
74401 + }
74402 + vma->vm_flags = newflags;
74403 + error = pax_mirror_vma(vma_m, vma);
74404 + if (error) {
74405 + vma->vm_flags = oldflags;
74406 + goto fail;
74407 + }
74408 + }
74409 + }
74410 +#endif
74411 +
74412 /*
74413 * First try to merge with previous and/or next vma.
74414 */
74415 @@ -204,9 +306,21 @@ success:
74416 * vm_flags and vm_page_prot are protected by the mmap_sem
74417 * held in write mode.
74418 */
74419 +
74420 +#ifdef CONFIG_PAX_SEGMEXEC
74421 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
74422 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
74423 +#endif
74424 +
74425 vma->vm_flags = newflags;
74426 +
74427 +#ifdef CONFIG_PAX_MPROTECT
74428 + if (mm->binfmt && mm->binfmt->handle_mprotect)
74429 + mm->binfmt->handle_mprotect(vma, newflags);
74430 +#endif
74431 +
74432 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
74433 - vm_get_page_prot(newflags));
74434 + vm_get_page_prot(vma->vm_flags));
74435
74436 if (vma_wants_writenotify(vma)) {
74437 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
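Review bot: The page protection is now derived from `vma->vm_flags` after `handle_mprotect()` has run, but the write-notify branch on the next line still calls `vm_get_page_prot(newflags & ~VM_SHARED)`. If the handler can change a bit that `vm_get_page_prot()` consumes, that branch would undo it; for consistency it should read `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)`. Separately, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked while other callers in this patch test it for NULL, so a `BUG_ON` or a comment naming the invariant would match the rest of the patch. mprotect_fixup starts and ends outside the hunk.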
74438 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74439 end = start + len;
74440 if (end <= start)
74441 return -ENOMEM;
74442 +
74443 +#ifdef CONFIG_PAX_SEGMEXEC
74444 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74445 + if (end > SEGMEXEC_TASK_SIZE)
74446 + return -EINVAL;
74447 + } else
74448 +#endif
74449 +
74450 + if (end > TASK_SIZE)
74451 + return -EINVAL;
74452 +
74453 if (!arch_validate_prot(prot))
74454 return -EINVAL;
74455
74456 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74457 /*
74458 * Does the application expect PROT_READ to imply PROT_EXEC:
74459 */
74460 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74461 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74462 prot |= PROT_EXEC;
74463
74464 vm_flags = calc_vm_prot_bits(prot);
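Review bot: The comment above the changed condition still says "Does the application expect PROT_READ to imply PROT_EXEC", but the test is now `prot & (PROT_READ | PROT_WRITE)`. Update it to `Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC:` and add a line on why write-only requests are included, since the change widens the set of requests that gain PROT_EXEC.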
74465 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74466 if (start > vma->vm_start)
74467 prev = vma;
74468
74469 +#ifdef CONFIG_PAX_MPROTECT
74470 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
74471 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
74472 +#endif
74473 +
74474 for (nstart = start ; ; ) {
74475 unsigned long newflags;
74476
74477 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74478
74479 /* newflags >> 4 shift VM_MAY% in place of VM_% */
74480 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74481 + if (prot & (PROT_WRITE | PROT_EXEC))
74482 + gr_log_rwxmprotect(vma->vm_file);
74483 +
74484 + error = -EACCES;
74485 + goto out;
74486 + }
74487 +
74488 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74489 error = -EACCES;
74490 goto out;
74491 }
74492 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74493 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74494 if (error)
74495 goto out;
74496 +
74497 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
74498 +
74499 nstart = tmp;
74500
74501 if (nstart < prev->vm_end)
74502 diff -urNp linux-2.6.39.3/mm/mremap.c linux-2.6.39.3/mm/mremap.c
74503 --- linux-2.6.39.3/mm/mremap.c 2011-05-19 00:06:34.000000000 -0400
74504 +++ linux-2.6.39.3/mm/mremap.c 2011-05-22 19:36:33.000000000 -0400
74505 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
74506 continue;
74507 pte = ptep_clear_flush(vma, old_addr, old_pte);
74508 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74509 +
74510 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74511 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74512 + pte = pte_exprotect(pte);
74513 +#endif
74514 +
74515 set_pte_at(mm, new_addr, new_pte, pte);
74516 }
74517
74518 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
74519 if (is_vm_hugetlb_page(vma))
74520 goto Einval;
74521
74522 +#ifdef CONFIG_PAX_SEGMEXEC
74523 + if (pax_find_mirror_vma(vma))
74524 + goto Einval;
74525 +#endif
74526 +
74527 /* We can't remap across vm area boundaries */
74528 if (old_len > vma->vm_end - addr)
74529 goto Efault;
74530 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
74531 unsigned long ret = -EINVAL;
74532 unsigned long charged = 0;
74533 unsigned long map_flags;
74534 + unsigned long pax_task_size = TASK_SIZE;
74535
74536 if (new_addr & ~PAGE_MASK)
74537 goto out;
74538
74539 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74540 +#ifdef CONFIG_PAX_SEGMEXEC
74541 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74542 + pax_task_size = SEGMEXEC_TASK_SIZE;
74543 +#endif
74544 +
74545 + pax_task_size -= PAGE_SIZE;
74546 +
74547 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74548 goto out;
74549
74550 /* Check if the location we're moving into overlaps the
74551 * old location at all, and fail if it does.
74552 */
74553 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
74554 - goto out;
74555 -
74556 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
74557 + if (addr + old_len > new_addr && new_addr + new_len > addr)
74558 goto out;
74559
74560 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
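Review bot: In `if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)` the length is still bounded by `TASK_SIZE` while the subtraction uses the smaller `pax_task_size`, so a `new_len` between the two makes `pax_task_size - new_len` wrap and the address test pass. The check added to do_mremap in this patch rejects `new_len > pax_task_size` before mremap_to is reached, but the function should not depend on its caller for that: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to continues outside the hunk.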
74561 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
74562 struct vm_area_struct *vma;
74563 unsigned long ret = -EINVAL;
74564 unsigned long charged = 0;
74565 + unsigned long pax_task_size = TASK_SIZE;
74566
74567 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74568 goto out;
74569 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
74570 if (!new_len)
74571 goto out;
74572
74573 +#ifdef CONFIG_PAX_SEGMEXEC
74574 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74575 + pax_task_size = SEGMEXEC_TASK_SIZE;
74576 +#endif
74577 +
74578 + pax_task_size -= PAGE_SIZE;
74579 +
74580 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74581 + old_len > pax_task_size || addr > pax_task_size-old_len)
74582 + goto out;
74583 +
74584 if (flags & MREMAP_FIXED) {
74585 if (flags & MREMAP_MAYMOVE)
74586 ret = mremap_to(addr, old_len, new_addr, new_len);
74587 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
74588 addr + new_len);
74589 }
74590 ret = addr;
74591 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74592 goto out;
74593 }
74594 }
74595 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
74596 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74597 if (ret)
74598 goto out;
74599 +
74600 + map_flags = vma->vm_flags;
74601 ret = move_vma(vma, addr, old_len, new_len, new_addr);
74602 + if (!(ret & ~PAGE_MASK)) {
74603 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74604 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74605 + }
74606 }
74607 out:
74608 if (ret & ~PAGE_MASK)
74609 diff -urNp linux-2.6.39.3/mm/nobootmem.c linux-2.6.39.3/mm/nobootmem.c
74610 --- linux-2.6.39.3/mm/nobootmem.c 2011-05-19 00:06:34.000000000 -0400
74611 +++ linux-2.6.39.3/mm/nobootmem.c 2011-05-22 19:36:33.000000000 -0400
74612 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
74613 unsigned long __init free_all_memory_core_early(int nodeid)
74614 {
74615 int i;
74616 - u64 start, end;
74617 + u64 start, end, startrange, endrange;
74618 unsigned long count = 0;
74619 - struct range *range = NULL;
74620 + struct range *range = NULL, rangerange = { 0, 0 };
74621 int nr_range;
74622
74623 nr_range = get_free_all_memory_range(&range, nodeid);
74624 + startrange = __pa(range) >> PAGE_SHIFT;
74625 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
74626
74627 for (i = 0; i < nr_range; i++) {
74628 start = range[i].start;
74629 end = range[i].end;
74630 + if (start <= endrange && startrange < end) {
74631 + BUG_ON(rangerange.start | rangerange.end);
74632 + rangerange = range[i];
74633 + continue;
74634 + }
74635 count += end - start;
74636 __free_pages_memory(start, end);
74637 }
74638 + start = rangerange.start;
74639 + end = rangerange.end;
74640 + count += end - start;
74641 + __free_pages_memory(start, end);
74642
74643 return count;
74644 }
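Review bot: Nothing explains why the entry that overlaps the `range` array itself is held back in `rangerange` and freed only after the loop. Presumably the array must stay intact while it is being walked, and a comment should say so, e.g. `/* free the pages backing range[] last, the loop is still reading it */`. When no entry overlaps, `rangerange` stays `{ 0, 0 }` and `__free_pages_memory(0, 0)` is still called; guarding the tail with `if (rangerange.end)` makes that case explicit.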
74645 diff -urNp linux-2.6.39.3/mm/nommu.c linux-2.6.39.3/mm/nommu.c
74646 --- linux-2.6.39.3/mm/nommu.c 2011-05-19 00:06:34.000000000 -0400
74647 +++ linux-2.6.39.3/mm/nommu.c 2011-05-22 19:36:33.000000000 -0400
74648 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74649 int sysctl_overcommit_ratio = 50; /* default is 50% */
74650 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74651 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74652 -int heap_stack_gap = 0;
74653
74654 atomic_long_t mmap_pages_allocated;
74655
74656 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
74657 EXPORT_SYMBOL(find_vma);
74658
74659 /*
74660 - * find a VMA
74661 - * - we don't extend stack VMAs under NOMMU conditions
74662 - */
74663 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74664 -{
74665 - return find_vma(mm, addr);
74666 -}
74667 -
74668 -/*
74669 * expand a stack to a given address
74670 * - not supported under NOMMU conditions
74671 */
74672 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
74673
74674 /* most fields are the same, copy all, and then fixup */
74675 *new = *vma;
74676 + INIT_LIST_HEAD(&new->anon_vma_chain);
74677 *region = *vma->vm_region;
74678 new->vm_region = region;
74679
74680 diff -urNp linux-2.6.39.3/mm/page_alloc.c linux-2.6.39.3/mm/page_alloc.c
74681 --- linux-2.6.39.3/mm/page_alloc.c 2011-06-03 00:04:14.000000000 -0400
74682 +++ linux-2.6.39.3/mm/page_alloc.c 2011-07-09 09:12:54.000000000 -0400
74683 @@ -337,7 +337,7 @@ out:
74684 * This usage means that zero-order pages may not be compound.
74685 */
74686
74687 -static void free_compound_page(struct page *page)
74688 +void free_compound_page(struct page *page)
74689 {
74690 __free_pages_ok(page, compound_order(page));
74691 }
74692 @@ -650,6 +650,10 @@ static bool free_pages_prepare(struct pa
74693 int i;
74694 int bad = 0;
74695
74696 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74697 + unsigned long index = 1UL << order;
74698 +#endif
74699 +
74700 trace_mm_page_free_direct(page, order);
74701 kmemcheck_free_shadow(page, order);
74702
74703 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
74704 debug_check_no_obj_freed(page_address(page),
74705 PAGE_SIZE << order);
74706 }
74707 +
74708 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74709 + for (; index; --index)
74710 + sanitize_highpage(page + index - 1);
74711 +#endif
74712 +
74713 arch_free_page(page, order);
74714 kernel_map_pages(page, 1 << order, 0);
74715
74716 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
74717 arch_alloc_page(page, order);
74718 kernel_map_pages(page, 1 << order, 1);
74719
74720 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
74721 if (gfp_flags & __GFP_ZERO)
74722 prep_zero_page(page, order, gfp_flags);
74723 +#endif
74724
74725 if (order && (gfp_flags & __GFP_COMP))
74726 prep_compound_page(page, order);
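Review bot: With `CONFIG_PAX_MEMORY_SANITIZE` the `__GFP_ZERO` handling is compiled out with no comment on what replaces it. It presumably relies on `sanitize_highpage()` in free_pages_prepare leaving every freed page zeroed, and on no page reaching prep_new_page without having passed through that path. State that invariant next to the `#ifndef`, e.g. `/* pages are cleared on free when sanitizing, see free_pages_prepare() */`, so a later change to either side is checked against it. prep_new_page starts outside the hunk.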
74727 @@ -2504,6 +2516,8 @@ void __show_free_areas(unsigned int filt
74728 int cpu;
74729 struct zone *zone;
74730
74731 + pax_track_stack();
74732 +
74733 for_each_populated_zone(zone) {
74734 if (skip_free_areas_zone(filter, zone))
74735 continue;
74736 diff -urNp linux-2.6.39.3/mm/percpu.c linux-2.6.39.3/mm/percpu.c
74737 --- linux-2.6.39.3/mm/percpu.c 2011-05-19 00:06:34.000000000 -0400
74738 +++ linux-2.6.39.3/mm/percpu.c 2011-05-22 19:36:33.000000000 -0400
74739 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
74740 static unsigned int pcpu_last_unit_cpu __read_mostly;
74741
74742 /* the address of the first chunk which starts with the kernel static area */
74743 -void *pcpu_base_addr __read_mostly;
74744 +void *pcpu_base_addr __read_only;
74745 EXPORT_SYMBOL_GPL(pcpu_base_addr);
74746
74747 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74748 diff -urNp linux-2.6.39.3/mm/rmap.c linux-2.6.39.3/mm/rmap.c
74749 --- linux-2.6.39.3/mm/rmap.c 2011-05-19 00:06:34.000000000 -0400
74750 +++ linux-2.6.39.3/mm/rmap.c 2011-05-22 19:36:33.000000000 -0400
74751 @@ -131,6 +131,10 @@ int anon_vma_prepare(struct vm_area_stru
74752 struct anon_vma *anon_vma = vma->anon_vma;
74753 struct anon_vma_chain *avc;
74754
74755 +#ifdef CONFIG_PAX_SEGMEXEC
74756 + struct anon_vma_chain *avc_m = NULL;
74757 +#endif
74758 +
74759 might_sleep();
74760 if (unlikely(!anon_vma)) {
74761 struct mm_struct *mm = vma->vm_mm;
74762 @@ -140,6 +144,12 @@ int anon_vma_prepare(struct vm_area_stru
74763 if (!avc)
74764 goto out_enomem;
74765
74766 +#ifdef CONFIG_PAX_SEGMEXEC
74767 + avc_m = anon_vma_chain_alloc();
74768 + if (!avc_m)
74769 + goto out_enomem_free_avc;
74770 +#endif
74771 +
74772 anon_vma = find_mergeable_anon_vma(vma);
74773 allocated = NULL;
74774 if (!anon_vma) {
74775 @@ -153,6 +163,21 @@ int anon_vma_prepare(struct vm_area_stru
74776 /* page_table_lock to protect against threads */
74777 spin_lock(&mm->page_table_lock);
74778 if (likely(!vma->anon_vma)) {
74779 +
74780 +#ifdef CONFIG_PAX_SEGMEXEC
74781 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74782 +
74783 + if (vma_m) {
74784 + BUG_ON(vma_m->anon_vma);
74785 + vma_m->anon_vma = anon_vma;
74786 + avc_m->anon_vma = anon_vma;
74787 + avc_m->vma = vma;
74788 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
74789 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
74790 + avc_m = NULL;
74791 + }
74792 +#endif
74793 +
74794 vma->anon_vma = anon_vma;
74795 avc->anon_vma = anon_vma;
74796 avc->vma = vma;
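Review bot: In the mirror branch `avc_m->vma = vma;` stores the primary vma in a chain entry that is then linked onto `vma_m->anon_vma_chain`, while the entry for the primary just below is set with `avc->vma = vma;`. This looks like it should be `avc_m->vma = vma_m;`, otherwise code that walks `anon_vma->head` and reads `->vma` would see the primary twice and never the mirror. anon_vma_prepare starts and ends outside the hunk.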
74797 @@ -166,12 +191,24 @@ int anon_vma_prepare(struct vm_area_stru
74798
74799 if (unlikely(allocated))
74800 put_anon_vma(allocated);
74801 +
74802 +#ifdef CONFIG_PAX_SEGMEXEC
74803 + if (unlikely(avc_m))
74804 + anon_vma_chain_free(avc_m);
74805 +#endif
74806 +
74807 if (unlikely(avc))
74808 anon_vma_chain_free(avc);
74809 }
74810 return 0;
74811
74812 out_enomem_free_avc:
74813 +
74814 +#ifdef CONFIG_PAX_SEGMEXEC
74815 + if (avc_m)
74816 + anon_vma_chain_free(avc_m);
74817 +#endif
74818 +
74819 anon_vma_chain_free(avc);
74820 out_enomem:
74821 return -ENOMEM;
74822 @@ -198,7 +235,7 @@ static void anon_vma_chain_link(struct v
74823 * Attach the anon_vmas from src to dst.
74824 * Returns 0 on success, -ENOMEM on failure.
74825 */
74826 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
74827 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
74828 {
74829 struct anon_vma_chain *avc, *pavc;
74830
74831 @@ -220,7 +257,7 @@ int anon_vma_clone(struct vm_area_struct
74832 * the corresponding VMA in the parent process is attached to.
74833 * Returns 0 on success, non-zero on failure.
74834 */
74835 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
74836 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
74837 {
74838 struct anon_vma_chain *avc;
74839 struct anon_vma *anon_vma;
74840 diff -urNp linux-2.6.39.3/mm/shmem.c linux-2.6.39.3/mm/shmem.c
74841 --- linux-2.6.39.3/mm/shmem.c 2011-06-03 00:04:14.000000000 -0400
74842 +++ linux-2.6.39.3/mm/shmem.c 2011-06-03 00:32:08.000000000 -0400
74843 @@ -31,7 +31,7 @@
74844 #include <linux/percpu_counter.h>
74845 #include <linux/swap.h>
74846
74847 -static struct vfsmount *shm_mnt;
74848 +struct vfsmount *shm_mnt;
74849
74850 #ifdef CONFIG_SHMEM
74851 /*
74852 @@ -1087,6 +1087,8 @@ static int shmem_writepage(struct page *
74853 goto unlock;
74854 }
74855 entry = shmem_swp_entry(info, index, NULL);
74856 + if (!entry)
74857 + goto unlock;
74858 if (entry->val) {
74859 /*
74860 * The more uptodate page coming down from a stacked
74861 @@ -1158,6 +1160,8 @@ static struct page *shmem_swapin(swp_ent
74862 struct vm_area_struct pvma;
74863 struct page *page;
74864
74865 + pax_track_stack();
74866 +
74867 spol = mpol_cond_copy(&mpol,
74868 mpol_shared_policy_lookup(&info->policy, idx));
74869
74870 @@ -2014,7 +2018,7 @@ static int shmem_symlink(struct inode *d
74871
74872 info = SHMEM_I(inode);
74873 inode->i_size = len-1;
74874 - if (len <= (char *)inode - (char *)info) {
74875 + if (len <= (char *)inode - (char *)info && len <= 64) {
74876 /* do it inline */
74877 memcpy(info, symname, len);
74878 inode->i_op = &shmem_symlink_inline_operations;
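Review bot: The `len <= 64` bound added to the inline-symlink test is a bare number with no comment, so a reader cannot tell which limit it mirrors or whether it has to follow a structure size. I would put the reason next to it, e.g. `/* cap inline symlink bodies at 64 bytes, however much room lies between info and the inode */`, or give the value a name at the top of the file. shmem_symlink starts and ends outside this hunk, so the path taken by longer names is not visible here.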
74879 @@ -2362,8 +2366,7 @@ int shmem_fill_super(struct super_block
74880 int err = -ENOMEM;
74881
74882 /* Round up to L1_CACHE_BYTES to resist false sharing */
74883 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74884 - L1_CACHE_BYTES), GFP_KERNEL);
74885 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74886 if (!sbinfo)
74887 return -ENOMEM;
74888
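Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` from `sizeof` with `L1_CACHE_BYTES`, whose type depends on the architecture's definition; the kernel's `max()` warns when its two operands differ in type. Stating the type removes that dependency: `sbinfo = kzalloc(max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);`. shmem_fill_super continues outside the hunk.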
74889 diff -urNp linux-2.6.39.3/mm/slab.c linux-2.6.39.3/mm/slab.c
74890 --- linux-2.6.39.3/mm/slab.c 2011-05-19 00:06:34.000000000 -0400
74891 +++ linux-2.6.39.3/mm/slab.c 2011-05-22 19:41:42.000000000 -0400
74892 @@ -150,7 +150,7 @@
74893
74894 /* Legal flag mask for kmem_cache_create(). */
74895 #if DEBUG
74896 -# define CREATE_MASK (SLAB_RED_ZONE | \
74897 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74898 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74899 SLAB_CACHE_DMA | \
74900 SLAB_STORE_USER | \
74901 @@ -158,7 +158,7 @@
74902 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74903 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74904 #else
74905 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74906 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74907 SLAB_CACHE_DMA | \
74908 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74909 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74910 @@ -287,7 +287,7 @@ struct kmem_list3 {
74911 * Need this for bootstrapping a per node allocator.
74912 */
74913 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74914 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74915 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74916 #define CACHE_CACHE 0
74917 #define SIZE_AC MAX_NUMNODES
74918 #define SIZE_L3 (2 * MAX_NUMNODES)
74919 @@ -388,10 +388,10 @@ static void kmem_list3_init(struct kmem_
74920 if ((x)->max_freeable < i) \
74921 (x)->max_freeable = i; \
74922 } while (0)
74923 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74924 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74925 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74926 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74927 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74928 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74929 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74930 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74931 #else
74932 #define STATS_INC_ACTIVE(x) do { } while (0)
74933 #define STATS_DEC_ACTIVE(x) do { } while (0)
74934 @@ -537,7 +537,7 @@ static inline void *index_to_obj(struct
74935 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74936 */
74937 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74938 - const struct slab *slab, void *obj)
74939 + const struct slab *slab, const void *obj)
74940 {
74941 u32 offset = (obj - slab->s_mem);
74942 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74943 @@ -563,7 +563,7 @@ struct cache_names {
74944 static struct cache_names __initdata cache_names[] = {
74945 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
74946 #include <linux/kmalloc_sizes.h>
74947 - {NULL,}
74948 + {NULL}
74949 #undef CACHE
74950 };
74951
74952 @@ -1529,7 +1529,7 @@ void __init kmem_cache_init(void)
74953 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74954 sizes[INDEX_AC].cs_size,
74955 ARCH_KMALLOC_MINALIGN,
74956 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74957 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74958 NULL);
74959
74960 if (INDEX_AC != INDEX_L3) {
74961 @@ -1537,7 +1537,7 @@ void __init kmem_cache_init(void)
74962 kmem_cache_create(names[INDEX_L3].name,
74963 sizes[INDEX_L3].cs_size,
74964 ARCH_KMALLOC_MINALIGN,
74965 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74966 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74967 NULL);
74968 }
74969
74970 @@ -1555,7 +1555,7 @@ void __init kmem_cache_init(void)
74971 sizes->cs_cachep = kmem_cache_create(names->name,
74972 sizes->cs_size,
74973 ARCH_KMALLOC_MINALIGN,
74974 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74975 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74976 NULL);
74977 }
74978 #ifdef CONFIG_ZONE_DMA
74979 @@ -4270,10 +4270,10 @@ static int s_show(struct seq_file *m, vo
74980 }
74981 /* cpu stats */
74982 {
74983 - unsigned long allochit = atomic_read(&cachep->allochit);
74984 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
74985 - unsigned long freehit = atomic_read(&cachep->freehit);
74986 - unsigned long freemiss = atomic_read(&cachep->freemiss);
74987 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
74988 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
74989 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
74990 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
74991
74992 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
74993 allochit, allocmiss, freehit, freemiss);
74994 @@ -4530,15 +4530,66 @@ static const struct file_operations proc
74995
74996 static int __init slab_proc_init(void)
74997 {
74998 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
74999 + mode_t gr_mode = S_IRUGO;
75000 +
75001 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75002 + gr_mode = S_IRUSR;
75003 +#endif
75004 +
75005 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
75006 #ifdef CONFIG_DEBUG_SLAB_LEAK
75007 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
75008 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
75009 #endif
75010 return 0;
75011 }
75012 module_init(slab_proc_init);
75013 #endif
75014
75015 +void check_object_size(const void *ptr, unsigned long n, bool to)
75016 +{
75017 +
75018 +#ifdef CONFIG_PAX_USERCOPY
75019 + struct page *page;
75020 + struct kmem_cache *cachep = NULL;
75021 + struct slab *slabp;
75022 + unsigned int objnr;
75023 + unsigned long offset;
75024 +
75025 + if (!n)
75026 + return;
75027 +
75028 + if (ZERO_OR_NULL_PTR(ptr))
75029 + goto report;
75030 +
75031 + if (!virt_addr_valid(ptr))
75032 + return;
75033 +
75034 + page = virt_to_head_page(ptr);
75035 +
75036 + if (!PageSlab(page)) {
75037 + if (object_is_on_stack(ptr, n) == -1)
75038 + goto report;
75039 + return;
75040 + }
75041 +
75042 + cachep = page_get_cache(page);
75043 + if (!(cachep->flags & SLAB_USERCOPY))
75044 + goto report;
75045 +
75046 + slabp = page_get_slab(page);
75047 + objnr = obj_to_index(cachep, slabp, ptr);
75048 + BUG_ON(objnr >= cachep->num);
75049 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
75050 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
75051 + return;
75052 +
75053 +report:
75054 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
75055 +#endif
75056 +
75057 +}
75058 +EXPORT_SYMBOL(check_object_size);
75059 +
75060 /**
75061 * ksize - get the actual amount of memory allocated for a given object
75062 * @objp: Pointer to the object
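Review bot: In check_object_size the `BUG_ON(objnr >= cachep->num)` halts on the kind of pointer the function exists to report: obj_to_index() subtracts `slab->s_mem` into a `u32`, so a pointer that lies in the slab page but outside the object array can yield an index at or above `cachep->num`. Treating it like the other failures keeps the handling uniform: `if (objnr >= cachep->num) goto report;`. Separately, the early `return` after `!virt_addr_valid(ptr)` accepts such pointers unchecked and has no comment; the copies of this function in the mm/slob.c and mm/slub.c hunks share that, and a line such as `/* not a linear-map address: no object bounds to compare against */` would make the limit explicit.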
75063 diff -urNp linux-2.6.39.3/mm/slob.c linux-2.6.39.3/mm/slob.c
75064 --- linux-2.6.39.3/mm/slob.c 2011-05-19 00:06:34.000000000 -0400
75065 +++ linux-2.6.39.3/mm/slob.c 2011-07-06 20:00:13.000000000 -0400
75066 @@ -29,7 +29,7 @@
75067 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
75068 * alloc_pages() directly, allocating compound pages so the page order
75069 * does not have to be separately tracked, and also stores the exact
75070 - * allocation size in page->private so that it can be used to accurately
75071 + * allocation size in slob_page->size so that it can be used to accurately
75072 * provide ksize(). These objects are detected in kfree() because slob_page()
75073 * is false for them.
75074 *
75075 @@ -58,6 +58,7 @@
75076 */
75077
75078 #include <linux/kernel.h>
75079 +#include <linux/sched.h>
75080 #include <linux/slab.h>
75081 #include <linux/mm.h>
75082 #include <linux/swap.h> /* struct reclaim_state */
75083 @@ -102,7 +103,8 @@ struct slob_page {
75084 unsigned long flags; /* mandatory */
75085 atomic_t _count; /* mandatory */
75086 slobidx_t units; /* free units left in page */
75087 - unsigned long pad[2];
75088 + unsigned long pad[1];
75089 + unsigned long size; /* size when >=PAGE_SIZE */
75090 slob_t *free; /* first free slob_t in page */
75091 struct list_head list; /* linked list of free pages */
75092 };
75093 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
75094 */
75095 static inline int is_slob_page(struct slob_page *sp)
75096 {
75097 - return PageSlab((struct page *)sp);
75098 + return PageSlab((struct page *)sp) && !sp->size;
75099 }
75100
75101 static inline void set_slob_page(struct slob_page *sp)
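Review bot: is_slob_page() no longer means "PageSlab is set", but nothing above the function says so. With set_slob_page() moved into slob_new_pages() (hunk at -254), every page obtained through that helper carries PageSlab, and the predicate now relies on `sp->size` being zero for small-object pages, which slob_alloc() sets in the hunk at -370. A comment would record the new contract, for instance `/* PageSlab is set on all slob pages; a non-zero sp->size marks a >= PAGE_SIZE allocation */`.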
75102 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
75103
75104 static inline struct slob_page *slob_page(const void *addr)
75105 {
75106 - return (struct slob_page *)virt_to_page(addr);
75107 + return (struct slob_page *)virt_to_head_page(addr);
75108 }
75109
75110 /*
75111 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
75112 /*
75113 * Return the size of a slob block.
75114 */
75115 -static slobidx_t slob_units(slob_t *s)
75116 +static slobidx_t slob_units(const slob_t *s)
75117 {
75118 if (s->units > 0)
75119 return s->units;
75120 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
75121 /*
75122 * Return the next free slob block pointer after this one.
75123 */
75124 -static slob_t *slob_next(slob_t *s)
75125 +static slob_t *slob_next(const slob_t *s)
75126 {
75127 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
75128 slobidx_t next;
75129 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
75130 /*
75131 * Returns true if s is the last free block in its page.
75132 */
75133 -static int slob_last(slob_t *s)
75134 +static int slob_last(const slob_t *s)
75135 {
75136 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
75137 }
75138 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
75139 if (!page)
75140 return NULL;
75141
75142 + set_slob_page(page);
75143 return page_address(page);
75144 }
75145
75146 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
75147 if (!b)
75148 return NULL;
75149 sp = slob_page(b);
75150 - set_slob_page(sp);
75151
75152 spin_lock_irqsave(&slob_lock, flags);
75153 sp->units = SLOB_UNITS(PAGE_SIZE);
75154 sp->free = b;
75155 + sp->size = 0;
75156 INIT_LIST_HEAD(&sp->list);
75157 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
75158 set_slob_page_free(sp, slob_list);
75159 @@ -476,10 +479,9 @@ out:
75160 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
75161 */
75162
75163 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75164 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
75165 {
75166 - unsigned int *m;
75167 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75168 + slob_t *m;
75169 void *ret;
75170
75171 lockdep_trace_alloc(gfp);
75172 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
75173
75174 if (!m)
75175 return NULL;
75176 - *m = size;
75177 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
75178 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
75179 + m[0].units = size;
75180 + m[1].units = align;
75181 ret = (void *)m + align;
75182
75183 trace_kmalloc_node(_RET_IP_, ret,
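Review bot: The two-word header written here (`m[0].units = size; m[1].units = align;`) is what check_object_size() walks in the later hunk, yet nothing documents the layout. The BUILD_BUG_ONs cover only the two architecture minimums, while `align` is now a parameter and kmem_cache_alloc_node passes `c->align` (hunk at -608); whether that value is always at least `2 * SLOB_UNIT` is not visible in this patch. I would add `/* header: m[0] = requested size, m[1] = align; object starts at m + align, so align >= 2 * SLOB_UNIT */` and, if the bound is not guaranteed elsewhere, `BUG_ON(align < 2 * SLOB_UNIT);`. The function starts in the previous hunk and ends in the next one.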
75184 @@ -504,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t
75185 gfp |= __GFP_COMP;
75186 ret = slob_new_pages(gfp, order, node);
75187 if (ret) {
75188 - struct page *page;
75189 - page = virt_to_page(ret);
75190 - page->private = size;
75191 + struct slob_page *sp;
75192 + sp = slob_page(ret);
75193 + sp->size = size;
75194 }
75195
75196 trace_kmalloc_node(_RET_IP_, ret,
75197 size, PAGE_SIZE << order, gfp, node);
75198 }
75199
75200 - kmemleak_alloc(ret, size, 1, gfp);
75201 + return ret;
75202 +}
75203 +
75204 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75205 +{
75206 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75207 + void *ret = __kmalloc_node_align(size, gfp, node, align);
75208 +
75209 + if (!ZERO_OR_NULL_PTR(ret))
75210 + kmemleak_alloc(ret, size, 1, gfp);
75211 return ret;
75212 }
75213 EXPORT_SYMBOL(__kmalloc_node);
75214 @@ -531,13 +545,88 @@ void kfree(const void *block)
75215 sp = slob_page(block);
75216 if (is_slob_page(sp)) {
75217 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75218 - unsigned int *m = (unsigned int *)(block - align);
75219 - slob_free(m, *m + align);
75220 - } else
75221 + slob_t *m = (slob_t *)(block - align);
75222 + slob_free(m, m[0].units + align);
75223 + } else {
75224 + clear_slob_page(sp);
75225 + free_slob_page(sp);
75226 + sp->size = 0;
75227 put_page(&sp->page);
75228 + }
75229 }
75230 EXPORT_SYMBOL(kfree);
75231
75232 +void check_object_size(const void *ptr, unsigned long n, bool to)
75233 +{
75234 +
75235 +#ifdef CONFIG_PAX_USERCOPY
75236 + struct slob_page *sp;
75237 + const slob_t *free;
75238 + const void *base;
75239 + unsigned long flags;
75240 +
75241 + if (!n)
75242 + return;
75243 +
75244 + if (ZERO_OR_NULL_PTR(ptr))
75245 + goto report;
75246 +
75247 + if (!virt_addr_valid(ptr))
75248 + return;
75249 +
75250 + sp = slob_page(ptr);
75251 + if (!PageSlab((struct page*)sp)) {
75252 + if (object_is_on_stack(ptr, n) == -1)
75253 + goto report;
75254 + return;
75255 + }
75256 +
75257 + if (sp->size) {
75258 + base = page_address(&sp->page);
75259 + if (base <= ptr && n <= sp->size - (ptr - base))
75260 + return;
75261 + goto report;
75262 + }
75263 +
75264 + /* some tricky double walking to find the chunk */
75265 + spin_lock_irqsave(&slob_lock, flags);
75266 + base = (void *)((unsigned long)ptr & PAGE_MASK);
75267 + free = sp->free;
75268 +
75269 + while (!slob_last(free) && (void *)free <= ptr) {
75270 + base = free + slob_units(free);
75271 + free = slob_next(free);
75272 + }
75273 +
75274 + while (base < (void *)free) {
75275 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
75276 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
75277 + int offset;
75278 +
75279 + if (ptr < base + align)
75280 + break;
75281 +
75282 + offset = ptr - base - align;
75283 + if (offset >= m) {
75284 + base += size;
75285 + continue;
75286 + }
75287 +
75288 + if (n > m - offset)
75289 + break;
75290 +
75291 + spin_unlock_irqrestore(&slob_lock, flags);
75292 + return;
75293 + }
75294 +
75295 + spin_unlock_irqrestore(&slob_lock, flags);
75296 +report:
75297 + pax_report_usercopy(ptr, n, to, NULL);
75298 +#endif
75299 +
75300 +}
75301 +EXPORT_SYMBOL(check_object_size);
75302 +
75303 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
75304 size_t ksize(const void *block)
75305 {
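Review bot: In the slob check_object_size the large-allocation branch tests `n <= sp->size - (ptr - base)` without first bounding the offset, so when `ptr` lies past `sp->size` inside the same compound page the unsigned subtraction can wrap and the copy is accepted. The slab and slub versions in this patch guard the same subtraction with an `offset <= ...` test; the equivalent here is `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. The walk further down also depends on every allocated chunk starting with the size/align header written by __kmalloc_node_align, which the comment "some tricky double walking" does not state.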
75306 @@ -550,10 +639,10 @@ size_t ksize(const void *block)
75307 sp = slob_page(block);
75308 if (is_slob_page(sp)) {
75309 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75310 - unsigned int *m = (unsigned int *)(block - align);
75311 - return SLOB_UNITS(*m) * SLOB_UNIT;
75312 + slob_t *m = (slob_t *)(block - align);
75313 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
75314 } else
75315 - return sp->page.private;
75316 + return sp->size;
75317 }
75318 EXPORT_SYMBOL(ksize);
75319
75320 @@ -569,8 +658,13 @@ struct kmem_cache *kmem_cache_create(con
75321 {
75322 struct kmem_cache *c;
75323
75324 +#ifdef CONFIG_PAX_USERCOPY
75325 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
75326 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
75327 +#else
75328 c = slob_alloc(sizeof(struct kmem_cache),
75329 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
75330 +#endif
75331
75332 if (c) {
75333 c->name = name;
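Review bot: Under CONFIG_PAX_USERCOPY the cache descriptor now comes from __kmalloc_node_align(), so `c` points `ARCH_KMALLOC_MINALIGN` bytes past the start of the slob block, but no hunk in mm/slob.c adjusts the code that frees the descriptor. If kmem_cache_destroy() still passes `c` and `sizeof(struct kmem_cache)` to slob_free(), the header units are never returned to the free list; this needs confirming against the full file. The counterpart of the adjustment made in kmem_cache_free() would be `slob_free((void *)c - ARCH_KMALLOC_MINALIGN, sizeof(struct kmem_cache) + ARCH_KMALLOC_MINALIGN);`. kmem_cache_create continues outside the hunk.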
75334 @@ -608,17 +702,25 @@ void *kmem_cache_alloc_node(struct kmem_
75335 {
75336 void *b;
75337
75338 +#ifdef CONFIG_PAX_USERCOPY
75339 + b = __kmalloc_node_align(c->size, flags, node, c->align);
75340 +#else
75341 if (c->size < PAGE_SIZE) {
75342 b = slob_alloc(c->size, flags, c->align, node);
75343 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75344 SLOB_UNITS(c->size) * SLOB_UNIT,
75345 flags, node);
75346 } else {
75347 + struct slob_page *sp;
75348 +
75349 b = slob_new_pages(flags, get_order(c->size), node);
75350 + sp = slob_page(b);
75351 + sp->size = c->size;
75352 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75353 PAGE_SIZE << get_order(c->size),
75354 flags, node);
75355 }
75356 +#endif
75357
75358 if (c->ctor)
75359 c->ctor(b);
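Review bot: The non-USERCOPY large-object branch writes `sp->size = c->size` without checking `b`, although slob_new_pages() returns NULL on allocation failure (hunk at -254) and __kmalloc_node_align() guards the same store with `if (ret)`. On failure slob_page(NULL) is handed to virt_to_head_page() and the result is written through. Guarding it takes one line: `if (b) slob_page(b)->size = c->size;`. kmem_cache_alloc_node starts and ends outside this hunk.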
75360 @@ -630,10 +732,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
75361
75362 static void __kmem_cache_free(void *b, int size)
75363 {
75364 - if (size < PAGE_SIZE)
75365 + struct slob_page *sp = slob_page(b);
75366 +
75367 + if (is_slob_page(sp))
75368 slob_free(b, size);
75369 - else
75370 + else {
75371 + clear_slob_page(sp);
75372 + free_slob_page(sp);
75373 + sp->size = 0;
75374 slob_free_pages(b, get_order(size));
75375 + }
75376 }
75377
75378 static void kmem_rcu_free(struct rcu_head *head)
75379 @@ -646,17 +754,31 @@ static void kmem_rcu_free(struct rcu_hea
75380
75381 void kmem_cache_free(struct kmem_cache *c, void *b)
75382 {
75383 + int size = c->size;
75384 +
75385 +#ifdef CONFIG_PAX_USERCOPY
75386 + if (size + c->align < PAGE_SIZE) {
75387 + size += c->align;
75388 + b -= c->align;
75389 + }
75390 +#endif
75391 +
75392 kmemleak_free_recursive(b, c->flags);
75393 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
75394 struct slob_rcu *slob_rcu;
75395 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
75396 - slob_rcu->size = c->size;
75397 + slob_rcu = b + (size - sizeof(struct slob_rcu));
75398 + slob_rcu->size = size;
75399 call_rcu(&slob_rcu->head, kmem_rcu_free);
75400 } else {
75401 - __kmem_cache_free(b, c->size);
75402 + __kmem_cache_free(b, size);
75403 }
75404
75405 +#ifdef CONFIG_PAX_USERCOPY
75406 + trace_kfree(_RET_IP_, b);
75407 +#else
75408 trace_kmem_cache_free(_RET_IP_, b);
75409 +#endif
75410 +
75411 }
75412 EXPORT_SYMBOL(kmem_cache_free);
75413
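Review bot: With CONFIG_PAX_USERCOPY, `b -= c->align` runs before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both see the header address rather than the pointer the caller was given. Assuming the allocation side registers the pointer it returns (that code is outside the visible hunks), kmemleak will not find the object and the trace event will not pair with the allocation. Calling `kmemleak_free_recursive(b, c->flags);` before the `#ifdef CONFIG_PAX_USERCOPY` adjustment, and keeping the caller's pointer in a local for the trace call, avoids that.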
75414 diff -urNp linux-2.6.39.3/mm/slub.c linux-2.6.39.3/mm/slub.c
75415 --- linux-2.6.39.3/mm/slub.c 2011-06-03 00:04:14.000000000 -0400
75416 +++ linux-2.6.39.3/mm/slub.c 2011-06-03 00:32:08.000000000 -0400
75417 @@ -431,7 +431,7 @@ static void print_track(const char *s, s
75418 if (!t->addr)
75419 return;
75420
75421 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
75422 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
75423 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
75424 }
75425
75426 @@ -2183,6 +2183,8 @@ void kmem_cache_free(struct kmem_cache *
75427
75428 page = virt_to_head_page(x);
75429
75430 + BUG_ON(!PageSlab(page));
75431 +
75432 slab_free(s, page, x, _RET_IP_);
75433
75434 trace_kmem_cache_free(_RET_IP_, x);
75435 @@ -2216,7 +2218,7 @@ static int slub_min_objects;
75436 * Merge control. If this is set then no merging of slab caches will occur.
75437 * (Could be removed. This was introduced to pacify the merge skeptics.)
75438 */
75439 -static int slub_nomerge;
75440 +static int slub_nomerge = 1;
75441
75442 /*
75443 * Calculate the order of allocation given an slab object size.
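Review bot: Initialising `slub_nomerge` to 1 flips the default, but the comment above still reads as if merging happens unless the flag is set. Unless something outside this hunk can clear the flag, find_mergeable() in kmem_cache_create (hunk at -3459) presumably never returns a cache. I would extend the comment, e.g. `/* Defaults to 1 in this tree: caches are kept separate so per-cache flags such as SLAB_USERCOPY stay meaningful. */`; the stated reason is my inference and should be confirmed.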
75444 @@ -2644,7 +2646,7 @@ static int kmem_cache_open(struct kmem_c
75445 * list to avoid pounding the page allocator excessively.
75446 */
75447 set_min_partial(s, ilog2(s->size));
75448 - s->refcount = 1;
75449 + atomic_set(&s->refcount, 1);
75450 #ifdef CONFIG_NUMA
75451 s->remote_node_defrag_ratio = 1000;
75452 #endif
75453 @@ -2750,8 +2752,7 @@ static inline int kmem_cache_close(struc
75454 void kmem_cache_destroy(struct kmem_cache *s)
75455 {
75456 down_write(&slub_lock);
75457 - s->refcount--;
75458 - if (!s->refcount) {
75459 + if (atomic_dec_and_test(&s->refcount)) {
75460 list_del(&s->list);
75461 if (kmem_cache_close(s)) {
75462 printk(KERN_ERR "SLUB %s: %s called for cache that "
75463 @@ -2961,6 +2962,46 @@ void *__kmalloc_node(size_t size, gfp_t
75464 EXPORT_SYMBOL(__kmalloc_node);
75465 #endif
75466
75467 +void check_object_size(const void *ptr, unsigned long n, bool to)
75468 +{
75469 +
75470 +#ifdef CONFIG_PAX_USERCOPY
75471 + struct page *page;
75472 + struct kmem_cache *s = NULL;
75473 + unsigned long offset;
75474 +
75475 + if (!n)
75476 + return;
75477 +
75478 + if (ZERO_OR_NULL_PTR(ptr))
75479 + goto report;
75480 +
75481 + if (!virt_addr_valid(ptr))
75482 + return;
75483 +
75484 + page = virt_to_head_page(ptr);
75485 +
75486 + if (!PageSlab(page)) {
75487 + if (object_is_on_stack(ptr, n) == -1)
75488 + goto report;
75489 + return;
75490 + }
75491 +
75492 + s = page->slab;
75493 + if (!(s->flags & SLAB_USERCOPY))
75494 + goto report;
75495 +
75496 + offset = (ptr - page_address(page)) % s->size;
75497 + if (offset <= s->objsize && n <= s->objsize - offset)
75498 + return;
75499 +
75500 +report:
75501 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
75502 +#endif
75503 +
75504 +}
75505 +EXPORT_SYMBOL(check_object_size);
75506 +
75507 size_t ksize(const void *object)
75508 {
75509 struct page *page;
75510 @@ -3205,7 +3246,7 @@ static void __init kmem_cache_bootstrap_
75511 int node;
75512
75513 list_add(&s->list, &slab_caches);
75514 - s->refcount = -1;
75515 + atomic_set(&s->refcount, -1);
75516
75517 for_each_node_state(node, N_NORMAL_MEMORY) {
75518 struct kmem_cache_node *n = get_node(s, node);
75519 @@ -3322,17 +3363,17 @@ void __init kmem_cache_init(void)
75520
75521 /* Caches that are not of the two-to-the-power-of size */
75522 if (KMALLOC_MIN_SIZE <= 32) {
75523 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
75524 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
75525 caches++;
75526 }
75527
75528 if (KMALLOC_MIN_SIZE <= 64) {
75529 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
75530 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
75531 caches++;
75532 }
75533
75534 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75535 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
75536 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
75537 caches++;
75538 }
75539
75540 @@ -3400,7 +3441,7 @@ static int slab_unmergeable(struct kmem_
75541 /*
75542 * We may have set a slab to be unmergeable during bootstrap.
75543 */
75544 - if (s->refcount < 0)
75545 + if (atomic_read(&s->refcount) < 0)
75546 return 1;
75547
75548 return 0;
75549 @@ -3459,7 +3500,7 @@ struct kmem_cache *kmem_cache_create(con
75550 down_write(&slub_lock);
75551 s = find_mergeable(size, align, flags, name, ctor);
75552 if (s) {
75553 - s->refcount++;
75554 + atomic_inc(&s->refcount);
75555 /*
75556 * Adjust the object sizes so that we clear
75557 * the complete object on kzalloc.
75558 @@ -3468,7 +3509,7 @@ struct kmem_cache *kmem_cache_create(con
75559 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
75560
75561 if (sysfs_slab_alias(s, name)) {
75562 - s->refcount--;
75563 + atomic_dec(&s->refcount);
75564 goto err;
75565 }
75566 up_write(&slub_lock);
75567 @@ -4201,7 +4242,7 @@ SLAB_ATTR_RO(ctor);
75568
75569 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75570 {
75571 - return sprintf(buf, "%d\n", s->refcount - 1);
75572 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75573 }
75574 SLAB_ATTR_RO(aliases);
75575
75576 @@ -4945,7 +4986,13 @@ static const struct file_operations proc
75577
75578 static int __init slab_proc_init(void)
75579 {
75580 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75581 + mode_t gr_mode = S_IRUGO;
75582 +
75583 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75584 + gr_mode = S_IRUSR;
75585 +#endif
75586 +
75587 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75588 return 0;
75589 }
75590 module_init(slab_proc_init);
75591 diff -urNp linux-2.6.39.3/mm/swap.c linux-2.6.39.3/mm/swap.c
75592 --- linux-2.6.39.3/mm/swap.c 2011-05-19 00:06:34.000000000 -0400
75593 +++ linux-2.6.39.3/mm/swap.c 2011-07-09 09:12:54.000000000 -0400
75594 @@ -31,6 +31,7 @@
75595 #include <linux/backing-dev.h>
75596 #include <linux/memcontrol.h>
75597 #include <linux/gfp.h>
75598 +#include <linux/hugetlb.h>
75599
75600 #include "internal.h"
75601
75602 @@ -71,6 +72,8 @@ static void __put_compound_page(struct p
75603
75604 __page_cache_release(page);
75605 dtor = get_compound_page_dtor(page);
75606 + if (!PageHuge(page))
75607 + BUG_ON(dtor != free_compound_page);
75608 (*dtor)(page);
75609 }
75610
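Review bot: The destructor check is written as an unbraced `if` wrapping a `BUG_ON`, and it does not say why huge pages are exempt while `(*dtor)(page)` still runs for them unchecked. Folding the condition into the assertion is easier to read: `BUG_ON(!PageHuge(page) && dtor != free_compound_page);`, with a comment such as `/* non-hugetlb compound pages must use the default destructor */`. __put_compound_page starts outside the hunk.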
75611 diff -urNp linux-2.6.39.3/mm/swapfile.c linux-2.6.39.3/mm/swapfile.c
75612 --- linux-2.6.39.3/mm/swapfile.c 2011-05-19 00:06:34.000000000 -0400
75613 +++ linux-2.6.39.3/mm/swapfile.c 2011-05-22 19:36:33.000000000 -0400
75614 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
75615
75616 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
75617 /* Activity counter to indicate that a swapon or swapoff has occurred */
75618 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
75619 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
75620
75621 static inline unsigned char swap_count(unsigned char ent)
75622 {
75623 @@ -1669,7 +1669,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
75624 }
75625 filp_close(swap_file, NULL);
75626 err = 0;
75627 - atomic_inc(&proc_poll_event);
75628 + atomic_inc_unchecked(&proc_poll_event);
75629 wake_up_interruptible(&proc_poll_wait);
75630
75631 out_dput:
75632 @@ -1690,8 +1690,8 @@ static unsigned swaps_poll(struct file *
75633
75634 poll_wait(file, &proc_poll_wait, wait);
75635
75636 - if (s->event != atomic_read(&proc_poll_event)) {
75637 - s->event = atomic_read(&proc_poll_event);
75638 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
75639 + s->event = atomic_read_unchecked(&proc_poll_event);
75640 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
75641 }
75642
75643 @@ -1797,7 +1797,7 @@ static int swaps_open(struct inode *inod
75644 }
75645
75646 s->seq.private = s;
75647 - s->event = atomic_read(&proc_poll_event);
75648 + s->event = atomic_read_unchecked(&proc_poll_event);
75649 return ret;
75650 }
75651
75652 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
75653 (p->flags & SWP_DISCARDABLE) ? "D" : "");
75654
75655 mutex_unlock(&swapon_mutex);
75656 - atomic_inc(&proc_poll_event);
75657 + atomic_inc_unchecked(&proc_poll_event);
75658 wake_up_interruptible(&proc_poll_wait);
75659
75660 if (S_ISREG(inode->i_mode))
75661 diff -urNp linux-2.6.39.3/mm/util.c linux-2.6.39.3/mm/util.c
75662 --- linux-2.6.39.3/mm/util.c 2011-05-19 00:06:34.000000000 -0400
75663 +++ linux-2.6.39.3/mm/util.c 2011-05-23 17:07:00.000000000 -0400
75664 @@ -112,6 +112,7 @@ EXPORT_SYMBOL(memdup_user);
75665 * allocated buffer. Use this if you don't want to free the buffer immediately
75666 * like, for example, with RCU.
75667 */
75668 +#undef __krealloc
75669 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
75670 {
75671 void *ret;
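Review bot: `#undef __krealloc` is added with no comment, so the reader has to guess that a header elsewhere in the patch presumably defines a macro of the same name that would otherwise rewrite this definition. A short note above it would do, e.g. `/* drop the wrapper macro so the real function can be defined and exported */`. The same applies to `#undef krealloc` in the next hunk and to `#undef __vmalloc` / `#undef vmalloc` in the mm/vmalloc.c hunks. The function body continues outside the hunk.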
75672 @@ -145,6 +146,7 @@ EXPORT_SYMBOL(__krealloc);
75673 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
75674 * %NULL pointer, the object pointed to is freed.
75675 */
75676 +#undef krealloc
75677 void *krealloc(const void *p, size_t new_size, gfp_t flags)
75678 {
75679 void *ret;
75680 @@ -219,6 +221,12 @@ EXPORT_SYMBOL(strndup_user);
75681 void arch_pick_mmap_layout(struct mm_struct *mm)
75682 {
75683 mm->mmap_base = TASK_UNMAPPED_BASE;
75684 +
75685 +#ifdef CONFIG_PAX_RANDMMAP
75686 + if (mm->pax_flags & MF_PAX_RANDMMAP)
75687 + mm->mmap_base += mm->delta_mmap;
75688 +#endif
75689 +
75690 mm->get_unmapped_area = arch_get_unmapped_area;
75691 mm->unmap_area = arch_unmap_area;
75692 }
75693 diff -urNp linux-2.6.39.3/mm/vmalloc.c linux-2.6.39.3/mm/vmalloc.c
75694 --- linux-2.6.39.3/mm/vmalloc.c 2011-05-19 00:06:34.000000000 -0400
75695 +++ linux-2.6.39.3/mm/vmalloc.c 2011-05-22 19:36:33.000000000 -0400
75696 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75697
75698 pte = pte_offset_kernel(pmd, addr);
75699 do {
75700 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75701 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75702 +
75703 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75704 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75705 + BUG_ON(!pte_exec(*pte));
75706 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75707 + continue;
75708 + }
75709 +#endif
75710 +
75711 + {
75712 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75713 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75714 + }
75715 } while (pte++, addr += PAGE_SIZE, addr != end);
75716 }
75717
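Review bot: The KERNEXEC branch in vunmap_pte_range does not unmap anything: for addresses in the module-exec window it rewrites the PTE to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` and skips the clear, and no comment explains that. It also relies on `__pa(addr)` being meaningful for that window, which cannot be checked from this hunk. I would add `/* module-exec range: re-point the PTE at __pa(addr) as PAGE_KERNEL_EXEC instead of clearing it */` above the `if` and state the `__pa()` assumption there. The function starts outside the hunk.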
75718 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75719 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75720 {
75721 pte_t *pte;
75722 + int ret = -ENOMEM;
75723
75724 /*
75725 * nr is a running index into the array which helps higher level
75726 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
75727 pte = pte_alloc_kernel(pmd, addr);
75728 if (!pte)
75729 return -ENOMEM;
75730 +
75731 + pax_open_kernel();
75732 do {
75733 struct page *page = pages[*nr];
75734
75735 - if (WARN_ON(!pte_none(*pte)))
75736 - return -EBUSY;
75737 - if (WARN_ON(!page))
75738 - return -ENOMEM;
75739 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75740 + if (pgprot_val(prot) & _PAGE_NX)
75741 +#endif
75742 +
75743 + if (WARN_ON(!pte_none(*pte))) {
75744 + ret = -EBUSY;
75745 + goto out;
75746 + }
75747 + if (WARN_ON(!page)) {
75748 + ret = -ENOMEM;
75749 + goto out;
75750 + }
75751 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75752 (*nr)++;
75753 } while (pte++, addr += PAGE_SIZE, addr != end);
75754 - return 0;
75755 + ret = 0;
75756 +out:
75757 + pax_close_kernel();
75758 + return ret;
75759 }
75760
75761 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
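Review bot: The `if (pgprot_val(prot) & _PAGE_NX)` inside the `#if` has no body of its own; it takes the following `if (WARN_ON(!pte_none(*pte))) { ... }` as its statement, so only that check is skipped for executable mappings while the `!page` check always runs. That is easy to misread and easy to break when a line is inserted between the two. A comment directly above the `#if` would help, e.g. `/* exec module PTEs are left populated by vunmap_pte_range, so only NX mappings expect an empty slot */`, together with indenting the guarded block under it. The same dangling-`if`-under-`#ifdef` shape appears in the vmalloc_to_page hunk (`pud_large`/`pmd_large`) and in __vmalloc_node_range (`else` before `#endif`). The function starts in the previous hunk.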
75762 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
75763 * and fall back on vmalloc() if that fails. Others
75764 * just put it in the vmalloc space.
75765 */
75766 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75767 +#ifdef CONFIG_MODULES
75768 +#ifdef MODULES_VADDR
75769 unsigned long addr = (unsigned long)x;
75770 if (addr >= MODULES_VADDR && addr < MODULES_END)
75771 return 1;
75772 #endif
75773 +
75774 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75775 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75776 + return 1;
75777 +#endif
75778 +
75779 +#endif
75780 +
75781 return is_vmalloc_addr(x);
75782 }
75783
75784 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
75785
75786 if (!pgd_none(*pgd)) {
75787 pud_t *pud = pud_offset(pgd, addr);
75788 +#ifdef CONFIG_X86
75789 + if (!pud_large(*pud))
75790 +#endif
75791 if (!pud_none(*pud)) {
75792 pmd_t *pmd = pmd_offset(pud, addr);
75793 +#ifdef CONFIG_X86
75794 + if (!pmd_large(*pmd))
75795 +#endif
75796 if (!pmd_none(*pmd)) {
75797 pte_t *ptep, pte;
75798
75799 @@ -1296,6 +1336,16 @@ static struct vm_struct *__get_vm_area_n
75800 struct vm_struct *area;
75801
75802 BUG_ON(in_interrupt());
75803 +
75804 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75805 + if (flags & VM_KERNEXEC) {
75806 + if (start != VMALLOC_START || end != VMALLOC_END)
75807 + return NULL;
75808 + start = (unsigned long)MODULES_EXEC_VADDR;
75809 + end = (unsigned long)MODULES_EXEC_END;
75810 + }
75811 +#endif
75812 +
75813 if (flags & VM_IOREMAP) {
75814 int bit = fls(size);
75815
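Review bot: A `VM_KERNEXEC` request whose range is not exactly `VMALLOC_START`..`VMALLOC_END` returns NULL with no diagnostic, which a caller cannot tell apart from address-space exhaustion. This looks like a caller error rather than a runtime condition, so I would make it visible with `if (WARN_ON_ONCE(start != VMALLOC_START || end != VMALLOC_END)) return NULL;`. A short comment should also say that executable areas are always placed in MODULES_EXEC_VADDR..MODULES_EXEC_END, whatever range was requested. The function begins and ends outside the hunk.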
75816 @@ -1514,6 +1564,11 @@ void *vmap(struct page **pages, unsigned
75817 if (count > totalram_pages)
75818 return NULL;
75819
75820 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75821 + if (!(pgprot_val(prot) & _PAGE_NX))
75822 + flags |= VM_KERNEXEC;
75823 +#endif
75824 +
75825 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75826 __builtin_return_address(0));
75827 if (!area)
75828 @@ -1610,6 +1665,13 @@ void *__vmalloc_node_range(unsigned long
75829 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75830 return NULL;
75831
75832 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75833 + if (!(pgprot_val(prot) & _PAGE_NX))
75834 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75835 + node, gfp_mask, caller);
75836 + else
75837 +#endif
75838 +
75839 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
75840 gfp_mask, caller);
75841
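Review bot: When `prot` lacks `_PAGE_NX`, the caller's `start` and `end` are replaced by `VMALLOC_START`/`VMALLOC_END` without any comment, so a caller asking for an executable mapping in its own range silently gets one placed elsewhere. The `else` that ends the `#if` block is separated from the statement it governs by `#endif` and a blank line, which is easy to break in a later edit. Choosing the arguments first and keeping one call avoids the dangling `else`; this assumes `start` and `end` are not read again further down, which the hunk does not show. vmap() in the previous hunk derives `VM_KERNEXEC` from `prot` in the same way and would benefit from the same comment.

```c
/* … unchanged: size / totalram_pages check … */
	unsigned long vm_flags = VM_ALLOC;	/* declare with the other locals */

#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
	/*
	 * Executable mappings are placed by __get_vm_area_node(), which
	 * only accepts the full vmalloc range for VM_KERNEXEC requests.
	 */
	if (!(pgprot_val(prot) & _PAGE_NX)) {
		vm_flags |= VM_KERNEXEC;
		start = VMALLOC_START;
		end = VMALLOC_END;
	}
#endif

	area = __get_vm_area_node(size, align, vm_flags, start, end, node,
				  gfp_mask, caller);
```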
75842 @@ -1649,6 +1711,7 @@ static void *__vmalloc_node(unsigned lon
75843 gfp_mask, prot, node, caller);
75844 }
75845
75846 +#undef __vmalloc
75847 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75848 {
75849 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
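Review bot: The bare `#undef __vmalloc` has no comment saying which macro it removes or why. The same pattern repeats in the following hunks before vmalloc, vzalloc, vmalloc_user, vmalloc_node, vzalloc_node, vmalloc_exec, vmalloc_32 and vmalloc_32_user. Presumably a header elsewhere in the patch wraps these names in macros and the `#undef` lets the real functions be defined, but that header is not visible here. One comment at this first occurrence would be enough: `/* these entry points may be wrapped by macros in a header; drop the wrapper before defining the function */`.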
75850 @@ -1672,6 +1735,7 @@ static inline void *__vmalloc_node_flags
75851 * For tight control over page level allocator and protection flags
75852 * use __vmalloc() instead.
75853 */
75854 +#undef vmalloc
75855 void *vmalloc(unsigned long size)
75856 {
75857 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
75858 @@ -1688,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc);
75859 * For tight control over page level allocator and protection flags
75860 * use __vmalloc() instead.
75861 */
75862 +#undef vzalloc
75863 void *vzalloc(unsigned long size)
75864 {
75865 return __vmalloc_node_flags(size, -1,
75866 @@ -1702,6 +1767,7 @@ EXPORT_SYMBOL(vzalloc);
75867 * The resulting memory area is zeroed so it can be mapped to userspace
75868 * without leaking data.
75869 */
75870 +#undef vmalloc_user
75871 void *vmalloc_user(unsigned long size)
75872 {
75873 struct vm_struct *area;
75874 @@ -1729,6 +1795,7 @@ EXPORT_SYMBOL(vmalloc_user);
75875 * For tight control over page level allocator and protection flags
75876 * use __vmalloc() instead.
75877 */
75878 +#undef vmalloc_node
75879 void *vmalloc_node(unsigned long size, int node)
75880 {
75881 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75882 @@ -1748,6 +1815,7 @@ EXPORT_SYMBOL(vmalloc_node);
75883 * For tight control over page level allocator and protection flags
75884 * use __vmalloc_node() instead.
75885 */
75886 +#undef vzalloc_node
75887 void *vzalloc_node(unsigned long size, int node)
75888 {
75889 return __vmalloc_node_flags(size, node,
75890 @@ -1770,10 +1838,10 @@ EXPORT_SYMBOL(vzalloc_node);
75891 * For tight control over page level allocator and protection flags
75892 * use __vmalloc() instead.
75893 */
75894 -
75895 +#undef vmalloc_exec
75896 void *vmalloc_exec(unsigned long size)
75897 {
75898 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75899 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75900 -1, __builtin_return_address(0));
75901 }
75902
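Review bot: vmalloc_exec() now passes `__GFP_ZERO`, but the kernel-doc block above it, which starts outside this hunk, still describes a plain allocation. Callers that fill only part of an executable area should be able to rely on the rest being zero bytes rather than stale memory. I would add one line to the comment: ` * The returned memory is zero-filled.`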
75903 @@ -1792,6 +1860,7 @@ void *vmalloc_exec(unsigned long size)
75904 * Allocate enough 32bit PA addressable pages to cover @size from the
75905 * page level allocator and map them into contiguous kernel virtual space.
75906 */
75907 +#undef vmalloc_32
75908 void *vmalloc_32(unsigned long size)
75909 {
75910 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75911 @@ -1806,6 +1875,7 @@ EXPORT_SYMBOL(vmalloc_32);
75912 * The resulting memory area is 32bit addressable and zeroed so it can be
75913 * mapped to userspace without leaking data.
75914 */
75915 +#undef vmalloc_32_user
75916 void *vmalloc_32_user(unsigned long size)
75917 {
75918 struct vm_struct *area;
75919 @@ -2068,6 +2138,8 @@ int remap_vmalloc_range(struct vm_area_s
75920 unsigned long uaddr = vma->vm_start;
75921 unsigned long usize = vma->vm_end - vma->vm_start;
75922
75923 + BUG_ON(vma->vm_mirror);
75924 +
75925 if ((PAGE_SIZE-1) & (unsigned long)addr)
75926 return -EINVAL;
75927
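Review bot: `BUG_ON(vma->vm_mirror)` oopses on a condition the function could simply refuse, while the very next check already rejects bad input with `-EINVAL`. Unless a mirrored vma reaching this point means state is already corrupted, `if (WARN_ON(vma->vm_mirror)) return -EINVAL;` reports the problem without taking the task down. Either way the line needs a comment saying what `vm_mirror` marks and why such a vma must never be remapped here. The field is declared elsewhere in the patch.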
75928 diff -urNp linux-2.6.39.3/mm/vmstat.c linux-2.6.39.3/mm/vmstat.c
75929 --- linux-2.6.39.3/mm/vmstat.c 2011-05-19 00:06:34.000000000 -0400
75930 +++ linux-2.6.39.3/mm/vmstat.c 2011-05-22 19:41:42.000000000 -0400
75931 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
75932 *
75933 * vm_stat contains the global counters
75934 */
75935 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75936 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75937 EXPORT_SYMBOL(vm_stat);
75938
75939 #ifdef CONFIG_SMP
75940 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
75941 v = p->vm_stat_diff[i];
75942 p->vm_stat_diff[i] = 0;
75943 local_irq_restore(flags);
75944 - atomic_long_add(v, &zone->vm_stat[i]);
75945 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75946 global_diff[i] += v;
75947 #ifdef CONFIG_NUMA
75948 /* 3 seconds idle till flush */
75949 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
75950
75951 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75952 if (global_diff[i])
75953 - atomic_long_add(global_diff[i], &vm_stat[i]);
75954 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75955 }
75956
75957 #endif
75958 @@ -1205,10 +1205,20 @@ static int __init setup_vmstat(void)
75959 start_cpu_timer(cpu);
75960 #endif
75961 #ifdef CONFIG_PROC_FS
75962 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
75963 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
75964 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
75965 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
75966 + {
75967 + mode_t gr_mode = S_IRUGO;
75968 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75969 + gr_mode = S_IRUSR;
75970 +#endif
75971 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
75972 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
75973 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
75974 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
75975 +#else
75976 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
75977 +#endif
75978 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
75979 + }
75980 #endif
75981 return 0;
75982 }
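Review bot: Under `CONFIG_GRKERNSEC_PROC_USERGROUP` only `vmstat` gets `S_IRGRP`, while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay at `gr_mode`, and nothing in the hunk says whether that difference is intended. When `CONFIG_GRKERNSEC_PROC_ADD` is off, `gr_mode` is still `S_IRUGO`, so `| S_IRGRP` changes nothing. Which group can actually read the file depends on the entry's gid, which is not set here. A comment listing the intended mode of each entry per option would settle this. The initialiser would also read better as an `#ifdef`/`#else` pair assigning `S_IRUSR` or `S_IRUGO` once, instead of assign-then-overwrite.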
75983 diff -urNp linux-2.6.39.3/net/8021q/vlan.c linux-2.6.39.3/net/8021q/vlan.c
75984 --- linux-2.6.39.3/net/8021q/vlan.c 2011-05-19 00:06:34.000000000 -0400
75985 +++ linux-2.6.39.3/net/8021q/vlan.c 2011-05-22 19:36:33.000000000 -0400
75986 @@ -592,8 +592,7 @@ static int vlan_ioctl_handler(struct net
75987 err = -EPERM;
75988 if (!capable(CAP_NET_ADMIN))
75989 break;
75990 - if ((args.u.name_type >= 0) &&
75991 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
75992 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
75993 struct vlan_net *vn;
75994
75995 vn = net_generic(net, vlan_net_id);
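Review bot: Dropping `args.u.name_type >= 0` is safe only if `name_type` is an unsigned type, and its declaration is not in this hunk. The value arrives through the ioctl argument and is used as a selector in code that continues outside the hunk, so the bound should not depend on a type defined far away. An explicit cast keeps the check self-contained and still avoids the always-true comparison: `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`.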
75996 diff -urNp linux-2.6.39.3/net/atm/atm_misc.c linux-2.6.39.3/net/atm/atm_misc.c
75997 --- linux-2.6.39.3/net/atm/atm_misc.c 2011-05-19 00:06:34.000000000 -0400
75998 +++ linux-2.6.39.3/net/atm/atm_misc.c 2011-05-22 19:36:33.000000000 -0400
75999 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
76000 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
76001 return 1;
76002 atm_return(vcc, truesize);
76003 - atomic_inc(&vcc->stats->rx_drop);
76004 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76005 return 0;
76006 }
76007 EXPORT_SYMBOL(atm_charge);
76008 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
76009 }
76010 }
76011 atm_return(vcc, guess);
76012 - atomic_inc(&vcc->stats->rx_drop);
76013 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76014 return NULL;
76015 }
76016 EXPORT_SYMBOL(atm_alloc_charge);
76017 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
76018
76019 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
76020 {
76021 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
76022 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
76023 __SONET_ITEMS
76024 #undef __HANDLE_ITEM
76025 }
76026 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
76027
76028 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
76029 {
76030 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76031 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
76032 __SONET_ITEMS
76033 #undef __HANDLE_ITEM
76034 }
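Review bot: The replacement macro drops the space after the comma, `atomic_sub_unchecked(to->i,&from->i)`, where the removed line and the matching change in net/atm/resources.c both keep it. The rewritten `seq_printf()` arguments in add_stats() in net/atm/proc.c have the same problem. Keeping the original spacing, `atomic_sub_unchecked(to->i, &from->i)`, leaves the diff against upstream as a pure rename.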
76035 diff -urNp linux-2.6.39.3/net/atm/mpoa_caches.c linux-2.6.39.3/net/atm/mpoa_caches.c
76036 --- linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-19 00:06:34.000000000 -0400
76037 +++ linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-22 19:36:33.000000000 -0400
76038 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
76039 struct timeval now;
76040 struct k_message msg;
76041
76042 + pax_track_stack();
76043 +
76044 do_gettimeofday(&now);
76045
76046 read_lock_bh(&client->ingress_lock);
76047 diff -urNp linux-2.6.39.3/net/atm/proc.c linux-2.6.39.3/net/atm/proc.c
76048 --- linux-2.6.39.3/net/atm/proc.c 2011-05-19 00:06:34.000000000 -0400
76049 +++ linux-2.6.39.3/net/atm/proc.c 2011-05-22 19:41:42.000000000 -0400
76050 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
76051 const struct k_atm_aal_stats *stats)
76052 {
76053 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
76054 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
76055 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
76056 - atomic_read(&stats->rx_drop));
76057 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
76058 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
76059 + atomic_read_unchecked(&stats->rx_drop));
76060 }
76061
76062 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
76063 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
76064 {
76065 struct sock *sk = sk_atm(vcc);
76066
76067 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76068 + seq_printf(seq, "%p ", NULL);
76069 +#else
76070 seq_printf(seq, "%p ", vcc);
76071 +#endif
76072 +
76073 if (!vcc->dev)
76074 seq_printf(seq, "Unassigned ");
76075 else
76076 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
76077 {
76078 if (!vcc->dev)
76079 seq_printf(seq, sizeof(void *) == 4 ?
76080 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76081 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
76082 +#else
76083 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
76084 +#endif
76085 else
76086 seq_printf(seq, "%3d %3d %5d ",
76087 vcc->dev->number, vcc->vpi, vcc->vci);
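Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` … `#endif` sits inside the argument list of `seq_printf(`, cutting the conditional expression off from its operands. That compiles only while `seq_printf` is a real function, because preprocessing directives inside the arguments of a function-like macro are undefined in C. The two copies of the format strings can also drift apart. Selecting the pointer first avoids both problems: declare `const void *shown = NULL;`, set it to `vcc` under `#ifndef CONFIG_GRKERNSEC_HIDESYM`, and keep one `seq_printf(seq, sizeof(void *) == 4 ? "N/A@%p%10s" : "N/A@%p%2s", shown, "");`. The same duplicated-call pattern appears in vcc_info() in the previous hunk and in bcm_proc_show() in net/can/bcm.c.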
76088 diff -urNp linux-2.6.39.3/net/atm/resources.c linux-2.6.39.3/net/atm/resources.c
76089 --- linux-2.6.39.3/net/atm/resources.c 2011-05-19 00:06:34.000000000 -0400
76090 +++ linux-2.6.39.3/net/atm/resources.c 2011-05-22 19:36:33.000000000 -0400
76091 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
76092 static void copy_aal_stats(struct k_atm_aal_stats *from,
76093 struct atm_aal_stats *to)
76094 {
76095 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
76096 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
76097 __AAL_STAT_ITEMS
76098 #undef __HANDLE_ITEM
76099 }
76100 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
76101 static void subtract_aal_stats(struct k_atm_aal_stats *from,
76102 struct atm_aal_stats *to)
76103 {
76104 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76105 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
76106 __AAL_STAT_ITEMS
76107 #undef __HANDLE_ITEM
76108 }
76109 diff -urNp linux-2.6.39.3/net/batman-adv/hard-interface.c linux-2.6.39.3/net/batman-adv/hard-interface.c
76110 --- linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-19 00:06:34.000000000 -0400
76111 +++ linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-22 19:36:33.000000000 -0400
76112 @@ -339,8 +339,8 @@ int hardif_enable_interface(struct hard_
76113 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
76114 dev_add_pack(&hard_iface->batman_adv_ptype);
76115
76116 - atomic_set(&hard_iface->seqno, 1);
76117 - atomic_set(&hard_iface->frag_seqno, 1);
76118 + atomic_set_unchecked(&hard_iface->seqno, 1);
76119 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
76120 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
76121 hard_iface->net_dev->name);
76122
76123 diff -urNp linux-2.6.39.3/net/batman-adv/routing.c linux-2.6.39.3/net/batman-adv/routing.c
76124 --- linux-2.6.39.3/net/batman-adv/routing.c 2011-05-19 00:06:34.000000000 -0400
76125 +++ linux-2.6.39.3/net/batman-adv/routing.c 2011-05-22 19:36:33.000000000 -0400
76126 @@ -625,7 +625,7 @@ void receive_bat_packet(struct ethhdr *e
76127 return;
76128
76129 /* could be changed by schedule_own_packet() */
76130 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
76131 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
76132
76133 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
76134
76135 diff -urNp linux-2.6.39.3/net/batman-adv/send.c linux-2.6.39.3/net/batman-adv/send.c
76136 --- linux-2.6.39.3/net/batman-adv/send.c 2011-05-19 00:06:34.000000000 -0400
76137 +++ linux-2.6.39.3/net/batman-adv/send.c 2011-05-22 19:36:33.000000000 -0400
76138 @@ -277,7 +277,7 @@ void schedule_own_packet(struct hard_ifa
76139
76140 /* change sequence number to network order */
76141 batman_packet->seqno =
76142 - htonl((uint32_t)atomic_read(&hard_iface->seqno));
76143 + htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
76144
76145 if (vis_server == VIS_TYPE_SERVER_SYNC)
76146 batman_packet->flags |= VIS_SERVER;
76147 @@ -291,7 +291,7 @@ void schedule_own_packet(struct hard_ifa
76148 else
76149 batman_packet->gw_flags = 0;
76150
76151 - atomic_inc(&hard_iface->seqno);
76152 + atomic_inc_unchecked(&hard_iface->seqno);
76153
76154 slide_own_bcast_window(hard_iface);
76155 send_time = own_send_time(bat_priv);
76156 diff -urNp linux-2.6.39.3/net/batman-adv/soft-interface.c linux-2.6.39.3/net/batman-adv/soft-interface.c
76157 --- linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-19 00:06:34.000000000 -0400
76158 +++ linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-22 19:36:33.000000000 -0400
76159 @@ -386,7 +386,7 @@ int interface_tx(struct sk_buff *skb, st
76160
76161 /* set broadcast sequence number */
76162 bcast_packet->seqno =
76163 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
76164 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
76165
76166 add_bcast_packet_to_list(bat_priv, skb);
76167
76168 @@ -579,7 +579,7 @@ struct net_device *softif_create(char *n
76169 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
76170
76171 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
76172 - atomic_set(&bat_priv->bcast_seqno, 1);
76173 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
76174 atomic_set(&bat_priv->hna_local_changed, 0);
76175
76176 bat_priv->primary_if = NULL;
76177 diff -urNp linux-2.6.39.3/net/batman-adv/types.h linux-2.6.39.3/net/batman-adv/types.h
76178 --- linux-2.6.39.3/net/batman-adv/types.h 2011-05-19 00:06:34.000000000 -0400
76179 +++ linux-2.6.39.3/net/batman-adv/types.h 2011-05-22 19:36:33.000000000 -0400
76180 @@ -38,8 +38,8 @@ struct hard_iface {
76181 int16_t if_num;
76182 char if_status;
76183 struct net_device *net_dev;
76184 - atomic_t seqno;
76185 - atomic_t frag_seqno;
76186 + atomic_unchecked_t seqno;
76187 + atomic_unchecked_t frag_seqno;
76188 unsigned char *packet_buff;
76189 int packet_len;
76190 struct kobject *hardif_obj;
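Review bot: `seqno` and `frag_seqno` here, and `bcast_seqno` in the next hunk, change to `atomic_unchecked_t` with no comment on why they are exempt from the checked type. Presumably these are protocol sequence numbers that are expected to wrap. Saying so next to the field keeps a later cleanup from converting them back, and matches the short trailing comments already used in `struct bat_priv`: `atomic_unchecked_t seqno; /* sequence number, wraps by design */`.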
76191 @@ -141,7 +141,7 @@ struct bat_priv {
76192 atomic_t orig_interval; /* uint */
76193 atomic_t hop_penalty; /* uint */
76194 atomic_t log_level; /* uint */
76195 - atomic_t bcast_seqno;
76196 + atomic_unchecked_t bcast_seqno;
76197 atomic_t bcast_queue_left;
76198 atomic_t batman_queue_left;
76199 char num_ifaces;
76200 diff -urNp linux-2.6.39.3/net/batman-adv/unicast.c linux-2.6.39.3/net/batman-adv/unicast.c
76201 --- linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-19 00:06:34.000000000 -0400
76202 +++ linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-22 19:36:33.000000000 -0400
76203 @@ -263,7 +263,7 @@ int frag_send_skb(struct sk_buff *skb, s
76204 frag1->flags = UNI_FRAG_HEAD | large_tail;
76205 frag2->flags = large_tail;
76206
76207 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
76208 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
76209 frag1->seqno = htons(seqno - 1);
76210 frag2->seqno = htons(seqno);
76211
76212 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_core.c linux-2.6.39.3/net/bluetooth/l2cap_core.c
76213 --- linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
76214 +++ linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
76215 @@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
76216
76217 /* Reject if config buffer is too small. */
76218 len = cmd_len - sizeof(*req);
76219 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76220 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76221 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
76222 l2cap_build_conf_rsp(sk, rsp,
76223 L2CAP_CONF_REJECT, flags), rsp);
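Review bot: The new `len < 0` test depends on `len` being a signed type and on the unsigned result of `cmd_len - sizeof(*req)` converting to a negative value, and neither declaration is in this hunk. Comparing the sizes before relying on the difference needs no such assumption: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`. The sum on the right is compared against a `size_t`, so it also has to be known non-negative, which the same check guarantees. The function body starts and ends outside the hunk.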
76224 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_sock.c linux-2.6.39.3/net/bluetooth/l2cap_sock.c
76225 --- linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
76226 +++ linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
76227 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
76228 break;
76229 }
76230
76231 + memset(&cinfo, 0, sizeof(cinfo));
76232 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
76233 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
76234
76235 diff -urNp linux-2.6.39.3/net/bluetooth/rfcomm/sock.c linux-2.6.39.3/net/bluetooth/rfcomm/sock.c
76236 --- linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
76237 +++ linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
76238 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
76239
76240 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
76241
76242 + memset(&cinfo, 0, sizeof(cinfo));
76243 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
76244 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
76245
76246 diff -urNp linux-2.6.39.3/net/bridge/br_multicast.c linux-2.6.39.3/net/bridge/br_multicast.c
76247 --- linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
76248 +++ linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400
76249 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
76250 nexthdr = ip6h->nexthdr;
76251 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
76252
76253 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
76254 + if (nexthdr != IPPROTO_ICMPV6)
76255 return 0;
76256
76257 /* Okay, we found ICMPv6 header */
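Review bot: Removing `offset < 0` leaves the result of `ipv6_skip_exthdr()` unchecked, and that function returns a negative value when it cannot walk the extension headers. If the test was dropped because `offset` is declared unsigned (the declaration is outside this hunk), the comparison was dead code and the real defect is the variable's type. The fix is then to declare `int offset;` and keep `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)`. As written, a failed parse is rejected only when `nexthdr` happens not to be `IPPROTO_ICMPV6`, and `offset` is presumably used to locate the ICMPv6 header in the code that follows.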
76258 diff -urNp linux-2.6.39.3/net/bridge/netfilter/ebtables.c linux-2.6.39.3/net/bridge/netfilter/ebtables.c
76259 --- linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-19 00:06:34.000000000 -0400
76260 +++ linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-22 19:36:33.000000000 -0400
76261 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
76262 tmp.valid_hooks = t->table->valid_hooks;
76263 }
76264 mutex_unlock(&ebt_mutex);
76265 - if (copy_to_user(user, &tmp, *len) != 0){
76266 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
76267 BUGPRINT("c2u Didn't work\n");
76268 ret = -EFAULT;
76269 break;
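Review bot: An oversized `*len` now takes the same branch as a failed `copy_to_user()`, so userspace gets `-EFAULT` and the debug message says "c2u Didn't work" for what is really an invalid length. The bound itself is right, since `tmp` is the stack object being copied out. Splitting the test gives a truthful error: `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` placed ahead of the copy. The enclosing case begins outside the hunk, so an earlier length check may already exist there.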
76270 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
76271 int ret;
76272 void __user *pos;
76273
76274 + pax_track_stack();
76275 +
76276 memset(&tinfo, 0, sizeof(tinfo));
76277
76278 if (cmd == EBT_SO_GET_ENTRIES) {
76279 diff -urNp linux-2.6.39.3/net/caif/caif_socket.c linux-2.6.39.3/net/caif/caif_socket.c
76280 --- linux-2.6.39.3/net/caif/caif_socket.c 2011-05-19 00:06:34.000000000 -0400
76281 +++ linux-2.6.39.3/net/caif/caif_socket.c 2011-05-22 19:36:33.000000000 -0400
76282 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
76283 #ifdef CONFIG_DEBUG_FS
76284 struct debug_fs_counter {
76285 atomic_t caif_nr_socks;
76286 - atomic_t num_connect_req;
76287 - atomic_t num_connect_resp;
76288 - atomic_t num_connect_fail_resp;
76289 - atomic_t num_disconnect;
76290 - atomic_t num_remote_shutdown_ind;
76291 - atomic_t num_tx_flow_off_ind;
76292 - atomic_t num_tx_flow_on_ind;
76293 - atomic_t num_rx_flow_off;
76294 - atomic_t num_rx_flow_on;
76295 + atomic_unchecked_t num_connect_req;
76296 + atomic_unchecked_t num_connect_resp;
76297 + atomic_unchecked_t num_connect_fail_resp;
76298 + atomic_unchecked_t num_disconnect;
76299 + atomic_unchecked_t num_remote_shutdown_ind;
76300 + atomic_unchecked_t num_tx_flow_off_ind;
76301 + atomic_unchecked_t num_tx_flow_on_ind;
76302 + atomic_unchecked_t num_rx_flow_off;
76303 + atomic_unchecked_t num_rx_flow_on;
76304 };
76305 static struct debug_fs_counter cnt;
76306 #define dbfs_atomic_inc(v) atomic_inc(v)
76307 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
76308 #define dbfs_atomic_dec(v) atomic_dec(v)
76309 #else
76310 #define dbfs_atomic_inc(v)
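Review bot: `dbfs_atomic_inc_unchecked()` is defined only in the `CONFIG_DEBUG_FS` branch; the `#else` branch at the end of this hunk still provides only the empty `dbfs_atomic_inc(v)`. The later hunks for this file all shift by the same single line, so none of them adds the missing definition. With debugfs disabled, every converted call site below would reference an undefined macro and the undeclared `cnt`, and the file would not build. Add the no-op twin beside the existing one in the `#else` branch: `#define dbfs_atomic_inc_unchecked(v)`.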
76311 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
76312 atomic_read(&cf_sk->sk.sk_rmem_alloc),
76313 sk_rcvbuf_lowwater(cf_sk));
76314 set_rx_flow_off(cf_sk);
76315 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76316 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76317 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76318 }
76319
76320 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
76321 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
76322 set_rx_flow_off(cf_sk);
76323 pr_debug("sending flow OFF due to rmem_schedule\n");
76324 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76325 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76326 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76327 }
76328 skb->dev = NULL;
76329 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
76330 switch (flow) {
76331 case CAIF_CTRLCMD_FLOW_ON_IND:
76332 /* OK from modem to start sending again */
76333 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
76334 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
76335 set_tx_flow_on(cf_sk);
76336 cf_sk->sk.sk_state_change(&cf_sk->sk);
76337 break;
76338
76339 case CAIF_CTRLCMD_FLOW_OFF_IND:
76340 /* Modem asks us to shut up */
76341 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
76342 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
76343 set_tx_flow_off(cf_sk);
76344 cf_sk->sk.sk_state_change(&cf_sk->sk);
76345 break;
76346
76347 case CAIF_CTRLCMD_INIT_RSP:
76348 /* We're now connected */
76349 - dbfs_atomic_inc(&cnt.num_connect_resp);
76350 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
76351 cf_sk->sk.sk_state = CAIF_CONNECTED;
76352 set_tx_flow_on(cf_sk);
76353 cf_sk->sk.sk_state_change(&cf_sk->sk);
76354 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
76355
76356 case CAIF_CTRLCMD_INIT_FAIL_RSP:
76357 /* Connect request failed */
76358 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
76359 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
76360 cf_sk->sk.sk_err = ECONNREFUSED;
76361 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
76362 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76363 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
76364
76365 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
76366 /* Modem has closed this connection, or device is down. */
76367 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
76368 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
76369 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76370 cf_sk->sk.sk_err = ECONNRESET;
76371 set_rx_flow_on(cf_sk);
76372 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
76373 return;
76374
76375 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
76376 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
76377 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
76378 set_rx_flow_on(cf_sk);
76379 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
76380 }
76381 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
76382 /*ifindex = id of the interface.*/
76383 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
76384
76385 - dbfs_atomic_inc(&cnt.num_connect_req);
76386 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
76387 cf_sk->layer.receive = caif_sktrecv_cb;
76388 err = caif_connect_client(&cf_sk->conn_req,
76389 &cf_sk->layer, &ifindex, &headroom, &tailroom);
76390 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
76391 spin_unlock(&sk->sk_receive_queue.lock);
76392 sock->sk = NULL;
76393
76394 - dbfs_atomic_inc(&cnt.num_disconnect);
76395 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
76396
76397 if (cf_sk->debugfs_socket_dir != NULL)
76398 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
76399 diff -urNp linux-2.6.39.3/net/caif/cfctrl.c linux-2.6.39.3/net/caif/cfctrl.c
76400 --- linux-2.6.39.3/net/caif/cfctrl.c 2011-05-19 00:06:34.000000000 -0400
76401 +++ linux-2.6.39.3/net/caif/cfctrl.c 2011-05-22 19:36:33.000000000 -0400
76402 @@ -9,6 +9,7 @@
76403 #include <linux/stddef.h>
76404 #include <linux/spinlock.h>
76405 #include <linux/slab.h>
76406 +#include <linux/sched.h>
76407 #include <net/caif/caif_layer.h>
76408 #include <net/caif/cfpkt.h>
76409 #include <net/caif/cfctrl.h>
76410 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
76411 dev_info.id = 0xff;
76412 memset(this, 0, sizeof(*this));
76413 cfsrvl_init(&this->serv, 0, &dev_info, false);
76414 - atomic_set(&this->req_seq_no, 1);
76415 - atomic_set(&this->rsp_seq_no, 1);
76416 + atomic_set_unchecked(&this->req_seq_no, 1);
76417 + atomic_set_unchecked(&this->rsp_seq_no, 1);
76418 this->serv.layer.receive = cfctrl_recv;
76419 sprintf(this->serv.layer.name, "ctrl");
76420 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
76421 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
76422 struct cfctrl_request_info *req)
76423 {
76424 spin_lock(&ctrl->info_list_lock);
76425 - atomic_inc(&ctrl->req_seq_no);
76426 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
76427 + atomic_inc_unchecked(&ctrl->req_seq_no);
76428 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
76429 list_add_tail(&req->list, &ctrl->list);
76430 spin_unlock(&ctrl->info_list_lock);
76431 }
76432 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
76433 if (p != first)
76434 pr_warn("Requests are not received in order\n");
76435
76436 - atomic_set(&ctrl->rsp_seq_no,
76437 + atomic_set_unchecked(&ctrl->rsp_seq_no,
76438 p->sequence_no);
76439 list_del(&p->list);
76440 goto out;
76441 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
76442 struct cfctrl *cfctrl = container_obj(layer);
76443 struct cfctrl_request_info rsp, *req;
76444
76445 + pax_track_stack();
76446
76447 cfpkt_extr_head(pkt, &cmdrsp, 1);
76448 cmd = cmdrsp & CFCTRL_CMD_MASK;
76449 diff -urNp linux-2.6.39.3/net/can/bcm.c linux-2.6.39.3/net/can/bcm.c
76450 --- linux-2.6.39.3/net/can/bcm.c 2011-05-19 00:06:34.000000000 -0400
76451 +++ linux-2.6.39.3/net/can/bcm.c 2011-05-22 19:41:42.000000000 -0400
76452 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
76453 struct bcm_sock *bo = bcm_sk(sk);
76454 struct bcm_op *op;
76455
76456 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76457 + seq_printf(m, ">>> socket %p", NULL);
76458 + seq_printf(m, " / sk %p", NULL);
76459 + seq_printf(m, " / bo %p", NULL);
76460 +#else
76461 seq_printf(m, ">>> socket %p", sk->sk_socket);
76462 seq_printf(m, " / sk %p", sk);
76463 seq_printf(m, " / bo %p", bo);
76464 +#endif
76465 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
76466 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
76467 seq_printf(m, " <<<\n");
76468 diff -urNp linux-2.6.39.3/net/core/datagram.c linux-2.6.39.3/net/core/datagram.c
76469 --- linux-2.6.39.3/net/core/datagram.c 2011-05-19 00:06:34.000000000 -0400
76470 +++ linux-2.6.39.3/net/core/datagram.c 2011-05-22 19:36:33.000000000 -0400
76471 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
76472 }
76473
76474 kfree_skb(skb);
76475 - atomic_inc(&sk->sk_drops);
76476 + atomic_inc_unchecked(&sk->sk_drops);
76477 sk_mem_reclaim_partial(sk);
76478
76479 return err;
76480 diff -urNp linux-2.6.39.3/net/core/dev.c linux-2.6.39.3/net/core/dev.c
76481 --- linux-2.6.39.3/net/core/dev.c 2011-06-03 00:04:14.000000000 -0400
76482 +++ linux-2.6.39.3/net/core/dev.c 2011-06-03 00:32:08.000000000 -0400
76483 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
76484 if (no_module && capable(CAP_NET_ADMIN))
76485 no_module = request_module("netdev-%s", name);
76486 if (no_module && capable(CAP_SYS_MODULE)) {
76487 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
76488 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
76489 +#else
76490 if (!request_module("%s", name))
76491 pr_err("Loading kernel module for a network device "
76492 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
76493 "instead\n", name);
76494 +#endif
76495 }
76496 }
76497 EXPORT_SYMBOL(dev_load);
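Review bot: The `CONFIG_GRKERNSEC_MODHARDEN` branch calls `___request_module(true, "grsec_modharden_netdev", "%s", name)` with no comment on what the boolean and the marker string mean. It also drops both the return-value test and the deprecation `pr_err()` that the `#else` branch keeps. `___request_module` is defined elsewhere in the patch, so its contract cannot be read from this hunk. A comment above the call should say how the marker is consumed and whether staying silent on the deprecated CAP_SYS_MODULE path is intended.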
76498 @@ -1957,7 +1961,7 @@ struct dev_gso_cb {
76499
76500 static void dev_gso_skb_destructor(struct sk_buff *skb)
76501 {
76502 - struct dev_gso_cb *cb;
76503 + const struct dev_gso_cb *cb;
76504
76505 do {
76506 struct sk_buff *nskb = skb->next;
76507 @@ -2901,7 +2905,7 @@ int netif_rx_ni(struct sk_buff *skb)
76508 }
76509 EXPORT_SYMBOL(netif_rx_ni);
76510
76511 -static void net_tx_action(struct softirq_action *h)
76512 +static void net_tx_action(void)
76513 {
76514 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76515
76516 @@ -3765,7 +3769,7 @@ void netif_napi_del(struct napi_struct *
76517 }
76518 EXPORT_SYMBOL(netif_napi_del);
76519
76520 -static void net_rx_action(struct softirq_action *h)
76521 +static void net_rx_action(void)
76522 {
76523 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76524 unsigned long time_limit = jiffies + 2;
76525 diff -urNp linux-2.6.39.3/net/core/flow.c linux-2.6.39.3/net/core/flow.c
76526 --- linux-2.6.39.3/net/core/flow.c 2011-05-19 00:06:34.000000000 -0400
76527 +++ linux-2.6.39.3/net/core/flow.c 2011-05-22 19:36:34.000000000 -0400
76528 @@ -60,7 +60,7 @@ struct flow_cache {
76529 struct timer_list rnd_timer;
76530 };
76531
76532 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
76533 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
76534 EXPORT_SYMBOL(flow_cache_genid);
76535 static struct flow_cache flow_cache_global;
76536 static struct kmem_cache *flow_cachep __read_mostly;
76537 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
76538
76539 static int flow_entry_valid(struct flow_cache_entry *fle)
76540 {
76541 - if (atomic_read(&flow_cache_genid) != fle->genid)
76542 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
76543 return 0;
76544 if (fle->object && !fle->object->ops->check(fle->object))
76545 return 0;
76546 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
76547 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
76548 fcp->hash_count++;
76549 }
76550 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
76551 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
76552 flo = fle->object;
76553 if (!flo)
76554 goto ret_object;
76555 @@ -274,7 +274,7 @@ nocache:
76556 }
76557 flo = resolver(net, key, family, dir, flo, ctx);
76558 if (fle) {
76559 - fle->genid = atomic_read(&flow_cache_genid);
76560 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
76561 if (!IS_ERR(flo))
76562 fle->object = flo;
76563 else
76564 diff -urNp linux-2.6.39.3/net/core/skbuff.c linux-2.6.39.3/net/core/skbuff.c
76565 --- linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:04:14.000000000 -0400
76566 +++ linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:32:08.000000000 -0400
76567 @@ -1542,6 +1542,8 @@ int skb_splice_bits(struct sk_buff *skb,
76568 struct sock *sk = skb->sk;
76569 int ret = 0;
76570
76571 + pax_track_stack();
76572 +
76573 if (splice_grow_spd(pipe, &spd))
76574 return -ENOMEM;
76575
76576 diff -urNp linux-2.6.39.3/net/core/sock.c linux-2.6.39.3/net/core/sock.c
76577 --- linux-2.6.39.3/net/core/sock.c 2011-05-19 00:06:34.000000000 -0400
76578 +++ linux-2.6.39.3/net/core/sock.c 2011-05-22 19:36:34.000000000 -0400
76579 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76580 */
76581 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
76582 (unsigned)sk->sk_rcvbuf) {
76583 - atomic_inc(&sk->sk_drops);
76584 + atomic_inc_unchecked(&sk->sk_drops);
76585 return -ENOMEM;
76586 }
76587
76588 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76589 return err;
76590
76591 if (!sk_rmem_schedule(sk, skb->truesize)) {
76592 - atomic_inc(&sk->sk_drops);
76593 + atomic_inc_unchecked(&sk->sk_drops);
76594 return -ENOBUFS;
76595 }
76596
76597 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76598 skb_dst_force(skb);
76599
76600 spin_lock_irqsave(&list->lock, flags);
76601 - skb->dropcount = atomic_read(&sk->sk_drops);
76602 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
76603 __skb_queue_tail(list, skb);
76604 spin_unlock_irqrestore(&list->lock, flags);
76605
76606 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
76607 skb->dev = NULL;
76608
76609 if (sk_rcvqueues_full(sk, skb)) {
76610 - atomic_inc(&sk->sk_drops);
76611 + atomic_inc_unchecked(&sk->sk_drops);
76612 goto discard_and_relse;
76613 }
76614 if (nested)
76615 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
76616 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
76617 } else if (sk_add_backlog(sk, skb)) {
76618 bh_unlock_sock(sk);
76619 - atomic_inc(&sk->sk_drops);
76620 + atomic_inc_unchecked(&sk->sk_drops);
76621 goto discard_and_relse;
76622 }
76623
76624 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
76625 return -ENOTCONN;
76626 if (lv < len)
76627 return -EINVAL;
76628 - if (copy_to_user(optval, address, len))
76629 + if (len > sizeof(address) || copy_to_user(optval, address, len))
76630 return -EFAULT;
76631 goto lenout;
76632 }
76633 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
76634
76635 if (len > lv)
76636 len = lv;
76637 - if (copy_to_user(optval, &v, len))
76638 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
76639 return -EFAULT;
76640 lenout:
76641 if (put_user(len, optlen))
76642 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
76643 */
76644 smp_wmb();
76645 atomic_set(&sk->sk_refcnt, 1);
76646 - atomic_set(&sk->sk_drops, 0);
76647 + atomic_set_unchecked(&sk->sk_drops, 0);
76648 }
76649 EXPORT_SYMBOL(sock_init_data);
76650
76651 diff -urNp linux-2.6.39.3/net/decnet/sysctl_net_decnet.c linux-2.6.39.3/net/decnet/sysctl_net_decnet.c
76652 --- linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-19 00:06:34.000000000 -0400
76653 +++ linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-22 19:36:34.000000000 -0400
76654 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
76655
76656 if (len > *lenp) len = *lenp;
76657
76658 - if (copy_to_user(buffer, addr, len))
76659 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
76660 return -EFAULT;
76661
76662 *lenp = len;
76663 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
76664
76665 if (len > *lenp) len = *lenp;
76666
76667 - if (copy_to_user(buffer, devname, len))
76668 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
76669 return -EFAULT;
76670
76671 *lenp = len;
76672 diff -urNp linux-2.6.39.3/net/econet/Kconfig linux-2.6.39.3/net/econet/Kconfig
76673 --- linux-2.6.39.3/net/econet/Kconfig 2011-05-19 00:06:34.000000000 -0400
76674 +++ linux-2.6.39.3/net/econet/Kconfig 2011-05-22 19:41:42.000000000 -0400
76675 @@ -4,7 +4,7 @@
76676
76677 config ECONET
76678 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76679 - depends on EXPERIMENTAL && INET
76680 + depends on EXPERIMENTAL && INET && BROKEN
76681 ---help---
76682 Econet is a fairly old and slow networking protocol mainly used by
76683 Acorn computers to access file and print servers. It uses native
76684 diff -urNp linux-2.6.39.3/net/ipv4/fib_frontend.c linux-2.6.39.3/net/ipv4/fib_frontend.c
76685 --- linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-19 00:06:34.000000000 -0400
76686 +++ linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-22 19:36:34.000000000 -0400
76687 @@ -968,12 +968,12 @@ static int fib_inetaddr_event(struct not
76688 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76689 fib_sync_up(dev);
76690 #endif
76691 - atomic_inc(&net->ipv4.dev_addr_genid);
76692 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76693 rt_cache_flush(dev_net(dev), -1);
76694 break;
76695 case NETDEV_DOWN:
76696 fib_del_ifaddr(ifa, NULL);
76697 - atomic_inc(&net->ipv4.dev_addr_genid);
76698 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76699 if (ifa->ifa_dev->ifa_list == NULL) {
76700 /* Last address was deleted from this interface.
76701 * Disable IP.
76702 @@ -1009,7 +1009,7 @@ static int fib_netdev_event(struct notif
76703 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76704 fib_sync_up(dev);
76705 #endif
76706 - atomic_inc(&net->ipv4.dev_addr_genid);
76707 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76708 rt_cache_flush(dev_net(dev), -1);
76709 break;
76710 case NETDEV_DOWN:
76711 diff -urNp linux-2.6.39.3/net/ipv4/fib_semantics.c linux-2.6.39.3/net/ipv4/fib_semantics.c
76712 --- linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-19 00:06:34.000000000 -0400
76713 +++ linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-22 19:36:34.000000000 -0400
76714 @@ -701,7 +701,7 @@ __be32 fib_info_update_nh_saddr(struct n
76715 nh->nh_saddr = inet_select_addr(nh->nh_dev,
76716 nh->nh_gw,
76717 nh->nh_parent->fib_scope);
76718 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
76719 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
76720
76721 return nh->nh_saddr;
76722 }
76723 diff -urNp linux-2.6.39.3/net/ipv4/inet_diag.c linux-2.6.39.3/net/ipv4/inet_diag.c
76724 --- linux-2.6.39.3/net/ipv4/inet_diag.c 2011-07-09 09:18:51.000000000 -0400
76725 +++ linux-2.6.39.3/net/ipv4/inet_diag.c 2011-06-20 19:27:58.000000000 -0400
76726 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
76727 r->idiag_retrans = 0;
76728
76729 r->id.idiag_if = sk->sk_bound_dev_if;
76730 +
76731 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76732 + r->id.idiag_cookie[0] = 0;
76733 + r->id.idiag_cookie[1] = 0;
76734 +#else
76735 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76736 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76737 +#endif
76738
76739 r->id.idiag_sport = inet->inet_sport;
76740 r->id.idiag_dport = inet->inet_dport;
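Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block that zeroes `r->id.idiag_cookie[0]` and `r->id.idiag_cookie[1]` in inet_csk_diag_fill is repeated verbatim in inet_twsk_diag_fill and inet_diag_fill_req, so a fill routine added later can miss it and export a socket address again. One static helper taking `r` and the object pointer, with the `#ifdef` inside it, would keep the hiding in a single place. A one-line comment at that helper would record why the value is hidden, e.g. `/* the cookie is built from the kernel address of the sock; do not export it */`. The function body continues outside the hunk.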
76741 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
76742 r->idiag_family = tw->tw_family;
76743 r->idiag_retrans = 0;
76744 r->id.idiag_if = tw->tw_bound_dev_if;
76745 +
76746 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76747 + r->id.idiag_cookie[0] = 0;
76748 + r->id.idiag_cookie[1] = 0;
76749 +#else
76750 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76751 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76752 +#endif
76753 +
76754 r->id.idiag_sport = tw->tw_sport;
76755 r->id.idiag_dport = tw->tw_dport;
76756 r->id.idiag_src[0] = tw->tw_rcv_saddr;
76757 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
76758 if (sk == NULL)
76759 goto unlock;
76760
76761 +#ifndef CONFIG_GRKERNSEC_HIDESYM
76762 err = -ESTALE;
76763 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76764 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76765 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76766 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76767 goto out;
76768 +#endif
76769
76770 err = -ENOMEM;
76771 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
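Review bot: Compiling out the `-ESTALE` cookie comparison in inet_diag_get_exact carries no comment, and its consequence is not obvious from the hunk. With CONFIG_GRKERNSEC_HIDESYM, a request holding a cookie from a socket that has since gone away is answered with whatever socket now matches the address tuple. Presumably the check is dropped because the fill routines now report zero cookies, and because comparing a caller-supplied value against `(unsigned long)sk` would let the caller confirm guessed address bits. I would state that above the `#ifndef`, e.g. `/* HIDESYM: cookies are not exported, so they cannot be validated; stale requests go undetected */`.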
76772 @@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
76773 r->idiag_retrans = req->retrans;
76774
76775 r->id.idiag_if = sk->sk_bound_dev_if;
76776 +
76777 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76778 + r->id.idiag_cookie[0] = 0;
76779 + r->id.idiag_cookie[1] = 0;
76780 +#else
76781 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76782 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76783 +#endif
76784
76785 tmo = req->expires - jiffies;
76786 if (tmo < 0)
76787 diff -urNp linux-2.6.39.3/net/ipv4/inet_hashtables.c linux-2.6.39.3/net/ipv4/inet_hashtables.c
76788 --- linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-19 00:06:34.000000000 -0400
76789 +++ linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-22 19:41:42.000000000 -0400
76790 @@ -18,11 +18,14 @@
76791 #include <linux/sched.h>
76792 #include <linux/slab.h>
76793 #include <linux/wait.h>
76794 +#include <linux/security.h>
76795
76796 #include <net/inet_connection_sock.h>
76797 #include <net/inet_hashtables.h>
76798 #include <net/ip.h>
76799
76800 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76801 +
76802 /*
76803 * Allocate and initialize a new local port bind bucket.
76804 * The bindhash mutex for snum's hash chain must be held here.
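Review bot: `gr_update_task_in_ip_table` is declared with a file-local `extern` in inet_hashtables.c, so the compiler never checks this prototype against the definition. The same pattern appears for `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c, udp.c and tcp_ipv6.c, for `grsec_lastack_retries` in tcp_timer.c, and for `gr_search_udp_recvmsg` / `gr_search_udp_sendmsg` in udp.c. Declaring each of them once in a header that the defining file also includes would turn a type or signature mismatch into a build error rather than silent misbehaviour in a security check.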
76805 @@ -529,6 +532,8 @@ ok:
76806 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
76807 spin_unlock(&head->lock);
76808
76809 + gr_update_task_in_ip_table(current, inet_sk(sk));
76810 +
76811 if (tw) {
76812 inet_twsk_deschedule(tw, death_row);
76813 while (twrefcnt) {
76814 diff -urNp linux-2.6.39.3/net/ipv4/inetpeer.c linux-2.6.39.3/net/ipv4/inetpeer.c
76815 --- linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:18:51.000000000 -0400
76816 +++ linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:21:38.000000000 -0400
76817 @@ -480,6 +480,8 @@ struct inet_peer *inet_getpeer(struct in
76818 unsigned int sequence;
76819 int invalidated, newrefcnt = 0;
76820
76821 + pax_track_stack();
76822 +
76823 /* Look up for the address quickly, lockless.
76824 * Because of a concurrent writer, we might not find an existing entry.
76825 */
76826 @@ -516,8 +518,8 @@ found: /* The existing node has been fo
76827 if (p) {
76828 p->daddr = *daddr;
76829 atomic_set(&p->refcnt, 1);
76830 - atomic_set(&p->rid, 0);
76831 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76832 + atomic_set_unchecked(&p->rid, 0);
76833 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76834 p->tcp_ts_stamp = 0;
76835 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
76836 p->rate_tokens = 0;
76837 diff -urNp linux-2.6.39.3/net/ipv4/ip_fragment.c linux-2.6.39.3/net/ipv4/ip_fragment.c
76838 --- linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-19 00:06:34.000000000 -0400
76839 +++ linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-22 19:36:34.000000000 -0400
76840 @@ -297,7 +297,7 @@ static inline int ip_frag_too_far(struct
76841 return 0;
76842
76843 start = qp->rid;
76844 - end = atomic_inc_return(&peer->rid);
76845 + end = atomic_inc_return_unchecked(&peer->rid);
76846 qp->rid = end;
76847
76848 rc = qp->q.fragments && (end - start) > max;
76849 diff -urNp linux-2.6.39.3/net/ipv4/ip_sockglue.c linux-2.6.39.3/net/ipv4/ip_sockglue.c
76850 --- linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76851 +++ linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76852 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
76853 int val;
76854 int len;
76855
76856 + pax_track_stack();
76857 +
76858 if (level != SOL_IP)
76859 return -EOPNOTSUPP;
76860
76861 diff -urNp linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c
76862 --- linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-19 00:06:34.000000000 -0400
76863 +++ linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-22 19:36:34.000000000 -0400
76864 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
76865
76866 *len = 0;
76867
76868 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76869 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76870 if (*octets == NULL) {
76871 if (net_ratelimit())
76872 pr_notice("OOM in bsalg (%d)\n", __LINE__);
76873 diff -urNp linux-2.6.39.3/net/ipv4/raw.c linux-2.6.39.3/net/ipv4/raw.c
76874 --- linux-2.6.39.3/net/ipv4/raw.c 2011-05-19 00:06:34.000000000 -0400
76875 +++ linux-2.6.39.3/net/ipv4/raw.c 2011-05-22 19:41:42.000000000 -0400
76876 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
76877 int raw_rcv(struct sock *sk, struct sk_buff *skb)
76878 {
76879 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76880 - atomic_inc(&sk->sk_drops);
76881 + atomic_inc_unchecked(&sk->sk_drops);
76882 kfree_skb(skb);
76883 return NET_RX_DROP;
76884 }
76885 @@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
76886
76887 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76888 {
76889 + struct icmp_filter filter;
76890 +
76891 if (optlen > sizeof(struct icmp_filter))
76892 optlen = sizeof(struct icmp_filter);
76893 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76894 + if (copy_from_user(&filter, optval, optlen))
76895 return -EFAULT;
76896 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
76897 return 0;
76898 }
76899
76900 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76901 {
76902 + struct icmp_filter filter;
76903 int len, ret = -EFAULT;
76904
76905 if (get_user(len, optlen))
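Review bot: In raw_seticmpfilter the new `memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));` copies the whole local struct even when `optlen` is smaller than `sizeof(struct icmp_filter)`. The bytes that `copy_from_user` did not write are uninitialised stack data, which lands in the socket's filter and can later be read back through raw_geticmpfilter. The code being replaced wrote only `optlen` bytes and left the rest of the socket's filter untouched. Copy only what was received, `memcpy(&raw_sk(sk)->filter, &filter, optlen);`, as rawv6_seticmpfilter in net/ipv6/raw.c does in this same patch. raw_geticmpfilter's body continues outside the hunk.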
76906 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
76907 if (len > sizeof(struct icmp_filter))
76908 len = sizeof(struct icmp_filter);
76909 ret = -EFAULT;
76910 + memcpy(&filter, &raw_sk(sk)->filter, len);
76911 if (put_user(len, optlen) ||
76912 - copy_to_user(optval, &raw_sk(sk)->filter, len))
76913 + copy_to_user(optval, &filter, len))
76914 goto out;
76915 ret = 0;
76916 out: return ret;
76917 @@ -978,7 +983,13 @@ static void raw_sock_seq_show(struct seq
76918 sk_wmem_alloc_get(sp),
76919 sk_rmem_alloc_get(sp),
76920 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76921 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76922 + atomic_read(&sp->sk_refcnt),
76923 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76924 + NULL,
76925 +#else
76926 + sp,
76927 +#endif
76928 + atomic_read_unchecked(&sp->sk_drops));
76929 }
76930
76931 static int raw_seq_show(struct seq_file *seq, void *v)
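Review bot: Splicing `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL,` / `#else` / `sp,` / `#endif` into the middle of the argument list in raw_sock_seq_show makes the call hard to read. The same splice is repeated in get_openreq4, get_tcp4_sock, get_timewait4_sock, udp4_format_sock, raw6_sock_seq_show and get_openreq6. One macro in a shared header, expanding to `NULL` under the option and to its argument otherwise, would keep each call a single expression and make a missed `%p` site easier to spot in review. With a placeholder name the line would read `atomic_read(&sp->sk_refcnt), HIDE_PTR(sp),`.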
76932 diff -urNp linux-2.6.39.3/net/ipv4/route.c linux-2.6.39.3/net/ipv4/route.c
76933 --- linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:18:51.000000000 -0400
76934 +++ linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:19:27.000000000 -0400
76935 @@ -303,7 +303,7 @@ static inline unsigned int rt_hash(__be3
76936
76937 static inline int rt_genid(struct net *net)
76938 {
76939 - return atomic_read(&net->ipv4.rt_genid);
76940 + return atomic_read_unchecked(&net->ipv4.rt_genid);
76941 }
76942
76943 #ifdef CONFIG_PROC_FS
76944 @@ -831,7 +831,7 @@ static void rt_cache_invalidate(struct n
76945 unsigned char shuffle;
76946
76947 get_random_bytes(&shuffle, sizeof(shuffle));
76948 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76949 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76950 }
76951
76952 /*
76953 @@ -2833,7 +2833,7 @@ static int rt_fill_info(struct net *net,
76954 rt->peer->pmtu_expires - jiffies : 0;
76955 if (rt->peer) {
76956 inet_peer_refcheck(rt->peer);
76957 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
76958 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
76959 if (rt->peer->tcp_ts_stamp) {
76960 ts = rt->peer->tcp_ts;
76961 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
76962 diff -urNp linux-2.6.39.3/net/ipv4/tcp.c linux-2.6.39.3/net/ipv4/tcp.c
76963 --- linux-2.6.39.3/net/ipv4/tcp.c 2011-05-19 00:06:34.000000000 -0400
76964 +++ linux-2.6.39.3/net/ipv4/tcp.c 2011-05-22 19:36:34.000000000 -0400
76965 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
76966 int val;
76967 int err = 0;
76968
76969 + pax_track_stack();
76970 +
76971 /* These are data/string values, all the others are ints */
76972 switch (optname) {
76973 case TCP_CONGESTION: {
76974 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
76975 struct tcp_sock *tp = tcp_sk(sk);
76976 int val, len;
76977
76978 + pax_track_stack();
76979 +
76980 if (get_user(len, optlen))
76981 return -EFAULT;
76982
76983 diff -urNp linux-2.6.39.3/net/ipv4/tcp_ipv4.c linux-2.6.39.3/net/ipv4/tcp_ipv4.c
76984 --- linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-19 00:06:34.000000000 -0400
76985 +++ linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-22 19:41:42.000000000 -0400
76986 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
76987 int sysctl_tcp_low_latency __read_mostly;
76988 EXPORT_SYMBOL(sysctl_tcp_low_latency);
76989
76990 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76991 +extern int grsec_enable_blackhole;
76992 +#endif
76993
76994 #ifdef CONFIG_TCP_MD5SIG
76995 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
76996 @@ -1594,6 +1597,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
76997 return 0;
76998
76999 reset:
77000 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77001 + if (!grsec_enable_blackhole)
77002 +#endif
77003 tcp_v4_send_reset(rsk, skb);
77004 discard:
77005 kfree_skb(skb);
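Review bot: The guard at `reset:` in tcp_v4_do_rcv is an unbraced `if (!grsec_enable_blackhole)` wrapped in `#ifdef`, so the statement it controls is whatever line follows the `#endif`. Inserting a statement ahead of `tcp_v4_send_reset(rsk, skb);` would silently change what is suppressed. The same construct guards `tcp_v4_send_reset(NULL, skb);` in tcp_v4_rcv, the `if (!(flg & TCP_FLAG_RST))` in tcp_minisocks.c (where it nests two unbraced ifs), `icmp_send` in udp.c, and both sites in tcp_ipv6.c. A small inline predicate that returns false when CONFIG_GRKERNSEC_BLACKHOLE is off would let every site be an ordinary braced `if` with no preprocessor lines.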
77006 @@ -1656,12 +1662,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
77007 TCP_SKB_CB(skb)->sacked = 0;
77008
77009 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77010 - if (!sk)
77011 + if (!sk) {
77012 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77013 + ret = 1;
77014 +#endif
77015 goto no_tcp_socket;
77016 -
77017 + }
77018 process:
77019 - if (sk->sk_state == TCP_TIME_WAIT)
77020 + if (sk->sk_state == TCP_TIME_WAIT) {
77021 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77022 + ret = 2;
77023 +#endif
77024 goto do_time_wait;
77025 + }
77026
77027 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
77028 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
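Review bot: `ret = 1` and `ret = 2` in tcp_v4_rcv reuse an existing local as a marker for which path reached `no_tcp_socket`, and the only reader is the `ret == 1` test in the later hunk. Nothing says what the values mean or why `2` is set when it is never compared. A comment such as `/* 1: no socket matched, 2: TIME_WAIT socket */`, or two named constants, would make the loopback exception reviewable. It also looks as if every path into `no_tcp_socket` relies on one of these assignments having run, which cannot be confirmed here because the rest of the function is outside the hunk. tcp_v6_rcv in net/ipv6/tcp_ipv6.c has the same pattern.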
77029 @@ -1711,6 +1724,10 @@ no_tcp_socket:
77030 bad_packet:
77031 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77032 } else {
77033 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77034 + if (!grsec_enable_blackhole || (ret == 1 &&
77035 + (skb->dev->flags & IFF_LOOPBACK)))
77036 +#endif
77037 tcp_v4_send_reset(NULL, skb);
77038 }
77039
77040 @@ -2374,7 +2391,11 @@ static void get_openreq4(struct sock *sk
77041 0, /* non standard timer */
77042 0, /* open_requests have no inode */
77043 atomic_read(&sk->sk_refcnt),
77044 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77045 + NULL,
77046 +#else
77047 req,
77048 +#endif
77049 len);
77050 }
77051
77052 @@ -2424,7 +2445,12 @@ static void get_tcp4_sock(struct sock *s
77053 sock_i_uid(sk),
77054 icsk->icsk_probes_out,
77055 sock_i_ino(sk),
77056 - atomic_read(&sk->sk_refcnt), sk,
77057 + atomic_read(&sk->sk_refcnt),
77058 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77059 + NULL,
77060 +#else
77061 + sk,
77062 +#endif
77063 jiffies_to_clock_t(icsk->icsk_rto),
77064 jiffies_to_clock_t(icsk->icsk_ack.ato),
77065 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
77066 @@ -2452,7 +2478,13 @@ static void get_timewait4_sock(struct in
77067 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
77068 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
77069 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77070 - atomic_read(&tw->tw_refcnt), tw, len);
77071 + atomic_read(&tw->tw_refcnt),
77072 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77073 + NULL,
77074 +#else
77075 + tw,
77076 +#endif
77077 + len);
77078 }
77079
77080 #define TMPSZ 150
77081 diff -urNp linux-2.6.39.3/net/ipv4/tcp_minisocks.c linux-2.6.39.3/net/ipv4/tcp_minisocks.c
77082 --- linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-19 00:06:34.000000000 -0400
77083 +++ linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-22 19:41:42.000000000 -0400
77084 @@ -27,6 +27,10 @@
77085 #include <net/inet_common.h>
77086 #include <net/xfrm.h>
77087
77088 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77089 +extern int grsec_enable_blackhole;
77090 +#endif
77091 +
77092 int sysctl_tcp_syncookies __read_mostly = 1;
77093 EXPORT_SYMBOL(sysctl_tcp_syncookies);
77094
77095 @@ -745,6 +749,10 @@ listen_overflow:
77096
77097 embryonic_reset:
77098 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
77099 +
77100 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77101 + if (!grsec_enable_blackhole)
77102 +#endif
77103 if (!(flg & TCP_FLAG_RST))
77104 req->rsk_ops->send_reset(sk, skb);
77105
77106 diff -urNp linux-2.6.39.3/net/ipv4/tcp_output.c linux-2.6.39.3/net/ipv4/tcp_output.c
77107 --- linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-19 00:06:34.000000000 -0400
77108 +++ linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-22 19:36:34.000000000 -0400
77109 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
77110 int mss;
77111 int s_data_desired = 0;
77112
77113 + pax_track_stack();
77114 +
77115 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
77116 s_data_desired = cvp->s_data_desired;
77117 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
77118 diff -urNp linux-2.6.39.3/net/ipv4/tcp_probe.c linux-2.6.39.3/net/ipv4/tcp_probe.c
77119 --- linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-19 00:06:34.000000000 -0400
77120 +++ linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-22 19:36:34.000000000 -0400
77121 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
77122 if (cnt + width >= len)
77123 break;
77124
77125 - if (copy_to_user(buf + cnt, tbuf, width))
77126 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
77127 return -EFAULT;
77128 cnt += width;
77129 }
77130 diff -urNp linux-2.6.39.3/net/ipv4/tcp_timer.c linux-2.6.39.3/net/ipv4/tcp_timer.c
77131 --- linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-19 00:06:34.000000000 -0400
77132 +++ linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-22 19:41:42.000000000 -0400
77133 @@ -22,6 +22,10 @@
77134 #include <linux/gfp.h>
77135 #include <net/tcp.h>
77136
77137 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77138 +extern int grsec_lastack_retries;
77139 +#endif
77140 +
77141 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
77142 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
77143 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
77144 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
77145 }
77146 }
77147
77148 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77149 + if ((sk->sk_state == TCP_LAST_ACK) &&
77150 + (grsec_lastack_retries > 0) &&
77151 + (grsec_lastack_retries < retry_until))
77152 + retry_until = grsec_lastack_retries;
77153 +#endif
77154 +
77155 if (retransmits_timed_out(sk, retry_until,
77156 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
77157 /* Has it gone just too far? */
77158 diff -urNp linux-2.6.39.3/net/ipv4/udp.c linux-2.6.39.3/net/ipv4/udp.c
77159 --- linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:18:51.000000000 -0400
77160 +++ linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:19:27.000000000 -0400
77161 @@ -86,6 +86,7 @@
77162 #include <linux/types.h>
77163 #include <linux/fcntl.h>
77164 #include <linux/module.h>
77165 +#include <linux/security.h>
77166 #include <linux/socket.h>
77167 #include <linux/sockios.h>
77168 #include <linux/igmp.h>
77169 @@ -107,6 +108,10 @@
77170 #include <net/xfrm.h>
77171 #include "udp_impl.h"
77172
77173 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77174 +extern int grsec_enable_blackhole;
77175 +#endif
77176 +
77177 struct udp_table udp_table __read_mostly;
77178 EXPORT_SYMBOL(udp_table);
77179
77180 @@ -564,6 +569,9 @@ found:
77181 return s;
77182 }
77183
77184 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
77185 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
77186 +
77187 /*
77188 * This routine is called by the ICMP module when it gets some
77189 * sort of error condition. If err < 0 then the socket should
77190 @@ -853,9 +861,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
77191 dport = usin->sin_port;
77192 if (dport == 0)
77193 return -EINVAL;
77194 +
77195 + err = gr_search_udp_sendmsg(sk, usin);
77196 + if (err)
77197 + return err;
77198 } else {
77199 if (sk->sk_state != TCP_ESTABLISHED)
77200 return -EDESTADDRREQ;
77201 +
77202 + err = gr_search_udp_sendmsg(sk, NULL);
77203 + if (err)
77204 + return err;
77205 +
77206 daddr = inet->inet_daddr;
77207 dport = inet->inet_dport;
77208 /* Open fast path for connected socket.
77209 @@ -1090,7 +1107,7 @@ static unsigned int first_packet_length(
77210 udp_lib_checksum_complete(skb)) {
77211 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77212 IS_UDPLITE(sk));
77213 - atomic_inc(&sk->sk_drops);
77214 + atomic_inc_unchecked(&sk->sk_drops);
77215 __skb_unlink(skb, rcvq);
77216 __skb_queue_tail(&list_kill, skb);
77217 }
77218 @@ -1176,6 +1193,10 @@ try_again:
77219 if (!skb)
77220 goto out;
77221
77222 + err = gr_search_udp_recvmsg(sk, skb);
77223 + if (err)
77224 + goto out_free;
77225 +
77226 ulen = skb->len - sizeof(struct udphdr);
77227 if (len > ulen)
77228 len = ulen;
77229 @@ -1475,7 +1496,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
77230
77231 drop:
77232 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77233 - atomic_inc(&sk->sk_drops);
77234 + atomic_inc_unchecked(&sk->sk_drops);
77235 kfree_skb(skb);
77236 return -1;
77237 }
77238 @@ -1494,7 +1515,7 @@ static void flush_stack(struct sock **st
77239 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
77240
77241 if (!skb1) {
77242 - atomic_inc(&sk->sk_drops);
77243 + atomic_inc_unchecked(&sk->sk_drops);
77244 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
77245 IS_UDPLITE(sk));
77246 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77247 @@ -1663,6 +1684,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
77248 goto csum_error;
77249
77250 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
77251 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77252 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77253 +#endif
77254 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
77255
77256 /*
77257 @@ -2090,8 +2114,13 @@ static void udp4_format_sock(struct sock
77258 sk_wmem_alloc_get(sp),
77259 sk_rmem_alloc_get(sp),
77260 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77261 - atomic_read(&sp->sk_refcnt), sp,
77262 - atomic_read(&sp->sk_drops), len);
77263 + atomic_read(&sp->sk_refcnt),
77264 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77265 + NULL,
77266 +#else
77267 + sp,
77268 +#endif
77269 + atomic_read_unchecked(&sp->sk_drops), len);
77270 }
77271
77272 int udp4_seq_show(struct seq_file *seq, void *v)
77273 diff -urNp linux-2.6.39.3/net/ipv6/inet6_connection_sock.c linux-2.6.39.3/net/ipv6/inet6_connection_sock.c
77274 --- linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-19 00:06:34.000000000 -0400
77275 +++ linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-22 19:36:34.000000000 -0400
77276 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
77277 #ifdef CONFIG_XFRM
77278 {
77279 struct rt6_info *rt = (struct rt6_info *)dst;
77280 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
77281 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
77282 }
77283 #endif
77284 }
77285 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
77286 #ifdef CONFIG_XFRM
77287 if (dst) {
77288 struct rt6_info *rt = (struct rt6_info *)dst;
77289 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
77290 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
77291 __sk_dst_reset(sk);
77292 dst = NULL;
77293 }
77294 diff -urNp linux-2.6.39.3/net/ipv6/ipv6_sockglue.c linux-2.6.39.3/net/ipv6/ipv6_sockglue.c
77295 --- linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-19 00:06:34.000000000 -0400
77296 +++ linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-22 19:36:34.000000000 -0400
77297 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
77298 int val, valbool;
77299 int retv = -ENOPROTOOPT;
77300
77301 + pax_track_stack();
77302 +
77303 if (optval == NULL)
77304 val=0;
77305 else {
77306 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
77307 int len;
77308 int val;
77309
77310 + pax_track_stack();
77311 +
77312 if (ip6_mroute_opt(optname))
77313 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
77314
77315 diff -urNp linux-2.6.39.3/net/ipv6/raw.c linux-2.6.39.3/net/ipv6/raw.c
77316 --- linux-2.6.39.3/net/ipv6/raw.c 2011-05-19 00:06:34.000000000 -0400
77317 +++ linux-2.6.39.3/net/ipv6/raw.c 2011-05-22 19:41:42.000000000 -0400
77318 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
77319 {
77320 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
77321 skb_checksum_complete(skb)) {
77322 - atomic_inc(&sk->sk_drops);
77323 + atomic_inc_unchecked(&sk->sk_drops);
77324 kfree_skb(skb);
77325 return NET_RX_DROP;
77326 }
77327 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77328 struct raw6_sock *rp = raw6_sk(sk);
77329
77330 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
77331 - atomic_inc(&sk->sk_drops);
77332 + atomic_inc_unchecked(&sk->sk_drops);
77333 kfree_skb(skb);
77334 return NET_RX_DROP;
77335 }
77336 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77337
77338 if (inet->hdrincl) {
77339 if (skb_checksum_complete(skb)) {
77340 - atomic_inc(&sk->sk_drops);
77341 + atomic_inc_unchecked(&sk->sk_drops);
77342 kfree_skb(skb);
77343 return NET_RX_DROP;
77344 }
77345 @@ -601,7 +601,7 @@ out:
77346 return err;
77347 }
77348
77349 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
77350 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
77351 struct flowi6 *fl6, struct dst_entry **dstp,
77352 unsigned int flags)
77353 {
77354 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
77355 u16 proto;
77356 int err;
77357
77358 + pax_track_stack();
77359 +
77360 /* Rough check on arithmetic overflow,
77361 better check is made in ip6_append_data().
77362 */
77363 @@ -909,12 +911,15 @@ do_confirm:
77364 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
77365 char __user *optval, int optlen)
77366 {
77367 + struct icmp6_filter filter;
77368 +
77369 switch (optname) {
77370 case ICMPV6_FILTER:
77371 if (optlen > sizeof(struct icmp6_filter))
77372 optlen = sizeof(struct icmp6_filter);
77373 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
77374 + if (copy_from_user(&filter, optval, optlen))
77375 return -EFAULT;
77376 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
77377 return 0;
77378 default:
77379 return -ENOPROTOOPT;
77380 @@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
77381 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
77382 char __user *optval, int __user *optlen)
77383 {
77384 + struct icmp6_filter filter;
77385 int len;
77386
77387 switch (optname) {
77388 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
77389 len = sizeof(struct icmp6_filter);
77390 if (put_user(len, optlen))
77391 return -EFAULT;
77392 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
77393 + memcpy(&filter, &raw6_sk(sk)->filter, len);
77394 + if (copy_to_user(optval, &filter, len))
77395 return -EFAULT;
77396 return 0;
77397 default:
77398 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
77399 0, 0L, 0,
77400 sock_i_uid(sp), 0,
77401 sock_i_ino(sp),
77402 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77403 + atomic_read(&sp->sk_refcnt),
77404 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77405 + NULL,
77406 +#else
77407 + sp,
77408 +#endif
77409 + atomic_read_unchecked(&sp->sk_drops));
77410 }
77411
77412 static int raw6_seq_show(struct seq_file *seq, void *v)
77413 diff -urNp linux-2.6.39.3/net/ipv6/tcp_ipv6.c linux-2.6.39.3/net/ipv6/tcp_ipv6.c
77414 --- linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-19 00:06:34.000000000 -0400
77415 +++ linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-22 19:41:42.000000000 -0400
77416 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
77417 }
77418 #endif
77419
77420 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77421 +extern int grsec_enable_blackhole;
77422 +#endif
77423 +
77424 static void tcp_v6_hash(struct sock *sk)
77425 {
77426 if (sk->sk_state != TCP_CLOSE) {
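Review bot: `extern int grsec_enable_blackhole;` is declared directly in tcp_ipv6.c, and the identical declaration is repeated in net/ipv6/udp.c (hunk at -50). A declaration written in a .c file is not checked against the definition, so a later change of the variable's type would go unnoticed at these sites. Moving the declaration into a shared header under the same `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` would give both files one checked declaration; the definition itself is outside this view.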
77427 @@ -1660,6 +1664,9 @@ static int tcp_v6_do_rcv(struct sock *sk
77428 return 0;
77429
77430 reset:
77431 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77432 + if (!grsec_enable_blackhole)
77433 +#endif
77434 tcp_v6_send_reset(sk, skb);
77435 discard:
77436 if (opt_skb)
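Review bot: The `if (!grsec_enable_blackhole)` added at `reset:` in tcp_v6_do_rcv has no braces and lives inside `#ifdef`/`#endif`, so it silently governs whichever statement follows the `#endif`; anything later inserted before `tcp_v6_send_reset(sk, skb);` would become the conditional statement instead. The same construction is used at `no_tcp_socket` in tcp_v6_rcv and before `icmpv6_send()` in __udp6_lib_rcv. Those two sites keep an exception for packets arriving on an `IFF_LOOPBACK` device, while this one suppresses the reset on every interface; if that difference is intended, a one-line comment such as `/* blackhole: no RST here, loopback included */` would say so. The function body starts and ends outside the hunk.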
77437 @@ -1739,12 +1746,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
77438 TCP_SKB_CB(skb)->sacked = 0;
77439
77440 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77441 - if (!sk)
77442 + if (!sk) {
77443 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77444 + ret = 1;
77445 +#endif
77446 goto no_tcp_socket;
77447 + }
77448
77449 process:
77450 - if (sk->sk_state == TCP_TIME_WAIT)
77451 + if (sk->sk_state == TCP_TIME_WAIT) {
77452 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77453 + ret = 2;
77454 +#endif
77455 goto do_time_wait;
77456 + }
77457
77458 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
77459 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
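Review bot: The values `1` and `2` assigned to `ret` in tcp_v6_rcv are path markers with no name or comment, and `ret` is otherwise the function's return variable. The only consumer in this patch is the test `ret == 1 && (skb->dev->flags & IFF_LOOPBACK)` at `no_tcp_socket` (hunk at -1792), so a reader has to cross two hunks to learn what each value stands for. I would annotate the assignments, `ret = 1; /* no matching socket */` and `ret = 2; /* came through do_time_wait */`, or use named constants. Whether `ret` is set on every other path that reaches `no_tcp_socket` cannot be checked from these hunks, since the function continues outside them.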
77460 @@ -1792,6 +1807,10 @@ no_tcp_socket:
77461 bad_packet:
77462 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77463 } else {
77464 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77465 + if (!grsec_enable_blackhole || (ret == 1 &&
77466 + (skb->dev->flags & IFF_LOOPBACK)))
77467 +#endif
77468 tcp_v6_send_reset(NULL, skb);
77469 }
77470
77471 @@ -2052,7 +2071,13 @@ static void get_openreq6(struct seq_file
77472 uid,
77473 0, /* non standard timer */
77474 0, /* open_requests have no inode */
77475 - 0, req);
77476 + 0,
77477 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77478 + NULL
77479 +#else
77480 + req
77481 +#endif
77482 + );
77483 }
77484
77485 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
77486 @@ -2102,7 +2127,12 @@ static void get_tcp6_sock(struct seq_fil
77487 sock_i_uid(sp),
77488 icsk->icsk_probes_out,
77489 sock_i_ino(sp),
77490 - atomic_read(&sp->sk_refcnt), sp,
77491 + atomic_read(&sp->sk_refcnt),
77492 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77493 + NULL,
77494 +#else
77495 + sp,
77496 +#endif
77497 jiffies_to_clock_t(icsk->icsk_rto),
77498 jiffies_to_clock_t(icsk->icsk_ack.ato),
77499 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
77500 @@ -2137,7 +2167,13 @@ static void get_timewait6_sock(struct se
77501 dest->s6_addr32[2], dest->s6_addr32[3], destp,
77502 tw->tw_substate, 0, 0,
77503 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77504 - atomic_read(&tw->tw_refcnt), tw);
77505 + atomic_read(&tw->tw_refcnt),
77506 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77507 + NULL
77508 +#else
77509 + tw
77510 +#endif
77511 + );
77512 }
77513
77514 static int tcp6_seq_show(struct seq_file *seq, void *v)
77515 diff -urNp linux-2.6.39.3/net/ipv6/udp.c linux-2.6.39.3/net/ipv6/udp.c
77516 --- linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:18:51.000000000 -0400
77517 +++ linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:19:27.000000000 -0400
77518 @@ -50,6 +50,10 @@
77519 #include <linux/seq_file.h>
77520 #include "udp_impl.h"
77521
77522 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77523 +extern int grsec_enable_blackhole;
77524 +#endif
77525 +
77526 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
77527 {
77528 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
77529 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
77530
77531 return 0;
77532 drop:
77533 - atomic_inc(&sk->sk_drops);
77534 + atomic_inc_unchecked(&sk->sk_drops);
77535 drop_no_sk_drops_inc:
77536 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77537 kfree_skb(skb);
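Review bot: The switch to `atomic_inc_unchecked(&sk->sk_drops)` in udpv6_queue_rcv_skb says nothing about why this counter is taken out of the overflow-checked atomic API. From its name and the way it is printed in the seq_show hunks it looks like a drop statistic that may wrap harmlessly rather than a reference count, but that reasoning belongs next to the field. The conversion has to cover every accessor at once; in this chunk it is also applied in flush_stack, __udp6_lib_rcv, udp6_sock_seq_show and raw6_sock_seq_show, while the change of the field's type is outside this view. A comment at the declaration such as `/* statistic only, may wrap; not a refcount */` would stop a later reader from converting it back.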
77538 @@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
77539 continue;
77540 }
77541 drop:
77542 - atomic_inc(&sk->sk_drops);
77543 + atomic_inc_unchecked(&sk->sk_drops);
77544 UDP6_INC_STATS_BH(sock_net(sk),
77545 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
77546 UDP6_INC_STATS_BH(sock_net(sk),
77547 @@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77548 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77549 proto == IPPROTO_UDPLITE);
77550
77551 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77552 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77553 +#endif
77554 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
77555
77556 kfree_skb(skb);
77557 @@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77558 if (!sock_owned_by_user(sk))
77559 udpv6_queue_rcv_skb(sk, skb);
77560 else if (sk_add_backlog(sk, skb)) {
77561 - atomic_inc(&sk->sk_drops);
77562 + atomic_inc_unchecked(&sk->sk_drops);
77563 bh_unlock_sock(sk);
77564 sock_put(sk);
77565 goto discard;
77566 @@ -1406,8 +1413,13 @@ static void udp6_sock_seq_show(struct se
77567 0, 0L, 0,
77568 sock_i_uid(sp), 0,
77569 sock_i_ino(sp),
77570 - atomic_read(&sp->sk_refcnt), sp,
77571 - atomic_read(&sp->sk_drops));
77572 + atomic_read(&sp->sk_refcnt),
77573 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77574 + NULL,
77575 +#else
77576 + sp,
77577 +#endif
77578 + atomic_read_unchecked(&sp->sk_drops));
77579 }
77580
77581 int udp6_seq_show(struct seq_file *seq, void *v)
77582 diff -urNp linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c
77583 --- linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-19 00:06:34.000000000 -0400
77584 +++ linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-22 19:36:34.000000000 -0400
77585 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
77586 add_wait_queue(&self->open_wait, &wait);
77587
77588 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77589 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77590 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77591
77592 /* As far as I can see, we protect open_count - Jean II */
77593 spin_lock_irqsave(&self->spinlock, flags);
77594 if (!tty_hung_up_p(filp)) {
77595 extra_count = 1;
77596 - self->open_count--;
77597 + local_dec(&self->open_count);
77598 }
77599 spin_unlock_irqrestore(&self->spinlock, flags);
77600 - self->blocked_open++;
77601 + local_inc(&self->blocked_open);
77602
77603 while (1) {
77604 if (tty->termios->c_cflag & CBAUD) {
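Review bot: The debug format in ircomm_tty_block_til_ready still uses `%d` for `local_read(&self->open_count)`, but `local_read()` evaluates to a `long` in the kernel's local_t implementations, so the specifier and the argument no longer match. The same mismatch is introduced in the other hunks of this file: the remaining IRDA_DEBUG calls, the IRDA_ERROR call in ircomm_tty_close and `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info, the last two of which are likely to be built even when debugging is off. Either print with `%ld` or cast at the call, e.g. `(int)local_read(&self->open_count)`. The field's new declaration is outside this view, and the function body starts and ends outside the hunk.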
77605 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
77606 }
77607
77608 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77609 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77610 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77611
77612 schedule();
77613 }
77614 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
77615 if (extra_count) {
77616 /* ++ is not atomic, so this should be protected - Jean II */
77617 spin_lock_irqsave(&self->spinlock, flags);
77618 - self->open_count++;
77619 + local_inc(&self->open_count);
77620 spin_unlock_irqrestore(&self->spinlock, flags);
77621 }
77622 - self->blocked_open--;
77623 + local_dec(&self->blocked_open);
77624
77625 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77626 - __FILE__,__LINE__, tty->driver->name, self->open_count);
77627 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77628
77629 if (!retval)
77630 self->flags |= ASYNC_NORMAL_ACTIVE;
77631 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
77632 }
77633 /* ++ is not atomic, so this should be protected - Jean II */
77634 spin_lock_irqsave(&self->spinlock, flags);
77635 - self->open_count++;
77636 + local_inc(&self->open_count);
77637
77638 tty->driver_data = self;
77639 self->tty = tty;
77640 spin_unlock_irqrestore(&self->spinlock, flags);
77641
77642 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77643 - self->line, self->open_count);
77644 + self->line, local_read(&self->open_count));
77645
77646 /* Not really used by us, but lets do it anyway */
77647 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77648 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
77649 return;
77650 }
77651
77652 - if ((tty->count == 1) && (self->open_count != 1)) {
77653 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77654 /*
77655 * Uh, oh. tty->count is 1, which means that the tty
77656 * structure will be freed. state->count should always
77657 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
77658 */
77659 IRDA_DEBUG(0, "%s(), bad serial port count; "
77660 "tty->count is 1, state->count is %d\n", __func__ ,
77661 - self->open_count);
77662 - self->open_count = 1;
77663 + local_read(&self->open_count));
77664 + local_set(&self->open_count, 1);
77665 }
77666
77667 - if (--self->open_count < 0) {
77668 + if (local_dec_return(&self->open_count) < 0) {
77669 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77670 - __func__, self->line, self->open_count);
77671 - self->open_count = 0;
77672 + __func__, self->line, local_read(&self->open_count));
77673 + local_set(&self->open_count, 0);
77674 }
77675 - if (self->open_count) {
77676 + if (local_read(&self->open_count)) {
77677 spin_unlock_irqrestore(&self->spinlock, flags);
77678
77679 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77680 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
77681 tty->closing = 0;
77682 self->tty = NULL;
77683
77684 - if (self->blocked_open) {
77685 + if (local_read(&self->blocked_open)) {
77686 if (self->close_delay)
77687 schedule_timeout_interruptible(self->close_delay);
77688 wake_up_interruptible(&self->open_wait);
77689 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
77690 spin_lock_irqsave(&self->spinlock, flags);
77691 self->flags &= ~ASYNC_NORMAL_ACTIVE;
77692 self->tty = NULL;
77693 - self->open_count = 0;
77694 + local_set(&self->open_count, 0);
77695 spin_unlock_irqrestore(&self->spinlock, flags);
77696
77697 wake_up_interruptible(&self->open_wait);
77698 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
77699 seq_putc(m, '\n');
77700
77701 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77702 - seq_printf(m, "Open count: %d\n", self->open_count);
77703 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77704 seq_printf(m, "Max data size: %d\n", self->max_data_size);
77705 seq_printf(m, "Max header size: %d\n", self->max_header_size);
77706
77707 diff -urNp linux-2.6.39.3/net/iucv/af_iucv.c linux-2.6.39.3/net/iucv/af_iucv.c
77708 --- linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-19 00:06:34.000000000 -0400
77709 +++ linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-22 19:36:34.000000000 -0400
77710 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
77711
77712 write_lock_bh(&iucv_sk_list.lock);
77713
77714 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77715 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77716 while (__iucv_get_sock_by_name(name)) {
77717 sprintf(name, "%08x",
77718 - atomic_inc_return(&iucv_sk_list.autobind_name));
77719 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77720 }
77721
77722 write_unlock_bh(&iucv_sk_list.lock);
77723 diff -urNp linux-2.6.39.3/net/key/af_key.c linux-2.6.39.3/net/key/af_key.c
77724 --- linux-2.6.39.3/net/key/af_key.c 2011-05-19 00:06:34.000000000 -0400
77725 +++ linux-2.6.39.3/net/key/af_key.c 2011-05-22 19:41:42.000000000 -0400
77726 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
77727 struct xfrm_migrate m[XFRM_MAX_DEPTH];
77728 struct xfrm_kmaddress k;
77729
77730 + pax_track_stack();
77731 +
77732 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77733 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77734 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77735 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
77736 static u32 get_acqseq(void)
77737 {
77738 u32 res;
77739 - static atomic_t acqseq;
77740 + static atomic_unchecked_t acqseq;
77741
77742 do {
77743 - res = atomic_inc_return(&acqseq);
77744 + res = atomic_inc_return_unchecked(&acqseq);
77745 } while (!res);
77746 return res;
77747 }
77748 @@ -3657,7 +3659,11 @@ static int pfkey_seq_show(struct seq_fil
77749 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77750 else
77751 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77752 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77753 + NULL,
77754 +#else
77755 s,
77756 +#endif
77757 atomic_read(&s->sk_refcnt),
77758 sk_rmem_alloc_get(s),
77759 sk_wmem_alloc_get(s),
77760 diff -urNp linux-2.6.39.3/net/l2tp/l2tp_ip.c linux-2.6.39.3/net/l2tp/l2tp_ip.c
77761 --- linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-19 00:06:34.000000000 -0400
77762 +++ linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-22 19:36:34.000000000 -0400
77763 @@ -625,7 +625,7 @@ static struct inet_protosw l2tp_ip_proto
77764 .no_check = 0,
77765 };
77766
77767 -static struct net_protocol l2tp_ip_protocol __read_mostly = {
77768 +static const struct net_protocol l2tp_ip_protocol = {
77769 .handler = l2tp_ip_recv,
77770 };
77771
77772 diff -urNp linux-2.6.39.3/net/lapb/lapb_iface.c linux-2.6.39.3/net/lapb/lapb_iface.c
77773 --- linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-19 00:06:34.000000000 -0400
77774 +++ linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-22 19:36:34.000000000 -0400
77775 @@ -138,8 +138,7 @@ static struct lapb_cb *lapb_create_cb(vo
77776 out:
77777 return lapb;
77778 }
77779 -
77780 -int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks)
77781 +int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks)
77782 {
77783 struct lapb_cb *lapb;
77784 int rc = LAPB_BADTOKEN;
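Review bot: The hunk deletes the blank line between the closing brace of lapb_create_cb and the definition of lapb_register, which is unrelated to constifying `callbacks` and leaves the two functions run together. Keep the separator so the change is only `const struct lapb_register_struct *callbacks`. The matching prototype in the header has to gain the same `const`; that file is not part of this view.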
77785 diff -urNp linux-2.6.39.3/net/mac80211/cfg.c linux-2.6.39.3/net/mac80211/cfg.c
77786 --- linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:04:14.000000000 -0400
77787 +++ linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:32:08.000000000 -0400
77788 @@ -2031,7 +2031,7 @@ static void ieee80211_get_ringparam(stru
77789 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
77790 }
77791
77792 -struct cfg80211_ops mac80211_config_ops = {
77793 +const struct cfg80211_ops mac80211_config_ops = {
77794 .add_virtual_intf = ieee80211_add_iface,
77795 .del_virtual_intf = ieee80211_del_iface,
77796 .change_virtual_intf = ieee80211_change_iface,
77797 diff -urNp linux-2.6.39.3/net/mac80211/cfg.h linux-2.6.39.3/net/mac80211/cfg.h
77798 --- linux-2.6.39.3/net/mac80211/cfg.h 2011-05-19 00:06:34.000000000 -0400
77799 +++ linux-2.6.39.3/net/mac80211/cfg.h 2011-05-22 19:36:34.000000000 -0400
77800 @@ -4,6 +4,6 @@
77801 #ifndef __CFG_H
77802 #define __CFG_H
77803
77804 -extern struct cfg80211_ops mac80211_config_ops;
77805 +extern const struct cfg80211_ops mac80211_config_ops;
77806
77807 #endif /* __CFG_H */
77808 diff -urNp linux-2.6.39.3/net/mac80211/debugfs_sta.c linux-2.6.39.3/net/mac80211/debugfs_sta.c
77809 --- linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-19 00:06:34.000000000 -0400
77810 +++ linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-22 19:36:34.000000000 -0400
77811 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
77812 struct tid_ampdu_rx *tid_rx;
77813 struct tid_ampdu_tx *tid_tx;
77814
77815 + pax_track_stack();
77816 +
77817 rcu_read_lock();
77818
77819 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
77820 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
77821 struct sta_info *sta = file->private_data;
77822 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
77823
77824 + pax_track_stack();
77825 +
77826 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
77827 htc->ht_supported ? "" : "not ");
77828 if (htc->ht_supported) {
77829 diff -urNp linux-2.6.39.3/net/mac80211/ieee80211_i.h linux-2.6.39.3/net/mac80211/ieee80211_i.h
77830 --- linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-19 00:06:34.000000000 -0400
77831 +++ linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-22 19:36:34.000000000 -0400
77832 @@ -27,6 +27,7 @@
77833 #include <net/ieee80211_radiotap.h>
77834 #include <net/cfg80211.h>
77835 #include <net/mac80211.h>
77836 +#include <asm/local.h>
77837 #include "key.h"
77838 #include "sta_info.h"
77839
77840 @@ -714,7 +715,7 @@ struct ieee80211_local {
77841 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77842 spinlock_t queue_stop_reason_lock;
77843
77844 - int open_count;
77845 + local_t open_count;
77846 int monitors, cooked_mntrs;
77847 /* number of interfaces with corresponding FIF_ flags */
77848 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
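Review bot: `local_t open_count` in struct ieee80211_local comes with no comment on what serialises it, and `local_t` operations are only atomic with respect to the CPU they run on. The `local_inc`/`local_dec` calls added in ieee80211_do_open and ieee80211_do_stop show no lock in their hunks, so the counter presumably still depends on whatever locking the plain `int` relied on. A note on the field, for example `/* updated under RTNL (confirm); local_t is not a cross-CPU atomic */`, would keep anyone from reading the new type as a synchronisation fix. The struct definition starts and ends outside the hunk.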
77849 diff -urNp linux-2.6.39.3/net/mac80211/iface.c linux-2.6.39.3/net/mac80211/iface.c
77850 --- linux-2.6.39.3/net/mac80211/iface.c 2011-05-19 00:06:34.000000000 -0400
77851 +++ linux-2.6.39.3/net/mac80211/iface.c 2011-05-22 19:36:34.000000000 -0400
77852 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
77853 break;
77854 }
77855
77856 - if (local->open_count == 0) {
77857 + if (local_read(&local->open_count) == 0) {
77858 res = drv_start(local);
77859 if (res)
77860 goto err_del_bss;
77861 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
77862 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
77863
77864 if (!is_valid_ether_addr(dev->dev_addr)) {
77865 - if (!local->open_count)
77866 + if (!local_read(&local->open_count))
77867 drv_stop(local);
77868 return -EADDRNOTAVAIL;
77869 }
77870 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
77871 mutex_unlock(&local->mtx);
77872
77873 if (coming_up)
77874 - local->open_count++;
77875 + local_inc(&local->open_count);
77876
77877 if (hw_reconf_flags) {
77878 ieee80211_hw_config(local, hw_reconf_flags);
77879 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
77880 err_del_interface:
77881 drv_remove_interface(local, &sdata->vif);
77882 err_stop:
77883 - if (!local->open_count)
77884 + if (!local_read(&local->open_count))
77885 drv_stop(local);
77886 err_del_bss:
77887 sdata->bss = NULL;
77888 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
77889 }
77890
77891 if (going_down)
77892 - local->open_count--;
77893 + local_dec(&local->open_count);
77894
77895 switch (sdata->vif.type) {
77896 case NL80211_IFTYPE_AP_VLAN:
77897 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
77898
77899 ieee80211_recalc_ps(local, -1);
77900
77901 - if (local->open_count == 0) {
77902 + if (local_read(&local->open_count) == 0) {
77903 if (local->ops->napi_poll)
77904 napi_disable(&local->napi);
77905 ieee80211_clear_tx_pending(local);
77906 diff -urNp linux-2.6.39.3/net/mac80211/main.c linux-2.6.39.3/net/mac80211/main.c
77907 --- linux-2.6.39.3/net/mac80211/main.c 2011-05-19 00:06:34.000000000 -0400
77908 +++ linux-2.6.39.3/net/mac80211/main.c 2011-05-22 19:36:34.000000000 -0400
77909 @@ -215,7 +215,7 @@ int ieee80211_hw_config(struct ieee80211
77910 local->hw.conf.power_level = power;
77911 }
77912
77913 - if (changed && local->open_count) {
77914 + if (changed && local_read(&local->open_count)) {
77915 ret = drv_config(local, changed);
77916 /*
77917 * Goal:
77918 diff -urNp linux-2.6.39.3/net/mac80211/mlme.c linux-2.6.39.3/net/mac80211/mlme.c
77919 --- linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:04:14.000000000 -0400
77920 +++ linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:32:08.000000000 -0400
77921 @@ -1431,6 +1431,8 @@ static bool ieee80211_assoc_success(stru
77922 bool have_higher_than_11mbit = false;
77923 u16 ap_ht_cap_flags;
77924
77925 + pax_track_stack();
77926 +
77927 /* AssocResp and ReassocResp have identical structure */
77928
77929 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
77930 diff -urNp linux-2.6.39.3/net/mac80211/pm.c linux-2.6.39.3/net/mac80211/pm.c
77931 --- linux-2.6.39.3/net/mac80211/pm.c 2011-05-19 00:06:34.000000000 -0400
77932 +++ linux-2.6.39.3/net/mac80211/pm.c 2011-05-22 19:36:34.000000000 -0400
77933 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
77934 }
77935
77936 /* stop hardware - this must stop RX */
77937 - if (local->open_count)
77938 + if (local_read(&local->open_count))
77939 ieee80211_stop_device(local);
77940
77941 local->suspended = true;
77942 diff -urNp linux-2.6.39.3/net/mac80211/rate.c linux-2.6.39.3/net/mac80211/rate.c
77943 --- linux-2.6.39.3/net/mac80211/rate.c 2011-05-19 00:06:34.000000000 -0400
77944 +++ linux-2.6.39.3/net/mac80211/rate.c 2011-05-22 19:36:34.000000000 -0400
77945 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77946
77947 ASSERT_RTNL();
77948
77949 - if (local->open_count)
77950 + if (local_read(&local->open_count))
77951 return -EBUSY;
77952
77953 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
77954 diff -urNp linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c
77955 --- linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-19 00:06:34.000000000 -0400
77956 +++ linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-22 19:36:34.000000000 -0400
77957 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
77958
77959 spin_unlock_irqrestore(&events->lock, status);
77960
77961 - if (copy_to_user(buf, pb, p))
77962 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
77963 return -EFAULT;
77964
77965 return p;
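Review bot: The new `p > sizeof(pb)` test in rate_control_pid_events_read keeps `copy_to_user` from reading past the end of `pb`, but it reports the condition as -EFAULT, the same code a bad user pointer produces, and it presumably runs only after `pb` has already been filled. The lines that compute `p` are above the hunk, so I cannot tell whether `p` exceeds the buffer because the formatter returns the untruncated length; if so, bounding `p` where it is produced would be the primary fix and this test would remain as a defensive guard. I would at least add `/* p is the formatted length and may exceed pb; never copy more than the buffer holds */` above the test. If `p` is a signed int, the comparison also rejects a negative value through the conversion to an unsigned type, which is worth stating in the same comment.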
77966 diff -urNp linux-2.6.39.3/net/mac80211/util.c linux-2.6.39.3/net/mac80211/util.c
77967 --- linux-2.6.39.3/net/mac80211/util.c 2011-05-19 00:06:34.000000000 -0400
77968 +++ linux-2.6.39.3/net/mac80211/util.c 2011-05-22 19:36:34.000000000 -0400
77969 @@ -1129,7 +1129,7 @@ int ieee80211_reconfig(struct ieee80211_
77970 local->resuming = true;
77971
77972 /* restart hardware */
77973 - if (local->open_count) {
77974 + if (local_read(&local->open_count)) {
77975 /*
77976 * Upon resume hardware can sometimes be goofy due to
77977 * various platform / driver / bus issues, so restarting
77978 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c
77979 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:18:51.000000000 -0400
77980 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:19:27.000000000 -0400
77981 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77982 /* Increase the refcnt counter of the dest */
77983 atomic_inc(&dest->refcnt);
77984
77985 - conn_flags = atomic_read(&dest->conn_flags);
77986 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
77987 if (cp->protocol != IPPROTO_UDP)
77988 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
77989 /* Bind with the destination and its corresponding transmitter */
77990 @@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
77991 atomic_set(&cp->refcnt, 1);
77992
77993 atomic_set(&cp->n_control, 0);
77994 - atomic_set(&cp->in_pkts, 0);
77995 + atomic_set_unchecked(&cp->in_pkts, 0);
77996
77997 atomic_inc(&ipvs->conn_count);
77998 if (flags & IP_VS_CONN_F_NO_CPORT)
77999 @@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
78000
78001 /* Don't drop the entry if its number of incoming packets is not
78002 located in [0, 8] */
78003 - i = atomic_read(&cp->in_pkts);
78004 + i = atomic_read_unchecked(&cp->in_pkts);
78005 if (i > 8 || i < 0) return 0;
78006
78007 if (!todrop_rate[i]) return 0;
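Review bot: Reading `in_pkts` with `atomic_read_unchecked` in todrop_entry means the value may have wrapped, and the only thing keeping `todrop_rate[i]` in bounds is the existing `if (i > 8 || i < 0) return 0;` on the next line. That dependency is not stated anywhere in the hunk, and the `i < 0` half looks redundant to anyone who assumes a packet count is never negative. I would extend the comment above the read with `in_pkts is an unchecked counter and may wrap negative; the range test keeps the todrop_rate[] index valid`. The function body starts and ends outside the hunk.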
78008 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c
78009 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:18:51.000000000 -0400
78010 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:19:27.000000000 -0400
78011 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
78012 ret = cp->packet_xmit(skb, cp, pd->pp);
78013 /* do not touch skb anymore */
78014
78015 - atomic_inc(&cp->in_pkts);
78016 + atomic_inc_unchecked(&cp->in_pkts);
78017 ip_vs_conn_put(cp);
78018 return ret;
78019 }
78020 @@ -1633,7 +1633,7 @@ ip_vs_in(unsigned int hooknum, struct sk
78021 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
78022 pkts = sysctl_sync_threshold(ipvs);
78023 else
78024 - pkts = atomic_add_return(1, &cp->in_pkts);
78025 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78026
78027 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
78028 cp->protocol == IPPROTO_SCTP) {
78029 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c
78030 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-19 00:06:34.000000000 -0400
78031 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-22 19:36:34.000000000 -0400
78032 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
78033 ip_vs_rs_hash(ipvs, dest);
78034 write_unlock_bh(&ipvs->rs_lock);
78035 }
78036 - atomic_set(&dest->conn_flags, conn_flags);
78037 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
78038
78039 /* bind the service */
78040 if (!dest->svc) {
78041 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
78042 " %-7s %-6d %-10d %-10d\n",
78043 &dest->addr.in6,
78044 ntohs(dest->port),
78045 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78046 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78047 atomic_read(&dest->weight),
78048 atomic_read(&dest->activeconns),
78049 atomic_read(&dest->inactconns));
78050 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
78051 "%-7s %-6d %-10d %-10d\n",
78052 ntohl(dest->addr.ip),
78053 ntohs(dest->port),
78054 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78055 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78056 atomic_read(&dest->weight),
78057 atomic_read(&dest->activeconns),
78058 atomic_read(&dest->inactconns));
78059 @@ -2287,6 +2287,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
78060 struct ip_vs_dest_user *udest_compat;
78061 struct ip_vs_dest_user_kern udest;
78062
78063 + pax_track_stack();
78064 +
78065 if (!capable(CAP_NET_ADMIN))
78066 return -EPERM;
78067
78068 @@ -2501,7 +2503,7 @@ __ip_vs_get_dest_entries(struct net *net
78069
78070 entry.addr = dest->addr.ip;
78071 entry.port = dest->port;
78072 - entry.conn_flags = atomic_read(&dest->conn_flags);
78073 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
78074 entry.weight = atomic_read(&dest->weight);
78075 entry.u_threshold = dest->u_threshold;
78076 entry.l_threshold = dest->l_threshold;
78077 @@ -3029,7 +3031,7 @@ static int ip_vs_genl_fill_dest(struct s
78078 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
78079
78080 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
78081 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78082 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78083 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
78084 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
78085 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
78086 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c
78087 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-19 00:06:34.000000000 -0400
78088 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-22 19:36:34.000000000 -0400
78089 @@ -648,7 +648,7 @@ control:
78090 * i.e only increment in_pkts for Templates.
78091 */
78092 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
78093 - int pkts = atomic_add_return(1, &cp->in_pkts);
78094 + int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78095
78096 if (pkts % sysctl_sync_period(ipvs) != 1)
78097 return;
78098 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
78099
78100 if (opt)
78101 memcpy(&cp->in_seq, opt, sizeof(*opt));
78102 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78103 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78104 cp->state = state;
78105 cp->old_state = cp->state;
78106 /*
78107 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c
78108 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-19 00:06:34.000000000 -0400
78109 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-22 19:36:34.000000000 -0400
78110 @@ -1127,7 +1127,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
78111 else
78112 rc = NF_ACCEPT;
78113 /* do not touch skb anymore */
78114 - atomic_inc(&cp->in_pkts);
78115 + atomic_inc_unchecked(&cp->in_pkts);
78116 goto out;
78117 }
78118
78119 @@ -1245,7 +1245,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
78120 else
78121 rc = NF_ACCEPT;
78122 /* do not touch skb anymore */
78123 - atomic_inc(&cp->in_pkts);
78124 + atomic_inc_unchecked(&cp->in_pkts);
78125 goto out;
78126 }
78127
78128 diff -urNp linux-2.6.39.3/net/netfilter/Kconfig linux-2.6.39.3/net/netfilter/Kconfig
78129 --- linux-2.6.39.3/net/netfilter/Kconfig 2011-05-19 00:06:34.000000000 -0400
78130 +++ linux-2.6.39.3/net/netfilter/Kconfig 2011-05-22 19:41:42.000000000 -0400
78131 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
78132
78133 To compile it as a module, choose M here. If unsure, say N.
78134
78135 +config NETFILTER_XT_MATCH_GRADM
78136 + tristate '"gradm" match support'
78137 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
78138 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
78139 + ---help---
78140 + The gradm match allows to match on grsecurity RBAC being enabled.
78141 + It is useful when iptables rules are applied early on bootup to
78142 + prevent connections to the machine (except from a trusted host)
78143 + while the RBAC system is disabled.
78144 +
78145 config NETFILTER_XT_MATCH_HASHLIMIT
78146 tristate '"hashlimit" match support'
78147 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
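Review bot: The help text for NETFILTER_XT_MATCH_GRADM belongs to a tristate entry but omits the closing line its neighbour above carries, `To compile it as a module, choose M here. If unsure, say N.`, and the phrase "allows to match on grsecurity RBAC being enabled" reads awkwardly. I would word the first sentence as `The gradm match tests whether the grsecurity RBAC system is currently enabled.` and add the module sentence at the end.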
78148 diff -urNp linux-2.6.39.3/net/netfilter/Makefile linux-2.6.39.3/net/netfilter/Makefile
78149 --- linux-2.6.39.3/net/netfilter/Makefile 2011-05-19 00:06:34.000000000 -0400
78150 +++ linux-2.6.39.3/net/netfilter/Makefile 2011-05-22 20:40:16.000000000 -0400
78151 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
78152 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
78153 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
78154 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
78155 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
78156 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
78157 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
78158 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
78159 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_log.c linux-2.6.39.3/net/netfilter/nfnetlink_log.c
78160 --- linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-19 00:06:34.000000000 -0400
78161 +++ linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-22 19:36:35.000000000 -0400
78162 @@ -70,7 +70,7 @@ struct nfulnl_instance {
78163 };
78164
78165 static DEFINE_SPINLOCK(instances_lock);
78166 -static atomic_t global_seq;
78167 +static atomic_unchecked_t global_seq;
78168
78169 #define INSTANCE_BUCKETS 16
78170 static struct hlist_head instance_table[INSTANCE_BUCKETS];
78171 @@ -506,7 +506,7 @@ __build_packet_message(struct nfulnl_ins
78172 /* global sequence number */
78173 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
78174 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
78175 - htonl(atomic_inc_return(&global_seq)));
78176 + htonl(atomic_inc_return_unchecked(&global_seq)));
78177
78178 if (data_len) {
78179 struct nlattr *nla;
78180 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_queue.c linux-2.6.39.3/net/netfilter/nfnetlink_queue.c
78181 --- linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-19 00:06:34.000000000 -0400
78182 +++ linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-22 19:36:35.000000000 -0400
78183 @@ -58,7 +58,7 @@ struct nfqnl_instance {
78184 */
78185 spinlock_t lock;
78186 unsigned int queue_total;
78187 - atomic_t id_sequence; /* 'sequence' of pkt ids */
78188 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
78189 struct list_head queue_list; /* packets in queue */
78190 };
78191
78192 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
78193 nfmsg->version = NFNETLINK_V0;
78194 nfmsg->res_id = htons(queue->queue_num);
78195
78196 - entry->id = atomic_inc_return(&queue->id_sequence);
78197 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
78198 pmsg.packet_id = htonl(entry->id);
78199 pmsg.hw_protocol = entskb->protocol;
78200 pmsg.hook = entry->hook;
78201 @@ -869,7 +869,7 @@ static int seq_show(struct seq_file *s,
78202 inst->peer_pid, inst->queue_total,
78203 inst->copy_mode, inst->copy_range,
78204 inst->queue_dropped, inst->queue_user_dropped,
78205 - atomic_read(&inst->id_sequence), 1);
78206 + atomic_read_unchecked(&inst->id_sequence), 1);
78207 }
78208
78209 static const struct seq_operations nfqnl_seq_ops = {
78210 diff -urNp linux-2.6.39.3/net/netfilter/xt_gradm.c linux-2.6.39.3/net/netfilter/xt_gradm.c
78211 --- linux-2.6.39.3/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
78212 +++ linux-2.6.39.3/net/netfilter/xt_gradm.c 2011-05-22 19:41:42.000000000 -0400
78213 @@ -0,0 +1,51 @@
78214 +/*
78215 + * gradm match for netfilter
78216 + * Copyright © Zbigniew Krzystolik, 2010
78217 + *
78218 + * This program is free software; you can redistribute it and/or modify
78219 + * it under the terms of the GNU General Public License; either version
78220 + * 2 or 3 as published by the Free Software Foundation.
78221 + */
78222 +#include <linux/module.h>
78223 +#include <linux/moduleparam.h>
78224 +#include <linux/skbuff.h>
78225 +#include <linux/netfilter/x_tables.h>
78226 +#include <linux/grsecurity.h>
78227 +#include <linux/netfilter/xt_gradm.h>
78228 +
78229 +static bool
78230 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
78231 +{
78232 + const struct xt_gradm_mtinfo *info = par->matchinfo;
78233 + bool retval = false;
78234 + if (gr_acl_is_enabled())
78235 + retval = true;
78236 + return retval ^ info->invflags;
78237 +}
78238 +
78239 +static struct xt_match gradm_mt_reg __read_mostly = {
78240 + .name = "gradm",
78241 + .revision = 0,
78242 + .family = NFPROTO_UNSPEC,
78243 + .match = gradm_mt,
78244 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
78245 + .me = THIS_MODULE,
78246 +};
78247 +
78248 +static int __init gradm_mt_init(void)
78249 +{
78250 + return xt_register_match(&gradm_mt_reg);
78251 +}
78252 +
78253 +static void __exit gradm_mt_exit(void)
78254 +{
78255 + xt_unregister_match(&gradm_mt_reg);
78256 +}
78257 +
78258 +module_init(gradm_mt_init);
78259 +module_exit(gradm_mt_exit);
78260 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
78261 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
78262 +MODULE_LICENSE("GPL");
78263 +MODULE_ALIAS("ipt_gradm");
78264 +MODULE_ALIAS("ip6t_gradm");
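Review bot: `gradm_mt` returns `retval ^ info->invflags` and the `xt_match` registration has no `.checkentry`, so an `invflags` value other than 0 or 1 makes the expression nonzero on both branches and the rule matches unconditionally. The field's type is declared in xt_gradm.h, which is not on this page, so this assumes it is wider than one bit. Normalising in the match keeps it a pure inversion, `return retval ^ !!info->invflags;`, and rejecting unknown bits in a `checkentry` callback would be the stricter option. The function would also benefit from a header comment such as `/* match when gr_acl_is_enabled() reports true, inverted if invflags is set */`.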
78265 diff -urNp linux-2.6.39.3/net/netfilter/xt_statistic.c linux-2.6.39.3/net/netfilter/xt_statistic.c
78266 --- linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-19 00:06:34.000000000 -0400
78267 +++ linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-22 19:36:35.000000000 -0400
78268 @@ -18,7 +18,7 @@
78269 #include <linux/netfilter/x_tables.h>
78270
78271 struct xt_statistic_priv {
78272 - atomic_t count;
78273 + atomic_unchecked_t count;
78274 } ____cacheline_aligned_in_smp;
78275
78276 MODULE_LICENSE("GPL");
78277 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
78278 break;
78279 case XT_STATISTIC_MODE_NTH:
78280 do {
78281 - oval = atomic_read(&info->master->count);
78282 + oval = atomic_read_unchecked(&info->master->count);
78283 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
78284 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
78285 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
78286 if (nval == 0)
78287 ret = !ret;
78288 break;
78289 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
78290 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
78291 if (info->master == NULL)
78292 return -ENOMEM;
78293 - atomic_set(&info->master->count, info->u.nth.count);
78294 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
78295
78296 return 0;
78297 }
78298 diff -urNp linux-2.6.39.3/net/netlink/af_netlink.c linux-2.6.39.3/net/netlink/af_netlink.c
78299 --- linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-19 00:06:34.000000000 -0400
78300 +++ linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-22 19:41:42.000000000 -0400
78301 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
78302 sk->sk_error_report(sk);
78303 }
78304 }
78305 - atomic_inc(&sk->sk_drops);
78306 + atomic_inc_unchecked(&sk->sk_drops);
78307 }
78308
78309 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
78310 @@ -1992,15 +1992,23 @@ static int netlink_seq_show(struct seq_f
78311 struct netlink_sock *nlk = nlk_sk(s);
78312
78313 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
78314 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78315 + NULL,
78316 +#else
78317 s,
78318 +#endif
78319 s->sk_protocol,
78320 nlk->pid,
78321 nlk->groups ? (u32)nlk->groups[0] : 0,
78322 sk_rmem_alloc_get(s),
78323 sk_wmem_alloc_get(s),
78324 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78325 + NULL,
78326 +#else
78327 nlk->cb,
78328 +#endif
78329 atomic_read(&s->sk_refcnt),
78330 - atomic_read(&s->sk_drops),
78331 + atomic_read_unchecked(&s->sk_drops),
78332 sock_i_ino(s)
78333 );
78334
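Review bot: Under CONFIG_GRKERNSEC_HIDESYM the two `%p` columns are passed `NULL`, so the line format of this seq file changes along with the address being hidden. How `%p` renders a null pointer is decided by the kernel's vsprintf, and tools that parse a fixed-width hex column here may need checking. The `#ifdef`/`#else` pair is also open-coded inside the argument list, here and again in `packet_seq_show`, `pn_sock_seq_show`, `sctp_eps_seq_show` and `sctp_assocs_seq_show`. One helper defined once would keep the call sites readable and make a missed pointer easier to spot; as a constructed name, `#define GR_SEQ_PTR(p) NULL` under the option and `#define GR_SEQ_PTR(p) (p)` otherwise.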
78335 diff -urNp linux-2.6.39.3/net/netrom/af_netrom.c linux-2.6.39.3/net/netrom/af_netrom.c
78336 --- linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-19 00:06:34.000000000 -0400
78337 +++ linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-22 19:41:42.000000000 -0400
78338 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
78339 struct sock *sk = sock->sk;
78340 struct nr_sock *nr = nr_sk(sk);
78341
78342 + memset(sax, 0, sizeof(*sax));
78343 lock_sock(sk);
78344 if (peer != 0) {
78345 if (sk->sk_state != TCP_ESTABLISHED) {
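Review bot: The added `memset(sax, 0, sizeof(*sax));` has no comment, yet the next hunk removes the explicit `sax25_ndigis = 0` and so depends on it. `sax` is declared outside the hunk; judging by the `sizeof(struct full_sockaddr_ax25)` in the following hunk it is the full address structure that is handed back to the caller. A short comment would keep a later cleanup from dropping the call as redundant: `/* clear every field and any padding before the address is returned to the caller */`.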
78346 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
78347 *uaddr_len = sizeof(struct full_sockaddr_ax25);
78348 } else {
78349 sax->fsa_ax25.sax25_family = AF_NETROM;
78350 - sax->fsa_ax25.sax25_ndigis = 0;
78351 sax->fsa_ax25.sax25_call = nr->source_addr;
78352 *uaddr_len = sizeof(struct sockaddr_ax25);
78353 }
78354 diff -urNp linux-2.6.39.3/net/packet/af_packet.c linux-2.6.39.3/net/packet/af_packet.c
78355 --- linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:18:51.000000000 -0400
78356 +++ linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:19:27.000000000 -0400
78357 @@ -647,14 +647,14 @@ static int packet_rcv(struct sk_buff *sk
78358
78359 spin_lock(&sk->sk_receive_queue.lock);
78360 po->stats.tp_packets++;
78361 - skb->dropcount = atomic_read(&sk->sk_drops);
78362 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
78363 __skb_queue_tail(&sk->sk_receive_queue, skb);
78364 spin_unlock(&sk->sk_receive_queue.lock);
78365 sk->sk_data_ready(sk, skb->len);
78366 return 0;
78367
78368 drop_n_acct:
78369 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
78370 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
78371
78372 drop_n_restore:
78373 if (skb_head != skb->data && skb_shared(skb)) {
78374 @@ -2159,7 +2159,7 @@ static int packet_getsockopt(struct sock
78375 case PACKET_HDRLEN:
78376 if (len > sizeof(int))
78377 len = sizeof(int);
78378 - if (copy_from_user(&val, optval, len))
78379 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
78380 return -EFAULT;
78381 switch (val) {
78382 case TPACKET_V1:
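Review bot: The added `len > sizeof(val)` test cannot be true after the clamp on the two context lines above it (`if (len > sizeof(int)) len = sizeof(int);`), assuming `val` is an `int`; its declaration is outside the hunk. If the check is kept as a backstop tied to the destination object, a comment should say so, e.g. `/* redundant with the clamp above; bounds the copy by the destination itself */`. As written, a length violation would also be reported as -EFAULT rather than -EINVAL.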
78383 @@ -2197,7 +2197,7 @@ static int packet_getsockopt(struct sock
78384
78385 if (put_user(len, optlen))
78386 return -EFAULT;
78387 - if (copy_to_user(optval, data, len))
78388 + if (len > sizeof(st) || copy_to_user(optval, data, len))
78389 return -EFAULT;
78390 return 0;
78391 }
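Review bot: The added `len > sizeof(st)` bounds the copy by one specific object, while `data` is a pointer whose target is chosen outside this hunk. The PACKET_HDRLEN case in the previous hunk works on `val`, so `data` presumably can point at that smaller object too, in which case this check permits more than the object holds and the per-option clamps remain the real bound. Note also that `put_user(len, optlen)` has already written the length back by the time the check fails. A comment stating the invariant would help: `/* len was clamped per option above; this only guards against exceeding the largest source object */`.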
78392 @@ -2709,7 +2709,11 @@ static int packet_seq_show(struct seq_fi
78393
78394 seq_printf(seq,
78395 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
78396 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78397 + NULL,
78398 +#else
78399 s,
78400 +#endif
78401 atomic_read(&s->sk_refcnt),
78402 s->sk_type,
78403 ntohs(po->num),
78404 diff -urNp linux-2.6.39.3/net/phonet/af_phonet.c linux-2.6.39.3/net/phonet/af_phonet.c
78405 --- linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-19 00:06:34.000000000 -0400
78406 +++ linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-22 19:41:42.000000000 -0400
78407 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
78408 {
78409 struct phonet_protocol *pp;
78410
78411 - if (protocol >= PHONET_NPROTO)
78412 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78413 return NULL;
78414
78415 rcu_read_lock();
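Review bot: The added `protocol < 0` test closes the lower bound by hand, which implies the parameter is a signed `int`; the signature and the later use of `protocol` are outside the hunk. If it is used as a table index, declaring the parameter `unsigned int` in this function and in `phonet_proto_register` (third hunk of this file, same change) would make the existing `>= PHONET_NPROTO` test sufficient on its own. If the signed type has to stay, a comment such as `/* protocol is signed: check both bounds before it is used as an index */` records why the extra test is there.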
78416 @@ -149,7 +149,7 @@ static int pn_header_parse(const struct
78417 return 1;
78418 }
78419
78420 -struct header_ops phonet_header_ops = {
78421 +const struct header_ops phonet_header_ops = {
78422 .create = pn_header_create,
78423 .parse = pn_header_parse,
78424 };
78425 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
78426 {
78427 int err = 0;
78428
78429 - if (protocol >= PHONET_NPROTO)
78430 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78431 return -EINVAL;
78432
78433 err = proto_register(pp->prot, 1);
78434 diff -urNp linux-2.6.39.3/net/phonet/pep.c linux-2.6.39.3/net/phonet/pep.c
78435 --- linux-2.6.39.3/net/phonet/pep.c 2011-05-19 00:06:34.000000000 -0400
78436 +++ linux-2.6.39.3/net/phonet/pep.c 2011-05-22 19:36:35.000000000 -0400
78437 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk,
78438
78439 case PNS_PEP_CTRL_REQ:
78440 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
78441 - atomic_inc(&sk->sk_drops);
78442 + atomic_inc_unchecked(&sk->sk_drops);
78443 break;
78444 }
78445 __skb_pull(skb, 4);
78446 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk,
78447 }
78448
78449 if (pn->rx_credits == 0) {
78450 - atomic_inc(&sk->sk_drops);
78451 + atomic_inc_unchecked(&sk->sk_drops);
78452 err = -ENOBUFS;
78453 break;
78454 }
78455 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
78456 }
78457
78458 if (pn->rx_credits == 0) {
78459 - atomic_inc(&sk->sk_drops);
78460 + atomic_inc_unchecked(&sk->sk_drops);
78461 err = NET_RX_DROP;
78462 break;
78463 }
78464 diff -urNp linux-2.6.39.3/net/phonet/socket.c linux-2.6.39.3/net/phonet/socket.c
78465 --- linux-2.6.39.3/net/phonet/socket.c 2011-05-19 00:06:34.000000000 -0400
78466 +++ linux-2.6.39.3/net/phonet/socket.c 2011-05-22 20:39:26.000000000 -0400
78467 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_f
78468 pn->resource, sk->sk_state,
78469 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
78470 sock_i_uid(sk), sock_i_ino(sk),
78471 - atomic_read(&sk->sk_refcnt), sk,
78472 - atomic_read(&sk->sk_drops), &len);
78473 + atomic_read(&sk->sk_refcnt),
78474 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78475 + NULL,
78476 +#else
78477 + sk,
78478 +#endif
78479 + atomic_read_unchecked(&sk->sk_drops), &len);
78480 }
78481 seq_printf(seq, "%*s\n", 127 - len, "");
78482 return 0;
78483 diff -urNp linux-2.6.39.3/net/rds/cong.c linux-2.6.39.3/net/rds/cong.c
78484 --- linux-2.6.39.3/net/rds/cong.c 2011-05-19 00:06:34.000000000 -0400
78485 +++ linux-2.6.39.3/net/rds/cong.c 2011-05-22 19:36:35.000000000 -0400
78486 @@ -77,7 +77,7 @@
78487 * finds that the saved generation number is smaller than the global generation
78488 * number, it wakes up the process.
78489 */
78490 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
78491 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
78492
78493 /*
78494 * Congestion monitoring
78495 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
78496 rdsdebug("waking map %p for %pI4\n",
78497 map, &map->m_addr);
78498 rds_stats_inc(s_cong_update_received);
78499 - atomic_inc(&rds_cong_generation);
78500 + atomic_inc_unchecked(&rds_cong_generation);
78501 if (waitqueue_active(&map->m_waitq))
78502 wake_up(&map->m_waitq);
78503 if (waitqueue_active(&rds_poll_waitq))
78504 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
78505
78506 int rds_cong_updated_since(unsigned long *recent)
78507 {
78508 - unsigned long gen = atomic_read(&rds_cong_generation);
78509 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
78510
78511 if (likely(*recent == gen))
78512 return 0;
78513 diff -urNp linux-2.6.39.3/net/rds/ib_cm.c linux-2.6.39.3/net/rds/ib_cm.c
78514 --- linux-2.6.39.3/net/rds/ib_cm.c 2011-05-19 00:06:34.000000000 -0400
78515 +++ linux-2.6.39.3/net/rds/ib_cm.c 2011-05-22 19:36:35.000000000 -0400
78516 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
78517 /* Clear the ACK state */
78518 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78519 #ifdef KERNEL_HAS_ATOMIC64
78520 - atomic64_set(&ic->i_ack_next, 0);
78521 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78522 #else
78523 ic->i_ack_next = 0;
78524 #endif
78525 diff -urNp linux-2.6.39.3/net/rds/ib.h linux-2.6.39.3/net/rds/ib.h
78526 --- linux-2.6.39.3/net/rds/ib.h 2011-05-19 00:06:34.000000000 -0400
78527 +++ linux-2.6.39.3/net/rds/ib.h 2011-05-22 19:36:35.000000000 -0400
78528 @@ -127,7 +127,7 @@ struct rds_ib_connection {
78529 /* sending acks */
78530 unsigned long i_ack_flags;
78531 #ifdef KERNEL_HAS_ATOMIC64
78532 - atomic64_t i_ack_next; /* next ACK to send */
78533 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78534 #else
78535 spinlock_t i_ack_lock; /* protect i_ack_next */
78536 u64 i_ack_next; /* next ACK to send */
78537 diff -urNp linux-2.6.39.3/net/rds/ib_recv.c linux-2.6.39.3/net/rds/ib_recv.c
78538 --- linux-2.6.39.3/net/rds/ib_recv.c 2011-05-19 00:06:34.000000000 -0400
78539 +++ linux-2.6.39.3/net/rds/ib_recv.c 2011-05-22 19:36:35.000000000 -0400
78540 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78541 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
78542 int ack_required)
78543 {
78544 - atomic64_set(&ic->i_ack_next, seq);
78545 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78546 if (ack_required) {
78547 smp_mb__before_clear_bit();
78548 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78549 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78550 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78551 smp_mb__after_clear_bit();
78552
78553 - return atomic64_read(&ic->i_ack_next);
78554 + return atomic64_read_unchecked(&ic->i_ack_next);
78555 }
78556 #endif
78557
78558 diff -urNp linux-2.6.39.3/net/rds/iw_cm.c linux-2.6.39.3/net/rds/iw_cm.c
78559 --- linux-2.6.39.3/net/rds/iw_cm.c 2011-05-19 00:06:34.000000000 -0400
78560 +++ linux-2.6.39.3/net/rds/iw_cm.c 2011-05-22 19:36:35.000000000 -0400
78561 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
78562 /* Clear the ACK state */
78563 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78564 #ifdef KERNEL_HAS_ATOMIC64
78565 - atomic64_set(&ic->i_ack_next, 0);
78566 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78567 #else
78568 ic->i_ack_next = 0;
78569 #endif
78570 diff -urNp linux-2.6.39.3/net/rds/iw.h linux-2.6.39.3/net/rds/iw.h
78571 --- linux-2.6.39.3/net/rds/iw.h 2011-05-19 00:06:34.000000000 -0400
78572 +++ linux-2.6.39.3/net/rds/iw.h 2011-05-22 19:36:35.000000000 -0400
78573 @@ -133,7 +133,7 @@ struct rds_iw_connection {
78574 /* sending acks */
78575 unsigned long i_ack_flags;
78576 #ifdef KERNEL_HAS_ATOMIC64
78577 - atomic64_t i_ack_next; /* next ACK to send */
78578 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78579 #else
78580 spinlock_t i_ack_lock; /* protect i_ack_next */
78581 u64 i_ack_next; /* next ACK to send */
78582 diff -urNp linux-2.6.39.3/net/rds/iw_rdma.c linux-2.6.39.3/net/rds/iw_rdma.c
78583 --- linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-19 00:06:34.000000000 -0400
78584 +++ linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-22 19:36:35.000000000 -0400
78585 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78586 struct rdma_cm_id *pcm_id;
78587 int rc;
78588
78589 + pax_track_stack();
78590 +
78591 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78592 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78593
78594 diff -urNp linux-2.6.39.3/net/rds/iw_recv.c linux-2.6.39.3/net/rds/iw_recv.c
78595 --- linux-2.6.39.3/net/rds/iw_recv.c 2011-05-19 00:06:34.000000000 -0400
78596 +++ linux-2.6.39.3/net/rds/iw_recv.c 2011-05-22 19:36:35.000000000 -0400
78597 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78598 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
78599 int ack_required)
78600 {
78601 - atomic64_set(&ic->i_ack_next, seq);
78602 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78603 if (ack_required) {
78604 smp_mb__before_clear_bit();
78605 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78606 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78607 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78608 smp_mb__after_clear_bit();
78609
78610 - return atomic64_read(&ic->i_ack_next);
78611 + return atomic64_read_unchecked(&ic->i_ack_next);
78612 }
78613 #endif
78614
78615 diff -urNp linux-2.6.39.3/net/rxrpc/af_rxrpc.c linux-2.6.39.3/net/rxrpc/af_rxrpc.c
78616 --- linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-19 00:06:34.000000000 -0400
78617 +++ linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-22 19:36:35.000000000 -0400
78618 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
78619 __be32 rxrpc_epoch;
78620
78621 /* current debugging ID */
78622 -atomic_t rxrpc_debug_id;
78623 +atomic_unchecked_t rxrpc_debug_id;
78624
78625 /* count of skbs currently in use */
78626 atomic_t rxrpc_n_skbs;
78627 diff -urNp linux-2.6.39.3/net/rxrpc/ar-ack.c linux-2.6.39.3/net/rxrpc/ar-ack.c
78628 --- linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-19 00:06:34.000000000 -0400
78629 +++ linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-22 19:36:35.000000000 -0400
78630 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
78631
78632 _enter("{%d,%d,%d,%d},",
78633 call->acks_hard, call->acks_unacked,
78634 - atomic_read(&call->sequence),
78635 + atomic_read_unchecked(&call->sequence),
78636 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78637
78638 stop = 0;
78639 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
78640
78641 /* each Tx packet has a new serial number */
78642 sp->hdr.serial =
78643 - htonl(atomic_inc_return(&call->conn->serial));
78644 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
78645
78646 hdr = (struct rxrpc_header *) txb->head;
78647 hdr->serial = sp->hdr.serial;
78648 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
78649 */
78650 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78651 {
78652 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78653 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78654 }
78655
78656 /*
78657 @@ -631,7 +631,7 @@ process_further:
78658
78659 latest = ntohl(sp->hdr.serial);
78660 hard = ntohl(ack.firstPacket);
78661 - tx = atomic_read(&call->sequence);
78662 + tx = atomic_read_unchecked(&call->sequence);
78663
78664 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78665 latest,
78666 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
78667 u32 abort_code = RX_PROTOCOL_ERROR;
78668 u8 *acks = NULL;
78669
78670 + pax_track_stack();
78671 +
78672 //printk("\n--------------------\n");
78673 _enter("{%d,%s,%lx} [%lu]",
78674 call->debug_id, rxrpc_call_states[call->state], call->events,
78675 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
78676 goto maybe_reschedule;
78677
78678 send_ACK_with_skew:
78679 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78680 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78681 ntohl(ack.serial));
78682 send_ACK:
78683 mtu = call->conn->trans->peer->if_mtu;
78684 @@ -1175,7 +1177,7 @@ send_ACK:
78685 ackinfo.rxMTU = htonl(5692);
78686 ackinfo.jumbo_max = htonl(4);
78687
78688 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78689 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78690 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78691 ntohl(hdr.serial),
78692 ntohs(ack.maxSkew),
78693 @@ -1193,7 +1195,7 @@ send_ACK:
78694 send_message:
78695 _debug("send message");
78696
78697 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78698 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78699 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78700 send_message_2:
78701
78702 diff -urNp linux-2.6.39.3/net/rxrpc/ar-call.c linux-2.6.39.3/net/rxrpc/ar-call.c
78703 --- linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-19 00:06:34.000000000 -0400
78704 +++ linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-22 19:36:35.000000000 -0400
78705 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78706 spin_lock_init(&call->lock);
78707 rwlock_init(&call->state_lock);
78708 atomic_set(&call->usage, 1);
78709 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78710 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78711 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78712
78713 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78714 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connection.c linux-2.6.39.3/net/rxrpc/ar-connection.c
78715 --- linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-19 00:06:34.000000000 -0400
78716 +++ linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-22 19:36:35.000000000 -0400
78717 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
78718 rwlock_init(&conn->lock);
78719 spin_lock_init(&conn->state_lock);
78720 atomic_set(&conn->usage, 1);
78721 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78722 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78723 conn->avail_calls = RXRPC_MAXCALLS;
78724 conn->size_align = 4;
78725 conn->header_size = sizeof(struct rxrpc_header);
78726 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connevent.c linux-2.6.39.3/net/rxrpc/ar-connevent.c
78727 --- linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-19 00:06:34.000000000 -0400
78728 +++ linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-22 19:36:35.000000000 -0400
78729 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78730
78731 len = iov[0].iov_len + iov[1].iov_len;
78732
78733 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78734 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78735 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78736
78737 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78738 diff -urNp linux-2.6.39.3/net/rxrpc/ar-input.c linux-2.6.39.3/net/rxrpc/ar-input.c
78739 --- linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-19 00:06:34.000000000 -0400
78740 +++ linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-22 19:36:35.000000000 -0400
78741 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
78742 /* track the latest serial number on this connection for ACK packet
78743 * information */
78744 serial = ntohl(sp->hdr.serial);
78745 - hi_serial = atomic_read(&call->conn->hi_serial);
78746 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78747 while (serial > hi_serial)
78748 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78749 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78750 serial);
78751
78752 /* request ACK generation for any ACK or DATA packet that requests
78753 diff -urNp linux-2.6.39.3/net/rxrpc/ar-internal.h linux-2.6.39.3/net/rxrpc/ar-internal.h
78754 --- linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-19 00:06:34.000000000 -0400
78755 +++ linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-22 19:36:35.000000000 -0400
78756 @@ -272,8 +272,8 @@ struct rxrpc_connection {
78757 int error; /* error code for local abort */
78758 int debug_id; /* debug ID for printks */
78759 unsigned call_counter; /* call ID counter */
78760 - atomic_t serial; /* packet serial number counter */
78761 - atomic_t hi_serial; /* highest serial number received */
78762 + atomic_unchecked_t serial; /* packet serial number counter */
78763 + atomic_unchecked_t hi_serial; /* highest serial number received */
78764 u8 avail_calls; /* number of calls available */
78765 u8 size_align; /* data size alignment (for security) */
78766 u8 header_size; /* rxrpc + security header size */
78767 @@ -346,7 +346,7 @@ struct rxrpc_call {
78768 spinlock_t lock;
78769 rwlock_t state_lock; /* lock for state transition */
78770 atomic_t usage;
78771 - atomic_t sequence; /* Tx data packet sequence counter */
78772 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78773 u32 abort_code; /* local/remote abort code */
78774 enum { /* current state of call */
78775 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78776 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78777 */
78778 extern atomic_t rxrpc_n_skbs;
78779 extern __be32 rxrpc_epoch;
78780 -extern atomic_t rxrpc_debug_id;
78781 +extern atomic_unchecked_t rxrpc_debug_id;
78782 extern struct workqueue_struct *rxrpc_workqueue;
78783
78784 /*
78785 diff -urNp linux-2.6.39.3/net/rxrpc/ar-local.c linux-2.6.39.3/net/rxrpc/ar-local.c
78786 --- linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-19 00:06:34.000000000 -0400
78787 +++ linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-22 19:36:35.000000000 -0400
78788 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78789 spin_lock_init(&local->lock);
78790 rwlock_init(&local->services_lock);
78791 atomic_set(&local->usage, 1);
78792 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78793 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78794 memcpy(&local->srx, srx, sizeof(*srx));
78795 }
78796
78797 diff -urNp linux-2.6.39.3/net/rxrpc/ar-output.c linux-2.6.39.3/net/rxrpc/ar-output.c
78798 --- linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-19 00:06:34.000000000 -0400
78799 +++ linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-22 19:36:35.000000000 -0400
78800 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
78801 sp->hdr.cid = call->cid;
78802 sp->hdr.callNumber = call->call_id;
78803 sp->hdr.seq =
78804 - htonl(atomic_inc_return(&call->sequence));
78805 + htonl(atomic_inc_return_unchecked(&call->sequence));
78806 sp->hdr.serial =
78807 - htonl(atomic_inc_return(&conn->serial));
78808 + htonl(atomic_inc_return_unchecked(&conn->serial));
78809 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78810 sp->hdr.userStatus = 0;
78811 sp->hdr.securityIndex = conn->security_ix;
78812 diff -urNp linux-2.6.39.3/net/rxrpc/ar-peer.c linux-2.6.39.3/net/rxrpc/ar-peer.c
78813 --- linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-19 00:06:34.000000000 -0400
78814 +++ linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-22 19:36:35.000000000 -0400
78815 @@ -71,7 +71,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78816 INIT_LIST_HEAD(&peer->error_targets);
78817 spin_lock_init(&peer->lock);
78818 atomic_set(&peer->usage, 1);
78819 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78820 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78821 memcpy(&peer->srx, srx, sizeof(*srx));
78822
78823 rxrpc_assess_MTU_size(peer);
78824 diff -urNp linux-2.6.39.3/net/rxrpc/ar-proc.c linux-2.6.39.3/net/rxrpc/ar-proc.c
78825 --- linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-19 00:06:34.000000000 -0400
78826 +++ linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-22 19:36:35.000000000 -0400
78827 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78828 atomic_read(&conn->usage),
78829 rxrpc_conn_states[conn->state],
78830 key_serial(conn->key),
78831 - atomic_read(&conn->serial),
78832 - atomic_read(&conn->hi_serial));
78833 + atomic_read_unchecked(&conn->serial),
78834 + atomic_read_unchecked(&conn->hi_serial));
78835
78836 return 0;
78837 }
78838 diff -urNp linux-2.6.39.3/net/rxrpc/ar-transport.c linux-2.6.39.3/net/rxrpc/ar-transport.c
78839 --- linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-19 00:06:34.000000000 -0400
78840 +++ linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-22 19:36:35.000000000 -0400
78841 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
78842 spin_lock_init(&trans->client_lock);
78843 rwlock_init(&trans->conn_lock);
78844 atomic_set(&trans->usage, 1);
78845 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78846 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78847
78848 if (peer->srx.transport.family == AF_INET) {
78849 switch (peer->srx.transport_type) {
78850 diff -urNp linux-2.6.39.3/net/rxrpc/rxkad.c linux-2.6.39.3/net/rxrpc/rxkad.c
78851 --- linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-19 00:06:34.000000000 -0400
78852 +++ linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-22 19:36:35.000000000 -0400
78853 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
78854 u16 check;
78855 int nsg;
78856
78857 + pax_track_stack();
78858 +
78859 sp = rxrpc_skb(skb);
78860
78861 _enter("");
78862 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
78863 u16 check;
78864 int nsg;
78865
78866 + pax_track_stack();
78867 +
78868 _enter("");
78869
78870 sp = rxrpc_skb(skb);
78871 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
78872
78873 len = iov[0].iov_len + iov[1].iov_len;
78874
78875 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78876 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78877 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78878
78879 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78880 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
78881
78882 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78883
78884 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
78885 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78886 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78887
78888 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78889 diff -urNp linux-2.6.39.3/net/sched/em_meta.c linux-2.6.39.3/net/sched/em_meta.c
78890 --- linux-2.6.39.3/net/sched/em_meta.c 2011-05-19 00:06:34.000000000 -0400
78891 +++ linux-2.6.39.3/net/sched/em_meta.c 2011-05-22 19:36:35.000000000 -0400
78892 @@ -832,7 +832,7 @@ static int em_meta_dump(struct sk_buff *
78893 {
78894 struct meta_match *meta = (struct meta_match *) em->data;
78895 struct tcf_meta_hdr hdr;
78896 - struct meta_type_ops *ops;
78897 + const struct meta_type_ops *ops;
78898
78899 memset(&hdr, 0, sizeof(hdr));
78900 memcpy(&hdr.left, &meta->lvalue.hdr, sizeof(hdr.left));
78901 diff -urNp linux-2.6.39.3/net/sctp/proc.c linux-2.6.39.3/net/sctp/proc.c
78902 --- linux-2.6.39.3/net/sctp/proc.c 2011-05-19 00:06:34.000000000 -0400
78903 +++ linux-2.6.39.3/net/sctp/proc.c 2011-05-22 19:41:42.000000000 -0400
78904 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
78905 sctp_for_each_hentry(epb, node, &head->chain) {
78906 ep = sctp_ep(epb);
78907 sk = epb->sk;
78908 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78909 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78910 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78911 + NULL, NULL,
78912 +#else
78913 + ep, sk,
78914 +#endif
78915 sctp_sk(sk)->type, sk->sk_state, hash,
78916 epb->bind_addr.port,
78917 sock_i_uid(sk), sock_i_ino(sk));
78918 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
78919 seq_printf(seq,
78920 "%8p %8p %-3d %-3d %-2d %-4d "
78921 "%4d %8d %8d %7d %5lu %-5d %5d ",
78922 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78923 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78924 + NULL, NULL,
78925 +#else
78926 + assoc, sk,
78927 +#endif
78928 + sctp_sk(sk)->type, sk->sk_state,
78929 assoc->state, hash,
78930 assoc->assoc_id,
78931 assoc->sndbuf_used,
78932 diff -urNp linux-2.6.39.3/net/sctp/socket.c linux-2.6.39.3/net/sctp/socket.c
78933 --- linux-2.6.39.3/net/sctp/socket.c 2011-05-19 00:06:34.000000000 -0400
78934 +++ linux-2.6.39.3/net/sctp/socket.c 2011-05-22 19:36:35.000000000 -0400
78935 @@ -4433,7 +4433,7 @@ static int sctp_getsockopt_peer_addrs(st
78936 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
78937 if (space_left < addrlen)
78938 return -ENOMEM;
78939 - if (copy_to_user(to, &temp, addrlen))
78940 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
78941 return -EFAULT;
78942 to += addrlen;
78943 cnt++;
78944 diff -urNp linux-2.6.39.3/net/socket.c linux-2.6.39.3/net/socket.c
78945 --- linux-2.6.39.3/net/socket.c 2011-06-03 00:04:14.000000000 -0400
78946 +++ linux-2.6.39.3/net/socket.c 2011-06-03 00:32:08.000000000 -0400
78947 @@ -88,6 +88,7 @@
78948 #include <linux/nsproxy.h>
78949 #include <linux/magic.h>
78950 #include <linux/slab.h>
78951 +#include <linux/in.h>
78952
78953 #include <asm/uaccess.h>
78954 #include <asm/unistd.h>
78955 @@ -105,6 +106,8 @@
78956 #include <linux/sockios.h>
78957 #include <linux/atalk.h>
78958
78959 +#include <linux/grsock.h>
78960 +
78961 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
78962 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
78963 unsigned long nr_segs, loff_t pos);
78964 @@ -330,7 +333,7 @@ static struct dentry *sockfs_mount(struc
78965 &sockfs_dentry_operations, SOCKFS_MAGIC);
78966 }
78967
78968 -static struct vfsmount *sock_mnt __read_mostly;
78969 +struct vfsmount *sock_mnt __read_mostly;
78970
78971 static struct file_system_type sock_fs_type = {
78972 .name = "sockfs",
78973 @@ -1179,6 +1182,8 @@ int __sock_create(struct net *net, int f
78974 return -EAFNOSUPPORT;
78975 if (type < 0 || type >= SOCK_MAX)
78976 return -EINVAL;
78977 + if (protocol < 0)
78978 + return -EINVAL;
78979
78980 /* Compatibility.
78981
78982 @@ -1311,6 +1316,16 @@ SYSCALL_DEFINE3(socket, int, family, int
78983 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
78984 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
78985
78986 + if(!gr_search_socket(family, type, protocol)) {
78987 + retval = -EACCES;
78988 + goto out;
78989 + }
78990 +
78991 + if (gr_handle_sock_all(family, type, protocol)) {
78992 + retval = -EACCES;
78993 + goto out;
78994 + }
78995 +
78996 retval = sock_create(family, type, protocol, &sock);
78997 if (retval < 0)
78998 goto out;
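Review bot: gr_search_socket() and gr_handle_sock_all() receive `family` and `protocol` straight from the syscall arguments, before sock_create() has had a chance to range-check them; the `protocol < 0` test this patch adds to __sock_create() runs only afterwards. Neither helper is visible on this page, so it should be confirmed that they validate these values themselves before using them as indices or lookup keys. As a style point, `if(!gr_search_socket(...))` lacks the space after `if` that the surrounding lines use: `if (!gr_search_socket(family, type, protocol)) {`.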
78999 @@ -1423,6 +1438,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79000 if (sock) {
79001 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
79002 if (err >= 0) {
79003 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
79004 + err = -EACCES;
79005 + goto error;
79006 + }
79007 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
79008 + if (err)
79009 + goto error;
79010 +
79011 err = security_socket_bind(sock,
79012 (struct sockaddr *)&address,
79013 addrlen);
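Review bot: gr_search_bind() is handed `(struct sockaddr_in *)&address` without `addrlen` and regardless of the address family, and the connect hunk further down does the same for gr_search_connect(). move_addr_to_kernel() fills only `addrlen` bytes of the on-stack address buffer (declared as `struct sockaddr_storage` in the connect hunk). Unless the callee checks `sa_family` first and knows the length, it may interpret bytes the caller never supplied. The callee is not visible here. Passing `addrlen` along, or testing the family and `addrlen >= sizeof(struct sockaddr_in)` before the call, would make the contract explicit.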
79014 @@ -1431,6 +1454,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79015 (struct sockaddr *)
79016 &address, addrlen);
79017 }
79018 +error:
79019 fput_light(sock->file, fput_needed);
79020 }
79021 return err;
79022 @@ -1454,10 +1478,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
79023 if ((unsigned)backlog > somaxconn)
79024 backlog = somaxconn;
79025
79026 + if (gr_handle_sock_server_other(sock->sk)) {
79027 + err = -EPERM;
79028 + goto error;
79029 + }
79030 +
79031 + err = gr_search_listen(sock);
79032 + if (err)
79033 + goto error;
79034 +
79035 err = security_socket_listen(sock, backlog);
79036 if (!err)
79037 err = sock->ops->listen(sock, backlog);
79038
79039 +error:
79040 fput_light(sock->file, fput_needed);
79041 }
79042 return err;
79043 @@ -1501,6 +1535,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79044 newsock->type = sock->type;
79045 newsock->ops = sock->ops;
79046
79047 + if (gr_handle_sock_server_other(sock->sk)) {
79048 + err = -EPERM;
79049 + sock_release(newsock);
79050 + goto out_put;
79051 + }
79052 +
79053 + err = gr_search_accept(sock);
79054 + if (err) {
79055 + sock_release(newsock);
79056 + goto out_put;
79057 + }
79058 +
79059 /*
79060 * We don't need try_module_get here, as the listening socket (sock)
79061 * has the protocol module (sock->ops->owner) held.
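Review bot: Both new failure paths call sock_release(newsock) after `newsock->ops = sock->ops` has been assigned but, judging by the comment that closes this hunk, before the protocol module reference for newsock is taken. If sock_release() drops a module reference whenever `ops` is set, these paths would release a reference that was never acquired; that needs confirming against sock_release() and the lines just after the hunk. Running the two gr_ checks before `newsock->ops` is assigned, or after the module reference has been taken, would remove the doubt. The function continues outside the hunk.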
79062 @@ -1539,6 +1585,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79063 fd_install(newfd, newfile);
79064 err = newfd;
79065
79066 + gr_attach_curr_ip(newsock->sk);
79067 +
79068 out_put:
79069 fput_light(sock->file, fput_needed);
79070 out:
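Review bot: gr_attach_curr_ip(newsock->sk) runs after fd_install(newfd, newfile), at which point the descriptor is live in the file table and another thread of the same process can close it. If that close drops the last reference, newsock and its sk may already be released when the hook dereferences them. Moving the call to just before fd_install() keeps it inside the window where this path still owns the socket: `gr_attach_curr_ip(newsock->sk);` followed by `fd_install(newfd, newfile);`.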
79071 @@ -1571,6 +1619,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79072 int, addrlen)
79073 {
79074 struct socket *sock;
79075 + struct sockaddr *sck;
79076 struct sockaddr_storage address;
79077 int err, fput_needed;
79078
79079 @@ -1581,6 +1630,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79080 if (err < 0)
79081 goto out_put;
79082
79083 + sck = (struct sockaddr *)&address;
79084 +
79085 + if (gr_handle_sock_client(sck)) {
79086 + err = -EACCES;
79087 + goto out_put;
79088 + }
79089 +
79090 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
79091 + if (err)
79092 + goto out_put;
79093 +
79094 err =
79095 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
79096 if (err)
79097 @@ -1882,6 +1942,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
79098 int err, ctl_len, iov_size, total_len;
79099 int fput_needed;
79100
79101 + pax_track_stack();
79102 +
79103 err = -EFAULT;
79104 if (MSG_CMSG_COMPAT & flags) {
79105 if (get_compat_msghdr(&msg_sys, msg_compat))
79106 diff -urNp linux-2.6.39.3/net/sunrpc/sched.c linux-2.6.39.3/net/sunrpc/sched.c
79107 --- linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:18:51.000000000 -0400
79108 +++ linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:19:27.000000000 -0400
79109 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
79110 #ifdef RPC_DEBUG
79111 static void rpc_task_set_debuginfo(struct rpc_task *task)
79112 {
79113 - static atomic_t rpc_pid;
79114 + static atomic_unchecked_t rpc_pid;
79115
79116 - task->tk_pid = atomic_inc_return(&rpc_pid);
79117 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
79118 }
79119 #else
79120 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
79121 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c
79122 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-19 00:06:34.000000000 -0400
79123 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-22 19:36:35.000000000 -0400
79124 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
79125 static unsigned int min_max_inline = 4096;
79126 static unsigned int max_max_inline = 65536;
79127
79128 -atomic_t rdma_stat_recv;
79129 -atomic_t rdma_stat_read;
79130 -atomic_t rdma_stat_write;
79131 -atomic_t rdma_stat_sq_starve;
79132 -atomic_t rdma_stat_rq_starve;
79133 -atomic_t rdma_stat_rq_poll;
79134 -atomic_t rdma_stat_rq_prod;
79135 -atomic_t rdma_stat_sq_poll;
79136 -atomic_t rdma_stat_sq_prod;
79137 +atomic_unchecked_t rdma_stat_recv;
79138 +atomic_unchecked_t rdma_stat_read;
79139 +atomic_unchecked_t rdma_stat_write;
79140 +atomic_unchecked_t rdma_stat_sq_starve;
79141 +atomic_unchecked_t rdma_stat_rq_starve;
79142 +atomic_unchecked_t rdma_stat_rq_poll;
79143 +atomic_unchecked_t rdma_stat_rq_prod;
79144 +atomic_unchecked_t rdma_stat_sq_poll;
79145 +atomic_unchecked_t rdma_stat_sq_prod;
79146
79147 /* Temporary NFS request map and context caches */
79148 struct kmem_cache *svc_rdma_map_cachep;
79149 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
79150 len -= *ppos;
79151 if (len > *lenp)
79152 len = *lenp;
79153 - if (len && copy_to_user(buffer, str_buf, len))
79154 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
79155 return -EFAULT;
79156 *lenp = len;
79157 *ppos += len;
79158 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
79159 {
79160 .procname = "rdma_stat_read",
79161 .data = &rdma_stat_read,
79162 - .maxlen = sizeof(atomic_t),
79163 + .maxlen = sizeof(atomic_unchecked_t),
79164 .mode = 0644,
79165 .proc_handler = read_reset_stat,
79166 },
79167 {
79168 .procname = "rdma_stat_recv",
79169 .data = &rdma_stat_recv,
79170 - .maxlen = sizeof(atomic_t),
79171 + .maxlen = sizeof(atomic_unchecked_t),
79172 .mode = 0644,
79173 .proc_handler = read_reset_stat,
79174 },
79175 {
79176 .procname = "rdma_stat_write",
79177 .data = &rdma_stat_write,
79178 - .maxlen = sizeof(atomic_t),
79179 + .maxlen = sizeof(atomic_unchecked_t),
79180 .mode = 0644,
79181 .proc_handler = read_reset_stat,
79182 },
79183 {
79184 .procname = "rdma_stat_sq_starve",
79185 .data = &rdma_stat_sq_starve,
79186 - .maxlen = sizeof(atomic_t),
79187 + .maxlen = sizeof(atomic_unchecked_t),
79188 .mode = 0644,
79189 .proc_handler = read_reset_stat,
79190 },
79191 {
79192 .procname = "rdma_stat_rq_starve",
79193 .data = &rdma_stat_rq_starve,
79194 - .maxlen = sizeof(atomic_t),
79195 + .maxlen = sizeof(atomic_unchecked_t),
79196 .mode = 0644,
79197 .proc_handler = read_reset_stat,
79198 },
79199 {
79200 .procname = "rdma_stat_rq_poll",
79201 .data = &rdma_stat_rq_poll,
79202 - .maxlen = sizeof(atomic_t),
79203 + .maxlen = sizeof(atomic_unchecked_t),
79204 .mode = 0644,
79205 .proc_handler = read_reset_stat,
79206 },
79207 {
79208 .procname = "rdma_stat_rq_prod",
79209 .data = &rdma_stat_rq_prod,
79210 - .maxlen = sizeof(atomic_t),
79211 + .maxlen = sizeof(atomic_unchecked_t),
79212 .mode = 0644,
79213 .proc_handler = read_reset_stat,
79214 },
79215 {
79216 .procname = "rdma_stat_sq_poll",
79217 .data = &rdma_stat_sq_poll,
79218 - .maxlen = sizeof(atomic_t),
79219 + .maxlen = sizeof(atomic_unchecked_t),
79220 .mode = 0644,
79221 .proc_handler = read_reset_stat,
79222 },
79223 {
79224 .procname = "rdma_stat_sq_prod",
79225 .data = &rdma_stat_sq_prod,
79226 - .maxlen = sizeof(atomic_t),
79227 + .maxlen = sizeof(atomic_unchecked_t),
79228 .mode = 0644,
79229 .proc_handler = read_reset_stat,
79230 },
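Review bot: The counters and every `.maxlen` become atomic_unchecked_t, yet the only change to read_reset_stat() in this file is the copy_to_user() bound, so the handler that receives `.data` is apparently left as it was. If it still accesses the counter through an `atomic_t *` with atomic_read()/atomic_set(), it works only as long as the two types share a layout. Converting it to the `_unchecked` accessors would keep the types consistent with the table. Most of read_reset_stat() lies outside the visible hunks, so this needs checking in the full file.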
79231 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
79232 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-19 00:06:34.000000000 -0400
79233 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-22 19:36:35.000000000 -0400
79234 @@ -499,7 +499,7 @@ next_sge:
79235 svc_rdma_put_context(ctxt, 0);
79236 goto out;
79237 }
79238 - atomic_inc(&rdma_stat_read);
79239 + atomic_inc_unchecked(&rdma_stat_read);
79240
79241 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
79242 chl_map->ch[ch_no].count -= read_wr.num_sge;
79243 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79244 dto_q);
79245 list_del_init(&ctxt->dto_q);
79246 } else {
79247 - atomic_inc(&rdma_stat_rq_starve);
79248 + atomic_inc_unchecked(&rdma_stat_rq_starve);
79249 clear_bit(XPT_DATA, &xprt->xpt_flags);
79250 ctxt = NULL;
79251 }
79252 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79253 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
79254 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
79255 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
79256 - atomic_inc(&rdma_stat_recv);
79257 + atomic_inc_unchecked(&rdma_stat_recv);
79258
79259 /* Build up the XDR from the receive buffers. */
79260 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
79261 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c
79262 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-19 00:06:34.000000000 -0400
79263 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-22 19:36:35.000000000 -0400
79264 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
79265 write_wr.wr.rdma.remote_addr = to;
79266
79267 /* Post It */
79268 - atomic_inc(&rdma_stat_write);
79269 + atomic_inc_unchecked(&rdma_stat_write);
79270 if (svc_rdma_send(xprt, &write_wr))
79271 goto err;
79272 return 0;
79273 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c
79274 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-19 00:06:34.000000000 -0400
79275 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-22 19:36:35.000000000 -0400
79276 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
79277 return;
79278
79279 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
79280 - atomic_inc(&rdma_stat_rq_poll);
79281 + atomic_inc_unchecked(&rdma_stat_rq_poll);
79282
79283 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
79284 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
79285 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
79286 }
79287
79288 if (ctxt)
79289 - atomic_inc(&rdma_stat_rq_prod);
79290 + atomic_inc_unchecked(&rdma_stat_rq_prod);
79291
79292 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
79293 /*
79294 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
79295 return;
79296
79297 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
79298 - atomic_inc(&rdma_stat_sq_poll);
79299 + atomic_inc_unchecked(&rdma_stat_sq_poll);
79300 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
79301 if (wc.status != IB_WC_SUCCESS)
79302 /* Close the transport */
79303 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
79304 }
79305
79306 if (ctxt)
79307 - atomic_inc(&rdma_stat_sq_prod);
79308 + atomic_inc_unchecked(&rdma_stat_sq_prod);
79309 }
79310
79311 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
79312 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
79313 spin_lock_bh(&xprt->sc_lock);
79314 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
79315 spin_unlock_bh(&xprt->sc_lock);
79316 - atomic_inc(&rdma_stat_sq_starve);
79317 + atomic_inc_unchecked(&rdma_stat_sq_starve);
79318
79319 /* See if we can opportunistically reap SQ WR to make room */
79320 sq_cq_reap(xprt);
79321 diff -urNp linux-2.6.39.3/net/sysctl_net.c linux-2.6.39.3/net/sysctl_net.c
79322 --- linux-2.6.39.3/net/sysctl_net.c 2011-05-19 00:06:34.000000000 -0400
79323 +++ linux-2.6.39.3/net/sysctl_net.c 2011-05-22 19:41:42.000000000 -0400
79324 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
79325 struct ctl_table *table)
79326 {
79327 /* Allow network administrator to have same access as root. */
79328 - if (capable(CAP_NET_ADMIN)) {
79329 + if (capable_nolog(CAP_NET_ADMIN)) {
79330 int mode = (table->mode >> 6) & 7;
79331 return (mode << 6) | (mode << 3) | mode;
79332 }
79333 diff -urNp linux-2.6.39.3/net/unix/af_unix.c linux-2.6.39.3/net/unix/af_unix.c
79334 --- linux-2.6.39.3/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -0400
79335 +++ linux-2.6.39.3/net/unix/af_unix.c 2011-07-16 15:36:42.000000000 -0400
79336 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
79337 err = -ECONNREFUSED;
79338 if (!S_ISSOCK(inode->i_mode))
79339 goto put_fail;
79340 +
79341 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
79342 + err = -EACCES;
79343 + goto put_fail;
79344 + }
79345 +
79346 u = unix_find_socket_byinode(inode);
79347 if (!u)
79348 goto put_fail;
79349 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
79350 if (u) {
79351 struct dentry *dentry;
79352 dentry = unix_sk(u)->dentry;
79353 +
79354 + if (!gr_handle_chroot_unix(pid_vnr(u->sk_peer_pid))) {
79355 + err = -EPERM;
79356 + sock_put(u);
79357 + goto fail;
79358 + }
79359 +
79360 if (dentry)
79361 touch_atime(unix_sk(u)->mnt, dentry);
79362 } else
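Review bot: `u->sk_peer_pid` is read here with no lock visible in the hunk, while the unix_bind() hunk further down replaces the same field with `put_pid(sk->sk_peer_pid)` followed by `get_pid(task_tgid(current))`. If nothing serialises the two, pid_vnr() could be handed a struct pid whose last reference has just been dropped. The bind-time assignment also changes sk_peer_pid without a matching update of the peer credentials, so code that reports the two together may see a mismatched pair. A comment on both sides naming the lock that protects sk_peer_pid would settle this. unix_find_other() continues outside the hunk.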
79363 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
79364 err = security_path_mknod(&nd.path, dentry, mode, 0);
79365 if (err)
79366 goto out_mknod_drop_write;
79367 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
79368 + err = -EACCES;
79369 + goto out_mknod_drop_write;
79370 + }
79371 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
79372 out_mknod_drop_write:
79373 mnt_drop_write(nd.path.mnt);
79374 if (err)
79375 goto out_mknod_dput;
79376 +
79377 + gr_handle_create(dentry, nd.path.mnt);
79378 +
79379 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
79380 dput(nd.path.dentry);
79381 nd.path.dentry = dentry;
79382 @@ -894,6 +914,11 @@ out_mknod_drop_write:
79383 goto out_unlock;
79384 }
79385
79386 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
79387 + put_pid(sk->sk_peer_pid);
79388 + sk->sk_peer_pid = get_pid(task_tgid(current));
79389 +#endif
79390 +
79391 list = &unix_socket_table[addr->hash];
79392 } else {
79393 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
79394 @@ -2255,7 +2280,11 @@ static int unix_seq_show(struct seq_file
79395 unix_state_lock(s);
79396
79397 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
79398 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79399 + NULL,
79400 +#else
79401 s,
79402 +#endif
79403 atomic_read(&s->sk_refcnt),
79404 0,
79405 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
79406 diff -urNp linux-2.6.39.3/net/wireless/wext-core.c linux-2.6.39.3/net/wireless/wext-core.c
79407 --- linux-2.6.39.3/net/wireless/wext-core.c 2011-05-19 00:06:34.000000000 -0400
79408 +++ linux-2.6.39.3/net/wireless/wext-core.c 2011-05-22 19:36:35.000000000 -0400
79409 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
79410 */
79411
79412 /* Support for very large requests */
79413 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
79414 - (user_length > descr->max_tokens)) {
79415 + if (user_length > descr->max_tokens) {
79416 /* Allow userspace to GET more than max so
79417 * we can support any size GET requests.
79418 * There is still a limit : -ENOMEM.
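Review bot: Dropping the `IW_DESCR_FLAG_NOMAX` test means every descriptor now takes the "very large requests" branch when `user_length > descr->max_tokens`. The following hunk also removes the code that reset `iwp->length` to `max_tokens` for bounded GETs, and neither change is explained. The buffer allocation and the copy back to userspace are outside the hunk, so it should be confirmed that `extra` is zero-initialised and that the copy-back length can never exceed what was allocated. The remaining comment should say why the flag no longer matters, for example `/* size the buffer from user_length for all requests, not only NOMAX ones */`.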
79419 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
79420 }
79421 }
79422
79423 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
79424 - /*
79425 - * If this is a GET, but not NOMAX, it means that the extra
79426 - * data is not bounded by userspace, but by max_tokens. Thus
79427 - * set the length to max_tokens. This matches the extra data
79428 - * allocation.
79429 - * The driver should fill it with the number of tokens it
79430 - * provided, and it may check iwp->length rather than having
79431 - * knowledge of max_tokens. If the driver doesn't change the
79432 - * iwp->length, this ioctl just copies back max_token tokens
79433 - * filled with zeroes. Hopefully the driver isn't claiming
79434 - * them to be valid data.
79435 - */
79436 - iwp->length = descr->max_tokens;
79437 - }
79438 -
79439 err = handler(dev, info, (union iwreq_data *) iwp, extra);
79440
79441 iwp->length += essid_compat;
79442 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_policy.c linux-2.6.39.3/net/xfrm/xfrm_policy.c
79443 --- linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-19 00:06:34.000000000 -0400
79444 +++ linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-22 19:36:35.000000000 -0400
79445 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
79446 {
79447 policy->walk.dead = 1;
79448
79449 - atomic_inc(&policy->genid);
79450 + atomic_inc_unchecked(&policy->genid);
79451
79452 if (del_timer(&policy->timer))
79453 xfrm_pol_put(policy);
79454 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
79455 hlist_add_head(&policy->bydst, chain);
79456 xfrm_pol_hold(policy);
79457 net->xfrm.policy_count[dir]++;
79458 - atomic_inc(&flow_cache_genid);
79459 + atomic_inc_unchecked(&flow_cache_genid);
79460 if (delpol)
79461 __xfrm_policy_unlink(delpol, dir);
79462 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
79463 @@ -1527,7 +1527,7 @@ free_dst:
79464 goto out;
79465 }
79466
79467 -static int inline
79468 +static inline int
79469 xfrm_dst_alloc_copy(void **target, const void *src, int size)
79470 {
79471 if (!*target) {
79472 @@ -1539,7 +1539,7 @@ xfrm_dst_alloc_copy(void **target, const
79473 return 0;
79474 }
79475
79476 -static int inline
79477 +static inline int
79478 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
79479 {
79480 #ifdef CONFIG_XFRM_SUB_POLICY
79481 @@ -1551,7 +1551,7 @@ xfrm_dst_update_parent(struct dst_entry
79482 #endif
79483 }
79484
79485 -static int inline
79486 +static inline int
79487 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
79488 {
79489 #ifdef CONFIG_XFRM_SUB_POLICY
79490 @@ -1645,7 +1645,7 @@ xfrm_resolve_and_create_bundle(struct xf
79491
79492 xdst->num_pols = num_pols;
79493 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
79494 - xdst->policy_genid = atomic_read(&pols[0]->genid);
79495 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
79496
79497 return xdst;
79498 }
79499 @@ -2332,7 +2332,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
79500 if (xdst->xfrm_genid != dst->xfrm->genid)
79501 return 0;
79502 if (xdst->num_pols > 0 &&
79503 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
79504 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
79505 return 0;
79506
79507 mtu = dst_mtu(dst->child);
79508 @@ -2860,7 +2860,7 @@ static int xfrm_policy_migrate(struct xf
79509 sizeof(pol->xfrm_vec[i].saddr));
79510 pol->xfrm_vec[i].encap_family = mp->new_family;
79511 /* flush bundles */
79512 - atomic_inc(&pol->genid);
79513 + atomic_inc_unchecked(&pol->genid);
79514 }
79515 }
79516
79517 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_user.c linux-2.6.39.3/net/xfrm/xfrm_user.c
79518 --- linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-19 00:06:34.000000000 -0400
79519 +++ linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-22 19:36:35.000000000 -0400
79520 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
79521 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
79522 int i;
79523
79524 + pax_track_stack();
79525 +
79526 if (xp->xfrm_nr == 0)
79527 return 0;
79528
79529 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
79530 int err;
79531 int n = 0;
79532
79533 + pax_track_stack();
79534 +
79535 if (attrs[XFRMA_MIGRATE] == NULL)
79536 return -EINVAL;
79537
79538 diff -urNp linux-2.6.39.3/scripts/basic/fixdep.c linux-2.6.39.3/scripts/basic/fixdep.c
79539 --- linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-19 00:06:34.000000000 -0400
79540 +++ linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-22 19:36:35.000000000 -0400
79541 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
79542
79543 static void parse_config_file(const char *map, size_t len)
79544 {
79545 - const int *end = (const int *) (map + len);
79546 + const unsigned int *end = (const unsigned int *) (map + len);
79547 /* start at +1, so that p can never be < map */
79548 - const int *m = (const int *) map + 1;
79549 + const unsigned int *m = (const unsigned int *) map + 1;
79550 const char *p, *q;
79551
79552 for (; m < end; m++) {
79553 @@ -405,7 +405,7 @@ static void print_deps(void)
79554 static void traps(void)
79555 {
79556 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79557 - int *p = (int *)test;
79558 + unsigned int *p = (unsigned int *)test;
79559
79560 if (*p != INT_CONF) {
79561 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79562 diff -urNp linux-2.6.39.3/scripts/dtc/flattree.c linux-2.6.39.3/scripts/dtc/flattree.c
79563 --- linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-19 00:06:34.000000000 -0400
79564 +++ linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-22 19:36:35.000000000 -0400
79565 @@ -104,7 +104,7 @@ static void bin_emit_property(void *e, s
79566 bin_emit_cell(e, FDT_PROP);
79567 }
79568
79569 -static struct emitter bin_emitter = {
79570 +static const struct emitter bin_emitter = {
79571 .cell = bin_emit_cell,
79572 .string = bin_emit_string,
79573 .align = bin_emit_align,
79574 @@ -230,7 +230,7 @@ static void asm_emit_property(void *e, s
79575 asm_emit_cell(e, FDT_PROP);
79576 }
79577
79578 -static struct emitter asm_emitter = {
79579 +static const struct emitter asm_emitter = {
79580 .cell = asm_emit_cell,
79581 .string = asm_emit_string,
79582 .align = asm_emit_align,
79583 diff -urNp linux-2.6.39.3/scripts/Makefile.build linux-2.6.39.3/scripts/Makefile.build
79584 --- linux-2.6.39.3/scripts/Makefile.build 2011-05-19 00:06:34.000000000 -0400
79585 +++ linux-2.6.39.3/scripts/Makefile.build 2011-06-03 01:15:00.000000000 -0400
79586 @@ -93,7 +93,7 @@ endif
79587 endif
79588
79589 # Do not include host rules unless needed
79590 -ifneq ($(hostprogs-y)$(hostprogs-m),)
79591 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79592 include scripts/Makefile.host
79593 endif
79594
79595 diff -urNp linux-2.6.39.3/scripts/Makefile.clean linux-2.6.39.3/scripts/Makefile.clean
79596 --- linux-2.6.39.3/scripts/Makefile.clean 2011-05-19 00:06:34.000000000 -0400
79597 +++ linux-2.6.39.3/scripts/Makefile.clean 2011-06-03 01:16:02.000000000 -0400
79598 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79599 __clean-files := $(extra-y) $(always) \
79600 $(targets) $(clean-files) \
79601 $(host-progs) \
79602 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79603 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79604 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79605
79606 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
79607
79608 diff -urNp linux-2.6.39.3/scripts/Makefile.host linux-2.6.39.3/scripts/Makefile.host
79609 --- linux-2.6.39.3/scripts/Makefile.host 2011-05-19 00:06:34.000000000 -0400
79610 +++ linux-2.6.39.3/scripts/Makefile.host 2011-06-03 01:17:12.000000000 -0400
79611 @@ -31,6 +31,7 @@
79612 # Note: Shared libraries consisting of C++ files are not supported
79613
79614 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79615 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79616
79617 # C code
79618 # Executables compiled from a single .c file
79619 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79620 # Shared libaries (only .c supported)
79621 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79622 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79623 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79624 # Remove .so files from "xxx-objs"
79625 host-cobjs := $(filter-out %.so,$(host-cobjs))
79626
79627 diff -urNp linux-2.6.39.3/scripts/mod/file2alias.c linux-2.6.39.3/scripts/mod/file2alias.c
79628 --- linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-19 00:06:34.000000000 -0400
79629 +++ linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-22 19:36:35.000000000 -0400
79630 @@ -72,7 +72,7 @@ static void device_id_check(const char *
79631 unsigned long size, unsigned long id_size,
79632 void *symval)
79633 {
79634 - int i;
79635 + unsigned int i;
79636
79637 if (size % id_size || size < id_size) {
79638 if (cross_build != 0)
79639 @@ -102,7 +102,7 @@ static void device_id_check(const char *
79640 /* USB is special because the bcdDevice can be matched against a numeric range */
79641 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79642 static void do_usb_entry(struct usb_device_id *id,
79643 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79644 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79645 unsigned char range_lo, unsigned char range_hi,
79646 unsigned char max, struct module *mod)
79647 {
79648 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
79649 for (i = 0; i < count; i++) {
79650 const char *id = (char *)devs[i].id;
79651 char acpi_id[sizeof(devs[0].id)];
79652 - int j;
79653 + unsigned int j;
79654
79655 buf_printf(&mod->dev_table_buf,
79656 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79657 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
79658
79659 for (j = 0; j < PNP_MAX_DEVICES; j++) {
79660 const char *id = (char *)card->devs[j].id;
79661 - int i2, j2;
79662 + unsigned int i2, j2;
79663 int dup = 0;
79664
79665 if (!id[0])
79666 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
79667 /* add an individual alias for every device entry */
79668 if (!dup) {
79669 char acpi_id[sizeof(card->devs[0].id)];
79670 - int k;
79671 + unsigned int k;
79672
79673 buf_printf(&mod->dev_table_buf,
79674 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79675 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
79676 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79677 char *alias)
79678 {
79679 - int i, j;
79680 + unsigned int i, j;
79681
79682 sprintf(alias, "dmi*");
79683
79684 diff -urNp linux-2.6.39.3/scripts/mod/modpost.c linux-2.6.39.3/scripts/mod/modpost.c
79685 --- linux-2.6.39.3/scripts/mod/modpost.c 2011-05-19 00:06:34.000000000 -0400
79686 +++ linux-2.6.39.3/scripts/mod/modpost.c 2011-07-06 20:00:13.000000000 -0400
79687 @@ -896,6 +896,7 @@ enum mismatch {
79688 ANY_INIT_TO_ANY_EXIT,
79689 ANY_EXIT_TO_ANY_INIT,
79690 EXPORT_TO_INIT_EXIT,
79691 + DATA_TO_TEXT
79692 };
79693
79694 struct sectioncheck {
79695 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
79696 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79697 .mismatch = EXPORT_TO_INIT_EXIT,
79698 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
79699 +},
79700 +/* Do not reference code from writable data */
79701 +{
79702 + .fromsec = { DATA_SECTIONS, NULL },
79703 + .tosec = { TEXT_SECTIONS, NULL },
79704 + .mismatch = DATA_TO_TEXT
79705 }
79706 };
79707
79708 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
79709 continue;
79710 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79711 continue;
79712 - if (sym->st_value == addr)
79713 - return sym;
79714 /* Find a symbol nearby - addr are maybe negative */
79715 d = sym->st_value - addr;
79716 + if (d == 0)
79717 + return sym;
79718 if (d < 0)
79719 d = addr - sym->st_value;
79720 if (d < distance) {
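Review bot: Testing `d == 0` instead of `sym->st_value == addr` makes the exact-match case depend on the type of `d`, which is declared outside the hunk. If `d` is narrower than `st_value` (a 32-bit signed difference on a 64-bit ELF, for instance), two addresses that differ by a multiple of 2^32 would now count as an exact match, which the removed full-width comparison ruled out. Keeping `if (sym->st_value == addr) return sym;` ahead of the subtraction, or widening `d`, avoids that.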
79721 @@ -1408,6 +1415,14 @@ static void report_sec_mismatch(const ch
79722 tosym, prl_to, prl_to, tosym);
79723 free(prl_to);
79724 break;
79725 + case DATA_TO_TEXT:
79726 +/*
79727 + fprintf(stderr,
79728 + "The variable %s references\n"
79729 + "the %s %s%s%s\n",
79730 + fromsym, to, sec2annotation(tosec), tosym, to_p);
79731 +*/
79732 + break;
79733 }
79734 fprintf(stderr, "\n");
79735 }
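Review bot: The new `case DATA_TO_TEXT:` contains only a commented-out fprintf(), so a mismatch of this kind reaches the trailing `fprintf(stderr, "\n")` with no explanation printed. If the report header earlier in report_sec_mismatch() (outside the hunk) is still emitted for it, the build log gets a warning with an empty body. Either enable the message or delete the dead block and replace it with a one-line comment stating the actual reason the case is silent. The matching sectioncheck[] entry added above also omits the trailing comma after `.mismatch = DATA_TO_TEXT`, unlike the entries before it.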
79736 @@ -1633,7 +1648,7 @@ static void section_rel(const char *modn
79737 static void check_sec_ref(struct module *mod, const char *modname,
79738 struct elf_info *elf)
79739 {
79740 - int i;
79741 + unsigned int i;
79742 Elf_Shdr *sechdrs = elf->sechdrs;
79743
79744 /* Walk through all sections */
79745 @@ -1731,7 +1746,7 @@ void __attribute__((format(printf, 2, 3)
79746 va_end(ap);
79747 }
79748
79749 -void buf_write(struct buffer *buf, const char *s, int len)
79750 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
79751 {
79752 if (buf->size - buf->pos < len) {
79753 buf->size += len + SZ;
79754 @@ -1943,7 +1958,7 @@ static void write_if_changed(struct buff
79755 if (fstat(fileno(file), &st) < 0)
79756 goto close_write;
79757
79758 - if (st.st_size != b->pos)
79759 + if (st.st_size != (off_t)b->pos)
79760 goto close_write;
79761
79762 tmp = NOFAIL(malloc(b->pos));
79763 diff -urNp linux-2.6.39.3/scripts/mod/modpost.h linux-2.6.39.3/scripts/mod/modpost.h
79764 --- linux-2.6.39.3/scripts/mod/modpost.h 2011-05-19 00:06:34.000000000 -0400
79765 +++ linux-2.6.39.3/scripts/mod/modpost.h 2011-05-22 19:36:35.000000000 -0400
79766 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79767
79768 struct buffer {
79769 char *p;
79770 - int pos;
79771 - int size;
79772 + unsigned int pos;
79773 + unsigned int size;
79774 };
79775
79776 void __attribute__((format(printf, 2, 3)))
79777 buf_printf(struct buffer *buf, const char *fmt, ...);
79778
79779 void
79780 -buf_write(struct buffer *buf, const char *s, int len);
79781 +buf_write(struct buffer *buf, const char *s, unsigned int len);
79782
79783 struct module {
79784 struct module *next;
79785 diff -urNp linux-2.6.39.3/scripts/mod/sumversion.c linux-2.6.39.3/scripts/mod/sumversion.c
79786 --- linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-19 00:06:34.000000000 -0400
79787 +++ linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-22 19:36:35.000000000 -0400
79788 @@ -470,7 +470,7 @@ static void write_version(const char *fi
79789 goto out;
79790 }
79791
79792 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79793 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79794 warn("writing sum in %s failed: %s\n",
79795 filename, strerror(errno));
79796 goto out;
79797 diff -urNp linux-2.6.39.3/scripts/pnmtologo.c linux-2.6.39.3/scripts/pnmtologo.c
79798 --- linux-2.6.39.3/scripts/pnmtologo.c 2011-05-19 00:06:34.000000000 -0400
79799 +++ linux-2.6.39.3/scripts/pnmtologo.c 2011-05-22 19:36:35.000000000 -0400
79800 @@ -237,14 +237,14 @@ static void write_header(void)
79801 fprintf(out, " * Linux logo %s\n", logoname);
79802 fputs(" */\n\n", out);
79803 fputs("#include <linux/linux_logo.h>\n\n", out);
79804 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79805 + fprintf(out, "static unsigned char %s_data[] = {\n",
79806 logoname);
79807 }
79808
79809 static void write_footer(void)
79810 {
79811 fputs("\n};\n\n", out);
79812 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79813 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
79814 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79815 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79816 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
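Review bot: Nothing in `write_header()` or `write_footer()` records why the generated arrays no longer carry `__initdata` / `__initconst`; the same applies to the `%s_clut` array in the `write_logo_clut224()` hunk that follows. Without those annotations the logo data presumably stays resident after boot instead of being discarded with the init sections, which a later maintainer may try to "fix" by restoring them. A comment above the first changed `fprintf` would prevent that, for example `/* no __initdata on purpose: <reason to be filled in by the author> */`.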
79817 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79818 fputs("\n};\n\n", out);
79819
79820 /* write logo clut */
79821 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79822 + fprintf(out, "static unsigned char %s_clut[] = {\n",
79823 logoname);
79824 write_hex_cnt = 0;
79825 for (i = 0; i < logo_clutsize; i++) {
79826 diff -urNp linux-2.6.39.3/security/apparmor/lsm.c linux-2.6.39.3/security/apparmor/lsm.c
79827 --- linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 12:55:23.000000000 -0400
79828 +++ linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 13:00:28.000000000 -0400
79829 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
79830 return error;
79831 }
79832
79833 -static struct security_operations apparmor_ops = {
79834 +static struct security_operations apparmor_ops __read_only = {
79835 .name = "apparmor",
79836
79837 .ptrace_access_check = apparmor_ptrace_access_check,
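Review bot: `apparmor_ops` is marked `__read_only` while the three `kernel_param_ops` tables later in this file are made `const`, and the hunk gives no reason for the difference. Presumably the hook table still has to be written while the LSM registers and can only be protected afterwards; that is not visible here and should be confirmed. A one-line comment such as `/* written during LSM registration, read-only afterwards, so not const */` would keep someone from changing it to `const` later. The initializer continues outside the hunk.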
79838 @@ -672,7 +672,7 @@ static struct security_operations apparm
79839 static int param_set_aabool(const char *val, const struct kernel_param *kp);
79840 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
79841 #define param_check_aabool(name, p) __param_check(name, p, int)
79842 -static struct kernel_param_ops param_ops_aabool = {
79843 +static const struct kernel_param_ops param_ops_aabool = {
79844 .set = param_set_aabool,
79845 .get = param_get_aabool
79846 };
79847 @@ -680,7 +680,7 @@ static struct kernel_param_ops param_ops
79848 static int param_set_aauint(const char *val, const struct kernel_param *kp);
79849 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
79850 #define param_check_aauint(name, p) __param_check(name, p, int)
79851 -static struct kernel_param_ops param_ops_aauint = {
79852 +static const struct kernel_param_ops param_ops_aauint = {
79853 .set = param_set_aauint,
79854 .get = param_get_aauint
79855 };
79856 @@ -688,7 +688,7 @@ static struct kernel_param_ops param_ops
79857 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
79858 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
79859 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
79860 -static struct kernel_param_ops param_ops_aalockpolicy = {
79861 +static const struct kernel_param_ops param_ops_aalockpolicy = {
79862 .set = param_set_aalockpolicy,
79863 .get = param_get_aalockpolicy
79864 };
79865 diff -urNp linux-2.6.39.3/security/commoncap.c linux-2.6.39.3/security/commoncap.c
79866 --- linux-2.6.39.3/security/commoncap.c 2011-05-19 00:06:34.000000000 -0400
79867 +++ linux-2.6.39.3/security/commoncap.c 2011-05-22 20:28:59.000000000 -0400
79868 @@ -28,6 +28,7 @@
79869 #include <linux/prctl.h>
79870 #include <linux/securebits.h>
79871 #include <linux/user_namespace.h>
79872 +#include <net/sock.h>
79873
79874 /*
79875 * If a non-root user executes a setuid-root binary in
79876 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
79877
79878 int cap_netlink_recv(struct sk_buff *skb, int cap)
79879 {
79880 - if (!cap_raised(current_cap(), cap))
79881 + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
79882 return -EPERM;
79883 return 0;
79884 }
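Review bot: The new condition in `cap_netlink_recv()` depends on short-circuit order and does not say so: `gr_is_capable(cap)` is evaluated only when `cap_raised()` has already succeeded, so the policy check (and any logging it performs, which is not visible here) runs only for tasks that hold the capability. Both checks look at `current`, while the `skb` argument stays unused, and a denial from either source returns the same `-EPERM`. A comment above the test would record the intent, for example `/* capability first; the RBAC check runs only if the capability is raised */`.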
79885 @@ -580,6 +581,9 @@ int cap_bprm_secureexec(struct linux_bin
79886 {
79887 const struct cred *cred = current_cred();
79888
79889 + if (gr_acl_enable_at_secure())
79890 + return 1;
79891 +
79892 if (cred->uid != 0) {
79893 if (bprm->cap_effective)
79894 return 1;
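Review bot: The added early `return 1` in `cap_bprm_secureexec()` bypasses the uid and capability tests below it and carries no comment explaining the effect. When `gr_acl_enable_at_secure()` is non-zero, every exec is reported as secure regardless of credentials, which as far as I know is what makes the loader see AT_SECURE and drop unsafe environment settings; the helper's definition is outside this hunk. Suggested comment: `/* RBAC policy can force secure-exec mode for this task, independent of uid/caps */`. The function continues outside the hunk.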
79895 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_api.c linux-2.6.39.3/security/integrity/ima/ima_api.c
79896 --- linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-19 00:06:34.000000000 -0400
79897 +++ linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-22 19:36:35.000000000 -0400
79898 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
79899 int result;
79900
79901 /* can overflow, only indicator */
79902 - atomic_long_inc(&ima_htable.violations);
79903 + atomic_long_inc_unchecked(&ima_htable.violations);
79904
79905 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
79906 if (!entry) {
79907 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_fs.c linux-2.6.39.3/security/integrity/ima/ima_fs.c
79908 --- linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-19 00:06:34.000000000 -0400
79909 +++ linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-22 19:36:35.000000000 -0400
79910 @@ -28,12 +28,12 @@
79911 static int valid_policy = 1;
79912 #define TMPBUFLEN 12
79913 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
79914 - loff_t *ppos, atomic_long_t *val)
79915 + loff_t *ppos, atomic_long_unchecked_t *val)
79916 {
79917 char tmpbuf[TMPBUFLEN];
79918 ssize_t len;
79919
79920 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
79921 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
79922 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
79923 }
79924
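Review bot: `TMPBUFLEN` is 12, which fits at most ten digits plus the newline and terminator, but the counter read by `atomic_long_read_unchecked()` is a `long` that is now explicitly allowed to grow without bound and wrap. On 64-bit builds a large or negative value is silently truncated by `scnprintf()`, so userspace reads a wrong number without the trailing newline. Sizing the buffer for the widest `%li` output avoids this: `#define TMPBUFLEN 22`.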
79925 diff -urNp linux-2.6.39.3/security/integrity/ima/ima.h linux-2.6.39.3/security/integrity/ima/ima.h
79926 --- linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-19 00:06:34.000000000 -0400
79927 +++ linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-22 19:36:35.000000000 -0400
79928 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
79929 extern spinlock_t ima_queue_lock;
79930
79931 struct ima_h_table {
79932 - atomic_long_t len; /* number of stored measurements in the list */
79933 - atomic_long_t violations;
79934 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79935 + atomic_long_unchecked_t violations;
79936 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79937 };
79938 extern struct ima_h_table ima_htable;
79939 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_queue.c linux-2.6.39.3/security/integrity/ima/ima_queue.c
79940 --- linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-19 00:06:34.000000000 -0400
79941 +++ linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-22 19:36:35.000000000 -0400
79942 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
79943 INIT_LIST_HEAD(&qe->later);
79944 list_add_tail_rcu(&qe->later, &ima_measurements);
79945
79946 - atomic_long_inc(&ima_htable.len);
79947 + atomic_long_inc_unchecked(&ima_htable.len);
79948 key = ima_hash_key(entry->digest);
79949 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79950 return 0;
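Review bot: `ima_htable.len` is switched to the unchecked increment without the justification that `violations` carries in ima_api.c ("can overflow, only indicator"). The `_unchecked` variants opt a counter out of the overflow detection, so each use should say why wrapping is harmless; from the visible hunks `len` appears to be a statistic rather than a reference count, but its other users are outside this view. Suggested comment above the call: `/* statistic only, not a reference count; may wrap */`.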
79951 diff -urNp linux-2.6.39.3/security/Kconfig linux-2.6.39.3/security/Kconfig
79952 --- linux-2.6.39.3/security/Kconfig 2011-05-19 00:06:34.000000000 -0400
79953 +++ linux-2.6.39.3/security/Kconfig 2011-07-06 19:58:46.000000000 -0400
79954 @@ -4,6 +4,554 @@
79955
79956 menu "Security options"
79957
79958 +source grsecurity/Kconfig
79959 +
79960 +menu "PaX"
79961 +
79962 + config ARCH_TRACK_EXEC_LIMIT
79963 + bool
79964 +
79965 + config PAX_PER_CPU_PGD
79966 + bool
79967 +
79968 + config TASK_SIZE_MAX_SHIFT
79969 + int
79970 + depends on X86_64
79971 + default 47 if !PAX_PER_CPU_PGD
79972 + default 42 if PAX_PER_CPU_PGD
79973 +
79974 + config PAX_ENABLE_PAE
79975 + bool
79976 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79977 +
79978 +config PAX
79979 + bool "Enable various PaX features"
79980 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79981 + help
79982 + This allows you to enable various PaX features. PaX adds
79983 + intrusion prevention mechanisms to the kernel that reduce
79984 + the risks posed by exploitable memory corruption bugs.
79985 +
79986 +menu "PaX Control"
79987 + depends on PAX
79988 +
79989 +config PAX_SOFTMODE
79990 + bool 'Support soft mode'
79991 + select PAX_PT_PAX_FLAGS
79992 + help
79993 + Enabling this option will allow you to run PaX in soft mode, that
79994 + is, PaX features will not be enforced by default, only on executables
79995 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
79996 + is the only way to mark executables for soft mode use.
79997 +
79998 + Soft mode can be activated by using the "pax_softmode=1" kernel command
79999 + line option on boot. Furthermore you can control various PaX features
80000 + at runtime via the entries in /proc/sys/kernel/pax.
80001 +
80002 +config PAX_EI_PAX
80003 + bool 'Use legacy ELF header marking'
80004 + help
80005 + Enabling this option will allow you to control PaX features on
80006 + a per executable basis via the 'chpax' utility available at
80007 + http://pax.grsecurity.net/. The control flags will be read from
80008 + an otherwise reserved part of the ELF header. This marking has
80009 + numerous drawbacks (no support for soft-mode, toolchain does not
80010 + know about the non-standard use of the ELF header) therefore it
80011 + has been deprecated in favour of PT_PAX_FLAGS support.
80012 +
80013 + Note that if you enable PT_PAX_FLAGS marking support as well,
80014 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
80015 +
80016 +config PAX_PT_PAX_FLAGS
80017 + bool 'Use ELF program header marking'
80018 + help
80019 + Enabling this option will allow you to control PaX features on
80020 + a per executable basis via the 'paxctl' utility available at
80021 + http://pax.grsecurity.net/. The control flags will be read from
80022 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
80023 + has the benefits of supporting both soft mode and being fully
80024 + integrated into the toolchain (the binutils patch is available
80025 + from http://pax.grsecurity.net).
80026 +
80027 + If your toolchain does not support PT_PAX_FLAGS markings,
80028 + you can create one in most cases with 'paxctl -C'.
80029 +
80030 + Note that if you enable the legacy EI_PAX marking support as well,
80031 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
80032 +
80033 +choice
80034 + prompt 'MAC system integration'
80035 + default PAX_HAVE_ACL_FLAGS
80036 + help
80037 + Mandatory Access Control systems have the option of controlling
80038 + PaX flags on a per executable basis, choose the method supported
80039 + by your particular system.
80040 +
80041 + - "none": if your MAC system does not interact with PaX,
80042 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
80043 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
80044 +
80045 + NOTE: this option is for developers/integrators only.
80046 +
80047 + config PAX_NO_ACL_FLAGS
80048 + bool 'none'
80049 +
80050 + config PAX_HAVE_ACL_FLAGS
80051 + bool 'direct'
80052 +
80053 + config PAX_HOOK_ACL_FLAGS
80054 + bool 'hook'
80055 +endchoice
80056 +
80057 +endmenu
80058 +
80059 +menu "Non-executable pages"
80060 + depends on PAX
80061 +
80062 +config PAX_NOEXEC
80063 + bool "Enforce non-executable pages"
80064 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
80065 + help
80066 + By design some architectures do not allow for protecting memory
80067 + pages against execution or even if they do, Linux does not make
80068 + use of this feature. In practice this means that if a page is
80069 + readable (such as the stack or heap) it is also executable.
80070 +
80071 + There is a well known exploit technique that makes use of this
80072 + fact and a common programming mistake where an attacker can
80073 + introduce code of his choice somewhere in the attacked program's
80074 + memory (typically the stack or the heap) and then execute it.
80075 +
80076 + If the attacked program was running with different (typically
80077 + higher) privileges than that of the attacker, then he can elevate
80078 + his own privilege level (e.g. get a root shell, write to files for
80079 + which he does not have write access to, etc).
80080 +
80081 + Enabling this option will let you choose from various features
80082 + that prevent the injection and execution of 'foreign' code in
80083 + a program.
80084 +
80085 + This will also break programs that rely on the old behaviour and
80086 + expect that dynamically allocated memory via the malloc() family
80087 + of functions is executable (which it is not). Notable examples
80088 + are the XFree86 4.x server, the java runtime and wine.
80089 +
80090 +config PAX_PAGEEXEC
80091 + bool "Paging based non-executable pages"
80092 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
80093 + select S390_SWITCH_AMODE if S390
80094 + select S390_EXEC_PROTECT if S390
80095 + select ARCH_TRACK_EXEC_LIMIT if X86_32
80096 + help
80097 + This implementation is based on the paging feature of the CPU.
80098 + On i386 without hardware non-executable bit support there is a
80099 + variable but usually low performance impact, however on Intel's
80100 + P4 core based CPUs it is very high so you should not enable this
80101 + for kernels meant to be used on such CPUs.
80102 +
80103 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
80104 + with hardware non-executable bit support there is no performance
80105 + impact, on ppc the impact is negligible.
80106 +
80107 + Note that several architectures require various emulations due to
80108 + badly designed userland ABIs, this will cause a performance impact
80109 + but will disappear as soon as userland is fixed. For example, ppc
80110 + userland MUST have been built with secure-plt by a recent toolchain.
80111 +
80112 +config PAX_SEGMEXEC
80113 + bool "Segmentation based non-executable pages"
80114 + depends on PAX_NOEXEC && X86_32
80115 + help
80116 + This implementation is based on the segmentation feature of the
80117 + CPU and has a very small performance impact, however applications
80118 + will be limited to a 1.5 GB address space instead of the normal
80119 + 3 GB.
80120 +
80121 +config PAX_EMUTRAMP
80122 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
80123 + default y if PARISC
80124 + help
80125 + There are some programs and libraries that for one reason or
80126 + another attempt to execute special small code snippets from
80127 + non-executable memory pages. Most notable examples are the
80128 + signal handler return code generated by the kernel itself and
80129 + the GCC trampolines.
80130 +
80131 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
80132 + such programs will no longer work under your kernel.
80133 +
80134 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
80135 + utilities to enable trampoline emulation for the affected programs
80136 + yet still have the protection provided by the non-executable pages.
80137 +
80138 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
80139 + your system will not even boot.
80140 +
80141 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
80142 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
80143 + for the affected files.
80144 +
80145 + NOTE: enabling this feature *may* open up a loophole in the
80146 + protection provided by non-executable pages that an attacker
80147 + could abuse. Therefore the best solution is to not have any
80148 + files on your system that would require this option. This can
80149 + be achieved by not using libc5 (which relies on the kernel
80150 + signal handler return code) and not using or rewriting programs
80151 + that make use of the nested function implementation of GCC.
80152 + Skilled users can just fix GCC itself so that it implements
80153 + nested function calls in a way that does not interfere with PaX.
80154 +
80155 +config PAX_EMUSIGRT
80156 + bool "Automatically emulate sigreturn trampolines"
80157 + depends on PAX_EMUTRAMP && PARISC
80158 + default y
80159 + help
80160 + Enabling this option will have the kernel automatically detect
80161 + and emulate signal return trampolines executing on the stack
80162 + that would otherwise lead to task termination.
80163 +
80164 + This solution is intended as a temporary one for users with
80165 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
80166 + Modula-3 runtime, etc) or executables linked to such, basically
80167 + everything that does not specify its own SA_RESTORER function in
80168 + normal executable memory like glibc 2.1+ does.
80169 +
80170 + On parisc you MUST enable this option, otherwise your system will
80171 + not even boot.
80172 +
80173 + NOTE: this feature cannot be disabled on a per executable basis
80174 + and since it *does* open up a loophole in the protection provided
80175 + by non-executable pages, the best solution is to not have any
80176 + files on your system that would require this option.
80177 +
80178 +config PAX_MPROTECT
80179 + bool "Restrict mprotect()"
80180 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
80181 + help
80182 + Enabling this option will prevent programs from
80183 + - changing the executable status of memory pages that were
80184 + not originally created as executable,
80185 + - making read-only executable pages writable again,
80186 + - creating executable pages from anonymous memory,
80187 + - making read-only-after-relocations (RELRO) data pages writable again.
80188 +
80189 + You should say Y here to complete the protection provided by
80190 + the enforcement of non-executable pages.
80191 +
80192 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80193 + this feature on a per file basis.
80194 +
80195 +config PAX_MPROTECT_COMPAT
80196 + bool "Use legacy/compat protection demoting (read help)"
80197 + depends on PAX_MPROTECT
80198 + default n
80199 + help
80200 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
80201 + by sending the proper error code to the application. For some broken
80202 + userland, this can cause problems with Python or other applications. The
80203 + current implementation however allows for applications like clamav to
80204 + detect if JIT compilation/execution is allowed and to fall back gracefully
80205 + to an interpreter-based mode if it does not. While we encourage everyone
80206 + to use the current implementation as-is and push upstream to fix broken
80207 + userland (note that the RWX logging option can assist with this), in some
80208 + environments this may not be possible. Having to disable MPROTECT
80209 + completely on certain binaries reduces the security benefit of PaX,
80210 + so this option is provided for those environments to revert to the old
80211 + behavior.
80212 +
80213 +config PAX_ELFRELOCS
80214 + bool "Allow ELF text relocations (read help)"
80215 + depends on PAX_MPROTECT
80216 + default n
80217 + help
80218 + Non-executable pages and mprotect() restrictions are effective
80219 + in preventing the introduction of new executable code into an
80220 + attacked task's address space. There remain only two venues
80221 + for this kind of attack: if the attacker can execute already
80222 + existing code in the attacked task then he can either have it
80223 + create and mmap() a file containing his code or have it mmap()
80224 + an already existing ELF library that does not have position
80225 + independent code in it and use mprotect() on it to make it
80226 + writable and copy his code there. While protecting against
80227 + the former approach is beyond PaX, the latter can be prevented
80228 + by having only PIC ELF libraries on one's system (which do not
80229 + need to relocate their code). If you are sure this is your case,
80230 + as is the case with all modern Linux distributions, then leave
80231 + this option disabled. You should say 'n' here.
80232 +
80233 +config PAX_ETEXECRELOCS
80234 + bool "Allow ELF ET_EXEC text relocations"
80235 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
80236 + select PAX_ELFRELOCS
80237 + default y
80238 + help
80239 + On some architectures there are incorrectly created applications
80240 + that require text relocations and would not work without enabling
80241 + this option. If you are an alpha, ia64 or parisc user, you should
80242 + enable this option and disable it once you have made sure that
80243 + none of your applications need it.
80244 +
80245 +config PAX_EMUPLT
80246 + bool "Automatically emulate ELF PLT"
80247 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
80248 + default y
80249 + help
80250 + Enabling this option will have the kernel automatically detect
80251 + and emulate the Procedure Linkage Table entries in ELF files.
80252 + On some architectures such entries are in writable memory, and
80253 + become non-executable leading to task termination. Therefore
80254 + it is mandatory that you enable this option on alpha, parisc,
80255 + sparc and sparc64, otherwise your system would not even boot.
80256 +
80257 + NOTE: this feature *does* open up a loophole in the protection
80258 + provided by the non-executable pages, therefore the proper
80259 + solution is to modify the toolchain to produce a PLT that does
80260 + not need to be writable.
80261 +
80262 +config PAX_DLRESOLVE
80263 + bool 'Emulate old glibc resolver stub'
80264 + depends on PAX_EMUPLT && SPARC
80265 + default n
80266 + help
80267 + This option is needed if userland has an old glibc (before 2.4)
80268 + that puts a 'save' instruction into the runtime generated resolver
80269 + stub that needs special emulation.
80270 +
80271 +config PAX_KERNEXEC
80272 + bool "Enforce non-executable kernel pages"
80273 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
80274 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
80275 + help
80276 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
80277 + that is, enabling this option will make it harder to inject
80278 + and execute 'foreign' code in kernel memory itself.
80279 +
80280 + Note that on x86_64 kernels there is a known regression when
80281 + this feature and KVM/VMX are both enabled in the host kernel.
80282 +
80283 +config PAX_KERNEXEC_MODULE_TEXT
80284 + int "Minimum amount of memory reserved for module code"
80285 + default "4"
80286 + depends on PAX_KERNEXEC && X86_32 && MODULES
80287 + help
80288 + Due to implementation details the kernel must reserve a fixed
80289 + amount of memory for module code at compile time that cannot be
80290 + changed at runtime. Here you can specify the minimum amount
80291 + in MB that will be reserved. Due to the same implementation
80292 + details this size will always be rounded up to the next 2/4 MB
80293 + boundary (depends on PAE) so the actually available memory for
80294 + module code will usually be more than this minimum.
80295 +
80296 + The default 4 MB should be enough for most users but if you have
80297 + an excessive number of modules (e.g., most distribution configs
80298 + compile many drivers as modules) or use huge modules such as
80299 + nvidia's kernel driver, you will need to adjust this amount.
80300 + A good rule of thumb is to look at your currently loaded kernel
80301 + modules and add up their sizes.
80302 +
80303 +endmenu
80304 +
80305 +menu "Address Space Layout Randomization"
80306 + depends on PAX
80307 +
80308 +config PAX_ASLR
80309 + bool "Address Space Layout Randomization"
80310 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
80311 + help
80312 + Many if not most exploit techniques rely on the knowledge of
80313 + certain addresses in the attacked program. The following options
80314 + will allow the kernel to apply a certain amount of randomization
80315 + to specific parts of the program thereby forcing an attacker to
80316 + guess them in most cases. Any failed guess will most likely crash
80317 + the attacked program which allows the kernel to detect such attempts
80318 + and react on them. PaX itself provides no reaction mechanisms,
80319 + instead it is strongly encouraged that you make use of Nergal's
80320 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
80321 + (http://www.grsecurity.net/) built-in crash detection features or
80322 + develop one yourself.
80323 +
80324 + By saying Y here you can choose to randomize the following areas:
80325 + - top of the task's kernel stack
80326 + - top of the task's userland stack
80327 + - base address for mmap() requests that do not specify one
80328 + (this includes all libraries)
80329 + - base address of the main executable
80330 +
80331 + It is strongly recommended to say Y here as address space layout
80332 + randomization has negligible impact on performance yet it provides
80333 + a very effective protection.
80334 +
80335 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80336 + this feature on a per file basis.
80337 +
80338 +config PAX_RANDKSTACK
80339 + bool "Randomize kernel stack base"
80340 + depends on PAX_ASLR && X86_TSC && X86
80341 + help
80342 + By saying Y here the kernel will randomize every task's kernel
80343 + stack on every system call. This will not only force an attacker
80344 + to guess it but also prevent him from making use of possible
80345 + leaked information about it.
80346 +
80347 + Since the kernel stack is a rather scarce resource, randomization
80348 + may cause unexpected stack overflows, therefore you should very
80349 + carefully test your system. Note that once enabled in the kernel
80350 + configuration, this feature cannot be disabled on a per file basis.
80351 +
80352 +config PAX_RANDUSTACK
80353 + bool "Randomize user stack base"
80354 + depends on PAX_ASLR
80355 + help
80356 + By saying Y here the kernel will randomize every task's userland
80357 + stack. The randomization is done in two steps where the second
80358 + one may apply a big amount of shift to the top of the stack and
80359 + cause problems for programs that want to use lots of memory (more
80360 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
80361 + For this reason the second step can be controlled by 'chpax' or
80362 + 'paxctl' on a per file basis.
80363 +
80364 +config PAX_RANDMMAP
80365 + bool "Randomize mmap() base"
80366 + depends on PAX_ASLR
80367 + help
80368 + By saying Y here the kernel will use a randomized base address for
80369 + mmap() requests that do not specify one themselves. As a result
80370 + all dynamically loaded libraries will appear at random addresses
80371 + and therefore be harder to exploit by a technique where an attacker
80372 + attempts to execute library code for his purposes (e.g. spawn a
80373 + shell from an exploited program that is running at an elevated
80374 + privilege level).
80375 +
80376 + Furthermore, if a program is relinked as a dynamic ELF file, its
80377 + base address will be randomized as well, completing the full
80378 + randomization of the address space layout. Attacking such programs
80379 + becomes a guess game. You can find an example of doing this at
80380 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
80381 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
80382 +
80383 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
80384 + feature on a per file basis.
80385 +
80386 +endmenu
80387 +
80388 +menu "Miscellaneous hardening features"
80389 +
80390 +config PAX_MEMORY_SANITIZE
80391 + bool "Sanitize all freed memory"
80392 + help
80393 + By saying Y here the kernel will erase memory pages as soon as they
80394 + are freed. This in turn reduces the lifetime of data stored in the
80395 + pages, making it less likely that sensitive information such as
80396 + passwords, cryptographic secrets, etc stay in memory for too long.
80397 +
80398 + This is especially useful for programs whose runtime is short, long
80399 + lived processes and the kernel itself benefit from this as long as
80400 + they operate on whole memory pages and ensure timely freeing of pages
80401 + that may hold sensitive information.
80402 +
80403 + The tradeoff is performance impact, on a single CPU system kernel
80404 + compilation sees a 3% slowdown, other systems and workloads may vary
80405 + and you are advised to test this feature on your expected workload
80406 + before deploying it.
80407 +
80408 + Note that this feature does not protect data stored in live pages,
80409 + e.g., process memory swapped to disk may stay there for a long time.
80410 +
80411 +config PAX_MEMORY_STACKLEAK
80412 + bool "Sanitize kernel stack"
80413 + depends on X86
80414 + help
80415 + By saying Y here the kernel will erase the kernel stack before it
80416 + returns from a system call. This in turn reduces the information
80417 + that a kernel stack leak bug can reveal.
80418 +
80419 + Note that such a bug can still leak information that was put on
80420 + the stack by the current system call (the one eventually triggering
80421 + the bug) but traces of earlier system calls on the kernel stack
80422 + cannot leak anymore.
80423 +
80424 + The tradeoff is performance impact: on a single CPU system kernel
80425 + compilation sees a 1% slowdown, other systems and workloads may vary
80426 + and you are advised to test this feature on your expected workload
80427 + before deploying it.
80428 +
80429 + Note: full support for this feature requires gcc with plugin support
80430 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
80431 + is not supported). Using older gcc versions means that functions
80432 + with large enough stack frames may leave uninitialized memory behind
80433 + that may be exposed to a later syscall leaking the stack.
80434 +
80435 +config PAX_MEMORY_UDEREF
80436 + bool "Prevent invalid userland pointer dereference"
80437 + depends on X86 && !UML_X86 && !XEN
80438 + select PAX_PER_CPU_PGD if X86_64
80439 + help
80440 + By saying Y here the kernel will be prevented from dereferencing
80441 + userland pointers in contexts where the kernel expects only kernel
80442 + pointers. This is both a useful runtime debugging feature and a
80443 + security measure that prevents exploiting a class of kernel bugs.
80444 +
80445 + The tradeoff is that some virtualization solutions may experience
80446 + a huge slowdown and therefore you should not enable this feature
80447 + for kernels meant to run in such environments. Whether a given VM
80448 + solution is affected or not is best determined by simply trying it
80449 + out, the performance impact will be obvious right on boot as this
80450 + mechanism engages from very early on. A good rule of thumb is that
80451 + VMs running on CPUs without hardware virtualization support (i.e.,
80452 + the majority of IA-32 CPUs) will likely experience the slowdown.
80453 +
80454 +config PAX_REFCOUNT
80455 + bool "Prevent various kernel object reference counter overflows"
80456 + depends on GRKERNSEC && (X86 || SPARC64)
80457 + help
80458 + By saying Y here the kernel will detect and prevent overflowing
80459 + various (but not all) kinds of object reference counters. Such
80460 + overflows can normally occur due to bugs only and are often, if
80461 + not always, exploitable.
80462 +
80463 + The tradeoff is that data structures protected by an overflowed
80464 + refcount will never be freed and therefore will leak memory. Note
80465 + that this leak also happens even without this protection but in
80466 + that case the overflow can eventually trigger the freeing of the
80467 + data structure while it is still being used elsewhere, resulting
80468 + in the exploitable situation that this feature prevents.
80469 +
80470 + Since this has a negligible performance impact, you should enable
80471 + this feature.
80472 +
80473 +config PAX_USERCOPY
80474 + bool "Harden heap object copies between kernel and userland"
80475 + depends on X86 || PPC || SPARC || ARM
80476 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
80477 + help
80478 + By saying Y here the kernel will enforce the size of heap objects
80479 + when they are copied in either direction between the kernel and
80480 + userland, even if only a part of the heap object is copied.
80481 +
80482 + Specifically, this checking prevents information leaking from the
80483 + kernel heap during kernel to userland copies (if the kernel heap
80484 + object is otherwise fully initialized) and prevents kernel heap
80485 + overflows during userland to kernel copies.
80486 +
80487 + Note that the current implementation provides the strictest bounds
80488 + checks for the SLUB allocator.
80489 +
80490 + Enabling this option also enables per-slab cache protection against
80491 + data in a given cache being copied into/out of via userland
80492 + accessors. Though the whitelist of regions will be reduced over
80493 + time, it notably protects important data structures like task structs.
80494 +
80495 + If frame pointers are enabled on x86, this option will also restrict
80496 + copies into and out of the kernel stack to local variables within a
80497 + single frame.
80498 +
80499 + Since this has a negligible performance impact, you should enable
80500 + this feature.
80501 +
80502 +endmenu
80503 +
80504 +endmenu
80505 +
80506 config KEYS
80507 bool "Enable access key retention support"
80508 help
80509 @@ -167,7 +715,7 @@ config INTEL_TXT
80510 config LSM_MMAP_MIN_ADDR
80511 int "Low address space for LSM to protect from user allocation"
80512 depends on SECURITY && SECURITY_SELINUX
80513 - default 65536
80514 + default 32768
80515 help
80516 This is the portion of low virtual memory which should be protected
80517 from userspace allocation. Keeping a user from writing to low pages
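Review bot: The default for `LSM_MMAP_MIN_ADDR` drops from 65536 to 32768 with no rationale recorded next to it, which halves the low-address range the LSM check keeps away from userspace allocation by default. If the smaller value is needed for compatibility with some architecture or workload, a Kconfig comment above the entry such as `# default lowered from 65536: <reason>` would keep it from being read as an accident. The help text continues past the end of this hunk, so it is worth checking that any value it recommends still matches the new default.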
80518 diff -urNp linux-2.6.39.3/security/keys/keyring.c linux-2.6.39.3/security/keys/keyring.c
80519 --- linux-2.6.39.3/security/keys/keyring.c 2011-05-19 00:06:34.000000000 -0400
80520 +++ linux-2.6.39.3/security/keys/keyring.c 2011-05-22 19:36:35.000000000 -0400
80521 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
80522 ret = -EFAULT;
80523
80524 for (loop = 0; loop < klist->nkeys; loop++) {
80525 + key_serial_t serial;
80526 key = klist->keys[loop];
80527 + serial = key->serial;
80528
80529 tmp = sizeof(key_serial_t);
80530 if (tmp > buflen)
80531 tmp = buflen;
80532
80533 - if (copy_to_user(buffer,
80534 - &key->serial,
80535 - tmp) != 0)
80536 + if (copy_to_user(buffer, &serial, tmp))
80537 goto error;
80538
80539 buflen -= tmp;
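Review bot: The new local `serial` in the loop of keyring_read() reads as a redundant copy, and nothing says why `copy_to_user()` may no longer take `&key->serial` directly. Presumably the bounce through the stack is there so the copy source is not inside the heap-allocated key object, which the PAX_USERCOPY checks described in this patch would otherwise have to permit. If so, a comment such as `/* copy from the stack, not from the key object (PAX_USERCOPY) */` above `serial = key->serial;` would stop a later cleanup from reverting it. keyring_read() starts and ends outside the hunk.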
80540 diff -urNp linux-2.6.39.3/security/min_addr.c linux-2.6.39.3/security/min_addr.c
80541 --- linux-2.6.39.3/security/min_addr.c 2011-05-19 00:06:34.000000000 -0400
80542 +++ linux-2.6.39.3/security/min_addr.c 2011-05-22 19:41:42.000000000 -0400
80543 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
80544 */
80545 static void update_mmap_min_addr(void)
80546 {
80547 +#ifndef SPARC
80548 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
80549 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
80550 mmap_min_addr = dac_mmap_min_addr;
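Review bot: The guard added at the top of update_mmap_min_addr() tests `SPARC`, but kernel configuration symbols reach C code with the `CONFIG_` prefix. Unless something outside this file section defines a bare `SPARC` macro, the `#ifndef` is always true and the body is still compiled on sparc. If the intent is to leave `mmap_min_addr` untouched on that architecture, the line should read `#ifndef CONFIG_SPARC`. The matching `#endif` is in the next hunk of this file and would benefit from a trailing `/* !CONFIG_SPARC */`. A one-line comment on why sparc is exempt would also help, since with the guard effective the value in `dac_mmap_min_addr` would never be applied there.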
80551 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
80552 #else
80553 mmap_min_addr = dac_mmap_min_addr;
80554 #endif
80555 +#endif
80556 }
80557
80558 /*
80559 diff -urNp linux-2.6.39.3/security/security.c linux-2.6.39.3/security/security.c
80560 --- linux-2.6.39.3/security/security.c 2011-05-19 00:06:34.000000000 -0400
80561 +++ linux-2.6.39.3/security/security.c 2011-05-22 19:41:42.000000000 -0400
80562 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
80563 /* things that live in capability.c */
80564 extern void __init security_fixup_ops(struct security_operations *ops);
80565
80566 -static struct security_operations *security_ops;
80567 -static struct security_operations default_security_ops = {
80568 +static struct security_operations *security_ops __read_only;
80569 +static struct security_operations default_security_ops __read_only = {
80570 .name = "default",
80571 };
80572
80573 @@ -67,7 +67,9 @@ int __init security_init(void)
80574
80575 void reset_security_ops(void)
80576 {
80577 + pax_open_kernel();
80578 security_ops = &default_security_ops;
80579 + pax_close_kernel();
80580 }
80581
80582 /* Save user chosen LSM */
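Review bot: reset_security_ops() now brackets its store with `pax_open_kernel()`/`pax_close_kernel()`, but nothing at the call site says this is required because `security_ops` became `__read_only` in the previous hunk. A comment such as `/* security_ops is __read_only: open a write window for this store only */` would make the pairing obvious and discourage adding unrelated work inside the window. The same attribute is applied to `selinux_ops`, `smack_ops` and `tomoyo_security_ops` later in the patch. Any code outside these hunks that writes to those structures after init would presumably need the same bracket, which cannot be confirmed from here.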
80583 diff -urNp linux-2.6.39.3/security/selinux/hooks.c linux-2.6.39.3/security/selinux/hooks.c
80584 --- linux-2.6.39.3/security/selinux/hooks.c 2011-05-19 00:06:34.000000000 -0400
80585 +++ linux-2.6.39.3/security/selinux/hooks.c 2011-05-22 19:41:42.000000000 -0400
80586 @@ -93,7 +93,6 @@
80587 #define NUM_SEL_MNT_OPTS 5
80588
80589 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
80590 -extern struct security_operations *security_ops;
80591
80592 /* SECMARK reference count */
80593 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
80594 @@ -5431,7 +5430,7 @@ static int selinux_key_getsecurity(struc
80595
80596 #endif
80597
80598 -static struct security_operations selinux_ops = {
80599 +static struct security_operations selinux_ops __read_only = {
80600 .name = "selinux",
80601
80602 .ptrace_access_check = selinux_ptrace_access_check,
80603 diff -urNp linux-2.6.39.3/security/selinux/include/xfrm.h linux-2.6.39.3/security/selinux/include/xfrm.h
80604 --- linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-19 00:06:34.000000000 -0400
80605 +++ linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-22 19:36:35.000000000 -0400
80606 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80607
80608 static inline void selinux_xfrm_notify_policyload(void)
80609 {
80610 - atomic_inc(&flow_cache_genid);
80611 + atomic_inc_unchecked(&flow_cache_genid);
80612 }
80613 #else
80614 static inline int selinux_xfrm_enabled(void)
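Review bot: `atomic_inc_unchecked()` in selinux_xfrm_notify_policyload() opts `flow_cache_genid` out of overflow detection without saying why that is safe. The name suggests a generation counter whose wrap-around is harmless rather than an object reference count, which is presumably why it is exempted from the PAX_REFCOUNT checks described in this patch. A comment such as `/* generation id, not a refcount: wrapping is fine */` would record that. The declaration of `flow_cache_genid` is outside this hunk and would need the matching unchecked type.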
80615 diff -urNp linux-2.6.39.3/security/selinux/ss/services.c linux-2.6.39.3/security/selinux/ss/services.c
80616 --- linux-2.6.39.3/security/selinux/ss/services.c 2011-05-19 00:06:34.000000000 -0400
80617 +++ linux-2.6.39.3/security/selinux/ss/services.c 2011-05-22 19:36:35.000000000 -0400
80618 @@ -1806,6 +1806,8 @@ int security_load_policy(void *data, siz
80619 int rc = 0;
80620 struct policy_file file = { data, len }, *fp = &file;
80621
80622 + pax_track_stack();
80623 +
80624 if (!ss_initialized) {
80625 avtab_cache_init();
80626 rc = policydb_read(&policydb, fp);
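Review bot: `pax_track_stack()` is added to security_load_policy() without a comment, and the locals visible in the hunk (`rc`, `file`, `fp`) are small, so the large objects that motivate it must be declared above the hunk. A short comment such as `/* large on-stack policy state: record stack depth for later clearing */` would tell a maintainer why the call is here and when it can go away. The wording should be checked against what the function actually declares. The function body starts and ends outside the hunk.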
80627 diff -urNp linux-2.6.39.3/security/smack/smack_lsm.c linux-2.6.39.3/security/smack/smack_lsm.c
80628 --- linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-19 00:06:34.000000000 -0400
80629 +++ linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-22 19:36:35.000000000 -0400
80630 @@ -3386,7 +3386,7 @@ static int smack_inode_getsecctx(struct
80631 return 0;
80632 }
80633
80634 -struct security_operations smack_ops = {
80635 +struct security_operations smack_ops __read_only = {
80636 .name = "smack",
80637
80638 .ptrace_access_check = smack_ptrace_access_check,
80639 diff -urNp linux-2.6.39.3/security/tomoyo/tomoyo.c linux-2.6.39.3/security/tomoyo/tomoyo.c
80640 --- linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-19 00:06:34.000000000 -0400
80641 +++ linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-22 19:36:35.000000000 -0400
80642 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
80643 * tomoyo_security_ops is a "struct security_operations" which is used for
80644 * registering TOMOYO.
80645 */
80646 -static struct security_operations tomoyo_security_ops = {
80647 +static struct security_operations tomoyo_security_ops __read_only = {
80648 .name = "tomoyo",
80649 .cred_alloc_blank = tomoyo_cred_alloc_blank,
80650 .cred_prepare = tomoyo_cred_prepare,
80651 diff -urNp linux-2.6.39.3/sound/aoa/aoa.h linux-2.6.39.3/sound/aoa/aoa.h
80652 --- linux-2.6.39.3/sound/aoa/aoa.h 2011-05-19 00:06:34.000000000 -0400
80653 +++ linux-2.6.39.3/sound/aoa/aoa.h 2011-05-22 19:36:35.000000000 -0400
80654 @@ -122,8 +122,8 @@ extern struct snd_card *aoa_get_card(voi
80655 extern int aoa_snd_ctl_add(struct snd_kcontrol* control);
80656
80657 /* GPIO stuff */
80658 -extern struct gpio_methods *pmf_gpio_methods;
80659 -extern struct gpio_methods *ftr_gpio_methods;
80660 +extern const struct gpio_methods *pmf_gpio_methods;
80661 +extern const struct gpio_methods *ftr_gpio_methods;
80662 /* extern struct gpio_methods *map_gpio_methods; */
80663
80664 #endif /* __AOA_H */
80665 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.c linux-2.6.39.3/sound/aoa/codecs/onyx.c
80666 --- linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-19 00:06:34.000000000 -0400
80667 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-22 19:36:35.000000000 -0400
80668 @@ -54,7 +54,7 @@ struct onyx {
80669 spdif_locked:1,
80670 analog_locked:1,
80671 original_mute:2;
80672 - int open_count;
80673 + local_t open_count;
80674 struct codec_info *codec_info;
80675
80676 /* mutex serializes concurrent access to the device
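Review bot: `open_count` changes from `int` to `local_t`, yet both users visible in this file's hunks (onyx_open() and onyx_close()) update it while holding `onyx->mutex`, so the new type adds no atomicity the mutex did not already give. `local_t` is normally used for per-CPU counters. If the conversion exists to get overflow checking on the counter, a field comment such as `/* local_t for overflow checking; still serialized by mutex */` would explain the unusual choice. The same conversion is made to `mts->open_count` in sound/drivers/mts64.c further down.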
80677 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
80678 struct onyx *onyx = cii->codec_data;
80679
80680 mutex_lock(&onyx->mutex);
80681 - onyx->open_count++;
80682 + local_inc(&onyx->open_count);
80683 mutex_unlock(&onyx->mutex);
80684
80685 return 0;
80686 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
80687 struct onyx *onyx = cii->codec_data;
80688
80689 mutex_lock(&onyx->mutex);
80690 - onyx->open_count--;
80691 - if (!onyx->open_count)
80692 + if (local_dec_and_test(&onyx->open_count))
80693 onyx->spdif_locked = onyx->analog_locked = 0;
80694 mutex_unlock(&onyx->mutex);
80695
80696 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.h linux-2.6.39.3/sound/aoa/codecs/onyx.h
80697 --- linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-19 00:06:34.000000000 -0400
80698 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-22 19:36:35.000000000 -0400
80699 @@ -11,6 +11,7 @@
80700 #include <linux/i2c.h>
80701 #include <asm/pmac_low_i2c.h>
80702 #include <asm/prom.h>
80703 +#include <asm/local.h>
80704
80705 /* PCM3052 register definitions */
80706
80707 diff -urNp linux-2.6.39.3/sound/arm/aaci.c linux-2.6.39.3/sound/arm/aaci.c
80708 --- linux-2.6.39.3/sound/arm/aaci.c 2011-05-19 00:06:34.000000000 -0400
80709 +++ linux-2.6.39.3/sound/arm/aaci.c 2011-05-22 19:36:35.000000000 -0400
80710 @@ -635,7 +635,7 @@ static int aaci_pcm_playback_trigger(str
80711 return ret;
80712 }
80713
80714 -static struct snd_pcm_ops aaci_playback_ops = {
80715 +static const struct snd_pcm_ops aaci_playback_ops = {
80716 .open = aaci_pcm_open,
80717 .close = aaci_pcm_close,
80718 .ioctl = snd_pcm_lib_ioctl,
80719 @@ -738,7 +738,7 @@ static int aaci_pcm_capture_prepare(stru
80720 return 0;
80721 }
80722
80723 -static struct snd_pcm_ops aaci_capture_ops = {
80724 +static const struct snd_pcm_ops aaci_capture_ops = {
80725 .open = aaci_pcm_open,
80726 .close = aaci_pcm_close,
80727 .ioctl = snd_pcm_lib_ioctl,
80728 @@ -827,7 +827,7 @@ static struct ac97_pcm ac97_defs[] __dev
80729 }
80730 };
80731
80732 -static struct snd_ac97_bus_ops aaci_bus_ops = {
80733 +static const struct snd_ac97_bus_ops aaci_bus_ops = {
80734 .write = aaci_ac97_write,
80735 .read = aaci_ac97_read,
80736 };
80737 diff -urNp linux-2.6.39.3/sound/arm/pxa2xx-ac97.c linux-2.6.39.3/sound/arm/pxa2xx-ac97.c
80738 --- linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
80739 +++ linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
80740 @@ -34,7 +34,7 @@ static void pxa2xx_ac97_reset(struct snd
80741 pxa2xx_ac97_finish_reset(ac97);
80742 }
80743
80744 -static struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80745 +static const struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80746 .read = pxa2xx_ac97_read,
80747 .write = pxa2xx_ac97_write,
80748 .reset = pxa2xx_ac97_reset,
80749 diff -urNp linux-2.6.39.3/sound/atmel/abdac.c linux-2.6.39.3/sound/atmel/abdac.c
80750 --- linux-2.6.39.3/sound/atmel/abdac.c 2011-05-19 00:06:34.000000000 -0400
80751 +++ linux-2.6.39.3/sound/atmel/abdac.c 2011-05-22 19:36:35.000000000 -0400
80752 @@ -297,7 +297,7 @@ static irqreturn_t abdac_interrupt(int i
80753 return IRQ_HANDLED;
80754 }
80755
80756 -static struct snd_pcm_ops atmel_abdac_ops = {
80757 +static const struct snd_pcm_ops atmel_abdac_ops = {
80758 .open = atmel_abdac_open,
80759 .close = atmel_abdac_close,
80760 .ioctl = snd_pcm_lib_ioctl,
80761 diff -urNp linux-2.6.39.3/sound/atmel/ac97c.c linux-2.6.39.3/sound/atmel/ac97c.c
80762 --- linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-19 00:06:34.000000000 -0400
80763 +++ linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-22 19:36:35.000000000 -0400
80764 @@ -626,7 +626,7 @@ atmel_ac97c_capture_pointer(struct snd_p
80765 return frames;
80766 }
80767
80768 -static struct snd_pcm_ops atmel_ac97_playback_ops = {
80769 +static const struct snd_pcm_ops atmel_ac97_playback_ops = {
80770 .open = atmel_ac97c_playback_open,
80771 .close = atmel_ac97c_playback_close,
80772 .ioctl = snd_pcm_lib_ioctl,
80773 @@ -637,7 +637,7 @@ static struct snd_pcm_ops atmel_ac97_pla
80774 .pointer = atmel_ac97c_playback_pointer,
80775 };
80776
80777 -static struct snd_pcm_ops atmel_ac97_capture_ops = {
80778 +static const struct snd_pcm_ops atmel_ac97_capture_ops = {
80779 .open = atmel_ac97c_capture_open,
80780 .close = atmel_ac97c_capture_close,
80781 .ioctl = snd_pcm_lib_ioctl,
80782 @@ -909,7 +909,7 @@ static int __devinit atmel_ac97c_probe(s
80783 struct resource *regs;
80784 struct ac97c_platform_data *pdata;
80785 struct clk *pclk;
80786 - static struct snd_ac97_bus_ops ops = {
80787 + static const struct snd_ac97_bus_ops ops = {
80788 .write = atmel_ac97c_write,
80789 .read = atmel_ac97c_read,
80790 };
80791 diff -urNp linux-2.6.39.3/sound/core/control.c linux-2.6.39.3/sound/core/control.c
80792 --- linux-2.6.39.3/sound/core/control.c 2011-05-19 00:06:34.000000000 -0400
80793 +++ linux-2.6.39.3/sound/core/control.c 2011-05-22 19:36:35.000000000 -0400
80794 @@ -1520,7 +1520,7 @@ static int snd_ctl_dev_free(struct snd_d
80795 */
80796 int snd_ctl_create(struct snd_card *card)
80797 {
80798 - static struct snd_device_ops ops = {
80799 + static const struct snd_device_ops ops = {
80800 .dev_free = snd_ctl_dev_free,
80801 .dev_register = snd_ctl_dev_register,
80802 .dev_disconnect = snd_ctl_dev_disconnect,
80803 diff -urNp linux-2.6.39.3/sound/core/device.c linux-2.6.39.3/sound/core/device.c
80804 --- linux-2.6.39.3/sound/core/device.c 2011-05-19 00:06:34.000000000 -0400
80805 +++ linux-2.6.39.3/sound/core/device.c 2011-05-22 19:36:35.000000000 -0400
80806 @@ -41,7 +41,7 @@
80807 * Returns zero if successful, or a negative error code on failure.
80808 */
80809 int snd_device_new(struct snd_card *card, snd_device_type_t type,
80810 - void *device_data, struct snd_device_ops *ops)
80811 + void *device_data, const struct snd_device_ops *ops)
80812 {
80813 struct snd_device *dev;
80814
80815 diff -urNp linux-2.6.39.3/sound/core/hwdep.c linux-2.6.39.3/sound/core/hwdep.c
80816 --- linux-2.6.39.3/sound/core/hwdep.c 2011-05-19 00:06:34.000000000 -0400
80817 +++ linux-2.6.39.3/sound/core/hwdep.c 2011-05-22 19:36:35.000000000 -0400
80818 @@ -348,7 +348,7 @@ int snd_hwdep_new(struct snd_card *card,
80819 {
80820 struct snd_hwdep *hwdep;
80821 int err;
80822 - static struct snd_device_ops ops = {
80823 + static const struct snd_device_ops ops = {
80824 .dev_free = snd_hwdep_dev_free,
80825 .dev_register = snd_hwdep_dev_register,
80826 .dev_disconnect = snd_hwdep_dev_disconnect,
80827 diff -urNp linux-2.6.39.3/sound/core/info.c linux-2.6.39.3/sound/core/info.c
80828 --- linux-2.6.39.3/sound/core/info.c 2011-05-19 00:06:34.000000000 -0400
80829 +++ linux-2.6.39.3/sound/core/info.c 2011-05-22 19:36:35.000000000 -0400
80830 @@ -897,7 +897,7 @@ static int snd_info_dev_register_entry(s
80831 int snd_card_proc_new(struct snd_card *card, const char *name,
80832 struct snd_info_entry **entryp)
80833 {
80834 - static struct snd_device_ops ops = {
80835 + static const struct snd_device_ops ops = {
80836 .dev_free = snd_info_dev_free_entry,
80837 .dev_register = snd_info_dev_register_entry,
80838 /* disconnect is done via snd_info_card_disconnect() */
80839 diff -urNp linux-2.6.39.3/sound/core/jack.c linux-2.6.39.3/sound/core/jack.c
80840 --- linux-2.6.39.3/sound/core/jack.c 2011-05-19 00:06:34.000000000 -0400
80841 +++ linux-2.6.39.3/sound/core/jack.c 2011-05-22 19:36:35.000000000 -0400
80842 @@ -105,7 +105,7 @@ int snd_jack_new(struct snd_card *card,
80843 struct snd_jack *jack;
80844 int err;
80845 int i;
80846 - static struct snd_device_ops ops = {
80847 + static const struct snd_device_ops ops = {
80848 .dev_free = snd_jack_dev_free,
80849 .dev_register = snd_jack_dev_register,
80850 };
80851 diff -urNp linux-2.6.39.3/sound/core/pcm.c linux-2.6.39.3/sound/core/pcm.c
80852 --- linux-2.6.39.3/sound/core/pcm.c 2011-05-19 00:06:34.000000000 -0400
80853 +++ linux-2.6.39.3/sound/core/pcm.c 2011-05-22 19:36:35.000000000 -0400
80854 @@ -717,7 +717,7 @@ int snd_pcm_new(struct snd_card *card, c
80855 {
80856 struct snd_pcm *pcm;
80857 int err;
80858 - static struct snd_device_ops ops = {
80859 + static const struct snd_device_ops ops = {
80860 .dev_free = snd_pcm_dev_free,
80861 .dev_register = snd_pcm_dev_register,
80862 .dev_disconnect = snd_pcm_dev_disconnect,
80863 diff -urNp linux-2.6.39.3/sound/core/pcm_lib.c linux-2.6.39.3/sound/core/pcm_lib.c
80864 --- linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-19 00:06:34.000000000 -0400
80865 +++ linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-22 19:36:35.000000000 -0400
80866 @@ -505,7 +505,7 @@ int snd_pcm_update_hw_ptr(struct snd_pcm
80867 *
80868 * Sets the given PCM operators to the pcm instance.
80869 */
80870 -void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, struct snd_pcm_ops *ops)
80871 +void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, const struct snd_pcm_ops *ops)
80872 {
80873 struct snd_pcm_str *stream = &pcm->streams[direction];
80874 struct snd_pcm_substream *substream;
80875 diff -urNp linux-2.6.39.3/sound/core/pcm_native.c linux-2.6.39.3/sound/core/pcm_native.c
80876 --- linux-2.6.39.3/sound/core/pcm_native.c 2011-05-19 00:06:34.000000000 -0400
80877 +++ linux-2.6.39.3/sound/core/pcm_native.c 2011-05-22 19:36:35.000000000 -0400
80878 @@ -702,7 +702,7 @@ struct action_ops {
80879 * Note: the stream state might be changed also on failure
80880 * Note2: call with calling stream lock + link lock
80881 */
80882 -static int snd_pcm_action_group(struct action_ops *ops,
80883 +static int snd_pcm_action_group(const struct action_ops *ops,
80884 struct snd_pcm_substream *substream,
80885 int state, int do_lock)
80886 {
80887 @@ -751,7 +751,7 @@ static int snd_pcm_action_group(struct a
80888 /*
80889 * Note: call with stream lock
80890 */
80891 -static int snd_pcm_action_single(struct action_ops *ops,
80892 +static int snd_pcm_action_single(const struct action_ops *ops,
80893 struct snd_pcm_substream *substream,
80894 int state)
80895 {
80896 @@ -771,7 +771,7 @@ static int snd_pcm_action_single(struct
80897 /*
80898 * Note: call with stream lock
80899 */
80900 -static int snd_pcm_action(struct action_ops *ops,
80901 +static int snd_pcm_action(const struct action_ops *ops,
80902 struct snd_pcm_substream *substream,
80903 int state)
80904 {
80905 @@ -794,7 +794,7 @@ static int snd_pcm_action(struct action_
80906 /*
80907 * Note: don't use any locks before
80908 */
80909 -static int snd_pcm_action_lock_irq(struct action_ops *ops,
80910 +static int snd_pcm_action_lock_irq(const struct action_ops *ops,
80911 struct snd_pcm_substream *substream,
80912 int state)
80913 {
80914 @@ -818,7 +818,7 @@ static int snd_pcm_action_lock_irq(struc
80915
80916 /*
80917 */
80918 -static int snd_pcm_action_nonatomic(struct action_ops *ops,
80919 +static int snd_pcm_action_nonatomic(const struct action_ops *ops,
80920 struct snd_pcm_substream *substream,
80921 int state)
80922 {
80923 @@ -877,7 +877,7 @@ static void snd_pcm_post_start(struct sn
80924 &runtime->trigger_tstamp);
80925 }
80926
80927 -static struct action_ops snd_pcm_action_start = {
80928 +static const struct action_ops snd_pcm_action_start = {
80929 .pre_action = snd_pcm_pre_start,
80930 .do_action = snd_pcm_do_start,
80931 .undo_action = snd_pcm_undo_start,
80932 @@ -928,7 +928,7 @@ static void snd_pcm_post_stop(struct snd
80933 wake_up(&runtime->tsleep);
80934 }
80935
80936 -static struct action_ops snd_pcm_action_stop = {
80937 +static const struct action_ops snd_pcm_action_stop = {
80938 .pre_action = snd_pcm_pre_stop,
80939 .do_action = snd_pcm_do_stop,
80940 .post_action = snd_pcm_post_stop
80941 @@ -1025,7 +1025,7 @@ static void snd_pcm_post_pause(struct sn
80942 }
80943 }
80944
80945 -static struct action_ops snd_pcm_action_pause = {
80946 +static const struct action_ops snd_pcm_action_pause = {
80947 .pre_action = snd_pcm_pre_pause,
80948 .do_action = snd_pcm_do_pause,
80949 .undo_action = snd_pcm_undo_pause,
80950 @@ -1076,7 +1076,7 @@ static void snd_pcm_post_suspend(struct
80951 wake_up(&runtime->tsleep);
80952 }
80953
80954 -static struct action_ops snd_pcm_action_suspend = {
80955 +static const struct action_ops snd_pcm_action_suspend = {
80956 .pre_action = snd_pcm_pre_suspend,
80957 .do_action = snd_pcm_do_suspend,
80958 .post_action = snd_pcm_post_suspend
80959 @@ -1175,7 +1175,7 @@ static void snd_pcm_post_resume(struct s
80960 runtime->status->state = runtime->status->suspended_state;
80961 }
80962
80963 -static struct action_ops snd_pcm_action_resume = {
80964 +static const struct action_ops snd_pcm_action_resume = {
80965 .pre_action = snd_pcm_pre_resume,
80966 .do_action = snd_pcm_do_resume,
80967 .undo_action = snd_pcm_undo_resume,
80968 @@ -1278,7 +1278,7 @@ static void snd_pcm_post_reset(struct sn
80969 snd_pcm_playback_silence(substream, ULONG_MAX);
80970 }
80971
80972 -static struct action_ops snd_pcm_action_reset = {
80973 +static const struct action_ops snd_pcm_action_reset = {
80974 .pre_action = snd_pcm_pre_reset,
80975 .do_action = snd_pcm_do_reset,
80976 .post_action = snd_pcm_post_reset
80977 @@ -1322,7 +1322,7 @@ static void snd_pcm_post_prepare(struct
80978 runtime->status->state = SNDRV_PCM_STATE_PREPARED;
80979 }
80980
80981 -static struct action_ops snd_pcm_action_prepare = {
80982 +static const struct action_ops snd_pcm_action_prepare = {
80983 .pre_action = snd_pcm_pre_prepare,
80984 .do_action = snd_pcm_do_prepare,
80985 .post_action = snd_pcm_post_prepare
80986 @@ -1397,7 +1397,7 @@ static void snd_pcm_post_drain_init(stru
80987 {
80988 }
80989
80990 -static struct action_ops snd_pcm_action_drain_init = {
80991 +static const struct action_ops snd_pcm_action_drain_init = {
80992 .pre_action = snd_pcm_pre_drain_init,
80993 .do_action = snd_pcm_do_drain_init,
80994 .post_action = snd_pcm_post_drain_init
80995 diff -urNp linux-2.6.39.3/sound/core/rawmidi.c linux-2.6.39.3/sound/core/rawmidi.c
80996 --- linux-2.6.39.3/sound/core/rawmidi.c 2011-05-19 00:06:34.000000000 -0400
80997 +++ linux-2.6.39.3/sound/core/rawmidi.c 2011-05-22 19:36:35.000000000 -0400
80998 @@ -1449,7 +1449,7 @@ int snd_rawmidi_new(struct snd_card *car
80999 {
81000 struct snd_rawmidi *rmidi;
81001 int err;
81002 - static struct snd_device_ops ops = {
81003 + static const struct snd_device_ops ops = {
81004 .dev_free = snd_rawmidi_dev_free,
81005 .dev_register = snd_rawmidi_dev_register,
81006 .dev_disconnect = snd_rawmidi_dev_disconnect,
81007 @@ -1654,7 +1654,7 @@ static int snd_rawmidi_dev_disconnect(st
81008 * Sets the rawmidi operators for the given stream direction.
81009 */
81010 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
81011 - struct snd_rawmidi_ops *ops)
81012 + const struct snd_rawmidi_ops *ops)
81013 {
81014 struct snd_rawmidi_substream *substream;
81015
81016 diff -urNp linux-2.6.39.3/sound/core/seq/seq_device.c linux-2.6.39.3/sound/core/seq/seq_device.c
81017 --- linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-19 00:06:34.000000000 -0400
81018 +++ linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-22 19:36:35.000000000 -0400
81019 @@ -178,7 +178,7 @@ int snd_seq_device_new(struct snd_card *
81020 struct snd_seq_device *dev;
81021 struct ops_list *ops;
81022 int err;
81023 - static struct snd_device_ops dops = {
81024 + static const struct snd_device_ops dops = {
81025 .dev_free = snd_seq_device_dev_free,
81026 .dev_register = snd_seq_device_dev_register,
81027 .dev_disconnect = snd_seq_device_dev_disconnect,
81028 @@ -307,7 +307,7 @@ static int snd_seq_device_dev_disconnect
81029 * id = driver id
81030 * entry = driver operators - duplicated to each instance
81031 */
81032 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
81033 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry,
81034 int argsize)
81035 {
81036 struct ops_list *ops;
81037 diff -urNp linux-2.6.39.3/sound/core/seq/seq_midi.c linux-2.6.39.3/sound/core/seq/seq_midi.c
81038 --- linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-19 00:06:34.000000000 -0400
81039 +++ linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-22 19:36:35.000000000 -0400
81040 @@ -461,7 +461,7 @@ snd_seq_midisynth_unregister_port(struct
81041
81042 static int __init alsa_seq_midi_init(void)
81043 {
81044 - static struct snd_seq_dev_ops ops = {
81045 + static const struct snd_seq_dev_ops ops = {
81046 snd_seq_midisynth_register_port,
81047 snd_seq_midisynth_unregister_port,
81048 };
81049 diff -urNp linux-2.6.39.3/sound/core/seq/seq_virmidi.c linux-2.6.39.3/sound/core/seq/seq_virmidi.c
81050 --- linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-19 00:06:34.000000000 -0400
81051 +++ linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-22 19:36:35.000000000 -0400
81052 @@ -337,13 +337,13 @@ static int snd_virmidi_unuse(void *priva
81053 * Register functions
81054 */
81055
81056 -static struct snd_rawmidi_ops snd_virmidi_input_ops = {
81057 +static const struct snd_rawmidi_ops snd_virmidi_input_ops = {
81058 .open = snd_virmidi_input_open,
81059 .close = snd_virmidi_input_close,
81060 .trigger = snd_virmidi_input_trigger,
81061 };
81062
81063 -static struct snd_rawmidi_ops snd_virmidi_output_ops = {
81064 +static const struct snd_rawmidi_ops snd_virmidi_output_ops = {
81065 .open = snd_virmidi_output_open,
81066 .close = snd_virmidi_output_close,
81067 .trigger = snd_virmidi_output_trigger,
81068 @@ -467,7 +467,7 @@ static int snd_virmidi_dev_unregister(st
81069 /*
81070 *
81071 */
81072 -static struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81073 +static const struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81074 .dev_register = snd_virmidi_dev_register,
81075 .dev_unregister = snd_virmidi_dev_unregister,
81076 };
81077 diff -urNp linux-2.6.39.3/sound/core/timer.c linux-2.6.39.3/sound/core/timer.c
81078 --- linux-2.6.39.3/sound/core/timer.c 2011-05-19 00:06:34.000000000 -0400
81079 +++ linux-2.6.39.3/sound/core/timer.c 2011-05-22 19:36:35.000000000 -0400
81080 @@ -756,7 +756,7 @@ int snd_timer_new(struct snd_card *card,
81081 {
81082 struct snd_timer *timer;
81083 int err;
81084 - static struct snd_device_ops ops = {
81085 + static const struct snd_device_ops ops = {
81086 .dev_free = snd_timer_dev_free,
81087 .dev_register = snd_timer_dev_register,
81088 .dev_disconnect = snd_timer_dev_disconnect,
81089 diff -urNp linux-2.6.39.3/sound/drivers/aloop.c linux-2.6.39.3/sound/drivers/aloop.c
81090 --- linux-2.6.39.3/sound/drivers/aloop.c 2011-05-19 00:06:34.000000000 -0400
81091 +++ linux-2.6.39.3/sound/drivers/aloop.c 2011-05-22 19:36:35.000000000 -0400
81092 @@ -731,7 +731,7 @@ static int loopback_close(struct snd_pcm
81093 return 0;
81094 }
81095
81096 -static struct snd_pcm_ops loopback_playback_ops = {
81097 +static const struct snd_pcm_ops loopback_playback_ops = {
81098 .open = loopback_open,
81099 .close = loopback_close,
81100 .ioctl = snd_pcm_lib_ioctl,
81101 @@ -742,7 +742,7 @@ static struct snd_pcm_ops loopback_playb
81102 .pointer = loopback_pointer,
81103 };
81104
81105 -static struct snd_pcm_ops loopback_capture_ops = {
81106 +static const struct snd_pcm_ops loopback_capture_ops = {
81107 .open = loopback_open,
81108 .close = loopback_close,
81109 .ioctl = snd_pcm_lib_ioctl,
81110 diff -urNp linux-2.6.39.3/sound/drivers/dummy.c linux-2.6.39.3/sound/drivers/dummy.c
81111 --- linux-2.6.39.3/sound/drivers/dummy.c 2011-05-19 00:06:34.000000000 -0400
81112 +++ linux-2.6.39.3/sound/drivers/dummy.c 2011-05-22 19:36:35.000000000 -0400
81113 @@ -350,7 +350,7 @@ static void dummy_systimer_free(struct s
81114 kfree(substream->runtime->private_data);
81115 }
81116
81117 -static struct dummy_timer_ops dummy_systimer_ops = {
81118 +static const struct dummy_timer_ops dummy_systimer_ops = {
81119 .create = dummy_systimer_create,
81120 .free = dummy_systimer_free,
81121 .prepare = dummy_systimer_prepare,
81122 @@ -474,7 +474,7 @@ static void dummy_hrtimer_free(struct sn
81123 kfree(dpcm);
81124 }
81125
81126 -static struct dummy_timer_ops dummy_hrtimer_ops = {
81127 +static const struct dummy_timer_ops dummy_hrtimer_ops = {
81128 .create = dummy_hrtimer_create,
81129 .free = dummy_hrtimer_free,
81130 .prepare = dummy_hrtimer_prepare,
81131 @@ -660,7 +660,7 @@ static struct page *dummy_pcm_page(struc
81132 return virt_to_page(dummy_page[substream->stream]); /* the same page */
81133 }
81134
81135 -static struct snd_pcm_ops dummy_pcm_ops = {
81136 +static const struct snd_pcm_ops dummy_pcm_ops = {
81137 .open = dummy_pcm_open,
81138 .close = dummy_pcm_close,
81139 .ioctl = snd_pcm_lib_ioctl,
81140 @@ -671,7 +671,7 @@ static struct snd_pcm_ops dummy_pcm_ops
81141 .pointer = dummy_pcm_pointer,
81142 };
81143
81144 -static struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81145 +static const struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81146 .open = dummy_pcm_open,
81147 .close = dummy_pcm_close,
81148 .ioctl = snd_pcm_lib_ioctl,
81149 @@ -689,7 +689,7 @@ static int __devinit snd_card_dummy_pcm(
81150 int substreams)
81151 {
81152 struct snd_pcm *pcm;
81153 - struct snd_pcm_ops *ops;
81154 + const struct snd_pcm_ops *ops;
81155 int err;
81156
81157 err = snd_pcm_new(dummy->card, "Dummy PCM", device,
81158 diff -urNp linux-2.6.39.3/sound/drivers/ml403-ac97cr.c linux-2.6.39.3/sound/drivers/ml403-ac97cr.c
81159 --- linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-19 00:06:34.000000000 -0400
81160 +++ linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-22 19:36:35.000000000 -0400
81161 @@ -759,7 +759,7 @@ static int snd_ml403_ac97cr_capture_clos
81162 return 0;
81163 }
81164
81165 -static struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81166 +static const struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81167 .open = snd_ml403_ac97cr_playback_open,
81168 .close = snd_ml403_ac97cr_playback_close,
81169 .ioctl = snd_pcm_lib_ioctl,
81170 @@ -770,7 +770,7 @@ static struct snd_pcm_ops snd_ml403_ac97
81171 .pointer = snd_ml403_ac97cr_pcm_pointer,
81172 };
81173
81174 -static struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81175 +static const struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81176 .open = snd_ml403_ac97cr_capture_open,
81177 .close = snd_ml403_ac97cr_capture_close,
81178 .ioctl = snd_pcm_lib_ioctl,
81179 @@ -1114,7 +1114,7 @@ snd_ml403_ac97cr_create(struct snd_card
81180 {
81181 struct snd_ml403_ac97cr *ml403_ac97cr;
81182 int err;
81183 - static struct snd_device_ops ops = {
81184 + static const struct snd_device_ops ops = {
81185 .dev_free = snd_ml403_ac97cr_dev_free,
81186 };
81187 struct resource *resource;
81188 @@ -1210,7 +1210,7 @@ snd_ml403_ac97cr_mixer(struct snd_ml403_
81189 struct snd_ac97_bus *bus;
81190 struct snd_ac97_template ac97;
81191 int err;
81192 - static struct snd_ac97_bus_ops ops = {
81193 + static const struct snd_ac97_bus_ops ops = {
81194 .write = snd_ml403_ac97cr_codec_write,
81195 .read = snd_ml403_ac97cr_codec_read,
81196 };
81197 diff -urNp linux-2.6.39.3/sound/drivers/mtpav.c linux-2.6.39.3/sound/drivers/mtpav.c
81198 --- linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-19 00:06:34.000000000 -0400
81199 +++ linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-22 19:36:35.000000000 -0400
81200 @@ -601,13 +601,13 @@ static int __devinit snd_mtpav_get_ISA(s
81201 /*
81202 */
81203
81204 -static struct snd_rawmidi_ops snd_mtpav_output = {
81205 +static const struct snd_rawmidi_ops snd_mtpav_output = {
81206 .open = snd_mtpav_output_open,
81207 .close = snd_mtpav_output_close,
81208 .trigger = snd_mtpav_output_trigger,
81209 };
81210
81211 -static struct snd_rawmidi_ops snd_mtpav_input = {
81212 +static const struct snd_rawmidi_ops snd_mtpav_input = {
81213 .open = snd_mtpav_input_open,
81214 .close = snd_mtpav_input_close,
81215 .trigger = snd_mtpav_input_trigger,
81216 diff -urNp linux-2.6.39.3/sound/drivers/mts64.c linux-2.6.39.3/sound/drivers/mts64.c
81217 --- linux-2.6.39.3/sound/drivers/mts64.c 2011-05-19 00:06:34.000000000 -0400
81218 +++ linux-2.6.39.3/sound/drivers/mts64.c 2011-05-22 19:36:35.000000000 -0400
81219 @@ -28,6 +28,7 @@
81220 #include <sound/initval.h>
81221 #include <sound/rawmidi.h>
81222 #include <sound/control.h>
81223 +#include <asm/local.h>
81224
81225 #define CARD_NAME "Miditerminal 4140"
81226 #define DRIVER_NAME "MTS64"
81227 @@ -66,7 +67,7 @@ struct mts64 {
81228 struct pardevice *pardev;
81229 int pardev_claimed;
81230
81231 - int open_count;
81232 + local_t open_count;
81233 int current_midi_output_port;
81234 int current_midi_input_port;
81235 u8 mode[MTS64_NUM_INPUT_PORTS];
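Review bot: `local_t open_count` is a per-device field in `struct mts64`, but local_t operations are only guaranteed atomic with respect to the CPU that owns the variable, so they do not protect updates made from different CPUs. If the open and close callbacks can run concurrently on different CPUs, `atomic_t open_count;` with `atomic_read`/`atomic_inc`/`atomic_dec_return` is the type that gives that guarantee. If the rawmidi core already serializes them (not visible here), a comment on the field such as `/* open/close are serialized by the caller; counter only has to be IRQ-safe */` would record why local_t is enough. The same question applies to the `open_count` field retyped in `struct portman` in portman2x4.c.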
81236 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
81237 {
81238 struct mts64 *mts = substream->rmidi->private_data;
81239
81240 - if (mts->open_count == 0) {
81241 + if (local_read(&mts->open_count) == 0) {
81242 /* We don't need a spinlock here, because this is just called
81243 if the device has not been opened before.
81244 So there aren't any IRQs from the device */
81245 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
81246
81247 msleep(50);
81248 }
81249 - ++(mts->open_count);
81250 + local_inc(&mts->open_count);
81251
81252 return 0;
81253 }
81254 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
81255 struct mts64 *mts = substream->rmidi->private_data;
81256 unsigned long flags;
81257
81258 - --(mts->open_count);
81259 - if (mts->open_count == 0) {
81260 + if (local_dec_return(&mts->open_count) == 0) {
81261 /* We need the spinlock_irqsave here because we can still
81262 have IRQs at this point */
81263 spin_lock_irqsave(&mts->lock, flags);
81264 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
81265
81266 msleep(500);
81267
81268 - } else if (mts->open_count < 0)
81269 - mts->open_count = 0;
81270 + } else if (local_read(&mts->open_count) < 0)
81271 + local_set(&mts->open_count, 0);
81272
81273 return 0;
81274 }
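Review bot: The `else if` branch re-reads the counter with `local_read()` although `local_dec_return()` in the previous hunk has already produced the new value, so the zero test and the negative clamp act on two separate samples. Keeping the result once, `long n = local_dec_return(&mts->open_count);` followed by `if (n == 0) {` and `} else if (n < 0)`, makes both branches use the same value. The clamp `local_set(&mts->open_count, 0)` also hides an unbalanced close; a `WARN_ON_ONCE(n < 0);` next to it would surface the imbalance instead of silently resetting the count. snd_mts64_rawmidi_close starts before these hunks.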
81275 @@ -760,13 +760,13 @@ static void snd_mts64_rawmidi_input_trig
81276 spin_unlock_irqrestore(&mts->lock, flags);
81277 }
81278
81279 -static struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81280 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81281 .open = snd_mts64_rawmidi_open,
81282 .close = snd_mts64_rawmidi_close,
81283 .trigger = snd_mts64_rawmidi_output_trigger
81284 };
81285
81286 -static struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81287 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81288 .open = snd_mts64_rawmidi_open,
81289 .close = snd_mts64_rawmidi_close,
81290 .trigger = snd_mts64_rawmidi_input_trigger
81291 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp.c linux-2.6.39.3/sound/drivers/pcsp/pcsp.c
81292 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-19 00:06:34.000000000 -0400
81293 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-22 19:36:35.000000000 -0400
81294 @@ -41,7 +41,7 @@ struct snd_pcsp pcsp_chip;
81295
81296 static int __devinit snd_pcsp_create(struct snd_card *card)
81297 {
81298 - static struct snd_device_ops ops = { };
81299 + static const struct snd_device_ops ops = { };
81300 struct timespec tp;
81301 int err;
81302 int div, min_div, order;
81303 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c
81304 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-19 00:06:34.000000000 -0400
81305 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-22 19:36:35.000000000 -0400
81306 @@ -323,7 +323,7 @@ static int snd_pcsp_playback_open(struct
81307 return 0;
81308 }
81309
81310 -static struct snd_pcm_ops snd_pcsp_playback_ops = {
81311 +static const struct snd_pcm_ops snd_pcsp_playback_ops = {
81312 .open = snd_pcsp_playback_open,
81313 .close = snd_pcsp_playback_close,
81314 .ioctl = snd_pcm_lib_ioctl,
81315 diff -urNp linux-2.6.39.3/sound/drivers/portman2x4.c linux-2.6.39.3/sound/drivers/portman2x4.c
81316 --- linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-19 00:06:34.000000000 -0400
81317 +++ linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-22 19:36:35.000000000 -0400
81318 @@ -47,6 +47,7 @@
81319 #include <sound/initval.h>
81320 #include <sound/rawmidi.h>
81321 #include <sound/control.h>
81322 +#include <asm/local.h>
81323
81324 #define CARD_NAME "Portman 2x4"
81325 #define DRIVER_NAME "portman"
81326 @@ -84,7 +85,7 @@ struct portman {
81327 struct pardevice *pardev;
81328 int pardev_claimed;
81329
81330 - int open_count;
81331 + local_t open_count;
81332 int mode[PORTMAN_NUM_INPUT_PORTS];
81333 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
81334 };
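Review bot: No hunk in this file section converts a read or write of `open_count`, whereas mts64.c needed several accessor changes for the same retyping. If the field is in fact unused in portman2x4.c (the rest of the file is not shown), removing it from `struct portman` is cleaner than changing its type and adding the `<asm/local.h>` include. If it is used somewhere, those sites need `local_read`/`local_inc` style accessors, since plain integer operators no longer apply to a `local_t`.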
81335 @@ -547,13 +548,13 @@ static void snd_portman_midi_output_trig
81336 spin_unlock_irqrestore(&pm->reg_lock, flags);
81337 }
81338
81339 -static struct snd_rawmidi_ops snd_portman_midi_output = {
81340 +static const struct snd_rawmidi_ops snd_portman_midi_output = {
81341 .open = snd_portman_midi_open,
81342 .close = snd_portman_midi_close,
81343 .trigger = snd_portman_midi_output_trigger,
81344 };
81345
81346 -static struct snd_rawmidi_ops snd_portman_midi_input = {
81347 +static const struct snd_rawmidi_ops snd_portman_midi_input = {
81348 .open = snd_portman_midi_open,
81349 .close = snd_portman_midi_close,
81350 .trigger = snd_portman_midi_input_trigger,
81351 diff -urNp linux-2.6.39.3/sound/drivers/serial-u16550.c linux-2.6.39.3/sound/drivers/serial-u16550.c
81352 --- linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-19 00:06:34.000000000 -0400
81353 +++ linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-22 19:36:35.000000000 -0400
81354 @@ -754,15 +754,13 @@ static void snd_uart16550_output_trigger
81355 snd_uart16550_output_write(substream);
81356 }
81357
81358 -static struct snd_rawmidi_ops snd_uart16550_output =
81359 -{
81360 +static const struct snd_rawmidi_ops snd_uart16550_output = {
81361 .open = snd_uart16550_output_open,
81362 .close = snd_uart16550_output_close,
81363 .trigger = snd_uart16550_output_trigger,
81364 };
81365
81366 -static struct snd_rawmidi_ops snd_uart16550_input =
81367 -{
81368 +static const struct snd_rawmidi_ops snd_uart16550_input = {
81369 .open = snd_uart16550_input_open,
81370 .close = snd_uart16550_input_close,
81371 .trigger = snd_uart16550_input_trigger,
81372 @@ -792,7 +790,7 @@ static int __devinit snd_uart16550_creat
81373 int droponfull,
81374 struct snd_uart16550 **ruart)
81375 {
81376 - static struct snd_device_ops ops = {
81377 + static const struct snd_device_ops ops = {
81378 .dev_free = snd_uart16550_dev_free,
81379 };
81380 struct snd_uart16550 *uart;
81381 diff -urNp linux-2.6.39.3/sound/drivers/vx/vx_pcm.c linux-2.6.39.3/sound/drivers/vx/vx_pcm.c
81382 --- linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-19 00:06:34.000000000 -0400
81383 +++ linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-22 19:36:35.000000000 -0400
81384 @@ -895,7 +895,7 @@ static int vx_pcm_prepare(struct snd_pcm
81385 /*
81386 * operators for PCM playback
81387 */
81388 -static struct snd_pcm_ops vx_pcm_playback_ops = {
81389 +static const struct snd_pcm_ops vx_pcm_playback_ops = {
81390 .open = vx_pcm_playback_open,
81391 .close = vx_pcm_playback_close,
81392 .ioctl = snd_pcm_lib_ioctl,
81393 @@ -1116,7 +1116,7 @@ static snd_pcm_uframes_t vx_pcm_capture_
81394 /*
81395 * operators for PCM capture
81396 */
81397 -static struct snd_pcm_ops vx_pcm_capture_ops = {
81398 +static const struct snd_pcm_ops vx_pcm_capture_ops = {
81399 .open = vx_pcm_capture_open,
81400 .close = vx_pcm_capture_close,
81401 .ioctl = snd_pcm_lib_ioctl,
81402 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.c linux-2.6.39.3/sound/firewire/amdtp.c
81403 --- linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-19 00:06:34.000000000 -0400
81404 +++ linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-22 19:36:35.000000000 -0400
81405 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
81406 ptr = s->pcm_buffer_pointer + data_blocks;
81407 if (ptr >= pcm->runtime->buffer_size)
81408 ptr -= pcm->runtime->buffer_size;
81409 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
81410 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
81411
81412 s->pcm_period_pointer += data_blocks;
81413 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
81414 @@ -510,7 +510,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
81415 */
81416 void amdtp_out_stream_update(struct amdtp_out_stream *s)
81417 {
81418 - ACCESS_ONCE(s->source_node_id_field) =
81419 + ACCESS_ONCE_RW(s->source_node_id_field) =
81420 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
81421 }
81422 EXPORT_SYMBOL(amdtp_out_stream_update);
81423 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.h linux-2.6.39.3/sound/firewire/amdtp.h
81424 --- linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-19 00:06:34.000000000 -0400
81425 +++ linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-22 19:36:35.000000000 -0400
81426 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
81427 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
81428 struct snd_pcm_substream *pcm)
81429 {
81430 - ACCESS_ONCE(s->pcm) = pcm;
81431 + ACCESS_ONCE_RW(s->pcm) = pcm;
81432 }
81433
81434 /**
81435 diff -urNp linux-2.6.39.3/sound/i2c/i2c.c linux-2.6.39.3/sound/i2c/i2c.c
81436 --- linux-2.6.39.3/sound/i2c/i2c.c 2011-05-19 00:06:34.000000000 -0400
81437 +++ linux-2.6.39.3/sound/i2c/i2c.c 2011-05-22 19:36:35.000000000 -0400
81438 @@ -80,7 +80,7 @@ int snd_i2c_bus_create(struct snd_card *
81439 {
81440 struct snd_i2c_bus *bus;
81441 int err;
81442 - static struct snd_device_ops ops = {
81443 + static const struct snd_device_ops ops = {
81444 .dev_free = snd_i2c_bus_dev_free,
81445 };
81446
81447 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4113.c linux-2.6.39.3/sound/i2c/other/ak4113.c
81448 --- linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-19 00:06:34.000000000 -0400
81449 +++ linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-22 19:36:35.000000000 -0400
81450 @@ -75,7 +75,7 @@ int snd_ak4113_create(struct snd_card *c
81451 struct ak4113 *chip;
81452 int err = 0;
81453 unsigned char reg;
81454 - static struct snd_device_ops ops = {
81455 + static const struct snd_device_ops ops = {
81456 .dev_free = snd_ak4113_dev_free,
81457 };
81458
81459 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4114.c linux-2.6.39.3/sound/i2c/other/ak4114.c
81460 --- linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-19 00:06:34.000000000 -0400
81461 +++ linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-22 19:36:35.000000000 -0400
81462 @@ -86,7 +86,7 @@ int snd_ak4114_create(struct snd_card *c
81463 struct ak4114 *chip;
81464 int err = 0;
81465 unsigned char reg;
81466 - static struct snd_device_ops ops = {
81467 + static const struct snd_device_ops ops = {
81468 .dev_free = snd_ak4114_dev_free,
81469 };
81470
81471 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4117.c linux-2.6.39.3/sound/i2c/other/ak4117.c
81472 --- linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-19 00:06:34.000000000 -0400
81473 +++ linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-22 19:36:35.000000000 -0400
81474 @@ -78,7 +78,7 @@ int snd_ak4117_create(struct snd_card *c
81475 struct ak4117 *chip;
81476 int err = 0;
81477 unsigned char reg;
81478 - static struct snd_device_ops ops = {
81479 + static const struct snd_device_ops ops = {
81480 .dev_free = snd_ak4117_dev_free,
81481 };
81482
81483 diff -urNp linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c
81484 --- linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-19 00:06:34.000000000 -0400
81485 +++ linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-22 19:36:35.000000000 -0400
81486 @@ -575,7 +575,7 @@ int __devinit snd_ad1816a_create(struct
81487 unsigned long port, int irq, int dma1, int dma2,
81488 struct snd_ad1816a **rchip)
81489 {
81490 - static struct snd_device_ops ops = {
81491 + static const struct snd_device_ops ops = {
81492 .dev_free = snd_ad1816a_dev_free,
81493 };
81494 int error;
81495 diff -urNp linux-2.6.39.3/sound/isa/es1688/es1688_lib.c linux-2.6.39.3/sound/isa/es1688/es1688_lib.c
81496 --- linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-19 00:06:34.000000000 -0400
81497 +++ linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-22 19:36:35.000000000 -0400
81498 @@ -646,7 +646,7 @@ int snd_es1688_create(struct snd_card *c
81499 int dma8,
81500 unsigned short hardware)
81501 {
81502 - static struct snd_device_ops ops = {
81503 + static const struct snd_device_ops ops = {
81504 .dev_free = snd_es1688_dev_free,
81505 };
81506
81507 diff -urNp linux-2.6.39.3/sound/isa/es18xx.c linux-2.6.39.3/sound/isa/es18xx.c
81508 --- linux-2.6.39.3/sound/isa/es18xx.c 2011-05-19 00:06:34.000000000 -0400
81509 +++ linux-2.6.39.3/sound/isa/es18xx.c 2011-05-22 19:36:35.000000000 -0400
81510 @@ -1658,7 +1658,7 @@ static int __devinit snd_es18xx_probe(st
81511 return snd_es18xx_initialize(chip, mpu_port, fm_port);
81512 }
81513
81514 -static struct snd_pcm_ops snd_es18xx_playback_ops = {
81515 +static const struct snd_pcm_ops snd_es18xx_playback_ops = {
81516 .open = snd_es18xx_playback_open,
81517 .close = snd_es18xx_playback_close,
81518 .ioctl = snd_pcm_lib_ioctl,
81519 @@ -1669,7 +1669,7 @@ static struct snd_pcm_ops snd_es18xx_pla
81520 .pointer = snd_es18xx_playback_pointer,
81521 };
81522
81523 -static struct snd_pcm_ops snd_es18xx_capture_ops = {
81524 +static const struct snd_pcm_ops snd_es18xx_capture_ops = {
81525 .open = snd_es18xx_capture_open,
81526 .close = snd_es18xx_capture_close,
81527 .ioctl = snd_pcm_lib_ioctl,
81528 @@ -1784,7 +1784,7 @@ static int __devinit snd_es18xx_new_devi
81529 int irq, int dma1, int dma2)
81530 {
81531 struct snd_es18xx *chip = card->private_data;
81532 - static struct snd_device_ops ops = {
81533 + static const struct snd_device_ops ops = {
81534 .dev_free = snd_es18xx_dev_free,
81535 };
81536 int err;
81537 diff -urNp linux-2.6.39.3/sound/isa/gus/gus_main.c linux-2.6.39.3/sound/isa/gus/gus_main.c
81538 --- linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-19 00:06:34.000000000 -0400
81539 +++ linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-22 19:36:35.000000000 -0400
81540 @@ -139,7 +139,7 @@ int snd_gus_create(struct snd_card *card
81541 {
81542 struct snd_gus_card *gus;
81543 int err;
81544 - static struct snd_device_ops ops = {
81545 + static const struct snd_device_ops ops = {
81546 .dev_free = snd_gus_dev_free,
81547 };
81548
81549 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd.c linux-2.6.39.3/sound/isa/msnd/msnd.c
81550 --- linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-19 00:06:34.000000000 -0400
81551 +++ linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-22 19:36:35.000000000 -0400
81552 @@ -570,7 +570,7 @@ snd_msnd_playback_pointer(struct snd_pcm
81553 }
81554
81555
81556 -static struct snd_pcm_ops snd_msnd_playback_ops = {
81557 +static const struct snd_pcm_ops snd_msnd_playback_ops = {
81558 .open = snd_msnd_playback_open,
81559 .close = snd_msnd_playback_close,
81560 .ioctl = snd_pcm_lib_ioctl,
81561 @@ -667,7 +667,7 @@ static int snd_msnd_capture_hw_params(st
81562 }
81563
81564
81565 -static struct snd_pcm_ops snd_msnd_capture_ops = {
81566 +static const struct snd_pcm_ops snd_msnd_capture_ops = {
81567 .open = snd_msnd_capture_open,
81568 .close = snd_msnd_capture_close,
81569 .ioctl = snd_pcm_lib_ioctl,
81570 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_midi.c linux-2.6.39.3/sound/isa/msnd/msnd_midi.c
81571 --- linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-19 00:06:34.000000000 -0400
81572 +++ linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-22 19:36:35.000000000 -0400
81573 @@ -141,7 +141,7 @@ void snd_msndmidi_input_read(void *mpuv)
81574 }
81575 EXPORT_SYMBOL(snd_msndmidi_input_read);
81576
81577 -static struct snd_rawmidi_ops snd_msndmidi_input = {
81578 +static const struct snd_rawmidi_ops snd_msndmidi_input = {
81579 .open = snd_msndmidi_input_open,
81580 .close = snd_msndmidi_input_close,
81581 .trigger = snd_msndmidi_input_trigger,
81582 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c
81583 --- linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-19 00:06:34.000000000 -0400
81584 +++ linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-22 19:36:35.000000000 -0400
81585 @@ -539,7 +539,7 @@ static int __devinit snd_msnd_attach(str
81586 {
81587 struct snd_msnd *chip = card->private_data;
81588 int err;
81589 - static struct snd_device_ops ops = {
81590 + static const struct snd_device_ops ops = {
81591 .dev_free = snd_msnd_dev_free,
81592 };
81593
81594 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000.c linux-2.6.39.3/sound/isa/sb/emu8000.c
81595 --- linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-19 00:06:34.000000000 -0400
81596 +++ linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-22 19:36:35.000000000 -0400
81597 @@ -1079,7 +1079,7 @@ snd_emu8000_new(struct snd_card *card, i
81598 struct snd_seq_device *awe;
81599 struct snd_emu8000 *hw;
81600 int err;
81601 - static struct snd_device_ops ops = {
81602 + static const struct snd_device_ops ops = {
81603 .dev_free = snd_emu8000_dev_free,
81604 };
81605
81606 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c
81607 --- linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-19 00:06:34.000000000 -0400
81608 +++ linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-22 19:36:35.000000000 -0400
81609 @@ -667,7 +667,7 @@ static snd_pcm_uframes_t emu8k_pcm_point
81610 }
81611
81612
81613 -static struct snd_pcm_ops emu8k_pcm_ops = {
81614 +static const struct snd_pcm_ops emu8k_pcm_ops = {
81615 .open = emu8k_pcm_open,
81616 .close = emu8k_pcm_close,
81617 .ioctl = snd_pcm_lib_ioctl,
81618 diff -urNp linux-2.6.39.3/sound/isa/sb/sb_common.c linux-2.6.39.3/sound/isa/sb/sb_common.c
81619 --- linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-19 00:06:34.000000000 -0400
81620 +++ linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-22 19:36:35.000000000 -0400
81621 @@ -218,7 +218,7 @@ int snd_sbdsp_create(struct snd_card *ca
81622 {
81623 struct snd_sb *chip;
81624 int err;
81625 - static struct snd_device_ops ops = {
81626 + static const struct snd_device_ops ops = {
81627 .dev_free = snd_sbdsp_dev_free,
81628 };
81629
81630 diff -urNp linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c
81631 --- linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-19 00:06:34.000000000 -0400
81632 +++ linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-22 19:36:35.000000000 -0400
81633 @@ -561,14 +561,14 @@ snd_wavefront_midi_start (snd_wavefront_
81634 return 0;
81635 }
81636
81637 -struct snd_rawmidi_ops snd_wavefront_midi_output =
81638 +const struct snd_rawmidi_ops snd_wavefront_midi_output =
81639 {
81640 .open = snd_wavefront_midi_output_open,
81641 .close = snd_wavefront_midi_output_close,
81642 .trigger = snd_wavefront_midi_output_trigger,
81643 };
81644
81645 -struct snd_rawmidi_ops snd_wavefront_midi_input =
81646 +const struct snd_rawmidi_ops snd_wavefront_midi_input =
81647 {
81648 .open = snd_wavefront_midi_input_open,
81649 .close = snd_wavefront_midi_input_close,
81650 diff -urNp linux-2.6.39.3/sound/isa/wss/wss_lib.c linux-2.6.39.3/sound/isa/wss/wss_lib.c
81651 --- linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-19 00:06:34.000000000 -0400
81652 +++ linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-22 19:36:35.000000000 -0400
81653 @@ -1801,7 +1801,7 @@ int snd_wss_create(struct snd_card *card
81654 unsigned short hwshare,
81655 struct snd_wss **rchip)
81656 {
81657 - static struct snd_device_ops ops = {
81658 + static const struct snd_device_ops ops = {
81659 .dev_free = snd_wss_dev_free,
81660 };
81661 struct snd_wss *chip;
81662 diff -urNp linux-2.6.39.3/sound/mips/au1x00.c linux-2.6.39.3/sound/mips/au1x00.c
81663 --- linux-2.6.39.3/sound/mips/au1x00.c 2011-05-19 00:06:34.000000000 -0400
81664 +++ linux-2.6.39.3/sound/mips/au1x00.c 2011-05-22 19:36:35.000000000 -0400
81665 @@ -416,7 +416,7 @@ snd_au1000_pointer(struct snd_pcm_substr
81666 return bytes_to_frames(runtime,location);
81667 }
81668
81669 -static struct snd_pcm_ops snd_card_au1000_playback_ops = {
81670 +static const struct snd_pcm_ops snd_card_au1000_playback_ops = {
81671 .open = snd_au1000_playback_open,
81672 .close = snd_au1000_playback_close,
81673 .ioctl = snd_pcm_lib_ioctl,
81674 @@ -427,7 +427,7 @@ static struct snd_pcm_ops snd_card_au100
81675 .pointer = snd_au1000_pointer,
81676 };
81677
81678 -static struct snd_pcm_ops snd_card_au1000_capture_ops = {
81679 +static const struct snd_pcm_ops snd_card_au1000_capture_ops = {
81680 .open = snd_au1000_capture_open,
81681 .close = snd_au1000_capture_close,
81682 .ioctl = snd_pcm_lib_ioctl,
81683 @@ -557,7 +557,7 @@ snd_au1000_ac97_new(struct snd_au1000 *a
81684 int err;
81685 struct snd_ac97_bus *pbus;
81686 struct snd_ac97_template ac97;
81687 - static struct snd_ac97_bus_ops ops = {
81688 + static const struct snd_ac97_bus_ops ops = {
81689 .write = snd_au1000_ac97_write,
81690 .read = snd_au1000_ac97_read,
81691 };
81692 diff -urNp linux-2.6.39.3/sound/mips/hal2.c linux-2.6.39.3/sound/mips/hal2.c
81693 --- linux-2.6.39.3/sound/mips/hal2.c 2011-05-19 00:06:34.000000000 -0400
81694 +++ linux-2.6.39.3/sound/mips/hal2.c 2011-05-22 19:36:35.000000000 -0400
81695 @@ -708,7 +708,7 @@ static int hal2_capture_ack(struct snd_p
81696 return 0;
81697 }
81698
81699 -static struct snd_pcm_ops hal2_playback_ops = {
81700 +static const struct snd_pcm_ops hal2_playback_ops = {
81701 .open = hal2_playback_open,
81702 .close = hal2_playback_close,
81703 .ioctl = snd_pcm_lib_ioctl,
81704 @@ -720,7 +720,7 @@ static struct snd_pcm_ops hal2_playback_
81705 .ack = hal2_playback_ack,
81706 };
81707
81708 -static struct snd_pcm_ops hal2_capture_ops = {
81709 +static const struct snd_pcm_ops hal2_capture_ops = {
81710 .open = hal2_capture_open,
81711 .close = hal2_capture_close,
81712 .ioctl = snd_pcm_lib_ioctl,
81713 @@ -766,7 +766,7 @@ static int hal2_dev_free(struct snd_devi
81714 return 0;
81715 }
81716
81717 -static struct snd_device_ops hal2_ops = {
81718 +static const struct snd_device_ops hal2_ops = {
81719 .dev_free = hal2_dev_free,
81720 };
81721
81722 diff -urNp linux-2.6.39.3/sound/mips/sgio2audio.c linux-2.6.39.3/sound/mips/sgio2audio.c
81723 --- linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-19 00:06:34.000000000 -0400
81724 +++ linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-22 19:36:35.000000000 -0400
81725 @@ -681,7 +681,7 @@ snd_sgio2audio_pcm_pointer(struct snd_pc
81726 }
81727
81728 /* operators */
81729 -static struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81730 +static const struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81731 .open = snd_sgio2audio_playback1_open,
81732 .close = snd_sgio2audio_pcm_close,
81733 .ioctl = snd_pcm_lib_ioctl,
81734 @@ -694,7 +694,7 @@ static struct snd_pcm_ops snd_sgio2audio
81735 .mmap = snd_pcm_lib_mmap_vmalloc,
81736 };
81737
81738 -static struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81739 +static const struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81740 .open = snd_sgio2audio_playback2_open,
81741 .close = snd_sgio2audio_pcm_close,
81742 .ioctl = snd_pcm_lib_ioctl,
81743 @@ -707,7 +707,7 @@ static struct snd_pcm_ops snd_sgio2audio
81744 .mmap = snd_pcm_lib_mmap_vmalloc,
81745 };
81746
81747 -static struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81748 +static const struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81749 .open = snd_sgio2audio_capture_open,
81750 .close = snd_sgio2audio_pcm_close,
81751 .ioctl = snd_pcm_lib_ioctl,
81752 @@ -829,7 +829,7 @@ static int snd_sgio2audio_dev_free(struc
81753 return snd_sgio2audio_free(chip);
81754 }
81755
81756 -static struct snd_device_ops ops = {
81757 +static const struct snd_device_ops ops = {
81758 .dev_free = snd_sgio2audio_dev_free,
81759 };
81760
81761 diff -urNp linux-2.6.39.3/sound/oss/ac97_codec.c linux-2.6.39.3/sound/oss/ac97_codec.c
81762 --- linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81763 +++ linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81764 @@ -99,23 +99,23 @@ static int generic_digital_control(struc
81765 * operations yet
81766 */
81767
81768 -static struct ac97_ops null_ops = { NULL, NULL, NULL };
81769 -static struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81770 -static struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81771 -static struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81772 -static struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81773 -static struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81774 -static struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81775 -static struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81776 -static struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81777 -static struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81778 -static struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81779 -static struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81780 -static struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81781 -static struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81782 -static struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81783 -static struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81784 -static struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81785 +static const struct ac97_ops null_ops = { NULL, NULL, NULL };
81786 +static const struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81787 +static const struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81788 +static const struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81789 +static const struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81790 +static const struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81791 +static const struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81792 +static const struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81793 +static const struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81794 +static const struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81795 +static const struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81796 +static const struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81797 +static const struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81798 +static const struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81799 +static const struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81800 +static const struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81801 +static const struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81802
81803 /* sorted by vendor/device id */
81804 static const struct {
81805 diff -urNp linux-2.6.39.3/sound/oss/sb_audio.c linux-2.6.39.3/sound/oss/sb_audio.c
81806 --- linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-19 00:06:34.000000000 -0400
81807 +++ linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-22 19:36:35.000000000 -0400
81808 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81809 buf16 = (signed short *)(localbuf + localoffs);
81810 while (c)
81811 {
81812 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81813 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81814 if (copy_from_user(lbuf8,
81815 userbuf+useroffs + p,
81816 locallen))
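Review bot: The `(unsigned)c` cast bounds the `copy_from_user()` length only indirectly: a negative `c` compares as a huge value and takes the `LBUFCOPYSIZE` branch, which is not obvious from the line itself. A comment above it, e.g. `/* compare unsigned so a negative c is clamped to LBUFCOPYSIZE, never used as a copy length */`, would keep the cast from being removed later as redundant. A negative `c` still enters the `while (c)` loop, so rejecting it before the loop would be the more direct guard. The code that computes `c` and the rest of sb16_copy_from_user lie outside this hunk.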
81817 diff -urNp linux-2.6.39.3/sound/oss/swarm_cs4297a.c linux-2.6.39.3/sound/oss/swarm_cs4297a.c
81818 --- linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-19 00:06:34.000000000 -0400
81819 +++ linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-22 19:36:35.000000000 -0400
81820 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
81821 {
81822 struct cs4297a_state *s;
81823 u32 pwr, id;
81824 - mm_segment_t fs;
81825 int rval;
81826 #ifndef CONFIG_BCM_CS4297A_CSWARM
81827 u64 cfg;
81828 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
81829 if (!rval) {
81830 char *sb1250_duart_present;
81831
81832 +#if 0
81833 + mm_segment_t fs;
81834 fs = get_fs();
81835 set_fs(KERNEL_DS);
81836 -#if 0
81837 val = SOUND_MASK_LINE;
81838 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
81839 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
81840 val = initvol[i].vol;
81841 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
81842 }
81843 + set_fs(fs);
81844 // cs4297a_write_ac97(s, 0x18, 0x0808);
81845 #else
81846 // cs4297a_write_ac97(s, 0x5e, 0x180);
81847 cs4297a_write_ac97(s, 0x02, 0x0808);
81848 cs4297a_write_ac97(s, 0x18, 0x0808);
81849 #endif
81850 - set_fs(fs);
81851
81852 list_add(&s->list, &cs4297a_devs);
81853
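Review bot: The `set_fs(KERNEL_DS)` window now survives only inside the `#if 0` branch, next to the `mixer_ioctl(s, ..., (unsigned long) &val)` calls that relied on it, so the address-limit override can return unnoticed if that branch is ever re-enabled. Deleting the dead branch would remove the pattern for good. Failing that, a comment at the `#if 0`, e.g. `/* disabled: hands kernel pointers to mixer_ioctl() under set_fs(KERNEL_DS) */`, would state why it has to stay off. cs4297a_init starts and ends outside this hunk.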
81854 diff -urNp linux-2.6.39.3/sound/parisc/harmony.c linux-2.6.39.3/sound/parisc/harmony.c
81855 --- linux-2.6.39.3/sound/parisc/harmony.c 2011-05-19 00:06:34.000000000 -0400
81856 +++ linux-2.6.39.3/sound/parisc/harmony.c 2011-05-22 19:36:35.000000000 -0400
81857 @@ -596,7 +596,7 @@ snd_harmony_hw_free(struct snd_pcm_subst
81858 return snd_pcm_lib_free_pages(ss);
81859 }
81860
81861 -static struct snd_pcm_ops snd_harmony_playback_ops = {
81862 +static const struct snd_pcm_ops snd_harmony_playback_ops = {
81863 .open = snd_harmony_playback_open,
81864 .close = snd_harmony_playback_close,
81865 .ioctl = snd_pcm_lib_ioctl,
81866 @@ -607,7 +607,7 @@ static struct snd_pcm_ops snd_harmony_pl
81867 .pointer = snd_harmony_playback_pointer,
81868 };
81869
81870 -static struct snd_pcm_ops snd_harmony_capture_ops = {
81871 +static const struct snd_pcm_ops snd_harmony_capture_ops = {
81872 .open = snd_harmony_capture_open,
81873 .close = snd_harmony_capture_close,
81874 .ioctl = snd_pcm_lib_ioctl,
81875 @@ -922,7 +922,7 @@ snd_harmony_create(struct snd_card *card
81876 {
81877 int err;
81878 struct snd_harmony *h;
81879 - static struct snd_device_ops ops = {
81880 + static const struct snd_device_ops ops = {
81881 .dev_free = snd_harmony_dev_free,
81882 };
81883
81884 diff -urNp linux-2.6.39.3/sound/pci/ac97/ac97_codec.c linux-2.6.39.3/sound/pci/ac97/ac97_codec.c
81885 --- linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81886 +++ linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81887 @@ -1910,12 +1910,12 @@ static int ac97_reset_wait(struct snd_ac
81888 *
81889 * Returns zero if successful, or a negative error code on failure.
81890 */
81891 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
81892 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
81893 void *private_data, struct snd_ac97_bus **rbus)
81894 {
81895 int err;
81896 struct snd_ac97_bus *bus;
81897 - static struct snd_device_ops dev_ops = {
81898 + static const struct snd_device_ops dev_ops = {
81899 .dev_free = snd_ac97_bus_dev_free,
81900 };
81901
81902 @@ -2015,7 +2015,7 @@ int snd_ac97_mixer(struct snd_ac97_bus *
81903 unsigned long end_time;
81904 unsigned int reg;
81905 const struct ac97_codec_id *pid;
81906 - static struct snd_device_ops ops = {
81907 + static const struct snd_device_ops ops = {
81908 .dev_free = snd_ac97_dev_free,
81909 .dev_register = snd_ac97_dev_register,
81910 .dev_disconnect = snd_ac97_dev_disconnect,
81911 diff -urNp linux-2.6.39.3/sound/pci/ad1889.c linux-2.6.39.3/sound/pci/ad1889.c
81912 --- linux-2.6.39.3/sound/pci/ad1889.c 2011-05-19 00:06:34.000000000 -0400
81913 +++ linux-2.6.39.3/sound/pci/ad1889.c 2011-05-22 19:36:35.000000000 -0400
81914 @@ -574,7 +574,7 @@ snd_ad1889_capture_pointer(struct snd_pc
81915 return bytes_to_frames(ss->runtime, ptr);
81916 }
81917
81918 -static struct snd_pcm_ops snd_ad1889_playback_ops = {
81919 +static const struct snd_pcm_ops snd_ad1889_playback_ops = {
81920 .open = snd_ad1889_playback_open,
81921 .close = snd_ad1889_playback_close,
81922 .ioctl = snd_pcm_lib_ioctl,
81923 @@ -585,7 +585,7 @@ static struct snd_pcm_ops snd_ad1889_pla
81924 .pointer = snd_ad1889_playback_pointer,
81925 };
81926
81927 -static struct snd_pcm_ops snd_ad1889_capture_ops = {
81928 +static const struct snd_pcm_ops snd_ad1889_capture_ops = {
81929 .open = snd_ad1889_capture_open,
81930 .close = snd_ad1889_capture_close,
81931 .ioctl = snd_pcm_lib_ioctl,
81932 @@ -809,7 +809,7 @@ snd_ad1889_ac97_init(struct snd_ad1889 *
81933 {
81934 int err;
81935 struct snd_ac97_template ac97;
81936 - static struct snd_ac97_bus_ops ops = {
81937 + static const struct snd_ac97_bus_ops ops = {
81938 .write = snd_ad1889_ac97_write,
81939 .read = snd_ad1889_ac97_read,
81940 };
81941 @@ -899,7 +899,7 @@ snd_ad1889_create(struct snd_card *card,
81942 int err;
81943
81944 struct snd_ad1889 *chip;
81945 - static struct snd_device_ops ops = {
81946 + static const struct snd_device_ops ops = {
81947 .dev_free = snd_ad1889_dev_free,
81948 };
81949
81950 diff -urNp linux-2.6.39.3/sound/pci/ak4531_codec.c linux-2.6.39.3/sound/pci/ak4531_codec.c
81951 --- linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-19 00:06:34.000000000 -0400
81952 +++ linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-22 19:36:35.000000000 -0400
81953 @@ -389,7 +389,7 @@ int __devinit snd_ak4531_mixer(struct sn
81954 unsigned int idx;
81955 int err;
81956 struct snd_ak4531 *ak4531;
81957 - static struct snd_device_ops ops = {
81958 + static const struct snd_device_ops ops = {
81959 .dev_free = snd_ak4531_dev_free,
81960 };
81961
81962 diff -urNp linux-2.6.39.3/sound/pci/ali5451/ali5451.c linux-2.6.39.3/sound/pci/ali5451/ali5451.c
81963 --- linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-19 00:06:34.000000000 -0400
81964 +++ linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-22 19:36:35.000000000 -0400
81965 @@ -1847,7 +1847,7 @@ static int __devinit snd_ali_mixer(struc
81966 struct snd_ac97_template ac97;
81967 unsigned int idx;
81968 int i, err;
81969 - static struct snd_ac97_bus_ops ops = {
81970 + static const struct snd_ac97_bus_ops ops = {
81971 .write = snd_ali_codec_write,
81972 .read = snd_ali_codec_read,
81973 };
81974 @@ -2114,7 +2114,7 @@ static int __devinit snd_ali_create(stru
81975 struct snd_ali *codec;
81976 int i, err;
81977 unsigned short cmdw;
81978 - static struct snd_device_ops ops = {
81979 + static const struct snd_device_ops ops = {
81980 .dev_free = snd_ali_dev_free,
81981 };
81982
81983 diff -urNp linux-2.6.39.3/sound/pci/als300.c linux-2.6.39.3/sound/pci/als300.c
81984 --- linux-2.6.39.3/sound/pci/als300.c 2011-05-19 00:06:34.000000000 -0400
81985 +++ linux-2.6.39.3/sound/pci/als300.c 2011-05-22 19:36:35.000000000 -0400
81986 @@ -319,7 +319,7 @@ static int snd_als300_ac97(struct snd_al
81987 struct snd_ac97_bus *bus;
81988 struct snd_ac97_template ac97;
81989 int err;
81990 - static struct snd_ac97_bus_ops ops = {
81991 + static const struct snd_ac97_bus_ops ops = {
81992 .write = snd_als300_ac97_write,
81993 .read = snd_als300_ac97_read,
81994 };
81995 @@ -589,7 +589,7 @@ static snd_pcm_uframes_t snd_als300_poin
81996 return bytes_to_frames(substream->runtime, current_ptr);
81997 }
81998
81999 -static struct snd_pcm_ops snd_als300_playback_ops = {
82000 +static const struct snd_pcm_ops snd_als300_playback_ops = {
82001 .open = snd_als300_playback_open,
82002 .close = snd_als300_playback_close,
82003 .ioctl = snd_pcm_lib_ioctl,
82004 @@ -600,7 +600,7 @@ static struct snd_pcm_ops snd_als300_pla
82005 .pointer = snd_als300_pointer,
82006 };
82007
82008 -static struct snd_pcm_ops snd_als300_capture_ops = {
82009 +static const struct snd_pcm_ops snd_als300_capture_ops = {
82010 .open = snd_als300_capture_open,
82011 .close = snd_als300_capture_close,
82012 .ioctl = snd_pcm_lib_ioctl,
82013 @@ -680,7 +680,7 @@ static int __devinit snd_als300_create(s
82014 void *irq_handler;
82015 int err;
82016
82017 - static struct snd_device_ops ops = {
82018 + static const struct snd_device_ops ops = {
82019 .dev_free = snd_als300_dev_free,
82020 };
82021 *rchip = NULL;
82022 diff -urNp linux-2.6.39.3/sound/pci/als4000.c linux-2.6.39.3/sound/pci/als4000.c
82023 --- linux-2.6.39.3/sound/pci/als4000.c 2011-05-19 00:06:34.000000000 -0400
82024 +++ linux-2.6.39.3/sound/pci/als4000.c 2011-05-22 19:36:35.000000000 -0400
82025 @@ -672,7 +672,7 @@ static int snd_als4000_capture_close(str
82026
82027 /******************************************************************/
82028
82029 -static struct snd_pcm_ops snd_als4000_playback_ops = {
82030 +static const struct snd_pcm_ops snd_als4000_playback_ops = {
82031 .open = snd_als4000_playback_open,
82032 .close = snd_als4000_playback_close,
82033 .ioctl = snd_pcm_lib_ioctl,
82034 @@ -683,7 +683,7 @@ static struct snd_pcm_ops snd_als4000_pl
82035 .pointer = snd_als4000_playback_pointer
82036 };
82037
82038 -static struct snd_pcm_ops snd_als4000_capture_ops = {
82039 +static const struct snd_pcm_ops snd_als4000_capture_ops = {
82040 .open = snd_als4000_capture_open,
82041 .close = snd_als4000_capture_close,
82042 .ioctl = snd_pcm_lib_ioctl,
82043 diff -urNp linux-2.6.39.3/sound/pci/asihpi/asihpi.c linux-2.6.39.3/sound/pci/asihpi/asihpi.c
82044 --- linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-19 00:06:34.000000000 -0400
82045 +++ linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-22 19:36:35.000000000 -0400
82046 @@ -1067,7 +1067,7 @@ static int snd_card_asihpi_playback_sile
82047 return 0;
82048 }
82049
82050 -static struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82051 +static const struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82052 .open = snd_card_asihpi_playback_open,
82053 .close = snd_card_asihpi_playback_close,
82054 .ioctl = snd_card_asihpi_playback_ioctl,
82055 @@ -1080,7 +1080,7 @@ static struct snd_pcm_ops snd_card_asihp
82056 .silence = snd_card_asihpi_playback_silence,
82057 };
82058
82059 -static struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82060 +static const struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82061 .open = snd_card_asihpi_playback_open,
82062 .close = snd_card_asihpi_playback_close,
82063 .ioctl = snd_card_asihpi_playback_ioctl,
82064 @@ -1268,7 +1268,7 @@ static int snd_card_asihpi_capture_copy(
82065 return 0;
82066 }
82067
82068 -static struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82069 +static const struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82070 .open = snd_card_asihpi_capture_open,
82071 .close = snd_card_asihpi_capture_close,
82072 .ioctl = snd_card_asihpi_capture_ioctl,
82073 @@ -1279,7 +1279,7 @@ static struct snd_pcm_ops snd_card_asihp
82074 .pointer = snd_card_asihpi_capture_pointer,
82075 };
82076
82077 -static struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82078 +static const struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82079 .open = snd_card_asihpi_capture_open,
82080 .close = snd_card_asihpi_capture_close,
82081 .ioctl = snd_card_asihpi_capture_ioctl,
82082 diff -urNp linux-2.6.39.3/sound/pci/atiixp.c linux-2.6.39.3/sound/pci/atiixp.c
82083 --- linux-2.6.39.3/sound/pci/atiixp.c 2011-05-19 00:06:34.000000000 -0400
82084 +++ linux-2.6.39.3/sound/pci/atiixp.c 2011-05-22 19:36:35.000000000 -0400
82085 @@ -1148,7 +1148,7 @@ static int snd_atiixp_spdif_close(struct
82086 }
82087
82088 /* AC97 playback */
82089 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82090 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82091 .open = snd_atiixp_playback_open,
82092 .close = snd_atiixp_playback_close,
82093 .ioctl = snd_pcm_lib_ioctl,
82094 @@ -1160,7 +1160,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82095 };
82096
82097 /* AC97 capture */
82098 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82099 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82100 .open = snd_atiixp_capture_open,
82101 .close = snd_atiixp_capture_close,
82102 .ioctl = snd_pcm_lib_ioctl,
82103 @@ -1172,7 +1172,7 @@ static struct snd_pcm_ops snd_atiixp_cap
82104 };
82105
82106 /* SPDIF playback */
82107 -static struct snd_pcm_ops snd_atiixp_spdif_ops = {
82108 +static const struct snd_pcm_ops snd_atiixp_spdif_ops = {
82109 .open = snd_atiixp_spdif_open,
82110 .close = snd_atiixp_spdif_close,
82111 .ioctl = snd_pcm_lib_ioctl,
82112 @@ -1410,7 +1410,7 @@ static int __devinit snd_atiixp_mixer_ne
82113 struct snd_ac97_template ac97;
82114 int i, err;
82115 int codec_count;
82116 - static struct snd_ac97_bus_ops ops = {
82117 + static const struct snd_ac97_bus_ops ops = {
82118 .write = snd_atiixp_ac97_write,
82119 .read = snd_atiixp_ac97_read,
82120 };
82121 @@ -1590,7 +1590,7 @@ static int __devinit snd_atiixp_create(s
82122 struct pci_dev *pci,
82123 struct atiixp **r_chip)
82124 {
82125 - static struct snd_device_ops ops = {
82126 + static const struct snd_device_ops ops = {
82127 .dev_free = snd_atiixp_dev_free,
82128 };
82129 struct atiixp *chip;
82130 diff -urNp linux-2.6.39.3/sound/pci/atiixp_modem.c linux-2.6.39.3/sound/pci/atiixp_modem.c
82131 --- linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-19 00:06:34.000000000 -0400
82132 +++ linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-22 19:36:35.000000000 -0400
82133 @@ -947,7 +947,7 @@ static int snd_atiixp_capture_close(stru
82134
82135
82136 /* AC97 playback */
82137 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82138 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82139 .open = snd_atiixp_playback_open,
82140 .close = snd_atiixp_playback_close,
82141 .ioctl = snd_pcm_lib_ioctl,
82142 @@ -959,7 +959,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82143 };
82144
82145 /* AC97 capture */
82146 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82147 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82148 .open = snd_atiixp_capture_open,
82149 .close = snd_atiixp_capture_close,
82150 .ioctl = snd_pcm_lib_ioctl,
82151 @@ -1067,7 +1067,7 @@ static int __devinit snd_atiixp_mixer_ne
82152 struct snd_ac97_template ac97;
82153 int i, err;
82154 int codec_count;
82155 - static struct snd_ac97_bus_ops ops = {
82156 + static const struct snd_ac97_bus_ops ops = {
82157 .write = snd_atiixp_ac97_write,
82158 .read = snd_atiixp_ac97_read,
82159 };
82160 @@ -1226,7 +1226,7 @@ static int __devinit snd_atiixp_create(s
82161 struct pci_dev *pci,
82162 struct atiixp_modem **r_chip)
82163 {
82164 - static struct snd_device_ops ops = {
82165 + static const struct snd_device_ops ops = {
82166 .dev_free = snd_atiixp_dev_free,
82167 };
82168 struct atiixp_modem *chip;
82169 diff -urNp linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c
82170 --- linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-19 00:06:34.000000000 -0400
82171 +++ linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-22 19:36:35.000000000 -0400
82172 @@ -409,7 +409,7 @@ static snd_pcm_uframes_t snd_vortex_pcm_
82173 }
82174
82175 /* operators */
82176 -static struct snd_pcm_ops snd_vortex_playback_ops = {
82177 +static const struct snd_pcm_ops snd_vortex_playback_ops = {
82178 .open = snd_vortex_pcm_open,
82179 .close = snd_vortex_pcm_close,
82180 .ioctl = snd_pcm_lib_ioctl,
82181 diff -urNp linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c
82182 --- linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-19 00:06:34.000000000 -0400
82183 +++ linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-22 19:36:35.000000000 -0400
82184 @@ -178,7 +178,7 @@ static struct pci_driver driver = {
82185 };
82186
82187 /* operators for playback PCM alsa interface */
82188 -static struct snd_pcm_ops snd_aw2_playback_ops = {
82189 +static const struct snd_pcm_ops snd_aw2_playback_ops = {
82190 .open = snd_aw2_pcm_playback_open,
82191 .close = snd_aw2_pcm_playback_close,
82192 .ioctl = snd_pcm_lib_ioctl,
82193 @@ -190,7 +190,7 @@ static struct snd_pcm_ops snd_aw2_playba
82194 };
82195
82196 /* operators for capture PCM alsa interface */
82197 -static struct snd_pcm_ops snd_aw2_capture_ops = {
82198 +static const struct snd_pcm_ops snd_aw2_capture_ops = {
82199 .open = snd_aw2_pcm_capture_open,
82200 .close = snd_aw2_pcm_capture_close,
82201 .ioctl = snd_pcm_lib_ioctl,
82202 @@ -263,7 +263,7 @@ static int __devinit snd_aw2_create(stru
82203 {
82204 struct aw2 *chip;
82205 int err;
82206 - static struct snd_device_ops ops = {
82207 + static const struct snd_device_ops ops = {
82208 .dev_free = snd_aw2_dev_free,
82209 };
82210
82211 diff -urNp linux-2.6.39.3/sound/pci/azt3328.c linux-2.6.39.3/sound/pci/azt3328.c
82212 --- linux-2.6.39.3/sound/pci/azt3328.c 2011-05-19 00:06:34.000000000 -0400
82213 +++ linux-2.6.39.3/sound/pci/azt3328.c 2011-05-22 19:36:35.000000000 -0400
82214 @@ -822,7 +822,7 @@ snd_azf3328_mixer_new(struct snd_azf3328
82215 {
82216 struct snd_ac97_bus *bus;
82217 struct snd_ac97_template ac97;
82218 - static struct snd_ac97_bus_ops ops = {
82219 + static const struct snd_ac97_bus_ops ops = {
82220 .write = snd_azf3328_mixer_ac97_write,
82221 .read = snd_azf3328_mixer_ac97_read,
82222 };
82223 @@ -2179,7 +2179,7 @@ snd_azf3328_pcm_close(struct snd_pcm_sub
82224
82225 /******************************************************************/
82226
82227 -static struct snd_pcm_ops snd_azf3328_playback_ops = {
82228 +static const struct snd_pcm_ops snd_azf3328_playback_ops = {
82229 .open = snd_azf3328_pcm_playback_open,
82230 .close = snd_azf3328_pcm_close,
82231 .ioctl = snd_pcm_lib_ioctl,
82232 @@ -2190,7 +2190,7 @@ static struct snd_pcm_ops snd_azf3328_pl
82233 .pointer = snd_azf3328_pcm_pointer
82234 };
82235
82236 -static struct snd_pcm_ops snd_azf3328_capture_ops = {
82237 +static const struct snd_pcm_ops snd_azf3328_capture_ops = {
82238 .open = snd_azf3328_pcm_capture_open,
82239 .close = snd_azf3328_pcm_close,
82240 .ioctl = snd_pcm_lib_ioctl,
82241 @@ -2201,7 +2201,7 @@ static struct snd_pcm_ops snd_azf3328_ca
82242 .pointer = snd_azf3328_pcm_pointer
82243 };
82244
82245 -static struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82246 +static const struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82247 .open = snd_azf3328_pcm_i2s_out_open,
82248 .close = snd_azf3328_pcm_close,
82249 .ioctl = snd_pcm_lib_ioctl,
82250 @@ -2497,7 +2497,7 @@ snd_azf3328_create(struct snd_card *card
82251 {
82252 struct snd_azf3328 *chip;
82253 int err;
82254 - static struct snd_device_ops ops = {
82255 + static const struct snd_device_ops ops = {
82256 .dev_free = snd_azf3328_dev_free,
82257 };
82258 u8 dma_init;
82259 diff -urNp linux-2.6.39.3/sound/pci/bt87x.c linux-2.6.39.3/sound/pci/bt87x.c
82260 --- linux-2.6.39.3/sound/pci/bt87x.c 2011-05-19 00:06:34.000000000 -0400
82261 +++ linux-2.6.39.3/sound/pci/bt87x.c 2011-05-22 19:36:35.000000000 -0400
82262 @@ -542,7 +542,7 @@ static snd_pcm_uframes_t snd_bt87x_point
82263 return (snd_pcm_uframes_t)bytes_to_frames(runtime, chip->current_line * chip->line_bytes);
82264 }
82265
82266 -static struct snd_pcm_ops snd_bt87x_pcm_ops = {
82267 +static const struct snd_pcm_ops snd_bt87x_pcm_ops = {
82268 .open = snd_bt87x_pcm_open,
82269 .close = snd_bt87x_close,
82270 .ioctl = snd_pcm_lib_ioctl,
82271 @@ -720,7 +720,7 @@ static int __devinit snd_bt87x_create(st
82272 {
82273 struct snd_bt87x *chip;
82274 int err;
82275 - static struct snd_device_ops ops = {
82276 + static const struct snd_device_ops ops = {
82277 .dev_free = snd_bt87x_dev_free
82278 };
82279
82280 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c
82281 --- linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-19 00:06:34.000000000 -0400
82282 +++ linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-22 19:36:35.000000000 -0400
82283 @@ -1103,7 +1103,7 @@ snd_ca0106_pcm_pointer_capture(struct sn
82284 }
82285
82286 /* operators */
82287 -static struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82288 +static const struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82289 .open = snd_ca0106_pcm_open_playback_front,
82290 .close = snd_ca0106_pcm_close_playback,
82291 .ioctl = snd_pcm_lib_ioctl,
82292 @@ -1114,7 +1114,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82293 .pointer = snd_ca0106_pcm_pointer_playback,
82294 };
82295
82296 -static struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82297 +static const struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82298 .open = snd_ca0106_pcm_open_0_capture,
82299 .close = snd_ca0106_pcm_close_capture,
82300 .ioctl = snd_pcm_lib_ioctl,
82301 @@ -1125,7 +1125,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82302 .pointer = snd_ca0106_pcm_pointer_capture,
82303 };
82304
82305 -static struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82306 +static const struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82307 .open = snd_ca0106_pcm_open_1_capture,
82308 .close = snd_ca0106_pcm_close_capture,
82309 .ioctl = snd_pcm_lib_ioctl,
82310 @@ -1136,7 +1136,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82311 .pointer = snd_ca0106_pcm_pointer_capture,
82312 };
82313
82314 -static struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82315 +static const struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82316 .open = snd_ca0106_pcm_open_2_capture,
82317 .close = snd_ca0106_pcm_close_capture,
82318 .ioctl = snd_pcm_lib_ioctl,
82319 @@ -1147,7 +1147,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82320 .pointer = snd_ca0106_pcm_pointer_capture,
82321 };
82322
82323 -static struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82324 +static const struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82325 .open = snd_ca0106_pcm_open_3_capture,
82326 .close = snd_ca0106_pcm_close_capture,
82327 .ioctl = snd_pcm_lib_ioctl,
82328 @@ -1158,7 +1158,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82329 .pointer = snd_ca0106_pcm_pointer_capture,
82330 };
82331
82332 -static struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82333 +static const struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82334 .open = snd_ca0106_pcm_open_playback_center_lfe,
82335 .close = snd_ca0106_pcm_close_playback,
82336 .ioctl = snd_pcm_lib_ioctl,
82337 @@ -1169,7 +1169,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82338 .pointer = snd_ca0106_pcm_pointer_playback,
82339 };
82340
82341 -static struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82342 +static const struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82343 .open = snd_ca0106_pcm_open_playback_unknown,
82344 .close = snd_ca0106_pcm_close_playback,
82345 .ioctl = snd_pcm_lib_ioctl,
82346 @@ -1180,7 +1180,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82347 .pointer = snd_ca0106_pcm_pointer_playback,
82348 };
82349
82350 -static struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82351 +static const struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82352 .open = snd_ca0106_pcm_open_playback_rear,
82353 .close = snd_ca0106_pcm_close_playback,
82354 .ioctl = snd_pcm_lib_ioctl,
82355 @@ -1223,7 +1223,7 @@ static int snd_ca0106_ac97(struct snd_ca
82356 struct snd_ac97_bus *pbus;
82357 struct snd_ac97_template ac97;
82358 int err;
82359 - static struct snd_ac97_bus_ops ops = {
82360 + static const struct snd_ac97_bus_ops ops = {
82361 .write = snd_ca0106_ac97_write,
82362 .read = snd_ca0106_ac97_read,
82363 };
82364 @@ -1629,7 +1629,7 @@ static int __devinit snd_ca0106_create(i
82365 struct snd_ca0106 *chip;
82366 struct snd_ca0106_details *c;
82367 int err;
82368 - static struct snd_device_ops ops = {
82369 + static const struct snd_device_ops ops = {
82370 .dev_free = snd_ca0106_dev_free,
82371 };
82372
82373 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca_midi.c linux-2.6.39.3/sound/pci/ca0106/ca_midi.c
82374 --- linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-19 00:06:34.000000000 -0400
82375 +++ linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-22 19:36:35.000000000 -0400
82376 @@ -255,15 +255,13 @@ static void ca_midi_output_trigger(struc
82377 }
82378 }
82379
82380 -static struct snd_rawmidi_ops ca_midi_output =
82381 -{
82382 +static const struct snd_rawmidi_ops ca_midi_output = {
82383 .open = ca_midi_output_open,
82384 .close = ca_midi_output_close,
82385 .trigger = ca_midi_output_trigger,
82386 };
82387
82388 -static struct snd_rawmidi_ops ca_midi_input =
82389 -{
82390 +static const struct snd_rawmidi_ops ca_midi_input = {
82391 .open = ca_midi_input_open,
82392 .close = ca_midi_input_close,
82393 .trigger = ca_midi_input_trigger,
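Review bot: The opening brace of `ca_midi_output` and `ca_midi_input` is moved onto the declaration line in the same change that adds `const`, which mixes a formatting edit into a hardening change. Keeping the original layout (`static const struct snd_rawmidi_ops ca_midi_output =` with `{` on the next line) would leave the hunk as a pure qualifier change, which is easier to audit and to rebase onto later kernel versions. The same applies to the `snd_cs4281_midi_output` / `snd_cs4281_midi_input` hunk in sound/pci/cs4281.c. The `ca_midi_input` initializer continues past the end of the hunk.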
82394 diff -urNp linux-2.6.39.3/sound/pci/cmipci.c linux-2.6.39.3/sound/pci/cmipci.c
82395 --- linux-2.6.39.3/sound/pci/cmipci.c 2011-05-19 00:06:34.000000000 -0400
82396 +++ linux-2.6.39.3/sound/pci/cmipci.c 2011-05-22 19:36:35.000000000 -0400
82397 @@ -1838,7 +1838,7 @@ static int snd_cmipci_capture_spdif_clos
82398 /*
82399 */
82400
82401 -static struct snd_pcm_ops snd_cmipci_playback_ops = {
82402 +static const struct snd_pcm_ops snd_cmipci_playback_ops = {
82403 .open = snd_cmipci_playback_open,
82404 .close = snd_cmipci_playback_close,
82405 .ioctl = snd_pcm_lib_ioctl,
82406 @@ -1849,7 +1849,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82407 .pointer = snd_cmipci_playback_pointer,
82408 };
82409
82410 -static struct snd_pcm_ops snd_cmipci_capture_ops = {
82411 +static const struct snd_pcm_ops snd_cmipci_capture_ops = {
82412 .open = snd_cmipci_capture_open,
82413 .close = snd_cmipci_capture_close,
82414 .ioctl = snd_pcm_lib_ioctl,
82415 @@ -1860,7 +1860,7 @@ static struct snd_pcm_ops snd_cmipci_cap
82416 .pointer = snd_cmipci_capture_pointer,
82417 };
82418
82419 -static struct snd_pcm_ops snd_cmipci_playback2_ops = {
82420 +static const struct snd_pcm_ops snd_cmipci_playback2_ops = {
82421 .open = snd_cmipci_playback2_open,
82422 .close = snd_cmipci_playback2_close,
82423 .ioctl = snd_pcm_lib_ioctl,
82424 @@ -1871,7 +1871,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82425 .pointer = snd_cmipci_capture_pointer, /* channel B */
82426 };
82427
82428 -static struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82429 +static const struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82430 .open = snd_cmipci_playback_spdif_open,
82431 .close = snd_cmipci_playback_spdif_close,
82432 .ioctl = snd_pcm_lib_ioctl,
82433 @@ -1882,7 +1882,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82434 .pointer = snd_cmipci_playback_pointer,
82435 };
82436
82437 -static struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82438 +static const struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82439 .open = snd_cmipci_capture_spdif_open,
82440 .close = snd_cmipci_capture_spdif_close,
82441 .ioctl = snd_pcm_lib_ioctl,
82442 @@ -3011,7 +3011,7 @@ static int __devinit snd_cmipci_create(s
82443 {
82444 struct cmipci *cm;
82445 int err;
82446 - static struct snd_device_ops ops = {
82447 + static const struct snd_device_ops ops = {
82448 .dev_free = snd_cmipci_dev_free,
82449 };
82450 unsigned int val;
82451 diff -urNp linux-2.6.39.3/sound/pci/cs4281.c linux-2.6.39.3/sound/pci/cs4281.c
82452 --- linux-2.6.39.3/sound/pci/cs4281.c 2011-05-19 00:06:34.000000000 -0400
82453 +++ linux-2.6.39.3/sound/pci/cs4281.c 2011-05-22 19:36:35.000000000 -0400
82454 @@ -947,7 +947,7 @@ static int snd_cs4281_capture_close(stru
82455 return 0;
82456 }
82457
82458 -static struct snd_pcm_ops snd_cs4281_playback_ops = {
82459 +static const struct snd_pcm_ops snd_cs4281_playback_ops = {
82460 .open = snd_cs4281_playback_open,
82461 .close = snd_cs4281_playback_close,
82462 .ioctl = snd_pcm_lib_ioctl,
82463 @@ -958,7 +958,7 @@ static struct snd_pcm_ops snd_cs4281_pla
82464 .pointer = snd_cs4281_pointer,
82465 };
82466
82467 -static struct snd_pcm_ops snd_cs4281_capture_ops = {
82468 +static const struct snd_pcm_ops snd_cs4281_capture_ops = {
82469 .open = snd_cs4281_capture_open,
82470 .close = snd_cs4281_capture_close,
82471 .ioctl = snd_pcm_lib_ioctl,
82472 @@ -1098,7 +1098,7 @@ static int __devinit snd_cs4281_mixer(st
82473 struct snd_card *card = chip->card;
82474 struct snd_ac97_template ac97;
82475 int err;
82476 - static struct snd_ac97_bus_ops ops = {
82477 + static const struct snd_ac97_bus_ops ops = {
82478 .write = snd_cs4281_ac97_write,
82479 .read = snd_cs4281_ac97_read,
82480 };
82481 @@ -1343,7 +1343,7 @@ static int __devinit snd_cs4281_create(s
82482 struct cs4281 *chip;
82483 unsigned int tmp;
82484 int err;
82485 - static struct snd_device_ops ops = {
82486 + static const struct snd_device_ops ops = {
82487 .dev_free = snd_cs4281_dev_free,
82488 };
82489
82490 @@ -1765,15 +1765,13 @@ static void snd_cs4281_midi_output_trigg
82491 spin_unlock_irqrestore(&chip->reg_lock, flags);
82492 }
82493
82494 -static struct snd_rawmidi_ops snd_cs4281_midi_output =
82495 -{
82496 +static const struct snd_rawmidi_ops snd_cs4281_midi_output = {
82497 .open = snd_cs4281_midi_output_open,
82498 .close = snd_cs4281_midi_output_close,
82499 .trigger = snd_cs4281_midi_output_trigger,
82500 };
82501
82502 -static struct snd_rawmidi_ops snd_cs4281_midi_input =
82503 -{
82504 +static const struct snd_rawmidi_ops snd_cs4281_midi_input = {
82505 .open = snd_cs4281_midi_input_open,
82506 .close = snd_cs4281_midi_input_close,
82507 .trigger = snd_cs4281_midi_input_trigger,
82508 diff -urNp linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c
82509 --- linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-19 00:06:34.000000000 -0400
82510 +++ linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-22 19:36:35.000000000 -0400
82511 @@ -3722,7 +3722,7 @@ int __devinit snd_cs46xx_create(struct s
82512 struct snd_cs46xx_region *region;
82513 struct cs_card_type *cp;
82514 u16 ss_card, ss_vendor;
82515 - static struct snd_device_ops ops = {
82516 + static const struct snd_device_ops ops = {
82517 .dev_free = snd_cs46xx_dev_free,
82518 };
82519
82520 diff -urNp linux-2.6.39.3/sound/pci/cs5530.c linux-2.6.39.3/sound/pci/cs5530.c
82521 --- linux-2.6.39.3/sound/pci/cs5530.c 2011-05-19 00:06:34.000000000 -0400
82522 +++ linux-2.6.39.3/sound/pci/cs5530.c 2011-05-22 19:36:35.000000000 -0400
82523 @@ -107,7 +107,7 @@ static int __devinit snd_cs5530_create(s
82524 void __iomem *mem;
82525 int err;
82526
82527 - static struct snd_device_ops ops = {
82528 + static const struct snd_device_ops ops = {
82529 .dev_free = snd_cs5530_dev_free,
82530 };
82531 *rchip = NULL;
82532 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c
82533 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-19 00:06:34.000000000 -0400
82534 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-22 19:36:35.000000000 -0400
82535 @@ -150,7 +150,7 @@ static int __devinit snd_cs5535audio_mix
82536 struct snd_ac97_bus *pbus;
82537 struct snd_ac97_template ac97;
82538 int err;
82539 - static struct snd_ac97_bus_ops ops = {
82540 + static const struct snd_ac97_bus_ops ops = {
82541 .write = snd_cs5535audio_ac97_codec_write,
82542 .read = snd_cs5535audio_ac97_codec_read,
82543 };
82544 @@ -277,7 +277,7 @@ static int __devinit snd_cs5535audio_cre
82545 struct cs5535audio *cs5535au;
82546
82547 int err;
82548 - static struct snd_device_ops ops = {
82549 + static const struct snd_device_ops ops = {
82550 .dev_free = snd_cs5535audio_dev_free,
82551 };
82552
82553 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c
82554 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-19 00:06:34.000000000 -0400
82555 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-22 19:36:35.000000000 -0400
82556 @@ -380,7 +380,7 @@ static int snd_cs5535audio_capture_prepa
82557 substream->runtime->rate);
82558 }
82559
82560 -static struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82561 +static const struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82562 .open = snd_cs5535audio_playback_open,
82563 .close = snd_cs5535audio_playback_close,
82564 .ioctl = snd_pcm_lib_ioctl,
82565 @@ -391,7 +391,7 @@ static struct snd_pcm_ops snd_cs5535audi
82566 .pointer = snd_cs5535audio_pcm_pointer,
82567 };
82568
82569 -static struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82570 +static const struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82571 .open = snd_cs5535audio_capture_open,
82572 .close = snd_cs5535audio_capture_close,
82573 .ioctl = snd_pcm_lib_ioctl,
82574 diff -urNp linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c
82575 --- linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-19 00:06:34.000000000 -0400
82576 +++ linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-22 19:36:35.000000000 -0400
82577 @@ -370,7 +370,7 @@ ct_pcm_capture_pointer(struct snd_pcm_su
82578 }
82579
82580 /* PCM operators for playback */
82581 -static struct snd_pcm_ops ct_pcm_playback_ops = {
82582 +static const struct snd_pcm_ops ct_pcm_playback_ops = {
82583 .open = ct_pcm_playback_open,
82584 .close = ct_pcm_playback_close,
82585 .ioctl = snd_pcm_lib_ioctl,
82586 @@ -383,7 +383,7 @@ static struct snd_pcm_ops ct_pcm_playbac
82587 };
82588
82589 /* PCM operators for capture */
82590 -static struct snd_pcm_ops ct_pcm_capture_ops = {
82591 +static const struct snd_pcm_ops ct_pcm_capture_ops = {
82592 .open = ct_pcm_capture_open,
82593 .close = ct_pcm_capture_close,
82594 .ioctl = snd_pcm_lib_ioctl,
82595 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c
82596 --- linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-19 00:06:34.000000000 -0400
82597 +++ linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-22 19:36:35.000000000 -0400
82598 @@ -831,7 +831,7 @@ static snd_pcm_uframes_t pcm_pointer(str
82599
82600
82601 /* pcm *_ops structures */
82602 -static struct snd_pcm_ops analog_playback_ops = {
82603 +static const struct snd_pcm_ops analog_playback_ops = {
82604 .open = pcm_analog_out_open,
82605 .close = pcm_close,
82606 .ioctl = snd_pcm_lib_ioctl,
82607 @@ -842,7 +842,7 @@ static struct snd_pcm_ops analog_playbac
82608 .pointer = pcm_pointer,
82609 .page = snd_pcm_sgbuf_ops_page,
82610 };
82611 -static struct snd_pcm_ops analog_capture_ops = {
82612 +static const struct snd_pcm_ops analog_capture_ops = {
82613 .open = pcm_analog_in_open,
82614 .close = pcm_close,
82615 .ioctl = snd_pcm_lib_ioctl,
82616 @@ -855,7 +855,7 @@ static struct snd_pcm_ops analog_capture
82617 };
82618 #ifdef ECHOCARD_HAS_DIGITAL_IO
82619 #ifndef ECHOCARD_HAS_VMIXER
82620 -static struct snd_pcm_ops digital_playback_ops = {
82621 +static const struct snd_pcm_ops digital_playback_ops = {
82622 .open = pcm_digital_out_open,
82623 .close = pcm_close,
82624 .ioctl = snd_pcm_lib_ioctl,
82625 @@ -867,7 +867,7 @@ static struct snd_pcm_ops digital_playba
82626 .page = snd_pcm_sgbuf_ops_page,
82627 };
82628 #endif /* !ECHOCARD_HAS_VMIXER */
82629 -static struct snd_pcm_ops digital_capture_ops = {
82630 +static const struct snd_pcm_ops digital_capture_ops = {
82631 .open = pcm_digital_in_open,
82632 .close = pcm_close,
82633 .ioctl = snd_pcm_lib_ioctl,
82634 @@ -1945,7 +1945,7 @@ static __devinit int snd_echo_create(str
82635 struct echoaudio *chip;
82636 int err;
82637 size_t sz;
82638 - static struct snd_device_ops ops = {
82639 + static const struct snd_device_ops ops = {
82640 .dev_free = snd_echo_dev_free,
82641 };
82642
82643 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/midi.c linux-2.6.39.3/sound/pci/echoaudio/midi.c
82644 --- linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-19 00:06:34.000000000 -0400
82645 +++ linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-22 19:36:35.000000000 -0400
82646 @@ -292,13 +292,13 @@ static int snd_echo_midi_output_close(st
82647
82648
82649
82650 -static struct snd_rawmidi_ops snd_echo_midi_input = {
82651 +static const struct snd_rawmidi_ops snd_echo_midi_input = {
82652 .open = snd_echo_midi_input_open,
82653 .close = snd_echo_midi_input_close,
82654 .trigger = snd_echo_midi_input_trigger,
82655 };
82656
82657 -static struct snd_rawmidi_ops snd_echo_midi_output = {
82658 +static const struct snd_rawmidi_ops snd_echo_midi_output = {
82659 .open = snd_echo_midi_output_open,
82660 .close = snd_echo_midi_output_close,
82661 .trigger = snd_echo_midi_output_trigger,
82662 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c
82663 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-19 00:06:34.000000000 -0400
82664 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-22 19:36:35.000000000 -0400
82665 @@ -1722,7 +1722,7 @@ int __devinit snd_emu10k1_create(struct
82666 int is_audigy;
82667 unsigned int silent_page;
82668 const struct snd_emu_chip_details *c;
82669 - static struct snd_device_ops ops = {
82670 + static const struct snd_device_ops ops = {
82671 .dev_free = snd_emu10k1_dev_free,
82672 };
82673
82674 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c
82675 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-19 00:06:34.000000000 -0400
82676 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-22 19:36:35.000000000 -0400
82677 @@ -543,7 +543,7 @@ snd_emu10k1x_pcm_pointer(struct snd_pcm_
82678 }
82679
82680 /* operators */
82681 -static struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82682 +static const struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82683 .open = snd_emu10k1x_playback_open,
82684 .close = snd_emu10k1x_playback_close,
82685 .ioctl = snd_pcm_lib_ioctl,
82686 @@ -689,7 +689,7 @@ snd_emu10k1x_pcm_pointer_capture(struct
82687 return ptr;
82688 }
82689
82690 -static struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82691 +static const struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82692 .open = snd_emu10k1x_pcm_open_capture,
82693 .close = snd_emu10k1x_pcm_close_capture,
82694 .ioctl = snd_pcm_lib_ioctl,
82695 @@ -731,7 +731,7 @@ static int snd_emu10k1x_ac97(struct emu1
82696 struct snd_ac97_bus *pbus;
82697 struct snd_ac97_template ac97;
82698 int err;
82699 - static struct snd_ac97_bus_ops ops = {
82700 + static const struct snd_ac97_bus_ops ops = {
82701 .write = snd_emu10k1x_ac97_write,
82702 .read = snd_emu10k1x_ac97_read,
82703 };
82704 @@ -888,7 +888,7 @@ static int __devinit snd_emu10k1x_create
82705 struct emu10k1x *chip;
82706 int err;
82707 int ch;
82708 - static struct snd_device_ops ops = {
82709 + static const struct snd_device_ops ops = {
82710 .dev_free = snd_emu10k1x_dev_free,
82711 };
82712
82713 @@ -1465,15 +1465,13 @@ static void snd_emu10k1x_midi_output_tri
82714
82715 */
82716
82717 -static struct snd_rawmidi_ops snd_emu10k1x_midi_output =
82718 -{
82719 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_output = {
82720 .open = snd_emu10k1x_midi_output_open,
82721 .close = snd_emu10k1x_midi_output_close,
82722 .trigger = snd_emu10k1x_midi_output_trigger,
82723 };
82724
82725 -static struct snd_rawmidi_ops snd_emu10k1x_midi_input =
82726 -{
82727 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_input = {
82728 .open = snd_emu10k1x_midi_input_open,
82729 .close = snd_emu10k1x_midi_input_close,
82730 .trigger = snd_emu10k1x_midi_input_trigger,
82731 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/p16v.c linux-2.6.39.3/sound/pci/emu10k1/p16v.c
82732 --- linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-19 00:06:34.000000000 -0400
82733 +++ linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-22 19:36:35.000000000 -0400
82734 @@ -601,7 +601,7 @@ snd_p16v_pcm_pointer_capture(struct snd_
82735 }
82736
82737 /* operators */
82738 -static struct snd_pcm_ops snd_p16v_playback_front_ops = {
82739 +static const struct snd_pcm_ops snd_p16v_playback_front_ops = {
82740 .open = snd_p16v_pcm_open_playback_front,
82741 .close = snd_p16v_pcm_close_playback,
82742 .ioctl = snd_pcm_lib_ioctl,
82743 @@ -612,7 +612,7 @@ static struct snd_pcm_ops snd_p16v_playb
82744 .pointer = snd_p16v_pcm_pointer_playback,
82745 };
82746
82747 -static struct snd_pcm_ops snd_p16v_capture_ops = {
82748 +static const struct snd_pcm_ops snd_p16v_capture_ops = {
82749 .open = snd_p16v_pcm_open_capture,
82750 .close = snd_p16v_pcm_close_capture,
82751 .ioctl = snd_pcm_lib_ioctl,
82752 diff -urNp linux-2.6.39.3/sound/pci/ens1370.c linux-2.6.39.3/sound/pci/ens1370.c
82753 --- linux-2.6.39.3/sound/pci/ens1370.c 2011-05-19 00:06:34.000000000 -0400
82754 +++ linux-2.6.39.3/sound/pci/ens1370.c 2011-05-22 19:36:35.000000000 -0400
82755 @@ -1225,7 +1225,7 @@ static int snd_ensoniq_capture_close(str
82756 return 0;
82757 }
82758
82759 -static struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82760 +static const struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82761 .open = snd_ensoniq_playback1_open,
82762 .close = snd_ensoniq_playback1_close,
82763 .ioctl = snd_pcm_lib_ioctl,
82764 @@ -1236,7 +1236,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82765 .pointer = snd_ensoniq_playback1_pointer,
82766 };
82767
82768 -static struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82769 +static const struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82770 .open = snd_ensoniq_playback2_open,
82771 .close = snd_ensoniq_playback2_close,
82772 .ioctl = snd_pcm_lib_ioctl,
82773 @@ -1247,7 +1247,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82774 .pointer = snd_ensoniq_playback2_pointer,
82775 };
82776
82777 -static struct snd_pcm_ops snd_ensoniq_capture_ops = {
82778 +static const struct snd_pcm_ops snd_ensoniq_capture_ops = {
82779 .open = snd_ensoniq_capture_open,
82780 .close = snd_ensoniq_capture_close,
82781 .ioctl = snd_pcm_lib_ioctl,
82782 @@ -1633,7 +1633,7 @@ static int __devinit snd_ensoniq_1371_mi
82783 struct snd_ac97_bus *pbus;
82784 struct snd_ac97_template ac97;
82785 int err;
82786 - static struct snd_ac97_bus_ops ops = {
82787 + static const struct snd_ac97_bus_ops ops = {
82788 .write = snd_es1371_codec_write,
82789 .read = snd_es1371_codec_read,
82790 .wait = snd_es1371_codec_wait,
82791 @@ -2096,7 +2096,7 @@ static int __devinit snd_ensoniq_create(
82792 {
82793 struct ensoniq *ensoniq;
82794 int err;
82795 - static struct snd_device_ops ops = {
82796 + static const struct snd_device_ops ops = {
82797 .dev_free = snd_ensoniq_dev_free,
82798 };
82799
82800 @@ -2331,15 +2331,13 @@ static void snd_ensoniq_midi_output_trig
82801 spin_unlock_irqrestore(&ensoniq->reg_lock, flags);
82802 }
82803
82804 -static struct snd_rawmidi_ops snd_ensoniq_midi_output =
82805 -{
82806 +static const struct snd_rawmidi_ops snd_ensoniq_midi_output = {
82807 .open = snd_ensoniq_midi_output_open,
82808 .close = snd_ensoniq_midi_output_close,
82809 .trigger = snd_ensoniq_midi_output_trigger,
82810 };
82811
82812 -static struct snd_rawmidi_ops snd_ensoniq_midi_input =
82813 -{
82814 +static const struct snd_rawmidi_ops snd_ensoniq_midi_input = {
82815 .open = snd_ensoniq_midi_input_open,
82816 .close = snd_ensoniq_midi_input_close,
82817 .trigger = snd_ensoniq_midi_input_trigger,
82818 diff -urNp linux-2.6.39.3/sound/pci/es1938.c linux-2.6.39.3/sound/pci/es1938.c
82819 --- linux-2.6.39.3/sound/pci/es1938.c 2011-05-19 00:06:34.000000000 -0400
82820 +++ linux-2.6.39.3/sound/pci/es1938.c 2011-05-22 19:36:35.000000000 -0400
82821 @@ -1004,7 +1004,7 @@ static int snd_es1938_playback_close(str
82822 return 0;
82823 }
82824
82825 -static struct snd_pcm_ops snd_es1938_playback_ops = {
82826 +static const struct snd_pcm_ops snd_es1938_playback_ops = {
82827 .open = snd_es1938_playback_open,
82828 .close = snd_es1938_playback_close,
82829 .ioctl = snd_pcm_lib_ioctl,
82830 @@ -1015,7 +1015,7 @@ static struct snd_pcm_ops snd_es1938_pla
82831 .pointer = snd_es1938_playback_pointer,
82832 };
82833
82834 -static struct snd_pcm_ops snd_es1938_capture_ops = {
82835 +static const struct snd_pcm_ops snd_es1938_capture_ops = {
82836 .open = snd_es1938_capture_open,
82837 .close = snd_es1938_capture_close,
82838 .ioctl = snd_pcm_lib_ioctl,
82839 @@ -1598,7 +1598,7 @@ static int __devinit snd_es1938_create(s
82840 {
82841 struct es1938 *chip;
82842 int err;
82843 - static struct snd_device_ops ops = {
82844 + static const struct snd_device_ops ops = {
82845 .dev_free = snd_es1938_dev_free,
82846 };
82847
82848 diff -urNp linux-2.6.39.3/sound/pci/es1968.c linux-2.6.39.3/sound/pci/es1968.c
82849 --- linux-2.6.39.3/sound/pci/es1968.c 2011-05-19 00:06:34.000000000 -0400
82850 +++ linux-2.6.39.3/sound/pci/es1968.c 2011-05-22 19:36:35.000000000 -0400
82851 @@ -1682,7 +1682,7 @@ static int snd_es1968_capture_close(stru
82852 return 0;
82853 }
82854
82855 -static struct snd_pcm_ops snd_es1968_playback_ops = {
82856 +static const struct snd_pcm_ops snd_es1968_playback_ops = {
82857 .open = snd_es1968_playback_open,
82858 .close = snd_es1968_playback_close,
82859 .ioctl = snd_pcm_lib_ioctl,
82860 @@ -1693,7 +1693,7 @@ static struct snd_pcm_ops snd_es1968_pla
82861 .pointer = snd_es1968_pcm_pointer,
82862 };
82863
82864 -static struct snd_pcm_ops snd_es1968_capture_ops = {
82865 +static const struct snd_pcm_ops snd_es1968_capture_ops = {
82866 .open = snd_es1968_capture_open,
82867 .close = snd_es1968_capture_close,
82868 .ioctl = snd_pcm_lib_ioctl,
82869 @@ -2053,7 +2053,7 @@ snd_es1968_mixer(struct es1968 *chip)
82870 struct snd_ctl_elem_id elem_id;
82871 #endif
82872 int err;
82873 - static struct snd_ac97_bus_ops ops = {
82874 + static const struct snd_ac97_bus_ops ops = {
82875 .write = snd_es1968_ac97_write,
82876 .read = snd_es1968_ac97_read,
82877 };
82878 @@ -2627,7 +2627,7 @@ static int __devinit snd_es1968_create(s
82879 int do_pm,
82880 struct es1968 **chip_ret)
82881 {
82882 - static struct snd_device_ops ops = {
82883 + static const struct snd_device_ops ops = {
82884 .dev_free = snd_es1968_dev_free,
82885 };
82886 struct es1968 *chip;
82887 diff -urNp linux-2.6.39.3/sound/pci/fm801.c linux-2.6.39.3/sound/pci/fm801.c
82888 --- linux-2.6.39.3/sound/pci/fm801.c 2011-05-19 00:06:34.000000000 -0400
82889 +++ linux-2.6.39.3/sound/pci/fm801.c 2011-05-22 19:36:35.000000000 -0400
82890 @@ -662,7 +662,7 @@ static int snd_fm801_capture_close(struc
82891 return 0;
82892 }
82893
82894 -static struct snd_pcm_ops snd_fm801_playback_ops = {
82895 +static const struct snd_pcm_ops snd_fm801_playback_ops = {
82896 .open = snd_fm801_playback_open,
82897 .close = snd_fm801_playback_close,
82898 .ioctl = snd_pcm_lib_ioctl,
82899 @@ -673,7 +673,7 @@ static struct snd_pcm_ops snd_fm801_play
82900 .pointer = snd_fm801_playback_pointer,
82901 };
82902
82903 -static struct snd_pcm_ops snd_fm801_capture_ops = {
82904 +static const struct snd_pcm_ops snd_fm801_capture_ops = {
82905 .open = snd_fm801_capture_open,
82906 .close = snd_fm801_capture_close,
82907 .ioctl = snd_pcm_lib_ioctl,
82908 @@ -1236,7 +1236,7 @@ static int __devinit snd_fm801_mixer(str
82909 struct snd_ac97_template ac97;
82910 unsigned int i;
82911 int err;
82912 - static struct snd_ac97_bus_ops ops = {
82913 + static const struct snd_ac97_bus_ops ops = {
82914 .write = snd_fm801_codec_write,
82915 .read = snd_fm801_codec_read,
82916 };
82917 @@ -1396,7 +1396,7 @@ static int __devinit snd_fm801_create(st
82918 {
82919 struct fm801 *chip;
82920 int err;
82921 - static struct snd_device_ops ops = {
82922 + static const struct snd_device_ops ops = {
82923 .dev_free = snd_fm801_dev_free,
82924 };
82925
82926 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_generic.c linux-2.6.39.3/sound/pci/hda/hda_generic.c
82927 --- linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-19 00:06:34.000000000 -0400
82928 +++ linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-22 19:36:35.000000000 -0400
82929 @@ -1038,7 +1038,7 @@ static int generic_check_power_status(st
82930
82931 /*
82932 */
82933 -static struct hda_codec_ops generic_patch_ops = {
82934 +static const struct hda_codec_ops generic_patch_ops = {
82935 .build_controls = build_generic_controls,
82936 .build_pcms = build_generic_pcms,
82937 .free = snd_hda_generic_free,
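Review bot: `const` on `generic_patch_ops` protects only this template, not necessarily the table the driver dispatches through. If the codec stores its ops by value (an assignment such as `codec->patch_ops = generic_patch_ops;` would be outside the hunk, so confirm), the live function pointers sit in the writable codec object and the read-only placement does not cover them. The same question applies to the other `hda_codec_ops` tables changed below in patch_ca0110.c, patch_cirrus.c, patch_cmedia.c, patch_conexant.c, patch_hdmi.c, patch_realtek.c, patch_si3054.c, patch_sigmatel.c and patch_via.c. If the copy is by value, I would say so above each table, e.g. `/* template only: copied into codec->patch_ops, which stays writable */`.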
82938 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_intel.c linux-2.6.39.3/sound/pci/hda/hda_intel.c
82939 --- linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:04:14.000000000 -0400
82940 +++ linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:32:08.000000000 -0400
82941 @@ -2459,7 +2459,7 @@ static int __devinit azx_create(struct s
82942 struct azx *chip;
82943 int i, err;
82944 unsigned short gcap;
82945 - static struct snd_device_ops ops = {
82946 + static const struct snd_device_ops ops = {
82947 .dev_free = azx_dev_free,
82948 };
82949
82950 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_ca0110.c linux-2.6.39.3/sound/pci/hda/patch_ca0110.c
82951 --- linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-19 00:06:34.000000000 -0400
82952 +++ linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-22 19:36:35.000000000 -0400
82953 @@ -389,7 +389,7 @@ static void ca0110_free(struct hda_codec
82954 kfree(codec->spec);
82955 }
82956
82957 -static struct hda_codec_ops ca0110_patch_ops = {
82958 +static const struct hda_codec_ops ca0110_patch_ops = {
82959 .build_controls = ca0110_build_controls,
82960 .build_pcms = ca0110_build_pcms,
82961 .init = ca0110_init,
82962 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cirrus.c linux-2.6.39.3/sound/pci/hda/patch_cirrus.c
82963 --- linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-19 00:06:34.000000000 -0400
82964 +++ linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-22 19:36:35.000000000 -0400
82965 @@ -1126,7 +1126,7 @@ static void cs_unsol_event(struct hda_co
82966 }
82967 }
82968
82969 -static struct hda_codec_ops cs_patch_ops = {
82970 +static const struct hda_codec_ops cs_patch_ops = {
82971 .build_controls = cs_build_controls,
82972 .build_pcms = cs_build_pcms,
82973 .init = cs_init,
82974 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cmedia.c linux-2.6.39.3/sound/pci/hda/patch_cmedia.c
82975 --- linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-19 00:06:34.000000000 -0400
82976 +++ linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-22 19:36:35.000000000 -0400
82977 @@ -624,7 +624,7 @@ static struct snd_pci_quirk cmi9880_cfg_
82978 {} /* terminator */
82979 };
82980
82981 -static struct hda_codec_ops cmi9880_patch_ops = {
82982 +static const struct hda_codec_ops cmi9880_patch_ops = {
82983 .build_controls = cmi9880_build_controls,
82984 .build_pcms = cmi9880_build_pcms,
82985 .init = cmi9880_init,
82986 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_conexant.c linux-2.6.39.3/sound/pci/hda/patch_conexant.c
82987 --- linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:18:51.000000000 -0400
82988 +++ linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:19:27.000000000 -0400
82989 @@ -546,7 +546,7 @@ static int conexant_suspend(struct hda_c
82990 }
82991 #endif
82992
82993 -static struct hda_codec_ops conexant_patch_ops = {
82994 +static const struct hda_codec_ops conexant_patch_ops = {
82995 .build_controls = conexant_build_controls,
82996 .build_pcms = conexant_build_pcms,
82997 .init = conexant_init,
82998 @@ -3792,7 +3792,7 @@ static int cx_auto_build_controls(struct
82999 return conexant_build_controls(codec);
83000 }
83001
83002 -static struct hda_codec_ops cx_auto_patch_ops = {
83003 +static const struct hda_codec_ops cx_auto_patch_ops = {
83004 .build_controls = cx_auto_build_controls,
83005 .build_pcms = conexant_build_pcms,
83006 .init = cx_auto_init,
83007 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_hdmi.c linux-2.6.39.3/sound/pci/hda/patch_hdmi.c
83008 --- linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-19 00:06:34.000000000 -0400
83009 +++ linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-22 19:36:35.000000000 -0400
83010 @@ -1124,7 +1124,7 @@ static void generic_hdmi_free(struct hda
83011 kfree(spec);
83012 }
83013
83014 -static struct hda_codec_ops generic_hdmi_patch_ops = {
83015 +static const struct hda_codec_ops generic_hdmi_patch_ops = {
83016 .init = generic_hdmi_init,
83017 .free = generic_hdmi_free,
83018 .build_pcms = generic_hdmi_build_pcms,
83019 @@ -1465,14 +1465,14 @@ static struct hda_pcm_stream nvhdmi_pcm_
83020 },
83021 };
83022
83023 -static struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
83024 +static const struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
83025 .build_controls = generic_hdmi_build_controls,
83026 .build_pcms = generic_hdmi_build_pcms,
83027 .init = nvhdmi_7x_init,
83028 .free = generic_hdmi_free,
83029 };
83030
83031 -static struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83032 +static const struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83033 .build_controls = generic_hdmi_build_controls,
83034 .build_pcms = generic_hdmi_build_pcms,
83035 .init = nvhdmi_7x_init,
83036 @@ -1599,7 +1599,7 @@ static int atihdmi_init(struct hda_codec
83037 return 0;
83038 }
83039
83040 -static struct hda_codec_ops atihdmi_patch_ops = {
83041 +static const struct hda_codec_ops atihdmi_patch_ops = {
83042 .build_controls = generic_hdmi_build_controls,
83043 .build_pcms = generic_hdmi_build_pcms,
83044 .init = atihdmi_init,
83045 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_realtek.c linux-2.6.39.3/sound/pci/hda/patch_realtek.c
83046 --- linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:18:51.000000000 -0400
83047 +++ linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:19:27.000000000 -0400
83048 @@ -4273,7 +4273,7 @@ static int alc_resume(struct hda_codec *
83049
83050 /*
83051 */
83052 -static struct hda_codec_ops alc_patch_ops = {
83053 +static const struct hda_codec_ops alc_patch_ops = {
83054 .build_controls = alc_build_controls,
83055 .build_pcms = alc_build_pcms,
83056 .init = alc_init,
83057 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_si3054.c linux-2.6.39.3/sound/pci/hda/patch_si3054.c
83058 --- linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-19 00:06:34.000000000 -0400
83059 +++ linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-22 19:36:35.000000000 -0400
83060 @@ -263,7 +263,7 @@ static void si3054_free(struct hda_codec
83061 /*
83062 */
83063
83064 -static struct hda_codec_ops si3054_patch_ops = {
83065 +static const struct hda_codec_ops si3054_patch_ops = {
83066 .build_controls = si3054_build_controls,
83067 .build_pcms = si3054_build_pcms,
83068 .init = si3054_init,
83069 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c
83070 --- linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:04:14.000000000 -0400
83071 +++ linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:32:08.000000000 -0400
83072 @@ -4968,7 +4968,7 @@ static int stac92xx_suspend(struct hda_c
83073 }
83074 #endif
83075
83076 -static struct hda_codec_ops stac92xx_patch_ops = {
83077 +static const struct hda_codec_ops stac92xx_patch_ops = {
83078 .build_controls = stac92xx_build_controls,
83079 .build_pcms = stac92xx_build_pcms,
83080 .init = stac92xx_init,
83081 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_via.c linux-2.6.39.3/sound/pci/hda/patch_via.c
83082 --- linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-19 00:06:34.000000000 -0400
83083 +++ linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-22 19:36:35.000000000 -0400
83084 @@ -2254,7 +2254,7 @@ static int via_check_power_status(struct
83085
83086 /*
83087 */
83088 -static struct hda_codec_ops via_patch_ops = {
83089 +static const struct hda_codec_ops via_patch_ops = {
83090 .build_controls = via_build_controls,
83091 .build_pcms = via_build_pcms,
83092 .init = via_init,
83093 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1712.c linux-2.6.39.3/sound/pci/ice1712/ice1712.c
83094 --- linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-19 00:06:34.000000000 -0400
83095 +++ linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-22 19:36:35.000000000 -0400
83096 @@ -2541,7 +2541,7 @@ static int __devinit snd_ice1712_create(
83097 {
83098 struct snd_ice1712 *ice;
83099 int err;
83100 - static struct snd_device_ops ops = {
83101 + static const struct snd_device_ops ops = {
83102 .dev_free = snd_ice1712_dev_free,
83103 };
83104
83105 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1724.c linux-2.6.39.3/sound/pci/ice1712/ice1724.c
83106 --- linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-19 00:06:34.000000000 -0400
83107 +++ linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-22 19:36:35.000000000 -0400
83108 @@ -367,7 +367,7 @@ static void vt1724_midi_output_drain(str
83109 } while (time_after(timeout, jiffies));
83110 }
83111
83112 -static struct snd_rawmidi_ops vt1724_midi_output_ops = {
83113 +static const struct snd_rawmidi_ops vt1724_midi_output_ops = {
83114 .open = vt1724_midi_output_open,
83115 .close = vt1724_midi_output_close,
83116 .trigger = vt1724_midi_output_trigger,
83117 @@ -402,7 +402,7 @@ static void vt1724_midi_input_trigger(st
83118 spin_unlock_irqrestore(&ice->reg_lock, flags);
83119 }
83120
83121 -static struct snd_rawmidi_ops vt1724_midi_input_ops = {
83122 +static const struct snd_rawmidi_ops vt1724_midi_input_ops = {
83123 .open = vt1724_midi_input_open,
83124 .close = vt1724_midi_input_close,
83125 .trigger = vt1724_midi_input_trigger,
83126 @@ -2463,7 +2463,7 @@ static int __devinit snd_vt1724_create(s
83127 {
83128 struct snd_ice1712 *ice;
83129 int err;
83130 - static struct snd_device_ops ops = {
83131 + static const struct snd_device_ops ops = {
83132 .dev_free = snd_vt1724_dev_free,
83133 };
83134
83135 diff -urNp linux-2.6.39.3/sound/pci/intel8x0.c linux-2.6.39.3/sound/pci/intel8x0.c
83136 --- linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-19 00:06:34.000000000 -0400
83137 +++ linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-22 19:36:35.000000000 -0400
83138 @@ -2152,12 +2152,12 @@ static int __devinit snd_intel8x0_mixer(
83139 int err;
83140 unsigned int i, codecs;
83141 unsigned int glob_sta = 0;
83142 - struct snd_ac97_bus_ops *ops;
83143 - static struct snd_ac97_bus_ops standard_bus_ops = {
83144 + const struct snd_ac97_bus_ops *ops;
83145 + static const struct snd_ac97_bus_ops standard_bus_ops = {
83146 .write = snd_intel8x0_codec_write,
83147 .read = snd_intel8x0_codec_read,
83148 };
83149 - static struct snd_ac97_bus_ops ali_bus_ops = {
83150 + static const struct snd_ac97_bus_ops ali_bus_ops = {
83151 .write = snd_intel8x0_ali_codec_write,
83152 .read = snd_intel8x0_ali_codec_read,
83153 };
83154 @@ -2921,7 +2921,7 @@ static int __devinit snd_intel8x0_create
83155 unsigned int i;
83156 unsigned int int_sta_masks;
83157 struct ichdev *ichdev;
83158 - static struct snd_device_ops ops = {
83159 + static const struct snd_device_ops ops = {
83160 .dev_free = snd_intel8x0_dev_free,
83161 };
83162
83163 diff -urNp linux-2.6.39.3/sound/pci/intel8x0m.c linux-2.6.39.3/sound/pci/intel8x0m.c
83164 --- linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-19 00:06:34.000000000 -0400
83165 +++ linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-22 19:36:35.000000000 -0400
83166 @@ -826,7 +826,7 @@ static int __devinit snd_intel8x0m_mixer
83167 struct snd_ac97 *x97;
83168 int err;
83169 unsigned int glob_sta = 0;
83170 - static struct snd_ac97_bus_ops ops = {
83171 + static const struct snd_ac97_bus_ops ops = {
83172 .write = snd_intel8x0m_codec_write,
83173 .read = snd_intel8x0m_codec_read,
83174 };
83175 @@ -1116,7 +1116,7 @@ static int __devinit snd_intel8x0m_creat
83176 unsigned int i;
83177 unsigned int int_sta_masks;
83178 struct ichdev *ichdev;
83179 - static struct snd_device_ops ops = {
83180 + static const struct snd_device_ops ops = {
83181 .dev_free = snd_intel8x0m_dev_free,
83182 };
83183 static struct ich_reg_info intel_regs[2] = {
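Review bot: The next declaration in `snd_intel8x0m_create()`, `static struct ich_reg_info intel_regs[2]`, stays writable while the `ops` table just above it becomes `const`. Its initializer and uses are outside the hunk, so I cannot tell whether it is written at run time. If it is only read, `static const struct ich_reg_info intel_regs[2] = {` would be consistent with the rest of the change, though any pointer that receives the table would need the qualifier too. If it must stay writable, a one-line comment saying why would help the next reader.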
83184 @@ -1265,7 +1265,7 @@ static struct shortname_table {
83185 { 0x5455, "ALi M5455" },
83186 { 0x746d, "AMD AMD8111" },
83187 #endif
83188 - { 0 },
83189 + { 0, },
83190 };
83191
83192 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
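Review bot: The sentinel change from `{ 0 },` to `{ 0, },` in `shortname_table` initialises the entry to the same value, so it reads as noise in a patch that is otherwise about read-only ops tables. If it is there to quiet a specific compiler or checker diagnostic, name it in a comment on the line, e.g. `{ 0, }, /* terminator */`. Otherwise I would drop it to keep the diff against upstream small. Note also that the table itself is still declared without `const`; its declaration starts outside this hunk.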
83193 diff -urNp linux-2.6.39.3/sound/pci/korg1212/korg1212.c linux-2.6.39.3/sound/pci/korg1212/korg1212.c
83194 --- linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-19 00:06:34.000000000 -0400
83195 +++ linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-22 19:36:35.000000000 -0400
83196 @@ -1682,7 +1682,7 @@ static int snd_korg1212_capture_copy(str
83197 return snd_korg1212_copy_to(korg1212, dst, pos, count, 0, korg1212->channels * 2);
83198 }
83199
83200 -static struct snd_pcm_ops snd_korg1212_playback_ops = {
83201 +static const struct snd_pcm_ops snd_korg1212_playback_ops = {
83202 .open = snd_korg1212_playback_open,
83203 .close = snd_korg1212_playback_close,
83204 .ioctl = snd_korg1212_ioctl,
83205 @@ -1694,7 +1694,7 @@ static struct snd_pcm_ops snd_korg1212_p
83206 .silence = snd_korg1212_playback_silence,
83207 };
83208
83209 -static struct snd_pcm_ops snd_korg1212_capture_ops = {
83210 +static const struct snd_pcm_ops snd_korg1212_capture_ops = {
83211 .open = snd_korg1212_capture_open,
83212 .close = snd_korg1212_capture_close,
83213 .ioctl = snd_korg1212_ioctl,
83214 @@ -2164,7 +2164,7 @@ static int __devinit snd_korg1212_create
83215 struct snd_korg1212 * korg1212;
83216 const struct firmware *dsp_code;
83217
83218 - static struct snd_device_ops ops = {
83219 + static const struct snd_device_ops ops = {
83220 .dev_free = snd_korg1212_dev_free,
83221 };
83222
83223 diff -urNp linux-2.6.39.3/sound/pci/maestro3.c linux-2.6.39.3/sound/pci/maestro3.c
83224 --- linux-2.6.39.3/sound/pci/maestro3.c 2011-05-19 00:06:34.000000000 -0400
83225 +++ linux-2.6.39.3/sound/pci/maestro3.c 2011-05-22 19:36:35.000000000 -0400
83226 @@ -1926,7 +1926,7 @@ snd_m3_capture_close(struct snd_pcm_subs
83227 * create pcm instance
83228 */
83229
83230 -static struct snd_pcm_ops snd_m3_playback_ops = {
83231 +static const struct snd_pcm_ops snd_m3_playback_ops = {
83232 .open = snd_m3_playback_open,
83233 .close = snd_m3_playback_close,
83234 .ioctl = snd_pcm_lib_ioctl,
83235 @@ -1937,7 +1937,7 @@ static struct snd_pcm_ops snd_m3_playbac
83236 .pointer = snd_m3_pcm_pointer,
83237 };
83238
83239 -static struct snd_pcm_ops snd_m3_capture_ops = {
83240 +static const struct snd_pcm_ops snd_m3_capture_ops = {
83241 .open = snd_m3_capture_open,
83242 .close = snd_m3_capture_close,
83243 .ioctl = snd_pcm_lib_ioctl,
83244 @@ -2150,7 +2150,7 @@ static int __devinit snd_m3_mixer(struct
83245 struct snd_ctl_elem_id elem_id;
83246 #endif
83247 int err;
83248 - static struct snd_ac97_bus_ops ops = {
83249 + static const struct snd_ac97_bus_ops ops = {
83250 .write = snd_m3_ac97_write,
83251 .read = snd_m3_ac97_read,
83252 };
83253 @@ -2643,7 +2643,7 @@ snd_m3_create(struct snd_card *card, str
83254 struct snd_m3 *chip;
83255 int i, err;
83256 const struct snd_pci_quirk *quirk;
83257 - static struct snd_device_ops ops = {
83258 + static const struct snd_device_ops ops = {
83259 .dev_free = snd_m3_dev_free,
83260 };
83261
83262 diff -urNp linux-2.6.39.3/sound/pci/mixart/mixart.c linux-2.6.39.3/sound/pci/mixart/mixart.c
83263 --- linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-19 00:06:34.000000000 -0400
83264 +++ linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-22 19:36:35.000000000 -0400
83265 @@ -887,7 +887,7 @@ static snd_pcm_uframes_t snd_mixart_stre
83266
83267
83268
83269 -static struct snd_pcm_ops snd_mixart_playback_ops = {
83270 +static const struct snd_pcm_ops snd_mixart_playback_ops = {
83271 .open = snd_mixart_playback_open,
83272 .close = snd_mixart_close,
83273 .ioctl = snd_pcm_lib_ioctl,
83274 @@ -898,7 +898,7 @@ static struct snd_pcm_ops snd_mixart_pla
83275 .pointer = snd_mixart_stream_pointer,
83276 };
83277
83278 -static struct snd_pcm_ops snd_mixart_capture_ops = {
83279 +static const struct snd_pcm_ops snd_mixart_capture_ops = {
83280 .open = snd_mixart_capture_open,
83281 .close = snd_mixart_close,
83282 .ioctl = snd_pcm_lib_ioctl,
83283 @@ -1008,7 +1008,7 @@ static int __devinit snd_mixart_create(s
83284 {
83285 int err;
83286 struct snd_mixart *chip;
83287 - static struct snd_device_ops ops = {
83288 + static const struct snd_device_ops ops = {
83289 .dev_free = snd_mixart_chip_dev_free,
83290 };
83291
83292 diff -urNp linux-2.6.39.3/sound/pci/nm256/nm256.c linux-2.6.39.3/sound/pci/nm256/nm256.c
83293 --- linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-19 00:06:34.000000000 -0400
83294 +++ linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-22 19:36:35.000000000 -0400
83295 @@ -899,7 +899,7 @@ snd_nm256_capture_close(struct snd_pcm_s
83296 /*
83297 * create a pcm instance
83298 */
83299 -static struct snd_pcm_ops snd_nm256_playback_ops = {
83300 +static const struct snd_pcm_ops snd_nm256_playback_ops = {
83301 .open = snd_nm256_playback_open,
83302 .close = snd_nm256_playback_close,
83303 .ioctl = snd_pcm_lib_ioctl,
83304 @@ -914,7 +914,7 @@ static struct snd_pcm_ops snd_nm256_play
83305 .mmap = snd_pcm_lib_mmap_iomem,
83306 };
83307
83308 -static struct snd_pcm_ops snd_nm256_capture_ops = {
83309 +static const struct snd_pcm_ops snd_nm256_capture_ops = {
83310 .open = snd_nm256_capture_open,
83311 .close = snd_nm256_capture_close,
83312 .ioctl = snd_pcm_lib_ioctl,
83313 @@ -1301,7 +1301,7 @@ snd_nm256_mixer(struct nm256 *chip)
83314 struct snd_ac97_bus *pbus;
83315 struct snd_ac97_template ac97;
83316 int err;
83317 - static struct snd_ac97_bus_ops ops = {
83318 + static const struct snd_ac97_bus_ops ops = {
83319 .reset = snd_nm256_ac97_reset,
83320 .write = snd_nm256_ac97_write,
83321 .read = snd_nm256_ac97_read,
83322 @@ -1471,7 +1471,7 @@ snd_nm256_create(struct snd_card *card,
83323 {
83324 struct nm256 *chip;
83325 int err, pval;
83326 - static struct snd_device_ops ops = {
83327 + static const struct snd_device_ops ops = {
83328 .dev_free = snd_nm256_dev_free,
83329 };
83330 u32 addr;
83331 diff -urNp linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c
83332 --- linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-19 00:06:34.000000000 -0400
83333 +++ linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-22 19:36:35.000000000 -0400
83334 @@ -606,7 +606,7 @@ static snd_pcm_uframes_t oxygen_pointer(
83335 return bytes_to_frames(runtime, curr_addr - (u32)runtime->dma_addr);
83336 }
83337
83338 -static struct snd_pcm_ops oxygen_rec_a_ops = {
83339 +static const struct snd_pcm_ops oxygen_rec_a_ops = {
83340 .open = oxygen_rec_a_open,
83341 .close = oxygen_close,
83342 .ioctl = snd_pcm_lib_ioctl,
83343 @@ -617,7 +617,7 @@ static struct snd_pcm_ops oxygen_rec_a_o
83344 .pointer = oxygen_pointer,
83345 };
83346
83347 -static struct snd_pcm_ops oxygen_rec_b_ops = {
83348 +static const struct snd_pcm_ops oxygen_rec_b_ops = {
83349 .open = oxygen_rec_b_open,
83350 .close = oxygen_close,
83351 .ioctl = snd_pcm_lib_ioctl,
83352 @@ -628,7 +628,7 @@ static struct snd_pcm_ops oxygen_rec_b_o
83353 .pointer = oxygen_pointer,
83354 };
83355
83356 -static struct snd_pcm_ops oxygen_rec_c_ops = {
83357 +static const struct snd_pcm_ops oxygen_rec_c_ops = {
83358 .open = oxygen_rec_c_open,
83359 .close = oxygen_close,
83360 .ioctl = snd_pcm_lib_ioctl,
83361 @@ -639,7 +639,7 @@ static struct snd_pcm_ops oxygen_rec_c_o
83362 .pointer = oxygen_pointer,
83363 };
83364
83365 -static struct snd_pcm_ops oxygen_spdif_ops = {
83366 +static const struct snd_pcm_ops oxygen_spdif_ops = {
83367 .open = oxygen_spdif_open,
83368 .close = oxygen_close,
83369 .ioctl = snd_pcm_lib_ioctl,
83370 @@ -650,7 +650,7 @@ static struct snd_pcm_ops oxygen_spdif_o
83371 .pointer = oxygen_pointer,
83372 };
83373
83374 -static struct snd_pcm_ops oxygen_multich_ops = {
83375 +static const struct snd_pcm_ops oxygen_multich_ops = {
83376 .open = oxygen_multich_open,
83377 .close = oxygen_close,
83378 .ioctl = snd_pcm_lib_ioctl,
83379 @@ -661,7 +661,7 @@ static struct snd_pcm_ops oxygen_multich
83380 .pointer = oxygen_pointer,
83381 };
83382
83383 -static struct snd_pcm_ops oxygen_ac97_ops = {
83384 +static const struct snd_pcm_ops oxygen_ac97_ops = {
83385 .open = oxygen_ac97_open,
83386 .close = oxygen_close,
83387 .ioctl = snd_pcm_lib_ioctl,
83388 diff -urNp linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c
83389 --- linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-19 00:06:34.000000000 -0400
83390 +++ linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-22 19:36:35.000000000 -0400
83391 @@ -1121,7 +1121,7 @@ static snd_pcm_uframes_t pcxhr_stream_po
83392 }
83393
83394
83395 -static struct snd_pcm_ops pcxhr_ops = {
83396 +static const struct snd_pcm_ops pcxhr_ops = {
83397 .open = pcxhr_open,
83398 .close = pcxhr_close,
83399 .ioctl = snd_pcm_lib_ioctl,
83400 @@ -1184,7 +1184,7 @@ static int __devinit pcxhr_create(struct
83401 {
83402 int err;
83403 struct snd_pcxhr *chip;
83404 - static struct snd_device_ops ops = {
83405 + static const struct snd_device_ops ops = {
83406 .dev_free = pcxhr_chip_dev_free,
83407 };
83408
83409 diff -urNp linux-2.6.39.3/sound/pci/riptide/riptide.c linux-2.6.39.3/sound/pci/riptide/riptide.c
83410 --- linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-19 00:06:34.000000000 -0400
83411 +++ linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-22 19:36:35.000000000 -0400
83412 @@ -1675,7 +1675,7 @@ static int snd_riptide_capture_close(str
83413 return 0;
83414 }
83415
83416 -static struct snd_pcm_ops snd_riptide_playback_ops = {
83417 +static const struct snd_pcm_ops snd_riptide_playback_ops = {
83418 .open = snd_riptide_playback_open,
83419 .close = snd_riptide_playback_close,
83420 .ioctl = snd_pcm_lib_ioctl,
83421 @@ -1686,7 +1686,7 @@ static struct snd_pcm_ops snd_riptide_pl
83422 .trigger = snd_riptide_trigger,
83423 .pointer = snd_riptide_pointer,
83424 };
83425 -static struct snd_pcm_ops snd_riptide_capture_ops = {
83426 +static const struct snd_pcm_ops snd_riptide_capture_ops = {
83427 .open = snd_riptide_capture_open,
83428 .close = snd_riptide_capture_close,
83429 .ioctl = snd_pcm_lib_ioctl,
83430 @@ -1857,7 +1857,7 @@ snd_riptide_create(struct snd_card *card
83431 struct snd_riptide *chip;
83432 struct riptideport *hwport;
83433 int err;
83434 - static struct snd_device_ops ops = {
83435 + static const struct snd_device_ops ops = {
83436 .dev_free = snd_riptide_dev_free,
83437 };
83438
83439 @@ -1999,7 +1999,7 @@ static int __devinit snd_riptide_mixer(s
83440 struct snd_ac97_bus *pbus;
83441 struct snd_ac97_template ac97;
83442 int err = 0;
83443 - static struct snd_ac97_bus_ops ops = {
83444 + static const struct snd_ac97_bus_ops ops = {
83445 .write = snd_riptide_codec_write,
83446 .read = snd_riptide_codec_read,
83447 };
83448 diff -urNp linux-2.6.39.3/sound/pci/rme32.c linux-2.6.39.3/sound/pci/rme32.c
83449 --- linux-2.6.39.3/sound/pci/rme32.c 2011-05-19 00:06:34.000000000 -0400
83450 +++ linux-2.6.39.3/sound/pci/rme32.c 2011-05-22 19:36:35.000000000 -0400
83451 @@ -1197,7 +1197,7 @@ snd_rme32_capture_fd_pointer(struct snd_
83452 }
83453
83454 /* for halfduplex mode */
83455 -static struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83456 +static const struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83457 .open = snd_rme32_playback_spdif_open,
83458 .close = snd_rme32_playback_close,
83459 .ioctl = snd_pcm_lib_ioctl,
83460 @@ -1211,7 +1211,7 @@ static struct snd_pcm_ops snd_rme32_play
83461 .mmap = snd_pcm_lib_mmap_iomem,
83462 };
83463
83464 -static struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83465 +static const struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83466 .open = snd_rme32_capture_spdif_open,
83467 .close = snd_rme32_capture_close,
83468 .ioctl = snd_pcm_lib_ioctl,
83469 @@ -1224,7 +1224,7 @@ static struct snd_pcm_ops snd_rme32_capt
83470 .mmap = snd_pcm_lib_mmap_iomem,
83471 };
83472
83473 -static struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83474 +static const struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83475 .open = snd_rme32_playback_adat_open,
83476 .close = snd_rme32_playback_close,
83477 .ioctl = snd_pcm_lib_ioctl,
83478 @@ -1237,7 +1237,7 @@ static struct snd_pcm_ops snd_rme32_play
83479 .mmap = snd_pcm_lib_mmap_iomem,
83480 };
83481
83482 -static struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83483 +static const struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83484 .open = snd_rme32_capture_adat_open,
83485 .close = snd_rme32_capture_close,
83486 .ioctl = snd_pcm_lib_ioctl,
83487 @@ -1250,7 +1250,7 @@ static struct snd_pcm_ops snd_rme32_capt
83488 };
83489
83490 /* for fullduplex mode */
83491 -static struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83492 +static const struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83493 .open = snd_rme32_playback_spdif_open,
83494 .close = snd_rme32_playback_close,
83495 .ioctl = snd_pcm_lib_ioctl,
83496 @@ -1262,7 +1262,7 @@ static struct snd_pcm_ops snd_rme32_play
83497 .ack = snd_rme32_playback_fd_ack,
83498 };
83499
83500 -static struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83501 +static const struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83502 .open = snd_rme32_capture_spdif_open,
83503 .close = snd_rme32_capture_close,
83504 .ioctl = snd_pcm_lib_ioctl,
83505 @@ -1274,7 +1274,7 @@ static struct snd_pcm_ops snd_rme32_capt
83506 .ack = snd_rme32_capture_fd_ack,
83507 };
83508
83509 -static struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83510 +static const struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83511 .open = snd_rme32_playback_adat_open,
83512 .close = snd_rme32_playback_close,
83513 .ioctl = snd_pcm_lib_ioctl,
83514 @@ -1285,7 +1285,7 @@ static struct snd_pcm_ops snd_rme32_play
83515 .ack = snd_rme32_playback_fd_ack,
83516 };
83517
83518 -static struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83519 +static const struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83520 .open = snd_rme32_capture_adat_open,
83521 .close = snd_rme32_capture_close,
83522 .ioctl = snd_pcm_lib_ioctl,
83523 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdsp.c linux-2.6.39.3/sound/pci/rme9652/hdsp.c
83524 --- linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-19 00:06:34.000000000 -0400
83525 +++ linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-22 19:36:35.000000000 -0400
83526 @@ -1469,15 +1469,13 @@ static int snd_hdsp_midi_output_close(st
83527 return 0;
83528 }
83529
83530 -static struct snd_rawmidi_ops snd_hdsp_midi_output =
83531 -{
83532 +static const struct snd_rawmidi_ops snd_hdsp_midi_output = {
83533 .open = snd_hdsp_midi_output_open,
83534 .close = snd_hdsp_midi_output_close,
83535 .trigger = snd_hdsp_midi_output_trigger,
83536 };
83537
83538 -static struct snd_rawmidi_ops snd_hdsp_midi_input =
83539 -{
83540 +static const struct snd_rawmidi_ops snd_hdsp_midi_input = {
83541 .open = snd_hdsp_midi_input_open,
83542 .close = snd_hdsp_midi_input_close,
83543 .trigger = snd_hdsp_midi_input_trigger,
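Review bot: The brace move in `snd_hdsp_midi_output` and `snd_hdsp_midi_input` (the `{` on its own line folded into `= {`) is a formatting change riding along with the constification. It makes the hunk larger than the qualifier change needs and adds rebase conflicts against upstream for no hardening gain. Keeping the original layout, `static const struct snd_rawmidi_ops snd_hdsp_midi_output =` followed by `{`, would confine the hunk to the one word that matters. The first hdspm.c hunk does the same to `snd_hdspm_midi_output` and `snd_hdspm_midi_input`.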
83544 @@ -5135,7 +5133,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
83545 return 0;
83546 }
83547
83548 -static struct snd_pcm_ops snd_hdsp_playback_ops = {
83549 +static const struct snd_pcm_ops snd_hdsp_playback_ops = {
83550 .open = snd_hdsp_playback_open,
83551 .close = snd_hdsp_playback_release,
83552 .ioctl = snd_hdsp_ioctl,
83553 @@ -5147,7 +5145,7 @@ static struct snd_pcm_ops snd_hdsp_playb
83554 .silence = snd_hdsp_hw_silence,
83555 };
83556
83557 -static struct snd_pcm_ops snd_hdsp_capture_ops = {
83558 +static const struct snd_pcm_ops snd_hdsp_capture_ops = {
83559 .open = snd_hdsp_capture_open,
83560 .close = snd_hdsp_capture_release,
83561 .ioctl = snd_hdsp_ioctl,
83562 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdspm.c linux-2.6.39.3/sound/pci/rme9652/hdspm.c
83563 --- linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-19 00:06:34.000000000 -0400
83564 +++ linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-22 19:36:35.000000000 -0400
83565 @@ -1773,15 +1773,13 @@ static int snd_hdspm_midi_output_close(s
83566 return 0;
83567 }
83568
83569 -static struct snd_rawmidi_ops snd_hdspm_midi_output =
83570 -{
83571 +static const struct snd_rawmidi_ops snd_hdspm_midi_output = {
83572 .open = snd_hdspm_midi_output_open,
83573 .close = snd_hdspm_midi_output_close,
83574 .trigger = snd_hdspm_midi_output_trigger,
83575 };
83576
83577 -static struct snd_rawmidi_ops snd_hdspm_midi_input =
83578 -{
83579 +static const struct snd_rawmidi_ops snd_hdspm_midi_input = {
83580 .open = snd_hdspm_midi_input_open,
83581 .close = snd_hdspm_midi_input_close,
83582 .trigger = snd_hdspm_midi_input_trigger,
83583 @@ -6172,7 +6170,7 @@ static int snd_hdspm_hwdep_ioctl(struct
83584 return 0;
83585 }
83586
83587 -static struct snd_pcm_ops snd_hdspm_playback_ops = {
83588 +static const struct snd_pcm_ops snd_hdspm_playback_ops = {
83589 .open = snd_hdspm_playback_open,
83590 .close = snd_hdspm_playback_release,
83591 .ioctl = snd_hdspm_ioctl,
83592 @@ -6184,7 +6182,7 @@ static struct snd_pcm_ops snd_hdspm_play
83593 .page = snd_pcm_sgbuf_ops_page,
83594 };
83595
83596 -static struct snd_pcm_ops snd_hdspm_capture_ops = {
83597 +static const struct snd_pcm_ops snd_hdspm_capture_ops = {
83598 .open = snd_hdspm_capture_open,
83599 .close = snd_hdspm_capture_release,
83600 .ioctl = snd_hdspm_ioctl,
83601 diff -urNp linux-2.6.39.3/sound/pci/rme9652/rme9652.c linux-2.6.39.3/sound/pci/rme9652/rme9652.c
83602 --- linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-19 00:06:34.000000000 -0400
83603 +++ linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-22 19:36:35.000000000 -0400
83604 @@ -2391,7 +2391,7 @@ static int snd_rme9652_capture_release(s
83605 return 0;
83606 }
83607
83608 -static struct snd_pcm_ops snd_rme9652_playback_ops = {
83609 +static const struct snd_pcm_ops snd_rme9652_playback_ops = {
83610 .open = snd_rme9652_playback_open,
83611 .close = snd_rme9652_playback_release,
83612 .ioctl = snd_rme9652_ioctl,
83613 @@ -2403,7 +2403,7 @@ static struct snd_pcm_ops snd_rme9652_pl
83614 .silence = snd_rme9652_hw_silence,
83615 };
83616
83617 -static struct snd_pcm_ops snd_rme9652_capture_ops = {
83618 +static const struct snd_pcm_ops snd_rme9652_capture_ops = {
83619 .open = snd_rme9652_capture_open,
83620 .close = snd_rme9652_capture_release,
83621 .ioctl = snd_rme9652_ioctl,
83622 diff -urNp linux-2.6.39.3/sound/pci/rme96.c linux-2.6.39.3/sound/pci/rme96.c
83623 --- linux-2.6.39.3/sound/pci/rme96.c 2011-05-19 00:06:34.000000000 -0400
83624 +++ linux-2.6.39.3/sound/pci/rme96.c 2011-05-22 19:36:35.000000000 -0400
83625 @@ -1447,7 +1447,7 @@ snd_rme96_capture_pointer(struct snd_pcm
83626 return snd_rme96_capture_ptr(rme96);
83627 }
83628
83629 -static struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83630 +static const struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83631 .open = snd_rme96_playback_spdif_open,
83632 .close = snd_rme96_playback_close,
83633 .ioctl = snd_pcm_lib_ioctl,
83634 @@ -1460,7 +1460,7 @@ static struct snd_pcm_ops snd_rme96_play
83635 .mmap = snd_pcm_lib_mmap_iomem,
83636 };
83637
83638 -static struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83639 +static const struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83640 .open = snd_rme96_capture_spdif_open,
83641 .close = snd_rme96_capture_close,
83642 .ioctl = snd_pcm_lib_ioctl,
83643 @@ -1472,7 +1472,7 @@ static struct snd_pcm_ops snd_rme96_capt
83644 .mmap = snd_pcm_lib_mmap_iomem,
83645 };
83646
83647 -static struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83648 +static const struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83649 .open = snd_rme96_playback_adat_open,
83650 .close = snd_rme96_playback_close,
83651 .ioctl = snd_pcm_lib_ioctl,
83652 @@ -1485,7 +1485,7 @@ static struct snd_pcm_ops snd_rme96_play
83653 .mmap = snd_pcm_lib_mmap_iomem,
83654 };
83655
83656 -static struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83657 +static const struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83658 .open = snd_rme96_capture_adat_open,
83659 .close = snd_rme96_capture_close,
83660 .ioctl = snd_pcm_lib_ioctl,
83661 diff -urNp linux-2.6.39.3/sound/pci/sis7019.c linux-2.6.39.3/sound/pci/sis7019.c
83662 --- linux-2.6.39.3/sound/pci/sis7019.c 2011-05-19 00:06:34.000000000 -0400
83663 +++ linux-2.6.39.3/sound/pci/sis7019.c 2011-05-22 19:36:35.000000000 -0400
83664 @@ -1011,7 +1011,7 @@ static int __devinit sis_mixer_create(st
83665 {
83666 struct snd_ac97_bus *bus;
83667 struct snd_ac97_template ac97;
83668 - static struct snd_ac97_bus_ops ops = {
83669 + static const struct snd_ac97_bus_ops ops = {
83670 .write = sis_ac97_write,
83671 .read = sis_ac97_read,
83672 };
83673 @@ -1293,7 +1293,7 @@ static int __devinit sis_chip_create(str
83674 {
83675 struct sis7019 *sis = card->private_data;
83676 struct voice *voice;
83677 - static struct snd_device_ops ops = {
83678 + static const struct snd_device_ops ops = {
83679 .dev_free = sis_dev_free,
83680 };
83681 int rc;
83682 diff -urNp linux-2.6.39.3/sound/pci/sonicvibes.c linux-2.6.39.3/sound/pci/sonicvibes.c
83683 --- linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-19 00:06:34.000000000 -0400
83684 +++ linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-22 19:36:35.000000000 -0400
83685 @@ -855,7 +855,7 @@ static int snd_sonicvibes_capture_close(
83686 return 0;
83687 }
83688
83689 -static struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83690 +static const struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83691 .open = snd_sonicvibes_playback_open,
83692 .close = snd_sonicvibes_playback_close,
83693 .ioctl = snd_pcm_lib_ioctl,
83694 @@ -866,7 +866,7 @@ static struct snd_pcm_ops snd_sonicvibes
83695 .pointer = snd_sonicvibes_playback_pointer,
83696 };
83697
83698 -static struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83699 +static const struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83700 .open = snd_sonicvibes_capture_open,
83701 .close = snd_sonicvibes_capture_close,
83702 .ioctl = snd_pcm_lib_ioctl,
83703 @@ -1255,7 +1255,7 @@ static int __devinit snd_sonicvibes_crea
83704 struct sonicvibes *sonic;
83705 unsigned int dmaa, dmac;
83706 int err;
83707 - static struct snd_device_ops ops = {
83708 + static const struct snd_device_ops ops = {
83709 .dev_free = snd_sonicvibes_dev_free,
83710 };
83711
83712 diff -urNp linux-2.6.39.3/sound/pci/trident/trident_main.c linux-2.6.39.3/sound/pci/trident/trident_main.c
83713 --- linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-19 00:06:34.000000000 -0400
83714 +++ linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-22 19:36:35.000000000 -0400
83715 @@ -3549,7 +3549,7 @@ int __devinit snd_trident_create(struct
83716 int i, err;
83717 struct snd_trident_voice *voice;
83718 struct snd_trident_pcm_mixer *tmix;
83719 - static struct snd_device_ops ops = {
83720 + static const struct snd_device_ops ops = {
83721 .dev_free = snd_trident_dev_free,
83722 };
83723
83724 diff -urNp linux-2.6.39.3/sound/pci/via82xx.c linux-2.6.39.3/sound/pci/via82xx.c
83725 --- linux-2.6.39.3/sound/pci/via82xx.c 2011-05-19 00:06:34.000000000 -0400
83726 +++ linux-2.6.39.3/sound/pci/via82xx.c 2011-05-22 19:36:35.000000000 -0400
83727 @@ -1352,7 +1352,7 @@ static int snd_via8233_playback_close(st
83728
83729
83730 /* via686 playback callbacks */
83731 -static struct snd_pcm_ops snd_via686_playback_ops = {
83732 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83733 .open = snd_via686_playback_open,
83734 .close = snd_via82xx_pcm_close,
83735 .ioctl = snd_pcm_lib_ioctl,
83736 @@ -1365,7 +1365,7 @@ static struct snd_pcm_ops snd_via686_pla
83737 };
83738
83739 /* via686 capture callbacks */
83740 -static struct snd_pcm_ops snd_via686_capture_ops = {
83741 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83742 .open = snd_via82xx_capture_open,
83743 .close = snd_via82xx_pcm_close,
83744 .ioctl = snd_pcm_lib_ioctl,
83745 @@ -1378,7 +1378,7 @@ static struct snd_pcm_ops snd_via686_cap
83746 };
83747
83748 /* via823x DSX playback callbacks */
83749 -static struct snd_pcm_ops snd_via8233_playback_ops = {
83750 +static const struct snd_pcm_ops snd_via8233_playback_ops = {
83751 .open = snd_via8233_playback_open,
83752 .close = snd_via8233_playback_close,
83753 .ioctl = snd_pcm_lib_ioctl,
83754 @@ -1391,7 +1391,7 @@ static struct snd_pcm_ops snd_via8233_pl
83755 };
83756
83757 /* via823x multi-channel playback callbacks */
83758 -static struct snd_pcm_ops snd_via8233_multi_ops = {
83759 +static const struct snd_pcm_ops snd_via8233_multi_ops = {
83760 .open = snd_via8233_multi_open,
83761 .close = snd_via82xx_pcm_close,
83762 .ioctl = snd_pcm_lib_ioctl,
83763 @@ -1404,7 +1404,7 @@ static struct snd_pcm_ops snd_via8233_mu
83764 };
83765
83766 /* via823x capture callbacks */
83767 -static struct snd_pcm_ops snd_via8233_capture_ops = {
83768 +static const struct snd_pcm_ops snd_via8233_capture_ops = {
83769 .open = snd_via82xx_capture_open,
83770 .close = snd_via82xx_pcm_close,
83771 .ioctl = snd_pcm_lib_ioctl,
83772 @@ -1868,7 +1868,7 @@ static int __devinit snd_via82xx_mixer_n
83773 {
83774 struct snd_ac97_template ac97;
83775 int err;
83776 - static struct snd_ac97_bus_ops ops = {
83777 + static const struct snd_ac97_bus_ops ops = {
83778 .write = snd_via82xx_codec_write,
83779 .read = snd_via82xx_codec_read,
83780 .wait = snd_via82xx_codec_wait,
83781 @@ -2340,7 +2340,7 @@ static int __devinit snd_via82xx_create(
83782 {
83783 struct via82xx *chip;
83784 int err;
83785 - static struct snd_device_ops ops = {
83786 + static const struct snd_device_ops ops = {
83787 .dev_free = snd_via82xx_dev_free,
83788 };
83789
83790 diff -urNp linux-2.6.39.3/sound/pci/via82xx_modem.c linux-2.6.39.3/sound/pci/via82xx_modem.c
83791 --- linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-19 00:06:34.000000000 -0400
83792 +++ linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-22 19:36:35.000000000 -0400
83793 @@ -799,7 +799,7 @@ static int snd_via82xx_pcm_close(struct
83794
83795
83796 /* via686 playback callbacks */
83797 -static struct snd_pcm_ops snd_via686_playback_ops = {
83798 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83799 .open = snd_via82xx_playback_open,
83800 .close = snd_via82xx_pcm_close,
83801 .ioctl = snd_pcm_lib_ioctl,
83802 @@ -812,7 +812,7 @@ static struct snd_pcm_ops snd_via686_pla
83803 };
83804
83805 /* via686 capture callbacks */
83806 -static struct snd_pcm_ops snd_via686_capture_ops = {
83807 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83808 .open = snd_via82xx_capture_open,
83809 .close = snd_via82xx_pcm_close,
83810 .ioctl = snd_pcm_lib_ioctl,
83811 @@ -889,7 +889,7 @@ static int __devinit snd_via82xx_mixer_n
83812 {
83813 struct snd_ac97_template ac97;
83814 int err;
83815 - static struct snd_ac97_bus_ops ops = {
83816 + static const struct snd_ac97_bus_ops ops = {
83817 .write = snd_via82xx_codec_write,
83818 .read = snd_via82xx_codec_read,
83819 .wait = snd_via82xx_codec_wait,
83820 @@ -1105,7 +1105,7 @@ static int __devinit snd_via82xx_create(
83821 {
83822 struct via82xx_modem *chip;
83823 int err;
83824 - static struct snd_device_ops ops = {
83825 + static const struct snd_device_ops ops = {
83826 .dev_free = snd_via82xx_dev_free,
83827 };
83828
83829 diff -urNp linux-2.6.39.3/sound/pci/vx222/vx222.c linux-2.6.39.3/sound/pci/vx222/vx222.c
83830 --- linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-19 00:06:34.000000000 -0400
83831 +++ linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-22 19:36:35.000000000 -0400
83832 @@ -141,7 +141,7 @@ static int __devinit snd_vx222_create(st
83833 struct vx_core *chip;
83834 struct snd_vx222 *vx;
83835 int i, err;
83836 - static struct snd_device_ops ops = {
83837 + static const struct snd_device_ops ops = {
83838 .dev_free = snd_vx222_dev_free,
83839 };
83840 struct snd_vx_ops *vx_ops;
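Review bot: The context line `struct snd_vx_ops *vx_ops;` right below the constified `ops` in `snd_vx222_create` still declares a pointer to a writable ops structure. If the tables it points at hold function pointers the way `snd_device_ops` does, they stay outside read-only data and the hardening is uneven within this one function. `const struct snd_vx_ops *vx_ops;` would match, provided the function it is passed to accepts a const pointer. Neither the tables nor that callee are visible in this hunk, so this needs checking against the rest of the file; the function body continues outside the hunk.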
83841 diff -urNp linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c
83842 --- linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-19 00:06:34.000000000 -0400
83843 +++ linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-22 19:36:35.000000000 -0400
83844 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
83845 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
83846 break;
83847 }
83848 - if (atomic_read(&chip->interrupt_sleep_count)) {
83849 - atomic_set(&chip->interrupt_sleep_count, 0);
83850 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83851 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83852 wake_up(&chip->interrupt_sleep);
83853 }
83854 __end:
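Review bot: Nothing in `snd_ymfpci_hw_stop` records why `interrupt_sleep_count` is moved to the `_unchecked` atomic accessors, so a later reader cannot tell a deliberate exemption from overflow checking from an oversight. From the visible uses it looks like a sleeper count that is reset to 0 on wake-up rather than a reference count, which would make wraparound harmless. A comment such as `/* sleeper count, not a refcount: wraparound cannot free an object, so unchecked ops are fine */` above the `atomic_read_unchecked()` would say so. The field's declaration is outside these hunks and presumably has to become `atomic_unchecked_t` to match. The hunks in `snd_ymfpci_irq_wait`, `snd_ymfpci_interrupt` and `snd_ymfpci_create` touch the same counter, and the function body continues outside this hunk.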
83855 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
83856 continue;
83857 init_waitqueue_entry(&wait, current);
83858 add_wait_queue(&chip->interrupt_sleep, &wait);
83859 - atomic_inc(&chip->interrupt_sleep_count);
83860 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
83861 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
83862 remove_wait_queue(&chip->interrupt_sleep, &wait);
83863 }
83864 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
83865 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
83866 spin_unlock(&chip->reg_lock);
83867
83868 - if (atomic_read(&chip->interrupt_sleep_count)) {
83869 - atomic_set(&chip->interrupt_sleep_count, 0);
83870 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83871 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83872 wake_up(&chip->interrupt_sleep);
83873 }
83874 }
83875 @@ -2344,7 +2344,7 @@ int __devinit snd_ymfpci_create(struct s
83876 {
83877 struct snd_ymfpci *chip;
83878 int err;
83879 - static struct snd_device_ops ops = {
83880 + static const struct snd_device_ops ops = {
83881 .dev_free = snd_ymfpci_dev_free,
83882 };
83883
83884 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
83885 spin_lock_init(&chip->reg_lock);
83886 spin_lock_init(&chip->voice_lock);
83887 init_waitqueue_head(&chip->interrupt_sleep);
83888 - atomic_set(&chip->interrupt_sleep_count, 0);
83889 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83890 chip->card = card;
83891 chip->pci = pci;
83892 chip->irq = -1;
83893 diff -urNp linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c
83894 --- linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-19 00:06:34.000000000 -0400
83895 +++ linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-22 19:36:35.000000000 -0400
83896 @@ -94,7 +94,7 @@ static int snd_pdacf_probe(struct pcmcia
83897 int i, err;
83898 struct snd_pdacf *pdacf;
83899 struct snd_card *card;
83900 - static struct snd_device_ops ops = {
83901 + static const struct snd_device_ops ops = {
83902 .dev_free = snd_pdacf_dev_free,
83903 };
83904
83905 diff -urNp linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c
83906 --- linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-19 00:06:34.000000000 -0400
83907 +++ linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-22 19:36:35.000000000 -0400
83908 @@ -137,7 +137,7 @@ static int snd_vxpocket_new(struct snd_c
83909 {
83910 struct vx_core *chip;
83911 struct snd_vxpocket *vxp;
83912 - static struct snd_device_ops ops = {
83913 + static const struct snd_device_ops ops = {
83914 .dev_free = snd_vxpocket_dev_free,
83915 };
83916 int err;
83917 diff -urNp linux-2.6.39.3/sound/ppc/pmac.c linux-2.6.39.3/sound/ppc/pmac.c
83918 --- linux-2.6.39.3/sound/ppc/pmac.c 2011-05-19 00:06:34.000000000 -0400
83919 +++ linux-2.6.39.3/sound/ppc/pmac.c 2011-05-22 19:36:35.000000000 -0400
83920 @@ -1186,7 +1186,7 @@ int __devinit snd_pmac_new(struct snd_ca
83921 int i, err;
83922 unsigned int irq;
83923 unsigned long ctrl_addr, txdma_addr, rxdma_addr;
83924 - static struct snd_device_ops ops = {
83925 + static const struct snd_device_ops ops = {
83926 .dev_free = snd_pmac_dev_free,
83927 };
83928
83929 diff -urNp linux-2.6.39.3/sound/ppc/snd_ps3.c linux-2.6.39.3/sound/ppc/snd_ps3.c
83930 --- linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-19 00:06:34.000000000 -0400
83931 +++ linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-22 19:36:35.000000000 -0400
83932 @@ -773,7 +773,7 @@ static struct snd_kcontrol_new spdif_ctl
83933 },
83934 };
83935
83936 -static struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83937 +static const struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83938 .open = snd_ps3_pcm_open,
83939 .close = snd_ps3_pcm_close,
83940 .ioctl = snd_pcm_lib_ioctl,
83941 diff -urNp linux-2.6.39.3/sound/sh/aica.c linux-2.6.39.3/sound/sh/aica.c
83942 --- linux-2.6.39.3/sound/sh/aica.c 2011-05-19 00:06:34.000000000 -0400
83943 +++ linux-2.6.39.3/sound/sh/aica.c 2011-05-22 19:36:35.000000000 -0400
83944 @@ -441,7 +441,7 @@ static unsigned long snd_aicapcm_pcm_poi
83945 return readl(AICA_CONTROL_CHANNEL_SAMPLE_NUMBER);
83946 }
83947
83948 -static struct snd_pcm_ops snd_aicapcm_playback_ops = {
83949 +static const struct snd_pcm_ops snd_aicapcm_playback_ops = {
83950 .open = snd_aicapcm_pcm_open,
83951 .close = snd_aicapcm_pcm_close,
83952 .ioctl = snd_pcm_lib_ioctl,
83953 diff -urNp linux-2.6.39.3/sound/sh/sh_dac_audio.c linux-2.6.39.3/sound/sh/sh_dac_audio.c
83954 --- linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-19 00:06:34.000000000 -0400
83955 +++ linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-22 19:36:35.000000000 -0400
83956 @@ -246,7 +246,7 @@ snd_pcm_uframes_t snd_sh_dac_pcm_pointer
83957 }
83958
83959 /* pcm ops */
83960 -static struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83961 +static const struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83962 .open = snd_sh_dac_pcm_open,
83963 .close = snd_sh_dac_pcm_close,
83964 .ioctl = snd_pcm_lib_ioctl,
83965 @@ -352,7 +352,7 @@ static int __devinit snd_sh_dac_create(s
83966 struct snd_sh_dac *chip;
83967 int err;
83968
83969 - static struct snd_device_ops ops = {
83970 + static const struct snd_device_ops ops = {
83971 .dev_free = snd_sh_dac_dev_free,
83972 };
83973
83974 diff -urNp linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c
83975 --- linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-19 00:06:34.000000000 -0400
83976 +++ linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-22 19:36:35.000000000 -0400
83977 @@ -346,7 +346,7 @@ static int atmel_pcm_mmap(struct snd_pcm
83978 vma->vm_end - vma->vm_start, vma->vm_page_prot);
83979 }
83980
83981 -static struct snd_pcm_ops atmel_pcm_ops = {
83982 +static const struct snd_pcm_ops atmel_pcm_ops = {
83983 .open = atmel_pcm_open,
83984 .close = atmel_pcm_close,
83985 .ioctl = snd_pcm_lib_ioctl,
83986 diff -urNp linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c
83987 --- linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-19 00:06:34.000000000 -0400
83988 +++ linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-22 19:36:35.000000000 -0400
83989 @@ -289,7 +289,7 @@ static int playpaq_wm8510_hw_params(stru
83990
83991
83992
83993 -static struct snd_soc_ops playpaq_wm8510_ops = {
83994 +static const struct snd_soc_ops playpaq_wm8510_ops = {
83995 .hw_params = playpaq_wm8510_hw_params,
83996 };
83997
83998 diff -urNp linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c
83999 --- linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-19 00:06:34.000000000 -0400
84000 +++ linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-22 19:36:35.000000000 -0400
84001 @@ -87,7 +87,7 @@ static int at91sam9g20ek_hw_params(struc
84002 return 0;
84003 }
84004
84005 -static struct snd_soc_ops at91sam9g20ek_ops = {
84006 +static const struct snd_soc_ops at91sam9g20ek_ops = {
84007 .hw_params = at91sam9g20ek_hw_params,
84008 };
84009
84010 diff -urNp linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c
84011 --- linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-19 00:06:34.000000000 -0400
84012 +++ linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-22 19:36:35.000000000 -0400
84013 @@ -81,7 +81,7 @@ static int afeb9260_hw_params(struct snd
84014 return err;
84015 }
84016
84017 -static struct snd_soc_ops afeb9260_ops = {
84018 +static const struct snd_soc_ops afeb9260_ops = {
84019 .hw_params = afeb9260_hw_params,
84020 };
84021
84022 diff -urNp linux-2.6.39.3/sound/soc/au1x/db1200.c linux-2.6.39.3/sound/soc/au1x/db1200.c
84023 --- linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-19 00:06:34.000000000 -0400
84024 +++ linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-22 19:36:35.000000000 -0400
84025 @@ -67,7 +67,7 @@ out:
84026 return ret;
84027 }
84028
84029 -static struct snd_soc_ops db1200_i2s_wm8731_ops = {
84030 +static const struct snd_soc_ops db1200_i2s_wm8731_ops = {
84031 .startup = db1200_i2s_startup,
84032 };
84033
84034 diff -urNp linux-2.6.39.3/sound/soc/au1x/dbdma2.c linux-2.6.39.3/sound/soc/au1x/dbdma2.c
84035 --- linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-19 00:06:34.000000000 -0400
84036 +++ linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-22 19:36:35.000000000 -0400
84037 @@ -303,7 +303,7 @@ static int au1xpsc_pcm_close(struct snd_
84038 return 0;
84039 }
84040
84041 -static struct snd_pcm_ops au1xpsc_pcm_ops = {
84042 +static const struct snd_pcm_ops au1xpsc_pcm_ops = {
84043 .open = au1xpsc_pcm_open,
84044 .close = au1xpsc_pcm_close,
84045 .ioctl = snd_pcm_lib_ioctl,
84046 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c
84047 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84048 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84049 @@ -244,7 +244,7 @@ static void bf5xx_ac97_cold_reset(struct
84050 #endif
84051 }
84052
84053 -struct snd_ac97_bus_ops soc_ac97_ops = {
84054 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84055 .read = bf5xx_ac97_read,
84056 .write = bf5xx_ac97_write,
84057 .warm_reset = bf5xx_ac97_warm_reset,
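Review bot: The table made const here is named `soc_ac97_ops`, while the bf5xx-ac97.h hunk that follows constifies an extern named `bf5xx_ac97_ops`, so neither hunk shows a matching declaration for the symbol actually defined. Whatever header declares `soc_ac97_ops` to other files has to read `extern const struct snd_ac97_bus_ops soc_ac97_ops;` as well, otherwise definition and declaration disagree on qualifiers. The `bf5xx_ac97_ops` extern appears to have no definition in the visible code and may be stale. The initializer continues outside the hunk.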
84058 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h
84059 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84060 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84061 @@ -9,7 +9,7 @@
84062 #ifndef _BF5XX_AC97_H
84063 #define _BF5XX_AC97_H
84064
84065 -extern struct snd_ac97_bus_ops bf5xx_ac97_ops;
84066 +extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;
84067 extern struct snd_ac97 *ac97;
84068 /* Frame format in memory, only support stereo currently */
84069 struct ac97_frame {
84070 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c
84071 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-19 00:06:34.000000000 -0400
84072 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-22 19:36:35.000000000 -0400
84073 @@ -297,7 +297,7 @@ static int bf5xx_pcm_copy(struct snd_pcm
84074 }
84075 #endif
84076
84077 -static struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84078 +static const struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84079 .open = bf5xx_pcm_open,
84080 .ioctl = snd_pcm_lib_ioctl,
84081 .hw_params = bf5xx_pcm_hw_params,
84082 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c
84083 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-19 00:06:34.000000000 -0400
84084 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-22 19:36:35.000000000 -0400
84085 @@ -74,7 +74,7 @@ static int bf5xx_ad1836_hw_params(struct
84086 return 0;
84087 }
84088
84089 -static struct snd_soc_ops bf5xx_ad1836_ops = {
84090 +static const struct snd_soc_ops bf5xx_ad1836_ops = {
84091 .startup = bf5xx_ad1836_startup,
84092 .hw_params = bf5xx_ad1836_hw_params,
84093 };
84094 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c
84095 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-19 00:06:34.000000000 -0400
84096 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-22 19:36:35.000000000 -0400
84097 @@ -88,7 +88,7 @@ static int bf5xx_ad193x_hw_params(struct
84098 return 0;
84099 }
84100
84101 -static struct snd_soc_ops bf5xx_ad193x_ops = {
84102 +static const struct snd_soc_ops bf5xx_ad193x_ops = {
84103 .startup = bf5xx_ad193x_startup,
84104 .hw_params = bf5xx_ad193x_hw_params,
84105 };
84106 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c
84107 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-19 00:06:34.000000000 -0400
84108 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-22 19:36:35.000000000 -0400
84109 @@ -63,7 +63,7 @@ static int bf5xx_board_startup(struct sn
84110 return 0;
84111 }
84112
84113 -static struct snd_soc_ops bf5xx_board_ops = {
84114 +static const struct snd_soc_ops bf5xx_board_ops = {
84115 .startup = bf5xx_board_startup,
84116 };
84117
84118 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c
84119 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-19 00:06:34.000000000 -0400
84120 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-22 19:36:35.000000000 -0400
84121 @@ -175,7 +175,7 @@ static int bf5xx_ad73311_hw_params(struc
84122 }
84123
84124
84125 -static struct snd_soc_ops bf5xx_ad73311_ops = {
84126 +static const struct snd_soc_ops bf5xx_ad73311_ops = {
84127 .startup = bf5xx_ad73311_startup,
84128 .hw_params = bf5xx_ad73311_hw_params,
84129 };
84130 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c
84131 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-19 00:06:34.000000000 -0400
84132 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-22 19:36:35.000000000 -0400
84133 @@ -183,7 +183,7 @@ static int bf5xx_pcm_mmap(struct snd_pcm
84134 return 0 ;
84135 }
84136
84137 -static struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84138 +static const struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84139 .open = bf5xx_pcm_open,
84140 .ioctl = snd_pcm_lib_ioctl,
84141 .hw_params = bf5xx_pcm_hw_params,
84142 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c
84143 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-19 00:06:34.000000000 -0400
84144 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-22 19:36:35.000000000 -0400
84145 @@ -108,7 +108,7 @@ static int bf5xx_ssm2602_hw_params(struc
84146 return 0;
84147 }
84148
84149 -static struct snd_soc_ops bf5xx_ssm2602_ops = {
84150 +static const struct snd_soc_ops bf5xx_ssm2602_ops = {
84151 .startup = bf5xx_ssm2602_startup,
84152 .hw_params = bf5xx_ssm2602_hw_params,
84153 };
84154 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c
84155 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-19 00:06:34.000000000 -0400
84156 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-22 19:36:35.000000000 -0400
84157 @@ -220,7 +220,7 @@ static int bf5xx_pcm_silence(struct snd_
84158 }
84159
84160
84161 -struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84162 +const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84163 .open = bf5xx_pcm_open,
84164 .ioctl = snd_pcm_lib_ioctl,
84165 .hw_params = bf5xx_pcm_hw_params,
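Review bot: `bf5xx_pcm_tdm_ops` keeps external linkage, so any header declaration of it must gain the same qualifier, `extern const struct snd_pcm_ops bf5xx_pcm_tdm_ops;`. No such declaration is visible in this hunk. A declaration left non-const is a conflicting-type error where both are seen, and a file that sees only the header would compile writes to an object that now sits in read-only data. If nothing outside this file references the table, making it `static` would be the tighter change. The same applies to the non-static `soc_ac97_ops` definitions in the ep93xx-ac97.c and pxa2xx-ac97.c hunks; the initializer here continues past the end of the hunk.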
84166 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-evm.c linux-2.6.39.3/sound/soc/davinci/davinci-evm.c
84167 --- linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-19 00:06:34.000000000 -0400
84168 +++ linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-22 19:36:35.000000000 -0400
84169 @@ -88,11 +88,11 @@ static int evm_spdif_hw_params(struct sn
84170 return snd_soc_dai_set_fmt(cpu_dai, AUDIO_FORMAT);
84171 }
84172
84173 -static struct snd_soc_ops evm_ops = {
84174 +static const struct snd_soc_ops evm_ops = {
84175 .hw_params = evm_hw_params,
84176 };
84177
84178 -static struct snd_soc_ops evm_spdif_ops = {
84179 +static const struct snd_soc_ops evm_spdif_ops = {
84180 .hw_params = evm_spdif_hw_params,
84181 };
84182
84183 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c
84184 --- linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-19 00:06:34.000000000 -0400
84185 +++ linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-22 19:36:35.000000000 -0400
84186 @@ -748,7 +748,7 @@ static int davinci_pcm_mmap(struct snd_p
84187 runtime->dma_bytes);
84188 }
84189
84190 -static struct snd_pcm_ops davinci_pcm_ops = {
84191 +static const struct snd_pcm_ops davinci_pcm_ops = {
84192 .open = davinci_pcm_open,
84193 .close = davinci_pcm_close,
84194 .ioctl = snd_pcm_lib_ioctl,
84195 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c
84196 --- linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-19 00:06:34.000000000 -0400
84197 +++ linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-22 19:36:35.000000000 -0400
84198 @@ -75,7 +75,7 @@ static int sffsdr_hw_params(struct snd_p
84199 #endif
84200 }
84201
84202 -static struct snd_soc_ops sffsdr_ops = {
84203 +static const struct snd_soc_ops sffsdr_ops = {
84204 .hw_params = sffsdr_hw_params,
84205 };
84206
84207 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c
84208 --- linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-19 00:06:34.000000000 -0400
84209 +++ linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-22 19:36:35.000000000 -0400
84210 @@ -74,7 +74,7 @@ static int edb93xx_hw_params(struct snd_
84211 SND_SOC_CLOCK_OUT);
84212 }
84213
84214 -static struct snd_soc_ops edb93xx_ops = {
84215 +static const struct snd_soc_ops edb93xx_ops = {
84216 .hw_params = edb93xx_hw_params,
84217 };
84218
84219 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c
84220 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84221 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84222 @@ -239,7 +239,7 @@ static irqreturn_t ep93xx_ac97_interrupt
84223 return IRQ_HANDLED;
84224 }
84225
84226 -struct snd_ac97_bus_ops soc_ac97_ops = {
84227 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84228 .read = ep93xx_ac97_read,
84229 .write = ep93xx_ac97_write,
84230 .reset = ep93xx_ac97_cold_reset,
84231 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c
84232 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-19 00:06:34.000000000 -0400
84233 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-22 19:36:35.000000000 -0400
84234 @@ -216,7 +216,7 @@ static int ep93xx_pcm_mmap(struct snd_pc
84235 runtime->dma_bytes);
84236 }
84237
84238 -static struct snd_pcm_ops ep93xx_pcm_ops = {
84239 +static const struct snd_pcm_ops ep93xx_pcm_ops = {
84240 .open = ep93xx_pcm_open,
84241 .close = ep93xx_pcm_close,
84242 .ioctl = snd_pcm_lib_ioctl,
84243 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c
84244 --- linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-19 00:06:34.000000000 -0400
84245 +++ linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-22 19:36:35.000000000 -0400
84246 @@ -55,7 +55,7 @@ static int snappercl15_hw_params(struct
84247 return 0;
84248 }
84249
84250 -static struct snd_soc_ops snappercl15_ops = {
84251 +static const struct snd_soc_ops snappercl15_ops = {
84252 .hw_params = snappercl15_hw_params,
84253 };
84254
84255 diff -urNp linux-2.6.39.3/sound/soc/fsl/fsl_dma.c linux-2.6.39.3/sound/soc/fsl/fsl_dma.c
84256 --- linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-19 00:06:34.000000000 -0400
84257 +++ linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-22 19:36:35.000000000 -0400
84258 @@ -887,7 +887,7 @@ static struct device_node *find_ssi_node
84259 return NULL;
84260 }
84261
84262 -static struct snd_pcm_ops fsl_dma_ops = {
84263 +static const struct snd_pcm_ops fsl_dma_ops = {
84264 .open = fsl_dma_open,
84265 .close = fsl_dma_close,
84266 .ioctl = snd_pcm_lib_ioctl,
84267 diff -urNp linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c
84268 --- linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-19 00:06:34.000000000 -0400
84269 +++ linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-22 19:36:35.000000000 -0400
84270 @@ -175,7 +175,7 @@ static int mpc8610_hpcd_machine_remove(s
84271 /**
84272 * mpc8610_hpcd_ops: ASoC machine driver operations
84273 */
84274 -static struct snd_soc_ops mpc8610_hpcd_ops = {
84275 +static const struct snd_soc_ops mpc8610_hpcd_ops = {
84276 .startup = mpc8610_hpcd_startup,
84277 };
84278
84279 diff -urNp linux-2.6.39.3/sound/soc/fsl/p1022_ds.c linux-2.6.39.3/sound/soc/fsl/p1022_ds.c
84280 --- linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-19 00:06:34.000000000 -0400
84281 +++ linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-22 19:36:35.000000000 -0400
84282 @@ -185,7 +185,7 @@ static int p1022_ds_machine_remove(struc
84283 /**
84284 * p1022_ds_ops: ASoC machine driver operations
84285 */
84286 -static struct snd_soc_ops p1022_ds_ops = {
84287 +static const struct snd_soc_ops p1022_ds_ops = {
84288 .startup = p1022_ds_startup,
84289 };
84290
84291 diff -urNp linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c
84292 --- linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-19 00:06:34.000000000 -0400
84293 +++ linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-22 19:36:35.000000000 -0400
84294 @@ -71,7 +71,7 @@ static int eukrea_tlv320_hw_params(struc
84295 return 0;
84296 }
84297
84298 -static struct snd_soc_ops eukrea_tlv320_snd_ops = {
84299 +static const struct snd_soc_ops eukrea_tlv320_snd_ops = {
84300 .hw_params = eukrea_tlv320_hw_params,
84301 };
84302
84303 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c
84304 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-19 00:06:34.000000000 -0400
84305 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-22 19:36:35.000000000 -0400
84306 @@ -283,7 +283,7 @@ static int snd_imx_close(struct snd_pcm_
84307 return 0;
84308 }
84309
84310 -static struct snd_pcm_ops imx_pcm_ops = {
84311 +static const struct snd_pcm_ops imx_pcm_ops = {
84312 .open = snd_imx_open,
84313 .close = snd_imx_close,
84314 .ioctl = snd_pcm_lib_ioctl,
84315 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c
84316 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-19 00:06:34.000000000 -0400
84317 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-22 19:36:35.000000000 -0400
84318 @@ -225,7 +225,7 @@ static int snd_imx_close(struct snd_pcm_
84319 return 0;
84320 }
84321
84322 -static struct snd_pcm_ops imx_pcm_ops = {
84323 +static const struct snd_pcm_ops imx_pcm_ops = {
84324 .open = snd_imx_open,
84325 .close = snd_imx_close,
84326 .ioctl = snd_pcm_lib_ioctl,
84327 diff -urNp linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c
84328 --- linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-19 00:06:34.000000000 -0400
84329 +++ linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-22 19:36:35.000000000 -0400
84330 @@ -70,7 +70,7 @@ static int mx27vis_aic32x4_hw_params(str
84331 return 0;
84332 }
84333
84334 -static struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84335 +static const struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84336 .hw_params = mx27vis_aic32x4_hw_params,
84337 };
84338
84339 diff -urNp linux-2.6.39.3/sound/soc/imx/phycore-ac97.c linux-2.6.39.3/sound/soc/imx/phycore-ac97.c
84340 --- linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-19 00:06:34.000000000 -0400
84341 +++ linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-22 19:36:35.000000000 -0400
84342 @@ -21,7 +21,7 @@
84343
84344 static struct snd_soc_card imx_phycore;
84345
84346 -static struct snd_soc_ops imx_phycore_hifi_ops = {
84347 +static const struct snd_soc_ops imx_phycore_hifi_ops = {
84348 };
84349
84350 static struct snd_soc_dai_link imx_phycore_dai_ac97[] = {
84351 diff -urNp linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c
84352 --- linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-19 00:06:34.000000000 -0400
84353 +++ linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-22 19:36:35.000000000 -0400
84354 @@ -149,7 +149,7 @@ static int wm1133_ev1_hw_params(struct s
84355 return 0;
84356 }
84357
84358 -static struct snd_soc_ops wm1133_ev1_ops = {
84359 +static const struct snd_soc_ops wm1133_ev1_ops = {
84360 .hw_params = wm1133_ev1_hw_params,
84361 };
84362
84363 diff -urNp linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c
84364 --- linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-19 00:06:34.000000000 -0400
84365 +++ linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-22 19:36:35.000000000 -0400
84366 @@ -244,7 +244,7 @@ static int jz4740_pcm_mmap(struct snd_pc
84367 vma->vm_end - vma->vm_start, vma->vm_page_prot);
84368 }
84369
84370 -static struct snd_pcm_ops jz4740_pcm_ops = {
84371 +static const struct snd_pcm_ops jz4740_pcm_ops = {
84372 .open = jz4740_pcm_open,
84373 .close = jz4740_pcm_close,
84374 .ioctl = snd_pcm_lib_ioctl,
84375 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c
84376 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-19 00:06:34.000000000 -0400
84377 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-22 19:36:35.000000000 -0400
84378 @@ -56,7 +56,7 @@ static int openrd_client_hw_params(struc
84379
84380 }
84381
84382 -static struct snd_soc_ops openrd_client_ops = {
84383 +static const struct snd_soc_ops openrd_client_ops = {
84384 .hw_params = openrd_client_hw_params,
84385 };
84386
84387 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c
84388 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-19 00:06:34.000000000 -0400
84389 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-22 19:36:35.000000000 -0400
84390 @@ -44,7 +44,7 @@ static int t5325_hw_params(struct snd_pc
84391
84392 }
84393
84394 -static struct snd_soc_ops t5325_ops = {
84395 +static const struct snd_soc_ops t5325_ops = {
84396 .hw_params = t5325_hw_params,
84397 };
84398
84399 diff -urNp linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c
84400 --- linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-19 00:06:34.000000000 -0400
84401 +++ linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-22 19:36:35.000000000 -0400
84402 @@ -381,7 +381,7 @@ static int sst_platform_pcm_hw_free(stru
84403 return snd_pcm_lib_free_pages(substream);
84404 }
84405
84406 -static struct snd_pcm_ops sst_platform_ops = {
84407 +static const struct snd_pcm_ops sst_platform_ops = {
84408 .open = sst_platform_open,
84409 .close = sst_platform_close,
84410 .ioctl = snd_pcm_lib_ioctl,
84411 diff -urNp linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c
84412 --- linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-19 00:06:34.000000000 -0400
84413 +++ linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-22 19:36:35.000000000 -0400
84414 @@ -297,7 +297,7 @@ static int nuc900_dma_mmap(struct snd_pc
84415 runtime->dma_bytes);
84416 }
84417
84418 -static struct snd_pcm_ops nuc900_dma_ops = {
84419 +static const struct snd_pcm_ops nuc900_dma_ops = {
84420 .open = nuc900_dma_open,
84421 .close = nuc900_dma_close,
84422 .ioctl = snd_pcm_lib_ioctl,
84423 diff -urNp linux-2.6.39.3/sound/soc/omap/am3517evm.c linux-2.6.39.3/sound/soc/omap/am3517evm.c
84424 --- linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-19 00:06:34.000000000 -0400
84425 +++ linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-22 19:36:35.000000000 -0400
84426 @@ -88,7 +88,7 @@ static int am3517evm_hw_params(struct sn
84427 return 0;
84428 }
84429
84430 -static struct snd_soc_ops am3517evm_ops = {
84431 +static const struct snd_soc_ops am3517evm_ops = {
84432 .hw_params = am3517evm_hw_params,
84433 };
84434
84435 diff -urNp linux-2.6.39.3/sound/soc/omap/ams-delta.c linux-2.6.39.3/sound/soc/omap/ams-delta.c
84436 --- linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-19 00:06:34.000000000 -0400
84437 +++ linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-22 19:36:35.000000000 -0400
84438 @@ -420,7 +420,7 @@ static int ams_delta_hw_params(struct sn
84439 SND_SOC_DAIFMT_CBM_CFM);
84440 }
84441
84442 -static struct snd_soc_ops ams_delta_ops = {
84443 +static const struct snd_soc_ops ams_delta_ops = {
84444 .hw_params = ams_delta_hw_params,
84445 };
84446
84447 diff -urNp linux-2.6.39.3/sound/soc/omap/igep0020.c linux-2.6.39.3/sound/soc/omap/igep0020.c
84448 --- linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-19 00:06:34.000000000 -0400
84449 +++ linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-22 19:36:35.000000000 -0400
84450 @@ -72,7 +72,7 @@ static int igep2_hw_params(struct snd_pc
84451 return 0;
84452 }
84453
84454 -static struct snd_soc_ops igep2_ops = {
84455 +static const struct snd_soc_ops igep2_ops = {
84456 .hw_params = igep2_hw_params,
84457 };
84458
84459 diff -urNp linux-2.6.39.3/sound/soc/omap/n810.c linux-2.6.39.3/sound/soc/omap/n810.c
84460 --- linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-19 00:06:34.000000000 -0400
84461 +++ linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-22 19:36:35.000000000 -0400
84462 @@ -141,7 +141,7 @@ static int n810_hw_params(struct snd_pcm
84463 return err;
84464 }
84465
84466 -static struct snd_soc_ops n810_ops = {
84467 +static const struct snd_soc_ops n810_ops = {
84468 .startup = n810_startup,
84469 .hw_params = n810_hw_params,
84470 .shutdown = n810_shutdown,
84471 diff -urNp linux-2.6.39.3/sound/soc/omap/omap2evm.c linux-2.6.39.3/sound/soc/omap/omap2evm.c
84472 --- linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-19 00:06:34.000000000 -0400
84473 +++ linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-22 19:36:35.000000000 -0400
84474 @@ -74,7 +74,7 @@ static int omap2evm_hw_params(struct snd
84475 return 0;
84476 }
84477
84478 -static struct snd_soc_ops omap2evm_ops = {
84479 +static const struct snd_soc_ops omap2evm_ops = {
84480 .hw_params = omap2evm_hw_params,
84481 };
84482
84483 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3beagle.c linux-2.6.39.3/sound/soc/omap/omap3beagle.c
84484 --- linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-19 00:06:34.000000000 -0400
84485 +++ linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-22 19:36:35.000000000 -0400
84486 @@ -82,7 +82,7 @@ static int omap3beagle_hw_params(struct
84487 return 0;
84488 }
84489
84490 -static struct snd_soc_ops omap3beagle_ops = {
84491 +static const struct snd_soc_ops omap3beagle_ops = {
84492 .hw_params = omap3beagle_hw_params,
84493 };
84494
84495 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3evm.c linux-2.6.39.3/sound/soc/omap/omap3evm.c
84496 --- linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-19 00:06:34.000000000 -0400
84497 +++ linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-22 19:36:35.000000000 -0400
84498 @@ -70,7 +70,7 @@ static int omap3evm_hw_params(struct snd
84499 return 0;
84500 }
84501
84502 -static struct snd_soc_ops omap3evm_ops = {
84503 +static const struct snd_soc_ops omap3evm_ops = {
84504 .hw_params = omap3evm_hw_params,
84505 };
84506
84507 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3pandora.c linux-2.6.39.3/sound/soc/omap/omap3pandora.c
84508 --- linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-19 00:06:34.000000000 -0400
84509 +++ linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-22 19:36:35.000000000 -0400
84510 @@ -218,7 +218,7 @@ static int omap3pandora_in_init(struct s
84511 return snd_soc_dapm_sync(dapm);
84512 }
84513
84514 -static struct snd_soc_ops omap3pandora_ops = {
84515 +static const struct snd_soc_ops omap3pandora_ops = {
84516 .hw_params = omap3pandora_hw_params,
84517 };
84518
84519 diff -urNp linux-2.6.39.3/sound/soc/omap/omap-pcm.c linux-2.6.39.3/sound/soc/omap/omap-pcm.c
84520 --- linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-19 00:06:34.000000000 -0400
84521 +++ linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-22 19:36:35.000000000 -0400
84522 @@ -311,7 +311,7 @@ static int omap_pcm_mmap(struct snd_pcm_
84523 runtime->dma_bytes);
84524 }
84525
84526 -static struct snd_pcm_ops omap_pcm_ops = {
84527 +static const struct snd_pcm_ops omap_pcm_ops = {
84528 .open = omap_pcm_open,
84529 .close = omap_pcm_close,
84530 .ioctl = snd_pcm_lib_ioctl,
84531 diff -urNp linux-2.6.39.3/sound/soc/omap/osk5912.c linux-2.6.39.3/sound/soc/omap/osk5912.c
84532 --- linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-19 00:06:34.000000000 -0400
84533 +++ linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-22 19:36:35.000000000 -0400
84534 @@ -90,7 +90,7 @@ static int osk_hw_params(struct snd_pcm_
84535 return err;
84536 }
84537
84538 -static struct snd_soc_ops osk_ops = {
84539 +static const struct snd_soc_ops osk_ops = {
84540 .startup = osk_startup,
84541 .hw_params = osk_hw_params,
84542 .shutdown = osk_shutdown,
84543 diff -urNp linux-2.6.39.3/sound/soc/omap/overo.c linux-2.6.39.3/sound/soc/omap/overo.c
84544 --- linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-19 00:06:34.000000000 -0400
84545 +++ linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-22 19:36:35.000000000 -0400
84546 @@ -72,7 +72,7 @@ static int overo_hw_params(struct snd_pc
84547 return 0;
84548 }
84549
84550 -static struct snd_soc_ops overo_ops = {
84551 +static const struct snd_soc_ops overo_ops = {
84552 .hw_params = overo_hw_params,
84553 };
84554
84555 diff -urNp linux-2.6.39.3/sound/soc/omap/rx51.c linux-2.6.39.3/sound/soc/omap/rx51.c
84556 --- linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-19 00:06:34.000000000 -0400
84557 +++ linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-22 19:36:35.000000000 -0400
84558 @@ -139,7 +139,7 @@ static int rx51_hw_params(struct snd_pcm
84559 SND_SOC_CLOCK_IN);
84560 }
84561
84562 -static struct snd_soc_ops rx51_ops = {
84563 +static const struct snd_soc_ops rx51_ops = {
84564 .startup = rx51_startup,
84565 .hw_params = rx51_hw_params,
84566 };
84567 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp3430.c linux-2.6.39.3/sound/soc/omap/sdp3430.c
84568 --- linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-19 00:06:34.000000000 -0400
84569 +++ linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-22 19:36:35.000000000 -0400
84570 @@ -87,7 +87,7 @@ static int sdp3430_hw_params(struct snd_
84571 return 0;
84572 }
84573
84574 -static struct snd_soc_ops sdp3430_ops = {
84575 +static const struct snd_soc_ops sdp3430_ops = {
84576 .hw_params = sdp3430_hw_params,
84577 };
84578
84579 @@ -130,7 +130,7 @@ static int sdp3430_hw_voice_params(struc
84580 return 0;
84581 }
84582
84583 -static struct snd_soc_ops sdp3430_voice_ops = {
84584 +static const struct snd_soc_ops sdp3430_voice_ops = {
84585 .hw_params = sdp3430_hw_voice_params,
84586 };
84587
84588 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp4430.c linux-2.6.39.3/sound/soc/omap/sdp4430.c
84589 --- linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-19 00:06:34.000000000 -0400
84590 +++ linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-22 19:36:35.000000000 -0400
84591 @@ -62,7 +62,7 @@ static int sdp4430_hw_params(struct snd_
84592 return ret;
84593 }
84594
84595 -static struct snd_soc_ops sdp4430_ops = {
84596 +static const struct snd_soc_ops sdp4430_ops = {
84597 .hw_params = sdp4430_hw_params,
84598 };
84599
84600 diff -urNp linux-2.6.39.3/sound/soc/omap/zoom2.c linux-2.6.39.3/sound/soc/omap/zoom2.c
84601 --- linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-19 00:06:34.000000000 -0400
84602 +++ linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-22 19:36:35.000000000 -0400
84603 @@ -78,7 +78,7 @@ static int zoom2_hw_params(struct snd_pc
84604 return 0;
84605 }
84606
84607 -static struct snd_soc_ops zoom2_ops = {
84608 +static const struct snd_soc_ops zoom2_ops = {
84609 .hw_params = zoom2_hw_params,
84610 };
84611
84612 @@ -121,7 +121,7 @@ static int zoom2_hw_voice_params(struct
84613 return 0;
84614 }
84615
84616 -static struct snd_soc_ops zoom2_voice_ops = {
84617 +static const struct snd_soc_ops zoom2_voice_ops = {
84618 .hw_params = zoom2_hw_voice_params,
84619 };
84620
84621 diff -urNp linux-2.6.39.3/sound/soc/pxa/corgi.c linux-2.6.39.3/sound/soc/pxa/corgi.c
84622 --- linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-19 00:06:34.000000000 -0400
84623 +++ linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-22 19:36:35.000000000 -0400
84624 @@ -169,7 +169,7 @@ static int corgi_hw_params(struct snd_pc
84625 return 0;
84626 }
84627
84628 -static struct snd_soc_ops corgi_ops = {
84629 +static const struct snd_soc_ops corgi_ops = {
84630 .startup = corgi_startup,
84631 .hw_params = corgi_hw_params,
84632 .shutdown = corgi_shutdown,
84633 diff -urNp linux-2.6.39.3/sound/soc/pxa/imote2.c linux-2.6.39.3/sound/soc/pxa/imote2.c
84634 --- linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-19 00:06:34.000000000 -0400
84635 +++ linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-22 19:36:35.000000000 -0400
84636 @@ -56,7 +56,7 @@ static int imote2_asoc_hw_params(struct
84637 return ret;
84638 }
84639
84640 -static struct snd_soc_ops imote2_asoc_ops = {
84641 +static const struct snd_soc_ops imote2_asoc_ops = {
84642 .hw_params = imote2_asoc_hw_params,
84643 };
84644
84645 diff -urNp linux-2.6.39.3/sound/soc/pxa/magician.c linux-2.6.39.3/sound/soc/pxa/magician.c
84646 --- linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-19 00:06:34.000000000 -0400
84647 +++ linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-22 19:36:35.000000000 -0400
84648 @@ -258,12 +258,12 @@ static int magician_capture_hw_params(st
84649 return 0;
84650 }
84651
84652 -static struct snd_soc_ops magician_capture_ops = {
84653 +static const struct snd_soc_ops magician_capture_ops = {
84654 .startup = magician_startup,
84655 .hw_params = magician_capture_hw_params,
84656 };
84657
84658 -static struct snd_soc_ops magician_playback_ops = {
84659 +static const struct snd_soc_ops magician_playback_ops = {
84660 .startup = magician_startup,
84661 .hw_params = magician_playback_hw_params,
84662 };
84663 diff -urNp linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c
84664 --- linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-19 00:06:34.000000000 -0400
84665 +++ linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-22 19:36:35.000000000 -0400
84666 @@ -156,7 +156,7 @@ static int mioa701_wm9713_init(struct sn
84667 return 0;
84668 }
84669
84670 -static struct snd_soc_ops mioa701_ops;
84671 +static const struct snd_soc_ops mioa701_ops;
84672
84673 static struct snd_soc_dai_link mioa701_dai[] = {
84674 {
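Review bot: `static const struct snd_soc_ops mioa701_ops;` is a tentative definition with no initializer, and once it is `const` its members can never be filled in. The line should say whether the all-NULL table is intended, for example `/* no machine-level callbacks: every member stays NULL */`. If an initialised definition follows later in the file, outside this hunk, it must carry `const` as well or the two declarations conflict. The `mioa701_dai[]` array opening at the end of the hunk presumably points at this table, but its body is not visible here.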
84675 diff -urNp linux-2.6.39.3/sound/soc/pxa/poodle.c linux-2.6.39.3/sound/soc/pxa/poodle.c
84676 --- linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-19 00:06:34.000000000 -0400
84677 +++ linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-22 19:36:35.000000000 -0400
84678 @@ -148,7 +148,7 @@ static int poodle_hw_params(struct snd_p
84679 return 0;
84680 }
84681
84682 -static struct snd_soc_ops poodle_ops = {
84683 +static const struct snd_soc_ops poodle_ops = {
84684 .startup = poodle_startup,
84685 .hw_params = poodle_hw_params,
84686 .shutdown = poodle_shutdown,
84687 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c
84688 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84689 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84690 @@ -40,7 +40,7 @@ static void pxa2xx_ac97_cold_reset(struc
84691 pxa2xx_ac97_finish_reset(ac97);
84692 }
84693
84694 -struct snd_ac97_bus_ops soc_ac97_ops = {
84695 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84696 .read = pxa2xx_ac97_read,
84697 .write = pxa2xx_ac97_write,
84698 .warm_reset = pxa2xx_ac97_warm_reset,
84699 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h
84700 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84701 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84702 @@ -15,6 +15,6 @@
84703 #define PXA2XX_DAI_AC97_MIC 2
84704
84705 /* platform data */
84706 -extern struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84707 +extern const struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84708
84709 #endif
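Review bot: This header declares `pxa2xx_ac97_ops`, but the table constified in the pxa2xx-ac97.c hunk of this patch is named `soc_ac97_ops`, and no definition of `pxa2xx_ac97_ops` appears in the visible hunks. If a definition exists elsewhere, it needs the matching `const` so that declaration and definition agree. If the declaration is stale, removing it is cleaner than re-qualifying a symbol that nothing defines.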
84710 diff -urNp linux-2.6.39.3/sound/soc/pxa/raumfeld.c linux-2.6.39.3/sound/soc/pxa/raumfeld.c
84711 --- linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:04:14.000000000 -0400
84712 +++ linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:32:09.000000000 -0400
84713 @@ -145,7 +145,7 @@ static int raumfeld_cs4270_hw_params(str
84714 return 0;
84715 }
84716
84717 -static struct snd_soc_ops raumfeld_cs4270_ops = {
84718 +static const struct snd_soc_ops raumfeld_cs4270_ops = {
84719 .startup = raumfeld_cs4270_startup,
84720 .shutdown = raumfeld_cs4270_shutdown,
84721 .hw_params = raumfeld_cs4270_hw_params,
84722 @@ -221,7 +221,7 @@ static int raumfeld_ak4104_hw_params(str
84723 return 0;
84724 }
84725
84726 -static struct snd_soc_ops raumfeld_ak4104_ops = {
84727 +static const struct snd_soc_ops raumfeld_ak4104_ops = {
84728 .hw_params = raumfeld_ak4104_hw_params,
84729 };
84730
84731 diff -urNp linux-2.6.39.3/sound/soc/pxa/saarb.c linux-2.6.39.3/sound/soc/pxa/saarb.c
84732 --- linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-19 00:06:34.000000000 -0400
84733 +++ linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-22 19:36:35.000000000 -0400
84734 @@ -106,7 +106,7 @@ static int saarb_i2s_hw_params(struct sn
84735 return ret;
84736 }
84737
84738 -static struct snd_soc_ops saarb_i2s_ops = {
84739 +static const struct snd_soc_ops saarb_i2s_ops = {
84740 .hw_params = saarb_i2s_hw_params,
84741 };
84742
84743 diff -urNp linux-2.6.39.3/sound/soc/pxa/spitz.c linux-2.6.39.3/sound/soc/pxa/spitz.c
84744 --- linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-19 00:06:34.000000000 -0400
84745 +++ linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-22 19:36:35.000000000 -0400
84746 @@ -169,7 +169,7 @@ static int spitz_hw_params(struct snd_pc
84747 return 0;
84748 }
84749
84750 -static struct snd_soc_ops spitz_ops = {
84751 +static const struct snd_soc_ops spitz_ops = {
84752 .startup = spitz_startup,
84753 .hw_params = spitz_hw_params,
84754 };
84755 diff -urNp linux-2.6.39.3/sound/soc/pxa/tavorevb3.c linux-2.6.39.3/sound/soc/pxa/tavorevb3.c
84756 --- linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-19 00:06:34.000000000 -0400
84757 +++ linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-22 19:36:35.000000000 -0400
84758 @@ -106,7 +106,7 @@ static int evb3_i2s_hw_params(struct snd
84759 return ret;
84760 }
84761
84762 -static struct snd_soc_ops evb3_i2s_ops = {
84763 +static const struct snd_soc_ops evb3_i2s_ops = {
84764 .hw_params = evb3_i2s_hw_params,
84765 };
84766
84767 diff -urNp linux-2.6.39.3/sound/soc/pxa/tosa.c linux-2.6.39.3/sound/soc/pxa/tosa.c
84768 --- linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-19 00:06:34.000000000 -0400
84769 +++ linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-22 19:36:35.000000000 -0400
84770 @@ -92,7 +92,7 @@ static int tosa_startup(struct snd_pcm_s
84771 return 0;
84772 }
84773
84774 -static struct snd_soc_ops tosa_ops = {
84775 +static const struct snd_soc_ops tosa_ops = {
84776 .startup = tosa_startup,
84777 };
84778
84779 diff -urNp linux-2.6.39.3/sound/soc/pxa/z2.c linux-2.6.39.3/sound/soc/pxa/z2.c
84780 --- linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-19 00:06:34.000000000 -0400
84781 +++ linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-22 19:36:35.000000000 -0400
84782 @@ -187,7 +187,7 @@ err:
84783 return ret;
84784 }
84785
84786 -static struct snd_soc_ops z2_ops = {
84787 +static const struct snd_soc_ops z2_ops = {
84788 .hw_params = z2_hw_params,
84789 };
84790
84791 diff -urNp linux-2.6.39.3/sound/soc/pxa/zylonite.c linux-2.6.39.3/sound/soc/pxa/zylonite.c
84792 --- linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-19 00:06:34.000000000 -0400
84793 +++ linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-22 19:36:35.000000000 -0400
84794 @@ -156,7 +156,7 @@ static int zylonite_voice_hw_params(stru
84795 return 0;
84796 }
84797
84798 -static struct snd_soc_ops zylonite_voice_ops = {
84799 +static const struct snd_soc_ops zylonite_voice_ops = {
84800 .hw_params = zylonite_voice_hw_params,
84801 };
84802
84803 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c
84804 --- linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-19 00:06:34.000000000 -0400
84805 +++ linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-22 19:36:35.000000000 -0400
84806 @@ -420,7 +420,7 @@ static int s6000_pcm_hw_free(struct snd_
84807 return snd_pcm_lib_free_pages(substream);
84808 }
84809
84810 -static struct snd_pcm_ops s6000_pcm_ops = {
84811 +static const struct snd_pcm_ops s6000_pcm_ops = {
84812 .open = s6000_pcm_open,
84813 .close = s6000_pcm_close,
84814 .ioctl = snd_pcm_lib_ioctl,
84815 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c
84816 --- linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-19 00:06:34.000000000 -0400
84817 +++ linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-22 19:36:35.000000000 -0400
84818 @@ -55,7 +55,7 @@ static int s6105_hw_params(struct snd_pc
84819 return 0;
84820 }
84821
84822 -static struct snd_soc_ops s6105_ops = {
84823 +static const struct snd_soc_ops s6105_ops = {
84824 .hw_params = s6105_hw_params,
84825 };
84826
84827 diff -urNp linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c
84828 --- linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-19 00:06:34.000000000 -0400
84829 +++ linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-22 19:36:35.000000000 -0400
84830 @@ -176,7 +176,7 @@ static int goni_hifi_hw_params(struct sn
84831 return 0;
84832 }
84833
84834 -static struct snd_soc_ops goni_hifi_ops = {
84835 +static const struct snd_soc_ops goni_hifi_ops = {
84836 .hw_params = goni_hifi_hw_params,
84837 };
84838
84839 @@ -227,7 +227,7 @@ static struct snd_soc_dai_driver voice_d
84840 .formats = SNDRV_PCM_FMTBIT_S16_LE,},
84841 };
84842
84843 -static struct snd_soc_ops goni_voice_ops = {
84844 +static const struct snd_soc_ops goni_voice_ops = {
84845 .hw_params = goni_voice_hw_params,
84846 };
84847
84848 diff -urNp linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c
84849 --- linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84850 +++ linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84851 @@ -136,7 +136,7 @@ static int h1940_hw_params(struct snd_pc
84852 return 0;
84853 }
84854
84855 -static struct snd_soc_ops h1940_ops = {
84856 +static const struct snd_soc_ops h1940_ops = {
84857 .startup = h1940_startup,
84858 .hw_params = h1940_hw_params,
84859 };
84860 diff -urNp linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c
84861 --- linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-19 00:06:34.000000000 -0400
84862 +++ linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-22 19:36:35.000000000 -0400
84863 @@ -92,7 +92,7 @@ static int jive_hw_params(struct snd_pcm
84864 return 0;
84865 }
84866
84867 -static struct snd_soc_ops jive_ops = {
84868 +static const struct snd_soc_ops jive_ops = {
84869 .hw_params = jive_hw_params,
84870 };
84871
84872 diff -urNp linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c
84873 --- linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-19 00:06:34.000000000 -0400
84874 +++ linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-22 19:36:35.000000000 -0400
84875 @@ -128,7 +128,7 @@ static int neo1973_hifi_hw_free(struct s
84876 /*
84877 * Neo1973 WM8753 HiFi DAI opserations.
84878 */
84879 -static struct snd_soc_ops neo1973_hifi_ops = {
84880 +static const struct snd_soc_ops neo1973_hifi_ops = {
84881 .hw_params = neo1973_hifi_hw_params,
84882 .hw_free = neo1973_hifi_hw_free,
84883 };
84884 @@ -187,7 +187,7 @@ static int neo1973_voice_hw_free(struct
84885 return snd_soc_dai_set_pll(codec_dai, WM8753_PLL2, 0, 0, 0);
84886 }
84887
84888 -static struct snd_soc_ops neo1973_voice_ops = {
84889 +static const struct snd_soc_ops neo1973_voice_ops = {
84890 .hw_params = neo1973_voice_hw_params,
84891 .hw_free = neo1973_voice_hw_free,
84892 };
84893 diff -urNp linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c
84894 --- linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84895 +++ linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84896 @@ -70,7 +70,7 @@ static struct snd_soc_jack_gpio hp_jack_
84897 },
84898 };
84899
84900 -static struct snd_soc_ops rx1950_ops = {
84901 +static const struct snd_soc_ops rx1950_ops = {
84902 .startup = rx1950_startup,
84903 .hw_params = rx1950_hw_params,
84904 };
84905 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c
84906 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-19 00:06:34.000000000 -0400
84907 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-22 19:36:35.000000000 -0400
84908 @@ -228,7 +228,7 @@ static int simtec_call_startup(struct s3
84909 return 0;
84910 }
84911
84912 -static struct snd_soc_ops simtec_snd_ops = {
84913 +static const struct snd_soc_ops simtec_snd_ops = {
84914 .hw_params = simtec_hw_params,
84915 };
84916
84917 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c
84918 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-19 00:06:34.000000000 -0400
84919 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-22 19:36:35.000000000 -0400
84920 @@ -210,7 +210,7 @@ static int s3c24xx_uda134x_hw_params(str
84921 return 0;
84922 }
84923
84924 -static struct snd_soc_ops s3c24xx_uda134x_ops = {
84925 +static const struct snd_soc_ops s3c24xx_uda134x_ops = {
84926 .startup = s3c24xx_uda134x_startup,
84927 .shutdown = s3c24xx_uda134x_shutdown,
84928 .hw_params = s3c24xx_uda134x_hw_params,
84929 diff -urNp linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c
84930 --- linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-19 00:06:34.000000000 -0400
84931 +++ linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-22 19:36:35.000000000 -0400
84932 @@ -92,7 +92,7 @@ static int smartq_hifi_hw_params(struct
84933 /*
84934 * SmartQ WM8987 HiFi DAI operations.
84935 */
84936 -static struct snd_soc_ops smartq_hifi_ops = {
84937 +static const struct snd_soc_ops smartq_hifi_ops = {
84938 .hw_params = smartq_hifi_hw_params,
84939 };
84940
84941 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c
84942 --- linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-19 00:06:34.000000000 -0400
84943 +++ linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-22 19:36:35.000000000 -0400
84944 @@ -143,7 +143,7 @@ static int smdk_hw_params(struct snd_pcm
84945 return ret;
84946 }
84947
84948 -static struct snd_soc_ops smdk_spdif_ops = {
84949 +static const struct snd_soc_ops smdk_spdif_ops = {
84950 .hw_params = smdk_hw_params,
84951 };
84952
84953 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c
84954 --- linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-19 00:06:34.000000000 -0400
84955 +++ linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-22 19:36:35.000000000 -0400
84956 @@ -114,7 +114,7 @@ static int smdk_hw_params(struct snd_pcm
84957 /*
84958 * SMDK WM8580 DAI operations.
84959 */
84960 -static struct snd_soc_ops smdk_ops = {
84961 +static const struct snd_soc_ops smdk_ops = {
84962 .hw_params = smdk_hw_params,
84963 };
84964
84965 diff -urNp linux-2.6.39.3/sound/soc/sh/dma-sh7760.c linux-2.6.39.3/sound/soc/sh/dma-sh7760.c
84966 --- linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-19 00:06:34.000000000 -0400
84967 +++ linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-22 19:36:35.000000000 -0400
84968 @@ -311,7 +311,7 @@ static snd_pcm_uframes_t camelot_pos(str
84969 return bytes_to_frames(runtime, pos);
84970 }
84971
84972 -static struct snd_pcm_ops camelot_pcm_ops = {
84973 +static const struct snd_pcm_ops camelot_pcm_ops = {
84974 .open = camelot_pcm_open,
84975 .close = camelot_pcm_close,
84976 .ioctl = snd_pcm_lib_ioctl,
84977 diff -urNp linux-2.6.39.3/sound/soc/sh/hac.c linux-2.6.39.3/sound/soc/sh/hac.c
84978 --- linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-19 00:06:34.000000000 -0400
84979 +++ linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-22 19:36:35.000000000 -0400
84980 @@ -227,7 +227,7 @@ static void hac_ac97_coldrst(struct snd_
84981 hac_ac97_warmrst(ac97);
84982 }
84983
84984 -struct snd_ac97_bus_ops soc_ac97_ops = {
84985 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84986 .read = hac_ac97_read,
84987 .write = hac_ac97_write,
84988 .reset = hac_ac97_coldrst,
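Review bot: `soc_ac97_ops` is the one ops table in this run of constification hunks that is not `static`, so the new `const` qualifier only compiles if every `extern` declaration of the symbol is changed to `extern const struct snd_ac97_bus_ops soc_ac97_ops;` as well. That declaration is not in this hunk, so it should be confirmed that the same patch updates the header and any other file that defines or declares the symbol. The initializer continues past the end of the hunk.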
84989 diff -urNp linux-2.6.39.3/sound/soc/sh/migor.c linux-2.6.39.3/sound/soc/sh/migor.c
84990 --- linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-19 00:06:34.000000000 -0400
84991 +++ linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-22 19:36:35.000000000 -0400
84992 @@ -108,7 +108,7 @@ static int migor_hw_free(struct snd_pcm_
84993 return 0;
84994 }
84995
84996 -static struct snd_soc_ops migor_dai_ops = {
84997 +static const struct snd_soc_ops migor_dai_ops = {
84998 .hw_params = migor_hw_params,
84999 .hw_free = migor_hw_free,
85000 };
85001 diff -urNp linux-2.6.39.3/sound/soc/sh/siu_pcm.c linux-2.6.39.3/sound/soc/sh/siu_pcm.c
85002 --- linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-19 00:06:34.000000000 -0400
85003 +++ linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-22 19:36:35.000000000 -0400
85004 @@ -597,7 +597,7 @@ static void siu_pcm_free(struct snd_pcm
85005 dev_dbg(pcm->card->dev, "%s\n", __func__);
85006 }
85007
85008 -static struct snd_pcm_ops siu_pcm_ops = {
85009 +static const struct snd_pcm_ops siu_pcm_ops = {
85010 .open = siu_pcm_open,
85011 .close = siu_pcm_close,
85012 .ioctl = snd_pcm_lib_ioctl,
85013 diff -urNp linux-2.6.39.3/sound/soc/tegra/harmony.c linux-2.6.39.3/sound/soc/tegra/harmony.c
85014 --- linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-19 00:06:34.000000000 -0400
85015 +++ linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-22 19:36:35.000000000 -0400
85016 @@ -126,7 +126,7 @@ static int harmony_asoc_hw_params(struct
85017 return 0;
85018 }
85019
85020 -static struct snd_soc_ops harmony_asoc_ops = {
85021 +static const struct snd_soc_ops harmony_asoc_ops = {
85022 .hw_params = harmony_asoc_hw_params,
85023 };
85024
85025 diff -urNp linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c
85026 --- linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-19 00:06:34.000000000 -0400
85027 +++ linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-22 19:36:36.000000000 -0400
85028 @@ -277,7 +277,7 @@ static int tegra_pcm_mmap(struct snd_pcm
85029 runtime->dma_bytes);
85030 }
85031
85032 -static struct snd_pcm_ops tegra_pcm_ops = {
85033 +static const struct snd_pcm_ops tegra_pcm_ops = {
85034 .open = tegra_pcm_open,
85035 .close = tegra_pcm_close,
85036 .ioctl = snd_pcm_lib_ioctl,
85037 diff -urNp linux-2.6.39.3/sound/soc/txx9/txx9aclc.c linux-2.6.39.3/sound/soc/txx9/txx9aclc.c
85038 --- linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-19 00:06:34.000000000 -0400
85039 +++ linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-22 19:36:36.000000000 -0400
85040 @@ -272,7 +272,7 @@ static int txx9aclc_pcm_close(struct snd
85041 return 0;
85042 }
85043
85044 -static struct snd_pcm_ops txx9aclc_pcm_ops = {
85045 +static const struct snd_pcm_ops txx9aclc_pcm_ops = {
85046 .open = txx9aclc_pcm_open,
85047 .close = txx9aclc_pcm_close,
85048 .ioctl = snd_pcm_lib_ioctl,
85049 diff -urNp linux-2.6.39.3/sound/sparc/amd7930.c linux-2.6.39.3/sound/sparc/amd7930.c
85050 --- linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-19 00:06:34.000000000 -0400
85051 +++ linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-22 19:36:36.000000000 -0400
85052 @@ -733,7 +733,7 @@ static int snd_amd7930_hw_free(struct sn
85053 return snd_pcm_lib_free_pages(substream);
85054 }
85055
85056 -static struct snd_pcm_ops snd_amd7930_playback_ops = {
85057 +static const struct snd_pcm_ops snd_amd7930_playback_ops = {
85058 .open = snd_amd7930_playback_open,
85059 .close = snd_amd7930_playback_close,
85060 .ioctl = snd_pcm_lib_ioctl,
85061 @@ -744,7 +744,7 @@ static struct snd_pcm_ops snd_amd7930_pl
85062 .pointer = snd_amd7930_playback_pointer,
85063 };
85064
85065 -static struct snd_pcm_ops snd_amd7930_capture_ops = {
85066 +static const struct snd_pcm_ops snd_amd7930_capture_ops = {
85067 .open = snd_amd7930_capture_open,
85068 .close = snd_amd7930_capture_close,
85069 .ioctl = snd_pcm_lib_ioctl,
85070 @@ -929,7 +929,7 @@ static int snd_amd7930_dev_free(struct s
85071 return snd_amd7930_free(amd);
85072 }
85073
85074 -static struct snd_device_ops snd_amd7930_dev_ops = {
85075 +static const struct snd_device_ops snd_amd7930_dev_ops = {
85076 .dev_free = snd_amd7930_dev_free,
85077 };
85078
85079 diff -urNp linux-2.6.39.3/sound/sparc/cs4231.c linux-2.6.39.3/sound/sparc/cs4231.c
85080 --- linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-19 00:06:34.000000000 -0400
85081 +++ linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-22 19:36:36.000000000 -0400
85082 @@ -1196,7 +1196,7 @@ static int snd_cs4231_capture_close(stru
85083 * XXX the audio AUXIO register...
85084 */
85085
85086 -static struct snd_pcm_ops snd_cs4231_playback_ops = {
85087 +static const struct snd_pcm_ops snd_cs4231_playback_ops = {
85088 .open = snd_cs4231_playback_open,
85089 .close = snd_cs4231_playback_close,
85090 .ioctl = snd_pcm_lib_ioctl,
85091 @@ -1207,7 +1207,7 @@ static struct snd_pcm_ops snd_cs4231_pla
85092 .pointer = snd_cs4231_playback_pointer,
85093 };
85094
85095 -static struct snd_pcm_ops snd_cs4231_capture_ops = {
85096 +static const struct snd_pcm_ops snd_cs4231_capture_ops = {
85097 .open = snd_cs4231_capture_open,
85098 .close = snd_cs4231_capture_close,
85099 .ioctl = snd_pcm_lib_ioctl,
85100 @@ -1789,7 +1789,7 @@ static int snd_cs4231_sbus_dev_free(stru
85101 return snd_cs4231_sbus_free(cp);
85102 }
85103
85104 -static struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85105 +static const struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85106 .dev_free = snd_cs4231_sbus_dev_free,
85107 };
85108
85109 @@ -1955,7 +1955,7 @@ static int snd_cs4231_ebus_dev_free(stru
85110 return snd_cs4231_ebus_free(cp);
85111 }
85112
85113 -static struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85114 +static const struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85115 .dev_free = snd_cs4231_ebus_dev_free,
85116 };
85117
85118 diff -urNp linux-2.6.39.3/sound/sparc/dbri.c linux-2.6.39.3/sound/sparc/dbri.c
85119 --- linux-2.6.39.3/sound/sparc/dbri.c 2011-05-19 00:06:34.000000000 -0400
85120 +++ linux-2.6.39.3/sound/sparc/dbri.c 2011-05-22 19:36:36.000000000 -0400
85121 @@ -2205,7 +2205,7 @@ static snd_pcm_uframes_t snd_dbri_pointe
85122 return ret;
85123 }
85124
85125 -static struct snd_pcm_ops snd_dbri_ops = {
85126 +static const struct snd_pcm_ops snd_dbri_ops = {
85127 .open = snd_dbri_open,
85128 .close = snd_dbri_close,
85129 .ioctl = snd_pcm_lib_ioctl,
85130 diff -urNp linux-2.6.39.3/sound/spi/at73c213.c linux-2.6.39.3/sound/spi/at73c213.c
85131 --- linux-2.6.39.3/sound/spi/at73c213.c 2011-05-19 00:06:34.000000000 -0400
85132 +++ linux-2.6.39.3/sound/spi/at73c213.c 2011-05-22 19:36:36.000000000 -0400
85133 @@ -319,7 +319,7 @@ snd_at73c213_pcm_pointer(struct snd_pcm_
85134 return pos;
85135 }
85136
85137 -static struct snd_pcm_ops at73c213_playback_ops = {
85138 +static const struct snd_pcm_ops at73c213_playback_ops = {
85139 .open = snd_at73c213_pcm_open,
85140 .close = snd_at73c213_pcm_close,
85141 .ioctl = snd_pcm_lib_ioctl,
85142 @@ -882,7 +882,7 @@ static int snd_at73c213_dev_free(struct
85143 static int __devinit snd_at73c213_dev_init(struct snd_card *card,
85144 struct spi_device *spi)
85145 {
85146 - static struct snd_device_ops ops = {
85147 + static const struct snd_device_ops ops = {
85148 .dev_free = snd_at73c213_dev_free,
85149 };
85150 struct snd_at73c213 *chip = get_chip(card);
85151 diff -urNp linux-2.6.39.3/sound/usb/6fire/midi.c linux-2.6.39.3/sound/usb/6fire/midi.c
85152 --- linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-19 00:06:34.000000000 -0400
85153 +++ linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-22 19:36:36.000000000 -0400
85154 @@ -134,14 +134,14 @@ static void usb6fire_midi_in_trigger(
85155 spin_unlock_irqrestore(&rt->in_lock, flags);
85156 }
85157
85158 -static struct snd_rawmidi_ops out_ops = {
85159 +static const struct snd_rawmidi_ops out_ops = {
85160 .open = usb6fire_midi_out_open,
85161 .close = usb6fire_midi_out_close,
85162 .trigger = usb6fire_midi_out_trigger,
85163 .drain = usb6fire_midi_out_drain
85164 };
85165
85166 -static struct snd_rawmidi_ops in_ops = {
85167 +static const struct snd_rawmidi_ops in_ops = {
85168 .open = usb6fire_midi_in_open,
85169 .close = usb6fire_midi_in_close,
85170 .trigger = usb6fire_midi_in_trigger
85171 diff -urNp linux-2.6.39.3/sound/usb/caiaq/audio.c linux-2.6.39.3/sound/usb/caiaq/audio.c
85172 --- linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-19 00:06:34.000000000 -0400
85173 +++ linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-22 19:36:36.000000000 -0400
85174 @@ -322,7 +322,7 @@ snd_usb_caiaq_pcm_pointer(struct snd_pcm
85175 }
85176
85177 /* operators for both playback and capture */
85178 -static struct snd_pcm_ops snd_usb_caiaq_ops = {
85179 +static const struct snd_pcm_ops snd_usb_caiaq_ops = {
85180 .open = snd_usb_caiaq_substream_open,
85181 .close = snd_usb_caiaq_substream_close,
85182 .ioctl = snd_pcm_lib_ioctl,
85183 diff -urNp linux-2.6.39.3/sound/usb/caiaq/midi.c linux-2.6.39.3/sound/usb/caiaq/midi.c
85184 --- linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-19 00:06:34.000000000 -0400
85185 +++ linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-22 19:36:36.000000000 -0400
85186 @@ -100,15 +100,13 @@ static void snd_usb_caiaq_midi_output_tr
85187 }
85188
85189
85190 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_output =
85191 -{
85192 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output = {
85193 .open = snd_usb_caiaq_midi_output_open,
85194 .close = snd_usb_caiaq_midi_output_close,
85195 .trigger = snd_usb_caiaq_midi_output_trigger,
85196 };
85197
85198 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_input =
85199 -{
85200 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_input = {
85201 .open = snd_usb_caiaq_midi_input_open,
85202 .close = snd_usb_caiaq_midi_input_close,
85203 .trigger = snd_usb_caiaq_midi_input_trigger,
85204 diff -urNp linux-2.6.39.3/sound/usb/card.c linux-2.6.39.3/sound/usb/card.c
85205 --- linux-2.6.39.3/sound/usb/card.c 2011-05-19 00:06:34.000000000 -0400
85206 +++ linux-2.6.39.3/sound/usb/card.c 2011-05-22 19:36:36.000000000 -0400
85207 @@ -305,7 +305,7 @@ static int snd_usb_audio_create(struct u
85208 struct snd_usb_audio *chip;
85209 int err, len;
85210 char component[14];
85211 - static struct snd_device_ops ops = {
85212 + static const struct snd_device_ops ops = {
85213 .dev_free = snd_usb_audio_dev_free,
85214 };
85215
85216 diff -urNp linux-2.6.39.3/sound/usb/midi.c linux-2.6.39.3/sound/usb/midi.c
85217 --- linux-2.6.39.3/sound/usb/midi.c 2011-05-19 00:06:34.000000000 -0400
85218 +++ linux-2.6.39.3/sound/usb/midi.c 2011-05-22 19:36:36.000000000 -0400
85219 @@ -1146,14 +1146,14 @@ static void snd_usbmidi_input_trigger(st
85220 clear_bit(substream->number, &umidi->input_triggered);
85221 }
85222
85223 -static struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85224 +static const struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85225 .open = snd_usbmidi_output_open,
85226 .close = snd_usbmidi_output_close,
85227 .trigger = snd_usbmidi_output_trigger,
85228 .drain = snd_usbmidi_output_drain,
85229 };
85230
85231 -static struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85232 +static const struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85233 .open = snd_usbmidi_input_open,
85234 .close = snd_usbmidi_input_close,
85235 .trigger = snd_usbmidi_input_trigger
85236 diff -urNp linux-2.6.39.3/sound/usb/misc/ua101.c linux-2.6.39.3/sound/usb/misc/ua101.c
85237 --- linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-19 00:06:34.000000000 -0400
85238 +++ linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-22 19:36:36.000000000 -0400
85239 @@ -886,7 +886,7 @@ static snd_pcm_uframes_t playback_pcm_po
85240 return ua101_pcm_pointer(ua, &ua->playback);
85241 }
85242
85243 -static struct snd_pcm_ops capture_pcm_ops = {
85244 +static const struct snd_pcm_ops capture_pcm_ops = {
85245 .open = capture_pcm_open,
85246 .close = capture_pcm_close,
85247 .ioctl = snd_pcm_lib_ioctl,
85248 @@ -899,7 +899,7 @@ static struct snd_pcm_ops capture_pcm_op
85249 .mmap = snd_pcm_lib_mmap_vmalloc,
85250 };
85251
85252 -static struct snd_pcm_ops playback_pcm_ops = {
85253 +static const struct snd_pcm_ops playback_pcm_ops = {
85254 .open = playback_pcm_open,
85255 .close = playback_pcm_close,
85256 .ioctl = snd_pcm_lib_ioctl,
85257 diff -urNp linux-2.6.39.3/sound/usb/mixer.c linux-2.6.39.3/sound/usb/mixer.c
85258 --- linux-2.6.39.3/sound/usb/mixer.c 2011-05-19 00:06:34.000000000 -0400
85259 +++ linux-2.6.39.3/sound/usb/mixer.c 2011-05-22 19:36:36.000000000 -0400
85260 @@ -2201,7 +2201,7 @@ static int snd_usb_mixer_status_create(s
85261 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
85262 int ignore_error)
85263 {
85264 - static struct snd_device_ops dev_ops = {
85265 + static const struct snd_device_ops dev_ops = {
85266 .dev_free = snd_usb_mixer_dev_free
85267 };
85268 struct usb_mixer_interface *mixer;
85269 diff -urNp linux-2.6.39.3/sound/usb/pcm.c linux-2.6.39.3/sound/usb/pcm.c
85270 --- linux-2.6.39.3/sound/usb/pcm.c 2011-05-19 00:06:34.000000000 -0400
85271 +++ linux-2.6.39.3/sound/usb/pcm.c 2011-05-22 19:36:36.000000000 -0400
85272 @@ -844,7 +844,7 @@ static int snd_usb_capture_close(struct
85273 return snd_usb_pcm_close(substream, SNDRV_PCM_STREAM_CAPTURE);
85274 }
85275
85276 -static struct snd_pcm_ops snd_usb_playback_ops = {
85277 +static const struct snd_pcm_ops snd_usb_playback_ops = {
85278 .open = snd_usb_playback_open,
85279 .close = snd_usb_playback_close,
85280 .ioctl = snd_pcm_lib_ioctl,
85281 @@ -857,7 +857,7 @@ static struct snd_pcm_ops snd_usb_playba
85282 .mmap = snd_pcm_lib_mmap_vmalloc,
85283 };
85284
85285 -static struct snd_pcm_ops snd_usb_capture_ops = {
85286 +static const struct snd_pcm_ops snd_usb_capture_ops = {
85287 .open = snd_usb_capture_open,
85288 .close = snd_usb_capture_close,
85289 .ioctl = snd_pcm_lib_ioctl,
85290 diff -urNp linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c
85291 --- linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-19 00:06:34.000000000 -0400
85292 +++ linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-22 19:36:36.000000000 -0400
85293 @@ -919,8 +919,7 @@ static int snd_usX2Y_pcm_close(struct sn
85294 }
85295
85296
85297 -static struct snd_pcm_ops snd_usX2Y_pcm_ops =
85298 -{
85299 +static const struct snd_pcm_ops snd_usX2Y_pcm_ops = {
85300 .open = snd_usX2Y_pcm_open,
85301 .close = snd_usX2Y_pcm_close,
85302 .ioctl = snd_pcm_lib_ioctl,
85303 diff -urNp linux-2.6.39.3/tools/gcc/Makefile linux-2.6.39.3/tools/gcc/Makefile
85304 --- linux-2.6.39.3/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
85305 +++ linux-2.6.39.3/tools/gcc/Makefile 2011-06-03 01:19:01.000000000 -0400
85306 @@ -0,0 +1,11 @@
85307 +#CC := gcc
85308 +#PLUGIN_SOURCE_FILES := pax_plugin.c
85309 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
85310 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
85311 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
85312 +
85313 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
85314 +
85315 +hostlibs-y := pax_plugin.so
85316 +always := $(hostlibs-y)
85317 +pax_plugin-objs := pax_plugin.o
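Review bot: `GCCPLUGINS_DIR` is taken from `$(HOSTCC) -print-file-name=plugin` with no check of the result. When the host compiler has no plugin support, gcc echoes the bare name `plugin`, so `HOST_EXTRACFLAGS` gets `-Iplugin/include` and the build fails later on a missing `gcc-plugin.h` instead of with a clear message. Unless the Makefile that descends into this directory (not visible here) already gates it on plugin support, a guard that tests for `$(GCCPLUGINS_DIR)/include/gcc-plugin.h` would make the failure explicit. The four commented-out assignments (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) are dead and could be dropped.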
85318 diff -urNp linux-2.6.39.3/tools/gcc/pax_plugin.c linux-2.6.39.3/tools/gcc/pax_plugin.c
85319 --- linux-2.6.39.3/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
85320 +++ linux-2.6.39.3/tools/gcc/pax_plugin.c 2011-07-06 20:00:13.000000000 -0400
85321 @@ -0,0 +1,243 @@
85322 +/*
85323 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
85324 + * Licensed under the GPL v2
85325 + *
85326 + * Note: the choice of the license means that the compilation process is
85327 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
85328 + * but for the kernel it doesn't matter since it doesn't link against
85329 + * any of the gcc libraries
85330 + *
85331 + * gcc plugin to help implement various PaX features
85332 + *
85333 + * - track lowest stack pointer
85334 + *
85335 + * TODO:
85336 + * - initialize all local variables
85337 + *
85338 + * BUGS:
85339 + * - cloned functions are instrumented twice
85340 + */
85341 +#include "gcc-plugin.h"
85342 +#include "plugin-version.h"
85343 +#include "config.h"
85344 +#include "system.h"
85345 +#include "coretypes.h"
85346 +#include "tm.h"
85347 +#include "toplev.h"
85348 +#include "basic-block.h"
85349 +#include "gimple.h"
85350 +//#include "expr.h" where are you...
85351 +#include "diagnostic.h"
85352 +#include "rtl.h"
85353 +#include "emit-rtl.h"
85354 +#include "function.h"
85355 +#include "tree.h"
85356 +#include "tree-pass.h"
85357 +#include "intl.h"
85358 +
85359 +int plugin_is_GPL_compatible;
85360 +
85361 +static int track_frame_size = -1;
85362 +static const char track_function[] = "pax_track_stack";
85363 +static bool init_locals;
85364 +
85365 +static struct plugin_info pax_plugin_info = {
85366 + .version = "201106030000",
85367 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
85368 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
85369 +};
85370 +
85371 +static bool gate_pax_track_stack(void);
85372 +static unsigned int execute_pax_tree_instrument(void);
85373 +static unsigned int execute_pax_final(void);
85374 +
85375 +static struct gimple_opt_pass pax_tree_instrument_pass = {
85376 + .pass = {
85377 + .type = GIMPLE_PASS,
85378 + .name = "pax_tree_instrument",
85379 + .gate = gate_pax_track_stack,
85380 + .execute = execute_pax_tree_instrument,
85381 + .sub = NULL,
85382 + .next = NULL,
85383 + .static_pass_number = 0,
85384 + .tv_id = TV_NONE,
85385 + .properties_required = PROP_gimple_leh | PROP_cfg,
85386 + .properties_provided = 0,
85387 + .properties_destroyed = 0,
85388 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
85389 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
85390 + }
85391 +};
85392 +
85393 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
85394 + .pass = {
85395 + .type = RTL_PASS,
85396 + .name = "pax_final",
85397 + .gate = gate_pax_track_stack,
85398 + .execute = execute_pax_final,
85399 + .sub = NULL,
85400 + .next = NULL,
85401 + .static_pass_number = 0,
85402 + .tv_id = TV_NONE,
85403 + .properties_required = 0,
85404 + .properties_provided = 0,
85405 + .properties_destroyed = 0,
85406 + .todo_flags_start = 0,
85407 + .todo_flags_finish = 0
85408 + }
85409 +};
85410 +
85411 +static bool gate_pax_track_stack(void)
85412 +{
85413 + return track_frame_size >= 0;
85414 +}
85415 +
85416 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
85417 +{
85418 + gimple call;
85419 + tree decl, type;
85420 +
85421 + // insert call to void pax_track_stack(void)
85422 + type = build_function_type_list(void_type_node, NULL_TREE);
85423 + decl = build_fn_decl(track_function, type);
85424 + DECL_ASSEMBLER_NAME(decl); // for LTO
85425 + call = gimple_build_call(decl, 0);
85426 + if (before)
85427 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
85428 + else
85429 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
85430 +}
85431 +
85432 +static unsigned int execute_pax_tree_instrument(void)
85433 +{
85434 + basic_block bb;
85435 + gimple_stmt_iterator gsi;
85436 +
85437 + // 1. loop through BBs and GIMPLE statements
85438 + FOR_EACH_BB(bb) {
85439 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
85440 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
85441 + tree decl;
85442 + gimple stmt = gsi_stmt(gsi);
85443 +
85444 + if (!is_gimple_call(stmt))
85445 + continue;
85446 + decl = gimple_call_fndecl(stmt);
85447 + if (!decl)
85448 + continue;
85449 + if (TREE_CODE(decl) != FUNCTION_DECL)
85450 + continue;
85451 + if (!DECL_BUILT_IN(decl))
85452 + continue;
85453 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
85454 + continue;
85455 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
85456 + continue;
85457 +
85458 + // 2. insert track call after each __builtin_alloca call
85459 + pax_add_instrumentation(&gsi, false);
85460 +// print_node(stderr, "pax", decl, 4);
85461 + }
85462 + }
85463 +
85464 + // 3. insert track call at the beginning
85465 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
85466 + gsi = gsi_start_bb(bb);
85467 + pax_add_instrumentation(&gsi, true);
85468 +
85469 + return 0;
85470 +}
85471 +
85472 +static unsigned int execute_pax_final(void)
85473 +{
85474 + rtx insn;
85475 +
85476 + if (cfun->calls_alloca)
85477 + return 0;
85478 +
85479 + // 1. find pax_track_stack calls
85480 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
85481 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
85482 + rtx body;
85483 +
85484 + if (!CALL_P(insn))
85485 + continue;
85486 + body = PATTERN(insn);
85487 + if (GET_CODE(body) != CALL)
85488 + continue;
85489 + body = XEXP(body, 0);
85490 + if (GET_CODE(body) != MEM)
85491 + continue;
85492 + body = XEXP(body, 0);
85493 + if (GET_CODE(body) != SYMBOL_REF)
85494 + continue;
85495 + if (strcmp(XSTR(body, 0), track_function))
85496 + continue;
85497 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85498 + // 2. delete call if function frame is not big enough
85499 + if (get_frame_size() >= track_frame_size)
85500 + continue;
85501 + delete_insn_and_edges(insn);
85502 + }
85503 +
85504 +// print_simple_rtl(stderr, get_insns());
85505 +// print_rtl(stderr, get_insns());
85506 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85507 +
85508 + return 0;
85509 +}
85510 +
85511 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
85512 +{
85513 + const char * const plugin_name = plugin_info->base_name;
85514 + const int argc = plugin_info->argc;
85515 + const struct plugin_argument * const argv = plugin_info->argv;
85516 + int i;
85517 + struct register_pass_info pax_tree_instrument_pass_info = {
85518 + .pass = &pax_tree_instrument_pass.pass,
85519 +// .reference_pass_name = "tree_profile",
85520 + .reference_pass_name = "optimized",
85521 + .ref_pass_instance_number = 0,
85522 + .pos_op = PASS_POS_INSERT_AFTER
85523 + };
85524 + struct register_pass_info pax_final_pass_info = {
85525 + .pass = &pax_final_rtl_opt_pass.pass,
85526 + .reference_pass_name = "final",
85527 + .ref_pass_instance_number = 0,
85528 + .pos_op = PASS_POS_INSERT_BEFORE
85529 + };
85530 +
85531 + if (!plugin_default_version_check(version, &gcc_version)) {
85532 + error(G_("incompatible gcc/plugin versions"));
85533 + return 1;
85534 + }
85535 +
85536 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
85537 +
85538 + for (i = 0; i < argc; ++i) {
85539 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
85540 + if (!argv[i].value) {
85541 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85542 + continue;
85543 + }
85544 + track_frame_size = atoi(argv[i].value);
85545 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
85546 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85547 + continue;
85548 + }
85549 + if (!strcmp(argv[i].key, "initialize-locals")) {
85550 + if (argv[i].value) {
85551 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85552 + continue;
85553 + }
85554 + init_locals = true;
85555 + continue;
85556 + }
85557 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85558 + }
85559 +
85560 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
85561 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
85562 +
85563 + return 0;
85564 +}
85565 diff -urNp linux-2.6.39.3/tools/perf/builtin-lock.c linux-2.6.39.3/tools/perf/builtin-lock.c
85566 --- linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-19 00:06:34.000000000 -0400
85567 +++ linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-22 19:36:36.000000000 -0400
85568 @@ -635,14 +635,14 @@ end:
85569
85570 /* lock oriented handlers */
85571 /* TODO: handlers for CPU oriented, thread oriented */
85572 -static struct trace_lock_handler report_lock_ops = {
85573 +static const struct trace_lock_handler report_lock_ops = {
85574 .acquire_event = report_lock_acquire_event,
85575 .acquired_event = report_lock_acquired_event,
85576 .contended_event = report_lock_contended_event,
85577 .release_event = report_lock_release_event,
85578 };
85579
85580 -static struct trace_lock_handler *trace_handler;
85581 +static const struct trace_lock_handler *trace_handler;
85582
85583 static void
85584 process_lock_acquire_event(void *data,
85585 diff -urNp linux-2.6.39.3/tools/perf/builtin-sched.c linux-2.6.39.3/tools/perf/builtin-sched.c
85586 --- linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-19 00:06:34.000000000 -0400
85587 +++ linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-22 19:36:36.000000000 -0400
85588 @@ -845,7 +845,7 @@ replay_fork_event(struct trace_fork_even
85589 register_pid(fork_event->child_pid, fork_event->child_comm);
85590 }
85591
85592 -static struct trace_sched_handler replay_ops = {
85593 +static const struct trace_sched_handler replay_ops = {
85594 .wakeup_event = replay_wakeup_event,
85595 .switch_event = replay_switch_event,
85596 .fork_event = replay_fork_event,
85597 @@ -1183,7 +1183,7 @@ latency_migrate_task_event(struct trace_
85598 nr_unordered_timestamps++;
85599 }
85600
85601 -static struct trace_sched_handler lat_ops = {
85602 +static const struct trace_sched_handler lat_ops = {
85603 .wakeup_event = latency_wakeup_event,
85604 .switch_event = latency_switch_event,
85605 .runtime_event = latency_runtime_event,
85606 @@ -1353,7 +1353,7 @@ static void sort_lat(void)
85607 }
85608 }
85609
85610 -static struct trace_sched_handler *trace_handler;
85611 +static const struct trace_sched_handler *trace_handler;
85612
85613 static void
85614 process_sched_wakeup_event(void *data, struct perf_session *session,
85615 @@ -1719,7 +1719,7 @@ static void __cmd_lat(void)
85616
85617 }
85618
85619 -static struct trace_sched_handler map_ops = {
85620 +static const struct trace_sched_handler map_ops = {
85621 .wakeup_event = NULL,
85622 .switch_event = map_switch_event,
85623 .runtime_event = NULL,
85624 diff -urNp linux-2.6.39.3/usr/gen_init_cpio.c linux-2.6.39.3/usr/gen_init_cpio.c
85625 --- linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-19 00:06:34.000000000 -0400
85626 +++ linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-22 19:36:36.000000000 -0400
85627 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
85628 int retval;
85629 int rc = -1;
85630 int namesize;
85631 - int i;
85632 + unsigned int i;
85633
85634 mode |= S_IFREG;
85635
85636 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
85637 *env_var = *expanded = '\0';
85638 strncat(env_var, start + 2, end - start - 2);
85639 strncat(expanded, new_location, start - new_location);
85640 - strncat(expanded, getenv(env_var), PATH_MAX);
85641 - strncat(expanded, end + 1, PATH_MAX);
85642 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
85643 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
85644 strncpy(new_location, expanded, PATH_MAX);
85645 + new_location[PATH_MAX] = 0;
85646 } else
85647 break;
85648 }
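Review bot: The new `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded))` line still passes getenv()'s result straight to strncat(), so a variable that is not set in the environment hands it a NULL pointer, which is undefined behaviour. Fetch the value first and skip or reject the expansion when it is missing: `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The two context strncat() calls above it are bounded only by the length of the text being copied, so they rely on env_var and expanded being at least PATH_MAX + 1 bytes. Those declarations are outside the hunk, as is the size of new_location, which the added `new_location[PATH_MAX] = 0;` also assumes.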
85649 diff -urNp linux-2.6.39.3/virt/kvm/kvm_main.c linux-2.6.39.3/virt/kvm/kvm_main.c
85650 --- linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-19 00:06:34.000000000 -0400
85651 +++ linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-22 19:36:36.000000000 -0400
85652 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
85653
85654 static cpumask_var_t cpus_hardware_enabled;
85655 static int kvm_usage_count = 0;
85656 -static atomic_t hardware_enable_failed;
85657 +static atomic_unchecked_t hardware_enable_failed;
85658
85659 struct kmem_cache *kvm_vcpu_cache;
85660 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
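Review bot: `hardware_enable_failed` becomes `atomic_unchecked_t` with no comment saying why it is safe to take it out of overflow checking. In the later hunks it is reset to 0, incremented when enabling virtualization fails on a CPU, and tested for non-zero in hardware_enable_all(), so it appears to be a plain failure counter rather than a reference count. A one-line comment at the declaration would record that reasoning, e.g. `/* failure counter, not a refcount; overflow checking not needed */`. The same conversion is carried through the `atomic_inc_unchecked`, `atomic_set_unchecked` and `atomic_read_unchecked` hunks below.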
85661 @@ -1594,7 +1594,7 @@ static int kvm_vcpu_release(struct inode
85662 return 0;
85663 }
85664
85665 -static struct file_operations kvm_vcpu_fops = {
85666 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
85667 .release = kvm_vcpu_release,
85668 .unlocked_ioctl = kvm_vcpu_ioctl,
85669 .compat_ioctl = kvm_vcpu_ioctl,
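Review bot: The added `/* cannot be const */` on kvm_vcpu_fops states the restriction but not its cause, and the same bare comment is repeated on kvm_vm_fops and kvm_chardev_ops in the next two hunks. Nothing in these hunks writes to the structures, so presumably a field is assigned at run time elsewhere in the file, which is not visible here. Naming it would keep a later constification pass from breaking the build or silently undoing this, e.g. `/* cannot be const: <field> is assigned in <function> */` with the real names substituted.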
85670 @@ -2063,7 +2063,7 @@ static int kvm_vm_mmap(struct file *file
85671 return 0;
85672 }
85673
85674 -static struct file_operations kvm_vm_fops = {
85675 +static struct file_operations kvm_vm_fops = { /* cannot be const */
85676 .release = kvm_vm_release,
85677 .unlocked_ioctl = kvm_vm_ioctl,
85678 #ifdef CONFIG_COMPAT
85679 @@ -2161,7 +2161,7 @@ out:
85680 return r;
85681 }
85682
85683 -static struct file_operations kvm_chardev_ops = {
85684 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
85685 .unlocked_ioctl = kvm_dev_ioctl,
85686 .compat_ioctl = kvm_dev_ioctl,
85687 .llseek = noop_llseek,
85688 @@ -2187,7 +2187,7 @@ static void hardware_enable_nolock(void
85689
85690 if (r) {
85691 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
85692 - atomic_inc(&hardware_enable_failed);
85693 + atomic_inc_unchecked(&hardware_enable_failed);
85694 printk(KERN_INFO "kvm: enabling virtualization on "
85695 "CPU%d failed\n", cpu);
85696 }
85697 @@ -2241,10 +2241,10 @@ static int hardware_enable_all(void)
85698
85699 kvm_usage_count++;
85700 if (kvm_usage_count == 1) {
85701 - atomic_set(&hardware_enable_failed, 0);
85702 + atomic_set_unchecked(&hardware_enable_failed, 0);
85703 on_each_cpu(hardware_enable_nolock, NULL, 1);
85704
85705 - if (atomic_read(&hardware_enable_failed)) {
85706 + if (atomic_read_unchecked(&hardware_enable_failed)) {
85707 hardware_disable_all_nolock();
85708 r = -EBUSY;
85709 }
85710 @@ -2509,7 +2509,7 @@ static void kvm_sched_out(struct preempt
85711 kvm_arch_vcpu_put(vcpu);
85712 }
85713
85714 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85715 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85716 struct module *module)
85717 {
85718 int r;
85719 @@ -2572,7 +2572,7 @@ int kvm_init(void *opaque, unsigned vcpu
85720 if (!vcpu_align)
85721 vcpu_align = __alignof__(struct kvm_vcpu);
85722 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
85723 - 0, NULL);
85724 + SLAB_USERCOPY, NULL);
85725 if (!kvm_vcpu_cache) {
85726 r = -ENOMEM;
85727 goto out_free_3;
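Review bot: Passing `SLAB_USERCOPY` to kmem_cache_create() whitelists every object in the kvm_vcpu cache, all vcpu_size bytes of it, for copies to and from userland, and there is no comment saying which copy requires it. As I understand the patch's usercopy hardening, that is broader than needed if only a small part of the vcpu state is ever copied directly. The narrower option is to leave the cache unflagged and bounce those copies through a stack or kmalloc buffer. If the flag stays, document it at the call, e.g. `/* vcpu state is copied to/from userland by the vcpu ioctls */`, after confirming which paths do so. kvm_init() begins and continues outside this hunk.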