Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.39.3-201107191826.patch
1 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3 +++ linux-2.6.39.3/arch/alpha/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
4 @@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
16 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/elf.h linux-2.6.39.3/arch/alpha/include/asm/elf.h
17 --- linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
18 +++ linux-2.6.39.3/arch/alpha/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
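Review bot: The three macros added under `CONFIG_PAX_ASLR` carry no comment, so a reader cannot tell what 14, 28 and 19 measure or why `PAX_ELF_ET_DYN_BASE` is 0x10000 for `ADDR_LIMIT_32BIT` tasks. Going by the `_LEN` suffix these look like bit counts for the randomised range; if that is right, say so, e.g. `/* number of randomised bits for the mmap and stack base */`. The comment should also note that the macros expand `current`, so they depend on the calling task.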
33 diff -urNp linux-2.6.39.3/arch/alpha/include/asm/pgtable.h linux-2.6.39.3/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
35 +++ linux-2.6.39.3/arch/alpha/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
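Review bot: The `#else` branch aliases `PAGE_SHARED_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` to the ordinary protections, so with CONFIG_PAX_PAGEEXEC off the `_NOEXEC` names give no non-executable guarantee. That is a sensible fallback, but it is undocumented. A comment above the block, such as `/* _NOEXEC variants add _PAGE_FOE only under CONFIG_PAX_PAGEEXEC; otherwise they equal the plain protections */`, would stop callers from relying on the name alone.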
54 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_apecs.c linux-2.6.39.3/arch/alpha/kernel/core_apecs.c
55 --- linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-19 00:06:34.000000000 -0400
56 +++ linux-2.6.39.3/arch/alpha/kernel/core_apecs.c 2011-05-22 19:36:30.000000000 -0400
57 @@ -305,7 +305,7 @@ apecs_write_config(struct pci_bus *bus,
58 return PCIBIOS_SUCCESSFUL;
59 }
60
61 -struct pci_ops apecs_pci_ops =
62 +const struct pci_ops apecs_pci_ops =
63 {
64 .read = apecs_read_config,
65 .write = apecs_write_config,
66 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_cia.c linux-2.6.39.3/arch/alpha/kernel/core_cia.c
67 --- linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-19 00:06:34.000000000 -0400
68 +++ linux-2.6.39.3/arch/alpha/kernel/core_cia.c 2011-05-22 19:36:30.000000000 -0400
69 @@ -239,7 +239,7 @@ cia_write_config(struct pci_bus *bus, un
70 return PCIBIOS_SUCCESSFUL;
71 }
72
73 -struct pci_ops cia_pci_ops =
74 +const struct pci_ops cia_pci_ops =
75 {
76 .read = cia_read_config,
77 .write = cia_write_config,
78 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_irongate.c linux-2.6.39.3/arch/alpha/kernel/core_irongate.c
79 --- linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-19 00:06:34.000000000 -0400
80 +++ linux-2.6.39.3/arch/alpha/kernel/core_irongate.c 2011-05-22 19:36:30.000000000 -0400
81 @@ -155,7 +155,7 @@ irongate_write_config(struct pci_bus *bu
82 return PCIBIOS_SUCCESSFUL;
83 }
84
85 -struct pci_ops irongate_pci_ops =
86 +const struct pci_ops irongate_pci_ops =
87 {
88 .read = irongate_read_config,
89 .write = irongate_write_config,
90 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_lca.c linux-2.6.39.3/arch/alpha/kernel/core_lca.c
91 --- linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-19 00:06:34.000000000 -0400
92 +++ linux-2.6.39.3/arch/alpha/kernel/core_lca.c 2011-05-22 19:36:30.000000000 -0400
93 @@ -231,7 +231,7 @@ lca_write_config(struct pci_bus *bus, un
94 return PCIBIOS_SUCCESSFUL;
95 }
96
97 -struct pci_ops lca_pci_ops =
98 +const struct pci_ops lca_pci_ops =
99 {
100 .read = lca_read_config,
101 .write = lca_write_config,
102 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_marvel.c linux-2.6.39.3/arch/alpha/kernel/core_marvel.c
103 --- linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-19 00:06:34.000000000 -0400
104 +++ linux-2.6.39.3/arch/alpha/kernel/core_marvel.c 2011-05-22 19:36:30.000000000 -0400
105 @@ -588,7 +588,7 @@ marvel_write_config(struct pci_bus *bus,
106 return PCIBIOS_SUCCESSFUL;
107 }
108
109 -struct pci_ops marvel_pci_ops =
110 +const struct pci_ops marvel_pci_ops =
111 {
112 .read = marvel_read_config,
113 .write = marvel_write_config,
114 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c
115 --- linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-19 00:06:34.000000000 -0400
116 +++ linux-2.6.39.3/arch/alpha/kernel/core_mcpcia.c 2011-05-22 19:36:30.000000000 -0400
117 @@ -235,7 +235,7 @@ mcpcia_write_config(struct pci_bus *bus,
118 return PCIBIOS_SUCCESSFUL;
119 }
120
121 -struct pci_ops mcpcia_pci_ops =
122 +const struct pci_ops mcpcia_pci_ops =
123 {
124 .read = mcpcia_read_config,
125 .write = mcpcia_write_config,
126 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_polaris.c linux-2.6.39.3/arch/alpha/kernel/core_polaris.c
127 --- linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-19 00:06:34.000000000 -0400
128 +++ linux-2.6.39.3/arch/alpha/kernel/core_polaris.c 2011-05-22 19:36:30.000000000 -0400
129 @@ -136,7 +136,7 @@ polaris_write_config(struct pci_bus *bus
130 return PCIBIOS_SUCCESSFUL;
131 }
132
133 -struct pci_ops polaris_pci_ops =
134 +const struct pci_ops polaris_pci_ops =
135 {
136 .read = polaris_read_config,
137 .write = polaris_write_config,
138 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_t2.c linux-2.6.39.3/arch/alpha/kernel/core_t2.c
139 --- linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-19 00:06:34.000000000 -0400
140 +++ linux-2.6.39.3/arch/alpha/kernel/core_t2.c 2011-05-22 19:36:30.000000000 -0400
141 @@ -314,7 +314,7 @@ t2_write_config(struct pci_bus *bus, uns
142 return PCIBIOS_SUCCESSFUL;
143 }
144
145 -struct pci_ops t2_pci_ops =
146 +const struct pci_ops t2_pci_ops =
147 {
148 .read = t2_read_config,
149 .write = t2_write_config,
150 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_titan.c linux-2.6.39.3/arch/alpha/kernel/core_titan.c
151 --- linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-19 00:06:34.000000000 -0400
152 +++ linux-2.6.39.3/arch/alpha/kernel/core_titan.c 2011-05-22 19:36:30.000000000 -0400
153 @@ -191,7 +191,7 @@ titan_write_config(struct pci_bus *bus,
154 return PCIBIOS_SUCCESSFUL;
155 }
156
157 -struct pci_ops titan_pci_ops =
158 +const struct pci_ops titan_pci_ops =
159 {
160 .read = titan_read_config,
161 .write = titan_write_config,
162 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c
163 --- linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-19 00:06:34.000000000 -0400
164 +++ linux-2.6.39.3/arch/alpha/kernel/core_tsunami.c 2011-05-22 19:36:30.000000000 -0400
165 @@ -166,7 +166,7 @@ tsunami_write_config(struct pci_bus *bus
166 return PCIBIOS_SUCCESSFUL;
167 }
168
169 -struct pci_ops tsunami_pci_ops =
170 +const struct pci_ops tsunami_pci_ops =
171 {
172 .read = tsunami_read_config,
173 .write = tsunami_write_config,
174 diff -urNp linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c
175 --- linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-19 00:06:34.000000000 -0400
176 +++ linux-2.6.39.3/arch/alpha/kernel/core_wildfire.c 2011-05-22 19:36:30.000000000 -0400
177 @@ -431,7 +431,7 @@ wildfire_write_config(struct pci_bus *bu
178 return PCIBIOS_SUCCESSFUL;
179 }
180
181 -struct pci_ops wildfire_pci_ops =
182 +const struct pci_ops wildfire_pci_ops =
183 {
184 .read = wildfire_read_config,
185 .write = wildfire_write_config,
186 diff -urNp linux-2.6.39.3/arch/alpha/kernel/module.c linux-2.6.39.3/arch/alpha/kernel/module.c
187 --- linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
188 +++ linux-2.6.39.3/arch/alpha/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
189 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
190
191 /* The small sections were sorted to the end of the segment.
192 The following should definitely cover them. */
193 - gp = (u64)me->module_core + me->core_size - 0x8000;
194 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
195 got = sechdrs[me->arch.gotsecindex].sh_addr;
196
197 for (i = 0; i < n; i++) {
198 diff -urNp linux-2.6.39.3/arch/alpha/kernel/osf_sys.c linux-2.6.39.3/arch/alpha/kernel/osf_sys.c
199 --- linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-05-19 00:06:34.000000000 -0400
200 +++ linux-2.6.39.3/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:07.000000000 -0400
201 @@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
202 return -EFAULT;
203
204 len = namelen;
205 - if (namelen > 32)
206 + if (len > 32)
207 len = 32;
208
209 down_read(&uts_sem);
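Review bot: Whether `if (len > 32)` really bounds the copy depends on `len` being an unsigned type, and its declaration lies outside this hunk. If it is unsigned, a negative `namelen` is now clamped to 32 instead of slipping past the old signed test. Stating the intent directly would be more robust, e.g. `if (namelen < 0) return -EINVAL;` before `len = namelen;`, with a named constant in place of the bare 32. The body of osf_getdomainname starts and ends outside the hunk.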
210 @@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
211 down_read(&uts_sem);
212 res = sysinfo_table[offset];
213 len = strlen(res)+1;
214 - if (len > count)
215 + if ((unsigned long)len > (unsigned long)count)
216 len = count;
217 if (copy_to_user(buf, res, len))
218 err = -EFAULT;
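Review bot: A negative `count` is handled here only by being reinterpreted as a very large unsigned bound, so `len` stays at `strlen(res)+1` and the whole string is copied to `buf` even though the caller passed a nonsensical size. Assuming `count` is a signed type, as the added casts suggest, rejecting it before `down_read(&uts_sem)` would be clearer: `if (count < 0) return -EINVAL;`. The declarations of `len` and `count` are outside the hunk, so the types should be confirmed there.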
219 @@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
220 return 1;
221
222 case GSI_GET_HWRPB:
223 - if (nbytes < sizeof(*hwrpb))
224 + if (nbytes > sizeof(*hwrpb))
225 return -EINVAL;
226 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
227 return -EFAULT;
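Review bot: The flipped test under `case GSI_GET_HWRPB` has no comment explaining why larger requests are refused, and the bound is what keeps `copy_to_user(buffer, hwrpb, nbytes)` from reading past `*hwrpb`. A one-line comment such as `/* never copy more than *hwrpb holds */` would keep the comparison from being turned back round later. It also changes the contract from "buffer at least the structure size" to "at most"; if existing callers pass larger buffers, clamping `nbytes` to `sizeof(*hwrpb)` would preserve them while keeping the read bounded.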
228 @@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
229 {
230 struct rusage r;
231 long ret, err;
232 + unsigned int status = 0;
233 mm_segment_t old_fs;
234
235 if (!ur)
236 @@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
237 old_fs = get_fs();
238
239 set_fs (KERNEL_DS);
240 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
241 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
242 + (struct rusage __user *) &r);
243 set_fs (old_fs);
244
245 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
246 return -EFAULT;
247
248 err = 0;
249 + err |= put_user(status, ustatus);
250 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
251 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
252 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
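Review bot: `status` is zero-initialised in the previous hunk but `struct rusage r` is not, and nothing visible between `set_fs (old_fs)` and the `__put_user` lines checks `ret`. If sys_wait4 fails before filling `r`, those stores would copy uninitialised kernel stack to user space; consider `if (ret < 0) return ret;` after restoring the address limit, or `memset(&r, 0, sizeof(r));` before the call. Separately, `put_user(status, ustatus)` runs unconditionally, so a NULL `ustatus` would presumably now yield -EFAULT where the direct sys_wait4 call skipped the store; `if (ustatus) err |= put_user(status, ustatus);` keeps that behaviour. The function continues outside the hunk.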
253 @@ -1142,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
254 /* At this point: (!vma || addr < vma->vm_end). */
255 if (limit - len < addr)
256 return -ENOMEM;
257 - if (!vma || addr + len <= vma->vm_start)
258 + if (check_heap_stack_gap(vma, addr, len))
259 return addr;
260 addr = vma->vm_end;
261 vma = vma->vm_next;
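Review bot: The old condition short-circuited on `!vma`, whereas `check_heap_stack_gap(vma, addr, len)` now receives a possibly NULL `vma`, and a false return is followed directly by `addr = vma->vm_end;`. The helper is defined outside this hunk, so this is safe only if it returns true for a NULL `vma`. Once that is confirmed, a call-site comment such as `/* check_heap_stack_gap() returns true for vma == NULL */` would make the dependency visible. The enclosing loop in arch_get_unmapped_area_1 starts outside the hunk.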
262 @@ -1178,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
263 merely specific addresses, but regions of memory -- perhaps
264 this feature should be incorporated into all ports? */
265
266 +#ifdef CONFIG_PAX_RANDMMAP
267 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
268 +#endif
269 +
270 if (addr) {
271 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
272 if (addr != (unsigned long) -ENOMEM)
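Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it governs the following `if (addr) {` block across an `#endif` and a blank line. That is easy to break, because any statement later inserted between the two becomes the conditional body instead. Drop the blank line and add a comment on the guard, e.g. `/* controls the if (addr) block below: ignore the address hint under RANDMMAP */`. arch_get_unmapped_area starts and ends outside the hunk.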
273 @@ -1185,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
274 }
275
276 /* Next, try allocating at TASK_UNMAPPED_BASE. */
277 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
278 - len, limit);
279 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
280 +
281 if (addr != (unsigned long) -ENOMEM)
282 return addr;
283
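Review bot: The context comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, since the search starts at `current->mm->mmap_base`. Update it, e.g. `/* Next, try allocating at the mm's mmap_base. */`. Whether `mmap_base` is always set for this architecture before the first call is not visible in this hunk and is worth confirming.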
284 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c
285 --- linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-19 00:06:34.000000000 -0400
286 +++ linux-2.6.39.3/arch/alpha/kernel/pci_iommu.c 2011-05-22 19:36:30.000000000 -0400
287 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
288 return 0;
289 }
290
291 -struct dma_map_ops alpha_pci_ops = {
292 +const struct dma_map_ops alpha_pci_ops = {
293 .alloc_coherent = alpha_pci_alloc_coherent,
294 .free_coherent = alpha_pci_free_coherent,
295 .map_page = alpha_pci_map_page,
296 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
297 .set_dma_mask = alpha_pci_set_mask,
298 };
299
300 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
301 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
302 EXPORT_SYMBOL(dma_ops);
303 diff -urNp linux-2.6.39.3/arch/alpha/kernel/pci-noop.c linux-2.6.39.3/arch/alpha/kernel/pci-noop.c
304 --- linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-19 00:06:34.000000000 -0400
305 +++ linux-2.6.39.3/arch/alpha/kernel/pci-noop.c 2011-05-22 19:36:30.000000000 -0400
306 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
307 return 0;
308 }
309
310 -struct dma_map_ops alpha_noop_ops = {
311 +const struct dma_map_ops alpha_noop_ops = {
312 .alloc_coherent = alpha_noop_alloc_coherent,
313 .free_coherent = alpha_noop_free_coherent,
314 .map_page = alpha_noop_map_page,
315 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
316 .set_dma_mask = alpha_noop_set_mask,
317 };
318
319 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
320 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
321 EXPORT_SYMBOL(dma_ops);
322
323 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
324 diff -urNp linux-2.6.39.3/arch/alpha/kernel/proto.h linux-2.6.39.3/arch/alpha/kernel/proto.h
325 --- linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-19 00:06:34.000000000 -0400
326 +++ linux-2.6.39.3/arch/alpha/kernel/proto.h 2011-05-22 19:36:30.000000000 -0400
327 @@ -17,14 +17,14 @@ struct pci_dev;
328 struct pci_controller;
329
330 /* core_apecs.c */
331 -extern struct pci_ops apecs_pci_ops;
332 +extern const struct pci_ops apecs_pci_ops;
333 extern void apecs_init_arch(void);
334 extern void apecs_pci_clr_err(void);
335 extern void apecs_machine_check(unsigned long vector, unsigned long la_ptr);
336 extern void apecs_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
337
338 /* core_cia.c */
339 -extern struct pci_ops cia_pci_ops;
340 +extern const struct pci_ops cia_pci_ops;
341 extern void cia_init_pci(void);
342 extern void cia_init_arch(void);
343 extern void pyxis_init_arch(void);
344 @@ -33,19 +33,19 @@ extern void cia_machine_check(unsigned l
345 extern void cia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
346
347 /* core_irongate.c */
348 -extern struct pci_ops irongate_pci_ops;
349 +extern const struct pci_ops irongate_pci_ops;
350 extern int irongate_pci_clr_err(void);
351 extern void irongate_init_arch(void);
352 #define irongate_pci_tbi ((void *)0)
353
354 /* core_lca.c */
355 -extern struct pci_ops lca_pci_ops;
356 +extern const struct pci_ops lca_pci_ops;
357 extern void lca_init_arch(void);
358 extern void lca_machine_check(unsigned long vector, unsigned long la_ptr);
359 extern void lca_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
360
361 /* core_marvel.c */
362 -extern struct pci_ops marvel_pci_ops;
363 +extern const struct pci_ops marvel_pci_ops;
364 extern void marvel_init_arch(void);
365 extern void marvel_kill_arch(int);
366 extern void marvel_machine_check(unsigned long, unsigned long);
367 @@ -60,14 +60,14 @@ struct io7 *marvel_next_io7(struct io7 *
368 void io7_clear_errors(struct io7 *io7);
369
370 /* core_mcpcia.c */
371 -extern struct pci_ops mcpcia_pci_ops;
372 +extern const struct pci_ops mcpcia_pci_ops;
373 extern void mcpcia_init_arch(void);
374 extern void mcpcia_init_hoses(void);
375 extern void mcpcia_machine_check(unsigned long vector, unsigned long la_ptr);
376 extern void mcpcia_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
377
378 /* core_polaris.c */
379 -extern struct pci_ops polaris_pci_ops;
380 +extern const struct pci_ops polaris_pci_ops;
381 extern int polaris_read_config_dword(struct pci_dev *, int, u32 *);
382 extern int polaris_write_config_dword(struct pci_dev *, int, u32);
383 extern void polaris_init_arch(void);
384 @@ -75,14 +75,14 @@ extern void polaris_machine_check(unsign
385 #define polaris_pci_tbi ((void *)0)
386
387 /* core_t2.c */
388 -extern struct pci_ops t2_pci_ops;
389 +extern const struct pci_ops t2_pci_ops;
390 extern void t2_init_arch(void);
391 extern void t2_kill_arch(int);
392 extern void t2_machine_check(unsigned long vector, unsigned long la_ptr);
393 extern void t2_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
394
395 /* core_titan.c */
396 -extern struct pci_ops titan_pci_ops;
397 +extern const struct pci_ops titan_pci_ops;
398 extern void titan_init_arch(void);
399 extern void titan_kill_arch(int);
400 extern void titan_machine_check(unsigned long, unsigned long);
401 @@ -90,14 +90,14 @@ extern void titan_pci_tbi(struct pci_con
402 extern struct _alpha_agp_info *titan_agp_info(void);
403
404 /* core_tsunami.c */
405 -extern struct pci_ops tsunami_pci_ops;
406 +extern const struct pci_ops tsunami_pci_ops;
407 extern void tsunami_init_arch(void);
408 extern void tsunami_kill_arch(int);
409 extern void tsunami_machine_check(unsigned long vector, unsigned long la_ptr);
410 extern void tsunami_pci_tbi(struct pci_controller *, dma_addr_t, dma_addr_t);
411
412 /* core_wildfire.c */
413 -extern struct pci_ops wildfire_pci_ops;
414 +extern const struct pci_ops wildfire_pci_ops;
415 extern void wildfire_init_arch(void);
416 extern void wildfire_kill_arch(int);
417 extern void wildfire_machine_check(unsigned long vector, unsigned long la_ptr);
418 diff -urNp linux-2.6.39.3/arch/alpha/mm/fault.c linux-2.6.39.3/arch/alpha/mm/fault.c
419 --- linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
420 +++ linux-2.6.39.3/arch/alpha/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
421 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
422 __reload_thread(pcb);
423 }
424
425 +#ifdef CONFIG_PAX_PAGEEXEC
426 +/*
427 + * PaX: decide what to do with offenders (regs->pc = fault address)
428 + *
429 + * returns 1 when task should be killed
430 + * 2 when patched PLT trampoline was detected
431 + * 3 when unpatched PLT trampoline was detected
432 + */
433 +static int pax_handle_fetch_fault(struct pt_regs *regs)
434 +{
435 +
436 +#ifdef CONFIG_PAX_EMUPLT
437 + int err;
438 +
439 + do { /* PaX: patched PLT emulation #1 */
440 + unsigned int ldah, ldq, jmp;
441 +
442 + err = get_user(ldah, (unsigned int *)regs->pc);
443 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
444 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
445 +
446 + if (err)
447 + break;
448 +
449 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
450 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
451 + jmp == 0x6BFB0000U)
452 + {
453 + unsigned long r27, addr;
454 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
455 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
456 +
457 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
458 + err = get_user(r27, (unsigned long *)addr);
459 + if (err)
460 + break;
461 +
462 + regs->r27 = r27;
463 + regs->pc = r27;
464 + return 2;
465 + }
466 + } while (0);
467 +
468 + do { /* PaX: patched PLT emulation #2 */
469 + unsigned int ldah, lda, br;
470 +
471 + err = get_user(ldah, (unsigned int *)regs->pc);
472 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
473 + err |= get_user(br, (unsigned int *)(regs->pc+8));
474 +
475 + if (err)
476 + break;
477 +
478 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
479 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
480 + (br & 0xFFE00000U) == 0xC3E00000U)
481 + {
482 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
483 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
484 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
485 +
486 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
487 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
488 + return 2;
489 + }
490 + } while (0);
491 +
492 + do { /* PaX: unpatched PLT emulation */
493 + unsigned int br;
494 +
495 + err = get_user(br, (unsigned int *)regs->pc);
496 +
497 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
498 + unsigned int br2, ldq, nop, jmp;
499 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
500 +
501 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
502 + err = get_user(br2, (unsigned int *)addr);
503 + err |= get_user(ldq, (unsigned int *)(addr+4));
504 + err |= get_user(nop, (unsigned int *)(addr+8));
505 + err |= get_user(jmp, (unsigned int *)(addr+12));
506 + err |= get_user(resolver, (unsigned long *)(addr+16));
507 +
508 + if (err)
509 + break;
510 +
511 + if (br2 == 0xC3600000U &&
512 + ldq == 0xA77B000CU &&
513 + nop == 0x47FF041FU &&
514 + jmp == 0x6B7B0000U)
515 + {
516 + regs->r28 = regs->pc+4;
517 + regs->r27 = addr+16;
518 + regs->pc = resolver;
519 + return 3;
520 + }
521 + }
522 + } while (0);
523 +#endif
524 +
525 + return 1;
526 +}
527 +
528 +void pax_report_insns(void *pc, void *sp)
529 +{
530 + unsigned long i;
531 +
532 + printk(KERN_ERR "PAX: bytes at PC: ");
533 + for (i = 0; i < 5; i++) {
534 + unsigned int c;
535 + if (get_user(c, (unsigned int *)pc+i))
536 + printk(KERN_CONT "???????? ");
537 + else
538 + printk(KERN_CONT "%08x ", c);
539 + }
540 + printk("\n");
541 +}
542 +#endif
543
544 /*
545 * This routine handles page faults. It determines the address,
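Review bot: The `get_user()` casts in pax_handle_fetch_fault and pax_report_insns, e.g. `(unsigned int *)regs->pc`, drop the `__user` address-space annotation, so sparse cannot check these user-memory reads. The osf_wait4 change in this same patch does write `(unsigned int __user *)`; prefer `get_user(ldah, (unsigned int __user *)regs->pc)` throughout. The bare return codes 1, 2 and 3 would also read better as named constants shared with the `switch` in do_page_fault. In pax_report_insns the `sp` argument is never used, and the closing `printk("\n")` lacks `KERN_CONT`.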
546 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
547 good_area:
548 si_code = SEGV_ACCERR;
549 if (cause < 0) {
550 - if (!(vma->vm_flags & VM_EXEC))
551 + if (!(vma->vm_flags & VM_EXEC)) {
552 +
553 +#ifdef CONFIG_PAX_PAGEEXEC
554 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
555 + goto bad_area;
556 +
557 + up_read(&mm->mmap_sem);
558 + switch (pax_handle_fetch_fault(regs)) {
559 +
560 +#ifdef CONFIG_PAX_EMUPLT
561 + case 2:
562 + case 3:
563 + return;
564 +#endif
565 +
566 + }
567 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
568 + do_group_exit(SIGKILL);
569 +#else
570 goto bad_area;
571 +#endif
572 +
573 + }
574 } else if (!cause) {
575 /* Allow reads even for write-only mappings */
576 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
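Review bot: With CONFIG_PAX_EMUPLT disabled, `switch (pax_handle_fetch_fault(regs))` has no case labels at all, which some compilers warn about and which hides the fact that the result is discarded. Nothing tells the reader that `do_group_exit(SIGKILL)` does not return, yet that is what keeps control from leaving the block after `up_read(&mm->mmap_sem)` has already released the lock. A `default: break;` label and a comment such as `/* do_group_exit() does not return */` would make both explicit. do_page_fault starts and ends outside the hunk.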
577 diff -urNp linux-2.6.39.3/arch/arm/common/it8152.c linux-2.6.39.3/arch/arm/common/it8152.c
578 --- linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-19 00:06:34.000000000 -0400
579 +++ linux-2.6.39.3/arch/arm/common/it8152.c 2011-05-22 19:36:30.000000000 -0400
580 @@ -221,7 +221,7 @@ static int it8152_pci_write_config(struc
581 return PCIBIOS_SUCCESSFUL;
582 }
583
584 -static struct pci_ops it8152_ops = {
585 +static const struct pci_ops it8152_ops = {
586 .read = it8152_pci_read_config,
587 .write = it8152_pci_write_config,
588 };
589 diff -urNp linux-2.6.39.3/arch/arm/common/via82c505.c linux-2.6.39.3/arch/arm/common/via82c505.c
590 --- linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-19 00:06:34.000000000 -0400
591 +++ linux-2.6.39.3/arch/arm/common/via82c505.c 2011-05-22 19:36:30.000000000 -0400
592 @@ -52,7 +52,7 @@ via82c505_write_config(struct pci_bus *b
593 return PCIBIOS_SUCCESSFUL;
594 }
595
596 -static struct pci_ops via82c505_ops = {
597 +static const struct pci_ops via82c505_ops = {
598 .read = via82c505_read_config,
599 .write = via82c505_write_config,
600 };
601 diff -urNp linux-2.6.39.3/arch/arm/include/asm/cacheflush.h linux-2.6.39.3/arch/arm/include/asm/cacheflush.h
602 --- linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
603 +++ linux-2.6.39.3/arch/arm/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
604 @@ -115,7 +115,7 @@ struct cpu_cache_fns {
605 */
606 #ifdef MULTI_CACHE
607
608 -extern struct cpu_cache_fns cpu_cache;
609 +extern const struct cpu_cache_fns cpu_cache;
610
611 #define __cpuc_flush_icache_all cpu_cache.flush_icache_all
612 #define __cpuc_flush_kern_all cpu_cache.flush_kern_all
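Review bot: Declaring `cpu_cache` as `const` only holds if nothing stores into the object after build time, and neither its definition nor any setup code is in this hunk. If boot code copies a per-CPU function table into it, that assignment would no longer compile, or would need a cast that defeats the qualifier. The same question applies to `outer_cache` in the outercache.h hunk and `cpu_user` in the page.h hunk. It is worth confirming that the definitions are changed to match, and saying in a comment how each table gets populated.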
613 diff -urNp linux-2.6.39.3/arch/arm/include/asm/elf.h linux-2.6.39.3/arch/arm/include/asm/elf.h
614 --- linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
615 +++ linux-2.6.39.3/arch/arm/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
616 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
617 the loader. We need to make sure that it is out of the way of the program
618 that it will "exec", and that there is sufficient room for the brk. */
619
620 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
621 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
622 +
623 +#ifdef CONFIG_PAX_ASLR
624 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
625 +
626 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
627 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
628 +#endif
629
630 /* When the program starts, a1 contains a pointer to a function to be
631 registered with atexit, as per the SVR4 ABI. A value of 0 means we
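Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT` for exact equality, so a task whose personality word carries any additional flag bits would appear to take the smaller value of 10. The alpha hunk in this patch tests a single bit instead, `current->personality & ADDR_LIMIT_32BIT`; if the equality is not deliberate, the same form would be safer here. The reordering to `(TASK_SIZE / 3 * 2)` also deserves a comment, presumably `/* divide first so 2 * TASK_SIZE cannot overflow */`.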
632 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
633 extern void elf_set_personality(const struct elf32_hdr *);
634 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
635
636 -struct mm_struct;
637 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
638 -#define arch_randomize_brk arch_randomize_brk
639 -
640 extern int vectors_user_mapping(void);
641 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
642 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
643 diff -urNp linux-2.6.39.3/arch/arm/include/asm/kmap_types.h linux-2.6.39.3/arch/arm/include/asm/kmap_types.h
644 --- linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
645 +++ linux-2.6.39.3/arch/arm/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
646 @@ -21,6 +21,7 @@ enum km_type {
647 KM_L1_CACHE,
648 KM_L2_CACHE,
649 KM_KDB,
650 + KM_CLEARPAGE,
651 KM_TYPE_NR
652 };
653
654 diff -urNp linux-2.6.39.3/arch/arm/include/asm/outercache.h linux-2.6.39.3/arch/arm/include/asm/outercache.h
655 --- linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-19 00:06:34.000000000 -0400
656 +++ linux-2.6.39.3/arch/arm/include/asm/outercache.h 2011-05-22 19:36:30.000000000 -0400
657 @@ -38,7 +38,7 @@ struct outer_cache_fns {
658
659 #ifdef CONFIG_OUTER_CACHE
660
661 -extern struct outer_cache_fns outer_cache;
662 +extern const struct outer_cache_fns outer_cache;
663
664 static inline void outer_inv_range(phys_addr_t start, phys_addr_t end)
665 {
666 diff -urNp linux-2.6.39.3/arch/arm/include/asm/page.h linux-2.6.39.3/arch/arm/include/asm/page.h
667 --- linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
668 +++ linux-2.6.39.3/arch/arm/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
669 @@ -126,7 +126,7 @@ struct cpu_user_fns {
670 };
671
672 #ifdef MULTI_USER
673 -extern struct cpu_user_fns cpu_user;
674 +extern const struct cpu_user_fns cpu_user;
675
676 #define __cpu_clear_user_highpage cpu_user.cpu_clear_user_highpage
677 #define __cpu_copy_user_highpage cpu_user.cpu_copy_user_highpage
678 diff -urNp linux-2.6.39.3/arch/arm/include/asm/uaccess.h linux-2.6.39.3/arch/arm/include/asm/uaccess.h
679 --- linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
680 +++ linux-2.6.39.3/arch/arm/include/asm/uaccess.h 2011-06-29 21:04:12.000000000 -0400
681 @@ -22,6 +22,8 @@
682 #define VERIFY_READ 0
683 #define VERIFY_WRITE 1
684
685 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
686 +
687 /*
688 * The exception table consists of pairs of addresses: the first is the
689 * address of an instruction that is allowed to fault, and the second is
690 @@ -387,8 +389,23 @@ do { \
691
692
693 #ifdef CONFIG_MMU
694 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
695 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
696 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
697 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
698 +
699 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
700 +{
701 + if (!__builtin_constant_p(n))
702 + check_object_size(to, n, false);
703 + return ___copy_from_user(to, from, n);
704 +}
705 +
706 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
707 +{
708 + if (!__builtin_constant_p(n))
709 + check_object_size(from, n, true);
710 + return ___copy_to_user(to, from, n);
711 +}
712 +
713 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
714 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
715 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
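Review bot: The new `__copy_from_user()` and `__copy_to_user()` wrappers skip `check_object_size()` whenever `n` is a compile-time constant, and nothing explains why that exemption is safe or what the third argument means. Add a short comment above the wrappers stating the reason for exempting constant lengths and that the last argument is `true` for copies towards user space, as the two call sites show. `__copy_to_user_std` and `__clear_user` remain plain externs with no such check; if that is intentional, the comment should say so.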
716 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
717
718 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
719 {
720 + if ((long)n < 0)
721 + return n;
722 +
723 if (access_ok(VERIFY_READ, from, n))
724 n = __copy_from_user(to, from, n);
725 else /* security hole - plug it */
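Review bot: The added `if ((long)n < 0) return n;` returns before the `else` branch that the existing comment marks as plugging a hole, so on this path the destination buffer is left untouched. Callers that ignore the return value would then go on to use whatever `to` already held. That is probably unavoidable for a length this large, but it deserves a comment, e.g. `/* length has the sign bit set: refuse, nothing is copied or cleared */`. The same check is added to copy_to_user in the next hunk, and both function bodies continue outside their hunks.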
726 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
727
728 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
729 {
730 + if ((long)n < 0)
731 + return n;
732 +
733 if (access_ok(VERIFY_WRITE, to, n))
734 n = __copy_to_user(to, from, n);
735 return n;
736 diff -urNp linux-2.6.39.3/arch/arm/kernel/armksyms.c linux-2.6.39.3/arch/arm/kernel/armksyms.c
737 --- linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-05-19 00:06:34.000000000 -0400
738 +++ linux-2.6.39.3/arch/arm/kernel/armksyms.c 2011-07-06 19:52:45.000000000 -0400
739 @@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
740 #ifdef CONFIG_MMU
741 EXPORT_SYMBOL(copy_page);
742
743 -EXPORT_SYMBOL(__copy_from_user);
744 -EXPORT_SYMBOL(__copy_to_user);
745 +EXPORT_SYMBOL(___copy_from_user);
746 +EXPORT_SYMBOL(___copy_to_user);
747 EXPORT_SYMBOL(__clear_user);
748
749 EXPORT_SYMBOL(__get_user_1);
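Review bot: This hunk exports only the renamed `___copy_from_user` and `___copy_to_user`, but the uaccess.h change turns `__copy_from_user` and `__copy_to_user` into inline wrappers that also call `check_object_size`. Modules using them will therefore need that symbol too. Its export may sit next to its definition elsewhere in the patch, which is not visible here, but it is worth confirming. Out-of-tree modules that referenced the old exported names will also need rebuilding against the new header.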
750 diff -urNp linux-2.6.39.3/arch/arm/kernel/kgdb.c linux-2.6.39.3/arch/arm/kernel/kgdb.c
751 --- linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
752 +++ linux-2.6.39.3/arch/arm/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
753 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
754 * and we handle the normal undef case within the do_undefinstr
755 * handler.
756 */
757 -struct kgdb_arch arch_kgdb_ops = {
758 +const struct kgdb_arch arch_kgdb_ops = {
759 #ifndef __ARMEB__
760 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
761 #else /* ! __ARMEB__ */
762 diff -urNp linux-2.6.39.3/arch/arm/kernel/process.c linux-2.6.39.3/arch/arm/kernel/process.c
763 --- linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
764 +++ linux-2.6.39.3/arch/arm/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
765 @@ -28,7 +28,6 @@
766 #include <linux/tick.h>
767 #include <linux/utsname.h>
768 #include <linux/uaccess.h>
769 -#include <linux/random.h>
770 #include <linux/hw_breakpoint.h>
771
772 #include <asm/cacheflush.h>
773 @@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
774 return 0;
775 }
776
777 -unsigned long arch_randomize_brk(struct mm_struct *mm)
778 -{
779 - unsigned long range_end = mm->brk + 0x02000000;
780 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
781 -}
782 -
783 #ifdef CONFIG_MMU
784 /*
785 * The vectors page is always readable from user space for the
786 diff -urNp linux-2.6.39.3/arch/arm/kernel/traps.c linux-2.6.39.3/arch/arm/kernel/traps.c
787 --- linux-2.6.39.3/arch/arm/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
788 +++ linux-2.6.39.3/arch/arm/kernel/traps.c 2011-06-13 21:30:34.000000000 -0400
789 @@ -258,6 +258,8 @@ static int __die(const char *str, int er
790
791 static DEFINE_SPINLOCK(die_lock);
792
793 +extern void gr_handle_kernel_exploit(void);
794 +
795 /*
796 * This function is protected against re-entrancy.
797 */
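Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of coming from a header, so the compiler cannot check this prototype against the definition and a later signature change would go unnoticed. I would move the declaration into a header shared by the definition and this file; the defining file is not visible here. The call added to die() in the next hunk sits after both panic() checks and before do_exit(), so a one-line comment there stating what the hook is expected to do, and that it is reached only when the oops did not panic, would help the reader.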
798 @@ -285,6 +287,9 @@ void die(const char *str, struct pt_regs
799 panic("Fatal exception in interrupt");
800 if (panic_on_oops)
801 panic("Fatal exception");
802 +
803 + gr_handle_kernel_exploit();
804 +
805 if (ret != NOTIFY_STOP)
806 do_exit(SIGSEGV);
807 }
808 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_from_user.S linux-2.6.39.3/arch/arm/lib/copy_from_user.S
809 --- linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-05-19 00:06:34.000000000 -0400
810 +++ linux-2.6.39.3/arch/arm/lib/copy_from_user.S 2011-06-29 20:58:18.000000000 -0400
811 @@ -16,7 +16,7 @@
812 /*
813 * Prototype:
814 *
815 - * size_t __copy_from_user(void *to, const void *from, size_t n)
816 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
817 *
818 * Purpose:
819 *
820 @@ -84,11 +84,11 @@
821
822 .text
823
824 -ENTRY(__copy_from_user)
825 +ENTRY(___copy_from_user)
826
827 #include "copy_template.S"
828
829 -ENDPROC(__copy_from_user)
830 +ENDPROC(___copy_from_user)
831
832 .pushsection .fixup,"ax"
833 .align 0
834 diff -urNp linux-2.6.39.3/arch/arm/lib/copy_to_user.S linux-2.6.39.3/arch/arm/lib/copy_to_user.S
835 --- linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-05-19 00:06:34.000000000 -0400
836 +++ linux-2.6.39.3/arch/arm/lib/copy_to_user.S 2011-06-29 20:59:20.000000000 -0400
837 @@ -16,7 +16,7 @@
838 /*
839 * Prototype:
840 *
841 - * size_t __copy_to_user(void *to, const void *from, size_t n)
842 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
843 *
844 * Purpose:
845 *
846 @@ -88,11 +88,11 @@
847 .text
848
849 ENTRY(__copy_to_user_std)
850 -WEAK(__copy_to_user)
851 +WEAK(___copy_to_user)
852
853 #include "copy_template.S"
854
855 -ENDPROC(__copy_to_user)
856 +ENDPROC(___copy_to_user)
857 ENDPROC(__copy_to_user_std)
858
859 .pushsection .fixup,"ax"
860 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess.S linux-2.6.39.3/arch/arm/lib/uaccess.S
861 --- linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-05-19 00:06:34.000000000 -0400
862 +++ linux-2.6.39.3/arch/arm/lib/uaccess.S 2011-06-29 20:59:01.000000000 -0400
863 @@ -20,7 +20,7 @@
864
865 #define PAGE_SHIFT 12
866
867 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
868 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
869 * Purpose : copy a block to user memory from kernel memory
870 * Params : to - user memory
871 * : from - kernel memory
872 @@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
873 sub r2, r2, ip
874 b .Lc2u_dest_aligned
875
876 -ENTRY(__copy_to_user)
877 +ENTRY(___copy_to_user)
878 stmfd sp!, {r2, r4 - r7, lr}
879 cmp r2, #4
880 blt .Lc2u_not_enough
881 @@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
882 ldrgtb r3, [r1], #0
883 USER( T(strgtb) r3, [r0], #1) @ May fault
884 b .Lc2u_finished
885 -ENDPROC(__copy_to_user)
886 +ENDPROC(___copy_to_user)
887
888 .pushsection .fixup,"ax"
889 .align 0
890 9001: ldmfd sp!, {r0, r4 - r7, pc}
891 .popsection
892
893 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
894 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
895 * Purpose : copy a block from user memory to kernel memory
896 * Params : to - kernel memory
897 * : from - user memory
898 @@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
899 sub r2, r2, ip
900 b .Lcfu_dest_aligned
901
902 -ENTRY(__copy_from_user)
903 +ENTRY(___copy_from_user)
904 stmfd sp!, {r0, r2, r4 - r7, lr}
905 cmp r2, #4
906 blt .Lcfu_not_enough
907 @@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
908 USER( T(ldrgtb) r3, [r1], #1) @ May fault
909 strgtb r3, [r0], #1
910 b .Lcfu_finished
911 -ENDPROC(__copy_from_user)
912 +ENDPROC(___copy_from_user)
913
914 .pushsection .fixup,"ax"
915 .align 0
916 diff -urNp linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c
917 --- linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-05-19 00:06:34.000000000 -0400
918 +++ linux-2.6.39.3/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:59:55.000000000 -0400
919 @@ -103,7 +103,7 @@ out:
920 }
921
922 unsigned long
923 -__copy_to_user(void __user *to, const void *from, unsigned long n)
924 +___copy_to_user(void __user *to, const void *from, unsigned long n)
925 {
926 /*
927 * This test is stubbed out of the main function above to keep
928 diff -urNp linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c
929 --- linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-19 00:06:34.000000000 -0400
930 +++ linux-2.6.39.3/arch/arm/mach-cns3xxx/pcie.c 2011-05-22 19:36:30.000000000 -0400
931 @@ -162,7 +162,7 @@ static int cns3xxx_pci_setup(int nr, str
932 return 1;
933 }
934
935 -static struct pci_ops cns3xxx_pcie_ops = {
936 +static const struct pci_ops cns3xxx_pcie_ops = {
937 .read = cns3xxx_pci_read_config,
938 .write = cns3xxx_pci_write_config,
939 };
940 diff -urNp linux-2.6.39.3/arch/arm/mach-dove/pcie.c linux-2.6.39.3/arch/arm/mach-dove/pcie.c
941 --- linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-19 00:06:34.000000000 -0400
942 +++ linux-2.6.39.3/arch/arm/mach-dove/pcie.c 2011-05-22 19:36:30.000000000 -0400
943 @@ -155,7 +155,7 @@ static int pcie_wr_conf(struct pci_bus *
944 return ret;
945 }
946
947 -static struct pci_ops pcie_ops = {
948 +static const struct pci_ops pcie_ops = {
949 .read = pcie_rd_conf,
950 .write = pcie_wr_conf,
951 };
952 diff -urNp linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c
953 --- linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-19 00:06:34.000000000 -0400
954 +++ linux-2.6.39.3/arch/arm/mach-footbridge/dc21285.c 2011-05-22 19:36:30.000000000 -0400
955 @@ -129,7 +129,7 @@ dc21285_write_config(struct pci_bus *bus
956 return PCIBIOS_SUCCESSFUL;
957 }
958
959 -static struct pci_ops dc21285_ops = {
960 +static const struct pci_ops dc21285_ops = {
961 .read = dc21285_read_config,
962 .write = dc21285_write_config,
963 };
964 diff -urNp linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c
965 --- linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-19 00:06:34.000000000 -0400
966 +++ linux-2.6.39.3/arch/arm/mach-integrator/pci_v3.c 2011-05-22 19:36:30.000000000 -0400
967 @@ -340,7 +340,7 @@ static int v3_write_config(struct pci_bu
968 return PCIBIOS_SUCCESSFUL;
969 }
970
971 -static struct pci_ops pci_v3_ops = {
972 +static const struct pci_ops pci_v3_ops = {
973 .read = v3_read_config,
974 .write = v3_write_config,
975 };
976 diff -urNp linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c
977 --- linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-19 00:06:34.000000000 -0400
978 +++ linux-2.6.39.3/arch/arm/mach-iop13xx/pci.c 2011-05-22 19:36:30.000000000 -0400
979 @@ -324,7 +324,7 @@ iop13xx_atux_write_config(struct pci_bus
980 return PCIBIOS_SUCCESSFUL;
981 }
982
983 -static struct pci_ops iop13xx_atux_ops = {
984 +static const struct pci_ops iop13xx_atux_ops = {
985 .read = iop13xx_atux_read_config,
986 .write = iop13xx_atux_write_config,
987 };
988 @@ -471,7 +471,7 @@ iop13xx_atue_write_config(struct pci_bus
989 return PCIBIOS_SUCCESSFUL;
990 }
991
992 -static struct pci_ops iop13xx_atue_ops = {
993 +static const struct pci_ops iop13xx_atue_ops = {
994 .read = iop13xx_atue_read_config,
995 .write = iop13xx_atue_write_config,
996 };
997 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c
998 --- linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-19 00:06:34.000000000 -0400
999 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/enp2611.c 2011-05-22 19:36:30.000000000 -0400
1000 @@ -137,7 +137,7 @@ static int enp2611_pci_write_config(stru
1001 return PCIBIOS_DEVICE_NOT_FOUND;
1002 }
1003
1004 -static struct pci_ops enp2611_pci_ops = {
1005 +static const struct pci_ops enp2611_pci_ops = {
1006 .read = enp2611_pci_read_config,
1007 .write = enp2611_pci_write_config
1008 };
1009 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c
1010 --- linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-19 00:06:34.000000000 -0400
1011 +++ linux-2.6.39.3/arch/arm/mach-ixp2000/pci.c 2011-05-22 19:36:30.000000000 -0400
1012 @@ -125,7 +125,7 @@ int ixp2000_pci_write_config(struct pci_
1013 }
1014
1015
1016 -static struct pci_ops ixp2000_pci_ops = {
1017 +static const struct pci_ops ixp2000_pci_ops = {
1018 .read = ixp2000_pci_read_config,
1019 .write = ixp2000_pci_write_config
1020 };
1021 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c
1022 --- linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-19 00:06:34.000000000 -0400
1023 +++ linux-2.6.39.3/arch/arm/mach-ixp23xx/pci.c 2011-05-22 19:36:30.000000000 -0400
1024 @@ -136,7 +136,7 @@ static int ixp23xx_pci_write_config(stru
1025 return PCIBIOS_SUCCESSFUL;
1026 }
1027
1028 -struct pci_ops ixp23xx_pci_ops = {
1029 +const struct pci_ops ixp23xx_pci_ops = {
1030 .read = ixp23xx_pci_read_config,
1031 .write = ixp23xx_pci_write_config,
1032 };
1033 diff -urNp linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c
1034 --- linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-19 00:06:34.000000000 -0400
1035 +++ linux-2.6.39.3/arch/arm/mach-ixp4xx/common-pci.c 2011-05-22 19:36:30.000000000 -0400
1036 @@ -283,7 +283,7 @@ static int ixp4xx_pci_write_config(struc
1037 return PCIBIOS_SUCCESSFUL;
1038 }
1039
1040 -struct pci_ops ixp4xx_ops = {
1041 +const struct pci_ops ixp4xx_ops = {
1042 .read = ixp4xx_pci_read_config,
1043 .write = ixp4xx_pci_write_config,
1044 };
1045 diff -urNp linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c
1046 --- linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-19 00:06:34.000000000 -0400
1047 +++ linux-2.6.39.3/arch/arm/mach-kirkwood/pcie.c 2011-05-22 19:36:30.000000000 -0400
1048 @@ -111,7 +111,7 @@ static int pcie_wr_conf(struct pci_bus *
1049 return ret;
1050 }
1051
1052 -static struct pci_ops pcie_ops = {
1053 +static const struct pci_ops pcie_ops = {
1054 .read = pcie_rd_conf,
1055 .write = pcie_wr_conf,
1056 };
1057 diff -urNp linux-2.6.39.3/arch/arm/mach-ks8695/pci.c linux-2.6.39.3/arch/arm/mach-ks8695/pci.c
1058 --- linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-19 00:06:34.000000000 -0400
1059 +++ linux-2.6.39.3/arch/arm/mach-ks8695/pci.c 2011-05-22 19:36:30.000000000 -0400
1060 @@ -136,7 +136,7 @@ static void ks8695_local_writeconfig(int
1061 __raw_writel(value, KS8695_PCI_VA + KS8695_PBCD);
1062 }
1063
1064 -static struct pci_ops ks8695_pci_ops = {
1065 +static const struct pci_ops ks8695_pci_ops = {
1066 .read = ks8695_pci_readconfig,
1067 .write = ks8695_pci_writeconfig,
1068 };
1069 diff -urNp linux-2.6.39.3/arch/arm/mach-mmp/clock.c linux-2.6.39.3/arch/arm/mach-mmp/clock.c
1070 --- linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-19 00:06:34.000000000 -0400
1071 +++ linux-2.6.39.3/arch/arm/mach-mmp/clock.c 2011-05-22 19:36:30.000000000 -0400
1072 @@ -29,7 +29,7 @@ static void apbc_clk_disable(struct clk
1073 __raw_writel(0, clk->clk_rst);
1074 }
1075
1076 -struct clkops apbc_clk_ops = {
1077 +const struct clkops apbc_clk_ops = {
1078 .enable = apbc_clk_enable,
1079 .disable = apbc_clk_disable,
1080 };
1081 @@ -44,7 +44,7 @@ static void apmu_clk_disable(struct clk
1082 __raw_writel(0, clk->clk_rst);
1083 }
1084
1085 -struct clkops apmu_clk_ops = {
1086 +const struct clkops apmu_clk_ops = {
1087 .enable = apmu_clk_enable,
1088 .disable = apmu_clk_disable,
1089 };
1090 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/iommu.c linux-2.6.39.3/arch/arm/mach-msm/iommu.c
1091 --- linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-19 00:06:34.000000000 -0400
1092 +++ linux-2.6.39.3/arch/arm/mach-msm/iommu.c 2011-05-22 19:36:30.000000000 -0400
1093 @@ -669,7 +669,7 @@ fail:
1094 return 0;
1095 }
1096
1097 -static struct iommu_ops msm_iommu_ops = {
1098 +static const struct iommu_ops msm_iommu_ops = {
1099 .domain_init = msm_iommu_domain_init,
1100 .domain_destroy = msm_iommu_domain_destroy,
1101 .attach_dev = msm_iommu_attach_dev,
1102 diff -urNp linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c
1103 --- linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-19 00:06:34.000000000 -0400
1104 +++ linux-2.6.39.3/arch/arm/mach-msm/last_radio_log.c 2011-05-22 19:36:30.000000000 -0400
1105 @@ -48,6 +48,7 @@ static ssize_t last_radio_log_read(struc
1106 }
1107
1108 static struct file_operations last_radio_log_fops = {
1109 + /* cannot be const, see msm_init_last_radio_log */
1110 .read = last_radio_log_read,
1111 .llseek = default_llseek,
1112 };
1113 diff -urNp linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c
1114 --- linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-19 00:06:34.000000000 -0400
1115 +++ linux-2.6.39.3/arch/arm/mach-mv78xx0/pcie.c 2011-05-22 19:36:30.000000000 -0400
1116 @@ -222,7 +222,7 @@ static int pcie_wr_conf(struct pci_bus *
1117 return ret;
1118 }
1119
1120 -static struct pci_ops pcie_ops = {
1121 +static const struct pci_ops pcie_ops = {
1122 .read = pcie_rd_conf,
1123 .write = pcie_wr_conf,
1124 };
1125 diff -urNp linux-2.6.39.3/arch/arm/mach-orion5x/pci.c linux-2.6.39.3/arch/arm/mach-orion5x/pci.c
1126 --- linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-19 00:06:34.000000000 -0400
1127 +++ linux-2.6.39.3/arch/arm/mach-orion5x/pci.c 2011-05-22 19:36:30.000000000 -0400
1128 @@ -130,7 +130,7 @@ static int pcie_wr_conf(struct pci_bus *
1129 return ret;
1130 }
1131
1132 -static struct pci_ops pcie_ops = {
1133 +static const struct pci_ops pcie_ops = {
1134 .read = pcie_rd_conf,
1135 .write = pcie_wr_conf,
1136 };
1137 @@ -368,7 +368,7 @@ static int orion5x_pci_wr_conf(struct pc
1138 PCI_FUNC(devfn), where, size, val);
1139 }
1140
1141 -static struct pci_ops pci_ops = {
1142 +static const struct pci_ops pci_ops = {
1143 .read = orion5x_pci_rd_conf,
1144 .write = orion5x_pci_wr_conf,
1145 };
1146 diff -urNp linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c
1147 --- linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-19 00:06:34.000000000 -0400
1148 +++ linux-2.6.39.3/arch/arm/mach-sa1100/pci-nanoengine.c 2011-05-22 19:36:30.000000000 -0400
1149 @@ -117,7 +117,7 @@ static int nanoengine_write_config(struc
1150 return PCIBIOS_SUCCESSFUL;
1151 }
1152
1153 -static struct pci_ops pci_nano_ops = {
1154 +static const struct pci_ops pci_nano_ops = {
1155 .read = nanoengine_read_config,
1156 .write = nanoengine_write_config,
1157 };
1158 diff -urNp linux-2.6.39.3/arch/arm/mach-tegra/pcie.c linux-2.6.39.3/arch/arm/mach-tegra/pcie.c
1159 --- linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-19 00:06:34.000000000 -0400
1160 +++ linux-2.6.39.3/arch/arm/mach-tegra/pcie.c 2011-05-22 19:36:30.000000000 -0400
1161 @@ -336,7 +336,7 @@ static int tegra_pcie_write_conf(struct
1162 return PCIBIOS_SUCCESSFUL;
1163 }
1164
1165 -static struct pci_ops tegra_pcie_ops = {
1166 +static const struct pci_ops tegra_pcie_ops = {
1167 .read = tegra_pcie_read_conf,
1168 .write = tegra_pcie_write_conf,
1169 };
1170 diff -urNp linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c
1171 --- linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-19 00:06:34.000000000 -0400
1172 +++ linux-2.6.39.3/arch/arm/mach-ux500/mbox-db5500.c 2011-05-22 19:41:32.000000000 -0400
1173 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
1174 return sprintf(buf, "0x%X\n", mbox_value);
1175 }
1176
1177 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1178 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
1179
1180 static int mbox_show(struct seq_file *s, void *data)
1181 {
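Review bot: The new mode `S_IWUSR | S_IRUGO` still leaves the fifo attribute readable by every user, so only the write side is restricted. Whether mbox_read_fifo consumes a mailbox entry or returns data other users should not see is not visible in this hunk; if either holds, `static DEVICE_ATTR(fifo, S_IWUSR | S_IRUSR, mbox_read_fifo, mbox_write_fifo);` would match the write restriction.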
1182 diff -urNp linux-2.6.39.3/arch/arm/mach-versatile/pci.c linux-2.6.39.3/arch/arm/mach-versatile/pci.c
1183 --- linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-19 00:06:34.000000000 -0400
1184 +++ linux-2.6.39.3/arch/arm/mach-versatile/pci.c 2011-05-22 19:36:30.000000000 -0400
1185 @@ -165,7 +165,7 @@ static int versatile_write_config(struct
1186 return PCIBIOS_SUCCESSFUL;
1187 }
1188
1189 -static struct pci_ops pci_versatile_ops = {
1190 +static const struct pci_ops pci_versatile_ops = {
1191 .read = versatile_read_config,
1192 .write = versatile_write_config,
1193 };
1194 diff -urNp linux-2.6.39.3/arch/arm/mm/fault.c linux-2.6.39.3/arch/arm/mm/fault.c
1195 --- linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1196 +++ linux-2.6.39.3/arch/arm/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1197 @@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
1198 }
1199 #endif
1200
1201 +#ifdef CONFIG_PAX_PAGEEXEC
1202 + if (fsr & FSR_LNX_PF) {
1203 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
1204 + do_group_exit(SIGKILL);
1205 + }
1206 +#endif
1207 +
1208 tsk->thread.address = addr;
1209 tsk->thread.error_code = fsr;
1210 tsk->thread.trap_no = 14;
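Review bot: The added `if (fsr & FSR_LNX_PF)` test ends the whole thread group with SIGKILL without consulting the task's PaX flags, whereas the avr32 handler later in this patch checks `mm->pax_flags & MF_PAX_PAGEEXEC` before doing the same. If the per-task setting is meant to apply on ARM as well, the condition would be `if ((fsr & FSR_LNX_PF) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`; if the omission is deliberate, a comment saying so is needed. __do_user_fault starts and ends outside the hunk, so what precedes this block is not visible.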
1211 @@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
1212 }
1213 #endif /* CONFIG_MMU */
1214
1215 +#ifdef CONFIG_PAX_PAGEEXEC
1216 +void pax_report_insns(void *pc, void *sp)
1217 +{
1218 + long i;
1219 +
1220 + printk(KERN_ERR "PAX: bytes at PC: ");
1221 + for (i = 0; i < 20; i++) {
1222 + unsigned char c;
1223 + if (get_user(c, (__force unsigned char __user *)pc+i))
1224 + printk(KERN_CONT "?? ");
1225 + else
1226 + printk(KERN_CONT "%02x ", c);
1227 + }
1228 + printk("\n");
1229 +
1230 + printk(KERN_ERR "PAX: bytes at SP-4: ");
1231 + for (i = -1; i < 20; i++) {
1232 + unsigned long c;
1233 + if (get_user(c, (__force unsigned long __user *)sp+i))
1234 + printk(KERN_CONT "???????? ");
1235 + else
1236 + printk(KERN_CONT "%08lx ", c);
1237 + }
1238 + printk("\n");
1239 +}
1240 +#endif
1241 +
1242 /*
1243 * First Level Translation Fault Handler
1244 *
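Review bot: Both line terminators in pax_report_insns are written as `printk("\n");` with no level, while every other continuation in the function uses KERN_CONT; `printk(KERN_CONT "\n");` would mark the two dump lines consistently. The function also has no header comment. One line stating that it dumps 20 bytes at the faulting PC and 21 words starting one word below SP from user memory, printing question marks where get_user() fails, would explain the `i = -1` start of the second loop, which otherwise reads like an off-by-one.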
1245 diff -urNp linux-2.6.39.3/arch/arm/mm/mmap.c linux-2.6.39.3/arch/arm/mm/mmap.c
1246 --- linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
1247 +++ linux-2.6.39.3/arch/arm/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
1248 @@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
1249 if (len > TASK_SIZE)
1250 return -ENOMEM;
1251
1252 +#ifdef CONFIG_PAX_RANDMMAP
1253 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
1254 +#endif
1255 +
1256 if (addr) {
1257 if (do_align)
1258 addr = COLOUR_ALIGN(addr, pgoff);
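Review bot: The brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` governs the existing `if (addr) {` block only because that block happens to be the next statement, and the blank line added after `#endif` hides the link. Any statement later inserted between the two would silently become the guarded body instead. I would drop the blank line and add `/* with RANDMMAP the caller's address hint is not honoured */` above the `#ifdef`, or fold the flag test into the hint check so the dependency is explicit. arch_get_unmapped_area starts and ends outside the hunk.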
1259 @@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
1260 addr = PAGE_ALIGN(addr);
1261
1262 vma = find_vma(mm, addr);
1263 - if (TASK_SIZE - len >= addr &&
1264 - (!vma || addr + len <= vma->vm_start))
1265 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1266 return addr;
1267 }
1268 if (len > mm->cached_hole_size) {
1269 - start_addr = addr = mm->free_area_cache;
1270 + start_addr = addr = mm->free_area_cache;
1271 } else {
1272 - start_addr = addr = TASK_UNMAPPED_BASE;
1273 - mm->cached_hole_size = 0;
1274 + start_addr = addr = mm->mmap_base;
1275 + mm->cached_hole_size = 0;
1276 }
1277 /* 8 bits of randomness in 20 address space bits */
1278 if ((current->flags & PF_RANDOMIZE) &&
1279 @@ -100,14 +103,14 @@ full_search:
1280 * Start a new search - just in case we missed
1281 * some holes.
1282 */
1283 - if (start_addr != TASK_UNMAPPED_BASE) {
1284 - start_addr = addr = TASK_UNMAPPED_BASE;
1285 + if (start_addr != mm->mmap_base) {
1286 + start_addr = addr = mm->mmap_base;
1287 mm->cached_hole_size = 0;
1288 goto full_search;
1289 }
1290 return -ENOMEM;
1291 }
1292 - if (!vma || addr + len <= vma->vm_start) {
1293 + if (check_heap_stack_gap(vma, addr, len)) {
1294 /*
1295 * Remember the place where we stopped the search:
1296 */
1297 diff -urNp linux-2.6.39.3/arch/arm/plat-iop/pci.c linux-2.6.39.3/arch/arm/plat-iop/pci.c
1298 --- linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-19 00:06:34.000000000 -0400
1299 +++ linux-2.6.39.3/arch/arm/plat-iop/pci.c 2011-05-22 19:36:30.000000000 -0400
1300 @@ -161,7 +161,7 @@ iop3xx_write_config(struct pci_bus *bus,
1301 return PCIBIOS_SUCCESSFUL;
1302 }
1303
1304 -static struct pci_ops iop3xx_ops = {
1305 +static const struct pci_ops iop3xx_ops = {
1306 .read = iop3xx_read_config,
1307 .write = iop3xx_write_config,
1308 };
1309 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/elf.h linux-2.6.39.3/arch/avr32/include/asm/elf.h
1310 --- linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1311 +++ linux-2.6.39.3/arch/avr32/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1312 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
1313 the loader. We need to make sure that it is out of the way of the program
1314 that it will "exec", and that there is sufficient room for the brk. */
1315
1316 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1317 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1318
1319 +#ifdef CONFIG_PAX_ASLR
1320 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
1321 +
1322 +#define PAX_DELTA_MMAP_LEN 15
1323 +#define PAX_DELTA_STACK_LEN 15
1324 +#endif
1325
1326 /* This yields a mask that user programs can use to figure out what
1327 instruction set this CPU supports. This could be done in user space,
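Review bot: The rewrite of ELF_ET_DYN_BASE from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` changes the evaluation order without a comment, so a later cleanup could easily change it back. If the intent is to keep the intermediate product within the width of the type, which the hunk does not state, a comment such as `/* divide first: 2 * TASK_SIZE may not fit in unsigned long */` above the define would record it.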
1328 diff -urNp linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h
1329 --- linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1330 +++ linux-2.6.39.3/arch/avr32/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1331 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
1332 D(11) KM_IRQ1,
1333 D(12) KM_SOFTIRQ0,
1334 D(13) KM_SOFTIRQ1,
1335 -D(14) KM_TYPE_NR
1336 +D(14) KM_CLEARPAGE,
1337 +D(15) KM_TYPE_NR
1338 };
1339
1340 #undef D
1341 diff -urNp linux-2.6.39.3/arch/avr32/mm/fault.c linux-2.6.39.3/arch/avr32/mm/fault.c
1342 --- linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1343 +++ linux-2.6.39.3/arch/avr32/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1344 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
1345
1346 int exception_trace = 1;
1347
1348 +#ifdef CONFIG_PAX_PAGEEXEC
1349 +void pax_report_insns(void *pc, void *sp)
1350 +{
1351 + unsigned long i;
1352 +
1353 + printk(KERN_ERR "PAX: bytes at PC: ");
1354 + for (i = 0; i < 20; i++) {
1355 + unsigned char c;
1356 + if (get_user(c, (unsigned char *)pc+i))
1357 + printk(KERN_CONT "???????? ");
1358 + else
1359 + printk(KERN_CONT "%02x ", c);
1360 + }
1361 + printk("\n");
1362 +}
1363 +#endif
1364 +
1365 /*
1366 * This routine handles page faults. It determines the address and the
1367 * problem, and then passes it off to one of the appropriate routines.
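Review bot: The failure branch in the avr32 pax_report_insns prints `"???????? "` for a single byte whose success format is `"%02x "`, so an unreadable byte takes the width of a word and the dump columns stop lining up; `printk(KERN_CONT "?? ");` matches the byte format and the ARM version in this patch. The pointer given to get_user() is cast as `(unsigned char *)pc+i` without the `__force ... __user` annotation the ARM copy uses, and `sp` is accepted but never read in this function.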
1368 @@ -156,6 +173,16 @@ bad_area:
1369 up_read(&mm->mmap_sem);
1370
1371 if (user_mode(regs)) {
1372 +
1373 +#ifdef CONFIG_PAX_PAGEEXEC
1374 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1375 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1376 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1377 + do_group_exit(SIGKILL);
1378 + }
1379 + }
1380 +#endif
1381 +
1382 if (exception_trace && printk_ratelimit())
1383 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1384 "sp %08lx ecr %lu\n",
1385 diff -urNp linux-2.6.39.3/arch/blackfin/kernel/kgdb.c linux-2.6.39.3/arch/blackfin/kernel/kgdb.c
1386 --- linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
1387 +++ linux-2.6.39.3/arch/blackfin/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
1388 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
1389 return -1; /* this means that we do not want to exit from the handler */
1390 }
1391
1392 -struct kgdb_arch arch_kgdb_ops = {
1393 +const struct kgdb_arch arch_kgdb_ops = {
1394 .gdb_bpt_instr = {0xa1},
1395 .flags = KGDB_HW_BREAKPOINT,
1396 .set_hw_breakpoint = bfin_set_hw_break,
1397 diff -urNp linux-2.6.39.3/arch/blackfin/mm/maccess.c linux-2.6.39.3/arch/blackfin/mm/maccess.c
1398 --- linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
1399 +++ linux-2.6.39.3/arch/blackfin/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
1400 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
1401 return bfin_mem_access_type(addr, size);
1402 }
1403
1404 -long probe_kernel_read(void *dst, void *src, size_t size)
1405 +long probe_kernel_read(void *dst, const void *src, size_t size)
1406 {
1407 unsigned long lsrc = (unsigned long)src;
1408 int mem_type;
1409 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
1410 return -EFAULT;
1411 }
1412
1413 -long probe_kernel_write(void *dst, void *src, size_t size)
1414 +long probe_kernel_write(void *dst, const void *src, size_t size)
1415 {
1416 unsigned long ldst = (unsigned long)dst;
1417 int mem_type;
1418 diff -urNp linux-2.6.39.3/arch/frv/include/asm/kmap_types.h linux-2.6.39.3/arch/frv/include/asm/kmap_types.h
1419 --- linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
1420 +++ linux-2.6.39.3/arch/frv/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
1421 @@ -23,6 +23,7 @@ enum km_type {
1422 KM_IRQ1,
1423 KM_SOFTIRQ0,
1424 KM_SOFTIRQ1,
1425 + KM_CLEARPAGE,
1426 KM_TYPE_NR
1427 };
1428
1429 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h
1430 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-19 00:06:34.000000000 -0400
1431 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-frv.h 2011-05-22 19:36:30.000000000 -0400
1432 @@ -34,7 +34,7 @@ void pcibios_resource_survey(void);
1433
1434 extern int __nongpreldata pcibios_last_bus;
1435 extern struct pci_bus *__nongpreldata pci_root_bus;
1436 -extern struct pci_ops *__nongpreldata pci_root_ops;
1437 +extern const struct pci_ops *__nongpreldata pci_root_ops;
1438
1439 /* pci-irq.c */
1440 extern unsigned int pcibios_irq_mask;
1441 diff -urNp linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c
1442 --- linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-19 00:06:34.000000000 -0400
1443 +++ linux-2.6.39.3/arch/frv/mb93090-mb00/pci-vdk.c 2011-05-22 19:36:30.000000000 -0400
1444 @@ -27,7 +27,7 @@ unsigned int __nongpreldata pci_probe =
1445
1446 int __nongpreldata pcibios_last_bus = -1;
1447 struct pci_bus *__nongpreldata pci_root_bus;
1448 -struct pci_ops *__nongpreldata pci_root_ops;
1449 +const struct pci_ops *__nongpreldata pci_root_ops;
1450
1451 /*
1452 * The accessible PCI window does not cover the entire CPU address space, but
1453 @@ -169,7 +169,7 @@ static int pci_frv_write_config(struct p
1454 return PCIBIOS_SUCCESSFUL;
1455 }
1456
1457 -static struct pci_ops pci_direct_frv = {
1458 +static const struct pci_ops pci_direct_frv = {
1459 pci_frv_read_config,
1460 pci_frv_write_config,
1461 };
1462 @@ -356,7 +356,7 @@ void __init pcibios_fixup_bus(struct pci
1463
1464 int __init pcibios_init(void)
1465 {
1466 - struct pci_ops *dir = NULL;
1467 + const struct pci_ops *dir = NULL;
1468
1469 if (!mb93090_mb00_detected)
1470 return -ENXIO;
1471 diff -urNp linux-2.6.39.3/arch/frv/mm/elf-fdpic.c linux-2.6.39.3/arch/frv/mm/elf-fdpic.c
1472 --- linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-19 00:06:34.000000000 -0400
1473 +++ linux-2.6.39.3/arch/frv/mm/elf-fdpic.c 2011-05-22 19:36:30.000000000 -0400
1474 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1475 if (addr) {
1476 addr = PAGE_ALIGN(addr);
1477 vma = find_vma(current->mm, addr);
1478 - if (TASK_SIZE - len >= addr &&
1479 - (!vma || addr + len <= vma->vm_start))
1480 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1481 goto success;
1482 }
1483
1484 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1485 for (; vma; vma = vma->vm_next) {
1486 if (addr > limit)
1487 break;
1488 - if (addr + len <= vma->vm_start)
1489 + if (check_heap_stack_gap(vma, addr, len))
1490 goto success;
1491 addr = vma->vm_end;
1492 }
1493 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1494 for (; vma; vma = vma->vm_next) {
1495 if (addr > limit)
1496 break;
1497 - if (addr + len <= vma->vm_start)
1498 + if (check_heap_stack_gap(vma, addr, len))
1499 goto success;
1500 addr = vma->vm_end;
1501 }
1502 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c
1503 --- linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-19 00:06:34.000000000 -0400
1504 +++ linux-2.6.39.3/arch/ia64/hp/common/hwsw_iommu.c 2011-05-22 19:36:30.000000000 -0400
1505 @@ -17,7 +17,7 @@
1506 #include <linux/swiotlb.h>
1507 #include <asm/machvec.h>
1508
1509 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1510 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
1511
1512 /* swiotlb declarations & definitions: */
1513 extern int swiotlb_late_init_with_default_size (size_t size);
1514 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
1515 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
1516 }
1517
1518 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1519 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
1520 {
1521 if (use_swiotlb(dev))
1522 return &swiotlb_dma_ops;
1523 diff -urNp linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c
1524 --- linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-19 00:06:34.000000000 -0400
1525 +++ linux-2.6.39.3/arch/ia64/hp/common/sba_iommu.c 2011-05-22 19:36:30.000000000 -0400
1526 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
1527 },
1528 };
1529
1530 -extern struct dma_map_ops swiotlb_dma_ops;
1531 +extern const struct dma_map_ops swiotlb_dma_ops;
1532
1533 static int __init
1534 sba_init(void)
1535 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
1536
1537 __setup("sbapagesize=",sba_page_override);
1538
1539 -struct dma_map_ops sba_dma_ops = {
1540 +const struct dma_map_ops sba_dma_ops = {
1541 .alloc_coherent = sba_alloc_coherent,
1542 .free_coherent = sba_free_coherent,
1543 .map_page = sba_map_page,
1544 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h
1545 --- linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
1546 +++ linux-2.6.39.3/arch/ia64/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
1547 @@ -14,7 +14,7 @@
1548
1549 #define DMA_ERROR_CODE 0
1550
1551 -extern struct dma_map_ops *dma_ops;
1552 +extern const struct dma_map_ops *dma_ops;
1553 extern struct ia64_machine_vector ia64_mv;
1554 extern void set_iommu_machvec(void);
1555
1556 @@ -26,7 +26,7 @@ extern void machvec_dma_sync_sg(struct d
1557 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1558 dma_addr_t *daddr, gfp_t gfp)
1559 {
1560 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1561 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1562 void *caddr;
1563
1564 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1565 @@ -37,7 +37,7 @@ static inline void *dma_alloc_coherent(s
1566 static inline void dma_free_coherent(struct device *dev, size_t size,
1567 void *caddr, dma_addr_t daddr)
1568 {
1569 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1570 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1571 debug_dma_free_coherent(dev, size, caddr, daddr);
1572 ops->free_coherent(dev, size, caddr, daddr);
1573 }
1574 @@ -51,13 +51,13 @@ static inline void dma_free_coherent(str
1575
1576 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1577 {
1578 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1579 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1580 return ops->mapping_error(dev, daddr);
1581 }
1582
1583 static inline int dma_supported(struct device *dev, u64 mask)
1584 {
1585 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1586 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1587 return ops->dma_supported(dev, mask);
1588 }
1589
1590 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/elf.h linux-2.6.39.3/arch/ia64/include/asm/elf.h
1591 --- linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
1592 +++ linux-2.6.39.3/arch/ia64/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
1593 @@ -42,6 +42,13 @@
1594 */
1595 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1596
1597 +#ifdef CONFIG_PAX_ASLR
1598 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1599 +
1600 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1601 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1602 +#endif
1603 +
1604 #define PT_IA_64_UNWIND 0x70000001
1605
1606 /* IA-64 relocations: */
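Review bot: All three added macros test `current->personality == PER_LINUX32`, an exact comparison that stops matching as soon as any personality flag bit is set alongside the base personality. Masking first, `personality(current->personality) == PER_LINUX32`, keeps the 32-bit values in effect for such tasks. A short comment giving the number of random bits that `3*PAGE_SHIFT - 13` yields for the supported page sizes would also help.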
1607 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/machvec.h linux-2.6.39.3/arch/ia64/include/asm/machvec.h
1608 --- linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-19 00:06:34.000000000 -0400
1609 +++ linux-2.6.39.3/arch/ia64/include/asm/machvec.h 2011-05-22 19:36:30.000000000 -0400
1610 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1611 /* DMA-mapping interface: */
1612 typedef void ia64_mv_dma_init (void);
1613 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1614 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1615 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1616
1617 /*
1618 * WARNING: The legacy I/O space is _architected_. Platforms are
1619 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1620 # endif /* CONFIG_IA64_GENERIC */
1621
1622 extern void swiotlb_dma_init(void);
1623 -extern struct dma_map_ops *dma_get_ops(struct device *);
1624 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1625
1626 /*
1627 * Define default versions so we can extend machvec for new platforms without having
1628 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/pgtable.h linux-2.6.39.3/arch/ia64/include/asm/pgtable.h
1629 --- linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
1630 +++ linux-2.6.39.3/arch/ia64/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
1631 @@ -12,7 +12,7 @@
1632 * David Mosberger-Tang <davidm@hpl.hp.com>
1633 */
1634
1635 -
1636 +#include <linux/const.h>
1637 #include <asm/mman.h>
1638 #include <asm/page.h>
1639 #include <asm/processor.h>
1640 @@ -143,6 +143,17 @@
1641 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1642 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1643 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1644 +
1645 +#ifdef CONFIG_PAX_PAGEEXEC
1646 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1647 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1648 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1649 +#else
1650 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1651 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1652 +# define PAGE_COPY_NOEXEC PAGE_COPY
1653 +#endif
1654 +
1655 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1656 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1657 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
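Review bot: Under `CONFIG_PAX_PAGEEXEC`, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly what `PAGE_READONLY` and `PAGE_COPY` expand to on the context lines above, so for those two the `#ifdef` and `#else` arms are the same. If that also holds for `PAGE_SHARED` (its definition is outside the hunk), the conditional can be dropped and each alias defined once, e.g. `#define PAGE_READONLY_NOEXEC PAGE_READONLY`. A comment should then say that the base user protections here already carry no execute right.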
1658 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/spinlock.h linux-2.6.39.3/arch/ia64/include/asm/spinlock.h
1659 --- linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
1660 +++ linux-2.6.39.3/arch/ia64/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
1661 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1662 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1663
1664 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1665 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1666 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1667 }
1668
1669 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1670 diff -urNp linux-2.6.39.3/arch/ia64/include/asm/uaccess.h linux-2.6.39.3/arch/ia64/include/asm/uaccess.h
1671 --- linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
1672 +++ linux-2.6.39.3/arch/ia64/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
1673 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1674 const void *__cu_from = (from); \
1675 long __cu_len = (n); \
1676 \
1677 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1678 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1679 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1680 __cu_len; \
1681 })
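Review bot: The new length guard in this macro, and the matching one in the next hunk for the other copy direction, has no comment saying why `__cu_len` is bounded. A rejected length is returned unchanged, so a negative `n` comes back to the caller as a negative "bytes not copied" count. A one-line comment such as `/* reject negative or oversized lengths before __access_ok() sees them */` above the `if` would record the intent. `INT_MAX` must be visible wherever the macro expands, and whether this header already pulls it in is not shown here. Both macros start outside their hunks.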
1682 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1683 long __cu_len = (n); \
1684 \
1685 __chk_user_ptr(__cu_from); \
1686 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1687 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1688 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1689 __cu_len; \
1690 })
1691 diff -urNp linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c
1692 --- linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-19 00:06:34.000000000 -0400
1693 +++ linux-2.6.39.3/arch/ia64/kernel/dma-mapping.c 2011-05-22 19:36:30.000000000 -0400
1694 @@ -3,7 +3,7 @@
1695 /* Set this to 1 if there is a HW IOMMU in the system */
1696 int iommu_detected __read_mostly;
1697
1698 -struct dma_map_ops *dma_ops;
1699 +const struct dma_map_ops *dma_ops;
1700 EXPORT_SYMBOL(dma_ops);
1701
1702 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1703 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1704 }
1705 fs_initcall(dma_init);
1706
1707 -struct dma_map_ops *dma_get_ops(struct device *dev)
1708 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1709 {
1710 return dma_ops;
1711 }
1712 diff -urNp linux-2.6.39.3/arch/ia64/kernel/module.c linux-2.6.39.3/arch/ia64/kernel/module.c
1713 --- linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
1714 +++ linux-2.6.39.3/arch/ia64/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
1715 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1716 void
1717 module_free (struct module *mod, void *module_region)
1718 {
1719 - if (mod && mod->arch.init_unw_table &&
1720 - module_region == mod->module_init) {
1721 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1722 unw_remove_unwind_table(mod->arch.init_unw_table);
1723 mod->arch.init_unw_table = NULL;
1724 }
1725 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1726 }
1727
1728 static inline int
1729 +in_init_rx (const struct module *mod, uint64_t addr)
1730 +{
1731 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1732 +}
1733 +
1734 +static inline int
1735 +in_init_rw (const struct module *mod, uint64_t addr)
1736 +{
1737 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1738 +}
1739 +
1740 +static inline int
1741 in_init (const struct module *mod, uint64_t addr)
1742 {
1743 - return addr - (uint64_t) mod->module_init < mod->init_size;
1744 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1745 +}
1746 +
1747 +static inline int
1748 +in_core_rx (const struct module *mod, uint64_t addr)
1749 +{
1750 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1751 +}
1752 +
1753 +static inline int
1754 +in_core_rw (const struct module *mod, uint64_t addr)
1755 +{
1756 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1757 }
1758
1759 static inline int
1760 in_core (const struct module *mod, uint64_t addr)
1761 {
1762 - return addr - (uint64_t) mod->module_core < mod->core_size;
1763 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1764 }
1765
1766 static inline int
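Review bot: The four new range helpers (`in_init_rx`, `in_init_rw`, `in_core_rx`, `in_core_rw`) rely on unsigned wraparound to reject addresses below the region base, and nothing says so. A comment above the first one, e.g. `/* addr - base wraps to a huge value when addr < base, so one compare checks both bounds */`, would make the idiom clear. It should also state that a region with size 0 never matches, which is what keeps an unused region from claiming addresses.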
1767 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1768 break;
1769
1770 case RV_BDREL:
1771 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1772 + if (in_init_rx(mod, val))
1773 + val -= (uint64_t) mod->module_init_rx;
1774 + else if (in_init_rw(mod, val))
1775 + val -= (uint64_t) mod->module_init_rw;
1776 + else if (in_core_rx(mod, val))
1777 + val -= (uint64_t) mod->module_core_rx;
1778 + else if (in_core_rw(mod, val))
1779 + val -= (uint64_t) mod->module_core_rw;
1780 break;
1781
1782 case RV_LTV:
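Review bot: The `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is now passed on unadjusted, where the removed line always subtracted either the init or the core base. If that case is not expected, it is better rejected than left silent, for example with a trailing `else return -ENOEXEC;` (assuming do_reloc reports failures through its return value, which is not visible in this hunk). do_reloc starts and ends outside the hunk.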
1783 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1784 * addresses have been selected...
1785 */
1786 uint64_t gp;
1787 - if (mod->core_size > MAX_LTOFF)
1788 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1789 /*
1790 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1791 * at the end of the module.
1792 */
1793 - gp = mod->core_size - MAX_LTOFF / 2;
1794 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1795 else
1796 - gp = mod->core_size / 2;
1797 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1798 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1799 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1800 mod->arch.gp = gp;
1801 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1802 }
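Review bot: The `gp` offset is computed from `core_size_rx + core_size_rw` but added to `module_core_rx` alone, which is only valid if the rw region sits directly after the rx region in one contiguous range. If the two regions can be allocated separately, an offset larger than `core_size_rx` lands outside the rx region. A comment stating the layout assumption, or a check of it, belongs next to `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);`. The existing comment about SHF_ARCH_SMALL being allocated at the end of the module should also say which of the two regions it now refers to. The enclosing block in apply_relocate_add starts outside the hunk.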
1803 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-dma.c linux-2.6.39.3/arch/ia64/kernel/pci-dma.c
1804 --- linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
1805 +++ linux-2.6.39.3/arch/ia64/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
1806 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1807 .dma_mask = &fallback_dev.coherent_dma_mask,
1808 };
1809
1810 -extern struct dma_map_ops intel_dma_ops;
1811 +extern const struct dma_map_ops intel_dma_ops;
1812
1813 static int __init pci_iommu_init(void)
1814 {
1815 diff -urNp linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c
1816 --- linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
1817 +++ linux-2.6.39.3/arch/ia64/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
1818 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1819 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1820 }
1821
1822 -struct dma_map_ops swiotlb_dma_ops = {
1823 +const struct dma_map_ops swiotlb_dma_ops = {
1824 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1825 .free_coherent = swiotlb_free_coherent,
1826 .map_page = swiotlb_map_page,
1827 diff -urNp linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c
1828 --- linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-19 00:06:34.000000000 -0400
1829 +++ linux-2.6.39.3/arch/ia64/kernel/sys_ia64.c 2011-05-22 19:36:30.000000000 -0400
1830 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1831 if (REGION_NUMBER(addr) == RGN_HPAGE)
1832 addr = 0;
1833 #endif
1834 +
1835 +#ifdef CONFIG_PAX_RANDMMAP
1836 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1837 + addr = mm->free_area_cache;
1838 + else
1839 +#endif
1840 +
1841 if (!addr)
1842 addr = mm->free_area_cache;
1843
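Review bot: The added block ends in a bare `else` that is completed by the `if (!addr)` after the `#endif`, so the control flow only reads correctly with both preprocessor states in mind, and the blank line in between hides the link. Adding `/* else: fall through to the !addr test below */` on the `else` line, or folding both tests into one condition inside the `#ifdef`, makes that explicit. It is also worth a comment that with `MF_PAX_RANDMMAP` set the caller's address hint is discarded. arch_get_unmapped_area starts and ends outside the hunk.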
1844 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1845 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1846 /* At this point: (!vma || addr < vma->vm_end). */
1847 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1848 - if (start_addr != TASK_UNMAPPED_BASE) {
1849 + if (start_addr != mm->mmap_base) {
1850 /* Start a new search --- just in case we missed some holes. */
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = mm->mmap_base;
1853 goto full_search;
1854 }
1855 return -ENOMEM;
1856 }
1857 - if (!vma || addr + len <= vma->vm_start) {
1858 + if (check_heap_stack_gap(vma, addr, len)) {
1859 /* Remember the address where we stopped this search: */
1860 mm->free_area_cache = addr + len;
1861 return addr;
1862 diff -urNp linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S
1863 --- linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
1864 +++ linux-2.6.39.3/arch/ia64/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
1865 @@ -199,7 +199,7 @@ SECTIONS {
1866 /* Per-cpu data: */
1867 . = ALIGN(PERCPU_PAGE_SIZE);
1868 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1869 - __phys_per_cpu_start = __per_cpu_load;
1870 + __phys_per_cpu_start = per_cpu_load;
1871 /*
1872 * ensure percpu data fits
1873 * into percpu page size
1874 diff -urNp linux-2.6.39.3/arch/ia64/mm/fault.c linux-2.6.39.3/arch/ia64/mm/fault.c
1875 --- linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
1876 +++ linux-2.6.39.3/arch/ia64/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
1877 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1878 return pte_present(pte);
1879 }
1880
1881 +#ifdef CONFIG_PAX_PAGEEXEC
1882 +void pax_report_insns(void *pc, void *sp)
1883 +{
1884 + unsigned long i;
1885 +
1886 + printk(KERN_ERR "PAX: bytes at PC: ");
1887 + for (i = 0; i < 8; i++) {
1888 + unsigned int c;
1889 + if (get_user(c, (unsigned int *)pc+i))
1890 + printk(KERN_CONT "???????? ");
1891 + else
1892 + printk(KERN_CONT "%08x ", c);
1893 + }
1894 + printk("\n");
1895 +}
1896 +#endif
1897 +
1898 void __kprobes
1899 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1900 {
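Review bot: In `pax_report_insns` the closing `printk("\n")` carries no log level while the preceding pieces use `KERN_CONT`. Using `printk(KERN_CONT "\n");` keeps the output on one record. The pointer handed to `get_user` loses its user-space annotation in the cast, and `(unsigned int __user *)pc+i` would keep static checkers quiet. `sp` is unused, which deserves a one-line comment if the signature is fixed by a prototype shared with other architectures.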
1901 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1902 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1903 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1904
1905 - if ((vma->vm_flags & mask) != mask)
1906 + if ((vma->vm_flags & mask) != mask) {
1907 +
1908 +#ifdef CONFIG_PAX_PAGEEXEC
1909 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1910 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1911 + goto bad_area;
1912 +
1913 + up_read(&mm->mmap_sem);
1914 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1915 + do_group_exit(SIGKILL);
1916 + }
1917 +#endif
1918 +
1919 goto bad_area;
1920
1921 + }
1922 +
1923 /*
1924 * If for any reason at all we couldn't handle the fault, make
1925 * sure we exit gracefully rather than endlessly redo the
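Review bot: The PAGEEXEC branch releases `mmap_sem` and then relies on `do_group_exit(SIGKILL)` never returning. If it did return, control would reach `goto bad_area` with the semaphore already dropped, and the `bad_area` path (outside the hunk) presumably releases it again. A `/* not reached */` comment after the call would document the dependency. The blank lines after the new `{` and after `goto bad_area;` can be removed.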
1926 diff -urNp linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c
1927 --- linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
1928 +++ linux-2.6.39.3/arch/ia64/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
1929 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1930 /* At this point: (!vmm || addr < vmm->vm_end). */
1931 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1932 return -ENOMEM;
1933 - if (!vmm || (addr + len) <= vmm->vm_start)
1934 + if (check_heap_stack_gap(vmm, addr, len))
1935 return addr;
1936 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1937 }
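Review bot: Replacing `!vmm || (addr + len) <= vmm->vm_start` with `check_heap_stack_gap(vmm, addr, len)` moves the NULL test into a helper that is not visible here, while the next line still dereferences `vmm->vm_end`. That is safe only if the helper returns true for a NULL vma. A comment at the call, e.g. `/* check_heap_stack_gap() accepts a NULL vma and then returns true */`, would make the dependency visible. The same applies to the `vma` loop changed in the arch/ia64/kernel/sys_ia64.c hunk. The enclosing loop starts outside this hunk.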
1938 diff -urNp linux-2.6.39.3/arch/ia64/mm/init.c linux-2.6.39.3/arch/ia64/mm/init.c
1939 --- linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-19 00:06:34.000000000 -0400
1940 +++ linux-2.6.39.3/arch/ia64/mm/init.c 2011-05-22 19:36:30.000000000 -0400
1941 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1942 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1943 vma->vm_end = vma->vm_start + PAGE_SIZE;
1944 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1945 +
1946 +#ifdef CONFIG_PAX_PAGEEXEC
1947 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1948 + vma->vm_flags &= ~VM_EXEC;
1949 +
1950 +#ifdef CONFIG_PAX_MPROTECT
1951 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1952 + vma->vm_flags &= ~VM_MAYEXEC;
1953 +#endif
1954 +
1955 + }
1956 +#endif
1957 +
1958 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1959 down_write(&current->mm->mmap_sem);
1960 if (insert_vm_struct(current->mm, vma)) {
1961 diff -urNp linux-2.6.39.3/arch/ia64/pci/pci.c linux-2.6.39.3/arch/ia64/pci/pci.c
1962 --- linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
1963 +++ linux-2.6.39.3/arch/ia64/pci/pci.c 2011-05-22 19:36:30.000000000 -0400
1964 @@ -109,7 +109,7 @@ static int pci_write(struct pci_bus *bus
1965 devfn, where, size, value);
1966 }
1967
1968 -struct pci_ops pci_root_ops = {
1969 +const struct pci_ops pci_root_ops = {
1970 .read = pci_read,
1971 .write = pci_write,
1972 };
1973 diff -urNp linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c
1974 --- linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-19 00:06:34.000000000 -0400
1975 +++ linux-2.6.39.3/arch/ia64/sn/pci/pci_dma.c 2011-05-22 19:36:30.000000000 -0400
1976 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1977 return ret;
1978 }
1979
1980 -static struct dma_map_ops sn_dma_ops = {
1981 +static const struct dma_map_ops sn_dma_ops = {
1982 .alloc_coherent = sn_dma_alloc_coherent,
1983 .free_coherent = sn_dma_free_coherent,
1984 .map_page = sn_dma_map_page,
1985 diff -urNp linux-2.6.39.3/arch/m32r/lib/usercopy.c linux-2.6.39.3/arch/m32r/lib/usercopy.c
1986 --- linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-19 00:06:34.000000000 -0400
1987 +++ linux-2.6.39.3/arch/m32r/lib/usercopy.c 2011-05-22 19:36:30.000000000 -0400
1988 @@ -14,6 +14,9 @@
1989 unsigned long
1990 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1991 {
1992 + if ((long)n < 0)
1993 + return n;
1994 +
1995 prefetch(from);
1996 if (access_ok(VERIFY_WRITE, to, n))
1997 __copy_user(to,from,n);
1998 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1999 unsigned long
2000 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
2001 {
2002 + if ((long)n < 0)
2003 + return n;
2004 +
2005 prefetchw(to);
2006 if (access_ok(VERIFY_READ, from, n))
2007 __copy_user_zeroing(to,from,n);
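Review bot: In `__generic_copy_from_user` the new early return for `(long)n < 0` leaves `to` untouched, so a caller that ignores the non-zero result carries on with whatever the buffer held before. The buffer cannot sensibly be cleared for such a length, so this should at least be stated, e.g. `/* oversized length: nothing copied, destination left as is */`. The same check in `__generic_copy_to_user` in the previous hunk has no such side effect but would benefit from a matching one-line comment. Both function bodies continue outside their hunks.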
2008 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/device.h linux-2.6.39.3/arch/microblaze/include/asm/device.h
2009 --- linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2010 +++ linux-2.6.39.3/arch/microblaze/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2011 @@ -13,7 +13,7 @@ struct device_node;
2012
2013 struct dev_archdata {
2014 /* DMA operations on that device */
2015 - struct dma_map_ops *dma_ops;
2016 + const struct dma_map_ops *dma_ops;
2017 void *dma_data;
2018 };
2019
2020 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h
2021 --- linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2022 +++ linux-2.6.39.3/arch/microblaze/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2023 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
2024 return 0xfffffffful;
2025 }
2026
2027 -extern struct dma_map_ops *dma_ops;
2028 +extern const struct dma_map_ops *dma_ops;
2029
2030 /*
2031 * Available generic sets of operations
2032 */
2033 -extern struct dma_map_ops dma_direct_ops;
2034 +extern const struct dma_map_ops dma_direct_ops;
2035
2036 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2037 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2038 {
2039 /* We don't handle the NULL dev case for ISA for now. We could
2040 * do it via an out of line call but it is not needed for now. The
2041 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
2042 return dev->archdata.dma_ops;
2043 }
2044
2045 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2046 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2047 {
2048 dev->archdata.dma_ops = ops;
2049 }
2050
2051 static inline int dma_supported(struct device *dev, u64 mask)
2052 {
2053 - struct dma_map_ops *ops = get_dma_ops(dev);
2054 + const struct dma_map_ops *ops = get_dma_ops(dev);
2055
2056 if (unlikely(!ops))
2057 return 0;
2058 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
2059
2060 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2061 {
2062 - struct dma_map_ops *ops = get_dma_ops(dev);
2063 + const struct dma_map_ops *ops = get_dma_ops(dev);
2064
2065 if (unlikely(ops == NULL))
2066 return -EIO;
2067 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
2068
2069 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2070 {
2071 - struct dma_map_ops *ops = get_dma_ops(dev);
2072 + const struct dma_map_ops *ops = get_dma_ops(dev);
2073 if (ops->mapping_error)
2074 return ops->mapping_error(dev, dma_addr);
2075
2076 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
2077 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2078 dma_addr_t *dma_handle, gfp_t flag)
2079 {
2080 - struct dma_map_ops *ops = get_dma_ops(dev);
2081 + const struct dma_map_ops *ops = get_dma_ops(dev);
2082 void *memory;
2083
2084 BUG_ON(!ops);
2085 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
2086 static inline void dma_free_coherent(struct device *dev, size_t size,
2087 void *cpu_addr, dma_addr_t dma_handle)
2088 {
2089 - struct dma_map_ops *ops = get_dma_ops(dev);
2090 + const struct dma_map_ops *ops = get_dma_ops(dev);
2091
2092 BUG_ON(!ops);
2093 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
2094 diff -urNp linux-2.6.39.3/arch/microblaze/include/asm/pci.h linux-2.6.39.3/arch/microblaze/include/asm/pci.h
2095 --- linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
2096 +++ linux-2.6.39.3/arch/microblaze/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
2097 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
2098 }
2099
2100 #ifdef CONFIG_PCI
2101 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2102 -extern struct dma_map_ops *get_pci_dma_ops(void);
2103 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2104 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2105 #else /* CONFIG_PCI */
2106 #define set_pci_dma_ops(d)
2107 #define get_pci_dma_ops() NULL
2108 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/dma.c linux-2.6.39.3/arch/microblaze/kernel/dma.c
2109 --- linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
2110 +++ linux-2.6.39.3/arch/microblaze/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
2111 @@ -134,7 +134,7 @@ static inline void dma_direct_unmap_page
2112 __dma_sync_page(dma_address, 0 , size, direction);
2113 }
2114
2115 -struct dma_map_ops dma_direct_ops = {
2116 +const struct dma_map_ops dma_direct_ops = {
2117 .alloc_coherent = dma_direct_alloc_coherent,
2118 .free_coherent = dma_direct_free_coherent,
2119 .map_sg = dma_direct_map_sg,
2120 diff -urNp linux-2.6.39.3/arch/microblaze/kernel/kgdb.c linux-2.6.39.3/arch/microblaze/kernel/kgdb.c
2121 --- linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2122 +++ linux-2.6.39.3/arch/microblaze/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2123 @@ -141,7 +141,7 @@ void kgdb_arch_exit(void)
2124 /*
2125 * Global data
2126 */
2127 -struct kgdb_arch arch_kgdb_ops = {
2128 +const struct kgdb_arch arch_kgdb_ops = {
2129 #ifdef __MICROBLAZEEL__
2130 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
2131 #else
2132 diff -urNp linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c
2133 --- linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
2134 +++ linux-2.6.39.3/arch/microblaze/pci/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
2135 @@ -140,7 +140,7 @@ indirect_write_config(struct pci_bus *bu
2136 return PCIBIOS_SUCCESSFUL;
2137 }
2138
2139 -static struct pci_ops indirect_pci_ops = {
2140 +static const struct pci_ops indirect_pci_ops = {
2141 .read = indirect_read_config,
2142 .write = indirect_write_config,
2143 };
2144 diff -urNp linux-2.6.39.3/arch/microblaze/pci/pci-common.c linux-2.6.39.3/arch/microblaze/pci/pci-common.c
2145 --- linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-19 00:06:34.000000000 -0400
2146 +++ linux-2.6.39.3/arch/microblaze/pci/pci-common.c 2011-05-22 19:36:30.000000000 -0400
2147 @@ -48,14 +48,14 @@ resource_size_t isa_mem_base;
2148 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
2149 unsigned int pci_flags;
2150
2151 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2152 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2153
2154 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2155 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2156 {
2157 pci_dma_ops = dma_ops;
2158 }
2159
2160 -struct dma_map_ops *get_pci_dma_ops(void)
2161 +const struct dma_map_ops *get_pci_dma_ops(void)
2162 {
2163 return pci_dma_ops;
2164 }
2165 @@ -1583,7 +1583,7 @@ null_write_config(struct pci_bus *bus, u
2166 return PCIBIOS_DEVICE_NOT_FOUND;
2167 }
2168
2169 -static struct pci_ops null_pci_ops = {
2170 +static const struct pci_ops null_pci_ops = {
2171 .read = null_read_config,
2172 .write = null_write_config,
2173 };
2174 diff -urNp linux-2.6.39.3/arch/mips/alchemy/common/pci.c linux-2.6.39.3/arch/mips/alchemy/common/pci.c
2175 --- linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2176 +++ linux-2.6.39.3/arch/mips/alchemy/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2177 @@ -51,7 +51,7 @@ static struct resource pci_mem_resource
2178 .flags = IORESOURCE_MEM
2179 };
2180
2181 -extern struct pci_ops au1x_pci_ops;
2182 +extern const struct pci_ops au1x_pci_ops;
2183
2184 static struct pci_controller au1x_controller = {
2185 .pci_ops = &au1x_pci_ops,
2186 diff -urNp linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c
2187 --- linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-19 00:06:34.000000000 -0400
2188 +++ linux-2.6.39.3/arch/mips/cavium-octeon/dma-octeon.c 2011-05-22 19:36:30.000000000 -0400
2189 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
2190 }
2191
2192 struct octeon_dma_map_ops {
2193 - struct dma_map_ops dma_map_ops;
2194 + const struct dma_map_ops dma_map_ops;
2195 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
2196 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
2197 };
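Review bot: Qualifying the embedded `dma_map_ops` member as `const` does not make instances of `struct octeon_dma_map_ops` read-only. The `phys_to_dma` and `dma_to_phys` pointers next to it stay writable, and the instance named in the next hunk header is still declared `static struct octeon_dma_map_ops`. If the aim is that these tables cannot be modified after initialisation, declaring the instances themselves `const` covers all three members, provided nothing assigns to them at run time (not visible here).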
2198 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
2199 },
2200 };
2201
2202 -struct dma_map_ops *octeon_pci_dma_map_ops;
2203 +const struct dma_map_ops *octeon_pci_dma_map_ops;
2204
2205 void __init octeon_pci_dma_init(void)
2206 {
2207 diff -urNp linux-2.6.39.3/arch/mips/cobalt/pci.c linux-2.6.39.3/arch/mips/cobalt/pci.c
2208 --- linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-19 00:06:34.000000000 -0400
2209 +++ linux-2.6.39.3/arch/mips/cobalt/pci.c 2011-05-22 19:36:30.000000000 -0400
2210 @@ -14,7 +14,7 @@
2211
2212 #include <asm/gt64120.h>
2213
2214 -extern struct pci_ops gt64xxx_pci0_ops;
2215 +extern const struct pci_ops gt64xxx_pci0_ops;
2216
2217 static struct resource cobalt_mem_resource = {
2218 .start = GT_DEF_PCI0_MEM0_BASE,
2219 diff -urNp linux-2.6.39.3/arch/mips/include/asm/device.h linux-2.6.39.3/arch/mips/include/asm/device.h
2220 --- linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
2221 +++ linux-2.6.39.3/arch/mips/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
2222 @@ -10,7 +10,7 @@ struct dma_map_ops;
2223
2224 struct dev_archdata {
2225 /* DMA operations on that device */
2226 - struct dma_map_ops *dma_ops;
2227 + const struct dma_map_ops *dma_ops;
2228 };
2229
2230 struct pdev_archdata {
2231 diff -urNp linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h
2232 --- linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
2233 +++ linux-2.6.39.3/arch/mips/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
2234 @@ -9,9 +9,9 @@
2235 #include <dma-coherence.h>
2236 #endif
2237
2238 -extern struct dma_map_ops *mips_dma_map_ops;
2239 +extern const struct dma_map_ops *mips_dma_map_ops;
2240
2241 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2242 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2243 {
2244 if (dev && dev->archdata.dma_ops)
2245 return dev->archdata.dma_ops;
2246 @@ -33,13 +33,13 @@ static inline void dma_mark_clean(void *
2247
2248 static inline int dma_supported(struct device *dev, u64 mask)
2249 {
2250 - struct dma_map_ops *ops = get_dma_ops(dev);
2251 + const struct dma_map_ops *ops = get_dma_ops(dev);
2252 return ops->dma_supported(dev, mask);
2253 }
2254
2255 static inline int dma_mapping_error(struct device *dev, u64 mask)
2256 {
2257 - struct dma_map_ops *ops = get_dma_ops(dev);
2258 + const struct dma_map_ops *ops = get_dma_ops(dev);
2259 return ops->mapping_error(dev, mask);
2260 }
2261
2262 @@ -61,7 +61,7 @@ static inline void *dma_alloc_coherent(s
2263 dma_addr_t *dma_handle, gfp_t gfp)
2264 {
2265 void *ret;
2266 - struct dma_map_ops *ops = get_dma_ops(dev);
2267 + const struct dma_map_ops *ops = get_dma_ops(dev);
2268
2269 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
2270
2271 @@ -73,7 +73,7 @@ static inline void *dma_alloc_coherent(s
2272 static inline void dma_free_coherent(struct device *dev, size_t size,
2273 void *vaddr, dma_addr_t dma_handle)
2274 {
2275 - struct dma_map_ops *ops = get_dma_ops(dev);
2276 + const struct dma_map_ops *ops = get_dma_ops(dev);
2277
2278 ops->free_coherent(dev, size, vaddr, dma_handle);
2279
2280 diff -urNp linux-2.6.39.3/arch/mips/include/asm/elf.h linux-2.6.39.3/arch/mips/include/asm/elf.h
2281 --- linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
2282 +++ linux-2.6.39.3/arch/mips/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
2283 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
2284 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
2285 #endif
2286
2287 +#ifdef CONFIG_PAX_ASLR
2288 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2289 +
2290 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2291 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2292 +#endif
2293 +
2294 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2295 struct linux_binprm;
2296 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
2297 int uses_interp);
2298
2299 -struct mm_struct;
2300 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2301 -#define arch_randomize_brk arch_randomize_brk
2302 -
2303 #endif /* _ASM_ELF_H */
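Review bot: `PAX_ELF_ET_DYN_BASE` selects between two identical values, `(TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)`, so the test has no effect. Either write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`, or correct the second arm if a different 64-bit base was intended. The hunk also removes the `arch_randomize_brk` declaration and its `#define`, and a comment naming what takes over brk randomisation on this architecture would help.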
2304 diff -urNp linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
2305 --- linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-19 00:06:34.000000000 -0400
2306 +++ linux-2.6.39.3/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-05-22 19:36:30.000000000 -0400
2307 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
2308 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
2309
2310 struct dma_map_ops;
2311 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
2312 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
2313 extern char *octeon_swiotlb;
2314
2315 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
2316 diff -urNp linux-2.6.39.3/arch/mips/include/asm/page.h linux-2.6.39.3/arch/mips/include/asm/page.h
2317 --- linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
2318 +++ linux-2.6.39.3/arch/mips/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
2319 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
2320 #ifdef CONFIG_CPU_MIPS32
2321 typedef struct { unsigned long pte_low, pte_high; } pte_t;
2322 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
2323 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
2324 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
2325 #else
2326 typedef struct { unsigned long long pte; } pte_t;
2327 #define pte_val(x) ((x).pte)
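Review bot: With the cast dropped, `(x) >> 32` in the new `__pte(x)` is evaluated in the type of the argument, so a caller passing a 32-bit value shifts by the full width of its type, which is undefined behaviour in C. This is the `CONFIG_CPU_MIPS32` branch, where `unsigned long` is presumably 32 bits wide. The old form `((unsigned long long)(x)) >> 32` was defined for any integer argument. The callers are not visible in this hunk, so the change may rely on every argument already being 64-bit. If so, state that in a comment next to the macro; otherwise keep the widening cast.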
2328 diff -urNp linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h
2329 --- linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-19 00:06:34.000000000 -0400
2330 +++ linux-2.6.39.3/arch/mips/include/asm/pci/bridge.h 2011-05-22 19:36:30.000000000 -0400
2331 @@ -849,6 +849,6 @@ struct bridge_controller {
2332 extern void register_bridge_irq(unsigned int irq);
2333 extern int request_bridge_irq(struct bridge_controller *bc);
2334
2335 -extern struct pci_ops bridge_pci_ops;
2336 +extern const struct pci_ops bridge_pci_ops;
2337
2338 #endif /* _ASM_PCI_BRIDGE_H */
2339 diff -urNp linux-2.6.39.3/arch/mips/include/asm/system.h linux-2.6.39.3/arch/mips/include/asm/system.h
2340 --- linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
2341 +++ linux-2.6.39.3/arch/mips/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
2342 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
2343 */
2344 #define __ARCH_WANT_UNLOCKED_CTXSW
2345
2346 -extern unsigned long arch_align_stack(unsigned long sp);
2347 +#define arch_align_stack(x) ((x) & ~0xfUL)
2348
2349 #endif /* _ASM_SYSTEM_H */
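Review bot: The added `arch_align_stack(x)` macro is unconditional, but the function it replaces (removed in the process.c hunk) also subtracted `get_random_int() & ~PAGE_MASK` from the stack pointer unless `ADDR_NO_RANDOMIZE` was set. A kernel built from this tree without the PaX randomisation options therefore appears to lose that sub-page stack offset. The elf.h and syscall.c hunks remove `arch_randomize_brk` in the same way, while the replacement `PAX_DELTA_*` macros are guarded by `CONFIG_PAX_ASLR`. If that is intended, a comment above the macro such as `/* alignment only; randomisation is done elsewhere */` would record it. The macro also hard-codes `~0xfUL` where the old code used `ALMASK`, so the removed comment's 8-byte versus 16-byte ABI distinction is no longer expressed.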
2350 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c
2351 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-19 00:06:34.000000000 -0400
2352 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfn32.c 2011-05-22 19:36:30.000000000 -0400
2353 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2354 #undef ELF_ET_DYN_BASE
2355 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2356
2357 +#ifdef CONFIG_PAX_ASLR
2358 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2359 +
2360 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2361 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2362 +#endif
2363 +
2364 #include <asm/processor.h>
2365 #include <linux/module.h>
2366 #include <linux/elfcore.h>
2367 diff -urNp linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c
2368 --- linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-19 00:06:34.000000000 -0400
2369 +++ linux-2.6.39.3/arch/mips/kernel/binfmt_elfo32.c 2011-05-22 19:36:30.000000000 -0400
2370 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
2371 #undef ELF_ET_DYN_BASE
2372 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
2373
2374 +#ifdef CONFIG_PAX_ASLR
2375 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
2376 +
2377 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2378 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
2379 +#endif
2380 +
2381 #include <asm/processor.h>
2382
2383 /*
2384 diff -urNp linux-2.6.39.3/arch/mips/kernel/kgdb.c linux-2.6.39.3/arch/mips/kernel/kgdb.c
2385 --- linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
2386 +++ linux-2.6.39.3/arch/mips/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
2387 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
2388 return -1;
2389 }
2390
2391 -struct kgdb_arch arch_kgdb_ops;
2392 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
2393
2394 /*
2395 * We use kgdb_early_setup so that functions we need to call now don't
2396 diff -urNp linux-2.6.39.3/arch/mips/kernel/process.c linux-2.6.39.3/arch/mips/kernel/process.c
2397 --- linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
2398 +++ linux-2.6.39.3/arch/mips/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
2399 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
2400 out:
2401 return pc;
2402 }
2403 -
2404 -/*
2405 - * Don't forget that the stack pointer must be aligned on a 8 bytes
2406 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
2407 - */
2408 -unsigned long arch_align_stack(unsigned long sp)
2409 -{
2410 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2411 - sp -= get_random_int() & ~PAGE_MASK;
2412 -
2413 - return sp & ALMASK;
2414 -}
2415 diff -urNp linux-2.6.39.3/arch/mips/kernel/syscall.c linux-2.6.39.3/arch/mips/kernel/syscall.c
2416 --- linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-19 00:06:34.000000000 -0400
2417 +++ linux-2.6.39.3/arch/mips/kernel/syscall.c 2011-05-22 19:36:30.000000000 -0400
2418 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
2419 do_color_align = 0;
2420 if (filp || (flags & MAP_SHARED))
2421 do_color_align = 1;
2422 +
2423 +#ifdef CONFIG_PAX_RANDMMAP
2424 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
2425 +#endif
2426 +
2427 if (addr) {
2428 if (do_color_align)
2429 addr = COLOUR_ALIGN(addr, pgoff);
2430 else
2431 addr = PAGE_ALIGN(addr);
2432 vmm = find_vma(current->mm, addr);
2433 - if (task_size - len >= addr &&
2434 - (!vmm || addr + len <= vmm->vm_start))
2435 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
2436 return addr;
2437 }
2438 addr = current->mm->mmap_base;
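Review bot: The brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` governs the following `if (addr) {` block only by adjacency across `#endif` and a blank line, so a statement later inserted between them silently changes what is skipped. Since `addr` is overwritten from `current->mm->mmap_base` immediately after the block, the same effect can be kept inside the `#ifdef` as `if (current->mm->pax_flags & MF_PAX_RANDMMAP) addr = 0;`. A comment there should say that the caller's address hint is deliberately ignored under RANDMMAP. `check_heap_stack_gap()` is defined outside this chunk, and arch_get_unmapped_area starts and ends outside the hunk, so the earlier checks on `len` cannot be confirmed from here.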
2439 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
2440 /* At this point: (!vmm || addr < vmm->vm_end). */
2441 if (task_size - len < addr)
2442 return -ENOMEM;
2443 - if (!vmm || addr + len <= vmm->vm_start)
2444 + if (check_heap_stack_gap(vmm, addr, len))
2445 return addr;
2446 addr = vmm->vm_end;
2447 if (do_color_align)
2448 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
2449 mm->unmap_area = arch_unmap_area;
2450 }
2451
2452 -static inline unsigned long brk_rnd(void)
2453 -{
2454 - unsigned long rnd = get_random_int();
2455 -
2456 - rnd = rnd << PAGE_SHIFT;
2457 - /* 8MB for 32bit, 256MB for 64bit */
2458 - if (TASK_IS_32BIT_ADDR)
2459 - rnd = rnd & 0x7ffffful;
2460 - else
2461 - rnd = rnd & 0xffffffful;
2462 -
2463 - return rnd;
2464 -}
2465 -
2466 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2467 -{
2468 - unsigned long base = mm->brk;
2469 - unsigned long ret;
2470 -
2471 - ret = PAGE_ALIGN(base + brk_rnd());
2472 -
2473 - if (ret < mm->brk)
2474 - return mm->brk;
2475 -
2476 - return ret;
2477 -}
2478 -
2479 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
2480 unsigned long, prot, unsigned long, flags, unsigned long,
2481 fd, off_t, offset)
2482 diff -urNp linux-2.6.39.3/arch/mips/mm/dma-default.c linux-2.6.39.3/arch/mips/mm/dma-default.c
2483 --- linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-19 00:06:34.000000000 -0400
2484 +++ linux-2.6.39.3/arch/mips/mm/dma-default.c 2011-05-22 19:36:30.000000000 -0400
2485 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
2486
2487 EXPORT_SYMBOL(dma_cache_sync);
2488
2489 -static struct dma_map_ops mips_default_dma_map_ops = {
2490 +static const struct dma_map_ops mips_default_dma_map_ops = {
2491 .alloc_coherent = mips_dma_alloc_coherent,
2492 .free_coherent = mips_dma_free_coherent,
2493 .map_page = mips_dma_map_page,
2494 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
2495 .dma_supported = mips_dma_supported
2496 };
2497
2498 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2499 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
2500 EXPORT_SYMBOL(mips_dma_map_ops);
2501
2502 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
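Review bot: `const struct dma_map_ops *mips_dma_map_ops` makes the pointed-to table read-only, but the exported pointer itself stays a writable global. The change therefore protects the function-pointer table, not the choice of which table is in use. Whether the pointer could also be declared `*const` depends on assignments outside this hunk. The same applies to `octeon_pci_dma_map_ops` in the dma-coherence.h hunk and to `pci_root_ops` in the mn10300 hunks. A comment at the definition noting that the pointer is intentionally left mutable would make the remaining exposure explicit.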
2503 diff -urNp linux-2.6.39.3/arch/mips/mm/fault.c linux-2.6.39.3/arch/mips/mm/fault.c
2504 --- linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
2505 +++ linux-2.6.39.3/arch/mips/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
2506 @@ -28,6 +28,23 @@
2507 #include <asm/highmem.h> /* For VMALLOC_END */
2508 #include <linux/kdebug.h>
2509
2510 +#ifdef CONFIG_PAX_PAGEEXEC
2511 +void pax_report_insns(void *pc, void *sp)
2512 +{
2513 + unsigned long i;
2514 +
2515 + printk(KERN_ERR "PAX: bytes at PC: ");
2516 + for (i = 0; i < 5; i++) {
2517 + unsigned int c;
2518 + if (get_user(c, (unsigned int *)pc+i))
2519 + printk(KERN_CONT "???????? ");
2520 + else
2521 + printk(KERN_CONT "%08x ", c);
2522 + }
2523 + printk("\n");
2524 +}
2525 +#endif
2526 +
2527 /*
2528 * This routine handles page faults. It determines the address,
2529 * and the problem, and then passes it off to one of the appropriate
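Review bot: `get_user(c, (unsigned int *)pc+i)` in the added pax_report_insns reads user memory through a cast with no `__user` annotation, which sparse address-space checking would be expected to flag. `get_user(c, (unsigned int __user *)pc + i)` states the intent. The `sp` parameter is never used in the body, and the closing `printk("\n")` omits the `KERN_CONT` that the other continuation prints carry. A one-line comment would document the log format: the function dumps five 32-bit words starting at the faulting PC and prints `????????` for any word that cannot be read.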
2530 diff -urNp linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c
2531 --- linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-19 00:06:34.000000000 -0400
2532 +++ linux-2.6.39.3/arch/mips/mti-malta/malta-pci.c 2011-05-22 19:36:30.000000000 -0400
2533 @@ -64,9 +64,9 @@ static struct resource msc_io_resource =
2534 .flags = IORESOURCE_IO,
2535 };
2536
2537 -extern struct pci_ops bonito64_pci_ops;
2538 -extern struct pci_ops gt64xxx_pci0_ops;
2539 -extern struct pci_ops msc_pci_ops;
2540 +extern const struct pci_ops bonito64_pci_ops;
2541 +extern const struct pci_ops gt64xxx_pci0_ops;
2542 +extern const struct pci_ops msc_pci_ops;
2543
2544 static struct pci_controller bonito64_controller = {
2545 .pci_ops = &bonito64_pci_ops,
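Review bot: These `extern const struct pci_ops ...` declarations sit in the .c file rather than in a shared header, so the compiler never compares them with the definitions in ops-bonito64.c, ops-gt64xxx_pci0.c and ops-msc.c. A declaration that missed the `const` would still build and silently disagree with its definition. `gt64xxx_pci0_ops` alone is redeclared in this file, pci-lasat.c and wrppmc/pci.c within this patch. Moving the declarations into one header included by both the defining file and its users would let the compiler check the qualifier. The `.pci_ops = &bonito64_pci_ops` initialiser also needs the `pci_ops` member of `struct pci_controller` to be pointer-to-const, which is not changed anywhere in this chunk.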
2546 diff -urNp linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c
2547 --- linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2548 +++ linux-2.6.39.3/arch/mips/nxp/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2549 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2550 .flags = IORESOURCE_MEM
2551 };
2552
2553 -extern struct pci_ops pnx8550_pci_ops;
2554 +extern const struct pci_ops pnx8550_pci_ops;
2555
2556 static struct pci_controller pnx8550_controller = {
2557 .pci_ops = &pnx8550_pci_ops,
2558 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-au1000.c linux-2.6.39.3/arch/mips/pci/ops-au1000.c
2559 --- linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-19 00:06:34.000000000 -0400
2560 +++ linux-2.6.39.3/arch/mips/pci/ops-au1000.c 2011-05-22 19:36:30.000000000 -0400
2561 @@ -302,7 +302,7 @@ static int config_write(struct pci_bus *
2562 }
2563 }
2564
2565 -struct pci_ops au1x_pci_ops = {
2566 +const struct pci_ops au1x_pci_ops = {
2567 config_read,
2568 config_write
2569 };
2570 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c
2571 --- linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-19 00:06:34.000000000 -0400
2572 +++ linux-2.6.39.3/arch/mips/pci/ops-bcm63xx.c 2011-05-22 19:36:30.000000000 -0400
2573 @@ -173,7 +173,7 @@ static int bcm63xx_pci_write(struct pci_
2574 where, size, val);
2575 }
2576
2577 -struct pci_ops bcm63xx_pci_ops = {
2578 +const struct pci_ops bcm63xx_pci_ops = {
2579 .read = bcm63xx_pci_read,
2580 .write = bcm63xx_pci_write
2581 };
2582 @@ -402,7 +402,7 @@ static int bcm63xx_cb_write(struct pci_b
2583 return PCIBIOS_DEVICE_NOT_FOUND;
2584 }
2585
2586 -struct pci_ops bcm63xx_cb_ops = {
2587 +const struct pci_ops bcm63xx_cb_ops = {
2588 .read = bcm63xx_cb_read,
2589 .write = bcm63xx_cb_write,
2590 };
2591 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bonito64.c linux-2.6.39.3/arch/mips/pci/ops-bonito64.c
2592 --- linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-19 00:06:34.000000000 -0400
2593 +++ linux-2.6.39.3/arch/mips/pci/ops-bonito64.c 2011-05-22 19:36:30.000000000 -0400
2594 @@ -155,7 +155,7 @@ static int bonito64_pcibios_write(struct
2595 return PCIBIOS_SUCCESSFUL;
2596 }
2597
2598 -struct pci_ops bonito64_pci_ops = {
2599 +const struct pci_ops bonito64_pci_ops = {
2600 .read = bonito64_pcibios_read,
2601 .write = bonito64_pcibios_write
2602 };
2603 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-bridge.c linux-2.6.39.3/arch/mips/pci/ops-bridge.c
2604 --- linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-19 00:06:34.000000000 -0400
2605 +++ linux-2.6.39.3/arch/mips/pci/ops-bridge.c 2011-05-22 19:36:30.000000000 -0400
2606 @@ -316,7 +316,7 @@ static int pci_write_config(struct pci_b
2607 return pci_conf0_write_config(bus, devfn, where, size, value);
2608 }
2609
2610 -struct pci_ops bridge_pci_ops = {
2611 +const struct pci_ops bridge_pci_ops = {
2612 .read = pci_read_config,
2613 .write = pci_write_config,
2614 };
2615 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c
2616 --- linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2617 +++ linux-2.6.39.3/arch/mips/pci/ops-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2618 @@ -176,7 +176,7 @@ static int pci_config_write(struct pci_b
2619 return PCIBIOS_SUCCESSFUL;
2620 }
2621
2622 -struct pci_ops emma2rh_pci_ops = {
2623 +const struct pci_ops emma2rh_pci_ops = {
2624 .read = pci_config_read,
2625 .write = pci_config_write,
2626 };
2627 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c
2628 --- linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-19 00:06:34.000000000 -0400
2629 +++ linux-2.6.39.3/arch/mips/pci/ops-gt64xxx_pci0.c 2011-05-22 19:36:30.000000000 -0400
2630 @@ -146,7 +146,7 @@ static int gt64xxx_pci0_pcibios_write(st
2631 return PCIBIOS_SUCCESSFUL;
2632 }
2633
2634 -struct pci_ops gt64xxx_pci0_ops = {
2635 +const struct pci_ops gt64xxx_pci0_ops = {
2636 .read = gt64xxx_pci0_pcibios_read,
2637 .write = gt64xxx_pci0_pcibios_write
2638 };
2639 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-loongson2.c linux-2.6.39.3/arch/mips/pci/ops-loongson2.c
2640 --- linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-19 00:06:34.000000000 -0400
2641 +++ linux-2.6.39.3/arch/mips/pci/ops-loongson2.c 2011-05-22 19:36:30.000000000 -0400
2642 @@ -174,7 +174,7 @@ static int loongson_pcibios_write(struct
2643 return PCIBIOS_SUCCESSFUL;
2644 }
2645
2646 -struct pci_ops loongson_pci_ops = {
2647 +const struct pci_ops loongson_pci_ops = {
2648 .read = loongson_pcibios_read,
2649 .write = loongson_pcibios_write
2650 };
2651 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-mace.c linux-2.6.39.3/arch/mips/pci/ops-mace.c
2652 --- linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-19 00:06:34.000000000 -0400
2653 +++ linux-2.6.39.3/arch/mips/pci/ops-mace.c 2011-05-22 19:36:30.000000000 -0400
2654 @@ -96,7 +96,7 @@ mace_pci_write_config(struct pci_bus *bu
2655 return PCIBIOS_SUCCESSFUL;
2656 }
2657
2658 -struct pci_ops mace_pci_ops = {
2659 +const struct pci_ops mace_pci_ops = {
2660 .read = mace_pci_read_config,
2661 .write = mace_pci_write_config,
2662 };
2663 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-msc.c linux-2.6.39.3/arch/mips/pci/ops-msc.c
2664 --- linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-19 00:06:34.000000000 -0400
2665 +++ linux-2.6.39.3/arch/mips/pci/ops-msc.c 2011-05-22 19:36:30.000000000 -0400
2666 @@ -142,7 +142,7 @@ static int msc_pcibios_write(struct pci_
2667 return PCIBIOS_SUCCESSFUL;
2668 }
2669
2670 -struct pci_ops msc_pci_ops = {
2671 +const struct pci_ops msc_pci_ops = {
2672 .read = msc_pcibios_read,
2673 .write = msc_pcibios_write
2674 };
2675 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-nile4.c linux-2.6.39.3/arch/mips/pci/ops-nile4.c
2676 --- linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-19 00:06:34.000000000 -0400
2677 +++ linux-2.6.39.3/arch/mips/pci/ops-nile4.c 2011-05-22 19:36:30.000000000 -0400
2678 @@ -141,7 +141,7 @@ static int nile4_pcibios_write(struct pc
2679 return PCIBIOS_SUCCESSFUL;
2680 }
2681
2682 -struct pci_ops nile4_pci_ops = {
2683 +const struct pci_ops nile4_pci_ops = {
2684 .read = nile4_pcibios_read,
2685 .write = nile4_pcibios_write,
2686 };
2687 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c
2688 --- linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
2689 +++ linux-2.6.39.3/arch/mips/pci/ops-pmcmsp.c 2011-05-22 19:36:30.000000000 -0400
2690 @@ -904,7 +904,7 @@ msp_pcibios_write_config(struct pci_bus
2691 * write - function for Linux to generate PCI Configuration writes.
2692 *
2693 ****************************************************************************/
2694 -struct pci_ops msp_pci_ops = {
2695 +const struct pci_ops msp_pci_ops = {
2696 .read = msp_pcibios_read_config,
2697 .write = msp_pcibios_write_config
2698 };
2699 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c
2700 --- linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-19 00:06:34.000000000 -0400
2701 +++ linux-2.6.39.3/arch/mips/pci/ops-pnx8550.c 2011-05-22 19:36:30.000000000 -0400
2702 @@ -276,7 +276,7 @@ static int config_write(struct pci_bus *
2703 }
2704 }
2705
2706 -struct pci_ops pnx8550_pci_ops = {
2707 +const struct pci_ops pnx8550_pci_ops = {
2708 config_read,
2709 config_write
2710 };
2711 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-rc32434.c linux-2.6.39.3/arch/mips/pci/ops-rc32434.c
2712 --- linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2713 +++ linux-2.6.39.3/arch/mips/pci/ops-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2714 @@ -201,7 +201,7 @@ static int pci_config_write(struct pci_b
2715 }
2716 }
2717
2718 -struct pci_ops rc32434_pci_ops = {
2719 +const struct pci_ops rc32434_pci_ops = {
2720 .read = pci_config_read,
2721 .write = pci_config_write,
2722 };
2723 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-sni.c linux-2.6.39.3/arch/mips/pci/ops-sni.c
2724 --- linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-19 00:06:34.000000000 -0400
2725 +++ linux-2.6.39.3/arch/mips/pci/ops-sni.c 2011-05-22 19:36:30.000000000 -0400
2726 @@ -83,7 +83,7 @@ static int pcimt_write(struct pci_bus *b
2727 return 0;
2728 }
2729
2730 -struct pci_ops sni_pcimt_ops = {
2731 +const struct pci_ops sni_pcimt_ops = {
2732 .read = pcimt_read,
2733 .write = pcimt_write,
2734 };
2735 @@ -158,7 +158,7 @@ static int pcit_write(struct pci_bus *bu
2736 }
2737
2738
2739 -struct pci_ops sni_pcit_ops = {
2740 +const struct pci_ops sni_pcit_ops = {
2741 .read = pcit_read,
2742 .write = pcit_write,
2743 };
2744 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan.c linux-2.6.39.3/arch/mips/pci/ops-titan.c
2745 --- linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-19 00:06:34.000000000 -0400
2746 +++ linux-2.6.39.3/arch/mips/pci/ops-titan.c 2011-05-22 19:36:30.000000000 -0400
2747 @@ -105,7 +105,7 @@ static int titan_write_config(struct pci
2748 /*
2749 * Titan PCI structure
2750 */
2751 -struct pci_ops titan_pci_ops = {
2752 +const struct pci_ops titan_pci_ops = {
2753 titan_read_config,
2754 titan_write_config,
2755 };
2756 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c
2757 --- linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-19 00:06:34.000000000 -0400
2758 +++ linux-2.6.39.3/arch/mips/pci/ops-titan-ht.c 2011-05-22 19:36:30.000000000 -0400
2759 @@ -118,7 +118,7 @@ static int titan_ht_config_write(struct
2760 return PCIBIOS_SUCCESSFUL;
2761 }
2762
2763 -struct pci_ops titan_ht_pci_ops = {
2764 +const struct pci_ops titan_ht_pci_ops = {
2765 .read = titan_ht_config_read,
2766 .write = titan_ht_config_write,
2767 };
2768 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-tx3927.c linux-2.6.39.3/arch/mips/pci/ops-tx3927.c
2769 --- linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-19 00:06:34.000000000 -0400
2770 +++ linux-2.6.39.3/arch/mips/pci/ops-tx3927.c 2011-05-22 19:36:30.000000000 -0400
2771 @@ -121,7 +121,7 @@ static int tx3927_pci_write_config(struc
2772 return check_abort();
2773 }
2774
2775 -static struct pci_ops tx3927_pci_ops = {
2776 +static const struct pci_ops tx3927_pci_ops = {
2777 .read = tx3927_pci_read_config,
2778 .write = tx3927_pci_write_config,
2779 };
2780 diff -urNp linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c
2781 --- linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2782 +++ linux-2.6.39.3/arch/mips/pci/ops-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2783 @@ -120,7 +120,7 @@ static int pci_config_write(struct pci_b
2784 return PCIBIOS_SUCCESSFUL;
2785 }
2786
2787 -struct pci_ops vr41xx_pci_ops = {
2788 +const struct pci_ops vr41xx_pci_ops = {
2789 .read = pci_config_read,
2790 .write = pci_config_write,
2791 };
2792 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c
2793 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-19 00:06:34.000000000 -0400
2794 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480.c 2011-05-22 19:36:30.000000000 -0400
2795 @@ -171,7 +171,7 @@ static int bcm1480_pcibios_write(struct
2796 return PCIBIOS_SUCCESSFUL;
2797 }
2798
2799 -struct pci_ops bcm1480_pci_ops = {
2800 +const struct pci_ops bcm1480_pci_ops = {
2801 bcm1480_pcibios_read,
2802 bcm1480_pcibios_write,
2803 };
2804 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c
2805 --- linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-19 00:06:34.000000000 -0400
2806 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm1480ht.c 2011-05-22 19:36:30.000000000 -0400
2807 @@ -166,7 +166,7 @@ static int bcm1480ht_pcibios_get_busno(v
2808 return 0;
2809 }
2810
2811 -struct pci_ops bcm1480ht_pci_ops = {
2812 +const struct pci_ops bcm1480ht_pci_ops = {
2813 .read = bcm1480ht_pcibios_read,
2814 .write = bcm1480ht_pcibios_write,
2815 };
2816 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h
2817 --- linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-19 00:06:34.000000000 -0400
2818 +++ linux-2.6.39.3/arch/mips/pci/pci-bcm63xx.h 2011-05-22 19:36:30.000000000 -0400
2819 @@ -16,8 +16,8 @@
2820 /*
2821 * defined in ops-bcm63xx.c
2822 */
2823 -extern struct pci_ops bcm63xx_pci_ops;
2824 -extern struct pci_ops bcm63xx_cb_ops;
2825 +extern const struct pci_ops bcm63xx_pci_ops;
2826 +extern const struct pci_ops bcm63xx_cb_ops;
2827
2828 /*
2829 * defined in pci-bcm63xx.c
2830 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c
2831 --- linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-19 00:06:34.000000000 -0400
2832 +++ linux-2.6.39.3/arch/mips/pci/pci-emma2rh.c 2011-05-22 19:36:30.000000000 -0400
2833 @@ -43,7 +43,7 @@ static struct resource pci_mem_resource
2834 .flags = IORESOURCE_MEM,
2835 };
2836
2837 -extern struct pci_ops emma2rh_pci_ops;
2838 +extern const struct pci_ops emma2rh_pci_ops;
2839
2840 static struct pci_controller emma2rh_pci_controller = {
2841 .pci_ops = &emma2rh_pci_ops,
2842 diff -urNp linux-2.6.39.3/arch/mips/pci/pcie-octeon.c linux-2.6.39.3/arch/mips/pci/pcie-octeon.c
2843 --- linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-19 00:06:34.000000000 -0400
2844 +++ linux-2.6.39.3/arch/mips/pci/pcie-octeon.c 2011-05-22 19:36:30.000000000 -0400
2845 @@ -1237,7 +1237,7 @@ static int octeon_pcie1_write_config(str
2846 return octeon_pcie_write_config(1, bus, devfn, reg, size, val);
2847 }
2848
2849 -static struct pci_ops octeon_pcie0_ops = {
2850 +static const struct pci_ops octeon_pcie0_ops = {
2851 octeon_pcie0_read_config,
2852 octeon_pcie0_write_config,
2853 };
2854 @@ -1258,7 +1258,7 @@ static struct pci_controller octeon_pcie
2855 .io_resource = &octeon_pcie0_io_resource,
2856 };
2857
2858 -static struct pci_ops octeon_pcie1_ops = {
2859 +static const struct pci_ops octeon_pcie1_ops = {
2860 octeon_pcie1_read_config,
2861 octeon_pcie1_write_config,
2862 };
2863 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip27.c linux-2.6.39.3/arch/mips/pci/pci-ip27.c
2864 --- linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-19 00:06:34.000000000 -0400
2865 +++ linux-2.6.39.3/arch/mips/pci/pci-ip27.c 2011-05-22 19:36:30.000000000 -0400
2866 @@ -39,7 +39,7 @@ static struct bridge_controller bridges[
2867 struct bridge_controller *irq_to_bridge[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2868 int irq_to_slot[MAX_PCI_BUSSES * MAX_DEVICES_PER_PCIBUS];
2869
2870 -extern struct pci_ops bridge_pci_ops;
2871 +extern const struct pci_ops bridge_pci_ops;
2872
2873 int __cpuinit bridge_probe(nasid_t nasid, int widget_id, int masterwid)
2874 {
2875 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-ip32.c linux-2.6.39.3/arch/mips/pci/pci-ip32.c
2876 --- linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-19 00:06:34.000000000 -0400
2877 +++ linux-2.6.39.3/arch/mips/pci/pci-ip32.c 2011-05-22 19:36:30.000000000 -0400
2878 @@ -82,7 +82,7 @@ static irqreturn_t macepci_error(int irq
2879 }
2880
2881
2882 -extern struct pci_ops mace_pci_ops;
2883 +extern const struct pci_ops mace_pci_ops;
2884 #ifdef CONFIG_64BIT
2885 static struct resource mace_pci_mem_resource = {
2886 .name = "SGI O2 PCI MEM",
2887 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-lasat.c linux-2.6.39.3/arch/mips/pci/pci-lasat.c
2888 --- linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-19 00:06:34.000000000 -0400
2889 +++ linux-2.6.39.3/arch/mips/pci/pci-lasat.c 2011-05-22 19:36:30.000000000 -0400
2890 @@ -14,8 +14,8 @@
2891
2892 #include <irq.h>
2893
2894 -extern struct pci_ops nile4_pci_ops;
2895 -extern struct pci_ops gt64xxx_pci0_ops;
2896 +extern const struct pci_ops nile4_pci_ops;
2897 +extern const struct pci_ops gt64xxx_pci0_ops;
2898 static struct resource lasat_pci_mem_resource = {
2899 .name = "LASAT PCI MEM",
2900 .start = 0x18000000,
2901 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-octeon.c linux-2.6.39.3/arch/mips/pci/pci-octeon.c
2902 --- linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-19 00:06:34.000000000 -0400
2903 +++ linux-2.6.39.3/arch/mips/pci/pci-octeon.c 2011-05-22 19:36:30.000000000 -0400
2904 @@ -334,7 +334,7 @@ static int octeon_write_config(struct pc
2905 }
2906
2907
2908 -static struct pci_ops octeon_pci_ops = {
2909 +static const struct pci_ops octeon_pci_ops = {
2910 octeon_read_config,
2911 octeon_write_config,
2912 };
2913 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-rc32434.c linux-2.6.39.3/arch/mips/pci/pci-rc32434.c
2914 --- linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-19 00:06:34.000000000 -0400
2915 +++ linux-2.6.39.3/arch/mips/pci/pci-rc32434.c 2011-05-22 19:36:30.000000000 -0400
2916 @@ -75,7 +75,7 @@ static struct resource rc32434_res_pci_i
2917 .flags = IORESOURCE_IO,
2918 };
2919
2920 -extern struct pci_ops rc32434_pci_ops;
2921 +extern const struct pci_ops rc32434_pci_ops;
2922
2923 #define PCI_MEM1_START PCI_ADDR_START
2924 #define PCI_MEM1_END (PCI_ADDR_START + CPUTOPCI_MEM_WIN - 1)
2925 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-sb1250.c linux-2.6.39.3/arch/mips/pci/pci-sb1250.c
2926 --- linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-19 00:06:34.000000000 -0400
2927 +++ linux-2.6.39.3/arch/mips/pci/pci-sb1250.c 2011-05-22 19:36:30.000000000 -0400
2928 @@ -181,7 +181,7 @@ static int sb1250_pcibios_write(struct p
2929 return PCIBIOS_SUCCESSFUL;
2930 }
2931
2932 -struct pci_ops sb1250_pci_ops = {
2933 +const struct pci_ops sb1250_pci_ops = {
2934 .read = sb1250_pcibios_read,
2935 .write = sb1250_pcibios_write,
2936 };
2937 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c
2938 --- linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-19 00:06:34.000000000 -0400
2939 +++ linux-2.6.39.3/arch/mips/pci/pci-vr41xx.c 2011-05-22 19:36:30.000000000 -0400
2940 @@ -36,7 +36,7 @@
2941
2942 #include "pci-vr41xx.h"
2943
2944 -extern struct pci_ops vr41xx_pci_ops;
2945 +extern const struct pci_ops vr41xx_pci_ops;
2946
2947 static void __iomem *pciu_base;
2948
2949 diff -urNp linux-2.6.39.3/arch/mips/pci/pci-yosemite.c linux-2.6.39.3/arch/mips/pci/pci-yosemite.c
2950 --- linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-19 00:06:34.000000000 -0400
2951 +++ linux-2.6.39.3/arch/mips/pci/pci-yosemite.c 2011-05-22 19:36:30.000000000 -0400
2952 @@ -11,7 +11,7 @@
2953 #include <linux/pci.h>
2954 #include <asm/titan_dep.h>
2955
2956 -extern struct pci_ops titan_pci_ops;
2957 +extern const struct pci_ops titan_pci_ops;
2958
2959 static struct resource py_mem_resource = {
2960 .start = 0xe0000000UL,
2961 diff -urNp linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c
2962 --- linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-19 00:06:34.000000000 -0400
2963 +++ linux-2.6.39.3/arch/mips/pmc-sierra/yosemite/ht.c 2011-05-22 19:36:30.000000000 -0400
2964 @@ -366,7 +366,7 @@ resource_size_t pcibios_align_resource(v
2965 return start;
2966 }
2967
2968 -struct pci_ops titan_pci_ops = {
2969 +const struct pci_ops titan_pci_ops = {
2970 titan_ht_config_read_byte,
2971 titan_ht_config_read_word,
2972 titan_ht_config_read_dword,
2973 diff -urNp linux-2.6.39.3/arch/mips/pnx8550/common/pci.c linux-2.6.39.3/arch/mips/pnx8550/common/pci.c
2974 --- linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-19 00:06:34.000000000 -0400
2975 +++ linux-2.6.39.3/arch/mips/pnx8550/common/pci.c 2011-05-22 19:36:30.000000000 -0400
2976 @@ -40,7 +40,7 @@ static struct resource pci_mem_resource
2977 .flags = IORESOURCE_MEM
2978 };
2979
2980 -extern struct pci_ops pnx8550_pci_ops;
2981 +extern const struct pci_ops pnx8550_pci_ops;
2982
2983 static struct pci_controller pnx8550_controller = {
2984 .pci_ops = &pnx8550_pci_ops,
2985 diff -urNp linux-2.6.39.3/arch/mips/sni/pcimt.c linux-2.6.39.3/arch/mips/sni/pcimt.c
2986 --- linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-19 00:06:34.000000000 -0400
2987 +++ linux-2.6.39.3/arch/mips/sni/pcimt.c 2011-05-22 19:36:30.000000000 -0400
2988 @@ -183,7 +183,7 @@ static void __init sni_pcimt_resource_in
2989 request_resource(&sni_mem_resource, pcimt_mem_resources + i);
2990 }
2991
2992 -extern struct pci_ops sni_pcimt_ops;
2993 +extern const struct pci_ops sni_pcimt_ops;
2994
2995 static struct pci_controller sni_controller = {
2996 .pci_ops = &sni_pcimt_ops,
2997 diff -urNp linux-2.6.39.3/arch/mips/sni/pcit.c linux-2.6.39.3/arch/mips/sni/pcit.c
2998 --- linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-19 00:06:34.000000000 -0400
2999 +++ linux-2.6.39.3/arch/mips/sni/pcit.c 2011-05-22 19:36:30.000000000 -0400
3000 @@ -145,7 +145,7 @@ static void __init sni_pcit_resource_ini
3001 }
3002
3003
3004 -extern struct pci_ops sni_pcit_ops;
3005 +extern const struct pci_ops sni_pcit_ops;
3006
3007 static struct pci_controller sni_pcit_controller = {
3008 .pci_ops = &sni_pcit_ops,
3009 diff -urNp linux-2.6.39.3/arch/mips/wrppmc/pci.c linux-2.6.39.3/arch/mips/wrppmc/pci.c
3010 --- linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-19 00:06:34.000000000 -0400
3011 +++ linux-2.6.39.3/arch/mips/wrppmc/pci.c 2011-05-22 19:36:30.000000000 -0400
3012 @@ -14,7 +14,7 @@
3013
3014 #include <asm/gt64120.h>
3015
3016 -extern struct pci_ops gt64xxx_pci0_ops;
3017 +extern const struct pci_ops gt64xxx_pci0_ops;
3018
3019 static struct resource pci0_io_resource = {
3020 .name = "pci_0 io",
3021 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h
3022 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-19 00:06:34.000000000 -0400
3023 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci-asb2305.h 2011-05-22 19:36:30.000000000 -0400
3024 @@ -39,7 +39,7 @@ extern void pcibios_resource_survey(void
3025
3026 extern int pcibios_last_bus;
3027 extern struct pci_bus *pci_root_bus;
3028 -extern struct pci_ops *pci_root_ops;
3029 +extern const struct pci_ops *pci_root_ops;
3030
3031 extern struct irq_routing_table *pcibios_get_irq_routing_table(void);
3032 extern int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq);
3033 diff -urNp linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c
3034 --- linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-19 00:06:34.000000000 -0400
3035 +++ linux-2.6.39.3/arch/mn10300/unit-asb2305/pci.c 2011-05-22 19:36:30.000000000 -0400
3036 @@ -24,7 +24,7 @@ unsigned int pci_probe = 1;
3037
3038 int pcibios_last_bus = -1;
3039 struct pci_bus *pci_root_bus;
3040 -struct pci_ops *pci_root_ops;
3041 +const struct pci_ops *pci_root_ops;
3042
3043 /*
3044 * The accessible PCI window does not cover the entire CPU address space, but
3045 @@ -274,7 +274,7 @@ static int pci_ampci_write_config(struct
3046 }
3047 }
3048
3049 -static struct pci_ops pci_direct_ampci = {
3050 +static const struct pci_ops pci_direct_ampci = {
3051 pci_ampci_read_config,
3052 pci_ampci_write_config,
3053 };
3054 @@ -289,7 +289,7 @@ static struct pci_ops pci_direct_ampci =
3055 * This should be close to trivial, but it isn't, because there are buggy
3056 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
3057 */
3058 -static int __init pci_sanity_check(struct pci_ops *o)
3059 +static int __init pci_sanity_check(const struct pci_ops *o)
3060 {
3061 struct pci_bus bus; /* Fake bus and device */
3062 u32 x;
3063 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/elf.h linux-2.6.39.3/arch/parisc/include/asm/elf.h
3064 --- linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3065 +++ linux-2.6.39.3/arch/parisc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3066 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
3067
3068 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
3069
3070 +#ifdef CONFIG_PAX_ASLR
3071 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3072 +
3073 +#define PAX_DELTA_MMAP_LEN 16
3074 +#define PAX_DELTA_STACK_LEN 16
3075 +#endif
3076 +
3077 /* This yields a mask that user programs can use to figure out what
3078 instruction set this CPU supports. This could be done in user space,
3079 but it's not easy, and we've already done it here. */
3080 diff -urNp linux-2.6.39.3/arch/parisc/include/asm/pgtable.h linux-2.6.39.3/arch/parisc/include/asm/pgtable.h
3081 --- linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3082 +++ linux-2.6.39.3/arch/parisc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3083 @@ -207,6 +207,17 @@ struct vm_area_struct;
3084 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
3085 #define PAGE_COPY PAGE_EXECREAD
3086 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
3087 +
3088 +#ifdef CONFIG_PAX_PAGEEXEC
3089 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
3090 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3091 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
3092 +#else
3093 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3094 +# define PAGE_COPY_NOEXEC PAGE_COPY
3095 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3096 +#endif
3097 +
3098 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
3099 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
3100 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
3101 diff -urNp linux-2.6.39.3/arch/parisc/kernel/module.c linux-2.6.39.3/arch/parisc/kernel/module.c
3102 --- linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
3103 +++ linux-2.6.39.3/arch/parisc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
3104 @@ -96,16 +96,38 @@
3105
3106 /* three functions to determine where in the module core
3107 * or init pieces the location is */
3108 +static inline int in_init_rx(struct module *me, void *loc)
3109 +{
3110 + return (loc >= me->module_init_rx &&
3111 + loc < (me->module_init_rx + me->init_size_rx));
3112 +}
3113 +
3114 +static inline int in_init_rw(struct module *me, void *loc)
3115 +{
3116 + return (loc >= me->module_init_rw &&
3117 + loc < (me->module_init_rw + me->init_size_rw));
3118 +}
3119 +
3120 static inline int in_init(struct module *me, void *loc)
3121 {
3122 - return (loc >= me->module_init &&
3123 - loc <= (me->module_init + me->init_size));
3124 + return in_init_rx(me, loc) || in_init_rw(me, loc);
3125 +}
3126 +
3127 +static inline int in_core_rx(struct module *me, void *loc)
3128 +{
3129 + return (loc >= me->module_core_rx &&
3130 + loc < (me->module_core_rx + me->core_size_rx));
3131 +}
3132 +
3133 +static inline int in_core_rw(struct module *me, void *loc)
3134 +{
3135 + return (loc >= me->module_core_rw &&
3136 + loc < (me->module_core_rw + me->core_size_rw));
3137 }
3138
3139 static inline int in_core(struct module *me, void *loc)
3140 {
3141 - return (loc >= me->module_core &&
3142 - loc <= (me->module_core + me->core_size));
3143 + return in_core_rx(me, loc) || in_core_rw(me, loc);
3144 }
3145
3146 static inline int in_local(struct module *me, void *loc)
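Review bot: The comment at the top of this hunk still says "three functions", but the new side has seven range helpers (in_init_rx, in_init_rw, in_core_rx and in_core_rw besides in_init, in_core and in_local), so it no longer describes the code. The same lines also tighten the upper bound from `<=` to `<`, which means an address exactly one past the end of a region is no longer treated as inside it; that looks like the intended half-open range, but it is a behaviour change the comment should record. Suggested wording: `/* helpers to determine which module region (init/core, rx/rw) a location falls in; ranges are half-open [base, base + size) */`. in_local's body is outside the hunk.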
3147 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
3148 }
3149
3150 /* align things a bit */
3151 - me->core_size = ALIGN(me->core_size, 16);
3152 - me->arch.got_offset = me->core_size;
3153 - me->core_size += gots * sizeof(struct got_entry);
3154 -
3155 - me->core_size = ALIGN(me->core_size, 16);
3156 - me->arch.fdesc_offset = me->core_size;
3157 - me->core_size += fdescs * sizeof(Elf_Fdesc);
3158 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3159 + me->arch.got_offset = me->core_size_rw;
3160 + me->core_size_rw += gots * sizeof(struct got_entry);
3161 +
3162 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
3163 + me->arch.fdesc_offset = me->core_size_rw;
3164 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
3165
3166 me->arch.got_max = gots;
3167 me->arch.fdesc_max = fdescs;
3168 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
3169
3170 BUG_ON(value == 0);
3171
3172 - got = me->module_core + me->arch.got_offset;
3173 + got = me->module_core_rw + me->arch.got_offset;
3174 for (i = 0; got[i].addr; i++)
3175 if (got[i].addr == value)
3176 goto out;
3177 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
3178 #ifdef CONFIG_64BIT
3179 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
3180 {
3181 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
3182 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
3183
3184 if (!value) {
3185 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
3186 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
3187
3188 /* Create new one */
3189 fdesc->addr = value;
3190 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3191 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3192 return (Elf_Addr)fdesc;
3193 }
3194 #endif /* CONFIG_64BIT */
3195 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
3196
3197 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
3198 end = table + sechdrs[me->arch.unwind_section].sh_size;
3199 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
3200 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
3201
3202 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
3203 me->arch.unwind_section, table, end, gp);
3204 diff -urNp linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c
3205 --- linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-19 00:06:34.000000000 -0400
3206 +++ linux-2.6.39.3/arch/parisc/kernel/sys_parisc.c 2011-05-22 19:36:30.000000000 -0400
3207 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
3208 /* At this point: (!vma || addr < vma->vm_end). */
3209 if (TASK_SIZE - len < addr)
3210 return -ENOMEM;
3211 - if (!vma || addr + len <= vma->vm_start)
3212 + if (check_heap_stack_gap(vma, addr, len))
3213 return addr;
3214 addr = vma->vm_end;
3215 }
3216 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
3217 /* At this point: (!vma || addr < vma->vm_end). */
3218 if (TASK_SIZE - len < addr)
3219 return -ENOMEM;
3220 - if (!vma || addr + len <= vma->vm_start)
3221 + if (check_heap_stack_gap(vma, addr, len))
3222 return addr;
3223 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
3224 if (addr < vma->vm_end) /* handle wraparound */
3225 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
3226 if (flags & MAP_FIXED)
3227 return addr;
3228 if (!addr)
3229 - addr = TASK_UNMAPPED_BASE;
3230 + addr = current->mm->mmap_base;
3231
3232 if (filp) {
3233 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
3234 diff -urNp linux-2.6.39.3/arch/parisc/kernel/traps.c linux-2.6.39.3/arch/parisc/kernel/traps.c
3235 --- linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
3236 +++ linux-2.6.39.3/arch/parisc/kernel/traps.c 2011-05-22 19:36:30.000000000 -0400
3237 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
3238
3239 down_read(&current->mm->mmap_sem);
3240 vma = find_vma(current->mm,regs->iaoq[0]);
3241 - if (vma && (regs->iaoq[0] >= vma->vm_start)
3242 - && (vma->vm_flags & VM_EXEC)) {
3243 -
3244 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
3245 fault_address = regs->iaoq[0];
3246 fault_space = regs->iasq[0];
3247
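Review bot: The `vma->vm_flags & VM_EXEC` test is removed from this condition for every configuration, not only when CONFIG_PAX_PAGEEXEC is set, so instruction-address faults on non-executable mappings now take this branch in all builds. The rest of the branch and its else path are outside the hunk, so the effect on a non-PaX kernel cannot be judged from here; presumably the permission decision is meant to move to the page-fault handler. A one-line comment would make that explicit, e.g. `/* PaX: exec permission is decided in the page-fault path, not here */`, or the removal could be placed under `#ifdef CONFIG_PAX_PAGEEXEC`.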
3248 diff -urNp linux-2.6.39.3/arch/parisc/mm/fault.c linux-2.6.39.3/arch/parisc/mm/fault.c
3249 --- linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
3250 +++ linux-2.6.39.3/arch/parisc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
3251 @@ -15,6 +15,7 @@
3252 #include <linux/sched.h>
3253 #include <linux/interrupt.h>
3254 #include <linux/module.h>
3255 +#include <linux/unistd.h>
3256
3257 #include <asm/uaccess.h>
3258 #include <asm/traps.h>
3259 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
3260 static unsigned long
3261 parisc_acctyp(unsigned long code, unsigned int inst)
3262 {
3263 - if (code == 6 || code == 16)
3264 + if (code == 6 || code == 7 || code == 16)
3265 return VM_EXEC;
3266
3267 switch (inst & 0xf0000000) {
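Review bot: Trap code 7 is added next to 6 and 16 as another bare number, with nothing saying which interruption it is or why it now counts as an execute access. A short comment above the test, such as `/* instruction-side interruptions: treat as an execute access */` with the three trap names spelled out from the architecture's interruption table, would let a reader check the list against the manual. The rest of parisc_acctyp is outside the hunk.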
3268 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
3269 }
3270 #endif
3271
3272 +#ifdef CONFIG_PAX_PAGEEXEC
3273 +/*
3274 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
3275 + *
3276 + * returns 1 when task should be killed
3277 + * 2 when rt_sigreturn trampoline was detected
3278 + * 3 when unpatched PLT trampoline was detected
3279 + */
3280 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3281 +{
3282 +
3283 +#ifdef CONFIG_PAX_EMUPLT
3284 + int err;
3285 +
3286 + do { /* PaX: unpatched PLT emulation */
3287 + unsigned int bl, depwi;
3288 +
3289 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
3290 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
3291 +
3292 + if (err)
3293 + break;
3294 +
3295 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
3296 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
3297 +
3298 + err = get_user(ldw, (unsigned int *)addr);
3299 + err |= get_user(bv, (unsigned int *)(addr+4));
3300 + err |= get_user(ldw2, (unsigned int *)(addr+8));
3301 +
3302 + if (err)
3303 + break;
3304 +
3305 + if (ldw == 0x0E801096U &&
3306 + bv == 0xEAC0C000U &&
3307 + ldw2 == 0x0E881095U)
3308 + {
3309 + unsigned int resolver, map;
3310 +
3311 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
3312 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
3313 + if (err)
3314 + break;
3315 +
3316 + regs->gr[20] = instruction_pointer(regs)+8;
3317 + regs->gr[21] = map;
3318 + regs->gr[22] = resolver;
3319 + regs->iaoq[0] = resolver | 3UL;
3320 + regs->iaoq[1] = regs->iaoq[0] + 4;
3321 + return 3;
3322 + }
3323 + }
3324 + } while (0);
3325 +#endif
3326 +
3327 +#ifdef CONFIG_PAX_EMUTRAMP
3328 +
3329 +#ifndef CONFIG_PAX_EMUSIGRT
3330 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
3331 + return 1;
3332 +#endif
3333 +
3334 + do { /* PaX: rt_sigreturn emulation */
3335 + unsigned int ldi1, ldi2, bel, nop;
3336 +
3337 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
3338 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
3339 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
3340 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
3341 +
3342 + if (err)
3343 + break;
3344 +
3345 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
3346 + ldi2 == 0x3414015AU &&
3347 + bel == 0xE4008200U &&
3348 + nop == 0x08000240U)
3349 + {
3350 + regs->gr[25] = (ldi1 & 2) >> 1;
3351 + regs->gr[20] = __NR_rt_sigreturn;
3352 + regs->gr[31] = regs->iaoq[1] + 16;
3353 + regs->sr[0] = regs->iasq[1];
3354 + regs->iaoq[0] = 0x100UL;
3355 + regs->iaoq[1] = regs->iaoq[0] + 4;
3356 + regs->iasq[0] = regs->sr[2];
3357 + regs->iasq[1] = regs->sr[2];
3358 + return 2;
3359 + }
3360 + } while (0);
3361 +#endif
3362 +
3363 + return 1;
3364 +}
3365 +
3366 +void pax_report_insns(void *pc, void *sp)
3367 +{
3368 + unsigned long i;
3369 +
3370 + printk(KERN_ERR "PAX: bytes at PC: ");
3371 + for (i = 0; i < 5; i++) {
3372 + unsigned int c;
3373 + if (get_user(c, (unsigned int *)pc+i))
3374 + printk(KERN_CONT "???????? ");
3375 + else
3376 + printk(KERN_CONT "%08x ", c);
3377 + }
3378 + printk("\n");
3379 +}
3380 +#endif
3381 +
3382 int fixup_exception(struct pt_regs *regs)
3383 {
3384 const struct exception_table_entry *fix;
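Review bot: `int err;` in pax_handle_fetch_fault is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the rt_sigreturn block under `#ifdef CONFIG_PAX_EMUTRAMP` also assigns and tests it, so a configuration with EMUTRAMP set and EMUPLT unset would not compile unless Kconfig rules that combination out (not visible here). Declaring it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` covers both users. Separately, in pax_report_insns the closing `printk("\n")` carries no level while the preceding pieces use KERN_CONT, so `printk(KERN_CONT "\n");` would keep the dump on one log line, and the `sp` parameter is never used. fixup_exception's body is outside the hunk.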
3385 @@ -192,8 +303,33 @@ good_area:
3386
3387 acc_type = parisc_acctyp(code,regs->iir);
3388
3389 - if ((vma->vm_flags & acc_type) != acc_type)
3390 + if ((vma->vm_flags & acc_type) != acc_type) {
3391 +
3392 +#ifdef CONFIG_PAX_PAGEEXEC
3393 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
3394 + (address & ~3UL) == instruction_pointer(regs))
3395 + {
3396 + up_read(&mm->mmap_sem);
3397 + switch (pax_handle_fetch_fault(regs)) {
3398 +
3399 +#ifdef CONFIG_PAX_EMUPLT
3400 + case 3:
3401 + return;
3402 +#endif
3403 +
3404 +#ifdef CONFIG_PAX_EMUTRAMP
3405 + case 2:
3406 + return;
3407 +#endif
3408 +
3409 + }
3410 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
3411 + do_group_exit(SIGKILL);
3412 + }
3413 +#endif
3414 +
3415 goto bad_area;
3416 + }
3417
3418 /*
3419 * If for any reason at all we couldn't handle the fault, make
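Review bot: The PaX branch calls `up_read(&mm->mmap_sem)` and then depends on every path leaving the function: cases 2 and 3 return, and everything else ends in `do_group_exit(SIGKILL)`. If that call ever returned, control would fall through to `goto bad_area` with the semaphore already dropped; bad_area is outside the hunk, but it presumably releases mmap_sem itself. A comment after the call, such as `/* do_group_exit() does not return; mmap_sem was released above */`, would document the invariant, and a `default: break;` in the `switch` would make the kill path explicit when neither emulation option is configured.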
3420 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/device.h linux-2.6.39.3/arch/powerpc/include/asm/device.h
3421 --- linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
3422 +++ linux-2.6.39.3/arch/powerpc/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
3423 @@ -17,7 +17,7 @@ struct device_node;
3424 */
3425 struct dev_archdata {
3426 /* DMA operations on that device */
3427 - struct dma_map_ops *dma_ops;
3428 + const struct dma_map_ops *dma_ops;
3429
3430 /*
3431 * When an iommu is in use, dma_data is used as a ptr to the base of the
3432 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h
3433 --- linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
3434 +++ linux-2.6.39.3/arch/powerpc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
3435 @@ -67,12 +67,13 @@ static inline unsigned long device_to_ma
3436 /*
3437 * Available generic sets of operations
3438 */
3439 +/* cannot be const */
3440 #ifdef CONFIG_PPC64
3441 -extern struct dma_map_ops dma_iommu_ops;
3442 +extern const struct dma_map_ops dma_iommu_ops;
3443 #endif
3444 -extern struct dma_map_ops dma_direct_ops;
3445 +extern const struct dma_map_ops dma_direct_ops;
3446
3447 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3448 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3449 {
3450 /* We don't handle the NULL dev case for ISA for now. We could
3451 * do it via an out of line call but it is not needed for now. The
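Review bot: The added comment `/* cannot be const */` sits directly above two declarations that this same hunk changes to `extern const struct dma_map_ops`, so it contradicts the code it annotates. If it is a leftover from an earlier revision it should be dropped; if it refers to something else, it should name it, for example (if this is what was meant) `/* dev->archdata.dma_ops is assigned by set_dma_ops(), so only the pointee is const */`. get_dma_ops's body continues outside the hunk.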
3452 @@ -85,7 +86,7 @@ static inline struct dma_map_ops *get_dm
3453 return dev->archdata.dma_ops;
3454 }
3455
3456 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
3457 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
3458 {
3459 dev->archdata.dma_ops = ops;
3460 }
3461 @@ -119,7 +120,7 @@ static inline void set_dma_offset(struct
3462
3463 static inline int dma_supported(struct device *dev, u64 mask)
3464 {
3465 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3466 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3467
3468 if (unlikely(dma_ops == NULL))
3469 return 0;
3470 @@ -133,7 +134,7 @@ extern int dma_set_mask(struct device *d
3471 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3472 dma_addr_t *dma_handle, gfp_t flag)
3473 {
3474 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3475 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3476 void *cpu_addr;
3477
3478 BUG_ON(!dma_ops);
3479 @@ -148,7 +149,7 @@ static inline void *dma_alloc_coherent(s
3480 static inline void dma_free_coherent(struct device *dev, size_t size,
3481 void *cpu_addr, dma_addr_t dma_handle)
3482 {
3483 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3484 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3485
3486 BUG_ON(!dma_ops);
3487
3488 @@ -159,7 +160,7 @@ static inline void dma_free_coherent(str
3489
3490 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3491 {
3492 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3493 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3494
3495 if (dma_ops->mapping_error)
3496 return dma_ops->mapping_error(dev, dma_addr);
3497 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/elf.h linux-2.6.39.3/arch/powerpc/include/asm/elf.h
3498 --- linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
3499 +++ linux-2.6.39.3/arch/powerpc/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
3500 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
3501 the loader. We need to make sure that it is out of the way of the program
3502 that it will "exec", and that there is sufficient room for the brk. */
3503
3504 -extern unsigned long randomize_et_dyn(unsigned long base);
3505 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
3506 +#define ELF_ET_DYN_BASE (0x20000000)
3507 +
3508 +#ifdef CONFIG_PAX_ASLR
3509 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
3510 +
3511 +#ifdef __powerpc64__
3512 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
3513 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
3514 +#else
3515 +#define PAX_DELTA_MMAP_LEN 15
3516 +#define PAX_DELTA_STACK_LEN 15
3517 +#endif
3518 +#endif
3519
3520 /*
3521 * Our registers are always unsigned longs, whether we're a 32 bit
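Review bot: `ELF_ET_DYN_BASE` loses its `randomize_et_dyn()` call unconditionally, while the replacement `PAX_ELF_ET_DYN_BASE` and the delta lengths exist only under `#ifdef CONFIG_PAX_ASLR`, so a kernel built from this tree without CONFIG_PAX_ASLR would get a fixed 0x20000000 base from this header. The following hunk removes the `arch_randomize_brk` declaration in the same unconditional way. Whether other parts of the patch compensate is not visible in this chunk; a comment above the define, e.g. `/* base randomisation is provided by PaX ASLR only; see PAX_ELF_ET_DYN_BASE */`, would at least make the dependency on the option visible to whoever configures the kernel.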
3522 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
3523 (0x7ff >> (PAGE_SHIFT - 12)) : \
3524 (0x3ffff >> (PAGE_SHIFT - 12)))
3525
3526 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3527 -#define arch_randomize_brk arch_randomize_brk
3528 -
3529 #endif /* __KERNEL__ */
3530
3531 /*
3532 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/iommu.h linux-2.6.39.3/arch/powerpc/include/asm/iommu.h
3533 --- linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
3534 +++ linux-2.6.39.3/arch/powerpc/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
3535 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
3536 extern void iommu_init_early_dart(void);
3537 extern void iommu_init_early_pasemi(void);
3538
3539 +/* dma-iommu.c */
3540 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
3541 +
3542 #ifdef CONFIG_PCI
3543 extern void pci_iommu_init(void);
3544 extern void pci_direct_iommu_init(void);
3545 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h
3546 --- linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
3547 +++ linux-2.6.39.3/arch/powerpc/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
3548 @@ -27,6 +27,7 @@ enum km_type {
3549 KM_PPC_SYNC_PAGE,
3550 KM_PPC_SYNC_ICACHE,
3551 KM_KDB,
3552 + KM_CLEARPAGE,
3553 KM_TYPE_NR
3554 };
3555
3556 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page_64.h linux-2.6.39.3/arch/powerpc/include/asm/page_64.h
3557 --- linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-19 00:06:34.000000000 -0400
3558 +++ linux-2.6.39.3/arch/powerpc/include/asm/page_64.h 2011-05-22 19:36:30.000000000 -0400
3559 @@ -172,15 +172,18 @@ do { \
3560 * stack by default, so in the absence of a PT_GNU_STACK program header
3561 * we turn execute permission off.
3562 */
3563 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3564 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3565 +#define VM_STACK_DEFAULT_FLAGS32 \
3566 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3567 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3568
3569 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3570 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3571
3572 +#ifndef CONFIG_PAX_PAGEEXEC
3573 #define VM_STACK_DEFAULT_FLAGS \
3574 (is_32bit_task() ? \
3575 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
3576 +#endif
3577
3578 #include <asm-generic/getorder.h>
3579
3580 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/page.h linux-2.6.39.3/arch/powerpc/include/asm/page.h
3581 --- linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
3582 +++ linux-2.6.39.3/arch/powerpc/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
3583 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
3584 * and needs to be executable. This means the whole heap ends
3585 * up being executable.
3586 */
3587 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
3588 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3589 +#define VM_DATA_DEFAULT_FLAGS32 \
3590 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
3591 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3592
3593 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
3594 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
3595 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
3596 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
3597 #endif
3598
3599 +#define ktla_ktva(addr) (addr)
3600 +#define ktva_ktla(addr) (addr)
3601 +
3602 #ifndef __ASSEMBLY__
3603
3604 #undef STRICT_MM_TYPECHECKS
3605 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pci.h linux-2.6.39.3/arch/powerpc/include/asm/pci.h
3606 --- linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-19 00:06:34.000000000 -0400
3607 +++ linux-2.6.39.3/arch/powerpc/include/asm/pci.h 2011-05-22 19:36:30.000000000 -0400
3608 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
3609 }
3610
3611 #ifdef CONFIG_PCI
3612 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
3613 -extern struct dma_map_ops *get_pci_dma_ops(void);
3614 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
3615 +extern const struct dma_map_ops *get_pci_dma_ops(void);
3616 #else /* CONFIG_PCI */
3617 #define set_pci_dma_ops(d)
3618 #define get_pci_dma_ops() NULL
3619 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h
3620 --- linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
3621 +++ linux-2.6.39.3/arch/powerpc/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
3622 @@ -2,6 +2,7 @@
3623 #define _ASM_POWERPC_PGTABLE_H
3624 #ifdef __KERNEL__
3625
3626 +#include <linux/const.h>
3627 #ifndef __ASSEMBLY__
3628 #include <asm/processor.h> /* For TASK_SIZE */
3629 #include <asm/mmu.h>
3630 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h
3631 --- linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-19 00:06:34.000000000 -0400
3632 +++ linux-2.6.39.3/arch/powerpc/include/asm/pte-hash32.h 2011-05-22 19:36:30.000000000 -0400
3633 @@ -21,6 +21,7 @@
3634 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
3635 #define _PAGE_USER 0x004 /* usermode access allowed */
3636 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
3637 +#define _PAGE_EXEC _PAGE_GUARDED
3638 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
3639 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
3640 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
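Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, while the line above still documents that bit only as "G: prohibit speculative access". From this header a reader cannot tell whether a set bit means executable or non-executable, nor that guarded mappings and the exec marker now share 0x008. A trailing comment in the style of the neighbouring lines, stating the intended polarity and the sharing, would prevent misuse; the `DSISR_GUARDED` definition added to reg.h looks related and could be referenced from it.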
3641 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/reg.h linux-2.6.39.3/arch/powerpc/include/asm/reg.h
3642 --- linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-19 00:06:34.000000000 -0400
3643 +++ linux-2.6.39.3/arch/powerpc/include/asm/reg.h 2011-05-22 19:36:30.000000000 -0400
3644 @@ -201,6 +201,7 @@
3645 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
3646 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
3647 #define DSISR_NOHPTE 0x40000000 /* no translation found */
3648 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
3649 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
3650 #define DSISR_ISSTORE 0x02000000 /* access was a store */
3651 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
3652 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h
3653 --- linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-19 00:06:34.000000000 -0400
3654 +++ linux-2.6.39.3/arch/powerpc/include/asm/swiotlb.h 2011-05-22 19:36:30.000000000 -0400
3655 @@ -13,7 +13,7 @@
3656
3657 #include <linux/swiotlb.h>
3658
3659 -extern struct dma_map_ops swiotlb_dma_ops;
3660 +extern const struct dma_map_ops swiotlb_dma_ops;
3661
3662 static inline void dma_mark_clean(void *addr, size_t size) {}
3663
3664 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/system.h linux-2.6.39.3/arch/powerpc/include/asm/system.h
3665 --- linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
3666 +++ linux-2.6.39.3/arch/powerpc/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
3667 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
3668 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
3669 #endif
3670
3671 -extern unsigned long arch_align_stack(unsigned long sp);
3672 +#define arch_align_stack(x) ((x) & ~0xfUL)
3673
3674 /* Used in very early kernel initialization. */
3675 extern unsigned long reloc_offset(void);
3676 diff -urNp linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h
3677 --- linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
3678 +++ linux-2.6.39.3/arch/powerpc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
3679 @@ -13,6 +13,8 @@
3680 #define VERIFY_READ 0
3681 #define VERIFY_WRITE 1
3682
3683 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3684 +
3685 /*
3686 * The fs value determines whether argument validity checking should be
3687 * performed or not. If get_fs() == USER_DS, checking is performed, with
3688 @@ -327,52 +329,6 @@ do { \
3689 extern unsigned long __copy_tofrom_user(void __user *to,
3690 const void __user *from, unsigned long size);
3691
3692 -#ifndef __powerpc64__
3693 -
3694 -static inline unsigned long copy_from_user(void *to,
3695 - const void __user *from, unsigned long n)
3696 -{
3697 - unsigned long over;
3698 -
3699 - if (access_ok(VERIFY_READ, from, n))
3700 - return __copy_tofrom_user((__force void __user *)to, from, n);
3701 - if ((unsigned long)from < TASK_SIZE) {
3702 - over = (unsigned long)from + n - TASK_SIZE;
3703 - return __copy_tofrom_user((__force void __user *)to, from,
3704 - n - over) + over;
3705 - }
3706 - return n;
3707 -}
3708 -
3709 -static inline unsigned long copy_to_user(void __user *to,
3710 - const void *from, unsigned long n)
3711 -{
3712 - unsigned long over;
3713 -
3714 - if (access_ok(VERIFY_WRITE, to, n))
3715 - return __copy_tofrom_user(to, (__force void __user *)from, n);
3716 - if ((unsigned long)to < TASK_SIZE) {
3717 - over = (unsigned long)to + n - TASK_SIZE;
3718 - return __copy_tofrom_user(to, (__force void __user *)from,
3719 - n - over) + over;
3720 - }
3721 - return n;
3722 -}
3723 -
3724 -#else /* __powerpc64__ */
3725 -
3726 -#define __copy_in_user(to, from, size) \
3727 - __copy_tofrom_user((to), (from), (size))
3728 -
3729 -extern unsigned long copy_from_user(void *to, const void __user *from,
3730 - unsigned long n);
3731 -extern unsigned long copy_to_user(void __user *to, const void *from,
3732 - unsigned long n);
3733 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
3734 - unsigned long n);
3735 -
3736 -#endif /* __powerpc64__ */
3737 -
3738 static inline unsigned long __copy_from_user_inatomic(void *to,
3739 const void __user *from, unsigned long n)
3740 {
3741 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
3742 if (ret == 0)
3743 return 0;
3744 }
3745 +
3746 + if (!__builtin_constant_p(n))
3747 + check_object_size(to, n, false);
3748 +
3749 return __copy_tofrom_user((__force void __user *)to, from, n);
3750 }
3751
3752 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
3753 if (ret == 0)
3754 return 0;
3755 }
3756 +
3757 + if (!__builtin_constant_p(n))
3758 + check_object_size(from, n, true);
3759 +
3760 return __copy_tofrom_user(to, (__force const void __user *)from, n);
3761 }
3762
3763 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
3764 return __copy_to_user_inatomic(to, from, size);
3765 }
3766
3767 +#ifndef __powerpc64__
3768 +
3769 +static inline unsigned long __must_check copy_from_user(void *to,
3770 + const void __user *from, unsigned long n)
3771 +{
3772 + unsigned long over;
3773 +
3774 + if ((long)n < 0)
3775 + return n;
3776 +
3777 + if (access_ok(VERIFY_READ, from, n)) {
3778 + if (!__builtin_constant_p(n))
3779 + check_object_size(to, n, false);
3780 + return __copy_tofrom_user((__force void __user *)to, from, n);
3781 + }
3782 + if ((unsigned long)from < TASK_SIZE) {
3783 + over = (unsigned long)from + n - TASK_SIZE;
3784 + if (!__builtin_constant_p(n - over))
3785 + check_object_size(to, n - over, false);
3786 + return __copy_tofrom_user((__force void __user *)to, from,
3787 + n - over) + over;
3788 + }
3789 + return n;
3790 +}
3791 +
3792 +static inline unsigned long __must_check copy_to_user(void __user *to,
3793 + const void *from, unsigned long n)
3794 +{
3795 + unsigned long over;
3796 +
3797 + if ((long)n < 0)
3798 + return n;
3799 +
3800 + if (access_ok(VERIFY_WRITE, to, n)) {
3801 + if (!__builtin_constant_p(n))
3802 + check_object_size(from, n, true);
3803 + return __copy_tofrom_user(to, (__force void __user *)from, n);
3804 + }
3805 + if ((unsigned long)to < TASK_SIZE) {
3806 + over = (unsigned long)to + n - TASK_SIZE;
3807 + if (!__builtin_constant_p(n))
3808 + check_object_size(from, n - over, true);
3809 + return __copy_tofrom_user(to, (__force void __user *)from,
3810 + n - over) + over;
3811 + }
3812 + return n;
3813 +}
3814 +
3815 +#else /* __powerpc64__ */
3816 +
3817 +#define __copy_in_user(to, from, size) \
3818 + __copy_tofrom_user((to), (from), (size))
3819 +
3820 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
3821 +{
3822 + if ((long)n < 0 || n > INT_MAX)
3823 + return n;
3824 +
3825 + if (!__builtin_constant_p(n))
3826 + check_object_size(to, n, false);
3827 +
3828 + if (likely(access_ok(VERIFY_READ, from, n)))
3829 + n = __copy_from_user(to, from, n);
3830 + else
3831 + memset(to, 0, n);
3832 + return n;
3833 +}
3834 +
3835 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
3836 +{
3837 + if ((long)n < 0 || n > INT_MAX)
3838 + return n;
3839 +
3840 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
3841 + if (!__builtin_constant_p(n))
3842 + check_object_size(from, n, true);
3843 + n = __copy_to_user(to, from, n);
3844 + }
3845 + return n;
3846 +}
3847 +
3848 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
3849 + unsigned long n);
3850 +
3851 +#endif /* __powerpc64__ */
3852 +
3853 extern unsigned long __clear_user(void __user *addr, unsigned long size);
3854
3855 static inline unsigned long clear_user(void __user *addr, unsigned long size)
3856 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma.c linux-2.6.39.3/arch/powerpc/kernel/dma.c
3857 --- linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-19 00:06:34.000000000 -0400
3858 +++ linux-2.6.39.3/arch/powerpc/kernel/dma.c 2011-05-22 19:36:30.000000000 -0400
3859 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
3860 }
3861 #endif
3862
3863 -struct dma_map_ops dma_direct_ops = {
3864 +const struct dma_map_ops dma_direct_ops = {
3865 .alloc_coherent = dma_direct_alloc_coherent,
3866 .free_coherent = dma_direct_free_coherent,
3867 .map_sg = dma_direct_map_sg,
3868 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
3869
3870 int dma_set_mask(struct device *dev, u64 dma_mask)
3871 {
3872 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
3873 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
3874
3875 if (ppc_md.dma_set_mask)
3876 return ppc_md.dma_set_mask(dev, dma_mask);
3877 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c
3878 --- linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-19 00:06:34.000000000 -0400
3879 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-iommu.c 2011-05-22 19:36:30.000000000 -0400
3880 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
3881 }
3882
3883 /* We support DMA to/from any memory page via the iommu */
3884 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
3885 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
3886 {
3887 struct iommu_table *tbl = get_iommu_table_base(dev);
3888
3889 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
3890 return 1;
3891 }
3892
3893 -struct dma_map_ops dma_iommu_ops = {
3894 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
3895 .alloc_coherent = dma_iommu_alloc_coherent,
3896 .free_coherent = dma_iommu_free_coherent,
3897 .map_sg = dma_iommu_map_sg,
3898 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c
3899 --- linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
3900 +++ linux-2.6.39.3/arch/powerpc/kernel/dma-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
3901 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
3902 * map_page, and unmap_page on highmem, use normal dma_ops
3903 * for everything else.
3904 */
3905 -struct dma_map_ops swiotlb_dma_ops = {
3906 +const struct dma_map_ops swiotlb_dma_ops = {
3907 .alloc_coherent = dma_direct_alloc_coherent,
3908 .free_coherent = dma_direct_free_coherent,
3909 .map_sg = swiotlb_map_sg_attrs,
3910 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S
3911 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-19 00:06:34.000000000 -0400
3912 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64e.S 2011-05-22 19:36:30.000000000 -0400
3913 @@ -495,6 +495,7 @@ storage_fault_common:
3914 std r14,_DAR(r1)
3915 std r15,_DSISR(r1)
3916 addi r3,r1,STACK_FRAME_OVERHEAD
3917 + bl .save_nvgprs
3918 mr r4,r14
3919 mr r5,r15
3920 ld r14,PACA_EXGEN+EX_R14(r13)
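Review bot: The added `bl .save_nvgprs` runs before `ld r14,PACA_EXGEN+EX_R14(r13)`, so at the call r14 and r15 still hold the DAR and DSISR values that the two `std` lines above just stored. If `.save_nvgprs` writes r14–r31 into the exception frame, as its name suggests, the frame's r14/r15 slots receive the fault address and status rather than the interrupted context's values, and any later consumer of the full register set (signal delivery, a full-restore return path) would see them. Placing the call immediately before `bl .do_page_fault`, after the PACA reloads, avoids this; those lines lie between this hunk and the next and are not visible here. The exceptions-64s.S hunk makes the same move after r3–r5 are already set up, but neither file has a comment saying why the non-volatile registers must now be saved on every fault instead of only on the error path.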
3921 @@ -504,8 +505,7 @@ storage_fault_common:
3922 cmpdi r3,0
3923 bne- 1f
3924 b .ret_from_except_lite
3925 -1: bl .save_nvgprs
3926 - mr r5,r3
3927 +1: mr r5,r3
3928 addi r3,r1,STACK_FRAME_OVERHEAD
3929 ld r4,_DAR(r1)
3930 bl .bad_page_fault
3931 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S
3932 --- linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-19 00:06:34.000000000 -0400
3933 +++ linux-2.6.39.3/arch/powerpc/kernel/exceptions-64s.S 2011-05-22 19:36:30.000000000 -0400
3934 @@ -848,10 +848,10 @@ handle_page_fault:
3935 11: ld r4,_DAR(r1)
3936 ld r5,_DSISR(r1)
3937 addi r3,r1,STACK_FRAME_OVERHEAD
3938 + bl .save_nvgprs
3939 bl .do_page_fault
3940 cmpdi r3,0
3941 beq+ 13f
3942 - bl .save_nvgprs
3943 mr r5,r3
3944 addi r3,r1,STACK_FRAME_OVERHEAD
3945 lwz r4,_DAR(r1)
3946 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c
3947 --- linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-19 00:06:34.000000000 -0400
3948 +++ linux-2.6.39.3/arch/powerpc/kernel/ibmebus.c 2011-05-22 19:36:30.000000000 -0400
3949 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
3950 return 1;
3951 }
3952
3953 -static struct dma_map_ops ibmebus_dma_ops = {
3954 +static const struct dma_map_ops ibmebus_dma_ops = {
3955 .alloc_coherent = ibmebus_alloc_coherent,
3956 .free_coherent = ibmebus_free_coherent,
3957 .map_sg = ibmebus_map_sg,
3958 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/kgdb.c linux-2.6.39.3/arch/powerpc/kernel/kgdb.c
3959 --- linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
3960 +++ linux-2.6.39.3/arch/powerpc/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
3961 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
3962 /*
3963 * Global data
3964 */
3965 -struct kgdb_arch arch_kgdb_ops = {
3966 +const struct kgdb_arch arch_kgdb_ops = {
3967 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
3968 };
3969
3970 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module_32.c linux-2.6.39.3/arch/powerpc/kernel/module_32.c
3971 --- linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-19 00:06:34.000000000 -0400
3972 +++ linux-2.6.39.3/arch/powerpc/kernel/module_32.c 2011-05-22 19:36:30.000000000 -0400
3973 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
3974 me->arch.core_plt_section = i;
3975 }
3976 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
3977 - printk("Module doesn't contain .plt or .init.plt sections.\n");
3978 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
3979 return -ENOEXEC;
3980 }
3981
3982 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
3983
3984 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
3985 /* Init, or core PLT? */
3986 - if (location >= mod->module_core
3987 - && location < mod->module_core + mod->core_size)
3988 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
3989 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
3990 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3991 - else
3992 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
3993 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
3994 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
3995 + else {
3996 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
3997 + return ~0UL;
3998 + }
3999
4000 /* Find this entry, or if that fails, the next avail. entry */
4001 while (entry->jump[0]) {
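Review bot: The new `return ~0UL;` in the final `else` only helps if the code that applies the R_PPC_REL24 relocation tests for it; that caller is outside this hunk, and without a check the sentinel would be used as a branch target like any other return value. The hunk header shows do_plt_call returning `uint32_t`, so `~0UL` is implicitly narrowed; a named constant such as `#define PLT_CALL_INVALID ((uint32_t)~0U)`, compared at the call site and turned into `-ENOEXEC`, would make the contract explicit. The printk changed in the first hunk of this file still has no log level, while the one added here uses `KERN_ERR`.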
4002 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/module.c linux-2.6.39.3/arch/powerpc/kernel/module.c
4003 --- linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4004 +++ linux-2.6.39.3/arch/powerpc/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4005 @@ -31,11 +31,24 @@
4006
4007 LIST_HEAD(module_bug_list);
4008
4009 +#ifdef CONFIG_PAX_KERNEXEC
4010 void *module_alloc(unsigned long size)
4011 {
4012 if (size == 0)
4013 return NULL;
4014
4015 + return vmalloc(size);
4016 +}
4017 +
4018 +void *module_alloc_exec(unsigned long size)
4019 +#else
4020 +void *module_alloc(unsigned long size)
4021 +#endif
4022 +
4023 +{
4024 + if (size == 0)
4025 + return NULL;
4026 +
4027 return vmalloc_exec(size);
4028 }
4029
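Review bot: The executable allocator's definition is split across the preprocessor: under CONFIG_PAX_KERNEXEC its signature line is `void *module_alloc_exec(unsigned long size)`, otherwise `void *module_alloc(unsigned long size)`, and both share the body after `#endif`. That makes it easy to miss that `module_alloc()` returns plain `vmalloc()` memory when KERNEXEC is on and `vmalloc_exec()` memory when it is off. A comment above the block would state the split, e.g. `/* KERNEXEC: module_alloc() hands out non-executable memory; code goes through module_alloc_exec() */`, and the blank line between `#endif` and `{` can be dropped. `module_free_exec()` in the next hunk is a plain wrapper around `module_free()` and deserves a one-line comment saying so.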
4030 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
4031 vfree(module_region);
4032 }
4033
4034 +#ifdef CONFIG_PAX_KERNEXEC
4035 +void module_free_exec(struct module *mod, void *module_region)
4036 +{
4037 + module_free(mod, module_region);
4038 +}
4039 +#endif
4040 +
4041 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
4042 const Elf_Shdr *sechdrs,
4043 const char *name)
4044 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/pci-common.c linux-2.6.39.3/arch/powerpc/kernel/pci-common.c
4045 --- linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-19 00:06:34.000000000 -0400
4046 +++ linux-2.6.39.3/arch/powerpc/kernel/pci-common.c 2011-05-22 19:36:30.000000000 -0400
4047 @@ -53,14 +53,14 @@ resource_size_t isa_mem_base;
4048 unsigned int ppc_pci_flags = 0;
4049
4050
4051 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4052 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
4053
4054 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
4055 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
4056 {
4057 pci_dma_ops = dma_ops;
4058 }
4059
4060 -struct dma_map_ops *get_pci_dma_ops(void)
4061 +const struct dma_map_ops *get_pci_dma_ops(void)
4062 {
4063 return pci_dma_ops;
4064 }
4065 @@ -1639,7 +1639,7 @@ null_write_config(struct pci_bus *bus, u
4066 return PCIBIOS_DEVICE_NOT_FOUND;
4067 }
4068
4069 -static struct pci_ops null_pci_ops =
4070 +static const struct pci_ops null_pci_ops =
4071 {
4072 .read = null_read_config,
4073 .write = null_write_config,
4074 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/process.c linux-2.6.39.3/arch/powerpc/kernel/process.c
4075 --- linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4076 +++ linux-2.6.39.3/arch/powerpc/kernel/process.c 2011-05-22 19:41:32.000000000 -0400
4077 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
4078 * Lookup NIP late so we have the best change of getting the
4079 * above info out without failing
4080 */
4081 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
4082 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
4083 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
4084 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
4085 #endif
4086 show_stack(current, (unsigned long *) regs->gpr[1]);
4087 if (!user_mode(regs))
4088 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
4089 newsp = stack[0];
4090 ip = stack[STACK_FRAME_LR_SAVE];
4091 if (!firstframe || ip != lr) {
4092 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
4093 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
4094 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4095 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
4096 - printk(" (%pS)",
4097 + printk(" (%pA)",
4098 (void *)current->ret_stack[curr_frame].ret);
4099 curr_frame--;
4100 }
4101 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
4102 struct pt_regs *regs = (struct pt_regs *)
4103 (sp + STACK_FRAME_OVERHEAD);
4104 lr = regs->link;
4105 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
4106 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
4107 regs->trap, (void *)regs->nip, (void *)lr);
4108 firstframe = 1;
4109 }
4110 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
4111 }
4112
4113 #endif /* THREAD_SHIFT < PAGE_SHIFT */
4114 -
4115 -unsigned long arch_align_stack(unsigned long sp)
4116 -{
4117 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4118 - sp -= get_random_int() & ~PAGE_MASK;
4119 - return sp & ~0xf;
4120 -}
4121 -
4122 -static inline unsigned long brk_rnd(void)
4123 -{
4124 - unsigned long rnd = 0;
4125 -
4126 - /* 8MB for 32bit, 1GB for 64bit */
4127 - if (is_32bit_task())
4128 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
4129 - else
4130 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
4131 -
4132 - return rnd << PAGE_SHIFT;
4133 -}
4134 -
4135 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4136 -{
4137 - unsigned long base = mm->brk;
4138 - unsigned long ret;
4139 -
4140 -#ifdef CONFIG_PPC_STD_MMU_64
4141 - /*
4142 - * If we are using 1TB segments and we are allowed to randomise
4143 - * the heap, we can put it above 1TB so it is backed by a 1TB
4144 - * segment. Otherwise the heap will be in the bottom 1TB
4145 - * which always uses 256MB segments and this may result in a
4146 - * performance penalty.
4147 - */
4148 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
4149 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
4150 -#endif
4151 -
4152 - ret = PAGE_ALIGN(base + brk_rnd());
4153 -
4154 - if (ret < mm->brk)
4155 - return mm->brk;
4156 -
4157 - return ret;
4158 -}
4159 -
4160 -unsigned long randomize_et_dyn(unsigned long base)
4161 -{
4162 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4163 -
4164 - if (ret < base)
4165 - return base;
4166 -
4167 - return ret;
4168 -}
4169 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c
4170 --- linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-19 00:06:34.000000000 -0400
4171 +++ linux-2.6.39.3/arch/powerpc/kernel/rtas_pci.c 2011-05-22 19:36:30.000000000 -0400
4172 @@ -149,7 +149,7 @@ static int rtas_pci_write_config(struct
4173 return PCIBIOS_DEVICE_NOT_FOUND;
4174 }
4175
4176 -static struct pci_ops rtas_pci_ops = {
4177 +static const struct pci_ops rtas_pci_ops = {
4178 .read = rtas_pci_read_config,
4179 .write = rtas_pci_write_config,
4180 };
4181 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_32.c linux-2.6.39.3/arch/powerpc/kernel/signal_32.c
4182 --- linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-19 00:06:34.000000000 -0400
4183 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_32.c 2011-05-22 19:36:30.000000000 -0400
4184 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
4185 /* Save user registers on the stack */
4186 frame = &rt_sf->uc.uc_mcontext;
4187 addr = frame;
4188 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
4189 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4190 if (save_user_regs(regs, frame, 0, 1))
4191 goto badframe;
4192 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
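Review bot: The "no vDSO mapped" marker changes from zero to `~0UL` here, in handle_rt_signal64 (signal_64.c) and in arch_setup_additional_pages (vdso.c), and it is written as a bare literal in all three places. Any other reader of `context.vdso_base` that still tests for zero would now treat an unmapped vDSO as mapped and compute addresses from `~0UL`; such readers, if there are any, are outside the visible hunks and should be checked. A shared name next to the field's declaration, for example `#define VDSO_BASE_UNMAPPED (~0UL)`, would keep the setter and every test in step. Both signal functions continue outside their hunks.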
4193 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/signal_64.c linux-2.6.39.3/arch/powerpc/kernel/signal_64.c
4194 --- linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-19 00:06:34.000000000 -0400
4195 +++ linux-2.6.39.3/arch/powerpc/kernel/signal_64.c 2011-05-22 19:36:30.000000000 -0400
4196 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
4197 current->thread.fpscr.val = 0;
4198
4199 /* Set up to return from userspace. */
4200 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
4201 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
4202 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
4203 } else {
4204 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
4205 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/traps.c linux-2.6.39.3/arch/powerpc/kernel/traps.c
4206 --- linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
4207 +++ linux-2.6.39.3/arch/powerpc/kernel/traps.c 2011-06-13 21:33:04.000000000 -0400
4208 @@ -96,6 +96,8 @@ static void pmac_backlight_unblank(void)
4209 static inline void pmac_backlight_unblank(void) { }
4210 #endif
4211
4212 +extern void gr_handle_kernel_exploit(void);
4213 +
4214 int die(const char *str, struct pt_regs *regs, long err)
4215 {
4216 static struct {
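Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of coming from a header, so the compiler cannot check the prototype against the definition if the signature changes. Declaring it in a header that both the definition and this file include is the usual arrangement. The call added in the second hunk sits after the `panic_on_oops` check and before `oops_exit()`; a one-line comment there saying what the hook does with the faulting task would help readers of die(), whose body extends beyond both hunks.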
4217 @@ -170,6 +172,8 @@ int die(const char *str, struct pt_regs
4218 if (panic_on_oops)
4219 panic("Fatal exception");
4220
4221 + gr_handle_kernel_exploit();
4222 +
4223 oops_exit();
4224 do_exit(err);
4225
4226 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vdso.c linux-2.6.39.3/arch/powerpc/kernel/vdso.c
4227 --- linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-19 00:06:34.000000000 -0400
4228 +++ linux-2.6.39.3/arch/powerpc/kernel/vdso.c 2011-05-22 19:36:30.000000000 -0400
4229 @@ -36,6 +36,7 @@
4230 #include <asm/firmware.h>
4231 #include <asm/vdso.h>
4232 #include <asm/vdso_datapage.h>
4233 +#include <asm/mman.h>
4234
4235 #include "setup.h"
4236
4237 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
4238 vdso_base = VDSO32_MBASE;
4239 #endif
4240
4241 - current->mm->context.vdso_base = 0;
4242 + current->mm->context.vdso_base = ~0UL;
4243
4244 /* vDSO has a problem and was disabled, just don't "enable" it for the
4245 * process
4246 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
4247 vdso_base = get_unmapped_area(NULL, vdso_base,
4248 (vdso_pages << PAGE_SHIFT) +
4249 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
4250 - 0, 0);
4251 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
4252 if (IS_ERR_VALUE(vdso_base)) {
4253 rc = vdso_base;
4254 goto fail_mmapsem;
4255 diff -urNp linux-2.6.39.3/arch/powerpc/kernel/vio.c linux-2.6.39.3/arch/powerpc/kernel/vio.c
4256 --- linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-19 00:06:34.000000000 -0400
4257 +++ linux-2.6.39.3/arch/powerpc/kernel/vio.c 2011-05-22 19:36:30.000000000 -0400
4258 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
4259 return dma_iommu_ops.dma_supported(dev, mask);
4260 }
4261
4262 -struct dma_map_ops vio_dma_mapping_ops = {
4263 +const struct dma_map_ops vio_dma_mapping_ops = {
4264 .alloc_coherent = vio_dma_iommu_alloc_coherent,
4265 .free_coherent = vio_dma_iommu_free_coherent,
4266 .map_sg = vio_dma_iommu_map_sg,
4267 .unmap_sg = vio_dma_iommu_unmap_sg,
4268 + .dma_supported = dma_iommu_dma_supported,
4269 .map_page = vio_dma_iommu_map_page,
4270 .unmap_page = vio_dma_iommu_unmap_page,
4271 .dma_supported = vio_dma_iommu_dma_supported,
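Review bot: The added `.dma_supported = dma_iommu_dma_supported,` has no effect, because the initializer list still ends with `.dma_supported = vio_dma_iommu_dma_supported,` and the last designated initializer for a member wins (GCC reports this under -Woverride-init). Only one of the two should remain: either drop the added line, or drop the trailing initializer and the forwarding wrapper `vio_dma_iommu_dma_supported`, which only calls `dma_iommu_ops.dma_supported`. If the added line is removed, `dma_iommu_dma_supported` in dma-iommu.c can keep its `static`. As the patch stands, that function also needs a prototype in a shared header, which is not visible here.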
4272 diff -urNp linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c
4273 --- linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
4274 +++ linux-2.6.39.3/arch/powerpc/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
4275 @@ -9,22 +9,6 @@
4276 #include <linux/module.h>
4277 #include <asm/uaccess.h>
4278
4279 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4280 -{
4281 - if (likely(access_ok(VERIFY_READ, from, n)))
4282 - n = __copy_from_user(to, from, n);
4283 - else
4284 - memset(to, 0, n);
4285 - return n;
4286 -}
4287 -
4288 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4289 -{
4290 - if (likely(access_ok(VERIFY_WRITE, to, n)))
4291 - n = __copy_to_user(to, from, n);
4292 - return n;
4293 -}
4294 -
4295 unsigned long copy_in_user(void __user *to, const void __user *from,
4296 unsigned long n)
4297 {
4298 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
4299 return n;
4300 }
4301
4302 -EXPORT_SYMBOL(copy_from_user);
4303 -EXPORT_SYMBOL(copy_to_user);
4304 EXPORT_SYMBOL(copy_in_user);
4305
4306 diff -urNp linux-2.6.39.3/arch/powerpc/mm/fault.c linux-2.6.39.3/arch/powerpc/mm/fault.c
4307 --- linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
4308 +++ linux-2.6.39.3/arch/powerpc/mm/fault.c 2011-05-22 19:36:30.000000000 -0400
4309 @@ -31,6 +31,10 @@
4310 #include <linux/kdebug.h>
4311 #include <linux/perf_event.h>
4312 #include <linux/magic.h>
4313 +#include <linux/slab.h>
4314 +#include <linux/pagemap.h>
4315 +#include <linux/compiler.h>
4316 +#include <linux/unistd.h>
4317
4318 #include <asm/firmware.h>
4319 #include <asm/page.h>
4320 @@ -42,6 +46,7 @@
4321 #include <asm/tlbflush.h>
4322 #include <asm/siginfo.h>
4323 #include <mm/mmu_decl.h>
4324 +#include <asm/ptrace.h>
4325
4326 #ifdef CONFIG_KPROBES
4327 static inline int notify_page_fault(struct pt_regs *regs)
4328 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
4329 }
4330 #endif
4331
4332 +#ifdef CONFIG_PAX_PAGEEXEC
4333 +/*
4334 + * PaX: decide what to do with offenders (regs->nip = fault address)
4335 + *
4336 + * returns 1 when task should be killed
4337 + */
4338 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4339 +{
4340 + return 1;
4341 +}
4342 +
4343 +void pax_report_insns(void *pc, void *sp)
4344 +{
4345 + unsigned long i;
4346 +
4347 + printk(KERN_ERR "PAX: bytes at PC: ");
4348 + for (i = 0; i < 5; i++) {
4349 + unsigned int c;
4350 + if (get_user(c, (unsigned int __user *)pc+i))
4351 + printk(KERN_CONT "???????? ");
4352 + else
4353 + printk(KERN_CONT "%08x ", c);
4354 + }
4355 + printk("\n");
4356 +}
4357 +#endif
4358 +
4359 /*
4360 * Check whether the instruction at regs->nip is a store using
4361 * an update addressing form which will update r1.
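Review bot: The closing `printk("\n");` in pax_report_insns has no `KERN_CONT`, unlike the continuation calls in the loop, so it may be logged as a separate default-level record instead of terminating the `PAX: bytes at PC:` line; `printk(KERN_CONT "\n");` is the consistent form. The `sp` parameter is unused and the word count `5` is a bare literal; a short comment stating that the function dumps five 32-bit words at the faulting PC through `get_user()` would cover both. The comment on pax_handle_fetch_fault could also say that on this architecture it returns 1 unconditionally.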
4362 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
4363 * indicate errors in DSISR but can validly be set in SRR1.
4364 */
4365 if (trap == 0x400)
4366 - error_code &= 0x48200000;
4367 + error_code &= 0x58200000;
4368 else
4369 is_write = error_code & DSISR_ISSTORE;
4370 #else
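Review bot: The mask literal changes from `0x48200000` to `0x58200000` without a comment; the added bit is `0x10000000`, which a later hunk in this file replaces with the name `DSISR_GUARDED`. Writing the new bit by name, e.g. `error_code &= 0x48200000 | DSISR_GUARDED;`, or listing the retained SRR1 bits in a comment, would show that the guarded-storage bit is now preserved for the `trap == 0x400` case so the checks further down can see it. do_page_fault continues outside this hunk.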
4371 @@ -258,7 +290,7 @@ good_area:
4372 * "undefined". Of those that can be set, this is the only
4373 * one which seems bad.
4374 */
4375 - if (error_code & 0x10000000)
4376 + if (error_code & DSISR_GUARDED)
4377 /* Guarded storage error. */
4378 goto bad_area;
4379 #endif /* CONFIG_8xx */
4380 @@ -273,7 +305,7 @@ good_area:
4381 * processors use the same I/D cache coherency mechanism
4382 * as embedded.
4383 */
4384 - if (error_code & DSISR_PROTFAULT)
4385 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
4386 goto bad_area;
4387 #endif /* CONFIG_PPC_STD_MMU */
4388
4389 @@ -342,6 +374,23 @@ bad_area:
4390 bad_area_nosemaphore:
4391 /* User mode accesses cause a SIGSEGV */
4392 if (user_mode(regs)) {
4393 +
4394 +#ifdef CONFIG_PAX_PAGEEXEC
4395 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4396 +#ifdef CONFIG_PPC_STD_MMU
4397 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
4398 +#else
4399 + if (is_exec && regs->nip == address) {
4400 +#endif
4401 + switch (pax_handle_fetch_fault(regs)) {
4402 + }
4403 +
4404 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
4405 + do_group_exit(SIGKILL);
4406 + }
4407 + }
4408 +#endif
4409 +
4410 _exception(SIGSEGV, regs, code, address);
4411 return 0;
4412 }
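Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and every matching fault goes on to `pax_report_fault()` and `do_group_exit(SIGKILL)`. That agrees with the helper returning 1 unconditionally in this file, but the empty switch reads like missing cases; a comment such as `/* no emulation cases on powerpc: always report and kill */` would state the intent. The inner `if` is opened once in each branch of `#ifdef CONFIG_PPC_STD_MMU` / `#else`, which breaks brace matching for editors and analysers; computing the condition into a local under the `#ifdef` and using a single `if` avoids that.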
4413 diff -urNp linux-2.6.39.3/arch/powerpc/mm/mmap_64.c linux-2.6.39.3/arch/powerpc/mm/mmap_64.c
4414 --- linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-19 00:06:34.000000000 -0400
4415 +++ linux-2.6.39.3/arch/powerpc/mm/mmap_64.c 2011-05-22 19:36:30.000000000 -0400
4416 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
4417 */
4418 if (mmap_is_legacy()) {
4419 mm->mmap_base = TASK_UNMAPPED_BASE;
4420 +
4421 +#ifdef CONFIG_PAX_RANDMMAP
4422 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4423 + mm->mmap_base += mm->delta_mmap;
4424 +#endif
4425 +
4426 mm->get_unmapped_area = arch_get_unmapped_area;
4427 mm->unmap_area = arch_unmap_area;
4428 } else {
4429 mm->mmap_base = mmap_base();
4430 +
4431 +#ifdef CONFIG_PAX_RANDMMAP
4432 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4433 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4434 +#endif
4435 +
4436 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4437 mm->unmap_area = arch_unmap_area_topdown;
4438 }
4439 diff -urNp linux-2.6.39.3/arch/powerpc/mm/slice.c linux-2.6.39.3/arch/powerpc/mm/slice.c
4440 --- linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-19 00:06:34.000000000 -0400
4441 +++ linux-2.6.39.3/arch/powerpc/mm/slice.c 2011-05-22 19:36:30.000000000 -0400
4442 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
4443 if ((mm->task_size - len) < addr)
4444 return 0;
4445 vma = find_vma(mm, addr);
4446 - return (!vma || (addr + len) <= vma->vm_start);
4447 + return check_heap_stack_gap(vma, addr, len);
4448 }
4449
4450 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
4451 @@ -256,7 +256,7 @@ full_search:
4452 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
4453 continue;
4454 }
4455 - if (!vma || addr + len <= vma->vm_start) {
4456 + if (check_heap_stack_gap(vma, addr, len)) {
4457 /*
4458 * Remember the place where we stopped the search:
4459 */
4460 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
4461 }
4462 }
4463
4464 - addr = mm->mmap_base;
4465 - while (addr > len) {
4466 + if (mm->mmap_base < len)
4467 + addr = -ENOMEM;
4468 + else
4469 + addr = mm->mmap_base - len;
4470 +
4471 + while (!IS_ERR_VALUE(addr)) {
4472 /* Go down by chunk size */
4473 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
4474 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
4475
4476 /* Check for hit with different page size */
4477 mask = slice_range_to_mask(addr, len);
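Review bot: The loop head no longer steps down by itself: the old body computed `_ALIGN_DOWN(addr - len, ...)` on every pass, while the new one only re-aligns the current `addr`, which changes nothing once `addr` is aligned. Progress now depends on every path back to the loop head lowering `addr` first, as a later hunk does with `addr = skip_heap_stack_gap(vma, len);`. Any `continue` after the `slice_range_to_mask()` call that leaves `addr` unchanged would repeat the same iteration indefinitely; that code is outside this hunk and should be checked. Such paths should subtract at least one `1ul << pshift` step before continuing. Termination also relies on `skip_heap_stack_gap()` yielding an error value when no room is left, since `!IS_ERR_VALUE(addr)` is now the only exit test.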
4478 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
4479 * return with success:
4480 */
4481 vma = find_vma(mm, addr);
4482 - if (!vma || (addr + len) <= vma->vm_start) {
4483 + if (check_heap_stack_gap(vma, addr, len)) {
4484 /* remember the address as a hint for next time */
4485 if (use_cache)
4486 mm->free_area_cache = addr;
4487 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
4488 mm->cached_hole_size = vma->vm_start - addr;
4489
4490 /* try just below the current vma->vm_start */
4491 - addr = vma->vm_start;
4492 + addr = skip_heap_stack_gap(vma, len);
4493 }
4494
4495 /*
4496 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
4497 if (fixed && addr > (mm->task_size - len))
4498 return -EINVAL;
4499
4500 +#ifdef CONFIG_PAX_RANDMMAP
4501 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
4502 + addr = 0;
4503 +#endif
4504 +
4505 /* If hint, make sure it matches our alignment restrictions */
4506 if (!fixed && addr) {
4507 addr = _ALIGN_UP(addr, 1ul << pshift);
4508 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c
4509 --- linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-19 00:06:34.000000000 -0400
4510 +++ linux-2.6.39.3/arch/powerpc/platforms/52xx/efika.c 2011-05-22 19:36:30.000000000 -0400
4511 @@ -60,7 +60,7 @@ static int rtas_write_config(struct pci_
4512 return rval ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
4513 }
4514
4515 -static struct pci_ops rtas_pci_ops = {
4516 +static const struct pci_ops rtas_pci_ops = {
4517 .read = rtas_read_config,
4518 .write = rtas_write_config,
4519 };
4520 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c
4521 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-19 00:06:34.000000000 -0400
4522 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_pci.c 2011-05-22 19:36:30.000000000 -0400
4523 @@ -234,7 +234,7 @@ static int celleb_fake_pci_write_config(
4524 return PCIBIOS_SUCCESSFUL;
4525 }
4526
4527 -static struct pci_ops celleb_fake_pci_ops = {
4528 +static const struct pci_ops celleb_fake_pci_ops = {
4529 .read = celleb_fake_pci_read_config,
4530 .write = celleb_fake_pci_write_config,
4531 };
4532 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c
4533 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-19 00:06:34.000000000 -0400
4534 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_epci.c 2011-05-22 19:36:30.000000000 -0400
4535 @@ -245,7 +245,7 @@ static int celleb_epci_write_config(stru
4536 return celleb_epci_check_abort(hose, addr);
4537 }
4538
4539 -struct pci_ops celleb_epci_ops = {
4540 +const struct pci_ops celleb_epci_ops = {
4541 .read = celleb_epci_read_config,
4542 .write = celleb_epci_write_config,
4543 };
4544 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c
4545 --- linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-19 00:06:34.000000000 -0400
4546 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/celleb_scc_pciex.c 2011-05-22 19:36:30.000000000 -0400
4547 @@ -399,7 +399,7 @@ static int scc_pciex_write_config(struct
4548 return PCIBIOS_SUCCESSFUL;
4549 }
4550
4551 -static struct pci_ops scc_pciex_pci_ops = {
4552 +static const struct pci_ops scc_pciex_pci_ops = {
4553 scc_pciex_read_config,
4554 scc_pciex_write_config,
4555 };
4556 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c
4557 --- linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-19 00:06:34.000000000 -0400
4558 +++ linux-2.6.39.3/arch/powerpc/platforms/cell/iommu.c 2011-05-22 19:36:30.000000000 -0400
4559 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
4560
4561 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
4562
4563 -struct dma_map_ops dma_iommu_fixed_ops = {
4564 +const struct dma_map_ops dma_iommu_fixed_ops = {
4565 .alloc_coherent = dma_fixed_alloc_coherent,
4566 .free_coherent = dma_fixed_free_coherent,
4567 .map_sg = dma_fixed_map_sg,
4568 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c
4569 --- linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-19 00:06:34.000000000 -0400
4570 +++ linux-2.6.39.3/arch/powerpc/platforms/chrp/pci.c 2011-05-22 19:36:30.000000000 -0400
4571 @@ -84,7 +84,7 @@ int gg2_write_config(struct pci_bus *bus
4572 return PCIBIOS_SUCCESSFUL;
4573 }
4574
4575 -static struct pci_ops gg2_pci_ops =
4576 +static const struct pci_ops gg2_pci_ops =
4577 {
4578 .read = gg2_read_config,
4579 .write = gg2_write_config,
4580 @@ -122,7 +122,7 @@ int rtas_write_config(struct pci_bus *bu
4581 return rval? PCIBIOS_DEVICE_NOT_FOUND: PCIBIOS_SUCCESSFUL;
4582 }
4583
4584 -static struct pci_ops rtas_pci_ops =
4585 +static const struct pci_ops rtas_pci_ops =
4586 {
4587 .read = rtas_read_config,
4588 .write = rtas_write_config,
4589 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c
4590 --- linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-19 00:06:34.000000000 -0400
4591 +++ linux-2.6.39.3/arch/powerpc/platforms/iseries/pci.c 2011-05-22 19:36:30.000000000 -0400
4592 @@ -533,7 +533,7 @@ static int iSeries_pci_write_config(stru
4593 return 0;
4594 }
4595
4596 -static struct pci_ops iSeries_pci_ops = {
4597 +static const struct pci_ops iSeries_pci_ops = {
4598 .read = iSeries_pci_read_config,
4599 .write = iSeries_pci_write_config
4600 };
4601 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c
4602 --- linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-19 00:06:34.000000000 -0400
4603 +++ linux-2.6.39.3/arch/powerpc/platforms/maple/pci.c 2011-05-22 19:36:30.000000000 -0400
4604 @@ -180,7 +180,7 @@ static int u3_agp_write_config(struct pc
4605 return PCIBIOS_SUCCESSFUL;
4606 }
4607
4608 -static struct pci_ops u3_agp_pci_ops =
4609 +static const struct pci_ops u3_agp_pci_ops =
4610 {
4611 .read = u3_agp_read_config,
4612 .write = u3_agp_write_config,
4613 @@ -276,7 +276,7 @@ static int u3_ht_write_config(struct pci
4614 return PCIBIOS_SUCCESSFUL;
4615 }
4616
4617 -static struct pci_ops u3_ht_pci_ops =
4618 +static const struct pci_ops u3_ht_pci_ops =
4619 {
4620 .read = u3_ht_read_config,
4621 .write = u3_ht_write_config,
4622 @@ -381,7 +381,7 @@ static int u4_pcie_write_config(struct p
4623 return PCIBIOS_SUCCESSFUL;
4624 }
4625
4626 -static struct pci_ops u4_pcie_pci_ops =
4627 +static const struct pci_ops u4_pcie_pci_ops =
4628 {
4629 .read = u4_pcie_read_config,
4630 .write = u4_pcie_write_config,
4631 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c
4632 --- linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-19 00:06:34.000000000 -0400
4633 +++ linux-2.6.39.3/arch/powerpc/platforms/pasemi/pci.c 2011-05-22 19:36:30.000000000 -0400
4634 @@ -176,7 +176,7 @@ static int pa_pxp_write_config(struct pc
4635 return PCIBIOS_SUCCESSFUL;
4636 }
4637
4638 -static struct pci_ops pa_pxp_ops = {
4639 +static const struct pci_ops pa_pxp_ops = {
4640 .read = pa_pxp_read_config,
4641 .write = pa_pxp_write_config,
4642 };
4643 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c
4644 --- linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-19 00:06:34.000000000 -0400
4645 +++ linux-2.6.39.3/arch/powerpc/platforms/powermac/pci.c 2011-05-22 19:36:30.000000000 -0400
4646 @@ -218,7 +218,7 @@ static int macrisc_write_config(struct p
4647 return PCIBIOS_SUCCESSFUL;
4648 }
4649
4650 -static struct pci_ops macrisc_pci_ops =
4651 +static const struct pci_ops macrisc_pci_ops =
4652 {
4653 .read = macrisc_read_config,
4654 .write = macrisc_write_config,
4655 @@ -273,7 +273,7 @@ chaos_write_config(struct pci_bus *bus,
4656 return macrisc_write_config(bus, devfn, offset, len, val);
4657 }
4658
4659 -static struct pci_ops chaos_pci_ops =
4660 +static const struct pci_ops chaos_pci_ops =
4661 {
4662 .read = chaos_read_config,
4663 .write = chaos_write_config,
4664 diff -urNp linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c
4665 --- linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-19 00:06:34.000000000 -0400
4666 +++ linux-2.6.39.3/arch/powerpc/platforms/ps3/system-bus.c 2011-05-22 19:36:30.000000000 -0400
4667 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
4668 return mask >= DMA_BIT_MASK(32);
4669 }
4670
4671 -static struct dma_map_ops ps3_sb_dma_ops = {
4672 +static const struct dma_map_ops ps3_sb_dma_ops = {
4673 .alloc_coherent = ps3_alloc_coherent,
4674 .free_coherent = ps3_free_coherent,
4675 .map_sg = ps3_sb_map_sg,
4676 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
4677 .unmap_page = ps3_unmap_page,
4678 };
4679
4680 -static struct dma_map_ops ps3_ioc0_dma_ops = {
4681 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
4682 .alloc_coherent = ps3_alloc_coherent,
4683 .free_coherent = ps3_free_coherent,
4684 .map_sg = ps3_ioc0_map_sg,
4685 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c
4686 --- linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-19 00:06:34.000000000 -0400
4687 +++ linux-2.6.39.3/arch/powerpc/sysdev/fsl_pci.c 2011-05-22 19:36:30.000000000 -0400
4688 @@ -573,7 +573,7 @@ static int mpc83xx_pcie_write_config(str
4689 return PCIBIOS_SUCCESSFUL;
4690 }
4691
4692 -static struct pci_ops mpc83xx_pcie_ops = {
4693 +static const struct pci_ops mpc83xx_pcie_ops = {
4694 .read = mpc83xx_pcie_read_config,
4695 .write = mpc83xx_pcie_write_config,
4696 };
4697 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c
4698 --- linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-19 00:06:34.000000000 -0400
4699 +++ linux-2.6.39.3/arch/powerpc/sysdev/indirect_pci.c 2011-05-22 19:36:30.000000000 -0400
4700 @@ -148,7 +148,7 @@ indirect_write_config(struct pci_bus *bu
4701 return PCIBIOS_SUCCESSFUL;
4702 }
4703
4704 -static struct pci_ops indirect_pci_ops =
4705 +static const struct pci_ops indirect_pci_ops =
4706 {
4707 .read = indirect_read_config,
4708 .write = indirect_write_config,
4709 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c
4710 --- linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-19 00:06:34.000000000 -0400
4711 +++ linux-2.6.39.3/arch/powerpc/sysdev/ppc4xx_pci.c 2011-05-22 19:36:30.000000000 -0400
4712 @@ -1514,7 +1514,7 @@ static int ppc4xx_pciex_write_config(str
4713 return PCIBIOS_SUCCESSFUL;
4714 }
4715
4716 -static struct pci_ops ppc4xx_pciex_pci_ops =
4717 +static const struct pci_ops ppc4xx_pciex_pci_ops =
4718 {
4719 .read = ppc4xx_pciex_read_config,
4720 .write = ppc4xx_pciex_write_config,
4721 diff -urNp linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c
4722 --- linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-19 00:06:34.000000000 -0400
4723 +++ linux-2.6.39.3/arch/powerpc/sysdev/tsi108_pci.c 2011-05-22 19:36:30.000000000 -0400
4724 @@ -190,7 +190,7 @@ void tsi108_clear_pci_cfg_error(void)
4725 tsi108_clear_pci_error(tsi108_pci_cfg_phys);
4726 }
4727
4728 -static struct pci_ops tsi108_direct_pci_ops = {
4729 +static const struct pci_ops tsi108_direct_pci_ops = {
4730 .read = tsi108_direct_read_config,
4731 .write = tsi108_direct_write_config,
4732 };
4733 diff -urNp linux-2.6.39.3/arch/s390/include/asm/elf.h linux-2.6.39.3/arch/s390/include/asm/elf.h
4734 --- linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
4735 +++ linux-2.6.39.3/arch/s390/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
4736 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
4737 the loader. We need to make sure that it is out of the way of the program
4738 that it will "exec", and that there is sufficient room for the brk. */
4739
4740 -extern unsigned long randomize_et_dyn(unsigned long base);
4741 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
4742 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
4743 +
4744 +#ifdef CONFIG_PAX_ASLR
4745 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
4746 +
4747 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4748 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
4749 +#endif
4750
4751 /* This yields a mask that user programs can use to figure out what
4752 instruction set this CPU supports. */
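Review bot: With CONFIG_PAX_ASLR disabled this hunk leaves s390 with a fixed `ELF_ET_DYN_BASE`, because `randomize_et_dyn()` is dropped unconditionally while the replacement `PAX_ELF_ET_DYN_BASE` and `PAX_DELTA_*` macros exist only inside the `#ifdef`. The same applies to the `arch_randomize_brk` removal in the next hunk, the `arch_align_stack` macro in asm/system.h and the deletions in kernel/process.c. If non-PaX builds are meant to stay supported, keep the stock definitions in an `#else` branch. Otherwise a comment above `ELF_ET_DYN_BASE`, such as `/* ET_DYN, brk and stack randomization are provided by PaX ASLR only */`, would record the dependency.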
4753 @@ -222,7 +228,4 @@ struct linux_binprm;
4754 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
4755 int arch_setup_additional_pages(struct linux_binprm *, int);
4756
4757 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
4758 -#define arch_randomize_brk arch_randomize_brk
4759 -
4760 #endif
4761 diff -urNp linux-2.6.39.3/arch/s390/include/asm/system.h linux-2.6.39.3/arch/s390/include/asm/system.h
4762 --- linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
4763 +++ linux-2.6.39.3/arch/s390/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
4764 @@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
4765 extern void (*_machine_halt)(void);
4766 extern void (*_machine_power_off)(void);
4767
4768 -extern unsigned long arch_align_stack(unsigned long sp);
4769 +#define arch_align_stack(x) ((x) & ~0xfUL)
4770
4771 static inline int tprot(unsigned long addr)
4772 {
4773 diff -urNp linux-2.6.39.3/arch/s390/include/asm/uaccess.h linux-2.6.39.3/arch/s390/include/asm/uaccess.h
4774 --- linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
4775 +++ linux-2.6.39.3/arch/s390/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
4776 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
4777 copy_to_user(void __user *to, const void *from, unsigned long n)
4778 {
4779 might_fault();
4780 +
4781 + if ((long)n < 0)
4782 + return n;
4783 +
4784 if (access_ok(VERIFY_WRITE, to, n))
4785 n = __copy_to_user(to, from, n);
4786 return n;
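Review bot: The added `if ((long)n < 0) return n;` guard reaches copy_to_user(), __copy_from_user() and copy_from_user() in this file section, but no hunk adds it to __copy_to_user(), so callers of that variant still pass an oversized length through unchecked. Unless it is guarded elsewhere, the same two lines belong there. The check also deserves a one-line comment, e.g. `/* a length with the sign bit set is almost certainly an underflowed size; refuse it and report nothing copied */`. Since the test is repeated three times, a small inline helper would keep the copies from drifting apart.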
4787 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
4788 static inline unsigned long __must_check
4789 __copy_from_user(void *to, const void __user *from, unsigned long n)
4790 {
4791 + if ((long)n < 0)
4792 + return n;
4793 +
4794 if (__builtin_constant_p(n) && (n <= 256))
4795 return uaccess.copy_from_user_small(n, from, to);
4796 else
4797 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
4798 unsigned int sz = __compiletime_object_size(to);
4799
4800 might_fault();
4801 +
4802 + if ((long)n < 0)
4803 + return n;
4804 +
4805 if (unlikely(sz != -1 && sz < n)) {
4806 copy_from_user_overflow();
4807 return n;
4808 diff -urNp linux-2.6.39.3/arch/s390/Kconfig linux-2.6.39.3/arch/s390/Kconfig
4809 --- linux-2.6.39.3/arch/s390/Kconfig 2011-05-19 00:06:34.000000000 -0400
4810 +++ linux-2.6.39.3/arch/s390/Kconfig 2011-05-22 19:36:30.000000000 -0400
4811 @@ -234,11 +234,9 @@ config S390_EXEC_PROTECT
4812 prompt "Data execute protection"
4813 help
4814 This option allows to enable a buffer overflow protection for user
4815 - space programs and it also selects the addressing mode option above.
4816 - The kernel parameter noexec=on will enable this feature and also
4817 - switch the addressing modes, default is disabled. Enabling this (via
4818 - kernel parameter) on machines earlier than IBM System z9 this will
4819 - reduce system performance.
4820 + space programs.
4821 + Enabling this (via kernel parameter) on machines earlier than IBM
4822 + System z9 this will reduce system performance.
4823
4824 comment "Code generation options"
4825
4826 diff -urNp linux-2.6.39.3/arch/s390/kernel/module.c linux-2.6.39.3/arch/s390/kernel/module.c
4827 --- linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
4828 +++ linux-2.6.39.3/arch/s390/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
4829 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
4830
4831 /* Increase core size by size of got & plt and set start
4832 offsets for got and plt. */
4833 - me->core_size = ALIGN(me->core_size, 4);
4834 - me->arch.got_offset = me->core_size;
4835 - me->core_size += me->arch.got_size;
4836 - me->arch.plt_offset = me->core_size;
4837 - me->core_size += me->arch.plt_size;
4838 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
4839 + me->arch.got_offset = me->core_size_rw;
4840 + me->core_size_rw += me->arch.got_size;
4841 + me->arch.plt_offset = me->core_size_rx;
4842 + me->core_size_rx += me->arch.plt_size;
4843 return 0;
4844 }
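Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT start from the executable region's size without the `ALIGN(..., 4)` that the GOT start still gets, whereas before the split the PLT simply followed the aligned GOT. apply_rela() fills the PLT slots through an `unsigned int *`, so unless `core_size_rx` is already aligned by the section layout code (not visible here), add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the assignment. module_frob_arch_sections() begins outside this hunk.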
4845
4846 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4847 if (info->got_initialized == 0) {
4848 Elf_Addr *gotent;
4849
4850 - gotent = me->module_core + me->arch.got_offset +
4851 + gotent = me->module_core_rw + me->arch.got_offset +
4852 info->got_offset;
4853 *gotent = val;
4854 info->got_initialized = 1;
4855 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4856 else if (r_type == R_390_GOTENT ||
4857 r_type == R_390_GOTPLTENT)
4858 *(unsigned int *) loc =
4859 - (val + (Elf_Addr) me->module_core - loc) >> 1;
4860 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
4861 else if (r_type == R_390_GOT64 ||
4862 r_type == R_390_GOTPLT64)
4863 *(unsigned long *) loc = val;
4864 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4865 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
4866 if (info->plt_initialized == 0) {
4867 unsigned int *ip;
4868 - ip = me->module_core + me->arch.plt_offset +
4869 + ip = me->module_core_rx + me->arch.plt_offset +
4870 info->plt_offset;
4871 #ifndef CONFIG_64BIT
4872 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
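Review bot: With the PLT now placed in `module_core_rx` and the GOT in `module_core_rw`, a GOT-to-PLT distance can no longer be derived from `me->arch.plt_offset` and `me->arch.got_offset` alone, and this hunk only changes where the stub is written. The value calculation for `R_390_PLTOFF16/32/64` lies below the hunk. If it still subtracts the two offsets, it should use `(Elf_Addr) me->module_core_rx + me->arch.plt_offset - ((Elf_Addr) me->module_core_rw + me->arch.got_offset)` plus the existing terms. The 16-bit `R_390_GOTOFF16` store in the `@@ -343` hunk raises a similar range question, since the two regions may be allocated far apart.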
4873 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4874 val - loc + 0xffffUL < 0x1ffffeUL) ||
4875 (r_type == R_390_PLT32DBL &&
4876 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
4877 - val = (Elf_Addr) me->module_core +
4878 + val = (Elf_Addr) me->module_core_rx +
4879 me->arch.plt_offset +
4880 info->plt_offset;
4881 val += rela->r_addend - loc;
4882 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4883 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
4884 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
4885 val = val + rela->r_addend -
4886 - ((Elf_Addr) me->module_core + me->arch.got_offset);
4887 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
4888 if (r_type == R_390_GOTOFF16)
4889 *(unsigned short *) loc = val;
4890 else if (r_type == R_390_GOTOFF32)
4891 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
4892 break;
4893 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
4894 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
4895 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
4896 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
4897 rela->r_addend - loc;
4898 if (r_type == R_390_GOTPC)
4899 *(unsigned int *) loc = val;
4900 diff -urNp linux-2.6.39.3/arch/s390/kernel/process.c linux-2.6.39.3/arch/s390/kernel/process.c
4901 --- linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
4902 +++ linux-2.6.39.3/arch/s390/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
4903 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
4904 }
4905 return 0;
4906 }
4907 -
4908 -unsigned long arch_align_stack(unsigned long sp)
4909 -{
4910 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
4911 - sp -= get_random_int() & ~PAGE_MASK;
4912 - return sp & ~0xf;
4913 -}
4914 -
4915 -static inline unsigned long brk_rnd(void)
4916 -{
4917 - /* 8MB for 32bit, 1GB for 64bit */
4918 - if (is_32bit_task())
4919 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
4920 - else
4921 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
4922 -}
4923 -
4924 -unsigned long arch_randomize_brk(struct mm_struct *mm)
4925 -{
4926 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
4927 -
4928 - if (ret < mm->brk)
4929 - return mm->brk;
4930 - return ret;
4931 -}
4932 -
4933 -unsigned long randomize_et_dyn(unsigned long base)
4934 -{
4935 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
4936 -
4937 - if (!(current->flags & PF_RANDOMIZE))
4938 - return base;
4939 - if (ret < base)
4940 - return base;
4941 - return ret;
4942 -}
4943 diff -urNp linux-2.6.39.3/arch/s390/kernel/setup.c linux-2.6.39.3/arch/s390/kernel/setup.c
4944 --- linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-19 00:06:34.000000000 -0400
4945 +++ linux-2.6.39.3/arch/s390/kernel/setup.c 2011-05-22 19:36:30.000000000 -0400
4946 @@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
4947 }
4948 early_param("mem", early_parse_mem);
4949
4950 -unsigned int user_mode = HOME_SPACE_MODE;
4951 +unsigned int user_mode = SECONDARY_SPACE_MODE;
4952 EXPORT_SYMBOL_GPL(user_mode);
4953
4954 static int set_amode_and_uaccess(unsigned long user_amode,
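Review bot: The new default `user_mode = SECONDARY_SPACE_MODE` is unconditional, tied neither to CONFIG_S390_EXEC_PROTECT nor to a PaX option, and the later hunks in this file delete the `switch_amode` and `noexec` parameters, leaving `user_mode=` as the visible override. A comment on the initializer, e.g. `/* secondary space by default so execute protection is always active; override with user_mode= */`, would make that intent explicit. The arch/s390/Kconfig help text kept by this patch still says "Enabling this (via kernel parameter)", which no longer matches that behaviour.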
4955 @@ -300,17 +300,6 @@ static int set_amode_and_uaccess(unsigne
4956 }
4957 }
4958
4959 -/*
4960 - * Switch kernel/user addressing modes?
4961 - */
4962 -static int __init early_parse_switch_amode(char *p)
4963 -{
4964 - if (user_mode != SECONDARY_SPACE_MODE)
4965 - user_mode = PRIMARY_SPACE_MODE;
4966 - return 0;
4967 -}
4968 -early_param("switch_amode", early_parse_switch_amode);
4969 -
4970 static int __init early_parse_user_mode(char *p)
4971 {
4972 if (p && strcmp(p, "primary") == 0)
4973 @@ -327,20 +316,6 @@ static int __init early_parse_user_mode(
4974 }
4975 early_param("user_mode", early_parse_user_mode);
4976
4977 -#ifdef CONFIG_S390_EXEC_PROTECT
4978 -/*
4979 - * Enable execute protection?
4980 - */
4981 -static int __init early_parse_noexec(char *p)
4982 -{
4983 - if (!strncmp(p, "off", 3))
4984 - return 0;
4985 - user_mode = SECONDARY_SPACE_MODE;
4986 - return 0;
4987 -}
4988 -early_param("noexec", early_parse_noexec);
4989 -#endif /* CONFIG_S390_EXEC_PROTECT */
4990 -
4991 static void setup_addressing_mode(void)
4992 {
4993 if (user_mode == SECONDARY_SPACE_MODE) {
4994 diff -urNp linux-2.6.39.3/arch/s390/mm/maccess.c linux-2.6.39.3/arch/s390/mm/maccess.c
4995 --- linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
4996 +++ linux-2.6.39.3/arch/s390/mm/maccess.c 2011-05-22 19:36:30.000000000 -0400
4997 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
4998 return rc ? rc : count;
4999 }
5000
5001 -long probe_kernel_write(void *dst, void *src, size_t size)
5002 +long probe_kernel_write(void *dst, const void *src, size_t size)
5003 {
5004 long copied = 0;
5005
5006 diff -urNp linux-2.6.39.3/arch/s390/mm/mmap.c linux-2.6.39.3/arch/s390/mm/mmap.c
5007 --- linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5008 +++ linux-2.6.39.3/arch/s390/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5009 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
5010 */
5011 if (mmap_is_legacy()) {
5012 mm->mmap_base = TASK_UNMAPPED_BASE;
5013 +
5014 +#ifdef CONFIG_PAX_RANDMMAP
5015 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5016 + mm->mmap_base += mm->delta_mmap;
5017 +#endif
5018 +
5019 mm->get_unmapped_area = arch_get_unmapped_area;
5020 mm->unmap_area = arch_unmap_area;
5021 } else {
5022 mm->mmap_base = mmap_base();
5023 +
5024 +#ifdef CONFIG_PAX_RANDMMAP
5025 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5026 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5027 +#endif
5028 +
5029 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5030 mm->unmap_area = arch_unmap_area_topdown;
5031 }
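Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` lowers the base with no check that the result stays above a sane floor or that the subtraction cannot wrap. The two deltas are sized elsewhere, so this may be safe by construction, but that is not evident here. A guard, or a comment stating the bound implied by the `PAX_DELTA_*_LEN` values in asm/elf.h, would help. The identical `#ifdef CONFIG_PAX_RANDMMAP` blocks recur in the `@@ -166` hunk, and arch_pick_mmap_layout() begins outside both hunks.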
5032 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
5033 */
5034 if (mmap_is_legacy()) {
5035 mm->mmap_base = TASK_UNMAPPED_BASE;
5036 +
5037 +#ifdef CONFIG_PAX_RANDMMAP
5038 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5039 + mm->mmap_base += mm->delta_mmap;
5040 +#endif
5041 +
5042 mm->get_unmapped_area = s390_get_unmapped_area;
5043 mm->unmap_area = arch_unmap_area;
5044 } else {
5045 mm->mmap_base = mmap_base();
5046 +
5047 +#ifdef CONFIG_PAX_RANDMMAP
5048 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5049 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5050 +#endif
5051 +
5052 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
5053 mm->unmap_area = arch_unmap_area_topdown;
5054 }
5055 diff -urNp linux-2.6.39.3/arch/score/include/asm/system.h linux-2.6.39.3/arch/score/include/asm/system.h
5056 --- linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
5057 +++ linux-2.6.39.3/arch/score/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
5058 @@ -17,7 +17,7 @@ do { \
5059 #define finish_arch_switch(prev) do {} while (0)
5060
5061 typedef void (*vi_handler_t)(void);
5062 -extern unsigned long arch_align_stack(unsigned long sp);
5063 +#define arch_align_stack(x) (x)
5064
5065 #define mb() barrier()
5066 #define rmb() barrier()
5067 diff -urNp linux-2.6.39.3/arch/score/kernel/process.c linux-2.6.39.3/arch/score/kernel/process.c
5068 --- linux-2.6.39.3/arch/score/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
5069 +++ linux-2.6.39.3/arch/score/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
5070 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
5071
5072 return task_pt_regs(task)->cp0_epc;
5073 }
5074 -
5075 -unsigned long arch_align_stack(unsigned long sp)
5076 -{
5077 - return sp;
5078 -}
5079 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c
5080 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-19 00:06:34.000000000 -0400
5081 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-dreamcast.c 2011-05-22 19:36:30.000000000 -0400
5082 @@ -76,7 +76,7 @@ static int gapspci_write(struct pci_bus
5083 return PCIBIOS_SUCCESSFUL;
5084 }
5085
5086 -struct pci_ops gapspci_pci_ops = {
5087 +const struct pci_ops gapspci_pci_ops = {
5088 .read = gapspci_read,
5089 .write = gapspci_write,
5090 };
5091 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c
5092 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-19 00:06:34.000000000 -0400
5093 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh4.c 2011-05-22 19:36:30.000000000 -0400
5094 @@ -96,7 +96,7 @@ static int sh4_pci_write(struct pci_bus
5095 return PCIBIOS_SUCCESSFUL;
5096 }
5097
5098 -struct pci_ops sh4_pci_ops = {
5099 +const struct pci_ops sh4_pci_ops = {
5100 .read = sh4_pci_read,
5101 .write = sh4_pci_write,
5102 };
5103 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c
5104 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-19 00:06:34.000000000 -0400
5105 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh5.c 2011-05-22 19:36:30.000000000 -0400
5106 @@ -62,7 +62,7 @@ static int sh5pci_write(struct pci_bus *
5107 return PCIBIOS_SUCCESSFUL;
5108 }
5109
5110 -struct pci_ops sh5_pci_ops = {
5111 +const struct pci_ops sh5_pci_ops = {
5112 .read = sh5pci_read,
5113 .write = sh5pci_write,
5114 };
5115 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c
5116 --- linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5117 +++ linux-2.6.39.3/arch/sh/drivers/pci/ops-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5118 @@ -165,7 +165,7 @@ out:
5119 return ret;
5120 }
5121
5122 -struct pci_ops sh7786_pci_ops = {
5123 +const struct pci_ops sh7786_pci_ops = {
5124 .read = sh7786_pcie_read,
5125 .write = sh7786_pcie_write,
5126 };
5127 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c
5128 --- linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-19 00:06:34.000000000 -0400
5129 +++ linux-2.6.39.3/arch/sh/drivers/pci/pcie-sh7786.c 2011-05-22 19:36:30.000000000 -0400
5130 @@ -109,7 +109,7 @@ static struct resource sh7786_pci2_resou
5131 },
5132 };
5133
5134 -extern struct pci_ops sh7786_pci_ops;
5135 +extern const struct pci_ops sh7786_pci_ops;
5136
5137 #define DEFINE_CONTROLLER(start, idx) \
5138 { \
5139 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h
5140 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-19 00:06:34.000000000 -0400
5141 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh4.h 2011-05-22 19:36:30.000000000 -0400
5142 @@ -161,7 +161,7 @@
5143 #define SH4_PCIPDR 0x220 /* Port IO Data Register */
5144
5145 /* arch/sh/kernel/drivers/pci/ops-sh4.c */
5146 -extern struct pci_ops sh4_pci_ops;
5147 +extern const struct pci_ops sh4_pci_ops;
5148 int pci_fixup_pcic(struct pci_channel *chan);
5149
5150 struct sh4_pci_address_space {
5151 diff -urNp linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h
5152 --- linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-19 00:06:34.000000000 -0400
5153 +++ linux-2.6.39.3/arch/sh/drivers/pci/pci-sh5.h 2011-05-22 19:36:30.000000000 -0400
5154 @@ -105,6 +105,6 @@ extern unsigned long pcicr_virt;
5155 #define PCISH5_MEM_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5156 #define PCISH5_IO_SIZCONV(x) (((x / 0x40000) - 1) << 18)
5157
5158 -extern struct pci_ops sh5_pci_ops;
5159 +extern const struct pci_ops sh5_pci_ops;
5160
5161 #endif /* __PCI_SH5_H */
5162 diff -urNp linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h
5163 --- linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5164 +++ linux-2.6.39.3/arch/sh/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5165 @@ -1,10 +1,10 @@
5166 #ifndef __ASM_SH_DMA_MAPPING_H
5167 #define __ASM_SH_DMA_MAPPING_H
5168
5169 -extern struct dma_map_ops *dma_ops;
5170 +extern const struct dma_map_ops *dma_ops;
5171 extern void no_iommu_init(void);
5172
5173 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5174 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5175 {
5176 return dma_ops;
5177 }
5178 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
5179
5180 static inline int dma_supported(struct device *dev, u64 mask)
5181 {
5182 - struct dma_map_ops *ops = get_dma_ops(dev);
5183 + const struct dma_map_ops *ops = get_dma_ops(dev);
5184
5185 if (ops->dma_supported)
5186 return ops->dma_supported(dev, mask);
5187 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
5188
5189 static inline int dma_set_mask(struct device *dev, u64 mask)
5190 {
5191 - struct dma_map_ops *ops = get_dma_ops(dev);
5192 + const struct dma_map_ops *ops = get_dma_ops(dev);
5193
5194 if (!dev->dma_mask || !dma_supported(dev, mask))
5195 return -EIO;
5196 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
5197
5198 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
5199 {
5200 - struct dma_map_ops *ops = get_dma_ops(dev);
5201 + const struct dma_map_ops *ops = get_dma_ops(dev);
5202
5203 if (ops->mapping_error)
5204 return ops->mapping_error(dev, dma_addr);
5205 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
5206 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5207 dma_addr_t *dma_handle, gfp_t gfp)
5208 {
5209 - struct dma_map_ops *ops = get_dma_ops(dev);
5210 + const struct dma_map_ops *ops = get_dma_ops(dev);
5211 void *memory;
5212
5213 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
5214 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
5215 static inline void dma_free_coherent(struct device *dev, size_t size,
5216 void *vaddr, dma_addr_t dma_handle)
5217 {
5218 - struct dma_map_ops *ops = get_dma_ops(dev);
5219 + const struct dma_map_ops *ops = get_dma_ops(dev);
5220
5221 if (dma_release_from_coherent(dev, get_order(size), vaddr))
5222 return;
5223 diff -urNp linux-2.6.39.3/arch/sh/kernel/dma-nommu.c linux-2.6.39.3/arch/sh/kernel/dma-nommu.c
5224 --- linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-19 00:06:34.000000000 -0400
5225 +++ linux-2.6.39.3/arch/sh/kernel/dma-nommu.c 2011-05-22 19:36:30.000000000 -0400
5226 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
5227 }
5228 #endif
5229
5230 -struct dma_map_ops nommu_dma_ops = {
5231 +const struct dma_map_ops nommu_dma_ops = {
5232 .alloc_coherent = dma_generic_alloc_coherent,
5233 .free_coherent = dma_generic_free_coherent,
5234 .map_page = nommu_map_page,
5235 diff -urNp linux-2.6.39.3/arch/sh/kernel/kgdb.c linux-2.6.39.3/arch/sh/kernel/kgdb.c
5236 --- linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
5237 +++ linux-2.6.39.3/arch/sh/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
5238 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
5239 unregister_die_notifier(&kgdb_notifier);
5240 }
5241
5242 -struct kgdb_arch arch_kgdb_ops = {
5243 +const struct kgdb_arch arch_kgdb_ops = {
5244 /* Breakpoint instruction: trapa #0x3c */
5245 #ifdef CONFIG_CPU_LITTLE_ENDIAN
5246 .gdb_bpt_instr = { 0x3c, 0xc3 },
5247 diff -urNp linux-2.6.39.3/arch/sh/mm/consistent.c linux-2.6.39.3/arch/sh/mm/consistent.c
5248 --- linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-19 00:06:34.000000000 -0400
5249 +++ linux-2.6.39.3/arch/sh/mm/consistent.c 2011-05-22 19:36:30.000000000 -0400
5250 @@ -22,7 +22,7 @@
5251
5252 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
5253
5254 -struct dma_map_ops *dma_ops;
5255 +const struct dma_map_ops *dma_ops;
5256 EXPORT_SYMBOL(dma_ops);
5257
5258 static int __init dma_init(void)
5259 diff -urNp linux-2.6.39.3/arch/sh/mm/mmap.c linux-2.6.39.3/arch/sh/mm/mmap.c
5260 --- linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
5261 +++ linux-2.6.39.3/arch/sh/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
5262 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
5263 addr = PAGE_ALIGN(addr);
5264
5265 vma = find_vma(mm, addr);
5266 - if (TASK_SIZE - len >= addr &&
5267 - (!vma || addr + len <= vma->vm_start))
5268 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5269 return addr;
5270 }
5271
5272 @@ -106,7 +105,7 @@ full_search:
5273 }
5274 return -ENOMEM;
5275 }
5276 - if (likely(!vma || addr + len <= vma->vm_start)) {
5277 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5278 /*
5279 * Remember the place where we stopped the search:
5280 */
5281 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
5282 addr = PAGE_ALIGN(addr);
5283
5284 vma = find_vma(mm, addr);
5285 - if (TASK_SIZE - len >= addr &&
5286 - (!vma || addr + len <= vma->vm_start))
5287 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
5288 return addr;
5289 }
5290
5291 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
5292 /* make sure it can fit in the remaining address space */
5293 if (likely(addr > len)) {
5294 vma = find_vma(mm, addr-len);
5295 - if (!vma || addr <= vma->vm_start) {
5296 + if (check_heap_stack_gap(vma, addr - len, len)) {
5297 /* remember the address as a hint for next time */
5298 return (mm->free_area_cache = addr-len);
5299 }
5300 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
5301 if (unlikely(mm->mmap_base < len))
5302 goto bottomup;
5303
5304 - addr = mm->mmap_base-len;
5305 - if (do_colour_align)
5306 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5307 + addr = mm->mmap_base - len;
5308
5309 do {
5310 + if (do_colour_align)
5311 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5312 /*
5313 * Lookup failure means no vma is above this address,
5314 * else if new region fits below vma->vm_start,
5315 * return with success:
5316 */
5317 vma = find_vma(mm, addr);
5318 - if (likely(!vma || addr+len <= vma->vm_start)) {
5319 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5320 /* remember the address as a hint for next time */
5321 return (mm->free_area_cache = addr);
5322 }
5323 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
5324 mm->cached_hole_size = vma->vm_start - addr;
5325
5326 /* try just below the current vma->vm_start */
5327 - addr = vma->vm_start-len;
5328 - if (do_colour_align)
5329 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
5330 - } while (likely(len < vma->vm_start));
5331 + addr = skip_heap_stack_gap(vma, len);
5332 + } while (!IS_ERR_VALUE(addr));
5333
5334 bottomup:
5335 /*
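Review bot: The top-down loop now terminates only when `skip_heap_stack_gap()` returns an error-encoded value (`while (!IS_ERR_VALUE(addr))`), replacing the explicit `len < vma->vm_start` test, and the helper is defined outside this file. A short comment at the call, e.g. `/* returns an error value once no room is left below vma, guard gap included */`, would document that contract, though the exact return value should be confirmed against the helper. `COLOUR_ALIGN_DOWN` also now runs at the top of each iteration, so the error check sees the unaligned address, as set up in the `@@ -188` hunk.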
5336 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h
5337 --- linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-19 00:06:34.000000000 -0400
5338 +++ linux-2.6.39.3/arch/sparc/include/asm/atomic_64.h 2011-05-22 19:36:30.000000000 -0400
5339 @@ -14,18 +14,40 @@
5340 #define ATOMIC64_INIT(i) { (i) }
5341
5342 #define atomic_read(v) (*(volatile int *)&(v)->counter)
5343 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5344 +{
5345 + return v->counter;
5346 +}
5347 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
5348 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
5349 +{
5350 + return v->counter;
5351 +}
5352
5353 #define atomic_set(v, i) (((v)->counter) = i)
5354 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5355 +{
5356 + v->counter = i;
5357 +}
5358 #define atomic64_set(v, i) (((v)->counter) = i)
5359 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
5360 +{
5361 + v->counter = i;
5362 +}
5363
5364 extern void atomic_add(int, atomic_t *);
5365 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
5366 extern void atomic64_add(long, atomic64_t *);
5367 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
5368 extern void atomic_sub(int, atomic_t *);
5369 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
5370 extern void atomic64_sub(long, atomic64_t *);
5371 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
5372
5373 extern int atomic_add_ret(int, atomic_t *);
5374 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
5375 extern long atomic64_add_ret(long, atomic64_t *);
5376 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
5377 extern int atomic_sub_ret(int, atomic_t *);
5378 extern long atomic64_sub_ret(long, atomic64_t *);
5379
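Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` directly, while the checked `atomic_read()` and `atomic64_read()` macros beside them read through a `volatile` cast. Unless the `counter` field of the unchecked types is itself declared volatile (not visible here), the compiler may merge or hoist these loads. Using `return *(volatile const int *)&v->counter;`, and the `long` equivalent, would keep the two families consistent.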
5380 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
5381 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
5382
5383 #define atomic_inc_return(v) atomic_add_ret(1, v)
5384 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
5385 +{
5386 + return atomic_add_ret_unchecked(1, v);
5387 +}
5388 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
5389 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
5390 +{
5391 + return atomic64_add_ret_unchecked(1, v);
5392 +}
5393
5394 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
5395 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
5396
5397 #define atomic_add_return(i, v) atomic_add_ret(i, v)
5398 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5399 +{
5400 + return atomic_add_ret_unchecked(i, v);
5401 +}
5402 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
5403
5404 /*
5405 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
5406 * other cases.
5407 */
5408 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
5409 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
5410 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
5411
5412 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
5413 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
5414 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
5415
5416 #define atomic_inc(v) atomic_add(1, v)
5417 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5418 +{
5419 + atomic_add_unchecked(1, v);
5420 +}
5421 #define atomic64_inc(v) atomic64_add(1, v)
5422 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
5423 +{
5424 + atomic64_add_unchecked(1, v);
5425 +}
5426
5427 #define atomic_dec(v) atomic_sub(1, v)
5428 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
5429 +{
5430 + atomic_sub_unchecked(1, v);
5431 +}
5432 #define atomic64_dec(v) atomic64_sub(1, v)
5433 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
5434 +{
5435 + atomic64_sub_unchecked(1, v);
5436 +}
5437
5438 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
5439 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
5440
5441 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5442 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
5443 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
5444 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
5445
5446 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5447 {
5448 - int c, old;
5449 + int c, old, new;
5450 c = atomic_read(v);
5451 for (;;) {
5452 - if (unlikely(c == (u)))
5453 + if (unlikely(c == u))
5454 break;
5455 - old = atomic_cmpxchg((v), c, c + (a));
5456 +
5457 + asm volatile("addcc %2, %0, %0\n"
5458 +
5459 +#ifdef CONFIG_PAX_REFCOUNT
5460 + "tvs %%icc, 6\n"
5461 +#endif
5462 +
5463 + : "=r" (new)
5464 + : "0" (c), "ir" (a)
5465 + : "cc");
5466 +
5467 + old = atomic_cmpxchg(v, c, new);
5468 if (likely(old == c))
5469 break;
5470 c = old;
5471 }
5472 - return c != (u);
5473 + return c != u;
5474 }
5475
5476 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
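Review bot: The `tvs %%icc, 6` added to atomic_add_unless's inline asm carries no comment, and the bare trap number 6 recurs in atomic64_add_unless in the next hunk (with `%%xcc`) and in the spinlock_64.h read-lock asm. A reader has to work out that `addcc` sets the overflow flag and that the conditional trap fires before `atomic_cmpxchg` can store the wrapped sum. I would put `/* trap on signed overflow so a wrapped counter is never stored */` above the asm and give the trap number one named define shared by all sites. With CONFIG_PAX_REFCOUNT off the asm still replaces the plain `c + a`, so wrapping the whole asm block in the `#ifdef` and keeping the C expression in the `#else` would leave the default build unchanged.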
5477 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
5478
5479 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
5480 {
5481 - long c, old;
5482 + long c, old, new;
5483 c = atomic64_read(v);
5484 for (;;) {
5485 - if (unlikely(c == (u)))
5486 + if (unlikely(c == u))
5487 break;
5488 - old = atomic64_cmpxchg((v), c, c + (a));
5489 +
5490 + asm volatile("addcc %2, %0, %0\n"
5491 +
5492 +#ifdef CONFIG_PAX_REFCOUNT
5493 + "tvs %%xcc, 6\n"
5494 +#endif
5495 +
5496 + : "=r" (new)
5497 + : "0" (c), "ir" (a)
5498 + : "cc");
5499 +
5500 + old = atomic64_cmpxchg(v, c, new);
5501 if (likely(old == c))
5502 break;
5503 c = old;
5504 }
5505 - return c != (u);
5506 + return c != u;
5507 }
5508
5509 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
5510 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/cache.h linux-2.6.39.3/arch/sparc/include/asm/cache.h
5511 --- linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
5512 +++ linux-2.6.39.3/arch/sparc/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
5513 @@ -10,7 +10,7 @@
5514 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
5515
5516 #define L1_CACHE_SHIFT 5
5517 -#define L1_CACHE_BYTES 32
5518 +#define L1_CACHE_BYTES 32UL
5519
5520 #ifdef CONFIG_SPARC32
5521 #define SMP_CACHE_BYTES_SHIFT 5
5522 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h
5523 --- linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
5524 +++ linux-2.6.39.3/arch/sparc/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
5525 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
5526 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
5527 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
5528
5529 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
5530 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
5531 extern struct bus_type pci_bus_type;
5532
5533 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
5534 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
5535 {
5536 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
5537 if (dev->bus == &pci_bus_type)
5538 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
5539 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
5540 dma_addr_t *dma_handle, gfp_t flag)
5541 {
5542 - struct dma_map_ops *ops = get_dma_ops(dev);
5543 + const struct dma_map_ops *ops = get_dma_ops(dev);
5544 void *cpu_addr;
5545
5546 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
5547 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
5548 static inline void dma_free_coherent(struct device *dev, size_t size,
5549 void *cpu_addr, dma_addr_t dma_handle)
5550 {
5551 - struct dma_map_ops *ops = get_dma_ops(dev);
5552 + const struct dma_map_ops *ops = get_dma_ops(dev);
5553
5554 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
5555 ops->free_coherent(dev, size, cpu_addr, dma_handle);
5556 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_32.h linux-2.6.39.3/arch/sparc/include/asm/elf_32.h
5557 --- linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-19 00:06:34.000000000 -0400
5558 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_32.h 2011-05-22 19:36:30.000000000 -0400
5559 @@ -114,6 +114,13 @@ typedef struct {
5560
5561 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
5562
5563 +#ifdef CONFIG_PAX_ASLR
5564 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5565 +
5566 +#define PAX_DELTA_MMAP_LEN 16
5567 +#define PAX_DELTA_STACK_LEN 16
5568 +#endif
5569 +
5570 /* This yields a mask that user programs can use to figure out what
5571 instruction set this cpu supports. This can NOT be done in userspace
5572 on Sparc. */
5573 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/elf_64.h linux-2.6.39.3/arch/sparc/include/asm/elf_64.h
5574 --- linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-19 00:06:34.000000000 -0400
5575 +++ linux-2.6.39.3/arch/sparc/include/asm/elf_64.h 2011-05-22 19:36:30.000000000 -0400
5576 @@ -162,6 +162,12 @@ typedef struct {
5577 #define ELF_ET_DYN_BASE 0x0000010000000000UL
5578 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
5579
5580 +#ifdef CONFIG_PAX_ASLR
5581 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
5582 +
5583 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
5584 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
5585 +#endif
5586
5587 /* This yields a mask that user programs can use to figure out what
5588 instruction set this cpu supports. */
5589 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h
5590 --- linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
5591 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
5592 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
5593 BTFIXUPDEF_INT(page_none)
5594 BTFIXUPDEF_INT(page_copy)
5595 BTFIXUPDEF_INT(page_readonly)
5596 +
5597 +#ifdef CONFIG_PAX_PAGEEXEC
5598 +BTFIXUPDEF_INT(page_shared_noexec)
5599 +BTFIXUPDEF_INT(page_copy_noexec)
5600 +BTFIXUPDEF_INT(page_readonly_noexec)
5601 +#endif
5602 +
5603 BTFIXUPDEF_INT(page_kernel)
5604
5605 #define PMD_SHIFT SUN4C_PMD_SHIFT
5606 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
5607 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
5608 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
5609
5610 +#ifdef CONFIG_PAX_PAGEEXEC
5611 +extern pgprot_t PAGE_SHARED_NOEXEC;
5612 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
5613 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
5614 +#else
5615 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
5616 +# define PAGE_COPY_NOEXEC PAGE_COPY
5617 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
5618 +#endif
5619 +
5620 extern unsigned long page_kernel;
5621
5622 #ifdef MODULE
5623 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h
5624 --- linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-19 00:06:34.000000000 -0400
5625 +++ linux-2.6.39.3/arch/sparc/include/asm/pgtsrmmu.h 2011-05-22 19:36:30.000000000 -0400
5626 @@ -115,6 +115,13 @@
5627 SRMMU_EXEC | SRMMU_REF)
5628 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
5629 SRMMU_EXEC | SRMMU_REF)
5630 +
5631 +#ifdef CONFIG_PAX_PAGEEXEC
5632 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
5633 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5634 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
5635 +#endif
5636 +
5637 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
5638 SRMMU_DIRTY | SRMMU_REF)
5639
5640 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h
5641 --- linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-19 00:06:34.000000000 -0400
5642 +++ linux-2.6.39.3/arch/sparc/include/asm/spinlock_64.h 2011-05-22 19:36:30.000000000 -0400
5643 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
5644
5645 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
5646
5647 -static void inline arch_read_lock(arch_rwlock_t *lock)
5648 +static inline void arch_read_lock(arch_rwlock_t *lock)
5649 {
5650 unsigned long tmp1, tmp2;
5651
5652 __asm__ __volatile__ (
5653 "1: ldsw [%2], %0\n"
5654 " brlz,pn %0, 2f\n"
5655 -"4: add %0, 1, %1\n"
5656 +"4: addcc %0, 1, %1\n"
5657 +
5658 +#ifdef CONFIG_PAX_REFCOUNT
5659 +" tvs %%icc, 6\n"
5660 +#endif
5661 +
5662 " cas [%2], %0, %1\n"
5663 " cmp %0, %1\n"
5664 " bne,pn %%icc, 1b\n"
5665 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
5666 " .previous"
5667 : "=&r" (tmp1), "=&r" (tmp2)
5668 : "r" (lock)
5669 - : "memory");
5670 + : "memory", "cc");
5671 }
5672
5673 -static int inline arch_read_trylock(arch_rwlock_t *lock)
5674 +static inline int arch_read_trylock(arch_rwlock_t *lock)
5675 {
5676 int tmp1, tmp2;
5677
5678 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
5679 "1: ldsw [%2], %0\n"
5680 " brlz,a,pn %0, 2f\n"
5681 " mov 0, %0\n"
5682 -" add %0, 1, %1\n"
5683 +" addcc %0, 1, %1\n"
5684 +
5685 +#ifdef CONFIG_PAX_REFCOUNT
5686 +" tvs %%icc, 6\n"
5687 +#endif
5688 +
5689 " cas [%2], %0, %1\n"
5690 " cmp %0, %1\n"
5691 " bne,pn %%icc, 1b\n"
5692 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
5693 return tmp1;
5694 }
5695
5696 -static void inline arch_read_unlock(arch_rwlock_t *lock)
5697 +static inline void arch_read_unlock(arch_rwlock_t *lock)
5698 {
5699 unsigned long tmp1, tmp2;
5700
5701 __asm__ __volatile__(
5702 "1: lduw [%2], %0\n"
5703 -" sub %0, 1, %1\n"
5704 +" subcc %0, 1, %1\n"
5705 +
5706 +#ifdef CONFIG_PAX_REFCOUNT
5707 +" tvs %%icc, 6\n"
5708 +#endif
5709 +
5710 " cas [%2], %0, %1\n"
5711 " cmp %0, %1\n"
5712 " bne,pn %%xcc, 1b\n"
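Review bot: arch_read_unlock switches to `subcc` here, but its clobber list is the unchanged context line `: "memory");` at the top of the following hunk, so "cc" is not declared, while arch_read_lock received `: "memory", "cc");` in this same file. arch_read_trylock's clobber list lies between hunks and is therefore untouched as well, although it now uses `addcc`. For consistency all three should end with `: "memory", "cc");`. The asm statements run past the hunk boundaries, so the full operand lists are not visible here.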
5713 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
5714 : "memory");
5715 }
5716
5717 -static void inline arch_write_lock(arch_rwlock_t *lock)
5718 +static inline void arch_write_lock(arch_rwlock_t *lock)
5719 {
5720 unsigned long mask, tmp1, tmp2;
5721
5722 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
5723 : "memory");
5724 }
5725
5726 -static void inline arch_write_unlock(arch_rwlock_t *lock)
5727 +static inline void arch_write_unlock(arch_rwlock_t *lock)
5728 {
5729 __asm__ __volatile__(
5730 " stw %%g0, [%0]"
5731 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
5732 : "memory");
5733 }
5734
5735 -static int inline arch_write_trylock(arch_rwlock_t *lock)
5736 +static inline int arch_write_trylock(arch_rwlock_t *lock)
5737 {
5738 unsigned long mask, tmp1, tmp2, result;
5739
5740 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h
5741 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-05-19 00:06:34.000000000 -0400
5742 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_32.h 2011-06-03 01:14:03.000000000 -0400
5743 @@ -50,6 +50,8 @@ struct thread_info {
5744 unsigned long w_saved;
5745
5746 struct restart_block restart_block;
5747 +
5748 + unsigned long lowest_stack;
5749 };
5750
5751 /*
5752 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h
5753 --- linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-05-19 00:06:34.000000000 -0400
5754 +++ linux-2.6.39.3/arch/sparc/include/asm/thread_info_64.h 2011-06-03 01:14:21.000000000 -0400
5755 @@ -63,6 +63,8 @@ struct thread_info {
5756 struct pt_regs *kern_una_regs;
5757 unsigned int kern_una_insn;
5758
5759 + unsigned long lowest_stack;
5760 +
5761 unsigned long fpregs[0] __attribute__ ((aligned(64)));
5762 };
5763
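Review bot: `lowest_stack` is added without a comment and outside any config guard, both here and in thread_info_32.h, so every build carries the field whether or not the feature that maintains it is enabled. Nothing in these hunks says what it records; a one-line comment naming the feature that writes it would help, since the consumer is not visible in this part. In the 64-bit struct it sits directly before the 64-byte-aligned `fpregs`, so any hand-maintained assembly offsets for thread_info (not visible here) should be rechecked after the insertion.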
5764 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h
5765 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
5766 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
5767 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
5768
5769 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
5770 {
5771 - if (n && __access_ok((unsigned long) to, n))
5772 + if ((long)n < 0)
5773 + return n;
5774 +
5775 + if (n && __access_ok((unsigned long) to, n)) {
5776 + if (!__builtin_constant_p(n))
5777 + check_object_size(from, n, true);
5778 return __copy_user(to, (__force void __user *) from, n);
5779 - else
5780 + } else
5781 return n;
5782 }
5783
5784 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
5785 {
5786 + if ((long)n < 0)
5787 + return n;
5788 +
5789 + if (!__builtin_constant_p(n))
5790 + check_object_size(from, n, true);
5791 +
5792 return __copy_user(to, (__force void __user *) from, n);
5793 }
5794
5795 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
5796 {
5797 - if (n && __access_ok((unsigned long) from, n))
5798 + if ((long)n < 0)
5799 + return n;
5800 +
5801 + if (n && __access_ok((unsigned long) from, n)) {
5802 + if (!__builtin_constant_p(n))
5803 + check_object_size(to, n, false);
5804 return __copy_user((__force void __user *) to, from, n);
5805 - else
5806 + } else
5807 return n;
5808 }
5809
5810 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
5811 {
5812 + if ((long)n < 0)
5813 + return n;
5814 +
5815 return __copy_user((__force void __user *) to, from, n);
5816 }
5817
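Review bot: `__copy_from_user` gets the `(long)n < 0` guard but not the `check_object_size()` call that the other three helpers in this hunk receive, so the unchecked-access variant of the kernel-bound copy skips the destination object check. If that is deliberate it needs a comment; otherwise add `if (!__builtin_constant_p(n))` followed by `check_object_size(to, n, false);` before the `__copy_user` call, mirroring `copy_from_user`. Separately, the new `} else` arms leave one branch braced and the other not; bracing both reads more safely.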
5818 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h
5819 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
5820 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
5821 @@ -10,6 +10,7 @@
5822 #include <linux/compiler.h>
5823 #include <linux/string.h>
5824 #include <linux/thread_info.h>
5825 +#include <linux/kernel.h>
5826 #include <asm/asi.h>
5827 #include <asm/system.h>
5828 #include <asm/spitfire.h>
5829 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
5830 static inline unsigned long __must_check
5831 copy_from_user(void *to, const void __user *from, unsigned long size)
5832 {
5833 - unsigned long ret = ___copy_from_user(to, from, size);
5834 + unsigned long ret;
5835
5836 + if ((long)size < 0 || size > INT_MAX)
5837 + return size;
5838 +
5839 + if (!__builtin_constant_p(size))
5840 + check_object_size(to, size, false);
5841 +
5842 + ret = ___copy_from_user(to, from, size);
5843 if (unlikely(ret))
5844 ret = copy_from_user_fixup(to, from, size);
5845
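Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first clause is redundant in this 64-bit-only header, because any `unsigned long` with the top bit set is already greater than `INT_MAX`; `if (size > INT_MAX)` says the same thing. The cap itself is undocumented, and a short comment such as `/* refuse lengths no legitimate caller should request */` would explain why the function returns `size` (nothing copied) instead of attempting the copy. The same pair of lines appears in copy_to_user in the next hunk. copy_from_user's body continues past the end of this hunk.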
5846 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
5847 static inline unsigned long __must_check
5848 copy_to_user(void __user *to, const void *from, unsigned long size)
5849 {
5850 - unsigned long ret = ___copy_to_user(to, from, size);
5851 + unsigned long ret;
5852 +
5853 + if ((long)size < 0 || size > INT_MAX)
5854 + return size;
5855 +
5856 + if (!__builtin_constant_p(size))
5857 + check_object_size(from, size, true);
5858
5859 + ret = ___copy_to_user(to, from, size);
5860 if (unlikely(ret))
5861 ret = copy_to_user_fixup(to, from, size);
5862 return ret;
5863 diff -urNp linux-2.6.39.3/arch/sparc/include/asm/uaccess.h linux-2.6.39.3/arch/sparc/include/asm/uaccess.h
5864 --- linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-19 00:06:34.000000000 -0400
5865 +++ linux-2.6.39.3/arch/sparc/include/asm/uaccess.h 2011-05-22 19:36:30.000000000 -0400
5866 @@ -1,5 +1,13 @@
5867 #ifndef ___ASM_SPARC_UACCESS_H
5868 #define ___ASM_SPARC_UACCESS_H
5869 +
5870 +#ifdef __KERNEL__
5871 +#ifndef __ASSEMBLY__
5872 +#include <linux/types.h>
5873 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
5874 +#endif
5875 +#endif
5876 +
5877 #if defined(__sparc__) && defined(__arch64__)
5878 #include <asm/uaccess_64.h>
5879 #else
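Review bot: The `check_object_size()` prototype gives no hint what the `bool to` argument means, and the call sites pass bare `true`/`false`. From the uaccess_32.h and uaccess_64.h hunks it is `true` in the copy_to_user paths (the pointer is the kernel source) and `false` in the copy_from_user paths (the pointer is the kernel destination). A comment on the declaration, e.g. `/* ptr: kernel buffer, n: length, to: true when copying to userspace */`, would make those calls readable without cross-referencing.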
5880 diff -urNp linux-2.6.39.3/arch/sparc/kernel/iommu.c linux-2.6.39.3/arch/sparc/kernel/iommu.c
5881 --- linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-19 00:06:34.000000000 -0400
5882 +++ linux-2.6.39.3/arch/sparc/kernel/iommu.c 2011-05-22 19:36:30.000000000 -0400
5883 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
5884 spin_unlock_irqrestore(&iommu->lock, flags);
5885 }
5886
5887 -static struct dma_map_ops sun4u_dma_ops = {
5888 +static const struct dma_map_ops sun4u_dma_ops = {
5889 .alloc_coherent = dma_4u_alloc_coherent,
5890 .free_coherent = dma_4u_free_coherent,
5891 .map_page = dma_4u_map_page,
5892 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
5893 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
5894 };
5895
5896 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5897 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
5898 EXPORT_SYMBOL(dma_ops);
5899
5900 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
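Review bot: Making `sun4u_dma_ops` const protects the function-pointer table, but `const struct dma_map_ops *dma_ops` is still a writable pointer to it, so the indirection through `get_dma_ops()` remains exposed to anything able to write kernel data. If the pointer is only assigned during boot, which cannot be confirmed from this hunk, it could be declared `const struct dma_map_ops *const dma_ops` or placed in a section that is made read-only after init. The `extern` in asm/dma-mapping.h would need the same qualifier.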
5901 diff -urNp linux-2.6.39.3/arch/sparc/kernel/ioport.c linux-2.6.39.3/arch/sparc/kernel/ioport.c
5902 --- linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
5903 +++ linux-2.6.39.3/arch/sparc/kernel/ioport.c 2011-05-22 19:36:30.000000000 -0400
5904 @@ -402,7 +402,7 @@ static void sbus_sync_sg_for_device(stru
5905 BUG();
5906 }
5907
5908 -struct dma_map_ops sbus_dma_ops = {
5909 +const struct dma_map_ops sbus_dma_ops = {
5910 .alloc_coherent = sbus_alloc_coherent,
5911 .free_coherent = sbus_free_coherent,
5912 .map_page = sbus_map_page,
5913 @@ -653,7 +653,7 @@ static void pci32_sync_sg_for_device(str
5914 }
5915 }
5916
5917 -struct dma_map_ops pci32_dma_ops = {
5918 +const struct dma_map_ops pci32_dma_ops = {
5919 .alloc_coherent = pci32_alloc_coherent,
5920 .free_coherent = pci32_free_coherent,
5921 .map_page = pci32_map_page,
5922 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c
5923 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-19 00:06:34.000000000 -0400
5924 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_32.c 2011-05-22 19:36:30.000000000 -0400
5925 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5926 regs->npc = regs->pc + 4;
5927 }
5928
5929 -struct kgdb_arch arch_kgdb_ops = {
5930 +const struct kgdb_arch arch_kgdb_ops = {
5931 /* Breakpoint instruction: ta 0x7d */
5932 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
5933 };
5934 diff -urNp linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c
5935 --- linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-19 00:06:34.000000000 -0400
5936 +++ linux-2.6.39.3/arch/sparc/kernel/kgdb_64.c 2011-05-22 19:36:30.000000000 -0400
5937 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
5938 regs->tnpc = regs->tpc + 4;
5939 }
5940
5941 -struct kgdb_arch arch_kgdb_ops = {
5942 +const struct kgdb_arch arch_kgdb_ops = {
5943 /* Breakpoint instruction: ta 0x72 */
5944 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
5945 };
5946 diff -urNp linux-2.6.39.3/arch/sparc/kernel/Makefile linux-2.6.39.3/arch/sparc/kernel/Makefile
5947 --- linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-19 00:06:34.000000000 -0400
5948 +++ linux-2.6.39.3/arch/sparc/kernel/Makefile 2011-05-22 19:36:30.000000000 -0400
5949 @@ -3,7 +3,7 @@
5950 #
5951
5952 asflags-y := -ansi
5953 -ccflags-y := -Werror
5954 +#ccflags-y := -Werror
5955
5956 extra-y := head_$(BITS).o
5957 extra-y += init_task.o
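Review bot: Commenting out `ccflags-y := -Werror` turns every warning in arch/sparc/kernel back into a non-fatal message, which also hides qualifier mismatches that the const changes elsewhere in this patch could introduce. If particular warnings are the obstacle, it would be better to fix them or relax the flag per object than to drop it for the whole directory. At minimum replace the dead line with a comment saying why it is disabled, e.g. `# -Werror disabled: <reason>`.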
5958 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pcic.c linux-2.6.39.3/arch/sparc/kernel/pcic.c
5959 --- linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-19 00:06:34.000000000 -0400
5960 +++ linux-2.6.39.3/arch/sparc/kernel/pcic.c 2011-05-22 19:36:30.000000000 -0400
5961 @@ -268,7 +268,7 @@ static int pcic_write_config(struct pci_
5962 return -EINVAL;
5963 }
5964
5965 -static struct pci_ops pcic_ops = {
5966 +static const struct pci_ops pcic_ops = {
5967 .read = pcic_read_config,
5968 .write = pcic_write_config,
5969 };
5970 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_common.c linux-2.6.39.3/arch/sparc/kernel/pci_common.c
5971 --- linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-19 00:06:34.000000000 -0400
5972 +++ linux-2.6.39.3/arch/sparc/kernel/pci_common.c 2011-05-22 19:36:30.000000000 -0400
5973 @@ -249,7 +249,7 @@ static int sun4u_write_pci_cfg(struct pc
5974 return PCIBIOS_SUCCESSFUL;
5975 }
5976
5977 -struct pci_ops sun4u_pci_ops = {
5978 +const struct pci_ops sun4u_pci_ops = {
5979 .read = sun4u_read_pci_cfg,
5980 .write = sun4u_write_pci_cfg,
5981 };
5982 @@ -310,7 +310,7 @@ static int sun4v_write_pci_cfg(struct pc
5983 return PCIBIOS_SUCCESSFUL;
5984 }
5985
5986 -struct pci_ops sun4v_pci_ops = {
5987 +const struct pci_ops sun4v_pci_ops = {
5988 .read = sun4v_read_pci_cfg,
5989 .write = sun4v_write_pci_cfg,
5990 };
5991 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_impl.h linux-2.6.39.3/arch/sparc/kernel/pci_impl.h
5992 --- linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-19 00:06:34.000000000 -0400
5993 +++ linux-2.6.39.3/arch/sparc/kernel/pci_impl.h 2011-05-22 19:36:30.000000000 -0400
5994 @@ -175,8 +175,8 @@ extern void pci_config_write8(u8 *addr,
5995 extern void pci_config_write16(u16 *addr, u16 val);
5996 extern void pci_config_write32(u32 *addr, u32 val);
5997
5998 -extern struct pci_ops sun4u_pci_ops;
5999 -extern struct pci_ops sun4v_pci_ops;
6000 +extern const struct pci_ops sun4u_pci_ops;
6001 +extern const struct pci_ops sun4v_pci_ops;
6002
6003 extern volatile int pci_poke_in_progress;
6004 extern volatile int pci_poke_cpu;
6005 diff -urNp linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c
6006 --- linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-19 00:06:34.000000000 -0400
6007 +++ linux-2.6.39.3/arch/sparc/kernel/pci_sun4v.c 2011-05-22 19:36:30.000000000 -0400
6008 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
6009 spin_unlock_irqrestore(&iommu->lock, flags);
6010 }
6011
6012 -static struct dma_map_ops sun4v_dma_ops = {
6013 +static const struct dma_map_ops sun4v_dma_ops = {
6014 .alloc_coherent = dma_4v_alloc_coherent,
6015 .free_coherent = dma_4v_free_coherent,
6016 .map_page = dma_4v_map_page,
6017 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_32.c linux-2.6.39.3/arch/sparc/kernel/process_32.c
6018 --- linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-19 00:06:34.000000000 -0400
6019 +++ linux-2.6.39.3/arch/sparc/kernel/process_32.c 2011-05-22 19:41:32.000000000 -0400
6020 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
6021 rw->ins[4], rw->ins[5],
6022 rw->ins[6],
6023 rw->ins[7]);
6024 - printk("%pS\n", (void *) rw->ins[7]);
6025 + printk("%pA\n", (void *) rw->ins[7]);
6026 rw = (struct reg_window32 *) rw->ins[6];
6027 }
6028 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
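Review bot: `%pA` is not one of the pointer extensions a reader will find documented for mainline `printk`, and its definition is not in this part of the patch, so the difference from `%pS` cannot be judged here. A one-line comment at the first use, or a sentence in the patch description, stating what `%pA` prints would help; the same substitution is made in the other hunks of process_32.c and throughout process_64.c. Note also that neighbouring lines still print the raw values with `%08lx` (for example `printk("[%08lx : ", pc);` in show_stack), so if the new specifier is meant to control what is disclosed in logs, the numeric addresses are unaffected.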
6029 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
6030
6031 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
6032 r->psr, r->pc, r->npc, r->y, print_tainted());
6033 - printk("PC: <%pS>\n", (void *) r->pc);
6034 + printk("PC: <%pA>\n", (void *) r->pc);
6035 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6036 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
6037 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
6038 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6039 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
6040 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
6041 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
6042 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
6043
6044 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
6045 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
6046 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
6047 rw = (struct reg_window32 *) fp;
6048 pc = rw->ins[7];
6049 printk("[%08lx : ", pc);
6050 - printk("%pS ] ", (void *) pc);
6051 + printk("%pA ] ", (void *) pc);
6052 fp = rw->ins[6];
6053 } while (++count < 16);
6054 printk("\n");
6055 diff -urNp linux-2.6.39.3/arch/sparc/kernel/process_64.c linux-2.6.39.3/arch/sparc/kernel/process_64.c
6056 --- linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-19 00:06:34.000000000 -0400
6057 +++ linux-2.6.39.3/arch/sparc/kernel/process_64.c 2011-05-22 19:41:32.000000000 -0400
6058 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
6059 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
6060 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
6061 if (regs->tstate & TSTATE_PRIV)
6062 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
6063 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
6064 }
6065
6066 void show_regs(struct pt_regs *regs)
6067 {
6068 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
6069 regs->tpc, regs->tnpc, regs->y, print_tainted());
6070 - printk("TPC: <%pS>\n", (void *) regs->tpc);
6071 + printk("TPC: <%pA>\n", (void *) regs->tpc);
6072 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
6073 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
6074 regs->u_regs[3]);
6075 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
6076 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
6077 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
6078 regs->u_regs[15]);
6079 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
6080 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
6081 show_regwindow(regs);
6082 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
6083 }
6084 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
6085 ((tp && tp->task) ? tp->task->pid : -1));
6086
6087 if (gp->tstate & TSTATE_PRIV) {
6088 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
6089 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
6090 (void *) gp->tpc,
6091 (void *) gp->o7,
6092 (void *) gp->i7,
6093 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c
6094 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-19 00:06:34.000000000 -0400
6095 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_32.c 2011-05-22 19:36:30.000000000 -0400
6096 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
6097 if (ARCH_SUN4C && len > 0x20000000)
6098 return -ENOMEM;
6099 if (!addr)
6100 - addr = TASK_UNMAPPED_BASE;
6101 + addr = current->mm->mmap_base;
6102
6103 if (flags & MAP_SHARED)
6104 addr = COLOUR_ALIGN(addr);
6105 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
6106 }
6107 if (TASK_SIZE - PAGE_SIZE - len < addr)
6108 return -ENOMEM;
6109 - if (!vmm || addr + len <= vmm->vm_start)
6110 + if (check_heap_stack_gap(vmm, addr, len))
6111 return addr;
6112 addr = vmm->vm_end;
6113 if (flags & MAP_SHARED)
6114 diff -urNp linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c
6115 --- linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-19 00:06:34.000000000 -0400
6116 +++ linux-2.6.39.3/arch/sparc/kernel/sys_sparc_64.c 2011-05-22 19:36:30.000000000 -0400
6117 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
6118 /* We do not accept a shared mapping if it would violate
6119 * cache aliasing constraints.
6120 */
6121 - if ((flags & MAP_SHARED) &&
6122 + if ((filp || (flags & MAP_SHARED)) &&
6123 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6124 return -EINVAL;
6125 return addr;
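Review bot: Widening the MAP_FIXED test to `(filp || (flags & MAP_SHARED))` makes private file mappings at a fixed address fail with -EINVAL when the address and `pgoff` disagree modulo SHMLBA, which the old code allowed, and the comment above it still speaks only of "a shared mapping". That matches the `do_color_align` condition further down, but it is a user-visible behaviour change; the comment should be updated, e.g. `/* We do not accept a file or shared mapping that would violate cache aliasing constraints. */`, and it is worth confirming that loaders mapping segments with MAP_FIXED are not affected. The identical change is made in arch_get_unmapped_area_topdown. The enclosing function starts and ends outside this hunk.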
6126 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
6127 if (filp || (flags & MAP_SHARED))
6128 do_color_align = 1;
6129
6130 +#ifdef CONFIG_PAX_RANDMMAP
6131 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
6132 +#endif
6133 +
6134 if (addr) {
6135 if (do_color_align)
6136 addr = COLOUR_ALIGN(addr, pgoff);
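Review bot: The new `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and governs the following `if (addr) {` block across an `#endif` and a blank line, so a statement inserted between them would silently become the guarded body. A braced form, or a local flag computed under the `#ifdef` and tested together with `addr`, is harder to break; a comment such as `/* with RANDMMAP the caller's address hint is ignored */` would state the intent. Judging by the unchanged line offsets of the later hunks, arch_get_unmapped_area_topdown gets no equivalent guard, so the hint still appears to be honoured on that path; that should be confirmed as intended.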
6137 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
6138 addr = PAGE_ALIGN(addr);
6139
6140 vma = find_vma(mm, addr);
6141 - if (task_size - len >= addr &&
6142 - (!vma || addr + len <= vma->vm_start))
6143 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6144 return addr;
6145 }
6146
6147 if (len > mm->cached_hole_size) {
6148 - start_addr = addr = mm->free_area_cache;
6149 + start_addr = addr = mm->free_area_cache;
6150 } else {
6151 - start_addr = addr = TASK_UNMAPPED_BASE;
6152 + start_addr = addr = mm->mmap_base;
6153 mm->cached_hole_size = 0;
6154 }
6155
6156 @@ -174,14 +177,14 @@ full_search:
6157 vma = find_vma(mm, VA_EXCLUDE_END);
6158 }
6159 if (unlikely(task_size < addr)) {
6160 - if (start_addr != TASK_UNMAPPED_BASE) {
6161 - start_addr = addr = TASK_UNMAPPED_BASE;
6162 + if (start_addr != mm->mmap_base) {
6163 + start_addr = addr = mm->mmap_base;
6164 mm->cached_hole_size = 0;
6165 goto full_search;
6166 }
6167 return -ENOMEM;
6168 }
6169 - if (likely(!vma || addr + len <= vma->vm_start)) {
6170 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6171 /*
6172 * Remember the place where we stopped the search:
6173 */
6174 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
6175 /* We do not accept a shared mapping if it would violate
6176 * cache aliasing constraints.
6177 */
6178 - if ((flags & MAP_SHARED) &&
6179 + if ((filp || (flags & MAP_SHARED)) &&
6180 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
6181 return -EINVAL;
6182 return addr;
6183 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
6184 addr = PAGE_ALIGN(addr);
6185
6186 vma = find_vma(mm, addr);
6187 - if (task_size - len >= addr &&
6188 - (!vma || addr + len <= vma->vm_start))
6189 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6190 return addr;
6191 }
6192
6193 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
6194 /* make sure it can fit in the remaining address space */
6195 if (likely(addr > len)) {
6196 vma = find_vma(mm, addr-len);
6197 - if (!vma || addr <= vma->vm_start) {
6198 + if (check_heap_stack_gap(vma, addr - len, len)) {
6199 /* remember the address as a hint for next time */
6200 return (mm->free_area_cache = addr-len);
6201 }
6202 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
6203 if (unlikely(mm->mmap_base < len))
6204 goto bottomup;
6205
6206 - addr = mm->mmap_base-len;
6207 - if (do_color_align)
6208 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6209 + addr = mm->mmap_base - len;
6210
6211 do {
6212 + if (do_color_align)
6213 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6214 /*
6215 * Lookup failure means no vma is above this address,
6216 * else if new region fits below vma->vm_start,
6217 * return with success:
6218 */
6219 vma = find_vma(mm, addr);
6220 - if (likely(!vma || addr+len <= vma->vm_start)) {
6221 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6222 /* remember the address as a hint for next time */
6223 return (mm->free_area_cache = addr);
6224 }
6225 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
6226 mm->cached_hole_size = vma->vm_start - addr;
6227
6228 /* try just below the current vma->vm_start */
6229 - addr = vma->vm_start-len;
6230 - if (do_color_align)
6231 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
6232 - } while (likely(len < vma->vm_start));
6233 + addr = skip_heap_stack_gap(vma, len);
6234 + } while (!IS_ERR_VALUE(addr));
6235
6236 bottomup:
6237 /*
6238 @@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
6239 gap == RLIM_INFINITY ||
6240 sysctl_legacy_va_layout) {
6241 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
6242 +
6243 +#ifdef CONFIG_PAX_RANDMMAP
6244 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6245 + mm->mmap_base += mm->delta_mmap;
6246 +#endif
6247 +
6248 mm->get_unmapped_area = arch_get_unmapped_area;
6249 mm->unmap_area = arch_unmap_area;
6250 } else {
6251 @@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
6252 gap = (task_size / 6 * 5);
6253
6254 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
6255 +
6256 +#ifdef CONFIG_PAX_RANDMMAP
6257 + if (mm->pax_flags & MF_PAX_RANDMMAP)
6258 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
6259 +#endif
6260 +
6261 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
6262 mm->unmap_area = arch_unmap_area_topdown;
6263 }
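Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied after the `PAGE_ALIGN(task_size - gap - random_factor)` computation with no lower bound, so the result is only sane if the two deltas are page-aligned and small compared with what the gap clamp leaves. Their ranges are set elsewhere in the patch and are not visible here, so this may well hold. A comment stating the assumption would help, for example `/* delta_mmap and delta_stack are page multiples bounded by PAX_DELTA_*_LEN, so the base stays aligned and cannot wrap */`, once that is confirmed. The body of arch_pick_mmap_layout starts outside this hunk.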
6264 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_32.c linux-2.6.39.3/arch/sparc/kernel/traps_32.c
6265 --- linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-05-19 00:06:34.000000000 -0400
6266 +++ linux-2.6.39.3/arch/sparc/kernel/traps_32.c 2011-06-13 21:29:23.000000000 -0400
6267 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
6268 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
6269 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
6270
6271 +extern void gr_handle_kernel_exploit(void);
6272 +
6273 void die_if_kernel(char *str, struct pt_regs *regs)
6274 {
6275 static int die_counter;
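Review bot: `extern void gr_handle_kernel_exploit(void);` is declared by hand at file scope here, and the same line is added again in traps_64.c. A local extern is never checked against the definition, so a later signature change would compile silently on both call sites. I would move the prototype to a header that the defining file and both traps files include, and drop the two extern lines.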
6276 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
6277 count++ < 30 &&
6278 (((unsigned long) rw) >= PAGE_OFFSET) &&
6279 !(((unsigned long) rw) & 0x7)) {
6280 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
6281 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
6282 (void *) rw->ins[7]);
6283 rw = (struct reg_window32 *)rw->ins[6];
6284 }
6285 }
6286 printk("Instruction DUMP:");
6287 instruction_dump ((unsigned long *) regs->pc);
6288 - if(regs->psr & PSR_PS)
6289 + if(regs->psr & PSR_PS) {
6290 + gr_handle_kernel_exploit();
6291 do_exit(SIGKILL);
6292 + }
6293 do_exit(SIGSEGV);
6294 }
6295
6296 diff -urNp linux-2.6.39.3/arch/sparc/kernel/traps_64.c linux-2.6.39.3/arch/sparc/kernel/traps_64.c
6297 --- linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-05-19 00:06:34.000000000 -0400
6298 +++ linux-2.6.39.3/arch/sparc/kernel/traps_64.c 2011-06-13 21:28:54.000000000 -0400
6299 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
6300 i + 1,
6301 p->trapstack[i].tstate, p->trapstack[i].tpc,
6302 p->trapstack[i].tnpc, p->trapstack[i].tt);
6303 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
6304 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
6305 }
6306 }
6307
6308 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
6309
6310 lvl -= 0x100;
6311 if (regs->tstate & TSTATE_PRIV) {
6312 +
6313 +#ifdef CONFIG_PAX_REFCOUNT
6314 + if (lvl == 6)
6315 + pax_report_refcount_overflow(regs);
6316 +#endif
6317 +
6318 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
6319 die_if_kernel(buffer, regs);
6320 }
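Review bot: The bare `6` in `if (lvl == 6)` has to match the trap number in the `tvs %icc, 6` / `tvs %xcc, 6` instructions this patch adds to atomic_64.S, yet nothing ties the two together. A single named constant usable from both C and assembly, with a one-line comment such as `/* software trap raised by the PAX_REFCOUNT overflow checks */`, would keep them in step. The same literal is used in bad_trap_tl1 in the next hunk. bad_trap's body starts and ends outside this hunk.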
6321 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
6322 void bad_trap_tl1(struct pt_regs *regs, long lvl)
6323 {
6324 char buffer[32];
6325 -
6326 +
6327 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
6328 0, lvl, SIGTRAP) == NOTIFY_STOP)
6329 return;
6330
6331 +#ifdef CONFIG_PAX_REFCOUNT
6332 + if (lvl == 6)
6333 + pax_report_refcount_overflow(regs);
6334 +#endif
6335 +
6336 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
6337
6338 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
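Review bot: In bad_trap the new check runs after `lvl -= 0x100;`, so it compares a software trap number, but the visible start of bad_trap_tl1 never adjusts `lvl` before `if (lvl == 6)`. If the trap table passes the raw trap type to this handler (the caller is not visible here), the overflow trap would arrive as 0x106 and the report would never fire at TL>0, while an unrelated trap type 6 would be reported as a refcount overflow. Please confirm which value arrives and, if it is the raw type, compare against `0x100 + 6`. Separately, the `-`/`+` pair after `char buffer[32];` only swaps a blank line for one with trailing whitespace and should be dropped.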
6339 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
6340 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
6341 printk("%s" "ERROR(%d): ",
6342 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
6343 - printk("TPC<%pS>\n", (void *) regs->tpc);
6344 + printk("TPC<%pA>\n", (void *) regs->tpc);
6345 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
6346 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
6347 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
6348 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
6349 smp_processor_id(),
6350 (type & 0x1) ? 'I' : 'D',
6351 regs->tpc);
6352 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
6353 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
6354 panic("Irrecoverable Cheetah+ parity error.");
6355 }
6356
6357 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
6358 smp_processor_id(),
6359 (type & 0x1) ? 'I' : 'D',
6360 regs->tpc);
6361 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
6362 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
6363 }
6364
6365 struct sun4v_error_entry {
6366 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
6367
6368 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
6369 regs->tpc, tl);
6370 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
6371 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
6372 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6373 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
6374 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
6375 (void *) regs->u_regs[UREG_I7]);
6376 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
6377 "pte[%lx] error[%lx]\n",
6378 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
6379
6380 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
6381 regs->tpc, tl);
6382 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
6383 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
6384 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
6385 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
6386 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
6387 (void *) regs->u_regs[UREG_I7]);
6388 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
6389 "pte[%lx] error[%lx]\n",
6390 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
6391 fp = (unsigned long)sf->fp + STACK_BIAS;
6392 }
6393
6394 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6395 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6396 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6397 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
6398 int index = tsk->curr_ret_stack;
6399 if (tsk->ret_stack && index >= graph) {
6400 pc = tsk->ret_stack[index - graph].ret;
6401 - printk(" [%016lx] %pS\n", pc, (void *) pc);
6402 + printk(" [%016lx] %pA\n", pc, (void *) pc);
6403 graph++;
6404 }
6405 }
6406 @@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
6407 return (struct reg_window *) (fp + STACK_BIAS);
6408 }
6409
6410 +extern void gr_handle_kernel_exploit(void);
6411 +
6412 void die_if_kernel(char *str, struct pt_regs *regs)
6413 {
6414 static int die_counter;
6415 @@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
6416 while (rw &&
6417 count++ < 30 &&
6418 kstack_valid(tp, (unsigned long) rw)) {
6419 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
6420 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
6421 (void *) rw->ins[7]);
6422
6423 rw = kernel_stack_up(rw);
6424 @@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
6425 }
6426 user_instruction_dump ((unsigned int __user *) regs->tpc);
6427 }
6428 - if (regs->tstate & TSTATE_PRIV)
6429 + if (regs->tstate & TSTATE_PRIV) {
6430 + gr_handle_kernel_exploit();
6431 do_exit(SIGKILL);
6432 + }
6433 do_exit(SIGSEGV);
6434 }
6435 EXPORT_SYMBOL(die_if_kernel);
6436 diff -urNp linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c
6437 --- linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-19 00:06:34.000000000 -0400
6438 +++ linux-2.6.39.3/arch/sparc/kernel/unaligned_64.c 2011-05-22 19:41:32.000000000 -0400
6439 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
6440 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
6441
6442 if (__ratelimit(&ratelimit)) {
6443 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
6444 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
6445 regs->tpc, (void *) regs->tpc);
6446 }
6447 }
6448 diff -urNp linux-2.6.39.3/arch/sparc/lib/atomic_64.S linux-2.6.39.3/arch/sparc/lib/atomic_64.S
6449 --- linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-19 00:06:34.000000000 -0400
6450 +++ linux-2.6.39.3/arch/sparc/lib/atomic_64.S 2011-05-22 19:36:30.000000000 -0400
6451 @@ -18,7 +18,12 @@
6452 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
6453 BACKOFF_SETUP(%o2)
6454 1: lduw [%o1], %g1
6455 - add %g1, %o0, %g7
6456 + addcc %g1, %o0, %g7
6457 +
6458 +#ifdef CONFIG_PAX_REFCOUNT
6459 + tvs %icc, 6
6460 +#endif
6461 +
6462 cas [%o1], %g1, %g7
6463 cmp %g1, %g7
6464 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6465 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
6466 2: BACKOFF_SPIN(%o2, %o3, 1b)
6467 .size atomic_add, .-atomic_add
6468
6469 + .globl atomic_add_unchecked
6470 + .type atomic_add_unchecked,#function
6471 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6472 + BACKOFF_SETUP(%o2)
6473 +1: lduw [%o1], %g1
6474 + add %g1, %o0, %g7
6475 + cas [%o1], %g1, %g7
6476 + cmp %g1, %g7
6477 + bne,pn %icc, 2f
6478 + nop
6479 + retl
6480 + nop
6481 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6482 + .size atomic_add_unchecked, .-atomic_add_unchecked
6483 +
6484 .globl atomic_sub
6485 .type atomic_sub,#function
6486 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6487 BACKOFF_SETUP(%o2)
6488 1: lduw [%o1], %g1
6489 - sub %g1, %o0, %g7
6490 + subcc %g1, %o0, %g7
6491 +
6492 +#ifdef CONFIG_PAX_REFCOUNT
6493 + tvs %icc, 6
6494 +#endif
6495 +
6496 cas [%o1], %g1, %g7
6497 cmp %g1, %g7
6498 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
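Review bot: The new atomic_add_unchecked retries with `bne,pn %icc, 2f`, whereas the checked routines in the same file use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)`. The macro definitions are outside this diff, but the two-label form suggests that in some configurations `BACKOFF_SPIN` expands to nothing and the retry must go straight back to `1b`. In that case a failed `cas` in the unchecked copy would branch to an empty `2:` and run on into the next routine. I would use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` in every `_unchecked` routine added in this file: atomic_sub_unchecked, atomic_add_ret_unchecked, atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked. Several of those also keep `addcc`/`subcc` although no `tvs` follows; plain `add`/`sub`, as in atomic_add_unchecked, would make the intent clearer.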
6499 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
6500 2: BACKOFF_SPIN(%o2, %o3, 1b)
6501 .size atomic_sub, .-atomic_sub
6502
6503 + .globl atomic_sub_unchecked
6504 + .type atomic_sub_unchecked,#function
6505 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6506 + BACKOFF_SETUP(%o2)
6507 +1: lduw [%o1], %g1
6508 + sub %g1, %o0, %g7
6509 + cas [%o1], %g1, %g7
6510 + cmp %g1, %g7
6511 + bne,pn %icc, 2f
6512 + nop
6513 + retl
6514 + nop
6515 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6516 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
6517 +
6518 .globl atomic_add_ret
6519 .type atomic_add_ret,#function
6520 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6521 BACKOFF_SETUP(%o2)
6522 1: lduw [%o1], %g1
6523 - add %g1, %o0, %g7
6524 + addcc %g1, %o0, %g7
6525 +
6526 +#ifdef CONFIG_PAX_REFCOUNT
6527 + tvs %icc, 6
6528 +#endif
6529 +
6530 cas [%o1], %g1, %g7
6531 cmp %g1, %g7
6532 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6533 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
6534 2: BACKOFF_SPIN(%o2, %o3, 1b)
6535 .size atomic_add_ret, .-atomic_add_ret
6536
6537 + .globl atomic_add_ret_unchecked
6538 + .type atomic_add_ret_unchecked,#function
6539 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6540 + BACKOFF_SETUP(%o2)
6541 +1: lduw [%o1], %g1
6542 + addcc %g1, %o0, %g7
6543 + cas [%o1], %g1, %g7
6544 + cmp %g1, %g7
6545 + bne,pn %icc, 2f
6546 + add %g7, %o0, %g7
6547 + sra %g7, 0, %o0
6548 + retl
6549 + nop
6550 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6551 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
6552 +
6553 .globl atomic_sub_ret
6554 .type atomic_sub_ret,#function
6555 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6556 BACKOFF_SETUP(%o2)
6557 1: lduw [%o1], %g1
6558 - sub %g1, %o0, %g7
6559 + subcc %g1, %o0, %g7
6560 +
6561 +#ifdef CONFIG_PAX_REFCOUNT
6562 + tvs %icc, 6
6563 +#endif
6564 +
6565 cas [%o1], %g1, %g7
6566 cmp %g1, %g7
6567 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
6568 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
6569 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
6570 BACKOFF_SETUP(%o2)
6571 1: ldx [%o1], %g1
6572 - add %g1, %o0, %g7
6573 + addcc %g1, %o0, %g7
6574 +
6575 +#ifdef CONFIG_PAX_REFCOUNT
6576 + tvs %xcc, 6
6577 +#endif
6578 +
6579 casx [%o1], %g1, %g7
6580 cmp %g1, %g7
6581 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6582 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
6583 2: BACKOFF_SPIN(%o2, %o3, 1b)
6584 .size atomic64_add, .-atomic64_add
6585
6586 + .globl atomic64_add_unchecked
6587 + .type atomic64_add_unchecked,#function
6588 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6589 + BACKOFF_SETUP(%o2)
6590 +1: ldx [%o1], %g1
6591 + addcc %g1, %o0, %g7
6592 + casx [%o1], %g1, %g7
6593 + cmp %g1, %g7
6594 + bne,pn %xcc, 2f
6595 + nop
6596 + retl
6597 + nop
6598 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6599 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
6600 +
6601 .globl atomic64_sub
6602 .type atomic64_sub,#function
6603 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
6604 BACKOFF_SETUP(%o2)
6605 1: ldx [%o1], %g1
6606 - sub %g1, %o0, %g7
6607 + subcc %g1, %o0, %g7
6608 +
6609 +#ifdef CONFIG_PAX_REFCOUNT
6610 + tvs %xcc, 6
6611 +#endif
6612 +
6613 casx [%o1], %g1, %g7
6614 cmp %g1, %g7
6615 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6616 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
6617 2: BACKOFF_SPIN(%o2, %o3, 1b)
6618 .size atomic64_sub, .-atomic64_sub
6619
6620 + .globl atomic64_sub_unchecked
6621 + .type atomic64_sub_unchecked,#function
6622 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
6623 + BACKOFF_SETUP(%o2)
6624 +1: ldx [%o1], %g1
6625 + subcc %g1, %o0, %g7
6626 + casx [%o1], %g1, %g7
6627 + cmp %g1, %g7
6628 + bne,pn %xcc, 2f
6629 + nop
6630 + retl
6631 + nop
6632 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6633 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
6634 +
6635 .globl atomic64_add_ret
6636 .type atomic64_add_ret,#function
6637 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
6638 BACKOFF_SETUP(%o2)
6639 1: ldx [%o1], %g1
6640 - add %g1, %o0, %g7
6641 + addcc %g1, %o0, %g7
6642 +
6643 +#ifdef CONFIG_PAX_REFCOUNT
6644 + tvs %xcc, 6
6645 +#endif
6646 +
6647 casx [%o1], %g1, %g7
6648 cmp %g1, %g7
6649 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6650 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
6651 2: BACKOFF_SPIN(%o2, %o3, 1b)
6652 .size atomic64_add_ret, .-atomic64_add_ret
6653
6654 + .globl atomic64_add_ret_unchecked
6655 + .type atomic64_add_ret_unchecked,#function
6656 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
6657 + BACKOFF_SETUP(%o2)
6658 +1: ldx [%o1], %g1
6659 + addcc %g1, %o0, %g7
6660 + casx [%o1], %g1, %g7
6661 + cmp %g1, %g7
6662 + bne,pn %xcc, 2f
6663 + add %g7, %o0, %g7
6664 + mov %g7, %o0
6665 + retl
6666 + nop
6667 +2: BACKOFF_SPIN(%o2, %o3, 1b)
6668 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
6669 +
6670 .globl atomic64_sub_ret
6671 .type atomic64_sub_ret,#function
6672 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
6673 BACKOFF_SETUP(%o2)
6674 1: ldx [%o1], %g1
6675 - sub %g1, %o0, %g7
6676 + subcc %g1, %o0, %g7
6677 +
6678 +#ifdef CONFIG_PAX_REFCOUNT
6679 + tvs %xcc, 6
6680 +#endif
6681 +
6682 casx [%o1], %g1, %g7
6683 cmp %g1, %g7
6684 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
6685 diff -urNp linux-2.6.39.3/arch/sparc/lib/ksyms.c linux-2.6.39.3/arch/sparc/lib/ksyms.c
6686 --- linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-19 00:06:34.000000000 -0400
6687 +++ linux-2.6.39.3/arch/sparc/lib/ksyms.c 2011-05-22 19:36:30.000000000 -0400
6688 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
6689
6690 /* Atomic counter implementation. */
6691 EXPORT_SYMBOL(atomic_add);
6692 +EXPORT_SYMBOL(atomic_add_unchecked);
6693 EXPORT_SYMBOL(atomic_add_ret);
6694 EXPORT_SYMBOL(atomic_sub);
6695 +EXPORT_SYMBOL(atomic_sub_unchecked);
6696 EXPORT_SYMBOL(atomic_sub_ret);
6697 EXPORT_SYMBOL(atomic64_add);
6698 +EXPORT_SYMBOL(atomic64_add_unchecked);
6699 EXPORT_SYMBOL(atomic64_add_ret);
6700 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
6701 EXPORT_SYMBOL(atomic64_sub);
6702 +EXPORT_SYMBOL(atomic64_sub_unchecked);
6703 EXPORT_SYMBOL(atomic64_sub_ret);
6704
6705 /* Atomic bit operations. */
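Review bot: The export list gains five `_unchecked` symbols but not `atomic_add_ret_unchecked`, which atomic_64.S in this same patch defines with `.globl`. If any modular code reaches it through an inline wrapper, that module will fail to load on an unresolved symbol. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` next to `EXPORT_SYMBOL(atomic_add_ret);` would make the list match the assembly file.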
6706 diff -urNp linux-2.6.39.3/arch/sparc/lib/Makefile linux-2.6.39.3/arch/sparc/lib/Makefile
6707 --- linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-19 00:06:34.000000000 -0400
6708 +++ linux-2.6.39.3/arch/sparc/lib/Makefile 2011-05-22 19:36:30.000000000 -0400
6709 @@ -2,7 +2,7 @@
6710 #
6711
6712 asflags-y := -ansi -DST_DIV0=0x02
6713 -ccflags-y := -Werror
6714 +#ccflags-y := -Werror
6715
6716 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
6717 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
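Review bot: Commenting out `ccflags-y := -Werror` disables warnings-as-errors for every object in arch/sparc/lib, not just the files this patch touches, and leaves a dead line behind. If only specific objects warn with the patch applied, it would be narrower to fix those warnings or relax the flag per object with a `CFLAGS_<object>.o` override. Whichever is chosen, the reason belongs in a comment next to the line.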
6718 diff -urNp linux-2.6.39.3/arch/sparc/Makefile linux-2.6.39.3/arch/sparc/Makefile
6719 --- linux-2.6.39.3/arch/sparc/Makefile 2011-05-19 00:06:34.000000000 -0400
6720 +++ linux-2.6.39.3/arch/sparc/Makefile 2011-05-22 19:41:32.000000000 -0400
6721 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
6722 # Export what is needed by arch/sparc/boot/Makefile
6723 export VMLINUX_INIT VMLINUX_MAIN
6724 VMLINUX_INIT := $(head-y) $(init-y)
6725 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
6726 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
6727 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
6728 VMLINUX_MAIN += $(drivers-y) $(net-y)
6729
6730 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_32.c linux-2.6.39.3/arch/sparc/mm/fault_32.c
6731 --- linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-19 00:06:34.000000000 -0400
6732 +++ linux-2.6.39.3/arch/sparc/mm/fault_32.c 2011-05-22 19:36:30.000000000 -0400
6733 @@ -22,6 +22,9 @@
6734 #include <linux/interrupt.h>
6735 #include <linux/module.h>
6736 #include <linux/kdebug.h>
6737 +#include <linux/slab.h>
6738 +#include <linux/pagemap.h>
6739 +#include <linux/compiler.h>
6740
6741 #include <asm/system.h>
6742 #include <asm/page.h>
6743 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
6744 return safe_compute_effective_address(regs, insn);
6745 }
6746
6747 +#ifdef CONFIG_PAX_PAGEEXEC
6748 +#ifdef CONFIG_PAX_DLRESOLVE
6749 +static void pax_emuplt_close(struct vm_area_struct *vma)
6750 +{
6751 + vma->vm_mm->call_dl_resolve = 0UL;
6752 +}
6753 +
6754 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
6755 +{
6756 + unsigned int *kaddr;
6757 +
6758 + vmf->page = alloc_page(GFP_HIGHUSER);
6759 + if (!vmf->page)
6760 + return VM_FAULT_OOM;
6761 +
6762 + kaddr = kmap(vmf->page);
6763 + memset(kaddr, 0, PAGE_SIZE);
6764 + kaddr[0] = 0x9DE3BFA8U; /* save */
6765 + flush_dcache_page(vmf->page);
6766 + kunmap(vmf->page);
6767 + return VM_FAULT_MAJOR;
6768 +}
6769 +
6770 +static const struct vm_operations_struct pax_vm_ops = {
6771 + .close = pax_emuplt_close,
6772 + .fault = pax_emuplt_fault
6773 +};
6774 +
6775 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
6776 +{
6777 + int ret;
6778 +
6779 + INIT_LIST_HEAD(&vma->anon_vma_chain);
6780 + vma->vm_mm = current->mm;
6781 + vma->vm_start = addr;
6782 + vma->vm_end = addr + PAGE_SIZE;
6783 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
6784 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
6785 + vma->vm_ops = &pax_vm_ops;
6786 +
6787 + ret = insert_vm_struct(current->mm, vma);
6788 + if (ret)
6789 + return ret;
6790 +
6791 + ++current->mm->total_vm;
6792 + return 0;
6793 +}
6794 +#endif
6795 +
6796 +/*
6797 + * PaX: decide what to do with offenders (regs->pc = fault address)
6798 + *
6799 + * returns 1 when task should be killed
6800 + * 2 when patched PLT trampoline was detected
6801 + * 3 when unpatched PLT trampoline was detected
6802 + */
6803 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6804 +{
6805 +
6806 +#ifdef CONFIG_PAX_EMUPLT
6807 + int err;
6808 +
6809 + do { /* PaX: patched PLT emulation #1 */
6810 + unsigned int sethi1, sethi2, jmpl;
6811 +
6812 + err = get_user(sethi1, (unsigned int *)regs->pc);
6813 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
6814 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
6815 +
6816 + if (err)
6817 + break;
6818 +
6819 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
6820 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
6821 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
6822 + {
6823 + unsigned int addr;
6824 +
6825 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
6826 + addr = regs->u_regs[UREG_G1];
6827 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6828 + regs->pc = addr;
6829 + regs->npc = addr+4;
6830 + return 2;
6831 + }
6832 + } while (0);
6833 +
6834 + { /* PaX: patched PLT emulation #2 */
6835 + unsigned int ba;
6836 +
6837 + err = get_user(ba, (unsigned int *)regs->pc);
6838 +
6839 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
6840 + unsigned int addr;
6841 +
6842 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6843 + regs->pc = addr;
6844 + regs->npc = addr+4;
6845 + return 2;
6846 + }
6847 + }
6848 +
6849 + do { /* PaX: patched PLT emulation #3 */
6850 + unsigned int sethi, jmpl, nop;
6851 +
6852 + err = get_user(sethi, (unsigned int *)regs->pc);
6853 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
6854 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6855 +
6856 + if (err)
6857 + break;
6858 +
6859 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6860 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
6861 + nop == 0x01000000U)
6862 + {
6863 + unsigned int addr;
6864 +
6865 + addr = (sethi & 0x003FFFFFU) << 10;
6866 + regs->u_regs[UREG_G1] = addr;
6867 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6868 + regs->pc = addr;
6869 + regs->npc = addr+4;
6870 + return 2;
6871 + }
6872 + } while (0);
6873 +
6874 + do { /* PaX: unpatched PLT emulation step 1 */
6875 + unsigned int sethi, ba, nop;
6876 +
6877 + err = get_user(sethi, (unsigned int *)regs->pc);
6878 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
6879 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
6880 +
6881 + if (err)
6882 + break;
6883 +
6884 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
6885 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
6886 + nop == 0x01000000U)
6887 + {
6888 + unsigned int addr, save, call;
6889 +
6890 + if ((ba & 0xFFC00000U) == 0x30800000U)
6891 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
6892 + else
6893 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
6894 +
6895 + err = get_user(save, (unsigned int *)addr);
6896 + err |= get_user(call, (unsigned int *)(addr+4));
6897 + err |= get_user(nop, (unsigned int *)(addr+8));
6898 + if (err)
6899 + break;
6900 +
6901 +#ifdef CONFIG_PAX_DLRESOLVE
6902 + if (save == 0x9DE3BFA8U &&
6903 + (call & 0xC0000000U) == 0x40000000U &&
6904 + nop == 0x01000000U)
6905 + {
6906 + struct vm_area_struct *vma;
6907 + unsigned long call_dl_resolve;
6908 +
6909 + down_read(&current->mm->mmap_sem);
6910 + call_dl_resolve = current->mm->call_dl_resolve;
6911 + up_read(&current->mm->mmap_sem);
6912 + if (likely(call_dl_resolve))
6913 + goto emulate;
6914 +
6915 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
6916 +
6917 + down_write(&current->mm->mmap_sem);
6918 + if (current->mm->call_dl_resolve) {
6919 + call_dl_resolve = current->mm->call_dl_resolve;
6920 + up_write(&current->mm->mmap_sem);
6921 + if (vma)
6922 + kmem_cache_free(vm_area_cachep, vma);
6923 + goto emulate;
6924 + }
6925 +
6926 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
6927 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
6928 + up_write(&current->mm->mmap_sem);
6929 + if (vma)
6930 + kmem_cache_free(vm_area_cachep, vma);
6931 + return 1;
6932 + }
6933 +
6934 + if (pax_insert_vma(vma, call_dl_resolve)) {
6935 + up_write(&current->mm->mmap_sem);
6936 + kmem_cache_free(vm_area_cachep, vma);
6937 + return 1;
6938 + }
6939 +
6940 + current->mm->call_dl_resolve = call_dl_resolve;
6941 + up_write(&current->mm->mmap_sem);
6942 +
6943 +emulate:
6944 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6945 + regs->pc = call_dl_resolve;
6946 + regs->npc = addr+4;
6947 + return 3;
6948 + }
6949 +#endif
6950 +
6951 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
6952 + if ((save & 0xFFC00000U) == 0x05000000U &&
6953 + (call & 0xFFFFE000U) == 0x85C0A000U &&
6954 + nop == 0x01000000U)
6955 + {
6956 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
6957 + regs->u_regs[UREG_G2] = addr + 4;
6958 + addr = (save & 0x003FFFFFU) << 10;
6959 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
6960 + regs->pc = addr;
6961 + regs->npc = addr+4;
6962 + return 3;
6963 + }
6964 + }
6965 + } while (0);
6966 +
6967 + do { /* PaX: unpatched PLT emulation step 2 */
6968 + unsigned int save, call, nop;
6969 +
6970 + err = get_user(save, (unsigned int *)(regs->pc-4));
6971 + err |= get_user(call, (unsigned int *)regs->pc);
6972 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
6973 + if (err)
6974 + break;
6975 +
6976 + if (save == 0x9DE3BFA8U &&
6977 + (call & 0xC0000000U) == 0x40000000U &&
6978 + nop == 0x01000000U)
6979 + {
6980 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
6981 +
6982 + regs->u_regs[UREG_RETPC] = regs->pc;
6983 + regs->pc = dl_resolve;
6984 + regs->npc = dl_resolve+4;
6985 + return 3;
6986 + }
6987 + } while (0);
6988 +#endif
6989 +
6990 + return 1;
6991 +}
6992 +
6993 +void pax_report_insns(void *pc, void *sp)
6994 +{
6995 + unsigned long i;
6996 +
6997 + printk(KERN_ERR "PAX: bytes at PC: ");
6998 + for (i = 0; i < 8; i++) {
6999 + unsigned int c;
7000 + if (get_user(c, (unsigned int *)pc+i))
7001 + printk(KERN_CONT "???????? ");
7002 + else
7003 + printk(KERN_CONT "%08x ", c);
7004 + }
7005 + printk("\n");
7006 +}
7007 +#endif
7008 +
7009 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
7010 int text_fault)
7011 {
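Review bot: pax_handle_fetch_fault matches and decodes user instructions with bare masks, and repeats the sign-extension expression `((x | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U` in every emulation block without saying what it does. Since this code rewrites `regs->pc` and `regs->npc` from user-controlled words, each pattern should be easy to audit. I would add a comment at first use, such as `/* sign-extend the 13-bit immediate: force the high bits on, then flip and re-add the sign bit */`, and name the opcode masks; the same decoding is duplicated in fault_64.c. The pointers handed to `get_user` are cast as `(unsigned int *)regs->pc`; `(unsigned int __user *)regs->pc` would let sparse check them. In pax_report_insns the `sp` parameter is unused and the label "bytes at PC" is followed by 32-bit words.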
7012 @@ -281,6 +546,24 @@ good_area:
7013 if(!(vma->vm_flags & VM_WRITE))
7014 goto bad_area;
7015 } else {
7016 +
7017 +#ifdef CONFIG_PAX_PAGEEXEC
7018 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
7019 + up_read(&mm->mmap_sem);
7020 + switch (pax_handle_fetch_fault(regs)) {
7021 +
7022 +#ifdef CONFIG_PAX_EMUPLT
7023 + case 2:
7024 + case 3:
7025 + return;
7026 +#endif
7027 +
7028 + }
7029 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
7030 + do_group_exit(SIGKILL);
7031 + }
7032 +#endif
7033 +
7034 /* Allow reads even for write-only mappings */
7035 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
7036 goto bad_area;
7037 diff -urNp linux-2.6.39.3/arch/sparc/mm/fault_64.c linux-2.6.39.3/arch/sparc/mm/fault_64.c
7038 --- linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-19 00:06:34.000000000 -0400
7039 +++ linux-2.6.39.3/arch/sparc/mm/fault_64.c 2011-05-22 19:41:32.000000000 -0400
7040 @@ -21,6 +21,9 @@
7041 #include <linux/kprobes.h>
7042 #include <linux/kdebug.h>
7043 #include <linux/percpu.h>
7044 +#include <linux/slab.h>
7045 +#include <linux/pagemap.h>
7046 +#include <linux/compiler.h>
7047
7048 #include <asm/page.h>
7049 #include <asm/pgtable.h>
7050 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
7051 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
7052 regs->tpc);
7053 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
7054 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
7055 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
7056 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
7057 dump_stack();
7058 unhandled_fault(regs->tpc, current, regs);
7059 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
7060 show_regs(regs);
7061 }
7062
7063 +#ifdef CONFIG_PAX_PAGEEXEC
7064 +#ifdef CONFIG_PAX_DLRESOLVE
7065 +static void pax_emuplt_close(struct vm_area_struct *vma)
7066 +{
7067 + vma->vm_mm->call_dl_resolve = 0UL;
7068 +}
7069 +
7070 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
7071 +{
7072 + unsigned int *kaddr;
7073 +
7074 + vmf->page = alloc_page(GFP_HIGHUSER);
7075 + if (!vmf->page)
7076 + return VM_FAULT_OOM;
7077 +
7078 + kaddr = kmap(vmf->page);
7079 + memset(kaddr, 0, PAGE_SIZE);
7080 + kaddr[0] = 0x9DE3BFA8U; /* save */
7081 + flush_dcache_page(vmf->page);
7082 + kunmap(vmf->page);
7083 + return VM_FAULT_MAJOR;
7084 +}
7085 +
7086 +static const struct vm_operations_struct pax_vm_ops = {
7087 + .close = pax_emuplt_close,
7088 + .fault = pax_emuplt_fault
7089 +};
7090 +
7091 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
7092 +{
7093 + int ret;
7094 +
7095 + INIT_LIST_HEAD(&vma->anon_vma_chain);
7096 + vma->vm_mm = current->mm;
7097 + vma->vm_start = addr;
7098 + vma->vm_end = addr + PAGE_SIZE;
7099 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
7100 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
7101 + vma->vm_ops = &pax_vm_ops;
7102 +
7103 + ret = insert_vm_struct(current->mm, vma);
7104 + if (ret)
7105 + return ret;
7106 +
7107 + ++current->mm->total_vm;
7108 + return 0;
7109 +}
7110 +#endif
7111 +
7112 +/*
7113 + * PaX: decide what to do with offenders (regs->tpc = fault address)
7114 + *
7115 + * returns 1 when task should be killed
7116 + * 2 when patched PLT trampoline was detected
7117 + * 3 when unpatched PLT trampoline was detected
7118 + */
7119 +static int pax_handle_fetch_fault(struct pt_regs *regs)
7120 +{
7121 +
7122 +#ifdef CONFIG_PAX_EMUPLT
7123 + int err;
7124 +
7125 + do { /* PaX: patched PLT emulation #1 */
7126 + unsigned int sethi1, sethi2, jmpl;
7127 +
7128 + err = get_user(sethi1, (unsigned int *)regs->tpc);
7129 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
7130 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
7131 +
7132 + if (err)
7133 + break;
7134 +
7135 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
7136 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
7137 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
7138 + {
7139 + unsigned long addr;
7140 +
7141 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
7142 + addr = regs->u_regs[UREG_G1];
7143 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7144 +
7145 + if (test_thread_flag(TIF_32BIT))
7146 + addr &= 0xFFFFFFFFUL;
7147 +
7148 + regs->tpc = addr;
7149 + regs->tnpc = addr+4;
7150 + return 2;
7151 + }
7152 + } while (0);
7153 +
7154 + { /* PaX: patched PLT emulation #2 */
7155 + unsigned int ba;
7156 +
7157 + err = get_user(ba, (unsigned int *)regs->tpc);
7158 +
7159 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
7160 + unsigned long addr;
7161 +
7162 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7163 +
7164 + if (test_thread_flag(TIF_32BIT))
7165 + addr &= 0xFFFFFFFFUL;
7166 +
7167 + regs->tpc = addr;
7168 + regs->tnpc = addr+4;
7169 + return 2;
7170 + }
7171 + }
7172 +
7173 + do { /* PaX: patched PLT emulation #3 */
7174 + unsigned int sethi, jmpl, nop;
7175 +
7176 + err = get_user(sethi, (unsigned int *)regs->tpc);
7177 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
7178 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7179 +
7180 + if (err)
7181 + break;
7182 +
7183 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7184 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
7185 + nop == 0x01000000U)
7186 + {
7187 + unsigned long addr;
7188 +
7189 + addr = (sethi & 0x003FFFFFU) << 10;
7190 + regs->u_regs[UREG_G1] = addr;
7191 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7192 +
7193 + if (test_thread_flag(TIF_32BIT))
7194 + addr &= 0xFFFFFFFFUL;
7195 +
7196 + regs->tpc = addr;
7197 + regs->tnpc = addr+4;
7198 + return 2;
7199 + }
7200 + } while (0);
7201 +
7202 + do { /* PaX: patched PLT emulation #4 */
7203 + unsigned int sethi, mov1, call, mov2;
7204 +
7205 + err = get_user(sethi, (unsigned int *)regs->tpc);
7206 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
7207 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
7208 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
7209 +
7210 + if (err)
7211 + break;
7212 +
7213 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7214 + mov1 == 0x8210000FU &&
7215 + (call & 0xC0000000U) == 0x40000000U &&
7216 + mov2 == 0x9E100001U)
7217 + {
7218 + unsigned long addr;
7219 +
7220 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
7221 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7222 +
7223 + if (test_thread_flag(TIF_32BIT))
7224 + addr &= 0xFFFFFFFFUL;
7225 +
7226 + regs->tpc = addr;
7227 + regs->tnpc = addr+4;
7228 + return 2;
7229 + }
7230 + } while (0);
7231 +
7232 + do { /* PaX: patched PLT emulation #5 */
7233 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
7234 +
7235 + err = get_user(sethi, (unsigned int *)regs->tpc);
7236 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7237 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7238 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
7239 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
7240 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
7241 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
7242 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
7243 +
7244 + if (err)
7245 + break;
7246 +
7247 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7248 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7249 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7250 + (or1 & 0xFFFFE000U) == 0x82106000U &&
7251 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7252 + sllx == 0x83287020U &&
7253 + jmpl == 0x81C04005U &&
7254 + nop == 0x01000000U)
7255 + {
7256 + unsigned long addr;
7257 +
7258 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7259 + regs->u_regs[UREG_G1] <<= 32;
7260 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7261 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7262 + regs->tpc = addr;
7263 + regs->tnpc = addr+4;
7264 + return 2;
7265 + }
7266 + } while (0);
7267 +
7268 + do { /* PaX: patched PLT emulation #6 */
7269 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
7270 +
7271 + err = get_user(sethi, (unsigned int *)regs->tpc);
7272 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
7273 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
7274 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
7275 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
7276 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
7277 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
7278 +
7279 + if (err)
7280 + break;
7281 +
7282 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7283 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
7284 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7285 + sllx == 0x83287020U &&
7286 + (or & 0xFFFFE000U) == 0x8A116000U &&
7287 + jmpl == 0x81C04005U &&
7288 + nop == 0x01000000U)
7289 + {
7290 + unsigned long addr;
7291 +
7292 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
7293 + regs->u_regs[UREG_G1] <<= 32;
7294 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
7295 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
7296 + regs->tpc = addr;
7297 + regs->tnpc = addr+4;
7298 + return 2;
7299 + }
7300 + } while (0);
7301 +
7302 + do { /* PaX: unpatched PLT emulation step 1 */
7303 + unsigned int sethi, ba, nop;
7304 +
7305 + err = get_user(sethi, (unsigned int *)regs->tpc);
7306 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7307 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7308 +
7309 + if (err)
7310 + break;
7311 +
7312 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7313 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
7314 + nop == 0x01000000U)
7315 + {
7316 + unsigned long addr;
7317 + unsigned int save, call;
7318 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
7319 +
7320 + if ((ba & 0xFFC00000U) == 0x30800000U)
7321 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
7322 + else
7323 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7324 +
7325 + if (test_thread_flag(TIF_32BIT))
7326 + addr &= 0xFFFFFFFFUL;
7327 +
7328 + err = get_user(save, (unsigned int *)addr);
7329 + err |= get_user(call, (unsigned int *)(addr+4));
7330 + err |= get_user(nop, (unsigned int *)(addr+8));
7331 + if (err)
7332 + break;
7333 +
7334 +#ifdef CONFIG_PAX_DLRESOLVE
7335 + if (save == 0x9DE3BFA8U &&
7336 + (call & 0xC0000000U) == 0x40000000U &&
7337 + nop == 0x01000000U)
7338 + {
7339 + struct vm_area_struct *vma;
7340 + unsigned long call_dl_resolve;
7341 +
7342 + down_read(&current->mm->mmap_sem);
7343 + call_dl_resolve = current->mm->call_dl_resolve;
7344 + up_read(&current->mm->mmap_sem);
7345 + if (likely(call_dl_resolve))
7346 + goto emulate;
7347 +
7348 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
7349 +
7350 + down_write(&current->mm->mmap_sem);
7351 + if (current->mm->call_dl_resolve) {
7352 + call_dl_resolve = current->mm->call_dl_resolve;
7353 + up_write(&current->mm->mmap_sem);
7354 + if (vma)
7355 + kmem_cache_free(vm_area_cachep, vma);
7356 + goto emulate;
7357 + }
7358 +
7359 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
7360 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
7361 + up_write(&current->mm->mmap_sem);
7362 + if (vma)
7363 + kmem_cache_free(vm_area_cachep, vma);
7364 + return 1;
7365 + }
7366 +
7367 + if (pax_insert_vma(vma, call_dl_resolve)) {
7368 + up_write(&current->mm->mmap_sem);
7369 + kmem_cache_free(vm_area_cachep, vma);
7370 + return 1;
7371 + }
7372 +
7373 + current->mm->call_dl_resolve = call_dl_resolve;
7374 + up_write(&current->mm->mmap_sem);
7375 +
7376 +emulate:
7377 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7378 + regs->tpc = call_dl_resolve;
7379 + regs->tnpc = addr+4;
7380 + return 3;
7381 + }
7382 +#endif
7383 +
7384 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
7385 + if ((save & 0xFFC00000U) == 0x05000000U &&
7386 + (call & 0xFFFFE000U) == 0x85C0A000U &&
7387 + nop == 0x01000000U)
7388 + {
7389 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7390 + regs->u_regs[UREG_G2] = addr + 4;
7391 + addr = (save & 0x003FFFFFU) << 10;
7392 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
7393 +
7394 + if (test_thread_flag(TIF_32BIT))
7395 + addr &= 0xFFFFFFFFUL;
7396 +
7397 + regs->tpc = addr;
7398 + regs->tnpc = addr+4;
7399 + return 3;
7400 + }
7401 +
7402 + /* PaX: 64-bit PLT stub */
7403 + err = get_user(sethi1, (unsigned int *)addr);
7404 + err |= get_user(sethi2, (unsigned int *)(addr+4));
7405 + err |= get_user(or1, (unsigned int *)(addr+8));
7406 + err |= get_user(or2, (unsigned int *)(addr+12));
7407 + err |= get_user(sllx, (unsigned int *)(addr+16));
7408 + err |= get_user(add, (unsigned int *)(addr+20));
7409 + err |= get_user(jmpl, (unsigned int *)(addr+24));
7410 + err |= get_user(nop, (unsigned int *)(addr+28));
7411 + if (err)
7412 + break;
7413 +
7414 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
7415 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
7416 + (or1 & 0xFFFFE000U) == 0x88112000U &&
7417 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
7418 + sllx == 0x89293020U &&
7419 + add == 0x8A010005U &&
7420 + jmpl == 0x89C14000U &&
7421 + nop == 0x01000000U)
7422 + {
7423 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
7424 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
7425 + regs->u_regs[UREG_G4] <<= 32;
7426 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
7427 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
7428 + regs->u_regs[UREG_G4] = addr + 24;
7429 + addr = regs->u_regs[UREG_G5];
7430 + regs->tpc = addr;
7431 + regs->tnpc = addr+4;
7432 + return 3;
7433 + }
7434 + }
7435 + } while (0);
7436 +
7437 +#ifdef CONFIG_PAX_DLRESOLVE
7438 + do { /* PaX: unpatched PLT emulation step 2 */
7439 + unsigned int save, call, nop;
7440 +
7441 + err = get_user(save, (unsigned int *)(regs->tpc-4));
7442 + err |= get_user(call, (unsigned int *)regs->tpc);
7443 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
7444 + if (err)
7445 + break;
7446 +
7447 + if (save == 0x9DE3BFA8U &&
7448 + (call & 0xC0000000U) == 0x40000000U &&
7449 + nop == 0x01000000U)
7450 + {
7451 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
7452 +
7453 + if (test_thread_flag(TIF_32BIT))
7454 + dl_resolve &= 0xFFFFFFFFUL;
7455 +
7456 + regs->u_regs[UREG_RETPC] = regs->tpc;
7457 + regs->tpc = dl_resolve;
7458 + regs->tnpc = dl_resolve+4;
7459 + return 3;
7460 + }
7461 + } while (0);
7462 +#endif
7463 +
7464 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
7465 + unsigned int sethi, ba, nop;
7466 +
7467 + err = get_user(sethi, (unsigned int *)regs->tpc);
7468 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
7469 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
7470 +
7471 + if (err)
7472 + break;
7473 +
7474 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
7475 + (ba & 0xFFF00000U) == 0x30600000U &&
7476 + nop == 0x01000000U)
7477 + {
7478 + unsigned long addr;
7479 +
7480 + addr = (sethi & 0x003FFFFFU) << 10;
7481 + regs->u_regs[UREG_G1] = addr;
7482 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
7483 +
7484 + if (test_thread_flag(TIF_32BIT))
7485 + addr &= 0xFFFFFFFFUL;
7486 +
7487 + regs->tpc = addr;
7488 + regs->tnpc = addr+4;
7489 + return 2;
7490 + }
7491 + } while (0);
7492 +
7493 +#endif
7494 +
7495 + return 1;
7496 +}
7497 +
7498 +void pax_report_insns(void *pc, void *sp)
7499 +{
7500 + unsigned long i;
7501 +
7502 + printk(KERN_ERR "PAX: bytes at PC: ");
7503 + for (i = 0; i < 8; i++) {
7504 + unsigned int c;
7505 + if (get_user(c, (unsigned int *)pc+i))
7506 + printk(KERN_CONT "???????? ");
7507 + else
7508 + printk(KERN_CONT "%08x ", c);
7509 + }
7510 + printk("\n");
7511 +}
7512 +#endif
7513 +
7514 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
7515 {
7516 struct mm_struct *mm = current->mm;
7517 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
7518 if (!vma)
7519 goto bad_area;
7520
7521 +#ifdef CONFIG_PAX_PAGEEXEC
7522 + /* PaX: detect ITLB misses on non-exec pages */
7523 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
7524 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
7525 + {
7526 + if (address != regs->tpc)
7527 + goto good_area;
7528 +
7529 + up_read(&mm->mmap_sem);
7530 + switch (pax_handle_fetch_fault(regs)) {
7531 +
7532 +#ifdef CONFIG_PAX_EMUPLT
7533 + case 2:
7534 + case 3:
7535 + return;
7536 +#endif
7537 +
7538 + }
7539 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
7540 + do_group_exit(SIGKILL);
7541 + }
7542 +#endif
7543 +
7544 /* Pure DTLB misses do not tell us whether the fault causing
7545 * load/store/atomic was a write or not, it only says that there
7546 * was no match. So in such a case we (carefully) read the
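Review bot: The `switch (pax_handle_fetch_fault(regs))` in the new ITLB-miss block dispatches on bare numeric return codes and has no `default:`; with CONFIG_PAX_EMUPLT unset it is an empty switch. In the emulation code visible above, 2 is returned after a patched PLT stub is emulated, 3 after an unpatched one, and 1 otherwise. A comment above the switch such as `/* 1: genuine exec violation -> report and SIGKILL; 2/3: PLT stub emulated, return to user */` would make the kill path auditable. `mmap_sem` is dropped by `up_read()` before the handler runs, so nothing after that line may touch `vma`; the visible lines comply, but do_sparc64_fault starts and continues outside the hunk.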
7547 diff -urNp linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c
7548 --- linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
7549 +++ linux-2.6.39.3/arch/sparc/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
7550 @@ -68,7 +68,7 @@ full_search:
7551 }
7552 return -ENOMEM;
7553 }
7554 - if (likely(!vma || addr + len <= vma->vm_start)) {
7555 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7556 /*
7557 * Remember the place where we stopped the search:
7558 */
7559 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
7560 /* make sure it can fit in the remaining address space */
7561 if (likely(addr > len)) {
7562 vma = find_vma(mm, addr-len);
7563 - if (!vma || addr <= vma->vm_start) {
7564 + if (check_heap_stack_gap(vma, addr - len, len)) {
7565 /* remember the address as a hint for next time */
7566 return (mm->free_area_cache = addr-len);
7567 }
7568 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
7569 if (unlikely(mm->mmap_base < len))
7570 goto bottomup;
7571
7572 - addr = (mm->mmap_base-len) & HPAGE_MASK;
7573 + addr = mm->mmap_base - len;
7574
7575 do {
7576 + addr &= HPAGE_MASK;
7577 /*
7578 * Lookup failure means no vma is above this address,
7579 * else if new region fits below vma->vm_start,
7580 * return with success:
7581 */
7582 vma = find_vma(mm, addr);
7583 - if (likely(!vma || addr+len <= vma->vm_start)) {
7584 + if (likely(check_heap_stack_gap(vma, addr, len))) {
7585 /* remember the address as a hint for next time */
7586 return (mm->free_area_cache = addr);
7587 }
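Review bot: The comment kept inside the `do` loop ("Lookup failure means no vma is above this address, else if new region fits below vma->vm_start") still describes the removed `!vma || addr+len <= vma->vm_start` test rather than the `check_heap_stack_gap(vma, addr, len)` call that replaces it. The helper is defined outside this page, so its exact policy cannot be confirmed here; if it also keeps a guard gap below a stack mapping, as the name suggests, the comment should say so, e.g. `* else if new region fits below vma->vm_start with the heap/stack gap kept,`. The same applies to the other `check_heap_stack_gap()` substitutions in this file. In the next hunk the loop now ends when `skip_heap_stack_gap()` returns an error value, which deserves a one-line comment at the `while`. hugetlb_get_unmapped_area_topdown starts and ends outside the hunk.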
7588 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
7589 mm->cached_hole_size = vma->vm_start - addr;
7590
7591 /* try just below the current vma->vm_start */
7592 - addr = (vma->vm_start-len) & HPAGE_MASK;
7593 - } while (likely(len < vma->vm_start));
7594 + addr = skip_heap_stack_gap(vma, len);
7595 + } while (!IS_ERR_VALUE(addr));
7596
7597 bottomup:
7598 /*
7599 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
7600 if (addr) {
7601 addr = ALIGN(addr, HPAGE_SIZE);
7602 vma = find_vma(mm, addr);
7603 - if (task_size - len >= addr &&
7604 - (!vma || addr + len <= vma->vm_start))
7605 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
7606 return addr;
7607 }
7608 if (mm->get_unmapped_area == arch_get_unmapped_area)
7609 diff -urNp linux-2.6.39.3/arch/sparc/mm/init_32.c linux-2.6.39.3/arch/sparc/mm/init_32.c
7610 --- linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
7611 +++ linux-2.6.39.3/arch/sparc/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
7612 @@ -318,6 +318,9 @@ extern void device_scan(void);
7613 pgprot_t PAGE_SHARED __read_mostly;
7614 EXPORT_SYMBOL(PAGE_SHARED);
7615
7616 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
7617 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
7618 +
7619 void __init paging_init(void)
7620 {
7621 switch(sparc_cpu_model) {
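Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, but the only assignment on this page, in the srmmu.c hunk (`PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);`), is under `#ifdef CONFIG_PAX_PAGEEXEC`. The header that declares the name is not visible, so the non-PAGEEXEC build cannot be checked from here. If the name is a real variable there, it stays zero and `protection_map[10]`/`[11]` receive an empty protection; if it is a macro alias for `PAGE_SHARED`, these two lines duplicate the existing definition and export. Wrapping the definition and `EXPORT_SYMBOL` in the same `#ifdef CONFIG_PAX_PAGEEXEC` would keep both files consistent.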
7622 @@ -346,17 +349,17 @@ void __init paging_init(void)
7623
7624 /* Initialize the protection map with non-constant, MMU dependent values. */
7625 protection_map[0] = PAGE_NONE;
7626 - protection_map[1] = PAGE_READONLY;
7627 - protection_map[2] = PAGE_COPY;
7628 - protection_map[3] = PAGE_COPY;
7629 + protection_map[1] = PAGE_READONLY_NOEXEC;
7630 + protection_map[2] = PAGE_COPY_NOEXEC;
7631 + protection_map[3] = PAGE_COPY_NOEXEC;
7632 protection_map[4] = PAGE_READONLY;
7633 protection_map[5] = PAGE_READONLY;
7634 protection_map[6] = PAGE_COPY;
7635 protection_map[7] = PAGE_COPY;
7636 protection_map[8] = PAGE_NONE;
7637 - protection_map[9] = PAGE_READONLY;
7638 - protection_map[10] = PAGE_SHARED;
7639 - protection_map[11] = PAGE_SHARED;
7640 + protection_map[9] = PAGE_READONLY_NOEXEC;
7641 + protection_map[10] = PAGE_SHARED_NOEXEC;
7642 + protection_map[11] = PAGE_SHARED_NOEXEC;
7643 protection_map[12] = PAGE_READONLY;
7644 protection_map[13] = PAGE_READONLY;
7645 protection_map[14] = PAGE_SHARED;
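Review bot: Nothing in the table explains why only entries 1–3 and 9–11 change, which makes the no-exec policy hard to audit. The index is formed from the VM_READ, VM_WRITE, VM_EXEC and VM_SHARED bits, so these six entries are exactly the readable or writable combinations without VM_EXEC. A comment above the assignments would record that, e.g. `/* index bit 2 is VM_EXEC: entries without it use the _NOEXEC protections */`. paging_init starts and continues outside the hunk.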
7646 diff -urNp linux-2.6.39.3/arch/sparc/mm/Makefile linux-2.6.39.3/arch/sparc/mm/Makefile
7647 --- linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-19 00:06:34.000000000 -0400
7648 +++ linux-2.6.39.3/arch/sparc/mm/Makefile 2011-05-22 19:36:30.000000000 -0400
7649 @@ -2,7 +2,7 @@
7650 #
7651
7652 asflags-y := -ansi
7653 -ccflags-y := -Werror
7654 +#ccflags-y := -Werror
7655
7656 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
7657 obj-y += fault_$(BITS).o
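Review bot: Commenting out `ccflags-y := -Werror` removes warnings-as-errors for every object in arch/sparc/mm, including the fault handlers this patch extends, and leaves a dead line behind. Which objects produce the new warnings is not visible on this page. If only the PaX additions trigger them, fixing those warnings or relaxing the flag per object keeps the check for the rest of the directory. If the removal is intended, delete the line and say why in the changelog rather than leaving it commented.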
7658 diff -urNp linux-2.6.39.3/arch/sparc/mm/srmmu.c linux-2.6.39.3/arch/sparc/mm/srmmu.c
7659 --- linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-19 00:06:34.000000000 -0400
7660 +++ linux-2.6.39.3/arch/sparc/mm/srmmu.c 2011-05-22 19:36:30.000000000 -0400
7661 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
7662 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
7663 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
7664 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
7665 +
7666 +#ifdef CONFIG_PAX_PAGEEXEC
7667 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
7668 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
7669 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
7670 +#endif
7671 +
7672 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
7673 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
7674
7675 diff -urNp linux-2.6.39.3/arch/tile/kernel/pci.c linux-2.6.39.3/arch/tile/kernel/pci.c
7676 --- linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 12:55:22.000000000 -0400
7677 +++ linux-2.6.39.3/arch/tile/kernel/pci.c 2011-06-25 13:00:25.000000000 -0400
7678 @@ -60,7 +60,7 @@ int __write_once tile_plx_gen1;
7679 static struct pci_controller controllers[TILE_NUM_PCIE];
7680 static int num_controllers;
7681
7682 -static struct pci_ops tile_cfg_ops;
7683 +static const struct pci_ops tile_cfg_ops;
7684
7685
7686 /*
7687 @@ -563,7 +563,7 @@ static int __devinit tile_cfg_write(stru
7688 }
7689
7690
7691 -static struct pci_ops tile_cfg_ops = {
7692 +static const struct pci_ops tile_cfg_ops = {
7693 .read = tile_cfg_read,
7694 .write = tile_cfg_write,
7695 };
7696 diff -urNp linux-2.6.39.3/arch/um/include/asm/kmap_types.h linux-2.6.39.3/arch/um/include/asm/kmap_types.h
7697 --- linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
7698 +++ linux-2.6.39.3/arch/um/include/asm/kmap_types.h 2011-05-22 19:36:30.000000000 -0400
7699 @@ -23,6 +23,7 @@ enum km_type {
7700 KM_IRQ1,
7701 KM_SOFTIRQ0,
7702 KM_SOFTIRQ1,
7703 + KM_CLEARPAGE,
7704 KM_TYPE_NR
7705 };
7706
7707 diff -urNp linux-2.6.39.3/arch/um/include/asm/page.h linux-2.6.39.3/arch/um/include/asm/page.h
7708 --- linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-19 00:06:34.000000000 -0400
7709 +++ linux-2.6.39.3/arch/um/include/asm/page.h 2011-05-22 19:36:30.000000000 -0400
7710 @@ -14,6 +14,9 @@
7711 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
7712 #define PAGE_MASK (~(PAGE_SIZE-1))
7713
7714 +#define ktla_ktva(addr) (addr)
7715 +#define ktva_ktla(addr) (addr)
7716 +
7717 #ifndef __ASSEMBLY__
7718
7719 struct page;
7720 diff -urNp linux-2.6.39.3/arch/um/kernel/process.c linux-2.6.39.3/arch/um/kernel/process.c
7721 --- linux-2.6.39.3/arch/um/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
7722 +++ linux-2.6.39.3/arch/um/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
7723 @@ -404,22 +404,6 @@ int singlestepping(void * t)
7724 return 2;
7725 }
7726
7727 -/*
7728 - * Only x86 and x86_64 have an arch_align_stack().
7729 - * All other arches have "#define arch_align_stack(x) (x)"
7730 - * in their asm/system.h
7731 - * As this is included in UML from asm-um/system-generic.h,
7732 - * we can use it to behave as the subarch does.
7733 - */
7734 -#ifndef arch_align_stack
7735 -unsigned long arch_align_stack(unsigned long sp)
7736 -{
7737 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7738 - sp -= get_random_int() % 8192;
7739 - return sp & ~0xf;
7740 -}
7741 -#endif
7742 -
7743 unsigned long get_wchan(struct task_struct *p)
7744 {
7745 unsigned long stack_page, sp, ip;
7746 diff -urNp linux-2.6.39.3/arch/um/sys-i386/syscalls.c linux-2.6.39.3/arch/um/sys-i386/syscalls.c
7747 --- linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-19 00:06:34.000000000 -0400
7748 +++ linux-2.6.39.3/arch/um/sys-i386/syscalls.c 2011-05-22 19:36:30.000000000 -0400
7749 @@ -11,6 +11,21 @@
7750 #include "asm/uaccess.h"
7751 #include "asm/unistd.h"
7752
7753 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7754 +{
7755 + unsigned long pax_task_size = TASK_SIZE;
7756 +
7757 +#ifdef CONFIG_PAX_SEGMEXEC
7758 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7759 + pax_task_size = SEGMEXEC_TASK_SIZE;
7760 +#endif
7761 +
7762 + if (len > pax_task_size || addr > pax_task_size - len)
7763 + return -EINVAL;
7764 +
7765 + return 0;
7766 +}
7767 +
7768 /*
7769 * The prototype on i386 is:
7770 *
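Review bot: `i386_mmap_check()` is added without a comment and never reads its `flags` parameter. The bound is deliberately written as `len > pax_task_size || addr > pax_task_size - len`, so `addr + len` is never computed and cannot wrap; that ordering should be recorded so it is not later simplified into an overflowing form, e.g. `/* len is tested first so pax_task_size - len cannot underflow */`. Under CONFIG_PAX_SEGMEXEC the function dereferences `current->mm` unchecked; whether every caller has an mm is not visible from this hunk.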
7771 diff -urNp linux-2.6.39.3/arch/unicore32/kernel/pci.c linux-2.6.39.3/arch/unicore32/kernel/pci.c
7772 --- linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-19 00:06:34.000000000 -0400
7773 +++ linux-2.6.39.3/arch/unicore32/kernel/pci.c 2011-05-22 19:36:30.000000000 -0400
7774 @@ -66,7 +66,7 @@ puv3_write_config(struct pci_bus *bus, u
7775 return PCIBIOS_SUCCESSFUL;
7776 }
7777
7778 -struct pci_ops pci_puv3_ops = {
7779 +const struct pci_ops pci_puv3_ops = {
7780 .read = puv3_read_config,
7781 .write = puv3_write_config,
7782 };
7783 diff -urNp linux-2.6.39.3/arch/x86/boot/bitops.h linux-2.6.39.3/arch/x86/boot/bitops.h
7784 --- linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-19 00:06:34.000000000 -0400
7785 +++ linux-2.6.39.3/arch/x86/boot/bitops.h 2011-05-22 19:36:30.000000000 -0400
7786 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
7787 u8 v;
7788 const u32 *p = (const u32 *)addr;
7789
7790 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7791 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
7792 return v;
7793 }
7794
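Review bot: `volatile` stops the `btl` from being dropped or merged, but the `"m" (*p)` operand still tells the compiler that only one `u32` is read, while `btl` with a register bit index can address words beyond it. If any caller passes `nr` of 32 or more (not visible here), a pending store to a later word is not ordered against the asm. A `"memory"` clobber states the real dependency: `asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr) : "memory");`. The same applies to `set_bit()` in the next hunk, whose `"+m" (*(u32 *)addr)` also covers a single word. variable_test_bit begins outside the hunk.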
7795 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
7796
7797 static inline void set_bit(int nr, void *addr)
7798 {
7799 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7800 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
7801 }
7802
7803 #endif /* BOOT_BITOPS_H */
7804 diff -urNp linux-2.6.39.3/arch/x86/boot/boot.h linux-2.6.39.3/arch/x86/boot/boot.h
7805 --- linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-19 00:06:34.000000000 -0400
7806 +++ linux-2.6.39.3/arch/x86/boot/boot.h 2011-05-22 19:36:30.000000000 -0400
7807 @@ -85,7 +85,7 @@ static inline void io_delay(void)
7808 static inline u16 ds(void)
7809 {
7810 u16 seg;
7811 - asm("movw %%ds,%0" : "=rm" (seg));
7812 + asm volatile("movw %%ds,%0" : "=rm" (seg));
7813 return seg;
7814 }
7815
7816 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
7817 static inline int memcmp(const void *s1, const void *s2, size_t len)
7818 {
7819 u8 diff;
7820 - asm("repe; cmpsb; setnz %0"
7821 + asm volatile("repe; cmpsb; setnz %0"
7822 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
7823 return diff;
7824 }
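Review bot: The `repe; cmpsb` asm in `memcmp()` lists only the two pointers and the count as operands, so nothing tells the compiler that the bytes at `s1` and `s2` are read. `volatile` prevents removal but does not order earlier stores into those buffers before the compare. Adding a clobber closes that gap: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. Separately, when `len` is 0 the `cmpsb` never executes and `setnz` reads whatever flags were left by earlier code; whether a caller can pass 0 is not visible here, but an `if (!len) return 0;` guard would make the result defined.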
7825 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_32.S linux-2.6.39.3/arch/x86/boot/compressed/head_32.S
7826 --- linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-19 00:06:34.000000000 -0400
7827 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_32.S 2011-05-22 19:36:30.000000000 -0400
7828 @@ -76,7 +76,7 @@ ENTRY(startup_32)
7829 notl %eax
7830 andl %eax, %ebx
7831 #else
7832 - movl $LOAD_PHYSICAL_ADDR, %ebx
7833 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7834 #endif
7835
7836 /* Target address to relocate to for decompression */
7837 @@ -162,7 +162,7 @@ relocated:
7838 * and where it was actually loaded.
7839 */
7840 movl %ebp, %ebx
7841 - subl $LOAD_PHYSICAL_ADDR, %ebx
7842 + subl $____LOAD_PHYSICAL_ADDR, %ebx
7843 jz 2f /* Nothing to be done if loaded at compiled addr. */
7844 /*
7845 * Process relocations.
7846 @@ -170,8 +170,7 @@ relocated:
7847
7848 1: subl $4, %edi
7849 movl (%edi), %ecx
7850 - testl %ecx, %ecx
7851 - jz 2f
7852 + jecxz 2f
7853 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
7854 jmp 1b
7855 2:
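Review bot: `jecxz 2f` encodes only an 8-bit displacement and, unlike the `testl`/`jz` pair it replaces, leaves EFLAGS untouched. Both are fine for the loop as shown, since label `2:` is two instructions away and the following `addl` sets the flags itself. A trailing comment would keep a later edit from moving the label out of range or relying on flags from the test, e.g. `jecxz 2f /* zero entry ends the list; rel8 branch, flags unchanged */`.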
7856 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/head_64.S linux-2.6.39.3/arch/x86/boot/compressed/head_64.S
7857 --- linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-19 00:06:34.000000000 -0400
7858 +++ linux-2.6.39.3/arch/x86/boot/compressed/head_64.S 2011-05-22 19:36:30.000000000 -0400
7859 @@ -91,7 +91,7 @@ ENTRY(startup_32)
7860 notl %eax
7861 andl %eax, %ebx
7862 #else
7863 - movl $LOAD_PHYSICAL_ADDR, %ebx
7864 + movl $____LOAD_PHYSICAL_ADDR, %ebx
7865 #endif
7866
7867 /* Target address to relocate to for decompression */
7868 @@ -233,7 +233,7 @@ ENTRY(startup_64)
7869 notq %rax
7870 andq %rax, %rbp
7871 #else
7872 - movq $LOAD_PHYSICAL_ADDR, %rbp
7873 + movq $____LOAD_PHYSICAL_ADDR, %rbp
7874 #endif
7875
7876 /* Target address to relocate to for decompression */
7877 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/misc.c linux-2.6.39.3/arch/x86/boot/compressed/misc.c
7878 --- linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-19 00:06:34.000000000 -0400
7879 +++ linux-2.6.39.3/arch/x86/boot/compressed/misc.c 2011-05-22 19:36:30.000000000 -0400
7880 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
7881 case PT_LOAD:
7882 #ifdef CONFIG_RELOCATABLE
7883 dest = output;
7884 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
7885 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
7886 #else
7887 dest = (void *)(phdr->p_paddr);
7888 #endif
7889 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
7890 error("Destination address too large");
7891 #endif
7892 #ifndef CONFIG_RELOCATABLE
7893 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
7894 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
7895 error("Wrong destination address");
7896 #endif
7897
7898 diff -urNp linux-2.6.39.3/arch/x86/boot/compressed/relocs.c linux-2.6.39.3/arch/x86/boot/compressed/relocs.c
7899 --- linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-19 00:06:34.000000000 -0400
7900 +++ linux-2.6.39.3/arch/x86/boot/compressed/relocs.c 2011-05-22 19:36:30.000000000 -0400
7901 @@ -13,8 +13,11 @@
7902
7903 static void die(char *fmt, ...);
7904
7905 +#include "../../../../include/generated/autoconf.h"
7906 +
7907 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
7908 static Elf32_Ehdr ehdr;
7909 +static Elf32_Phdr *phdr;
7910 static unsigned long reloc_count, reloc_idx;
7911 static unsigned long *relocs;
7912
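Review bot: The added `#include "../../../../include/generated/autoconf.h"` is resolved relative to relocs.c in the source tree. In a build that uses a separate output directory the generated header is normally written to the output tree, so this path would either fail or pick up a stale copy left in the source tree. The Makefile that builds this host tool is not on the page. Passing the generated include directory through the host compiler flags and including `<generated/autoconf.h>` would make the `CONFIG_PAGE_OFFSET` and `CONFIG_PAX_KERNEXEC` values used later come from the configuration actually being built.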
7913 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
7914 }
7915 }
7916
7917 +static void read_phdrs(FILE *fp)
7918 +{
7919 + unsigned int i;
7920 +
7921 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
7922 + if (!phdr) {
7923 + die("Unable to allocate %d program headers\n",
7924 + ehdr.e_phnum);
7925 + }
7926 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
7927 + die("Seek to %d failed: %s\n",
7928 + ehdr.e_phoff, strerror(errno));
7929 + }
7930 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
7931 + die("Cannot read ELF program headers: %s\n",
7932 + strerror(errno));
7933 + }
7934 + for(i = 0; i < ehdr.e_phnum; i++) {
7935 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
7936 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
7937 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
7938 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
7939 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
7940 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
7941 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
7942 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
7943 + }
7944 +
7945 +}
7946 +
7947 static void read_shdrs(FILE *fp)
7948 {
7949 - int i;
7950 + unsigned int i;
7951 Elf32_Shdr shdr;
7952
7953 secs = calloc(ehdr.e_shnum, sizeof(struct section));
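Review bot: `read_phdrs()` reads `e_phnum` records of `sizeof(Elf32_Phdr)` without checking `e_phentsize`, so a header table with a different entry size would be parsed at the wrong stride. `read_ehdr()` is outside the hunk, so whether it already validates that field cannot be confirmed here. A guard before the `fseek` would do: `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry\n");`. The `fread` failure path also prints `strerror(errno)`, which is not set on a plain short read, so a truncated file would yield a misleading message. read_shdrs continues outside the hunk.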
7954 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
7955
7956 static void read_strtabs(FILE *fp)
7957 {
7958 - int i;
7959 + unsigned int i;
7960 for (i = 0; i < ehdr.e_shnum; i++) {
7961 struct section *sec = &secs[i];
7962 if (sec->shdr.sh_type != SHT_STRTAB) {
7963 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
7964
7965 static void read_symtabs(FILE *fp)
7966 {
7967 - int i,j;
7968 + unsigned int i,j;
7969 for (i = 0; i < ehdr.e_shnum; i++) {
7970 struct section *sec = &secs[i];
7971 if (sec->shdr.sh_type != SHT_SYMTAB) {
7972 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
7973
7974 static void read_relocs(FILE *fp)
7975 {
7976 - int i,j;
7977 + unsigned int i,j;
7978 + uint32_t base;
7979 +
7980 for (i = 0; i < ehdr.e_shnum; i++) {
7981 struct section *sec = &secs[i];
7982 if (sec->shdr.sh_type != SHT_REL) {
7983 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
7984 die("Cannot read symbol table: %s\n",
7985 strerror(errno));
7986 }
7987 + base = 0;
7988 + for (j = 0; j < ehdr.e_phnum; j++) {
7989 + if (phdr[j].p_type != PT_LOAD )
7990 + continue;
7991 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
7992 + continue;
7993 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
7994 + break;
7995 + }
7996 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
7997 Elf32_Rel *rel = &sec->reltab[j];
7998 - rel->r_offset = elf32_to_cpu(rel->r_offset);
7999 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
8000 rel->r_info = elf32_to_cpu(rel->r_info);
8001 }
8002 }
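Review bot: When no `PT_LOAD` segment contains the target section, the new search loop leaves `base` at 0 and the relocation offsets are stored unadjusted with no diagnostic. If that is intended for sections that are never loaded, a comment should say so, e.g. `/* not in any PT_LOAD: leave offsets unadjusted */`; otherwise the case should go through `die()`. The containment test also indexes `secs[sec->shdr.sh_info]` twice on one very long line with no visible bound check on `sh_info`. Hoisting it into a local such as `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` would make the range comparison readable. read_relocs starts outside the hunk.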
8003 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
8004
8005 static void print_absolute_symbols(void)
8006 {
8007 - int i;
8008 + unsigned int i;
8009 printf("Absolute symbols\n");
8010 printf(" Num: Value Size Type Bind Visibility Name\n");
8011 for (i = 0; i < ehdr.e_shnum; i++) {
8012 struct section *sec = &secs[i];
8013 char *sym_strtab;
8014 Elf32_Sym *sh_symtab;
8015 - int j;
8016 + unsigned int j;
8017
8018 if (sec->shdr.sh_type != SHT_SYMTAB) {
8019 continue;
8020 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
8021
8022 static void print_absolute_relocs(void)
8023 {
8024 - int i, printed = 0;
8025 + unsigned int i, printed = 0;
8026
8027 for (i = 0; i < ehdr.e_shnum; i++) {
8028 struct section *sec = &secs[i];
8029 struct section *sec_applies, *sec_symtab;
8030 char *sym_strtab;
8031 Elf32_Sym *sh_symtab;
8032 - int j;
8033 + unsigned int j;
8034 if (sec->shdr.sh_type != SHT_REL) {
8035 continue;
8036 }
8037 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
8038
8039 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
8040 {
8041 - int i;
8042 + unsigned int i;
8043 /* Walk through the relocations */
8044 for (i = 0; i < ehdr.e_shnum; i++) {
8045 char *sym_strtab;
8046 Elf32_Sym *sh_symtab;
8047 struct section *sec_applies, *sec_symtab;
8048 - int j;
8049 + unsigned int j;
8050 struct section *sec = &secs[i];
8051
8052 if (sec->shdr.sh_type != SHT_REL) {
8053 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
8054 !is_rel_reloc(sym_name(sym_strtab, sym))) {
8055 continue;
8056 }
8057 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
8058 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
8059 + continue;
8060 +
8061 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
8062 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
8063 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
8064 + continue;
8065 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
8066 + continue;
8067 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
8068 + continue;
8069 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
8070 + continue;
8071 +#endif
8072 +
8073 switch (r_type) {
8074 case R_386_NONE:
8075 case R_386_PC32:
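Review bot: The new skip rules call `sec_name(sym->st_shndx)` up to five times per relocation and mix `!strcmp(...)` with bare `strcmp(...)` in one condition, so it is easy to misread which symbols are kept. A local `const char *secname = sec_name(sym->st_shndx);` and explicit `== 0` / `!= 0` comparisons would make the intent checkable at a glance. The rules are keyed on literal section names (`.data..percpu`, `.module.text`, `.init.text`, `.exit.text`, `.text`), so a rename in the linker script would silently change which relocations are emitted; the comments should name where those sections are defined. walk_relocs starts and continues outside the hunk.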
8076 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
8077
8078 static void emit_relocs(int as_text)
8079 {
8080 - int i;
8081 + unsigned int i;
8082 /* Count how many relocations I have and allocate space for them. */
8083 reloc_count = 0;
8084 walk_relocs(count_reloc);
8085 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
8086 fname, strerror(errno));
8087 }
8088 read_ehdr(fp);
8089 + read_phdrs(fp);
8090 read_shdrs(fp);
8091 read_strtabs(fp);
8092 read_symtabs(fp);
8093 diff -urNp linux-2.6.39.3/arch/x86/boot/cpucheck.c linux-2.6.39.3/arch/x86/boot/cpucheck.c
8094 --- linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-19 00:06:34.000000000 -0400
8095 +++ linux-2.6.39.3/arch/x86/boot/cpucheck.c 2011-05-22 19:36:30.000000000 -0400
8096 @@ -74,7 +74,7 @@ static int has_fpu(void)
8097 u16 fcw = -1, fsw = -1;
8098 u32 cr0;
8099
8100 - asm("movl %%cr0,%0" : "=r" (cr0));
8101 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
8102 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
8103 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
8104 asm volatile("movl %0,%%cr0" : : "r" (cr0));
8105 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
8106 {
8107 u32 f0, f1;
8108
8109 - asm("pushfl ; "
8110 + asm volatile("pushfl ; "
8111 "pushfl ; "
8112 "popl %0 ; "
8113 "movl %0,%1 ; "
8114 @@ -115,7 +115,7 @@ static void get_flags(void)
8115 set_bit(X86_FEATURE_FPU, cpu.flags);
8116
8117 if (has_eflag(X86_EFLAGS_ID)) {
8118 - asm("cpuid"
8119 + asm volatile("cpuid"
8120 : "=a" (max_intel_level),
8121 "=b" (cpu_vendor[0]),
8122 "=d" (cpu_vendor[1]),
8123 @@ -124,7 +124,7 @@ static void get_flags(void)
8124
8125 if (max_intel_level >= 0x00000001 &&
8126 max_intel_level <= 0x0000ffff) {
8127 - asm("cpuid"
8128 + asm volatile("cpuid"
8129 : "=a" (tfms),
8130 "=c" (cpu.flags[4]),
8131 "=d" (cpu.flags[0])
8132 @@ -136,7 +136,7 @@ static void get_flags(void)
8133 cpu.model += ((tfms >> 16) & 0xf) << 4;
8134 }
8135
8136 - asm("cpuid"
8137 + asm volatile("cpuid"
8138 : "=a" (max_amd_level)
8139 : "a" (0x80000000)
8140 : "ebx", "ecx", "edx");
8141 @@ -144,7 +144,7 @@ static void get_flags(void)
8142 if (max_amd_level >= 0x80000001 &&
8143 max_amd_level <= 0x8000ffff) {
8144 u32 eax = 0x80000001;
8145 - asm("cpuid"
8146 + asm volatile("cpuid"
8147 : "+a" (eax),
8148 "=c" (cpu.flags[6]),
8149 "=d" (cpu.flags[1])
8150 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8151 u32 ecx = MSR_K7_HWCR;
8152 u32 eax, edx;
8153
8154 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8155 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8156 eax &= ~(1 << 15);
8157 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8158 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8159
8160 get_flags(); /* Make sure it really did something */
8161 err = check_flags();
8162 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
8163 u32 ecx = MSR_VIA_FCR;
8164 u32 eax, edx;
8165
8166 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8167 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8168 eax |= (1<<1)|(1<<7);
8169 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8170 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8171
8172 set_bit(X86_FEATURE_CX8, cpu.flags);
8173 err = check_flags();
8174 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
8175 u32 eax, edx;
8176 u32 level = 1;
8177
8178 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8179 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8180 - asm("cpuid"
8181 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
8182 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
8183 + asm volatile("cpuid"
8184 : "+a" (level), "=d" (cpu.flags[0])
8185 : : "ecx", "ebx");
8186 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8187 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
8188
8189 err = check_flags();
8190 }
8191 diff -urNp linux-2.6.39.3/arch/x86/boot/header.S linux-2.6.39.3/arch/x86/boot/header.S
8192 --- linux-2.6.39.3/arch/x86/boot/header.S 2011-05-19 00:06:34.000000000 -0400
8193 +++ linux-2.6.39.3/arch/x86/boot/header.S 2011-05-22 19:36:30.000000000 -0400
8194 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
8195 # single linked list of
8196 # struct setup_data
8197
8198 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
8199 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
8200
8201 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
8202 #define VO_INIT_SIZE (VO__end - VO__text)
8203 diff -urNp linux-2.6.39.3/arch/x86/boot/memory.c linux-2.6.39.3/arch/x86/boot/memory.c
8204 --- linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-19 00:06:34.000000000 -0400
8205 +++ linux-2.6.39.3/arch/x86/boot/memory.c 2011-05-22 19:36:30.000000000 -0400
8206 @@ -19,7 +19,7 @@
8207
8208 static int detect_memory_e820(void)
8209 {
8210 - int count = 0;
8211 + unsigned int count = 0;
8212 struct biosregs ireg, oreg;
8213 struct e820entry *desc = boot_params.e820_map;
8214 static struct e820entry buf; /* static so it is zeroed */
8215 diff -urNp linux-2.6.39.3/arch/x86/boot/video.c linux-2.6.39.3/arch/x86/boot/video.c
8216 --- linux-2.6.39.3/arch/x86/boot/video.c 2011-05-19 00:06:34.000000000 -0400
8217 +++ linux-2.6.39.3/arch/x86/boot/video.c 2011-05-22 19:36:30.000000000 -0400
8218 @@ -96,7 +96,7 @@ static void store_mode_params(void)
8219 static unsigned int get_entry(void)
8220 {
8221 char entry_buf[4];
8222 - int i, len = 0;
8223 + unsigned int i, len = 0;
8224 int key;
8225 unsigned int v;
8226
8227 diff -urNp linux-2.6.39.3/arch/x86/boot/video-vesa.c linux-2.6.39.3/arch/x86/boot/video-vesa.c
8228 --- linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-19 00:06:34.000000000 -0400
8229 +++ linux-2.6.39.3/arch/x86/boot/video-vesa.c 2011-05-22 19:36:30.000000000 -0400
8230 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
8231
8232 boot_params.screen_info.vesapm_seg = oreg.es;
8233 boot_params.screen_info.vesapm_off = oreg.di;
8234 + boot_params.screen_info.vesapm_size = oreg.cx;
8235 }
8236
8237 /*
8238 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_aout.c linux-2.6.39.3/arch/x86/ia32/ia32_aout.c
8239 --- linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-19 00:06:34.000000000 -0400
8240 +++ linux-2.6.39.3/arch/x86/ia32/ia32_aout.c 2011-05-22 19:41:32.000000000 -0400
8241 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
8242 unsigned long dump_start, dump_size;
8243 struct user32 dump;
8244
8245 + memset(&dump, 0, sizeof(dump));
8246 +
8247 fs = get_fs();
8248 set_fs(KERNEL_DS);
8249 has_dumped = 1;
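Review bot: The added `memset(&dump, 0, sizeof(dump));` carries no comment explaining its purpose, so a later cleanup could drop it as a redundant initialisation. Suggest placing `/* zero padding and unset fields so no uninitialised kernel stack bytes end up in the core file */` above it. Whether every member of `dump` is assigned later, and where the struct is written out, is not visible here because aout_core_dump continues outside the hunk.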
8250 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32entry.S linux-2.6.39.3/arch/x86/ia32/ia32entry.S
8251 --- linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-19 00:06:34.000000000 -0400
8252 +++ linux-2.6.39.3/arch/x86/ia32/ia32entry.S 2011-05-23 17:16:01.000000000 -0400
8253 @@ -13,6 +13,7 @@
8254 #include <asm/thread_info.h>
8255 #include <asm/segment.h>
8256 #include <asm/irqflags.h>
8257 +#include <asm/pgtable.h>
8258 #include <linux/linkage.h>
8259
8260 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
8261 @@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
8262 ENDPROC(native_irq_enable_sysexit)
8263 #endif
8264
8265 + .macro pax_enter_kernel_user
8266 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8267 + call pax_enter_kernel_user
8268 +#endif
8269 + .endm
8270 +
8271 + .macro pax_exit_kernel_user
8272 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8273 + call pax_exit_kernel_user
8274 +#endif
8275 +#ifdef CONFIG_PAX_RANDKSTACK
8276 + pushq %rax
8277 + call pax_randomize_kstack
8278 + popq %rax
8279 +#endif
8280 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8281 + call pax_erase_kstack
8282 +#endif
8283 + .endm
8284 +
8285 + .macro pax_erase_kstack
8286 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
8287 + call pax_erase_kstack
8288 +#endif
8289 + .endm
8290 +
8291 /*
8292 * 32bit SYSENTER instruction entry.
8293 *
8294 @@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
8295 CFI_REGISTER rsp,rbp
8296 SWAPGS_UNSAFE_STACK
8297 movq PER_CPU_VAR(kernel_stack), %rsp
8298 - addq $(KERNEL_STACK_OFFSET),%rsp
8299 + pax_enter_kernel_user
8300 /*
8301 * No need to follow this irqs on/off section: the syscall
8302 * disabled irqs, here we enable it straight after entry:
8303 @@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
8304 CFI_REL_OFFSET rsp,0
8305 pushfq_cfi
8306 /*CFI_REL_OFFSET rflags,0*/
8307 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
8308 + GET_THREAD_INFO(%r10)
8309 + movl TI_sysenter_return(%r10), %r10d
8310 CFI_REGISTER rip,r10
8311 pushq_cfi $__USER32_CS
8312 /*CFI_REL_OFFSET cs,0*/
8313 @@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
8314 SAVE_ARGS 0,0,1
8315 /* no need to do an access_ok check here because rbp has been
8316 32bit zero extended */
8317 +
8318 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8319 + mov $PAX_USER_SHADOW_BASE,%r10
8320 + add %r10,%rbp
8321 +#endif
8322 +
8323 1: movl (%rbp),%ebp
8324 .section __ex_table,"a"
8325 .quad 1b,ia32_badarg
8326 @@ -168,6 +202,7 @@ sysenter_dispatch:
8327 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8328 jnz sysexit_audit
8329 sysexit_from_sys_call:
8330 + pax_exit_kernel_user
8331 andl $~TS_COMPAT,TI_status(%r10)
8332 /* clear IF, that popfq doesn't enable interrupts early */
8333 andl $~0x200,EFLAGS-R11(%rsp)
8334 @@ -194,6 +229,9 @@ sysexit_from_sys_call:
8335 movl %eax,%esi /* 2nd arg: syscall number */
8336 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
8337 call audit_syscall_entry
8338 +
8339 + pax_erase_kstack
8340 +
8341 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
8342 cmpq $(IA32_NR_syscalls-1),%rax
8343 ja ia32_badsys
8344 @@ -246,6 +284,9 @@ sysenter_tracesys:
8345 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
8346 movq %rsp,%rdi /* &pt_regs -> arg1 */
8347 call syscall_trace_enter
8348 +
8349 + pax_erase_kstack
8350 +
8351 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8352 RESTORE_REST
8353 cmpq $(IA32_NR_syscalls-1),%rax
8354 @@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
8355 ENTRY(ia32_cstar_target)
8356 CFI_STARTPROC32 simple
8357 CFI_SIGNAL_FRAME
8358 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
8359 + CFI_DEF_CFA rsp,0
8360 CFI_REGISTER rip,rcx
8361 /*CFI_REGISTER rflags,r11*/
8362 SWAPGS_UNSAFE_STACK
8363 movl %esp,%r8d
8364 CFI_REGISTER rsp,r8
8365 movq PER_CPU_VAR(kernel_stack),%rsp
8366 +
8367 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8368 + pax_enter_kernel_user
8369 +#endif
8370 +
8371 /*
8372 * No need to follow this irqs on/off section: the syscall
8373 * disabled irqs and here we enable it straight after entry:
8374 */
8375 ENABLE_INTERRUPTS(CLBR_NONE)
8376 - SAVE_ARGS 8,1,1
8377 + SAVE_ARGS 8*6,1,1
8378 movl %eax,%eax /* zero extension */
8379 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
8380 movq %rcx,RIP-ARGOFFSET(%rsp)
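Review bot: In ia32_cstar_target the `pax_enter_kernel_user` invocation is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, but the macro defined earlier in this file already expands to nothing without that option, and the ia32_sysenter_target and ia32_syscall entries invoke it unguarded. Dropping the outer `#ifdef`/`#endif` would keep the three entry paths textually identical, which makes it simpler to check that none of them misses the entry hook. The entry routine continues outside the hunk.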
8381 @@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
8382 /* no need to do an access_ok check here because r8 has been
8383 32bit zero extended */
8384 /* hardware stack frame is complete now */
8385 +
8386 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8387 + mov $PAX_USER_SHADOW_BASE,%r10
8388 + add %r10,%r8
8389 +#endif
8390 +
8391 1: movl (%r8),%r9d
8392 .section __ex_table,"a"
8393 .quad 1b,ia32_badarg
8394 @@ -327,6 +379,7 @@ cstar_dispatch:
8395 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
8396 jnz sysretl_audit
8397 sysretl_from_sys_call:
8398 + pax_exit_kernel_user
8399 andl $~TS_COMPAT,TI_status(%r10)
8400 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
8401 movl RIP-ARGOFFSET(%rsp),%ecx
8402 @@ -364,6 +417,9 @@ cstar_tracesys:
8403 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8404 movq %rsp,%rdi /* &pt_regs -> arg1 */
8405 call syscall_trace_enter
8406 +
8407 + pax_erase_kstack
8408 +
8409 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
8410 RESTORE_REST
8411 xchgl %ebp,%r9d
8412 @@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
8413 CFI_REL_OFFSET rip,RIP-RIP
8414 PARAVIRT_ADJUST_EXCEPTION_FRAME
8415 SWAPGS
8416 + pax_enter_kernel_user
8417 /*
8418 * No need to follow this irqs on/off section: the syscall
8419 * disabled irqs and here we enable it straight after entry:
8420 @@ -441,6 +498,9 @@ ia32_tracesys:
8421 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
8422 movq %rsp,%rdi /* &pt_regs -> arg1 */
8423 call syscall_trace_enter
8424 +
8425 + pax_erase_kstack
8426 +
8427 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
8428 RESTORE_REST
8429 cmpq $(IA32_NR_syscalls-1),%rax
8430 diff -urNp linux-2.6.39.3/arch/x86/ia32/ia32_signal.c linux-2.6.39.3/arch/x86/ia32/ia32_signal.c
8431 --- linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-19 00:06:34.000000000 -0400
8432 +++ linux-2.6.39.3/arch/x86/ia32/ia32_signal.c 2011-05-22 19:36:30.000000000 -0400
8433 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
8434 sp -= frame_size;
8435 /* Align the stack pointer according to the i386 ABI,
8436 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
8437 - sp = ((sp + 4) & -16ul) - 4;
8438 + sp = ((sp - 12) & -16ul) - 4;
8439 return (void __user *) sp;
8440 }
8441
8442 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
8443 * These are actually not used anymore, but left because some
8444 * gdb versions depend on them as a marker.
8445 */
8446 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8447 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8448 } put_user_catch(err);
8449
8450 if (err)
8451 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
8452 0xb8,
8453 __NR_ia32_rt_sigreturn,
8454 0x80cd,
8455 - 0,
8456 + 0
8457 };
8458
8459 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
8460 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
8461
8462 if (ka->sa.sa_flags & SA_RESTORER)
8463 restorer = ka->sa.sa_restorer;
8464 + else if (current->mm->context.vdso)
8465 + /* Return stub is in 32bit vsyscall page */
8466 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
8467 else
8468 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
8469 - rt_sigreturn);
8470 + restorer = &frame->retcode;
8471 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
8472
8473 /*
8474 * Not actually used anymore, but left because some gdb
8475 * versions need it.
8476 */
8477 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
8478 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
8479 } put_user_catch(err);
8480
8481 if (err)
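Review bot: The comment kept above the final `put_user_ex` still says the retcode bytes are "Not actually used anymore", yet the new `else` branch sets `restorer = &frame->retcode;` when `current->mm->context.vdso` is zero, so in that case the handler returns through this on-stack stub. The comment should be brought in line with the code, for example `/* Return stub when no vdso is mapped; some gdb versions also need it as a marker. */`. It would also help to state next to the new branch what is assumed about the executability of the signal stack for such tasks, since that cannot be determined from this hunk.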
8482 diff -urNp linux-2.6.39.3/arch/x86/include/asm/alternative.h linux-2.6.39.3/arch/x86/include/asm/alternative.h
8483 --- linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-19 00:06:34.000000000 -0400
8484 +++ linux-2.6.39.3/arch/x86/include/asm/alternative.h 2011-05-22 19:36:30.000000000 -0400
8485 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
8486 ".section .discard,\"aw\",@progbits\n" \
8487 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
8488 ".previous\n" \
8489 - ".section .altinstr_replacement, \"ax\"\n" \
8490 + ".section .altinstr_replacement, \"a\"\n" \
8491 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
8492 ".previous"
8493
8494 diff -urNp linux-2.6.39.3/arch/x86/include/asm/apm.h linux-2.6.39.3/arch/x86/include/asm/apm.h
8495 --- linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-19 00:06:34.000000000 -0400
8496 +++ linux-2.6.39.3/arch/x86/include/asm/apm.h 2011-05-22 19:36:30.000000000 -0400
8497 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
8498 __asm__ __volatile__(APM_DO_ZERO_SEGS
8499 "pushl %%edi\n\t"
8500 "pushl %%ebp\n\t"
8501 - "lcall *%%cs:apm_bios_entry\n\t"
8502 + "lcall *%%ss:apm_bios_entry\n\t"
8503 "setc %%al\n\t"
8504 "popl %%ebp\n\t"
8505 "popl %%edi\n\t"
8506 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
8507 __asm__ __volatile__(APM_DO_ZERO_SEGS
8508 "pushl %%edi\n\t"
8509 "pushl %%ebp\n\t"
8510 - "lcall *%%cs:apm_bios_entry\n\t"
8511 + "lcall *%%ss:apm_bios_entry\n\t"
8512 "setc %%bl\n\t"
8513 "popl %%ebp\n\t"
8514 "popl %%edi\n\t"
8515 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h
8516 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-19 00:06:34.000000000 -0400
8517 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_32.h 2011-05-22 19:36:30.000000000 -0400
8518 @@ -12,6 +12,14 @@ typedef struct {
8519 u64 __aligned(8) counter;
8520 } atomic64_t;
8521
8522 +#ifdef CONFIG_PAX_REFCOUNT
8523 +typedef struct {
8524 + u64 __aligned(8) counter;
8525 +} atomic64_unchecked_t;
8526 +#else
8527 +typedef atomic64_t atomic64_unchecked_t;
8528 +#endif
8529 +
8530 #define ATOMIC64_INIT(val) { (val) }
8531
8532 #ifdef CONFIG_X86_CMPXCHG64
8533 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
8534 }
8535
8536 /**
8537 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
8538 + * @p: pointer to type atomic64_unchecked_t
8539 + * @o: expected value
8540 + * @n: new value
8541 + *
8542 + * Atomically sets @v to @n if it was equal to @o and returns
8543 + * the old value.
8544 + */
8545 +
8546 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
8547 +{
8548 + return cmpxchg64(&v->counter, o, n);
8549 +}
8550 +
8551 +/**
8552 * atomic64_xchg - xchg atomic64 variable
8553 * @v: pointer to type atomic64_t
8554 * @n: value to assign
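Review bot: The kernel-doc for `atomic64_cmpxchg_unchecked` names the pointer `@p` while the parameter is `v` and the description itself refers to `@v`; the tag should read `* @v: pointer to type atomic64_unchecked_t`. The blank line between the comment and the function also detaches the two. The next hunk has the same kind of mismatch: `atomic64_set_unchecked` documents `@n: value to assign` but its parameter is `i`, so the tag should become `@i`. Both were presumably copied from the comments of the checked variants, which are not visible here.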
8555 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
8556 }
8557
8558 /**
8559 + * atomic64_set_unchecked - set atomic64 variable
8560 + * @v: pointer to type atomic64_unchecked_t
8561 + * @n: value to assign
8562 + *
8563 + * Atomically sets the value of @v to @n.
8564 + */
8565 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
8566 +{
8567 + unsigned high = (unsigned)(i >> 32);
8568 + unsigned low = (unsigned)i;
8569 + asm volatile(ATOMIC64_ALTERNATIVE(set)
8570 + : "+b" (low), "+c" (high)
8571 + : "S" (v)
8572 + : "eax", "edx", "memory"
8573 + );
8574 +}
8575 +
8576 +/**
8577 * atomic64_read - read atomic64 variable
8578 * @v: pointer to type atomic64_t
8579 *
8580 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
8581 }
8582
8583 /**
8584 + * atomic64_read_unchecked - read atomic64 variable
8585 + * @v: pointer to type atomic64_unchecked_t
8586 + *
8587 + * Atomically reads the value of @v and returns it.
8588 + */
8589 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
8590 +{
8591 + long long r;
8592 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
8593 + : "=A" (r), "+c" (v)
8594 + : : "memory"
8595 + );
8596 + return r;
8597 + }
8598 +
8599 +/**
8600 * atomic64_add_return - add and return
8601 * @i: integer value to add
8602 * @v: pointer to type atomic64_t
8603 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
8604 return i;
8605 }
8606
8607 +/**
8608 + * atomic64_add_return_unchecked - add and return
8609 + * @i: integer value to add
8610 + * @v: pointer to type atomic64_unchecked_t
8611 + *
8612 + * Atomically adds @i to @v and returns @i + *@v
8613 + */
8614 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
8615 +{
8616 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
8617 + : "+A" (i), "+c" (v)
8618 + : : "memory"
8619 + );
8620 + return i;
8621 +}
8622 +
8623 /*
8624 * Other variants with different arithmetic operators:
8625 */
8626 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
8627 return a;
8628 }
8629
8630 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8631 +{
8632 + long long a;
8633 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
8634 + : "=A" (a)
8635 + : "S" (v)
8636 + : "memory", "ecx"
8637 + );
8638 + return a;
8639 +}
8640 +
8641 static inline long long atomic64_dec_return(atomic64_t *v)
8642 {
8643 long long a;
8644 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
8645 }
8646
8647 /**
8648 + * atomic64_add_unchecked - add integer to atomic64 variable
8649 + * @i: integer value to add
8650 + * @v: pointer to type atomic64_unchecked_t
8651 + *
8652 + * Atomically adds @i to @v.
8653 + */
8654 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
8655 +{
8656 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
8657 + : "+A" (i), "+c" (v)
8658 + : : "memory"
8659 + );
8660 + return i;
8661 +}
8662 +
8663 +/**
8664 * atomic64_sub - subtract the atomic64 variable
8665 * @i: integer value to subtract
8666 * @v: pointer to type atomic64_t
8667 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h
8668 --- linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-19 00:06:34.000000000 -0400
8669 +++ linux-2.6.39.3/arch/x86/include/asm/atomic64_64.h 2011-05-22 19:36:30.000000000 -0400
8670 @@ -18,7 +18,19 @@
8671 */
8672 static inline long atomic64_read(const atomic64_t *v)
8673 {
8674 - return (*(volatile long *)&(v)->counter);
8675 + return (*(volatile const long *)&(v)->counter);
8676 +}
8677 +
8678 +/**
8679 + * atomic64_read_unchecked - read atomic64 variable
8680 + * @v: pointer of type atomic64_unchecked_t
8681 + *
8682 + * Atomically reads the value of @v.
8683 + * Doesn't imply a read memory barrier.
8684 + */
8685 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8686 +{
8687 + return (*(volatile const long *)&(v)->counter);
8688 }
8689
8690 /**
8691 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
8692 }
8693
8694 /**
8695 + * atomic64_set_unchecked - set atomic64 variable
8696 + * @v: pointer to type atomic64_unchecked_t
8697 + * @i: required value
8698 + *
8699 + * Atomically sets the value of @v to @i.
8700 + */
8701 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8702 +{
8703 + v->counter = i;
8704 +}
8705 +
8706 +/**
8707 * atomic64_add - add integer to atomic64 variable
8708 * @i: integer value to add
8709 * @v: pointer to type atomic64_t
8710 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
8711 */
8712 static inline void atomic64_add(long i, atomic64_t *v)
8713 {
8714 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8715 +
8716 +#ifdef CONFIG_PAX_REFCOUNT
8717 + "jno 0f\n"
8718 + LOCK_PREFIX "subq %1,%0\n"
8719 + "int $4\n0:\n"
8720 + _ASM_EXTABLE(0b, 0b)
8721 +#endif
8722 +
8723 + : "=m" (v->counter)
8724 + : "er" (i), "m" (v->counter));
8725 +}
8726 +
8727 +/**
8728 + * atomic64_add_unchecked - add integer to atomic64 variable
8729 + * @i: integer value to add
8730 + * @v: pointer to type atomic64_unchecked_t
8731 + *
8732 + * Atomically adds @i to @v.
8733 + */
8734 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8735 +{
8736 asm volatile(LOCK_PREFIX "addq %1,%0"
8737 : "=m" (v->counter)
8738 : "er" (i), "m" (v->counter));
8739 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
8740 */
8741 static inline void atomic64_sub(long i, atomic64_t *v)
8742 {
8743 - asm volatile(LOCK_PREFIX "subq %1,%0"
8744 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8745 +
8746 +#ifdef CONFIG_PAX_REFCOUNT
8747 + "jno 0f\n"
8748 + LOCK_PREFIX "addq %1,%0\n"
8749 + "int $4\n0:\n"
8750 + _ASM_EXTABLE(0b, 0b)
8751 +#endif
8752 +
8753 + : "=m" (v->counter)
8754 + : "er" (i), "m" (v->counter));
8755 +}
8756 +
8757 +/**
8758 + * atomic64_sub_unchecked - subtract the atomic64 variable
8759 + * @i: integer value to subtract
8760 + * @v: pointer to type atomic64_unchecked_t
8761 + *
8762 + * Atomically subtracts @i from @v.
8763 + */
8764 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
8765 +{
8766 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8767 : "=m" (v->counter)
8768 : "er" (i), "m" (v->counter));
8769 }
8770 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
8771 {
8772 unsigned char c;
8773
8774 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8775 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8776 +
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 + "jno 0f\n"
8779 + LOCK_PREFIX "addq %2,%0\n"
8780 + "int $4\n0:\n"
8781 + _ASM_EXTABLE(0b, 0b)
8782 +#endif
8783 +
8784 + "sete %1\n"
8785 : "=m" (v->counter), "=qm" (c)
8786 : "er" (i), "m" (v->counter) : "memory");
8787 return c;
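Review bot: With CONFIG_PAX_REFCOUNT the `sete %1` in `atomic64_sub_and_test` sits after label `0:`, so on the overflow path it reads the flags left by the rollback `addq` rather than by the original `subq` (assuming the `int $4` handler resumes at that label). The return value then describes the restored counter, not the attempted result, which deserves a comment such as `/* on overflow the result reflects the restored value */`. The same layout appears in the `atomic64_dec_and_test`, `atomic64_inc_and_test` and `atomic64_add_negative` hunks below and in `atomic_sub_and_test` in atomic.h.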
8788 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
8789 */
8790 static inline void atomic64_inc(atomic64_t *v)
8791 {
8792 + asm volatile(LOCK_PREFIX "incq %0\n"
8793 +
8794 +#ifdef CONFIG_PAX_REFCOUNT
8795 + "jno 0f\n"
8796 + LOCK_PREFIX "decq %0\n"
8797 + "int $4\n0:\n"
8798 + _ASM_EXTABLE(0b, 0b)
8799 +#endif
8800 +
8801 + : "=m" (v->counter)
8802 + : "m" (v->counter));
8803 +}
8804 +
8805 +/**
8806 + * atomic64_inc_unchecked - increment atomic64 variable
8807 + * @v: pointer to type atomic64_unchecked_t
8808 + *
8809 + * Atomically increments @v by 1.
8810 + */
8811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8812 +{
8813 asm volatile(LOCK_PREFIX "incq %0"
8814 : "=m" (v->counter)
8815 : "m" (v->counter));
8816 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
8817 */
8818 static inline void atomic64_dec(atomic64_t *v)
8819 {
8820 - asm volatile(LOCK_PREFIX "decq %0"
8821 + asm volatile(LOCK_PREFIX "decq %0\n"
8822 +
8823 +#ifdef CONFIG_PAX_REFCOUNT
8824 + "jno 0f\n"
8825 + LOCK_PREFIX "incq %0\n"
8826 + "int $4\n0:\n"
8827 + _ASM_EXTABLE(0b, 0b)
8828 +#endif
8829 +
8830 + : "=m" (v->counter)
8831 + : "m" (v->counter));
8832 +}
8833 +
8834 +/**
8835 + * atomic64_dec_unchecked - decrement atomic64 variable
8836 + * @v: pointer to type atomic64_t
8837 + *
8838 + * Atomically decrements @v by 1.
8839 + */
8840 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8841 +{
8842 + asm volatile(LOCK_PREFIX "decq %0\n"
8843 : "=m" (v->counter)
8844 : "m" (v->counter));
8845 }
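Review bot: The kernel-doc for `atomic64_dec_unchecked` says `@v: pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`; it should read `* @v: pointer to type atomic64_unchecked_t`, as the `atomic64_inc_unchecked` comment in the previous hunk does. Since the only difference between the two families is whether overflow is trapped, each `_unchecked` comment would benefit from one line saying so, e.g. `* Unlike atomic64_dec(), no overflow check is done under CONFIG_PAX_REFCOUNT.` The asm string here and in `atomic64_sub_unchecked` also ends in a stray `\n` that `atomic64_add_unchecked` and `atomic64_inc_unchecked` do not have.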
8846 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
8847 {
8848 unsigned char c;
8849
8850 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8851 + asm volatile(LOCK_PREFIX "decq %0\n"
8852 +
8853 +#ifdef CONFIG_PAX_REFCOUNT
8854 + "jno 0f\n"
8855 + LOCK_PREFIX "incq %0\n"
8856 + "int $4\n0:\n"
8857 + _ASM_EXTABLE(0b, 0b)
8858 +#endif
8859 +
8860 + "sete %1\n"
8861 : "=m" (v->counter), "=qm" (c)
8862 : "m" (v->counter) : "memory");
8863 return c != 0;
8864 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
8865 {
8866 unsigned char c;
8867
8868 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8869 + asm volatile(LOCK_PREFIX "incq %0\n"
8870 +
8871 +#ifdef CONFIG_PAX_REFCOUNT
8872 + "jno 0f\n"
8873 + LOCK_PREFIX "decq %0\n"
8874 + "int $4\n0:\n"
8875 + _ASM_EXTABLE(0b, 0b)
8876 +#endif
8877 +
8878 + "sete %1\n"
8879 : "=m" (v->counter), "=qm" (c)
8880 : "m" (v->counter) : "memory");
8881 return c != 0;
8882 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
8883 {
8884 unsigned char c;
8885
8886 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8887 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8888 +
8889 +#ifdef CONFIG_PAX_REFCOUNT
8890 + "jno 0f\n"
8891 + LOCK_PREFIX "subq %2,%0\n"
8892 + "int $4\n0:\n"
8893 + _ASM_EXTABLE(0b, 0b)
8894 +#endif
8895 +
8896 + "sets %1\n"
8897 : "=m" (v->counter), "=qm" (c)
8898 : "er" (i), "m" (v->counter) : "memory");
8899 return c;
8900 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
8901 static inline long atomic64_add_return(long i, atomic64_t *v)
8902 {
8903 long __i = i;
8904 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8905 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8906 +
8907 +#ifdef CONFIG_PAX_REFCOUNT
8908 + "jno 0f\n"
8909 + "movq %0, %1\n"
8910 + "int $4\n0:\n"
8911 + _ASM_EXTABLE(0b, 0b)
8912 +#endif
8913 +
8914 + : "+r" (i), "+m" (v->counter)
8915 + : : "memory");
8916 + return i + __i;
8917 +}
8918 +
8919 +/**
8920 + * atomic64_add_return_unchecked - add and return
8921 + * @i: integer value to add
8922 + * @v: pointer to type atomic64_unchecked_t
8923 + *
8924 + * Atomically adds @i to @v and returns @i + @v
8925 + */
8926 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8927 +{
8928 + long __i = i;
8929 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8930 : "+r" (i), "+m" (v->counter)
8931 : : "memory");
8932 return i + __i;
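Review bot: The overflow path in `atomic64_add_return` restores the counter with a plain `movq %0, %1`, whereas the other checked operations in this file undo the change with a `LOCK`-prefixed inverse instruction. After `xaddq`, `%0` holds the value read before the add, so the store writes that snapshot back and would discard any update another CPU made between the two instructions. If this is accepted because the path only runs once an overflow has already been detected, a comment should say so; an atomic undo would need the original addend (`__i`) passed as an extra input operand. The function still returns `i + __i` on that path, which is the overflowed sum rather than the restored value.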
8933 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
8934 }
8935
8936 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8937 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8938 +{
8939 + return atomic64_add_return_unchecked(1, v);
8940 +}
8941 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8942
8943 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8944 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
8945 return cmpxchg(&v->counter, old, new);
8946 }
8947
8948 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8949 +{
8950 + return cmpxchg(&v->counter, old, new);
8951 +}
8952 +
8953 static inline long atomic64_xchg(atomic64_t *v, long new)
8954 {
8955 return xchg(&v->counter, new);
8956 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
8957 */
8958 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8959 {
8960 - long c, old;
8961 + long c, old, new;
8962 c = atomic64_read(v);
8963 for (;;) {
8964 - if (unlikely(c == (u)))
8965 + if (unlikely(c == u))
8966 break;
8967 - old = atomic64_cmpxchg((v), c, c + (a));
8968 +
8969 + asm volatile("add %2,%0\n"
8970 +
8971 +#ifdef CONFIG_PAX_REFCOUNT
8972 + "jno 0f\n"
8973 + "sub %2,%0\n"
8974 + "int $4\n0:\n"
8975 + _ASM_EXTABLE(0b, 0b)
8976 +#endif
8977 +
8978 + : "=r" (new)
8979 + : "0" (c), "ir" (a));
8980 +
8981 + old = atomic64_cmpxchg(v, c, new);
8982 if (likely(old == c))
8983 break;
8984 c = old;
8985 }
8986 - return c != (u);
8987 + return c != u;
8988 }
8989
8990 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
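Review bot: The new inline add in `atomic64_add_unless` uses the constraint `"ir" (a)` for a `long` operand, while the other 64-bit operations in this file use `"er"`. On x86-64 `i` admits any constant, but an `add` with a 64-bit destination can only encode a sign-extended 32-bit immediate, so a constant `a` outside that range would fail to assemble; `: "0" (c), "er" (a));` avoids that. The instructions are also written without a size suffix (`add`/`sub` rather than `addq`/`subq`), unlike their neighbours.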
8991 diff -urNp linux-2.6.39.3/arch/x86/include/asm/atomic.h linux-2.6.39.3/arch/x86/include/asm/atomic.h
8992 --- linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-19 00:06:34.000000000 -0400
8993 +++ linux-2.6.39.3/arch/x86/include/asm/atomic.h 2011-05-22 19:36:30.000000000 -0400
8994 @@ -22,7 +22,18 @@
8995 */
8996 static inline int atomic_read(const atomic_t *v)
8997 {
8998 - return (*(volatile int *)&(v)->counter);
8999 + return (*(volatile const int *)&(v)->counter);
9000 +}
9001 +
9002 +/**
9003 + * atomic_read_unchecked - read atomic variable
9004 + * @v: pointer of type atomic_unchecked_t
9005 + *
9006 + * Atomically reads the value of @v.
9007 + */
9008 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
9009 +{
9010 + return (*(volatile const int *)&(v)->counter);
9011 }
9012
9013 /**
9014 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
9015 }
9016
9017 /**
9018 + * atomic_set_unchecked - set atomic variable
9019 + * @v: pointer of type atomic_unchecked_t
9020 + * @i: required value
9021 + *
9022 + * Atomically sets the value of @v to @i.
9023 + */
9024 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
9025 +{
9026 + v->counter = i;
9027 +}
9028 +
9029 +/**
9030 * atomic_add - add integer to atomic variable
9031 * @i: integer value to add
9032 * @v: pointer of type atomic_t
9033 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
9034 */
9035 static inline void atomic_add(int i, atomic_t *v)
9036 {
9037 - asm volatile(LOCK_PREFIX "addl %1,%0"
9038 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9039 +
9040 +#ifdef CONFIG_PAX_REFCOUNT
9041 + "jno 0f\n"
9042 + LOCK_PREFIX "subl %1,%0\n"
9043 + "int $4\n0:\n"
9044 + _ASM_EXTABLE(0b, 0b)
9045 +#endif
9046 +
9047 + : "+m" (v->counter)
9048 + : "ir" (i));
9049 +}
9050 +
9051 +/**
9052 + * atomic_add_unchecked - add integer to atomic variable
9053 + * @i: integer value to add
9054 + * @v: pointer of type atomic_unchecked_t
9055 + *
9056 + * Atomically adds @i to @v.
9057 + */
9058 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
9059 +{
9060 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
9061 : "+m" (v->counter)
9062 : "ir" (i));
9063 }
9064 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
9065 */
9066 static inline void atomic_sub(int i, atomic_t *v)
9067 {
9068 - asm volatile(LOCK_PREFIX "subl %1,%0"
9069 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9070 +
9071 +#ifdef CONFIG_PAX_REFCOUNT
9072 + "jno 0f\n"
9073 + LOCK_PREFIX "addl %1,%0\n"
9074 + "int $4\n0:\n"
9075 + _ASM_EXTABLE(0b, 0b)
9076 +#endif
9077 +
9078 + : "+m" (v->counter)
9079 + : "ir" (i));
9080 +}
9081 +
9082 +/**
9083 + * atomic_sub_unchecked - subtract integer from atomic variable
9084 + * @i: integer value to subtract
9085 + * @v: pointer of type atomic_unchecked_t
9086 + *
9087 + * Atomically subtracts @i from @v.
9088 + */
9089 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
9090 +{
9091 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
9092 : "+m" (v->counter)
9093 : "ir" (i));
9094 }
9095 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
9096 {
9097 unsigned char c;
9098
9099 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
9100 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
9101 +
9102 +#ifdef CONFIG_PAX_REFCOUNT
9103 + "jno 0f\n"
9104 + LOCK_PREFIX "addl %2,%0\n"
9105 + "int $4\n0:\n"
9106 + _ASM_EXTABLE(0b, 0b)
9107 +#endif
9108 +
9109 + "sete %1\n"
9110 : "+m" (v->counter), "=qm" (c)
9111 : "ir" (i) : "memory");
9112 return c;
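Review bot: On the overflow path `sete %1` no longer tests the subtraction, because it sits after label `0:` and therefore sees the flags left by the compensating `LOCK addl` (assuming the `int $4` handler resumes there with the saved flags, which is not visible in this hunk). The return value then describes the restored counter rather than the result the kernel-doc describes. The same ordering appears in the atomic_dec_and_test, atomic_inc_and_test and atomic_add_negative (`sets`) hunks below. A comment such as `/* after a trapped overflow, c reflects the rolled-back value */` would make this explicit; the function starts outside this hunk.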
9113 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
9114 */
9115 static inline void atomic_inc(atomic_t *v)
9116 {
9117 - asm volatile(LOCK_PREFIX "incl %0"
9118 + asm volatile(LOCK_PREFIX "incl %0\n"
9119 +
9120 +#ifdef CONFIG_PAX_REFCOUNT
9121 + "jno 0f\n"
9122 + LOCK_PREFIX "decl %0\n"
9123 + "int $4\n0:\n"
9124 + _ASM_EXTABLE(0b, 0b)
9125 +#endif
9126 +
9127 + : "+m" (v->counter));
9128 +}
9129 +
9130 +/**
9131 + * atomic_inc_unchecked - increment atomic variable
9132 + * @v: pointer of type atomic_unchecked_t
9133 + *
9134 + * Atomically increments @v by 1.
9135 + */
9136 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
9137 +{
9138 + asm volatile(LOCK_PREFIX "incl %0\n"
9139 : "+m" (v->counter));
9140 }
9141
9142 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
9143 */
9144 static inline void atomic_dec(atomic_t *v)
9145 {
9146 - asm volatile(LOCK_PREFIX "decl %0"
9147 + asm volatile(LOCK_PREFIX "decl %0\n"
9148 +
9149 +#ifdef CONFIG_PAX_REFCOUNT
9150 + "jno 0f\n"
9151 + LOCK_PREFIX "incl %0\n"
9152 + "int $4\n0:\n"
9153 + _ASM_EXTABLE(0b, 0b)
9154 +#endif
9155 +
9156 + : "+m" (v->counter));
9157 +}
9158 +
9159 +/**
9160 + * atomic_dec_unchecked - decrement atomic variable
9161 + * @v: pointer of type atomic_unchecked_t
9162 + *
9163 + * Atomically decrements @v by 1.
9164 + */
9165 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
9166 +{
9167 + asm volatile(LOCK_PREFIX "decl %0\n"
9168 : "+m" (v->counter));
9169 }
9170
9171 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
9172 {
9173 unsigned char c;
9174
9175 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
9176 + asm volatile(LOCK_PREFIX "decl %0\n"
9177 +
9178 +#ifdef CONFIG_PAX_REFCOUNT
9179 + "jno 0f\n"
9180 + LOCK_PREFIX "incl %0\n"
9181 + "int $4\n0:\n"
9182 + _ASM_EXTABLE(0b, 0b)
9183 +#endif
9184 +
9185 + "sete %1\n"
9186 : "+m" (v->counter), "=qm" (c)
9187 : : "memory");
9188 return c != 0;
9189 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
9190 {
9191 unsigned char c;
9192
9193 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
9194 + asm volatile(LOCK_PREFIX "incl %0\n"
9195 +
9196 +#ifdef CONFIG_PAX_REFCOUNT
9197 + "jno 0f\n"
9198 + LOCK_PREFIX "decl %0\n"
9199 + "int $4\n0:\n"
9200 + _ASM_EXTABLE(0b, 0b)
9201 +#endif
9202 +
9203 + "sete %1\n"
9204 + : "+m" (v->counter), "=qm" (c)
9205 + : : "memory");
9206 + return c != 0;
9207 +}
9208 +
9209 +/**
9210 + * atomic_inc_and_test_unchecked - increment and test
9211 + * @v: pointer of type atomic_unchecked_t
9212 + *
9213 + * Atomically increments @v by 1
9214 + * and returns true if the result is zero, or false for all
9215 + * other cases.
9216 + */
9217 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
9218 +{
9219 + unsigned char c;
9220 +
9221 + asm volatile(LOCK_PREFIX "incl %0\n"
9222 + "sete %1\n"
9223 : "+m" (v->counter), "=qm" (c)
9224 : : "memory");
9225 return c != 0;
9226 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
9227 {
9228 unsigned char c;
9229
9230 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
9231 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
9232 +
9233 +#ifdef CONFIG_PAX_REFCOUNT
9234 + "jno 0f\n"
9235 + LOCK_PREFIX "subl %2,%0\n"
9236 + "int $4\n0:\n"
9237 + _ASM_EXTABLE(0b, 0b)
9238 +#endif
9239 +
9240 + "sets %1\n"
9241 : "+m" (v->counter), "=qm" (c)
9242 : "ir" (i) : "memory");
9243 return c;
9244 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
9245 #endif
9246 /* Modern 486+ processor */
9247 __i = i;
9248 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
9249 +
9250 +#ifdef CONFIG_PAX_REFCOUNT
9251 + "jno 0f\n"
9252 + "movl %0, %1\n"
9253 + "int $4\n0:\n"
9254 + _ASM_EXTABLE(0b, 0b)
9255 +#endif
9256 +
9257 + : "+r" (i), "+m" (v->counter)
9258 + : : "memory");
9259 + return i + __i;
9260 +
9261 +#ifdef CONFIG_M386
9262 +no_xadd: /* Legacy 386 processor */
9263 + local_irq_save(flags);
9264 + __i = atomic_read(v);
9265 + atomic_set(v, i + __i);
9266 + local_irq_restore(flags);
9267 + return i + __i;
9268 +#endif
9269 +}
9270 +
9271 +/**
9272 + * atomic_add_return_unchecked - add integer and return
9273 + * @v: pointer of type atomic_unchecked_t
9274 + * @i: integer value to add
9275 + *
9276 + * Atomically adds @i to @v and returns @i + @v
9277 + */
9278 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
9279 +{
9280 + int __i;
9281 +#ifdef CONFIG_M386
9282 + unsigned long flags;
9283 + if (unlikely(boot_cpu_data.x86 <= 3))
9284 + goto no_xadd;
9285 +#endif
9286 + /* Modern 486+ processor */
9287 + __i = i;
9288 asm volatile(LOCK_PREFIX "xaddl %0, %1"
9289 : "+r" (i), "+m" (v->counter)
9290 : : "memory");
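Review bot: The rollback in the checked atomic_add_return is a plain `movl %0, %1`, not a locked read-modify-write, so any update another CPU makes between the `xaddl` and that store is overwritten with the stale old value; atomic_add above undoes with `LOCK subl` instead. Undoing with `LOCK_PREFIX "subl %2, %1\n"`, with the addend passed as an extra input `"ir" (__i)` and the first operand marked early-clobber (`"+&r" (i)`), would keep the rollback atomic. Separately, the `no_xadd` path kept for CONFIG_M386 still does `atomic_set(v, i + __i)` with no overflow check at all, which deserves at least a comment such as `/* 386 fallback: no PAX_REFCOUNT overflow detection */`. The checked function starts before this hunk and atomic_add_return_unchecked continues past its end.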
9291 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
9292 }
9293
9294 #define atomic_inc_return(v) (atomic_add_return(1, v))
9295 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
9296 +{
9297 + return atomic_add_return_unchecked(1, v);
9298 +}
9299 #define atomic_dec_return(v) (atomic_sub_return(1, v))
9300
9301 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
9302 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
9303 return cmpxchg(&v->counter, old, new);
9304 }
9305
9306 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
9307 +{
9308 + return cmpxchg(&v->counter, old, new);
9309 +}
9310 +
9311 static inline int atomic_xchg(atomic_t *v, int new)
9312 {
9313 return xchg(&v->counter, new);
9314 }
9315
9316 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
9317 +{
9318 + return xchg(&v->counter, new);
9319 +}
9320 +
9321 /**
9322 * atomic_add_unless - add unless the number is already a given value
9323 * @v: pointer of type atomic_t
9324 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
9325 */
9326 static inline int atomic_add_unless(atomic_t *v, int a, int u)
9327 {
9328 - int c, old;
9329 + int c, old, new;
9330 c = atomic_read(v);
9331 for (;;) {
9332 - if (unlikely(c == (u)))
9333 + if (unlikely(c == u))
9334 break;
9335 - old = atomic_cmpxchg((v), c, c + (a));
9336 +
9337 + asm volatile("addl %2,%0\n"
9338 +
9339 +#ifdef CONFIG_PAX_REFCOUNT
9340 + "jno 0f\n"
9341 + "subl %2,%0\n"
9342 + "int $4\n0:\n"
9343 + _ASM_EXTABLE(0b, 0b)
9344 +#endif
9345 +
9346 + : "=r" (new)
9347 + : "0" (c), "ir" (a));
9348 +
9349 + old = atomic_cmpxchg(v, c, new);
9350 if (likely(old == c))
9351 break;
9352 c = old;
9353 }
9354 - return c != (u);
9355 + return c != u;
9356 }
9357
9358 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
9359
9360 +/**
9361 + * atomic_inc_not_zero_hint - increment if not null
9362 + * @v: pointer of type atomic_t
9363 + * @hint: probable value of the atomic before the increment
9364 + *
9365 + * This version of atomic_inc_not_zero() gives a hint of probable
9366 + * value of the atomic. This helps processor to not read the memory
9367 + * before doing the atomic read/modify/write cycle, lowering
9368 + * number of bus transactions on some arches.
9369 + *
9370 + * Returns: 0 if increment was not done, 1 otherwise.
9371 + */
9372 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
9373 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
9374 +{
9375 + int val, c = hint, new;
9376 +
9377 + /* sanity test, should be removed by compiler if hint is a constant */
9378 + if (!hint)
9379 + return atomic_inc_not_zero(v);
9380 +
9381 + do {
9382 + asm volatile("incl %0\n"
9383 +
9384 +#ifdef CONFIG_PAX_REFCOUNT
9385 + "jno 0f\n"
9386 + "decl %0\n"
9387 + "int $4\n0:\n"
9388 + _ASM_EXTABLE(0b, 0b)
9389 +#endif
9390 +
9391 + : "=r" (new)
9392 + : "0" (c));
9393 +
9394 + val = atomic_cmpxchg(v, c, new);
9395 + if (val == c)
9396 + return 1;
9397 + c = val;
9398 + } while (c);
9399 +
9400 + return 0;
9401 +}
9402 +
9403 /*
9404 * atomic_dec_if_positive - decrement by 1 if old value positive
9405 * @v: pointer of type atomic_t
9406 diff -urNp linux-2.6.39.3/arch/x86/include/asm/bitops.h linux-2.6.39.3/arch/x86/include/asm/bitops.h
9407 --- linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-19 00:06:34.000000000 -0400
9408 +++ linux-2.6.39.3/arch/x86/include/asm/bitops.h 2011-05-22 19:36:30.000000000 -0400
9409 @@ -38,7 +38,7 @@
9410 * a mask operation on a byte.
9411 */
9412 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
9413 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
9414 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
9415 #define CONST_MASK(nr) (1 << ((nr) & 7))
9416
9417 /**
9418 diff -urNp linux-2.6.39.3/arch/x86/include/asm/boot.h linux-2.6.39.3/arch/x86/include/asm/boot.h
9419 --- linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-19 00:06:34.000000000 -0400
9420 +++ linux-2.6.39.3/arch/x86/include/asm/boot.h 2011-05-22 19:36:30.000000000 -0400
9421 @@ -11,10 +11,15 @@
9422 #include <asm/pgtable_types.h>
9423
9424 /* Physical address where kernel should be loaded. */
9425 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9426 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
9427 + (CONFIG_PHYSICAL_ALIGN - 1)) \
9428 & ~(CONFIG_PHYSICAL_ALIGN - 1))
9429
9430 +#ifndef __ASSEMBLY__
9431 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
9432 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
9433 +#endif
9434 +
9435 /* Minimum kernel alignment, as a power of two */
9436 #ifdef CONFIG_X86_64
9437 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
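Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__` and expands to the address of the linker symbol `__LOAD_PHYSICAL_ADDR`, so it is no longer an integer constant expression and is not available to assembly at all. Any `.S` file, `#if` test or static initializer that used the old name would have to switch to `____LOAD_PHYSICAL_ADDR`; whether such users exist cannot be seen from this hunk. A comment would help the next reader tell the three similar names apart, for example `/* C code: address supplied by the linker script; asm and constant contexts use ____LOAD_PHYSICAL_ADDR */`.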
9438 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cacheflush.h linux-2.6.39.3/arch/x86/include/asm/cacheflush.h
9439 --- linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-19 00:06:34.000000000 -0400
9440 +++ linux-2.6.39.3/arch/x86/include/asm/cacheflush.h 2011-05-22 19:36:30.000000000 -0400
9441 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
9442 unsigned long pg_flags = pg->flags & _PGMT_MASK;
9443
9444 if (pg_flags == _PGMT_DEFAULT)
9445 - return -1;
9446 + return ~0UL;
9447 else if (pg_flags == _PGMT_WC)
9448 return _PAGE_CACHE_WC;
9449 else if (pg_flags == _PGMT_UC_MINUS)
9450 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cache.h linux-2.6.39.3/arch/x86/include/asm/cache.h
9451 --- linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-05-19 00:06:34.000000000 -0400
9452 +++ linux-2.6.39.3/arch/x86/include/asm/cache.h 2011-07-06 20:00:13.000000000 -0400
9453 @@ -5,12 +5,13 @@
9454
9455 /* L1 cache line size */
9456 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
9457 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9458 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9459
9460 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9461 +#define __read_only __attribute__((__section__(".data..read_only")))
9462
9463 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
9464 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
9465 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
9466
9467 #ifdef CONFIG_X86_VSMP
9468 #ifdef CONFIG_SMP
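Review bot: `__read_only` only selects the `.data..read_only` section; nothing in this hunk makes that section write-protected, so the protection depends on linker-script and page-table changes elsewhere in the patch. I would document that next to the define, e.g. `/* placed in .data..read_only; presumably mapped read-only after init, so later writes need pax_open_kernel()/pax_close_kernel() */`. Note also that `_AC(1,UL)` turns L1_CACHE_BYTES and INTERNODE_CACHE_BYTES from `int` into `unsigned long`, which changes the type of every expression and format string they appear in.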
9469 diff -urNp linux-2.6.39.3/arch/x86/include/asm/checksum_32.h linux-2.6.39.3/arch/x86/include/asm/checksum_32.h
9470 --- linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-19 00:06:34.000000000 -0400
9471 +++ linux-2.6.39.3/arch/x86/include/asm/checksum_32.h 2011-05-22 19:36:30.000000000 -0400
9472 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
9473 int len, __wsum sum,
9474 int *src_err_ptr, int *dst_err_ptr);
9475
9476 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
9477 + int len, __wsum sum,
9478 + int *src_err_ptr, int *dst_err_ptr);
9479 +
9480 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
9481 + int len, __wsum sum,
9482 + int *src_err_ptr, int *dst_err_ptr);
9483 +
9484 /*
9485 * Note: when you get a NULL pointer exception here this means someone
9486 * passed in an incorrect kernel address to one of these functions.
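Review bot: The two new prototypes carry no `__user` annotation on the side that is a user pointer, so sparse cannot tell a kernel pointer handed to the wrong variant from a correct call, and the callers later in this file keep their `(__force void *)` casts. Declaring them as `csum_partial_copy_generic_from_user(const void __user *src, void *dst, ...)` and `csum_partial_copy_generic_to_user(const void *src, void __user *dst, ...)` would let those casts go. A one-line comment stating how each variant differs from csum_partial_copy_generic is also missing; the implementations are not in this hunk.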
9487 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
9488 int *err_ptr)
9489 {
9490 might_sleep();
9491 - return csum_partial_copy_generic((__force void *)src, dst,
9492 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
9493 len, sum, err_ptr, NULL);
9494 }
9495
9496 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
9497 {
9498 might_sleep();
9499 if (access_ok(VERIFY_WRITE, dst, len))
9500 - return csum_partial_copy_generic(src, (__force void *)dst,
9501 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
9502 len, sum, NULL, err_ptr);
9503
9504 if (len)
9505 diff -urNp linux-2.6.39.3/arch/x86/include/asm/cpufeature.h linux-2.6.39.3/arch/x86/include/asm/cpufeature.h
9506 --- linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:04:13.000000000 -0400
9507 +++ linux-2.6.39.3/arch/x86/include/asm/cpufeature.h 2011-06-03 00:32:04.000000000 -0400
9508 @@ -351,7 +351,7 @@ static __always_inline __pure bool __sta
9509 ".section .discard,\"aw\",@progbits\n"
9510 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
9511 ".previous\n"
9512 - ".section .altinstr_replacement,\"ax\"\n"
9513 + ".section .altinstr_replacement,\"a\"\n"
9514 "3: movb $1,%0\n"
9515 "4:\n"
9516 ".previous\n"
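Review bot: The flag change from `"ax"` to `"a"` on `.altinstr_replacement` has no comment, and the reason cannot be recovered from the hunk; presumably the replacement bytes are only ever copied over the original instruction and never run in place, so the section does not need to be executable. I would say so inline, e.g. `/* replacement is copied, never executed in place: keep the section non-executable */`. Every other `.section .altinstr_replacement` directive in the tree has to use the same flags, otherwise the assembler reports changed section attributes; that cannot be checked from here. The enclosing function starts and ends outside the hunk.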
9517 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc_defs.h linux-2.6.39.3/arch/x86/include/asm/desc_defs.h
9518 --- linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-19 00:06:34.000000000 -0400
9519 +++ linux-2.6.39.3/arch/x86/include/asm/desc_defs.h 2011-05-22 19:36:30.000000000 -0400
9520 @@ -31,6 +31,12 @@ struct desc_struct {
9521 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
9522 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
9523 };
9524 + struct {
9525 + u16 offset_low;
9526 + u16 seg;
9527 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
9528 + unsigned offset_high: 16;
9529 + } gate;
9530 };
9531 } __attribute__((packed));
9532
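Review bot: The new `gate` view relies on the compiler laying out the bit-fields exactly like the hardware gate descriptor (8+4+1+2+1 bits, then 16), and nothing in the hunk checks that. Since pack_gate in desc.h now writes gate entries only through these fields, a compile-time assertion in an init path, for example `BUILD_BUG_ON(sizeof(struct desc_struct) != 8);`, would catch a layout change. A short comment naming the view, such as `/* gate descriptor view: offset, selector, type, dpl, present */`, would also help.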
9533 diff -urNp linux-2.6.39.3/arch/x86/include/asm/desc.h linux-2.6.39.3/arch/x86/include/asm/desc.h
9534 --- linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-19 00:06:34.000000000 -0400
9535 +++ linux-2.6.39.3/arch/x86/include/asm/desc.h 2011-05-22 19:36:30.000000000 -0400
9536 @@ -4,6 +4,7 @@
9537 #include <asm/desc_defs.h>
9538 #include <asm/ldt.h>
9539 #include <asm/mmu.h>
9540 +#include <asm/pgtable.h>
9541 #include <linux/smp.h>
9542
9543 static inline void fill_ldt(struct desc_struct *desc,
9544 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
9545 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
9546 desc->type = (info->read_exec_only ^ 1) << 1;
9547 desc->type |= info->contents << 2;
9548 + desc->type |= info->seg_not_present ^ 1;
9549 desc->s = 1;
9550 desc->dpl = 0x3;
9551 desc->p = info->seg_not_present ^ 1;
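Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present segment, and nothing says why. Presumably it stops the CPU from having to write the accessed bit back into a descriptor table that this patch write-protects, but that intent is not visible here. I would add `/* pre-set the accessed bit so loading the segment never writes to the descriptor */` above the line. fill_ldt starts and ends outside the hunk.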
9552 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
9553 }
9554
9555 extern struct desc_ptr idt_descr;
9556 -extern gate_desc idt_table[];
9557 -
9558 -struct gdt_page {
9559 - struct desc_struct gdt[GDT_ENTRIES];
9560 -} __attribute__((aligned(PAGE_SIZE)));
9561 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
9562 +extern gate_desc idt_table[256];
9563
9564 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
9565 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
9566 {
9567 - return per_cpu(gdt_page, cpu).gdt;
9568 + return cpu_gdt_table[cpu];
9569 }
9570
9571 #ifdef CONFIG_X86_64
9572 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
9573 unsigned long base, unsigned dpl, unsigned flags,
9574 unsigned short seg)
9575 {
9576 - gate->a = (seg << 16) | (base & 0xffff);
9577 - gate->b = (base & 0xffff0000) |
9578 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
9579 + gate->gate.offset_low = base;
9580 + gate->gate.seg = seg;
9581 + gate->gate.reserved = 0;
9582 + gate->gate.type = type;
9583 + gate->gate.s = 0;
9584 + gate->gate.dpl = dpl;
9585 + gate->gate.p = 1;
9586 + gate->gate.offset_high = base >> 16;
9587 }
9588
9589 #endif
9590 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
9591 static inline void native_write_idt_entry(gate_desc *idt, int entry,
9592 const gate_desc *gate)
9593 {
9594 + pax_open_kernel();
9595 memcpy(&idt[entry], gate, sizeof(*gate));
9596 + pax_close_kernel();
9597 }
9598
9599 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
9600 const void *desc)
9601 {
9602 + pax_open_kernel();
9603 memcpy(&ldt[entry], desc, 8);
9604 + pax_close_kernel();
9605 }
9606
9607 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
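Review bot: The copies in native_write_idt_entry and native_write_ldt_entry now run with kernel write protection lifted, and `entry` is used as an index without any range check, so a bad index would be written through while protection is off. pax_open_kernel() is defined outside this page; if it does not itself keep the task on one CPU, the open/close pair also needs preemption handled by the caller. I would document the contract on each helper, e.g. `/* caller guarantees entry is inside the table; keep only the copy between open and close */`. The same bracket is added in the native_write_gdt_entry and native_load_tls hunks below.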
9608 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
9609 size = sizeof(struct desc_struct);
9610 break;
9611 }
9612 +
9613 + pax_open_kernel();
9614 memcpy(&gdt[entry], desc, size);
9615 + pax_close_kernel();
9616 }
9617
9618 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
9619 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
9620
9621 static inline void native_load_tr_desc(void)
9622 {
9623 + pax_open_kernel();
9624 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
9625 + pax_close_kernel();
9626 }
9627
9628 static inline void native_load_gdt(const struct desc_ptr *dtr)
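Review bot: It is not obvious from the source why `ltr` needs pax_open_kernel(), since the instruction has no memory operand. The likely reason is that loading the task register makes the CPU mark the TSS descriptor busy in the GDT, which is a write to a table this patch protects. A comment such as `/* ltr sets the busy bit in the GDT's TSS descriptor, so the GDT must be writable here */` would keep someone from removing the bracket as dead code.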
9629 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
9630 unsigned int i;
9631 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
9632
9633 + pax_open_kernel();
9634 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
9635 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
9636 + pax_close_kernel();
9637 }
9638
9639 #define _LDT_empty(info) \
9640 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
9641 desc->limit = (limit >> 16) & 0xf;
9642 }
9643
9644 -static inline void _set_gate(int gate, unsigned type, void *addr,
9645 +static inline void _set_gate(int gate, unsigned type, const void *addr,
9646 unsigned dpl, unsigned ist, unsigned seg)
9647 {
9648 gate_desc s;
9649 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
9650 * Pentium F0 0F bugfix can have resulted in the mapped
9651 * IDT being write-protected.
9652 */
9653 -static inline void set_intr_gate(unsigned int n, void *addr)
9654 +static inline void set_intr_gate(unsigned int n, const void *addr)
9655 {
9656 BUG_ON((unsigned)n > 0xFF);
9657 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
9658 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
9659 /*
9660 * This routine sets up an interrupt gate at directory privilege level 3.
9661 */
9662 -static inline void set_system_intr_gate(unsigned int n, void *addr)
9663 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
9664 {
9665 BUG_ON((unsigned)n > 0xFF);
9666 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
9667 }
9668
9669 -static inline void set_system_trap_gate(unsigned int n, void *addr)
9670 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
9671 {
9672 BUG_ON((unsigned)n > 0xFF);
9673 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
9674 }
9675
9676 -static inline void set_trap_gate(unsigned int n, void *addr)
9677 +static inline void set_trap_gate(unsigned int n, const void *addr)
9678 {
9679 BUG_ON((unsigned)n > 0xFF);
9680 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
9681 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
9682 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
9683 {
9684 BUG_ON((unsigned)n > 0xFF);
9685 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
9686 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
9687 }
9688
9689 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
9690 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
9691 {
9692 BUG_ON((unsigned)n > 0xFF);
9693 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
9694 }
9695
9696 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
9697 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
9698 {
9699 BUG_ON((unsigned)n > 0xFF);
9700 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
9701 }
9702
9703 +#ifdef CONFIG_X86_32
9704 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
9705 +{
9706 + struct desc_struct d;
9707 +
9708 + if (likely(limit))
9709 + limit = (limit - 1UL) >> PAGE_SHIFT;
9710 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
9711 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
9712 +}
9713 +#endif
9714 +
9715 #endif /* _ASM_X86_DESC_H */
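Review bot: set_user_cs passes the bare constants `0xFB` and `0xC` to pack_descriptor and has no comment on units or on the `limit == 0` case. Read against the descriptor format, 0xFB is present, DPL 3, code, execute/read, accessed, and 0xC is 4 KiB granularity with 32-bit default size; the shift by PAGE_SHIFT matches the granularity bit. I would add a header comment along the lines of `/* base and limit in bytes; a zero limit is passed through unchanged */` (to be confirmed against the callers, which are outside this hunk) and give the two constants names.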
9716 diff -urNp linux-2.6.39.3/arch/x86/include/asm/device.h linux-2.6.39.3/arch/x86/include/asm/device.h
9717 --- linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-19 00:06:34.000000000 -0400
9718 +++ linux-2.6.39.3/arch/x86/include/asm/device.h 2011-05-22 19:36:30.000000000 -0400
9719 @@ -6,7 +6,7 @@ struct dev_archdata {
9720 void *acpi_handle;
9721 #endif
9722 #ifdef CONFIG_X86_64
9723 -struct dma_map_ops *dma_ops;
9724 + const struct dma_map_ops *dma_ops;
9725 #endif
9726 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
9727 void *iommu; /* hook for IOMMU specific extension */
9728 diff -urNp linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h
9729 --- linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
9730 +++ linux-2.6.39.3/arch/x86/include/asm/dma-mapping.h 2011-05-22 19:36:30.000000000 -0400
9731 @@ -26,9 +26,9 @@ extern int iommu_merge;
9732 extern struct device x86_dma_fallback_dev;
9733 extern int panic_on_overflow;
9734
9735 -extern struct dma_map_ops *dma_ops;
9736 +extern const struct dma_map_ops *dma_ops;
9737
9738 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
9739 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
9740 {
9741 #ifdef CONFIG_X86_32
9742 return dma_ops;
9743 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
9744 /* Make sure we keep the same behaviour */
9745 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
9746 {
9747 - struct dma_map_ops *ops = get_dma_ops(dev);
9748 + const struct dma_map_ops *ops = get_dma_ops(dev);
9749 if (ops->mapping_error)
9750 return ops->mapping_error(dev, dma_addr);
9751
9752 @@ -115,7 +115,7 @@ static inline void *
9753 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
9754 gfp_t gfp)
9755 {
9756 - struct dma_map_ops *ops = get_dma_ops(dev);
9757 + const struct dma_map_ops *ops = get_dma_ops(dev);
9758 void *memory;
9759
9760 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
9761 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
9762 static inline void dma_free_coherent(struct device *dev, size_t size,
9763 void *vaddr, dma_addr_t bus)
9764 {
9765 - struct dma_map_ops *ops = get_dma_ops(dev);
9766 + const struct dma_map_ops *ops = get_dma_ops(dev);
9767
9768 WARN_ON(irqs_disabled()); /* for portability */
9769
9770 diff -urNp linux-2.6.39.3/arch/x86/include/asm/e820.h linux-2.6.39.3/arch/x86/include/asm/e820.h
9771 --- linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-19 00:06:34.000000000 -0400
9772 +++ linux-2.6.39.3/arch/x86/include/asm/e820.h 2011-05-22 19:36:30.000000000 -0400
9773 @@ -69,7 +69,7 @@ struct e820map {
9774 #define ISA_START_ADDRESS 0xa0000
9775 #define ISA_END_ADDRESS 0x100000
9776
9777 -#define BIOS_BEGIN 0x000a0000
9778 +#define BIOS_BEGIN 0x000c0000
9779 #define BIOS_END 0x00100000
9780
9781 #define BIOS_ROM_BASE 0xffe00000
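Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no explanation, while ISA_START_ADDRESS directly above stays at 0xa0000, so the two ranges no longer start together. The effect depends on the users of BIOS_BEGIN, which are not in this hunk; the 0xa0000-0xbffff window is conventionally the legacy video memory area. A comment such as `/* BIOS range starts above the legacy video window (0xa0000-0xbffff) */` would record the intent.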
9782 diff -urNp linux-2.6.39.3/arch/x86/include/asm/elf.h linux-2.6.39.3/arch/x86/include/asm/elf.h
9783 --- linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-19 00:06:34.000000000 -0400
9784 +++ linux-2.6.39.3/arch/x86/include/asm/elf.h 2011-05-22 19:36:30.000000000 -0400
9785 @@ -237,7 +237,25 @@ extern int force_personality32;
9786 the loader. We need to make sure that it is out of the way of the program
9787 that it will "exec", and that there is sufficient room for the brk. */
9788
9789 +#ifdef CONFIG_PAX_SEGMEXEC
9790 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
9791 +#else
9792 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
9793 +#endif
9794 +
9795 +#ifdef CONFIG_PAX_ASLR
9796 +#ifdef CONFIG_X86_32
9797 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
9798 +
9799 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9800 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
9801 +#else
9802 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
9803 +
9804 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9805 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
9806 +#endif
9807 +#endif
9808
9809 /* This yields a mask that user programs can use to figure out what
9810 instruction set this CPU supports. This could be done in user space,
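Review bot: The new PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN macros have no comment saying what the numbers mean; presumably they are the count of randomized bits at page granularity, which is how `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` reads, but the consumer is outside this hunk. They and the SEGMEXEC form of ELF_ET_DYN_BASE dereference `current->mm`, so they are only valid where the task has an mm, and that precondition should be stated too. Suggested comment: `/* number of random bits applied to the mmap/stack base, in pages (to be confirmed); requires current->mm != NULL */`.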
9811 @@ -291,8 +309,7 @@ do { \
9812 #define ARCH_DLINFO \
9813 do { \
9814 if (vdso_enabled) \
9815 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
9816 - (unsigned long)current->mm->context.vdso); \
9817 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
9818 } while (0)
9819
9820 #define AT_SYSINFO 32
9821 @@ -303,7 +320,7 @@ do { \
9822
9823 #endif /* !CONFIG_X86_32 */
9824
9825 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
9826 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
9827
9828 #define VDSO_ENTRY \
9829 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
9830 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
9831 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
9832 #define compat_arch_setup_additional_pages syscall32_setup_pages
9833
9834 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
9835 -#define arch_randomize_brk arch_randomize_brk
9836 -
9837 #endif /* _ASM_X86_ELF_H */
9838 diff -urNp linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h
9839 --- linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-19 00:06:34.000000000 -0400
9840 +++ linux-2.6.39.3/arch/x86/include/asm/emergency-restart.h 2011-05-22 19:36:30.000000000 -0400
9841 @@ -15,6 +15,6 @@ enum reboot_type {
9842
9843 extern enum reboot_type reboot_type;
9844
9845 -extern void machine_emergency_restart(void);
9846 +extern void machine_emergency_restart(void) __noreturn;
9847
9848 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
9849 diff -urNp linux-2.6.39.3/arch/x86/include/asm/futex.h linux-2.6.39.3/arch/x86/include/asm/futex.h
9850 --- linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-19 00:06:34.000000000 -0400
9851 +++ linux-2.6.39.3/arch/x86/include/asm/futex.h 2011-05-22 19:36:30.000000000 -0400
9852 @@ -12,16 +12,18 @@
9853 #include <asm/system.h>
9854
9855 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
9856 + typecheck(u32 *, uaddr); \
9857 asm volatile("1:\t" insn "\n" \
9858 "2:\t.section .fixup,\"ax\"\n" \
9859 "3:\tmov\t%3, %1\n" \
9860 "\tjmp\t2b\n" \
9861 "\t.previous\n" \
9862 _ASM_EXTABLE(1b, 3b) \
9863 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
9864 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
9865 : "i" (-EFAULT), "0" (oparg), "1" (0))
9866
9867 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
9868 + typecheck(u32 *, uaddr); \
9869 asm volatile("1:\tmovl %2, %0\n" \
9870 "\tmovl\t%0, %3\n" \
9871 "\t" insn "\n" \
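Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by the asm, but they are not wrapped in `do { ... } while (0)`. The uses visible in this file sit in `case` arms where that is harmless, yet an unbraced `if` around either macro would guard only the typecheck and run the user-memory access unconditionally. Wrapping both bodies as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)` keeps them single statements. The `__futex_atomic_op2` body continues into the next hunk.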
9872 @@ -34,7 +36,7 @@
9873 _ASM_EXTABLE(1b, 4b) \
9874 _ASM_EXTABLE(2b, 4b) \
9875 : "=&a" (oldval), "=&r" (ret), \
9876 - "+m" (*uaddr), "=&r" (tem) \
9877 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
9878 : "r" (oparg), "i" (-EFAULT), "1" (0))
9879
9880 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
9881 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
9882
9883 switch (op) {
9884 case FUTEX_OP_SET:
9885 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
9886 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
9887 break;
9888 case FUTEX_OP_ADD:
9889 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
9890 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9891 uaddr, oparg);
9892 break;
9893 case FUTEX_OP_OR:
9894 @@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
9895 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9896 return -EFAULT;
9897
9898 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
9899 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
9900 "2:\t.section .fixup, \"ax\"\n"
9901 "3:\tmov %3, %0\n"
9902 "\tjmp 2b\n"
9903 "\t.previous\n"
9904 _ASM_EXTABLE(1b, 3b)
9905 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
9906 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9907 : "i" (-EFAULT), "r" (newval), "1" (oldval)
9908 : "memory"
9909 );
9910 diff -urNp linux-2.6.39.3/arch/x86/include/asm/hw_irq.h linux-2.6.39.3/arch/x86/include/asm/hw_irq.h
9911 --- linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-19 00:06:34.000000000 -0400
9912 +++ linux-2.6.39.3/arch/x86/include/asm/hw_irq.h 2011-05-22 19:36:30.000000000 -0400
9913 @@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
9914 extern void enable_IO_APIC(void);
9915
9916 /* Statistics */
9917 -extern atomic_t irq_err_count;
9918 -extern atomic_t irq_mis_count;
9919 +extern atomic_unchecked_t irq_err_count;
9920 +extern atomic_unchecked_t irq_mis_count;
9921
9922 /* EISA */
9923 extern void eisa_set_level_irq(unsigned int irq);
9924 diff -urNp linux-2.6.39.3/arch/x86/include/asm/i387.h linux-2.6.39.3/arch/x86/include/asm/i387.h
9925 --- linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-19 00:06:34.000000000 -0400
9926 +++ linux-2.6.39.3/arch/x86/include/asm/i387.h 2011-05-22 19:36:30.000000000 -0400
9927 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
9928 {
9929 int err;
9930
9931 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9932 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9933 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9934 +#endif
9935 +
9936 /* See comment in fxsave() below. */
9937 #ifdef CONFIG_AS_FXSAVEQ
9938 asm volatile("1: fxrstorq %[fx]\n\t"
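Review bot: The rebasing by PAX_USER_SHADOW_BASE is open-coded here and again in the fxsave_user hunk below, and the two copies already differ: only the second keeps the `__user` annotation on its casts. futex.h in this same patch routes its user operand through `____m(uaddr)`; if that helper performs the same adjustment (its definition is not on this page), using it in both places would keep the logic in one spot. At minimum the block needs a comment, e.g. `/* UDEREF on x86-64: addresses below PAX_USER_SHADOW_BASE are accessed through the shadow range */`. The function starts outside this hunk.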
9939 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
9940 {
9941 int err;
9942
9943 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9944 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9945 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9946 +#endif
9947 +
9948 /*
9949 * Clear the bytes not touched by the fxsave and reserved
9950 * for the SW usage.
9951 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
9952 #endif /* CONFIG_X86_64 */
9953
9954 /* We need a safe address that is cheap to find and that is already
9955 - in L1 during context switch. The best choices are unfortunately
9956 - different for UP and SMP */
9957 -#ifdef CONFIG_SMP
9958 -#define safe_address (__per_cpu_offset[0])
9959 -#else
9960 -#define safe_address (kstat_cpu(0).cpustat.user)
9961 -#endif
9962 + in L1 during context switch. */
9963 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9964
9965 /*
9966 * These must be called with preempt disabled
9967 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
9968 struct thread_info *me = current_thread_info();
9969 preempt_disable();
9970 if (me->status & TS_USEDFPU)
9971 - __save_init_fpu(me->task);
9972 + __save_init_fpu(current);
9973 else
9974 clts();
9975 }
9976 diff -urNp linux-2.6.39.3/arch/x86/include/asm/io.h linux-2.6.39.3/arch/x86/include/asm/io.h
9977 --- linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-19 00:06:34.000000000 -0400
9978 +++ linux-2.6.39.3/arch/x86/include/asm/io.h 2011-05-22 19:36:30.000000000 -0400
9979 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
9980
9981 #include <linux/vmalloc.h>
9982
9983 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9984 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9985 +{
9986 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9987 +}
9988 +
9989 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9990 +{
9991 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9992 +}
9993 +
9994 /*
9995 * Convert a virtual cached pointer to an uncached pointer
9996 */
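Review bot: Both new range checks add before they compare, so `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range and `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range can wrap around `unsigned long` and produce a small value that passes the `<` test. If the callers do not already bound these arguments (they are not visible here), a wrap guard ahead of each return closes that gap, for example `if (count > ULONG_MAX - addr || addr + count > ULONG_MAX - (PAGE_SIZE - 1)) return 0;` and `if (pfn + (count >> PAGE_SHIFT) < pfn) return 0;`. The trailing `? 1 : 0` is redundant, since the comparison already evaluates to 0 or 1.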
9997 diff -urNp linux-2.6.39.3/arch/x86/include/asm/iommu.h linux-2.6.39.3/arch/x86/include/asm/iommu.h
9998 --- linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-19 00:06:34.000000000 -0400
9999 +++ linux-2.6.39.3/arch/x86/include/asm/iommu.h 2011-05-22 19:36:30.000000000 -0400
10000 @@ -1,7 +1,7 @@
10001 #ifndef _ASM_X86_IOMMU_H
10002 #define _ASM_X86_IOMMU_H
10003
10004 -extern struct dma_map_ops nommu_dma_ops;
10005 +extern const struct dma_map_ops nommu_dma_ops;
10006 extern int force_iommu, no_iommu;
10007 extern int iommu_detected;
10008 extern int iommu_pass_through;
10009 diff -urNp linux-2.6.39.3/arch/x86/include/asm/irqflags.h linux-2.6.39.3/arch/x86/include/asm/irqflags.h
10010 --- linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-19 00:06:34.000000000 -0400
10011 +++ linux-2.6.39.3/arch/x86/include/asm/irqflags.h 2011-05-22 19:36:30.000000000 -0400
10012 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
10013 sti; \
10014 sysexit
10015
10016 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
10017 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
10018 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
10019 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
10020 +
10021 #else
10022 #define INTERRUPT_RETURN iret
10023 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
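Review bot: The four new control-register macros overwrite %rdi without a comment saying so, and their paravirt counterparts added in the paravirt.h hunk further down additionally overwrite at least %rax and go through an indirect call. Assembly that uses `GET_CR0_INTO_RDI` or `GET_CR3_INTO_RDI` therefore has to be written for the larger clobber set to be correct in both configurations. A comment above the group, e.g. `/* clobber %rdi; the CONFIG_PARAVIRT variants also clobber %rax */`, would make that contract visible where the macros are defined.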
10024 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kprobes.h linux-2.6.39.3/arch/x86/include/asm/kprobes.h
10025 --- linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-19 00:06:34.000000000 -0400
10026 +++ linux-2.6.39.3/arch/x86/include/asm/kprobes.h 2011-05-22 19:36:30.000000000 -0400
10027 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
10028 #define RELATIVEJUMP_SIZE 5
10029 #define RELATIVECALL_OPCODE 0xe8
10030 #define RELATIVE_ADDR_SIZE 4
10031 -#define MAX_STACK_SIZE 64
10032 -#define MIN_STACK_SIZE(ADDR) \
10033 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
10034 - THREAD_SIZE - (unsigned long)(ADDR))) \
10035 - ? (MAX_STACK_SIZE) \
10036 - : (((unsigned long)current_thread_info()) + \
10037 - THREAD_SIZE - (unsigned long)(ADDR)))
10038 +#define MAX_STACK_SIZE 64UL
10039 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
10040
10041 #define flush_insn_slot(p) do { } while (0)
10042
10043 diff -urNp linux-2.6.39.3/arch/x86/include/asm/kvm_host.h linux-2.6.39.3/arch/x86/include/asm/kvm_host.h
10044 --- linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
10045 +++ linux-2.6.39.3/arch/x86/include/asm/kvm_host.h 2011-05-22 19:36:30.000000000 -0400
10046 @@ -419,7 +419,7 @@ struct kvm_arch {
10047 unsigned int n_used_mmu_pages;
10048 unsigned int n_requested_mmu_pages;
10049 unsigned int n_max_mmu_pages;
10050 - atomic_t invlpg_counter;
10051 + atomic_unchecked_t invlpg_counter;
10052 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
10053 /*
10054 * Hash table of struct kvm_mmu_page.
10055 @@ -599,7 +599,7 @@ struct kvm_arch_async_pf {
10056 bool direct_map;
10057 };
10058
10059 -extern struct kvm_x86_ops *kvm_x86_ops;
10060 +extern const struct kvm_x86_ops *kvm_x86_ops;
10061
10062 int kvm_mmu_module_init(void);
10063 void kvm_mmu_module_exit(void);
10064 diff -urNp linux-2.6.39.3/arch/x86/include/asm/local.h linux-2.6.39.3/arch/x86/include/asm/local.h
10065 --- linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-19 00:06:34.000000000 -0400
10066 +++ linux-2.6.39.3/arch/x86/include/asm/local.h 2011-05-22 19:36:30.000000000 -0400
10067 @@ -18,26 +18,58 @@ typedef struct {
10068
10069 static inline void local_inc(local_t *l)
10070 {
10071 - asm volatile(_ASM_INC "%0"
10072 + asm volatile(_ASM_INC "%0\n"
10073 +
10074 +#ifdef CONFIG_PAX_REFCOUNT
10075 + "jno 0f\n"
10076 + _ASM_DEC "%0\n"
10077 + "int $4\n0:\n"
10078 + _ASM_EXTABLE(0b, 0b)
10079 +#endif
10080 +
10081 : "+m" (l->a.counter));
10082 }
10083
10084 static inline void local_dec(local_t *l)
10085 {
10086 - asm volatile(_ASM_DEC "%0"
10087 + asm volatile(_ASM_DEC "%0\n"
10088 +
10089 +#ifdef CONFIG_PAX_REFCOUNT
10090 + "jno 0f\n"
10091 + _ASM_INC "%0\n"
10092 + "int $4\n0:\n"
10093 + _ASM_EXTABLE(0b, 0b)
10094 +#endif
10095 +
10096 : "+m" (l->a.counter));
10097 }
10098
10099 static inline void local_add(long i, local_t *l)
10100 {
10101 - asm volatile(_ASM_ADD "%1,%0"
10102 + asm volatile(_ASM_ADD "%1,%0\n"
10103 +
10104 +#ifdef CONFIG_PAX_REFCOUNT
10105 + "jno 0f\n"
10106 + _ASM_SUB "%1,%0\n"
10107 + "int $4\n0:\n"
10108 + _ASM_EXTABLE(0b, 0b)
10109 +#endif
10110 +
10111 : "+m" (l->a.counter)
10112 : "ir" (i));
10113 }
10114
10115 static inline void local_sub(long i, local_t *l)
10116 {
10117 - asm volatile(_ASM_SUB "%1,%0"
10118 + asm volatile(_ASM_SUB "%1,%0\n"
10119 +
10120 +#ifdef CONFIG_PAX_REFCOUNT
10121 + "jno 0f\n"
10122 + _ASM_ADD "%1,%0\n"
10123 + "int $4\n0:\n"
10124 + _ASM_EXTABLE(0b, 0b)
10125 +#endif
10126 +
10127 : "+m" (l->a.counter)
10128 : "ir" (i));
10129 }
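Review bot: The overflow-check sequence (`jno 0f`, the undo instruction, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into local_inc, local_dec, local_add and local_sub here and again in the five hunks that follow, differing only in the undo instruction. A helper macro that takes the undo instruction as its argument would keep the nine copies identical and give one place for a comment explaining what the `int $4` path is expected to do. The undo is a separate instruction from the update, so between the two the counter briefly holds the wrapped value; if an interrupt on the same CPU can read the counter in that window, the comment should state that or rule it out.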
10130 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
10131 {
10132 unsigned char c;
10133
10134 - asm volatile(_ASM_SUB "%2,%0; sete %1"
10135 + asm volatile(_ASM_SUB "%2,%0\n"
10136 +
10137 +#ifdef CONFIG_PAX_REFCOUNT
10138 + "jno 0f\n"
10139 + _ASM_ADD "%2,%0\n"
10140 + "int $4\n0:\n"
10141 + _ASM_EXTABLE(0b, 0b)
10142 +#endif
10143 +
10144 + "sete %1\n"
10145 : "+m" (l->a.counter), "=qm" (c)
10146 : "ir" (i) : "memory");
10147 return c;
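Review bot: In local_sub_and_test the `sete %1` now sits after label `0:`, so on the overflow path it executes after the undoing `_ASM_ADD` and reads flags that no longer come from the subtraction. If execution resumes at `0:` after `int $4` (the handler is not visible here), the function returns a result derived from the restored counter rather than from the operation the caller asked for. The same ordering is in the local_dec_and_test, local_inc_and_test and local_add_negative hunks below (`sets` in the last one). A comment stating the intended return value on the overflow path would settle it; the function starts outside the hunk.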
10148 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
10149 {
10150 unsigned char c;
10151
10152 - asm volatile(_ASM_DEC "%0; sete %1"
10153 + asm volatile(_ASM_DEC "%0\n"
10154 +
10155 +#ifdef CONFIG_PAX_REFCOUNT
10156 + "jno 0f\n"
10157 + _ASM_INC "%0\n"
10158 + "int $4\n0:\n"
10159 + _ASM_EXTABLE(0b, 0b)
10160 +#endif
10161 +
10162 + "sete %1\n"
10163 : "+m" (l->a.counter), "=qm" (c)
10164 : : "memory");
10165 return c != 0;
10166 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
10167 {
10168 unsigned char c;
10169
10170 - asm volatile(_ASM_INC "%0; sete %1"
10171 + asm volatile(_ASM_INC "%0\n"
10172 +
10173 +#ifdef CONFIG_PAX_REFCOUNT
10174 + "jno 0f\n"
10175 + _ASM_DEC "%0\n"
10176 + "int $4\n0:\n"
10177 + _ASM_EXTABLE(0b, 0b)
10178 +#endif
10179 +
10180 + "sete %1\n"
10181 : "+m" (l->a.counter), "=qm" (c)
10182 : : "memory");
10183 return c != 0;
10184 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
10185 {
10186 unsigned char c;
10187
10188 - asm volatile(_ASM_ADD "%2,%0; sets %1"
10189 + asm volatile(_ASM_ADD "%2,%0\n"
10190 +
10191 +#ifdef CONFIG_PAX_REFCOUNT
10192 + "jno 0f\n"
10193 + _ASM_SUB "%2,%0\n"
10194 + "int $4\n0:\n"
10195 + _ASM_EXTABLE(0b, 0b)
10196 +#endif
10197 +
10198 + "sets %1\n"
10199 : "+m" (l->a.counter), "=qm" (c)
10200 : "ir" (i) : "memory");
10201 return c;
10202 @@ -133,7 +201,15 @@ static inline long local_add_return(long
10203 #endif
10204 /* Modern 486+ processor */
10205 __i = i;
10206 - asm volatile(_ASM_XADD "%0, %1;"
10207 + asm volatile(_ASM_XADD "%0, %1\n"
10208 +
10209 +#ifdef CONFIG_PAX_REFCOUNT
10210 + "jno 0f\n"
10211 + _ASM_MOV "%0,%1\n"
10212 + "int $4\n0:\n"
10213 + _ASM_EXTABLE(0b, 0b)
10214 +#endif
10215 +
10216 : "+r" (i), "+m" (l->a.counter)
10217 : : "memory");
10218 return i + __i;
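Review bot: On the overflow path of local_add_return the counter is put back by the added `_ASM_MOV` line, but the function still ends in `return i + __i`, which is the wrapped sum. If execution continues after `int $4` (the handler is not visible here), the caller receives a value that does not match what is stored in the counter. Returning the restored value in that case, or documenting that the return value is unspecified after an overflow trap, would remove the ambiguity. The function starts outside the hunk.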
10219 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mce.h linux-2.6.39.3/arch/x86/include/asm/mce.h
10220 --- linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-19 00:06:34.000000000 -0400
10221 +++ linux-2.6.39.3/arch/x86/include/asm/mce.h 2011-05-22 19:36:30.000000000 -0400
10222 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
10223 void mce_notify_process(void);
10224
10225 DECLARE_PER_CPU(struct mce, injectm);
10226 -extern struct file_operations mce_chrdev_ops;
10227 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
10228
10229 /*
10230 * Exception handler
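Review bot: The comment added to the `mce_chrdev_ops` declaration ends in `mce.`, so the file it points to is cut off. It presumably means `arch/x86/kernel/cpu/mcheck/mce.c`; spelling the name out, and giving the reason the object cannot be const in a few words, saves the reader a search.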
10231 diff -urNp linux-2.6.39.3/arch/x86/include/asm/microcode.h linux-2.6.39.3/arch/x86/include/asm/microcode.h
10232 --- linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-19 00:06:34.000000000 -0400
10233 +++ linux-2.6.39.3/arch/x86/include/asm/microcode.h 2011-05-22 19:36:30.000000000 -0400
10234 @@ -12,13 +12,13 @@ struct device;
10235 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
10236
10237 struct microcode_ops {
10238 - enum ucode_state (*request_microcode_user) (int cpu,
10239 + enum ucode_state (* const request_microcode_user) (int cpu,
10240 const void __user *buf, size_t size);
10241
10242 - enum ucode_state (*request_microcode_fw) (int cpu,
10243 + enum ucode_state (* const request_microcode_fw) (int cpu,
10244 struct device *device);
10245
10246 - void (*microcode_fini_cpu) (int cpu);
10247 + void (* const microcode_fini_cpu) (int cpu);
10248
10249 /*
10250 * The generic 'microcode_core' part guarantees that
10251 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
10252 extern struct ucode_cpu_info ucode_cpu_info[];
10253
10254 #ifdef CONFIG_MICROCODE_INTEL
10255 -extern struct microcode_ops * __init init_intel_microcode(void);
10256 +extern const struct microcode_ops * __init init_intel_microcode(void);
10257 #else
10258 -static inline struct microcode_ops * __init init_intel_microcode(void)
10259 +static inline const struct microcode_ops * __init init_intel_microcode(void)
10260 {
10261 return NULL;
10262 }
10263 #endif /* CONFIG_MICROCODE_INTEL */
10264
10265 #ifdef CONFIG_MICROCODE_AMD
10266 -extern struct microcode_ops * __init init_amd_microcode(void);
10267 +extern const struct microcode_ops * __init init_amd_microcode(void);
10268
10269 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
10270 {
10271 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
10272 }
10273
10274 #else
10275 -static inline struct microcode_ops * __init init_amd_microcode(void)
10276 +static inline const struct microcode_ops * __init init_amd_microcode(void)
10277 {
10278 return NULL;
10279 }
10280 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mman.h linux-2.6.39.3/arch/x86/include/asm/mman.h
10281 --- linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-19 00:06:34.000000000 -0400
10282 +++ linux-2.6.39.3/arch/x86/include/asm/mman.h 2011-05-22 19:36:30.000000000 -0400
10283 @@ -5,4 +5,14 @@
10284
10285 #include <asm-generic/mman.h>
10286
10287 +#ifdef __KERNEL__
10288 +#ifndef __ASSEMBLY__
10289 +#ifdef CONFIG_X86_32
10290 +#define arch_mmap_check i386_mmap_check
10291 +int i386_mmap_check(unsigned long addr, unsigned long len,
10292 + unsigned long flags);
10293 +#endif
10294 +#endif
10295 +#endif
10296 +
10297 #endif /* _ASM_X86_MMAN_H */
10298 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu_context.h linux-2.6.39.3/arch/x86/include/asm/mmu_context.h
10299 --- linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-19 00:06:34.000000000 -0400
10300 +++ linux-2.6.39.3/arch/x86/include/asm/mmu_context.h 2011-05-22 19:36:30.000000000 -0400
10301 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
10302
10303 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
10304 {
10305 +
10306 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10307 + unsigned int i;
10308 + pgd_t *pgd;
10309 +
10310 + pax_open_kernel();
10311 + pgd = get_cpu_pgd(smp_processor_id());
10312 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
10313 + if (paravirt_enabled())
10314 + set_pgd(pgd+i, native_make_pgd(0));
10315 + else
10316 + pgd[i] = native_make_pgd(0);
10317 + pax_close_kernel();
10318 +#endif
10319 +
10320 #ifdef CONFIG_SMP
10321 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
10322 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
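Review bot: The new loop in enter_lazy_tlb hangs an unbraced `if`/`else` off an unbraced `for` and re-evaluates `paravirt_enabled()` on every iteration, although the result is not expected to change inside the loop. Braces around the loop body and a local such as `const bool pv = paravirt_enabled();` read before the loop would make the two write paths easier to follow. A short comment saying why the entries from `USER_PGD_PTRS` to `2 * USER_PGD_PTRS` are zeroed on entry to lazy TLB mode is also missing. The function body continues outside the hunk.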
10323 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
10324 struct task_struct *tsk)
10325 {
10326 unsigned cpu = smp_processor_id();
10327 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
10328 + int tlbstate = TLBSTATE_OK;
10329 +#endif
10330
10331 if (likely(prev != next)) {
10332 #ifdef CONFIG_SMP
10333 +#ifdef CONFIG_X86_32
10334 + tlbstate = percpu_read(cpu_tlbstate.state);
10335 +#endif
10336 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10337 percpu_write(cpu_tlbstate.active_mm, next);
10338 #endif
10339 cpumask_set_cpu(cpu, mm_cpumask(next));
10340
10341 /* Re-load page tables */
10342 +#ifdef CONFIG_PAX_PER_CPU_PGD
10343 + pax_open_kernel();
10344 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10345 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10346 + pax_close_kernel();
10347 + load_cr3(get_cpu_pgd(cpu));
10348 +#else
10349 load_cr3(next->pgd);
10350 +#endif
10351
10352 /* stop flush ipis for the previous mm */
10353 cpumask_clear_cpu(cpu, mm_cpumask(prev));
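Review bot: `tlbstate` is declared and assigned whenever CONFIG_X86_32 and CONFIG_SMP are set, but its only read, in the next hunk, is additionally guarded by CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC, so a 32-bit SMP build without those options carries a variable that is set and never used. Putting the same PAX condition on the declaration and the assignment avoids the warning. The five-line CONFIG_PAX_PER_CPU_PGD sequence added here is repeated unchanged in the `else` branch of the next hunk; a small inline helper taking `cpu` and `next` would keep the two in step. switch_mm starts before and ends after this hunk.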
10354 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
10355 */
10356 if (unlikely(prev->context.ldt != next->context.ldt))
10357 load_LDT_nolock(&next->context);
10358 - }
10359 +
10360 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10361 + if (!(__supported_pte_mask & _PAGE_NX)) {
10362 + smp_mb__before_clear_bit();
10363 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
10364 + smp_mb__after_clear_bit();
10365 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10366 + }
10367 +#endif
10368 +
10369 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10370 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
10371 + prev->context.user_cs_limit != next->context.user_cs_limit))
10372 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10373 #ifdef CONFIG_SMP
10374 + else if (unlikely(tlbstate != TLBSTATE_OK))
10375 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10376 +#endif
10377 +#endif
10378 +
10379 + }
10380 else {
10381 +
10382 +#ifdef CONFIG_PAX_PER_CPU_PGD
10383 + pax_open_kernel();
10384 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
10385 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
10386 + pax_close_kernel();
10387 + load_cr3(get_cpu_pgd(cpu));
10388 +#endif
10389 +
10390 +#ifdef CONFIG_SMP
10391 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
10392 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
10393
10394 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
10395 * tlb flush IPI delivery. We must reload CR3
10396 * to make sure to use no freed page tables.
10397 */
10398 +
10399 +#ifndef CONFIG_PAX_PER_CPU_PGD
10400 load_cr3(next->pgd);
10401 +#endif
10402 +
10403 load_LDT_nolock(&next->context);
10404 +
10405 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
10406 + if (!(__supported_pte_mask & _PAGE_NX))
10407 + cpu_set(cpu, next->context.cpu_user_cs_mask);
10408 +#endif
10409 +
10410 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
10411 +#ifdef CONFIG_PAX_PAGEEXEC
10412 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
10413 +#endif
10414 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
10415 +#endif
10416 +
10417 }
10418 - }
10419 #endif
10420 + }
10421 }
10422
10423 #define activate_mm(prev, next) \
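Review bot: In the last added block the `if (!((next->pax_flags & MF_PAX_PAGEEXEC) && ...))` line exists only under CONFIG_PAX_PAGEEXEC while the `set_user_cs(...)` call it controls sits outside that `#ifdef`, so whether the call is conditional is decided by the preprocessor and not by anything visible at the call itself. Giving the statement braces and writing the two configurations out separately, or folding the condition into a helper that is constant when PAGEEXEC is off, removes the chance of a later edit landing between the `if` and its body. The hunk covers only the tail of switch_mm.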
10424 diff -urNp linux-2.6.39.3/arch/x86/include/asm/mmu.h linux-2.6.39.3/arch/x86/include/asm/mmu.h
10425 --- linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-19 00:06:34.000000000 -0400
10426 +++ linux-2.6.39.3/arch/x86/include/asm/mmu.h 2011-05-22 19:36:30.000000000 -0400
10427 @@ -9,10 +9,22 @@
10428 * we put the segment information here.
10429 */
10430 typedef struct {
10431 - void *ldt;
10432 + struct desc_struct *ldt;
10433 int size;
10434 struct mutex lock;
10435 - void *vdso;
10436 + unsigned long vdso;
10437 +
10438 +#ifdef CONFIG_X86_32
10439 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10440 + unsigned long user_cs_base;
10441 + unsigned long user_cs_limit;
10442 +
10443 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
10444 + cpumask_t cpu_user_cs_mask;
10445 +#endif
10446 +
10447 +#endif
10448 +#endif
10449
10450 #ifdef CONFIG_X86_64
10451 /* True if mm supports a task running in 32 bit compatibility mode. */
10452 diff -urNp linux-2.6.39.3/arch/x86/include/asm/module.h linux-2.6.39.3/arch/x86/include/asm/module.h
10453 --- linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-19 00:06:34.000000000 -0400
10454 +++ linux-2.6.39.3/arch/x86/include/asm/module.h 2011-05-22 19:41:32.000000000 -0400
10455 @@ -5,6 +5,7 @@
10456
10457 #ifdef CONFIG_X86_64
10458 /* X86_64 does not define MODULE_PROC_FAMILY */
10459 +#define MODULE_PROC_FAMILY ""
10460 #elif defined CONFIG_M386
10461 #define MODULE_PROC_FAMILY "386 "
10462 #elif defined CONFIG_M486
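Review bot: The context comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is no longer true once the added line defines it as an empty string directly beneath it. The comment should be updated together with the define, for instance `/* X86_64 has no processor family string; define it empty so MODULE_ARCH_VERMAGIC can concatenate it */`.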
10463 @@ -59,8 +60,30 @@
10464 #error unknown processor family
10465 #endif
10466
10467 -#ifdef CONFIG_X86_32
10468 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
10469 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10470 +#define MODULE_PAX_UDEREF "UDEREF "
10471 +#else
10472 +#define MODULE_PAX_UDEREF ""
10473 +#endif
10474 +
10475 +#ifdef CONFIG_PAX_KERNEXEC
10476 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
10477 +#else
10478 +#define MODULE_PAX_KERNEXEC ""
10479 #endif
10480
10481 +#ifdef CONFIG_PAX_REFCOUNT
10482 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
10483 +#else
10484 +#define MODULE_PAX_REFCOUNT ""
10485 +#endif
10486 +
10487 +#ifdef CONFIG_GRKERNSEC
10488 +#define MODULE_GRSEC "GRSECURITY "
10489 +#else
10490 +#define MODULE_GRSEC ""
10491 +#endif
10492 +
10493 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
10494 +
10495 #endif /* _ASM_X86_MODULE_H */
10496 diff -urNp linux-2.6.39.3/arch/x86/include/asm/page_64_types.h linux-2.6.39.3/arch/x86/include/asm/page_64_types.h
10497 --- linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-19 00:06:34.000000000 -0400
10498 +++ linux-2.6.39.3/arch/x86/include/asm/page_64_types.h 2011-05-22 19:36:30.000000000 -0400
10499 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
10500
10501 /* duplicated to the one in bootmem.h */
10502 extern unsigned long max_pfn;
10503 -extern unsigned long phys_base;
10504 +extern const unsigned long phys_base;
10505
10506 extern unsigned long __phys_addr(unsigned long);
10507 #define __phys_reloc_hide(x) (x)
10508 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt.h linux-2.6.39.3/arch/x86/include/asm/paravirt.h
10509 --- linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-19 00:06:34.000000000 -0400
10510 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt.h 2011-05-22 19:36:30.000000000 -0400
10511 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
10512 pv_mmu_ops.set_fixmap(idx, phys, flags);
10513 }
10514
10515 +#ifdef CONFIG_PAX_KERNEXEC
10516 +static inline unsigned long pax_open_kernel(void)
10517 +{
10518 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
10519 +}
10520 +
10521 +static inline unsigned long pax_close_kernel(void)
10522 +{
10523 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
10524 +}
10525 +#else
10526 +static inline unsigned long pax_open_kernel(void) { return 0; }
10527 +static inline unsigned long pax_close_kernel(void) { return 0; }
10528 +#endif
10529 +
10530 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
10531
10532 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
10533 @@ -955,7 +970,7 @@ extern void default_banner(void);
10534
10535 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
10536 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
10537 -#define PARA_INDIRECT(addr) *%cs:addr
10538 +#define PARA_INDIRECT(addr) *%ss:addr
10539 #endif
10540
10541 #define INTERRUPT_RETURN \
10542 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
10543 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
10544 CLBR_NONE, \
10545 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
10546 +
10547 +#define GET_CR0_INTO_RDI \
10548 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
10549 + mov %rax,%rdi
10550 +
10551 +#define SET_RDI_INTO_CR0 \
10552 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10553 +
10554 +#define GET_CR3_INTO_RDI \
10555 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
10556 + mov %rax,%rdi
10557 +
10558 +#define SET_RDI_INTO_CR3 \
10559 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
10560 +
10561 #endif /* CONFIG_X86_32 */
10562
10563 #endif /* __ASSEMBLY__ */
10564 diff -urNp linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h
10565 --- linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-19 00:06:34.000000000 -0400
10566 +++ linux-2.6.39.3/arch/x86/include/asm/paravirt_types.h 2011-05-22 19:36:30.000000000 -0400
10567 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
10568 an mfn. We can tell which is which from the index. */
10569 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
10570 phys_addr_t phys, pgprot_t flags);
10571 +
10572 +#ifdef CONFIG_PAX_KERNEXEC
10573 + unsigned long (*pax_open_kernel)(void);
10574 + unsigned long (*pax_close_kernel)(void);
10575 +#endif
10576 +
10577 };
10578
10579 struct arch_spinlock;
10580 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pci_x86.h linux-2.6.39.3/arch/x86/include/asm/pci_x86.h
10581 --- linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-19 00:06:34.000000000 -0400
10582 +++ linux-2.6.39.3/arch/x86/include/asm/pci_x86.h 2011-05-22 19:36:30.000000000 -0400
10583 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
10584 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
10585
10586 struct pci_raw_ops {
10587 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10588 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
10589 int reg, int len, u32 *val);
10590 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10591 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
10592 int reg, int len, u32 val);
10593 };
10594
10595 -extern struct pci_raw_ops *raw_pci_ops;
10596 -extern struct pci_raw_ops *raw_pci_ext_ops;
10597 +extern const struct pci_raw_ops *raw_pci_ops;
10598 +extern const struct pci_raw_ops *raw_pci_ext_ops;
10599
10600 -extern struct pci_raw_ops pci_direct_conf1;
10601 +extern const struct pci_raw_ops pci_direct_conf1;
10602 extern bool port_cf9_safe;
10603
10604 /* arch_initcall level */
10605 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgalloc.h linux-2.6.39.3/arch/x86/include/asm/pgalloc.h
10606 --- linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-19 00:06:34.000000000 -0400
10607 +++ linux-2.6.39.3/arch/x86/include/asm/pgalloc.h 2011-05-22 19:36:30.000000000 -0400
10608 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
10609 pmd_t *pmd, pte_t *pte)
10610 {
10611 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10612 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
10613 +}
10614 +
10615 +static inline void pmd_populate_user(struct mm_struct *mm,
10616 + pmd_t *pmd, pte_t *pte)
10617 +{
10618 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
10619 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
10620 }
10621
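Review bot: pmd_populate_kernel changes from `_PAGE_TABLE` to `_KERNPG_TABLE`, which alters the entry written for every existing caller, and nothing in the hunk says which callers have to move to the new pmd_populate_user. A comment on each function stating which mappings it is for would make a wrong choice at a call site easier to spot in review; the call sites are outside this hunk, so they cannot be checked from here. The two bodies differ only in the flag, so a shared helper taking the flag would remove the duplication.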
10622 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h
10623 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-19 00:06:34.000000000 -0400
10624 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-2level.h 2011-05-22 19:36:30.000000000 -0400
10625 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
10626
10627 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10628 {
10629 + pax_open_kernel();
10630 *pmdp = pmd;
10631 + pax_close_kernel();
10632 }
10633
10634 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
10635 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h
10636 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-19 00:06:34.000000000 -0400
10637 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32.h 2011-05-22 19:36:30.000000000 -0400
10638 @@ -25,9 +25,6 @@
10639 struct mm_struct;
10640 struct vm_area_struct;
10641
10642 -extern pgd_t swapper_pg_dir[1024];
10643 -extern pgd_t initial_page_table[1024];
10644 -
10645 static inline void pgtable_cache_init(void) { }
10646 static inline void check_pgt_cache(void) { }
10647 void paging_init(void);
10648 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
10649 # include <asm/pgtable-2level.h>
10650 #endif
10651
10652 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
10653 +extern pgd_t initial_page_table[PTRS_PER_PGD];
10654 +#ifdef CONFIG_X86_PAE
10655 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
10656 +#endif
10657 +
10658 #if defined(CONFIG_HIGHPTE)
10659 #define pte_offset_map(dir, address) \
10660 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
10661 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
10662 /* Clear a kernel PTE and flush it from the TLB */
10663 #define kpte_clear_flush(ptep, vaddr) \
10664 do { \
10665 + pax_open_kernel(); \
10666 pte_clear(&init_mm, (vaddr), (ptep)); \
10667 + pax_close_kernel(); \
10668 __flush_tlb_one((vaddr)); \
10669 } while (0)
10670
10671 @@ -74,6 +79,9 @@ do { \
10672
10673 #endif /* !__ASSEMBLY__ */
10674
10675 +#define HAVE_ARCH_UNMAPPED_AREA
10676 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
10677 +
10678 /*
10679 * kern_addr_valid() is (1) for FLATMEM and (0) for
10680 * SPARSEMEM and DISCONTIGMEM
10681 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h
10682 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-19 00:06:34.000000000 -0400
10683 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_32_types.h 2011-05-22 19:36:30.000000000 -0400
10684 @@ -8,7 +8,7 @@
10685 */
10686 #ifdef CONFIG_X86_PAE
10687 # include <asm/pgtable-3level_types.h>
10688 -# define PMD_SIZE (1UL << PMD_SHIFT)
10689 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
10690 # define PMD_MASK (~(PMD_SIZE - 1))
10691 #else
10692 # include <asm/pgtable-2level_types.h>
10693 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
10694 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
10695 #endif
10696
10697 +#ifdef CONFIG_PAX_KERNEXEC
10698 +#ifndef __ASSEMBLY__
10699 +extern unsigned char MODULES_EXEC_VADDR[];
10700 +extern unsigned char MODULES_EXEC_END[];
10701 +#endif
10702 +#include <asm/boot.h>
10703 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
10704 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
10705 +#else
10706 +#define ktla_ktva(addr) (addr)
10707 +#define ktva_ktla(addr) (addr)
10708 +#endif
10709 +
10710 #define MODULES_VADDR VMALLOC_START
10711 #define MODULES_END VMALLOC_END
10712 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
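Review bot: The KERNEXEC variants of `ktla_ktva` and `ktva_ktla` use their argument unparenthesised, so an argument containing an operator of lower precedence than `+`/`-` (a conditional or a bitwise expression) would be combined incorrectly. `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)` avoid that. A one-line comment giving what the two abbreviations stand for would also help, since the names are not self-explanatory.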
10713 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h
10714 --- linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-19 00:06:34.000000000 -0400
10715 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable-3level.h 2011-05-22 19:36:30.000000000 -0400
10716 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
10717
10718 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10719 {
10720 + pax_open_kernel();
10721 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
10722 + pax_close_kernel();
10723 }
10724
10725 static inline void native_set_pud(pud_t *pudp, pud_t pud)
10726 {
10727 + pax_open_kernel();
10728 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
10729 + pax_close_kernel();
10730 }
10731
10732 /*
10733 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h
10734 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-19 00:06:34.000000000 -0400
10735 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64.h 2011-05-22 19:36:30.000000000 -0400
10736 @@ -16,10 +16,13 @@
10737
10738 extern pud_t level3_kernel_pgt[512];
10739 extern pud_t level3_ident_pgt[512];
10740 +extern pud_t level3_vmalloc_pgt[512];
10741 +extern pud_t level3_vmemmap_pgt[512];
10742 +extern pud_t level2_vmemmap_pgt[512];
10743 extern pmd_t level2_kernel_pgt[512];
10744 extern pmd_t level2_fixmap_pgt[512];
10745 -extern pmd_t level2_ident_pgt[512];
10746 -extern pgd_t init_level4_pgt[];
10747 +extern pmd_t level2_ident_pgt[512*2];
10748 +extern pgd_t init_level4_pgt[512];
10749
10750 #define swapper_pg_dir init_level4_pgt
10751
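Review bot: `level2_vmemmap_pgt` is declared as `pud_t` although the other `level2_*` tables in this list are `pmd_t` and the `pud_t` tables are named `level3_*`. If the definition (not visible here) is a PMD-level table, the declaration should read `extern pmd_t level2_vmemmap_pgt[512];`; if it really is `pud_t`, the name is misleading. `level2_ident_pgt[512*2]` would also be clearer with a comment saying why it spans two tables.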
10752 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
10753
10754 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
10755 {
10756 + pax_open_kernel();
10757 *pmdp = pmd;
10758 + pax_close_kernel();
10759 }
10760
10761 static inline void native_pmd_clear(pmd_t *pmd)
10762 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
10763
10764 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
10765 {
10766 + pax_open_kernel();
10767 *pgdp = pgd;
10768 + pax_close_kernel();
10769 }
10770
10771 static inline void native_pgd_clear(pgd_t *pgd)
10772 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h
10773 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-19 00:06:34.000000000 -0400
10774 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_64_types.h 2011-05-22 19:36:30.000000000 -0400
10775 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
10776 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
10777 #define MODULES_END _AC(0xffffffffff000000, UL)
10778 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
10779 +#define MODULES_EXEC_VADDR MODULES_VADDR
10780 +#define MODULES_EXEC_END MODULES_END
10781 +
10782 +#define ktla_ktva(addr) (addr)
10783 +#define ktva_ktla(addr) (addr)
10784
10785 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10786 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable.h linux-2.6.39.3/arch/x86/include/asm/pgtable.h
10787 --- linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-19 00:06:34.000000000 -0400
10788 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable.h 2011-05-22 19:36:30.000000000 -0400
10789 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
10790
10791 #define arch_end_context_switch(prev) do {} while(0)
10792
10793 +#define pax_open_kernel() native_pax_open_kernel()
10794 +#define pax_close_kernel() native_pax_close_kernel()
10795 #endif /* CONFIG_PARAVIRT */
10796
10797 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10798 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10799 +
10800 +#ifdef CONFIG_PAX_KERNEXEC
10801 +static inline unsigned long native_pax_open_kernel(void)
10802 +{
10803 + unsigned long cr0;
10804 +
10805 + preempt_disable();
10806 + barrier();
10807 + cr0 = read_cr0() ^ X86_CR0_WP;
10808 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10809 + write_cr0(cr0);
10810 + return cr0 ^ X86_CR0_WP;
10811 +}
10812 +
10813 +static inline unsigned long native_pax_close_kernel(void)
10814 +{
10815 + unsigned long cr0;
10816 +
10817 + cr0 = read_cr0() ^ X86_CR0_WP;
10818 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10819 + write_cr0(cr0);
10820 + barrier();
10821 + preempt_enable_no_resched();
10822 + return cr0 ^ X86_CR0_WP;
10823 +}
10824 +#else
10825 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10826 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10827 +#endif
10828 +
10829 /*
10830 * The following only work if pte_present() is true.
10831 * Undefined behaviour if not..
10832 */
10833 +static inline int pte_user(pte_t pte)
10834 +{
10835 + return pte_val(pte) & _PAGE_USER;
10836 +}
10837 +
10838 static inline int pte_dirty(pte_t pte)
10839 {
10840 return pte_flags(pte) & _PAGE_DIRTY;
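Review bot: `native_pax_open_kernel()` clears CR0.WP with only preemption disabled, so an interrupt taken between the open and close calls runs with kernel write protection off on that CPU. A nested `pax_open_kernel()` would trip the `BUG_ON`, because the XOR would set WP again, yet nothing in the hunk states this contract. I would add a comment above the pair such as `/* open/close must be strictly paired and never nested; the window between them runs with CR0.WP clear, keep it to the stores that need it */`. Whether callers also need interrupts masked cannot be decided from this hunk. If skipping the reschedule check via `preempt_enable_no_resched()` in the close path is deliberate, the same comment should say so.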
10841 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
10842 return pte_clear_flags(pte, _PAGE_RW);
10843 }
10844
10845 +static inline pte_t pte_mkread(pte_t pte)
10846 +{
10847 + return __pte(pte_val(pte) | _PAGE_USER);
10848 +}
10849 +
10850 static inline pte_t pte_mkexec(pte_t pte)
10851 {
10852 - return pte_clear_flags(pte, _PAGE_NX);
10853 +#ifdef CONFIG_X86_PAE
10854 + if (__supported_pte_mask & _PAGE_NX)
10855 + return pte_clear_flags(pte, _PAGE_NX);
10856 + else
10857 +#endif
10858 + return pte_set_flags(pte, _PAGE_USER);
10859 +}
10860 +
10861 +static inline pte_t pte_exprotect(pte_t pte)
10862 +{
10863 +#ifdef CONFIG_X86_PAE
10864 + if (__supported_pte_mask & _PAGE_NX)
10865 + return pte_set_flags(pte, _PAGE_NX);
10866 + else
10867 +#endif
10868 + return pte_clear_flags(pte, _PAGE_USER);
10869 }
10870
10871 static inline pte_t pte_mkdirty(pte_t pte)
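Review bot: In `pte_mkexec()` and `pte_exprotect()` the `if`/`else` is split by `#ifdef CONFIG_X86_PAE`, leaving an `else` whose body is the statement after `#endif`; this is easy to break when a line is added. Dropping the `else` keeps the same behaviour: `if (__supported_pte_mask & _PAGE_NX) return pte_clear_flags(pte, _PAGE_NX);` inside the `#ifdef`, then the unconditional `return pte_set_flags(pte, _PAGE_USER);` after it. `pte_mkread()` also ORs the bit by hand with `__pte(pte_val(pte) | _PAGE_USER)` where its neighbours use `pte_set_flags()`. If `_PAGE_USER` is meant to stand in for executability when hardware NX is unavailable, a one-line comment should say so. `pte_mkdirty()` at the end of the hunk continues outside it.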
10872 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
10873 #endif
10874
10875 #ifndef __ASSEMBLY__
10876 +
10877 +#ifdef CONFIG_PAX_PER_CPU_PGD
10878 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10879 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10880 +{
10881 + return cpu_pgd[cpu];
10882 +}
10883 +#endif
10884 +
10885 #include <linux/mm_types.h>
10886
10887 static inline int pte_none(pte_t pte)
10888 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
10889
10890 static inline int pgd_bad(pgd_t pgd)
10891 {
10892 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10893 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10894 }
10895
10896 static inline int pgd_none(pgd_t pgd)
10897 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
10898 * pgd_offset() returns a (pgd_t *)
10899 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10900 */
10901 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10902 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10903 +
10904 +#ifdef CONFIG_PAX_PER_CPU_PGD
10905 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10906 +#endif
10907 +
10908 /*
10909 * a shortcut which implies the use of the kernel's pgd, instead
10910 * of a process's
10911 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
10912 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10913 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10914
10915 +#ifdef CONFIG_X86_32
10916 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10917 +#else
10918 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10919 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10920 +
10921 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10922 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10923 +#else
10924 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10925 +#endif
10926 +
10927 +#endif
10928 +
10929 #ifndef __ASSEMBLY__
10930
10931 extern int direct_gbpages;
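Review bot: `USER_PGD_PTRS` shifts by `TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT`, and `TASK_SIZE_MAX_SHIFT` now comes from `CONFIG_TASK_SIZE_MAX_SHIFT`, so a configured value below `PGDIR_SHIFT` would give a negative shift count with no diagnostic. The Kconfig range is not visible here; if it does not already bound the value, a guard next to the define would catch it at build time: `#if TASK_SIZE_MAX_SHIFT < PGDIR_SHIFT`, `#error "TASK_SIZE_MAX_SHIFT below PGDIR_SHIFT"`, `#endif`. `PAX_USER_SHADOW_BASE` depends on the same value and would benefit from a comment on what the shadow region is.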
10932 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
10933 * dst and src can be on the same page, but the range must not overlap,
10934 * and must not cross a page boundary.
10935 */
10936 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10937 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10938 {
10939 - memcpy(dst, src, count * sizeof(pgd_t));
10940 + pax_open_kernel();
10941 + while (count--)
10942 + *dst++ = *src++;
10943 + pax_close_kernel();
10944 }
10945
10946 +#ifdef CONFIG_PAX_PER_CPU_PGD
10947 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10948 +#endif
10949 +
10950 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10951 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10952 +#else
10953 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10954 +#endif
10955
10956 #include <asm-generic/pgtable.h>
10957 #endif /* __ASSEMBLY__ */
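Review bot: `while (count--)` in `clone_pgd_range()` does not stop for a negative `count`; the loop would keep storing through `dst` inside the `pax_open_kernel()` window, where kernel write protection is lifted. `count` is a signed `int`, so `while (count-- > 0)` costs nothing and bounds the copy. The hunk also does not say why `memcpy()` was replaced by an element-wise copy, and a short comment on that would help the next reader.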
10958 diff -urNp linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h
10959 --- linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-19 00:06:34.000000000 -0400
10960 +++ linux-2.6.39.3/arch/x86/include/asm/pgtable_types.h 2011-05-22 19:36:30.000000000 -0400
10961 @@ -16,13 +16,12 @@
10962 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10963 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10964 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10965 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10966 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10967 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10968 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10969 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10970 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10971 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10972 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
10973 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10974 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
10975 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10976
10977 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10978 @@ -40,7 +39,6 @@
10979 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10980 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10981 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10982 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10983 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10984 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10985 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10986 @@ -57,8 +55,10 @@
10987
10988 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10989 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10990 -#else
10991 +#elif defined(CONFIG_KMEMCHECK)
10992 #define _PAGE_NX (_AT(pteval_t, 0))
10993 +#else
10994 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10995 #endif
10996
10997 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
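Review bot: The new `#else` branch gives `_PAGE_NX` the bit position of `_PAGE_BIT_HIDDEN`, which the earlier hunk of this file comments as "hidden by kmemcheck". The only thing keeping the two uses apart is the `#elif defined(CONFIG_KMEMCHECK)` arm above it. That coupling deserves a comment at the define, for example `/* no hardware NX: software-only marker sharing the kmemcheck bit, hence the KMEMCHECK case above */`. Code that tests `_PAGE_NX` against zero to infer hardware support would now see a non-zero value on such builds; whether any does is not visible in this hunk.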
10998 @@ -96,6 +96,9 @@
10999 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
11000 _PAGE_ACCESSED)
11001
11002 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
11003 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
11004 +
11005 #define __PAGE_KERNEL_EXEC \
11006 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
11007 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
11008 @@ -106,8 +109,8 @@
11009 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
11010 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
11011 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
11012 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
11013 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
11014 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
11015 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
11016 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
11017 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
11018 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
11019 @@ -166,8 +169,8 @@
11020 * bits are combined, this will alow user to access the high address mapped
11021 * VDSO in the presence of CONFIG_COMPAT_VDSO
11022 */
11023 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
11024 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
11025 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11026 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
11027 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
11028 #endif
11029
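Review bot: The comment ending just above these defines still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, but `PDE_IDENT_ATTR` no longer carries USER (0x067 became 0x063). The comment starts outside the hunk, so only its tail is visible, but as it stands it describes access the new values do not grant. Either update it to say the identity mappings are now supervisor-only, or note what replaces the COMPAT_VDSO access path.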
11030 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
11031 {
11032 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
11033 }
11034 +#endif
11035
11036 +#if PAGETABLE_LEVELS == 3
11037 +#include <asm-generic/pgtable-nopud.h>
11038 +#endif
11039 +
11040 +#if PAGETABLE_LEVELS == 2
11041 +#include <asm-generic/pgtable-nopmd.h>
11042 +#endif
11043 +
11044 +#ifndef __ASSEMBLY__
11045 #if PAGETABLE_LEVELS > 3
11046 typedef struct { pudval_t pud; } pud_t;
11047
11048 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
11049 return pud.pud;
11050 }
11051 #else
11052 -#include <asm-generic/pgtable-nopud.h>
11053 -
11054 static inline pudval_t native_pud_val(pud_t pud)
11055 {
11056 return native_pgd_val(pud.pgd);
11057 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
11058 return pmd.pmd;
11059 }
11060 #else
11061 -#include <asm-generic/pgtable-nopmd.h>
11062 -
11063 static inline pmdval_t native_pmd_val(pmd_t pmd)
11064 {
11065 return native_pgd_val(pmd.pud.pgd);
11066 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
11067
11068 extern pteval_t __supported_pte_mask;
11069 extern void set_nx(void);
11070 -extern int nx_enabled;
11071
11072 #define pgprot_writecombine pgprot_writecombine
11073 extern pgprot_t pgprot_writecombine(pgprot_t prot);
11074 diff -urNp linux-2.6.39.3/arch/x86/include/asm/processor.h linux-2.6.39.3/arch/x86/include/asm/processor.h
11075 --- linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-19 00:06:34.000000000 -0400
11076 +++ linux-2.6.39.3/arch/x86/include/asm/processor.h 2011-05-22 19:36:30.000000000 -0400
11077 @@ -266,7 +266,7 @@ struct tss_struct {
11078
11079 } ____cacheline_aligned;
11080
11081 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
11082 +extern struct tss_struct init_tss[NR_CPUS];
11083
11084 /*
11085 * Save the original ist values for checking stack pointers during debugging
11086 @@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
11087 */
11088 #define TASK_SIZE PAGE_OFFSET
11089 #define TASK_SIZE_MAX TASK_SIZE
11090 +
11091 +#ifdef CONFIG_PAX_SEGMEXEC
11092 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
11093 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
11094 +#else
11095 #define STACK_TOP TASK_SIZE
11096 -#define STACK_TOP_MAX STACK_TOP
11097 +#endif
11098 +
11099 +#define STACK_TOP_MAX TASK_SIZE
11100
11101 #define INIT_THREAD { \
11102 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11103 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11104 .vm86_info = NULL, \
11105 .sysenter_cs = __KERNEL_CS, \
11106 .io_bitmap_ptr = NULL, \
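Review bot: The `- 8` added to `.sp0` in `INIT_THREAD` is a bare constant, repeated in `INIT_TSS` in the next hunk and as `- 16` in the 64-bit `INIT_THREAD`/`INIT_TSS` hunk further down. Each pair presumably has to stay equal for the thread and the TSS to agree on the stack top. A named constant, or a comment at each site such as `/* reserve 8 bytes at the top of the ring0 stack; must match INIT_TSS */`, would make that dependency visible. Under CONFIG_PAX_SEGMEXEC, `STACK_TOP` also dereferences `current->mm` unconditionally, which is safe only if it is never evaluated for a task without an mm; this hunk cannot show that.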
11107 @@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
11108 */
11109 #define INIT_TSS { \
11110 .x86_tss = { \
11111 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
11112 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
11113 .ss0 = __KERNEL_DS, \
11114 .ss1 = __KERNEL_CS, \
11115 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
11116 @@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
11117 extern unsigned long thread_saved_pc(struct task_struct *tsk);
11118
11119 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
11120 -#define KSTK_TOP(info) \
11121 -({ \
11122 - unsigned long *__ptr = (unsigned long *)(info); \
11123 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
11124 -})
11125 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
11126
11127 /*
11128 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
11129 @@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
11130 #define task_pt_regs(task) \
11131 ({ \
11132 struct pt_regs *__regs__; \
11133 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
11134 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
11135 __regs__ - 1; \
11136 })
11137
11138 @@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
11139 /*
11140 * User space process size. 47bits minus one guard page.
11141 */
11142 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
11143 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
11144
11145 /* This decides where the kernel will search for a free chunk of vm
11146 * space during mmap's.
11147 */
11148 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
11149 - 0xc0000000 : 0xFFFFe000)
11150 + 0xc0000000 : 0xFFFFf000)
11151
11152 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
11153 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
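Review bot: The comment above `TASK_SIZE_MAX` still reads "47bits minus one guard page", but the size now follows `TASK_SIZE_MAX_SHIFT`. I would reword it to `/* User space process size: 2^TASK_SIZE_MAX_SHIFT minus one guard page. */`. The `IA32_PAGE_OFFSET` change from `0xFFFFe000` to `0xFFFFf000` has no explanation either; a short comment on what the top of the 32-bit address space is reserved for would help.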
11154 @@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
11155 #define STACK_TOP_MAX TASK_SIZE_MAX
11156
11157 #define INIT_THREAD { \
11158 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11159 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11160 }
11161
11162 #define INIT_TSS { \
11163 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
11164 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
11165 }
11166
11167 /*
11168 @@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
11169 */
11170 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
11171
11172 +#ifdef CONFIG_PAX_SEGMEXEC
11173 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
11174 +#endif
11175 +
11176 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
11177
11178 /* Get/set a process' ability to use the timestamp counter instruction */
11179 diff -urNp linux-2.6.39.3/arch/x86/include/asm/ptrace.h linux-2.6.39.3/arch/x86/include/asm/ptrace.h
11180 --- linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-19 00:06:34.000000000 -0400
11181 +++ linux-2.6.39.3/arch/x86/include/asm/ptrace.h 2011-05-22 19:36:30.000000000 -0400
11182 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
11183 }
11184
11185 /*
11186 - * user_mode_vm(regs) determines whether a register set came from user mode.
11187 + * user_mode(regs) determines whether a register set came from user mode.
11188 * This is true if V8086 mode was enabled OR if the register set was from
11189 * protected mode with RPL-3 CS value. This tricky test checks that with
11190 * one comparison. Many places in the kernel can bypass this full check
11191 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
11192 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
11193 + * be used.
11194 */
11195 -static inline int user_mode(struct pt_regs *regs)
11196 +static inline int user_mode_novm(struct pt_regs *regs)
11197 {
11198 #ifdef CONFIG_X86_32
11199 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
11200 #else
11201 - return !!(regs->cs & 3);
11202 + return !!(regs->cs & SEGMENT_RPL_MASK);
11203 #endif
11204 }
11205
11206 -static inline int user_mode_vm(struct pt_regs *regs)
11207 +static inline int user_mode(struct pt_regs *regs)
11208 {
11209 #ifdef CONFIG_X86_32
11210 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
11211 USER_RPL;
11212 #else
11213 - return user_mode(regs);
11214 + return user_mode_novm(regs);
11215 #endif
11216 }
11217
11218 diff -urNp linux-2.6.39.3/arch/x86/include/asm/reboot.h linux-2.6.39.3/arch/x86/include/asm/reboot.h
11219 --- linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-19 00:06:34.000000000 -0400
11220 +++ linux-2.6.39.3/arch/x86/include/asm/reboot.h 2011-05-22 19:36:30.000000000 -0400
11221 @@ -6,19 +6,19 @@
11222 struct pt_regs;
11223
11224 struct machine_ops {
11225 - void (*restart)(char *cmd);
11226 - void (*halt)(void);
11227 - void (*power_off)(void);
11228 + void (* __noreturn restart)(char *cmd);
11229 + void (* __noreturn halt)(void);
11230 + void (* __noreturn power_off)(void);
11231 void (*shutdown)(void);
11232 void (*crash_shutdown)(struct pt_regs *);
11233 - void (*emergency_restart)(void);
11234 + void (* __noreturn emergency_restart)(void);
11235 };
11236
11237 extern struct machine_ops machine_ops;
11238
11239 void native_machine_crash_shutdown(struct pt_regs *regs);
11240 void native_machine_shutdown(void);
11241 -void machine_real_restart(unsigned int type);
11242 +void machine_real_restart(unsigned int type) __noreturn;
11243 /* These must match dispatch_table in reboot_32.S */
11244 #define MRR_BIOS 0
11245 #define MRR_APM 1
11246 diff -urNp linux-2.6.39.3/arch/x86/include/asm/rwsem.h linux-2.6.39.3/arch/x86/include/asm/rwsem.h
11247 --- linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-19 00:06:34.000000000 -0400
11248 +++ linux-2.6.39.3/arch/x86/include/asm/rwsem.h 2011-05-22 19:36:30.000000000 -0400
11249 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw
11250 {
11251 asm volatile("# beginning down_read\n\t"
11252 LOCK_PREFIX _ASM_INC "(%1)\n\t"
11253 +
11254 +#ifdef CONFIG_PAX_REFCOUNT
11255 + "jno 0f\n"
11256 + LOCK_PREFIX _ASM_DEC "(%1)\n"
11257 + "int $4\n0:\n"
11258 + _ASM_EXTABLE(0b, 0b)
11259 +#endif
11260 +
11261 /* adds 0x00000001 */
11262 " jns 1f\n"
11263 " call call_rwsem_down_read_failed\n"
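Review bot: The CONFIG_PAX_REFCOUNT sequence (`jno 0f`, an undo instruction, `int $4`, the `0:` label, `_ASM_EXTABLE(0b, 0b)`) is pasted into every asm block touched in this file and again in the spinlock.h hunks, differing only in the undo instruction. A single helper macro taking the undo instruction as its argument would keep the copies from drifting. It would also give one place for a comment explaining the idiom, which none of the sites has. As far as the visible lines show, the idiom tests the overflow flag after the locked update, reverts the update, raises the overflow trap and registers an exception-table entry at the resume label. `__down_read()` starts and ends outside the hunk.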
11264 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
11265 "1:\n\t"
11266 " mov %1,%2\n\t"
11267 " add %3,%2\n\t"
11268 +
11269 +#ifdef CONFIG_PAX_REFCOUNT
11270 + "jno 0f\n"
11271 + "sub %3,%2\n"
11272 + "int $4\n0:\n"
11273 + _ASM_EXTABLE(0b, 0b)
11274 +#endif
11275 +
11276 " jle 2f\n\t"
11277 LOCK_PREFIX " cmpxchg %2,%0\n\t"
11278 " jnz 1b\n\t"
11279 @@ -104,6 +120,14 @@ static inline void __down_write_nested(s
11280 long tmp;
11281 asm volatile("# beginning down_write\n\t"
11282 LOCK_PREFIX " xadd %1,(%2)\n\t"
11283 +
11284 +#ifdef CONFIG_PAX_REFCOUNT
11285 + "jno 0f\n"
11286 + "mov %1,(%2)\n"
11287 + "int $4\n0:\n"
11288 + _ASM_EXTABLE(0b, 0b)
11289 +#endif
11290 +
11291 /* adds 0xffff0001, returns the old value */
11292 " test %1,%1\n\t"
11293 /* was the count 0 before? */
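Review bot: After the locked `xadd %1,(%2)` the overflow path restores the counter with a plain `mov %1,(%2)`, which is not an atomic undo: any update another CPU made to the count between the xadd and the store is overwritten. The `__down_read()` and `__downgrade_write()` hunks revert with a `LOCK_PREFIX`ed `dec`/`sub` instead. The same plain store appears in the `__up_read()`, `__up_write()` and `rwsem_atomic_update()` hunks. If the lost update is accepted because the path ends in a trap, a comment saying so belongs at each site; otherwise the revert should be a locked operation too. `__down_write_nested()` starts and ends outside the hunk.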
11294 @@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
11295 long tmp;
11296 asm volatile("# beginning __up_read\n\t"
11297 LOCK_PREFIX " xadd %1,(%2)\n\t"
11298 +
11299 +#ifdef CONFIG_PAX_REFCOUNT
11300 + "jno 0f\n"
11301 + "mov %1,(%2)\n"
11302 + "int $4\n0:\n"
11303 + _ASM_EXTABLE(0b, 0b)
11304 +#endif
11305 +
11306 /* subtracts 1, returns the old value */
11307 " jns 1f\n\t"
11308 " call call_rwsem_wake\n" /* expects old value in %edx */
11309 @@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
11310 long tmp;
11311 asm volatile("# beginning __up_write\n\t"
11312 LOCK_PREFIX " xadd %1,(%2)\n\t"
11313 +
11314 +#ifdef CONFIG_PAX_REFCOUNT
11315 + "jno 0f\n"
11316 + "mov %1,(%2)\n"
11317 + "int $4\n0:\n"
11318 + _ASM_EXTABLE(0b, 0b)
11319 +#endif
11320 +
11321 /* subtracts 0xffff0001, returns the old value */
11322 " jns 1f\n\t"
11323 " call call_rwsem_wake\n" /* expects old value in %edx */
11324 @@ -176,6 +216,14 @@ static inline void __downgrade_write(str
11325 {
11326 asm volatile("# beginning __downgrade_write\n\t"
11327 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
11328 +
11329 +#ifdef CONFIG_PAX_REFCOUNT
11330 + "jno 0f\n"
11331 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
11332 + "int $4\n0:\n"
11333 + _ASM_EXTABLE(0b, 0b)
11334 +#endif
11335 +
11336 /*
11337 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
11338 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
11339 @@ -194,7 +242,15 @@ static inline void __downgrade_write(str
11340 */
11341 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
11342 {
11343 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
11344 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
11345 +
11346 +#ifdef CONFIG_PAX_REFCOUNT
11347 + "jno 0f\n"
11348 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
11349 + "int $4\n0:\n"
11350 + _ASM_EXTABLE(0b, 0b)
11351 +#endif
11352 +
11353 : "+m" (sem->count)
11354 : "er" (delta));
11355 }
11356 @@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
11357 {
11358 long tmp = delta;
11359
11360 - asm volatile(LOCK_PREFIX "xadd %0,%1"
11361 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
11362 +
11363 +#ifdef CONFIG_PAX_REFCOUNT
11364 + "jno 0f\n"
11365 + "mov %0,%1\n"
11366 + "int $4\n0:\n"
11367 + _ASM_EXTABLE(0b, 0b)
11368 +#endif
11369 +
11370 : "+r" (tmp), "+m" (sem->count)
11371 : : "memory");
11372
11373 diff -urNp linux-2.6.39.3/arch/x86/include/asm/segment.h linux-2.6.39.3/arch/x86/include/asm/segment.h
11374 --- linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-19 00:06:34.000000000 -0400
11375 +++ linux-2.6.39.3/arch/x86/include/asm/segment.h 2011-05-22 19:36:30.000000000 -0400
11376 @@ -64,8 +64,8 @@
11377 * 26 - ESPFIX small SS
11378 * 27 - per-cpu [ offset to per-cpu data area ]
11379 * 28 - stack_canary-20 [ for stack protector ]
11380 - * 29 - unused
11381 - * 30 - unused
11382 + * 29 - PCI BIOS CS
11383 + * 30 - PCI BIOS DS
11384 * 31 - TSS for double fault handler
11385 */
11386 #define GDT_ENTRY_TLS_MIN 6
11387 @@ -79,6 +79,8 @@
11388
11389 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
11390
11391 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
11392 +
11393 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
11394
11395 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
11396 @@ -104,6 +106,12 @@
11397 #define __KERNEL_STACK_CANARY 0
11398 #endif
11399
11400 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
11401 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
11402 +
11403 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
11404 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
11405 +
11406 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
11407
11408 /*
11409 @@ -141,7 +149,7 @@
11410 */
11411
11412 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
11413 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
11414 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
11415
11416
11417 #else
11418 @@ -165,6 +173,8 @@
11419 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
11420 #define __USER32_DS __USER_DS
11421
11422 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
11423 +
11424 #define GDT_ENTRY_TSS 8 /* needs two entries */
11425 #define GDT_ENTRY_LDT 10 /* needs two entries */
11426 #define GDT_ENTRY_TLS_MIN 12
11427 @@ -185,6 +195,7 @@
11428 #endif
11429
11430 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
11431 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
11432 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
11433 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
11434 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
11435 diff -urNp linux-2.6.39.3/arch/x86/include/asm/smp.h linux-2.6.39.3/arch/x86/include/asm/smp.h
11436 --- linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-19 00:06:34.000000000 -0400
11437 +++ linux-2.6.39.3/arch/x86/include/asm/smp.h 2011-05-22 19:36:30.000000000 -0400
11438 @@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
11439 /* cpus sharing the last level cache: */
11440 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
11441 DECLARE_PER_CPU(u16, cpu_llc_id);
11442 -DECLARE_PER_CPU(int, cpu_number);
11443 +DECLARE_PER_CPU(unsigned int, cpu_number);
11444
11445 static inline struct cpumask *cpu_sibling_mask(int cpu)
11446 {
11447 @@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
11448 extern int safe_smp_processor_id(void);
11449
11450 #elif defined(CONFIG_X86_64_SMP)
11451 -#define raw_smp_processor_id() (percpu_read(cpu_number))
11452 -
11453 -#define stack_smp_processor_id() \
11454 -({ \
11455 - struct thread_info *ti; \
11456 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
11457 - ti->cpu; \
11458 -})
11459 +#define raw_smp_processor_id() (percpu_read(cpu_number))
11460 +#define stack_smp_processor_id() raw_smp_processor_id()
11461 #define safe_smp_processor_id() smp_processor_id()
11462
11463 #endif
11464 diff -urNp linux-2.6.39.3/arch/x86/include/asm/spinlock.h linux-2.6.39.3/arch/x86/include/asm/spinlock.h
11465 --- linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-19 00:06:34.000000000 -0400
11466 +++ linux-2.6.39.3/arch/x86/include/asm/spinlock.h 2011-05-22 19:36:30.000000000 -0400
11467 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
11468 static inline void arch_read_lock(arch_rwlock_t *rw)
11469 {
11470 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
11471 +
11472 +#ifdef CONFIG_PAX_REFCOUNT
11473 + "jno 0f\n"
11474 + LOCK_PREFIX " addl $1,(%0)\n"
11475 + "int $4\n0:\n"
11476 + _ASM_EXTABLE(0b, 0b)
11477 +#endif
11478 +
11479 "jns 1f\n"
11480 "call __read_lock_failed\n\t"
11481 "1:\n"
11482 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
11483 static inline void arch_write_lock(arch_rwlock_t *rw)
11484 {
11485 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
11486 +
11487 +#ifdef CONFIG_PAX_REFCOUNT
11488 + "jno 0f\n"
11489 + LOCK_PREFIX " addl %1,(%0)\n"
11490 + "int $4\n0:\n"
11491 + _ASM_EXTABLE(0b, 0b)
11492 +#endif
11493 +
11494 "jz 1f\n"
11495 "call __write_lock_failed\n\t"
11496 "1:\n"
11497 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
11498
11499 static inline void arch_read_unlock(arch_rwlock_t *rw)
11500 {
11501 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
11502 + asm volatile(LOCK_PREFIX "incl %0\n"
11503 +
11504 +#ifdef CONFIG_PAX_REFCOUNT
11505 + "jno 0f\n"
11506 + LOCK_PREFIX "decl %0\n"
11507 + "int $4\n0:\n"
11508 + _ASM_EXTABLE(0b, 0b)
11509 +#endif
11510 +
11511 + :"+m" (rw->lock) : : "memory");
11512 }
11513
11514 static inline void arch_write_unlock(arch_rwlock_t *rw)
11515 {
11516 - asm volatile(LOCK_PREFIX "addl %1, %0"
11517 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
11518 +
11519 +#ifdef CONFIG_PAX_REFCOUNT
11520 + "jno 0f\n"
11521 + LOCK_PREFIX "subl %1, %0\n"
11522 + "int $4\n0:\n"
11523 + _ASM_EXTABLE(0b, 0b)
11524 +#endif
11525 +
11526 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
11527 }
11528
11529 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stackprotector.h linux-2.6.39.3/arch/x86/include/asm/stackprotector.h
11530 --- linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-05-19 00:06:34.000000000 -0400
11531 +++ linux-2.6.39.3/arch/x86/include/asm/stackprotector.h 2011-07-06 20:00:13.000000000 -0400
11532 @@ -48,7 +48,7 @@
11533 * head_32 for boot CPU and setup_per_cpu_areas() for others.
11534 */
11535 #define GDT_STACK_CANARY_INIT \
11536 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
11537 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
11538
11539 /*
11540 * Initialize the stackprotector canary value.
11541 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
11542
11543 static inline void load_stack_canary_segment(void)
11544 {
11545 -#ifdef CONFIG_X86_32
11546 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
11547 asm volatile ("mov %0, %%gs" : : "r" (0));
11548 #endif
11549 }
11550 diff -urNp linux-2.6.39.3/arch/x86/include/asm/stacktrace.h linux-2.6.39.3/arch/x86/include/asm/stacktrace.h
11551 --- linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-19 00:06:34.000000000 -0400
11552 +++ linux-2.6.39.3/arch/x86/include/asm/stacktrace.h 2011-05-22 19:36:30.000000000 -0400
11553 @@ -11,28 +11,20 @@
11554
11555 extern int kstack_depth_to_print;
11556
11557 -struct thread_info;
11558 +struct task_struct;
11559 struct stacktrace_ops;
11560
11561 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
11562 - unsigned long *stack,
11563 - unsigned long bp,
11564 - const struct stacktrace_ops *ops,
11565 - void *data,
11566 - unsigned long *end,
11567 - int *graph);
11568 -
11569 -extern unsigned long
11570 -print_context_stack(struct thread_info *tinfo,
11571 - unsigned long *stack, unsigned long bp,
11572 - const struct stacktrace_ops *ops, void *data,
11573 - unsigned long *end, int *graph);
11574 -
11575 -extern unsigned long
11576 -print_context_stack_bp(struct thread_info *tinfo,
11577 - unsigned long *stack, unsigned long bp,
11578 - const struct stacktrace_ops *ops, void *data,
11579 - unsigned long *end, int *graph);
11580 +typedef unsigned long walk_stack_t(struct task_struct *task,
11581 + void *stack_start,
11582 + unsigned long *stack,
11583 + unsigned long bp,
11584 + const struct stacktrace_ops *ops,
11585 + void *data,
11586 + unsigned long *end,
11587 + int *graph);
11588 +
11589 +extern walk_stack_t print_context_stack;
11590 +extern walk_stack_t print_context_stack_bp;
11591
11592 /* Generic stack tracer with callbacks */
11593
11594 @@ -43,7 +35,7 @@ struct stacktrace_ops {
11595 void (*address)(void *data, unsigned long address, int reliable);
11596 /* On negative return stop dumping */
11597 int (*stack)(void *data, char *name);
11598 - walk_stack_t walk_stack;
11599 + walk_stack_t *walk_stack;
11600 };
11601
11602 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
11603 diff -urNp linux-2.6.39.3/arch/x86/include/asm/system.h linux-2.6.39.3/arch/x86/include/asm/system.h
11604 --- linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-19 00:06:34.000000000 -0400
11605 +++ linux-2.6.39.3/arch/x86/include/asm/system.h 2011-05-22 19:36:30.000000000 -0400
11606 @@ -129,7 +129,7 @@ do { \
11607 "call __switch_to\n\t" \
11608 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
11609 __switch_canary \
11610 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
11611 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
11612 "movq %%rax,%%rdi\n\t" \
11613 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
11614 "jnz ret_from_fork\n\t" \
11615 @@ -140,7 +140,7 @@ do { \
11616 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
11617 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
11618 [_tif_fork] "i" (_TIF_FORK), \
11619 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
11620 + [thread_info] "m" (current_tinfo), \
11621 [current_task] "m" (current_task) \
11622 __switch_canary_iparam \
11623 : "memory", "cc" __EXTRA_CLOBBER)
11624 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
11625 {
11626 unsigned long __limit;
11627 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
11628 - return __limit + 1;
11629 + return __limit;
11630 }
11631
11632 static inline void native_clts(void)
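Review bot: `get_limit()` now returns the raw `lsll` result instead of that value plus one, which changes what every caller receives with no change to the name and no comment. The callers are outside this hunk, so I cannot tell whether all of them were adjusted for the difference of one. I would add `/* returns the segment limit as reported by lsl (last valid offset), not the size */` above the function. The function's signature lies outside the hunk.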
11633 @@ -340,12 +340,12 @@ void enable_hlt(void);
11634
11635 void cpu_idle_wait(void);
11636
11637 -extern unsigned long arch_align_stack(unsigned long sp);
11638 +#define arch_align_stack(x) ((x) & ~0xfUL)
11639 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
11640
11641 void default_idle(void);
11642
11643 -void stop_this_cpu(void *dummy);
11644 +void stop_this_cpu(void *dummy) __noreturn;
11645
11646 /*
11647 * Force strict CPU ordering.
11648 diff -urNp linux-2.6.39.3/arch/x86/include/asm/thread_info.h linux-2.6.39.3/arch/x86/include/asm/thread_info.h
11649 --- linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-19 00:06:34.000000000 -0400
11650 +++ linux-2.6.39.3/arch/x86/include/asm/thread_info.h 2011-05-22 19:36:30.000000000 -0400
11651 @@ -10,6 +10,7 @@
11652 #include <linux/compiler.h>
11653 #include <asm/page.h>
11654 #include <asm/types.h>
11655 +#include <asm/percpu.h>
11656
11657 /*
11658 * low level task data that entry.S needs immediate access to
11659 @@ -24,7 +25,6 @@ struct exec_domain;
11660 #include <asm/atomic.h>
11661
11662 struct thread_info {
11663 - struct task_struct *task; /* main task structure */
11664 struct exec_domain *exec_domain; /* execution domain */
11665 __u32 flags; /* low level flags */
11666 __u32 status; /* thread synchronous flags */
11667 @@ -34,18 +34,12 @@ struct thread_info {
11668 mm_segment_t addr_limit;
11669 struct restart_block restart_block;
11670 void __user *sysenter_return;
11671 -#ifdef CONFIG_X86_32
11672 - unsigned long previous_esp; /* ESP of the previous stack in
11673 - case of nested (IRQ) stacks
11674 - */
11675 - __u8 supervisor_stack[0];
11676 -#endif
11677 + unsigned long lowest_stack;
11678 int uaccess_err;
11679 };
11680
11681 -#define INIT_THREAD_INFO(tsk) \
11682 +#define INIT_THREAD_INFO \
11683 { \
11684 - .task = &tsk, \
11685 .exec_domain = &default_exec_domain, \
11686 .flags = 0, \
11687 .cpu = 0, \
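Review bot: The new `unsigned long lowest_stack;` member has no comment saying what it records or which code updates it, and the visible part of `INIT_THREAD_INFO` does not set it, so an object built with this initializer starts with the field at zero. A trailing comment on the field and, if zero is not the intended starting value, an explicit `.lowest_stack = ...` entry would make the intent clear. The macro body continues past the end of this hunk, so an initializer may exist outside the visible lines.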
11688 @@ -56,7 +50,7 @@ struct thread_info {
11689 }, \
11690 }
11691
11692 -#define init_thread_info (init_thread_union.thread_info)
11693 +#define init_thread_info (init_thread_union.stack)
11694 #define init_stack (init_thread_union.stack)
11695
11696 #else /* !__ASSEMBLY__ */
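Review bot: After this change `init_thread_info` and `init_stack` expand to the same expression, `(init_thread_union.stack)`, so `init_thread_info` no longer names a `struct thread_info` object. Any remaining user that reaches a member through it would stop compiling or, behind a cast, would read stack memory. If the name is kept only as an alias for existing users that need the stack base, a comment such as `/* thread_info is no longer part of init_thread_union; alias of init_stack */` would say so. Otherwise removing the macro makes stale users fail loudly.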
11697 @@ -170,6 +164,23 @@ struct thread_info {
11698 ret; \
11699 })
11700
11701 +#ifdef __ASSEMBLY__
11702 +/* how to get the thread information struct from ASM */
11703 +#define GET_THREAD_INFO(reg) \
11704 + mov PER_CPU_VAR(current_tinfo), reg
11705 +
11706 +/* use this one if reg already contains %esp */
11707 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
11708 +#else
11709 +/* how to get the thread information struct from C */
11710 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
11711 +
11712 +static __always_inline struct thread_info *current_thread_info(void)
11713 +{
11714 + return percpu_read_stable(current_tinfo);
11715 +}
11716 +#endif
11717 +
11718 #ifdef CONFIG_X86_32
11719
11720 #define STACK_WARN (THREAD_SIZE/8)
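Review bot: The comment `/* use this one if reg already contains %esp */` no longer matches `GET_THREAD_INFO_WITH_ESP(reg)`, which now expands to `GET_THREAD_INFO(reg)` and overwrites `reg` with the per-CPU `current_tinfo` pointer whatever it held before. Rewording it to something like `/* kept for existing callers; the previous contents of reg are ignored */` avoids suggesting that the stack pointer is still an input. The C-side comment could also state that `current_thread_info()` now depends on `current_tinfo` being kept up to date on task switch, which this hunk does not show.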
11721 @@ -180,35 +191,13 @@ struct thread_info {
11722 */
11723 #ifndef __ASSEMBLY__
11724
11725 -
11726 /* how to get the current stack pointer from C */
11727 register unsigned long current_stack_pointer asm("esp") __used;
11728
11729 -/* how to get the thread information struct from C */
11730 -static inline struct thread_info *current_thread_info(void)
11731 -{
11732 - return (struct thread_info *)
11733 - (current_stack_pointer & ~(THREAD_SIZE - 1));
11734 -}
11735 -
11736 -#else /* !__ASSEMBLY__ */
11737 -
11738 -/* how to get the thread information struct from ASM */
11739 -#define GET_THREAD_INFO(reg) \
11740 - movl $-THREAD_SIZE, reg; \
11741 - andl %esp, reg
11742 -
11743 -/* use this one if reg already contains %esp */
11744 -#define GET_THREAD_INFO_WITH_ESP(reg) \
11745 - andl $-THREAD_SIZE, reg
11746 -
11747 #endif
11748
11749 #else /* X86_32 */
11750
11751 -#include <asm/percpu.h>
11752 -#define KERNEL_STACK_OFFSET (5*8)
11753 -
11754 /*
11755 * macros/functions for gaining access to the thread information structure
11756 * preempt_count needs to be 1 initially, until the scheduler is functional.
11757 @@ -216,21 +205,8 @@ static inline struct thread_info *curren
11758 #ifndef __ASSEMBLY__
11759 DECLARE_PER_CPU(unsigned long, kernel_stack);
11760
11761 -static inline struct thread_info *current_thread_info(void)
11762 -{
11763 - struct thread_info *ti;
11764 - ti = (void *)(percpu_read_stable(kernel_stack) +
11765 - KERNEL_STACK_OFFSET - THREAD_SIZE);
11766 - return ti;
11767 -}
11768 -
11769 -#else /* !__ASSEMBLY__ */
11770 -
11771 -/* how to get the thread information struct from ASM */
11772 -#define GET_THREAD_INFO(reg) \
11773 - movq PER_CPU_VAR(kernel_stack),reg ; \
11774 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
11775 -
11776 +/* how to get the current stack pointer from C */
11777 +register unsigned long current_stack_pointer asm("rsp") __used;
11778 #endif
11779
11780 #endif /* !X86_32 */
11781 @@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
11782 extern void free_thread_info(struct thread_info *ti);
11783 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11784 #define arch_task_cache_init arch_task_cache_init
11785 +
11786 +#define __HAVE_THREAD_FUNCTIONS
11787 +#define task_thread_info(task) (&(task)->tinfo)
11788 +#define task_stack_page(task) ((task)->stack)
11789 +#define setup_thread_stack(p, org) do {} while (0)
11790 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11791 +
11792 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11793 +extern struct task_struct *alloc_task_struct_node(int node);
11794 +extern void free_task_struct(struct task_struct *);
11795 +
11796 #endif
11797 #endif /* _ASM_X86_THREAD_INFO_H */
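Review bot: `end_of_stack(p)` is defined as `((unsigned long *)task_stack_page(p) + 1)` without saying why the first word of the stack page is skipped, and `setup_thread_stack(p, org)` becomes an empty statement without saying why nothing needs to be copied. Since `task_thread_info(task)` now resolves to `&(task)->tinfo`, a block comment above `__HAVE_THREAD_FUNCTIONS` would make these overrides easier to review. It should explain that `thread_info` is taken from `task_struct` rather than from the base of the stack, and what the `+ 1` reserves.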
11798 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h
11799 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-19 00:06:34.000000000 -0400
11800 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_32.h 2011-05-22 19:36:30.000000000 -0400
11801 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11802 static __always_inline unsigned long __must_check
11803 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11804 {
11805 + pax_track_stack();
11806 +
11807 + if ((long)n < 0)
11808 + return n;
11809 +
11810 if (__builtin_constant_p(n)) {
11811 unsigned long ret;
11812
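Review bot: The guard `if ((long)n < 0) return n;` is added without a comment, and the same two lines recur in `__copy_from_user_inatomic`, `__copy_from_user`, the function patched at `@@ -160,6 +179,10 @@` and `__copy_from_user_inatomic_nocache` later in this file. A comment along the lines of `/* lengths above LONG_MAX are refused; all n bytes are reported as not copied */` would explain the early return and what the return value means to the caller. Because the check is repeated verbatim five times, a small shared inline helper or macro would keep the copies from drifting apart. The body of `__copy_to_user_inatomic` continues beyond this hunk.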
11813 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11814 return ret;
11815 }
11816 }
11817 + if (!__builtin_constant_p(n))
11818 + check_object_size(from, n, true);
11819 return __copy_to_user_ll(to, from, n);
11820 }
11821
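Review bot: `check_object_size(from, n, true)` runs only when `n` is not a compile-time constant, so a constant `n` that is not handled by the special-cased branch earlier in the function reaches `__copy_to_user_ll()` without the object-size check. If that is deliberate, a comment above the `if (!__builtin_constant_p(n))` line stating why constant lengths are exempt would stop a later reader from treating it as an oversight. The matching `check_object_size(to, n, false)` hunk in `__copy_from_user` needs the same explanation. The constant-size branch itself lies outside this hunk.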
11822 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11823 __copy_to_user(void __user *to, const void *from, unsigned long n)
11824 {
11825 might_fault();
11826 +
11827 return __copy_to_user_inatomic(to, from, n);
11828 }
11829
11830 static __always_inline unsigned long
11831 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11832 {
11833 + if ((long)n < 0)
11834 + return n;
11835 +
11836 /* Avoid zeroing the tail if the copy fails..
11837 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11838 * but as the zeroing behaviour is only significant when n is not
11839 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11840 __copy_from_user(void *to, const void __user *from, unsigned long n)
11841 {
11842 might_fault();
11843 +
11844 + pax_track_stack();
11845 +
11846 + if ((long)n < 0)
11847 + return n;
11848 +
11849 if (__builtin_constant_p(n)) {
11850 unsigned long ret;
11851
11852 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11853 return ret;
11854 }
11855 }
11856 + if (!__builtin_constant_p(n))
11857 + check_object_size(to, n, false);
11858 return __copy_from_user_ll(to, from, n);
11859 }
11860
11861 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11862 const void __user *from, unsigned long n)
11863 {
11864 might_fault();
11865 +
11866 + if ((long)n < 0)
11867 + return n;
11868 +
11869 if (__builtin_constant_p(n)) {
11870 unsigned long ret;
11871
11872 @@ -182,15 +205,19 @@ static __always_inline unsigned long
11873 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11874 unsigned long n)
11875 {
11876 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11877 -}
11878 + if ((long)n < 0)
11879 + return n;
11880
11881 -unsigned long __must_check copy_to_user(void __user *to,
11882 - const void *from, unsigned long n);
11883 -unsigned long __must_check _copy_from_user(void *to,
11884 - const void __user *from,
11885 - unsigned long n);
11886 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11887 +}
11888
11889 +extern void copy_to_user_overflow(void)
11890 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11891 + __compiletime_error("copy_to_user() buffer size is not provably correct")
11892 +#else
11893 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
11894 +#endif
11895 +;
11896
11897 extern void copy_from_user_overflow(void)
11898 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
11899 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
11900 #endif
11901 ;
11902
11903 -static inline unsigned long __must_check copy_from_user(void *to,
11904 - const void __user *from,
11905 - unsigned long n)
11906 +/**
11907 + * copy_to_user: - Copy a block of data into user space.
11908 + * @to: Destination address, in user space.
11909 + * @from: Source address, in kernel space.
11910 + * @n: Number of bytes to copy.
11911 + *
11912 + * Context: User context only. This function may sleep.
11913 + *
11914 + * Copy data from kernel space to user space.
11915 + *
11916 + * Returns number of bytes that could not be copied.
11917 + * On success, this will be zero.
11918 + */
11919 +static inline unsigned long __must_check
11920 +copy_to_user(void __user *to, const void *from, unsigned long n)
11921 +{
11922 + int sz = __compiletime_object_size(from);
11923 +
11924 + if (unlikely(sz != -1 && sz < n))
11925 + copy_to_user_overflow();
11926 + else if (access_ok(VERIFY_WRITE, to, n))
11927 + n = __copy_to_user(to, from, n);
11928 + return n;
11929 +}
11930 +
11931 +/**
11932 + * copy_from_user: - Copy a block of data from user space.
11933 + * @to: Destination address, in kernel space.
11934 + * @from: Source address, in user space.
11935 + * @n: Number of bytes to copy.
11936 + *
11937 + * Context: User context only. This function may sleep.
11938 + *
11939 + * Copy data from user space to kernel space.
11940 + *
11941 + * Returns number of bytes that could not be copied.
11942 + * On success, this will be zero.
11943 + *
11944 + * If some data could not be copied, this function will pad the copied
11945 + * data to the requested size using zero bytes.
11946 + */
11947 +static inline unsigned long __must_check
11948 +copy_from_user(void *to, const void __user *from, unsigned long n)
11949 {
11950 int sz = __compiletime_object_size(to);
11951
11952 - if (likely(sz == -1 || sz >= n))
11953 - n = _copy_from_user(to, from, n);
11954 - else
11955 + if (unlikely(sz != -1 && sz < n))
11956 copy_from_user_overflow();
11957 -
11958 + else if (access_ok(VERIFY_READ, from, n))
11959 + n = __copy_from_user(to, from, n);
11960 + else if ((long)n > 0) {
11961 + if (!__builtin_constant_p(n))
11962 + check_object_size(to, n, false);
11963 + memset(to, 0, n);
11964 + }
11965 return n;
11966 }
11967
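Review bot: The new kernel-doc for `copy_from_user` says that uncopied data is padded with zero bytes, but the `copy_from_user_overflow()` branch returns `n` and leaves `to` untouched; that is the safe choice, since zeroing `n` bytes would overrun the object, yet the docstring does not mention it. Adding a sentence such as "If @n exceeds the compile-time size of @to, nothing is copied or zeroed and @n is returned" would cover that path, and the `copy_to_user` docstring could say the same for `@from`. In both functions `sz` is an `int` compared with the `unsigned long n` in `sz < n`, which is only correct because of the preceding `sz != -1` test; a brief comment on that line would make the dependency visible.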
11968 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h
11969 --- linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-19 00:06:34.000000000 -0400
11970 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess_64.h 2011-05-22 19:36:30.000000000 -0400
11971 @@ -11,6 +11,9 @@
11972 #include <asm/alternative.h>
11973 #include <asm/cpufeature.h>
11974 #include <asm/page.h>
11975 +#include <asm/pgtable.h>
11976 +
11977 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11978
11979 /*
11980 * Copy To/From Userspace
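Review bot: `#define set_fs(x) (current_thread_info()->addr_limit = (x))` is added here although `asm/uaccess.h` in this same patch defines the identical macro in the `#else` branch of its `CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF` test and includes this header afterwards. The redefinition is accepted only while both bodies stay token-identical, so a later edit to one copy becomes a redefinition warning or leaves two definitions that depend on include order. Dropping this copy, or wrapping it in `#ifndef set_fs`, keeps a single definition.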
11981 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
11982 return ret;
11983 }
11984
11985 -__must_check unsigned long
11986 -_copy_to_user(void __user *to, const void *from, unsigned len);
11987 -__must_check unsigned long
11988 -_copy_from_user(void *to, const void __user *from, unsigned len);
11989 +static __always_inline __must_check unsigned long
11990 +__copy_to_user(void __user *to, const void *from, unsigned len);
11991 +static __always_inline __must_check unsigned long
11992 +__copy_from_user(void *to, const void __user *from, unsigned len);
11993 __must_check unsigned long
11994 copy_in_user(void __user *to, const void __user *from, unsigned len);
11995
11996 static inline unsigned long __must_check copy_from_user(void *to,
11997 const void __user *from,
11998 - unsigned long n)
11999 + unsigned n)
12000 {
12001 - int sz = __compiletime_object_size(to);
12002 -
12003 might_fault();
12004 - if (likely(sz == -1 || sz >= n))
12005 - n = _copy_from_user(to, from, n);
12006 -#ifdef CONFIG_DEBUG_VM
12007 - else
12008 - WARN(1, "Buffer overflow detected!\n");
12009 -#endif
12010 +
12011 + if (access_ok(VERIFY_READ, from, n))
12012 + n = __copy_from_user(to, from, n);
12013 + else if ((int)n > 0) {
12014 + if (!__builtin_constant_p(n))
12015 + check_object_size(to, n, false);
12016 + memset(to, 0, n);
12017 + }
12018 return n;
12019 }
12020
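Review bot: Changing the parameter from `unsigned long n` to `unsigned n` means a 64-bit length supplied by a caller is narrowed to 32 bits before `access_ok()` and the `(int)n > 0` test see it. A length with bits set above bit 31 is therefore checked and copied as a smaller value, and a return of zero then tells the caller that its original length was handled. Keeping `unsigned long n` and refusing oversized values explicitly, for example `if (n > INT_MAX) return n;` ahead of the `access_ok()` call, keeps the early failure without the silent narrowing. The compile-time `sz` check that used to live here now sits in `__copy_from_user()` in the next hunk, where the warning is emitted only under `CONFIG_DEBUG_VM`.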
12021 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
12022 {
12023 might_fault();
12024
12025 - return _copy_to_user(dst, src, size);
12026 + if (access_ok(VERIFY_WRITE, dst, size))
12027 + size = __copy_to_user(dst, src, size);
12028 + return size;
12029 }
12030
12031 static __always_inline __must_check
12032 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
12033 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
12034 {
12035 - int ret = 0;
12036 + int sz = __compiletime_object_size(dst);
12037 + unsigned ret = 0;
12038
12039 might_fault();
12040 - if (!__builtin_constant_p(size))
12041 - return copy_user_generic(dst, (__force void *)src, size);
12042 +
12043 + pax_track_stack();
12044 +
12045 + if ((int)size < 0)
12046 + return size;
12047 +
12048 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12049 + if (!__access_ok(VERIFY_READ, src, size))
12050 + return size;
12051 +#endif
12052 +
12053 + if (unlikely(sz != -1 && sz < size)) {
12054 +#ifdef CONFIG_DEBUG_VM
12055 + WARN(1, "Buffer overflow detected!\n");
12056 +#endif
12057 + return size;
12058 + }
12059 +
12060 + if (!__builtin_constant_p(size)) {
12061 + check_object_size(dst, size, false);
12062 +
12063 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12064 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12065 + src += PAX_USER_SHADOW_BASE;
12066 +#endif
12067 +
12068 + return copy_user_generic(dst, (__force const void *)src, size);
12069 + }
12070 switch (size) {
12071 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
12072 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
12073 ret, "b", "b", "=q", 1);
12074 return ret;
12075 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
12076 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
12077 ret, "w", "w", "=r", 2);
12078 return ret;
12079 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
12080 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
12081 ret, "l", "k", "=r", 4);
12082 return ret;
12083 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
12084 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12085 ret, "q", "", "=r", 8);
12086 return ret;
12087 case 10:
12088 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12089 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12090 ret, "q", "", "=r", 10);
12091 if (unlikely(ret))
12092 return ret;
12093 __get_user_asm(*(u16 *)(8 + (char *)dst),
12094 - (u16 __user *)(8 + (char __user *)src),
12095 + (const u16 __user *)(8 + (const char __user *)src),
12096 ret, "w", "w", "=r", 2);
12097 return ret;
12098 case 16:
12099 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
12100 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
12101 ret, "q", "", "=r", 16);
12102 if (unlikely(ret))
12103 return ret;
12104 __get_user_asm(*(u64 *)(8 + (char *)dst),
12105 - (u64 __user *)(8 + (char __user *)src),
12106 + (const u64 __user *)(8 + (const char __user *)src),
12107 ret, "q", "", "=r", 8);
12108 return ret;
12109 default:
12110 - return copy_user_generic(dst, (__force void *)src, size);
12111 +
12112 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12113 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12114 + src += PAX_USER_SHADOW_BASE;
12115 +#endif
12116 +
12117 + return copy_user_generic(dst, (__force const void *)src, size);
12118 }
12119 }
12120
12121 static __always_inline __must_check
12122 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
12123 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
12124 {
12125 - int ret = 0;
12126 + int sz = __compiletime_object_size(src);
12127 + unsigned ret = 0;
12128
12129 might_fault();
12130 - if (!__builtin_constant_p(size))
12131 +
12132 + pax_track_stack();
12133 +
12134 + if ((int)size < 0)
12135 + return size;
12136 +
12137 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12138 + if (!__access_ok(VERIFY_WRITE, dst, size))
12139 + return size;
12140 +#endif
12141 +
12142 + if (unlikely(sz != -1 && sz < size)) {
12143 +#ifdef CONFIG_DEBUG_VM
12144 + WARN(1, "Buffer overflow detected!\n");
12145 +#endif
12146 + return size;
12147 + }
12148 +
12149 + if (!__builtin_constant_p(size)) {
12150 + check_object_size(src, size, true);
12151 +
12152 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12153 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12154 + dst += PAX_USER_SHADOW_BASE;
12155 +#endif
12156 +
12157 return copy_user_generic((__force void *)dst, src, size);
12158 + }
12159 switch (size) {
12160 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
12161 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
12162 ret, "b", "b", "iq", 1);
12163 return ret;
12164 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
12165 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
12166 ret, "w", "w", "ir", 2);
12167 return ret;
12168 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
12169 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
12170 ret, "l", "k", "ir", 4);
12171 return ret;
12172 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
12173 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12174 ret, "q", "", "er", 8);
12175 return ret;
12176 case 10:
12177 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12178 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12179 ret, "q", "", "er", 10);
12180 if (unlikely(ret))
12181 return ret;
12182 asm("":::"memory");
12183 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
12184 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
12185 ret, "w", "w", "ir", 2);
12186 return ret;
12187 case 16:
12188 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
12189 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
12190 ret, "q", "", "er", 16);
12191 if (unlikely(ret))
12192 return ret;
12193 asm("":::"memory");
12194 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
12195 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
12196 ret, "q", "", "er", 8);
12197 return ret;
12198 default:
12199 +
12200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12201 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12202 + dst += PAX_USER_SHADOW_BASE;
12203 +#endif
12204 +
12205 return copy_user_generic((__force void *)dst, src, size);
12206 }
12207 }
12208
12209 static __always_inline __must_check
12210 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12211 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
12212 {
12213 - int ret = 0;
12214 + unsigned ret = 0;
12215
12216 might_fault();
12217 - if (!__builtin_constant_p(size))
12218 +
12219 + if ((int)size < 0)
12220 + return size;
12221 +
12222 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12223 + if (!__access_ok(VERIFY_READ, src, size))
12224 + return size;
12225 + if (!__access_ok(VERIFY_WRITE, dst, size))
12226 + return size;
12227 +#endif
12228 +
12229 + if (!__builtin_constant_p(size)) {
12230 +
12231 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12232 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12233 + src += PAX_USER_SHADOW_BASE;
12234 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12235 + dst += PAX_USER_SHADOW_BASE;
12236 +#endif
12237 +
12238 return copy_user_generic((__force void *)dst,
12239 - (__force void *)src, size);
12240 + (__force const void *)src, size);
12241 + }
12242 switch (size) {
12243 case 1: {
12244 u8 tmp;
12245 - __get_user_asm(tmp, (u8 __user *)src,
12246 + __get_user_asm(tmp, (const u8 __user *)src,
12247 ret, "b", "b", "=q", 1);
12248 if (likely(!ret))
12249 __put_user_asm(tmp, (u8 __user *)dst,
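Review bot: The three-line block `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` / `#endif` is written out before every `copy_user_generic()` call in `__copy_from_user`, `__copy_to_user` and `__copy_in_user`, which makes it easy to miss one path when these functions are edited. It appears again in the `default:` hunk at `@@ -204,8 +295,16 @@` and in the `_inatomic` variants. The `____m()` macro that this patch adds to `asm/uaccess.h` performs the same adjustment and reduces to its argument when the option is off, so each block could become `src = ____m(src);` or `dst = ____m(dst);`. That assumes this header is only reached through `asm/uaccess.h` after `____m` is defined. `__copy_in_user` continues past the end of this hunk.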
12250 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
12251 }
12252 case 2: {
12253 u16 tmp;
12254 - __get_user_asm(tmp, (u16 __user *)src,
12255 + __get_user_asm(tmp, (const u16 __user *)src,
12256 ret, "w", "w", "=r", 2);
12257 if (likely(!ret))
12258 __put_user_asm(tmp, (u16 __user *)dst,
12259 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
12260
12261 case 4: {
12262 u32 tmp;
12263 - __get_user_asm(tmp, (u32 __user *)src,
12264 + __get_user_asm(tmp, (const u32 __user *)src,
12265 ret, "l", "k", "=r", 4);
12266 if (likely(!ret))
12267 __put_user_asm(tmp, (u32 __user *)dst,
12268 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
12269 }
12270 case 8: {
12271 u64 tmp;
12272 - __get_user_asm(tmp, (u64 __user *)src,
12273 + __get_user_asm(tmp, (const u64 __user *)src,
12274 ret, "q", "", "=r", 8);
12275 if (likely(!ret))
12276 __put_user_asm(tmp, (u64 __user *)dst,
12277 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
12278 return ret;
12279 }
12280 default:
12281 +
12282 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12283 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12284 + src += PAX_USER_SHADOW_BASE;
12285 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12286 + dst += PAX_USER_SHADOW_BASE;
12287 +#endif
12288 +
12289 return copy_user_generic((__force void *)dst,
12290 - (__force void *)src, size);
12291 + (__force const void *)src, size);
12292 }
12293 }
12294
12295 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
12296 static __must_check __always_inline int
12297 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
12298 {
12299 + pax_track_stack();
12300 +
12301 + if ((int)size < 0)
12302 + return size;
12303 +
12304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12305 + if (!__access_ok(VERIFY_READ, src, size))
12306 + return size;
12307 +
12308 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
12309 + src += PAX_USER_SHADOW_BASE;
12310 +#endif
12311 +
12312 return copy_user_generic(dst, (__force const void *)src, size);
12313 }
12314
12315 -static __must_check __always_inline int
12316 +static __must_check __always_inline unsigned long
12317 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
12318 {
12319 + if ((int)size < 0)
12320 + return size;
12321 +
12322 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12323 + if (!__access_ok(VERIFY_WRITE, dst, size))
12324 + return size;
12325 +
12326 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
12327 + dst += PAX_USER_SHADOW_BASE;
12328 +#endif
12329 +
12330 return copy_user_generic((__force void *)dst, src, size);
12331 }
12332
12333 -extern long __copy_user_nocache(void *dst, const void __user *src,
12334 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
12335 unsigned size, int zerorest);
12336
12337 -static inline int
12338 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12339 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
12340 {
12341 might_sleep();
12342 +
12343 + if ((int)size < 0)
12344 + return size;
12345 +
12346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12347 + if (!__access_ok(VERIFY_READ, src, size))
12348 + return size;
12349 +#endif
12350 +
12351 return __copy_user_nocache(dst, src, size, 1);
12352 }
12353
12354 -static inline int
12355 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12356 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
12357 unsigned size)
12358 {
12359 + if ((int)size < 0)
12360 + return size;
12361 +
12362 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12363 + if (!__access_ok(VERIFY_READ, src, size))
12364 + return size;
12365 +#endif
12366 +
12367 return __copy_user_nocache(dst, src, size, 0);
12368 }
12369
12370 -unsigned long
12371 +extern unsigned long
12372 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
12373
12374 #endif /* _ASM_X86_UACCESS_64_H */
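Review bot: `__copy_from_user_inatomic()` keeps its `int` return type (the unchanged `static __must_check __always_inline int` line at the top of the hunk) while `__copy_to_user_inatomic()`, `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` are all switched to `unsigned long`. It now also has paths that return the unsigned `size`, which for the `(int)size < 0` case comes back to the caller as a negative number rather than a byte count. Changing that line to `static __must_check __always_inline unsigned long` would make the family consistent. The two `_inatomic` helpers also differ in that only the from-user one calls `pax_track_stack()`; if that asymmetry is deliberate, a comment would help.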
12375 diff -urNp linux-2.6.39.3/arch/x86/include/asm/uaccess.h linux-2.6.39.3/arch/x86/include/asm/uaccess.h
12376 --- linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:04:13.000000000 -0400
12377 +++ linux-2.6.39.3/arch/x86/include/asm/uaccess.h 2011-06-03 00:32:04.000000000 -0400
12378 @@ -8,12 +8,15 @@
12379 #include <linux/thread_info.h>
12380 #include <linux/prefetch.h>
12381 #include <linux/string.h>
12382 +#include <linux/sched.h>
12383 #include <asm/asm.h>
12384 #include <asm/page.h>
12385
12386 #define VERIFY_READ 0
12387 #define VERIFY_WRITE 1
12388
12389 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
12390 +
12391 /*
12392 * The fs value determines whether argument validity checking should be
12393 * performed or not. If get_fs() == USER_DS, checking is performed, with
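Review bot: The prototype `extern void check_object_size(const void *ptr, unsigned long n, bool to);` is introduced without a comment, and the meaning of the bare `bool to` cannot be read from the declaration. At the call sites in this patch, `true` is passed on copy-to-user paths together with the kernel source buffer, and `false` on copy-from-user paths together with the kernel destination buffer. A kernel-doc block stating that, what `ptr` and `n` describe, and what the function does when the check fails (not visible here) would make the interface self-explanatory.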
12394 @@ -29,7 +32,12 @@
12395
12396 #define get_ds() (KERNEL_DS)
12397 #define get_fs() (current_thread_info()->addr_limit)
12398 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12399 +void __set_fs(mm_segment_t x);
12400 +void set_fs(mm_segment_t x);
12401 +#else
12402 #define set_fs(x) (current_thread_info()->addr_limit = (x))
12403 +#endif
12404
12405 #define segment_eq(a, b) ((a).seg == (b).seg)
12406
12407 @@ -77,7 +85,33 @@
12408 * checks that the pointer is in the user space range - after calling
12409 * this function, memory access functions may still return -EFAULT.
12410 */
12411 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12412 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
12413 +#define access_ok(type, addr, size) \
12414 +({ \
12415 + long __size = size; \
12416 + unsigned long __addr = (unsigned long)addr; \
12417 + unsigned long __addr_ao = __addr & PAGE_MASK; \
12418 + unsigned long __end_ao = __addr + __size - 1; \
12419 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
12420 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
12421 + while(__addr_ao <= __end_ao) { \
12422 + char __c_ao; \
12423 + __addr_ao += PAGE_SIZE; \
12424 + if (__size > PAGE_SIZE) \
12425 + cond_resched(); \
12426 + if (__get_user(__c_ao, (char __user *)__addr)) \
12427 + break; \
12428 + if (type != VERIFY_WRITE) { \
12429 + __addr = __addr_ao; \
12430 + continue; \
12431 + } \
12432 + if (__put_user(__c_ao, (char __user *)__addr)) \
12433 + break; \
12434 + __addr = __addr_ao; \
12435 + } \
12436 + } \
12437 + __ret_ao; \
12438 +})
12439
12440 /*
12441 * The exception table consists of pairs of addresses: the first is the
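Review bot: The new `access_ok()` body uses its macro arguments without parentheses: in `unsigned long __addr = (unsigned long)addr;` the cast binds only to the first operand, so `access_ok(type, p + 1, n)` with a non-`char` pointer `p` range-checks `(unsigned long)p + 1` rather than the address of `p + 1`. `long __size = size;` and `type != VERIFY_WRITE` carry the same kind of hazard. Writing `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `(type) != VERIFY_WRITE` closes that gap. The macro now also reads one byte per page, writes it back for `VERIFY_WRITE`, and may call `cond_resched()`, while a failed `__get_user`/`__put_user` only breaks out of the loop and leaves `__ret_ao` true. The comment above the macro should state that `access_ok()` touches user memory, can sleep, and still does not guarantee that later accesses succeed.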
12442 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
12443 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
12444 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
12445
12446 -
12447 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
12448 +#define __copyuser_seg "gs;"
12449 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
12450 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
12451 +#else
12452 +#define __copyuser_seg
12453 +#define __COPYUSER_SET_ES
12454 +#define __COPYUSER_RESTORE_ES
12455 +#endif
12456
12457 #ifdef CONFIG_X86_32
12458 #define __put_user_asm_u64(x, addr, err, errret) \
12459 - asm volatile("1: movl %%eax,0(%2)\n" \
12460 - "2: movl %%edx,4(%2)\n" \
12461 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
12462 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
12463 "3:\n" \
12464 ".section .fixup,\"ax\"\n" \
12465 "4: movl %3,%0\n" \
12466 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
12467 : "A" (x), "r" (addr), "i" (errret), "0" (err))
12468
12469 #define __put_user_asm_ex_u64(x, addr) \
12470 - asm volatile("1: movl %%eax,0(%1)\n" \
12471 - "2: movl %%edx,4(%1)\n" \
12472 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
12473 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
12474 "3:\n" \
12475 _ASM_EXTABLE(1b, 2b - 1b) \
12476 _ASM_EXTABLE(2b, 3b - 2b) \
12477 @@ -374,7 +416,7 @@ do { \
12478 } while (0)
12479
12480 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12481 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
12482 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
12483 "2:\n" \
12484 ".section .fixup,\"ax\"\n" \
12485 "3: mov %3,%0\n" \
12486 @@ -382,7 +424,7 @@ do { \
12487 " jmp 2b\n" \
12488 ".previous\n" \
12489 _ASM_EXTABLE(1b, 3b) \
12490 - : "=r" (err), ltype(x) \
12491 + : "=r" (err), ltype (x) \
12492 : "m" (__m(addr)), "i" (errret), "0" (err))
12493
12494 #define __get_user_size_ex(x, ptr, size) \
12495 @@ -407,7 +449,7 @@ do { \
12496 } while (0)
12497
12498 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
12499 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
12500 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
12501 "2:\n" \
12502 _ASM_EXTABLE(1b, 2b - 1b) \
12503 : ltype(x) : "m" (__m(addr)))
12504 @@ -424,13 +466,24 @@ do { \
12505 int __gu_err; \
12506 unsigned long __gu_val; \
12507 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
12508 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
12509 + (x) = (__typeof__(*(ptr)))__gu_val; \
12510 __gu_err; \
12511 })
12512
12513 /* FIXME: this hack is definitely wrong -AK */
12514 struct __large_struct { unsigned long buf[100]; };
12515 -#define __m(x) (*(struct __large_struct __user *)(x))
12516 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12517 +#define ____m(x) \
12518 +({ \
12519 + unsigned long ____x = (unsigned long)(x); \
12520 + if (____x < PAX_USER_SHADOW_BASE) \
12521 + ____x += PAX_USER_SHADOW_BASE; \
12522 + (void __user *)____x; \
12523 +})
12524 +#else
12525 +#define ____m(x) (x)
12526 +#endif
12527 +#define __m(x) (*(struct __large_struct __user *)____m(x))
12528
12529 /*
12530 * Tell gcc we read from memory instead of writing: this is because
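Review bot: `____m()` is added without a comment, and its name differs from `__m()` only by two underscores, so the reason for the extra layer is not obvious where it is used. A short comment above the `#if` would document it: with `CONFIG_X86_64` and `CONFIG_PAX_MEMORY_UDEREF`, an address below `PAX_USER_SHADOW_BASE` is moved up by that amount before the access, and otherwise the macro is the identity. The same hunk drops `__force` from the `__typeof__` cast of `__gu_val`, as does the later `get_user_ex` hunk; a line in the change description saying why would help readers who rely on sparse annotations.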
12531 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
12532 * aliasing issues.
12533 */
12534 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
12535 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
12536 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
12537 "2:\n" \
12538 ".section .fixup,\"ax\"\n" \
12539 "3: mov %3,%0\n" \
12540 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
12541 ".previous\n" \
12542 _ASM_EXTABLE(1b, 3b) \
12543 : "=r"(err) \
12544 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
12545 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
12546
12547 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
12548 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
12549 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
12550 "2:\n" \
12551 _ASM_EXTABLE(1b, 2b - 1b) \
12552 : : ltype(x), "m" (__m(addr)))
12553 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
12554 * On error, the variable @x is set to zero.
12555 */
12556
12557 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12558 +#define __get_user(x, ptr) get_user((x), (ptr))
12559 +#else
12560 #define __get_user(x, ptr) \
12561 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
12562 +#endif
12563
12564 /**
12565 * __put_user: - Write a simple value into user space, with less checking.
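Review bot: With `CONFIG_X86_64` and `CONFIG_PAX_MEMORY_UDEREF`, `__get_user(x, ptr)` now expands to `get_user((x), (ptr))`, but the kernel-doc above it is left unchanged, and the `__put_user` docstring visible at the end of this hunk still describes that macro as the variant "with less checking". Adding a sentence to both docstrings, for example "With CONFIG_PAX_MEMORY_UDEREF on x86-64 this is identical to get_user()", keeps the documentation accurate. The `__put_user` hunk at `@@ -511,8 +568,12 @@` makes the parallel change and needs the matching line.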
12566 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
12567 * Returns zero on success, or -EFAULT on error.
12568 */
12569
12570 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12571 +#define __put_user(x, ptr) put_user((x), (ptr))
12572 +#else
12573 #define __put_user(x, ptr) \
12574 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
12575 +#endif
12576
12577 #define __get_user_unaligned __get_user
12578 #define __put_user_unaligned __put_user
12579 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
12580 #define get_user_ex(x, ptr) do { \
12581 unsigned long __gue_val; \
12582 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
12583 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
12584 + (x) = (__typeof__(*(ptr)))__gue_val; \
12585 } while (0)
12586
12587 #ifdef CONFIG_X86_WP_WORKS_OK
12588 @@ -567,6 +628,7 @@ extern struct movsl_mask {
12589
12590 #define ARCH_HAS_NOCACHE_UACCESS 1
12591
12592 +#define ARCH_HAS_SORT_EXTABLE
12593 #ifdef CONFIG_X86_32
12594 # include "uaccess_32.h"
12595 #else
12596 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vgtod.h linux-2.6.39.3/arch/x86/include/asm/vgtod.h
12597 --- linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-19 00:06:34.000000000 -0400
12598 +++ linux-2.6.39.3/arch/x86/include/asm/vgtod.h 2011-05-22 19:36:30.000000000 -0400
12599 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
12600 int sysctl_enabled;
12601 struct timezone sys_tz;
12602 struct { /* extract of a clocksource struct */
12603 + char name[8];
12604 cycle_t (*vread)(void);
12605 cycle_t cycle_last;
12606 cycle_t mask;
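Review bot: The new `char name[8]` member is a fixed-size buffer with no comment on what fills it or what happens when the source string is longer than seven characters. The code that copies into it is outside this hunk; it needs to bound the copy by `sizeof` of the field and guarantee termination. Documenting the contract on the field would make that checkable, e.g. `char name[8]; /* truncated, NUL-terminated copy (presumably of the clocksource name) */`.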
12607 diff -urNp linux-2.6.39.3/arch/x86/include/asm/vsyscall.h linux-2.6.39.3/arch/x86/include/asm/vsyscall.h
12608 --- linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-19 00:06:34.000000000 -0400
12609 +++ linux-2.6.39.3/arch/x86/include/asm/vsyscall.h 2011-05-22 19:36:30.000000000 -0400
12610 @@ -15,9 +15,10 @@ enum vsyscall_num {
12611
12612 #ifdef __KERNEL__
12613 #include <linux/seqlock.h>
12614 +#include <linux/getcpu.h>
12615 +#include <linux/time.h>
12616
12617 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
12618 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
12619
12620 /* Definitions for CONFIG_GENERIC_TIME definitions */
12621 #define __section_vsyscall_gtod_data __attribute__ \
12622 @@ -31,7 +32,6 @@ enum vsyscall_num {
12623 #define VGETCPU_LSL 2
12624
12625 extern int __vgetcpu_mode;
12626 -extern volatile unsigned long __jiffies;
12627
12628 /* kernel space (writeable) */
12629 extern int vgetcpu_mode;
12630 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
12631
12632 extern void map_vsyscall(void);
12633
12634 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
12635 +extern time_t vtime(time_t *t);
12636 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
12637 #endif /* __KERNEL__ */
12638
12639 #endif /* _ASM_X86_VSYSCALL_H */
12640 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xen/pci.h linux-2.6.39.3/arch/x86/include/asm/xen/pci.h
12641 --- linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-19 00:06:34.000000000 -0400
12642 +++ linux-2.6.39.3/arch/x86/include/asm/xen/pci.h 2011-05-22 19:36:30.000000000 -0400
12643 @@ -33,7 +33,7 @@ struct xen_pci_frontend_ops {
12644 void (*disable_msix)(struct pci_dev *dev);
12645 };
12646
12647 -extern struct xen_pci_frontend_ops *xen_pci_frontend;
12648 +extern const struct xen_pci_frontend_ops *xen_pci_frontend;
12649
12650 static inline int xen_pci_frontend_enable_msi(struct pci_dev *dev,
12651 int vectors[])
12652 diff -urNp linux-2.6.39.3/arch/x86/include/asm/xsave.h linux-2.6.39.3/arch/x86/include/asm/xsave.h
12653 --- linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-19 00:06:34.000000000 -0400
12654 +++ linux-2.6.39.3/arch/x86/include/asm/xsave.h 2011-05-22 19:36:30.000000000 -0400
12655 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
12656 {
12657 int err;
12658
12659 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12660 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
12661 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
12662 +#endif
12663 +
12664 /*
12665 * Clear the xsave header first, so that reserved fields are
12666 * initialized to zero.
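Review bot: The compare-and-add against `PAX_USER_SHADOW_BASE` is open-coded here in `xsave_user` and again in `xrestore_user` in the next hunk, with no comment in either place. The two copies already differ: this one keeps the `__user` annotation in its casts, while the other casts through plain `void *`, which may be correct for `xstate` (its declaration is outside the hunk) but is easy to get wrong when the idiom is pasted a third time. A single small inline helper taking and returning a `void __user *` would keep the check in one place. At minimum each site should carry `/* UDEREF: rebase a raw user address into the PAX_USER_SHADOW_BASE range before the access */`. Both function bodies continue outside their hunks.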
12667 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
12668 u32 lmask = mask;
12669 u32 hmask = mask >> 32;
12670
12671 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
12672 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
12673 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
12674 +#endif
12675 +
12676 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
12677 "2:\n"
12678 ".section .fixup,\"ax\"\n"
12679 diff -urNp linux-2.6.39.3/arch/x86/Kconfig linux-2.6.39.3/arch/x86/Kconfig
12680 --- linux-2.6.39.3/arch/x86/Kconfig 2011-05-19 00:06:34.000000000 -0400
12681 +++ linux-2.6.39.3/arch/x86/Kconfig 2011-05-22 19:41:32.000000000 -0400
12682 @@ -224,7 +224,7 @@ config X86_HT
12683
12684 config X86_32_LAZY_GS
12685 def_bool y
12686 - depends on X86_32 && !CC_STACKPROTECTOR
12687 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12688
12689 config ARCH_HWEIGHT_CFLAGS
12690 string
12691 @@ -1022,7 +1022,7 @@ choice
12692
12693 config NOHIGHMEM
12694 bool "off"
12695 - depends on !X86_NUMAQ
12696 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12697 ---help---
12698 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12699 However, the address space of 32-bit x86 processors is only 4
12700 @@ -1059,7 +1059,7 @@ config NOHIGHMEM
12701
12702 config HIGHMEM4G
12703 bool "4GB"
12704 - depends on !X86_NUMAQ
12705 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12706 ---help---
12707 Select this if you have a 32-bit processor and between 1 and 4
12708 gigabytes of physical RAM.
12709 @@ -1113,7 +1113,7 @@ config PAGE_OFFSET
12710 hex
12711 default 0xB0000000 if VMSPLIT_3G_OPT
12712 default 0x80000000 if VMSPLIT_2G
12713 - default 0x78000000 if VMSPLIT_2G_OPT
12714 + default 0x70000000 if VMSPLIT_2G_OPT
12715 default 0x40000000 if VMSPLIT_1G
12716 default 0xC0000000
12717 depends on X86_32
12718 @@ -1457,7 +1457,7 @@ config ARCH_USES_PG_UNCACHED
12719
12720 config EFI
12721 bool "EFI runtime service support"
12722 - depends on ACPI
12723 + depends on ACPI && !PAX_KERNEXEC
12724 ---help---
12725 This enables the kernel to use EFI runtime services that are
12726 available (such as the EFI variable services).
12727 @@ -1487,6 +1487,7 @@ config SECCOMP
12728
12729 config CC_STACKPROTECTOR
12730 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12731 + depends on X86_64 || !PAX_MEMORY_UDEREF
12732 ---help---
12733 This option turns on the -fstack-protector GCC feature. This
12734 feature puts, at the beginning of functions, a canary value on
12735 @@ -1544,6 +1545,7 @@ config KEXEC_JUMP
12736 config PHYSICAL_START
12737 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
12738 default "0x1000000"
12739 + range 0x400000 0x40000000
12740 ---help---
12741 This gives the physical address where the kernel is loaded.
12742
12743 @@ -1607,6 +1609,7 @@ config X86_NEED_RELOCS
12744 config PHYSICAL_ALIGN
12745 hex "Alignment value to which kernel should be aligned" if X86_32
12746 default "0x1000000"
12747 + range 0x400000 0x1000000 if PAX_KERNEXEC
12748 range 0x2000 0x1000000
12749 ---help---
12750 This value puts the alignment restrictions on physical address
12751 @@ -1638,9 +1641,10 @@ config HOTPLUG_CPU
12752 Say N if you want to disable CPU hotplug.
12753
12754 config COMPAT_VDSO
12755 - def_bool y
12756 + def_bool n
12757 prompt "Compat VDSO support"
12758 depends on X86_32 || IA32_EMULATION
12759 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12760 ---help---
12761 Map the 32-bit VDSO to the predictable old-style address too.
12762
12763 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.cpu linux-2.6.39.3/arch/x86/Kconfig.cpu
12764 --- linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-19 00:06:34.000000000 -0400
12765 +++ linux-2.6.39.3/arch/x86/Kconfig.cpu 2011-05-22 19:36:30.000000000 -0400
12766 @@ -334,7 +334,7 @@ config X86_PPRO_FENCE
12767
12768 config X86_F00F_BUG
12769 def_bool y
12770 - depends on M586MMX || M586TSC || M586 || M486 || M386
12771 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12772
12773 config X86_INVD_BUG
12774 def_bool y
12775 @@ -358,7 +358,7 @@ config X86_POPAD_OK
12776
12777 config X86_ALIGNMENT_16
12778 def_bool y
12779 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12780 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12781
12782 config X86_INTEL_USERCOPY
12783 def_bool y
12784 @@ -404,7 +404,7 @@ config X86_CMPXCHG64
12785 # generates cmov.
12786 config X86_CMOV
12787 def_bool y
12788 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12789 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12790
12791 config X86_MINIMUM_CPU_FAMILY
12792 int
12793 diff -urNp linux-2.6.39.3/arch/x86/Kconfig.debug linux-2.6.39.3/arch/x86/Kconfig.debug
12794 --- linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
12795 +++ linux-2.6.39.3/arch/x86/Kconfig.debug 2011-05-22 19:36:30.000000000 -0400
12796 @@ -101,7 +101,7 @@ config X86_PTDUMP
12797 config DEBUG_RODATA
12798 bool "Write protect kernel read-only data structures"
12799 default y
12800 - depends on DEBUG_KERNEL
12801 + depends on DEBUG_KERNEL && BROKEN
12802 ---help---
12803 Mark the kernel read-only data as write-protected in the pagetables,
12804 in order to catch accidental (and incorrect) writes to such const
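Review bot: Adding `&& BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels built from this tree without the PaX feature that presumably replaces it, and the help text below still describes the option as if it were available. `DEBUG_SET_MODULE_RONX` gets the same treatment in the next hunk. If the intent is that PAX_KERNEXEC supersedes both, a dependency such as `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would keep the upstream protection for builds that leave KERNEXEC off, unless other parts of the patch rule that out. Failing that, a comment line like `# superseded by PAX_KERNEXEC, intentionally disabled` should record the decision.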
12805 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
12806
12807 config DEBUG_SET_MODULE_RONX
12808 bool "Set loadable kernel module data as NX and text as RO"
12809 - depends on MODULES
12810 + depends on MODULES && BROKEN
12811 ---help---
12812 This option helps catch unintended modifications to loadable
12813 kernel module's text and read-only data. It also prevents execution
12814 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S
12815 --- linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:18:51.000000000 -0400
12816 +++ linux-2.6.39.3/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-09 09:19:18.000000000 -0400
12817 @@ -108,6 +108,9 @@ wakeup_code:
12818 /* Do any other stuff... */
12819
12820 #ifndef CONFIG_64BIT
12821 + /* Recheck NX bit overrides (64bit path does this in trampoline */
12822 + call verify_cpu
12823 +
12824 /* This could also be done in C code... */
12825 movl pmode_cr3, %eax
12826 movl %eax, %cr3
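Review bot: The added comment has an unbalanced parenthesis and does not say what happens to the result of `call verify_cpu`; the very next instruction loads `pmode_cr3` into `%eax`, so any status the routine returns there is discarded. If the call is made only for its side effect on the NX override, say so: `/* Recheck NX bit overrides (64bit path does this in trampoline); return value deliberately ignored */`. Whether `verify_cpu` reports failure in a register is not visible here, since the routine is pulled in by the `# include "../../verify_cpu.S"` added in the next hunk.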
12827 @@ -131,6 +134,7 @@ wakeup_code:
12828 movl pmode_cr0, %eax
12829 movl %eax, %cr0
12830 jmp pmode_return
12831 +# include "../../verify_cpu.S"
12832 #else
12833 pushw $0
12834 pushw trampoline_segment
12835 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c
12836 --- linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:18:51.000000000 -0400
12837 +++ linux-2.6.39.3/arch/x86/kernel/acpi/sleep.c 2011-07-09 09:19:18.000000000 -0400
12838 @@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
12839 header->trampoline_segment = trampoline_address() >> 4;
12840 #ifdef CONFIG_SMP
12841 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12842 +
12843 + pax_open_kernel();
12844 early_gdt_descr.address =
12845 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12846 + pax_close_kernel();
12847 +
12848 initial_gs = per_cpu_offset(smp_processor_id());
12849 #endif
12850 initial_code = (unsigned long)wakeup_long64;
12851 diff -urNp linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S
12852 --- linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-19 00:06:34.000000000 -0400
12853 +++ linux-2.6.39.3/arch/x86/kernel/acpi/wakeup_32.S 2011-05-22 19:36:30.000000000 -0400
12854 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12855 # and restore the stack ... but you need gdt for this to work
12856 movl saved_context_esp, %esp
12857
12858 - movl %cs:saved_magic, %eax
12859 - cmpl $0x12345678, %eax
12860 + cmpl $0x12345678, saved_magic
12861 jne bogus_magic
12862
12863 # jump to place where we left off
12864 - movl saved_eip, %eax
12865 - jmp *%eax
12866 + jmp *(saved_eip)
12867
12868 bogus_magic:
12869 jmp bogus_magic
12870 diff -urNp linux-2.6.39.3/arch/x86/kernel/alternative.c linux-2.6.39.3/arch/x86/kernel/alternative.c
12871 --- linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-19 00:06:34.000000000 -0400
12872 +++ linux-2.6.39.3/arch/x86/kernel/alternative.c 2011-05-22 19:36:30.000000000 -0400
12873 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
12874 if (!*poff || ptr < text || ptr >= text_end)
12875 continue;
12876 /* turn DS segment override prefix into lock prefix */
12877 - if (*ptr == 0x3e)
12878 + if (*ktla_ktva(ptr) == 0x3e)
12879 text_poke(ptr, ((unsigned char []){0xf0}), 1);
12880 };
12881 mutex_unlock(&text_mutex);
12882 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
12883 if (!*poff || ptr < text || ptr >= text_end)
12884 continue;
12885 /* turn lock prefix into DS segment override prefix */
12886 - if (*ptr == 0xf0)
12887 + if (*ktla_ktva(ptr) == 0xf0)
12888 text_poke(ptr, ((unsigned char []){0x3E}), 1);
12889 };
12890 mutex_unlock(&text_mutex);
12891 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
12892
12893 BUG_ON(p->len > MAX_PATCH_LEN);
12894 /* prep the buffer with the original instructions */
12895 - memcpy(insnbuf, p->instr, p->len);
12896 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12897 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12898 (unsigned long)p->instr, p->len);
12899
12900 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
12901 if (smp_alt_once)
12902 free_init_pages("SMP alternatives",
12903 (unsigned long)__smp_locks,
12904 - (unsigned long)__smp_locks_end);
12905 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12906
12907 restart_nmi();
12908 }
12909 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
12910 * instructions. And on the local CPU you need to be protected again NMI or MCE
12911 * handlers seeing an inconsistent instruction while you patch.
12912 */
12913 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
12914 +void *__kprobes text_poke_early(void *addr, const void *opcode,
12915 size_t len)
12916 {
12917 unsigned long flags;
12918 local_irq_save(flags);
12919 - memcpy(addr, opcode, len);
12920 +
12921 + pax_open_kernel();
12922 + memcpy(ktla_ktva(addr), opcode, len);
12923 sync_core();
12924 + pax_close_kernel();
12925 +
12926 local_irq_restore(flags);
12927 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12928 that causes hangs on some VIA CPUs. */
12929 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
12930 */
12931 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12932 {
12933 - unsigned long flags;
12934 - char *vaddr;
12935 + unsigned char *vaddr = ktla_ktva(addr);
12936 struct page *pages[2];
12937 - int i;
12938 + size_t i;
12939
12940 if (!core_kernel_text((unsigned long)addr)) {
12941 - pages[0] = vmalloc_to_page(addr);
12942 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12943 + pages[0] = vmalloc_to_page(vaddr);
12944 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12945 } else {
12946 - pages[0] = virt_to_page(addr);
12947 + pages[0] = virt_to_page(vaddr);
12948 WARN_ON(!PageReserved(pages[0]));
12949 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12950 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12951 }
12952 BUG_ON(!pages[0]);
12953 - local_irq_save(flags);
12954 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12955 - if (pages[1])
12956 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12957 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12958 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12959 - clear_fixmap(FIX_TEXT_POKE0);
12960 - if (pages[1])
12961 - clear_fixmap(FIX_TEXT_POKE1);
12962 - local_flush_tlb();
12963 - sync_core();
12964 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12965 - that causes hangs on some VIA CPUs. */
12966 + text_poke_early(addr, opcode, len);
12967 for (i = 0; i < len; i++)
12968 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12969 - local_irq_restore(flags);
12970 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12971 return addr;
12972 }
12973
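Review bot: After this rewrite `pages[1]` is still looked up in both branches but never read, and `pages[0]` only feeds `WARN_ON`/`BUG_ON`; the actual write now goes through `text_poke_early(addr, opcode, len)`. The two `pages[1] = …` lines can be dropped and the array reduced to a single `struct page *`, with a comment such as `/* lookup kept only as a sanity check; the write itself is done by text_poke_early() */`. The read-back loop now also runs after `text_poke_early` has restored interrupts, where the removed code did it before `local_irq_restore(flags)`. That looks harmless but should be a stated choice. The kerneldoc above the function is outside the hunk and probably still describes the fixmap-based approach.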
12974 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
12975 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
12976
12977 #ifdef CONFIG_X86_64
12978 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12979 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
12980 #else
12981 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12982 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
12983 #endif
12984
12985 void __init arch_init_ideal_nop5(void)
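Review bot: Nothing in this hunk shows how `ideal_nop5` receives its final value once it is tagged `__read_only`. The context line shows `arch_init_ideal_nop5` immediately below, and its body is outside the hunk; if it selects the NOP sequence by writing into the array, that write must either happen before the section is write-protected or be bracketed by `pax_open_kernel()`/`pax_close_kernel()` as done elsewhere in this patch. A comment on the declaration would make the ordering requirement explicit, e.g. `/* written once by arch_init_ideal_nop5() before read-only data is sealed */`, after confirming that is the case.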
12986 diff -urNp linux-2.6.39.3/arch/x86/kernel/amd_iommu.c linux-2.6.39.3/arch/x86/kernel/amd_iommu.c
12987 --- linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 12:55:22.000000000 -0400
12988 +++ linux-2.6.39.3/arch/x86/kernel/amd_iommu.c 2011-06-25 13:00:25.000000000 -0400
12989 @@ -49,7 +49,7 @@ static DEFINE_SPINLOCK(iommu_pd_list_loc
12990 */
12991 static struct protection_domain *pt_domain;
12992
12993 -static struct iommu_ops amd_iommu_ops;
12994 +static const struct iommu_ops amd_iommu_ops;
12995
12996 /*
12997 * general struct to manage commands send to an IOMMU
12998 @@ -2307,7 +2307,7 @@ static void prealloc_protection_domains(
12999 }
13000 }
13001
13002 -static struct dma_map_ops amd_iommu_dma_ops = {
13003 +static const struct dma_map_ops amd_iommu_dma_ops = {
13004 .alloc_coherent = alloc_coherent,
13005 .free_coherent = free_coherent,
13006 .map_page = map_page,
13007 @@ -2624,7 +2624,7 @@ static int amd_iommu_domain_has_cap(stru
13008 return 0;
13009 }
13010
13011 -static struct iommu_ops amd_iommu_ops = {
13012 +static const struct iommu_ops amd_iommu_ops = {
13013 .domain_init = amd_iommu_domain_init,
13014 .domain_destroy = amd_iommu_domain_destroy,
13015 .attach_dev = amd_iommu_attach_device,
13016 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/apic.c linux-2.6.39.3/arch/x86/kernel/apic/apic.c
13017 --- linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-19 00:06:34.000000000 -0400
13018 +++ linux-2.6.39.3/arch/x86/kernel/apic/apic.c 2011-05-22 19:36:30.000000000 -0400
13019 @@ -1821,7 +1821,7 @@ void smp_error_interrupt(struct pt_regs
13020 apic_write(APIC_ESR, 0);
13021 v1 = apic_read(APIC_ESR);
13022 ack_APIC_irq();
13023 - atomic_inc(&irq_err_count);
13024 + atomic_inc_unchecked(&irq_err_count);
13025
13026 /*
13027 * Here is what the APIC error bits mean:
13028 @@ -2204,6 +2204,8 @@ static int __cpuinit apic_cluster_num(vo
13029 u16 *bios_cpu_apicid;
13030 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
13031
13032 + pax_track_stack();
13033 +
13034 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
13035 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
13036
13037 diff -urNp linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c
13038 --- linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:04:13.000000000 -0400
13039 +++ linux-2.6.39.3/arch/x86/kernel/apic/io_apic.c 2011-06-03 00:42:37.000000000 -0400
13040 @@ -623,7 +623,7 @@ struct IO_APIC_route_entry **alloc_ioapi
13041 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
13042 GFP_ATOMIC);
13043 if (!ioapic_entries)
13044 - return 0;
13045 + return NULL;
13046
13047 for (apic = 0; apic < nr_ioapics; apic++) {
13048 ioapic_entries[apic] =
13049 @@ -640,7 +640,7 @@ nomem:
13050 kfree(ioapic_entries[apic]);
13051 kfree(ioapic_entries);
13052
13053 - return 0;
13054 + return NULL;
13055 }
13056
13057 /*
13058 @@ -1040,7 +1040,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
13059 }
13060 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
13061
13062 -void lock_vector_lock(void)
13063 +void lock_vector_lock(void) __acquires(vector_lock)
13064 {
13065 /* Used to the online set of cpus does not change
13066 * during assign_irq_vector.
13067 @@ -1048,7 +1048,7 @@ void lock_vector_lock(void)
13068 raw_spin_lock(&vector_lock);
13069 }
13070
13071 -void unlock_vector_lock(void)
13072 +void unlock_vector_lock(void) __releases(vector_lock)
13073 {
13074 raw_spin_unlock(&vector_lock);
13075 }
13076 @@ -2379,7 +2379,7 @@ static void ack_apic_edge(struct irq_dat
13077 ack_APIC_irq();
13078 }
13079
13080 -atomic_t irq_mis_count;
13081 +atomic_unchecked_t irq_mis_count;
13082
13083 /*
13084 * IO-APIC versions below 0x20 don't support EOI register.
13085 @@ -2487,7 +2487,7 @@ static void ack_apic_level(struct irq_da
13086 * at the cpu.
13087 */
13088 if (!(v & (1 << (i & 0x1f)))) {
13089 - atomic_inc(&irq_mis_count);
13090 + atomic_inc_unchecked(&irq_mis_count);
13091
13092 eoi_ioapic_irq(irq, cfg);
13093 }
13094 diff -urNp linux-2.6.39.3/arch/x86/kernel/apm_32.c linux-2.6.39.3/arch/x86/kernel/apm_32.c
13095 --- linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-19 00:06:34.000000000 -0400
13096 +++ linux-2.6.39.3/arch/x86/kernel/apm_32.c 2011-05-22 19:36:30.000000000 -0400
13097 @@ -412,7 +412,7 @@ static DEFINE_MUTEX(apm_mutex);
13098 * This is for buggy BIOS's that refer to (real mode) segment 0x40
13099 * even though they are called in protected mode.
13100 */
13101 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
13102 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
13103 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
13104
13105 static const char driver_version[] = "1.16ac"; /* no spaces */
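Review bot: The descriptor flags change from `0x4092` to `0x4093` without explanation, and the only difference is the lowest type bit. That bit is the segment "accessed" flag, so it is presumably pre-set so that loading the selector does not make the CPU write it back into a GDT that is kept read-only outside the `pax_open_kernel()` windows added below. If that is the reason, it should be recorded next to the initialiser: `/* accessed bit pre-set: loading 0x40 must not write to the (read-only) GDT */`.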
13106 @@ -590,7 +590,10 @@ static long __apm_bios_call(void *_call)
13107 BUG_ON(cpu != 0);
13108 gdt = get_cpu_gdt_table(cpu);
13109 save_desc_40 = gdt[0x40 / 8];
13110 +
13111 + pax_open_kernel();
13112 gdt[0x40 / 8] = bad_bios_desc;
13113 + pax_close_kernel();
13114
13115 apm_irq_save(flags);
13116 APM_DO_SAVE_SEGS;
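Review bot: The open/assign/close triple around `gdt[0x40 / 8]` is repeated four times across `__apm_bios_call` and `__apm_bios_call_simple` (this hunk and the next three). Each copy is a place where a later edit can add an early return between `pax_open_kernel()` and `pax_close_kernel()` and leave the kernel mapping writable. A small static helper keeps the window to exactly one store and makes the call sites one line each, e.g. `apm_write_gdt_entry(gdt, 0x40 / 8, &bad_bios_desc);`. Both function bodies extend beyond the hunks shown.

```c
/* Store one GDT slot while the kernel mapping is temporarily writable. */
static void apm_write_gdt_entry(struct desc_struct *gdt, unsigned int idx,
				const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[idx] = *desc;
	pax_close_kernel();
}
```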
13117 @@ -599,7 +602,11 @@ static long __apm_bios_call(void *_call)
13118 &call->esi);
13119 APM_DO_RESTORE_SEGS;
13120 apm_irq_restore(flags);
13121 +
13122 + pax_open_kernel();
13123 gdt[0x40 / 8] = save_desc_40;
13124 + pax_close_kernel();
13125 +
13126 put_cpu();
13127
13128 return call->eax & 0xff;
13129 @@ -666,7 +673,10 @@ static long __apm_bios_call_simple(void
13130 BUG_ON(cpu != 0);
13131 gdt = get_cpu_gdt_table(cpu);
13132 save_desc_40 = gdt[0x40 / 8];
13133 +
13134 + pax_open_kernel();
13135 gdt[0x40 / 8] = bad_bios_desc;
13136 + pax_close_kernel();
13137
13138 apm_irq_save(flags);
13139 APM_DO_SAVE_SEGS;
13140 @@ -674,7 +684,11 @@ static long __apm_bios_call_simple(void
13141 &call->eax);
13142 APM_DO_RESTORE_SEGS;
13143 apm_irq_restore(flags);
13144 +
13145 + pax_open_kernel();
13146 gdt[0x40 / 8] = save_desc_40;
13147 + pax_close_kernel();
13148 +
13149 put_cpu();
13150 return error;
13151 }
13152 @@ -2351,12 +2365,15 @@ static int __init apm_init(void)
13153 * code to that CPU.
13154 */
13155 gdt = get_cpu_gdt_table(0);
13156 +
13157 + pax_open_kernel();
13158 set_desc_base(&gdt[APM_CS >> 3],
13159 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
13160 set_desc_base(&gdt[APM_CS_16 >> 3],
13161 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
13162 set_desc_base(&gdt[APM_DS >> 3],
13163 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
13164 + pax_close_kernel();
13165
13166 proc_create("apm", 0, NULL, &apm_file_ops);
13167
13168 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c
13169 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-19 00:06:34.000000000 -0400
13170 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets_64.c 2011-05-22 19:36:30.000000000 -0400
13171 @@ -69,6 +69,7 @@ int main(void)
13172 BLANK();
13173 #undef ENTRY
13174
13175 + DEFINE(TSS_size, sizeof(struct tss_struct));
13176 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
13177 BLANK();
13178
13179 diff -urNp linux-2.6.39.3/arch/x86/kernel/asm-offsets.c linux-2.6.39.3/arch/x86/kernel/asm-offsets.c
13180 --- linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-19 00:06:34.000000000 -0400
13181 +++ linux-2.6.39.3/arch/x86/kernel/asm-offsets.c 2011-05-25 17:35:48.000000000 -0400
13182 @@ -33,6 +33,8 @@ void common(void) {
13183 OFFSET(TI_status, thread_info, status);
13184 OFFSET(TI_addr_limit, thread_info, addr_limit);
13185 OFFSET(TI_preempt_count, thread_info, preempt_count);
13186 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
13187 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
13188
13189 BLANK();
13190 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
13191 @@ -53,8 +55,26 @@ void common(void) {
13192 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
13193 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
13194 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
13195 +
13196 +#ifdef CONFIG_PAX_KERNEXEC
13197 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
13198 +#endif
13199 +
13200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13201 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
13202 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
13203 +#ifdef CONFIG_X86_64
13204 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
13205 +#endif
13206 #endif
13207
13208 +#endif
13209 +
13210 + BLANK();
13211 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
13212 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
13213 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
13214 +
13215 #ifdef CONFIG_XEN
13216 BLANK();
13217 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
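Review bot: The conditional nesting is hard to follow after this change, because the pre-existing `#endif` context line now closes the new `CONFIG_PAX_MEMORY_UDEREF` block and the added `+#endif` closes the outer conditional that was opened above the hunk. The result is balanced, but a later merge against upstream can easily attach an `#endif` to the wrong level. Trailing comments would make the pairing explicit: `#endif /* CONFIG_X86_64 */`, `#endif /* CONFIG_PAX_MEMORY_UDEREF */` and a matching one on the last `#endif`, naming whatever the outer `#ifdef` tests.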
13218 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/amd.c linux-2.6.39.3/arch/x86/kernel/cpu/amd.c
13219 --- linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:04:13.000000000 -0400
13220 +++ linux-2.6.39.3/arch/x86/kernel/cpu/amd.c 2011-06-03 00:32:04.000000000 -0400
13221 @@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
13222 unsigned int size)
13223 {
13224 /* AMD errata T13 (order #21922) */
13225 - if ((c->x86 == 6)) {
13226 + if (c->x86 == 6) {
13227 /* Duron Rev A0 */
13228 if (c->x86_model == 3 && c->x86_mask == 0)
13229 size = 64;
13230 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/common.c linux-2.6.39.3/arch/x86/kernel/cpu/common.c
13231 --- linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:04:13.000000000 -0400
13232 +++ linux-2.6.39.3/arch/x86/kernel/cpu/common.c 2011-06-03 00:32:04.000000000 -0400
13233 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
13234
13235 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
13236
13237 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
13238 -#ifdef CONFIG_X86_64
13239 - /*
13240 - * We need valid kernel segments for data and code in long mode too
13241 - * IRET will check the segment types kkeil 2000/10/28
13242 - * Also sysret mandates a special GDT layout
13243 - *
13244 - * TLS descriptors are currently at a different place compared to i386.
13245 - * Hopefully nobody expects them at a fixed place (Wine?)
13246 - */
13247 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
13248 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
13249 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
13250 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
13251 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
13252 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
13253 -#else
13254 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
13255 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13256 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
13257 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
13258 - /*
13259 - * Segments used for calling PnP BIOS have byte granularity.
13260 - * They code segments and data segments have fixed 64k limits,
13261 - * the transfer segment sizes are set at run time.
13262 - */
13263 - /* 32-bit code */
13264 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13265 - /* 16-bit code */
13266 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13267 - /* 16-bit data */
13268 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
13269 - /* 16-bit data */
13270 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
13271 - /* 16-bit data */
13272 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
13273 - /*
13274 - * The APM segments have byte granularity and their bases
13275 - * are set at run time. All have 64k limits.
13276 - */
13277 - /* 32-bit code */
13278 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
13279 - /* 16-bit code */
13280 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
13281 - /* data */
13282 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
13283 -
13284 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13285 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
13286 - GDT_STACK_CANARY_INIT
13287 -#endif
13288 -} };
13289 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
13290 -
13291 static int __init x86_xsave_setup(char *s)
13292 {
13293 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
13294 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
13295 {
13296 struct desc_ptr gdt_descr;
13297
13298 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
13299 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13300 gdt_descr.size = GDT_SIZE - 1;
13301 load_gdt(&gdt_descr);
13302 /* Reload the per-cpu base */
13303 @@ -824,6 +770,10 @@ static void __cpuinit identify_cpu(struc
13304 /* Filter out anything that depends on CPUID levels we don't have */
13305 filter_cpuid_features(c, true);
13306
13307 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
13308 + setup_clear_cpu_cap(X86_FEATURE_SEP);
13309 +#endif
13310 +
13311 /* If the model name is still unset, do table lookup. */
13312 if (!c->x86_model_id[0]) {
13313 const char *p;
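Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` is added with no comment, so the reader cannot tell why SEGMEXEC, KERNEXEC and 32-bit UDEREF each require the SEP capability to be hidden. Because this silently removes a CPU feature from every processor on affected builds, the reason belongs next to the call, e.g. `/* these PaX modes cannot use the SYSENTER fast path; hide SEP so it is never enabled (confirm) */`. The `identify_cpu` body continues outside the hunk.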
13314 @@ -1003,6 +953,9 @@ static __init int setup_disablecpuid(cha
13315 }
13316 __setup("clearcpuid=", setup_disablecpuid);
13317
13318 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
13319 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
13320 +
13321 #ifdef CONFIG_X86_64
13322 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
13323
13324 @@ -1018,7 +971,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
13325 EXPORT_PER_CPU_SYMBOL(current_task);
13326
13327 DEFINE_PER_CPU(unsigned long, kernel_stack) =
13328 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
13329 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
13330 EXPORT_PER_CPU_SYMBOL(kernel_stack);
13331
13332 DEFINE_PER_CPU(char *, irq_stack_ptr) =
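Review bot: The new initialiser replaces the named `KERNEL_STACK_OFFSET` with the literal `16`, leaving the gap at the top of the init stack as a magic number that any other user of the same offset must now match by hand. Whether the value itself changes is not visible here. If it does, redefining the macro keeps a single source of truth; if the macro is being retired, the literal needs a comment such as `/* 16 bytes reserved at the top of the stack; must match the entry code */`.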
13333 @@ -1083,7 +1036,7 @@ struct pt_regs * __cpuinit idle_regs(str
13334 {
13335 memset(regs, 0, sizeof(struct pt_regs));
13336 regs->fs = __KERNEL_PERCPU;
13337 - regs->gs = __KERNEL_STACK_CANARY;
13338 + savesegment(gs, regs->gs);
13339
13340 return regs;
13341 }
13342 @@ -1138,7 +1091,7 @@ void __cpuinit cpu_init(void)
13343 int i;
13344
13345 cpu = stack_smp_processor_id();
13346 - t = &per_cpu(init_tss, cpu);
13347 + t = init_tss + cpu;
13348 oist = &per_cpu(orig_ist, cpu);
13349
13350 #ifdef CONFIG_NUMA
13351 @@ -1164,7 +1117,7 @@ void __cpuinit cpu_init(void)
13352 switch_to_new_gdt(cpu);
13353 loadsegment(fs, 0);
13354
13355 - load_idt((const struct desc_ptr *)&idt_descr);
13356 + load_idt(&idt_descr);
13357
13358 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
13359 syscall_init();
13360 @@ -1173,7 +1126,6 @@ void __cpuinit cpu_init(void)
13361 wrmsrl(MSR_KERNEL_GS_BASE, 0);
13362 barrier();
13363
13364 - x86_configure_nx();
13365 if (cpu != 0)
13366 enable_x2apic();
13367
13368 @@ -1227,7 +1179,7 @@ void __cpuinit cpu_init(void)
13369 {
13370 int cpu = smp_processor_id();
13371 struct task_struct *curr = current;
13372 - struct tss_struct *t = &per_cpu(init_tss, cpu);
13373 + struct tss_struct *t = init_tss + cpu;
13374 struct thread_struct *thread = &curr->thread;
13375
13376 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
13377 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/intel.c linux-2.6.39.3/arch/x86/kernel/cpu/intel.c
13378 --- linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-19 00:06:34.000000000 -0400
13379 +++ linux-2.6.39.3/arch/x86/kernel/cpu/intel.c 2011-05-22 19:36:30.000000000 -0400
13380 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
13381 * Update the IDT descriptor and reload the IDT so that
13382 * it uses the read-only mapped virtual address.
13383 */
13384 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
13385 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
13386 load_idt(&idt_descr);
13387 }
13388 #endif
13389 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/Makefile linux-2.6.39.3/arch/x86/kernel/cpu/Makefile
13390 --- linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-19 00:06:34.000000000 -0400
13391 +++ linux-2.6.39.3/arch/x86/kernel/cpu/Makefile 2011-05-22 19:36:30.000000000 -0400
13392 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
13393 CFLAGS_REMOVE_perf_event.o = -pg
13394 endif
13395
13396 -# Make sure load_percpu_segment has no stackprotector
13397 -nostackp := $(call cc-option, -fno-stack-protector)
13398 -CFLAGS_common.o := $(nostackp)
13399 -
13400 obj-y := intel_cacheinfo.o scattered.o topology.o
13401 obj-y += proc.o capflags.o powerflags.o common.o
13402 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
13403 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c
13404 --- linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-19 00:06:34.000000000 -0400
13405 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-22 19:36:30.000000000 -0400
13406 @@ -46,6 +46,7 @@
13407 #include <asm/ipi.h>
13408 #include <asm/mce.h>
13409 #include <asm/msr.h>
13410 +#include <asm/local.h>
13411
13412 #include "mce-internal.h"
13413
13414 @@ -220,7 +221,7 @@ static void print_mce(struct mce *m)
13415 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
13416 m->cs, m->ip);
13417
13418 - if (m->cs == __KERNEL_CS)
13419 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
13420 print_symbol("{%s}", m->ip);
13421 pr_cont("\n");
13422 }
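Review bot: `__KERNEXEC_KERNEL_CS` is referenced unconditionally in the new `print_mce()` condition, while the entry_32.S part of this patch only touches that selector inside `#ifdef CONFIG_PAX_KERNEXEC`. Its definition is outside this view, so it is worth confirming that the constant exists in every configuration mce.c is built for; if it does not, the second comparison needs the same guard. `print_mce()` begins outside the hunk.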
13423 @@ -244,10 +245,10 @@ static void print_mce(struct mce *m)
13424
13425 #define PANIC_TIMEOUT 5 /* 5 seconds */
13426
13427 -static atomic_t mce_paniced;
13428 +static atomic_unchecked_t mce_paniced;
13429
13430 static int fake_panic;
13431 -static atomic_t mce_fake_paniced;
13432 +static atomic_unchecked_t mce_fake_paniced;
13433
13434 /* Panic in progress. Enable interrupts and wait for final IPI */
13435 static void wait_for_panic(void)
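Review bot: `mce_paniced` and `mce_fake_paniced` become `atomic_unchecked_t` with no comment saying why these two counters opt out of the overflow checking that the checked `atomic_t` is presumably given elsewhere in this patch. A reader of `mce_reset()` further down will see `mce_fake_paniced` reset through the `_unchecked` accessor next to `mce_executing`, `mce_callin` and `global_nwo`, which stay on plain `atomic_set()`, and will not know which is the exception. Suggest a line above the declarations such as `/* panic-entry counters, not reference counts: wrap-around is harmless, so unchecked */`. The same rationale covers the accessor changes in the `mce_panic()`, `mce_timed_out()` and `mce_reset()` hunks.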
13436 @@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
13437 /*
13438 * Make sure only one CPU runs in machine check panic
13439 */
13440 - if (atomic_inc_return(&mce_paniced) > 1)
13441 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
13442 wait_for_panic();
13443 barrier();
13444
13445 @@ -279,7 +280,7 @@ static void mce_panic(char *msg, struct
13446 console_verbose();
13447 } else {
13448 /* Don't log too much for fake panic */
13449 - if (atomic_inc_return(&mce_fake_paniced) > 1)
13450 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
13451 return;
13452 }
13453 /* First print corrected ones that are still unlogged */
13454 @@ -647,7 +648,7 @@ static int mce_timed_out(u64 *t)
13455 * might have been modified by someone else.
13456 */
13457 rmb();
13458 - if (atomic_read(&mce_paniced))
13459 + if (atomic_read_unchecked(&mce_paniced))
13460 wait_for_panic();
13461 if (!monarch_timeout)
13462 goto out;
13463 @@ -1461,14 +1462,14 @@ void __cpuinit mcheck_cpu_init(struct cp
13464 */
13465
13466 static DEFINE_SPINLOCK(mce_state_lock);
13467 -static int open_count; /* #times opened */
13468 +static local_t open_count; /* #times opened */
13469 static int open_exclu; /* already open exclusive? */
13470
13471 static int mce_open(struct inode *inode, struct file *file)
13472 {
13473 spin_lock(&mce_state_lock);
13474
13475 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
13476 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
13477 spin_unlock(&mce_state_lock);
13478
13479 return -EBUSY;
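Review bot: `open_count` is only read and modified with `mce_state_lock` held in the visible code (here and in the `mce_release()` hunk), so the move from `int` to `local_t` is not needed for atomicity and the reason for it is not stated. If the intent is overflow detection on the open counter, which is a guess from the rest of the patch, say so at the declaration, e.g. `/* local_t for overflow checking; always accessed under mce_state_lock */`. `mce_open()` continues past the end of this hunk.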
13480 @@ -1476,7 +1477,7 @@ static int mce_open(struct inode *inode,
13481
13482 if (file->f_flags & O_EXCL)
13483 open_exclu = 1;
13484 - open_count++;
13485 + local_inc(&open_count);
13486
13487 spin_unlock(&mce_state_lock);
13488
13489 @@ -1487,7 +1488,7 @@ static int mce_release(struct inode *ino
13490 {
13491 spin_lock(&mce_state_lock);
13492
13493 - open_count--;
13494 + local_dec(&open_count);
13495 open_exclu = 0;
13496
13497 spin_unlock(&mce_state_lock);
13498 @@ -2174,7 +2175,7 @@ struct dentry *mce_get_debugfs_dir(void)
13499 static void mce_reset(void)
13500 {
13501 cpu_missing = 0;
13502 - atomic_set(&mce_fake_paniced, 0);
13503 + atomic_set_unchecked(&mce_fake_paniced, 0);
13504 atomic_set(&mce_executing, 0);
13505 atomic_set(&mce_callin, 0);
13506 atomic_set(&global_nwo, 0);
13507 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c
13508 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-19 00:06:34.000000000 -0400
13509 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/main.c 2011-05-22 19:36:30.000000000 -0400
13510 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
13511 u64 size_or_mask, size_and_mask;
13512 static bool mtrr_aps_delayed_init;
13513
13514 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
13515 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
13516
13517 const struct mtrr_ops *mtrr_if;
13518
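Review bot: `mtrr_ops[]` is now `__read_only`, but the code that stores into the array is outside this hunk, so it cannot be seen whether every store happens before the section is write-protected. A late store would fault instead of silently succeeding, so the writers should be checked, or documented as init-only, together with this change. Note also that `mtrr_if` two lines below, which selects the active ops table, remains an ordinary writable pointer.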
13519 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h
13520 --- linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-19 00:06:34.000000000 -0400
13521 +++ linux-2.6.39.3/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-05-22 19:36:30.000000000 -0400
13522 @@ -12,19 +12,19 @@
13523 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
13524
13525 struct mtrr_ops {
13526 - u32 vendor;
13527 - u32 use_intel_if;
13528 - void (*set)(unsigned int reg, unsigned long base,
13529 + const u32 vendor;
13530 + const u32 use_intel_if;
13531 + void (* const set)(unsigned int reg, unsigned long base,
13532 unsigned long size, mtrr_type type);
13533 - void (*set_all)(void);
13534 + void (* const set_all)(void);
13535
13536 - void (*get)(unsigned int reg, unsigned long *base,
13537 + void (* const get)(unsigned int reg, unsigned long *base,
13538 unsigned long *size, mtrr_type *type);
13539 - int (*get_free_region)(unsigned long base, unsigned long size,
13540 + int (* const get_free_region)(unsigned long base, unsigned long size,
13541 int replace_reg);
13542 - int (*validate_add_page)(unsigned long base, unsigned long size,
13543 + int (* const validate_add_page)(unsigned long base, unsigned long size,
13544 unsigned int type);
13545 - int (*have_wrcomb)(void);
13546 + int (* const have_wrcomb)(void);
13547 };
13548
13549 extern int generic_get_free_region(unsigned long base, unsigned long size,
13550 diff -urNp linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c
13551 --- linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-19 00:06:34.000000000 -0400
13552 +++ linux-2.6.39.3/arch/x86/kernel/cpu/perf_event.c 2011-05-22 19:36:30.000000000 -0400
13553 @@ -774,6 +774,8 @@ static int x86_schedule_events(struct cp
13554 int i, j, w, wmax, num = 0;
13555 struct hw_perf_event *hwc;
13556
13557 + pax_track_stack();
13558 +
13559 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
13560
13561 for (i = 0; i < n; i++) {
13562 @@ -1878,7 +1880,7 @@ perf_callchain_user(struct perf_callchai
13563 break;
13564
13565 perf_callchain_store(entry, frame.return_address);
13566 - fp = frame.next_frame;
13567 + fp = (__force const void __user *)frame.next_frame;
13568 }
13569 }
13570
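Review bot: The `__force` cast on `frame.next_frame` only silences the address-space annotation check; it adds no validation of a value that, from the loop shape, appears to come out of the user's own stack frame. Safety of the next iteration therefore rests entirely on the user-copy of `frame` at the top of the loop, which is outside this hunk. A one-line comment would record that dependency, e.g. `/* user-supplied pointer; only ever dereferenced through the user-copy above */`.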
13571 diff -urNp linux-2.6.39.3/arch/x86/kernel/crash.c linux-2.6.39.3/arch/x86/kernel/crash.c
13572 --- linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-19 00:06:34.000000000 -0400
13573 +++ linux-2.6.39.3/arch/x86/kernel/crash.c 2011-05-22 19:36:30.000000000 -0400
13574 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
13575 regs = args->regs;
13576
13577 #ifdef CONFIG_X86_32
13578 - if (!user_mode_vm(regs)) {
13579 + if (!user_mode(regs)) {
13580 crash_fixup_ss_esp(&fixed_regs, regs);
13581 regs = &fixed_regs;
13582 }
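Review bot: `user_mode()` replaces `user_mode_vm()` here and again in `show_registers()`, `__die()` and `die()` further down, but neither definition is part of this view. In the unpatched 2.6.39 tree the 32-bit `user_mode()` tests only the CS privilege bits, while `user_mode_vm()` also tests EFLAGS.VM, so the substitution is only equivalent if the patch redefines `user_mode()` to cover vm86 frames. That should be confirmed against the header change, because a vm86 frame classified as kernel mode would send these crash and oops paths down the kernel-register branch.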
13583 diff -urNp linux-2.6.39.3/arch/x86/kernel/doublefault_32.c linux-2.6.39.3/arch/x86/kernel/doublefault_32.c
13584 --- linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-19 00:06:34.000000000 -0400
13585 +++ linux-2.6.39.3/arch/x86/kernel/doublefault_32.c 2011-05-22 19:36:30.000000000 -0400
13586 @@ -11,7 +11,7 @@
13587
13588 #define DOUBLEFAULT_STACKSIZE (1024)
13589 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13590 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13591 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13592
13593 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13594
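Review bot: The `-2` added to `STACK_START` is unexplained, and because `doublefault_stack` is an `unsigned long` array it lowers the initial stack pointer by two words, not two bytes. A comment on the macro should say what the reserved words are for, e.g. `/* keep two words free at the top of the double-fault stack */`. Since the line is being touched anyway, the expansion should also be wrapped as `((unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2))` so the cast cannot bind differently inside a larger expression.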
13595 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13596 unsigned long gdt, tss;
13597
13598 store_gdt(&gdt_desc);
13599 - gdt = gdt_desc.address;
13600 + gdt = (unsigned long)gdt_desc.address;
13601
13602 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13603
13604 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13605 /* 0x2 bit is always set */
13606 .flags = X86_EFLAGS_SF | 0x2,
13607 .sp = STACK_START,
13608 - .es = __USER_DS,
13609 + .es = __KERNEL_DS,
13610 .cs = __KERNEL_CS,
13611 .ss = __KERNEL_DS,
13612 - .ds = __USER_DS,
13613 + .ds = __KERNEL_DS,
13614 .fs = __KERNEL_PERCPU,
13615
13616 .__cr3 = __pa_nodebug(swapper_pg_dir),
13617 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c
13618 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-19 00:06:34.000000000 -0400
13619 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_32.c 2011-05-22 19:36:30.000000000 -0400
13620 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
13621 bp = stack_frame(task, regs);
13622
13623 for (;;) {
13624 - struct thread_info *context;
13625 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13626
13627 - context = (struct thread_info *)
13628 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13629 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
13630 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13631
13632 - stack = (unsigned long *)context->previous_esp;
13633 - if (!stack)
13634 + if (stack_start == task_stack_page(task))
13635 break;
13636 + stack = *(unsigned long **)stack_start;
13637 if (ops->stack(data, "IRQ") < 0)
13638 break;
13639 touch_nmi_watchdog();
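Review bot: The new loop in `dump_trace()` loads `stack = *(unsigned long **)stack_start` with no NULL check, where the old code stopped when `context->previous_esp` was NULL; termination now depends solely on reaching `task_stack_page(task)`. If the first word of a non-task stack is zero or stale, the next iteration masks that value and dereferences it again, in a path that runs while an oops is being reported. Unless the rest of the patch guarantees a valid link word at the base of every IRQ stack (not visible here), keep a guard after the load: `if (!stack) break;`. `dump_trace()` starts and ends outside the hunk.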
13640 @@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
13641 * When in-kernel, we also print out the stack and code at the
13642 * time of the fault..
13643 */
13644 - if (!user_mode_vm(regs)) {
13645 + if (!user_mode(regs)) {
13646 unsigned int code_prologue = code_bytes * 43 / 64;
13647 unsigned int code_len = code_bytes;
13648 unsigned char c;
13649 u8 *ip;
13650 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13651
13652 printk(KERN_EMERG "Stack:\n");
13653 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
13654
13655 printk(KERN_EMERG "Code: ");
13656
13657 - ip = (u8 *)regs->ip - code_prologue;
13658 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13659 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13660 /* try starting at IP */
13661 - ip = (u8 *)regs->ip;
13662 + ip = (u8 *)regs->ip + cs_base;
13663 code_len = code_len - code_prologue + 1;
13664 }
13665 for (i = 0; i < code_len; i++, ip++) {
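Review bot: `cs_base` indexes the per-CPU GDT with `(0xffff & regs->cs) >> 3` without checking that the index lies inside the table, and this runs on the oops path, where `regs` may itself be damaged. A bounded form costs little: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `unsigned long cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. That also splits a declaration that currently runs well past 100 columns. `show_registers()` begins outside the hunk.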
13666 @@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
13667 printk(" Bad EIP value.");
13668 break;
13669 }
13670 - if (ip == (u8 *)regs->ip)
13671 + if (ip == (u8 *)regs->ip + cs_base)
13672 printk("<%02x> ", c);
13673 else
13674 printk("%02x ", c);
13675 @@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
13676 {
13677 unsigned short ud2;
13678
13679 + ip = ktla_ktva(ip);
13680 if (ip < PAGE_OFFSET)
13681 return 0;
13682 if (probe_kernel_address((unsigned short *)ip, ud2))
13683 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c
13684 --- linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-19 00:06:34.000000000 -0400
13685 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack_64.c 2011-05-22 19:36:30.000000000 -0400
13686 @@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
13687 unsigned long *irq_stack_end =
13688 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13689 unsigned used = 0;
13690 - struct thread_info *tinfo;
13691 int graph = 0;
13692 unsigned long dummy;
13693 + void *stack_start;
13694
13695 if (!task)
13696 task = current;
13697 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
13698 * current stack address. If the stacks consist of nested
13699 * exceptions
13700 */
13701 - tinfo = task_thread_info(task);
13702 for (;;) {
13703 char *id;
13704 unsigned long *estack_end;
13705 +
13706 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13707 &used, &id);
13708
13709 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
13710 if (ops->stack(data, id) < 0)
13711 break;
13712
13713 - bp = ops->walk_stack(tinfo, stack, bp, ops,
13714 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13715 data, estack_end, &graph);
13716 ops->stack(data, "<EOE>");
13717 /*
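Review bot: `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on an `unsigned long *` (see the declaration a few lines above), so it steps back `EXCEPTION_STKSZ * sizeof(unsigned long)` bytes rather than `EXCEPTION_STKSZ` bytes, assuming that constant is a byte count as its name suggests. From the visible part of `valid_stack_ptr()` the start argument looks to be ignored when `end` is non-NULL, which would make this harmless today, but the value passed is still not the base of the exception stack. Suggest `(void *)estack_end - EXCEPTION_STKSZ`, the same byte-wise `void *` arithmetic `valid_stack_ptr()` already uses for `end-THREAD_SIZE`.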
13718 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
13719 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
13720 if (ops->stack(data, "IRQ") < 0)
13721 break;
13722 - bp = ops->walk_stack(tinfo, stack, bp,
13723 + bp = ops->walk_stack(task, irq_stack, stack, bp,
13724 ops, data, irq_stack_end, &graph);
13725 /*
13726 * We link to the next stack (which would be
13727 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
13728 /*
13729 * This handles the process stack:
13730 */
13731 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13732 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13733 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13734 put_cpu();
13735 }
13736 EXPORT_SYMBOL(dump_trace);
13737 diff -urNp linux-2.6.39.3/arch/x86/kernel/dumpstack.c linux-2.6.39.3/arch/x86/kernel/dumpstack.c
13738 --- linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-19 00:06:34.000000000 -0400
13739 +++ linux-2.6.39.3/arch/x86/kernel/dumpstack.c 2011-05-22 19:41:32.000000000 -0400
13740 @@ -2,6 +2,9 @@
13741 * Copyright (C) 1991, 1992 Linus Torvalds
13742 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13743 */
13744 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13745 +#define __INCLUDED_BY_HIDESYM 1
13746 +#endif
13747 #include <linux/kallsyms.h>
13748 #include <linux/kprobes.h>
13749 #include <linux/uaccess.h>
13750 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
13751 static void
13752 print_ftrace_graph_addr(unsigned long addr, void *data,
13753 const struct stacktrace_ops *ops,
13754 - struct thread_info *tinfo, int *graph)
13755 + struct task_struct *task, int *graph)
13756 {
13757 - struct task_struct *task = tinfo->task;
13758 unsigned long ret_addr;
13759 int index = task->curr_ret_stack;
13760
13761 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
13762 static inline void
13763 print_ftrace_graph_addr(unsigned long addr, void *data,
13764 const struct stacktrace_ops *ops,
13765 - struct thread_info *tinfo, int *graph)
13766 + struct task_struct *task, int *graph)
13767 { }
13768 #endif
13769
13770 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
13771 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13772 */
13773
13774 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13775 - void *p, unsigned int size, void *end)
13776 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13777 {
13778 - void *t = tinfo;
13779 if (end) {
13780 if (p < end && p >= (end-THREAD_SIZE))
13781 return 1;
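Review bot: The first parameter of `valid_stack_ptr()` is now a bare `void *t`, a name left over from the removed local, while both callers in this file pass a variable called `stack_start`. Declaring it as `void *stack_start` would make the bounds check readable without knowing the history. A line in the comment above should also say that it is the lowest address of the stack being walked. The function body continues outside the hunk.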
13782 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
13783 }
13784
13785 unsigned long
13786 -print_context_stack(struct thread_info *tinfo,
13787 +print_context_stack(struct task_struct *task, void *stack_start,
13788 unsigned long *stack, unsigned long bp,
13789 const struct stacktrace_ops *ops, void *data,
13790 unsigned long *end, int *graph)
13791 {
13792 struct stack_frame *frame = (struct stack_frame *)bp;
13793
13794 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13795 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13796 unsigned long addr;
13797
13798 addr = *stack;
13799 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
13800 } else {
13801 ops->address(data, addr, 0);
13802 }
13803 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13804 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13805 }
13806 stack++;
13807 }
13808 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
13809 EXPORT_SYMBOL_GPL(print_context_stack);
13810
13811 unsigned long
13812 -print_context_stack_bp(struct thread_info *tinfo,
13813 +print_context_stack_bp(struct task_struct *task, void *stack_start,
13814 unsigned long *stack, unsigned long bp,
13815 const struct stacktrace_ops *ops, void *data,
13816 unsigned long *end, int *graph)
13817 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
13818 struct stack_frame *frame = (struct stack_frame *)bp;
13819 unsigned long *ret_addr = &frame->return_address;
13820
13821 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
13822 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
13823 unsigned long addr = *ret_addr;
13824
13825 if (!__kernel_text_address(addr))
13826 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
13827 ops->address(data, addr, 1);
13828 frame = frame->next_frame;
13829 ret_addr = &frame->return_address;
13830 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13831 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13832 }
13833
13834 return (unsigned long)frame;
13835 @@ -202,7 +202,7 @@ void dump_stack(void)
13836
13837 bp = stack_frame(current, NULL);
13838 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13839 - current->pid, current->comm, print_tainted(),
13840 + task_pid_nr(current), current->comm, print_tainted(),
13841 init_utsname()->release,
13842 (int)strcspn(init_utsname()->version, " "),
13843 init_utsname()->version);
13844 @@ -238,6 +238,8 @@ unsigned __kprobes long oops_begin(void)
13845 }
13846 EXPORT_SYMBOL_GPL(oops_begin);
13847
13848 +extern void gr_handle_kernel_exploit(void);
13849 +
13850 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13851 {
13852 if (regs && kexec_should_crash(current))
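Review bot: `gr_handle_kernel_exploit()` is declared with a bare `extern` inside dumpstack.c, so the compiler cannot check this prototype against the definition if the two ever drift. The declaration belongs in a header that both this file and the defining file include. The call added to `oops_end()` in the next hunk is unconditional, so that header should also supply an empty inline stub for any configuration that does not build the definition; whether such a configuration exists is not visible here.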
13853 @@ -259,7 +261,10 @@ void __kprobes oops_end(unsigned long fl
13854 panic("Fatal exception in interrupt");
13855 if (panic_on_oops)
13856 panic("Fatal exception");
13857 - do_exit(signr);
13858 +
13859 + gr_handle_kernel_exploit();
13860 +
13861 + do_group_exit(signr);
13862 }
13863
13864 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
13865 @@ -286,7 +291,7 @@ int __kprobes __die(const char *str, str
13866
13867 show_registers(regs);
13868 #ifdef CONFIG_X86_32
13869 - if (user_mode_vm(regs)) {
13870 + if (user_mode(regs)) {
13871 sp = regs->sp;
13872 ss = regs->ss & 0xffff;
13873 } else {
13874 @@ -314,7 +319,7 @@ void die(const char *str, struct pt_regs
13875 unsigned long flags = oops_begin();
13876 int sig = SIGSEGV;
13877
13878 - if (!user_mode_vm(regs))
13879 + if (!user_mode(regs))
13880 report_bug(regs->ip, regs);
13881
13882 if (__die(str, regs, err))
13883 diff -urNp linux-2.6.39.3/arch/x86/kernel/early_printk.c linux-2.6.39.3/arch/x86/kernel/early_printk.c
13884 --- linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-19 00:06:34.000000000 -0400
13885 +++ linux-2.6.39.3/arch/x86/kernel/early_printk.c 2011-05-22 19:36:30.000000000 -0400
13886 @@ -7,6 +7,7 @@
13887 #include <linux/pci_regs.h>
13888 #include <linux/pci_ids.h>
13889 #include <linux/errno.h>
13890 +#include <linux/sched.h>
13891 #include <asm/io.h>
13892 #include <asm/processor.h>
13893 #include <asm/fcntl.h>
13894 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
13895 int n;
13896 va_list ap;
13897
13898 + pax_track_stack();
13899 +
13900 va_start(ap, fmt);
13901 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13902 early_console->write(early_console, buf, n);
13903 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_32.S linux-2.6.39.3/arch/x86/kernel/entry_32.S
13904 --- linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-19 00:06:34.000000000 -0400
13905 +++ linux-2.6.39.3/arch/x86/kernel/entry_32.S 2011-05-23 17:07:00.000000000 -0400
13906 @@ -185,13 +185,146 @@
13907 /*CFI_REL_OFFSET gs, PT_GS*/
13908 .endm
13909 .macro SET_KERNEL_GS reg
13910 +
13911 +#ifdef CONFIG_CC_STACKPROTECTOR
13912 movl $(__KERNEL_STACK_CANARY), \reg
13913 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13914 + movl $(__USER_DS), \reg
13915 +#else
13916 + xorl \reg, \reg
13917 +#endif
13918 +
13919 movl \reg, %gs
13920 .endm
13921
13922 #endif /* CONFIG_X86_32_LAZY_GS */
13923
13924 -.macro SAVE_ALL
13925 +.macro pax_enter_kernel
13926 +#ifdef CONFIG_PAX_KERNEXEC
13927 + call pax_enter_kernel
13928 +#endif
13929 +.endm
13930 +
13931 +.macro pax_exit_kernel
13932 +#ifdef CONFIG_PAX_KERNEXEC
13933 + call pax_exit_kernel
13934 +#endif
13935 +.endm
13936 +
13937 +#ifdef CONFIG_PAX_KERNEXEC
13938 +ENTRY(pax_enter_kernel)
13939 +#ifdef CONFIG_PARAVIRT
13940 + pushl %eax
13941 + pushl %ecx
13942 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13943 + mov %eax, %esi
13944 +#else
13945 + mov %cr0, %esi
13946 +#endif
13947 + bts $16, %esi
13948 + jnc 1f
13949 + mov %cs, %esi
13950 + cmp $__KERNEL_CS, %esi
13951 + jz 3f
13952 + ljmp $__KERNEL_CS, $3f
13953 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13954 +2:
13955 +#ifdef CONFIG_PARAVIRT
13956 + mov %esi, %eax
13957 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13958 +#else
13959 + mov %esi, %cr0
13960 +#endif
13961 +3:
13962 +#ifdef CONFIG_PARAVIRT
13963 + popl %ecx
13964 + popl %eax
13965 +#endif
13966 + ret
13967 +ENDPROC(pax_enter_kernel)
13968 +
13969 +ENTRY(pax_exit_kernel)
13970 +#ifdef CONFIG_PARAVIRT
13971 + pushl %eax
13972 + pushl %ecx
13973 +#endif
13974 + mov %cs, %esi
13975 + cmp $__KERNEXEC_KERNEL_CS, %esi
13976 + jnz 2f
13977 +#ifdef CONFIG_PARAVIRT
13978 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13979 + mov %eax, %esi
13980 +#else
13981 + mov %cr0, %esi
13982 +#endif
13983 + btr $16, %esi
13984 + ljmp $__KERNEL_CS, $1f
13985 +1:
13986 +#ifdef CONFIG_PARAVIRT
13987 + mov %esi, %eax
13988 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13989 +#else
13990 + mov %esi, %cr0
13991 +#endif
13992 +2:
13993 +#ifdef CONFIG_PARAVIRT
13994 + popl %ecx
13995 + popl %eax
13996 +#endif
13997 + ret
13998 +ENDPROC(pax_exit_kernel)
13999 +#endif
14000 +
14001 +.macro pax_erase_kstack
14002 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14003 + call pax_erase_kstack
14004 +#endif
14005 +.endm
14006 +
14007 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14008 +/*
14009 + * ebp: thread_info
14010 + * ecx, edx: can be clobbered
14011 + */
14012 +ENTRY(pax_erase_kstack)
14013 + pushl %edi
14014 + pushl %eax
14015 +
14016 + mov TI_lowest_stack(%ebp), %edi
14017 + mov $-0xBEEF, %eax
14018 + std
14019 +
14020 +1: mov %edi, %ecx
14021 + and $THREAD_SIZE_asm - 1, %ecx
14022 + shr $2, %ecx
14023 + repne scasl
14024 + jecxz 2f
14025 +
14026 + cmp $2*16, %ecx
14027 + jc 2f
14028 +
14029 + mov $2*16, %ecx
14030 + repe scasl
14031 + jecxz 2f
14032 + jne 1b
14033 +
14034 +2: cld
14035 + mov %esp, %ecx
14036 + sub %edi, %ecx
14037 + shr $2, %ecx
14038 + rep stosl
14039 +
14040 + mov TI_task_thread_sp0(%ebp), %edi
14041 + sub $128, %edi
14042 + mov %edi, TI_lowest_stack(%ebp)
14043 +
14044 + popl %eax
14045 + popl %edi
14046 + ret
14047 +ENDPROC(pax_erase_kstack)
14048 +#endif
14049 +
14050 +.macro __SAVE_ALL _DS
14051 cld
14052 PUSH_GS
14053 pushl_cfi %fs
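Review bot: `pax_enter_kernel` and `pax_exit_kernel` both use `%esi` as scratch without saving it (only `%eax`/`%ecx` are preserved, and only under CONFIG_PARAVIRT), yet neither carries a register-contract comment like the one on `pax_erase_kstack` below them. The callers visible in this file invoke them after the register frame has been saved, so this looks intentional, but it should be written down, e.g. `/* clobbers %esi; call only after the register frame has been saved */`. The literal `$16` in the `bts`/`btr` instructions would also read better with a comment naming it as the CR0 write-protect bit. The hunk ends inside the `__SAVE_ALL` macro.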
14054 @@ -214,7 +347,7 @@
14055 CFI_REL_OFFSET ecx, 0
14056 pushl_cfi %ebx
14057 CFI_REL_OFFSET ebx, 0
14058 - movl $(__USER_DS), %edx
14059 + movl $\_DS, %edx
14060 movl %edx, %ds
14061 movl %edx, %es
14062 movl $(__KERNEL_PERCPU), %edx
14063 @@ -222,6 +355,15 @@
14064 SET_KERNEL_GS %edx
14065 .endm
14066
14067 +.macro SAVE_ALL
14068 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
14069 + __SAVE_ALL __KERNEL_DS
14070 + pax_enter_kernel
14071 +#else
14072 + __SAVE_ALL __USER_DS
14073 +#endif
14074 +.endm
14075 +
14076 .macro RESTORE_INT_REGS
14077 popl_cfi %ebx
14078 CFI_RESTORE ebx
14079 @@ -332,7 +474,15 @@ check_userspace:
14080 movb PT_CS(%esp), %al
14081 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
14082 cmpl $USER_RPL, %eax
14083 +
14084 +#ifdef CONFIG_PAX_KERNEXEC
14085 + jae resume_userspace
14086 +
14087 + PAX_EXIT_KERNEL
14088 + jmp resume_kernel
14089 +#else
14090 jb resume_kernel # not returning to v8086 or userspace
14091 +#endif
14092
14093 ENTRY(resume_userspace)
14094 LOCKDEP_SYS_EXIT
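Review bot: The macro is invoked here as `PAX_EXIT_KERNEL`, but it is defined earlier in this file as lower-case `pax_exit_kernel`, and every other use in this patch section (after both `do_nmi` calls) is lower-case. It may still resolve, through the assembler's macro lookup or a preprocessor definition outside this view, but the mixed spelling makes it unclear which definition is intended. Use `pax_exit_kernel` here to match.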
14095 @@ -344,7 +494,7 @@ ENTRY(resume_userspace)
14096 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
14097 # int/exception return?
14098 jne work_pending
14099 - jmp restore_all
14100 + jmp restore_all_pax
14101 END(ret_from_exception)
14102
14103 #ifdef CONFIG_PREEMPT
14104 @@ -394,23 +544,34 @@ sysenter_past_esp:
14105 /*CFI_REL_OFFSET cs, 0*/
14106 /*
14107 * Push current_thread_info()->sysenter_return to the stack.
14108 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
14109 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
14110 */
14111 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
14112 + pushl_cfi $0
14113 CFI_REL_OFFSET eip, 0
14114
14115 pushl_cfi %eax
14116 SAVE_ALL
14117 + GET_THREAD_INFO(%ebp)
14118 + movl TI_sysenter_return(%ebp),%ebp
14119 + movl %ebp,PT_EIP(%esp)
14120 ENABLE_INTERRUPTS(CLBR_NONE)
14121
14122 /*
14123 * Load the potential sixth argument from user stack.
14124 * Careful about security.
14125 */
14126 + movl PT_OLDESP(%esp),%ebp
14127 +
14128 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14129 + mov PT_OLDSS(%esp),%ds
14130 +1: movl %ds:(%ebp),%ebp
14131 + push %ss
14132 + pop %ds
14133 +#else
14134 cmpl $__PAGE_OFFSET-3,%ebp
14135 jae syscall_fault
14136 1: movl (%ebp),%ebp
14137 +#endif
14138 +
14139 movl %ebp,PT_EBP(%esp)
14140 .section __ex_table,"a"
14141 .align 4
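Review bot: The retained comment "Push current_thread_info()->sysenter_return to the stack." no longer describes the code: the new line pushes `$0`, and the real value is written to `PT_EIP(%esp)` only after `SAVE_ALL`. Suggest rewording it to something like `/* Reserve the EIP slot; it is filled from TI_sysenter_return after SAVE_ALL. */`. In the CONFIG_PAX_MEMORY_UDEREF branch, a comment should note that `%ds` briefly holds the saved user stack segment for the single load at label `1:`. It is reloaded by `push %ss; pop %ds` here and, per a later hunk, in `syscall_fault` on the fault path, and a future edit could easily break that pairing.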
14142 @@ -433,12 +594,23 @@ sysenter_do_call:
14143 testl $_TIF_ALLWORK_MASK, %ecx
14144 jne sysexit_audit
14145 sysenter_exit:
14146 +
14147 +#ifdef CONFIG_PAX_RANDKSTACK
14148 + pushl_cfi %eax
14149 + call pax_randomize_kstack
14150 + popl_cfi %eax
14151 +#endif
14152 +
14153 + pax_erase_kstack
14154 +
14155 /* if something modifies registers it must also disable sysexit */
14156 movl PT_EIP(%esp), %edx
14157 movl PT_OLDESP(%esp), %ecx
14158 xorl %ebp,%ebp
14159 TRACE_IRQS_ON
14160 1: mov PT_FS(%esp), %fs
14161 +2: mov PT_DS(%esp), %ds
14162 +3: mov PT_ES(%esp), %es
14163 PTGS_TO_GS
14164 ENABLE_INTERRUPTS_SYSEXIT
14165
14166 @@ -455,6 +627,9 @@ sysenter_audit:
14167 movl %eax,%edx /* 2nd arg: syscall number */
14168 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14169 call audit_syscall_entry
14170 +
14171 + pax_erase_kstack
14172 +
14173 pushl_cfi %ebx
14174 movl PT_EAX(%esp),%eax /* reload syscall number */
14175 jmp sysenter_do_call
14176 @@ -481,11 +656,17 @@ sysexit_audit:
14177
14178 CFI_ENDPROC
14179 .pushsection .fixup,"ax"
14180 -2: movl $0,PT_FS(%esp)
14181 +4: movl $0,PT_FS(%esp)
14182 + jmp 1b
14183 +5: movl $0,PT_DS(%esp)
14184 + jmp 1b
14185 +6: movl $0,PT_ES(%esp)
14186 jmp 1b
14187 .section __ex_table,"a"
14188 .align 4
14189 - .long 1b,2b
14190 + .long 1b,4b
14191 + .long 2b,5b
14192 + .long 3b,6b
14193 .popsection
14194 PTGS_TO_GS_EX
14195 ENDPROC(ia32_sysenter_target)
14196 @@ -518,6 +699,14 @@ syscall_exit:
14197 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14198 jne syscall_exit_work
14199
14200 +restore_all_pax:
14201 +
14202 +#ifdef CONFIG_PAX_RANDKSTACK
14203 + call pax_randomize_kstack
14204 +#endif
14205 +
14206 + pax_erase_kstack
14207 +
14208 restore_all:
14209 TRACE_IRQS_IRET
14210 restore_all_notrace:
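Review bot: `restore_all_pax` calls `pax_randomize_kstack` without preserving `%eax`, whereas `sysenter_exit` in an earlier hunk wraps the same call in `pushl_cfi %eax` / `popl_cfi %eax`. If `%eax` is dead at this label because the return value already sits in the saved frame, a comment saying so keeps the asymmetry from looking like an omission. `pax_erase_kstack` is documented as needing thread_info in `%ebp`, so every jump to this label has to guarantee that as well. Something like `/* %eax is dead here; %ebp must hold thread_info for pax_erase_kstack */` above the label would cover both.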
14211 @@ -577,14 +766,21 @@ ldt_ss:
14212 * compensating for the offset by changing to the ESPFIX segment with
14213 * a base address that matches for the difference.
14214 */
14215 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
14216 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
14217 mov %esp, %edx /* load kernel esp */
14218 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14219 mov %dx, %ax /* eax: new kernel esp */
14220 sub %eax, %edx /* offset (low word is 0) */
14221 +#ifdef CONFIG_SMP
14222 + movl PER_CPU_VAR(cpu_number), %ebx
14223 + shll $PAGE_SHIFT_asm, %ebx
14224 + addl $cpu_gdt_table, %ebx
14225 +#else
14226 + movl $cpu_gdt_table, %ebx
14227 +#endif
14228 shr $16, %edx
14229 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
14230 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
14231 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
14232 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
14233 pushl_cfi $__ESPFIX_SS
14234 pushl_cfi %eax /* new kernel esp */
14235 /* Disable interrupts, but do not irqtrace this section: we
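Review bot: `GDT_ESPFIX_SS` now expands to an `(%ebx)`-relative operand, so the macro silently depends on `%ebx` holding this CPU's GDT base. The sequence that computes that base under `#ifdef CONFIG_SMP` is repeated verbatim in the `FIXUP_ESPFIX_STACK` hunk further down. Factoring it into one assembler macro that takes the destination register, and using it at both sites, would keep the two copies in step. A comment should state that `%ebx` is clobbered and that `shll $PAGE_SHIFT_asm` assumes each CPU's entry in `cpu_gdt_table` occupies exactly one page.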
14236 @@ -613,29 +809,23 @@ work_resched:
14237 movl TI_flags(%ebp), %ecx
14238 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14239 # than syscall tracing?
14240 - jz restore_all
14241 + jz restore_all_pax
14242 testb $_TIF_NEED_RESCHED, %cl
14243 jnz work_resched
14244
14245 work_notifysig: # deal with pending signals and
14246 # notify-resume requests
14247 + movl %esp, %eax
14248 #ifdef CONFIG_VM86
14249 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14250 - movl %esp, %eax
14251 - jne work_notifysig_v86 # returning to kernel-space or
14252 + jz 1f # returning to kernel-space or
14253 # vm86-space
14254 - xorl %edx, %edx
14255 - call do_notify_resume
14256 - jmp resume_userspace_sig
14257
14258 - ALIGN
14259 -work_notifysig_v86:
14260 pushl_cfi %ecx # save ti_flags for do_notify_resume
14261 call save_v86_state # %eax contains pt_regs pointer
14262 popl_cfi %ecx
14263 movl %eax, %esp
14264 -#else
14265 - movl %esp, %eax
14266 +1:
14267 #endif
14268 xorl %edx, %edx
14269 call do_notify_resume
14270 @@ -648,6 +838,9 @@ syscall_trace_entry:
14271 movl $-ENOSYS,PT_EAX(%esp)
14272 movl %esp, %eax
14273 call syscall_trace_enter
14274 +
14275 + pax_erase_kstack
14276 +
14277 /* What it returned is what we'll actually use. */
14278 cmpl $(nr_syscalls), %eax
14279 jnae syscall_call
14280 @@ -670,6 +863,10 @@ END(syscall_exit_work)
14281
14282 RING0_INT_FRAME # can't unwind into user space anyway
14283 syscall_fault:
14284 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14285 + push %ss
14286 + pop %ds
14287 +#endif
14288 GET_THREAD_INFO(%ebp)
14289 movl $-EFAULT,PT_EAX(%esp)
14290 jmp resume_userspace
14291 @@ -752,6 +949,36 @@ ptregs_clone:
14292 CFI_ENDPROC
14293 ENDPROC(ptregs_clone)
14294
14295 + ALIGN;
14296 +ENTRY(kernel_execve)
14297 + CFI_STARTPROC
14298 + pushl_cfi %ebp
14299 + sub $PT_OLDSS+4,%esp
14300 + pushl_cfi %edi
14301 + pushl_cfi %ecx
14302 + pushl_cfi %eax
14303 + lea 3*4(%esp),%edi
14304 + mov $PT_OLDSS/4+1,%ecx
14305 + xorl %eax,%eax
14306 + rep stosl
14307 + popl_cfi %eax
14308 + popl_cfi %ecx
14309 + popl_cfi %edi
14310 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14311 + pushl_cfi %esp
14312 + call sys_execve
14313 + add $4,%esp
14314 + CFI_ADJUST_CFA_OFFSET -4
14315 + GET_THREAD_INFO(%ebp)
14316 + test %eax,%eax
14317 + jz syscall_exit
14318 + add $PT_OLDSS+4,%esp
14319 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
14320 + popl_cfi %ebp
14321 + ret
14322 + CFI_ENDPROC
14323 +ENDPROC(kernel_execve)
14324 +
14325 .macro FIXUP_ESPFIX_STACK
14326 /*
14327 * Switch back for ESPFIX stack to the normal zerobased stack
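Review bot: In `kernel_execve` the frame reservation `sub $PT_OLDSS+4,%esp` has no CFI annotation, while the matching release on the failure path is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`, so the unwind information is off by the frame size for the whole body. Add `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` directly after the `sub`. The routine also has no header comment; it should state which registers carry the arguments on entry and that the success path leaves through `syscall_exit` instead of returning to the caller.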
14328 @@ -761,8 +988,15 @@ ENDPROC(ptregs_clone)
14329 * normal stack and adjusts ESP with the matching offset.
14330 */
14331 /* fixup the stack */
14332 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
14333 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
14334 +#ifdef CONFIG_SMP
14335 + movl PER_CPU_VAR(cpu_number), %ebx
14336 + shll $PAGE_SHIFT_asm, %ebx
14337 + addl $cpu_gdt_table, %ebx
14338 +#else
14339 + movl $cpu_gdt_table, %ebx
14340 +#endif
14341 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
14342 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
14343 shl $16, %eax
14344 addl %esp, %eax /* the adjusted stack pointer */
14345 pushl_cfi $__KERNEL_DS
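Review bot: The added lines load the per-CPU GDT address into `%ebx`, but the two `mov` instructions that follow do not visibly use it, so the dependence is presumably hidden in a redefinition of `GDT_ESPFIX_SS` outside this hunk. I would state that at the point of use, e.g. `/* GDT_ESPFIX_SS is relative to %ebx (this CPU's GDT page); clobbers %ebx */`, so users of the macro know the register is not preserved. The `shll $PAGE_SHIFT_asm` also assumes exactly one page per CPU in `cpu_gdt_table`, which is worth naming in the same comment. The body of `FIXUP_ESPFIX_STACK` continues past the end of the hunk.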
14346 @@ -1213,7 +1447,6 @@ return_to_handler:
14347 jmp *%ecx
14348 #endif
14349
14350 -.section .rodata,"a"
14351 #include "syscall_table_32.S"
14352
14353 syscall_table_size=(.-sys_call_table)
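Review bot: With `.section .rodata,"a"` removed, nothing in this hunk places `sys_call_table` in a read-only section any more. Its placement now depends on a directive inside `syscall_table_32.S`, which is not visible here, or on whatever section the preceding code left active. If the directive moved into the included file, a one-line comment above the `#include`, such as `/* section is selected inside syscall_table_32.S */`, would make that explicit and guard against the table ending up writable after a later edit.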
14354 @@ -1259,9 +1492,12 @@ error_code:
14355 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14356 REG_TO_PTGS %ecx
14357 SET_KERNEL_GS %ecx
14358 - movl $(__USER_DS), %ecx
14359 + movl $(__KERNEL_DS), %ecx
14360 movl %ecx, %ds
14361 movl %ecx, %es
14362 +
14363 + pax_enter_kernel
14364 +
14365 TRACE_IRQS_OFF
14366 movl %esp,%eax # pt_regs pointer
14367 call *%edi
14368 @@ -1346,6 +1582,9 @@ nmi_stack_correct:
14369 xorl %edx,%edx # zero error code
14370 movl %esp,%eax # pt_regs pointer
14371 call do_nmi
14372 +
14373 + pax_exit_kernel
14374 +
14375 jmp restore_all_notrace
14376 CFI_ENDPROC
14377
14378 @@ -1382,6 +1621,9 @@ nmi_espfix_stack:
14379 FIXUP_ESPFIX_STACK # %eax == %esp
14380 xorl %edx,%edx # zero error code
14381 call do_nmi
14382 +
14383 + pax_exit_kernel
14384 +
14385 RESTORE_REGS
14386 lss 12+4(%esp), %esp # back to espfix stack
14387 CFI_ADJUST_CFA_OFFSET -24
14388 diff -urNp linux-2.6.39.3/arch/x86/kernel/entry_64.S linux-2.6.39.3/arch/x86/kernel/entry_64.S
14389 --- linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-19 00:06:34.000000000 -0400
14390 +++ linux-2.6.39.3/arch/x86/kernel/entry_64.S 2011-05-23 17:10:49.000000000 -0400
14391 @@ -53,6 +53,7 @@
14392 #include <asm/paravirt.h>
14393 #include <asm/ftrace.h>
14394 #include <asm/percpu.h>
14395 +#include <asm/pgtable.h>
14396
14397 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14398 #include <linux/elf-em.h>
14399 @@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
14400 ENDPROC(native_usergs_sysret64)
14401 #endif /* CONFIG_PARAVIRT */
14402
14403 + .macro ljmpq sel, off
14404 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14405 + .byte 0x48; ljmp *1234f(%rip)
14406 + .pushsection .rodata
14407 + .align 16
14408 + 1234: .quad \off; .word \sel
14409 + .popsection
14410 +#else
14411 + pushq $\sel
14412 + pushq $\off
14413 + lretq
14414 +#endif
14415 + .endm
14416 +
14417 + .macro pax_enter_kernel
14418 +#ifdef CONFIG_PAX_KERNEXEC
14419 + call pax_enter_kernel
14420 +#endif
14421 + .endm
14422 +
14423 + .macro pax_exit_kernel
14424 +#ifdef CONFIG_PAX_KERNEXEC
14425 + call pax_exit_kernel
14426 +#endif
14427 + .endm
14428 +
14429 +#ifdef CONFIG_PAX_KERNEXEC
14430 +ENTRY(pax_enter_kernel)
14431 + pushq %rdi
14432 +
14433 +#ifdef CONFIG_PARAVIRT
14434 + PV_SAVE_REGS(CLBR_RDI)
14435 +#endif
14436 +
14437 + GET_CR0_INTO_RDI
14438 + bts $16,%rdi
14439 + jnc 1f
14440 + mov %cs,%edi
14441 + cmp $__KERNEL_CS,%edi
14442 + jz 3f
14443 + ljmpq __KERNEL_CS,3f
14444 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14445 +2: SET_RDI_INTO_CR0
14446 +3:
14447 +
14448 +#ifdef CONFIG_PARAVIRT
14449 + PV_RESTORE_REGS(CLBR_RDI)
14450 +#endif
14451 +
14452 + popq %rdi
14453 + retq
14454 +ENDPROC(pax_enter_kernel)
14455 +
14456 +ENTRY(pax_exit_kernel)
14457 + pushq %rdi
14458 +
14459 +#ifdef CONFIG_PARAVIRT
14460 + PV_SAVE_REGS(CLBR_RDI)
14461 +#endif
14462 +
14463 + mov %cs,%rdi
14464 + cmp $__KERNEXEC_KERNEL_CS,%edi
14465 + jnz 2f
14466 + GET_CR0_INTO_RDI
14467 + btr $16,%rdi
14468 + ljmpq __KERNEL_CS,1f
14469 +1: SET_RDI_INTO_CR0
14470 +2:
14471 +
14472 +#ifdef CONFIG_PARAVIRT
14473 + PV_RESTORE_REGS(CLBR_RDI);
14474 +#endif
14475 +
14476 + popq %rdi
14477 + retq
14478 +ENDPROC(pax_exit_kernel)
14479 +#endif
14480 +
14481 + .macro pax_enter_kernel_user
14482 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14483 + call pax_enter_kernel_user
14484 +#endif
14485 + .endm
14486 +
14487 + .macro pax_exit_kernel_user
14488 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14489 + call pax_exit_kernel_user
14490 +#endif
14491 +#ifdef CONFIG_PAX_RANDKSTACK
14492 + push %rax
14493 + call pax_randomize_kstack
14494 + pop %rax
14495 +#endif
14496 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14497 + call pax_erase_kstack
14498 +#endif
14499 + .endm
14500 +
14501 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14502 +ENTRY(pax_enter_kernel_user)
14503 + pushq %rdi
14504 + pushq %rbx
14505 +
14506 +#ifdef CONFIG_PARAVIRT
14507 + PV_SAVE_REGS(CLBR_RDI)
14508 +#endif
14509 +
14510 + GET_CR3_INTO_RDI
14511 + mov %rdi,%rbx
14512 + add $__START_KERNEL_map,%rbx
14513 + sub phys_base(%rip),%rbx
14514 +
14515 +#ifdef CONFIG_PARAVIRT
14516 + pushq %rdi
14517 + cmpl $0, pv_info+PARAVIRT_enabled
14518 + jz 1f
14519 + i = 0
14520 + .rept USER_PGD_PTRS
14521 + mov i*8(%rbx),%rsi
14522 + mov $0,%sil
14523 + lea i*8(%rbx),%rdi
14524 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14525 + i = i + 1
14526 + .endr
14527 + jmp 2f
14528 +1:
14529 +#endif
14530 +
14531 + i = 0
14532 + .rept USER_PGD_PTRS
14533 + movb $0,i*8(%rbx)
14534 + i = i + 1
14535 + .endr
14536 +
14537 +#ifdef CONFIG_PARAVIRT
14538 +2: popq %rdi
14539 +#endif
14540 + SET_RDI_INTO_CR3
14541 +
14542 +#ifdef CONFIG_PAX_KERNEXEC
14543 + GET_CR0_INTO_RDI
14544 + bts $16,%rdi
14545 + SET_RDI_INTO_CR0
14546 +#endif
14547 +
14548 +#ifdef CONFIG_PARAVIRT
14549 + PV_RESTORE_REGS(CLBR_RDI)
14550 +#endif
14551 +
14552 + popq %rbx
14553 + popq %rdi
14554 + retq
14555 +ENDPROC(pax_enter_kernel_user)
14556 +
14557 +ENTRY(pax_exit_kernel_user)
14558 + push %rdi
14559 +
14560 +#ifdef CONFIG_PARAVIRT
14561 + pushq %rbx
14562 + PV_SAVE_REGS(CLBR_RDI)
14563 +#endif
14564 +
14565 +#ifdef CONFIG_PAX_KERNEXEC
14566 + GET_CR0_INTO_RDI
14567 + btr $16,%rdi
14568 + SET_RDI_INTO_CR0
14569 +#endif
14570 +
14571 + GET_CR3_INTO_RDI
14572 + add $__START_KERNEL_map,%rdi
14573 + sub phys_base(%rip),%rdi
14574 +
14575 +#ifdef CONFIG_PARAVIRT
14576 + cmpl $0, pv_info+PARAVIRT_enabled
14577 + jz 1f
14578 + mov %rdi,%rbx
14579 + i = 0
14580 + .rept USER_PGD_PTRS
14581 + mov i*8(%rbx),%rsi
14582 + mov $0x67,%sil
14583 + lea i*8(%rbx),%rdi
14584 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
14585 + i = i + 1
14586 + .endr
14587 + jmp 2f
14588 +1:
14589 +#endif
14590 +
14591 + i = 0
14592 + .rept USER_PGD_PTRS
14593 + movb $0x67,i*8(%rdi)
14594 + i = i + 1
14595 + .endr
14596 +
14597 +#ifdef CONFIG_PARAVIRT
14598 +2: PV_RESTORE_REGS(CLBR_RDI)
14599 + popq %rbx
14600 +#endif
14601 +
14602 + popq %rdi
14603 + retq
14604 +ENDPROC(pax_exit_kernel_user)
14605 +#endif
14606 +
14607 + .macro pax_erase_kstack
14608 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14609 + call pax_erase_kstack
14610 +#endif
14611 + .endm
14612 +
14613 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14614 +/*
14615 + * r10: thread_info
14616 + * rcx, rdx: can be clobbered
14617 + */
14618 +ENTRY(pax_erase_kstack)
14619 + pushq %rdi
14620 + pushq %rax
14621 +
14622 + GET_THREAD_INFO(%r10)
14623 + mov TI_lowest_stack(%r10), %rdi
14624 + mov $-0xBEEF, %rax
14625 + std
14626 +
14627 +1: mov %edi, %ecx
14628 + and $THREAD_SIZE_asm - 1, %ecx
14629 + shr $3, %ecx
14630 + repne scasq
14631 + jecxz 2f
14632 +
14633 + cmp $2*8, %ecx
14634 + jc 2f
14635 +
14636 + mov $2*8, %ecx
14637 + repe scasq
14638 + jecxz 2f
14639 + jne 1b
14640 +
14641 +2: cld
14642 + mov %esp, %ecx
14643 + sub %edi, %ecx
14644 + shr $3, %ecx
14645 + rep stosq
14646 +
14647 + mov TI_task_thread_sp0(%r10), %rdi
14648 + sub $256, %rdi
14649 + mov %rdi, TI_lowest_stack(%r10)
14650 +
14651 + popq %rax
14652 + popq %rdi
14653 + ret
14654 +ENDPROC(pax_erase_kstack)
14655 +#endif
14656
14657 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14658 #ifdef CONFIG_TRACE_IRQFLAGS
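Review bot: The header comment on `pax_erase_kstack` does not match the code below it. It names `%r10` as the thread_info input and `%rcx`, `%rdx` as clobbered, but the routine loads `%r10` itself with `GET_THREAD_INFO(%r10)`, never touches `%rdx`, and saves only `%rdi` and `%rax`. I would rewrite it as `/* clobbers r10 (thread_info), rcx and flags; preserves rdi, rax */` so the call sites can be checked against it. The same hunk uses bare constants for security-relevant values: `$16` in the `bts`/`btr` on CR0 (the WP bit), `$0` and `$0x67` written to the low byte of the user PGD entries, and `$-0xBEEF` as the stack fill pattern. Each deserves a short comment or a named constant.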
14659 @@ -318,7 +572,7 @@ ENTRY(save_args)
14660 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
14661 movq_cfi rbp, 8 /* push %rbp */
14662 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14663 - testl $3, CS(%rdi)
14664 + testb $3, CS(%rdi)
14665 je 1f
14666 SWAPGS
14667 /*
14668 @@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
14669
14670 RESTORE_REST
14671
14672 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14673 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14674 je int_ret_from_sys_call
14675
14676 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14677 @@ -455,7 +709,7 @@ END(ret_from_fork)
14678 ENTRY(system_call)
14679 CFI_STARTPROC simple
14680 CFI_SIGNAL_FRAME
14681 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14682 + CFI_DEF_CFA rsp,0
14683 CFI_REGISTER rip,rcx
14684 /*CFI_REGISTER rflags,r11*/
14685 SWAPGS_UNSAFE_STACK
14686 @@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
14687
14688 movq %rsp,PER_CPU_VAR(old_rsp)
14689 movq PER_CPU_VAR(kernel_stack),%rsp
14690 + pax_enter_kernel_user
14691 /*
14692 * No need to follow this irqs off/on section - it's straight
14693 * and short:
14694 */
14695 ENABLE_INTERRUPTS(CLBR_NONE)
14696 - SAVE_ARGS 8,1
14697 + SAVE_ARGS 8*6,1
14698 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14699 movq %rcx,RIP-ARGOFFSET(%rsp)
14700 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14701 @@ -502,6 +757,7 @@ sysret_check:
14702 andl %edi,%edx
14703 jnz sysret_careful
14704 CFI_REMEMBER_STATE
14705 + pax_exit_kernel_user
14706 /*
14707 * sysretq will re-enable interrupts:
14708 */
14709 @@ -560,6 +816,9 @@ auditsys:
14710 movq %rax,%rsi /* 2nd arg: syscall number */
14711 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14712 call audit_syscall_entry
14713 +
14714 + pax_erase_kstack
14715 +
14716 LOAD_ARGS 0 /* reload call-clobbered registers */
14717 jmp system_call_fastpath
14718
14719 @@ -590,6 +849,9 @@ tracesys:
14720 FIXUP_TOP_OF_STACK %rdi
14721 movq %rsp,%rdi
14722 call syscall_trace_enter
14723 +
14724 + pax_erase_kstack
14725 +
14726 /*
14727 * Reload arg registers from stack in case ptrace changed them.
14728 * We don't reload %rax because syscall_trace_enter() returned
14729 @@ -611,7 +873,7 @@ tracesys:
14730 GLOBAL(int_ret_from_sys_call)
14731 DISABLE_INTERRUPTS(CLBR_NONE)
14732 TRACE_IRQS_OFF
14733 - testl $3,CS-ARGOFFSET(%rsp)
14734 + testb $3,CS-ARGOFFSET(%rsp)
14735 je retint_restore_args
14736 movl $_TIF_ALLWORK_MASK,%edi
14737 /* edi: mask to check */
14738 @@ -793,6 +1055,16 @@ END(interrupt)
14739 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
14740 call save_args
14741 PARTIAL_FRAME 0
14742 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14743 + testb $3, CS(%rdi)
14744 + jnz 1f
14745 + pax_enter_kernel
14746 + jmp 2f
14747 +1: pax_enter_kernel_user
14748 +2:
14749 +#else
14750 + pax_enter_kernel
14751 +#endif
14752 call \func
14753 .endm
14754
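Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` block added here is repeated verbatim in the later hunks for the `ENTRY(\sym)` exception macros and `ENTRY(nmi)`, differing only in the base register of the `CS(...)` operand (`%rdi` here, `%rsp` elsewhere). Seven hand-copied instances of an entry-path privilege check are easy to let drift apart. I would define one assembler macro next to `pax_enter_kernel_user` and invoke it at each site. The macro name below is only a suggestion, and the body of the `interrupt` macro starts outside this hunk.

```asm
	/* enter-kernel hook: choose the user or kernel variant from the saved CS */
	.macro pax_enter_kernel_from base
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, CS(\base)
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* … unchanged: call save_args, PARTIAL_FRAME 0 … */
	pax_enter_kernel_from %rdi
	call \func
```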
14755 @@ -825,7 +1097,7 @@ ret_from_intr:
14756 CFI_ADJUST_CFA_OFFSET -8
14757 exit_intr:
14758 GET_THREAD_INFO(%rcx)
14759 - testl $3,CS-ARGOFFSET(%rsp)
14760 + testb $3,CS-ARGOFFSET(%rsp)
14761 je retint_kernel
14762
14763 /* Interrupt came from user space */
14764 @@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
14765 * The iretq could re-enable interrupts:
14766 */
14767 DISABLE_INTERRUPTS(CLBR_ANY)
14768 + pax_exit_kernel_user
14769 TRACE_IRQS_IRETQ
14770 SWAPGS
14771 jmp restore_args
14772
14773 retint_restore_args: /* return to kernel space */
14774 DISABLE_INTERRUPTS(CLBR_ANY)
14775 + pax_exit_kernel
14776 /*
14777 * The iretq could re-enable interrupts:
14778 */
14779 @@ -1027,6 +1301,16 @@ ENTRY(\sym)
14780 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14781 call error_entry
14782 DEFAULT_FRAME 0
14783 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14784 + testb $3, CS(%rsp)
14785 + jnz 1f
14786 + pax_enter_kernel
14787 + jmp 2f
14788 +1: pax_enter_kernel_user
14789 +2:
14790 +#else
14791 + pax_enter_kernel
14792 +#endif
14793 movq %rsp,%rdi /* pt_regs pointer */
14794 xorl %esi,%esi /* no error code */
14795 call \do_sym
14796 @@ -1044,6 +1328,16 @@ ENTRY(\sym)
14797 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14798 call save_paranoid
14799 TRACE_IRQS_OFF
14800 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14801 + testb $3, CS(%rsp)
14802 + jnz 1f
14803 + pax_enter_kernel
14804 + jmp 2f
14805 +1: pax_enter_kernel_user
14806 +2:
14807 +#else
14808 + pax_enter_kernel
14809 +#endif
14810 movq %rsp,%rdi /* pt_regs pointer */
14811 xorl %esi,%esi /* no error code */
14812 call \do_sym
14813 @@ -1052,7 +1346,7 @@ ENTRY(\sym)
14814 END(\sym)
14815 .endm
14816
14817 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
14818 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
14819 .macro paranoidzeroentry_ist sym do_sym ist
14820 ENTRY(\sym)
14821 INTR_FRAME
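Review bot: `INIT_TSS_IST(x)` now expands to an operand relative to `%r12`, and nothing at the definition says so. It is only valid after the `lea init_tss(...), %r12` sequence that the next hunk adds inside `paranoidzeroentry_ist`. A comment on the `#define`, e.g. `/* requires %r12 = this CPU's init_tss; r12 is callee-saved across \do_sym */`, would keep a later user from expanding it with a stale register. The `paranoidzeroentry_ist` macro body continues outside this hunk.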
14822 @@ -1062,8 +1356,24 @@ ENTRY(\sym)
14823 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14824 call save_paranoid
14825 TRACE_IRQS_OFF
14826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14827 + testb $3, CS(%rsp)
14828 + jnz 1f
14829 + pax_enter_kernel
14830 + jmp 2f
14831 +1: pax_enter_kernel_user
14832 +2:
14833 +#else
14834 + pax_enter_kernel
14835 +#endif
14836 movq %rsp,%rdi /* pt_regs pointer */
14837 xorl %esi,%esi /* no error code */
14838 +#ifdef CONFIG_SMP
14839 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
14840 + lea init_tss(%r12), %r12
14841 +#else
14842 + lea init_tss(%rip), %r12
14843 +#endif
14844 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14845 call \do_sym
14846 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
14847 @@ -1080,6 +1390,16 @@ ENTRY(\sym)
14848 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14849 call error_entry
14850 DEFAULT_FRAME 0
14851 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14852 + testb $3, CS(%rsp)
14853 + jnz 1f
14854 + pax_enter_kernel
14855 + jmp 2f
14856 +1: pax_enter_kernel_user
14857 +2:
14858 +#else
14859 + pax_enter_kernel
14860 +#endif
14861 movq %rsp,%rdi /* pt_regs pointer */
14862 movq ORIG_RAX(%rsp),%rsi /* get error code */
14863 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14864 @@ -1099,6 +1419,16 @@ ENTRY(\sym)
14865 call save_paranoid
14866 DEFAULT_FRAME 0
14867 TRACE_IRQS_OFF
14868 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14869 + testb $3, CS(%rsp)
14870 + jnz 1f
14871 + pax_enter_kernel
14872 + jmp 2f
14873 +1: pax_enter_kernel_user
14874 +2:
14875 +#else
14876 + pax_enter_kernel
14877 +#endif
14878 movq %rsp,%rdi /* pt_regs pointer */
14879 movq ORIG_RAX(%rsp),%rsi /* get error code */
14880 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14881 @@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
14882 TRACE_IRQS_OFF
14883 testl %ebx,%ebx /* swapgs needed? */
14884 jnz paranoid_restore
14885 - testl $3,CS(%rsp)
14886 + testb $3,CS(%rsp)
14887 jnz paranoid_userspace
14888 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14889 + pax_exit_kernel
14890 + TRACE_IRQS_IRETQ 0
14891 + SWAPGS_UNSAFE_STACK
14892 + RESTORE_ALL 8
14893 + jmp irq_return
14894 +#endif
14895 paranoid_swapgs:
14896 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14897 + pax_exit_kernel_user
14898 +#else
14899 + pax_exit_kernel
14900 +#endif
14901 TRACE_IRQS_IRETQ 0
14902 SWAPGS_UNSAFE_STACK
14903 RESTORE_ALL 8
14904 jmp irq_return
14905 paranoid_restore:
14906 + pax_exit_kernel
14907 TRACE_IRQS_IRETQ 0
14908 RESTORE_ALL 8
14909 jmp irq_return
14910 @@ -1426,7 +1769,7 @@ ENTRY(error_entry)
14911 movq_cfi r14, R14+8
14912 movq_cfi r15, R15+8
14913 xorl %ebx,%ebx
14914 - testl $3,CS+8(%rsp)
14915 + testb $3,CS+8(%rsp)
14916 je error_kernelspace
14917 error_swapgs:
14918 SWAPGS
14919 @@ -1490,6 +1833,16 @@ ENTRY(nmi)
14920 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
14921 call save_paranoid
14922 DEFAULT_FRAME 0
14923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14924 + testb $3, CS(%rsp)
14925 + jnz 1f
14926 + pax_enter_kernel
14927 + jmp 2f
14928 +1: pax_enter_kernel_user
14929 +2:
14930 +#else
14931 + pax_enter_kernel
14932 +#endif
14933 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14934 movq %rsp,%rdi
14935 movq $-1,%rsi
14936 @@ -1500,11 +1853,25 @@ ENTRY(nmi)
14937 DISABLE_INTERRUPTS(CLBR_NONE)
14938 testl %ebx,%ebx /* swapgs needed? */
14939 jnz nmi_restore
14940 - testl $3,CS(%rsp)
14941 + testb $3,CS(%rsp)
14942 jnz nmi_userspace
14943 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14944 + pax_exit_kernel
14945 + SWAPGS_UNSAFE_STACK
14946 + RESTORE_ALL 8
14947 + jmp irq_return
14948 +#endif
14949 nmi_swapgs:
14950 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14951 + pax_exit_kernel_user
14952 +#else
14953 + pax_exit_kernel
14954 +#endif
14955 SWAPGS_UNSAFE_STACK
14956 + RESTORE_ALL 8
14957 + jmp irq_return
14958 nmi_restore:
14959 + pax_exit_kernel
14960 RESTORE_ALL 8
14961 jmp irq_return
14962 nmi_userspace:
14963 diff -urNp linux-2.6.39.3/arch/x86/kernel/ftrace.c linux-2.6.39.3/arch/x86/kernel/ftrace.c
14964 --- linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-19 00:06:34.000000000 -0400
14965 +++ linux-2.6.39.3/arch/x86/kernel/ftrace.c 2011-05-22 19:36:30.000000000 -0400
14966 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
14967 static void *mod_code_newcode; /* holds the text to write to the IP */
14968
14969 static unsigned nmi_wait_count;
14970 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14971 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14972
14973 int ftrace_arch_read_dyn_info(char *buf, int size)
14974 {
14975 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14976
14977 r = snprintf(buf, size, "%u %u",
14978 nmi_wait_count,
14979 - atomic_read(&nmi_update_count));
14980 + atomic_read_unchecked(&nmi_update_count));
14981 return r;
14982 }
14983
14984 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
14985
14986 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14987 smp_rmb();
14988 + pax_open_kernel();
14989 ftrace_mod_code();
14990 - atomic_inc(&nmi_update_count);
14991 + pax_close_kernel();
14992 + atomic_inc_unchecked(&nmi_update_count);
14993 }
14994 /* Must have previous changes seen before executions */
14995 smp_mb();
14996 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
14997 {
14998 unsigned char replaced[MCOUNT_INSN_SIZE];
14999
15000 + ip = ktla_ktva(ip);
15001 +
15002 /*
15003 * Note: Due to modules and __init, code can
15004 * disappear and change, we need to protect against faulting
15005 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15006 unsigned char old[MCOUNT_INSN_SIZE], *new;
15007 int ret;
15008
15009 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15010 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15011 new = ftrace_call_replace(ip, (unsigned long)func);
15012 ret = ftrace_modify_code(ip, old, new);
15013
15014 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
15015 {
15016 unsigned char code[MCOUNT_INSN_SIZE];
15017
15018 + ip = ktla_ktva(ip);
15019 +
15020 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15021 return -EFAULT;
15022
15023 diff -urNp linux-2.6.39.3/arch/x86/kernel/head32.c linux-2.6.39.3/arch/x86/kernel/head32.c
15024 --- linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-19 00:06:34.000000000 -0400
15025 +++ linux-2.6.39.3/arch/x86/kernel/head32.c 2011-05-22 19:36:30.000000000 -0400
15026 @@ -19,6 +19,7 @@
15027 #include <asm/io_apic.h>
15028 #include <asm/bios_ebda.h>
15029 #include <asm/tlbflush.h>
15030 +#include <asm/boot.h>
15031
15032 static void __init i386_default_early_setup(void)
15033 {
15034 @@ -34,7 +35,7 @@ void __init i386_start_kernel(void)
15035 {
15036 memblock_init();
15037
15038 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15039 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15040
15041 #ifdef CONFIG_BLK_DEV_INITRD
15042 /* Reserve INITRD */
15043 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_32.S linux-2.6.39.3/arch/x86/kernel/head_32.S
15044 --- linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-05-19 00:06:34.000000000 -0400
15045 +++ linux-2.6.39.3/arch/x86/kernel/head_32.S 2011-07-06 20:00:13.000000000 -0400
15046 @@ -25,6 +25,12 @@
15047 /* Physical address */
15048 #define pa(X) ((X) - __PAGE_OFFSET)
15049
15050 +#ifdef CONFIG_PAX_KERNEXEC
15051 +#define ta(X) (X)
15052 +#else
15053 +#define ta(X) ((X) - __PAGE_OFFSET)
15054 +#endif
15055 +
15056 /*
15057 * References to members of the new_cpu_data structure.
15058 */
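Review bot: The new `ta()` macro has no comment, unlike `pa()` directly above it. Its two definitions differ in a way every user has to know: under `CONFIG_PAX_KERNEXEC` it is the identity, otherwise it subtracts `__PAGE_OFFSET` exactly as `pa()` does. A one-line comment should say which address space `ta()` is meant to yield and why KERNEXEC makes the subtraction unnecessary. The answer presumably lies in the code-segment base set up in `startup_32`, but that cannot be confirmed from this hunk.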
15059 @@ -54,11 +60,7 @@
15060 * and small than max_low_pfn, otherwise will waste some page table entries
15061 */
15062
15063 -#if PTRS_PER_PMD > 1
15064 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15065 -#else
15066 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15067 -#endif
15068 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15069
15070 /* Number of possible pages in the lowmem region */
15071 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
15072 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15073 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15074
15075 /*
15076 + * Real beginning of normal "text" segment
15077 + */
15078 +ENTRY(stext)
15079 +ENTRY(_stext)
15080 +
15081 +/*
15082 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15083 * %esi points to the real-mode code as a 32-bit pointer.
15084 * CS and DS must be 4 GB flat segments, but we don't depend on
15085 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15086 * can.
15087 */
15088 __HEAD
15089 +
15090 +#ifdef CONFIG_PAX_KERNEXEC
15091 + jmp startup_32
15092 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15093 +.fill PAGE_SIZE-5,1,0xcc
15094 +#endif
15095 +
15096 ENTRY(startup_32)
15097 movl pa(stack_start),%ecx
15098
15099 @@ -105,6 +120,57 @@ ENTRY(startup_32)
15100 2:
15101 leal -__PAGE_OFFSET(%ecx),%esp
15102
15103 +#ifdef CONFIG_SMP
15104 + movl $pa(cpu_gdt_table),%edi
15105 + movl $__per_cpu_load,%eax
15106 + movw %ax,__KERNEL_PERCPU + 2(%edi)
15107 + rorl $16,%eax
15108 + movb %al,__KERNEL_PERCPU + 4(%edi)
15109 + movb %ah,__KERNEL_PERCPU + 7(%edi)
15110 + movl $__per_cpu_end - 1,%eax
15111 + subl $__per_cpu_start,%eax
15112 + movw %ax,__KERNEL_PERCPU + 0(%edi)
15113 +#endif
15114 +
15115 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15116 + movl $NR_CPUS,%ecx
15117 + movl $pa(cpu_gdt_table),%edi
15118 +1:
15119 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15120 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15121 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15122 + addl $PAGE_SIZE_asm,%edi
15123 + loop 1b
15124 +#endif
15125 +
15126 +#ifdef CONFIG_PAX_KERNEXEC
15127 + movl $pa(boot_gdt),%edi
15128 + movl $__LOAD_PHYSICAL_ADDR,%eax
15129 + movw %ax,__BOOT_CS + 2(%edi)
15130 + rorl $16,%eax
15131 + movb %al,__BOOT_CS + 4(%edi)
15132 + movb %ah,__BOOT_CS + 7(%edi)
15133 + rorl $16,%eax
15134 +
15135 + ljmp $(__BOOT_CS),$1f
15136 +1:
15137 +
15138 + movl $NR_CPUS,%ecx
15139 + movl $pa(cpu_gdt_table),%edi
15140 + addl $__PAGE_OFFSET,%eax
15141 +1:
15142 + movw %ax,__KERNEL_CS + 2(%edi)
15143 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15144 + rorl $16,%eax
15145 + movb %al,__KERNEL_CS + 4(%edi)
15146 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15147 + movb %ah,__KERNEL_CS + 7(%edi)
15148 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15149 + rorl $16,%eax
15150 + addl $PAGE_SIZE_asm,%edi
15151 + loop 1b
15152 +#endif
15153 +
15154 /*
15155 * Clear BSS first so that there are no surprises...
15156 */
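Review bot: The three blocks added to `startup_32` patch descriptor bytes in `cpu_gdt_table` and `boot_gdt` without a single comment, and the intent is hard to recover from the offsets alone. Each block should get a one-line purpose comment. The `CONFIG_SMP` block writes base and limit of the `__KERNEL_PERCPU` descriptor from `__per_cpu_load`, `__per_cpu_start` and `__per_cpu_end`, and the `CONFIG_PAX_KERNEXEC` block writes a base into `__BOOT_CS`, `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` for every CPU. The constants `0x00c09700`, `0x00c0fb00` and `0x00c0f300` in the `CONFIG_PAX_MEMORY_UDEREF` loop should be spelled out as descriptor flag fields. The KERNEXEC loop also relies on `%eax` surviving the `ljmp` and on the paired `rorl $16` restoring it each iteration, which deserves something like `/* %eax = code segment base, rotated back after each descriptor */`. `startup_32` begins and ends outside this hunk.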
15157 @@ -195,8 +261,11 @@ ENTRY(startup_32)
15158 movl %eax, pa(max_pfn_mapped)
15159
15160 /* Do early initialization of the fixmap area */
15161 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15162 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
15163 +#ifdef CONFIG_COMPAT_VDSO
15164 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
15165 +#else
15166 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
15167 +#endif
15168 #else /* Not PAE */
15169
15170 page_pde_offset = (__PAGE_OFFSET >> 20);
15171 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15172 movl %eax, pa(max_pfn_mapped)
15173
15174 /* Do early initialization of the fixmap area */
15175 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
15176 - movl %eax,pa(initial_page_table+0xffc)
15177 +#ifdef CONFIG_COMPAT_VDSO
15178 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
15179 +#else
15180 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
15181 +#endif
15182 #endif
15183
15184 #ifdef CONFIG_PARAVIRT
15185 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15186 cmpl $num_subarch_entries, %eax
15187 jae bad_subarch
15188
15189 - movl pa(subarch_entries)(,%eax,4), %eax
15190 - subl $__PAGE_OFFSET, %eax
15191 - jmp *%eax
15192 + jmp *pa(subarch_entries)(,%eax,4)
15193
15194 bad_subarch:
15195 WEAK(lguest_entry)
15196 @@ -255,10 +325,10 @@ WEAK(xen_entry)
15197 __INITDATA
15198
15199 subarch_entries:
15200 - .long default_entry /* normal x86/PC */
15201 - .long lguest_entry /* lguest hypervisor */
15202 - .long xen_entry /* Xen hypervisor */
15203 - .long default_entry /* Moorestown MID */
15204 + .long ta(default_entry) /* normal x86/PC */
15205 + .long ta(lguest_entry) /* lguest hypervisor */
15206 + .long ta(xen_entry) /* Xen hypervisor */
15207 + .long ta(default_entry) /* Moorestown MID */
15208 num_subarch_entries = (. - subarch_entries) / 4
15209 .previous
15210 #else
15211 @@ -312,6 +382,7 @@ default_entry:
15212 orl %edx,%eax
15213 movl %eax,%cr4
15214
15215 +#ifdef CONFIG_X86_PAE
15216 testb $X86_CR4_PAE, %al # check if PAE is enabled
15217 jz 6f
15218
15219 @@ -340,6 +411,9 @@ default_entry:
15220 /* Make changes effective */
15221 wrmsr
15222
15223 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15224 +#endif
15225 +
15226 6:
15227
15228 /*
15229 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
15230 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15231 movl %eax,%ss # after changing gdt.
15232
15233 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15234 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15235 movl %eax,%ds
15236 movl %eax,%es
15237
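Review bot: The added line `# movl $(__KERNEL_DS),%eax` is a commented-out instruction, so `%ds` and `%es` are now loaded from whatever `%eax` already holds. That is `__KERNEL_DS` only because of the `movl $(__KERNEL_DS),%eax` a few lines earlier. I would replace the dead instruction with a real comment, e.g. `/* %eax still holds __KERNEL_DS from the %ss reload above */`, so that a later edit between the two does not silently change the selector loaded into DS/ES. The surrounding code starts and ends outside this hunk.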
15238 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
15239 */
15240 cmpb $0,ready
15241 jne 1f
15242 - movl $gdt_page,%eax
15243 + movl $cpu_gdt_table,%eax
15244 movl $stack_canary,%ecx
15245 +#ifdef CONFIG_SMP
15246 + addl $__per_cpu_load,%ecx
15247 +#endif
15248 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15249 shrl $16, %ecx
15250 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15251 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15252 1:
15253 -#endif
15254 movl $(__KERNEL_STACK_CANARY),%eax
15255 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15256 + movl $(__USER_DS),%eax
15257 +#else
15258 + xorl %eax,%eax
15259 +#endif
15260 movl %eax,%gs
15261
15262 xorl %eax,%eax # Clear LDT
15263 @@ -558,22 +639,22 @@ early_page_fault:
15264 jmp early_fault
15265
15266 early_fault:
15267 - cld
15268 #ifdef CONFIG_PRINTK
15269 + cmpl $1,%ss:early_recursion_flag
15270 + je hlt_loop
15271 + incl %ss:early_recursion_flag
15272 + cld
15273 pusha
15274 movl $(__KERNEL_DS),%eax
15275 movl %eax,%ds
15276 movl %eax,%es
15277 - cmpl $2,early_recursion_flag
15278 - je hlt_loop
15279 - incl early_recursion_flag
15280 movl %cr2,%eax
15281 pushl %eax
15282 pushl %edx /* trapno */
15283 pushl $fault_msg
15284 call printk
15285 +; call dump_stack
15286 #endif
15287 - call dump_stack
15288 hlt_loop:
15289 hlt
15290 jmp hlt_loop
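Review bot: The added `; call dump_stack` reads like a commented-out line, but GNU as on x86 treats `;` as a statement separator rather than a comment character. The call is therefore most likely still assembled, now inside the `CONFIG_PRINTK` block. If the call is meant to stay, drop the `;`; if it is meant to be disabled, delete the line or write `/* call dump_stack */`. The recursion guard here also compares `early_recursion_flag` with `$1`, while the reworked guard in `ignore_int` in the next hunk compares with `$2`; if the difference is intended it needs a comment.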
15291 @@ -581,8 +662,11 @@ hlt_loop:
15292 /* This is the default interrupt "handler" :-) */
15293 ALIGN
15294 ignore_int:
15295 - cld
15296 #ifdef CONFIG_PRINTK
15297 + cmpl $2,%ss:early_recursion_flag
15298 + je hlt_loop
15299 + incl %ss:early_recursion_flag
15300 + cld
15301 pushl %eax
15302 pushl %ecx
15303 pushl %edx
15304 @@ -591,9 +675,6 @@ ignore_int:
15305 movl $(__KERNEL_DS),%eax
15306 movl %eax,%ds
15307 movl %eax,%es
15308 - cmpl $2,early_recursion_flag
15309 - je hlt_loop
15310 - incl early_recursion_flag
15311 pushl 16(%esp)
15312 pushl 24(%esp)
15313 pushl 32(%esp)
15314 @@ -622,29 +703,43 @@ ENTRY(initial_code)
15315 /*
15316 * BSS section
15317 */
15318 -__PAGE_ALIGNED_BSS
15319 - .align PAGE_SIZE
15320 #ifdef CONFIG_X86_PAE
15321 +.section .initial_pg_pmd,"a",@progbits
15322 initial_pg_pmd:
15323 .fill 1024*KPMDS,4,0
15324 #else
15325 +.section .initial_page_table,"a",@progbits
15326 ENTRY(initial_page_table)
15327 .fill 1024,4,0
15328 #endif
15329 +.section .initial_pg_fixmap,"a",@progbits
15330 initial_pg_fixmap:
15331 .fill 1024,4,0
15332 +.section .empty_zero_page,"a",@progbits
15333 ENTRY(empty_zero_page)
15334 .fill 4096,1,0
15335 +.section .swapper_pg_dir,"a",@progbits
15336 ENTRY(swapper_pg_dir)
15337 +#ifdef CONFIG_X86_PAE
15338 + .fill 4,8,0
15339 +#else
15340 .fill 1024,4,0
15341 +#endif
15342 +
15343 +/*
15344 + * The IDT has to be page-aligned to simplify the Pentium
15345 + * F0 0F bug workaround.. We have a special link segment
15346 + * for this.
15347 + */
15348 +.section .idt,"a",@progbits
15349 +ENTRY(idt_table)
15350 + .fill 256,8,0
15351
15352 /*
15353 * This starts the data section.
15354 */
15355 #ifdef CONFIG_X86_PAE
15356 -__PAGE_ALIGNED_DATA
15357 - /* Page-aligned for the benefit of paravirt? */
15358 - .align PAGE_SIZE
15359 +.section .initial_page_table,"a",@progbits
15360 ENTRY(initial_page_table)
15361 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15362 # if KPMDS == 3
15363 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
15364 # error "Kernel PMDs should be 1, 2 or 3"
15365 # endif
15366 .align PAGE_SIZE /* needs to be page-sized too */
15367 +
15368 +#ifdef CONFIG_PAX_PER_CPU_PGD
15369 +ENTRY(cpu_pgd)
15370 + .rept NR_CPUS
15371 + .fill 4,8,0
15372 + .endr
15373 +#endif
15374 +
15375 #endif
15376
15377 .data
15378 .balign 4
15379 ENTRY(stack_start)
15380 - .long init_thread_union+THREAD_SIZE
15381 + .long init_thread_union+THREAD_SIZE-8
15382 +
15383 +ready: .byte 0
15384
15385 +.section .rodata,"a",@progbits
15386 early_recursion_flag:
15387 .long 0
15388
15389 -ready: .byte 0
15390 -
15391 int_msg:
15392 .asciz "Unknown interrupt or fault at: %p %p %p\n"
15393
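Review bot: `early_recursion_flag` now sits under the new `.section .rodata,"a",@progbits`, yet `early_fault` and `ignore_int` in the earlier hunks of this file increment it with `incl %ss:early_recursion_flag`. That only works while the section is still writable, which presumably holds during early boot but is not shown here. A comment such as `/* written only before .rodata is write-protected */` should state the assumption, or the flag should stay in `.data` next to `ready`. The `-8` added to the `stack_start` value is likewise unexplained and needs a one-line reason.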
15394 @@ -707,7 +811,7 @@ fault_msg:
15395 .word 0 # 32 bit align gdt_desc.address
15396 boot_gdt_descr:
15397 .word __BOOT_DS+7
15398 - .long boot_gdt - __PAGE_OFFSET
15399 + .long pa(boot_gdt)
15400
15401 .word 0 # 32-bit align idt_desc.address
15402 idt_descr:
15403 @@ -718,7 +822,7 @@ idt_descr:
15404 .word 0 # 32 bit align gdt_desc.address
15405 ENTRY(early_gdt_descr)
15406 .word GDT_ENTRIES*8-1
15407 - .long gdt_page /* Overwritten for secondary CPUs */
15408 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15409
15410 /*
15411 * The boot_gdt must mirror the equivalent in setup.S and is
15412 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
15413 .align L1_CACHE_BYTES
15414 ENTRY(boot_gdt)
15415 .fill GDT_ENTRY_BOOT_CS,8,0
15416 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15417 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15418 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15419 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15420 +
15421 + .align PAGE_SIZE_asm
15422 +ENTRY(cpu_gdt_table)
15423 + .rept NR_CPUS
15424 + .quad 0x0000000000000000 /* NULL descriptor */
15425 + .quad 0x0000000000000000 /* 0x0b reserved */
15426 + .quad 0x0000000000000000 /* 0x13 reserved */
15427 + .quad 0x0000000000000000 /* 0x1b reserved */
15428 +
15429 +#ifdef CONFIG_PAX_KERNEXEC
15430 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15431 +#else
15432 + .quad 0x0000000000000000 /* 0x20 unused */
15433 +#endif
15434 +
15435 + .quad 0x0000000000000000 /* 0x28 unused */
15436 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15437 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15438 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15439 + .quad 0x0000000000000000 /* 0x4b reserved */
15440 + .quad 0x0000000000000000 /* 0x53 reserved */
15441 + .quad 0x0000000000000000 /* 0x5b reserved */
15442 +
15443 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15444 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15445 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15446 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15447 +
15448 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15449 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15450 +
15451 + /*
15452 + * Segments used for calling PnP BIOS have byte granularity.
15453 + * The code segments and data segments have fixed 64k limits,
15454 + * the transfer segment sizes are set at run time.
15455 + */
15456 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15457 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15458 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15459 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15460 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15461 +
15462 + /*
15463 + * The APM segments have byte granularity and their bases
15464 + * are set at run time. All have 64k limits.
15465 + */
15466 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15467 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15468 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15469 +
15470 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15471 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15472 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
15473 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15474 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15475 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15476 +
15477 + /* Be sure this is zeroed to avoid false validations in Xen */
15478 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15479 + .endr
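Review bot: The access bytes for boot_gdt change from `0x9a`/`0x92` to `0x9b`/`0x93`, and every populated descriptor in the new cpu_gdt_table also has the low type bit (the Accessed flag) set, but no comment says why. Presumably the flag is pre-set so the CPU never has to write it back into a GDT page that is mapped read-only; that should be confirmed and stated above `ENTRY(cpu_gdt_table)`. The padding `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` is only right while the 32 `.quad` entries equal GDT_SIZE, so the reminder used in the head_64.S table, `/* asm/segment.h:GDT_ENTRIES must match this */`, belongs here too.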
15480 diff -urNp linux-2.6.39.3/arch/x86/kernel/head_64.S linux-2.6.39.3/arch/x86/kernel/head_64.S
15481 --- linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-19 00:06:34.000000000 -0400
15482 +++ linux-2.6.39.3/arch/x86/kernel/head_64.S 2011-05-22 19:36:30.000000000 -0400
15483 @@ -19,6 +19,7 @@
15484 #include <asm/cache.h>
15485 #include <asm/processor-flags.h>
15486 #include <asm/percpu.h>
15487 +#include <asm/cpufeature.h>
15488
15489 #ifdef CONFIG_PARAVIRT
15490 #include <asm/asm-offsets.h>
15491 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15492 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15493 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15494 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15495 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15496 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15497 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15498 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15499
15500 .text
15501 __HEAD
15502 @@ -85,35 +90,22 @@ startup_64:
15503 */
15504 addq %rbp, init_level4_pgt + 0(%rip)
15505 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15506 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15507 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15508 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15509
15510 addq %rbp, level3_ident_pgt + 0(%rip)
15511 +#ifndef CONFIG_XEN
15512 + addq %rbp, level3_ident_pgt + 8(%rip)
15513 +#endif
15514
15515 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15516 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15517 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15518
15519 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15520 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15521 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15522
15523 - /* Add an Identity mapping if I am above 1G */
15524 - leaq _text(%rip), %rdi
15525 - andq $PMD_PAGE_MASK, %rdi
15526 -
15527 - movq %rdi, %rax
15528 - shrq $PUD_SHIFT, %rax
15529 - andq $(PTRS_PER_PUD - 1), %rax
15530 - jz ident_complete
15531 -
15532 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15533 - leaq level3_ident_pgt(%rip), %rbx
15534 - movq %rdx, 0(%rbx, %rax, 8)
15535 -
15536 - movq %rdi, %rax
15537 - shrq $PMD_SHIFT, %rax
15538 - andq $(PTRS_PER_PMD - 1), %rax
15539 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15540 - leaq level2_spare_pgt(%rip), %rbx
15541 - movq %rdx, 0(%rbx, %rax, 8)
15542 -ident_complete:
15543 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15544 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15545
15546 /*
15547 * Fixup the kernel text+data virtual addresses. Note that
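Review bot: The fixup `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` is kept, but a later hunk of this file changes the table to `.fill 507,8,0` followed by the `level1_vsyscall_pgt` entry, so slot 506 is now zero-filled and only slot 507 holds an address. Adding the offset in %rbp to an empty slot leaves a non-zero entry there whenever that offset is non-zero, unless something outside this diff populates slot 506 first. If the slot is meant to stay empty, drop the 506 line and keep only `addq %rbp, level2_fixmap_pgt + (507*8)(%rip)`. The bare 506/507 indices also sit oddly next to the symbolic `L3_START_KERNEL` and `L3_VMEMMAP_START` forms introduced in the same hunk. startup_64 begins before the hunk and continues after it.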
15548 @@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
15549 * after the boot processor executes this code.
15550 */
15551
15552 - /* Enable PAE mode and PGE */
15553 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15554 + /* Enable PAE mode and PSE/PGE */
15555 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15556 movq %rax, %cr4
15557
15558 /* Setup early boot stage 4 level pagetables. */
15559 @@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
15560 movl $MSR_EFER, %ecx
15561 rdmsr
15562 btsl $_EFER_SCE, %eax /* Enable System Call */
15563 - btl $20,%edi /* No Execute supported? */
15564 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15565 jnc 1f
15566 btsl $_EFER_NX, %eax
15567 + leaq init_level4_pgt(%rip), %rdi
15568 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15569 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15570 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15571 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
15572 1: wrmsr /* Make changes effective */
15573
15574 /* Setup cr0 */
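Review bot: The added `btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)` stores (and the two that follow) write into init_level4_pgt, which a later hunk of this file places under `.section .rodata`, and nothing explains why the write is permitted. They sit under `ENTRY(secondary_startup_64)`, so they appear to run on each CPU bring-up rather than once. A comment above the `leaq` should state why the write is safe at this point (presumably write protection is not yet in force on this path; confirm) and that repeating the bit-set is harmless, for example `/* init_level4_pgt is in .rodata; still writable here because ... */` with the actual reason filled in. The function continues outside the hunk.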
15575 @@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
15576 bad_address:
15577 jmp bad_address
15578
15579 - .section ".init.text","ax"
15580 + __INIT
15581 #ifdef CONFIG_EARLY_PRINTK
15582 .globl early_idt_handlers
15583 early_idt_handlers:
15584 @@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
15585 #endif /* EARLY_PRINTK */
15586 1: hlt
15587 jmp 1b
15588 + .previous
15589
15590 #ifdef CONFIG_EARLY_PRINTK
15591 + __INITDATA
15592 early_recursion_flag:
15593 .long 0
15594 + .previous
15595
15596 + .section .rodata,"a",@progbits
15597 early_idt_msg:
15598 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15599 early_idt_ripmsg:
15600 .asciz "RIP %s\n"
15601 -#endif /* CONFIG_EARLY_PRINTK */
15602 .previous
15603 +#endif /* CONFIG_EARLY_PRINTK */
15604
15605 + .section .rodata,"a",@progbits
15606 #define NEXT_PAGE(name) \
15607 .balign PAGE_SIZE; \
15608 ENTRY(name)
15609 @@ -338,7 +340,6 @@ ENTRY(name)
15610 i = i + 1 ; \
15611 .endr
15612
15613 - .data
15614 /*
15615 * This default setting generates an ident mapping at address 0x100000
15616 * and a mapping for the kernel that precisely maps virtual address
15617 @@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
15618 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15619 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15620 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15621 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15622 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15623 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15624 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15625 .org init_level4_pgt + L4_START_KERNEL*8, 0
15626 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15627 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15628
15629 +#ifdef CONFIG_PAX_PER_CPU_PGD
15630 +NEXT_PAGE(cpu_pgd)
15631 + .rept NR_CPUS
15632 + .fill 512,8,0
15633 + .endr
15634 +#endif
15635 +
15636 NEXT_PAGE(level3_ident_pgt)
15637 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15638 +#ifdef CONFIG_XEN
15639 .fill 511,8,0
15640 +#else
15641 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15642 + .fill 510,8,0
15643 +#endif
15644 +
15645 +NEXT_PAGE(level3_vmalloc_pgt)
15646 + .fill 512,8,0
15647 +
15648 +NEXT_PAGE(level3_vmemmap_pgt)
15649 + .fill L3_VMEMMAP_START,8,0
15650 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15651
15652 NEXT_PAGE(level3_kernel_pgt)
15653 .fill L3_START_KERNEL,8,0
15654 @@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
15655 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15656 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15657
15658 +NEXT_PAGE(level2_vmemmap_pgt)
15659 + .fill 512,8,0
15660 +
15661 NEXT_PAGE(level2_fixmap_pgt)
15662 - .fill 506,8,0
15663 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15664 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15665 - .fill 5,8,0
15666 + .fill 507,8,0
15667 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15668 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15669 + .fill 4,8,0
15670
15671 -NEXT_PAGE(level1_fixmap_pgt)
15672 +NEXT_PAGE(level1_vsyscall_pgt)
15673 .fill 512,8,0
15674
15675 -NEXT_PAGE(level2_ident_pgt)
15676 - /* Since I easily can, map the first 1G.
15677 + /* Since I easily can, map the first 2G.
15678 * Don't set NX because code runs from these pages.
15679 */
15680 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15681 +NEXT_PAGE(level2_ident_pgt)
15682 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15683
15684 NEXT_PAGE(level2_kernel_pgt)
15685 /*
15686 @@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
15687 * If you want to increase this then increase MODULES_VADDR
15688 * too.)
15689 */
15690 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15691 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15692 -
15693 -NEXT_PAGE(level2_spare_pgt)
15694 - .fill 512, 8, 0
15695 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15696
15697 #undef PMDS
15698 #undef NEXT_PAGE
15699
15700 - .data
15701 + .align PAGE_SIZE
15702 +ENTRY(cpu_gdt_table)
15703 + .rept NR_CPUS
15704 + .quad 0x0000000000000000 /* NULL descriptor */
15705 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15706 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15707 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15708 + .quad 0x00cffb000000ffff /* __USER32_CS */
15709 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15710 + .quad 0x00affb000000ffff /* __USER_CS */
15711 +
15712 +#ifdef CONFIG_PAX_KERNEXEC
15713 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15714 +#else
15715 + .quad 0x0 /* unused */
15716 +#endif
15717 +
15718 + .quad 0,0 /* TSS */
15719 + .quad 0,0 /* LDT */
15720 + .quad 0,0,0 /* three TLS descriptors */
15721 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15722 + /* asm/segment.h:GDT_ENTRIES must match this */
15723 +
15724 + /* zero the remaining page */
15725 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15726 + .endr
15727 +
15728 .align 16
15729 .globl early_gdt_descr
15730 early_gdt_descr:
15731 .word GDT_ENTRIES*8-1
15732 early_gdt_descr_base:
15733 - .quad INIT_PER_CPU_VAR(gdt_page)
15734 + .quad cpu_gdt_table
15735
15736 ENTRY(phys_base)
15737 /* This must match the first entry in level2_kernel_pgt */
15738 .quad 0x0000000000000000
15739
15740 #include "../../x86/xen/xen-head.S"
15741 -
15742 - .section .bss, "aw", @nobits
15743 +
15744 + .section .rodata,"a",@progbits
15745 .align L1_CACHE_BYTES
15746 ENTRY(idt_table)
15747 - .skip IDT_ENTRIES * 16
15748 + .fill 512,8,0
15749
15750 __PAGE_ALIGNED_BSS
15751 .align PAGE_SIZE
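Review bot: `ENTRY(idt_table)` now reserves its space with the literal `.fill 512,8,0` where the removed line used `.skip IDT_ENTRIES * 16`, so the table size no longer follows IDT_ENTRIES. Keeping the symbolic form, `.fill IDT_ENTRIES * 2,8,0`, gives the same initialised bytes without the hidden assumption. The hunk also removes the `.data` directive that preceded early_gdt_descr and phys_base, which appears to leave both in the `.rodata` section opened earlier in the file. A one-line comment saying that this is intended, and how any later write to them is handled, would make the placement reviewable.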
15752 diff -urNp linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c
15753 --- linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-19 00:06:34.000000000 -0400
15754 +++ linux-2.6.39.3/arch/x86/kernel/i386_ksyms_32.c 2011-05-22 19:36:30.000000000 -0400
15755 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15756 EXPORT_SYMBOL(cmpxchg8b_emu);
15757 #endif
15758
15759 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15760 +
15761 /* Networking helper routines. */
15762 EXPORT_SYMBOL(csum_partial_copy_generic);
15763 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15764 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15765
15766 EXPORT_SYMBOL(__get_user_1);
15767 EXPORT_SYMBOL(__get_user_2);
15768 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15769
15770 EXPORT_SYMBOL(csum_partial);
15771 EXPORT_SYMBOL(empty_zero_page);
15772 +
15773 +#ifdef CONFIG_PAX_KERNEXEC
15774 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15775 +#endif
15776 diff -urNp linux-2.6.39.3/arch/x86/kernel/i8259.c linux-2.6.39.3/arch/x86/kernel/i8259.c
15777 --- linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-19 00:06:34.000000000 -0400
15778 +++ linux-2.6.39.3/arch/x86/kernel/i8259.c 2011-05-22 19:36:30.000000000 -0400
15779 @@ -210,7 +210,7 @@ spurious_8259A_irq:
15780 "spurious 8259A interrupt: IRQ%d.\n", irq);
15781 spurious_irq_mask |= irqmask;
15782 }
15783 - atomic_inc(&irq_err_count);
15784 + atomic_inc_unchecked(&irq_err_count);
15785 /*
15786 * Theoretically we do not have to handle this IRQ,
15787 * but in Linux this does not cause problems and is
15788 diff -urNp linux-2.6.39.3/arch/x86/kernel/init_task.c linux-2.6.39.3/arch/x86/kernel/init_task.c
15789 --- linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-19 00:06:34.000000000 -0400
15790 +++ linux-2.6.39.3/arch/x86/kernel/init_task.c 2011-05-22 19:36:30.000000000 -0400
15791 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15792 * way process stacks are handled. This is done by having a special
15793 * "init_task" linker map entry..
15794 */
15795 -union thread_union init_thread_union __init_task_data =
15796 - { INIT_THREAD_INFO(init_task) };
15797 +union thread_union init_thread_union __init_task_data;
15798
15799 /*
15800 * Initial task structure.
15801 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15802 * section. Since TSS's are completely CPU-local, we want them
15803 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15804 */
15805 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15806 -
15807 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15808 +EXPORT_SYMBOL(init_tss);
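Review bot: The comment kept above this definition says each TSS should sit on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns only the start of the array. Elements after the first stay aligned only if `sizeof(struct tss_struct)` is a multiple of the cacheline size, which depends on the struct's declaration outside this diff. The comment should record that dependency, for example `/* per-element alignment relies on struct tss_struct itself being cacheline aligned */`, or the property should be checked at build time next to the definition.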
15809 diff -urNp linux-2.6.39.3/arch/x86/kernel/ioport.c linux-2.6.39.3/arch/x86/kernel/ioport.c
15810 --- linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-19 00:06:34.000000000 -0400
15811 +++ linux-2.6.39.3/arch/x86/kernel/ioport.c 2011-05-22 19:41:32.000000000 -0400
15812 @@ -6,6 +6,7 @@
15813 #include <linux/sched.h>
15814 #include <linux/kernel.h>
15815 #include <linux/capability.h>
15816 +#include <linux/security.h>
15817 #include <linux/errno.h>
15818 #include <linux/types.h>
15819 #include <linux/ioport.h>
15820 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
15821
15822 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15823 return -EINVAL;
15824 +#ifdef CONFIG_GRKERNSEC_IO
15825 + if (turn_on && grsec_disable_privio) {
15826 + gr_handle_ioperm();
15827 + return -EPERM;
15828 + }
15829 +#endif
15830 if (turn_on && !capable(CAP_SYS_RAWIO))
15831 return -EPERM;
15832
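Review bot: The new `grsec_disable_privio` test runs before `capable(CAP_SYS_RAWIO)`, so `gr_handle_ioperm()` is reached by callers the capability check would have refused anyway. The sys_iopl hunk further down has the same ordering with `gr_handle_iopl()`. If those handlers write audit records, as their names suggest, unprivileged processes can produce them at will unless rate limiting happens elsewhere. Moving the `#ifdef CONFIG_GRKERNSEC_IO` block below `if (turn_on && !capable(CAP_SYS_RAWIO)) return -EPERM;` keeps the same decision for privileged callers while recording only attempts that would otherwise have succeeded. If logging every attempt is intended, a comment saying so would do. sys_ioperm starts before the hunk and continues after it.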
15833 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
15834 * because the ->io_bitmap_max value must match the bitmap
15835 * contents:
15836 */
15837 - tss = &per_cpu(init_tss, get_cpu());
15838 + tss = init_tss + get_cpu();
15839
15840 if (turn_on)
15841 bitmap_clear(t->io_bitmap_ptr, from, num);
15842 @@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
15843 return -EINVAL;
15844 /* Trying to gain more privileges? */
15845 if (level > old) {
15846 +#ifdef CONFIG_GRKERNSEC_IO
15847 + if (grsec_disable_privio) {
15848 + gr_handle_iopl();
15849 + return -EPERM;
15850 + }
15851 +#endif
15852 if (!capable(CAP_SYS_RAWIO))
15853 return -EPERM;
15854 }
15855 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq_32.c linux-2.6.39.3/arch/x86/kernel/irq_32.c
15856 --- linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-05-19 00:06:34.000000000 -0400
15857 +++ linux-2.6.39.3/arch/x86/kernel/irq_32.c 2011-07-06 20:00:13.000000000 -0400
15858 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
15859 __asm__ __volatile__("andl %%esp,%0" :
15860 "=r" (sp) : "0" (THREAD_SIZE - 1));
15861
15862 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15863 + return sp < STACK_WARN;
15864 }
15865
15866 static void print_stack_overflow(void)
15867 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
15868 * per-CPU IRQ handling contexts (thread information and stack)
15869 */
15870 union irq_ctx {
15871 - struct thread_info tinfo;
15872 - u32 stack[THREAD_SIZE/sizeof(u32)];
15873 + unsigned long previous_esp;
15874 + u32 stack[THREAD_SIZE/sizeof(u32)];
15875 } __attribute__((aligned(THREAD_SIZE)));
15876
15877 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15878 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
15879 static inline int
15880 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15881 {
15882 - union irq_ctx *curctx, *irqctx;
15883 + union irq_ctx *irqctx;
15884 u32 *isp, arg1, arg2;
15885
15886 - curctx = (union irq_ctx *) current_thread_info();
15887 irqctx = __this_cpu_read(hardirq_ctx);
15888
15889 /*
15890 @@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
15891 * handler) we can't do that and just have to keep using the
15892 * current stack (which is the irq stack already after all)
15893 */
15894 - if (unlikely(curctx == irqctx))
15895 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15896 return 0;
15897
15898 /* build the stack frame on the IRQ stack */
15899 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15900 - irqctx->tinfo.task = curctx->tinfo.task;
15901 - irqctx->tinfo.previous_esp = current_stack_pointer;
15902 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15903 + irqctx->previous_esp = current_stack_pointer;
15904
15905 - /*
15906 - * Copy the softirq bits in preempt_count so that the
15907 - * softirq checks work in the hardirq context.
15908 - */
15909 - irqctx->tinfo.preempt_count =
15910 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15911 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15912 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15913 + __set_fs(MAKE_MM_SEG(0));
15914 +#endif
15915
15916 if (unlikely(overflow))
15917 call_on_stack(print_stack_overflow, isp);
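Review bot: The reentry test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` subtracts `void *` values, a GNU extension that yields a signed difference. A stack pointer below `irqctx` is rejected only because the comparison is then converted to unsigned, which depends on THREAD_SIZE having an unsigned type (defined outside this diff). Writing it as `(unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE` makes the wrap-around range check explicit and independent of that type. execute_on_irq_stack begins in the previous hunk and continues past this one.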
15918 @@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
15919 : "0" (irq), "1" (desc), "2" (isp),
15920 "D" (desc->handle_irq)
15921 : "memory", "cc", "ecx");
15922 +
15923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15924 + __set_fs(current_thread_info()->addr_limit);
15925 +#endif
15926 +
15927 return 1;
15928 }
15929
15930 @@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
15931 */
15932 void __cpuinit irq_ctx_init(int cpu)
15933 {
15934 - union irq_ctx *irqctx;
15935 -
15936 if (per_cpu(hardirq_ctx, cpu))
15937 return;
15938
15939 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15940 - THREAD_FLAGS,
15941 - THREAD_ORDER));
15942 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15943 - irqctx->tinfo.cpu = cpu;
15944 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15945 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15946 -
15947 - per_cpu(hardirq_ctx, cpu) = irqctx;
15948 -
15949 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
15950 - THREAD_FLAGS,
15951 - THREAD_ORDER));
15952 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
15953 - irqctx->tinfo.cpu = cpu;
15954 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15955 -
15956 - per_cpu(softirq_ctx, cpu) = irqctx;
15957 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15958 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
15959
15960 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15961 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
15962 @@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
15963 asmlinkage void do_softirq(void)
15964 {
15965 unsigned long flags;
15966 - struct thread_info *curctx;
15967 union irq_ctx *irqctx;
15968 u32 *isp;
15969
15970 @@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
15971 local_irq_save(flags);
15972
15973 if (local_softirq_pending()) {
15974 - curctx = current_thread_info();
15975 irqctx = __this_cpu_read(softirq_ctx);
15976 - irqctx->tinfo.task = curctx->task;
15977 - irqctx->tinfo.previous_esp = current_stack_pointer;
15978 + irqctx->previous_esp = current_stack_pointer;
15979
15980 /* build the stack frame on the softirq stack */
15981 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15982 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15983 +
15984 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15985 + __set_fs(MAKE_MM_SEG(0));
15986 +#endif
15987
15988 call_on_stack(__do_softirq, isp);
15989 +
15990 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15991 + __set_fs(current_thread_info()->addr_limit);
15992 +#endif
15993 +
15994 /*
15995 * Shouldn't happen, we returned above if in_interrupt():
15996 */
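Review bot: `isp` is now computed as `(char *)irqctx + sizeof(*irqctx) - 8`, here and in execute_on_irq_stack, with nothing saying what the 8 bytes at the top of the IRQ stack are reserved for. A named constant shared by both sites, or a comment such as `/* keep 8 bytes free at the top of the irq stack for ... */` with the actual reason filled in, would stop the two copies from drifting apart. do_softirq starts before the hunk and continues after it.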
15997 diff -urNp linux-2.6.39.3/arch/x86/kernel/irq.c linux-2.6.39.3/arch/x86/kernel/irq.c
15998 --- linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-19 00:06:34.000000000 -0400
15999 +++ linux-2.6.39.3/arch/x86/kernel/irq.c 2011-05-22 19:36:30.000000000 -0400
16000 @@ -17,7 +17,7 @@
16001 #include <asm/mce.h>
16002 #include <asm/hw_irq.h>
16003
16004 -atomic_t irq_err_count;
16005 +atomic_unchecked_t irq_err_count;
16006
16007 /* Function pointer for generic interrupt vector handling */
16008 void (*x86_platform_ipi_callback)(void) = NULL;
16009 @@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
16010 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16011 seq_printf(p, " Machine check polls\n");
16012 #endif
16013 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16014 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16015 #if defined(CONFIG_X86_IO_APIC)
16016 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16017 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16018 #endif
16019 return 0;
16020 }
16021 @@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16022
16023 u64 arch_irq_stat(void)
16024 {
16025 - u64 sum = atomic_read(&irq_err_count);
16026 + u64 sum = atomic_read_unchecked(&irq_err_count);
16027
16028 #ifdef CONFIG_X86_IO_APIC
16029 - sum += atomic_read(&irq_mis_count);
16030 + sum += atomic_read_unchecked(&irq_mis_count);
16031 #endif
16032 return sum;
16033 }
16034 diff -urNp linux-2.6.39.3/arch/x86/kernel/kgdb.c linux-2.6.39.3/arch/x86/kernel/kgdb.c
16035 --- linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-19 00:06:34.000000000 -0400
16036 +++ linux-2.6.39.3/arch/x86/kernel/kgdb.c 2011-05-22 19:36:30.000000000 -0400
16037 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
16038 #ifdef CONFIG_X86_32
16039 switch (regno) {
16040 case GDB_SS:
16041 - if (!user_mode_vm(regs))
16042 + if (!user_mode(regs))
16043 *(unsigned long *)mem = __KERNEL_DS;
16044 break;
16045 case GDB_SP:
16046 - if (!user_mode_vm(regs))
16047 + if (!user_mode(regs))
16048 *(unsigned long *)mem = kernel_stack_pointer(regs);
16049 break;
16050 case GDB_GS:
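Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in the GDB_SS and GDB_SP cases is only behaviour-preserving if this patch also changes `user_mode()` to account for vm86 mode, since the upstream 32-bit `user_mode()` tests only the privilege level in CS. That redefinition is not visible in this hunk, so the equivalence should be confirmed. It should also be recorded where `user_mode()` is defined, for example `/* also true for vm86 mode; user_mode_vm() callers were converted */`. The same substitution is made in kprobe_exceptions_notify in the kprobes.c part of this diff. dbg_get_reg starts before the hunk and continues after it.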
16051 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
16052 case 'k':
16053 /* clear the trace bit */
16054 linux_regs->flags &= ~X86_EFLAGS_TF;
16055 - atomic_set(&kgdb_cpu_doing_single_step, -1);
16056 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16057
16058 /* set the trace bit if we're stepping */
16059 if (remcomInBuffer[0] == 's') {
16060 linux_regs->flags |= X86_EFLAGS_TF;
16061 - atomic_set(&kgdb_cpu_doing_single_step,
16062 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16063 raw_smp_processor_id());
16064 }
16065
16066 @@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
16067 return NOTIFY_DONE;
16068
16069 case DIE_DEBUG:
16070 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
16071 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
16072 if (user_mode(regs))
16073 return single_step_cont(regs, args);
16074 break;
16075 @@ -710,7 +710,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
16076 regs->ip = ip;
16077 }
16078
16079 -struct kgdb_arch arch_kgdb_ops = {
16080 +const struct kgdb_arch arch_kgdb_ops = {
16081 /* Breakpoint instruction: */
16082 .gdb_bpt_instr = { 0xcc },
16083 .flags = KGDB_HW_BREAKPOINT,
16084 diff -urNp linux-2.6.39.3/arch/x86/kernel/kprobes.c linux-2.6.39.3/arch/x86/kernel/kprobes.c
16085 --- linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
16086 +++ linux-2.6.39.3/arch/x86/kernel/kprobes.c 2011-05-22 19:36:30.000000000 -0400
16087 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
16088 } __attribute__((packed)) *insn;
16089
16090 insn = (struct __arch_relative_insn *)from;
16091 +
16092 + pax_open_kernel();
16093 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
16094 insn->op = op;
16095 + pax_close_kernel();
16096 }
16097
16098 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
16099 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
16100 kprobe_opcode_t opcode;
16101 kprobe_opcode_t *orig_opcodes = opcodes;
16102
16103 - if (search_exception_tables((unsigned long)opcodes))
16104 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16105 return 0; /* Page fault may occur on this address. */
16106
16107 retry:
16108 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
16109 }
16110 }
16111 insn_get_length(&insn);
16112 + pax_open_kernel();
16113 memcpy(dest, insn.kaddr, insn.length);
16114 + pax_close_kernel();
16115
16116 #ifdef CONFIG_X86_64
16117 if (insn_rip_relative(&insn)) {
16118 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
16119 (u8 *) dest;
16120 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
16121 disp = (u8 *) dest + insn_offset_displacement(&insn);
16122 + pax_open_kernel();
16123 *(s32 *) disp = (s32) newdisp;
16124 + pax_close_kernel();
16125 }
16126 #endif
16127 return insn.length;
16128 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
16129 */
16130 __copy_instruction(p->ainsn.insn, p->addr, 0);
16131
16132 - if (can_boost(p->addr))
16133 + if (can_boost(ktla_ktva(p->addr)))
16134 p->ainsn.boostable = 0;
16135 else
16136 p->ainsn.boostable = -1;
16137
16138 - p->opcode = *p->addr;
16139 + p->opcode = *(ktla_ktva(p->addr));
16140 }
16141
16142 int __kprobes arch_prepare_kprobe(struct kprobe *p)
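Review bot: `can_boost(ktla_ktva(p->addr))` translates the probe address one way, and the can_boost hunk above then passes `ktva_ktla((unsigned long)opcodes)` to search_exception_tables. That lookup presumably ends up on the original address after two conversions, and nothing in either hunk says which address form each consumer expects. A comment at the can_boost call would make the pairing checkable, for instance `/* can_boost() reads the opcode bytes, so it takes the data-visible alias; it converts back for the exception table lookup */`, if that is indeed the intent. The argument types passed to `ktla_ktva` also vary across this file's hunks (pointer here, `(long)` and a function pointer in arch_prepare_optimized_kprobe), which suggests the helper's expected type should be documented once.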
16143 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
16144 * nor set current_kprobe, because it doesn't use single
16145 * stepping.
16146 */
16147 - regs->ip = (unsigned long)p->ainsn.insn;
16148 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16149 preempt_enable_no_resched();
16150 return;
16151 }
16152 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
16153 if (p->opcode == BREAKPOINT_INSTRUCTION)
16154 regs->ip = (unsigned long)p->addr;
16155 else
16156 - regs->ip = (unsigned long)p->ainsn.insn;
16157 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16158 }
16159
16160 /*
16161 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
16162 setup_singlestep(p, regs, kcb, 0);
16163 return 1;
16164 }
16165 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
16166 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16167 /*
16168 * The breakpoint instruction was removed right
16169 * after we hit it. Another cpu has removed
16170 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
16171 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16172 {
16173 unsigned long *tos = stack_addr(regs);
16174 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16175 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16176 unsigned long orig_ip = (unsigned long)p->addr;
16177 kprobe_opcode_t *insn = p->ainsn.insn;
16178
16179 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
16180 struct die_args *args = data;
16181 int ret = NOTIFY_DONE;
16182
16183 - if (args->regs && user_mode_vm(args->regs))
16184 + if (args->regs && user_mode(args->regs))
16185 return ret;
16186
16187 switch (val) {
16188 @@ -1381,7 +1388,7 @@ int __kprobes arch_prepare_optimized_kpr
16189 * Verify if the address gap is in 2GB range, because this uses
16190 * a relative jump.
16191 */
16192 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
16193 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
16194 if (abs(rel) > 0x7fffffff)
16195 return -ERANGE;
16196
16197 @@ -1402,11 +1409,11 @@ int __kprobes arch_prepare_optimized_kpr
16198 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
16199
16200 /* Set probe function call */
16201 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
16202 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
16203
16204 /* Set returning jmp instruction at the tail of out-of-line buffer */
16205 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
16206 - (u8 *)op->kp.addr + op->optinsn.size);
16207 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
16208
16209 flush_icache_range((unsigned long) buf,
16210 (unsigned long) buf + TMPL_END_IDX +
16211 @@ -1428,7 +1435,7 @@ static void __kprobes setup_optimize_kpr
16212 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
16213
16214 /* Backup instructions which will be replaced by jump address */
16215 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
16216 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
16217 RELATIVE_ADDR_SIZE);
16218
16219 insn_buf[0] = RELATIVEJUMP_OPCODE;
16220 diff -urNp linux-2.6.39.3/arch/x86/kernel/ldt.c linux-2.6.39.3/arch/x86/kernel/ldt.c
16221 --- linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-19 00:06:34.000000000 -0400
16222 +++ linux-2.6.39.3/arch/x86/kernel/ldt.c 2011-05-22 19:36:30.000000000 -0400
16223 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
16224 if (reload) {
16225 #ifdef CONFIG_SMP
16226 preempt_disable();
16227 - load_LDT(pc);
16228 + load_LDT_nolock(pc);
16229 if (!cpumask_equal(mm_cpumask(current->mm),
16230 cpumask_of(smp_processor_id())))
16231 smp_call_function(flush_ldt, current->mm, 1);
16232 preempt_enable();
16233 #else
16234 - load_LDT(pc);
16235 + load_LDT_nolock(pc);
16236 #endif
16237 }
16238 if (oldsize) {
16239 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
16240 return err;
16241
16242 for (i = 0; i < old->size; i++)
16243 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16244 + write_ldt_entry(new->ldt, i, old->ldt + i);
16245 return 0;
16246 }
16247
16248 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
16249 retval = copy_ldt(&mm->context, &old_mm->context);
16250 mutex_unlock(&old_mm->context.lock);
16251 }
16252 +
16253 + if (tsk == current) {
16254 + mm->context.vdso = 0;
16255 +
16256 +#ifdef CONFIG_X86_32
16257 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16258 + mm->context.user_cs_base = 0UL;
16259 + mm->context.user_cs_limit = ~0UL;
16260 +
16261 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16262 + cpus_clear(mm->context.cpu_user_cs_mask);
16263 +#endif
16264 +
16265 +#endif
16266 +#endif
16267 +
16268 + }
16269 +
16270 return retval;
16271 }
16272
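Review bot: The new block resets `mm->context.vdso` and, under the PAX options, the user code-segment base, limit and CPU mask only when `tsk == current`, and nothing says what distinguishes that case or why other callers must keep the existing values. A comment above the `if` naming the path it targets would make the condition reviewable, presumably a fresh mm being set up for the calling task rather than a copy made for a child, which should be confirmed. The block also runs when `retval` is already non-zero from copy_ldt; if that is harmless, the comment can say so. init_new_context starts before the hunk.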
16273 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
16274 }
16275 }
16276
16277 +#ifdef CONFIG_PAX_SEGMEXEC
16278 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16279 + error = -EINVAL;
16280 + goto out_unlock;
16281 + }
16282 +#endif
16283 +
16284 fill_ldt(&ldt, &ldt_info);
16285 if (oldmode)
16286 ldt.avl = 0;
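Review bot: The new check returns -EINVAL for any LDT entry with `MODIFY_LDT_CONTENTS_CODE` set when the mm has `MF_PAX_SEGMEXEC`, but it carries no comment explaining why code descriptors are refused. If the reason is that SEGMEXEC depends on the kernel-chosen user code segment bounds, and a task-defined code segment could sit outside them, that belongs next to the test, for example `/* SEGMEXEC relies on the kernel's user code segment limits; refuse task-defined code segments */`. write_ldt starts before the hunk and continues after it, so the `out_unlock` label and the locking it assumes are not visible here.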
16287 diff -urNp linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c
16288 --- linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-19 00:06:34.000000000 -0400
16289 +++ linux-2.6.39.3/arch/x86/kernel/machine_kexec_32.c 2011-05-22 19:36:30.000000000 -0400
16290 @@ -27,7 +27,7 @@
16291 #include <asm/cacheflush.h>
16292 #include <asm/debugreg.h>
16293
16294 -static void set_idt(void *newidt, __u16 limit)
16295 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16296 {
16297 struct desc_ptr curidt;
16298
16299 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
16300 }
16301
16302
16303 -static void set_gdt(void *newgdt, __u16 limit)
16304 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16305 {
16306 struct desc_ptr curgdt;
16307
16308 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16309 }
16310
16311 control_page = page_address(image->control_code_page);
16312 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16313 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16314
16315 relocate_kernel_ptr = control_page;
16316 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16317 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_amd.c linux-2.6.39.3/arch/x86/kernel/microcode_amd.c
16318 --- linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-19 00:06:34.000000000 -0400
16319 +++ linux-2.6.39.3/arch/x86/kernel/microcode_amd.c 2011-05-22 19:36:30.000000000 -0400
16320 @@ -339,7 +339,7 @@ static void microcode_fini_cpu_amd(int c
16321 uci->mc = NULL;
16322 }
16323
16324 -static struct microcode_ops microcode_amd_ops = {
16325 +static const struct microcode_ops microcode_amd_ops = {
16326 .request_microcode_user = request_microcode_user,
16327 .request_microcode_fw = request_microcode_amd,
16328 .collect_cpu_info = collect_cpu_info_amd,
16329 @@ -347,7 +347,7 @@ static struct microcode_ops microcode_am
16330 .microcode_fini_cpu = microcode_fini_cpu_amd,
16331 };
16332
16333 -struct microcode_ops * __init init_amd_microcode(void)
16334 +const struct microcode_ops * __init init_amd_microcode(void)
16335 {
16336 return &microcode_amd_ops;
16337 }
16338 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_core.c linux-2.6.39.3/arch/x86/kernel/microcode_core.c
16339 --- linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-19 00:06:34.000000000 -0400
16340 +++ linux-2.6.39.3/arch/x86/kernel/microcode_core.c 2011-05-22 19:36:30.000000000 -0400
16341 @@ -93,7 +93,7 @@ MODULE_LICENSE("GPL");
16342
16343 #define MICROCODE_VERSION "2.00"
16344
16345 -static struct microcode_ops *microcode_ops;
16346 +static const struct microcode_ops *microcode_ops;
16347
16348 /*
16349 * Synchronization.
16350 diff -urNp linux-2.6.39.3/arch/x86/kernel/microcode_intel.c linux-2.6.39.3/arch/x86/kernel/microcode_intel.c
16351 --- linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-19 00:06:34.000000000 -0400
16352 +++ linux-2.6.39.3/arch/x86/kernel/microcode_intel.c 2011-05-22 19:36:30.000000000 -0400
16353 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
16354
16355 static int get_ucode_user(void *to, const void *from, size_t n)
16356 {
16357 - return copy_from_user(to, from, n);
16358 + return copy_from_user(to, (__force const void __user *)from, n);
16359 }
16360
16361 static enum ucode_state
16362 request_microcode_user(int cpu, const void __user *buf, size_t size)
16363 {
16364 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16365 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
16366 }
16367
16368 static void microcode_fini_cpu(int cpu)
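Review bot: The `__force` casts in get_ucode_user and request_microcode_user silence the address-space checker, but the user pointer still travels through generic_load_microcode as a plain `void *`, so the types no longer distinguish it from a kernel buffer. A comment on get_ucode_user such as `/* 'from' is a user-space pointer passed through generic_load_microcode(); use this callback only with a __user buffer */` would keep that invariant visible. generic_load_microcode is outside the hunk, so how it offsets and bounds the pointer before each callback call could not be checked here.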
16369 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
16370 uci->mc = NULL;
16371 }
16372
16373 -static struct microcode_ops microcode_intel_ops = {
16374 +static const struct microcode_ops microcode_intel_ops = {
16375 .request_microcode_user = request_microcode_user,
16376 .request_microcode_fw = request_microcode_fw,
16377 .collect_cpu_info = collect_cpu_info,
16378 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
16379 .microcode_fini_cpu = microcode_fini_cpu,
16380 };
16381
16382 -struct microcode_ops * __init init_intel_microcode(void)
16383 +const struct microcode_ops * __init init_intel_microcode(void)
16384 {
16385 return &microcode_intel_ops;
16386 }
16387 diff -urNp linux-2.6.39.3/arch/x86/kernel/module.c linux-2.6.39.3/arch/x86/kernel/module.c
16388 --- linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
16389 +++ linux-2.6.39.3/arch/x86/kernel/module.c 2011-05-22 19:36:30.000000000 -0400
16390 @@ -35,21 +35,66 @@
16391 #define DEBUGP(fmt...)
16392 #endif
16393
16394 -void *module_alloc(unsigned long size)
16395 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
16396 {
16397 if (PAGE_ALIGN(size) > MODULES_LEN)
16398 return NULL;
16399 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
16400 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
16401 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
16402 -1, __builtin_return_address(0));
16403 }
16404
16405 +void *module_alloc(unsigned long size)
16406 +{
16407 +
16408 +#ifdef CONFIG_PAX_KERNEXEC
16409 + return __module_alloc(size, PAGE_KERNEL);
16410 +#else
16411 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16412 +#endif
16413 +
16414 +}
16415 +
16416 /* Free memory returned from module_alloc */
16417 void module_free(struct module *mod, void *module_region)
16418 {
16419 vfree(module_region);
16420 }
16421
16422 +#ifdef CONFIG_PAX_KERNEXEC
16423 +#ifdef CONFIG_X86_32
16424 +void *module_alloc_exec(unsigned long size)
16425 +{
16426 + struct vm_struct *area;
16427 +
16428 + if (size == 0)
16429 + return NULL;
16430 +
16431 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16432 + return area ? area->addr : NULL;
16433 +}
16434 +EXPORT_SYMBOL(module_alloc_exec);
16435 +
16436 +void module_free_exec(struct module *mod, void *module_region)
16437 +{
16438 + vunmap(module_region);
16439 +}
16440 +EXPORT_SYMBOL(module_free_exec);
16441 +#else
16442 +void module_free_exec(struct module *mod, void *module_region)
16443 +{
16444 + module_free(mod, module_region);
16445 +}
16446 +EXPORT_SYMBOL(module_free_exec);
16447 +
16448 +void *module_alloc_exec(unsigned long size)
16449 +{
16450 + return __module_alloc(size, PAGE_KERNEL_RX);
16451 +}
16452 +EXPORT_SYMBOL(module_alloc_exec);
16453 +#endif
16454 +#endif
16455 +
16456 /* We don't need anything special. */
16457 int module_frob_arch_sections(Elf_Ehdr *hdr,
16458 Elf_Shdr *sechdrs,
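Review bot: The CONFIG_X86_32 variant of module_alloc_exec returns `area->addr` from `__get_vm_area`, which reserves an address range but allocates no pages in the lines shown, whereas the other variant returns memory from `__module_alloc(size, PAGE_KERNEL_RX)`; the two share a name but not an obvious contract. A comment above the 32-bit one should say where the backing for the MODULES_EXEC_VADDR..MODULES_EXEC_END range comes from and that the matching release is `vunmap`, not `vfree`. It also has no upper bound like the `PAGE_ALIGN(size) > MODULES_LEN` test in `__module_alloc` and presumably relies on `__get_vm_area` failing instead, which is worth stating. In module_alloc the blank lines directly inside the braces around the `#ifdef` can be dropped.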
16459 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16460 unsigned int i;
16461 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16462 Elf32_Sym *sym;
16463 - uint32_t *location;
16464 + uint32_t *plocation, location;
16465
16466 DEBUGP("Applying relocate section %u to %u\n", relsec,
16467 sechdrs[relsec].sh_info);
16468 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16469 /* This is where to make the change */
16470 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16471 - + rel[i].r_offset;
16472 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16473 + location = (uint32_t)plocation;
16474 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16475 + plocation = ktla_ktva((void *)plocation);
16476 /* This is the symbol it is referring to. Note that all
16477 undefined symbols have been resolved. */
16478 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
16479 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16480 switch (ELF32_R_TYPE(rel[i].r_info)) {
16481 case R_386_32:
16482 /* We add the value into the location given */
16483 - *location += sym->st_value;
16484 + pax_open_kernel();
16485 + *plocation += sym->st_value;
16486 + pax_close_kernel();
16487 break;
16488 case R_386_PC32:
16489 /* Add the value, subtract its postition */
16490 - *location += sym->st_value - (uint32_t)location;
16491 + pax_open_kernel();
16492 + *plocation += sym->st_value - location;
16493 + pax_close_kernel();
16494 break;
16495 default:
16496 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16497 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16498 case R_X86_64_NONE:
16499 break;
16500 case R_X86_64_64:
16501 + pax_open_kernel();
16502 *(u64 *)loc = val;
16503 + pax_close_kernel();
16504 break;
16505 case R_X86_64_32:
16506 + pax_open_kernel();
16507 *(u32 *)loc = val;
16508 + pax_close_kernel();
16509 if (val != *(u32 *)loc)
16510 goto overflow;
16511 break;
16512 case R_X86_64_32S:
16513 + pax_open_kernel();
16514 *(s32 *)loc = val;
16515 + pax_close_kernel();
16516 if ((s64)val != *(s32 *)loc)
16517 goto overflow;
16518 break;
16519 case R_X86_64_PC32:
16520 val -= (u64)loc;
16521 + pax_open_kernel();
16522 *(u32 *)loc = val;
16523 + pax_close_kernel();
16524 +
16525 #if 0
16526 if ((s64)val != *(s32 *)loc)
16527 goto overflow;
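Review bot: In the R_X86_64_32 and R_X86_64_32S cases the truncated value is stored inside the pax_open_kernel()/pax_close_kernel() window, and the overflow test only runs afterwards by reading the location back. Testing the value first, with `if (val != (u32)val) goto overflow;` and `if ((s64)val != (s32)val) goto overflow;`, would keep a failing relocation from writing into the protected mapping at all. The open/close pair is repeated per case here and in the two apply_relocate hunks above; that keeps each window to a single store, and a one-line comment saying so would stop someone from hoisting it around the whole switch. The function starts and ends outside the hunk.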
16528 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt.c linux-2.6.39.3/arch/x86/kernel/paravirt.c
16529 --- linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000000 -0400
16530 +++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-07-19 18:26:58.000000000 -0400
16531 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
16532 {
16533 return x;
16534 }
16535 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
16536 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
16537 +#endif
16538
16539 void __init default_banner(void)
16540 {
16541 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16542 * corresponding structure. */
16543 static void *get_call_destination(u8 type)
16544 {
16545 - struct paravirt_patch_template tmpl = {
16546 + const struct paravirt_patch_template tmpl = {
16547 .pv_init_ops = pv_init_ops,
16548 .pv_time_ops = pv_time_ops,
16549 .pv_cpu_ops = pv_cpu_ops,
16550 @@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ
16551 .pv_lock_ops = pv_lock_ops,
16552 #endif
16553 };
16554 +
16555 + pax_track_stack();
16556 +
16557 return *((void **)&tmpl + type);
16558 }
16559
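Review bot: `return *((void **)&tmpl + type);` casts away the `const` that the previous hunk has just added to `tmpl`; `return *((void * const *)&tmpl + type);` reads the same slot without dropping the qualifier. The index `type` is not range-checked in the lines shown, so the read relies on every caller passing an offset that lies inside `struct paravirt_patch_template`; a comment stating that precondition would help. The added `pax_track_stack()` call carries no explanation; presumably it is there because `tmpl` is a large on-stack copy, which a short comment could confirm.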
16560 @@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type,
16561 if (opfunc == NULL)
16562 /* If there's no function, patch it with a ud2a (BUG) */
16563 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16564 - else if (opfunc == _paravirt_nop)
16565 + else if (opfunc == (void *)_paravirt_nop)
16566 /* If the operation is a nop, then nop the callsite */
16567 ret = paravirt_patch_nop();
16568
16569 /* identity functions just return their single argument */
16570 - else if (opfunc == _paravirt_ident_32)
16571 + else if (opfunc == (void *)_paravirt_ident_32)
16572 ret = paravirt_patch_ident_32(insnbuf, len);
16573 - else if (opfunc == _paravirt_ident_64)
16574 + else if (opfunc == (void *)_paravirt_ident_64)
16575 ret = paravirt_patch_ident_64(insnbuf, len);
16576 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
16577 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
16578 + ret = paravirt_patch_ident_64(insnbuf, len);
16579 +#endif
16580
16581 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16582 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
16583 @@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn
16584 if (insn_len > len || start == NULL)
16585 insn_len = len;
16586 else
16587 - memcpy(insnbuf, start, insn_len);
16588 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16589
16590 return insn_len;
16591 }
16592 @@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void)
16593 preempt_enable();
16594 }
16595
16596 -struct pv_info pv_info = {
16597 +struct pv_info pv_info __read_only = {
16598 .name = "bare hardware",
16599 .paravirt_enabled = 0,
16600 .kernel_rpl = 0,
16601 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16602 };
16603
16604 -struct pv_init_ops pv_init_ops = {
16605 +struct pv_init_ops pv_init_ops __read_only = {
16606 .patch = native_patch,
16607 };
16608
16609 -struct pv_time_ops pv_time_ops = {
16610 +struct pv_time_ops pv_time_ops __read_only = {
16611 .sched_clock = native_sched_clock,
16612 };
16613
16614 -struct pv_irq_ops pv_irq_ops = {
16615 +struct pv_irq_ops pv_irq_ops __read_only = {
16616 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16617 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16618 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
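Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` as `__read_only` (and likewise pv_cpu_ops, pv_apic_ops and pv_mmu_ops in the following hunks, and pv_lock_ops in paravirt-spinlocks.c) implies that any later assignment to a member must happen before the section is write-protected or inside a pax_open_kernel()/pax_close_kernel() pair. The code that fills these tables for a hypervisor guest is not in these hunks, so it cannot be confirmed here that every writer was adapted. A comment at the first definition, such as `/* __read_only: set up during early boot; later updates must go through pax_open_kernel() */`, would state the rule for future writers.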
16619 @@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops = {
16620 #endif
16621 };
16622
16623 -struct pv_cpu_ops pv_cpu_ops = {
16624 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16625 .cpuid = native_cpuid,
16626 .get_debugreg = native_get_debugreg,
16627 .set_debugreg = native_set_debugreg,
16628 @@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops = {
16629 .end_context_switch = paravirt_nop,
16630 };
16631
16632 -struct pv_apic_ops pv_apic_ops = {
16633 +struct pv_apic_ops pv_apic_ops __read_only = {
16634 #ifdef CONFIG_X86_LOCAL_APIC
16635 .startup_ipi_hook = paravirt_nop,
16636 #endif
16637 };
16638
16639 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
16640 +#ifdef CONFIG_X86_32
16641 +#ifdef CONFIG_X86_PAE
16642 +/* 64-bit pagetable entries */
16643 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
16644 +#else
16645 /* 32-bit pagetable entries */
16646 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
16647 +#endif
16648 #else
16649 /* 64-bit pagetable entries */
16650 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16651 #endif
16652
16653 -struct pv_mmu_ops pv_mmu_ops = {
16654 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16655
16656 .read_cr2 = native_read_cr2,
16657 .write_cr2 = native_write_cr2,
16658 @@ -465,6 +480,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16659 },
16660
16661 .set_fixmap = native_set_fixmap,
16662 +
16663 +#ifdef CONFIG_PAX_KERNEXEC
16664 + .pax_open_kernel = native_pax_open_kernel,
16665 + .pax_close_kernel = native_pax_close_kernel,
16666 +#endif
16667 +
16668 };
16669
16670 EXPORT_SYMBOL_GPL(pv_time_ops);
16671 diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c
16672 --- linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-19 00:06:34.000000000 -0400
16673 +++ linux-2.6.39.3/arch/x86/kernel/paravirt-spinlocks.c 2011-05-22 19:36:30.000000000 -0400
16674 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
16675 arch_spin_lock(lock);
16676 }
16677
16678 -struct pv_lock_ops pv_lock_ops = {
16679 +struct pv_lock_ops pv_lock_ops __read_only = {
16680 #ifdef CONFIG_SMP
16681 .spin_is_locked = __ticket_spin_is_locked,
16682 .spin_is_contended = __ticket_spin_is_contended,
16683 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c
16684 --- linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-19 00:06:34.000000000 -0400
16685 +++ linux-2.6.39.3/arch/x86/kernel/pci-calgary_64.c 2011-05-22 19:36:30.000000000 -0400
16686 @@ -179,13 +179,13 @@ static void calioc2_dump_error_regs(stru
16687 static void calgary_init_bitmap_from_tce_table(struct iommu_table *tbl);
16688 static void get_tce_space_from_tar(void);
16689
16690 -static struct cal_chipset_ops calgary_chip_ops = {
16691 +static const struct cal_chipset_ops calgary_chip_ops = {
16692 .handle_quirks = calgary_handle_quirks,
16693 .tce_cache_blast = calgary_tce_cache_blast,
16694 .dump_error_regs = calgary_dump_error_regs
16695 };
16696
16697 -static struct cal_chipset_ops calioc2_chip_ops = {
16698 +static const struct cal_chipset_ops calioc2_chip_ops = {
16699 .handle_quirks = calioc2_handle_quirks,
16700 .tce_cache_blast = calioc2_tce_cache_blast,
16701 .dump_error_regs = calioc2_dump_error_regs
16702 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
16703 free_pages((unsigned long)vaddr, get_order(size));
16704 }
16705
16706 -static struct dma_map_ops calgary_dma_ops = {
16707 +static const struct dma_map_ops calgary_dma_ops = {
16708 .alloc_coherent = calgary_alloc_coherent,
16709 .free_coherent = calgary_free_coherent,
16710 .map_sg = calgary_map_sg,
16711 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-dma.c linux-2.6.39.3/arch/x86/kernel/pci-dma.c
16712 --- linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-19 00:06:34.000000000 -0400
16713 +++ linux-2.6.39.3/arch/x86/kernel/pci-dma.c 2011-05-22 19:36:30.000000000 -0400
16714 @@ -16,7 +16,7 @@
16715
16716 static int forbid_dac __read_mostly;
16717
16718 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
16719 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
16720 EXPORT_SYMBOL(dma_ops);
16721
16722 static int iommu_sac_force __read_mostly;
16723 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
16724
16725 int dma_supported(struct device *dev, u64 mask)
16726 {
16727 - struct dma_map_ops *ops = get_dma_ops(dev);
16728 + const struct dma_map_ops *ops = get_dma_ops(dev);
16729
16730 #ifdef CONFIG_PCI
16731 if (mask > 0xffffffff && forbid_dac > 0) {
16732 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c
16733 --- linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-19 00:06:34.000000000 -0400
16734 +++ linux-2.6.39.3/arch/x86/kernel/pci-gart_64.c 2011-05-22 19:36:30.000000000 -0400
16735 @@ -695,7 +695,7 @@ static __init int init_amd_gatt(struct a
16736 return -1;
16737 }
16738
16739 -static struct dma_map_ops gart_dma_ops = {
16740 +static const struct dma_map_ops gart_dma_ops = {
16741 .map_sg = gart_map_sg,
16742 .unmap_sg = gart_unmap_sg,
16743 .map_page = gart_map_page,
16744 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c
16745 --- linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-19 00:06:34.000000000 -0400
16746 +++ linux-2.6.39.3/arch/x86/kernel/pci-iommu_table.c 2011-05-22 19:36:30.000000000 -0400
16747 @@ -2,7 +2,7 @@
16748 #include <asm/iommu_table.h>
16749 #include <linux/string.h>
16750 #include <linux/kallsyms.h>
16751 -
16752 +#include <linux/sched.h>
16753
16754 #define DEBUG 1
16755
16756 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
16757 char sym_p[KSYM_SYMBOL_LEN];
16758 char sym_q[KSYM_SYMBOL_LEN];
16759
16760 + pax_track_stack();
16761 +
16762 /* Simple cyclic dependency checker. */
16763 for (p = start; p < finish; p++) {
16764 q = find_dependents_of(start, finish, p);
16765 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-nommu.c linux-2.6.39.3/arch/x86/kernel/pci-nommu.c
16766 --- linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-19 00:06:34.000000000 -0400
16767 +++ linux-2.6.39.3/arch/x86/kernel/pci-nommu.c 2011-05-22 19:36:30.000000000 -0400
16768 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
16769 flush_write_buffers();
16770 }
16771
16772 -struct dma_map_ops nommu_dma_ops = {
16773 +const struct dma_map_ops nommu_dma_ops = {
16774 .alloc_coherent = dma_generic_alloc_coherent,
16775 .free_coherent = nommu_free_coherent,
16776 .map_sg = nommu_map_sg,
16777 diff -urNp linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c
16778 --- linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-19 00:06:34.000000000 -0400
16779 +++ linux-2.6.39.3/arch/x86/kernel/pci-swiotlb.c 2011-05-22 19:36:30.000000000 -0400
16780 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
16781 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16782 }
16783
16784 -static struct dma_map_ops swiotlb_dma_ops = {
16785 +static const struct dma_map_ops swiotlb_dma_ops = {
16786 .mapping_error = swiotlb_dma_mapping_error,
16787 .alloc_coherent = x86_swiotlb_alloc_coherent,
16788 .free_coherent = swiotlb_free_coherent,
16789 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_32.c linux-2.6.39.3/arch/x86/kernel/process_32.c
16790 --- linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 12:55:22.000000000 -0400
16791 +++ linux-2.6.39.3/arch/x86/kernel/process_32.c 2011-06-25 13:00:25.000000000 -0400
16792 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
16793 unsigned long thread_saved_pc(struct task_struct *tsk)
16794 {
16795 return ((unsigned long *)tsk->thread.sp)[3];
16796 +//XXX return tsk->thread.eip;
16797 }
16798
16799 #ifndef CONFIG_SMP
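Review bot: The added line `//XXX return tsk->thread.eip;` in thread_saved_pc sits after the `return` and is commented-out code with no explanation. Either drop it or replace it with a comment that says what is still open, for example `/* XXX: should this return the saved ip from thread_struct instead of the stack slot? */`. The other hunks in this file use `thread.ip`, not `eip`, so the alternative may not compile as written.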
16800 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
16801 unsigned long sp;
16802 unsigned short ss, gs;
16803
16804 - if (user_mode_vm(regs)) {
16805 + if (user_mode(regs)) {
16806 sp = regs->sp;
16807 ss = regs->ss & 0xffff;
16808 - gs = get_user_gs(regs);
16809 } else {
16810 sp = kernel_stack_pointer(regs);
16811 savesegment(ss, ss);
16812 - savesegment(gs, gs);
16813 }
16814 + gs = get_user_gs(regs);
16815
16816 show_regs_common();
16817
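Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in __show_regs (and in fill_sigtrap_info in ptrace.c) keeps vm86 frames classified as user mode only if `user_mode()` is redefined elsewhere in this patch to include the X86_VM_MASK test. As far as I recall, the unpatched 32-bit definition looks at the CS privilege level alone. That redefinition is not in these hunks and should be confirmed. The hunk also takes `gs` from `get_user_gs(regs)` on the kernel-mode path, where the removed code read the live register with `savesegment(gs, gs)`; a comment saying why the saved value is now right for both paths would help.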
16818 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
16819 struct task_struct *tsk;
16820 int err;
16821
16822 - childregs = task_pt_regs(p);
16823 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16824 *childregs = *regs;
16825 childregs->ax = 0;
16826 childregs->sp = sp;
16827
16828 p->thread.sp = (unsigned long) childregs;
16829 p->thread.sp0 = (unsigned long) (childregs+1);
16830 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16831
16832 p->thread.ip = (unsigned long) ret_from_fork;
16833
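Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` in copy_thread hard-codes the gap left at the top of the kernel stack. The same idea appears with 16 in the process_64.c copy_thread hunk and twice as `THREAD_SIZE-16-sizeof(u64)` in get_wchan. These literals have to stay in step with each other and with whatever computes sp0 elsewhere, so one named constant in a shared header would be safer, for instance `#define KSTACK_TOP_PAD 8` (16 on 64-bit; the name is a placeholder). The expression also does arithmetic directly on the `void *` from task_stack_page(), which the kernel's GNU C dialect allows but which hides that the offsets are in bytes.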
16834 @@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
16835 struct thread_struct *prev = &prev_p->thread,
16836 *next = &next_p->thread;
16837 int cpu = smp_processor_id();
16838 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16839 + struct tss_struct *tss = init_tss + cpu;
16840 bool preload_fpu;
16841
16842 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16843 @@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
16844 */
16845 lazy_save_gs(prev->gs);
16846
16847 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16848 + __set_fs(task_thread_info(next_p)->addr_limit);
16849 +#endif
16850 +
16851 /*
16852 * Load the per-thread Thread-Local Storage descriptor.
16853 */
16854 @@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
16855 */
16856 arch_end_context_switch(next_p);
16857
16858 + percpu_write(current_task, next_p);
16859 + percpu_write(current_tinfo, &next_p->tinfo);
16860 +
16861 if (preload_fpu)
16862 __math_state_restore();
16863
16864 @@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
16865 if (prev->gs | next->gs)
16866 lazy_load_gs(next->gs);
16867
16868 - percpu_write(current_task, next_p);
16869 -
16870 return prev_p;
16871 }
16872
16873 @@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
16874 } while (count++ < 16);
16875 return 0;
16876 }
16877 -
16878 diff -urNp linux-2.6.39.3/arch/x86/kernel/process_64.c linux-2.6.39.3/arch/x86/kernel/process_64.c
16879 --- linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 12:55:22.000000000 -0400
16880 +++ linux-2.6.39.3/arch/x86/kernel/process_64.c 2011-06-25 13:00:25.000000000 -0400
16881 @@ -87,7 +87,7 @@ static void __exit_idle(void)
16882 void exit_idle(void)
16883 {
16884 /* idle loop has pid 0 */
16885 - if (current->pid)
16886 + if (task_pid_nr(current))
16887 return;
16888 __exit_idle();
16889 }
16890 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
16891 struct pt_regs *childregs;
16892 struct task_struct *me = current;
16893
16894 - childregs = ((struct pt_regs *)
16895 - (THREAD_SIZE + task_stack_page(p))) - 1;
16896 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16897 *childregs = *regs;
16898
16899 childregs->ax = 0;
16900 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
16901 p->thread.sp = (unsigned long) childregs;
16902 p->thread.sp0 = (unsigned long) (childregs+1);
16903 p->thread.usersp = me->thread.usersp;
16904 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16905
16906 set_tsk_thread_flag(p, TIF_FORK);
16907
16908 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
16909 struct thread_struct *prev = &prev_p->thread;
16910 struct thread_struct *next = &next_p->thread;
16911 int cpu = smp_processor_id();
16912 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16913 + struct tss_struct *tss = init_tss + cpu;
16914 unsigned fsindex, gsindex;
16915 bool preload_fpu;
16916
16917 @@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
16918 prev->usersp = percpu_read(old_rsp);
16919 percpu_write(old_rsp, next->usersp);
16920 percpu_write(current_task, next_p);
16921 + percpu_write(current_tinfo, &next_p->tinfo);
16922
16923 - percpu_write(kernel_stack,
16924 - (unsigned long)task_stack_page(next_p) +
16925 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16926 + percpu_write(kernel_stack, next->sp0);
16927
16928 /*
16929 * Now maybe reload the debug registers and handle I/O bitmaps
16930 @@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
16931 if (!p || p == current || p->state == TASK_RUNNING)
16932 return 0;
16933 stack = (unsigned long)task_stack_page(p);
16934 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16935 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16936 return 0;
16937 fp = *(u64 *)(p->thread.sp);
16938 do {
16939 - if (fp < (unsigned long)stack ||
16940 - fp >= (unsigned long)stack+THREAD_SIZE)
16941 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16942 return 0;
16943 ip = *(u64 *)(fp+8);
16944 if (!in_sched_functions(ip))
16945 diff -urNp linux-2.6.39.3/arch/x86/kernel/process.c linux-2.6.39.3/arch/x86/kernel/process.c
16946 --- linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-19 00:06:34.000000000 -0400
16947 +++ linux-2.6.39.3/arch/x86/kernel/process.c 2011-05-22 19:36:30.000000000 -0400
16948 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
16949
16950 void free_thread_info(struct thread_info *ti)
16951 {
16952 - free_thread_xstate(ti->task);
16953 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16954 }
16955
16956 +static struct kmem_cache *task_struct_cachep;
16957 +
16958 void arch_task_cache_init(void)
16959 {
16960 - task_xstate_cachep =
16961 - kmem_cache_create("task_xstate", xstate_size,
16962 + /* create a slab on which task_structs can be allocated */
16963 + task_struct_cachep =
16964 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16965 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16966 +
16967 + task_xstate_cachep =
16968 + kmem_cache_create("task_xstate", xstate_size,
16969 __alignof__(union thread_xstate),
16970 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16971 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16972 +}
16973 +
16974 +struct task_struct *alloc_task_struct_node(int node)
16975 +{
16976 + return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
16977 +}
16978 +
16979 +void free_task_struct(struct task_struct *task)
16980 +{
16981 + free_thread_xstate(task);
16982 + kmem_cache_free(task_struct_cachep, task);
16983 }
16984
16985 /*
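Review bot: `free_thread_xstate()` moves from free_thread_info() to the new free_task_struct(), so the extended-state buffer is now released together with the task_struct rather than with the stack pages. Any path that frees a thread_info without later reaching free_task_struct() would leak it, and those callers are outside this hunk. A comment on free_task_struct such as `/* also releases the xstate area, previously freed from free_thread_info() */` would record the ownership change. Only the `task_xstate` cache gains `SLAB_USERCOPY`; a short comment on why that cache is marked and the new `task_struct` cache is not would make the choice reviewable.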
16986 @@ -70,7 +87,7 @@ void exit_thread(void)
16987 unsigned long *bp = t->io_bitmap_ptr;
16988
16989 if (bp) {
16990 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16991 + struct tss_struct *tss = init_tss + get_cpu();
16992
16993 t->io_bitmap_ptr = NULL;
16994 clear_thread_flag(TIF_IO_BITMAP);
16995 @@ -106,7 +123,7 @@ void show_regs_common(void)
16996
16997 printk(KERN_CONT "\n");
16998 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
16999 - current->pid, current->comm, print_tainted(),
17000 + task_pid_nr(current), current->comm, print_tainted(),
17001 init_utsname()->release,
17002 (int)strcspn(init_utsname()->version, " "),
17003 init_utsname()->version);
17004 @@ -120,6 +137,9 @@ void flush_thread(void)
17005 {
17006 struct task_struct *tsk = current;
17007
17008 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
17009 + loadsegment(gs, 0);
17010 +#endif
17011 flush_ptrace_hw_breakpoint(tsk);
17012 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
17013 /*
17014 @@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
17015 regs.di = (unsigned long) arg;
17016
17017 #ifdef CONFIG_X86_32
17018 - regs.ds = __USER_DS;
17019 - regs.es = __USER_DS;
17020 + regs.ds = __KERNEL_DS;
17021 + regs.es = __KERNEL_DS;
17022 regs.fs = __KERNEL_PERCPU;
17023 - regs.gs = __KERNEL_STACK_CANARY;
17024 + savesegment(gs, regs.gs);
17025 #else
17026 regs.ss = __KERNEL_DS;
17027 #endif
17028 @@ -401,7 +421,7 @@ void default_idle(void)
17029 EXPORT_SYMBOL(default_idle);
17030 #endif
17031
17032 -void stop_this_cpu(void *dummy)
17033 +__noreturn void stop_this_cpu(void *dummy)
17034 {
17035 local_irq_disable();
17036 /*
17037 @@ -665,16 +685,34 @@ static int __init idle_setup(char *str)
17038 }
17039 early_param("idle", idle_setup);
17040
17041 -unsigned long arch_align_stack(unsigned long sp)
17042 +#ifdef CONFIG_PAX_RANDKSTACK
17043 +asmlinkage void pax_randomize_kstack(void)
17044 {
17045 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17046 - sp -= get_random_int() % 8192;
17047 - return sp & ~0xf;
17048 -}
17049 + struct thread_struct *thread = &current->thread;
17050 + unsigned long time;
17051
17052 -unsigned long arch_randomize_brk(struct mm_struct *mm)
17053 -{
17054 - unsigned long range_end = mm->brk + 0x02000000;
17055 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17056 -}
17057 + if (!randomize_va_space)
17058 + return;
17059 +
17060 + rdtscl(time);
17061 +
17062 + /* P4 seems to return a 0 LSB, ignore it */
17063 +#ifdef CONFIG_MPENTIUM4
17064 + time &= 0x3EUL;
17065 + time <<= 2;
17066 +#elif defined(CONFIG_X86_64)
17067 + time &= 0xFUL;
17068 + time <<= 4;
17069 +#else
17070 + time &= 0x1FUL;
17071 + time <<= 3;
17072 +#endif
17073 +
17074 + thread->sp0 ^= time;
17075 + load_sp0(init_tss + smp_processor_id(), thread);
17076
17077 +#ifdef CONFIG_X86_64
17078 + percpu_write(kernel_stack, thread->sp0);
17079 +#endif
17080 +}
17081 +#endif
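Review bot: pax_randomize_kstack takes its offset from the low bits of the time-stamp counter (`rdtscl(time)` masked to four or five bits), not from the kernel random pool, so the shift is small and derived from a value that is not secret. A header comment should say so, to keep anyone from treating it as strong randomization. The comment `/* P4 seems to return a 0 LSB, ignore it */` sits above the whole `#ifdef` chain but describes only the CONFIG_MPENTIUM4 branch; it belongs inside that branch, and each mask/shift pair deserves a note on the resulting alignment and range. `thread->sp0 ^= time` toggles bits of the current sp0 rather than offsetting from a fixed base, which is also worth stating. The hunk removes arch_align_stack() and arch_randomize_brk() from this file, and their replacements are not visible here.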
17082 diff -urNp linux-2.6.39.3/arch/x86/kernel/ptrace.c linux-2.6.39.3/arch/x86/kernel/ptrace.c
17083 --- linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
17084 +++ linux-2.6.39.3/arch/x86/kernel/ptrace.c 2011-05-22 19:36:30.000000000 -0400
17085 @@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
17086 unsigned long addr, unsigned long data)
17087 {
17088 int ret;
17089 - unsigned long __user *datap = (unsigned long __user *)data;
17090 + unsigned long __user *datap = (__force unsigned long __user *)data;
17091
17092 switch (request) {
17093 /* read the word at location addr in the USER area. */
17094 @@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
17095 if ((int) addr < 0)
17096 return -EIO;
17097 ret = do_get_thread_area(child, addr,
17098 - (struct user_desc __user *)data);
17099 + (__force struct user_desc __user *) data);
17100 break;
17101
17102 case PTRACE_SET_THREAD_AREA:
17103 if ((int) addr < 0)
17104 return -EIO;
17105 ret = do_set_thread_area(child, addr,
17106 - (struct user_desc __user *)data, 0);
17107 + (__force struct user_desc __user *) data, 0);
17108 break;
17109 #endif
17110
17111 @@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
17112 memset(info, 0, sizeof(*info));
17113 info->si_signo = SIGTRAP;
17114 info->si_code = si_code;
17115 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
17116 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
17117 }
17118
17119 void user_single_step_siginfo(struct task_struct *tsk,
17120 @@ -1363,7 +1363,7 @@ void send_sigtrap(struct task_struct *ts
17121 * We must return the syscall number to actually look up in the table.
17122 * This can be -1L to skip running any syscall at all.
17123 */
17124 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
17125 +long syscall_trace_enter(struct pt_regs *regs)
17126 {
17127 long ret = 0;
17128
17129 @@ -1408,7 +1408,7 @@ asmregparm long syscall_trace_enter(stru
17130 return ret ?: regs->orig_ax;
17131 }
17132
17133 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
17134 +void syscall_trace_leave(struct pt_regs *regs)
17135 {
17136 bool step;
17137
17138 diff -urNp linux-2.6.39.3/arch/x86/kernel/pvclock.c linux-2.6.39.3/arch/x86/kernel/pvclock.c
17139 --- linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-19 00:06:34.000000000 -0400
17140 +++ linux-2.6.39.3/arch/x86/kernel/pvclock.c 2011-05-22 19:36:30.000000000 -0400
17141 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
17142 return pv_tsc_khz;
17143 }
17144
17145 -static atomic64_t last_value = ATOMIC64_INIT(0);
17146 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
17147
17148 void pvclock_resume(void)
17149 {
17150 - atomic64_set(&last_value, 0);
17151 + atomic64_set_unchecked(&last_value, 0);
17152 }
17153
17154 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
17155 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
17156 * updating at the same time, and one of them could be slightly behind,
17157 * making the assumption that last_value always go forward fail to hold.
17158 */
17159 - last = atomic64_read(&last_value);
17160 + last = atomic64_read_unchecked(&last_value);
17161 do {
17162 if (ret < last)
17163 return last;
17164 - last = atomic64_cmpxchg(&last_value, last, ret);
17165 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
17166 } while (unlikely(last != ret));
17167
17168 return ret;
17169 diff -urNp linux-2.6.39.3/arch/x86/kernel/reboot.c linux-2.6.39.3/arch/x86/kernel/reboot.c
17170 --- linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-19 00:06:34.000000000 -0400
17171 +++ linux-2.6.39.3/arch/x86/kernel/reboot.c 2011-05-23 17:07:00.000000000 -0400
17172 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
17173 EXPORT_SYMBOL(pm_power_off);
17174
17175 static const struct desc_ptr no_idt = {};
17176 -static int reboot_mode;
17177 +static unsigned short reboot_mode;
17178 enum reboot_type reboot_type = BOOT_KBD;
17179 int reboot_force;
17180
17181 @@ -307,13 +307,17 @@ core_initcall(reboot_init);
17182 extern const unsigned char machine_real_restart_asm[];
17183 extern const u64 machine_real_restart_gdt[3];
17184
17185 -void machine_real_restart(unsigned int type)
17186 +__noreturn void machine_real_restart(unsigned int type)
17187 {
17188 void *restart_va;
17189 unsigned long restart_pa;
17190 - void (*restart_lowmem)(unsigned int);
17191 + void (* __noreturn restart_lowmem)(unsigned int);
17192 u64 *lowmem_gdt;
17193
17194 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17195 + struct desc_struct *gdt;
17196 +#endif
17197 +
17198 local_irq_disable();
17199
17200 /* Write zero to CMOS register number 0x0f, which the BIOS POST
17201 @@ -339,14 +343,14 @@ void machine_real_restart(unsigned int t
17202 boot)". This seems like a fairly standard thing that gets set by
17203 REBOOT.COM programs, and the previous reset routine did this
17204 too. */
17205 - *((unsigned short *)0x472) = reboot_mode;
17206 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17207
17208 /* Patch the GDT in the low memory trampoline */
17209 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
17210
17211 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
17212 restart_pa = virt_to_phys(restart_va);
17213 - restart_lowmem = (void (*)(unsigned int))restart_pa;
17214 + restart_lowmem = (void *)restart_pa;
17215
17216 /* GDT[0]: GDT self-pointer */
17217 lowmem_gdt[0] =
17218 @@ -357,7 +361,33 @@ void machine_real_restart(unsigned int t
17219 GDT_ENTRY(0x009b, restart_pa, 0xffff);
17220
17221 /* Jump to the identity-mapped low memory code */
17222 +
17223 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
17224 + gdt = get_cpu_gdt_table(smp_processor_id());
17225 + pax_open_kernel();
17226 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17227 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
17228 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
17229 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
17230 +#endif
17231 +#ifdef CONFIG_PAX_KERNEXEC
17232 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
17233 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
17234 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
17235 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
17236 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
17237 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
17238 +#endif
17239 + pax_close_kernel();
17240 +#endif
17241 +
17242 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17243 + asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
17244 + unreachable();
17245 +#else
17246 restart_lowmem(type);
17247 +#endif
17248 +
17249 }
17250 #ifdef CONFIG_APM_MODULE
17251 EXPORT_SYMBOL(machine_real_restart);
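Review bot: The `"rm" (restart_lowmem)` operand in `push %0; push %1; lret` is read after the first push has already moved the stack pointer, so if the compiler chooses a stack-pointer-relative memory slot for it, the second push reads the wrong word. Constraining the operand to a register avoids that: `"r" (restart_lowmem)`. The descriptor edits between `pax_open_kernel()` and `pax_close_kernel()` also need a comment; from the field values they appear to put flat kernel code and data descriptors back before the jump to low memory. machine_real_restart begins outside this hunk.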
17252 @@ -478,7 +508,7 @@ void __attribute__((weak)) mach_reboot_f
17253 {
17254 }
17255
17256 -static void native_machine_emergency_restart(void)
17257 +__noreturn static void native_machine_emergency_restart(void)
17258 {
17259 int i;
17260
17261 @@ -593,13 +623,13 @@ void native_machine_shutdown(void)
17262 #endif
17263 }
17264
17265 -static void __machine_emergency_restart(int emergency)
17266 +static __noreturn void __machine_emergency_restart(int emergency)
17267 {
17268 reboot_emergency = emergency;
17269 machine_ops.emergency_restart();
17270 }
17271
17272 -static void native_machine_restart(char *__unused)
17273 +static __noreturn void native_machine_restart(char *__unused)
17274 {
17275 printk("machine restart\n");
17276
17277 @@ -608,7 +638,7 @@ static void native_machine_restart(char
17278 __machine_emergency_restart(0);
17279 }
17280
17281 -static void native_machine_halt(void)
17282 +static __noreturn void native_machine_halt(void)
17283 {
17284 /* stop other cpus and apics */
17285 machine_shutdown();
17286 @@ -619,7 +649,7 @@ static void native_machine_halt(void)
17287 stop_this_cpu(NULL);
17288 }
17289
17290 -static void native_machine_power_off(void)
17291 +__noreturn static void native_machine_power_off(void)
17292 {
17293 if (pm_power_off) {
17294 if (!reboot_force)
17295 @@ -628,6 +658,7 @@ static void native_machine_power_off(voi
17296 }
17297 /* a fallback in case there is no PM info available */
17298 tboot_shutdown(TB_SHUTDOWN_HALT);
17299 + unreachable();
17300 }
17301
17302 struct machine_ops machine_ops = {
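Review bot: `unreachable()` after `tboot_shutdown(TB_SHUTDOWN_HALT)` is only valid if that call never returns, but the tboot.c context later in this patch shows `tboot_shutdown()` starting with `if (!tboot_enabled()) return;`. When tboot is not in use and `pm_power_off` is unset or returns, control runs past the call in a function the previous hunk declares `__noreturn`, which is undefined behaviour. Ending the function with a real stop, for example the `stop_this_cpu(NULL);` that native_machine_halt ends with, keeps the annotation true.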
17303 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup.c linux-2.6.39.3/arch/x86/kernel/setup.c
17304 --- linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 12:55:22.000000000 -0400
17305 +++ linux-2.6.39.3/arch/x86/kernel/setup.c 2011-06-25 13:00:25.000000000 -0400
17306 @@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
17307 * area (640->1Mb) as ram even though it is not.
17308 * take them out.
17309 */
17310 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
17311 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
17312 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
17313 }
17314
17315 @@ -775,14 +775,14 @@ void __init setup_arch(char **cmdline_p)
17316
17317 if (!boot_params.hdr.root_flags)
17318 root_mountflags &= ~MS_RDONLY;
17319 - init_mm.start_code = (unsigned long) _text;
17320 - init_mm.end_code = (unsigned long) _etext;
17321 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17322 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17323 init_mm.end_data = (unsigned long) _edata;
17324 init_mm.brk = _brk_end;
17325
17326 - code_resource.start = virt_to_phys(_text);
17327 - code_resource.end = virt_to_phys(_etext)-1;
17328 - data_resource.start = virt_to_phys(_etext);
17329 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17330 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17331 + data_resource.start = virt_to_phys(_sdata);
17332 data_resource.end = virt_to_phys(_edata)-1;
17333 bss_resource.start = virt_to_phys(&__bss_start);
17334 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17335 diff -urNp linux-2.6.39.3/arch/x86/kernel/setup_percpu.c linux-2.6.39.3/arch/x86/kernel/setup_percpu.c
17336 --- linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-05-19 00:06:34.000000000 -0400
17337 +++ linux-2.6.39.3/arch/x86/kernel/setup_percpu.c 2011-06-04 20:08:30.000000000 -0400
17338 @@ -21,19 +21,17 @@
17339 #include <asm/cpu.h>
17340 #include <asm/stackprotector.h>
17341
17342 -DEFINE_PER_CPU(int, cpu_number);
17343 +#ifdef CONFIG_SMP
17344 +DEFINE_PER_CPU(unsigned int, cpu_number);
17345 EXPORT_PER_CPU_SYMBOL(cpu_number);
17346 +#endif
17347
17348 -#ifdef CONFIG_X86_64
17349 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17350 -#else
17351 -#define BOOT_PERCPU_OFFSET 0
17352 -#endif
17353
17354 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17355 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17356
17357 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17358 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17359 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17360 };
17361 EXPORT_SYMBOL(__per_cpu_offset);
17362 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
17363 {
17364 #ifdef CONFIG_X86_32
17365 struct desc_struct gdt;
17366 + unsigned long base = per_cpu_offset(cpu);
17367
17368 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17369 - 0x2 | DESCTYPE_S, 0x8);
17370 - gdt.s = 1;
17371 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17372 + 0x83 | DESCTYPE_S, 0xC);
17373 write_gdt_entry(get_cpu_gdt_table(cpu),
17374 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17375 #endif
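Review bot: The new limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` is derived from `per_cpu_offset(cpu)` with no check that `base` lies below `VMALLOC_END`. If it ever did not, the unsigned subtraction would wrap and the descriptor would no longer bound the per-cpu segment as intended. The literals `0x83 | DESCTYPE_S` and `0xC` also need a comment; read against the x86 descriptor layout they appear to mean a present, writable, already-accessed data segment with page granularity and 32-bit default size, for example `/* present, r/w data, accessed; G=1, D/B=1; limit stops at VMALLOC_END */`. setup_percpu_segment begins outside this hunk.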
17376 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
17377 /* alrighty, percpu areas up and running */
17378 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17379 for_each_possible_cpu(cpu) {
17380 +#ifdef CONFIG_CC_STACKPROTECTOR
17381 +#ifdef CONFIG_X86_32
17382 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17383 +#endif
17384 +#endif
17385 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17386 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17387 per_cpu(cpu_number, cpu) = cpu;
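Review bot: The saved `canary` is read for every possible CPU here but written back only for CPU 0 in the next hunk (`if (!cpu)`), and neither place says why. The intent is presumably to carry the boot CPU's stack canary across the switch to the new per-cpu area; a comment such as `/* keep the boot CPU's canary when its per-cpu area moves */` would say so. The nested `#ifdef` pair, used in both hunks, reads more easily as `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`. setup_per_cpu_areas starts and ends outside these hunks.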
17388 @@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
17389 */
17390 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
17391 #endif
17392 +#ifdef CONFIG_CC_STACKPROTECTOR
17393 +#ifdef CONFIG_X86_32
17394 + if (!cpu)
17395 + per_cpu(stack_canary.canary, cpu) = canary;
17396 +#endif
17397 +#endif
17398 /*
17399 * Up to this point, the boot CPU has been using .init.data
17400 * area. Reload any changed state for the boot CPU.
17401 diff -urNp linux-2.6.39.3/arch/x86/kernel/signal.c linux-2.6.39.3/arch/x86/kernel/signal.c
17402 --- linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
17403 +++ linux-2.6.39.3/arch/x86/kernel/signal.c 2011-05-23 17:07:00.000000000 -0400
17404 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
17405 * Align the stack pointer according to the i386 ABI,
17406 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17407 */
17408 - sp = ((sp + 4) & -16ul) - 4;
17409 + sp = ((sp - 12) & -16ul) - 4;
17410 #else /* !CONFIG_X86_32 */
17411 sp = round_down(sp, 16) - 8;
17412 #endif
17413 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
17414 * Return an always-bogus address instead so we will die with SIGSEGV.
17415 */
17416 if (onsigstack && !likely(on_sig_stack(sp)))
17417 - return (void __user *)-1L;
17418 + return (__force void __user *)-1L;
17419
17420 /* save i387 state */
17421 if (used_math() && save_i387_xstate(*fpstate) < 0)
17422 - return (void __user *)-1L;
17423 + return (__force void __user *)-1L;
17424
17425 return (void __user *)sp;
17426 }
17427 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
17428 }
17429
17430 if (current->mm->context.vdso)
17431 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17432 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17433 else
17434 - restorer = &frame->retcode;
17435 + restorer = (void __user *)&frame->retcode;
17436 if (ka->sa.sa_flags & SA_RESTORER)
17437 restorer = ka->sa.sa_restorer;
17438
17439 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
17440 * reasons and because gdb uses it as a signature to notice
17441 * signal handler stack frames.
17442 */
17443 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17444 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17445
17446 if (err)
17447 return -EFAULT;
17448 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
17449 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17450
17451 /* Set up to return from userspace. */
17452 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17453 + if (current->mm->context.vdso)
17454 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17455 + else
17456 + restorer = (void __user *)&frame->retcode;
17457 if (ka->sa.sa_flags & SA_RESTORER)
17458 restorer = ka->sa.sa_restorer;
17459 put_user_ex(restorer, &frame->pretcode);
17460 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
17461 * reasons and because gdb uses it as a signature to notice
17462 * signal handler stack frames.
17463 */
17464 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17465 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17466 } put_user_catch(err);
17467
17468 if (err)
17469 @@ -773,6 +776,8 @@ static void do_signal(struct pt_regs *re
17470 int signr;
17471 sigset_t *oldset;
17472
17473 + pax_track_stack();
17474 +
17475 /*
17476 * We want the common case to go fast, which is why we may in certain
17477 * cases get here from kernel mode. Just return without doing anything
17478 @@ -780,7 +785,7 @@ static void do_signal(struct pt_regs *re
17479 * X86_32: vm86 regs switched out by assembly code before reaching
17480 * here, so testing against kernel CS suffices.
17481 */
17482 - if (!user_mode(regs))
17483 + if (!user_mode_novm(regs))
17484 return;
17485
17486 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
17487 diff -urNp linux-2.6.39.3/arch/x86/kernel/smpboot.c linux-2.6.39.3/arch/x86/kernel/smpboot.c
17488 --- linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 12:55:22.000000000 -0400
17489 +++ linux-2.6.39.3/arch/x86/kernel/smpboot.c 2011-06-25 13:00:25.000000000 -0400
17490 @@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
17491 set_idle_for_cpu(cpu, c_idle.idle);
17492 do_rest:
17493 per_cpu(current_task, cpu) = c_idle.idle;
17494 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17495 #ifdef CONFIG_X86_32
17496 /* Stack for startup_32 can be just as for start_secondary onwards */
17497 irq_ctx_init(cpu);
17498 #else
17499 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17500 initial_gs = per_cpu_offset(cpu);
17501 - per_cpu(kernel_stack, cpu) =
17502 - (unsigned long)task_stack_page(c_idle.idle) -
17503 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17504 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17505 #endif
17506 +
17507 + pax_open_kernel();
17508 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17509 + pax_close_kernel();
17510 +
17511 initial_code = (unsigned long)start_secondary;
17512 stack_start = c_idle.idle->thread.sp;
17513
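Review bot: `- 16 + THREAD_SIZE` on the `per_cpu(kernel_stack, cpu)` line replaces the named `KERNEL_STACK_OFFSET` with a bare literal. Every other place that derives the stack top from `kernel_stack` has to agree on this value, and a literal makes a mismatch hard to spot in review. Keeping a named constant for the 16-byte gap, with a comment on what it reserves, would avoid that. do_boot_cpu starts and ends outside this hunk.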
17514 @@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
17515
17516 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17517
17518 +#ifdef CONFIG_PAX_PER_CPU_PGD
17519 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17520 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17521 + KERNEL_PGD_PTRS);
17522 +#endif
17523 +
17524 err = do_boot_cpu(apicid, cpu);
17525 if (err) {
17526 pr_debug("do_boot_cpu failed %d\n", err);
17527 diff -urNp linux-2.6.39.3/arch/x86/kernel/step.c linux-2.6.39.3/arch/x86/kernel/step.c
17528 --- linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-19 00:06:34.000000000 -0400
17529 +++ linux-2.6.39.3/arch/x86/kernel/step.c 2011-05-22 19:36:30.000000000 -0400
17530 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17531 struct desc_struct *desc;
17532 unsigned long base;
17533
17534 - seg &= ~7UL;
17535 + seg >>= 3;
17536
17537 mutex_lock(&child->mm->context.lock);
17538 - if (unlikely((seg >> 3) >= child->mm->context.size))
17539 + if (unlikely(seg >= child->mm->context.size))
17540 addr = -1L; /* bogus selector, access would fault */
17541 else {
17542 desc = child->mm->context.ldt + seg;
17543 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17544 addr += base;
17545 }
17546 mutex_unlock(&child->mm->context.lock);
17547 - }
17548 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17549 + addr = ktla_ktva(addr);
17550
17551 return addr;
17552 }
17553 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17554 unsigned char opcode[15];
17555 unsigned long addr = convert_ip_to_linear(child, regs);
17556
17557 + if (addr == -EINVAL)
17558 + return 0;
17559 +
17560 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17561 for (i = 0; i < copied; i++) {
17562 switch (opcode[i]) {
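Review bot: The new guard `if (addr == -EINVAL) return 0;` does not match the failure value visible in convert_ip_to_linear, whose context line in the first hunk of this file still assigns `addr = -1L` for a bogus selector. Unless a path outside these hunks returns `-EINVAL`, the guard never fires and `access_process_vm()` is still called with the bogus address. Either test the value that is actually produced, `if (addr == -1L) return 0;`, or change the assignment to `addr = -EINVAL;` so the two agree. is_setting_trap_flag continues past the end of the hunk.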
17563 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17564
17565 #ifdef CONFIG_X86_64
17566 case 0x40 ... 0x4f:
17567 - if (regs->cs != __USER_CS)
17568 + if ((regs->cs & 0xffff) != __USER_CS)
17569 /* 32-bit mode: register increment */
17570 return 0;
17571 /* 64-bit mode: REX prefix */
17572 diff -urNp linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S
17573 --- linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-19 00:06:34.000000000 -0400
17574 +++ linux-2.6.39.3/arch/x86/kernel/syscall_table_32.S 2011-05-22 19:36:30.000000000 -0400
17575 @@ -1,3 +1,4 @@
17576 +.section .rodata,"a",@progbits
17577 ENTRY(sys_call_table)
17578 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17579 .long sys_exit
17580 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c
17581 --- linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-19 00:06:34.000000000 -0400
17582 +++ linux-2.6.39.3/arch/x86/kernel/sys_i386_32.c 2011-05-22 19:36:30.000000000 -0400
17583 @@ -24,17 +24,224 @@
17584
17585 #include <asm/syscalls.h>
17586
17587 -/*
17588 - * Do a system call from kernel instead of calling sys_execve so we
17589 - * end up with proper pt_regs.
17590 - */
17591 -int kernel_execve(const char *filename,
17592 - const char *const argv[],
17593 - const char *const envp[])
17594 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17595 {
17596 - long __res;
17597 - asm volatile ("int $0x80"
17598 - : "=a" (__res)
17599 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
17600 - return __res;
17601 + unsigned long pax_task_size = TASK_SIZE;
17602 +
17603 +#ifdef CONFIG_PAX_SEGMEXEC
17604 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17605 + pax_task_size = SEGMEXEC_TASK_SIZE;
17606 +#endif
17607 +
17608 + if (len > pax_task_size || addr > pax_task_size - len)
17609 + return -EINVAL;
17610 +
17611 + return 0;
17612 +}
17613 +
17614 +unsigned long
17615 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17616 + unsigned long len, unsigned long pgoff, unsigned long flags)
17617 +{
17618 + struct mm_struct *mm = current->mm;
17619 + struct vm_area_struct *vma;
17620 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17621 +
17622 +#ifdef CONFIG_PAX_SEGMEXEC
17623 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17624 + pax_task_size = SEGMEXEC_TASK_SIZE;
17625 +#endif
17626 +
17627 + pax_task_size -= PAGE_SIZE;
17628 +
17629 + if (len > pax_task_size)
17630 + return -ENOMEM;
17631 +
17632 + if (flags & MAP_FIXED)
17633 + return addr;
17634 +
17635 +#ifdef CONFIG_PAX_RANDMMAP
17636 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17637 +#endif
17638 +
17639 + if (addr) {
17640 + addr = PAGE_ALIGN(addr);
17641 + if (pax_task_size - len >= addr) {
17642 + vma = find_vma(mm, addr);
17643 + if (check_heap_stack_gap(vma, addr, len))
17644 + return addr;
17645 + }
17646 + }
17647 + if (len > mm->cached_hole_size) {
17648 + start_addr = addr = mm->free_area_cache;
17649 + } else {
17650 + start_addr = addr = mm->mmap_base;
17651 + mm->cached_hole_size = 0;
17652 + }
17653 +
17654 +#ifdef CONFIG_PAX_PAGEEXEC
17655 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17656 + start_addr = 0x00110000UL;
17657 +
17658 +#ifdef CONFIG_PAX_RANDMMAP
17659 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17660 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17661 +#endif
17662 +
17663 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17664 + start_addr = addr = mm->mmap_base;
17665 + else
17666 + addr = start_addr;
17667 + }
17668 +#endif
17669 +
17670 +full_search:
17671 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17672 + /* At this point: (!vma || addr < vma->vm_end). */
17673 + if (pax_task_size - len < addr) {
17674 + /*
17675 + * Start a new search - just in case we missed
17676 + * some holes.
17677 + */
17678 + if (start_addr != mm->mmap_base) {
17679 + start_addr = addr = mm->mmap_base;
17680 + mm->cached_hole_size = 0;
17681 + goto full_search;
17682 + }
17683 + return -ENOMEM;
17684 + }
17685 + if (check_heap_stack_gap(vma, addr, len))
17686 + break;
17687 + if (addr + mm->cached_hole_size < vma->vm_start)
17688 + mm->cached_hole_size = vma->vm_start - addr;
17689 + addr = vma->vm_end;
17690 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17691 + start_addr = addr = mm->mmap_base;
17692 + mm->cached_hole_size = 0;
17693 + goto full_search;
17694 + }
17695 + }
17696 +
17697 + /*
17698 + * Remember the place where we stopped the search:
17699 + */
17700 + mm->free_area_cache = addr + len;
17701 + return addr;
17702 +}
17703 +
17704 +unsigned long
17705 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17706 + const unsigned long len, const unsigned long pgoff,
17707 + const unsigned long flags)
17708 +{
17709 + struct vm_area_struct *vma;
17710 + struct mm_struct *mm = current->mm;
17711 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17712 +
17713 +#ifdef CONFIG_PAX_SEGMEXEC
17714 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17715 + pax_task_size = SEGMEXEC_TASK_SIZE;
17716 +#endif
17717 +
17718 + pax_task_size -= PAGE_SIZE;
17719 +
17720 + /* requested length too big for entire address space */
17721 + if (len > pax_task_size)
17722 + return -ENOMEM;
17723 +
17724 + if (flags & MAP_FIXED)
17725 + return addr;
17726 +
17727 +#ifdef CONFIG_PAX_PAGEEXEC
17728 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17729 + goto bottomup;
17730 +#endif
17731 +
17732 +#ifdef CONFIG_PAX_RANDMMAP
17733 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17734 +#endif
17735 +
17736 + /* requesting a specific address */
17737 + if (addr) {
17738 + addr = PAGE_ALIGN(addr);
17739 + if (pax_task_size - len >= addr) {
17740 + vma = find_vma(mm, addr);
17741 + if (check_heap_stack_gap(vma, addr, len))
17742 + return addr;
17743 + }
17744 + }
17745 +
17746 + /* check if free_area_cache is useful for us */
17747 + if (len <= mm->cached_hole_size) {
17748 + mm->cached_hole_size = 0;
17749 + mm->free_area_cache = mm->mmap_base;
17750 + }
17751 +
17752 + /* either no address requested or can't fit in requested address hole */
17753 + addr = mm->free_area_cache;
17754 +
17755 + /* make sure it can fit in the remaining address space */
17756 + if (addr > len) {
17757 + vma = find_vma(mm, addr-len);
17758 + if (check_heap_stack_gap(vma, addr - len, len))
17759 + /* remember the address as a hint for next time */
17760 + return (mm->free_area_cache = addr-len);
17761 + }
17762 +
17763 + if (mm->mmap_base < len)
17764 + goto bottomup;
17765 +
17766 + addr = mm->mmap_base-len;
17767 +
17768 + do {
17769 + /*
17770 + * Lookup failure means no vma is above this address,
17771 + * else if new region fits below vma->vm_start,
17772 + * return with success:
17773 + */
17774 + vma = find_vma(mm, addr);
17775 + if (check_heap_stack_gap(vma, addr, len))
17776 + /* remember the address as a hint for next time */
17777 + return (mm->free_area_cache = addr);
17778 +
17779 + /* remember the largest hole we saw so far */
17780 + if (addr + mm->cached_hole_size < vma->vm_start)
17781 + mm->cached_hole_size = vma->vm_start - addr;
17782 +
17783 + /* try just below the current vma->vm_start */
17784 + addr = skip_heap_stack_gap(vma, len);
17785 + } while (!IS_ERR_VALUE(addr));
17786 +
17787 +bottomup:
17788 + /*
17789 + * A failed mmap() very likely causes application failure,
17790 + * so fall back to the bottom-up function here. This scenario
17791 + * can happen with large stack limits and large mmap()
17792 + * allocations.
17793 + */
17794 +
17795 +#ifdef CONFIG_PAX_SEGMEXEC
17796 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17797 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17798 + else
17799 +#endif
17800 +
17801 + mm->mmap_base = TASK_UNMAPPED_BASE;
17802 +
17803 +#ifdef CONFIG_PAX_RANDMMAP
17804 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17805 + mm->mmap_base += mm->delta_mmap;
17806 +#endif
17807 +
17808 + mm->free_area_cache = mm->mmap_base;
17809 + mm->cached_hole_size = ~0UL;
17810 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17811 + /*
17812 + * Restore the topdown base:
17813 + */
17814 + mm->mmap_base = base;
17815 + mm->free_area_cache = base;
17816 + mm->cached_hole_size = ~0UL;
17817 +
17818 + return addr;
17819 }
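Review bot: In arch_get_unmapped_area and arch_get_unmapped_area_topdown, the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines form a brace-less `if` whose body is the `if (addr) { ... }` block that follows after a blank line, and in the top-down function after a comment as well. A statement inserted between the `#endif` and `if (addr)` would silently change what the flag guards, so that a caller-supplied hint could be honoured under RANDMMAP. Bracing the guarded block, or at least adding `/* the RANDMMAP test guards the if (addr) block below */`, makes the dependency explicit. The same construct is added in the two sys_x86_64.c hunks that touch the hint path.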
17820 diff -urNp linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c
17821 --- linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-19 00:06:34.000000000 -0400
17822 +++ linux-2.6.39.3/arch/x86/kernel/sys_x86_64.c 2011-05-22 19:36:30.000000000 -0400
17823 @@ -32,8 +32,8 @@ out:
17824 return error;
17825 }
17826
17827 -static void find_start_end(unsigned long flags, unsigned long *begin,
17828 - unsigned long *end)
17829 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17830 + unsigned long *begin, unsigned long *end)
17831 {
17832 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17833 unsigned long new_begin;
17834 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17835 *begin = new_begin;
17836 }
17837 } else {
17838 - *begin = TASK_UNMAPPED_BASE;
17839 + *begin = mm->mmap_base;
17840 *end = TASK_SIZE;
17841 }
17842 }
17843 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17844 if (flags & MAP_FIXED)
17845 return addr;
17846
17847 - find_start_end(flags, &begin, &end);
17848 + find_start_end(mm, flags, &begin, &end);
17849
17850 if (len > end)
17851 return -ENOMEM;
17852
17853 +#ifdef CONFIG_PAX_RANDMMAP
17854 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17855 +#endif
17856 +
17857 if (addr) {
17858 addr = PAGE_ALIGN(addr);
17859 vma = find_vma(mm, addr);
17860 - if (end - len >= addr &&
17861 - (!vma || addr + len <= vma->vm_start))
17862 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17863 return addr;
17864 }
17865 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17866 @@ -106,7 +109,7 @@ full_search:
17867 }
17868 return -ENOMEM;
17869 }
17870 - if (!vma || addr + len <= vma->vm_start) {
17871 + if (check_heap_stack_gap(vma, addr, len)) {
17872 /*
17873 * Remember the place where we stopped the search:
17874 */
17875 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17876 {
17877 struct vm_area_struct *vma;
17878 struct mm_struct *mm = current->mm;
17879 - unsigned long addr = addr0;
17880 + unsigned long base = mm->mmap_base, addr = addr0;
17881
17882 /* requested length too big for entire address space */
17883 if (len > TASK_SIZE)
17884 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17885 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17886 goto bottomup;
17887
17888 +#ifdef CONFIG_PAX_RANDMMAP
17889 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17890 +#endif
17891 +
17892 /* requesting a specific address */
17893 if (addr) {
17894 addr = PAGE_ALIGN(addr);
17895 - vma = find_vma(mm, addr);
17896 - if (TASK_SIZE - len >= addr &&
17897 - (!vma || addr + len <= vma->vm_start))
17898 - return addr;
17899 + if (TASK_SIZE - len >= addr) {
17900 + vma = find_vma(mm, addr);
17901 + if (check_heap_stack_gap(vma, addr, len))
17902 + return addr;
17903 + }
17904 }
17905
17906 /* check if free_area_cache is useful for us */
17907 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17908 /* make sure it can fit in the remaining address space */
17909 if (addr > len) {
17910 vma = find_vma(mm, addr-len);
17911 - if (!vma || addr <= vma->vm_start)
17912 + if (check_heap_stack_gap(vma, addr - len, len))
17913 /* remember the address as a hint for next time */
17914 return mm->free_area_cache = addr-len;
17915 }
17916 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17917 * return with success:
17918 */
17919 vma = find_vma(mm, addr);
17920 - if (!vma || addr+len <= vma->vm_start)
17921 + if (check_heap_stack_gap(vma, addr, len))
17922 /* remember the address as a hint for next time */
17923 return mm->free_area_cache = addr;
17924
17925 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17926 mm->cached_hole_size = vma->vm_start - addr;
17927
17928 /* try just below the current vma->vm_start */
17929 - addr = vma->vm_start-len;
17930 - } while (len < vma->vm_start);
17931 + addr = skip_heap_stack_gap(vma, len);
17932 + } while (!IS_ERR_VALUE(addr));
17933
17934 bottomup:
17935 /*
17936 @@ -198,13 +206,21 @@ bottomup:
17937 * can happen with large stack limits and large mmap()
17938 * allocations.
17939 */
17940 + mm->mmap_base = TASK_UNMAPPED_BASE;
17941 +
17942 +#ifdef CONFIG_PAX_RANDMMAP
17943 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17944 + mm->mmap_base += mm->delta_mmap;
17945 +#endif
17946 +
17947 + mm->free_area_cache = mm->mmap_base;
17948 mm->cached_hole_size = ~0UL;
17949 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17950 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17951 /*
17952 * Restore the topdown base:
17953 */
17954 - mm->free_area_cache = mm->mmap_base;
17955 + mm->mmap_base = base;
17956 + mm->free_area_cache = base;
17957 mm->cached_hole_size = ~0UL;
17958
17959 return addr;
17960 diff -urNp linux-2.6.39.3/arch/x86/kernel/tboot.c linux-2.6.39.3/arch/x86/kernel/tboot.c
17961 --- linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-19 00:06:34.000000000 -0400
17962 +++ linux-2.6.39.3/arch/x86/kernel/tboot.c 2011-05-22 19:36:30.000000000 -0400
17963 @@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
17964
17965 void tboot_shutdown(u32 shutdown_type)
17966 {
17967 - void (*shutdown)(void);
17968 + void (* __noreturn shutdown)(void);
17969
17970 if (!tboot_enabled())
17971 return;
17972 @@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
17973
17974 switch_to_tboot_pt();
17975
17976 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17977 + shutdown = (void *)tboot->shutdown_entry;
17978 shutdown();
17979
17980 /* should not reach here */
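Review bot: `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast the old line had. That cast suggests `shutdown_entry` is an integer field that is not necessarily pointer-sized; its declaration is not in this hunk. If so, a 64-bit build converts a narrower integer straight to a pointer and draws an int-to-pointer-cast warning. Keeping the widening step, `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`, preserves the old conversion while still assigning to the `__noreturn` pointer. tboot_shutdown starts in the previous hunk and continues past this one.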
17981 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17982 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17983 }
17984
17985 -static atomic_t ap_wfs_count;
17986 +static atomic_unchecked_t ap_wfs_count;
17987
17988 static int tboot_wait_for_aps(int num_aps)
17989 {
17990 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
17991 {
17992 switch (action) {
17993 case CPU_DYING:
17994 - atomic_inc(&ap_wfs_count);
17995 + atomic_inc_unchecked(&ap_wfs_count);
17996 if (num_online_cpus() == 1)
17997 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17998 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17999 return NOTIFY_BAD;
18000 break;
18001 }
18002 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
18003
18004 tboot_create_trampoline();
18005
18006 - atomic_set(&ap_wfs_count, 0);
18007 + atomic_set_unchecked(&ap_wfs_count, 0);
18008 register_hotcpu_notifier(&tboot_cpu_notifier);
18009 return 0;
18010 }
18011 diff -urNp linux-2.6.39.3/arch/x86/kernel/time.c linux-2.6.39.3/arch/x86/kernel/time.c
18012 --- linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
18013 +++ linux-2.6.39.3/arch/x86/kernel/time.c 2011-05-22 19:36:30.000000000 -0400
18014 @@ -22,17 +22,13 @@
18015 #include <asm/hpet.h>
18016 #include <asm/time.h>
18017
18018 -#ifdef CONFIG_X86_64
18019 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
18020 -#endif
18021 -
18022 unsigned long profile_pc(struct pt_regs *regs)
18023 {
18024 unsigned long pc = instruction_pointer(regs);
18025
18026 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18027 + if (!user_mode(regs) && in_lock_functions(pc)) {
18028 #ifdef CONFIG_FRAME_POINTER
18029 - return *(unsigned long *)(regs->bp + sizeof(long));
18030 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18031 #else
18032 unsigned long *sp =
18033 (unsigned long *)kernel_stack_pointer(regs);
18034 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
18035 * or above a saved flags. Eflags has bits 22-31 zero,
18036 * kernel addresses don't.
18037 */
18038 +
18039 +#ifdef CONFIG_PAX_KERNEXEC
18040 + return ktla_ktva(sp[0]);
18041 +#else
18042 if (sp[0] >> 22)
18043 return sp[0];
18044 if (sp[1] >> 22)
18045 return sp[1];
18046 #endif
18047 +
18048 +#endif
18049 }
18050 return pc;
18051 }
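Review bot: With `CONFIG_PAX_KERNEXEC` set, the non-frame-pointer path returns `ktla_ktva(sp[0])` unconditionally, so the `sp[0] >> 22` / `sp[1] >> 22` test described by the comment just above no longer runs and `sp[1]` is never considered. If the top of the stack holds saved flags rather than a return address, the profiler is handed a translated flags value as a PC. The `#ifdef` is not restricted to 32-bit either, so a 64-bit KERNEXEC build would lose the check as well. If the heuristic really cannot work here, say so in a comment, e.g. `/* KERNEXEC: kernel text addresses may have bits 22-31 clear, so the flags test is unusable */` (an assumption on my part; the hunk gives no reason). Otherwise keep the test and translate only the value that passes it.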
18052 diff -urNp linux-2.6.39.3/arch/x86/kernel/tls.c linux-2.6.39.3/arch/x86/kernel/tls.c
18053 --- linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-19 00:06:34.000000000 -0400
18054 +++ linux-2.6.39.3/arch/x86/kernel/tls.c 2011-05-22 19:36:30.000000000 -0400
18055 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18056 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18057 return -EINVAL;
18058
18059 +#ifdef CONFIG_PAX_SEGMEXEC
18060 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18061 + return -EINVAL;
18062 +#endif
18063 +
18064 set_tls_desc(p, idx, &info, 1);
18065
18066 return 0;
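Review bot: The added SEGMEXEC check dereferences `p->mm` without a NULL test, whereas the PAGEEXEC block this patch adds to do_general_protection in traps.c tests `tsk->mm &&` before reading `pax_flags`. If do_set_thread_area can be reached for a task that has no mm (its callers are outside the hunk), this is a NULL dereference in kernel context. Writing it as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` makes the two sites consistent. A one-line comment saying that code-type TLS descriptors are refused for SEGMEXEC tasks, and why, would also help.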
18067 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_32.S linux-2.6.39.3/arch/x86/kernel/trampoline_32.S
18068 --- linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-19 00:06:34.000000000 -0400
18069 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_32.S 2011-05-22 19:36:30.000000000 -0400
18070 @@ -32,6 +32,12 @@
18071 #include <asm/segment.h>
18072 #include <asm/page_types.h>
18073
18074 +#ifdef CONFIG_PAX_KERNEXEC
18075 +#define ta(X) (X)
18076 +#else
18077 +#define ta(X) ((X) - __PAGE_OFFSET)
18078 +#endif
18079 +
18080 #ifdef CONFIG_SMP
18081
18082 .section ".x86_trampoline","a"
18083 @@ -62,7 +68,7 @@ r_base = .
18084 inc %ax # protected mode (PE) bit
18085 lmsw %ax # into protected mode
18086 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18087 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18088 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
18089
18090 # These need to be in the same 64K segment as the above;
18091 # hence we don't use the boot_gdt_descr defined in head.S
18092 diff -urNp linux-2.6.39.3/arch/x86/kernel/trampoline_64.S linux-2.6.39.3/arch/x86/kernel/trampoline_64.S
18093 --- linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-19 00:06:34.000000000 -0400
18094 +++ linux-2.6.39.3/arch/x86/kernel/trampoline_64.S 2011-05-22 19:36:30.000000000 -0400
18095 @@ -90,7 +90,7 @@ startup_32:
18096 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18097 movl %eax, %ds
18098
18099 - movl $X86_CR4_PAE, %eax
18100 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18101 movl %eax, %cr4 # Enable PAE mode
18102
18103 # Setup trampoline 4 level pagetables
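Review bot: The trailing comment `# Enable PAE mode` on the `movl %eax, %cr4` line is stale now that the value loaded is `X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE`; something like `# Enable PSE, PAE and global pages` would match the new code. The hunk also gives no reason why PSE and PGE must already be on at this point in secondary-CPU startup, so a short why-comment next to the constant would be useful.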
18104 @@ -138,7 +138,7 @@ tidt:
18105 # so the kernel can live anywhere
18106 .balign 4
18107 tgdt:
18108 - .short tgdt_end - tgdt # gdt limit
18109 + .short tgdt_end - tgdt - 1 # gdt limit
18110 .long tgdt - r_base
18111 .short 0
18112 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18113 diff -urNp linux-2.6.39.3/arch/x86/kernel/traps.c linux-2.6.39.3/arch/x86/kernel/traps.c
18114 --- linux-2.6.39.3/arch/x86/kernel/traps.c 2011-05-19 00:06:34.000000000 -0400
18115 +++ linux-2.6.39.3/arch/x86/kernel/traps.c 2011-07-06 20:00:13.000000000 -0400
18116 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
18117
18118 /* Do we ignore FPU interrupts ? */
18119 char ignore_fpu_irq;
18120 -
18121 -/*
18122 - * The IDT has to be page-aligned to simplify the Pentium
18123 - * F0 0F bug workaround.
18124 - */
18125 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18126 #endif
18127
18128 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18129 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
18130 }
18131
18132 static void __kprobes
18133 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18134 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18135 long error_code, siginfo_t *info)
18136 {
18137 struct task_struct *tsk = current;
18138
18139 #ifdef CONFIG_X86_32
18140 - if (regs->flags & X86_VM_MASK) {
18141 + if (v8086_mode(regs)) {
18142 /*
18143 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18144 * On nmi (interrupt 2), do_trap should not be called.
18145 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
18146 }
18147 #endif
18148
18149 - if (!user_mode(regs))
18150 + if (!user_mode_novm(regs))
18151 goto kernel_trap;
18152
18153 #ifdef CONFIG_X86_32
18154 @@ -157,7 +151,7 @@ trap_signal:
18155 printk_ratelimit()) {
18156 printk(KERN_INFO
18157 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18158 - tsk->comm, tsk->pid, str,
18159 + tsk->comm, task_pid_nr(tsk), str,
18160 regs->ip, regs->sp, error_code);
18161 print_vma_addr(" in ", regs->ip);
18162 printk("\n");
18163 @@ -174,8 +168,20 @@ kernel_trap:
18164 if (!fixup_exception(regs)) {
18165 tsk->thread.error_code = error_code;
18166 tsk->thread.trap_no = trapnr;
18167 +
18168 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18169 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18170 + str = "PAX: suspicious stack segment fault";
18171 +#endif
18172 +
18173 die(str, regs, error_code);
18174 }
18175 +
18176 +#ifdef CONFIG_PAX_REFCOUNT
18177 + if (trapnr == 4)
18178 + pax_report_refcount_overflow(regs);
18179 +#endif
18180 +
18181 return;
18182
18183 #ifdef CONFIG_X86_32
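Review bot: The bare trap numbers in `trapnr == 12` and `trapnr == 4` are unexplained, so a reader has to know the x86 vector table to follow the two new branches. A short comment on each would do, e.g. `/* #SS */` and `/* #OF, raised by the refcount overflow check */` (the second is inferred from the `pax_report_refcount_overflow` name). The test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is repeated in the gp_in_kernel and do_nmi hunks of this file and would read better as one small static inline helper. do_trap begins outside this hunk.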
18184 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
18185 conditional_sti(regs);
18186
18187 #ifdef CONFIG_X86_32
18188 - if (regs->flags & X86_VM_MASK)
18189 + if (v8086_mode(regs))
18190 goto gp_in_vm86;
18191 #endif
18192
18193 tsk = current;
18194 - if (!user_mode(regs))
18195 + if (!user_mode_novm(regs))
18196 goto gp_in_kernel;
18197
18198 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18199 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18200 + struct mm_struct *mm = tsk->mm;
18201 + unsigned long limit;
18202 +
18203 + down_write(&mm->mmap_sem);
18204 + limit = mm->context.user_cs_limit;
18205 + if (limit < TASK_SIZE) {
18206 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18207 + up_write(&mm->mmap_sem);
18208 + return;
18209 + }
18210 + up_write(&mm->mmap_sem);
18211 + }
18212 +#endif
18213 +
18214 tsk->thread.error_code = error_code;
18215 tsk->thread.trap_no = 13;
18216
18217 @@ -304,6 +326,13 @@ gp_in_kernel:
18218 if (notify_die(DIE_GPF, "general protection fault", regs,
18219 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18220 return;
18221 +
18222 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18223 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18224 + die("PAX: suspicious general protection fault", regs, error_code);
18225 + else
18226 +#endif
18227 +
18228 die("general protection fault", regs, error_code);
18229 }
18230
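Review bot: The `else` left dangling before `#endif` binds to the `die("general protection fault", ...)` call two lines below, across a blank line and with no extra indentation. That is easy to break if someone later inserts a statement in between. The do_trap hunk earlier in this file handles the same situation by assigning the message first (`str = "PAX: suspicious stack segment fault";`) and calling `die()` once; the same shape here, with a local `const char *` for the message, leaves a single unconditional `die()` call. At a minimum, drop the blank line after `#endif` and indent the fallback call under the `else`.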
18231 @@ -433,6 +462,17 @@ static notrace __kprobes void default_do
18232 dotraplinkage notrace __kprobes void
18233 do_nmi(struct pt_regs *regs, long error_code)
18234 {
18235 +
18236 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18237 + if (!user_mode(regs)) {
18238 + unsigned long cs = regs->cs & 0xFFFF;
18239 + unsigned long ip = ktva_ktla(regs->ip);
18240 +
18241 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18242 + regs->ip = ip;
18243 + }
18244 +#endif
18245 +
18246 nmi_enter();
18247
18248 inc_irq_stat(__nmi_count);
18249 @@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
18250 /* It's safe to allow irq's after DR6 has been saved */
18251 preempt_conditional_sti(regs);
18252
18253 - if (regs->flags & X86_VM_MASK) {
18254 + if (v8086_mode(regs)) {
18255 handle_vm86_trap((struct kernel_vm86_regs *) regs,
18256 error_code, 1);
18257 preempt_conditional_cli(regs);
18258 @@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
18259 * We already checked v86 mode above, so we can check for kernel mode
18260 * by just checking the CPL of CS.
18261 */
18262 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
18263 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
18264 tsk->thread.debugreg6 &= ~DR_STEP;
18265 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
18266 regs->flags &= ~X86_EFLAGS_TF;
18267 @@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
18268 return;
18269 conditional_sti(regs);
18270
18271 - if (!user_mode_vm(regs))
18272 + if (!user_mode(regs))
18273 {
18274 if (!fixup_exception(regs)) {
18275 task->thread.error_code = error_code;
18276 @@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
18277 void __math_state_restore(void)
18278 {
18279 struct thread_info *thread = current_thread_info();
18280 - struct task_struct *tsk = thread->task;
18281 + struct task_struct *tsk = current;
18282
18283 /*
18284 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18285 @@ -750,8 +790,7 @@ void __math_state_restore(void)
18286 */
18287 asmlinkage void math_state_restore(void)
18288 {
18289 - struct thread_info *thread = current_thread_info();
18290 - struct task_struct *tsk = thread->task;
18291 + struct task_struct *tsk = current;
18292
18293 if (!tsk_used_math(tsk)) {
18294 local_irq_enable();
18295 diff -urNp linux-2.6.39.3/arch/x86/kernel/verify_cpu.S linux-2.6.39.3/arch/x86/kernel/verify_cpu.S
18296 --- linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-05-19 00:06:34.000000000 -0400
18297 +++ linux-2.6.39.3/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:04.000000000 -0400
18298 @@ -20,6 +20,7 @@
18299 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
18300 * arch/x86/kernel/trampoline_64.S: secondary processor verification
18301 * arch/x86/kernel/head_32.S: processor startup
18302 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
18303 *
18304 * verify_cpu, returns the status of longmode and SSE in register %eax.
18305 * 0: Success 1: Failure
18306 diff -urNp linux-2.6.39.3/arch/x86/kernel/vm86_32.c linux-2.6.39.3/arch/x86/kernel/vm86_32.c
18307 --- linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-19 00:06:34.000000000 -0400
18308 +++ linux-2.6.39.3/arch/x86/kernel/vm86_32.c 2011-05-22 19:41:32.000000000 -0400
18309 @@ -41,6 +41,7 @@
18310 #include <linux/ptrace.h>
18311 #include <linux/audit.h>
18312 #include <linux/stddef.h>
18313 +#include <linux/grsecurity.h>
18314
18315 #include <asm/uaccess.h>
18316 #include <asm/io.h>
18317 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18318 do_exit(SIGSEGV);
18319 }
18320
18321 - tss = &per_cpu(init_tss, get_cpu());
18322 + tss = init_tss + get_cpu();
18323 current->thread.sp0 = current->thread.saved_sp0;
18324 current->thread.sysenter_cs = __KERNEL_CS;
18325 load_sp0(tss, &current->thread);
18326 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
18327 struct task_struct *tsk;
18328 int tmp, ret = -EPERM;
18329
18330 +#ifdef CONFIG_GRKERNSEC_VM86
18331 + if (!capable(CAP_SYS_RAWIO)) {
18332 + gr_handle_vm86();
18333 + goto out;
18334 + }
18335 +#endif
18336 +
18337 tsk = current;
18338 if (tsk->thread.saved_sp0)
18339 goto out;
18340 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
18341 int tmp, ret;
18342 struct vm86plus_struct __user *v86;
18343
18344 +#ifdef CONFIG_GRKERNSEC_VM86
18345 + if (!capable(CAP_SYS_RAWIO)) {
18346 + gr_handle_vm86();
18347 + ret = -EPERM;
18348 + goto out;
18349 + }
18350 +#endif
18351 +
18352 tsk = current;
18353 switch (cmd) {
18354 case VM86_REQUEST_IRQ:
18355 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18356 tsk->thread.saved_fs = info->regs32->fs;
18357 tsk->thread.saved_gs = get_user_gs(info->regs32);
18358
18359 - tss = &per_cpu(init_tss, get_cpu());
18360 + tss = init_tss + get_cpu();
18361 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18362 if (cpu_has_sep)
18363 tsk->thread.sysenter_cs = 0;
18364 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18365 goto cannot_handle;
18366 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18367 goto cannot_handle;
18368 - intr_ptr = (unsigned long __user *) (i << 2);
18369 + intr_ptr = (__force unsigned long __user *) (i << 2);
18370 if (get_user(segoffs, intr_ptr))
18371 goto cannot_handle;
18372 if ((segoffs >> 16) == BIOSSEG)
18373 diff -urNp linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S
18374 --- linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-19 00:06:34.000000000 -0400
18375 +++ linux-2.6.39.3/arch/x86/kernel/vmlinux.lds.S 2011-05-22 19:36:30.000000000 -0400
18376 @@ -26,6 +26,13 @@
18377 #include <asm/page_types.h>
18378 #include <asm/cache.h>
18379 #include <asm/boot.h>
18380 +#include <asm/segment.h>
18381 +
18382 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18383 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18384 +#else
18385 +#define __KERNEL_TEXT_OFFSET 0
18386 +#endif
18387
18388 #undef i386 /* in case the preprocessor is a 32bit one */
18389
18390 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18391 #ifdef CONFIG_X86_32
18392 OUTPUT_ARCH(i386)
18393 ENTRY(phys_startup_32)
18394 -jiffies = jiffies_64;
18395 #else
18396 OUTPUT_ARCH(i386:x86-64)
18397 ENTRY(phys_startup_64)
18398 -jiffies_64 = jiffies;
18399 #endif
18400
18401 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18402 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
18403
18404 PHDRS {
18405 text PT_LOAD FLAGS(5); /* R_E */
18406 +#ifdef CONFIG_X86_32
18407 + module PT_LOAD FLAGS(5); /* R_E */
18408 +#endif
18409 +#ifdef CONFIG_XEN
18410 + rodata PT_LOAD FLAGS(5); /* R_E */
18411 +#else
18412 + rodata PT_LOAD FLAGS(4); /* R__ */
18413 +#endif
18414 data PT_LOAD FLAGS(6); /* RW_ */
18415 #ifdef CONFIG_X86_64
18416 user PT_LOAD FLAGS(5); /* R_E */
18417 +#endif
18418 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18419 #ifdef CONFIG_SMP
18420 percpu PT_LOAD FLAGS(6); /* RW_ */
18421 #endif
18422 + text.init PT_LOAD FLAGS(5); /* R_E */
18423 + text.exit PT_LOAD FLAGS(5); /* R_E */
18424 init PT_LOAD FLAGS(7); /* RWE */
18425 -#endif
18426 note PT_NOTE FLAGS(0); /* ___ */
18427 }
18428
18429 SECTIONS
18430 {
18431 #ifdef CONFIG_X86_32
18432 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18433 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18434 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18435 #else
18436 - . = __START_KERNEL;
18437 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18438 + . = __START_KERNEL;
18439 #endif
18440
18441 /* Text and read-only data */
18442 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18443 - _text = .;
18444 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18445 /* bootstrapping code */
18446 +#ifdef CONFIG_X86_32
18447 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18448 +#else
18449 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18450 +#endif
18451 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18452 + _text = .;
18453 HEAD_TEXT
18454 #ifdef CONFIG_X86_32
18455 . = ALIGN(PAGE_SIZE);
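Review bot: The new `rodata` program header is `FLAGS(5)` (read and execute) under `CONFIG_XEN` and `FLAGS(4)` otherwise, with no comment saying why read-only data has to stay executable for Xen. Since the purpose of the extra headers is to separate executable text from data, the exception deserves a line such as `/* Xen: <reason> */`, filled in by whoever knows the constraint. The existing `init PT_LOAD FLAGS(7); /* RWE */` header is also kept even though `text.init` and `text.exit` are now separate R_E segments. If `init` now carries only data, `FLAGS(6)` would match the rest of the layout, though that is an inference because the contents of `INIT_DATA_SECTION` are not visible here.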
18456 @@ -109,13 +129,47 @@ SECTIONS
18457 IRQENTRY_TEXT
18458 *(.fixup)
18459 *(.gnu.warning)
18460 - /* End of text section */
18461 - _etext = .;
18462 } :text = 0x9090
18463
18464 - NOTES :text :note
18465 + . += __KERNEL_TEXT_OFFSET;
18466 +
18467 +#ifdef CONFIG_X86_32
18468 + . = ALIGN(PAGE_SIZE);
18469 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18470 +
18471 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18472 + MODULES_EXEC_VADDR = .;
18473 + BYTE(0)
18474 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18475 + . = ALIGN(HPAGE_SIZE);
18476 + MODULES_EXEC_END = . - 1;
18477 +#endif
18478 +
18479 + } :module
18480 +#endif
18481 +
18482 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18483 + /* End of text section */
18484 + _etext = . - __KERNEL_TEXT_OFFSET;
18485 + }
18486
18487 - EXCEPTION_TABLE(16) :text = 0x9090
18488 +#ifdef CONFIG_X86_32
18489 + . = ALIGN(PAGE_SIZE);
18490 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18491 + *(.idt)
18492 + . = ALIGN(PAGE_SIZE);
18493 + *(.empty_zero_page)
18494 + *(.initial_pg_fixmap)
18495 + *(.initial_pg_pmd)
18496 + *(.initial_page_table)
18497 + *(.swapper_pg_dir)
18498 + } :rodata
18499 +#endif
18500 +
18501 + . = ALIGN(PAGE_SIZE);
18502 + NOTES :rodata :note
18503 +
18504 + EXCEPTION_TABLE(16) :rodata
18505
18506 #if defined(CONFIG_DEBUG_RODATA)
18507 /* .text should occupy whole number of pages */
18508 @@ -127,16 +181,20 @@ SECTIONS
18509
18510 /* Data */
18511 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18512 +
18513 +#ifdef CONFIG_PAX_KERNEXEC
18514 + . = ALIGN(HPAGE_SIZE);
18515 +#else
18516 + . = ALIGN(PAGE_SIZE);
18517 +#endif
18518 +
18519 /* Start of data section */
18520 _sdata = .;
18521
18522 /* init_task */
18523 INIT_TASK_DATA(THREAD_SIZE)
18524
18525 -#ifdef CONFIG_X86_32
18526 - /* 32 bit has nosave before _edata */
18527 NOSAVE_DATA
18528 -#endif
18529
18530 PAGE_ALIGNED_DATA(PAGE_SIZE)
18531
18532 @@ -145,6 +203,8 @@ SECTIONS
18533 DATA_DATA
18534 CONSTRUCTORS
18535
18536 + jiffies = jiffies_64;
18537 +
18538 /* rarely changed data like cpu maps */
18539 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
18540
18541 @@ -199,12 +259,6 @@ SECTIONS
18542 }
18543 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18544
18545 - . = ALIGN(L1_CACHE_BYTES);
18546 - .jiffies : AT(VLOAD(.jiffies)) {
18547 - *(.jiffies)
18548 - }
18549 - jiffies = VVIRT(.jiffies);
18550 -
18551 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18552 *(.vsyscall_3)
18553 }
18554 @@ -220,12 +274,19 @@ SECTIONS
18555 #endif /* CONFIG_X86_64 */
18556
18557 /* Init code and data - will be freed after init */
18558 - . = ALIGN(PAGE_SIZE);
18559 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18560 + BYTE(0)
18561 +
18562 +#ifdef CONFIG_PAX_KERNEXEC
18563 + . = ALIGN(HPAGE_SIZE);
18564 +#else
18565 + . = ALIGN(PAGE_SIZE);
18566 +#endif
18567 +
18568 __init_begin = .; /* paired with __init_end */
18569 - }
18570 + } :init.begin
18571
18572 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18573 +#ifdef CONFIG_SMP
18574 /*
18575 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18576 * output PHDR, so the next output section - .init.text - should
18577 @@ -234,12 +295,27 @@ SECTIONS
18578 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
18579 #endif
18580
18581 - INIT_TEXT_SECTION(PAGE_SIZE)
18582 -#ifdef CONFIG_X86_64
18583 - :init
18584 -#endif
18585 + . = ALIGN(PAGE_SIZE);
18586 + init_begin = .;
18587 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18588 + VMLINUX_SYMBOL(_sinittext) = .;
18589 + INIT_TEXT
18590 + VMLINUX_SYMBOL(_einittext) = .;
18591 + . = ALIGN(PAGE_SIZE);
18592 + } :text.init
18593
18594 - INIT_DATA_SECTION(16)
18595 + /*
18596 + * .exit.text is discard at runtime, not link time, to deal with
18597 + * references from .altinstructions and .eh_frame
18598 + */
18599 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18600 + EXIT_TEXT
18601 + . = ALIGN(16);
18602 + } :text.exit
18603 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18604 +
18605 + . = ALIGN(PAGE_SIZE);
18606 + INIT_DATA_SECTION(16) :init
18607
18608 /*
18609 * Code and data for a variety of lowlevel trampolines, to be
18610 @@ -306,19 +382,12 @@ SECTIONS
18611 }
18612
18613 . = ALIGN(8);
18614 - /*
18615 - * .exit.text is discard at runtime, not link time, to deal with
18616 - * references from .altinstructions and .eh_frame
18617 - */
18618 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18619 - EXIT_TEXT
18620 - }
18621
18622 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18623 EXIT_DATA
18624 }
18625
18626 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18627 +#ifndef CONFIG_SMP
18628 PERCPU(INTERNODE_CACHE_BYTES, PAGE_SIZE)
18629 #endif
18630
18631 @@ -337,16 +406,10 @@ SECTIONS
18632 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
18633 __smp_locks = .;
18634 *(.smp_locks)
18635 - . = ALIGN(PAGE_SIZE);
18636 __smp_locks_end = .;
18637 + . = ALIGN(PAGE_SIZE);
18638 }
18639
18640 -#ifdef CONFIG_X86_64
18641 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18642 - NOSAVE_DATA
18643 - }
18644 -#endif
18645 -
18646 /* BSS */
18647 . = ALIGN(PAGE_SIZE);
18648 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18649 @@ -362,6 +425,7 @@ SECTIONS
18650 __brk_base = .;
18651 . += 64 * 1024; /* 64k alignment slop space */
18652 *(.brk_reservation) /* areas brk users have reserved */
18653 + . = ALIGN(HPAGE_SIZE);
18654 __brk_limit = .;
18655 }
18656
18657 @@ -388,13 +452,12 @@ SECTIONS
18658 * for the boot processor.
18659 */
18660 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
18661 -INIT_PER_CPU(gdt_page);
18662 INIT_PER_CPU(irq_stack_union);
18663
18664 /*
18665 * Build-time check on the image size:
18666 */
18667 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18668 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18669 "kernel image bigger than KERNEL_IMAGE_SIZE");
18670
18671 #ifdef CONFIG_SMP
18672 diff -urNp linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c
18673 --- linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-19 00:06:34.000000000 -0400
18674 +++ linux-2.6.39.3/arch/x86/kernel/vsyscall_64.c 2011-05-22 19:36:30.000000000 -0400
18675 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18676
18677 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18678 /* copy vsyscall data */
18679 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18680 vsyscall_gtod_data.clock.vread = clock->vread;
18681 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18682 vsyscall_gtod_data.clock.mask = clock->mask;
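Review bot: `sizeof vsyscall_gtod_data.clock.name` bounds the copy only if `name` is declared as a character array in that structure, which this hunk does not show; if it were a pointer, the size would be that of a pointer and `strlcpy` would write through whatever the pointer holds. A comment noting that the name is copied by value rather than stored as `clock->name`, and why, would document that dependency. `strlcpy` also reads `clock->name` up to its terminator, so the call relies on every clocksource providing a non-NULL name.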
18683 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18684 We do this here because otherwise user space would do it on
18685 its own in a likely inferior way (no access to jiffies).
18686 If you don't like it pass NULL. */
18687 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18688 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18689 p = tcache->blob[1];
18690 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18691 /* Load per CPU data from RDTSCP */
18692 diff -urNp linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c
18693 --- linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-19 00:06:34.000000000 -0400
18694 +++ linux-2.6.39.3/arch/x86/kernel/x8664_ksyms_64.c 2011-05-22 19:36:30.000000000 -0400
18695 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
18696 EXPORT_SYMBOL(copy_user_generic_string);
18697 EXPORT_SYMBOL(copy_user_generic_unrolled);
18698 EXPORT_SYMBOL(__copy_user_nocache);
18699 -EXPORT_SYMBOL(_copy_from_user);
18700 -EXPORT_SYMBOL(_copy_to_user);
18701
18702 EXPORT_SYMBOL(copy_page);
18703 EXPORT_SYMBOL(clear_page);
18704 diff -urNp linux-2.6.39.3/arch/x86/kernel/xsave.c linux-2.6.39.3/arch/x86/kernel/xsave.c
18705 --- linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-19 00:06:34.000000000 -0400
18706 +++ linux-2.6.39.3/arch/x86/kernel/xsave.c 2011-05-22 19:36:30.000000000 -0400
18707 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
18708 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18709 return -EINVAL;
18710
18711 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18712 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18713 fx_sw_user->extended_size -
18714 FP_XSTATE_MAGIC2_SIZE));
18715 if (err)
18716 @@ -267,7 +267,7 @@ fx_only:
18717 * the other extended state.
18718 */
18719 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18720 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18721 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18722 }
18723
18724 /*
18725 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
18726 if (use_xsave())
18727 err = restore_user_xstate(buf);
18728 else
18729 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18730 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18731 buf);
18732 if (unlikely(err)) {
18733 /*
18734 diff -urNp linux-2.6.39.3/arch/x86/kvm/emulate.c linux-2.6.39.3/arch/x86/kvm/emulate.c
18735 --- linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-19 00:06:34.000000000 -0400
18736 +++ linux-2.6.39.3/arch/x86/kvm/emulate.c 2011-05-22 19:36:30.000000000 -0400
18737 @@ -89,7 +89,7 @@
18738 #define Src2ImmByte (2<<29)
18739 #define Src2One (3<<29)
18740 #define Src2Imm (4<<29)
18741 -#define Src2Mask (7<<29)
18742 +#define Src2Mask (7U<<29)
18743
18744 #define X2(x...) x, x
18745 #define X3(x...) X2(x), x
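Review bot: `Src2Imm (4<<29)` in the context line just above has the same problem the `7U` change fixes for `Src2Mask`: `4<<29` shifts a signed `int` into the sign bit, which is undefined behaviour in C. It should become `#define Src2Imm (4U<<29)`. For uniformity the other `Src2*` values defined with `<<29` could take the `U` suffix as well.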
18746 @@ -190,6 +190,7 @@ struct group_dual {
18747
18748 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
18749 do { \
18750 + unsigned long _tmp; \
18751 __asm__ __volatile__ ( \
18752 _PRE_EFLAGS("0", "4", "2") \
18753 _op _suffix " %"_x"3,%1; " \
18754 @@ -203,8 +204,6 @@ struct group_dual {
18755 /* Raw emulation: instruction has two explicit operands. */
18756 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18757 do { \
18758 - unsigned long _tmp; \
18759 - \
18760 switch ((_dst).bytes) { \
18761 case 2: \
18762 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
18763 @@ -220,7 +219,6 @@ struct group_dual {
18764
18765 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18766 do { \
18767 - unsigned long _tmp; \
18768 switch ((_dst).bytes) { \
18769 case 1: \
18770 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
18771 diff -urNp linux-2.6.39.3/arch/x86/kvm/lapic.c linux-2.6.39.3/arch/x86/kvm/lapic.c
18772 --- linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-19 00:06:34.000000000 -0400
18773 +++ linux-2.6.39.3/arch/x86/kvm/lapic.c 2011-05-22 19:36:30.000000000 -0400
18774 @@ -53,7 +53,7 @@
18775 #define APIC_BUS_CYCLE_NS 1
18776
18777 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18778 -#define apic_debug(fmt, arg...)
18779 +#define apic_debug(fmt, arg...) do {} while (0)
18780
18781 #define APIC_LVT_NUM 6
18782 /* 14 is the version for Xeon and Pentium 8.4.8*/
18783 diff -urNp linux-2.6.39.3/arch/x86/kvm/mmu.c linux-2.6.39.3/arch/x86/kvm/mmu.c
18784 --- linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-19 00:06:34.000000000 -0400
18785 +++ linux-2.6.39.3/arch/x86/kvm/mmu.c 2011-05-22 19:36:30.000000000 -0400
18786 @@ -3240,7 +3240,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18787
18788 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
18789
18790 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
18791 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
18792
18793 /*
18794 * Assume that the pte write on a page table of the same type
18795 @@ -3275,7 +3275,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
18796 smp_rmb();
18797
18798 spin_lock(&vcpu->kvm->mmu_lock);
18799 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18800 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
18801 gentry = 0;
18802 kvm_mmu_free_some_pages(vcpu);
18803 ++vcpu->kvm->stat.mmu_pte_write;
18804 diff -urNp linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h
18805 --- linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-19 00:06:34.000000000 -0400
18806 +++ linux-2.6.39.3/arch/x86/kvm/paging_tmpl.h 2011-05-22 19:36:30.000000000 -0400
18807 @@ -552,6 +552,8 @@ static int FNAME(page_fault)(struct kvm_
18808 unsigned long mmu_seq;
18809 bool map_writable;
18810
18811 + pax_track_stack();
18812 +
18813 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18814
18815 r = mmu_topup_memory_caches(vcpu);
18816 @@ -672,7 +674,7 @@ static void FNAME(invlpg)(struct kvm_vcp
18817 if (need_flush)
18818 kvm_flush_remote_tlbs(vcpu->kvm);
18819
18820 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
18821 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
18822
18823 spin_unlock(&vcpu->kvm->mmu_lock);
18824
18825 diff -urNp linux-2.6.39.3/arch/x86/kvm/svm.c linux-2.6.39.3/arch/x86/kvm/svm.c
18826 --- linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-19 00:06:34.000000000 -0400
18827 +++ linux-2.6.39.3/arch/x86/kvm/svm.c 2011-05-22 19:36:30.000000000 -0400
18828 @@ -3278,7 +3278,11 @@ static void reload_tss(struct kvm_vcpu *
18829 int cpu = raw_smp_processor_id();
18830
18831 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
18832 +
18833 + pax_open_kernel();
18834 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
18835 + pax_close_kernel();
18836 +
18837 load_TR_desc();
18838 }
18839
18840 @@ -3656,6 +3660,10 @@ static void svm_vcpu_run(struct kvm_vcpu
18841 #endif
18842 #endif
18843
18844 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18845 + __set_fs(current_thread_info()->addr_limit);
18846 +#endif
18847 +
18848 reload_tss(vcpu);
18849
18850 local_irq_disable();
18851 @@ -3871,7 +3879,7 @@ static void svm_fpu_deactivate(struct kv
18852 update_cr0_intercept(svm);
18853 }
18854
18855 -static struct kvm_x86_ops svm_x86_ops = {
18856 +static const struct kvm_x86_ops svm_x86_ops = {
18857 .cpu_has_kvm_support = has_svm,
18858 .disabled_by_bios = is_disabled,
18859 .hardware_setup = svm_hardware_setup,
18860 diff -urNp linux-2.6.39.3/arch/x86/kvm/vmx.c linux-2.6.39.3/arch/x86/kvm/vmx.c
18861 --- linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-19 00:06:34.000000000 -0400
18862 +++ linux-2.6.39.3/arch/x86/kvm/vmx.c 2011-05-22 19:36:30.000000000 -0400
18863 @@ -725,7 +725,11 @@ static void reload_tss(void)
18864 struct desc_struct *descs;
18865
18866 descs = (void *)gdt->address;
18867 +
18868 + pax_open_kernel();
18869 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18870 + pax_close_kernel();
18871 +
18872 load_TR_desc();
18873 }
18874
18875 @@ -1648,8 +1652,11 @@ static __init int hardware_setup(void)
18876 if (!cpu_has_vmx_flexpriority())
18877 flexpriority_enabled = 0;
18878
18879 - if (!cpu_has_vmx_tpr_shadow())
18880 - kvm_x86_ops->update_cr8_intercept = NULL;
18881 + if (!cpu_has_vmx_tpr_shadow()) {
18882 + pax_open_kernel();
18883 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18884 + pax_close_kernel();
18885 + }
18886
18887 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18888 kvm_disable_largepages();
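Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes into a structure that this patch declares `const` (`vmx_x86_ops` later in this file, and the `kvm_x86_ops` pointer in x86.c), and the cast hides that write from the compiler. Modifying an object defined `const` is undefined behaviour in C, so the code depends on the compiler not folding or caching the field. A comment here should state that the ops table is intentionally constant and that `pax_open_kernel()`/`pax_close_kernel()` bracket the one sanctioned write. Avoiding the write altogether, for example by testing `cpu_has_vmx_tpr_shadow()` where the hook is invoked, would remove the cast. hardware_setup extends beyond this hunk.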
18889 @@ -2693,7 +2700,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18890 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
18891
18892 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18893 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18894 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18895 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18896 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18897 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
18898 @@ -4068,6 +4075,12 @@ static void __noclone vmx_vcpu_run(struc
18899 "jmp .Lkvm_vmx_return \n\t"
18900 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18901 ".Lkvm_vmx_return: "
18902 +
18903 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18904 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18905 + ".Lkvm_vmx_return2: "
18906 +#endif
18907 +
18908 /* Save guest registers, load host registers, keep flags */
18909 "mov %0, %c[wordsize](%%"R"sp) \n\t"
18910 "pop %0 \n\t"
18911 @@ -4116,6 +4129,11 @@ static void __noclone vmx_vcpu_run(struc
18912 #endif
18913 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
18914 [wordsize]"i"(sizeof(ulong))
18915 +
18916 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18917 + ,[cs]"i"(__KERNEL_CS)
18918 +#endif
18919 +
18920 : "cc", "memory"
18921 , R"ax", R"bx", R"di", R"si"
18922 #ifdef CONFIG_X86_64
18923 @@ -4130,7 +4148,16 @@ static void __noclone vmx_vcpu_run(struc
18924
18925 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
18926
18927 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18928 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18929 +
18930 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18931 + loadsegment(fs, __KERNEL_PERCPU);
18932 +#endif
18933 +
18934 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18935 + __set_fs(current_thread_info()->addr_limit);
18936 +#endif
18937 +
18938 vmx->launched = 1;
18939
18940 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
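Review bot: The post-exit segment reload `asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));` and the two conditional blocks after it carry no comment. The line switches the selector from `__USER_DS` to `__KERNEL_DS` and now also reloads `%ss`, which is a behavioural change a reader cannot reconstruct from the code alone. A short comment would do, e.g. `/* after VM exit, restore the kernel data segments, the per-CPU %fs (KERNEXEC) and the UDEREF address limit */`; this wording is inferred from the config symbols used and should be confirmed by the author. vmx_vcpu_run starts and ends outside the hunk.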
18941 @@ -4368,7 +4395,7 @@ static void vmx_set_supported_cpuid(u32
18942 {
18943 }
18944
18945 -static struct kvm_x86_ops vmx_x86_ops = {
18946 +static const struct kvm_x86_ops vmx_x86_ops = {
18947 .cpu_has_kvm_support = cpu_has_kvm_support,
18948 .disabled_by_bios = vmx_disabled_by_bios,
18949 .hardware_setup = hardware_setup,
18950 diff -urNp linux-2.6.39.3/arch/x86/kvm/x86.c linux-2.6.39.3/arch/x86/kvm/x86.c
18951 --- linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-19 00:06:34.000000000 -0400
18952 +++ linux-2.6.39.3/arch/x86/kvm/x86.c 2011-05-22 19:36:30.000000000 -0400
18953 @@ -94,7 +94,7 @@ static void update_cr8_intercept(struct
18954 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18955 struct kvm_cpuid_entry2 __user *entries);
18956
18957 -struct kvm_x86_ops *kvm_x86_ops;
18958 +const struct kvm_x86_ops *kvm_x86_ops;
18959 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18960
18961 int ignore_msrs = 0;
18962 @@ -2050,6 +2050,8 @@ long kvm_arch_dev_ioctl(struct file *fil
18963 if (n < msr_list.nmsrs)
18964 goto out;
18965 r = -EFAULT;
18966 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
18967 + goto out;
18968 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
18969 num_msrs_to_save * sizeof(u32)))
18970 goto out;
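Review bot: The new bound check `if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))` fails with `-EFAULT` only because it sits after `r = -EFAULT;`, so an internal count/array mismatch is reported to user space exactly like a bad user pointer. The condition does not depend on user input, so it is better made visible in the kernel log, for example `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))`. A one-line comment should say that it bounds the `copy_to_user()` length that follows. The enclosing ioctl handler starts and ends outside the hunk.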
18971 @@ -2217,15 +2219,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18972 struct kvm_cpuid2 *cpuid,
18973 struct kvm_cpuid_entry2 __user *entries)
18974 {
18975 - int r;
18976 + int r, i;
18977
18978 r = -E2BIG;
18979 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18980 goto out;
18981 r = -EFAULT;
18982 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18983 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18984 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18985 goto out;
18986 + for (i = 0; i < cpuid->nent; ++i) {
18987 + struct kvm_cpuid_entry2 cpuid_entry;
18988 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18989 + goto out;
18990 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18991 + }
18992 vcpu->arch.cpuid_nent = cpuid->nent;
18993 kvm_apic_set_version(vcpu);
18994 kvm_x86_ops->cpuid_update(vcpu);
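Review bot: A fault part-way through the new per-entry loop in kvm_vcpu_ioctl_set_cpuid2 takes `goto out` after `vcpu->arch.cpuid_entries[0..i-1]` have already been overwritten, while `vcpu->arch.cpuid_nent` keeps its old value. The replaced `copy_from_user()` also wrote straight into the array, so this is not new, but the rewrite does not document or fix it. At minimum add a comment above the loop, e.g. `/* bounce each entry through the stack; on a fault the table may be partially updated */`. The counter would also read better as `unsigned int i`, because it is compared with `cpuid->nent`, which the preceding `KVM_MAX_CPUID_ENTRIES` check treats as a count. The get_cpuid2 hunk that follows uses the same uncommented bounce copy.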
18995 @@ -2240,15 +2247,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18996 struct kvm_cpuid2 *cpuid,
18997 struct kvm_cpuid_entry2 __user *entries)
18998 {
18999 - int r;
19000 + int r, i;
19001
19002 r = -E2BIG;
19003 if (cpuid->nent < vcpu->arch.cpuid_nent)
19004 goto out;
19005 r = -EFAULT;
19006 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
19007 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19008 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19009 goto out;
19010 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
19011 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
19012 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
19013 + goto out;
19014 + }
19015 return 0;
19016
19017 out:
19018 @@ -2526,7 +2537,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
19019 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
19020 struct kvm_interrupt *irq)
19021 {
19022 - if (irq->irq < 0 || irq->irq >= 256)
19023 + if (irq->irq >= 256)
19024 return -EINVAL;
19025 if (irqchip_in_kernel(vcpu->kvm))
19026 return -ENXIO;
19027 @@ -4672,7 +4683,7 @@ static unsigned long kvm_get_guest_ip(vo
19028 return ip;
19029 }
19030
19031 -static struct perf_guest_info_callbacks kvm_guest_cbs = {
19032 +static const struct perf_guest_info_callbacks kvm_guest_cbs = {
19033 .is_in_guest = kvm_is_in_guest,
19034 .is_user_mode = kvm_is_user_mode,
19035 .get_guest_ip = kvm_get_guest_ip,
19036 @@ -4690,10 +4701,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
19037 }
19038 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
19039
19040 -int kvm_arch_init(void *opaque)
19041 +int kvm_arch_init(const void *opaque)
19042 {
19043 int r;
19044 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
19045 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
19046
19047 if (kvm_x86_ops) {
19048 printk(KERN_ERR "kvm: already loaded the other module\n");
19049 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_32.c linux-2.6.39.3/arch/x86/lib/atomic64_32.c
19050 --- linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-19 00:06:34.000000000 -0400
19051 +++ linux-2.6.39.3/arch/x86/lib/atomic64_32.c 2011-05-22 19:36:30.000000000 -0400
19052 @@ -8,18 +8,30 @@
19053
19054 long long atomic64_read_cx8(long long, const atomic64_t *v);
19055 EXPORT_SYMBOL(atomic64_read_cx8);
19056 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19057 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
19058 long long atomic64_set_cx8(long long, const atomic64_t *v);
19059 EXPORT_SYMBOL(atomic64_set_cx8);
19060 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
19061 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
19062 long long atomic64_xchg_cx8(long long, unsigned high);
19063 EXPORT_SYMBOL(atomic64_xchg_cx8);
19064 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
19065 EXPORT_SYMBOL(atomic64_add_return_cx8);
19066 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19067 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
19068 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
19069 EXPORT_SYMBOL(atomic64_sub_return_cx8);
19070 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19071 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
19072 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
19073 EXPORT_SYMBOL(atomic64_inc_return_cx8);
19074 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19075 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
19076 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
19077 EXPORT_SYMBOL(atomic64_dec_return_cx8);
19078 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
19079 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
19080 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
19081 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
19082 int atomic64_inc_not_zero_cx8(atomic64_t *v);
19083 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
19084 #ifndef CONFIG_X86_CMPXCHG64
19085 long long atomic64_read_386(long long, const atomic64_t *v);
19086 EXPORT_SYMBOL(atomic64_read_386);
19087 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
19088 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
19089 long long atomic64_set_386(long long, const atomic64_t *v);
19090 EXPORT_SYMBOL(atomic64_set_386);
19091 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
19092 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
19093 long long atomic64_xchg_386(long long, unsigned high);
19094 EXPORT_SYMBOL(atomic64_xchg_386);
19095 long long atomic64_add_return_386(long long a, atomic64_t *v);
19096 EXPORT_SYMBOL(atomic64_add_return_386);
19097 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19098 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
19099 long long atomic64_sub_return_386(long long a, atomic64_t *v);
19100 EXPORT_SYMBOL(atomic64_sub_return_386);
19101 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19102 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
19103 long long atomic64_inc_return_386(long long a, atomic64_t *v);
19104 EXPORT_SYMBOL(atomic64_inc_return_386);
19105 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19106 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
19107 long long atomic64_dec_return_386(long long a, atomic64_t *v);
19108 EXPORT_SYMBOL(atomic64_dec_return_386);
19109 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
19110 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
19111 long long atomic64_add_386(long long a, atomic64_t *v);
19112 EXPORT_SYMBOL(atomic64_add_386);
19113 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
19114 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
19115 long long atomic64_sub_386(long long a, atomic64_t *v);
19116 EXPORT_SYMBOL(atomic64_sub_386);
19117 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
19118 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
19119 long long atomic64_inc_386(long long a, atomic64_t *v);
19120 EXPORT_SYMBOL(atomic64_inc_386);
19121 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
19122 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
19123 long long atomic64_dec_386(long long a, atomic64_t *v);
19124 EXPORT_SYMBOL(atomic64_dec_386);
19125 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
19126 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
19127 long long atomic64_dec_if_positive_386(atomic64_t *v);
19128 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
19129 int atomic64_inc_not_zero_386(atomic64_t *v);
19130 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S
19131 --- linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-19 00:06:34.000000000 -0400
19132 +++ linux-2.6.39.3/arch/x86/lib/atomic64_386_32.S 2011-05-22 19:36:30.000000000 -0400
19133 @@ -48,6 +48,10 @@ BEGIN(read)
19134 movl (v), %eax
19135 movl 4(v), %edx
19136 RET_ENDP
19137 +BEGIN(read_unchecked)
19138 + movl (v), %eax
19139 + movl 4(v), %edx
19140 +RET_ENDP
19141 #undef v
19142
19143 #define v %esi
19144 @@ -55,6 +59,10 @@ BEGIN(set)
19145 movl %ebx, (v)
19146 movl %ecx, 4(v)
19147 RET_ENDP
19148 +BEGIN(set_unchecked)
19149 + movl %ebx, (v)
19150 + movl %ecx, 4(v)
19151 +RET_ENDP
19152 #undef v
19153
19154 #define v %esi
19155 @@ -70,6 +78,20 @@ RET_ENDP
19156 BEGIN(add)
19157 addl %eax, (v)
19158 adcl %edx, 4(v)
19159 +
19160 +#ifdef CONFIG_PAX_REFCOUNT
19161 + jno 0f
19162 + subl %eax, (v)
19163 + sbbl %edx, 4(v)
19164 + int $4
19165 +0:
19166 + _ASM_EXTABLE(0b, 0b)
19167 +#endif
19168 +
19169 +RET_ENDP
19170 +BEGIN(add_unchecked)
19171 + addl %eax, (v)
19172 + adcl %edx, 4(v)
19173 RET_ENDP
19174 #undef v
19175
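Review bot: The `CONFIG_PAX_REFCOUNT` block added to `BEGIN(add)` is uncommented, although it is the core of the overflow protection. The sequence `jno 0f` / `subl %eax, (v)` / `sbbl %edx, 4(v)` / `int $4` undoes the addition before raising the overflow exception, and `_ASM_EXTABLE(0b, 0b)` presumably lets the handler resume at `0:`. I would add `/* signed overflow: roll the counter back, then trap so the overflow is reported */` above `jno 0f`. The same block appears uncommented in the `sub`, `inc` and `dec` hunks below.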
19176 @@ -77,6 +99,24 @@ RET_ENDP
19177 BEGIN(add_return)
19178 addl (v), %eax
19179 adcl 4(v), %edx
19180 +
19181 +#ifdef CONFIG_PAX_REFCOUNT
19182 + into
19183 +1234:
19184 + _ASM_EXTABLE(1234b, 2f)
19185 +#endif
19186 +
19187 + movl %eax, (v)
19188 + movl %edx, 4(v)
19189 +
19190 +#ifdef CONFIG_PAX_REFCOUNT
19191 +2:
19192 +#endif
19193 +
19194 +RET_ENDP
19195 +BEGIN(add_return_unchecked)
19196 + addl (v), %eax
19197 + adcl 4(v), %edx
19198 movl %eax, (v)
19199 movl %edx, 4(v)
19200 RET_ENDP
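Review bot: The return value of `add_return` on overflow is not documented. With `CONFIG_PAX_REFCOUNT`, the `into` after `adcl 4(v), %edx` transfers via `_ASM_EXTABLE(1234b, 2f)` to `2:`, which skips both `movl` stores, yet `%eax:%edx` already hold the wrapped sum and that is what the caller receives. A comment such as `/* on overflow the store is skipped; the caller still sees the wrapped sum in %eax:%edx */` before `into` would make the contract explicit. The same applies to the `sub_return`, `inc_return` and `dec_return` hunks; the cx8 implementation places its fixup label differently, so the two paths should be checked against each other.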
19201 @@ -86,6 +126,20 @@ RET_ENDP
19202 BEGIN(sub)
19203 subl %eax, (v)
19204 sbbl %edx, 4(v)
19205 +
19206 +#ifdef CONFIG_PAX_REFCOUNT
19207 + jno 0f
19208 + addl %eax, (v)
19209 + adcl %edx, 4(v)
19210 + int $4
19211 +0:
19212 + _ASM_EXTABLE(0b, 0b)
19213 +#endif
19214 +
19215 +RET_ENDP
19216 +BEGIN(sub_unchecked)
19217 + subl %eax, (v)
19218 + sbbl %edx, 4(v)
19219 RET_ENDP
19220 #undef v
19221
19222 @@ -96,6 +150,27 @@ BEGIN(sub_return)
19223 sbbl $0, %edx
19224 addl (v), %eax
19225 adcl 4(v), %edx
19226 +
19227 +#ifdef CONFIG_PAX_REFCOUNT
19228 + into
19229 +1234:
19230 + _ASM_EXTABLE(1234b, 2f)
19231 +#endif
19232 +
19233 + movl %eax, (v)
19234 + movl %edx, 4(v)
19235 +
19236 +#ifdef CONFIG_PAX_REFCOUNT
19237 +2:
19238 +#endif
19239 +
19240 +RET_ENDP
19241 +BEGIN(sub_return_unchecked)
19242 + negl %edx
19243 + negl %eax
19244 + sbbl $0, %edx
19245 + addl (v), %eax
19246 + adcl 4(v), %edx
19247 movl %eax, (v)
19248 movl %edx, 4(v)
19249 RET_ENDP
19250 @@ -105,6 +180,20 @@ RET_ENDP
19251 BEGIN(inc)
19252 addl $1, (v)
19253 adcl $0, 4(v)
19254 +
19255 +#ifdef CONFIG_PAX_REFCOUNT
19256 + jno 0f
19257 + subl $1, (v)
19258 + sbbl $0, 4(v)
19259 + int $4
19260 +0:
19261 + _ASM_EXTABLE(0b, 0b)
19262 +#endif
19263 +
19264 +RET_ENDP
19265 +BEGIN(inc_unchecked)
19266 + addl $1, (v)
19267 + adcl $0, 4(v)
19268 RET_ENDP
19269 #undef v
19270
19271 @@ -114,6 +203,26 @@ BEGIN(inc_return)
19272 movl 4(v), %edx
19273 addl $1, %eax
19274 adcl $0, %edx
19275 +
19276 +#ifdef CONFIG_PAX_REFCOUNT
19277 + into
19278 +1234:
19279 + _ASM_EXTABLE(1234b, 2f)
19280 +#endif
19281 +
19282 + movl %eax, (v)
19283 + movl %edx, 4(v)
19284 +
19285 +#ifdef CONFIG_PAX_REFCOUNT
19286 +2:
19287 +#endif
19288 +
19289 +RET_ENDP
19290 +BEGIN(inc_return_unchecked)
19291 + movl (v), %eax
19292 + movl 4(v), %edx
19293 + addl $1, %eax
19294 + adcl $0, %edx
19295 movl %eax, (v)
19296 movl %edx, 4(v)
19297 RET_ENDP
19298 @@ -123,6 +232,20 @@ RET_ENDP
19299 BEGIN(dec)
19300 subl $1, (v)
19301 sbbl $0, 4(v)
19302 +
19303 +#ifdef CONFIG_PAX_REFCOUNT
19304 + jno 0f
19305 + addl $1, (v)
19306 + adcl $0, 4(v)
19307 + int $4
19308 +0:
19309 + _ASM_EXTABLE(0b, 0b)
19310 +#endif
19311 +
19312 +RET_ENDP
19313 +BEGIN(dec_unchecked)
19314 + subl $1, (v)
19315 + sbbl $0, 4(v)
19316 RET_ENDP
19317 #undef v
19318
19319 @@ -132,6 +255,26 @@ BEGIN(dec_return)
19320 movl 4(v), %edx
19321 subl $1, %eax
19322 sbbl $0, %edx
19323 +
19324 +#ifdef CONFIG_PAX_REFCOUNT
19325 + into
19326 +1234:
19327 + _ASM_EXTABLE(1234b, 2f)
19328 +#endif
19329 +
19330 + movl %eax, (v)
19331 + movl %edx, 4(v)
19332 +
19333 +#ifdef CONFIG_PAX_REFCOUNT
19334 +2:
19335 +#endif
19336 +
19337 +RET_ENDP
19338 +BEGIN(dec_return_unchecked)
19339 + movl (v), %eax
19340 + movl 4(v), %edx
19341 + subl $1, %eax
19342 + sbbl $0, %edx
19343 movl %eax, (v)
19344 movl %edx, 4(v)
19345 RET_ENDP
19346 @@ -143,6 +286,13 @@ BEGIN(add_unless)
19347 adcl %edx, %edi
19348 addl (v), %eax
19349 adcl 4(v), %edx
19350 +
19351 +#ifdef CONFIG_PAX_REFCOUNT
19352 + into
19353 +1234:
19354 + _ASM_EXTABLE(1234b, 2f)
19355 +#endif
19356 +
19357 cmpl %eax, %esi
19358 je 3f
19359 1:
19360 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
19361 1:
19362 addl $1, %eax
19363 adcl $0, %edx
19364 +
19365 +#ifdef CONFIG_PAX_REFCOUNT
19366 + into
19367 +1234:
19368 + _ASM_EXTABLE(1234b, 2f)
19369 +#endif
19370 +
19371 movl %eax, (v)
19372 movl %edx, 4(v)
19373 movl $1, %eax
19374 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
19375 movl 4(v), %edx
19376 subl $1, %eax
19377 sbbl $0, %edx
19378 +
19379 +#ifdef CONFIG_PAX_REFCOUNT
19380 + into
19381 +1234:
19382 + _ASM_EXTABLE(1234b, 1f)
19383 +#endif
19384 +
19385 js 1f
19386 movl %eax, (v)
19387 movl %edx, 4(v)
19388 diff -urNp linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S
19389 --- linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-19 00:06:34.000000000 -0400
19390 +++ linux-2.6.39.3/arch/x86/lib/atomic64_cx8_32.S 2011-05-22 19:36:30.000000000 -0400
19391 @@ -39,6 +39,14 @@ ENTRY(atomic64_read_cx8)
19392 CFI_ENDPROC
19393 ENDPROC(atomic64_read_cx8)
19394
19395 +ENTRY(atomic64_read_unchecked_cx8)
19396 + CFI_STARTPROC
19397 +
19398 + read64 %ecx
19399 + ret
19400 + CFI_ENDPROC
19401 +ENDPROC(atomic64_read_unchecked_cx8)
19402 +
19403 ENTRY(atomic64_set_cx8)
19404 CFI_STARTPROC
19405
19406 @@ -52,6 +60,19 @@ ENTRY(atomic64_set_cx8)
19407 CFI_ENDPROC
19408 ENDPROC(atomic64_set_cx8)
19409
19410 +ENTRY(atomic64_set_unchecked_cx8)
19411 + CFI_STARTPROC
19412 +
19413 +1:
19414 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
19415 + * are atomic on 586 and newer */
19416 + cmpxchg8b (%esi)
19417 + jne 1b
19418 +
19419 + ret
19420 + CFI_ENDPROC
19421 +ENDPROC(atomic64_set_unchecked_cx8)
19422 +
19423 ENTRY(atomic64_xchg_cx8)
19424 CFI_STARTPROC
19425
19426 @@ -66,8 +87,8 @@ ENTRY(atomic64_xchg_cx8)
19427 CFI_ENDPROC
19428 ENDPROC(atomic64_xchg_cx8)
19429
19430 -.macro addsub_return func ins insc
19431 -ENTRY(atomic64_\func\()_return_cx8)
19432 +.macro addsub_return func ins insc unchecked=""
19433 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19434 CFI_STARTPROC
19435 SAVE ebp
19436 SAVE ebx
19437 @@ -84,27 +105,43 @@ ENTRY(atomic64_\func\()_return_cx8)
19438 movl %edx, %ecx
19439 \ins\()l %esi, %ebx
19440 \insc\()l %edi, %ecx
19441 +
19442 +.ifb \unchecked
19443 +#ifdef CONFIG_PAX_REFCOUNT
19444 + into
19445 +2:
19446 + _ASM_EXTABLE(2b, 3f)
19447 +#endif
19448 +.endif
19449 +
19450 LOCK_PREFIX
19451 cmpxchg8b (%ebp)
19452 jne 1b
19453 -
19454 -10:
19455 movl %ebx, %eax
19456 movl %ecx, %edx
19457 +
19458 +.ifb \unchecked
19459 +#ifdef CONFIG_PAX_REFCOUNT
19460 +3:
19461 +#endif
19462 +.endif
19463 +
19464 RESTORE edi
19465 RESTORE esi
19466 RESTORE ebx
19467 RESTORE ebp
19468 ret
19469 CFI_ENDPROC
19470 -ENDPROC(atomic64_\func\()_return_cx8)
19471 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19472 .endm
19473
19474 addsub_return add add adc
19475 addsub_return sub sub sbb
19476 +addsub_return add add adc _unchecked
19477 +addsub_return sub sub sbb _unchecked
19478
19479 -.macro incdec_return func ins insc
19480 -ENTRY(atomic64_\func\()_return_cx8)
19481 +.macro incdec_return func ins insc unchecked
19482 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
19483 CFI_STARTPROC
19484 SAVE ebx
19485
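Review bot: In the checked `addsub_return` expansion the overflow fixup label `3:` is placed after `movl %ebx, %eax` / `movl %ecx, %edx`, so on overflow the routine returns whatever `%eax:%edx` held before the operation. The 386 variants in atomic64_386_32.S return the wrapped sum in the same situation. If the difference is intended it needs a comment at `3:`, e.g. `/* overflow: counter untouched, return the value that was read */`; otherwise one of the two should change. Separately, `addsub_return` declares its new parameter as `unchecked=""` while `incdec_return` in this same hunk declares a bare `unchecked`; both are tested with `.ifb \unchecked`, so they should be declared the same way.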
19486 @@ -114,21 +151,38 @@ ENTRY(atomic64_\func\()_return_cx8)
19487 movl %edx, %ecx
19488 \ins\()l $1, %ebx
19489 \insc\()l $0, %ecx
19490 +
19491 +.ifb \unchecked
19492 +#ifdef CONFIG_PAX_REFCOUNT
19493 + into
19494 +2:
19495 + _ASM_EXTABLE(2b, 3f)
19496 +#endif
19497 +.endif
19498 +
19499 LOCK_PREFIX
19500 cmpxchg8b (%esi)
19501 jne 1b
19502
19503 -10:
19504 movl %ebx, %eax
19505 movl %ecx, %edx
19506 +
19507 +.ifb \unchecked
19508 +#ifdef CONFIG_PAX_REFCOUNT
19509 +3:
19510 +#endif
19511 +.endif
19512 +
19513 RESTORE ebx
19514 ret
19515 CFI_ENDPROC
19516 -ENDPROC(atomic64_\func\()_return_cx8)
19517 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
19518 .endm
19519
19520 incdec_return inc add adc
19521 incdec_return dec sub sbb
19522 +incdec_return inc add adc _unchecked
19523 +incdec_return dec sub sbb _unchecked
19524
19525 ENTRY(atomic64_dec_if_positive_cx8)
19526 CFI_STARTPROC
19527 @@ -140,6 +194,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
19528 movl %edx, %ecx
19529 subl $1, %ebx
19530 sbb $0, %ecx
19531 +
19532 +#ifdef CONFIG_PAX_REFCOUNT
19533 + into
19534 +1234:
19535 + _ASM_EXTABLE(1234b, 2f)
19536 +#endif
19537 +
19538 js 2f
19539 LOCK_PREFIX
19540 cmpxchg8b (%esi)
19541 @@ -174,6 +235,13 @@ ENTRY(atomic64_add_unless_cx8)
19542 movl %edx, %ecx
19543 addl %esi, %ebx
19544 adcl %edi, %ecx
19545 +
19546 +#ifdef CONFIG_PAX_REFCOUNT
19547 + into
19548 +1234:
19549 + _ASM_EXTABLE(1234b, 3f)
19550 +#endif
19551 +
19552 LOCK_PREFIX
19553 cmpxchg8b (%ebp)
19554 jne 1b
19555 @@ -206,6 +274,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
19556 movl %edx, %ecx
19557 addl $1, %ebx
19558 adcl $0, %ecx
19559 +
19560 +#ifdef CONFIG_PAX_REFCOUNT
19561 + into
19562 +1234:
19563 + _ASM_EXTABLE(1234b, 3f)
19564 +#endif
19565 +
19566 LOCK_PREFIX
19567 cmpxchg8b (%esi)
19568 jne 1b
19569 diff -urNp linux-2.6.39.3/arch/x86/lib/checksum_32.S linux-2.6.39.3/arch/x86/lib/checksum_32.S
19570 --- linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-19 00:06:34.000000000 -0400
19571 +++ linux-2.6.39.3/arch/x86/lib/checksum_32.S 2011-05-22 19:36:30.000000000 -0400
19572 @@ -28,7 +28,8 @@
19573 #include <linux/linkage.h>
19574 #include <asm/dwarf2.h>
19575 #include <asm/errno.h>
19576 -
19577 +#include <asm/segment.h>
19578 +
19579 /*
19580 * computes a partial checksum, e.g. for TCP/UDP fragments
19581 */
19582 @@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
19583
19584 #define ARGBASE 16
19585 #define FP 12
19586 -
19587 -ENTRY(csum_partial_copy_generic)
19588 +
19589 +ENTRY(csum_partial_copy_generic_to_user)
19590 CFI_STARTPROC
19591 +
19592 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19593 + pushl_cfi %gs
19594 + popl_cfi %es
19595 + jmp csum_partial_copy_generic
19596 +#endif
19597 +
19598 +ENTRY(csum_partial_copy_generic_from_user)
19599 +
19600 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19601 + pushl_cfi %gs
19602 + popl_cfi %ds
19603 +#endif
19604 +
19605 +ENTRY(csum_partial_copy_generic)
19606 subl $4,%esp
19607 CFI_ADJUST_CFA_OFFSET 4
19608 pushl_cfi %edi
19609 @@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
19610 jmp 4f
19611 SRC(1: movw (%esi), %bx )
19612 addl $2, %esi
19613 -DST( movw %bx, (%edi) )
19614 +DST( movw %bx, %es:(%edi) )
19615 addl $2, %edi
19616 addw %bx, %ax
19617 adcl $0, %eax
19618 @@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
19619 SRC(1: movl (%esi), %ebx )
19620 SRC( movl 4(%esi), %edx )
19621 adcl %ebx, %eax
19622 -DST( movl %ebx, (%edi) )
19623 +DST( movl %ebx, %es:(%edi) )
19624 adcl %edx, %eax
19625 -DST( movl %edx, 4(%edi) )
19626 +DST( movl %edx, %es:4(%edi) )
19627
19628 SRC( movl 8(%esi), %ebx )
19629 SRC( movl 12(%esi), %edx )
19630 adcl %ebx, %eax
19631 -DST( movl %ebx, 8(%edi) )
19632 +DST( movl %ebx, %es:8(%edi) )
19633 adcl %edx, %eax
19634 -DST( movl %edx, 12(%edi) )
19635 +DST( movl %edx, %es:12(%edi) )
19636
19637 SRC( movl 16(%esi), %ebx )
19638 SRC( movl 20(%esi), %edx )
19639 adcl %ebx, %eax
19640 -DST( movl %ebx, 16(%edi) )
19641 +DST( movl %ebx, %es:16(%edi) )
19642 adcl %edx, %eax
19643 -DST( movl %edx, 20(%edi) )
19644 +DST( movl %edx, %es:20(%edi) )
19645
19646 SRC( movl 24(%esi), %ebx )
19647 SRC( movl 28(%esi), %edx )
19648 adcl %ebx, %eax
19649 -DST( movl %ebx, 24(%edi) )
19650 +DST( movl %ebx, %es:24(%edi) )
19651 adcl %edx, %eax
19652 -DST( movl %edx, 28(%edi) )
19653 +DST( movl %edx, %es:28(%edi) )
19654
19655 lea 32(%esi), %esi
19656 lea 32(%edi), %edi
19657 @@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
19658 shrl $2, %edx # This clears CF
19659 SRC(3: movl (%esi), %ebx )
19660 adcl %ebx, %eax
19661 -DST( movl %ebx, (%edi) )
19662 +DST( movl %ebx, %es:(%edi) )
19663 lea 4(%esi), %esi
19664 lea 4(%edi), %edi
19665 dec %edx
19666 @@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
19667 jb 5f
19668 SRC( movw (%esi), %cx )
19669 leal 2(%esi), %esi
19670 -DST( movw %cx, (%edi) )
19671 +DST( movw %cx, %es:(%edi) )
19672 leal 2(%edi), %edi
19673 je 6f
19674 shll $16,%ecx
19675 SRC(5: movb (%esi), %cl )
19676 -DST( movb %cl, (%edi) )
19677 +DST( movb %cl, %es:(%edi) )
19678 6: addl %ecx, %eax
19679 adcl $0, %eax
19680 7:
19681 @@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
19682
19683 6001:
19684 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19685 - movl $-EFAULT, (%ebx)
19686 + movl $-EFAULT, %ss:(%ebx)
19687
19688 # zero the complete destination - computing the rest
19689 # is too much work
19690 @@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
19691
19692 6002:
19693 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19694 - movl $-EFAULT,(%ebx)
19695 + movl $-EFAULT,%ss:(%ebx)
19696 jmp 5000b
19697
19698 .previous
19699
19700 + pushl_cfi %ss
19701 + popl_cfi %ds
19702 + pushl_cfi %ss
19703 + popl_cfi %es
19704 popl_cfi %ebx
19705 CFI_RESTORE ebx
19706 popl_cfi %esi
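Review bot: The segment restore added to this epilogue (`pushl_cfi %ss` / `popl_cfi %ds` / `pushl_cfi %ss` / `popl_cfi %es`) is not wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The matching restore in the PentiumII/PPro variant (hunk at -505) is guarded, and so are the prologues that change `%ds`/`%es` (hunk at -296). As written, every build of this variant reloads both segment registers on return. Put `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl_cfi %ss` and `#endif` after the second `popl_cfi`. The function body starts outside the hunk.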
19707 @@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
19708 popl_cfi %ecx # equivalent to addl $4,%esp
19709 ret
19710 CFI_ENDPROC
19711 -ENDPROC(csum_partial_copy_generic)
19712 +ENDPROC(csum_partial_copy_generic_to_user)
19713
19714 #else
19715
19716 /* Version for PentiumII/PPro */
19717
19718 #define ROUND1(x) \
19719 + nop; nop; nop; \
19720 SRC(movl x(%esi), %ebx ) ; \
19721 addl %ebx, %eax ; \
19722 - DST(movl %ebx, x(%edi) ) ;
19723 + DST(movl %ebx, %es:x(%edi)) ;
19724
19725 #define ROUND(x) \
19726 + nop; nop; nop; \
19727 SRC(movl x(%esi), %ebx ) ; \
19728 adcl %ebx, %eax ; \
19729 - DST(movl %ebx, x(%edi) ) ;
19730 + DST(movl %ebx, %es:x(%edi)) ;
19731
19732 #define ARGBASE 12
19733 -
19734 -ENTRY(csum_partial_copy_generic)
19735 +
19736 +ENTRY(csum_partial_copy_generic_to_user)
19737 CFI_STARTPROC
19738 +
19739 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19740 + pushl_cfi %gs
19741 + popl_cfi %es
19742 + jmp csum_partial_copy_generic
19743 +#endif
19744 +
19745 +ENTRY(csum_partial_copy_generic_from_user)
19746 +
19747 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19748 + pushl_cfi %gs
19749 + popl_cfi %ds
19750 +#endif
19751 +
19752 +ENTRY(csum_partial_copy_generic)
19753 pushl_cfi %ebx
19754 CFI_REL_OFFSET ebx, 0
19755 pushl_cfi %edi
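Review bot: Only `csum_partial_copy_generic_to_user` gets an `ENDPROC` after this change, although the code now has three `ENTRY` points sharing one body. `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` are left without end-of-procedure annotations, and the same is true of the first variant (hunks at -296 and -424). Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing one would keep the symbol annotations complete. The fall-through also deserves a comment such as `/* without UDEREF all three entries fall through to the same code */` above the second `ENTRY`.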
19756 @@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
19757 subl %ebx, %edi
19758 lea -1(%esi),%edx
19759 andl $-32,%edx
19760 - lea 3f(%ebx,%ebx), %ebx
19761 + lea 3f(%ebx,%ebx,2), %ebx
19762 testl %esi, %esi
19763 jmp *%ebx
19764 1: addl $64,%esi
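Review bot: The new scale in `lea 3f(%ebx,%ebx,2), %ebx` is silently coupled to the `nop; nop; nop;` padding added to `ROUND1`/`ROUND` in the previous hunk. The computed `jmp *%ebx` lands correctly only while the stride equals the encoded size of one round, and the `%es:` prefix plus the three nops appear to be what grows each round to match the factor of three. Nothing in the source says so, and a later edit to either macro would turn this into a jump into the middle of an instruction. Add a comment on the `lea`, e.g. `/* stride must equal the byte size of one ROUND(); see the nop padding in ROUND1/ROUND */`. The padding and prefix are also emitted when `CONFIG_PAX_MEMORY_UDEREF` is off.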
19765 @@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
19766 jb 5f
19767 SRC( movw (%esi), %dx )
19768 leal 2(%esi), %esi
19769 -DST( movw %dx, (%edi) )
19770 +DST( movw %dx, %es:(%edi) )
19771 leal 2(%edi), %edi
19772 je 6f
19773 shll $16,%edx
19774 5:
19775 SRC( movb (%esi), %dl )
19776 -DST( movb %dl, (%edi) )
19777 +DST( movb %dl, %es:(%edi) )
19778 6: addl %edx, %eax
19779 adcl $0, %eax
19780 7:
19781 .section .fixup, "ax"
19782 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19783 - movl $-EFAULT, (%ebx)
19784 + movl $-EFAULT, %ss:(%ebx)
19785 # zero the complete destination (computing the rest is too much work)
19786 movl ARGBASE+8(%esp),%edi # dst
19787 movl ARGBASE+12(%esp),%ecx # len
19788 @@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
19789 rep; stosb
19790 jmp 7b
19791 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19792 - movl $-EFAULT, (%ebx)
19793 + movl $-EFAULT, %ss:(%ebx)
19794 jmp 7b
19795 .previous
19796
19797 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19798 + pushl_cfi %ss
19799 + popl_cfi %ds
19800 + pushl_cfi %ss
19801 + popl_cfi %es
19802 +#endif
19803 +
19804 popl_cfi %esi
19805 CFI_RESTORE esi
19806 popl_cfi %edi
19807 @@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
19808 CFI_RESTORE ebx
19809 ret
19810 CFI_ENDPROC
19811 -ENDPROC(csum_partial_copy_generic)
19812 +ENDPROC(csum_partial_copy_generic_to_user)
19813
19814 #undef ROUND
19815 #undef ROUND1
19816 diff -urNp linux-2.6.39.3/arch/x86/lib/clear_page_64.S linux-2.6.39.3/arch/x86/lib/clear_page_64.S
19817 --- linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-19 00:06:34.000000000 -0400
19818 +++ linux-2.6.39.3/arch/x86/lib/clear_page_64.S 2011-05-22 19:36:30.000000000 -0400
19819 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19820
19821 #include <asm/cpufeature.h>
19822
19823 - .section .altinstr_replacement,"ax"
19824 + .section .altinstr_replacement,"a"
19825 1: .byte 0xeb /* jmp <disp8> */
19826 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19827 2:
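Review bot: The section flags change from `"ax"` to `"a"` on `.altinstr_replacement` without a comment, so a later editor could restore the executable flag without noticing. Presumably the replacement bytes are only copied over the original instruction and never run in place, which makes an executable mapping unnecessary. A one-line comment would record that, e.g. `/* replacement bytes are data: copied over the original, never executed here */`. The same uncommented change is made in copy_page_64.S and in `ALTERNATIVE_JUMP` in copy_user_64.S.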
19828 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_page_64.S linux-2.6.39.3/arch/x86/lib/copy_page_64.S
19829 --- linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-19 00:06:34.000000000 -0400
19830 +++ linux-2.6.39.3/arch/x86/lib/copy_page_64.S 2011-05-22 19:36:30.000000000 -0400
19831 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19832
19833 #include <asm/cpufeature.h>
19834
19835 - .section .altinstr_replacement,"ax"
19836 + .section .altinstr_replacement,"a"
19837 1: .byte 0xeb /* jmp <disp8> */
19838 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19839 2:
19840 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_64.S linux-2.6.39.3/arch/x86/lib/copy_user_64.S
19841 --- linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:04:13.000000000 -0400
19842 +++ linux-2.6.39.3/arch/x86/lib/copy_user_64.S 2011-06-03 00:32:05.000000000 -0400
19843 @@ -15,13 +15,14 @@
19844 #include <asm/asm-offsets.h>
19845 #include <asm/thread_info.h>
19846 #include <asm/cpufeature.h>
19847 +#include <asm/pgtable.h>
19848
19849 .macro ALTERNATIVE_JUMP feature,orig,alt
19850 0:
19851 .byte 0xe9 /* 32bit jump */
19852 .long \orig-1f /* by default jump to orig */
19853 1:
19854 - .section .altinstr_replacement,"ax"
19855 + .section .altinstr_replacement,"a"
19856 2: .byte 0xe9 /* near jump with 32bit immediate */
19857 .long \alt-1b /* offset */ /* or alternatively to alt */
19858 .previous
19859 @@ -64,37 +65,13 @@
19860 #endif
19861 .endm
19862
19863 -/* Standard copy_to_user with segment limit checking */
19864 -ENTRY(_copy_to_user)
19865 - CFI_STARTPROC
19866 - GET_THREAD_INFO(%rax)
19867 - movq %rdi,%rcx
19868 - addq %rdx,%rcx
19869 - jc bad_to_user
19870 - cmpq TI_addr_limit(%rax),%rcx
19871 - ja bad_to_user
19872 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19873 - CFI_ENDPROC
19874 -ENDPROC(_copy_to_user)
19875 -
19876 -/* Standard copy_from_user with segment limit checking */
19877 -ENTRY(_copy_from_user)
19878 - CFI_STARTPROC
19879 - GET_THREAD_INFO(%rax)
19880 - movq %rsi,%rcx
19881 - addq %rdx,%rcx
19882 - jc bad_from_user
19883 - cmpq TI_addr_limit(%rax),%rcx
19884 - ja bad_from_user
19885 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19886 - CFI_ENDPROC
19887 -ENDPROC(_copy_from_user)
19888 -
19889 .section .fixup,"ax"
19890 /* must zero dest */
19891 ENTRY(bad_from_user)
19892 bad_from_user:
19893 CFI_STARTPROC
19894 + testl %edx,%edx
19895 + js bad_to_user
19896 movl %edx,%ecx
19897 xorl %eax,%eax
19898 rep
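Review bot: The added `testl %edx,%edx` / `js bad_to_user` in `bad_from_user` sits directly under the existing `/* must zero dest */` comment but makes the zeroing conditional, and nothing explains when it is skipped. The test looks only at the low 32 bits of the length, which matches the `movl %edx,%ecx` that follows, so a length with bit 31 set bypasses the `rep` store. I would add `/* a length with the sign bit set is not a valid copy size; do not zero that many bytes */` above the `testl`. This hunk also removes `_copy_to_user` and `_copy_from_user`, the only visible callers of these fixup labels, so confirm that the replacements elsewhere in the patch still reach them. `bad_from_user` continues outside the hunk.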
19899 diff -urNp linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S
19900 --- linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-19 00:06:34.000000000 -0400
19901 +++ linux-2.6.39.3/arch/x86/lib/copy_user_nocache_64.S 2011-05-22 19:36:30.000000000 -0400
19902 @@ -14,6 +14,7 @@
19903 #include <asm/current.h>
19904 #include <asm/asm-offsets.h>
19905 #include <asm/thread_info.h>
19906 +#include <asm/pgtable.h>
19907
19908 .macro ALIGN_DESTINATION
19909 #ifdef FIX_ALIGNMENT
19910 @@ -50,6 +51,15 @@
19911 */
19912 ENTRY(__copy_user_nocache)
19913 CFI_STARTPROC
19914 +
19915 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19916 + mov $PAX_USER_SHADOW_BASE,%rcx
19917 + cmp %rcx,%rsi
19918 + jae 1f
19919 + add %rcx,%rsi
19920 +1:
19921 +#endif
19922 +
19923 cmpl $8,%edx
19924 jb 20f /* less then 8 bytes, go to byte copy loop */
19925 ALIGN_DESTINATION
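Review bot: The UDEREF prologue uses the local label `1:` (`jae 1f` ... `1:`), while the identical address adjustment in getuser.S uses `1234:`. Low numeric labels are commonly reused by copy loops and their exception-table entries, so a distinctive number avoids an accidental `1b`/`1f` binding to this prologue after a later edit. I would write `jae 1234f` and `1234:` here to match getuser.S. A comment such as `/* UDEREF: redirect a userland source pointer into the shadow mapping */` would also help; that wording is inferred from the constant name and should be confirmed.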
19926 diff -urNp linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c
19927 --- linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-19 00:06:34.000000000 -0400
19928 +++ linux-2.6.39.3/arch/x86/lib/csum-wrappers_64.c 2011-05-22 19:36:30.000000000 -0400
19929 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19930 len -= 2;
19931 }
19932 }
19933 +
19934 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19935 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19936 + src += PAX_USER_SHADOW_BASE;
19937 +#endif
19938 +
19939 isum = csum_partial_copy_generic((__force const void *)src,
19940 dst, len, isum, errp, NULL);
19941 if (unlikely(*errp))
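Review bot: The `PAX_USER_SHADOW_BASE` adjustment of `src` is open-coded here and repeated for `dst` in the csum_partial_copy_to_user hunk below, with no comment in either place. The same compare-and-add also appears in assembly in copy_user_nocache_64.S and getuser.S, so a change to the rule would have to be made in several files. In the C wrappers a small static inline helper would keep the two call sites in step. At minimum add `/* UDEREF: access userland through the shadow mapping */` above each `#ifdef`; that wording is inferred from the names and should be confirmed. Both functions start outside their hunks.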
19942 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19943 }
19944
19945 *errp = 0;
19946 +
19947 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19948 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19949 + dst += PAX_USER_SHADOW_BASE;
19950 +#endif
19951 +
19952 return csum_partial_copy_generic(src, (void __force *)dst,
19953 len, isum, NULL, errp);
19954 }
19955 diff -urNp linux-2.6.39.3/arch/x86/lib/getuser.S linux-2.6.39.3/arch/x86/lib/getuser.S
19956 --- linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-19 00:06:34.000000000 -0400
19957 +++ linux-2.6.39.3/arch/x86/lib/getuser.S 2011-05-22 19:36:30.000000000 -0400
19958 @@ -33,14 +33,35 @@
19959 #include <asm/asm-offsets.h>
19960 #include <asm/thread_info.h>
19961 #include <asm/asm.h>
19962 +#include <asm/segment.h>
19963 +#include <asm/pgtable.h>
19964 +
19965 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19966 +#define __copyuser_seg gs;
19967 +#else
19968 +#define __copyuser_seg
19969 +#endif
19970
19971 .text
19972 ENTRY(__get_user_1)
19973 CFI_STARTPROC
19974 +
19975 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19976 GET_THREAD_INFO(%_ASM_DX)
19977 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19978 jae bad_get_user
19979 -1: movzb (%_ASM_AX),%edx
19980 +
19981 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19982 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19983 + cmp %_ASM_DX,%_ASM_AX
19984 + jae 1234f
19985 + add %_ASM_DX,%_ASM_AX
19986 +1234:
19987 +#endif
19988 +
19989 +#endif
19990 +
19991 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19992 xor %eax,%eax
19993 ret
19994 CFI_ENDPROC
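Review bot: With CONFIG_X86_32 and CONFIG_PAX_MEMORY_UDEREF both set, the new `#if` removes the `TI_addr_limit` comparison and leaves the `__copyuser_seg` (gs) override on the load at label 1 as the only thing bounding the access, and no comment records that. A line such as `/* 32-bit UDEREF: the %gs segment limit replaces the addr_limit check */` above the `#if` would make the dependency explicit; this is presumably the intent, but the segment setup is not visible here. The __get_user_2 and __get_user_4 hunks do the same and additionally drop `jc bad_get_user` in that configuration. The five-line `PAX_USER_SHADOW_BASE` sequence with the `1234:` label is pasted into every routine, and `__copyuser_seg` is defined again in putuser.S, so both look like candidates for one shared macro.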
19995 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19996 ENTRY(__get_user_2)
19997 CFI_STARTPROC
19998 add $1,%_ASM_AX
19999 +
20000 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20001 jc bad_get_user
20002 GET_THREAD_INFO(%_ASM_DX)
20003 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20004 jae bad_get_user
20005 -2: movzwl -1(%_ASM_AX),%edx
20006 +
20007 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20008 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20009 + cmp %_ASM_DX,%_ASM_AX
20010 + jae 1234f
20011 + add %_ASM_DX,%_ASM_AX
20012 +1234:
20013 +#endif
20014 +
20015 +#endif
20016 +
20017 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
20018 xor %eax,%eax
20019 ret
20020 CFI_ENDPROC
20021 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
20022 ENTRY(__get_user_4)
20023 CFI_STARTPROC
20024 add $3,%_ASM_AX
20025 +
20026 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20027 jc bad_get_user
20028 GET_THREAD_INFO(%_ASM_DX)
20029 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20030 jae bad_get_user
20031 -3: mov -3(%_ASM_AX),%edx
20032 +
20033 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20034 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20035 + cmp %_ASM_DX,%_ASM_AX
20036 + jae 1234f
20037 + add %_ASM_DX,%_ASM_AX
20038 +1234:
20039 +#endif
20040 +
20041 +#endif
20042 +
20043 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
20044 xor %eax,%eax
20045 ret
20046 CFI_ENDPROC
20047 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
20048 GET_THREAD_INFO(%_ASM_DX)
20049 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20050 jae bad_get_user
20051 +
20052 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20053 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20054 + cmp %_ASM_DX,%_ASM_AX
20055 + jae 1234f
20056 + add %_ASM_DX,%_ASM_AX
20057 +1234:
20058 +#endif
20059 +
20060 4: movq -7(%_ASM_AX),%_ASM_DX
20061 xor %eax,%eax
20062 ret
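Review bot: The guard here is plain `#ifdef CONFIG_PAX_MEMORY_UDEREF`, while the other three routines in this file use `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)` for the identical sequence. If __get_user_8 is only built on 64-bit (its opening lines and any enclosing `#ifdef` are outside the hunk) the result is the same, but I would either use the same condition or add `/* x86-64 only, see enclosing #ifdef */` so the difference does not read as an oversight. The load at label 4 also carries no `__copyuser_seg`, which is consistent with that assumption.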
20063 diff -urNp linux-2.6.39.3/arch/x86/lib/insn.c linux-2.6.39.3/arch/x86/lib/insn.c
20064 --- linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-19 00:06:34.000000000 -0400
20065 +++ linux-2.6.39.3/arch/x86/lib/insn.c 2011-05-22 19:36:30.000000000 -0400
20066 @@ -21,6 +21,11 @@
20067 #include <linux/string.h>
20068 #include <asm/inat.h>
20069 #include <asm/insn.h>
20070 +#ifdef __KERNEL__
20071 +#include <asm/pgtable_types.h>
20072 +#else
20073 +#define ktla_ktva(addr) addr
20074 +#endif
20075
20076 #define get_next(t, insn) \
20077 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
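Review bot: The userspace fallback `#define ktla_ktva(addr) addr` expands without parentheses, so an argument or surrounding expression with operators would bind differently from the kernel version. `#define ktla_ktva(addr) (addr)` costs nothing. The two uses added to insn_init in the next hunk pass a bare identifier, so nothing changes today. A one-line comment on what the translation is for would also help, since after this patch `insn->kaddr` holds the translated value rather than the caller's pointer.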
20078 @@ -40,8 +45,8 @@
20079 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
20080 {
20081 memset(insn, 0, sizeof(*insn));
20082 - insn->kaddr = kaddr;
20083 - insn->next_byte = kaddr;
20084 + insn->kaddr = ktla_ktva(kaddr);
20085 + insn->next_byte = ktla_ktva(kaddr);
20086 insn->x86_64 = x86_64 ? 1 : 0;
20087 insn->opnd_bytes = 4;
20088 if (x86_64)
20089 diff -urNp linux-2.6.39.3/arch/x86/lib/mmx_32.c linux-2.6.39.3/arch/x86/lib/mmx_32.c
20090 --- linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-19 00:06:34.000000000 -0400
20091 +++ linux-2.6.39.3/arch/x86/lib/mmx_32.c 2011-05-22 19:36:30.000000000 -0400
20092 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
20093 {
20094 void *p;
20095 int i;
20096 + unsigned long cr0;
20097
20098 if (unlikely(in_interrupt()))
20099 return __memcpy(to, from, len);
20100 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
20101 kernel_fpu_begin();
20102
20103 __asm__ __volatile__ (
20104 - "1: prefetch (%0)\n" /* This set is 28 bytes */
20105 - " prefetch 64(%0)\n"
20106 - " prefetch 128(%0)\n"
20107 - " prefetch 192(%0)\n"
20108 - " prefetch 256(%0)\n"
20109 + "1: prefetch (%1)\n" /* This set is 28 bytes */
20110 + " prefetch 64(%1)\n"
20111 + " prefetch 128(%1)\n"
20112 + " prefetch 192(%1)\n"
20113 + " prefetch 256(%1)\n"
20114 "2: \n"
20115 ".section .fixup, \"ax\"\n"
20116 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20117 + "3: \n"
20118 +
20119 +#ifdef CONFIG_PAX_KERNEXEC
20120 + " movl %%cr0, %0\n"
20121 + " movl %0, %%eax\n"
20122 + " andl $0xFFFEFFFF, %%eax\n"
20123 + " movl %%eax, %%cr0\n"
20124 +#endif
20125 +
20126 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20127 +
20128 +#ifdef CONFIG_PAX_KERNEXEC
20129 + " movl %0, %%cr0\n"
20130 +#endif
20131 +
20132 " jmp 2b\n"
20133 ".previous\n"
20134 _ASM_EXTABLE(1b, 3b)
20135 - : : "r" (from));
20136 + : "=&r" (cr0) : "r" (from) : "ax");
20137
20138 for ( ; i > 5; i--) {
20139 __asm__ __volatile__ (
20140 - "1: prefetch 320(%0)\n"
20141 - "2: movq (%0), %%mm0\n"
20142 - " movq 8(%0), %%mm1\n"
20143 - " movq 16(%0), %%mm2\n"
20144 - " movq 24(%0), %%mm3\n"
20145 - " movq %%mm0, (%1)\n"
20146 - " movq %%mm1, 8(%1)\n"
20147 - " movq %%mm2, 16(%1)\n"
20148 - " movq %%mm3, 24(%1)\n"
20149 - " movq 32(%0), %%mm0\n"
20150 - " movq 40(%0), %%mm1\n"
20151 - " movq 48(%0), %%mm2\n"
20152 - " movq 56(%0), %%mm3\n"
20153 - " movq %%mm0, 32(%1)\n"
20154 - " movq %%mm1, 40(%1)\n"
20155 - " movq %%mm2, 48(%1)\n"
20156 - " movq %%mm3, 56(%1)\n"
20157 + "1: prefetch 320(%1)\n"
20158 + "2: movq (%1), %%mm0\n"
20159 + " movq 8(%1), %%mm1\n"
20160 + " movq 16(%1), %%mm2\n"
20161 + " movq 24(%1), %%mm3\n"
20162 + " movq %%mm0, (%2)\n"
20163 + " movq %%mm1, 8(%2)\n"
20164 + " movq %%mm2, 16(%2)\n"
20165 + " movq %%mm3, 24(%2)\n"
20166 + " movq 32(%1), %%mm0\n"
20167 + " movq 40(%1), %%mm1\n"
20168 + " movq 48(%1), %%mm2\n"
20169 + " movq 56(%1), %%mm3\n"
20170 + " movq %%mm0, 32(%2)\n"
20171 + " movq %%mm1, 40(%2)\n"
20172 + " movq %%mm2, 48(%2)\n"
20173 + " movq %%mm3, 56(%2)\n"
20174 ".section .fixup, \"ax\"\n"
20175 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20176 + "3:\n"
20177 +
20178 +#ifdef CONFIG_PAX_KERNEXEC
20179 + " movl %%cr0, %0\n"
20180 + " movl %0, %%eax\n"
20181 + " andl $0xFFFEFFFF, %%eax\n"
20182 + " movl %%eax, %%cr0\n"
20183 +#endif
20184 +
20185 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20186 +
20187 +#ifdef CONFIG_PAX_KERNEXEC
20188 + " movl %0, %%cr0\n"
20189 +#endif
20190 +
20191 " jmp 2b\n"
20192 ".previous\n"
20193 _ASM_EXTABLE(1b, 3b)
20194 - : : "r" (from), "r" (to) : "memory");
20195 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20196
20197 from += 64;
20198 to += 64;
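Review bot: The KERNEXEC sequence in both fixup paths clears a bit in CR0 with the bare mask `0xFFFEFFFF` and has no comment; this is bit 16, write protect, and it is cleared so that `movw $0x1AEB, 1b` / `movw $0x05EB, 1b` can patch the instruction at label 1. I would put `/* KERNEXEC: drop CR0.WP only around the self-patching store, then restore the saved value */` above each block, or define the two asm fragments once as string macros, since the same lines recur in both fast_copy_page hunks below. The hunk shows nothing masking interrupts while WP is clear, so the comment should state what keeps that window safe. The `"=&r" (cr0)` output and the `"ax"` clobber are also added when CONFIG_PAX_KERNEXEC is off, where the asm never writes `%0`. _mmx_memcpy continues past the end of the hunk.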
20199 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
20200 static void fast_copy_page(void *to, void *from)
20201 {
20202 int i;
20203 + unsigned long cr0;
20204
20205 kernel_fpu_begin();
20206
20207 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
20208 * but that is for later. -AV
20209 */
20210 __asm__ __volatile__(
20211 - "1: prefetch (%0)\n"
20212 - " prefetch 64(%0)\n"
20213 - " prefetch 128(%0)\n"
20214 - " prefetch 192(%0)\n"
20215 - " prefetch 256(%0)\n"
20216 + "1: prefetch (%1)\n"
20217 + " prefetch 64(%1)\n"
20218 + " prefetch 128(%1)\n"
20219 + " prefetch 192(%1)\n"
20220 + " prefetch 256(%1)\n"
20221 "2: \n"
20222 ".section .fixup, \"ax\"\n"
20223 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20224 + "3: \n"
20225 +
20226 +#ifdef CONFIG_PAX_KERNEXEC
20227 + " movl %%cr0, %0\n"
20228 + " movl %0, %%eax\n"
20229 + " andl $0xFFFEFFFF, %%eax\n"
20230 + " movl %%eax, %%cr0\n"
20231 +#endif
20232 +
20233 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20234 +
20235 +#ifdef CONFIG_PAX_KERNEXEC
20236 + " movl %0, %%cr0\n"
20237 +#endif
20238 +
20239 " jmp 2b\n"
20240 ".previous\n"
20241 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20242 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20243
20244 for (i = 0; i < (4096-320)/64; i++) {
20245 __asm__ __volatile__ (
20246 - "1: prefetch 320(%0)\n"
20247 - "2: movq (%0), %%mm0\n"
20248 - " movntq %%mm0, (%1)\n"
20249 - " movq 8(%0), %%mm1\n"
20250 - " movntq %%mm1, 8(%1)\n"
20251 - " movq 16(%0), %%mm2\n"
20252 - " movntq %%mm2, 16(%1)\n"
20253 - " movq 24(%0), %%mm3\n"
20254 - " movntq %%mm3, 24(%1)\n"
20255 - " movq 32(%0), %%mm4\n"
20256 - " movntq %%mm4, 32(%1)\n"
20257 - " movq 40(%0), %%mm5\n"
20258 - " movntq %%mm5, 40(%1)\n"
20259 - " movq 48(%0), %%mm6\n"
20260 - " movntq %%mm6, 48(%1)\n"
20261 - " movq 56(%0), %%mm7\n"
20262 - " movntq %%mm7, 56(%1)\n"
20263 + "1: prefetch 320(%1)\n"
20264 + "2: movq (%1), %%mm0\n"
20265 + " movntq %%mm0, (%2)\n"
20266 + " movq 8(%1), %%mm1\n"
20267 + " movntq %%mm1, 8(%2)\n"
20268 + " movq 16(%1), %%mm2\n"
20269 + " movntq %%mm2, 16(%2)\n"
20270 + " movq 24(%1), %%mm3\n"
20271 + " movntq %%mm3, 24(%2)\n"
20272 + " movq 32(%1), %%mm4\n"
20273 + " movntq %%mm4, 32(%2)\n"
20274 + " movq 40(%1), %%mm5\n"
20275 + " movntq %%mm5, 40(%2)\n"
20276 + " movq 48(%1), %%mm6\n"
20277 + " movntq %%mm6, 48(%2)\n"
20278 + " movq 56(%1), %%mm7\n"
20279 + " movntq %%mm7, 56(%2)\n"
20280 ".section .fixup, \"ax\"\n"
20281 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20282 + "3:\n"
20283 +
20284 +#ifdef CONFIG_PAX_KERNEXEC
20285 + " movl %%cr0, %0\n"
20286 + " movl %0, %%eax\n"
20287 + " andl $0xFFFEFFFF, %%eax\n"
20288 + " movl %%eax, %%cr0\n"
20289 +#endif
20290 +
20291 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20292 +
20293 +#ifdef CONFIG_PAX_KERNEXEC
20294 + " movl %0, %%cr0\n"
20295 +#endif
20296 +
20297 " jmp 2b\n"
20298 ".previous\n"
20299 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
20300 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20301
20302 from += 64;
20303 to += 64;
20304 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
20305 static void fast_copy_page(void *to, void *from)
20306 {
20307 int i;
20308 + unsigned long cr0;
20309
20310 kernel_fpu_begin();
20311
20312 __asm__ __volatile__ (
20313 - "1: prefetch (%0)\n"
20314 - " prefetch 64(%0)\n"
20315 - " prefetch 128(%0)\n"
20316 - " prefetch 192(%0)\n"
20317 - " prefetch 256(%0)\n"
20318 + "1: prefetch (%1)\n"
20319 + " prefetch 64(%1)\n"
20320 + " prefetch 128(%1)\n"
20321 + " prefetch 192(%1)\n"
20322 + " prefetch 256(%1)\n"
20323 "2: \n"
20324 ".section .fixup, \"ax\"\n"
20325 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20326 + "3: \n"
20327 +
20328 +#ifdef CONFIG_PAX_KERNEXEC
20329 + " movl %%cr0, %0\n"
20330 + " movl %0, %%eax\n"
20331 + " andl $0xFFFEFFFF, %%eax\n"
20332 + " movl %%eax, %%cr0\n"
20333 +#endif
20334 +
20335 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20336 +
20337 +#ifdef CONFIG_PAX_KERNEXEC
20338 + " movl %0, %%cr0\n"
20339 +#endif
20340 +
20341 " jmp 2b\n"
20342 ".previous\n"
20343 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20344 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20345
20346 for (i = 0; i < 4096/64; i++) {
20347 __asm__ __volatile__ (
20348 - "1: prefetch 320(%0)\n"
20349 - "2: movq (%0), %%mm0\n"
20350 - " movq 8(%0), %%mm1\n"
20351 - " movq 16(%0), %%mm2\n"
20352 - " movq 24(%0), %%mm3\n"
20353 - " movq %%mm0, (%1)\n"
20354 - " movq %%mm1, 8(%1)\n"
20355 - " movq %%mm2, 16(%1)\n"
20356 - " movq %%mm3, 24(%1)\n"
20357 - " movq 32(%0), %%mm0\n"
20358 - " movq 40(%0), %%mm1\n"
20359 - " movq 48(%0), %%mm2\n"
20360 - " movq 56(%0), %%mm3\n"
20361 - " movq %%mm0, 32(%1)\n"
20362 - " movq %%mm1, 40(%1)\n"
20363 - " movq %%mm2, 48(%1)\n"
20364 - " movq %%mm3, 56(%1)\n"
20365 + "1: prefetch 320(%1)\n"
20366 + "2: movq (%1), %%mm0\n"
20367 + " movq 8(%1), %%mm1\n"
20368 + " movq 16(%1), %%mm2\n"
20369 + " movq 24(%1), %%mm3\n"
20370 + " movq %%mm0, (%2)\n"
20371 + " movq %%mm1, 8(%2)\n"
20372 + " movq %%mm2, 16(%2)\n"
20373 + " movq %%mm3, 24(%2)\n"
20374 + " movq 32(%1), %%mm0\n"
20375 + " movq 40(%1), %%mm1\n"
20376 + " movq 48(%1), %%mm2\n"
20377 + " movq 56(%1), %%mm3\n"
20378 + " movq %%mm0, 32(%2)\n"
20379 + " movq %%mm1, 40(%2)\n"
20380 + " movq %%mm2, 48(%2)\n"
20381 + " movq %%mm3, 56(%2)\n"
20382 ".section .fixup, \"ax\"\n"
20383 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20384 + "3:\n"
20385 +
20386 +#ifdef CONFIG_PAX_KERNEXEC
20387 + " movl %%cr0, %0\n"
20388 + " movl %0, %%eax\n"
20389 + " andl $0xFFFEFFFF, %%eax\n"
20390 + " movl %%eax, %%cr0\n"
20391 +#endif
20392 +
20393 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20394 +
20395 +#ifdef CONFIG_PAX_KERNEXEC
20396 + " movl %0, %%cr0\n"
20397 +#endif
20398 +
20399 " jmp 2b\n"
20400 ".previous\n"
20401 _ASM_EXTABLE(1b, 3b)
20402 - : : "r" (from), "r" (to) : "memory");
20403 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20404
20405 from += 64;
20406 to += 64;
20407 diff -urNp linux-2.6.39.3/arch/x86/lib/putuser.S linux-2.6.39.3/arch/x86/lib/putuser.S
20408 --- linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-19 00:06:34.000000000 -0400
20409 +++ linux-2.6.39.3/arch/x86/lib/putuser.S 2011-05-22 19:36:30.000000000 -0400
20410 @@ -15,7 +15,8 @@
20411 #include <asm/thread_info.h>
20412 #include <asm/errno.h>
20413 #include <asm/asm.h>
20414 -
20415 +#include <asm/segment.h>
20416 +#include <asm/pgtable.h>
20417
20418 /*
20419 * __put_user_X
20420 @@ -29,52 +30,119 @@
20421 * as they get called from within inline assembly.
20422 */
20423
20424 -#define ENTER CFI_STARTPROC ; \
20425 - GET_THREAD_INFO(%_ASM_BX)
20426 +#define ENTER CFI_STARTPROC
20427 #define EXIT ret ; \
20428 CFI_ENDPROC
20429
20430 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20431 +#define _DEST %_ASM_CX,%_ASM_BX
20432 +#else
20433 +#define _DEST %_ASM_CX
20434 +#endif
20435 +
20436 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20437 +#define __copyuser_seg gs;
20438 +#else
20439 +#define __copyuser_seg
20440 +#endif
20441 +
20442 .text
20443 ENTRY(__put_user_1)
20444 ENTER
20445 +
20446 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20447 + GET_THREAD_INFO(%_ASM_BX)
20448 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20449 jae bad_put_user
20450 -1: movb %al,(%_ASM_CX)
20451 +
20452 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20453 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20454 + cmp %_ASM_BX,%_ASM_CX
20455 + jb 1234f
20456 + xor %ebx,%ebx
20457 +1234:
20458 +#endif
20459 +
20460 +#endif
20461 +
20462 +1: __copyuser_seg movb %al,(_DEST)
20463 xor %eax,%eax
20464 EXIT
20465 ENDPROC(__put_user_1)
20466
20467 ENTRY(__put_user_2)
20468 ENTER
20469 +
20470 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20471 + GET_THREAD_INFO(%_ASM_BX)
20472 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20473 sub $1,%_ASM_BX
20474 cmp %_ASM_BX,%_ASM_CX
20475 jae bad_put_user
20476 -2: movw %ax,(%_ASM_CX)
20477 +
20478 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20479 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20480 + cmp %_ASM_BX,%_ASM_CX
20481 + jb 1234f
20482 + xor %ebx,%ebx
20483 +1234:
20484 +#endif
20485 +
20486 +#endif
20487 +
20488 +2: __copyuser_seg movw %ax,(_DEST)
20489 xor %eax,%eax
20490 EXIT
20491 ENDPROC(__put_user_2)
20492
20493 ENTRY(__put_user_4)
20494 ENTER
20495 +
20496 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20497 + GET_THREAD_INFO(%_ASM_BX)
20498 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20499 sub $3,%_ASM_BX
20500 cmp %_ASM_BX,%_ASM_CX
20501 jae bad_put_user
20502 -3: movl %eax,(%_ASM_CX)
20503 +
20504 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20505 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20506 + cmp %_ASM_BX,%_ASM_CX
20507 + jb 1234f
20508 + xor %ebx,%ebx
20509 +1234:
20510 +#endif
20511 +
20512 +#endif
20513 +
20514 +3: __copyuser_seg movl %eax,(_DEST)
20515 xor %eax,%eax
20516 EXIT
20517 ENDPROC(__put_user_4)
20518
20519 ENTRY(__put_user_8)
20520 ENTER
20521 +
20522 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20523 + GET_THREAD_INFO(%_ASM_BX)
20524 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20525 sub $7,%_ASM_BX
20526 cmp %_ASM_BX,%_ASM_CX
20527 jae bad_put_user
20528 -4: mov %_ASM_AX,(%_ASM_CX)
20529 +
20530 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20531 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20532 + cmp %_ASM_BX,%_ASM_CX
20533 + jb 1234f
20534 + xor %ebx,%ebx
20535 +1234:
20536 +#endif
20537 +
20538 +#endif
20539 +
20540 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20541 #ifdef CONFIG_X86_32
20542 -5: movl %edx,4(%_ASM_CX)
20543 +5: __copyuser_seg movl %edx,4(_DEST)
20544 #endif
20545 xor %eax,%eax
20546 EXIT
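Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` on x86-64 UDEREF, so every store depends on `%_ASM_BX` holding either `PAX_USER_SHADOW_BASE` or zero when labels 1 to 4 are reached, and that contract is only visible by reading each routine. A comment at the macro, e.g. `/* x86-64 UDEREF: %_ASM_BX is the index register, shadow base for user pointers, 0 otherwise */`, would protect it from a later edit that reuses the register. getuser.S reaches the same result by adding the base into the address register, so the two files now differ in approach for no stated reason. `GET_THREAD_INFO` moved out of `ENTER` into each routine's `#if`; the register notes in the file's header comment (partly outside the hunk) may need updating to match.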
20547 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_32.c linux-2.6.39.3/arch/x86/lib/usercopy_32.c
20548 --- linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-19 00:06:34.000000000 -0400
20549 +++ linux-2.6.39.3/arch/x86/lib/usercopy_32.c 2011-05-22 19:36:30.000000000 -0400
20550 @@ -43,7 +43,7 @@ do { \
20551 __asm__ __volatile__( \
20552 " testl %1,%1\n" \
20553 " jz 2f\n" \
20554 - "0: lodsb\n" \
20555 + "0: "__copyuser_seg"lodsb\n" \
20556 " stosb\n" \
20557 " testb %%al,%%al\n" \
20558 " jz 1f\n" \
20559 @@ -128,10 +128,12 @@ do { \
20560 int __d0; \
20561 might_fault(); \
20562 __asm__ __volatile__( \
20563 + __COPYUSER_SET_ES \
20564 "0: rep; stosl\n" \
20565 " movl %2,%0\n" \
20566 "1: rep; stosb\n" \
20567 "2:\n" \
20568 + __COPYUSER_RESTORE_ES \
20569 ".section .fixup,\"ax\"\n" \
20570 "3: lea 0(%2,%0,4),%0\n" \
20571 " jmp 2b\n" \
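Review bot: `__COPYUSER_RESTORE_ES` is only correct here because it sits after label 2, which the fixup at label 3 jumps back to, so the faulting path restores %es as well; that placement is easy to break and is not commented. I would add `/* restore must stay after 2: so the .fixup path also runs it */` next to it. The strnlen_user hunks that follow rely on the same arrangement around label 1. Neither macro's definition is in view, so what they do to %es is inferred from the names.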
20572 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20573 might_fault();
20574
20575 __asm__ __volatile__(
20576 + __COPYUSER_SET_ES
20577 " testl %0, %0\n"
20578 " jz 3f\n"
20579 " andl %0,%%ecx\n"
20580 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20581 " subl %%ecx,%0\n"
20582 " addl %0,%%eax\n"
20583 "1:\n"
20584 + __COPYUSER_RESTORE_ES
20585 ".section .fixup,\"ax\"\n"
20586 "2: xorl %%eax,%%eax\n"
20587 " jmp 1b\n"
20588 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20589
20590 #ifdef CONFIG_X86_INTEL_USERCOPY
20591 static unsigned long
20592 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20593 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20594 {
20595 int d0, d1;
20596 __asm__ __volatile__(
20597 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20598 " .align 2,0x90\n"
20599 "3: movl 0(%4), %%eax\n"
20600 "4: movl 4(%4), %%edx\n"
20601 - "5: movl %%eax, 0(%3)\n"
20602 - "6: movl %%edx, 4(%3)\n"
20603 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20604 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20605 "7: movl 8(%4), %%eax\n"
20606 "8: movl 12(%4),%%edx\n"
20607 - "9: movl %%eax, 8(%3)\n"
20608 - "10: movl %%edx, 12(%3)\n"
20609 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20610 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20611 "11: movl 16(%4), %%eax\n"
20612 "12: movl 20(%4), %%edx\n"
20613 - "13: movl %%eax, 16(%3)\n"
20614 - "14: movl %%edx, 20(%3)\n"
20615 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20616 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20617 "15: movl 24(%4), %%eax\n"
20618 "16: movl 28(%4), %%edx\n"
20619 - "17: movl %%eax, 24(%3)\n"
20620 - "18: movl %%edx, 28(%3)\n"
20621 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20622 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20623 "19: movl 32(%4), %%eax\n"
20624 "20: movl 36(%4), %%edx\n"
20625 - "21: movl %%eax, 32(%3)\n"
20626 - "22: movl %%edx, 36(%3)\n"
20627 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20628 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20629 "23: movl 40(%4), %%eax\n"
20630 "24: movl 44(%4), %%edx\n"
20631 - "25: movl %%eax, 40(%3)\n"
20632 - "26: movl %%edx, 44(%3)\n"
20633 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20634 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20635 "27: movl 48(%4), %%eax\n"
20636 "28: movl 52(%4), %%edx\n"
20637 - "29: movl %%eax, 48(%3)\n"
20638 - "30: movl %%edx, 52(%3)\n"
20639 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20640 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20641 "31: movl 56(%4), %%eax\n"
20642 "32: movl 60(%4), %%edx\n"
20643 - "33: movl %%eax, 56(%3)\n"
20644 - "34: movl %%edx, 60(%3)\n"
20645 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20646 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20647 " addl $-64, %0\n"
20648 " addl $64, %4\n"
20649 " addl $64, %3\n"
20650 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20651 " shrl $2, %0\n"
20652 " andl $3, %%eax\n"
20653 " cld\n"
20654 + __COPYUSER_SET_ES
20655 "99: rep; movsl\n"
20656 "36: movl %%eax, %0\n"
20657 "37: rep; movsb\n"
20658 "100:\n"
20659 + __COPYUSER_RESTORE_ES
20660 + ".section .fixup,\"ax\"\n"
20661 + "101: lea 0(%%eax,%0,4),%0\n"
20662 + " jmp 100b\n"
20663 + ".previous\n"
20664 + ".section __ex_table,\"a\"\n"
20665 + " .align 4\n"
20666 + " .long 1b,100b\n"
20667 + " .long 2b,100b\n"
20668 + " .long 3b,100b\n"
20669 + " .long 4b,100b\n"
20670 + " .long 5b,100b\n"
20671 + " .long 6b,100b\n"
20672 + " .long 7b,100b\n"
20673 + " .long 8b,100b\n"
20674 + " .long 9b,100b\n"
20675 + " .long 10b,100b\n"
20676 + " .long 11b,100b\n"
20677 + " .long 12b,100b\n"
20678 + " .long 13b,100b\n"
20679 + " .long 14b,100b\n"
20680 + " .long 15b,100b\n"
20681 + " .long 16b,100b\n"
20682 + " .long 17b,100b\n"
20683 + " .long 18b,100b\n"
20684 + " .long 19b,100b\n"
20685 + " .long 20b,100b\n"
20686 + " .long 21b,100b\n"
20687 + " .long 22b,100b\n"
20688 + " .long 23b,100b\n"
20689 + " .long 24b,100b\n"
20690 + " .long 25b,100b\n"
20691 + " .long 26b,100b\n"
20692 + " .long 27b,100b\n"
20693 + " .long 28b,100b\n"
20694 + " .long 29b,100b\n"
20695 + " .long 30b,100b\n"
20696 + " .long 31b,100b\n"
20697 + " .long 32b,100b\n"
20698 + " .long 33b,100b\n"
20699 + " .long 34b,100b\n"
20700 + " .long 35b,100b\n"
20701 + " .long 36b,100b\n"
20702 + " .long 37b,100b\n"
20703 + " .long 99b,101b\n"
20704 + ".previous"
20705 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20706 + : "1"(to), "2"(from), "0"(size)
20707 + : "eax", "edx", "memory");
20708 + return size;
20709 +}
20710 +
20711 +static unsigned long
20712 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20713 +{
20714 + int d0, d1;
20715 + __asm__ __volatile__(
20716 + " .align 2,0x90\n"
20717 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20718 + " cmpl $67, %0\n"
20719 + " jbe 3f\n"
20720 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20721 + " .align 2,0x90\n"
20722 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20723 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20724 + "5: movl %%eax, 0(%3)\n"
20725 + "6: movl %%edx, 4(%3)\n"
20726 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20727 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20728 + "9: movl %%eax, 8(%3)\n"
20729 + "10: movl %%edx, 12(%3)\n"
20730 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20731 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20732 + "13: movl %%eax, 16(%3)\n"
20733 + "14: movl %%edx, 20(%3)\n"
20734 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20735 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20736 + "17: movl %%eax, 24(%3)\n"
20737 + "18: movl %%edx, 28(%3)\n"
20738 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20739 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20740 + "21: movl %%eax, 32(%3)\n"
20741 + "22: movl %%edx, 36(%3)\n"
20742 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20743 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20744 + "25: movl %%eax, 40(%3)\n"
20745 + "26: movl %%edx, 44(%3)\n"
20746 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20747 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20748 + "29: movl %%eax, 48(%3)\n"
20749 + "30: movl %%edx, 52(%3)\n"
20750 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20751 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20752 + "33: movl %%eax, 56(%3)\n"
20753 + "34: movl %%edx, 60(%3)\n"
20754 + " addl $-64, %0\n"
20755 + " addl $64, %4\n"
20756 + " addl $64, %3\n"
20757 + " cmpl $63, %0\n"
20758 + " ja 1b\n"
20759 + "35: movl %0, %%eax\n"
20760 + " shrl $2, %0\n"
20761 + " andl $3, %%eax\n"
20762 + " cld\n"
20763 + "99: rep; "__copyuser_seg" movsl\n"
20764 + "36: movl %%eax, %0\n"
20765 + "37: rep; "__copyuser_seg" movsb\n"
20766 + "100:\n"
20767 ".section .fixup,\"ax\"\n"
20768 "101: lea 0(%%eax,%0,4),%0\n"
20769 " jmp 100b\n"
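Review bot: In __generic_copy_to_user_intel the `__ex_table` entries for labels 1 to 35 land on `100b`, which now falls into `__COPYUSER_RESTORE_ES`, yet `__COPYUSER_SET_ES` is only executed just before label 99, so a fault in the unrolled loop runs the restore without the set. That is harmless only if the restore is unconditional and not the second half of a save/restore pair; the macro definitions are not visible here, so a comment stating this next to `100:` would help. The new __generic_copy_from_user_intel returns the uncopied byte count and, as far as the hunk shows, does not zero the rest of `to` on a fault, unlike what the name `__copy_user_zeroing_intel` implies for its sibling. A header comment saying callers must not expose the destination after a short copy would make that explicit. Apart from which side carries `__copyuser_seg`, the two routines are the same hundred lines.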
20770 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20771 int d0, d1;
20772 __asm__ __volatile__(
20773 " .align 2,0x90\n"
20774 - "0: movl 32(%4), %%eax\n"
20775 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20776 " cmpl $67, %0\n"
20777 " jbe 2f\n"
20778 - "1: movl 64(%4), %%eax\n"
20779 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20780 " .align 2,0x90\n"
20781 - "2: movl 0(%4), %%eax\n"
20782 - "21: movl 4(%4), %%edx\n"
20783 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20784 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20785 " movl %%eax, 0(%3)\n"
20786 " movl %%edx, 4(%3)\n"
20787 - "3: movl 8(%4), %%eax\n"
20788 - "31: movl 12(%4),%%edx\n"
20789 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20790 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20791 " movl %%eax, 8(%3)\n"
20792 " movl %%edx, 12(%3)\n"
20793 - "4: movl 16(%4), %%eax\n"
20794 - "41: movl 20(%4), %%edx\n"
20795 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20796 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20797 " movl %%eax, 16(%3)\n"
20798 " movl %%edx, 20(%3)\n"
20799 - "10: movl 24(%4), %%eax\n"
20800 - "51: movl 28(%4), %%edx\n"
20801 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20802 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20803 " movl %%eax, 24(%3)\n"
20804 " movl %%edx, 28(%3)\n"
20805 - "11: movl 32(%4), %%eax\n"
20806 - "61: movl 36(%4), %%edx\n"
20807 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20808 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20809 " movl %%eax, 32(%3)\n"
20810 " movl %%edx, 36(%3)\n"
20811 - "12: movl 40(%4), %%eax\n"
20812 - "71: movl 44(%4), %%edx\n"
20813 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20814 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20815 " movl %%eax, 40(%3)\n"
20816 " movl %%edx, 44(%3)\n"
20817 - "13: movl 48(%4), %%eax\n"
20818 - "81: movl 52(%4), %%edx\n"
20819 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20820 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20821 " movl %%eax, 48(%3)\n"
20822 " movl %%edx, 52(%3)\n"
20823 - "14: movl 56(%4), %%eax\n"
20824 - "91: movl 60(%4), %%edx\n"
20825 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20826 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20827 " movl %%eax, 56(%3)\n"
20828 " movl %%edx, 60(%3)\n"
20829 " addl $-64, %0\n"
20830 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20831 " shrl $2, %0\n"
20832 " andl $3, %%eax\n"
20833 " cld\n"
20834 - "6: rep; movsl\n"
20835 + "6: rep; "__copyuser_seg" movsl\n"
20836 " movl %%eax,%0\n"
20837 - "7: rep; movsb\n"
20838 + "7: rep; "__copyuser_seg" movsb\n"
20839 "8:\n"
20840 ".section .fixup,\"ax\"\n"
20841 "9: lea 0(%%eax,%0,4),%0\n"
20842 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20843
20844 __asm__ __volatile__(
20845 " .align 2,0x90\n"
20846 - "0: movl 32(%4), %%eax\n"
20847 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20848 " cmpl $67, %0\n"
20849 " jbe 2f\n"
20850 - "1: movl 64(%4), %%eax\n"
20851 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20852 " .align 2,0x90\n"
20853 - "2: movl 0(%4), %%eax\n"
20854 - "21: movl 4(%4), %%edx\n"
20855 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20856 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20857 " movnti %%eax, 0(%3)\n"
20858 " movnti %%edx, 4(%3)\n"
20859 - "3: movl 8(%4), %%eax\n"
20860 - "31: movl 12(%4),%%edx\n"
20861 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20862 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20863 " movnti %%eax, 8(%3)\n"
20864 " movnti %%edx, 12(%3)\n"
20865 - "4: movl 16(%4), %%eax\n"
20866 - "41: movl 20(%4), %%edx\n"
20867 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20868 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20869 " movnti %%eax, 16(%3)\n"
20870 " movnti %%edx, 20(%3)\n"
20871 - "10: movl 24(%4), %%eax\n"
20872 - "51: movl 28(%4), %%edx\n"
20873 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20874 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20875 " movnti %%eax, 24(%3)\n"
20876 " movnti %%edx, 28(%3)\n"
20877 - "11: movl 32(%4), %%eax\n"
20878 - "61: movl 36(%4), %%edx\n"
20879 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20880 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20881 " movnti %%eax, 32(%3)\n"
20882 " movnti %%edx, 36(%3)\n"
20883 - "12: movl 40(%4), %%eax\n"
20884 - "71: movl 44(%4), %%edx\n"
20885 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20886 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20887 " movnti %%eax, 40(%3)\n"
20888 " movnti %%edx, 44(%3)\n"
20889 - "13: movl 48(%4), %%eax\n"
20890 - "81: movl 52(%4), %%edx\n"
20891 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20892 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20893 " movnti %%eax, 48(%3)\n"
20894 " movnti %%edx, 52(%3)\n"
20895 - "14: movl 56(%4), %%eax\n"
20896 - "91: movl 60(%4), %%edx\n"
20897 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20898 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20899 " movnti %%eax, 56(%3)\n"
20900 " movnti %%edx, 60(%3)\n"
20901 " addl $-64, %0\n"
20902 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20903 " shrl $2, %0\n"
20904 " andl $3, %%eax\n"
20905 " cld\n"
20906 - "6: rep; movsl\n"
20907 + "6: rep; "__copyuser_seg" movsl\n"
20908 " movl %%eax,%0\n"
20909 - "7: rep; movsb\n"
20910 + "7: rep; "__copyuser_seg" movsb\n"
20911 "8:\n"
20912 ".section .fixup,\"ax\"\n"
20913 "9: lea 0(%%eax,%0,4),%0\n"
20914 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20915
20916 __asm__ __volatile__(
20917 " .align 2,0x90\n"
20918 - "0: movl 32(%4), %%eax\n"
20919 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20920 " cmpl $67, %0\n"
20921 " jbe 2f\n"
20922 - "1: movl 64(%4), %%eax\n"
20923 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20924 " .align 2,0x90\n"
20925 - "2: movl 0(%4), %%eax\n"
20926 - "21: movl 4(%4), %%edx\n"
20927 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20928 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20929 " movnti %%eax, 0(%3)\n"
20930 " movnti %%edx, 4(%3)\n"
20931 - "3: movl 8(%4), %%eax\n"
20932 - "31: movl 12(%4),%%edx\n"
20933 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20934 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20935 " movnti %%eax, 8(%3)\n"
20936 " movnti %%edx, 12(%3)\n"
20937 - "4: movl 16(%4), %%eax\n"
20938 - "41: movl 20(%4), %%edx\n"
20939 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20940 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20941 " movnti %%eax, 16(%3)\n"
20942 " movnti %%edx, 20(%3)\n"
20943 - "10: movl 24(%4), %%eax\n"
20944 - "51: movl 28(%4), %%edx\n"
20945 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20946 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20947 " movnti %%eax, 24(%3)\n"
20948 " movnti %%edx, 28(%3)\n"
20949 - "11: movl 32(%4), %%eax\n"
20950 - "61: movl 36(%4), %%edx\n"
20951 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20952 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20953 " movnti %%eax, 32(%3)\n"
20954 " movnti %%edx, 36(%3)\n"
20955 - "12: movl 40(%4), %%eax\n"
20956 - "71: movl 44(%4), %%edx\n"
20957 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20958 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20959 " movnti %%eax, 40(%3)\n"
20960 " movnti %%edx, 44(%3)\n"
20961 - "13: movl 48(%4), %%eax\n"
20962 - "81: movl 52(%4), %%edx\n"
20963 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20964 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20965 " movnti %%eax, 48(%3)\n"
20966 " movnti %%edx, 52(%3)\n"
20967 - "14: movl 56(%4), %%eax\n"
20968 - "91: movl 60(%4), %%edx\n"
20969 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20970 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20971 " movnti %%eax, 56(%3)\n"
20972 " movnti %%edx, 60(%3)\n"
20973 " addl $-64, %0\n"
20974 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20975 " shrl $2, %0\n"
20976 " andl $3, %%eax\n"
20977 " cld\n"
20978 - "6: rep; movsl\n"
20979 + "6: rep; "__copyuser_seg" movsl\n"
20980 " movl %%eax,%0\n"
20981 - "7: rep; movsb\n"
20982 + "7: rep; "__copyuser_seg" movsb\n"
20983 "8:\n"
20984 ".section .fixup,\"ax\"\n"
20985 "9: lea 0(%%eax,%0,4),%0\n"
20986 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20987 */
20988 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20989 unsigned long size);
20990 -unsigned long __copy_user_intel(void __user *to, const void *from,
20991 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20992 + unsigned long size);
20993 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20994 unsigned long size);
20995 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20996 const void __user *from, unsigned long size);
20997 #endif /* CONFIG_X86_INTEL_USERCOPY */
20998
20999 /* Generic arbitrary sized copy. */
21000 -#define __copy_user(to, from, size) \
21001 +#define __copy_user(to, from, size, prefix, set, restore) \
21002 do { \
21003 int __d0, __d1, __d2; \
21004 __asm__ __volatile__( \
21005 + set \
21006 " cmp $7,%0\n" \
21007 " jbe 1f\n" \
21008 " movl %1,%0\n" \
21009 " negl %0\n" \
21010 " andl $7,%0\n" \
21011 " subl %0,%3\n" \
21012 - "4: rep; movsb\n" \
21013 + "4: rep; "prefix"movsb\n" \
21014 " movl %3,%0\n" \
21015 " shrl $2,%0\n" \
21016 " andl $3,%3\n" \
21017 " .align 2,0x90\n" \
21018 - "0: rep; movsl\n" \
21019 + "0: rep; "prefix"movsl\n" \
21020 " movl %3,%0\n" \
21021 - "1: rep; movsb\n" \
21022 + "1: rep; "prefix"movsb\n" \
21023 "2:\n" \
21024 + restore \
21025 ".section .fixup,\"ax\"\n" \
21026 "5: addl %3,%0\n" \
21027 " jmp 2b\n" \
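Review bot: The three new `__copy_user` parameters (`prefix`, `set`, `restore`) are string fragments pasted straight into the asm template, and the macro has no comment saying what each must contain. `prefix` lands directly before the mnemonic in `"rep; "prefix"movsb"`, so it has to be empty or a complete prefix that the assembler accepts without a following space, and `restore` sits after label `2:`, so the `.fixup` path's `jmp 2b` runs it as well. I would add above the macro: `/* prefix: segment override for the movs source, or ""; set/restore: asm emitted before the copy and at label 2 (also reached from .fixup), or "" */`. The macro body continues past the end of this hunk.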
21028 @@ -682,14 +799,14 @@ do { \
21029 " negl %0\n" \
21030 " andl $7,%0\n" \
21031 " subl %0,%3\n" \
21032 - "4: rep; movsb\n" \
21033 + "4: rep; "__copyuser_seg"movsb\n" \
21034 " movl %3,%0\n" \
21035 " shrl $2,%0\n" \
21036 " andl $3,%3\n" \
21037 " .align 2,0x90\n" \
21038 - "0: rep; movsl\n" \
21039 + "0: rep; "__copyuser_seg"movsl\n" \
21040 " movl %3,%0\n" \
21041 - "1: rep; movsb\n" \
21042 + "1: rep; "__copyuser_seg"movsb\n" \
21043 "2:\n" \
21044 ".section .fixup,\"ax\"\n" \
21045 "5: addl %3,%0\n" \
21046 @@ -775,9 +892,9 @@ survive:
21047 }
21048 #endif
21049 if (movsl_is_ok(to, from, n))
21050 - __copy_user(to, from, n);
21051 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
21052 else
21053 - n = __copy_user_intel(to, from, n);
21054 + n = __generic_copy_to_user_intel(to, from, n);
21055 return n;
21056 }
21057 EXPORT_SYMBOL(__copy_to_user_ll);
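Review bot: The call in `__copy_to_user_ll` passes `"", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES`, while the from-user callers in the next two hunks (`__copy_from_user_ll_nozero`, `__copy_from_user_ll_nocache_nozero`) pass `__copyuser_seg, "", ""`, and nothing explains the asymmetry. x86 string instructions always write through ES:(E)DI and only the source segment accepts an override prefix, which is presumably why the to-user path swaps ES instead; the macro definitions are not in this hunk, so that should be confirmed. A one-line comment at this call would save the next auditor the lookup: `/* movs destination is fixed to %es, so to-user copies switch %es rather than prefix the instruction */`.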
21058 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
21059 unsigned long n)
21060 {
21061 if (movsl_is_ok(to, from, n))
21062 - __copy_user(to, from, n);
21063 + __copy_user(to, from, n, __copyuser_seg, "", "");
21064 else
21065 - n = __copy_user_intel((void __user *)to,
21066 - (const void *)from, n);
21067 + n = __generic_copy_from_user_intel(to, from, n);
21068 return n;
21069 }
21070 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
21071 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
21072 if (n > 64 && cpu_has_xmm2)
21073 n = __copy_user_intel_nocache(to, from, n);
21074 else
21075 - __copy_user(to, from, n);
21076 + __copy_user(to, from, n, __copyuser_seg, "", "");
21077 #else
21078 - __copy_user(to, from, n);
21079 + __copy_user(to, from, n, __copyuser_seg, "", "");
21080 #endif
21081 return n;
21082 }
21083 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
21084
21085 -/**
21086 - * copy_to_user: - Copy a block of data into user space.
21087 - * @to: Destination address, in user space.
21088 - * @from: Source address, in kernel space.
21089 - * @n: Number of bytes to copy.
21090 - *
21091 - * Context: User context only. This function may sleep.
21092 - *
21093 - * Copy data from kernel space to user space.
21094 - *
21095 - * Returns number of bytes that could not be copied.
21096 - * On success, this will be zero.
21097 - */
21098 -unsigned long
21099 -copy_to_user(void __user *to, const void *from, unsigned long n)
21100 +void copy_from_user_overflow(void)
21101 {
21102 - if (access_ok(VERIFY_WRITE, to, n))
21103 - n = __copy_to_user(to, from, n);
21104 - return n;
21105 + WARN(1, "Buffer overflow detected!\n");
21106 }
21107 -EXPORT_SYMBOL(copy_to_user);
21108 +EXPORT_SYMBOL(copy_from_user_overflow);
21109
21110 -/**
21111 - * copy_from_user: - Copy a block of data from user space.
21112 - * @to: Destination address, in kernel space.
21113 - * @from: Source address, in user space.
21114 - * @n: Number of bytes to copy.
21115 - *
21116 - * Context: User context only. This function may sleep.
21117 - *
21118 - * Copy data from user space to kernel space.
21119 - *
21120 - * Returns number of bytes that could not be copied.
21121 - * On success, this will be zero.
21122 - *
21123 - * If some data could not be copied, this function will pad the copied
21124 - * data to the requested size using zero bytes.
21125 - */
21126 -unsigned long
21127 -_copy_from_user(void *to, const void __user *from, unsigned long n)
21128 +void copy_to_user_overflow(void)
21129 {
21130 - if (access_ok(VERIFY_READ, from, n))
21131 - n = __copy_from_user(to, from, n);
21132 - else
21133 - memset(to, 0, n);
21134 - return n;
21135 + WARN(1, "Buffer overflow detected!\n");
21136 }
21137 -EXPORT_SYMBOL(_copy_from_user);
21138 +EXPORT_SYMBOL(copy_to_user_overflow);
21139
21140 -void copy_from_user_overflow(void)
21141 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21142 +void __set_fs(mm_segment_t x)
21143 {
21144 - WARN(1, "Buffer overflow detected!\n");
21145 + switch (x.seg) {
21146 + case 0:
21147 + loadsegment(gs, 0);
21148 + break;
21149 + case TASK_SIZE_MAX:
21150 + loadsegment(gs, __USER_DS);
21151 + break;
21152 + case -1UL:
21153 + loadsegment(gs, __KERNEL_DS);
21154 + break;
21155 + default:
21156 + BUG();
21157 + }
21158 + return;
21159 }
21160 -EXPORT_SYMBOL(copy_from_user_overflow);
21161 +EXPORT_SYMBOL(__set_fs);
21162 +
21163 +void set_fs(mm_segment_t x)
21164 +{
21165 + current_thread_info()->addr_limit = x;
21166 + __set_fs(x);
21167 +}
21168 +EXPORT_SYMBOL(set_fs);
21169 +#endif
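Review bot: `__set_fs` maps three bare limit values (`0`, `TASK_SIZE_MAX`, `-1UL`) to %gs selectors and calls `BUG()` on anything else, but no comment names the `mm_segment_t` constants those values stand for or says why %gs is the register being loaded. Because `set_fs` stores `addr_limit` before `__set_fs` validates the value, an unexpected limit is already recorded when the `BUG()` fires; calling `__set_fs(x);` first, or a comment on why the order is harmless, would make that explicit. A comment above the switch along the lines of `/* only the three known limits are valid; anything else is a kernel bug */` would do, and the trailing `return;` in the void function can be dropped. The kerneldoc blocks deleted with `copy_to_user`/`_copy_from_user` should follow those functions to wherever they are now defined, which is not visible in this hunk.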
21170 diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_64.c linux-2.6.39.3/arch/x86/lib/usercopy_64.c
21171 --- linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-19 00:06:34.000000000 -0400
21172 +++ linux-2.6.39.3/arch/x86/lib/usercopy_64.c 2011-05-22 19:36:30.000000000 -0400
21173 @@ -42,6 +42,12 @@ long
21174 __strncpy_from_user(char *dst, const char __user *src, long count)
21175 {
21176 long res;
21177 +
21178 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21179 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
21180 + src += PAX_USER_SHADOW_BASE;
21181 +#endif
21182 +
21183 __do_strncpy_from_user(dst, src, count, res);
21184 return res;
21185 }
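Review bot: The shadow-base remap added here, `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;`, is open-coded again in the `__clear_user` and `copy_in_user` hunks below (four copies in this file), each under its own `#ifdef CONFIG_PAX_MEMORY_UDEREF`. A single helper defined next to `PAX_USER_SHADOW_BASE` would keep the rule in one place and let the call sites drop the `#ifdef`. It should also document the other branch: a pointer at or above `PAX_USER_SHADOW_BASE` is passed through untouched, and from these hunks alone it is not clear whether callers guarantee that such a pointer is already a shadow address.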
21186 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
21187 {
21188 long __d0;
21189 might_fault();
21190 +
21191 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21192 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
21193 + addr += PAX_USER_SHADOW_BASE;
21194 +#endif
21195 +
21196 /* no memory constraint because it doesn't change any memory gcc knows
21197 about */
21198 asm volatile(
21199 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
21200
21201 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
21202 {
21203 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21204 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21205 +
21206 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21207 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
21208 + to += PAX_USER_SHADOW_BASE;
21209 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
21210 + from += PAX_USER_SHADOW_BASE;
21211 +#endif
21212 +
21213 return copy_user_generic((__force void *)to, (__force void *)from, len);
21214 - }
21215 - return len;
21216 + }
21217 + return len;
21218 }
21219 EXPORT_SYMBOL(copy_in_user);
21220
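Review bot: The `if (access_ok(...)) {`, `}` and `return len;` lines of `copy_in_user` are removed and re-added with what appears in this rendering to be identical text, so the change to them looks like whitespace only. Indentation churn inside a hunk that also adds the UDEREF remap makes the functional change harder to pick out during an audit. I would keep the original indentation of those three lines so that only the added `#ifdef` block shows up in the diff.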
21221 diff -urNp linux-2.6.39.3/arch/x86/Makefile linux-2.6.39.3/arch/x86/Makefile
21222 --- linux-2.6.39.3/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400
21223 +++ linux-2.6.39.3/arch/x86/Makefile 2011-07-19 18:16:36.000000000 -0400
21224 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
21225 else
21226 BITS := 64
21227 UTS_MACHINE := x86_64
21228 + biarch := $(call cc-option,-m64)
21229 CHECKFLAGS += -D__x86_64__ -m64
21230
21231 KBUILD_AFLAGS += -m64
21232 @@ -195,3 +196,12 @@ define archhelp
21233 echo ' FDARGS="..." arguments for the booted kernel'
21234 echo ' FDINITRD=file initrd for the booted kernel'
21235 endef
21236 +
21237 +define OLD_LD
21238 +
21239 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
21240 +*** Please upgrade your binutils to 2.18 or newer
21241 +endef
21242 +
21243 +archprepare:
21244 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
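Review bot: The `archprepare` check tests whether `LDFLAGS_BUILD_ID` is non-empty, while the `OLD_LD` message it prints talks about binutils older than 2.18, and nothing in the hunk ties the two together. `LDFLAGS_BUILD_ID` is set outside this file section, so I am assuming it is used as a stand-in for linker age. A comment such as `# LDFLAGS_BUILD_ID is empty when ld lacks --build-id; used here as a proxy for binutils < 2.18` above `archprepare:` would make the intent checkable.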
21245 diff -urNp linux-2.6.39.3/arch/x86/mm/extable.c linux-2.6.39.3/arch/x86/mm/extable.c
21246 --- linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-19 00:06:34.000000000 -0400
21247 +++ linux-2.6.39.3/arch/x86/mm/extable.c 2011-05-22 19:36:30.000000000 -0400
21248 @@ -1,14 +1,71 @@
21249 #include <linux/module.h>
21250 #include <linux/spinlock.h>
21251 +#include <linux/sort.h>
21252 #include <asm/uaccess.h>
21253 +#include <asm/pgtable.h>
21254
21255 +/*
21256 + * The exception table needs to be sorted so that the binary
21257 + * search that we use to find entries in it works properly.
21258 + * This is used both for the kernel exception table and for
21259 + * the exception tables of modules that get loaded.
21260 + */
21261 +static int cmp_ex(const void *a, const void *b)
21262 +{
21263 + const struct exception_table_entry *x = a, *y = b;
21264 +
21265 + /* avoid overflow */
21266 + if (x->insn > y->insn)
21267 + return 1;
21268 + if (x->insn < y->insn)
21269 + return -1;
21270 + return 0;
21271 +}
21272 +
21273 +static void swap_ex(void *a, void *b, int size)
21274 +{
21275 + struct exception_table_entry t, *x = a, *y = b;
21276 +
21277 + t = *x;
21278 +
21279 + pax_open_kernel();
21280 + *x = *y;
21281 + *y = t;
21282 + pax_close_kernel();
21283 +}
21284 +
21285 +void sort_extable(struct exception_table_entry *start,
21286 + struct exception_table_entry *finish)
21287 +{
21288 + sort(start, finish - start, sizeof(struct exception_table_entry),
21289 + cmp_ex, swap_ex);
21290 +}
21291 +
21292 +#ifdef CONFIG_MODULES
21293 +/*
21294 + * If the exception table is sorted, any referring to the module init
21295 + * will be at the beginning or the end.
21296 + */
21297 +void trim_init_extable(struct module *m)
21298 +{
21299 + /*trim the beginning*/
21300 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
21301 + m->extable++;
21302 + m->num_exentries--;
21303 + }
21304 + /*trim the end*/
21305 + while (m->num_exentries &&
21306 + within_module_init(m->extable[m->num_exentries-1].insn, m))
21307 + m->num_exentries--;
21308 +}
21309 +#endif /* CONFIG_MODULES */
21310
21311 int fixup_exception(struct pt_regs *regs)
21312 {
21313 const struct exception_table_entry *fixup;
21314
21315 #ifdef CONFIG_PNPBIOS
21316 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
21317 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
21318 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
21319 extern u32 pnp_bios_is_utter_crap;
21320 pnp_bios_is_utter_crap = 1;
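Review bot: `swap_ex` brackets its two stores with `pax_open_kernel()`/`pax_close_kernel()` and ignores its `size` argument, and neither choice is commented. The definitions of the two PaX calls are not in this hunk, so the reason has to be guessed; if the exception table is mapped read-only, say so at the function: `/* table may be read-only (KERNEXEC, to confirm): open the write window only around the two stores; size is unused, entries are whole structs */`. Opening the window per swap rather than once around `sort()` keeps the writable period short at some cost in speed, which is worth recording as a deliberate choice. `fixup_exception` at the end of the hunk continues outside it.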
21321 diff -urNp linux-2.6.39.3/arch/x86/mm/fault.c linux-2.6.39.3/arch/x86/mm/fault.c
21322 --- linux-2.6.39.3/arch/x86/mm/fault.c 2011-05-19 00:06:34.000000000 -0400
21323 +++ linux-2.6.39.3/arch/x86/mm/fault.c 2011-06-06 17:34:04.000000000 -0400
21324 @@ -12,10 +12,18 @@
21325 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
21326 #include <linux/perf_event.h> /* perf_sw_event */
21327 #include <linux/hugetlb.h> /* hstate_index_to_shift */
21328 +#include <linux/unistd.h>
21329 +#include <linux/compiler.h>
21330
21331 #include <asm/traps.h> /* dotraplinkage, ... */
21332 #include <asm/pgalloc.h> /* pgd_*(), ... */
21333 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
21334 +#include <asm/vsyscall.h>
21335 +#include <asm/tlbflush.h>
21336 +
21337 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21338 +#include <asm/stacktrace.h>
21339 +#endif
21340
21341 /*
21342 * Page fault error code bits:
21343 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
21344 int ret = 0;
21345
21346 /* kprobe_running() needs smp_processor_id() */
21347 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21348 + if (kprobes_built_in() && !user_mode(regs)) {
21349 preempt_disable();
21350 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21351 ret = 1;
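Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault` (and again in the `do_page_fault` hunk at `@@ -1032,7 +1282,7 @@`) is only equivalent if `user_mode()` is redefined elsewhere in this patch to cover vm86 mode. In the stock 2.6.39 32-bit headers `user_mode()` looks only at the CS privilege bits, which are arbitrary for a vm86 task, so without such a redefinition a vm86 fault could be classified as a kernel-mode one. The redefinition is not visible in this chunk; a comment at the first use, `/* user_mode() covers vm86 in this tree, see its definition */`, would point reviewers to it. The function starts outside this hunk.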
21352 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
21353 return !instr_lo || (instr_lo>>1) == 1;
21354 case 0x00:
21355 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21356 - if (probe_kernel_address(instr, opcode))
21357 + if (user_mode(regs)) {
21358 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21359 + return 0;
21360 + } else if (probe_kernel_address(instr, opcode))
21361 return 0;
21362
21363 *prefetch = (instr_lo == 0xF) &&
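Review bot: The new user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which performs no `access_ok()` range check of its own, so it relies on `instr` having been bounded to the user address range before this point. That bound is not visible in this hunk or in the matching `is_prefetch` hunk that follows, and both functions start outside their hunks. If the check exists, note it at the call: `/* instr was range-checked against the user limit by is_prefetch(); no access_ok needed */`; if it does not, the range check belongs before the decode loop.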
21364 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
21365 while (instr < max_instr) {
21366 unsigned char opcode;
21367
21368 - if (probe_kernel_address(instr, opcode))
21369 + if (user_mode(regs)) {
21370 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
21371 + break;
21372 + } else if (probe_kernel_address(instr, opcode))
21373 break;
21374
21375 instr++;
21376 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
21377 force_sig_info(si_signo, &info, tsk);
21378 }
21379
21380 +#ifdef CONFIG_PAX_EMUTRAMP
21381 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21382 +#endif
21383 +
21384 +#ifdef CONFIG_PAX_PAGEEXEC
21385 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21386 +{
21387 + pgd_t *pgd;
21388 + pud_t *pud;
21389 + pmd_t *pmd;
21390 +
21391 + pgd = pgd_offset(mm, address);
21392 + if (!pgd_present(*pgd))
21393 + return NULL;
21394 + pud = pud_offset(pgd, address);
21395 + if (!pud_present(*pud))
21396 + return NULL;
21397 + pmd = pmd_offset(pud, address);
21398 + if (!pmd_present(*pmd))
21399 + return NULL;
21400 + return pmd;
21401 +}
21402 +#endif
21403 +
21404 DEFINE_SPINLOCK(pgd_lock);
21405 LIST_HEAD(pgd_list);
21406
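Review bot: `pax_get_pmd` walks the pgd, pud and pmd levels without taking any lock and has no comment stating what the caller must hold. Its caller later in this patch, `pax_handle_pageexec_fault`, releases `mm->mmap_sem` with `up_read()` on its handled paths, so the walk presumably runs with mmap_sem held for read. I would document that on the function: `/* returns the pmd covering address, or NULL if any level is not present; caller holds mm->mmap_sem */`.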
21407 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
21408 for (address = VMALLOC_START & PMD_MASK;
21409 address >= TASK_SIZE && address < FIXADDR_TOP;
21410 address += PMD_SIZE) {
21411 +
21412 +#ifdef CONFIG_PAX_PER_CPU_PGD
21413 + unsigned long cpu;
21414 +#else
21415 struct page *page;
21416 +#endif
21417
21418 spin_lock(&pgd_lock);
21419 +
21420 +#ifdef CONFIG_PAX_PER_CPU_PGD
21421 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21422 + pgd_t *pgd = get_cpu_pgd(cpu);
21423 + pmd_t *ret;
21424 +#else
21425 list_for_each_entry(page, &pgd_list, lru) {
21426 + pgd_t *pgd = page_address(page);
21427 spinlock_t *pgt_lock;
21428 pmd_t *ret;
21429
21430 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
21431 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21432
21433 spin_lock(pgt_lock);
21434 - ret = vmalloc_sync_one(page_address(page), address);
21435 +#endif
21436 +
21437 + ret = vmalloc_sync_one(pgd, address);
21438 +
21439 +#ifndef CONFIG_PAX_PER_CPU_PGD
21440 spin_unlock(pgt_lock);
21441 +#endif
21442
21443 if (!ret)
21444 break;
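Review bot: Under `CONFIG_PAX_PER_CPU_PGD` the loop reaches `vmalloc_sync_one(pgd, address)` holding only `pgd_lock`, whereas the other arm also takes the owning mm's `page_table_lock`, and nothing says why the per-CPU PGDs need no second lock. A comment at the `#ifdef` in the previous hunk, such as `/* per-CPU PGDs belong to no mm, so pgd_lock alone serialises the update */`, would help if that is indeed the reasoning. The loop header is split across `#ifdef`/`#else` arms that each open a brace closed outside both hunks, which makes the pairing hard to check by eye. The new arm also iterates `cpu < NR_CPUS` rather than only CPUs that exist, which is safe only if `get_cpu_pgd()` is valid for every index; its definition is not in view.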
21445 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
21446 * an interrupt in the middle of a task switch..
21447 */
21448 pgd_paddr = read_cr3();
21449 +
21450 +#ifdef CONFIG_PAX_PER_CPU_PGD
21451 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21452 +#endif
21453 +
21454 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21455 if (!pmd_k)
21456 return -1;
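Review bot: The `BUG_ON` added to `vmalloc_fault` here, and its twin in the following hunk, assert that CR3 matches `get_cpu_pgd(smp_processor_id())` without saying what a mismatch would mean. A short comment would tell whoever reads the resulting oops which invariant broke: `/* with PER_CPU_PGD the active page directory must be this CPU's own copy */`. Both functions begin outside their hunks.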
21457 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
21458 * happen within a race in page table update. In the later
21459 * case just flush:
21460 */
21461 +
21462 +#ifdef CONFIG_PAX_PER_CPU_PGD
21463 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21464 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21465 +#else
21466 pgd = pgd_offset(current->active_mm, address);
21467 +#endif
21468 +
21469 pgd_ref = pgd_offset_k(address);
21470 if (pgd_none(*pgd_ref))
21471 return -1;
21472 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
21473 static int is_errata100(struct pt_regs *regs, unsigned long address)
21474 {
21475 #ifdef CONFIG_X86_64
21476 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21477 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21478 return 1;
21479 #endif
21480 return 0;
21481 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
21482 }
21483
21484 static const char nx_warning[] = KERN_CRIT
21485 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21486 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21487
21488 static void
21489 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21490 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
21491 if (!oops_may_print())
21492 return;
21493
21494 - if (error_code & PF_INSTR) {
21495 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
21496 unsigned int level;
21497
21498 pte_t *pte = lookup_address(address, &level);
21499
21500 if (pte && pte_present(*pte) && !pte_exec(*pte))
21501 - printk(nx_warning, current_uid());
21502 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21503 }
21504
21505 +#ifdef CONFIG_PAX_KERNEXEC
21506 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21507 + if (current->signal->curr_ip)
21508 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21509 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21510 + else
21511 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21512 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21513 + }
21514 +#endif
21515 +
21516 printk(KERN_ALERT "BUG: unable to handle kernel ");
21517 if (address < PAGE_SIZE)
21518 printk(KERN_CONT "NULL pointer dereference");
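Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for any fault whose address lies in `[init_mm.start_code, init_mm.end_code)`, without looking at `error_code`. If a read or instruction-fetch fault on that range can reach `show_fault_oops`, the log line would misstate what happened; gating it as `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {` keeps the message accurate for anyone triaging from logs. Separately, `nx_warning` prints the uid with `%d` while the new PaX lines use `%u`; using one format for both makes the messages easier to parse.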
21519 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
21520 unsigned long address, int si_code)
21521 {
21522 struct task_struct *tsk = current;
21523 + struct mm_struct *mm = tsk->mm;
21524 +
21525 +#ifdef CONFIG_X86_64
21526 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21527 + if (regs->ip == (unsigned long)vgettimeofday) {
21528 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21529 + return;
21530 + } else if (regs->ip == (unsigned long)vtime) {
21531 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21532 + return;
21533 + } else if (regs->ip == (unsigned long)vgetcpu) {
21534 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21535 + return;
21536 + }
21537 + }
21538 +#endif
21539 +
21540 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21541 + if (mm && (error_code & PF_USER)) {
21542 + unsigned long ip = regs->ip;
21543 +
21544 + if (v8086_mode(regs))
21545 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21546 +
21547 + /*
21548 + * It's possible to have interrupts off here:
21549 + */
21550 + local_irq_enable();
21551 +
21552 +#ifdef CONFIG_PAX_PAGEEXEC
21553 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21554 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21555 +
21556 +#ifdef CONFIG_PAX_EMUTRAMP
21557 + switch (pax_handle_fetch_fault(regs)) {
21558 + case 2:
21559 + return;
21560 + }
21561 +#endif
21562 +
21563 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21564 + do_group_exit(SIGKILL);
21565 + }
21566 +#endif
21567 +
21568 +#ifdef CONFIG_PAX_SEGMEXEC
21569 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21570 +
21571 +#ifdef CONFIG_PAX_EMUTRAMP
21572 + switch (pax_handle_fetch_fault(regs)) {
21573 + case 2:
21574 + return;
21575 + }
21576 +#endif
21577 +
21578 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21579 + do_group_exit(SIGKILL);
21580 + }
21581 +#endif
21582 +
21583 + }
21584 +#endif
21585
21586 /* User mode accesses just cause a SIGSEGV */
21587 if (error_code & PF_USER) {
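Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` appears twice in this hunk (and once more in `pax_handle_pageexec_fault`) with a single case, no `default`, and a bare `2`. An `if` reads more directly and leaves room for a comment: `if (pax_handle_fetch_fault(regs) == 2) return; /* gcc trampoline emulated */`. It is also worth a comment that `do_group_exit(SIGKILL)` does not return, since the code after each block relies on that. The function starts before and continues after this hunk.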
21588 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
21589 return 1;
21590 }
21591
21592 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21593 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21594 +{
21595 + pte_t *pte;
21596 + pmd_t *pmd;
21597 + spinlock_t *ptl;
21598 + unsigned char pte_mask;
21599 +
21600 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21601 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21602 + return 0;
21603 +
21604 + /* PaX: it's our fault, let's handle it if we can */
21605 +
21606 + /* PaX: take a look at read faults before acquiring any locks */
21607 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21608 + /* instruction fetch attempt from a protected page in user mode */
21609 + up_read(&mm->mmap_sem);
21610 +
21611 +#ifdef CONFIG_PAX_EMUTRAMP
21612 + switch (pax_handle_fetch_fault(regs)) {
21613 + case 2:
21614 + return 1;
21615 + }
21616 +#endif
21617 +
21618 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21619 + do_group_exit(SIGKILL);
21620 + }
21621 +
21622 + pmd = pax_get_pmd(mm, address);
21623 + if (unlikely(!pmd))
21624 + return 0;
21625 +
21626 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21627 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21628 + pte_unmap_unlock(pte, ptl);
21629 + return 0;
21630 + }
21631 +
21632 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21633 + /* write attempt to a protected page in user mode */
21634 + pte_unmap_unlock(pte, ptl);
21635 + return 0;
21636 + }
21637 +
21638 +#ifdef CONFIG_SMP
21639 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21640 +#else
21641 + if (likely(address > get_limit(regs->cs)))
21642 +#endif
21643 + {
21644 + set_pte(pte, pte_mkread(*pte));
21645 + __flush_tlb_one(address);
21646 + pte_unmap_unlock(pte, ptl);
21647 + up_read(&mm->mmap_sem);
21648 + return 1;
21649 + }
21650 +
21651 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21652 +
21653 + /*
21654 + * PaX: fill DTLB with user rights and retry
21655 + */
21656 + __asm__ __volatile__ (
21657 + "orb %2,(%1)\n"
21658 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21659 +/*
21660 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21661 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21662 + * page fault when examined during a TLB load attempt. this is true not only
21663 + * for PTEs holding a non-present entry but also present entries that will
21664 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21665 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21666 + * for our target pages since their PTEs are simply not in the TLBs at all.
21667 +
21668 + * the best thing in omitting it is that we gain around 15-20% speed in the
21669 + * fast path of the page fault handler and can get rid of tracing since we
21670 + * can no longer flush unintended entries.
21671 + */
21672 + "invlpg (%0)\n"
21673 +#endif
21674 + __copyuser_seg"testb $0,(%0)\n"
21675 + "xorb %3,(%1)\n"
21676 + :
21677 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21678 + : "memory", "cc");
21679 + pte_unmap_unlock(pte, ptl);
21680 + up_read(&mm->mmap_sem);
21681 + return 1;
21682 +}
21683 +#endif
21684 +
21685 /*
21686 * Handle a spurious fault caused by a stale TLB entry.
21687 *
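Review bot: `pax_handle_pageexec_fault` has an undocumented locking contract: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore held. The caller added to `do_page_fault` returns immediately on a non-zero result, so a future path that returns 1 without the `up_read()`, or 0 after it, would leak or double-release the lock. I would put above the function: `/* returns 1 if handled, with mm->mmap_sem released; 0 if not, with mmap_sem still held */`.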
21688 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
21689 static inline int
21690 access_error(unsigned long error_code, struct vm_area_struct *vma)
21691 {
21692 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21693 + return 1;
21694 +
21695 if (error_code & PF_WRITE) {
21696 /* write, present and write, not present: */
21697 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21698 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
21699 {
21700 struct vm_area_struct *vma;
21701 struct task_struct *tsk;
21702 - unsigned long address;
21703 struct mm_struct *mm;
21704 int fault;
21705 int write = error_code & PF_WRITE;
21706 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
21707 (write ? FAULT_FLAG_WRITE : 0);
21708
21709 + /* Get the faulting address: */
21710 + unsigned long address = read_cr2();
21711 +
21712 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21713 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21714 + if (!search_exception_tables(regs->ip)) {
21715 + bad_area_nosemaphore(regs, error_code, address);
21716 + return;
21717 + }
21718 + if (address < PAX_USER_SHADOW_BASE) {
21719 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21720 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21721 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21722 + } else
21723 + address -= PAX_USER_SHADOW_BASE;
21724 + }
21725 +#endif
21726 +
21727 tsk = current;
21728 mm = tsk->mm;
21729
21730 - /* Get the faulting address: */
21731 - address = read_cr2();
21732 -
21733 /*
21734 * Detect and handle instructions that would cause a page fault for
21735 * both a tracked kernel page and a userspace page.
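Review bot: The UDEREF block at the top of `do_page_fault` treats three cases differently and explains none of them. From the hunk: a kernel-mode fault below `2 * PAX_USER_SHADOW_BASE` with no exception-table entry goes to `bad_area_nosemaphore()`; one at or above `PAX_USER_SHADOW_BASE` has the base subtracted; one below it is logged with a stack trace and then handled with the address unchanged. A comment stating that the last case is a kernel access that did not go through the shadow mapping (my reading, to be confirmed) would help anyone triaging the "PAX: faulting IP" log line. The two `printk`s and the trace are not rate-limited, which may matter if the condition can be hit repeatedly.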
21736 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
21737 * User-mode registers count as a user access even for any
21738 * potential system fault or CPU buglet:
21739 */
21740 - if (user_mode_vm(regs)) {
21741 + if (user_mode(regs)) {
21742 local_irq_enable();
21743 error_code |= PF_USER;
21744 } else {
21745 @@ -1087,6 +1337,11 @@ retry:
21746 might_sleep();
21747 }
21748
21749 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21750 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21751 + return;
21752 +#endif
21753 +
21754 vma = find_vma(mm, address);
21755 if (unlikely(!vma)) {
21756 bad_area(regs, error_code, address);
21757 @@ -1098,18 +1353,24 @@ retry:
21758 bad_area(regs, error_code, address);
21759 return;
21760 }
21761 - if (error_code & PF_USER) {
21762 - /*
21763 - * Accessing the stack below %sp is always a bug.
21764 - * The large cushion allows instructions like enter
21765 - * and pusha to work. ("enter $65535, $31" pushes
21766 - * 32 pointers and then decrements %sp by 65535.)
21767 - */
21768 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21769 - bad_area(regs, error_code, address);
21770 - return;
21771 - }
21772 + /*
21773 + * Accessing the stack below %sp is always a bug.
21774 + * The large cushion allows instructions like enter
21775 + * and pusha to work. ("enter $65535, $31" pushes
21776 + * 32 pointers and then decrements %sp by 65535.)
21777 + */
21778 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21779 + bad_area(regs, error_code, address);
21780 + return;
21781 }
21782 +
21783 +#ifdef CONFIG_PAX_SEGMEXEC
21784 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21785 + bad_area(regs, error_code, address);
21786 + return;
21787 + }
21788 +#endif
21789 +
21790 if (unlikely(expand_stack(vma, address))) {
21791 bad_area(regs, error_code, address);
21792 return;
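Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` only works through unsigned wraparound and has no comment. As far as I can tell it is true only when the vma ends above `SEGMEXEC_TASK_SIZE` and the faulting address is at or below it; spelling that out, e.g. `/* unsigned wrap: true only if vm_end and address lie on opposite sides of SEGMEXEC_TASK_SIZE */`, would make it reviewable. The same hunk drops the `if (error_code & PF_USER)` guard and compares against `task_pt_regs(tsk)->sp`, so the below-%sp check now applies to kernel-mode faults as well; the retained comment should say that this is intended.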
21793 @@ -1164,3 +1425,199 @@ good_area:
21794
21795 up_read(&mm->mmap_sem);
21796 }
21797 +
21798 +#ifdef CONFIG_PAX_EMUTRAMP
21799 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21800 +{
21801 + int err;
21802 +
21803 + do { /* PaX: gcc trampoline emulation #1 */
21804 + unsigned char mov1, mov2;
21805 + unsigned short jmp;
21806 + unsigned int addr1, addr2;
21807 +
21808 +#ifdef CONFIG_X86_64
21809 + if ((regs->ip + 11) >> 32)
21810 + break;
21811 +#endif
21812 +
21813 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21814 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21815 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21816 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21817 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21818 +
21819 + if (err)
21820 + break;
21821 +
21822 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21823 + regs->cx = addr1;
21824 + regs->ax = addr2;
21825 + regs->ip = addr2;
21826 + return 2;
21827 + }
21828 + } while (0);
21829 +
21830 + do { /* PaX: gcc trampoline emulation #2 */
21831 + unsigned char mov, jmp;
21832 + unsigned int addr1, addr2;
21833 +
21834 +#ifdef CONFIG_X86_64
21835 + if ((regs->ip + 9) >> 32)
21836 + break;
21837 +#endif
21838 +
21839 + err = get_user(mov, (unsigned char __user *)regs->ip);
21840 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21841 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21842 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21843 +
21844 + if (err)
21845 + break;
21846 +
21847 + if (mov == 0xB9 && jmp == 0xE9) {
21848 + regs->cx = addr1;
21849 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21850 + return 2;
21851 + }
21852 + } while (0);
21853 +
21854 + return 1; /* PaX in action */
21855 +}
21856 +
21857 +#ifdef CONFIG_X86_64
21858 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21859 +{
21860 + int err;
21861 +
21862 + do { /* PaX: gcc trampoline emulation #1 */
21863 + unsigned short mov1, mov2, jmp1;
21864 + unsigned char jmp2;
21865 + unsigned int addr1;
21866 + unsigned long addr2;
21867 +
21868 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21869 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21870 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21871 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21872 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21873 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21874 +
21875 + if (err)
21876 + break;
21877 +
21878 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21879 + regs->r11 = addr1;
21880 + regs->r10 = addr2;
21881 + regs->ip = addr1;
21882 + return 2;
21883 + }
21884 + } while (0);
21885 +
21886 + do { /* PaX: gcc trampoline emulation #2 */
21887 + unsigned short mov1, mov2, jmp1;
21888 + unsigned char jmp2;
21889 + unsigned long addr1, addr2;
21890 +
21891 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21892 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21893 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21894 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21895 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21896 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21897 +
21898 + if (err)
21899 + break;
21900 +
21901 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21902 + regs->r11 = addr1;
21903 + regs->r10 = addr2;
21904 + regs->ip = addr1;
21905 + return 2;
21906 + }
21907 + } while (0);
21908 +
21909 + return 1; /* PaX in action */
21910 +}
21911 +#endif
21912 +
21913 +/*
21914 + * PaX: decide what to do with offenders (regs->ip = fault address)
21915 + *
21916 + * returns 1 when task should be killed
21917 + * 2 when gcc trampoline was detected
21918 + */
21919 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21920 +{
21921 + if (v8086_mode(regs))
21922 + return 1;
21923 +
21924 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21925 + return 1;
21926 +
21927 +#ifdef CONFIG_X86_32
21928 + return pax_handle_fetch_fault_32(regs);
21929 +#else
21930 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21931 + return pax_handle_fetch_fault_32(regs);
21932 + else
21933 + return pax_handle_fetch_fault_64(regs);
21934 +#endif
21935 +}
21936 +#endif
21937 +
21938 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21939 +void pax_report_insns(void *pc, void *sp)
21940 +{
21941 + long i;
21942 +
21943 + printk(KERN_ERR "PAX: bytes at PC: ");
21944 + for (i = 0; i < 20; i++) {
21945 + unsigned char c;
21946 + if (get_user(c, (__force unsigned char __user *)pc+i))
21947 + printk(KERN_CONT "?? ");
21948 + else
21949 + printk(KERN_CONT "%02x ", c);
21950 + }
21951 + printk("\n");
21952 +
21953 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21954 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21955 + unsigned long c;
21956 + if (get_user(c, (__force unsigned long __user *)sp+i))
21957 +#ifdef CONFIG_X86_32
21958 + printk(KERN_CONT "???????? ");
21959 +#else
21960 + printk(KERN_CONT "???????????????? ");
21961 +#endif
21962 + else
21963 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21964 + }
21965 + printk("\n");
21966 +}
21967 +#endif
21968 +
21969 +/**
21970 + * probe_kernel_write(): safely attempt to write to a location
21971 + * @dst: address to write to
21972 + * @src: pointer to the data that shall be written
21973 + * @size: size of the data chunk
21974 + *
21975 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21976 + * happens, handle that and return -EFAULT.
21977 + */
21978 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21979 +{
21980 + long ret;
21981 + mm_segment_t old_fs = get_fs();
21982 +
21983 + set_fs(KERNEL_DS);
21984 + pagefault_disable();
21985 + pax_open_kernel();
21986 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21987 + pax_close_kernel();
21988 + pagefault_enable();
21989 + set_fs(old_fs);
21990 +
21991 + return ret ? -EFAULT : 0;
21992 +}
21993 diff -urNp linux-2.6.39.3/arch/x86/mm/gup.c linux-2.6.39.3/arch/x86/mm/gup.c
21994 --- linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-19 00:06:34.000000000 -0400
21995 +++ linux-2.6.39.3/arch/x86/mm/gup.c 2011-05-22 19:36:30.000000000 -0400
21996 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
21997 addr = start;
21998 len = (unsigned long) nr_pages << PAGE_SHIFT;
21999 end = start + len;
22000 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
22001 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
22002 (void __user *)start, len)))
22003 return 0;
22004
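Review bot: Nothing at the call site explains why the range check in `__get_user_pages_fast` moves from `access_ok` to `__access_ok`, and the difference between the two is defined elsewhere in the patch. Because this check is the only gate in front of the lockless page-table walk, a short comment would help, for example `/* __access_ok: plain range check only; the patched access_ok() is not usable here */`. Confirm that wording against the real difference before adding it. The function body starts and ends outside the hunk.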
22005 diff -urNp linux-2.6.39.3/arch/x86/mm/highmem_32.c linux-2.6.39.3/arch/x86/mm/highmem_32.c
22006 --- linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-19 00:06:34.000000000 -0400
22007 +++ linux-2.6.39.3/arch/x86/mm/highmem_32.c 2011-05-22 19:36:30.000000000 -0400
22008 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
22009 idx = type + KM_TYPE_NR*smp_processor_id();
22010 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22011 BUG_ON(!pte_none(*(kmap_pte-idx)));
22012 +
22013 + pax_open_kernel();
22014 set_pte(kmap_pte-idx, mk_pte(page, prot));
22015 + pax_close_kernel();
22016
22017 return (void *)vaddr;
22018 }
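Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around `set_pte()` in `kmap_atomic_prot` has no comment saying what is being made writable or why the window is safe here. The same bracket is added around `set_pte()` in `set_pte_vaddr_pud` (init_64.c) and `kmap_atomic_prot_pfn` (iomap_32.c), also unexplained. Presumably the kmap page tables are read-only under this patch, so a one-line comment such as `/* kmap_pte is write-protected; lift protection for this single store only */` would record that nothing else may be placed inside the window. The function starts outside the hunk.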
22019 diff -urNp linux-2.6.39.3/arch/x86/mm/hugetlbpage.c linux-2.6.39.3/arch/x86/mm/hugetlbpage.c
22020 --- linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-19 00:06:34.000000000 -0400
22021 +++ linux-2.6.39.3/arch/x86/mm/hugetlbpage.c 2011-05-22 19:36:30.000000000 -0400
22022 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
22023 struct hstate *h = hstate_file(file);
22024 struct mm_struct *mm = current->mm;
22025 struct vm_area_struct *vma;
22026 - unsigned long start_addr;
22027 + unsigned long start_addr, pax_task_size = TASK_SIZE;
22028 +
22029 +#ifdef CONFIG_PAX_SEGMEXEC
22030 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22031 + pax_task_size = SEGMEXEC_TASK_SIZE;
22032 +#endif
22033 +
22034 + pax_task_size -= PAGE_SIZE;
22035
22036 if (len > mm->cached_hole_size) {
22037 - start_addr = mm->free_area_cache;
22038 + start_addr = mm->free_area_cache;
22039 } else {
22040 - start_addr = TASK_UNMAPPED_BASE;
22041 - mm->cached_hole_size = 0;
22042 + start_addr = mm->mmap_base;
22043 + mm->cached_hole_size = 0;
22044 }
22045
22046 full_search:
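Review bot: `pax_task_size -= PAGE_SIZE;` lowers the search limit by one page with no stated reason, and the same line is repeated in `hugetlb_get_unmapped_area` later in this file. A reader cannot tell whether the last page is reserved as a guard or whether this avoids an overflow in `pax_task_size - len`. I would add a comment next to the first occurrence, e.g. `/* keep the top page of the address space unmapped */`, once the intent is confirmed. The two `start_addr` lines in this hunk change whitespace only. The function starts before the hunk and continues past it.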
22047 @@ -280,26 +287,27 @@ full_search:
22048
22049 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
22050 /* At this point: (!vma || addr < vma->vm_end). */
22051 - if (TASK_SIZE - len < addr) {
22052 + if (pax_task_size - len < addr) {
22053 /*
22054 * Start a new search - just in case we missed
22055 * some holes.
22056 */
22057 - if (start_addr != TASK_UNMAPPED_BASE) {
22058 - start_addr = TASK_UNMAPPED_BASE;
22059 + if (start_addr != mm->mmap_base) {
22060 + start_addr = mm->mmap_base;
22061 mm->cached_hole_size = 0;
22062 goto full_search;
22063 }
22064 return -ENOMEM;
22065 }
22066 - if (!vma || addr + len <= vma->vm_start) {
22067 - mm->free_area_cache = addr + len;
22068 - return addr;
22069 - }
22070 + if (check_heap_stack_gap(vma, addr, len))
22071 + break;
22072 if (addr + mm->cached_hole_size < vma->vm_start)
22073 mm->cached_hole_size = vma->vm_start - addr;
22074 addr = ALIGN(vma->vm_end, huge_page_size(h));
22075 }
22076 +
22077 + mm->free_area_cache = addr + len;
22078 + return addr;
22079 }
22080
22081 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
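Review bot: After `check_heap_stack_gap(vma, addr, len)` returns false, the loop reads `vma->vm_start` and `vma->vm_end` without a NULL test, whereas the removed code returned as soon as `!vma`. This is only safe if `check_heap_stack_gap()` always returns true for a NULL `vma`. That helper is not defined in this hunk, so the assumption should be written down where it is relied on, e.g. `/* check_heap_stack_gap() accepts vma == NULL, so vma is valid below */`. The top-down variant in the next function relies on the same behaviour before `mm->free_area_cache == vma->vm_end`. Its merged comment also still refers to `prev_vma`, which no longer exists there.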
22082 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
22083 {
22084 struct hstate *h = hstate_file(file);
22085 struct mm_struct *mm = current->mm;
22086 - struct vm_area_struct *vma, *prev_vma;
22087 - unsigned long base = mm->mmap_base, addr = addr0;
22088 + struct vm_area_struct *vma;
22089 + unsigned long base = mm->mmap_base, addr;
22090 unsigned long largest_hole = mm->cached_hole_size;
22091 - int first_time = 1;
22092
22093 /* don't allow allocations above current base */
22094 if (mm->free_area_cache > base)
22095 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
22096 largest_hole = 0;
22097 mm->free_area_cache = base;
22098 }
22099 -try_again:
22100 +
22101 /* make sure it can fit in the remaining address space */
22102 if (mm->free_area_cache < len)
22103 goto fail;
22104
22105 /* either no address requested or can't fit in requested address hole */
22106 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
22107 + addr = (mm->free_area_cache - len);
22108 do {
22109 + addr &= huge_page_mask(h);
22110 + vma = find_vma(mm, addr);
22111 /*
22112 * Lookup failure means no vma is above this address,
22113 * i.e. return with success:
22114 - */
22115 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
22116 - return addr;
22117 -
22118 - /*
22119 * new region fits between prev_vma->vm_end and
22120 * vma->vm_start, use it:
22121 */
22122 - if (addr + len <= vma->vm_start &&
22123 - (!prev_vma || (addr >= prev_vma->vm_end))) {
22124 + if (check_heap_stack_gap(vma, addr, len)) {
22125 /* remember the address as a hint for next time */
22126 - mm->cached_hole_size = largest_hole;
22127 - return (mm->free_area_cache = addr);
22128 - } else {
22129 - /* pull free_area_cache down to the first hole */
22130 - if (mm->free_area_cache == vma->vm_end) {
22131 - mm->free_area_cache = vma->vm_start;
22132 - mm->cached_hole_size = largest_hole;
22133 - }
22134 + mm->cached_hole_size = largest_hole;
22135 + return (mm->free_area_cache = addr);
22136 + }
22137 + /* pull free_area_cache down to the first hole */
22138 + if (mm->free_area_cache == vma->vm_end) {
22139 + mm->free_area_cache = vma->vm_start;
22140 + mm->cached_hole_size = largest_hole;
22141 }
22142
22143 /* remember the largest hole we saw so far */
22144 if (addr + largest_hole < vma->vm_start)
22145 - largest_hole = vma->vm_start - addr;
22146 + largest_hole = vma->vm_start - addr;
22147
22148 /* try just below the current vma->vm_start */
22149 - addr = (vma->vm_start - len) & huge_page_mask(h);
22150 - } while (len <= vma->vm_start);
22151 + addr = skip_heap_stack_gap(vma, len);
22152 + } while (!IS_ERR_VALUE(addr));
22153
22154 fail:
22155 /*
22156 - * if hint left us with no space for the requested
22157 - * mapping then try again:
22158 - */
22159 - if (first_time) {
22160 - mm->free_area_cache = base;
22161 - largest_hole = 0;
22162 - first_time = 0;
22163 - goto try_again;
22164 - }
22165 - /*
22166 * A failed mmap() very likely causes application failure,
22167 * so fall back to the bottom-up function here. This scenario
22168 * can happen with large stack limits and large mmap()
22169 * allocations.
22170 */
22171 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22172 +
22173 +#ifdef CONFIG_PAX_SEGMEXEC
22174 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22175 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
22176 + else
22177 +#endif
22178 +
22179 + mm->mmap_base = TASK_UNMAPPED_BASE;
22180 +
22181 +#ifdef CONFIG_PAX_RANDMMAP
22182 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22183 + mm->mmap_base += mm->delta_mmap;
22184 +#endif
22185 +
22186 + mm->free_area_cache = mm->mmap_base;
22187 mm->cached_hole_size = ~0UL;
22188 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
22189 len, pgoff, flags);
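Review bot: In the `fail:` path the `else` belonging to `if (mm->pax_flags & MF_PAX_SEGMEXEC)` sits inside the `#ifdef`, while its body `mm->mmap_base = TASK_UNMAPPED_BASE;` sits after the `#endif` and a blank line. That is easy to break with a later edit. Assigning the default first and overriding it conditionally reads more safely and behaves the same: `mm->mmap_base = TASK_UNMAPPED_BASE;` followed by the `#ifdef` block containing only the `if` and `mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;`. `mmap_legacy_base` in arch/x86/mm/mmap.c uses the same dangling-`else` construct. This path also overwrites `mm->mmap_base` temporarily and depends on the restore in the following hunk, which deserves a comment.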
22190 @@ -386,6 +392,7 @@ fail:
22191 /*
22192 * Restore the topdown base:
22193 */
22194 + mm->mmap_base = base;
22195 mm->free_area_cache = base;
22196 mm->cached_hole_size = ~0UL;
22197
22198 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
22199 struct hstate *h = hstate_file(file);
22200 struct mm_struct *mm = current->mm;
22201 struct vm_area_struct *vma;
22202 + unsigned long pax_task_size = TASK_SIZE;
22203
22204 if (len & ~huge_page_mask(h))
22205 return -EINVAL;
22206 - if (len > TASK_SIZE)
22207 +
22208 +#ifdef CONFIG_PAX_SEGMEXEC
22209 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22210 + pax_task_size = SEGMEXEC_TASK_SIZE;
22211 +#endif
22212 +
22213 + pax_task_size -= PAGE_SIZE;
22214 +
22215 + if (len > pax_task_size)
22216 return -ENOMEM;
22217
22218 if (flags & MAP_FIXED) {
22219 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
22220 if (addr) {
22221 addr = ALIGN(addr, huge_page_size(h));
22222 vma = find_vma(mm, addr);
22223 - if (TASK_SIZE - len >= addr &&
22224 - (!vma || addr + len <= vma->vm_start))
22225 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
22226 return addr;
22227 }
22228 if (mm->get_unmapped_area == arch_get_unmapped_area)
22229 diff -urNp linux-2.6.39.3/arch/x86/mm/init_32.c linux-2.6.39.3/arch/x86/mm/init_32.c
22230 --- linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-19 00:06:34.000000000 -0400
22231 +++ linux-2.6.39.3/arch/x86/mm/init_32.c 2011-05-22 19:36:30.000000000 -0400
22232 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
22233 }
22234
22235 /*
22236 - * Creates a middle page table and puts a pointer to it in the
22237 - * given global directory entry. This only returns the gd entry
22238 - * in non-PAE compilation mode, since the middle layer is folded.
22239 - */
22240 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
22241 -{
22242 - pud_t *pud;
22243 - pmd_t *pmd_table;
22244 -
22245 -#ifdef CONFIG_X86_PAE
22246 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
22247 - if (after_bootmem)
22248 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
22249 - else
22250 - pmd_table = (pmd_t *)alloc_low_page();
22251 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
22252 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
22253 - pud = pud_offset(pgd, 0);
22254 - BUG_ON(pmd_table != pmd_offset(pud, 0));
22255 -
22256 - return pmd_table;
22257 - }
22258 -#endif
22259 - pud = pud_offset(pgd, 0);
22260 - pmd_table = pmd_offset(pud, 0);
22261 -
22262 - return pmd_table;
22263 -}
22264 -
22265 -/*
22266 * Create a page table and place a pointer to it in a middle page
22267 * directory entry:
22268 */
22269 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
22270 page_table = (pte_t *)alloc_low_page();
22271
22272 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
22273 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22274 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
22275 +#else
22276 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
22277 +#endif
22278 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
22279 }
22280
22281 return pte_offset_kernel(pmd, 0);
22282 }
22283
22284 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
22285 +{
22286 + pud_t *pud;
22287 + pmd_t *pmd_table;
22288 +
22289 + pud = pud_offset(pgd, 0);
22290 + pmd_table = pmd_offset(pud, 0);
22291 +
22292 + return pmd_table;
22293 +}
22294 +
22295 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
22296 {
22297 int pgd_idx = pgd_index(vaddr);
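Review bot: The re-added `one_md_table_init` no longer allocates a pmd page under `CONFIG_X86_PAE` and has lost its header comment, so it now silently assumes the pmd for every pgd entry already exists. That precondition is set up outside this hunk (presumably statically elsewhere in the patch) and should be stated on the function, e.g. `/* Return the pmd table for @pgd; pmds are pre-allocated, nothing is created here. */`. The `_KERNPG_TABLE` versus `_PAGE_TABLE` choice in `one_page_table_init` would also benefit from a note saying that the PaX variants drop the user bit on kernel page tables, if that is the intent.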
22298 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
22299 int pgd_idx, pmd_idx;
22300 unsigned long vaddr;
22301 pgd_t *pgd;
22302 + pud_t *pud;
22303 pmd_t *pmd;
22304 pte_t *pte = NULL;
22305
22306 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
22307 pgd = pgd_base + pgd_idx;
22308
22309 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
22310 - pmd = one_md_table_init(pgd);
22311 - pmd = pmd + pmd_index(vaddr);
22312 + pud = pud_offset(pgd, vaddr);
22313 + pmd = pmd_offset(pud, vaddr);
22314 +
22315 +#ifdef CONFIG_X86_PAE
22316 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22317 +#endif
22318 +
22319 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
22320 pmd++, pmd_idx++) {
22321 pte = page_table_kmap_check(one_page_table_init(pmd),
22322 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
22323 }
22324 }
22325
22326 -static inline int is_kernel_text(unsigned long addr)
22327 +static inline int is_kernel_text(unsigned long start, unsigned long end)
22328 {
22329 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
22330 - return 1;
22331 - return 0;
22332 + if ((start > ktla_ktva((unsigned long)_etext) ||
22333 + end <= ktla_ktva((unsigned long)_stext)) &&
22334 + (start > ktla_ktva((unsigned long)_einittext) ||
22335 + end <= ktla_ktva((unsigned long)_sinittext)) &&
22336 +
22337 +#ifdef CONFIG_ACPI_SLEEP
22338 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
22339 +#endif
22340 +
22341 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
22342 + return 0;
22343 + return 1;
22344 }
22345
22346 /*
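Review bot: `is_kernel_text` now returns 1 for more than kernel text, but neither the name nor a comment says so. It covers any range overlapping kernel text, init text, the ACPI wakeup area (`+ 0x4000`) and the region `0xc0000`–`0xfffff`, all given as bare constants. Callers use the result to choose an executable protection, so the function should carry a comment listing each region and why it must stay executable, and the constants should be named. The tests are written as `start > end_symbol`, so a range beginning exactly at `_etext` or `_einittext` still counts as text. If those symbols are exclusive ends, `>=` would avoid mapping one extra page executable; this is worth confirming.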
22347 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
22348 unsigned long last_map_addr = end;
22349 unsigned long start_pfn, end_pfn;
22350 pgd_t *pgd_base = swapper_pg_dir;
22351 - int pgd_idx, pmd_idx, pte_ofs;
22352 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22353 unsigned long pfn;
22354 pgd_t *pgd;
22355 + pud_t *pud;
22356 pmd_t *pmd;
22357 pte_t *pte;
22358 unsigned pages_2m, pages_4k;
22359 @@ -281,8 +282,13 @@ repeat:
22360 pfn = start_pfn;
22361 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22362 pgd = pgd_base + pgd_idx;
22363 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22364 - pmd = one_md_table_init(pgd);
22365 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22366 + pud = pud_offset(pgd, 0);
22367 + pmd = pmd_offset(pud, 0);
22368 +
22369 +#ifdef CONFIG_X86_PAE
22370 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22371 +#endif
22372
22373 if (pfn >= end_pfn)
22374 continue;
22375 @@ -294,14 +300,13 @@ repeat:
22376 #endif
22377 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22378 pmd++, pmd_idx++) {
22379 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22380 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22381
22382 /*
22383 * Map with big pages if possible, otherwise
22384 * create normal page tables:
22385 */
22386 if (use_pse) {
22387 - unsigned int addr2;
22388 pgprot_t prot = PAGE_KERNEL_LARGE;
22389 /*
22390 * first pass will use the same initial
22391 @@ -311,11 +316,7 @@ repeat:
22392 __pgprot(PTE_IDENT_ATTR |
22393 _PAGE_PSE);
22394
22395 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22396 - PAGE_OFFSET + PAGE_SIZE-1;
22397 -
22398 - if (is_kernel_text(addr) ||
22399 - is_kernel_text(addr2))
22400 + if (is_kernel_text(address, address + PMD_SIZE))
22401 prot = PAGE_KERNEL_LARGE_EXEC;
22402
22403 pages_2m++;
22404 @@ -332,7 +333,7 @@ repeat:
22405 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22406 pte += pte_ofs;
22407 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22408 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22409 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22410 pgprot_t prot = PAGE_KERNEL;
22411 /*
22412 * first pass will use the same initial
22413 @@ -340,7 +341,7 @@ repeat:
22414 */
22415 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22416
22417 - if (is_kernel_text(addr))
22418 + if (is_kernel_text(address, address + PAGE_SIZE))
22419 prot = PAGE_KERNEL_EXEC;
22420
22421 pages_4k++;
22422 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
22423
22424 pud = pud_offset(pgd, va);
22425 pmd = pmd_offset(pud, va);
22426 - if (!pmd_present(*pmd))
22427 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22428 break;
22429
22430 pte = pte_offset_kernel(pmd, va);
22431 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
22432
22433 static void __init pagetable_init(void)
22434 {
22435 - pgd_t *pgd_base = swapper_pg_dir;
22436 -
22437 - permanent_kmaps_init(pgd_base);
22438 + permanent_kmaps_init(swapper_pg_dir);
22439 }
22440
22441 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22442 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22443 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22444
22445 /* user-defined highmem size */
22446 @@ -754,6 +753,12 @@ void __init mem_init(void)
22447
22448 pci_iommu_alloc();
22449
22450 +#ifdef CONFIG_PAX_PER_CPU_PGD
22451 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22452 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22453 + KERNEL_PGD_PTRS);
22454 +#endif
22455 +
22456 #ifdef CONFIG_FLATMEM
22457 BUG_ON(!mem_map);
22458 #endif
22459 @@ -771,7 +776,7 @@ void __init mem_init(void)
22460 set_highmem_pages_init();
22461
22462 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22463 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22464 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22465 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22466
22467 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22468 @@ -812,10 +817,10 @@ void __init mem_init(void)
22469 ((unsigned long)&__init_end -
22470 (unsigned long)&__init_begin) >> 10,
22471
22472 - (unsigned long)&_etext, (unsigned long)&_edata,
22473 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22474 + (unsigned long)&_sdata, (unsigned long)&_edata,
22475 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22476
22477 - (unsigned long)&_text, (unsigned long)&_etext,
22478 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22479 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22480
22481 /*
22482 @@ -893,6 +898,7 @@ void set_kernel_text_rw(void)
22483 if (!kernel_set_to_readonly)
22484 return;
22485
22486 + start = ktla_ktva(start);
22487 pr_debug("Set kernel text: %lx - %lx for read write\n",
22488 start, start+size);
22489
22490 @@ -907,6 +913,7 @@ void set_kernel_text_ro(void)
22491 if (!kernel_set_to_readonly)
22492 return;
22493
22494 + start = ktla_ktva(start);
22495 pr_debug("Set kernel text: %lx - %lx for read only\n",
22496 start, start+size);
22497
22498 @@ -935,6 +942,7 @@ void mark_rodata_ro(void)
22499 unsigned long start = PFN_ALIGN(_text);
22500 unsigned long size = PFN_ALIGN(_etext) - start;
22501
22502 + start = ktla_ktva(start);
22503 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22504 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22505 size >> 10);
22506 diff -urNp linux-2.6.39.3/arch/x86/mm/init_64.c linux-2.6.39.3/arch/x86/mm/init_64.c
22507 --- linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-19 00:06:34.000000000 -0400
22508 +++ linux-2.6.39.3/arch/x86/mm/init_64.c 2011-05-22 19:36:30.000000000 -0400
22509 @@ -74,7 +74,7 @@ early_param("gbpages", parse_direct_gbpa
22510 * around without checking the pgd every time.
22511 */
22512
22513 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
22514 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
22515 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22516
22517 int force_personality32;
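Review bot: The initial value of `__supported_pte_mask` now clears `_PAGE_NX`, so on 64-bit no mapping gets the NX bit until some other code sets it in the mask. Because the variable is also `__read_only`, that later write must happen before write protection takes effect or inside an explicit open/close window. None of this is visible in the hunk. I would add a comment on the definition naming where NX is enabled, e.g. `/* _PAGE_NX is added at boot once CPU support is confirmed; see <function> */`, with the real function name filled in.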
22518 @@ -107,12 +107,22 @@ void sync_global_pgds(unsigned long star
22519
22520 for (address = start; address <= end; address += PGDIR_SIZE) {
22521 const pgd_t *pgd_ref = pgd_offset_k(address);
22522 +
22523 +#ifdef CONFIG_PAX_PER_CPU_PGD
22524 + unsigned long cpu;
22525 +#else
22526 struct page *page;
22527 +#endif
22528
22529 if (pgd_none(*pgd_ref))
22530 continue;
22531
22532 spin_lock(&pgd_lock);
22533 +
22534 +#ifdef CONFIG_PAX_PER_CPU_PGD
22535 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22536 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22537 +#else
22538 list_for_each_entry(page, &pgd_list, lru) {
22539 pgd_t *pgd;
22540 spinlock_t *pgt_lock;
22541 @@ -121,6 +131,7 @@ void sync_global_pgds(unsigned long star
22542 /* the pgt_lock only for Xen */
22543 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
22544 spin_lock(pgt_lock);
22545 +#endif
22546
22547 if (pgd_none(*pgd))
22548 set_pgd(pgd, *pgd_ref);
22549 @@ -128,7 +139,10 @@ void sync_global_pgds(unsigned long star
22550 BUG_ON(pgd_page_vaddr(*pgd)
22551 != pgd_page_vaddr(*pgd_ref));
22552
22553 +#ifndef CONFIG_PAX_PER_CPU_PGD
22554 spin_unlock(pgt_lock);
22555 +#endif
22556 +
22557 }
22558 spin_unlock(&pgd_lock);
22559 }
22560 @@ -202,7 +216,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22561 pmd = fill_pmd(pud, vaddr);
22562 pte = fill_pte(pmd, vaddr);
22563
22564 + pax_open_kernel();
22565 set_pte(pte, new_pte);
22566 + pax_close_kernel();
22567
22568 /*
22569 * It's enough to flush this one mapping.
22570 @@ -261,14 +277,12 @@ static void __init __init_extra_mapping(
22571 pgd = pgd_offset_k((unsigned long)__va(phys));
22572 if (pgd_none(*pgd)) {
22573 pud = (pud_t *) spp_getpage();
22574 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22575 - _PAGE_USER));
22576 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22577 }
22578 pud = pud_offset(pgd, (unsigned long)__va(phys));
22579 if (pud_none(*pud)) {
22580 pmd = (pmd_t *) spp_getpage();
22581 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22582 - _PAGE_USER));
22583 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22584 }
22585 pmd = pmd_offset(pud, phys);
22586 BUG_ON(!pmd_none(*pmd));
22587 @@ -698,6 +712,12 @@ void __init mem_init(void)
22588
22589 pci_iommu_alloc();
22590
22591 +#ifdef CONFIG_PAX_PER_CPU_PGD
22592 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22593 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22594 + KERNEL_PGD_PTRS);
22595 +#endif
22596 +
22597 /* clear_bss() already clear the empty_zero_page */
22598
22599 reservedpages = 0;
22600 @@ -858,8 +878,8 @@ int kern_addr_valid(unsigned long addr)
22601 static struct vm_area_struct gate_vma = {
22602 .vm_start = VSYSCALL_START,
22603 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22604 - .vm_page_prot = PAGE_READONLY_EXEC,
22605 - .vm_flags = VM_READ | VM_EXEC
22606 + .vm_page_prot = PAGE_READONLY,
22607 + .vm_flags = VM_READ
22608 };
22609
22610 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
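Review bot: `gate_vma` loses `VM_EXEC` and `PAGE_READONLY_EXEC` with no comment. Anything that reads these fields to decide whether the vsyscall area is executable will now see a non-executable mapping. How user code that still jumps into that area is handled is not shown in this hunk. A comment on the initializer such as `/* vsyscall page is reported non-executable; see <handler> */` would connect this to the handling code, with the actual handler name filled in after confirming it.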
22611 @@ -893,7 +913,7 @@ int in_gate_area_no_mm(unsigned long add
22612
22613 const char *arch_vma_name(struct vm_area_struct *vma)
22614 {
22615 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22616 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22617 return "[vdso]";
22618 if (vma == &gate_vma)
22619 return "[vsyscall]";
22620 diff -urNp linux-2.6.39.3/arch/x86/mm/init.c linux-2.6.39.3/arch/x86/mm/init.c
22621 --- linux-2.6.39.3/arch/x86/mm/init.c 2011-05-19 00:06:34.000000000 -0400
22622 +++ linux-2.6.39.3/arch/x86/mm/init.c 2011-06-07 19:41:11.000000000 -0400
22623 @@ -33,7 +33,7 @@ int direct_gbpages
22624 static void __init find_early_table_space(unsigned long end, int use_pse,
22625 int use_gbpages)
22626 {
22627 - unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
22628 + unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
22629 phys_addr_t base;
22630
22631 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
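Review bot: `start = 0x100000` is an unexplained constant in the declaration list of `find_early_table_space`. It moves the lower bound of the early page-table search from 0 to 1 MiB, presumably to keep boot page tables out of the legacy low-memory area. A named constant or a short comment, e.g. `/* never place early page tables below 1MB */`, would state that intent. The rest of the function is outside the hunk.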
22632 @@ -315,12 +315,34 @@ unsigned long __init_refok init_memory_m
22633 */
22634 int devmem_is_allowed(unsigned long pagenr)
22635 {
22636 - if (pagenr <= 256)
22637 +#ifdef CONFIG_GRKERNSEC_KMEM
22638 + /* allow BDA */
22639 + if (!pagenr)
22640 + return 1;
22641 + /* allow EBDA */
22642 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22643 + return 1;
22644 +#else
22645 + if (!pagenr)
22646 + return 1;
22647 +#ifdef CONFIG_VM86
22648 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
22649 + return 1;
22650 +#endif
22651 +#endif
22652 +
22653 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22654 return 1;
22655 +#ifdef CONFIG_GRKERNSEC_KMEM
22656 + /* throw out everything else below 1MB */
22657 + if (pagenr <= 256)
22658 + return 0;
22659 +#endif
22660 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22661 return 0;
22662 if (!page_is_ram(pagenr))
22663 return 1;
22664 +
22665 return 0;
22666 }
22667
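Review bot: Under `CONFIG_GRKERNSEC_KMEM` the EBDA allowance is a single hard-coded page, `(0x9f000 >> PAGE_SHIFT) == pagenr`. Firmware reports the EBDA location, which can differ from that address or span more than one page. The check is safe in the restrictive direction, but the assumption should be recorded, e.g. `/* allow EBDA: assumes the conventional single page at 0x9f000 */`. The later `if (pagenr <= 256)` also rejects page 256, which is the page at 1MB rather than below it, so its comment should read `/* throw out everything else up to and including the page at 1MB */`, or the test should become `< 256`. The function's header comment lies outside the hunk and probably needs updating for the new per-region policy.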
22668 @@ -375,6 +397,86 @@ void free_init_pages(char *what, unsigne
22669
22670 void free_initmem(void)
22671 {
22672 +
22673 +#ifdef CONFIG_PAX_KERNEXEC
22674 +#ifdef CONFIG_X86_32
22675 + /* PaX: limit KERNEL_CS to actual size */
22676 + unsigned long addr, limit;
22677 + struct desc_struct d;
22678 + int cpu;
22679 +
22680 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22681 + limit = (limit - 1UL) >> PAGE_SHIFT;
22682 +
22683 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22684 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22685 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22686 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22687 + }
22688 +
22689 + /* PaX: make KERNEL_CS read-only */
22690 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22691 + if (!paravirt_enabled())
22692 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22693 +/*
22694 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22695 + pgd = pgd_offset_k(addr);
22696 + pud = pud_offset(pgd, addr);
22697 + pmd = pmd_offset(pud, addr);
22698 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22699 + }
22700 +*/
22701 +#ifdef CONFIG_X86_PAE
22702 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22703 +/*
22704 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22705 + pgd = pgd_offset_k(addr);
22706 + pud = pud_offset(pgd, addr);
22707 + pmd = pmd_offset(pud, addr);
22708 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22709 + }
22710 +*/
22711 +#endif
22712 +
22713 +#ifdef CONFIG_MODULES
22714 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22715 +#endif
22716 +
22717 +#else
22718 + pgd_t *pgd;
22719 + pud_t *pud;
22720 + pmd_t *pmd;
22721 + unsigned long addr, end;
22722 +
22723 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22724 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22725 + pgd = pgd_offset_k(addr);
22726 + pud = pud_offset(pgd, addr);
22727 + pmd = pmd_offset(pud, addr);
22728 + if (!pmd_present(*pmd))
22729 + continue;
22730 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22731 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22732 + else
22733 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22734 + }
22735 +
22736 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22737 + end = addr + KERNEL_IMAGE_SIZE;
22738 + for (; addr < end; addr += PMD_SIZE) {
22739 + pgd = pgd_offset_k(addr);
22740 + pud = pud_offset(pgd, addr);
22741 + pmd = pmd_offset(pud, addr);
22742 + if (!pmd_present(*pmd))
22743 + continue;
22744 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22745 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22746 + }
22747 +#endif
22748 +
22749 + flush_tlb_all();
22750 +#endif
22751 +
22752 free_init_pages("unused kernel memory",
22753 (unsigned long)(&__init_begin),
22754 (unsigned long)(&__init_end));
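Review bot: The return values of `set_memory_ro()`, `set_memory_nx()` and `set_memory_4k()` in the 32-bit `CONFIG_PAX_KERNEXEC` branch are discarded. If one of them fails, kernel text stays writable or init memory stays executable and nothing is logged. At minimum I would report it, e.g. `if (set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT)) printk(KERN_WARNING "PAX: could not write-protect kernel text\n");`. The two commented-out `for` loops that duplicate these calls should be deleted rather than carried in the patch. The descriptor arguments `0x9B` and `0xC` passed to `pack_descriptor()` should get a comment naming the access and flag bits they encode. The function continues past the hunk.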
22755 diff -urNp linux-2.6.39.3/arch/x86/mm/iomap_32.c linux-2.6.39.3/arch/x86/mm/iomap_32.c
22756 --- linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-19 00:06:34.000000000 -0400
22757 +++ linux-2.6.39.3/arch/x86/mm/iomap_32.c 2011-05-22 19:36:30.000000000 -0400
22758 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22759 type = kmap_atomic_idx_push();
22760 idx = type + KM_TYPE_NR * smp_processor_id();
22761 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22762 +
22763 + pax_open_kernel();
22764 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22765 + pax_close_kernel();
22766 +
22767 arch_flush_lazy_mmu_mode();
22768
22769 return (void *)vaddr;
22770 diff -urNp linux-2.6.39.3/arch/x86/mm/ioremap.c linux-2.6.39.3/arch/x86/mm/ioremap.c
22771 --- linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-19 00:06:34.000000000 -0400
22772 +++ linux-2.6.39.3/arch/x86/mm/ioremap.c 2011-05-22 19:36:30.000000000 -0400
22773 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
22774 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
22775 int is_ram = page_is_ram(pfn);
22776
22777 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22778 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22779 return NULL;
22780 WARN_ON_ONCE(is_ram);
22781 }
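Review bot: The added `pfn >= 0x100 ||` term in `__ioremap_caller` uses a bare constant and changes policy: RAM at or above pfn 0x100 is now refused even when the page is reserved. Only frames below that keep the `PageReserved` exemption. That is a stricter rule than before and may affect drivers that ioremap reserved RAM, so it should be spelled out, e.g. `/* above 1MB never ioremap RAM; below it only reserved pages may be mapped */`. The loop sits inside a function that starts and ends outside the hunk.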
22782 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
22783 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22784
22785 static __initdata int after_paging_init;
22786 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22787 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22788
22789 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22790 {
22791 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
22792 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22793
22794 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22795 - memset(bm_pte, 0, sizeof(bm_pte));
22796 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22797 + pmd_populate_user(&init_mm, pmd, bm_pte);
22798
22799 /*
22800 * The boot-ioremap range spans multiple pmds, for which
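Review bot: Replacing `pmd_populate_kernel()` with `pmd_populate_user()` for the boot-time fixmap pmd in `early_ioremap_init` is unexplained. Read on its own it looks as if a kernel-only mapping were given user-level table permissions. The helper is defined outside this hunk, so its exact effect cannot be checked here and needs a comment at the call. The dropped `memset(bm_pte, 0, sizeof(bm_pte))` is presumably safe, because `bm_pte` has static storage and is now declared `__read_only` in the previous hunk. That reasoning should also be recorded, e.g. `/* bm_pte is static (zeroed) and read-only; no memset */`.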
22801 diff -urNp linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c
22802 --- linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-19 00:06:34.000000000 -0400
22803 +++ linux-2.6.39.3/arch/x86/mm/kmemcheck/kmemcheck.c 2011-05-22 19:36:30.000000000 -0400
22804 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22805 * memory (e.g. tracked pages)? For now, we need this to avoid
22806 * invoking kmemcheck for PnP BIOS calls.
22807 */
22808 - if (regs->flags & X86_VM_MASK)
22809 + if (v8086_mode(regs))
22810 return false;
22811 - if (regs->cs != __KERNEL_CS)
22812 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22813 return false;
22814
22815 pte = kmemcheck_pte_lookup(address);
22816 diff -urNp linux-2.6.39.3/arch/x86/mm/mmap.c linux-2.6.39.3/arch/x86/mm/mmap.c
22817 --- linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
22818 +++ linux-2.6.39.3/arch/x86/mm/mmap.c 2011-05-22 19:36:30.000000000 -0400
22819 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22820 * Leave an at least ~128 MB hole with possible stack randomization.
22821 */
22822 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22823 -#define MAX_GAP (TASK_SIZE/6*5)
22824 +#define MAX_GAP (pax_task_size/6*5)
22825
22826 /*
22827 * True on X86_32 or when emulating IA32 on X86_64
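Review bot: `MAX_GAP` now expands to `(pax_task_size/6*5)`, so the macro only compiles where a local variable with exactly that name is in scope, and the dependency is invisible at the `else if (gap > MAX_GAP)` use site in `mmap_base`. Passing the size explicitly keeps the macro self-contained: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))`.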
22828 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22829 return rnd << PAGE_SHIFT;
22830 }
22831
22832 -static unsigned long mmap_base(void)
22833 +static unsigned long mmap_base(struct mm_struct *mm)
22834 {
22835 unsigned long gap = rlimit(RLIMIT_STACK);
22836 + unsigned long pax_task_size = TASK_SIZE;
22837 +
22838 +#ifdef CONFIG_PAX_SEGMEXEC
22839 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22840 + pax_task_size = SEGMEXEC_TASK_SIZE;
22841 +#endif
22842
22843 if (gap < MIN_GAP)
22844 gap = MIN_GAP;
22845 else if (gap > MAX_GAP)
22846 gap = MAX_GAP;
22847
22848 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22849 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22850 }
22851
22852 /*
22853 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22854 * does, but not when emulating X86_32
22855 */
22856 -static unsigned long mmap_legacy_base(void)
22857 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22858 {
22859 - if (mmap_is_ia32())
22860 + if (mmap_is_ia32()) {
22861 +
22862 +#ifdef CONFIG_PAX_SEGMEXEC
22863 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22864 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22865 + else
22866 +#endif
22867 +
22868 return TASK_UNMAPPED_BASE;
22869 - else
22870 + } else
22871 return TASK_UNMAPPED_BASE + mmap_rnd();
22872 }
22873
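Review bot: In `mmap_legacy_base` the `else` after `return SEGMEXEC_TASK_UNMAPPED_BASE;` sits inside the `#ifdef CONFIG_PAX_SEGMEXEC` block and takes the `return TASK_UNMAPPED_BASE;` after `#endif` as its body. It compiles either way, but the control flow changes shape with the config option and is easy to break when a statement is inserted after `#endif`. Since the guarded branch returns, the `else` line can simply be deleted. `x86_configure_nx` in arch/x86/mm/setup_nx.c uses the same `else` / `#endif` construction later in this patch and would read better with the preprocessor test kept outside the `if`.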
22874 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22875 void arch_pick_mmap_layout(struct mm_struct *mm)
22876 {
22877 if (mmap_is_legacy()) {
22878 - mm->mmap_base = mmap_legacy_base();
22879 + mm->mmap_base = mmap_legacy_base(mm);
22880 +
22881 +#ifdef CONFIG_PAX_RANDMMAP
22882 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22883 + mm->mmap_base += mm->delta_mmap;
22884 +#endif
22885 +
22886 mm->get_unmapped_area = arch_get_unmapped_area;
22887 mm->unmap_area = arch_unmap_area;
22888 } else {
22889 - mm->mmap_base = mmap_base();
22890 + mm->mmap_base = mmap_base(mm);
22891 +
22892 +#ifdef CONFIG_PAX_RANDMMAP
22893 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22894 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22895 +#endif
22896 +
22897 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22898 mm->unmap_area = arch_unmap_area_topdown;
22899 }
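Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` subtracts from an unsigned value with no lower bound, on top of the `mmap_rnd()` offset that `mmap_base()` has already subtracted. The sizes of the two deltas, and whether `mmap_rnd()` returns zero for `MF_PAX_RANDMMAP` tasks, are not visible here. I therefore cannot tell whether the two randomisations stack, or how low the base can end up when the stack rlimit pushes `gap` to `MAX_GAP`. A comment above the subtraction stating the largest possible total offset relative to `pax_task_size - MAX_GAP` would make the invariant checkable. The function's closing brace is outside the hunk.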
22900 diff -urNp linux-2.6.39.3/arch/x86/mm/mmio-mod.c linux-2.6.39.3/arch/x86/mm/mmio-mod.c
22901 --- linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-05-19 00:06:34.000000000 -0400
22902 +++ linux-2.6.39.3/arch/x86/mm/mmio-mod.c 2011-07-06 20:00:13.000000000 -0400
22903 @@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
22904 break;
22905 default:
22906 {
22907 - unsigned char *ip = (unsigned char *)instptr;
22908 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
22909 my_trace->opcode = MMIO_UNKNOWN_OP;
22910 my_trace->width = 0;
22911 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
22912 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
22913 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22914 void __iomem *addr)
22915 {
22916 - static atomic_t next_id;
22917 + static atomic_unchecked_t next_id;
22918 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22919 /* These are page-unaligned. */
22920 struct mmiotrace_map map = {
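Review bot: `next_id` becomes `atomic_unchecked_t` with no comment on why this counter is exempt from whatever checking the plain `atomic_t` operations receive in this patch set. It is only used to hand out trace ids (see `.id = atomic_inc_return_unchecked(&next_id)` in the following hunk), so wrap-around looks harmless, but that reasoning should be written down: `/* id generator, not a reference count: wrapping is acceptable */`. ioremap_trace_core continues outside the hunk.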
22921 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
22922 .private = trace
22923 },
22924 .phys = offset,
22925 - .id = atomic_inc_return(&next_id)
22926 + .id = atomic_inc_return_unchecked(&next_id)
22927 };
22928 map.map_id = trace->id;
22929
22930 diff -urNp linux-2.6.39.3/arch/x86/mm/numa_32.c linux-2.6.39.3/arch/x86/mm/numa_32.c
22931 --- linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-19 00:06:34.000000000 -0400
22932 +++ linux-2.6.39.3/arch/x86/mm/numa_32.c 2011-05-22 19:36:30.000000000 -0400
22933 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
22934 }
22935 #endif
22936
22937 -extern unsigned long find_max_low_pfn(void);
22938 extern unsigned long highend_pfn, highstart_pfn;
22939
22940 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22941 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr.c linux-2.6.39.3/arch/x86/mm/pageattr.c
22942 --- linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-19 00:06:34.000000000 -0400
22943 +++ linux-2.6.39.3/arch/x86/mm/pageattr.c 2011-05-22 19:36:30.000000000 -0400
22944 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
22945 */
22946 #ifdef CONFIG_PCI_BIOS
22947 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22948 - pgprot_val(forbidden) |= _PAGE_NX;
22949 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22950 #endif
22951
22952 /*
22953 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
22954 * Does not cover __inittext since that is gone later on. On
22955 * 64bit we do not enforce !NX on the low mapping
22956 */
22957 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22958 - pgprot_val(forbidden) |= _PAGE_NX;
22959 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22960 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22961
22962 +#ifdef CONFIG_DEBUG_RODATA
22963 /*
22964 * The .rodata section needs to be read-only. Using the pfn
22965 * catches all aliases.
22966 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
22967 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22968 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22969 pgprot_val(forbidden) |= _PAGE_RW;
22970 +#endif
22971
22972 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
22973 /*
22974 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
22975 }
22976 #endif
22977
22978 +#ifdef CONFIG_PAX_KERNEXEC
22979 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22980 + pgprot_val(forbidden) |= _PAGE_RW;
22981 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22982 + }
22983 +#endif
22984 +
22985 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22986
22987 return prot;
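Review bot: The new `CONFIG_PAX_KERNEXEC` check compares `pfn` against `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are physical byte addresses rather than page frame numbers. The `.rodata` check earlier in the same function shifts both bounds with `>> PAGE_SHIFT` before passing them to `within()`. Unless `within()` has different semantics elsewhere, the new range does not line up with the kernel image, and the `_PAGE_RW`/`_PAGE_NX` restriction would land on the wrong frames. I would write the condition as `within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)`. static_protections starts above this hunk.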
22988 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22989 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22990 {
22991 /* change init_mm */
22992 + pax_open_kernel();
22993 set_pte_atomic(kpte, pte);
22994 +
22995 #ifdef CONFIG_X86_32
22996 if (!SHARED_KERNEL_PMD) {
22997 +
22998 +#ifdef CONFIG_PAX_PER_CPU_PGD
22999 + unsigned long cpu;
23000 +#else
23001 struct page *page;
23002 +#endif
23003
23004 +#ifdef CONFIG_PAX_PER_CPU_PGD
23005 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
23006 + pgd_t *pgd = get_cpu_pgd(cpu);
23007 +#else
23008 list_for_each_entry(page, &pgd_list, lru) {
23009 - pgd_t *pgd;
23010 + pgd_t *pgd = (pgd_t *)page_address(page);
23011 +#endif
23012 +
23013 pud_t *pud;
23014 pmd_t *pmd;
23015
23016 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
23017 + pgd += pgd_index(address);
23018 pud = pud_offset(pgd, address);
23019 pmd = pmd_offset(pud, address);
23020 set_pte_atomic((pte_t *)pmd, pte);
23021 }
23022 }
23023 #endif
23024 + pax_close_kernel();
23025 }
23026
23027 static int
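Review bot: Under `CONFIG_PAX_PER_CPU_PGD` the loop in `__set_pmd_pte` runs `cpu` from 0 to `NR_CPUS - 1` and uses `get_cpu_pgd(cpu)` for every index, whether or not that CPU can exist on the running machine. How `get_cpu_pgd()` is backed is not visible here; if it is not a fully populated static table, `for_each_possible_cpu(cpu)` would be the safer iteration. The two back-to-back `#ifdef CONFIG_PAX_PER_CPU_PGD` blocks (declaration, then loop header) could also be merged into one, so that the shared loop body and its closing brace are easier to match up.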
23028 diff -urNp linux-2.6.39.3/arch/x86/mm/pageattr-test.c linux-2.6.39.3/arch/x86/mm/pageattr-test.c
23029 --- linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-19 00:06:34.000000000 -0400
23030 +++ linux-2.6.39.3/arch/x86/mm/pageattr-test.c 2011-05-22 19:36:30.000000000 -0400
23031 @@ -36,7 +36,7 @@ enum {
23032
23033 static int pte_testbit(pte_t pte)
23034 {
23035 - return pte_flags(pte) & _PAGE_UNUSED1;
23036 + return pte_flags(pte) & _PAGE_CPA_TEST;
23037 }
23038
23039 struct split_state {
23040 diff -urNp linux-2.6.39.3/arch/x86/mm/pat.c linux-2.6.39.3/arch/x86/mm/pat.c
23041 --- linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-19 00:06:34.000000000 -0400
23042 +++ linux-2.6.39.3/arch/x86/mm/pat.c 2011-05-22 19:36:30.000000000 -0400
23043 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
23044
23045 if (!entry) {
23046 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
23047 - current->comm, current->pid, start, end);
23048 + current->comm, task_pid_nr(current), start, end);
23049 return -EINVAL;
23050 }
23051
23052 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
23053 while (cursor < to) {
23054 if (!devmem_is_allowed(pfn)) {
23055 printk(KERN_INFO
23056 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
23057 - current->comm, from, to);
23058 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
23059 + current->comm, from, to, cursor);
23060 return 0;
23061 }
23062 cursor += PAGE_SIZE;
23063 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
23064 printk(KERN_INFO
23065 "%s:%d ioremap_change_attr failed %s "
23066 "for %Lx-%Lx\n",
23067 - current->comm, current->pid,
23068 + current->comm, task_pid_nr(current),
23069 cattr_name(flags),
23070 base, (unsigned long long)(base + size));
23071 return -EINVAL;
23072 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
23073 if (want_flags != flags) {
23074 printk(KERN_WARNING
23075 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
23076 - current->comm, current->pid,
23077 + current->comm, task_pid_nr(current),
23078 cattr_name(want_flags),
23079 (unsigned long long)paddr,
23080 (unsigned long long)(paddr + size),
23081 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
23082 free_memtype(paddr, paddr + size);
23083 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
23084 " for %Lx-%Lx, got %s\n",
23085 - current->comm, current->pid,
23086 + current->comm, task_pid_nr(current),
23087 cattr_name(want_flags),
23088 (unsigned long long)paddr,
23089 (unsigned long long)(paddr + size),
23090 diff -urNp linux-2.6.39.3/arch/x86/mm/pf_in.c linux-2.6.39.3/arch/x86/mm/pf_in.c
23091 --- linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-05-19 00:06:34.000000000 -0400
23092 +++ linux-2.6.39.3/arch/x86/mm/pf_in.c 2011-07-06 20:00:13.000000000 -0400
23093 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
23094 int i;
23095 enum reason_type rv = OTHERS;
23096
23097 - p = (unsigned char *)ins_addr;
23098 + p = (unsigned char *)ktla_ktva(ins_addr);
23099 p += skip_prefix(p, &prf);
23100 p += get_opcode(p, &opcode);
23101
23102 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
23103 struct prefix_bits prf;
23104 int i;
23105
23106 - p = (unsigned char *)ins_addr;
23107 + p = (unsigned char *)ktla_ktva(ins_addr);
23108 p += skip_prefix(p, &prf);
23109 p += get_opcode(p, &opcode);
23110
23111 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
23112 struct prefix_bits prf;
23113 int i;
23114
23115 - p = (unsigned char *)ins_addr;
23116 + p = (unsigned char *)ktla_ktva(ins_addr);
23117 p += skip_prefix(p, &prf);
23118 p += get_opcode(p, &opcode);
23119
23120 @@ -416,7 +416,7 @@ unsigned long get_ins_reg_val(unsigned l
23121 int i;
23122 unsigned long rv;
23123
23124 - p = (unsigned char *)ins_addr;
23125 + p = (unsigned char *)ktla_ktva(ins_addr);
23126 p += skip_prefix(p, &prf);
23127 p += get_opcode(p, &opcode);
23128 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
23129 @@ -476,7 +476,7 @@ unsigned long get_ins_imm_val(unsigned l
23130 int i;
23131 unsigned long rv;
23132
23133 - p = (unsigned char *)ins_addr;
23134 + p = (unsigned char *)ktla_ktva(ins_addr);
23135 p += skip_prefix(p, &prf);
23136 p += get_opcode(p, &opcode);
23137 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
23138 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable_32.c linux-2.6.39.3/arch/x86/mm/pgtable_32.c
23139 --- linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-19 00:06:34.000000000 -0400
23140 +++ linux-2.6.39.3/arch/x86/mm/pgtable_32.c 2011-05-22 19:36:30.000000000 -0400
23141 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
23142 return;
23143 }
23144 pte = pte_offset_kernel(pmd, vaddr);
23145 +
23146 + pax_open_kernel();
23147 if (pte_val(pteval))
23148 set_pte_at(&init_mm, vaddr, pte, pteval);
23149 else
23150 pte_clear(&init_mm, vaddr, pte);
23151 + pax_close_kernel();
23152
23153 /*
23154 * It's enough to flush this one mapping.
23155 diff -urNp linux-2.6.39.3/arch/x86/mm/pgtable.c linux-2.6.39.3/arch/x86/mm/pgtable.c
23156 --- linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-19 00:06:34.000000000 -0400
23157 +++ linux-2.6.39.3/arch/x86/mm/pgtable.c 2011-05-22 19:36:30.000000000 -0400
23158 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
23159 list_del(&page->lru);
23160 }
23161
23162 -#define UNSHARED_PTRS_PER_PGD \
23163 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23164 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23165 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
23166
23167 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23168 +{
23169 + while (count--)
23170 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
23171 +}
23172 +#endif
23173 +
23174 +#ifdef CONFIG_PAX_PER_CPU_PGD
23175 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23176 +{
23177 + while (count--)
23178 +
23179 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23180 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
23181 +#else
23182 + *dst++ = *src++;
23183 +#endif
23184
23185 +}
23186 +#endif
23187 +
23188 +#ifdef CONFIG_X86_64
23189 +#define pxd_t pud_t
23190 +#define pyd_t pgd_t
23191 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
23192 +#define pxd_free(mm, pud) pud_free((mm), (pud))
23193 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
23194 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
23195 +#define PYD_SIZE PGDIR_SIZE
23196 +#else
23197 +#define pxd_t pmd_t
23198 +#define pyd_t pud_t
23199 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
23200 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
23201 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
23202 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
23203 +#define PYD_SIZE PUD_SIZE
23204 +#endif
23205 +
23206 +#ifdef CONFIG_PAX_PER_CPU_PGD
23207 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
23208 +static inline void pgd_dtor(pgd_t *pgd) {}
23209 +#else
23210 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
23211 {
23212 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
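Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop with `while (count--)`, so a negative count from a caller would keep writing through `dst` far past the table instead of doing nothing. The callers are not in this hunk, so this may never occur in practice, but an `unsigned int count` parameter or an early return for non-positive counts makes the bound explicit. In `__clone_user_pgds` the loop body is also selected by `#if`/`#else` with no braces around it; wrapping it in `{ }` would make it harder to break when the conditional is edited.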
23213 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
23214 pgd_list_del(pgd);
23215 spin_unlock(&pgd_lock);
23216 }
23217 +#endif
23218
23219 /*
23220 * List of all pgd's needed for non-PAE so it can invalidate entries
23221 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
23222 * -- wli
23223 */
23224
23225 -#ifdef CONFIG_X86_PAE
23226 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23227 /*
23228 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
23229 * updating the top-level pagetable entries to guarantee the
23230 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
23231 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
23232 * and initialize the kernel pmds here.
23233 */
23234 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
23235 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23236
23237 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
23238 {
23239 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
23240 */
23241 flush_tlb_mm(mm);
23242 }
23243 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
23244 +#define PREALLOCATED_PXDS USER_PGD_PTRS
23245 #else /* !CONFIG_X86_PAE */
23246
23247 /* No need to prepopulate any pagetable entries in non-PAE modes. */
23248 -#define PREALLOCATED_PMDS 0
23249 +#define PREALLOCATED_PXDS 0
23250
23251 #endif /* CONFIG_X86_PAE */
23252
23253 -static void free_pmds(pmd_t *pmds[])
23254 +static void free_pxds(pxd_t *pxds[])
23255 {
23256 int i;
23257
23258 - for(i = 0; i < PREALLOCATED_PMDS; i++)
23259 - if (pmds[i])
23260 - free_page((unsigned long)pmds[i]);
23261 + for(i = 0; i < PREALLOCATED_PXDS; i++)
23262 + if (pxds[i])
23263 + free_page((unsigned long)pxds[i]);
23264 }
23265
23266 -static int preallocate_pmds(pmd_t *pmds[])
23267 +static int preallocate_pxds(pxd_t *pxds[])
23268 {
23269 int i;
23270 bool failed = false;
23271
23272 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23273 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
23274 - if (pmd == NULL)
23275 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23276 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
23277 + if (pxd == NULL)
23278 failed = true;
23279 - pmds[i] = pmd;
23280 + pxds[i] = pxd;
23281 }
23282
23283 if (failed) {
23284 - free_pmds(pmds);
23285 + free_pxds(pxds);
23286 return -ENOMEM;
23287 }
23288
23289 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
23290 * preallocate which never got a corresponding vma will need to be
23291 * freed manually.
23292 */
23293 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
23294 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
23295 {
23296 int i;
23297
23298 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23299 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23300 pgd_t pgd = pgdp[i];
23301
23302 if (pgd_val(pgd) != 0) {
23303 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
23304 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
23305
23306 - pgdp[i] = native_make_pgd(0);
23307 + set_pgd(pgdp + i, native_make_pgd(0));
23308
23309 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
23310 - pmd_free(mm, pmd);
23311 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
23312 + pxd_free(mm, pxd);
23313 }
23314 }
23315 }
23316
23317 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
23318 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
23319 {
23320 - pud_t *pud;
23321 + pyd_t *pyd;
23322 unsigned long addr;
23323 int i;
23324
23325 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
23326 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
23327 return;
23328
23329 - pud = pud_offset(pgd, 0);
23330 +#ifdef CONFIG_X86_64
23331 + pyd = pyd_offset(mm, 0L);
23332 +#else
23333 + pyd = pyd_offset(pgd, 0L);
23334 +#endif
23335
23336 - for (addr = i = 0; i < PREALLOCATED_PMDS;
23337 - i++, pud++, addr += PUD_SIZE) {
23338 - pmd_t *pmd = pmds[i];
23339 + for (addr = i = 0; i < PREALLOCATED_PXDS;
23340 + i++, pyd++, addr += PYD_SIZE) {
23341 + pxd_t *pxd = pxds[i];
23342
23343 if (i >= KERNEL_PGD_BOUNDARY)
23344 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23345 - sizeof(pmd_t) * PTRS_PER_PMD);
23346 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23347 + sizeof(pxd_t) * PTRS_PER_PMD);
23348
23349 - pud_populate(mm, pud, pmd);
23350 + pyd_populate(mm, pyd, pxd);
23351 }
23352 }
23353
23354 pgd_t *pgd_alloc(struct mm_struct *mm)
23355 {
23356 pgd_t *pgd;
23357 - pmd_t *pmds[PREALLOCATED_PMDS];
23358 + pxd_t *pxds[PREALLOCATED_PXDS];
23359
23360 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
23361
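Review bot: The `memcpy()` in `pgd_prepopulate_pxd` copies `sizeof(pxd_t) * PTRS_PER_PMD` bytes, so the element type follows the new `pxd_t` abstraction but the element count is still the PMD constant. On the x86_64 branch `pxd_t` is `pud_t` (per the `#define`s added earlier in this file), and the copy is only right while both table levels have the same number of entries. A `PTRS_PER_PXD` define next to `PYD_SIZE` would keep the two in step. Separately, `pxd_t *pxds[PREALLOCATED_PXDS]` in `pgd_alloc` is an on-stack array sized by `USER_PGD_PTRS` in the per-CPU-PGD x86_64 configuration; that value is not visible here, so it is worth confirming the array stays small enough for the kernel stack. pgd_alloc continues outside the hunk.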
23362 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23363
23364 mm->pgd = pgd;
23365
23366 - if (preallocate_pmds(pmds) != 0)
23367 + if (preallocate_pxds(pxds) != 0)
23368 goto out_free_pgd;
23369
23370 if (paravirt_pgd_alloc(mm) != 0)
23371 - goto out_free_pmds;
23372 + goto out_free_pxds;
23373
23374 /*
23375 * Make sure that pre-populating the pmds is atomic with
23376 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23377 spin_lock(&pgd_lock);
23378
23379 pgd_ctor(mm, pgd);
23380 - pgd_prepopulate_pmd(mm, pgd, pmds);
23381 + pgd_prepopulate_pxd(mm, pgd, pxds);
23382
23383 spin_unlock(&pgd_lock);
23384
23385 return pgd;
23386
23387 -out_free_pmds:
23388 - free_pmds(pmds);
23389 +out_free_pxds:
23390 + free_pxds(pxds);
23391 out_free_pgd:
23392 free_page((unsigned long)pgd);
23393 out:
23394 @@ -295,7 +344,7 @@ out:
23395
23396 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
23397 {
23398 - pgd_mop_up_pmds(mm, pgd);
23399 + pgd_mop_up_pxds(mm, pgd);
23400 pgd_dtor(pgd);
23401 paravirt_pgd_free(mm, pgd);
23402 free_page((unsigned long)pgd);
23403 diff -urNp linux-2.6.39.3/arch/x86/mm/setup_nx.c linux-2.6.39.3/arch/x86/mm/setup_nx.c
23404 --- linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-19 00:06:34.000000000 -0400
23405 +++ linux-2.6.39.3/arch/x86/mm/setup_nx.c 2011-05-22 19:36:30.000000000 -0400
23406 @@ -5,8 +5,10 @@
23407 #include <asm/pgtable.h>
23408 #include <asm/proto.h>
23409
23410 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23411 static int disable_nx __cpuinitdata;
23412
23413 +#ifndef CONFIG_PAX_PAGEEXEC
23414 /*
23415 * noexec = on|off
23416 *
23417 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
23418 return 0;
23419 }
23420 early_param("noexec", noexec_setup);
23421 +#endif
23422 +
23423 +#endif
23424
23425 void __cpuinit x86_configure_nx(void)
23426 {
23427 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23428 if (cpu_has_nx && !disable_nx)
23429 __supported_pte_mask |= _PAGE_NX;
23430 else
23431 +#endif
23432 __supported_pte_mask &= ~_PAGE_NX;
23433 }
23434
23435 diff -urNp linux-2.6.39.3/arch/x86/mm/tlb.c linux-2.6.39.3/arch/x86/mm/tlb.c
23436 --- linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-19 00:06:34.000000000 -0400
23437 +++ linux-2.6.39.3/arch/x86/mm/tlb.c 2011-05-22 19:36:30.000000000 -0400
23438 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
23439 BUG();
23440 cpumask_clear_cpu(cpu,
23441 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23442 +
23443 +#ifndef CONFIG_PAX_PER_CPU_PGD
23444 load_cr3(swapper_pg_dir);
23445 +#endif
23446 +
23447 }
23448 EXPORT_SYMBOL_GPL(leave_mm);
23449
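Review bot: The `#ifndef CONFIG_PAX_PER_CPU_PGD` around `load_cr3(swapper_pg_dir)` in `leave_mm` has no comment saying which page tables stay loaded once the CPU has been cleared from the mm's cpumask. Without the option the code reloads `swapper_pg_dir` at this point, so a reader needs to know what replaces that step in the per-CPU-PGD configuration. Presumably the per-CPU PGD simply remains in cr3, but that should be confirmed against the rest of the patch. I would add a one-line comment above the `#ifndef` stating it.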
23450 diff -urNp linux-2.6.39.3/arch/x86/oprofile/backtrace.c linux-2.6.39.3/arch/x86/oprofile/backtrace.c
23451 --- linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-19 00:06:34.000000000 -0400
23452 +++ linux-2.6.39.3/arch/x86/oprofile/backtrace.c 2011-05-22 19:36:30.000000000 -0400
23453 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
23454 struct stack_frame_ia32 *fp;
23455
23456 /* Also check accessibility of one struct frame_head beyond */
23457 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23458 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23459 return NULL;
23460 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23461 return NULL;
23462 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
23463 {
23464 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
23465
23466 - if (!user_mode_vm(regs)) {
23467 + if (!user_mode(regs)) {
23468 unsigned long stack = kernel_stack_pointer(regs);
23469 if (depth)
23470 dump_trace(NULL, regs, (unsigned long *)stack, 0,
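Review bot: `x86_backtrace` now tests `user_mode(regs)` where it used `user_mode_vm(regs)`, and nothing in the hunk says how virtual-8086 frames are classified after the change. In the unpatched tree the `_vm` variant is the one that also accounts for vm86 mode, so the two are only equivalent if the patch redefines `user_mode()` elsewhere, which is not visible here. If it does not, a vm86 frame would take the kernel-stack `dump_trace()` path. A short comment naming that redefinition would settle it, and the `__access_ok()` substitution in the previous hunk (`dump_user_backtrace_32`) deserves the same one-line rationale.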
23471 diff -urNp linux-2.6.39.3/arch/x86/pci/ce4100.c linux-2.6.39.3/arch/x86/pci/ce4100.c
23472 --- linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-19 00:06:34.000000000 -0400
23473 +++ linux-2.6.39.3/arch/x86/pci/ce4100.c 2011-05-22 19:36:30.000000000 -0400
23474 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
23475 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
23476 }
23477
23478 -struct pci_raw_ops ce4100_pci_conf = {
23479 +const struct pci_raw_ops ce4100_pci_conf = {
23480 .read = ce4100_conf_read,
23481 .write = ce4100_conf_write,
23482 };
23483 diff -urNp linux-2.6.39.3/arch/x86/pci/common.c linux-2.6.39.3/arch/x86/pci/common.c
23484 --- linux-2.6.39.3/arch/x86/pci/common.c 2011-05-19 00:06:34.000000000 -0400
23485 +++ linux-2.6.39.3/arch/x86/pci/common.c 2011-05-22 19:36:30.000000000 -0400
23486 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
23487 int pcibios_last_bus = -1;
23488 unsigned long pirq_table_addr;
23489 struct pci_bus *pci_root_bus;
23490 -struct pci_raw_ops *raw_pci_ops;
23491 -struct pci_raw_ops *raw_pci_ext_ops;
23492 +const struct pci_raw_ops *raw_pci_ops;
23493 +const struct pci_raw_ops *raw_pci_ext_ops;
23494
23495 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23496 int reg, int len, u32 *val)
23497 diff -urNp linux-2.6.39.3/arch/x86/pci/direct.c linux-2.6.39.3/arch/x86/pci/direct.c
23498 --- linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-19 00:06:34.000000000 -0400
23499 +++ linux-2.6.39.3/arch/x86/pci/direct.c 2011-05-22 19:36:30.000000000 -0400
23500 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23501
23502 #undef PCI_CONF1_ADDRESS
23503
23504 -struct pci_raw_ops pci_direct_conf1 = {
23505 +const struct pci_raw_ops pci_direct_conf1 = {
23506 .read = pci_conf1_read,
23507 .write = pci_conf1_write,
23508 };
23509 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23510
23511 #undef PCI_CONF2_ADDRESS
23512
23513 -struct pci_raw_ops pci_direct_conf2 = {
23514 +const struct pci_raw_ops pci_direct_conf2 = {
23515 .read = pci_conf2_read,
23516 .write = pci_conf2_write,
23517 };
23518 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23519 * This should be close to trivial, but it isn't, because there are buggy
23520 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23521 */
23522 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23523 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23524 {
23525 u32 x = 0;
23526 int year, devfn;
23527 diff -urNp linux-2.6.39.3/arch/x86/pci/fixup.c linux-2.6.39.3/arch/x86/pci/fixup.c
23528 --- linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-19 00:06:34.000000000 -0400
23529 +++ linux-2.6.39.3/arch/x86/pci/fixup.c 2011-05-22 19:36:30.000000000 -0400
23530 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
23531 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
23532 },
23533 },
23534 - { }
23535 + {}
23536 };
23537
23538 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
23539 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_32.c linux-2.6.39.3/arch/x86/pci/mmconfig_32.c
23540 --- linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-19 00:06:34.000000000 -0400
23541 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_32.c 2011-05-22 19:36:30.000000000 -0400
23542 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
23543 return 0;
23544 }
23545
23546 -static struct pci_raw_ops pci_mmcfg = {
23547 +static const struct pci_raw_ops pci_mmcfg = {
23548 .read = pci_mmcfg_read,
23549 .write = pci_mmcfg_write,
23550 };
23551 diff -urNp linux-2.6.39.3/arch/x86/pci/mmconfig_64.c linux-2.6.39.3/arch/x86/pci/mmconfig_64.c
23552 --- linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-19 00:06:34.000000000 -0400
23553 +++ linux-2.6.39.3/arch/x86/pci/mmconfig_64.c 2011-05-22 19:36:30.000000000 -0400
23554 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
23555 return 0;
23556 }
23557
23558 -static struct pci_raw_ops pci_mmcfg = {
23559 +static const struct pci_raw_ops pci_mmcfg = {
23560 .read = pci_mmcfg_read,
23561 .write = pci_mmcfg_write,
23562 };
23563 diff -urNp linux-2.6.39.3/arch/x86/pci/mrst.c linux-2.6.39.3/arch/x86/pci/mrst.c
23564 --- linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-19 00:06:34.000000000 -0400
23565 +++ linux-2.6.39.3/arch/x86/pci/mrst.c 2011-05-22 19:36:30.000000000 -0400
23566 @@ -218,7 +218,7 @@ static int mrst_pci_irq_enable(struct pc
23567 return 0;
23568 }
23569
23570 -struct pci_ops pci_mrst_ops = {
23571 +const struct pci_ops pci_mrst_ops = {
23572 .read = pci_read,
23573 .write = pci_write,
23574 };
23575 diff -urNp linux-2.6.39.3/arch/x86/pci/numaq_32.c linux-2.6.39.3/arch/x86/pci/numaq_32.c
23576 --- linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-19 00:06:34.000000000 -0400
23577 +++ linux-2.6.39.3/arch/x86/pci/numaq_32.c 2011-05-22 19:36:30.000000000 -0400
23578 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
23579
23580 #undef PCI_CONF1_MQ_ADDRESS
23581
23582 -static struct pci_raw_ops pci_direct_conf1_mq = {
23583 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23584 .read = pci_conf1_mq_read,
23585 .write = pci_conf1_mq_write
23586 };
23587 diff -urNp linux-2.6.39.3/arch/x86/pci/olpc.c linux-2.6.39.3/arch/x86/pci/olpc.c
23588 --- linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-19 00:06:34.000000000 -0400
23589 +++ linux-2.6.39.3/arch/x86/pci/olpc.c 2011-05-22 19:36:30.000000000 -0400
23590 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23591 return 0;
23592 }
23593
23594 -static struct pci_raw_ops pci_olpc_conf = {
23595 +static const struct pci_raw_ops pci_olpc_conf = {
23596 .read = pci_olpc_read,
23597 .write = pci_olpc_write,
23598 };
23599 diff -urNp linux-2.6.39.3/arch/x86/pci/pcbios.c linux-2.6.39.3/arch/x86/pci/pcbios.c
23600 --- linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-19 00:06:34.000000000 -0400
23601 +++ linux-2.6.39.3/arch/x86/pci/pcbios.c 2011-05-22 19:36:30.000000000 -0400
23602 @@ -79,50 +79,93 @@ union bios32 {
23603 static struct {
23604 unsigned long address;
23605 unsigned short segment;
23606 -} bios32_indirect = { 0, __KERNEL_CS };
23607 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23608
23609 /*
23610 * Returns the entry point for the given service, NULL on error
23611 */
23612
23613 -static unsigned long bios32_service(unsigned long service)
23614 +static unsigned long __devinit bios32_service(unsigned long service)
23615 {
23616 unsigned char return_code; /* %al */
23617 unsigned long address; /* %ebx */
23618 unsigned long length; /* %ecx */
23619 unsigned long entry; /* %edx */
23620 unsigned long flags;
23621 + struct desc_struct d, *gdt;
23622
23623 local_irq_save(flags);
23624 - __asm__("lcall *(%%edi); cld"
23625 +
23626 + gdt = get_cpu_gdt_table(smp_processor_id());
23627 +
23628 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23629 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23630 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23631 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23632 +
23633 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23634 : "=a" (return_code),
23635 "=b" (address),
23636 "=c" (length),
23637 "=d" (entry)
23638 : "0" (service),
23639 "1" (0),
23640 - "D" (&bios32_indirect));
23641 + "D" (&bios32_indirect),
23642 + "r"(__PCIBIOS_DS)
23643 + : "memory");
23644 +
23645 + pax_open_kernel();
23646 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23647 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23648 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23649 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23650 + pax_close_kernel();
23651 +
23652 local_irq_restore(flags);
23653
23654 switch (return_code) {
23655 - case 0:
23656 - return address + entry;
23657 - case 0x80: /* Not present */
23658 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23659 - return 0;
23660 - default: /* Shouldn't happen */
23661 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23662 - service, return_code);
23663 + case 0: {
23664 + int cpu;
23665 + unsigned char flags;
23666 +
23667 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23668 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23669 + printk(KERN_WARNING "bios32_service: not valid\n");
23670 return 0;
23671 + }
23672 + address = address + PAGE_OFFSET;
23673 + length += 16UL; /* some BIOSs underreport this... */
23674 + flags = 4;
23675 + if (length >= 64*1024*1024) {
23676 + length >>= PAGE_SHIFT;
23677 + flags |= 8;
23678 + }
23679 +
23680 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23681 + gdt = get_cpu_gdt_table(cpu);
23682 + pack_descriptor(&d, address, length, 0x9b, flags);
23683 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23684 + pack_descriptor(&d, address, length, 0x93, flags);
23685 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23686 + }
23687 + return entry;
23688 + }
23689 + case 0x80: /* Not present */
23690 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23691 + return 0;
23692 + default: /* Shouldn't happen */
23693 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23694 + service, return_code);
23695 + return 0;
23696 }
23697 }
23698
23699 static struct {
23700 unsigned long address;
23701 unsigned short segment;
23702 -} pci_indirect = { 0, __KERNEL_CS };
23703 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23704
23705 -static int pci_bios_present;
23706 +static int pci_bios_present __read_only;
23707
23708 static int __devinit check_pcibios(void)
23709 {
23710 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
23711 unsigned long flags, pcibios_entry;
23712
23713 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23714 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23715 + pci_indirect.address = pcibios_entry;
23716
23717 local_irq_save(flags);
23718 - __asm__(
23719 - "lcall *(%%edi); cld\n\t"
23720 + __asm__("movw %w6, %%ds\n\t"
23721 + "lcall *%%ss:(%%edi); cld\n\t"
23722 + "push %%ss\n\t"
23723 + "pop %%ds\n\t"
23724 "jc 1f\n\t"
23725 "xor %%ah, %%ah\n"
23726 "1:"
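Review bot: The `%%ss:` override on `lcall *%%ss:(%%edi)` is load-bearing and has no comment. Once `movw %w6, %%ds` has switched DS to `__PCIBIOS_DS`, a plain `(%%edi)` would fetch `pci_indirect` through the BIOS data segment rather than the kernel's. I would put `/* DS is the BIOS segment across the call: reach pci_indirect via SS, then restore DS from SS */` above the asm. The same sequence recurs uncommented in the pci_bios_read, pci_bios_write, pcibios_get_irq_routing and pcibios_set_irq_routing hunks, where the operand index (`%w6`, `%w8`, `%w5`) must be kept in step with each constraint list by hand. check_pcibios continues outside this hunk.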
23727 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
23728 "=b" (ebx),
23729 "=c" (ecx)
23730 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23731 - "D" (&pci_indirect)
23732 + "D" (&pci_indirect),
23733 + "r" (__PCIBIOS_DS)
23734 : "memory");
23735 local_irq_restore(flags);
23736
23737 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
23738
23739 switch (len) {
23740 case 1:
23741 - __asm__("lcall *(%%esi); cld\n\t"
23742 + __asm__("movw %w6, %%ds\n\t"
23743 + "lcall *%%ss:(%%esi); cld\n\t"
23744 + "push %%ss\n\t"
23745 + "pop %%ds\n\t"
23746 "jc 1f\n\t"
23747 "xor %%ah, %%ah\n"
23748 "1:"
23749 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
23750 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23751 "b" (bx),
23752 "D" ((long)reg),
23753 - "S" (&pci_indirect));
23754 + "S" (&pci_indirect),
23755 + "r" (__PCIBIOS_DS));
23756 /*
23757 * Zero-extend the result beyond 8 bits, do not trust the
23758 * BIOS having done it:
23759 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
23760 *value &= 0xff;
23761 break;
23762 case 2:
23763 - __asm__("lcall *(%%esi); cld\n\t"
23764 + __asm__("movw %w6, %%ds\n\t"
23765 + "lcall *%%ss:(%%esi); cld\n\t"
23766 + "push %%ss\n\t"
23767 + "pop %%ds\n\t"
23768 "jc 1f\n\t"
23769 "xor %%ah, %%ah\n"
23770 "1:"
23771 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
23772 : "1" (PCIBIOS_READ_CONFIG_WORD),
23773 "b" (bx),
23774 "D" ((long)reg),
23775 - "S" (&pci_indirect));
23776 + "S" (&pci_indirect),
23777 + "r" (__PCIBIOS_DS));
23778 /*
23779 * Zero-extend the result beyond 16 bits, do not trust the
23780 * BIOS having done it:
23781 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
23782 *value &= 0xffff;
23783 break;
23784 case 4:
23785 - __asm__("lcall *(%%esi); cld\n\t"
23786 + __asm__("movw %w6, %%ds\n\t"
23787 + "lcall *%%ss:(%%esi); cld\n\t"
23788 + "push %%ss\n\t"
23789 + "pop %%ds\n\t"
23790 "jc 1f\n\t"
23791 "xor %%ah, %%ah\n"
23792 "1:"
23793 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
23794 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23795 "b" (bx),
23796 "D" ((long)reg),
23797 - "S" (&pci_indirect));
23798 + "S" (&pci_indirect),
23799 + "r" (__PCIBIOS_DS));
23800 break;
23801 }
23802
23803 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
23804
23805 switch (len) {
23806 case 1:
23807 - __asm__("lcall *(%%esi); cld\n\t"
23808 + __asm__("movw %w6, %%ds\n\t"
23809 + "lcall *%%ss:(%%esi); cld\n\t"
23810 + "push %%ss\n\t"
23811 + "pop %%ds\n\t"
23812 "jc 1f\n\t"
23813 "xor %%ah, %%ah\n"
23814 "1:"
23815 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
23816 "c" (value),
23817 "b" (bx),
23818 "D" ((long)reg),
23819 - "S" (&pci_indirect));
23820 + "S" (&pci_indirect),
23821 + "r" (__PCIBIOS_DS));
23822 break;
23823 case 2:
23824 - __asm__("lcall *(%%esi); cld\n\t"
23825 + __asm__("movw %w6, %%ds\n\t"
23826 + "lcall *%%ss:(%%esi); cld\n\t"
23827 + "push %%ss\n\t"
23828 + "pop %%ds\n\t"
23829 "jc 1f\n\t"
23830 "xor %%ah, %%ah\n"
23831 "1:"
23832 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
23833 "c" (value),
23834 "b" (bx),
23835 "D" ((long)reg),
23836 - "S" (&pci_indirect));
23837 + "S" (&pci_indirect),
23838 + "r" (__PCIBIOS_DS));
23839 break;
23840 case 4:
23841 - __asm__("lcall *(%%esi); cld\n\t"
23842 + __asm__("movw %w6, %%ds\n\t"
23843 + "lcall *%%ss:(%%esi); cld\n\t"
23844 + "push %%ss\n\t"
23845 + "pop %%ds\n\t"
23846 "jc 1f\n\t"
23847 "xor %%ah, %%ah\n"
23848 "1:"
23849 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
23850 "c" (value),
23851 "b" (bx),
23852 "D" ((long)reg),
23853 - "S" (&pci_indirect));
23854 + "S" (&pci_indirect),
23855 + "r" (__PCIBIOS_DS));
23856 break;
23857 }
23858
23859 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
23860 * Function table for BIOS32 access
23861 */
23862
23863 -static struct pci_raw_ops pci_bios_access = {
23864 +static const struct pci_raw_ops pci_bios_access = {
23865 .read = pci_bios_read,
23866 .write = pci_bios_write
23867 };
23868 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
23869 * Try to find PCI BIOS.
23870 */
23871
23872 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23873 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23874 {
23875 union bios32 *check;
23876 unsigned char sum;
23877 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
23878
23879 DBG("PCI: Fetching IRQ routing table... ");
23880 __asm__("push %%es\n\t"
23881 + "movw %w8, %%ds\n\t"
23882 "push %%ds\n\t"
23883 "pop %%es\n\t"
23884 - "lcall *(%%esi); cld\n\t"
23885 + "lcall *%%ss:(%%esi); cld\n\t"
23886 "pop %%es\n\t"
23887 + "push %%ss\n\t"
23888 + "pop %%ds\n"
23889 "jc 1f\n\t"
23890 "xor %%ah, %%ah\n"
23891 "1:"
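Review bot: ES ends up holding `__PCIBIOS_DS` for the call, because the added `movw %w8, %%ds` runs before the existing `push %%ds; pop %%es`, while the following hunk still passes `"D" ((long) &opt)` as a flat kernel address. The descriptor that bios32_service writes for GDT_ENTRY_PCIBIOS_DS uses base `address + PAGE_OFFSET`, so if the BIOS reaches the options buffer through ES:EDI it would no longer land on `opt`. That cannot be confirmed from these lines and should be checked against the PCI BIOS calling convention. If ES is meant to stay flat, ordering the lines as `"push %%ds\n\t" "pop %%es\n\t" "movw %w8, %%ds\n\t"` would keep it so. The function starts and ends outside this hunk.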
23892 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
23893 "1" (0),
23894 "D" ((long) &opt),
23895 "S" (&pci_indirect),
23896 - "m" (opt)
23897 + "m" (opt),
23898 + "r" (__PCIBIOS_DS)
23899 : "memory");
23900 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23901 if (ret & 0xff00)
23902 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
23903 {
23904 int ret;
23905
23906 - __asm__("lcall *(%%esi); cld\n\t"
23907 + __asm__("movw %w5, %%ds\n\t"
23908 + "lcall *%%ss:(%%esi); cld\n\t"
23909 + "push %%ss\n\t"
23910 + "pop %%ds\n"
23911 "jc 1f\n\t"
23912 "xor %%ah, %%ah\n"
23913 "1:"
23914 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
23915 : "0" (PCIBIOS_SET_PCI_HW_INT),
23916 "b" ((dev->bus->number << 8) | dev->devfn),
23917 "c" ((irq << 8) | (pin + 10)),
23918 - "S" (&pci_indirect));
23919 + "S" (&pci_indirect),
23920 + "r" (__PCIBIOS_DS));
23921 return !(ret & 0xff00);
23922 }
23923 EXPORT_SYMBOL(pcibios_set_irq_routing);
23924 diff -urNp linux-2.6.39.3/arch/x86/pci/xen.c linux-2.6.39.3/arch/x86/pci/xen.c
23925 --- linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:18:51.000000000 -0400
23926 +++ linux-2.6.39.3/arch/x86/pci/xen.c 2011-07-09 09:19:18.000000000 -0400
23927 @@ -62,7 +62,7 @@ static int acpi_register_gsi_xen_hvm(str
23928 #include <linux/msi.h>
23929 #include <asm/msidef.h>
23930
23931 -struct xen_pci_frontend_ops *xen_pci_frontend;
23932 +const struct xen_pci_frontend_ops *xen_pci_frontend;
23933 EXPORT_SYMBOL_GPL(xen_pci_frontend);
23934
23935 #define XEN_PIRQ_MSI_DATA (MSI_DATA_TRIGGER_EDGE | \
23936 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_32.c linux-2.6.39.3/arch/x86/platform/efi/efi_32.c
23937 --- linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-19 00:06:34.000000000 -0400
23938 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_32.c 2011-05-22 19:36:30.000000000 -0400
23939 @@ -38,70 +38,37 @@
23940 */
23941
23942 static unsigned long efi_rt_eflags;
23943 -static pgd_t efi_bak_pg_dir_pointer[2];
23944 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
23945
23946 -void efi_call_phys_prelog(void)
23947 +void __init efi_call_phys_prelog(void)
23948 {
23949 - unsigned long cr4;
23950 - unsigned long temp;
23951 struct desc_ptr gdt_descr;
23952
23953 local_irq_save(efi_rt_eflags);
23954
23955 - /*
23956 - * If I don't have PAE, I should just duplicate two entries in page
23957 - * directory. If I have PAE, I just need to duplicate one entry in
23958 - * page directory.
23959 - */
23960 - cr4 = read_cr4_safe();
23961 -
23962 - if (cr4 & X86_CR4_PAE) {
23963 - efi_bak_pg_dir_pointer[0].pgd =
23964 - swapper_pg_dir[pgd_index(0)].pgd;
23965 - swapper_pg_dir[0].pgd =
23966 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23967 - } else {
23968 - efi_bak_pg_dir_pointer[0].pgd =
23969 - swapper_pg_dir[pgd_index(0)].pgd;
23970 - efi_bak_pg_dir_pointer[1].pgd =
23971 - swapper_pg_dir[pgd_index(0x400000)].pgd;
23972 - swapper_pg_dir[pgd_index(0)].pgd =
23973 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
23974 - temp = PAGE_OFFSET + 0x400000;
23975 - swapper_pg_dir[pgd_index(0x400000)].pgd =
23976 - swapper_pg_dir[pgd_index(temp)].pgd;
23977 - }
23978 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
23979 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23980 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
23981
23982 /*
23983 * After the lock is released, the original page table is restored.
23984 */
23985 __flush_tlb_all();
23986
23987 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
23988 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
23989 gdt_descr.size = GDT_SIZE - 1;
23990 load_gdt(&gdt_descr);
23991 }
23992
23993 -void efi_call_phys_epilog(void)
23994 +void __init efi_call_phys_epilog(void)
23995 {
23996 - unsigned long cr4;
23997 struct desc_ptr gdt_descr;
23998
23999 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
24000 + gdt_descr.address = get_cpu_gdt_table(0);
24001 gdt_descr.size = GDT_SIZE - 1;
24002 load_gdt(&gdt_descr);
24003
24004 - cr4 = read_cr4_safe();
24005 -
24006 - if (cr4 & X86_CR4_PAE) {
24007 - swapper_pg_dir[pgd_index(0)].pgd =
24008 - efi_bak_pg_dir_pointer[0].pgd;
24009 - } else {
24010 - swapper_pg_dir[pgd_index(0)].pgd =
24011 - efi_bak_pg_dir_pointer[0].pgd;
24012 - swapper_pg_dir[pgd_index(0x400000)].pgd =
24013 - efi_bak_pg_dir_pointer[1].pgd;
24014 - }
24015 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
24016
24017 /*
24018 * After the lock is released, the original page table is restored.
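Review bot: The two `clone_pgd_range()` calls in efi_call_phys_prelog replace a commented PAE/non-PAE branch and have no comment of their own, so the reason for the `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` count is left for the reader to work out. I would add `/* save the low PGD entries, then alias the kernel mapping at virtual 0 for the physical-mode call */` above them and `/* undo the low alias set up in the prelog */` above the restore in efi_call_phys_epilog. Both functions are now `__init` and the backup array is `__initdata`, so every caller has to be init-only as well; that cannot be verified from this hunk. The cast `(struct desc_struct *)__pa(...)` stores a physical address in a pointer-typed field, which also deserves a one-line remark. efi_call_phys_epilog continues outside the hunk.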
24019 diff -urNp linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S
24020 --- linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-19 00:06:34.000000000 -0400
24021 +++ linux-2.6.39.3/arch/x86/platform/efi/efi_stub_32.S 2011-05-22 19:36:30.000000000 -0400
24022 @@ -6,6 +6,7 @@
24023 */
24024
24025 #include <linux/linkage.h>
24026 +#include <linux/init.h>
24027 #include <asm/page_types.h>
24028
24029 /*
24030 @@ -20,7 +21,7 @@
24031 * service functions will comply with gcc calling convention, too.
24032 */
24033
24034 -.text
24035 +__INIT
24036 ENTRY(efi_call_phys)
24037 /*
24038 * 0. The function can only be called in Linux kernel. So CS has been
24039 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
24040 * The mapping of lower virtual memory has been created in prelog and
24041 * epilog.
24042 */
24043 - movl $1f, %edx
24044 - subl $__PAGE_OFFSET, %edx
24045 - jmp *%edx
24046 + jmp 1f-__PAGE_OFFSET
24047 1:
24048
24049 /*
24050 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
24051 * parameter 2, ..., param n. To make things easy, we save the return
24052 * address of efi_call_phys in a global variable.
24053 */
24054 - popl %edx
24055 - movl %edx, saved_return_addr
24056 - /* get the function pointer into ECX*/
24057 - popl %ecx
24058 - movl %ecx, efi_rt_function_ptr
24059 - movl $2f, %edx
24060 - subl $__PAGE_OFFSET, %edx
24061 - pushl %edx
24062 + popl (saved_return_addr)
24063 + popl (efi_rt_function_ptr)
24064
24065 /*
24066 * 3. Clear PG bit in %CR0.
24067 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
24068 /*
24069 * 5. Call the physical function.
24070 */
24071 - jmp *%ecx
24072 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
24073
24074 -2:
24075 /*
24076 * 6. After EFI runtime service returns, control will return to
24077 * following instruction. We'd better readjust stack pointer first.
24078 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
24079 movl %cr0, %edx
24080 orl $0x80000000, %edx
24081 movl %edx, %cr0
24082 - jmp 1f
24083 -1:
24084 +
24085 /*
24086 * 8. Now restore the virtual mode from flat mode by
24087 * adding EIP with PAGE_OFFSET.
24088 */
24089 - movl $1f, %edx
24090 - jmp *%edx
24091 + jmp 1f+__PAGE_OFFSET
24092 1:
24093
24094 /*
24095 * 9. Balance the stack. And because EAX contain the return value,
24096 * we'd better not clobber it.
24097 */
24098 - leal efi_rt_function_ptr, %edx
24099 - movl (%edx), %ecx
24100 - pushl %ecx
24101 + pushl (efi_rt_function_ptr)
24102
24103 /*
24104 - * 10. Push the saved return address onto the stack and return.
24105 + * 10. Return to the saved return address.
24106 */
24107 - leal saved_return_addr, %edx
24108 - movl (%edx), %ecx
24109 - pushl %ecx
24110 - ret
24111 + jmpl *(saved_return_addr)
24112 ENDPROC(efi_call_phys)
24113 .previous
24114
24115 -.data
24116 +__INITDATA
24117 saved_return_addr:
24118 .long 0
24119 efi_rt_function_ptr:
24120 diff -urNp linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c
24121 --- linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-19 00:06:34.000000000 -0400
24122 +++ linux-2.6.39.3/arch/x86/platform/olpc/olpc_dt.c 2011-05-22 19:36:30.000000000 -0400
24123 @@ -154,7 +154,7 @@ void * __init prom_early_alloc(unsigned
24124 return res;
24125 }
24126
24127 -static struct of_pdt_ops prom_olpc_ops __initdata = {
24128 +static const struct of_pdt_ops prom_olpc_ops = {
24129 .nextprop = olpc_dt_nextprop,
24130 .getproplen = olpc_dt_getproplen,
24131 .getproperty = olpc_dt_getproperty,
24132 diff -urNp linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c
24133 --- linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-19 00:06:34.000000000 -0400
24134 +++ linux-2.6.39.3/arch/x86/platform/uv/tlb_uv.c 2011-05-22 19:36:30.000000000 -0400
24135 @@ -342,6 +342,8 @@ static void uv_reset_with_ipi(struct bau
24136 cpumask_t mask;
24137 struct reset_args reset_args;
24138
24139 + pax_track_stack();
24140 +
24141 reset_args.sender = sender;
24142
24143 cpus_clear(mask);
24144 diff -urNp linux-2.6.39.3/arch/x86/power/cpu.c linux-2.6.39.3/arch/x86/power/cpu.c
24145 --- linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-19 00:06:34.000000000 -0400
24146 +++ linux-2.6.39.3/arch/x86/power/cpu.c 2011-05-22 19:36:30.000000000 -0400
24147 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
24148 static void fix_processor_context(void)
24149 {
24150 int cpu = smp_processor_id();
24151 - struct tss_struct *t = &per_cpu(init_tss, cpu);
24152 + struct tss_struct *t = init_tss + cpu;
24153
24154 set_tss_desc(cpu, t); /*
24155 * This just modifies memory; should not be
24156 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
24157 */
24158
24159 #ifdef CONFIG_X86_64
24160 + pax_open_kernel();
24161 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
24162 + pax_close_kernel();
24163
24164 syscall_init(); /* This sets MSR_*STAR and related */
24165 #endif
24166 diff -urNp linux-2.6.39.3/arch/x86/vdso/Makefile linux-2.6.39.3/arch/x86/vdso/Makefile
24167 --- linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-19 00:06:34.000000000 -0400
24168 +++ linux-2.6.39.3/arch/x86/vdso/Makefile 2011-05-22 19:36:30.000000000 -0400
24169 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
24170 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
24171 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
24172
24173 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24174 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24175 GCOV_PROFILE := n
24176
24177 #
24178 diff -urNp linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c
24179 --- linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-19 00:06:34.000000000 -0400
24180 +++ linux-2.6.39.3/arch/x86/vdso/vclock_gettime.c 2011-05-22 19:36:30.000000000 -0400
24181 @@ -22,24 +22,48 @@
24182 #include <asm/hpet.h>
24183 #include <asm/unistd.h>
24184 #include <asm/io.h>
24185 +#include <asm/fixmap.h>
24186 #include "vextern.h"
24187
24188 #define gtod vdso_vsyscall_gtod_data
24189
24190 +notrace noinline long __vdso_fallback_time(long *t)
24191 +{
24192 + long secs;
24193 + asm volatile("syscall"
24194 + : "=a" (secs)
24195 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
24196 + return secs;
24197 +}
24198 +
24199 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
24200 {
24201 long ret;
24202 asm("syscall" : "=a" (ret) :
24203 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
24204 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
24205 return ret;
24206 }
24207
24208 +notrace static inline cycle_t __vdso_vread_hpet(void)
24209 +{
24210 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
24211 +}
24212 +
24213 +notrace static inline cycle_t __vdso_vread_tsc(void)
24214 +{
24215 + cycle_t ret = (cycle_t)vget_cycles();
24216 +
24217 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
24218 +}
24219 +
24220 notrace static inline long vgetns(void)
24221 {
24222 long v;
24223 - cycles_t (*vread)(void);
24224 - vread = gtod->clock.vread;
24225 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
24226 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
24227 + v = __vdso_vread_tsc();
24228 + else
24229 + v = __vdso_vread_hpet();
24230 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
24231 return (v * gtod->clock.mult) >> gtod->clock.shift;
24232 }
24233
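Review bot: The character-by-character test of `gtod->clock.name` in vgetns is written out again in the __vdso_clock_gettime and __vdso_gettimeofday hunks, twice per condition. That makes the three copies easy to let drift apart and the long `likely(...)` lines hard to read. Presumably the open-coded compare exists because the vDSO cannot call kernel string helpers; two small `notrace static inline` predicates keep that property and name the intent. As written, vgetns also reads the HPET for any name that is not "tsc", so it depends on every caller having made the hpet-or-tsc check first, and a comment saying so would help.

```c
/* Open-coded compares: vDSO code must stay self-contained. */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	long v;

	/* Callers must already have checked that the clock is hpet or tsc. */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask, mult and shift … */
```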
24234 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
24235
24236 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
24237 {
24238 - if (likely(gtod->sysctl_enabled))
24239 + if (likely(gtod->sysctl_enabled &&
24240 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24241 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24242 switch (clock) {
24243 case CLOCK_REALTIME:
24244 if (likely(gtod->clock.vread))
24245 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
24246 int clock_gettime(clockid_t, struct timespec *)
24247 __attribute__((weak, alias("__vdso_clock_gettime")));
24248
24249 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24250 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
24251 {
24252 long ret;
24253 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
24254 + asm("syscall" : "=a" (ret) :
24255 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
24256 + return ret;
24257 +}
24258 +
24259 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24260 +{
24261 + if (likely(gtod->sysctl_enabled &&
24262 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24263 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24264 + {
24265 if (likely(tv != NULL)) {
24266 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
24267 offsetof(struct timespec, tv_nsec) ||
24268 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
24269 }
24270 return 0;
24271 }
24272 - asm("syscall" : "=a" (ret) :
24273 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
24274 - return ret;
24275 + return __vdso_fallback_gettimeofday(tv, tz);
24276 }
24277 int gettimeofday(struct timeval *, struct timezone *)
24278 __attribute__((weak, alias("__vdso_gettimeofday")));
24279 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c
24280 --- linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-19 00:06:34.000000000 -0400
24281 +++ linux-2.6.39.3/arch/x86/vdso/vdso32-setup.c 2011-05-22 19:36:30.000000000 -0400
24282 @@ -25,6 +25,7 @@
24283 #include <asm/tlbflush.h>
24284 #include <asm/vdso.h>
24285 #include <asm/proto.h>
24286 +#include <asm/mman.h>
24287
24288 enum {
24289 VDSO_DISABLED = 0,
24290 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
24291 void enable_sep_cpu(void)
24292 {
24293 int cpu = get_cpu();
24294 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
24295 + struct tss_struct *tss = init_tss + cpu;
24296
24297 if (!boot_cpu_has(X86_FEATURE_SEP)) {
24298 put_cpu();
24299 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
24300 gate_vma.vm_start = FIXADDR_USER_START;
24301 gate_vma.vm_end = FIXADDR_USER_END;
24302 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
24303 - gate_vma.vm_page_prot = __P101;
24304 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
24305 /*
24306 * Make sure the vDSO gets into every core dump.
24307 * Dumping its contents makes post-mortem fully interpretable later
24308 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
24309 if (compat)
24310 addr = VDSO_HIGH_BASE;
24311 else {
24312 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
24313 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
24314 if (IS_ERR_VALUE(addr)) {
24315 ret = addr;
24316 goto up_fail;
24317 }
24318 }
24319
24320 - current->mm->context.vdso = (void *)addr;
24321 + current->mm->context.vdso = addr;
24322
24323 if (compat_uses_vma || !compat) {
24324 /*
24325 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
24326 }
24327
24328 current_thread_info()->sysenter_return =
24329 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24330 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24331
24332 up_fail:
24333 if (ret)
24334 - current->mm->context.vdso = NULL;
24335 + current->mm->context.vdso = 0;
24336
24337 up_write(&mm->mmap_sem);
24338
24339 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
24340
24341 const char *arch_vma_name(struct vm_area_struct *vma)
24342 {
24343 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
24344 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
24345 return "[vdso]";
24346 +
24347 +#ifdef CONFIG_PAX_SEGMEXEC
24348 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
24349 + return "[vdso]";
24350 +#endif
24351 +
24352 return NULL;
24353 }
24354
24355 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
24356 * Check to see if the corresponding task was created in compat vdso
24357 * mode.
24358 */
24359 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
24360 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
24361 return &gate_vma;
24362 return NULL;
24363 }
24364 diff -urNp linux-2.6.39.3/arch/x86/vdso/vdso.lds.S linux-2.6.39.3/arch/x86/vdso/vdso.lds.S
24365 --- linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-05-19 00:06:34.000000000 -0400
24366 +++ linux-2.6.39.3/arch/x86/vdso/vdso.lds.S 2011-06-06 17:34:26.000000000 -0400
24367 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
24368 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
24369 #include "vextern.h"
24370 #undef VEXTERN
24371 +
24372 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
24373 +VEXTERN(fallback_gettimeofday)
24374 +VEXTERN(fallback_time)
24375 +VEXTERN(getcpu)
24376 +#undef VEXTERN
24377 diff -urNp linux-2.6.39.3/arch/x86/vdso/vextern.h linux-2.6.39.3/arch/x86/vdso/vextern.h
24378 --- linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-19 00:06:34.000000000 -0400
24379 +++ linux-2.6.39.3/arch/x86/vdso/vextern.h 2011-05-22 19:36:30.000000000 -0400
24380 @@ -11,6 +11,5 @@
24381 put into vextern.h and be referenced as a pointer with vdso prefix.
24382 The main kernel later fills in the values. */
24383
24384 -VEXTERN(jiffies)
24385 VEXTERN(vgetcpu_mode)
24386 VEXTERN(vsyscall_gtod_data)
24387 diff -urNp linux-2.6.39.3/arch/x86/vdso/vma.c linux-2.6.39.3/arch/x86/vdso/vma.c
24388 --- linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-19 00:06:34.000000000 -0400
24389 +++ linux-2.6.39.3/arch/x86/vdso/vma.c 2011-05-22 19:36:30.000000000 -0400
24390 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
24391 if (!vbase)
24392 goto oom;
24393
24394 - if (memcmp(vbase, "\177ELF", 4)) {
24395 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
24396 printk("VDSO: I'm broken; not ELF\n");
24397 vdso_enabled = 0;
24398 }
24399 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
24400 goto up_fail;
24401 }
24402
24403 - current->mm->context.vdso = (void *)addr;
24404 + current->mm->context.vdso = addr;
24405
24406 ret = install_special_mapping(mm, addr, vdso_size,
24407 VM_READ|VM_EXEC|
24408 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
24409 VM_ALWAYSDUMP,
24410 vdso_pages);
24411 if (ret) {
24412 - current->mm->context.vdso = NULL;
24413 + current->mm->context.vdso = 0;
24414 goto up_fail;
24415 }
24416
24417 @@ -134,10 +134,3 @@ up_fail:
24418 up_write(&mm->mmap_sem);
24419 return ret;
24420 }
24421 -
24422 -static __init int vdso_setup(char *s)
24423 -{
24424 - vdso_enabled = simple_strtoul(s, NULL, 0);
24425 - return 0;
24426 -}
24427 -__setup("vdso=", vdso_setup);
24428 diff -urNp linux-2.6.39.3/arch/x86/xen/enlighten.c linux-2.6.39.3/arch/x86/xen/enlighten.c
24429 --- linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-19 00:06:34.000000000 -0400
24430 +++ linux-2.6.39.3/arch/x86/xen/enlighten.c 2011-05-22 19:36:30.000000000 -0400
24431 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24432
24433 struct shared_info xen_dummy_shared_info;
24434
24435 -void *xen_initial_gdt;
24436 -
24437 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
24438 __read_mostly int xen_have_vector_callback;
24439 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
24440 @@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
24441 #endif
24442 };
24443
24444 -static void xen_reboot(int reason)
24445 +static __noreturn void xen_reboot(int reason)
24446 {
24447 struct sched_shutdown r = { .reason = reason };
24448
24449 @@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
24450 BUG();
24451 }
24452
24453 -static void xen_restart(char *msg)
24454 +static __noreturn void xen_restart(char *msg)
24455 {
24456 xen_reboot(SHUTDOWN_reboot);
24457 }
24458
24459 -static void xen_emergency_restart(void)
24460 +static __noreturn void xen_emergency_restart(void)
24461 {
24462 xen_reboot(SHUTDOWN_reboot);
24463 }
24464
24465 -static void xen_machine_halt(void)
24466 +static __noreturn void xen_machine_halt(void)
24467 {
24468 xen_reboot(SHUTDOWN_poweroff);
24469 }
24470 @@ -1127,7 +1125,17 @@ asmlinkage void __init xen_start_kernel(
24471 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24472
24473 /* Work out if we support NX */
24474 - x86_configure_nx();
24475 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24476 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24477 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24478 + unsigned l, h;
24479 +
24480 + __supported_pte_mask |= _PAGE_NX;
24481 + rdmsr(MSR_EFER, l, h);
24482 + l |= EFER_NX;
24483 + wrmsr(MSR_EFER, l, h);
24484 + }
24485 +#endif
24486
24487 xen_setup_features();
24488
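Review bot: The open-coded NX probe queries leaf 0x80000001 after checking only that the top half of `cpuid_eax(0x80000000)` is 0x8000, so a CPU whose highest extended leaf is 0x80000000 itself would have unspecified EDX bits read as the NX flag. Adding `cpuid_eax(0x80000000) >= 0x80000001 &&` to the condition closes that gap. The bit expression `(1U << (X86_FEATURE_NX & 31))` and the reason `x86_configure_nx()` is bypassed here both deserve a short comment, since `_PAGE_NX` and `EFER_NX` are set from this result. xen_start_kernel continues outside the hunk.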
24489 @@ -1158,13 +1166,6 @@ asmlinkage void __init xen_start_kernel(
24490
24491 machine_ops = xen_machine_ops;
24492
24493 - /*
24494 - * The only reliable way to retain the initial address of the
24495 - * percpu gdt_page is to remember it here, so we can go and
24496 - * mark it RW later, when the initial percpu area is freed.
24497 - */
24498 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24499 -
24500 xen_smp_init();
24501
24502 #ifdef CONFIG_ACPI_NUMA
24503 diff -urNp linux-2.6.39.3/arch/x86/xen/mmu.c linux-2.6.39.3/arch/x86/xen/mmu.c
24504 --- linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:18:51.000000000 -0400
24505 +++ linux-2.6.39.3/arch/x86/xen/mmu.c 2011-07-09 09:19:18.000000000 -0400
24506 @@ -1801,6 +1801,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24507 convert_pfn_mfn(init_level4_pgt);
24508 convert_pfn_mfn(level3_ident_pgt);
24509 convert_pfn_mfn(level3_kernel_pgt);
24510 + convert_pfn_mfn(level3_vmalloc_pgt);
24511 + convert_pfn_mfn(level3_vmemmap_pgt);
24512
24513 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24514 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24515 @@ -1819,7 +1821,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24516 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24517 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24518 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24519 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24520 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24521 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24522 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24523 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24524 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24525
24526 diff -urNp linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c
24527 --- linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-19 00:06:34.000000000 -0400
24528 +++ linux-2.6.39.3/arch/x86/xen/pci-swiotlb-xen.c 2011-05-22 19:36:30.000000000 -0400
24529 @@ -10,7 +10,7 @@
24530
24531 int xen_swiotlb __read_mostly;
24532
24533 -static struct dma_map_ops xen_swiotlb_dma_ops = {
24534 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
24535 .mapping_error = xen_swiotlb_dma_mapping_error,
24536 .alloc_coherent = xen_swiotlb_alloc_coherent,
24537 .free_coherent = xen_swiotlb_free_coherent,
24538 diff -urNp linux-2.6.39.3/arch/x86/xen/smp.c linux-2.6.39.3/arch/x86/xen/smp.c
24539 --- linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:18:51.000000000 -0400
24540 +++ linux-2.6.39.3/arch/x86/xen/smp.c 2011-07-09 09:19:18.000000000 -0400
24541 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
24542 {
24543 BUG_ON(smp_processor_id() != 0);
24544 native_smp_prepare_boot_cpu();
24545 -
24546 - /* We've switched to the "real" per-cpu gdt, so make sure the
24547 - old memory can be recycled */
24548 - make_lowmem_page_readwrite(xen_initial_gdt);
24549 -
24550 xen_filter_cpu_maps();
24551 xen_setup_vcpu_info_placement();
24552 }
24553 @@ -266,12 +261,12 @@ cpu_initialize_context(unsigned int cpu,
24554 gdt = get_cpu_gdt_table(cpu);
24555
24556 ctxt->flags = VGCF_IN_KERNEL;
24557 - ctxt->user_regs.ds = __USER_DS;
24558 - ctxt->user_regs.es = __USER_DS;
24559 + ctxt->user_regs.ds = __KERNEL_DS;
24560 + ctxt->user_regs.es = __KERNEL_DS;
24561 ctxt->user_regs.ss = __KERNEL_DS;
24562 #ifdef CONFIG_X86_32
24563 ctxt->user_regs.fs = __KERNEL_PERCPU;
24564 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24565 + savesegment(gs, ctxt->user_regs.gs);
24566 #else
24567 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24568 #endif
24569 @@ -322,13 +317,12 @@ static int __cpuinit xen_cpu_up(unsigned
24570 int rc;
24571
24572 per_cpu(current_task, cpu) = idle;
24573 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24574 #ifdef CONFIG_X86_32
24575 irq_ctx_init(cpu);
24576 #else
24577 clear_tsk_thread_flag(idle, TIF_FORK);
24578 - per_cpu(kernel_stack, cpu) =
24579 - (unsigned long)task_stack_page(idle) -
24580 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24581 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24582 #endif
24583 xen_setup_runstate_info(cpu);
24584 xen_setup_timer(cpu);
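Review bot: The new `kernel_stack` assignment replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, so nothing ties this value to the other places that compute the top-of-stack offset. If the patch changes that offset on purpose, a named constant or at least `/* must match the stack offset used by the entry code */` next to the literal would keep the Xen path from drifting. The added `per_cpu(current_tinfo, cpu) = &idle->tinfo;` depends on a per-cpu variable and a task field defined elsewhere in the patch, which cannot be checked from this hunk. xen_cpu_up starts and ends outside the hunk.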
24585 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-asm_32.S linux-2.6.39.3/arch/x86/xen/xen-asm_32.S
24586 --- linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-19 00:06:34.000000000 -0400
24587 +++ linux-2.6.39.3/arch/x86/xen/xen-asm_32.S 2011-05-22 19:36:30.000000000 -0400
24588 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24589 ESP_OFFSET=4 # bytes pushed onto stack
24590
24591 /*
24592 - * Store vcpu_info pointer for easy access. Do it this way to
24593 - * avoid having to reload %fs
24594 + * Store vcpu_info pointer for easy access.
24595 */
24596 #ifdef CONFIG_SMP
24597 - GET_THREAD_INFO(%eax)
24598 - movl TI_cpu(%eax), %eax
24599 - movl __per_cpu_offset(,%eax,4), %eax
24600 - mov xen_vcpu(%eax), %eax
24601 + push %fs
24602 + mov $(__KERNEL_PERCPU), %eax
24603 + mov %eax, %fs
24604 + mov PER_CPU_VAR(xen_vcpu), %eax
24605 + pop %fs
24606 #else
24607 movl xen_vcpu, %eax
24608 #endif
24609 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-head.S linux-2.6.39.3/arch/x86/xen/xen-head.S
24610 --- linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-19 00:06:34.000000000 -0400
24611 +++ linux-2.6.39.3/arch/x86/xen/xen-head.S 2011-05-22 19:36:30.000000000 -0400
24612 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24613 #ifdef CONFIG_X86_32
24614 mov %esi,xen_start_info
24615 mov $init_thread_union+THREAD_SIZE,%esp
24616 +#ifdef CONFIG_SMP
24617 + movl $cpu_gdt_table,%edi
24618 + movl $__per_cpu_load,%eax
24619 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24620 + rorl $16,%eax
24621 + movb %al,__KERNEL_PERCPU + 4(%edi)
24622 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24623 + movl $__per_cpu_end - 1,%eax
24624 + subl $__per_cpu_start,%eax
24625 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24626 +#endif
24627 #else
24628 mov %rsi,xen_start_info
24629 mov $init_thread_union+THREAD_SIZE,%rsp
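Review bot: The block added under `CONFIG_SMP` patches descriptor bytes at fixed offsets (`+ 2`, `+ 4`, `+ 7`, `+ 0`) with no comment, and the final `movw %ax,__KERNEL_PERCPU + 0(%edi)` stores only the low 16 bits of `__per_cpu_end - 1 - __per_cpu_start`. If the per-cpu section can exceed 64 KiB, limit bits 19:16 and the granularity flag stay at whatever the static `cpu_gdt_table` entry holds, which is not visible here, so that assumption should be written down. I would add a comment such as `/* set base (bytes 2-4, 7) and limit 15:0 of the __KERNEL_PERCPU descriptor to cover the per-cpu area; limit 19:16 and flags come from the static cpu_gdt_table entry */`. startup_xen continues outside the hunk.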
24630 diff -urNp linux-2.6.39.3/arch/x86/xen/xen-ops.h linux-2.6.39.3/arch/x86/xen/xen-ops.h
24631 --- linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-19 00:06:34.000000000 -0400
24632 +++ linux-2.6.39.3/arch/x86/xen/xen-ops.h 2011-05-22 19:36:30.000000000 -0400
24633 @@ -10,8 +10,6 @@
24634 extern const char xen_hypervisor_callback[];
24635 extern const char xen_failsafe_callback[];
24636
24637 -extern void *xen_initial_gdt;
24638 -
24639 struct trap_info;
24640 void xen_copy_trap_info(struct trap_info *traps);
24641
24642 diff -urNp linux-2.6.39.3/block/blk-iopoll.c linux-2.6.39.3/block/blk-iopoll.c
24643 --- linux-2.6.39.3/block/blk-iopoll.c 2011-05-19 00:06:34.000000000 -0400
24644 +++ linux-2.6.39.3/block/blk-iopoll.c 2011-05-22 19:36:30.000000000 -0400
24645 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24646 }
24647 EXPORT_SYMBOL(blk_iopoll_complete);
24648
24649 -static void blk_iopoll_softirq(struct softirq_action *h)
24650 +static void blk_iopoll_softirq(void)
24651 {
24652 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24653 int rearm = 0, budget = blk_iopoll_budget;
24654 diff -urNp linux-2.6.39.3/block/blk-map.c linux-2.6.39.3/block/blk-map.c
24655 --- linux-2.6.39.3/block/blk-map.c 2011-05-19 00:06:34.000000000 -0400
24656 +++ linux-2.6.39.3/block/blk-map.c 2011-05-22 19:36:30.000000000 -0400
24657 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
24658 if (!len || !kbuf)
24659 return -EINVAL;
24660
24661 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
24662 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
24663 if (do_copy)
24664 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24665 else
24666 diff -urNp linux-2.6.39.3/block/blk-softirq.c linux-2.6.39.3/block/blk-softirq.c
24667 --- linux-2.6.39.3/block/blk-softirq.c 2011-05-19 00:06:34.000000000 -0400
24668 +++ linux-2.6.39.3/block/blk-softirq.c 2011-05-22 19:36:30.000000000 -0400
24669 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24670 * Softirq action handler - move entries to local list and loop over them
24671 * while passing them to the queue registered handler.
24672 */
24673 -static void blk_done_softirq(struct softirq_action *h)
24674 +static void blk_done_softirq(void)
24675 {
24676 struct list_head *cpu_list, local_list;
24677
24678 diff -urNp linux-2.6.39.3/block/bsg.c linux-2.6.39.3/block/bsg.c
24679 --- linux-2.6.39.3/block/bsg.c 2011-05-19 00:06:34.000000000 -0400
24680 +++ linux-2.6.39.3/block/bsg.c 2011-05-22 19:36:30.000000000 -0400
24681 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24682 struct sg_io_v4 *hdr, struct bsg_device *bd,
24683 fmode_t has_write_perm)
24684 {
24685 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24686 + unsigned char *cmdptr;
24687 +
24688 if (hdr->request_len > BLK_MAX_CDB) {
24689 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24690 if (!rq->cmd)
24691 return -ENOMEM;
24692 - }
24693 + cmdptr = rq->cmd;
24694 + } else
24695 + cmdptr = tmpcmd;
24696
24697 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24698 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24699 hdr->request_len))
24700 return -EFAULT;
24701
24702 + if (cmdptr != rq->cmd)
24703 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24704 +
24705 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24706 if (blk_verify_command(rq->cmd, has_write_perm))
24707 return -EPERM;
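Review bot: The stack bounce buffer is sized `sizeof(rq->__cmd)`, but the branch that selects it is guarded by `hdr->request_len > BLK_MAX_CDB`, so the `copy_from_user()` into `tmpcmd` is in bounds only if those two sizes agree, which this hunk does not show. A compile-time check beside the declaration would pin the relation: `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);`. The `else` path also assumes `rq->cmd` still points at the inline `__cmd` array when the later `memcpy()` runs, and nothing in the hunk says why the copy is routed through the stack; a one-line comment stating both would help the next reader. The function body continues past the hunk.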
24708 diff -urNp linux-2.6.39.3/block/scsi_ioctl.c linux-2.6.39.3/block/scsi_ioctl.c
24709 --- linux-2.6.39.3/block/scsi_ioctl.c 2011-05-19 00:06:34.000000000 -0400
24710 +++ linux-2.6.39.3/block/scsi_ioctl.c 2011-05-22 19:36:30.000000000 -0400
24711 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
24712 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24713 struct sg_io_hdr *hdr, fmode_t mode)
24714 {
24715 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24716 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24717 + unsigned char *cmdptr;
24718 +
24719 + if (rq->cmd != rq->__cmd)
24720 + cmdptr = rq->cmd;
24721 + else
24722 + cmdptr = tmpcmd;
24723 +
24724 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24725 return -EFAULT;
24726 +
24727 + if (cmdptr != rq->cmd)
24728 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24729 +
24730 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24731 return -EPERM;
24732
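Review bot: Nothing in this hunk bounds `hdr->cmd_len` before `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)`, and when `rq->cmd == rq->__cmd` the destination is now the on-stack `tmpcmd`, so an oversized length would overrun the kernel stack instead of the request structure. The caller may already guarantee the bound (not visible here), but a local guard makes the function safe on its own: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The same applies to the `cmdlen` copy into `tmpcmd` in the sg_scsi_ioctl hunk at `@@ -465,9 +479,18 @@`, where the bound on `cmdlen` is likewise computed outside the visible lines. blk_fill_sghdr_rq continues outside the hunk.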
24733 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
24734 int err;
24735 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24736 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24737 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24738 + unsigned char *cmdptr;
24739
24740 if (!sic)
24741 return -EINVAL;
24742 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
24743 */
24744 err = -EFAULT;
24745 rq->cmd_len = cmdlen;
24746 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24747 +
24748 + if (rq->cmd != rq->__cmd)
24749 + cmdptr = rq->cmd;
24750 + else
24751 + cmdptr = tmpcmd;
24752 +
24753 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24754 goto error;
24755
24756 + if (rq->cmd != cmdptr)
24757 + memcpy(rq->cmd, cmdptr, cmdlen);
24758 +
24759 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24760 goto error;
24761
24762 diff -urNp linux-2.6.39.3/crypto/gf128mul.c linux-2.6.39.3/crypto/gf128mul.c
24763 --- linux-2.6.39.3/crypto/gf128mul.c 2011-05-19 00:06:34.000000000 -0400
24764 +++ linux-2.6.39.3/crypto/gf128mul.c 2011-07-06 20:00:14.000000000 -0400
24765 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24766 for (i = 0; i < 7; ++i)
24767 gf128mul_x_lle(&p[i + 1], &p[i]);
24768
24769 - memset(r, 0, sizeof(r));
24770 + memset(r, 0, sizeof(*r));
24771 for (i = 0;;) {
24772 u8 ch = ((u8 *)b)[15 - i];
24773
24774 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24775 for (i = 0; i < 7; ++i)
24776 gf128mul_x_bbe(&p[i + 1], &p[i]);
24777
24778 - memset(r, 0, sizeof(r));
24779 + memset(r, 0, sizeof(*r));
24780 for (i = 0;;) {
24781 u8 ch = ((u8 *)b)[i];
24782
24783 diff -urNp linux-2.6.39.3/crypto/serpent.c linux-2.6.39.3/crypto/serpent.c
24784 --- linux-2.6.39.3/crypto/serpent.c 2011-05-19 00:06:34.000000000 -0400
24785 +++ linux-2.6.39.3/crypto/serpent.c 2011-05-22 19:36:30.000000000 -0400
24786 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24787 u32 r0,r1,r2,r3,r4;
24788 int i;
24789
24790 + pax_track_stack();
24791 +
24792 /* Copy key, add padding */
24793
24794 for (i = 0; i < keylen; ++i)
24795 diff -urNp linux-2.6.39.3/Documentation/dontdiff linux-2.6.39.3/Documentation/dontdiff
24796 --- linux-2.6.39.3/Documentation/dontdiff 2011-05-19 00:06:34.000000000 -0400
24797 +++ linux-2.6.39.3/Documentation/dontdiff 2011-05-22 19:36:30.000000000 -0400
24798 @@ -1,13 +1,16 @@
24799 *.a
24800 *.aux
24801 *.bin
24802 +*.cis
24803 *.cpio
24804 *.csp
24805 +*.dbg
24806 *.dsp
24807 *.dvi
24808 *.elf
24809 *.eps
24810 *.fw
24811 +*.gcno
24812 *.gen.S
24813 *.gif
24814 *.grep
24815 @@ -38,8 +41,10 @@
24816 *.tab.h
24817 *.tex
24818 *.ver
24819 +*.vim
24820 *.xml
24821 *_MODULES
24822 +*_reg_safe.h
24823 *_vga16.c
24824 *~
24825 *.9
24826 @@ -49,11 +54,16 @@
24827 53c700_d.h
24828 CVS
24829 ChangeSet
24830 +GPATH
24831 +GRTAGS
24832 +GSYMS
24833 +GTAGS
24834 Image
24835 Kerntypes
24836 Module.markers
24837 Module.symvers
24838 PENDING
24839 +PERF*
24840 SCCS
24841 System.map*
24842 TAGS
24843 @@ -80,8 +90,11 @@ btfixupprep
24844 build
24845 bvmlinux
24846 bzImage*
24847 +capability_names.h
24848 capflags.c
24849 classlist.h*
24850 +clut_vga16.c
24851 +common-cmds.h
24852 comp*.log
24853 compile.h*
24854 conf
24855 @@ -106,16 +119,19 @@ fore200e_mkfirm
24856 fore200e_pca_fw.c*
24857 gconf
24858 gen-devlist
24859 +gen-kdb_cmds.c
24860 gen_crc32table
24861 gen_init_cpio
24862 generated
24863 genheaders
24864 genksyms
24865 *_gray256.c
24866 +hash
24867 ihex2fw
24868 ikconfig.h*
24869 inat-tables.c
24870 initramfs_data.cpio
24871 +initramfs_data.cpio.bz2
24872 initramfs_data.cpio.gz
24873 initramfs_list
24874 int16.c
24875 @@ -125,7 +141,6 @@ int32.c
24876 int4.c
24877 int8.c
24878 kallsyms
24879 -kconfig
24880 keywords.c
24881 ksym.c*
24882 ksym.h*
24883 @@ -149,7 +164,9 @@ mkboot
24884 mkbugboot
24885 mkcpustr
24886 mkdep
24887 +mkpiggy
24888 mkprep
24889 +mkregtable
24890 mktables
24891 mktree
24892 modpost
24893 @@ -165,6 +182,7 @@ parse.h
24894 patches*
24895 pca200e.bin
24896 pca200e_ecd.bin2
24897 +perf-archive
24898 piggy.gz
24899 piggyback
24900 piggy.S
24901 @@ -180,7 +198,9 @@ r600_reg_safe.h
24902 raid6altivec*.c
24903 raid6int*.c
24904 raid6tables.c
24905 +regdb.c
24906 relocs
24907 +rlim_names.h
24908 rn50_reg_safe.h
24909 rs600_reg_safe.h
24910 rv515_reg_safe.h
24911 @@ -189,6 +209,7 @@ setup
24912 setup.bin
24913 setup.elf
24914 sImage
24915 +slabinfo
24916 sm_tbl*
24917 split-include
24918 syscalltab.h
24919 @@ -213,13 +234,17 @@ version.h*
24920 vmlinux
24921 vmlinux-*
24922 vmlinux.aout
24923 +vmlinux.bin.all
24924 +vmlinux.bin.bz2
24925 vmlinux.lds
24926 +vmlinux.relocs
24927 voffset.h
24928 vsyscall.lds
24929 vsyscall_32.lds
24930 wanxlfw.inc
24931 uImage
24932 unifdef
24933 +utsrelease.h
24934 wakeup.bin
24935 wakeup.elf
24936 wakeup.lds
24937 diff -urNp linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c
24938 --- linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-19 00:06:34.000000000 -0400
24939 +++ linux-2.6.39.3/Documentation/filesystems/configfs/configfs_example_macros.c 2011-05-22 19:36:30.000000000 -0400
24940 @@ -368,7 +368,7 @@ static struct configfs_item_operations g
24941 * Note that, since no extra work is required on ->drop_item(),
24942 * no ->drop_item() is provided.
24943 */
24944 -static struct configfs_group_operations group_children_group_ops = {
24945 +static const struct configfs_group_operations group_children_group_ops = {
24946 .make_group = group_children_make_group,
24947 };
24948
24949 diff -urNp linux-2.6.39.3/Documentation/filesystems/sysfs.txt linux-2.6.39.3/Documentation/filesystems/sysfs.txt
24950 --- linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-19 00:06:34.000000000 -0400
24951 +++ linux-2.6.39.3/Documentation/filesystems/sysfs.txt 2011-05-22 19:36:30.000000000 -0400
24952 @@ -125,8 +125,8 @@ set of sysfs operations for forwarding r
24953 show and store methods of the attribute owners.
24954
24955 struct sysfs_ops {
24956 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
24957 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
24958 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
24959 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
24960 };
24961
24962 [ Subsystems should have already defined a struct kobj_type as a
24963 diff -urNp linux-2.6.39.3/Documentation/kernel-parameters.txt linux-2.6.39.3/Documentation/kernel-parameters.txt
24964 --- linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 12:55:22.000000000 -0400
24965 +++ linux-2.6.39.3/Documentation/kernel-parameters.txt 2011-06-25 13:00:25.000000000 -0400
24966 @@ -1879,6 +1879,13 @@ bytes respectively. Such letter suffixes
24967 the specified number of seconds. This is to be used if
24968 your oopses keep scrolling off the screen.
24969
24970 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24971 + virtualization environments that don't cope well with the
24972 + expand down segment used by UDEREF on X86-32 or the frequent
24973 + page table updates on X86-64.
24974 +
24975 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24976 +
24977 pcbit= [HW,ISDN]
24978
24979 pcd. [PARIDE]
24980 diff -urNp linux-2.6.39.3/drivers/acpi/acpi_ipmi.c linux-2.6.39.3/drivers/acpi/acpi_ipmi.c
24981 --- linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-19 00:06:34.000000000 -0400
24982 +++ linux-2.6.39.3/drivers/acpi/acpi_ipmi.c 2011-05-22 19:36:30.000000000 -0400
24983 @@ -70,7 +70,7 @@ struct acpi_ipmi_device {
24984 struct ipmi_driver_data {
24985 struct list_head ipmi_devices;
24986 struct ipmi_smi_watcher bmc_events;
24987 - struct ipmi_user_hndl ipmi_hndlrs;
24988 + const struct ipmi_user_hndl ipmi_hndlrs;
24989 struct mutex ipmi_lock;
24990 };
24991
24992 diff -urNp linux-2.6.39.3/drivers/acpi/apei/cper.c linux-2.6.39.3/drivers/acpi/apei/cper.c
24993 --- linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-19 00:06:34.000000000 -0400
24994 +++ linux-2.6.39.3/drivers/acpi/apei/cper.c 2011-05-22 19:36:30.000000000 -0400
24995 @@ -38,12 +38,12 @@
24996 */
24997 u64 cper_next_record_id(void)
24998 {
24999 - static atomic64_t seq;
25000 + static atomic64_unchecked_t seq;
25001
25002 - if (!atomic64_read(&seq))
25003 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
25004 + if (!atomic64_read_unchecked(&seq))
25005 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
25006
25007 - return atomic64_inc_return(&seq);
25008 + return atomic64_inc_return_unchecked(&seq);
25009 }
25010 EXPORT_SYMBOL_GPL(cper_next_record_id);
25011
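Review bot: Seeding `seq` with a separate `atomic64_read_unchecked()` and `atomic64_set_unchecked()` is not atomic as a pair, so two first callers running concurrently can both see zero, and the later store can overwrite a value that was already incremented, handing out a duplicate record id. Seeding once from init code, or using a compare-and-exchange so that only the first caller stores the seed, would close that window. The move to the `_unchecked` type also deserves a comment, e.g. `/* record id sequence, not a reference count: wrap-around is harmless */`, since presumably that is the reason for exempting it from overflow checking.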
25012 diff -urNp linux-2.6.39.3/drivers/acpi/battery.c linux-2.6.39.3/drivers/acpi/battery.c
25013 --- linux-2.6.39.3/drivers/acpi/battery.c 2011-05-19 00:06:34.000000000 -0400
25014 +++ linux-2.6.39.3/drivers/acpi/battery.c 2011-05-22 19:36:30.000000000 -0400
25015 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
25016 }
25017
25018 static struct battery_file {
25019 - struct file_operations ops;
25020 + const struct file_operations ops;
25021 mode_t mode;
25022 const char *name;
25023 } acpi_battery_file[] = {
25024 diff -urNp linux-2.6.39.3/drivers/acpi/dock.c linux-2.6.39.3/drivers/acpi/dock.c
25025 --- linux-2.6.39.3/drivers/acpi/dock.c 2011-05-19 00:06:34.000000000 -0400
25026 +++ linux-2.6.39.3/drivers/acpi/dock.c 2011-05-22 19:36:30.000000000 -0400
25027 @@ -77,7 +77,7 @@ struct dock_dependent_device {
25028 struct list_head list;
25029 struct list_head hotplug_list;
25030 acpi_handle handle;
25031 - struct acpi_dock_ops *ops;
25032 + const struct acpi_dock_ops *ops;
25033 void *context;
25034 };
25035
25036 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
25037 * the dock driver after _DCK is executed.
25038 */
25039 int
25040 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
25041 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
25042 void *context)
25043 {
25044 struct dock_dependent_device *dd;
25045 diff -urNp linux-2.6.39.3/drivers/acpi/ec_sys.c linux-2.6.39.3/drivers/acpi/ec_sys.c
25046 --- linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-19 00:06:34.000000000 -0400
25047 +++ linux-2.6.39.3/drivers/acpi/ec_sys.c 2011-05-22 19:36:30.000000000 -0400
25048 @@ -92,7 +92,7 @@ static ssize_t acpi_ec_write_io(struct f
25049 return count;
25050 }
25051
25052 -static struct file_operations acpi_ec_io_ops = {
25053 +static const struct file_operations acpi_ec_io_ops = {
25054 .owner = THIS_MODULE,
25055 .open = acpi_ec_open_io,
25056 .read = acpi_ec_read_io,
25057 diff -urNp linux-2.6.39.3/drivers/acpi/fan.c linux-2.6.39.3/drivers/acpi/fan.c
25058 --- linux-2.6.39.3/drivers/acpi/fan.c 2011-05-19 00:06:34.000000000 -0400
25059 +++ linux-2.6.39.3/drivers/acpi/fan.c 2011-05-22 19:36:30.000000000 -0400
25060 @@ -110,7 +110,7 @@ fan_set_cur_state(struct thermal_cooling
25061 return result;
25062 }
25063
25064 -static struct thermal_cooling_device_ops fan_cooling_ops = {
25065 +static const struct thermal_cooling_device_ops fan_cooling_ops = {
25066 .get_max_state = fan_get_max_state,
25067 .get_cur_state = fan_get_cur_state,
25068 .set_cur_state = fan_set_cur_state,
25069 diff -urNp linux-2.6.39.3/drivers/acpi/power_meter.c linux-2.6.39.3/drivers/acpi/power_meter.c
25070 --- linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-19 00:06:34.000000000 -0400
25071 +++ linux-2.6.39.3/drivers/acpi/power_meter.c 2011-05-22 19:36:30.000000000 -0400
25072 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
25073 return res;
25074
25075 temp /= 1000;
25076 - if (temp < 0)
25077 - return -EINVAL;
25078
25079 mutex_lock(&resource->lock);
25080 resource->trip[attr->index - 7] = temp;
25081 diff -urNp linux-2.6.39.3/drivers/acpi/proc.c linux-2.6.39.3/drivers/acpi/proc.c
25082 --- linux-2.6.39.3/drivers/acpi/proc.c 2011-05-19 00:06:34.000000000 -0400
25083 +++ linux-2.6.39.3/drivers/acpi/proc.c 2011-05-22 19:36:30.000000000 -0400
25084 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
25085 size_t count, loff_t * ppos)
25086 {
25087 struct list_head *node, *next;
25088 - char strbuf[5];
25089 - char str[5] = "";
25090 - unsigned int len = count;
25091 -
25092 - if (len > 4)
25093 - len = 4;
25094 - if (len < 0)
25095 - return -EFAULT;
25096 + char strbuf[5] = {0};
25097
25098 - if (copy_from_user(strbuf, buffer, len))
25099 + if (count > 4)
25100 + count = 4;
25101 + if (copy_from_user(strbuf, buffer, count))
25102 return -EFAULT;
25103 - strbuf[len] = '\0';
25104 - sscanf(strbuf, "%s", str);
25105 + strbuf[count] = '\0';
25106
25107 mutex_lock(&acpi_device_lock);
25108 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
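Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means trailing whitespace from user space is now part of the compared name: a write of `LID\n` leaves `strbuf` as `LID\n`, and `strncmp(dev->pnp.bus_id, strbuf, 4)` in the following hunk no longer matches a three-character bus id, where the old code compared against `LID`. If bus ids shorter than four characters exist (not visible here), terminate the buffer at the first whitespace before the list walk, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';`. The function begins before and continues after this hunk.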
25109 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
25110 if (!dev->wakeup.flags.valid)
25111 continue;
25112
25113 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
25114 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
25115 if (device_can_wakeup(&dev->dev)) {
25116 bool enable = !device_may_wakeup(&dev->dev);
25117 device_set_wakeup_enable(&dev->dev, enable);
25118 diff -urNp linux-2.6.39.3/drivers/acpi/processor_driver.c linux-2.6.39.3/drivers/acpi/processor_driver.c
25119 --- linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-19 00:06:34.000000000 -0400
25120 +++ linux-2.6.39.3/drivers/acpi/processor_driver.c 2011-05-22 19:36:30.000000000 -0400
25121 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
25122 return 0;
25123 #endif
25124
25125 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
25126 + BUG_ON(pr->id >= nr_cpu_ids);
25127
25128 /*
25129 * Buggy BIOS check
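Review bot: Removing `pr->id < 0` from the `BUG_ON()` is a no-op only if `pr->id` is unsigned, and its declaration is outside this hunk. If the field is, or later becomes, a signed int compared against a signed `nr_cpu_ids`, a negative id would pass the check and could then be used as a CPU index further down (not shown). Writing the test as `BUG_ON((unsigned int)pr->id >= nr_cpu_ids);` keeps the single comparison and rejects negatives regardless of the declared type. acpi_processor_add extends beyond the hunk.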
25130 diff -urNp linux-2.6.39.3/drivers/acpi/processor_idle.c linux-2.6.39.3/drivers/acpi/processor_idle.c
25131 --- linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-19 00:06:34.000000000 -0400
25132 +++ linux-2.6.39.3/drivers/acpi/processor_idle.c 2011-05-22 19:36:30.000000000 -0400
25133 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
25134 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
25135 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
25136 (void *)1},
25137 - {},
25138 + {}
25139 };
25140
25141
25142 diff -urNp linux-2.6.39.3/drivers/acpi/processor_thermal.c linux-2.6.39.3/drivers/acpi/processor_thermal.c
25143 --- linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-19 00:06:34.000000000 -0400
25144 +++ linux-2.6.39.3/drivers/acpi/processor_thermal.c 2011-05-22 19:36:30.000000000 -0400
25145 @@ -244,7 +244,7 @@ processor_set_cur_state(struct thermal_c
25146 return result;
25147 }
25148
25149 -struct thermal_cooling_device_ops processor_cooling_ops = {
25150 +const struct thermal_cooling_device_ops processor_cooling_ops = {
25151 .get_max_state = processor_get_max_state,
25152 .get_cur_state = processor_get_cur_state,
25153 .set_cur_state = processor_set_cur_state,
25154 diff -urNp linux-2.6.39.3/drivers/acpi/sysfs.c linux-2.6.39.3/drivers/acpi/sysfs.c
25155 --- linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-19 00:06:34.000000000 -0400
25156 +++ linux-2.6.39.3/drivers/acpi/sysfs.c 2011-05-22 19:36:30.000000000 -0400
25157 @@ -149,12 +149,12 @@ static int param_get_debug_level(char *b
25158 return result;
25159 }
25160
25161 -static struct kernel_param_ops param_ops_debug_layer = {
25162 +static const struct kernel_param_ops param_ops_debug_layer = {
25163 .set = param_set_uint,
25164 .get = param_get_debug_layer,
25165 };
25166
25167 -static struct kernel_param_ops param_ops_debug_level = {
25168 +static const struct kernel_param_ops param_ops_debug_level = {
25169 .set = param_set_uint,
25170 .get = param_get_debug_level,
25171 };
25172 diff -urNp linux-2.6.39.3/drivers/acpi/thermal.c linux-2.6.39.3/drivers/acpi/thermal.c
25173 --- linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-19 00:06:34.000000000 -0400
25174 +++ linux-2.6.39.3/drivers/acpi/thermal.c 2011-05-22 19:36:30.000000000 -0400
25175 @@ -812,7 +812,7 @@ acpi_thermal_unbind_cooling_device(struc
25176 thermal_zone_unbind_cooling_device);
25177 }
25178
25179 -static struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25180 +static const struct thermal_zone_device_ops acpi_thermal_zone_ops = {
25181 .bind = acpi_thermal_bind_cooling_device,
25182 .unbind = acpi_thermal_unbind_cooling_device,
25183 .get_temp = thermal_get_temp,
25184 diff -urNp linux-2.6.39.3/drivers/acpi/video.c linux-2.6.39.3/drivers/acpi/video.c
25185 --- linux-2.6.39.3/drivers/acpi/video.c 2011-05-19 00:06:34.000000000 -0400
25186 +++ linux-2.6.39.3/drivers/acpi/video.c 2011-05-22 19:36:30.000000000 -0400
25187 @@ -308,7 +308,7 @@ video_set_cur_state(struct thermal_cooli
25188 return acpi_video_device_lcd_set_level(video, level);
25189 }
25190
25191 -static struct thermal_cooling_device_ops video_cooling_ops = {
25192 +static const struct thermal_cooling_device_ops video_cooling_ops = {
25193 .get_max_state = video_get_max_state,
25194 .get_cur_state = video_get_cur_state,
25195 .set_cur_state = video_set_cur_state,
25196 diff -urNp linux-2.6.39.3/drivers/ata/acard-ahci.c linux-2.6.39.3/drivers/ata/acard-ahci.c
25197 --- linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-19 00:06:34.000000000 -0400
25198 +++ linux-2.6.39.3/drivers/ata/acard-ahci.c 2011-05-22 19:36:30.000000000 -0400
25199 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
25200 AHCI_SHT("acard-ahci"),
25201 };
25202
25203 -static struct ata_port_operations acard_ops = {
25204 +static const struct ata_port_operations acard_ops = {
25205 .inherits = &ahci_ops,
25206 .qc_prep = acard_ahci_qc_prep,
25207 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
25208 diff -urNp linux-2.6.39.3/drivers/ata/ahci.c linux-2.6.39.3/drivers/ata/ahci.c
25209 --- linux-2.6.39.3/drivers/ata/ahci.c 2011-05-19 00:06:34.000000000 -0400
25210 +++ linux-2.6.39.3/drivers/ata/ahci.c 2011-05-22 19:36:30.000000000 -0400
25211 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
25212 AHCI_SHT("ahci"),
25213 };
25214
25215 -static struct ata_port_operations ahci_vt8251_ops = {
25216 +static const struct ata_port_operations ahci_vt8251_ops = {
25217 .inherits = &ahci_ops,
25218 .hardreset = ahci_vt8251_hardreset,
25219 };
25220
25221 -static struct ata_port_operations ahci_p5wdh_ops = {
25222 +static const struct ata_port_operations ahci_p5wdh_ops = {
25223 .inherits = &ahci_ops,
25224 .hardreset = ahci_p5wdh_hardreset,
25225 };
25226
25227 -static struct ata_port_operations ahci_sb600_ops = {
25228 +static const struct ata_port_operations ahci_sb600_ops = {
25229 .inherits = &ahci_ops,
25230 .softreset = ahci_sb600_softreset,
25231 .pmp_softreset = ahci_sb600_softreset,
25232 diff -urNp linux-2.6.39.3/drivers/ata/ahci.h linux-2.6.39.3/drivers/ata/ahci.h
25233 --- linux-2.6.39.3/drivers/ata/ahci.h 2011-05-19 00:06:34.000000000 -0400
25234 +++ linux-2.6.39.3/drivers/ata/ahci.h 2011-05-22 19:36:30.000000000 -0400
25235 @@ -311,7 +311,7 @@ extern struct device_attribute *ahci_sde
25236 .shost_attrs = ahci_shost_attrs, \
25237 .sdev_attrs = ahci_sdev_attrs
25238
25239 -extern struct ata_port_operations ahci_ops;
25240 +extern const struct ata_port_operations ahci_ops;
25241
25242 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
25243 u32 opts);
25244 diff -urNp linux-2.6.39.3/drivers/ata/ata_generic.c linux-2.6.39.3/drivers/ata/ata_generic.c
25245 --- linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-19 00:06:34.000000000 -0400
25246 +++ linux-2.6.39.3/drivers/ata/ata_generic.c 2011-05-22 19:36:30.000000000 -0400
25247 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
25248 ATA_BMDMA_SHT(DRV_NAME),
25249 };
25250
25251 -static struct ata_port_operations generic_port_ops = {
25252 +static const struct ata_port_operations generic_port_ops = {
25253 .inherits = &ata_bmdma_port_ops,
25254 .cable_detect = ata_cable_unknown,
25255 .set_mode = generic_set_mode,
25256 diff -urNp linux-2.6.39.3/drivers/ata/ata_piix.c linux-2.6.39.3/drivers/ata/ata_piix.c
25257 --- linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-19 00:06:34.000000000 -0400
25258 +++ linux-2.6.39.3/drivers/ata/ata_piix.c 2011-05-22 19:36:30.000000000 -0400
25259 @@ -335,12 +335,12 @@ static struct scsi_host_template piix_sh
25260 ATA_BMDMA_SHT(DRV_NAME),
25261 };
25262
25263 -static struct ata_port_operations piix_sata_ops = {
25264 +static const struct ata_port_operations piix_sata_ops = {
25265 .inherits = &ata_bmdma32_port_ops,
25266 .sff_irq_check = piix_irq_check,
25267 };
25268
25269 -static struct ata_port_operations piix_pata_ops = {
25270 +static const struct ata_port_operations piix_pata_ops = {
25271 .inherits = &piix_sata_ops,
25272 .cable_detect = ata_cable_40wire,
25273 .set_piomode = piix_set_piomode,
25274 @@ -348,12 +348,12 @@ static struct ata_port_operations piix_p
25275 .prereset = piix_pata_prereset,
25276 };
25277
25278 -static struct ata_port_operations piix_vmw_ops = {
25279 +static const struct ata_port_operations piix_vmw_ops = {
25280 .inherits = &piix_pata_ops,
25281 .bmdma_status = piix_vmw_bmdma_status,
25282 };
25283
25284 -static struct ata_port_operations ich_pata_ops = {
25285 +static const struct ata_port_operations ich_pata_ops = {
25286 .inherits = &piix_pata_ops,
25287 .cable_detect = ich_pata_cable_detect,
25288 .set_dmamode = ich_set_dmamode,
25289 @@ -369,7 +369,7 @@ static struct scsi_host_template piix_si
25290 .shost_attrs = piix_sidpr_shost_attrs,
25291 };
25292
25293 -static struct ata_port_operations piix_sidpr_sata_ops = {
25294 +static const struct ata_port_operations piix_sidpr_sata_ops = {
25295 .inherits = &piix_sata_ops,
25296 .hardreset = sata_std_hardreset,
25297 .scr_read = piix_sidpr_scr_read,
25298 diff -urNp linux-2.6.39.3/drivers/ata/libahci.c linux-2.6.39.3/drivers/ata/libahci.c
25299 --- linux-2.6.39.3/drivers/ata/libahci.c 2011-05-19 00:06:34.000000000 -0400
25300 +++ linux-2.6.39.3/drivers/ata/libahci.c 2011-05-22 19:36:30.000000000 -0400
25301 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
25302 };
25303 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
25304
25305 -struct ata_port_operations ahci_ops = {
25306 +const struct ata_port_operations ahci_ops = {
25307 .inherits = &sata_pmp_port_ops,
25308
25309 .qc_defer = ahci_pmp_qc_defer,
25310 diff -urNp linux-2.6.39.3/drivers/ata/libata-acpi.c linux-2.6.39.3/drivers/ata/libata-acpi.c
25311 --- linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-19 00:06:34.000000000 -0400
25312 +++ linux-2.6.39.3/drivers/ata/libata-acpi.c 2011-05-22 19:36:30.000000000 -0400
25313 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
25314 ata_acpi_uevent(dev->link->ap, dev, event);
25315 }
25316
25317 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25318 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25319 .handler = ata_acpi_dev_notify_dock,
25320 .uevent = ata_acpi_dev_uevent,
25321 };
25322
25323 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25324 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25325 .handler = ata_acpi_ap_notify_dock,
25326 .uevent = ata_acpi_ap_uevent,
25327 };
25328 diff -urNp linux-2.6.39.3/drivers/ata/libata-core.c linux-2.6.39.3/drivers/ata/libata-core.c
25329 --- linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-19 00:06:34.000000000 -0400
25330 +++ linux-2.6.39.3/drivers/ata/libata-core.c 2011-05-22 19:36:30.000000000 -0400
25331 @@ -4747,7 +4747,7 @@ void ata_qc_free(struct ata_queued_cmd *
25332 struct ata_port *ap;
25333 unsigned int tag;
25334
25335 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25336 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25337 ap = qc->ap;
25338
25339 qc->flags = 0;
25340 @@ -4763,7 +4763,7 @@ void __ata_qc_complete(struct ata_queued
25341 struct ata_port *ap;
25342 struct ata_link *link;
25343
25344 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25345 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25346 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
25347 ap = qc->ap;
25348 link = qc->dev->link;
25349 @@ -5756,7 +5756,7 @@ static void ata_host_stop(struct device
25350 * LOCKING:
25351 * None.
25352 */
25353 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
25354 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
25355 {
25356 static DEFINE_SPINLOCK(lock);
25357 const struct ata_port_operations *cur;
25358 @@ -5768,6 +5768,7 @@ static void ata_finalize_port_ops(struct
25359 return;
25360
25361 spin_lock(&lock);
25362 + pax_open_kernel();
25363
25364 for (cur = ops->inherits; cur; cur = cur->inherits) {
25365 void **inherit = (void **)cur;
25366 @@ -5781,8 +5782,9 @@ static void ata_finalize_port_ops(struct
25367 if (IS_ERR(*pp))
25368 *pp = NULL;
25369
25370 - ops->inherits = NULL;
25371 + ((struct ata_port_operations *)ops)->inherits = NULL;
25372
25373 + pax_close_kernel();
25374 spin_unlock(&lock);
25375 }
25376
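Review bot: `ata_finalize_port_ops()` now takes a `const` pointer yet still writes through it: the `(void **)` casts in the inheritance loop and `((struct ata_port_operations *)ops)->inherits = NULL` both discard the qualifier, and only the `pax_open_kernel()`/`pax_close_kernel()` pair added here and in the previous hunk makes those stores possible. That contract is not written down; I would add to the function comment something like `/* @ops is const so it can be placed in read-only memory (presumably); this is the only place that modifies it, inside a pax_open_kernel() window held under the lock */`. It is also worth confirming that no path between the open and the close can return early or sleep, since only part of the body is visible in these hunks.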
25377 @@ -5879,7 +5881,7 @@ int ata_host_start(struct ata_host *host
25378 */
25379 /* KILLME - the only user left is ipr */
25380 void ata_host_init(struct ata_host *host, struct device *dev,
25381 - unsigned long flags, struct ata_port_operations *ops)
25382 + unsigned long flags, const struct ata_port_operations *ops)
25383 {
25384 spin_lock_init(&host->lock);
25385 mutex_init(&host->eh_mutex);
25386 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
25387 /* truly dummy */
25388 }
25389
25390 -struct ata_port_operations ata_dummy_port_ops = {
25391 +const struct ata_port_operations ata_dummy_port_ops = {
25392 .qc_prep = ata_noop_qc_prep,
25393 .qc_issue = ata_dummy_qc_issue,
25394 .error_handler = ata_dummy_error_handler,
25395 diff -urNp linux-2.6.39.3/drivers/ata/libata-eh.c linux-2.6.39.3/drivers/ata/libata-eh.c
25396 --- linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-19 00:06:34.000000000 -0400
25397 +++ linux-2.6.39.3/drivers/ata/libata-eh.c 2011-05-22 19:36:30.000000000 -0400
25398 @@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
25399 {
25400 struct ata_link *link;
25401
25402 + pax_track_stack();
25403 +
25404 ata_for_each_link(link, ap, HOST_FIRST)
25405 ata_eh_link_report(link);
25406 }
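Review bot: `pax_track_stack();` is added to `ata_eh_report()`, whose visible body holds a single `struct ata_link *` local, so the reason for tracking stack use in this function is not evident from the code. If the call is there because `ata_eh_link_report()` gets inlined and brings its buffers into this frame, a comment should say so, e.g. `/* frame is large once ata_eh_link_report() is inlined */`. That is an inference, since that function is outside the hunk. Without the comment, a later change to inlining could leave the call in a function that no longer needs it while the function that does goes untracked.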
25407 @@ -3922,7 +3924,7 @@ void ata_do_eh(struct ata_port *ap, ata_
25408 */
25409 void ata_std_error_handler(struct ata_port *ap)
25410 {
25411 - struct ata_port_operations *ops = ap->ops;
25412 + const struct ata_port_operations *ops = ap->ops;
25413 ata_reset_fn_t hardreset = ops->hardreset;
25414
25415 /* ignore built-in hardreset if SCR access is not available */
25416 diff -urNp linux-2.6.39.3/drivers/ata/libata-pmp.c linux-2.6.39.3/drivers/ata/libata-pmp.c
25417 --- linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-19 00:06:34.000000000 -0400
25418 +++ linux-2.6.39.3/drivers/ata/libata-pmp.c 2011-05-22 19:36:30.000000000 -0400
25419 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
25420 */
25421 static int sata_pmp_eh_recover(struct ata_port *ap)
25422 {
25423 - struct ata_port_operations *ops = ap->ops;
25424 + const struct ata_port_operations *ops = ap->ops;
25425 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25426 struct ata_link *pmp_link = &ap->link;
25427 struct ata_device *pmp_dev = pmp_link->device;
25428 diff -urNp linux-2.6.39.3/drivers/ata/pata_acpi.c linux-2.6.39.3/drivers/ata/pata_acpi.c
25429 --- linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-19 00:06:34.000000000 -0400
25430 +++ linux-2.6.39.3/drivers/ata/pata_acpi.c 2011-05-22 19:36:30.000000000 -0400
25431 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
25432 ATA_BMDMA_SHT(DRV_NAME),
25433 };
25434
25435 -static struct ata_port_operations pacpi_ops = {
25436 +static const struct ata_port_operations pacpi_ops = {
25437 .inherits = &ata_bmdma_port_ops,
25438 .qc_issue = pacpi_qc_issue,
25439 .cable_detect = pacpi_cable_detect,
25440 diff -urNp linux-2.6.39.3/drivers/ata/pata_ali.c linux-2.6.39.3/drivers/ata/pata_ali.c
25441 --- linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-19 00:06:34.000000000 -0400
25442 +++ linux-2.6.39.3/drivers/ata/pata_ali.c 2011-05-22 19:36:30.000000000 -0400
25443 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
25444 * Port operations for PIO only ALi
25445 */
25446
25447 -static struct ata_port_operations ali_early_port_ops = {
25448 +static const struct ata_port_operations ali_early_port_ops = {
25449 .inherits = &ata_sff_port_ops,
25450 .cable_detect = ata_cable_40wire,
25451 .set_piomode = ali_set_piomode,
25452 @@ -380,7 +380,7 @@ static const struct ata_port_operations
25453 * Port operations for DMA capable ALi without cable
25454 * detect
25455 */
25456 -static struct ata_port_operations ali_20_port_ops = {
25457 +static const struct ata_port_operations ali_20_port_ops = {
25458 .inherits = &ali_dma_base_ops,
25459 .cable_detect = ata_cable_40wire,
25460 .mode_filter = ali_20_filter,
25461 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
25462 /*
25463 * Port operations for DMA capable ALi with cable detect
25464 */
25465 -static struct ata_port_operations ali_c2_port_ops = {
25466 +static const struct ata_port_operations ali_c2_port_ops = {
25467 .inherits = &ali_dma_base_ops,
25468 .check_atapi_dma = ali_check_atapi_dma,
25469 .cable_detect = ali_c2_cable_detect,
25470 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
25471 /*
25472 * Port operations for DMA capable ALi with cable detect
25473 */
25474 -static struct ata_port_operations ali_c4_port_ops = {
25475 +static const struct ata_port_operations ali_c4_port_ops = {
25476 .inherits = &ali_dma_base_ops,
25477 .check_atapi_dma = ali_check_atapi_dma,
25478 .cable_detect = ali_c2_cable_detect,
25479 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
25480 /*
25481 * Port operations for DMA capable ALi with cable detect and LBA48
25482 */
25483 -static struct ata_port_operations ali_c5_port_ops = {
25484 +static const struct ata_port_operations ali_c5_port_ops = {
25485 .inherits = &ali_dma_base_ops,
25486 .check_atapi_dma = ali_check_atapi_dma,
25487 .dev_config = ali_warn_atapi_dma,
25488 diff -urNp linux-2.6.39.3/drivers/ata/pata_amd.c linux-2.6.39.3/drivers/ata/pata_amd.c
25489 --- linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-19 00:06:34.000000000 -0400
25490 +++ linux-2.6.39.3/drivers/ata/pata_amd.c 2011-05-22 19:36:31.000000000 -0400
25491 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25492 .prereset = amd_pre_reset,
25493 };
25494
25495 -static struct ata_port_operations amd33_port_ops = {
25496 +static const struct ata_port_operations amd33_port_ops = {
25497 .inherits = &amd_base_port_ops,
25498 .cable_detect = ata_cable_40wire,
25499 .set_piomode = amd33_set_piomode,
25500 .set_dmamode = amd33_set_dmamode,
25501 };
25502
25503 -static struct ata_port_operations amd66_port_ops = {
25504 +static const struct ata_port_operations amd66_port_ops = {
25505 .inherits = &amd_base_port_ops,
25506 .cable_detect = ata_cable_unknown,
25507 .set_piomode = amd66_set_piomode,
25508 .set_dmamode = amd66_set_dmamode,
25509 };
25510
25511 -static struct ata_port_operations amd100_port_ops = {
25512 +static const struct ata_port_operations amd100_port_ops = {
25513 .inherits = &amd_base_port_ops,
25514 .cable_detect = ata_cable_unknown,
25515 .set_piomode = amd100_set_piomode,
25516 .set_dmamode = amd100_set_dmamode,
25517 };
25518
25519 -static struct ata_port_operations amd133_port_ops = {
25520 +static const struct ata_port_operations amd133_port_ops = {
25521 .inherits = &amd_base_port_ops,
25522 .cable_detect = amd_cable_detect,
25523 .set_piomode = amd133_set_piomode,
25524 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25525 .host_stop = nv_host_stop,
25526 };
25527
25528 -static struct ata_port_operations nv100_port_ops = {
25529 +static const struct ata_port_operations nv100_port_ops = {
25530 .inherits = &nv_base_port_ops,
25531 .set_piomode = nv100_set_piomode,
25532 .set_dmamode = nv100_set_dmamode,
25533 };
25534
25535 -static struct ata_port_operations nv133_port_ops = {
25536 +static const struct ata_port_operations nv133_port_ops = {
25537 .inherits = &nv_base_port_ops,
25538 .set_piomode = nv133_set_piomode,
25539 .set_dmamode = nv133_set_dmamode,
25540 diff -urNp linux-2.6.39.3/drivers/ata/pata_arasan_cf.c linux-2.6.39.3/drivers/ata/pata_arasan_cf.c
25541 --- linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-19 00:06:34.000000000 -0400
25542 +++ linux-2.6.39.3/drivers/ata/pata_arasan_cf.c 2011-05-22 19:36:31.000000000 -0400
25543 @@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
25544 /* Handle platform specific quirks */
25545 if (pdata->quirk) {
25546 if (pdata->quirk & CF_BROKEN_PIO) {
25547 - ap->ops->set_piomode = NULL;
25548 + pax_open_kernel();
25549 + *(void**)&ap->ops->set_piomode = NULL;
25550 + pax_close_kernel();
25551 ap->pio_mask = 0;
25552 }
25553 if (pdata->quirk & CF_BROKEN_MWDMA)
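Review bot: `*(void**)&ap->ops->set_piomode = NULL;` patches the ops table that `ap->ops` points to rather than per-port state, so the CF_BROKEN_PIO quirk of one device would also change behaviour for any other port using the same table. The new code additionally needs a `pax_open_kernel()`/`pax_close_kernel()` window and a `void **` cast over a function-pointer member to do it. If the in-place write stays, it should carry a comment such as `/* deliberate write to the shared const ops table: quirk disables PIO mode setting */`. Pointing the port at a separate `const` table that omits `.set_piomode` would avoid the write altogether. `arasan_cf_probe()` begins and continues outside this hunk, so how `ap->ops` is assigned is not visible here.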
25554 diff -urNp linux-2.6.39.3/drivers/ata/pata_artop.c linux-2.6.39.3/drivers/ata/pata_artop.c
25555 --- linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-19 00:06:34.000000000 -0400
25556 +++ linux-2.6.39.3/drivers/ata/pata_artop.c 2011-05-22 19:36:31.000000000 -0400
25557 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
25558 ATA_BMDMA_SHT(DRV_NAME),
25559 };
25560
25561 -static struct ata_port_operations artop6210_ops = {
25562 +static const struct ata_port_operations artop6210_ops = {
25563 .inherits = &ata_bmdma_port_ops,
25564 .cable_detect = ata_cable_40wire,
25565 .set_piomode = artop6210_set_piomode,
25566 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
25567 .qc_defer = artop6210_qc_defer,
25568 };
25569
25570 -static struct ata_port_operations artop6260_ops = {
25571 +static const struct ata_port_operations artop6260_ops = {
25572 .inherits = &ata_bmdma_port_ops,
25573 .cable_detect = artop6260_cable_detect,
25574 .set_piomode = artop6260_set_piomode,
25575 diff -urNp linux-2.6.39.3/drivers/ata/pata_at32.c linux-2.6.39.3/drivers/ata/pata_at32.c
25576 --- linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-19 00:06:34.000000000 -0400
25577 +++ linux-2.6.39.3/drivers/ata/pata_at32.c 2011-05-22 19:36:31.000000000 -0400
25578 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
25579 ATA_PIO_SHT(DRV_NAME),
25580 };
25581
25582 -static struct ata_port_operations at32_port_ops = {
25583 +static const struct ata_port_operations at32_port_ops = {
25584 .inherits = &ata_sff_port_ops,
25585 .cable_detect = ata_cable_40wire,
25586 .set_piomode = pata_at32_set_piomode,
25587 diff -urNp linux-2.6.39.3/drivers/ata/pata_at91.c linux-2.6.39.3/drivers/ata/pata_at91.c
25588 --- linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-19 00:06:34.000000000 -0400
25589 +++ linux-2.6.39.3/drivers/ata/pata_at91.c 2011-05-22 19:36:31.000000000 -0400
25590 @@ -212,7 +212,7 @@ static struct scsi_host_template pata_at
25591 ATA_PIO_SHT(DRV_NAME),
25592 };
25593
25594 -static struct ata_port_operations pata_at91_port_ops = {
25595 +static const struct ata_port_operations pata_at91_port_ops = {
25596 .inherits = &ata_sff_port_ops,
25597
25598 .sff_data_xfer = pata_at91_data_xfer_noirq,
25599 diff -urNp linux-2.6.39.3/drivers/ata/pata_atiixp.c linux-2.6.39.3/drivers/ata/pata_atiixp.c
25600 --- linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-19 00:06:34.000000000 -0400
25601 +++ linux-2.6.39.3/drivers/ata/pata_atiixp.c 2011-05-22 19:36:31.000000000 -0400
25602 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
25603 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25604 };
25605
25606 -static struct ata_port_operations atiixp_port_ops = {
25607 +static const struct ata_port_operations atiixp_port_ops = {
25608 .inherits = &ata_bmdma_port_ops,
25609
25610 .qc_prep = ata_bmdma_dumb_qc_prep,
25611 diff -urNp linux-2.6.39.3/drivers/ata/pata_atp867x.c linux-2.6.39.3/drivers/ata/pata_atp867x.c
25612 --- linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-19 00:06:34.000000000 -0400
25613 +++ linux-2.6.39.3/drivers/ata/pata_atp867x.c 2011-05-22 19:36:31.000000000 -0400
25614 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
25615 ATA_BMDMA_SHT(DRV_NAME),
25616 };
25617
25618 -static struct ata_port_operations atp867x_ops = {
25619 +static const struct ata_port_operations atp867x_ops = {
25620 .inherits = &ata_bmdma_port_ops,
25621 .cable_detect = atp867x_cable_detect,
25622 .set_piomode = atp867x_set_piomode,
25623 diff -urNp linux-2.6.39.3/drivers/ata/pata_bf54x.c linux-2.6.39.3/drivers/ata/pata_bf54x.c
25624 --- linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-19 00:06:34.000000000 -0400
25625 +++ linux-2.6.39.3/drivers/ata/pata_bf54x.c 2011-05-22 19:36:31.000000000 -0400
25626 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
25627 .dma_boundary = ATA_DMA_BOUNDARY,
25628 };
25629
25630 -static struct ata_port_operations bfin_pata_ops = {
25631 +static const struct ata_port_operations bfin_pata_ops = {
25632 .inherits = &ata_bmdma_port_ops,
25633
25634 .set_piomode = bfin_set_piomode,
25635 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd640.c linux-2.6.39.3/drivers/ata/pata_cmd640.c
25636 --- linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-19 00:06:34.000000000 -0400
25637 +++ linux-2.6.39.3/drivers/ata/pata_cmd640.c 2011-05-22 19:36:31.000000000 -0400
25638 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
25639 ATA_PIO_SHT(DRV_NAME),
25640 };
25641
25642 -static struct ata_port_operations cmd640_port_ops = {
25643 +static const struct ata_port_operations cmd640_port_ops = {
25644 .inherits = &ata_sff_port_ops,
25645 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25646 .sff_data_xfer = ata_sff_data_xfer_noirq,
25647 diff -urNp linux-2.6.39.3/drivers/ata/pata_cmd64x.c linux-2.6.39.3/drivers/ata/pata_cmd64x.c
25648 --- linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:04:13.000000000 -0400
25649 +++ linux-2.6.39.3/drivers/ata/pata_cmd64x.c 2011-06-03 00:32:05.000000000 -0400
25650 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25651 .set_dmamode = cmd64x_set_dmamode,
25652 };
25653
25654 -static struct ata_port_operations cmd64x_port_ops = {
25655 +static const struct ata_port_operations cmd64x_port_ops = {
25656 .inherits = &cmd64x_base_ops,
25657 .cable_detect = ata_cable_40wire,
25658 };
25659
25660 -static struct ata_port_operations cmd646r1_port_ops = {
25661 +static const struct ata_port_operations cmd646r1_port_ops = {
25662 .inherits = &cmd64x_base_ops,
25663 .bmdma_stop = cmd646r1_bmdma_stop,
25664 .cable_detect = ata_cable_40wire,
25665 };
25666
25667 -static struct ata_port_operations cmd648_port_ops = {
25668 +static const struct ata_port_operations cmd648_port_ops = {
25669 .inherits = &cmd64x_base_ops,
25670 .bmdma_stop = cmd648_bmdma_stop,
25671 .cable_detect = cmd648_cable_detect,
25672 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5520.c linux-2.6.39.3/drivers/ata/pata_cs5520.c
25673 --- linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-19 00:06:34.000000000 -0400
25674 +++ linux-2.6.39.3/drivers/ata/pata_cs5520.c 2011-05-22 19:36:31.000000000 -0400
25675 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
25676 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25677 };
25678
25679 -static struct ata_port_operations cs5520_port_ops = {
25680 +static const struct ata_port_operations cs5520_port_ops = {
25681 .inherits = &ata_bmdma_port_ops,
25682 .qc_prep = ata_bmdma_dumb_qc_prep,
25683 .cable_detect = ata_cable_40wire,
25684 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5530.c linux-2.6.39.3/drivers/ata/pata_cs5530.c
25685 --- linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-19 00:06:34.000000000 -0400
25686 +++ linux-2.6.39.3/drivers/ata/pata_cs5530.c 2011-05-22 19:36:31.000000000 -0400
25687 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25688 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25689 };
25690
25691 -static struct ata_port_operations cs5530_port_ops = {
25692 +static const struct ata_port_operations cs5530_port_ops = {
25693 .inherits = &ata_bmdma_port_ops,
25694
25695 .qc_prep = ata_bmdma_dumb_qc_prep,
25696 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5535.c linux-2.6.39.3/drivers/ata/pata_cs5535.c
25697 --- linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-19 00:06:34.000000000 -0400
25698 +++ linux-2.6.39.3/drivers/ata/pata_cs5535.c 2011-05-22 19:36:31.000000000 -0400
25699 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25700 ATA_BMDMA_SHT(DRV_NAME),
25701 };
25702
25703 -static struct ata_port_operations cs5535_port_ops = {
25704 +static const struct ata_port_operations cs5535_port_ops = {
25705 .inherits = &ata_bmdma_port_ops,
25706 .cable_detect = cs5535_cable_detect,
25707 .set_piomode = cs5535_set_piomode,
25708 diff -urNp linux-2.6.39.3/drivers/ata/pata_cs5536.c linux-2.6.39.3/drivers/ata/pata_cs5536.c
25709 --- linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-19 00:06:34.000000000 -0400
25710 +++ linux-2.6.39.3/drivers/ata/pata_cs5536.c 2011-05-22 19:36:31.000000000 -0400
25711 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
25712 ATA_BMDMA_SHT(DRV_NAME),
25713 };
25714
25715 -static struct ata_port_operations cs5536_port_ops = {
25716 +static const struct ata_port_operations cs5536_port_ops = {
25717 .inherits = &ata_bmdma32_port_ops,
25718 .cable_detect = cs5536_cable_detect,
25719 .set_piomode = cs5536_set_piomode,
25720 diff -urNp linux-2.6.39.3/drivers/ata/pata_cypress.c linux-2.6.39.3/drivers/ata/pata_cypress.c
25721 --- linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-19 00:06:34.000000000 -0400
25722 +++ linux-2.6.39.3/drivers/ata/pata_cypress.c 2011-05-22 19:36:31.000000000 -0400
25723 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
25724 ATA_BMDMA_SHT(DRV_NAME),
25725 };
25726
25727 -static struct ata_port_operations cy82c693_port_ops = {
25728 +static const struct ata_port_operations cy82c693_port_ops = {
25729 .inherits = &ata_bmdma_port_ops,
25730 .cable_detect = ata_cable_40wire,
25731 .set_piomode = cy82c693_set_piomode,
25732 diff -urNp linux-2.6.39.3/drivers/ata/pata_efar.c linux-2.6.39.3/drivers/ata/pata_efar.c
25733 --- linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-19 00:06:34.000000000 -0400
25734 +++ linux-2.6.39.3/drivers/ata/pata_efar.c 2011-05-22 19:36:31.000000000 -0400
25735 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
25736 ATA_BMDMA_SHT(DRV_NAME),
25737 };
25738
25739 -static struct ata_port_operations efar_ops = {
25740 +static const struct ata_port_operations efar_ops = {
25741 .inherits = &ata_bmdma_port_ops,
25742 .cable_detect = efar_cable_detect,
25743 .set_piomode = efar_set_piomode,
25744 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt366.c linux-2.6.39.3/drivers/ata/pata_hpt366.c
25745 --- linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-19 00:06:34.000000000 -0400
25746 +++ linux-2.6.39.3/drivers/ata/pata_hpt366.c 2011-05-22 19:36:31.000000000 -0400
25747 @@ -276,7 +276,7 @@ static struct scsi_host_template hpt36x_
25748 * Configuration for HPT366/68
25749 */
25750
25751 -static struct ata_port_operations hpt366_port_ops = {
25752 +static const struct ata_port_operations hpt366_port_ops = {
25753 .inherits = &ata_bmdma_port_ops,
25754 .cable_detect = hpt36x_cable_detect,
25755 .mode_filter = hpt366_filter,
25756 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt37x.c linux-2.6.39.3/drivers/ata/pata_hpt37x.c
25757 --- linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-19 00:06:34.000000000 -0400
25758 +++ linux-2.6.39.3/drivers/ata/pata_hpt37x.c 2011-05-22 19:36:31.000000000 -0400
25759 @@ -589,7 +589,7 @@ static struct scsi_host_template hpt37x_
25760 * Configuration for HPT370
25761 */
25762
25763 -static struct ata_port_operations hpt370_port_ops = {
25764 +static const struct ata_port_operations hpt370_port_ops = {
25765 .inherits = &ata_bmdma_port_ops,
25766
25767 .bmdma_stop = hpt370_bmdma_stop,
25768 @@ -605,7 +605,7 @@ static struct ata_port_operations hpt370
25769 * Configuration for HPT370A. Close to 370 but less filters
25770 */
25771
25772 -static struct ata_port_operations hpt370a_port_ops = {
25773 +static const struct ata_port_operations hpt370a_port_ops = {
25774 .inherits = &hpt370_port_ops,
25775 .mode_filter = hpt370a_filter,
25776 };
25777 @@ -615,7 +615,7 @@ static struct ata_port_operations hpt370
25778 * mode setting functionality.
25779 */
25780
25781 -static struct ata_port_operations hpt302_port_ops = {
25782 +static const struct ata_port_operations hpt302_port_ops = {
25783 .inherits = &ata_bmdma_port_ops,
25784
25785 .bmdma_stop = hpt37x_bmdma_stop,
25786 @@ -631,7 +631,7 @@ static struct ata_port_operations hpt302
25787 * but we have a mode filter.
25788 */
25789
25790 -static struct ata_port_operations hpt372_port_ops = {
25791 +static const struct ata_port_operations hpt372_port_ops = {
25792 .inherits = &hpt302_port_ops,
25793 .mode_filter = hpt372_filter,
25794 };
25795 @@ -641,7 +641,7 @@ static struct ata_port_operations hpt372
25796 * but we have a different cable detection procedure for function 1.
25797 */
25798
25799 -static struct ata_port_operations hpt374_fn1_port_ops = {
25800 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25801 .inherits = &hpt372_port_ops,
25802 .cable_detect = hpt374_fn1_cable_detect,
25803 };
25804 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c
25805 --- linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-19 00:06:34.000000000 -0400
25806 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x2n.c 2011-05-22 19:36:31.000000000 -0400
25807 @@ -350,7 +350,7 @@ static struct scsi_host_template hpt3x2n
25808 * Configuration for HPT302N/371N.
25809 */
25810
25811 -static struct ata_port_operations hpt3xxn_port_ops = {
25812 +static const struct ata_port_operations hpt3xxn_port_ops = {
25813 .inherits = &ata_bmdma_port_ops,
25814
25815 .bmdma_stop = hpt3x2n_bmdma_stop,
25816 @@ -368,7 +368,7 @@ static struct ata_port_operations hpt3xx
25817 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
25818 */
25819
25820 -static struct ata_port_operations hpt372n_port_ops = {
25821 +static const struct ata_port_operations hpt372n_port_ops = {
25822 .inherits = &hpt3xxn_port_ops,
25823 .mode_filter = &hpt372n_filter,
25824 };
25825 diff -urNp linux-2.6.39.3/drivers/ata/pata_hpt3x3.c linux-2.6.39.3/drivers/ata/pata_hpt3x3.c
25826 --- linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-19 00:06:34.000000000 -0400
25827 +++ linux-2.6.39.3/drivers/ata/pata_hpt3x3.c 2011-05-22 19:36:31.000000000 -0400
25828 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25829 ATA_BMDMA_SHT(DRV_NAME),
25830 };
25831
25832 -static struct ata_port_operations hpt3x3_port_ops = {
25833 +static const struct ata_port_operations hpt3x3_port_ops = {
25834 .inherits = &ata_bmdma_port_ops,
25835 .cable_detect = ata_cable_40wire,
25836 .set_piomode = hpt3x3_set_piomode,
25837 diff -urNp linux-2.6.39.3/drivers/ata/pata_icside.c linux-2.6.39.3/drivers/ata/pata_icside.c
25838 --- linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-19 00:06:34.000000000 -0400
25839 +++ linux-2.6.39.3/drivers/ata/pata_icside.c 2011-05-22 19:36:31.000000000 -0400
25840 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
25841 }
25842 }
25843
25844 -static struct ata_port_operations pata_icside_port_ops = {
25845 +static const struct ata_port_operations pata_icside_port_ops = {
25846 .inherits = &ata_bmdma_port_ops,
25847 /* no need to build any PRD tables for DMA */
25848 .qc_prep = ata_noop_qc_prep,
25849 diff -urNp linux-2.6.39.3/drivers/ata/pata_isapnp.c linux-2.6.39.3/drivers/ata/pata_isapnp.c
25850 --- linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-19 00:06:34.000000000 -0400
25851 +++ linux-2.6.39.3/drivers/ata/pata_isapnp.c 2011-05-22 19:36:31.000000000 -0400
25852 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25853 ATA_PIO_SHT(DRV_NAME),
25854 };
25855
25856 -static struct ata_port_operations isapnp_port_ops = {
25857 +static const struct ata_port_operations isapnp_port_ops = {
25858 .inherits = &ata_sff_port_ops,
25859 .cable_detect = ata_cable_40wire,
25860 };
25861
25862 -static struct ata_port_operations isapnp_noalt_port_ops = {
25863 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25864 .inherits = &ata_sff_port_ops,
25865 .cable_detect = ata_cable_40wire,
25866 /* No altstatus so we don't want to use the lost interrupt poll */
25867 diff -urNp linux-2.6.39.3/drivers/ata/pata_it8213.c linux-2.6.39.3/drivers/ata/pata_it8213.c
25868 --- linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-19 00:06:34.000000000 -0400
25869 +++ linux-2.6.39.3/drivers/ata/pata_it8213.c 2011-05-22 19:36:31.000000000 -0400
25870 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
25871 };
25872
25873
25874 -static struct ata_port_operations it8213_ops = {
25875 +static const struct ata_port_operations it8213_ops = {
25876 .inherits = &ata_bmdma_port_ops,
25877 .cable_detect = it8213_cable_detect,
25878 .set_piomode = it8213_set_piomode,
25879 diff -urNp linux-2.6.39.3/drivers/ata/pata_it821x.c linux-2.6.39.3/drivers/ata/pata_it821x.c
25880 --- linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-19 00:06:34.000000000 -0400
25881 +++ linux-2.6.39.3/drivers/ata/pata_it821x.c 2011-05-22 19:36:31.000000000 -0400
25882 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
25883 ATA_BMDMA_SHT(DRV_NAME),
25884 };
25885
25886 -static struct ata_port_operations it821x_smart_port_ops = {
25887 +static const struct ata_port_operations it821x_smart_port_ops = {
25888 .inherits = &ata_bmdma_port_ops,
25889
25890 .check_atapi_dma= it821x_check_atapi_dma,
25891 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
25892 .port_start = it821x_port_start,
25893 };
25894
25895 -static struct ata_port_operations it821x_passthru_port_ops = {
25896 +static const struct ata_port_operations it821x_passthru_port_ops = {
25897 .inherits = &ata_bmdma_port_ops,
25898
25899 .check_atapi_dma= it821x_check_atapi_dma,
25900 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
25901 .port_start = it821x_port_start,
25902 };
25903
25904 -static struct ata_port_operations it821x_rdc_port_ops = {
25905 +static const struct ata_port_operations it821x_rdc_port_ops = {
25906 .inherits = &ata_bmdma_port_ops,
25907
25908 .check_atapi_dma= it821x_check_atapi_dma,
25909 diff -urNp linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c
25910 --- linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-19 00:06:34.000000000 -0400
25911 +++ linux-2.6.39.3/drivers/ata/pata_ixp4xx_cf.c 2011-05-22 19:36:31.000000000 -0400
25912 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25913 ATA_PIO_SHT(DRV_NAME),
25914 };
25915
25916 -static struct ata_port_operations ixp4xx_port_ops = {
25917 +static const struct ata_port_operations ixp4xx_port_ops = {
25918 .inherits = &ata_sff_port_ops,
25919 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25920 .cable_detect = ata_cable_40wire,
25921 diff -urNp linux-2.6.39.3/drivers/ata/pata_jmicron.c linux-2.6.39.3/drivers/ata/pata_jmicron.c
25922 --- linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-19 00:06:34.000000000 -0400
25923 +++ linux-2.6.39.3/drivers/ata/pata_jmicron.c 2011-05-22 19:36:31.000000000 -0400
25924 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25925 ATA_BMDMA_SHT(DRV_NAME),
25926 };
25927
25928 -static struct ata_port_operations jmicron_ops = {
25929 +static const struct ata_port_operations jmicron_ops = {
25930 .inherits = &ata_bmdma_port_ops,
25931 .prereset = jmicron_pre_reset,
25932 };
25933 diff -urNp linux-2.6.39.3/drivers/ata/pata_legacy.c linux-2.6.39.3/drivers/ata/pata_legacy.c
25934 --- linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-19 00:06:34.000000000 -0400
25935 +++ linux-2.6.39.3/drivers/ata/pata_legacy.c 2011-05-22 19:36:31.000000000 -0400
25936 @@ -116,7 +116,7 @@ struct legacy_probe {
25937
25938 struct legacy_controller {
25939 const char *name;
25940 - struct ata_port_operations *ops;
25941 + const struct ata_port_operations *ops;
25942 unsigned int pio_mask;
25943 unsigned int flags;
25944 unsigned int pflags;
25945 @@ -239,12 +239,12 @@ static const struct ata_port_operations
25946 * pio_mask as well.
25947 */
25948
25949 -static struct ata_port_operations simple_port_ops = {
25950 +static const struct ata_port_operations simple_port_ops = {
25951 .inherits = &legacy_base_port_ops,
25952 .sff_data_xfer = ata_sff_data_xfer_noirq,
25953 };
25954
25955 -static struct ata_port_operations legacy_port_ops = {
25956 +static const struct ata_port_operations legacy_port_ops = {
25957 .inherits = &legacy_base_port_ops,
25958 .sff_data_xfer = ata_sff_data_xfer_noirq,
25959 .set_mode = legacy_set_mode,
25960 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
25961 return buflen;
25962 }
25963
25964 -static struct ata_port_operations pdc20230_port_ops = {
25965 +static const struct ata_port_operations pdc20230_port_ops = {
25966 .inherits = &legacy_base_port_ops,
25967 .set_piomode = pdc20230_set_piomode,
25968 .sff_data_xfer = pdc_data_xfer_vlb,
25969 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
25970 ioread8(ap->ioaddr.status_addr);
25971 }
25972
25973 -static struct ata_port_operations ht6560a_port_ops = {
25974 +static const struct ata_port_operations ht6560a_port_ops = {
25975 .inherits = &legacy_base_port_ops,
25976 .set_piomode = ht6560a_set_piomode,
25977 };
25978 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
25979 ioread8(ap->ioaddr.status_addr);
25980 }
25981
25982 -static struct ata_port_operations ht6560b_port_ops = {
25983 +static const struct ata_port_operations ht6560b_port_ops = {
25984 .inherits = &legacy_base_port_ops,
25985 .set_piomode = ht6560b_set_piomode,
25986 };
25987 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
25988 }
25989
25990
25991 -static struct ata_port_operations opti82c611a_port_ops = {
25992 +static const struct ata_port_operations opti82c611a_port_ops = {
25993 .inherits = &legacy_base_port_ops,
25994 .set_piomode = opti82c611a_set_piomode,
25995 };
25996 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
25997 return ata_sff_qc_issue(qc);
25998 }
25999
26000 -static struct ata_port_operations opti82c46x_port_ops = {
26001 +static const struct ata_port_operations opti82c46x_port_ops = {
26002 .inherits = &legacy_base_port_ops,
26003 .set_piomode = opti82c46x_set_piomode,
26004 .qc_issue = opti82c46x_qc_issue,
26005 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
26006 return 0;
26007 }
26008
26009 -static struct ata_port_operations qdi6500_port_ops = {
26010 +static const struct ata_port_operations qdi6500_port_ops = {
26011 .inherits = &legacy_base_port_ops,
26012 .set_piomode = qdi6500_set_piomode,
26013 .qc_issue = qdi_qc_issue,
26014 .sff_data_xfer = vlb32_data_xfer,
26015 };
26016
26017 -static struct ata_port_operations qdi6580_port_ops = {
26018 +static const struct ata_port_operations qdi6580_port_ops = {
26019 .inherits = &legacy_base_port_ops,
26020 .set_piomode = qdi6580_set_piomode,
26021 .sff_data_xfer = vlb32_data_xfer,
26022 };
26023
26024 -static struct ata_port_operations qdi6580dp_port_ops = {
26025 +static const struct ata_port_operations qdi6580dp_port_ops = {
26026 .inherits = &legacy_base_port_ops,
26027 .set_piomode = qdi6580dp_set_piomode,
26028 .qc_issue = qdi_qc_issue,
26029 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
26030 return 0;
26031 }
26032
26033 -static struct ata_port_operations winbond_port_ops = {
26034 +static const struct ata_port_operations winbond_port_ops = {
26035 .inherits = &legacy_base_port_ops,
26036 .set_piomode = winbond_set_piomode,
26037 .sff_data_xfer = vlb32_data_xfer,
26038 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
26039 int pio_modes = controller->pio_mask;
26040 unsigned long io = probe->port;
26041 u32 mask = (1 << probe->slot);
26042 - struct ata_port_operations *ops = controller->ops;
26043 + const struct ata_port_operations *ops = controller->ops;
26044 struct legacy_data *ld = &legacy_data[probe->slot];
26045 struct ata_host *host = NULL;
26046 struct ata_port *ap;
26047 diff -urNp linux-2.6.39.3/drivers/ata/pata_macio.c linux-2.6.39.3/drivers/ata/pata_macio.c
26048 --- linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-19 00:06:34.000000000 -0400
26049 +++ linux-2.6.39.3/drivers/ata/pata_macio.c 2011-05-22 19:36:31.000000000 -0400
26050 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
26051 .slave_configure = pata_macio_slave_config,
26052 };
26053
26054 -static struct ata_port_operations pata_macio_ops = {
26055 +static const struct ata_port_operations pata_macio_ops = {
26056 .inherits = &ata_bmdma_port_ops,
26057 -
26058 .freeze = pata_macio_freeze,
26059 .set_piomode = pata_macio_set_timings,
26060 .set_dmamode = pata_macio_set_timings,
26061 diff -urNp linux-2.6.39.3/drivers/ata/pata_marvell.c linux-2.6.39.3/drivers/ata/pata_marvell.c
26062 --- linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-19 00:06:34.000000000 -0400
26063 +++ linux-2.6.39.3/drivers/ata/pata_marvell.c 2011-05-22 19:36:31.000000000 -0400
26064 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26065 ATA_BMDMA_SHT(DRV_NAME),
26066 };
26067
26068 -static struct ata_port_operations marvell_ops = {
26069 +static const struct ata_port_operations marvell_ops = {
26070 .inherits = &ata_bmdma_port_ops,
26071 .cable_detect = marvell_cable_detect,
26072 .prereset = marvell_pre_reset,
26073 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpc52xx.c linux-2.6.39.3/drivers/ata/pata_mpc52xx.c
26074 --- linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-19 00:06:34.000000000 -0400
26075 +++ linux-2.6.39.3/drivers/ata/pata_mpc52xx.c 2011-05-22 19:36:31.000000000 -0400
26076 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26077 ATA_PIO_SHT(DRV_NAME),
26078 };
26079
26080 -static struct ata_port_operations mpc52xx_ata_port_ops = {
26081 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
26082 .inherits = &ata_bmdma_port_ops,
26083 .sff_dev_select = mpc52xx_ata_dev_select,
26084 .set_piomode = mpc52xx_ata_set_piomode,
26085 diff -urNp linux-2.6.39.3/drivers/ata/pata_mpiix.c linux-2.6.39.3/drivers/ata/pata_mpiix.c
26086 --- linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-19 00:06:34.000000000 -0400
26087 +++ linux-2.6.39.3/drivers/ata/pata_mpiix.c 2011-05-22 19:36:31.000000000 -0400
26088 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
26089 ATA_PIO_SHT(DRV_NAME),
26090 };
26091
26092 -static struct ata_port_operations mpiix_port_ops = {
26093 +static const struct ata_port_operations mpiix_port_ops = {
26094 .inherits = &ata_sff_port_ops,
26095 .qc_issue = mpiix_qc_issue,
26096 .cable_detect = ata_cable_40wire,
26097 diff -urNp linux-2.6.39.3/drivers/ata/pata_netcell.c linux-2.6.39.3/drivers/ata/pata_netcell.c
26098 --- linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-19 00:06:34.000000000 -0400
26099 +++ linux-2.6.39.3/drivers/ata/pata_netcell.c 2011-05-22 19:36:31.000000000 -0400
26100 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
26101 ATA_BMDMA_SHT(DRV_NAME),
26102 };
26103
26104 -static struct ata_port_operations netcell_ops = {
26105 +static const struct ata_port_operations netcell_ops = {
26106 .inherits = &ata_bmdma_port_ops,
26107 .cable_detect = ata_cable_80wire,
26108 .read_id = netcell_read_id,
26109 diff -urNp linux-2.6.39.3/drivers/ata/pata_ninja32.c linux-2.6.39.3/drivers/ata/pata_ninja32.c
26110 --- linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-19 00:06:34.000000000 -0400
26111 +++ linux-2.6.39.3/drivers/ata/pata_ninja32.c 2011-05-22 19:36:31.000000000 -0400
26112 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
26113 ATA_BMDMA_SHT(DRV_NAME),
26114 };
26115
26116 -static struct ata_port_operations ninja32_port_ops = {
26117 +static const struct ata_port_operations ninja32_port_ops = {
26118 .inherits = &ata_bmdma_port_ops,
26119 .sff_dev_select = ninja32_dev_select,
26120 .cable_detect = ata_cable_40wire,
26121 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87410.c linux-2.6.39.3/drivers/ata/pata_ns87410.c
26122 --- linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-19 00:06:34.000000000 -0400
26123 +++ linux-2.6.39.3/drivers/ata/pata_ns87410.c 2011-05-22 19:36:31.000000000 -0400
26124 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
26125 ATA_PIO_SHT(DRV_NAME),
26126 };
26127
26128 -static struct ata_port_operations ns87410_port_ops = {
26129 +static const struct ata_port_operations ns87410_port_ops = {
26130 .inherits = &ata_sff_port_ops,
26131 .qc_issue = ns87410_qc_issue,
26132 .cable_detect = ata_cable_40wire,
26133 diff -urNp linux-2.6.39.3/drivers/ata/pata_ns87415.c linux-2.6.39.3/drivers/ata/pata_ns87415.c
26134 --- linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-19 00:06:34.000000000 -0400
26135 +++ linux-2.6.39.3/drivers/ata/pata_ns87415.c 2011-05-22 19:36:31.000000000 -0400
26136 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
26137 }
26138 #endif /* 87560 SuperIO Support */
26139
26140 -static struct ata_port_operations ns87415_pata_ops = {
26141 +static const struct ata_port_operations ns87415_pata_ops = {
26142 .inherits = &ata_bmdma_port_ops,
26143
26144 .check_atapi_dma = ns87415_check_atapi_dma,
26145 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
26146 };
26147
26148 #if defined(CONFIG_SUPERIO)
26149 -static struct ata_port_operations ns87560_pata_ops = {
26150 +static const struct ata_port_operations ns87560_pata_ops = {
26151 .inherits = &ns87415_pata_ops,
26152 .sff_tf_read = ns87560_tf_read,
26153 .sff_check_status = ns87560_check_status,
26154 diff -urNp linux-2.6.39.3/drivers/ata/pata_octeon_cf.c linux-2.6.39.3/drivers/ata/pata_octeon_cf.c
26155 --- linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-19 00:06:34.000000000 -0400
26156 +++ linux-2.6.39.3/drivers/ata/pata_octeon_cf.c 2011-05-22 19:36:31.000000000 -0400
26157 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
26158 return 0;
26159 }
26160
26161 -static struct ata_port_operations octeon_cf_ops = {
26162 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
26163 .inherits = &ata_sff_port_ops,
26164 .check_atapi_dma = octeon_cf_check_atapi_dma,
26165 .qc_prep = ata_noop_qc_prep,
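Review bot: The new `/* cannot be const */` comment on `octeon_cf_ops` gives no reason, so the one table in this run of hunks that stays writable cannot be audited from its declaration. Presumably the driver assigns some members after initialisation, which this hunk does not show; if that is the reason, say so, for example `/* cannot be const: members are assigned in the probe routine */`. A writable function-pointer table is exactly what the surrounding hunks remove, so the exception should carry its justification in the source. The initializer continues past the end of the hunk.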
26166 diff -urNp linux-2.6.39.3/drivers/ata/pata_oldpiix.c linux-2.6.39.3/drivers/ata/pata_oldpiix.c
26167 --- linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-19 00:06:34.000000000 -0400
26168 +++ linux-2.6.39.3/drivers/ata/pata_oldpiix.c 2011-05-22 19:36:31.000000000 -0400
26169 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
26170 ATA_BMDMA_SHT(DRV_NAME),
26171 };
26172
26173 -static struct ata_port_operations oldpiix_pata_ops = {
26174 +static const struct ata_port_operations oldpiix_pata_ops = {
26175 .inherits = &ata_bmdma_port_ops,
26176 .qc_issue = oldpiix_qc_issue,
26177 .cable_detect = ata_cable_40wire,
26178 diff -urNp linux-2.6.39.3/drivers/ata/pata_opti.c linux-2.6.39.3/drivers/ata/pata_opti.c
26179 --- linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-19 00:06:34.000000000 -0400
26180 +++ linux-2.6.39.3/drivers/ata/pata_opti.c 2011-05-22 19:36:31.000000000 -0400
26181 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
26182 ATA_PIO_SHT(DRV_NAME),
26183 };
26184
26185 -static struct ata_port_operations opti_port_ops = {
26186 +static const struct ata_port_operations opti_port_ops = {
26187 .inherits = &ata_sff_port_ops,
26188 .cable_detect = ata_cable_40wire,
26189 .set_piomode = opti_set_piomode,
26190 diff -urNp linux-2.6.39.3/drivers/ata/pata_optidma.c linux-2.6.39.3/drivers/ata/pata_optidma.c
26191 --- linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-19 00:06:34.000000000 -0400
26192 +++ linux-2.6.39.3/drivers/ata/pata_optidma.c 2011-05-22 19:36:31.000000000 -0400
26193 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26194 ATA_BMDMA_SHT(DRV_NAME),
26195 };
26196
26197 -static struct ata_port_operations optidma_port_ops = {
26198 +static const struct ata_port_operations optidma_port_ops = {
26199 .inherits = &ata_bmdma_port_ops,
26200 .cable_detect = ata_cable_40wire,
26201 .set_piomode = optidma_set_pio_mode,
26202 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26203 .prereset = optidma_pre_reset,
26204 };
26205
26206 -static struct ata_port_operations optiplus_port_ops = {
26207 +static const struct ata_port_operations optiplus_port_ops = {
26208 .inherits = &optidma_port_ops,
26209 .set_piomode = optiplus_set_pio_mode,
26210 .set_dmamode = optiplus_set_dma_mode,
26211 diff -urNp linux-2.6.39.3/drivers/ata/pata_palmld.c linux-2.6.39.3/drivers/ata/pata_palmld.c
26212 --- linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-19 00:06:34.000000000 -0400
26213 +++ linux-2.6.39.3/drivers/ata/pata_palmld.c 2011-05-22 19:36:31.000000000 -0400
26214 @@ -42,7 +42,7 @@ static struct scsi_host_template palmld_
26215 ATA_PIO_SHT(DRV_NAME),
26216 };
26217
26218 -static struct ata_port_operations palmld_port_ops = {
26219 +static const struct ata_port_operations palmld_port_ops = {
26220 .inherits = &ata_sff_port_ops,
26221 .sff_data_xfer = ata_sff_data_xfer_noirq,
26222 .cable_detect = ata_cable_40wire,
26223 diff -urNp linux-2.6.39.3/drivers/ata/pata_pcmcia.c linux-2.6.39.3/drivers/ata/pata_pcmcia.c
26224 --- linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
26225 +++ linux-2.6.39.3/drivers/ata/pata_pcmcia.c 2011-05-22 19:36:31.000000000 -0400
26226 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
26227 ATA_PIO_SHT(DRV_NAME),
26228 };
26229
26230 -static struct ata_port_operations pcmcia_port_ops = {
26231 +static const struct ata_port_operations pcmcia_port_ops = {
26232 .inherits = &ata_sff_port_ops,
26233 .sff_data_xfer = ata_sff_data_xfer_noirq,
26234 .cable_detect = ata_cable_40wire,
26235 .set_mode = pcmcia_set_mode,
26236 };
26237
26238 -static struct ata_port_operations pcmcia_8bit_port_ops = {
26239 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
26240 .inherits = &ata_sff_port_ops,
26241 .sff_data_xfer = ata_data_xfer_8bit,
26242 .cable_detect = ata_cable_40wire,
26243 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
26244 unsigned long io_base, ctl_base;
26245 void __iomem *io_addr, *ctl_addr;
26246 int n_ports = 1;
26247 - struct ata_port_operations *ops = &pcmcia_port_ops;
26248 + const struct ata_port_operations *ops = &pcmcia_port_ops;
26249
26250 /* Set up attributes in order to probe card and get resources */
26251 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
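Review bot: The local `ops` in `pcmcia_init_one()` becomes a pointer-to-const, but the hunk does not show where that pointer ends up, because the function continues outside it. If it is later stored in a field or passed to a parameter still declared as `struct ata_port_operations *`, the build will warn about a discarded qualifier, and silencing that with a cast would undo the protection the `const` tables are meant to give. Check that the consuming field or parameter is constified too, rather than introducing something like `(struct ata_port_operations *)ops`.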
26252 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc2027x.c linux-2.6.39.3/drivers/ata/pata_pdc2027x.c
26253 --- linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-19 00:06:34.000000000 -0400
26254 +++ linux-2.6.39.3/drivers/ata/pata_pdc2027x.c 2011-05-22 19:36:31.000000000 -0400
26255 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
26256 ATA_BMDMA_SHT(DRV_NAME),
26257 };
26258
26259 -static struct ata_port_operations pdc2027x_pata100_ops = {
26260 +static const struct ata_port_operations pdc2027x_pata100_ops = {
26261 .inherits = &ata_bmdma_port_ops,
26262 .check_atapi_dma = pdc2027x_check_atapi_dma,
26263 .cable_detect = pdc2027x_cable_detect,
26264 .prereset = pdc2027x_prereset,
26265 };
26266
26267 -static struct ata_port_operations pdc2027x_pata133_ops = {
26268 +static const struct ata_port_operations pdc2027x_pata133_ops = {
26269 .inherits = &pdc2027x_pata100_ops,
26270 .mode_filter = pdc2027x_mode_filter,
26271 .set_piomode = pdc2027x_set_piomode,
26272 diff -urNp linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c
26273 --- linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-19 00:06:34.000000000 -0400
26274 +++ linux-2.6.39.3/drivers/ata/pata_pdc202xx_old.c 2011-05-22 19:36:31.000000000 -0400
26275 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
26276 ATA_BMDMA_SHT(DRV_NAME),
26277 };
26278
26279 -static struct ata_port_operations pdc2024x_port_ops = {
26280 +static const struct ata_port_operations pdc2024x_port_ops = {
26281 .inherits = &ata_bmdma_port_ops,
26282
26283 .cable_detect = ata_cable_40wire,
26284 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
26285 .sff_irq_check = pdc202xx_irq_check,
26286 };
26287
26288 -static struct ata_port_operations pdc2026x_port_ops = {
26289 +static const struct ata_port_operations pdc2026x_port_ops = {
26290 .inherits = &pdc2024x_port_ops,
26291
26292 .check_atapi_dma = pdc2026x_check_atapi_dma,
26293 diff -urNp linux-2.6.39.3/drivers/ata/pata_piccolo.c linux-2.6.39.3/drivers/ata/pata_piccolo.c
26294 --- linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-19 00:06:34.000000000 -0400
26295 +++ linux-2.6.39.3/drivers/ata/pata_piccolo.c 2011-05-22 19:36:31.000000000 -0400
26296 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
26297 ATA_BMDMA_SHT(DRV_NAME),
26298 };
26299
26300 -static struct ata_port_operations tosh_port_ops = {
26301 +static const struct ata_port_operations tosh_port_ops = {
26302 .inherits = &ata_bmdma_port_ops,
26303 .cable_detect = ata_cable_unknown,
26304 .set_piomode = tosh_set_piomode,
26305 diff -urNp linux-2.6.39.3/drivers/ata/pata_platform.c linux-2.6.39.3/drivers/ata/pata_platform.c
26306 --- linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-19 00:06:34.000000000 -0400
26307 +++ linux-2.6.39.3/drivers/ata/pata_platform.c 2011-05-22 19:36:31.000000000 -0400
26308 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
26309 ATA_PIO_SHT(DRV_NAME),
26310 };
26311
26312 -static struct ata_port_operations pata_platform_port_ops = {
26313 +static const struct ata_port_operations pata_platform_port_ops = {
26314 .inherits = &ata_sff_port_ops,
26315 .sff_data_xfer = ata_sff_data_xfer_noirq,
26316 .cable_detect = ata_cable_unknown,
26317 diff -urNp linux-2.6.39.3/drivers/ata/pata_pxa.c linux-2.6.39.3/drivers/ata/pata_pxa.c
26318 --- linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-19 00:06:34.000000000 -0400
26319 +++ linux-2.6.39.3/drivers/ata/pata_pxa.c 2011-05-22 19:36:31.000000000 -0400
26320 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
26321 ATA_BMDMA_SHT(DRV_NAME),
26322 };
26323
26324 -static struct ata_port_operations pxa_ata_port_ops = {
26325 +static const struct ata_port_operations pxa_ata_port_ops = {
26326 .inherits = &ata_bmdma_port_ops,
26327 .cable_detect = ata_cable_40wire,
26328
26329 diff -urNp linux-2.6.39.3/drivers/ata/pata_qdi.c linux-2.6.39.3/drivers/ata/pata_qdi.c
26330 --- linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-19 00:06:34.000000000 -0400
26331 +++ linux-2.6.39.3/drivers/ata/pata_qdi.c 2011-05-22 19:36:31.000000000 -0400
26332 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
26333 ATA_PIO_SHT(DRV_NAME),
26334 };
26335
26336 -static struct ata_port_operations qdi6500_port_ops = {
26337 +static const struct ata_port_operations qdi6500_port_ops = {
26338 .inherits = &ata_sff_port_ops,
26339 .qc_issue = qdi_qc_issue,
26340 .sff_data_xfer = qdi_data_xfer,
26341 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
26342 .set_piomode = qdi6500_set_piomode,
26343 };
26344
26345 -static struct ata_port_operations qdi6580_port_ops = {
26346 +static const struct ata_port_operations qdi6580_port_ops = {
26347 .inherits = &qdi6500_port_ops,
26348 .set_piomode = qdi6580_set_piomode,
26349 };
26350 diff -urNp linux-2.6.39.3/drivers/ata/pata_radisys.c linux-2.6.39.3/drivers/ata/pata_radisys.c
26351 --- linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-19 00:06:34.000000000 -0400
26352 +++ linux-2.6.39.3/drivers/ata/pata_radisys.c 2011-05-22 19:36:31.000000000 -0400
26353 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
26354 ATA_BMDMA_SHT(DRV_NAME),
26355 };
26356
26357 -static struct ata_port_operations radisys_pata_ops = {
26358 +static const struct ata_port_operations radisys_pata_ops = {
26359 .inherits = &ata_bmdma_port_ops,
26360 .qc_issue = radisys_qc_issue,
26361 .cable_detect = ata_cable_unknown,
26362 diff -urNp linux-2.6.39.3/drivers/ata/pata_rb532_cf.c linux-2.6.39.3/drivers/ata/pata_rb532_cf.c
26363 --- linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-19 00:06:34.000000000 -0400
26364 +++ linux-2.6.39.3/drivers/ata/pata_rb532_cf.c 2011-05-22 19:36:31.000000000 -0400
26365 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
26366 return IRQ_HANDLED;
26367 }
26368
26369 -static struct ata_port_operations rb532_pata_port_ops = {
26370 +static const struct ata_port_operations rb532_pata_port_ops = {
26371 .inherits = &ata_sff_port_ops,
26372 .sff_data_xfer = ata_sff_data_xfer32,
26373 };
26374 diff -urNp linux-2.6.39.3/drivers/ata/pata_rdc.c linux-2.6.39.3/drivers/ata/pata_rdc.c
26375 --- linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-19 00:06:34.000000000 -0400
26376 +++ linux-2.6.39.3/drivers/ata/pata_rdc.c 2011-05-22 19:36:31.000000000 -0400
26377 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
26378 pci_write_config_byte(dev, 0x48, udma_enable);
26379 }
26380
26381 -static struct ata_port_operations rdc_pata_ops = {
26382 +static const struct ata_port_operations rdc_pata_ops = {
26383 .inherits = &ata_bmdma32_port_ops,
26384 .cable_detect = rdc_pata_cable_detect,
26385 .set_piomode = rdc_set_piomode,
26386 diff -urNp linux-2.6.39.3/drivers/ata/pata_rz1000.c linux-2.6.39.3/drivers/ata/pata_rz1000.c
26387 --- linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-19 00:06:34.000000000 -0400
26388 +++ linux-2.6.39.3/drivers/ata/pata_rz1000.c 2011-05-22 19:36:31.000000000 -0400
26389 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
26390 ATA_PIO_SHT(DRV_NAME),
26391 };
26392
26393 -static struct ata_port_operations rz1000_port_ops = {
26394 +static const struct ata_port_operations rz1000_port_ops = {
26395 .inherits = &ata_sff_port_ops,
26396 .cable_detect = ata_cable_40wire,
26397 .set_mode = rz1000_set_mode,
26398 diff -urNp linux-2.6.39.3/drivers/ata/pata_samsung_cf.c linux-2.6.39.3/drivers/ata/pata_samsung_cf.c
26399 --- linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-19 00:06:34.000000000 -0400
26400 +++ linux-2.6.39.3/drivers/ata/pata_samsung_cf.c 2011-05-22 19:36:31.000000000 -0400
26401 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
26402 ATA_PIO_SHT(DRV_NAME),
26403 };
26404
26405 -static struct ata_port_operations pata_s3c_port_ops = {
26406 +static const struct ata_port_operations pata_s3c_port_ops = {
26407 .inherits = &ata_sff_port_ops,
26408 .sff_check_status = pata_s3c_check_status,
26409 .sff_check_altstatus = pata_s3c_check_altstatus,
26410 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
26411 .set_piomode = pata_s3c_set_piomode,
26412 };
26413
26414 -static struct ata_port_operations pata_s5p_port_ops = {
26415 +static const struct ata_port_operations pata_s5p_port_ops = {
26416 .inherits = &ata_sff_port_ops,
26417 .set_piomode = pata_s3c_set_piomode,
26418 };
26419 diff -urNp linux-2.6.39.3/drivers/ata/pata_sc1200.c linux-2.6.39.3/drivers/ata/pata_sc1200.c
26420 --- linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-19 00:06:34.000000000 -0400
26421 +++ linux-2.6.39.3/drivers/ata/pata_sc1200.c 2011-05-22 19:36:31.000000000 -0400
26422 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26423 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26424 };
26425
26426 -static struct ata_port_operations sc1200_port_ops = {
26427 +static const struct ata_port_operations sc1200_port_ops = {
26428 .inherits = &ata_bmdma_port_ops,
26429 .qc_prep = ata_bmdma_dumb_qc_prep,
26430 .qc_issue = sc1200_qc_issue,
26431 diff -urNp linux-2.6.39.3/drivers/ata/pata_scc.c linux-2.6.39.3/drivers/ata/pata_scc.c
26432 --- linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-19 00:06:34.000000000 -0400
26433 +++ linux-2.6.39.3/drivers/ata/pata_scc.c 2011-05-22 19:36:31.000000000 -0400
26434 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
26435 ATA_BMDMA_SHT(DRV_NAME),
26436 };
26437
26438 -static struct ata_port_operations scc_pata_ops = {
26439 +static const struct ata_port_operations scc_pata_ops = {
26440 .inherits = &ata_bmdma_port_ops,
26441
26442 .set_piomode = scc_set_piomode,
26443 diff -urNp linux-2.6.39.3/drivers/ata/pata_sch.c linux-2.6.39.3/drivers/ata/pata_sch.c
26444 --- linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-19 00:06:34.000000000 -0400
26445 +++ linux-2.6.39.3/drivers/ata/pata_sch.c 2011-05-22 19:36:31.000000000 -0400
26446 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26447 ATA_BMDMA_SHT(DRV_NAME),
26448 };
26449
26450 -static struct ata_port_operations sch_pata_ops = {
26451 +static const struct ata_port_operations sch_pata_ops = {
26452 .inherits = &ata_bmdma_port_ops,
26453 .cable_detect = ata_cable_unknown,
26454 .set_piomode = sch_set_piomode,
26455 diff -urNp linux-2.6.39.3/drivers/ata/pata_serverworks.c linux-2.6.39.3/drivers/ata/pata_serverworks.c
26456 --- linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-19 00:06:34.000000000 -0400
26457 +++ linux-2.6.39.3/drivers/ata/pata_serverworks.c 2011-05-22 19:36:31.000000000 -0400
26458 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
26459 ATA_BMDMA_SHT(DRV_NAME),
26460 };
26461
26462 -static struct ata_port_operations serverworks_osb4_port_ops = {
26463 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26464 .inherits = &ata_bmdma_port_ops,
26465 .cable_detect = serverworks_cable_detect,
26466 .mode_filter = serverworks_osb4_filter,
26467 @@ -308,7 +308,7 @@ static struct ata_port_operations server
26468 .set_dmamode = serverworks_set_dmamode,
26469 };
26470
26471 -static struct ata_port_operations serverworks_csb_port_ops = {
26472 +static const struct ata_port_operations serverworks_csb_port_ops = {
26473 .inherits = &serverworks_osb4_port_ops,
26474 .mode_filter = serverworks_csb_filter,
26475 };
26476 diff -urNp linux-2.6.39.3/drivers/ata/pata_sil680.c linux-2.6.39.3/drivers/ata/pata_sil680.c
26477 --- linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-19 00:06:34.000000000 -0400
26478 +++ linux-2.6.39.3/drivers/ata/pata_sil680.c 2011-05-22 19:36:31.000000000 -0400
26479 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
26480 ATA_BMDMA_SHT(DRV_NAME),
26481 };
26482
26483 -
26484 -static struct ata_port_operations sil680_port_ops = {
26485 +static const struct ata_port_operations sil680_port_ops = {
26486 .inherits = &ata_bmdma32_port_ops,
26487 .sff_exec_command = sil680_sff_exec_command,
26488 .sff_irq_check = sil680_sff_irq_check,
26489 diff -urNp linux-2.6.39.3/drivers/ata/pata_sis.c linux-2.6.39.3/drivers/ata/pata_sis.c
26490 --- linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-19 00:06:34.000000000 -0400
26491 +++ linux-2.6.39.3/drivers/ata/pata_sis.c 2011-05-22 19:36:31.000000000 -0400
26492 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26493 ATA_BMDMA_SHT(DRV_NAME),
26494 };
26495
26496 -static struct ata_port_operations sis_133_for_sata_ops = {
26497 +static const struct ata_port_operations sis_133_for_sata_ops = {
26498 .inherits = &ata_bmdma_port_ops,
26499 .set_piomode = sis_133_set_piomode,
26500 .set_dmamode = sis_133_set_dmamode,
26501 .cable_detect = sis_133_cable_detect,
26502 };
26503
26504 -static struct ata_port_operations sis_base_ops = {
26505 +static const struct ata_port_operations sis_base_ops = {
26506 .inherits = &ata_bmdma_port_ops,
26507 .prereset = sis_pre_reset,
26508 };
26509
26510 -static struct ata_port_operations sis_133_ops = {
26511 +static const struct ata_port_operations sis_133_ops = {
26512 .inherits = &sis_base_ops,
26513 .set_piomode = sis_133_set_piomode,
26514 .set_dmamode = sis_133_set_dmamode,
26515 .cable_detect = sis_133_cable_detect,
26516 };
26517
26518 -static struct ata_port_operations sis_133_early_ops = {
26519 +static const struct ata_port_operations sis_133_early_ops = {
26520 .inherits = &sis_base_ops,
26521 .set_piomode = sis_100_set_piomode,
26522 .set_dmamode = sis_133_early_set_dmamode,
26523 .cable_detect = sis_66_cable_detect,
26524 };
26525
26526 -static struct ata_port_operations sis_100_ops = {
26527 +static const struct ata_port_operations sis_100_ops = {
26528 .inherits = &sis_base_ops,
26529 .set_piomode = sis_100_set_piomode,
26530 .set_dmamode = sis_100_set_dmamode,
26531 .cable_detect = sis_66_cable_detect,
26532 };
26533
26534 -static struct ata_port_operations sis_66_ops = {
26535 +static const struct ata_port_operations sis_66_ops = {
26536 .inherits = &sis_base_ops,
26537 .set_piomode = sis_old_set_piomode,
26538 .set_dmamode = sis_66_set_dmamode,
26539 .cable_detect = sis_66_cable_detect,
26540 };
26541
26542 -static struct ata_port_operations sis_old_ops = {
26543 +static const struct ata_port_operations sis_old_ops = {
26544 .inherits = &sis_base_ops,
26545 .set_piomode = sis_old_set_piomode,
26546 .set_dmamode = sis_old_set_dmamode,
26547 diff -urNp linux-2.6.39.3/drivers/ata/pata_sl82c105.c linux-2.6.39.3/drivers/ata/pata_sl82c105.c
26548 --- linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-19 00:06:34.000000000 -0400
26549 +++ linux-2.6.39.3/drivers/ata/pata_sl82c105.c 2011-05-22 19:36:31.000000000 -0400
26550 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
26551 ATA_BMDMA_SHT(DRV_NAME),
26552 };
26553
26554 -static struct ata_port_operations sl82c105_port_ops = {
26555 +static const struct ata_port_operations sl82c105_port_ops = {
26556 .inherits = &ata_bmdma_port_ops,
26557 .qc_defer = sl82c105_qc_defer,
26558 .bmdma_start = sl82c105_bmdma_start,
26559 diff -urNp linux-2.6.39.3/drivers/ata/pata_triflex.c linux-2.6.39.3/drivers/ata/pata_triflex.c
26560 --- linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-19 00:06:34.000000000 -0400
26561 +++ linux-2.6.39.3/drivers/ata/pata_triflex.c 2011-05-22 19:36:31.000000000 -0400
26562 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26563 ATA_BMDMA_SHT(DRV_NAME),
26564 };
26565
26566 -static struct ata_port_operations triflex_port_ops = {
26567 +static const struct ata_port_operations triflex_port_ops = {
26568 .inherits = &ata_bmdma_port_ops,
26569 .bmdma_start = triflex_bmdma_start,
26570 .bmdma_stop = triflex_bmdma_stop,
26571 diff -urNp linux-2.6.39.3/drivers/ata/pata_via.c linux-2.6.39.3/drivers/ata/pata_via.c
26572 --- linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-19 00:06:34.000000000 -0400
26573 +++ linux-2.6.39.3/drivers/ata/pata_via.c 2011-05-22 19:36:31.000000000 -0400
26574 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
26575 ATA_BMDMA_SHT(DRV_NAME),
26576 };
26577
26578 -static struct ata_port_operations via_port_ops = {
26579 +static const struct ata_port_operations via_port_ops = {
26580 .inherits = &ata_bmdma_port_ops,
26581 .cable_detect = via_cable_detect,
26582 .set_piomode = via_set_piomode,
26583 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
26584 .mode_filter = via_mode_filter,
26585 };
26586
26587 -static struct ata_port_operations via_port_ops_noirq = {
26588 +static const struct ata_port_operations via_port_ops_noirq = {
26589 .inherits = &via_port_ops,
26590 .sff_data_xfer = ata_sff_data_xfer_noirq,
26591 };
26592 diff -urNp linux-2.6.39.3/drivers/ata/pdc_adma.c linux-2.6.39.3/drivers/ata/pdc_adma.c
26593 --- linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-19 00:06:34.000000000 -0400
26594 +++ linux-2.6.39.3/drivers/ata/pdc_adma.c 2011-05-22 19:36:31.000000000 -0400
26595 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
26596 .dma_boundary = ADMA_DMA_BOUNDARY,
26597 };
26598
26599 -static struct ata_port_operations adma_ata_ops = {
26600 +static const struct ata_port_operations adma_ata_ops = {
26601 .inherits = &ata_sff_port_ops,
26602
26603 .lost_interrupt = ATA_OP_NULL,
26604 diff -urNp linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c
26605 --- linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-19 00:06:34.000000000 -0400
26606 +++ linux-2.6.39.3/drivers/ata/sata_dwc_460ex.c 2011-05-22 19:36:31.000000000 -0400
26607 @@ -1598,7 +1598,7 @@ static struct scsi_host_template sata_dw
26608 .dma_boundary = ATA_DMA_BOUNDARY,
26609 };
26610
26611 -static struct ata_port_operations sata_dwc_ops = {
26612 +static const struct ata_port_operations sata_dwc_ops = {
26613 .inherits = &ata_sff_port_ops,
26614
26615 .error_handler = sata_dwc_error_handler,
26616 diff -urNp linux-2.6.39.3/drivers/ata/sata_fsl.c linux-2.6.39.3/drivers/ata/sata_fsl.c
26617 --- linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-19 00:06:34.000000000 -0400
26618 +++ linux-2.6.39.3/drivers/ata/sata_fsl.c 2011-05-22 19:36:31.000000000 -0400
26619 @@ -1268,7 +1268,7 @@ static struct scsi_host_template sata_fs
26620 .dma_boundary = ATA_DMA_BOUNDARY,
26621 };
26622
26623 -static struct ata_port_operations sata_fsl_ops = {
26624 +static const struct ata_port_operations sata_fsl_ops = {
26625 .inherits = &sata_pmp_port_ops,
26626
26627 .qc_defer = ata_std_qc_defer,
26628 diff -urNp linux-2.6.39.3/drivers/ata/sata_inic162x.c linux-2.6.39.3/drivers/ata/sata_inic162x.c
26629 --- linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-19 00:06:34.000000000 -0400
26630 +++ linux-2.6.39.3/drivers/ata/sata_inic162x.c 2011-05-22 19:36:31.000000000 -0400
26631 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
26632 return 0;
26633 }
26634
26635 -static struct ata_port_operations inic_port_ops = {
26636 +static const struct ata_port_operations inic_port_ops = {
26637 .inherits = &sata_port_ops,
26638
26639 .check_atapi_dma = inic_check_atapi_dma,
26640 diff -urNp linux-2.6.39.3/drivers/ata/sata_mv.c linux-2.6.39.3/drivers/ata/sata_mv.c
26641 --- linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-19 00:06:34.000000000 -0400
26642 +++ linux-2.6.39.3/drivers/ata/sata_mv.c 2011-05-22 19:36:31.000000000 -0400
26643 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
26644 .dma_boundary = MV_DMA_BOUNDARY,
26645 };
26646
26647 -static struct ata_port_operations mv5_ops = {
26648 +static const struct ata_port_operations mv5_ops = {
26649 .inherits = &ata_sff_port_ops,
26650
26651 .lost_interrupt = ATA_OP_NULL,
26652 @@ -682,7 +682,7 @@ static struct ata_port_operations mv5_op
26653 .port_stop = mv_port_stop,
26654 };
26655
26656 -static struct ata_port_operations mv6_ops = {
26657 +static const struct ata_port_operations mv6_ops = {
26658 .inherits = &ata_bmdma_port_ops,
26659
26660 .lost_interrupt = ATA_OP_NULL,
26661 @@ -716,7 +716,7 @@ static struct ata_port_operations mv6_op
26662 .port_stop = mv_port_stop,
26663 };
26664
26665 -static struct ata_port_operations mv_iie_ops = {
26666 +static const struct ata_port_operations mv_iie_ops = {
26667 .inherits = &mv6_ops,
26668 .dev_config = ATA_OP_NULL,
26669 .qc_prep = mv_qc_prep_iie,
26670 diff -urNp linux-2.6.39.3/drivers/ata/sata_nv.c linux-2.6.39.3/drivers/ata/sata_nv.c
26671 --- linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-19 00:06:34.000000000 -0400
26672 +++ linux-2.6.39.3/drivers/ata/sata_nv.c 2011-05-22 19:36:31.000000000 -0400
26673 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
26674 * cases. Define nv_hardreset() which only kicks in for post-boot
26675 * probing and use it for all variants.
26676 */
26677 -static struct ata_port_operations nv_generic_ops = {
26678 +static const struct ata_port_operations nv_generic_ops = {
26679 .inherits = &ata_bmdma_port_ops,
26680 .lost_interrupt = ATA_OP_NULL,
26681 .scr_read = nv_scr_read,
26682 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
26683 .hardreset = nv_hardreset,
26684 };
26685
26686 -static struct ata_port_operations nv_nf2_ops = {
26687 +static const struct ata_port_operations nv_nf2_ops = {
26688 .inherits = &nv_generic_ops,
26689 .freeze = nv_nf2_freeze,
26690 .thaw = nv_nf2_thaw,
26691 };
26692
26693 -static struct ata_port_operations nv_ck804_ops = {
26694 +static const struct ata_port_operations nv_ck804_ops = {
26695 .inherits = &nv_generic_ops,
26696 .freeze = nv_ck804_freeze,
26697 .thaw = nv_ck804_thaw,
26698 .host_stop = nv_ck804_host_stop,
26699 };
26700
26701 -static struct ata_port_operations nv_adma_ops = {
26702 +static const struct ata_port_operations nv_adma_ops = {
26703 .inherits = &nv_ck804_ops,
26704
26705 .check_atapi_dma = nv_adma_check_atapi_dma,
26706 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
26707 .host_stop = nv_adma_host_stop,
26708 };
26709
26710 -static struct ata_port_operations nv_swncq_ops = {
26711 +static const struct ata_port_operations nv_swncq_ops = {
26712 .inherits = &nv_generic_ops,
26713
26714 .qc_defer = ata_std_qc_defer,
26715 diff -urNp linux-2.6.39.3/drivers/ata/sata_promise.c linux-2.6.39.3/drivers/ata/sata_promise.c
26716 --- linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-19 00:06:34.000000000 -0400
26717 +++ linux-2.6.39.3/drivers/ata/sata_promise.c 2011-05-22 19:36:31.000000000 -0400
26718 @@ -194,7 +194,7 @@ static const struct ata_port_operations
26719 .error_handler = pdc_error_handler,
26720 };
26721
26722 -static struct ata_port_operations pdc_sata_ops = {
26723 +static const struct ata_port_operations pdc_sata_ops = {
26724 .inherits = &pdc_common_ops,
26725 .cable_detect = pdc_sata_cable_detect,
26726 .freeze = pdc_sata_freeze,
26727 @@ -207,14 +207,14 @@ static struct ata_port_operations pdc_sa
26728
26729 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26730 and ->freeze/thaw that ignore the hotplug controls. */
26731 -static struct ata_port_operations pdc_old_sata_ops = {
26732 +static const struct ata_port_operations pdc_old_sata_ops = {
26733 .inherits = &pdc_sata_ops,
26734 .freeze = pdc_freeze,
26735 .thaw = pdc_thaw,
26736 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26737 };
26738
26739 -static struct ata_port_operations pdc_pata_ops = {
26740 +static const struct ata_port_operations pdc_pata_ops = {
26741 .inherits = &pdc_common_ops,
26742 .cable_detect = pdc_pata_cable_detect,
26743 .freeze = pdc_freeze,
26744 diff -urNp linux-2.6.39.3/drivers/ata/sata_qstor.c linux-2.6.39.3/drivers/ata/sata_qstor.c
26745 --- linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-19 00:06:34.000000000 -0400
26746 +++ linux-2.6.39.3/drivers/ata/sata_qstor.c 2011-05-22 19:36:31.000000000 -0400
26747 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
26748 .dma_boundary = QS_DMA_BOUNDARY,
26749 };
26750
26751 -static struct ata_port_operations qs_ata_ops = {
26752 +static const struct ata_port_operations qs_ata_ops = {
26753 .inherits = &ata_sff_port_ops,
26754
26755 .check_atapi_dma = qs_check_atapi_dma,
26756 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil24.c linux-2.6.39.3/drivers/ata/sata_sil24.c
26757 --- linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-19 00:06:34.000000000 -0400
26758 +++ linux-2.6.39.3/drivers/ata/sata_sil24.c 2011-05-22 19:36:31.000000000 -0400
26759 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26760 .dma_boundary = ATA_DMA_BOUNDARY,
26761 };
26762
26763 -static struct ata_port_operations sil24_ops = {
26764 +static const struct ata_port_operations sil24_ops = {
26765 .inherits = &sata_pmp_port_ops,
26766
26767 .qc_defer = sil24_qc_defer,
26768 diff -urNp linux-2.6.39.3/drivers/ata/sata_sil.c linux-2.6.39.3/drivers/ata/sata_sil.c
26769 --- linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-19 00:06:34.000000000 -0400
26770 +++ linux-2.6.39.3/drivers/ata/sata_sil.c 2011-05-22 19:36:31.000000000 -0400
26771 @@ -181,7 +181,7 @@ static struct scsi_host_template sil_sht
26772 .sg_tablesize = ATA_MAX_PRD
26773 };
26774
26775 -static struct ata_port_operations sil_ops = {
26776 +static const struct ata_port_operations sil_ops = {
26777 .inherits = &ata_bmdma32_port_ops,
26778 .dev_config = sil_dev_config,
26779 .set_mode = sil_set_mode,
26780 diff -urNp linux-2.6.39.3/drivers/ata/sata_sis.c linux-2.6.39.3/drivers/ata/sata_sis.c
26781 --- linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-19 00:06:34.000000000 -0400
26782 +++ linux-2.6.39.3/drivers/ata/sata_sis.c 2011-05-22 19:36:31.000000000 -0400
26783 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26784 ATA_BMDMA_SHT(DRV_NAME),
26785 };
26786
26787 -static struct ata_port_operations sis_ops = {
26788 +static const struct ata_port_operations sis_ops = {
26789 .inherits = &ata_bmdma_port_ops,
26790 .scr_read = sis_scr_read,
26791 .scr_write = sis_scr_write,
26792 diff -urNp linux-2.6.39.3/drivers/ata/sata_svw.c linux-2.6.39.3/drivers/ata/sata_svw.c
26793 --- linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-19 00:06:34.000000000 -0400
26794 +++ linux-2.6.39.3/drivers/ata/sata_svw.c 2011-05-22 19:36:31.000000000 -0400
26795 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26796 };
26797
26798
26799 -static struct ata_port_operations k2_sata_ops = {
26800 +static const struct ata_port_operations k2_sata_ops = {
26801 .inherits = &ata_bmdma_port_ops,
26802 .sff_tf_load = k2_sata_tf_load,
26803 .sff_tf_read = k2_sata_tf_read,
26804 diff -urNp linux-2.6.39.3/drivers/ata/sata_sx4.c linux-2.6.39.3/drivers/ata/sata_sx4.c
26805 --- linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-19 00:06:34.000000000 -0400
26806 +++ linux-2.6.39.3/drivers/ata/sata_sx4.c 2011-05-22 19:36:31.000000000 -0400
26807 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
26808 };
26809
26810 /* TODO: inherit from base port_ops after converting to new EH */
26811 -static struct ata_port_operations pdc_20621_ops = {
26812 +static const struct ata_port_operations pdc_20621_ops = {
26813 .inherits = &ata_sff_port_ops,
26814
26815 .check_atapi_dma = pdc_check_atapi_dma,
26816 diff -urNp linux-2.6.39.3/drivers/ata/sata_uli.c linux-2.6.39.3/drivers/ata/sata_uli.c
26817 --- linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-19 00:06:34.000000000 -0400
26818 +++ linux-2.6.39.3/drivers/ata/sata_uli.c 2011-05-22 19:36:31.000000000 -0400
26819 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
26820 ATA_BMDMA_SHT(DRV_NAME),
26821 };
26822
26823 -static struct ata_port_operations uli_ops = {
26824 +static const struct ata_port_operations uli_ops = {
26825 .inherits = &ata_bmdma_port_ops,
26826 .scr_read = uli_scr_read,
26827 .scr_write = uli_scr_write,
26828 diff -urNp linux-2.6.39.3/drivers/ata/sata_via.c linux-2.6.39.3/drivers/ata/sata_via.c
26829 --- linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-19 00:06:34.000000000 -0400
26830 +++ linux-2.6.39.3/drivers/ata/sata_via.c 2011-05-22 19:36:31.000000000 -0400
26831 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26832 ATA_BMDMA_SHT(DRV_NAME),
26833 };
26834
26835 -static struct ata_port_operations svia_base_ops = {
26836 +static const struct ata_port_operations svia_base_ops = {
26837 .inherits = &ata_bmdma_port_ops,
26838 .sff_tf_load = svia_tf_load,
26839 };
26840
26841 -static struct ata_port_operations vt6420_sata_ops = {
26842 +static const struct ata_port_operations vt6420_sata_ops = {
26843 .inherits = &svia_base_ops,
26844 .freeze = svia_noop_freeze,
26845 .prereset = vt6420_prereset,
26846 .bmdma_start = vt6420_bmdma_start,
26847 };
26848
26849 -static struct ata_port_operations vt6421_pata_ops = {
26850 +static const struct ata_port_operations vt6421_pata_ops = {
26851 .inherits = &svia_base_ops,
26852 .cable_detect = vt6421_pata_cable_detect,
26853 .set_piomode = vt6421_set_pio_mode,
26854 .set_dmamode = vt6421_set_dma_mode,
26855 };
26856
26857 -static struct ata_port_operations vt6421_sata_ops = {
26858 +static const struct ata_port_operations vt6421_sata_ops = {
26859 .inherits = &svia_base_ops,
26860 .scr_read = svia_scr_read,
26861 .scr_write = svia_scr_write,
26862 };
26863
26864 -static struct ata_port_operations vt8251_ops = {
26865 +static const struct ata_port_operations vt8251_ops = {
26866 .inherits = &svia_base_ops,
26867 .hardreset = sata_std_hardreset,
26868 .scr_read = vt8251_scr_read,
26869 diff -urNp linux-2.6.39.3/drivers/ata/sata_vsc.c linux-2.6.39.3/drivers/ata/sata_vsc.c
26870 --- linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-19 00:06:34.000000000 -0400
26871 +++ linux-2.6.39.3/drivers/ata/sata_vsc.c 2011-05-22 19:36:31.000000000 -0400
26872 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
26873 };
26874
26875
26876 -static struct ata_port_operations vsc_sata_ops = {
26877 +static const struct ata_port_operations vsc_sata_ops = {
26878 .inherits = &ata_bmdma_port_ops,
26879 /* The IRQ handling is not quite standard SFF behaviour so we
26880 cannot use the default lost interrupt handler */
26881 diff -urNp linux-2.6.39.3/drivers/atm/adummy.c linux-2.6.39.3/drivers/atm/adummy.c
26882 --- linux-2.6.39.3/drivers/atm/adummy.c 2011-05-19 00:06:34.000000000 -0400
26883 +++ linux-2.6.39.3/drivers/atm/adummy.c 2011-05-22 19:36:31.000000000 -0400
26884 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
26885 vcc->pop(vcc, skb);
26886 else
26887 dev_kfree_skb_any(skb);
26888 - atomic_inc(&vcc->stats->tx);
26889 + atomic_inc_unchecked(&vcc->stats->tx);
26890
26891 return 0;
26892 }
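Review bot: Nothing at this call site records why `vcc->stats->tx` is exempt from overflow detection. `atomic_inc_unchecked()` is appropriate only because the field is a traffic statistic whose wrap-around has no memory-safety consequence, unlike a reference count. The matching change of the stats fields to an unchecked atomic type is in a header outside this hunk, and a comment there such as `/* statistics only: may wrap, never used as a refcount */` would keep a later reader from converting a real reference counter the same way. This covers the other `stats->` conversions under drivers/atm/ in this patch as well. Counters that guard resources (`sk_wmem_alloc`, `scq->used` in idt77252.c) correctly stay on the checked API. `adummy_send` begins outside the hunk.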
26893 diff -urNp linux-2.6.39.3/drivers/atm/ambassador.c linux-2.6.39.3/drivers/atm/ambassador.c
26894 --- linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-19 00:06:34.000000000 -0400
26895 +++ linux-2.6.39.3/drivers/atm/ambassador.c 2011-05-22 19:36:31.000000000 -0400
26896 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
26897 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26898
26899 // VC layer stats
26900 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26901 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26902
26903 // free the descriptor
26904 kfree (tx_descr);
26905 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
26906 dump_skb ("<<<", vc, skb);
26907
26908 // VC layer stats
26909 - atomic_inc(&atm_vcc->stats->rx);
26910 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26911 __net_timestamp(skb);
26912 // end of our responsibility
26913 atm_vcc->push (atm_vcc, skb);
26914 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
26915 } else {
26916 PRINTK (KERN_INFO, "dropped over-size frame");
26917 // should we count this?
26918 - atomic_inc(&atm_vcc->stats->rx_drop);
26919 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26920 }
26921
26922 } else {
26923 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
26924 }
26925
26926 if (check_area (skb->data, skb->len)) {
26927 - atomic_inc(&atm_vcc->stats->tx_err);
26928 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26929 return -ENOMEM; // ?
26930 }
26931
26932 diff -urNp linux-2.6.39.3/drivers/atm/atmtcp.c linux-2.6.39.3/drivers/atm/atmtcp.c
26933 --- linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-19 00:06:34.000000000 -0400
26934 +++ linux-2.6.39.3/drivers/atm/atmtcp.c 2011-05-22 19:36:31.000000000 -0400
26935 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
26936 if (vcc->pop) vcc->pop(vcc,skb);
26937 else dev_kfree_skb(skb);
26938 if (dev_data) return 0;
26939 - atomic_inc(&vcc->stats->tx_err);
26940 + atomic_inc_unchecked(&vcc->stats->tx_err);
26941 return -ENOLINK;
26942 }
26943 size = skb->len+sizeof(struct atmtcp_hdr);
26944 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
26945 if (!new_skb) {
26946 if (vcc->pop) vcc->pop(vcc,skb);
26947 else dev_kfree_skb(skb);
26948 - atomic_inc(&vcc->stats->tx_err);
26949 + atomic_inc_unchecked(&vcc->stats->tx_err);
26950 return -ENOBUFS;
26951 }
26952 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26953 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
26954 if (vcc->pop) vcc->pop(vcc,skb);
26955 else dev_kfree_skb(skb);
26956 out_vcc->push(out_vcc,new_skb);
26957 - atomic_inc(&vcc->stats->tx);
26958 - atomic_inc(&out_vcc->stats->rx);
26959 + atomic_inc_unchecked(&vcc->stats->tx);
26960 + atomic_inc_unchecked(&out_vcc->stats->rx);
26961 return 0;
26962 }
26963
26964 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
26965 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26966 read_unlock(&vcc_sklist_lock);
26967 if (!out_vcc) {
26968 - atomic_inc(&vcc->stats->tx_err);
26969 + atomic_inc_unchecked(&vcc->stats->tx_err);
26970 goto done;
26971 }
26972 skb_pull(skb,sizeof(struct atmtcp_hdr));
26973 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
26974 __net_timestamp(new_skb);
26975 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26976 out_vcc->push(out_vcc,new_skb);
26977 - atomic_inc(&vcc->stats->tx);
26978 - atomic_inc(&out_vcc->stats->rx);
26979 + atomic_inc_unchecked(&vcc->stats->tx);
26980 + atomic_inc_unchecked(&out_vcc->stats->rx);
26981 done:
26982 if (vcc->pop) vcc->pop(vcc,skb);
26983 else dev_kfree_skb(skb);
26984 diff -urNp linux-2.6.39.3/drivers/atm/eni.c linux-2.6.39.3/drivers/atm/eni.c
26985 --- linux-2.6.39.3/drivers/atm/eni.c 2011-05-19 00:06:34.000000000 -0400
26986 +++ linux-2.6.39.3/drivers/atm/eni.c 2011-05-22 19:36:31.000000000 -0400
26987 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26988 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26989 vcc->dev->number);
26990 length = 0;
26991 - atomic_inc(&vcc->stats->rx_err);
26992 + atomic_inc_unchecked(&vcc->stats->rx_err);
26993 }
26994 else {
26995 length = ATM_CELL_SIZE-1; /* no HEC */
26996 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26997 size);
26998 }
26999 eff = length = 0;
27000 - atomic_inc(&vcc->stats->rx_err);
27001 + atomic_inc_unchecked(&vcc->stats->rx_err);
27002 }
27003 else {
27004 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
27005 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27006 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
27007 vcc->dev->number,vcc->vci,length,size << 2,descr);
27008 length = eff = 0;
27009 - atomic_inc(&vcc->stats->rx_err);
27010 + atomic_inc_unchecked(&vcc->stats->rx_err);
27011 }
27012 }
27013 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
27014 @@ -771,7 +771,7 @@ rx_dequeued++;
27015 vcc->push(vcc,skb);
27016 pushed++;
27017 }
27018 - atomic_inc(&vcc->stats->rx);
27019 + atomic_inc_unchecked(&vcc->stats->rx);
27020 }
27021 wake_up(&eni_dev->rx_wait);
27022 }
27023 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
27024 PCI_DMA_TODEVICE);
27025 if (vcc->pop) vcc->pop(vcc,skb);
27026 else dev_kfree_skb_irq(skb);
27027 - atomic_inc(&vcc->stats->tx);
27028 + atomic_inc_unchecked(&vcc->stats->tx);
27029 wake_up(&eni_dev->tx_wait);
27030 dma_complete++;
27031 }
27032 diff -urNp linux-2.6.39.3/drivers/atm/firestream.c linux-2.6.39.3/drivers/atm/firestream.c
27033 --- linux-2.6.39.3/drivers/atm/firestream.c 2011-05-19 00:06:34.000000000 -0400
27034 +++ linux-2.6.39.3/drivers/atm/firestream.c 2011-05-22 19:36:31.000000000 -0400
27035 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
27036 }
27037 }
27038
27039 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27040 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27041
27042 fs_dprintk (FS_DEBUG_TXMEM, "i");
27043 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27044 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
27045 #endif
27046 skb_put (skb, qe->p1 & 0xffff);
27047 ATM_SKB(skb)->vcc = atm_vcc;
27048 - atomic_inc(&atm_vcc->stats->rx);
27049 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27050 __net_timestamp(skb);
27051 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27052 atm_vcc->push (atm_vcc, skb);
27053 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
27054 kfree (pe);
27055 }
27056 if (atm_vcc)
27057 - atomic_inc(&atm_vcc->stats->rx_drop);
27058 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27059 break;
27060 case 0x1f: /* Reassembly abort: no buffers. */
27061 /* Silently increment error counter. */
27062 if (atm_vcc)
27063 - atomic_inc(&atm_vcc->stats->rx_drop);
27064 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27065 break;
27066 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27067 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27068 diff -urNp linux-2.6.39.3/drivers/atm/fore200e.c linux-2.6.39.3/drivers/atm/fore200e.c
27069 --- linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-19 00:06:34.000000000 -0400
27070 +++ linux-2.6.39.3/drivers/atm/fore200e.c 2011-05-22 19:36:31.000000000 -0400
27071 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
27072 #endif
27073 /* check error condition */
27074 if (*entry->status & STATUS_ERROR)
27075 - atomic_inc(&vcc->stats->tx_err);
27076 + atomic_inc_unchecked(&vcc->stats->tx_err);
27077 else
27078 - atomic_inc(&vcc->stats->tx);
27079 + atomic_inc_unchecked(&vcc->stats->tx);
27080 }
27081 }
27082
27083 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
27084 if (skb == NULL) {
27085 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27086
27087 - atomic_inc(&vcc->stats->rx_drop);
27088 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27089 return -ENOMEM;
27090 }
27091
27092 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
27093
27094 dev_kfree_skb_any(skb);
27095
27096 - atomic_inc(&vcc->stats->rx_drop);
27097 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27098 return -ENOMEM;
27099 }
27100
27101 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27102
27103 vcc->push(vcc, skb);
27104 - atomic_inc(&vcc->stats->rx);
27105 + atomic_inc_unchecked(&vcc->stats->rx);
27106
27107 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27108
27109 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
27110 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27111 fore200e->atm_dev->number,
27112 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27113 - atomic_inc(&vcc->stats->rx_err);
27114 + atomic_inc_unchecked(&vcc->stats->rx_err);
27115 }
27116 }
27117
27118 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
27119 goto retry_here;
27120 }
27121
27122 - atomic_inc(&vcc->stats->tx_err);
27123 + atomic_inc_unchecked(&vcc->stats->tx_err);
27124
27125 fore200e->tx_sat++;
27126 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
27127 diff -urNp linux-2.6.39.3/drivers/atm/he.c linux-2.6.39.3/drivers/atm/he.c
27128 --- linux-2.6.39.3/drivers/atm/he.c 2011-05-19 00:06:34.000000000 -0400
27129 +++ linux-2.6.39.3/drivers/atm/he.c 2011-05-22 19:36:31.000000000 -0400
27130 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27131
27132 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
27133 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
27134 - atomic_inc(&vcc->stats->rx_drop);
27135 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27136 goto return_host_buffers;
27137 }
27138
27139 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27140 RBRQ_LEN_ERR(he_dev->rbrq_head)
27141 ? "LEN_ERR" : "",
27142 vcc->vpi, vcc->vci);
27143 - atomic_inc(&vcc->stats->rx_err);
27144 + atomic_inc_unchecked(&vcc->stats->rx_err);
27145 goto return_host_buffers;
27146 }
27147
27148 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27149 vcc->push(vcc, skb);
27150 spin_lock(&he_dev->global_lock);
27151
27152 - atomic_inc(&vcc->stats->rx);
27153 + atomic_inc_unchecked(&vcc->stats->rx);
27154
27155 return_host_buffers:
27156 ++pdus_assembled;
27157 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
27158 tpd->vcc->pop(tpd->vcc, tpd->skb);
27159 else
27160 dev_kfree_skb_any(tpd->skb);
27161 - atomic_inc(&tpd->vcc->stats->tx_err);
27162 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
27163 }
27164 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
27165 return;
27166 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27167 vcc->pop(vcc, skb);
27168 else
27169 dev_kfree_skb_any(skb);
27170 - atomic_inc(&vcc->stats->tx_err);
27171 + atomic_inc_unchecked(&vcc->stats->tx_err);
27172 return -EINVAL;
27173 }
27174
27175 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27176 vcc->pop(vcc, skb);
27177 else
27178 dev_kfree_skb_any(skb);
27179 - atomic_inc(&vcc->stats->tx_err);
27180 + atomic_inc_unchecked(&vcc->stats->tx_err);
27181 return -EINVAL;
27182 }
27183 #endif
27184 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27185 vcc->pop(vcc, skb);
27186 else
27187 dev_kfree_skb_any(skb);
27188 - atomic_inc(&vcc->stats->tx_err);
27189 + atomic_inc_unchecked(&vcc->stats->tx_err);
27190 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27191 return -ENOMEM;
27192 }
27193 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27194 vcc->pop(vcc, skb);
27195 else
27196 dev_kfree_skb_any(skb);
27197 - atomic_inc(&vcc->stats->tx_err);
27198 + atomic_inc_unchecked(&vcc->stats->tx_err);
27199 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27200 return -ENOMEM;
27201 }
27202 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27203 __enqueue_tpd(he_dev, tpd, cid);
27204 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27205
27206 - atomic_inc(&vcc->stats->tx);
27207 + atomic_inc_unchecked(&vcc->stats->tx);
27208
27209 return 0;
27210 }
27211 diff -urNp linux-2.6.39.3/drivers/atm/horizon.c linux-2.6.39.3/drivers/atm/horizon.c
27212 --- linux-2.6.39.3/drivers/atm/horizon.c 2011-05-19 00:06:34.000000000 -0400
27213 +++ linux-2.6.39.3/drivers/atm/horizon.c 2011-05-22 19:36:31.000000000 -0400
27214 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
27215 {
27216 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27217 // VC layer stats
27218 - atomic_inc(&vcc->stats->rx);
27219 + atomic_inc_unchecked(&vcc->stats->rx);
27220 __net_timestamp(skb);
27221 // end of our responsibility
27222 vcc->push (vcc, skb);
27223 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
27224 dev->tx_iovec = NULL;
27225
27226 // VC layer stats
27227 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27228 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27229
27230 // free the skb
27231 hrz_kfree_skb (skb);
27232 diff -urNp linux-2.6.39.3/drivers/atm/idt77252.c linux-2.6.39.3/drivers/atm/idt77252.c
27233 --- linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-19 00:06:34.000000000 -0400
27234 +++ linux-2.6.39.3/drivers/atm/idt77252.c 2011-05-22 19:36:31.000000000 -0400
27235 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
27236 else
27237 dev_kfree_skb(skb);
27238
27239 - atomic_inc(&vcc->stats->tx);
27240 + atomic_inc_unchecked(&vcc->stats->tx);
27241 }
27242
27243 atomic_dec(&scq->used);
27244 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
27245 if ((sb = dev_alloc_skb(64)) == NULL) {
27246 printk("%s: Can't allocate buffers for aal0.\n",
27247 card->name);
27248 - atomic_add(i, &vcc->stats->rx_drop);
27249 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27250 break;
27251 }
27252 if (!atm_charge(vcc, sb->truesize)) {
27253 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27254 card->name);
27255 - atomic_add(i - 1, &vcc->stats->rx_drop);
27256 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27257 dev_kfree_skb(sb);
27258 break;
27259 }
27260 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
27261 ATM_SKB(sb)->vcc = vcc;
27262 __net_timestamp(sb);
27263 vcc->push(vcc, sb);
27264 - atomic_inc(&vcc->stats->rx);
27265 + atomic_inc_unchecked(&vcc->stats->rx);
27266
27267 cell += ATM_CELL_PAYLOAD;
27268 }
27269 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
27270 "(CDC: %08x)\n",
27271 card->name, len, rpp->len, readl(SAR_REG_CDC));
27272 recycle_rx_pool_skb(card, rpp);
27273 - atomic_inc(&vcc->stats->rx_err);
27274 + atomic_inc_unchecked(&vcc->stats->rx_err);
27275 return;
27276 }
27277 if (stat & SAR_RSQE_CRC) {
27278 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
27279 recycle_rx_pool_skb(card, rpp);
27280 - atomic_inc(&vcc->stats->rx_err);
27281 + atomic_inc_unchecked(&vcc->stats->rx_err);
27282 return;
27283 }
27284 if (skb_queue_len(&rpp->queue) > 1) {
27285 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
27286 RXPRINTK("%s: Can't alloc RX skb.\n",
27287 card->name);
27288 recycle_rx_pool_skb(card, rpp);
27289 - atomic_inc(&vcc->stats->rx_err);
27290 + atomic_inc_unchecked(&vcc->stats->rx_err);
27291 return;
27292 }
27293 if (!atm_charge(vcc, skb->truesize)) {
27294 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
27295 __net_timestamp(skb);
27296
27297 vcc->push(vcc, skb);
27298 - atomic_inc(&vcc->stats->rx);
27299 + atomic_inc_unchecked(&vcc->stats->rx);
27300
27301 return;
27302 }
27303 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
27304 __net_timestamp(skb);
27305
27306 vcc->push(vcc, skb);
27307 - atomic_inc(&vcc->stats->rx);
27308 + atomic_inc_unchecked(&vcc->stats->rx);
27309
27310 if (skb->truesize > SAR_FB_SIZE_3)
27311 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
27312 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
27313 if (vcc->qos.aal != ATM_AAL0) {
27314 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
27315 card->name, vpi, vci);
27316 - atomic_inc(&vcc->stats->rx_drop);
27317 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27318 goto drop;
27319 }
27320
27321 if ((sb = dev_alloc_skb(64)) == NULL) {
27322 printk("%s: Can't allocate buffers for AAL0.\n",
27323 card->name);
27324 - atomic_inc(&vcc->stats->rx_err);
27325 + atomic_inc_unchecked(&vcc->stats->rx_err);
27326 goto drop;
27327 }
27328
27329 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
27330 ATM_SKB(sb)->vcc = vcc;
27331 __net_timestamp(sb);
27332 vcc->push(vcc, sb);
27333 - atomic_inc(&vcc->stats->rx);
27334 + atomic_inc_unchecked(&vcc->stats->rx);
27335
27336 drop:
27337 skb_pull(queue, 64);
27338 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27339
27340 if (vc == NULL) {
27341 printk("%s: NULL connection in send().\n", card->name);
27342 - atomic_inc(&vcc->stats->tx_err);
27343 + atomic_inc_unchecked(&vcc->stats->tx_err);
27344 dev_kfree_skb(skb);
27345 return -EINVAL;
27346 }
27347 if (!test_bit(VCF_TX, &vc->flags)) {
27348 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
27349 - atomic_inc(&vcc->stats->tx_err);
27350 + atomic_inc_unchecked(&vcc->stats->tx_err);
27351 dev_kfree_skb(skb);
27352 return -EINVAL;
27353 }
27354 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27355 break;
27356 default:
27357 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
27358 - atomic_inc(&vcc->stats->tx_err);
27359 + atomic_inc_unchecked(&vcc->stats->tx_err);
27360 dev_kfree_skb(skb);
27361 return -EINVAL;
27362 }
27363
27364 if (skb_shinfo(skb)->nr_frags != 0) {
27365 printk("%s: No scatter-gather yet.\n", card->name);
27366 - atomic_inc(&vcc->stats->tx_err);
27367 + atomic_inc_unchecked(&vcc->stats->tx_err);
27368 dev_kfree_skb(skb);
27369 return -EINVAL;
27370 }
27371 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27372
27373 err = queue_skb(card, vc, skb, oam);
27374 if (err) {
27375 - atomic_inc(&vcc->stats->tx_err);
27376 + atomic_inc_unchecked(&vcc->stats->tx_err);
27377 dev_kfree_skb(skb);
27378 return err;
27379 }
27380 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
27381 skb = dev_alloc_skb(64);
27382 if (!skb) {
27383 printk("%s: Out of memory in send_oam().\n", card->name);
27384 - atomic_inc(&vcc->stats->tx_err);
27385 + atomic_inc_unchecked(&vcc->stats->tx_err);
27386 return -ENOMEM;
27387 }
27388 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
27389 diff -urNp linux-2.6.39.3/drivers/atm/iphase.c linux-2.6.39.3/drivers/atm/iphase.c
27390 --- linux-2.6.39.3/drivers/atm/iphase.c 2011-05-19 00:06:34.000000000 -0400
27391 +++ linux-2.6.39.3/drivers/atm/iphase.c 2011-05-22 19:36:31.000000000 -0400
27392 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
27393 status = (u_short) (buf_desc_ptr->desc_mode);
27394 if (status & (RX_CER | RX_PTE | RX_OFL))
27395 {
27396 - atomic_inc(&vcc->stats->rx_err);
27397 + atomic_inc_unchecked(&vcc->stats->rx_err);
27398 IF_ERR(printk("IA: bad packet, dropping it");)
27399 if (status & RX_CER) {
27400 IF_ERR(printk(" cause: packet CRC error\n");)
27401 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
27402 len = dma_addr - buf_addr;
27403 if (len > iadev->rx_buf_sz) {
27404 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
27405 - atomic_inc(&vcc->stats->rx_err);
27406 + atomic_inc_unchecked(&vcc->stats->rx_err);
27407 goto out_free_desc;
27408 }
27409
27410 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
27411 ia_vcc = INPH_IA_VCC(vcc);
27412 if (ia_vcc == NULL)
27413 {
27414 - atomic_inc(&vcc->stats->rx_err);
27415 + atomic_inc_unchecked(&vcc->stats->rx_err);
27416 dev_kfree_skb_any(skb);
27417 atm_return(vcc, atm_guess_pdu2truesize(len));
27418 goto INCR_DLE;
27419 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
27420 if ((length > iadev->rx_buf_sz) || (length >
27421 (skb->len - sizeof(struct cpcs_trailer))))
27422 {
27423 - atomic_inc(&vcc->stats->rx_err);
27424 + atomic_inc_unchecked(&vcc->stats->rx_err);
27425 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27426 length, skb->len);)
27427 dev_kfree_skb_any(skb);
27428 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
27429
27430 IF_RX(printk("rx_dle_intr: skb push");)
27431 vcc->push(vcc,skb);
27432 - atomic_inc(&vcc->stats->rx);
27433 + atomic_inc_unchecked(&vcc->stats->rx);
27434 iadev->rx_pkt_cnt++;
27435 }
27436 INCR_DLE:
27437 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
27438 {
27439 struct k_sonet_stats *stats;
27440 stats = &PRIV(_ia_dev[board])->sonet_stats;
27441 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27442 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27443 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27444 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27445 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27446 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27447 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27448 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27449 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27450 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27451 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27452 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27453 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27454 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27455 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27456 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27457 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27458 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27459 }
27460 ia_cmds.status = 0;
27461 break;
27462 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27463 if ((desc == 0) || (desc > iadev->num_tx_desc))
27464 {
27465 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27466 - atomic_inc(&vcc->stats->tx);
27467 + atomic_inc_unchecked(&vcc->stats->tx);
27468 if (vcc->pop)
27469 vcc->pop(vcc, skb);
27470 else
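Review bot: The branch taken for an invalid descriptor (`desc == 0` or `desc > iadev->num_tx_desc`) increments `stats->tx`, so a rejected send is counted as a successful transmission, and the switch to the unchecked variant carries that over unchanged. If error accounting is intended, the line would read `atomic_inc_unchecked(&vcc->stats->tx_err);`, which matches what `he_send`, `idt77252_send_skb` and `ns_send` do on their failure paths elsewhere in this patch. The behaviour predates the patch, and the rest of `ia_pkt_tx` lies outside the hunk, so the return value on this path should be checked before changing the counter.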
27471 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27472 ATM_DESC(skb) = vcc->vci;
27473 skb_queue_tail(&iadev->tx_dma_q, skb);
27474
27475 - atomic_inc(&vcc->stats->tx);
27476 + atomic_inc_unchecked(&vcc->stats->tx);
27477 iadev->tx_pkt_cnt++;
27478 /* Increment transaction counter */
27479 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27480
27481 #if 0
27482 /* add flow control logic */
27483 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27484 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27485 if (iavcc->vc_desc_cnt > 10) {
27486 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27487 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27488 diff -urNp linux-2.6.39.3/drivers/atm/lanai.c linux-2.6.39.3/drivers/atm/lanai.c
27489 --- linux-2.6.39.3/drivers/atm/lanai.c 2011-05-19 00:06:34.000000000 -0400
27490 +++ linux-2.6.39.3/drivers/atm/lanai.c 2011-05-22 19:36:31.000000000 -0400
27491 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
27492 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27493 lanai_endtx(lanai, lvcc);
27494 lanai_free_skb(lvcc->tx.atmvcc, skb);
27495 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27496 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27497 }
27498
27499 /* Try to fill the buffer - don't call unless there is backlog */
27500 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27501 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27502 __net_timestamp(skb);
27503 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27504 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27505 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27506 out:
27507 lvcc->rx.buf.ptr = end;
27508 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27509 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
27510 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27511 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27512 lanai->stats.service_rxnotaal5++;
27513 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27514 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27515 return 0;
27516 }
27517 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27518 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
27519 int bytes;
27520 read_unlock(&vcc_sklist_lock);
27521 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27522 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27523 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27524 lvcc->stats.x.aal5.service_trash++;
27525 bytes = (SERVICE_GET_END(s) * 16) -
27526 (((unsigned long) lvcc->rx.buf.ptr) -
27527 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
27528 }
27529 if (s & SERVICE_STREAM) {
27530 read_unlock(&vcc_sklist_lock);
27531 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27532 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27533 lvcc->stats.x.aal5.service_stream++;
27534 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27535 "PDU on VCI %d!\n", lanai->number, vci);
27536 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
27537 return 0;
27538 }
27539 DPRINTK("got rx crc error on vci %d\n", vci);
27540 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27541 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27542 lvcc->stats.x.aal5.service_rxcrc++;
27543 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27544 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27545 diff -urNp linux-2.6.39.3/drivers/atm/nicstar.c linux-2.6.39.3/drivers/atm/nicstar.c
27546 --- linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-19 00:06:34.000000000 -0400
27547 +++ linux-2.6.39.3/drivers/atm/nicstar.c 2011-05-22 19:36:31.000000000 -0400
27548 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
27549 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
27550 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
27551 card->index);
27552 - atomic_inc(&vcc->stats->tx_err);
27553 + atomic_inc_unchecked(&vcc->stats->tx_err);
27554 dev_kfree_skb_any(skb);
27555 return -EINVAL;
27556 }
27557 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
27558 if (!vc->tx) {
27559 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
27560 card->index);
27561 - atomic_inc(&vcc->stats->tx_err);
27562 + atomic_inc_unchecked(&vcc->stats->tx_err);
27563 dev_kfree_skb_any(skb);
27564 return -EINVAL;
27565 }
27566 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
27567 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
27568 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
27569 card->index);
27570 - atomic_inc(&vcc->stats->tx_err);
27571 + atomic_inc_unchecked(&vcc->stats->tx_err);
27572 dev_kfree_skb_any(skb);
27573 return -EINVAL;
27574 }
27575
27576 if (skb_shinfo(skb)->nr_frags != 0) {
27577 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27578 - atomic_inc(&vcc->stats->tx_err);
27579 + atomic_inc_unchecked(&vcc->stats->tx_err);
27580 dev_kfree_skb_any(skb);
27581 return -EINVAL;
27582 }
27583 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
27584 }
27585
27586 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
27587 - atomic_inc(&vcc->stats->tx_err);
27588 + atomic_inc_unchecked(&vcc->stats->tx_err);
27589 dev_kfree_skb_any(skb);
27590 return -EIO;
27591 }
27592 - atomic_inc(&vcc->stats->tx);
27593 + atomic_inc_unchecked(&vcc->stats->tx);
27594
27595 return 0;
27596 }
27597 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
27598 printk
27599 ("nicstar%d: Can't allocate buffers for aal0.\n",
27600 card->index);
27601 - atomic_add(i, &vcc->stats->rx_drop);
27602 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27603 break;
27604 }
27605 if (!atm_charge(vcc, sb->truesize)) {
27606 RXPRINTK
27607 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
27608 card->index);
27609 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27610 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
27611 dev_kfree_skb_any(sb);
27612 break;
27613 }
27614 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
27615 ATM_SKB(sb)->vcc = vcc;
27616 __net_timestamp(sb);
27617 vcc->push(vcc, sb);
27618 - atomic_inc(&vcc->stats->rx);
27619 + atomic_inc_unchecked(&vcc->stats->rx);
27620 cell += ATM_CELL_PAYLOAD;
27621 }
27622
27623 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
27624 if (iovb == NULL) {
27625 printk("nicstar%d: Out of iovec buffers.\n",
27626 card->index);
27627 - atomic_inc(&vcc->stats->rx_drop);
27628 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27629 recycle_rx_buf(card, skb);
27630 return;
27631 }
27632 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
27633 small or large buffer itself. */
27634 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
27635 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27636 - atomic_inc(&vcc->stats->rx_err);
27637 + atomic_inc_unchecked(&vcc->stats->rx_err);
27638 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27639 NS_MAX_IOVECS);
27640 NS_PRV_IOVCNT(iovb) = 0;
27641 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
27642 ("nicstar%d: Expected a small buffer, and this is not one.\n",
27643 card->index);
27644 which_list(card, skb);
27645 - atomic_inc(&vcc->stats->rx_err);
27646 + atomic_inc_unchecked(&vcc->stats->rx_err);
27647 recycle_rx_buf(card, skb);
27648 vc->rx_iov = NULL;
27649 recycle_iov_buf(card, iovb);
27650 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
27651 ("nicstar%d: Expected a large buffer, and this is not one.\n",
27652 card->index);
27653 which_list(card, skb);
27654 - atomic_inc(&vcc->stats->rx_err);
27655 + atomic_inc_unchecked(&vcc->stats->rx_err);
27656 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27657 NS_PRV_IOVCNT(iovb));
27658 vc->rx_iov = NULL;
27659 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
27660 printk(" - PDU size mismatch.\n");
27661 else
27662 printk(".\n");
27663 - atomic_inc(&vcc->stats->rx_err);
27664 + atomic_inc_unchecked(&vcc->stats->rx_err);
27665 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
27666 NS_PRV_IOVCNT(iovb));
27667 vc->rx_iov = NULL;
27668 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
27669 /* skb points to a small buffer */
27670 if (!atm_charge(vcc, skb->truesize)) {
27671 push_rxbufs(card, skb);
27672 - atomic_inc(&vcc->stats->rx_drop);
27673 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27674 } else {
27675 skb_put(skb, len);
27676 dequeue_sm_buf(card, skb);
27677 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
27678 ATM_SKB(skb)->vcc = vcc;
27679 __net_timestamp(skb);
27680 vcc->push(vcc, skb);
27681 - atomic_inc(&vcc->stats->rx);
27682 + atomic_inc_unchecked(&vcc->stats->rx);
27683 }
27684 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
27685 struct sk_buff *sb;
27686 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
27687 if (len <= NS_SMBUFSIZE) {
27688 if (!atm_charge(vcc, sb->truesize)) {
27689 push_rxbufs(card, sb);
27690 - atomic_inc(&vcc->stats->rx_drop);
27691 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27692 } else {
27693 skb_put(sb, len);
27694 dequeue_sm_buf(card, sb);
27695 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
27696 ATM_SKB(sb)->vcc = vcc;
27697 __net_timestamp(sb);
27698 vcc->push(vcc, sb);
27699 - atomic_inc(&vcc->stats->rx);
27700 + atomic_inc_unchecked(&vcc->stats->rx);
27701 }
27702
27703 push_rxbufs(card, skb);
27704 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
27705
27706 if (!atm_charge(vcc, skb->truesize)) {
27707 push_rxbufs(card, skb);
27708 - atomic_inc(&vcc->stats->rx_drop);
27709 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27710 } else {
27711 dequeue_lg_buf(card, skb);
27712 #ifdef NS_USE_DESTRUCTORS
27713 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
27714 ATM_SKB(skb)->vcc = vcc;
27715 __net_timestamp(skb);
27716 vcc->push(vcc, skb);
27717 - atomic_inc(&vcc->stats->rx);
27718 + atomic_inc_unchecked(&vcc->stats->rx);
27719 }
27720
27721 push_rxbufs(card, sb);
27722 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
27723 printk
27724 ("nicstar%d: Out of huge buffers.\n",
27725 card->index);
27726 - atomic_inc(&vcc->stats->rx_drop);
27727 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27728 recycle_iovec_rx_bufs(card,
27729 (struct iovec *)
27730 iovb->data,
27731 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
27732 card->hbpool.count++;
27733 } else
27734 dev_kfree_skb_any(hb);
27735 - atomic_inc(&vcc->stats->rx_drop);
27736 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27737 } else {
27738 /* Copy the small buffer to the huge buffer */
27739 sb = (struct sk_buff *)iov->iov_base;
27740 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
27741 #endif /* NS_USE_DESTRUCTORS */
27742 __net_timestamp(hb);
27743 vcc->push(vcc, hb);
27744 - atomic_inc(&vcc->stats->rx);
27745 + atomic_inc_unchecked(&vcc->stats->rx);
27746 }
27747 }
27748
27749 diff -urNp linux-2.6.39.3/drivers/atm/solos-pci.c linux-2.6.39.3/drivers/atm/solos-pci.c
27750 --- linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-19 00:06:34.000000000 -0400
27751 +++ linux-2.6.39.3/drivers/atm/solos-pci.c 2011-05-22 19:36:31.000000000 -0400
27752 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
27753 }
27754 atm_charge(vcc, skb->truesize);
27755 vcc->push(vcc, skb);
27756 - atomic_inc(&vcc->stats->rx);
27757 + atomic_inc_unchecked(&vcc->stats->rx);
27758 break;
27759
27760 case PKT_STATUS:
27761 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
27762 char msg[500];
27763 char item[10];
27764
27765 + pax_track_stack();
27766 +
27767 len = buf->len;
27768 for (i = 0; i < len; i++){
27769 if(i % 8 == 0)
27770 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
27771 vcc = SKB_CB(oldskb)->vcc;
27772
27773 if (vcc) {
27774 - atomic_inc(&vcc->stats->tx);
27775 + atomic_inc_unchecked(&vcc->stats->tx);
27776 solos_pop(vcc, oldskb);
27777 } else
27778 dev_kfree_skb_irq(oldskb);
27779 diff -urNp linux-2.6.39.3/drivers/atm/suni.c linux-2.6.39.3/drivers/atm/suni.c
27780 --- linux-2.6.39.3/drivers/atm/suni.c 2011-05-19 00:06:34.000000000 -0400
27781 +++ linux-2.6.39.3/drivers/atm/suni.c 2011-05-22 19:36:31.000000000 -0400
27782 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27783
27784
27785 #define ADD_LIMITED(s,v) \
27786 - atomic_add((v),&stats->s); \
27787 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27788 + atomic_add_unchecked((v),&stats->s); \
27789 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27790
27791
27792 static void suni_hz(unsigned long from_timer)
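Review bot: ADD_LIMITED in drivers/atm/suni.c still expands to two bare statements, so an unbraced `if (...) ADD_LIMITED(s, v);` would run the clamp unconditionally; wrapping the body in `do { ... } while (0)` removes that hazard. The clamp works only because the counter is allowed to wrap negative, which is presumably why the `_unchecked` accessors are needed here, and a comment such as `/* saturating statistic: wrap to negative is expected and clamped to INT_MAX */` would record that. The add, read and set remain three separate atomic operations, so a concurrent reader can still observe the negative value in between. The ADD_LIMITED macro in drivers/atm/uPD98402.c (a later hunk) has the same read-after-add window.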
27793 diff -urNp linux-2.6.39.3/drivers/atm/uPD98402.c linux-2.6.39.3/drivers/atm/uPD98402.c
27794 --- linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-19 00:06:34.000000000 -0400
27795 +++ linux-2.6.39.3/drivers/atm/uPD98402.c 2011-05-22 19:36:31.000000000 -0400
27796 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
27797 struct sonet_stats tmp;
27798 int error = 0;
27799
27800 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27801 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27802 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27803 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27804 if (zero && !error) {
27805 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
27806
27807
27808 #define ADD_LIMITED(s,v) \
27809 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27810 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27811 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27812 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27813 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27814 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27815
27816
27817 static void stat_event(struct atm_dev *dev)
27818 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
27819 if (reason & uPD98402_INT_PFM) stat_event(dev);
27820 if (reason & uPD98402_INT_PCO) {
27821 (void) GET(PCOCR); /* clear interrupt cause */
27822 - atomic_add(GET(HECCT),
27823 + atomic_add_unchecked(GET(HECCT),
27824 &PRIV(dev)->sonet_stats.uncorr_hcs);
27825 }
27826 if ((reason & uPD98402_INT_RFO) &&
27827 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
27828 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27829 uPD98402_INT_LOS),PIMR); /* enable them */
27830 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27831 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27832 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27833 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27834 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27835 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27836 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27837 return 0;
27838 }
27839
27840 diff -urNp linux-2.6.39.3/drivers/atm/zatm.c linux-2.6.39.3/drivers/atm/zatm.c
27841 --- linux-2.6.39.3/drivers/atm/zatm.c 2011-05-19 00:06:34.000000000 -0400
27842 +++ linux-2.6.39.3/drivers/atm/zatm.c 2011-05-22 19:36:31.000000000 -0400
27843 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27844 }
27845 if (!size) {
27846 dev_kfree_skb_irq(skb);
27847 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27848 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27849 continue;
27850 }
27851 if (!atm_charge(vcc,skb->truesize)) {
27852 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27853 skb->len = size;
27854 ATM_SKB(skb)->vcc = vcc;
27855 vcc->push(vcc,skb);
27856 - atomic_inc(&vcc->stats->rx);
27857 + atomic_inc_unchecked(&vcc->stats->rx);
27858 }
27859 zout(pos & 0xffff,MTA(mbx));
27860 #if 0 /* probably a stupid idea */
27861 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27862 skb_queue_head(&zatm_vcc->backlog,skb);
27863 break;
27864 }
27865 - atomic_inc(&vcc->stats->tx);
27866 + atomic_inc_unchecked(&vcc->stats->tx);
27867 wake_up(&zatm_vcc->tx_wait);
27868 }
27869
27870 diff -urNp linux-2.6.39.3/drivers/base/iommu.c linux-2.6.39.3/drivers/base/iommu.c
27871 --- linux-2.6.39.3/drivers/base/iommu.c 2011-05-19 00:06:34.000000000 -0400
27872 +++ linux-2.6.39.3/drivers/base/iommu.c 2011-05-22 19:36:31.000000000 -0400
27873 @@ -23,9 +23,8 @@
27874 #include <linux/errno.h>
27875 #include <linux/iommu.h>
27876
27877 -static struct iommu_ops *iommu_ops;
27878 -
27879 -void register_iommu(struct iommu_ops *ops)
27880 +static const struct iommu_ops *iommu_ops;
27881 +void register_iommu(const struct iommu_ops *ops)
27882 {
27883 if (iommu_ops)
27884 BUG();
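Review bot: The blank line that separated the `iommu_ops` declaration from the definition of `register_iommu()` was dropped along with the const change, so the variable now reads as if it belonged to the function header. Keeping the separator, i.e. `static const struct iommu_ops *iommu_ops;` followed by an empty line and then `void register_iommu(const struct iommu_ops *ops)`, would leave the const-ification as the only change. The prototype in the public header has to gain the same `const` for this to build, and that file is outside this hunk; the body of `register_iommu()` also continues past it.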
27885 diff -urNp linux-2.6.39.3/drivers/base/power/generic_ops.c linux-2.6.39.3/drivers/base/power/generic_ops.c
27886 --- linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-19 00:06:34.000000000 -0400
27887 +++ linux-2.6.39.3/drivers/base/power/generic_ops.c 2011-05-22 19:36:31.000000000 -0400
27888 @@ -215,7 +215,7 @@ int pm_generic_restore(struct device *de
27889 EXPORT_SYMBOL_GPL(pm_generic_restore);
27890 #endif /* CONFIG_PM_SLEEP */
27891
27892 -struct dev_pm_ops generic_subsys_pm_ops = {
27893 +const struct dev_pm_ops generic_subsys_pm_ops = {
27894 #ifdef CONFIG_PM_SLEEP
27895 .suspend = pm_generic_suspend,
27896 .resume = pm_generic_resume,
27897 diff -urNp linux-2.6.39.3/drivers/base/power/wakeup.c linux-2.6.39.3/drivers/base/power/wakeup.c
27898 --- linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-19 00:06:34.000000000 -0400
27899 +++ linux-2.6.39.3/drivers/base/power/wakeup.c 2011-05-22 19:36:31.000000000 -0400
27900 @@ -29,14 +29,14 @@ bool events_check_enabled;
27901 * They need to be modified together atomically, so it's better to use one
27902 * atomic variable to hold them both.
27903 */
27904 -static atomic_t combined_event_count = ATOMIC_INIT(0);
27905 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
27906
27907 #define IN_PROGRESS_BITS (sizeof(int) * 4)
27908 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
27909
27910 static void split_counters(unsigned int *cnt, unsigned int *inpr)
27911 {
27912 - unsigned int comb = atomic_read(&combined_event_count);
27913 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
27914
27915 *cnt = (comb >> IN_PROGRESS_BITS);
27916 *inpr = comb & MAX_IN_PROGRESS;
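Review bot: The comment above `combined_event_count` explains why two counters share one atomic variable but not why the variable is now `atomic_unchecked_t`, and that reason is the security-relevant part of the change. The later hunk in wakeup_source_deactivate adds `MAX_IN_PROGRESS` to move one event from the low half to the high half, which appears to depend on carry and on the upper half eventually wrapping, so an overflow-trapping atomic would presumably fire on a long-running system. A sentence such as `* Not a reference count: the registered-events half is expected to wrap, so overflow checking is disabled.` added to the existing block comment would keep a later reader from converting it back.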
27917 @@ -351,7 +351,7 @@ static void wakeup_source_activate(struc
27918 ws->last_time = ktime_get();
27919
27920 /* Increment the counter of events in progress. */
27921 - atomic_inc(&combined_event_count);
27922 + atomic_inc_unchecked(&combined_event_count);
27923 }
27924
27925 /**
27926 @@ -441,7 +441,7 @@ static void wakeup_source_deactivate(str
27927 * Increment the counter of registered wakeup events and decrement the
27928 * couter of wakeup events in progress simultaneously.
27929 */
27930 - atomic_add(MAX_IN_PROGRESS, &combined_event_count);
27931 + atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
27932 }
27933
27934 /**
27935 diff -urNp linux-2.6.39.3/drivers/block/cciss.c linux-2.6.39.3/drivers/block/cciss.c
27936 --- linux-2.6.39.3/drivers/block/cciss.c 2011-05-19 00:06:34.000000000 -0400
27937 +++ linux-2.6.39.3/drivers/block/cciss.c 2011-05-22 19:41:32.000000000 -0400
27938 @@ -103,7 +103,7 @@ MODULE_DEVICE_TABLE(pci, cciss_pci_devic
27939 * product = Marketing Name for the board
27940 * access = Address of the struct of function pointers
27941 */
27942 -static struct board_type products[] = {
27943 +static const struct board_type products[] = {
27944 {0x40700E11, "Smart Array 5300", &SA5_access},
27945 {0x40800E11, "Smart Array 5i", &SA5B_access},
27946 {0x40820E11, "Smart Array 532", &SA5B_access},
27947 @@ -1151,6 +1151,8 @@ static int cciss_ioctl32_passthru(struct
27948 int err;
27949 u32 cp;
27950
27951 + memset(&arg64, 0, sizeof(arg64));
27952 +
27953 err = 0;
27954 err |=
27955 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
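Review bot: The added `memset(&arg64, 0, sizeof(arg64));` in cciss_ioctl32_passthru has no comment, and next to the field-by-field `copy_from_user()` calls that follow it looks redundant and easy to delete in a cleanup. If `arg64` is later copied out as a whole structure (that code is outside this hunk), the zeroing is what keeps padding and unset fields of the kernel stack from reaching user space. A comment such as `/* zero padding and unset fields: arg64 is copied out whole */` would state that intent. Any sibling compat passthrough routine that builds a similar on-stack structure deserves the same check.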
27956 diff -urNp linux-2.6.39.3/drivers/block/cciss.h linux-2.6.39.3/drivers/block/cciss.h
27957 --- linux-2.6.39.3/drivers/block/cciss.h 2011-05-19 00:06:34.000000000 -0400
27958 +++ linux-2.6.39.3/drivers/block/cciss.h 2011-05-22 19:36:31.000000000 -0400
27959 @@ -393,7 +393,7 @@ static bool SA5_performant_intr_pending(
27960 return register_value & SA5_OUTDB_STATUS_PERF_BIT;
27961 }
27962
27963 -static struct access_method SA5_access = {
27964 +static const struct access_method SA5_access = {
27965 SA5_submit_command,
27966 SA5_intr_mask,
27967 SA5_fifo_full,
27968 @@ -401,7 +401,7 @@ static struct access_method SA5_access =
27969 SA5_completed,
27970 };
27971
27972 -static struct access_method SA5B_access = {
27973 +static const struct access_method SA5B_access = {
27974 SA5_submit_command,
27975 SA5B_intr_mask,
27976 SA5_fifo_full,
27977 @@ -409,7 +409,7 @@ static struct access_method SA5B_access
27978 SA5_completed,
27979 };
27980
27981 -static struct access_method SA5_performant_access = {
27982 +static const struct access_method SA5_performant_access = {
27983 SA5_submit_command,
27984 SA5_performant_intr_mask,
27985 SA5_fifo_full,
27986 @@ -420,7 +420,7 @@ static struct access_method SA5_performa
27987 struct board_type {
27988 __u32 board_id;
27989 char *product_name;
27990 - struct access_method *access;
27991 + const struct access_method *access;
27992 int nr_cmds; /* Max cmds this kind of ctlr can handle. */
27993 };
27994
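Review bot: In `struct board_type` the `access` pointer is now const but `char *product_name;` is left writable, although the `products[]` tables in cciss.c and cpqarray.c are declared const and initialise that field from string literals. Declaring it `const char *product_name;` would complete the const-ification and let the compiler reject writes through it. Any consumer that copies the pointer into a non-const `char *` would need the same qualifier, and those users are outside this hunk. The identical structure in drivers/block/cpqarray.h (a later hunk) has the same leftover.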
27995 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.c linux-2.6.39.3/drivers/block/cpqarray.c
27996 --- linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-19 00:06:34.000000000 -0400
27997 +++ linux-2.6.39.3/drivers/block/cpqarray.c 2011-05-22 19:36:31.000000000 -0400
27998 @@ -80,7 +80,7 @@ static int eisa[8];
27999 * product = Marketing Name for the board
28000 * access = Address of the struct of function pointers
28001 */
28002 -static struct board_type products[] = {
28003 +static const struct board_type products[] = {
28004 { 0x0040110E, "IDA", &smart1_access },
28005 { 0x0140110E, "IDA-2", &smart1_access },
28006 { 0x1040110E, "IAES", &smart1_access },
28007 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
28008 struct scatterlist tmp_sg[SG_MAX];
28009 int i, dir, seg;
28010
28011 + pax_track_stack();
28012 +
28013 queue_next:
28014 creq = blk_peek_request(q);
28015 if (!creq)
28016 diff -urNp linux-2.6.39.3/drivers/block/cpqarray.h linux-2.6.39.3/drivers/block/cpqarray.h
28017 --- linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-19 00:06:34.000000000 -0400
28018 +++ linux-2.6.39.3/drivers/block/cpqarray.h 2011-05-22 19:36:31.000000000 -0400
28019 @@ -69,7 +69,7 @@ struct access_method {
28020 struct board_type {
28021 __u32 board_id;
28022 char *product_name;
28023 - struct access_method *access;
28024 + const struct access_method *access;
28025 };
28026
28027 struct ctlr_info {
28028 diff -urNp linux-2.6.39.3/drivers/block/DAC960.c linux-2.6.39.3/drivers/block/DAC960.c
28029 --- linux-2.6.39.3/drivers/block/DAC960.c 2011-05-19 00:06:34.000000000 -0400
28030 +++ linux-2.6.39.3/drivers/block/DAC960.c 2011-05-22 19:36:31.000000000 -0400
28031 @@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
28032 unsigned long flags;
28033 int Channel, TargetID;
28034
28035 + pax_track_stack();
28036 +
28037 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
28038 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
28039 sizeof(DAC960_SCSI_Inquiry_T) +
28040 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_int.h linux-2.6.39.3/drivers/block/drbd/drbd_int.h
28041 --- linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-19 00:06:34.000000000 -0400
28042 +++ linux-2.6.39.3/drivers/block/drbd/drbd_int.h 2011-05-22 19:36:31.000000000 -0400
28043 @@ -736,7 +736,7 @@ struct drbd_request;
28044 struct drbd_epoch {
28045 struct list_head list;
28046 unsigned int barrier_nr;
28047 - atomic_t epoch_size; /* increased on every request added. */
28048 + atomic_unchecked_t epoch_size; /* increased on every request added. */
28049 atomic_t active; /* increased on every req. added, and dec on every finished. */
28050 unsigned long flags;
28051 };
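Review bot: The field comment on `epoch_size` does not say why it is exempted from overflow detection while `active` on the next line keeps the checked `atomic_t`, so the distinction looks arbitrary to a later reader. From the visible uses in drbd_receiver.c it is only incremented, compared with zero and reset, which suggests a plain counter rather than a lifetime reference. Extending the comment to `/* increased on every request added; plain counter, not a refcount, so overflow is not checked */` would record that. The same applies to `packet_seq` in the next hunk, which is used as a wrapping sequence number.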
28052 @@ -1108,7 +1108,7 @@ struct drbd_conf {
28053 void *int_dig_in;
28054 void *int_dig_vv;
28055 wait_queue_head_t seq_wait;
28056 - atomic_t packet_seq;
28057 + atomic_unchecked_t packet_seq;
28058 unsigned int peer_seq;
28059 spinlock_t peer_seq_lock;
28060 unsigned int minor;
28061 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_main.c linux-2.6.39.3/drivers/block/drbd/drbd_main.c
28062 --- linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-19 00:06:34.000000000 -0400
28063 +++ linux-2.6.39.3/drivers/block/drbd/drbd_main.c 2011-05-22 19:36:31.000000000 -0400
28064 @@ -2387,7 +2387,7 @@ static int _drbd_send_ack(struct drbd_co
28065 p.sector = sector;
28066 p.block_id = block_id;
28067 p.blksize = blksize;
28068 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
28069 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
28070
28071 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
28072 return false;
28073 @@ -2686,7 +2686,7 @@ int drbd_send_dblock(struct drbd_conf *m
28074 p.sector = cpu_to_be64(req->sector);
28075 p.block_id = (unsigned long)req;
28076 p.seq_num = cpu_to_be32(req->seq_num =
28077 - atomic_add_return(1, &mdev->packet_seq));
28078 + atomic_add_return_unchecked(1, &mdev->packet_seq));
28079
28080 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
28081
28082 @@ -2971,7 +2971,7 @@ void drbd_init_set_defaults(struct drbd_
28083 atomic_set(&mdev->unacked_cnt, 0);
28084 atomic_set(&mdev->local_cnt, 0);
28085 atomic_set(&mdev->net_cnt, 0);
28086 - atomic_set(&mdev->packet_seq, 0);
28087 + atomic_set_unchecked(&mdev->packet_seq, 0);
28088 atomic_set(&mdev->pp_in_use, 0);
28089 atomic_set(&mdev->pp_in_use_by_net, 0);
28090 atomic_set(&mdev->rs_sect_in, 0);
28091 @@ -3051,8 +3051,8 @@ void drbd_mdev_cleanup(struct drbd_conf
28092 mdev->receiver.t_state);
28093
28094 /* no need to lock it, I'm the only thread alive */
28095 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
28096 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
28097 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
28098 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
28099 mdev->al_writ_cnt =
28100 mdev->bm_writ_cnt =
28101 mdev->read_cnt =
28102 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_nl.c linux-2.6.39.3/drivers/block/drbd/drbd_nl.c
28103 --- linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-19 00:06:34.000000000 -0400
28104 +++ linux-2.6.39.3/drivers/block/drbd/drbd_nl.c 2011-05-22 19:36:31.000000000 -0400
28105 @@ -2298,7 +2298,7 @@ static void drbd_connector_callback(stru
28106 module_put(THIS_MODULE);
28107 }
28108
28109 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28110 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
28111
28112 static unsigned short *
28113 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
28114 @@ -2369,7 +2369,7 @@ void drbd_bcast_state(struct drbd_conf *
28115 cn_reply->id.idx = CN_IDX_DRBD;
28116 cn_reply->id.val = CN_VAL_DRBD;
28117
28118 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28119 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28120 cn_reply->ack = 0; /* not used here. */
28121 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28122 (int)((char *)tl - (char *)reply->tag_list);
28123 @@ -2401,7 +2401,7 @@ void drbd_bcast_ev_helper(struct drbd_co
28124 cn_reply->id.idx = CN_IDX_DRBD;
28125 cn_reply->id.val = CN_VAL_DRBD;
28126
28127 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28128 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28129 cn_reply->ack = 0; /* not used here. */
28130 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28131 (int)((char *)tl - (char *)reply->tag_list);
28132 @@ -2479,7 +2479,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
28133 cn_reply->id.idx = CN_IDX_DRBD;
28134 cn_reply->id.val = CN_VAL_DRBD;
28135
28136 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
28137 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
28138 cn_reply->ack = 0; // not used here.
28139 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28140 (int)((char*)tl - (char*)reply->tag_list);
28141 @@ -2518,7 +2518,7 @@ void drbd_bcast_sync_progress(struct drb
28142 cn_reply->id.idx = CN_IDX_DRBD;
28143 cn_reply->id.val = CN_VAL_DRBD;
28144
28145 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
28146 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
28147 cn_reply->ack = 0; /* not used here. */
28148 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
28149 (int)((char *)tl - (char *)reply->tag_list);
28150 diff -urNp linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c
28151 --- linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-19 00:06:34.000000000 -0400
28152 +++ linux-2.6.39.3/drivers/block/drbd/drbd_receiver.c 2011-05-22 19:36:31.000000000 -0400
28153 @@ -894,7 +894,7 @@ retry:
28154 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
28155 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
28156
28157 - atomic_set(&mdev->packet_seq, 0);
28158 + atomic_set_unchecked(&mdev->packet_seq, 0);
28159 mdev->peer_seq = 0;
28160
28161 drbd_thread_start(&mdev->asender);
28162 @@ -990,7 +990,7 @@ static enum finish_epoch drbd_may_finish
28163 do {
28164 next_epoch = NULL;
28165
28166 - epoch_size = atomic_read(&epoch->epoch_size);
28167 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
28168
28169 switch (ev & ~EV_CLEANUP) {
28170 case EV_PUT:
28171 @@ -1025,7 +1025,7 @@ static enum finish_epoch drbd_may_finish
28172 rv = FE_DESTROYED;
28173 } else {
28174 epoch->flags = 0;
28175 - atomic_set(&epoch->epoch_size, 0);
28176 + atomic_set_unchecked(&epoch->epoch_size, 0);
28177 /* atomic_set(&epoch->active, 0); is already zero */
28178 if (rv == FE_STILL_LIVE)
28179 rv = FE_RECYCLED;
28180 @@ -1196,14 +1196,14 @@ static int receive_Barrier(struct drbd_c
28181 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
28182 drbd_flush(mdev);
28183
28184 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28185 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28186 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
28187 if (epoch)
28188 break;
28189 }
28190
28191 epoch = mdev->current_epoch;
28192 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
28193 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
28194
28195 D_ASSERT(atomic_read(&epoch->active) == 0);
28196 D_ASSERT(epoch->flags == 0);
28197 @@ -1215,11 +1215,11 @@ static int receive_Barrier(struct drbd_c
28198 }
28199
28200 epoch->flags = 0;
28201 - atomic_set(&epoch->epoch_size, 0);
28202 + atomic_set_unchecked(&epoch->epoch_size, 0);
28203 atomic_set(&epoch->active, 0);
28204
28205 spin_lock(&mdev->epoch_lock);
28206 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
28207 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
28208 list_add(&epoch->list, &mdev->current_epoch->list);
28209 mdev->current_epoch = epoch;
28210 mdev->epochs++;
28211 @@ -1668,7 +1668,7 @@ static int receive_Data(struct drbd_conf
28212 spin_unlock(&mdev->peer_seq_lock);
28213
28214 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
28215 - atomic_inc(&mdev->current_epoch->epoch_size);
28216 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
28217 return drbd_drain_block(mdev, data_size);
28218 }
28219
28220 @@ -1694,7 +1694,7 @@ static int receive_Data(struct drbd_conf
28221
28222 spin_lock(&mdev->epoch_lock);
28223 e->epoch = mdev->current_epoch;
28224 - atomic_inc(&e->epoch->epoch_size);
28225 + atomic_inc_unchecked(&e->epoch->epoch_size);
28226 atomic_inc(&e->epoch->active);
28227 spin_unlock(&mdev->epoch_lock);
28228
28229 @@ -3905,7 +3905,7 @@ static void drbd_disconnect(struct drbd_
28230 D_ASSERT(list_empty(&mdev->done_ee));
28231
28232 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
28233 - atomic_set(&mdev->current_epoch->epoch_size, 0);
28234 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
28235 D_ASSERT(list_empty(&mdev->current_epoch->list));
28236 }
28237
28238 diff -urNp linux-2.6.39.3/drivers/block/nbd.c linux-2.6.39.3/drivers/block/nbd.c
28239 --- linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 12:55:22.000000000 -0400
28240 +++ linux-2.6.39.3/drivers/block/nbd.c 2011-06-25 13:00:25.000000000 -0400
28241 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
28242 struct kvec iov;
28243 sigset_t blocked, oldset;
28244
28245 + pax_track_stack();
28246 +
28247 if (unlikely(!sock)) {
28248 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28249 lo->disk->disk_name, (send ? "send" : "recv"));
28250 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
28251 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28252 unsigned int cmd, unsigned long arg)
28253 {
28254 + pax_track_stack();
28255 +
28256 switch (cmd) {
28257 case NBD_DISCONNECT: {
28258 struct request sreq;
28259 diff -urNp linux-2.6.39.3/drivers/block/smart1,2.h linux-2.6.39.3/drivers/block/smart1,2.h
28260 --- linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-19 00:06:34.000000000 -0400
28261 +++ linux-2.6.39.3/drivers/block/smart1,2.h 2011-05-22 19:36:31.000000000 -0400
28262 @@ -107,7 +107,7 @@ static unsigned long smart4_intr_pending
28263 return 0 ;
28264 }
28265
28266 -static struct access_method smart4_access = {
28267 +static const struct access_method smart4_access = {
28268 smart4_submit_command,
28269 smart4_intr_mask,
28270 smart4_fifo_full,
28271 @@ -143,7 +143,7 @@ static unsigned long smart2_intr_pending
28272 return readl(h->vaddr + INTR_PENDING);
28273 }
28274
28275 -static struct access_method smart2_access = {
28276 +static const struct access_method smart2_access = {
28277 smart2_submit_command,
28278 smart2_intr_mask,
28279 smart2_fifo_full,
28280 @@ -179,7 +179,7 @@ static unsigned long smart2e_intr_pendin
28281 return inl(h->io_mem_addr + INTR_PENDING);
28282 }
28283
28284 -static struct access_method smart2e_access = {
28285 +static const struct access_method smart2e_access = {
28286 smart2e_submit_command,
28287 smart2e_intr_mask,
28288 smart2e_fifo_full,
28289 @@ -269,7 +269,7 @@ static unsigned long smart1_intr_pending
28290 return chan;
28291 }
28292
28293 -static struct access_method smart1_access = {
28294 +static const struct access_method smart1_access = {
28295 smart1_submit_command,
28296 smart1_intr_mask,
28297 smart1_fifo_full,
28298 diff -urNp linux-2.6.39.3/drivers/block/xsysace.c linux-2.6.39.3/drivers/block/xsysace.c
28299 --- linux-2.6.39.3/drivers/block/xsysace.c 2011-05-19 00:06:34.000000000 -0400
28300 +++ linux-2.6.39.3/drivers/block/xsysace.c 2011-05-22 19:36:31.000000000 -0400
28301 @@ -262,7 +262,7 @@ static void ace_dataout_8(struct ace_dev
28302 ace->data_ptr = src;
28303 }
28304
28305 -static struct ace_reg_ops ace_reg_8_ops = {
28306 +static const struct ace_reg_ops ace_reg_8_ops = {
28307 .in = ace_in_8,
28308 .out = ace_out_8,
28309 .datain = ace_datain_8,
28310 @@ -327,14 +327,14 @@ static void ace_dataout_le16(struct ace_
28311 ace->data_ptr = src;
28312 }
28313
28314 -static struct ace_reg_ops ace_reg_be16_ops = {
28315 +static const struct ace_reg_ops ace_reg_be16_ops = {
28316 .in = ace_in_be16,
28317 .out = ace_out_be16,
28318 .datain = ace_datain_be16,
28319 .dataout = ace_dataout_be16,
28320 };
28321
28322 -static struct ace_reg_ops ace_reg_le16_ops = {
28323 +static const struct ace_reg_ops ace_reg_le16_ops = {
28324 .in = ace_in_le16,
28325 .out = ace_out_le16,
28326 .datain = ace_datain_le16,
28327 diff -urNp linux-2.6.39.3/drivers/char/agp/frontend.c linux-2.6.39.3/drivers/char/agp/frontend.c
28328 --- linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-19 00:06:34.000000000 -0400
28329 +++ linux-2.6.39.3/drivers/char/agp/frontend.c 2011-05-22 19:36:31.000000000 -0400
28330 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
28331 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
28332 return -EFAULT;
28333
28334 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
28335 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
28336 return -EFAULT;
28337
28338 client = agp_find_client_by_pid(reserve.pid);
28339 diff -urNp linux-2.6.39.3/drivers/char/briq_panel.c linux-2.6.39.3/drivers/char/briq_panel.c
28340 --- linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-19 00:06:34.000000000 -0400
28341 +++ linux-2.6.39.3/drivers/char/briq_panel.c 2011-05-22 19:41:32.000000000 -0400
28342 @@ -9,6 +9,7 @@
28343 #include <linux/types.h>
28344 #include <linux/errno.h>
28345 #include <linux/tty.h>
28346 +#include <linux/mutex.h>
28347 #include <linux/timer.h>
28348 #include <linux/kernel.h>
28349 #include <linux/wait.h>
28350 @@ -34,6 +35,7 @@ static int vfd_is_open;
28351 static unsigned char vfd[40];
28352 static int vfd_cursor;
28353 static unsigned char ledpb, led;
28354 +static DEFINE_MUTEX(vfd_mutex);
28355
28356 static void update_vfd(void)
28357 {
28358 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
28359 if (!vfd_is_open)
28360 return -EBUSY;
28361
28362 + mutex_lock(&vfd_mutex);
28363 for (;;) {
28364 char c;
28365 if (!indx)
28366 break;
28367 - if (get_user(c, buf))
28368 + if (get_user(c, buf)) {
28369 + mutex_unlock(&vfd_mutex);
28370 return -EFAULT;
28371 + }
28372 if (esc) {
28373 set_led(c);
28374 esc = 0;
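Review bot: `vfd_mutex` is taken only after the `vfd_is_open` test at the top of this hunk, and nothing states which data it protects. Within the hunk it covers `set_led()` and the loop body, and the matching unlock after `update_vfd()` is added in the next hunk; whether other paths that touch `vfd[]` or `vfd_cursor` take it cannot be seen from this diff. I would document the intent at the definition, e.g. `/* serialises briq_panel_write(): vfd[], vfd_cursor and LED updates */`. `get_user()` may sleep with the lock held, which is acceptable for a mutex but is worth a short comment so nobody converts it to a spinlock later. The body of `briq_panel_write()` starts before and continues past this hunk.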
28375 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
28376 buf++;
28377 }
28378 update_vfd();
28379 + mutex_unlock(&vfd_mutex);
28380
28381 return len;
28382 }
28383 diff -urNp linux-2.6.39.3/drivers/char/genrtc.c linux-2.6.39.3/drivers/char/genrtc.c
28384 --- linux-2.6.39.3/drivers/char/genrtc.c 2011-05-19 00:06:34.000000000 -0400
28385 +++ linux-2.6.39.3/drivers/char/genrtc.c 2011-05-22 19:41:32.000000000 -0400
28386 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
28387 switch (cmd) {
28388
28389 case RTC_PLL_GET:
28390 + memset(&pll, 0, sizeof(pll));
28391 if (get_rtc_pll(&pll))
28392 return -EINVAL;
28393 else
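Review bot: The `memset(&pll, 0, sizeof(pll))` added under `RTC_PLL_GET` carries no comment explaining why a struct that `get_rtc_pll()` fills is cleared first. If the `else` branch copies `pll` to user space, as it appears to (the copy is outside this hunk), the reason is that padding and any field the helper leaves unset would otherwise expose stale kernel stack bytes. I would add `/* clear padding and unset fields before pll goes to user space */` above the call so the line is not removed as redundant later.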
28394 diff -urNp linux-2.6.39.3/drivers/char/hpet.c linux-2.6.39.3/drivers/char/hpet.c
28395 --- linux-2.6.39.3/drivers/char/hpet.c 2011-05-19 00:06:34.000000000 -0400
28396 +++ linux-2.6.39.3/drivers/char/hpet.c 2011-05-22 19:36:31.000000000 -0400
28397 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
28398 }
28399
28400 static int
28401 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
28402 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
28403 struct hpet_info *info)
28404 {
28405 struct hpet_timer __iomem *timer;
28406 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c
28407 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-19 00:06:34.000000000 -0400
28408 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_devintf.c 2011-05-22 19:36:31.000000000 -0400
28409 @@ -109,8 +109,7 @@ static int ipmi_fasync(int fd, struct fi
28410 return (result);
28411 }
28412
28413 -static struct ipmi_user_hndl ipmi_hndlrs =
28414 -{
28415 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28416 .ipmi_recv_hndl = file_receive_handler,
28417 };
28418
28419 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c
28420 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-19 00:06:34.000000000 -0400
28421 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_msghandler.c 2011-05-22 19:36:31.000000000 -0400
28422 @@ -82,7 +82,7 @@ struct ipmi_user {
28423 struct kref refcount;
28424
28425 /* The upper layer that handles receive messages. */
28426 - struct ipmi_user_hndl *handler;
28427 + const struct ipmi_user_hndl *handler;
28428 void *handler_data;
28429
28430 /* The interface this user is bound to. */
28431 @@ -414,7 +414,7 @@ struct ipmi_smi {
28432 struct proc_dir_entry *proc_dir;
28433 char proc_dir_name[10];
28434
28435 - atomic_t stats[IPMI_NUM_STATS];
28436 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28437
28438 /*
28439 * run_to_completion duplicate of smb_info, smi_info
28440 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28441
28442
28443 #define ipmi_inc_stat(intf, stat) \
28444 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28445 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28446 #define ipmi_get_stat(intf, stat) \
28447 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28448 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28449
28450 static int is_lan_addr(struct ipmi_addr *addr)
28451 {
28452 @@ -875,7 +875,7 @@ static int intf_err_seq(ipmi_smi_t int
28453
28454
28455 int ipmi_create_user(unsigned int if_num,
28456 - struct ipmi_user_hndl *handler,
28457 + const struct ipmi_user_hndl *handler,
28458 void *handler_data,
28459 ipmi_user_t *user)
28460 {
28461 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28462 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28463 init_waitqueue_head(&intf->waitq);
28464 for (i = 0; i < IPMI_NUM_STATS; i++)
28465 - atomic_set(&intf->stats[i], 0);
28466 + atomic_set_unchecked(&intf->stats[i], 0);
28467
28468 intf->proc_dir = NULL;
28469
28470 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
28471 struct ipmi_smi_msg smi_msg;
28472 struct ipmi_recv_msg recv_msg;
28473
28474 + pax_track_stack();
28475 +
28476 si = (struct ipmi_system_interface_addr *) &addr;
28477 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28478 si->channel = IPMI_BMC_CHANNEL;
28479 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c
28480 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-19 00:06:34.000000000 -0400
28481 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_poweroff.c 2011-05-22 19:36:31.000000000 -0400
28482 @@ -133,7 +133,7 @@ static void receive_handler(struct ipmi_
28483 complete(comp);
28484 }
28485
28486 -static struct ipmi_user_hndl ipmi_poweroff_handler = {
28487 +static const struct ipmi_user_hndl ipmi_poweroff_handler = {
28488 .ipmi_recv_hndl = receive_handler
28489 };
28490
28491 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c
28492 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-19 00:06:34.000000000 -0400
28493 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_si_intf.c 2011-05-22 19:36:31.000000000 -0400
28494 @@ -276,7 +276,7 @@ struct smi_info {
28495 unsigned char slave_addr;
28496
28497 /* Counters and things for the proc filesystem. */
28498 - atomic_t stats[SI_NUM_STATS];
28499 + atomic_unchecked_t stats[SI_NUM_STATS];
28500
28501 struct task_struct *thread;
28502
28503 @@ -285,9 +285,9 @@ struct smi_info {
28504 };
28505
28506 #define smi_inc_stat(smi, stat) \
28507 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28508 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28509 #define smi_get_stat(smi, stat) \
28510 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28511 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28512
28513 #define SI_MAX_PARMS 4
28514
28515 @@ -3198,7 +3198,7 @@ static int try_smi_init(struct smi_info
28516 atomic_set(&new_smi->req_events, 0);
28517 new_smi->run_to_completion = 0;
28518 for (i = 0; i < SI_NUM_STATS; i++)
28519 - atomic_set(&new_smi->stats[i], 0);
28520 + atomic_set_unchecked(&new_smi->stats[i], 0);
28521
28522 new_smi->interrupt_disabled = 1;
28523 atomic_set(&new_smi->stop_operation, 0);
28524 diff -urNp linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c
28525 --- linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-19 00:06:34.000000000 -0400
28526 +++ linux-2.6.39.3/drivers/char/ipmi/ipmi_watchdog.c 2011-05-22 19:36:31.000000000 -0400
28527 @@ -216,7 +216,7 @@ static int set_param_timeout(const char
28528 return rv;
28529 }
28530
28531 -static struct kernel_param_ops param_ops_timeout = {
28532 +static const struct kernel_param_ops param_ops_timeout = {
28533 .set = set_param_timeout,
28534 .get = param_get_int,
28535 };
28536 @@ -278,14 +278,14 @@ static int set_param_wdog_ifnum(const ch
28537 return 0;
28538 }
28539
28540 -static struct kernel_param_ops param_ops_wdog_ifnum = {
28541 +static const struct kernel_param_ops param_ops_wdog_ifnum = {
28542 .set = set_param_wdog_ifnum,
28543 .get = param_get_int,
28544 };
28545
28546 #define param_check_wdog_ifnum param_check_int
28547
28548 -static struct kernel_param_ops param_ops_str = {
28549 +static const struct kernel_param_ops param_ops_str = {
28550 .set = set_param_str,
28551 .get = get_param_str,
28552 };
28553 @@ -953,7 +953,7 @@ static void ipmi_wdog_pretimeout_handler
28554 pretimeout_since_last_heartbeat = 1;
28555 }
28556
28557 -static struct ipmi_user_hndl ipmi_hndlrs = {
28558 +static const struct ipmi_user_hndl ipmi_hndlrs = {
28559 .ipmi_recv_hndl = ipmi_wdog_msg_handler,
28560 .ipmi_watchdog_pretimeout = ipmi_wdog_pretimeout_handler
28561 };
28562 diff -urNp linux-2.6.39.3/drivers/char/Kconfig linux-2.6.39.3/drivers/char/Kconfig
28563 --- linux-2.6.39.3/drivers/char/Kconfig 2011-05-19 00:06:34.000000000 -0400
28564 +++ linux-2.6.39.3/drivers/char/Kconfig 2011-05-22 19:41:37.000000000 -0400
28565 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
28566
28567 config DEVKMEM
28568 bool "/dev/kmem virtual device support"
28569 - default y
28570 + default n
28571 + depends on !GRKERNSEC_KMEM
28572 help
28573 Say Y here if you want to support the /dev/kmem device. The
28574 /dev/kmem device is rarely used, but can be used for certain
28575 @@ -596,6 +597,7 @@ config DEVPORT
28576 bool
28577 depends on !M68K
28578 depends on ISA || PCI
28579 + depends on !GRKERNSEC_KMEM
28580 default y
28581
28582 source "drivers/s390/char/Kconfig"
28583 diff -urNp linux-2.6.39.3/drivers/char/mem.c linux-2.6.39.3/drivers/char/mem.c
28584 --- linux-2.6.39.3/drivers/char/mem.c 2011-05-19 00:06:34.000000000 -0400
28585 +++ linux-2.6.39.3/drivers/char/mem.c 2011-05-22 19:41:37.000000000 -0400
28586 @@ -18,6 +18,7 @@
28587 #include <linux/raw.h>
28588 #include <linux/tty.h>
28589 #include <linux/capability.h>
28590 +#include <linux/security.h>
28591 #include <linux/ptrace.h>
28592 #include <linux/device.h>
28593 #include <linux/highmem.h>
28594 @@ -34,6 +35,10 @@
28595 # include <linux/efi.h>
28596 #endif
28597
28598 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28599 +extern struct file_operations grsec_fops;
28600 +#endif
28601 +
28602 static inline unsigned long size_inside_page(unsigned long start,
28603 unsigned long size)
28604 {
28605 @@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
28606
28607 while (cursor < to) {
28608 if (!devmem_is_allowed(pfn)) {
28609 +#ifdef CONFIG_GRKERNSEC_KMEM
28610 + gr_handle_mem_readwrite(from, to);
28611 +#else
28612 printk(KERN_INFO
28613 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28614 current->comm, from, to);
28615 +#endif
28616 return 0;
28617 }
28618 cursor += PAGE_SIZE;
28619 @@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
28620 }
28621 return 1;
28622 }
28623 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28624 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28625 +{
28626 + return 0;
28627 +}
28628 #else
28629 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28630 {
28631 @@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
28632
28633 while (count > 0) {
28634 unsigned long remaining;
28635 + char *temp;
28636
28637 sz = size_inside_page(p, count);
28638
28639 @@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
28640 if (!ptr)
28641 return -EFAULT;
28642
28643 - remaining = copy_to_user(buf, ptr, sz);
28644 +#ifdef CONFIG_PAX_USERCOPY
28645 + temp = kmalloc(sz, GFP_KERNEL);
28646 + if (!temp) {
28647 + unxlate_dev_mem_ptr(p, ptr);
28648 + return -ENOMEM;
28649 + }
28650 + memcpy(temp, ptr, sz);
28651 +#else
28652 + temp = ptr;
28653 +#endif
28654 +
28655 + remaining = copy_to_user(buf, temp, sz);
28656 +
28657 +#ifdef CONFIG_PAX_USERCOPY
28658 + kfree(temp);
28659 +#endif
28660 +
28661 unxlate_dev_mem_ptr(p, ptr);
28662 if (remaining)
28663 return -EFAULT;
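Review bot: Under `CONFIG_PAX_USERCOPY` each loop iteration now performs `kmalloc(sz, GFP_KERNEL)`, `memcpy()` and `kfree()`, and the same sequence is repeated in the `read_kmem()` hunk further down. `sz` comes from `size_inside_page()`, which presumably never exceeds one page, so a single buffer obtained before the loop with `temp = kmalloc(PAGE_SIZE, GFP_KERNEL);` and freed on the exit paths would avoid an allocation per page and remove the mid-loop `-ENOMEM` return. A short comment on why the bounce buffer exists (the mapped pointer is not an object the usercopy check can validate, if that is the reason) would also help. The loop and the function start and end outside this hunk, so the exit paths need checking against the full body.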
28664 @@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
28665 size_t count, loff_t *ppos)
28666 {
28667 unsigned long p = *ppos;
28668 - ssize_t low_count, read, sz;
28669 + ssize_t low_count, read, sz, err = 0;
28670 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28671 - int err = 0;
28672
28673 read = 0;
28674 if (p < (unsigned long) high_memory) {
28675 @@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
28676 }
28677 #endif
28678 while (low_count > 0) {
28679 + char *temp;
28680 +
28681 sz = size_inside_page(p, low_count);
28682
28683 /*
28684 @@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
28685 */
28686 kbuf = xlate_dev_kmem_ptr((char *)p);
28687
28688 - if (copy_to_user(buf, kbuf, sz))
28689 +#ifdef CONFIG_PAX_USERCOPY
28690 + temp = kmalloc(sz, GFP_KERNEL);
28691 + if (!temp)
28692 + return -ENOMEM;
28693 + memcpy(temp, kbuf, sz);
28694 +#else
28695 + temp = kbuf;
28696 +#endif
28697 +
28698 + err = copy_to_user(buf, temp, sz);
28699 +
28700 +#ifdef CONFIG_PAX_USERCOPY
28701 + kfree(temp);
28702 +#endif
28703 +
28704 + if (err)
28705 return -EFAULT;
28706 buf += sz;
28707 p += sz;
28708 @@ -854,6 +901,9 @@ static const struct memdev {
28709 #ifdef CONFIG_CRASH_DUMP
28710 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28711 #endif
28712 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28713 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28714 +#endif
28715 };
28716
28717 static int memory_open(struct inode *inode, struct file *filp)
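Review bot: The new `[13]` entry creates the `grsec` node with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user, and the table gives no hint that this is deliberate. If the intent is that all access decisions are made inside `grsec_fops` rather than by file permissions, say so next to the entry, e.g. `/* world-writable by design: requests are authenticated in grsec_fops */`, so the mode is not mistaken for an error or copied elsewhere. The entry is also missing a space after the comma in `"grsec",S_IRUSR`. The related `extern struct file_operations grsec_fops;` sits in this .c file rather than a shared header, so the compiler cannot check it against the definition.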
28718 diff -urNp linux-2.6.39.3/drivers/char/mmtimer.c linux-2.6.39.3/drivers/char/mmtimer.c
28719 --- linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-19 00:06:34.000000000 -0400
28720 +++ linux-2.6.39.3/drivers/char/mmtimer.c 2011-05-22 19:36:31.000000000 -0400
28721 @@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
28722
28723 #define RTC_BITS 55 /* 55 bits for this implementation */
28724
28725 -static struct k_clock sgi_clock;
28726 +static const struct k_clock sgi_clock;
28727
28728 extern unsigned long sn_rtc_cycles_per_second;
28729
28730 @@ -772,7 +772,7 @@ static int sgi_clock_getres(const clocki
28731 return 0;
28732 }
28733
28734 -static struct k_clock sgi_clock = {
28735 +static const struct k_clock sgi_clock = {
28736 .clock_set = sgi_clock_set,
28737 .clock_get = sgi_clock_get,
28738 .clock_getres = sgi_clock_getres,
28739 diff -urNp linux-2.6.39.3/drivers/char/nvram.c linux-2.6.39.3/drivers/char/nvram.c
28740 --- linux-2.6.39.3/drivers/char/nvram.c 2011-05-19 00:06:34.000000000 -0400
28741 +++ linux-2.6.39.3/drivers/char/nvram.c 2011-05-22 19:36:31.000000000 -0400
28742 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
28743
28744 spin_unlock_irq(&rtc_lock);
28745
28746 - if (copy_to_user(buf, contents, tmp - contents))
28747 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
28748 return -EFAULT;
28749
28750 *ppos = i;
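Review bot: The added `tmp - contents > sizeof(contents)` test runs only after `contents` has been filled by code above this hunk, so it limits what is copied out but cannot prevent an overrun of the array itself, should one be possible. If the fill loop can exceed the array, the bound belongs on that loop; if it cannot, mark the test as a defensive guard for the copy, e.g. `/* defensive: never copy out more than contents[] holds */`. The comparison also depends on the signed pointer difference being converted to an unsigned type, so a negative difference is rejected only implicitly. `-EFAULT` is reused for what would be an internal inconsistency rather than a bad user pointer, which makes the two cases indistinguishable to the caller.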
28751 diff -urNp linux-2.6.39.3/drivers/char/random.c linux-2.6.39.3/drivers/char/random.c
28752 --- linux-2.6.39.3/drivers/char/random.c 2011-05-19 00:06:34.000000000 -0400
28753 +++ linux-2.6.39.3/drivers/char/random.c 2011-05-22 19:41:37.000000000 -0400
28754 @@ -261,8 +261,13 @@
28755 /*
28756 * Configuration information
28757 */
28758 +#ifdef CONFIG_GRKERNSEC_RANDNET
28759 +#define INPUT_POOL_WORDS 512
28760 +#define OUTPUT_POOL_WORDS 128
28761 +#else
28762 #define INPUT_POOL_WORDS 128
28763 #define OUTPUT_POOL_WORDS 32
28764 +#endif
28765 #define SEC_XFER_SIZE 512
28766 #define EXTRACT_SIZE 10
28767
28768 @@ -300,10 +305,17 @@ static struct poolinfo {
28769 int poolwords;
28770 int tap1, tap2, tap3, tap4, tap5;
28771 } poolinfo_table[] = {
28772 +#ifdef CONFIG_GRKERNSEC_RANDNET
28773 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28774 + { 512, 411, 308, 208, 104, 1 },
28775 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28776 + { 128, 103, 76, 51, 25, 1 },
28777 +#else
28778 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28779 { 128, 103, 76, 51, 25, 1 },
28780 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28781 { 32, 26, 20, 14, 7, 1 },
28782 +#endif
28783 #if 0
28784 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28785 { 2048, 1638, 1231, 819, 411, 1 },
28786 @@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
28787
28788 extract_buf(r, tmp);
28789 i = min_t(int, nbytes, EXTRACT_SIZE);
28790 - if (copy_to_user(buf, tmp, i)) {
28791 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
28792 ret = -EFAULT;
28793 break;
28794 }
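Review bot: The added `i > sizeof(tmp)` guard relies on an implicit conversion that is easy to miss. `i` is produced by `min_t(int, nbytes, EXTRACT_SIZE)`, so a very large `nbytes` can become negative after the cast; assuming `i` is declared signed (the declaration is outside this hunk), it is rejected here only because it is converted to a large unsigned value for the comparison with `sizeof`. I would state that at the check, e.g. `/* a negative i converts to a huge size_t and is rejected */`, so the test is not removed as always-false. The loop this sits in starts before the hunk.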
28795 @@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28796 #include <linux/sysctl.h>
28797
28798 static int min_read_thresh = 8, min_write_thresh;
28799 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28800 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28801 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28802 static char sysctl_bootid[16];
28803
28804 diff -urNp linux-2.6.39.3/drivers/char/sonypi.c linux-2.6.39.3/drivers/char/sonypi.c
28805 --- linux-2.6.39.3/drivers/char/sonypi.c 2011-05-19 00:06:34.000000000 -0400
28806 +++ linux-2.6.39.3/drivers/char/sonypi.c 2011-05-22 19:36:31.000000000 -0400
28807 @@ -55,6 +55,7 @@
28808 #include <asm/uaccess.h>
28809 #include <asm/io.h>
28810 #include <asm/system.h>
28811 +#include <asm/local.h>
28812
28813 #include <linux/sonypi.h>
28814
28815 @@ -491,7 +492,7 @@ static struct sonypi_device {
28816 spinlock_t fifo_lock;
28817 wait_queue_head_t fifo_proc_list;
28818 struct fasync_struct *fifo_async;
28819 - int open_count;
28820 + local_t open_count;
28821 int model;
28822 struct input_dev *input_jog_dev;
28823 struct input_dev *input_key_dev;
28824 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
28825 static int sonypi_misc_release(struct inode *inode, struct file *file)
28826 {
28827 mutex_lock(&sonypi_device.lock);
28828 - sonypi_device.open_count--;
28829 + local_dec(&sonypi_device.open_count);
28830 mutex_unlock(&sonypi_device.lock);
28831 return 0;
28832 }
28833 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
28834 {
28835 mutex_lock(&sonypi_device.lock);
28836 /* Flush input queue on first open */
28837 - if (!sonypi_device.open_count)
28838 + if (!local_read(&sonypi_device.open_count))
28839 kfifo_reset(&sonypi_device.fifo);
28840 - sonypi_device.open_count++;
28841 + local_inc(&sonypi_device.open_count);
28842 mutex_unlock(&sonypi_device.lock);
28843
28844 return 0;
28845 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm_bios.c linux-2.6.39.3/drivers/char/tpm/tpm_bios.c
28846 --- linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-19 00:06:34.000000000 -0400
28847 +++ linux-2.6.39.3/drivers/char/tpm/tpm_bios.c 2011-05-22 19:36:31.000000000 -0400
28848 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
28849 event = addr;
28850
28851 if ((event->event_type == 0 && event->event_size == 0) ||
28852 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28853 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28854 return NULL;
28855
28856 return addr;
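Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` wraps when fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`. The subtraction is carried out in an unsigned type, so the right-hand side becomes very large and a truncated entry is accepted. The check is therefore correct only if an earlier test, outside this hunk, already guarantees that a whole header fits; the same holds for the `v` form in `tpm_bios_measurements_next()` in the next hunk. Stating the precondition in place keeps the check self-contained: `limit - addr < sizeof(struct tcpa_event) || event->event_size >= limit - addr - sizeof(struct tcpa_event)`, or failing that a comment naming the earlier test it depends on.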
28857 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
28858 return NULL;
28859
28860 if ((event->event_type == 0 && event->event_size == 0) ||
28861 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28862 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28863 return NULL;
28864
28865 (*pos)++;
28866 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
28867 int i;
28868
28869 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28870 - seq_putc(m, data[i]);
28871 + if (!seq_putc(m, data[i]))
28872 + return -EFAULT;
28873
28874 return 0;
28875 }
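Review bot: The new test `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted. Assuming `seq_putc()` keeps its mainline contract for this kernel series (0 on success, -1 when the buffer is full), this returns `-EFAULT` after the first byte that was written successfully and continues silently on overflow. The condition should be `if (seq_putc(m, data[i]))`. Even then, returning an error on a full buffer may defeat the seq_file core's retry with a larger buffer, so leaving overflow handling to the core could be the safer choice; that needs checking against `fs/seq_file.c` for this version. The multi-line `if` under the `for` would also be clearer with braces around the loop body.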
28876 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
28877 log->bios_event_log_end = log->bios_event_log + len;
28878
28879 virt = acpi_os_map_memory(start, len);
28880 + if (!virt) {
28881 + kfree(log->bios_event_log);
28882 + log->bios_event_log = NULL;
28883 + return -EFAULT;
28884 + }
28885
28886 memcpy(log->bios_event_log, virt, len);
28887
28888 diff -urNp linux-2.6.39.3/drivers/char/tpm/tpm.c linux-2.6.39.3/drivers/char/tpm/tpm.c
28889 --- linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-19 00:06:34.000000000 -0400
28890 +++ linux-2.6.39.3/drivers/char/tpm/tpm.c 2011-05-22 19:36:31.000000000 -0400
28891 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
28892 chip->vendor.req_complete_val)
28893 goto out_recv;
28894
28895 - if ((status == chip->vendor.req_canceled)) {
28896 + if (status == chip->vendor.req_canceled) {
28897 dev_err(chip->dev, "Operation Canceled\n");
28898 rc = -ECANCELED;
28899 goto out;
28900 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
28901
28902 struct tpm_chip *chip = dev_get_drvdata(dev);
28903
28904 + pax_track_stack();
28905 +
28906 tpm_cmd.header.in = tpm_readpubek_header;
28907 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28908 "attempting to read the PUBEK");
28909 diff -urNp linux-2.6.39.3/drivers/char/ttyprintk.c linux-2.6.39.3/drivers/char/ttyprintk.c
28910 --- linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-19 00:06:34.000000000 -0400
28911 +++ linux-2.6.39.3/drivers/char/ttyprintk.c 2011-05-22 19:36:31.000000000 -0400
28912 @@ -170,7 +170,7 @@ static const struct tty_operations ttypr
28913 .ioctl = tpk_ioctl,
28914 };
28915
28916 -struct tty_port_operations null_ops = { };
28917 +const struct tty_port_operations null_ops = { };
28918
28919 static struct tty_driver *ttyprintk_driver;
28920
28921 diff -urNp linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c
28922 --- linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-19 00:06:34.000000000 -0400
28923 +++ linux-2.6.39.3/drivers/char/xilinx_hwicap/xilinx_hwicap.c 2011-05-22 19:36:31.000000000 -0400
28924 @@ -678,14 +678,14 @@ static int __devinit hwicap_setup(struct
28925 return retval;
28926 }
28927
28928 -static struct hwicap_driver_config buffer_icap_config = {
28929 +static const struct hwicap_driver_config buffer_icap_config = {
28930 .get_configuration = buffer_icap_get_configuration,
28931 .set_configuration = buffer_icap_set_configuration,
28932 .get_status = buffer_icap_get_status,
28933 .reset = buffer_icap_reset,
28934 };
28935
28936 -static struct hwicap_driver_config fifo_icap_config = {
28937 +static const struct hwicap_driver_config fifo_icap_config = {
28938 .get_configuration = fifo_icap_get_configuration,
28939 .set_configuration = fifo_icap_set_configuration,
28940 .get_status = fifo_icap_get_status,
28941 diff -urNp linux-2.6.39.3/drivers/crypto/hifn_795x.c linux-2.6.39.3/drivers/crypto/hifn_795x.c
28942 --- linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-19 00:06:34.000000000 -0400
28943 +++ linux-2.6.39.3/drivers/crypto/hifn_795x.c 2011-05-22 19:36:31.000000000 -0400
28944 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28945 0xCA, 0x34, 0x2B, 0x2E};
28946 struct scatterlist sg;
28947
28948 + pax_track_stack();
28949 +
28950 memset(src, 0, sizeof(src));
28951 memset(ctx.key, 0, sizeof(ctx.key));
28952
28953 diff -urNp linux-2.6.39.3/drivers/crypto/padlock-aes.c linux-2.6.39.3/drivers/crypto/padlock-aes.c
28954 --- linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-19 00:06:34.000000000 -0400
28955 +++ linux-2.6.39.3/drivers/crypto/padlock-aes.c 2011-05-22 19:36:31.000000000 -0400
28956 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
28957 struct crypto_aes_ctx gen_aes;
28958 int cpu;
28959
28960 + pax_track_stack();
28961 +
28962 if (key_len % 8) {
28963 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28964 return -EINVAL;
28965 diff -urNp linux-2.6.39.3/drivers/dca/dca-core.c linux-2.6.39.3/drivers/dca/dca-core.c
28966 --- linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-19 00:06:34.000000000 -0400
28967 +++ linux-2.6.39.3/drivers/dca/dca-core.c 2011-05-22 19:36:31.000000000 -0400
28968 @@ -325,7 +325,7 @@ EXPORT_SYMBOL_GPL(dca_get_tag);
28969 * @ops - pointer to struct of dca operation function pointers
28970 * @priv_size - size of extra mem to be added for provider's needs
28971 */
28972 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size)
28973 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size)
28974 {
28975 struct dca_provider *dca;
28976 int alloc_size;
28977 diff -urNp linux-2.6.39.3/drivers/dma/ioat/dca.c linux-2.6.39.3/drivers/dma/ioat/dca.c
28978 --- linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-19 00:06:34.000000000 -0400
28979 +++ linux-2.6.39.3/drivers/dma/ioat/dca.c 2011-05-22 19:36:31.000000000 -0400
28980 @@ -234,7 +234,7 @@ static int ioat_dca_dev_managed(struct d
28981 return 0;
28982 }
28983
28984 -static struct dca_ops ioat_dca_ops = {
28985 +static const struct dca_ops ioat_dca_ops = {
28986 .add_requester = ioat_dca_add_requester,
28987 .remove_requester = ioat_dca_remove_requester,
28988 .get_tag = ioat_dca_get_tag,
28989 @@ -384,7 +384,7 @@ static u8 ioat2_dca_get_tag(struct dca_p
28990 return tag;
28991 }
28992
28993 -static struct dca_ops ioat2_dca_ops = {
28994 +static const struct dca_ops ioat2_dca_ops = {
28995 .add_requester = ioat2_dca_add_requester,
28996 .remove_requester = ioat2_dca_remove_requester,
28997 .get_tag = ioat2_dca_get_tag,
28998 @@ -579,7 +579,7 @@ static u8 ioat3_dca_get_tag(struct dca_p
28999 return tag;
29000 }
29001
29002 -static struct dca_ops ioat3_dca_ops = {
29003 +static const struct dca_ops ioat3_dca_ops = {
29004 .add_requester = ioat3_dca_add_requester,
29005 .remove_requester = ioat3_dca_remove_requester,
29006 .get_tag = ioat3_dca_get_tag,
29007 diff -urNp linux-2.6.39.3/drivers/edac/amd64_edac.h linux-2.6.39.3/drivers/edac/amd64_edac.h
29008 --- linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-19 00:06:34.000000000 -0400
29009 +++ linux-2.6.39.3/drivers/edac/amd64_edac.h 2011-05-22 19:36:31.000000000 -0400
29010 @@ -333,7 +333,7 @@ struct chip_select {
29011 };
29012
29013 struct amd64_pvt {
29014 - struct low_ops *ops;
29015 + const struct low_ops *ops;
29016
29017 /* pci_device handles which we utilize */
29018 struct pci_dev *F1, *F2, *F3;
29019 @@ -443,7 +443,7 @@ struct low_ops {
29020 struct amd64_family_type {
29021 const char *ctl_name;
29022 u16 f1_id, f3_id;
29023 - struct low_ops ops;
29024 + const struct low_ops ops;
29025 };
29026
29027 int __amd64_write_pci_cfg_dword(struct pci_dev *pdev, int offset,
29028 diff -urNp linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c
29029 --- linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-19 00:06:34.000000000 -0400
29030 +++ linux-2.6.39.3/drivers/edac/edac_mc_sysfs.c 2011-05-22 19:36:31.000000000 -0400
29031 @@ -760,7 +760,7 @@ static void edac_inst_grp_release(struct
29032 }
29033
29034 /* Intermediate show/store table */
29035 -static struct sysfs_ops inst_grp_ops = {
29036 +static const struct sysfs_ops inst_grp_ops = {
29037 .show = inst_grp_show,
29038 .store = inst_grp_store
29039 };
29040 diff -urNp linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c
29041 --- linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-19 00:06:34.000000000 -0400
29042 +++ linux-2.6.39.3/drivers/edac/edac_pci_sysfs.c 2011-05-22 19:36:31.000000000 -0400
29043 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
29044 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
29045 static int edac_pci_poll_msec = 1000; /* one second workq period */
29046
29047 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
29048 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
29049 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
29050 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
29051
29052 static struct kobject *edac_pci_top_main_kobj;
29053 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
29054 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
29055 edac_printk(KERN_CRIT, EDAC_PCI,
29056 "Signaled System Error on %s\n",
29057 pci_name(dev));
29058 - atomic_inc(&pci_nonparity_count);
29059 + atomic_inc_unchecked(&pci_nonparity_count);
29060 }
29061
29062 if (status & (PCI_STATUS_PARITY)) {
29063 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
29064 "Master Data Parity Error on %s\n",
29065 pci_name(dev));
29066
29067 - atomic_inc(&pci_parity_count);
29068 + atomic_inc_unchecked(&pci_parity_count);
29069 }
29070
29071 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29072 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
29073 "Detected Parity Error on %s\n",
29074 pci_name(dev));
29075
29076 - atomic_inc(&pci_parity_count);
29077 + atomic_inc_unchecked(&pci_parity_count);
29078 }
29079 }
29080
29081 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
29082 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
29083 "Signaled System Error on %s\n",
29084 pci_name(dev));
29085 - atomic_inc(&pci_nonparity_count);
29086 + atomic_inc_unchecked(&pci_nonparity_count);
29087 }
29088
29089 if (status & (PCI_STATUS_PARITY)) {
29090 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
29091 "Master Data Parity Error on "
29092 "%s\n", pci_name(dev));
29093
29094 - atomic_inc(&pci_parity_count);
29095 + atomic_inc_unchecked(&pci_parity_count);
29096 }
29097
29098 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29099 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
29100 "Detected Parity Error on %s\n",
29101 pci_name(dev));
29102
29103 - atomic_inc(&pci_parity_count);
29104 + atomic_inc_unchecked(&pci_parity_count);
29105 }
29106 }
29107 }
29108 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
29109 if (!check_pci_errors)
29110 return;
29111
29112 - before_count = atomic_read(&pci_parity_count);
29113 + before_count = atomic_read_unchecked(&pci_parity_count);
29114
29115 /* scan all PCI devices looking for a Parity Error on devices and
29116 * bridges.
29117 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
29118 /* Only if operator has selected panic on PCI Error */
29119 if (edac_pci_get_panic_on_pe()) {
29120 /* If the count is different 'after' from 'before' */
29121 - if (before_count != atomic_read(&pci_parity_count))
29122 + if (before_count != atomic_read_unchecked(&pci_parity_count))
29123 panic("EDAC: PCI Parity Error");
29124 }
29125 }
29126 diff -urNp linux-2.6.39.3/drivers/edac/i7core_edac.c linux-2.6.39.3/drivers/edac/i7core_edac.c
29127 --- linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-05-19 00:06:34.000000000 -0400
29128 +++ linux-2.6.39.3/drivers/edac/i7core_edac.c 2011-07-06 20:00:14.000000000 -0400
29129 @@ -1670,7 +1670,7 @@ static void i7core_mce_output_error(stru
29130 char *type, *optype, *err, *msg;
29131 unsigned long error = m->status & 0x1ff0000l;
29132 u32 optypenum = (m->status >> 4) & 0x07;
29133 - u32 core_err_cnt = (m->status >> 38) && 0x7fff;
29134 + u32 core_err_cnt = (m->status >> 38) & 0x7fff;
29135 u32 dimm = (m->misc >> 16) & 0x3;
29136 u32 channel = (m->misc >> 18) & 0x3;
29137 u32 syndrome = m->misc >> 32;
29138 diff -urNp linux-2.6.39.3/drivers/firewire/core-cdev.c linux-2.6.39.3/drivers/firewire/core-cdev.c
29139 --- linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-19 00:06:34.000000000 -0400
29140 +++ linux-2.6.39.3/drivers/firewire/core-cdev.c 2011-05-22 19:36:31.000000000 -0400
29141 @@ -1312,8 +1312,7 @@ static int init_iso_resource(struct clie
29142 int ret;
29143
29144 if ((request->channels == 0 && request->bandwidth == 0) ||
29145 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
29146 - request->bandwidth < 0)
29147 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
29148 return -EINVAL;
29149
29150 r = kmalloc(sizeof(*r), GFP_KERNEL);
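Review bot: Dropping `request->bandwidth < 0` in init_iso_resource() is only safe while `bandwidth` is an unsigned field, and nothing in the hunk records that assumption. The struct definition is outside this hunk; if the field is unsigned, as the removal implies, the old test was dead code and the upper bound alone rejects every out-of-range value. A one-line comment above the condition, such as `/* bandwidth is unsigned: only the upper bound needs checking */`, would keep a later type change from silently reopening the negative case. The function body continues past the end of the hunk.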
29151 diff -urNp linux-2.6.39.3/drivers/firewire/core-transaction.c linux-2.6.39.3/drivers/firewire/core-transaction.c
29152 --- linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-19 00:06:34.000000000 -0400
29153 +++ linux-2.6.39.3/drivers/firewire/core-transaction.c 2011-05-22 19:36:31.000000000 -0400
29154 @@ -36,6 +36,7 @@
29155 #include <linux/string.h>
29156 #include <linux/timer.h>
29157 #include <linux/types.h>
29158 +#include <linux/sched.h>
29159
29160 #include <asm/byteorder.h>
29161
29162 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
29163 struct transaction_callback_data d;
29164 struct fw_transaction t;
29165
29166 + pax_track_stack();
29167 +
29168 init_timer_on_stack(&t.split_timeout_timer);
29169 init_completion(&d.done);
29170 d.payload = payload;
29171 diff -urNp linux-2.6.39.3/drivers/firmware/dmi_scan.c linux-2.6.39.3/drivers/firmware/dmi_scan.c
29172 --- linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-19 00:06:34.000000000 -0400
29173 +++ linux-2.6.39.3/drivers/firmware/dmi_scan.c 2011-05-22 19:36:31.000000000 -0400
29174 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
29175 }
29176 }
29177 else {
29178 - /*
29179 - * no iounmap() for that ioremap(); it would be a no-op, but
29180 - * it's so early in setup that sucker gets confused into doing
29181 - * what it shouldn't if we actually call it.
29182 - */
29183 p = dmi_ioremap(0xF0000, 0x10000);
29184 if (p == NULL)
29185 goto error;
29186 diff -urNp linux-2.6.39.3/drivers/gpio/vr41xx_giu.c linux-2.6.39.3/drivers/gpio/vr41xx_giu.c
29187 --- linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-19 00:06:34.000000000 -0400
29188 +++ linux-2.6.39.3/drivers/gpio/vr41xx_giu.c 2011-05-22 19:36:31.000000000 -0400
29189 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
29190 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
29191 maskl, pendl, maskh, pendh);
29192
29193 - atomic_inc(&irq_err_count);
29194 + atomic_inc_unchecked(&irq_err_count);
29195
29196 return -EINVAL;
29197 }
29198 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c
29199 --- linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-19 00:06:34.000000000 -0400
29200 +++ linux-2.6.39.3/drivers/gpu/drm/drm_crtc_helper.c 2011-05-22 19:36:31.000000000 -0400
29201 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
29202 struct drm_crtc *tmp;
29203 int crtc_mask = 1;
29204
29205 - WARN(!crtc, "checking null crtc?\n");
29206 + BUG_ON(!crtc);
29207
29208 dev = crtc->dev;
29209
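Review bot: `BUG_ON(!crtc)` in drm_encoder_crtc_ok() turns a caller bug into a fatal kernel BUG, although the function returns `bool` and could fail closed instead. The old `WARN()` was not a real guard either, since `dev = crtc->dev` two lines later dereferences the pointer anyway. A recoverable form would be `if (WARN_ON(!crtc)) return false;`, which still logs the condition and never reaches the dereference. If the hard stop is deliberate, it deserves a comment saying so, because a BUG in a mode-setting path may fire while locks are held (the callers are not visible here). The function body continues outside the hunk.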
29210 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
29211 struct drm_encoder *encoder;
29212 bool ret = true;
29213
29214 + pax_track_stack();
29215 +
29216 crtc->enabled = drm_helper_crtc_in_use(crtc);
29217 if (!crtc->enabled)
29218 return true;
29219 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_drv.c linux-2.6.39.3/drivers/gpu/drm/drm_drv.c
29220 --- linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-19 00:06:34.000000000 -0400
29221 +++ linux-2.6.39.3/drivers/gpu/drm/drm_drv.c 2011-05-22 19:36:31.000000000 -0400
29222 @@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
29223
29224 dev = file_priv->minor->dev;
29225 atomic_inc(&dev->ioctl_count);
29226 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29227 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29228 ++file_priv->ioctl_count;
29229
29230 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29231 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_fops.c linux-2.6.39.3/drivers/gpu/drm/drm_fops.c
29232 --- linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-19 00:06:34.000000000 -0400
29233 +++ linux-2.6.39.3/drivers/gpu/drm/drm_fops.c 2011-05-22 19:36:31.000000000 -0400
29234 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
29235 }
29236
29237 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29238 - atomic_set(&dev->counts[i], 0);
29239 + atomic_set_unchecked(&dev->counts[i], 0);
29240
29241 dev->sigdata.lock = NULL;
29242
29243 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
29244
29245 retcode = drm_open_helper(inode, filp, dev);
29246 if (!retcode) {
29247 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29248 - if (!dev->open_count++)
29249 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29250 + if (local_inc_return(&dev->open_count) == 1)
29251 retcode = drm_setup(dev);
29252 }
29253 if (!retcode) {
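Review bot: `local_inc_return(&dev->open_count) == 1` is a reliable first-open test only if every writer of `open_count` is serialised by an outer lock, because `local_t` operations are atomic with respect to the executing CPU only. The drm_release() hunk further down shows `mutex_lock(&drm_global_mutex)` before its `local_dec_and_test(&dev->open_count)`, but the locking around this call in drm_open() is outside the hunk, so it cannot be confirmed from here. A comment at the field or at this call site would record the requirement, for example `/* open_count is local_t: callers must hold drm_global_mutex */`. The same applies to the `local_dec_and_test()` in the `@@ -565,8 +565,8 @@` hunk of this file.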
29254 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
29255
29256 mutex_lock(&drm_global_mutex);
29257
29258 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29259 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29260
29261 if (dev->driver->preclose)
29262 dev->driver->preclose(dev, file_priv);
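Review bot: The `%d` conversion in `DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count))` no longer matches its argument. `local_read()` is built on `atomic_long_read()` in the generic and x86 headers, so it yields a `long`, not an `int`. The line should read `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The next hunk (`@@ -484,7 +484,7 @@`) has the same mismatch in its final `open_count = %d` conversion, which also needs `%ld`. Both calls sit inside drm_release(), whose body extends beyond these hunks.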
29263 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
29264 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29265 task_pid_nr(current),
29266 (long)old_encode_dev(file_priv->minor->device),
29267 - dev->open_count);
29268 + local_read(&dev->open_count));
29269
29270 /* if the master has gone away we can't do anything with the lock */
29271 if (file_priv->minor->master)
29272 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
29273 * End inline drm_release
29274 */
29275
29276 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
29277 - if (!--dev->open_count) {
29278 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
29279 + if (local_dec_and_test(&dev->open_count)) {
29280 if (atomic_read(&dev->ioctl_count)) {
29281 DRM_ERROR("Device busy: %d\n",
29282 atomic_read(&dev->ioctl_count));
29283 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_global.c linux-2.6.39.3/drivers/gpu/drm/drm_global.c
29284 --- linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-19 00:06:34.000000000 -0400
29285 +++ linux-2.6.39.3/drivers/gpu/drm/drm_global.c 2011-05-22 19:36:31.000000000 -0400
29286 @@ -36,7 +36,7 @@
29287 struct drm_global_item {
29288 struct mutex mutex;
29289 void *object;
29290 - int refcount;
29291 + atomic_t refcount;
29292 };
29293
29294 static struct drm_global_item glob[DRM_GLOBAL_NUM];
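Review bot: The new `atomic_t refcount` field in `struct drm_global_item` carries no comment on what serialises it, and the type change invites the reading that it is now safe to touch without `item->mutex`. In the ref and unref hunks below, the `atomic_read()` test and the following `atomic_inc()` or `atomic_dec_and_test()` are separate steps that stay correct only because the mutex is held across them. The conversion therefore looks aimed at overflow detection rather than lock-free use, though the patch does not say so. A field comment such as `/* changed under mutex; atomic_t is not a licence for lockless access */` would make that explicit.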
29295 @@ -49,7 +49,7 @@ void drm_global_init(void)
29296 struct drm_global_item *item = &glob[i];
29297 mutex_init(&item->mutex);
29298 item->object = NULL;
29299 - item->refcount = 0;
29300 + atomic_set(&item->refcount, 0);
29301 }
29302 }
29303
29304 @@ -59,7 +59,7 @@ void drm_global_release(void)
29305 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
29306 struct drm_global_item *item = &glob[i];
29307 BUG_ON(item->object != NULL);
29308 - BUG_ON(item->refcount != 0);
29309 + BUG_ON(atomic_read(&item->refcount) != 0);
29310 }
29311 }
29312
29313 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
29314 void *object;
29315
29316 mutex_lock(&item->mutex);
29317 - if (item->refcount == 0) {
29318 + if (atomic_read(&item->refcount) == 0) {
29319 item->object = kzalloc(ref->size, GFP_KERNEL);
29320 if (unlikely(item->object == NULL)) {
29321 ret = -ENOMEM;
29322 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
29323 goto out_err;
29324
29325 }
29326 - ++item->refcount;
29327 + atomic_inc(&item->refcount);
29328 ref->object = item->object;
29329 object = item->object;
29330 mutex_unlock(&item->mutex);
29331 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
29332 struct drm_global_item *item = &glob[ref->global_type];
29333
29334 mutex_lock(&item->mutex);
29335 - BUG_ON(item->refcount == 0);
29336 + BUG_ON(atomic_read(&item->refcount) == 0);
29337 BUG_ON(ref->object != item->object);
29338 - if (--item->refcount == 0) {
29339 + if (atomic_dec_and_test(&item->refcount)) {
29340 ref->release(ref);
29341 item->object = NULL;
29342 }
29343 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_info.c linux-2.6.39.3/drivers/gpu/drm/drm_info.c
29344 --- linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-19 00:06:34.000000000 -0400
29345 +++ linux-2.6.39.3/drivers/gpu/drm/drm_info.c 2011-05-22 19:41:37.000000000 -0400
29346 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
29347 struct drm_local_map *map;
29348 struct drm_map_list *r_list;
29349
29350 - /* Hardcoded from _DRM_FRAME_BUFFER,
29351 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
29352 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
29353 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
29354 + static const char * const types[] = {
29355 + [_DRM_FRAME_BUFFER] = "FB",
29356 + [_DRM_REGISTERS] = "REG",
29357 + [_DRM_SHM] = "SHM",
29358 + [_DRM_AGP] = "AGP",
29359 + [_DRM_SCATTER_GATHER] = "SG",
29360 + [_DRM_CONSISTENT] = "PCI",
29361 + [_DRM_GEM] = "GEM" };
29362 const char *type;
29363 int i;
29364
29365 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
29366 map = r_list->map;
29367 if (!map)
29368 continue;
29369 - if (map->type < 0 || map->type > 5)
29370 + if (map->type >= ARRAY_SIZE(types))
29371 type = "??";
29372 else
29373 type = types[map->type];
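Review bot: The new bound `map->type >= ARRAY_SIZE(types)` does not cover a hole in the table, because with designated initialisers any index without an entry is a NULL pointer and `types[map->type]` would be handed on as the string to print. The seven initialisers are in the previous hunk, but whether the `_DRM_*` values are contiguous from zero cannot be seen here. A guard such as `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` keeps the `"??"` fallback working if the enum ever gains a gap. The dropped `map->type < 0` test is still covered, since the comparison against `ARRAY_SIZE()` is done in an unsigned type. The loop this check sits in starts and ends outside the hunk.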
29374 @@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
29375 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29376 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29377 vma->vm_flags & VM_IO ? 'i' : '-',
29378 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29379 + 0);
29380 +#else
29381 vma->vm_pgoff);
29382 +#endif
29383
29384 #if defined(__i386__)
29385 pgprot = pgprot_val(vma->vm_page_prot);
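Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the argument becomes a plain `0`, which is an `int`, while the value it replaces, `vma->vm_pgoff`, is an `unsigned long`. The format string is outside the hunk, but if its last conversion is a long one, as the original argument suggests, the two branches now pass different types through varargs. Writing `0UL);` keeps both branches type-compatible with the same conversion. A short comment on the `#ifdef` would also help, stating what is being hidden and that the neighbouring fields are still printed on purpose. The call this argument belongs to begins above the hunk.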
29386 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c
29387 --- linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-19 00:06:34.000000000 -0400
29388 +++ linux-2.6.39.3/drivers/gpu/drm/drm_ioctl.c 2011-05-22 19:36:31.000000000 -0400
29389 @@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
29390 stats->data[i].value =
29391 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29392 else
29393 - stats->data[i].value = atomic_read(&dev->counts[i]);
29394 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29395 stats->data[i].type = dev->types[i];
29396 }
29397
29398 diff -urNp linux-2.6.39.3/drivers/gpu/drm/drm_lock.c linux-2.6.39.3/drivers/gpu/drm/drm_lock.c
29399 --- linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-19 00:06:34.000000000 -0400
29400 +++ linux-2.6.39.3/drivers/gpu/drm/drm_lock.c 2011-05-22 19:36:31.000000000 -0400
29401 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
29402 if (drm_lock_take(&master->lock, lock->context)) {
29403 master->lock.file_priv = file_priv;
29404 master->lock.lock_time = jiffies;
29405 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29406 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29407 break; /* Got lock */
29408 }
29409
29410 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
29411 return -EINVAL;
29412 }
29413
29414 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29415 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29416
29417 if (drm_lock_free(&master->lock, lock->context)) {
29418 /* FIXME: Should really bail out here. */
29419 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c
29420 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-19 00:06:34.000000000 -0400
29421 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_dma.c 2011-05-22 19:36:31.000000000 -0400
29422 @@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
29423 dma->buflist[vertex->idx],
29424 vertex->discard, vertex->used);
29425
29426 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29427 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29428 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29429 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29430 sarea_priv->last_enqueue = dev_priv->counter - 1;
29431 sarea_priv->last_dispatch = (int)hw_status[5];
29432
29433 @@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
29434 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29435 mc->last_render);
29436
29437 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29438 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29439 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29440 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29441 sarea_priv->last_enqueue = dev_priv->counter - 1;
29442 sarea_priv->last_dispatch = (int)hw_status[5];
29443
29444 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h
29445 --- linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-19 00:06:34.000000000 -0400
29446 +++ linux-2.6.39.3/drivers/gpu/drm/i810/i810_drv.h 2011-05-22 19:36:31.000000000 -0400
29447 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29448 int page_flipping;
29449
29450 wait_queue_head_t irq_queue;
29451 - atomic_t irq_received;
29452 - atomic_t irq_emitted;
29453 + atomic_unchecked_t irq_received;
29454 + atomic_unchecked_t irq_emitted;
29455
29456 int front_offset;
29457 } drm_i810_private_t;
29458 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c
29459 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-19 00:06:34.000000000 -0400
29460 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7017.c 2011-05-22 19:36:31.000000000 -0400
29461 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
29462 }
29463 }
29464
29465 -struct intel_dvo_dev_ops ch7017_ops = {
29466 +const struct intel_dvo_dev_ops ch7017_ops = {
29467 .init = ch7017_init,
29468 .detect = ch7017_detect,
29469 .mode_valid = ch7017_mode_valid,
29470 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c
29471 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-19 00:06:34.000000000 -0400
29472 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-05-22 19:36:31.000000000 -0400
29473 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
29474 }
29475 }
29476
29477 -struct intel_dvo_dev_ops ch7xxx_ops = {
29478 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29479 .init = ch7xxx_init,
29480 .detect = ch7xxx_detect,
29481 .mode_valid = ch7xxx_mode_valid,
29482 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h
29483 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-19 00:06:34.000000000 -0400
29484 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo.h 2011-05-22 19:36:31.000000000 -0400
29485 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
29486 *
29487 * \return singly-linked list of modes or NULL if no modes found.
29488 */
29489 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29490 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29491
29492 /**
29493 * Clean up driver-specific bits of the output
29494 */
29495 - void (*destroy) (struct intel_dvo_device *dvo);
29496 + void (* const destroy) (struct intel_dvo_device *dvo);
29497
29498 /**
29499 * Debugging hook to dump device registers to log file
29500 */
29501 - void (*dump_regs)(struct intel_dvo_device *dvo);
29502 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29503 };
29504
29505 -extern struct intel_dvo_dev_ops sil164_ops;
29506 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29507 -extern struct intel_dvo_dev_ops ivch_ops;
29508 -extern struct intel_dvo_dev_ops tfp410_ops;
29509 -extern struct intel_dvo_dev_ops ch7017_ops;
29510 +extern const struct intel_dvo_dev_ops sil164_ops;
29511 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29512 +extern const struct intel_dvo_dev_ops ivch_ops;
29513 +extern const struct intel_dvo_dev_ops tfp410_ops;
29514 +extern const struct intel_dvo_dev_ops ch7017_ops;
29515
29516 #endif /* _INTEL_DVO_H */
29517 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c
29518 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-19 00:06:34.000000000 -0400
29519 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_ivch.c 2011-05-22 19:36:31.000000000 -0400
29520 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
29521 }
29522 }
29523
29524 -struct intel_dvo_dev_ops ivch_ops= {
29525 +const struct intel_dvo_dev_ops ivch_ops= {
29526 .init = ivch_init,
29527 .dpms = ivch_dpms,
29528 .mode_valid = ivch_mode_valid,
29529 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c
29530 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-19 00:06:34.000000000 -0400
29531 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_sil164.c 2011-05-22 19:36:31.000000000 -0400
29532 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
29533 }
29534 }
29535
29536 -struct intel_dvo_dev_ops sil164_ops = {
29537 +const struct intel_dvo_dev_ops sil164_ops = {
29538 .init = sil164_init,
29539 .detect = sil164_detect,
29540 .mode_valid = sil164_mode_valid,
29541 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c
29542 --- linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-19 00:06:34.000000000 -0400
29543 +++ linux-2.6.39.3/drivers/gpu/drm/i915/dvo_tfp410.c 2011-05-22 19:36:31.000000000 -0400
29544 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
29545 }
29546 }
29547
29548 -struct intel_dvo_dev_ops tfp410_ops = {
29549 +const struct intel_dvo_dev_ops tfp410_ops = {
29550 .init = tfp410_init,
29551 .detect = tfp410_detect,
29552 .mode_valid = tfp410_mode_valid,
29553 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c
29554 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-19 00:06:34.000000000 -0400
29555 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-22 19:36:31.000000000 -0400
29556 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
29557 I915_READ(GTIMR));
29558 }
29559 seq_printf(m, "Interrupts received: %d\n",
29560 - atomic_read(&dev_priv->irq_received));
29561 + atomic_read_unchecked(&dev_priv->irq_received));
29562 for (i = 0; i < I915_NUM_RINGS; i++) {
29563 if (IS_GEN6(dev)) {
29564 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
29565 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c
29566 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-19 00:06:34.000000000 -0400
29567 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_dma.c 2011-05-22 19:36:31.000000000 -0400
29568 @@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
29569 bool can_switch;
29570
29571 spin_lock(&dev->count_lock);
29572 - can_switch = (dev->open_count == 0);
29573 + can_switch = (local_read(&dev->open_count) == 0);
29574 spin_unlock(&dev->count_lock);
29575 return can_switch;
29576 }
29577 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c
29578 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-19 00:06:34.000000000 -0400
29579 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.c 2011-05-22 19:36:31.000000000 -0400
29580 @@ -679,7 +679,7 @@ static const struct dev_pm_ops i915_pm_o
29581 .restore = i915_pm_resume,
29582 };
29583
29584 -static struct vm_operations_struct i915_gem_vm_ops = {
29585 +static const struct vm_operations_struct i915_gem_vm_ops = {
29586 .fault = i915_gem_fault,
29587 .open = drm_gem_vm_open,
29588 .close = drm_gem_vm_close,
29589 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h
29590 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-19 00:06:34.000000000 -0400
29591 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_drv.h 2011-05-22 19:36:31.000000000 -0400
29592 @@ -287,7 +287,7 @@ typedef struct drm_i915_private {
29593 int current_page;
29594 int page_flipping;
29595
29596 - atomic_t irq_received;
29597 + atomic_unchecked_t irq_received;
29598
29599 /* protects the irq masks */
29600 spinlock_t irq_lock;
29601 @@ -848,7 +848,7 @@ struct drm_i915_gem_object {
29602 * will be page flipped away on the next vblank. When it
29603 * reaches 0, dev_priv->pending_flip_queue will be woken up.
29604 */
29605 - atomic_t pending_flip;
29606 + atomic_unchecked_t pending_flip;
29607 };
29608
29609 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
29610 @@ -1232,7 +1232,7 @@ extern int intel_setup_gmbus(struct drm_
29611 extern void intel_teardown_gmbus(struct drm_device *dev);
29612 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
29613 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
29614 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29615 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
29616 {
29617 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
29618 }
29619 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c
29620 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-19 00:06:34.000000000 -0400
29621 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-05-22 19:36:31.000000000 -0400
29622 @@ -192,7 +192,7 @@ i915_gem_object_set_to_gpu_domain(struct
29623 i915_gem_release_mmap(obj);
29624
29625 if (obj->base.pending_write_domain)
29626 - cd->flips |= atomic_read(&obj->pending_flip);
29627 + cd->flips |= atomic_read_unchecked(&obj->pending_flip);
29628
29629 /* The actual obj->write_domain will be updated with
29630 * pending_write_domain after we emit the accumulated flush for all
29631 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c
29632 --- linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:18:51.000000000 -0400
29633 +++ linux-2.6.39.3/drivers/gpu/drm/i915/i915_irq.c 2011-07-09 09:19:18.000000000 -0400
29634 @@ -1101,7 +1101,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29635 int ret = IRQ_NONE, pipe;
29636 bool blc_event = false;
29637
29638 - atomic_inc(&dev_priv->irq_received);
29639 + atomic_inc_unchecked(&dev_priv->irq_received);
29640
29641 if (HAS_PCH_SPLIT(dev))
29642 return ironlake_irq_handler(dev);
29643 @@ -1666,7 +1666,7 @@ void i915_driver_irq_preinstall(struct d
29644 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29645 int pipe;
29646
29647 - atomic_set(&dev_priv->irq_received, 0);
29648 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29649
29650 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29651 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29652 diff -urNp linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c
29653 --- linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-19 00:06:34.000000000 -0400
29654 +++ linux-2.6.39.3/drivers/gpu/drm/i915/intel_display.c 2011-05-22 19:36:31.000000000 -0400
29655 @@ -2244,7 +2244,7 @@ intel_pipe_set_base(struct drm_crtc *crt
29656
29657 wait_event(dev_priv->pending_flip_queue,
29658 atomic_read(&dev_priv->mm.wedged) ||
29659 - atomic_read(&obj->pending_flip) == 0);
29660 + atomic_read_unchecked(&obj->pending_flip) == 0);
29661
29662 /* Big Hammer, we also need to ensure that any pending
29663 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
29664 @@ -2712,7 +2712,7 @@ static void intel_crtc_wait_for_pending_
29665 obj = to_intel_framebuffer(crtc->fb)->obj;
29666 dev_priv = crtc->dev->dev_private;
29667 wait_event(dev_priv->pending_flip_queue,
29668 - atomic_read(&obj->pending_flip) == 0);
29669 + atomic_read_unchecked(&obj->pending_flip) == 0);
29670 }
29671
29672 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
29673 @@ -6016,7 +6016,7 @@ static void do_intel_finish_page_flip(st
29674
29675 atomic_clear_mask(1 << intel_crtc->plane,
29676 &obj->pending_flip.counter);
29677 - if (atomic_read(&obj->pending_flip) == 0)
29678 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
29679 wake_up(&dev_priv->pending_flip_queue);
29680
29681 schedule_work(&work->work);
29682 @@ -6145,7 +6145,7 @@ static int intel_crtc_page_flip(struct d
29683 /* Block clients from rendering to the new back buffer until
29684 * the flip occurs and the object is no longer visible.
29685 */
29686 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29687 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
29688
29689 switch (INTEL_INFO(dev)->gen) {
29690 case 2:
29691 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h
29692 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-19 00:06:34.000000000 -0400
29693 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_drv.h 2011-05-22 19:36:31.000000000 -0400
29694 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29695 u32 clear_cmd;
29696 u32 maccess;
29697
29698 - atomic_t vbl_received; /**< Number of vblanks received. */
29699 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29700 wait_queue_head_t fence_queue;
29701 - atomic_t last_fence_retired;
29702 + atomic_unchecked_t last_fence_retired;
29703 u32 next_fence_to_post;
29704
29705 unsigned int fb_cpp;
29706 diff -urNp linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c
29707 --- linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-19 00:06:34.000000000 -0400
29708 +++ linux-2.6.39.3/drivers/gpu/drm/mga/mga_irq.c 2011-05-22 19:36:31.000000000 -0400
29709 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29710 if (crtc != 0)
29711 return 0;
29712
29713 - return atomic_read(&dev_priv->vbl_received);
29714 + return atomic_read_unchecked(&dev_priv->vbl_received);
29715 }
29716
29717
29718 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29719 /* VBLANK interrupt */
29720 if (status & MGA_VLINEPEN) {
29721 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29722 - atomic_inc(&dev_priv->vbl_received);
29723 + atomic_inc_unchecked(&dev_priv->vbl_received);
29724 drm_handle_vblank(dev, 0);
29725 handled = 1;
29726 }
29727 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29728 if ((prim_start & ~0x03) != (prim_end & ~0x03))
29729 MGA_WRITE(MGA_PRIMEND, prim_end);
29730
29731 - atomic_inc(&dev_priv->last_fence_retired);
29732 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29733 DRM_WAKEUP(&dev_priv->fence_queue);
29734 handled = 1;
29735 }
29736 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
29737 * using fences.
29738 */
29739 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29740 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29741 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29742 - *sequence) <= (1 << 23)));
29743
29744 *sequence = cur_fence;
29745 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c
29746 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-19 00:06:34.000000000 -0400
29747 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_acpi.c 2011-05-22 19:36:31.000000000 -0400
29748 @@ -141,7 +141,7 @@ static int nouveau_dsm_get_client_id(str
29749 return VGA_SWITCHEROO_DIS;
29750 }
29751
29752 -static struct vga_switcheroo_handler nouveau_dsm_handler = {
29753 +static const struct vga_switcheroo_handler nouveau_dsm_handler = {
29754 .switchto = nouveau_dsm_switchto,
29755 .power_state = nouveau_dsm_power_state,
29756 .init = nouveau_dsm_init,
29757 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h
29758 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-05-19 00:06:34.000000000 -0400
29759 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-06-07 18:07:24.000000000 -0400
29760 @@ -228,7 +228,7 @@ struct nouveau_channel {
29761 struct list_head pending;
29762 uint32_t sequence;
29763 uint32_t sequence_ack;
29764 - atomic_t last_sequence_irq;
29765 + atomic_unchecked_t last_sequence_irq;
29766 } fence;
29767
29768 /* DMA push buffer */
29769 @@ -662,7 +662,7 @@ struct drm_nouveau_private {
29770 struct drm_global_reference mem_global_ref;
29771 struct ttm_bo_global_ref bo_global_ref;
29772 struct ttm_bo_device bdev;
29773 - atomic_t validate_sequence;
29774 + atomic_unchecked_t validate_sequence;
29775 } ttm;
29776
29777 struct {
29778 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c
29779 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-19 00:06:34.000000000 -0400
29780 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-05-22 19:36:31.000000000 -0400
29781 @@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
29782 if (USE_REFCNT(dev))
29783 sequence = nvchan_rd32(chan, 0x48);
29784 else
29785 - sequence = atomic_read(&chan->fence.last_sequence_irq);
29786 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
29787
29788 if (chan->fence.sequence_ack == sequence)
29789 goto out;
29790 @@ -553,7 +553,7 @@ nouveau_fence_channel_init(struct nouvea
29791 out_initialised:
29792 INIT_LIST_HEAD(&chan->fence.pending);
29793 spin_lock_init(&chan->fence.lock);
29794 - atomic_set(&chan->fence.last_sequence_irq, 0);
29795 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
29796 return 0;
29797 }
29798
29799 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c
29800 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-19 00:06:34.000000000 -0400
29801 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-05-22 19:36:31.000000000 -0400
29802 @@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
29803 int trycnt = 0;
29804 int ret, i;
29805
29806 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
29807 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
29808 retry:
29809 if (++trycnt > 100000) {
29810 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
29811 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c
29812 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-19 00:06:34.000000000 -0400
29813 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nouveau_state.c 2011-05-22 19:36:31.000000000 -0400
29814 @@ -583,7 +583,7 @@ static bool nouveau_switcheroo_can_switc
29815 bool can_switch;
29816
29817 spin_lock(&dev->count_lock);
29818 - can_switch = (dev->open_count == 0);
29819 + can_switch = (local_read(&dev->open_count) == 0);
29820 spin_unlock(&dev->count_lock);
29821 return can_switch;
29822 }
29823 diff -urNp linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c
29824 --- linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-19 00:06:34.000000000 -0400
29825 +++ linux-2.6.39.3/drivers/gpu/drm/nouveau/nv04_graph.c 2011-05-22 19:36:31.000000000 -0400
29826 @@ -552,7 +552,7 @@ static int
29827 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
29828 u32 class, u32 mthd, u32 data)
29829 {
29830 - atomic_set(&chan->fence.last_sequence_irq, data);
29831 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
29832 return 0;
29833 }
29834
29835 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c
29836 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-19 00:06:34.000000000 -0400
29837 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_cce.c 2011-05-22 19:36:31.000000000 -0400
29838 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29839
29840 /* GH: Simple idle check.
29841 */
29842 - atomic_set(&dev_priv->idle_count, 0);
29843 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29844
29845 /* We don't support anything other than bus-mastering ring mode,
29846 * but the ring can be in either AGP or PCI space for the ring
29847 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h
29848 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-19 00:06:34.000000000 -0400
29849 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_drv.h 2011-05-22 19:36:31.000000000 -0400
29850 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29851 int is_pci;
29852 unsigned long cce_buffers_offset;
29853
29854 - atomic_t idle_count;
29855 + atomic_unchecked_t idle_count;
29856
29857 int page_flipping;
29858 int current_page;
29859 u32 crtc_offset;
29860 u32 crtc_offset_cntl;
29861
29862 - atomic_t vbl_received;
29863 + atomic_unchecked_t vbl_received;
29864
29865 u32 color_fmt;
29866 unsigned int front_offset;
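Review bot: Neither `idle_count` nor `vbl_received` carries a comment saying why it becomes `atomic_unchecked_t`, so a later reader cannot tell a deliberate opt-out from overflow detection apart from an oversight. Both look like event counters that are expected to wrap rather than reference counts (the r128_irq.c hunk returns `vbl_received` as the vblank counter), but that is inferred from the users, not stated. A one-line comment at each field, e.g. `/* event counter, may wrap; not a refcount */`, would make the exemption reviewable. The same gap exists for `swi_emitted` in radeon_drv.h, `seq` in radeon.h, `irq_received` and `vbl_received` in via_drv.h, `fence_seq` in vmwgfx_drv.h and `interrupt_handled` in sht15.c. The struct continues outside the hunk.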
29867 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c
29868 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-19 00:06:34.000000000 -0400
29869 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_irq.c 2011-05-22 19:36:31.000000000 -0400
29870 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29871 if (crtc != 0)
29872 return 0;
29873
29874 - return atomic_read(&dev_priv->vbl_received);
29875 + return atomic_read_unchecked(&dev_priv->vbl_received);
29876 }
29877
29878 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29879 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29880 /* VBLANK interrupt */
29881 if (status & R128_CRTC_VBLANK_INT) {
29882 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29883 - atomic_inc(&dev_priv->vbl_received);
29884 + atomic_inc_unchecked(&dev_priv->vbl_received);
29885 drm_handle_vblank(dev, 0);
29886 return IRQ_HANDLED;
29887 }
29888 diff -urNp linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c
29889 --- linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-19 00:06:34.000000000 -0400
29890 +++ linux-2.6.39.3/drivers/gpu/drm/r128/r128_state.c 2011-05-22 19:36:31.000000000 -0400
29891 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
29892
29893 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
29894 {
29895 - if (atomic_read(&dev_priv->idle_count) == 0)
29896 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
29897 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29898 else
29899 - atomic_set(&dev_priv->idle_count, 0);
29900 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29901 }
29902
29903 #endif
29904 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c
29905 --- linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-19 00:06:34.000000000 -0400
29906 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/atom.c 2011-05-22 19:36:31.000000000 -0400
29907 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
29908 char name[512];
29909 int i;
29910
29911 + pax_track_stack();
29912 +
29913 ctx->card = card;
29914 ctx->bios = bios;
29915
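Review bot: The added `pax_track_stack();` has no comment, and nothing at the call site says which local makes the frame large enough to need it; in this hunk it is presumably `char name[512]`. A short comment such as `/* large frame (name[512]): let PaX track stack depth here */` would tell a maintainer when the call can be dropped again. The calls added in radeon_get_atom_connector_info_from_object_table() and radeon_compute_pll_legacy() have the same gap, and there the large locals are only partly visible in the hunk. atom_parse() continues outside the hunk.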
29916 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c
29917 --- linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-19 00:06:34.000000000 -0400
29918 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/mkregtable.c 2011-05-22 19:36:31.000000000 -0400
29919 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29920 regex_t mask_rex;
29921 regmatch_t match[4];
29922 char buf[1024];
29923 - size_t end;
29924 + long end;
29925 int len;
29926 int done = 0;
29927 int r;
29928 unsigned o;
29929 struct offset *offset;
29930 char last_reg_s[10];
29931 - int last_reg;
29932 + unsigned long last_reg;
29933
29934 if (regcomp
29935 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
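Review bot: `end` becomes signed while `last_reg` becomes unsigned, and no comment ties either change to the call or comparison it is meant to fix; the uses of both variables are outside the hunk. If `end` receives an `ftell()` result and `last_reg` a `strtol()` result, as the names suggest, the first change makes a `< 0` error check effective, but the second would want `strtoul()` to match the new type. I would annotate the declarations, e.g. `long end; /* ftell() result, negative on error */`, and confirm which conversion function feeds `last_reg`.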
29936 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c
29937 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-19 00:06:34.000000000 -0400
29938 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-22 19:36:31.000000000 -0400
29939 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
29940 struct radeon_gpio_rec gpio;
29941 struct radeon_hpd hpd;
29942
29943 + pax_track_stack();
29944 +
29945 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
29946 return false;
29947
29948 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c
29949 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-19 00:06:34.000000000 -0400
29950 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_atpx_handler.c 2011-05-22 19:36:31.000000000 -0400
29951 @@ -234,7 +234,7 @@ static int radeon_atpx_get_client_id(str
29952 return VGA_SWITCHEROO_DIS;
29953 }
29954
29955 -static struct vga_switcheroo_handler radeon_atpx_handler = {
29956 +static const struct vga_switcheroo_handler radeon_atpx_handler = {
29957 .switchto = radeon_atpx_switchto,
29958 .power_state = radeon_atpx_power_state,
29959 .init = radeon_atpx_init,
29960 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c
29961 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 12:55:22.000000000 -0400
29962 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_device.c 2011-06-25 13:00:25.000000000 -0400
29963 @@ -674,7 +674,7 @@ static bool radeon_switcheroo_can_switch
29964 bool can_switch;
29965
29966 spin_lock(&dev->count_lock);
29967 - can_switch = (dev->open_count == 0);
29968 + can_switch = (local_read(&dev->open_count) == 0);
29969 spin_unlock(&dev->count_lock);
29970 return can_switch;
29971 }
29972 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c
29973 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-19 00:06:34.000000000 -0400
29974 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_display.c 2011-05-22 19:36:31.000000000 -0400
29975 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
29976 uint32_t post_div;
29977 u32 pll_out_min, pll_out_max;
29978
29979 + pax_track_stack();
29980 +
29981 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
29982 freq = freq * 1000;
29983
29984 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h
29985 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-19 00:06:34.000000000 -0400
29986 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-22 19:36:31.000000000 -0400
29987 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
29988
29989 /* SW interrupt */
29990 wait_queue_head_t swi_queue;
29991 - atomic_t swi_emitted;
29992 + atomic_unchecked_t swi_emitted;
29993 int vblank_crtc;
29994 uint32_t irq_enable_reg;
29995 uint32_t r500_disp_irq_reg;
29996 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c
29997 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-19 00:06:34.000000000 -0400
29998 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-22 19:36:31.000000000 -0400
29999 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
30000 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
30001 return 0;
30002 }
30003 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
30004 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
30005 if (!rdev->cp.ready) {
30006 /* FIXME: cp is not running assume everythings is done right
30007 * away
30008 @@ -352,7 +352,7 @@ int radeon_fence_driver_init(struct rade
30009 return r;
30010 }
30011 WREG32(rdev->fence_drv.scratch_reg, 0);
30012 - atomic_set(&rdev->fence_drv.seq, 0);
30013 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
30014 INIT_LIST_HEAD(&rdev->fence_drv.created);
30015 INIT_LIST_HEAD(&rdev->fence_drv.emited);
30016 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
30017 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h
30018 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-19 00:06:34.000000000 -0400
30019 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon.h 2011-05-22 19:36:31.000000000 -0400
30020 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
30021 */
30022 struct radeon_fence_driver {
30023 uint32_t scratch_reg;
30024 - atomic_t seq;
30025 + atomic_unchecked_t seq;
30026 uint32_t last_seq;
30027 unsigned long last_jiffies;
30028 unsigned long last_timeout;
30029 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c
30030 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-19 00:06:34.000000000 -0400
30031 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-05-22 19:36:31.000000000 -0400
30032 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
30033 request = compat_alloc_user_space(sizeof(*request));
30034 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
30035 || __put_user(req32.param, &request->param)
30036 - || __put_user((void __user *)(unsigned long)req32.value,
30037 + || __put_user((unsigned long)req32.value,
30038 &request->value))
30039 return -EFAULT;
30040
30041 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c
30042 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-19 00:06:34.000000000 -0400
30043 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-22 19:36:31.000000000 -0400
30044 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
30045 unsigned int ret;
30046 RING_LOCALS;
30047
30048 - atomic_inc(&dev_priv->swi_emitted);
30049 - ret = atomic_read(&dev_priv->swi_emitted);
30050 + atomic_inc_unchecked(&dev_priv->swi_emitted);
30051 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
30052
30053 BEGIN_RING(4);
30054 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
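Review bot: `atomic_inc_unchecked()` followed by a separate `atomic_read_unchecked()` does not give this caller the value it produced. A concurrent radeon_emit_irq() can increment in between, and both callers would then write the same `ret` to `RADEON_LAST_SWI_REG`. Unless callers are serialised by a lock outside the hunk, the pair should be one operation: `ret = atomic_inc_return_unchecked(&dev_priv->swi_emitted);`. The rest of radeon_emit_irq() is outside the hunk.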
30055 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
30056 drm_radeon_private_t *dev_priv =
30057 (drm_radeon_private_t *) dev->dev_private;
30058
30059 - atomic_set(&dev_priv->swi_emitted, 0);
30060 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
30061 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
30062
30063 dev->max_vblank_count = 0x001fffff;
30064 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c
30065 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-19 00:06:34.000000000 -0400
30066 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_state.c 2011-05-22 19:36:31.000000000 -0400
30067 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
30068 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
30069 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
30070
30071 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30072 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
30073 sarea_priv->nbox * sizeof(depth_boxes[0])))
30074 return -EFAULT;
30075
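Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads the field, but the copy length on the following line reads `sarea_priv->nbox` yet again, so the value that is checked is still not the value that sizes the copy into `depth_boxes`. If `sarea_priv` points into memory that user space can write concurrently (its definition is outside the hunk), the window between check and use stays open. Reading the field once closes it: `nbox = ACCESS_ONCE(sarea_priv->nbox);` into a local of the field's type, clamp or reject that local against `RADEON_NR_SAREA_CLIPRECTS`, and pass `nbox * sizeof(depth_boxes[0])` to `DRM_COPY_FROM_USER`. An out-of-range count would also read better as `-EINVAL` than `-EFAULT`. radeon_cp_clear() continues outside the hunk.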
30076 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
30077 {
30078 drm_radeon_private_t *dev_priv = dev->dev_private;
30079 drm_radeon_getparam_t *param = data;
30080 - int value;
30081 + int value = 0;
30082
30083 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
30084
30085 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c
30086 --- linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-19 00:06:34.000000000 -0400
30087 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/radeon_ttm.c 2011-05-22 19:36:31.000000000 -0400
30088 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
30089 man->size = size >> PAGE_SHIFT;
30090 }
30091
30092 -static struct vm_operations_struct radeon_ttm_vm_ops;
30093 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
30094 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
30095 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
30096 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
30097
30098 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30099 {
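Review bot: The three `extern` prototypes are declared locally in radeon_ttm.c rather than in a header that ttm_bo_vm.c also includes, so the compiler cannot check them against the definitions this patch un-statics in ttm_bo_vm.c. If a signature changes on the TTM side, this file keeps compiling and calls through a mismatched prototype. Moving the three declarations into a TTM header included by both files would remove that risk. radeon_ttm_fault() continues in the next hunk.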
30100 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
30101 struct radeon_device *rdev;
30102 int r;
30103
30104 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
30105 - if (bo == NULL) {
30106 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
30107 + if (!bo)
30108 return VM_FAULT_NOPAGE;
30109 - }
30110 rdev = radeon_get_rdev(bo->bdev);
30111 mutex_lock(&rdev->vram_mutex);
30112 - r = ttm_vm_ops->fault(vma, vmf);
30113 + r = ttm_bo_vm_fault(vma, vmf);
30114 mutex_unlock(&rdev->vram_mutex);
30115 return r;
30116 }
30117
30118 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
30119 + .fault = radeon_ttm_fault,
30120 + .open = ttm_bo_vm_open,
30121 + .close = ttm_bo_vm_close
30122 +};
30123 +
30124 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
30125 {
30126 struct drm_file *file_priv;
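Review bot: Listing `.fault`, `.open` and `.close` by hand in `radeon_ttm_vm_ops` loses the inheritance the removed code had, which copied whatever table was in `vma->vm_ops` after `ttm_bo_mmap()` and overrode only `.fault`. Any callback later added to TTM's own table will be silently absent from radeon mappings. A comment on the initializer, `/* must mirror ttm_bo_vm_ops in ttm_bo_vm.c except for .fault */`, would at least flag the coupling. radeon_mmap() starts at the end of this hunk and continues outside it.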
30127 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
30128
30129 file_priv = filp->private_data;
30130 rdev = file_priv->minor->dev->dev_private;
30131 - if (rdev == NULL) {
30132 + if (!rdev)
30133 return -EINVAL;
30134 - }
30135 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30136 - if (unlikely(r != 0)) {
30137 + if (r)
30138 return r;
30139 - }
30140 - if (unlikely(ttm_vm_ops == NULL)) {
30141 - ttm_vm_ops = vma->vm_ops;
30142 - radeon_ttm_vm_ops = *ttm_vm_ops;
30143 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
30144 - }
30145 vma->vm_ops = &radeon_ttm_vm_ops;
30146 return 0;
30147 }
30148 diff -urNp linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c
30149 --- linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-19 00:06:34.000000000 -0400
30150 +++ linux-2.6.39.3/drivers/gpu/drm/radeon/rs690.c 2011-05-22 19:36:31.000000000 -0400
30151 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
30152 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
30153 rdev->pm.sideport_bandwidth.full)
30154 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
30155 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
30156 + read_delay_latency.full = dfixed_const(800 * 1000);
30157 read_delay_latency.full = dfixed_div(read_delay_latency,
30158 rdev->pm.igp_sideport_mclk);
30159 + a.full = dfixed_const(370);
30160 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
30161 } else {
30162 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
30163 rdev->pm.k8_bandwidth.full)
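Review bot: Nothing explains why `370` is pulled out of `dfixed_const()` and applied with `dfixed_mul()` after the divide, and the reordering invites someone to fold the constants back together. Presumably `370 * 800 * 1000` no longer fits once `dfixed_const()` scales it to fixed point; a comment such as `/* 370 * 800 * 1000 overflows dfixed_const(); multiply by 370 after dividing */` would record that. The product after `dfixed_mul()` may still exceed the fixed-point range for a small `igp_sideport_mclk`, which is worth checking against the clocks the driver accepts. The declaration of `a` and the rest of rs690_crtc_bandwidth_compute() are outside the hunk.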
30164 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c
30165 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-19 00:06:34.000000000 -0400
30166 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-05-22 19:36:31.000000000 -0400
30167 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
30168 return best_bo;
30169 }
30170
30171 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30172 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30173 {
30174 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
30175 vma->vm_private_data;
30176 - struct ttm_bo_device *bdev = bo->bdev;
30177 + struct ttm_bo_device *bdev;
30178 unsigned long page_offset;
30179 unsigned long page_last;
30180 unsigned long pfn;
30181 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
30182 int i;
30183 unsigned long address = (unsigned long)vmf->virtual_address;
30184 int retval = VM_FAULT_NOPAGE;
30185 - struct ttm_mem_type_manager *man =
30186 - &bdev->man[bo->mem.mem_type];
30187 + struct ttm_mem_type_manager *man;
30188 +
30189 + if (!bo)
30190 + return VM_FAULT_NOPAGE;
30191 + bdev = bo->bdev;
30192 + man = &bdev->man[bo->mem.mem_type];
30193
30194 /*
30195 * Work around locking order reversal in fault / nopfn
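Review bot: The new `if (!bo)` guard returns `VM_FAULT_NOPAGE`, which reports the fault as handled without installing a mapping, so a task faulting on a VMA whose `vm_private_data` stays NULL would take the same fault again. If a NULL `bo` is an error state rather than a transient one, `return VM_FAULT_SIGBUS;` ends the access instead of retrying it. ttm_bo_vm_open(), exported later in this file, still passes `vm_private_data` to `ttm_bo_reference()` with no such check, so the two entry points now disagree about whether NULL is possible. The body of ttm_bo_vm_fault() continues outside the hunk.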
30196 @@ -219,22 +223,25 @@ out_unlock:
30197 ttm_bo_unreserve(bo);
30198 return retval;
30199 }
30200 +EXPORT_SYMBOL(ttm_bo_vm_fault);
30201
30202 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
30203 +void ttm_bo_vm_open(struct vm_area_struct *vma)
30204 {
30205 struct ttm_buffer_object *bo =
30206 (struct ttm_buffer_object *)vma->vm_private_data;
30207
30208 (void)ttm_bo_reference(bo);
30209 }
30210 +EXPORT_SYMBOL(ttm_bo_vm_open);
30211
30212 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
30213 +void ttm_bo_vm_close(struct vm_area_struct *vma)
30214 {
30215 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
30216
30217 ttm_bo_unref(&bo);
30218 vma->vm_private_data = NULL;
30219 }
30220 +EXPORT_SYMBOL(ttm_bo_vm_close);
30221
30222 static const struct vm_operations_struct ttm_bo_vm_ops = {
30223 .fault = ttm_bo_vm_fault,
30224 diff -urNp linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c
30225 --- linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-19 00:06:34.000000000 -0400
30226 +++ linux-2.6.39.3/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-05-22 19:36:31.000000000 -0400
30227 @@ -397,9 +397,9 @@ static int ttm_pool_get_num_unused_pages
30228 */
30229 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
30230 {
30231 - static atomic_t start_pool = ATOMIC_INIT(0);
30232 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
30233 unsigned i;
30234 - unsigned pool_offset = atomic_add_return(1, &start_pool);
30235 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
30236 struct ttm_page_pool *pool;
30237
30238 pool_offset = pool_offset % NUM_POOLS;
30239 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h
30240 --- linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-19 00:06:34.000000000 -0400
30241 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_drv.h 2011-05-22 19:36:31.000000000 -0400
30242 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
30243 typedef uint32_t maskarray_t[5];
30244
30245 typedef struct drm_via_irq {
30246 - atomic_t irq_received;
30247 + atomic_unchecked_t irq_received;
30248 uint32_t pending_mask;
30249 uint32_t enable_mask;
30250 wait_queue_head_t irq_queue;
30251 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
30252 struct timeval last_vblank;
30253 int last_vblank_valid;
30254 unsigned usec_per_vblank;
30255 - atomic_t vbl_received;
30256 + atomic_unchecked_t vbl_received;
30257 drm_via_state_t hc_state;
30258 char pci_buf[VIA_PCI_BUF_SIZE];
30259 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
30260 diff -urNp linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c
30261 --- linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-19 00:06:34.000000000 -0400
30262 +++ linux-2.6.39.3/drivers/gpu/drm/via/via_irq.c 2011-05-22 19:36:31.000000000 -0400
30263 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
30264 if (crtc != 0)
30265 return 0;
30266
30267 - return atomic_read(&dev_priv->vbl_received);
30268 + return atomic_read_unchecked(&dev_priv->vbl_received);
30269 }
30270
30271 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
30272 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
30273
30274 status = VIA_READ(VIA_REG_INTERRUPT);
30275 if (status & VIA_IRQ_VBLANK_PENDING) {
30276 - atomic_inc(&dev_priv->vbl_received);
30277 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
30278 + atomic_inc_unchecked(&dev_priv->vbl_received);
30279 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
30280 do_gettimeofday(&cur_vblank);
30281 if (dev_priv->last_vblank_valid) {
30282 dev_priv->usec_per_vblank =
30283 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30284 dev_priv->last_vblank = cur_vblank;
30285 dev_priv->last_vblank_valid = 1;
30286 }
30287 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
30288 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
30289 DRM_DEBUG("US per vblank is: %u\n",
30290 dev_priv->usec_per_vblank);
30291 }
30292 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30293
30294 for (i = 0; i < dev_priv->num_irqs; ++i) {
30295 if (status & cur_irq->pending_mask) {
30296 - atomic_inc(&cur_irq->irq_received);
30297 + atomic_inc_unchecked(&cur_irq->irq_received);
30298 DRM_WAKEUP(&cur_irq->irq_queue);
30299 handled = 1;
30300 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
30301 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
30302 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30303 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
30304 masks[irq][4]));
30305 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
30306 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30307 } else {
30308 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30309 (((cur_irq_sequence =
30310 - atomic_read(&cur_irq->irq_received)) -
30311 + atomic_read_unchecked(&cur_irq->irq_received)) -
30312 *sequence) <= (1 << 23)));
30313 }
30314 *sequence = cur_irq_sequence;
30315 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
30316 }
30317
30318 for (i = 0; i < dev_priv->num_irqs; ++i) {
30319 - atomic_set(&cur_irq->irq_received, 0);
30320 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30321 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30322 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30323 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30324 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
30325 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30326 case VIA_IRQ_RELATIVE:
30327 irqwait->request.sequence +=
30328 - atomic_read(&cur_irq->irq_received);
30329 + atomic_read_unchecked(&cur_irq->irq_received);
30330 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30331 case VIA_IRQ_ABSOLUTE:
30332 break;
30333 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
30334 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-19 00:06:34.000000000 -0400
30335 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-05-22 19:36:31.000000000 -0400
30336 @@ -240,7 +240,7 @@ struct vmw_private {
30337 * Fencing and IRQs.
30338 */
30339
30340 - atomic_t fence_seq;
30341 + atomic_unchecked_t fence_seq;
30342 wait_queue_head_t fence_queue;
30343 wait_queue_head_t fifo_queue;
30344 atomic_t fence_queue_waiters;
30345 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
30346 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-19 00:06:34.000000000 -0400
30347 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-05-22 19:36:31.000000000 -0400
30348 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
30349 while (!vmw_lag_lt(queue, us)) {
30350 spin_lock(&queue->lock);
30351 if (list_empty(&queue->head))
30352 - sequence = atomic_read(&dev_priv->fence_seq);
30353 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30354 else {
30355 fence = list_first_entry(&queue->head,
30356 struct vmw_fence, head);
30357 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
30358 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-19 00:06:34.000000000 -0400
30359 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-05-22 19:36:31.000000000 -0400
30360 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
30361 (unsigned int) min,
30362 (unsigned int) fifo->capabilities);
30363
30364 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30365 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
30366 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
30367 vmw_fence_queue_init(&fifo->fence_queue);
30368 return vmw_fifo_send_fence(dev_priv, &dummy);
30369 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30370
30371 fm = vmw_fifo_reserve(dev_priv, bytes);
30372 if (unlikely(fm == NULL)) {
30373 - *sequence = atomic_read(&dev_priv->fence_seq);
30374 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
30375 ret = -ENOMEM;
30376 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
30377 false, 3*HZ);
30378 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
30379 }
30380
30381 do {
30382 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
30383 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
30384 } while (*sequence == 0);
30385
30386 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
30387 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
30388 return VM_FAULT_SIGBUS;
30389 }
30390
30391 -static struct vm_operations_struct vmw_fifo_vm_ops = {
30392 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
30393 .fault = vmw_fifo_vm_fault,
30394 .open = NULL,
30395 .close = NULL
30396 diff -urNp linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
30397 --- linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-19 00:06:34.000000000 -0400
30398 +++ linux-2.6.39.3/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-05-22 19:36:31.000000000 -0400
30399 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
30400 * emitted. Then the fence is stale and signaled.
30401 */
30402
30403 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
30404 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
30405 > VMW_FENCE_WRAP);
30406
30407 return ret;
30408 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
30409
30410 if (fifo_idle)
30411 down_read(&fifo_state->rwsem);
30412 - signal_seq = atomic_read(&dev_priv->fence_seq);
30413 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
30414 ret = 0;
30415
30416 for (;;) {
30417 diff -urNp linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c
30418 --- linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-19 00:06:34.000000000 -0400
30419 +++ linux-2.6.39.3/drivers/gpu/vga/vga_switcheroo.c 2011-05-22 19:36:31.000000000 -0400
30420 @@ -53,7 +53,7 @@ struct vgasr_priv {
30421 int registered_clients;
30422 struct vga_switcheroo_client clients[VGA_SWITCHEROO_MAX_CLIENTS];
30423
30424 - struct vga_switcheroo_handler *handler;
30425 + const struct vga_switcheroo_handler *handler;
30426 };
30427
30428 static int vga_switcheroo_debugfs_init(struct vgasr_priv *priv);
30429 @@ -62,7 +62,7 @@ static void vga_switcheroo_debugfs_fini(
30430 /* only one switcheroo per system */
30431 static struct vgasr_priv vgasr_priv;
30432
30433 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler)
30434 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler)
30435 {
30436 mutex_lock(&vgasr_mutex);
30437 if (vgasr_priv.handler) {
30438 diff -urNp linux-2.6.39.3/drivers/hid/hid-core.c linux-2.6.39.3/drivers/hid/hid-core.c
30439 --- linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-19 00:06:34.000000000 -0400
30440 +++ linux-2.6.39.3/drivers/hid/hid-core.c 2011-05-22 19:36:31.000000000 -0400
30441 @@ -1888,7 +1888,7 @@ static bool hid_ignore(struct hid_device
30442
30443 int hid_add_device(struct hid_device *hdev)
30444 {
30445 - static atomic_t id = ATOMIC_INIT(0);
30446 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30447 int ret;
30448
30449 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30450 @@ -1903,7 +1903,7 @@ int hid_add_device(struct hid_device *hd
30451 /* XXX hack, any other cleaner solution after the driver core
30452 * is converted to allow more than 20 bytes as the device name? */
30453 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30454 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30455 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30456
30457 hid_debug_register(hdev, dev_name(&hdev->dev));
30458 ret = device_add(&hdev->dev);
30459 diff -urNp linux-2.6.39.3/drivers/hid/hid-picolcd.c linux-2.6.39.3/drivers/hid/hid-picolcd.c
30460 --- linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-19 00:06:34.000000000 -0400
30461 +++ linux-2.6.39.3/drivers/hid/hid-picolcd.c 2011-05-22 19:36:31.000000000 -0400
30462 @@ -1037,7 +1037,7 @@ static int picolcd_check_lcd_fb(struct l
30463 return fb && fb == picolcd_fbinfo((struct picolcd_data *)lcd_get_data(ldev));
30464 }
30465
30466 -static struct lcd_ops picolcd_lcdops = {
30467 +static const struct lcd_ops picolcd_lcdops = {
30468 .get_contrast = picolcd_get_contrast,
30469 .set_contrast = picolcd_set_contrast,
30470 .check_fb = picolcd_check_lcd_fb,
30471 diff -urNp linux-2.6.39.3/drivers/hid/usbhid/hiddev.c linux-2.6.39.3/drivers/hid/usbhid/hiddev.c
30472 --- linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-19 00:06:34.000000000 -0400
30473 +++ linux-2.6.39.3/drivers/hid/usbhid/hiddev.c 2011-05-22 19:36:31.000000000 -0400
30474 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
30475 break;
30476
30477 case HIDIOCAPPLICATION:
30478 - if (arg < 0 || arg >= hid->maxapplication)
30479 + if (arg >= hid->maxapplication)
30480 break;
30481
30482 for (i = 0; i < hid->maxcollection; i++)
30483 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmaem.c linux-2.6.39.3/drivers/hwmon/ibmaem.c
30484 --- linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:18:51.000000000 -0400
30485 +++ linux-2.6.39.3/drivers/hwmon/ibmaem.c 2011-07-09 09:19:18.000000000 -0400
30486 @@ -238,7 +238,7 @@ struct aem_read_sensor_resp {
30487 struct aem_driver_data {
30488 struct list_head aem_devices;
30489 struct ipmi_smi_watcher bmc_events;
30490 - struct ipmi_user_hndl ipmi_hndlrs;
30491 + const struct ipmi_user_hndl ipmi_hndlrs;
30492 };
30493
30494 static void aem_register_bmc(int iface, struct device *dev);
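Review bot: Marking the `ipmi_hndlrs` member `const` only stops direct assignment in C; the member still lives inside a writable object, so the handler pointers do not move to read-only memory. The ibmpex.c hunk that makes the same change shows the containing object as `static struct ibmpex_driver_data driver_data`, which is not const, and the `aem_driver_data` instance is presumably the same (its definition is outside this hunk). To place the pointers in read-only data, the handler table would need to be its own `static const struct ipmi_user_hndl` object that the driver data refers to by pointer.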
30495 diff -urNp linux-2.6.39.3/drivers/hwmon/ibmpex.c linux-2.6.39.3/drivers/hwmon/ibmpex.c
30496 --- linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:18:51.000000000 -0400
30497 +++ linux-2.6.39.3/drivers/hwmon/ibmpex.c 2011-07-09 09:19:18.000000000 -0400
30498 @@ -110,7 +110,7 @@ struct ibmpex_bmc_data {
30499 struct ibmpex_driver_data {
30500 struct list_head bmc_data;
30501 struct ipmi_smi_watcher bmc_events;
30502 - struct ipmi_user_hndl ipmi_hndlrs;
30503 + const struct ipmi_user_hndl ipmi_hndlrs;
30504 };
30505
30506 static struct ibmpex_driver_data driver_data = {
30507 diff -urNp linux-2.6.39.3/drivers/hwmon/sht15.c linux-2.6.39.3/drivers/hwmon/sht15.c
30508 --- linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-19 00:06:34.000000000 -0400
30509 +++ linux-2.6.39.3/drivers/hwmon/sht15.c 2011-05-22 19:36:31.000000000 -0400
30510 @@ -113,7 +113,7 @@ struct sht15_data {
30511 int supply_uV;
30512 int supply_uV_valid;
30513 struct work_struct update_supply_work;
30514 - atomic_t interrupt_handled;
30515 + atomic_unchecked_t interrupt_handled;
30516 };
30517
30518 /**
30519 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
30520 return ret;
30521
30522 gpio_direction_input(data->pdata->gpio_data);
30523 - atomic_set(&data->interrupt_handled, 0);
30524 + atomic_set_unchecked(&data->interrupt_handled, 0);
30525
30526 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30527 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30528 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30529 /* Only relevant if the interrupt hasn't occurred. */
30530 - if (!atomic_read(&data->interrupt_handled))
30531 + if (!atomic_read_unchecked(&data->interrupt_handled))
30532 schedule_work(&data->read_work);
30533 }
30534 ret = wait_event_timeout(data->wait_queue,
30535 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
30536 struct sht15_data *data = d;
30537 /* First disable the interrupt */
30538 disable_irq_nosync(irq);
30539 - atomic_inc(&data->interrupt_handled);
30540 + atomic_inc_unchecked(&data->interrupt_handled);
30541 /* Then schedule a reading work struct */
30542 if (data->flag != SHT15_READING_NOTHING)
30543 schedule_work(&data->read_work);
30544 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
30545 here as could have gone low in meantime so verify
30546 it hasn't!
30547 */
30548 - atomic_set(&data->interrupt_handled, 0);
30549 + atomic_set_unchecked(&data->interrupt_handled, 0);
30550 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30551 /* If still not occurred or another handler has been scheduled */
30552 if (gpio_get_value(data->pdata->gpio_data)
30553 - || atomic_read(&data->interrupt_handled))
30554 + || atomic_read_unchecked(&data->interrupt_handled))
30555 return;
30556 }
30557 /* Read the data back from the device */
30558 diff -urNp linux-2.6.39.3/drivers/hwmon/w83791d.c linux-2.6.39.3/drivers/hwmon/w83791d.c
30559 --- linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-19 00:06:34.000000000 -0400
30560 +++ linux-2.6.39.3/drivers/hwmon/w83791d.c 2011-05-22 19:36:31.000000000 -0400
30561 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
30562 struct i2c_board_info *info);
30563 static int w83791d_remove(struct i2c_client *client);
30564
30565 -static int w83791d_read(struct i2c_client *client, u8 register);
30566 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30567 +static int w83791d_read(struct i2c_client *client, u8 reg);
30568 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30569 static struct w83791d_data *w83791d_update_device(struct device *dev);
30570
30571 #ifdef DEBUG
30572 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c
30573 --- linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-19 00:06:34.000000000 -0400
30574 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-at91.c 2011-05-22 19:36:31.000000000 -0400
30575 @@ -181,7 +181,7 @@ static u32 at91_func(struct i2c_adapter
30576 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30577 }
30578
30579 -static struct i2c_algorithm at91_algorithm = {
30580 +static const struct i2c_algorithm at91_algorithm = {
30581 .master_xfer = at91_xfer,
30582 .functionality = at91_func,
30583 };
30584 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c
30585 --- linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-19 00:06:34.000000000 -0400
30586 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-bfin-twi.c 2011-05-22 19:36:31.000000000 -0400
30587 @@ -599,7 +599,7 @@ static u32 bfin_twi_functionality(struct
30588 I2C_FUNC_I2C | I2C_FUNC_SMBUS_I2C_BLOCK;
30589 }
30590
30591 -static struct i2c_algorithm bfin_twi_algorithm = {
30592 +static const struct i2c_algorithm bfin_twi_algorithm = {
30593 .master_xfer = bfin_twi_master_xfer,
30594 .smbus_xfer = bfin_twi_smbus_xfer,
30595 .functionality = bfin_twi_functionality,
30596 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c
30597 --- linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-19 00:06:34.000000000 -0400
30598 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-davinci.c 2011-05-22 19:36:31.000000000 -0400
30599 @@ -630,7 +630,7 @@ static inline void i2c_davinci_cpufreq_d
30600 }
30601 #endif
30602
30603 -static struct i2c_algorithm i2c_davinci_algo = {
30604 +static const struct i2c_algorithm i2c_davinci_algo = {
30605 .master_xfer = i2c_davinci_xfer,
30606 .functionality = i2c_davinci_func,
30607 };
30608 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c
30609 --- linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-19 00:06:34.000000000 -0400
30610 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-designware.c 2011-05-22 19:36:31.000000000 -0400
30611 @@ -689,7 +689,7 @@ tx_aborted:
30612 return IRQ_HANDLED;
30613 }
30614
30615 -static struct i2c_algorithm i2c_dw_algo = {
30616 +static const struct i2c_algorithm i2c_dw_algo = {
30617 .master_xfer = i2c_dw_xfer,
30618 .functionality = i2c_dw_func,
30619 };
30620 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c
30621 --- linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-19 00:06:34.000000000 -0400
30622 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-eg20t.c 2011-05-22 19:36:31.000000000 -0400
30623 @@ -708,7 +708,7 @@ static u32 pch_i2c_func(struct i2c_adapt
30624 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL | I2C_FUNC_10BIT_ADDR;
30625 }
30626
30627 -static struct i2c_algorithm pch_algorithm = {
30628 +static const struct i2c_algorithm pch_algorithm = {
30629 .master_xfer = pch_i2c_xfer,
30630 .functionality = pch_i2c_func
30631 };
30632 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c
30633 --- linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-19 00:06:34.000000000 -0400
30634 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-imx.c 2011-05-22 19:36:31.000000000 -0400
30635 @@ -457,7 +457,7 @@ static u32 i2c_imx_func(struct i2c_adapt
30636 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30637 }
30638
30639 -static struct i2c_algorithm i2c_imx_algo = {
30640 +static const struct i2c_algorithm i2c_imx_algo = {
30641 .master_xfer = i2c_imx_xfer,
30642 .functionality = i2c_imx_func,
30643 };
30644 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c
30645 --- linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-19 00:06:34.000000000 -0400
30646 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-intel-mid.c 2011-05-22 19:36:31.000000000 -0400
30647 @@ -917,7 +917,7 @@ err:
30648 return IRQ_HANDLED;
30649 }
30650
30651 -static struct i2c_algorithm intel_mid_i2c_algorithm = {
30652 +static const struct i2c_algorithm intel_mid_i2c_algorithm = {
30653 .master_xfer = intel_mid_i2c_xfer,
30654 .functionality = intel_mid_i2c_func,
30655 };
30656 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c
30657 --- linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-19 00:06:34.000000000 -0400
30658 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-nforce2.c 2011-05-22 19:36:31.000000000 -0400
30659 @@ -303,7 +303,7 @@ static u32 nforce2_func(struct i2c_adapt
30660 I2C_FUNC_SMBUS_BLOCK_DATA : 0);
30661 }
30662
30663 -static struct i2c_algorithm smbus_algorithm = {
30664 +static const struct i2c_algorithm smbus_algorithm = {
30665 .smbus_xfer = nforce2_access,
30666 .functionality = nforce2_func,
30667 };
30668 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c
30669 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-19 00:06:34.000000000 -0400
30670 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pmcmsp.c 2011-05-22 19:36:31.000000000 -0400
30671 @@ -615,7 +615,7 @@ static u32 pmcmsptwi_i2c_func(struct i2c
30672
30673 /* -- Initialization -- */
30674
30675 -static struct i2c_algorithm pmcmsptwi_algo = {
30676 +static const struct i2c_algorithm pmcmsptwi_algo = {
30677 .master_xfer = pmcmsptwi_master_xfer,
30678 .functionality = pmcmsptwi_i2c_func,
30679 };
30680 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c
30681 --- linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-19 00:06:34.000000000 -0400
30682 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-pnx.c 2011-05-22 19:36:31.000000000 -0400
30683 @@ -535,7 +535,7 @@ static u32 i2c_pnx_func(struct i2c_adapt
30684 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30685 }
30686
30687 -static struct i2c_algorithm pnx_algorithm = {
30688 +static const struct i2c_algorithm pnx_algorithm = {
30689 .master_xfer = i2c_pnx_xfer,
30690 .functionality = i2c_pnx_func,
30691 };
30692 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c
30693 --- linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-19 00:06:34.000000000 -0400
30694 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-puv3.c 2011-05-22 19:36:31.000000000 -0400
30695 @@ -176,7 +176,7 @@ static u32 puv3_i2c_func(struct i2c_adap
30696 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30697 }
30698
30699 -static struct i2c_algorithm puv3_i2c_algorithm = {
30700 +static const struct i2c_algorithm puv3_i2c_algorithm = {
30701 .master_xfer = puv3_i2c_xfer,
30702 .functionality = puv3_i2c_func,
30703 };
30704 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c
30705 --- linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-19 00:06:34.000000000 -0400
30706 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-s6000.c 2011-05-22 19:36:31.000000000 -0400
30707 @@ -243,7 +243,7 @@ static u32 s6i2c_functionality(struct i2
30708 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30709 }
30710
30711 -static struct i2c_algorithm s6i2c_algorithm = {
30712 +static const struct i2c_algorithm s6i2c_algorithm = {
30713 .master_xfer = s6i2c_master_xfer,
30714 .functionality = s6i2c_functionality,
30715 };
30716 diff -urNp linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c
30717 --- linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-19 00:06:34.000000000 -0400
30718 +++ linux-2.6.39.3/drivers/i2c/busses/i2c-sh_mobile.c 2011-05-22 19:36:31.000000000 -0400
30719 @@ -529,7 +529,7 @@ static u32 sh_mobile_i2c_func(struct i2c
30720 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
30721 }
30722
30723 -static struct i2c_algorithm sh_mobile_i2c_algorithm = {
30724 +static const struct i2c_algorithm sh_mobile_i2c_algorithm = {
30725 .functionality = sh_mobile_i2c_func,
30726 .master_xfer = sh_mobile_i2c_xfer,
30727 };
30728 diff -urNp linux-2.6.39.3/drivers/ide/ide-cd.c linux-2.6.39.3/drivers/ide/ide-cd.c
30729 --- linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:04:14.000000000 -0400
30730 +++ linux-2.6.39.3/drivers/ide/ide-cd.c 2011-06-03 00:32:05.000000000 -0400
30731 @@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
30732 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30733 if ((unsigned long)buf & alignment
30734 || blk_rq_bytes(rq) & q->dma_pad_mask
30735 - || object_is_on_stack(buf))
30736 + || object_starts_on_stack(buf))
30737 drive->dma = 0;
30738 }
30739 }
30740 diff -urNp linux-2.6.39.3/drivers/ide/ide-floppy.c linux-2.6.39.3/drivers/ide/ide-floppy.c
30741 --- linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-19 00:06:34.000000000 -0400
30742 +++ linux-2.6.39.3/drivers/ide/ide-floppy.c 2011-05-22 19:36:31.000000000 -0400
30743 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
30744 u8 pc_buf[256], header_len, desc_cnt;
30745 int i, rc = 1, blocks, length;
30746
30747 + pax_track_stack();
30748 +
30749 ide_debug_log(IDE_DBG_FUNC, "enter");
30750
30751 drive->bios_cyl = 0;
30752 diff -urNp linux-2.6.39.3/drivers/ide/it821x.c linux-2.6.39.3/drivers/ide/it821x.c
30753 --- linux-2.6.39.3/drivers/ide/it821x.c 2011-05-19 00:06:34.000000000 -0400
30754 +++ linux-2.6.39.3/drivers/ide/it821x.c 2011-05-22 19:36:31.000000000 -0400
30755 @@ -508,7 +508,7 @@ static void it821x_quirkproc(ide_drive_t
30756
30757 }
30758
30759 -static struct ide_dma_ops it821x_pass_through_dma_ops = {
30760 +static const struct ide_dma_ops it821x_pass_through_dma_ops = {
30761 .dma_host_set = ide_dma_host_set,
30762 .dma_setup = ide_dma_setup,
30763 .dma_start = it821x_dma_start,
30764 diff -urNp linux-2.6.39.3/drivers/ide/setup-pci.c linux-2.6.39.3/drivers/ide/setup-pci.c
30765 --- linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-19 00:06:34.000000000 -0400
30766 +++ linux-2.6.39.3/drivers/ide/setup-pci.c 2011-05-22 19:36:31.000000000 -0400
30767 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30768 int ret, i, n_ports = dev2 ? 4 : 2;
30769 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30770
30771 + pax_track_stack();
30772 +
30773 for (i = 0; i < n_ports / 2; i++) {
30774 ret = ide_setup_pci_controller(pdev[i], d, !i);
30775 if (ret < 0)
30776 diff -urNp linux-2.6.39.3/drivers/ide/trm290.c linux-2.6.39.3/drivers/ide/trm290.c
30777 --- linux-2.6.39.3/drivers/ide/trm290.c 2011-05-19 00:06:34.000000000 -0400
30778 +++ linux-2.6.39.3/drivers/ide/trm290.c 2011-05-22 19:36:31.000000000 -0400
30779 @@ -314,7 +314,7 @@ static const struct ide_tp_ops trm290_tp
30780 .output_data = ide_output_data,
30781 };
30782
30783 -static struct ide_dma_ops trm290_dma_ops = {
30784 +static const struct ide_dma_ops trm290_dma_ops = {
30785 .dma_host_set = trm290_dma_host_set,
30786 .dma_setup = trm290_dma_setup,
30787 .dma_start = trm290_dma_start,
30788 diff -urNp linux-2.6.39.3/drivers/infiniband/core/cm.c linux-2.6.39.3/drivers/infiniband/core/cm.c
30789 --- linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-19 00:06:34.000000000 -0400
30790 +++ linux-2.6.39.3/drivers/infiniband/core/cm.c 2011-05-22 19:36:31.000000000 -0400
30791 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
30792
30793 struct cm_counter_group {
30794 struct kobject obj;
30795 - atomic_long_t counter[CM_ATTR_COUNT];
30796 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30797 };
30798
30799 struct cm_counter_attribute {
30800 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
30801 struct ib_mad_send_buf *msg = NULL;
30802 int ret;
30803
30804 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30805 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30806 counter[CM_REQ_COUNTER]);
30807
30808 /* Quick state check to discard duplicate REQs. */
30809 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
30810 if (!cm_id_priv)
30811 return;
30812
30813 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30814 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30815 counter[CM_REP_COUNTER]);
30816 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30817 if (ret)
30818 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
30819 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30820 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30821 spin_unlock_irq(&cm_id_priv->lock);
30822 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30823 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30824 counter[CM_RTU_COUNTER]);
30825 goto out;
30826 }
30827 @@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
30828 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30829 dreq_msg->local_comm_id);
30830 if (!cm_id_priv) {
30831 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30832 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30833 counter[CM_DREQ_COUNTER]);
30834 cm_issue_drep(work->port, work->mad_recv_wc);
30835 return -EINVAL;
30836 @@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
30837 case IB_CM_MRA_REP_RCVD:
30838 break;
30839 case IB_CM_TIMEWAIT:
30840 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30841 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30842 counter[CM_DREQ_COUNTER]);
30843 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30844 goto unlock;
30845 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
30846 cm_free_msg(msg);
30847 goto deref;
30848 case IB_CM_DREQ_RCVD:
30849 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30850 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30851 counter[CM_DREQ_COUNTER]);
30852 goto unlock;
30853 default:
30854 @@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
30855 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30856 cm_id_priv->msg, timeout)) {
30857 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30858 - atomic_long_inc(&work->port->
30859 + atomic_long_inc_unchecked(&work->port->
30860 counter_group[CM_RECV_DUPLICATES].
30861 counter[CM_MRA_COUNTER]);
30862 goto out;
30863 @@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
30864 break;
30865 case IB_CM_MRA_REQ_RCVD:
30866 case IB_CM_MRA_REP_RCVD:
30867 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30868 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30869 counter[CM_MRA_COUNTER]);
30870 /* fall through */
30871 default:
30872 @@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
30873 case IB_CM_LAP_IDLE:
30874 break;
30875 case IB_CM_MRA_LAP_SENT:
30876 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30877 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30878 counter[CM_LAP_COUNTER]);
30879 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30880 goto unlock;
30881 @@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
30882 cm_free_msg(msg);
30883 goto deref;
30884 case IB_CM_LAP_RCVD:
30885 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30886 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30887 counter[CM_LAP_COUNTER]);
30888 goto unlock;
30889 default:
30890 @@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
30891 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30892 if (cur_cm_id_priv) {
30893 spin_unlock_irq(&cm.lock);
30894 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30895 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30896 counter[CM_SIDR_REQ_COUNTER]);
30897 goto out; /* Duplicate message. */
30898 }
30899 @@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
30900 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30901 msg->retries = 1;
30902
30903 - atomic_long_add(1 + msg->retries,
30904 + atomic_long_add_unchecked(1 + msg->retries,
30905 &port->counter_group[CM_XMIT].counter[attr_index]);
30906 if (msg->retries)
30907 - atomic_long_add(msg->retries,
30908 + atomic_long_add_unchecked(msg->retries,
30909 &port->counter_group[CM_XMIT_RETRIES].
30910 counter[attr_index]);
30911
30912 @@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
30913 }
30914
30915 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30916 - atomic_long_inc(&port->counter_group[CM_RECV].
30917 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30918 counter[attr_id - CM_ATTR_ID_OFFSET]);
30919
30920 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
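Review bot: The counter index `attr_id - CM_ATTR_ID_OFFSET` is computed from `mad_hdr.attr_id`, a field of the received MAD, and nothing in this hunk shows it being limited to `CM_ATTR_COUNT`, the declared size of `counter[]`. cm_recv_handler starts outside the hunk, and the closing brace at the top may end the block that validates `attr_id`. If it does, a comment at the increment such as `/* attr_id was validated above, so the index is below CM_ATTR_COUNT */` would make the bound explicit. If it does not, the increment needs a range check in front of it.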
30921 @@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
30922 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30923
30924 return sprintf(buf, "%ld\n",
30925 - atomic_long_read(&group->counter[cm_attr->index]));
30926 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30927 }
30928
30929 static const struct sysfs_ops cm_counter_ops = {
30930 diff -urNp linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c
30931 --- linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-19 00:06:34.000000000 -0400
30932 +++ linux-2.6.39.3/drivers/infiniband/core/fmr_pool.c 2011-05-22 19:36:31.000000000 -0400
30933 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30934
30935 struct task_struct *thread;
30936
30937 - atomic_t req_ser;
30938 - atomic_t flush_ser;
30939 + atomic_unchecked_t req_ser;
30940 + atomic_unchecked_t flush_ser;
30941
30942 wait_queue_head_t force_wait;
30943 };
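Review bot: `req_ser` and `flush_ser` carry no comment saying they are wrapping serial numbers, which is the reason they can be exempt from overflow checking. The later hunks in this file compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`), which only works if the counters are allowed to wrap. I would add above the two fields: `/* serial numbers: wrap by design, compared by signed difference, never used as reference counts */`.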
30944 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30945 struct ib_fmr_pool *pool = pool_ptr;
30946
30947 do {
30948 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30949 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30950 ib_fmr_batch_release(pool);
30951
30952 - atomic_inc(&pool->flush_ser);
30953 + atomic_inc_unchecked(&pool->flush_ser);
30954 wake_up_interruptible(&pool->force_wait);
30955
30956 if (pool->flush_function)
30957 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30958 }
30959
30960 set_current_state(TASK_INTERRUPTIBLE);
30961 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30962 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30963 !kthread_should_stop())
30964 schedule();
30965 __set_current_state(TASK_RUNNING);
30966 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30967 pool->dirty_watermark = params->dirty_watermark;
30968 pool->dirty_len = 0;
30969 spin_lock_init(&pool->pool_lock);
30970 - atomic_set(&pool->req_ser, 0);
30971 - atomic_set(&pool->flush_ser, 0);
30972 + atomic_set_unchecked(&pool->req_ser, 0);
30973 + atomic_set_unchecked(&pool->flush_ser, 0);
30974 init_waitqueue_head(&pool->force_wait);
30975
30976 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30977 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30978 }
30979 spin_unlock_irq(&pool->pool_lock);
30980
30981 - serial = atomic_inc_return(&pool->req_ser);
30982 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30983 wake_up_process(pool->thread);
30984
30985 if (wait_event_interruptible(pool->force_wait,
30986 - atomic_read(&pool->flush_ser) - serial >= 0))
30987 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30988 return -EINTR;
30989
30990 return 0;
30991 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30992 } else {
30993 list_add_tail(&fmr->list, &pool->dirty_list);
30994 if (++pool->dirty_len >= pool->dirty_watermark) {
30995 - atomic_inc(&pool->req_ser);
30996 + atomic_inc_unchecked(&pool->req_ser);
30997 wake_up_process(pool->thread);
30998 }
30999 }
31000 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c
31001 --- linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-19 00:06:34.000000000 -0400
31002 +++ linux-2.6.39.3/drivers/infiniband/hw/cxgb4/mem.c 2011-05-22 19:36:31.000000000 -0400
31003 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
31004 int err;
31005 struct fw_ri_tpte tpt;
31006 u32 stag_idx;
31007 - static atomic_t key;
31008 + static atomic_unchecked_t key;
31009
31010 if (c4iw_fatal_error(rdev))
31011 return -EIO;
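Review bot: The declaration of `key` has no comment explaining why an unchecked counter is correct here. It is a function-local static, and the next hunk uses only its low 8 bits (`atomic_inc_return_unchecked(&key) & 0xff`), so it wraps by design. I would add next to the declaration: `/* rolling 8-bit key for new stags; wraps by design, not a reference count */`. Because the byte is a plain sequence, the comment should not describe it as an unguessable value. write_tpt_entry begins and ends outside this hunk.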
31012 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
31013 &rdev->resource.tpt_fifo_lock);
31014 if (!stag_idx)
31015 return -ENOMEM;
31016 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
31017 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
31018 }
31019 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
31020 __func__, stag_state, type, pdid, stag_idx);
31021 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c
31022 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-19 00:06:34.000000000 -0400
31023 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_dma.c 2011-05-22 19:36:31.000000000 -0400
31024 @@ -175,7 +175,7 @@ static void ipath_dma_free_coherent(stru
31025 free_pages((unsigned long) cpu_addr, get_order(size));
31026 }
31027
31028 -struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
31029 +const struct ib_dma_mapping_ops ipath_dma_mapping_ops = {
31030 ipath_mapping_error,
31031 ipath_dma_map_single,
31032 ipath_dma_unmap_single,
31033 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c
31034 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-19 00:06:34.000000000 -0400
31035 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-22 19:36:31.000000000 -0400
31036 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
31037 struct infinipath_counters counters;
31038 struct ipath_devdata *dd;
31039
31040 + pax_track_stack();
31041 +
31042 dd = file->f_path.dentry->d_inode->i_private;
31043 dd->ipath_f_read_counters(dd, &counters);
31044
31045 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c
31046 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-19 00:06:34.000000000 -0400
31047 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-22 19:36:31.000000000 -0400
31048 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31049 struct ib_atomic_eth *ateth;
31050 struct ipath_ack_entry *e;
31051 u64 vaddr;
31052 - atomic64_t *maddr;
31053 + atomic64_unchecked_t *maddr;
31054 u64 sdata;
31055 u32 rkey;
31056 u8 next;
31057 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
31058 IB_ACCESS_REMOTE_ATOMIC)))
31059 goto nack_acc_unlck;
31060 /* Perform atomic OP and save result. */
31061 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31062 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31063 sdata = be64_to_cpu(ateth->swap_data);
31064 e = &qp->s_ack_queue[qp->r_head_ack_queue];
31065 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
31066 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31067 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31068 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31069 be64_to_cpu(ateth->compare_data),
31070 sdata);
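Review bot: The cast to `atomic64_unchecked_t *` and the `_unchecked` add have no comment explaining why overflow detection has to be off at this site. `sdata` is taken from `ateth->swap_data` in the received packet and added to the memory at `qp->r_sge.sge.vaddr`, so a wrapping sum is ordinary fetch-and-add behaviour, not a reference-count error. A checked add would presumably let a peer-chosen operand reach the overflow handler. Suggested comment above the `maddr` assignment: `/* FETCH_ADD operand comes from the wire and the sum may wrap; this is not a refcount */`. The same conversion is made in ipath_ruc_loopback in ipath_ruc.c, and ipath_rc_rcv continues outside this hunk.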
31071 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c
31072 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-19 00:06:34.000000000 -0400
31073 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-22 19:36:31.000000000 -0400
31074 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
31075 unsigned long flags;
31076 struct ib_wc wc;
31077 u64 sdata;
31078 - atomic64_t *maddr;
31079 + atomic64_unchecked_t *maddr;
31080 enum ib_wc_status send_status;
31081
31082 /*
31083 @@ -382,11 +382,11 @@ again:
31084 IB_ACCESS_REMOTE_ATOMIC)))
31085 goto acc_err;
31086 /* Perform atomic OP and save result. */
31087 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
31088 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
31089 sdata = wqe->wr.wr.atomic.compare_add;
31090 *(u64 *) sqp->s_sge.sge.vaddr =
31091 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
31092 - (u64) atomic64_add_return(sdata, maddr) - sdata :
31093 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
31094 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
31095 sdata, wqe->wr.wr.atomic.swap);
31096 goto send_comp;
31097 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h
31098 --- linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-19 00:06:34.000000000 -0400
31099 +++ linux-2.6.39.3/drivers/infiniband/hw/ipath/ipath_verbs.h 2011-05-22 19:36:31.000000000 -0400
31100 @@ -931,6 +931,6 @@ extern unsigned int ib_ipath_max_srq_wrs
31101
31102 extern const u32 ib_ipath_rnr_table[];
31103
31104 -extern struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31105 +extern const struct ib_dma_mapping_ops ipath_dma_mapping_ops;
31106
31107 #endif /* IPATH_VERBS_H */
31108 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c
31109 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-19 00:06:34.000000000 -0400
31110 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.c 2011-05-22 19:36:31.000000000 -0400
31111 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
31112 LIST_HEAD(nes_adapter_list);
31113 static LIST_HEAD(nes_dev_list);
31114
31115 -atomic_t qps_destroyed;
31116 +atomic_unchecked_t qps_destroyed;
31117
31118 static unsigned int ee_flsh_adapter;
31119 static unsigned int sysfs_nonidx_addr;
31120 @@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
31121 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
31122 struct nes_adapter *nesadapter = nesdev->nesadapter;
31123
31124 - atomic_inc(&qps_destroyed);
31125 + atomic_inc_unchecked(&qps_destroyed);
31126
31127 /* Free the control structures */
31128
31129 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c
31130 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-19 00:06:34.000000000 -0400
31131 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_cm.c 2011-05-22 19:36:31.000000000 -0400
31132 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
31133 u32 cm_packets_retrans;
31134 u32 cm_packets_created;
31135 u32 cm_packets_received;
31136 -atomic_t cm_listens_created;
31137 -atomic_t cm_listens_destroyed;
31138 +atomic_unchecked_t cm_listens_created;
31139 +atomic_unchecked_t cm_listens_destroyed;
31140 u32 cm_backlog_drops;
31141 -atomic_t cm_loopbacks;
31142 -atomic_t cm_nodes_created;
31143 -atomic_t cm_nodes_destroyed;
31144 -atomic_t cm_accel_dropped_pkts;
31145 -atomic_t cm_resets_recvd;
31146 +atomic_unchecked_t cm_loopbacks;
31147 +atomic_unchecked_t cm_nodes_created;
31148 +atomic_unchecked_t cm_nodes_destroyed;
31149 +atomic_unchecked_t cm_accel_dropped_pkts;
31150 +atomic_unchecked_t cm_resets_recvd;
31151
31152 static inline int mini_cm_accelerated(struct nes_cm_core *,
31153 struct nes_cm_node *);
31154 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
31155
31156 static struct nes_cm_core *g_cm_core;
31157
31158 -atomic_t cm_connects;
31159 -atomic_t cm_accepts;
31160 -atomic_t cm_disconnects;
31161 -atomic_t cm_closes;
31162 -atomic_t cm_connecteds;
31163 -atomic_t cm_connect_reqs;
31164 -atomic_t cm_rejects;
31165 +atomic_unchecked_t cm_connects;
31166 +atomic_unchecked_t cm_accepts;
31167 +atomic_unchecked_t cm_disconnects;
31168 +atomic_unchecked_t cm_closes;
31169 +atomic_unchecked_t cm_connecteds;
31170 +atomic_unchecked_t cm_connect_reqs;
31171 +atomic_unchecked_t cm_rejects;
31172
31173
31174 /**
31175 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
31176 kfree(listener);
31177 listener = NULL;
31178 ret = 0;
31179 - atomic_inc(&cm_listens_destroyed);
31180 + atomic_inc_unchecked(&cm_listens_destroyed);
31181 } else {
31182 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
31183 }
31184 @@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
31185 cm_node->rem_mac);
31186
31187 add_hte_node(cm_core, cm_node);
31188 - atomic_inc(&cm_nodes_created);
31189 + atomic_inc_unchecked(&cm_nodes_created);
31190
31191 return cm_node;
31192 }
31193 @@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
31194 }
31195
31196 atomic_dec(&cm_core->node_cnt);
31197 - atomic_inc(&cm_nodes_destroyed);
31198 + atomic_inc_unchecked(&cm_nodes_destroyed);
31199 nesqp = cm_node->nesqp;
31200 if (nesqp) {
31201 nesqp->cm_node = NULL;
31202 @@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
31203
31204 static void drop_packet(struct sk_buff *skb)
31205 {
31206 - atomic_inc(&cm_accel_dropped_pkts);
31207 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31208 dev_kfree_skb_any(skb);
31209 }
31210
31211 @@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
31212 {
31213
31214 int reset = 0; /* whether to send reset in case of err.. */
31215 - atomic_inc(&cm_resets_recvd);
31216 + atomic_inc_unchecked(&cm_resets_recvd);
31217 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
31218 " refcnt=%d\n", cm_node, cm_node->state,
31219 atomic_read(&cm_node->ref_count));
31220 @@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
31221 rem_ref_cm_node(cm_node->cm_core, cm_node);
31222 return NULL;
31223 }
31224 - atomic_inc(&cm_loopbacks);
31225 + atomic_inc_unchecked(&cm_loopbacks);
31226 loopbackremotenode->loopbackpartner = cm_node;
31227 loopbackremotenode->tcp_cntxt.rcv_wscale =
31228 NES_CM_DEFAULT_RCV_WND_SCALE;
31229 @@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
31230 add_ref_cm_node(cm_node);
31231 } else if (cm_node->state == NES_CM_STATE_TSA) {
31232 rem_ref_cm_node(cm_core, cm_node);
31233 - atomic_inc(&cm_accel_dropped_pkts);
31234 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31235 dev_kfree_skb_any(skb);
31236 break;
31237 }
31238 @@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
31239
31240 if ((cm_id) && (cm_id->event_handler)) {
31241 if (issue_disconn) {
31242 - atomic_inc(&cm_disconnects);
31243 + atomic_inc_unchecked(&cm_disconnects);
31244 cm_event.event = IW_CM_EVENT_DISCONNECT;
31245 cm_event.status = disconn_status;
31246 cm_event.local_addr = cm_id->local_addr;
31247 @@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
31248 }
31249
31250 if (issue_close) {
31251 - atomic_inc(&cm_closes);
31252 + atomic_inc_unchecked(&cm_closes);
31253 nes_disconnect(nesqp, 1);
31254
31255 cm_id->provider_data = nesqp;
31256 @@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
31257
31258 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
31259 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
31260 - atomic_inc(&cm_accepts);
31261 + atomic_inc_unchecked(&cm_accepts);
31262
31263 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
31264 netdev_refcnt_read(nesvnic->netdev));
31265 @@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
31266
31267 struct nes_cm_core *cm_core;
31268
31269 - atomic_inc(&cm_rejects);
31270 + atomic_inc_unchecked(&cm_rejects);
31271 cm_node = (struct nes_cm_node *) cm_id->provider_data;
31272 loopback = cm_node->loopbackpartner;
31273 cm_core = cm_node->cm_core;
31274 @@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
31275 ntohl(cm_id->local_addr.sin_addr.s_addr),
31276 ntohs(cm_id->local_addr.sin_port));
31277
31278 - atomic_inc(&cm_connects);
31279 + atomic_inc_unchecked(&cm_connects);
31280 nesqp->active_conn = 1;
31281
31282 /* cache the cm_id in the qp */
31283 @@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
31284 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
31285 return err;
31286 }
31287 - atomic_inc(&cm_listens_created);
31288 + atomic_inc_unchecked(&cm_listens_created);
31289 }
31290
31291 cm_id->add_ref(cm_id);
31292 @@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
31293 if (nesqp->destroyed) {
31294 return;
31295 }
31296 - atomic_inc(&cm_connecteds);
31297 + atomic_inc_unchecked(&cm_connecteds);
31298 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
31299 " local port 0x%04X. jiffies = %lu.\n",
31300 nesqp->hwqp.qp_id,
31301 @@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
31302
31303 cm_id->add_ref(cm_id);
31304 ret = cm_id->event_handler(cm_id, &cm_event);
31305 - atomic_inc(&cm_closes);
31306 + atomic_inc_unchecked(&cm_closes);
31307 cm_event.event = IW_CM_EVENT_CLOSE;
31308 cm_event.status = IW_CM_EVENT_STATUS_OK;
31309 cm_event.provider_data = cm_id->provider_data;
31310 @@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
31311 return;
31312 cm_id = cm_node->cm_id;
31313
31314 - atomic_inc(&cm_connect_reqs);
31315 + atomic_inc_unchecked(&cm_connect_reqs);
31316 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31317 cm_node, cm_id, jiffies);
31318
31319 @@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
31320 return;
31321 cm_id = cm_node->cm_id;
31322
31323 - atomic_inc(&cm_connect_reqs);
31324 + atomic_inc_unchecked(&cm_connect_reqs);
31325 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31326 cm_node, cm_id, jiffies);
31327
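Review bot: The counter incremented at the top of cm_event_mpa_reject is `cm_connect_reqs`, the same one cm_event_mpa_req bumps in the previous hunk, so a rejected MPA request appears to be counted as a connect request. The conversion to the unchecked variant carries that over unchanged. nes_reject already increments `cm_rejects` for the local reject path, so it is worth confirming which event this statistic is meant to track; if the reject handler should count rejects, the line would read `atomic_inc_unchecked(&cm_rejects);`. The function body starts and ends outside the hunk.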
31328 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h
31329 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-19 00:06:34.000000000 -0400
31330 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes.h 2011-05-22 19:36:31.000000000 -0400
31331 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
31332 extern unsigned int wqm_quanta;
31333 extern struct list_head nes_adapter_list;
31334
31335 -extern atomic_t cm_connects;
31336 -extern atomic_t cm_accepts;
31337 -extern atomic_t cm_disconnects;
31338 -extern atomic_t cm_closes;
31339 -extern atomic_t cm_connecteds;
31340 -extern atomic_t cm_connect_reqs;
31341 -extern atomic_t cm_rejects;
31342 -extern atomic_t mod_qp_timouts;
31343 -extern atomic_t qps_created;
31344 -extern atomic_t qps_destroyed;
31345 -extern atomic_t sw_qps_destroyed;
31346 +extern atomic_unchecked_t cm_connects;
31347 +extern atomic_unchecked_t cm_accepts;
31348 +extern atomic_unchecked_t cm_disconnects;
31349 +extern atomic_unchecked_t cm_closes;
31350 +extern atomic_unchecked_t cm_connecteds;
31351 +extern atomic_unchecked_t cm_connect_reqs;
31352 +extern atomic_unchecked_t cm_rejects;
31353 +extern atomic_unchecked_t mod_qp_timouts;
31354 +extern atomic_unchecked_t qps_created;
31355 +extern atomic_unchecked_t qps_destroyed;
31356 +extern atomic_unchecked_t sw_qps_destroyed;
31357 extern u32 mh_detected;
31358 extern u32 mh_pauses_sent;
31359 extern u32 cm_packets_sent;
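Review bot: Nothing in this header says why these counters become `atomic_unchecked_t` while `cm_core->node_cnt` and `cm_node->ref_count` in nes_cm.c stay `atomic_t`. In the visible uses they are only incremented and then read for ethtool statistics, so a one-line comment above the block, e.g. `/* statistics only, never used for object lifetime: wrap-around is harmless */`, would stop a later maintainer from converting a real reference count by analogy. The same comment fits the second hunk of this file and the definitions in nes_cm.c and nes_verbs.c.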
31360 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
31361 extern u32 cm_packets_received;
31362 extern u32 cm_packets_dropped;
31363 extern u32 cm_packets_retrans;
31364 -extern atomic_t cm_listens_created;
31365 -extern atomic_t cm_listens_destroyed;
31366 +extern atomic_unchecked_t cm_listens_created;
31367 +extern atomic_unchecked_t cm_listens_destroyed;
31368 extern u32 cm_backlog_drops;
31369 -extern atomic_t cm_loopbacks;
31370 -extern atomic_t cm_nodes_created;
31371 -extern atomic_t cm_nodes_destroyed;
31372 -extern atomic_t cm_accel_dropped_pkts;
31373 -extern atomic_t cm_resets_recvd;
31374 +extern atomic_unchecked_t cm_loopbacks;
31375 +extern atomic_unchecked_t cm_nodes_created;
31376 +extern atomic_unchecked_t cm_nodes_destroyed;
31377 +extern atomic_unchecked_t cm_accel_dropped_pkts;
31378 +extern atomic_unchecked_t cm_resets_recvd;
31379
31380 extern u32 int_mod_timer_init;
31381 extern u32 int_mod_cq_depth_256;
31382 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c
31383 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-19 00:06:34.000000000 -0400
31384 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_nic.c 2011-05-22 19:36:31.000000000 -0400
31385 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
31386 target_stat_values[++index] = mh_detected;
31387 target_stat_values[++index] = mh_pauses_sent;
31388 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31389 - target_stat_values[++index] = atomic_read(&cm_connects);
31390 - target_stat_values[++index] = atomic_read(&cm_accepts);
31391 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31392 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31393 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31394 - target_stat_values[++index] = atomic_read(&cm_rejects);
31395 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31396 - target_stat_values[++index] = atomic_read(&qps_created);
31397 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31398 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31399 - target_stat_values[++index] = atomic_read(&cm_closes);
31400 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31401 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31402 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31403 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31404 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31405 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31406 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31407 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31408 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31409 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31410 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31411 target_stat_values[++index] = cm_packets_sent;
31412 target_stat_values[++index] = cm_packets_bounced;
31413 target_stat_values[++index] = cm_packets_created;
31414 target_stat_values[++index] = cm_packets_received;
31415 target_stat_values[++index] = cm_packets_dropped;
31416 target_stat_values[++index] = cm_packets_retrans;
31417 - target_stat_values[++index] = atomic_read(&cm_listens_created);
31418 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
31419 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
31420 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
31421 target_stat_values[++index] = cm_backlog_drops;
31422 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31423 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31424 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31425 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31426 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31427 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31428 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31429 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31430 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31431 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31432 target_stat_values[++index] = nesadapter->free_4kpbl;
31433 target_stat_values[++index] = nesadapter->free_256pbl;
31434 target_stat_values[++index] = int_mod_timer_init;
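Review bot: Each `atomic_read_unchecked()` result is stored straight into `target_stat_values[]`, and since these counters are now explicitly allowed to wrap, a value past INT_MAX comes back negative. If the array elements are 64-bit unsigned (the declaration is outside the hunk), that negative int is sign-extended and reported as a huge number rather than a 32-bit count. Reading through an unsigned cast, e.g. `target_stat_values[++index] = (u32)atomic_read_unchecked(&cm_connects);`, keeps the reported value within the counter's real range; the same applies to every converted line in this hunk.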
31435 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c
31436 --- linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-19 00:06:34.000000000 -0400
31437 +++ linux-2.6.39.3/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-22 19:36:31.000000000 -0400
31438 @@ -46,9 +46,9 @@
31439
31440 #include <rdma/ib_umem.h>
31441
31442 -atomic_t mod_qp_timouts;
31443 -atomic_t qps_created;
31444 -atomic_t sw_qps_destroyed;
31445 +atomic_unchecked_t mod_qp_timouts;
31446 +atomic_unchecked_t qps_created;
31447 +atomic_unchecked_t sw_qps_destroyed;
31448
31449 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31450
31451 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
31452 if (init_attr->create_flags)
31453 return ERR_PTR(-EINVAL);
31454
31455 - atomic_inc(&qps_created);
31456 + atomic_inc_unchecked(&qps_created);
31457 switch (init_attr->qp_type) {
31458 case IB_QPT_RC:
31459 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31460 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
31461 struct iw_cm_event cm_event;
31462 int ret;
31463
31464 - atomic_inc(&sw_qps_destroyed);
31465 + atomic_inc_unchecked(&sw_qps_destroyed);
31466 nesqp->destroyed = 1;
31467
31468 /* Blow away the connection if it exists. */
31469 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h
31470 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-19 00:06:34.000000000 -0400
31471 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib.h 2011-05-22 19:36:31.000000000 -0400
31472 @@ -51,6 +51,7 @@
31473 #include <linux/completion.h>
31474 #include <linux/kref.h>
31475 #include <linux/sched.h>
31476 +#include <linux/slab.h>
31477
31478 #include "qib_common.h"
31479 #include "qib_verbs.h"
31480 @@ -87,7 +88,7 @@ struct qlogic_ib_stats {
31481 };
31482
31483 extern struct qlogic_ib_stats qib_stats;
31484 -extern struct pci_error_handlers qib_pci_err_handler;
31485 +extern const struct pci_error_handlers qib_pci_err_handler;
31486 extern struct pci_driver qib_driver;
31487
31488 #define QIB_CHIP_SWVERSION QIB_CHIP_VERS_MAJ
31489 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c
31490 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-19 00:06:34.000000000 -0400
31491 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_mmap.c 2011-05-22 19:36:31.000000000 -0400
31492 @@ -75,7 +75,7 @@ static void qib_vma_close(struct vm_area
31493 kref_put(&ip->ref, qib_release_mmap_info);
31494 }
31495
31496 -static struct vm_operations_struct qib_vm_ops = {
31497 +static const struct vm_operations_struct qib_vm_ops = {
31498 .open = qib_vma_open,
31499 .close = qib_vma_close,
31500 };
31501 diff -urNp linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c
31502 --- linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-19 00:06:34.000000000 -0400
31503 +++ linux-2.6.39.3/drivers/infiniband/hw/qib/qib_pcie.c 2011-05-22 19:36:31.000000000 -0400
31504 @@ -735,7 +735,7 @@ qib_pci_resume(struct pci_dev *pdev)
31505 qib_init(dd, 1); /* same as re-init after reset */
31506 }
31507
31508 -struct pci_error_handlers qib_pci_err_handler = {
31509 +const struct pci_error_handlers qib_pci_err_handler = {
31510 .error_detected = qib_pci_error_detected,
31511 .mmio_enabled = qib_pci_mmio_enabled,
31512 .link_reset = qib_pci_link_reset,
31513 diff -urNp linux-2.6.39.3/drivers/input/gameport/gameport.c linux-2.6.39.3/drivers/input/gameport/gameport.c
31514 --- linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-19 00:06:34.000000000 -0400
31515 +++ linux-2.6.39.3/drivers/input/gameport/gameport.c 2011-05-22 19:36:31.000000000 -0400
31516 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
31517 */
31518 static void gameport_init_port(struct gameport *gameport)
31519 {
31520 - static atomic_t gameport_no = ATOMIC_INIT(0);
31521 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31522
31523 __module_get(THIS_MODULE);
31524
31525 mutex_init(&gameport->drv_mutex);
31526 device_initialize(&gameport->dev);
31527 dev_set_name(&gameport->dev, "gameport%lu",
31528 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
31529 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31530 gameport->dev.bus = &gameport_bus;
31531 gameport->dev.release = gameport_release_port;
31532 if (gameport->parent)
31533 diff -urNp linux-2.6.39.3/drivers/input/input.c linux-2.6.39.3/drivers/input/input.c
31534 --- linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:18:51.000000000 -0400
31535 +++ linux-2.6.39.3/drivers/input/input.c 2011-07-09 09:19:18.000000000 -0400
31536 @@ -1815,7 +1815,7 @@ static void input_cleanse_bitmasks(struc
31537 */
31538 int input_register_device(struct input_dev *dev)
31539 {
31540 - static atomic_t input_no = ATOMIC_INIT(0);
31541 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31542 struct input_handler *handler;
31543 const char *path;
31544 int error;
31545 @@ -1852,7 +1852,7 @@ int input_register_device(struct input_d
31546 dev->setkeycode = input_default_setkeycode;
31547
31548 dev_set_name(&dev->dev, "input%ld",
31549 - (unsigned long) atomic_inc_return(&input_no) - 1);
31550 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31551
31552 error = device_add(&dev->dev);
31553 if (error)
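Review bot: The format string `"input%ld"` is paired with an argument cast to `(unsigned long)`, so the specifier and the argument disagree on signedness. It did not matter while the counter could not wrap, but with `atomic_inc_return_unchecked()` a wrapped counter yields a value that `%ld` prints as negative. gameport.c uses `"gameport%lu"` with the same cast; matching it here, `dev_set_name(&dev->dev, "input%lu",`, keeps the two consistent. Device names can also repeat once the sequence wraps, which a short comment next to `input_no` in the first hunk could acknowledge.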
31554 diff -urNp linux-2.6.39.3/drivers/input/joystick/sidewinder.c linux-2.6.39.3/drivers/input/joystick/sidewinder.c
31555 --- linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-19 00:06:34.000000000 -0400
31556 +++ linux-2.6.39.3/drivers/input/joystick/sidewinder.c 2011-05-22 19:36:31.000000000 -0400
31557 @@ -30,6 +30,7 @@
31558 #include <linux/kernel.h>
31559 #include <linux/module.h>
31560 #include <linux/slab.h>
31561 +#include <linux/sched.h>
31562 #include <linux/init.h>
31563 #include <linux/input.h>
31564 #include <linux/gameport.h>
31565 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31566 unsigned char buf[SW_LENGTH];
31567 int i;
31568
31569 + pax_track_stack();
31570 +
31571 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31572
31573 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
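Review bot: The added `pax_track_stack();` call in sw_read has no comment, and nothing at the call site says it is there because of the `buf[SW_LENGTH]` array on the stack rather than for a functional reason. A line such as `/* large stack frame: record stack depth for PaX stack clearing */` above the call would explain it, assuming that is what the helper defined elsewhere in this patch does. The `#include <linux/sched.h>` added in the first hunk is presumably what declares it, which is worth saying next to the include. The same bare call is added in the eicon connect_didd variants, sig_ind, add_b1, add_b23, group_optimization, capidtmf_recv_block and isdn_ioctl further down.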
31574 diff -urNp linux-2.6.39.3/drivers/input/joystick/xpad.c linux-2.6.39.3/drivers/input/joystick/xpad.c
31575 --- linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-19 00:06:34.000000000 -0400
31576 +++ linux-2.6.39.3/drivers/input/joystick/xpad.c 2011-05-22 19:36:31.000000000 -0400
31577 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
31578
31579 static int xpad_led_probe(struct usb_xpad *xpad)
31580 {
31581 - static atomic_t led_seq = ATOMIC_INIT(0);
31582 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31583 long led_no;
31584 struct xpad_led *led;
31585 struct led_classdev *led_cdev;
31586 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
31587 if (!led)
31588 return -ENOMEM;
31589
31590 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31591 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31592
31593 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31594 led->xpad = xpad;
31595 diff -urNp linux-2.6.39.3/drivers/input/mousedev.c linux-2.6.39.3/drivers/input/mousedev.c
31596 --- linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:18:51.000000000 -0400
31597 +++ linux-2.6.39.3/drivers/input/mousedev.c 2011-07-09 09:19:18.000000000 -0400
31598 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
31599
31600 spin_unlock_irq(&client->packet_lock);
31601
31602 - if (copy_to_user(buffer, data, count))
31603 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
31604 return -EFAULT;
31605
31606 return count;
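Review bot: The new `count > sizeof(data)` test guards only the copy out to user space, and it runs after the spinlock has been released. If `data` is filled using the same `count` earlier in mousedev_read (that part is outside the hunk), an oversized count would already have overrun the buffer by the time this check fires. The bound would then belong where `count` is computed, e.g. `if (count > sizeof(data)) count = sizeof(data);` before the buffer is written. As placed, the check still works as a last barrier against copying memory beyond `data` to the caller, and a short comment saying so would make the intent clear.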
31607 diff -urNp linux-2.6.39.3/drivers/input/serio/serio.c linux-2.6.39.3/drivers/input/serio/serio.c
31608 --- linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-19 00:06:34.000000000 -0400
31609 +++ linux-2.6.39.3/drivers/input/serio/serio.c 2011-05-22 19:36:31.000000000 -0400
31610 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
31611 */
31612 static void serio_init_port(struct serio *serio)
31613 {
31614 - static atomic_t serio_no = ATOMIC_INIT(0);
31615 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31616
31617 __module_get(THIS_MODULE);
31618
31619 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
31620 mutex_init(&serio->drv_mutex);
31621 device_initialize(&serio->dev);
31622 dev_set_name(&serio->dev, "serio%ld",
31623 - (long)atomic_inc_return(&serio_no) - 1);
31624 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31625 serio->dev.bus = &serio_bus;
31626 serio->dev.release = serio_release_port;
31627 serio->dev.groups = serio_device_attr_groups;
31628 diff -urNp linux-2.6.39.3/drivers/isdn/capi/capi.c linux-2.6.39.3/drivers/isdn/capi/capi.c
31629 --- linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-19 00:06:34.000000000 -0400
31630 +++ linux-2.6.39.3/drivers/isdn/capi/capi.c 2011-05-22 19:36:31.000000000 -0400
31631 @@ -89,8 +89,8 @@ struct capiminor {
31632
31633 struct capi20_appl *ap;
31634 u32 ncci;
31635 - atomic_t datahandle;
31636 - atomic_t msgid;
31637 + atomic_unchecked_t datahandle;
31638 + atomic_unchecked_t msgid;
31639
31640 struct tty_port port;
31641 int ttyinstop;
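Review bot: The two fields switch to `atomic_unchecked_t` without a comment saying that wrap-around is expected for them. The later hunks pass `msgid` to `capimsg_setu16()`, so only the low 16 bits appear to reach the message, and `datahandle` looks like a similar rolling identifier. A comment on the fields, e.g. `/* rolling message identifiers, truncated to 16 bits when encoded: overflow is intended */`, would document why the overflow check is deliberately switched off here.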
31642 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
31643 capimsg_setu16(s, 2, mp->ap->applid);
31644 capimsg_setu8 (s, 4, CAPI_DATA_B3);
31645 capimsg_setu8 (s, 5, CAPI_RESP);
31646 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
31647 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
31648 capimsg_setu32(s, 8, mp->ncci);
31649 capimsg_setu16(s, 12, datahandle);
31650 }
31651 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
31652 mp->outbytes -= len;
31653 spin_unlock_bh(&mp->outlock);
31654
31655 - datahandle = atomic_inc_return(&mp->datahandle);
31656 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
31657 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
31658 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31659 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
31660 capimsg_setu16(skb->data, 2, mp->ap->applid);
31661 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
31662 capimsg_setu8 (skb->data, 5, CAPI_REQ);
31663 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
31664 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
31665 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
31666 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
31667 capimsg_setu16(skb->data, 16, len); /* Data length */
31668 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/common.c linux-2.6.39.3/drivers/isdn/gigaset/common.c
31669 --- linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-19 00:06:34.000000000 -0400
31670 +++ linux-2.6.39.3/drivers/isdn/gigaset/common.c 2011-05-22 19:36:31.000000000 -0400
31671 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
31672 cs->commands_pending = 0;
31673 cs->cur_at_seq = 0;
31674 cs->gotfwver = -1;
31675 - cs->open_count = 0;
31676 + local_set(&cs->open_count, 0);
31677 cs->dev = NULL;
31678 cs->tty = NULL;
31679 cs->tty_dev = NULL;
31680 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h
31681 --- linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-19 00:06:34.000000000 -0400
31682 +++ linux-2.6.39.3/drivers/isdn/gigaset/gigaset.h 2011-05-22 19:36:31.000000000 -0400
31683 @@ -35,6 +35,7 @@
31684 #include <linux/tty_driver.h>
31685 #include <linux/list.h>
31686 #include <asm/atomic.h>
31687 +#include <asm/local.h>
31688
31689 #define GIG_VERSION {0, 5, 0, 0}
31690 #define GIG_COMPAT {0, 4, 0, 0}
31691 @@ -433,7 +434,7 @@ struct cardstate {
31692 spinlock_t cmdlock;
31693 unsigned curlen, cmdbytes;
31694
31695 - unsigned open_count;
31696 + local_t open_count;
31697 struct tty_struct *tty;
31698 struct tasklet_struct if_wake_tasklet;
31699 unsigned control_state;
31700 diff -urNp linux-2.6.39.3/drivers/isdn/gigaset/interface.c linux-2.6.39.3/drivers/isdn/gigaset/interface.c
31701 --- linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-19 00:06:34.000000000 -0400
31702 +++ linux-2.6.39.3/drivers/isdn/gigaset/interface.c 2011-05-22 19:36:31.000000000 -0400
31703 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
31704 return -ERESTARTSYS;
31705 tty->driver_data = cs;
31706
31707 - ++cs->open_count;
31708 -
31709 - if (cs->open_count == 1) {
31710 + if (local_inc_return(&cs->open_count) == 1) {
31711 spin_lock_irqsave(&cs->lock, flags);
31712 cs->tty = tty;
31713 spin_unlock_irqrestore(&cs->lock, flags);
31714 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
31715
31716 if (!cs->connected)
31717 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31718 - else if (!cs->open_count)
31719 + else if (!local_read(&cs->open_count))
31720 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31721 else {
31722 - if (!--cs->open_count) {
31723 + if (!local_dec_return(&cs->open_count)) {
31724 spin_lock_irqsave(&cs->lock, flags);
31725 cs->tty = NULL;
31726 spin_unlock_irqrestore(&cs->lock, flags);
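Review bot: `local_read()` followed by `local_dec_return()` in if_close is a check-then-act pair, and `local_t` operations are atomic only with respect to the CPU they run on. The zero test therefore does not by itself stop two closers on different CPUs from taking `open_count` below zero. The plain `unsigned` counter had the same property, so correctness presumably rests on `cs->mutex` being held around these lines (the lock calls are outside the hunk). A comment on the field in gigaset.h, e.g. `/* open_count: all updates under cs->mutex */`, together with the reason `local_t` was chosen over `atomic_t`, would record that assumption. The same pattern appears in if_open, if_ioctl, if_write and the other tty callbacks in this file.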
31727 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
31728 if (!cs->connected) {
31729 gig_dbg(DEBUG_IF, "not connected");
31730 retval = -ENODEV;
31731 - } else if (!cs->open_count)
31732 + } else if (!local_read(&cs->open_count))
31733 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31734 else {
31735 retval = 0;
31736 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
31737 retval = -ENODEV;
31738 goto done;
31739 }
31740 - if (!cs->open_count) {
31741 + if (!local_read(&cs->open_count)) {
31742 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31743 retval = -ENODEV;
31744 goto done;
31745 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
31746 if (!cs->connected) {
31747 gig_dbg(DEBUG_IF, "not connected");
31748 retval = -ENODEV;
31749 - } else if (!cs->open_count)
31750 + } else if (!local_read(&cs->open_count))
31751 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31752 else if (cs->mstate != MS_LOCKED) {
31753 dev_warn(cs->dev, "can't write to unlocked device\n");
31754 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
31755
31756 if (!cs->connected)
31757 gig_dbg(DEBUG_IF, "not connected");
31758 - else if (!cs->open_count)
31759 + else if (!local_read(&cs->open_count))
31760 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31761 else if (cs->mstate != MS_LOCKED)
31762 dev_warn(cs->dev, "can't write to unlocked device\n");
31763 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
31764
31765 if (!cs->connected)
31766 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31767 - else if (!cs->open_count)
31768 + else if (!local_read(&cs->open_count))
31769 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31770 else
31771 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31772 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
31773
31774 if (!cs->connected)
31775 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31776 - else if (!cs->open_count)
31777 + else if (!local_read(&cs->open_count))
31778 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31779 else
31780 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
31781 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
31782 goto out;
31783 }
31784
31785 - if (!cs->open_count) {
31786 + if (!local_read(&cs->open_count)) {
31787 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31788 goto out;
31789 }
31790 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c
31791 --- linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-19 00:06:34.000000000 -0400
31792 +++ linux-2.6.39.3/drivers/isdn/hardware/avm/b1.c 2011-05-22 19:36:31.000000000 -0400
31793 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
31794 }
31795 if (left) {
31796 if (t4file->user) {
31797 - if (copy_from_user(buf, dp, left))
31798 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31799 return -EFAULT;
31800 } else {
31801 memcpy(buf, dp, left);
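Review bot: The added `left > sizeof buf` bound covers only the `copy_from_user()` arm, while the `memcpy(buf, dp, left)` in the `else` branch uses the same `left` with no check. If the loop above (outside the hunk) already guarantees `left` fits in `buf`, a comment saying so would explain why one arm is guarded and the other is not. Otherwise the test should be hoisted so both copies are covered, `if (left > sizeof buf) return -EFAULT;` placed before `if (t4file->user)`. The second hunk in b1_load_config has the same shape and would take the same change.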
31802 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
31803 }
31804 if (left) {
31805 if (config->user) {
31806 - if (copy_from_user(buf, dp, left))
31807 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31808 return -EFAULT;
31809 } else {
31810 memcpy(buf, dp, left);
31811 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c
31812 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-19 00:06:34.000000000 -0400
31813 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-22 19:36:31.000000000 -0400
31814 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31815 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31816 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31817
31818 + pax_track_stack();
31819
31820 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31821 {
31822 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c
31823 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-19 00:06:34.000000000 -0400
31824 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/capifunc.c 2011-05-22 19:36:31.000000000 -0400
31825 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31826 IDI_SYNC_REQ req;
31827 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31828
31829 + pax_track_stack();
31830 +
31831 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31832
31833 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31834 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c
31835 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-19 00:06:34.000000000 -0400
31836 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-22 19:36:31.000000000 -0400
31837 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31838 IDI_SYNC_REQ req;
31839 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31840
31841 + pax_track_stack();
31842 +
31843 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31844
31845 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31846 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c
31847 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-19 00:06:34.000000000 -0400
31848 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-22 19:36:31.000000000 -0400
31849 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31850 IDI_SYNC_REQ req;
31851 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31852
31853 + pax_track_stack();
31854 +
31855 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31856
31857 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31858 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c
31859 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-19 00:06:34.000000000 -0400
31860 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/idifunc.c 2011-05-22 19:36:31.000000000 -0400
31861 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31862 IDI_SYNC_REQ req;
31863 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31864
31865 + pax_track_stack();
31866 +
31867 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31868
31869 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31870 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c
31871 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-19 00:06:34.000000000 -0400
31872 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/message.c 2011-05-22 19:36:31.000000000 -0400
31873 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31874 dword d;
31875 word w;
31876
31877 + pax_track_stack();
31878 +
31879 a = plci->adapter;
31880 Id = ((word)plci->Id<<8)|a->Id;
31881 PUT_WORD(&SS_Ind[4],0x0000);
31882 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31883 word j, n, w;
31884 dword d;
31885
31886 + pax_track_stack();
31887 +
31888
31889 for(i=0;i<8;i++) bp_parms[i].length = 0;
31890 for(i=0;i<2;i++) global_config[i].length = 0;
31891 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31892 const byte llc3[] = {4,3,2,2,6,6,0};
31893 const byte header[] = {0,2,3,3,0,0,0};
31894
31895 + pax_track_stack();
31896 +
31897 for(i=0;i<8;i++) bp_parms[i].length = 0;
31898 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31899 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31900 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
31901 word appl_number_group_type[MAX_APPL];
31902 PLCI *auxplci;
31903
31904 + pax_track_stack();
31905 +
31906 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31907
31908 if(!a->group_optimization_enabled)
31909 diff -urNp linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c
31910 --- linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-19 00:06:34.000000000 -0400
31911 +++ linux-2.6.39.3/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-22 19:36:31.000000000 -0400
31912 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31913 IDI_SYNC_REQ req;
31914 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31915
31916 + pax_track_stack();
31917 +
31918 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31919
31920 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31921 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c
31922 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-19 00:06:34.000000000 -0400
31923 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_common.c 2011-05-22 19:36:31.000000000 -0400
31924 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
31925 } iocpar;
31926 void __user *argp = (void __user *)arg;
31927
31928 + pax_track_stack();
31929 +
31930 #define name iocpar.name
31931 #define bname iocpar.bname
31932 #define iocts iocpar.iocts
31933 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c
31934 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-19 00:06:34.000000000 -0400
31935 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_net.c 2011-05-22 19:36:31.000000000 -0400
31936 @@ -400,7 +400,7 @@ isdn_net_stat_callback(int idx, isdn_ctr
31937 isdn_net_local *lp = p->local;
31938 #ifdef CONFIG_ISDN_X25
31939 struct concap_proto *cprot = lp->netdev->cprot;
31940 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31941 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31942 #endif
31943 switch (cmd) {
31944 case ISDN_STAT_BSENT:
31945 @@ -831,7 +831,7 @@ isdn_net_hangup(struct net_device *d)
31946 isdn_ctrl cmd;
31947 #ifdef CONFIG_ISDN_X25
31948 struct concap_proto *cprot = lp->netdev->cprot;
31949 - struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31950 + const struct concap_proto_ops *pops = cprot ? cprot->pops : NULL;
31951 #endif
31952
31953 if (lp->flags & ISDN_NET_CONNECTED) {
31954 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c
31955 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-19 00:06:34.000000000 -0400
31956 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.c 2011-05-22 19:36:31.000000000 -0400
31957 @@ -52,7 +52,7 @@ static int isdn_x25iface_connect_ind( st
31958 static int isdn_x25iface_disconn_ind( struct concap_proto * );
31959
31960
31961 -static struct concap_proto_ops ix25_pops = {
31962 +static const struct concap_proto_ops ix25_pops = {
31963 &isdn_x25iface_proto_new,
31964 &isdn_x25iface_proto_del,
31965 &isdn_x25iface_proto_restart,
31966 diff -urNp linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h
31967 --- linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-19 00:06:34.000000000 -0400
31968 +++ linux-2.6.39.3/drivers/isdn/i4l/isdn_x25iface.h 2011-05-22 19:36:31.000000000 -0400
31969 @@ -23,7 +23,7 @@
31970 #include <linux/isdn.h>
31971 #include <linux/concap.h>
31972
31973 -extern struct concap_proto_ops * isdn_x25iface_concap_proto_ops_pt;
31974 +extern const struct concap_proto_ops *isdn_x25iface_concap_proto_ops_pt;
31975 extern struct concap_proto * isdn_x25iface_proto_new(void);
31976
31977
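Review bot: The new declaration makes the ops table read-only but leaves the pointer itself writable, so `isdn_x25iface_concap_proto_ops_pt` can still be redirected at runtime to a different table. If the definition (not visible in this hunk) is only ever initialised and never reassigned, declaring it `extern const struct concap_proto_ops * const isdn_x25iface_concap_proto_ops_pt;`, with the matching change at the definition, would place the pointer in read-only data as well.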
31978 diff -urNp linux-2.6.39.3/drivers/isdn/icn/icn.c linux-2.6.39.3/drivers/isdn/icn/icn.c
31979 --- linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-19 00:06:34.000000000 -0400
31980 +++ linux-2.6.39.3/drivers/isdn/icn/icn.c 2011-05-22 19:36:31.000000000 -0400
31981 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
31982 if (count > len)
31983 count = len;
31984 if (user) {
31985 - if (copy_from_user(msg, buf, count))
31986 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31987 return -EFAULT;
31988 } else
31989 memcpy(msg, buf, count);
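Review bot: The new `count > sizeof msg` test guards only the `copy_from_user` branch; the `memcpy(msg, buf, count)` in the `else` branch still copies `count` bytes into the same buffer with no bound visible in this hunk. Hoisting the check above `if (user)` covers both paths: `if (count > sizeof msg) return -EINVAL;`. That also stops an oversized request from being reported as `-EFAULT`, which callers read as a bad user pointer. The declaration of `msg` and the rest of icn_writecmd are outside the hunk, so whether an earlier clamp already bounds `count` should be confirmed there.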
31990 diff -urNp linux-2.6.39.3/drivers/lguest/core.c linux-2.6.39.3/drivers/lguest/core.c
31991 --- linux-2.6.39.3/drivers/lguest/core.c 2011-05-19 00:06:34.000000000 -0400
31992 +++ linux-2.6.39.3/drivers/lguest/core.c 2011-05-22 19:36:31.000000000 -0400
31993 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
31994 * it's worked so far. The end address needs +1 because __get_vm_area
31995 * allocates an extra guard page, so we need space for that.
31996 */
31997 +
31998 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31999 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
32000 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
32001 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
32002 +#else
32003 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
32004 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
32005 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
32006 +#endif
32007 +
32008 if (!switcher_vma) {
32009 err = -ENOMEM;
32010 printk("lguest: could not map switcher pages high\n");
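Review bot: The `#if`/`#else` duplicates the whole `__get_vm_area()` call to change one flag, so a later edit to the size or address range has to be made twice and can silently diverge between KERNEXEC and non-KERNEXEC builds. Selecting only the flags under the preprocessor condition and keeping a single call would avoid that, e.g. a local `unsigned long vm_flags = VM_ALLOC;` followed by `vm_flags |= VM_KERNEXEC;` inside the `#if`. The three-way condition (`CONFIG_MODULES`, `CONFIG_X86_32`, `CONFIG_PAX_KERNEXEC`) also deserves a short comment saying why the executable mapping is requested only in that configuration. map_switcher starts before and continues after this hunk.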
32011 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
32012 * Now the Switcher is mapped at the right address, we can't fail!
32013 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
32014 */
32015 - memcpy(switcher_vma->addr, start_switcher_text,
32016 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
32017 end_switcher_text - start_switcher_text);
32018
32019 printk(KERN_INFO "lguest: mapped switcher at %p\n",
32020 diff -urNp linux-2.6.39.3/drivers/lguest/lguest_device.c linux-2.6.39.3/drivers/lguest/lguest_device.c
32021 --- linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-19 00:06:34.000000000 -0400
32022 +++ linux-2.6.39.3/drivers/lguest/lguest_device.c 2011-05-22 19:36:31.000000000 -0400
32023 @@ -374,7 +374,7 @@ error:
32024 }
32025
32026 /* The ops structure which hooks everything together. */
32027 -static struct virtio_config_ops lguest_config_ops = {
32028 +static const struct virtio_config_ops lguest_config_ops = {
32029 .get_features = lg_get_features,
32030 .finalize_features = lg_finalize_features,
32031 .get = lg_get,
32032 diff -urNp linux-2.6.39.3/drivers/lguest/x86/core.c linux-2.6.39.3/drivers/lguest/x86/core.c
32033 --- linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-19 00:06:34.000000000 -0400
32034 +++ linux-2.6.39.3/drivers/lguest/x86/core.c 2011-05-22 19:36:31.000000000 -0400
32035 @@ -59,7 +59,7 @@ static struct {
32036 /* Offset from where switcher.S was compiled to where we've copied it */
32037 static unsigned long switcher_offset(void)
32038 {
32039 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
32040 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
32041 }
32042
32043 /* This cpu's struct lguest_pages. */
32044 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
32045 * These copies are pretty cheap, so we do them unconditionally: */
32046 /* Save the current Host top-level page directory.
32047 */
32048 +
32049 +#ifdef CONFIG_PAX_PER_CPU_PGD
32050 + pages->state.host_cr3 = read_cr3();
32051 +#else
32052 pages->state.host_cr3 = __pa(current->mm->pgd);
32053 +#endif
32054 +
32055 /*
32056 * Set up the Guest's page tables to see this CPU's pages (and no
32057 * other CPU's pages).
32058 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
32059 * compiled-in switcher code and the high-mapped copy we just made.
32060 */
32061 for (i = 0; i < IDT_ENTRIES; i++)
32062 - default_idt_entries[i] += switcher_offset();
32063 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
32064
32065 /*
32066 * Set up the Switcher's per-cpu areas.
32067 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
32068 * it will be undisturbed when we switch. To change %cs and jump we
32069 * need this structure to feed to Intel's "lcall" instruction.
32070 */
32071 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
32072 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
32073 lguest_entry.segment = LGUEST_CS;
32074
32075 /*
32076 diff -urNp linux-2.6.39.3/drivers/lguest/x86/switcher_32.S linux-2.6.39.3/drivers/lguest/x86/switcher_32.S
32077 --- linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-19 00:06:34.000000000 -0400
32078 +++ linux-2.6.39.3/drivers/lguest/x86/switcher_32.S 2011-05-22 19:36:31.000000000 -0400
32079 @@ -87,6 +87,7 @@
32080 #include <asm/page.h>
32081 #include <asm/segment.h>
32082 #include <asm/lguest.h>
32083 +#include <asm/processor-flags.h>
32084
32085 // We mark the start of the code to copy
32086 // It's placed in .text tho it's never run here
32087 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
32088 // Changes type when we load it: damn Intel!
32089 // For after we switch over our page tables
32090 // That entry will be read-only: we'd crash.
32091 +
32092 +#ifdef CONFIG_PAX_KERNEXEC
32093 + mov %cr0, %edx
32094 + xor $X86_CR0_WP, %edx
32095 + mov %edx, %cr0
32096 +#endif
32097 +
32098 movl $(GDT_ENTRY_TSS*8), %edx
32099 ltr %dx
32100
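Review bot: Both added `#ifdef CONFIG_PAX_KERNEXEC` blocks flip CR0.WP with `xor $X86_CR0_WP`, so whether write protection ends up off or on depends entirely on its state at entry to switch_to_guest, which the code neither checks nor documents. Explicit operations would make each block idempotent: `andl $~X86_CR0_WP, %edx` here to open the window, and `orl $X86_CR0_WP, %eax` in the following hunk (`@@ -157,9 +165,15 @@`) to close it. A comment on the first block should say what the window is for (presumably so that `ltr` and the later `andb` can write to descriptor tables that are mapped read-only) and that it must be closed before the page tables are switched. The routine continues outside both hunks.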
32101 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
32102 // Let's clear it again for our return.
32103 // The GDT descriptor of the Host
32104 // Points to the table after two "size" bytes
32105 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
32106 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
32107 // Clear "used" from type field (byte 5, bit 2)
32108 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
32109 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
32110 +
32111 +#ifdef CONFIG_PAX_KERNEXEC
32112 + mov %cr0, %eax
32113 + xor $X86_CR0_WP, %eax
32114 + mov %eax, %cr0
32115 +#endif
32116
32117 // Once our page table's switched, the Guest is live!
32118 // The Host fades as we run this final step.
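Review bot: The host GDT base is now loaded into `%eax` instead of `%edx`, and `%eax` is then reused as scratch for the CR0 write, so the pointer that `(LGUEST_PAGES_host_gdt_desc+2)(%eax)` addressed through is gone after this block. The code that follows is outside the hunk; if anything there still addresses through `%eax` before it is reloaded, it would now use a CR0 value as a base. A comment at the first overwrite, such as `// %eax (pages pointer) is dead from here on`, would record that this was checked.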
32119 @@ -295,13 +309,12 @@ deliver_to_host:
32120 // I consulted gcc, and it gave
32121 // These instructions, which I gladly credit:
32122 leal (%edx,%ebx,8), %eax
32123 - movzwl (%eax),%edx
32124 - movl 4(%eax), %eax
32125 - xorw %ax, %ax
32126 - orl %eax, %edx
32127 + movl 4(%eax), %edx
32128 + movw (%eax), %dx
32129 // Now the address of the handler's in %edx
32130 // We call it now: its "iret" drops us home.
32131 - jmp *%edx
32132 + ljmp $__KERNEL_CS, $1f
32133 +1: jmp *%edx
32134
32135 // Every interrupt can come to us here
32136 // But we must truly tell each apart.
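Review bot: The retained comment crediting gcc for "these instructions" now sits above a hand-written replacement sequence, and the new `ljmp $__KERNEL_CS, $1f` has no explanation at all. A reader cannot tell from the hunk why %cs must be reloaded before jumping to the host handler. Presumably the switcher runs on a different code segment than the host handlers expect, but that should be stated rather than inferred. I would add `// Reload %cs with the Host kernel code segment before entering the Host's handler` above the `ljmp` and reword the gcc credit. The far jump is also unconditional, unlike the `#ifdef CONFIG_PAX_KERNEXEC` blocks earlier in this file, which is worth a word in the comment too.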
32137 diff -urNp linux-2.6.39.3/drivers/md/dm.c linux-2.6.39.3/drivers/md/dm.c
32138 --- linux-2.6.39.3/drivers/md/dm.c 2011-05-19 00:06:34.000000000 -0400
32139 +++ linux-2.6.39.3/drivers/md/dm.c 2011-05-22 19:36:31.000000000 -0400
32140 @@ -162,9 +162,9 @@ struct mapped_device {
32141 /*
32142 * Event handling.
32143 */
32144 - atomic_t event_nr;
32145 + atomic_unchecked_t event_nr;
32146 wait_queue_head_t eventq;
32147 - atomic_t uevent_seq;
32148 + atomic_unchecked_t uevent_seq;
32149 struct list_head uevent_list;
32150 spinlock_t uevent_lock; /* Protect access to uevent_list */
32151
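Review bot: `event_nr` and `uevent_seq` are switched to `atomic_unchecked_t` without a comment saying why overflow checking is safe to drop for them. The later hunks support the choice: dm_wait_event only compares `event_nr` for inequality and dm_next_uevent_seq returns the value as `uint32_t`, so neither looks like a reference count and wrap-around appears harmless. Recording that next to the fields, e.g. `/* event counters, not refcounts: wrap is harmless */`, tells the next maintainer that the opt-out was deliberate and should not be copied to fields such as `holders` or `open_count`, which alloc_dev keeps on the checked `atomic_set`.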
32152 @@ -1836,8 +1836,8 @@ static struct mapped_device *alloc_dev(i
32153 rwlock_init(&md->map_lock);
32154 atomic_set(&md->holders, 1);
32155 atomic_set(&md->open_count, 0);
32156 - atomic_set(&md->event_nr, 0);
32157 - atomic_set(&md->uevent_seq, 0);
32158 + atomic_set_unchecked(&md->event_nr, 0);
32159 + atomic_set_unchecked(&md->uevent_seq, 0);
32160 INIT_LIST_HEAD(&md->uevent_list);
32161 spin_lock_init(&md->uevent_lock);
32162
32163 @@ -1971,7 +1971,7 @@ static void event_callback(void *context
32164
32165 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
32166
32167 - atomic_inc(&md->event_nr);
32168 + atomic_inc_unchecked(&md->event_nr);
32169 wake_up(&md->eventq);
32170 }
32171
32172 @@ -2547,18 +2547,18 @@ int dm_kobject_uevent(struct mapped_devi
32173
32174 uint32_t dm_next_uevent_seq(struct mapped_device *md)
32175 {
32176 - return atomic_add_return(1, &md->uevent_seq);
32177 + return atomic_add_return_unchecked(1, &md->uevent_seq);
32178 }
32179
32180 uint32_t dm_get_event_nr(struct mapped_device *md)
32181 {
32182 - return atomic_read(&md->event_nr);
32183 + return atomic_read_unchecked(&md->event_nr);
32184 }
32185
32186 int dm_wait_event(struct mapped_device *md, int event_nr)
32187 {
32188 return wait_event_interruptible(md->eventq,
32189 - (event_nr != atomic_read(&md->event_nr)));
32190 + (event_nr != atomic_read_unchecked(&md->event_nr)));
32191 }
32192
32193 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
32194 diff -urNp linux-2.6.39.3/drivers/md/dm-crypt.c linux-2.6.39.3/drivers/md/dm-crypt.c
32195 --- linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-19 00:06:34.000000000 -0400
32196 +++ linux-2.6.39.3/drivers/md/dm-crypt.c 2011-05-22 19:36:31.000000000 -0400
32197 @@ -138,7 +138,7 @@ struct crypt_config {
32198 char *cipher;
32199 char *cipher_string;
32200
32201 - struct crypt_iv_operations *iv_gen_ops;
32202 + const struct crypt_iv_operations *iv_gen_ops;
32203 union {
32204 struct iv_essiv_private essiv;
32205 struct iv_benbi_private benbi;
32206 @@ -620,15 +620,15 @@ static int crypt_iv_lmk_post(struct cryp
32207 return r;
32208 }
32209
32210 -static struct crypt_iv_operations crypt_iv_plain_ops = {
32211 +static const struct crypt_iv_operations crypt_iv_plain_ops = {
32212 .generator = crypt_iv_plain_gen
32213 };
32214
32215 -static struct crypt_iv_operations crypt_iv_plain64_ops = {
32216 +static const struct crypt_iv_operations crypt_iv_plain64_ops = {
32217 .generator = crypt_iv_plain64_gen
32218 };
32219
32220 -static struct crypt_iv_operations crypt_iv_essiv_ops = {
32221 +static const struct crypt_iv_operations crypt_iv_essiv_ops = {
32222 .ctr = crypt_iv_essiv_ctr,
32223 .dtr = crypt_iv_essiv_dtr,
32224 .init = crypt_iv_essiv_init,
32225 @@ -636,17 +636,17 @@ static struct crypt_iv_operations crypt_
32226 .generator = crypt_iv_essiv_gen
32227 };
32228
32229 -static struct crypt_iv_operations crypt_iv_benbi_ops = {
32230 +static const struct crypt_iv_operations crypt_iv_benbi_ops = {
32231 .ctr = crypt_iv_benbi_ctr,
32232 .dtr = crypt_iv_benbi_dtr,
32233 .generator = crypt_iv_benbi_gen
32234 };
32235
32236 -static struct crypt_iv_operations crypt_iv_null_ops = {
32237 +static const struct crypt_iv_operations crypt_iv_null_ops = {
32238 .generator = crypt_iv_null_gen
32239 };
32240
32241 -static struct crypt_iv_operations crypt_iv_lmk_ops = {
32242 +static const struct crypt_iv_operations crypt_iv_lmk_ops = {
32243 .ctr = crypt_iv_lmk_ctr,
32244 .dtr = crypt_iv_lmk_dtr,
32245 .init = crypt_iv_lmk_init,
32246 diff -urNp linux-2.6.39.3/drivers/md/dm-ioctl.c linux-2.6.39.3/drivers/md/dm-ioctl.c
32247 --- linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-19 00:06:34.000000000 -0400
32248 +++ linux-2.6.39.3/drivers/md/dm-ioctl.c 2011-05-22 19:36:31.000000000 -0400
32249 @@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
32250 cmd == DM_LIST_VERSIONS_CMD)
32251 return 0;
32252
32253 - if ((cmd == DM_DEV_CREATE_CMD)) {
32254 + if (cmd == DM_DEV_CREATE_CMD) {
32255 if (!*param->name) {
32256 DMWARN("name not supplied when creating device");
32257 return -EINVAL;
32258 diff -urNp linux-2.6.39.3/drivers/md/dm-raid1.c linux-2.6.39.3/drivers/md/dm-raid1.c
32259 --- linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-19 00:06:34.000000000 -0400
32260 +++ linux-2.6.39.3/drivers/md/dm-raid1.c 2011-05-22 19:36:31.000000000 -0400
32261 @@ -42,7 +42,7 @@ enum dm_raid1_error {
32262
32263 struct mirror {
32264 struct mirror_set *ms;
32265 - atomic_t error_count;
32266 + atomic_unchecked_t error_count;
32267 unsigned long error_type;
32268 struct dm_dev *dev;
32269 sector_t offset;
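Review bot: `error_count` becomes `atomic_unchecked_t`, yet every reader changed in this file (get_valid_mirror, choose_mirror, default_ok, do_reads, device_status_char) only tests it for zero, i.e. uses it as a "has failed" flag. With wrap-around explicitly allowed, a counter that returned to 0 would make a failed mirror look healthy. That needs an implausible number of fail_mirror calls, so this is mainly something to document. A comment on the field such as `/* non-zero means the mirror has seen errors; only ever tested against 0 */` would make the intended use clear.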
32270 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
32271 struct mirror *m;
32272
32273 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
32274 - if (!atomic_read(&m->error_count))
32275 + if (!atomic_read_unchecked(&m->error_count))
32276 return m;
32277
32278 return NULL;
32279 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
32280 * simple way to tell if a device has encountered
32281 * errors.
32282 */
32283 - atomic_inc(&m->error_count);
32284 + atomic_inc_unchecked(&m->error_count);
32285
32286 if (test_and_set_bit(error_type, &m->error_type))
32287 return;
32288 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
32289 struct mirror *m = get_default_mirror(ms);
32290
32291 do {
32292 - if (likely(!atomic_read(&m->error_count)))
32293 + if (likely(!atomic_read_unchecked(&m->error_count)))
32294 return m;
32295
32296 if (m-- == ms->mirror)
32297 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
32298 {
32299 struct mirror *default_mirror = get_default_mirror(m->ms);
32300
32301 - return !atomic_read(&default_mirror->error_count);
32302 + return !atomic_read_unchecked(&default_mirror->error_count);
32303 }
32304
32305 static int mirror_available(struct mirror_set *ms, struct bio *bio)
32306 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
32307 */
32308 if (likely(region_in_sync(ms, region, 1)))
32309 m = choose_mirror(ms, bio->bi_sector);
32310 - else if (m && atomic_read(&m->error_count))
32311 + else if (m && atomic_read_unchecked(&m->error_count))
32312 m = NULL;
32313
32314 if (likely(m))
32315 @@ -939,7 +939,7 @@ static int get_mirror(struct mirror_set
32316 }
32317
32318 ms->mirror[mirror].ms = ms;
32319 - atomic_set(&(ms->mirror[mirror].error_count), 0);
32320 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
32321 ms->mirror[mirror].error_type = 0;
32322 ms->mirror[mirror].offset = offset;
32323
32324 @@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
32325 */
32326 static char device_status_char(struct mirror *m)
32327 {
32328 - if (!atomic_read(&(m->error_count)))
32329 + if (!atomic_read_unchecked(&(m->error_count)))
32330 return 'A';
32331
32332 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
32333 diff -urNp linux-2.6.39.3/drivers/md/dm-stripe.c linux-2.6.39.3/drivers/md/dm-stripe.c
32334 --- linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-19 00:06:34.000000000 -0400
32335 +++ linux-2.6.39.3/drivers/md/dm-stripe.c 2011-05-22 19:36:31.000000000 -0400
32336 @@ -20,7 +20,7 @@ struct stripe {
32337 struct dm_dev *dev;
32338 sector_t physical_start;
32339
32340 - atomic_t error_count;
32341 + atomic_unchecked_t error_count;
32342 };
32343
32344 struct stripe_c {
32345 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
32346 kfree(sc);
32347 return r;
32348 }
32349 - atomic_set(&(sc->stripe[i].error_count), 0);
32350 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
32351 }
32352
32353 ti->private = sc;
32354 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
32355 DMEMIT("%d ", sc->stripes);
32356 for (i = 0; i < sc->stripes; i++) {
32357 DMEMIT("%s ", sc->stripe[i].dev->name);
32358 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
32359 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
32360 'D' : 'A';
32361 }
32362 buffer[i] = '\0';
32363 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
32364 */
32365 for (i = 0; i < sc->stripes; i++)
32366 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
32367 - atomic_inc(&(sc->stripe[i].error_count));
32368 - if (atomic_read(&(sc->stripe[i].error_count)) <
32369 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
32370 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
32371 DM_IO_ERROR_THRESHOLD)
32372 schedule_work(&sc->trigger_event);
32373 }
32374 diff -urNp linux-2.6.39.3/drivers/md/dm-table.c linux-2.6.39.3/drivers/md/dm-table.c
32375 --- linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:04:14.000000000 -0400
32376 +++ linux-2.6.39.3/drivers/md/dm-table.c 2011-06-03 00:32:05.000000000 -0400
32377 @@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
32378 if (!dev_size)
32379 return 0;
32380
32381 - if ((start >= dev_size) || (start + len > dev_size)) {
32382 + if ((start >= dev_size) || (len > dev_size - start)) {
32383 DMWARN("%s: %s too small for target: "
32384 "start=%llu, len=%llu, dev_size=%llu",
32385 dm_device_name(ti->table->md), bdevname(bdev, b),
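Review bot: The rewritten bound `len > dev_size - start` is only safe because the `start >= dev_size` test is evaluated first, and nothing in the hunk says so. A short comment above the `if`, e.g. `/* start < dev_size is checked first, so dev_size - start cannot wrap; start + len could */`, would stop someone from reordering the condition or simplifying it back into the overflow-prone sum. `start` and `len` presumably come from the table being loaded, in which case this is the check that keeps a crafted target from extending past the end of the device. device_area_is_invalid continues outside the hunk.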
32386 diff -urNp linux-2.6.39.3/drivers/md/md.c linux-2.6.39.3/drivers/md/md.c
32387 --- linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:18:51.000000000 -0400
32388 +++ linux-2.6.39.3/drivers/md/md.c 2011-07-09 09:19:18.000000000 -0400
32389 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
32390 * start build, activate spare
32391 */
32392 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32393 -static atomic_t md_event_count;
32394 +static atomic_unchecked_t md_event_count;
32395 void md_new_event(mddev_t *mddev)
32396 {
32397 - atomic_inc(&md_event_count);
32398 + atomic_inc_unchecked(&md_event_count);
32399 wake_up(&md_event_waiters);
32400 }
32401 EXPORT_SYMBOL_GPL(md_new_event);
32402 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32403 */
32404 static void md_new_event_inintr(mddev_t *mddev)
32405 {
32406 - atomic_inc(&md_event_count);
32407 + atomic_inc_unchecked(&md_event_count);
32408 wake_up(&md_event_waiters);
32409 }
32410
32411 @@ -1454,7 +1454,7 @@ static int super_1_load(mdk_rdev_t *rdev
32412
32413 rdev->preferred_minor = 0xffff;
32414 rdev->data_offset = le64_to_cpu(sb->data_offset);
32415 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32416 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32417
32418 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32419 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32420 @@ -1632,7 +1632,7 @@ static void super_1_sync(mddev_t *mddev,
32421 else
32422 sb->resync_offset = cpu_to_le64(0);
32423
32424 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32425 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32426
32427 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32428 sb->size = cpu_to_le64(mddev->dev_sectors);
32429 @@ -2414,7 +2414,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32430 static ssize_t
32431 errors_show(mdk_rdev_t *rdev, char *page)
32432 {
32433 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32434 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32435 }
32436
32437 static ssize_t
32438 @@ -2423,7 +2423,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32439 char *e;
32440 unsigned long n = simple_strtoul(buf, &e, 10);
32441 if (*buf && (*e == 0 || *e == '\n')) {
32442 - atomic_set(&rdev->corrected_errors, n);
32443 + atomic_set_unchecked(&rdev->corrected_errors, n);
32444 return len;
32445 }
32446 return -EINVAL;
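Review bot: `n` is an `unsigned long` parsed from the sysfs write and is stored into `corrected_errors` with no range check, so a value above INT_MAX is truncated and errors_show (previous hunk) prints it with `%d` as a negative number. Switching to the `_unchecked` setter is a good moment to reject such input, e.g. `if (*buf && (*e == 0 || *e == '\n') && n <= INT_MAX) {`. super_1_sync writes the same counter into the superblock as `cnt_corrected_read`, so a bogus value would also persist on disk.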
32447 @@ -2779,8 +2779,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
32448 rdev->last_read_error.tv_sec = 0;
32449 rdev->last_read_error.tv_nsec = 0;
32450 atomic_set(&rdev->nr_pending, 0);
32451 - atomic_set(&rdev->read_errors, 0);
32452 - atomic_set(&rdev->corrected_errors, 0);
32453 + atomic_set_unchecked(&rdev->read_errors, 0);
32454 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32455
32456 INIT_LIST_HEAD(&rdev->same_set);
32457 init_waitqueue_head(&rdev->blocked_wait);
32458 @@ -6388,7 +6388,7 @@ static int md_seq_show(struct seq_file *
32459
32460 spin_unlock(&pers_lock);
32461 seq_printf(seq, "\n");
32462 - mi->event = atomic_read(&md_event_count);
32463 + mi->event = atomic_read_unchecked(&md_event_count);
32464 return 0;
32465 }
32466 if (v == (void*)2) {
32467 @@ -6477,7 +6477,7 @@ static int md_seq_show(struct seq_file *
32468 chunk_kb ? "KB" : "B");
32469 if (bitmap->file) {
32470 seq_printf(seq, ", file: ");
32471 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32472 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32473 }
32474
32475 seq_printf(seq, "\n");
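Review bot: The escape set passed to `seq_path()` gains a backslash, but there is no comment explaining that this is what keeps the bitmap file name unambiguous in the mdstat output. seq_path writes escaped characters as backslash-octal sequences, so a literal backslash in the file name could otherwise be read by a parser as the start of an escape. A comment like `/* escape '\\' too, so a file name cannot imitate an escaped sequence */` would make the reason visible. md_seq_show starts and ends outside this hunk.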
32476 @@ -6511,7 +6511,7 @@ static int md_seq_open(struct inode *ino
32477 else {
32478 struct seq_file *p = file->private_data;
32479 p->private = mi;
32480 - mi->event = atomic_read(&md_event_count);
32481 + mi->event = atomic_read_unchecked(&md_event_count);
32482 }
32483 return error;
32484 }
32485 @@ -6527,7 +6527,7 @@ static unsigned int mdstat_poll(struct f
32486 /* always allow read */
32487 mask = POLLIN | POLLRDNORM;
32488
32489 - if (mi->event != atomic_read(&md_event_count))
32490 + if (mi->event != atomic_read_unchecked(&md_event_count))
32491 mask |= POLLERR | POLLPRI;
32492 return mask;
32493 }
32494 @@ -6571,7 +6571,7 @@ static int is_mddev_idle(mddev_t *mddev,
32495 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32496 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32497 (int)part_stat_read(&disk->part0, sectors[1]) -
32498 - atomic_read(&disk->sync_io);
32499 + atomic_read_unchecked(&disk->sync_io);
32500 /* sync IO will cause sync_io to increase before the disk_stats
32501 * as sync_io is counted when a request starts, and
32502 * disk_stats is counted when it completes.
32503 diff -urNp linux-2.6.39.3/drivers/md/md.h linux-2.6.39.3/drivers/md/md.h
32504 --- linux-2.6.39.3/drivers/md/md.h 2011-05-19 00:06:34.000000000 -0400
32505 +++ linux-2.6.39.3/drivers/md/md.h 2011-05-22 19:36:31.000000000 -0400
32506 @@ -97,13 +97,13 @@ struct mdk_rdev_s
32507 * only maintained for arrays that
32508 * support hot removal
32509 */
32510 - atomic_t read_errors; /* number of consecutive read errors that
32511 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32512 * we have tried to ignore.
32513 */
32514 struct timespec last_read_error; /* monotonic time since our
32515 * last read error
32516 */
32517 - atomic_t corrected_errors; /* number of corrected read errors,
32518 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32519 * for reporting to userspace and storing
32520 * in superblock.
32521 */
32522 @@ -342,7 +342,7 @@ static inline void rdev_dec_pending(mdk_
32523
32524 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32525 {
32526 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32527 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32528 }
32529
32530 struct mdk_personality
32531 diff -urNp linux-2.6.39.3/drivers/md/raid10.c linux-2.6.39.3/drivers/md/raid10.c
32532 --- linux-2.6.39.3/drivers/md/raid10.c 2011-05-19 00:06:34.000000000 -0400
32533 +++ linux-2.6.39.3/drivers/md/raid10.c 2011-05-22 19:36:31.000000000 -0400
32534 @@ -1209,7 +1209,7 @@ static void end_sync_read(struct bio *bi
32535 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32536 set_bit(R10BIO_Uptodate, &r10_bio->state);
32537 else {
32538 - atomic_add(r10_bio->sectors,
32539 + atomic_add_unchecked(r10_bio->sectors,
32540 &conf->mirrors[d].rdev->corrected_errors);
32541 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32542 md_error(r10_bio->mddev,
32543 @@ -1417,7 +1417,7 @@ static void check_decay_read_errors(mdde
32544 {
32545 struct timespec cur_time_mon;
32546 unsigned long hours_since_last;
32547 - unsigned int read_errors = atomic_read(&rdev->read_errors);
32548 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
32549
32550 ktime_get_ts(&cur_time_mon);
32551
32552 @@ -1439,9 +1439,9 @@ static void check_decay_read_errors(mdde
32553 * overflowing the shift of read_errors by hours_since_last.
32554 */
32555 if (hours_since_last >= 8 * sizeof(read_errors))
32556 - atomic_set(&rdev->read_errors, 0);
32557 + atomic_set_unchecked(&rdev->read_errors, 0);
32558 else
32559 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
32560 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
32561 }
32562
32563 /*
32564 @@ -1476,8 +1476,8 @@ static void fix_read_error(conf_t *conf,
32565 }
32566
32567 check_decay_read_errors(mddev, rdev);
32568 - atomic_inc(&rdev->read_errors);
32569 - cur_read_error_count = atomic_read(&rdev->read_errors);
32570 + atomic_inc_unchecked(&rdev->read_errors);
32571 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
32572 if (cur_read_error_count > max_read_errors) {
32573 rcu_read_unlock();
32574 printk(KERN_NOTICE
32575 @@ -1550,7 +1550,7 @@ static void fix_read_error(conf_t *conf,
32576 test_bit(In_sync, &rdev->flags)) {
32577 atomic_inc(&rdev->nr_pending);
32578 rcu_read_unlock();
32579 - atomic_add(s, &rdev->corrected_errors);
32580 + atomic_add_unchecked(s, &rdev->corrected_errors);
32581 if (sync_page_io(rdev,
32582 r10_bio->devs[sl].addr +
32583 sect,
32584 diff -urNp linux-2.6.39.3/drivers/md/raid1.c linux-2.6.39.3/drivers/md/raid1.c
32585 --- linux-2.6.39.3/drivers/md/raid1.c 2011-05-19 00:06:34.000000000 -0400
32586 +++ linux-2.6.39.3/drivers/md/raid1.c 2011-05-22 19:36:31.000000000 -0400
32587 @@ -1342,7 +1342,7 @@ static void sync_request_write(mddev_t *
32588 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32589 continue;
32590 rdev = conf->mirrors[d].rdev;
32591 - atomic_add(s, &rdev->corrected_errors);
32592 + atomic_add_unchecked(s, &rdev->corrected_errors);
32593 if (sync_page_io(rdev,
32594 sect,
32595 s<<9,
32596 @@ -1488,7 +1488,7 @@ static void fix_read_error(conf_t *conf,
32597 /* Well, this device is dead */
32598 md_error(mddev, rdev);
32599 else {
32600 - atomic_add(s, &rdev->corrected_errors);
32601 + atomic_add_unchecked(s, &rdev->corrected_errors);
32602 printk(KERN_INFO
32603 "md/raid1:%s: read error corrected "
32604 "(%d sectors at %llu on %s)\n",
32605 diff -urNp linux-2.6.39.3/drivers/md/raid5.c linux-2.6.39.3/drivers/md/raid5.c
32606 --- linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 12:55:22.000000000 -0400
32607 +++ linux-2.6.39.3/drivers/md/raid5.c 2011-06-25 13:01:13.000000000 -0400
32608 @@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
32609 bi->bi_next = NULL;
32610 if ((rw & WRITE) &&
32611 test_bit(R5_ReWrite, &sh->dev[i].flags))
32612 - atomic_add(STRIPE_SECTORS,
32613 + atomic_add_unchecked(STRIPE_SECTORS,
32614 &rdev->corrected_errors);
32615 generic_make_request(bi);
32616 } else {
32617 @@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
32618 clear_bit(R5_ReadError, &sh->dev[i].flags);
32619 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32620 }
32621 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32622 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32623 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32624 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32625 } else {
32626 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32627 int retry = 0;
32628 rdev = conf->disks[i].rdev;
32629
32630 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32631 - atomic_inc(&rdev->read_errors);
32632 + atomic_inc_unchecked(&rdev->read_errors);
32633 if (conf->mddev->degraded >= conf->max_degraded)
32634 printk_rl(KERN_WARNING
32635 "md/raid:%s: read error not correctable "
32636 @@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
32637 (unsigned long long)(sh->sector
32638 + rdev->data_offset),
32639 bdn);
32640 - else if (atomic_read(&rdev->read_errors)
32641 + else if (atomic_read_unchecked(&rdev->read_errors)
32642 > conf->max_nr_stripes)
32643 printk(KERN_WARNING
32644 "md/raid:%s: Too many read errors, failing device %s.\n",
32645 @@ -1947,6 +1947,7 @@ static sector_t compute_blocknr(struct s
32646 sector_t r_sector;
32647 struct stripe_head sh2;
32648
32649 + pax_track_stack();
32650
32651 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32652 stripe = new_sector;
32653 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_hlp.c linux-2.6.39.3/drivers/media/common/saa7146_hlp.c
32654 --- linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-19 00:06:34.000000000 -0400
32655 +++ linux-2.6.39.3/drivers/media/common/saa7146_hlp.c 2011-05-22 19:36:31.000000000 -0400
32656 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32657
32658 int x[32], y[32], w[32], h[32];
32659
32660 + pax_track_stack();
32661 +
32662 /* clear out memory */
32663 memset(&line_list[0], 0x00, sizeof(u32)*32);
32664 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32665 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_vbi.c linux-2.6.39.3/drivers/media/common/saa7146_vbi.c
32666 --- linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-19 00:06:34.000000000 -0400
32667 +++ linux-2.6.39.3/drivers/media/common/saa7146_vbi.c 2011-05-22 19:36:31.000000000 -0400
32668 @@ -501,7 +501,7 @@ static ssize_t vbi_read(struct file *fil
32669 return ret;
32670 }
32671
32672 -struct saa7146_use_ops saa7146_vbi_uops = {
32673 +const struct saa7146_use_ops saa7146_vbi_uops = {
32674 .init = vbi_init,
32675 .open = vbi_open,
32676 .release = vbi_close,
32677 diff -urNp linux-2.6.39.3/drivers/media/common/saa7146_video.c linux-2.6.39.3/drivers/media/common/saa7146_video.c
32678 --- linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-19 00:06:34.000000000 -0400
32679 +++ linux-2.6.39.3/drivers/media/common/saa7146_video.c 2011-05-22 19:36:31.000000000 -0400
32680 @@ -1420,7 +1420,7 @@ out:
32681 return ret;
32682 }
32683
32684 -struct saa7146_use_ops saa7146_video_uops = {
32685 +const struct saa7146_use_ops saa7146_video_uops = {
32686 .init = video_init,
32687 .open = video_open,
32688 .release = video_close,
32689 diff -urNp linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c
32690 --- linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-19 00:06:34.000000000 -0400
32691 +++ linux-2.6.39.3/drivers/media/dvb/dm1105/dm1105.c 2011-05-22 19:36:31.000000000 -0400
32692 @@ -418,7 +418,7 @@ static u32 functionality(struct i2c_adap
32693 return I2C_FUNC_I2C;
32694 }
32695
32696 -static struct i2c_algorithm dm1105_algo = {
32697 +static const struct i2c_algorithm dm1105_algo = {
32698 .master_xfer = dm1105_i2c_xfer,
32699 .functionality = functionality,
32700 };
32701 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32702 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-19 00:06:34.000000000 -0400
32703 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-22 19:36:31.000000000 -0400
32704 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32705 u8 buf[HOST_LINK_BUF_SIZE];
32706 int i;
32707
32708 + pax_track_stack();
32709 +
32710 dprintk("%s\n", __func__);
32711
32712 /* check if we have space for a link buf in the rx_buffer */
32713 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32714 unsigned long timeout;
32715 int written;
32716
32717 + pax_track_stack();
32718 +
32719 dprintk("%s\n", __func__);
32720
32721 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32722 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c
32723 --- linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-19 00:06:34.000000000 -0400
32724 +++ linux-2.6.39.3/drivers/media/dvb/dvb-core/dvbdev.c 2011-05-22 19:36:31.000000000 -0400
32725 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
32726 const struct dvb_device *template, void *priv, int type)
32727 {
32728 struct dvb_device *dvbdev;
32729 - struct file_operations *dvbdevfops;
32730 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
32731 struct device *clsdev;
32732 int minor;
32733 int id;
32734 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c
32735 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-19 00:06:34.000000000 -0400
32736 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-22 19:36:31.000000000 -0400
32737 @@ -391,6 +391,8 @@ int dib0700_download_firmware(struct usb
32738
32739 u8 buf[260];
32740
32741 + pax_track_stack();
32742 +
32743 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32744 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
32745 hx.addr, hx.len, hx.chk);
32746 diff -urNp linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c
32747 --- linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-19 00:06:34.000000000 -0400
32748 +++ linux-2.6.39.3/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-22 19:36:31.000000000 -0400
32749 @@ -663,6 +663,7 @@ static int lme2510_download_firmware(str
32750 packet_size = 0x31;
32751 len_in = 1;
32752
32753 + pax_track_stack();
32754
32755 info("FRM Starting Firmware Download");
32756
32757 @@ -715,6 +716,8 @@ static void lme_coldreset(struct usb_dev
32758 int ret = 0, len_in;
32759 u8 data[512] = {0};
32760
32761 + pax_track_stack();
32762 +
32763 data[0] = 0x0a;
32764 len_in = 1;
32765 info("FRM Firmware Cold Reset");
32766 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c
32767 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:04:14.000000000 -0400
32768 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib7000p.c 2011-06-03 00:32:05.000000000 -0400
32769 @@ -1945,7 +1945,7 @@ static u32 dib7000p_i2c_func(struct i2c_
32770 return I2C_FUNC_I2C;
32771 }
32772
32773 -static struct i2c_algorithm dib7090_tuner_xfer_algo = {
32774 +static const struct i2c_algorithm dib7090_tuner_xfer_algo = {
32775 .master_xfer = dib7090_tuner_xfer,
32776 .functionality = dib7000p_i2c_func,
32777 };
32778 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c
32779 --- linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:04:14.000000000 -0400
32780 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dib9000.c 2011-06-03 00:32:05.000000000 -0400
32781 @@ -1676,12 +1676,12 @@ static u32 dib9000_i2c_func(struct i2c_a
32782 return I2C_FUNC_I2C;
32783 }
32784
32785 -static struct i2c_algorithm dib9000_tuner_algo = {
32786 +static const struct i2c_algorithm dib9000_tuner_algo = {
32787 .master_xfer = dib9000_tuner_xfer,
32788 .functionality = dib9000_i2c_func,
32789 };
32790
32791 -static struct i2c_algorithm dib9000_component_bus_algo = {
32792 +static const struct i2c_algorithm dib9000_component_bus_algo = {
32793 .master_xfer = dib9000_fw_component_bus_xfer,
32794 .functionality = dib9000_i2c_func,
32795 };
32796 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c
32797 --- linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:04:14.000000000 -0400
32798 +++ linux-2.6.39.3/drivers/media/dvb/frontends/dibx000_common.c 2011-06-03 00:37:36.000000000 -0400
32799 @@ -221,12 +221,12 @@ static int dibx000_i2c_master_xfer_gpio3
32800 return num;
32801 }
32802
32803 -static struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32804 +static const struct i2c_algorithm dibx000_i2c_master_gpio12_xfer_algo = {
32805 .master_xfer = dibx000_i2c_master_xfer_gpio12,
32806 .functionality = dibx000_i2c_func,
32807 };
32808
32809 -static struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32810 +static const struct i2c_algorithm dibx000_i2c_master_gpio34_xfer_algo = {
32811 .master_xfer = dibx000_i2c_master_xfer_gpio34,
32812 .functionality = dibx000_i2c_func,
32813 };
32814 @@ -285,7 +285,7 @@ static int dibx000_i2c_gated_gpio67_xfer
32815 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32816 }
32817
32818 -static struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32819 +static const struct i2c_algorithm dibx000_i2c_gated_gpio67_algo = {
32820 .master_xfer = dibx000_i2c_gated_gpio67_xfer,
32821 .functionality = dibx000_i2c_func,
32822 };
32823 @@ -322,7 +322,7 @@ static int dibx000_i2c_gated_tuner_xfer(
32824 return i2c_transfer(mst->i2c_adap, mst->msg, 2 + num) == 2 + num ? num : -EIO;
32825 }
32826
32827 -static struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32828 +static const struct i2c_algorithm dibx000_i2c_gated_tuner_algo = {
32829 .master_xfer = dibx000_i2c_gated_tuner_xfer,
32830 .functionality = dibx000_i2c_func,
32831 };
32832 @@ -375,7 +375,7 @@ void dibx000_reset_i2c_master(struct dib
32833 EXPORT_SYMBOL(dibx000_reset_i2c_master);
32834
32835 static int i2c_adapter_init(struct i2c_adapter *i2c_adap,
32836 - struct i2c_algorithm *algo, const char *name,
32837 + const struct i2c_algorithm *algo, const char *name,
32838 struct dibx000_i2c_master *mst)
32839 {
32840 strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));
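Review bot: In i2c_adapter_init the context line `strncpy(i2c_adap->name, name, sizeof(i2c_adap->name));` leaves the adapter name without a terminating NUL when `name` is at least as long as the destination, and the constification in this hunk does not touch that. `strlcpy(i2c_adap->name, name, sizeof(i2c_adap->name));` always terminates and is already used in this patch's context lines (cx18_read_eeprom). The rest of the function is outside the hunk, so a later explicit termination cannot be ruled out.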
32841 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c
32842 --- linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-19 00:06:34.000000000 -0400
32843 +++ linux-2.6.39.3/drivers/media/dvb/frontends/mb86a16.c 2011-05-22 19:36:31.000000000 -0400
32844 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
32845 int ret = -1;
32846 int sync;
32847
32848 + pax_track_stack();
32849 +
32850 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
32851
32852 fcp = 3000;
32853 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c
32854 --- linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-19 00:06:34.000000000 -0400
32855 +++ linux-2.6.39.3/drivers/media/dvb/frontends/or51211.c 2011-05-22 19:36:31.000000000 -0400
32856 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32857 u8 tudata[585];
32858 int i;
32859
32860 + pax_track_stack();
32861 +
32862 dprintk("Firmware is %zd bytes\n",fw->size);
32863
32864 /* Get eprom data */
32865 diff -urNp linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c
32866 --- linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-19 00:06:34.000000000 -0400
32867 +++ linux-2.6.39.3/drivers/media/dvb/frontends/s5h1420.c 2011-05-22 19:36:31.000000000 -0400
32868 @@ -870,7 +870,7 @@ static int s5h1420_tuner_i2c_tuner_xfer(
32869 return i2c_transfer(state->i2c, m, 1+num) == 1 + num ? num : -EIO;
32870 }
32871
32872 -static struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32873 +static const struct i2c_algorithm s5h1420_tuner_i2c_algo = {
32874 .master_xfer = s5h1420_tuner_i2c_tuner_xfer,
32875 .functionality = s5h1420_tuner_i2c_func,
32876 };
32877 diff -urNp linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c
32878 --- linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-19 00:06:34.000000000 -0400
32879 +++ linux-2.6.39.3/drivers/media/dvb/mantis/mantis_i2c.c 2011-05-22 19:36:31.000000000 -0400
32880 @@ -212,7 +212,7 @@ static u32 mantis_i2c_func(struct i2c_ad
32881 return I2C_FUNC_SMBUS_EMUL;
32882 }
32883
32884 -static struct i2c_algorithm mantis_algo = {
32885 +static const struct i2c_algorithm mantis_algo = {
32886 .master_xfer = mantis_i2c_xfer,
32887 .functionality = mantis_i2c_func,
32888 };
32889 diff -urNp linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c
32890 --- linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-19 00:06:34.000000000 -0400
32891 +++ linux-2.6.39.3/drivers/media/dvb/ttusb-dec/ttusb_dec.c 2011-05-22 19:36:31.000000000 -0400
32892 @@ -1614,7 +1614,7 @@ static int fe_send_command(struct dvb_fr
32893 return ttusb_dec_send_command(dec, command, param_length, params, result_length, cmd_result);
32894 }
32895
32896 -static struct ttusbdecfe_config fe_config = {
32897 +static const struct ttusbdecfe_config fe_config = {
32898 .send_command = fe_send_command
32899 };
32900
32901 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-cadet.c linux-2.6.39.3/drivers/media/radio/radio-cadet.c
32902 --- linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-19 00:06:34.000000000 -0400
32903 +++ linux-2.6.39.3/drivers/media/radio/radio-cadet.c 2011-05-22 19:36:31.000000000 -0400
32904 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
32905 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32906 mutex_unlock(&dev->lock);
32907
32908 - if (copy_to_user(data, readbuf, i))
32909 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32910 return -EFAULT;
32911 return i;
32912 }
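Review bot: The new `i > sizeof readbuf` test in cadet_read runs only after the context line `readbuf[i++] = dev->rdsbuf[dev->rdsout++];` has already stored into readbuf, so it bounds the copy_to_user() length but not the writes to the stack buffer itself. If the loop that fills readbuf (its condition is outside the hunk) does not already cap `i` at the buffer size, the bound belongs there, for example `i < sizeof readbuf` added to the loop condition. Returning -EFAULT for an internal length error also reports it as a bad user pointer; if that choice is deliberate, a one-line comment should say so.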
32913 diff -urNp linux-2.6.39.3/drivers/media/radio/radio-si4713.c linux-2.6.39.3/drivers/media/radio/radio-si4713.c
32914 --- linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-19 00:06:34.000000000 -0400
32915 +++ linux-2.6.39.3/drivers/media/radio/radio-si4713.c 2011-05-22 19:36:31.000000000 -0400
32916 @@ -231,7 +231,7 @@ static long radio_si4713_default(struct
32917 ioctl, cmd, arg);
32918 }
32919
32920 -static struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32921 +static const struct v4l2_ioctl_ops radio_si4713_ioctl_ops = {
32922 .vidioc_enumaudout = radio_si4713_enumaudout,
32923 .vidioc_g_audout = radio_si4713_g_audout,
32924 .vidioc_s_audout = radio_si4713_s_audout,
32925 diff -urNp linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c
32926 --- linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-19 00:06:34.000000000 -0400
32927 +++ linux-2.6.39.3/drivers/media/rc/ir-lirc-codec.c 2011-05-22 19:36:31.000000000 -0400
32928 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
32929 return;
32930 }
32931
32932 -static struct file_operations lirc_fops = {
32933 +static const struct file_operations lirc_fops = {
32934 .owner = THIS_MODULE,
32935 .write = ir_lirc_transmit_ir,
32936 .unlocked_ioctl = ir_lirc_ioctl,
32937 diff -urNp linux-2.6.39.3/drivers/media/rc/lirc_dev.c linux-2.6.39.3/drivers/media/rc/lirc_dev.c
32938 --- linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-19 00:06:34.000000000 -0400
32939 +++ linux-2.6.39.3/drivers/media/rc/lirc_dev.c 2011-05-22 19:36:31.000000000 -0400
32940 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
32941 }
32942
32943
32944 -static struct file_operations lirc_dev_fops = {
32945 +static const struct file_operations lirc_dev_fops = {
32946 .owner = THIS_MODULE,
32947 .read = lirc_dev_fop_read,
32948 .write = lirc_dev_fop_write,
32949 diff -urNp linux-2.6.39.3/drivers/media/rc/rc-main.c linux-2.6.39.3/drivers/media/rc/rc-main.c
32950 --- linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-19 00:06:34.000000000 -0400
32951 +++ linux-2.6.39.3/drivers/media/rc/rc-main.c 2011-05-22 19:36:31.000000000 -0400
32952 @@ -996,7 +996,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
32953
32954 int rc_register_device(struct rc_dev *dev)
32955 {
32956 - static atomic_t devno = ATOMIC_INIT(0);
32957 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
32958 struct rc_map *rc_map;
32959 const char *path;
32960 int rc;
32961 @@ -1019,7 +1019,7 @@ int rc_register_device(struct rc_dev *de
32962 if (dev->close)
32963 dev->input_dev->close = ir_close;
32964
32965 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
32966 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
32967 dev_set_name(&dev->dev, "rc%ld", dev->devno);
32968 dev_set_drvdata(&dev->dev, dev);
32969 rc = device_add(&dev->dev);
32970 diff -urNp linux-2.6.39.3/drivers/media/video/cafe_ccic.c linux-2.6.39.3/drivers/media/video/cafe_ccic.c
32971 --- linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-19 00:06:34.000000000 -0400
32972 +++ linux-2.6.39.3/drivers/media/video/cafe_ccic.c 2011-05-22 19:36:31.000000000 -0400
32973 @@ -520,7 +520,7 @@ static u32 cafe_smbus_func(struct i2c_ad
32974 I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
32975 }
32976
32977 -static struct i2c_algorithm cafe_smbus_algo = {
32978 +static const struct i2c_algorithm cafe_smbus_algo = {
32979 .smbus_xfer = cafe_smbus_xfer,
32980 .functionality = cafe_smbus_func
32981 };
32982 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c
32983 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-19 00:06:34.000000000 -0400
32984 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-alsa-pcm.c 2011-05-22 19:36:31.000000000 -0400
32985 @@ -314,7 +314,7 @@ static struct page *snd_pcm_get_vmalloc_
32986 return vmalloc_to_page(pageptr);
32987 }
32988
32989 -static struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32990 +static const struct snd_pcm_ops snd_cx18_pcm_capture_ops = {
32991 .open = snd_cx18_pcm_capture_open,
32992 .close = snd_cx18_pcm_capture_close,
32993 .ioctl = snd_cx18_pcm_ioctl,
32994 diff -urNp linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c
32995 --- linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-19 00:06:34.000000000 -0400
32996 +++ linux-2.6.39.3/drivers/media/video/cx18/cx18-driver.c 2011-05-22 19:36:31.000000000 -0400
32997 @@ -61,7 +61,7 @@ static struct pci_device_id cx18_pci_tbl
32998
32999 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
33000
33001 -static atomic_t cx18_instance = ATOMIC_INIT(0);
33002 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
33003
33004 /* Parameter declarations */
33005 static int cardtype[CX18_MAX_CARDS];
33006 @@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
33007 struct i2c_client c;
33008 u8 eedata[256];
33009
33010 + pax_track_stack();
33011 +
33012 memset(&c, 0, sizeof(c));
33013 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
33014 c.adapter = &cx->i2c_adap[0];
33015 @@ -892,7 +894,7 @@ static int __devinit cx18_probe(struct p
33016 struct cx18 *cx;
33017
33018 /* FIXME - module parameter arrays constrain max instances */
33019 - i = atomic_inc_return(&cx18_instance) - 1;
33020 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
33021 if (i >= CX18_MAX_CARDS) {
33022 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
33023 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
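Review bot: With cx18_instance now an atomic_unchecked_t the counter is allowed to wrap, and the only guard after `atomic_inc_return_unchecked(&cx18_instance) - 1` in cx18_probe is the upper bound `i >= CX18_MAX_CARDS`. If `i` is a signed int, as the `%d` in the printk suggests (its declaration is outside the hunk), a wrapped counter yields a negative `i` that passes this test. Changing the test to `if (i < 0 || i >= CX18_MAX_CARDS) {` closes that, and a comment on the declaration saying the counter is an instance number rather than a reference count would explain the unchecked type. The rc-main.c and ivtv-driver.c hunks make the same switch for their instance counters.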
33024 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c
33025 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-19 00:06:34.000000000 -0400
33026 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-audio.c 2011-05-22 19:36:31.000000000 -0400
33027 @@ -613,7 +613,7 @@ static struct page *snd_pcm_get_vmalloc_
33028 return vmalloc_to_page(pageptr);
33029 }
33030
33031 -static struct snd_pcm_ops snd_cx231xx_pcm_capture = {
33032 +static const struct snd_pcm_ops snd_cx231xx_pcm_capture = {
33033 .open = snd_cx231xx_capture_open,
33034 .close = snd_cx231xx_pcm_close,
33035 .ioctl = snd_pcm_lib_ioctl,
33036 diff -urNp linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c
33037 --- linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33038 +++ linux-2.6.39.3/drivers/media/video/cx231xx/cx231xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33039 @@ -435,7 +435,7 @@ static u32 functionality(struct i2c_adap
33040 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33041 }
33042
33043 -static struct i2c_algorithm cx231xx_algo = {
33044 +static const struct i2c_algorithm cx231xx_algo = {
33045 .master_xfer = cx231xx_i2c_xfer,
33046 .functionality = functionality,
33047 };
33048 diff -urNp linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c
33049 --- linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-19 00:06:34.000000000 -0400
33050 +++ linux-2.6.39.3/drivers/media/video/cx23885/cx23885-input.c 2011-05-22 19:36:31.000000000 -0400
33051 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
33052 bool handle = false;
33053 struct ir_raw_event ir_core_event[64];
33054
33055 + pax_track_stack();
33056 +
33057 do {
33058 num = 0;
33059 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
33060 diff -urNp linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c
33061 --- linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-19 00:06:34.000000000 -0400
33062 +++ linux-2.6.39.3/drivers/media/video/cx88/cx88-alsa.c 2011-05-22 19:36:31.000000000 -0400
33063 @@ -519,7 +519,7 @@ static struct page *snd_cx88_page(struct
33064 /*
33065 * operators
33066 */
33067 -static struct snd_pcm_ops snd_cx88_pcm_ops = {
33068 +static const struct snd_pcm_ops snd_cx88_pcm_ops = {
33069 .open = snd_cx88_pcm_open,
33070 .close = snd_cx88_close,
33071 .ioctl = snd_pcm_lib_ioctl,
33072 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h
33073 --- linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-19 00:06:34.000000000 -0400
33074 +++ linux-2.6.39.3/drivers/media/video/davinci/ccdc_hw_device.h 2011-05-22 19:36:31.000000000 -0400
33075 @@ -99,7 +99,7 @@ struct ccdc_hw_device {
33076 /* module owner */
33077 struct module *owner;
33078 /* hw ops */
33079 - struct ccdc_hw_ops hw_ops;
33080 + const struct ccdc_hw_ops hw_ops;
33081 };
33082
33083 /* Used by CCDC module to register & unregister with vpfe capture driver */
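Review bot: Making the embedded member `const struct ccdc_hw_ops hw_ops;` const does not place the containing object in read-only memory unless that object is itself defined const, and it forbids any runtime assignment to the member, so every struct ccdc_hw_device must now be fully initialised at its definition. The vpss.c hunk below makes the same change to struct vpss_oper_config while its context still shows `static struct vpss_oper_config oper_cfg;` with no initialiser, so any code that fills in oper_cfg.hw_ops at run time (none is visible here) would no longer compile or would need a cast; isp.h does the same for platform_cb. If the aim is write protection of the function pointers, a pointer to a const table, `const struct ccdc_hw_ops *hw_ops;`, expresses it, at the cost of touching the users.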
33084 diff -urNp linux-2.6.39.3/drivers/media/video/davinci/vpss.c linux-2.6.39.3/drivers/media/video/davinci/vpss.c
33085 --- linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-19 00:06:34.000000000 -0400
33086 +++ linux-2.6.39.3/drivers/media/video/davinci/vpss.c 2011-05-22 19:36:31.000000000 -0400
33087 @@ -103,7 +103,7 @@ struct vpss_oper_config {
33088 __iomem void *vpss_regs_base1;
33089 enum vpss_platform_type platform;
33090 spinlock_t vpss_lock;
33091 - struct vpss_hw_ops hw_ops;
33092 + const struct vpss_hw_ops hw_ops;
33093 };
33094
33095 static struct vpss_oper_config oper_cfg;
33096 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c
33097 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-19 00:06:34.000000000 -0400
33098 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-audio.c 2011-05-22 19:36:31.000000000 -0400
33099 @@ -432,7 +432,7 @@ static struct page *snd_pcm_get_vmalloc_
33100 return vmalloc_to_page(pageptr);
33101 }
33102
33103 -static struct snd_pcm_ops snd_em28xx_pcm_capture = {
33104 +static const struct snd_pcm_ops snd_em28xx_pcm_capture = {
33105 .open = snd_em28xx_capture_open,
33106 .close = snd_em28xx_pcm_close,
33107 .ioctl = snd_pcm_lib_ioctl,
33108 diff -urNp linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c
33109 --- linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-19 00:06:34.000000000 -0400
33110 +++ linux-2.6.39.3/drivers/media/video/em28xx/em28xx-i2c.c 2011-05-22 19:36:31.000000000 -0400
33111 @@ -451,7 +451,7 @@ static u32 functionality(struct i2c_adap
33112 return I2C_FUNC_SMBUS_EMUL;
33113 }
33114
33115 -static struct i2c_algorithm em28xx_algo = {
33116 +static const struct i2c_algorithm em28xx_algo = {
33117 .master_xfer = em28xx_i2c_xfer,
33118 .functionality = functionality,
33119 };
33120 diff -urNp linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c
33121 --- linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-19 00:06:34.000000000 -0400
33122 +++ linux-2.6.39.3/drivers/media/video/hdpvr/hdpvr-i2c.c 2011-05-22 19:36:31.000000000 -0400
33123 @@ -179,7 +179,7 @@ static u32 hdpvr_functionality(struct i2
33124 return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
33125 }
33126
33127 -static struct i2c_algorithm hdpvr_algo = {
33128 +static const struct i2c_algorithm hdpvr_algo = {
33129 .master_xfer = hdpvr_transfer,
33130 .functionality = hdpvr_functionality,
33131 };
33132 diff -urNp linux-2.6.39.3/drivers/media/video/imx074.c linux-2.6.39.3/drivers/media/video/imx074.c
33133 --- linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-19 00:06:34.000000000 -0400
33134 +++ linux-2.6.39.3/drivers/media/video/imx074.c 2011-05-22 19:36:31.000000000 -0400
33135 @@ -267,7 +267,7 @@ static int imx074_g_chip_ident(struct v4
33136 return 0;
33137 }
33138
33139 -static struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33140 +static const struct v4l2_subdev_video_ops imx074_subdev_video_ops = {
33141 .s_stream = imx074_s_stream,
33142 .s_mbus_fmt = imx074_s_fmt,
33143 .g_mbus_fmt = imx074_g_fmt,
33144 @@ -277,7 +277,7 @@ static struct v4l2_subdev_video_ops imx0
33145 .cropcap = imx074_cropcap,
33146 };
33147
33148 -static struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33149 +static const struct v4l2_subdev_core_ops imx074_subdev_core_ops = {
33150 .g_chip_ident = imx074_g_chip_ident,
33151 };
33152
33153 diff -urNp linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c
33154 --- linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-19 00:06:34.000000000 -0400
33155 +++ linux-2.6.39.3/drivers/media/video/ivtv/ivtv-driver.c 2011-05-22 19:36:31.000000000 -0400
33156 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
33157 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
33158
33159 /* ivtv instance counter */
33160 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
33161 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
33162
33163 /* Parameter declarations */
33164 static int cardtype[IVTV_MAX_CARDS];
33165 diff -urNp linux-2.6.39.3/drivers/media/video/mt9m001.c linux-2.6.39.3/drivers/media/video/mt9m001.c
33166 --- linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-19 00:06:34.000000000 -0400
33167 +++ linux-2.6.39.3/drivers/media/video/mt9m001.c 2011-05-22 19:36:31.000000000 -0400
33168 @@ -691,7 +691,7 @@ static int mt9m001_g_skip_top_lines(stru
33169 return 0;
33170 }
33171
33172 -static struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33173 +static const struct v4l2_subdev_core_ops mt9m001_subdev_core_ops = {
33174 .g_ctrl = mt9m001_g_ctrl,
33175 .s_ctrl = mt9m001_s_ctrl,
33176 .g_chip_ident = mt9m001_g_chip_ident,
33177 @@ -714,7 +714,7 @@ static int mt9m001_enum_fmt(struct v4l2_
33178 return 0;
33179 }
33180
33181 -static struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33182 +static const struct v4l2_subdev_video_ops mt9m001_subdev_video_ops = {
33183 .s_stream = mt9m001_s_stream,
33184 .s_mbus_fmt = mt9m001_s_fmt,
33185 .g_mbus_fmt = mt9m001_g_fmt,
33186 @@ -725,7 +725,7 @@ static struct v4l2_subdev_video_ops mt9m
33187 .enum_mbus_fmt = mt9m001_enum_fmt,
33188 };
33189
33190 -static struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33191 +static const struct v4l2_subdev_sensor_ops mt9m001_subdev_sensor_ops = {
33192 .g_skip_top_lines = mt9m001_g_skip_top_lines,
33193 };
33194
33195 diff -urNp linux-2.6.39.3/drivers/media/video/mt9t031.c linux-2.6.39.3/drivers/media/video/mt9t031.c
33196 --- linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-19 00:06:34.000000000 -0400
33197 +++ linux-2.6.39.3/drivers/media/video/mt9t031.c 2011-05-22 19:36:31.000000000 -0400
33198 @@ -725,7 +725,7 @@ static int mt9t031_runtime_resume(struct
33199 return 0;
33200 }
33201
33202 -static struct dev_pm_ops mt9t031_dev_pm_ops = {
33203 +static const struct dev_pm_ops mt9t031_dev_pm_ops = {
33204 .runtime_suspend = mt9t031_runtime_suspend,
33205 .runtime_resume = mt9t031_runtime_resume,
33206 };
33207 @@ -788,7 +788,7 @@ static int mt9t031_g_skip_top_lines(stru
33208 return 0;
33209 }
33210
33211 -static struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33212 +static const struct v4l2_subdev_core_ops mt9t031_subdev_core_ops = {
33213 .g_ctrl = mt9t031_g_ctrl,
33214 .s_ctrl = mt9t031_s_ctrl,
33215 .g_chip_ident = mt9t031_g_chip_ident,
33216 @@ -808,7 +808,7 @@ static int mt9t031_enum_fmt(struct v4l2_
33217 return 0;
33218 }
33219
33220 -static struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33221 +static const struct v4l2_subdev_video_ops mt9t031_subdev_video_ops = {
33222 .s_stream = mt9t031_s_stream,
33223 .s_mbus_fmt = mt9t031_s_fmt,
33224 .g_mbus_fmt = mt9t031_g_fmt,
33225 @@ -819,7 +819,7 @@ static struct v4l2_subdev_video_ops mt9t
33226 .enum_mbus_fmt = mt9t031_enum_fmt,
33227 };
33228
33229 -static struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33230 +static const struct v4l2_subdev_sensor_ops mt9t031_subdev_sensor_ops = {
33231 .g_skip_top_lines = mt9t031_g_skip_top_lines,
33232 };
33233
33234 diff -urNp linux-2.6.39.3/drivers/media/video/mt9v022.c linux-2.6.39.3/drivers/media/video/mt9v022.c
33235 --- linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-19 00:06:34.000000000 -0400
33236 +++ linux-2.6.39.3/drivers/media/video/mt9v022.c 2011-05-22 19:36:31.000000000 -0400
33237 @@ -825,7 +825,7 @@ static int mt9v022_g_skip_top_lines(stru
33238 return 0;
33239 }
33240
33241 -static struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33242 +static const struct v4l2_subdev_core_ops mt9v022_subdev_core_ops = {
33243 .g_ctrl = mt9v022_g_ctrl,
33244 .s_ctrl = mt9v022_s_ctrl,
33245 .g_chip_ident = mt9v022_g_chip_ident,
33246 @@ -848,7 +848,7 @@ static int mt9v022_enum_fmt(struct v4l2_
33247 return 0;
33248 }
33249
33250 -static struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33251 +static const struct v4l2_subdev_video_ops mt9v022_subdev_video_ops = {
33252 .s_stream = mt9v022_s_stream,
33253 .s_mbus_fmt = mt9v022_s_fmt,
33254 .g_mbus_fmt = mt9v022_g_fmt,
33255 @@ -859,7 +859,7 @@ static struct v4l2_subdev_video_ops mt9v
33256 .enum_mbus_fmt = mt9v022_enum_fmt,
33257 };
33258
33259 -static struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33260 +static const struct v4l2_subdev_sensor_ops mt9v022_subdev_sensor_ops = {
33261 .g_skip_top_lines = mt9v022_g_skip_top_lines,
33262 };
33263
33264 diff -urNp linux-2.6.39.3/drivers/media/video/mx2_camera.c linux-2.6.39.3/drivers/media/video/mx2_camera.c
33265 --- linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-19 00:06:34.000000000 -0400
33266 +++ linux-2.6.39.3/drivers/media/video/mx2_camera.c 2011-05-22 19:36:31.000000000 -0400
33267 @@ -668,7 +668,7 @@ static void mx2_videobuf_release(struct
33268 free_buffer(vq, buf);
33269 }
33270
33271 -static struct videobuf_queue_ops mx2_videobuf_ops = {
33272 +static const struct videobuf_queue_ops mx2_videobuf_ops = {
33273 .buf_setup = mx2_videobuf_setup,
33274 .buf_prepare = mx2_videobuf_prepare,
33275 .buf_queue = mx2_videobuf_queue,
33276 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.c linux-2.6.39.3/drivers/media/video/omap24xxcam.c
33277 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-19 00:06:34.000000000 -0400
33278 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.c 2011-05-22 19:36:31.000000000 -0400
33279 @@ -403,7 +403,7 @@ static void omap24xxcam_vbq_complete(str
33280 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33281
33282 do_gettimeofday(&vb->ts);
33283 - vb->field_count = atomic_add_return(2, &fh->field_count);
33284 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33285 if (csr & csr_error) {
33286 vb->state = VIDEOBUF_ERROR;
33287 if (!atomic_read(&fh->cam->in_reset)) {
33288 diff -urNp linux-2.6.39.3/drivers/media/video/omap24xxcam.h linux-2.6.39.3/drivers/media/video/omap24xxcam.h
33289 --- linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-19 00:06:34.000000000 -0400
33290 +++ linux-2.6.39.3/drivers/media/video/omap24xxcam.h 2011-05-22 19:36:31.000000000 -0400
33291 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
33292 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
33293 struct videobuf_queue vbq;
33294 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
33295 - atomic_t field_count; /* field counter for videobuf_buffer */
33296 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
33297 /* accessing cam here doesn't need serialisation: it's constant */
33298 struct omap24xxcam_device *cam;
33299 };
33300 diff -urNp linux-2.6.39.3/drivers/media/video/omap3isp/isp.h linux-2.6.39.3/drivers/media/video/omap3isp/isp.h
33301 --- linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-19 00:06:34.000000000 -0400
33302 +++ linux-2.6.39.3/drivers/media/video/omap3isp/isp.h 2011-05-22 19:36:31.000000000 -0400
33303 @@ -290,7 +290,7 @@ struct isp_device {
33304
33305 struct iommu *iommu;
33306
33307 - struct isp_platform_callback platform_cb;
33308 + const struct isp_platform_callback platform_cb;
33309 };
33310
33311 #define v4l2_dev_to_isp_device(dev) \
33312 diff -urNp linux-2.6.39.3/drivers/media/video/ov2640.c linux-2.6.39.3/drivers/media/video/ov2640.c
33313 --- linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-19 00:06:34.000000000 -0400
33314 +++ linux-2.6.39.3/drivers/media/video/ov2640.c 2011-05-22 19:36:31.000000000 -0400
33315 @@ -1080,7 +1080,7 @@ static struct soc_camera_ops ov2640_ops
33316 .num_controls = ARRAY_SIZE(ov2640_controls),
33317 };
33318
33319 -static struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33320 +static const struct v4l2_subdev_core_ops ov2640_subdev_core_ops = {
33321 .g_ctrl = ov2640_g_ctrl,
33322 .s_ctrl = ov2640_s_ctrl,
33323 .g_chip_ident = ov2640_g_chip_ident,
33324 @@ -1090,7 +1090,7 @@ static struct v4l2_subdev_core_ops ov264
33325 #endif
33326 };
33327
33328 -static struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33329 +static const struct v4l2_subdev_video_ops ov2640_subdev_video_ops = {
33330 .s_stream = ov2640_s_stream,
33331 .g_mbus_fmt = ov2640_g_fmt,
33332 .s_mbus_fmt = ov2640_s_fmt,
33333 diff -urNp linux-2.6.39.3/drivers/media/video/ov772x.c linux-2.6.39.3/drivers/media/video/ov772x.c
33334 --- linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-19 00:06:34.000000000 -0400
33335 +++ linux-2.6.39.3/drivers/media/video/ov772x.c 2011-05-22 19:36:31.000000000 -0400
33336 @@ -1079,7 +1079,7 @@ static struct soc_camera_ops ov772x_ops
33337 .num_controls = ARRAY_SIZE(ov772x_controls),
33338 };
33339
33340 -static struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33341 +static const struct v4l2_subdev_core_ops ov772x_subdev_core_ops = {
33342 .g_ctrl = ov772x_g_ctrl,
33343 .s_ctrl = ov772x_s_ctrl,
33344 .g_chip_ident = ov772x_g_chip_ident,
33345 @@ -1099,7 +1099,7 @@ static int ov772x_enum_fmt(struct v4l2_s
33346 return 0;
33347 }
33348
33349 -static struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33350 +static const struct v4l2_subdev_video_ops ov772x_subdev_video_ops = {
33351 .s_stream = ov772x_s_stream,
33352 .g_mbus_fmt = ov772x_g_fmt,
33353 .s_mbus_fmt = ov772x_s_fmt,
33354 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
33355 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-19 00:06:34.000000000 -0400
33356 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-22 19:36:31.000000000 -0400
33357 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
33358 u8 *eeprom;
33359 struct tveeprom tvdata;
33360
33361 + pax_track_stack();
33362 +
33363 memset(&tvdata,0,sizeof(tvdata));
33364
33365 eeprom = pvr2_eeprom_fetch(hdw);
33366 diff -urNp linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c
33367 --- linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-19 00:06:34.000000000 -0400
33368 +++ linux-2.6.39.3/drivers/media/video/pvrusb2/pvrusb2-i2c-core.c 2011-05-22 19:36:31.000000000 -0400
33369 @@ -527,7 +527,7 @@ static u32 pvr2_i2c_functionality(struct
33370 return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
33371 }
33372
33373 -static struct i2c_algorithm pvr2_i2c_algo_template = {
33374 +static const struct i2c_algorithm pvr2_i2c_algo_template = {
33375 .master_xfer = pvr2_i2c_xfer,
33376 .functionality = pvr2_i2c_functionality,
33377 };
33378 diff -urNp linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c
33379 --- linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-19 00:06:34.000000000 -0400
33380 +++ linux-2.6.39.3/drivers/media/video/rj54n1cb0c.c 2011-05-22 19:36:31.000000000 -0400
33381 @@ -1327,7 +1327,7 @@ static int rj54n1_s_ctrl(struct v4l2_sub
33382 return 0;
33383 }
33384
33385 -static struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33386 +static const struct v4l2_subdev_core_ops rj54n1_subdev_core_ops = {
33387 .g_ctrl = rj54n1_g_ctrl,
33388 .s_ctrl = rj54n1_s_ctrl,
33389 .g_chip_ident = rj54n1_g_chip_ident,
33390 @@ -1337,7 +1337,7 @@ static struct v4l2_subdev_core_ops rj54n
33391 #endif
33392 };
33393
33394 -static struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33395 +static const struct v4l2_subdev_video_ops rj54n1_subdev_video_ops = {
33396 .s_stream = rj54n1_s_stream,
33397 .s_mbus_fmt = rj54n1_s_fmt,
33398 .g_mbus_fmt = rj54n1_g_fmt,
33399 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c
33400 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-19 00:06:34.000000000 -0400
33401 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-capture.c 2011-05-22 19:36:31.000000000 -0400
33402 @@ -376,7 +376,7 @@ static void fimc_unlock(struct vb2_queue
33403 mutex_unlock(&ctx->fimc_dev->lock);
33404 }
33405
33406 -static struct vb2_ops fimc_capture_qops = {
33407 +static const struct vb2_ops fimc_capture_qops = {
33408 .queue_setup = queue_setup,
33409 .buf_prepare = buffer_prepare,
33410 .buf_queue = buffer_queue,
33411 diff -urNp linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c
33412 --- linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-19 00:06:34.000000000 -0400
33413 +++ linux-2.6.39.3/drivers/media/video/s5p-fimc/fimc-core.c 2011-05-22 19:36:31.000000000 -0400
33414 @@ -768,7 +768,7 @@ static void fimc_unlock(struct vb2_queue
33415 mutex_unlock(&ctx->fimc_dev->lock);
33416 }
33417
33418 -static struct vb2_ops fimc_qops = {
33419 +static const struct vb2_ops fimc_qops = {
33420 .queue_setup = fimc_queue_setup,
33421 .buf_prepare = fimc_buf_prepare,
33422 .buf_queue = fimc_buf_queue,
33423 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c
33424 --- linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-19 00:06:34.000000000 -0400
33425 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa6752hs.c 2011-05-22 19:36:31.000000000 -0400
33426 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
33427 unsigned char localPAT[256];
33428 unsigned char localPMT[256];
33429
33430 + pax_track_stack();
33431 +
33432 /* Set video format - must be done first as it resets other settings */
33433 set_reg8(client, 0x41, h->video_format);
33434
33435 diff -urNp linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c
33436 --- linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-19 00:06:34.000000000 -0400
33437 +++ linux-2.6.39.3/drivers/media/video/saa7134/saa7134-alsa.c 2011-05-22 19:36:31.000000000 -0400
33438 @@ -808,7 +808,7 @@ static struct page *snd_card_saa7134_pag
33439 * ALSA capture callbacks definition
33440 */
33441
33442 -static struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33443 +static const struct snd_pcm_ops snd_card_saa7134_capture_ops = {
33444 .open = snd_card_saa7134_capture_open,
33445 .close = snd_card_saa7134_capture_close,
33446 .ioctl = snd_pcm_lib_ioctl,
33447 diff -urNp linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c
33448 --- linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-19 00:06:34.000000000 -0400
33449 +++ linux-2.6.39.3/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-22 19:36:31.000000000 -0400
33450 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33451 u8 tmp[512];
33452 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33453
33454 + pax_track_stack();
33455 +
33456 /* While any outstand message on the bus exists... */
33457 do {
33458
33459 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33460 u8 tmp[512];
33461 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33462
33463 + pax_track_stack();
33464 +
33465 while (loop) {
33466
33467 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
33468 diff -urNp linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c
33469 --- linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-19 00:06:34.000000000 -0400
33470 +++ linux-2.6.39.3/drivers/media/video/sh_mobile_csi2.c 2011-05-22 19:36:31.000000000 -0400
33471 @@ -127,12 +127,12 @@ static int sh_csi2_s_fmt(struct v4l2_sub
33472 return 0;
33473 }
33474
33475 -static struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33476 +static const struct v4l2_subdev_video_ops sh_csi2_subdev_video_ops = {
33477 .s_mbus_fmt = sh_csi2_s_fmt,
33478 .try_mbus_fmt = sh_csi2_try_fmt,
33479 };
33480
33481 -static struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33482 +static const struct v4l2_subdev_core_ops sh_csi2_subdev_core_ops;
33483
33484 static struct v4l2_subdev_ops sh_csi2_subdev_ops = {
33485 .core = &sh_csi2_subdev_core_ops,
33486 diff -urNp linux-2.6.39.3/drivers/media/video/soc_camera_platform.c linux-2.6.39.3/drivers/media/video/soc_camera_platform.c
33487 --- linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-19 00:06:34.000000000 -0400
33488 +++ linux-2.6.39.3/drivers/media/video/soc_camera_platform.c 2011-05-22 19:36:31.000000000 -0400
33489 @@ -70,7 +70,7 @@ static int soc_camera_platform_fill_fmt(
33490 return 0;
33491 }
33492
33493 -static struct v4l2_subdev_core_ops platform_subdev_core_ops;
33494 +static const struct v4l2_subdev_core_ops platform_subdev_core_ops;
33495
33496 static int soc_camera_platform_enum_fmt(struct v4l2_subdev *sd, unsigned int index,
33497 enum v4l2_mbus_pixelcode *code)
33498 @@ -115,7 +115,7 @@ static int soc_camera_platform_cropcap(s
33499 return 0;
33500 }
33501
33502 -static struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33503 +static const struct v4l2_subdev_video_ops platform_subdev_video_ops = {
33504 .s_stream = soc_camera_platform_s_stream,
33505 .enum_mbus_fmt = soc_camera_platform_enum_fmt,
33506 .cropcap = soc_camera_platform_cropcap,
33507 diff -urNp linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c
33508 --- linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-19 00:06:34.000000000 -0400
33509 +++ linux-2.6.39.3/drivers/media/video/tlg2300/pd-alsa.c 2011-05-22 19:36:31.000000000 -0400
33510 @@ -265,7 +265,7 @@ static struct page *snd_pcm_pd_get_page(
33511 return vmalloc_to_page(pageptr);
33512 }
33513
33514 -static struct snd_pcm_ops pcm_capture_ops = {
33515 +static const struct snd_pcm_ops pcm_capture_ops = {
33516 .open = snd_pd_capture_open,
33517 .close = snd_pd_pcm_close,
33518 .ioctl = snd_pcm_lib_ioctl,
33519 diff -urNp linux-2.6.39.3/drivers/media/video/tw9910.c linux-2.6.39.3/drivers/media/video/tw9910.c
33520 --- linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-19 00:06:34.000000000 -0400
33521 +++ linux-2.6.39.3/drivers/media/video/tw9910.c 2011-05-22 19:36:31.000000000 -0400
33522 @@ -894,7 +894,7 @@ static struct soc_camera_ops tw9910_ops
33523 .enum_input = tw9910_enum_input,
33524 };
33525
33526 -static struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33527 +static const struct v4l2_subdev_core_ops tw9910_subdev_core_ops = {
33528 .g_chip_ident = tw9910_g_chip_ident,
33529 .s_std = tw9910_s_std,
33530 #ifdef CONFIG_VIDEO_ADV_DEBUG
33531 @@ -913,7 +913,7 @@ static int tw9910_enum_fmt(struct v4l2_s
33532 return 0;
33533 }
33534
33535 -static struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33536 +static const struct v4l2_subdev_video_ops tw9910_subdev_video_ops = {
33537 .s_stream = tw9910_s_stream,
33538 .g_mbus_fmt = tw9910_g_fmt,
33539 .s_mbus_fmt = tw9910_s_fmt,
33540 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c
33541 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-19 00:06:34.000000000 -0400
33542 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-core.c 2011-05-22 19:36:31.000000000 -0400
33543 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
33544 unsigned char rv, gv, bv;
33545 static unsigned char *Y, *U, *V;
33546
33547 + pax_track_stack();
33548 +
33549 frame = usbvision->cur_frame;
33550 image_size = frame->frmwidth * frame->frmheight;
33551 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33552 diff -urNp linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c
33553 --- linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-19 00:06:34.000000000 -0400
33554 +++ linux-2.6.39.3/drivers/media/video/usbvision/usbvision-i2c.c 2011-05-22 19:36:31.000000000 -0400
33555 @@ -189,7 +189,7 @@ static u32 functionality(struct i2c_adap
33556
33557 /* -----exported algorithm data: ------------------------------------- */
33558
33559 -static struct i2c_algorithm usbvision_algo = {
33560 +static const struct i2c_algorithm usbvision_algo = {
33561 .master_xfer = usbvision_i2c_xfer,
33562 .smbus_xfer = NULL,
33563 .functionality = functionality,
33564 diff -urNp linux-2.6.39.3/drivers/media/video/v4l2-device.c linux-2.6.39.3/drivers/media/video/v4l2-device.c
33565 --- linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-19 00:06:34.000000000 -0400
33566 +++ linux-2.6.39.3/drivers/media/video/v4l2-device.c 2011-05-22 19:36:31.000000000 -0400
33567 @@ -71,9 +71,9 @@ int v4l2_device_put(struct v4l2_device *
33568 EXPORT_SYMBOL_GPL(v4l2_device_put);
33569
33570 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33571 - atomic_t *instance)
33572 + atomic_unchecked_t *instance)
33573 {
33574 - int num = atomic_inc_return(instance) - 1;
33575 + int num = atomic_inc_return_unchecked(instance) - 1;
33576 int len = strlen(basename);
33577
33578 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
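Review bot: `basename[len - 1]` in the last line of the hunk is read without checking that `len` is non-zero, so an empty `basename` indexes one byte before the string. The commit changes only the counter type and leaves this as it was; guarding it as `if (len && basename[len - 1] >= '0' && basename[len - 1] <= '9')` closes it. The body of v4l2_device_set_name continues outside the hunk, and every caller that passes `instance` must now declare it `atomic_unchecked_t`.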
33579 diff -urNp linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c
33580 --- linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-19 00:06:34.000000000 -0400
33581 +++ linux-2.6.39.3/drivers/media/video/videobuf-dma-sg.c 2011-05-22 19:36:31.000000000 -0400
33582 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
33583 {
33584 struct videobuf_queue q;
33585
33586 + pax_track_stack();
33587 +
33588 /* Required to make generic handler to call __videobuf_alloc */
33589 q.int_ops = &sg_ops;
33590
33591 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.c linux-2.6.39.3/drivers/message/fusion/mptbase.c
33592 --- linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-19 00:06:34.000000000 -0400
33593 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.c 2011-05-22 19:41:37.000000000 -0400
33594 @@ -143,7 +143,7 @@ static int MptDriverClass[MPT_MAX_PRO
33595 static MPT_EVHANDLER MptEvHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33596 /* Reset handler lookup table */
33597 static MPT_RESETHANDLER MptResetHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33598 -static struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33599 +static const struct mpt_pci_driver *MptDeviceDriverHandlers[MPT_MAX_PROTOCOL_DRIVERS];
33600
33601 #ifdef CONFIG_PROC_FS
33602 static struct proc_dir_entry *mpt_proc_root_dir;
33603 @@ -772,7 +772,7 @@ mpt_reset_deregister(u8 cb_idx)
33604 * @cb_idx: MPT protocol driver index
33605 */
33606 int
33607 -mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33608 +mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx)
33609 {
33610 MPT_ADAPTER *ioc;
33611 const struct pci_device_id *id;
33612 @@ -801,7 +801,7 @@ mpt_device_driver_register(struct mpt_pc
33613 void
33614 mpt_device_driver_deregister(u8 cb_idx)
33615 {
33616 - struct mpt_pci_driver *dd_cbfunc;
33617 + const struct mpt_pci_driver *dd_cbfunc;
33618 MPT_ADAPTER *ioc;
33619
33620 if (!cb_idx || cb_idx >= MPT_MAX_PROTOCOL_DRIVERS)
33621 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
33622 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33623 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33624
33625 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33626 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
33627 +#else
33628 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33629 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33630 +#endif
33631 +
33632 /*
33633 * Rounding UP to nearest 4-kB boundary here...
33634 */
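Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch masks only the `RequestFrames` line, and the format string is now duplicated in both branches, so a later edit to one can silently miss the other. mpt_iocinfo_proc_show continues outside this hunk; any further `%p` output there (not visible here) would need the same guard for the hiding to be complete. Keeping a single `seq_printf` and selecting only the two arguments under the `#ifdef` avoids the duplication. A short comment such as `/* HIDESYM: do not expose kernel or DMA addresses through /proc */` would document why NULL is printed.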
33635 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptbase.h linux-2.6.39.3/drivers/message/fusion/mptbase.h
33636 --- linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-19 00:06:34.000000000 -0400
33637 +++ linux-2.6.39.3/drivers/message/fusion/mptbase.h 2011-05-22 19:36:31.000000000 -0400
33638 @@ -908,7 +908,7 @@ extern int mpt_event_register(u8 cb_idx
33639 extern void mpt_event_deregister(u8 cb_idx);
33640 extern int mpt_reset_register(u8 cb_idx, MPT_RESETHANDLER reset_func);
33641 extern void mpt_reset_deregister(u8 cb_idx);
33642 -extern int mpt_device_driver_register(struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33643 +extern int mpt_device_driver_register(const struct mpt_pci_driver * dd_cbfunc, u8 cb_idx);
33644 extern void mpt_device_driver_deregister(u8 cb_idx);
33645 extern MPT_FRAME_HDR *mpt_get_msg_frame(u8 cb_idx, MPT_ADAPTER *ioc);
33646 extern void mpt_free_msg_frame(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf);
33647 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptctl.c linux-2.6.39.3/drivers/message/fusion/mptctl.c
33648 --- linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-19 00:06:34.000000000 -0400
33649 +++ linux-2.6.39.3/drivers/message/fusion/mptctl.c 2011-05-22 19:36:31.000000000 -0400
33650 @@ -3000,7 +3000,7 @@ mptctl_remove(struct pci_dev *pdev)
33651 {
33652 }
33653
33654 -static struct mpt_pci_driver mptctl_driver = {
33655 +static const struct mpt_pci_driver mptctl_driver = {
33656 .probe = mptctl_probe,
33657 .remove = mptctl_remove,
33658 };
33659 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptsas.c linux-2.6.39.3/drivers/message/fusion/mptsas.c
33660 --- linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-19 00:06:34.000000000 -0400
33661 +++ linux-2.6.39.3/drivers/message/fusion/mptsas.c 2011-05-22 19:36:31.000000000 -0400
33662 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
33663 return 0;
33664 }
33665
33666 +static inline void
33667 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33668 +{
33669 + if (phy_info->port_details) {
33670 + phy_info->port_details->rphy = rphy;
33671 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33672 + ioc->name, rphy));
33673 + }
33674 +
33675 + if (rphy) {
33676 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33677 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33678 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33679 + ioc->name, rphy, rphy->dev.release));
33680 + }
33681 +}
33682 +
33683 /* no mutex */
33684 static void
33685 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
33686 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33687 return NULL;
33688 }
33689
33690 -static inline void
33691 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33692 -{
33693 - if (phy_info->port_details) {
33694 - phy_info->port_details->rphy = rphy;
33695 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33696 - ioc->name, rphy));
33697 - }
33698 -
33699 - if (rphy) {
33700 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33701 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33702 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33703 - ioc->name, rphy, rphy->dev.release));
33704 - }
33705 -}
33706 -
33707 static inline struct sas_port *
33708 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33709 {
33710 diff -urNp linux-2.6.39.3/drivers/message/fusion/mptscsih.c linux-2.6.39.3/drivers/message/fusion/mptscsih.c
33711 --- linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-19 00:06:34.000000000 -0400
33712 +++ linux-2.6.39.3/drivers/message/fusion/mptscsih.c 2011-05-22 19:36:31.000000000 -0400
33713 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33714
33715 h = shost_priv(SChost);
33716
33717 - if (h) {
33718 - if (h->info_kbuf == NULL)
33719 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33720 - return h->info_kbuf;
33721 - h->info_kbuf[0] = '\0';
33722 + if (!h)
33723 + return NULL;
33724
33725 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33726 - h->info_kbuf[size-1] = '\0';
33727 - }
33728 + if (h->info_kbuf == NULL)
33729 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33730 + return h->info_kbuf;
33731 + h->info_kbuf[0] = '\0';
33732 +
33733 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33734 + h->info_kbuf[size-1] = '\0';
33735
33736 return h->info_kbuf;
33737 }
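Review bot: The allocation-failure path in the rewritten block still reads `return h->info_kbuf;` inside two unbraced nested `if`s, which hides the fact that it returns NULL and makes it easy to misread which statements are conditional. Writing it as `if (!h->info_kbuf) { h->info_kbuf = kmalloc(0x1000, GFP_KERNEL); if (!h->info_kbuf) return NULL; }` says the same thing directly and matches the new `if (!h) return NULL;` guard. The terminator store `h->info_kbuf[size-1] = '\0'` depends on `size`, which is initialised outside this hunk. It is worth confirming that `size` can be neither 0 nor larger than the 0x1000-byte allocation after `mpt_print_ioc_summary` updates it.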
33738 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_config.c linux-2.6.39.3/drivers/message/i2o/i2o_config.c
33739 --- linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-19 00:06:34.000000000 -0400
33740 +++ linux-2.6.39.3/drivers/message/i2o/i2o_config.c 2011-05-22 19:36:31.000000000 -0400
33741 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
33742 struct i2o_message *msg;
33743 unsigned int iop;
33744
33745 + pax_track_stack();
33746 +
33747 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33748 return -EFAULT;
33749
33750 diff -urNp linux-2.6.39.3/drivers/message/i2o/i2o_proc.c linux-2.6.39.3/drivers/message/i2o/i2o_proc.c
33751 --- linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-19 00:06:34.000000000 -0400
33752 +++ linux-2.6.39.3/drivers/message/i2o/i2o_proc.c 2011-05-22 19:36:31.000000000 -0400
33753 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
33754 "Array Controller Device"
33755 };
33756
33757 -static char *chtostr(u8 * chars, int n)
33758 -{
33759 - char tmp[256];
33760 - tmp[0] = 0;
33761 - return strncat(tmp, (char *)chars, n);
33762 -}
33763 -
33764 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33765 char *group)
33766 {
33767 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
33768
33769 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33770 seq_printf(seq, "%-#8x", ddm_table.module_id);
33771 - seq_printf(seq, "%-29s",
33772 - chtostr(ddm_table.module_name_version, 28));
33773 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33774 seq_printf(seq, "%9d ", ddm_table.data_size);
33775 seq_printf(seq, "%8d", ddm_table.code_size);
33776
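Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the field width, so the module name is no longer padded to 29 columns and the `data_size` and `code_size` columns that follow shift with the length of the name. The removed `chtostr()` returned the address of a local array, so replacing it with a precision is right, but the precision alone does not reproduce the old layout. `"%-29.28s"` keeps both the 28-byte read limit and the padding. The same applies in the next hunk (`i2o_seq_show_drivers_stored`), where `"%-.28s"` and `"%-.8s"` would become `"%-29.28s"` and `"%-9.8s"`.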
33777 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
33778
33779 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33780 seq_printf(seq, "%-#8x", dst->module_id);
33781 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33782 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33783 + seq_printf(seq, "%-.28s", dst->module_name_version);
33784 + seq_printf(seq, "%-.8s", dst->date);
33785 seq_printf(seq, "%8d ", dst->module_size);
33786 seq_printf(seq, "%8d ", dst->mpb_size);
33787 seq_printf(seq, "0x%04x", dst->module_flags);
33788 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
33789 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33790 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33791 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33792 - seq_printf(seq, "Vendor info : %s\n",
33793 - chtostr((u8 *) (work32 + 2), 16));
33794 - seq_printf(seq, "Product info : %s\n",
33795 - chtostr((u8 *) (work32 + 6), 16));
33796 - seq_printf(seq, "Description : %s\n",
33797 - chtostr((u8 *) (work32 + 10), 16));
33798 - seq_printf(seq, "Product rev. : %s\n",
33799 - chtostr((u8 *) (work32 + 14), 8));
33800 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33801 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33802 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33803 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33804
33805 seq_printf(seq, "Serial number : ");
33806 print_serial_number(seq, (u8 *) (work32 + 16),
33807 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
33808 }
33809
33810 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33811 - seq_printf(seq, "Module name : %s\n",
33812 - chtostr(result.module_name, 24));
33813 - seq_printf(seq, "Module revision : %s\n",
33814 - chtostr(result.module_rev, 8));
33815 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33816 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33817
33818 seq_printf(seq, "Serial number : ");
33819 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33820 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
33821 return 0;
33822 }
33823
33824 - seq_printf(seq, "Device name : %s\n",
33825 - chtostr(result.device_name, 64));
33826 - seq_printf(seq, "Service name : %s\n",
33827 - chtostr(result.service_name, 64));
33828 - seq_printf(seq, "Physical name : %s\n",
33829 - chtostr(result.physical_location, 64));
33830 - seq_printf(seq, "Instance number : %s\n",
33831 - chtostr(result.instance_number, 4));
33832 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33833 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33834 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33835 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33836
33837 return 0;
33838 }
33839 diff -urNp linux-2.6.39.3/drivers/message/i2o/iop.c linux-2.6.39.3/drivers/message/i2o/iop.c
33840 --- linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-19 00:06:34.000000000 -0400
33841 +++ linux-2.6.39.3/drivers/message/i2o/iop.c 2011-05-22 19:36:31.000000000 -0400
33842 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33843
33844 spin_lock_irqsave(&c->context_list_lock, flags);
33845
33846 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33847 - atomic_inc(&c->context_list_counter);
33848 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33849 + atomic_inc_unchecked(&c->context_list_counter);
33850
33851 - entry->context = atomic_read(&c->context_list_counter);
33852 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33853
33854 list_add(&entry->list, &c->context_list);
33855
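Review bot: Nothing in the hunk says why `context_list_counter` is switched to the `_unchecked` operations, and the reason is not obvious from the call sites alone. The `atomic_inc_and_test_unchecked()` branch is only reachable once the counter has wrapped round to zero, so the code relies on overflow being allowed. A comment such as `/* context ids wrap by design and 0 is skipped, so this counter is exempt from overflow checking */` would record that. The visible lines also do not check that a wrapped value is not still in use by an entry on `c->context_list`; i2o_cntxt_list_add starts outside this hunk, so that may be handled elsewhere.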
33856 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33857
33858 #if BITS_PER_LONG == 64
33859 spin_lock_init(&c->context_list_lock);
33860 - atomic_set(&c->context_list_counter, 0);
33861 + atomic_set_unchecked(&c->context_list_counter, 0);
33862 INIT_LIST_HEAD(&c->context_list);
33863 #endif
33864
33865 diff -urNp linux-2.6.39.3/drivers/mfd/ab3100-core.c linux-2.6.39.3/drivers/mfd/ab3100-core.c
33866 --- linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-19 00:06:34.000000000 -0400
33867 +++ linux-2.6.39.3/drivers/mfd/ab3100-core.c 2011-05-22 19:36:31.000000000 -0400
33868 @@ -385,7 +385,7 @@ static int ab3100_event_registers_startu
33869 return 0;
33870 }
33871
33872 -static struct abx500_ops ab3100_ops = {
33873 +static const struct abx500_ops ab3100_ops = {
33874 .get_chip_id = ab3100_get_chip_id,
33875 .set_register = set_register_interruptible,
33876 .get_register = get_register_interruptible,
33877 diff -urNp linux-2.6.39.3/drivers/mfd/ab3550-core.c linux-2.6.39.3/drivers/mfd/ab3550-core.c
33878 --- linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-19 00:06:34.000000000 -0400
33879 +++ linux-2.6.39.3/drivers/mfd/ab3550-core.c 2011-05-22 19:36:31.000000000 -0400
33880 @@ -676,7 +676,7 @@ static int ab3550_startup_irq_enabled(st
33881 return val;
33882 }
33883
33884 -static struct abx500_ops ab3550_ops = {
33885 +static const struct abx500_ops ab3550_ops = {
33886 .get_chip_id = ab3550_get_chip_id,
33887 .get_register = ab3550_get_register_interruptible,
33888 .set_register = ab3550_set_register_interruptible,
33889 diff -urNp linux-2.6.39.3/drivers/mfd/ab8500-core.c linux-2.6.39.3/drivers/mfd/ab8500-core.c
33890 --- linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-19 00:06:34.000000000 -0400
33891 +++ linux-2.6.39.3/drivers/mfd/ab8500-core.c 2011-05-22 19:36:31.000000000 -0400
33892 @@ -223,7 +223,7 @@ static int ab8500_mask_and_set_register(
33893
33894 }
33895
33896 -static struct abx500_ops ab8500_ops = {
33897 +static const struct abx500_ops ab8500_ops = {
33898 .get_chip_id = ab8500_get_chip_id,
33899 .get_register = ab8500_get_register,
33900 .set_register = ab8500_set_register,
33901 diff -urNp linux-2.6.39.3/drivers/mfd/abx500-core.c linux-2.6.39.3/drivers/mfd/abx500-core.c
33902 --- linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-19 00:06:34.000000000 -0400
33903 +++ linux-2.6.39.3/drivers/mfd/abx500-core.c 2011-05-22 19:36:31.000000000 -0400
33904 @@ -18,7 +18,7 @@ struct abx500_device_entry {
33905 struct device *dev;
33906 };
33907
33908 -static void lookup_ops(struct device *dev, struct abx500_ops **ops)
33909 +static void lookup_ops(struct device *dev, const struct abx500_ops **ops)
33910 {
33911 struct abx500_device_entry *dev_entry;
33912
33913 @@ -31,7 +31,7 @@ static void lookup_ops(struct device *de
33914 }
33915 }
33916
33917 -int abx500_register_ops(struct device *dev, struct abx500_ops *ops)
33918 +int abx500_register_ops(struct device *dev, const struct abx500_ops *ops)
33919 {
33920 struct abx500_device_entry *dev_entry;
33921
33922 @@ -65,7 +65,7 @@ EXPORT_SYMBOL(abx500_remove_ops);
33923 int abx500_set_register_interruptible(struct device *dev, u8 bank, u8 reg,
33924 u8 value)
33925 {
33926 - struct abx500_ops *ops;
33927 + const struct abx500_ops *ops;
33928
33929 lookup_ops(dev->parent, &ops);
33930 if ((ops != NULL) && (ops->set_register != NULL))
33931 @@ -78,7 +78,7 @@ EXPORT_SYMBOL(abx500_set_register_interr
33932 int abx500_get_register_interruptible(struct device *dev, u8 bank, u8 reg,
33933 u8 *value)
33934 {
33935 - struct abx500_ops *ops;
33936 + const struct abx500_ops *ops;
33937
33938 lookup_ops(dev->parent, &ops);
33939 if ((ops != NULL) && (ops->get_register != NULL))
33940 @@ -91,7 +91,7 @@ EXPORT_SYMBOL(abx500_get_register_interr
33941 int abx500_get_register_page_interruptible(struct device *dev, u8 bank,
33942 u8 first_reg, u8 *regvals, u8 numregs)
33943 {
33944 - struct abx500_ops *ops;
33945 + const struct abx500_ops *ops;
33946
33947 lookup_ops(dev->parent, &ops);
33948 if ((ops != NULL) && (ops->get_register_page != NULL))
33949 @@ -105,7 +105,7 @@ EXPORT_SYMBOL(abx500_get_register_page_i
33950 int abx500_mask_and_set_register_interruptible(struct device *dev, u8 bank,
33951 u8 reg, u8 bitmask, u8 bitvalues)
33952 {
33953 - struct abx500_ops *ops;
33954 + const struct abx500_ops *ops;
33955
33956 lookup_ops(dev->parent, &ops);
33957 if ((ops != NULL) && (ops->mask_and_set_register != NULL))
33958 @@ -118,7 +118,7 @@ EXPORT_SYMBOL(abx500_mask_and_set_regist
33959
33960 int abx500_get_chip_id(struct device *dev)
33961 {
33962 - struct abx500_ops *ops;
33963 + const struct abx500_ops *ops;
33964
33965 lookup_ops(dev->parent, &ops);
33966 if ((ops != NULL) && (ops->get_chip_id != NULL))
33967 @@ -130,7 +130,7 @@ EXPORT_SYMBOL(abx500_get_chip_id);
33968
33969 int abx500_event_registers_startup_state_get(struct device *dev, u8 *event)
33970 {
33971 - struct abx500_ops *ops;
33972 + const struct abx500_ops *ops;
33973
33974 lookup_ops(dev->parent, &ops);
33975 if ((ops != NULL) && (ops->event_registers_startup_state_get != NULL))
33976 @@ -142,7 +142,7 @@ EXPORT_SYMBOL(abx500_event_registers_sta
33977
33978 int abx500_startup_irq_enabled(struct device *dev, unsigned int irq)
33979 {
33980 - struct abx500_ops *ops;
33981 + const struct abx500_ops *ops;
33982
33983 lookup_ops(dev->parent, &ops);
33984 if ((ops != NULL) && (ops->startup_irq_enabled != NULL))
33985 diff -urNp linux-2.6.39.3/drivers/mfd/janz-cmodio.c linux-2.6.39.3/drivers/mfd/janz-cmodio.c
33986 --- linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-19 00:06:34.000000000 -0400
33987 +++ linux-2.6.39.3/drivers/mfd/janz-cmodio.c 2011-05-22 19:36:31.000000000 -0400
33988 @@ -13,6 +13,7 @@
33989
33990 #include <linux/kernel.h>
33991 #include <linux/module.h>
33992 +#include <linux/slab.h>
33993 #include <linux/init.h>
33994 #include <linux/pci.h>
33995 #include <linux/interrupt.h>
33996 diff -urNp linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c
33997 --- linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-19 00:06:34.000000000 -0400
33998 +++ linux-2.6.39.3/drivers/mfd/mcp-sa11x0.c 2011-05-22 19:36:31.000000000 -0400
33999 @@ -128,7 +128,7 @@ static void mcp_sa11x0_disable(struct mc
34000 /*
34001 * Our methods.
34002 */
34003 -static struct mcp_ops mcp_sa11x0 = {
34004 +static const struct mcp_ops mcp_sa11x0 = {
34005 .set_telecom_divisor = mcp_sa11x0_set_telecom_divisor,
34006 .set_audio_divisor = mcp_sa11x0_set_audio_divisor,
34007 .reg_write = mcp_sa11x0_write,
34008 diff -urNp linux-2.6.39.3/drivers/mfd/wm8350-i2c.c linux-2.6.39.3/drivers/mfd/wm8350-i2c.c
34009 --- linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-19 00:06:34.000000000 -0400
34010 +++ linux-2.6.39.3/drivers/mfd/wm8350-i2c.c 2011-05-22 19:36:31.000000000 -0400
34011 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
34012 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
34013 int ret;
34014
34015 + pax_track_stack();
34016 +
34017 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
34018 return -EINVAL;
34019
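Review bot: The length check after the new `pax_track_stack();` accepts `bytes` equal to the full size of `msg` and has no lower bound. If the rest of the function (outside this hunk) stores the register in `msg[0]` and copies `bytes` bytes after it, the largest accepted value writes one byte past the array. A negative `bytes` would also pass the test if the parameter is signed. A tighter guard would be `if (bytes < 0 || bytes > (WM8350_MAX_REGISTER << 1)) return -EINVAL;`, since tracking the stack frame does not bound the copy.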
34020 diff -urNp linux-2.6.39.3/drivers/misc/enclosure.c linux-2.6.39.3/drivers/misc/enclosure.c
34021 --- linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-19 00:06:34.000000000 -0400
34022 +++ linux-2.6.39.3/drivers/misc/enclosure.c 2011-05-22 19:36:31.000000000 -0400
34023 @@ -161,7 +161,7 @@ enclosure_register(struct device *dev, c
34024 }
34025 EXPORT_SYMBOL_GPL(enclosure_register);
34026
34027 -static struct enclosure_component_callbacks enclosure_null_callbacks;
34028 +static const struct enclosure_component_callbacks enclosure_null_callbacks;
34029
34030 /**
34031 * enclosure_unregister - remove an enclosure
34032 diff -urNp linux-2.6.39.3/drivers/misc/kgdbts.c linux-2.6.39.3/drivers/misc/kgdbts.c
34033 --- linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-19 00:06:34.000000000 -0400
34034 +++ linux-2.6.39.3/drivers/misc/kgdbts.c 2011-05-22 19:36:31.000000000 -0400
34035 @@ -118,7 +118,7 @@
34036 } while (0)
34037 #define MAX_CONFIG_LEN 40
34038
34039 -static struct kgdb_io kgdbts_io_ops;
34040 +static const struct kgdb_io kgdbts_io_ops;
34041 static char get_buf[BUFMAX];
34042 static int get_buf_cnt;
34043 static char put_buf[BUFMAX];
34044 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
34045 module_put(THIS_MODULE);
34046 }
34047
34048 -static struct kgdb_io kgdbts_io_ops = {
34049 +static const struct kgdb_io kgdbts_io_ops = {
34050 .name = "kgdbts",
34051 .read_char = kgdbts_get_char,
34052 .write_char = kgdbts_put_char,
34053 diff -urNp linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c
34054 --- linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-19 00:06:34.000000000 -0400
34055 +++ linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.c 2011-05-22 19:36:31.000000000 -0400
34056 @@ -435,7 +435,7 @@ static irqreturn_t lis302dl_interrupt(in
34057 * the lid is closed. This leads to interrupts as soon as a little move
34058 * is done.
34059 */
34060 - atomic_inc(&lis3_dev.count);
34061 + atomic_inc_unchecked(&lis3_dev.count);
34062
34063 wake_up_interruptible(&lis3_dev.misc_wait);
34064 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
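Review bot: Nothing at these call sites records why `lis3_dev.count` may bypass the checked atomic path. The `_unchecked` accessors here and in lis3lv02d_misc_open, lis3lv02d_misc_read and lis3lv02d_misc_poll are only sound for a value that is never used as a reference count. The field comment in lis3lv02d.h already calls it an interrupt count; extending it to something like `/* interrupt count after last read; event counter, not a refcount, may wrap */` would stop a later reader from copying the pattern onto a real refcount. The same applies to the statistics counters converted in the sgi-gru hunks (gruhandles.c, gruprocfs.c, grutables.h). lis302dl_interrupt's body starts and ends outside this hunk.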
34065 @@ -518,7 +518,7 @@ static int lis3lv02d_misc_open(struct in
34066 if (lis3_dev.pm_dev)
34067 pm_runtime_get_sync(lis3_dev.pm_dev);
34068
34069 - atomic_set(&lis3_dev.count, 0);
34070 + atomic_set_unchecked(&lis3_dev.count, 0);
34071 return 0;
34072 }
34073
34074 @@ -545,7 +545,7 @@ static ssize_t lis3lv02d_misc_read(struc
34075 add_wait_queue(&lis3_dev.misc_wait, &wait);
34076 while (true) {
34077 set_current_state(TASK_INTERRUPTIBLE);
34078 - data = atomic_xchg(&lis3_dev.count, 0);
34079 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
34080 if (data)
34081 break;
34082
34083 @@ -583,7 +583,7 @@ out:
34084 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
34085 {
34086 poll_wait(file, &lis3_dev.misc_wait, wait);
34087 - if (atomic_read(&lis3_dev.count))
34088 + if (atomic_read_unchecked(&lis3_dev.count))
34089 return POLLIN | POLLRDNORM;
34090 return 0;
34091 }
34092 diff -urNp linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h
34093 --- linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-19 00:06:34.000000000 -0400
34094 +++ linux-2.6.39.3/drivers/misc/lis3lv02d/lis3lv02d.h 2011-05-22 19:36:31.000000000 -0400
34095 @@ -265,7 +265,7 @@ struct lis3lv02d {
34096 struct input_polled_dev *idev; /* input device */
34097 struct platform_device *pdev; /* platform device */
34098 struct regulator_bulk_data regulators[2];
34099 - atomic_t count; /* interrupt count after last read */
34100 + atomic_unchecked_t count; /* interrupt count after last read */
34101 union axis_conversion ac; /* hw -> logical axis */
34102 int mapped_btns[3];
34103
34104 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c
34105 --- linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c 2011-05-19 00:06:34.000000000 -0400
34106 +++ linux-2.6.39.3/drivers/misc/sgi-gru/gruhandles.c 2011-05-22 19:36:31.000000000 -0400
34107 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
34108 unsigned long nsec;
34109
34110 nsec = CLKS2NSEC(clks);
34111 - atomic_long_inc(&mcs_op_statistics[op].count);
34112 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
34113 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
34114 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
34115 if (mcs_op_statistics[op].max < nsec)
34116 mcs_op_statistics[op].max = nsec;
34117 }
34118 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c
34119 --- linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c 2011-05-19 00:06:34.000000000 -0400
34120 +++ linux-2.6.39.3/drivers/misc/sgi-gru/gruprocfs.c 2011-05-22 19:36:31.000000000 -0400
34121 @@ -32,9 +32,9 @@
34122
34123 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
34124
34125 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
34126 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
34127 {
34128 - unsigned long val = atomic_long_read(v);
34129 + unsigned long val = atomic_long_read_unchecked(v);
34130
34131 seq_printf(s, "%16lu %s\n", val, id);
34132 }
34133 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
34134
34135 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
34136 for (op = 0; op < mcsop_last; op++) {
34137 - count = atomic_long_read(&mcs_op_statistics[op].count);
34138 - total = atomic_long_read(&mcs_op_statistics[op].total);
34139 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
34140 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
34141 max = mcs_op_statistics[op].max;
34142 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
34143 count ? total / count : 0, max);
34144 diff -urNp linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h
34145 --- linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-19 00:06:34.000000000 -0400
34146 +++ linux-2.6.39.3/drivers/misc/sgi-gru/grutables.h 2011-05-22 19:36:31.000000000 -0400
34147 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
34148 * GRU statistics.
34149 */
34150 struct gru_stats_s {
34151 - atomic_long_t vdata_alloc;
34152 - atomic_long_t vdata_free;
34153 - atomic_long_t gts_alloc;
34154 - atomic_long_t gts_free;
34155 - atomic_long_t gms_alloc;
34156 - atomic_long_t gms_free;
34157 - atomic_long_t gts_double_allocate;
34158 - atomic_long_t assign_context;
34159 - atomic_long_t assign_context_failed;
34160 - atomic_long_t free_context;
34161 - atomic_long_t load_user_context;
34162 - atomic_long_t load_kernel_context;
34163 - atomic_long_t lock_kernel_context;
34164 - atomic_long_t unlock_kernel_context;
34165 - atomic_long_t steal_user_context;
34166 - atomic_long_t steal_kernel_context;
34167 - atomic_long_t steal_context_failed;
34168 - atomic_long_t nopfn;
34169 - atomic_long_t asid_new;
34170 - atomic_long_t asid_next;
34171 - atomic_long_t asid_wrap;
34172 - atomic_long_t asid_reuse;
34173 - atomic_long_t intr;
34174 - atomic_long_t intr_cbr;
34175 - atomic_long_t intr_tfh;
34176 - atomic_long_t intr_spurious;
34177 - atomic_long_t intr_mm_lock_failed;
34178 - atomic_long_t call_os;
34179 - atomic_long_t call_os_wait_queue;
34180 - atomic_long_t user_flush_tlb;
34181 - atomic_long_t user_unload_context;
34182 - atomic_long_t user_exception;
34183 - atomic_long_t set_context_option;
34184 - atomic_long_t check_context_retarget_intr;
34185 - atomic_long_t check_context_unload;
34186 - atomic_long_t tlb_dropin;
34187 - atomic_long_t tlb_preload_page;
34188 - atomic_long_t tlb_dropin_fail_no_asid;
34189 - atomic_long_t tlb_dropin_fail_upm;
34190 - atomic_long_t tlb_dropin_fail_invalid;
34191 - atomic_long_t tlb_dropin_fail_range_active;
34192 - atomic_long_t tlb_dropin_fail_idle;
34193 - atomic_long_t tlb_dropin_fail_fmm;
34194 - atomic_long_t tlb_dropin_fail_no_exception;
34195 - atomic_long_t tfh_stale_on_fault;
34196 - atomic_long_t mmu_invalidate_range;
34197 - atomic_long_t mmu_invalidate_page;
34198 - atomic_long_t flush_tlb;
34199 - atomic_long_t flush_tlb_gru;
34200 - atomic_long_t flush_tlb_gru_tgh;
34201 - atomic_long_t flush_tlb_gru_zero_asid;
34202 -
34203 - atomic_long_t copy_gpa;
34204 - atomic_long_t read_gpa;
34205 -
34206 - atomic_long_t mesq_receive;
34207 - atomic_long_t mesq_receive_none;
34208 - atomic_long_t mesq_send;
34209 - atomic_long_t mesq_send_failed;
34210 - atomic_long_t mesq_noop;
34211 - atomic_long_t mesq_send_unexpected_error;
34212 - atomic_long_t mesq_send_lb_overflow;
34213 - atomic_long_t mesq_send_qlimit_reached;
34214 - atomic_long_t mesq_send_amo_nacked;
34215 - atomic_long_t mesq_send_put_nacked;
34216 - atomic_long_t mesq_page_overflow;
34217 - atomic_long_t mesq_qf_locked;
34218 - atomic_long_t mesq_qf_noop_not_full;
34219 - atomic_long_t mesq_qf_switch_head_failed;
34220 - atomic_long_t mesq_qf_unexpected_error;
34221 - atomic_long_t mesq_noop_unexpected_error;
34222 - atomic_long_t mesq_noop_lb_overflow;
34223 - atomic_long_t mesq_noop_qlimit_reached;
34224 - atomic_long_t mesq_noop_amo_nacked;
34225 - atomic_long_t mesq_noop_put_nacked;
34226 - atomic_long_t mesq_noop_page_overflow;
34227 + atomic_long_unchecked_t vdata_alloc;
34228 + atomic_long_unchecked_t vdata_free;
34229 + atomic_long_unchecked_t gts_alloc;
34230 + atomic_long_unchecked_t gts_free;
34231 + atomic_long_unchecked_t gms_alloc;
34232 + atomic_long_unchecked_t gms_free;
34233 + atomic_long_unchecked_t gts_double_allocate;
34234 + atomic_long_unchecked_t assign_context;
34235 + atomic_long_unchecked_t assign_context_failed;
34236 + atomic_long_unchecked_t free_context;
34237 + atomic_long_unchecked_t load_user_context;
34238 + atomic_long_unchecked_t load_kernel_context;
34239 + atomic_long_unchecked_t lock_kernel_context;
34240 + atomic_long_unchecked_t unlock_kernel_context;
34241 + atomic_long_unchecked_t steal_user_context;
34242 + atomic_long_unchecked_t steal_kernel_context;
34243 + atomic_long_unchecked_t steal_context_failed;
34244 + atomic_long_unchecked_t nopfn;
34245 + atomic_long_unchecked_t asid_new;
34246 + atomic_long_unchecked_t asid_next;
34247 + atomic_long_unchecked_t asid_wrap;
34248 + atomic_long_unchecked_t asid_reuse;
34249 + atomic_long_unchecked_t intr;
34250 + atomic_long_unchecked_t intr_cbr;
34251 + atomic_long_unchecked_t intr_tfh;
34252 + atomic_long_unchecked_t intr_spurious;
34253 + atomic_long_unchecked_t intr_mm_lock_failed;
34254 + atomic_long_unchecked_t call_os;
34255 + atomic_long_unchecked_t call_os_wait_queue;
34256 + atomic_long_unchecked_t user_flush_tlb;
34257 + atomic_long_unchecked_t user_unload_context;
34258 + atomic_long_unchecked_t user_exception;
34259 + atomic_long_unchecked_t set_context_option;
34260 + atomic_long_unchecked_t check_context_retarget_intr;
34261 + atomic_long_unchecked_t check_context_unload;
34262 + atomic_long_unchecked_t tlb_dropin;
34263 + atomic_long_unchecked_t tlb_preload_page;
34264 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
34265 + atomic_long_unchecked_t tlb_dropin_fail_upm;
34266 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
34267 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
34268 + atomic_long_unchecked_t tlb_dropin_fail_idle;
34269 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
34270 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
34271 + atomic_long_unchecked_t tfh_stale_on_fault;
34272 + atomic_long_unchecked_t mmu_invalidate_range;
34273 + atomic_long_unchecked_t mmu_invalidate_page;
34274 + atomic_long_unchecked_t flush_tlb;
34275 + atomic_long_unchecked_t flush_tlb_gru;
34276 + atomic_long_unchecked_t flush_tlb_gru_tgh;
34277 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
34278 +
34279 + atomic_long_unchecked_t copy_gpa;
34280 + atomic_long_unchecked_t read_gpa;
34281 +
34282 + atomic_long_unchecked_t mesq_receive;
34283 + atomic_long_unchecked_t mesq_receive_none;
34284 + atomic_long_unchecked_t mesq_send;
34285 + atomic_long_unchecked_t mesq_send_failed;
34286 + atomic_long_unchecked_t mesq_noop;
34287 + atomic_long_unchecked_t mesq_send_unexpected_error;
34288 + atomic_long_unchecked_t mesq_send_lb_overflow;
34289 + atomic_long_unchecked_t mesq_send_qlimit_reached;
34290 + atomic_long_unchecked_t mesq_send_amo_nacked;
34291 + atomic_long_unchecked_t mesq_send_put_nacked;
34292 + atomic_long_unchecked_t mesq_page_overflow;
34293 + atomic_long_unchecked_t mesq_qf_locked;
34294 + atomic_long_unchecked_t mesq_qf_noop_not_full;
34295 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
34296 + atomic_long_unchecked_t mesq_qf_unexpected_error;
34297 + atomic_long_unchecked_t mesq_noop_unexpected_error;
34298 + atomic_long_unchecked_t mesq_noop_lb_overflow;
34299 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
34300 + atomic_long_unchecked_t mesq_noop_amo_nacked;
34301 + atomic_long_unchecked_t mesq_noop_put_nacked;
34302 + atomic_long_unchecked_t mesq_noop_page_overflow;
34303
34304 };
34305
34306 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
34307 tghop_invalidate, mcsop_last};
34308
34309 struct mcs_op_statistic {
34310 - atomic_long_t count;
34311 - atomic_long_t total;
34312 + atomic_long_unchecked_t count;
34313 + atomic_long_unchecked_t total;
34314 unsigned long max;
34315 };
34316
34317 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
34318
34319 #define STAT(id) do { \
34320 if (gru_options & OPT_STATS) \
34321 - atomic_long_inc(&gru_stats.id); \
34322 + atomic_long_inc_unchecked(&gru_stats.id); \
34323 } while (0)
34324
34325 #ifdef CONFIG_SGI_GRU_DEBUG
34326 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c
34327 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-19 00:06:34.000000000 -0400
34328 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_sn2.c 2011-05-22 19:36:31.000000000 -0400
34329 @@ -2351,7 +2351,7 @@ xpc_received_payload_sn2(struct xpc_chan
34330 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34331 }
34332
34333 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34334 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34335 .setup_partitions = xpc_setup_partitions_sn2,
34336 .teardown_partitions = xpc_teardown_partitions_sn2,
34337 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34338 diff -urNp linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c
34339 --- linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-19 00:06:34.000000000 -0400
34340 +++ linux-2.6.39.3/drivers/misc/sgi-xp/xpc_uv.c 2011-05-22 19:36:31.000000000 -0400
34341 @@ -1674,7 +1674,7 @@ xpc_received_payload_uv(struct xpc_chann
34342 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34343 }
34344
34345 -static struct xpc_arch_operations xpc_arch_ops_uv = {
34346 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
34347 .setup_partitions = xpc_setup_partitions_uv,
34348 .teardown_partitions = xpc_teardown_partitions_uv,
34349 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34350 diff -urNp linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c
34351 --- linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-19 00:06:34.000000000 -0400
34352 +++ linux-2.6.39.3/drivers/misc/spear13xx_pcie_gadget.c 2011-05-22 19:36:31.000000000 -0400
34353 @@ -644,7 +644,7 @@ static ssize_t pcie_gadget_target_attr_s
34354 return ret;
34355 }
34356
34357 -static struct configfs_item_operations pcie_gadget_target_item_ops = {
34358 +static const struct configfs_item_operations pcie_gadget_target_item_ops = {
34359 .show_attribute = pcie_gadget_target_attr_show,
34360 .store_attribute = pcie_gadget_target_attr_store,
34361 };
34362 diff -urNp linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c
34363 --- linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-19 00:06:34.000000000 -0400
34364 +++ linux-2.6.39.3/drivers/mmc/host/davinci_mmc.c 2011-05-22 19:36:31.000000000 -0400
34365 @@ -1133,7 +1133,7 @@ static void mmc_davinci_enable_sdio_irq(
34366 }
34367 }
34368
34369 -static struct mmc_host_ops mmc_davinci_ops = {
34370 +static const struct mmc_host_ops mmc_davinci_ops = {
34371 .request = mmc_davinci_request,
34372 .set_ios = mmc_davinci_set_ios,
34373 .get_cd = mmc_davinci_get_cd,
34374 diff -urNp linux-2.6.39.3/drivers/mmc/host/dw_mmc.c linux-2.6.39.3/drivers/mmc/host/dw_mmc.c
34375 --- linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-19 00:06:34.000000000 -0400
34376 +++ linux-2.6.39.3/drivers/mmc/host/dw_mmc.c 2011-05-22 19:36:31.000000000 -0400
34377 @@ -417,7 +417,7 @@ static int dw_mci_idmac_init(struct dw_m
34378 return 0;
34379 }
34380
34381 -static struct dw_mci_dma_ops dw_mci_idmac_ops = {
34382 +static const struct dw_mci_dma_ops dw_mci_idmac_ops = {
34383 .init = dw_mci_idmac_init,
34384 .start = dw_mci_idmac_start_dma,
34385 .stop = dw_mci_idmac_stop_dma,
34386 diff -urNp linux-2.6.39.3/drivers/mmc/host/s3cmci.c linux-2.6.39.3/drivers/mmc/host/s3cmci.c
34387 --- linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-19 00:06:34.000000000 -0400
34388 +++ linux-2.6.39.3/drivers/mmc/host/s3cmci.c 2011-05-22 19:36:31.000000000 -0400
34389 @@ -1349,7 +1349,7 @@ static void s3cmci_enable_sdio_irq(struc
34390 s3cmci_check_sdio_irq(host);
34391 }
34392
34393 -static struct mmc_host_ops s3cmci_ops = {
34394 +static const struct mmc_host_ops s3cmci_ops = {
34395 .request = s3cmci_request,
34396 .set_ios = s3cmci_set_ios,
34397 .get_ro = s3cmci_get_ro,
34398 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c
34399 --- linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-19 00:06:34.000000000 -0400
34400 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-cns3xxx.c 2011-05-22 19:36:31.000000000 -0400
34401 @@ -81,7 +81,7 @@ out:
34402 host->clock = clock;
34403 }
34404
34405 -static struct sdhci_ops sdhci_cns3xxx_ops = {
34406 +static const struct sdhci_ops sdhci_cns3xxx_ops = {
34407 .get_max_clock = sdhci_cns3xxx_get_max_clk,
34408 .set_clock = sdhci_cns3xxx_set_clock,
34409 };
34410 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c
34411 --- linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-19 00:06:34.000000000 -0400
34412 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-dove.c 2011-05-22 19:36:31.000000000 -0400
34413 @@ -56,7 +56,7 @@ static u32 sdhci_dove_readl(struct sdhci
34414 return ret;
34415 }
34416
34417 -static struct sdhci_ops sdhci_dove_ops = {
34418 +static const struct sdhci_ops sdhci_dove_ops = {
34419 .read_w = sdhci_dove_readw,
34420 .read_l = sdhci_dove_readl,
34421 };
34422 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c
34423 --- linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-19 00:06:34.000000000 -0400
34424 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-esdhc-imx.c 2011-05-22 19:36:31.000000000 -0400
34425 @@ -201,7 +201,7 @@ static unsigned int esdhc_pltfm_get_ro(s
34426 return -ENOSYS;
34427 }
34428
34429 -static struct sdhci_ops sdhci_esdhc_ops = {
34430 +static const struct sdhci_ops sdhci_esdhc_ops = {
34431 .read_l = esdhc_readl_le,
34432 .read_w = esdhc_readw_le,
34433 .write_l = esdhc_writel_le,
34434 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-of.h linux-2.6.39.3/drivers/mmc/host/sdhci-of.h
34435 --- linux-2.6.39.3/drivers/mmc/host/sdhci-of.h 2011-05-19 00:06:34.000000000 -0400
34436 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-of.h 2011-05-22 19:36:31.000000000 -0400
34437 @@ -21,7 +21,7 @@
34438
34439 struct sdhci_of_data {
34440 unsigned int quirks;
34441 - struct sdhci_ops ops;
34442 + const struct sdhci_ops ops;
34443 };
34444
34445 struct sdhci_of_host {
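Review bot: `const struct sdhci_ops ops;` qualifies an embedded member rather than a pointer, so it only moves the function pointers into read-only memory if every `struct sdhci_of_data` object is itself defined `const`. A const member inside a non-const object typically still lands in writable data, which leaves compile-time protection only. It also makes the structure non-assignable as a whole. The definitions of the sdhci_of_data instances are not in this hunk, so it is worth confirming they read `static const struct sdhci_of_data ...`.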
34446 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c
34447 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-19 00:06:34.000000000 -0400
34448 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pci.c 2011-05-22 19:36:31.000000000 -0400
34449 @@ -786,7 +786,7 @@ static int sdhci_pci_enable_dma(struct s
34450 return 0;
34451 }
34452
34453 -static struct sdhci_ops sdhci_pci_ops = {
34454 +static const struct sdhci_ops sdhci_pci_ops = {
34455 .enable_dma = sdhci_pci_enable_dma,
34456 };
34457
34458 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c
34459 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-19 00:06:34.000000000 -0400
34460 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pltfm.c 2011-05-22 19:36:31.000000000 -0400
34461 @@ -41,7 +41,7 @@
34462 * *
34463 \*****************************************************************************/
34464
34465 -static struct sdhci_ops sdhci_pltfm_ops = {
34466 +static const struct sdhci_ops sdhci_pltfm_ops = {
34467 };
34468
34469 /*****************************************************************************\
34470 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c
34471 --- linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-19 00:06:34.000000000 -0400
34472 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-pxa.c 2011-05-22 19:36:31.000000000 -0400
34473 @@ -69,7 +69,7 @@ static void set_clock(struct sdhci_host
34474 }
34475 }
34476
34477 -static struct sdhci_ops sdhci_pxa_ops = {
34478 +static const struct sdhci_ops sdhci_pxa_ops = {
34479 .set_clock = set_clock,
34480 };
34481
34482 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c
34483 --- linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-19 00:06:34.000000000 -0400
34484 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-s3c.c 2011-05-22 19:36:31.000000000 -0400
34485 @@ -309,7 +309,7 @@ static int sdhci_s3c_platform_8bit_width
34486 return 0;
34487 }
34488
34489 -static struct sdhci_ops sdhci_s3c_ops = {
34490 +static const struct sdhci_ops sdhci_s3c_ops = {
34491 .get_max_clock = sdhci_s3c_get_max_clk,
34492 .set_clock = sdhci_s3c_set_clock,
34493 .get_min_clock = sdhci_s3c_get_min_clock,
34494 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c
34495 --- linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-19 00:06:34.000000000 -0400
34496 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-spear.c 2011-05-22 19:36:31.000000000 -0400
34497 @@ -32,7 +32,7 @@ struct spear_sdhci {
34498 };
34499
34500 /* sdhci ops */
34501 -static struct sdhci_ops sdhci_pltfm_ops = {
34502 +static const struct sdhci_ops sdhci_pltfm_ops = {
34503 /* Nothing to do for now. */
34504 };
34505
34506 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c
34507 --- linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-19 00:06:34.000000000 -0400
34508 +++ linux-2.6.39.3/drivers/mmc/host/sdhci-tegra.c 2011-05-22 19:36:31.000000000 -0400
34509 @@ -242,7 +242,7 @@ static void tegra_sdhci_pltfm_exit(struc
34510 clk_put(pltfm_host->clk);
34511 }
34512
34513 -static struct sdhci_ops tegra_sdhci_ops = {
34514 +static const struct sdhci_ops tegra_sdhci_ops = {
34515 .get_ro = tegra_sdhci_get_ro,
34516 .read_l = tegra_sdhci_readl,
34517 .read_w = tegra_sdhci_readw,
34518 diff -urNp linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c
34519 --- linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-19 00:06:34.000000000 -0400
34520 +++ linux-2.6.39.3/drivers/mmc/host/sdricoh_cs.c 2011-05-22 19:36:31.000000000 -0400
34521 @@ -387,7 +387,7 @@ static int sdricoh_get_ro(struct mmc_hos
34522 return (status & STATUS_CARD_LOCKED);
34523 }
34524
34525 -static struct mmc_host_ops sdricoh_ops = {
34526 +static const struct mmc_host_ops sdricoh_ops = {
34527 .request = sdricoh_request,
34528 .set_ios = sdricoh_set_ios,
34529 .get_ro = sdricoh_get_ro,
34530 diff -urNp linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c
34531 --- linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-19 00:06:34.000000000 -0400
34532 +++ linux-2.6.39.3/drivers/mmc/host/sh_mmcif.c 2011-05-22 19:36:31.000000000 -0400
34533 @@ -872,7 +872,7 @@ static int sh_mmcif_get_cd(struct mmc_ho
34534 return p->get_cd(host->pd);
34535 }
34536
34537 -static struct mmc_host_ops sh_mmcif_ops = {
34538 +static const struct mmc_host_ops sh_mmcif_ops = {
34539 .request = sh_mmcif_request,
34540 .set_ios = sh_mmcif_set_ios,
34541 .get_cd = sh_mmcif_get_cd,
34542 diff -urNp linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c
34543 --- linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-19 00:06:34.000000000 -0400
34544 +++ linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-22 19:36:31.000000000 -0400
34545 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
34546 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34547 unsigned long timeo = jiffies + HZ;
34548
34549 + pax_track_stack();
34550 +
34551 /* Prevent setting state FL_SYNCING for chip in suspended state. */
34552 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34553 goto sleep;
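Review bot: The added `pax_track_stack();` has no comment naming the local that makes this frame large enough to need it. The declarations visible in the hunk (`cfip`, `timeo`) are small, so the reason presumably lies in locals outside the hunk. A one-line comment of the form `/* large frame (<name of the large local>): keep pax_track_stack() while it stays on the stack */` would let a maintainer drop the call once that local is gone. This applies equally to the insertions in do_write_buffer and do_erase_oneblock below, and to the cfi_cmdset_0020.c, ftl.c, inftlcore.c, inftlmount.c, qinfo_probe.c, mtdchar.c and nftlcore.c hunks. chip_ready's body continues outside the hunk.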
34554 @@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
34555 unsigned long initial_adr;
34556 int initial_len = len;
34557
34558 + pax_track_stack();
34559 +
34560 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34561 adr += chip->start;
34562 initial_adr = adr;
34563 @@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
34564 int retries = 3;
34565 int ret;
34566
34567 + pax_track_stack();
34568 +
34569 adr += chip->start;
34570
34571 retry:
34572 diff -urNp linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c
34573 --- linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-19 00:06:34.000000000 -0400
34574 +++ linux-2.6.39.3/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-22 19:36:31.000000000 -0400
34575 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34576 unsigned long cmd_addr;
34577 struct cfi_private *cfi = map->fldrv_priv;
34578
34579 + pax_track_stack();
34580 +
34581 adr += chip->start;
34582
34583 /* Ensure cmd read/writes are aligned. */
34584 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34585 DECLARE_WAITQUEUE(wait, current);
34586 int wbufsize, z;
34587
34588 + pax_track_stack();
34589 +
34590 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34591 if (adr & (map_bankwidth(map)-1))
34592 return -EINVAL;
34593 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34594 DECLARE_WAITQUEUE(wait, current);
34595 int ret = 0;
34596
34597 + pax_track_stack();
34598 +
34599 adr += chip->start;
34600
34601 /* Let's determine this according to the interleave only once */
34602 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34603 unsigned long timeo = jiffies + HZ;
34604 DECLARE_WAITQUEUE(wait, current);
34605
34606 + pax_track_stack();
34607 +
34608 adr += chip->start;
34609
34610 /* Let's determine this according to the interleave only once */
34611 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34612 unsigned long timeo = jiffies + HZ;
34613 DECLARE_WAITQUEUE(wait, current);
34614
34615 + pax_track_stack();
34616 +
34617 adr += chip->start;
34618
34619 /* Let's determine this according to the interleave only once */
34620 diff -urNp linux-2.6.39.3/drivers/mtd/devices/doc2000.c linux-2.6.39.3/drivers/mtd/devices/doc2000.c
34621 --- linux-2.6.39.3/drivers/mtd/devices/doc2000.c 2011-05-19 00:06:34.000000000 -0400
34622 +++ linux-2.6.39.3/drivers/mtd/devices/doc2000.c 2011-05-22 19:36:31.000000000 -0400
34623 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34624
34625 /* The ECC will not be calculated correctly if less than 512 is written */
34626 /* DBB-
34627 - if (len != 0x200 && eccbuf)
34628 + if (len != 0x200)
34629 printk(KERN_WARNING
34630 "ECC needs a full sector write (adr: %lx size %lx)\n",
34631 (long) to, (long) len);
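Review bot: The edited condition sits below the `/* DBB-` opener, so it appears to be inside a commented-out block and the change has no effect on the compiled driver. If the aim is only to drop the stale reference to `eccbuf`, deleting the disabled warning would be cleaner than keeping dead code in sync with the live function. The end of the comment is outside the hunk, so confirm its extent before removing anything.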
34632 diff -urNp linux-2.6.39.3/drivers/mtd/devices/doc2001.c linux-2.6.39.3/drivers/mtd/devices/doc2001.c
34633 --- linux-2.6.39.3/drivers/mtd/devices/doc2001.c 2011-05-19 00:06:34.000000000 -0400
34634 +++ linux-2.6.39.3/drivers/mtd/devices/doc2001.c 2011-05-22 19:36:31.000000000 -0400
34635 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34636 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34637
34638 /* Don't allow read past end of device */
34639 - if (from >= this->totlen)
34640 + if (from >= this->totlen || !len)
34641 return -EINVAL;
34642
34643 /* Don't allow a single read to cross a 512-byte block boundary */
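Review bot: The added `!len` term makes a zero-length read fail with -EINVAL, yet the comment above still speaks only of reading past the end of the device. If the rejection is deliberate (for instance because later code assumes at least one byte), the comment should say so, e.g. `/* Reject zero-length reads and reads starting past the end of the device */`. Callers that treat a zero-length read as a successful no-op would now get an error, so it is worth confirming none rely on that. The check also covers only the start offset; whether `from + len` is bounded depends on code after the hunk, since doc_read's body continues outside it.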
34644 diff -urNp linux-2.6.39.3/drivers/mtd/ftl.c linux-2.6.39.3/drivers/mtd/ftl.c
34645 --- linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-19 00:06:34.000000000 -0400
34646 +++ linux-2.6.39.3/drivers/mtd/ftl.c 2011-05-22 19:36:31.000000000 -0400
34647 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34648 loff_t offset;
34649 uint16_t srcunitswap = cpu_to_le16(srcunit);
34650
34651 + pax_track_stack();
34652 +
34653 eun = &part->EUNInfo[srcunit];
34654 xfer = &part->XferInfo[xferunit];
34655 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34656 diff -urNp linux-2.6.39.3/drivers/mtd/inftlcore.c linux-2.6.39.3/drivers/mtd/inftlcore.c
34657 --- linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-19 00:06:34.000000000 -0400
34658 +++ linux-2.6.39.3/drivers/mtd/inftlcore.c 2011-05-22 19:36:31.000000000 -0400
34659 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
34660 struct inftl_oob oob;
34661 size_t retlen;
34662
34663 + pax_track_stack();
34664 +
34665 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34666 "pending=%d)\n", inftl, thisVUC, pendingblock);
34667
34668 diff -urNp linux-2.6.39.3/drivers/mtd/inftlmount.c linux-2.6.39.3/drivers/mtd/inftlmount.c
34669 --- linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-19 00:06:34.000000000 -0400
34670 +++ linux-2.6.39.3/drivers/mtd/inftlmount.c 2011-05-22 19:36:31.000000000 -0400
34671 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
34672 struct INFTLPartition *ip;
34673 size_t retlen;
34674
34675 + pax_track_stack();
34676 +
34677 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34678
34679 /*
34680 diff -urNp linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c
34681 --- linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-19 00:06:34.000000000 -0400
34682 +++ linux-2.6.39.3/drivers/mtd/lpddr/qinfo_probe.c 2011-05-22 19:36:31.000000000 -0400
34683 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34684 {
34685 map_word pfow_val[4];
34686
34687 + pax_track_stack();
34688 +
34689 /* Check identification string */
34690 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34691 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34692 diff -urNp linux-2.6.39.3/drivers/mtd/mtdchar.c linux-2.6.39.3/drivers/mtd/mtdchar.c
34693 --- linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-19 00:06:34.000000000 -0400
34694 +++ linux-2.6.39.3/drivers/mtd/mtdchar.c 2011-05-22 19:36:31.000000000 -0400
34695 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
34696 u_long size;
34697 struct mtd_info_user info;
34698
34699 + pax_track_stack();
34700 +
34701 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34702
34703 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34704 diff -urNp linux-2.6.39.3/drivers/mtd/nand/denali.c linux-2.6.39.3/drivers/mtd/nand/denali.c
34705 --- linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-19 00:06:34.000000000 -0400
34706 +++ linux-2.6.39.3/drivers/mtd/nand/denali.c 2011-05-22 19:36:31.000000000 -0400
34707 @@ -25,6 +25,7 @@
34708 #include <linux/pci.h>
34709 #include <linux/mtd/mtd.h>
34710 #include <linux/module.h>
34711 +#include <linux/slab.h>
34712
34713 #include "denali.h"
34714
34715 diff -urNp linux-2.6.39.3/drivers/mtd/nftlcore.c linux-2.6.39.3/drivers/mtd/nftlcore.c
34716 --- linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-19 00:06:34.000000000 -0400
34717 +++ linux-2.6.39.3/drivers/mtd/nftlcore.c 2011-05-22 19:36:31.000000000 -0400
34718 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
34719 int inplace = 1;
34720 size_t retlen;
34721
34722 + pax_track_stack();
34723 +
34724 memset(BlockMap, 0xff, sizeof(BlockMap));
34725 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34726
34727 diff -urNp linux-2.6.39.3/drivers/mtd/nftlmount.c linux-2.6.39.3/drivers/mtd/nftlmount.c
34728 --- linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-19 00:06:34.000000000 -0400
34729 +++ linux-2.6.39.3/drivers/mtd/nftlmount.c 2011-05-22 19:36:31.000000000 -0400
34730 @@ -24,6 +24,7 @@
34731 #include <asm/errno.h>
34732 #include <linux/delay.h>
34733 #include <linux/slab.h>
34734 +#include <linux/sched.h>
34735 #include <linux/mtd/mtd.h>
34736 #include <linux/mtd/nand.h>
34737 #include <linux/mtd/nftl.h>
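Review bot: `#include <linux/sched.h>` is added without saying what needs it; presumably it supplies the declaration of the `pax_track_stack()` call added in the next hunk, but that is not visible here. Only this file and drivers/net/mlx4/main.c gain the include, while the other files that receive the same call in this part of the patch do not, so they appear to rely on an indirect include. A trailing comment such as `#include <linux/sched.h> /* pax_track_stack() */` would record the dependency.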
34738 @@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
34739 struct mtd_info *mtd = nftl->mbd.mtd;
34740 unsigned int i;
34741
34742 + pax_track_stack();
34743 +
34744 /* Assume logical EraseSize == physical erasesize for starting the scan.
34745 We'll sort it out later if we find a MediaHeader which says otherwise */
34746 /* Actually, we won't. The new DiskOnChip driver has already scanned
34747 diff -urNp linux-2.6.39.3/drivers/mtd/ubi/build.c linux-2.6.39.3/drivers/mtd/ubi/build.c
34748 --- linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-19 00:06:34.000000000 -0400
34749 +++ linux-2.6.39.3/drivers/mtd/ubi/build.c 2011-05-22 19:36:31.000000000 -0400
34750 @@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
34751 static int __init bytes_str_to_int(const char *str)
34752 {
34753 char *endp;
34754 - unsigned long result;
34755 + unsigned long result, scale = 1;
34756
34757 result = simple_strtoul(str, &endp, 0);
34758 if (str == endp || result >= INT_MAX) {
34759 @@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
34760
34761 switch (*endp) {
34762 case 'G':
34763 - result *= 1024;
34764 + scale *= 1024;
34765 case 'M':
34766 - result *= 1024;
34767 + scale *= 1024;
34768 case 'K':
34769 - result *= 1024;
34770 + scale *= 1024;
34771 if (endp[1] == 'i' && endp[2] == 'B')
34772 endp += 2;
34773 case '\0':
34774 @@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
34775 return -EINVAL;
34776 }
34777
34778 - return result;
34779 + if ((intoverflow_t)result*scale >= INT_MAX) {
34780 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34781 + str);
34782 + return -EINVAL;
34783 + }
34784 +
34785 + return result*scale;
34786 }
34787
34788 /**
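Review bot: The new range check `(intoverflow_t)result*scale >= INT_MAX` is only sound if `intoverflow_t` is at least 64 bits wide, and that typedef is defined outside this file's hunks with nothing here saying so. The earlier check keeps `result` below INT_MAX and `scale` is at most 1024*1024*1024, so a 64-bit product cannot wrap, but `return result*scale;` then repeats the multiplication in `unsigned long` and is safe only because the check passed. Computing the product once, `intoverflow_t bytes = (intoverflow_t)result * scale;`, then testing `bytes >= INT_MAX` and ending with `return bytes;`, ties the checked value to the returned one. The `case 'G'`/`'M'`/`'K'` labels in the previous hunk cascade into `scale` on purpose and would benefit from `/* fall through */` comments; part of the function body lies between the hunks.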
34789 diff -urNp linux-2.6.39.3/drivers/net/bcm63xx_enet.c linux-2.6.39.3/drivers/net/bcm63xx_enet.c
34790 --- linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-19 00:06:34.000000000 -0400
34791 +++ linux-2.6.39.3/drivers/net/bcm63xx_enet.c 2011-05-22 19:36:31.000000000 -0400
34792 @@ -1469,7 +1469,7 @@ static int bcm_enet_set_pauseparam(struc
34793 return 0;
34794 }
34795
34796 -static struct ethtool_ops bcm_enet_ethtool_ops = {
34797 +static const struct ethtool_ops bcm_enet_ethtool_ops = {
34798 .get_strings = bcm_enet_get_strings,
34799 .get_sset_count = bcm_enet_get_sset_count,
34800 .get_ethtool_stats = bcm_enet_get_ethtool_stats,
34801 diff -urNp linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c
34802 --- linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34803 +++ linux-2.6.39.3/drivers/net/bna/bnad_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34804 @@ -1242,7 +1242,7 @@ bnad_get_sset_count(struct net_device *n
34805 }
34806 }
34807
34808 -static struct ethtool_ops bnad_ethtool_ops = {
34809 +static const struct ethtool_ops bnad_ethtool_ops = {
34810 .get_settings = bnad_get_settings,
34811 .set_settings = bnad_set_settings,
34812 .get_drvinfo = bnad_get_drvinfo,
34813 diff -urNp linux-2.6.39.3/drivers/net/bnx2.c linux-2.6.39.3/drivers/net/bnx2.c
34814 --- linux-2.6.39.3/drivers/net/bnx2.c 2011-05-19 00:06:34.000000000 -0400
34815 +++ linux-2.6.39.3/drivers/net/bnx2.c 2011-05-22 19:36:31.000000000 -0400
34816 @@ -5828,6 +5828,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34817 int rc = 0;
34818 u32 magic, csum;
34819
34820 + pax_track_stack();
34821 +
34822 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34823 goto test_nvram_done;
34824
34825 diff -urNp linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c
34826 --- linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-19 00:06:34.000000000 -0400
34827 +++ linux-2.6.39.3/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-22 19:36:31.000000000 -0400
34828 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
34829 int i, rc;
34830 u32 magic, crc;
34831
34832 + pax_track_stack();
34833 +
34834 if (BP_NOMCP(bp))
34835 return 0;
34836
34837 diff -urNp linux-2.6.39.3/drivers/net/chelsio/pm3393.c linux-2.6.39.3/drivers/net/chelsio/pm3393.c
34838 --- linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-19 00:06:34.000000000 -0400
34839 +++ linux-2.6.39.3/drivers/net/chelsio/pm3393.c 2011-05-22 19:36:31.000000000 -0400
34840 @@ -571,7 +571,7 @@ static void pm3393_destroy(struct cmac *
34841 kfree(cmac);
34842 }
34843
34844 -static struct cmac_ops pm3393_ops = {
34845 +static const struct cmac_ops pm3393_ops = {
34846 .destroy = pm3393_destroy,
34847 .reset = pm3393_reset,
34848 .interrupt_enable = pm3393_interrupt_enable,
34849 diff -urNp linux-2.6.39.3/drivers/net/chelsio/vsc7326.c linux-2.6.39.3/drivers/net/chelsio/vsc7326.c
34850 --- linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-19 00:06:34.000000000 -0400
34851 +++ linux-2.6.39.3/drivers/net/chelsio/vsc7326.c 2011-05-22 19:36:31.000000000 -0400
34852 @@ -666,7 +666,7 @@ static void mac_destroy(struct cmac *mac
34853 kfree(mac);
34854 }
34855
34856 -static struct cmac_ops vsc7326_ops = {
34857 +static const struct cmac_ops vsc7326_ops = {
34858 .destroy = mac_destroy,
34859 .reset = mac_reset,
34860 .interrupt_handler = mac_intr_handler,
34861 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c
34862 --- linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-19 00:06:34.000000000 -0400
34863 +++ linux-2.6.39.3/drivers/net/cxgb4/cxgb4_main.c 2011-05-22 19:36:31.000000000 -0400
34864 @@ -3428,6 +3428,8 @@ static int __devinit enable_msix(struct
34865 unsigned int nchan = adap->params.nports;
34866 struct msix_entry entries[MAX_INGQ + 1];
34867
34868 + pax_track_stack();
34869 +
34870 for (i = 0; i < ARRAY_SIZE(entries); ++i)
34871 entries[i].entry = i;
34872
34873 diff -urNp linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c
34874 --- linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-19 00:06:34.000000000 -0400
34875 +++ linux-2.6.39.3/drivers/net/cxgb4/t4_hw.c 2011-05-22 19:36:31.000000000 -0400
34876 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
34877 u8 vpd[VPD_LEN], csum;
34878 unsigned int vpdr_len, kw_offset, id_len;
34879
34880 + pax_track_stack();
34881 +
34882 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
34883 if (ret < 0)
34884 return ret;
34885 diff -urNp linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c
34886 --- linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-19 00:06:34.000000000 -0400
34887 +++ linux-2.6.39.3/drivers/net/cxgb4vf/cxgb4vf_main.c 2011-05-22 19:36:31.000000000 -0400
34888 @@ -1572,7 +1572,7 @@ static int cxgb4vf_set_tso(struct net_de
34889 return 0;
34890 }
34891
34892 -static struct ethtool_ops cxgb4vf_ethtool_ops = {
34893 +static const struct ethtool_ops cxgb4vf_ethtool_ops = {
34894 .get_settings = cxgb4vf_get_settings,
34895 .get_drvinfo = cxgb4vf_get_drvinfo,
34896 .get_msglevel = cxgb4vf_get_msglevel,
34897 diff -urNp linux-2.6.39.3/drivers/net/e1000e/82571.c linux-2.6.39.3/drivers/net/e1000e/82571.c
34898 --- linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-19 00:06:34.000000000 -0400
34899 +++ linux-2.6.39.3/drivers/net/e1000e/82571.c 2011-05-22 19:36:31.000000000 -0400
34900 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
34901 {
34902 struct e1000_hw *hw = &adapter->hw;
34903 struct e1000_mac_info *mac = &hw->mac;
34904 - struct e1000_mac_operations *func = &mac->ops;
34905 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34906 u32 swsm = 0;
34907 u32 swsm2 = 0;
34908 bool force_clear_smbi = false;
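Review bot: The new comment `/* cannot be const */` on `func` states a restriction without the reason, which is what the next person trying to constify this will need. Since the ops tables in this file mark some members as mac-type or media-type dependent, the likely reason is that this function writes through `func` further down, outside the hunk; saying so, e.g. `/* not const: members are filled in per MAC/media type below */`, would be more useful. The same bare wording is used for `struct e1000_nvm_info` in e1000e/hw.h and igb/e1000_hw.h and for `func` in es2lan.c, whereas the neighbouring comments in the two headers name the function that does the writing.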
34909 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
34910 er32(ICRXDMTC);
34911 }
34912
34913 -static struct e1000_mac_operations e82571_mac_ops = {
34914 +static const struct e1000_mac_operations e82571_mac_ops = {
34915 /* .check_mng_mode: mac type dependent */
34916 /* .check_for_link: media type dependent */
34917 .id_led_init = e1000e_id_led_init,
34918 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
34919 .read_mac_addr = e1000_read_mac_addr_82571,
34920 };
34921
34922 -static struct e1000_phy_operations e82_phy_ops_igp = {
34923 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34924 .acquire = e1000_get_hw_semaphore_82571,
34925 .check_polarity = e1000_check_polarity_igp,
34926 .check_reset_block = e1000e_check_reset_block_generic,
34927 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
34928 .cfg_on_link_up = NULL,
34929 };
34930
34931 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34932 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34933 .acquire = e1000_get_hw_semaphore_82571,
34934 .check_polarity = e1000_check_polarity_m88,
34935 .check_reset_block = e1000e_check_reset_block_generic,
34936 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
34937 .cfg_on_link_up = NULL,
34938 };
34939
34940 -static struct e1000_phy_operations e82_phy_ops_bm = {
34941 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34942 .acquire = e1000_get_hw_semaphore_82571,
34943 .check_polarity = e1000_check_polarity_m88,
34944 .check_reset_block = e1000e_check_reset_block_generic,
34945 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
34946 .cfg_on_link_up = NULL,
34947 };
34948
34949 -static struct e1000_nvm_operations e82571_nvm_ops = {
34950 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34951 .acquire = e1000_acquire_nvm_82571,
34952 .read = e1000e_read_nvm_eerd,
34953 .release = e1000_release_nvm_82571,
34954 diff -urNp linux-2.6.39.3/drivers/net/e1000e/e1000.h linux-2.6.39.3/drivers/net/e1000e/e1000.h
34955 --- linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-19 00:06:34.000000000 -0400
34956 +++ linux-2.6.39.3/drivers/net/e1000e/e1000.h 2011-05-22 19:36:31.000000000 -0400
34957 @@ -409,9 +409,9 @@ struct e1000_info {
34958 u32 pba;
34959 u32 max_hw_frame_size;
34960 s32 (*get_variants)(struct e1000_adapter *);
34961 - struct e1000_mac_operations *mac_ops;
34962 - struct e1000_phy_operations *phy_ops;
34963 - struct e1000_nvm_operations *nvm_ops;
34964 + const struct e1000_mac_operations *mac_ops;
34965 + const struct e1000_phy_operations *phy_ops;
34966 + const struct e1000_nvm_operations *nvm_ops;
34967 };
34968
34969 /* hardware capability, feature, and workaround flags */
34970 diff -urNp linux-2.6.39.3/drivers/net/e1000e/es2lan.c linux-2.6.39.3/drivers/net/e1000e/es2lan.c
34971 --- linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-19 00:06:34.000000000 -0400
34972 +++ linux-2.6.39.3/drivers/net/e1000e/es2lan.c 2011-05-22 19:36:31.000000000 -0400
34973 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
34974 {
34975 struct e1000_hw *hw = &adapter->hw;
34976 struct e1000_mac_info *mac = &hw->mac;
34977 - struct e1000_mac_operations *func = &mac->ops;
34978 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
34979
34980 /* Set media type */
34981 switch (adapter->pdev->device) {
34982 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
34983 er32(ICRXDMTC);
34984 }
34985
34986 -static struct e1000_mac_operations es2_mac_ops = {
34987 +static const struct e1000_mac_operations es2_mac_ops = {
34988 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
34989 .id_led_init = e1000e_id_led_init,
34990 .check_mng_mode = e1000e_check_mng_mode_generic,
34991 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
34992 .setup_led = e1000e_setup_led_generic,
34993 };
34994
34995 -static struct e1000_phy_operations es2_phy_ops = {
34996 +static const struct e1000_phy_operations es2_phy_ops = {
34997 .acquire = e1000_acquire_phy_80003es2lan,
34998 .check_polarity = e1000_check_polarity_m88,
34999 .check_reset_block = e1000e_check_reset_block_generic,
35000 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
35001 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
35002 };
35003
35004 -static struct e1000_nvm_operations es2_nvm_ops = {
35005 +static const struct e1000_nvm_operations es2_nvm_ops = {
35006 .acquire = e1000_acquire_nvm_80003es2lan,
35007 .read = e1000e_read_nvm_eerd,
35008 .release = e1000_release_nvm_80003es2lan,
35009 diff -urNp linux-2.6.39.3/drivers/net/e1000e/hw.h linux-2.6.39.3/drivers/net/e1000e/hw.h
35010 --- linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-19 00:06:34.000000000 -0400
35011 +++ linux-2.6.39.3/drivers/net/e1000e/hw.h 2011-05-22 19:36:31.000000000 -0400
35012 @@ -811,6 +811,7 @@ struct e1000_nvm_operations {
35013 };
35014
35015 struct e1000_mac_info {
35016 + /* cannot be const see e1000_init_mac_params_ich8lan */
35017 struct e1000_mac_operations ops;
35018 u8 addr[ETH_ALEN];
35019 u8 perm_addr[ETH_ALEN];
35020 @@ -852,6 +853,7 @@ struct e1000_mac_info {
35021 };
35022
35023 struct e1000_phy_info {
35024 + /* Cannot be const see e1000_init_phy_params_82571() */
35025 struct e1000_phy_operations ops;
35026
35027 enum e1000_phy_type type;
35028 @@ -886,6 +888,7 @@ struct e1000_phy_info {
35029 };
35030
35031 struct e1000_nvm_info {
35032 + /* cannot be const */
35033 struct e1000_nvm_operations ops;
35034
35035 enum e1000_nvm_type type;
35036 diff -urNp linux-2.6.39.3/drivers/net/e1000e/ich8lan.c linux-2.6.39.3/drivers/net/e1000e/ich8lan.c
35037 --- linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-19 00:06:34.000000000 -0400
35038 +++ linux-2.6.39.3/drivers/net/e1000e/ich8lan.c 2011-05-22 19:36:31.000000000 -0400
35039 @@ -3866,7 +3866,7 @@ static void e1000_clear_hw_cntrs_ich8lan
35040 }
35041 }
35042
35043 -static struct e1000_mac_operations ich8_mac_ops = {
35044 +static const struct e1000_mac_operations ich8_mac_ops = {
35045 .id_led_init = e1000e_id_led_init,
35046 /* check_mng_mode dependent on mac type */
35047 .check_for_link = e1000_check_for_copper_link_ich8lan,
35048 @@ -3885,7 +3885,7 @@ static struct e1000_mac_operations ich8_
35049 /* id_led_init dependent on mac type */
35050 };
35051
35052 -static struct e1000_phy_operations ich8_phy_ops = {
35053 +static const struct e1000_phy_operations ich8_phy_ops = {
35054 .acquire = e1000_acquire_swflag_ich8lan,
35055 .check_reset_block = e1000_check_reset_block_ich8lan,
35056 .commit = NULL,
35057 @@ -3899,7 +3899,7 @@ static struct e1000_phy_operations ich8_
35058 .write_reg = e1000e_write_phy_reg_igp,
35059 };
35060
35061 -static struct e1000_nvm_operations ich8_nvm_ops = {
35062 +static const struct e1000_nvm_operations ich8_nvm_ops = {
35063 .acquire = e1000_acquire_nvm_ich8lan,
35064 .read = e1000_read_nvm_ich8lan,
35065 .release = e1000_release_nvm_ich8lan,
35066 diff -urNp linux-2.6.39.3/drivers/net/greth.c linux-2.6.39.3/drivers/net/greth.c
35067 --- linux-2.6.39.3/drivers/net/greth.c 2011-05-19 00:06:34.000000000 -0400
35068 +++ linux-2.6.39.3/drivers/net/greth.c 2011-05-22 19:36:31.000000000 -0400
35069 @@ -1192,7 +1192,7 @@ static const struct ethtool_ops greth_et
35070 .get_link = ethtool_op_get_link,
35071 };
35072
35073 -static struct net_device_ops greth_netdev_ops = {
35074 +static const struct net_device_ops greth_netdev_ops = {
35075 .ndo_open = greth_open,
35076 .ndo_stop = greth_close,
35077 .ndo_start_xmit = greth_start_xmit,
35078 diff -urNp linux-2.6.39.3/drivers/net/hamradio/6pack.c linux-2.6.39.3/drivers/net/hamradio/6pack.c
35079 --- linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:18:51.000000000 -0400
35080 +++ linux-2.6.39.3/drivers/net/hamradio/6pack.c 2011-07-09 09:19:18.000000000 -0400
35081 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
35082 unsigned char buf[512];
35083 int count1;
35084
35085 + pax_track_stack();
35086 +
35087 if (!count)
35088 return;
35089
35090 diff -urNp linux-2.6.39.3/drivers/net/ibm_newemac/phy.c linux-2.6.39.3/drivers/net/ibm_newemac/phy.c
35091 --- linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-19 00:06:34.000000000 -0400
35092 +++ linux-2.6.39.3/drivers/net/ibm_newemac/phy.c 2011-05-22 19:36:31.000000000 -0400
35093 @@ -273,7 +273,7 @@ static int genmii_read_link(struct mii_p
35094 }
35095
35096 /* Generic implementation for most 10/100/1000 PHYs */
35097 -static struct mii_phy_ops generic_phy_ops = {
35098 +static const struct mii_phy_ops generic_phy_ops = {
35099 .setup_aneg = genmii_setup_aneg,
35100 .setup_forced = genmii_setup_forced,
35101 .poll_link = genmii_poll_link,
35102 @@ -337,7 +337,7 @@ static int cis8201_init(struct mii_phy *
35103 return 0;
35104 }
35105
35106 -static struct mii_phy_ops cis8201_phy_ops = {
35107 +static const struct mii_phy_ops cis8201_phy_ops = {
35108 .init = cis8201_init,
35109 .setup_aneg = genmii_setup_aneg,
35110 .setup_forced = genmii_setup_forced,
35111 @@ -417,7 +417,7 @@ static int et1011c_init(struct mii_phy *
35112 return 0;
35113 }
35114
35115 -static struct mii_phy_ops et1011c_phy_ops = {
35116 +static const struct mii_phy_ops et1011c_phy_ops = {
35117 .init = et1011c_init,
35118 .setup_aneg = genmii_setup_aneg,
35119 .setup_forced = genmii_setup_forced,
35120 @@ -436,7 +436,7 @@ static struct mii_phy_def et1011c_phy_de
35121
35122
35123
35124 -static struct mii_phy_ops m88e1111_phy_ops = {
35125 +static const struct mii_phy_ops m88e1111_phy_ops = {
35126 .init = m88e1111_init,
35127 .setup_aneg = genmii_setup_aneg,
35128 .setup_forced = genmii_setup_forced,
35129 @@ -452,7 +452,7 @@ static struct mii_phy_def m88e1111_phy_d
35130 .ops = &m88e1111_phy_ops,
35131 };
35132
35133 -static struct mii_phy_ops m88e1112_phy_ops = {
35134 +static const struct mii_phy_ops m88e1112_phy_ops = {
35135 .init = m88e1112_init,
35136 .setup_aneg = genmii_setup_aneg,
35137 .setup_forced = genmii_setup_forced,
35138 diff -urNp linux-2.6.39.3/drivers/net/ibmveth.c linux-2.6.39.3/drivers/net/ibmveth.c
35139 --- linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-19 00:06:34.000000000 -0400
35140 +++ linux-2.6.39.3/drivers/net/ibmveth.c 2011-05-22 19:36:31.000000000 -0400
35141 @@ -1625,7 +1625,7 @@ static struct vio_device_id ibmveth_devi
35142 };
35143 MODULE_DEVICE_TABLE(vio, ibmveth_device_table);
35144
35145 -static struct dev_pm_ops ibmveth_pm_ops = {
35146 +static const struct dev_pm_ops ibmveth_pm_ops = {
35147 .resume = ibmveth_resume
35148 };
35149
35150 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_82575.c linux-2.6.39.3/drivers/net/igb/e1000_82575.c
35151 --- linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-19 00:06:34.000000000 -0400
35152 +++ linux-2.6.39.3/drivers/net/igb/e1000_82575.c 2011-05-22 19:36:31.000000000 -0400
35153 @@ -2029,7 +2029,7 @@ out:
35154 return ret_val;
35155 }
35156
35157 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
35158 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
35159 .init_hw = igb_init_hw_82575,
35160 .check_for_link = igb_check_for_link_82575,
35161 .rar_set = igb_rar_set,
35162 @@ -2037,13 +2037,13 @@ static struct e1000_mac_operations e1000
35163 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
35164 };
35165
35166 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
35167 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
35168 .acquire = igb_acquire_phy_82575,
35169 .get_cfg_done = igb_get_cfg_done_82575,
35170 .release = igb_release_phy_82575,
35171 };
35172
35173 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35174 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
35175 .acquire = igb_acquire_nvm_82575,
35176 .read = igb_read_nvm_eerd,
35177 .release = igb_release_nvm_82575,
35178 diff -urNp linux-2.6.39.3/drivers/net/igb/e1000_hw.h linux-2.6.39.3/drivers/net/igb/e1000_hw.h
35179 --- linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-19 00:06:34.000000000 -0400
35180 +++ linux-2.6.39.3/drivers/net/igb/e1000_hw.h 2011-05-22 19:36:31.000000000 -0400
35181 @@ -342,14 +342,15 @@ struct e1000_nvm_operations {
35182
35183 struct e1000_info {
35184 s32 (*get_invariants)(struct e1000_hw *);
35185 - struct e1000_mac_operations *mac_ops;
35186 - struct e1000_phy_operations *phy_ops;
35187 - struct e1000_nvm_operations *nvm_ops;
35188 + const struct e1000_mac_operations *mac_ops;
35189 + const struct e1000_phy_operations *phy_ops;
35190 + const struct e1000_nvm_operations *nvm_ops;
35191 };
35192
35193 extern const struct e1000_info e1000_82575_info;
35194
35195 struct e1000_mac_info {
35196 + /* cannot be const see igb_get_invariants_82575() */
35197 struct e1000_mac_operations ops;
35198
35199 u8 addr[6];
35200 @@ -388,6 +389,7 @@ struct e1000_mac_info {
35201 };
35202
35203 struct e1000_phy_info {
35204 + /* cannot be const see igb_get_invariants_82575() */
35205 struct e1000_phy_operations ops;
35206
35207 enum e1000_phy_type type;
35208 @@ -423,6 +425,7 @@ struct e1000_phy_info {
35209 };
35210
35211 struct e1000_nvm_info {
35212 + /* cannot be const */
35213 struct e1000_nvm_operations ops;
35214 enum e1000_nvm_type type;
35215 enum e1000_nvm_override override;
35216 diff -urNp linux-2.6.39.3/drivers/net/igbvf/vf.h linux-2.6.39.3/drivers/net/igbvf/vf.h
35217 --- linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-19 00:06:34.000000000 -0400
35218 +++ linux-2.6.39.3/drivers/net/igbvf/vf.h 2011-05-22 19:36:31.000000000 -0400
35219 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
35220 };
35221
35222 struct e1000_mac_info {
35223 + /* cannot be const see e1000_init_mac_params_vf() */
35224 struct e1000_mac_operations ops;
35225 u8 addr[6];
35226 u8 perm_addr[6];
35227 diff -urNp linux-2.6.39.3/drivers/net/irda/sh_irda.c linux-2.6.39.3/drivers/net/irda/sh_irda.c
35228 --- linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-19 00:06:34.000000000 -0400
35229 +++ linux-2.6.39.3/drivers/net/irda/sh_irda.c 2011-05-22 19:36:31.000000000 -0400
35230 @@ -307,7 +307,7 @@ static int xir_fte(struct sh_irda_self *
35231 return 0;
35232 }
35233
35234 -static struct sh_irda_xir_func xir_func = {
35235 +static const struct sh_irda_xir_func xir_func = {
35236 .xir_fre = xir_fre,
35237 .xir_trov = xir_trov,
35238 .xir_9 = xir_9,
35239 @@ -321,7 +321,7 @@ static struct sh_irda_xir_func xir_func
35240 *
35241 * MIR/FIR are not supported now
35242 *=====================================*/
35243 -static struct sh_irda_xir_func mfir_func = {
35244 +static const struct sh_irda_xir_func mfir_func = {
35245 .xir_fre = xir_fre,
35246 .xir_trov = xir_trov,
35247 .xir_9 = xir_9,
35248 @@ -400,7 +400,7 @@ static int sir_fte(struct sh_irda_self *
35249 return 0;
35250 }
35251
35252 -static struct sh_irda_xir_func sir_func = {
35253 +static const struct sh_irda_xir_func sir_func = {
35254 .xir_fre = sir_fre,
35255 .xir_trov = sir_trov,
35256 .xir_9 = sir_tot,
35257 @@ -411,7 +411,7 @@ static struct sh_irda_xir_func sir_func
35258 static void sh_irda_set_mode(struct sh_irda_self *self, enum sh_irda_mode mode)
35259 {
35260 struct device *dev = &self->ndev->dev;
35261 - struct sh_irda_xir_func *func;
35262 + const struct sh_irda_xir_func *func;
35263 const char *name;
35264 u16 data;
35265
35266 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c
35267 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-19 00:06:34.000000000 -0400
35268 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_main.c 2011-05-22 19:36:31.000000000 -0400
35269 @@ -1069,6 +1069,8 @@ ixgb_set_multi(struct net_device *netdev
35270 u32 rctl;
35271 int i;
35272
35273 + pax_track_stack();
35274 +
35275 /* Check for Promiscuous and All Multicast modes */
35276
35277 rctl = IXGB_READ_REG(hw, RCTL);
35278 diff -urNp linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c
35279 --- linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-19 00:06:34.000000000 -0400
35280 +++ linux-2.6.39.3/drivers/net/ixgb/ixgb_param.c 2011-05-22 19:36:31.000000000 -0400
35281 @@ -261,6 +261,9 @@ void __devinit
35282 ixgb_check_options(struct ixgb_adapter *adapter)
35283 {
35284 int bd = adapter->bd_number;
35285 +
35286 + pax_track_stack();
35287 +
35288 if (bd >= IXGB_MAX_NIC) {
35289 pr_notice("Warning: no configuration for board #%i\n", bd);
35290 pr_notice("Using defaults for all values\n");
35291 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c
35292 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-19 00:06:34.000000000 -0400
35293 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_82599.c 2011-05-22 19:36:31.000000000 -0400
35294 @@ -2099,7 +2099,7 @@ static struct ixgbe_phy_operations phy_o
35295 .check_overtemp = &ixgbe_tn_check_overtemp,
35296 };
35297
35298 -struct ixgbe_info ixgbe_82599_info = {
35299 +const struct ixgbe_info ixgbe_82599_info = {
35300 .mac = ixgbe_mac_82599EB,
35301 .get_invariants = &ixgbe_get_invariants_82599,
35302 .mac_ops = &mac_ops_82599,
35303 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h
35304 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-19 00:06:34.000000000 -0400
35305 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe.h 2011-05-22 19:36:31.000000000 -0400
35306 @@ -493,8 +493,8 @@ enum ixgbe_boards {
35307 };
35308
35309 extern struct ixgbe_info ixgbe_82598_info;
35310 -extern struct ixgbe_info ixgbe_82599_info;
35311 -extern struct ixgbe_info ixgbe_X540_info;
35312 +extern const struct ixgbe_info ixgbe_82599_info;
35313 +extern const struct ixgbe_info ixgbe_X540_info;
35314 #ifdef CONFIG_IXGBE_DCB
35315 extern const struct dcbnl_rtnl_ops dcbnl_ops;
35316 extern int ixgbe_copy_dcb_cfg(struct ixgbe_dcb_config *src_dcb_cfg,
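Review bot: `ixgbe_82598_info` is left as `extern struct ixgbe_info` on the context line directly above the two declarations that become `const`, so the three board descriptors no longer match. If ixgbe_82598.c is not constified elsewhere in the patch, that descriptor and its function-table pointers stay writable while its siblings move to read-only data; the fix would be `extern const struct ixgbe_info ixgbe_82598_info;` together with `const` on its definition. Whether anything writes to the 82598 descriptor cannot be told from this hunk.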
35317 diff -urNp linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c
35318 --- linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-19 00:06:34.000000000 -0400
35319 +++ linux-2.6.39.3/drivers/net/ixgbe/ixgbe_x540.c 2011-05-22 19:36:31.000000000 -0400
35320 @@ -727,7 +727,7 @@ static struct ixgbe_phy_operations phy_o
35321 .check_overtemp = &ixgbe_tn_check_overtemp,
35322 };
35323
35324 -struct ixgbe_info ixgbe_X540_info = {
35325 +const struct ixgbe_info ixgbe_X540_info = {
35326 .mac = ixgbe_mac_X540,
35327 .get_invariants = &ixgbe_get_invariants_X540,
35328 .mac_ops = &mac_ops_X540,
35329 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c
35330 --- linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-19 00:06:34.000000000 -0400
35331 +++ linux-2.6.39.3/drivers/net/ixgbevf/ethtool.c 2011-05-22 19:36:31.000000000 -0400
35332 @@ -709,7 +709,7 @@ static int ixgbevf_nway_reset(struct net
35333 return 0;
35334 }
35335
35336 -static struct ethtool_ops ixgbevf_ethtool_ops = {
35337 +static const struct ethtool_ops ixgbevf_ethtool_ops = {
35338 .get_settings = ixgbevf_get_settings,
35339 .get_drvinfo = ixgbevf_get_drvinfo,
35340 .get_regs_len = ixgbevf_get_regs_len,
35341 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h
35342 --- linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-19 00:06:34.000000000 -0400
35343 +++ linux-2.6.39.3/drivers/net/ixgbevf/ixgbevf.h 2011-05-22 19:36:31.000000000 -0400
35344 @@ -279,7 +279,7 @@ enum ixgbevf_boards {
35345
35346 extern struct ixgbevf_info ixgbevf_82599_vf_info;
35347 extern struct ixgbevf_info ixgbevf_X540_vf_info;
35348 -extern struct ixgbe_mac_operations ixgbevf_mbx_ops;
35349 +extern const struct ixgbe_mac_operations ixgbevf_mbx_ops;
35350
35351 /* needed by ethtool.c */
35352 extern char ixgbevf_driver_name[];
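Review bot: The two `ixgbevf_info` declarations kept as context here, `extern struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern struct ixgbevf_info ixgbevf_X540_vf_info;`, now disagree with their definitions, which the vf.c hunk further down changes to `const struct ixgbevf_info`. Any file that sees both the declaration and the definition would fail to compile with conflicting qualifiers, and a file that sees only this header is told the objects are writable although they are defined `const`. Both declarations should gain the qualifier, `extern const struct ixgbevf_info ixgbevf_82599_vf_info;` and `extern const struct ixgbevf_info ixgbevf_X540_vf_info;`, and any pointer that stores their address (not visible here) would need `const` as well.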
35353 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.c linux-2.6.39.3/drivers/net/ixgbevf/vf.c
35354 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-19 00:06:34.000000000 -0400
35355 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.c 2011-05-22 19:36:31.000000000 -0400
35356 @@ -368,7 +368,7 @@ static s32 ixgbevf_check_mac_link_vf(str
35357 return 0;
35358 }
35359
35360 -static struct ixgbe_mac_operations ixgbevf_mac_ops = {
35361 +static const struct ixgbe_mac_operations ixgbevf_mac_ops = {
35362 .init_hw = ixgbevf_init_hw_vf,
35363 .reset_hw = ixgbevf_reset_hw_vf,
35364 .start_hw = ixgbevf_start_hw_vf,
35365 @@ -381,12 +381,12 @@ static struct ixgbe_mac_operations ixgbe
35366 .set_vfta = ixgbevf_set_vfta_vf,
35367 };
35368
35369 -struct ixgbevf_info ixgbevf_82599_vf_info = {
35370 +const struct ixgbevf_info ixgbevf_82599_vf_info = {
35371 .mac = ixgbe_mac_82599_vf,
35372 .mac_ops = &ixgbevf_mac_ops,
35373 };
35374
35375 -struct ixgbevf_info ixgbevf_X540_vf_info = {
35376 +const struct ixgbevf_info ixgbevf_X540_vf_info = {
35377 .mac = ixgbe_mac_X540_vf,
35378 .mac_ops = &ixgbevf_mac_ops,
35379 };
35380 diff -urNp linux-2.6.39.3/drivers/net/ixgbevf/vf.h linux-2.6.39.3/drivers/net/ixgbevf/vf.h
35381 --- linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-19 00:06:34.000000000 -0400
35382 +++ linux-2.6.39.3/drivers/net/ixgbevf/vf.h 2011-05-22 19:36:31.000000000 -0400
35383 @@ -166,7 +166,7 @@ struct ixgbevf_hw_stats {
35384
35385 struct ixgbevf_info {
35386 enum ixgbe_mac_type mac;
35387 - struct ixgbe_mac_operations *mac_ops;
35388 + const struct ixgbe_mac_operations *mac_ops;
35389 };
35390
35391 #endif /* __IXGBE_VF_H__ */
35392 diff -urNp linux-2.6.39.3/drivers/net/ksz884x.c linux-2.6.39.3/drivers/net/ksz884x.c
35393 --- linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-19 00:06:34.000000000 -0400
35394 +++ linux-2.6.39.3/drivers/net/ksz884x.c 2011-05-22 19:36:31.000000000 -0400
35395 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
35396 int rc;
35397 u64 counter[TOTAL_PORT_COUNTER_NUM];
35398
35399 + pax_track_stack();
35400 +
35401 mutex_lock(&hw_priv->lock);
35402 n = SWITCH_PORT_NUM;
35403 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
35404 @@ -6637,7 +6639,7 @@ static int netdev_set_rx_csum(struct net
35405 return 0;
35406 }
35407
35408 -static struct ethtool_ops netdev_ethtool_ops = {
35409 +static const struct ethtool_ops netdev_ethtool_ops = {
35410 .get_settings = netdev_get_settings,
35411 .set_settings = netdev_set_settings,
35412 .nway_reset = netdev_nway_reset,
35413 diff -urNp linux-2.6.39.3/drivers/net/mlx4/main.c linux-2.6.39.3/drivers/net/mlx4/main.c
35414 --- linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-19 00:06:34.000000000 -0400
35415 +++ linux-2.6.39.3/drivers/net/mlx4/main.c 2011-05-22 19:36:31.000000000 -0400
35416 @@ -40,6 +40,7 @@
35417 #include <linux/dma-mapping.h>
35418 #include <linux/slab.h>
35419 #include <linux/io-mapping.h>
35420 +#include <linux/sched.h>
35421
35422 #include <linux/mlx4/device.h>
35423 #include <linux/mlx4/doorbell.h>
35424 @@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
35425 u64 icm_size;
35426 int err;
35427
35428 + pax_track_stack();
35429 +
35430 err = mlx4_QUERY_FW(dev);
35431 if (err) {
35432 if (err == -EACCES)
35433 diff -urNp linux-2.6.39.3/drivers/net/netconsole.c linux-2.6.39.3/drivers/net/netconsole.c
35434 --- linux-2.6.39.3/drivers/net/netconsole.c 2011-05-19 00:06:34.000000000 -0400
35435 +++ linux-2.6.39.3/drivers/net/netconsole.c 2011-05-22 19:36:31.000000000 -0400
35436 @@ -634,7 +634,7 @@ static void drop_netconsole_target(struc
35437 config_item_put(&nt->item);
35438 }
35439
35440 -static struct configfs_group_operations netconsole_subsys_group_ops = {
35441 +static const struct configfs_group_operations netconsole_subsys_group_ops = {
35442 .make_item = make_netconsole_target,
35443 .drop_item = drop_netconsole_target,
35444 };
35445 diff -urNp linux-2.6.39.3/drivers/net/niu.c linux-2.6.39.3/drivers/net/niu.c
35446 --- linux-2.6.39.3/drivers/net/niu.c 2011-05-19 00:06:34.000000000 -0400
35447 +++ linux-2.6.39.3/drivers/net/niu.c 2011-05-22 19:36:31.000000000 -0400
35448 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
35449 int i, num_irqs, err;
35450 u8 first_ldg;
35451
35452 + pax_track_stack();
35453 +
35454 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
35455 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
35456 ldg_num_map[i] = first_ldg + i;
35457 diff -urNp linux-2.6.39.3/drivers/net/pcnet32.c linux-2.6.39.3/drivers/net/pcnet32.c
35458 --- linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-19 00:06:34.000000000 -0400
35459 +++ linux-2.6.39.3/drivers/net/pcnet32.c 2011-05-22 19:36:31.000000000 -0400
35460 @@ -82,7 +82,7 @@ static int cards_found;
35461 /*
35462 * VLB I/O addresses
35463 */
35464 -static unsigned int pcnet32_portlist[] __initdata =
35465 +static unsigned int pcnet32_portlist[] __devinitdata =
35466 { 0x300, 0x320, 0x340, 0x360, 0 };
35467
35468 static int pcnet32_debug;
35469 @@ -379,7 +379,7 @@ static int pcnet32_wio_check(unsigned lo
35470 return inw(addr + PCNET32_WIO_RAP) == 88;
35471 }
35472
35473 -static struct pcnet32_access pcnet32_wio = {
35474 +static const struct pcnet32_access pcnet32_wio = {
35475 .read_csr = pcnet32_wio_read_csr,
35476 .write_csr = pcnet32_wio_write_csr,
35477 .read_bcr = pcnet32_wio_read_bcr,
35478 @@ -434,7 +434,7 @@ static int pcnet32_dwio_check(unsigned l
35479 return (inl(addr + PCNET32_DWIO_RAP) & 0xffff) == 88;
35480 }
35481
35482 -static struct pcnet32_access pcnet32_dwio = {
35483 +static const struct pcnet32_access pcnet32_dwio = {
35484 .read_csr = pcnet32_dwio_read_csr,
35485 .write_csr = pcnet32_dwio_write_csr,
35486 .read_bcr = pcnet32_dwio_read_bcr,
35487 @@ -1546,7 +1546,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35488 int chip_version;
35489 char *chipname;
35490 struct net_device *dev;
35491 - struct pcnet32_access *a = NULL;
35492 + const struct pcnet32_access *a = NULL;
35493 u8 promaddr[6];
35494 int ret = -ENODEV;
35495
35496 diff -urNp linux-2.6.39.3/drivers/net/ppp_generic.c linux-2.6.39.3/drivers/net/ppp_generic.c
35497 --- linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-19 00:06:34.000000000 -0400
35498 +++ linux-2.6.39.3/drivers/net/ppp_generic.c 2011-05-22 19:36:31.000000000 -0400
35499 @@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
35500 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
35501 struct ppp_stats stats;
35502 struct ppp_comp_stats cstats;
35503 - char *vers;
35504
35505 switch (cmd) {
35506 case SIOCGPPPSTATS:
35507 @@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
35508 break;
35509
35510 case SIOCGPPPVER:
35511 - vers = PPP_VERSION;
35512 - if (copy_to_user(addr, vers, strlen(vers) + 1))
35513 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
35514 break;
35515 err = 0;
35516 break;
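Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case equals the string length plus the terminating NUL only while PPP_VERSION expands to a string literal, and its definition is not in this hunk. If it were ever turned into a `const char *`, the call would copy exactly pointer-size bytes, truncating or over-reading the version string without any compiler warning. A comment on the line, e.g. `/* PPP_VERSION must stay a string literal: sizeof counts its NUL */`, would make that dependency explicit. ppp_net_ioctl starts and ends outside the hunk.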
35517 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h
35518 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-19 00:06:34.000000000 -0400
35519 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic.h 2011-05-22 19:36:31.000000000 -0400
35520 @@ -1037,7 +1037,7 @@ struct qlcnic_adapter {
35521 struct vlan_group *vlgrp;
35522 struct qlcnic_npar_info *npars;
35523 struct qlcnic_eswitch *eswitch;
35524 - struct qlcnic_nic_template *nic_ops;
35525 + const struct qlcnic_nic_template *nic_ops;
35526
35527 struct qlcnic_adapter_stats stats;
35528
35529 diff -urNp linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c
35530 --- linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-19 00:06:34.000000000 -0400
35531 +++ linux-2.6.39.3/drivers/net/qlcnic/qlcnic_main.c 2011-05-22 19:36:31.000000000 -0400
35532 @@ -340,13 +340,13 @@ static const struct net_device_ops qlcni
35533 #endif
35534 };
35535
35536 -static struct qlcnic_nic_template qlcnic_ops = {
35537 +static const struct qlcnic_nic_template qlcnic_ops = {
35538 .config_bridged_mode = qlcnic_config_bridged_mode,
35539 .config_led = qlcnic_config_led,
35540 .start_firmware = qlcnic_start_firmware
35541 };
35542
35543 -static struct qlcnic_nic_template qlcnic_vf_ops = {
35544 +static const struct qlcnic_nic_template qlcnic_vf_ops = {
35545 .config_bridged_mode = qlcnicvf_config_bridged_mode,
35546 .config_led = qlcnicvf_config_led,
35547 .start_firmware = qlcnicvf_start_firmware
35548 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge.h linux-2.6.39.3/drivers/net/qlge/qlge.h
35549 --- linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-19 00:06:34.000000000 -0400
35550 +++ linux-2.6.39.3/drivers/net/qlge/qlge.h 2011-05-22 19:36:31.000000000 -0400
35551 @@ -2134,7 +2134,7 @@ struct ql_adapter {
35552 struct delayed_work mpi_idc_work;
35553 struct delayed_work mpi_core_to_log;
35554 struct completion ide_completion;
35555 - struct nic_operations *nic_ops;
35556 + const struct nic_operations *nic_ops;
35557 u16 device_id;
35558 struct timer_list timer;
35559 atomic_t lb_count;
35560 diff -urNp linux-2.6.39.3/drivers/net/qlge/qlge_main.c linux-2.6.39.3/drivers/net/qlge/qlge_main.c
35561 --- linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-19 00:06:34.000000000 -0400
35562 +++ linux-2.6.39.3/drivers/net/qlge/qlge_main.c 2011-05-22 19:36:31.000000000 -0400
35563 @@ -4412,12 +4412,12 @@ error:
35564 rtnl_unlock();
35565 }
35566
35567 -static struct nic_operations qla8012_nic_ops = {
35568 +static const struct nic_operations qla8012_nic_ops = {
35569 .get_flash = ql_get_8012_flash_params,
35570 .port_initialize = ql_8012_port_initialize,
35571 };
35572
35573 -static struct nic_operations qla8000_nic_ops = {
35574 +static const struct nic_operations qla8000_nic_ops = {
35575 .get_flash = ql_get_8000_flash_params,
35576 .port_initialize = ql_8000_port_initialize,
35577 };
35578 diff -urNp linux-2.6.39.3/drivers/net/sfc/falcon.c linux-2.6.39.3/drivers/net/sfc/falcon.c
35579 --- linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-19 00:06:34.000000000 -0400
35580 +++ linux-2.6.39.3/drivers/net/sfc/falcon.c 2011-05-22 19:36:31.000000000 -0400
35581 @@ -1703,7 +1703,7 @@ static int falcon_set_wol(struct efx_nic
35582 **************************************************************************
35583 */
35584
35585 -struct efx_nic_type falcon_a1_nic_type = {
35586 +const struct efx_nic_type falcon_a1_nic_type = {
35587 .probe = falcon_probe_nic,
35588 .remove = falcon_remove_nic,
35589 .init = falcon_init_nic,
35590 @@ -1744,7 +1744,7 @@ struct efx_nic_type falcon_a1_nic_type =
35591 .reset_world_flags = ETH_RESET_IRQ,
35592 };
35593
35594 -struct efx_nic_type falcon_b0_nic_type = {
35595 +const struct efx_nic_type falcon_b0_nic_type = {
35596 .probe = falcon_probe_nic,
35597 .remove = falcon_remove_nic,
35598 .init = falcon_init_nic,
35599 diff -urNp linux-2.6.39.3/drivers/net/sfc/mtd.c linux-2.6.39.3/drivers/net/sfc/mtd.c
35600 --- linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-19 00:06:34.000000000 -0400
35601 +++ linux-2.6.39.3/drivers/net/sfc/mtd.c 2011-05-22 19:36:31.000000000 -0400
35602 @@ -382,7 +382,7 @@ static int falcon_mtd_sync(struct mtd_in
35603 return rc;
35604 }
35605
35606 -static struct efx_mtd_ops falcon_mtd_ops = {
35607 +static const struct efx_mtd_ops falcon_mtd_ops = {
35608 .read = falcon_mtd_read,
35609 .erase = falcon_mtd_erase,
35610 .write = falcon_mtd_write,
35611 @@ -560,7 +560,7 @@ static int siena_mtd_sync(struct mtd_inf
35612 return rc;
35613 }
35614
35615 -static struct efx_mtd_ops siena_mtd_ops = {
35616 +static const struct efx_mtd_ops siena_mtd_ops = {
35617 .read = siena_mtd_read,
35618 .erase = siena_mtd_erase,
35619 .write = siena_mtd_write,
35620 diff -urNp linux-2.6.39.3/drivers/net/sfc/nic.h linux-2.6.39.3/drivers/net/sfc/nic.h
35621 --- linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-19 00:06:34.000000000 -0400
35622 +++ linux-2.6.39.3/drivers/net/sfc/nic.h 2011-05-22 19:36:31.000000000 -0400
35623 @@ -152,9 +152,9 @@ struct siena_nic_data {
35624 int wol_filter_id;
35625 };
35626
35627 -extern struct efx_nic_type falcon_a1_nic_type;
35628 -extern struct efx_nic_type falcon_b0_nic_type;
35629 -extern struct efx_nic_type siena_a0_nic_type;
35630 +extern const struct efx_nic_type falcon_a1_nic_type;
35631 +extern const struct efx_nic_type falcon_b0_nic_type;
35632 +extern const struct efx_nic_type siena_a0_nic_type;
35633
35634 /**************************************************************************
35635 *
35636 diff -urNp linux-2.6.39.3/drivers/net/sfc/siena.c linux-2.6.39.3/drivers/net/sfc/siena.c
35637 --- linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-19 00:06:34.000000000 -0400
35638 +++ linux-2.6.39.3/drivers/net/sfc/siena.c 2011-05-22 19:36:31.000000000 -0400
35639 @@ -599,7 +599,7 @@ static void siena_init_wol(struct efx_ni
35640 **************************************************************************
35641 */
35642
35643 -struct efx_nic_type siena_a0_nic_type = {
35644 +const struct efx_nic_type siena_a0_nic_type = {
35645 .probe = siena_probe_nic,
35646 .remove = siena_remove_nic,
35647 .init = siena_init_nic,
35648 diff -urNp linux-2.6.39.3/drivers/net/sh_eth.c linux-2.6.39.3/drivers/net/sh_eth.c
35649 --- linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-19 00:06:34.000000000 -0400
35650 +++ linux-2.6.39.3/drivers/net/sh_eth.c 2011-05-22 19:36:31.000000000 -0400
35651 @@ -1360,7 +1360,7 @@ static void sh_eth_get_strings(struct ne
35652 }
35653 }
35654
35655 -static struct ethtool_ops sh_eth_ethtool_ops = {
35656 +static const struct ethtool_ops sh_eth_ethtool_ops = {
35657 .get_settings = sh_eth_get_settings,
35658 .set_settings = sh_eth_set_settings,
35659 .nway_reset = sh_eth_nway_reset,
35660 diff -urNp linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c
35661 --- linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-19 00:06:34.000000000 -0400
35662 +++ linux-2.6.39.3/drivers/net/stmmac/stmmac_ethtool.c 2011-05-22 19:36:31.000000000 -0400
35663 @@ -348,7 +348,7 @@ static int stmmac_set_wol(struct net_dev
35664 return 0;
35665 }
35666
35667 -static struct ethtool_ops stmmac_ethtool_ops = {
35668 +static const struct ethtool_ops stmmac_ethtool_ops = {
35669 .begin = stmmac_check_if_running,
35670 .get_drvinfo = stmmac_ethtool_getdrvinfo,
35671 .get_settings = stmmac_ethtool_getsettings,
35672 diff -urNp linux-2.6.39.3/drivers/net/sungem_phy.c linux-2.6.39.3/drivers/net/sungem_phy.c
35673 --- linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-19 00:06:34.000000000 -0400
35674 +++ linux-2.6.39.3/drivers/net/sungem_phy.c 2011-05-22 19:36:31.000000000 -0400
35675 @@ -886,7 +886,7 @@ static int marvell_read_link(struct mii_
35676 SUPPORTED_1000baseT_Half | SUPPORTED_1000baseT_Full)
35677
35678 /* Broadcom BCM 5201 */
35679 -static struct mii_phy_ops bcm5201_phy_ops = {
35680 +static const struct mii_phy_ops bcm5201_phy_ops = {
35681 .init = bcm5201_init,
35682 .suspend = bcm5201_suspend,
35683 .setup_aneg = genmii_setup_aneg,
35684 @@ -905,7 +905,7 @@ static struct mii_phy_def bcm5201_phy_de
35685 };
35686
35687 /* Broadcom BCM 5221 */
35688 -static struct mii_phy_ops bcm5221_phy_ops = {
35689 +static const struct mii_phy_ops bcm5221_phy_ops = {
35690 .suspend = bcm5221_suspend,
35691 .init = bcm5221_init,
35692 .setup_aneg = genmii_setup_aneg,
35693 @@ -924,7 +924,7 @@ static struct mii_phy_def bcm5221_phy_de
35694 };
35695
35696 /* Broadcom BCM 5241 */
35697 -static struct mii_phy_ops bcm5241_phy_ops = {
35698 +static const struct mii_phy_ops bcm5241_phy_ops = {
35699 .suspend = bcm5241_suspend,
35700 .init = bcm5241_init,
35701 .setup_aneg = genmii_setup_aneg,
35702 @@ -942,7 +942,7 @@ static struct mii_phy_def bcm5241_phy_de
35703 };
35704
35705 /* Broadcom BCM 5400 */
35706 -static struct mii_phy_ops bcm5400_phy_ops = {
35707 +static const struct mii_phy_ops bcm5400_phy_ops = {
35708 .init = bcm5400_init,
35709 .suspend = bcm5400_suspend,
35710 .setup_aneg = bcm54xx_setup_aneg,
35711 @@ -961,7 +961,7 @@ static struct mii_phy_def bcm5400_phy_de
35712 };
35713
35714 /* Broadcom BCM 5401 */
35715 -static struct mii_phy_ops bcm5401_phy_ops = {
35716 +static const struct mii_phy_ops bcm5401_phy_ops = {
35717 .init = bcm5401_init,
35718 .suspend = bcm5401_suspend,
35719 .setup_aneg = bcm54xx_setup_aneg,
35720 @@ -980,7 +980,7 @@ static struct mii_phy_def bcm5401_phy_de
35721 };
35722
35723 /* Broadcom BCM 5411 */
35724 -static struct mii_phy_ops bcm5411_phy_ops = {
35725 +static const struct mii_phy_ops bcm5411_phy_ops = {
35726 .init = bcm5411_init,
35727 .suspend = generic_suspend,
35728 .setup_aneg = bcm54xx_setup_aneg,
35729 @@ -999,7 +999,7 @@ static struct mii_phy_def bcm5411_phy_de
35730 };
35731
35732 /* Broadcom BCM 5421 */
35733 -static struct mii_phy_ops bcm5421_phy_ops = {
35734 +static const struct mii_phy_ops bcm5421_phy_ops = {
35735 .init = bcm5421_init,
35736 .suspend = generic_suspend,
35737 .setup_aneg = bcm54xx_setup_aneg,
35738 @@ -1019,7 +1019,7 @@ static struct mii_phy_def bcm5421_phy_de
35739 };
35740
35741 /* Broadcom BCM 5421 built-in K2 */
35742 -static struct mii_phy_ops bcm5421k2_phy_ops = {
35743 +static const struct mii_phy_ops bcm5421k2_phy_ops = {
35744 .init = bcm5421_init,
35745 .suspend = generic_suspend,
35746 .setup_aneg = bcm54xx_setup_aneg,
35747 @@ -1037,7 +1037,7 @@ static struct mii_phy_def bcm5421k2_phy_
35748 .ops = &bcm5421k2_phy_ops
35749 };
35750
35751 -static struct mii_phy_ops bcm5461_phy_ops = {
35752 +static const struct mii_phy_ops bcm5461_phy_ops = {
35753 .init = bcm5421_init,
35754 .suspend = generic_suspend,
35755 .setup_aneg = bcm54xx_setup_aneg,
35756 @@ -1057,7 +1057,7 @@ static struct mii_phy_def bcm5461_phy_de
35757 };
35758
35759 /* Broadcom BCM 5462 built-in Vesta */
35760 -static struct mii_phy_ops bcm5462V_phy_ops = {
35761 +static const struct mii_phy_ops bcm5462V_phy_ops = {
35762 .init = bcm5421_init,
35763 .suspend = generic_suspend,
35764 .setup_aneg = bcm54xx_setup_aneg,
35765 @@ -1076,7 +1076,7 @@ static struct mii_phy_def bcm5462V_phy_d
35766 };
35767
35768 /* Marvell 88E1101 amd 88E1111 */
35769 -static struct mii_phy_ops marvell88e1101_phy_ops = {
35770 +static const struct mii_phy_ops marvell88e1101_phy_ops = {
35771 .suspend = generic_suspend,
35772 .setup_aneg = marvell_setup_aneg,
35773 .setup_forced = marvell_setup_forced,
35774 @@ -1084,7 +1084,7 @@ static struct mii_phy_ops marvell88e1101
35775 .read_link = marvell_read_link
35776 };
35777
35778 -static struct mii_phy_ops marvell88e1111_phy_ops = {
35779 +static const struct mii_phy_ops marvell88e1111_phy_ops = {
35780 .init = marvell88e1111_init,
35781 .suspend = generic_suspend,
35782 .setup_aneg = marvell_setup_aneg,
35783 @@ -1122,7 +1122,7 @@ static struct mii_phy_def marvell88e1111
35784 };
35785
35786 /* Generic implementation for most 10/100 PHYs */
35787 -static struct mii_phy_ops generic_phy_ops = {
35788 +static const struct mii_phy_ops generic_phy_ops = {
35789 .setup_aneg = genmii_setup_aneg,
35790 .setup_forced = genmii_setup_forced,
35791 .poll_link = genmii_poll_link,
35792 diff -urNp linux-2.6.39.3/drivers/net/tg3.h linux-2.6.39.3/drivers/net/tg3.h
35793 --- linux-2.6.39.3/drivers/net/tg3.h 2011-05-19 00:06:34.000000000 -0400
35794 +++ linux-2.6.39.3/drivers/net/tg3.h 2011-05-22 19:36:31.000000000 -0400
35795 @@ -131,6 +131,7 @@
35796 #define CHIPREV_ID_5750_A0 0x4000
35797 #define CHIPREV_ID_5750_A1 0x4001
35798 #define CHIPREV_ID_5750_A3 0x4003
35799 +#define CHIPREV_ID_5750_C1 0x4201
35800 #define CHIPREV_ID_5750_C2 0x4202
35801 #define CHIPREV_ID_5752_A0_HW 0x5000
35802 #define CHIPREV_ID_5752_A0 0x6000
35803 diff -urNp linux-2.6.39.3/drivers/net/tile/tilepro.c linux-2.6.39.3/drivers/net/tile/tilepro.c
35804 --- linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-19 00:06:34.000000000 -0400
35805 +++ linux-2.6.39.3/drivers/net/tile/tilepro.c 2011-05-22 19:36:31.000000000 -0400
35806 @@ -2263,7 +2263,7 @@ static int tile_net_get_mac(struct net_d
35807 }
35808
35809
35810 -static struct net_device_ops tile_net_ops = {
35811 +static const struct net_device_ops tile_net_ops = {
35812 .ndo_open = tile_net_open,
35813 .ndo_stop = tile_net_stop,
35814 .ndo_start_xmit = tile_net_tx,
35815 diff -urNp linux-2.6.39.3/drivers/net/tulip/de2104x.c linux-2.6.39.3/drivers/net/tulip/de2104x.c
35816 --- linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-19 00:06:34.000000000 -0400
35817 +++ linux-2.6.39.3/drivers/net/tulip/de2104x.c 2011-05-22 19:36:31.000000000 -0400
35818 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
35819 struct de_srom_info_leaf *il;
35820 void *bufp;
35821
35822 + pax_track_stack();
35823 +
35824 /* download entire eeprom */
35825 for (i = 0; i < DE_EEPROM_WORDS; i++)
35826 ((__le16 *)ee_data)[i] =
35827 diff -urNp linux-2.6.39.3/drivers/net/tulip/de4x5.c linux-2.6.39.3/drivers/net/tulip/de4x5.c
35828 --- linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-19 00:06:34.000000000 -0400
35829 +++ linux-2.6.39.3/drivers/net/tulip/de4x5.c 2011-05-22 19:36:31.000000000 -0400
35830 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
35831 for (i=0; i<ETH_ALEN; i++) {
35832 tmp.addr[i] = dev->dev_addr[i];
35833 }
35834 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35835 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35836 break;
35837
35838 case DE4X5_SET_HWADDR: /* Set the hardware address */
35839 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
35840 spin_lock_irqsave(&lp->lock, flags);
35841 memcpy(&statbuf, &lp->pktStats, ioc->len);
35842 spin_unlock_irqrestore(&lp->lock, flags);
35843 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35844 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35845 return -EFAULT;
35846 break;
35847 }
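Review bot: The added `ioc->len > sizeof statbuf` test runs only after the context line `memcpy(&statbuf, &lp->pktStats, ioc->len)` has already copied `ioc->len` bytes into the stack buffer, so it cannot protect that write. Whether `ioc->len` is bounded earlier in this case is outside the hunk. If it is not, the check should move above the `spin_lock_irqsave()` call as `if (ioc->len > sizeof statbuf) return -EINVAL;`. Returning -EFAULT for an oversized length, here and in the first hunk of this file, also reports a bad argument as a bad address. de4x5_ioctl continues outside the hunk.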
35848 diff -urNp linux-2.6.39.3/drivers/net/usb/asix.c linux-2.6.39.3/drivers/net/usb/asix.c
35849 --- linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-19 00:06:34.000000000 -0400
35850 +++ linux-2.6.39.3/drivers/net/usb/asix.c 2011-05-22 19:36:31.000000000 -0400
35851 @@ -1098,7 +1098,7 @@ out:
35852 return ret;
35853 }
35854
35855 -static struct ethtool_ops ax88178_ethtool_ops = {
35856 +static const struct ethtool_ops ax88178_ethtool_ops = {
35857 .get_drvinfo = asix_get_drvinfo,
35858 .get_link = asix_get_link,
35859 .get_msglevel = usbnet_get_msglevel,
35860 diff -urNp linux-2.6.39.3/drivers/net/usb/cdc_ncm.c linux-2.6.39.3/drivers/net/usb/cdc_ncm.c
35861 --- linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 12:55:22.000000000 -0400
35862 +++ linux-2.6.39.3/drivers/net/usb/cdc_ncm.c 2011-06-25 13:00:26.000000000 -0400
35863 @@ -141,7 +141,7 @@ struct cdc_ncm_ctx {
35864 static void cdc_ncm_tx_timeout(unsigned long arg);
35865 static const struct driver_info cdc_ncm_info;
35866 static struct usb_driver cdc_ncm_driver;
35867 -static struct ethtool_ops cdc_ncm_ethtool_ops;
35868 +static const struct ethtool_ops cdc_ncm_ethtool_ops;
35869
35870 static const struct usb_device_id cdc_devs[] = {
35871 { USB_INTERFACE_INFO(USB_CLASS_COMM,
35872 @@ -1258,7 +1258,7 @@ static struct usb_driver cdc_ncm_driver
35873 .supports_autosuspend = 1,
35874 };
35875
35876 -static struct ethtool_ops cdc_ncm_ethtool_ops = {
35877 +static const struct ethtool_ops cdc_ncm_ethtool_ops = {
35878 .get_drvinfo = cdc_ncm_get_drvinfo,
35879 .get_link = usbnet_get_link,
35880 .get_msglevel = usbnet_get_msglevel,
35881 diff -urNp linux-2.6.39.3/drivers/net/usb/hso.c linux-2.6.39.3/drivers/net/usb/hso.c
35882 --- linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-19 00:06:34.000000000 -0400
35883 +++ linux-2.6.39.3/drivers/net/usb/hso.c 2011-05-22 19:36:31.000000000 -0400
35884 @@ -71,7 +71,7 @@
35885 #include <asm/byteorder.h>
35886 #include <linux/serial_core.h>
35887 #include <linux/serial.h>
35888 -
35889 +#include <asm/local.h>
35890
35891 #define MOD_AUTHOR "Option Wireless"
35892 #define MOD_DESCRIPTION "USB High Speed Option driver"
35893 @@ -257,7 +257,7 @@ struct hso_serial {
35894
35895 /* from usb_serial_port */
35896 struct tty_struct *tty;
35897 - int open_count;
35898 + local_t open_count;
35899 spinlock_t serial_lock;
35900
35901 int (*write_data) (struct hso_serial *serial);
35902 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
35903 struct urb *urb;
35904
35905 urb = serial->rx_urb[0];
35906 - if (serial->open_count > 0) {
35907 + if (local_read(&serial->open_count) > 0) {
35908 count = put_rxbuf_data(urb, serial);
35909 if (count == -1)
35910 return;
35911 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
35912 DUMP1(urb->transfer_buffer, urb->actual_length);
35913
35914 /* Anyone listening? */
35915 - if (serial->open_count == 0)
35916 + if (local_read(&serial->open_count) == 0)
35917 return;
35918
35919 if (status == 0) {
35920 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35921 spin_unlock_irq(&serial->serial_lock);
35922
35923 /* check for port already opened, if not set the termios */
35924 - serial->open_count++;
35925 - if (serial->open_count == 1) {
35926 + if (local_inc_return(&serial->open_count) == 1) {
35927 serial->rx_state = RX_IDLE;
35928 /* Force default termio settings */
35929 _hso_serial_set_termios(tty, NULL);
35930 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
35931 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35932 if (result) {
35933 hso_stop_serial_device(serial->parent);
35934 - serial->open_count--;
35935 + local_dec(&serial->open_count);
35936 kref_put(&serial->parent->ref, hso_serial_ref_free);
35937 }
35938 } else {
35939 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
35940
35941 /* reset the rts and dtr */
35942 /* do the actual close */
35943 - serial->open_count--;
35944 + local_dec(&serial->open_count);
35945
35946 - if (serial->open_count <= 0) {
35947 - serial->open_count = 0;
35948 + if (local_read(&serial->open_count) <= 0) {
35949 + local_set(&serial->open_count, 0);
35950 spin_lock_irq(&serial->serial_lock);
35951 if (serial->tty == tty) {
35952 serial->tty->driver_data = NULL;
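Review bot: In hso_serial_close the decrement, the `local_read()` test and the `local_set(..., 0)` clamp are three separate operations, so converting the counter to `local_t` does not make the close path atomic as a whole. The first two can be folded the way the open path already does with `local_inc_return()`: `if (local_dec_return(&serial->open_count) <= 0) {`. local_t is also intended for per-CPU counters and its operations are only guaranteed atomic on the CPU that runs them, while `open_count` is read in the URB callbacks and written in open/close. If those paths can run on different CPUs, `atomic_t` would be the safer type. The function body continues outside the hunk.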
35953 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
35954
35955 /* the actual setup */
35956 spin_lock_irqsave(&serial->serial_lock, flags);
35957 - if (serial->open_count)
35958 + if (local_read(&serial->open_count))
35959 _hso_serial_set_termios(tty, old);
35960 else
35961 tty->termios = old;
35962 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
35963 D1("Pending read interrupt on port %d\n", i);
35964 spin_lock(&serial->serial_lock);
35965 if (serial->rx_state == RX_IDLE &&
35966 - serial->open_count > 0) {
35967 + local_read(&serial->open_count) > 0) {
35968 /* Setup and send a ctrl req read on
35969 * port i */
35970 if (!serial->rx_urb_filled[0]) {
35971 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35972 /* Start all serial ports */
35973 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35974 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35975 - if (dev2ser(serial_table[i])->open_count) {
35976 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35977 result =
35978 hso_start_serial_device(serial_table[i], GFP_NOIO);
35979 hso_kick_transmit(dev2ser(serial_table[i]));
35980 diff -urNp linux-2.6.39.3/drivers/net/usb/ipheth.c linux-2.6.39.3/drivers/net/usb/ipheth.c
35981 --- linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-19 00:06:34.000000000 -0400
35982 +++ linux-2.6.39.3/drivers/net/usb/ipheth.c 2011-05-22 19:36:31.000000000 -0400
35983 @@ -421,7 +421,7 @@ static u32 ipheth_ethtool_op_get_link(st
35984 return netif_carrier_ok(dev->net);
35985 }
35986
35987 -static struct ethtool_ops ops = {
35988 +static const struct ethtool_ops ops = {
35989 .get_link = ipheth_ethtool_op_get_link
35990 };
35991
35992 diff -urNp linux-2.6.39.3/drivers/net/usb/sierra_net.c linux-2.6.39.3/drivers/net/usb/sierra_net.c
35993 --- linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-19 00:06:34.000000000 -0400
35994 +++ linux-2.6.39.3/drivers/net/usb/sierra_net.c 2011-05-22 19:36:31.000000000 -0400
35995 @@ -618,7 +618,7 @@ static u32 sierra_net_get_link(struct ne
35996 return sierra_net_get_private(dev)->link_up && netif_running(net);
35997 }
35998
35999 -static struct ethtool_ops sierra_net_ethtool_ops = {
36000 +static const struct ethtool_ops sierra_net_ethtool_ops = {
36001 .get_drvinfo = sierra_net_get_drvinfo,
36002 .get_link = sierra_net_get_link,
36003 .get_msglevel = usbnet_get_msglevel,
36004 diff -urNp linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c
36005 --- linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-19 00:06:34.000000000 -0400
36006 +++ linux-2.6.39.3/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-05-22 19:36:31.000000000 -0400
36007 @@ -631,8 +631,7 @@ vmxnet3_set_rss_indir(struct net_device
36008 * Return with error code if any of the queue indices
36009 * is out of range
36010 */
36011 - if (p->ring_index[i] < 0 ||
36012 - p->ring_index[i] >= adapter->num_rx_queues)
36013 + if (p->ring_index[i] >= adapter->num_rx_queues)
36014 return -EINVAL;
36015 }
36016
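Review bot: Dropping the `p->ring_index[i] < 0` test is only safe if `ring_index` has an unsigned element type, which this hunk does not show. If the elements are unsigned, the removed comparison was always false and the remaining `>= adapter->num_rx_queues` test rejects every out-of-range index. If they were ever signed, a negative index might now pass validation. Extending the comment above the check with `ring_index[] is unsigned, so no lower-bound test is needed` would record that assumption. vmxnet3_set_rss_indir continues outside the hunk.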
36017 diff -urNp linux-2.6.39.3/drivers/net/vxge/vxge-main.c linux-2.6.39.3/drivers/net/vxge/vxge-main.c
36018 --- linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-19 00:06:34.000000000 -0400
36019 +++ linux-2.6.39.3/drivers/net/vxge/vxge-main.c 2011-05-22 19:36:31.000000000 -0400
36020 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
36021 struct sk_buff *completed[NR_SKB_COMPLETED];
36022 int more;
36023
36024 + pax_track_stack();
36025 +
36026 do {
36027 more = 0;
36028 skb_ptr = completed;
36029 @@ -1927,6 +1929,8 @@ static enum vxge_hw_status vxge_rth_conf
36030 u8 mtable[256] = {0}; /* CPU to vpath mapping */
36031 int index;
36032
36033 + pax_track_stack();
36034 +
36035 /*
36036 * Filling
36037 * - itable with bucket numbers
36038 diff -urNp linux-2.6.39.3/drivers/net/wan/cycx_x25.c linux-2.6.39.3/drivers/net/wan/cycx_x25.c
36039 --- linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-19 00:06:34.000000000 -0400
36040 +++ linux-2.6.39.3/drivers/net/wan/cycx_x25.c 2011-05-22 19:36:31.000000000 -0400
36041 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
36042 unsigned char hex[1024],
36043 * phex = hex;
36044
36045 + pax_track_stack();
36046 +
36047 if (len >= (sizeof(hex) / 2))
36048 len = (sizeof(hex) / 2) - 1;
36049
36050 diff -urNp linux-2.6.39.3/drivers/net/wan/lapbether.c linux-2.6.39.3/drivers/net/wan/lapbether.c
36051 --- linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-19 00:06:34.000000000 -0400
36052 +++ linux-2.6.39.3/drivers/net/wan/lapbether.c 2011-05-22 19:36:31.000000000 -0400
36053 @@ -259,7 +259,7 @@ static int lapbeth_set_mac_address(struc
36054 }
36055
36056
36057 -static struct lapb_register_struct lapbeth_callbacks = {
36058 +static const struct lapb_register_struct lapbeth_callbacks = {
36059 .connect_confirmation = lapbeth_connected,
36060 .connect_indication = lapbeth_connected,
36061 .disconnect_confirmation = lapbeth_disconnected,
36062 diff -urNp linux-2.6.39.3/drivers/net/wan/x25_asy.c linux-2.6.39.3/drivers/net/wan/x25_asy.c
36063 --- linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-19 00:06:34.000000000 -0400
36064 +++ linux-2.6.39.3/drivers/net/wan/x25_asy.c 2011-05-22 19:36:31.000000000 -0400
36065 @@ -434,7 +434,7 @@ static void x25_asy_disconnected(struct
36066 netif_rx(skb);
36067 }
36068
36069 -static struct lapb_register_struct x25_asy_callbacks = {
36070 +static const struct lapb_register_struct x25_asy_callbacks = {
36071 .connect_confirmation = x25_asy_connected,
36072 .connect_indication = x25_asy_connected,
36073 .disconnect_confirmation = x25_asy_disconnected,
36074 diff -urNp linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c
36075 --- linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-19 00:06:34.000000000 -0400
36076 +++ linux-2.6.39.3/drivers/net/wimax/i2400m/usb-fw.c 2011-05-22 19:36:31.000000000 -0400
36077 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
36078 int do_autopm = 1;
36079 DECLARE_COMPLETION_ONSTACK(notif_completion);
36080
36081 + pax_track_stack();
36082 +
36083 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
36084 i2400m, ack, ack_size);
36085 BUG_ON(_ack == i2400m->bm_ack_buf);
36086 diff -urNp linux-2.6.39.3/drivers/net/wireless/airo.c linux-2.6.39.3/drivers/net/wireless/airo.c
36087 --- linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-19 00:06:34.000000000 -0400
36088 +++ linux-2.6.39.3/drivers/net/wireless/airo.c 2011-05-22 19:36:31.000000000 -0400
36089 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
36090 BSSListElement * loop_net;
36091 BSSListElement * tmp_net;
36092
36093 + pax_track_stack();
36094 +
36095 /* Blow away current list of scan results */
36096 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
36097 list_move_tail (&loop_net->list, &ai->network_free_list);
36098 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
36099 WepKeyRid wkr;
36100 int rc;
36101
36102 + pax_track_stack();
36103 +
36104 memset( &mySsid, 0, sizeof( mySsid ) );
36105 kfree (ai->flash);
36106 ai->flash = NULL;
36107 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
36108 __le32 *vals = stats.vals;
36109 int len;
36110
36111 + pax_track_stack();
36112 +
36113 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36114 return -ENOMEM;
36115 data = file->private_data;
36116 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
36117 /* If doLoseSync is not 1, we won't do a Lose Sync */
36118 int doLoseSync = -1;
36119
36120 + pax_track_stack();
36121 +
36122 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
36123 return -ENOMEM;
36124 data = file->private_data;
36125 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
36126 int i;
36127 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
36128
36129 + pax_track_stack();
36130 +
36131 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
36132 if (!qual)
36133 return -ENOMEM;
36134 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
36135 CapabilityRid cap_rid;
36136 __le32 *vals = stats_rid.vals;
36137
36138 + pax_track_stack();
36139 +
36140 /* Get stats out of the card */
36141 clear_bit(JOB_WSTATS, &local->jobs);
36142 if (local->power.event) {
36143 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c
36144 --- linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-19 00:06:34.000000000 -0400
36145 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath5k/debug.c 2011-05-22 19:36:31.000000000 -0400
36146 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
36147 unsigned int v;
36148 u64 tsf;
36149
36150 + pax_track_stack();
36151 +
36152 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
36153 len += snprintf(buf+len, sizeof(buf)-len,
36154 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
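Review bot: The context lines of read_file_beacon build the output with `len += snprintf(buf+len, sizeof(buf)-len, ...)`; snprintf returns the length the text would have had, so after a truncation `len` can exceed `sizeof(buf)` and the next `sizeof(buf)-len` wraps around. The stack-tracking call this hunk adds does not change that. `len += scnprintf(buf+len, sizeof(buf)-len,` returns only what was actually written and keeps `len` inside the buffer; the iwl-debugfs.c hunks further down this patch already use it. The same accumulation is visible in the read_file_debug, read_file_antenna, read_file_misc, read_file_frameerrors, read_file_ani and read_file_queue hunks of this file, and in the ath9k debug.c and htc_drv_main.c hunks. The function ends outside the hunk, so whether `len` is clamped before the buffer is copied to user space cannot be seen here.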
36155 @@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
36156 unsigned int len = 0;
36157 unsigned int i;
36158
36159 + pax_track_stack();
36160 +
36161 len += snprintf(buf+len, sizeof(buf)-len,
36162 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
36163
36164 @@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
36165 unsigned int i;
36166 unsigned int v;
36167
36168 + pax_track_stack();
36169 +
36170 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
36171 sc->ah->ah_ant_mode);
36172 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
36173 @@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
36174 unsigned int len = 0;
36175 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
36176
36177 + pax_track_stack();
36178 +
36179 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
36180 sc->bssidmask);
36181 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
36182 @@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
36183 unsigned int len = 0;
36184 int i;
36185
36186 + pax_track_stack();
36187 +
36188 len += snprintf(buf+len, sizeof(buf)-len,
36189 "RX\n---------------------\n");
36190 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
36191 @@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
36192 char buf[700];
36193 unsigned int len = 0;
36194
36195 + pax_track_stack();
36196 +
36197 len += snprintf(buf+len, sizeof(buf)-len,
36198 "HW has PHY error counters:\t%s\n",
36199 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
36200 @@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
36201 struct ath5k_buf *bf, *bf0;
36202 int i, n;
36203
36204 + pax_track_stack();
36205 +
36206 len += snprintf(buf+len, sizeof(buf)-len,
36207 "available txbuffers: %d\n", sc->txbuf_len);
36208
36209 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c
36210 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-19 00:06:34.000000000 -0400
36211 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-22 19:36:31.000000000 -0400
36212 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
36213 s32 i, j, ip, im, nmeasurement;
36214 u8 nchains = get_streams(common->tx_chainmask);
36215
36216 + pax_track_stack();
36217 +
36218 for (ip = 0; ip < MPASS; ip++) {
36219 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
36220 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
36221 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
36222 int i, ip, im, j;
36223 int nmeasurement;
36224
36225 + pax_track_stack();
36226 +
36227 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
36228 if (ah->txchainmask & (1 << i))
36229 num_chains++;
36230 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
36231 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-19 00:06:34.000000000 -0400
36232 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-22 19:36:31.000000000 -0400
36233 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
36234 int theta_low_bin = 0;
36235 int i;
36236
36237 + pax_track_stack();
36238 +
36239 /* disregard any bin that contains <= 16 samples */
36240 thresh_accum_cnt = 16;
36241 scale_factor = 5;
36242 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c
36243 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-19 00:06:34.000000000 -0400
36244 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/debug.c 2011-05-22 19:36:31.000000000 -0400
36245 @@ -335,6 +335,8 @@ static ssize_t read_file_interrupt(struc
36246 char buf[512];
36247 unsigned int len = 0;
36248
36249 + pax_track_stack();
36250 +
36251 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
36252 len += snprintf(buf + len, sizeof(buf) - len,
36253 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
36254 @@ -422,6 +424,8 @@ static ssize_t read_file_wiphy(struct fi
36255 u8 addr[ETH_ALEN];
36256 u32 tmp;
36257
36258 + pax_track_stack();
36259 +
36260 len += snprintf(buf + len, sizeof(buf) - len,
36261 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
36262 wiphy_name(sc->hw->wiphy),
36263 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c
36264 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-19 00:06:34.000000000 -0400
36265 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-22 19:36:31.000000000 -0400
36266 @@ -737,6 +737,8 @@ static ssize_t read_file_tgt_stats(struc
36267 unsigned int len = 0;
36268 int ret = 0;
36269
36270 + pax_track_stack();
36271 +
36272 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
36273
36274 WMI_CMD(WMI_TGT_STATS_CMDID);
36275 @@ -782,6 +784,8 @@ static ssize_t read_file_xmit(struct fil
36276 char buf[512];
36277 unsigned int len = 0;
36278
36279 + pax_track_stack();
36280 +
36281 len += snprintf(buf + len, sizeof(buf) - len,
36282 "%20s : %10u\n", "Buffers queued",
36283 priv->debug.tx_stats.buf_queued);
36284 @@ -831,6 +835,8 @@ static ssize_t read_file_recv(struct fil
36285 char buf[512];
36286 unsigned int len = 0;
36287
36288 + pax_track_stack();
36289 +
36290 len += snprintf(buf + len, sizeof(buf) - len,
36291 "%20s : %10u\n", "SKBs allocated",
36292 priv->debug.rx_stats.skb_allocated);
36293 @@ -1816,7 +1822,7 @@ static void ath9k_htc_set_coverage_class
36294 mutex_unlock(&priv->mutex);
36295 }
36296
36297 -struct ieee80211_ops ath9k_htc_ops = {
36298 +const struct ieee80211_ops ath9k_htc_ops = {
36299 .tx = ath9k_htc_tx,
36300 .start = ath9k_htc_start,
36301 .stop = ath9k_htc_stop,
36302 diff -urNp linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h
36303 --- linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-19 00:06:34.000000000 -0400
36304 +++ linux-2.6.39.3/drivers/net/wireless/ath/ath9k/htc.h 2011-05-22 19:36:31.000000000 -0400
36305 @@ -42,7 +42,7 @@
36306 #define TSF_TO_TU(_h, _l) \
36307 ((((u32)(_h)) << 22) | (((u32)(_l)) >> 10))
36308
36309 -extern struct ieee80211_ops ath9k_htc_ops;
36310 +extern const struct ieee80211_ops ath9k_htc_ops;
36311 extern int htc_modparam_nohwcrypt;
36312
36313 enum htc_phymode {
36314 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c
36315 --- linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36316 +++ linux-2.6.39.3/drivers/net/wireless/b43/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36317 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
36318 struct b43_debugfs_fops {
36319 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
36320 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
36321 - struct file_operations fops;
36322 + const struct file_operations fops;
36323 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
36324 size_t file_struct_offset;
36325 };
36326 diff -urNp linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c
36327 --- linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36328 +++ linux-2.6.39.3/drivers/net/wireless/b43legacy/debugfs.c 2011-05-22 19:36:31.000000000 -0400
36329 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
36330 struct b43legacy_debugfs_fops {
36331 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
36332 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
36333 - struct file_operations fops;
36334 + const struct file_operations fops;
36335 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
36336 size_t file_struct_offset;
36337 /* Take wl->irq_lock before calling read/write? */
36338 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c
36339 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-19 00:06:34.000000000 -0400
36340 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-22 19:36:31.000000000 -0400
36341 @@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
36342 int err;
36343 DECLARE_SSID_BUF(ssid);
36344
36345 + pax_track_stack();
36346 +
36347 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
36348
36349 if (ssid_len)
36350 @@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
36351 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
36352 int err;
36353
36354 + pax_track_stack();
36355 +
36356 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
36357 idx, keylen, len);
36358
36359 diff -urNp linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c
36360 --- linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-19 00:06:34.000000000 -0400
36361 +++ linux-2.6.39.3/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-22 19:36:31.000000000 -0400
36362 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
36363 unsigned long flags;
36364 DECLARE_SSID_BUF(ssid);
36365
36366 + pax_track_stack();
36367 +
36368 LIBIPW_DEBUG_SCAN("'%s' (%pM"
36369 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
36370 print_ssid(ssid, info_element->data, info_element->len),
36371 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c
36372 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-19 00:06:34.000000000 -0400
36373 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-3945.c 2011-05-22 19:36:31.000000000 -0400
36374 @@ -2630,7 +2630,7 @@ static int iwl3945_load_bsm(struct iwl_p
36375 return 0;
36376 }
36377
36378 -static struct iwl_hcmd_ops iwl3945_hcmd = {
36379 +static const struct iwl_hcmd_ops iwl3945_hcmd = {
36380 .rxon_assoc = iwl3945_send_rxon_assoc,
36381 .commit_rxon = iwl3945_commit_rxon,
36382 };
36383 @@ -2675,7 +2675,7 @@ static const struct iwl_legacy_ops iwl39
36384 .manage_ibss_station = iwl3945_manage_ibss_station,
36385 };
36386
36387 -static struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36388 +static const struct iwl_hcmd_utils_ops iwl3945_hcmd_utils = {
36389 .get_hcmd_size = iwl3945_get_hcmd_size,
36390 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
36391 .request_scan = iwl3945_request_scan,
36392 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c
36393 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 12:55:22.000000000 -0400
36394 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.c 2011-06-25 13:00:26.000000000 -0400
36395 @@ -1902,7 +1902,7 @@ static void iwl4965_rx_handler_setup(str
36396 priv->rx_handlers[BEACON_NOTIFICATION] = iwl4965_rx_beacon_notif;
36397 }
36398
36399 -static struct iwl_hcmd_ops iwl4965_hcmd = {
36400 +static const struct iwl_hcmd_ops iwl4965_hcmd = {
36401 .rxon_assoc = iwl4965_send_rxon_assoc,
36402 .commit_rxon = iwl4965_commit_rxon,
36403 .set_rxon_chain = iwl4965_set_rxon_chain,
36404 @@ -2054,7 +2054,7 @@ static void iwl4965_config_ap(struct iwl
36405 iwl4965_send_beacon_cmd(priv);
36406 }
36407
36408 -static struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36409 +static const struct iwl_hcmd_utils_ops iwl4965_hcmd_utils = {
36410 .get_hcmd_size = iwl4965_get_hcmd_size,
36411 .build_addsta_hcmd = iwl4965_build_addsta_hcmd,
36412 .request_scan = iwl4965_request_scan,
36413 @@ -2112,7 +2112,7 @@ static const struct iwl_legacy_ops iwl49
36414 .update_bcast_stations = iwl4965_update_bcast_stations,
36415 };
36416
36417 -struct ieee80211_ops iwl4965_hw_ops = {
36418 +const struct ieee80211_ops iwl4965_hw_ops = {
36419 .tx = iwl4965_mac_tx,
36420 .start = iwl4965_mac_start,
36421 .stop = iwl4965_mac_stop,
36422 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h
36423 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-19 00:06:34.000000000 -0400
36424 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-4965.h 2011-05-22 19:36:32.000000000 -0400
36425 @@ -70,7 +70,7 @@ extern struct iwl_cfg iwl4965_cfg;
36426
36427 extern struct iwl_mod_params iwl4965_mod_params;
36428
36429 -extern struct ieee80211_ops iwl4965_hw_ops;
36430 +extern const struct ieee80211_ops iwl4965_hw_ops;
36431
36432 /* tx queue */
36433 void iwl4965_free_tfds_in_queue(struct iwl_priv *priv,
36434 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h
36435 --- linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36436 +++ linux-2.6.39.3/drivers/net/wireless/iwlegacy/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36437 @@ -150,7 +150,7 @@ struct iwl_lib_ops {
36438 int (*set_channel_switch)(struct iwl_priv *priv,
36439 struct ieee80211_channel_switch *ch_switch);
36440 /* power management */
36441 - struct iwl_apm_ops apm_ops;
36442 + const struct iwl_apm_ops apm_ops;
36443
36444 /* power */
36445 int (*send_tx_power) (struct iwl_priv *priv);
36446 @@ -160,12 +160,12 @@ struct iwl_lib_ops {
36447 struct iwl_eeprom_ops eeprom_ops;
36448
36449 /* temperature */
36450 - struct iwl_temp_ops temp_ops;
36451 + const struct iwl_temp_ops temp_ops;
36452 /* check for plcp health */
36453 bool (*check_plcp_health)(struct iwl_priv *priv,
36454 struct iwl_rx_packet *pkt);
36455
36456 - struct iwl_debugfs_ops debugfs_ops;
36457 + const struct iwl_debugfs_ops debugfs_ops;
36458
36459 };
36460
36461 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c
36462 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 12:55:22.000000000 -0400
36463 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-06-25 13:00:26.000000000 -0400
36464 @@ -420,11 +420,11 @@ static struct iwl_lib_ops iwl6030_lib =
36465 }
36466 };
36467
36468 -static struct iwl_nic_ops iwl6050_nic_ops = {
36469 +static const struct iwl_nic_ops iwl6050_nic_ops = {
36470 .additional_nic_config = &iwl6050_additional_nic_config,
36471 };
36472
36473 -static struct iwl_nic_ops iwl6150_nic_ops = {
36474 +static const struct iwl_nic_ops iwl6150_nic_ops = {
36475 .additional_nic_config = &iwl6150_additional_nic_config,
36476 };
36477
36478 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h
36479 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-19 00:06:34.000000000 -0400
36480 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn.h 2011-05-22 19:36:32.000000000 -0400
36481 @@ -109,9 +109,9 @@ extern struct iwl_cfg iwl230_bg_cfg;
36482 extern struct iwl_cfg iwl230_bgn_cfg;
36483
36484 extern struct iwl_mod_params iwlagn_mod_params;
36485 -extern struct iwl_hcmd_ops iwlagn_hcmd;
36486 -extern struct iwl_hcmd_ops iwlagn_bt_hcmd;
36487 -extern struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36488 +extern const struct iwl_hcmd_ops iwlagn_hcmd;
36489 +extern const struct iwl_hcmd_ops iwlagn_bt_hcmd;
36490 +extern const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils;
36491
36492 extern struct ieee80211_ops iwlagn_hw_ops;
36493 extern struct ieee80211_ops iwl4965_hw_ops;
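Review bot: The two `ieee80211_ops` externs left as context at the end of this hunk stay non-const while the three declarations above them are constified. For `iwl4965_hw_ops`, the iwlegacy hunks of this patch make both the definition and its own header declaration `const`, so this copy would conflict if any file ever saw both. `iwlagn_hw_ops` is not touched in the visible part of the patch. Suggested: `extern const struct ieee80211_ops iwlagn_hw_ops;` with a matching const definition, and either `extern const struct ieee80211_ops iwl4965_hw_ops;` or removal of that line if nothing in iwlwifi references it (not visible here).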
36494 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c
36495 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 12:55:22.000000000 -0400
36496 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-hcmd.c 2011-06-25 13:00:26.000000000 -0400
36497 @@ -355,7 +355,7 @@ static int iwlagn_set_pan_params(struct
36498 return ret;
36499 }
36500
36501 -struct iwl_hcmd_ops iwlagn_hcmd = {
36502 +const struct iwl_hcmd_ops iwlagn_hcmd = {
36503 .rxon_assoc = iwlagn_send_rxon_assoc,
36504 .commit_rxon = iwlagn_commit_rxon,
36505 .set_rxon_chain = iwlagn_set_rxon_chain,
36506 @@ -364,7 +364,7 @@ struct iwl_hcmd_ops iwlagn_hcmd = {
36507 .set_pan_params = iwlagn_set_pan_params,
36508 };
36509
36510 -struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36511 +const struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36512 .rxon_assoc = iwlagn_send_rxon_assoc,
36513 .commit_rxon = iwlagn_commit_rxon,
36514 .set_rxon_chain = iwlagn_set_rxon_chain,
36515 @@ -373,7 +373,7 @@ struct iwl_hcmd_ops iwlagn_bt_hcmd = {
36516 .set_pan_params = iwlagn_set_pan_params,
36517 };
36518
36519 -struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36520 +const struct iwl_hcmd_utils_ops iwlagn_hcmd_utils = {
36521 .get_hcmd_size = iwlagn_get_hcmd_size,
36522 .build_addsta_hcmd = iwlagn_build_addsta_hcmd,
36523 .gain_computation = iwlagn_gain_computation,
36524 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36525 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-19 00:06:34.000000000 -0400
36526 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-22 19:36:32.000000000 -0400
36527 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
36528 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
36529 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
36530
36531 + pax_track_stack();
36532 +
36533 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36534
36535 /* Treat uninitialized rate scaling data same as non-existing. */
36536 @@ -2894,6 +2896,8 @@ static void rs_fill_link_cmd(struct iwl_
36537 container_of(lq_sta, struct iwl_station_priv, lq_sta);
36538 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36539
36540 + pax_track_stack();
36541 +
36542 /* Override starting rate (index 0) if needed for debug purposes */
36543 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36544
36545 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h
36546 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 12:55:22.000000000 -0400
36547 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-core.h 2011-06-25 13:00:26.000000000 -0400
36548 @@ -198,28 +198,25 @@ struct iwl_lib_ops {
36549 int (*set_channel_switch)(struct iwl_priv *priv,
36550 struct ieee80211_channel_switch *ch_switch);
36551 /* power management */
36552 - struct iwl_apm_ops apm_ops;
36553 + const struct iwl_apm_ops apm_ops;
36554
36555 /* power */
36556 int (*send_tx_power) (struct iwl_priv *priv);
36557 void (*update_chain_flags)(struct iwl_priv *priv);
36558
36559 /* isr */
36560 - struct iwl_isr_ops isr_ops;
36561 + const struct iwl_isr_ops isr_ops;
36562
36563 /* eeprom operations (as defined in iwl-eeprom.h) */
36564 struct iwl_eeprom_ops eeprom_ops;
36565
36566 /* temperature */
36567 - struct iwl_temp_ops temp_ops;
36568 + const struct iwl_temp_ops temp_ops;
36569
36570 int (*txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36571 void (*dev_txfifo_flush)(struct iwl_priv *priv, u16 flush_control);
36572
36573 - struct iwl_debugfs_ops debugfs_ops;
36574 -
36575 - /* thermal throttling */
36576 - struct iwl_tt_ops tt_ops;
36577 + const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;
36578 };
36579
36580 struct iwl_led_ops {
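Review bot: The last added line of struct iwl_lib_ops puts two members on one physical line, `const struct iwl_debugfs_ops debugfs_ops;const struct iwl_tt_ops tt_ops;`, and drops the `/* thermal throttling */` comment that labelled `tt_ops`. One member per line keeps the comment and keeps later diffs of this struct readable: `const struct iwl_debugfs_ops debugfs_ops;`, then `/* thermal throttling */`, then `const struct iwl_tt_ops tt_ops;`. `eeprom_ops` is the one embedded ops struct left non-const in this hunk; if that is because it is written at run time, a comment saying so would help (its writers are not visible here).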
36581 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36582 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-19 00:06:34.000000000 -0400
36583 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-22 19:36:32.000000000 -0400
36584 @@ -549,6 +549,8 @@ static ssize_t iwl_dbgfs_status_read(str
36585 int pos = 0;
36586 const size_t bufsz = sizeof(buf);
36587
36588 + pax_track_stack();
36589 +
36590 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36591 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36592 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
36593 @@ -681,6 +683,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36594 char buf[256 * NUM_IWL_RXON_CTX];
36595 const size_t bufsz = sizeof(buf);
36596
36597 + pax_track_stack();
36598 +
36599 for_each_context(priv, ctx) {
36600 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
36601 ctx->ctxid);
36602 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h
36603 --- linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-19 00:06:34.000000000 -0400
36604 +++ linux-2.6.39.3/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-05-22 19:36:32.000000000 -0400
36605 @@ -68,8 +68,8 @@ do {
36606 } while (0)
36607
36608 #else
36609 -#define IWL_DEBUG(__priv, level, fmt, args...)
36610 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36611 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36612 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36613 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36614 const void *p, u32 len)
36615 {}
36616 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c
36617 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
36618 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
36619 @@ -763,7 +763,7 @@ static int iwm_cfg80211_flush_pmksa(stru
36620 }
36621
36622
36623 -static struct cfg80211_ops iwm_cfg80211_ops = {
36624 +static const struct cfg80211_ops iwm_cfg80211_ops = {
36625 .change_virtual_intf = iwm_cfg80211_change_iface,
36626 .add_key = iwm_cfg80211_add_key,
36627 .get_key = iwm_cfg80211_get_key,
36628 diff -urNp linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c
36629 --- linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36630 +++ linux-2.6.39.3/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36631 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36632 int buf_len = 512;
36633 size_t len = 0;
36634
36635 + pax_track_stack();
36636 +
36637 if (*ppos != 0)
36638 return 0;
36639 if (count < sizeof(buf))
36640 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c
36641 --- linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-19 00:06:34.000000000 -0400
36642 +++ linux-2.6.39.3/drivers/net/wireless/libertas/cfg.c 2011-05-22 19:36:32.000000000 -0400
36643 @@ -2003,7 +2003,7 @@ static int lbs_leave_ibss(struct wiphy *
36644 * Initialization
36645 */
36646
36647 -static struct cfg80211_ops lbs_cfg80211_ops = {
36648 +static const struct cfg80211_ops lbs_cfg80211_ops = {
36649 .set_channel = lbs_cfg_set_channel,
36650 .scan = lbs_cfg_scan,
36651 .connect = lbs_cfg_connect,
36652 diff -urNp linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c
36653 --- linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-19 00:06:34.000000000 -0400
36654 +++ linux-2.6.39.3/drivers/net/wireless/libertas/debugfs.c 2011-05-22 19:36:32.000000000 -0400
36655 @@ -702,7 +702,7 @@ out_unlock:
36656 struct lbs_debugfs_files {
36657 const char *name;
36658 int perm;
36659 - struct file_operations fops;
36660 + const struct file_operations fops;
36661 };
36662
36663 static const struct lbs_debugfs_files debugfs_files[] = {
36664 diff -urNp linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c
36665 --- linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-19 00:06:34.000000000 -0400
36666 +++ linux-2.6.39.3/drivers/net/wireless/rndis_wlan.c 2011-05-22 19:36:32.000000000 -0400
36667 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
36668
36669 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
36670
36671 - if (rts_threshold < 0 || rts_threshold > 2347)
36672 + if (rts_threshold > 2347)
36673 rts_threshold = 2347;
36674
36675 tmp = cpu_to_le32(rts_threshold);
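Review bot: Dropping `rts_threshold < 0` from the clamp is only safe if `rts_threshold` is an unsigned type, and its declaration sits in the truncated signature outside this hunk. If it is unsigned, the removed test was always false and the change merely silences a compiler warning. If it is signed, negative values now bypass the clamp and reach `cpu_to_le32()` as large unsigned numbers. A comment on the remaining test, e.g. `/* rts_threshold is unsigned, so only the upper bound needs checking */`, would record the assumption.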
36676 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c
36677 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-19 00:06:34.000000000 -0400
36678 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.c 2011-05-22 19:36:32.000000000 -0400
36679 @@ -1869,7 +1869,7 @@ int rtl_pci_resume(struct pci_dev *pdev)
36680 }
36681 EXPORT_SYMBOL(rtl_pci_resume);
36682
36683 -struct rtl_intf_ops rtl_pci_ops = {
36684 +const struct rtl_intf_ops rtl_pci_ops = {
36685 .adapter_start = rtl_pci_start,
36686 .adapter_stop = rtl_pci_stop,
36687 .adapter_tx = rtl_pci_tx,
36688 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h
36689 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-19 00:06:34.000000000 -0400
36690 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/pci.h 2011-05-22 19:36:32.000000000 -0400
36691 @@ -234,7 +234,7 @@ struct rtl_pci_priv {
36692
36693 int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw);
36694
36695 -extern struct rtl_intf_ops rtl_pci_ops;
36696 +extern const struct rtl_intf_ops rtl_pci_ops;
36697
36698 int __devinit rtl_pci_probe(struct pci_dev *pdev,
36699 const struct pci_device_id *id);
36700 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
36701 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-19 00:06:34.000000000 -0400
36702 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-05-22 19:36:32.000000000 -0400
36703 @@ -827,6 +827,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
36704 u8 rfpath;
36705 u8 num_total_rfpath = rtlphy->num_total_rfpath;
36706
36707 + pax_track_stack();
36708 +
36709 precommoncmdcnt = 0;
36710 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
36711 MAX_PRECMD_CNT,
36712 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
36713 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-19 00:06:34.000000000 -0400
36714 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c 2011-05-22 19:36:32.000000000 -0400
36715 @@ -96,7 +96,7 @@ void rtl92c_deinit_sw_vars(struct ieee80
36716 }
36717 }
36718
36719 -static struct rtl_hal_ops rtl8192ce_hal_ops = {
36720 +static const struct rtl_hal_ops rtl8192ce_hal_ops = {
36721 .init_sw_vars = rtl92c_init_sw_vars,
36722 .deinit_sw_vars = rtl92c_deinit_sw_vars,
36723 .read_eeprom_info = rtl92ce_read_eeprom_info,
36724 @@ -151,7 +151,7 @@ static struct rtl_mod_params rtl92ce_mod
36725 .sw_crypto = 0,
36726 };
36727
36728 -static struct rtl_hal_cfg rtl92ce_hal_cfg = {
36729 +static const struct rtl_hal_cfg rtl92ce_hal_cfg = {
36730 .name = "rtl92c_pci",
36731 .fw_name = "rtlwifi/rtl8192cfw.bin",
36732 .ops = &rtl8192ce_hal_ops,
36733 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
36734 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-19 00:06:34.000000000 -0400
36735 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c 2011-05-22 19:36:32.000000000 -0400
36736 @@ -77,7 +77,7 @@ static void rtl92cu_deinit_sw_vars(struc
36737 }
36738 }
36739
36740 -static struct rtl_hal_ops rtl8192cu_hal_ops = {
36741 +static const struct rtl_hal_ops rtl8192cu_hal_ops = {
36742 .init_sw_vars = rtl92cu_init_sw_vars,
36743 .deinit_sw_vars = rtl92cu_deinit_sw_vars,
36744 .read_chip_version = rtl92c_read_chip_version,
36745 @@ -147,7 +147,7 @@ static struct rtl_hal_usbint_cfg rtl92cu
36746 .usb_mq_to_hwq = rtl8192cu_mq_to_hwq,
36747 };
36748
36749 -static struct rtl_hal_cfg rtl92cu_hal_cfg = {
36750 +static const struct rtl_hal_cfg rtl92cu_hal_cfg = {
36751 .name = "rtl92c_usb",
36752 .fw_name = "rtlwifi/rtl8192cufw.bin",
36753 .ops = &rtl8192cu_hal_ops,
36754 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c
36755 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-19 00:06:34.000000000 -0400
36756 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/usb.c 2011-05-22 19:36:32.000000000 -0400
36757 @@ -913,7 +913,7 @@ static bool rtl_usb_tx_chk_waitq_insert(
36758 return false;
36759 }
36760
36761 -static struct rtl_intf_ops rtl_usb_ops = {
36762 +static const struct rtl_intf_ops rtl_usb_ops = {
36763 .adapter_start = rtl_usb_start,
36764 .adapter_stop = rtl_usb_stop,
36765 .adapter_tx = rtl_usb_tx,
36766 diff -urNp linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h
36767 --- linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-19 00:06:34.000000000 -0400
36768 +++ linux-2.6.39.3/drivers/net/wireless/rtlwifi/wifi.h 2011-05-22 19:36:32.000000000 -0400
36769 @@ -1447,7 +1447,7 @@ struct rtl_hal_cfg {
36770 u8 bar_id;
36771 char *name;
36772 char *fw_name;
36773 - struct rtl_hal_ops *ops;
36774 + const struct rtl_hal_ops *ops;
36775 struct rtl_mod_params *mod_params;
36776 struct rtl_hal_usbint_cfg *usb_interface_cfg;
36777
36778 @@ -1533,7 +1533,7 @@ struct rtl_priv {
36779 *intf_ops : for diff interrface usb/pcie
36780 */
36781 struct rtl_hal_cfg *cfg;
36782 - struct rtl_intf_ops *intf_ops;
36783 + const struct rtl_intf_ops *intf_ops;
36784
36785 /*this var will be set by set_bit,
36786 and was used to indicate status of
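Review bot: `struct rtl_hal_cfg *cfg;` in struct rtl_priv stays a pointer to non-const, while this patch makes the objects it presumably points at, `rtl92ce_hal_cfg` and `rtl92cu_hal_cfg`, `const` in the sw.c hunks. A write through `cfg` would then compile cleanly yet target a read-only object at run time. Declaring it `const struct rtl_hal_cfg *cfg;`, as this hunk already does for `intf_ops`, lets the compiler reject such writes. How `cfg` is assigned is outside this hunk, so this should be checked against the probe code.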
36787 diff -urNp linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c
36788 --- linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-19 00:06:34.000000000 -0400
36789 +++ linux-2.6.39.3/drivers/net/wireless/wl12xx/spi.c 2011-05-22 19:36:32.000000000 -0400
36790 @@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
36791 u32 chunk_len;
36792 int i;
36793
36794 + pax_track_stack();
36795 +
36796 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
36797
36798 spi_message_init(&m);
36799 diff -urNp linux-2.6.39.3/drivers/net/xen-netback/interface.c linux-2.6.39.3/drivers/net/xen-netback/interface.c
36800 --- linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-19 00:06:34.000000000 -0400
36801 +++ linux-2.6.39.3/drivers/net/xen-netback/interface.c 2011-05-22 19:36:32.000000000 -0400
36802 @@ -273,7 +273,7 @@ static void xenvif_get_strings(struct ne
36803 }
36804 }
36805
36806 -static struct ethtool_ops xenvif_ethtool_ops = {
36807 +static const struct ethtool_ops xenvif_ethtool_ops = {
36808 .get_tx_csum = ethtool_op_get_tx_csum,
36809 .set_tx_csum = xenvif_set_tx_csum,
36810 .get_sg = ethtool_op_get_sg,
36811 diff -urNp linux-2.6.39.3/drivers/net/xilinx_emaclite.c linux-2.6.39.3/drivers/net/xilinx_emaclite.c
36812 --- linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-19 00:06:34.000000000 -0400
36813 +++ linux-2.6.39.3/drivers/net/xilinx_emaclite.c 2011-05-22 19:36:32.000000000 -0400
36814 @@ -1085,7 +1085,7 @@ static bool get_bool(struct platform_dev
36815 }
36816 }
36817
36818 -static struct net_device_ops xemaclite_netdev_ops;
36819 +static const struct net_device_ops xemaclite_netdev_ops;
36820
36821 /**
36822 * xemaclite_of_probe - Probe method for the Emaclite device.
36823 @@ -1264,7 +1264,7 @@ xemaclite_poll_controller(struct net_dev
36824 }
36825 #endif
36826
36827 -static struct net_device_ops xemaclite_netdev_ops = {
36828 +static const struct net_device_ops xemaclite_netdev_ops = {
36829 .ndo_open = xemaclite_open,
36830 .ndo_stop = xemaclite_close,
36831 .ndo_start_xmit = xemaclite_send,
36832 diff -urNp linux-2.6.39.3/drivers/nfc/pn544.c linux-2.6.39.3/drivers/nfc/pn544.c
36833 --- linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-19 00:06:34.000000000 -0400
36834 +++ linux-2.6.39.3/drivers/nfc/pn544.c 2011-05-22 19:36:32.000000000 -0400
36835 @@ -89,7 +89,7 @@ static ssize_t pn544_test(struct device
36836
36837 static int pn544_enable(struct pn544_info *info, int mode)
36838 {
36839 - struct pn544_nfc_platform_data *pdata;
36840 + const struct pn544_nfc_platform_data *pdata;
36841 struct i2c_client *client = info->i2c_dev;
36842
36843 int r;
36844 @@ -118,7 +118,7 @@ static int pn544_enable(struct pn544_inf
36845
36846 static void pn544_disable(struct pn544_info *info)
36847 {
36848 - struct pn544_nfc_platform_data *pdata;
36849 + const struct pn544_nfc_platform_data *pdata;
36850 struct i2c_client *client = info->i2c_dev;
36851
36852 pdata = client->dev.platform_data;
36853 @@ -509,7 +509,7 @@ static long pn544_ioctl(struct file *fil
36854 struct pn544_info *info = container_of(file->private_data,
36855 struct pn544_info, miscdev);
36856 struct i2c_client *client = info->i2c_dev;
36857 - struct pn544_nfc_platform_data *pdata;
36858 + const struct pn544_nfc_platform_data *pdata;
36859 unsigned int val;
36860 int r = 0;
36861
36862 @@ -715,7 +715,7 @@ static int __devinit pn544_probe(struct
36863 const struct i2c_device_id *id)
36864 {
36865 struct pn544_info *info;
36866 - struct pn544_nfc_platform_data *pdata;
36867 + const struct pn544_nfc_platform_data *pdata;
36868 int r = 0;
36869
36870 dev_dbg(&client->dev, "%s\n", __func__);
36871 diff -urNp linux-2.6.39.3/drivers/of/pdt.c linux-2.6.39.3/drivers/of/pdt.c
36872 --- linux-2.6.39.3/drivers/of/pdt.c 2011-05-19 00:06:34.000000000 -0400
36873 +++ linux-2.6.39.3/drivers/of/pdt.c 2011-05-22 19:36:32.000000000 -0400
36874 @@ -24,7 +24,7 @@
36875 #include <linux/of_pdt.h>
36876 #include <asm/prom.h>
36877
36878 -static struct of_pdt_ops *of_pdt_prom_ops __initdata;
36879 +static const struct of_pdt_ops *of_pdt_prom_ops;
36880
36881 void __initdata (*of_pdt_build_more)(struct device_node *dp,
36882 struct device_node ***nextp);
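Review bot: The rewritten declaration of `of_pdt_prom_ops` drops `__initdata` as well as adding `const`, and nothing in the hunk explains the second change. Only the pointee became const; the pointer variable is still ordinary writable data, so as far as this hunk shows it could stay in init memory like `of_pdt_build_more` on the next line: `static const struct of_pdt_ops *of_pdt_prom_ops __initdata;`. If the annotation was removed on purpose (for example because a non-init path reads the pointer, which is not visible here), a one-line comment saying so would stop it being restored later.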
36883 diff -urNp linux-2.6.39.3/drivers/oprofile/buffer_sync.c linux-2.6.39.3/drivers/oprofile/buffer_sync.c
36884 --- linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 12:55:22.000000000 -0400
36885 +++ linux-2.6.39.3/drivers/oprofile/buffer_sync.c 2011-06-25 13:00:26.000000000 -0400
36886 @@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
36887 if (cookie == NO_COOKIE)
36888 offset = pc;
36889 if (cookie == INVALID_COOKIE) {
36890 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36891 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36892 offset = pc;
36893 }
36894 if (cookie != last_cookie) {
36895 @@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
36896 /* add userspace sample */
36897
36898 if (!mm) {
36899 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36900 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36901 return 0;
36902 }
36903
36904 cookie = lookup_dcookie(mm, s->eip, &offset);
36905
36906 if (cookie == INVALID_COOKIE) {
36907 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36908 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36909 return 0;
36910 }
36911
36912 @@ -563,7 +563,7 @@ void sync_buffer(int cpu)
36913 /* ignore backtraces if failed to add a sample */
36914 if (state == sb_bt_start) {
36915 state = sb_bt_ignore;
36916 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36917 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36918 }
36919 }
36920 release_mm(mm);
36921 diff -urNp linux-2.6.39.3/drivers/oprofile/event_buffer.c linux-2.6.39.3/drivers/oprofile/event_buffer.c
36922 --- linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-19 00:06:34.000000000 -0400
36923 +++ linux-2.6.39.3/drivers/oprofile/event_buffer.c 2011-05-22 19:36:32.000000000 -0400
36924 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36925 }
36926
36927 if (buffer_pos == buffer_size) {
36928 - atomic_inc(&oprofile_stats.event_lost_overflow);
36929 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36930 return;
36931 }
36932
36933 diff -urNp linux-2.6.39.3/drivers/oprofile/oprof.c linux-2.6.39.3/drivers/oprofile/oprof.c
36934 --- linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-19 00:06:34.000000000 -0400
36935 +++ linux-2.6.39.3/drivers/oprofile/oprof.c 2011-05-22 19:36:32.000000000 -0400
36936 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36937 if (oprofile_ops.switch_events())
36938 return;
36939
36940 - atomic_inc(&oprofile_stats.multiplex_counter);
36941 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36942 start_switch_worker();
36943 }
36944
36945 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofilefs.c linux-2.6.39.3/drivers/oprofile/oprofilefs.c
36946 --- linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-19 00:06:34.000000000 -0400
36947 +++ linux-2.6.39.3/drivers/oprofile/oprofilefs.c 2011-05-22 19:36:32.000000000 -0400
36948 @@ -186,7 +186,7 @@ static const struct file_operations atom
36949
36950
36951 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36952 - char const *name, atomic_t *val)
36953 + char const *name, atomic_unchecked_t *val)
36954 {
36955 return __oprofilefs_create_file(sb, root, name,
36956 &atomic_ro_fops, 0444, val);
36957 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.c linux-2.6.39.3/drivers/oprofile/oprofile_stats.c
36958 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-19 00:06:34.000000000 -0400
36959 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.c 2011-05-22 19:36:32.000000000 -0400
36960 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36961 cpu_buf->sample_invalid_eip = 0;
36962 }
36963
36964 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36965 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36966 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36967 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36968 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36969 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36970 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36971 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36972 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36973 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36974 }
36975
36976
36977 diff -urNp linux-2.6.39.3/drivers/oprofile/oprofile_stats.h linux-2.6.39.3/drivers/oprofile/oprofile_stats.h
36978 --- linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-19 00:06:34.000000000 -0400
36979 +++ linux-2.6.39.3/drivers/oprofile/oprofile_stats.h 2011-05-22 19:36:32.000000000 -0400
36980 @@ -13,11 +13,11 @@
36981 #include <asm/atomic.h>
36982
36983 struct oprofile_stat_struct {
36984 - atomic_t sample_lost_no_mm;
36985 - atomic_t sample_lost_no_mapping;
36986 - atomic_t bt_lost_no_mapping;
36987 - atomic_t event_lost_overflow;
36988 - atomic_t multiplex_counter;
36989 + atomic_unchecked_t sample_lost_no_mm;
36990 + atomic_unchecked_t sample_lost_no_mapping;
36991 + atomic_unchecked_t bt_lost_no_mapping;
36992 + atomic_unchecked_t event_lost_overflow;
36993 + atomic_unchecked_t multiplex_counter;
36994 };
36995
36996 extern struct oprofile_stat_struct oprofile_stats;
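Review bot: Nothing in `struct oprofile_stat_struct` records why its five counters are now `atomic_unchecked_t`, the variant that opts out of overflow detection. Judging by the field names these are loss and event statistics rather than reference counts, so a comment above the struct would make the exemption reviewable: `/* statistics only, never used as reference counts: wrap-around is harmless */`. The matching `atomic_inc_unchecked()` and `atomic_set_unchecked()` conversions in buffer_sync.c, event_buffer.c, oprof.c and oprofile_stats.c depend on the same assumption. The reader behind `atomic_ro_fops` in oprofilefs.c is outside the visible hunks and should be confirmed to use the unchecked accessor as well.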
36997 diff -urNp linux-2.6.39.3/drivers/parisc/dino.c linux-2.6.39.3/drivers/parisc/dino.c
36998 --- linux-2.6.39.3/drivers/parisc/dino.c 2011-05-19 00:06:34.000000000 -0400
36999 +++ linux-2.6.39.3/drivers/parisc/dino.c 2011-05-22 19:36:32.000000000 -0400
37000 @@ -238,7 +238,7 @@ static int dino_cfg_write(struct pci_bus
37001 return 0;
37002 }
37003
37004 -static struct pci_ops dino_cfg_ops = {
37005 +static const struct pci_ops dino_cfg_ops = {
37006 .read = dino_cfg_read,
37007 .write = dino_cfg_write,
37008 };
37009 diff -urNp linux-2.6.39.3/drivers/parisc/lba_pci.c linux-2.6.39.3/drivers/parisc/lba_pci.c
37010 --- linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-19 00:06:34.000000000 -0400
37011 +++ linux-2.6.39.3/drivers/parisc/lba_pci.c 2011-05-22 19:36:32.000000000 -0400
37012 @@ -468,7 +468,7 @@ static int elroy_cfg_write(struct pci_bu
37013 }
37014
37015
37016 -static struct pci_ops elroy_cfg_ops = {
37017 +static const struct pci_ops elroy_cfg_ops = {
37018 .read = elroy_cfg_read,
37019 .write = elroy_cfg_write,
37020 };
37021 @@ -541,7 +541,7 @@ static int mercury_cfg_write(struct pci_
37022 return 0;
37023 }
37024
37025 -static struct pci_ops mercury_cfg_ops = {
37026 +static const struct pci_ops mercury_cfg_ops = {
37027 .read = mercury_cfg_read,
37028 .write = mercury_cfg_write,
37029 };
37030 @@ -1405,7 +1405,7 @@ lba_driver_probe(struct parisc_device *d
37031 {
37032 struct lba_device *lba_dev;
37033 struct pci_bus *lba_bus;
37034 - struct pci_ops *cfg_ops;
37035 + const struct pci_ops *cfg_ops;
37036 u32 func_class;
37037 void *tmp_obj;
37038 char *version;
37039 diff -urNp linux-2.6.39.3/drivers/parport/procfs.c linux-2.6.39.3/drivers/parport/procfs.c
37040 --- linux-2.6.39.3/drivers/parport/procfs.c 2011-05-19 00:06:34.000000000 -0400
37041 +++ linux-2.6.39.3/drivers/parport/procfs.c 2011-05-22 19:36:32.000000000 -0400
37042 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
37043
37044 *ppos += len;
37045
37046 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
37047 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
37048 }
37049
37050 #ifdef CONFIG_PARPORT_1284
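Review bot: The new `len > sizeof buffer` test in do_active_device runs only after `*ppos += len;`, so an over-long length has already moved the file position by the time it is rejected. It is also reported as `-EFAULT`, which makes it indistinguishable from a bad user pointer. Placing the bound check ahead of the position update keeps the guard against copying past the stack buffer and leaves the state untouched on failure, for example `if (len > sizeof buffer) return -EFAULT;` before `*ppos += len;`. do_autoprobe in the next hunk has the same ordering. Both function bodies start outside the hunks, so how `len` is computed cannot be checked from here.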
37051 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
37052
37053 *ppos += len;
37054
37055 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37056 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37057 }
37058 #endif /* IEEE1284.3 support. */
37059
37060 diff -urNp linux-2.6.39.3/drivers/pci/access.c linux-2.6.39.3/drivers/pci/access.c
37061 --- linux-2.6.39.3/drivers/pci/access.c 2011-05-19 00:06:34.000000000 -0400
37062 +++ linux-2.6.39.3/drivers/pci/access.c 2011-05-22 19:36:32.000000000 -0400
37063 @@ -74,9 +74,9 @@ EXPORT_SYMBOL(pci_bus_write_config_dword
37064 *
37065 * Return previous raw operations
37066 */
37067 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops)
37068 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops)
37069 {
37070 - struct pci_ops *old_ops;
37071 + const struct pci_ops *old_ops;
37072 unsigned long flags;
37073
37074 raw_spin_lock_irqsave(&pci_lock, flags);
37075 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c
37076 --- linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-19 00:06:34.000000000 -0400
37077 +++ linux-2.6.39.3/drivers/pci/hotplug/acpiphp_glue.c 2011-05-22 19:36:32.000000000 -0400
37078 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
37079 }
37080
37081
37082 -static struct acpi_dock_ops acpiphp_dock_ops = {
37083 +static const struct acpi_dock_ops acpiphp_dock_ops = {
37084 .handler = handle_hotplug_event_func,
37085 };
37086
37087 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c
37088 --- linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-19 00:06:34.000000000 -0400
37089 +++ linux-2.6.39.3/drivers/pci/hotplug/cpqphp_nvram.c 2011-05-22 19:36:32.000000000 -0400
37090 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37091
37092 void compaq_nvram_init (void __iomem *rom_start)
37093 {
37094 +
37095 +#ifndef CONFIG_PAX_KERNEXEC
37096 if (rom_start) {
37097 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37098 }
37099 +#endif
37100 +
37101 dbg("int15 entry = %p\n", compaq_int15_entry_point);
37102
37103 /* initialize our int15 lock */
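Review bot: With `CONFIG_PAX_KERNEXEC` set, compaq_nvram_init no longer assigns `compaq_int15_entry_point`, yet the `dbg()` line right after the `#endif` still prints it and the hunk gives no reason for skipping the assignment. A comment on the `#ifndef` would record the intent, for example `/* KERNEXEC: the ROM int15 entry point is left unset; users of it must cope with that */`. Any code that calls through the pointer lies outside this hunk and should be confirmed to check it first. The blank line added directly after the opening brace is stray.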
37104 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp.h linux-2.6.39.3/drivers/pci/hotplug/shpchp.h
37105 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-19 00:06:34.000000000 -0400
37106 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp.h 2011-05-22 19:36:32.000000000 -0400
37107 @@ -86,7 +86,7 @@ struct slot {
37108 u8 presence_save;
37109 u8 pwr_save;
37110 struct controller *ctrl;
37111 - struct hpc_ops *hpc_ops;
37112 + const struct hpc_ops *hpc_ops;
37113 struct hotplug_slot *hotplug_slot;
37114 struct list_head slot_list;
37115 struct delayed_work work; /* work for button event */
37116 @@ -107,7 +107,7 @@ struct controller {
37117 int slot_num_inc; /* 1 or -1 */
37118 struct pci_dev *pci_dev;
37119 struct list_head slot_list;
37120 - struct hpc_ops *hpc_ops;
37121 + const struct hpc_ops *hpc_ops;
37122 wait_queue_head_t queue; /* sleep & wake process */
37123 u8 slot_device_offset;
37124 u32 pcix_misc2_reg; /* for amd pogo errata */
37125 diff -urNp linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c
37126 --- linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-19 00:06:34.000000000 -0400
37127 +++ linux-2.6.39.3/drivers/pci/hotplug/shpchp_hpc.c 2011-05-22 19:36:32.000000000 -0400
37128 @@ -910,7 +910,7 @@ static int shpc_get_max_bus_speed(struct
37129 return retval;
37130 }
37131
37132 -static struct hpc_ops shpchp_hpc_ops = {
37133 +static const struct hpc_ops shpchp_hpc_ops = {
37134 .power_on_slot = hpc_power_on_slot,
37135 .slot_enable = hpc_slot_enable,
37136 .slot_disable = hpc_slot_disable,
37137 diff -urNp linux-2.6.39.3/drivers/pci/intel-iommu.c linux-2.6.39.3/drivers/pci/intel-iommu.c
37138 --- linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 12:55:22.000000000 -0400
37139 +++ linux-2.6.39.3/drivers/pci/intel-iommu.c 2011-06-25 13:00:26.000000000 -0400
37140 @@ -393,7 +393,7 @@ static int intel_iommu_strict;
37141 static DEFINE_SPINLOCK(device_domain_lock);
37142 static LIST_HEAD(device_domain_list);
37143
37144 -static struct iommu_ops intel_iommu_ops;
37145 +static const struct iommu_ops intel_iommu_ops;
37146
37147 static int __init intel_iommu_setup(char *str)
37148 {
37149 @@ -2964,7 +2964,7 @@ static int intel_mapping_error(struct de
37150 return !dma_addr;
37151 }
37152
37153 -struct dma_map_ops intel_dma_ops = {
37154 +const struct dma_map_ops intel_dma_ops = {
37155 .alloc_coherent = intel_alloc_coherent,
37156 .free_coherent = intel_free_coherent,
37157 .map_sg = intel_map_sg,
37158 @@ -3761,7 +3761,7 @@ static int intel_iommu_domain_has_cap(st
37159 return 0;
37160 }
37161
37162 -static struct iommu_ops intel_iommu_ops = {
37163 +static const struct iommu_ops intel_iommu_ops = {
37164 .domain_init = intel_iommu_domain_init,
37165 .domain_destroy = intel_iommu_domain_destroy,
37166 .attach_dev = intel_iommu_attach_device,
37167 diff -urNp linux-2.6.39.3/drivers/pci/pci-acpi.c linux-2.6.39.3/drivers/pci/pci-acpi.c
37168 --- linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-19 00:06:34.000000000 -0400
37169 +++ linux-2.6.39.3/drivers/pci/pci-acpi.c 2011-05-22 19:36:32.000000000 -0400
37170 @@ -332,7 +332,7 @@ static int acpi_pci_run_wake(struct pci_
37171 return 0;
37172 }
37173
37174 -static struct pci_platform_pm_ops acpi_pci_platform_pm = {
37175 +static const struct pci_platform_pm_ops acpi_pci_platform_pm = {
37176 .is_manageable = acpi_pci_power_manageable,
37177 .set_state = acpi_pci_set_power_state,
37178 .choose_state = acpi_pci_choose_state,
37179 diff -urNp linux-2.6.39.3/drivers/pci/pci.c linux-2.6.39.3/drivers/pci/pci.c
37180 --- linux-2.6.39.3/drivers/pci/pci.c 2011-05-19 00:06:34.000000000 -0400
37181 +++ linux-2.6.39.3/drivers/pci/pci.c 2011-05-22 19:36:32.000000000 -0400
37182 @@ -480,9 +480,9 @@ pci_restore_bars(struct pci_dev *dev)
37183 pci_update_resource(dev, i);
37184 }
37185
37186 -static struct pci_platform_pm_ops *pci_platform_pm;
37187 +static const struct pci_platform_pm_ops *pci_platform_pm;
37188
37189 -int pci_set_platform_pm(struct pci_platform_pm_ops *ops)
37190 +int pci_set_platform_pm(const struct pci_platform_pm_ops *ops)
37191 {
37192 if (!ops->is_manageable || !ops->set_state || !ops->choose_state
37193 || !ops->sleep_wake || !ops->can_wakeup)
37194 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c
37195 --- linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-19 00:06:34.000000000 -0400
37196 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aerdrv_core.c 2011-05-22 19:36:32.000000000 -0400
37197 @@ -239,7 +239,7 @@ static bool find_source_device(struct pc
37198 static int report_error_detected(struct pci_dev *dev, void *data)
37199 {
37200 pci_ers_result_t vote;
37201 - struct pci_error_handlers *err_handler;
37202 + const struct pci_error_handlers *err_handler;
37203 struct aer_broadcast_data *result_data;
37204 result_data = (struct aer_broadcast_data *) data;
37205
37206 @@ -273,7 +273,7 @@ static int report_error_detected(struct
37207 static int report_mmio_enabled(struct pci_dev *dev, void *data)
37208 {
37209 pci_ers_result_t vote;
37210 - struct pci_error_handlers *err_handler;
37211 + const struct pci_error_handlers *err_handler;
37212 struct aer_broadcast_data *result_data;
37213 result_data = (struct aer_broadcast_data *) data;
37214
37215 @@ -291,7 +291,7 @@ static int report_mmio_enabled(struct pc
37216 static int report_slot_reset(struct pci_dev *dev, void *data)
37217 {
37218 pci_ers_result_t vote;
37219 - struct pci_error_handlers *err_handler;
37220 + const struct pci_error_handlers *err_handler;
37221 struct aer_broadcast_data *result_data;
37222 result_data = (struct aer_broadcast_data *) data;
37223
37224 @@ -308,7 +308,7 @@ static int report_slot_reset(struct pci_
37225
37226 static int report_resume(struct pci_dev *dev, void *data)
37227 {
37228 - struct pci_error_handlers *err_handler;
37229 + const struct pci_error_handlers *err_handler;
37230
37231 dev->error_state = pci_channel_io_normal;
37232
37233 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c
37234 --- linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-19 00:06:34.000000000 -0400
37235 +++ linux-2.6.39.3/drivers/pci/pcie/aer/aer_inject.c 2011-05-22 19:36:32.000000000 -0400
37236 @@ -64,7 +64,7 @@ struct aer_error {
37237 struct pci_bus_ops {
37238 struct list_head list;
37239 struct pci_bus *bus;
37240 - struct pci_ops *ops;
37241 + const struct pci_ops *ops;
37242 };
37243
37244 static LIST_HEAD(einjected);
37245 @@ -110,7 +110,7 @@ static struct aer_error *__find_aer_erro
37246 }
37247
37248 /* inject_lock must be held before calling */
37249 -static struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37250 +static const struct pci_ops *__find_pci_bus_ops(struct pci_bus *bus)
37251 {
37252 struct pci_bus_ops *bus_ops;
37253
37254 @@ -187,7 +187,7 @@ static int pci_read_aer(struct pci_bus *
37255 u32 *sim;
37256 struct aer_error *err;
37257 unsigned long flags;
37258 - struct pci_ops *ops;
37259 + const struct pci_ops *ops;
37260 int domain;
37261
37262 spin_lock_irqsave(&inject_lock, flags);
37263 @@ -219,7 +219,7 @@ int pci_write_aer(struct pci_bus *bus, u
37264 struct aer_error *err;
37265 unsigned long flags;
37266 int rw1cs;
37267 - struct pci_ops *ops;
37268 + const struct pci_ops *ops;
37269 int domain;
37270
37271 spin_lock_irqsave(&inject_lock, flags);
37272 @@ -254,7 +254,7 @@ static struct pci_ops pci_ops_aer = {
37273
37274 static void pci_bus_ops_init(struct pci_bus_ops *bus_ops,
37275 struct pci_bus *bus,
37276 - struct pci_ops *ops)
37277 + const struct pci_ops *ops)
37278 {
37279 INIT_LIST_HEAD(&bus_ops->list);
37280 bus_ops->bus = bus;
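Review bot: The hunk header still shows `static struct pci_ops pci_ops_aer = {` without `const`, and no hunk in this file section touches that definition, so the table appears to stay writable. Every pointer that can refer to it is const-qualified here: the `ops` member, `__find_pci_bus_ops()`, and the locals in pci_read_aer, pci_write_aer and pci_bus_set_aer_ops. If nothing writes to the table at run time, which cannot be checked from these hunks, the definition should follow suit: `static const struct pci_ops pci_ops_aer = {`.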
37281 @@ -263,7 +263,7 @@ static void pci_bus_ops_init(struct pci_
37282
37283 static int pci_bus_set_aer_ops(struct pci_bus *bus)
37284 {
37285 - struct pci_ops *ops;
37286 + const struct pci_ops *ops;
37287 struct pci_bus_ops *bus_ops;
37288 unsigned long flags;
37289
37290 diff -urNp linux-2.6.39.3/drivers/pci/pcie/aspm.c linux-2.6.39.3/drivers/pci/pcie/aspm.c
37291 --- linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-19 00:06:34.000000000 -0400
37292 +++ linux-2.6.39.3/drivers/pci/pcie/aspm.c 2011-05-22 19:36:32.000000000 -0400
37293 @@ -27,9 +27,9 @@
37294 #define MODULE_PARAM_PREFIX "pcie_aspm."
37295
37296 /* Note: those are not register definitions */
37297 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
37298 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
37299 -#define ASPM_STATE_L1 (4) /* L1 state */
37300 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
37301 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
37302 +#define ASPM_STATE_L1 (4U) /* L1 state */
37303 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
37304 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
37305
37306 diff -urNp linux-2.6.39.3/drivers/pci/pci.h linux-2.6.39.3/drivers/pci/pci.h
37307 --- linux-2.6.39.3/drivers/pci/pci.h 2011-05-19 00:06:34.000000000 -0400
37308 +++ linux-2.6.39.3/drivers/pci/pci.h 2011-05-22 19:36:32.000000000 -0400
37309 @@ -65,7 +65,7 @@ struct pci_platform_pm_ops {
37310 int (*run_wake)(struct pci_dev *dev, bool enable);
37311 };
37312
37313 -extern int pci_set_platform_pm(struct pci_platform_pm_ops *ops);
37314 +extern int pci_set_platform_pm(const struct pci_platform_pm_ops *ops);
37315 extern void pci_update_current_state(struct pci_dev *dev, pci_power_t state);
37316 extern void pci_disable_enabled_device(struct pci_dev *dev);
37317 extern int pci_finish_runtime_suspend(struct pci_dev *dev);
37318 diff -urNp linux-2.6.39.3/drivers/pci/probe.c linux-2.6.39.3/drivers/pci/probe.c
37319 --- linux-2.6.39.3/drivers/pci/probe.c 2011-05-19 00:06:34.000000000 -0400
37320 +++ linux-2.6.39.3/drivers/pci/probe.c 2011-05-22 19:36:32.000000000 -0400
37321 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
37322 return ret;
37323 }
37324
37325 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
37326 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
37327 struct device_attribute *attr,
37328 char *buf)
37329 {
37330 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
37331 }
37332
37333 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
37334 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
37335 struct device_attribute *attr,
37336 char *buf)
37337 {
37338 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
37339 u32 l, sz, mask;
37340 u16 orig_cmd;
37341
37342 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
37343 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
37344
37345 if (!dev->mmio_always_on) {
37346 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
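Review bot: The two arms of the conditional in `mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;` still have different types after the cast, `u32` on one side and signed `int` on the other. The result is the same after conversion to `mask`, but spelling the all-ones arm as unsigned states the intent and avoids relying on the implicit conversion: `mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0U;`. __pci_read_base continues outside the hunk.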
37347 @@ -1407,7 +1407,7 @@ unsigned int __devinit pci_scan_child_bu
37348 }
37349
37350 struct pci_bus * pci_create_bus(struct device *parent,
37351 - int bus, struct pci_ops *ops, void *sysdata)
37352 + int bus, const struct pci_ops *ops, void *sysdata)
37353 {
37354 int error;
37355 struct pci_bus *b, *b2;
37356 @@ -1483,7 +1483,7 @@ err_out:
37357 }
37358
37359 struct pci_bus * __devinit pci_scan_bus_parented(struct device *parent,
37360 - int bus, struct pci_ops *ops, void *sysdata)
37361 + int bus, const struct pci_ops *ops, void *sysdata)
37362 {
37363 struct pci_bus *b;
37364
37365 diff -urNp linux-2.6.39.3/drivers/pci/proc.c linux-2.6.39.3/drivers/pci/proc.c
37366 --- linux-2.6.39.3/drivers/pci/proc.c 2011-05-19 00:06:34.000000000 -0400
37367 +++ linux-2.6.39.3/drivers/pci/proc.c 2011-05-22 19:41:37.000000000 -0400
37368 @@ -476,7 +476,16 @@ static const struct file_operations proc
37369 static int __init pci_proc_init(void)
37370 {
37371 struct pci_dev *dev = NULL;
37372 +
37373 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
37374 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37375 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
37376 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37377 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
37378 +#endif
37379 +#else
37380 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
37381 +#endif
37382 proc_create("devices", 0, proc_bus_pci_dir,
37383 &proc_bus_pci_dev_operations);
37384 proc_initialized = 1;
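Review bot: The inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain in pci_proc_init has no `#else`. If `CONFIG_GRKERNSEC_PROC_ADD` is enabled with neither of the other two options, no statement assigns `proc_bus_pci_dir` and `proc_create("devices", ...)` is then called with whatever the pointer already held. The Kconfig dependencies may rule that combination out, but they are not visible here, so the code should not rely on them silently. Either add a fallback to the inner chain, `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`, or make the build fail with `#error`. The return value of `proc_mkdir_mode()` is not checked either, as with the original `proc_mkdir()` call.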
37385 diff -urNp linux-2.6.39.3/drivers/pci/xen-pcifront.c linux-2.6.39.3/drivers/pci/xen-pcifront.c
37386 --- linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-19 00:06:34.000000000 -0400
37387 +++ linux-2.6.39.3/drivers/pci/xen-pcifront.c 2011-05-22 19:36:32.000000000 -0400
37388 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
37389 struct pcifront_sd *sd = bus->sysdata;
37390 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37391
37392 + pax_track_stack();
37393 +
37394 if (verbose_request)
37395 dev_info(&pdev->xdev->dev,
37396 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
37397 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
37398 struct pcifront_sd *sd = bus->sysdata;
37399 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37400
37401 + pax_track_stack();
37402 +
37403 if (verbose_request)
37404 dev_info(&pdev->xdev->dev,
37405 "write dev=%04x:%02x:%02x.%01x - "
37406 @@ -236,7 +240,7 @@ static int pcifront_bus_write(struct pci
37407 return errno_to_pcibios_err(do_pci_op(pdev, &op));
37408 }
37409
37410 -struct pci_ops pcifront_bus_ops = {
37411 +const struct pci_ops pcifront_bus_ops = {
37412 .read = pcifront_bus_read,
37413 .write = pcifront_bus_write,
37414 };
37415 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
37416 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37417 struct msi_desc *entry;
37418
37419 + pax_track_stack();
37420 +
37421 if (nvec > SH_INFO_MAX_VEC) {
37422 dev_err(&dev->dev, "too much vector for pci frontend: %x."
37423 " Increase SH_INFO_MAX_VEC.\n", nvec);
37424 @@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
37425 struct pcifront_sd *sd = dev->bus->sysdata;
37426 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37427
37428 + pax_track_stack();
37429 +
37430 err = do_pci_op(pdev, &op);
37431
37432 /* What should do for error ? */
37433 @@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
37434 struct pcifront_sd *sd = dev->bus->sysdata;
37435 struct pcifront_device *pdev = pcifront_get_pdev(sd);
37436
37437 + pax_track_stack();
37438 +
37439 err = do_pci_op(pdev, &op);
37440 if (likely(!err)) {
37441 vector[0] = op.value;
37442 @@ -368,7 +378,7 @@ static void pci_frontend_disable_msi(str
37443 printk(KERN_DEBUG "get fake response frombackend\n");
37444 }
37445
37446 -static struct xen_pci_frontend_ops pci_frontend_ops = {
37447 +static const struct xen_pci_frontend_ops pci_frontend_ops = {
37448 .enable_msi = pci_frontend_enable_msi,
37449 .disable_msi = pci_frontend_disable_msi,
37450 .enable_msix = pci_frontend_enable_msix,
37451 diff -urNp linux-2.6.39.3/drivers/pcmcia/at91_cf.c linux-2.6.39.3/drivers/pcmcia/at91_cf.c
37452 --- linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-19 00:06:34.000000000 -0400
37453 +++ linux-2.6.39.3/drivers/pcmcia/at91_cf.c 2011-05-22 19:36:32.000000000 -0400
37454 @@ -203,7 +203,7 @@ at91_cf_set_mem_map(struct pcmcia_socket
37455 return 0;
37456 }
37457
37458 -static struct pccard_operations at91_cf_ops = {
37459 +static const struct pccard_operations at91_cf_ops = {
37460 .init = at91_cf_ss_init,
37461 .suspend = at91_cf_ss_suspend,
37462 .get_status = at91_cf_get_status,
37463 diff -urNp linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c
37464 --- linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37465 +++ linux-2.6.39.3/drivers/pcmcia/bfin_cf_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37466 @@ -184,7 +184,7 @@ bfin_cf_set_mem_map(struct pcmcia_socket
37467 return 0;
37468 }
37469
37470 -static struct pccard_operations bfin_cf_ops = {
37471 +static const struct pccard_operations bfin_cf_ops = {
37472 .init = bfin_cf_ss_init,
37473 .suspend = bfin_cf_ss_suspend,
37474 .get_status = bfin_cf_get_status,
37475 diff -urNp linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c
37476 --- linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-19 00:06:34.000000000 -0400
37477 +++ linux-2.6.39.3/drivers/pcmcia/db1xxx_ss.c 2011-05-22 19:36:32.000000000 -0400
37478 @@ -384,7 +384,7 @@ static int au1x00_pcmcia_set_mem_map(str
37479 return 0;
37480 }
37481
37482 -static struct pccard_operations db1x_pcmcia_operations = {
37483 +static const struct pccard_operations db1x_pcmcia_operations = {
37484 .init = db1x_pcmcia_sock_init,
37485 .suspend = db1x_pcmcia_sock_suspend,
37486 .get_status = db1x_pcmcia_get_status,
37487 diff -urNp linux-2.6.39.3/drivers/pcmcia/electra_cf.c linux-2.6.39.3/drivers/pcmcia/electra_cf.c
37488 --- linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-19 00:06:34.000000000 -0400
37489 +++ linux-2.6.39.3/drivers/pcmcia/electra_cf.c 2011-05-22 19:36:32.000000000 -0400
37490 @@ -173,7 +173,7 @@ static int electra_cf_set_mem_map(struct
37491 return 0;
37492 }
37493
37494 -static struct pccard_operations electra_cf_ops = {
37495 +static const struct pccard_operations electra_cf_ops = {
37496 .init = electra_cf_ss_init,
37497 .get_status = electra_cf_get_status,
37498 .set_socket = electra_cf_set_socket,
37499 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c
37500 --- linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-19 00:06:34.000000000 -0400
37501 +++ linux-2.6.39.3/drivers/pcmcia/m32r_cfc.c 2011-05-22 19:36:32.000000000 -0400
37502 @@ -674,7 +674,7 @@ static int pcc_init(struct pcmcia_socket
37503 return 0;
37504 }
37505
37506 -static struct pccard_operations pcc_operations = {
37507 +static const struct pccard_operations pcc_operations = {
37508 .init = pcc_init,
37509 .get_status = pcc_get_status,
37510 .set_socket = pcc_set_socket,
37511 diff -urNp linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c
37512 --- linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-19 00:06:34.000000000 -0400
37513 +++ linux-2.6.39.3/drivers/pcmcia/m32r_pcc.c 2011-05-22 19:36:32.000000000 -0400
37514 @@ -652,7 +652,7 @@ static int pcc_init(struct pcmcia_socket
37515 return 0;
37516 }
37517
37518 -static struct pccard_operations pcc_operations = {
37519 +static const struct pccard_operations pcc_operations = {
37520 .init = pcc_init,
37521 .get_status = pcc_get_status,
37522 .set_socket = pcc_set_socket,
37523 diff -urNp linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c
37524 --- linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-19 00:06:34.000000000 -0400
37525 +++ linux-2.6.39.3/drivers/pcmcia/m8xx_pcmcia.c 2011-05-22 19:36:32.000000000 -0400
37526 @@ -1139,7 +1139,7 @@ static int m8xx_sock_suspend(struct pcmc
37527 return m8xx_set_socket(sock, &dead_socket);
37528 }
37529
37530 -static struct pccard_operations m8xx_services = {
37531 +static const struct pccard_operations m8xx_services = {
37532 .init = m8xx_sock_init,
37533 .suspend = m8xx_sock_suspend,
37534 .get_status = m8xx_get_status,
37535 diff -urNp linux-2.6.39.3/drivers/pcmcia/omap_cf.c linux-2.6.39.3/drivers/pcmcia/omap_cf.c
37536 --- linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-19 00:06:34.000000000 -0400
37537 +++ linux-2.6.39.3/drivers/pcmcia/omap_cf.c 2011-05-22 19:36:32.000000000 -0400
37538 @@ -185,7 +185,7 @@ omap_cf_set_mem_map(struct pcmcia_socket
37539 return 0;
37540 }
37541
37542 -static struct pccard_operations omap_cf_ops = {
37543 +static const struct pccard_operations omap_cf_ops = {
37544 .init = omap_cf_ss_init,
37545 .suspend = omap_cf_ss_suspend,
37546 .get_status = omap_cf_get_status,
37547 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c
37548 --- linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-19 00:06:34.000000000 -0400
37549 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_iodyn.c 2011-05-22 19:36:32.000000000 -0400
37550 @@ -161,7 +161,7 @@ static int iodyn_find_io(struct pcmcia_s
37551 }
37552
37553
37554 -struct pccard_resource_ops pccard_iodyn_ops = {
37555 +const struct pccard_resource_ops pccard_iodyn_ops = {
37556 .validate_mem = NULL,
37557 .find_io = iodyn_find_io,
37558 .find_mem = NULL,
37559 diff -urNp linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c
37560 --- linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-19 00:06:34.000000000 -0400
37561 +++ linux-2.6.39.3/drivers/pcmcia/rsrc_mgr.c 2011-05-22 19:36:32.000000000 -0400
37562 @@ -57,7 +57,7 @@ static int static_find_io(struct pcmcia_
37563 }
37564
37565
37566 -struct pccard_resource_ops pccard_static_ops = {
37567 +const struct pccard_resource_ops pccard_static_ops = {
37568 .validate_mem = NULL,
37569 .find_io = static_find_io,
37570 .find_mem = NULL,
37571 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c
37572 --- linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-19 00:06:34.000000000 -0400
37573 +++ linux-2.6.39.3/drivers/pcmcia/vrc4171_card.c 2011-05-22 19:36:32.000000000 -0400
37574 @@ -479,7 +479,7 @@ static int pccard_set_mem_map(struct pcm
37575 return 0;
37576 }
37577
37578 -static struct pccard_operations vrc4171_pccard_operations = {
37579 +static const struct pccard_operations vrc4171_pccard_operations = {
37580 .init = pccard_init,
37581 .get_status = pccard_get_status,
37582 .set_socket = pccard_set_socket,
37583 diff -urNp linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c
37584 --- linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-19 00:06:34.000000000 -0400
37585 +++ linux-2.6.39.3/drivers/pcmcia/vrc4173_cardu.c 2011-05-22 19:36:32.000000000 -0400
37586 @@ -384,7 +384,7 @@ static void cardu_proc_setup(unsigned in
37587 {
37588 }
37589
37590 -static struct pccard_operations cardu_operations = {
37591 +static const struct pccard_operations cardu_operations = {
37592 .init = cardu_init,
37593 .register_callback = cardu_register_callback,
37594 .inquire_socket = cardu_inquire_socket,
37595 diff -urNp linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c
37596 --- linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-19 00:06:34.000000000 -0400
37597 +++ linux-2.6.39.3/drivers/pcmcia/xxs1500_ss.c 2011-05-22 19:36:32.000000000 -0400
37598 @@ -196,7 +196,7 @@ static int au1x00_pcmcia_set_mem_map(str
37599 return 0;
37600 }
37601
37602 -static struct pccard_operations xxs1500_pcmcia_operations = {
37603 +static const struct pccard_operations xxs1500_pcmcia_operations = {
37604 .init = xxs1500_pcmcia_sock_init,
37605 .suspend = xxs1500_pcmcia_sock_suspend,
37606 .get_status = xxs1500_pcmcia_get_status,
37607 diff -urNp linux-2.6.39.3/drivers/platform/x86/acerhdf.c linux-2.6.39.3/drivers/platform/x86/acerhdf.c
37608 --- linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-19 00:06:34.000000000 -0400
37609 +++ linux-2.6.39.3/drivers/platform/x86/acerhdf.c 2011-05-22 19:36:32.000000000 -0400
37610 @@ -406,7 +406,7 @@ static int acerhdf_get_crit_temp(struct
37611 }
37612
37613 /* bind callback functions to thermalzone */
37614 -static struct thermal_zone_device_ops acerhdf_dev_ops = {
37615 +static const struct thermal_zone_device_ops acerhdf_dev_ops = {
37616 .bind = acerhdf_bind,
37617 .unbind = acerhdf_unbind,
37618 .get_temp = acerhdf_get_ec_temp,
37619 @@ -481,7 +481,7 @@ err_out:
37620 }
37621
37622 /* bind fan callbacks to fan device */
37623 -static struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37624 +static const struct thermal_cooling_device_ops acerhdf_cooling_ops = {
37625 .get_max_state = acerhdf_get_max_state,
37626 .get_cur_state = acerhdf_get_cur_state,
37627 .set_cur_state = acerhdf_set_cur_state,
37628 diff -urNp linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c
37629 --- linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-19 00:06:34.000000000 -0400
37630 +++ linux-2.6.39.3/drivers/platform/x86/ideapad-laptop.c 2011-05-22 19:36:32.000000000 -0400
37631 @@ -207,7 +207,7 @@ static int ideapad_rfk_set(void *data, b
37632 return write_ec_cmd(ideapad_handle, opcode, !blocked);
37633 }
37634
37635 -static struct rfkill_ops ideapad_rfk_ops = {
37636 +static const struct rfkill_ops ideapad_rfk_ops = {
37637 .set_block = ideapad_rfk_set,
37638 };
37639
37640 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_menlow.c linux-2.6.39.3/drivers/platform/x86/intel_menlow.c
37641 --- linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-19 00:06:34.000000000 -0400
37642 +++ linux-2.6.39.3/drivers/platform/x86/intel_menlow.c 2011-05-22 19:36:32.000000000 -0400
37643 @@ -143,7 +143,7 @@ static int memory_set_cur_bandwidth(stru
37644 return 0;
37645 }
37646
37647 -static struct thermal_cooling_device_ops memory_cooling_ops = {
37648 +static const struct thermal_cooling_device_ops memory_cooling_ops = {
37649 .get_max_state = memory_get_max_bandwidth,
37650 .get_cur_state = memory_get_cur_bandwidth,
37651 .set_cur_state = memory_set_cur_bandwidth,
37652 diff -urNp linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c
37653 --- linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-19 00:06:34.000000000 -0400
37654 +++ linux-2.6.39.3/drivers/platform/x86/intel_mid_thermal.c 2011-05-22 19:36:32.000000000 -0400
37655 @@ -458,7 +458,7 @@ static int read_curr_temp(struct thermal
37656 }
37657
37658 /* Can't be const */
37659 -static struct thermal_zone_device_ops tzd_ops = {
37660 +static const struct thermal_zone_device_ops tzd_ops = {
37661 .get_temp = read_curr_temp,
37662 };
37663
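Review bot: The comment `/* Can't be const */` directly above `tzd_ops` is left in place while the declaration becomes `static const struct thermal_zone_device_ops`, so the new code contradicts its own comment. Either drop the comment or replace it with the reason it no longer applies, for example `/* const: the thermal core takes a const ops pointer in this tree */`, assuming the registration prototype is constified elsewhere in the patch (not visible in this hunk). If that prototype still takes a non-const pointer, the table would be passed with its qualifier discarded and a later write through it would hit read-only data.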
37664 diff -urNp linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c
37665 --- linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-19 00:06:34.000000000 -0400
37666 +++ linux-2.6.39.3/drivers/platform/x86/samsung-laptop.c 2011-05-22 19:36:32.000000000 -0400
37667 @@ -419,7 +419,7 @@ static int rfkill_set(void *data, bool b
37668 return 0;
37669 }
37670
37671 -static struct rfkill_ops rfkill_ops = {
37672 +static const struct rfkill_ops rfkill_ops = {
37673 .set_block = rfkill_set,
37674 };
37675
37676 diff -urNp linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c
37677 --- linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-19 00:06:34.000000000 -0400
37678 +++ linux-2.6.39.3/drivers/pnp/pnpbios/bioscalls.c 2011-05-22 19:36:32.000000000 -0400
37679 @@ -59,7 +59,7 @@ do { \
37680 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
37681 } while(0)
37682
37683 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
37684 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
37685 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
37686
37687 /*
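Review bot: The descriptor flags change from `0x4092` to `0x4093` on the same line that adds `const`, and nothing in the hunk explains why. Bit 0 of the type field is the x86 "accessed" bit; presumably it is pre-set so the CPU never has to write that bit back into a GDT that is mapped read-only, but that is an inference from the `pax_open_kernel()` changes further down in this file. A one-line comment would keep a later editor from reverting the constant: `/* accessed bit pre-set: loading this selector must not write to the GDT */`.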
37688 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
37689
37690 cpu = get_cpu();
37691 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
37692 +
37693 + pax_open_kernel();
37694 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
37695 + pax_close_kernel();
37696
37697 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
37698 spin_lock_irqsave(&pnp_bios_lock, flags);
37699 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
37700 :"memory");
37701 spin_unlock_irqrestore(&pnp_bios_lock, flags);
37702
37703 + pax_open_kernel();
37704 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
37705 + pax_close_kernel();
37706 +
37707 put_cpu();
37708
37709 /* If we get here and this is set then the PnP BIOS faulted on us. */
37710 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
37711 return status;
37712 }
37713
37714 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
37715 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
37716 {
37717 int i;
37718
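Review bot: `__init` is added only to the definition of the non-static `pnpbios_calls_init()`; its prototype and its callers are outside this hunk. Every caller has to live in init text as well, otherwise a late call would jump into memory that is freed after boot, so the modpost section-mismatch output is the check to run for this change. The prototype in the header should carry the same annotation so declaration and definition stay in sync. The function body continues past the end of the hunk.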
37719 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
37720 pnp_bios_callpoint.offset = header->fields.pm16offset;
37721 pnp_bios_callpoint.segment = PNP_CS16;
37722
37723 + pax_open_kernel();
37724 +
37725 for_each_possible_cpu(i) {
37726 struct desc_struct *gdt = get_cpu_gdt_table(i);
37727 if (!gdt)
37728 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
37729 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
37730 (unsigned long)__va(header->fields.pm16dseg));
37731 }
37732 +
37733 + pax_close_kernel();
37734 }
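Review bot: In `pnpbios_calls_init()` the `pax_open_kernel()` added in the `@@ -476` hunk and the `pax_close_kernel()` added here bracket the whole `for_each_possible_cpu` loop, unlike `call_pnp_bios()` where each GDT store is wrapped on its own. Part of the loop body lies between the two hunks and is not visible; any path that leaves the function from inside the loop would skip the close call and presumably leave the write window open. A comment at the open call stating the invariant would help, for example `/* GDT is read-only: window stays open for the descriptor updates below, no return inside the loop */`.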
37735 diff -urNp linux-2.6.39.3/drivers/pnp/resource.c linux-2.6.39.3/drivers/pnp/resource.c
37736 --- linux-2.6.39.3/drivers/pnp/resource.c 2011-05-19 00:06:34.000000000 -0400
37737 +++ linux-2.6.39.3/drivers/pnp/resource.c 2011-05-22 19:36:32.000000000 -0400
37738 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
37739 return 1;
37740
37741 /* check if the resource is valid */
37742 - if (*irq < 0 || *irq > 15)
37743 + if (*irq > 15)
37744 return 0;
37745
37746 /* check if the resource is reserved */
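Review bot: The lower-bound test `*irq < 0` is dropped here (and `*dma < 0` in the `@@ -424` hunk of this file) while the declarations of `irq` and `dma` are outside the hunks, so a reader cannot confirm from the patch that the range check is still complete. If both point at an unsigned resource type, the removed comparison was dead code and the upper bound alone is sufficient; if the type were signed, a negative value would now pass this validity check. A short comment makes the assumption explicit: `/* *irq is unsigned, so only the upper bound needs checking */`. Both functions start and end outside the hunks.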
37747 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
37748 return 1;
37749
37750 /* check if the resource is valid */
37751 - if (*dma < 0 || *dma == 4 || *dma > 7)
37752 + if (*dma == 4 || *dma > 7)
37753 return 0;
37754
37755 /* check if the resource is reserved */
37756 diff -urNp linux-2.6.39.3/drivers/power/max8925_power.c linux-2.6.39.3/drivers/power/max8925_power.c
37757 --- linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-19 00:06:34.000000000 -0400
37758 +++ linux-2.6.39.3/drivers/power/max8925_power.c 2011-05-22 19:36:32.000000000 -0400
37759 @@ -426,7 +426,7 @@ static __devinit int max8925_power_probe
37760 {
37761 struct max8925_chip *chip = dev_get_drvdata(pdev->dev.parent);
37762 struct max8925_platform_data *max8925_pdata;
37763 - struct max8925_power_pdata *pdata = NULL;
37764 + const struct max8925_power_pdata *pdata = NULL;
37765 struct max8925_power_info *info;
37766 int ret;
37767
37768 diff -urNp linux-2.6.39.3/drivers/regulator/core.c linux-2.6.39.3/drivers/regulator/core.c
37769 --- linux-2.6.39.3/drivers/regulator/core.c 2011-05-19 00:06:34.000000000 -0400
37770 +++ linux-2.6.39.3/drivers/regulator/core.c 2011-05-22 19:36:32.000000000 -0400
37771 @@ -2883,7 +2883,7 @@ core_initcall(regulator_init);
37772 static int __init regulator_init_complete(void)
37773 {
37774 struct regulator_dev *rdev;
37775 - struct regulator_ops *ops;
37776 + const struct regulator_ops *ops;
37777 struct regulation_constraints *c;
37778 int enabled, ret;
37779
37780 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c
37781 --- linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-19 00:06:34.000000000 -0400
37782 +++ linux-2.6.39.3/drivers/rtc/rtc-at32ap700x.c 2011-05-22 19:36:32.000000000 -0400
37783 @@ -187,7 +187,7 @@ static irqreturn_t at32_rtc_interrupt(in
37784 return ret;
37785 }
37786
37787 -static struct rtc_class_ops at32_rtc_ops = {
37788 +static const struct rtc_class_ops at32_rtc_ops = {
37789 .read_time = at32_rtc_readtime,
37790 .set_time = at32_rtc_settime,
37791 .read_alarm = at32_rtc_readalarm,
37792 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c
37793 --- linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-19 00:06:34.000000000 -0400
37794 +++ linux-2.6.39.3/drivers/rtc/rtc-au1xxx.c 2011-05-22 19:36:32.000000000 -0400
37795 @@ -57,7 +57,7 @@ static int au1xtoy_rtc_set_time(struct d
37796 return 0;
37797 }
37798
37799 -static struct rtc_class_ops au1xtoy_rtc_ops = {
37800 +static const struct rtc_class_ops au1xtoy_rtc_ops = {
37801 .read_time = au1xtoy_rtc_read_time,
37802 .set_time = au1xtoy_rtc_set_time,
37803 };
37804 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-bfin.c linux-2.6.39.3/drivers/rtc/rtc-bfin.c
37805 --- linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-19 00:06:34.000000000 -0400
37806 +++ linux-2.6.39.3/drivers/rtc/rtc-bfin.c 2011-05-22 19:36:32.000000000 -0400
37807 @@ -333,7 +333,7 @@ static int bfin_rtc_proc(struct device *
37808 #undef yesno
37809 }
37810
37811 -static struct rtc_class_ops bfin_rtc_ops = {
37812 +static const struct rtc_class_ops bfin_rtc_ops = {
37813 .read_time = bfin_rtc_read_time,
37814 .set_time = bfin_rtc_set_time,
37815 .read_alarm = bfin_rtc_read_alarm,
37816 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-coh901331.c linux-2.6.39.3/drivers/rtc/rtc-coh901331.c
37817 --- linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-19 00:06:34.000000000 -0400
37818 +++ linux-2.6.39.3/drivers/rtc/rtc-coh901331.c 2011-05-22 19:36:32.000000000 -0400
37819 @@ -142,7 +142,7 @@ static int coh901331_alarm_irq_enable(st
37820 return 0;
37821 }
37822
37823 -static struct rtc_class_ops coh901331_ops = {
37824 +static const struct rtc_class_ops coh901331_ops = {
37825 .read_time = coh901331_read_time,
37826 .set_mmss = coh901331_set_mmss,
37827 .read_alarm = coh901331_read_alarm,
37828 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-davinci.c linux-2.6.39.3/drivers/rtc/rtc-davinci.c
37829 --- linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-19 00:06:34.000000000 -0400
37830 +++ linux-2.6.39.3/drivers/rtc/rtc-davinci.c 2011-05-22 19:36:32.000000000 -0400
37831 @@ -469,7 +469,7 @@ static int davinci_rtc_set_alarm(struct
37832 return 0;
37833 }
37834
37835 -static struct rtc_class_ops davinci_rtc_ops = {
37836 +static const struct rtc_class_ops davinci_rtc_ops = {
37837 .ioctl = davinci_rtc_ioctl,
37838 .read_time = davinci_rtc_read_time,
37839 .set_time = davinci_rtc_set_time,
37840 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dev.c linux-2.6.39.3/drivers/rtc/rtc-dev.c
37841 --- linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-19 00:06:34.000000000 -0400
37842 +++ linux-2.6.39.3/drivers/rtc/rtc-dev.c 2011-05-22 19:41:37.000000000 -0400
37843 @@ -14,6 +14,7 @@
37844 #include <linux/module.h>
37845 #include <linux/rtc.h>
37846 #include <linux/sched.h>
37847 +#include <linux/grsecurity.h>
37848 #include "rtc-core.h"
37849
37850 static dev_t rtc_devt;
37851 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
37852 if (copy_from_user(&tm, uarg, sizeof(tm)))
37853 return -EFAULT;
37854
37855 + gr_log_timechange();
37856 +
37857 return rtc_set_time(rtc, &tm);
37858
37859 case RTC_PIE_ON:
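Review bot: `gr_log_timechange()` runs before `rtc_set_time()` and independently of its result, so the audit record is written even when the hardware update fails. If the intent is to record attempts, say so in a comment such as `/* log the attempt; rtc_set_time() may still fail */`. If the intent is to record actual clock changes, store the result of `rtc_set_time(rtc, &tm)` in the function's status variable, log only when it is zero, and return it. The enclosing switch in `rtc_dev_ioctl()` starts and ends outside the hunk.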
37860 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c
37861 --- linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-19 00:06:34.000000000 -0400
37862 +++ linux-2.6.39.3/drivers/rtc/rtc-dm355evm.c 2011-05-22 19:36:32.000000000 -0400
37863 @@ -115,7 +115,7 @@ static int dm355evm_rtc_set_time(struct
37864 return 0;
37865 }
37866
37867 -static struct rtc_class_ops dm355evm_rtc_ops = {
37868 +static const struct rtc_class_ops dm355evm_rtc_ops = {
37869 .read_time = dm355evm_rtc_read_time,
37870 .set_time = dm355evm_rtc_set_time,
37871 };
37872 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-ds1302.c linux-2.6.39.3/drivers/rtc/rtc-ds1302.c
37873 --- linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-19 00:06:34.000000000 -0400
37874 +++ linux-2.6.39.3/drivers/rtc/rtc-ds1302.c 2011-05-22 19:36:32.000000000 -0400
37875 @@ -199,7 +199,7 @@ static int ds1302_rtc_ioctl(struct devic
37876 return -ENOIOCTLCMD;
37877 }
37878
37879 -static struct rtc_class_ops ds1302_rtc_ops = {
37880 +static const struct rtc_class_ops ds1302_rtc_ops = {
37881 .read_time = ds1302_rtc_read_time,
37882 .set_time = ds1302_rtc_set_time,
37883 .ioctl = ds1302_rtc_ioctl,
37884 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-imxdi.c linux-2.6.39.3/drivers/rtc/rtc-imxdi.c
37885 --- linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-19 00:06:34.000000000 -0400
37886 +++ linux-2.6.39.3/drivers/rtc/rtc-imxdi.c 2011-05-22 19:36:32.000000000 -0400
37887 @@ -290,7 +290,7 @@ static int dryice_rtc_set_alarm(struct d
37888 return 0;
37889 }
37890
37891 -static struct rtc_class_ops dryice_rtc_ops = {
37892 +static const struct rtc_class_ops dryice_rtc_ops = {
37893 .read_time = dryice_rtc_read_time,
37894 .set_mmss = dryice_rtc_set_mmss,
37895 .alarm_irq_enable = dryice_rtc_alarm_irq_enable,
37896 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-jz4740.c linux-2.6.39.3/drivers/rtc/rtc-jz4740.c
37897 --- linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-19 00:06:34.000000000 -0400
37898 +++ linux-2.6.39.3/drivers/rtc/rtc-jz4740.c 2011-05-22 19:36:32.000000000 -0400
37899 @@ -174,7 +174,7 @@ static int jz4740_rtc_alarm_irq_enable(s
37900 return jz4740_rtc_ctrl_set_bits(rtc, JZ_RTC_CTRL_AF_IRQ, enable);
37901 }
37902
37903 -static struct rtc_class_ops jz4740_rtc_ops = {
37904 +static const struct rtc_class_ops jz4740_rtc_ops = {
37905 .read_time = jz4740_rtc_read_time,
37906 .set_mmss = jz4740_rtc_set_mmss,
37907 .read_alarm = jz4740_rtc_read_alarm,
37908 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-m41t80.c linux-2.6.39.3/drivers/rtc/rtc-m41t80.c
37909 --- linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-19 00:06:34.000000000 -0400
37910 +++ linux-2.6.39.3/drivers/rtc/rtc-m41t80.c 2011-05-22 19:36:32.000000000 -0400
37911 @@ -354,7 +354,7 @@ static int m41t80_rtc_read_alarm(struct
37912 return 0;
37913 }
37914
37915 -static struct rtc_class_ops m41t80_rtc_ops = {
37916 +static const struct rtc_class_ops m41t80_rtc_ops = {
37917 .read_time = m41t80_rtc_read_time,
37918 .set_time = m41t80_rtc_set_time,
37919 .read_alarm = m41t80_rtc_read_alarm,
37920 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-mxc.c linux-2.6.39.3/drivers/rtc/rtc-mxc.c
37921 --- linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-19 00:06:34.000000000 -0400
37922 +++ linux-2.6.39.3/drivers/rtc/rtc-mxc.c 2011-05-22 19:36:32.000000000 -0400
37923 @@ -355,7 +355,7 @@ static int mxc_rtc_set_alarm(struct devi
37924 }
37925
37926 /* RTC layer */
37927 -static struct rtc_class_ops mxc_rtc_ops = {
37928 +static const struct rtc_class_ops mxc_rtc_ops = {
37929 .release = mxc_rtc_release,
37930 .read_time = mxc_rtc_read_time,
37931 .set_mmss = mxc_rtc_set_mmss,
37932 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-nuc900.c linux-2.6.39.3/drivers/rtc/rtc-nuc900.c
37933 --- linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-19 00:06:34.000000000 -0400
37934 +++ linux-2.6.39.3/drivers/rtc/rtc-nuc900.c 2011-05-22 19:36:32.000000000 -0400
37935 @@ -214,7 +214,7 @@ static int nuc900_rtc_set_alarm(struct d
37936 return 0;
37937 }
37938
37939 -static struct rtc_class_ops nuc900_rtc_ops = {
37940 +static const struct rtc_class_ops nuc900_rtc_ops = {
37941 .read_time = nuc900_rtc_read_time,
37942 .set_time = nuc900_rtc_set_time,
37943 .read_alarm = nuc900_rtc_read_alarm,
37944 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-omap.c linux-2.6.39.3/drivers/rtc/rtc-omap.c
37945 --- linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-19 00:06:34.000000000 -0400
37946 +++ linux-2.6.39.3/drivers/rtc/rtc-omap.c 2011-05-22 19:36:32.000000000 -0400
37947 @@ -274,7 +274,7 @@ static int omap_rtc_set_alarm(struct dev
37948 return 0;
37949 }
37950
37951 -static struct rtc_class_ops omap_rtc_ops = {
37952 +static const struct rtc_class_ops omap_rtc_ops = {
37953 .read_time = omap_rtc_read_time,
37954 .set_time = omap_rtc_set_time,
37955 .read_alarm = omap_rtc_read_alarm,
37956 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c
37957 --- linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-19 00:06:34.000000000 -0400
37958 +++ linux-2.6.39.3/drivers/rtc/rtc-pcf50633.c 2011-05-22 19:36:32.000000000 -0400
37959 @@ -238,7 +238,7 @@ static int pcf50633_rtc_set_alarm(struct
37960 return ret;
37961 }
37962
37963 -static struct rtc_class_ops pcf50633_rtc_ops = {
37964 +static const struct rtc_class_ops pcf50633_rtc_ops = {
37965 .read_time = pcf50633_rtc_read_time,
37966 .set_time = pcf50633_rtc_set_time,
37967 .read_alarm = pcf50633_rtc_read_alarm,
37968 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-pl031.c linux-2.6.39.3/drivers/rtc/rtc-pl031.c
37969 --- linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-19 00:06:34.000000000 -0400
37970 +++ linux-2.6.39.3/drivers/rtc/rtc-pl031.c 2011-05-22 19:36:32.000000000 -0400
37971 @@ -374,7 +374,7 @@ err_req:
37972 }
37973
37974 /* Operations for the original ARM version */
37975 -static struct rtc_class_ops arm_pl031_ops = {
37976 +static const struct rtc_class_ops arm_pl031_ops = {
37977 .read_time = pl031_read_time,
37978 .set_time = pl031_set_time,
37979 .read_alarm = pl031_read_alarm,
37980 @@ -383,7 +383,7 @@ static struct rtc_class_ops arm_pl031_op
37981 };
37982
37983 /* The First ST derivative */
37984 -static struct rtc_class_ops stv1_pl031_ops = {
37985 +static const struct rtc_class_ops stv1_pl031_ops = {
37986 .read_time = pl031_read_time,
37987 .set_time = pl031_set_time,
37988 .read_alarm = pl031_read_alarm,
37989 @@ -392,7 +392,7 @@ static struct rtc_class_ops stv1_pl031_o
37990 };
37991
37992 /* And the second ST derivative */
37993 -static struct rtc_class_ops stv2_pl031_ops = {
37994 +static const struct rtc_class_ops stv2_pl031_ops = {
37995 .read_time = pl031_stv2_read_time,
37996 .set_time = pl031_stv2_set_time,
37997 .read_alarm = pl031_stv2_read_alarm,
37998 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-rx8025.c linux-2.6.39.3/drivers/rtc/rtc-rx8025.c
37999 --- linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-19 00:06:34.000000000 -0400
38000 +++ linux-2.6.39.3/drivers/rtc/rtc-rx8025.c 2011-05-22 19:36:32.000000000 -0400
38001 @@ -424,7 +424,7 @@ static int rx8025_alarm_irq_enable(struc
38002 return 0;
38003 }
38004
38005 -static struct rtc_class_ops rx8025_rtc_ops = {
38006 +static const struct rtc_class_ops rx8025_rtc_ops = {
38007 .read_time = rx8025_get_time,
38008 .set_time = rx8025_set_time,
38009 .read_alarm = rx8025_read_alarm,
38010 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-sh.c linux-2.6.39.3/drivers/rtc/rtc-sh.c
38011 --- linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-19 00:06:34.000000000 -0400
38012 +++ linux-2.6.39.3/drivers/rtc/rtc-sh.c 2011-05-22 19:36:32.000000000 -0400
38013 @@ -576,7 +576,7 @@ static int sh_rtc_set_alarm(struct devic
38014 return 0;
38015 }
38016
38017 -static struct rtc_class_ops sh_rtc_ops = {
38018 +static const struct rtc_class_ops sh_rtc_ops = {
38019 .read_time = sh_rtc_read_time,
38020 .set_time = sh_rtc_set_time,
38021 .read_alarm = sh_rtc_read_alarm,
38022 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c
38023 --- linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-19 00:06:34.000000000 -0400
38024 +++ linux-2.6.39.3/drivers/rtc/rtc-stmp3xxx.c 2011-05-22 19:36:32.000000000 -0400
38025 @@ -133,7 +133,7 @@ static int stmp3xxx_rtc_set_alarm(struct
38026 return 0;
38027 }
38028
38029 -static struct rtc_class_ops stmp3xxx_rtc_ops = {
38030 +static const struct rtc_class_ops stmp3xxx_rtc_ops = {
38031 .alarm_irq_enable =
38032 stmp3xxx_alarm_irq_enable,
38033 .read_time = stmp3xxx_rtc_gettime,
38034 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-tegra.c linux-2.6.39.3/drivers/rtc/rtc-tegra.c
38035 --- linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-19 00:06:34.000000000 -0400
38036 +++ linux-2.6.39.3/drivers/rtc/rtc-tegra.c 2011-05-22 19:36:32.000000000 -0400
38037 @@ -294,7 +294,7 @@ static irqreturn_t tegra_rtc_irq_handler
38038 return IRQ_HANDLED;
38039 }
38040
38041 -static struct rtc_class_ops tegra_rtc_ops = {
38042 +static const struct rtc_class_ops tegra_rtc_ops = {
38043 .read_time = tegra_rtc_read_time,
38044 .set_time = tegra_rtc_set_time,
38045 .read_alarm = tegra_rtc_read_alarm,
38046 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-twl.c linux-2.6.39.3/drivers/rtc/rtc-twl.c
38047 --- linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-19 00:06:34.000000000 -0400
38048 +++ linux-2.6.39.3/drivers/rtc/rtc-twl.c 2011-05-22 19:36:32.000000000 -0400
38049 @@ -415,7 +415,7 @@ out:
38050 return ret;
38051 }
38052
38053 -static struct rtc_class_ops twl_rtc_ops = {
38054 +static const struct rtc_class_ops twl_rtc_ops = {
38055 .read_time = twl_rtc_read_time,
38056 .set_time = twl_rtc_set_time,
38057 .read_alarm = twl_rtc_read_alarm,
38058 diff -urNp linux-2.6.39.3/drivers/rtc/rtc-v3020.c linux-2.6.39.3/drivers/rtc/rtc-v3020.c
38059 --- linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-19 00:06:34.000000000 -0400
38060 +++ linux-2.6.39.3/drivers/rtc/rtc-v3020.c 2011-05-22 19:36:32.000000000 -0400
38061 @@ -62,7 +62,7 @@ struct v3020 {
38062 /* GPIO access */
38063 struct v3020_gpio *gpio;
38064
38065 - struct v3020_chip_ops *ops;
38066 + const struct v3020_chip_ops *ops;
38067
38068 struct rtc_device *rtc;
38069 };
38070 @@ -100,7 +100,7 @@ static unsigned char v3020_mmio_read_bit
38071 return !!(readl(chip->ioaddress) & (1 << chip->leftshift));
38072 }
38073
38074 -static struct v3020_chip_ops v3020_mmio_ops = {
38075 +static const struct v3020_chip_ops v3020_mmio_ops = {
38076 .map_io = v3020_mmio_map,
38077 .unmap_io = v3020_mmio_unmap,
38078 .read_bit = v3020_mmio_read_bit,
38079 @@ -177,7 +177,7 @@ static unsigned char v3020_gpio_read_bit
38080 return bit;
38081 }
38082
38083 -static struct v3020_chip_ops v3020_gpio_ops = {
38084 +static const struct v3020_chip_ops v3020_gpio_ops = {
38085 .map_io = v3020_gpio_map,
38086 .unmap_io = v3020_gpio_unmap,
38087 .read_bit = v3020_gpio_read_bit,
38088 diff -urNp linux-2.6.39.3/drivers/s390/char/con3270.c linux-2.6.39.3/drivers/s390/char/con3270.c
38089 --- linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-19 00:06:34.000000000 -0400
38090 +++ linux-2.6.39.3/drivers/s390/char/con3270.c 2011-05-22 19:36:32.000000000 -0400
38091 @@ -28,7 +28,7 @@
38092 #define CON3270_OUTPUT_BUFFER_SIZE 1024
38093 #define CON3270_STRING_PAGES 4
38094
38095 -static struct raw3270_fn con3270_fn;
38096 +static const struct raw3270_fn con3270_fn;
38097
38098 /*
38099 * Main 3270 console view data structure.
38100 @@ -413,7 +413,7 @@ con3270_irq(struct con3270 *cp, struct r
38101 }
38102
38103 /* Console view to a 3270 device. */
38104 -static struct raw3270_fn con3270_fn = {
38105 +static const struct raw3270_fn con3270_fn = {
38106 .activate = con3270_activate,
38107 .deactivate = con3270_deactivate,
38108 .intv = (void *) con3270_irq
38109 diff -urNp linux-2.6.39.3/drivers/s390/char/fs3270.c linux-2.6.39.3/drivers/s390/char/fs3270.c
38110 --- linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-19 00:06:34.000000000 -0400
38111 +++ linux-2.6.39.3/drivers/s390/char/fs3270.c 2011-05-22 19:36:32.000000000 -0400
38112 @@ -24,7 +24,7 @@
38113 #include "raw3270.h"
38114 #include "ctrlchar.h"
38115
38116 -static struct raw3270_fn fs3270_fn;
38117 +static const struct raw3270_fn fs3270_fn;
38118
38119 struct fs3270 {
38120 struct raw3270_view view;
38121 @@ -413,7 +413,7 @@ fs3270_release(struct raw3270_view *view
38122 }
38123
38124 /* View to a 3270 device. Can be console, tty or fullscreen. */
38125 -static struct raw3270_fn fs3270_fn = {
38126 +static const struct raw3270_fn fs3270_fn = {
38127 .activate = fs3270_activate,
38128 .deactivate = fs3270_deactivate,
38129 .intv = (void *) fs3270_irq,
38130 diff -urNp linux-2.6.39.3/drivers/s390/char/raw3270.c linux-2.6.39.3/drivers/s390/char/raw3270.c
38131 --- linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-19 00:06:34.000000000 -0400
38132 +++ linux-2.6.39.3/drivers/s390/char/raw3270.c 2011-05-22 19:36:32.000000000 -0400
38133 @@ -488,7 +488,7 @@ raw3270_init_irq(struct raw3270_view *vi
38134 return RAW3270_IO_DONE;
38135 }
38136
38137 -static struct raw3270_fn raw3270_init_fn = {
38138 +static const struct raw3270_fn raw3270_init_fn = {
38139 .intv = raw3270_init_irq
38140 };
38141
38142 diff -urNp linux-2.6.39.3/drivers/s390/char/tty3270.c linux-2.6.39.3/drivers/s390/char/tty3270.c
38143 --- linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-19 00:06:34.000000000 -0400
38144 +++ linux-2.6.39.3/drivers/s390/char/tty3270.c 2011-05-22 19:36:32.000000000 -0400
38145 @@ -37,7 +37,7 @@
38146 struct tty_driver *tty3270_driver;
38147 static int tty3270_max_index;
38148
38149 -static struct raw3270_fn tty3270_fn;
38150 +static const struct raw3270_fn tty3270_fn;
38151
38152 struct tty3270_cell {
38153 unsigned char character;
38154 @@ -834,7 +834,7 @@ tty3270_del_views(void)
38155 }
38156 }
38157
38158 -static struct raw3270_fn tty3270_fn = {
38159 +static const struct raw3270_fn tty3270_fn = {
38160 .activate = tty3270_activate,
38161 .deactivate = tty3270_deactivate,
38162 .intv = (void *) tty3270_irq,
38163 diff -urNp linux-2.6.39.3/drivers/s390/cio/qdio_debug.c linux-2.6.39.3/drivers/s390/cio/qdio_debug.c
38164 --- linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-19 00:06:34.000000000 -0400
38165 +++ linux-2.6.39.3/drivers/s390/cio/qdio_debug.c 2011-05-22 19:36:32.000000000 -0400
38166 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
38167 filp->f_path.dentry->d_inode->i_private);
38168 }
38169
38170 -static struct file_operations debugfs_perf_fops = {
38171 +static const struct file_operations debugfs_perf_fops = {
38172 .owner = THIS_MODULE,
38173 .open = qperf_seq_open,
38174 .read = seq_read,
38175 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c
38176 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-19 00:06:34.000000000 -0400
38177 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_cex2a.c 2011-05-22 19:36:32.000000000 -0400
38178 @@ -415,7 +415,7 @@ out_free:
38179 /**
38180 * The crypto operations for a CEX2A card.
38181 */
38182 -static struct zcrypt_ops zcrypt_cex2a_ops = {
38183 +static const struct zcrypt_ops zcrypt_cex2a_ops = {
38184 .rsa_modexpo = zcrypt_cex2a_modexpo,
38185 .rsa_modexpo_crt = zcrypt_cex2a_modexpo_crt,
38186 };
38187 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c
38188 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-19 00:06:34.000000000 -0400
38189 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcica.c 2011-05-22 19:36:32.000000000 -0400
38190 @@ -347,7 +347,7 @@ out_free:
38191 /**
38192 * The crypto operations for a PCICA card.
38193 */
38194 -static struct zcrypt_ops zcrypt_pcica_ops = {
38195 +static const struct zcrypt_ops zcrypt_pcica_ops = {
38196 .rsa_modexpo = zcrypt_pcica_modexpo,
38197 .rsa_modexpo_crt = zcrypt_pcica_modexpo_crt,
38198 };
38199 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c
38200 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-19 00:06:34.000000000 -0400
38201 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcicc.c 2011-05-22 19:36:32.000000000 -0400
38202 @@ -553,7 +553,7 @@ out_free:
38203 /**
38204 * The crypto operations for a PCICC card.
38205 */
38206 -static struct zcrypt_ops zcrypt_pcicc_ops = {
38207 +static const struct zcrypt_ops zcrypt_pcicc_ops = {
38208 .rsa_modexpo = zcrypt_pcicc_modexpo,
38209 .rsa_modexpo_crt = zcrypt_pcicc_modexpo_crt,
38210 };
38211 diff -urNp linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c
38212 --- linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-19 00:06:34.000000000 -0400
38213 +++ linux-2.6.39.3/drivers/s390/crypto/zcrypt_pcixcc.c 2011-05-22 19:36:32.000000000 -0400
38214 @@ -851,13 +851,13 @@ static long zcrypt_pcixcc_rng(struct zcr
38215 /**
38216 * The crypto operations for a PCIXCC/CEX2C card.
38217 */
38218 -static struct zcrypt_ops zcrypt_pcixcc_ops = {
38219 +static const struct zcrypt_ops zcrypt_pcixcc_ops = {
38220 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38221 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38222 .send_cprb = zcrypt_pcixcc_send_cprb,
38223 };
38224
38225 -static struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38226 +static const struct zcrypt_ops zcrypt_pcixcc_with_rng_ops = {
38227 .rsa_modexpo = zcrypt_pcixcc_modexpo,
38228 .rsa_modexpo_crt = zcrypt_pcixcc_modexpo_crt,
38229 .send_cprb = zcrypt_pcixcc_send_cprb,
38230 diff -urNp linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c
38231 --- linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-19 00:06:34.000000000 -0400
38232 +++ linux-2.6.39.3/drivers/s390/kvm/kvm_virtio.c 2011-05-22 19:36:32.000000000 -0400
38233 @@ -266,7 +266,7 @@ error:
38234 /*
38235 * The config ops structure as defined by virtio config
38236 */
38237 -static struct virtio_config_ops kvm_vq_configspace_ops = {
38238 +static const struct virtio_config_ops kvm_vq_configspace_ops = {
38239 .get_features = kvm_get_features,
38240 .finalize_features = kvm_finalize_features,
38241 .get = kvm_get,
38242 diff -urNp linux-2.6.39.3/drivers/s390/net/qeth_core.h linux-2.6.39.3/drivers/s390/net/qeth_core.h
38243 --- linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-19 00:06:34.000000000 -0400
38244 +++ linux-2.6.39.3/drivers/s390/net/qeth_core.h 2011-05-22 19:36:32.000000000 -0400
38245 @@ -743,7 +743,7 @@ struct qeth_card {
38246 struct qeth_qdio_info qdio;
38247 struct qeth_perf_stats perf_stats;
38248 int read_or_write_problem;
38249 - struct qeth_osn_info osn_info;
38250 + const struct qeth_osn_info osn_info;
38251 struct qeth_discipline discipline;
38252 atomic_t force_alloc_skb;
38253 struct service_level qeth_service_level;
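Review bot: The `const` added to the embedded `osn_info` member of `struct qeth_card` does not give it write protection, because the member lives inside a card object rather than in a read-only section (the card is presumably allocated at run time; the allocation is not visible here). If any code still stores callbacks into `card->osn_info` after allocation, that assignment will now fail to compile or need a cast that hides the write. If the intent is only to mark the callbacks as set-once, a comment on the member such as `/* set only at OSN registration */` states that more accurately than the qualifier. The struct definition starts and ends outside the hunk.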
38254 diff -urNp linux-2.6.39.3/drivers/scsi/53c700.c linux-2.6.39.3/drivers/scsi/53c700.c
38255 --- linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-19 00:06:34.000000000 -0400
38256 +++ linux-2.6.39.3/drivers/scsi/53c700.c 2011-05-22 19:36:32.000000000 -0400
38257 @@ -2153,7 +2153,7 @@ EXPORT_SYMBOL(NCR_700_detect);
38258 EXPORT_SYMBOL(NCR_700_release);
38259 EXPORT_SYMBOL(NCR_700_intr);
38260
38261 -static struct spi_function_template NCR_700_transport_functions = {
38262 +static struct spi_function_template NCR_700_transport_functions = {
38263 .set_period = NCR_700_set_period,
38264 .show_period = 1,
38265 .set_offset = NCR_700_set_offset,
38266 diff -urNp linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c
38267 --- linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-19 00:06:34.000000000 -0400
38268 +++ linux-2.6.39.3/drivers/scsi/aacraid/commctrl.c 2011-05-22 19:36:32.000000000 -0400
38269 @@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
38270 u32 actual_fibsize64, actual_fibsize = 0;
38271 int i;
38272
38273 + pax_track_stack();
38274
38275 if (dev->in_reset) {
38276 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
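Review bot: The added `pax_track_stack();` in `aac_send_raw_srb` has no comment saying why this function needs it, and the same bare call is added in bfad.c, bfa_fcs_lport.c, bfa_fcs_rport.c, BusLogic.c, dpt_i2o.c, eata.c, fcoe_ctlr.c, gdth.c, gdth_proc.c and lpfc_debugfs.c. The call is presumably there because the function has a large stack frame that the stack-sanitising feature has to account for, but the locals that would justify it are mostly outside the hunks. A one-line comment such as `/* large on-stack buffers: keep stack tracking in sync */` would tell a maintainer when the call can be dropped, for example after the buffers move to the heap. The function body starts and ends outside the hunk.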
38277 diff -urNp linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c
38278 --- linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-19 00:06:34.000000000 -0400
38279 +++ linux-2.6.39.3/drivers/scsi/aic94xx/aic94xx_init.c 2011-05-22 19:41:37.000000000 -0400
38280 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
38281 flash_error_table[i].reason);
38282 }
38283
38284 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38285 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38286 asd_show_update_bios, asd_store_update_bios);
38287
38288 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
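Review bot: The mode on `update_bios` is now `S_IRUGO|S_IWUSR`, but nothing next to the `DEVICE_ATTR` says why write access must stay owner-only. Judging by the handler name `asd_store_update_bios`, a write starts a firmware update, so a later cleanup that restores group or world write would reopen that to unprivileged users. A comment above the macro such as `/* write triggers a BIOS flash: never group/world writable */` would pin the intent.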
38289 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c
38290 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-19 00:06:34.000000000 -0400
38291 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_core.c 2011-05-22 19:36:32.000000000 -0400
38292 @@ -24,7 +24,7 @@ BFA_TRC_FILE(HAL, CORE);
38293 /*
38294 * BFA module list terminated by NULL
38295 */
38296 -static struct bfa_module_s *hal_mods[] = {
38297 +static const struct bfa_module_s *hal_mods[] = {
38298 &hal_mod_sgpg,
38299 &hal_mod_fcport,
38300 &hal_mod_fcxp,
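Review bot: `static const struct bfa_module_s *hal_mods[]` makes the pointed-to modules const but leaves the array of pointers itself writable, so the table can still be repointed at run time and is not placed in read-only data. If nothing assigns to `hal_mods[i]` (not visible here), declare it as `static const struct bfa_module_s * const hal_mods[] = {`. The initializer continues past the end of the hunk.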
38301 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfad.c linux-2.6.39.3/drivers/scsi/bfa/bfad.c
38302 --- linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-19 00:06:34.000000000 -0400
38303 +++ linux-2.6.39.3/drivers/scsi/bfa/bfad.c 2011-05-22 19:36:32.000000000 -0400
38304 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
38305 struct bfad_vport_s *vport, *vport_new;
38306 struct bfa_fcs_driver_info_s driver_info;
38307
38308 + pax_track_stack();
38309 +
38310 /* Fill the driver_info info to fcs*/
38311 memset(&driver_info, 0, sizeof(driver_info));
38312 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
38313 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c
38314 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-19 00:06:34.000000000 -0400
38315 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs.c 2011-05-22 19:36:32.000000000 -0400
38316 @@ -70,7 +70,7 @@ bfa_fcs_attach(struct bfa_fcs_s *fcs, st
38317 bfa_boolean_t min_cfg)
38318 {
38319 int i;
38320 - struct bfa_fcs_mod_s *mod;
38321 + const struct bfa_fcs_mod_s *mod;
38322
38323 fcs->bfa = bfa;
38324 fcs->bfad = bfad;
38325 @@ -93,7 +93,7 @@ void
38326 bfa_fcs_init(struct bfa_fcs_s *fcs)
38327 {
38328 int i, npbc_vports;
38329 - struct bfa_fcs_mod_s *mod;
38330 + const struct bfa_fcs_mod_s *mod;
38331 struct bfi_pbc_vport_s pbc_vports[BFI_PBC_MAX_VPORTS];
38332
38333 for (i = 0; i < sizeof(fcs_modules) / sizeof(fcs_modules[0]); i++) {
38334 @@ -140,7 +140,7 @@ bfa_fcs_driver_info_init(struct bfa_fcs_
38335 void
38336 bfa_fcs_exit(struct bfa_fcs_s *fcs)
38337 {
38338 - struct bfa_fcs_mod_s *mod;
38339 + const struct bfa_fcs_mod_s *mod;
38340 int nmods, i;
38341
38342 bfa_wc_init(&fcs->wc, bfa_fcs_exit_comp, fcs);
38343 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c
38344 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-19 00:06:34.000000000 -0400
38345 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-22 19:36:32.000000000 -0400
38346 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
38347 u16 len, count;
38348 u16 templen;
38349
38350 + pax_track_stack();
38351 +
38352 /*
38353 * get hba attributes
38354 */
38355 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
38356 u8 count = 0;
38357 u16 templen;
38358
38359 + pax_track_stack();
38360 +
38361 /*
38362 * get port attributes
38363 */
38364 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c
38365 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-19 00:06:34.000000000 -0400
38366 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-22 19:36:32.000000000 -0400
38367 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
38368 struct fc_rpsc_speed_info_s speeds;
38369 struct bfa_port_attr_s pport_attr;
38370
38371 + pax_track_stack();
38372 +
38373 bfa_trc(port->fcs, rx_fchs->s_id);
38374 bfa_trc(port->fcs, rx_fchs->d_id);
38375
38376 diff -urNp linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h
38377 --- linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-19 00:06:34.000000000 -0400
38378 +++ linux-2.6.39.3/drivers/scsi/bfa/bfa_modules.h 2011-05-22 19:36:32.000000000 -0400
38379 @@ -68,8 +68,8 @@ enum {
38380 static void bfa_ ## __mod ## _stop(struct bfa_s *bfa); \
38381 static void bfa_ ## __mod ## _iocdisable(struct bfa_s *bfa); \
38382 \
38383 - extern struct bfa_module_s hal_mod_ ## __mod; \
38384 - struct bfa_module_s hal_mod_ ## __mod = { \
38385 + extern const struct bfa_module_s hal_mod_ ## __mod; \
38386 + const struct bfa_module_s hal_mod_ ## __mod = { \
38387 bfa_ ## __mod ## _meminfo, \
38388 bfa_ ## __mod ## _attach, \
38389 bfa_ ## __mod ## _detach, \
38390 @@ -116,12 +116,12 @@ struct bfa_s {
38391 };
38392
38393 extern bfa_boolean_t bfa_auto_recover;
38394 -extern struct bfa_module_s hal_mod_sgpg;
38395 -extern struct bfa_module_s hal_mod_fcport;
38396 -extern struct bfa_module_s hal_mod_fcxp;
38397 -extern struct bfa_module_s hal_mod_lps;
38398 -extern struct bfa_module_s hal_mod_uf;
38399 -extern struct bfa_module_s hal_mod_rport;
38400 -extern struct bfa_module_s hal_mod_fcpim;
38401 +extern const struct bfa_module_s hal_mod_sgpg;
38402 +extern const struct bfa_module_s hal_mod_fcport;
38403 +extern const struct bfa_module_s hal_mod_fcxp;
38404 +extern const struct bfa_module_s hal_mod_lps;
38405 +extern const struct bfa_module_s hal_mod_uf;
38406 +extern const struct bfa_module_s hal_mod_rport;
38407 +extern const struct bfa_module_s hal_mod_fcpim;
38408
38409 #endif /* __BFA_MODULES_H__ */
38410 diff -urNp linux-2.6.39.3/drivers/scsi/BusLogic.c linux-2.6.39.3/drivers/scsi/BusLogic.c
38411 --- linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-19 00:06:34.000000000 -0400
38412 +++ linux-2.6.39.3/drivers/scsi/BusLogic.c 2011-05-22 19:36:32.000000000 -0400
38413 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
38414 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38415 *PrototypeHostAdapter)
38416 {
38417 + pax_track_stack();
38418 +
38419 /*
38420 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38421 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38422 diff -urNp linux-2.6.39.3/drivers/scsi/dpt_i2o.c linux-2.6.39.3/drivers/scsi/dpt_i2o.c
38423 --- linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-19 00:06:34.000000000 -0400
38424 +++ linux-2.6.39.3/drivers/scsi/dpt_i2o.c 2011-05-22 19:36:32.000000000 -0400
38425 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38426 dma_addr_t addr;
38427 ulong flags = 0;
38428
38429 + pax_track_stack();
38430 +
38431 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38432 // get user msg size in u32s
38433 if(get_user(size, &user_msg[0])){
38434 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38435 s32 rcode;
38436 dma_addr_t addr;
38437
38438 + pax_track_stack();
38439 +
38440 memset(msg, 0 , sizeof(msg));
38441 len = scsi_bufflen(cmd);
38442 direction = 0x00000000;
38443 diff -urNp linux-2.6.39.3/drivers/scsi/eata.c linux-2.6.39.3/drivers/scsi/eata.c
38444 --- linux-2.6.39.3/drivers/scsi/eata.c 2011-05-19 00:06:34.000000000 -0400
38445 +++ linux-2.6.39.3/drivers/scsi/eata.c 2011-05-22 19:36:32.000000000 -0400
38446 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38447 struct hostdata *ha;
38448 char name[16];
38449
38450 + pax_track_stack();
38451 +
38452 sprintf(name, "%s%d", driver_name, j);
38453
38454 if (!request_region(port_base, REGION_SIZE, driver_name)) {
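Review bot: `sprintf(name, "%s%d", driver_name, j);` just below the added call writes into `char name[16]` with no bound, so the buffer is safe only while `driver_name` plus the digits of `j` stay under 16 bytes; `driver_name` is defined outside the hunk. Since this patch already touches the function for stack hardening, the write should be bounded as well: `snprintf(name, sizeof(name), "%s%d", driver_name, j);`. `port_detect` starts and ends outside the hunk.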
38455 diff -urNp linux-2.6.39.3/drivers/scsi/esp_scsi.c linux-2.6.39.3/drivers/scsi/esp_scsi.c
38456 --- linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-19 00:06:34.000000000 -0400
38457 +++ linux-2.6.39.3/drivers/scsi/esp_scsi.c 2011-05-22 19:36:32.000000000 -0400
38458 @@ -2680,7 +2680,7 @@ static void esp_set_width(struct scsi_ta
38459 tp->flags |= ESP_TGT_CHECK_NEGO;
38460 }
38461
38462 -static struct spi_function_template esp_transport_ops = {
38463 +static const struct spi_function_template esp_transport_ops = {
38464 .set_offset = esp_set_offset,
38465 .show_offset = 1,
38466 .set_period = esp_set_period,
38467 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c
38468 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-19 00:06:34.000000000 -0400
38469 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe.c 2011-05-22 19:36:32.000000000 -0400
38470 @@ -138,7 +138,7 @@ static int fcoe_vport_disable(struct fc_
38471 static void fcoe_set_vport_symbolic_name(struct fc_vport *);
38472 static void fcoe_set_port_id(struct fc_lport *, u32, struct fc_frame *);
38473
38474 -static struct libfc_function_template fcoe_libfc_fcn_templ = {
38475 +static const struct libfc_function_template fcoe_libfc_fcn_templ = {
38476 .frame_send = fcoe_xmit,
38477 .ddp_setup = fcoe_ddp_setup,
38478 .ddp_done = fcoe_ddp_done,
38479 diff -urNp linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c
38480 --- linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-19 00:06:34.000000000 -0400
38481 +++ linux-2.6.39.3/drivers/scsi/fcoe/fcoe_ctlr.c 2011-05-22 19:36:32.000000000 -0400
38482 @@ -1912,7 +1912,7 @@ static void fcoe_ctlr_vn_rport_callback(
38483 mutex_unlock(&fip->ctlr_mutex);
38484 }
38485
38486 -static struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38487 +static const struct fc_rport_operations fcoe_ctlr_vn_rport_ops = {
38488 .event_callback = fcoe_ctlr_vn_rport_callback,
38489 };
38490
38491 @@ -2458,6 +2458,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
38492 } buf;
38493 int rc;
38494
38495 + pax_track_stack();
38496 +
38497 fiph = (struct fip_header *)skb->data;
38498 sub = fiph->fip_subcode;
38499
38500 diff -urNp linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c
38501 --- linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-19 00:06:34.000000000 -0400
38502 +++ linux-2.6.39.3/drivers/scsi/fnic/fnic_main.c 2011-05-22 19:36:32.000000000 -0400
38503 @@ -69,7 +69,7 @@ module_param(fnic_log_level, int, S_IRUG
38504 MODULE_PARM_DESC(fnic_log_level, "bit mask of fnic logging levels");
38505
38506
38507 -static struct libfc_function_template fnic_transport_template = {
38508 +static const struct libfc_function_template fnic_transport_template = {
38509 .frame_send = fnic_send,
38510 .lport_set_port_id = fnic_set_port_id,
38511 .fcp_abort_io = fnic_empty_scsi_cleanup,
38512 diff -urNp linux-2.6.39.3/drivers/scsi/gdth.c linux-2.6.39.3/drivers/scsi/gdth.c
38513 --- linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-19 00:06:34.000000000 -0400
38514 +++ linux-2.6.39.3/drivers/scsi/gdth.c 2011-05-22 19:36:32.000000000 -0400
38515 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
38516 unsigned long flags;
38517 gdth_ha_str *ha;
38518
38519 + pax_track_stack();
38520 +
38521 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38522 return -EFAULT;
38523 ha = gdth_find_ha(ldrv.ionode);
38524 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
38525 gdth_ha_str *ha;
38526 int rval;
38527
38528 + pax_track_stack();
38529 +
38530 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38531 res.number >= MAX_HDRIVES)
38532 return -EFAULT;
38533 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
38534 gdth_ha_str *ha;
38535 int rval;
38536
38537 + pax_track_stack();
38538 +
38539 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38540 return -EFAULT;
38541 ha = gdth_find_ha(gen.ionode);
38542 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
38543 int i;
38544 gdth_cmd_str gdtcmd;
38545 char cmnd[MAX_COMMAND_SIZE];
38546 +
38547 + pax_track_stack();
38548 +
38549 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38550
38551 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38552 diff -urNp linux-2.6.39.3/drivers/scsi/gdth_proc.c linux-2.6.39.3/drivers/scsi/gdth_proc.c
38553 --- linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-19 00:06:34.000000000 -0400
38554 +++ linux-2.6.39.3/drivers/scsi/gdth_proc.c 2011-05-22 19:36:32.000000000 -0400
38555 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
38556 u64 paddr;
38557
38558 char cmnd[MAX_COMMAND_SIZE];
38559 +
38560 + pax_track_stack();
38561 +
38562 memset(cmnd, 0xff, 12);
38563 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38564
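Review bot: `memset(cmnd, 0xff, 12);` initialises only the first 12 bytes of `char cmnd[MAX_COMMAND_SIZE]`, while `gdth_flush` in gdth.c fills the whole array with `memset(cmnd, 0xff, MAX_COMMAND_SIZE);`. If `MAX_COMMAND_SIZE` is larger than 12 (its value is not visible here), the tail of the buffer keeps whatever was on the stack, which is the kind of stale data this patch is instrumenting against. Use `memset(cmnd, 0xff, sizeof(cmnd));` instead. `gdth_set_asc_info` continues outside the hunk.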
38565 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
38566 gdth_hget_str *phg;
38567 char cmnd[MAX_COMMAND_SIZE];
38568
38569 + pax_track_stack();
38570 +
38571 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38572 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38573 if (!gdtcmd || !estr)
38574 diff -urNp linux-2.6.39.3/drivers/scsi/hosts.c linux-2.6.39.3/drivers/scsi/hosts.c
38575 --- linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-19 00:06:34.000000000 -0400
38576 +++ linux-2.6.39.3/drivers/scsi/hosts.c 2011-05-22 19:36:32.000000000 -0400
38577 @@ -42,7 +42,7 @@
38578 #include "scsi_logging.h"
38579
38580
38581 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38582 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38583
38584
38585 static void scsi_host_cls_release(struct device *dev)
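Review bot: The switch of `scsi_host_next_hn` to `atomic_unchecked_t`, and of its use in `scsi_host_alloc` to `atomic_inc_return_unchecked` in the next hunk, removes overflow detection from this counter without saying why that is acceptable. It appears to be an ID allocator rather than a reference count, so a wrap cannot free an object early, but it would hand out a `host_no` that may already be in use. Extend the existing comment, e.g. `/* host_no for next new host; not a refcount, wrap is not checked */`, so the exemption is not copied to a counter where it would matter.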
38586 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38587 * subtract one because we increment first then return, but we need to
38588 * know what the next host number was before increment
38589 */
38590 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38591 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38592 shost->dma_channel = 0xff;
38593
38594 /* These three are default values which can be overridden */
38595 diff -urNp linux-2.6.39.3/drivers/scsi/hpsa.h linux-2.6.39.3/drivers/scsi/hpsa.h
38596 --- linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-19 00:06:34.000000000 -0400
38597 +++ linux-2.6.39.3/drivers/scsi/hpsa.h 2011-05-22 19:36:32.000000000 -0400
38598 @@ -347,7 +347,7 @@ static struct access_method SA5_access =
38599 SA5_completed,
38600 };
38601
38602 -static struct access_method SA5_performant_access = {
38603 +static const struct access_method SA5_performant_access = {
38604 SA5_submit_command,
38605 SA5_performant_intr_mask,
38606 SA5_fifo_full,
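Review bot: Only `SA5_performant_access` becomes `const`; the hunk header still shows `static struct access_method SA5_access =` from the old file, and this file section has no other hunk, so the sibling table of function pointers stays writable. If both tables are only read or copied from (their users are not visible here), the same qualifier applies: `static const struct access_method SA5_access = {`. The initializer of `SA5_performant_access` continues past the hunk.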
38607 diff -urNp linux-2.6.39.3/drivers/scsi/hptiop.c linux-2.6.39.3/drivers/scsi/hptiop.c
38608 --- linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-19 00:06:34.000000000 -0400
38609 +++ linux-2.6.39.3/drivers/scsi/hptiop.c 2011-05-22 19:36:32.000000000 -0400
38610 @@ -1226,7 +1226,7 @@ static void hptiop_remove(struct pci_dev
38611 scsi_host_put(host);
38612 }
38613
38614 -static struct hptiop_adapter_ops hptiop_itl_ops = {
38615 +static const struct hptiop_adapter_ops hptiop_itl_ops = {
38616 .iop_wait_ready = iop_wait_ready_itl,
38617 .internal_memalloc = NULL,
38618 .internal_memfree = NULL,
38619 @@ -1241,7 +1241,7 @@ static struct hptiop_adapter_ops hptiop_
38620 .post_req = hptiop_post_req_itl,
38621 };
38622
38623 -static struct hptiop_adapter_ops hptiop_mv_ops = {
38624 +static const struct hptiop_adapter_ops hptiop_mv_ops = {
38625 .iop_wait_ready = iop_wait_ready_mv,
38626 .internal_memalloc = hptiop_internal_memalloc_mv,
38627 .internal_memfree = hptiop_internal_memfree_mv,
38628 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c
38629 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-19 00:06:34.000000000 -0400
38630 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvfc.c 2011-05-22 19:36:32.000000000 -0400
38631 @@ -4881,7 +4881,7 @@ static struct vio_device_id ibmvfc_devic
38632 };
38633 MODULE_DEVICE_TABLE(vio, ibmvfc_device_table);
38634
38635 -static struct dev_pm_ops ibmvfc_pm_ops = {
38636 +static const struct dev_pm_ops ibmvfc_pm_ops = {
38637 .resume = ibmvfc_resume
38638 };
38639
38640 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c
38641 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-19 00:06:34.000000000 -0400
38642 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.c 2011-05-22 19:36:32.000000000 -0400
38643 @@ -104,7 +104,7 @@ static struct scsi_transport_template *i
38644
38645 #define IBMVSCSI_VERSION "1.5.9"
38646
38647 -static struct ibmvscsi_ops *ibmvscsi_ops;
38648 +static const struct ibmvscsi_ops *ibmvscsi_ops;
38649
38650 MODULE_DESCRIPTION("IBM Virtual SCSI");
38651 MODULE_AUTHOR("Dave Boutcher");
38652 @@ -2059,7 +2059,7 @@ static struct vio_device_id ibmvscsi_dev
38653 };
38654 MODULE_DEVICE_TABLE(vio, ibmvscsi_device_table);
38655
38656 -static struct dev_pm_ops ibmvscsi_pm_ops = {
38657 +static const struct dev_pm_ops ibmvscsi_pm_ops = {
38658 .resume = ibmvscsi_resume
38659 };
38660
38661 @@ -2075,7 +2075,7 @@ static struct vio_driver ibmvscsi_driver
38662 }
38663 };
38664
38665 -static struct srp_function_template ibmvscsi_transport_functions = {
38666 +static const struct srp_function_template ibmvscsi_transport_functions = {
38667 };
38668
38669 int __init ibmvscsi_module_init(void)
38670 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h
38671 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-19 00:06:34.000000000 -0400
38672 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvscsi.h 2011-05-22 19:36:32.000000000 -0400
38673 @@ -127,7 +127,7 @@ struct ibmvscsi_ops {
38674 int (*resume) (struct ibmvscsi_host_data *hostdata);
38675 };
38676
38677 -extern struct ibmvscsi_ops iseriesvscsi_ops;
38678 -extern struct ibmvscsi_ops rpavscsi_ops;
38679 +extern const struct ibmvscsi_ops iseriesvscsi_ops;
38680 +extern const struct ibmvscsi_ops rpavscsi_ops;
38681
38682 #endif /* IBMVSCSI_H */
38683 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c
38684 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-19 00:06:34.000000000 -0400
38685 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/ibmvstgt.c 2011-05-22 19:36:32.000000000 -0400
38686 @@ -951,7 +951,7 @@ static int get_system_info(void)
38687 return 0;
38688 }
38689
38690 -static struct srp_function_template ibmvstgt_transport_functions = {
38691 +static const struct srp_function_template ibmvstgt_transport_functions = {
38692 .tsk_mgmt_response = ibmvstgt_tsk_mgmt_response,
38693 .it_nexus_response = ibmvstgt_it_nexus_response,
38694 };
38695 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c
38696 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38697 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/iseries_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38698 @@ -163,7 +163,7 @@ static int iseriesvscsi_resume(struct ib
38699 return 0;
38700 }
38701
38702 -struct ibmvscsi_ops iseriesvscsi_ops = {
38703 +const struct ibmvscsi_ops iseriesvscsi_ops = {
38704 .init_crq_queue = iseriesvscsi_init_crq_queue,
38705 .release_crq_queue = iseriesvscsi_release_crq_queue,
38706 .reset_crq_queue = iseriesvscsi_reset_crq_queue,
38707 diff -urNp linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c
38708 --- linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-19 00:06:34.000000000 -0400
38709 +++ linux-2.6.39.3/drivers/scsi/ibmvscsi/rpa_vscsi.c 2011-05-22 19:36:32.000000000 -0400
38710 @@ -358,7 +358,7 @@ static int rpavscsi_resume(struct ibmvsc
38711 return 0;
38712 }
38713
38714 -struct ibmvscsi_ops rpavscsi_ops = {
38715 +const struct ibmvscsi_ops rpavscsi_ops = {
38716 .init_crq_queue = rpavscsi_init_crq_queue,
38717 .release_crq_queue = rpavscsi_release_crq_queue,
38718 .reset_crq_queue = rpavscsi_reset_crq_queue,
38719 diff -urNp linux-2.6.39.3/drivers/scsi/ipr.c linux-2.6.39.3/drivers/scsi/ipr.c
38720 --- linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-19 00:06:34.000000000 -0400
38721 +++ linux-2.6.39.3/drivers/scsi/ipr.c 2011-05-22 19:36:32.000000000 -0400
38722 @@ -6210,7 +6210,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38723 return true;
38724 }
38725
38726 -static struct ata_port_operations ipr_sata_ops = {
38727 +static const struct ata_port_operations ipr_sata_ops = {
38728 .phy_reset = ipr_ata_phy_reset,
38729 .hardreset = ipr_sata_reset,
38730 .post_internal_cmd = ipr_ata_post_internal,
38731 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c
38732 --- linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-19 00:06:34.000000000 -0400
38733 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_exch.c 2011-05-22 19:36:32.000000000 -0400
38734 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
38735 * all together if not used XXX
38736 */
38737 struct {
38738 - atomic_t no_free_exch;
38739 - atomic_t no_free_exch_xid;
38740 - atomic_t xid_not_found;
38741 - atomic_t xid_busy;
38742 - atomic_t seq_not_found;
38743 - atomic_t non_bls_resp;
38744 + atomic_unchecked_t no_free_exch;
38745 + atomic_unchecked_t no_free_exch_xid;
38746 + atomic_unchecked_t xid_not_found;
38747 + atomic_unchecked_t xid_busy;
38748 + atomic_unchecked_t seq_not_found;
38749 + atomic_unchecked_t non_bls_resp;
38750 } stats;
38751 };
38752
38753 @@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
38754 /* allocate memory for exchange */
38755 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38756 if (!ep) {
38757 - atomic_inc(&mp->stats.no_free_exch);
38758 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38759 goto out;
38760 }
38761 memset(ep, 0, sizeof(*ep));
38762 @@ -761,7 +761,7 @@ out:
38763 return ep;
38764 err:
38765 spin_unlock_bh(&pool->lock);
38766 - atomic_inc(&mp->stats.no_free_exch_xid);
38767 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38768 mempool_free(ep, mp->ep_pool);
38769 return NULL;
38770 }
38771 @@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38772 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38773 ep = fc_exch_find(mp, xid);
38774 if (!ep) {
38775 - atomic_inc(&mp->stats.xid_not_found);
38776 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38777 reject = FC_RJT_OX_ID;
38778 goto out;
38779 }
38780 @@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38781 ep = fc_exch_find(mp, xid);
38782 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38783 if (ep) {
38784 - atomic_inc(&mp->stats.xid_busy);
38785 + atomic_inc_unchecked(&mp->stats.xid_busy);
38786 reject = FC_RJT_RX_ID;
38787 goto rel;
38788 }
38789 @@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38790 }
38791 xid = ep->xid; /* get our XID */
38792 } else if (!ep) {
38793 - atomic_inc(&mp->stats.xid_not_found);
38794 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38795 reject = FC_RJT_RX_ID; /* XID not found */
38796 goto out;
38797 }
38798 @@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38799 } else {
38800 sp = &ep->seq;
38801 if (sp->id != fh->fh_seq_id) {
38802 - atomic_inc(&mp->stats.seq_not_found);
38803 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38804 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38805 goto rel;
38806 }
38807 @@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
38808
38809 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38810 if (!ep) {
38811 - atomic_inc(&mp->stats.xid_not_found);
38812 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38813 goto out;
38814 }
38815 if (ep->esb_stat & ESB_ST_COMPLETE) {
38816 - atomic_inc(&mp->stats.xid_not_found);
38817 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38818 goto rel;
38819 }
38820 if (ep->rxid == FC_XID_UNKNOWN)
38821 ep->rxid = ntohs(fh->fh_rx_id);
38822 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38823 - atomic_inc(&mp->stats.xid_not_found);
38824 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38825 goto rel;
38826 }
38827 if (ep->did != ntoh24(fh->fh_s_id) &&
38828 ep->did != FC_FID_FLOGI) {
38829 - atomic_inc(&mp->stats.xid_not_found);
38830 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38831 goto rel;
38832 }
38833 sof = fr_sof(fp);
38834 @@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
38835 sp->ssb_stat |= SSB_ST_RESP;
38836 sp->id = fh->fh_seq_id;
38837 } else if (sp->id != fh->fh_seq_id) {
38838 - atomic_inc(&mp->stats.seq_not_found);
38839 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38840 goto rel;
38841 }
38842
38843 @@ -1479,9 +1479,9 @@ static void fc_exch_recv_resp(struct fc_
38844 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38845
38846 if (!sp)
38847 - atomic_inc(&mp->stats.xid_not_found);
38848 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38849 else
38850 - atomic_inc(&mp->stats.non_bls_resp);
38851 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38852
38853 fc_frame_free(fp);
38854 }
38855 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c
38856 --- linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-19 00:06:34.000000000 -0400
38857 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_lport.c 2011-05-22 19:36:32.000000000 -0400
38858 @@ -1299,7 +1299,7 @@ static void fc_lport_enter_ns(struct fc_
38859 fc_lport_error(lport, fp);
38860 }
38861
38862 -static struct fc_rport_operations fc_lport_rport_ops = {
38863 +static const struct fc_rport_operations fc_lport_rport_ops = {
38864 .event_callback = fc_lport_rport_callback,
38865 };
38866
38867 diff -urNp linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c
38868 --- linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-19 00:06:34.000000000 -0400
38869 +++ linux-2.6.39.3/drivers/scsi/libfc/fc_rport.c 2011-05-22 19:36:32.000000000 -0400
38870 @@ -256,7 +256,7 @@ static void fc_rport_work(struct work_st
38871 struct fc_rport_libfc_priv *rpriv;
38872 enum fc_rport_event event;
38873 struct fc_lport *lport = rdata->local_port;
38874 - struct fc_rport_operations *rport_ops;
38875 + const struct fc_rport_operations *rport_ops;
38876 struct fc_rport_identifiers ids;
38877 struct fc_rport *rport;
38878 struct fc4_prov *prov;
38879 diff -urNp linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c
38880 --- linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-19 00:06:34.000000000 -0400
38881 +++ linux-2.6.39.3/drivers/scsi/libsas/sas_ata.c 2011-05-22 19:36:32.000000000 -0400
38882 @@ -307,14 +307,14 @@ static void sas_ata_post_internal(struct
38883 }
38884 }
38885
38886 -static struct ata_port_operations sas_sata_ops = {
38887 +static const struct ata_port_operations sas_sata_ops = {
38888 .prereset = ata_std_prereset,
38889 .softreset = NULL,
38890 .hardreset = sas_ata_hard_reset,
38891 .postreset = ata_std_postreset,
38892 .error_handler = ata_std_error_handler,
38893 .post_internal_cmd = sas_ata_post_internal,
38894 - .qc_defer = ata_std_qc_defer,
38895 + .qc_defer = ata_std_qc_defer,
38896 .qc_prep = ata_noop_qc_prep,
38897 .qc_issue = sas_ata_qc_issue,
38898 .qc_fill_rtf = sas_ata_qc_fill_rtf,
38899 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c
38900 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-19 00:06:34.000000000 -0400
38901 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-22 19:36:32.000000000 -0400
38902 @@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
38903
38904 #include <linux/debugfs.h>
38905
38906 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38907 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38908 static unsigned long lpfc_debugfs_start_time = 0L;
38909
38910 /* iDiag */
38911 @@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38912 lpfc_debugfs_enable = 0;
38913
38914 len = 0;
38915 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38916 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38917 (lpfc_debugfs_max_disc_trc - 1);
38918 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38919 dtp = vport->disc_trc + i;
38920 @@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38921 lpfc_debugfs_enable = 0;
38922
38923 len = 0;
38924 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38925 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38926 (lpfc_debugfs_max_slow_ring_trc - 1);
38927 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38928 dtp = phba->slow_ring_trc + i;
38929 @@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38930 uint32_t *ptr;
38931 char buffer[1024];
38932
38933 + pax_track_stack();
38934 +
38935 off = 0;
38936 spin_lock_irq(&phba->hbalock);
38937
38938 @@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38939 !vport || !vport->disc_trc)
38940 return;
38941
38942 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38943 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
38944 (lpfc_debugfs_max_disc_trc - 1);
38945 dtp = vport->disc_trc + index;
38946 dtp->fmt = fmt;
38947 dtp->data1 = data1;
38948 dtp->data2 = data2;
38949 dtp->data3 = data3;
38950 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38951 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38952 dtp->jif = jiffies;
38953 #endif
38954 return;
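Review bot: `atomic_inc_return_unchecked(&vport->disc_trc_cnt) & (lpfc_debugfs_max_disc_trc - 1)` lets the counter wrap, so the index into `vport->disc_trc` stays in range only because of the mask, and the mask is a valid bound only if `lpfc_debugfs_max_disc_trc` is a power of two. That invariant is established outside the hunk, if at all. A comment at the index computation, e.g. `/* counter may wrap; mask keeps index in range (size is a power of two) */`, would record the dependency. The same applies to `slow_ring_trc_cnt` in the `lpfc_debugfs_slow_ring_trc` hunk.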
38955 @@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
38956 !phba || !phba->slow_ring_trc)
38957 return;
38958
38959 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
38960 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
38961 (lpfc_debugfs_max_slow_ring_trc - 1);
38962 dtp = phba->slow_ring_trc + index;
38963 dtp->fmt = fmt;
38964 dtp->data1 = data1;
38965 dtp->data2 = data2;
38966 dtp->data3 = data3;
38967 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
38968 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
38969 dtp->jif = jiffies;
38970 #endif
38971 return;
38972 @@ -2145,7 +2147,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38973 "slow_ring buffer\n");
38974 goto debug_failed;
38975 }
38976 - atomic_set(&phba->slow_ring_trc_cnt, 0);
38977 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
38978 memset(phba->slow_ring_trc, 0,
38979 (sizeof(struct lpfc_debugfs_trc) *
38980 lpfc_debugfs_max_slow_ring_trc));
38981 @@ -2191,7 +2193,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
38982 "buffer\n");
38983 goto debug_failed;
38984 }
38985 - atomic_set(&vport->disc_trc_cnt, 0);
38986 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
38987
38988 snprintf(name, sizeof(name), "discovery_trace");
38989 vport->debug_disc_trc =
38990 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h
38991 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-19 00:06:34.000000000 -0400
38992 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc.h 2011-05-22 19:36:32.000000000 -0400
38993 @@ -419,7 +419,7 @@ struct lpfc_vport {
38994 struct dentry *debug_nodelist;
38995 struct dentry *vport_debugfs_root;
38996 struct lpfc_debugfs_trc *disc_trc;
38997 - atomic_t disc_trc_cnt;
38998 + atomic_unchecked_t disc_trc_cnt;
38999 #endif
39000 uint8_t stat_data_enabled;
39001 uint8_t stat_data_blocked;
39002 @@ -785,8 +785,8 @@ struct lpfc_hba {
39003 struct timer_list fabric_block_timer;
39004 unsigned long bit_flags;
39005 #define FABRIC_COMANDS_BLOCKED 0
39006 - atomic_t num_rsrc_err;
39007 - atomic_t num_cmd_success;
39008 + atomic_unchecked_t num_rsrc_err;
39009 + atomic_unchecked_t num_cmd_success;
39010 unsigned long last_rsrc_error_time;
39011 unsigned long last_ramp_down_time;
39012 unsigned long last_ramp_up_time;
39013 @@ -800,7 +800,7 @@ struct lpfc_hba {
39014 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
39015 struct dentry *debug_slow_ring_trc;
39016 struct lpfc_debugfs_trc *slow_ring_trc;
39017 - atomic_t slow_ring_trc_cnt;
39018 + atomic_unchecked_t slow_ring_trc_cnt;
39019 /* iDiag debugfs sub-directory */
39020 struct dentry *idiag_root;
39021 struct dentry *idiag_pci_cfg;
39022 diff -urNp linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c
39023 --- linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-19 00:06:34.000000000 -0400
39024 +++ linux-2.6.39.3/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-22 19:36:32.000000000 -0400
39025 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
39026 uint32_t evt_posted;
39027
39028 spin_lock_irqsave(&phba->hbalock, flags);
39029 - atomic_inc(&phba->num_rsrc_err);
39030 + atomic_inc_unchecked(&phba->num_rsrc_err);
39031 phba->last_rsrc_error_time = jiffies;
39032
39033 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
39034 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
39035 unsigned long flags;
39036 struct lpfc_hba *phba = vport->phba;
39037 uint32_t evt_posted;
39038 - atomic_inc(&phba->num_cmd_success);
39039 + atomic_inc_unchecked(&phba->num_cmd_success);
39040
39041 if (vport->cfg_lun_queue_depth <= queue_depth)
39042 return;
39043 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39044 unsigned long num_rsrc_err, num_cmd_success;
39045 int i;
39046
39047 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
39048 - num_cmd_success = atomic_read(&phba->num_cmd_success);
39049 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
39050 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
39051
39052 vports = lpfc_create_vport_work_array(phba);
39053 if (vports != NULL)
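Review bot: `num_rsrc_err` and `num_cmd_success` are declared `unsigned long`, so the `int` returned by `atomic_read_unchecked()` is sign-extended if either counter has wrapped past INT_MAX, which the unchecked type now permits silently. Both counters are reset to zero at the end of this handler, so a wrap is unlikely, but the values look like inputs to the queue-depth calculation rather than pure statistics (the calculation itself is outside the hunk). Reading them as `(unsigned int)atomic_read_unchecked(&phba->num_rsrc_err)` keeps each value bounded to 32 bits either way.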
39054 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39055 }
39056 }
39057 lpfc_destroy_vport_work_array(phba, vports);
39058 - atomic_set(&phba->num_rsrc_err, 0);
39059 - atomic_set(&phba->num_cmd_success, 0);
39060 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39061 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39062 }
39063
39064 /**
39065 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
39066 }
39067 }
39068 lpfc_destroy_vport_work_array(phba, vports);
39069 - atomic_set(&phba->num_rsrc_err, 0);
39070 - atomic_set(&phba->num_cmd_success, 0);
39071 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39072 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39073 }
39074
39075 /**
39076 diff -urNp linux-2.6.39.3/drivers/scsi/mac_esp.c linux-2.6.39.3/drivers/scsi/mac_esp.c
39077 --- linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-19 00:06:34.000000000 -0400
39078 +++ linux-2.6.39.3/drivers/scsi/mac_esp.c 2011-05-22 19:36:32.000000000 -0400
39079 @@ -473,7 +473,7 @@ static irqreturn_t mac_scsi_esp_intr(int
39080 return IRQ_HANDLED;
39081 }
39082
39083 -static struct esp_driver_ops mac_esp_ops = {
39084 +static const struct esp_driver_ops mac_esp_ops = {
39085 .esp_write8 = mac_esp_write8,
39086 .esp_read8 = mac_esp_read8,
39087 .map_single = mac_esp_map_single,
39088 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c
39089 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-19 00:06:34.000000000 -0400
39090 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-22 19:36:32.000000000 -0400
39091 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
39092 int rval;
39093 int i;
39094
39095 + pax_track_stack();
39096 +
39097 // Allocate memory for the base list of scb for management module.
39098 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
39099
39100 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c
39101 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-19 00:06:34.000000000 -0400
39102 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_base.c 2011-05-22 19:36:32.000000000 -0400
39103 @@ -366,7 +366,7 @@ megasas_check_reset_xscale(struct megasa
39104 return 0;
39105 }
39106
39107 -static struct megasas_instance_template megasas_instance_template_xscale = {
39108 +static const struct megasas_instance_template megasas_instance_template_xscale = {
39109
39110 .fire_cmd = megasas_fire_cmd_xscale,
39111 .enable_intr = megasas_enable_intr_xscale,
39112 @@ -497,7 +497,7 @@ megasas_check_reset_ppc(struct megasas_i
39113 {
39114 return 0;
39115 }
39116 -static struct megasas_instance_template megasas_instance_template_ppc = {
39117 +static const struct megasas_instance_template megasas_instance_template_ppc = {
39118
39119 .fire_cmd = megasas_fire_cmd_ppc,
39120 .enable_intr = megasas_enable_intr_ppc,
39121 @@ -623,7 +623,7 @@ megasas_check_reset_skinny(struct megasa
39122 return 0;
39123 }
39124
39125 -static struct megasas_instance_template megasas_instance_template_skinny = {
39126 +static const struct megasas_instance_template megasas_instance_template_skinny = {
39127
39128 .fire_cmd = megasas_fire_cmd_skinny,
39129 .enable_intr = megasas_enable_intr_skinny,
39130 @@ -810,7 +810,7 @@ megasas_check_reset_gen2(struct megasas_
39131 return 0;
39132 }
39133
39134 -static struct megasas_instance_template megasas_instance_template_gen2 = {
39135 +static const struct megasas_instance_template megasas_instance_template_gen2 = {
39136
39137 .fire_cmd = megasas_fire_cmd_gen2,
39138 .enable_intr = megasas_enable_intr_gen2,
39139 @@ -834,7 +834,7 @@ static struct megasas_instance_template
39140 /*
39141 * Template added for TB (Fusion)
39142 */
39143 -extern struct megasas_instance_template megasas_instance_template_fusion;
39144 +extern const struct megasas_instance_template megasas_instance_template_fusion;
39145
39146 /**
39147 * megasas_issue_polled - Issues a polling command
39148 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c
39149 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-19 00:06:34.000000000 -0400
39150 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas_fusion.c 2011-05-22 19:36:32.000000000 -0400
39151 @@ -2236,7 +2236,7 @@ void megasas_fusion_ocr_wq(struct work_s
39152 megasas_reset_fusion(instance->host);
39153 }
39154
39155 -struct megasas_instance_template megasas_instance_template_fusion = {
39156 +const struct megasas_instance_template megasas_instance_template_fusion = {
39157 .fire_cmd = megasas_fire_cmd_fusion,
39158 .enable_intr = megasas_enable_intr_fusion,
39159 .disable_intr = megasas_disable_intr_fusion,
39160 diff -urNp linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h
39161 --- linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-19 00:06:34.000000000 -0400
39162 +++ linux-2.6.39.3/drivers/scsi/megaraid/megaraid_sas.h 2011-05-22 19:36:32.000000000 -0400
39163 @@ -1330,7 +1330,7 @@ struct megasas_instance {
39164 atomic_t fw_outstanding;
39165 atomic_t fw_reset_no_pci_access;
39166
39167 - struct megasas_instance_template *instancet;
39168 + const struct megasas_instance_template *instancet;
39169 struct tasklet_struct isr_tasklet;
39170 struct work_struct work_init;
39171
39172 diff -urNp linux-2.6.39.3/drivers/scsi/ncr53c8xx.c linux-2.6.39.3/drivers/scsi/ncr53c8xx.c
39173 --- linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-19 00:06:34.000000000 -0400
39174 +++ linux-2.6.39.3/drivers/scsi/ncr53c8xx.c 2011-05-22 19:36:32.000000000 -0400
39175 @@ -8606,7 +8606,7 @@ static void ncr53c8xx_get_signalling(str
39176 spi_signalling(shost) = type;
39177 }
39178
39179 -static struct spi_function_template ncr53c8xx_transport_functions = {
39180 +static struct spi_function_template ncr53c8xx_transport_functions = {
39181 .set_period = ncr53c8xx_set_period,
39182 .show_period = 1,
39183 .set_offset = ncr53c8xx_set_offset,
39184 diff -urNp linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c
39185 --- linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-19 00:06:34.000000000 -0400
39186 +++ linux-2.6.39.3/drivers/scsi/osd/osd_initiator.c 2011-05-22 19:36:32.000000000 -0400
39187 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
39188 int nelem = ARRAY_SIZE(get_attrs), a = 0;
39189 int ret;
39190
39191 + pax_track_stack();
39192 +
39193 or = osd_start_request(od, GFP_KERNEL);
39194 if (!or)
39195 return -ENOMEM;
39196 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.c linux-2.6.39.3/drivers/scsi/pmcraid.c
39197 --- linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-19 00:06:34.000000000 -0400
39198 +++ linux-2.6.39.3/drivers/scsi/pmcraid.c 2011-05-22 19:36:32.000000000 -0400
39199 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
39200 res->scsi_dev = scsi_dev;
39201 scsi_dev->hostdata = res;
39202 res->change_detected = 0;
39203 - atomic_set(&res->read_failures, 0);
39204 - atomic_set(&res->write_failures, 0);
39205 + atomic_set_unchecked(&res->read_failures, 0);
39206 + atomic_set_unchecked(&res->write_failures, 0);
39207 rc = 0;
39208 }
39209 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39210 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
39211
39212 /* If this was a SCSI read/write command keep count of errors */
39213 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39214 - atomic_inc(&res->read_failures);
39215 + atomic_inc_unchecked(&res->read_failures);
39216 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39217 - atomic_inc(&res->write_failures);
39218 + atomic_inc_unchecked(&res->write_failures);
39219
39220 if (!RES_IS_GSCSI(res->cfg_entry) &&
39221 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39222 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
39223 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39224 * hrrq_id assigned here in queuecommand
39225 */
39226 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39227 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39228 pinstance->num_hrrq;
39229 cmd->cmd_done = pmcraid_io_done;
39230
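Review bot: `atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq` takes the remainder of a value that is now allowed to wrap negative. If `num_hrrq` is a signed type (its declaration is not in this excerpt), the remainder is negative after a wrap and `hrrq_id` no longer names a valid queue; if it is unsigned the result stays in range. Casting first, `(u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq`, makes the result well-defined in both cases. The identical expression in pmcraid_ioctl_passthrough (next hunk) needs the same treatment.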
39231 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
39232 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
39233 * hrrq_id assigned here in queuecommand
39234 */
39235 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
39236 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
39237 pinstance->num_hrrq;
39238
39239 if (request_size) {
39240 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
39241
39242 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39243 /* add resources only after host is added into system */
39244 - if (!atomic_read(&pinstance->expose_resources))
39245 + if (!atomic_read_unchecked(&pinstance->expose_resources))
39246 return;
39247
39248 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
39249 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
39250 init_waitqueue_head(&pinstance->reset_wait_q);
39251
39252 atomic_set(&pinstance->outstanding_cmds, 0);
39253 - atomic_set(&pinstance->last_message_id, 0);
39254 - atomic_set(&pinstance->expose_resources, 0);
39255 + atomic_set_unchecked(&pinstance->last_message_id, 0);
39256 + atomic_set_unchecked(&pinstance->expose_resources, 0);
39257
39258 INIT_LIST_HEAD(&pinstance->free_res_q);
39259 INIT_LIST_HEAD(&pinstance->used_res_q);
39260 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
39261 /* Schedule worker thread to handle CCN and take care of adding and
39262 * removing devices to OS
39263 */
39264 - atomic_set(&pinstance->expose_resources, 1);
39265 + atomic_set_unchecked(&pinstance->expose_resources, 1);
39266 schedule_work(&pinstance->worker_q);
39267 return rc;
39268
39269 diff -urNp linux-2.6.39.3/drivers/scsi/pmcraid.h linux-2.6.39.3/drivers/scsi/pmcraid.h
39270 --- linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-19 00:06:34.000000000 -0400
39271 +++ linux-2.6.39.3/drivers/scsi/pmcraid.h 2011-05-22 19:36:32.000000000 -0400
39272 @@ -750,7 +750,7 @@ struct pmcraid_instance {
39273 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
39274
39275 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
39276 - atomic_t last_message_id;
39277 + atomic_unchecked_t last_message_id;
39278
39279 /* configuration table */
39280 struct pmcraid_config_table *cfg_table;
39281 @@ -779,7 +779,7 @@ struct pmcraid_instance {
39282 atomic_t outstanding_cmds;
39283
39284 /* should add/delete resources to mid-layer now ?*/
39285 - atomic_t expose_resources;
39286 + atomic_unchecked_t expose_resources;
39287
39288
39289
39290 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
39291 struct pmcraid_config_table_entry_ext cfg_entry_ext;
39292 };
39293 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39294 - atomic_t read_failures; /* count of failed READ commands */
39295 - atomic_t write_failures; /* count of failed WRITE commands */
39296 + atomic_unchecked_t read_failures; /* count of failed READ commands */
39297 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39298
39299 /* To indicate add/delete/modify during CCN */
39300 u8 change_detected;
39301 diff -urNp linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c
39302 --- linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:04:14.000000000 -0400
39303 +++ linux-2.6.39.3/drivers/scsi/qla2xxx/qla_os.c 2011-06-03 00:32:06.000000000 -0400
39304 @@ -4103,7 +4103,7 @@ static struct pci_driver qla2xxx_pci_dri
39305 .err_handler = &qla2xxx_err_handler,
39306 };
39307
39308 -static struct file_operations apidev_fops = {
39309 +static const struct file_operations apidev_fops = {
39310 .owner = THIS_MODULE,
39311 .llseek = noop_llseek,
39312 };
39313 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h
39314 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-19 00:06:34.000000000 -0400
39315 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_def.h 2011-05-22 19:36:32.000000000 -0400
39316 @@ -256,7 +256,7 @@ struct ddb_entry {
39317 atomic_t retry_relogin_timer; /* Min Time between relogins
39318 * (4000 only) */
39319 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39320 - atomic_t relogin_retry_count; /* Num of times relogin has been
39321 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39322 * retried */
39323
39324 uint16_t port;
39325 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c
39326 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-19 00:06:34.000000000 -0400
39327 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_init.c 2011-05-22 19:36:32.000000000 -0400
39328 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
39329 ddb_entry->fw_ddb_index = fw_ddb_index;
39330 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39331 atomic_set(&ddb_entry->relogin_timer, 0);
39332 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39333 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39334 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39335 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39336 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39337 @@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
39338 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
39339 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
39340 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39341 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39342 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39343 atomic_set(&ddb_entry->relogin_timer, 0);
39344 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39345 iscsi_unblock_session(ddb_entry->sess);
39346 diff -urNp linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c
39347 --- linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-19 00:06:34.000000000 -0400
39348 +++ linux-2.6.39.3/drivers/scsi/qla4xxx/ql4_os.c 2011-05-22 19:36:32.000000000 -0400
39349 @@ -802,13 +802,13 @@ static void qla4xxx_timer(struct scsi_ql
39350 ddb_entry->fw_ddb_device_state ==
39351 DDB_DS_SESSION_FAILED) {
39352 /* Reset retry relogin timer */
39353 - atomic_inc(&ddb_entry->relogin_retry_count);
39354 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39355 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
39356 " timed out-retrying"
39357 " relogin (%d)\n",
39358 ha->host_no,
39359 ddb_entry->fw_ddb_index,
39360 - atomic_read(&ddb_entry->
39361 + atomic_read_unchecked(&ddb_entry->
39362 relogin_retry_count))
39363 );
39364 start_dpc++;
39365 diff -urNp linux-2.6.39.3/drivers/scsi/scsi.c linux-2.6.39.3/drivers/scsi/scsi.c
39366 --- linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-19 00:06:34.000000000 -0400
39367 +++ linux-2.6.39.3/drivers/scsi/scsi.c 2011-05-22 19:36:32.000000000 -0400
39368 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39369 unsigned long timeout;
39370 int rtn = 0;
39371
39372 - atomic_inc(&cmd->device->iorequest_cnt);
39373 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39374
39375 /* check if the device is still usable */
39376 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39377 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_debug.c linux-2.6.39.3/drivers/scsi/scsi_debug.c
39378 --- linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-19 00:06:34.000000000 -0400
39379 +++ linux-2.6.39.3/drivers/scsi/scsi_debug.c 2011-05-22 19:36:32.000000000 -0400
39380 @@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
39381 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39382 unsigned char *cmd = (unsigned char *)scp->cmnd;
39383
39384 + pax_track_stack();
39385 +
39386 if ((errsts = check_readiness(scp, 1, devip)))
39387 return errsts;
39388 memset(arr, 0, sizeof(arr));
39389 @@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
39390 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39391 unsigned char *cmd = (unsigned char *)scp->cmnd;
39392
39393 + pax_track_stack();
39394 +
39395 if ((errsts = check_readiness(scp, 1, devip)))
39396 return errsts;
39397 memset(arr, 0, sizeof(arr));
39398 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_lib.c linux-2.6.39.3/drivers/scsi/scsi_lib.c
39399 --- linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-19 00:06:34.000000000 -0400
39400 +++ linux-2.6.39.3/drivers/scsi/scsi_lib.c 2011-05-22 19:36:32.000000000 -0400
39401 @@ -1410,7 +1410,7 @@ static void scsi_kill_request(struct req
39402 shost = sdev->host;
39403 scsi_init_cmd_errh(cmd);
39404 cmd->result = DID_NO_CONNECT << 16;
39405 - atomic_inc(&cmd->device->iorequest_cnt);
39406 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39407
39408 /*
39409 * SCSI request completion path will do scsi_device_unbusy(),
39410 @@ -1436,9 +1436,9 @@ static void scsi_softirq_done(struct req
39411
39412 INIT_LIST_HEAD(&cmd->eh_entry);
39413
39414 - atomic_inc(&cmd->device->iodone_cnt);
39415 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
39416 if (cmd->result)
39417 - atomic_inc(&cmd->device->ioerr_cnt);
39418 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39419
39420 disposition = scsi_decide_disposition(cmd);
39421 if (disposition != SUCCESS &&
39422 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_sysfs.c linux-2.6.39.3/drivers/scsi/scsi_sysfs.c
39423 --- linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:22.000000000 -0400
39424 +++ linux-2.6.39.3/drivers/scsi/scsi_sysfs.c 2011-06-25 13:00:26.000000000 -0400
39425 @@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
39426 char *buf) \
39427 { \
39428 struct scsi_device *sdev = to_scsi_device(dev); \
39429 - unsigned long long count = atomic_read(&sdev->field); \
39430 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
39431 return snprintf(buf, 20, "0x%llx\n", count); \
39432 } \
39433 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
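Review bot: `count` is an `unsigned long long` initialised from the `int` that `atomic_read_unchecked()` returns, so once a counter passes INT_MAX the value is sign-extended and the attribute prints sixteen hex digits. That output is 19 characters plus the terminator, which only just fits the hard-coded `20` passed to `snprintf`. Converting through `unsigned int`, i.e. `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`, keeps the printed value a 32-bit count. The macro body starts outside the hunk.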
39434 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c
39435 --- linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-19 00:06:34.000000000 -0400
39436 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_fc.c 2011-05-22 19:36:32.000000000 -0400
39437 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
39438 * Netlink Infrastructure
39439 */
39440
39441 -static atomic_t fc_event_seq;
39442 +static atomic_unchecked_t fc_event_seq;
39443
39444 /**
39445 * fc_get_event_number - Obtain the next sequential FC event number
39446 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
39447 u32
39448 fc_get_event_number(void)
39449 {
39450 - return atomic_add_return(1, &fc_event_seq);
39451 + return atomic_add_return_unchecked(1, &fc_event_seq);
39452 }
39453 EXPORT_SYMBOL(fc_get_event_number);
39454
39455 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
39456 {
39457 int error;
39458
39459 - atomic_set(&fc_event_seq, 0);
39460 + atomic_set_unchecked(&fc_event_seq, 0);
39461
39462 error = transport_class_register(&fc_host_class);
39463 if (error)
39464 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
39465 char *cp;
39466
39467 *val = simple_strtoul(buf, &cp, 0);
39468 - if ((*cp && (*cp != '\n')) || (*val < 0))
39469 + if (*cp && (*cp != '\n'))
39470 return -EINVAL;
39471 /*
39472 * Check for overflow; dev_loss_tmo is u32
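Review bot: The remaining check `if (*cp && (*cp != '\n'))` accepts a buffer that contains no digits at all: `simple_strtoul()` then leaves `cp` at `buf` and returns 0, so an empty string or a lone newline is parsed as a timeout of 0. Dropping the `*val < 0` test is consistent with `*val` being unsigned, but the parse would be stricter as `if (cp == buf || (*cp && (*cp != '\n')))`. The function's signature and the overflow check that follows are outside the hunk.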
39473 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c
39474 --- linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-19 00:06:34.000000000 -0400
39475 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_iscsi.c 2011-05-22 19:36:32.000000000 -0400
39476 @@ -83,7 +83,7 @@ struct iscsi_internal {
39477 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39478 };
39479
39480 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39481 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39482 static struct workqueue_struct *iscsi_eh_timer_workq;
39483
39484 /*
39485 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
39486 int err;
39487
39488 ihost = shost->shost_data;
39489 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39490 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39491
39492 if (id == ISCSI_MAX_TARGET) {
39493 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
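Review bot: `session->sid` is taken from a counter that is now explicitly allowed to wrap, and nothing in this hunk checks that the new value is not already in use. The declaration's own comment calls it the sysfs session id, so after a wrap a new session could be given the id of a live one; whether a later step rejects the duplicate is not visible here. A short comment at the assignment, e.g. `/* sid wraps; assumes no session outlives 2^32 allocations */`, would record the assumption. srp_rport_add makes the same assumption when it formats `next_port_id` into the device name with `%d`. The function continues outside the hunk.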
39494 @@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
39495 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39496 ISCSI_TRANSPORT_VERSION);
39497
39498 - atomic_set(&iscsi_session_nr, 0);
39499 + atomic_set_unchecked(&iscsi_session_nr, 0);
39500
39501 err = class_register(&iscsi_transport_class);
39502 if (err)
39503 diff -urNp linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c
39504 --- linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-19 00:06:34.000000000 -0400
39505 +++ linux-2.6.39.3/drivers/scsi/scsi_transport_srp.c 2011-05-22 19:36:32.000000000 -0400
39506 @@ -33,7 +33,7 @@
39507 #include "scsi_transport_srp_internal.h"
39508
39509 struct srp_host_attrs {
39510 - atomic_t next_port_id;
39511 + atomic_unchecked_t next_port_id;
39512 };
39513 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39514
39515 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39516 struct Scsi_Host *shost = dev_to_shost(dev);
39517 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39518
39519 - atomic_set(&srp_host->next_port_id, 0);
39520 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39521 return 0;
39522 }
39523
39524 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39525 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39526 rport->roles = ids->roles;
39527
39528 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39529 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39530 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39531
39532 transport_setup_device(&rport->dev);
39533 diff -urNp linux-2.6.39.3/drivers/scsi/sg.c linux-2.6.39.3/drivers/scsi/sg.c
39534 --- linux-2.6.39.3/drivers/scsi/sg.c 2011-05-19 00:06:34.000000000 -0400
39535 +++ linux-2.6.39.3/drivers/scsi/sg.c 2011-05-22 19:36:32.000000000 -0400
39536 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
39537 const struct file_operations * fops;
39538 };
39539
39540 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39541 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39542 {"allow_dio", &adio_fops},
39543 {"debug", &debug_fops},
39544 {"def_reserved_size", &dressz_fops},
39545 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
39546 {
39547 int k, mask;
39548 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39549 - struct sg_proc_leaf * leaf;
39550 + const struct sg_proc_leaf * leaf;
39551
39552 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39553 if (!sg_proc_sgp)
39554 diff -urNp linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c
39555 --- linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-19 00:06:34.000000000 -0400
39556 +++ linux-2.6.39.3/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-22 19:36:32.000000000 -0400
39557 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
39558 int do_iounmap = 0;
39559 int do_disable_device = 1;
39560
39561 + pax_track_stack();
39562 +
39563 memset(&sym_dev, 0, sizeof(sym_dev));
39564 memset(&nvram, 0, sizeof(nvram));
39565 sym_dev.pdev = pdev;
39566 diff -urNp linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c
39567 --- linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-19 00:06:34.000000000 -0400
39568 +++ linux-2.6.39.3/drivers/scsi/vmw_pvscsi.c 2011-05-22 19:36:32.000000000 -0400
39569 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
39570 dma_addr_t base;
39571 unsigned i;
39572
39573 + pax_track_stack();
39574 +
39575 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
39576 cmd.reqRingNumPages = adapter->req_pages;
39577 cmd.cmpRingNumPages = adapter->cmp_pages;
39578 diff -urNp linux-2.6.39.3/drivers/sh/clk/cpg.c linux-2.6.39.3/drivers/sh/clk/cpg.c
39579 --- linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:04:14.000000000 -0400
39580 +++ linux-2.6.39.3/drivers/sh/clk/cpg.c 2011-06-03 00:32:06.000000000 -0400
39581 @@ -26,7 +26,7 @@ static void sh_clk_mstp32_disable(struct
39582 clk->enable_reg);
39583 }
39584
39585 -static struct clk_ops sh_clk_mstp32_clk_ops = {
39586 +static const struct clk_ops sh_clk_mstp32_clk_ops = {
39587 .enable = sh_clk_mstp32_enable,
39588 .disable = sh_clk_mstp32_disable,
39589 .recalc = followparent_recalc,
39590 @@ -150,7 +150,7 @@ static void sh_clk_div6_disable(struct c
39591 __raw_writel(value, clk->enable_reg);
39592 }
39593
39594 -static struct clk_ops sh_clk_div6_clk_ops = {
39595 +static const struct clk_ops sh_clk_div6_clk_ops = {
39596 .recalc = sh_clk_div6_recalc,
39597 .round_rate = sh_clk_div_round_rate,
39598 .set_rate = sh_clk_div6_set_rate,
39599 @@ -158,7 +158,7 @@ static struct clk_ops sh_clk_div6_clk_op
39600 .disable = sh_clk_div6_disable,
39601 };
39602
39603 -static struct clk_ops sh_clk_div6_reparent_clk_ops = {
39604 +static const struct clk_ops sh_clk_div6_reparent_clk_ops = {
39605 .recalc = sh_clk_div6_recalc,
39606 .round_rate = sh_clk_div_round_rate,
39607 .set_rate = sh_clk_div6_set_rate,
39608 @@ -282,13 +282,13 @@ static void sh_clk_div4_disable(struct c
39609 __raw_writel(__raw_readl(clk->enable_reg) | (1 << 8), clk->enable_reg);
39610 }
39611
39612 -static struct clk_ops sh_clk_div4_clk_ops = {
39613 +static const struct clk_ops sh_clk_div4_clk_ops = {
39614 .recalc = sh_clk_div4_recalc,
39615 .set_rate = sh_clk_div4_set_rate,
39616 .round_rate = sh_clk_div_round_rate,
39617 };
39618
39619 -static struct clk_ops sh_clk_div4_enable_clk_ops = {
39620 +static const struct clk_ops sh_clk_div4_enable_clk_ops = {
39621 .recalc = sh_clk_div4_recalc,
39622 .set_rate = sh_clk_div4_set_rate,
39623 .round_rate = sh_clk_div_round_rate,
39624 @@ -296,7 +296,7 @@ static struct clk_ops sh_clk_div4_enable
39625 .disable = sh_clk_div4_disable,
39626 };
39627
39628 -static struct clk_ops sh_clk_div4_reparent_clk_ops = {
39629 +static const struct clk_ops sh_clk_div4_reparent_clk_ops = {
39630 .recalc = sh_clk_div4_recalc,
39631 .set_rate = sh_clk_div4_set_rate,
39632 .round_rate = sh_clk_div_round_rate,
39633 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi.h linux-2.6.39.3/drivers/spi/dw_spi.h
39634 --- linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-19 00:06:34.000000000 -0400
39635 +++ linux-2.6.39.3/drivers/spi/dw_spi.h 2011-05-22 19:36:32.000000000 -0400
39636 @@ -151,7 +151,7 @@ struct dw_spi {
39637 int dma_chan_done;
39638 struct device *dma_dev;
39639 dma_addr_t dma_addr; /* phy address of the Data register */
39640 - struct dw_spi_dma_ops *dma_ops;
39641 + const struct dw_spi_dma_ops *dma_ops;
39642 void *dma_priv; /* platform relate info */
39643 struct pci_dev *dmac;
39644
39645 diff -urNp linux-2.6.39.3/drivers/spi/dw_spi_mid.c linux-2.6.39.3/drivers/spi/dw_spi_mid.c
39646 --- linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-19 00:06:34.000000000 -0400
39647 +++ linux-2.6.39.3/drivers/spi/dw_spi_mid.c 2011-05-22 19:36:32.000000000 -0400
39648 @@ -180,7 +180,7 @@ static int mid_spi_dma_transfer(struct d
39649 return 0;
39650 }
39651
39652 -static struct dw_spi_dma_ops mid_dma_ops = {
39653 +static const struct dw_spi_dma_ops mid_dma_ops = {
39654 .dma_init = mid_spi_dma_init,
39655 .dma_exit = mid_spi_dma_exit,
39656 .dma_transfer = mid_spi_dma_transfer,
39657 diff -urNp linux-2.6.39.3/drivers/spi/spi.c linux-2.6.39.3/drivers/spi/spi.c
39658 --- linux-2.6.39.3/drivers/spi/spi.c 2011-05-19 00:06:34.000000000 -0400
39659 +++ linux-2.6.39.3/drivers/spi/spi.c 2011-05-22 19:36:32.000000000 -0400
39660 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
39661 EXPORT_SYMBOL_GPL(spi_bus_unlock);
39662
39663 /* portable code must never pass more than 32 bytes */
39664 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39665 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39666
39667 static u8 *buf;
39668
39669 diff -urNp linux-2.6.39.3/drivers/ssb/driver_pcicore.c linux-2.6.39.3/drivers/ssb/driver_pcicore.c
39670 --- linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-19 00:06:34.000000000 -0400
39671 +++ linux-2.6.39.3/drivers/ssb/driver_pcicore.c 2011-05-22 19:36:32.000000000 -0400
39672 @@ -223,7 +223,7 @@ static int ssb_pcicore_write_config(stru
39673 return err ? PCIBIOS_DEVICE_NOT_FOUND : PCIBIOS_SUCCESSFUL;
39674 }
39675
39676 -static struct pci_ops ssb_pcicore_pciops = {
39677 +static const struct pci_ops ssb_pcicore_pciops = {
39678 .read = ssb_pcicore_read_config,
39679 .write = ssb_pcicore_write_config,
39680 };
39681 diff -urNp linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c
39682 --- linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39683 +++ linux-2.6.39.3/drivers/staging/ath6kl/os/linux/cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39684 @@ -1391,8 +1391,7 @@ u32 cipher_suites[] = {
39685 WLAN_CIPHER_SUITE_CCMP,
39686 };
39687
39688 -static struct
39689 -cfg80211_ops ar6k_cfg80211_ops = {
39690 +static const struct cfg80211_ops ar6k_cfg80211_ops = {
39691 .change_virtual_intf = ar6k_cfg80211_change_iface,
39692 .add_virtual_intf = ar6k_cfg80211_add_virtual_intf,
39693 .del_virtual_intf = ar6k_cfg80211_del_virtual_intf,
39694 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
39695 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-19 00:06:34.000000000 -0400
39696 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-05-22 19:36:32.000000000 -0400
39697 @@ -857,14 +857,14 @@ static void dhd_op_if(dhd_if_t *ifp)
39698 free_netdev(ifp->net);
39699 }
39700 /* Allocate etherdev, including space for private structure */
39701 - ifp->net = alloc_etherdev(sizeof(dhd));
39702 + ifp->net = alloc_etherdev(sizeof(*dhd));
39703 if (!ifp->net) {
39704 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39705 ret = -ENOMEM;
39706 }
39707 if (ret == 0) {
39708 strcpy(ifp->net->name, ifp->name);
39709 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
39710 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
39711 err = dhd_net_attach(&dhd->pub, ifp->idx);
39712 if (err != 0) {
39713 DHD_ERROR(("%s: dhd_net_attach failed, "
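Review bot: The new `memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));` places a byte copy of the whole structure in the net device's private area, while the very next line still hands the original object to `dhd_net_attach(&dhd->pub, ifp->idx)`, so two diverging copies of the driver state exist from this point on. The removed form stored only the pointer value (`&dhd`, `sizeof(dhd)`), which looks deliberate rather than a sizeof slip; if readers of `netdev_priv()` elsewhere in this file dereference the private area as a stored pointer (not visible in this hunk), they would now treat the first bytes of the structure as an address. Either keep the pointer-store form, or convert every reader in the same change and stop using the original object afterwards. The same pattern recurs in the three `dhd_attach` hunks that follow (`alloc_etherdev(sizeof(*dhd))` and both `memcpy(netdev_priv(net), dhd, sizeof(*dhd))`); `dhd_op_if` starts and ends outside this hunk.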
39714 @@ -1500,7 +1500,7 @@ static void dhd_ethtool_get_drvinfo(stru
39715 sprintf(info->bus_info, "%s", dev_name(&wl_cfg80211_get_sdio_func()->dev));
39716 }
39717
39718 -struct ethtool_ops dhd_ethtool_ops = {
39719 +const struct ethtool_ops dhd_ethtool_ops = {
39720 .get_drvinfo = dhd_ethtool_get_drvinfo
39721 };
39722
39723 @@ -1923,7 +1923,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39724 strcpy(nv_path, nvram_path);
39725
39726 /* Allocate etherdev, including space for private structure */
39727 - net = alloc_etherdev(sizeof(dhd));
39728 + net = alloc_etherdev(sizeof(*dhd));
39729 if (!net) {
39730 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
39731 goto fail;
39732 @@ -1939,7 +1939,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39733 /*
39734 * Save the dhd_info into the priv
39735 */
39736 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39737 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39738
39739 /* Set network interface name if it was provided as module parameter */
39740 if (iface_name[0]) {
39741 @@ -2056,7 +2056,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
39742 /*
39743 * Save the dhd_info into the priv
39744 */
39745 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
39746 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
39747
39748 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
39749 g_bus = bus;
39750 @@ -2206,7 +2206,7 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, cha
39751 return ret;
39752 }
39753
39754 -static struct net_device_ops dhd_ops_pri = {
39755 +static const struct net_device_ops dhd_ops_pri = {
39756 .ndo_open = dhd_open,
39757 .ndo_stop = dhd_stop,
39758 .ndo_get_stats = dhd_get_stats,
39759 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c
39760 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-19 00:06:34.000000000 -0400
39761 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_cfg80211.c 2011-05-22 19:36:32.000000000 -0400
39762 @@ -2109,7 +2109,7 @@ wl_cfg80211_flush_pmksa(struct wiphy *wi
39763
39764 }
39765
39766 -static struct cfg80211_ops wl_cfg80211_ops = {
39767 +static const struct cfg80211_ops wl_cfg80211_ops = {
39768 .change_virtual_intf = wl_cfg80211_change_iface,
39769 .scan = wl_cfg80211_scan,
39770 .set_wiphy_params = wl_cfg80211_set_wiphy_params,
39771 diff -urNp linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c
39772 --- linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-19 00:06:34.000000000 -0400
39773 +++ linux-2.6.39.3/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-05-22 19:36:32.000000000 -0400
39774 @@ -495,7 +495,7 @@ wl_iw_get_range(struct net_device *dev,
39775 list = (wl_u32_list_t *) channels;
39776
39777 dwrq->length = sizeof(struct iw_range);
39778 - memset(range, 0, sizeof(range));
39779 + memset(range, 0, sizeof(*range));
39780
39781 range->min_nwid = range->max_nwid = 0;
39782
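Review bot: The line just above the fixed call still writes `dwrq->length = sizeof(struct iw_range);` while the memset now uses `sizeof(*range)`; spelling both as `sizeof(*range)` keeps the reported length and the cleared length tied to the same object. A one-line comment such as `/* clear the whole struct: fields not set below must not carry stale buffer contents */` would record why the size matters, since the removed `sizeof(range)` cleared only a pointer's worth of bytes. Whether the remaining fields are filled later or handed back as-is is decided outside this hunk, because `wl_iw_get_range` continues past it.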
39783 diff -urNp linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c
39784 --- linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-19 00:06:34.000000000 -0400
39785 +++ linux-2.6.39.3/drivers/staging/comedi/comedi_fops.c 2011-05-22 19:36:32.000000000 -0400
39786 @@ -1445,7 +1445,7 @@ static void comedi_unmap(struct vm_area_
39787 mutex_unlock(&dev->mutex);
39788 }
39789
39790 -static struct vm_operations_struct comedi_vm_ops = {
39791 +static const struct vm_operations_struct comedi_vm_ops = {
39792 .close = comedi_unmap,
39793 };
39794
39795 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c
39796 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-19 00:06:34.000000000 -0400
39797 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-alsa.c 2011-05-22 19:36:32.000000000 -0400
39798 @@ -586,7 +586,7 @@ static struct page *snd_cx25821_page(str
39799 /*
39800 * operators
39801 */
39802 -static struct snd_pcm_ops snd_cx25821_pcm_ops = {
39803 +static const struct snd_pcm_ops snd_cx25821_pcm_ops = {
39804 .open = snd_cx25821_pcm_open,
39805 .close = snd_cx25821_close,
39806 .ioctl = snd_pcm_lib_ioctl,
39807 diff -urNp linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c
39808 --- linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-19 00:06:34.000000000 -0400
39809 +++ linux-2.6.39.3/drivers/staging/cx25821/cx25821-i2c.c 2011-05-22 19:36:32.000000000 -0400
39810 @@ -282,7 +282,7 @@ static u32 cx25821_functionality(struct
39811 I2C_FUNC_SMBUS_READ_WORD_DATA | I2C_FUNC_SMBUS_WRITE_WORD_DATA;
39812 }
39813
39814 -static struct i2c_algorithm cx25821_i2c_algo_template = {
39815 +static const struct i2c_algorithm cx25821_i2c_algo_template = {
39816 .master_xfer = i2c_xfer,
39817 .functionality = cx25821_functionality,
39818 #ifdef NEED_ALGO_CONTROL
39819 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c
39820 --- linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-19 00:06:34.000000000 -0400
39821 +++ linux-2.6.39.3/drivers/staging/et131x/et1310_tx.c 2011-05-22 19:36:32.000000000 -0400
39822 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
39823 struct net_device_stats *stats = &etdev->net_stats;
39824
39825 if (tcb->flags & fMP_DEST_BROAD)
39826 - atomic_inc(&etdev->Stats.brdcstxmt);
39827 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39828 else if (tcb->flags & fMP_DEST_MULTI)
39829 - atomic_inc(&etdev->Stats.multixmt);
39830 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39831 else
39832 - atomic_inc(&etdev->Stats.unixmt);
39833 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39834
39835 if (tcb->skb) {
39836 stats->tx_bytes += tcb->skb->len;
39837 diff -urNp linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h
39838 --- linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-19 00:06:34.000000000 -0400
39839 +++ linux-2.6.39.3/drivers/staging/et131x/et131x_adapter.h 2011-05-22 19:36:32.000000000 -0400
39840 @@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
39841 * operations
39842 */
39843 u32 unircv; /* # multicast packets received */
39844 - atomic_t unixmt; /* # multicast packets for Tx */
39845 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39846 u32 multircv; /* # multicast packets received */
39847 - atomic_t multixmt; /* # multicast packets for Tx */
39848 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39849 u32 brdcstrcv; /* # broadcast packets received */
39850 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39851 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39852 u32 norcvbuf; /* # Rx packets discarded */
39853 u32 noxmtbuf; /* # Tx packets discarded */
39854
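Review bot: The comment on the new `atomic_unchecked_t unixmt;` line still reads `# multicast packets for Tx`, but the et1310_tx.c hunk of this patch increments `unixmt` only when neither `fMP_DEST_BROAD` nor `fMP_DEST_MULTI` is set, i.e. for unicast frames. Since the line is being rewritten anyway, the comment should become `/* # unicast packets for Tx */`. The `unircv` context line above appears to carry the same copied text and is worth a follow-up. The typedef starts and ends outside this hunk.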
39855 diff -urNp linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
39856 --- linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-19 00:06:34.000000000 -0400
39857 +++ linux-2.6.39.3/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-05-22 19:36:32.000000000 -0400
39858 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
39859 //
39860 // Table of entry-point routines for char device
39861 //
39862 -static struct file_operations ft1000fops =
39863 +static const struct file_operations ft1000fops =
39864 {
39865 .unlocked_ioctl = ft1000_ioctl,
39866 .poll = ft1000_poll_dev,
39867 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c
39868 --- linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-19 00:06:34.000000000 -0400
39869 +++ linux-2.6.39.3/drivers/staging/generic_serial/rio/rio_linux.c 2011-05-22 19:36:32.000000000 -0400
39870 @@ -221,7 +221,7 @@ module_param(rio_poll, int, 0);
39871 module_param(rio_debug, int, 0644);
39872 module_param(rio_irqmask, long, 0);
39873
39874 -static struct real_driver rio_real_driver = {
39875 +static const struct real_driver rio_real_driver = {
39876 rio_disable_tx_interrupts,
39877 rio_enable_tx_interrupts,
39878 rio_disable_rx_interrupts,
39879 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c
39880 --- linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-19 00:06:34.000000000 -0400
39881 +++ linux-2.6.39.3/drivers/staging/generic_serial/ser_a2232.c 2011-05-22 19:36:32.000000000 -0400
39882 @@ -144,7 +144,7 @@ static int a2232_open(struct tty_struct
39883 /*---------------------------------------------------------------------------
39884 * Interface from generic_serial.c back here
39885 *--------------------------------------------------------------------------*/
39886 -static struct real_driver a2232_real_driver = {
39887 +static const struct real_driver a2232_real_driver = {
39888 a2232_disable_tx_interrupts,
39889 a2232_enable_tx_interrupts,
39890 a2232_disable_rx_interrupts,
39891 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/sx.c linux-2.6.39.3/drivers/staging/generic_serial/sx.c
39892 --- linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-19 00:06:34.000000000 -0400
39893 +++ linux-2.6.39.3/drivers/staging/generic_serial/sx.c 2011-05-22 19:36:32.000000000 -0400
39894 @@ -355,7 +355,7 @@ module_param(sx_irqmask, int, 0);
39895
39896 MODULE_LICENSE("GPL");
39897
39898 -static struct real_driver sx_real_driver = {
39899 +static const struct real_driver sx_real_driver = {
39900 sx_disable_tx_interrupts,
39901 sx_enable_tx_interrupts,
39902 sx_disable_rx_interrupts,
39903 diff -urNp linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c
39904 --- linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-19 00:06:34.000000000 -0400
39905 +++ linux-2.6.39.3/drivers/staging/generic_serial/vme_scc.c 2011-05-22 19:36:32.000000000 -0400
39906 @@ -94,7 +94,7 @@ static struct scc_port scc_ports[2];
39907 * Interface from generic_serial.c back here
39908 *--------------------------------------------------------------------------*/
39909
39910 -static struct real_driver scc_real_driver = {
39911 +static const struct real_driver scc_real_driver = {
39912 scc_disable_tx_interrupts,
39913 scc_enable_tx_interrupts,
39914 scc_disable_rx_interrupts,
39915 diff -urNp linux-2.6.39.3/drivers/staging/gma500/psb_fb.c linux-2.6.39.3/drivers/staging/gma500/psb_fb.c
39916 --- linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 12:55:22.000000000 -0400
39917 +++ linux-2.6.39.3/drivers/staging/gma500/psb_fb.c 2011-06-25 13:00:26.000000000 -0400
39918 @@ -230,7 +230,7 @@ static void psbfb_vm_close(struct vm_are
39919 DRM_DEBUG("vm_close\n");
39920 }
39921
39922 -static struct vm_operations_struct psbfb_vm_ops = {
39923 +static const struct vm_operations_struct psbfb_vm_ops = {
39924 .fault = psbfb_vm_fault,
39925 .open = psbfb_vm_open,
39926 .close = psbfb_vm_close
39927 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c
39928 --- linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-19 00:06:34.000000000 -0400
39929 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-i2c.c 2011-05-22 19:36:32.000000000 -0400
39930 @@ -198,7 +198,7 @@ static u32 go7007_functionality(struct i
39931 return I2C_FUNC_SMBUS_BYTE_DATA;
39932 }
39933
39934 -static struct i2c_algorithm go7007_algo = {
39935 +static const struct i2c_algorithm go7007_algo = {
39936 .smbus_xfer = go7007_smbus_xfer,
39937 .master_xfer = go7007_i2c_master_xfer,
39938 .functionality = go7007_functionality,
39939 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c
39940 --- linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-19 00:06:34.000000000 -0400
39941 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-usb.c 2011-05-22 19:36:32.000000000 -0400
39942 @@ -849,7 +849,7 @@ static int go7007_usb_send_firmware(stru
39943 &transferred, timeout);
39944 }
39945
39946 -static struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39947 +static const struct go7007_hpi_ops go7007_usb_ezusb_hpi_ops = {
39948 .interface_reset = go7007_usb_interface_reset,
39949 .write_interrupt = go7007_usb_ezusb_write_interrupt,
39950 .read_interrupt = go7007_usb_read_interrupt,
39951 @@ -858,7 +858,7 @@ static struct go7007_hpi_ops go7007_usb_
39952 .send_firmware = go7007_usb_send_firmware,
39953 };
39954
39955 -static struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39956 +static const struct go7007_hpi_ops go7007_usb_onboard_hpi_ops = {
39957 .interface_reset = go7007_usb_interface_reset,
39958 .write_interrupt = go7007_usb_onboard_write_interrupt,
39959 .read_interrupt = go7007_usb_read_interrupt,
39960 @@ -950,7 +950,7 @@ static u32 go7007_usb_functionality(stru
39961 return (I2C_FUNC_SMBUS_EMUL) & ~I2C_FUNC_SMBUS_QUICK;
39962 }
39963
39964 -static struct i2c_algorithm go7007_usb_algo = {
39965 +static const struct i2c_algorithm go7007_usb_algo = {
39966 .master_xfer = go7007_usb_i2c_master_xfer,
39967 .functionality = go7007_usb_functionality,
39968 };
39969 diff -urNp linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c
39970 --- linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-19 00:06:34.000000000 -0400
39971 +++ linux-2.6.39.3/drivers/staging/go7007/go7007-v4l2.c 2011-05-22 19:36:32.000000000 -0400
39972 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
39973 return 0;
39974 }
39975
39976 -static struct vm_operations_struct go7007_vm_ops = {
39977 +static const struct vm_operations_struct go7007_vm_ops = {
39978 .open = go7007_vm_open,
39979 .close = go7007_vm_close,
39980 .fault = go7007_vm_fault,
39981 diff -urNp linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c
39982 --- linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-19 00:06:34.000000000 -0400
39983 +++ linux-2.6.39.3/drivers/staging/go7007/saa7134-go7007.c 2011-05-22 19:36:32.000000000 -0400
39984 @@ -421,7 +421,7 @@ static int saa7134_go7007_send_command(s
39985
39986 }
39987
39988 -static struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39989 +static const struct go7007_hpi_ops saa7134_go7007_hpi_ops = {
39990 .interface_reset = saa7134_go7007_interface_reset,
39991 .write_interrupt = saa7134_go7007_write_interrupt,
39992 .read_interrupt = saa7134_go7007_read_interrupt,
39993 diff -urNp linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c
39994 --- linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-19 00:06:34.000000000 -0400
39995 +++ linux-2.6.39.3/drivers/staging/go7007/snd-go7007.c 2011-05-22 19:36:32.000000000 -0400
39996 @@ -204,7 +204,7 @@ static struct page *go7007_snd_pcm_page(
39997 return vmalloc_to_page(substream->runtime->dma_area + offset);
39998 }
39999
40000 -static struct snd_pcm_ops go7007_snd_capture_ops = {
40001 +static const struct snd_pcm_ops go7007_snd_capture_ops = {
40002 .open = go7007_snd_capture_open,
40003 .close = go7007_snd_capture_close,
40004 .ioctl = snd_pcm_lib_ioctl,
40005 @@ -227,7 +227,7 @@ static int go7007_snd_free(struct snd_de
40006 return 0;
40007 }
40008
40009 -static struct snd_device_ops go7007_snd_device_ops = {
40010 +static const struct snd_device_ops go7007_snd_device_ops = {
40011 .dev_free = go7007_snd_free,
40012 };
40013
40014 diff -urNp linux-2.6.39.3/drivers/staging/hv/channel.c linux-2.6.39.3/drivers/staging/hv/channel.c
40015 --- linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-19 00:06:34.000000000 -0400
40016 +++ linux-2.6.39.3/drivers/staging/hv/channel.c 2011-05-22 19:36:32.000000000 -0400
40017 @@ -509,8 +509,8 @@ int vmbus_establish_gpadl(struct vmbus_c
40018 unsigned long flags;
40019 int ret = 0;
40020
40021 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
40022 - atomic_inc(&vmbus_connection.next_gpadl_handle);
40023 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
40024 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
40025
40026 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
40027 if (ret)
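Review bot: The handle is still obtained with a separate `atomic_read_unchecked()` followed by `atomic_inc_unchecked()`, so two callers running `vmbus_establish_gpadl` concurrently can both read the same value before either increments it and end up sharing one GPADL handle. A single read-modify-write closes that window: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;` (the `_unchecked` return variant is already used in the rndis_filter.c hunks of this patch). Moving the counter to the unchecked type also means it wraps silently, so a short comment stating that handle reuse after wrap-around is acceptable would help. Whether callers are serialised elsewhere is not visible, as the function continues outside this hunk.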
40028 diff -urNp linux-2.6.39.3/drivers/staging/hv/hv.c linux-2.6.39.3/drivers/staging/hv/hv.c
40029 --- linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-19 00:06:34.000000000 -0400
40030 +++ linux-2.6.39.3/drivers/staging/hv/hv.c 2011-05-22 19:36:32.000000000 -0400
40031 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
40032 u64 output_address = (output) ? virt_to_phys(output) : 0;
40033 u32 output_address_hi = output_address >> 32;
40034 u32 output_address_lo = output_address & 0xFFFFFFFF;
40035 - volatile void *hypercall_page = hv_context.hypercall_page;
40036 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
40037
40038 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
40039 control, input, output);
40040 diff -urNp linux-2.6.39.3/drivers/staging/hv/rndis_filter.c linux-2.6.39.3/drivers/staging/hv/rndis_filter.c
40041 --- linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-19 00:06:34.000000000 -0400
40042 +++ linux-2.6.39.3/drivers/staging/hv/rndis_filter.c 2011-05-22 19:36:32.000000000 -0400
40043 @@ -49,7 +49,7 @@ struct rndis_device {
40044
40045 enum rndis_device_state state;
40046 u32 link_stat;
40047 - atomic_t new_req_id;
40048 + atomic_unchecked_t new_req_id;
40049
40050 spinlock_t request_lock;
40051 struct list_head req_list;
40052 @@ -144,7 +144,7 @@ static struct rndis_request *get_rndis_r
40053 * template
40054 */
40055 set = &rndis_msg->msg.set_req;
40056 - set->req_id = atomic_inc_return(&dev->new_req_id);
40057 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40058
40059 /* Add to the request list */
40060 spin_lock_irqsave(&dev->request_lock, flags);
40061 @@ -709,7 +709,7 @@ static void rndis_filter_halt_device(str
40062
40063 /* Setup the rndis set */
40064 halt = &request->request_msg.msg.halt_req;
40065 - halt->req_id = atomic_inc_return(&dev->new_req_id);
40066 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
40067
40068 /* Ignore return since this msg is optional. */
40069 rndis_filter_send_request(dev, request);
40070 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c
40071 --- linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-19 00:06:34.000000000 -0400
40072 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_drv.c 2011-05-22 19:36:32.000000000 -0400
40073 @@ -661,14 +661,14 @@ int vmbus_child_device_register(struct h
40074 {
40075 int ret = 0;
40076
40077 - static atomic_t device_num = ATOMIC_INIT(0);
40078 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
40079
40080 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
40081 child_device_obj);
40082
40083 /* Set the device name. Otherwise, device_register() will fail. */
40084 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
40085 - atomic_inc_return(&device_num));
40086 + atomic_inc_return_unchecked(&device_num));
40087
40088 /* The new device belongs to this bus */
40089 child_device_obj->device.bus = &vmbus_drv.bus; /* device->dev.bus; */
40090 diff -urNp linux-2.6.39.3/drivers/staging/hv/vmbus_private.h linux-2.6.39.3/drivers/staging/hv/vmbus_private.h
40091 --- linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-19 00:06:34.000000000 -0400
40092 +++ linux-2.6.39.3/drivers/staging/hv/vmbus_private.h 2011-05-22 19:36:32.000000000 -0400
40093 @@ -58,7 +58,7 @@ enum vmbus_connect_state {
40094 struct vmbus_connection {
40095 enum vmbus_connect_state conn_state;
40096
40097 - atomic_t next_gpadl_handle;
40098 + atomic_unchecked_t next_gpadl_handle;
40099
40100 /*
40101 * Represents channel interrupts. Each bit position represents a
40102 diff -urNp linux-2.6.39.3/drivers/staging/iio/ring_generic.h linux-2.6.39.3/drivers/staging/iio/ring_generic.h
40103 --- linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-19 00:06:34.000000000 -0400
40104 +++ linux-2.6.39.3/drivers/staging/iio/ring_generic.h 2011-05-25 16:55:27.000000000 -0400
40105 @@ -134,7 +134,7 @@ struct iio_ring_buffer {
40106 struct iio_handler access_handler;
40107 struct iio_event_interface ev_int;
40108 struct iio_shared_ev_pointer shared_ev_pointer;
40109 - struct iio_ring_access_funcs access;
40110 + struct iio_ring_access_funcs access;
40111 int (*preenable)(struct iio_dev *);
40112 int (*postenable)(struct iio_dev *);
40113 int (*predisable)(struct iio_dev *);
40114 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c
40115 --- linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-19 00:06:34.000000000 -0400
40116 +++ linux-2.6.39.3/drivers/staging/intel_sst/intelmid_ctrl.c 2011-05-22 19:36:32.000000000 -0400
40117 @@ -494,7 +494,7 @@ static int snd_intelmad_device_set(struc
40118 struct snd_intelmad *intelmaddata;
40119 struct snd_pmic_ops *scard_ops;
40120 int ret_val = 0, vendor, status;
40121 - struct intel_sst_pcm_control *pcm_control;
40122 + const struct intel_sst_pcm_control *pcm_control;
40123
40124 pr_debug("snd_intelmad_device_set called\n");
40125
40126 diff -urNp linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c
40127 --- linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-19 00:06:34.000000000 -0400
40128 +++ linux-2.6.39.3/drivers/staging/intel_sst/intel_sst_drv_interface.c 2011-05-22 19:36:32.000000000 -0400
40129 @@ -470,7 +470,7 @@ int sst_device_control(int cmd, void *ar
40130 }
40131
40132
40133 -struct intel_sst_pcm_control pcm_ops = {
40134 +const struct intel_sst_pcm_control pcm_ops = {
40135 .open = sst_open_pcm_stream,
40136 .device_control = sst_device_control,
40137 .close = sst_close_pcm_stream,
40138 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.c linux-2.6.39.3/drivers/staging/line6/capture.c
40139 --- linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-19 00:06:34.000000000 -0400
40140 +++ linux-2.6.39.3/drivers/staging/line6/capture.c 2011-05-22 19:36:32.000000000 -0400
40141 @@ -378,7 +378,7 @@ snd_line6_capture_pointer(struct snd_pcm
40142 }
40143
40144 /* capture operators */
40145 -struct snd_pcm_ops snd_line6_capture_ops = {
40146 +const struct snd_pcm_ops snd_line6_capture_ops = {
40147 .open = snd_line6_capture_open,
40148 .close = snd_line6_capture_close,
40149 .ioctl = snd_pcm_lib_ioctl,
40150 diff -urNp linux-2.6.39.3/drivers/staging/line6/capture.h linux-2.6.39.3/drivers/staging/line6/capture.h
40151 --- linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-19 00:06:34.000000000 -0400
40152 +++ linux-2.6.39.3/drivers/staging/line6/capture.h 2011-05-22 19:36:32.000000000 -0400
40153 @@ -17,7 +17,7 @@
40154 #include "driver.h"
40155 #include "pcm.h"
40156
40157 -extern struct snd_pcm_ops snd_line6_capture_ops;
40158 +extern const struct snd_pcm_ops snd_line6_capture_ops;
40159
40160 extern void line6_capture_copy(struct snd_line6_pcm *line6pcm, char *fbuf,
40161 int fsize);
40162 diff -urNp linux-2.6.39.3/drivers/staging/line6/midi.c linux-2.6.39.3/drivers/staging/line6/midi.c
40163 --- linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-19 00:06:34.000000000 -0400
40164 +++ linux-2.6.39.3/drivers/staging/line6/midi.c 2011-05-22 19:36:32.000000000 -0400
40165 @@ -239,14 +239,14 @@ static void line6_midi_input_trigger(str
40166 line6->line6midi->substream_receive = 0;
40167 }
40168
40169 -static struct snd_rawmidi_ops line6_midi_output_ops = {
40170 +static const struct snd_rawmidi_ops line6_midi_output_ops = {
40171 .open = line6_midi_output_open,
40172 .close = line6_midi_output_close,
40173 .trigger = line6_midi_output_trigger,
40174 .drain = line6_midi_output_drain,
40175 };
40176
40177 -static struct snd_rawmidi_ops line6_midi_input_ops = {
40178 +static const struct snd_rawmidi_ops line6_midi_input_ops = {
40179 .open = line6_midi_input_open,
40180 .close = line6_midi_input_close,
40181 .trigger = line6_midi_input_trigger,
40182 @@ -373,7 +373,7 @@ static int snd_line6_midi_free(struct sn
40183 */
40184 int line6_init_midi(struct usb_line6 *line6)
40185 {
40186 - static struct snd_device_ops midi_ops = {
40187 + static const struct snd_device_ops midi_ops = {
40188 .dev_free = snd_line6_midi_free,
40189 };
40190
40191 diff -urNp linux-2.6.39.3/drivers/staging/line6/pcm.c linux-2.6.39.3/drivers/staging/line6/pcm.c
40192 --- linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-19 00:06:34.000000000 -0400
40193 +++ linux-2.6.39.3/drivers/staging/line6/pcm.c 2011-05-22 19:36:32.000000000 -0400
40194 @@ -384,7 +384,7 @@ void line6_pcm_disconnect(struct snd_lin
40195 int line6_init_pcm(struct usb_line6 *line6,
40196 struct line6_pcm_properties *properties)
40197 {
40198 - static struct snd_device_ops pcm_ops = {
40199 + static const struct snd_device_ops pcm_ops = {
40200 .dev_free = snd_line6_pcm_free,
40201 };
40202
40203 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.c linux-2.6.39.3/drivers/staging/line6/playback.c
40204 --- linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-19 00:06:34.000000000 -0400
40205 +++ linux-2.6.39.3/drivers/staging/line6/playback.c 2011-05-22 19:36:32.000000000 -0400
40206 @@ -536,7 +536,7 @@ snd_line6_playback_pointer(struct snd_pc
40207 }
40208
40209 /* playback operators */
40210 -struct snd_pcm_ops snd_line6_playback_ops = {
40211 +const struct snd_pcm_ops snd_line6_playback_ops = {
40212 .open = snd_line6_playback_open,
40213 .close = snd_line6_playback_close,
40214 .ioctl = snd_pcm_lib_ioctl,
40215 diff -urNp linux-2.6.39.3/drivers/staging/line6/playback.h linux-2.6.39.3/drivers/staging/line6/playback.h
40216 --- linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-19 00:06:34.000000000 -0400
40217 +++ linux-2.6.39.3/drivers/staging/line6/playback.h 2011-05-22 19:36:32.000000000 -0400
40218 @@ -27,7 +27,7 @@
40219 */
40220 #define USE_CLEAR_BUFFER_WORKAROUND 1
40221
40222 -extern struct snd_pcm_ops snd_line6_playback_ops;
40223 +extern const struct snd_pcm_ops snd_line6_playback_ops;
40224
40225 extern int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm);
40226 extern int line6_submit_audio_out_all_urbs(struct snd_line6_pcm *line6pcm);
40227 diff -urNp linux-2.6.39.3/drivers/staging/msm/staging-devices.c linux-2.6.39.3/drivers/staging/msm/staging-devices.c
40228 --- linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-19 00:06:34.000000000 -0400
40229 +++ linux-2.6.39.3/drivers/staging/msm/staging-devices.c 2011-05-22 19:36:32.000000000 -0400
40230 @@ -211,7 +211,7 @@ static int msm_fb_lcdc_gpio_config(int o
40231 }
40232
40233
40234 -static struct lcdc_platform_data lcdc_pdata = {
40235 +static const struct lcdc_platform_data lcdc_pdata = {
40236 .lcdc_gpio_config = msm_fb_lcdc_gpio_config,
40237 };
40238
40239 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet.c linux-2.6.39.3/drivers/staging/octeon/ethernet.c
40240 --- linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-19 00:06:34.000000000 -0400
40241 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet.c 2011-05-22 19:36:32.000000000 -0400
40242 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
40243 * since the RX tasklet also increments it.
40244 */
40245 #ifdef CONFIG_64BIT
40246 - atomic64_add(rx_status.dropped_packets,
40247 - (atomic64_t *)&priv->stats.rx_dropped);
40248 + atomic64_add_unchecked(rx_status.dropped_packets,
40249 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40250 #else
40251 - atomic_add(rx_status.dropped_packets,
40252 - (atomic_t *)&priv->stats.rx_dropped);
40253 + atomic_add_unchecked(rx_status.dropped_packets,
40254 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
40255 #endif
40256 }
40257
40258 diff -urNp linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c
40259 --- linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-19 00:06:34.000000000 -0400
40260 +++ linux-2.6.39.3/drivers/staging/octeon/ethernet-rx.c 2011-05-22 19:36:32.000000000 -0400
40261 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
40262 /* Increment RX stats for virtual ports */
40263 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
40264 #ifdef CONFIG_64BIT
40265 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
40266 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
40267 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
40268 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
40269 #else
40270 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
40271 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
40272 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
40273 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
40274 #endif
40275 }
40276 netif_receive_skb(skb);
40277 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
40278 dev->name);
40279 */
40280 #ifdef CONFIG_64BIT
40281 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
40282 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
40283 #else
40284 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
40285 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
40286 #endif
40287 dev_kfree_skb_irq(skb);
40288 }
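Review bot: The CONFIG_64BIT branch of this hunk calls `atomic64_unchecked_add`, while every other converted call, including the one earlier in this function and the one in ethernet.c, is spelled `atomic64_add_unchecked`. Unless a helper with the transposed name is defined elsewhere in the patch, 64-bit builds of this driver will fail on an undeclared function. The line should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. The body of cvm_oct_napi_poll starts and ends outside the hunk.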
40289 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c
40290 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-19 00:06:34.000000000 -0400
40291 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.c 2011-05-22 19:36:32.000000000 -0400
40292 @@ -43,7 +43,7 @@ module_param(noinit, int, 0444);
40293 static int useaa = 1;
40294 module_param(useaa, int, 0444);
40295
40296 -static struct dcon_platform_data *pdata;
40297 +static const struct dcon_platform_data *pdata;
40298
40299 /* I2C structures */
40300
40301 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h
40302 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-19 00:06:34.000000000 -0400
40303 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon.h 2011-05-22 19:36:32.000000000 -0400
40304 @@ -92,11 +92,11 @@ struct dcon_platform_data {
40305 extern irqreturn_t dcon_interrupt(int irq, void *id);
40306
40307 #ifdef CONFIG_FB_OLPC_DCON_1
40308 -extern struct dcon_platform_data dcon_pdata_xo_1;
40309 +extern const struct dcon_platform_data dcon_pdata_xo_1;
40310 #endif
40311
40312 #ifdef CONFIG_FB_OLPC_DCON_1_5
40313 -extern struct dcon_platform_data dcon_pdata_xo_1_5;
40314 +extern const struct dcon_platform_data dcon_pdata_xo_1_5;
40315 #endif
40316
40317 #endif
40318 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c
40319 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-19 00:06:34.000000000 -0400
40320 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1_5.c 2011-05-22 19:36:32.000000000 -0400
40321 @@ -185,7 +185,7 @@ static u8 dcon_read_status_xo_1_5(void)
40322 return status;
40323 }
40324
40325 -struct dcon_platform_data dcon_pdata_xo_1_5 = {
40326 +const struct dcon_platform_data dcon_pdata_xo_1_5 = {
40327 .init = dcon_init_xo_1_5,
40328 .bus_stabilize_wiggle = dcon_wiggle_xo_1_5,
40329 .set_dconload = dcon_set_dconload_xo_1_5,
40330 diff -urNp linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c
40331 --- linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-19 00:06:34.000000000 -0400
40332 +++ linux-2.6.39.3/drivers/staging/olpc_dcon/olpc_dcon_xo_1.c 2011-05-22 19:36:32.000000000 -0400
40333 @@ -196,7 +196,7 @@ static u8 dcon_read_status_xo_1(void)
40334 return status;
40335 }
40336
40337 -struct dcon_platform_data dcon_pdata_xo_1 = {
40338 +const struct dcon_platform_data dcon_pdata_xo_1 = {
40339 .init = dcon_init_xo_1,
40340 .bus_stabilize_wiggle = dcon_wiggle_xo_1,
40341 .set_dconload = dcon_set_dconload_1,
40342 diff -urNp linux-2.6.39.3/drivers/staging/phison/phison.c linux-2.6.39.3/drivers/staging/phison/phison.c
40343 --- linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-19 00:06:34.000000000 -0400
40344 +++ linux-2.6.39.3/drivers/staging/phison/phison.c 2011-05-22 19:36:32.000000000 -0400
40345 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40346 ATA_BMDMA_SHT(DRV_NAME),
40347 };
40348
40349 -static struct ata_port_operations phison_ops = {
40350 +static const struct ata_port_operations phison_ops = {
40351 .inherits = &ata_bmdma_port_ops,
40352 .prereset = phison_pre_reset,
40353 };
40354 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/inode.c linux-2.6.39.3/drivers/staging/pohmelfs/inode.c
40355 --- linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-19 00:06:34.000000000 -0400
40356 +++ linux-2.6.39.3/drivers/staging/pohmelfs/inode.c 2011-05-22 19:36:32.000000000 -0400
40357 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
40358 mutex_init(&psb->mcache_lock);
40359 psb->mcache_root = RB_ROOT;
40360 psb->mcache_timeout = msecs_to_jiffies(5000);
40361 - atomic_long_set(&psb->mcache_gen, 0);
40362 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
40363
40364 psb->trans_max_pages = 100;
40365
40366 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
40367 INIT_LIST_HEAD(&psb->crypto_ready_list);
40368 INIT_LIST_HEAD(&psb->crypto_active_list);
40369
40370 - atomic_set(&psb->trans_gen, 1);
40371 + atomic_set_unchecked(&psb->trans_gen, 1);
40372 atomic_long_set(&psb->total_inodes, 0);
40373
40374 mutex_init(&psb->state_lock);
40375 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c
40376 --- linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-19 00:06:34.000000000 -0400
40377 +++ linux-2.6.39.3/drivers/staging/pohmelfs/mcache.c 2011-05-22 19:36:32.000000000 -0400
40378 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40379 m->data = data;
40380 m->start = start;
40381 m->size = size;
40382 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
40383 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40384
40385 mutex_lock(&psb->mcache_lock);
40386 err = pohmelfs_mcache_insert(psb, m);
40387 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h
40388 --- linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-19 00:06:34.000000000 -0400
40389 +++ linux-2.6.39.3/drivers/staging/pohmelfs/netfs.h 2011-05-22 19:36:32.000000000 -0400
40390 @@ -571,14 +571,14 @@ struct pohmelfs_config;
40391 struct pohmelfs_sb {
40392 struct rb_root mcache_root;
40393 struct mutex mcache_lock;
40394 - atomic_long_t mcache_gen;
40395 + atomic_long_unchecked_t mcache_gen;
40396 unsigned long mcache_timeout;
40397
40398 unsigned int idx;
40399
40400 unsigned int trans_retries;
40401
40402 - atomic_t trans_gen;
40403 + atomic_unchecked_t trans_gen;
40404
40405 unsigned int crypto_attached_size;
40406 unsigned int crypto_align_size;
40407 diff -urNp linux-2.6.39.3/drivers/staging/pohmelfs/trans.c linux-2.6.39.3/drivers/staging/pohmelfs/trans.c
40408 --- linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-19 00:06:34.000000000 -0400
40409 +++ linux-2.6.39.3/drivers/staging/pohmelfs/trans.c 2011-05-22 19:36:32.000000000 -0400
40410 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40411 int err;
40412 struct netfs_cmd *cmd = t->iovec.iov_base;
40413
40414 - t->gen = atomic_inc_return(&psb->trans_gen);
40415 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40416
40417 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40418 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40419 diff -urNp linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c
40420 --- linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-19 00:06:34.000000000 -0400
40421 +++ linux-2.6.39.3/drivers/staging/rtl8192u/ieee80211/proc.c 2011-05-22 19:36:32.000000000 -0400
40422 @@ -87,7 +87,7 @@ static int c_show(struct seq_file *m, vo
40423 return 0;
40424 }
40425
40426 -static struct seq_operations crypto_seq_ops = {
40427 +static const struct seq_operations crypto_seq_ops = {
40428 .start = c_start,
40429 .next = c_next,
40430 .stop = c_stop,
40431 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
40432 return seq_open(file, &crypto_seq_ops);
40433 }
40434
40435 -static struct file_operations proc_crypto_ops = {
40436 +static const struct file_operations proc_crypto_ops = {
40437 .open = crypto_info_open,
40438 .read = seq_read,
40439 .llseek = seq_lseek,
40440 diff -urNp linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h
40441 --- linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-19 00:06:34.000000000 -0400
40442 +++ linux-2.6.39.3/drivers/staging/rtl8712/rtl871x_io.h 2011-05-22 19:36:32.000000000 -0400
40443 @@ -107,7 +107,7 @@ struct intf_hdl {
40444 void (*intf_hdl_unload)(u8 *priv);
40445 void (*intf_hdl_open)(u8 *priv);
40446 void (*intf_hdl_close)(u8 *priv);
40447 - struct _io_ops io_ops;
40448 + const struct _io_ops io_ops;
40449 };
40450
40451 struct reg_protocol_rd {
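Review bot: Declaring the embedded member as `const struct _io_ops io_ops;` turns every later store into it into a compile error. Any code that fills in the function pointers after the enclosing `struct intf_hdl` is set up (not visible in this hunk) must therefore change in the same patch. The qualifier also adds little protection on its own, since a const member of an otherwise writable object still sits in writable memory. If a read-only ops table is the goal, `const struct _io_ops *io_ops;` pointing at a `static const` table would express it, at the cost of touching the users.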
40452 diff -urNp linux-2.6.39.3/drivers/staging/solo6x10/g723.c linux-2.6.39.3/drivers/staging/solo6x10/g723.c
40453 --- linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-19 00:06:34.000000000 -0400
40454 +++ linux-2.6.39.3/drivers/staging/solo6x10/g723.c 2011-05-22 19:36:32.000000000 -0400
40455 @@ -237,7 +237,7 @@ static int snd_solo_pcm_copy(struct snd_
40456 return 0;
40457 }
40458
40459 -static struct snd_pcm_ops snd_solo_pcm_ops = {
40460 +static const struct snd_pcm_ops snd_solo_pcm_ops = {
40461 .open = snd_solo_pcm_open,
40462 .close = snd_solo_pcm_close,
40463 .ioctl = snd_pcm_lib_ioctl,
40464 @@ -334,7 +334,7 @@ static int solo_snd_pcm_init(struct solo
40465
40466 int solo_g723_init(struct solo_dev *solo_dev)
40467 {
40468 - static struct snd_device_ops ops = { NULL };
40469 + static const struct snd_device_ops ops = { NULL };
40470 struct snd_card *card;
40471 struct snd_kcontrol_new kctl;
40472 char name[32];
40473 diff -urNp linux-2.6.39.3/drivers/staging/spectra/ffsport.c linux-2.6.39.3/drivers/staging/spectra/ffsport.c
40474 --- linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-19 00:06:34.000000000 -0400
40475 +++ linux-2.6.39.3/drivers/staging/spectra/ffsport.c 2011-05-22 19:36:32.000000000 -0400
40476 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
40477 return ret;
40478 }
40479
40480 -static struct block_device_operations GLOB_SBD_ops = {
40481 +static const struct block_device_operations GLOB_SBD_ops = {
40482 .owner = THIS_MODULE,
40483 .open = GLOB_SBD_open,
40484 .release = GLOB_SBD_release,
40485 diff -urNp linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c
40486 --- linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-19 00:06:34.000000000 -0400
40487 +++ linux-2.6.39.3/drivers/staging/tm6000/tm6000-alsa.c 2011-05-22 19:36:32.000000000 -0400
40488 @@ -380,7 +380,7 @@ static snd_pcm_uframes_t snd_tm6000_poin
40489 /*
40490 * operators
40491 */
40492 -static struct snd_pcm_ops snd_tm6000_pcm_ops = {
40493 +static const struct snd_pcm_ops snd_tm6000_pcm_ops = {
40494 .open = snd_tm6000_pcm_open,
40495 .close = snd_tm6000_close,
40496 .ioctl = snd_pcm_lib_ioctl,
40497 diff -urNp linux-2.6.39.3/drivers/staging/tty/istallion.c linux-2.6.39.3/drivers/staging/tty/istallion.c
40498 --- linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-19 00:06:34.000000000 -0400
40499 +++ linux-2.6.39.3/drivers/staging/tty/istallion.c 2011-05-22 20:49:07.000000000 -0400
40500 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
40501 * re-used for each stats call.
40502 */
40503 static comstats_t stli_comstats;
40504 -static combrd_t stli_brdstats;
40505 static struct asystats stli_cdkstats;
40506
40507 /*****************************************************************************/
40508 @@ -4003,6 +4002,7 @@ out:
40509
40510 static int stli_getbrdstats(combrd_t __user *bp)
40511 {
40512 + combrd_t stli_brdstats;
40513 struct stlibrd *brdp;
40514 unsigned int i;
40515
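Review bot: The new local `combrd_t stli_brdstats;` has no initializer, and it is presumably copied back to the `__user` pointer `bp` later in stli_getbrdstats, whose body continues outside this hunk. The hunk therefore does not show that every byte, padding included, is written before it leaves the kernel. If the body does not already clear it, add `memset(&stli_brdstats, 0, sizeof(stli_brdstats));` before the fields are filled. The `stli_` prefix now reads like a file-scope name and the comment above the remaining statics ("re-used for each stats call") no longer covers it, so a plain `brdstats` would be clearer.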
40516 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
40517 struct stliport stli_dummyport;
40518 struct stliport *portp;
40519
40520 + pax_track_stack();
40521 +
40522 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
40523 return -EFAULT;
40524 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
40525 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
40526 struct stlibrd stli_dummybrd;
40527 struct stlibrd *brdp;
40528
40529 + pax_track_stack();
40530 +
40531 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
40532 return -EFAULT;
40533 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
40534 diff -urNp linux-2.6.39.3/drivers/staging/tty/stallion.c linux-2.6.39.3/drivers/staging/tty/stallion.c
40535 --- linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-19 00:06:34.000000000 -0400
40536 +++ linux-2.6.39.3/drivers/staging/tty/stallion.c 2011-05-22 19:36:32.000000000 -0400
40537 @@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
40538 struct stlport stl_dummyport;
40539 struct stlport *portp;
40540
40541 + pax_track_stack();
40542 +
40543 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
40544 return -EFAULT;
40545 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
40546 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci.h linux-2.6.39.3/drivers/staging/usbip/vhci.h
40547 --- linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-19 00:06:34.000000000 -0400
40548 +++ linux-2.6.39.3/drivers/staging/usbip/vhci.h 2011-05-22 19:36:32.000000000 -0400
40549 @@ -92,7 +92,7 @@ struct vhci_hcd {
40550 unsigned resuming:1;
40551 unsigned long re_timeout;
40552
40553 - atomic_t seqnum;
40554 + atomic_unchecked_t seqnum;
40555
40556 /*
40557 * NOTE:
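Review bot: The change to `atomic_unchecked_t seqnum;` is not explained at the field, and the reason matters because the value is not a statistic: the vhci_rx.c hunk shows URBs being looked up by seqnum. A comment such as `/* request sequence number, allowed to wrap; not a reference count */` would stop a later reader from taking the unchecked type as a pattern for real reference counts. Whether a wrapped value can collide with a request that is still pending is not visible in these hunks and is worth confirming.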
40558 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c
40559 --- linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-19 00:06:34.000000000 -0400
40560 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_hcd.c 2011-05-22 19:36:32.000000000 -0400
40561 @@ -536,7 +536,7 @@ static void vhci_tx_urb(struct urb *urb)
40562 return;
40563 }
40564
40565 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40566 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40567 if (priv->seqnum == 0xffff)
40568 usbip_uinfo("seqnum max\n");
40569
40570 @@ -795,7 +795,7 @@ static int vhci_urb_dequeue(struct usb_h
40571 return -ENOMEM;
40572 }
40573
40574 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40575 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40576 if (unlink->seqnum == 0xffff)
40577 usbip_uinfo("seqnum max\n");
40578
40579 @@ -992,7 +992,7 @@ static int vhci_start(struct usb_hcd *hc
40580 vdev->rhport = rhport;
40581 }
40582
40583 - atomic_set(&vhci->seqnum, 0);
40584 + atomic_set_unchecked(&vhci->seqnum, 0);
40585 spin_lock_init(&vhci->lock);
40586
40587
40588 diff -urNp linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c
40589 --- linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-19 00:06:34.000000000 -0400
40590 +++ linux-2.6.39.3/drivers/staging/usbip/vhci_rx.c 2011-05-22 19:36:32.000000000 -0400
40591 @@ -81,7 +81,7 @@ static void vhci_recv_ret_submit(struct
40592 usbip_uerr("cannot find a urb of seqnum %u\n",
40593 pdu->base.seqnum);
40594 usbip_uinfo("max seqnum %d\n",
40595 - atomic_read(&the_controller->seqnum));
40596 + atomic_read_unchecked(&the_controller->seqnum));
40597 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40598 return;
40599 }
40600 diff -urNp linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c
40601 --- linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-19 00:06:34.000000000 -0400
40602 +++ linux-2.6.39.3/drivers/staging/vme/devices/vme_user.c 2011-05-22 19:36:32.000000000 -0400
40603 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
40604 static int __devinit vme_user_probe(struct device *, int, int);
40605 static int __devexit vme_user_remove(struct device *, int, int);
40606
40607 -static struct file_operations vme_user_fops = {
40608 +static const struct file_operations vme_user_fops = {
40609 .open = vme_user_open,
40610 .release = vme_user_release,
40611 .read = vme_user_read,
40612 diff -urNp linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
40613 --- linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-19 00:06:34.000000000 -0400
40614 +++ linux-2.6.39.3/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-05-22 19:36:32.000000000 -0400
40615 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
40616
40617
40618 /*standard block device driver interface */
40619 -static struct block_device_operations cyasblkdev_bdops = {
40620 +static const struct block_device_operations cyasblkdev_bdops = {
40621 .open = cyasblkdev_blk_open,
40622 .release = cyasblkdev_blk_release,
40623 .ioctl = cyasblkdev_blk_ioctl,
40624 diff -urNp linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c
40625 --- linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-19 00:06:34.000000000 -0400
40626 +++ linux-2.6.39.3/drivers/staging/wlags49_h2/wl_netdev.c 2011-05-22 19:36:32.000000000 -0400
40627 @@ -474,7 +474,7 @@ static void wl_get_drvinfo(struct net_de
40628 }
40629 } // wl_get_drvinfo
40630
40631 -static struct ethtool_ops wl_ethtool_ops = {
40632 +static const struct ethtool_ops wl_ethtool_ops = {
40633 .get_drvinfo = wl_get_drvinfo,
40634 .get_link = ethtool_op_get_link,
40635 };
40636 diff -urNp linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c
40637 --- linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-19 00:06:34.000000000 -0400
40638 +++ linux-2.6.39.3/drivers/staging/wlan-ng/hfa384x_usb.c 2011-05-22 19:36:32.000000000 -0400
40639 @@ -671,7 +671,7 @@ struct usbctlx_cmd_completor {
40640 hfa384x_cmdresult_t *result;
40641 };
40642
40643 -static inline int usbctlx_cmd_completor_fn(struct usbctlx_completor *head)
40644 +static inline int usbctlx_cmd_completor_fn(const struct usbctlx_completor *head)
40645 {
40646 struct usbctlx_cmd_completor *complete;
40647
40648 @@ -705,7 +705,7 @@ struct usbctlx_rrid_completor {
40649 unsigned int riddatalen;
40650 };
40651
40652 -static int usbctlx_rrid_completor_fn(struct usbctlx_completor *head)
40653 +static int usbctlx_rrid_completor_fn(const struct usbctlx_completor *head)
40654 {
40655 struct usbctlx_rrid_completor *complete;
40656 hfa384x_rridresult_t rridresult;
40657 @@ -768,7 +768,7 @@ struct usbctlx_rmem_completor {
40658 };
40659 typedef struct usbctlx_rmem_completor usbctlx_rmem_completor_t;
40660
40661 -static int usbctlx_rmem_completor_fn(struct usbctlx_completor *head)
40662 +static int usbctlx_rmem_completor_fn(const struct usbctlx_completor *head)
40663 {
40664 usbctlx_rmem_completor_t *complete = (usbctlx_rmem_completor_t *) head;
40665
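Review bot: In `usbctlx_rmem_completor_fn` the newly const `head` is immediately cast to a non-const `usbctlx_rmem_completor_t *`. This discards the qualifier the hunk just added and hides any later write from the compiler. If the function only reads through `complete` (its body continues outside the hunk), keep the qualifier: `const usbctlx_rmem_completor_t *complete = (const usbctlx_rmem_completor_t *)head;`. The two earlier hunks also declare `complete` as a non-const pointer and probably need the same change where they assign it from `head`.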
40666 diff -urNp linux-2.6.39.3/drivers/staging/zcache/tmem.c linux-2.6.39.3/drivers/staging/zcache/tmem.c
40667 --- linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-19 00:06:34.000000000 -0400
40668 +++ linux-2.6.39.3/drivers/staging/zcache/tmem.c 2011-05-22 19:36:32.000000000 -0400
40669 @@ -39,7 +39,7 @@
40670 * A tmem host implementation must use this function to register callbacks
40671 * for memory allocation.
40672 */
40673 -static struct tmem_hostops tmem_hostops;
40674 +static const struct tmem_hostops tmem_hostops;
40675
40676 static void tmem_objnode_tree_init(void);
40677
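Review bot: `static const struct tmem_hostops tmem_hostops;` has no initializer, so it can only hold values if something writes to it. The registration function takes a non-const pointer that is presumably copied into this object (the body is outside both hunks), and a struct assignment into a const object does not compile. The same applies to `tmem_pamops` in the second hunk. Passing the now-const zcache.c tables to `tmem_register_pamops(struct tmem_pamops *m)` would also discard a qualifier. Making the parameters const, e.g. `void tmem_register_pamops(const struct tmem_pamops *m)`, and storing `const struct tmem_pamops *` pointers instead of copies would keep both the hardening and the build.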
40678 @@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
40679 * A tmem host implementation must use this function to register
40680 * callbacks for a page-accessible memory (PAM) implementation
40681 */
40682 -static struct tmem_pamops tmem_pamops;
40683 +static const struct tmem_pamops tmem_pamops;
40684
40685 void tmem_register_pamops(struct tmem_pamops *m)
40686 {
40687 diff -urNp linux-2.6.39.3/drivers/staging/zcache/zcache.c linux-2.6.39.3/drivers/staging/zcache/zcache.c
40688 --- linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-19 00:06:34.000000000 -0400
40689 +++ linux-2.6.39.3/drivers/staging/zcache/zcache.c 2011-05-22 19:36:32.000000000 -0400
40690 @@ -882,7 +882,7 @@ static void zcache_obj_free(struct tmem_
40691 kmem_cache_free(zcache_obj_cache, obj);
40692 }
40693
40694 -static struct tmem_hostops zcache_hostops = {
40695 +static const struct tmem_hostops zcache_hostops = {
40696 .obj_alloc = zcache_obj_alloc,
40697 .obj_free = zcache_obj_free,
40698 .objnode_alloc = zcache_objnode_alloc,
40699 @@ -987,7 +987,7 @@ static void zcache_pampd_free(void *pamp
40700 }
40701 }
40702
40703 -static struct tmem_pamops zcache_pamops = {
40704 +static const struct tmem_pamops zcache_pamops = {
40705 .create = zcache_pampd_create,
40706 .get_data = zcache_pampd_get_data,
40707 .free = zcache_pampd_free,
40708 diff -urNp linux-2.6.39.3/drivers/target/target_core_alua.c linux-2.6.39.3/drivers/target/target_core_alua.c
40709 --- linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-19 00:06:34.000000000 -0400
40710 +++ linux-2.6.39.3/drivers/target/target_core_alua.c 2011-05-22 19:36:32.000000000 -0400
40711 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
40712 char path[ALUA_METADATA_PATH_LEN];
40713 int len;
40714
40715 + pax_track_stack();
40716 +
40717 memset(path, 0, ALUA_METADATA_PATH_LEN);
40718
40719 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
40720 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
40721 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
40722 int len;
40723
40724 + pax_track_stack();
40725 +
40726 memset(path, 0, ALUA_METADATA_PATH_LEN);
40727 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
40728
40729 diff -urNp linux-2.6.39.3/drivers/target/target_core_cdb.c linux-2.6.39.3/drivers/target/target_core_cdb.c
40730 --- linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-19 00:06:34.000000000 -0400
40731 +++ linux-2.6.39.3/drivers/target/target_core_cdb.c 2011-05-22 19:36:32.000000000 -0400
40732 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
40733 int length = 0;
40734 unsigned char buf[SE_MODE_PAGE_BUF];
40735
40736 + pax_track_stack();
40737 +
40738 memset(buf, 0, SE_MODE_PAGE_BUF);
40739
40740 switch (cdb[2] & 0x3f) {
40741 diff -urNp linux-2.6.39.3/drivers/target/target_core_configfs.c linux-2.6.39.3/drivers/target/target_core_configfs.c
40742 --- linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-19 00:06:34.000000000 -0400
40743 +++ linux-2.6.39.3/drivers/target/target_core_configfs.c 2011-05-22 19:36:32.000000000 -0400
40744 @@ -1280,6 +1280,8 @@ static ssize_t target_core_dev_pr_show_a
40745 ssize_t len = 0;
40746 int reg_count = 0, prf_isid;
40747
40748 + pax_track_stack();
40749 +
40750 if (!(su_dev->se_dev_ptr))
40751 return -ENODEV;
40752
40753 @@ -2682,7 +2684,7 @@ static void target_core_alua_drop_tg_pt_
40754 config_item_put(item);
40755 }
40756
40757 -static struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40758 +static const struct configfs_group_operations target_core_alua_tg_pt_gps_group_ops = {
40759 .make_group = &target_core_alua_create_tg_pt_gp,
40760 .drop_item = &target_core_alua_drop_tg_pt_gp,
40761 };
40762 @@ -2726,7 +2728,7 @@ static void target_core_stat_rmdir(
40763 return;
40764 }
40765
40766 -static struct configfs_group_operations target_core_stat_group_ops = {
40767 +static const struct configfs_group_operations target_core_stat_group_ops = {
40768 .make_group = &target_core_stat_mkdir,
40769 .drop_item = &target_core_stat_rmdir,
40770 };
40771 @@ -2939,7 +2941,7 @@ static void target_core_drop_subdev(
40772 mutex_unlock(&hba->hba_access_mutex);
40773 }
40774
40775 -static struct configfs_group_operations target_core_hba_group_ops = {
40776 +static const struct configfs_group_operations target_core_hba_group_ops = {
40777 .make_group = target_core_make_subdev,
40778 .drop_item = target_core_drop_subdev,
40779 };
40780 @@ -3117,7 +3119,7 @@ static void target_core_call_delhbafromt
40781 config_item_put(item);
40782 }
40783
40784 -static struct configfs_group_operations target_core_group_ops = {
40785 +static const struct configfs_group_operations target_core_group_ops = {
40786 .make_group = target_core_call_addhbatotarget,
40787 .drop_item = target_core_call_delhbafromtarget,
40788 };
40789 diff -urNp linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c
40790 --- linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-19 00:06:34.000000000 -0400
40791 +++ linux-2.6.39.3/drivers/target/target_core_fabric_configfs.c 2011-05-22 19:36:32.000000000 -0400
40792 @@ -1174,7 +1174,7 @@ static void target_fabric_drop_wwn(
40793 config_item_put(item);
40794 }
40795
40796 -static struct configfs_group_operations target_fabric_wwn_group_ops = {
40797 +static const struct configfs_group_operations target_fabric_wwn_group_ops = {
40798 .make_group = target_fabric_make_wwn,
40799 .drop_item = target_fabric_drop_wwn,
40800 };
40801 diff -urNp linux-2.6.39.3/drivers/target/target_core_pr.c linux-2.6.39.3/drivers/target/target_core_pr.c
40802 --- linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-19 00:06:34.000000000 -0400
40803 +++ linux-2.6.39.3/drivers/target/target_core_pr.c 2011-05-22 19:36:32.000000000 -0400
40804 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
40805 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
40806 u16 tpgt;
40807
40808 + pax_track_stack();
40809 +
40810 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
40811 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
40812 /*
40813 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
40814 ssize_t len = 0;
40815 int reg_count = 0;
40816
40817 + pax_track_stack();
40818 +
40819 memset(buf, 0, pr_aptpl_buf_len);
40820 /*
40821 * Called to clear metadata once APTPL has been deactivated.
40822 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
40823 char path[512];
40824 int ret;
40825
40826 + pax_track_stack();
40827 +
40828 memset(iov, 0, sizeof(struct iovec));
40829 memset(path, 0, 512);
40830
40831 diff -urNp linux-2.6.39.3/drivers/target/target_core_tmr.c linux-2.6.39.3/drivers/target/target_core_tmr.c
40832 --- linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:04:14.000000000 -0400
40833 +++ linux-2.6.39.3/drivers/target/target_core_tmr.c 2011-06-03 00:32:07.000000000 -0400
40834 @@ -263,7 +263,7 @@ int core_tmr_lun_reset(
40835 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
40836 T_TASK(cmd)->t_task_cdbs,
40837 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40838 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40839 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40840 atomic_read(&T_TASK(cmd)->t_transport_active),
40841 atomic_read(&T_TASK(cmd)->t_transport_stop),
40842 atomic_read(&T_TASK(cmd)->t_transport_sent));
40843 @@ -305,7 +305,7 @@ int core_tmr_lun_reset(
40844 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
40845 " task: %p, t_fe_count: %d dev: %p\n", task,
40846 fe_count, dev);
40847 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40848 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40849 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
40850 flags);
40851 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40852 @@ -315,7 +315,7 @@ int core_tmr_lun_reset(
40853 }
40854 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
40855 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
40856 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
40857 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
40858 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
40859 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
40860
40861 diff -urNp linux-2.6.39.3/drivers/target/target_core_transport.c linux-2.6.39.3/drivers/target/target_core_transport.c
40862 --- linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:04:14.000000000 -0400
40863 +++ linux-2.6.39.3/drivers/target/target_core_transport.c 2011-06-03 00:32:07.000000000 -0400
40864 @@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
40865
40866 dev->queue_depth = dev_limits->queue_depth;
40867 atomic_set(&dev->depth_left, dev->queue_depth);
40868 - atomic_set(&dev->dev_ordered_id, 0);
40869 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
40870
40871 se_dev_set_default_attribs(dev, dev_limits);
40872
40873 @@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
40874 * Used to determine when ORDERED commands should go from
40875 * Dormant to Active status.
40876 */
40877 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
40878 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
40879 smp_mb__after_atomic_inc();
40880 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
40881 cmd->se_ordered_id, cmd->sam_task_attr,
40882 @@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
40883 " t_transport_active: %d t_transport_stop: %d"
40884 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
40885 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40886 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40887 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40888 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
40889 atomic_read(&T_TASK(cmd)->t_transport_active),
40890 atomic_read(&T_TASK(cmd)->t_transport_stop),
40891 @@ -2673,9 +2673,9 @@ check_depth:
40892 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
40893 atomic_set(&task->task_active, 1);
40894 atomic_set(&task->task_sent, 1);
40895 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
40896 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
40897
40898 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
40899 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
40900 T_TASK(cmd)->t_task_cdbs)
40901 atomic_set(&cmd->transport_sent, 1);
40902
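Review bot: `t_task_cdbs_sent` moves to the unchecked API here, but it is not a pure statistic: the next statement compares it with `T_TASK(cmd)->t_task_cdbs` to decide whether `transport_sent` is set. If the invariant is that the counter never exceeds `t_task_cdbs`, say so at this site, for example `/* bounded by t_task_cdbs, so overflow detection is not needed */`. The separate increment and read could also be one call, `if (atomic_inc_return_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) == T_TASK(cmd)->t_task_cdbs)`, which removes the window between the two operations. The enclosing function starts before the `check_depth:` label and ends outside the hunk.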
40903 @@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
40904 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
40905 }
40906 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
40907 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
40908 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
40909 goto remove;
40910
40911 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
40912 @@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
40913 {
40914 int ret = 0;
40915
40916 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
40917 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
40918 if (!(send_status) ||
40919 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
40920 return 1;
40921 @@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
40922 */
40923 if (cmd->data_direction == DMA_TO_DEVICE) {
40924 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
40925 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
40926 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
40927 smp_mb__after_atomic_inc();
40928 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
40929 transport_new_cmd_failure(cmd);
40930 @@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
40931 CMD_TFO(cmd)->get_task_tag(cmd),
40932 T_TASK(cmd)->t_task_cdbs,
40933 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
40934 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
40935 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
40936 atomic_read(&T_TASK(cmd)->t_transport_active),
40937 atomic_read(&T_TASK(cmd)->t_transport_stop),
40938 atomic_read(&T_TASK(cmd)->t_transport_sent));
40939 diff -urNp linux-2.6.39.3/drivers/telephony/ixj.c linux-2.6.39.3/drivers/telephony/ixj.c
40940 --- linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-19 00:06:34.000000000 -0400
40941 +++ linux-2.6.39.3/drivers/telephony/ixj.c 2011-05-22 19:36:32.000000000 -0400
40942 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40943 bool mContinue;
40944 char *pIn, *pOut;
40945
40946 + pax_track_stack();
40947 +
40948 if (!SCI_Prepare(j))
40949 return 0;
40950
40951 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_console.h linux-2.6.39.3/drivers/tty/hvc/hvc_console.h
40952 --- linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-19 00:06:34.000000000 -0400
40953 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_console.h 2011-05-22 19:36:32.000000000 -0400
40954 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
40955 /* register a vterm for hvc tty operation (module_init or hotplug add) */
40956 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
40957 const struct hv_ops *ops, int outbuf_size);
40958 +
40959 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
40960 extern int hvc_remove(struct hvc_struct *hp);
40961
40962 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c
40963 --- linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-19 00:06:34.000000000 -0400
40964 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_iucv.c 2011-05-22 19:36:32.000000000 -0400
40965 @@ -1203,7 +1203,7 @@ static int param_get_vmidfilter(char *bu
40966
40967 #define param_check_vmidfilter(name, p) __param_check(name, p, void)
40968
40969 -static struct kernel_param_ops param_ops_vmidfilter = {
40970 +static const struct kernel_param_ops param_ops_vmidfilter = {
40971 .set = param_set_vmidfilter,
40972 .get = param_get_vmidfilter,
40973 };
40974 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvcs.c linux-2.6.39.3/drivers/tty/hvc/hvcs.c
40975 --- linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-19 00:06:34.000000000 -0400
40976 +++ linux-2.6.39.3/drivers/tty/hvc/hvcs.c 2011-05-22 19:36:32.000000000 -0400
40977 @@ -83,6 +83,7 @@
40978 #include <asm/hvcserver.h>
40979 #include <asm/uaccess.h>
40980 #include <asm/vio.h>
40981 +#include <asm/local.h>
40982
40983 /*
40984 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
40985 @@ -270,7 +271,7 @@ struct hvcs_struct {
40986 unsigned int index;
40987
40988 struct tty_struct *tty;
40989 - int open_count;
40990 + local_t open_count;
40991
40992 /*
40993 * Used to tell the driver kernel_thread what operations need to take
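Review bot: `open_count` becomes a `local_t`, a type whose operations are, as far as I know, only guaranteed atomic with respect to the current CPU, yet the field is per-device state that any CPU may touch. Most converted sites visibly run under `hvcsd->lock` (hvcs_vterm_state_store, the fast_open path, hvcs_close, hvcs_hangup, hvcs_write), but hvcs_write_room in the hunk at -1428 reads it with no lock held. The declaration should state the rule, e.g. `local_t open_count; /* writers hold lock; local_t is not SMP-atomic on its own */`, and say why the type was changed if the intent is overflow detection. struct ipw_tty in drivers/tty/ipwireless/tty.c gets the same conversion, with `ipw_tty_mutex` as the apparent guard and several readers that do not take it.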
40994 @@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
40995
40996 spin_lock_irqsave(&hvcsd->lock, flags);
40997
40998 - if (hvcsd->open_count > 0) {
40999 + if (local_read(&hvcsd->open_count) > 0) {
41000 spin_unlock_irqrestore(&hvcsd->lock, flags);
41001 printk(KERN_INFO "HVCS: vterm state unchanged. "
41002 "The hvcs device node is still in use.\n");
41003 @@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
41004 if ((retval = hvcs_partner_connect(hvcsd)))
41005 goto error_release;
41006
41007 - hvcsd->open_count = 1;
41008 + local_set(&hvcsd->open_count, 1);
41009 hvcsd->tty = tty;
41010 tty->driver_data = hvcsd;
41011
41012 @@ -1179,7 +1180,7 @@ fast_open:
41013
41014 spin_lock_irqsave(&hvcsd->lock, flags);
41015 kref_get(&hvcsd->kref);
41016 - hvcsd->open_count++;
41017 + local_inc(&hvcsd->open_count);
41018 hvcsd->todo_mask |= HVCS_SCHED_READ;
41019 spin_unlock_irqrestore(&hvcsd->lock, flags);
41020
41021 @@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
41022 hvcsd = tty->driver_data;
41023
41024 spin_lock_irqsave(&hvcsd->lock, flags);
41025 - if (--hvcsd->open_count == 0) {
41026 + if (local_dec_and_test(&hvcsd->open_count)) {
41027
41028 vio_disable_interrupts(hvcsd->vdev);
41029
41030 @@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
41031 free_irq(irq, hvcsd);
41032 kref_put(&hvcsd->kref, destroy_hvcs_struct);
41033 return;
41034 - } else if (hvcsd->open_count < 0) {
41035 + } else if (local_read(&hvcsd->open_count) < 0) {
41036 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
41037 " is missmanaged.\n",
41038 - hvcsd->vdev->unit_address, hvcsd->open_count);
41039 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
41040 }
41041
41042 spin_unlock_irqrestore(&hvcsd->lock, flags);
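Review bot: The `printk` still formats the count with `%d`, but `local_read()` returns a `long`, so the format and its argument no longer match on 64-bit builds; the string should read `"HVCS: vty-server@%X open_count: %ld"`. The same widening reaches `temp_open_count = local_read(&hvcsd->open_count);` in hvcs_hangup (hunk at -1268), whose declaration is outside the patch context and is presumably still an `int`. hvcs_close starts before this hunk.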
41043 @@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
41044
41045 spin_lock_irqsave(&hvcsd->lock, flags);
41046 /* Preserve this so that we know how many kref refs to put */
41047 - temp_open_count = hvcsd->open_count;
41048 + temp_open_count = local_read(&hvcsd->open_count);
41049
41050 /*
41051 * Don't kref put inside the spinlock because the destruction
41052 @@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
41053 hvcsd->tty->driver_data = NULL;
41054 hvcsd->tty = NULL;
41055
41056 - hvcsd->open_count = 0;
41057 + local_set(&hvcsd->open_count, 0);
41058
41059 /* This will drop any buffered data on the floor which is OK in a hangup
41060 * scenario. */
41061 @@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
41062 * the middle of a write operation? This is a crummy place to do this
41063 * but we want to keep it all in the spinlock.
41064 */
41065 - if (hvcsd->open_count <= 0) {
41066 + if (local_read(&hvcsd->open_count) <= 0) {
41067 spin_unlock_irqrestore(&hvcsd->lock, flags);
41068 return -ENODEV;
41069 }
41070 @@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
41071 {
41072 struct hvcs_struct *hvcsd = tty->driver_data;
41073
41074 - if (!hvcsd || hvcsd->open_count <= 0)
41075 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
41076 return 0;
41077
41078 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
41079 diff -urNp linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c
41080 --- linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-19 00:06:34.000000000 -0400
41081 +++ linux-2.6.39.3/drivers/tty/hvc/hvc_xen.c 2011-05-22 19:36:32.000000000 -0400
41082 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
41083 return recv;
41084 }
41085
41086 -static struct hv_ops domU_hvc_ops = {
41087 +static const struct hv_ops domU_hvc_ops = {
41088 .get_chars = domU_read_console,
41089 .put_chars = domU_write_console,
41090 .notifier_add = notifier_add_irq,
41091 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
41092 return len;
41093 }
41094
41095 -static struct hv_ops dom0_hvc_ops = {
41096 +static const struct hv_ops dom0_hvc_ops = {
41097 .get_chars = dom0_read_console,
41098 .put_chars = dom0_write_console,
41099 .notifier_add = notifier_add_irq,
41100 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
41101 static int __init xen_hvc_init(void)
41102 {
41103 struct hvc_struct *hp;
41104 - struct hv_ops *ops;
41105 + const struct hv_ops *ops;
41106
41107 if (!xen_pv_domain())
41108 return -ENODEV;
41109 @@ -205,7 +205,7 @@ static void __exit xen_hvc_fini(void)
41110
41111 static int xen_cons_init(void)
41112 {
41113 - struct hv_ops *ops;
41114 + const struct hv_ops *ops;
41115
41116 if (!xen_pv_domain())
41117 return 0;
41118 diff -urNp linux-2.6.39.3/drivers/tty/ipwireless/tty.c linux-2.6.39.3/drivers/tty/ipwireless/tty.c
41119 --- linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-19 00:06:34.000000000 -0400
41120 +++ linux-2.6.39.3/drivers/tty/ipwireless/tty.c 2011-05-22 19:36:32.000000000 -0400
41121 @@ -29,6 +29,7 @@
41122 #include <linux/tty_driver.h>
41123 #include <linux/tty_flip.h>
41124 #include <linux/uaccess.h>
41125 +#include <asm/local.h>
41126
41127 #include "tty.h"
41128 #include "network.h"
41129 @@ -51,7 +52,7 @@ struct ipw_tty {
41130 int tty_type;
41131 struct ipw_network *network;
41132 struct tty_struct *linux_tty;
41133 - int open_count;
41134 + local_t open_count;
41135 unsigned int control_lines;
41136 struct mutex ipw_tty_mutex;
41137 int tx_bytes_queued;
41138 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
41139 mutex_unlock(&tty->ipw_tty_mutex);
41140 return -ENODEV;
41141 }
41142 - if (tty->open_count == 0)
41143 + if (local_read(&tty->open_count) == 0)
41144 tty->tx_bytes_queued = 0;
41145
41146 - tty->open_count++;
41147 + local_inc(&tty->open_count);
41148
41149 tty->linux_tty = linux_tty;
41150 linux_tty->driver_data = tty;
41151 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
41152
41153 static void do_ipw_close(struct ipw_tty *tty)
41154 {
41155 - tty->open_count--;
41156 -
41157 - if (tty->open_count == 0) {
41158 + if (local_dec_return(&tty->open_count) == 0) {
41159 struct tty_struct *linux_tty = tty->linux_tty;
41160
41161 if (linux_tty != NULL) {
41162 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
41163 return;
41164
41165 mutex_lock(&tty->ipw_tty_mutex);
41166 - if (tty->open_count == 0) {
41167 + if (local_read(&tty->open_count) == 0) {
41168 mutex_unlock(&tty->ipw_tty_mutex);
41169 return;
41170 }
41171 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
41172 return;
41173 }
41174
41175 - if (!tty->open_count) {
41176 + if (!local_read(&tty->open_count)) {
41177 mutex_unlock(&tty->ipw_tty_mutex);
41178 return;
41179 }
41180 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
41181 return -ENODEV;
41182
41183 mutex_lock(&tty->ipw_tty_mutex);
41184 - if (!tty->open_count) {
41185 + if (!local_read(&tty->open_count)) {
41186 mutex_unlock(&tty->ipw_tty_mutex);
41187 return -EINVAL;
41188 }
41189 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
41190 if (!tty)
41191 return -ENODEV;
41192
41193 - if (!tty->open_count)
41194 + if (!local_read(&tty->open_count))
41195 return -EINVAL;
41196
41197 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
41198 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
41199 if (!tty)
41200 return 0;
41201
41202 - if (!tty->open_count)
41203 + if (!local_read(&tty->open_count))
41204 return 0;
41205
41206 return tty->tx_bytes_queued;
41207 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
41208 if (!tty)
41209 return -ENODEV;
41210
41211 - if (!tty->open_count)
41212 + if (!local_read(&tty->open_count))
41213 return -EINVAL;
41214
41215 return get_control_lines(tty);
41216 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
41217 if (!tty)
41218 return -ENODEV;
41219
41220 - if (!tty->open_count)
41221 + if (!local_read(&tty->open_count))
41222 return -EINVAL;
41223
41224 return set_control_lines(tty, set, clear);
41225 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
41226 if (!tty)
41227 return -ENODEV;
41228
41229 - if (!tty->open_count)
41230 + if (!local_read(&tty->open_count))
41231 return -EINVAL;
41232
41233 /* FIXME: Exactly how is the tty object locked here .. */
41234 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
41235 against a parallel ioctl etc */
41236 mutex_lock(&ttyj->ipw_tty_mutex);
41237 }
41238 - while (ttyj->open_count)
41239 + while (local_read(&ttyj->open_count))
41240 do_ipw_close(ttyj);
41241 ipwireless_disassociate_network_ttys(network,
41242 ttyj->channel_idx);
41243 diff -urNp linux-2.6.39.3/drivers/tty/mxser.c linux-2.6.39.3/drivers/tty/mxser.c
41244 --- linux-2.6.39.3/drivers/tty/mxser.c 2011-05-19 00:06:34.000000000 -0400
41245 +++ linux-2.6.39.3/drivers/tty/mxser.c 2011-05-22 19:36:32.000000000 -0400
41246 @@ -2340,7 +2340,7 @@ static const struct tty_operations mxser
41247 .get_icount = mxser_get_icount,
41248 };
41249
41250 -struct tty_port_operations mxser_port_ops = {
41251 +const struct tty_port_operations mxser_port_ops = {
41252 .carrier_raised = mxser_carrier_raised,
41253 .dtr_rts = mxser_dtr_rts,
41254 .activate = mxser_activate,
41255 diff -urNp linux-2.6.39.3/drivers/tty/n_gsm.c linux-2.6.39.3/drivers/tty/n_gsm.c
41256 --- linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-19 00:06:34.000000000 -0400
41257 +++ linux-2.6.39.3/drivers/tty/n_gsm.c 2011-05-22 19:36:32.000000000 -0400
41258 @@ -1588,7 +1588,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
41259 return NULL;
41260 spin_lock_init(&dlci->lock);
41261 dlci->fifo = &dlci->_fifo;
41262 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
41263 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
41264 kfree(dlci);
41265 return NULL;
41266 }
41267 diff -urNp linux-2.6.39.3/drivers/tty/n_tty.c linux-2.6.39.3/drivers/tty/n_tty.c
41268 --- linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-19 00:06:34.000000000 -0400
41269 +++ linux-2.6.39.3/drivers/tty/n_tty.c 2011-05-22 19:36:32.000000000 -0400
41270 @@ -2122,6 +2122,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
41271 {
41272 *ops = tty_ldisc_N_TTY;
41273 ops->owner = NULL;
41274 - ops->refcount = ops->flags = 0;
41275 + atomic_set(&ops->refcount, 0);
41276 + ops->flags = 0;
41277 }
41278 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
41279 diff -urNp linux-2.6.39.3/drivers/tty/pty.c linux-2.6.39.3/drivers/tty/pty.c
41280 --- linux-2.6.39.3/drivers/tty/pty.c 2011-05-19 00:06:34.000000000 -0400
41281 +++ linux-2.6.39.3/drivers/tty/pty.c 2011-05-22 19:36:32.000000000 -0400
41282 @@ -699,7 +699,18 @@ out:
41283 return retval;
41284 }
41285
41286 -static struct file_operations ptmx_fops;
41287 +static const struct file_operations ptmx_fops = {
41288 + .llseek = no_llseek,
41289 + .read = tty_read,
41290 + .write = tty_write,
41291 + .poll = tty_poll,
41292 + .unlocked_ioctl = tty_ioctl,
41293 + .compat_ioctl = tty_compat_ioctl,
41294 + .open = ptmx_open,
41295 + .release = tty_release,
41296 + .fasync = tty_fasync,
41297 +};
41298 +
41299
41300 static void __init unix98_pty_init(void)
41301 {
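Review bot: The new initializer copies the tty core's file_operations by hand, so `ptmx_fops` no longer follows `tty_default_fops()` and will silently diverge if a handler is added or changed there. A comment above it such as `/* keep in sync with tty_fops in tty_io.c; only .open differs */` is needed. It also names `tty_read`, `tty_write`, `tty_poll`, `tty_ioctl`, `tty_compat_ioctl`, `tty_release` and `tty_fasync` directly, which only builds if each is declared outside tty_io.c by another part of the patch. `.compat_ioctl = tty_compat_ioctl` may additionally need a `CONFIG_COMPAT` guard if that function is still built conditionally. Neither is visible here.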
41302 @@ -752,10 +763,6 @@ static void __init unix98_pty_init(void)
41303
41304 register_sysctl_table(pty_root_table);
41305
41306 - /* Now create the /dev/ptmx special device */
41307 - tty_default_fops(&ptmx_fops);
41308 - ptmx_fops.open = ptmx_open;
41309 -
41310 cdev_init(&ptmx_cdev, &ptmx_fops);
41311 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
41312 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
41313 diff -urNp linux-2.6.39.3/drivers/tty/rocket.c linux-2.6.39.3/drivers/tty/rocket.c
41314 --- linux-2.6.39.3/drivers/tty/rocket.c 2011-05-19 00:06:34.000000000 -0400
41315 +++ linux-2.6.39.3/drivers/tty/rocket.c 2011-05-22 19:36:32.000000000 -0400
41316 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
41317 struct rocket_ports tmp;
41318 int board;
41319
41320 + pax_track_stack();
41321 +
41322 if (!retports)
41323 return -EFAULT;
41324 memset(&tmp, 0, sizeof (tmp));
41325 diff -urNp linux-2.6.39.3/drivers/tty/serial/21285.c linux-2.6.39.3/drivers/tty/serial/21285.c
41326 --- linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-19 00:06:34.000000000 -0400
41327 +++ linux-2.6.39.3/drivers/tty/serial/21285.c 2011-05-22 19:36:32.000000000 -0400
41328 @@ -340,7 +340,7 @@ static int serial21285_verify_port(struc
41329 return ret;
41330 }
41331
41332 -static struct uart_ops serial21285_ops = {
41333 +static const struct uart_ops serial21285_ops = {
41334 .tx_empty = serial21285_tx_empty,
41335 .get_mctrl = serial21285_get_mctrl,
41336 .set_mctrl = serial21285_set_mctrl,
41337 diff -urNp linux-2.6.39.3/drivers/tty/serial/8250.c linux-2.6.39.3/drivers/tty/serial/8250.c
41338 --- linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-19 00:06:34.000000000 -0400
41339 +++ linux-2.6.39.3/drivers/tty/serial/8250.c 2011-05-22 19:36:32.000000000 -0400
41340 @@ -2708,7 +2708,7 @@ serial8250_type(struct uart_port *port)
41341 return uart_config[type].name;
41342 }
41343
41344 -static struct uart_ops serial8250_pops = {
41345 +static const struct uart_ops serial8250_pops = {
41346 .tx_empty = serial8250_tx_empty,
41347 .set_mctrl = serial8250_set_mctrl,
41348 .get_mctrl = serial8250_get_mctrl,
41349 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c
41350 --- linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-19 00:06:34.000000000 -0400
41351 +++ linux-2.6.39.3/drivers/tty/serial/altera_jtaguart.c 2011-05-22 19:36:32.000000000 -0400
41352 @@ -281,7 +281,7 @@ static int altera_jtaguart_verify_port(s
41353 /*
41354 * Define the basic serial functions we support.
41355 */
41356 -static struct uart_ops altera_jtaguart_ops = {
41357 +static const struct uart_ops altera_jtaguart_ops = {
41358 .tx_empty = altera_jtaguart_tx_empty,
41359 .get_mctrl = altera_jtaguart_get_mctrl,
41360 .set_mctrl = altera_jtaguart_set_mctrl,
41361 diff -urNp linux-2.6.39.3/drivers/tty/serial/altera_uart.c linux-2.6.39.3/drivers/tty/serial/altera_uart.c
41362 --- linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-19 00:06:34.000000000 -0400
41363 +++ linux-2.6.39.3/drivers/tty/serial/altera_uart.c 2011-05-22 19:36:32.000000000 -0400
41364 @@ -380,7 +380,7 @@ static int altera_uart_verify_port(struc
41365 /*
41366 * Define the basic serial functions we support.
41367 */
41368 -static struct uart_ops altera_uart_ops = {
41369 +static const struct uart_ops altera_uart_ops = {
41370 .tx_empty = altera_uart_tx_empty,
41371 .get_mctrl = altera_uart_get_mctrl,
41372 .set_mctrl = altera_uart_set_mctrl,
41373 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl010.c linux-2.6.39.3/drivers/tty/serial/amba-pl010.c
41374 --- linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-19 00:06:34.000000000 -0400
41375 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl010.c 2011-05-22 19:36:32.000000000 -0400
41376 @@ -529,7 +529,7 @@ static int pl010_verify_port(struct uart
41377 return ret;
41378 }
41379
41380 -static struct uart_ops amba_pl010_pops = {
41381 +static const struct uart_ops amba_pl010_pops = {
41382 .tx_empty = pl010_tx_empty,
41383 .set_mctrl = pl010_set_mctrl,
41384 .get_mctrl = pl010_get_mctrl,
41385 diff -urNp linux-2.6.39.3/drivers/tty/serial/amba-pl011.c linux-2.6.39.3/drivers/tty/serial/amba-pl011.c
41386 --- linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-19 00:06:34.000000000 -0400
41387 +++ linux-2.6.39.3/drivers/tty/serial/amba-pl011.c 2011-05-22 19:36:32.000000000 -0400
41388 @@ -1581,7 +1581,7 @@ static int pl010_verify_port(struct uart
41389 return ret;
41390 }
41391
41392 -static struct uart_ops amba_pl011_pops = {
41393 +static const struct uart_ops amba_pl011_pops = {
41394 .tx_empty = pl01x_tx_empty,
41395 .set_mctrl = pl011_set_mctrl,
41396 .get_mctrl = pl01x_get_mctrl,
41397 diff -urNp linux-2.6.39.3/drivers/tty/serial/apbuart.c linux-2.6.39.3/drivers/tty/serial/apbuart.c
41398 --- linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-19 00:06:34.000000000 -0400
41399 +++ linux-2.6.39.3/drivers/tty/serial/apbuart.c 2011-05-22 19:36:32.000000000 -0400
41400 @@ -328,7 +328,7 @@ static int apbuart_verify_port(struct ua
41401 return ret;
41402 }
41403
41404 -static struct uart_ops grlib_apbuart_ops = {
41405 +static const struct uart_ops grlib_apbuart_ops = {
41406 .tx_empty = apbuart_tx_empty,
41407 .set_mctrl = apbuart_set_mctrl,
41408 .get_mctrl = apbuart_get_mctrl,
41409 diff -urNp linux-2.6.39.3/drivers/tty/serial/atmel_serial.c linux-2.6.39.3/drivers/tty/serial/atmel_serial.c
41410 --- linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-19 00:06:34.000000000 -0400
41411 +++ linux-2.6.39.3/drivers/tty/serial/atmel_serial.c 2011-05-22 19:36:32.000000000 -0400
41412 @@ -1382,7 +1382,7 @@ atmel_ioctl(struct uart_port *port, unsi
41413
41414
41415
41416 -static struct uart_ops atmel_pops = {
41417 +static const struct uart_ops atmel_pops = {
41418 .tx_empty = atmel_tx_empty,
41419 .set_mctrl = atmel_set_mctrl,
41420 .get_mctrl = atmel_get_mctrl,
41421 diff -urNp linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c
41422 --- linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41423 +++ linux-2.6.39.3/drivers/tty/serial/bcm63xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41424 @@ -636,7 +636,7 @@ static int bcm_uart_verify_port(struct u
41425 }
41426
41427 /* serial core callbacks */
41428 -static struct uart_ops bcm_uart_ops = {
41429 +static const struct uart_ops bcm_uart_ops = {
41430 .tx_empty = bcm_uart_tx_empty,
41431 .get_mctrl = bcm_uart_get_mctrl,
41432 .set_mctrl = bcm_uart_set_mctrl,
41433 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c
41434 --- linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-19 00:06:34.000000000 -0400
41435 +++ linux-2.6.39.3/drivers/tty/serial/bfin_5xx.c 2011-05-22 19:36:32.000000000 -0400
41436 @@ -1036,7 +1036,7 @@ static int bfin_kgdboc_port_startup(stru
41437 }
41438 #endif
41439
41440 -static struct uart_ops bfin_serial_pops = {
41441 +static const struct uart_ops bfin_serial_pops = {
41442 .tx_empty = bfin_serial_tx_empty,
41443 .set_mctrl = bfin_serial_set_mctrl,
41444 .get_mctrl = bfin_serial_get_mctrl,
41445 diff -urNp linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c
41446 --- linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-19 00:06:34.000000000 -0400
41447 +++ linux-2.6.39.3/drivers/tty/serial/bfin_sport_uart.c 2011-05-22 19:36:32.000000000 -0400
41448 @@ -571,7 +571,7 @@ static void sport_set_termios(struct uar
41449 spin_unlock_irqrestore(&up->port.lock, flags);
41450 }
41451
41452 -struct uart_ops sport_uart_ops = {
41453 +const struct uart_ops sport_uart_ops = {
41454 .tx_empty = sport_tx_empty,
41455 .set_mctrl = sport_set_mctrl,
41456 .get_mctrl = sport_get_mctrl,
41457 diff -urNp linux-2.6.39.3/drivers/tty/serial/clps711x.c linux-2.6.39.3/drivers/tty/serial/clps711x.c
41458 --- linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-19 00:06:34.000000000 -0400
41459 +++ linux-2.6.39.3/drivers/tty/serial/clps711x.c 2011-05-22 19:36:32.000000000 -0400
41460 @@ -380,7 +380,7 @@ static int clps711xuart_request_port(str
41461 return 0;
41462 }
41463
41464 -static struct uart_ops clps711x_pops = {
41465 +static const struct uart_ops clps711x_pops = {
41466 .tx_empty = clps711xuart_tx_empty,
41467 .set_mctrl = clps711xuart_set_mctrl_null,
41468 .get_mctrl = clps711xuart_get_mctrl,
41469 diff -urNp linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c
41470 --- linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-19 00:06:34.000000000 -0400
41471 +++ linux-2.6.39.3/drivers/tty/serial/cpm_uart/cpm_uart_core.c 2011-05-22 19:36:32.000000000 -0400
41472 @@ -1099,7 +1099,7 @@ static void cpm_put_poll_char(struct uar
41473 }
41474 #endif /* CONFIG_CONSOLE_POLL */
41475
41476 -static struct uart_ops cpm_uart_pops = {
41477 +static const struct uart_ops cpm_uart_pops = {
41478 .tx_empty = cpm_uart_tx_empty,
41479 .set_mctrl = cpm_uart_set_mctrl,
41480 .get_mctrl = cpm_uart_get_mctrl,
41481 diff -urNp linux-2.6.39.3/drivers/tty/serial/dz.c linux-2.6.39.3/drivers/tty/serial/dz.c
41482 --- linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-19 00:06:34.000000000 -0400
41483 +++ linux-2.6.39.3/drivers/tty/serial/dz.c 2011-05-22 19:36:32.000000000 -0400
41484 @@ -746,7 +746,7 @@ static int dz_verify_port(struct uart_po
41485 return ret;
41486 }
41487
41488 -static struct uart_ops dz_ops = {
41489 +static const struct uart_ops dz_ops = {
41490 .tx_empty = dz_tx_empty,
41491 .get_mctrl = dz_get_mctrl,
41492 .set_mctrl = dz_set_mctrl,
41493 diff -urNp linux-2.6.39.3/drivers/tty/serial/imx.c linux-2.6.39.3/drivers/tty/serial/imx.c
41494 --- linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-19 00:06:34.000000000 -0400
41495 +++ linux-2.6.39.3/drivers/tty/serial/imx.c 2011-05-22 19:36:32.000000000 -0400
41496 @@ -1018,7 +1018,7 @@ imx_verify_port(struct uart_port *port,
41497 return ret;
41498 }
41499
41500 -static struct uart_ops imx_pops = {
41501 +static const struct uart_ops imx_pops = {
41502 .tx_empty = imx_tx_empty,
41503 .set_mctrl = imx_set_mctrl,
41504 .get_mctrl = imx_get_mctrl,
41505 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c
41506 --- linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-19 00:06:34.000000000 -0400
41507 +++ linux-2.6.39.3/drivers/tty/serial/ioc3_serial.c 2011-05-22 19:36:32.000000000 -0400
41508 @@ -1874,7 +1874,7 @@ static int ic3_request_port(struct uart_
41509 }
41510
41511 /* Associate the uart functions above - given to serial core */
41512 -static struct uart_ops ioc3_ops = {
41513 +static const struct uart_ops ioc3_ops = {
41514 .tx_empty = ic3_tx_empty,
41515 .set_mctrl = ic3_set_mctrl,
41516 .get_mctrl = ic3_get_mctrl,
41517 diff -urNp linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c
41518 --- linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-19 00:06:34.000000000 -0400
41519 +++ linux-2.6.39.3/drivers/tty/serial/ioc4_serial.c 2011-05-22 19:36:32.000000000 -0400
41520 @@ -2593,7 +2593,7 @@ static int ic4_request_port(struct uart_
41521
41522 /* Associate the uart functions above - given to serial core */
41523
41524 -static struct uart_ops ioc4_ops = {
41525 +static const struct uart_ops ioc4_ops = {
41526 .tx_empty = ic4_tx_empty,
41527 .set_mctrl = ic4_set_mctrl,
41528 .get_mctrl = ic4_get_mctrl,
41529 diff -urNp linux-2.6.39.3/drivers/tty/serial/ip22zilog.c linux-2.6.39.3/drivers/tty/serial/ip22zilog.c
41530 --- linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-19 00:06:34.000000000 -0400
41531 +++ linux-2.6.39.3/drivers/tty/serial/ip22zilog.c 2011-05-22 19:36:32.000000000 -0400
41532 @@ -928,7 +928,7 @@ static int ip22zilog_verify_port(struct
41533 return -EINVAL;
41534 }
41535
41536 -static struct uart_ops ip22zilog_pops = {
41537 +static const struct uart_ops ip22zilog_pops = {
41538 .tx_empty = ip22zilog_tx_empty,
41539 .set_mctrl = ip22zilog_set_mctrl,
41540 .get_mctrl = ip22zilog_get_mctrl,
41541 diff -urNp linux-2.6.39.3/drivers/tty/serial/kgdboc.c linux-2.6.39.3/drivers/tty/serial/kgdboc.c
41542 --- linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-19 00:06:34.000000000 -0400
41543 +++ linux-2.6.39.3/drivers/tty/serial/kgdboc.c 2011-05-22 19:36:32.000000000 -0400
41544 @@ -22,7 +22,7 @@
41545
41546 #define MAX_CONFIG_LEN 40
41547
41548 -static struct kgdb_io kgdboc_io_ops;
41549 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
41550
41551 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
41552 static int configured = -1;
41553 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
41554 kgdboc_restore_input();
41555 }
41556
41557 -static struct kgdb_io kgdboc_io_ops = {
41558 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
41559 .name = "kgdboc",
41560 .read_char = kgdboc_get_char,
41561 .write_char = kgdboc_put_char,
41562 diff -urNp linux-2.6.39.3/drivers/tty/serial/m32r_sio.c linux-2.6.39.3/drivers/tty/serial/m32r_sio.c
41563 --- linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-19 00:06:34.000000000 -0400
41564 +++ linux-2.6.39.3/drivers/tty/serial/m32r_sio.c 2011-05-22 19:36:32.000000000 -0400
41565 @@ -939,7 +939,7 @@ m32r_sio_type(struct uart_port *port)
41566 return uart_config[type].name;
41567 }
41568
41569 -static struct uart_ops m32r_sio_pops = {
41570 +static const struct uart_ops m32r_sio_pops = {
41571 .tx_empty = m32r_sio_tx_empty,
41572 .set_mctrl = m32r_sio_set_mctrl,
41573 .get_mctrl = m32r_sio_get_mctrl,
41574 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3100.c linux-2.6.39.3/drivers/tty/serial/max3100.c
41575 --- linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-19 00:06:34.000000000 -0400
41576 +++ linux-2.6.39.3/drivers/tty/serial/max3100.c 2011-05-22 19:36:32.000000000 -0400
41577 @@ -710,7 +710,7 @@ static void max3100_break_ctl(struct uar
41578 dev_dbg(&s->spi->dev, "%s\n", __func__);
41579 }
41580
41581 -static struct uart_ops max3100_ops = {
41582 +static const struct uart_ops max3100_ops = {
41583 .tx_empty = max3100_tx_empty,
41584 .set_mctrl = max3100_set_mctrl,
41585 .get_mctrl = max3100_get_mctrl,
41586 diff -urNp linux-2.6.39.3/drivers/tty/serial/max3107.c linux-2.6.39.3/drivers/tty/serial/max3107.c
41587 --- linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-19 00:06:34.000000000 -0400
41588 +++ linux-2.6.39.3/drivers/tty/serial/max3107.c 2011-05-22 19:36:32.000000000 -0400
41589 @@ -910,7 +910,7 @@ static void max3107_break_ctl(struct uar
41590
41591
41592 /* Port functions */
41593 -static struct uart_ops max3107_ops = {
41594 +static const struct uart_ops max3107_ops = {
41595 .tx_empty = max3107_tx_empty,
41596 .set_mctrl = max3107_set_mctrl,
41597 .get_mctrl = max3107_get_mctrl,
41598 diff -urNp linux-2.6.39.3/drivers/tty/serial/mfd.c linux-2.6.39.3/drivers/tty/serial/mfd.c
41599 --- linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-19 00:06:34.000000000 -0400
41600 +++ linux-2.6.39.3/drivers/tty/serial/mfd.c 2011-05-22 19:36:32.000000000 -0400
41601 @@ -1178,7 +1178,7 @@ static struct console serial_hsu_console
41602 };
41603 #endif
41604
41605 -struct uart_ops serial_hsu_pops = {
41606 +const struct uart_ops serial_hsu_pops = {
41607 .tx_empty = serial_hsu_tx_empty,
41608 .set_mctrl = serial_hsu_set_mctrl,
41609 .get_mctrl = serial_hsu_get_mctrl,
41610 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c
41611 --- linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-19 00:06:34.000000000 -0400
41612 +++ linux-2.6.39.3/drivers/tty/serial/mpc52xx_uart.c 2011-05-22 19:36:32.000000000 -0400
41613 @@ -283,7 +283,7 @@ static irqreturn_t mpc52xx_psc_handle_ir
41614 return mpc5xxx_uart_process_int(port);
41615 }
41616
41617 -static struct psc_ops mpc52xx_psc_ops = {
41618 +static const struct psc_ops mpc52xx_psc_ops = {
41619 .fifo_init = mpc52xx_psc_fifo_init,
41620 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41621 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41622 @@ -304,7 +304,7 @@ static struct psc_ops mpc52xx_psc_ops =
41623 .handle_irq = mpc52xx_psc_handle_irq,
41624 };
41625
41626 -static struct psc_ops mpc5200b_psc_ops = {
41627 +static const struct psc_ops mpc5200b_psc_ops = {
41628 .fifo_init = mpc52xx_psc_fifo_init,
41629 .raw_rx_rdy = mpc52xx_psc_raw_rx_rdy,
41630 .raw_tx_rdy = mpc52xx_psc_raw_tx_rdy,
41631 @@ -571,7 +571,7 @@ static void mpc512x_psc_get_irq(struct u
41632 port->irq = psc_fifoc_irq;
41633 }
41634
41635 -static struct psc_ops mpc512x_psc_ops = {
41636 +static const struct psc_ops mpc512x_psc_ops = {
41637 .fifo_init = mpc512x_psc_fifo_init,
41638 .raw_rx_rdy = mpc512x_psc_raw_rx_rdy,
41639 .raw_tx_rdy = mpc512x_psc_raw_tx_rdy,
41640 @@ -596,7 +596,7 @@ static struct psc_ops mpc512x_psc_ops =
41641 };
41642 #endif
41643
41644 -static struct psc_ops *psc_ops;
41645 +static const struct psc_ops *psc_ops;
41646
41647 /* ======================================================================== */
41648 /* UART operations */
41649 @@ -905,7 +905,7 @@ mpc52xx_uart_verify_port(struct uart_por
41650 }
41651
41652
41653 -static struct uart_ops mpc52xx_uart_ops = {
41654 +static const struct uart_ops mpc52xx_uart_ops = {
41655 .tx_empty = mpc52xx_uart_tx_empty,
41656 .set_mctrl = mpc52xx_uart_set_mctrl,
41657 .get_mctrl = mpc52xx_uart_get_mctrl,
41658 diff -urNp linux-2.6.39.3/drivers/tty/serial/mpsc.c linux-2.6.39.3/drivers/tty/serial/mpsc.c
41659 --- linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-19 00:06:34.000000000 -0400
41660 +++ linux-2.6.39.3/drivers/tty/serial/mpsc.c 2011-05-22 19:36:32.000000000 -0400
41661 @@ -1663,7 +1663,7 @@ static void mpsc_put_poll_char(struct ua
41662 }
41663 #endif
41664
41665 -static struct uart_ops mpsc_pops = {
41666 +static const struct uart_ops mpsc_pops = {
41667 .tx_empty = mpsc_tx_empty,
41668 .set_mctrl = mpsc_set_mctrl,
41669 .get_mctrl = mpsc_get_mctrl,
41670 diff -urNp linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c
41671 --- linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-19 00:06:34.000000000 -0400
41672 +++ linux-2.6.39.3/drivers/tty/serial/mrst_max3110.c 2011-05-22 19:36:32.000000000 -0400
41673 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
41674 int loop = 1, num, total = 0;
41675 u8 recv_buf[512], *pbuf;
41676
41677 + pax_track_stack();
41678 +
41679 pbuf = recv_buf;
41680 do {
41681 num = max3110_read_multi(max, pbuf);
41682 @@ -726,7 +728,7 @@ static void serial_m3110_enable_ms(struc
41683 {
41684 }
41685
41686 -struct uart_ops serial_m3110_ops = {
41687 +const struct uart_ops serial_m3110_ops = {
41688 .tx_empty = serial_m3110_tx_empty,
41689 .set_mctrl = serial_m3110_set_mctrl,
41690 .get_mctrl = serial_m3110_get_mctrl,
41691 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial.c linux-2.6.39.3/drivers/tty/serial/msm_serial.c
41692 --- linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-19 00:06:34.000000000 -0400
41693 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial.c 2011-05-22 19:36:32.000000000 -0400
41694 @@ -702,7 +702,7 @@ static void msm_power(struct uart_port *
41695 }
41696 }
41697
41698 -static struct uart_ops msm_uart_pops = {
41699 +static const struct uart_ops msm_uart_pops = {
41700 .tx_empty = msm_tx_empty,
41701 .set_mctrl = msm_set_mctrl,
41702 .get_mctrl = msm_get_mctrl,
41703 diff -urNp linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c
41704 --- linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-19 00:06:34.000000000 -0400
41705 +++ linux-2.6.39.3/drivers/tty/serial/msm_serial_hs.c 2011-05-22 19:36:32.000000000 -0400
41706 @@ -360,7 +360,7 @@ struct msm_hs_port {
41707 static struct msm_hs_port q_uart_port[UARTDM_NR];
41708 static struct platform_driver msm_serial_hs_platform_driver;
41709 static struct uart_driver msm_hs_driver;
41710 -static struct uart_ops msm_hs_ops;
41711 +static const struct uart_ops msm_hs_ops;
41712 static struct workqueue_struct *msm_hs_workqueue;
41713
41714 #define UARTDM_TO_MSM(uart_port) \
41715 @@ -1856,7 +1856,7 @@ static struct uart_driver msm_hs_driver
41716 .cons = 0,
41717 };
41718
41719 -static struct uart_ops msm_hs_ops = {
41720 +static const struct uart_ops msm_hs_ops = {
41721 .tx_empty = msm_hs_tx_empty,
41722 .set_mctrl = msm_hs_set_mctrl_locked,
41723 .get_mctrl = msm_hs_get_mctrl_locked,
41724 diff -urNp linux-2.6.39.3/drivers/tty/serial/mux.c linux-2.6.39.3/drivers/tty/serial/mux.c
41725 --- linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-19 00:06:34.000000000 -0400
41726 +++ linux-2.6.39.3/drivers/tty/serial/mux.c 2011-05-22 19:36:32.000000000 -0400
41727 @@ -442,7 +442,7 @@ static struct console mux_console = {
41728 #define MUX_CONSOLE NULL
41729 #endif
41730
41731 -static struct uart_ops mux_pops = {
41732 +static const struct uart_ops mux_pops = {
41733 .tx_empty = mux_tx_empty,
41734 .set_mctrl = mux_set_mctrl,
41735 .get_mctrl = mux_get_mctrl,
41736 diff -urNp linux-2.6.39.3/drivers/tty/serial/mxs-auart.c linux-2.6.39.3/drivers/tty/serial/mxs-auart.c
41737 --- linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-19 00:06:34.000000000 -0400
41738 +++ linux-2.6.39.3/drivers/tty/serial/mxs-auart.c 2011-05-22 19:36:32.000000000 -0400
41739 @@ -499,7 +499,7 @@ static void mxs_auart_enable_ms(struct u
41740 /* just empty */
41741 }
41742
41743 -static struct uart_ops mxs_auart_ops = {
41744 +static const struct uart_ops mxs_auart_ops = {
41745 .tx_empty = mxs_auart_tx_empty,
41746 .start_tx = mxs_auart_start_tx,
41747 .stop_tx = mxs_auart_stop_tx,
41748 diff -urNp linux-2.6.39.3/drivers/tty/serial/netx-serial.c linux-2.6.39.3/drivers/tty/serial/netx-serial.c
41749 --- linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-19 00:06:34.000000000 -0400
41750 +++ linux-2.6.39.3/drivers/tty/serial/netx-serial.c 2011-05-22 19:36:32.000000000 -0400
41751 @@ -464,7 +464,7 @@ netx_verify_port(struct uart_port *port,
41752 return ret;
41753 }
41754
41755 -static struct uart_ops netx_pops = {
41756 +static const struct uart_ops netx_pops = {
41757 .tx_empty = netx_tx_empty,
41758 .set_mctrl = netx_set_mctrl,
41759 .get_mctrl = netx_get_mctrl,
41760 diff -urNp linux-2.6.39.3/drivers/tty/serial/nwpserial.c linux-2.6.39.3/drivers/tty/serial/nwpserial.c
41761 --- linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-19 00:06:34.000000000 -0400
41762 +++ linux-2.6.39.3/drivers/tty/serial/nwpserial.c 2011-05-22 19:36:32.000000000 -0400
41763 @@ -303,7 +303,7 @@ static unsigned int nwpserial_tx_empty(s
41764 return ret & UART_LSR_TEMT ? TIOCSER_TEMT : 0;
41765 }
41766
41767 -static struct uart_ops nwpserial_pops = {
41768 +static const struct uart_ops nwpserial_pops = {
41769 .tx_empty = nwpserial_tx_empty,
41770 .set_mctrl = nwpserial_set_mctrl,
41771 .get_mctrl = nwpserial_get_mctrl,
41772 diff -urNp linux-2.6.39.3/drivers/tty/serial/omap-serial.c linux-2.6.39.3/drivers/tty/serial/omap-serial.c
41773 --- linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-19 00:06:34.000000000 -0400
41774 +++ linux-2.6.39.3/drivers/tty/serial/omap-serial.c 2011-05-22 19:36:32.000000000 -0400
41775 @@ -1029,7 +1029,7 @@ static inline void serial_omap_add_conso
41776
41777 #endif
41778
41779 -static struct uart_ops serial_omap_pops = {
41780 +static const struct uart_ops serial_omap_pops = {
41781 .tx_empty = serial_omap_tx_empty,
41782 .set_mctrl = serial_omap_set_mctrl,
41783 .get_mctrl = serial_omap_get_mctrl,
41784 diff -urNp linux-2.6.39.3/drivers/tty/serial/pch_uart.c linux-2.6.39.3/drivers/tty/serial/pch_uart.c
41785 --- linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:18:51.000000000 -0400
41786 +++ linux-2.6.39.3/drivers/tty/serial/pch_uart.c 2011-07-09 09:19:18.000000000 -0400
41787 @@ -1351,7 +1351,7 @@ static int pch_uart_verify_port(struct u
41788 return 0;
41789 }
41790
41791 -static struct uart_ops pch_uart_ops = {
41792 +static const struct uart_ops pch_uart_ops = {
41793 .tx_empty = pch_uart_tx_empty,
41794 .set_mctrl = pch_uart_set_mctrl,
41795 .get_mctrl = pch_uart_get_mctrl,
41796 diff -urNp linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c
41797 --- linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-19 00:06:34.000000000 -0400
41798 +++ linux-2.6.39.3/drivers/tty/serial/pmac_zilog.c 2011-05-22 19:36:32.000000000 -0400
41799 @@ -1427,7 +1427,7 @@ static void pmz_poll_put_char(struct uar
41800
41801 #endif /* CONFIG_CONSOLE_POLL */
41802
41803 -static struct uart_ops pmz_pops = {
41804 +static const struct uart_ops pmz_pops = {
41805 .tx_empty = pmz_tx_empty,
41806 .set_mctrl = pmz_set_mctrl,
41807 .get_mctrl = pmz_get_mctrl,
41808 diff -urNp linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c
41809 --- linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-19 00:06:34.000000000 -0400
41810 +++ linux-2.6.39.3/drivers/tty/serial/pnx8xxx_uart.c 2011-05-22 19:36:32.000000000 -0400
41811 @@ -614,7 +614,7 @@ pnx8xxx_verify_port(struct uart_port *po
41812 return ret;
41813 }
41814
41815 -static struct uart_ops pnx8xxx_pops = {
41816 +static const struct uart_ops pnx8xxx_pops = {
41817 .tx_empty = pnx8xxx_tx_empty,
41818 .set_mctrl = pnx8xxx_set_mctrl,
41819 .get_mctrl = pnx8xxx_get_mctrl,
41820 diff -urNp linux-2.6.39.3/drivers/tty/serial/pxa.c linux-2.6.39.3/drivers/tty/serial/pxa.c
41821 --- linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-19 00:06:34.000000000 -0400
41822 +++ linux-2.6.39.3/drivers/tty/serial/pxa.c 2011-05-22 19:36:32.000000000 -0400
41823 @@ -706,7 +706,7 @@ static struct console serial_pxa_console
41824 #define PXA_CONSOLE NULL
41825 #endif
41826
41827 -struct uart_ops serial_pxa_pops = {
41828 +const struct uart_ops serial_pxa_pops = {
41829 .tx_empty = serial_pxa_tx_empty,
41830 .set_mctrl = serial_pxa_set_mctrl,
41831 .get_mctrl = serial_pxa_get_mctrl,
41832 diff -urNp linux-2.6.39.3/drivers/tty/serial/sa1100.c linux-2.6.39.3/drivers/tty/serial/sa1100.c
41833 --- linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-19 00:06:34.000000000 -0400
41834 +++ linux-2.6.39.3/drivers/tty/serial/sa1100.c 2011-05-22 19:36:32.000000000 -0400
41835 @@ -577,7 +577,7 @@ sa1100_verify_port(struct uart_port *por
41836 return ret;
41837 }
41838
41839 -static struct uart_ops sa1100_pops = {
41840 +static const struct uart_ops sa1100_pops = {
41841 .tx_empty = sa1100_tx_empty,
41842 .set_mctrl = sa1100_set_mctrl,
41843 .get_mctrl = sa1100_get_mctrl,
41844 diff -urNp linux-2.6.39.3/drivers/tty/serial/samsung.c linux-2.6.39.3/drivers/tty/serial/samsung.c
41845 --- linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-19 00:06:34.000000000 -0400
41846 +++ linux-2.6.39.3/drivers/tty/serial/samsung.c 2011-05-22 19:36:32.000000000 -0400
41847 @@ -860,7 +860,7 @@ static struct console s3c24xx_serial_con
41848 #define S3C24XX_SERIAL_CONSOLE NULL
41849 #endif
41850
41851 -static struct uart_ops s3c24xx_serial_ops = {
41852 +static const struct uart_ops s3c24xx_serial_ops = {
41853 .pm = s3c24xx_serial_pm,
41854 .tx_empty = s3c24xx_serial_tx_empty,
41855 .get_mctrl = s3c24xx_serial_get_mctrl,
41856 diff -urNp linux-2.6.39.3/drivers/tty/serial/sc26xx.c linux-2.6.39.3/drivers/tty/serial/sc26xx.c
41857 --- linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-19 00:06:34.000000000 -0400
41858 +++ linux-2.6.39.3/drivers/tty/serial/sc26xx.c 2011-05-22 19:36:32.000000000 -0400
41859 @@ -515,7 +515,7 @@ static int sc26xx_verify_port(struct uar
41860 return -EINVAL;
41861 }
41862
41863 -static struct uart_ops sc26xx_ops = {
41864 +static const struct uart_ops sc26xx_ops = {
41865 .tx_empty = sc26xx_tx_empty,
41866 .set_mctrl = sc26xx_set_mctrl,
41867 .get_mctrl = sc26xx_get_mctrl,
41868 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c
41869 --- linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-19 00:06:34.000000000 -0400
41870 +++ linux-2.6.39.3/drivers/tty/serial/serial_ks8695.c 2011-05-22 19:36:32.000000000 -0400
41871 @@ -528,7 +528,7 @@ static int ks8695uart_verify_port(struct
41872 return ret;
41873 }
41874
41875 -static struct uart_ops ks8695uart_pops = {
41876 +static const struct uart_ops ks8695uart_pops = {
41877 .tx_empty = ks8695uart_tx_empty,
41878 .set_mctrl = ks8695uart_set_mctrl,
41879 .get_mctrl = ks8695uart_get_mctrl,
41880 diff -urNp linux-2.6.39.3/drivers/tty/serial/serial_txx9.c linux-2.6.39.3/drivers/tty/serial/serial_txx9.c
41881 --- linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-19 00:06:34.000000000 -0400
41882 +++ linux-2.6.39.3/drivers/tty/serial/serial_txx9.c 2011-05-22 19:36:32.000000000 -0400
41883 @@ -857,7 +857,7 @@ serial_txx9_type(struct uart_port *port)
41884 return "txx9";
41885 }
41886
41887 -static struct uart_ops serial_txx9_pops = {
41888 +static const struct uart_ops serial_txx9_pops = {
41889 .tx_empty = serial_txx9_tx_empty,
41890 .set_mctrl = serial_txx9_set_mctrl,
41891 .get_mctrl = serial_txx9_get_mctrl,
41892 diff -urNp linux-2.6.39.3/drivers/tty/serial/sn_console.c linux-2.6.39.3/drivers/tty/serial/sn_console.c
41893 --- linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-19 00:06:34.000000000 -0400
41894 +++ linux-2.6.39.3/drivers/tty/serial/sn_console.c 2011-05-22 19:36:32.000000000 -0400
41895 @@ -388,7 +388,7 @@ static void snp_config_port(struct uart_
41896
41897 /* Associate the uart functions above - given to serial core */
41898
41899 -static struct uart_ops sn_console_ops = {
41900 +static const struct uart_ops sn_console_ops = {
41901 .tx_empty = snp_tx_empty,
41902 .set_mctrl = snp_set_mctrl,
41903 .get_mctrl = snp_get_mctrl,
41904 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunhv.c linux-2.6.39.3/drivers/tty/serial/sunhv.c
41905 --- linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-19 00:06:34.000000000 -0400
41906 +++ linux-2.6.39.3/drivers/tty/serial/sunhv.c 2011-05-22 19:36:32.000000000 -0400
41907 @@ -168,12 +168,12 @@ struct sunhv_ops {
41908 int (*receive_chars)(struct uart_port *port, struct tty_struct *tty);
41909 };
41910
41911 -static struct sunhv_ops bychar_ops = {
41912 +static const struct sunhv_ops bychar_ops = {
41913 .transmit_chars = transmit_chars_putchar,
41914 .receive_chars = receive_chars_getchar,
41915 };
41916
41917 -static struct sunhv_ops bywrite_ops = {
41918 +static const struct sunhv_ops bywrite_ops = {
41919 .transmit_chars = transmit_chars_write,
41920 .receive_chars = receive_chars_read,
41921 };
41922 @@ -370,7 +370,7 @@ static int sunhv_verify_port(struct uart
41923 return -EINVAL;
41924 }
41925
41926 -static struct uart_ops sunhv_pops = {
41927 +static const struct uart_ops sunhv_pops = {
41928 .tx_empty = sunhv_tx_empty,
41929 .set_mctrl = sunhv_set_mctrl,
41930 .get_mctrl = sunhv_get_mctrl,
41931 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsab.c linux-2.6.39.3/drivers/tty/serial/sunsab.c
41932 --- linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-19 00:06:34.000000000 -0400
41933 +++ linux-2.6.39.3/drivers/tty/serial/sunsab.c 2011-05-22 19:36:32.000000000 -0400
41934 @@ -804,7 +804,7 @@ static int sunsab_verify_port(struct uar
41935 return -EINVAL;
41936 }
41937
41938 -static struct uart_ops sunsab_pops = {
41939 +static const struct uart_ops sunsab_pops = {
41940 .tx_empty = sunsab_tx_empty,
41941 .set_mctrl = sunsab_set_mctrl,
41942 .get_mctrl = sunsab_get_mctrl,
41943 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunsu.c linux-2.6.39.3/drivers/tty/serial/sunsu.c
41944 --- linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-19 00:06:34.000000000 -0400
41945 +++ linux-2.6.39.3/drivers/tty/serial/sunsu.c 2011-05-22 19:36:32.000000000 -0400
41946 @@ -946,7 +946,7 @@ sunsu_type(struct uart_port *port)
41947 return uart_config[type].name;
41948 }
41949
41950 -static struct uart_ops sunsu_pops = {
41951 +static const struct uart_ops sunsu_pops = {
41952 .tx_empty = sunsu_tx_empty,
41953 .set_mctrl = sunsu_set_mctrl,
41954 .get_mctrl = sunsu_get_mctrl,
41955 diff -urNp linux-2.6.39.3/drivers/tty/serial/sunzilog.c linux-2.6.39.3/drivers/tty/serial/sunzilog.c
41956 --- linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-19 00:06:34.000000000 -0400
41957 +++ linux-2.6.39.3/drivers/tty/serial/sunzilog.c 2011-05-22 19:36:32.000000000 -0400
41958 @@ -1042,7 +1042,7 @@ static void sunzilog_put_poll_char(struc
41959 }
41960 #endif /* CONFIG_CONSOLE_POLL */
41961
41962 -static struct uart_ops sunzilog_pops = {
41963 +static const struct uart_ops sunzilog_pops = {
41964 .tx_empty = sunzilog_tx_empty,
41965 .set_mctrl = sunzilog_set_mctrl,
41966 .get_mctrl = sunzilog_get_mctrl,
41967 diff -urNp linux-2.6.39.3/drivers/tty/serial/timbuart.c linux-2.6.39.3/drivers/tty/serial/timbuart.c
41968 --- linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-19 00:06:34.000000000 -0400
41969 +++ linux-2.6.39.3/drivers/tty/serial/timbuart.c 2011-05-22 19:36:32.000000000 -0400
41970 @@ -394,7 +394,7 @@ static int timbuart_verify_port(struct u
41971 return -EINVAL;
41972 }
41973
41974 -static struct uart_ops timbuart_ops = {
41975 +static const struct uart_ops timbuart_ops = {
41976 .tx_empty = timbuart_tx_empty,
41977 .set_mctrl = timbuart_set_mctrl,
41978 .get_mctrl = timbuart_get_mctrl,
41979 diff -urNp linux-2.6.39.3/drivers/tty/serial/uartlite.c linux-2.6.39.3/drivers/tty/serial/uartlite.c
41980 --- linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-19 00:06:34.000000000 -0400
41981 +++ linux-2.6.39.3/drivers/tty/serial/uartlite.c 2011-05-22 19:36:32.000000000 -0400
41982 @@ -331,7 +331,7 @@ static void ulite_put_poll_char(struct u
41983 }
41984 #endif
41985
41986 -static struct uart_ops ulite_ops = {
41987 +static const struct uart_ops ulite_ops = {
41988 .tx_empty = ulite_tx_empty,
41989 .set_mctrl = ulite_set_mctrl,
41990 .get_mctrl = ulite_get_mctrl,
41991 diff -urNp linux-2.6.39.3/drivers/tty/serial/ucc_uart.c linux-2.6.39.3/drivers/tty/serial/ucc_uart.c
41992 --- linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-19 00:06:34.000000000 -0400
41993 +++ linux-2.6.39.3/drivers/tty/serial/ucc_uart.c 2011-05-22 19:36:32.000000000 -0400
41994 @@ -1088,7 +1088,7 @@ static int qe_uart_verify_port(struct ua
41995 *
41996 * Details on these functions can be found in Documentation/serial/driver
41997 */
41998 -static struct uart_ops qe_uart_pops = {
41999 +static const struct uart_ops qe_uart_pops = {
42000 .tx_empty = qe_uart_tx_empty,
42001 .set_mctrl = qe_uart_set_mctrl,
42002 .get_mctrl = qe_uart_get_mctrl,
42003 diff -urNp linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c
42004 --- linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-19 00:06:34.000000000 -0400
42005 +++ linux-2.6.39.3/drivers/tty/serial/vr41xx_siu.c 2011-05-22 19:36:32.000000000 -0400
42006 @@ -683,7 +683,7 @@ static int siu_verify_port(struct uart_p
42007 return 0;
42008 }
42009
42010 -static struct uart_ops siu_uart_ops = {
42011 +static const struct uart_ops siu_uart_ops = {
42012 .tx_empty = siu_tx_empty,
42013 .set_mctrl = siu_set_mctrl,
42014 .get_mctrl = siu_get_mctrl,
42015 diff -urNp linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c
42016 --- linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-19 00:06:34.000000000 -0400
42017 +++ linux-2.6.39.3/drivers/tty/serial/vt8500_serial.c 2011-05-22 19:36:32.000000000 -0400
42018 @@ -519,7 +519,7 @@ static struct console vt8500_console = {
42019 #define VT8500_CONSOLE NULL
42020 #endif
42021
42022 -static struct uart_ops vt8500_uart_pops = {
42023 +static const struct uart_ops vt8500_uart_pops = {
42024 .tx_empty = vt8500_tx_empty,
42025 .set_mctrl = vt8500_set_mctrl,
42026 .get_mctrl = vt8500_get_mctrl,
42027 diff -urNp linux-2.6.39.3/drivers/tty/serial/zs.c linux-2.6.39.3/drivers/tty/serial/zs.c
42028 --- linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-19 00:06:34.000000000 -0400
42029 +++ linux-2.6.39.3/drivers/tty/serial/zs.c 2011-05-22 19:36:32.000000000 -0400
42030 @@ -1044,7 +1044,7 @@ static int zs_verify_port(struct uart_po
42031 }
42032
42033
42034 -static struct uart_ops zs_ops = {
42035 +static const struct uart_ops zs_ops = {
42036 .tx_empty = zs_tx_empty,
42037 .set_mctrl = zs_set_mctrl,
42038 .get_mctrl = zs_get_mctrl,
42039 diff -urNp linux-2.6.39.3/drivers/tty/tty_io.c linux-2.6.39.3/drivers/tty/tty_io.c
42040 --- linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-19 00:06:34.000000000 -0400
42041 +++ linux-2.6.39.3/drivers/tty/tty_io.c 2011-05-22 19:36:32.000000000 -0400
42042 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
42043 /* Spinlock to protect the tty->tty_files list */
42044 DEFINE_SPINLOCK(tty_files_lock);
42045
42046 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
42047 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
42048 ssize_t redirected_tty_write(struct file *, const char __user *,
42049 size_t, loff_t *);
42050 -static unsigned int tty_poll(struct file *, poll_table *);
42051 static int tty_open(struct inode *, struct file *);
42052 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
42053 -#ifdef CONFIG_COMPAT
42054 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42055 - unsigned long arg);
42056 -#else
42057 -#define tty_compat_ioctl NULL
42058 -#endif
42059 static int __tty_fasync(int fd, struct file *filp, int on);
42060 -static int tty_fasync(int fd, struct file *filp, int on);
42061 static void release_tty(struct tty_struct *tty, int idx);
42062 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
42063 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
42064 @@ -937,7 +927,7 @@ EXPORT_SYMBOL(start_tty);
42065 * read calls may be outstanding in parallel.
42066 */
42067
42068 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42069 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
42070 loff_t *ppos)
42071 {
42072 int i;
42073 @@ -963,6 +953,8 @@ static ssize_t tty_read(struct file *fil
42074 return i;
42075 }
42076
42077 +EXPORT_SYMBOL(tty_read);
42078 +
42079 void tty_write_unlock(struct tty_struct *tty)
42080 {
42081 mutex_unlock(&tty->atomic_write_lock);
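Review bot: `EXPORT_SYMBOL(tty_read);` and the matching exports added for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl in the later hunks make the core tty file-operation entry points callable from any module. The one pre-existing export visible in this file is `EXPORT_SYMBOL_GPL(get_current_tty);`. If these exports exist only so in-tree drivers can build their own file_operations now that tty_default_fops() is removed, `EXPORT_SYMBOL_GPL(tty_read);` would keep the exposure narrower. A comment above the exports stating that purpose would also help. The functions lose `static` and their forward declarations in this file, so they need prototypes in a shared header that this chunk does not show.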
42082 @@ -1112,7 +1104,7 @@ void tty_write_message(struct tty_struct
42083 * write method will not be invoked in parallel for each device.
42084 */
42085
42086 -static ssize_t tty_write(struct file *file, const char __user *buf,
42087 +ssize_t tty_write(struct file *file, const char __user *buf,
42088 size_t count, loff_t *ppos)
42089 {
42090 struct inode *inode = file->f_path.dentry->d_inode;
42091 @@ -1138,6 +1130,8 @@ static ssize_t tty_write(struct file *fi
42092 return ret;
42093 }
42094
42095 +EXPORT_SYMBOL(tty_write);
42096 +
42097 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
42098 size_t count, loff_t *ppos)
42099 {
42100 @@ -1777,6 +1771,8 @@ int tty_release(struct inode *inode, str
42101 return 0;
42102 }
42103
42104 +EXPORT_SYMBOL(tty_release);
42105 +
42106 /**
42107 * tty_open - open a tty device
42108 * @inode: inode of device file
42109 @@ -1968,7 +1964,7 @@ got_driver:
42110 * may be re-entered freely by other callers.
42111 */
42112
42113 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
42114 +unsigned int tty_poll(struct file *filp, poll_table *wait)
42115 {
42116 struct tty_struct *tty = file_tty(filp);
42117 struct tty_ldisc *ld;
42118 @@ -1984,6 +1980,8 @@ static unsigned int tty_poll(struct file
42119 return ret;
42120 }
42121
42122 +EXPORT_SYMBOL(tty_poll);
42123 +
42124 static int __tty_fasync(int fd, struct file *filp, int on)
42125 {
42126 struct tty_struct *tty = file_tty(filp);
42127 @@ -2025,7 +2023,7 @@ out:
42128 return retval;
42129 }
42130
42131 -static int tty_fasync(int fd, struct file *filp, int on)
42132 +int tty_fasync(int fd, struct file *filp, int on)
42133 {
42134 int retval;
42135 tty_lock();
42136 @@ -2034,6 +2032,8 @@ static int tty_fasync(int fd, struct fil
42137 return retval;
42138 }
42139
42140 +EXPORT_SYMBOL(tty_fasync);
42141 +
42142 /**
42143 * tiocsti - fake input character
42144 * @tty: tty to fake input into
42145 @@ -2695,8 +2695,10 @@ long tty_ioctl(struct file *file, unsign
42146 return retval;
42147 }
42148
42149 +EXPORT_SYMBOL(tty_ioctl);
42150 +
42151 #ifdef CONFIG_COMPAT
42152 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
42153 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
42154 unsigned long arg)
42155 {
42156 struct inode *inode = file->f_dentry->d_inode;
42157 @@ -2720,6 +2722,9 @@ static long tty_compat_ioctl(struct file
42158
42159 return retval;
42160 }
42161 +
42162 +EXPORT_SYMBOL(tty_compat_ioctl);
42163 +
42164 #endif
42165
42166 /*
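Review bot: tty_compat_ioctl is defined and exported only inside `#ifdef CONFIG_COMPAT`, while the first tty_io.c hunk removes the `#else` branch that provided `#define tty_compat_ioctl NULL`. On a kernel built without CONFIG_COMPAT, any file_operations initializer that names tty_compat_ioctl would then fail to compile, unless a header outside this chunk supplies the fallback. If it does not, the prototype and `#define tty_compat_ioctl NULL` belong together in the shared header under the same `#ifdef`/`#else`.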
42167 @@ -3198,11 +3203,6 @@ struct tty_struct *get_current_tty(void)
42168 }
42169 EXPORT_SYMBOL_GPL(get_current_tty);
42170
42171 -void tty_default_fops(struct file_operations *fops)
42172 -{
42173 - *fops = tty_fops;
42174 -}
42175 -
42176 /*
42177 * Initialize the console device. This is called *early*, so
42178 * we can't necessarily depend on lots of kernel help here.
42179 diff -urNp linux-2.6.39.3/drivers/tty/tty_ldisc.c linux-2.6.39.3/drivers/tty/tty_ldisc.c
42180 --- linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:18:51.000000000 -0400
42181 +++ linux-2.6.39.3/drivers/tty/tty_ldisc.c 2011-07-09 09:19:18.000000000 -0400
42182 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
42183 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
42184 struct tty_ldisc_ops *ldo = ld->ops;
42185
42186 - ldo->refcount--;
42187 + atomic_dec(&ldo->refcount);
42188 module_put(ldo->owner);
42189 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42190
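Review bot: Every converted `refcount` access in these tty_ldisc.c hunks (put_ldisc here, then tty_register_ldisc, tty_unregister_ldisc, get_ldops and put_ldops) is still made with tty_ldisc_lock held, so the atomic operations add no atomicity over the old `refcount--`/`refcount++`. The motive is presumably the overflow checking that the hardened atomic_t carries elsewhere in this patch, but nothing in the hunks says so. A comment at the field declaration, for example `/* atomic_t for overflow detection; updates are still serialized by tty_ldisc_lock */`, would record that. The enclosing functions start and end outside the hunks.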
42191 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
42192 spin_lock_irqsave(&tty_ldisc_lock, flags);
42193 tty_ldiscs[disc] = new_ldisc;
42194 new_ldisc->num = disc;
42195 - new_ldisc->refcount = 0;
42196 + atomic_set(&new_ldisc->refcount, 0);
42197 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42198
42199 return ret;
42200 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
42201 return -EINVAL;
42202
42203 spin_lock_irqsave(&tty_ldisc_lock, flags);
42204 - if (tty_ldiscs[disc]->refcount)
42205 + if (atomic_read(&tty_ldiscs[disc]->refcount))
42206 ret = -EBUSY;
42207 else
42208 tty_ldiscs[disc] = NULL;
42209 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
42210 if (ldops) {
42211 ret = ERR_PTR(-EAGAIN);
42212 if (try_module_get(ldops->owner)) {
42213 - ldops->refcount++;
42214 + atomic_inc(&ldops->refcount);
42215 ret = ldops;
42216 }
42217 }
42218 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
42219 unsigned long flags;
42220
42221 spin_lock_irqsave(&tty_ldisc_lock, flags);
42222 - ldops->refcount--;
42223 + atomic_dec(&ldops->refcount);
42224 module_put(ldops->owner);
42225 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
42226 }
42227 diff -urNp linux-2.6.39.3/drivers/tty/vt/keyboard.c linux-2.6.39.3/drivers/tty/vt/keyboard.c
42228 --- linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-19 00:06:34.000000000 -0400
42229 +++ linux-2.6.39.3/drivers/tty/vt/keyboard.c 2011-05-22 20:32:43.000000000 -0400
42230 @@ -658,6 +658,16 @@ static void k_spec(struct vc_data *vc, u
42231 kbd->kbdmode == VC_OFF) &&
42232 value != KVAL(K_SAK))
42233 return; /* SAK is allowed even in raw mode */
42234 +
42235 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42236 + {
42237 + void *func = fn_handler[value];
42238 + if (func == fn_show_state || func == fn_show_ptregs ||
42239 + func == fn_show_mem)
42240 + return;
42241 + }
42242 +#endif
42243 +
42244 fn_handler[value](vc);
42245 }
42246
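Review bot: The new block in k_spec stores a function pointer in `void *func` and compares it against function addresses, which relies on a compiler extension rather than standard C. Declaring it with the handler table's own pointer type, `fn_handler_fn *func = fn_handler[value];` if that typedef is what the file uses, keeps the comparison type-checked. The block also lacks a comment on why fn_show_state, fn_show_ptregs and fn_show_mem are suppressed. A line such as `/* these handlers dump task, register and memory state to the console, which the /proc restrictions are meant to hide */` would document the intent. k_spec begins outside this hunk, so the bounds check on `value` is not visible here.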
42247 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt.c linux-2.6.39.3/drivers/tty/vt/vt.c
42248 --- linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-19 00:06:34.000000000 -0400
42249 +++ linux-2.6.39.3/drivers/tty/vt/vt.c 2011-05-22 19:36:32.000000000 -0400
42250 @@ -261,7 +261,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
42251
42252 static void notify_write(struct vc_data *vc, unsigned int unicode)
42253 {
42254 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
42255 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
42256 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
42257 }
42258
42259 diff -urNp linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c
42260 --- linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-19 00:06:34.000000000 -0400
42261 +++ linux-2.6.39.3/drivers/tty/vt/vt_ioctl.c 2011-05-22 19:41:37.000000000 -0400
42262 @@ -209,9 +209,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42263 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
42264 return -EFAULT;
42265
42266 - if (!capable(CAP_SYS_TTY_CONFIG))
42267 - perm = 0;
42268 -
42269 switch (cmd) {
42270 case KDGKBENT:
42271 key_map = key_maps[s];
42272 @@ -223,6 +220,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
42273 val = (i ? K_HOLE : K_NOSUCHMAP);
42274 return put_user(val, &user_kbe->kb_value);
42275 case KDSKBENT:
42276 + if (!capable(CAP_SYS_TTY_CONFIG))
42277 + perm = 0;
42278 +
42279 if (!perm)
42280 return -EPERM;
42281 if (!i && v == K_NOSUCHMAP) {
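Review bot: The capability check moved into `case KDSKBENT:` still clears `perm` only so that the next statement can test it. `if (!perm || !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;` expresses the same decision in one condition, assuming `perm` is not read again later in the case. The same pattern is added under `case KDSKBSENT:` in do_kdgkb_ioctl. A short comment that the check is deliberately confined to the set commands, so the read-only KDGKBENT/KDGKBSENT paths perform no capability check, would keep a later cleanup from hoisting it back to the top of the function. Both functions start and end outside these hunks.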
42282 @@ -324,9 +324,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42283 int i, j, k;
42284 int ret;
42285
42286 - if (!capable(CAP_SYS_TTY_CONFIG))
42287 - perm = 0;
42288 -
42289 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
42290 if (!kbs) {
42291 ret = -ENOMEM;
42292 @@ -360,6 +357,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
42293 kfree(kbs);
42294 return ((p && *p) ? -EOVERFLOW : 0);
42295 case KDSKBSENT:
42296 + if (!capable(CAP_SYS_TTY_CONFIG))
42297 + perm = 0;
42298 +
42299 if (!perm) {
42300 ret = -EPERM;
42301 goto reterr;
42302 diff -urNp linux-2.6.39.3/drivers/uio/uio.c linux-2.6.39.3/drivers/uio/uio.c
42303 --- linux-2.6.39.3/drivers/uio/uio.c 2011-05-19 00:06:34.000000000 -0400
42304 +++ linux-2.6.39.3/drivers/uio/uio.c 2011-05-22 19:36:32.000000000 -0400
42305 @@ -25,6 +25,7 @@
42306 #include <linux/kobject.h>
42307 #include <linux/cdev.h>
42308 #include <linux/uio_driver.h>
42309 +#include <asm/local.h>
42310
42311 #define UIO_MAX_DEVICES (1U << MINORBITS)
42312
42313 @@ -32,10 +33,10 @@ struct uio_device {
42314 struct module *owner;
42315 struct device *dev;
42316 int minor;
42317 - atomic_t event;
42318 + atomic_unchecked_t event;
42319 struct fasync_struct *async_queue;
42320 wait_queue_head_t wait;
42321 - int vma_count;
42322 + local_t vma_count;
42323 struct uio_info *info;
42324 struct kobject *map_dir;
42325 struct kobject *portio_dir;
42326 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
42327 struct device_attribute *attr, char *buf)
42328 {
42329 struct uio_device *idev = dev_get_drvdata(dev);
42330 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
42331 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
42332 }
42333
42334 static struct device_attribute uio_class_attributes[] = {
42335 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
42336 {
42337 struct uio_device *idev = info->uio_dev;
42338
42339 - atomic_inc(&idev->event);
42340 + atomic_inc_unchecked(&idev->event);
42341 wake_up_interruptible(&idev->wait);
42342 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
42343 }
42344 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
42345 }
42346
42347 listener->dev = idev;
42348 - listener->event_count = atomic_read(&idev->event);
42349 + listener->event_count = atomic_read_unchecked(&idev->event);
42350 filep->private_data = listener;
42351
42352 if (idev->info->open) {
42353 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
42354 return -EIO;
42355
42356 poll_wait(filep, &idev->wait, wait);
42357 - if (listener->event_count != atomic_read(&idev->event))
42358 + if (listener->event_count != atomic_read_unchecked(&idev->event))
42359 return POLLIN | POLLRDNORM;
42360 return 0;
42361 }
42362 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
42363 do {
42364 set_current_state(TASK_INTERRUPTIBLE);
42365
42366 - event_count = atomic_read(&idev->event);
42367 + event_count = atomic_read_unchecked(&idev->event);
42368 if (event_count != listener->event_count) {
42369 if (copy_to_user(buf, &event_count, count))
42370 retval = -EFAULT;
42371 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
42372 static void uio_vma_open(struct vm_area_struct *vma)
42373 {
42374 struct uio_device *idev = vma->vm_private_data;
42375 - idev->vma_count++;
42376 + local_inc(&idev->vma_count);
42377 }
42378
42379 static void uio_vma_close(struct vm_area_struct *vma)
42380 {
42381 struct uio_device *idev = vma->vm_private_data;
42382 - idev->vma_count--;
42383 + local_dec(&idev->vma_count);
42384 }
42385
42386 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
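Review bot: `vma_count` is a field of the per-device struct uio_device, yet uio_vma_open and uio_vma_close now update it with `local_inc()`/`local_dec()`, operations that are only atomic with respect to the CPU that owns the variable. Mappings of the same device can be opened and closed from different CPUs, so if an exact count is intended the fitting pair is an `atomic_t` field with `atomic_inc(&idev->vma_count);` and `atomic_dec(&idev->vma_count);`. The original plain `int` had the same limitation, so this is not a regression. The choice of `local_t` for a non-per-CPU field still deserves a comment at the declaration in the struct hunk.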
42387 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
42388 idev->owner = owner;
42389 idev->info = info;
42390 init_waitqueue_head(&idev->wait);
42391 - atomic_set(&idev->event, 0);
42392 + atomic_set_unchecked(&idev->event, 0);
42393
42394 ret = uio_get_minor(idev);
42395 if (ret)
42396 diff -urNp linux-2.6.39.3/drivers/usb/atm/cxacru.c linux-2.6.39.3/drivers/usb/atm/cxacru.c
42397 --- linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-19 00:06:34.000000000 -0400
42398 +++ linux-2.6.39.3/drivers/usb/atm/cxacru.c 2011-05-22 19:36:32.000000000 -0400
42399 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
42400 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
42401 if (ret < 2)
42402 return -EINVAL;
42403 - if (index < 0 || index > 0x7f)
42404 + if (index > 0x7f)
42405 return -EINVAL;
42406 pos += tmp;
42407
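Review bot: Dropping `index < 0` leaves `if (index > 0x7f)` as the only bound on a value parsed from a sysfs write, which is sufficient only if `index` is declared unsigned. The declaration is outside this hunk. The `%x` conversion in the `sscanf` call expects an `unsigned int *`, which suggests it is, but this should be confirmed. If `index` were a signed type, a large hex input would become negative and pass the remaining check. A `BUILD_BUG_ON` on the signedness, or a comment next to the test, would make that dependency explicit.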
42408 diff -urNp linux-2.6.39.3/drivers/usb/atm/usbatm.c linux-2.6.39.3/drivers/usb/atm/usbatm.c
42409 --- linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-19 00:06:34.000000000 -0400
42410 +++ linux-2.6.39.3/drivers/usb/atm/usbatm.c 2011-05-22 19:36:32.000000000 -0400
42411 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
42412 if (printk_ratelimit())
42413 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
42414 __func__, vpi, vci);
42415 - atomic_inc(&vcc->stats->rx_err);
42416 + atomic_inc_unchecked(&vcc->stats->rx_err);
42417 return;
42418 }
42419
42420 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
42421 if (length > ATM_MAX_AAL5_PDU) {
42422 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
42423 __func__, length, vcc);
42424 - atomic_inc(&vcc->stats->rx_err);
42425 + atomic_inc_unchecked(&vcc->stats->rx_err);
42426 goto out;
42427 }
42428
42429 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
42430 if (sarb->len < pdu_length) {
42431 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
42432 __func__, pdu_length, sarb->len, vcc);
42433 - atomic_inc(&vcc->stats->rx_err);
42434 + atomic_inc_unchecked(&vcc->stats->rx_err);
42435 goto out;
42436 }
42437
42438 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
42439 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
42440 __func__, vcc);
42441 - atomic_inc(&vcc->stats->rx_err);
42442 + atomic_inc_unchecked(&vcc->stats->rx_err);
42443 goto out;
42444 }
42445
42446 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
42447 if (printk_ratelimit())
42448 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
42449 __func__, length);
42450 - atomic_inc(&vcc->stats->rx_drop);
42451 + atomic_inc_unchecked(&vcc->stats->rx_drop);
42452 goto out;
42453 }
42454
42455 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
42456
42457 vcc->push(vcc, skb);
42458
42459 - atomic_inc(&vcc->stats->rx);
42460 + atomic_inc_unchecked(&vcc->stats->rx);
42461 out:
42462 skb_trim(sarb, 0);
42463 }
42464 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
42465 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
42466
42467 usbatm_pop(vcc, skb);
42468 - atomic_inc(&vcc->stats->tx);
42469 + atomic_inc_unchecked(&vcc->stats->tx);
42470
42471 skb = skb_dequeue(&instance->sndqueue);
42472 }
42473 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
42474 if (!left--)
42475 return sprintf(page,
42476 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
42477 - atomic_read(&atm_dev->stats.aal5.tx),
42478 - atomic_read(&atm_dev->stats.aal5.tx_err),
42479 - atomic_read(&atm_dev->stats.aal5.rx),
42480 - atomic_read(&atm_dev->stats.aal5.rx_err),
42481 - atomic_read(&atm_dev->stats.aal5.rx_drop));
42482 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
42483 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
42484 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
42485 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
42486 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
42487
42488 if (!left--) {
42489 if (instance->disconnected)
42490 diff -urNp linux-2.6.39.3/drivers/usb/core/devices.c linux-2.6.39.3/drivers/usb/core/devices.c
42491 --- linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-19 00:06:34.000000000 -0400
42492 +++ linux-2.6.39.3/drivers/usb/core/devices.c 2011-05-22 19:36:32.000000000 -0400
42493 @@ -126,7 +126,7 @@ static const char *format_endpt =
42494 * time it gets called.
42495 */
42496 static struct device_connect_event {
42497 - atomic_t count;
42498 + atomic_unchecked_t count;
42499 wait_queue_head_t wait;
42500 } device_event = {
42501 .count = ATOMIC_INIT(1),
42502 @@ -164,7 +164,7 @@ static const struct class_info clas_info
42503
42504 void usbfs_conn_disc_event(void)
42505 {
42506 - atomic_add(2, &device_event.count);
42507 + atomic_add_unchecked(2, &device_event.count);
42508 wake_up(&device_event.wait);
42509 }
42510
42511 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
42512
42513 poll_wait(file, &device_event.wait, wait);
42514
42515 - event_count = atomic_read(&device_event.count);
42516 + event_count = atomic_read_unchecked(&device_event.count);
42517 if (file->f_version != event_count) {
42518 file->f_version = event_count;
42519 return POLLIN | POLLRDNORM;
42520 diff -urNp linux-2.6.39.3/drivers/usb/core/hcd.c linux-2.6.39.3/drivers/usb/core/hcd.c
42521 --- linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:04:14.000000000 -0400
42522 +++ linux-2.6.39.3/drivers/usb/core/hcd.c 2011-06-03 00:32:07.000000000 -0400
42523 @@ -2574,7 +2574,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
42524
42525 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
42526
42527 -struct usb_mon_operations *mon_ops;
42528 +const struct usb_mon_operations *mon_ops;
42529
42530 /*
42531 * The registration is unlocked.
42532 @@ -2584,7 +2584,7 @@ struct usb_mon_operations *mon_ops;
42533 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
42534 */
42535
42536 -int usb_mon_register (struct usb_mon_operations *ops)
42537 +int usb_mon_register (const struct usb_mon_operations *ops)
42538 {
42539
42540 if (mon_ops)
42541 diff -urNp linux-2.6.39.3/drivers/usb/core/message.c linux-2.6.39.3/drivers/usb/core/message.c
42542 --- linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:18:51.000000000 -0400
42543 +++ linux-2.6.39.3/drivers/usb/core/message.c 2011-07-09 09:19:18.000000000 -0400
42544 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
42545 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
42546 if (buf) {
42547 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
42548 - if (len > 0) {
42549 - smallbuf = kmalloc(++len, GFP_NOIO);
42550 + if (len++ > 0) {
42551 + smallbuf = kmalloc(len, GFP_NOIO);
42552 if (!smallbuf)
42553 return buf;
42554 memcpy(smallbuf, buf, len);
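Review bot: `if (len++ > 0)` hides a side effect in the condition and now increments `len` on the failure path too, where the old `++len` ran only for a positive length. That is harmless only as long as nothing reads `len` after the `if`, which cannot be confirmed here because `usb_cache_string` continues outside the hunk. If the aim is to keep the side effect out of the `kmalloc` argument, the plainer form is `if (len > 0) {` followed by `len++;` and `smallbuf = kmalloc(len, GFP_NOIO);`.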
42555 diff -urNp linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c
42556 --- linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-19 00:06:34.000000000 -0400
42557 +++ linux-2.6.39.3/drivers/usb/early/ehci-dbgp.c 2011-05-22 19:36:32.000000000 -0400
42558 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
42559 }
42560
42561 #ifdef CONFIG_KGDB
42562 -static struct kgdb_io kgdbdbgp_io_ops;
42563 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
42564 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
42565 #else
42566 #define dbgp_kgdb_mode (0)
42567 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
42568 early_dbgp_write(NULL, &chr, 1);
42569 }
42570
42571 -static struct kgdb_io kgdbdbgp_io_ops = {
42572 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
42573 .name = "kgdbdbgp",
42574 .read_char = kgdbdbgp_read_char,
42575 .write_char = kgdbdbgp_write_char,
42576 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c
42577 --- linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-19 00:06:34.000000000 -0400
42578 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_qe_udc.c 2011-05-22 19:36:32.000000000 -0400
42579 @@ -1859,7 +1859,7 @@ out:
42580 return status;
42581 }
42582
42583 -static struct usb_ep_ops qe_ep_ops = {
42584 +static const struct usb_ep_ops qe_ep_ops = {
42585 .enable = qe_ep_enable,
42586 .disable = qe_ep_disable,
42587
42588 @@ -1928,7 +1928,7 @@ static int qe_pullup(struct usb_gadget *
42589 }
42590
42591 /* defined in usb_gadget.h */
42592 -static struct usb_gadget_ops qe_gadget_ops = {
42593 +static const struct usb_gadget_ops qe_gadget_ops = {
42594 .get_frame = qe_get_frame,
42595 .wakeup = qe_wakeup,
42596 /* .set_selfpowered = qe_set_selfpowered,*/ /* always selfpowered */
42597 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c
42598 --- linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42599 +++ linux-2.6.39.3/drivers/usb/gadget/fsl_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42600 @@ -1003,7 +1003,7 @@ static void fsl_ep_fifo_flush(struct usb
42601 } while (fsl_readl(&dr_regs->endptstatus) & bits);
42602 }
42603
42604 -static struct usb_ep_ops fsl_ep_ops = {
42605 +static const struct usb_ep_ops fsl_ep_ops = {
42606 .enable = fsl_ep_enable,
42607 .disable = fsl_ep_disable,
42608
42609 @@ -1114,7 +1114,7 @@ static int fsl_pullup(struct usb_gadget
42610 }
42611
42612 /* defined in gadget.h */
42613 -static struct usb_gadget_ops fsl_gadget_ops = {
42614 +static const struct usb_gadget_ops fsl_gadget_ops = {
42615 .get_frame = fsl_get_frame,
42616 .wakeup = fsl_wakeup,
42617 /* .set_selfpowered = fsl_set_selfpowered, */ /* Always selfpowered */
42618 diff -urNp linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c
42619 --- linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-19 00:06:34.000000000 -0400
42620 +++ linux-2.6.39.3/drivers/usb/gadget/fusb300_udc.c 2011-05-22 19:36:32.000000000 -0400
42621 @@ -527,7 +527,7 @@ static void fusb300_fifo_flush(struct us
42622 {
42623 }
42624
42625 -static struct usb_ep_ops fusb300_ep_ops = {
42626 +static const struct usb_ep_ops fusb300_ep_ops = {
42627 .enable = fusb300_enable,
42628 .disable = fusb300_disable,
42629
42630 @@ -1570,7 +1570,7 @@ static int fusb300_udc_pullup(struct usb
42631 return 0;
42632 }
42633
42634 -static struct usb_gadget_ops fusb300_gadget_ops = {
42635 +static const struct usb_gadget_ops fusb300_gadget_ops = {
42636 .pullup = fusb300_udc_pullup,
42637 };
42638
42639 diff -urNp linux-2.6.39.3/drivers/usb/gadget/goku_udc.c linux-2.6.39.3/drivers/usb/gadget/goku_udc.c
42640 --- linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-19 00:06:34.000000000 -0400
42641 +++ linux-2.6.39.3/drivers/usb/gadget/goku_udc.c 2011-05-22 19:36:32.000000000 -0400
42642 @@ -973,7 +973,7 @@ static void goku_fifo_flush(struct usb_e
42643 command(regs, COMMAND_FIFO_CLEAR, ep->num);
42644 }
42645
42646 -static struct usb_ep_ops goku_ep_ops = {
42647 +static const struct usb_ep_ops goku_ep_ops = {
42648 .enable = goku_ep_enable,
42649 .disable = goku_ep_disable,
42650
42651 diff -urNp linux-2.6.39.3/drivers/usb/gadget/imx_udc.c linux-2.6.39.3/drivers/usb/gadget/imx_udc.c
42652 --- linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-19 00:06:34.000000000 -0400
42653 +++ linux-2.6.39.3/drivers/usb/gadget/imx_udc.c 2011-05-22 19:36:32.000000000 -0400
42654 @@ -937,7 +937,7 @@ static void imx_ep_fifo_flush(struct usb
42655 local_irq_restore(flags);
42656 }
42657
42658 -static struct usb_ep_ops imx_ep_ops = {
42659 +static const struct usb_ep_ops imx_ep_ops = {
42660 .enable = imx_ep_enable,
42661 .disable = imx_ep_disable,
42662
42663 diff -urNp linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c
42664 --- linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-19 00:06:34.000000000 -0400
42665 +++ linux-2.6.39.3/drivers/usb/gadget/m66592-udc.c 2011-05-22 19:36:32.000000000 -0400
42666 @@ -1437,7 +1437,7 @@ static void m66592_fifo_flush(struct usb
42667 spin_unlock_irqrestore(&ep->m66592->lock, flags);
42668 }
42669
42670 -static struct usb_ep_ops m66592_ep_ops = {
42671 +static const struct usb_ep_ops m66592_ep_ops = {
42672 .enable = m66592_enable,
42673 .disable = m66592_disable,
42674
42675 @@ -1542,7 +1542,7 @@ static int m66592_get_frame(struct usb_g
42676 return m66592_read(m66592, M66592_FRMNUM) & 0x03FF;
42677 }
42678
42679 -static struct usb_gadget_ops m66592_gadget_ops = {
42680 +static const struct usb_gadget_ops m66592_gadget_ops = {
42681 .get_frame = m66592_get_frame,
42682 };
42683
42684 diff -urNp linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c
42685 --- linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-19 00:06:34.000000000 -0400
42686 +++ linux-2.6.39.3/drivers/usb/gadget/mv_udc_core.c 2011-05-22 19:36:32.000000000 -0400
42687 @@ -972,7 +972,7 @@ static int mv_ep_set_wedge(struct usb_ep
42688 return mv_ep_set_halt_wedge(_ep, 1, 1);
42689 }
42690
42691 -static struct usb_ep_ops mv_ep_ops = {
42692 +static const struct usb_ep_ops mv_ep_ops = {
42693 .enable = mv_ep_enable,
42694 .disable = mv_ep_disable,
42695
42696 diff -urNp linux-2.6.39.3/drivers/usb/gadget/omap_udc.c linux-2.6.39.3/drivers/usb/gadget/omap_udc.c
42697 --- linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-19 00:06:34.000000000 -0400
42698 +++ linux-2.6.39.3/drivers/usb/gadget/omap_udc.c 2011-05-22 19:36:32.000000000 -0400
42699 @@ -1177,7 +1177,7 @@ done:
42700 return status;
42701 }
42702
42703 -static struct usb_ep_ops omap_ep_ops = {
42704 +static const struct usb_ep_ops omap_ep_ops = {
42705 .enable = omap_ep_enable,
42706 .disable = omap_ep_disable,
42707
42708 @@ -1374,7 +1374,7 @@ static int omap_pullup(struct usb_gadget
42709 return 0;
42710 }
42711
42712 -static struct usb_gadget_ops omap_gadget_ops = {
42713 +static const struct usb_gadget_ops omap_gadget_ops = {
42714 .get_frame = omap_get_frame,
42715 .wakeup = omap_wakeup,
42716 .set_selfpowered = omap_set_selfpowered,
42717 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c
42718 --- linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-19 00:06:34.000000000 -0400
42719 +++ linux-2.6.39.3/drivers/usb/gadget/pxa25x_udc.c 2011-05-22 19:36:32.000000000 -0400
42720 @@ -896,7 +896,7 @@ static void pxa25x_ep_fifo_flush(struct
42721 }
42722
42723
42724 -static struct usb_ep_ops pxa25x_ep_ops = {
42725 +static const struct usb_ep_ops pxa25x_ep_ops = {
42726 .enable = pxa25x_ep_enable,
42727 .disable = pxa25x_ep_disable,
42728
42729 diff -urNp linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c
42730 --- linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-19 00:06:34.000000000 -0400
42731 +++ linux-2.6.39.3/drivers/usb/gadget/pxa27x_udc.c 2011-05-22 19:36:32.000000000 -0400
42732 @@ -1491,7 +1491,7 @@ static int pxa_ep_disable(struct usb_ep
42733 return 0;
42734 }
42735
42736 -static struct usb_ep_ops pxa_ep_ops = {
42737 +static const struct usb_ep_ops pxa_ep_ops = {
42738 .enable = pxa_ep_enable,
42739 .disable = pxa_ep_disable,
42740
42741 diff -urNp linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c
42742 --- linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-19 00:06:34.000000000 -0400
42743 +++ linux-2.6.39.3/drivers/usb/gadget/r8a66597-udc.c 2011-05-22 19:36:32.000000000 -0400
42744 @@ -1392,7 +1392,7 @@ static void r8a66597_fifo_flush(struct u
42745 spin_unlock_irqrestore(&ep->r8a66597->lock, flags);
42746 }
42747
42748 -static struct usb_ep_ops r8a66597_ep_ops = {
42749 +static const struct usb_ep_ops r8a66597_ep_ops = {
42750 .enable = r8a66597_enable,
42751 .disable = r8a66597_disable,
42752
42753 @@ -1497,7 +1497,7 @@ static int r8a66597_get_frame(struct usb
42754 return r8a66597_read(r8a66597, FRMNUM) & 0x03FF;
42755 }
42756
42757 -static struct usb_gadget_ops r8a66597_gadget_ops = {
42758 +static const struct usb_gadget_ops r8a66597_gadget_ops = {
42759 .get_frame = r8a66597_get_frame,
42760 };
42761
42762 diff -urNp linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c
42763 --- linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-19 00:06:34.000000000 -0400
42764 +++ linux-2.6.39.3/drivers/usb/gadget/s3c-hsotg.c 2011-05-22 19:36:32.000000000 -0400
42765 @@ -2461,7 +2461,7 @@ static int s3c_hsotg_ep_sethalt(struct u
42766 return 0;
42767 }
42768
42769 -static struct usb_ep_ops s3c_hsotg_ep_ops = {
42770 +static const struct usb_ep_ops s3c_hsotg_ep_ops = {
42771 .enable = s3c_hsotg_ep_enable,
42772 .disable = s3c_hsotg_ep_disable,
42773 .alloc_request = s3c_hsotg_ep_alloc_request,
42774 @@ -2725,7 +2725,7 @@ static int s3c_hsotg_gadget_getframe(str
42775 return s3c_hsotg_read_frameno(to_hsotg(gadget));
42776 }
42777
42778 -static struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42779 +static const struct usb_gadget_ops s3c_hsotg_gadget_ops = {
42780 .get_frame = s3c_hsotg_gadget_getframe,
42781 };
42782
42783 diff -urNp linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c
42784 --- linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-19 00:06:34.000000000 -0400
42785 +++ linux-2.6.39.3/drivers/usb/gadget/uvc_queue.c 2011-05-22 19:36:32.000000000 -0400
42786 @@ -400,7 +400,7 @@ static void uvc_vm_close(struct vm_area_
42787 buffer->vma_use_count--;
42788 }
42789
42790 -static struct vm_operations_struct uvc_vm_ops = {
42791 +static const struct vm_operations_struct uvc_vm_ops = {
42792 .open = uvc_vm_open,
42793 .close = uvc_vm_close,
42794 };
42795 diff -urNp linux-2.6.39.3/drivers/usb/host/ehci-fsl.c linux-2.6.39.3/drivers/usb/host/ehci-fsl.c
42796 --- linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-19 00:06:34.000000000 -0400
42797 +++ linux-2.6.39.3/drivers/usb/host/ehci-fsl.c 2011-05-22 19:36:32.000000000 -0400
42798 @@ -380,7 +380,7 @@ static int ehci_fsl_drv_restore(struct d
42799 return 0;
42800 }
42801
42802 -static struct dev_pm_ops ehci_fsl_pm_ops = {
42803 +static const struct dev_pm_ops ehci_fsl_pm_ops = {
42804 .suspend = ehci_fsl_drv_suspend,
42805 .resume = ehci_fsl_drv_resume,
42806 .restore = ehci_fsl_drv_restore,
42807 diff -urNp linux-2.6.39.3/drivers/usb/host/xhci-mem.c linux-2.6.39.3/drivers/usb/host/xhci-mem.c
42808 --- linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 12:55:23.000000000 -0400
42809 +++ linux-2.6.39.3/drivers/usb/host/xhci-mem.c 2011-06-25 13:00:26.000000000 -0400
42810 @@ -1680,6 +1680,8 @@ static int xhci_check_trb_in_td_math(str
42811 unsigned int num_tests;
42812 int i, ret;
42813
42814 + pax_track_stack();
42815 +
42816 num_tests = ARRAY_SIZE(simple_test_vector);
42817 for (i = 0; i < num_tests; i++) {
42818 ret = xhci_test_trb_in_td(xhci,
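Review bot: The added `pax_track_stack();` has no comment saying why this function needs it. Judging by the `simple_test_vector` reference, the function keeps sizeable test tables in its stack frame, though their declarations are above the hunk, so the call is presumably stack-depth bookkeeping for kernel stack sanitisation. A one-line comment above the call, such as `/* large on-stack test vectors: record stack usage */`, would tell a maintainer when the call can be dropped, e.g. if the vectors are moved to `static const` data.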
42819 diff -urNp linux-2.6.39.3/drivers/usb/mon/mon_main.c linux-2.6.39.3/drivers/usb/mon/mon_main.c
42820 --- linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-19 00:06:34.000000000 -0400
42821 +++ linux-2.6.39.3/drivers/usb/mon/mon_main.c 2011-05-22 19:36:32.000000000 -0400
42822 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
42823 /*
42824 * Ops
42825 */
42826 -static struct usb_mon_operations mon_ops_0 = {
42827 +static const struct usb_mon_operations mon_ops_0 = {
42828 .urb_submit = mon_submit,
42829 .urb_submit_error = mon_submit_error,
42830 .urb_complete = mon_complete,
42831 diff -urNp linux-2.6.39.3/drivers/usb/musb/cppi_dma.h linux-2.6.39.3/drivers/usb/musb/cppi_dma.h
42832 --- linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-19 00:06:34.000000000 -0400
42833 +++ linux-2.6.39.3/drivers/usb/musb/cppi_dma.h 2011-05-22 19:36:32.000000000 -0400
42834 @@ -113,7 +113,7 @@ struct cppi_channel {
42835
42836 /* CPPI DMA controller object */
42837 struct cppi {
42838 - struct dma_controller controller;
42839 + const struct dma_controller controller;
42840 struct musb *musb;
42841 void __iomem *mregs; /* Mentor regs */
42842 void __iomem *tibase; /* TI/CPPI regs */
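Review bot: Marking the embedded member `const struct dma_controller controller;` does not place it in read-only memory if `struct cppi` objects are allocated at run time, so the hardening benefit of the `static const` ops tables elsewhere in this patch likely does not carry over. It also means any code that fills in `controller`'s fields after allocation no longer compiles without casting the qualifier away, and no drivers/usb/musb/cppi_dma.c section appears ahead of this header in the visible part of the patch. I would either keep the member non-const with a comment, e.g. `/* filled in at create time, cannot be const */` in the style used for `kgdbdbgp_io_ops`, or move the callbacks into a separate `static const` table that the struct points to. `struct cppi` continues past the end of the hunk.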
42843 diff -urNp linux-2.6.39.3/drivers/usb/otg/msm_otg.c linux-2.6.39.3/drivers/usb/otg/msm_otg.c
42844 --- linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-19 00:06:34.000000000 -0400
42845 +++ linux-2.6.39.3/drivers/usb/otg/msm_otg.c 2011-05-22 19:36:32.000000000 -0400
42846 @@ -95,7 +95,7 @@ static int ulpi_write(struct otg_transce
42847 return 0;
42848 }
42849
42850 -static struct otg_io_access_ops msm_otg_io_ops = {
42851 +static const struct otg_io_access_ops msm_otg_io_ops = {
42852 .read = ulpi_read,
42853 .write = ulpi_write,
42854 };
42855 diff -urNp linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c
42856 --- linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-19 00:06:34.000000000 -0400
42857 +++ linux-2.6.39.3/drivers/usb/otg/ulpi_viewport.c 2011-05-22 19:36:32.000000000 -0400
42858 @@ -74,7 +74,7 @@ static int ulpi_viewport_write(struct ot
42859 return ulpi_viewport_wait(view, ULPI_VIEW_RUN);
42860 }
42861
42862 -struct otg_io_access_ops ulpi_viewport_access_ops = {
42863 +const struct otg_io_access_ops ulpi_viewport_access_ops = {
42864 .read = ulpi_viewport_read,
42865 .write = ulpi_viewport_write,
42866 };
42867 diff -urNp linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c
42868 --- linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:18:51.000000000 -0400
42869 +++ linux-2.6.39.3/drivers/usb/serial/ftdi_sio.c 2011-07-09 09:19:18.000000000 -0400
42870 @@ -104,27 +104,27 @@ static int ftdi_stmclite_probe(struct
42871 static void ftdi_USB_UIRT_setup(struct ftdi_private *priv);
42872 static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv);
42873
42874 -static struct ftdi_sio_quirk ftdi_jtag_quirk = {
42875 +static const struct ftdi_sio_quirk ftdi_jtag_quirk = {
42876 .probe = ftdi_jtag_probe,
42877 };
42878
42879 -static struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42880 +static const struct ftdi_sio_quirk ftdi_mtxorb_hack_quirk = {
42881 .probe = ftdi_mtxorb_hack_setup,
42882 };
42883
42884 -static struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42885 +static const struct ftdi_sio_quirk ftdi_NDI_device_quirk = {
42886 .probe = ftdi_NDI_device_setup,
42887 };
42888
42889 -static struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42890 +static const struct ftdi_sio_quirk ftdi_USB_UIRT_quirk = {
42891 .port_probe = ftdi_USB_UIRT_setup,
42892 };
42893
42894 -static struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42895 +static const struct ftdi_sio_quirk ftdi_HE_TIRA1_quirk = {
42896 .port_probe = ftdi_HE_TIRA1_setup,
42897 };
42898
42899 -static struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42900 +static const struct ftdi_sio_quirk ftdi_stmclite_quirk = {
42901 .probe = ftdi_stmclite_probe,
42902 };
42903
42904 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h
42905 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-19 00:06:34.000000000 -0400
42906 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-hc.h 2011-05-22 19:36:32.000000000 -0400
42907 @@ -192,7 +192,7 @@ struct wahc {
42908 struct list_head xfer_delayed_list;
42909 spinlock_t xfer_list_lock;
42910 struct work_struct xfer_work;
42911 - atomic_t xfer_id_count;
42912 + atomic_unchecked_t xfer_id_count;
42913 };
42914
42915
42916 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
42917 INIT_LIST_HEAD(&wa->xfer_delayed_list);
42918 spin_lock_init(&wa->xfer_list_lock);
42919 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
42920 - atomic_set(&wa->xfer_id_count, 1);
42921 + atomic_set_unchecked(&wa->xfer_id_count, 1);
42922 }
42923
42924 /**
42925 diff -urNp linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c
42926 --- linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-19 00:06:34.000000000 -0400
42927 +++ linux-2.6.39.3/drivers/usb/wusbcore/wa-xfer.c 2011-05-22 19:36:32.000000000 -0400
42928 @@ -294,7 +294,7 @@ out:
42929 */
42930 static void wa_xfer_id_init(struct wa_xfer *xfer)
42931 {
42932 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
42933 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
42934 }
42935
42936 /*
42937 diff -urNp linux-2.6.39.3/drivers/vhost/vhost.c linux-2.6.39.3/drivers/vhost/vhost.c
42938 --- linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-19 00:06:34.000000000 -0400
42939 +++ linux-2.6.39.3/drivers/vhost/vhost.c 2011-05-22 19:36:32.000000000 -0400
42940 @@ -580,7 +580,7 @@ static int init_used(struct vhost_virtqu
42941 return get_user(vq->last_used_idx, &used->idx);
42942 }
42943
42944 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
42945 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
42946 {
42947 struct file *eventfp, *filep = NULL,
42948 *pollstart = NULL, *pollstop = NULL;
42949 diff -urNp linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c
42950 --- linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-19 00:06:34.000000000 -0400
42951 +++ linux-2.6.39.3/drivers/video/backlight/corgi_lcd.c 2011-05-22 19:36:32.000000000 -0400
42952 @@ -383,7 +383,7 @@ static int corgi_lcd_get_power(struct lc
42953 return lcd->power;
42954 }
42955
42956 -static struct lcd_ops corgi_lcd_ops = {
42957 +static const struct lcd_ops corgi_lcd_ops = {
42958 .get_power = corgi_lcd_get_power,
42959 .set_power = corgi_lcd_set_power,
42960 .set_mode = corgi_lcd_set_mode,
42961 diff -urNp linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c
42962 --- linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-19 00:06:34.000000000 -0400
42963 +++ linux-2.6.39.3/drivers/video/backlight/cr_bllcd.c 2011-05-22 19:36:32.000000000 -0400
42964 @@ -165,7 +165,7 @@ static int cr_lcd_set_power(struct lcd_d
42965 return 0;
42966 }
42967
42968 -static struct lcd_ops cr_lcd_ops = {
42969 +static const struct lcd_ops cr_lcd_ops = {
42970 .set_power = cr_lcd_set_power,
42971 };
42972
42973 diff -urNp linux-2.6.39.3/drivers/video/backlight/ili9320.c linux-2.6.39.3/drivers/video/backlight/ili9320.c
42974 --- linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-19 00:06:34.000000000 -0400
42975 +++ linux-2.6.39.3/drivers/video/backlight/ili9320.c 2011-05-22 19:36:32.000000000 -0400
42976 @@ -166,7 +166,7 @@ static int ili9320_get_power(struct lcd_
42977 return lcd->power;
42978 }
42979
42980 -static struct lcd_ops ili9320_ops = {
42981 +static const struct lcd_ops ili9320_ops = {
42982 .get_power = ili9320_get_power,
42983 .set_power = ili9320_set_power,
42984 };
42985 diff -urNp linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c
42986 --- linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-19 00:06:34.000000000 -0400
42987 +++ linux-2.6.39.3/drivers/video/backlight/jornada720_lcd.c 2011-05-22 19:36:32.000000000 -0400
42988 @@ -87,7 +87,7 @@ static int jornada_lcd_set_power(struct
42989 return 0;
42990 }
42991
42992 -static struct lcd_ops jornada_lcd_props = {
42993 +static const struct lcd_ops jornada_lcd_props = {
42994 .get_contrast = jornada_lcd_get_contrast,
42995 .set_contrast = jornada_lcd_set_contrast,
42996 .get_power = jornada_lcd_get_power,
42997 diff -urNp linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c
42998 --- linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-19 00:06:34.000000000 -0400
42999 +++ linux-2.6.39.3/drivers/video/backlight/l4f00242t03.c 2011-05-22 19:36:32.000000000 -0400
43000 @@ -149,7 +149,7 @@ static int l4f00242t03_lcd_power_set(str
43001 return 0;
43002 }
43003
43004 -static struct lcd_ops l4f_ops = {
43005 +static const struct lcd_ops l4f_ops = {
43006 .set_power = l4f00242t03_lcd_power_set,
43007 .get_power = l4f00242t03_lcd_power_get,
43008 };
43009 diff -urNp linux-2.6.39.3/drivers/video/backlight/lcd.c linux-2.6.39.3/drivers/video/backlight/lcd.c
43010 --- linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-19 00:06:34.000000000 -0400
43011 +++ linux-2.6.39.3/drivers/video/backlight/lcd.c 2011-05-22 19:36:32.000000000 -0400
43012 @@ -192,7 +192,7 @@ static struct device_attribute lcd_devic
43013 * or a pointer to the newly allocated device.
43014 */
43015 struct lcd_device *lcd_device_register(const char *name, struct device *parent,
43016 - void *devdata, struct lcd_ops *ops)
43017 + void *devdata, const struct lcd_ops *ops)
43018 {
43019 struct lcd_device *new_ld;
43020 int rc;
43021 diff -urNp linux-2.6.39.3/drivers/video/backlight/ld9040.c linux-2.6.39.3/drivers/video/backlight/ld9040.c
43022 --- linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-19 00:06:34.000000000 -0400
43023 +++ linux-2.6.39.3/drivers/video/backlight/ld9040.c 2011-05-22 19:36:32.000000000 -0400
43024 @@ -651,7 +651,7 @@ static int ld9040_set_brightness(struct
43025 return ret;
43026 }
43027
43028 -static struct lcd_ops ld9040_lcd_ops = {
43029 +static const struct lcd_ops ld9040_lcd_ops = {
43030 .set_power = ld9040_set_power,
43031 .get_power = ld9040_get_power,
43032 };
43033 diff -urNp linux-2.6.39.3/drivers/video/backlight/lms283gf05.c linux-2.6.39.3/drivers/video/backlight/lms283gf05.c
43034 --- linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-19 00:06:34.000000000 -0400
43035 +++ linux-2.6.39.3/drivers/video/backlight/lms283gf05.c 2011-05-22 19:36:32.000000000 -0400
43036 @@ -144,7 +144,7 @@ static int lms283gf05_power_set(struct l
43037 return 0;
43038 }
43039
43040 -static struct lcd_ops lms_ops = {
43041 +static const struct lcd_ops lms_ops = {
43042 .set_power = lms283gf05_power_set,
43043 .get_power = NULL,
43044 };
43045 diff -urNp linux-2.6.39.3/drivers/video/backlight/ltv350qv.c linux-2.6.39.3/drivers/video/backlight/ltv350qv.c
43046 --- linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-19 00:06:34.000000000 -0400
43047 +++ linux-2.6.39.3/drivers/video/backlight/ltv350qv.c 2011-05-22 19:36:32.000000000 -0400
43048 @@ -221,7 +221,7 @@ static int ltv350qv_get_power(struct lcd
43049 return lcd->power;
43050 }
43051
43052 -static struct lcd_ops ltv_ops = {
43053 +static const struct lcd_ops ltv_ops = {
43054 .get_power = ltv350qv_get_power,
43055 .set_power = ltv350qv_set_power,
43056 };
43057 diff -urNp linux-2.6.39.3/drivers/video/backlight/platform_lcd.c linux-2.6.39.3/drivers/video/backlight/platform_lcd.c
43058 --- linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-19 00:06:34.000000000 -0400
43059 +++ linux-2.6.39.3/drivers/video/backlight/platform_lcd.c 2011-05-22 19:36:32.000000000 -0400
43060 @@ -66,7 +66,7 @@ static int platform_lcd_match(struct lcd
43061 return plcd->us->parent == info->device;
43062 }
43063
43064 -static struct lcd_ops platform_lcd_ops = {
43065 +static const struct lcd_ops platform_lcd_ops = {
43066 .get_power = platform_lcd_get_power,
43067 .set_power = platform_lcd_set_power,
43068 .check_fb = platform_lcd_match,
43069 diff -urNp linux-2.6.39.3/drivers/video/backlight/s6e63m0.c linux-2.6.39.3/drivers/video/backlight/s6e63m0.c
43070 --- linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-19 00:06:34.000000000 -0400
43071 +++ linux-2.6.39.3/drivers/video/backlight/s6e63m0.c 2011-05-22 19:36:32.000000000 -0400
43072 @@ -644,7 +644,7 @@ static int s6e63m0_set_brightness(struct
43073 return ret;
43074 }
43075
43076 -static struct lcd_ops s6e63m0_lcd_ops = {
43077 +static const struct lcd_ops s6e63m0_lcd_ops = {
43078 .set_power = s6e63m0_set_power,
43079 .get_power = s6e63m0_get_power,
43080 };
43081 diff -urNp linux-2.6.39.3/drivers/video/backlight/tdo24m.c linux-2.6.39.3/drivers/video/backlight/tdo24m.c
43082 --- linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-19 00:06:34.000000000 -0400
43083 +++ linux-2.6.39.3/drivers/video/backlight/tdo24m.c 2011-05-22 19:36:32.000000000 -0400
43084 @@ -322,7 +322,7 @@ static int tdo24m_set_mode(struct lcd_de
43085 return lcd->adj_mode(lcd, mode);
43086 }
43087
43088 -static struct lcd_ops tdo24m_ops = {
43089 +static const struct lcd_ops tdo24m_ops = {
43090 .get_power = tdo24m_get_power,
43091 .set_power = tdo24m_set_power,
43092 .set_mode = tdo24m_set_mode,
43093 diff -urNp linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c
43094 --- linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-19 00:06:34.000000000 -0400
43095 +++ linux-2.6.39.3/drivers/video/backlight/tosa_lcd.c 2011-05-22 19:36:32.000000000 -0400
43096 @@ -163,7 +163,7 @@ static int tosa_lcd_set_mode(struct lcd_
43097 return 0;
43098 }
43099
43100 -static struct lcd_ops tosa_lcd_ops = {
43101 +static const struct lcd_ops tosa_lcd_ops = {
43102 .set_power = tosa_lcd_set_power,
43103 .get_power = tosa_lcd_get_power,
43104 .set_mode = tosa_lcd_set_mode,
43105 diff -urNp linux-2.6.39.3/drivers/video/bf537-lq035.c linux-2.6.39.3/drivers/video/bf537-lq035.c
43106 --- linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-19 00:06:34.000000000 -0400
43107 +++ linux-2.6.39.3/drivers/video/bf537-lq035.c 2011-05-22 19:36:32.000000000 -0400
43108 @@ -682,7 +682,7 @@ static int bfin_lcd_check_fb(struct lcd_
43109 return 0;
43110 }
43111
43112 -static struct lcd_ops bfin_lcd_ops = {
43113 +static const struct lcd_ops bfin_lcd_ops = {
43114 .get_power = bfin_lcd_get_power,
43115 .set_power = bfin_lcd_set_power,
43116 .get_contrast = bfin_lcd_get_contrast,
43117 diff -urNp linux-2.6.39.3/drivers/video/bf54x-lq043fb.c linux-2.6.39.3/drivers/video/bf54x-lq043fb.c
43118 --- linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-19 00:06:34.000000000 -0400
43119 +++ linux-2.6.39.3/drivers/video/bf54x-lq043fb.c 2011-05-22 19:36:32.000000000 -0400
43120 @@ -467,7 +467,7 @@ static int bfin_lcd_check_fb(struct lcd_
43121 return 0;
43122 }
43123
43124 -static struct lcd_ops bfin_lcd_ops = {
43125 +static const struct lcd_ops bfin_lcd_ops = {
43126 .get_power = bfin_lcd_get_power,
43127 .set_power = bfin_lcd_set_power,
43128 .get_contrast = bfin_lcd_get_contrast,
43129 diff -urNp linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c
43130 --- linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-19 00:06:34.000000000 -0400
43131 +++ linux-2.6.39.3/drivers/video/bfin-t350mcqb-fb.c 2011-05-22 19:36:32.000000000 -0400
43132 @@ -387,7 +387,7 @@ static int bfin_lcd_check_fb(struct lcd_
43133 return 0;
43134 }
43135
43136 -static struct lcd_ops bfin_lcd_ops = {
43137 +static const struct lcd_ops bfin_lcd_ops = {
43138 .get_power = bfin_lcd_get_power,
43139 .set_power = bfin_lcd_set_power,
43140 .get_contrast = bfin_lcd_get_contrast,
43141 diff -urNp linux-2.6.39.3/drivers/video/fbcmap.c linux-2.6.39.3/drivers/video/fbcmap.c
43142 --- linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-19 00:06:34.000000000 -0400
43143 +++ linux-2.6.39.3/drivers/video/fbcmap.c 2011-05-22 19:36:32.000000000 -0400
43144 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
43145 rc = -ENODEV;
43146 goto out;
43147 }
43148 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
43149 - !info->fbops->fb_setcmap)) {
43150 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
43151 rc = -EINVAL;
43152 goto out1;
43153 }
43154 diff -urNp linux-2.6.39.3/drivers/video/fbmem.c linux-2.6.39.3/drivers/video/fbmem.c
43155 --- linux-2.6.39.3/drivers/video/fbmem.c 2011-05-19 00:06:34.000000000 -0400
43156 +++ linux-2.6.39.3/drivers/video/fbmem.c 2011-05-22 19:36:32.000000000 -0400
43157 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
43158 image->dx += image->width + 8;
43159 }
43160 } else if (rotate == FB_ROTATE_UD) {
43161 - for (x = 0; x < num && image->dx >= 0; x++) {
43162 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
43163 info->fbops->fb_imageblit(info, image);
43164 image->dx -= image->width + 8;
43165 }
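Review bot: The `(__s32)` casts in the `FB_ROTATE_UD` loop here and in the `FB_ROTATE_CCW` loop of the next hunk make termination depend on `image->dx` / `image->dy` wrapping below zero and then being read back as signed. Nothing in the code says so. The cast suggests the fields are unsigned, but their declaration is not visible here. A comment on each loop would record the intent, for example `/* dx is unsigned: the subtraction below wraps, so test it as signed to stop after the left edge */`. fb_do_show_logo begins and ends outside both hunks.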
43166 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
43167 image->dy += image->height + 8;
43168 }
43169 } else if (rotate == FB_ROTATE_CCW) {
43170 - for (x = 0; x < num && image->dy >= 0; x++) {
43171 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
43172 info->fbops->fb_imageblit(info, image);
43173 image->dy -= image->height + 8;
43174 }
43175 @@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
43176 int flags = info->flags;
43177 int ret = 0;
43178
43179 + pax_track_stack();
43180 +
43181 if (var->activate & FB_ACTIVATE_INV_MODE) {
43182 struct fb_videomode mode1, mode2;
43183
43184 @@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
43185 void __user *argp = (void __user *)arg;
43186 long ret = 0;
43187
43188 + pax_track_stack();
43189 +
43190 switch (cmd) {
43191 case FBIOGET_VSCREENINFO:
43192 if (!lock_fb_info(info))
43193 @@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
43194 return -EFAULT;
43195 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
43196 return -EINVAL;
43197 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
43198 + if (con2fb.framebuffer >= FB_MAX)
43199 return -EINVAL;
43200 if (!registered_fb[con2fb.framebuffer])
43201 request_module("fb%d", con2fb.framebuffer);
43202 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.c linux-2.6.39.3/drivers/video/geode/display_gx1.c
43203 --- linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-19 00:06:34.000000000 -0400
43204 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.c 2011-05-22 19:36:32.000000000 -0400
43205 @@ -208,7 +208,7 @@ static void gx1_set_hw_palette_reg(struc
43206 writel(val, par->dc_regs + DC_PAL_DATA);
43207 }
43208
43209 -struct geode_dc_ops gx1_dc_ops = {
43210 +const struct geode_dc_ops gx1_dc_ops = {
43211 .set_mode = gx1_set_mode,
43212 .set_palette_reg = gx1_set_hw_palette_reg,
43213 };
43214 diff -urNp linux-2.6.39.3/drivers/video/geode/display_gx1.h linux-2.6.39.3/drivers/video/geode/display_gx1.h
43215 --- linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-19 00:06:34.000000000 -0400
43216 +++ linux-2.6.39.3/drivers/video/geode/display_gx1.h 2011-05-22 19:36:32.000000000 -0400
43217 @@ -18,7 +18,7 @@
43218 unsigned gx1_gx_base(void);
43219 int gx1_frame_buffer_size(void);
43220
43221 -extern struct geode_dc_ops gx1_dc_ops;
43222 +extern const struct geode_dc_ops gx1_dc_ops;
43223
43224 /* GX1 configuration I/O registers */
43225
43226 diff -urNp linux-2.6.39.3/drivers/video/geode/geodefb.h linux-2.6.39.3/drivers/video/geode/geodefb.h
43227 --- linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-19 00:06:34.000000000 -0400
43228 +++ linux-2.6.39.3/drivers/video/geode/geodefb.h 2011-05-22 19:36:32.000000000 -0400
43229 @@ -31,8 +31,8 @@ struct geodefb_par {
43230 int panel_y;
43231 void __iomem *dc_regs;
43232 void __iomem *vid_regs;
43233 - struct geode_dc_ops *dc_ops;
43234 - struct geode_vid_ops *vid_ops;
43235 + const struct geode_dc_ops *dc_ops;
43236 + const struct geode_vid_ops *vid_ops;
43237 };
43238
43239 #endif /* !__GEODEFB_H__ */
43240 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.c linux-2.6.39.3/drivers/video/geode/video_cs5530.c
43241 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-19 00:06:34.000000000 -0400
43242 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.c 2011-05-22 19:36:32.000000000 -0400
43243 @@ -186,7 +186,7 @@ static int cs5530_blank_display(struct f
43244 return 0;
43245 }
43246
43247 -struct geode_vid_ops cs5530_vid_ops = {
43248 +const struct geode_vid_ops cs5530_vid_ops = {
43249 .set_dclk = cs5530_set_dclk_frequency,
43250 .configure_display = cs5530_configure_display,
43251 .blank_display = cs5530_blank_display,
43252 diff -urNp linux-2.6.39.3/drivers/video/geode/video_cs5530.h linux-2.6.39.3/drivers/video/geode/video_cs5530.h
43253 --- linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-19 00:06:34.000000000 -0400
43254 +++ linux-2.6.39.3/drivers/video/geode/video_cs5530.h 2011-05-22 19:36:32.000000000 -0400
43255 @@ -15,7 +15,7 @@
43256 #ifndef __VIDEO_CS5530_H__
43257 #define __VIDEO_CS5530_H__
43258
43259 -extern struct geode_vid_ops cs5530_vid_ops;
43260 +extern const struct geode_vid_ops cs5530_vid_ops;
43261
43262 /* CS5530 Video device registers */
43263
43264 diff -urNp linux-2.6.39.3/drivers/video/i810/i810_accel.c linux-2.6.39.3/drivers/video/i810/i810_accel.c
43265 --- linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-19 00:06:34.000000000 -0400
43266 +++ linux-2.6.39.3/drivers/video/i810/i810_accel.c 2011-05-22 19:36:32.000000000 -0400
43267 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
43268 }
43269 }
43270 printk("ringbuffer lockup!!!\n");
43271 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
43272 i810_report_error(mmio);
43273 par->dev_flags |= LOCKUP;
43274 info->pixmap.scan_align = 1;
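Review bot: The added `printk` carries no log level or driver prefix, so the ring state is logged at the default level with nothing tying it to the lockup message above it. I would write `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The declarations of `head`, `tail` and `space` are outside the hunk, so confirm they are all unsigned int before relying on `%u`. wait_for_space starts before the hunk.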
43275 diff -urNp linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c
43276 --- linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-19 00:06:34.000000000 -0400
43277 +++ linux-2.6.39.3/drivers/video/matrox/matroxfb_base.c 2011-05-22 19:36:32.000000000 -0400
43278 @@ -1232,7 +1232,7 @@ static struct fb_ops matroxfb_ops = {
43279 #define RSText 0x7
43280 #define RSText8 0x8
43281 /* 9-F */
43282 -static struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43283 +static const struct { struct fb_bitfield red, green, blue, transp; int bits_per_pixel; } colors[] = {
43284 { { 0, 8, 0}, { 0, 8, 0}, { 0, 8, 0}, { 0, 0, 0}, 8 },
43285 { { 10, 5, 0}, { 5, 5, 0}, { 0, 5, 0}, { 15, 1, 0}, 16 },
43286 { { 11, 5, 0}, { 5, 6, 0}, { 0, 5, 0}, { 0, 0, 0}, 16 },
43287 diff -urNp linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c
43288 --- linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-19 00:06:34.000000000 -0400
43289 +++ linux-2.6.39.3/drivers/video/omap/lcd_ams_delta.c 2011-05-22 19:36:32.000000000 -0400
43290 @@ -87,7 +87,7 @@ static int ams_delta_lcd_get_contrast(st
43291 return ams_delta_lcd & AMS_DELTA_MAX_CONTRAST;
43292 }
43293
43294 -static struct lcd_ops ams_delta_lcd_ops = {
43295 +static const struct lcd_ops ams_delta_lcd_ops = {
43296 .get_power = ams_delta_lcd_get_power,
43297 .set_power = ams_delta_lcd_set_power,
43298 .get_contrast = ams_delta_lcd_get_contrast,
43299 diff -urNp linux-2.6.39.3/drivers/video/pxa3xx-gcu.c linux-2.6.39.3/drivers/video/pxa3xx-gcu.c
43300 --- linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-19 00:06:34.000000000 -0400
43301 +++ linux-2.6.39.3/drivers/video/pxa3xx-gcu.c 2011-05-22 19:36:32.000000000 -0400
43302 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
43303 dma_addr_t shared_phys;
43304 struct resource *resource_mem;
43305 struct miscdevice misc_dev;
43306 - struct file_operations misc_fops;
43307 + const struct file_operations misc_fops;
43308 wait_queue_head_t wait_idle;
43309 wait_queue_head_t wait_free;
43310 spinlock_t spinlock;
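Review bot: Qualifying the embedded `misc_fops` member as `const` only compiles if nothing assigns to its fields after the structure is created. If the probe code fills `misc_fops` member by member (that code is outside this hunk), those assignments are now rejected. A member of a per-device private structure is also presumably allocated at runtime, in which case the qualifier does not place the table in read-only memory. A file-scope `static const struct file_operations` table (for instance a new `pxa3xx_gcu_misc_fops`, name proposed here) that `misc_dev.fops` points at would give the protection the change is after. The struct definition continues past the end of the hunk.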
43311 diff -urNp linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c
43312 --- linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-19 00:06:34.000000000 -0400
43313 +++ linux-2.6.39.3/drivers/video/sh_mobile_lcdcfb.c 2011-05-22 19:36:32.000000000 -0400
43314 @@ -245,7 +245,7 @@ static unsigned long lcdc_sys_read_data(
43315 return lcdc_read(ch->lcdc, _LDDRDR) & 0x3ffff;
43316 }
43317
43318 -struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43319 +const struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
43320 lcdc_sys_write_index,
43321 lcdc_sys_write_data,
43322 lcdc_sys_read_data,
43323 diff -urNp linux-2.6.39.3/drivers/video/udlfb.c linux-2.6.39.3/drivers/video/udlfb.c
43324 --- linux-2.6.39.3/drivers/video/udlfb.c 2011-05-19 00:06:34.000000000 -0400
43325 +++ linux-2.6.39.3/drivers/video/udlfb.c 2011-05-22 19:36:32.000000000 -0400
43326 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
43327 dlfb_urb_completion(urb);
43328
43329 error:
43330 - atomic_add(bytes_sent, &dev->bytes_sent);
43331 - atomic_add(bytes_identical, &dev->bytes_identical);
43332 - atomic_add(width*height*2, &dev->bytes_rendered);
43333 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43334 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43335 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
43336 end_cycles = get_cycles();
43337 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43338 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43339 >> 10)), /* Kcycles */
43340 &dev->cpu_kcycles_used);
43341
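Review bot: Nothing records why these counters are moved to the `_unchecked` atomics, here and in the dlfb_dpy_deferred_io, metrics_*_show and metrics_reset_store hunks that follow. A short comment such as `/* metrics only: wrap-around is harmless, so overflow checking is not wanted */` at the first use would tell a later reader that the opt-out is deliberate. The four fields in struct dlfb_data must be declared with the matching unchecked atomic type for these calls to compile, and that declaration is not in this file's hunks. `width*height*2` is still evaluated in the operands' own type before the add, so the unchecked call does not cover an overflow in that product.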
43342 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
43343 dlfb_urb_completion(urb);
43344
43345 error:
43346 - atomic_add(bytes_sent, &dev->bytes_sent);
43347 - atomic_add(bytes_identical, &dev->bytes_identical);
43348 - atomic_add(bytes_rendered, &dev->bytes_rendered);
43349 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
43350 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
43351 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
43352 end_cycles = get_cycles();
43353 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
43354 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
43355 >> 10)), /* Kcycles */
43356 &dev->cpu_kcycles_used);
43357 }
43358 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
43359 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43360 struct dlfb_data *dev = fb_info->par;
43361 return snprintf(buf, PAGE_SIZE, "%u\n",
43362 - atomic_read(&dev->bytes_rendered));
43363 + atomic_read_unchecked(&dev->bytes_rendered));
43364 }
43365
43366 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
43367 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
43368 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43369 struct dlfb_data *dev = fb_info->par;
43370 return snprintf(buf, PAGE_SIZE, "%u\n",
43371 - atomic_read(&dev->bytes_identical));
43372 + atomic_read_unchecked(&dev->bytes_identical));
43373 }
43374
43375 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
43376 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
43377 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43378 struct dlfb_data *dev = fb_info->par;
43379 return snprintf(buf, PAGE_SIZE, "%u\n",
43380 - atomic_read(&dev->bytes_sent));
43381 + atomic_read_unchecked(&dev->bytes_sent));
43382 }
43383
43384 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
43385 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
43386 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43387 struct dlfb_data *dev = fb_info->par;
43388 return snprintf(buf, PAGE_SIZE, "%u\n",
43389 - atomic_read(&dev->cpu_kcycles_used));
43390 + atomic_read_unchecked(&dev->cpu_kcycles_used));
43391 }
43392
43393 static ssize_t edid_show(
43394 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
43395 struct fb_info *fb_info = dev_get_drvdata(fbdev);
43396 struct dlfb_data *dev = fb_info->par;
43397
43398 - atomic_set(&dev->bytes_rendered, 0);
43399 - atomic_set(&dev->bytes_identical, 0);
43400 - atomic_set(&dev->bytes_sent, 0);
43401 - atomic_set(&dev->cpu_kcycles_used, 0);
43402 + atomic_set_unchecked(&dev->bytes_rendered, 0);
43403 + atomic_set_unchecked(&dev->bytes_identical, 0);
43404 + atomic_set_unchecked(&dev->bytes_sent, 0);
43405 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
43406
43407 return count;
43408 }
43409 diff -urNp linux-2.6.39.3/drivers/video/uvesafb.c linux-2.6.39.3/drivers/video/uvesafb.c
43410 --- linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-19 00:06:34.000000000 -0400
43411 +++ linux-2.6.39.3/drivers/video/uvesafb.c 2011-05-22 19:36:32.000000000 -0400
43412 @@ -19,6 +19,7 @@
43413 #include <linux/io.h>
43414 #include <linux/mutex.h>
43415 #include <linux/slab.h>
43416 +#include <linux/moduleloader.h>
43417 #include <video/edid.h>
43418 #include <video/uvesafb.h>
43419 #ifdef CONFIG_X86
43420 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
43421 NULL,
43422 };
43423
43424 - return call_usermodehelper(v86d_path, argv, envp, 1);
43425 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43426 }
43427
43428 /*
43429 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
43430 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43431 par->pmi_setpal = par->ypan = 0;
43432 } else {
43433 +
43434 +#ifdef CONFIG_PAX_KERNEXEC
43435 +#ifdef CONFIG_MODULES
43436 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43437 +#endif
43438 + if (!par->pmi_code) {
43439 + par->pmi_setpal = par->ypan = 0;
43440 + return 0;
43441 + }
43442 +#endif
43443 +
43444 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43445 + task->t.regs.edi);
43446 +
43447 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43448 + pax_open_kernel();
43449 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43450 + pax_close_kernel();
43451 +
43452 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43453 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43454 +#else
43455 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43456 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43457 +#endif
43458 +
43459 printk(KERN_INFO "uvesafb: protected mode interface info at "
43460 "%04x:%04x\n",
43461 (u16)task->t.regs.es, (u16)task->t.regs.edi);
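Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared to the `(u16)task->t.regs.ecx` length that sized both the `module_alloc_exec()` allocation and the `memcpy`. If the BIOS table is inconsistent, `pmi_start` and `pmi_pal` can point outside the copied region. I would reject the table when either offset is not below the length, free the copy and fall back to `pmi_setpal = ypan = 0`, as the allocation-failure branch already does. The vesafb_probe hunk in drivers/video/vesafb.c has the same gap with `screen_info.vesapm_size`. uvesafb_vbe_getpmi begins and ends outside this hunk.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* Offsets come from the BIOS table; keep both entry points inside the copy. */
		if ((u16)task->t.regs.ecx < 3 * sizeof(u16) ||
		    par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			module_free_exec(NULL, par->pmi_code);
			par->pmi_code = NULL;
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
		/* … unchanged: pax_open_kernel(), memcpy, pax_close_kernel(), ktva_ktla() assignments … */
```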
43462 @@ -1821,6 +1844,11 @@ out:
43463 if (par->vbe_modes)
43464 kfree(par->vbe_modes);
43465
43466 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43467 + if (par->pmi_code)
43468 + module_free_exec(NULL, par->pmi_code);
43469 +#endif
43470 +
43471 framebuffer_release(info);
43472 return err;
43473 }
43474 @@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
43475 kfree(par->vbe_state_orig);
43476 if (par->vbe_state_saved)
43477 kfree(par->vbe_state_saved);
43478 +
43479 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43480 + if (par->pmi_code)
43481 + module_free_exec(NULL, par->pmi_code);
43482 +#endif
43483 +
43484 }
43485
43486 framebuffer_release(info);
43487 @@ -2013,7 +2047,7 @@ static int param_set_scroll(const char *
43488
43489 return 0;
43490 }
43491 -static struct kernel_param_ops param_ops_scroll = {
43492 +static const struct kernel_param_ops param_ops_scroll = {
43493 .set = param_set_scroll,
43494 };
43495 #define param_check_scroll(name, p) __param_check(name, p, void)
43496 diff -urNp linux-2.6.39.3/drivers/video/vesafb.c linux-2.6.39.3/drivers/video/vesafb.c
43497 --- linux-2.6.39.3/drivers/video/vesafb.c 2011-05-19 00:06:34.000000000 -0400
43498 +++ linux-2.6.39.3/drivers/video/vesafb.c 2011-05-22 19:36:32.000000000 -0400
43499 @@ -9,6 +9,7 @@
43500 */
43501
43502 #include <linux/module.h>
43503 +#include <linux/moduleloader.h>
43504 #include <linux/kernel.h>
43505 #include <linux/errno.h>
43506 #include <linux/string.h>
43507 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
43508 static int vram_total __initdata; /* Set total amount of memory */
43509 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43510 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43511 -static void (*pmi_start)(void) __read_mostly;
43512 -static void (*pmi_pal) (void) __read_mostly;
43513 +static void (*pmi_start)(void) __read_only;
43514 +static void (*pmi_pal) (void) __read_only;
43515 static int depth __read_mostly;
43516 static int vga_compat __read_mostly;
43517 /* --------------------------------------------------------------------- */
43518 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
43519 unsigned int size_vmode;
43520 unsigned int size_remap;
43521 unsigned int size_total;
43522 + void *pmi_code = NULL;
43523
43524 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43525 return -ENODEV;
43526 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
43527 size_remap = size_total;
43528 vesafb_fix.smem_len = size_remap;
43529
43530 -#ifndef __i386__
43531 - screen_info.vesapm_seg = 0;
43532 -#endif
43533 -
43534 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43535 printk(KERN_WARNING
43536 "vesafb: cannot reserve video memory at 0x%lx\n",
43537 @@ -306,9 +304,21 @@ static int __init vesafb_probe(struct pl
43538 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43539 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43540
43541 +#ifdef __i386__
43542 +
43543 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43544 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43545 + if (!pmi_code)
43546 +#elif !defined(CONFIG_PAX_KERNEXEC)
43547 + if (0)
43548 +#endif
43549 +
43550 +#endif
43551 + screen_info.vesapm_seg = 0;
43552 +
43553 if (screen_info.vesapm_seg) {
43554 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43555 - screen_info.vesapm_seg,screen_info.vesapm_off);
43556 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43557 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43558 }
43559
43560 if (screen_info.vesapm_seg < 0xc000)
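Review bot: The added preprocessor block leaves `screen_info.vesapm_seg = 0;` outside every `#endif` and lets the branch taken decide whether an `if (!pmi_code)` or `if (0)` precedes it. Which configurations actually clear the segment is therefore hard to see, and the unindented statement hides that it is sometimes conditional. Spelling the three cases out keeps the same behaviour: allocate and clear on failure for i386 with modules and KERNEXEC, clear unconditionally for non-i386 or KERNEXEC without modules, and do nothing otherwise. The allocation is also made before it is known whether `ypan` or `pmi_setpal` will survive the `< 0xc000` test, so the copy may end up unused. vesafb_probe begins and ends outside this hunk.

```c
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
	/* no executable copy can be made: disable the protected mode interface */
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: printk of the interface info, vesapm_seg < 0xc000 test … */
```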
43561 @@ -316,9 +326,25 @@ static int __init vesafb_probe(struct pl
43562
43563 if (ypan || pmi_setpal) {
43564 unsigned short *pmi_base;
43565 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43566 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43567 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43568 +
43569 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43570 +
43571 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43572 + pax_open_kernel();
43573 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43574 +#else
43575 + pmi_code = pmi_base;
43576 +#endif
43577 +
43578 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43579 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43580 +
43581 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43582 + pmi_start = ktva_ktla(pmi_start);
43583 + pmi_pal = ktva_ktla(pmi_pal);
43584 + pax_close_kernel();
43585 +#endif
43586 +
43587 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43588 if (pmi_base[3]) {
43589 printk(KERN_INFO "vesafb: pmi: ports = ");
43590 @@ -487,6 +513,11 @@ static int __init vesafb_probe(struct pl
43591 info->node, info->fix.id);
43592 return 0;
43593 err:
43594 +
43595 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43596 + module_free_exec(NULL, pmi_code);
43597 +#endif
43598 +
43599 if (info->screen_base)
43600 iounmap(info->screen_base);
43601 framebuffer_release(info);
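Review bot: `module_free_exec(NULL, pmi_code)` is called on the `err:` path without the `if (pmi_code)` guard that the uvesafb error and remove hunks in this patch use. `pmi_code` is still NULL here whenever the earlier `module_alloc_exec()` call failed. Whether module_free_exec() tolerates a NULL region is not visible in this chunk, so I would write `if (pmi_code) module_free_exec(NULL, pmi_code);` to match the sibling driver. vesafb_probe begins outside the hunk.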
43602 diff -urNp linux-2.6.39.3/drivers/virtio/virtio_balloon.c linux-2.6.39.3/drivers/virtio/virtio_balloon.c
43603 --- linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-19 00:06:34.000000000 -0400
43604 +++ linux-2.6.39.3/drivers/virtio/virtio_balloon.c 2011-05-22 19:36:32.000000000 -0400
43605 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
43606 struct sysinfo i;
43607 int idx = 0;
43608
43609 + pax_track_stack();
43610 +
43611 all_vm_events(events);
43612 si_meminfo(&i);
43613
43614 diff -urNp linux-2.6.39.3/drivers/xen/gntalloc.c linux-2.6.39.3/drivers/xen/gntalloc.c
43615 --- linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-19 00:06:34.000000000 -0400
43616 +++ linux-2.6.39.3/drivers/xen/gntalloc.c 2011-05-22 19:36:32.000000000 -0400
43617 @@ -440,7 +440,7 @@ static void gntalloc_vma_close(struct vm
43618 spin_unlock(&gref_lock);
43619 }
43620
43621 -static struct vm_operations_struct gntalloc_vmops = {
43622 +static const struct vm_operations_struct gntalloc_vmops = {
43623 .close = gntalloc_vma_close,
43624 };
43625
43626 diff -urNp linux-2.6.39.3/drivers/xen/gntdev.c linux-2.6.39.3/drivers/xen/gntdev.c
43627 --- linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-19 00:06:34.000000000 -0400
43628 +++ linux-2.6.39.3/drivers/xen/gntdev.c 2011-05-22 19:36:32.000000000 -0400
43629 @@ -340,7 +340,7 @@ static void gntdev_vma_close(struct vm_a
43630 gntdev_put_map(map);
43631 }
43632
43633 -static struct vm_operations_struct gntdev_vmops = {
43634 +static const struct vm_operations_struct gntdev_vmops = {
43635 .close = gntdev_vma_close,
43636 };
43637
43638 @@ -404,7 +404,7 @@ static void mn_release(struct mmu_notifi
43639 spin_unlock(&priv->lock);
43640 }
43641
43642 -struct mmu_notifier_ops gntdev_mmu_ops = {
43643 +const struct mmu_notifier_ops gntdev_mmu_ops = {
43644 .release = mn_release,
43645 .invalidate_page = mn_invl_page,
43646 .invalidate_range_start = mn_invl_range_start,
43647 diff -urNp linux-2.6.39.3/drivers/xen/xenfs/privcmd.c linux-2.6.39.3/drivers/xen/xenfs/privcmd.c
43648 --- linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-19 00:06:34.000000000 -0400
43649 +++ linux-2.6.39.3/drivers/xen/xenfs/privcmd.c 2011-05-22 19:36:32.000000000 -0400
43650 @@ -268,7 +268,7 @@ static int mmap_return_errors(void *data
43651 return put_user(*mfnp, st->user++);
43652 }
43653
43654 -static struct vm_operations_struct privcmd_vm_ops;
43655 +static const struct vm_operations_struct privcmd_vm_ops;
43656
43657 static long privcmd_ioctl_mmap_batch(void __user *udata)
43658 {
43659 @@ -369,7 +369,7 @@ static int privcmd_fault(struct vm_area_
43660 return VM_FAULT_SIGBUS;
43661 }
43662
43663 -static struct vm_operations_struct privcmd_vm_ops = {
43664 +static const struct vm_operations_struct privcmd_vm_ops = {
43665 .fault = privcmd_fault
43666 };
43667
43668 diff -urNp linux-2.6.39.3/fs/9p/vfs_inode.c linux-2.6.39.3/fs/9p/vfs_inode.c
43669 --- linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-19 00:06:34.000000000 -0400
43670 +++ linux-2.6.39.3/fs/9p/vfs_inode.c 2011-05-22 19:36:32.000000000 -0400
43671 @@ -1210,7 +1210,7 @@ static void *v9fs_vfs_follow_link(struct
43672 void
43673 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43674 {
43675 - char *s = nd_get_link(nd);
43676 + const char *s = nd_get_link(nd);
43677
43678 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43679 IS_ERR(s) ? "<error>" : s);
43680 diff -urNp linux-2.6.39.3/fs/aio.c linux-2.6.39.3/fs/aio.c
43681 --- linux-2.6.39.3/fs/aio.c 2011-05-19 00:06:34.000000000 -0400
43682 +++ linux-2.6.39.3/fs/aio.c 2011-06-03 01:00:34.000000000 -0400
43683 @@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
43684 size += sizeof(struct io_event) * nr_events;
43685 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43686
43687 - if (nr_pages < 0)
43688 + if (nr_pages <= 0)
43689 return -EINVAL;
43690
43691 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
43692 @@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
43693 struct aio_timeout to;
43694 int retry = 0;
43695
43696 + pax_track_stack();
43697 +
43698 /* needed to zero any padding within an entry (there shouldn't be
43699 * any, but C is fun!
43700 */
43701 @@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
43702 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
43703 {
43704 ssize_t ret;
43705 + struct iovec iovstack;
43706
43707 #ifdef CONFIG_COMPAT
43708 if (compat)
43709 ret = compat_rw_copy_check_uvector(type,
43710 (struct compat_iovec __user *)kiocb->ki_buf,
43711 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43712 + kiocb->ki_nbytes, 1, &iovstack,
43713 &kiocb->ki_iovec);
43714 else
43715 #endif
43716 ret = rw_copy_check_uvector(type,
43717 (struct iovec __user *)kiocb->ki_buf,
43718 - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
43719 + kiocb->ki_nbytes, 1, &iovstack,
43720 &kiocb->ki_iovec);
43721 if (ret < 0)
43722 goto out;
43723
43724 + if (kiocb->ki_iovec == &iovstack) {
43725 + kiocb->ki_inline_vec = iovstack;
43726 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
43727 + }
43728 kiocb->ki_nr_segs = kiocb->ki_nbytes;
43729 kiocb->ki_cur_seg = 0;
43730 /* ki_nbytes/left now reflect bytes instead of segs */
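Review bot: The fix-up that redirects `kiocb->ki_iovec` from `&iovstack` to `&kiocb->ki_inline_vec` runs only after `if (ret < 0) goto out;`, so on the failure path `ki_iovec` may be left holding the address of this function's stack variable. That depends on rw_copy_check_uvector() and its compat variant storing the fast pointer through their last argument even when they fail, which is not visible here. Setting `kiocb->ki_iovec = &kiocb->ki_inline_vec;` before the `goto out`, or moving the `if (kiocb->ki_iovec == &iovstack)` block above the `ret < 0` test, keeps later cleanup from seeing a stack address. A one-line comment on `iovstack` explaining why the copy is bounced through the stack would also help. aio_setup_vectored_rw continues past the end of the hunk.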
43731 diff -urNp linux-2.6.39.3/fs/attr.c linux-2.6.39.3/fs/attr.c
43732 --- linux-2.6.39.3/fs/attr.c 2011-05-19 00:06:34.000000000 -0400
43733 +++ linux-2.6.39.3/fs/attr.c 2011-05-22 19:41:37.000000000 -0400
43734 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
43735 unsigned long limit;
43736
43737 limit = rlimit(RLIMIT_FSIZE);
43738 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
43739 if (limit != RLIM_INFINITY && offset > limit)
43740 goto out_sig;
43741 if (offset > inode->i_sb->s_maxbytes)
43742 diff -urNp linux-2.6.39.3/fs/befs/linuxvfs.c linux-2.6.39.3/fs/befs/linuxvfs.c
43743 --- linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-19 00:06:34.000000000 -0400
43744 +++ linux-2.6.39.3/fs/befs/linuxvfs.c 2011-05-22 19:36:32.000000000 -0400
43745 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
43746 {
43747 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
43748 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
43749 - char *link = nd_get_link(nd);
43750 + const char *link = nd_get_link(nd);
43751 if (!IS_ERR(link))
43752 kfree(link);
43753 }
43754 diff -urNp linux-2.6.39.3/fs/binfmt_aout.c linux-2.6.39.3/fs/binfmt_aout.c
43755 --- linux-2.6.39.3/fs/binfmt_aout.c 2011-05-19 00:06:34.000000000 -0400
43756 +++ linux-2.6.39.3/fs/binfmt_aout.c 2011-05-22 19:41:37.000000000 -0400
43757 @@ -16,6 +16,7 @@
43758 #include <linux/string.h>
43759 #include <linux/fs.h>
43760 #include <linux/file.h>
43761 +#include <linux/security.h>
43762 #include <linux/stat.h>
43763 #include <linux/fcntl.h>
43764 #include <linux/ptrace.h>
43765 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
43766 #endif
43767 # define START_STACK(u) ((void __user *)u.start_stack)
43768
43769 + memset(&dump, 0, sizeof(dump));
43770 +
43771 fs = get_fs();
43772 set_fs(KERNEL_DS);
43773 has_dumped = 1;
43774 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
43775
43776 /* If the size of the dump file exceeds the rlimit, then see what would happen
43777 if we wrote the stack, but not the data area. */
43778 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
43779 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
43780 dump.u_dsize = 0;
43781
43782 /* Make sure we have enough room to write the stack and data areas. */
43783 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
43784 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
43785 dump.u_ssize = 0;
43786
43787 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
43788 rlim = rlimit(RLIMIT_DATA);
43789 if (rlim >= RLIM_INFINITY)
43790 rlim = ~0;
43791 +
43792 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
43793 if (ex.a_data + ex.a_bss > rlim)
43794 return -ENOMEM;
43795
43796 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
43797 install_exec_creds(bprm);
43798 current->flags &= ~PF_FORKNOEXEC;
43799
43800 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43801 + current->mm->pax_flags = 0UL;
43802 +#endif
43803 +
43804 +#ifdef CONFIG_PAX_PAGEEXEC
43805 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
43806 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
43807 +
43808 +#ifdef CONFIG_PAX_EMUTRAMP
43809 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
43810 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
43811 +#endif
43812 +
43813 +#ifdef CONFIG_PAX_MPROTECT
43814 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
43815 + current->mm->pax_flags |= MF_PAX_MPROTECT;
43816 +#endif
43817 +
43818 + }
43819 +#endif
43820 +
43821 if (N_MAGIC(ex) == OMAGIC) {
43822 unsigned long text_addr, map_size;
43823 loff_t pos;
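Review bot: The three a.out header bits are tested with opposite polarity and the block does not say so. `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are set when `F_PAX_PAGEEXEC` / `F_PAX_MPROTECT` are absent from `N_FLAGS(ex)`, while `MF_PAX_EMUTRAMP` is set only when `F_PAX_EMUTRAMP` is present. A comment above the `#ifdef CONFIG_PAX_PAGEEXEC` block would prevent a later edit from "fixing" the negations, for example `/* header bits: PAGEEXEC and MPROTECT are opt-out, EMUTRAMP is opt-in */`. load_aout_binary begins and ends outside the hunk.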
43824 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
43825
43826 down_write(&current->mm->mmap_sem);
43827 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
43828 - PROT_READ | PROT_WRITE | PROT_EXEC,
43829 + PROT_READ | PROT_WRITE,
43830 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
43831 fd_offset + ex.a_text);
43832 up_write(&current->mm->mmap_sem);
43833 diff -urNp linux-2.6.39.3/fs/binfmt_elf.c linux-2.6.39.3/fs/binfmt_elf.c
43834 --- linux-2.6.39.3/fs/binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
43835 +++ linux-2.6.39.3/fs/binfmt_elf.c 2011-05-22 19:41:37.000000000 -0400
43836 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
43837 #define elf_core_dump NULL
43838 #endif
43839
43840 +#ifdef CONFIG_PAX_MPROTECT
43841 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
43842 +#endif
43843 +
43844 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
43845 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
43846 #else
43847 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
43848 .load_binary = load_elf_binary,
43849 .load_shlib = load_elf_library,
43850 .core_dump = elf_core_dump,
43851 +
43852 +#ifdef CONFIG_PAX_MPROTECT
43853 + .handle_mprotect= elf_handle_mprotect,
43854 +#endif
43855 +
43856 .min_coredump = ELF_EXEC_PAGESIZE,
43857 };
43858
43859 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
43860
43861 static int set_brk(unsigned long start, unsigned long end)
43862 {
43863 + unsigned long e = end;
43864 +
43865 start = ELF_PAGEALIGN(start);
43866 end = ELF_PAGEALIGN(end);
43867 if (end > start) {
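Review bot: The new local `e` keeps the caller's unaligned `end`, and the next hunk stores it in `current->mm->start_brk` and `current->mm->brk` in place of the page-aligned value. Neither the one-letter name nor any comment says the break is deliberately left unaligned. I would rename it to something like `unaligned_end` or add `/* remember the caller's unaligned end; it becomes mm->brk below */` at the declaration. Part of set_brk's body between the two hunks is not shown.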
43868 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
43869 if (BAD_ADDR(addr))
43870 return addr;
43871 }
43872 - current->mm->start_brk = current->mm->brk = end;
43873 + current->mm->start_brk = current->mm->brk = e;
43874 return 0;
43875 }
43876
43877 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
43878 elf_addr_t __user *u_rand_bytes;
43879 const char *k_platform = ELF_PLATFORM;
43880 const char *k_base_platform = ELF_BASE_PLATFORM;
43881 - unsigned char k_rand_bytes[16];
43882 + u32 k_rand_bytes[4];
43883 int items;
43884 elf_addr_t *elf_info;
43885 int ei_index = 0;
43886 const struct cred *cred = current_cred();
43887 struct vm_area_struct *vma;
43888 + unsigned long saved_auxv[AT_VECTOR_SIZE];
43889 +
43890 + pax_track_stack();
43891
43892 /*
43893 * In some cases (e.g. Hyper-Threading), we want to avoid L1
43894 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
43895 * Generate 16 random bytes for userspace PRNG seeding.
43896 */
43897 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
43898 - u_rand_bytes = (elf_addr_t __user *)
43899 - STACK_ALLOC(p, sizeof(k_rand_bytes));
43900 + srandom32(k_rand_bytes[0] ^ random32());
43901 + srandom32(k_rand_bytes[1] ^ random32());
43902 + srandom32(k_rand_bytes[2] ^ random32());
43903 + srandom32(k_rand_bytes[3] ^ random32());
43904 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
43905 + u_rand_bytes = (elf_addr_t __user *) p;
43906 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
43907 return -EFAULT;
43908
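Review bot: Replacing `STACK_ALLOC(p, sizeof(k_rand_bytes))` with `p = STACK_ROUND(p, sizeof(k_rand_bytes))` and then using `p` itself as `u_rand_bytes` is only clearly equivalent when the stack grows down. The macro definitions are outside this hunk, but if STACK_ROUND on an upward-growing stack returns the address above the reserved items, the 16 bytes land past the reservation and the next allocation overlaps them, so that configuration should be guarded or documented. The four `srandom32()` lines also need their own comment, since the existing one only describes userspace seeding: `/* reseed the kernel prandom state on each exec; k_rand_bytes is also copied to userspace below */`.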
43909 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
43910 return -EFAULT;
43911 current->mm->env_end = p;
43912
43913 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
43914 +
43915 /* Put the elf_info on the stack in the right place. */
43916 sp = (elf_addr_t __user *)envp + 1;
43917 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
43918 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
43919 return -EFAULT;
43920 return 0;
43921 }
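Review bot: The `memcpy()` into the on-stack `saved_auxv` copies `ei_index * sizeof(elf_addr_t)` bytes with no visible check against `sizeof(saved_auxv)`, and nothing explains why the vector is bounced through the stack before `copy_to_user()`. `elf_info` is set up outside this hunk, so the bound may already hold by construction. An explicit guard makes that reviewable: `if (ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv)) return -EFAULT;`. A one-line comment on the reason for the intermediate copy would also help, as it adds `AT_VECTOR_SIZE` longs to this function's stack frame.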
43922 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
43923 {
43924 struct elf_phdr *elf_phdata;
43925 struct elf_phdr *eppnt;
43926 - unsigned long load_addr = 0;
43927 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
43928 int load_addr_set = 0;
43929 unsigned long last_bss = 0, elf_bss = 0;
43930 - unsigned long error = ~0UL;
43931 + unsigned long error = -EINVAL;
43932 unsigned long total_size;
43933 int retval, i, size;
43934
43935 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
43936 goto out_close;
43937 }
43938
43939 +#ifdef CONFIG_PAX_SEGMEXEC
43940 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
43941 + pax_task_size = SEGMEXEC_TASK_SIZE;
43942 +#endif
43943 +
43944 eppnt = elf_phdata;
43945 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
43946 if (eppnt->p_type == PT_LOAD) {
43947 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
43948 k = load_addr + eppnt->p_vaddr;
43949 if (BAD_ADDR(k) ||
43950 eppnt->p_filesz > eppnt->p_memsz ||
43951 - eppnt->p_memsz > TASK_SIZE ||
43952 - TASK_SIZE - eppnt->p_memsz < k) {
43953 + eppnt->p_memsz > pax_task_size ||
43954 + pax_task_size - eppnt->p_memsz < k) {
43955 error = -ENOMEM;
43956 goto out_close;
43957 }
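Review bot: The range check still opens with `BAD_ADDR(k)` while the two following tests were switched to `pax_task_size`, so under SEGMEXEC the first test and the rest disagree about the limit. The matching check in load_elf_binary() further down this patch was changed to `k >= pax_task_size`. Using `if (k >= pax_task_size ||` here keeps the two loaders consistent and also rejects `k == pax_task_size` with a zero `p_memsz`, which the subtraction test lets through. BAD_ADDR is defined outside the hunk, so this assumes it compares against TASK_SIZE.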
43958 @@ -528,6 +553,193 @@ out:
43959 return error;
43960 }
43961
43962 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
43963 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
43964 +{
43965 + unsigned long pax_flags = 0UL;
43966 +
43967 +#ifdef CONFIG_PAX_PAGEEXEC
43968 + if (elf_phdata->p_flags & PF_PAGEEXEC)
43969 + pax_flags |= MF_PAX_PAGEEXEC;
43970 +#endif
43971 +
43972 +#ifdef CONFIG_PAX_SEGMEXEC
43973 + if (elf_phdata->p_flags & PF_SEGMEXEC)
43974 + pax_flags |= MF_PAX_SEGMEXEC;
43975 +#endif
43976 +
43977 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
43978 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43979 + if ((__supported_pte_mask & _PAGE_NX))
43980 + pax_flags &= ~MF_PAX_SEGMEXEC;
43981 + else
43982 + pax_flags &= ~MF_PAX_PAGEEXEC;
43983 + }
43984 +#endif
43985 +
43986 +#ifdef CONFIG_PAX_EMUTRAMP
43987 + if (elf_phdata->p_flags & PF_EMUTRAMP)
43988 + pax_flags |= MF_PAX_EMUTRAMP;
43989 +#endif
43990 +
43991 +#ifdef CONFIG_PAX_MPROTECT
43992 + if (elf_phdata->p_flags & PF_MPROTECT)
43993 + pax_flags |= MF_PAX_MPROTECT;
43994 +#endif
43995 +
43996 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
43997 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
43998 + pax_flags |= MF_PAX_RANDMMAP;
43999 +#endif
44000 +
44001 + return pax_flags;
44002 +}
44003 +#endif
44004 +
44005 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44006 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
44007 +{
44008 + unsigned long pax_flags = 0UL;
44009 +
44010 +#ifdef CONFIG_PAX_PAGEEXEC
44011 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
44012 + pax_flags |= MF_PAX_PAGEEXEC;
44013 +#endif
44014 +
44015 +#ifdef CONFIG_PAX_SEGMEXEC
44016 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
44017 + pax_flags |= MF_PAX_SEGMEXEC;
44018 +#endif
44019 +
44020 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44021 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44022 + if ((__supported_pte_mask & _PAGE_NX))
44023 + pax_flags &= ~MF_PAX_SEGMEXEC;
44024 + else
44025 + pax_flags &= ~MF_PAX_PAGEEXEC;
44026 + }
44027 +#endif
44028 +
44029 +#ifdef CONFIG_PAX_EMUTRAMP
44030 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
44031 + pax_flags |= MF_PAX_EMUTRAMP;
44032 +#endif
44033 +
44034 +#ifdef CONFIG_PAX_MPROTECT
44035 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
44036 + pax_flags |= MF_PAX_MPROTECT;
44037 +#endif
44038 +
44039 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44040 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
44041 + pax_flags |= MF_PAX_RANDMMAP;
44042 +#endif
44043 +
44044 + return pax_flags;
44045 +}
44046 +#endif
44047 +
44048 +#ifdef CONFIG_PAX_EI_PAX
44049 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
44050 +{
44051 + unsigned long pax_flags = 0UL;
44052 +
44053 +#ifdef CONFIG_PAX_PAGEEXEC
44054 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
44055 + pax_flags |= MF_PAX_PAGEEXEC;
44056 +#endif
44057 +
44058 +#ifdef CONFIG_PAX_SEGMEXEC
44059 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
44060 + pax_flags |= MF_PAX_SEGMEXEC;
44061 +#endif
44062 +
44063 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44064 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44065 + if ((__supported_pte_mask & _PAGE_NX))
44066 + pax_flags &= ~MF_PAX_SEGMEXEC;
44067 + else
44068 + pax_flags &= ~MF_PAX_PAGEEXEC;
44069 + }
44070 +#endif
44071 +
44072 +#ifdef CONFIG_PAX_EMUTRAMP
44073 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
44074 + pax_flags |= MF_PAX_EMUTRAMP;
44075 +#endif
44076 +
44077 +#ifdef CONFIG_PAX_MPROTECT
44078 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
44079 + pax_flags |= MF_PAX_MPROTECT;
44080 +#endif
44081 +
44082 +#ifdef CONFIG_PAX_ASLR
44083 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
44084 + pax_flags |= MF_PAX_RANDMMAP;
44085 +#endif
44086 +
44087 + return pax_flags;
44088 +}
44089 +#endif
44090 +
44091 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44092 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
44093 +{
44094 + unsigned long pax_flags = 0UL;
44095 +
44096 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44097 + unsigned long i;
44098 + int found_flags = 0;
44099 +#endif
44100 +
44101 +#ifdef CONFIG_PAX_EI_PAX
44102 + pax_flags = pax_parse_ei_pax(elf_ex);
44103 +#endif
44104 +
44105 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44106 + for (i = 0UL; i < elf_ex->e_phnum; i++)
44107 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
44108 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
44109 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
44110 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
44111 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
44112 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
44113 + return -EINVAL;
44114 +
44115 +#ifdef CONFIG_PAX_SOFTMODE
44116 + if (pax_softmode)
44117 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
44118 + else
44119 +#endif
44120 +
44121 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
44122 + found_flags = 1;
44123 + break;
44124 + }
44125 +#endif
44126 +
44127 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
44128 + if (found_flags == 0) {
44129 + struct elf_phdr phdr;
44130 + memset(&phdr, 0, sizeof(phdr));
44131 + phdr.p_flags = PF_NOEMUTRAMP;
44132 +#ifdef CONFIG_PAX_SOFTMODE
44133 + if (pax_softmode)
44134 + pax_flags = pax_parse_softmode(&phdr);
44135 + else
44136 +#endif
44137 + pax_flags = pax_parse_hardmode(&phdr);
44138 + }
44139 +#endif
44140 +
44141 + if (0 > pax_check_flags(&pax_flags))
44142 + return -EINVAL;
44143 +
44144 + current->mm->pax_flags = pax_flags;
44145 + return 0;
44146 +}
44147 +#endif
44148 +
44149 /*
44150 * These are the functions used to load ELF style executables and shared
44151 * libraries. There is no binary dependent code anywhere else.
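Review bot: The PAGEEXEC/SEGMEXEC tie-break block is copied verbatim into pax_parse_softmode(), pax_parse_hardmode() and pax_parse_ei_pax(), so a later change to the NX preference has to be made in three places. A small helper, sketched below, keeps that policy in one spot. In pax_parse_elf_flags() the `else` that straddles `#endif` and a blank line before `pax_flags = pax_parse_hardmode(&elf_phdata[i]);` is easy to misread. That function should also carry a comment that a PT_PAX_FLAGS header, when present, replaces the EI_PAX result.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* If both non-exec modes were requested, keep PAGEEXEC when the CPU has NX, SEGMEXEC otherwise. */
static unsigned long pax_pick_noexec_mode(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	if (__supported_pte_mask & _PAGE_NX)
		return pax_flags & ~MF_PAX_SEGMEXEC;
	return pax_flags & ~MF_PAX_PAGEEXEC;
}
#endif

/* ... unchanged: per-flag tests in pax_parse_softmode/hardmode/ei_pax ... */

#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	pax_flags = pax_pick_noexec_mode(pax_flags);
#endif
```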
44152 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
44153 {
44154 unsigned int random_variable = 0;
44155
44156 +#ifdef CONFIG_PAX_RANDUSTACK
44157 + if (randomize_va_space)
44158 + return stack_top - current->mm->delta_stack;
44159 +#endif
44160 +
44161 if ((current->flags & PF_RANDOMIZE) &&
44162 !(current->personality & ADDR_NO_RANDOMIZE)) {
44163 random_variable = get_random_int() & STACK_RND_MASK;
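Review bot: The early return at the top of randomize_stack_top() bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test just below it, so under CONFIG_PAX_RANDUSTACK the result depends only on `delta_stack`. Judging by the load_elf_binary() hunk in this file, `delta_stack` stays 0 unless MF_PAX_RANDMMAP is set, in which case this function applies no offset at all. A comment should say that this is intended: `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP is set; personality flags are not consulted here */`. The function continues outside the hunk.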
44164 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
44165 unsigned long load_addr = 0, load_bias = 0;
44166 int load_addr_set = 0;
44167 char * elf_interpreter = NULL;
44168 - unsigned long error;
44169 + unsigned long error = 0;
44170 struct elf_phdr *elf_ppnt, *elf_phdata;
44171 unsigned long elf_bss, elf_brk;
44172 int retval, i;
44173 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
44174 unsigned long start_code, end_code, start_data, end_data;
44175 unsigned long reloc_func_desc __maybe_unused = 0;
44176 int executable_stack = EXSTACK_DEFAULT;
44177 - unsigned long def_flags = 0;
44178 struct {
44179 struct elfhdr elf_ex;
44180 struct elfhdr interp_elf_ex;
44181 } *loc;
44182 + unsigned long pax_task_size = TASK_SIZE;
44183
44184 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
44185 if (!loc) {
44186 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
44187
44188 /* OK, This is the point of no return */
44189 current->flags &= ~PF_FORKNOEXEC;
44190 - current->mm->def_flags = def_flags;
44191 +
44192 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44193 + current->mm->pax_flags = 0UL;
44194 +#endif
44195 +
44196 +#ifdef CONFIG_PAX_DLRESOLVE
44197 + current->mm->call_dl_resolve = 0UL;
44198 +#endif
44199 +
44200 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44201 + current->mm->call_syscall = 0UL;
44202 +#endif
44203 +
44204 +#ifdef CONFIG_PAX_ASLR
44205 + current->mm->delta_mmap = 0UL;
44206 + current->mm->delta_stack = 0UL;
44207 +#endif
44208 +
44209 + current->mm->def_flags = 0;
44210 +
44211 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44212 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44213 + send_sig(SIGKILL, current, 0);
44214 + goto out_free_dentry;
44215 + }
44216 +#endif
44217 +
44218 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44219 + pax_set_initial_flags(bprm);
44220 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44221 + if (pax_set_initial_flags_func)
44222 + (pax_set_initial_flags_func)(bprm);
44223 +#endif
44224 +
44225 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44226 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
44227 + current->mm->context.user_cs_limit = PAGE_SIZE;
44228 + current->mm->def_flags |= VM_PAGEEXEC;
44229 + }
44230 +#endif
44231 +
44232 +#ifdef CONFIG_PAX_SEGMEXEC
44233 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44234 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44235 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44236 + pax_task_size = SEGMEXEC_TASK_SIZE;
44237 + current->mm->def_flags |= VM_NOHUGEPAGE;
44238 + }
44239 +#endif
44240 +
44241 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44242 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44243 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44244 + put_cpu();
44245 + }
44246 +#endif
44247
44248 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44249 may depend on the personality. */
44250 SET_PERSONALITY(loc->elf_ex);
44251 +
44252 +#ifdef CONFIG_PAX_ASLR
44253 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44254 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44255 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44256 + }
44257 +#endif
44258 +
44259 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44260 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44261 + executable_stack = EXSTACK_DISABLE_X;
44262 + current->personality &= ~READ_IMPLIES_EXEC;
44263 + } else
44264 +#endif
44265 +
44266 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44267 current->personality |= READ_IMPLIES_EXEC;
44268
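Review bot: The failure branch after `pax_parse_elf_flags()` jumps to `out_free_dentry` without assigning `retval`, unlike the p_memsz check later in this file, which sets `retval = -EINVAL` before leaving. `retval` is last written outside this hunk, so if it is still 0 here load_elf_binary() would report success for an image whose PaX flags were rejected; add `retval = -EINVAL;` before the `goto`. The `} else` followed by `#endif` and a blank line ahead of `if (elf_read_implies_exec(...))` would also read more safely with the blank line removed or braces added.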
44269 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
44270 #else
44271 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44272 #endif
44273 +
44274 +#ifdef CONFIG_PAX_RANDMMAP
44275 + /* PaX: randomize base address at the default exe base if requested */
44276 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44277 +#ifdef CONFIG_SPARC64
44278 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44279 +#else
44280 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44281 +#endif
44282 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44283 + elf_flags |= MAP_FIXED;
44284 + }
44285 +#endif
44286 +
44287 }
44288
44289 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
44290 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
44291 * allowed task size. Note that p_filesz must always be
44292 * <= p_memsz so it is only necessary to check p_memsz.
44293 */
44294 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44295 - elf_ppnt->p_memsz > TASK_SIZE ||
44296 - TASK_SIZE - elf_ppnt->p_memsz < k) {
44297 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44298 + elf_ppnt->p_memsz > pax_task_size ||
44299 + pax_task_size - elf_ppnt->p_memsz < k) {
44300 /* set_brk can never work. Avoid overflows. */
44301 send_sig(SIGKILL, current, 0);
44302 retval = -EINVAL;
44303 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
44304 start_data += load_bias;
44305 end_data += load_bias;
44306
44307 +#ifdef CONFIG_PAX_RANDMMAP
44308 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44309 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44310 +#endif
44311 +
44312 /* Calling set_brk effectively mmaps the pages that we need
44313 * for the bss and break sections. We must do this before
44314 * mapping in the interpreter, to make sure it doesn't wind
44315 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
44316 goto out_free_dentry;
44317 }
44318 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44319 - send_sig(SIGSEGV, current, 0);
44320 - retval = -EFAULT; /* Nobody gets to see this, but.. */
44321 - goto out_free_dentry;
44322 + /*
44323 + * This bss-zeroing can fail if the ELF
44324 + * file specifies odd protections. So
44325 + * we don't check the return value
44326 + */
44327 }
44328
44329 if (elf_interpreter) {
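Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that is only a comment, so a failed padzero() is dropped silently and the construct reads like an unfinished edit. If ignoring the failure is intended, the comment should say what is left behind when it fails: presumably the tail of the last page past `elf_bss` is then not cleared, though padzero() is not shown here. Writing the call directly makes the intent explicit, e.g. `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail on odd segment protections; ignored */`. load_elf_binary() continues outside the hunk.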
44330 @@ -1090,7 +1398,7 @@ out:
44331 * Decide what to dump of a segment, part, all or none.
44332 */
44333 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44334 - unsigned long mm_flags)
44335 + unsigned long mm_flags, long signr)
44336 {
44337 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44338
44339 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
44340 if (vma->vm_file == NULL)
44341 return 0;
44342
44343 - if (FILTER(MAPPED_PRIVATE))
44344 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44345 goto whole;
44346
44347 /*
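Review bot: The added `signr == SIGKILL ||` sends every mapping that reaches this test to `whole` when the dump is for SIGKILL, regardless of the `MAPPED_PRIVATE` bit in `mm_flags`, and nothing next to the test says so. That overrides the configured coredump filter and can put more mapped file content into core files than an administrator expects. The policy should be documented at the test: `/* SIGKILL dumps ignore the MAPPED_PRIVATE filter bit and include the whole mapping */`. vma_dump_size() starts and ends outside this hunk.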
44348 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
44349 {
44350 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44351 int i = 0;
44352 - do
44353 + do {
44354 i += 2;
44355 - while (auxv[i - 2] != AT_NULL);
44356 + } while (auxv[i - 2] != AT_NULL);
44357 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44358 }
44359
44360 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
44361 }
44362
44363 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
44364 - unsigned long mm_flags)
44365 + struct coredump_params *cprm)
44366 {
44367 struct vm_area_struct *vma;
44368 size_t size = 0;
44369
44370 for (vma = first_vma(current, gate_vma); vma != NULL;
44371 vma = next_vma(vma, gate_vma))
44372 - size += vma_dump_size(vma, mm_flags);
44373 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44374 return size;
44375 }
44376
44377 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
44378
44379 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
44380
44381 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
44382 + offset += elf_core_vma_data_size(gate_vma, cprm);
44383 offset += elf_core_extra_data_size();
44384 e_shoff = offset;
44385
44386 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
44387 offset = dataoff;
44388
44389 size += sizeof(*elf);
44390 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44391 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
44392 goto end_coredump;
44393
44394 size += sizeof(*phdr4note);
44395 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44396 if (size > cprm->limit
44397 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
44398 goto end_coredump;
44399 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
44400 phdr.p_offset = offset;
44401 phdr.p_vaddr = vma->vm_start;
44402 phdr.p_paddr = 0;
44403 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
44404 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44405 phdr.p_memsz = vma->vm_end - vma->vm_start;
44406 offset += phdr.p_filesz;
44407 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44408 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
44409 phdr.p_align = ELF_EXEC_PAGESIZE;
44410
44411 size += sizeof(phdr);
44412 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44413 if (size > cprm->limit
44414 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
44415 goto end_coredump;
44416 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
44417 unsigned long addr;
44418 unsigned long end;
44419
44420 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
44421 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
44422
44423 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44424 struct page *page;
44425 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
44426 page = get_dump_page(addr);
44427 if (page) {
44428 void *kaddr = kmap(page);
44429 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44430 stop = ((size += PAGE_SIZE) > cprm->limit) ||
44431 !dump_write(cprm->file, kaddr,
44432 PAGE_SIZE);
44433 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
44434
44435 if (e_phnum == PN_XNUM) {
44436 size += sizeof(*shdr4extnum);
44437 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
44438 if (size > cprm->limit
44439 || !dump_write(cprm->file, shdr4extnum,
44440 sizeof(*shdr4extnum)))
44441 @@ -2067,6 +2380,97 @@ out:
44442
44443 #endif /* CONFIG_ELF_CORE */
44444
44445 +#ifdef CONFIG_PAX_MPROTECT
44446 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44447 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44448 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44449 + *
44450 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44451 + * basis because we want to allow the common case and not the special ones.
44452 + */
44453 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44454 +{
44455 + struct elfhdr elf_h;
44456 + struct elf_phdr elf_p;
44457 + unsigned long i;
44458 + unsigned long oldflags;
44459 + bool is_textrel_rw, is_textrel_rx, is_relro;
44460 +
44461 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44462 + return;
44463 +
44464 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44465 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44466 +
44467 +#ifdef CONFIG_PAX_ELFRELOCS
44468 + /* possible TEXTREL */
44469 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44470 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44471 +#else
44472 + is_textrel_rw = false;
44473 + is_textrel_rx = false;
44474 +#endif
44475 +
44476 + /* possible RELRO */
44477 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44478 +
44479 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44480 + return;
44481 +
44482 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44483 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44484 +
44485 +#ifdef CONFIG_PAX_ETEXECRELOCS
44486 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44487 +#else
44488 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44489 +#endif
44490 +
44491 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44492 + !elf_check_arch(&elf_h) ||
44493 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44494 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44495 + return;
44496 +
44497 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44498 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44499 + return;
44500 + switch (elf_p.p_type) {
44501 + case PT_DYNAMIC:
44502 + if (!is_textrel_rw && !is_textrel_rx)
44503 + continue;
44504 + i = 0UL;
44505 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44506 + elf_dyn dyn;
44507 +
44508 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44509 + return;
44510 + if (dyn.d_tag == DT_NULL)
44511 + return;
44512 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44513 + gr_log_textrel(vma);
44514 + if (is_textrel_rw)
44515 + vma->vm_flags |= VM_MAYWRITE;
44516 + else
44517 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44518 + vma->vm_flags &= ~VM_MAYWRITE;
44519 + return;
44520 + }
44521 + i++;
44522 + }
44523 + return;
44524 +
44525 + case PT_GNU_RELRO:
44526 + if (!is_relro)
44527 + continue;
44528 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44529 + vma->vm_flags &= ~VM_MAYWRITE;
44530 + return;
44531 + }
44532 + }
44533 +}
44534 +#endif
44535 +
44536 static int __init init_elf_binfmt(void)
44537 {
44538 return register_binfmt(&elf_format);
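Review bot: In elf_handle_mprotect() the PT_GNU_RELRO case ties the segment to the VMA (`p_offset >> PAGE_SHIFT` against `vm_pgoff`, size against `vm_end - vm_start`), but the PT_DYNAMIC case compares nothing to the VMA. As written, any qualifying mapping of a file that carries DT_TEXTREL has `VM_MAYWRITE` changed. If that breadth is intended it should be stated in the header comment, which currently speaks of a per-segment basis. The inner `while` also reuses the outer loop counter `i`, which is harmless only because every path after it returns; a separate index (`unsigned long j`) and a `default: break;` in the switch would make the function safer to modify. The ELF and program headers are re-read from `vma->vm_file` on every call, which deserves a one-line comment too.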
44539 diff -urNp linux-2.6.39.3/fs/binfmt_flat.c linux-2.6.39.3/fs/binfmt_flat.c
44540 --- linux-2.6.39.3/fs/binfmt_flat.c 2011-05-19 00:06:34.000000000 -0400
44541 +++ linux-2.6.39.3/fs/binfmt_flat.c 2011-05-22 19:36:32.000000000 -0400
44542 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
44543 realdatastart = (unsigned long) -ENOMEM;
44544 printk("Unable to allocate RAM for process data, errno %d\n",
44545 (int)-realdatastart);
44546 + down_write(&current->mm->mmap_sem);
44547 do_munmap(current->mm, textpos, text_len);
44548 + up_write(&current->mm->mmap_sem);
44549 ret = realdatastart;
44550 goto err;
44551 }
44552 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
44553 }
44554 if (IS_ERR_VALUE(result)) {
44555 printk("Unable to read data+bss, errno %d\n", (int)-result);
44556 + down_write(&current->mm->mmap_sem);
44557 do_munmap(current->mm, textpos, text_len);
44558 do_munmap(current->mm, realdatastart, len);
44559 + up_write(&current->mm->mmap_sem);
44560 ret = result;
44561 goto err;
44562 }
44563 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
44564 }
44565 if (IS_ERR_VALUE(result)) {
44566 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44567 + down_write(&current->mm->mmap_sem);
44568 do_munmap(current->mm, textpos, text_len + data_len + extra +
44569 MAX_SHARED_LIBS * sizeof(unsigned long));
44570 + up_write(&current->mm->mmap_sem);
44571 ret = result;
44572 goto err;
44573 }
44574 diff -urNp linux-2.6.39.3/fs/bio.c linux-2.6.39.3/fs/bio.c
44575 --- linux-2.6.39.3/fs/bio.c 2011-05-19 00:06:34.000000000 -0400
44576 +++ linux-2.6.39.3/fs/bio.c 2011-05-22 19:36:32.000000000 -0400
44577 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
44578 const int read = bio_data_dir(bio) == READ;
44579 struct bio_map_data *bmd = bio->bi_private;
44580 int i;
44581 - char *p = bmd->sgvecs[0].iov_base;
44582 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
44583
44584 __bio_for_each_segment(bvec, bio, i, 0) {
44585 char *addr = page_address(bvec->bv_page);
44586 diff -urNp linux-2.6.39.3/fs/block_dev.c linux-2.6.39.3/fs/block_dev.c
44587 --- linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:18:51.000000000 -0400
44588 +++ linux-2.6.39.3/fs/block_dev.c 2011-07-09 09:19:18.000000000 -0400
44589 @@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
44590 else if (bdev->bd_contains == bdev)
44591 return true; /* is a whole device which isn't held */
44592
44593 - else if (whole->bd_holder == bd_may_claim)
44594 + else if (whole->bd_holder == (void *)bd_may_claim)
44595 return true; /* is a partition of a device that is being partitioned */
44596 else if (whole->bd_holder != NULL)
44597 return false; /* is a partition of a held device */
44598 diff -urNp linux-2.6.39.3/fs/btrfs/compression.c linux-2.6.39.3/fs/btrfs/compression.c
44599 --- linux-2.6.39.3/fs/btrfs/compression.c 2011-05-19 00:06:34.000000000 -0400
44600 +++ linux-2.6.39.3/fs/btrfs/compression.c 2011-05-22 19:36:32.000000000 -0400
44601 @@ -719,7 +719,7 @@ static int comp_num_workspace[BTRFS_COMP
44602 static atomic_t comp_alloc_workspace[BTRFS_COMPRESS_TYPES];
44603 static wait_queue_head_t comp_workspace_wait[BTRFS_COMPRESS_TYPES];
44604
44605 -struct btrfs_compress_op *btrfs_compress_op[] = {
44606 +const struct btrfs_compress_op *btrfs_compress_op[] = {
44607 &btrfs_zlib_compress,
44608 &btrfs_lzo_compress,
44609 };
44610 diff -urNp linux-2.6.39.3/fs/btrfs/compression.h linux-2.6.39.3/fs/btrfs/compression.h
44611 --- linux-2.6.39.3/fs/btrfs/compression.h 2011-05-19 00:06:34.000000000 -0400
44612 +++ linux-2.6.39.3/fs/btrfs/compression.h 2011-05-22 19:36:32.000000000 -0400
44613 @@ -77,7 +77,7 @@ struct btrfs_compress_op {
44614 size_t srclen, size_t destlen);
44615 };
44616
44617 -extern struct btrfs_compress_op btrfs_zlib_compress;
44618 -extern struct btrfs_compress_op btrfs_lzo_compress;
44619 +extern const struct btrfs_compress_op btrfs_zlib_compress;
44620 +extern const struct btrfs_compress_op btrfs_lzo_compress;
44621
44622 #endif
44623 diff -urNp linux-2.6.39.3/fs/btrfs/ctree.c linux-2.6.39.3/fs/btrfs/ctree.c
44624 --- linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-19 00:06:34.000000000 -0400
44625 +++ linux-2.6.39.3/fs/btrfs/ctree.c 2011-05-22 19:36:32.000000000 -0400
44626 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44627 free_extent_buffer(buf);
44628 add_root_to_dirty_list(root);
44629 } else {
44630 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44631 - parent_start = parent->start;
44632 - else
44633 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44634 + if (parent)
44635 + parent_start = parent->start;
44636 + else
44637 + parent_start = 0;
44638 + } else
44639 parent_start = 0;
44640
44641 WARN_ON(trans->transid != btrfs_header_generation(parent));
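Review bot: The new `if (parent)` guard protects `parent->start`, but the `WARN_ON(trans->transid != btrfs_header_generation(parent));` two lines below still passes `parent` on unconditionally. A NULL `parent` in this branch would presumably still be dereferenced there, although btrfs_header_generation() is not shown. Either `parent` cannot be NULL here and the guard is unnecessary, or the WARN_ON needs the same test. The nested if/else can also collapse to `if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent)` with a single `else parent_start = 0;`. __btrfs_cow_block() starts and ends outside the hunk.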
44642 @@ -3647,7 +3650,6 @@ setup_items_for_insert(struct btrfs_tran
44643
44644 ret = 0;
44645 if (slot == 0) {
44646 - struct btrfs_disk_key disk_key;
44647 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44648 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44649 }
44650 diff -urNp linux-2.6.39.3/fs/btrfs/disk-io.c linux-2.6.39.3/fs/btrfs/disk-io.c
44651 --- linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-19 00:06:34.000000000 -0400
44652 +++ linux-2.6.39.3/fs/btrfs/disk-io.c 2011-05-22 19:36:32.000000000 -0400
44653 @@ -42,7 +42,7 @@
44654 #include "tree-log.h"
44655 #include "free-space-cache.h"
44656
44657 -static struct extent_io_ops btree_extent_io_ops;
44658 +static const struct extent_io_ops btree_extent_io_ops;
44659 static void end_workqueue_fn(struct btrfs_work *work);
44660 static void free_fs_root(struct btrfs_root *root);
44661 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
44662 @@ -3070,7 +3070,7 @@ static int btrfs_cleanup_transaction(str
44663 return 0;
44664 }
44665
44666 -static struct extent_io_ops btree_extent_io_ops = {
44667 +static const struct extent_io_ops btree_extent_io_ops = {
44668 .write_cache_pages_lock_hook = btree_lock_page_hook,
44669 .readpage_end_io_hook = btree_readpage_end_io_hook,
44670 .submit_bio_hook = btree_submit_bio_hook,
44671 diff -urNp linux-2.6.39.3/fs/btrfs/extent_io.h linux-2.6.39.3/fs/btrfs/extent_io.h
44672 --- linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-19 00:06:34.000000000 -0400
44673 +++ linux-2.6.39.3/fs/btrfs/extent_io.h 2011-05-22 19:36:32.000000000 -0400
44674 @@ -56,36 +56,36 @@ typedef int (extent_submit_bio_hook_t)(s
44675 struct bio *bio, int mirror_num,
44676 unsigned long bio_flags, u64 bio_offset);
44677 struct extent_io_ops {
44678 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44679 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44680 u64 start, u64 end, int *page_started,
44681 unsigned long *nr_written);
44682 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44683 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44684 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44685 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44686 extent_submit_bio_hook_t *submit_bio_hook;
44687 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44688 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44689 size_t size, struct bio *bio,
44690 unsigned long bio_flags);
44691 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44692 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44693 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44694 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44695 u64 start, u64 end,
44696 struct extent_state *state);
44697 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44698 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44699 u64 start, u64 end,
44700 struct extent_state *state);
44701 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44702 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44703 struct extent_state *state);
44704 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44705 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44706 struct extent_state *state, int uptodate);
44707 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
44708 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
44709 int *bits);
44710 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
44711 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
44712 int *bits);
44713 - int (*merge_extent_hook)(struct inode *inode,
44714 + int (* const merge_extent_hook)(struct inode *inode,
44715 struct extent_state *new,
44716 struct extent_state *other);
44717 - int (*split_extent_hook)(struct inode *inode,
44718 + int (* const split_extent_hook)(struct inode *inode,
44719 struct extent_state *orig, u64 split);
44720 - int (*write_cache_pages_lock_hook)(struct page *page);
44721 + int (* const write_cache_pages_lock_hook)(struct page *page);
44722 };
44723
44724 struct extent_io_tree {
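Review bot: `submit_bio_hook` is the one member of `struct extent_io_ops` that this hunk leaves without a `const` qualifier, so the hardening is not uniform at the member level. Since `extent_submit_bio_hook_t` is a function type, the matching form would be `extent_submit_bio_hook_t * const submit_bio_hook;`. The `const struct extent_io_ops` instances elsewhere in the patch already make the whole table read-only, so this is a consistency point rather than a hole. Any instance that stays non-const would still keep that one pointer writable.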
44725 @@ -95,7 +95,7 @@ struct extent_io_tree {
44726 u64 dirty_bytes;
44727 spinlock_t lock;
44728 spinlock_t buffer_lock;
44729 - struct extent_io_ops *ops;
44730 + const struct extent_io_ops *ops;
44731 };
44732
44733 struct extent_state {
44734 diff -urNp linux-2.6.39.3/fs/btrfs/free-space-cache.c linux-2.6.39.3/fs/btrfs/free-space-cache.c
44735 --- linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-19 00:06:34.000000000 -0400
44736 +++ linux-2.6.39.3/fs/btrfs/free-space-cache.c 2011-05-22 19:36:32.000000000 -0400
44737 @@ -1910,8 +1910,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44738 while(1) {
44739 if (entry->bytes < bytes ||
44740 (!entry->bitmap && entry->offset < min_start)) {
44741 - struct rb_node *node;
44742 -
44743 node = rb_next(&entry->offset_index);
44744 if (!node)
44745 break;
44746 @@ -1925,7 +1923,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
44747 cluster, entry, bytes,
44748 min_start);
44749 if (ret == 0) {
44750 - struct rb_node *node;
44751 node = rb_next(&entry->offset_index);
44752 if (!node)
44753 break;
44754 diff -urNp linux-2.6.39.3/fs/btrfs/inode.c linux-2.6.39.3/fs/btrfs/inode.c
44755 --- linux-2.6.39.3/fs/btrfs/inode.c 2011-05-19 00:06:34.000000000 -0400
44756 +++ linux-2.6.39.3/fs/btrfs/inode.c 2011-05-22 20:42:42.000000000 -0400
44757 @@ -65,7 +65,7 @@ static const struct inode_operations btr
44758 static const struct address_space_operations btrfs_aops;
44759 static const struct address_space_operations btrfs_symlink_aops;
44760 static const struct file_operations btrfs_dir_file_operations;
44761 -static struct extent_io_ops btrfs_extent_io_ops;
44762 +static const struct extent_io_ops btrfs_extent_io_ops;
44763
44764 static struct kmem_cache *btrfs_inode_cachep;
44765 struct kmem_cache *btrfs_trans_handle_cachep;
44766 @@ -6947,7 +6947,7 @@ fail:
44767 return -ENOMEM;
44768 }
44769
44770 -static int btrfs_getattr(struct vfsmount *mnt,
44771 +int btrfs_getattr(struct vfsmount *mnt,
44772 struct dentry *dentry, struct kstat *stat)
44773 {
44774 struct inode *inode = dentry->d_inode;
44775 @@ -6959,6 +6959,14 @@ static int btrfs_getattr(struct vfsmount
44776 return 0;
44777 }
44778
44779 +EXPORT_SYMBOL(btrfs_getattr);
44780 +
44781 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
44782 +{
44783 + return BTRFS_I(inode)->root->anon_super.s_dev;
44784 +}
44785 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
44786 +
44787 /*
44788 * If a file is moved, it will inherit the cow and compression flags of the new
44789 * directory.
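Review bot: `get_btrfs_dev_from_inode()` is added as a global, exported symbol with no comment, and it dereferences `BTRFS_I(inode)->root` without stating what the caller must guarantee. A short header comment would help, for example `/* Return the s_dev of the anon_super of the root owning @inode; caller must pass a btrfs inode with a valid root. */`. Both new exports use `EXPORT_SYMBOL`; if the only intended consumers are in-tree, `EXPORT_SYMBOL_GPL` would narrow the exposed surface. No prototype for either function is visible in this hunk, so it presumably sits in a header changed elsewhere in the patch.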
44790 @@ -7488,7 +7496,7 @@ static const struct file_operations btrf
44791 .fsync = btrfs_sync_file,
44792 };
44793
44794 -static struct extent_io_ops btrfs_extent_io_ops = {
44795 +static const struct extent_io_ops btrfs_extent_io_ops = {
44796 .fill_delalloc = run_delalloc_range,
44797 .submit_bio_hook = btrfs_submit_bio_hook,
44798 .merge_bio_hook = btrfs_merge_bio_hook,
44799 diff -urNp linux-2.6.39.3/fs/btrfs/ioctl.c linux-2.6.39.3/fs/btrfs/ioctl.c
44800 --- linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-19 00:06:34.000000000 -0400
44801 +++ linux-2.6.39.3/fs/btrfs/ioctl.c 2011-05-22 19:41:37.000000000 -0400
44802 @@ -2361,9 +2361,12 @@ long btrfs_ioctl_space_info(struct btrfs
44803 for (i = 0; i < num_types; i++) {
44804 struct btrfs_space_info *tmp;
44805
44806 + /* Don't copy in more than we allocated */
44807 if (!slot_count)
44808 break;
44809
44810 + slot_count--;
44811 +
44812 info = NULL;
44813 rcu_read_lock();
44814 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
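Review bot: Moving `slot_count--` to the top of the outer loop means the counter now drops once per outer iteration, while the `memcpy(dest, &space, sizeof(space)); dest++;` in the following hunk sits in an inner block that appears able to run several times per iteration. That hunk also removes the inner `if (!slot_count) break;`. If `dest` was sized from `slot_count` (the allocation is outside both hunks), the number of copies is no longer bounded by the number of slots, which contradicts the added comment. Keeping `slot_count--;` next to `dest++` together with the inner `if (!slot_count) break;` preserves a per-copy bound. The enclosing function starts and ends outside the hunk.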
44815 @@ -2385,10 +2388,7 @@ long btrfs_ioctl_space_info(struct btrfs
44816 memcpy(dest, &space, sizeof(space));
44817 dest++;
44818 space_args.total_spaces++;
44819 - slot_count--;
44820 }
44821 - if (!slot_count)
44822 - break;
44823 }
44824 up_read(&info->groups_sem);
44825 }
44826 diff -urNp linux-2.6.39.3/fs/btrfs/lzo.c linux-2.6.39.3/fs/btrfs/lzo.c
44827 --- linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-19 00:06:34.000000000 -0400
44828 +++ linux-2.6.39.3/fs/btrfs/lzo.c 2011-05-22 19:36:32.000000000 -0400
44829 @@ -418,7 +418,7 @@ out:
44830 return ret;
44831 }
44832
44833 -struct btrfs_compress_op btrfs_lzo_compress = {
44834 +const struct btrfs_compress_op btrfs_lzo_compress = {
44835 .alloc_workspace = lzo_alloc_workspace,
44836 .free_workspace = lzo_free_workspace,
44837 .compress_pages = lzo_compress_pages,
44838 diff -urNp linux-2.6.39.3/fs/btrfs/relocation.c linux-2.6.39.3/fs/btrfs/relocation.c
44839 --- linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-19 00:06:34.000000000 -0400
44840 +++ linux-2.6.39.3/fs/btrfs/relocation.c 2011-05-22 19:36:32.000000000 -0400
44841 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
44842 }
44843 spin_unlock(&rc->reloc_root_tree.lock);
44844
44845 - BUG_ON((struct btrfs_root *)node->data != root);
44846 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
44847
44848 if (!del) {
44849 spin_lock(&rc->reloc_root_tree.lock);
44850 diff -urNp linux-2.6.39.3/fs/btrfs/zlib.c linux-2.6.39.3/fs/btrfs/zlib.c
44851 --- linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-19 00:06:34.000000000 -0400
44852 +++ linux-2.6.39.3/fs/btrfs/zlib.c 2011-05-22 19:36:32.000000000 -0400
44853 @@ -390,7 +390,7 @@ next:
44854 return ret;
44855 }
44856
44857 -struct btrfs_compress_op btrfs_zlib_compress = {
44858 +const struct btrfs_compress_op btrfs_zlib_compress = {
44859 .alloc_workspace = zlib_alloc_workspace,
44860 .free_workspace = zlib_free_workspace,
44861 .compress_pages = zlib_compress_pages,
44862 diff -urNp linux-2.6.39.3/fs/cachefiles/bind.c linux-2.6.39.3/fs/cachefiles/bind.c
44863 --- linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-19 00:06:34.000000000 -0400
44864 +++ linux-2.6.39.3/fs/cachefiles/bind.c 2011-05-22 19:36:32.000000000 -0400
44865 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
44866 args);
44867
44868 /* start by checking things over */
44869 - ASSERT(cache->fstop_percent >= 0 &&
44870 - cache->fstop_percent < cache->fcull_percent &&
44871 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
44872 cache->fcull_percent < cache->frun_percent &&
44873 cache->frun_percent < 100);
44874
44875 - ASSERT(cache->bstop_percent >= 0 &&
44876 - cache->bstop_percent < cache->bcull_percent &&
44877 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
44878 cache->bcull_percent < cache->brun_percent &&
44879 cache->brun_percent < 100);
44880
44881 diff -urNp linux-2.6.39.3/fs/cachefiles/daemon.c linux-2.6.39.3/fs/cachefiles/daemon.c
44882 --- linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-19 00:06:34.000000000 -0400
44883 +++ linux-2.6.39.3/fs/cachefiles/daemon.c 2011-05-22 19:36:32.000000000 -0400
44884 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
44885 if (n > buflen)
44886 return -EMSGSIZE;
44887
44888 - if (copy_to_user(_buffer, buffer, n) != 0)
44889 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
44890 return -EFAULT;
44891
44892 return n;
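Review bot: The added `n > sizeof(buffer)` guard reports `-EFAULT` although no user-memory fault has happened in that case; it means the formatted text did not fit the kernel buffer. A separate test before the copy, for example `if (n > sizeof(buffer)) return -EIO;`, would keep the error codes distinguishable from a real `copy_to_user()` failure. The declarations of `n` and `buffer` are outside the hunk. If `n` is a signed `int`, the comparison converts it to `size_t` and so also rejects negative values, which deserves a one-line comment.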
44893 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
44894 if (test_bit(CACHEFILES_DEAD, &cache->flags))
44895 return -EIO;
44896
44897 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
44898 + if (datalen > PAGE_SIZE - 1)
44899 return -EOPNOTSUPP;
44900
44901 /* drag the command string into the kernel so we can parse it */
44902 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
44903 if (args[0] != '%' || args[1] != '\0')
44904 return -EINVAL;
44905
44906 - if (fstop < 0 || fstop >= cache->fcull_percent)
44907 + if (fstop >= cache->fcull_percent)
44908 return cachefiles_daemon_range_error(cache, args);
44909
44910 cache->fstop_percent = fstop;
44911 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
44912 if (args[0] != '%' || args[1] != '\0')
44913 return -EINVAL;
44914
44915 - if (bstop < 0 || bstop >= cache->bcull_percent)
44916 + if (bstop >= cache->bcull_percent)
44917 return cachefiles_daemon_range_error(cache, args);
44918
44919 cache->bstop_percent = bstop;
44920 diff -urNp linux-2.6.39.3/fs/cachefiles/internal.h linux-2.6.39.3/fs/cachefiles/internal.h
44921 --- linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-19 00:06:34.000000000 -0400
44922 +++ linux-2.6.39.3/fs/cachefiles/internal.h 2011-05-22 19:36:32.000000000 -0400
44923 @@ -57,7 +57,7 @@ struct cachefiles_cache {
44924 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
44925 struct rb_root active_nodes; /* active nodes (can't be culled) */
44926 rwlock_t active_lock; /* lock for active_nodes */
44927 - atomic_t gravecounter; /* graveyard uniquifier */
44928 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
44929 unsigned frun_percent; /* when to stop culling (% files) */
44930 unsigned fcull_percent; /* when to start culling (% files) */
44931 unsigned fstop_percent; /* when to stop allocating (% files) */
44932 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
44933 * proc.c
44934 */
44935 #ifdef CONFIG_CACHEFILES_HISTOGRAM
44936 -extern atomic_t cachefiles_lookup_histogram[HZ];
44937 -extern atomic_t cachefiles_mkdir_histogram[HZ];
44938 -extern atomic_t cachefiles_create_histogram[HZ];
44939 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44940 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44941 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
44942
44943 extern int __init cachefiles_proc_init(void);
44944 extern void cachefiles_proc_cleanup(void);
44945 static inline
44946 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
44947 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
44948 {
44949 unsigned long jif = jiffies - start_jif;
44950 if (jif >= HZ)
44951 jif = HZ - 1;
44952 - atomic_inc(&histogram[jif]);
44953 + atomic_inc_unchecked(&histogram[jif]);
44954 }
44955
44956 #else
44957 diff -urNp linux-2.6.39.3/fs/cachefiles/namei.c linux-2.6.39.3/fs/cachefiles/namei.c
44958 --- linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-19 00:06:34.000000000 -0400
44959 +++ linux-2.6.39.3/fs/cachefiles/namei.c 2011-05-22 19:36:32.000000000 -0400
44960 @@ -318,7 +318,7 @@ try_again:
44961 /* first step is to make up a grave dentry in the graveyard */
44962 sprintf(nbuffer, "%08x%08x",
44963 (uint32_t) get_seconds(),
44964 - (uint32_t) atomic_inc_return(&cache->gravecounter));
44965 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
44966
44967 /* do the multiway lock magic */
44968 trap = lock_rename(cache->graveyard, dir);
44969 diff -urNp linux-2.6.39.3/fs/cachefiles/proc.c linux-2.6.39.3/fs/cachefiles/proc.c
44970 --- linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-19 00:06:34.000000000 -0400
44971 +++ linux-2.6.39.3/fs/cachefiles/proc.c 2011-05-22 19:36:32.000000000 -0400
44972 @@ -14,9 +14,9 @@
44973 #include <linux/seq_file.h>
44974 #include "internal.h"
44975
44976 -atomic_t cachefiles_lookup_histogram[HZ];
44977 -atomic_t cachefiles_mkdir_histogram[HZ];
44978 -atomic_t cachefiles_create_histogram[HZ];
44979 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
44980 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
44981 +atomic_unchecked_t cachefiles_create_histogram[HZ];
44982
44983 /*
44984 * display the latency histogram
44985 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
44986 return 0;
44987 default:
44988 index = (unsigned long) v - 3;
44989 - x = atomic_read(&cachefiles_lookup_histogram[index]);
44990 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
44991 - z = atomic_read(&cachefiles_create_histogram[index]);
44992 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
44993 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
44994 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
44995 if (x == 0 && y == 0 && z == 0)
44996 return 0;
44997
44998 diff -urNp linux-2.6.39.3/fs/cachefiles/rdwr.c linux-2.6.39.3/fs/cachefiles/rdwr.c
44999 --- linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-19 00:06:34.000000000 -0400
45000 +++ linux-2.6.39.3/fs/cachefiles/rdwr.c 2011-05-22 19:36:32.000000000 -0400
45001 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
45002 old_fs = get_fs();
45003 set_fs(KERNEL_DS);
45004 ret = file->f_op->write(
45005 - file, (const void __user *) data, len, &pos);
45006 + file, (__force const void __user *) data, len, &pos);
45007 set_fs(old_fs);
45008 kunmap(page);
45009 if (ret != len)
45010 diff -urNp linux-2.6.39.3/fs/ceph/addr.c linux-2.6.39.3/fs/ceph/addr.c
45011 --- linux-2.6.39.3/fs/ceph/addr.c 2011-05-19 00:06:34.000000000 -0400
45012 +++ linux-2.6.39.3/fs/ceph/addr.c 2011-05-22 19:36:32.000000000 -0400
45013 @@ -1164,7 +1164,7 @@ out:
45014 return ret;
45015 }
45016
45017 -static struct vm_operations_struct ceph_vmops = {
45018 +static const struct vm_operations_struct ceph_vmops = {
45019 .fault = filemap_fault,
45020 .page_mkwrite = ceph_page_mkwrite,
45021 };
45022 diff -urNp linux-2.6.39.3/fs/ceph/dir.c linux-2.6.39.3/fs/ceph/dir.c
45023 --- linux-2.6.39.3/fs/ceph/dir.c 2011-05-19 00:06:34.000000000 -0400
45024 +++ linux-2.6.39.3/fs/ceph/dir.c 2011-05-22 19:36:32.000000000 -0400
45025 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
45026 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
45027 struct ceph_mds_client *mdsc = fsc->mdsc;
45028 unsigned frag = fpos_frag(filp->f_pos);
45029 - int off = fpos_off(filp->f_pos);
45030 + unsigned int off = fpos_off(filp->f_pos);
45031 int err;
45032 u32 ftype;
45033 struct ceph_mds_reply_info_parsed *rinfo;
45034 @@ -360,7 +360,7 @@ more:
45035 rinfo = &fi->last_readdir->r_reply_info;
45036 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
45037 rinfo->dir_nr, off, fi->offset);
45038 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
45039 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
45040 u64 pos = ceph_make_fpos(frag, off);
45041 struct ceph_mds_reply_inode *in =
45042 rinfo->dir_in[off - fi->offset].in;
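Review bot: `off` becomes `unsigned int` in the first hunk of this file, but the `dout()` call in this hunk still prints it with `%d`; the format should read `"readdir frag %x num %d off %u chunkoff %d\n"`. The rewritten condition `off >= fi->offset` also compares the unsigned `off` with `fi->offset`, whose type is not visible here. If that field is signed, a negative value is converted to a large unsigned number and the loop is skipped silently, so an explicit cast or a comment stating the expected range would make the intent clear. ceph_readdir's body continues outside the hunk.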
45043 diff -urNp linux-2.6.39.3/fs/cifs/cifs_debug.c linux-2.6.39.3/fs/cifs/cifs_debug.c
45044 --- linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-19 00:06:34.000000000 -0400
45045 +++ linux-2.6.39.3/fs/cifs/cifs_debug.c 2011-05-22 19:36:32.000000000 -0400
45046 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
45047 tcon = list_entry(tmp3,
45048 struct cifsTconInfo,
45049 tcon_list);
45050 - atomic_set(&tcon->num_smbs_sent, 0);
45051 - atomic_set(&tcon->num_writes, 0);
45052 - atomic_set(&tcon->num_reads, 0);
45053 - atomic_set(&tcon->num_oplock_brks, 0);
45054 - atomic_set(&tcon->num_opens, 0);
45055 - atomic_set(&tcon->num_posixopens, 0);
45056 - atomic_set(&tcon->num_posixmkdirs, 0);
45057 - atomic_set(&tcon->num_closes, 0);
45058 - atomic_set(&tcon->num_deletes, 0);
45059 - atomic_set(&tcon->num_mkdirs, 0);
45060 - atomic_set(&tcon->num_rmdirs, 0);
45061 - atomic_set(&tcon->num_renames, 0);
45062 - atomic_set(&tcon->num_t2renames, 0);
45063 - atomic_set(&tcon->num_ffirst, 0);
45064 - atomic_set(&tcon->num_fnext, 0);
45065 - atomic_set(&tcon->num_fclose, 0);
45066 - atomic_set(&tcon->num_hardlinks, 0);
45067 - atomic_set(&tcon->num_symlinks, 0);
45068 - atomic_set(&tcon->num_locks, 0);
45069 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
45070 + atomic_set_unchecked(&tcon->num_writes, 0);
45071 + atomic_set_unchecked(&tcon->num_reads, 0);
45072 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
45073 + atomic_set_unchecked(&tcon->num_opens, 0);
45074 + atomic_set_unchecked(&tcon->num_posixopens, 0);
45075 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
45076 + atomic_set_unchecked(&tcon->num_closes, 0);
45077 + atomic_set_unchecked(&tcon->num_deletes, 0);
45078 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
45079 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
45080 + atomic_set_unchecked(&tcon->num_renames, 0);
45081 + atomic_set_unchecked(&tcon->num_t2renames, 0);
45082 + atomic_set_unchecked(&tcon->num_ffirst, 0);
45083 + atomic_set_unchecked(&tcon->num_fnext, 0);
45084 + atomic_set_unchecked(&tcon->num_fclose, 0);
45085 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
45086 + atomic_set_unchecked(&tcon->num_symlinks, 0);
45087 + atomic_set_unchecked(&tcon->num_locks, 0);
45088 }
45089 }
45090 }
45091 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
45092 if (tcon->need_reconnect)
45093 seq_puts(m, "\tDISCONNECTED ");
45094 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
45095 - atomic_read(&tcon->num_smbs_sent),
45096 - atomic_read(&tcon->num_oplock_brks));
45097 + atomic_read_unchecked(&tcon->num_smbs_sent),
45098 + atomic_read_unchecked(&tcon->num_oplock_brks));
45099 seq_printf(m, "\nReads: %d Bytes: %lld",
45100 - atomic_read(&tcon->num_reads),
45101 + atomic_read_unchecked(&tcon->num_reads),
45102 (long long)(tcon->bytes_read));
45103 seq_printf(m, "\nWrites: %d Bytes: %lld",
45104 - atomic_read(&tcon->num_writes),
45105 + atomic_read_unchecked(&tcon->num_writes),
45106 (long long)(tcon->bytes_written));
45107 seq_printf(m, "\nFlushes: %d",
45108 - atomic_read(&tcon->num_flushes));
45109 + atomic_read_unchecked(&tcon->num_flushes));
45110 seq_printf(m, "\nLocks: %d HardLinks: %d "
45111 "Symlinks: %d",
45112 - atomic_read(&tcon->num_locks),
45113 - atomic_read(&tcon->num_hardlinks),
45114 - atomic_read(&tcon->num_symlinks));
45115 + atomic_read_unchecked(&tcon->num_locks),
45116 + atomic_read_unchecked(&tcon->num_hardlinks),
45117 + atomic_read_unchecked(&tcon->num_symlinks));
45118 seq_printf(m, "\nOpens: %d Closes: %d "
45119 "Deletes: %d",
45120 - atomic_read(&tcon->num_opens),
45121 - atomic_read(&tcon->num_closes),
45122 - atomic_read(&tcon->num_deletes));
45123 + atomic_read_unchecked(&tcon->num_opens),
45124 + atomic_read_unchecked(&tcon->num_closes),
45125 + atomic_read_unchecked(&tcon->num_deletes));
45126 seq_printf(m, "\nPosix Opens: %d "
45127 "Posix Mkdirs: %d",
45128 - atomic_read(&tcon->num_posixopens),
45129 - atomic_read(&tcon->num_posixmkdirs));
45130 + atomic_read_unchecked(&tcon->num_posixopens),
45131 + atomic_read_unchecked(&tcon->num_posixmkdirs));
45132 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
45133 - atomic_read(&tcon->num_mkdirs),
45134 - atomic_read(&tcon->num_rmdirs));
45135 + atomic_read_unchecked(&tcon->num_mkdirs),
45136 + atomic_read_unchecked(&tcon->num_rmdirs));
45137 seq_printf(m, "\nRenames: %d T2 Renames %d",
45138 - atomic_read(&tcon->num_renames),
45139 - atomic_read(&tcon->num_t2renames));
45140 + atomic_read_unchecked(&tcon->num_renames),
45141 + atomic_read_unchecked(&tcon->num_t2renames));
45142 seq_printf(m, "\nFindFirst: %d FNext %d "
45143 "FClose %d",
45144 - atomic_read(&tcon->num_ffirst),
45145 - atomic_read(&tcon->num_fnext),
45146 - atomic_read(&tcon->num_fclose));
45147 + atomic_read_unchecked(&tcon->num_ffirst),
45148 + atomic_read_unchecked(&tcon->num_fnext),
45149 + atomic_read_unchecked(&tcon->num_fclose));
45150 }
45151 }
45152 }
45153 diff -urNp linux-2.6.39.3/fs/cifs/cifsglob.h linux-2.6.39.3/fs/cifs/cifsglob.h
45154 --- linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-19 00:06:34.000000000 -0400
45155 +++ linux-2.6.39.3/fs/cifs/cifsglob.h 2011-05-22 19:36:32.000000000 -0400
45156 @@ -305,28 +305,28 @@ struct cifsTconInfo {
45157 __u16 Flags; /* optional support bits */
45158 enum statusEnum tidStatus;
45159 #ifdef CONFIG_CIFS_STATS
45160 - atomic_t num_smbs_sent;
45161 - atomic_t num_writes;
45162 - atomic_t num_reads;
45163 - atomic_t num_flushes;
45164 - atomic_t num_oplock_brks;
45165 - atomic_t num_opens;
45166 - atomic_t num_closes;
45167 - atomic_t num_deletes;
45168 - atomic_t num_mkdirs;
45169 - atomic_t num_posixopens;
45170 - atomic_t num_posixmkdirs;
45171 - atomic_t num_rmdirs;
45172 - atomic_t num_renames;
45173 - atomic_t num_t2renames;
45174 - atomic_t num_ffirst;
45175 - atomic_t num_fnext;
45176 - atomic_t num_fclose;
45177 - atomic_t num_hardlinks;
45178 - atomic_t num_symlinks;
45179 - atomic_t num_locks;
45180 - atomic_t num_acl_get;
45181 - atomic_t num_acl_set;
45182 + atomic_unchecked_t num_smbs_sent;
45183 + atomic_unchecked_t num_writes;
45184 + atomic_unchecked_t num_reads;
45185 + atomic_unchecked_t num_flushes;
45186 + atomic_unchecked_t num_oplock_brks;
45187 + atomic_unchecked_t num_opens;
45188 + atomic_unchecked_t num_closes;
45189 + atomic_unchecked_t num_deletes;
45190 + atomic_unchecked_t num_mkdirs;
45191 + atomic_unchecked_t num_posixopens;
45192 + atomic_unchecked_t num_posixmkdirs;
45193 + atomic_unchecked_t num_rmdirs;
45194 + atomic_unchecked_t num_renames;
45195 + atomic_unchecked_t num_t2renames;
45196 + atomic_unchecked_t num_ffirst;
45197 + atomic_unchecked_t num_fnext;
45198 + atomic_unchecked_t num_fclose;
45199 + atomic_unchecked_t num_hardlinks;
45200 + atomic_unchecked_t num_symlinks;
45201 + atomic_unchecked_t num_locks;
45202 + atomic_unchecked_t num_acl_get;
45203 + atomic_unchecked_t num_acl_set;
45204 #ifdef CONFIG_CIFS_STATS2
45205 unsigned long long time_writes;
45206 unsigned long long time_reads;
45207 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
45208 }
45209
45210 #ifdef CONFIG_CIFS_STATS
45211 -#define cifs_stats_inc atomic_inc
45212 +#define cifs_stats_inc atomic_inc_unchecked
45213
45214 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45215 unsigned int bytes)
45216 diff -urNp linux-2.6.39.3/fs/cifs/link.c linux-2.6.39.3/fs/cifs/link.c
45217 --- linux-2.6.39.3/fs/cifs/link.c 2011-05-19 00:06:34.000000000 -0400
45218 +++ linux-2.6.39.3/fs/cifs/link.c 2011-05-22 19:36:32.000000000 -0400
45219 @@ -577,7 +577,7 @@ symlink_exit:
45220
45221 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45222 {
45223 - char *p = nd_get_link(nd);
45224 + const char *p = nd_get_link(nd);
45225 if (!IS_ERR(p))
45226 kfree(p);
45227 }
45228 diff -urNp linux-2.6.39.3/fs/coda/cache.c linux-2.6.39.3/fs/coda/cache.c
45229 --- linux-2.6.39.3/fs/coda/cache.c 2011-05-19 00:06:34.000000000 -0400
45230 +++ linux-2.6.39.3/fs/coda/cache.c 2011-05-22 19:36:32.000000000 -0400
45231 @@ -24,7 +24,7 @@
45232 #include "coda_linux.h"
45233 #include "coda_cache.h"
45234
45235 -static atomic_t permission_epoch = ATOMIC_INIT(0);
45236 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45237
45238 /* replace or extend an acl cache hit */
45239 void coda_cache_enter(struct inode *inode, int mask)
45240 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
45241 struct coda_inode_info *cii = ITOC(inode);
45242
45243 spin_lock(&cii->c_lock);
45244 - cii->c_cached_epoch = atomic_read(&permission_epoch);
45245 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45246 if (cii->c_uid != current_fsuid()) {
45247 cii->c_uid = current_fsuid();
45248 cii->c_cached_perm = mask;
45249 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
45250 {
45251 struct coda_inode_info *cii = ITOC(inode);
45252 spin_lock(&cii->c_lock);
45253 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45254 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45255 spin_unlock(&cii->c_lock);
45256 }
45257
45258 /* remove all acl caches */
45259 void coda_cache_clear_all(struct super_block *sb)
45260 {
45261 - atomic_inc(&permission_epoch);
45262 + atomic_inc_unchecked(&permission_epoch);
45263 }
45264
45265
45266 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
45267 spin_lock(&cii->c_lock);
45268 hit = (mask & cii->c_cached_perm) == mask &&
45269 cii->c_uid == current_fsuid() &&
45270 - cii->c_cached_epoch == atomic_read(&permission_epoch);
45271 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45272 spin_unlock(&cii->c_lock);
45273
45274 return hit;
45275 diff -urNp linux-2.6.39.3/fs/compat_binfmt_elf.c linux-2.6.39.3/fs/compat_binfmt_elf.c
45276 --- linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-19 00:06:34.000000000 -0400
45277 +++ linux-2.6.39.3/fs/compat_binfmt_elf.c 2011-05-22 19:36:32.000000000 -0400
45278 @@ -30,11 +30,13 @@
45279 #undef elf_phdr
45280 #undef elf_shdr
45281 #undef elf_note
45282 +#undef elf_dyn
45283 #undef elf_addr_t
45284 #define elfhdr elf32_hdr
45285 #define elf_phdr elf32_phdr
45286 #define elf_shdr elf32_shdr
45287 #define elf_note elf32_note
45288 +#define elf_dyn Elf32_Dyn
45289 #define elf_addr_t Elf32_Addr
45290
45291 /*
45292 diff -urNp linux-2.6.39.3/fs/compat.c linux-2.6.39.3/fs/compat.c
45293 --- linux-2.6.39.3/fs/compat.c 2011-05-19 00:06:34.000000000 -0400
45294 +++ linux-2.6.39.3/fs/compat.c 2011-05-22 19:41:37.000000000 -0400
45295 @@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
45296 goto out;
45297
45298 ret = -EINVAL;
45299 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
45300 + if (nr_segs > UIO_MAXIOV)
45301 goto out;
45302 if (nr_segs > fast_segs) {
45303 ret = -ENOMEM;
45304 @@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
45305
45306 struct compat_readdir_callback {
45307 struct compat_old_linux_dirent __user *dirent;
45308 + struct file * file;
45309 int result;
45310 };
45311
45312 @@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
45313 buf->result = -EOVERFLOW;
45314 return -EOVERFLOW;
45315 }
45316 +
45317 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45318 + return 0;
45319 +
45320 buf->result++;
45321 dirent = buf->dirent;
45322 if (!access_ok(VERIFY_WRITE, dirent,
45323 @@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
45324
45325 buf.result = 0;
45326 buf.dirent = dirent;
45327 + buf.file = file;
45328
45329 error = vfs_readdir(file, compat_fillonedir, &buf);
45330 if (buf.result)
45331 @@ -917,6 +923,7 @@ struct compat_linux_dirent {
45332 struct compat_getdents_callback {
45333 struct compat_linux_dirent __user *current_dir;
45334 struct compat_linux_dirent __user *previous;
45335 + struct file * file;
45336 int count;
45337 int error;
45338 };
45339 @@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
45340 buf->error = -EOVERFLOW;
45341 return -EOVERFLOW;
45342 }
45343 +
45344 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45345 + return 0;
45346 +
45347 dirent = buf->previous;
45348 if (dirent) {
45349 if (__put_user(offset, &dirent->d_off))
45350 @@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
45351 buf.previous = NULL;
45352 buf.count = count;
45353 buf.error = 0;
45354 + buf.file = file;
45355
45356 error = vfs_readdir(file, compat_filldir, &buf);
45357 if (error >= 0)
45358 @@ -1006,6 +1018,7 @@ out:
45359 struct compat_getdents_callback64 {
45360 struct linux_dirent64 __user *current_dir;
45361 struct linux_dirent64 __user *previous;
45362 + struct file * file;
45363 int count;
45364 int error;
45365 };
45366 @@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
45367 buf->error = -EINVAL; /* only used if we fail.. */
45368 if (reclen > buf->count)
45369 return -EINVAL;
45370 +
45371 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45372 + return 0;
45373 +
45374 dirent = buf->previous;
45375
45376 if (dirent) {
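Review bot: The new early `return 0` for a filtered entry leaves `buf->error` at the `-EINVAL` assigned two lines above it, whose comment says the value is only used on failure. If the caller falls back to `buf.error` when no entry was written (the code after `vfs_readdir()` is cut off in the next hunk), a call in which every entry is filtered could return `-EINVAL` instead of 0. Moving the `gr_acl_handle_filldir()` check above `buf->error = -EINVAL;`, or setting `buf->error = 0;` before the early return, avoids that. The `compat_filldir` hunk above may have the same issue, but its `buf->error` assignment is not visible there.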
45377 @@ -1073,6 +1090,7 @@ asmlinkage long compat_sys_getdents64(un
45378 buf.previous = NULL;
45379 buf.count = count;
45380 buf.error = 0;
45381 + buf.file = file;
45382
45383 error = vfs_readdir(file, compat_filldir64, &buf);
45384 if (error >= 0)
45385 @@ -1436,6 +1454,11 @@ int compat_do_execve(char * filename,
45386 compat_uptr_t __user *envp,
45387 struct pt_regs * regs)
45388 {
45389 +#ifdef CONFIG_GRKERNSEC
45390 + struct file *old_exec_file;
45391 + struct acl_subject_label *old_acl;
45392 + struct rlimit old_rlim[RLIM_NLIMITS];
45393 +#endif
45394 struct linux_binprm *bprm;
45395 struct file *file;
45396 struct files_struct *displaced;
45397 @@ -1472,6 +1495,19 @@ int compat_do_execve(char * filename,
45398 bprm->filename = filename;
45399 bprm->interp = filename;
45400
45401 + if (gr_process_user_ban()) {
45402 + retval = -EPERM;
45403 + goto out_file;
45404 + }
45405 +
45406 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45407 + retval = -EAGAIN;
45408 + if (gr_handle_nproc())
45409 + goto out_file;
45410 + retval = -EACCES;
45411 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45412 + goto out_file;
45413 +
45414 retval = bprm_mm_init(bprm);
45415 if (retval)
45416 goto out_file;
45417 @@ -1501,9 +1537,40 @@ int compat_do_execve(char * filename,
45418 if (retval < 0)
45419 goto out;
45420
45421 + if (!gr_tpe_allow(file)) {
45422 + retval = -EACCES;
45423 + goto out;
45424 + }
45425 +
45426 + if (gr_check_crash_exec(file)) {
45427 + retval = -EACCES;
45428 + goto out;
45429 + }
45430 +
45431 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45432 +
45433 + gr_handle_exec_args_compat(bprm, argv);
45434 +
45435 +#ifdef CONFIG_GRKERNSEC
45436 + old_acl = current->acl;
45437 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45438 + old_exec_file = current->exec_file;
45439 + get_file(file);
45440 + current->exec_file = file;
45441 +#endif
45442 +
45443 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45444 + bprm->unsafe & LSM_UNSAFE_SHARE);
45445 + if (retval < 0)
45446 + goto out_fail;
45447 +
45448 retval = search_binary_handler(bprm, regs);
45449 if (retval < 0)
45450 - goto out;
45451 + goto out_fail;
45452 +#ifdef CONFIG_GRKERNSEC
45453 + if (old_exec_file)
45454 + fput(old_exec_file);
45455 +#endif
45456
45457 /* execve succeeded */
45458 current->fs->in_exec = 0;
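Review bot: The state saved under `CONFIG_GRKERNSEC` (`old_acl`, `old_rlim`, `old_exec_file`) is restored only at the `out_fail` label added in a later hunk, and the reference taken by `get_file(file)` is dropped in two different places; none of this is commented. A short comment above the save block would help, for example `/* saved so out_fail can undo gr_set_proc_label(); the get_file() ref is dropped via old_exec_file on success, via current->exec_file on failure */`. The two earlier exits for `gr_tpe_allow()` and `gr_check_crash_exec()` correctly use `out` because nothing has been saved yet. That ordering is easy to break in a later edit and is worth stating in the same comment. compat_do_execve starts and ends outside the hunk.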
45459 @@ -1514,6 +1581,14 @@ int compat_do_execve(char * filename,
45460 put_files_struct(displaced);
45461 return retval;
45462
45463 +out_fail:
45464 +#ifdef CONFIG_GRKERNSEC
45465 + current->acl = old_acl;
45466 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45467 + fput(current->exec_file);
45468 + current->exec_file = old_exec_file;
45469 +#endif
45470 +
45471 out:
45472 if (bprm->mm) {
45473 acct_arg_size(bprm, 0);
45474 @@ -1681,6 +1756,8 @@ int compat_core_sys_select(int n, compat
45475 struct fdtable *fdt;
45476 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45477
45478 + pax_track_stack();
45479 +
45480 if (n < 0)
45481 goto out_nofds;
45482
45483 diff -urNp linux-2.6.39.3/fs/compat_ioctl.c linux-2.6.39.3/fs/compat_ioctl.c
45484 --- linux-2.6.39.3/fs/compat_ioctl.c 2011-05-19 00:06:34.000000000 -0400
45485 +++ linux-2.6.39.3/fs/compat_ioctl.c 2011-05-22 19:36:32.000000000 -0400
45486 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
45487
45488 err = get_user(palp, &up->palette);
45489 err |= get_user(length, &up->length);
45490 + if (err)
45491 + return -EFAULT;
45492
45493 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45494 err = put_user(compat_ptr(palp), &up_native->palette);
45495 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
45496 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
45497 {
45498 unsigned int a, b;
45499 - a = *(unsigned int *)p;
45500 - b = *(unsigned int *)q;
45501 + a = *(const unsigned int *)p;
45502 + b = *(const unsigned int *)q;
45503 if (a > b)
45504 return 1;
45505 if (a < b)
45506 diff -urNp linux-2.6.39.3/fs/configfs/dir.c linux-2.6.39.3/fs/configfs/dir.c
45507 --- linux-2.6.39.3/fs/configfs/dir.c 2011-05-19 00:06:34.000000000 -0400
45508 +++ linux-2.6.39.3/fs/configfs/dir.c 2011-05-22 19:36:32.000000000 -0400
45509 @@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
45510 }
45511 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45512 struct configfs_dirent *next;
45513 - const char * name;
45514 + const unsigned char * name;
45515 + char d_name[sizeof(next->s_dentry->d_iname)];
45516 int len;
45517 struct inode *inode = NULL;
45518
45519 @@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
45520 continue;
45521
45522 name = configfs_get_name(next);
45523 - len = strlen(name);
45524 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45525 + len = next->s_dentry->d_name.len;
45526 + memcpy(d_name, name, len);
45527 + name = d_name;
45528 + } else
45529 + len = strlen(name);
45530
45531 /*
45532 * We'll have a dentry and an inode for
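Review bot: The `memcpy(d_name, name, len)` in the inline-name branch takes `len` straight from `next->s_dentry->d_name.len` and never compares it with `sizeof(d_name)`. The copy presumably exists because the dentry name can change underneath the reader; if so, a length read after the `name == next->s_dentry->d_iname` test may belong to a longer, out-of-line name and overrun the stack buffer. Clamp it first, e.g. `len = min_t(unsigned int, next->s_dentry->d_name.len, sizeof(d_name));`. The `else` arm should also get braces to match the braced `if`, per kernel style. `d_name` is declared in the previous hunk and the loop body continues outside this one.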
45533 diff -urNp linux-2.6.39.3/fs/configfs/file.c linux-2.6.39.3/fs/configfs/file.c
45534 --- linux-2.6.39.3/fs/configfs/file.c 2011-05-19 00:06:34.000000000 -0400
45535 +++ linux-2.6.39.3/fs/configfs/file.c 2011-05-22 19:36:32.000000000 -0400
45536 @@ -215,7 +215,7 @@ static int check_perm(struct inode * ino
45537 struct config_item *item = configfs_get_config_item(file->f_path.dentry->d_parent);
45538 struct configfs_attribute * attr = to_attr(file->f_path.dentry);
45539 struct configfs_buffer * buffer;
45540 - struct configfs_item_operations * ops = NULL;
45541 + struct configfs_item_operations *ops = NULL;
45542 int error = 0;
45543
45544 if (!item || !attr)
45545 diff -urNp linux-2.6.39.3/fs/configfs/item.c linux-2.6.39.3/fs/configfs/item.c
45546 --- linux-2.6.39.3/fs/configfs/item.c 2011-05-19 00:06:34.000000000 -0400
45547 +++ linux-2.6.39.3/fs/configfs/item.c 2011-05-22 19:36:32.000000000 -0400
45548 @@ -123,7 +123,7 @@ void config_item_init_type_name(struct c
45549 EXPORT_SYMBOL(config_item_init_type_name);
45550
45551 void config_group_init_type_name(struct config_group *group, const char *name,
45552 - struct config_item_type *type)
45553 + struct config_item_type *type)
45554 {
45555 config_item_set_name(&group->cg_item, name);
45556 group->cg_item.ci_type = type;
45557 diff -urNp linux-2.6.39.3/fs/dcache.c linux-2.6.39.3/fs/dcache.c
45558 --- linux-2.6.39.3/fs/dcache.c 2011-05-19 00:06:34.000000000 -0400
45559 +++ linux-2.6.39.3/fs/dcache.c 2011-05-22 19:36:32.000000000 -0400
45560 @@ -3069,7 +3069,7 @@ void __init vfs_caches_init(unsigned lon
45561 mempages -= reserve;
45562
45563 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45564 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45565 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45566
45567 dcache_init();
45568 inode_init();
45569 diff -urNp linux-2.6.39.3/fs/dlm/lockspace.c linux-2.6.39.3/fs/dlm/lockspace.c
45570 --- linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-19 00:06:34.000000000 -0400
45571 +++ linux-2.6.39.3/fs/dlm/lockspace.c 2011-05-22 19:36:32.000000000 -0400
45572 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
45573 return 0;
45574 }
45575
45576 -static struct kset_uevent_ops dlm_uevent_ops = {
45577 +static const struct kset_uevent_ops dlm_uevent_ops = {
45578 .uevent = dlm_uevent,
45579 };
45580
45581 diff -urNp linux-2.6.39.3/fs/ecryptfs/inode.c linux-2.6.39.3/fs/ecryptfs/inode.c
45582 --- linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:04:14.000000000 -0400
45583 +++ linux-2.6.39.3/fs/ecryptfs/inode.c 2011-06-03 00:32:07.000000000 -0400
45584 @@ -623,7 +623,7 @@ static int ecryptfs_readlink_lower(struc
45585 old_fs = get_fs();
45586 set_fs(get_ds());
45587 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45588 - (char __user *)lower_buf,
45589 + (__force char __user *)lower_buf,
45590 lower_bufsiz);
45591 set_fs(old_fs);
45592 if (rc < 0)
45593 @@ -669,7 +669,7 @@ static void *ecryptfs_follow_link(struct
45594 }
45595 old_fs = get_fs();
45596 set_fs(get_ds());
45597 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45598 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45599 set_fs(old_fs);
45600 if (rc < 0) {
45601 kfree(buf);
45602 @@ -684,7 +684,7 @@ out:
45603 static void
45604 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
45605 {
45606 - char *buf = nd_get_link(nd);
45607 + const char *buf = nd_get_link(nd);
45608 if (!IS_ERR(buf)) {
45609 /* Free the char* */
45610 kfree(buf);
45611 diff -urNp linux-2.6.39.3/fs/ecryptfs/miscdev.c linux-2.6.39.3/fs/ecryptfs/miscdev.c
45612 --- linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-19 00:06:34.000000000 -0400
45613 +++ linux-2.6.39.3/fs/ecryptfs/miscdev.c 2011-05-22 19:36:32.000000000 -0400
45614 @@ -328,7 +328,7 @@ check_list:
45615 goto out_unlock_msg_ctx;
45616 i = 5;
45617 if (msg_ctx->msg) {
45618 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
45619 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
45620 goto out_unlock_msg_ctx;
45621 i += packet_length_size;
45622 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
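Review bot: The new bound `packet_length_size > sizeof(packet_length)` is folded into the same condition as `copy_to_user()`, which gives an over-long line and makes a failed sanity check indistinguishable from a faulting copy. A separate `if (packet_length_size > sizeof(packet_length))` with its own `goto out_unlock_msg_ctx;` ahead of the unchanged copy reads better and leaves room for a comment on why the size can be wrong. The value of `rc` on that path is assigned outside this hunk, so confirm it reports an error rather than a short read.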
45623 diff -urNp linux-2.6.39.3/fs/exec.c linux-2.6.39.3/fs/exec.c
45624 --- linux-2.6.39.3/fs/exec.c 2011-06-25 12:55:23.000000000 -0400
45625 +++ linux-2.6.39.3/fs/exec.c 2011-07-06 20:00:13.000000000 -0400
45626 @@ -55,12 +55,24 @@
45627 #include <linux/fs_struct.h>
45628 #include <linux/pipe_fs_i.h>
45629 #include <linux/oom.h>
45630 +#include <linux/random.h>
45631 +#include <linux/seq_file.h>
45632 +
45633 +#ifdef CONFIG_PAX_REFCOUNT
45634 +#include <linux/kallsyms.h>
45635 +#include <linux/kdebug.h>
45636 +#endif
45637
45638 #include <asm/uaccess.h>
45639 #include <asm/mmu_context.h>
45640 #include <asm/tlb.h>
45641 #include "internal.h"
45642
45643 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45644 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45645 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45646 +#endif
45647 +
45648 int core_uses_pid;
45649 char core_pattern[CORENAME_MAX_SIZE] = "core";
45650 unsigned int core_pipe_limit;
45651 @@ -70,7 +82,7 @@ struct core_name {
45652 char *corename;
45653 int used, size;
45654 };
45655 -static atomic_t call_count = ATOMIC_INIT(1);
45656 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
45657
45658 /* The maximal length of core_pattern is also specified in sysctl.c */
45659
45660 @@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
45661 char *tmp = getname(library);
45662 int error = PTR_ERR(tmp);
45663 static const struct open_flags uselib_flags = {
45664 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45665 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45666 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
45667 .intent = LOOKUP_OPEN
45668 };
45669 @@ -190,18 +202,10 @@ struct page *get_arg_page(struct linux_b
45670 int write)
45671 {
45672 struct page *page;
45673 - int ret;
45674
45675 -#ifdef CONFIG_STACK_GROWSUP
45676 - if (write) {
45677 - ret = expand_stack_downwards(bprm->vma, pos);
45678 - if (ret < 0)
45679 - return NULL;
45680 - }
45681 -#endif
45682 - ret = get_user_pages(current, bprm->mm, pos,
45683 - 1, write, 1, &page, NULL);
45684 - if (ret <= 0)
45685 + if (0 > expand_stack_downwards(bprm->vma, pos))
45686 + return NULL;
45687 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
45688 return NULL;
45689
45690 if (write) {
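Review bot: `expand_stack_downwards()` is now called on every `get_arg_page()` call, including reads (`write == 0`) and builds without `CONFIG_STACK_GROWSUP`, where the old code never called it, and nothing in the hunk says why. A short comment above the call would help, e.g. `/* always grow the temporary stack vma to cover pos before pinning the page */` (wording to be confirmed against the intent). The constant-first comparisons `0 > expand_stack_downwards(...)` and `0 >= get_user_pages(...)` also go against kernel style; keeping `ret` and testing `if (ret < 0)` / `if (ret <= 0)` is easier to read. The function starts and ends outside this hunk.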
45691 @@ -276,6 +280,11 @@ static int __bprm_mm_init(struct linux_b
45692 vma->vm_end = STACK_TOP_MAX;
45693 vma->vm_start = vma->vm_end - PAGE_SIZE;
45694 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
45695 +
45696 +#ifdef CONFIG_PAX_SEGMEXEC
45697 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
45698 +#endif
45699 +
45700 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45701 INIT_LIST_HEAD(&vma->anon_vma_chain);
45702
45703 @@ -290,6 +299,12 @@ static int __bprm_mm_init(struct linux_b
45704 mm->stack_vm = mm->total_vm = 1;
45705 up_write(&mm->mmap_sem);
45706 bprm->p = vma->vm_end - sizeof(void *);
45707 +
45708 +#ifdef CONFIG_PAX_RANDUSTACK
45709 + if (randomize_va_space)
45710 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
45711 +#endif
45712 +
45713 return 0;
45714 err:
45715 up_write(&mm->mmap_sem);
45716 @@ -525,7 +540,7 @@ int copy_strings_kernel(int argc, const
45717 int r;
45718 mm_segment_t oldfs = get_fs();
45719 set_fs(KERNEL_DS);
45720 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
45721 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
45722 set_fs(oldfs);
45723 return r;
45724 }
45725 @@ -555,7 +570,8 @@ static int shift_arg_pages(struct vm_are
45726 unsigned long new_end = old_end - shift;
45727 struct mmu_gather *tlb;
45728
45729 - BUG_ON(new_start > new_end);
45730 + if (new_start >= new_end || new_start < mmap_min_addr)
45731 + return -ENOMEM;
45732
45733 /*
45734 * ensure there are no vmas between where we want to go
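Review bot: The `new_start < mmap_min_addr` test added here appears to become the only low-address guard for the relocated argument stack, because a later hunk removes the `stack_top < mmap_min_addr` check from `setup_arg_pages`. It is also only reached when `stack_shift` is non-zero, since `shift_arg_pages()` is called under `if (stack_shift)`. That dependency deserves a comment at the test, e.g. `/* sole mmap_min_addr check for the arg stack; setup_arg_pages() relies on it */`. The failure is now reported after `setup_arg_pages` has already adjusted `bprm->p` and `bprm->exec`, so callers must discard the bprm on error; whether they all do is outside this hunk.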
45735 @@ -564,6 +580,10 @@ static int shift_arg_pages(struct vm_are
45736 if (vma != find_vma(mm, new_start))
45737 return -EFAULT;
45738
45739 +#ifdef CONFIG_PAX_SEGMEXEC
45740 + BUG_ON(pax_find_mirror_vma(vma));
45741 +#endif
45742 +
45743 /*
45744 * cover the whole range: [new_start, old_end)
45745 */
45746 @@ -644,10 +664,6 @@ int setup_arg_pages(struct linux_binprm
45747 stack_top = arch_align_stack(stack_top);
45748 stack_top = PAGE_ALIGN(stack_top);
45749
45750 - if (unlikely(stack_top < mmap_min_addr) ||
45751 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
45752 - return -ENOMEM;
45753 -
45754 stack_shift = vma->vm_end - stack_top;
45755
45756 bprm->p -= stack_shift;
45757 @@ -659,8 +675,28 @@ int setup_arg_pages(struct linux_binprm
45758 bprm->exec -= stack_shift;
45759
45760 down_write(&mm->mmap_sem);
45761 +
45762 + /* Move stack pages down in memory. */
45763 + if (stack_shift) {
45764 + ret = shift_arg_pages(vma, stack_shift);
45765 + if (ret)
45766 + goto out_unlock;
45767 + }
45768 +
45769 vm_flags = VM_STACK_FLAGS;
45770
45771 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45772 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
45773 + vm_flags &= ~VM_EXEC;
45774 +
45775 +#ifdef CONFIG_PAX_MPROTECT
45776 + if (mm->pax_flags & MF_PAX_MPROTECT)
45777 + vm_flags &= ~VM_MAYEXEC;
45778 +#endif
45779 +
45780 + }
45781 +#endif
45782 +
45783 /*
45784 * Adjust stack execute permissions; explicitly enable for
45785 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
45786 @@ -679,13 +715,6 @@ int setup_arg_pages(struct linux_binprm
45787 goto out_unlock;
45788 BUG_ON(prev != vma);
45789
45790 - /* Move stack pages down in memory. */
45791 - if (stack_shift) {
45792 - ret = shift_arg_pages(vma, stack_shift);
45793 - if (ret)
45794 - goto out_unlock;
45795 - }
45796 -
45797 /* mprotect_fixup is overkill to remove the temporary stack flags */
45798 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
45799
45800 @@ -725,7 +754,7 @@ struct file *open_exec(const char *name)
45801 struct file *file;
45802 int err;
45803 static const struct open_flags open_exec_flags = {
45804 - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
45805 + .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
45806 .acc_mode = MAY_EXEC | MAY_OPEN,
45807 .intent = LOOKUP_OPEN
45808 };
45809 @@ -766,7 +795,7 @@ int kernel_read(struct file *file, loff_
45810 old_fs = get_fs();
45811 set_fs(get_ds());
45812 /* The cast to a user pointer is valid due to the set_fs() */
45813 - result = vfs_read(file, (void __user *)addr, count, &pos);
45814 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
45815 set_fs(old_fs);
45816 return result;
45817 }
45818 @@ -1189,7 +1218,7 @@ int check_unsafe_exec(struct linux_binpr
45819 }
45820 rcu_read_unlock();
45821
45822 - if (p->fs->users > n_fs) {
45823 + if (atomic_read(&p->fs->users) > n_fs) {
45824 bprm->unsafe |= LSM_UNSAFE_SHARE;
45825 } else {
45826 res = -EAGAIN;
45827 @@ -1381,6 +1410,11 @@ int do_execve(const char * filename,
45828 const char __user *const __user *envp,
45829 struct pt_regs * regs)
45830 {
45831 +#ifdef CONFIG_GRKERNSEC
45832 + struct file *old_exec_file;
45833 + struct acl_subject_label *old_acl;
45834 + struct rlimit old_rlim[RLIM_NLIMITS];
45835 +#endif
45836 struct linux_binprm *bprm;
45837 struct file *file;
45838 struct files_struct *displaced;
45839 @@ -1417,6 +1451,23 @@ int do_execve(const char * filename,
45840 bprm->filename = filename;
45841 bprm->interp = filename;
45842
45843 + if (gr_process_user_ban()) {
45844 + retval = -EPERM;
45845 + goto out_file;
45846 + }
45847 +
45848 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45849 +
45850 + if (gr_handle_nproc()) {
45851 + retval = -EAGAIN;
45852 + goto out_file;
45853 + }
45854 +
45855 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
45856 + retval = -EACCES;
45857 + goto out_file;
45858 + }
45859 +
45860 retval = bprm_mm_init(bprm);
45861 if (retval)
45862 goto out_file;
45863 @@ -1446,9 +1497,40 @@ int do_execve(const char * filename,
45864 if (retval < 0)
45865 goto out;
45866
45867 + if (!gr_tpe_allow(file)) {
45868 + retval = -EACCES;
45869 + goto out;
45870 + }
45871 +
45872 + if (gr_check_crash_exec(file)) {
45873 + retval = -EACCES;
45874 + goto out;
45875 + }
45876 +
45877 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45878 +
45879 + gr_handle_exec_args(bprm, argv);
45880 +
45881 +#ifdef CONFIG_GRKERNSEC
45882 + old_acl = current->acl;
45883 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45884 + old_exec_file = current->exec_file;
45885 + get_file(file);
45886 + current->exec_file = file;
45887 +#endif
45888 +
45889 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45890 + bprm->unsafe & LSM_UNSAFE_SHARE);
45891 + if (retval < 0)
45892 + goto out_fail;
45893 +
45894 retval = search_binary_handler(bprm,regs);
45895 if (retval < 0)
45896 - goto out;
45897 + goto out_fail;
45898 +#ifdef CONFIG_GRKERNSEC
45899 + if (old_exec_file)
45900 + fput(old_exec_file);
45901 +#endif
45902
45903 /* execve succeeded */
45904 current->fs->in_exec = 0;
45905 @@ -1459,6 +1541,14 @@ int do_execve(const char * filename,
45906 put_files_struct(displaced);
45907 return retval;
45908
45909 +out_fail:
45910 +#ifdef CONFIG_GRKERNSEC
45911 + current->acl = old_acl;
45912 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45913 + fput(current->exec_file);
45914 + current->exec_file = old_exec_file;
45915 +#endif
45916 +
45917 out:
45918 if (bprm->mm) {
45919 acct_arg_size(bprm, 0);
45920 @@ -1504,7 +1594,7 @@ static int expand_corename(struct core_n
45921 {
45922 char *old_corename = cn->corename;
45923
45924 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
45925 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
45926 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
45927
45928 if (!cn->corename) {
45929 @@ -1557,7 +1647,7 @@ static int format_corename(struct core_n
45930 int pid_in_pattern = 0;
45931 int err = 0;
45932
45933 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
45934 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
45935 cn->corename = kmalloc(cn->size, GFP_KERNEL);
45936 cn->used = 0;
45937
45938 @@ -1645,6 +1735,219 @@ out:
45939 return ispipe;
45940 }
45941
45942 +int pax_check_flags(unsigned long *flags)
45943 +{
45944 + int retval = 0;
45945 +
45946 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
45947 + if (*flags & MF_PAX_SEGMEXEC)
45948 + {
45949 + *flags &= ~MF_PAX_SEGMEXEC;
45950 + retval = -EINVAL;
45951 + }
45952 +#endif
45953 +
45954 + if ((*flags & MF_PAX_PAGEEXEC)
45955 +
45956 +#ifdef CONFIG_PAX_PAGEEXEC
45957 + && (*flags & MF_PAX_SEGMEXEC)
45958 +#endif
45959 +
45960 + )
45961 + {
45962 + *flags &= ~MF_PAX_PAGEEXEC;
45963 + retval = -EINVAL;
45964 + }
45965 +
45966 + if ((*flags & MF_PAX_MPROTECT)
45967 +
45968 +#ifdef CONFIG_PAX_MPROTECT
45969 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45970 +#endif
45971 +
45972 + )
45973 + {
45974 + *flags &= ~MF_PAX_MPROTECT;
45975 + retval = -EINVAL;
45976 + }
45977 +
45978 + if ((*flags & MF_PAX_EMUTRAMP)
45979 +
45980 +#ifdef CONFIG_PAX_EMUTRAMP
45981 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
45982 +#endif
45983 +
45984 + )
45985 + {
45986 + *flags &= ~MF_PAX_EMUTRAMP;
45987 + retval = -EINVAL;
45988 + }
45989 +
45990 + return retval;
45991 +}
45992 +
45993 +EXPORT_SYMBOL(pax_check_flags);
45994 +
45995 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
45996 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
45997 +{
45998 + struct task_struct *tsk = current;
45999 + struct mm_struct *mm = current->mm;
46000 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
46001 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
46002 + char *path_exec = NULL;
46003 + char *path_fault = NULL;
46004 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
46005 +
46006 + if (buffer_exec && buffer_fault) {
46007 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
46008 +
46009 + down_read(&mm->mmap_sem);
46010 + vma = mm->mmap;
46011 + while (vma && (!vma_exec || !vma_fault)) {
46012 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
46013 + vma_exec = vma;
46014 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
46015 + vma_fault = vma;
46016 + vma = vma->vm_next;
46017 + }
46018 + if (vma_exec) {
46019 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
46020 + if (IS_ERR(path_exec))
46021 + path_exec = "<path too long>";
46022 + else {
46023 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
46024 + if (path_exec) {
46025 + *path_exec = 0;
46026 + path_exec = buffer_exec;
46027 + } else
46028 + path_exec = "<path too long>";
46029 + }
46030 + }
46031 + if (vma_fault) {
46032 + start = vma_fault->vm_start;
46033 + end = vma_fault->vm_end;
46034 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
46035 + if (vma_fault->vm_file) {
46036 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
46037 + if (IS_ERR(path_fault))
46038 + path_fault = "<path too long>";
46039 + else {
46040 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
46041 + if (path_fault) {
46042 + *path_fault = 0;
46043 + path_fault = buffer_fault;
46044 + } else
46045 + path_fault = "<path too long>";
46046 + }
46047 + } else
46048 + path_fault = "<anonymous mapping>";
46049 + }
46050 + up_read(&mm->mmap_sem);
46051 + }
46052 + if (tsk->signal->curr_ip)
46053 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
46054 + else
46055 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
46056 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
46057 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
46058 + task_uid(tsk), task_euid(tsk), pc, sp);
46059 + free_page((unsigned long)buffer_exec);
46060 + free_page((unsigned long)buffer_fault);
46061 + pax_report_insns(pc, sp);
46062 + do_coredump(SIGKILL, SIGKILL, regs);
46063 +}
46064 +#endif
46065 +
46066 +#ifdef CONFIG_PAX_REFCOUNT
46067 +void pax_report_refcount_overflow(struct pt_regs *regs)
46068 +{
46069 + if (current->signal->curr_ip)
46070 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46071 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
46072 + else
46073 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46074 + current->comm, task_pid_nr(current), current_uid(), current_euid());
46075 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
46076 + show_regs(regs);
46077 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
46078 +}
46079 +#endif
46080 +
46081 +#ifdef CONFIG_PAX_USERCOPY
46082 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
46083 +int object_is_on_stack(const void *obj, unsigned long len)
46084 +{
46085 + const void * const stack = task_stack_page(current);
46086 + const void * const stackend = stack + THREAD_SIZE;
46087 +
46088 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46089 + const void *frame = NULL;
46090 + const void *oldframe;
46091 +#endif
46092 +
46093 + if (obj + len < obj)
46094 + return -1;
46095 +
46096 + if (obj + len <= stack || stackend <= obj)
46097 + return 0;
46098 +
46099 + if (obj < stack || stackend < obj + len)
46100 + return -1;
46101 +
46102 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46103 + oldframe = __builtin_frame_address(1);
46104 + if (oldframe)
46105 + frame = __builtin_frame_address(2);
46106 + /*
46107 + low ----------------------------------------------> high
46108 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
46109 + ^----------------^
46110 + allow copies only within here
46111 + */
46112 + while (stack <= frame && frame < stackend) {
46113 + /* if obj + len extends past the last frame, this
46114 + check won't pass and the next frame will be 0,
46115 + causing us to bail out and correctly report
46116 + the copy as invalid
46117 + */
46118 + if (obj + len <= frame)
46119 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
46120 + oldframe = frame;
46121 + frame = *(const void * const *)frame;
46122 + }
46123 + return -1;
46124 +#else
46125 + return 1;
46126 +#endif
46127 +}
46128 +
46129 +
46130 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
46131 +{
46132 + if (current->signal->curr_ip)
46133 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46134 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46135 + else
46136 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46137 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46138 + dump_stack();
46139 + gr_handle_kernel_exploit();
46140 + do_group_exit(SIGKILL);
46141 +}
46142 +#endif
46143 +
46144 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
46145 +void pax_track_stack(void)
46146 +{
46147 + unsigned long sp = (unsigned long)&sp;
46148 + if (sp < current_thread_info()->lowest_stack &&
46149 + sp > (unsigned long)task_stack_page(current))
46150 + current_thread_info()->lowest_stack = sp;
46151 +}
46152 +EXPORT_SYMBOL(pax_track_stack);
46153 +#endif
46154 +
46155 static int zap_process(struct task_struct *start, int exit_code)
46156 {
46157 struct task_struct *t;
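Review bot: In `object_is_on_stack()` the wrap-around test `if (obj + len < obj)` is done in pointer arithmetic, where overflow is undefined and the compiler may fold the test to false unless the build uses something like `-fno-strict-overflow`. Doing it on integers makes the check independent of compiler flags: `if ((unsigned long)obj + len < (unsigned long)obj) return -1;`. The frame walk further down follows each saved frame pointer as long as it lies inside the stack; also requiring `frame > oldframe` before following it would guarantee termination on a damaged chain. Separately, the log string in `pax_report_refcount_overflow()` misspells "occurred" as "occured".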
46158 @@ -1855,17 +2158,17 @@ static void wait_for_dump_helpers(struct
46159 pipe = file->f_path.dentry->d_inode->i_pipe;
46160
46161 pipe_lock(pipe);
46162 - pipe->readers++;
46163 - pipe->writers--;
46164 + atomic_inc(&pipe->readers);
46165 + atomic_dec(&pipe->writers);
46166
46167 - while ((pipe->readers > 1) && (!signal_pending(current))) {
46168 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
46169 wake_up_interruptible_sync(&pipe->wait);
46170 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
46171 pipe_wait(pipe);
46172 }
46173
46174 - pipe->readers--;
46175 - pipe->writers++;
46176 + atomic_dec(&pipe->readers);
46177 + atomic_inc(&pipe->writers);
46178 pipe_unlock(pipe);
46179
46180 }
46181 @@ -1926,7 +2229,7 @@ void do_coredump(long signr, int exit_co
46182 int retval = 0;
46183 int flag = 0;
46184 int ispipe;
46185 - static atomic_t core_dump_count = ATOMIC_INIT(0);
46186 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
46187 struct coredump_params cprm = {
46188 .signr = signr,
46189 .regs = regs,
46190 @@ -1941,6 +2244,9 @@ void do_coredump(long signr, int exit_co
46191
46192 audit_core_dumps(signr);
46193
46194 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
46195 + gr_handle_brute_attach(current, cprm.mm_flags);
46196 +
46197 binfmt = mm->binfmt;
46198 if (!binfmt || !binfmt->core_dump)
46199 goto fail;
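Review bot: The signal list guarding `gr_handle_brute_attach()` includes `SIGKILL`, which does not normally reach `do_coredump()`. The only source visible on this page is `pax_report_fault()`, added earlier in this file's diff, which calls `do_coredump(SIGKILL, SIGKILL, regs)`. A one-line comment would stop the list being trimmed later, e.g. `/* SIGKILL: PaX-terminated tasks arrive via pax_report_fault() */`. The call also sits before the `binfmt`/`core_dump` check, so it runs even when no dump will be written; if that is intended, the comment should say so.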
46200 @@ -1981,6 +2287,8 @@ void do_coredump(long signr, int exit_co
46201 goto fail_corename;
46202 }
46203
46204 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46205 +
46206 if (ispipe) {
46207 int dump_count;
46208 char **helper_argv;
46209 @@ -2008,7 +2316,7 @@ void do_coredump(long signr, int exit_co
46210 }
46211 cprm.limit = RLIM_INFINITY;
46212
46213 - dump_count = atomic_inc_return(&core_dump_count);
46214 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
46215 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46216 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46217 task_tgid_vnr(current), current->comm);
46218 @@ -2078,7 +2386,7 @@ close_fail:
46219 filp_close(cprm.file, NULL);
46220 fail_dropcount:
46221 if (ispipe)
46222 - atomic_dec(&core_dump_count);
46223 + atomic_dec_unchecked(&core_dump_count);
46224 fail_unlock:
46225 kfree(cn.corename);
46226 fail_corename:
46227 diff -urNp linux-2.6.39.3/fs/ext2/balloc.c linux-2.6.39.3/fs/ext2/balloc.c
46228 --- linux-2.6.39.3/fs/ext2/balloc.c 2011-05-19 00:06:34.000000000 -0400
46229 +++ linux-2.6.39.3/fs/ext2/balloc.c 2011-05-22 19:41:37.000000000 -0400
46230 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46231
46232 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46233 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46234 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46235 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46236 sbi->s_resuid != current_fsuid() &&
46237 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46238 return 0;
46239 diff -urNp linux-2.6.39.3/fs/ext3/balloc.c linux-2.6.39.3/fs/ext3/balloc.c
46240 --- linux-2.6.39.3/fs/ext3/balloc.c 2011-05-19 00:06:34.000000000 -0400
46241 +++ linux-2.6.39.3/fs/ext3/balloc.c 2011-05-22 19:41:37.000000000 -0400
46242 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
46243
46244 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46245 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46246 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46247 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46248 sbi->s_resuid != current_fsuid() &&
46249 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46250 return 0;
46251 diff -urNp linux-2.6.39.3/fs/ext4/balloc.c linux-2.6.39.3/fs/ext4/balloc.c
46252 --- linux-2.6.39.3/fs/ext4/balloc.c 2011-05-19 00:06:34.000000000 -0400
46253 +++ linux-2.6.39.3/fs/ext4/balloc.c 2011-05-22 19:41:37.000000000 -0400
46254 @@ -522,7 +522,7 @@ static int ext4_has_free_blocks(struct e
46255 /* Hm, nope. Are (enough) root reserved blocks available? */
46256 if (sbi->s_resuid == current_fsuid() ||
46257 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46258 - capable(CAP_SYS_RESOURCE)) {
46259 + capable_nolog(CAP_SYS_RESOURCE)) {
46260 if (free_blocks >= (nblocks + dirty_blocks))
46261 return 1;
46262 }
46263 diff -urNp linux-2.6.39.3/fs/ext4/ext4.h linux-2.6.39.3/fs/ext4/ext4.h
46264 --- linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:04:14.000000000 -0400
46265 +++ linux-2.6.39.3/fs/ext4/ext4.h 2011-06-03 00:32:07.000000000 -0400
46266 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
46267 unsigned long s_mb_last_start;
46268
46269 /* stats for buddy allocator */
46270 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46271 - atomic_t s_bal_success; /* we found long enough chunks */
46272 - atomic_t s_bal_allocated; /* in blocks */
46273 - atomic_t s_bal_ex_scanned; /* total extents scanned */
46274 - atomic_t s_bal_goals; /* goal hits */
46275 - atomic_t s_bal_breaks; /* too long searches */
46276 - atomic_t s_bal_2orders; /* 2^order hits */
46277 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46278 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46279 + atomic_unchecked_t s_bal_allocated; /* in blocks */
46280 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46281 + atomic_unchecked_t s_bal_goals; /* goal hits */
46282 + atomic_unchecked_t s_bal_breaks; /* too long searches */
46283 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46284 spinlock_t s_bal_lock;
46285 unsigned long s_mb_buddies_generated;
46286 unsigned long long s_mb_generation_time;
46287 - atomic_t s_mb_lost_chunks;
46288 - atomic_t s_mb_preallocated;
46289 - atomic_t s_mb_discarded;
46290 + atomic_unchecked_t s_mb_lost_chunks;
46291 + atomic_unchecked_t s_mb_preallocated;
46292 + atomic_unchecked_t s_mb_discarded;
46293 atomic_t s_lock_busy;
46294
46295 /* locality groups */
46296 diff -urNp linux-2.6.39.3/fs/ext4/mballoc.c linux-2.6.39.3/fs/ext4/mballoc.c
46297 --- linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:04:14.000000000 -0400
46298 +++ linux-2.6.39.3/fs/ext4/mballoc.c 2011-06-03 00:32:07.000000000 -0400
46299 @@ -1853,7 +1853,7 @@ void ext4_mb_simple_scan_group(struct ex
46300 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46301
46302 if (EXT4_SB(sb)->s_mb_stats)
46303 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46304 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46305
46306 break;
46307 }
46308 @@ -2147,7 +2147,7 @@ repeat:
46309 ac->ac_status = AC_STATUS_CONTINUE;
46310 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46311 cr = 3;
46312 - atomic_inc(&sbi->s_mb_lost_chunks);
46313 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46314 goto repeat;
46315 }
46316 }
46317 @@ -2190,6 +2190,8 @@ static int ext4_mb_seq_groups_show(struc
46318 ext4_grpblk_t counters[16];
46319 } sg;
46320
46321 + pax_track_stack();
46322 +
46323 group--;
46324 if (group == 0)
46325 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46326 @@ -2613,25 +2615,25 @@ int ext4_mb_release(struct super_block *
46327 if (sbi->s_mb_stats) {
46328 printk(KERN_INFO
46329 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46330 - atomic_read(&sbi->s_bal_allocated),
46331 - atomic_read(&sbi->s_bal_reqs),
46332 - atomic_read(&sbi->s_bal_success));
46333 + atomic_read_unchecked(&sbi->s_bal_allocated),
46334 + atomic_read_unchecked(&sbi->s_bal_reqs),
46335 + atomic_read_unchecked(&sbi->s_bal_success));
46336 printk(KERN_INFO
46337 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46338 "%u 2^N hits, %u breaks, %u lost\n",
46339 - atomic_read(&sbi->s_bal_ex_scanned),
46340 - atomic_read(&sbi->s_bal_goals),
46341 - atomic_read(&sbi->s_bal_2orders),
46342 - atomic_read(&sbi->s_bal_breaks),
46343 - atomic_read(&sbi->s_mb_lost_chunks));
46344 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46345 + atomic_read_unchecked(&sbi->s_bal_goals),
46346 + atomic_read_unchecked(&sbi->s_bal_2orders),
46347 + atomic_read_unchecked(&sbi->s_bal_breaks),
46348 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46349 printk(KERN_INFO
46350 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46351 sbi->s_mb_buddies_generated++,
46352 sbi->s_mb_generation_time);
46353 printk(KERN_INFO
46354 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46355 - atomic_read(&sbi->s_mb_preallocated),
46356 - atomic_read(&sbi->s_mb_discarded));
46357 + atomic_read_unchecked(&sbi->s_mb_preallocated),
46358 + atomic_read_unchecked(&sbi->s_mb_discarded));
46359 }
46360
46361 free_percpu(sbi->s_locality_groups);
46362 @@ -3107,16 +3109,16 @@ static void ext4_mb_collect_stats(struct
46363 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46364
46365 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46366 - atomic_inc(&sbi->s_bal_reqs);
46367 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46368 + atomic_inc_unchecked(&sbi->s_bal_reqs);
46369 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46370 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
46371 - atomic_inc(&sbi->s_bal_success);
46372 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46373 + atomic_inc_unchecked(&sbi->s_bal_success);
46374 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46375 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46376 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46377 - atomic_inc(&sbi->s_bal_goals);
46378 + atomic_inc_unchecked(&sbi->s_bal_goals);
46379 if (ac->ac_found > sbi->s_mb_max_to_scan)
46380 - atomic_inc(&sbi->s_bal_breaks);
46381 + atomic_inc_unchecked(&sbi->s_bal_breaks);
46382 }
46383
46384 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46385 @@ -3514,7 +3516,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46386 trace_ext4_mb_new_inode_pa(ac, pa);
46387
46388 ext4_mb_use_inode_pa(ac, pa);
46389 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46390 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46391
46392 ei = EXT4_I(ac->ac_inode);
46393 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46394 @@ -3574,7 +3576,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46395 trace_ext4_mb_new_group_pa(ac, pa);
46396
46397 ext4_mb_use_group_pa(ac, pa);
46398 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46399 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46400
46401 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46402 lg = ac->ac_lg;
46403 @@ -3661,7 +3663,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46404 * from the bitmap and continue.
46405 */
46406 }
46407 - atomic_add(free, &sbi->s_mb_discarded);
46408 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
46409
46410 return err;
46411 }
46412 @@ -3679,7 +3681,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46413 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46414 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46415 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46416 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46417 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46418 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
46419
46420 return 0;
46421 diff -urNp linux-2.6.39.3/fs/fcntl.c linux-2.6.39.3/fs/fcntl.c
46422 --- linux-2.6.39.3/fs/fcntl.c 2011-05-19 00:06:34.000000000 -0400
46423 +++ linux-2.6.39.3/fs/fcntl.c 2011-05-22 20:45:50.000000000 -0400
46424 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
46425 if (err)
46426 return err;
46427
46428 + if (gr_handle_chroot_fowner(pid, type))
46429 + return -ENOENT;
46430 + if (gr_check_protected_task_fowner(pid, type))
46431 + return -EACCES;
46432 +
46433 f_modown(filp, pid, type, force);
46434 return 0;
46435 }
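Review bot: The two denials added to __f_setown return different errnos, `-ENOENT` for gr_handle_chroot_fowner and `-EACCES` for gr_check_protected_task_fowner, and nothing in the hunk says why. F_SETOWN decides which process receives SIGIO/SIGURG for the file, so these checks restrict which tasks a caller may name as the signal recipient. Judging by the names, the chroot case presumably reports the target as nonexistent so that a confined caller learns nothing about tasks outside its root. A comment above the first check would record that, e.g. `/* chroot: a pid outside the caller's root is reported as absent, not as denied */`, to be confirmed against the helper, which is not visible here. The start of __f_setown is outside the hunk.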
46436 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
46437 switch (cmd) {
46438 case F_DUPFD:
46439 case F_DUPFD_CLOEXEC:
46440 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46441 if (arg >= rlimit(RLIMIT_NOFILE))
46442 break;
46443 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
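Review bot: gr_learn_resource() is handed the caller-supplied `arg` before the `arg >= rlimit(RLIMIT_NOFILE)` test, so values that the next line rejects are reported to the hook as well; the same ordering appears in expand_files() in fs/file.c with `nr`. If recording refused requests is the intent, say so in a comment such as `/* report the requested fd number before enforcing the limit, so learning sees refused requests too */`. The meaning of the trailing `0` argument is not visible here and deserves a word in the same comment. do_fcntl's body starts and ends outside the hunk.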
46444 @@ -835,14 +841,14 @@ static int __init fcntl_init(void)
46445 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
46446 * is defined as O_NONBLOCK on some platforms and not on others.
46447 */
46448 - BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46449 + BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
46450 O_RDONLY | O_WRONLY | O_RDWR |
46451 O_CREAT | O_EXCL | O_NOCTTY |
46452 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
46453 __O_SYNC | O_DSYNC | FASYNC |
46454 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
46455 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
46456 - __FMODE_EXEC | O_PATH
46457 + __FMODE_EXEC | O_PATH | FMODE_GREXEC
46458 ));
46459
46460 fasync_cache = kmem_cache_create("fasync_cache",
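Review bot: The count in the BUILD_BUG_ON goes from `19` to `20` to admit FMODE_GREXEC, but the comment above it still explains only the O_NONBLOCK/O_NDELAY exceptions. The assertion holds only if FMODE_GREXEC is a single bit that none of the listed flags use, and O_NONBLOCK is commented out of the list, so an overlap with that flag would not be caught here. I would add a comment next to the new operand, e.g. `/* FMODE_GREXEC must not alias any O_* flag, including O_NONBLOCK, which this check does not cover */`. fcntl_init starts outside the hunk.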
46461 diff -urNp linux-2.6.39.3/fs/fifo.c linux-2.6.39.3/fs/fifo.c
46462 --- linux-2.6.39.3/fs/fifo.c 2011-05-19 00:06:34.000000000 -0400
46463 +++ linux-2.6.39.3/fs/fifo.c 2011-05-22 19:36:32.000000000 -0400
46464 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
46465 */
46466 filp->f_op = &read_pipefifo_fops;
46467 pipe->r_counter++;
46468 - if (pipe->readers++ == 0)
46469 + if (atomic_inc_return(&pipe->readers) == 1)
46470 wake_up_partner(inode);
46471
46472 - if (!pipe->writers) {
46473 + if (!atomic_read(&pipe->writers)) {
46474 if ((filp->f_flags & O_NONBLOCK)) {
46475 /* suppress POLLHUP until we have
46476 * seen a writer */
46477 @@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
46478 * errno=ENXIO when there is no process reading the FIFO.
46479 */
46480 ret = -ENXIO;
46481 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46482 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46483 goto err;
46484
46485 filp->f_op = &write_pipefifo_fops;
46486 pipe->w_counter++;
46487 - if (!pipe->writers++)
46488 + if (atomic_inc_return(&pipe->writers) == 1)
46489 wake_up_partner(inode);
46490
46491 - if (!pipe->readers) {
46492 + if (!atomic_read(&pipe->readers)) {
46493 wait_for_partner(inode, &pipe->r_counter);
46494 if (signal_pending(current))
46495 goto err_wr;
46496 @@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
46497 */
46498 filp->f_op = &rdwr_pipefifo_fops;
46499
46500 - pipe->readers++;
46501 - pipe->writers++;
46502 + atomic_inc(&pipe->readers);
46503 + atomic_inc(&pipe->writers);
46504 pipe->r_counter++;
46505 pipe->w_counter++;
46506 - if (pipe->readers == 1 || pipe->writers == 1)
46507 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46508 wake_up_partner(inode);
46509 break;
46510
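Review bot: In the read/write branch the counters are bumped with `atomic_inc()` and then re-read with `atomic_read()`, while the read-only and write-only branches in the two earlier hunks test the value returned by `atomic_inc_return()`. The re-read is equivalent only if a lock taken outside this hunk keeps other openers away, which the atomics by themselves do not guarantee; the same holds for the paired `atomic_read()` tests that decide `free_pipe_info(inode)` under `err:` in the @@ -123,19 hunk. For consistency I would keep the two return values in locals declared with the function's other variables, `r = atomic_inc_return(&pipe->readers); w = atomic_inc_return(&pipe->writers);`, and test `if (r == 1 || w == 1)`. fifo_open begins and ends outside the hunk.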
46511 @@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
46512 return 0;
46513
46514 err_rd:
46515 - if (!--pipe->readers)
46516 + if (atomic_dec_and_test(&pipe->readers))
46517 wake_up_interruptible(&pipe->wait);
46518 ret = -ERESTARTSYS;
46519 goto err;
46520
46521 err_wr:
46522 - if (!--pipe->writers)
46523 + if (atomic_dec_and_test(&pipe->writers))
46524 wake_up_interruptible(&pipe->wait);
46525 ret = -ERESTARTSYS;
46526 goto err;
46527
46528 err:
46529 - if (!pipe->readers && !pipe->writers)
46530 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46531 free_pipe_info(inode);
46532
46533 err_nocleanup:
46534 diff -urNp linux-2.6.39.3/fs/file.c linux-2.6.39.3/fs/file.c
46535 --- linux-2.6.39.3/fs/file.c 2011-05-19 00:06:34.000000000 -0400
46536 +++ linux-2.6.39.3/fs/file.c 2011-05-22 19:41:37.000000000 -0400
46537 @@ -15,6 +15,7 @@
46538 #include <linux/slab.h>
46539 #include <linux/vmalloc.h>
46540 #include <linux/file.h>
46541 +#include <linux/security.h>
46542 #include <linux/fdtable.h>
46543 #include <linux/bitops.h>
46544 #include <linux/interrupt.h>
46545 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
46546 * N.B. For clone tasks sharing a files structure, this test
46547 * will limit the total number of files that can be opened.
46548 */
46549 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46550 if (nr >= rlimit(RLIMIT_NOFILE))
46551 return -EMFILE;
46552
46553 diff -urNp linux-2.6.39.3/fs/filesystems.c linux-2.6.39.3/fs/filesystems.c
46554 --- linux-2.6.39.3/fs/filesystems.c 2011-05-19 00:06:34.000000000 -0400
46555 +++ linux-2.6.39.3/fs/filesystems.c 2011-05-22 19:41:37.000000000 -0400
46556 @@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
46557 int len = dot ? dot - name : strlen(name);
46558
46559 fs = __get_fs_type(name, len);
46560 +
46561 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46562 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46563 +#else
46564 if (!fs && (request_module("%.*s", len, name) == 0))
46565 +#endif
46566 fs = __get_fs_type(name, len);
46567
46568 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
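Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block supplies two alternative `if (...)` heads for the single statement `fs = __get_fs_type(name, len);` that follows the `#endif`, which is easy to break when either arm is edited later. `name` comes from get_fs_type's caller and reaches the module loader in both arms, so this path should stay easy to read. What the `true` and `"grsec_modharden_fs"` arguments mean to ___request_module is not visible here and should be stated in a comment. Keeping the conditional inside one braced block, as below, gives both configurations the same control-flow shape. get_fs_type starts and ends outside the hunk.

```c
	fs = __get_fs_type(name, len);
	if (!fs) {
		/* type not registered yet: ask for the module, then look again */
#ifdef CONFIG_GRKERNSEC_MODHARDEN
		int rc = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		int rc = request_module("%.*s", len, name);
#endif
		if (rc == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: FS_HAS_SUBTYPE check … */
```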
46569 diff -urNp linux-2.6.39.3/fs/fscache/cookie.c linux-2.6.39.3/fs/fscache/cookie.c
46570 --- linux-2.6.39.3/fs/fscache/cookie.c 2011-05-19 00:06:34.000000000 -0400
46571 +++ linux-2.6.39.3/fs/fscache/cookie.c 2011-05-22 19:36:32.000000000 -0400
46572 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46573 parent ? (char *) parent->def->name : "<no-parent>",
46574 def->name, netfs_data);
46575
46576 - fscache_stat(&fscache_n_acquires);
46577 + fscache_stat_unchecked(&fscache_n_acquires);
46578
46579 /* if there's no parent cookie, then we don't create one here either */
46580 if (!parent) {
46581 - fscache_stat(&fscache_n_acquires_null);
46582 + fscache_stat_unchecked(&fscache_n_acquires_null);
46583 _leave(" [no parent]");
46584 return NULL;
46585 }
46586 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46587 /* allocate and initialise a cookie */
46588 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46589 if (!cookie) {
46590 - fscache_stat(&fscache_n_acquires_oom);
46591 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46592 _leave(" [ENOMEM]");
46593 return NULL;
46594 }
46595 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46596
46597 switch (cookie->def->type) {
46598 case FSCACHE_COOKIE_TYPE_INDEX:
46599 - fscache_stat(&fscache_n_cookie_index);
46600 + fscache_stat_unchecked(&fscache_n_cookie_index);
46601 break;
46602 case FSCACHE_COOKIE_TYPE_DATAFILE:
46603 - fscache_stat(&fscache_n_cookie_data);
46604 + fscache_stat_unchecked(&fscache_n_cookie_data);
46605 break;
46606 default:
46607 - fscache_stat(&fscache_n_cookie_special);
46608 + fscache_stat_unchecked(&fscache_n_cookie_special);
46609 break;
46610 }
46611
46612 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46613 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46614 atomic_dec(&parent->n_children);
46615 __fscache_cookie_put(cookie);
46616 - fscache_stat(&fscache_n_acquires_nobufs);
46617 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46618 _leave(" = NULL");
46619 return NULL;
46620 }
46621 }
46622
46623 - fscache_stat(&fscache_n_acquires_ok);
46624 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46625 _leave(" = %p", cookie);
46626 return cookie;
46627 }
46628 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46629 cache = fscache_select_cache_for_object(cookie->parent);
46630 if (!cache) {
46631 up_read(&fscache_addremove_sem);
46632 - fscache_stat(&fscache_n_acquires_no_cache);
46633 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46634 _leave(" = -ENOMEDIUM [no cache]");
46635 return -ENOMEDIUM;
46636 }
46637 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46638 object = cache->ops->alloc_object(cache, cookie);
46639 fscache_stat_d(&fscache_n_cop_alloc_object);
46640 if (IS_ERR(object)) {
46641 - fscache_stat(&fscache_n_object_no_alloc);
46642 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46643 ret = PTR_ERR(object);
46644 goto error;
46645 }
46646
46647 - fscache_stat(&fscache_n_object_alloc);
46648 + fscache_stat_unchecked(&fscache_n_object_alloc);
46649
46650 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
46651
46652 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
46653 struct fscache_object *object;
46654 struct hlist_node *_p;
46655
46656 - fscache_stat(&fscache_n_updates);
46657 + fscache_stat_unchecked(&fscache_n_updates);
46658
46659 if (!cookie) {
46660 - fscache_stat(&fscache_n_updates_null);
46661 + fscache_stat_unchecked(&fscache_n_updates_null);
46662 _leave(" [no cookie]");
46663 return;
46664 }
46665 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
46666 struct fscache_object *object;
46667 unsigned long event;
46668
46669 - fscache_stat(&fscache_n_relinquishes);
46670 + fscache_stat_unchecked(&fscache_n_relinquishes);
46671 if (retire)
46672 - fscache_stat(&fscache_n_relinquishes_retire);
46673 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
46674
46675 if (!cookie) {
46676 - fscache_stat(&fscache_n_relinquishes_null);
46677 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
46678 _leave(" [no cookie]");
46679 return;
46680 }
46681 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
46682
46683 /* wait for the cookie to finish being instantiated (or to fail) */
46684 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
46685 - fscache_stat(&fscache_n_relinquishes_waitcrt);
46686 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
46687 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
46688 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
46689 }
46690 diff -urNp linux-2.6.39.3/fs/fscache/internal.h linux-2.6.39.3/fs/fscache/internal.h
46691 --- linux-2.6.39.3/fs/fscache/internal.h 2011-05-19 00:06:34.000000000 -0400
46692 +++ linux-2.6.39.3/fs/fscache/internal.h 2011-05-22 19:36:32.000000000 -0400
46693 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
46694 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
46695 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
46696
46697 -extern atomic_t fscache_n_op_pend;
46698 -extern atomic_t fscache_n_op_run;
46699 -extern atomic_t fscache_n_op_enqueue;
46700 -extern atomic_t fscache_n_op_deferred_release;
46701 -extern atomic_t fscache_n_op_release;
46702 -extern atomic_t fscache_n_op_gc;
46703 -extern atomic_t fscache_n_op_cancelled;
46704 -extern atomic_t fscache_n_op_rejected;
46705 -
46706 -extern atomic_t fscache_n_attr_changed;
46707 -extern atomic_t fscache_n_attr_changed_ok;
46708 -extern atomic_t fscache_n_attr_changed_nobufs;
46709 -extern atomic_t fscache_n_attr_changed_nomem;
46710 -extern atomic_t fscache_n_attr_changed_calls;
46711 -
46712 -extern atomic_t fscache_n_allocs;
46713 -extern atomic_t fscache_n_allocs_ok;
46714 -extern atomic_t fscache_n_allocs_wait;
46715 -extern atomic_t fscache_n_allocs_nobufs;
46716 -extern atomic_t fscache_n_allocs_intr;
46717 -extern atomic_t fscache_n_allocs_object_dead;
46718 -extern atomic_t fscache_n_alloc_ops;
46719 -extern atomic_t fscache_n_alloc_op_waits;
46720 -
46721 -extern atomic_t fscache_n_retrievals;
46722 -extern atomic_t fscache_n_retrievals_ok;
46723 -extern atomic_t fscache_n_retrievals_wait;
46724 -extern atomic_t fscache_n_retrievals_nodata;
46725 -extern atomic_t fscache_n_retrievals_nobufs;
46726 -extern atomic_t fscache_n_retrievals_intr;
46727 -extern atomic_t fscache_n_retrievals_nomem;
46728 -extern atomic_t fscache_n_retrievals_object_dead;
46729 -extern atomic_t fscache_n_retrieval_ops;
46730 -extern atomic_t fscache_n_retrieval_op_waits;
46731 -
46732 -extern atomic_t fscache_n_stores;
46733 -extern atomic_t fscache_n_stores_ok;
46734 -extern atomic_t fscache_n_stores_again;
46735 -extern atomic_t fscache_n_stores_nobufs;
46736 -extern atomic_t fscache_n_stores_oom;
46737 -extern atomic_t fscache_n_store_ops;
46738 -extern atomic_t fscache_n_store_calls;
46739 -extern atomic_t fscache_n_store_pages;
46740 -extern atomic_t fscache_n_store_radix_deletes;
46741 -extern atomic_t fscache_n_store_pages_over_limit;
46742 -
46743 -extern atomic_t fscache_n_store_vmscan_not_storing;
46744 -extern atomic_t fscache_n_store_vmscan_gone;
46745 -extern atomic_t fscache_n_store_vmscan_busy;
46746 -extern atomic_t fscache_n_store_vmscan_cancelled;
46747 -
46748 -extern atomic_t fscache_n_marks;
46749 -extern atomic_t fscache_n_uncaches;
46750 -
46751 -extern atomic_t fscache_n_acquires;
46752 -extern atomic_t fscache_n_acquires_null;
46753 -extern atomic_t fscache_n_acquires_no_cache;
46754 -extern atomic_t fscache_n_acquires_ok;
46755 -extern atomic_t fscache_n_acquires_nobufs;
46756 -extern atomic_t fscache_n_acquires_oom;
46757 -
46758 -extern atomic_t fscache_n_updates;
46759 -extern atomic_t fscache_n_updates_null;
46760 -extern atomic_t fscache_n_updates_run;
46761 -
46762 -extern atomic_t fscache_n_relinquishes;
46763 -extern atomic_t fscache_n_relinquishes_null;
46764 -extern atomic_t fscache_n_relinquishes_waitcrt;
46765 -extern atomic_t fscache_n_relinquishes_retire;
46766 -
46767 -extern atomic_t fscache_n_cookie_index;
46768 -extern atomic_t fscache_n_cookie_data;
46769 -extern atomic_t fscache_n_cookie_special;
46770 -
46771 -extern atomic_t fscache_n_object_alloc;
46772 -extern atomic_t fscache_n_object_no_alloc;
46773 -extern atomic_t fscache_n_object_lookups;
46774 -extern atomic_t fscache_n_object_lookups_negative;
46775 -extern atomic_t fscache_n_object_lookups_positive;
46776 -extern atomic_t fscache_n_object_lookups_timed_out;
46777 -extern atomic_t fscache_n_object_created;
46778 -extern atomic_t fscache_n_object_avail;
46779 -extern atomic_t fscache_n_object_dead;
46780 -
46781 -extern atomic_t fscache_n_checkaux_none;
46782 -extern atomic_t fscache_n_checkaux_okay;
46783 -extern atomic_t fscache_n_checkaux_update;
46784 -extern atomic_t fscache_n_checkaux_obsolete;
46785 +extern atomic_unchecked_t fscache_n_op_pend;
46786 +extern atomic_unchecked_t fscache_n_op_run;
46787 +extern atomic_unchecked_t fscache_n_op_enqueue;
46788 +extern atomic_unchecked_t fscache_n_op_deferred_release;
46789 +extern atomic_unchecked_t fscache_n_op_release;
46790 +extern atomic_unchecked_t fscache_n_op_gc;
46791 +extern atomic_unchecked_t fscache_n_op_cancelled;
46792 +extern atomic_unchecked_t fscache_n_op_rejected;
46793 +
46794 +extern atomic_unchecked_t fscache_n_attr_changed;
46795 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
46796 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
46797 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
46798 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
46799 +
46800 +extern atomic_unchecked_t fscache_n_allocs;
46801 +extern atomic_unchecked_t fscache_n_allocs_ok;
46802 +extern atomic_unchecked_t fscache_n_allocs_wait;
46803 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
46804 +extern atomic_unchecked_t fscache_n_allocs_intr;
46805 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
46806 +extern atomic_unchecked_t fscache_n_alloc_ops;
46807 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
46808 +
46809 +extern atomic_unchecked_t fscache_n_retrievals;
46810 +extern atomic_unchecked_t fscache_n_retrievals_ok;
46811 +extern atomic_unchecked_t fscache_n_retrievals_wait;
46812 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
46813 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
46814 +extern atomic_unchecked_t fscache_n_retrievals_intr;
46815 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
46816 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
46817 +extern atomic_unchecked_t fscache_n_retrieval_ops;
46818 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
46819 +
46820 +extern atomic_unchecked_t fscache_n_stores;
46821 +extern atomic_unchecked_t fscache_n_stores_ok;
46822 +extern atomic_unchecked_t fscache_n_stores_again;
46823 +extern atomic_unchecked_t fscache_n_stores_nobufs;
46824 +extern atomic_unchecked_t fscache_n_stores_oom;
46825 +extern atomic_unchecked_t fscache_n_store_ops;
46826 +extern atomic_unchecked_t fscache_n_store_calls;
46827 +extern atomic_unchecked_t fscache_n_store_pages;
46828 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
46829 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
46830 +
46831 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46832 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
46833 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
46834 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46835 +
46836 +extern atomic_unchecked_t fscache_n_marks;
46837 +extern atomic_unchecked_t fscache_n_uncaches;
46838 +
46839 +extern atomic_unchecked_t fscache_n_acquires;
46840 +extern atomic_unchecked_t fscache_n_acquires_null;
46841 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
46842 +extern atomic_unchecked_t fscache_n_acquires_ok;
46843 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
46844 +extern atomic_unchecked_t fscache_n_acquires_oom;
46845 +
46846 +extern atomic_unchecked_t fscache_n_updates;
46847 +extern atomic_unchecked_t fscache_n_updates_null;
46848 +extern atomic_unchecked_t fscache_n_updates_run;
46849 +
46850 +extern atomic_unchecked_t fscache_n_relinquishes;
46851 +extern atomic_unchecked_t fscache_n_relinquishes_null;
46852 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46853 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
46854 +
46855 +extern atomic_unchecked_t fscache_n_cookie_index;
46856 +extern atomic_unchecked_t fscache_n_cookie_data;
46857 +extern atomic_unchecked_t fscache_n_cookie_special;
46858 +
46859 +extern atomic_unchecked_t fscache_n_object_alloc;
46860 +extern atomic_unchecked_t fscache_n_object_no_alloc;
46861 +extern atomic_unchecked_t fscache_n_object_lookups;
46862 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
46863 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
46864 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
46865 +extern atomic_unchecked_t fscache_n_object_created;
46866 +extern atomic_unchecked_t fscache_n_object_avail;
46867 +extern atomic_unchecked_t fscache_n_object_dead;
46868 +
46869 +extern atomic_unchecked_t fscache_n_checkaux_none;
46870 +extern atomic_unchecked_t fscache_n_checkaux_okay;
46871 +extern atomic_unchecked_t fscache_n_checkaux_update;
46872 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
46873
46874 extern atomic_t fscache_n_cop_alloc_object;
46875 extern atomic_t fscache_n_cop_lookup_object;
46876 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
46877 atomic_inc(stat);
46878 }
46879
46880 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
46881 +{
46882 + atomic_inc_unchecked(stat);
46883 +}
46884 +
46885 static inline void fscache_stat_d(atomic_t *stat)
46886 {
46887 atomic_dec(stat);
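Review bot: fscache_stat_unchecked() is added without a comment saying when to use it instead of fscache_stat(). After this patch the header holds two kinds of counter: the event counters switched to `atomic_unchecked_t` in the hunk above, and the `fscache_n_cop_*` counters that stay `atomic_t` and are decremented through fscache_stat_d(). Assuming the unchecked type means exempt from overflow detection, as the name suggests, a one-line comment on the helper would keep later additions in the right class, e.g. `/* for statistics that only count up and may wrap; counters that are also decremented stay on fscache_stat() */`. The body of fscache_stat_d continues past the end of the hunk.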
46888 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
46889
46890 #define __fscache_stat(stat) (NULL)
46891 #define fscache_stat(stat) do {} while (0)
46892 +#define fscache_stat_unchecked(stat) do {} while (0)
46893 #define fscache_stat_d(stat) do {} while (0)
46894 #endif
46895
46896 diff -urNp linux-2.6.39.3/fs/fscache/object.c linux-2.6.39.3/fs/fscache/object.c
46897 --- linux-2.6.39.3/fs/fscache/object.c 2011-05-19 00:06:34.000000000 -0400
46898 +++ linux-2.6.39.3/fs/fscache/object.c 2011-05-22 19:36:32.000000000 -0400
46899 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
46900 /* update the object metadata on disk */
46901 case FSCACHE_OBJECT_UPDATING:
46902 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
46903 - fscache_stat(&fscache_n_updates_run);
46904 + fscache_stat_unchecked(&fscache_n_updates_run);
46905 fscache_stat(&fscache_n_cop_update_object);
46906 object->cache->ops->update_object(object);
46907 fscache_stat_d(&fscache_n_cop_update_object);
46908 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
46909 spin_lock(&object->lock);
46910 object->state = FSCACHE_OBJECT_DEAD;
46911 spin_unlock(&object->lock);
46912 - fscache_stat(&fscache_n_object_dead);
46913 + fscache_stat_unchecked(&fscache_n_object_dead);
46914 goto terminal_transit;
46915
46916 /* handle the parent cache of this object being withdrawn from
46917 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
46918 spin_lock(&object->lock);
46919 object->state = FSCACHE_OBJECT_DEAD;
46920 spin_unlock(&object->lock);
46921 - fscache_stat(&fscache_n_object_dead);
46922 + fscache_stat_unchecked(&fscache_n_object_dead);
46923 goto terminal_transit;
46924
46925 /* complain about the object being woken up once it is
46926 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
46927 parent->cookie->def->name, cookie->def->name,
46928 object->cache->tag->name);
46929
46930 - fscache_stat(&fscache_n_object_lookups);
46931 + fscache_stat_unchecked(&fscache_n_object_lookups);
46932 fscache_stat(&fscache_n_cop_lookup_object);
46933 ret = object->cache->ops->lookup_object(object);
46934 fscache_stat_d(&fscache_n_cop_lookup_object);
46935 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
46936 if (ret == -ETIMEDOUT) {
46937 /* probably stuck behind another object, so move this one to
46938 * the back of the queue */
46939 - fscache_stat(&fscache_n_object_lookups_timed_out);
46940 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
46941 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46942 }
46943
46944 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
46945
46946 spin_lock(&object->lock);
46947 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46948 - fscache_stat(&fscache_n_object_lookups_negative);
46949 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
46950
46951 /* transit here to allow write requests to begin stacking up
46952 * and read requests to begin returning ENODATA */
46953 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
46954 * result, in which case there may be data available */
46955 spin_lock(&object->lock);
46956 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
46957 - fscache_stat(&fscache_n_object_lookups_positive);
46958 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
46959
46960 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
46961
46962 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
46963 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
46964 } else {
46965 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
46966 - fscache_stat(&fscache_n_object_created);
46967 + fscache_stat_unchecked(&fscache_n_object_created);
46968
46969 object->state = FSCACHE_OBJECT_AVAILABLE;
46970 spin_unlock(&object->lock);
46971 @@ -602,7 +602,7 @@ static void fscache_object_available(str
46972 fscache_enqueue_dependents(object);
46973
46974 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
46975 - fscache_stat(&fscache_n_object_avail);
46976 + fscache_stat_unchecked(&fscache_n_object_avail);
46977
46978 _leave("");
46979 }
46980 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
46981 enum fscache_checkaux result;
46982
46983 if (!object->cookie->def->check_aux) {
46984 - fscache_stat(&fscache_n_checkaux_none);
46985 + fscache_stat_unchecked(&fscache_n_checkaux_none);
46986 return FSCACHE_CHECKAUX_OKAY;
46987 }
46988
46989 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
46990 switch (result) {
46991 /* entry okay as is */
46992 case FSCACHE_CHECKAUX_OKAY:
46993 - fscache_stat(&fscache_n_checkaux_okay);
46994 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
46995 break;
46996
46997 /* entry requires update */
46998 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
46999 - fscache_stat(&fscache_n_checkaux_update);
47000 + fscache_stat_unchecked(&fscache_n_checkaux_update);
47001 break;
47002
47003 /* entry requires deletion */
47004 case FSCACHE_CHECKAUX_OBSOLETE:
47005 - fscache_stat(&fscache_n_checkaux_obsolete);
47006 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
47007 break;
47008
47009 default:
47010 diff -urNp linux-2.6.39.3/fs/fscache/operation.c linux-2.6.39.3/fs/fscache/operation.c
47011 --- linux-2.6.39.3/fs/fscache/operation.c 2011-05-19 00:06:34.000000000 -0400
47012 +++ linux-2.6.39.3/fs/fscache/operation.c 2011-05-22 19:36:32.000000000 -0400
47013 @@ -17,7 +17,7 @@
47014 #include <linux/slab.h>
47015 #include "internal.h"
47016
47017 -atomic_t fscache_op_debug_id;
47018 +atomic_unchecked_t fscache_op_debug_id;
47019 EXPORT_SYMBOL(fscache_op_debug_id);
47020
47021 /**
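Review bot: `fscache_op_debug_id` is exported on the next line, so changing its type to `atomic_unchecked_t` changes the interface for every user of the symbol, not only this file. The matching `extern` declaration and the call sites that advance the id are not in this hunk; they need the same type and the `_unchecked` accessors, otherwise the build mixes the two atomic types on one object. A short comment on the definition, e.g. `/* debug ids are labels, not reference counts; wrapping is harmless */`, would also record why the unchecked type is appropriate, if that is indeed the reasoning.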
47022 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
47023 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
47024 ASSERTCMP(atomic_read(&op->usage), >, 0);
47025
47026 - fscache_stat(&fscache_n_op_enqueue);
47027 + fscache_stat_unchecked(&fscache_n_op_enqueue);
47028 switch (op->flags & FSCACHE_OP_TYPE) {
47029 case FSCACHE_OP_ASYNC:
47030 _debug("queue async");
47031 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
47032 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
47033 if (op->processor)
47034 fscache_enqueue_operation(op);
47035 - fscache_stat(&fscache_n_op_run);
47036 + fscache_stat_unchecked(&fscache_n_op_run);
47037 }
47038
47039 /*
47040 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
47041 if (object->n_ops > 1) {
47042 atomic_inc(&op->usage);
47043 list_add_tail(&op->pend_link, &object->pending_ops);
47044 - fscache_stat(&fscache_n_op_pend);
47045 + fscache_stat_unchecked(&fscache_n_op_pend);
47046 } else if (!list_empty(&object->pending_ops)) {
47047 atomic_inc(&op->usage);
47048 list_add_tail(&op->pend_link, &object->pending_ops);
47049 - fscache_stat(&fscache_n_op_pend);
47050 + fscache_stat_unchecked(&fscache_n_op_pend);
47051 fscache_start_operations(object);
47052 } else {
47053 ASSERTCMP(object->n_in_progress, ==, 0);
47054 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
47055 object->n_exclusive++; /* reads and writes must wait */
47056 atomic_inc(&op->usage);
47057 list_add_tail(&op->pend_link, &object->pending_ops);
47058 - fscache_stat(&fscache_n_op_pend);
47059 + fscache_stat_unchecked(&fscache_n_op_pend);
47060 ret = 0;
47061 } else {
47062 /* not allowed to submit ops in any other state */
47063 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
47064 if (object->n_exclusive > 0) {
47065 atomic_inc(&op->usage);
47066 list_add_tail(&op->pend_link, &object->pending_ops);
47067 - fscache_stat(&fscache_n_op_pend);
47068 + fscache_stat_unchecked(&fscache_n_op_pend);
47069 } else if (!list_empty(&object->pending_ops)) {
47070 atomic_inc(&op->usage);
47071 list_add_tail(&op->pend_link, &object->pending_ops);
47072 - fscache_stat(&fscache_n_op_pend);
47073 + fscache_stat_unchecked(&fscache_n_op_pend);
47074 fscache_start_operations(object);
47075 } else {
47076 ASSERTCMP(object->n_exclusive, ==, 0);
47077 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
47078 object->n_ops++;
47079 atomic_inc(&op->usage);
47080 list_add_tail(&op->pend_link, &object->pending_ops);
47081 - fscache_stat(&fscache_n_op_pend);
47082 + fscache_stat_unchecked(&fscache_n_op_pend);
47083 ret = 0;
47084 } else if (object->state == FSCACHE_OBJECT_DYING ||
47085 object->state == FSCACHE_OBJECT_LC_DYING ||
47086 object->state == FSCACHE_OBJECT_WITHDRAWING) {
47087 - fscache_stat(&fscache_n_op_rejected);
47088 + fscache_stat_unchecked(&fscache_n_op_rejected);
47089 ret = -ENOBUFS;
47090 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
47091 fscache_report_unexpected_submission(object, op, ostate);
47092 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
47093
47094 ret = -EBUSY;
47095 if (!list_empty(&op->pend_link)) {
47096 - fscache_stat(&fscache_n_op_cancelled);
47097 + fscache_stat_unchecked(&fscache_n_op_cancelled);
47098 list_del_init(&op->pend_link);
47099 object->n_ops--;
47100 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
47101 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
47102 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
47103 BUG();
47104
47105 - fscache_stat(&fscache_n_op_release);
47106 + fscache_stat_unchecked(&fscache_n_op_release);
47107
47108 if (op->release) {
47109 op->release(op);
47110 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
47111 * lock, and defer it otherwise */
47112 if (!spin_trylock(&object->lock)) {
47113 _debug("defer put");
47114 - fscache_stat(&fscache_n_op_deferred_release);
47115 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
47116
47117 cache = object->cache;
47118 spin_lock(&cache->op_gc_list_lock);
47119 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
47120
47121 _debug("GC DEFERRED REL OBJ%x OP%x",
47122 object->debug_id, op->debug_id);
47123 - fscache_stat(&fscache_n_op_gc);
47124 + fscache_stat_unchecked(&fscache_n_op_gc);
47125
47126 ASSERTCMP(atomic_read(&op->usage), ==, 0);
47127
47128 diff -urNp linux-2.6.39.3/fs/fscache/page.c linux-2.6.39.3/fs/fscache/page.c
47129 --- linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:18:51.000000000 -0400
47130 +++ linux-2.6.39.3/fs/fscache/page.c 2011-07-09 09:19:18.000000000 -0400
47131 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
47132 val = radix_tree_lookup(&cookie->stores, page->index);
47133 if (!val) {
47134 rcu_read_unlock();
47135 - fscache_stat(&fscache_n_store_vmscan_not_storing);
47136 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
47137 __fscache_uncache_page(cookie, page);
47138 return true;
47139 }
47140 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
47141 spin_unlock(&cookie->stores_lock);
47142
47143 if (xpage) {
47144 - fscache_stat(&fscache_n_store_vmscan_cancelled);
47145 - fscache_stat(&fscache_n_store_radix_deletes);
47146 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
47147 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47148 ASSERTCMP(xpage, ==, page);
47149 } else {
47150 - fscache_stat(&fscache_n_store_vmscan_gone);
47151 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
47152 }
47153
47154 wake_up_bit(&cookie->flags, 0);
47155 @@ -107,7 +107,7 @@ page_busy:
47156 /* we might want to wait here, but that could deadlock the allocator as
47157 * the work threads writing to the cache may all end up sleeping
47158 * on memory allocation */
47159 - fscache_stat(&fscache_n_store_vmscan_busy);
47160 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
47161 return false;
47162 }
47163 EXPORT_SYMBOL(__fscache_maybe_release_page);
47164 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
47165 FSCACHE_COOKIE_STORING_TAG);
47166 if (!radix_tree_tag_get(&cookie->stores, page->index,
47167 FSCACHE_COOKIE_PENDING_TAG)) {
47168 - fscache_stat(&fscache_n_store_radix_deletes);
47169 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47170 xpage = radix_tree_delete(&cookie->stores, page->index);
47171 }
47172 spin_unlock(&cookie->stores_lock);
47173 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
47174
47175 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
47176
47177 - fscache_stat(&fscache_n_attr_changed_calls);
47178 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
47179
47180 if (fscache_object_is_active(object)) {
47181 fscache_set_op_state(op, "CallFS");
47182 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
47183
47184 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47185
47186 - fscache_stat(&fscache_n_attr_changed);
47187 + fscache_stat_unchecked(&fscache_n_attr_changed);
47188
47189 op = kzalloc(sizeof(*op), GFP_KERNEL);
47190 if (!op) {
47191 - fscache_stat(&fscache_n_attr_changed_nomem);
47192 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
47193 _leave(" = -ENOMEM");
47194 return -ENOMEM;
47195 }
47196 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47197 if (fscache_submit_exclusive_op(object, op) < 0)
47198 goto nobufs;
47199 spin_unlock(&cookie->lock);
47200 - fscache_stat(&fscache_n_attr_changed_ok);
47201 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47202 fscache_put_operation(op);
47203 _leave(" = 0");
47204 return 0;
47205 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47206 nobufs:
47207 spin_unlock(&cookie->lock);
47208 kfree(op);
47209 - fscache_stat(&fscache_n_attr_changed_nobufs);
47210 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47211 _leave(" = %d", -ENOBUFS);
47212 return -ENOBUFS;
47213 }
47214 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
47215 /* allocate a retrieval operation and attempt to submit it */
47216 op = kzalloc(sizeof(*op), GFP_NOIO);
47217 if (!op) {
47218 - fscache_stat(&fscache_n_retrievals_nomem);
47219 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47220 return NULL;
47221 }
47222
47223 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
47224 return 0;
47225 }
47226
47227 - fscache_stat(&fscache_n_retrievals_wait);
47228 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
47229
47230 jif = jiffies;
47231 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47232 fscache_wait_bit_interruptible,
47233 TASK_INTERRUPTIBLE) != 0) {
47234 - fscache_stat(&fscache_n_retrievals_intr);
47235 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47236 _leave(" = -ERESTARTSYS");
47237 return -ERESTARTSYS;
47238 }
47239 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
47240 */
47241 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47242 struct fscache_retrieval *op,
47243 - atomic_t *stat_op_waits,
47244 - atomic_t *stat_object_dead)
47245 + atomic_unchecked_t *stat_op_waits,
47246 + atomic_unchecked_t *stat_object_dead)
47247 {
47248 int ret;
47249
47250 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
47251 goto check_if_dead;
47252
47253 _debug(">>> WT");
47254 - fscache_stat(stat_op_waits);
47255 + fscache_stat_unchecked(stat_op_waits);
47256 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47257 fscache_wait_bit_interruptible,
47258 TASK_INTERRUPTIBLE) < 0) {
47259 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
47260
47261 check_if_dead:
47262 if (unlikely(fscache_object_is_dead(object))) {
47263 - fscache_stat(stat_object_dead);
47264 + fscache_stat_unchecked(stat_object_dead);
47265 return -ENOBUFS;
47266 }
47267 return 0;
47268 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
47269
47270 _enter("%p,%p,,,", cookie, page);
47271
47272 - fscache_stat(&fscache_n_retrievals);
47273 + fscache_stat_unchecked(&fscache_n_retrievals);
47274
47275 if (hlist_empty(&cookie->backing_objects))
47276 goto nobufs;
47277 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
47278 goto nobufs_unlock;
47279 spin_unlock(&cookie->lock);
47280
47281 - fscache_stat(&fscache_n_retrieval_ops);
47282 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47283
47284 /* pin the netfs read context in case we need to do the actual netfs
47285 * read because we've encountered a cache read failure */
47286 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
47287
47288 error:
47289 if (ret == -ENOMEM)
47290 - fscache_stat(&fscache_n_retrievals_nomem);
47291 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47292 else if (ret == -ERESTARTSYS)
47293 - fscache_stat(&fscache_n_retrievals_intr);
47294 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47295 else if (ret == -ENODATA)
47296 - fscache_stat(&fscache_n_retrievals_nodata);
47297 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47298 else if (ret < 0)
47299 - fscache_stat(&fscache_n_retrievals_nobufs);
47300 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47301 else
47302 - fscache_stat(&fscache_n_retrievals_ok);
47303 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47304
47305 fscache_put_retrieval(op);
47306 _leave(" = %d", ret);
47307 @@ -434,7 +434,7 @@ nobufs_unlock:
47308 spin_unlock(&cookie->lock);
47309 kfree(op);
47310 nobufs:
47311 - fscache_stat(&fscache_n_retrievals_nobufs);
47312 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47313 _leave(" = -ENOBUFS");
47314 return -ENOBUFS;
47315 }
47316 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
47317
47318 _enter("%p,,%d,,,", cookie, *nr_pages);
47319
47320 - fscache_stat(&fscache_n_retrievals);
47321 + fscache_stat_unchecked(&fscache_n_retrievals);
47322
47323 if (hlist_empty(&cookie->backing_objects))
47324 goto nobufs;
47325 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
47326 goto nobufs_unlock;
47327 spin_unlock(&cookie->lock);
47328
47329 - fscache_stat(&fscache_n_retrieval_ops);
47330 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47331
47332 /* pin the netfs read context in case we need to do the actual netfs
47333 * read because we've encountered a cache read failure */
47334 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
47335
47336 error:
47337 if (ret == -ENOMEM)
47338 - fscache_stat(&fscache_n_retrievals_nomem);
47339 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47340 else if (ret == -ERESTARTSYS)
47341 - fscache_stat(&fscache_n_retrievals_intr);
47342 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47343 else if (ret == -ENODATA)
47344 - fscache_stat(&fscache_n_retrievals_nodata);
47345 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47346 else if (ret < 0)
47347 - fscache_stat(&fscache_n_retrievals_nobufs);
47348 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47349 else
47350 - fscache_stat(&fscache_n_retrievals_ok);
47351 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47352
47353 fscache_put_retrieval(op);
47354 _leave(" = %d", ret);
47355 @@ -551,7 +551,7 @@ nobufs_unlock:
47356 spin_unlock(&cookie->lock);
47357 kfree(op);
47358 nobufs:
47359 - fscache_stat(&fscache_n_retrievals_nobufs);
47360 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47361 _leave(" = -ENOBUFS");
47362 return -ENOBUFS;
47363 }
47364 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
47365
47366 _enter("%p,%p,,,", cookie, page);
47367
47368 - fscache_stat(&fscache_n_allocs);
47369 + fscache_stat_unchecked(&fscache_n_allocs);
47370
47371 if (hlist_empty(&cookie->backing_objects))
47372 goto nobufs;
47373 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
47374 goto nobufs_unlock;
47375 spin_unlock(&cookie->lock);
47376
47377 - fscache_stat(&fscache_n_alloc_ops);
47378 + fscache_stat_unchecked(&fscache_n_alloc_ops);
47379
47380 ret = fscache_wait_for_retrieval_activation(
47381 object, op,
47382 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
47383
47384 error:
47385 if (ret == -ERESTARTSYS)
47386 - fscache_stat(&fscache_n_allocs_intr);
47387 + fscache_stat_unchecked(&fscache_n_allocs_intr);
47388 else if (ret < 0)
47389 - fscache_stat(&fscache_n_allocs_nobufs);
47390 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47391 else
47392 - fscache_stat(&fscache_n_allocs_ok);
47393 + fscache_stat_unchecked(&fscache_n_allocs_ok);
47394
47395 fscache_put_retrieval(op);
47396 _leave(" = %d", ret);
47397 @@ -632,7 +632,7 @@ nobufs_unlock:
47398 spin_unlock(&cookie->lock);
47399 kfree(op);
47400 nobufs:
47401 - fscache_stat(&fscache_n_allocs_nobufs);
47402 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47403 _leave(" = -ENOBUFS");
47404 return -ENOBUFS;
47405 }
47406 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
47407
47408 spin_lock(&cookie->stores_lock);
47409
47410 - fscache_stat(&fscache_n_store_calls);
47411 + fscache_stat_unchecked(&fscache_n_store_calls);
47412
47413 /* find a page to store */
47414 page = NULL;
47415 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
47416 page = results[0];
47417 _debug("gang %d [%lx]", n, page->index);
47418 if (page->index > op->store_limit) {
47419 - fscache_stat(&fscache_n_store_pages_over_limit);
47420 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47421 goto superseded;
47422 }
47423
47424 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
47425 spin_unlock(&object->lock);
47426
47427 fscache_set_op_state(&op->op, "Store");
47428 - fscache_stat(&fscache_n_store_pages);
47429 + fscache_stat_unchecked(&fscache_n_store_pages);
47430 fscache_stat(&fscache_n_cop_write_page);
47431 ret = object->cache->ops->write_page(op, page);
47432 fscache_stat_d(&fscache_n_cop_write_page);
47433 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
47434 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47435 ASSERT(PageFsCache(page));
47436
47437 - fscache_stat(&fscache_n_stores);
47438 + fscache_stat_unchecked(&fscache_n_stores);
47439
47440 op = kzalloc(sizeof(*op), GFP_NOIO);
47441 if (!op)
47442 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
47443 spin_unlock(&cookie->stores_lock);
47444 spin_unlock(&object->lock);
47445
47446 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47447 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47448 op->store_limit = object->store_limit;
47449
47450 if (fscache_submit_op(object, &op->op) < 0)
47451 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
47452
47453 spin_unlock(&cookie->lock);
47454 radix_tree_preload_end();
47455 - fscache_stat(&fscache_n_store_ops);
47456 - fscache_stat(&fscache_n_stores_ok);
47457 + fscache_stat_unchecked(&fscache_n_store_ops);
47458 + fscache_stat_unchecked(&fscache_n_stores_ok);
47459
47460 /* the work queue now carries its own ref on the object */
47461 fscache_put_operation(&op->op);
47462 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
47463 return 0;
47464
47465 already_queued:
47466 - fscache_stat(&fscache_n_stores_again);
47467 + fscache_stat_unchecked(&fscache_n_stores_again);
47468 already_pending:
47469 spin_unlock(&cookie->stores_lock);
47470 spin_unlock(&object->lock);
47471 spin_unlock(&cookie->lock);
47472 radix_tree_preload_end();
47473 kfree(op);
47474 - fscache_stat(&fscache_n_stores_ok);
47475 + fscache_stat_unchecked(&fscache_n_stores_ok);
47476 _leave(" = 0");
47477 return 0;
47478
47479 @@ -864,14 +864,14 @@ nobufs:
47480 spin_unlock(&cookie->lock);
47481 radix_tree_preload_end();
47482 kfree(op);
47483 - fscache_stat(&fscache_n_stores_nobufs);
47484 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47485 _leave(" = -ENOBUFS");
47486 return -ENOBUFS;
47487
47488 nomem_free:
47489 kfree(op);
47490 nomem:
47491 - fscache_stat(&fscache_n_stores_oom);
47492 + fscache_stat_unchecked(&fscache_n_stores_oom);
47493 _leave(" = -ENOMEM");
47494 return -ENOMEM;
47495 }
47496 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
47497 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47498 ASSERTCMP(page, !=, NULL);
47499
47500 - fscache_stat(&fscache_n_uncaches);
47501 + fscache_stat_unchecked(&fscache_n_uncaches);
47502
47503 /* cache withdrawal may beat us to it */
47504 if (!PageFsCache(page))
47505 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
47506 unsigned long loop;
47507
47508 #ifdef CONFIG_FSCACHE_STATS
47509 - atomic_add(pagevec->nr, &fscache_n_marks);
47510 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47511 #endif
47512
47513 for (loop = 0; loop < pagevec->nr; loop++) {
47514 diff -urNp linux-2.6.39.3/fs/fscache/stats.c linux-2.6.39.3/fs/fscache/stats.c
47515 --- linux-2.6.39.3/fs/fscache/stats.c 2011-05-19 00:06:34.000000000 -0400
47516 +++ linux-2.6.39.3/fs/fscache/stats.c 2011-05-22 19:36:32.000000000 -0400
47517 @@ -18,95 +18,95 @@
47518 /*
47519 * operation counters
47520 */
47521 -atomic_t fscache_n_op_pend;
47522 -atomic_t fscache_n_op_run;
47523 -atomic_t fscache_n_op_enqueue;
47524 -atomic_t fscache_n_op_requeue;
47525 -atomic_t fscache_n_op_deferred_release;
47526 -atomic_t fscache_n_op_release;
47527 -atomic_t fscache_n_op_gc;
47528 -atomic_t fscache_n_op_cancelled;
47529 -atomic_t fscache_n_op_rejected;
47530 -
47531 -atomic_t fscache_n_attr_changed;
47532 -atomic_t fscache_n_attr_changed_ok;
47533 -atomic_t fscache_n_attr_changed_nobufs;
47534 -atomic_t fscache_n_attr_changed_nomem;
47535 -atomic_t fscache_n_attr_changed_calls;
47536 -
47537 -atomic_t fscache_n_allocs;
47538 -atomic_t fscache_n_allocs_ok;
47539 -atomic_t fscache_n_allocs_wait;
47540 -atomic_t fscache_n_allocs_nobufs;
47541 -atomic_t fscache_n_allocs_intr;
47542 -atomic_t fscache_n_allocs_object_dead;
47543 -atomic_t fscache_n_alloc_ops;
47544 -atomic_t fscache_n_alloc_op_waits;
47545 -
47546 -atomic_t fscache_n_retrievals;
47547 -atomic_t fscache_n_retrievals_ok;
47548 -atomic_t fscache_n_retrievals_wait;
47549 -atomic_t fscache_n_retrievals_nodata;
47550 -atomic_t fscache_n_retrievals_nobufs;
47551 -atomic_t fscache_n_retrievals_intr;
47552 -atomic_t fscache_n_retrievals_nomem;
47553 -atomic_t fscache_n_retrievals_object_dead;
47554 -atomic_t fscache_n_retrieval_ops;
47555 -atomic_t fscache_n_retrieval_op_waits;
47556 -
47557 -atomic_t fscache_n_stores;
47558 -atomic_t fscache_n_stores_ok;
47559 -atomic_t fscache_n_stores_again;
47560 -atomic_t fscache_n_stores_nobufs;
47561 -atomic_t fscache_n_stores_oom;
47562 -atomic_t fscache_n_store_ops;
47563 -atomic_t fscache_n_store_calls;
47564 -atomic_t fscache_n_store_pages;
47565 -atomic_t fscache_n_store_radix_deletes;
47566 -atomic_t fscache_n_store_pages_over_limit;
47567 -
47568 -atomic_t fscache_n_store_vmscan_not_storing;
47569 -atomic_t fscache_n_store_vmscan_gone;
47570 -atomic_t fscache_n_store_vmscan_busy;
47571 -atomic_t fscache_n_store_vmscan_cancelled;
47572 -
47573 -atomic_t fscache_n_marks;
47574 -atomic_t fscache_n_uncaches;
47575 -
47576 -atomic_t fscache_n_acquires;
47577 -atomic_t fscache_n_acquires_null;
47578 -atomic_t fscache_n_acquires_no_cache;
47579 -atomic_t fscache_n_acquires_ok;
47580 -atomic_t fscache_n_acquires_nobufs;
47581 -atomic_t fscache_n_acquires_oom;
47582 -
47583 -atomic_t fscache_n_updates;
47584 -atomic_t fscache_n_updates_null;
47585 -atomic_t fscache_n_updates_run;
47586 -
47587 -atomic_t fscache_n_relinquishes;
47588 -atomic_t fscache_n_relinquishes_null;
47589 -atomic_t fscache_n_relinquishes_waitcrt;
47590 -atomic_t fscache_n_relinquishes_retire;
47591 -
47592 -atomic_t fscache_n_cookie_index;
47593 -atomic_t fscache_n_cookie_data;
47594 -atomic_t fscache_n_cookie_special;
47595 -
47596 -atomic_t fscache_n_object_alloc;
47597 -atomic_t fscache_n_object_no_alloc;
47598 -atomic_t fscache_n_object_lookups;
47599 -atomic_t fscache_n_object_lookups_negative;
47600 -atomic_t fscache_n_object_lookups_positive;
47601 -atomic_t fscache_n_object_lookups_timed_out;
47602 -atomic_t fscache_n_object_created;
47603 -atomic_t fscache_n_object_avail;
47604 -atomic_t fscache_n_object_dead;
47605 -
47606 -atomic_t fscache_n_checkaux_none;
47607 -atomic_t fscache_n_checkaux_okay;
47608 -atomic_t fscache_n_checkaux_update;
47609 -atomic_t fscache_n_checkaux_obsolete;
47610 +atomic_unchecked_t fscache_n_op_pend;
47611 +atomic_unchecked_t fscache_n_op_run;
47612 +atomic_unchecked_t fscache_n_op_enqueue;
47613 +atomic_unchecked_t fscache_n_op_requeue;
47614 +atomic_unchecked_t fscache_n_op_deferred_release;
47615 +atomic_unchecked_t fscache_n_op_release;
47616 +atomic_unchecked_t fscache_n_op_gc;
47617 +atomic_unchecked_t fscache_n_op_cancelled;
47618 +atomic_unchecked_t fscache_n_op_rejected;
47619 +
47620 +atomic_unchecked_t fscache_n_attr_changed;
47621 +atomic_unchecked_t fscache_n_attr_changed_ok;
47622 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47623 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47624 +atomic_unchecked_t fscache_n_attr_changed_calls;
47625 +
47626 +atomic_unchecked_t fscache_n_allocs;
47627 +atomic_unchecked_t fscache_n_allocs_ok;
47628 +atomic_unchecked_t fscache_n_allocs_wait;
47629 +atomic_unchecked_t fscache_n_allocs_nobufs;
47630 +atomic_unchecked_t fscache_n_allocs_intr;
47631 +atomic_unchecked_t fscache_n_allocs_object_dead;
47632 +atomic_unchecked_t fscache_n_alloc_ops;
47633 +atomic_unchecked_t fscache_n_alloc_op_waits;
47634 +
47635 +atomic_unchecked_t fscache_n_retrievals;
47636 +atomic_unchecked_t fscache_n_retrievals_ok;
47637 +atomic_unchecked_t fscache_n_retrievals_wait;
47638 +atomic_unchecked_t fscache_n_retrievals_nodata;
47639 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47640 +atomic_unchecked_t fscache_n_retrievals_intr;
47641 +atomic_unchecked_t fscache_n_retrievals_nomem;
47642 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47643 +atomic_unchecked_t fscache_n_retrieval_ops;
47644 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47645 +
47646 +atomic_unchecked_t fscache_n_stores;
47647 +atomic_unchecked_t fscache_n_stores_ok;
47648 +atomic_unchecked_t fscache_n_stores_again;
47649 +atomic_unchecked_t fscache_n_stores_nobufs;
47650 +atomic_unchecked_t fscache_n_stores_oom;
47651 +atomic_unchecked_t fscache_n_store_ops;
47652 +atomic_unchecked_t fscache_n_store_calls;
47653 +atomic_unchecked_t fscache_n_store_pages;
47654 +atomic_unchecked_t fscache_n_store_radix_deletes;
47655 +atomic_unchecked_t fscache_n_store_pages_over_limit;
47656 +
47657 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47658 +atomic_unchecked_t fscache_n_store_vmscan_gone;
47659 +atomic_unchecked_t fscache_n_store_vmscan_busy;
47660 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47661 +
47662 +atomic_unchecked_t fscache_n_marks;
47663 +atomic_unchecked_t fscache_n_uncaches;
47664 +
47665 +atomic_unchecked_t fscache_n_acquires;
47666 +atomic_unchecked_t fscache_n_acquires_null;
47667 +atomic_unchecked_t fscache_n_acquires_no_cache;
47668 +atomic_unchecked_t fscache_n_acquires_ok;
47669 +atomic_unchecked_t fscache_n_acquires_nobufs;
47670 +atomic_unchecked_t fscache_n_acquires_oom;
47671 +
47672 +atomic_unchecked_t fscache_n_updates;
47673 +atomic_unchecked_t fscache_n_updates_null;
47674 +atomic_unchecked_t fscache_n_updates_run;
47675 +
47676 +atomic_unchecked_t fscache_n_relinquishes;
47677 +atomic_unchecked_t fscache_n_relinquishes_null;
47678 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47679 +atomic_unchecked_t fscache_n_relinquishes_retire;
47680 +
47681 +atomic_unchecked_t fscache_n_cookie_index;
47682 +atomic_unchecked_t fscache_n_cookie_data;
47683 +atomic_unchecked_t fscache_n_cookie_special;
47684 +
47685 +atomic_unchecked_t fscache_n_object_alloc;
47686 +atomic_unchecked_t fscache_n_object_no_alloc;
47687 +atomic_unchecked_t fscache_n_object_lookups;
47688 +atomic_unchecked_t fscache_n_object_lookups_negative;
47689 +atomic_unchecked_t fscache_n_object_lookups_positive;
47690 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
47691 +atomic_unchecked_t fscache_n_object_created;
47692 +atomic_unchecked_t fscache_n_object_avail;
47693 +atomic_unchecked_t fscache_n_object_dead;
47694 +
47695 +atomic_unchecked_t fscache_n_checkaux_none;
47696 +atomic_unchecked_t fscache_n_checkaux_okay;
47697 +atomic_unchecked_t fscache_n_checkaux_update;
47698 +atomic_unchecked_t fscache_n_checkaux_obsolete;
47699
47700 atomic_t fscache_n_cop_alloc_object;
47701 atomic_t fscache_n_cop_lookup_object;
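Review bot: The converted declarations carry no comment saying why these counters become `atomic_unchecked_t` while the `fscache_n_cop_*` counters in the trailing context stay `atomic_t`. The call sites in this patch suggest the split is deliberate: the converted counters are only incremented as statistics, whereas `fscache_n_cop_write_page` is passed to `fscache_stat()` and then to `fscache_stat_d()` around the `write_page` call in the fscache_write_op hunk of fs/fscache/page.c. I would extend the existing `operation counters` comment with something like `/* statistics only, wrap-around is harmless: exempt from atomic overflow checking; the n_cop_* in/out gauges below stay checked */`, so that a counter added later does not get the wrong type.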
47702 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
47703 seq_puts(m, "FS-Cache statistics\n");
47704
47705 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
47706 - atomic_read(&fscache_n_cookie_index),
47707 - atomic_read(&fscache_n_cookie_data),
47708 - atomic_read(&fscache_n_cookie_special));
47709 + atomic_read_unchecked(&fscache_n_cookie_index),
47710 + atomic_read_unchecked(&fscache_n_cookie_data),
47711 + atomic_read_unchecked(&fscache_n_cookie_special));
47712
47713 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
47714 - atomic_read(&fscache_n_object_alloc),
47715 - atomic_read(&fscache_n_object_no_alloc),
47716 - atomic_read(&fscache_n_object_avail),
47717 - atomic_read(&fscache_n_object_dead));
47718 + atomic_read_unchecked(&fscache_n_object_alloc),
47719 + atomic_read_unchecked(&fscache_n_object_no_alloc),
47720 + atomic_read_unchecked(&fscache_n_object_avail),
47721 + atomic_read_unchecked(&fscache_n_object_dead));
47722 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
47723 - atomic_read(&fscache_n_checkaux_none),
47724 - atomic_read(&fscache_n_checkaux_okay),
47725 - atomic_read(&fscache_n_checkaux_update),
47726 - atomic_read(&fscache_n_checkaux_obsolete));
47727 + atomic_read_unchecked(&fscache_n_checkaux_none),
47728 + atomic_read_unchecked(&fscache_n_checkaux_okay),
47729 + atomic_read_unchecked(&fscache_n_checkaux_update),
47730 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
47731
47732 seq_printf(m, "Pages : mrk=%u unc=%u\n",
47733 - atomic_read(&fscache_n_marks),
47734 - atomic_read(&fscache_n_uncaches));
47735 + atomic_read_unchecked(&fscache_n_marks),
47736 + atomic_read_unchecked(&fscache_n_uncaches));
47737
47738 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
47739 " oom=%u\n",
47740 - atomic_read(&fscache_n_acquires),
47741 - atomic_read(&fscache_n_acquires_null),
47742 - atomic_read(&fscache_n_acquires_no_cache),
47743 - atomic_read(&fscache_n_acquires_ok),
47744 - atomic_read(&fscache_n_acquires_nobufs),
47745 - atomic_read(&fscache_n_acquires_oom));
47746 + atomic_read_unchecked(&fscache_n_acquires),
47747 + atomic_read_unchecked(&fscache_n_acquires_null),
47748 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
47749 + atomic_read_unchecked(&fscache_n_acquires_ok),
47750 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
47751 + atomic_read_unchecked(&fscache_n_acquires_oom));
47752
47753 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
47754 - atomic_read(&fscache_n_object_lookups),
47755 - atomic_read(&fscache_n_object_lookups_negative),
47756 - atomic_read(&fscache_n_object_lookups_positive),
47757 - atomic_read(&fscache_n_object_created),
47758 - atomic_read(&fscache_n_object_lookups_timed_out));
47759 + atomic_read_unchecked(&fscache_n_object_lookups),
47760 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
47761 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
47762 + atomic_read_unchecked(&fscache_n_object_created),
47763 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
47764
47765 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
47766 - atomic_read(&fscache_n_updates),
47767 - atomic_read(&fscache_n_updates_null),
47768 - atomic_read(&fscache_n_updates_run));
47769 + atomic_read_unchecked(&fscache_n_updates),
47770 + atomic_read_unchecked(&fscache_n_updates_null),
47771 + atomic_read_unchecked(&fscache_n_updates_run));
47772
47773 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
47774 - atomic_read(&fscache_n_relinquishes),
47775 - atomic_read(&fscache_n_relinquishes_null),
47776 - atomic_read(&fscache_n_relinquishes_waitcrt),
47777 - atomic_read(&fscache_n_relinquishes_retire));
47778 + atomic_read_unchecked(&fscache_n_relinquishes),
47779 + atomic_read_unchecked(&fscache_n_relinquishes_null),
47780 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
47781 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
47782
47783 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
47784 - atomic_read(&fscache_n_attr_changed),
47785 - atomic_read(&fscache_n_attr_changed_ok),
47786 - atomic_read(&fscache_n_attr_changed_nobufs),
47787 - atomic_read(&fscache_n_attr_changed_nomem),
47788 - atomic_read(&fscache_n_attr_changed_calls));
47789 + atomic_read_unchecked(&fscache_n_attr_changed),
47790 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
47791 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
47792 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
47793 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
47794
47795 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
47796 - atomic_read(&fscache_n_allocs),
47797 - atomic_read(&fscache_n_allocs_ok),
47798 - atomic_read(&fscache_n_allocs_wait),
47799 - atomic_read(&fscache_n_allocs_nobufs),
47800 - atomic_read(&fscache_n_allocs_intr));
47801 + atomic_read_unchecked(&fscache_n_allocs),
47802 + atomic_read_unchecked(&fscache_n_allocs_ok),
47803 + atomic_read_unchecked(&fscache_n_allocs_wait),
47804 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
47805 + atomic_read_unchecked(&fscache_n_allocs_intr));
47806 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
47807 - atomic_read(&fscache_n_alloc_ops),
47808 - atomic_read(&fscache_n_alloc_op_waits),
47809 - atomic_read(&fscache_n_allocs_object_dead));
47810 + atomic_read_unchecked(&fscache_n_alloc_ops),
47811 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
47812 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
47813
47814 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
47815 " int=%u oom=%u\n",
47816 - atomic_read(&fscache_n_retrievals),
47817 - atomic_read(&fscache_n_retrievals_ok),
47818 - atomic_read(&fscache_n_retrievals_wait),
47819 - atomic_read(&fscache_n_retrievals_nodata),
47820 - atomic_read(&fscache_n_retrievals_nobufs),
47821 - atomic_read(&fscache_n_retrievals_intr),
47822 - atomic_read(&fscache_n_retrievals_nomem));
47823 + atomic_read_unchecked(&fscache_n_retrievals),
47824 + atomic_read_unchecked(&fscache_n_retrievals_ok),
47825 + atomic_read_unchecked(&fscache_n_retrievals_wait),
47826 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
47827 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
47828 + atomic_read_unchecked(&fscache_n_retrievals_intr),
47829 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
47830 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
47831 - atomic_read(&fscache_n_retrieval_ops),
47832 - atomic_read(&fscache_n_retrieval_op_waits),
47833 - atomic_read(&fscache_n_retrievals_object_dead));
47834 + atomic_read_unchecked(&fscache_n_retrieval_ops),
47835 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
47836 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
47837
47838 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
47839 - atomic_read(&fscache_n_stores),
47840 - atomic_read(&fscache_n_stores_ok),
47841 - atomic_read(&fscache_n_stores_again),
47842 - atomic_read(&fscache_n_stores_nobufs),
47843 - atomic_read(&fscache_n_stores_oom));
47844 + atomic_read_unchecked(&fscache_n_stores),
47845 + atomic_read_unchecked(&fscache_n_stores_ok),
47846 + atomic_read_unchecked(&fscache_n_stores_again),
47847 + atomic_read_unchecked(&fscache_n_stores_nobufs),
47848 + atomic_read_unchecked(&fscache_n_stores_oom));
47849 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
47850 - atomic_read(&fscache_n_store_ops),
47851 - atomic_read(&fscache_n_store_calls),
47852 - atomic_read(&fscache_n_store_pages),
47853 - atomic_read(&fscache_n_store_radix_deletes),
47854 - atomic_read(&fscache_n_store_pages_over_limit));
47855 + atomic_read_unchecked(&fscache_n_store_ops),
47856 + atomic_read_unchecked(&fscache_n_store_calls),
47857 + atomic_read_unchecked(&fscache_n_store_pages),
47858 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
47859 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
47860
47861 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
47862 - atomic_read(&fscache_n_store_vmscan_not_storing),
47863 - atomic_read(&fscache_n_store_vmscan_gone),
47864 - atomic_read(&fscache_n_store_vmscan_busy),
47865 - atomic_read(&fscache_n_store_vmscan_cancelled));
47866 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
47867 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
47868 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
47869 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
47870
47871 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
47872 - atomic_read(&fscache_n_op_pend),
47873 - atomic_read(&fscache_n_op_run),
47874 - atomic_read(&fscache_n_op_enqueue),
47875 - atomic_read(&fscache_n_op_cancelled),
47876 - atomic_read(&fscache_n_op_rejected));
47877 + atomic_read_unchecked(&fscache_n_op_pend),
47878 + atomic_read_unchecked(&fscache_n_op_run),
47879 + atomic_read_unchecked(&fscache_n_op_enqueue),
47880 + atomic_read_unchecked(&fscache_n_op_cancelled),
47881 + atomic_read_unchecked(&fscache_n_op_rejected));
47882 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
47883 - atomic_read(&fscache_n_op_deferred_release),
47884 - atomic_read(&fscache_n_op_release),
47885 - atomic_read(&fscache_n_op_gc));
47886 + atomic_read_unchecked(&fscache_n_op_deferred_release),
47887 + atomic_read_unchecked(&fscache_n_op_release),
47888 + atomic_read_unchecked(&fscache_n_op_gc));
47889
47890 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
47891 atomic_read(&fscache_n_cop_alloc_object),
47892 diff -urNp linux-2.6.39.3/fs/fs_struct.c linux-2.6.39.3/fs/fs_struct.c
47893 --- linux-2.6.39.3/fs/fs_struct.c 2011-05-19 00:06:34.000000000 -0400
47894 +++ linux-2.6.39.3/fs/fs_struct.c 2011-05-22 19:41:37.000000000 -0400
47895 @@ -4,6 +4,7 @@
47896 #include <linux/path.h>
47897 #include <linux/slab.h>
47898 #include <linux/fs_struct.h>
47899 +#include <linux/grsecurity.h>
47900 #include "internal.h"
47901
47902 static inline void path_get_longterm(struct path *path)
47903 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
47904 old_root = fs->root;
47905 fs->root = *path;
47906 path_get_longterm(path);
47907 + gr_set_chroot_entries(current, path);
47908 write_seqcount_end(&fs->seq);
47909 spin_unlock(&fs->lock);
47910 if (old_root.dentry)
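Review bot: `gr_set_chroot_entries(current, path)` always updates `current`, but set_fs_root() takes an arbitrary `fs`, and that fs_struct can be shared by several tasks (it carries a `users` count). If the recorded chroot state is per task, as the task argument suggests, any other task sharing `fs` keeps its old entries after the root changes; the chroot_fs_refs hunk below avoids this by passing the task `p` it is walking. The call also runs with `fs->lock` held inside the seqcount write section, so it must not sleep, and its definition is not visible here. At minimum I would add `/* fs must be current->fs; sharers of this fs_struct are not updated here */` above the call. set_fs_root() starts before this hunk and continues past it.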
47911 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
47912 && fs->root.mnt == old_root->mnt) {
47913 path_get_longterm(new_root);
47914 fs->root = *new_root;
47915 + gr_set_chroot_entries(p, new_root);
47916 count++;
47917 }
47918 if (fs->pwd.dentry == old_root->dentry
47919 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
47920 spin_lock(&fs->lock);
47921 write_seqcount_begin(&fs->seq);
47922 tsk->fs = NULL;
47923 - kill = !--fs->users;
47924 + gr_clear_chroot_entries(tsk);
47925 + kill = !atomic_dec_return(&fs->users);
47926 write_seqcount_end(&fs->seq);
47927 spin_unlock(&fs->lock);
47928 task_unlock(tsk);
47929 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
47930 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
47931 /* We don't need to lock fs - think why ;-) */
47932 if (fs) {
47933 - fs->users = 1;
47934 + atomic_set(&fs->users, 1);
47935 fs->in_exec = 0;
47936 spin_lock_init(&fs->lock);
47937 seqcount_init(&fs->seq);
47938 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
47939 spin_lock(&old->lock);
47940 fs->root = old->root;
47941 path_get_longterm(&fs->root);
47942 + /* instead of calling gr_set_chroot_entries here,
47943 + we call it from every caller of this function
47944 + */
47945 fs->pwd = old->pwd;
47946 path_get_longterm(&fs->pwd);
47947 spin_unlock(&old->lock);
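Review bot: The added comment in copy_fs_struct says gr_set_chroot_entries is deliberately not called here and that every caller must call it, but that contract sits inside the body where a new caller will not see it. Only unshare_fs_struct's call is visible in this file's hunks; the other callers are outside it. I would state the requirement in a header comment on the function, e.g. `/* Callers must call gr_set_chroot_entries() for the task that receives the returned fs_struct. */`, so a caller added later does not leave chroot tracking stale. The function starts in the previous hunk and continues past this one.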
47948 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
47949
47950 task_lock(current);
47951 spin_lock(&fs->lock);
47952 - kill = !--fs->users;
47953 + kill = !atomic_dec_return(&fs->users);
47954 current->fs = new_fs;
47955 + gr_set_chroot_entries(current, &new_fs->root);
47956 spin_unlock(&fs->lock);
47957 task_unlock(current);
47958
47959 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
47960
47961 /* to be mentioned only in INIT_TASK */
47962 struct fs_struct init_fs = {
47963 - .users = 1,
47964 + .users = ATOMIC_INIT(1),
47965 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
47966 .seq = SEQCNT_ZERO,
47967 .umask = 0022,
47968 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
47969 task_lock(current);
47970
47971 spin_lock(&init_fs.lock);
47972 - init_fs.users++;
47973 + atomic_inc(&init_fs.users);
47974 spin_unlock(&init_fs.lock);
47975
47976 spin_lock(&fs->lock);
47977 current->fs = &init_fs;
47978 - kill = !--fs->users;
47979 + gr_set_chroot_entries(current, &current->fs->root);
47980 + kill = !atomic_dec_return(&fs->users);
47981 spin_unlock(&fs->lock);
47982
47983 task_unlock(current);
47984 diff -urNp linux-2.6.39.3/fs/fuse/cuse.c linux-2.6.39.3/fs/fuse/cuse.c
47985 --- linux-2.6.39.3/fs/fuse/cuse.c 2011-05-19 00:06:34.000000000 -0400
47986 +++ linux-2.6.39.3/fs/fuse/cuse.c 2011-05-22 19:36:32.000000000 -0400
47987 @@ -538,8 +538,18 @@ static int cuse_channel_release(struct i
47988 return rc;
47989 }
47990
47991 -static struct file_operations cuse_channel_fops; /* initialized during init */
47992 -
47993 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
47994 + .owner = THIS_MODULE,
47995 + .llseek = no_llseek,
47996 + .read = do_sync_read,
47997 + .aio_read = fuse_dev_read,
47998 + .write = do_sync_write,
47999 + .aio_write = fuse_dev_write,
48000 + .poll = fuse_dev_poll,
48001 + .open = cuse_channel_open,
48002 + .release = cuse_channel_release,
48003 + .fasync = fuse_dev_fasync,
48004 +};
48005
48006 /**************************************************************************
48007 * Misc stuff and module initializatiion
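Review bot: The new static initializer for cuse_channel_fops hand-copies members that the code removed from cuse_init took from fuse_dev_operations by struct assignment, so any member not repeated here is silently dropped. fs/fuse/dev.c in this same patch still shows fuse_dev_splice_read and fuse_dev_splice_write as static functions. If fuse_dev_operations sets `.splice_read`/`.splice_write` (its full initializer is not visible here), CUSE channels lose them with this change. The trailing comment `/* initialized during init */` is also stale and would read better as `/* static copy: keep in sync with fuse_dev_operations in dev.c */`.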
48008 @@ -585,12 +595,6 @@ static int __init cuse_init(void)
48009 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
48010 INIT_LIST_HEAD(&cuse_conntbl[i]);
48011
48012 - /* inherit and extend fuse_dev_operations */
48013 - cuse_channel_fops = fuse_dev_operations;
48014 - cuse_channel_fops.owner = THIS_MODULE;
48015 - cuse_channel_fops.open = cuse_channel_open;
48016 - cuse_channel_fops.release = cuse_channel_release;
48017 -
48018 cuse_class = class_create(THIS_MODULE, "cuse");
48019 if (IS_ERR(cuse_class))
48020 return PTR_ERR(cuse_class);
48021 diff -urNp linux-2.6.39.3/fs/fuse/dev.c linux-2.6.39.3/fs/fuse/dev.c
48022 --- linux-2.6.39.3/fs/fuse/dev.c 2011-05-19 00:06:34.000000000 -0400
48023 +++ linux-2.6.39.3/fs/fuse/dev.c 2011-05-22 19:36:32.000000000 -0400
48024 @@ -1181,7 +1181,7 @@ static ssize_t fuse_dev_do_read(struct f
48025 return err;
48026 }
48027
48028 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
48029 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
48030 unsigned long nr_segs, loff_t pos)
48031 {
48032 struct fuse_copy_state cs;
48033 @@ -1195,6 +1195,8 @@ static ssize_t fuse_dev_read(struct kioc
48034 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
48035 }
48036
48037 +EXPORT_SYMBOL_GPL(fuse_dev_read);
48038 +
48039 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
48040 struct pipe_buffer *buf)
48041 {
48042 @@ -1238,7 +1240,7 @@ static ssize_t fuse_dev_splice_read(stru
48043 ret = 0;
48044 pipe_lock(pipe);
48045
48046 - if (!pipe->readers) {
48047 + if (!atomic_read(&pipe->readers)) {
48048 send_sig(SIGPIPE, current, 0);
48049 if (!ret)
48050 ret = -EPIPE;
48051 @@ -1731,7 +1733,7 @@ static ssize_t fuse_dev_do_write(struct
48052 return err;
48053 }
48054
48055 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48056 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48057 unsigned long nr_segs, loff_t pos)
48058 {
48059 struct fuse_copy_state cs;
48060 @@ -1744,6 +1746,8 @@ static ssize_t fuse_dev_write(struct kio
48061 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
48062 }
48063
48064 +EXPORT_SYMBOL_GPL(fuse_dev_write);
48065 +
48066 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
48067 struct file *out, loff_t *ppos,
48068 size_t len, unsigned int flags)
48069 @@ -1822,7 +1826,7 @@ out:
48070 return ret;
48071 }
48072
48073 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48074 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
48075 {
48076 unsigned mask = POLLOUT | POLLWRNORM;
48077 struct fuse_conn *fc = fuse_get_conn(file);
48078 @@ -1841,6 +1845,8 @@ static unsigned fuse_dev_poll(struct fil
48079 return mask;
48080 }
48081
48082 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
48083 +
48084 /*
48085 * Abort all requests on the given list (pending or processing)
48086 *
48087 @@ -1977,7 +1983,7 @@ int fuse_dev_release(struct inode *inode
48088 }
48089 EXPORT_SYMBOL_GPL(fuse_dev_release);
48090
48091 -static int fuse_dev_fasync(int fd, struct file *file, int on)
48092 +int fuse_dev_fasync(int fd, struct file *file, int on)
48093 {
48094 struct fuse_conn *fc = fuse_get_conn(file);
48095 if (!fc)
48096 @@ -1987,6 +1993,8 @@ static int fuse_dev_fasync(int fd, struc
48097 return fasync_helper(fd, file, on, &fc->fasync);
48098 }
48099
48100 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
48101 +
48102 const struct file_operations fuse_dev_operations = {
48103 .owner = THIS_MODULE,
48104 .llseek = no_llseek,
48105 diff -urNp linux-2.6.39.3/fs/fuse/dir.c linux-2.6.39.3/fs/fuse/dir.c
48106 --- linux-2.6.39.3/fs/fuse/dir.c 2011-05-19 00:06:34.000000000 -0400
48107 +++ linux-2.6.39.3/fs/fuse/dir.c 2011-05-22 19:36:32.000000000 -0400
48108 @@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
48109 return link;
48110 }
48111
48112 -static void free_link(char *link)
48113 +static void free_link(const char *link)
48114 {
48115 if (!IS_ERR(link))
48116 free_page((unsigned long) link);
48117 diff -urNp linux-2.6.39.3/fs/fuse/fuse_i.h linux-2.6.39.3/fs/fuse/fuse_i.h
48118 --- linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-19 00:06:34.000000000 -0400
48119 +++ linux-2.6.39.3/fs/fuse/fuse_i.h 2011-05-22 19:36:32.000000000 -0400
48120 @@ -540,6 +540,16 @@ extern const struct file_operations fuse
48121
48122 extern const struct dentry_operations fuse_dentry_operations;
48123
48124 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
48125 + unsigned long nr_segs, loff_t pos);
48126 +
48127 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
48128 + unsigned long nr_segs, loff_t pos);
48129 +
48130 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
48131 +
48132 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
48133 +
48134 /**
48135 * Inode to nodeid comparison.
48136 */
48137 diff -urNp linux-2.6.39.3/fs/gfs2/ops_inode.c linux-2.6.39.3/fs/gfs2/ops_inode.c
48138 --- linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-19 00:06:34.000000000 -0400
48139 +++ linux-2.6.39.3/fs/gfs2/ops_inode.c 2011-05-22 19:36:32.000000000 -0400
48140 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
48141 unsigned int x;
48142 int error;
48143
48144 + pax_track_stack();
48145 +
48146 if (ndentry->d_inode) {
48147 nip = GFS2_I(ndentry->d_inode);
48148 if (ip == nip)
48149 @@ -1019,7 +1021,7 @@ out:
48150
48151 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
48152 {
48153 - char *s = nd_get_link(nd);
48154 + const char *s = nd_get_link(nd);
48155 if (!IS_ERR(s))
48156 kfree(s);
48157 }
48158 diff -urNp linux-2.6.39.3/fs/hfsplus/catalog.c linux-2.6.39.3/fs/hfsplus/catalog.c
48159 --- linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-19 00:06:34.000000000 -0400
48160 +++ linux-2.6.39.3/fs/hfsplus/catalog.c 2011-05-22 19:36:32.000000000 -0400
48161 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
48162 int err;
48163 u16 type;
48164
48165 + pax_track_stack();
48166 +
48167 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
48168 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
48169 if (err)
48170 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
48171 int entry_size;
48172 int err;
48173
48174 + pax_track_stack();
48175 +
48176 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
48177 str->name, cnid, inode->i_nlink);
48178 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
48179 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
48180 int entry_size, type;
48181 int err = 0;
48182
48183 + pax_track_stack();
48184 +
48185 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
48186 cnid, src_dir->i_ino, src_name->name,
48187 dst_dir->i_ino, dst_name->name);
48188 diff -urNp linux-2.6.39.3/fs/hfsplus/dir.c linux-2.6.39.3/fs/hfsplus/dir.c
48189 --- linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-19 00:06:34.000000000 -0400
48190 +++ linux-2.6.39.3/fs/hfsplus/dir.c 2011-05-22 19:36:32.000000000 -0400
48191 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
48192 struct hfsplus_readdir_data *rd;
48193 u16 type;
48194
48195 + pax_track_stack();
48196 +
48197 if (filp->f_pos >= inode->i_size)
48198 return 0;
48199
48200 diff -urNp linux-2.6.39.3/fs/hfsplus/inode.c linux-2.6.39.3/fs/hfsplus/inode.c
48201 --- linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-19 00:06:34.000000000 -0400
48202 +++ linux-2.6.39.3/fs/hfsplus/inode.c 2011-05-22 19:36:32.000000000 -0400
48203 @@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
48204 int res = 0;
48205 u16 type;
48206
48207 + pax_track_stack();
48208 +
48209 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48210
48211 HFSPLUS_I(inode)->linkid = 0;
48212 @@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
48213 struct hfs_find_data fd;
48214 hfsplus_cat_entry entry;
48215
48216 + pax_track_stack();
48217 +
48218 if (HFSPLUS_IS_RSRC(inode))
48219 main_inode = HFSPLUS_I(inode)->rsrc_inode;
48220
48221 diff -urNp linux-2.6.39.3/fs/hfsplus/ioctl.c linux-2.6.39.3/fs/hfsplus/ioctl.c
48222 --- linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-19 00:06:34.000000000 -0400
48223 +++ linux-2.6.39.3/fs/hfsplus/ioctl.c 2011-05-22 19:36:32.000000000 -0400
48224 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
48225 struct hfsplus_cat_file *file;
48226 int res;
48227
48228 + pax_track_stack();
48229 +
48230 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48231 return -EOPNOTSUPP;
48232
48233 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48234 struct hfsplus_cat_file *file;
48235 ssize_t res = 0;
48236
48237 + pax_track_stack();
48238 +
48239 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48240 return -EOPNOTSUPP;
48241
48242 diff -urNp linux-2.6.39.3/fs/hfsplus/super.c linux-2.6.39.3/fs/hfsplus/super.c
48243 --- linux-2.6.39.3/fs/hfsplus/super.c 2011-05-19 00:06:34.000000000 -0400
48244 +++ linux-2.6.39.3/fs/hfsplus/super.c 2011-05-22 19:36:32.000000000 -0400
48245 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
48246 struct nls_table *nls = NULL;
48247 int err;
48248
48249 + pax_track_stack();
48250 +
48251 err = -EINVAL;
48252 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48253 if (!sbi)
48254 diff -urNp linux-2.6.39.3/fs/hugetlbfs/inode.c linux-2.6.39.3/fs/hugetlbfs/inode.c
48255 --- linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-19 00:06:34.000000000 -0400
48256 +++ linux-2.6.39.3/fs/hugetlbfs/inode.c 2011-05-22 19:41:37.000000000 -0400
48257 @@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
48258 .kill_sb = kill_litter_super,
48259 };
48260
48261 -static struct vfsmount *hugetlbfs_vfsmount;
48262 +struct vfsmount *hugetlbfs_vfsmount;
48263
48264 static int can_do_hugetlb_shm(void)
48265 {
48266 diff -urNp linux-2.6.39.3/fs/inode.c linux-2.6.39.3/fs/inode.c
48267 --- linux-2.6.39.3/fs/inode.c 2011-05-19 00:06:34.000000000 -0400
48268 +++ linux-2.6.39.3/fs/inode.c 2011-05-22 19:36:32.000000000 -0400
48269 @@ -862,8 +862,8 @@ unsigned int get_next_ino(void)
48270
48271 #ifdef CONFIG_SMP
48272 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
48273 - static atomic_t shared_last_ino;
48274 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
48275 + static atomic_unchecked_t shared_last_ino;
48276 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
48277
48278 res = next - LAST_INO_BATCH;
48279 }
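Review bot: Nothing in this hunk says why shared_last_ino may become atomic_unchecked_t, a type that presumably exempts the counter from the overflow detection this patch applies to plain atomic_t. A one-line comment such as `/* inode number source, not a reference count: wraparound is acceptable */` would let a reviewer confirm the exemption is intended. The same applies to nlm_cookie in fs/lockd/clntproc.c further down. get_next_ino starts and ends outside this hunk.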
48280 diff -urNp linux-2.6.39.3/fs/jbd/checkpoint.c linux-2.6.39.3/fs/jbd/checkpoint.c
48281 --- linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-19 00:06:34.000000000 -0400
48282 +++ linux-2.6.39.3/fs/jbd/checkpoint.c 2011-05-22 19:36:32.000000000 -0400
48283 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
48284 tid_t this_tid;
48285 int result;
48286
48287 + pax_track_stack();
48288 +
48289 jbd_debug(1, "Start checkpoint\n");
48290
48291 /*
48292 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rtime.c linux-2.6.39.3/fs/jffs2/compr_rtime.c
48293 --- linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-19 00:06:34.000000000 -0400
48294 +++ linux-2.6.39.3/fs/jffs2/compr_rtime.c 2011-05-22 19:36:32.000000000 -0400
48295 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48296 int outpos = 0;
48297 int pos=0;
48298
48299 + pax_track_stack();
48300 +
48301 memset(positions,0,sizeof(positions));
48302
48303 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48304 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
48305 int outpos = 0;
48306 int pos=0;
48307
48308 + pax_track_stack();
48309 +
48310 memset(positions,0,sizeof(positions));
48311
48312 while (outpos<destlen) {
48313 diff -urNp linux-2.6.39.3/fs/jffs2/compr_rubin.c linux-2.6.39.3/fs/jffs2/compr_rubin.c
48314 --- linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-19 00:06:34.000000000 -0400
48315 +++ linux-2.6.39.3/fs/jffs2/compr_rubin.c 2011-05-22 19:36:32.000000000 -0400
48316 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48317 int ret;
48318 uint32_t mysrclen, mydstlen;
48319
48320 + pax_track_stack();
48321 +
48322 mysrclen = *sourcelen;
48323 mydstlen = *dstlen - 8;
48324
48325 diff -urNp linux-2.6.39.3/fs/jffs2/erase.c linux-2.6.39.3/fs/jffs2/erase.c
48326 --- linux-2.6.39.3/fs/jffs2/erase.c 2011-05-19 00:06:34.000000000 -0400
48327 +++ linux-2.6.39.3/fs/jffs2/erase.c 2011-05-22 19:36:32.000000000 -0400
48328 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
48329 struct jffs2_unknown_node marker = {
48330 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48331 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48332 - .totlen = cpu_to_je32(c->cleanmarker_size)
48333 + .totlen = cpu_to_je32(c->cleanmarker_size),
48334 + .hdr_crc = cpu_to_je32(0)
48335 };
48336
48337 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48338 diff -urNp linux-2.6.39.3/fs/jffs2/wbuf.c linux-2.6.39.3/fs/jffs2/wbuf.c
48339 --- linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-19 00:06:34.000000000 -0400
48340 +++ linux-2.6.39.3/fs/jffs2/wbuf.c 2011-05-22 19:36:32.000000000 -0400
48341 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48342 {
48343 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48344 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48345 - .totlen = constant_cpu_to_je32(8)
48346 + .totlen = constant_cpu_to_je32(8),
48347 + .hdr_crc = constant_cpu_to_je32(0)
48348 };
48349
48350 /*
48351 diff -urNp linux-2.6.39.3/fs/jffs2/xattr.c linux-2.6.39.3/fs/jffs2/xattr.c
48352 --- linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-19 00:06:34.000000000 -0400
48353 +++ linux-2.6.39.3/fs/jffs2/xattr.c 2011-05-22 19:36:32.000000000 -0400
48354 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48355
48356 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48357
48358 + pax_track_stack();
48359 +
48360 /* Phase.1 : Merge same xref */
48361 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48362 xref_tmphash[i] = NULL;
48363 diff -urNp linux-2.6.39.3/fs/jfs/super.c linux-2.6.39.3/fs/jfs/super.c
48364 --- linux-2.6.39.3/fs/jfs/super.c 2011-05-19 00:06:34.000000000 -0400
48365 +++ linux-2.6.39.3/fs/jfs/super.c 2011-06-07 18:07:24.000000000 -0400
48366 @@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
48367
48368 jfs_inode_cachep =
48369 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48370 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48371 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48372 init_once);
48373 if (jfs_inode_cachep == NULL)
48374 return -ENOMEM;
48375 diff -urNp linux-2.6.39.3/fs/Kconfig.binfmt linux-2.6.39.3/fs/Kconfig.binfmt
48376 --- linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-19 00:06:34.000000000 -0400
48377 +++ linux-2.6.39.3/fs/Kconfig.binfmt 2011-05-22 19:36:32.000000000 -0400
48378 @@ -86,7 +86,7 @@ config HAVE_AOUT
48379
48380 config BINFMT_AOUT
48381 tristate "Kernel support for a.out and ECOFF binaries"
48382 - depends on HAVE_AOUT
48383 + depends on HAVE_AOUT && BROKEN
48384 ---help---
48385 A.out (Assembler.OUTput) is a set of formats for libraries and
48386 executables used in the earliest versions of UNIX. Linux used
48387 diff -urNp linux-2.6.39.3/fs/libfs.c linux-2.6.39.3/fs/libfs.c
48388 --- linux-2.6.39.3/fs/libfs.c 2011-05-19 00:06:34.000000000 -0400
48389 +++ linux-2.6.39.3/fs/libfs.c 2011-05-22 19:36:32.000000000 -0400
48390 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
48391
48392 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48393 struct dentry *next;
48394 + char d_name[sizeof(next->d_iname)];
48395 + const unsigned char *name;
48396 +
48397 next = list_entry(p, struct dentry, d_u.d_child);
48398 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
48399 if (!simple_positive(next)) {
48400 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
48401
48402 spin_unlock(&next->d_lock);
48403 spin_unlock(&dentry->d_lock);
48404 - if (filldir(dirent, next->d_name.name,
48405 + name = next->d_name.name;
48406 + if (name == next->d_iname) {
48407 + memcpy(d_name, name, next->d_name.len);
48408 + name = d_name;
48409 + }
48410 + if (filldir(dirent, name,
48411 next->d_name.len, filp->f_pos,
48412 next->d_inode->i_ino,
48413 dt_type(next->d_inode)) < 0)
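Review bot: The length in `memcpy(d_name, name, next->d_name.len)` is read after both d_lock spinlocks were released and is never compared with sizeof(d_name). The copy is only taken when name points at the inline buffer, so the length normally fits, but nothing visible here keeps the name and its length stable between the pointer comparison and the copy. I would move the `name == next->d_iname` test and the copy above `spin_unlock(&next->d_lock)` and keep `unsigned int len = next->d_name.len;` for both memcpy and filldir. The hunk also gives no reason for copying the inline name to the stack, which a short comment should supply. dcache_readdir starts and ends outside this hunk, and d_name is declared in the preceding one.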
48414 diff -urNp linux-2.6.39.3/fs/lockd/clntproc.c linux-2.6.39.3/fs/lockd/clntproc.c
48415 --- linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:18:51.000000000 -0400
48416 +++ linux-2.6.39.3/fs/lockd/clntproc.c 2011-07-09 09:19:18.000000000 -0400
48417 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48418 /*
48419 * Cookie counter for NLM requests
48420 */
48421 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48422 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48423
48424 void nlmclnt_next_cookie(struct nlm_cookie *c)
48425 {
48426 - u32 cookie = atomic_inc_return(&nlm_cookie);
48427 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48428
48429 memcpy(c->data, &cookie, 4);
48430 c->len=4;
48431 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48432 struct nlm_rqst reqst, *req;
48433 int status;
48434
48435 + pax_track_stack();
48436 +
48437 req = &reqst;
48438 memset(req, 0, sizeof(*req));
48439 locks_init_lock(&req->a_args.lock.fl);
48440 diff -urNp linux-2.6.39.3/fs/lockd/svc.c linux-2.6.39.3/fs/lockd/svc.c
48441 --- linux-2.6.39.3/fs/lockd/svc.c 2011-05-19 00:06:34.000000000 -0400
48442 +++ linux-2.6.39.3/fs/lockd/svc.c 2011-05-22 19:36:32.000000000 -0400
48443 @@ -41,7 +41,7 @@
48444
48445 static struct svc_program nlmsvc_program;
48446
48447 -struct nlmsvc_binding * nlmsvc_ops;
48448 +const struct nlmsvc_binding * nlmsvc_ops;
48449 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48450
48451 static DEFINE_MUTEX(nlmsvc_mutex);
48452 diff -urNp linux-2.6.39.3/fs/locks.c linux-2.6.39.3/fs/locks.c
48453 --- linux-2.6.39.3/fs/locks.c 2011-07-09 09:18:51.000000000 -0400
48454 +++ linux-2.6.39.3/fs/locks.c 2011-07-06 19:44:53.000000000 -0400
48455 @@ -2043,16 +2043,16 @@ void locks_remove_flock(struct file *fil
48456 return;
48457
48458 if (filp->f_op && filp->f_op->flock) {
48459 - struct file_lock fl = {
48460 + struct file_lock flock = {
48461 .fl_pid = current->tgid,
48462 .fl_file = filp,
48463 .fl_flags = FL_FLOCK,
48464 .fl_type = F_UNLCK,
48465 .fl_end = OFFSET_MAX,
48466 };
48467 - filp->f_op->flock(filp, F_SETLKW, &fl);
48468 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48469 - fl.fl_ops->fl_release_private(&fl);
48470 + filp->f_op->flock(filp, F_SETLKW, &flock);
48471 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48472 + flock.fl_ops->fl_release_private(&flock);
48473 }
48474
48475 lock_flocks();
48476 diff -urNp linux-2.6.39.3/fs/logfs/super.c linux-2.6.39.3/fs/logfs/super.c
48477 --- linux-2.6.39.3/fs/logfs/super.c 2011-05-19 00:06:34.000000000 -0400
48478 +++ linux-2.6.39.3/fs/logfs/super.c 2011-05-22 19:36:32.000000000 -0400
48479 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
48480 struct logfs_disk_super _ds1, *ds1 = &_ds1;
48481 int err, valid0, valid1;
48482
48483 + pax_track_stack();
48484 +
48485 /* read first superblock */
48486 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
48487 if (err)
48488 diff -urNp linux-2.6.39.3/fs/namei.c linux-2.6.39.3/fs/namei.c
48489 --- linux-2.6.39.3/fs/namei.c 2011-06-03 00:04:14.000000000 -0400
48490 +++ linux-2.6.39.3/fs/namei.c 2011-06-03 00:32:07.000000000 -0400
48491 @@ -237,20 +237,30 @@ int generic_permission(struct inode *ino
48492 return ret;
48493
48494 /*
48495 - * Read/write DACs are always overridable.
48496 - * Executable DACs are overridable if at least one exec bit is set.
48497 + * Searching includes executable on directories, else just read.
48498 */
48499 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48500 - if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48501 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48502 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
48503 +#ifdef CONFIG_GRKERNSEC
48504 + if (flags & IPERM_FLAG_RCU)
48505 + return -ECHILD;
48506 +#endif
48507 + if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48508 return 0;
48509 + }
48510
48511 /*
48512 - * Searching includes executable on directories, else just read.
48513 + * Read/write DACs are always overridable.
48514 + * Executable DACs are overridable if at least one exec bit is set.
48515 */
48516 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48517 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
48518 - if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
48519 + if (!(mask & MAY_EXEC) || execute_ok(inode)) {
48520 +#ifdef CONFIG_GRKERNSEC
48521 + if (flags & IPERM_FLAG_RCU)
48522 + return -ECHILD;
48523 +#endif
48524 + if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
48525 return 0;
48526 + }
48527
48528 return -EACCES;
48529 }
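Review bot: The two `#ifdef CONFIG_GRKERNSEC` blocks that return -ECHILD when IPERM_FLAG_RCU is set carry no comment, and neither does the swap that now tests CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE. The swap presumably exists so the narrower capability is tried first and the broader one is exercised only when needed; the block comments should say so, or a later merge with upstream can silently restore the old order. Above each bail-out I would add `/* GRKERNSEC: ns_capable() is not called in RCU-walk mode; retry in ref-walk */`. The same uncommented bail-out appears in the exec_permission hunk below. generic_permission starts outside this hunk.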
48530 @@ -626,6 +636,9 @@ static inline int handle_reval_path(stru
48531 struct dentry *dentry = nd->path.dentry;
48532 int status;
48533
48534 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48535 + return -ENOENT;
48536 +
48537 if (likely(!(nd->flags & LOOKUP_JUMPED)))
48538 return 0;
48539
48540 @@ -671,9 +684,16 @@ static inline int exec_permission(struct
48541 if (ret == -ECHILD)
48542 return ret;
48543
48544 - if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
48545 - ns_capable(ns, CAP_DAC_READ_SEARCH))
48546 + if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
48547 goto ok;
48548 + else {
48549 +#ifdef CONFIG_GRKERNSEC
48550 + if (flags & IPERM_FLAG_RCU)
48551 + return -ECHILD;
48552 +#endif
48553 + if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
48554 + goto ok;
48555 + }
48556
48557 return ret;
48558 ok:
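Review bot: In the new else branch, `ns_capable(ns, CAP_DAC_OVERRIDE)` is evaluated again although `ns_capable_nolog(ns, CAP_DAC_OVERRIDE)` has just returned false for the same namespace. The second test looks redundant unless it exists only to produce the log entry the _nolog variant suppresses. If that is the intent, say so with `/* retest with logging so the denied override is recorded */`; otherwise drop the second operand. exec_permission starts outside this hunk.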
48559 @@ -781,11 +801,19 @@ follow_link(struct path *link, struct na
48560 return error;
48561 }
48562
48563 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
48564 + dentry->d_inode, dentry, nd->path.mnt)) {
48565 + error = -EACCES;
48566 + *p = ERR_PTR(error); /* no ->put_link(), please */
48567 + path_put(&nd->path);
48568 + return error;
48569 + }
48570 +
48571 nd->last_type = LAST_BIND;
48572 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
48573 error = PTR_ERR(*p);
48574 if (!IS_ERR(*p)) {
48575 - char *s = nd_get_link(nd);
48576 + const char *s = nd_get_link(nd);
48577 error = 0;
48578 if (s)
48579 error = __vfs_follow_link(nd, s);
48580 @@ -1697,6 +1725,9 @@ static int do_path_lookup(int dfd, const
48581 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
48582
48583 if (likely(!retval)) {
48584 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48585 + return -ENOENT;
48586 +
48587 if (unlikely(!audit_dummy_context())) {
48588 if (nd->path.dentry && nd->inode)
48589 audit_inode(name, nd->path.dentry);
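Review bot: The added `return -ENOENT` runs only after path_lookupat() has succeeded, so nd->path appears to still hold its dentry and mount references when the function reports failure. Callers do not normally release a path after an error. The follow_link hunk above calls `path_put(&nd->path)` before its early return, and the same is needed here: `path_put(&nd->path); return -ENOENT;` in a braced block. The early return added to handle_reval_path earlier in this file is worth checking the same way. do_path_lookup starts and ends outside this hunk.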
48590 @@ -2007,6 +2038,30 @@ int vfs_create(struct inode *dir, struct
48591 return error;
48592 }
48593
48594 +/*
48595 + * Note that while the flag value (low two bits) for sys_open means:
48596 + * 00 - read-only
48597 + * 01 - write-only
48598 + * 10 - read-write
48599 + * 11 - special
48600 + * it is changed into
48601 + * 00 - no permissions needed
48602 + * 01 - read-permission
48603 + * 10 - write-permission
48604 + * 11 - read-write
48605 + * for the internal routines (ie open_namei()/follow_link() etc)
48606 + * This is more logical, and also allows the 00 "no perm needed"
48607 + * to be used for symlinks (where the permissions are checked
48608 + * later).
48609 + *
48610 +*/
48611 +static inline int open_to_namei_flags(int flag)
48612 +{
48613 + if ((flag+1) & O_ACCMODE)
48614 + flag++;
48615 + return flag;
48616 +}
48617 +
48618 static int may_open(struct path *path, int acc_mode, int flag)
48619 {
48620 struct dentry *dentry = path->dentry;
48621 @@ -2059,7 +2114,27 @@ static int may_open(struct path *path, i
48622 /*
48623 * Ensure there are no outstanding leases on the file.
48624 */
48625 - return break_lease(inode, flag);
48626 + error = break_lease(inode, flag);
48627 +
48628 + if (error)
48629 + return error;
48630 +
48631 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48632 + error = -EPERM;
48633 + goto exit;
48634 + }
48635 +
48636 + if (gr_handle_rawio(inode)) {
48637 + error = -EPERM;
48638 + goto exit;
48639 + }
48640 +
48641 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
48642 + error = -EACCES;
48643 + goto exit;
48644 + }
48645 +exit:
48646 + return error;
48647 }
48648
48649 static int handle_truncate(struct file *filp)
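Review bot: The three gr_* policy checks run only after `break_lease(inode, flag)` has returned, so an open that grsecurity then refuses has already broken leases held on the file. Unless that order is deliberate, I would run the checks first and end with the lease break, which also removes the `exit:` label that only returns. may_open starts outside this hunk.
```c
	/* … unchanged: earlier checks in may_open … */
	if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
		return -EPERM;

	if (gr_handle_rawio(inode))
		return -EPERM;

	if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag)))
		return -EACCES;

	/*
	 * Ensure there are no outstanding leases on the file.
	 */
	return break_lease(inode, flag);
```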
48650 @@ -2085,30 +2160,6 @@ static int handle_truncate(struct file *
48651 }
48652
48653 /*
48654 - * Note that while the flag value (low two bits) for sys_open means:
48655 - * 00 - read-only
48656 - * 01 - write-only
48657 - * 10 - read-write
48658 - * 11 - special
48659 - * it is changed into
48660 - * 00 - no permissions needed
48661 - * 01 - read-permission
48662 - * 10 - write-permission
48663 - * 11 - read-write
48664 - * for the internal routines (ie open_namei()/follow_link() etc)
48665 - * This is more logical, and also allows the 00 "no perm needed"
48666 - * to be used for symlinks (where the permissions are checked
48667 - * later).
48668 - *
48669 -*/
48670 -static inline int open_to_namei_flags(int flag)
48671 -{
48672 - if ((flag+1) & O_ACCMODE)
48673 - flag++;
48674 - return flag;
48675 -}
48676 -
48677 -/*
48678 * Handle the last step of open()
48679 */
48680 static struct file *do_last(struct nameidata *nd, struct path *path,
48681 @@ -2117,6 +2168,7 @@ static struct file *do_last(struct namei
48682 struct dentry *dir = nd->path.dentry;
48683 struct dentry *dentry;
48684 int open_flag = op->open_flag;
48685 + int flag = open_to_namei_flags(open_flag);
48686 int will_truncate = open_flag & O_TRUNC;
48687 int want_write = 0;
48688 int acc_mode = op->acc_mode;
48689 @@ -2212,6 +2264,12 @@ static struct file *do_last(struct namei
48690 /* Negative dentry, just create the file */
48691 if (!dentry->d_inode) {
48692 int mode = op->mode;
48693 +
48694 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
48695 + error = -EACCES;
48696 + goto exit_mutex_unlock;
48697 + }
48698 +
48699 if (!IS_POSIXACL(dir->d_inode))
48700 mode &= ~current_umask();
48701 /*
48702 @@ -2235,6 +2293,8 @@ static struct file *do_last(struct namei
48703 error = vfs_create(dir->d_inode, dentry, mode, nd);
48704 if (error)
48705 goto exit_mutex_unlock;
48706 + else
48707 + gr_handle_create(path->dentry, path->mnt);
48708 mutex_unlock(&dir->d_inode->i_mutex);
48709 dput(nd->path.dentry);
48710 nd->path.dentry = dentry;
48711 @@ -2244,6 +2304,14 @@ static struct file *do_last(struct namei
48712 /*
48713 * It already exists.
48714 */
48715 +
48716 + /* only check if O_CREAT is specified, all other checks need to go
48717 + into may_open */
48718 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
48719 + error = -EACCES;
48720 + goto exit_mutex_unlock;
48721 + }
48722 +
48723 mutex_unlock(&dir->d_inode->i_mutex);
48724 audit_inode(pathname, path->dentry);
48725
48726 @@ -2530,6 +2598,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48727 error = may_mknod(mode);
48728 if (error)
48729 goto out_dput;
48730 +
48731 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
48732 + error = -EPERM;
48733 + goto out_dput;
48734 + }
48735 +
48736 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
48737 + error = -EACCES;
48738 + goto out_dput;
48739 + }
48740 +
48741 error = mnt_want_write(nd.path.mnt);
48742 if (error)
48743 goto out_dput;
48744 @@ -2550,6 +2629,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
48745 }
48746 out_drop_write:
48747 mnt_drop_write(nd.path.mnt);
48748 +
48749 + if (!error)
48750 + gr_handle_create(dentry, nd.path.mnt);
48751 out_dput:
48752 dput(dentry);
48753 out_unlock:
48754 @@ -2602,6 +2684,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48755 if (IS_ERR(dentry))
48756 goto out_unlock;
48757
48758 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
48759 + error = -EACCES;
48760 + goto out_dput;
48761 + }
48762 +
48763 if (!IS_POSIXACL(nd.path.dentry->d_inode))
48764 mode &= ~current_umask();
48765 error = mnt_want_write(nd.path.mnt);
48766 @@ -2613,6 +2700,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
48767 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
48768 out_drop_write:
48769 mnt_drop_write(nd.path.mnt);
48770 +
48771 + if (!error)
48772 + gr_handle_create(dentry, nd.path.mnt);
48773 +
48774 out_dput:
48775 dput(dentry);
48776 out_unlock:
48777 @@ -2692,6 +2783,8 @@ static long do_rmdir(int dfd, const char
48778 char * name;
48779 struct dentry *dentry;
48780 struct nameidata nd;
48781 + ino_t saved_ino = 0;
48782 + dev_t saved_dev = 0;
48783
48784 error = user_path_parent(dfd, pathname, &nd, &name);
48785 if (error)
48786 @@ -2716,6 +2809,19 @@ static long do_rmdir(int dfd, const char
48787 error = PTR_ERR(dentry);
48788 if (IS_ERR(dentry))
48789 goto exit2;
48790 +
48791 + if (dentry->d_inode != NULL) {
48792 + if (dentry->d_inode->i_nlink <= 1) {
48793 + saved_ino = dentry->d_inode->i_ino;
48794 + saved_dev = gr_get_dev_from_dentry(dentry);
48795 + }
48796 +
48797 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
48798 + error = -EACCES;
48799 + goto exit3;
48800 + }
48801 + }
48802 +
48803 error = mnt_want_write(nd.path.mnt);
48804 if (error)
48805 goto exit3;
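Review bot: The `i_nlink <= 1` test that gates `saved_ino`/`saved_dev` mirrors the one in do_unlinkat and may rarely be true for a directory, since on filesystems that count `.` and the parent's entry an empty directory has a link count of 2. In that case both variables stay zero and the `gr_handle_delete()` call added after `vfs_rmdir()` in the next hunk is skipped for a successful rmdir. Whether that matters depends on what `gr_handle_delete()` does, which is not visible here. If it is meant to run for removed directories, record the values unconditionally: `saved_ino = dentry->d_inode->i_ino; saved_dev = gr_get_dev_from_dentry(dentry);`. do_rmdir's body starts and ends outside the hunk.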
48806 @@ -2723,6 +2829,8 @@ static long do_rmdir(int dfd, const char
48807 if (error)
48808 goto exit4;
48809 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
48810 + if (!error && (saved_dev || saved_ino))
48811 + gr_handle_delete(saved_ino, saved_dev);
48812 exit4:
48813 mnt_drop_write(nd.path.mnt);
48814 exit3:
48815 @@ -2785,6 +2893,8 @@ static long do_unlinkat(int dfd, const c
48816 struct dentry *dentry;
48817 struct nameidata nd;
48818 struct inode *inode = NULL;
48819 + ino_t saved_ino = 0;
48820 + dev_t saved_dev = 0;
48821
48822 error = user_path_parent(dfd, pathname, &nd, &name);
48823 if (error)
48824 @@ -2804,8 +2914,17 @@ static long do_unlinkat(int dfd, const c
48825 if (nd.last.name[nd.last.len])
48826 goto slashes;
48827 inode = dentry->d_inode;
48828 - if (inode)
48829 + if (inode) {
48830 ihold(inode);
48831 + if (inode->i_nlink <= 1) {
48832 + saved_ino = inode->i_ino;
48833 + saved_dev = gr_get_dev_from_dentry(dentry);
48834 + }
48835 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
48836 + error = -EACCES;
48837 + goto exit2;
48838 + }
48839 + }
48840 error = mnt_want_write(nd.path.mnt);
48841 if (error)
48842 goto exit2;
48843 @@ -2813,6 +2932,8 @@ static long do_unlinkat(int dfd, const c
48844 if (error)
48845 goto exit3;
48846 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
48847 + if (!error && (saved_ino || saved_dev))
48848 + gr_handle_delete(saved_ino, saved_dev);
48849 exit3:
48850 mnt_drop_write(nd.path.mnt);
48851 exit2:
48852 @@ -2890,6 +3011,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
48853 if (IS_ERR(dentry))
48854 goto out_unlock;
48855
48856 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
48857 + error = -EACCES;
48858 + goto out_dput;
48859 + }
48860 +
48861 error = mnt_want_write(nd.path.mnt);
48862 if (error)
48863 goto out_dput;
48864 @@ -2897,6 +3023,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
48865 if (error)
48866 goto out_drop_write;
48867 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
48868 + if (!error)
48869 + gr_handle_create(dentry, nd.path.mnt);
48870 out_drop_write:
48871 mnt_drop_write(nd.path.mnt);
48872 out_dput:
48873 @@ -3005,6 +3133,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48874 error = PTR_ERR(new_dentry);
48875 if (IS_ERR(new_dentry))
48876 goto out_unlock;
48877 +
48878 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
48879 + old_path.dentry->d_inode,
48880 + old_path.dentry->d_inode->i_mode, to)) {
48881 + error = -EACCES;
48882 + goto out_dput;
48883 + }
48884 +
48885 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
48886 + old_path.dentry, old_path.mnt, to)) {
48887 + error = -EACCES;
48888 + goto out_dput;
48889 + }
48890 +
48891 error = mnt_want_write(nd.path.mnt);
48892 if (error)
48893 goto out_dput;
48894 @@ -3012,6 +3154,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
48895 if (error)
48896 goto out_drop_write;
48897 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
48898 + if (!error)
48899 + gr_handle_create(new_dentry, nd.path.mnt);
48900 out_drop_write:
48901 mnt_drop_write(nd.path.mnt);
48902 out_dput:
48903 @@ -3189,6 +3333,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48904 char *to;
48905 int error;
48906
48907 + pax_track_stack();
48908 +
48909 error = user_path_parent(olddfd, oldname, &oldnd, &from);
48910 if (error)
48911 goto exit;
48912 @@ -3245,6 +3391,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48913 if (new_dentry == trap)
48914 goto exit5;
48915
48916 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
48917 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
48918 + to);
48919 + if (error)
48920 + goto exit5;
48921 +
48922 error = mnt_want_write(oldnd.path.mnt);
48923 if (error)
48924 goto exit5;
48925 @@ -3254,6 +3406,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
48926 goto exit6;
48927 error = vfs_rename(old_dir->d_inode, old_dentry,
48928 new_dir->d_inode, new_dentry);
48929 + if (!error)
48930 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
48931 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
48932 exit6:
48933 mnt_drop_write(oldnd.path.mnt);
48934 exit5:
48935 @@ -3279,6 +3434,8 @@ SYSCALL_DEFINE2(rename, const char __use
48936
48937 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
48938 {
48939 + char tmpbuf[64];
48940 + const char *newlink;
48941 int len;
48942
48943 len = PTR_ERR(link);
48944 @@ -3288,7 +3445,14 @@ int vfs_readlink(struct dentry *dentry,
48945 len = strlen(link);
48946 if (len > (unsigned) buflen)
48947 len = buflen;
48948 - if (copy_to_user(buffer, link, len))
48949 +
48950 + if (len < sizeof(tmpbuf)) {
48951 + memcpy(tmpbuf, link, len);
48952 + newlink = tmpbuf;
48953 + } else
48954 + newlink = link;
48955 +
48956 + if (copy_to_user(buffer, newlink, len))
48957 len = -EFAULT;
48958 out:
48959 return len;
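Review bot: The copy of short link targets into `tmpbuf` before `copy_to_user()` has no comment, and without one it reads as a redundant extra copy. State the reason at the branch, presumably `/* bounce short targets through the stack so the usercopy source is not a string embedded in a larger object */`; confirm this against the usercopy checks elsewhere in the patch. The `if` arm is braced and the `else` arm is not, where kernel style braces both (`} else {`, `newlink = link;`, `}`). `len < sizeof(tmpbuf)` also compares an `int` with a `size_t`, which appears safe only because the clamping above leaves `len` non-negative; writing `(size_t)len` would make that explicit. The function's closing brace lies outside the hunk.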
48960 diff -urNp linux-2.6.39.3/fs/namespace.c linux-2.6.39.3/fs/namespace.c
48961 --- linux-2.6.39.3/fs/namespace.c 2011-05-19 00:06:34.000000000 -0400
48962 +++ linux-2.6.39.3/fs/namespace.c 2011-05-22 20:43:58.000000000 -0400
48963 @@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
48964 if (!(sb->s_flags & MS_RDONLY))
48965 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
48966 up_write(&sb->s_umount);
48967 +
48968 + gr_log_remount(mnt->mnt_devname, retval);
48969 +
48970 return retval;
48971 }
48972
48973 @@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
48974 br_write_unlock(vfsmount_lock);
48975 up_write(&namespace_sem);
48976 release_mounts(&umount_list);
48977 +
48978 + gr_log_unmount(mnt->mnt_devname, retval);
48979 +
48980 return retval;
48981 }
48982
48983 @@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
48984 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
48985 MS_STRICTATIME);
48986
48987 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
48988 + retval = -EPERM;
48989 + goto dput_out;
48990 + }
48991 +
48992 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
48993 + retval = -EPERM;
48994 + goto dput_out;
48995 + }
48996 +
48997 if (flags & MS_REMOUNT)
48998 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
48999 data_page);
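Review bot: `dev_name` is passed to `gr_handle_chroot_mount()` here and to `gr_log_mount()` in the next hunk without a null check, and mount(2) permits a null source for some requests. Neither helper is visible in this part of the patch, so confirm both tolerate `dev_name == NULL`, or substitute a placeholder at the call site, e.g. `gr_log_mount(dev_name ? dev_name : "<none>", dir_name, retval);`. `gr_log_mount()` also sits after the `dput_out:` label, so it runs for mounts refused by the two checks added here; if that is intended, a one-line comment saying the log covers denied mounts would help. do_mount's body starts and ends outside the hunk.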
49000 @@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
49001 dev_name, data_page);
49002 dput_out:
49003 path_put(&path);
49004 +
49005 + gr_log_mount(dev_name, dir_name, retval);
49006 +
49007 return retval;
49008 }
49009
49010 @@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
49011 if (error)
49012 goto out2;
49013
49014 + if (gr_handle_chroot_pivot()) {
49015 + error = -EPERM;
49016 + goto out2;
49017 + }
49018 +
49019 get_fs_root(current->fs, &root);
49020 error = lock_mount(&old);
49021 if (error)
49022 diff -urNp linux-2.6.39.3/fs/ncpfs/dir.c linux-2.6.39.3/fs/ncpfs/dir.c
49023 --- linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-19 00:06:34.000000000 -0400
49024 +++ linux-2.6.39.3/fs/ncpfs/dir.c 2011-05-22 19:36:32.000000000 -0400
49025 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
49026 int res, val = 0, len;
49027 __u8 __name[NCP_MAXPATHLEN + 1];
49028
49029 + pax_track_stack();
49030 +
49031 if (dentry == dentry->d_sb->s_root)
49032 return 1;
49033
49034 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
49035 int error, res, len;
49036 __u8 __name[NCP_MAXPATHLEN + 1];
49037
49038 + pax_track_stack();
49039 +
49040 error = -EIO;
49041 if (!ncp_conn_valid(server))
49042 goto finished;
49043 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
49044 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
49045 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
49046
49047 + pax_track_stack();
49048 +
49049 ncp_age_dentry(server, dentry);
49050 len = sizeof(__name);
49051 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
49052 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
49053 int error, len;
49054 __u8 __name[NCP_MAXPATHLEN + 1];
49055
49056 + pax_track_stack();
49057 +
49058 DPRINTK("ncp_mkdir: making %s/%s\n",
49059 dentry->d_parent->d_name.name, dentry->d_name.name);
49060
49061 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
49062 int old_len, new_len;
49063 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
49064
49065 + pax_track_stack();
49066 +
49067 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
49068 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
49069 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
49070 diff -urNp linux-2.6.39.3/fs/ncpfs/inode.c linux-2.6.39.3/fs/ncpfs/inode.c
49071 --- linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-19 00:06:34.000000000 -0400
49072 +++ linux-2.6.39.3/fs/ncpfs/inode.c 2011-05-22 19:36:32.000000000 -0400
49073 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
49074 #endif
49075 struct ncp_entry_info finfo;
49076
49077 + pax_track_stack();
49078 +
49079 data.wdog_pid = NULL;
49080 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
49081 if (!server)
49082 diff -urNp linux-2.6.39.3/fs/nfs/inode.c linux-2.6.39.3/fs/nfs/inode.c
49083 --- linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:18:51.000000000 -0400
49084 +++ linux-2.6.39.3/fs/nfs/inode.c 2011-07-09 09:19:24.000000000 -0400
49085 @@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
49086 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
49087 nfsi->attrtimeo_timestamp = jiffies;
49088
49089 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
49090 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
49091 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
49092 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
49093 else
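Review bot: The new `memset()` line names the same array two ways, `NFS_COOKIEVERF(inode)` for the destination and `NFS_I(inode)->cookieverf` for the size. That mismatch is the kind that allowed the original mistake, where `sizeof` was presumably applied to a pointer-valued accessor. Using one spelling for both keeps them from drifting apart again: `memset(nfsi->cookieverf, 0, sizeof(nfsi->cookieverf));`, assuming `nfsi` in this function is `NFS_I(inode)` (its assignment is outside the hunk).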
49094 @@ -1000,16 +1000,16 @@ static int nfs_size_need_update(const st
49095 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
49096 }
49097
49098 -static atomic_long_t nfs_attr_generation_counter;
49099 +static atomic_long_unchecked_t nfs_attr_generation_counter;
49100
49101 static unsigned long nfs_read_attr_generation_counter(void)
49102 {
49103 - return atomic_long_read(&nfs_attr_generation_counter);
49104 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
49105 }
49106
49107 unsigned long nfs_inc_attr_generation_counter(void)
49108 {
49109 - return atomic_long_inc_return(&nfs_attr_generation_counter);
49110 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
49111 }
49112
49113 void nfs_fattr_init(struct nfs_fattr *fattr)
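Review bot: The switch of `nfs_attr_generation_counter` to `atomic_long_unchecked_t` is not explained where the counter is declared. The `_unchecked` variants presumably opt it out of the patch's atomic overflow detection, which is only sound when wrapping is harmless and the value never guards an object's lifetime. A comment on the declaration, e.g. `/* generation number, not a refcount: wraparound is harmless */`, would record that judgement for later readers. The same applies to `fsnotify_sync_cookie` in fs/notify/notification.c and to the `ocfs2_alloc_stats` members in fs/ocfs2/ocfs2.h.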
49114 diff -urNp linux-2.6.39.3/fs/nfs/nfs4proc.c linux-2.6.39.3/fs/nfs/nfs4proc.c
49115 --- linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:18:51.000000000 -0400
49116 +++ linux-2.6.39.3/fs/nfs/nfs4proc.c 2011-07-09 09:19:24.000000000 -0400
49117 @@ -5858,14 +5858,14 @@ struct nfs4_state_recovery_ops nfs41_nog
49118 };
49119 #endif /* CONFIG_NFS_V4_1 */
49120
49121 -struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49122 +const struct nfs4_state_maintenance_ops nfs40_state_renewal_ops = {
49123 .sched_state_renewal = nfs4_proc_async_renew,
49124 .get_state_renewal_cred_locked = nfs4_get_renew_cred_locked,
49125 .renew_lease = nfs4_proc_renew,
49126 };
49127
49128 #if defined(CONFIG_NFS_V4_1)
49129 -struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49130 +const struct nfs4_state_maintenance_ops nfs41_state_renewal_ops = {
49131 .sched_state_renewal = nfs41_proc_async_sequence,
49132 .get_state_renewal_cred_locked = nfs4_get_machine_cred_locked,
49133 .renew_lease = nfs4_proc_sequence,
49134 diff -urNp linux-2.6.39.3/fs/nfsd/lockd.c linux-2.6.39.3/fs/nfsd/lockd.c
49135 --- linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-19 00:06:34.000000000 -0400
49136 +++ linux-2.6.39.3/fs/nfsd/lockd.c 2011-05-22 19:36:32.000000000 -0400
49137 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
49138 fput(filp);
49139 }
49140
49141 -static struct nlmsvc_binding nfsd_nlm_ops = {
49142 +static const struct nlmsvc_binding nfsd_nlm_ops = {
49143 .fopen = nlm_fopen, /* open file for locking */
49144 .fclose = nlm_fclose, /* close file */
49145 };
49146 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4state.c linux-2.6.39.3/fs/nfsd/nfs4state.c
49147 --- linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-19 00:06:34.000000000 -0400
49148 +++ linux-2.6.39.3/fs/nfsd/nfs4state.c 2011-05-22 19:36:32.000000000 -0400
49149 @@ -3784,6 +3784,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
49150 unsigned int strhashval;
49151 int err;
49152
49153 + pax_track_stack();
49154 +
49155 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
49156 (long long) lock->lk_offset,
49157 (long long) lock->lk_length);
49158 diff -urNp linux-2.6.39.3/fs/nfsd/nfs4xdr.c linux-2.6.39.3/fs/nfsd/nfs4xdr.c
49159 --- linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-19 00:06:34.000000000 -0400
49160 +++ linux-2.6.39.3/fs/nfsd/nfs4xdr.c 2011-05-22 19:36:32.000000000 -0400
49161 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
49162 .dentry = dentry,
49163 };
49164
49165 + pax_track_stack();
49166 +
49167 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
49168 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
49169 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
49170 diff -urNp linux-2.6.39.3/fs/nfsd/nfsctl.c linux-2.6.39.3/fs/nfsd/nfsctl.c
49171 --- linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:18:51.000000000 -0400
49172 +++ linux-2.6.39.3/fs/nfsd/nfsctl.c 2011-07-09 09:19:24.000000000 -0400
49173 @@ -183,7 +183,7 @@ static int export_features_open(struct i
49174 return single_open(file, export_features_show, NULL);
49175 }
49176
49177 -static struct file_operations export_features_operations = {
49178 +static const struct file_operations export_features_operations = {
49179 .open = export_features_open,
49180 .read = seq_read,
49181 .llseek = seq_lseek,
49182 diff -urNp linux-2.6.39.3/fs/nfsd/vfs.c linux-2.6.39.3/fs/nfsd/vfs.c
49183 --- linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:18:51.000000000 -0400
49184 +++ linux-2.6.39.3/fs/nfsd/vfs.c 2011-07-09 09:19:24.000000000 -0400
49185 @@ -901,7 +901,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
49186 } else {
49187 oldfs = get_fs();
49188 set_fs(KERNEL_DS);
49189 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
49190 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
49191 set_fs(oldfs);
49192 }
49193
49194 @@ -1005,7 +1005,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
49195
49196 /* Write the data. */
49197 oldfs = get_fs(); set_fs(KERNEL_DS);
49198 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
49199 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
49200 set_fs(oldfs);
49201 if (host_err < 0)
49202 goto out_nfserr;
49203 @@ -1528,7 +1528,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
49204 */
49205
49206 oldfs = get_fs(); set_fs(KERNEL_DS);
49207 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
49208 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
49209 set_fs(oldfs);
49210
49211 if (host_err < 0)
49212 diff -urNp linux-2.6.39.3/fs/nilfs2/segment.c linux-2.6.39.3/fs/nilfs2/segment.c
49213 --- linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-19 00:06:34.000000000 -0400
49214 +++ linux-2.6.39.3/fs/nilfs2/segment.c 2011-05-22 19:36:32.000000000 -0400
49215 @@ -555,7 +555,7 @@ static void nilfs_write_file_node_binfo(
49216 *vblocknr = binfo->bi_v.bi_vblocknr;
49217 }
49218
49219 -static struct nilfs_sc_operations nilfs_sc_file_ops = {
49220 +static const struct nilfs_sc_operations nilfs_sc_file_ops = {
49221 .collect_data = nilfs_collect_file_data,
49222 .collect_node = nilfs_collect_file_node,
49223 .collect_bmap = nilfs_collect_file_bmap,
49224 @@ -604,7 +604,7 @@ static void nilfs_write_dat_node_binfo(s
49225 *binfo_dat = binfo->bi_dat;
49226 }
49227
49228 -static struct nilfs_sc_operations nilfs_sc_dat_ops = {
49229 +static const struct nilfs_sc_operations nilfs_sc_dat_ops = {
49230 .collect_data = nilfs_collect_dat_data,
49231 .collect_node = nilfs_collect_file_node,
49232 .collect_bmap = nilfs_collect_dat_bmap,
49233 @@ -612,7 +612,7 @@ static struct nilfs_sc_operations nilfs_
49234 .write_node_binfo = nilfs_write_dat_node_binfo,
49235 };
49236
49237 -static struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49238 +static const struct nilfs_sc_operations nilfs_sc_dsync_ops = {
49239 .collect_data = nilfs_collect_file_data,
49240 .collect_node = NULL,
49241 .collect_bmap = NULL,
49242 @@ -971,7 +971,7 @@ static size_t nilfs_segctor_buffer_rest(
49243
49244 static int nilfs_segctor_scan_file(struct nilfs_sc_info *sci,
49245 struct inode *inode,
49246 - struct nilfs_sc_operations *sc_ops)
49247 + const struct nilfs_sc_operations *sc_ops)
49248 {
49249 LIST_HEAD(data_buffers);
49250 LIST_HEAD(node_buffers);
49251 @@ -1475,7 +1475,7 @@ nilfs_segctor_update_payload_blocknr(str
49252 sector_t blocknr;
49253 unsigned long nfinfo = segbuf->sb_sum.nfinfo;
49254 unsigned long nblocks = 0, ndatablk = 0;
49255 - struct nilfs_sc_operations *sc_op = NULL;
49256 + const struct nilfs_sc_operations *sc_op = NULL;
49257 struct nilfs_segsum_pointer ssp;
49258 struct nilfs_finfo *finfo = NULL;
49259 union nilfs_binfo binfo;
49260 diff -urNp linux-2.6.39.3/fs/notify/dnotify/dnotify.c linux-2.6.39.3/fs/notify/dnotify/dnotify.c
49261 --- linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-19 00:06:34.000000000 -0400
49262 +++ linux-2.6.39.3/fs/notify/dnotify/dnotify.c 2011-05-22 19:36:32.000000000 -0400
49263 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
49264 kmem_cache_free(dnotify_mark_cache, dn_mark);
49265 }
49266
49267 -static struct fsnotify_ops dnotify_fsnotify_ops = {
49268 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
49269 .handle_event = dnotify_handle_event,
49270 .should_send_event = dnotify_should_send_event,
49271 .free_group_priv = NULL,
49272 diff -urNp linux-2.6.39.3/fs/notify/notification.c linux-2.6.39.3/fs/notify/notification.c
49273 --- linux-2.6.39.3/fs/notify/notification.c 2011-05-19 00:06:34.000000000 -0400
49274 +++ linux-2.6.39.3/fs/notify/notification.c 2011-05-22 19:36:32.000000000 -0400
49275 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49276 * get set to 0 so it will never get 'freed'
49277 */
49278 static struct fsnotify_event *q_overflow_event;
49279 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49280 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49281
49282 /**
49283 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49284 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49285 */
49286 u32 fsnotify_get_cookie(void)
49287 {
49288 - return atomic_inc_return(&fsnotify_sync_cookie);
49289 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49290 }
49291 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49292
49293 diff -urNp linux-2.6.39.3/fs/ntfs/dir.c linux-2.6.39.3/fs/ntfs/dir.c
49294 --- linux-2.6.39.3/fs/ntfs/dir.c 2011-05-19 00:06:34.000000000 -0400
49295 +++ linux-2.6.39.3/fs/ntfs/dir.c 2011-05-22 19:36:32.000000000 -0400
49296 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
49297 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49298 ~(s64)(ndir->itype.index.block_size - 1)));
49299 /* Bounds checks. */
49300 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49301 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49302 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49303 "inode 0x%lx or driver bug.", vdir->i_ino);
49304 goto err_out;
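Review bot: The added `!kaddr` test runs only after `kaddr` has been used to compute `ia` in the assignment just above it. A null mapping is then reported with the "Corrupt directory inode ... or driver bug" message, which points at the wrong cause. A separate check placed before the `ia = ...` assignment, with its own message, keeps the pointer arithmetic off a null base and the log accurate, for example `if (unlikely(!kaddr)) { ntfs_error(sb, "Failed to map index page."); goto err_out; }`. Where `kaddr` is assigned is outside the hunk, so whether it can be null at all should be confirmed there.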
49305 diff -urNp linux-2.6.39.3/fs/ntfs/file.c linux-2.6.39.3/fs/ntfs/file.c
49306 --- linux-2.6.39.3/fs/ntfs/file.c 2011-05-19 00:06:34.000000000 -0400
49307 +++ linux-2.6.39.3/fs/ntfs/file.c 2011-05-22 19:36:32.000000000 -0400
49308 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
49309 #endif /* NTFS_RW */
49310 };
49311
49312 -const struct file_operations ntfs_empty_file_ops = {};
49313 +const struct file_operations ntfs_empty_file_ops __read_only;
49314
49315 -const struct inode_operations ntfs_empty_inode_ops = {};
49316 +const struct inode_operations ntfs_empty_inode_ops __read_only;
49317 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c
49318 --- linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-19 00:06:34.000000000 -0400
49319 +++ linux-2.6.39.3/fs/ocfs2/cluster/heartbeat.c 2011-05-22 19:36:32.000000000 -0400
49320 @@ -2261,7 +2261,7 @@ static struct configfs_item_operations o
49321 .store_attribute = o2hb_heartbeat_group_store,
49322 };
49323
49324 -static struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49325 +static const struct configfs_group_operations o2hb_heartbeat_group_group_ops = {
49326 .make_item = o2hb_heartbeat_group_make_item,
49327 .drop_item = o2hb_heartbeat_group_drop_item,
49328 };
49329 diff -urNp linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c
49330 --- linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-19 00:06:34.000000000 -0400
49331 +++ linux-2.6.39.3/fs/ocfs2/cluster/nodemanager.c 2011-05-22 19:36:32.000000000 -0400
49332 @@ -752,7 +752,7 @@ static void o2nm_node_group_drop_item(st
49333 config_item_put(item);
49334 }
49335
49336 -static struct configfs_group_operations o2nm_node_group_group_ops = {
49337 +static const struct configfs_group_operations o2nm_node_group_group_ops = {
49338 .make_item = o2nm_node_group_make_item,
49339 .drop_item = o2nm_node_group_drop_item,
49340 };
49341 @@ -869,7 +869,7 @@ static void o2nm_cluster_group_drop_item
49342 config_item_put(item);
49343 }
49344
49345 -static struct configfs_group_operations o2nm_cluster_group_group_ops = {
49346 +static const struct configfs_group_operations o2nm_cluster_group_group_ops = {
49347 .make_group = o2nm_cluster_group_make_group,
49348 .drop_item = o2nm_cluster_group_drop_item,
49349 };
49350 diff -urNp linux-2.6.39.3/fs/ocfs2/localalloc.c linux-2.6.39.3/fs/ocfs2/localalloc.c
49351 --- linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-19 00:06:34.000000000 -0400
49352 +++ linux-2.6.39.3/fs/ocfs2/localalloc.c 2011-05-22 19:36:32.000000000 -0400
49353 @@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
49354 goto bail;
49355 }
49356
49357 - atomic_inc(&osb->alloc_stats.moves);
49358 + atomic_inc_unchecked(&osb->alloc_stats.moves);
49359
49360 bail:
49361 if (handle)
49362 diff -urNp linux-2.6.39.3/fs/ocfs2/namei.c linux-2.6.39.3/fs/ocfs2/namei.c
49363 --- linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-19 00:06:34.000000000 -0400
49364 +++ linux-2.6.39.3/fs/ocfs2/namei.c 2011-05-22 19:36:32.000000000 -0400
49365 @@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
49366 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49367 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49368
49369 + pax_track_stack();
49370 +
49371 /* At some point it might be nice to break this function up a
49372 * bit. */
49373
49374 diff -urNp linux-2.6.39.3/fs/ocfs2/ocfs2.h linux-2.6.39.3/fs/ocfs2/ocfs2.h
49375 --- linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-19 00:06:34.000000000 -0400
49376 +++ linux-2.6.39.3/fs/ocfs2/ocfs2.h 2011-05-22 19:36:32.000000000 -0400
49377 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
49378
49379 struct ocfs2_alloc_stats
49380 {
49381 - atomic_t moves;
49382 - atomic_t local_data;
49383 - atomic_t bitmap_data;
49384 - atomic_t bg_allocs;
49385 - atomic_t bg_extends;
49386 + atomic_unchecked_t moves;
49387 + atomic_unchecked_t local_data;
49388 + atomic_unchecked_t bitmap_data;
49389 + atomic_unchecked_t bg_allocs;
49390 + atomic_unchecked_t bg_extends;
49391 };
49392
49393 enum ocfs2_local_alloc_state
49394 diff -urNp linux-2.6.39.3/fs/ocfs2/stackglue.h linux-2.6.39.3/fs/ocfs2/stackglue.h
49395 --- linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-19 00:06:34.000000000 -0400
49396 +++ linux-2.6.39.3/fs/ocfs2/stackglue.h 2011-05-22 19:36:32.000000000 -0400
49397 @@ -221,13 +221,13 @@ struct ocfs2_stack_operations {
49398 };
49399
49400 /*
49401 - * Each stack plugin must describe itself by registering a
49402 + * Each stack plugin must describe itself by registerin const g a
49403 * ocfs2_stack_plugin structure. This is only seen by stackglue and the
49404 * stack driver.
49405 */
49406 struct ocfs2_stack_plugin {
49407 char *sp_name;
49408 - struct ocfs2_stack_operations *sp_ops;
49409 + const struct ocfs2_stack_operations *sp_ops;
49410 struct module *sp_owner;
49411
49412 /* These are managed by the stackglue code. */
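Review bot: The comment line changed by this hunk is corrupted: `registering a` became `registerin const g a`, apparently a `const` insertion that landed inside the word. The line should be left as it was, `* Each stack plugin must describe itself by registering a`. Only the `sp_ops` member further down needs the new qualifier.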
49413 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_o2cb.c linux-2.6.39.3/fs/ocfs2/stack_o2cb.c
49414 --- linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-05-19 00:06:34.000000000 -0400
49415 +++ linux-2.6.39.3/fs/ocfs2/stack_o2cb.c 2011-06-07 18:07:24.000000000 -0400
49416 @@ -358,7 +358,7 @@ static int o2cb_cluster_this_node(unsign
49417 return 0;
49418 }
49419
49420 -static struct ocfs2_stack_operations o2cb_stack_ops = {
49421 +static const struct ocfs2_stack_operations o2cb_stack_ops = {
49422 .connect = o2cb_cluster_connect,
49423 .disconnect = o2cb_cluster_disconnect,
49424 .this_node = o2cb_cluster_this_node,
49425 diff -urNp linux-2.6.39.3/fs/ocfs2/stack_user.c linux-2.6.39.3/fs/ocfs2/stack_user.c
49426 --- linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-19 00:06:34.000000000 -0400
49427 +++ linux-2.6.39.3/fs/ocfs2/stack_user.c 2011-05-22 19:36:32.000000000 -0400
49428 @@ -399,7 +399,7 @@ static int ocfs2_control_do_setversion_m
49429 long major, minor;
49430 char *ptr = NULL;
49431 struct ocfs2_control_private *p = file->private_data;
49432 - struct ocfs2_protocol_version *max =
49433 + const struct ocfs2_protocol_version *max =
49434 &ocfs2_user_plugin.sp_max_proto;
49435
49436 if (ocfs2_control_get_handshake_state(file) !=
49437 @@ -861,7 +861,7 @@ static int user_cluster_this_node(unsign
49438 return 0;
49439 }
49440
49441 -static struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49442 +static const struct ocfs2_stack_operations ocfs2_user_plugin_ops = {
49443 .connect = user_cluster_connect,
49444 .disconnect = user_cluster_disconnect,
49445 .this_node = user_cluster_this_node,
49446 diff -urNp linux-2.6.39.3/fs/ocfs2/suballoc.c linux-2.6.39.3/fs/ocfs2/suballoc.c
49447 --- linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-19 00:06:34.000000000 -0400
49448 +++ linux-2.6.39.3/fs/ocfs2/suballoc.c 2011-05-22 19:36:32.000000000 -0400
49449 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
49450 mlog_errno(status);
49451 goto bail;
49452 }
49453 - atomic_inc(&osb->alloc_stats.bg_extends);
49454 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49455
49456 /* You should never ask for this much metadata */
49457 BUG_ON(bits_wanted >
49458 @@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
49459 mlog_errno(status);
49460 goto bail;
49461 }
49462 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49463 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49464
49465 *suballoc_loc = res.sr_bg_blkno;
49466 *suballoc_bit_start = res.sr_bit_offset;
49467 @@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
49468 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
49469 res->sr_bits);
49470
49471 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49472 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49473
49474 BUG_ON(res->sr_bits != 1);
49475
49476 @@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
49477 mlog_errno(status);
49478 goto bail;
49479 }
49480 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49481 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
49482
49483 BUG_ON(res.sr_bits != 1);
49484
49485 @@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
49486 cluster_start,
49487 num_clusters);
49488 if (!status)
49489 - atomic_inc(&osb->alloc_stats.local_data);
49490 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49491 } else {
49492 if (min_clusters > (osb->bitmap_cpg - 1)) {
49493 /* The only paths asking for contiguousness
49494 @@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
49495 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49496 res.sr_bg_blkno,
49497 res.sr_bit_offset);
49498 - atomic_inc(&osb->alloc_stats.bitmap_data);
49499 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49500 *num_clusters = res.sr_bits;
49501 }
49502 }
49503 diff -urNp linux-2.6.39.3/fs/ocfs2/super.c linux-2.6.39.3/fs/ocfs2/super.c
49504 --- linux-2.6.39.3/fs/ocfs2/super.c 2011-05-19 00:06:34.000000000 -0400
49505 +++ linux-2.6.39.3/fs/ocfs2/super.c 2011-05-22 19:36:32.000000000 -0400
49506 @@ -299,11 +299,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49507 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49508 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49509 "Stats",
49510 - atomic_read(&osb->alloc_stats.bitmap_data),
49511 - atomic_read(&osb->alloc_stats.local_data),
49512 - atomic_read(&osb->alloc_stats.bg_allocs),
49513 - atomic_read(&osb->alloc_stats.moves),
49514 - atomic_read(&osb->alloc_stats.bg_extends));
49515 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49516 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49517 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49518 + atomic_read_unchecked(&osb->alloc_stats.moves),
49519 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49520
49521 out += snprintf(buf + out, len - out,
49522 "%10s => State: %u Descriptor: %llu Size: %u bits "
49523 @@ -2111,11 +2111,11 @@ static int ocfs2_initialize_super(struct
49524 spin_lock_init(&osb->osb_xattr_lock);
49525 ocfs2_init_steal_slots(osb);
49526
49527 - atomic_set(&osb->alloc_stats.moves, 0);
49528 - atomic_set(&osb->alloc_stats.local_data, 0);
49529 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49530 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49531 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49532 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49533 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49534 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49535 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49536 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49537
49538 /* Copy the blockcheck stats from the superblock probe */
49539 osb->osb_ecc_stats = *stats;
49540 diff -urNp linux-2.6.39.3/fs/ocfs2/symlink.c linux-2.6.39.3/fs/ocfs2/symlink.c
49541 --- linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-19 00:06:34.000000000 -0400
49542 +++ linux-2.6.39.3/fs/ocfs2/symlink.c 2011-05-22 19:36:32.000000000 -0400
49543 @@ -142,7 +142,7 @@ bail:
49544
49545 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49546 {
49547 - char *link = nd_get_link(nd);
49548 + const char *link = nd_get_link(nd);
49549 if (!IS_ERR(link))
49550 kfree(link);
49551 }
49552 diff -urNp linux-2.6.39.3/fs/open.c linux-2.6.39.3/fs/open.c
49553 --- linux-2.6.39.3/fs/open.c 2011-05-19 00:06:34.000000000 -0400
49554 +++ linux-2.6.39.3/fs/open.c 2011-05-22 20:46:51.000000000 -0400
49555 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
49556 error = locks_verify_truncate(inode, NULL, length);
49557 if (!error)
49558 error = security_path_truncate(&path);
49559 +
49560 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49561 + error = -EACCES;
49562 +
49563 if (!error)
49564 error = do_truncate(path.dentry, length, 0, NULL);
49565
49566 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49567 if (__mnt_is_readonly(path.mnt))
49568 res = -EROFS;
49569
49570 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49571 + res = -EACCES;
49572 +
49573 out_path_release:
49574 path_put(&path);
49575 out:
49576 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49577 if (error)
49578 goto dput_and_out;
49579
49580 + gr_log_chdir(path.dentry, path.mnt);
49581 +
49582 set_fs_pwd(current->fs, &path);
49583
49584 dput_and_out:
49585 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49586 goto out_putf;
49587
49588 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
49589 +
49590 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49591 + error = -EPERM;
49592 +
49593 + if (!error)
49594 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49595 +
49596 if (!error)
49597 set_fs_pwd(current->fs, &file->f_path);
49598 out_putf:
49599 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
49600 if (error)
49601 goto dput_and_out;
49602
49603 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49604 + goto dput_and_out;
49605 +
49606 + if (gr_handle_chroot_caps(&path)) {
49607 + error = -ENOMEM;
49608 + goto dput_and_out;
49609 + }
49610 +
49611 set_fs_root(current->fs, &path);
49612 +
49613 + gr_handle_chroot_chdir(&path);
49614 +
49615 error = 0;
49616 dput_and_out:
49617 path_put(&path);
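Review bot: The new `gr_handle_chroot_chroot()` branch jumps to `dput_and_out` without assigning `error`, and the line just above it (`if (error) goto dput_and_out;`) means `error` is 0 at that point. As far as the hunk shows, a refused chroot would therefore be reported to the caller as success while the root is left unchanged. Set the code explicitly, e.g. `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`, or add a comment if returning 0 on refusal is intended. The return statement itself lies outside the hunk, so this should be confirmed against the full function.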
49618 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49619 err = mnt_want_write_file(file);
49620 if (err)
49621 goto out_putf;
49622 +
49623 mutex_lock(&inode->i_mutex);
49624 +
49625 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
49626 + err = -EACCES;
49627 + goto out_unlock;
49628 + }
49629 +
49630 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
49631 if (err)
49632 goto out_unlock;
49633 if (mode == (mode_t) -1)
49634 mode = inode->i_mode;
49635 +
49636 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
49637 + err = -EACCES;
49638 + goto out_unlock;
49639 + }
49640 +
49641 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49642 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49643 err = notify_change(dentry, &newattrs);
49644 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49645 error = mnt_want_write(path.mnt);
49646 if (error)
49647 goto dput_and_out;
49648 +
49649 mutex_lock(&inode->i_mutex);
49650 +
49651 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49652 + error = -EACCES;
49653 + goto out_unlock;
49654 + }
49655 +
49656 error = security_path_chmod(path.dentry, path.mnt, mode);
49657 if (error)
49658 goto out_unlock;
49659 if (mode == (mode_t) -1)
49660 mode = inode->i_mode;
49661 +
49662 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49663 + error = -EACCES;
49664 + goto out_unlock;
49665 + }
49666 +
49667 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49668 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49669 error = notify_change(path.dentry, &newattrs);
49670 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
49671 int error;
49672 struct iattr newattrs;
49673
49674 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
49675 + return -EACCES;
49676 +
49677 newattrs.ia_valid = ATTR_CTIME;
49678 if (user != (uid_t) -1) {
49679 newattrs.ia_valid |= ATTR_UID;
49680 @@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
49681 if (!IS_ERR(tmp)) {
49682 fd = get_unused_fd_flags(flags);
49683 if (fd >= 0) {
49684 - struct file *f = do_filp_open(dfd, tmp, &op, lookup);
49685 + struct file *f;
49686 + /* don't allow to be set by userland */
49687 + flags &= ~FMODE_GREXEC;
49688 + f = do_filp_open(dfd, tmp, &op, lookup);
49689 if (IS_ERR(f)) {
49690 put_unused_fd(fd);
49691 fd = PTR_ERR(f);
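Review bot: The added `flags &= ~FMODE_GREXEC;` appears to have no effect on the open, because the next line passes `&op` and `lookup` to `do_filp_open()`, not `flags`, and `flags` was already consumed by `get_unused_fd_flags(flags)` two lines earlier. `op` is built outside this hunk; if it is derived from `flags` before this point, a userland-supplied bit is still present in what `do_filp_open()` sees. The mask belongs at the top of `do_sys_open()`, before `op` is filled in, with the comment expanded to something like `/* FMODE_GREXEC is kernel-internal; strip it before the open flags are built */`.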
49692 diff -urNp linux-2.6.39.3/fs/partitions/ldm.c linux-2.6.39.3/fs/partitions/ldm.c
49693 --- linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:04:14.000000000 -0400
49694 +++ linux-2.6.39.3/fs/partitions/ldm.c 2011-06-03 00:32:07.000000000 -0400
49695 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49696 ldm_error ("A VBLK claims to have %d parts.", num);
49697 return false;
49698 }
49699 +
49700 if (rec >= num) {
49701 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49702 return false;
49703 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49704 goto found;
49705 }
49706
49707 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49708 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49709 if (!f) {
49710 ldm_crit ("Out of memory.");
49711 return false;
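Review bot: Swapping the operands to `size*num + sizeof (*f)` yields the same value as before, so the allocation size is still unchecked arithmetic and the reason for the reorder is not recorded. `ldm_frag_add()` takes `const u8 *data`, so `size` and `num` presumably come from on-disk metadata; only the `rec >= num` test is visible in the previous hunk. If the reorder exists to help a static or instrumented overflow check, say so in a comment. Otherwise bound the product before the call, for example by rejecting `num` when `size` is non-zero and `num > (INT_MAX - sizeof (*f)) / size`. The function continues outside the hunk.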
49712 diff -urNp linux-2.6.39.3/fs/pipe.c linux-2.6.39.3/fs/pipe.c
49713 --- linux-2.6.39.3/fs/pipe.c 2011-05-19 00:06:34.000000000 -0400
49714 +++ linux-2.6.39.3/fs/pipe.c 2011-05-22 19:41:37.000000000 -0400
49715 @@ -420,9 +420,9 @@ redo:
49716 }
49717 if (bufs) /* More to do? */
49718 continue;
49719 - if (!pipe->writers)
49720 + if (!atomic_read(&pipe->writers))
49721 break;
49722 - if (!pipe->waiting_writers) {
49723 + if (!atomic_read(&pipe->waiting_writers)) {
49724 /* syscall merging: Usually we must not sleep
49725 * if O_NONBLOCK is set, or if we got some data.
49726 * But if a writer sleeps in kernel space, then
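Review bot: Nothing in this file's hunks says why `readers`, `writers` and `waiting_writers` become `atomic_t`, starting with the `atomic_read()` calls here. In the `pipe_write` and `pipe_release` hunks the same counters are read and changed after `mutex_lock(&inode->i_mutex)`, so the conversion is presumably not for concurrency. A comment at the field declarations should state the reason (presumably overflow detection on the counters, to be confirmed) and that `i_mutex` still serialises the updates. In `pipe_release` the pair `atomic_sub()` followed by `atomic_read()` is only equivalent to the old code because of that mutex, which is worth a one-line note there too.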
49727 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
49728 mutex_lock(&inode->i_mutex);
49729 pipe = inode->i_pipe;
49730
49731 - if (!pipe->readers) {
49732 + if (!atomic_read(&pipe->readers)) {
49733 send_sig(SIGPIPE, current, 0);
49734 ret = -EPIPE;
49735 goto out;
49736 @@ -530,7 +530,7 @@ redo1:
49737 for (;;) {
49738 int bufs;
49739
49740 - if (!pipe->readers) {
49741 + if (!atomic_read(&pipe->readers)) {
49742 send_sig(SIGPIPE, current, 0);
49743 if (!ret)
49744 ret = -EPIPE;
49745 @@ -616,9 +616,9 @@ redo2:
49746 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
49747 do_wakeup = 0;
49748 }
49749 - pipe->waiting_writers++;
49750 + atomic_inc(&pipe->waiting_writers);
49751 pipe_wait(pipe);
49752 - pipe->waiting_writers--;
49753 + atomic_dec(&pipe->waiting_writers);
49754 }
49755 out:
49756 mutex_unlock(&inode->i_mutex);
49757 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
49758 mask = 0;
49759 if (filp->f_mode & FMODE_READ) {
49760 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
49761 - if (!pipe->writers && filp->f_version != pipe->w_counter)
49762 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
49763 mask |= POLLHUP;
49764 }
49765
49766 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
49767 * Most Unices do not set POLLERR for FIFOs but on Linux they
49768 * behave exactly like pipes for poll().
49769 */
49770 - if (!pipe->readers)
49771 + if (!atomic_read(&pipe->readers))
49772 mask |= POLLERR;
49773 }
49774
49775 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
49776
49777 mutex_lock(&inode->i_mutex);
49778 pipe = inode->i_pipe;
49779 - pipe->readers -= decr;
49780 - pipe->writers -= decw;
49781 + atomic_sub(decr, &pipe->readers);
49782 + atomic_sub(decw, &pipe->writers);
49783
49784 - if (!pipe->readers && !pipe->writers) {
49785 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
49786 free_pipe_info(inode);
49787 } else {
49788 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
49789 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
49790
49791 if (inode->i_pipe) {
49792 ret = 0;
49793 - inode->i_pipe->readers++;
49794 + atomic_inc(&inode->i_pipe->readers);
49795 }
49796
49797 mutex_unlock(&inode->i_mutex);
49798 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
49799
49800 if (inode->i_pipe) {
49801 ret = 0;
49802 - inode->i_pipe->writers++;
49803 + atomic_inc(&inode->i_pipe->writers);
49804 }
49805
49806 mutex_unlock(&inode->i_mutex);
49807 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
49808 if (inode->i_pipe) {
49809 ret = 0;
49810 if (filp->f_mode & FMODE_READ)
49811 - inode->i_pipe->readers++;
49812 + atomic_inc(&inode->i_pipe->readers);
49813 if (filp->f_mode & FMODE_WRITE)
49814 - inode->i_pipe->writers++;
49815 + atomic_inc(&inode->i_pipe->writers);
49816 }
49817
49818 mutex_unlock(&inode->i_mutex);
49819 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
49820 inode->i_pipe = NULL;
49821 }
49822
49823 -static struct vfsmount *pipe_mnt __read_mostly;
49824 +struct vfsmount *pipe_mnt __read_mostly;
49825
49826 /*
49827 * pipefs_dname() is called from d_path().
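Review bot: Dropping `static` from `pipe_mnt` widens a file-local pointer to a kernel-wide symbol, and this section shows neither a declaration nor a consumer. Any code outside pipe.c that needs it should get it through `extern struct vfsmount *pipe_mnt;` in a shared header, and the definition should carry a comment naming that user. If only a comparison against the pipefs mount is needed, a small accessor would keep the pointer itself private to pipe.c.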
49828 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
49829 goto fail_iput;
49830 inode->i_pipe = pipe;
49831
49832 - pipe->readers = pipe->writers = 1;
49833 + atomic_set(&pipe->readers, 1);
49834 + atomic_set(&pipe->writers, 1);
49835 inode->i_fop = &rdwr_pipefifo_fops;
49836
49837 /*
49838 diff -urNp linux-2.6.39.3/fs/proc/array.c linux-2.6.39.3/fs/proc/array.c
49839 --- linux-2.6.39.3/fs/proc/array.c 2011-05-19 00:06:34.000000000 -0400
49840 +++ linux-2.6.39.3/fs/proc/array.c 2011-05-22 19:41:37.000000000 -0400
49841 @@ -60,6 +60,7 @@
49842 #include <linux/tty.h>
49843 #include <linux/string.h>
49844 #include <linux/mman.h>
49845 +#include <linux/grsecurity.h>
49846 #include <linux/proc_fs.h>
49847 #include <linux/ioport.h>
49848 #include <linux/uaccess.h>
49849 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
49850 seq_putc(m, '\n');
49851 }
49852
49853 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49854 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
49855 +{
49856 + if (p->mm)
49857 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
49858 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
49859 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
49860 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
49861 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
49862 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
49863 + else
49864 + seq_printf(m, "PaX:\t-----\n");
49865 +}
49866 +#endif
49867 +
49868 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
49869 struct pid *pid, struct task_struct *task)
49870 {
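Review bot: `task_pax()` tests `p->mm` and then dereferences `p->mm` five more times with no lock or reference visible, so the pointer can change between the test and the reads if the task exits while its status file is being read. Taking a reference with `get_task_mm()` and dropping it with `mmput()` pins the mm for the duration of the print and reads the flags from one consistent object. Note that `get_task_mm()` also returns NULL for kernel threads, which then print the `-----` line.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```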
49871 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
49872 task_cpus_allowed(m, task);
49873 cpuset_task_status_allowed(m, task);
49874 task_context_switch_counts(m, task);
49875 +
49876 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49877 + task_pax(m, task);
49878 +#endif
49879 +
49880 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
49881 + task_grsec_rbac(m, task);
49882 +#endif
49883 +
49884 return 0;
49885 }
49886
49887 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49888 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49889 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49890 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49891 +#endif
49892 +
49893 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
49894 struct pid *pid, struct task_struct *task, int whole)
49895 {
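Review bot: `PAX_RAND_FLAGS` uses its argument unparenthesised (`_mm != NULL`, `_mm->pax_flags`) and evaluates it up to four times. The identical macro is also defined a second time in the fs/proc/base.c hunk before `proc_pid_auxv`. A single `static inline` predicate in fs/proc/internal.h would remove the duplicate and the macro hazards. If the macro stays, write the argument as `(_mm)` throughout. Either form needs a comment stating the rule it encodes: the values are hidden only when the target mm is not the reader's own and has RANDMMAP or SEGMEXEC set.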
49896 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
49897 cputime_t cutime, cstime, utime, stime;
49898 cputime_t cgtime, gtime;
49899 unsigned long rsslim = 0;
49900 - char tcomm[sizeof(task->comm)];
49901 + char tcomm[sizeof(task->comm)] = { 0 };
49902 unsigned long flags;
49903
49904 + pax_track_stack();
49905 +
49906 state = *get_task_state(task);
49907 vsize = eip = esp = 0;
49908 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
49909 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
49910 gtime = task->gtime;
49911 }
49912
49913 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49914 + if (PAX_RAND_FLAGS(mm)) {
49915 + eip = 0;
49916 + esp = 0;
49917 + wchan = 0;
49918 + }
49919 +#endif
49920 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49921 + wchan = 0;
49922 + eip =0;
49923 + esp =0;
49924 +#endif
49925 +
49926 /* scale priority and nice values from timeslices to -20..20 */
49927 /* to make it look like a "normal" Unix priority/nice value */
49928 priority = task_prio(task);
49929 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
49930 vsize,
49931 mm ? get_mm_rss(mm) : 0,
49932 rsslim,
49933 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49934 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
49935 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
49936 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
49937 +#else
49938 mm ? (permitted ? mm->start_code : 1) : 0,
49939 mm ? (permitted ? mm->end_code : 1) : 0,
49940 (permitted && mm) ? mm->start_stack : 0,
49941 +#endif
49942 esp,
49943 eip,
49944 /* The signal information here is obsolete.
49945 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
49946
49947 return 0;
49948 }
49949 +
49950 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49951 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
49952 +{
49953 + u32 curr_ip = 0;
49954 + unsigned long flags;
49955 +
49956 + if (lock_task_sighand(task, &flags)) {
49957 + curr_ip = task->signal->curr_ip;
49958 + unlock_task_sighand(task, &flags);
49959 + }
49960 +
49961 + return sprintf(buffer, "%pI4\n", &curr_ip);
49962 +}
49963 +#endif
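Review bot: `proc_pid_ipaddr()` has no comment, and its failure case is silent. When `lock_task_sighand()` fails, `curr_ip` keeps its initial 0 and the file prints `0.0.0.0`, which a reader cannot tell apart from a task with no recorded address. A header comment should say what `signal->curr_ip` holds, that 0.0.0.0 means unknown or unavailable, and that `buffer` is expected to be the caller's page-sized buffer (the caller is outside this hunk). Since the value identifies a remote peer, the comment should also point at the `S_IRUSR` mode used where the entry is registered in fs/proc/base.c.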
49964 diff -urNp linux-2.6.39.3/fs/proc/base.c linux-2.6.39.3/fs/proc/base.c
49965 --- linux-2.6.39.3/fs/proc/base.c 2011-05-19 00:06:34.000000000 -0400
49966 +++ linux-2.6.39.3/fs/proc/base.c 2011-06-04 21:20:04.000000000 -0400
49967 @@ -104,6 +104,22 @@ struct pid_entry {
49968 union proc_op op;
49969 };
49970
49971 +struct getdents_callback {
49972 + struct linux_dirent __user * current_dir;
49973 + struct linux_dirent __user * previous;
49974 + struct file * file;
49975 + int count;
49976 + int error;
49977 +};
49978 +
49979 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
49980 + loff_t offset, u64 ino, unsigned int d_type)
49981 +{
49982 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
49983 + buf->error = -EINVAL;
49984 + return 0;
49985 +}
49986 +
49987 #define NOD(NAME, MODE, IOP, FOP, OP) { \
49988 .name = (NAME), \
49989 .len = sizeof(NAME) - 1, \
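Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a file-local `struct getdents_callback` and writes `buf->error`, which is only correct if every readdir caller passes a buffer with `error` at the same offset as this private copy. The hunk shows nothing that guarantees this, and a local copy can drift from the definition it mirrors. Callers with a differently shaped buffer would have an unrelated field overwritten. Take the struct from one shared definition instead of copying it, and add a comment on `gr_fake_filldir()` stating which callers it is valid for and why it returns 0 while setting `-EINVAL`.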
49990 @@ -206,6 +222,9 @@ static struct mm_struct *__check_mem_per
49991 if (task == current)
49992 return mm;
49993
49994 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
49995 + return ERR_PTR(-EPERM);
49996 +
49997 /*
49998 * If current is actively ptrace'ing, and would also be
49999 * permitted to freshly attach with ptrace now, permit it.
50000 @@ -279,6 +298,9 @@ static int proc_pid_cmdline(struct task_
50001 if (!mm->arg_end)
50002 goto out_mm; /* Shh! No looking before we're done */
50003
50004 + if (gr_acl_handle_procpidmem(task))
50005 + goto out_mm;
50006 +
50007 len = mm->arg_end - mm->arg_start;
50008
50009 if (len > PAGE_SIZE)
50010 @@ -306,12 +328,28 @@ out:
50011 return res;
50012 }
50013
50014 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50015 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50016 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50017 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50018 +#endif
50019 +
50020 static int proc_pid_auxv(struct task_struct *task, char *buffer)
50021 {
50022 struct mm_struct *mm = mm_for_maps(task);
50023 int res = PTR_ERR(mm);
50024 if (mm && !IS_ERR(mm)) {
50025 unsigned int nwords = 0;
50026 +
50027 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50028 + /* allow if we're currently ptracing this task */
50029 + if (PAX_RAND_FLAGS(mm) &&
50030 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
50031 + mmput(mm);
50032 + return res;
50033 + }
50034 +#endif
50035 +
50036 do {
50037 nwords += 2;
50038 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
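Review bot: The new early exit in `proc_pid_auxv()` does `return res;` while `res` still holds `PTR_ERR(mm)` from the declaration. That branch is only reached when `mm` is a valid pointer (`mm && !IS_ERR(mm)`), so the value returned is the mm address truncated to `int`, not an error code or a length. The caller is outside the hunk, but a return value derived from a kernel pointer is wrong whether it is treated as a length or as an error. Return an explicit result, e.g. `return 0;` for an empty file or a negative errno such as `-EPERM`.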
50039 @@ -325,7 +363,7 @@ static int proc_pid_auxv(struct task_str
50040 }
50041
50042
50043 -#ifdef CONFIG_KALLSYMS
50044 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50045 /*
50046 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
50047 * Returns the resolved symbol. If that fails, simply return the address.
50048 @@ -364,7 +402,7 @@ static void unlock_trace(struct task_str
50049 mutex_unlock(&task->signal->cred_guard_mutex);
50050 }
50051
50052 -#ifdef CONFIG_STACKTRACE
50053 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50054
50055 #define MAX_STACK_TRACE_DEPTH 64
50056
50057 @@ -555,7 +593,7 @@ static int proc_pid_limits(struct task_s
50058 return count;
50059 }
50060
50061 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50062 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50063 static int proc_pid_syscall(struct task_struct *task, char *buffer)
50064 {
50065 long nr;
50066 @@ -584,7 +622,7 @@ static int proc_pid_syscall(struct task_
50067 /************************************************************************/
50068
50069 /* permission checks */
50070 -static int proc_fd_access_allowed(struct inode *inode)
50071 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
50072 {
50073 struct task_struct *task;
50074 int allowed = 0;
50075 @@ -594,7 +632,10 @@ static int proc_fd_access_allowed(struct
50076 */
50077 task = get_proc_task(inode);
50078 if (task) {
50079 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50080 + if (log)
50081 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
50082 + else
50083 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50084 put_task_struct(task);
50085 }
50086 return allowed;
50087 @@ -973,6 +1014,9 @@ static ssize_t environ_read(struct file
50088 if (!task)
50089 goto out_no_task;
50090
50091 + if (gr_acl_handle_procpidmem(task))
50092 + goto out;
50093 +
50094 ret = -ENOMEM;
50095 page = (char *)__get_free_page(GFP_TEMPORARY);
50096 if (!page)
50097 @@ -1660,7 +1704,7 @@ static void *proc_pid_follow_link(struct
50098 path_put(&nd->path);
50099
50100 /* Are we allowed to snoop on the tasks file descriptors? */
50101 - if (!proc_fd_access_allowed(inode))
50102 + if (!proc_fd_access_allowed(inode,0))
50103 goto out;
50104
50105 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
50106 @@ -1699,8 +1743,18 @@ static int proc_pid_readlink(struct dent
50107 struct path path;
50108
50109 /* Are we allowed to snoop on the tasks file descriptors? */
50110 - if (!proc_fd_access_allowed(inode))
50111 - goto out;
50112 + /* logging this is needed for learning on chromium to work properly,
50113 + but we don't want to flood the logs from 'ps' which does a readlink
50114 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
50115 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
50116 + */
50117 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
50118 + if (!proc_fd_access_allowed(inode,0))
50119 + goto out;
50120 + } else {
50121 + if (!proc_fd_access_allowed(inode,1))
50122 + goto out;
50123 + }
50124
50125 error = PROC_I(inode)->op.proc_get_link(inode, &path);
50126 if (error)
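Review bot: The two branches added to `proc_pid_readlink()` differ only in the logging argument, so the if/else duplicates the check and the `goto`. Computing the flag once is clearer: `log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. The test matches on the dentry name alone, so it applies to any link named "2" that reaches this function, not only an fd entry; the comment should say so or the test should be tightened. The comment's `/proc/fd/2` presumably means `/proc/<pid>/fd/2`.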
50127 @@ -1766,7 +1820,11 @@ static struct inode *proc_pid_make_inode
50128 rcu_read_lock();
50129 cred = __task_cred(task);
50130 inode->i_uid = cred->euid;
50131 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50132 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50133 +#else
50134 inode->i_gid = cred->egid;
50135 +#endif
50136 rcu_read_unlock();
50137 }
50138 security_task_to_inode(task, inode);
50139 @@ -1784,6 +1842,9 @@ static int pid_getattr(struct vfsmount *
50140 struct inode *inode = dentry->d_inode;
50141 struct task_struct *task;
50142 const struct cred *cred;
50143 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50144 + const struct cred *tmpcred = current_cred();
50145 +#endif
50146
50147 generic_fillattr(inode, stat);
50148
50149 @@ -1791,13 +1852,41 @@ static int pid_getattr(struct vfsmount *
50150 stat->uid = 0;
50151 stat->gid = 0;
50152 task = pid_task(proc_pid(inode), PIDTYPE_PID);
50153 +
50154 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
50155 + rcu_read_unlock();
50156 + return -ENOENT;
50157 + }
50158 +
50159 if (task) {
50160 + cred = __task_cred(task);
50161 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50162 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
50163 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50164 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50165 +#endif
50166 + ) {
50167 +#endif
50168 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50169 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50170 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50171 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50172 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50173 +#endif
50174 task_dumpable(task)) {
50175 - cred = __task_cred(task);
50176 stat->uid = cred->euid;
50177 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50178 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
50179 +#else
50180 stat->gid = cred->egid;
50181 +#endif
50182 }
50183 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50184 + } else {
50185 + rcu_read_unlock();
50186 + return -ENOENT;
50187 + }
50188 +#endif
50189 }
50190 rcu_read_unlock();
50191 return 0;
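Review bot: The visibility rule added to `pid_getattr()` is spelled out inline, with the `if (...) {` opened inside one `#if` block and closed by `} else {` inside another, which makes the brace structure hard to verify for each config combination. The same rule appears again, negated, in the `proc_pid_readdir` hunk (`tmpcred->uid && (itercred->uid != tmpcred->uid) && !in_group_p(...)`). A single static inline helper taking the viewer's and the target's `cred`, with the `#ifdef`s inside it, would keep the two sites in agreement and let both callers use plain C control flow. It would also reduce the two added `rcu_read_unlock(); return -ENOENT;` exits here to one.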
50192 @@ -1834,11 +1923,20 @@ static int pid_revalidate(struct dentry
50193
50194 if (task) {
50195 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50196 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50197 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50198 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50199 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50200 +#endif
50201 task_dumpable(task)) {
50202 rcu_read_lock();
50203 cred = __task_cred(task);
50204 inode->i_uid = cred->euid;
50205 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50206 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50207 +#else
50208 inode->i_gid = cred->egid;
50209 +#endif
50210 rcu_read_unlock();
50211 } else {
50212 inode->i_uid = 0;
50213 @@ -1959,7 +2057,8 @@ static int proc_fd_info(struct inode *in
50214 int fd = proc_fd(inode);
50215
50216 if (task) {
50217 - files = get_files_struct(task);
50218 + if (!gr_acl_handle_procpidmem(task))
50219 + files = get_files_struct(task);
50220 put_task_struct(task);
50221 }
50222 if (files) {
50223 @@ -2219,15 +2318,25 @@ static const struct file_operations proc
50224 */
50225 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
50226 {
50227 + struct task_struct *task;
50228 int rv;
50229
50230 if (flags & IPERM_FLAG_RCU)
50231 return -ECHILD;
50232 rv = generic_permission(inode, mask, flags, NULL);
50233 - if (rv == 0)
50234 - return 0;
50235 +
50236 if (task_pid(current) == proc_pid(inode))
50237 rv = 0;
50238 +
50239 + task = get_proc_task(inode);
50240 + if (task == NULL)
50241 + return rv;
50242 +
50243 + if (gr_acl_handle_procpidmem(task))
50244 + rv = -EACCES;
50245 +
50246 + put_task_struct(task);
50247 +
50248 return rv;
50249 }
50250
50251 @@ -2337,6 +2446,9 @@ static struct dentry *proc_pident_lookup
50252 if (!task)
50253 goto out_no_task;
50254
50255 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50256 + goto out;
50257 +
50258 /*
50259 * Yes, it does not scale. And it should not. Don't add
50260 * new entries into /proc/<tgid>/ without very good reasons.
50261 @@ -2381,6 +2493,9 @@ static int proc_pident_readdir(struct fi
50262 if (!task)
50263 goto out_no_task;
50264
50265 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50266 + goto out;
50267 +
50268 ret = 0;
50269 i = filp->f_pos;
50270 switch (i) {
50271 @@ -2651,7 +2766,7 @@ static void *proc_self_follow_link(struc
50272 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50273 void *cookie)
50274 {
50275 - char *s = nd_get_link(nd);
50276 + const char *s = nd_get_link(nd);
50277 if (!IS_ERR(s))
50278 __putname(s);
50279 }
50280 @@ -2835,7 +2950,7 @@ static const struct pid_entry tgid_base_
50281 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
50282 #endif
50283 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50284 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50285 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50286 INF("syscall", S_IRUGO, proc_pid_syscall),
50287 #endif
50288 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50289 @@ -2860,10 +2975,10 @@ static const struct pid_entry tgid_base_
50290 #ifdef CONFIG_SECURITY
50291 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50292 #endif
50293 -#ifdef CONFIG_KALLSYMS
50294 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50295 INF("wchan", S_IRUGO, proc_pid_wchan),
50296 #endif
50297 -#ifdef CONFIG_STACKTRACE
50298 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50299 ONE("stack", S_IRUGO, proc_pid_stack),
50300 #endif
50301 #ifdef CONFIG_SCHEDSTATS
50302 @@ -2894,6 +3009,9 @@ static const struct pid_entry tgid_base_
50303 #ifdef CONFIG_TASK_IO_ACCOUNTING
50304 INF("io", S_IRUGO, proc_tgid_io_accounting),
50305 #endif
50306 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50307 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50308 +#endif
50309 };
50310
50311 static int proc_tgid_base_readdir(struct file * filp,
50312 @@ -3019,7 +3137,14 @@ static struct dentry *proc_pid_instantia
50313 if (!inode)
50314 goto out;
50315
50316 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50317 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50318 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50319 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50320 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50321 +#else
50322 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50323 +#endif
50324 inode->i_op = &proc_tgid_base_inode_operations;
50325 inode->i_fop = &proc_tgid_base_operations;
50326 inode->i_flags|=S_IMMUTABLE;
50327 @@ -3061,7 +3186,11 @@ struct dentry *proc_pid_lookup(struct in
50328 if (!task)
50329 goto out;
50330
50331 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50332 + goto out_put_task;
50333 +
50334 result = proc_pid_instantiate(dir, dentry, task, NULL);
50335 +out_put_task:
50336 put_task_struct(task);
50337 out:
50338 return result;
50339 @@ -3126,6 +3255,11 @@ int proc_pid_readdir(struct file * filp,
50340 {
50341 unsigned int nr;
50342 struct task_struct *reaper;
50343 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50344 + const struct cred *tmpcred = current_cred();
50345 + const struct cred *itercred;
50346 +#endif
50347 + filldir_t __filldir = filldir;
50348 struct tgid_iter iter;
50349 struct pid_namespace *ns;
50350
50351 @@ -3149,8 +3283,27 @@ int proc_pid_readdir(struct file * filp,
50352 for (iter = next_tgid(ns, iter);
50353 iter.task;
50354 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50355 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50356 + rcu_read_lock();
50357 + itercred = __task_cred(iter.task);
50358 +#endif
50359 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50360 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50361 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50362 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50363 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50364 +#endif
50365 + )
50366 +#endif
50367 + )
50368 + __filldir = &gr_fake_filldir;
50369 + else
50370 + __filldir = filldir;
50371 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50372 + rcu_read_unlock();
50373 +#endif
50374 filp->f_pos = iter.tgid + TGID_OFFSET;
50375 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50376 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50377 put_task_struct(iter.task);
50378 goto out;
50379 }
50380 @@ -3177,7 +3330,7 @@ static const struct pid_entry tid_base_s
50381 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50382 #endif
50383 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
50384 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50385 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50386 INF("syscall", S_IRUGO, proc_pid_syscall),
50387 #endif
50388 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50389 @@ -3201,10 +3354,10 @@ static const struct pid_entry tid_base_s
50390 #ifdef CONFIG_SECURITY
50391 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50392 #endif
50393 -#ifdef CONFIG_KALLSYMS
50394 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50395 INF("wchan", S_IRUGO, proc_pid_wchan),
50396 #endif
50397 -#ifdef CONFIG_STACKTRACE
50398 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50399 ONE("stack", S_IRUGO, proc_pid_stack),
50400 #endif
50401 #ifdef CONFIG_SCHEDSTATS
50402 diff -urNp linux-2.6.39.3/fs/proc/cmdline.c linux-2.6.39.3/fs/proc/cmdline.c
50403 --- linux-2.6.39.3/fs/proc/cmdline.c 2011-05-19 00:06:34.000000000 -0400
50404 +++ linux-2.6.39.3/fs/proc/cmdline.c 2011-05-22 19:41:37.000000000 -0400
50405 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
50406
50407 static int __init proc_cmdline_init(void)
50408 {
50409 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50410 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50411 +#else
50412 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50413 +#endif
50414 return 0;
50415 }
50416 module_init(proc_cmdline_init);
50417 diff -urNp linux-2.6.39.3/fs/proc/devices.c linux-2.6.39.3/fs/proc/devices.c
50418 --- linux-2.6.39.3/fs/proc/devices.c 2011-05-19 00:06:34.000000000 -0400
50419 +++ linux-2.6.39.3/fs/proc/devices.c 2011-05-22 19:41:37.000000000 -0400
50420 @@ -64,7 +64,11 @@ static const struct file_operations proc
50421
50422 static int __init proc_devices_init(void)
50423 {
50424 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50425 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50426 +#else
50427 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50428 +#endif
50429 return 0;
50430 }
50431 module_init(proc_devices_init);
50432 diff -urNp linux-2.6.39.3/fs/proc/inode.c linux-2.6.39.3/fs/proc/inode.c
50433 --- linux-2.6.39.3/fs/proc/inode.c 2011-05-19 00:06:34.000000000 -0400
50434 +++ linux-2.6.39.3/fs/proc/inode.c 2011-05-22 19:41:37.000000000 -0400
50435 @@ -433,7 +433,11 @@ struct inode *proc_get_inode(struct supe
50436 if (de->mode) {
50437 inode->i_mode = de->mode;
50438 inode->i_uid = de->uid;
50439 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50440 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50441 +#else
50442 inode->i_gid = de->gid;
50443 +#endif
50444 }
50445 if (de->size)
50446 inode->i_size = de->size;
50447 diff -urNp linux-2.6.39.3/fs/proc/internal.h linux-2.6.39.3/fs/proc/internal.h
50448 --- linux-2.6.39.3/fs/proc/internal.h 2011-05-19 00:06:34.000000000 -0400
50449 +++ linux-2.6.39.3/fs/proc/internal.h 2011-05-22 19:41:37.000000000 -0400
50450 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50451 struct pid *pid, struct task_struct *task);
50452 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50453 struct pid *pid, struct task_struct *task);
50454 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50455 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50456 +#endif
50457 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50458
50459 extern const struct file_operations proc_maps_operations;
50460 diff -urNp linux-2.6.39.3/fs/proc/Kconfig linux-2.6.39.3/fs/proc/Kconfig
50461 --- linux-2.6.39.3/fs/proc/Kconfig 2011-05-19 00:06:34.000000000 -0400
50462 +++ linux-2.6.39.3/fs/proc/Kconfig 2011-05-22 19:41:37.000000000 -0400
50463 @@ -30,12 +30,12 @@ config PROC_FS
50464
50465 config PROC_KCORE
50466 bool "/proc/kcore support" if !ARM
50467 - depends on PROC_FS && MMU
50468 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50469
50470 config PROC_VMCORE
50471 bool "/proc/vmcore support"
50472 - depends on PROC_FS && CRASH_DUMP
50473 - default y
50474 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50475 + default n
50476 help
50477 Exports the dump image of crashed kernel in ELF format.
50478
50479 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50480 limited in memory.
50481
50482 config PROC_PAGE_MONITOR
50483 - default y
50484 - depends on PROC_FS && MMU
50485 + default n
50486 + depends on PROC_FS && MMU && !GRKERNSEC
50487 bool "Enable /proc page monitoring" if EXPERT
50488 help
50489 Various /proc files exist to monitor process memory utilization:
50490 diff -urNp linux-2.6.39.3/fs/proc/kcore.c linux-2.6.39.3/fs/proc/kcore.c
50491 --- linux-2.6.39.3/fs/proc/kcore.c 2011-05-19 00:06:34.000000000 -0400
50492 +++ linux-2.6.39.3/fs/proc/kcore.c 2011-05-22 19:41:37.000000000 -0400
50493 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
50494 off_t offset = 0;
50495 struct kcore_list *m;
50496
50497 + pax_track_stack();
50498 +
50499 /* setup ELF header */
50500 elf = (struct elfhdr *) bufp;
50501 bufp += sizeof(struct elfhdr);
50502 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
50503 * the addresses in the elf_phdr on our list.
50504 */
50505 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50506 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50507 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50508 + if (tsz > buflen)
50509 tsz = buflen;
50510 -
50511 +
50512 while (buflen) {
50513 struct kcore_list *m;
50514
50515 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
50516 kfree(elf_buf);
50517 } else {
50518 if (kern_addr_valid(start)) {
50519 - unsigned long n;
50520 + char *elf_buf;
50521 + mm_segment_t oldfs;
50522
50523 - n = copy_to_user(buffer, (char *)start, tsz);
50524 - /*
50525 - * We cannot distingush between fault on source
50526 - * and fault on destination. When this happens
50527 - * we clear too and hope it will trigger the
50528 - * EFAULT again.
50529 - */
50530 - if (n) {
50531 - if (clear_user(buffer + tsz - n,
50532 - n))
50533 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50534 + if (!elf_buf)
50535 + return -ENOMEM;
50536 + oldfs = get_fs();
50537 + set_fs(KERNEL_DS);
50538 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50539 + set_fs(oldfs);
50540 + if (copy_to_user(buffer, elf_buf, tsz)) {
50541 + kfree(elf_buf);
50542 return -EFAULT;
50543 + }
50544 }
50545 + set_fs(oldfs);
50546 + kfree(elf_buf);
50547 } else {
50548 if (clear_user(buffer, tsz))
50549 return -EFAULT;
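Review bot: When the `__copy_from_user()` from the kernel address fails, the new branch writes nothing to the caller's buffer, whereas the removed code cleared the unread tail with `clear_user()`. If the loop after this hunk still counts `tsz` bytes as read (that part is outside the hunk), user space is told it received a range that was never filled in. Clearing the destination on a source fault keeps the old contract, and restoring the address limit once, directly after the copy, removes the duplicated `set_fs(oldfs)`. The bounce buffer also reuses the name `elf_buf` from the sibling branch that frees the ELF header buffer, so a distinct name would read better.

```c
			if (kern_addr_valid(start)) {
				char *bounce;
				mm_segment_t oldfs;
				unsigned long src_left, dst_left;

				bounce = kmalloc(tsz, GFP_KERNEL);
				if (!bounce)
					return -ENOMEM;
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				src_left = __copy_from_user(bounce, (const void __user *)start, tsz);
				set_fs(oldfs);
				/* source fault: hand back zeroes rather than leave the range untouched */
				if (src_left)
					dst_left = clear_user(buffer, tsz);
				else
					dst_left = copy_to_user(buffer, bounce, tsz);
				kfree(bounce);
				if (dst_left)
					return -EFAULT;
			/* … unchanged: else branch clearing the buffer for invalid addresses … */
```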
50550 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
50551
50552 static int open_kcore(struct inode *inode, struct file *filp)
50553 {
50554 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50555 + return -EPERM;
50556 +#endif
50557 if (!capable(CAP_SYS_RAWIO))
50558 return -EPERM;
50559 if (kcore_need_update)
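Review bot: The unconditional `return -EPERM;` at the top of open_kcore() leaves the `capable(CAP_SYS_RAWIO)` check and everything after it as dead code whenever either option is set, which reads like a mistake and may draw unreachable-code warnings. A short comment would make the intent explicit, for example `/* kcore is refused outright under PROC_ADD or HIDESYM, even with CAP_SYS_RAWIO */`. Putting the remaining body under `#else` would also keep it out of the build. The function continues past the end of the hunk.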
50560 diff -urNp linux-2.6.39.3/fs/proc/meminfo.c linux-2.6.39.3/fs/proc/meminfo.c
50561 --- linux-2.6.39.3/fs/proc/meminfo.c 2011-05-19 00:06:34.000000000 -0400
50562 +++ linux-2.6.39.3/fs/proc/meminfo.c 2011-05-22 19:36:32.000000000 -0400
50563 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50564 unsigned long pages[NR_LRU_LISTS];
50565 int lru;
50566
50567 + pax_track_stack();
50568 +
50569 /*
50570 * display in kilobytes.
50571 */
50572 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
50573 vmi.used >> 10,
50574 vmi.largest_chunk >> 10
50575 #ifdef CONFIG_MEMORY_FAILURE
50576 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50577 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50578 #endif
50579 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
50580 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
50581 diff -urNp linux-2.6.39.3/fs/proc/nommu.c linux-2.6.39.3/fs/proc/nommu.c
50582 --- linux-2.6.39.3/fs/proc/nommu.c 2011-05-19 00:06:34.000000000 -0400
50583 +++ linux-2.6.39.3/fs/proc/nommu.c 2011-05-22 19:36:32.000000000 -0400
50584 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
50585 if (len < 1)
50586 len = 1;
50587 seq_printf(m, "%*c", len, ' ');
50588 - seq_path(m, &file->f_path, "");
50589 + seq_path(m, &file->f_path, "\n\\");
50590 }
50591
50592 seq_putc(m, '\n');
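Review bot: The escape set passed to `seq_path()` changes here from `""` to `"\n\\"` with no comment explaining why, and the same argument is introduced in show_map_vma() in fs/proc/task_mmu.c and nommu_vma_show() in fs/proc/task_nommu.c. The reason is worth recording because it is a hardening decision: an unescaped newline in a file name would put text that looks like a separate record into this output, and escaping the backslash as well keeps the escaped form unambiguous. I would add `/* escape '\n' and '\\' so a file name cannot forge a line in this file */` above each call. nommu_region_show() starts and ends outside the hunk.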
50593 diff -urNp linux-2.6.39.3/fs/proc/proc_net.c linux-2.6.39.3/fs/proc/proc_net.c
50594 --- linux-2.6.39.3/fs/proc/proc_net.c 2011-05-19 00:06:34.000000000 -0400
50595 +++ linux-2.6.39.3/fs/proc/proc_net.c 2011-05-22 19:41:37.000000000 -0400
50596 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
50597 struct task_struct *task;
50598 struct nsproxy *ns;
50599 struct net *net = NULL;
50600 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50601 + const struct cred *cred = current_cred();
50602 +#endif
50603 +
50604 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50605 + if (cred->fsuid)
50606 + return net;
50607 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50608 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50609 + return net;
50610 +#endif
50611
50612 rcu_read_lock();
50613 task = pid_task(proc_pid(dir), PIDTYPE_PID);
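Review bot: Both early exits in get_proc_task_net() are written `return net;`, which denies access only because `net` was initialised to NULL a few lines earlier. `return NULL;` says that directly and keeps its meaning if the initialiser is ever edited. The check keys on `cred->fsuid` being non-zero rather than on a capability, which deserves a one-line comment such as `/* only fsuid 0 (or the configured proc group) may resolve a task's net namespace */`. The function body continues after the hunk.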
50614 diff -urNp linux-2.6.39.3/fs/proc/proc_sysctl.c linux-2.6.39.3/fs/proc/proc_sysctl.c
50615 --- linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-19 00:06:34.000000000 -0400
50616 +++ linux-2.6.39.3/fs/proc/proc_sysctl.c 2011-05-22 19:41:37.000000000 -0400
50617 @@ -8,6 +8,8 @@
50618 #include <linux/namei.h>
50619 #include "internal.h"
50620
50621 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50622 +
50623 static const struct dentry_operations proc_sys_dentry_operations;
50624 static const struct file_operations proc_sys_file_operations;
50625 static const struct inode_operations proc_sys_inode_operations;
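Review bot: `gr_handle_sysctl()` is declared with a bare `extern` inside proc_sysctl.c, so the compiler cannot check this prototype against the definition and any other caller has to repeat it. Declaring it in a header that both the definition and this file include would keep the signature in one place. The return type is `__u32` although the three call sites in this file only test it for non-zero, so a comment on the declaration stating what a non-zero result means would help.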
50626 @@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
50627 if (!p)
50628 goto out;
50629
50630 + if (gr_handle_sysctl(p, MAY_EXEC))
50631 + goto out;
50632 +
50633 err = ERR_PTR(-ENOMEM);
50634 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50635 if (h)
50636 @@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
50637 if (*pos < file->f_pos)
50638 continue;
50639
50640 + if (gr_handle_sysctl(table, 0))
50641 + continue;
50642 +
50643 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50644 if (res)
50645 return res;
50646 @@ -358,6 +366,9 @@ static int proc_sys_getattr(struct vfsmo
50647 if (IS_ERR(head))
50648 return PTR_ERR(head);
50649
50650 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50651 + return -ENOENT;
50652 +
50653 generic_fillattr(inode, stat);
50654 if (table)
50655 stat->mode = (stat->mode & S_IFMT) | table->mode;
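Review bot: The added `return -ENOENT;` in proc_sys_getattr() leaves the function after `head` has been obtained and has passed the `IS_ERR()` check, so whatever release the function performs on `head` before its normal return is skipped on this path. Both the acquisition and the release are outside the hunk, so this needs checking against the full function. If it ends with `sysctl_head_finish(head)`, the denied path should release it too, e.g. `if (table && gr_handle_sysctl(table, MAY_EXEC)) { sysctl_head_finish(head); return -ENOENT; }`. The proc_sys_lookup() hunk uses `goto out` and so presumably reaches the common cleanup.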
50656 diff -urNp linux-2.6.39.3/fs/proc/root.c linux-2.6.39.3/fs/proc/root.c
50657 --- linux-2.6.39.3/fs/proc/root.c 2011-05-19 00:06:34.000000000 -0400
50658 +++ linux-2.6.39.3/fs/proc/root.c 2011-05-22 19:41:37.000000000 -0400
50659 @@ -122,7 +122,15 @@ void __init proc_root_init(void)
50660 #ifdef CONFIG_PROC_DEVICETREE
50661 proc_device_tree_init();
50662 #endif
50663 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50664 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50665 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
50666 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50667 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
50668 +#endif
50669 +#else
50670 proc_mkdir("bus", NULL);
50671 +#endif
50672 proc_sys_init();
50673 }
50674
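Review bot: The inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain in proc_root_init() has no `#else`, so a configuration with PROC_ADD set and neither of the other two options leaves /proc without a `bus` directory. Kconfig may rule that combination out, but that is not visible here. Either add an `#else` with `proc_mkdir("bus", NULL);` to the inner chain, or add a comment naming the dependency that makes the case unreachable.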
50675 diff -urNp linux-2.6.39.3/fs/proc/task_mmu.c linux-2.6.39.3/fs/proc/task_mmu.c
50676 --- linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-19 00:06:34.000000000 -0400
50677 +++ linux-2.6.39.3/fs/proc/task_mmu.c 2011-05-22 22:43:29.000000000 -0400
50678 @@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
50679 "VmExe:\t%8lu kB\n"
50680 "VmLib:\t%8lu kB\n"
50681 "VmPTE:\t%8lu kB\n"
50682 - "VmSwap:\t%8lu kB\n",
50683 - hiwater_vm << (PAGE_SHIFT-10),
50684 + "VmSwap:\t%8lu kB\n"
50685 +
50686 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50687 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
50688 +#endif
50689 +
50690 + ,hiwater_vm << (PAGE_SHIFT-10),
50691 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
50692 mm->locked_vm << (PAGE_SHIFT-10),
50693 hiwater_rss << (PAGE_SHIFT-10),
50694 @@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
50695 data << (PAGE_SHIFT-10),
50696 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
50697 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
50698 - swap << (PAGE_SHIFT-10));
50699 + swap << (PAGE_SHIFT-10)
50700 +
50701 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50702 + , mm->context.user_cs_base, mm->context.user_cs_limit
50703 +#endif
50704 +
50705 + );
50706 }
50707
50708 unsigned long task_vsize(struct mm_struct *mm)
50709 @@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
50710 return ret;
50711 }
50712
50713 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50714 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50715 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50716 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50717 +#endif
50718 +
50719 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
50720 {
50721 struct mm_struct *mm = vma->vm_mm;
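Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument four times without parentheses, so it only expands correctly for simple expressions like the `vma->vm_mm` passed in show_smap(); write `(_mm)` throughout or turn it into a `static inline` function. Defining a fallback for the disabled case, `#else` followed by `#define PAX_RAND_FLAGS(_mm) 0`, would also let show_map_vma() and show_smap() drop the `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` pairs in the later hunks, including the one in show_smap() that opens a brace under one `#ifdef` and closes it under another. A comment on the macro should state what it decides: the mm is not the caller's own and has RANDMMAP or SEGMEXEC set, in which case the hunks below print zeroes instead of addresses, offsets and sizes.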
50722 @@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
50723 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
50724 }
50725
50726 - /* We don't show the stack guard page in /proc/maps */
50727 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50728 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
50729 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
50730 +#else
50731 start = vma->vm_start;
50732 - if (stack_guard_page_start(vma, start))
50733 - start += PAGE_SIZE;
50734 end = vma->vm_end;
50735 - if (stack_guard_page_end(vma, end))
50736 - end -= PAGE_SIZE;
50737 +#endif
50738
50739 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
50740 start,
50741 @@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
50742 flags & VM_WRITE ? 'w' : '-',
50743 flags & VM_EXEC ? 'x' : '-',
50744 flags & VM_MAYSHARE ? 's' : 'p',
50745 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50746 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
50747 +#else
50748 pgoff,
50749 +#endif
50750 MAJOR(dev), MINOR(dev), ino, &len);
50751
50752 /*
50753 @@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
50754 */
50755 if (file) {
50756 pad_len_spaces(m, len);
50757 - seq_path(m, &file->f_path, "\n");
50758 + seq_path(m, &file->f_path, "\n\\");
50759 } else {
50760 const char *name = arch_vma_name(vma);
50761 if (!name) {
50762 @@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
50763 if (vma->vm_start <= mm->brk &&
50764 vma->vm_end >= mm->start_brk) {
50765 name = "[heap]";
50766 - } else if (vma->vm_start <= mm->start_stack &&
50767 - vma->vm_end >= mm->start_stack) {
50768 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
50769 + (vma->vm_start <= mm->start_stack &&
50770 + vma->vm_end >= mm->start_stack)) {
50771 name = "[stack]";
50772 }
50773 } else {
50774 @@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
50775 };
50776
50777 memset(&mss, 0, sizeof mss);
50778 - mss.vma = vma;
50779 - /* mmap_sem is held in m_start */
50780 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50781 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50782 -
50783 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50784 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
50785 +#endif
50786 + mss.vma = vma;
50787 + /* mmap_sem is held in m_start */
50788 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
50789 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
50790 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50791 + }
50792 +#endif
50793 show_map_vma(m, vma);
50794
50795 seq_printf(m,
50796 @@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
50797 "KernelPageSize: %8lu kB\n"
50798 "MMUPageSize: %8lu kB\n"
50799 "Locked: %8lu kB\n",
50800 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50801 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
50802 +#else
50803 (vma->vm_end - vma->vm_start) >> 10,
50804 +#endif
50805 mss.resident >> 10,
50806 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
50807 mss.shared_clean >> 10,
50808 diff -urNp linux-2.6.39.3/fs/proc/task_nommu.c linux-2.6.39.3/fs/proc/task_nommu.c
50809 --- linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-19 00:06:34.000000000 -0400
50810 +++ linux-2.6.39.3/fs/proc/task_nommu.c 2011-05-22 19:36:32.000000000 -0400
50811 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
50812 else
50813 bytes += kobjsize(mm);
50814
50815 - if (current->fs && current->fs->users > 1)
50816 + if (current->fs && atomic_read(&current->fs->users) > 1)
50817 sbytes += kobjsize(current->fs);
50818 else
50819 bytes += kobjsize(current->fs);
50820 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
50821
50822 if (file) {
50823 pad_len_spaces(m, len);
50824 - seq_path(m, &file->f_path, "");
50825 + seq_path(m, &file->f_path, "\n\\");
50826 } else if (mm) {
50827 if (vma->vm_start <= mm->start_stack &&
50828 vma->vm_end >= mm->start_stack) {
50829 diff -urNp linux-2.6.39.3/fs/quota/netlink.c linux-2.6.39.3/fs/quota/netlink.c
50830 --- linux-2.6.39.3/fs/quota/netlink.c 2011-05-19 00:06:34.000000000 -0400
50831 +++ linux-2.6.39.3/fs/quota/netlink.c 2011-05-22 19:36:32.000000000 -0400
50832 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
50833 void quota_send_warning(short type, unsigned int id, dev_t dev,
50834 const char warntype)
50835 {
50836 - static atomic_t seq;
50837 + static atomic_unchecked_t seq;
50838 struct sk_buff *skb;
50839 void *msg_head;
50840 int ret;
50841 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
50842 "VFS: Not enough memory to send quota warning.\n");
50843 return;
50844 }
50845 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
50846 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
50847 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
50848 if (!msg_head) {
50849 printk(KERN_ERR
50850 diff -urNp linux-2.6.39.3/fs/readdir.c linux-2.6.39.3/fs/readdir.c
50851 --- linux-2.6.39.3/fs/readdir.c 2011-05-19 00:06:34.000000000 -0400
50852 +++ linux-2.6.39.3/fs/readdir.c 2011-05-22 19:41:42.000000000 -0400
50853 @@ -17,6 +17,7 @@
50854 #include <linux/security.h>
50855 #include <linux/syscalls.h>
50856 #include <linux/unistd.h>
50857 +#include <linux/namei.h>
50858
50859 #include <asm/uaccess.h>
50860
50861 @@ -67,6 +68,7 @@ struct old_linux_dirent {
50862
50863 struct readdir_callback {
50864 struct old_linux_dirent __user * dirent;
50865 + struct file * file;
50866 int result;
50867 };
50868
50869 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
50870 buf->result = -EOVERFLOW;
50871 return -EOVERFLOW;
50872 }
50873 +
50874 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50875 + return 0;
50876 +
50877 buf->result++;
50878 dirent = buf->dirent;
50879 if (!access_ok(VERIFY_WRITE, dirent,
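Review bot: The `gr_acl_handle_filldir()` check in fillonedir() runs after the `-EOVERFLOW` return just above it, so an entry that the check would skip can still end the readdir with an error that depends on that entry. filldir() has the same ordering, and filldir64() places the check after `if (reclen > buf->count) return -EINVAL;`, where the outcome depends on the skipped name's length. Moving the three checks to the top of their callbacks, before any size or overflow test, would make a filtered entry behave exactly like an absent one. All three callbacks start outside their hunks, so the earlier tests in each should be reviewed in the full file.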
50880 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
50881
50882 buf.result = 0;
50883 buf.dirent = dirent;
50884 + buf.file = file;
50885
50886 error = vfs_readdir(file, fillonedir, &buf);
50887 if (buf.result)
50888 @@ -142,6 +149,7 @@ struct linux_dirent {
50889 struct getdents_callback {
50890 struct linux_dirent __user * current_dir;
50891 struct linux_dirent __user * previous;
50892 + struct file * file;
50893 int count;
50894 int error;
50895 };
50896 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
50897 buf->error = -EOVERFLOW;
50898 return -EOVERFLOW;
50899 }
50900 +
50901 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50902 + return 0;
50903 +
50904 dirent = buf->previous;
50905 if (dirent) {
50906 if (__put_user(offset, &dirent->d_off))
50907 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
50908 buf.previous = NULL;
50909 buf.count = count;
50910 buf.error = 0;
50911 + buf.file = file;
50912
50913 error = vfs_readdir(file, filldir, &buf);
50914 if (error >= 0)
50915 @@ -229,6 +242,7 @@ out:
50916 struct getdents_callback64 {
50917 struct linux_dirent64 __user * current_dir;
50918 struct linux_dirent64 __user * previous;
50919 + struct file *file;
50920 int count;
50921 int error;
50922 };
50923 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
50924 buf->error = -EINVAL; /* only used if we fail.. */
50925 if (reclen > buf->count)
50926 return -EINVAL;
50927 +
50928 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
50929 + return 0;
50930 +
50931 dirent = buf->previous;
50932 if (dirent) {
50933 if (__put_user(offset, &dirent->d_off))
50934 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
50935
50936 buf.current_dir = dirent;
50937 buf.previous = NULL;
50938 + buf.file = file;
50939 buf.count = count;
50940 buf.error = 0;
50941
50942 diff -urNp linux-2.6.39.3/fs/reiserfs/dir.c linux-2.6.39.3/fs/reiserfs/dir.c
50943 --- linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-19 00:06:34.000000000 -0400
50944 +++ linux-2.6.39.3/fs/reiserfs/dir.c 2011-05-22 19:36:32.000000000 -0400
50945 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
50946 struct reiserfs_dir_entry de;
50947 int ret = 0;
50948
50949 + pax_track_stack();
50950 +
50951 reiserfs_write_lock(inode->i_sb);
50952
50953 reiserfs_check_lock_depth(inode->i_sb, "readdir");
50954 diff -urNp linux-2.6.39.3/fs/reiserfs/do_balan.c linux-2.6.39.3/fs/reiserfs/do_balan.c
50955 --- linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-19 00:06:34.000000000 -0400
50956 +++ linux-2.6.39.3/fs/reiserfs/do_balan.c 2011-05-22 19:36:32.000000000 -0400
50957 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
50958 return;
50959 }
50960
50961 - atomic_inc(&(fs_generation(tb->tb_sb)));
50962 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
50963 do_balance_starts(tb);
50964
50965 /* balance leaf returns 0 except if combining L R and S into
50966 diff -urNp linux-2.6.39.3/fs/reiserfs/item_ops.c linux-2.6.39.3/fs/reiserfs/item_ops.c
50967 --- linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-19 00:06:34.000000000 -0400
50968 +++ linux-2.6.39.3/fs/reiserfs/item_ops.c 2011-05-22 19:36:32.000000000 -0400
50969 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
50970 vi->vi_index, vi->vi_type, vi->vi_ih);
50971 }
50972
50973 -static struct item_operations stat_data_ops = {
50974 +static const struct item_operations stat_data_ops = {
50975 .bytes_number = sd_bytes_number,
50976 .decrement_key = sd_decrement_key,
50977 .is_left_mergeable = sd_is_left_mergeable,
50978 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
50979 vi->vi_index, vi->vi_type, vi->vi_ih);
50980 }
50981
50982 -static struct item_operations direct_ops = {
50983 +static const struct item_operations direct_ops = {
50984 .bytes_number = direct_bytes_number,
50985 .decrement_key = direct_decrement_key,
50986 .is_left_mergeable = direct_is_left_mergeable,
50987 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
50988 vi->vi_index, vi->vi_type, vi->vi_ih);
50989 }
50990
50991 -static struct item_operations indirect_ops = {
50992 +static const struct item_operations indirect_ops = {
50993 .bytes_number = indirect_bytes_number,
50994 .decrement_key = indirect_decrement_key,
50995 .is_left_mergeable = indirect_is_left_mergeable,
50996 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
50997 printk("\n");
50998 }
50999
51000 -static struct item_operations direntry_ops = {
51001 +static const struct item_operations direntry_ops = {
51002 .bytes_number = direntry_bytes_number,
51003 .decrement_key = direntry_decrement_key,
51004 .is_left_mergeable = direntry_is_left_mergeable,
51005 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
51006 "Invalid item type observed, run fsck ASAP");
51007 }
51008
51009 -static struct item_operations errcatch_ops = {
51010 +static const struct item_operations errcatch_ops = {
51011 errcatch_bytes_number,
51012 errcatch_decrement_key,
51013 errcatch_is_left_mergeable,
51014 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
51015 #error Item types must use disk-format assigned values.
51016 #endif
51017
51018 -struct item_operations *item_ops[TYPE_ANY + 1] = {
51019 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
51020 &stat_data_ops,
51021 &indirect_ops,
51022 &direct_ops,
51023 diff -urNp linux-2.6.39.3/fs/reiserfs/journal.c linux-2.6.39.3/fs/reiserfs/journal.c
51024 --- linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-19 00:06:34.000000000 -0400
51025 +++ linux-2.6.39.3/fs/reiserfs/journal.c 2011-05-22 19:36:32.000000000 -0400
51026 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
51027 struct buffer_head *bh;
51028 int i, j;
51029
51030 + pax_track_stack();
51031 +
51032 bh = __getblk(dev, block, bufsize);
51033 if (buffer_uptodate(bh))
51034 return (bh);
51035 diff -urNp linux-2.6.39.3/fs/reiserfs/namei.c linux-2.6.39.3/fs/reiserfs/namei.c
51036 --- linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-19 00:06:34.000000000 -0400
51037 +++ linux-2.6.39.3/fs/reiserfs/namei.c 2011-05-22 19:36:32.000000000 -0400
51038 @@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
51039 unsigned long savelink = 1;
51040 struct timespec ctime;
51041
51042 + pax_track_stack();
51043 +
51044 /* three balancings: (1) old name removal, (2) new name insertion
51045 and (3) maybe "save" link insertion
51046 stat data updates: (1) old directory,
51047 diff -urNp linux-2.6.39.3/fs/reiserfs/procfs.c linux-2.6.39.3/fs/reiserfs/procfs.c
51048 --- linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-19 00:06:34.000000000 -0400
51049 +++ linux-2.6.39.3/fs/reiserfs/procfs.c 2011-05-22 19:36:32.000000000 -0400
51050 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
51051 "SMALL_TAILS " : "NO_TAILS ",
51052 replay_only(sb) ? "REPLAY_ONLY " : "",
51053 convert_reiserfs(sb) ? "CONV " : "",
51054 - atomic_read(&r->s_generation_counter),
51055 + atomic_read_unchecked(&r->s_generation_counter),
51056 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
51057 SF(s_do_balance), SF(s_unneeded_left_neighbor),
51058 SF(s_good_search_by_key_reada), SF(s_bmaps),
51059 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
51060 struct journal_params *jp = &rs->s_v1.s_journal;
51061 char b[BDEVNAME_SIZE];
51062
51063 + pax_track_stack();
51064 +
51065 seq_printf(m, /* on-disk fields */
51066 "jp_journal_1st_block: \t%i\n"
51067 "jp_journal_dev: \t%s[%x]\n"
51068 diff -urNp linux-2.6.39.3/fs/reiserfs/stree.c linux-2.6.39.3/fs/reiserfs/stree.c
51069 --- linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-19 00:06:34.000000000 -0400
51070 +++ linux-2.6.39.3/fs/reiserfs/stree.c 2011-05-22 19:36:32.000000000 -0400
51071 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
51072 int iter = 0;
51073 #endif
51074
51075 + pax_track_stack();
51076 +
51077 BUG_ON(!th->t_trans_id);
51078
51079 init_tb_struct(th, &s_del_balance, sb, path,
51080 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
51081 int retval;
51082 int quota_cut_bytes = 0;
51083
51084 + pax_track_stack();
51085 +
51086 BUG_ON(!th->t_trans_id);
51087
51088 le_key2cpu_key(&cpu_key, key);
51089 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
51090 int quota_cut_bytes;
51091 loff_t tail_pos = 0;
51092
51093 + pax_track_stack();
51094 +
51095 BUG_ON(!th->t_trans_id);
51096
51097 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
51098 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
51099 int retval;
51100 int fs_gen;
51101
51102 + pax_track_stack();
51103 +
51104 BUG_ON(!th->t_trans_id);
51105
51106 fs_gen = get_generation(inode->i_sb);
51107 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
51108 int fs_gen = 0;
51109 int quota_bytes = 0;
51110
51111 + pax_track_stack();
51112 +
51113 BUG_ON(!th->t_trans_id);
51114
51115 if (inode) { /* Do we count quotas for item? */
51116 diff -urNp linux-2.6.39.3/fs/reiserfs/super.c linux-2.6.39.3/fs/reiserfs/super.c
51117 --- linux-2.6.39.3/fs/reiserfs/super.c 2011-05-19 00:06:34.000000000 -0400
51118 +++ linux-2.6.39.3/fs/reiserfs/super.c 2011-05-22 19:36:32.000000000 -0400
51119 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
51120 {.option_name = NULL}
51121 };
51122
51123 + pax_track_stack();
51124 +
51125 *blocks = 0;
51126 if (!options || !*options)
51127 /* use default configuration: create tails, journaling on, no
51128 diff -urNp linux-2.6.39.3/fs/select.c linux-2.6.39.3/fs/select.c
51129 --- linux-2.6.39.3/fs/select.c 2011-05-19 00:06:34.000000000 -0400
51130 +++ linux-2.6.39.3/fs/select.c 2011-05-22 19:41:42.000000000 -0400
51131 @@ -20,6 +20,7 @@
51132 #include <linux/module.h>
51133 #include <linux/slab.h>
51134 #include <linux/poll.h>
51135 +#include <linux/security.h>
51136 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
51137 #include <linux/file.h>
51138 #include <linux/fdtable.h>
51139 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
51140 int retval, i, timed_out = 0;
51141 unsigned long slack = 0;
51142
51143 + pax_track_stack();
51144 +
51145 rcu_read_lock();
51146 retval = max_select_fd(n, fds);
51147 rcu_read_unlock();
51148 @@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
51149 /* Allocate small arguments on the stack to save memory and be faster */
51150 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
51151
51152 + pax_track_stack();
51153 +
51154 ret = -EINVAL;
51155 if (n < 0)
51156 goto out_nofds;
51157 @@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
51158 struct poll_list *walk = head;
51159 unsigned long todo = nfds;
51160
51161 + pax_track_stack();
51162 +
51163 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
51164 if (nfds > rlimit(RLIMIT_NOFILE))
51165 return -EINVAL;
51166
51167 diff -urNp linux-2.6.39.3/fs/seq_file.c linux-2.6.39.3/fs/seq_file.c
51168 --- linux-2.6.39.3/fs/seq_file.c 2011-05-19 00:06:34.000000000 -0400
51169 +++ linux-2.6.39.3/fs/seq_file.c 2011-05-22 19:36:32.000000000 -0400
51170 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
51171 return 0;
51172 }
51173 if (!m->buf) {
51174 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51175 + m->size = PAGE_SIZE;
51176 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51177 if (!m->buf)
51178 return -ENOMEM;
51179 }
51180 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
51181 Eoverflow:
51182 m->op->stop(m, p);
51183 kfree(m->buf);
51184 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51185 + m->size <<= 1;
51186 + m->buf = kmalloc(m->size, GFP_KERNEL);
51187 return !m->buf ? -ENOMEM : -EAGAIN;
51188 }
51189
51190 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
51191 m->version = file->f_version;
51192 /* grab buffer if we didn't have one */
51193 if (!m->buf) {
51194 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51195 + m->size = PAGE_SIZE;
51196 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51197 if (!m->buf)
51198 goto Enomem;
51199 }
51200 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
51201 goto Fill;
51202 m->op->stop(m, p);
51203 kfree(m->buf);
51204 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51205 + m->size <<= 1;
51206 + m->buf = kmalloc(m->size, GFP_KERNEL);
51207 if (!m->buf)
51208 goto Enomem;
51209 m->count = 0;
51210 diff -urNp linux-2.6.39.3/fs/splice.c linux-2.6.39.3/fs/splice.c
51211 --- linux-2.6.39.3/fs/splice.c 2011-05-19 00:06:34.000000000 -0400
51212 +++ linux-2.6.39.3/fs/splice.c 2011-05-22 19:36:32.000000000 -0400
51213 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51214 pipe_lock(pipe);
51215
51216 for (;;) {
51217 - if (!pipe->readers) {
51218 + if (!atomic_read(&pipe->readers)) {
51219 send_sig(SIGPIPE, current, 0);
51220 if (!ret)
51221 ret = -EPIPE;
51222 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51223 do_wakeup = 0;
51224 }
51225
51226 - pipe->waiting_writers++;
51227 + atomic_inc(&pipe->waiting_writers);
51228 pipe_wait(pipe);
51229 - pipe->waiting_writers--;
51230 + atomic_dec(&pipe->waiting_writers);
51231 }
51232
51233 pipe_unlock(pipe);
51234 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
51235 .spd_release = spd_release_page,
51236 };
51237
51238 + pax_track_stack();
51239 +
51240 if (splice_grow_spd(pipe, &spd))
51241 return -ENOMEM;
51242
51243 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
51244 old_fs = get_fs();
51245 set_fs(get_ds());
51246 /* The cast to a user pointer is valid due to the set_fs() */
51247 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51248 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
51249 set_fs(old_fs);
51250
51251 return res;
51252 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
51253 old_fs = get_fs();
51254 set_fs(get_ds());
51255 /* The cast to a user pointer is valid due to the set_fs() */
51256 - res = vfs_write(file, (const char __user *)buf, count, &pos);
51257 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
51258 set_fs(old_fs);
51259
51260 return res;
51261 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
51262 .spd_release = spd_release_page,
51263 };
51264
51265 + pax_track_stack();
51266 +
51267 if (splice_grow_spd(pipe, &spd))
51268 return -ENOMEM;
51269
51270 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
51271 goto err;
51272
51273 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51274 - vec[i].iov_base = (void __user *) page_address(page);
51275 + vec[i].iov_base = (__force void __user *) page_address(page);
51276 vec[i].iov_len = this_len;
51277 spd.pages[i] = page;
51278 spd.nr_pages++;
51279 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51280 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51281 {
51282 while (!pipe->nrbufs) {
51283 - if (!pipe->writers)
51284 + if (!atomic_read(&pipe->writers))
51285 return 0;
51286
51287 - if (!pipe->waiting_writers && sd->num_spliced)
51288 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51289 return 0;
51290
51291 if (sd->flags & SPLICE_F_NONBLOCK)
51292 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
51293 * out of the pipe right after the splice_to_pipe(). So set
51294 * PIPE_READERS appropriately.
51295 */
51296 - pipe->readers = 1;
51297 + atomic_set(&pipe->readers, 1);
51298
51299 current->splice_pipe = pipe;
51300 }
51301 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
51302 };
51303 long ret;
51304
51305 + pax_track_stack();
51306 +
51307 pipe = get_pipe_info(file);
51308 if (!pipe)
51309 return -EBADF;
51310 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
51311 ret = -ERESTARTSYS;
51312 break;
51313 }
51314 - if (!pipe->writers)
51315 + if (!atomic_read(&pipe->writers))
51316 break;
51317 - if (!pipe->waiting_writers) {
51318 + if (!atomic_read(&pipe->waiting_writers)) {
51319 if (flags & SPLICE_F_NONBLOCK) {
51320 ret = -EAGAIN;
51321 break;
51322 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
51323 pipe_lock(pipe);
51324
51325 while (pipe->nrbufs >= pipe->buffers) {
51326 - if (!pipe->readers) {
51327 + if (!atomic_read(&pipe->readers)) {
51328 send_sig(SIGPIPE, current, 0);
51329 ret = -EPIPE;
51330 break;
51331 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
51332 ret = -ERESTARTSYS;
51333 break;
51334 }
51335 - pipe->waiting_writers++;
51336 + atomic_inc(&pipe->waiting_writers);
51337 pipe_wait(pipe);
51338 - pipe->waiting_writers--;
51339 + atomic_dec(&pipe->waiting_writers);
51340 }
51341
51342 pipe_unlock(pipe);
51343 @@ -1815,14 +1821,14 @@ retry:
51344 pipe_double_lock(ipipe, opipe);
51345
51346 do {
51347 - if (!opipe->readers) {
51348 + if (!atomic_read(&opipe->readers)) {
51349 send_sig(SIGPIPE, current, 0);
51350 if (!ret)
51351 ret = -EPIPE;
51352 break;
51353 }
51354
51355 - if (!ipipe->nrbufs && !ipipe->writers)
51356 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51357 break;
51358
51359 /*
51360 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
51361 pipe_double_lock(ipipe, opipe);
51362
51363 do {
51364 - if (!opipe->readers) {
51365 + if (!atomic_read(&opipe->readers)) {
51366 send_sig(SIGPIPE, current, 0);
51367 if (!ret)
51368 ret = -EPIPE;
51369 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
51370 * return EAGAIN if we have the potential of some data in the
51371 * future, otherwise just return 0
51372 */
51373 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51374 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51375 ret = -EAGAIN;
51376
51377 pipe_unlock(ipipe);
51378 diff -urNp linux-2.6.39.3/fs/sysfs/file.c linux-2.6.39.3/fs/sysfs/file.c
51379 --- linux-2.6.39.3/fs/sysfs/file.c 2011-05-19 00:06:34.000000000 -0400
51380 +++ linux-2.6.39.3/fs/sysfs/file.c 2011-05-22 19:36:32.000000000 -0400
51381 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51382
51383 struct sysfs_open_dirent {
51384 atomic_t refcnt;
51385 - atomic_t event;
51386 + atomic_unchecked_t event;
51387 wait_queue_head_t poll;
51388 struct list_head buffers; /* goes through sysfs_buffer.list */
51389 };
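Review bot: The switch of `event` to `atomic_unchecked_t` is undocumented, while `refcnt` in the same struct stays `atomic_t`, so a reader cannot tell why the two fields are treated differently. The later hunks only store the value and compare it for inequality (`buffer->event != atomic_read_unchecked(&od->event)` in sysfs_poll), which suggests it is a generation counter whose wrap-around is harmless. A field comment such as `/* poll generation counter: may wrap, so exempt from overflow checking */` would record that, and would also tell the next maintainer that `refcnt` must not be converted the same way.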
51390 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51391 if (!sysfs_get_active(attr_sd))
51392 return -ENODEV;
51393
51394 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51395 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51396 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51397
51398 sysfs_put_active(attr_sd);
51399 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51400 return -ENOMEM;
51401
51402 atomic_set(&new_od->refcnt, 0);
51403 - atomic_set(&new_od->event, 1);
51404 + atomic_set_unchecked(&new_od->event, 1);
51405 init_waitqueue_head(&new_od->poll);
51406 INIT_LIST_HEAD(&new_od->buffers);
51407 goto retry;
51408 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51409
51410 sysfs_put_active(attr_sd);
51411
51412 - if (buffer->event != atomic_read(&od->event))
51413 + if (buffer->event != atomic_read_unchecked(&od->event))
51414 goto trigger;
51415
51416 return DEFAULT_POLLMASK;
51417 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51418
51419 od = sd->s_attr.open;
51420 if (od) {
51421 - atomic_inc(&od->event);
51422 + atomic_inc_unchecked(&od->event);
51423 wake_up_interruptible(&od->poll);
51424 }
51425
51426 diff -urNp linux-2.6.39.3/fs/sysfs/mount.c linux-2.6.39.3/fs/sysfs/mount.c
51427 --- linux-2.6.39.3/fs/sysfs/mount.c 2011-05-19 00:06:34.000000000 -0400
51428 +++ linux-2.6.39.3/fs/sysfs/mount.c 2011-05-22 19:41:42.000000000 -0400
51429 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51430 .s_name = "",
51431 .s_count = ATOMIC_INIT(1),
51432 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
51433 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51434 + .s_mode = S_IFDIR | S_IRWXU,
51435 +#else
51436 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51437 +#endif
51438 .s_ino = 1,
51439 };
51440
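Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch has no comment stating what the owner-only root mode is meant to protect or what it costs. Only `sysfs_root.s_mode` changes in this hunk, so the restriction works by denying other users search permission on the top directory of the mount; the entries underneath keep whatever modes they had. I would add `/* owner-only sysfs root: unprivileged tools that read sysfs will fail */` above the new `.s_mode` line so the trade-off is visible where the mode is set.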
51441 diff -urNp linux-2.6.39.3/fs/sysfs/symlink.c linux-2.6.39.3/fs/sysfs/symlink.c
51442 --- linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-19 00:06:34.000000000 -0400
51443 +++ linux-2.6.39.3/fs/sysfs/symlink.c 2011-05-22 19:36:32.000000000 -0400
51444 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
51445
51446 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51447 {
51448 - char *page = nd_get_link(nd);
51449 + const char *page = nd_get_link(nd);
51450 if (!IS_ERR(page))
51451 free_page((unsigned long)page);
51452 }
51453 diff -urNp linux-2.6.39.3/fs/udf/inode.c linux-2.6.39.3/fs/udf/inode.c
51454 --- linux-2.6.39.3/fs/udf/inode.c 2011-05-19 00:06:34.000000000 -0400
51455 +++ linux-2.6.39.3/fs/udf/inode.c 2011-05-22 19:36:32.000000000 -0400
51456 @@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
51457 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51458 int lastblock = 0;
51459
51460 + pax_track_stack();
51461 +
51462 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51463 prev_epos.block = iinfo->i_location;
51464 prev_epos.bh = NULL;
51465 diff -urNp linux-2.6.39.3/fs/udf/misc.c linux-2.6.39.3/fs/udf/misc.c
51466 --- linux-2.6.39.3/fs/udf/misc.c 2011-05-19 00:06:34.000000000 -0400
51467 +++ linux-2.6.39.3/fs/udf/misc.c 2011-05-22 19:36:32.000000000 -0400
51468 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51469
51470 u8 udf_tag_checksum(const struct tag *t)
51471 {
51472 - u8 *data = (u8 *)t;
51473 + const u8 *data = (const u8 *)t;
51474 u8 checksum = 0;
51475 int i;
51476 for (i = 0; i < sizeof(struct tag); ++i)
51477 diff -urNp linux-2.6.39.3/fs/utimes.c linux-2.6.39.3/fs/utimes.c
51478 --- linux-2.6.39.3/fs/utimes.c 2011-05-19 00:06:34.000000000 -0400
51479 +++ linux-2.6.39.3/fs/utimes.c 2011-05-22 19:41:42.000000000 -0400
51480 @@ -1,6 +1,7 @@
51481 #include <linux/compiler.h>
51482 #include <linux/file.h>
51483 #include <linux/fs.h>
51484 +#include <linux/security.h>
51485 #include <linux/linkage.h>
51486 #include <linux/mount.h>
51487 #include <linux/namei.h>
51488 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51489 goto mnt_drop_write_and_out;
51490 }
51491 }
51492 +
51493 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51494 + error = -EACCES;
51495 + goto mnt_drop_write_and_out;
51496 + }
51497 +
51498 mutex_lock(&inode->i_mutex);
51499 error = notify_change(path->dentry, &newattrs);
51500 mutex_unlock(&inode->i_mutex);
51501 diff -urNp linux-2.6.39.3/fs/xattr_acl.c linux-2.6.39.3/fs/xattr_acl.c
51502 --- linux-2.6.39.3/fs/xattr_acl.c 2011-05-19 00:06:34.000000000 -0400
51503 +++ linux-2.6.39.3/fs/xattr_acl.c 2011-05-22 19:36:32.000000000 -0400
51504 @@ -17,8 +17,8 @@
51505 struct posix_acl *
51506 posix_acl_from_xattr(const void *value, size_t size)
51507 {
51508 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51509 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51510 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51511 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
51512 int count;
51513 struct posix_acl *acl;
51514 struct posix_acl_entry *acl_e;
51515 diff -urNp linux-2.6.39.3/fs/xattr.c linux-2.6.39.3/fs/xattr.c
51516 --- linux-2.6.39.3/fs/xattr.c 2011-05-19 00:06:34.000000000 -0400
51517 +++ linux-2.6.39.3/fs/xattr.c 2011-05-22 19:41:42.000000000 -0400
51518 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
51519 * Extended attribute SET operations
51520 */
51521 static long
51522 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
51523 +setxattr(struct path *path, const char __user *name, const void __user *value,
51524 size_t size, int flags)
51525 {
51526 int error;
51527 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
51528 return PTR_ERR(kvalue);
51529 }
51530
51531 - error = vfs_setxattr(d, kname, kvalue, size, flags);
51532 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
51533 + error = -EACCES;
51534 + goto out;
51535 + }
51536 +
51537 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
51538 +out:
51539 kfree(kvalue);
51540 return error;
51541 }
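Review bot: `gr_acl_handle_setxattr()` is called only after the attribute value has been copied in from userspace (the `return PTR_ERR(kvalue);` context line sits just above it), so a request the policy denies still pays for the allocation and copy and needs the new `out:` label to free it. The check uses only `path->dentry` and `path->mnt`, so it could run first in setxattr() as `if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) return -EACCES;`, leaving the tail of the function as it was. That changes which error a caller sees when both the policy and the argument validation would fail, so confirm the ordering is acceptable before moving it. The start of setxattr() is in the previous hunk.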
51542 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
51543 return error;
51544 error = mnt_want_write(path.mnt);
51545 if (!error) {
51546 - error = setxattr(path.dentry, name, value, size, flags);
51547 + error = setxattr(&path, name, value, size, flags);
51548 mnt_drop_write(path.mnt);
51549 }
51550 path_put(&path);
51551 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
51552 return error;
51553 error = mnt_want_write(path.mnt);
51554 if (!error) {
51555 - error = setxattr(path.dentry, name, value, size, flags);
51556 + error = setxattr(&path, name, value, size, flags);
51557 mnt_drop_write(path.mnt);
51558 }
51559 path_put(&path);
51560 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
51561 const void __user *,value, size_t, size, int, flags)
51562 {
51563 struct file *f;
51564 - struct dentry *dentry;
51565 int error = -EBADF;
51566
51567 f = fget(fd);
51568 if (!f)
51569 return error;
51570 - dentry = f->f_path.dentry;
51571 - audit_inode(NULL, dentry);
51572 + audit_inode(NULL, f->f_path.dentry);
51573 error = mnt_want_write_file(f);
51574 if (!error) {
51575 - error = setxattr(dentry, name, value, size, flags);
51576 + error = setxattr(&f->f_path, name, value, size, flags);
51577 mnt_drop_write(f->f_path.mnt);
51578 }
51579 fput(f);
51580 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c
51581 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-19 00:06:34.000000000 -0400
51582 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-05-22 19:41:42.000000000 -0400
51583 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
51584 xfs_fsop_geom_t fsgeo;
51585 int error;
51586
51587 + memset(&fsgeo, 0, sizeof(fsgeo));
51588 error = xfs_fs_geometry(mp, &fsgeo, 3);
51589 if (error)
51590 return -error;
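Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` carries no comment, and it looks redundant next to the `xfs_fs_geometry(mp, &fsgeo, 3)` call that fills the same struct. Presumably the version-3 call leaves some fields or padding of the on-stack `xfs_fsop_geom_t` untouched and the struct is later copied to userspace; that copy is outside this hunk, so verify it. A line such as `/* zero first: xfs_fs_geometry(.., 3) may not fill every byte and the struct is copied out to userspace */` would keep a later cleanup from dropping the memset.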
51591 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c
51592 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-19 00:06:34.000000000 -0400
51593 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_ioctl.c 2011-05-22 19:36:32.000000000 -0400
51594 @@ -128,7 +128,7 @@ xfs_find_handle(
51595 }
51596
51597 error = -EFAULT;
51598 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
51599 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
51600 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
51601 goto out_put;
51602
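Review bot: The new `hsize > sizeof handle` test is folded into the `copy_to_user()` condition, so an oversized length is reported as `-EFAULT` even though the user pointer is not at fault. `hsize` is computed earlier in xfs_find_handle(), outside this hunk; if it can exceed the buffer only through a kernel-side inconsistency, a separate check placed before `error = -EFAULT;` reads better, e.g. `if (hsize > sizeof(handle)) { error = -EINVAL; goto out_put; }`. If `hsize` turns out to be a signed type, the comparison also rejects negative values through the conversion to `size_t`, which deserves a short comment because it is easy to break by adding a cast.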
51603 diff -urNp linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c
51604 --- linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-19 00:06:34.000000000 -0400
51605 +++ linux-2.6.39.3/fs/xfs/linux-2.6/xfs_iops.c 2011-05-22 19:36:32.000000000 -0400
51606 @@ -437,7 +437,7 @@ xfs_vn_put_link(
51607 struct nameidata *nd,
51608 void *p)
51609 {
51610 - char *s = nd_get_link(nd);
51611 + const char *s = nd_get_link(nd);
51612
51613 if (!IS_ERR(s))
51614 kfree(s);
51615 diff -urNp linux-2.6.39.3/fs/xfs/xfs_bmap.c linux-2.6.39.3/fs/xfs/xfs_bmap.c
51616 --- linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-19 00:06:34.000000000 -0400
51617 +++ linux-2.6.39.3/fs/xfs/xfs_bmap.c 2011-05-22 19:36:32.000000000 -0400
51618 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
51619 int nmap,
51620 int ret_nmap);
51621 #else
51622 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
51623 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
51624 #endif /* DEBUG */
51625
51626 STATIC int
51627 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2.c linux-2.6.39.3/fs/xfs/xfs_dir2.c
51628 --- linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-19 00:06:34.000000000 -0400
51629 +++ linux-2.6.39.3/fs/xfs/xfs_dir2.c 2011-05-22 19:36:32.000000000 -0400
51630 @@ -85,7 +85,7 @@ xfs_ascii_ci_compname(
51631 return result;
51632 }
51633
51634 -static struct xfs_nameops xfs_ascii_ci_nameops = {
51635 +static const struct xfs_nameops xfs_ascii_ci_nameops = {
51636 .hashname = xfs_ascii_ci_hashname,
51637 .compname = xfs_ascii_ci_compname,
51638 };
51639 diff -urNp linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c
51640 --- linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-19 00:06:34.000000000 -0400
51641 +++ linux-2.6.39.3/fs/xfs/xfs_dir2_sf.c 2011-05-22 19:36:32.000000000 -0400
51642 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
51643 }
51644
51645 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
51646 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51647 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
51648 + char name[sfep->namelen];
51649 + memcpy(name, sfep->name, sfep->namelen);
51650 + if (filldir(dirent, name, sfep->namelen,
51651 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
51652 + *offset = off & 0x7fffffff;
51653 + return 0;
51654 + }
51655 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
51656 off & 0x7fffffff, ino, DT_UNKNOWN)) {
51657 *offset = off & 0x7fffffff;
51658 return 0;
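Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack sized by an on-disk field, and it has zero length when `namelen` is 0. The bounce copy also duplicates the whole `filldir()` call and its error path, and no comment says why inline fork data must be copied before it is handed to `filldir()`. A fixed buffer plus one pointer selection keeps the stack use constant and leaves a single call. The sketch below assumes `namelen` is an 8-bit field so that `MAXNAMELEN` bytes always suffice, which should be confirmed against the struct definition. The enclosing loop in xfs_dir2_sf_getdents() starts and ends outside this hunk.

```c
		/* … unchanged: ino = xfs_dir2_sf_get_inumber(...) … */
		/* declarations belong at the top of the loop body */
		const char *name = (const char *)sfep->name;
		char namebuf[MAXNAMELEN];

		/* inline fork data is bounced through a stack copy, as in the patch */
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			memcpy(namebuf, sfep->name, sfep->namelen);
			name = namebuf;
		}
		if (filldir(dirent, name, sfep->namelen,
			    off & 0x7fffffff, ino, DT_UNKNOWN)) {
			*offset = off & 0x7fffffff;
			return 0;
```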
51659 diff -urNp linux-2.6.39.3/grsecurity/gracl_alloc.c linux-2.6.39.3/grsecurity/gracl_alloc.c
51660 --- linux-2.6.39.3/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
51661 +++ linux-2.6.39.3/grsecurity/gracl_alloc.c 2011-05-22 19:41:42.000000000 -0400
51662 @@ -0,0 +1,105 @@
51663 +#include <linux/kernel.h>
51664 +#include <linux/mm.h>
51665 +#include <linux/slab.h>
51666 +#include <linux/vmalloc.h>
51667 +#include <linux/gracl.h>
51668 +#include <linux/grsecurity.h>
51669 +
51670 +static unsigned long alloc_stack_next = 1;
51671 +static unsigned long alloc_stack_size = 1;
51672 +static void **alloc_stack;
51673 +
51674 +static __inline__ int
51675 +alloc_pop(void)
51676 +{
51677 + if (alloc_stack_next == 1)
51678 + return 0;
51679 +
51680 + kfree(alloc_stack[alloc_stack_next - 2]);
51681 +
51682 + alloc_stack_next--;
51683 +
51684 + return 1;
51685 +}
51686 +
51687 +static __inline__ int
51688 +alloc_push(void *buf)
51689 +{
51690 + if (alloc_stack_next >= alloc_stack_size)
51691 + return 1;
51692 +
51693 + alloc_stack[alloc_stack_next - 1] = buf;
51694 +
51695 + alloc_stack_next++;
51696 +
51697 + return 0;
51698 +}
51699 +
51700 +void *
51701 +acl_alloc(unsigned long len)
51702 +{
51703 + void *ret = NULL;
51704 +
51705 + if (!len || len > PAGE_SIZE)
51706 + goto out;
51707 +
51708 + ret = kmalloc(len, GFP_KERNEL);
51709 +
51710 + if (ret) {
51711 + if (alloc_push(ret)) {
51712 + kfree(ret);
51713 + ret = NULL;
51714 + }
51715 + }
51716 +
51717 +out:
51718 + return ret;
51719 +}
51720 +
51721 +void *
51722 +acl_alloc_num(unsigned long num, unsigned long len)
51723 +{
51724 + if (!len || (num > (PAGE_SIZE / len)))
51725 + return NULL;
51726 +
51727 + return acl_alloc(num * len);
51728 +}
51729 +
51730 +void
51731 +acl_free_all(void)
51732 +{
51733 + if (gr_acl_is_enabled() || !alloc_stack)
51734 + return;
51735 +
51736 + while (alloc_pop()) ;
51737 +
51738 + if (alloc_stack) {
51739 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
51740 + kfree(alloc_stack);
51741 + else
51742 + vfree(alloc_stack);
51743 + }
51744 +
51745 + alloc_stack = NULL;
51746 + alloc_stack_size = 1;
51747 + alloc_stack_next = 1;
51748 +
51749 + return;
51750 +}
51751 +
51752 +int
51753 +acl_alloc_stack_init(unsigned long size)
51754 +{
51755 + if ((size * sizeof (void *)) <= PAGE_SIZE)
51756 + alloc_stack =
51757 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
51758 + else
51759 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
51760 +
51761 + alloc_stack_size = size;
51762 +
51763 + if (!alloc_stack)
51764 + return 0;
51765 + else
51766 + return 1;
51767 +}
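Review bot: acl_alloc_stack_init() multiplies `size * sizeof (void *)` without an overflow check and stores `alloc_stack_size = size` before it knows whether the allocation succeeded. The origin of `size` is outside this file, so it should be treated as untrusted: if the product wraps, the array is smaller than `alloc_stack_size` claims and alloc_push() stores past its end. After a failed allocation, alloc_push() would store through a NULL `alloc_stack`, because it only compares against the stale size and acl_free_all() returns early without resetting it. The version below bounds the count and publishes both globals only on success. Separately, alloc_push() refuses once `alloc_stack_next >= alloc_stack_size`, so a stack of `size` slots holds `size - 1` pointers, which deserves a comment for callers that size it.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	void **stack;

	/* reject counts whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		stack = vmalloc(size * sizeof (void *));

	if (!stack)
		return 0;

	/* publish only after the allocation is known to be good */
	alloc_stack = stack;
	alloc_stack_size = size;
	return 1;
}
```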
51768 diff -urNp linux-2.6.39.3/grsecurity/gracl.c linux-2.6.39.3/grsecurity/gracl.c
51769 --- linux-2.6.39.3/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
51770 +++ linux-2.6.39.3/grsecurity/gracl.c 2011-07-14 21:03:00.000000000 -0400
51771 @@ -0,0 +1,4106 @@
51772 +#include <linux/kernel.h>
51773 +#include <linux/module.h>
51774 +#include <linux/sched.h>
51775 +#include <linux/mm.h>
51776 +#include <linux/file.h>
51777 +#include <linux/fs.h>
51778 +#include <linux/namei.h>
51779 +#include <linux/mount.h>
51780 +#include <linux/tty.h>
51781 +#include <linux/proc_fs.h>
51782 +#include <linux/lglock.h>
51783 +#include <linux/slab.h>
51784 +#include <linux/vmalloc.h>
51785 +#include <linux/types.h>
51786 +#include <linux/sysctl.h>
51787 +#include <linux/netdevice.h>
51788 +#include <linux/ptrace.h>
51789 +#include <linux/gracl.h>
51790 +#include <linux/gralloc.h>
51791 +#include <linux/grsecurity.h>
51792 +#include <linux/grinternal.h>
51793 +#include <linux/pid_namespace.h>
51794 +#include <linux/fdtable.h>
51795 +#include <linux/percpu.h>
51796 +
51797 +#include <asm/uaccess.h>
51798 +#include <asm/errno.h>
51799 +#include <asm/mman.h>
51800 +
51801 +static struct acl_role_db acl_role_set;
51802 +static struct name_db name_set;
51803 +static struct inodev_db inodev_set;
51804 +
51805 +/* for keeping track of userspace pointers used for subjects, so we
51806 + can share references in the kernel as well
51807 +*/
51808 +
51809 +static struct path real_root;
51810 +
51811 +static struct acl_subj_map_db subj_map_set;
51812 +
51813 +static struct acl_role_label *default_role;
51814 +
51815 +static struct acl_role_label *role_list;
51816 +
51817 +static u16 acl_sp_role_value;
51818 +
51819 +extern char *gr_shared_page[4];
51820 +static DEFINE_MUTEX(gr_dev_mutex);
51821 +DEFINE_RWLOCK(gr_inode_lock);
51822 +
51823 +struct gr_arg *gr_usermode;
51824 +
51825 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
51826 +
51827 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
51828 +extern void gr_clear_learn_entries(void);
51829 +
51830 +#ifdef CONFIG_GRKERNSEC_RESLOG
51831 +extern void gr_log_resource(const struct task_struct *task,
51832 + const int res, const unsigned long wanted, const int gt);
51833 +#endif
51834 +
51835 +unsigned char *gr_system_salt;
51836 +unsigned char *gr_system_sum;
51837 +
51838 +static struct sprole_pw **acl_special_roles = NULL;
51839 +static __u16 num_sprole_pws = 0;
51840 +
51841 +static struct acl_role_label *kernel_role = NULL;
51842 +
51843 +static unsigned int gr_auth_attempts = 0;
51844 +static unsigned long gr_auth_expires = 0UL;
51845 +
51846 +#ifdef CONFIG_NET
51847 +extern struct vfsmount *sock_mnt;
51848 +#endif
51849 +
51850 +extern struct vfsmount *pipe_mnt;
51851 +extern struct vfsmount *shm_mnt;
51852 +#ifdef CONFIG_HUGETLBFS
51853 +extern struct vfsmount *hugetlbfs_vfsmount;
51854 +#endif
51855 +
51856 +static struct acl_object_label *fakefs_obj_rw;
51857 +static struct acl_object_label *fakefs_obj_rwx;
51858 +
51859 +extern int gr_init_uidset(void);
51860 +extern void gr_free_uidset(void);
51861 +extern void gr_remove_uid(uid_t uid);
51862 +extern int gr_find_uid(uid_t uid);
51863 +
51864 +DECLARE_BRLOCK(vfsmount_lock);
51865 +
51866 +__inline__ int
51867 +gr_acl_is_enabled(void)
51868 +{
51869 + return (gr_status & GR_READY);
51870 +}
51871 +
51872 +#ifdef CONFIG_BTRFS_FS
51873 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
51874 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
51875 +#endif
51876 +
51877 +static inline dev_t __get_dev(const struct dentry *dentry)
51878 +{
51879 +#ifdef CONFIG_BTRFS_FS
51880 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
51881 + return get_btrfs_dev_from_inode(dentry->d_inode);
51882 + else
51883 +#endif
51884 + return dentry->d_inode->i_sb->s_dev;
51885 +}
51886 +
51887 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
51888 +{
51889 + return __get_dev(dentry);
51890 +}
51891 +
51892 +static char gr_task_roletype_to_char(struct task_struct *task)
51893 +{
51894 + switch (task->role->roletype &
51895 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
51896 + GR_ROLE_SPECIAL)) {
51897 + case GR_ROLE_DEFAULT:
51898 + return 'D';
51899 + case GR_ROLE_USER:
51900 + return 'U';
51901 + case GR_ROLE_GROUP:
51902 + return 'G';
51903 + case GR_ROLE_SPECIAL:
51904 + return 'S';
51905 + }
51906 +
51907 + return 'X';
51908 +}
51909 +
51910 +char gr_roletype_to_char(void)
51911 +{
51912 + return gr_task_roletype_to_char(current);
51913 +}
51914 +
51915 +__inline__ int
51916 +gr_acl_tpe_check(void)
51917 +{
51918 + if (unlikely(!(gr_status & GR_READY)))
51919 + return 0;
51920 + if (current->role->roletype & GR_ROLE_TPE)
51921 + return 1;
51922 + else
51923 + return 0;
51924 +}
51925 +
51926 +int
51927 +gr_handle_rawio(const struct inode *inode)
51928 +{
51929 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51930 + if (inode && S_ISBLK(inode->i_mode) &&
51931 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
51932 + !capable(CAP_SYS_RAWIO))
51933 + return 1;
51934 +#endif
51935 + return 0;
51936 +}
51937 +
51938 +static int
51939 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
51940 +{
51941 + if (likely(lena != lenb))
51942 + return 0;
51943 +
51944 + return !memcmp(a, b, lena);
51945 +}
51946 +
51947 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
51948 +{
51949 + *buflen -= namelen;
51950 + if (*buflen < 0)
51951 + return -ENAMETOOLONG;
51952 + *buffer -= namelen;
51953 + memcpy(*buffer, str, namelen);
51954 + return 0;
51955 +}
51956 +
51957 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
51958 +{
51959 + return prepend(buffer, buflen, name->name, name->len);
51960 +}
51961 +
51962 +static int prepend_path(const struct path *path, struct path *root,
51963 + char **buffer, int *buflen)
51964 +{
51965 + struct dentry *dentry = path->dentry;
51966 + struct vfsmount *vfsmnt = path->mnt;
51967 + bool slash = false;
51968 + int error = 0;
51969 +
51970 + while (dentry != root->dentry || vfsmnt != root->mnt) {
51971 + struct dentry * parent;
51972 +
51973 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
51974 + /* Global root? */
51975 + if (vfsmnt->mnt_parent == vfsmnt) {
51976 + goto out;
51977 + }
51978 + dentry = vfsmnt->mnt_mountpoint;
51979 + vfsmnt = vfsmnt->mnt_parent;
51980 + continue;
51981 + }
51982 + parent = dentry->d_parent;
51983 + prefetch(parent);
51984 + spin_lock(&dentry->d_lock);
51985 + error = prepend_name(buffer, buflen, &dentry->d_name);
51986 + spin_unlock(&dentry->d_lock);
51987 + if (!error)
51988 + error = prepend(buffer, buflen, "/", 1);
51989 + if (error)
51990 + break;
51991 +
51992 + slash = true;
51993 + dentry = parent;
51994 + }
51995 +
51996 +out:
51997 + if (!error && !slash)
51998 + error = prepend(buffer, buflen, "/", 1);
51999 +
52000 + return error;
52001 +}
52002 +
52003 +/* this must be called with vfsmount_lock and rename_lock held */
52004 +
52005 +static char *__our_d_path(const struct path *path, struct path *root,
52006 + char *buf, int buflen)
52007 +{
52008 + char *res = buf + buflen;
52009 + int error;
52010 +
52011 + prepend(&res, &buflen, "\0", 1);
52012 + error = prepend_path(path, root, &res, &buflen);
52013 + if (error)
52014 + return ERR_PTR(error);
52015 +
52016 + return res;
52017 +}
52018 +
52019 +static char *
52020 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
52021 +{
52022 + char *retval;
52023 +
52024 + retval = __our_d_path(path, root, buf, buflen);
52025 + if (unlikely(IS_ERR(retval)))
52026 + retval = strcpy(buf, "<path too long>");
52027 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
52028 + retval[1] = '\0';
52029 +
52030 + return retval;
52031 +}
52032 +
52033 +static char *
52034 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52035 + char *buf, int buflen)
52036 +{
52037 + struct path path;
52038 + char *res;
52039 +
52040 + path.dentry = (struct dentry *)dentry;
52041 + path.mnt = (struct vfsmount *)vfsmnt;
52042 +
52043 + /* we can use real_root.dentry, real_root.mnt, because this is only called
52044 + by the RBAC system */
52045 + res = gen_full_path(&path, &real_root, buf, buflen);
52046 +
52047 + return res;
52048 +}
52049 +
52050 +static char *
52051 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52052 + char *buf, int buflen)
52053 +{
52054 + char *res;
52055 + struct path path;
52056 + struct path root;
52057 + struct task_struct *reaper = &init_task;
52058 +
52059 + path.dentry = (struct dentry *)dentry;
52060 + path.mnt = (struct vfsmount *)vfsmnt;
52061 +
52062 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
52063 + get_fs_root(reaper->fs, &root);
52064 +
52065 + write_seqlock(&rename_lock);
52066 + br_read_lock(vfsmount_lock);
52067 + res = gen_full_path(&path, &root, buf, buflen);
52068 + br_read_unlock(vfsmount_lock);
52069 + write_sequnlock(&rename_lock);
52070 +
52071 + path_put(&root);
52072 + return res;
52073 +}
52074 +
52075 +static char *
52076 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52077 +{
52078 + char *ret;
52079 + write_seqlock(&rename_lock);
52080 + br_read_lock(vfsmount_lock);
52081 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52082 + PAGE_SIZE);
52083 + br_read_unlock(vfsmount_lock);
52084 + write_sequnlock(&rename_lock);
52085 + return ret;
52086 +}
52087 +
52088 +char *
52089 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52090 +{
52091 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52092 + PAGE_SIZE);
52093 +}
52094 +
52095 +char *
52096 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52097 +{
52098 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52099 + PAGE_SIZE);
52100 +}
52101 +
52102 +char *
52103 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52104 +{
52105 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52106 + PAGE_SIZE);
52107 +}
52108 +
52109 +char *
52110 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52111 +{
52112 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52113 + PAGE_SIZE);
52114 +}
52115 +
52116 +char *
52117 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52118 +{
52119 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52120 + PAGE_SIZE);
52121 +}
52122 +
52123 +__inline__ __u32
52124 +to_gr_audit(const __u32 reqmode)
52125 +{
52126 + /* masks off auditable permission flags, then shifts them to create
52127 + auditing flags, and adds the special case of append auditing if
52128 + we're requesting write */
52129 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52130 +}
52131 +
52132 +struct acl_subject_label *
52133 +lookup_subject_map(const struct acl_subject_label *userp)
52134 +{
52135 + unsigned int index = shash(userp, subj_map_set.s_size);
52136 + struct subject_map *match;
52137 +
52138 + match = subj_map_set.s_hash[index];
52139 +
52140 + while (match && match->user != userp)
52141 + match = match->next;
52142 +
52143 + if (match != NULL)
52144 + return match->kernel;
52145 + else
52146 + return NULL;
52147 +}
52148 +
52149 +static void
52150 +insert_subj_map_entry(struct subject_map *subjmap)
52151 +{
52152 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52153 + struct subject_map **curr;
52154 +
52155 + subjmap->prev = NULL;
52156 +
52157 + curr = &subj_map_set.s_hash[index];
52158 + if (*curr != NULL)
52159 + (*curr)->prev = subjmap;
52160 +
52161 + subjmap->next = *curr;
52162 + *curr = subjmap;
52163 +
52164 + return;
52165 +}
52166 +
52167 +static struct acl_role_label *
52168 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52169 + const gid_t gid)
52170 +{
52171 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52172 + struct acl_role_label *match;
52173 + struct role_allowed_ip *ipp;
52174 + unsigned int x;
52175 + u32 curr_ip = task->signal->curr_ip;
52176 +
52177 + task->signal->saved_ip = curr_ip;
52178 +
52179 + match = acl_role_set.r_hash[index];
52180 +
52181 + while (match) {
52182 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52183 + for (x = 0; x < match->domain_child_num; x++) {
52184 + if (match->domain_children[x] == uid)
52185 + goto found;
52186 + }
52187 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52188 + break;
52189 + match = match->next;
52190 + }
52191 +found:
52192 + if (match == NULL) {
52193 + try_group:
52194 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52195 + match = acl_role_set.r_hash[index];
52196 +
52197 + while (match) {
52198 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52199 + for (x = 0; x < match->domain_child_num; x++) {
52200 + if (match->domain_children[x] == gid)
52201 + goto found2;
52202 + }
52203 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52204 + break;
52205 + match = match->next;
52206 + }
52207 +found2:
52208 + if (match == NULL)
52209 + match = default_role;
52210 + if (match->allowed_ips == NULL)
52211 + return match;
52212 + else {
52213 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52214 + if (likely
52215 + ((ntohl(curr_ip) & ipp->netmask) ==
52216 + (ntohl(ipp->addr) & ipp->netmask)))
52217 + return match;
52218 + }
52219 + match = default_role;
52220 + }
52221 + } else if (match->allowed_ips == NULL) {
52222 + return match;
52223 + } else {
52224 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52225 + if (likely
52226 + ((ntohl(curr_ip) & ipp->netmask) ==
52227 + (ntohl(ipp->addr) & ipp->netmask)))
52228 + return match;
52229 + }
52230 + goto try_group;
52231 + }
52232 +
52233 + return match;
52234 +}
52235 +
52236 +struct acl_subject_label *
52237 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52238 + const struct acl_role_label *role)
52239 +{
52240 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52241 + struct acl_subject_label *match;
52242 +
52243 + match = role->subj_hash[index];
52244 +
52245 + while (match && (match->inode != ino || match->device != dev ||
52246 + (match->mode & GR_DELETED))) {
52247 + match = match->next;
52248 + }
52249 +
52250 + if (match && !(match->mode & GR_DELETED))
52251 + return match;
52252 + else
52253 + return NULL;
52254 +}
52255 +
52256 +struct acl_subject_label *
52257 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52258 + const struct acl_role_label *role)
52259 +{
52260 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52261 + struct acl_subject_label *match;
52262 +
52263 + match = role->subj_hash[index];
52264 +
52265 + while (match && (match->inode != ino || match->device != dev ||
52266 + !(match->mode & GR_DELETED))) {
52267 + match = match->next;
52268 + }
52269 +
52270 + if (match && (match->mode & GR_DELETED))
52271 + return match;
52272 + else
52273 + return NULL;
52274 +}
52275 +
52276 +static struct acl_object_label *
52277 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52278 + const struct acl_subject_label *subj)
52279 +{
52280 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52281 + struct acl_object_label *match;
52282 +
52283 + match = subj->obj_hash[index];
52284 +
52285 + while (match && (match->inode != ino || match->device != dev ||
52286 + (match->mode & GR_DELETED))) {
52287 + match = match->next;
52288 + }
52289 +
52290 + if (match && !(match->mode & GR_DELETED))
52291 + return match;
52292 + else
52293 + return NULL;
52294 +}
52295 +
52296 +static struct acl_object_label *
52297 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52298 + const struct acl_subject_label *subj)
52299 +{
52300 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52301 + struct acl_object_label *match;
52302 +
52303 + match = subj->obj_hash[index];
52304 +
52305 + while (match && (match->inode != ino || match->device != dev ||
52306 + !(match->mode & GR_DELETED))) {
52307 + match = match->next;
52308 + }
52309 +
52310 + if (match && (match->mode & GR_DELETED))
52311 + return match;
52312 +
52313 + match = subj->obj_hash[index];
52314 +
52315 + while (match && (match->inode != ino || match->device != dev ||
52316 + (match->mode & GR_DELETED))) {
52317 + match = match->next;
52318 + }
52319 +
52320 + if (match && !(match->mode & GR_DELETED))
52321 + return match;
52322 + else
52323 + return NULL;
52324 +}
52325 +
52326 +static struct name_entry *
52327 +lookup_name_entry(const char *name)
52328 +{
52329 + unsigned int len = strlen(name);
52330 + unsigned int key = full_name_hash(name, len);
52331 + unsigned int index = key % name_set.n_size;
52332 + struct name_entry *match;
52333 +
52334 + match = name_set.n_hash[index];
52335 +
52336 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52337 + match = match->next;
52338 +
52339 + return match;
52340 +}
52341 +
52342 +static struct name_entry *
52343 +lookup_name_entry_create(const char *name)
52344 +{
52345 + unsigned int len = strlen(name);
52346 + unsigned int key = full_name_hash(name, len);
52347 + unsigned int index = key % name_set.n_size;
52348 + struct name_entry *match;
52349 +
52350 + match = name_set.n_hash[index];
52351 +
52352 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52353 + !match->deleted))
52354 + match = match->next;
52355 +
52356 + if (match && match->deleted)
52357 + return match;
52358 +
52359 + match = name_set.n_hash[index];
52360 +
52361 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52362 + match->deleted))
52363 + match = match->next;
52364 +
52365 + if (match && !match->deleted)
52366 + return match;
52367 + else
52368 + return NULL;
52369 +}
52370 +
52371 +static struct inodev_entry *
52372 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
52373 +{
52374 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
52375 + struct inodev_entry *match;
52376 +
52377 + match = inodev_set.i_hash[index];
52378 +
52379 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52380 + match = match->next;
52381 +
52382 + return match;
52383 +}
52384 +
52385 +static void
52386 +insert_inodev_entry(struct inodev_entry *entry)
52387 +{
52388 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52389 + inodev_set.i_size);
52390 + struct inodev_entry **curr;
52391 +
52392 + entry->prev = NULL;
52393 +
52394 + curr = &inodev_set.i_hash[index];
52395 + if (*curr != NULL)
52396 + (*curr)->prev = entry;
52397 +
52398 + entry->next = *curr;
52399 + *curr = entry;
52400 +
52401 + return;
52402 +}
52403 +
52404 +static void
52405 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52406 +{
52407 + unsigned int index =
52408 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52409 + struct acl_role_label **curr;
52410 + struct acl_role_label *tmp;
52411 +
52412 + curr = &acl_role_set.r_hash[index];
52413 +
52414 + /* if role was already inserted due to domains and already has
52415 + a role in the same bucket as it attached, then we need to
52416 + combine these two buckets
52417 + */
52418 + if (role->next) {
52419 + tmp = role->next;
52420 + while (tmp->next)
52421 + tmp = tmp->next;
52422 + tmp->next = *curr;
52423 + } else
52424 + role->next = *curr;
52425 + *curr = role;
52426 +
52427 + return;
52428 +}
52429 +
52430 +static void
52431 +insert_acl_role_label(struct acl_role_label *role)
52432 +{
52433 + int i;
52434 +
52435 + if (role_list == NULL) {
52436 + role_list = role;
52437 + role->prev = NULL;
52438 + } else {
52439 + role->prev = role_list;
52440 + role_list = role;
52441 + }
52442 +
52443 + /* used for hash chains */
52444 + role->next = NULL;
52445 +
52446 + if (role->roletype & GR_ROLE_DOMAIN) {
52447 + for (i = 0; i < role->domain_child_num; i++)
52448 + __insert_acl_role_label(role, role->domain_children[i]);
52449 + } else
52450 + __insert_acl_role_label(role, role->uidgid);
52451 +}
52452 +
52453 +static int
52454 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52455 +{
52456 + struct name_entry **curr, *nentry;
52457 + struct inodev_entry *ientry;
52458 + unsigned int len = strlen(name);
52459 + unsigned int key = full_name_hash(name, len);
52460 + unsigned int index = key % name_set.n_size;
52461 +
52462 + curr = &name_set.n_hash[index];
52463 +
52464 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52465 + curr = &((*curr)->next);
52466 +
52467 + if (*curr != NULL)
52468 + return 1;
52469 +
52470 + nentry = acl_alloc(sizeof (struct name_entry));
52471 + if (nentry == NULL)
52472 + return 0;
52473 + ientry = acl_alloc(sizeof (struct inodev_entry));
52474 + if (ientry == NULL)
52475 + return 0;
52476 + ientry->nentry = nentry;
52477 +
52478 + nentry->key = key;
52479 + nentry->name = name;
52480 + nentry->inode = inode;
52481 + nentry->device = device;
52482 + nentry->len = len;
52483 + nentry->deleted = deleted;
52484 +
52485 + nentry->prev = NULL;
52486 + curr = &name_set.n_hash[index];
52487 + if (*curr != NULL)
52488 + (*curr)->prev = nentry;
52489 + nentry->next = *curr;
52490 + *curr = nentry;
52491 +
52492 + /* insert us into the table searchable by inode/dev */
52493 + insert_inodev_entry(ientry);
52494 +
52495 + return 1;
52496 +}
52497 +
52498 +static void
52499 +insert_acl_obj_label(struct acl_object_label *obj,
52500 + struct acl_subject_label *subj)
52501 +{
52502 + unsigned int index =
52503 + fhash(obj->inode, obj->device, subj->obj_hash_size);
52504 + struct acl_object_label **curr;
52505 +
52506 +
52507 + obj->prev = NULL;
52508 +
52509 + curr = &subj->obj_hash[index];
52510 + if (*curr != NULL)
52511 + (*curr)->prev = obj;
52512 +
52513 + obj->next = *curr;
52514 + *curr = obj;
52515 +
52516 + return;
52517 +}
52518 +
52519 +static void
52520 +insert_acl_subj_label(struct acl_subject_label *obj,
52521 + struct acl_role_label *role)
52522 +{
52523 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
52524 + struct acl_subject_label **curr;
52525 +
52526 + obj->prev = NULL;
52527 +
52528 + curr = &role->subj_hash[index];
52529 + if (*curr != NULL)
52530 + (*curr)->prev = obj;
52531 +
52532 + obj->next = *curr;
52533 + *curr = obj;
52534 +
52535 + return;
52536 +}
52537 +
52538 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
52539 +
52540 +static void *
52541 +create_table(__u32 * len, int elementsize)
52542 +{
52543 + unsigned int table_sizes[] = {
52544 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
52545 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
52546 + 4194301, 8388593, 16777213, 33554393, 67108859
52547 + };
52548 + void *newtable = NULL;
52549 + unsigned int pwr = 0;
52550 +
52551 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
52552 + table_sizes[pwr] <= *len)
52553 + pwr++;
52554 +
52555 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
52556 + return newtable;
52557 +
52558 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
52559 + newtable =
52560 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
52561 + else
52562 + newtable = vmalloc(table_sizes[pwr] * elementsize);
52563 +
52564 + *len = table_sizes[pwr];
52565 +
52566 + return newtable;
52567 +}
52568 +
52569 +static int
52570 +init_variables(const struct gr_arg *arg)
52571 +{
52572 + struct task_struct *reaper = &init_task;
52573 + unsigned int stacksize;
52574 +
52575 + subj_map_set.s_size = arg->role_db.num_subjects;
52576 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
52577 + name_set.n_size = arg->role_db.num_objects;
52578 + inodev_set.i_size = arg->role_db.num_objects;
52579 +
52580 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
52581 + !name_set.n_size || !inodev_set.i_size)
52582 + return 1;
52583 +
52584 + if (!gr_init_uidset())
52585 + return 1;
52586 +
52587 + /* set up the stack that holds allocation info */
52588 +
52589 + stacksize = arg->role_db.num_pointers + 5;
52590 +
52591 + if (!acl_alloc_stack_init(stacksize))
52592 + return 1;
52593 +
52594 + /* grab reference for the real root dentry and vfsmount */
52595 + get_fs_root(reaper->fs, &real_root);
52596 +
52597 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52598 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
52599 +#endif
52600 +
52601 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
52602 + if (fakefs_obj_rw == NULL)
52603 + return 1;
52604 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
52605 +
52606 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
52607 + if (fakefs_obj_rwx == NULL)
52608 + return 1;
52609 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
52610 +
52611 + subj_map_set.s_hash =
52612 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
52613 + acl_role_set.r_hash =
52614 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
52615 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
52616 + inodev_set.i_hash =
52617 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
52618 +
52619 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
52620 + !name_set.n_hash || !inodev_set.i_hash)
52621 + return 1;
52622 +
52623 + memset(subj_map_set.s_hash, 0,
52624 + sizeof(struct subject_map *) * subj_map_set.s_size);
52625 + memset(acl_role_set.r_hash, 0,
52626 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
52627 + memset(name_set.n_hash, 0,
52628 + sizeof (struct name_entry *) * name_set.n_size);
52629 + memset(inodev_set.i_hash, 0,
52630 + sizeof (struct inodev_entry *) * inodev_set.i_size);
52631 +
52632 + return 0;
52633 +}
52634 +
52635 +/* free information not needed after startup
52636 + currently contains user->kernel pointer mappings for subjects
52637 +*/
52638 +
52639 +static void
52640 +free_init_variables(void)
52641 +{
52642 + __u32 i;
52643 +
52644 + if (subj_map_set.s_hash) {
52645 + for (i = 0; i < subj_map_set.s_size; i++) {
52646 + if (subj_map_set.s_hash[i]) {
52647 + kfree(subj_map_set.s_hash[i]);
52648 + subj_map_set.s_hash[i] = NULL;
52649 + }
52650 + }
52651 +
52652 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
52653 + PAGE_SIZE)
52654 + kfree(subj_map_set.s_hash);
52655 + else
52656 + vfree(subj_map_set.s_hash);
52657 + }
52658 +
52659 + return;
52660 +}
52661 +
52662 +static void
52663 +free_variables(void)
52664 +{
52665 + struct acl_subject_label *s;
52666 + struct acl_role_label *r;
52667 + struct task_struct *task, *task2;
52668 + unsigned int x;
52669 +
52670 + gr_clear_learn_entries();
52671 +
52672 + read_lock(&tasklist_lock);
52673 + do_each_thread(task2, task) {
52674 + task->acl_sp_role = 0;
52675 + task->acl_role_id = 0;
52676 + task->acl = NULL;
52677 + task->role = NULL;
52678 + } while_each_thread(task2, task);
52679 + read_unlock(&tasklist_lock);
52680 +
52681 + /* release the reference to the real root dentry and vfsmount */
52682 + path_put(&real_root);
52683 +
52684 + /* free all object hash tables */
52685 +
52686 + FOR_EACH_ROLE_START(r)
52687 + if (r->subj_hash == NULL)
52688 + goto next_role;
52689 + FOR_EACH_SUBJECT_START(r, s, x)
52690 + if (s->obj_hash == NULL)
52691 + break;
52692 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52693 + kfree(s->obj_hash);
52694 + else
52695 + vfree(s->obj_hash);
52696 + FOR_EACH_SUBJECT_END(s, x)
52697 + FOR_EACH_NESTED_SUBJECT_START(r, s)
52698 + if (s->obj_hash == NULL)
52699 + break;
52700 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
52701 + kfree(s->obj_hash);
52702 + else
52703 + vfree(s->obj_hash);
52704 + FOR_EACH_NESTED_SUBJECT_END(s)
52705 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
52706 + kfree(r->subj_hash);
52707 + else
52708 + vfree(r->subj_hash);
52709 + r->subj_hash = NULL;
52710 +next_role:
52711 + FOR_EACH_ROLE_END(r)
52712 +
52713 + acl_free_all();
52714 +
52715 + if (acl_role_set.r_hash) {
52716 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
52717 + PAGE_SIZE)
52718 + kfree(acl_role_set.r_hash);
52719 + else
52720 + vfree(acl_role_set.r_hash);
52721 + }
52722 + if (name_set.n_hash) {
52723 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
52724 + PAGE_SIZE)
52725 + kfree(name_set.n_hash);
52726 + else
52727 + vfree(name_set.n_hash);
52728 + }
52729 +
52730 + if (inodev_set.i_hash) {
52731 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
52732 + PAGE_SIZE)
52733 + kfree(inodev_set.i_hash);
52734 + else
52735 + vfree(inodev_set.i_hash);
52736 + }
52737 +
52738 + gr_free_uidset();
52739 +
52740 + memset(&name_set, 0, sizeof (struct name_db));
52741 + memset(&inodev_set, 0, sizeof (struct inodev_db));
52742 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
52743 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
52744 +
52745 + default_role = NULL;
52746 + role_list = NULL;
52747 +
52748 + return;
52749 +}
52750 +
52751 +static __u32
52752 +count_user_objs(struct acl_object_label *userp)
52753 +{
52754 + struct acl_object_label o_tmp;
52755 + __u32 num = 0;
52756 +
52757 + while (userp) {
52758 + if (copy_from_user(&o_tmp, userp,
52759 + sizeof (struct acl_object_label)))
52760 + break;
52761 +
52762 + userp = o_tmp.prev;
52763 + num++;
52764 + }
52765 +
52766 + return num;
52767 +}
52768 +
52769 +static struct acl_subject_label *
52770 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
52771 +
52772 +static int
52773 +copy_user_glob(struct acl_object_label *obj)
52774 +{
52775 + struct acl_object_label *g_tmp, **guser;
52776 + unsigned int len;
52777 + char *tmp;
52778 +
52779 + if (obj->globbed == NULL)
52780 + return 0;
52781 +
52782 + guser = &obj->globbed;
52783 + while (*guser) {
52784 + g_tmp = (struct acl_object_label *)
52785 + acl_alloc(sizeof (struct acl_object_label));
52786 + if (g_tmp == NULL)
52787 + return -ENOMEM;
52788 +
52789 + if (copy_from_user(g_tmp, *guser,
52790 + sizeof (struct acl_object_label)))
52791 + return -EFAULT;
52792 +
52793 + len = strnlen_user(g_tmp->filename, PATH_MAX);
52794 +
52795 + if (!len || len >= PATH_MAX)
52796 + return -EINVAL;
52797 +
52798 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52799 + return -ENOMEM;
52800 +
52801 + if (copy_from_user(tmp, g_tmp->filename, len))
52802 + return -EFAULT;
52803 + tmp[len-1] = '\0';
52804 + g_tmp->filename = tmp;
52805 +
52806 + *guser = g_tmp;
52807 + guser = &(g_tmp->next);
52808 + }
52809 +
52810 + return 0;
52811 +}
52812 +
52813 +static int
52814 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
52815 + struct acl_role_label *role)
52816 +{
52817 + struct acl_object_label *o_tmp;
52818 + unsigned int len;
52819 + int ret;
52820 + char *tmp;
52821 +
52822 + while (userp) {
52823 + if ((o_tmp = (struct acl_object_label *)
52824 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
52825 + return -ENOMEM;
52826 +
52827 + if (copy_from_user(o_tmp, userp,
52828 + sizeof (struct acl_object_label)))
52829 + return -EFAULT;
52830 +
52831 + userp = o_tmp->prev;
52832 +
52833 + len = strnlen_user(o_tmp->filename, PATH_MAX);
52834 +
52835 + if (!len || len >= PATH_MAX)
52836 + return -EINVAL;
52837 +
52838 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52839 + return -ENOMEM;
52840 +
52841 + if (copy_from_user(tmp, o_tmp->filename, len))
52842 + return -EFAULT;
52843 + tmp[len-1] = '\0';
52844 + o_tmp->filename = tmp;
52845 +
52846 + insert_acl_obj_label(o_tmp, subj);
52847 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
52848 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
52849 + return -ENOMEM;
52850 +
52851 + ret = copy_user_glob(o_tmp);
52852 + if (ret)
52853 + return ret;
52854 +
52855 + if (o_tmp->nested) {
52856 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
52857 + if (IS_ERR(o_tmp->nested))
52858 + return PTR_ERR(o_tmp->nested);
52859 +
52860 + /* insert into nested subject list */
52861 + o_tmp->nested->next = role->hash->first;
52862 + role->hash->first = o_tmp->nested;
52863 + }
52864 + }
52865 +
52866 + return 0;
52867 +}
52868 +
52869 +static __u32
52870 +count_user_subjs(struct acl_subject_label *userp)
52871 +{
52872 + struct acl_subject_label s_tmp;
52873 + __u32 num = 0;
52874 +
52875 + while (userp) {
52876 + if (copy_from_user(&s_tmp, userp,
52877 + sizeof (struct acl_subject_label)))
52878 + break;
52879 +
52880 + userp = s_tmp.prev;
52881 + /* do not count nested subjects against this count, since
52882 + they are not included in the hash table, but are
52883 + attached to objects. We have already counted
52884 + the subjects in userspace for the allocation
52885 + stack
52886 + */
52887 + if (!(s_tmp.mode & GR_NESTED))
52888 + num++;
52889 + }
52890 +
52891 + return num;
52892 +}
52893 +
52894 +static int
52895 +copy_user_allowedips(struct acl_role_label *rolep)
52896 +{
52897 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
52898 +
52899 + ruserip = rolep->allowed_ips;
52900 +
52901 + while (ruserip) {
52902 + rlast = rtmp;
52903 +
52904 + if ((rtmp = (struct role_allowed_ip *)
52905 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
52906 + return -ENOMEM;
52907 +
52908 + if (copy_from_user(rtmp, ruserip,
52909 + sizeof (struct role_allowed_ip)))
52910 + return -EFAULT;
52911 +
52912 + ruserip = rtmp->prev;
52913 +
52914 + if (!rlast) {
52915 + rtmp->prev = NULL;
52916 + rolep->allowed_ips = rtmp;
52917 + } else {
52918 + rlast->next = rtmp;
52919 + rtmp->prev = rlast;
52920 + }
52921 +
52922 + if (!ruserip)
52923 + rtmp->next = NULL;
52924 + }
52925 +
52926 + return 0;
52927 +}
52928 +
52929 +static int
52930 +copy_user_transitions(struct acl_role_label *rolep)
52931 +{
52932 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
52933 +
52934 + unsigned int len;
52935 + char *tmp;
52936 +
52937 + rusertp = rolep->transitions;
52938 +
52939 + while (rusertp) {
52940 + rlast = rtmp;
52941 +
52942 + if ((rtmp = (struct role_transition *)
52943 + acl_alloc(sizeof (struct role_transition))) == NULL)
52944 + return -ENOMEM;
52945 +
52946 + if (copy_from_user(rtmp, rusertp,
52947 + sizeof (struct role_transition)))
52948 + return -EFAULT;
52949 +
52950 + rusertp = rtmp->prev;
52951 +
52952 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
52953 +
52954 + if (!len || len >= GR_SPROLE_LEN)
52955 + return -EINVAL;
52956 +
52957 + if ((tmp = (char *) acl_alloc(len)) == NULL)
52958 + return -ENOMEM;
52959 +
52960 + if (copy_from_user(tmp, rtmp->rolename, len))
52961 + return -EFAULT;
52962 + tmp[len-1] = '\0';
52963 + rtmp->rolename = tmp;
52964 +
52965 + if (!rlast) {
52966 + rtmp->prev = NULL;
52967 + rolep->transitions = rtmp;
52968 + } else {
52969 + rlast->next = rtmp;
52970 + rtmp->prev = rlast;
52971 + }
52972 +
52973 + if (!rusertp)
52974 + rtmp->next = NULL;
52975 + }
52976 +
52977 + return 0;
52978 +}
52979 +
52980 +static struct acl_subject_label *
52981 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
52982 +{
52983 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
52984 + unsigned int len;
52985 + char *tmp;
52986 + __u32 num_objs;
52987 + struct acl_ip_label **i_tmp, *i_utmp2;
52988 + struct gr_hash_struct ghash;
52989 + struct subject_map *subjmap;
52990 + unsigned int i_num;
52991 + int err;
52992 +
52993 + s_tmp = lookup_subject_map(userp);
52994 +
52995 + /* we've already copied this subject into the kernel, just return
52996 + the reference to it, and don't copy it over again
52997 + */
52998 + if (s_tmp)
52999 + return(s_tmp);
53000 +
53001 + if ((s_tmp = (struct acl_subject_label *)
53002 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
53003 + return ERR_PTR(-ENOMEM);
53004 +
53005 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
53006 + if (subjmap == NULL)
53007 + return ERR_PTR(-ENOMEM);
53008 +
53009 + subjmap->user = userp;
53010 + subjmap->kernel = s_tmp;
53011 + insert_subj_map_entry(subjmap);
53012 +
53013 + if (copy_from_user(s_tmp, userp,
53014 + sizeof (struct acl_subject_label)))
53015 + return ERR_PTR(-EFAULT);
53016 +
53017 + len = strnlen_user(s_tmp->filename, PATH_MAX);
53018 +
53019 + if (!len || len >= PATH_MAX)
53020 + return ERR_PTR(-EINVAL);
53021 +
53022 + if ((tmp = (char *) acl_alloc(len)) == NULL)
53023 + return ERR_PTR(-ENOMEM);
53024 +
53025 + if (copy_from_user(tmp, s_tmp->filename, len))
53026 + return ERR_PTR(-EFAULT);
53027 + tmp[len-1] = '\0';
53028 + s_tmp->filename = tmp;
53029 +
53030 + if (!strcmp(s_tmp->filename, "/"))
53031 + role->root_label = s_tmp;
53032 +
53033 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
53034 + return ERR_PTR(-EFAULT);
53035 +
53036 + /* copy user and group transition tables */
53037 +
53038 + if (s_tmp->user_trans_num) {
53039 + uid_t *uidlist;
53040 +
53041 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53042 + if (uidlist == NULL)
53043 + return ERR_PTR(-ENOMEM);
53044 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53045 + return ERR_PTR(-EFAULT);
53046 +
53047 + s_tmp->user_transitions = uidlist;
53048 + }
53049 +
53050 + if (s_tmp->group_trans_num) {
53051 + gid_t *gidlist;
53052 +
53053 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53054 + if (gidlist == NULL)
53055 + return ERR_PTR(-ENOMEM);
53056 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53057 + return ERR_PTR(-EFAULT);
53058 +
53059 + s_tmp->group_transitions = gidlist;
53060 + }
53061 +
53062 + /* set up object hash table */
53063 + num_objs = count_user_objs(ghash.first);
53064 +
53065 + s_tmp->obj_hash_size = num_objs;
53066 + s_tmp->obj_hash =
53067 + (struct acl_object_label **)
53068 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53069 +
53070 + if (!s_tmp->obj_hash)
53071 + return ERR_PTR(-ENOMEM);
53072 +
53073 + memset(s_tmp->obj_hash, 0,
53074 + s_tmp->obj_hash_size *
53075 + sizeof (struct acl_object_label *));
53076 +
53077 + /* add in objects */
53078 + err = copy_user_objs(ghash.first, s_tmp, role);
53079 +
53080 + if (err)
53081 + return ERR_PTR(err);
53082 +
53083 + /* set pointer for parent subject */
53084 + if (s_tmp->parent_subject) {
53085 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53086 +
53087 + if (IS_ERR(s_tmp2))
53088 + return s_tmp2;
53089 +
53090 + s_tmp->parent_subject = s_tmp2;
53091 + }
53092 +
53093 + /* add in ip acls */
53094 +
53095 + if (!s_tmp->ip_num) {
53096 + s_tmp->ips = NULL;
53097 + goto insert;
53098 + }
53099 +
53100 + i_tmp =
53101 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53102 + sizeof (struct acl_ip_label *));
53103 +
53104 + if (!i_tmp)
53105 + return ERR_PTR(-ENOMEM);
53106 +
53107 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53108 + *(i_tmp + i_num) =
53109 + (struct acl_ip_label *)
53110 + acl_alloc(sizeof (struct acl_ip_label));
53111 + if (!*(i_tmp + i_num))
53112 + return ERR_PTR(-ENOMEM);
53113 +
53114 + if (copy_from_user
53115 + (&i_utmp2, s_tmp->ips + i_num,
53116 + sizeof (struct acl_ip_label *)))
53117 + return ERR_PTR(-EFAULT);
53118 +
53119 + if (copy_from_user
53120 + (*(i_tmp + i_num), i_utmp2,
53121 + sizeof (struct acl_ip_label)))
53122 + return ERR_PTR(-EFAULT);
53123 +
53124 + if ((*(i_tmp + i_num))->iface == NULL)
53125 + continue;
53126 +
53127 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53128 + if (!len || len >= IFNAMSIZ)
53129 + return ERR_PTR(-EINVAL);
53130 + tmp = acl_alloc(len);
53131 + if (tmp == NULL)
53132 + return ERR_PTR(-ENOMEM);
53133 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53134 + return ERR_PTR(-EFAULT);
53135 + (*(i_tmp + i_num))->iface = tmp;
53136 + }
53137 +
53138 + s_tmp->ips = i_tmp;
53139 +
53140 +insert:
53141 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53142 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53143 + return ERR_PTR(-ENOMEM);
53144 +
53145 + return s_tmp;
53146 +}
53147 +
53148 +static int
53149 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53150 +{
53151 + struct acl_subject_label s_pre;
53152 + struct acl_subject_label * ret;
53153 + int err;
53154 +
53155 + while (userp) {
53156 + if (copy_from_user(&s_pre, userp,
53157 + sizeof (struct acl_subject_label)))
53158 + return -EFAULT;
53159 +
53160 + /* do not add nested subjects here, add
53161 + while parsing objects
53162 + */
53163 +
53164 + if (s_pre.mode & GR_NESTED) {
53165 + userp = s_pre.prev;
53166 + continue;
53167 + }
53168 +
53169 + ret = do_copy_user_subj(userp, role);
53170 +
53171 + err = PTR_ERR(ret);
53172 + if (IS_ERR(ret))
53173 + return err;
53174 +
53175 + insert_acl_subj_label(ret, role);
53176 +
53177 + userp = s_pre.prev;
53178 + }
53179 +
53180 + return 0;
53181 +}
53182 +
53183 +static int
53184 +copy_user_acl(struct gr_arg *arg)
53185 +{
53186 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53187 + struct sprole_pw *sptmp;
53188 + struct gr_hash_struct *ghash;
53189 + uid_t *domainlist;
53190 + unsigned int r_num;
53191 + unsigned int len;
53192 + char *tmp;
53193 + int err = 0;
53194 + __u16 i;
53195 + __u32 num_subjs;
53196 +
53197 + /* we need a default and kernel role */
53198 + if (arg->role_db.num_roles < 2)
53199 + return -EINVAL;
53200 +
53201 + /* copy special role authentication info from userspace */
53202 +
53203 + num_sprole_pws = arg->num_sprole_pws;
53204 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53205 +
53206 + if (!acl_special_roles) {
53207 + err = -ENOMEM;
53208 + goto cleanup;
53209 + }
53210 +
53211 + for (i = 0; i < num_sprole_pws; i++) {
53212 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53213 + if (!sptmp) {
53214 + err = -ENOMEM;
53215 + goto cleanup;
53216 + }
53217 + if (copy_from_user(sptmp, arg->sprole_pws + i,
53218 + sizeof (struct sprole_pw))) {
53219 + err = -EFAULT;
53220 + goto cleanup;
53221 + }
53222 +
53223 + len =
53224 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53225 +
53226 + if (!len || len >= GR_SPROLE_LEN) {
53227 + err = -EINVAL;
53228 + goto cleanup;
53229 + }
53230 +
53231 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53232 + err = -ENOMEM;
53233 + goto cleanup;
53234 + }
53235 +
53236 + if (copy_from_user(tmp, sptmp->rolename, len)) {
53237 + err = -EFAULT;
53238 + goto cleanup;
53239 + }
53240 + tmp[len-1] = '\0';
53241 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53242 + printk(KERN_ALERT "Copying special role %s\n", tmp);
53243 +#endif
53244 + sptmp->rolename = tmp;
53245 + acl_special_roles[i] = sptmp;
53246 + }
53247 +
53248 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53249 +
53250 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53251 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
53252 +
53253 + if (!r_tmp) {
53254 + err = -ENOMEM;
53255 + goto cleanup;
53256 + }
53257 +
53258 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
53259 + sizeof (struct acl_role_label *))) {
53260 + err = -EFAULT;
53261 + goto cleanup;
53262 + }
53263 +
53264 + if (copy_from_user(r_tmp, r_utmp2,
53265 + sizeof (struct acl_role_label))) {
53266 + err = -EFAULT;
53267 + goto cleanup;
53268 + }
53269 +
53270 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53271 +
53272 + if (!len || len >= PATH_MAX) {
53273 + err = -EINVAL;
53274 + goto cleanup;
53275 + }
53276 +
53277 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53278 + err = -ENOMEM;
53279 + goto cleanup;
53280 + }
53281 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
53282 + err = -EFAULT;
53283 + goto cleanup;
53284 + }
53285 + tmp[len-1] = '\0';
53286 + r_tmp->rolename = tmp;
53287 +
53288 + if (!strcmp(r_tmp->rolename, "default")
53289 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53290 + default_role = r_tmp;
53291 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53292 + kernel_role = r_tmp;
53293 + }
53294 +
53295 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53296 + err = -ENOMEM;
53297 + goto cleanup;
53298 + }
53299 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53300 + err = -EFAULT;
53301 + goto cleanup;
53302 + }
53303 +
53304 + r_tmp->hash = ghash;
53305 +
53306 + num_subjs = count_user_subjs(r_tmp->hash->first);
53307 +
53308 + r_tmp->subj_hash_size = num_subjs;
53309 + r_tmp->subj_hash =
53310 + (struct acl_subject_label **)
53311 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53312 +
53313 + if (!r_tmp->subj_hash) {
53314 + err = -ENOMEM;
53315 + goto cleanup;
53316 + }
53317 +
53318 + err = copy_user_allowedips(r_tmp);
53319 + if (err)
53320 + goto cleanup;
53321 +
53322 + /* copy domain info */
53323 + if (r_tmp->domain_children != NULL) {
53324 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53325 + if (domainlist == NULL) {
53326 + err = -ENOMEM;
53327 + goto cleanup;
53328 + }
53329 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53330 + err = -EFAULT;
53331 + goto cleanup;
53332 + }
53333 + r_tmp->domain_children = domainlist;
53334 + }
53335 +
53336 + err = copy_user_transitions(r_tmp);
53337 + if (err)
53338 + goto cleanup;
53339 +
53340 + memset(r_tmp->subj_hash, 0,
53341 + r_tmp->subj_hash_size *
53342 + sizeof (struct acl_subject_label *));
53343 +
53344 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53345 +
53346 + if (err)
53347 + goto cleanup;
53348 +
53349 + /* set nested subject list to null */
53350 + r_tmp->hash->first = NULL;
53351 +
53352 + insert_acl_role_label(r_tmp);
53353 + }
53354 +
53355 + goto return_err;
53356 + cleanup:
53357 + free_variables();
53358 + return_err:
53359 + return err;
53360 +
53361 +}
53362 +
53363 +static int
53364 +gracl_init(struct gr_arg *args)
53365 +{
53366 + int error = 0;
53367 +
53368 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53369 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53370 +
53371 + if (init_variables(args)) {
53372 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53373 + error = -ENOMEM;
53374 + free_variables();
53375 + goto out;
53376 + }
53377 +
53378 + error = copy_user_acl(args);
53379 + free_init_variables();
53380 + if (error) {
53381 + free_variables();
53382 + goto out;
53383 + }
53384 +
53385 + if ((error = gr_set_acls(0))) {
53386 + free_variables();
53387 + goto out;
53388 + }
53389 +
53390 + pax_open_kernel();
53391 + gr_status |= GR_READY;
53392 + pax_close_kernel();
53393 +
53394 + out:
53395 + return error;
53396 +}
53397 +
53398 +/* derived from glibc fnmatch() 0: match, 1: no match*/
53399 +
53400 +static int
53401 +glob_match(const char *p, const char *n)
53402 +{
53403 + char c;
53404 +
53405 + while ((c = *p++) != '\0') {
53406 + switch (c) {
53407 + case '?':
53408 + if (*n == '\0')
53409 + return 1;
53410 + else if (*n == '/')
53411 + return 1;
53412 + break;
53413 + case '\\':
53414 + if (*n != c)
53415 + return 1;
53416 + break;
53417 + case '*':
53418 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
53419 + if (*n == '/')
53420 + return 1;
53421 + else if (c == '?') {
53422 + if (*n == '\0')
53423 + return 1;
53424 + else
53425 + ++n;
53426 + }
53427 + }
53428 + if (c == '\0') {
53429 + return 0;
53430 + } else {
53431 + const char *endp;
53432 +
53433 + if ((endp = strchr(n, '/')) == NULL)
53434 + endp = n + strlen(n);
53435 +
53436 + if (c == '[') {
53437 + for (--p; n < endp; ++n)
53438 + if (!glob_match(p, n))
53439 + return 0;
53440 + } else if (c == '/') {
53441 + while (*n != '\0' && *n != '/')
53442 + ++n;
53443 + if (*n == '/' && !glob_match(p, n + 1))
53444 + return 0;
53445 + } else {
53446 + for (--p; n < endp; ++n)
53447 + if (*n == c && !glob_match(p, n))
53448 + return 0;
53449 + }
53450 +
53451 + return 1;
53452 + }
53453 + case '[':
53454 + {
53455 + int not;
53456 + char cold;
53457 +
53458 + if (*n == '\0' || *n == '/')
53459 + return 1;
53460 +
53461 + not = (*p == '!' || *p == '^');
53462 + if (not)
53463 + ++p;
53464 +
53465 + c = *p++;
53466 + for (;;) {
53467 + unsigned char fn = (unsigned char)*n;
53468 +
53469 + if (c == '\0')
53470 + return 1;
53471 + else {
53472 + if (c == fn)
53473 + goto matched;
53474 + cold = c;
53475 + c = *p++;
53476 +
53477 + if (c == '-' && *p != ']') {
53478 + unsigned char cend = *p++;
53479 +
53480 + if (cend == '\0')
53481 + return 1;
53482 +
53483 + if (cold <= fn && fn <= cend)
53484 + goto matched;
53485 +
53486 + c = *p++;
53487 + }
53488 + }
53489 +
53490 + if (c == ']')
53491 + break;
53492 + }
53493 + if (!not)
53494 + return 1;
53495 + break;
53496 + matched:
53497 + while (c != ']') {
53498 + if (c == '\0')
53499 + return 1;
53500 +
53501 + c = *p++;
53502 + }
53503 + if (not)
53504 + return 1;
53505 + }
53506 + break;
53507 + default:
53508 + if (c != *n)
53509 + return 1;
53510 + }
53511 +
53512 + ++n;
53513 + }
53514 +
53515 + if (*n == '\0')
53516 + return 0;
53517 +
53518 + if (*n == '/')
53519 + return 0;
53520 +
53521 + return 1;
53522 +}
53523 +
53524 +static struct acl_object_label *
53525 +chk_glob_label(struct acl_object_label *globbed,
53526 + struct dentry *dentry, struct vfsmount *mnt, char **path)
53527 +{
53528 + struct acl_object_label *tmp;
53529 +
53530 + if (*path == NULL)
53531 + *path = gr_to_filename_nolock(dentry, mnt);
53532 +
53533 + tmp = globbed;
53534 +
53535 + while (tmp) {
53536 + if (!glob_match(tmp->filename, *path))
53537 + return tmp;
53538 + tmp = tmp->next;
53539 + }
53540 +
53541 + return NULL;
53542 +}
53543 +
53544 +static struct acl_object_label *
53545 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53546 + const ino_t curr_ino, const dev_t curr_dev,
53547 + const struct acl_subject_label *subj, char **path, const int checkglob)
53548 +{
53549 + struct acl_subject_label *tmpsubj;
53550 + struct acl_object_label *retval;
53551 + struct acl_object_label *retval2;
53552 +
53553 + tmpsubj = (struct acl_subject_label *) subj;
53554 + read_lock(&gr_inode_lock);
53555 + do {
53556 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
53557 + if (retval) {
53558 + if (checkglob && retval->globbed) {
53559 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
53560 + (struct vfsmount *)orig_mnt, path);
53561 + if (retval2)
53562 + retval = retval2;
53563 + }
53564 + break;
53565 + }
53566 + } while ((tmpsubj = tmpsubj->parent_subject));
53567 + read_unlock(&gr_inode_lock);
53568 +
53569 + return retval;
53570 +}
53571 +
53572 +static __inline__ struct acl_object_label *
53573 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
53574 + struct dentry *curr_dentry,
53575 + const struct acl_subject_label *subj, char **path, const int checkglob)
53576 +{
53577 + int newglob = checkglob;
53578 + ino_t inode;
53579 + dev_t device;
53580 +
53581 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
53582 + as we don't want a / * rule to match instead of the / object
53583 + don't do this for create lookups that call this function though, since they're looking up
53584 + on the parent and thus need globbing checks on all paths
53585 + */
53586 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
53587 + newglob = GR_NO_GLOB;
53588 +
53589 + spin_lock(&curr_dentry->d_lock);
53590 + inode = curr_dentry->d_inode->i_ino;
53591 + device = __get_dev(curr_dentry);
53592 + spin_unlock(&curr_dentry->d_lock);
53593 +
53594 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
53595 +}
53596 +
53597 +static struct acl_object_label *
53598 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53599 + const struct acl_subject_label *subj, char *path, const int checkglob)
53600 +{
53601 + struct dentry *dentry = (struct dentry *) l_dentry;
53602 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53603 + struct acl_object_label *retval;
53604 + struct dentry *parent;
53605 +
53606 + write_seqlock(&rename_lock);
53607 + br_read_lock(vfsmount_lock);
53608 +
53609 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
53610 +#ifdef CONFIG_NET
53611 + mnt == sock_mnt ||
53612 +#endif
53613 +#ifdef CONFIG_HUGETLBFS
53614 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
53615 +#endif
53616 + /* ignore Eric Biederman */
53617 + IS_PRIVATE(l_dentry->d_inode))) {
53618 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
53619 + goto out;
53620 + }
53621 +
53622 + for (;;) {
53623 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53624 + break;
53625 +
53626 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53627 + if (mnt->mnt_parent == mnt)
53628 + break;
53629 +
53630 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53631 + if (retval != NULL)
53632 + goto out;
53633 +
53634 + dentry = mnt->mnt_mountpoint;
53635 + mnt = mnt->mnt_parent;
53636 + continue;
53637 + }
53638 +
53639 + parent = dentry->d_parent;
53640 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53641 + if (retval != NULL)
53642 + goto out;
53643 +
53644 + dentry = parent;
53645 + }
53646 +
53647 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
53648 +
53649 + /* real_root is pinned so we don't have to hold a reference */
53650 + if (retval == NULL)
53651 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
53652 +out:
53653 + br_read_unlock(vfsmount_lock);
53654 + write_sequnlock(&rename_lock);
53655 +
53656 + BUG_ON(retval == NULL);
53657 +
53658 + return retval;
53659 +}
53660 +
53661 +static __inline__ struct acl_object_label *
53662 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53663 + const struct acl_subject_label *subj)
53664 +{
53665 + char *path = NULL;
53666 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
53667 +}
53668 +
53669 +static __inline__ struct acl_object_label *
53670 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53671 + const struct acl_subject_label *subj)
53672 +{
53673 + char *path = NULL;
53674 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
53675 +}
53676 +
53677 +static __inline__ struct acl_object_label *
53678 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53679 + const struct acl_subject_label *subj, char *path)
53680 +{
53681 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
53682 +}
53683 +
53684 +static struct acl_subject_label *
53685 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
53686 + const struct acl_role_label *role)
53687 +{
53688 + struct dentry *dentry = (struct dentry *) l_dentry;
53689 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
53690 + struct acl_subject_label *retval;
53691 + struct dentry *parent;
53692 +
53693 + write_seqlock(&rename_lock);
53694 + br_read_lock(vfsmount_lock);
53695 +
53696 + for (;;) {
53697 + if (dentry == real_root.dentry && mnt == real_root.mnt)
53698 + break;
53699 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
53700 + if (mnt->mnt_parent == mnt)
53701 + break;
53702 +
53703 + spin_lock(&dentry->d_lock);
53704 + read_lock(&gr_inode_lock);
53705 + retval =
53706 + lookup_acl_subj_label(dentry->d_inode->i_ino,
53707 + __get_dev(dentry), role);
53708 + read_unlock(&gr_inode_lock);
53709 + spin_unlock(&dentry->d_lock);
53710 + if (retval != NULL)
53711 + goto out;
53712 +
53713 + dentry = mnt->mnt_mountpoint;
53714 + mnt = mnt->mnt_parent;
53715 + continue;
53716 + }
53717 +
53718 + spin_lock(&dentry->d_lock);
53719 + read_lock(&gr_inode_lock);
53720 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53721 + __get_dev(dentry), role);
53722 + read_unlock(&gr_inode_lock);
53723 + parent = dentry->d_parent;
53724 + spin_unlock(&dentry->d_lock);
53725 +
53726 + if (retval != NULL)
53727 + goto out;
53728 +
53729 + dentry = parent;
53730 + }
53731 +
53732 + spin_lock(&dentry->d_lock);
53733 + read_lock(&gr_inode_lock);
53734 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
53735 + __get_dev(dentry), role);
53736 + read_unlock(&gr_inode_lock);
53737 + spin_unlock(&dentry->d_lock);
53738 +
53739 + if (unlikely(retval == NULL)) {
53740 + /* real_root is pinned, we don't need to hold a reference */
53741 + read_lock(&gr_inode_lock);
53742 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
53743 + __get_dev(real_root.dentry), role);
53744 + read_unlock(&gr_inode_lock);
53745 + }
53746 +out:
53747 + br_read_unlock(vfsmount_lock);
53748 + write_sequnlock(&rename_lock);
53749 +
53750 + BUG_ON(retval == NULL);
53751 +
53752 + return retval;
53753 +}
53754 +
53755 +static void
53756 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
53757 +{
53758 + struct task_struct *task = current;
53759 + const struct cred *cred = current_cred();
53760 +
53761 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53762 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53763 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53764 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
53765 +
53766 + return;
53767 +}
53768 +
53769 +static void
53770 +gr_log_learn_sysctl(const char *path, const __u32 mode)
53771 +{
53772 + struct task_struct *task = current;
53773 + const struct cred *cred = current_cred();
53774 +
53775 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
53776 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53777 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53778 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
53779 +
53780 + return;
53781 +}
53782 +
53783 +static void
53784 +gr_log_learn_id_change(const char type, const unsigned int real,
53785 + const unsigned int effective, const unsigned int fs)
53786 +{
53787 + struct task_struct *task = current;
53788 + const struct cred *cred = current_cred();
53789 +
53790 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
53791 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
53792 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
53793 + type, real, effective, fs, &task->signal->saved_ip);
53794 +
53795 + return;
53796 +}
53797 +
53798 +__u32
53799 +gr_check_link(const struct dentry * new_dentry,
53800 + const struct dentry * parent_dentry,
53801 + const struct vfsmount * parent_mnt,
53802 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
53803 +{
53804 + struct acl_object_label *obj;
53805 + __u32 oldmode, newmode;
53806 + __u32 needmode;
53807 +
53808 + if (unlikely(!(gr_status & GR_READY)))
53809 + return (GR_CREATE | GR_LINK);
53810 +
53811 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
53812 + oldmode = obj->mode;
53813 +
53814 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53815 + oldmode |= (GR_CREATE | GR_LINK);
53816 +
53817 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
53818 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53819 + needmode |= GR_SETID | GR_AUDIT_SETID;
53820 +
53821 + newmode =
53822 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53823 + oldmode | needmode);
53824 +
53825 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
53826 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
53827 + GR_INHERIT | GR_AUDIT_INHERIT);
53828 +
53829 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
53830 + goto bad;
53831 +
53832 + if ((oldmode & needmode) != needmode)
53833 + goto bad;
53834 +
53835 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
53836 + if ((newmode & needmode) != needmode)
53837 + goto bad;
53838 +
53839 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
53840 + return newmode;
53841 +bad:
53842 + needmode = oldmode;
53843 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
53844 + needmode |= GR_SETID;
53845 +
53846 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53847 + gr_log_learn(old_dentry, old_mnt, needmode);
53848 + return (GR_CREATE | GR_LINK);
53849 + } else if (newmode & GR_SUPPRESS)
53850 + return GR_SUPPRESS;
53851 + else
53852 + return 0;
53853 +}
53854 +
53855 +__u32
53856 +gr_search_file(const struct dentry * dentry, const __u32 mode,
53857 + const struct vfsmount * mnt)
53858 +{
53859 + __u32 retval = mode;
53860 + struct acl_subject_label *curracl;
53861 + struct acl_object_label *currobj;
53862 +
53863 + if (unlikely(!(gr_status & GR_READY)))
53864 + return (mode & ~GR_AUDITS);
53865 +
53866 + curracl = current->acl;
53867 +
53868 + currobj = chk_obj_label(dentry, mnt, curracl);
53869 + retval = currobj->mode & mode;
53870 +
53871 + /* if we're opening a specified transfer file for writing
53872 + (e.g. /dev/initctl), then transfer our role to init
53873 + */
53874 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
53875 + current->role->roletype & GR_ROLE_PERSIST)) {
53876 + struct task_struct *task = init_pid_ns.child_reaper;
53877 +
53878 + if (task->role != current->role) {
53879 + task->acl_sp_role = 0;
53880 + task->acl_role_id = current->acl_role_id;
53881 + task->role = current->role;
53882 + rcu_read_lock();
53883 + read_lock(&grsec_exec_file_lock);
53884 + gr_apply_subject_to_task(task);
53885 + read_unlock(&grsec_exec_file_lock);
53886 + rcu_read_unlock();
53887 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
53888 + }
53889 + }
53890 +
53891 + if (unlikely
53892 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
53893 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
53894 + __u32 new_mode = mode;
53895 +
53896 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53897 +
53898 + retval = new_mode;
53899 +
53900 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
53901 + new_mode |= GR_INHERIT;
53902 +
53903 + if (!(mode & GR_NOLEARN))
53904 + gr_log_learn(dentry, mnt, new_mode);
53905 + }
53906 +
53907 + return retval;
53908 +}
53909 +
53910 +__u32
53911 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
53912 + const struct vfsmount * mnt, const __u32 mode)
53913 +{
53914 + struct name_entry *match;
53915 + struct acl_object_label *matchpo;
53916 + struct acl_subject_label *curracl;
53917 + char *path;
53918 + __u32 retval;
53919 +
53920 + if (unlikely(!(gr_status & GR_READY)))
53921 + return (mode & ~GR_AUDITS);
53922 +
53923 + preempt_disable();
53924 + path = gr_to_filename_rbac(new_dentry, mnt);
53925 + match = lookup_name_entry_create(path);
53926 +
53927 + if (!match)
53928 + goto check_parent;
53929 +
53930 + curracl = current->acl;
53931 +
53932 + read_lock(&gr_inode_lock);
53933 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
53934 + read_unlock(&gr_inode_lock);
53935 +
53936 + if (matchpo) {
53937 + if ((matchpo->mode & mode) !=
53938 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
53939 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
53940 + __u32 new_mode = mode;
53941 +
53942 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53943 +
53944 + gr_log_learn(new_dentry, mnt, new_mode);
53945 +
53946 + preempt_enable();
53947 + return new_mode;
53948 + }
53949 + preempt_enable();
53950 + return (matchpo->mode & mode);
53951 + }
53952 +
53953 + check_parent:
53954 + curracl = current->acl;
53955 +
53956 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
53957 + retval = matchpo->mode & mode;
53958 +
53959 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
53960 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
53961 + __u32 new_mode = mode;
53962 +
53963 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53964 +
53965 + gr_log_learn(new_dentry, mnt, new_mode);
53966 + preempt_enable();
53967 + return new_mode;
53968 + }
53969 +
53970 + preempt_enable();
53971 + return retval;
53972 +}
53973 +
53974 +int
53975 +gr_check_hidden_task(const struct task_struct *task)
53976 +{
53977 + if (unlikely(!(gr_status & GR_READY)))
53978 + return 0;
53979 +
53980 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
53981 + return 1;
53982 +
53983 + return 0;
53984 +}
53985 +
53986 +int
53987 +gr_check_protected_task(const struct task_struct *task)
53988 +{
53989 + if (unlikely(!(gr_status & GR_READY) || !task))
53990 + return 0;
53991 +
53992 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
53993 + task->acl != current->acl)
53994 + return 1;
53995 +
53996 + return 0;
53997 +}
53998 +
53999 +int
54000 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
54001 +{
54002 + struct task_struct *p;
54003 + int ret = 0;
54004 +
54005 + if (unlikely(!(gr_status & GR_READY) || !pid))
54006 + return ret;
54007 +
54008 + read_lock(&tasklist_lock);
54009 + do_each_pid_task(pid, type, p) {
54010 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54011 + p->acl != current->acl) {
54012 + ret = 1;
54013 + goto out;
54014 + }
54015 + } while_each_pid_task(pid, type, p);
54016 +out:
54017 + read_unlock(&tasklist_lock);
54018 +
54019 + return ret;
54020 +}
54021 +
54022 +void
54023 +gr_copy_label(struct task_struct *tsk)
54024 +{
54025 + tsk->signal->used_accept = 0;
54026 + tsk->acl_sp_role = 0;
54027 + tsk->acl_role_id = current->acl_role_id;
54028 + tsk->acl = current->acl;
54029 + tsk->role = current->role;
54030 + tsk->signal->curr_ip = current->signal->curr_ip;
54031 + tsk->signal->saved_ip = current->signal->saved_ip;
54032 + if (current->exec_file)
54033 + get_file(current->exec_file);
54034 + tsk->exec_file = current->exec_file;
54035 + tsk->is_writable = current->is_writable;
54036 + if (unlikely(current->signal->used_accept)) {
54037 + current->signal->curr_ip = 0;
54038 + current->signal->saved_ip = 0;
54039 + }
54040 +
54041 + return;
54042 +}
54043 +
54044 +static void
54045 +gr_set_proc_res(struct task_struct *task)
54046 +{
54047 + struct acl_subject_label *proc;
54048 + unsigned short i;
54049 +
54050 + proc = task->acl;
54051 +
54052 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54053 + return;
54054 +
54055 + for (i = 0; i < RLIM_NLIMITS; i++) {
54056 + if (!(proc->resmask & (1 << i)))
54057 + continue;
54058 +
54059 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54060 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54061 + }
54062 +
54063 + return;
54064 +}
54065 +
54066 +extern int __gr_process_user_ban(struct user_struct *user);
54067 +
54068 +int
54069 +gr_check_user_change(int real, int effective, int fs)
54070 +{
54071 + unsigned int i;
54072 + __u16 num;
54073 + uid_t *uidlist;
54074 + int curuid;
54075 + int realok = 0;
54076 + int effectiveok = 0;
54077 + int fsok = 0;
54078 +
54079 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54080 + struct user_struct *user;
54081 +
54082 + if (real == -1)
54083 + goto skipit;
54084 +
54085 + user = find_user(real);
54086 + if (user == NULL)
54087 + goto skipit;
54088 +
54089 + if (__gr_process_user_ban(user)) {
54090 + /* for find_user */
54091 + free_uid(user);
54092 + return 1;
54093 + }
54094 +
54095 + /* for find_user */
54096 + free_uid(user);
54097 +
54098 +skipit:
54099 +#endif
54100 +
54101 + if (unlikely(!(gr_status & GR_READY)))
54102 + return 0;
54103 +
54104 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54105 + gr_log_learn_id_change('u', real, effective, fs);
54106 +
54107 + num = current->acl->user_trans_num;
54108 + uidlist = current->acl->user_transitions;
54109 +
54110 + if (uidlist == NULL)
54111 + return 0;
54112 +
54113 + if (real == -1)
54114 + realok = 1;
54115 + if (effective == -1)
54116 + effectiveok = 1;
54117 + if (fs == -1)
54118 + fsok = 1;
54119 +
54120 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
54121 + for (i = 0; i < num; i++) {
54122 + curuid = (int)uidlist[i];
54123 + if (real == curuid)
54124 + realok = 1;
54125 + if (effective == curuid)
54126 + effectiveok = 1;
54127 + if (fs == curuid)
54128 + fsok = 1;
54129 + }
54130 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
54131 + for (i = 0; i < num; i++) {
54132 + curuid = (int)uidlist[i];
54133 + if (real == curuid)
54134 + break;
54135 + if (effective == curuid)
54136 + break;
54137 + if (fs == curuid)
54138 + break;
54139 + }
54140 + /* not in deny list */
54141 + if (i == num) {
54142 + realok = 1;
54143 + effectiveok = 1;
54144 + fsok = 1;
54145 + }
54146 + }
54147 +
54148 + if (realok && effectiveok && fsok)
54149 + return 0;
54150 + else {
54151 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54152 + return 1;
54153 + }
54154 +}
54155 +
54156 +int
54157 +gr_check_group_change(int real, int effective, int fs)
54158 +{
54159 + unsigned int i;
54160 + __u16 num;
54161 + gid_t *gidlist;
54162 + int curgid;
54163 + int realok = 0;
54164 + int effectiveok = 0;
54165 + int fsok = 0;
54166 +
54167 + if (unlikely(!(gr_status & GR_READY)))
54168 + return 0;
54169 +
54170 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54171 + gr_log_learn_id_change('g', real, effective, fs);
54172 +
54173 + num = current->acl->group_trans_num;
54174 + gidlist = current->acl->group_transitions;
54175 +
54176 + if (gidlist == NULL)
54177 + return 0;
54178 +
54179 + if (real == -1)
54180 + realok = 1;
54181 + if (effective == -1)
54182 + effectiveok = 1;
54183 + if (fs == -1)
54184 + fsok = 1;
54185 +
54186 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
54187 + for (i = 0; i < num; i++) {
54188 + curgid = (int)gidlist[i];
54189 + if (real == curgid)
54190 + realok = 1;
54191 + if (effective == curgid)
54192 + effectiveok = 1;
54193 + if (fs == curgid)
54194 + fsok = 1;
54195 + }
54196 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
54197 + for (i = 0; i < num; i++) {
54198 + curgid = (int)gidlist[i];
54199 + if (real == curgid)
54200 + break;
54201 + if (effective == curgid)
54202 + break;
54203 + if (fs == curgid)
54204 + break;
54205 + }
54206 + /* not in deny list */
54207 + if (i == num) {
54208 + realok = 1;
54209 + effectiveok = 1;
54210 + fsok = 1;
54211 + }
54212 + }
54213 +
54214 + if (realok && effectiveok && fsok)
54215 + return 0;
54216 + else {
54217 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54218 + return 1;
54219 + }
54220 +}
54221 +
54222 +void
54223 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54224 +{
54225 + struct acl_role_label *role = task->role;
54226 + struct acl_subject_label *subj = NULL;
54227 + struct acl_object_label *obj;
54228 + struct file *filp;
54229 +
54230 + if (unlikely(!(gr_status & GR_READY)))
54231 + return;
54232 +
54233 + filp = task->exec_file;
54234 +
54235 + /* kernel process, we'll give them the kernel role */
54236 + if (unlikely(!filp)) {
54237 + task->role = kernel_role;
54238 + task->acl = kernel_role->root_label;
54239 + return;
54240 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54241 + role = lookup_acl_role_label(task, uid, gid);
54242 +
54243 + /* perform subject lookup in possibly new role
54244 + we can use this result below in the case where role == task->role
54245 + */
54246 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54247 +
54248 + /* if we changed uid/gid, but result in the same role
54249 + and are using inheritance, don't lose the inherited subject
54250 + if current subject is other than what normal lookup
54251 + would result in, we arrived via inheritance, don't
54252 + lose subject
54253 + */
54254 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54255 + (subj == task->acl)))
54256 + task->acl = subj;
54257 +
54258 + task->role = role;
54259 +
54260 + task->is_writable = 0;
54261 +
54262 + /* ignore additional mmap checks for processes that are writable
54263 + by the default ACL */
54264 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54265 + if (unlikely(obj->mode & GR_WRITE))
54266 + task->is_writable = 1;
54267 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54268 + if (unlikely(obj->mode & GR_WRITE))
54269 + task->is_writable = 1;
54270 +
54271 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54272 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54273 +#endif
54274 +
54275 + gr_set_proc_res(task);
54276 +
54277 + return;
54278 +}
54279 +
54280 +int
54281 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54282 + const int unsafe_share)
54283 +{
54284 + struct task_struct *task = current;
54285 + struct acl_subject_label *newacl;
54286 + struct acl_object_label *obj;
54287 + __u32 retmode;
54288 +
54289 + if (unlikely(!(gr_status & GR_READY)))
54290 + return 0;
54291 +
54292 + newacl = chk_subj_label(dentry, mnt, task->role);
54293 +
54294 + task_lock(task);
54295 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54296 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54297 + !(task->role->roletype & GR_ROLE_GOD) &&
54298 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54299 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54300 + task_unlock(task);
54301 + if (unsafe_share)
54302 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54303 + else
54304 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54305 + return -EACCES;
54306 + }
54307 + task_unlock(task);
54308 +
54309 + obj = chk_obj_label(dentry, mnt, task->acl);
54310 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54311 +
54312 + if (!(task->acl->mode & GR_INHERITLEARN) &&
54313 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54314 + if (obj->nested)
54315 + task->acl = obj->nested;
54316 + else
54317 + task->acl = newacl;
54318 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54319 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54320 +
54321 + task->is_writable = 0;
54322 +
54323 + /* ignore additional mmap checks for processes that are writable
54324 + by the default ACL */
54325 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
54326 + if (unlikely(obj->mode & GR_WRITE))
54327 + task->is_writable = 1;
54328 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
54329 + if (unlikely(obj->mode & GR_WRITE))
54330 + task->is_writable = 1;
54331 +
54332 + gr_set_proc_res(task);
54333 +
54334 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54335 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54336 +#endif
54337 + return 0;
54338 +}
54339 +
54340 +/* always called with valid inodev ptr */
54341 +static void
54342 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54343 +{
54344 + struct acl_object_label *matchpo;
54345 + struct acl_subject_label *matchps;
54346 + struct acl_subject_label *subj;
54347 + struct acl_role_label *role;
54348 + unsigned int x;
54349 +
54350 + FOR_EACH_ROLE_START(role)
54351 + FOR_EACH_SUBJECT_START(role, subj, x)
54352 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54353 + matchpo->mode |= GR_DELETED;
54354 + FOR_EACH_SUBJECT_END(subj,x)
54355 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54356 + if (subj->inode == ino && subj->device == dev)
54357 + subj->mode |= GR_DELETED;
54358 + FOR_EACH_NESTED_SUBJECT_END(subj)
54359 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54360 + matchps->mode |= GR_DELETED;
54361 + FOR_EACH_ROLE_END(role)
54362 +
54363 + inodev->nentry->deleted = 1;
54364 +
54365 + return;
54366 +}
54367 +
54368 +void
54369 +gr_handle_delete(const ino_t ino, const dev_t dev)
54370 +{
54371 + struct inodev_entry *inodev;
54372 +
54373 + if (unlikely(!(gr_status & GR_READY)))
54374 + return;
54375 +
54376 + write_lock(&gr_inode_lock);
54377 + inodev = lookup_inodev_entry(ino, dev);
54378 + if (inodev != NULL)
54379 + do_handle_delete(inodev, ino, dev);
54380 + write_unlock(&gr_inode_lock);
54381 +
54382 + return;
54383 +}
54384 +
54385 +static void
54386 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54387 + const ino_t newinode, const dev_t newdevice,
54388 + struct acl_subject_label *subj)
54389 +{
54390 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54391 + struct acl_object_label *match;
54392 +
54393 + match = subj->obj_hash[index];
54394 +
54395 + while (match && (match->inode != oldinode ||
54396 + match->device != olddevice ||
54397 + !(match->mode & GR_DELETED)))
54398 + match = match->next;
54399 +
54400 + if (match && (match->inode == oldinode)
54401 + && (match->device == olddevice)
54402 + && (match->mode & GR_DELETED)) {
54403 + if (match->prev == NULL) {
54404 + subj->obj_hash[index] = match->next;
54405 + if (match->next != NULL)
54406 + match->next->prev = NULL;
54407 + } else {
54408 + match->prev->next = match->next;
54409 + if (match->next != NULL)
54410 + match->next->prev = match->prev;
54411 + }
54412 + match->prev = NULL;
54413 + match->next = NULL;
54414 + match->inode = newinode;
54415 + match->device = newdevice;
54416 + match->mode &= ~GR_DELETED;
54417 +
54418 + insert_acl_obj_label(match, subj);
54419 + }
54420 +
54421 + return;
54422 +}
54423 +
54424 +static void
54425 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54426 + const ino_t newinode, const dev_t newdevice,
54427 + struct acl_role_label *role)
54428 +{
54429 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54430 + struct acl_subject_label *match;
54431 +
54432 + match = role->subj_hash[index];
54433 +
54434 + while (match && (match->inode != oldinode ||
54435 + match->device != olddevice ||
54436 + !(match->mode & GR_DELETED)))
54437 + match = match->next;
54438 +
54439 + if (match && (match->inode == oldinode)
54440 + && (match->device == olddevice)
54441 + && (match->mode & GR_DELETED)) {
54442 + if (match->prev == NULL) {
54443 + role->subj_hash[index] = match->next;
54444 + if (match->next != NULL)
54445 + match->next->prev = NULL;
54446 + } else {
54447 + match->prev->next = match->next;
54448 + if (match->next != NULL)
54449 + match->next->prev = match->prev;
54450 + }
54451 + match->prev = NULL;
54452 + match->next = NULL;
54453 + match->inode = newinode;
54454 + match->device = newdevice;
54455 + match->mode &= ~GR_DELETED;
54456 +
54457 + insert_acl_subj_label(match, role);
54458 + }
54459 +
54460 + return;
54461 +}
54462 +
54463 +static void
54464 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54465 + const ino_t newinode, const dev_t newdevice)
54466 +{
54467 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54468 + struct inodev_entry *match;
54469 +
54470 + match = inodev_set.i_hash[index];
54471 +
54472 + while (match && (match->nentry->inode != oldinode ||
54473 + match->nentry->device != olddevice || !match->nentry->deleted))
54474 + match = match->next;
54475 +
54476 + if (match && (match->nentry->inode == oldinode)
54477 + && (match->nentry->device == olddevice) &&
54478 + match->nentry->deleted) {
54479 + if (match->prev == NULL) {
54480 + inodev_set.i_hash[index] = match->next;
54481 + if (match->next != NULL)
54482 + match->next->prev = NULL;
54483 + } else {
54484 + match->prev->next = match->next;
54485 + if (match->next != NULL)
54486 + match->next->prev = match->prev;
54487 + }
54488 + match->prev = NULL;
54489 + match->next = NULL;
54490 + match->nentry->inode = newinode;
54491 + match->nentry->device = newdevice;
54492 + match->nentry->deleted = 0;
54493 +
54494 + insert_inodev_entry(match);
54495 + }
54496 +
54497 + return;
54498 +}
54499 +
54500 +static void
54501 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
54502 + const struct vfsmount *mnt)
54503 +{
54504 + struct acl_subject_label *subj;
54505 + struct acl_role_label *role;
54506 + unsigned int x;
54507 + ino_t ino = dentry->d_inode->i_ino;
54508 + dev_t dev = __get_dev(dentry);
54509 +
54510 + FOR_EACH_ROLE_START(role)
54511 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
54512 +
54513 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54514 + if ((subj->inode == ino) && (subj->device == dev)) {
54515 + subj->inode = ino;
54516 + subj->device = dev;
54517 + }
54518 + FOR_EACH_NESTED_SUBJECT_END(subj)
54519 + FOR_EACH_SUBJECT_START(role, subj, x)
54520 + update_acl_obj_label(matchn->inode, matchn->device,
54521 + ino, dev, subj);
54522 + FOR_EACH_SUBJECT_END(subj,x)
54523 + FOR_EACH_ROLE_END(role)
54524 +
54525 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
54526 +
54527 + return;
54528 +}
54529 +
54530 +void
54531 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54532 +{
54533 + struct name_entry *matchn;
54534 +
54535 + if (unlikely(!(gr_status & GR_READY)))
54536 + return;
54537 +
54538 + preempt_disable();
54539 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
54540 +
54541 + if (unlikely((unsigned long)matchn)) {
54542 + write_lock(&gr_inode_lock);
54543 + do_handle_create(matchn, dentry, mnt);
54544 + write_unlock(&gr_inode_lock);
54545 + }
54546 + preempt_enable();
54547 +
54548 + return;
54549 +}
54550 +
54551 +void
54552 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54553 + struct dentry *old_dentry,
54554 + struct dentry *new_dentry,
54555 + struct vfsmount *mnt, const __u8 replace)
54556 +{
54557 + struct name_entry *matchn;
54558 + struct inodev_entry *inodev;
54559 + ino_t old_ino = old_dentry->d_inode->i_ino;
54560 + dev_t old_dev = __get_dev(old_dentry);
54561 +
54562 + /* vfs_rename swaps the name and parent link for old_dentry and
54563 + new_dentry
54564 + at this point, old_dentry has the new name, parent link, and inode
54565 + for the renamed file
54566 + if a file is being replaced by a rename, new_dentry has the inode
54567 + and name for the replaced file
54568 + */
54569 +
54570 + if (unlikely(!(gr_status & GR_READY)))
54571 + return;
54572 +
54573 + preempt_disable();
54574 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
54575 +
54576 + /* we wouldn't have to check d_inode if it weren't for
54577 + NFS silly-renaming
54578 + */
54579 +
54580 + write_lock(&gr_inode_lock);
54581 + if (unlikely(replace && new_dentry->d_inode)) {
54582 + ino_t new_ino = new_dentry->d_inode->i_ino;
54583 + dev_t new_dev = __get_dev(new_dentry);
54584 +
54585 + inodev = lookup_inodev_entry(new_ino, new_dev);
54586 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
54587 + do_handle_delete(inodev, new_ino, new_dev);
54588 + }
54589 +
54590 + inodev = lookup_inodev_entry(old_ino, old_dev);
54591 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
54592 + do_handle_delete(inodev, old_ino, old_dev);
54593 +
54594 + if (unlikely((unsigned long)matchn))
54595 + do_handle_create(matchn, old_dentry, mnt);
54596 +
54597 + write_unlock(&gr_inode_lock);
54598 + preempt_enable();
54599 +
54600 + return;
54601 +}
54602 +
54603 +static int
54604 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
54605 + unsigned char **sum)
54606 +{
54607 + struct acl_role_label *r;
54608 + struct role_allowed_ip *ipp;
54609 + struct role_transition *trans;
54610 + unsigned int i;
54611 + int found = 0;
54612 + u32 curr_ip = current->signal->curr_ip;
54613 +
54614 + current->signal->saved_ip = curr_ip;
54615 +
54616 + /* check transition table */
54617 +
54618 + for (trans = current->role->transitions; trans; trans = trans->next) {
54619 + if (!strcmp(rolename, trans->rolename)) {
54620 + found = 1;
54621 + break;
54622 + }
54623 + }
54624 +
54625 + if (!found)
54626 + return 0;
54627 +
54628 + /* handle special roles that do not require authentication
54629 + and check ip */
54630 +
54631 + FOR_EACH_ROLE_START(r)
54632 + if (!strcmp(rolename, r->rolename) &&
54633 + (r->roletype & GR_ROLE_SPECIAL)) {
54634 + found = 0;
54635 + if (r->allowed_ips != NULL) {
54636 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
54637 + if ((ntohl(curr_ip) & ipp->netmask) ==
54638 + (ntohl(ipp->addr) & ipp->netmask))
54639 + found = 1;
54640 + }
54641 + } else
54642 + found = 2;
54643 + if (!found)
54644 + return 0;
54645 +
54646 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
54647 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
54648 + *salt = NULL;
54649 + *sum = NULL;
54650 + return 1;
54651 + }
54652 + }
54653 + FOR_EACH_ROLE_END(r)
54654 +
54655 + for (i = 0; i < num_sprole_pws; i++) {
54656 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
54657 + *salt = acl_special_roles[i]->salt;
54658 + *sum = acl_special_roles[i]->sum;
54659 + return 1;
54660 + }
54661 + }
54662 +
54663 + return 0;
54664 +}
54665 +
54666 +static void
54667 +assign_special_role(char *rolename)
54668 +{
54669 + struct acl_object_label *obj;
54670 + struct acl_role_label *r;
54671 + struct acl_role_label *assigned = NULL;
54672 + struct task_struct *tsk;
54673 + struct file *filp;
54674 +
54675 + FOR_EACH_ROLE_START(r)
54676 + if (!strcmp(rolename, r->rolename) &&
54677 + (r->roletype & GR_ROLE_SPECIAL)) {
54678 + assigned = r;
54679 + break;
54680 + }
54681 + FOR_EACH_ROLE_END(r)
54682 +
54683 + if (!assigned)
54684 + return;
54685 +
54686 + read_lock(&tasklist_lock);
54687 + read_lock(&grsec_exec_file_lock);
54688 +
54689 + tsk = current->real_parent;
54690 + if (tsk == NULL)
54691 + goto out_unlock;
54692 +
54693 + filp = tsk->exec_file;
54694 + if (filp == NULL)
54695 + goto out_unlock;
54696 +
54697 + tsk->is_writable = 0;
54698 +
54699 + tsk->acl_sp_role = 1;
54700 + tsk->acl_role_id = ++acl_sp_role_value;
54701 + tsk->role = assigned;
54702 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
54703 +
54704 + /* ignore additional mmap checks for processes that are writable
54705 + by the default ACL */
54706 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54707 + if (unlikely(obj->mode & GR_WRITE))
54708 + tsk->is_writable = 1;
54709 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
54710 + if (unlikely(obj->mode & GR_WRITE))
54711 + tsk->is_writable = 1;
54712 +
54713 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54714 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
54715 +#endif
54716 +
54717 +out_unlock:
54718 + read_unlock(&grsec_exec_file_lock);
54719 + read_unlock(&tasklist_lock);
54720 + return;
54721 +}
54722 +
54723 +int gr_check_secure_terminal(struct task_struct *task)
54724 +{
54725 + struct task_struct *p, *p2, *p3;
54726 + struct files_struct *files;
54727 + struct fdtable *fdt;
54728 + struct file *our_file = NULL, *file;
54729 + int i;
54730 +
54731 + if (task->signal->tty == NULL)
54732 + return 1;
54733 +
54734 + files = get_files_struct(task);
54735 + if (files != NULL) {
54736 + rcu_read_lock();
54737 + fdt = files_fdtable(files);
54738 + for (i=0; i < fdt->max_fds; i++) {
54739 + file = fcheck_files(files, i);
54740 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
54741 + get_file(file);
54742 + our_file = file;
54743 + }
54744 + }
54745 + rcu_read_unlock();
54746 + put_files_struct(files);
54747 + }
54748 +
54749 + if (our_file == NULL)
54750 + return 1;
54751 +
54752 + read_lock(&tasklist_lock);
54753 + do_each_thread(p2, p) {
54754 + files = get_files_struct(p);
54755 + if (files == NULL ||
54756 + (p->signal && p->signal->tty == task->signal->tty)) {
54757 + if (files != NULL)
54758 + put_files_struct(files);
54759 + continue;
54760 + }
54761 + rcu_read_lock();
54762 + fdt = files_fdtable(files);
54763 + for (i=0; i < fdt->max_fds; i++) {
54764 + file = fcheck_files(files, i);
54765 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
54766 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
54767 + p3 = task;
54768 + while (p3->pid > 0) {
54769 + if (p3 == p)
54770 + break;
54771 + p3 = p3->real_parent;
54772 + }
54773 + if (p3 == p)
54774 + break;
54775 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
54776 + gr_handle_alertkill(p);
54777 + rcu_read_unlock();
54778 + put_files_struct(files);
54779 + read_unlock(&tasklist_lock);
54780 + fput(our_file);
54781 + return 0;
54782 + }
54783 + }
54784 + rcu_read_unlock();
54785 + put_files_struct(files);
54786 + } while_each_thread(p2, p);
54787 + read_unlock(&tasklist_lock);
54788 +
54789 + fput(our_file);
54790 + return 1;
54791 +}
54792 +
54793 +ssize_t
54794 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
54795 +{
54796 + struct gr_arg_wrapper uwrap;
54797 + unsigned char *sprole_salt = NULL;
54798 + unsigned char *sprole_sum = NULL;
54799 + int error = sizeof (struct gr_arg_wrapper);
54800 + int error2 = 0;
54801 +
54802 + mutex_lock(&gr_dev_mutex);
54803 +
54804 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
54805 + error = -EPERM;
54806 + goto out;
54807 + }
54808 +
54809 + if (count != sizeof (struct gr_arg_wrapper)) {
54810 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
54811 + error = -EINVAL;
54812 + goto out;
54813 + }
54814 +
54815 +
54816 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
54817 + gr_auth_expires = 0;
54818 + gr_auth_attempts = 0;
54819 + }
54820 +
54821 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
54822 + error = -EFAULT;
54823 + goto out;
54824 + }
54825 +
54826 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
54827 + error = -EINVAL;
54828 + goto out;
54829 + }
54830 +
54831 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
54832 + error = -EFAULT;
54833 + goto out;
54834 + }
54835 +
54836 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54837 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54838 + time_after(gr_auth_expires, get_seconds())) {
54839 + error = -EBUSY;
54840 + goto out;
54841 + }
54842 +
54843 + /* if non-root trying to do anything other than use a special role,
54844 + do not attempt authentication, do not count towards authentication
54845 + locking
54846 + */
54847 +
54848 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
54849 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
54850 + current_uid()) {
54851 + error = -EPERM;
54852 + goto out;
54853 + }
54854 +
54855 + /* ensure pw and special role name are null terminated */
54856 +
54857 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
54858 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
54859 +
54860 + /* Okay.
54861 + * We have our enough of the argument structure..(we have yet
54862 + * to copy_from_user the tables themselves) . Copy the tables
54863 + * only if we need them, i.e. for loading operations. */
54864 +
54865 + switch (gr_usermode->mode) {
54866 + case GR_STATUS:
54867 + if (gr_status & GR_READY) {
54868 + error = 1;
54869 + if (!gr_check_secure_terminal(current))
54870 + error = 3;
54871 + } else
54872 + error = 2;
54873 + goto out;
54874 + case GR_SHUTDOWN:
54875 + if ((gr_status & GR_READY)
54876 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54877 + pax_open_kernel();
54878 + gr_status &= ~GR_READY;
54879 + pax_close_kernel();
54880 +
54881 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
54882 + free_variables();
54883 + memset(gr_usermode, 0, sizeof (struct gr_arg));
54884 + memset(gr_system_salt, 0, GR_SALT_LEN);
54885 + memset(gr_system_sum, 0, GR_SHA_LEN);
54886 + } else if (gr_status & GR_READY) {
54887 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
54888 + error = -EPERM;
54889 + } else {
54890 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
54891 + error = -EAGAIN;
54892 + }
54893 + break;
54894 + case GR_ENABLE:
54895 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
54896 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
54897 + else {
54898 + if (gr_status & GR_READY)
54899 + error = -EAGAIN;
54900 + else
54901 + error = error2;
54902 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
54903 + }
54904 + break;
54905 + case GR_RELOAD:
54906 + if (!(gr_status & GR_READY)) {
54907 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
54908 + error = -EAGAIN;
54909 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54910 + preempt_disable();
54911 +
54912 + pax_open_kernel();
54913 + gr_status &= ~GR_READY;
54914 + pax_close_kernel();
54915 +
54916 + free_variables();
54917 + if (!(error2 = gracl_init(gr_usermode))) {
54918 + preempt_enable();
54919 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
54920 + } else {
54921 + preempt_enable();
54922 + error = error2;
54923 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54924 + }
54925 + } else {
54926 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
54927 + error = -EPERM;
54928 + }
54929 + break;
54930 + case GR_SEGVMOD:
54931 + if (unlikely(!(gr_status & GR_READY))) {
54932 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
54933 + error = -EAGAIN;
54934 + break;
54935 + }
54936 +
54937 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
54938 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
54939 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
54940 + struct acl_subject_label *segvacl;
54941 + segvacl =
54942 + lookup_acl_subj_label(gr_usermode->segv_inode,
54943 + gr_usermode->segv_device,
54944 + current->role);
54945 + if (segvacl) {
54946 + segvacl->crashes = 0;
54947 + segvacl->expires = 0;
54948 + }
54949 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
54950 + gr_remove_uid(gr_usermode->segv_uid);
54951 + }
54952 + } else {
54953 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
54954 + error = -EPERM;
54955 + }
54956 + break;
54957 + case GR_SPROLE:
54958 + case GR_SPROLEPAM:
54959 + if (unlikely(!(gr_status & GR_READY))) {
54960 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
54961 + error = -EAGAIN;
54962 + break;
54963 + }
54964 +
54965 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
54966 + current->role->expires = 0;
54967 + current->role->auth_attempts = 0;
54968 + }
54969 +
54970 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
54971 + time_after(current->role->expires, get_seconds())) {
54972 + error = -EBUSY;
54973 + goto out;
54974 + }
54975 +
54976 + if (lookup_special_role_auth
54977 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
54978 + && ((!sprole_salt && !sprole_sum)
54979 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
54980 + char *p = "";
54981 + assign_special_role(gr_usermode->sp_role);
54982 + read_lock(&tasklist_lock);
54983 + if (current->real_parent)
54984 + p = current->real_parent->role->rolename;
54985 + read_unlock(&tasklist_lock);
54986 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
54987 + p, acl_sp_role_value);
54988 + } else {
54989 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
54990 + error = -EPERM;
54991 + if(!(current->role->auth_attempts++))
54992 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
54993 +
54994 + goto out;
54995 + }
54996 + break;
54997 + case GR_UNSPROLE:
54998 + if (unlikely(!(gr_status & GR_READY))) {
54999 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
55000 + error = -EAGAIN;
55001 + break;
55002 + }
55003 +
55004 + if (current->role->roletype & GR_ROLE_SPECIAL) {
55005 + char *p = "";
55006 + int i = 0;
55007 +
55008 + read_lock(&tasklist_lock);
55009 + if (current->real_parent) {
55010 + p = current->real_parent->role->rolename;
55011 + i = current->real_parent->acl_role_id;
55012 + }
55013 + read_unlock(&tasklist_lock);
55014 +
55015 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
55016 + gr_set_acls(1);
55017 + } else {
55018 + error = -EPERM;
55019 + goto out;
55020 + }
55021 + break;
55022 + default:
55023 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
55024 + error = -EINVAL;
55025 + break;
55026 + }
55027 +
55028 + if (error != -EPERM)
55029 + goto out;
55030 +
55031 + if(!(gr_auth_attempts++))
55032 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55033 +
55034 + out:
55035 + mutex_unlock(&gr_dev_mutex);
55036 + return error;
55037 +}
55038 +
55039 +/* must be called with
55040 + rcu_read_lock();
55041 + read_lock(&tasklist_lock);
55042 + read_lock(&grsec_exec_file_lock);
55043 +*/
55044 +int gr_apply_subject_to_task(struct task_struct *task)
55045 +{
55046 + struct acl_object_label *obj;
55047 + char *tmpname;
55048 + struct acl_subject_label *tmpsubj;
55049 + struct file *filp;
55050 + struct name_entry *nmatch;
55051 +
55052 + filp = task->exec_file;
55053 + if (filp == NULL)
55054 + return 0;
55055 +
55056 + /* the following is to apply the correct subject
55057 + on binaries running when the RBAC system
55058 + is enabled, when the binaries have been
55059 + replaced or deleted since their execution
55060 + -----
55061 + when the RBAC system starts, the inode/dev
55062 + from exec_file will be one the RBAC system
55063 + is unaware of. It only knows the inode/dev
55064 + of the present file on disk, or the absence
55065 + of it.
55066 + */
55067 + preempt_disable();
55068 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55069 +
55070 + nmatch = lookup_name_entry(tmpname);
55071 + preempt_enable();
55072 + tmpsubj = NULL;
55073 + if (nmatch) {
55074 + if (nmatch->deleted)
55075 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55076 + else
55077 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55078 + if (tmpsubj != NULL)
55079 + task->acl = tmpsubj;
55080 + }
55081 + if (tmpsubj == NULL)
55082 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55083 + task->role);
55084 + if (task->acl) {
55085 + task->is_writable = 0;
55086 + /* ignore additional mmap checks for processes that are writable
55087 + by the default ACL */
55088 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55089 + if (unlikely(obj->mode & GR_WRITE))
55090 + task->is_writable = 1;
55091 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55092 + if (unlikely(obj->mode & GR_WRITE))
55093 + task->is_writable = 1;
55094 +
55095 + gr_set_proc_res(task);
55096 +
55097 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55098 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55099 +#endif
55100 + } else {
55101 + return 1;
55102 + }
55103 +
55104 + return 0;
55105 +}
55106 +
55107 +int
55108 +gr_set_acls(const int type)
55109 +{
55110 + struct task_struct *task, *task2;
55111 + struct acl_role_label *role = current->role;
55112 + __u16 acl_role_id = current->acl_role_id;
55113 + const struct cred *cred;
55114 + int ret;
55115 +
55116 + rcu_read_lock();
55117 + read_lock(&tasklist_lock);
55118 + read_lock(&grsec_exec_file_lock);
55119 + do_each_thread(task2, task) {
55120 + /* check to see if we're called from the exit handler,
55121 + if so, only replace ACLs that have inherited the admin
55122 + ACL */
55123 +
55124 + if (type && (task->role != role ||
55125 + task->acl_role_id != acl_role_id))
55126 + continue;
55127 +
55128 + task->acl_role_id = 0;
55129 + task->acl_sp_role = 0;
55130 +
55131 + if (task->exec_file) {
55132 + cred = __task_cred(task);
55133 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55134 + ret = gr_apply_subject_to_task(task);
55135 + if (ret) {
55136 + read_unlock(&grsec_exec_file_lock);
55137 + read_unlock(&tasklist_lock);
55138 + rcu_read_unlock();
55139 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55140 + return ret;
55141 + }
55142 + } else {
55143 + // it's a kernel process
55144 + task->role = kernel_role;
55145 + task->acl = kernel_role->root_label;
55146 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55147 + task->acl->mode &= ~GR_PROCFIND;
55148 +#endif
55149 + }
55150 + } while_each_thread(task2, task);
55151 + read_unlock(&grsec_exec_file_lock);
55152 + read_unlock(&tasklist_lock);
55153 + rcu_read_unlock();
55154 +
55155 + return 0;
55156 +}
55157 +
55158 +void
55159 +gr_learn_resource(const struct task_struct *task,
55160 + const int res, const unsigned long wanted, const int gt)
55161 +{
55162 + struct acl_subject_label *acl;
55163 + const struct cred *cred;
55164 +
55165 + if (unlikely((gr_status & GR_READY) &&
55166 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55167 + goto skip_reslog;
55168 +
55169 +#ifdef CONFIG_GRKERNSEC_RESLOG
55170 + gr_log_resource(task, res, wanted, gt);
55171 +#endif
55172 + skip_reslog:
55173 +
55174 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55175 + return;
55176 +
55177 + acl = task->acl;
55178 +
55179 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55180 + !(acl->resmask & (1 << (unsigned short) res))))
55181 + return;
55182 +
55183 + if (wanted >= acl->res[res].rlim_cur) {
55184 + unsigned long res_add;
55185 +
55186 + res_add = wanted;
55187 + switch (res) {
55188 + case RLIMIT_CPU:
55189 + res_add += GR_RLIM_CPU_BUMP;
55190 + break;
55191 + case RLIMIT_FSIZE:
55192 + res_add += GR_RLIM_FSIZE_BUMP;
55193 + break;
55194 + case RLIMIT_DATA:
55195 + res_add += GR_RLIM_DATA_BUMP;
55196 + break;
55197 + case RLIMIT_STACK:
55198 + res_add += GR_RLIM_STACK_BUMP;
55199 + break;
55200 + case RLIMIT_CORE:
55201 + res_add += GR_RLIM_CORE_BUMP;
55202 + break;
55203 + case RLIMIT_RSS:
55204 + res_add += GR_RLIM_RSS_BUMP;
55205 + break;
55206 + case RLIMIT_NPROC:
55207 + res_add += GR_RLIM_NPROC_BUMP;
55208 + break;
55209 + case RLIMIT_NOFILE:
55210 + res_add += GR_RLIM_NOFILE_BUMP;
55211 + break;
55212 + case RLIMIT_MEMLOCK:
55213 + res_add += GR_RLIM_MEMLOCK_BUMP;
55214 + break;
55215 + case RLIMIT_AS:
55216 + res_add += GR_RLIM_AS_BUMP;
55217 + break;
55218 + case RLIMIT_LOCKS:
55219 + res_add += GR_RLIM_LOCKS_BUMP;
55220 + break;
55221 + case RLIMIT_SIGPENDING:
55222 + res_add += GR_RLIM_SIGPENDING_BUMP;
55223 + break;
55224 + case RLIMIT_MSGQUEUE:
55225 + res_add += GR_RLIM_MSGQUEUE_BUMP;
55226 + break;
55227 + case RLIMIT_NICE:
55228 + res_add += GR_RLIM_NICE_BUMP;
55229 + break;
55230 + case RLIMIT_RTPRIO:
55231 + res_add += GR_RLIM_RTPRIO_BUMP;
55232 + break;
55233 + case RLIMIT_RTTIME:
55234 + res_add += GR_RLIM_RTTIME_BUMP;
55235 + break;
55236 + }
55237 +
55238 + acl->res[res].rlim_cur = res_add;
55239 +
55240 + if (wanted > acl->res[res].rlim_max)
55241 + acl->res[res].rlim_max = res_add;
55242 +
55243 + /* only log the subject filename, since resource logging is supported for
55244 + single-subject learning only */
55245 + rcu_read_lock();
55246 + cred = __task_cred(task);
55247 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55248 + task->role->roletype, cred->uid, cred->gid, acl->filename,
55249 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55250 + "", (unsigned long) res, &task->signal->saved_ip);
55251 + rcu_read_unlock();
55252 + }
55253 +
55254 + return;
55255 +}
55256 +
55257 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55258 +void
55259 +pax_set_initial_flags(struct linux_binprm *bprm)
55260 +{
55261 + struct task_struct *task = current;
55262 + struct acl_subject_label *proc;
55263 + unsigned long flags;
55264 +
55265 + if (unlikely(!(gr_status & GR_READY)))
55266 + return;
55267 +
55268 + flags = pax_get_flags(task);
55269 +
55270 + proc = task->acl;
55271 +
55272 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55273 + flags &= ~MF_PAX_PAGEEXEC;
55274 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55275 + flags &= ~MF_PAX_SEGMEXEC;
55276 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55277 + flags &= ~MF_PAX_RANDMMAP;
55278 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55279 + flags &= ~MF_PAX_EMUTRAMP;
55280 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55281 + flags &= ~MF_PAX_MPROTECT;
55282 +
55283 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55284 + flags |= MF_PAX_PAGEEXEC;
55285 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55286 + flags |= MF_PAX_SEGMEXEC;
55287 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55288 + flags |= MF_PAX_RANDMMAP;
55289 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55290 + flags |= MF_PAX_EMUTRAMP;
55291 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55292 + flags |= MF_PAX_MPROTECT;
55293 +
55294 + pax_set_flags(task, flags);
55295 +
55296 + return;
55297 +}
55298 +#endif
55299 +
55300 +#ifdef CONFIG_SYSCTL
55301 +/* Eric Biederman likes breaking userland ABI and every inode-based security
55302 + system to save 35kb of memory */
55303 +
55304 +/* we modify the passed in filename, but adjust it back before returning */
55305 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55306 +{
55307 + struct name_entry *nmatch;
55308 + char *p, *lastp = NULL;
55309 + struct acl_object_label *obj = NULL, *tmp;
55310 + struct acl_subject_label *tmpsubj;
55311 + char c = '\0';
55312 +
55313 + read_lock(&gr_inode_lock);
55314 +
55315 + p = name + len - 1;
55316 + do {
55317 + nmatch = lookup_name_entry(name);
55318 + if (lastp != NULL)
55319 + *lastp = c;
55320 +
55321 + if (nmatch == NULL)
55322 + goto next_component;
55323 + tmpsubj = current->acl;
55324 + do {
55325 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55326 + if (obj != NULL) {
55327 + tmp = obj->globbed;
55328 + while (tmp) {
55329 + if (!glob_match(tmp->filename, name)) {
55330 + obj = tmp;
55331 + goto found_obj;
55332 + }
55333 + tmp = tmp->next;
55334 + }
55335 + goto found_obj;
55336 + }
55337 + } while ((tmpsubj = tmpsubj->parent_subject));
55338 +next_component:
55339 + /* end case */
55340 + if (p == name)
55341 + break;
55342 +
55343 + while (*p != '/')
55344 + p--;
55345 + if (p == name)
55346 + lastp = p + 1;
55347 + else {
55348 + lastp = p;
55349 + p--;
55350 + }
55351 + c = *lastp;
55352 + *lastp = '\0';
55353 + } while (1);
55354 +found_obj:
55355 + read_unlock(&gr_inode_lock);
55356 + /* obj returned will always be non-null */
55357 + return obj;
55358 +}
55359 +
55360 +/* returns 0 when allowing, non-zero on error
55361 + op of 0 is used for readdir, so we don't log the names of hidden files
55362 +*/
55363 +__u32
55364 +gr_handle_sysctl(const struct ctl_table *table, const int op)
55365 +{
55366 + struct ctl_table *tmp;
55367 + const char *proc_sys = "/proc/sys";
55368 + char *path;
55369 + struct acl_object_label *obj;
55370 + unsigned short len = 0, pos = 0, depth = 0, i;
55371 + __u32 err = 0;
55372 + __u32 mode = 0;
55373 +
55374 + if (unlikely(!(gr_status & GR_READY)))
55375 + return 0;
55376 +
55377 + /* for now, ignore operations on non-sysctl entries if it's not a
55378 + readdir*/
55379 + if (table->child != NULL && op != 0)
55380 + return 0;
55381 +
55382 + mode |= GR_FIND;
55383 + /* it's only a read if it's an entry, read on dirs is for readdir */
55384 + if (op & MAY_READ)
55385 + mode |= GR_READ;
55386 + if (op & MAY_WRITE)
55387 + mode |= GR_WRITE;
55388 +
55389 + preempt_disable();
55390 +
55391 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55392 +
55393 + /* it's only a read/write if it's an actual entry, not a dir
55394 + (which are opened for readdir)
55395 + */
55396 +
55397 + /* convert the requested sysctl entry into a pathname */
55398 +
55399 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55400 + len += strlen(tmp->procname);
55401 + len++;
55402 + depth++;
55403 + }
55404 +
55405 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55406 + /* deny */
55407 + goto out;
55408 + }
55409 +
55410 + memset(path, 0, PAGE_SIZE);
55411 +
55412 + memcpy(path, proc_sys, strlen(proc_sys));
55413 +
55414 + pos += strlen(proc_sys);
55415 +
55416 + for (; depth > 0; depth--) {
55417 + path[pos] = '/';
55418 + pos++;
55419 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55420 + if (depth == i) {
55421 + memcpy(path + pos, tmp->procname,
55422 + strlen(tmp->procname));
55423 + pos += strlen(tmp->procname);
55424 + }
55425 + i++;
55426 + }
55427 + }
55428 +
55429 + obj = gr_lookup_by_name(path, pos);
55430 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55431 +
55432 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55433 + ((err & mode) != mode))) {
55434 + __u32 new_mode = mode;
55435 +
55436 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55437 +
55438 + err = 0;
55439 + gr_log_learn_sysctl(path, new_mode);
55440 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55441 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55442 + err = -ENOENT;
55443 + } else if (!(err & GR_FIND)) {
55444 + err = -ENOENT;
55445 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55446 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
55447 + path, (mode & GR_READ) ? " reading" : "",
55448 + (mode & GR_WRITE) ? " writing" : "");
55449 + err = -EACCES;
55450 + } else if ((err & mode) != mode) {
55451 + err = -EACCES;
55452 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
55453 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
55454 + path, (mode & GR_READ) ? " reading" : "",
55455 + (mode & GR_WRITE) ? " writing" : "");
55456 + err = 0;
55457 + } else
55458 + err = 0;
55459 +
55460 + out:
55461 + preempt_enable();
55462 +
55463 + return err;
55464 +}
55465 +#endif
55466 +
55467 +int
55468 +gr_handle_proc_ptrace(struct task_struct *task)
55469 +{
55470 + struct file *filp;
55471 + struct task_struct *tmp = task;
55472 + struct task_struct *curtemp = current;
55473 + __u32 retmode;
55474 +
55475 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55476 + if (unlikely(!(gr_status & GR_READY)))
55477 + return 0;
55478 +#endif
55479 +
55480 + read_lock(&tasklist_lock);
55481 + read_lock(&grsec_exec_file_lock);
55482 + filp = task->exec_file;
55483 +
55484 + while (tmp->pid > 0) {
55485 + if (tmp == curtemp)
55486 + break;
55487 + tmp = tmp->real_parent;
55488 + }
55489 +
55490 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55491 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
55492 + read_unlock(&grsec_exec_file_lock);
55493 + read_unlock(&tasklist_lock);
55494 + return 1;
55495 + }
55496 +
55497 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55498 + if (!(gr_status & GR_READY)) {
55499 + read_unlock(&grsec_exec_file_lock);
55500 + read_unlock(&tasklist_lock);
55501 + return 0;
55502 + }
55503 +#endif
55504 +
55505 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
55506 + read_unlock(&grsec_exec_file_lock);
55507 + read_unlock(&tasklist_lock);
55508 +
55509 + if (retmode & GR_NOPTRACE)
55510 + return 1;
55511 +
55512 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
55513 + && (current->acl != task->acl || (current->acl != current->role->root_label
55514 + && current->pid != task->pid)))
55515 + return 1;
55516 +
55517 + return 0;
55518 +}
55519 +
55520 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
55521 +{
55522 + if (unlikely(!(gr_status & GR_READY)))
55523 + return;
55524 +
55525 + if (!(current->role->roletype & GR_ROLE_GOD))
55526 + return;
55527 +
55528 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
55529 + p->role->rolename, gr_task_roletype_to_char(p),
55530 + p->acl->filename);
55531 +}
55532 +
55533 +int
55534 +gr_handle_ptrace(struct task_struct *task, const long request)
55535 +{
55536 + struct task_struct *tmp = task;
55537 + struct task_struct *curtemp = current;
55538 + __u32 retmode;
55539 +
55540 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
55541 + if (unlikely(!(gr_status & GR_READY)))
55542 + return 0;
55543 +#endif
55544 +
55545 + read_lock(&tasklist_lock);
55546 + while (tmp->pid > 0) {
55547 + if (tmp == curtemp)
55548 + break;
55549 + tmp = tmp->real_parent;
55550 + }
55551 +
55552 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
55553 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
55554 + read_unlock(&tasklist_lock);
55555 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55556 + return 1;
55557 + }
55558 + read_unlock(&tasklist_lock);
55559 +
55560 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55561 + if (!(gr_status & GR_READY))
55562 + return 0;
55563 +#endif
55564 +
55565 + read_lock(&grsec_exec_file_lock);
55566 + if (unlikely(!task->exec_file)) {
55567 + read_unlock(&grsec_exec_file_lock);
55568 + return 0;
55569 + }
55570 +
55571 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
55572 + read_unlock(&grsec_exec_file_lock);
55573 +
55574 + if (retmode & GR_NOPTRACE) {
55575 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55576 + return 1;
55577 + }
55578 +
55579 + if (retmode & GR_PTRACERD) {
55580 + switch (request) {
55581 + case PTRACE_POKETEXT:
55582 + case PTRACE_POKEDATA:
55583 + case PTRACE_POKEUSR:
55584 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
55585 + case PTRACE_SETREGS:
55586 + case PTRACE_SETFPREGS:
55587 +#endif
55588 +#ifdef CONFIG_X86
55589 + case PTRACE_SETFPXREGS:
55590 +#endif
55591 +#ifdef CONFIG_ALTIVEC
55592 + case PTRACE_SETVRREGS:
55593 +#endif
55594 + return 1;
55595 + default:
55596 + return 0;
55597 + }
55598 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
55599 + !(current->role->roletype & GR_ROLE_GOD) &&
55600 + (current->acl != task->acl)) {
55601 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
55602 + return 1;
55603 + }
55604 +
55605 + return 0;
55606 +}
55607 +
55608 +static int is_writable_mmap(const struct file *filp)
55609 +{
55610 + struct task_struct *task = current;
55611 + struct acl_object_label *obj, *obj2;
55612 +
55613 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
55614 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
55615 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55616 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
55617 + task->role->root_label);
55618 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
55619 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
55620 + return 1;
55621 + }
55622 + }
55623 + return 0;
55624 +}
55625 +
55626 +int
55627 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
55628 +{
55629 + __u32 mode;
55630 +
55631 + if (unlikely(!file || !(prot & PROT_EXEC)))
55632 + return 1;
55633 +
55634 + if (is_writable_mmap(file))
55635 + return 0;
55636 +
55637 + mode =
55638 + gr_search_file(file->f_path.dentry,
55639 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55640 + file->f_path.mnt);
55641 +
55642 + if (!gr_tpe_allow(file))
55643 + return 0;
55644 +
55645 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55646 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55647 + return 0;
55648 + } else if (unlikely(!(mode & GR_EXEC))) {
55649 + return 0;
55650 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55651 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55652 + return 1;
55653 + }
55654 +
55655 + return 1;
55656 +}
55657 +
55658 +int
55659 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55660 +{
55661 + __u32 mode;
55662 +
55663 + if (unlikely(!file || !(prot & PROT_EXEC)))
55664 + return 1;
55665 +
55666 + if (is_writable_mmap(file))
55667 + return 0;
55668 +
55669 + mode =
55670 + gr_search_file(file->f_path.dentry,
55671 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
55672 + file->f_path.mnt);
55673 +
55674 + if (!gr_tpe_allow(file))
55675 + return 0;
55676 +
55677 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
55678 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55679 + return 0;
55680 + } else if (unlikely(!(mode & GR_EXEC))) {
55681 + return 0;
55682 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
55683 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
55684 + return 1;
55685 + }
55686 +
55687 + return 1;
55688 +}
55689 +
55690 +void
55691 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55692 +{
55693 + unsigned long runtime;
55694 + unsigned long cputime;
55695 + unsigned int wday, cday;
55696 + __u8 whr, chr;
55697 + __u8 wmin, cmin;
55698 + __u8 wsec, csec;
55699 + struct timespec timeval;
55700 +
55701 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
55702 + !(task->acl->mode & GR_PROCACCT)))
55703 + return;
55704 +
55705 + do_posix_clock_monotonic_gettime(&timeval);
55706 + runtime = timeval.tv_sec - task->start_time.tv_sec;
55707 + wday = runtime / (3600 * 24);
55708 + runtime -= wday * (3600 * 24);
55709 + whr = runtime / 3600;
55710 + runtime -= whr * 3600;
55711 + wmin = runtime / 60;
55712 + runtime -= wmin * 60;
55713 + wsec = runtime;
55714 +
55715 + cputime = (task->utime + task->stime) / HZ;
55716 + cday = cputime / (3600 * 24);
55717 + cputime -= cday * (3600 * 24);
55718 + chr = cputime / 3600;
55719 + cputime -= chr * 3600;
55720 + cmin = cputime / 60;
55721 + cputime -= cmin * 60;
55722 + csec = cputime;
55723 +
55724 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
55725 +
55726 + return;
55727 +}
55728 +
55729 +void gr_set_kernel_label(struct task_struct *task)
55730 +{
55731 + if (gr_status & GR_READY) {
55732 + task->role = kernel_role;
55733 + task->acl = kernel_role->root_label;
55734 + }
55735 + return;
55736 +}
55737 +
55738 +#ifdef CONFIG_TASKSTATS
55739 +int gr_is_taskstats_denied(int pid)
55740 +{
55741 + struct task_struct *task;
55742 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55743 + const struct cred *cred;
55744 +#endif
55745 + int ret = 0;
55746 +
55747 + /* restrict taskstats viewing to un-chrooted root users
55748 + who have the 'view' subject flag if the RBAC system is enabled
55749 + */
55750 +
55751 + rcu_read_lock();
55752 + read_lock(&tasklist_lock);
55753 + task = find_task_by_vpid(pid);
55754 + if (task) {
55755 +#ifdef CONFIG_GRKERNSEC_CHROOT
55756 + if (proc_is_chrooted(task))
55757 + ret = -EACCES;
55758 +#endif
55759 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55760 + cred = __task_cred(task);
55761 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55762 + if (cred->uid != 0)
55763 + ret = -EACCES;
55764 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55765 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
55766 + ret = -EACCES;
55767 +#endif
55768 +#endif
55769 + if (gr_status & GR_READY) {
55770 + if (!(task->acl->mode & GR_VIEW))
55771 + ret = -EACCES;
55772 + }
55773 + } else
55774 + ret = -ENOENT;
55775 +
55776 + read_unlock(&tasklist_lock);
55777 + rcu_read_unlock();
55778 +
55779 + return ret;
55780 +}
55781 +#endif
55782 +
55783 +/* AUXV entries are filled via a descendant of search_binary_handler
55784 + after we've already applied the subject for the target
55785 +*/
55786 +int gr_acl_enable_at_secure(void)
55787 +{
55788 + if (unlikely(!(gr_status & GR_READY)))
55789 + return 0;
55790 +
55791 + if (current->acl->mode & GR_ATSECURE)
55792 + return 1;
55793 +
55794 + return 0;
55795 +}
55796 +
55797 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
55798 +{
55799 + struct task_struct *task = current;
55800 + struct dentry *dentry = file->f_path.dentry;
55801 + struct vfsmount *mnt = file->f_path.mnt;
55802 + struct acl_object_label *obj, *tmp;
55803 + struct acl_subject_label *subj;
55804 + unsigned int bufsize;
55805 + int is_not_root;
55806 + char *path;
55807 + dev_t dev = __get_dev(dentry);
55808 +
55809 + if (unlikely(!(gr_status & GR_READY)))
55810 + return 1;
55811 +
55812 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55813 + return 1;
55814 +
55815 + /* ignore Eric Biederman */
55816 + if (IS_PRIVATE(dentry->d_inode))
55817 + return 1;
55818 +
55819 + subj = task->acl;
55820 + do {
55821 + obj = lookup_acl_obj_label(ino, dev, subj);
55822 + if (obj != NULL)
55823 + return (obj->mode & GR_FIND) ? 1 : 0;
55824 + } while ((subj = subj->parent_subject));
55825 +
55826 + /* this is purely an optimization since we're looking for an object
55827 + for the directory we're doing a readdir on
55828 + if it's possible for any globbed object to match the entry we're
55829 + filling into the directory, then the object we find here will be
55830 + an anchor point with attached globbed objects
55831 + */
55832 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
55833 + if (obj->globbed == NULL)
55834 + return (obj->mode & GR_FIND) ? 1 : 0;
55835 +
55836 + is_not_root = ((obj->filename[0] == '/') &&
55837 + (obj->filename[1] == '\0')) ? 0 : 1;
55838 + bufsize = PAGE_SIZE - namelen - is_not_root;
55839 +
55840 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
55841 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
55842 + return 1;
55843 +
55844 + preempt_disable();
55845 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
55846 + bufsize);
55847 +
55848 + bufsize = strlen(path);
55849 +
55850 + /* if base is "/", don't append an additional slash */
55851 + if (is_not_root)
55852 + *(path + bufsize) = '/';
55853 + memcpy(path + bufsize + is_not_root, name, namelen);
55854 + *(path + bufsize + namelen + is_not_root) = '\0';
55855 +
55856 + tmp = obj->globbed;
55857 + while (tmp) {
55858 + if (!glob_match(tmp->filename, path)) {
55859 + preempt_enable();
55860 + return (tmp->mode & GR_FIND) ? 1 : 0;
55861 + }
55862 + tmp = tmp->next;
55863 + }
55864 + preempt_enable();
55865 + return (obj->mode & GR_FIND) ? 1 : 0;
55866 +}
55867 +
55868 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
55869 +EXPORT_SYMBOL(gr_acl_is_enabled);
55870 +#endif
55871 +EXPORT_SYMBOL(gr_learn_resource);
55872 +EXPORT_SYMBOL(gr_set_kernel_label);
55873 +#ifdef CONFIG_SECURITY
55874 +EXPORT_SYMBOL(gr_check_user_change);
55875 +EXPORT_SYMBOL(gr_check_group_change);
55876 +#endif
55877 +
55878 diff -urNp linux-2.6.39.3/grsecurity/gracl_cap.c linux-2.6.39.3/grsecurity/gracl_cap.c
55879 --- linux-2.6.39.3/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
55880 +++ linux-2.6.39.3/grsecurity/gracl_cap.c 2011-05-22 19:41:42.000000000 -0400
55881 @@ -0,0 +1,139 @@
55882 +#include <linux/kernel.h>
55883 +#include <linux/module.h>
55884 +#include <linux/sched.h>
55885 +#include <linux/gracl.h>
55886 +#include <linux/grsecurity.h>
55887 +#include <linux/grinternal.h>
55888 +
55889 +static const char *captab_log[] = {
55890 + "CAP_CHOWN",
55891 + "CAP_DAC_OVERRIDE",
55892 + "CAP_DAC_READ_SEARCH",
55893 + "CAP_FOWNER",
55894 + "CAP_FSETID",
55895 + "CAP_KILL",
55896 + "CAP_SETGID",
55897 + "CAP_SETUID",
55898 + "CAP_SETPCAP",
55899 + "CAP_LINUX_IMMUTABLE",
55900 + "CAP_NET_BIND_SERVICE",
55901 + "CAP_NET_BROADCAST",
55902 + "CAP_NET_ADMIN",
55903 + "CAP_NET_RAW",
55904 + "CAP_IPC_LOCK",
55905 + "CAP_IPC_OWNER",
55906 + "CAP_SYS_MODULE",
55907 + "CAP_SYS_RAWIO",
55908 + "CAP_SYS_CHROOT",
55909 + "CAP_SYS_PTRACE",
55910 + "CAP_SYS_PACCT",
55911 + "CAP_SYS_ADMIN",
55912 + "CAP_SYS_BOOT",
55913 + "CAP_SYS_NICE",
55914 + "CAP_SYS_RESOURCE",
55915 + "CAP_SYS_TIME",
55916 + "CAP_SYS_TTY_CONFIG",
55917 + "CAP_MKNOD",
55918 + "CAP_LEASE",
55919 + "CAP_AUDIT_WRITE",
55920 + "CAP_AUDIT_CONTROL",
55921 + "CAP_SETFCAP",
55922 + "CAP_MAC_OVERRIDE",
55923 + "CAP_MAC_ADMIN",
55924 + "CAP_SYSLOG"
55925 +};
55926 +
55927 +EXPORT_SYMBOL(gr_is_capable);
55928 +EXPORT_SYMBOL(gr_is_capable_nolog);
55929 +
55930 +int
55931 +gr_is_capable(const int cap)
55932 +{
55933 + struct task_struct *task = current;
55934 + const struct cred *cred = current_cred();
55935 + struct acl_subject_label *curracl;
55936 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55937 + kernel_cap_t cap_audit = __cap_empty_set;
55938 +
55939 + if (!gr_acl_is_enabled())
55940 + return 1;
55941 +
55942 + curracl = task->acl;
55943 +
55944 + cap_drop = curracl->cap_lower;
55945 + cap_mask = curracl->cap_mask;
55946 + cap_audit = curracl->cap_invert_audit;
55947 +
55948 + while ((curracl = curracl->parent_subject)) {
55949 + /* if the cap isn't specified in the current computed mask but is specified in the
55950 + current level subject, and is lowered in the current level subject, then add
55951 + it to the set of dropped capabilities
55952 + otherwise, add the current level subject's mask to the current computed mask
55953 + */
55954 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
55955 + cap_raise(cap_mask, cap);
55956 + if (cap_raised(curracl->cap_lower, cap))
55957 + cap_raise(cap_drop, cap);
55958 + if (cap_raised(curracl->cap_invert_audit, cap))
55959 + cap_raise(cap_audit, cap);
55960 + }
55961 + }
55962 +
55963 + if (!cap_raised(cap_drop, cap)) {
55964 + if (cap_raised(cap_audit, cap))
55965 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
55966 + return 1;
55967 + }
55968 +
55969 + curracl = task->acl;
55970 +
55971 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
55972 + && cap_raised(cred->cap_effective, cap)) {
55973 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55974 + task->role->roletype, cred->uid,
55975 + cred->gid, task->exec_file ?
55976 + gr_to_filename(task->exec_file->f_path.dentry,
55977 + task->exec_file->f_path.mnt) : curracl->filename,
55978 + curracl->filename, 0UL,
55979 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
55980 + return 1;
55981 + }
55982 +
55983 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
55984 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
55985 + return 0;
55986 +}
55987 +
55988 +int
55989 +gr_is_capable_nolog(const int cap)
55990 +{
55991 + struct acl_subject_label *curracl;
55992 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
55993 +
55994 + if (!gr_acl_is_enabled())
55995 + return 1;
55996 +
55997 + curracl = current->acl;
55998 +
55999 + cap_drop = curracl->cap_lower;
56000 + cap_mask = curracl->cap_mask;
56001 +
56002 + while ((curracl = curracl->parent_subject)) {
56003 + /* if the cap isn't specified in the current computed mask but is specified in the
56004 + current level subject, and is lowered in the current level subject, then add
56005 + it to the set of dropped capabilities
56006 + otherwise, add the current level subject's mask to the current computed mask
56007 + */
56008 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56009 + cap_raise(cap_mask, cap);
56010 + if (cap_raised(curracl->cap_lower, cap))
56011 + cap_raise(cap_drop, cap);
56012 + }
56013 + }
56014 +
56015 + if (!cap_raised(cap_drop, cap))
56016 + return 1;
56017 +
56018 + return 0;
56019 +}
56020 +
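Review bot: In gr_is_capable the audited-allow path calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` without the range check that the denial path at the end of the same function applies before indexing the table. captab_log holds 35 names (through CAP_SYSLOG), so a `cap` outside that range would read past the array when the audit message is built. Whether any caller can pass such a value is not visible in this hunk. Guard both lookups the same way, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, and consider a short comment on captab_log saying it must stay in step with the kernel's capability list.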
56021 diff -urNp linux-2.6.39.3/grsecurity/gracl_fs.c linux-2.6.39.3/grsecurity/gracl_fs.c
56022 --- linux-2.6.39.3/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
56023 +++ linux-2.6.39.3/grsecurity/gracl_fs.c 2011-05-22 19:41:42.000000000 -0400
56024 @@ -0,0 +1,431 @@
56025 +#include <linux/kernel.h>
56026 +#include <linux/sched.h>
56027 +#include <linux/types.h>
56028 +#include <linux/fs.h>
56029 +#include <linux/file.h>
56030 +#include <linux/stat.h>
56031 +#include <linux/grsecurity.h>
56032 +#include <linux/grinternal.h>
56033 +#include <linux/gracl.h>
56034 +
56035 +__u32
56036 +gr_acl_handle_hidden_file(const struct dentry * dentry,
56037 + const struct vfsmount * mnt)
56038 +{
56039 + __u32 mode;
56040 +
56041 + if (unlikely(!dentry->d_inode))
56042 + return GR_FIND;
56043 +
56044 + mode =
56045 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56046 +
56047 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56048 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56049 + return mode;
56050 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56051 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56052 + return 0;
56053 + } else if (unlikely(!(mode & GR_FIND)))
56054 + return 0;
56055 +
56056 + return GR_FIND;
56057 +}
56058 +
56059 +__u32
56060 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56061 + const int fmode)
56062 +{
56063 + __u32 reqmode = GR_FIND;
56064 + __u32 mode;
56065 +
56066 + if (unlikely(!dentry->d_inode))
56067 + return reqmode;
56068 +
56069 + if (unlikely(fmode & O_APPEND))
56070 + reqmode |= GR_APPEND;
56071 + else if (unlikely(fmode & FMODE_WRITE))
56072 + reqmode |= GR_WRITE;
56073 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56074 + reqmode |= GR_READ;
56075 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
56076 + reqmode &= ~GR_READ;
56077 + mode =
56078 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56079 + mnt);
56080 +
56081 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56082 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56083 + reqmode & GR_READ ? " reading" : "",
56084 + reqmode & GR_WRITE ? " writing" : reqmode &
56085 + GR_APPEND ? " appending" : "");
56086 + return reqmode;
56087 + } else
56088 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56089 + {
56090 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56091 + reqmode & GR_READ ? " reading" : "",
56092 + reqmode & GR_WRITE ? " writing" : reqmode &
56093 + GR_APPEND ? " appending" : "");
56094 + return 0;
56095 + } else if (unlikely((mode & reqmode) != reqmode))
56096 + return 0;
56097 +
56098 + return reqmode;
56099 +}
56100 +
56101 +__u32
56102 +gr_acl_handle_creat(const struct dentry * dentry,
56103 + const struct dentry * p_dentry,
56104 + const struct vfsmount * p_mnt, const int fmode,
56105 + const int imode)
56106 +{
56107 + __u32 reqmode = GR_WRITE | GR_CREATE;
56108 + __u32 mode;
56109 +
56110 + if (unlikely(fmode & O_APPEND))
56111 + reqmode |= GR_APPEND;
56112 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56113 + reqmode |= GR_READ;
56114 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
56115 + reqmode |= GR_SETID;
56116 +
56117 + mode =
56118 + gr_check_create(dentry, p_dentry, p_mnt,
56119 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56120 +
56121 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56122 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56123 + reqmode & GR_READ ? " reading" : "",
56124 + reqmode & GR_WRITE ? " writing" : reqmode &
56125 + GR_APPEND ? " appending" : "");
56126 + return reqmode;
56127 + } else
56128 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56129 + {
56130 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56131 + reqmode & GR_READ ? " reading" : "",
56132 + reqmode & GR_WRITE ? " writing" : reqmode &
56133 + GR_APPEND ? " appending" : "");
56134 + return 0;
56135 + } else if (unlikely((mode & reqmode) != reqmode))
56136 + return 0;
56137 +
56138 + return reqmode;
56139 +}
56140 +
56141 +__u32
56142 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56143 + const int fmode)
56144 +{
56145 + __u32 mode, reqmode = GR_FIND;
56146 +
56147 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56148 + reqmode |= GR_EXEC;
56149 + if (fmode & S_IWOTH)
56150 + reqmode |= GR_WRITE;
56151 + if (fmode & S_IROTH)
56152 + reqmode |= GR_READ;
56153 +
56154 + mode =
56155 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56156 + mnt);
56157 +
56158 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56159 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56160 + reqmode & GR_READ ? " reading" : "",
56161 + reqmode & GR_WRITE ? " writing" : "",
56162 + reqmode & GR_EXEC ? " executing" : "");
56163 + return reqmode;
56164 + } else
56165 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56166 + {
56167 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56168 + reqmode & GR_READ ? " reading" : "",
56169 + reqmode & GR_WRITE ? " writing" : "",
56170 + reqmode & GR_EXEC ? " executing" : "");
56171 + return 0;
56172 + } else if (unlikely((mode & reqmode) != reqmode))
56173 + return 0;
56174 +
56175 + return reqmode;
56176 +}
56177 +
56178 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56179 +{
56180 + __u32 mode;
56181 +
56182 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56183 +
56184 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56185 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56186 + return mode;
56187 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56188 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56189 + return 0;
56190 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56191 + return 0;
56192 +
56193 + return (reqmode);
56194 +}
56195 +
56196 +__u32
56197 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56198 +{
56199 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56200 +}
56201 +
56202 +__u32
56203 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56204 +{
56205 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56206 +}
56207 +
56208 +__u32
56209 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56210 +{
56211 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56212 +}
56213 +
56214 +__u32
56215 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56216 +{
56217 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56218 +}
56219 +
56220 +__u32
56221 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56222 + mode_t mode)
56223 +{
56224 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56225 + return 1;
56226 +
56227 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56228 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56229 + GR_FCHMOD_ACL_MSG);
56230 + } else {
56231 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56232 + }
56233 +}
56234 +
56235 +__u32
56236 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56237 + mode_t mode)
56238 +{
56239 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56240 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56241 + GR_CHMOD_ACL_MSG);
56242 + } else {
56243 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56244 + }
56245 +}
56246 +
56247 +__u32
56248 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56249 +{
56250 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56251 +}
56252 +
56253 +__u32
56254 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56255 +{
56256 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56257 +}
56258 +
56259 +__u32
56260 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56261 +{
56262 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56263 +}
56264 +
56265 +__u32
56266 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56267 +{
56268 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56269 + GR_UNIXCONNECT_ACL_MSG);
56270 +}
56271 +
56272 +/* hardlinks require at minimum create permission,
56273 + any additional privilege required is based on the
56274 + privilege of the file being linked to
56275 +*/
56276 +__u32
56277 +gr_acl_handle_link(const struct dentry * new_dentry,
56278 + const struct dentry * parent_dentry,
56279 + const struct vfsmount * parent_mnt,
56280 + const struct dentry * old_dentry,
56281 + const struct vfsmount * old_mnt, const char *to)
56282 +{
56283 + __u32 mode;
56284 + __u32 needmode = GR_CREATE | GR_LINK;
56285 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56286 +
56287 + mode =
56288 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56289 + old_mnt);
56290 +
56291 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56292 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56293 + return mode;
56294 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56295 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56296 + return 0;
56297 + } else if (unlikely((mode & needmode) != needmode))
56298 + return 0;
56299 +
56300 + return 1;
56301 +}
56302 +
56303 +__u32
56304 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56305 + const struct dentry * parent_dentry,
56306 + const struct vfsmount * parent_mnt, const char *from)
56307 +{
56308 + __u32 needmode = GR_WRITE | GR_CREATE;
56309 + __u32 mode;
56310 +
56311 + mode =
56312 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
56313 + GR_CREATE | GR_AUDIT_CREATE |
56314 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56315 +
56316 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56317 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56318 + return mode;
56319 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56320 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56321 + return 0;
56322 + } else if (unlikely((mode & needmode) != needmode))
56323 + return 0;
56324 +
56325 + return (GR_WRITE | GR_CREATE);
56326 +}
56327 +
56328 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56329 +{
56330 + __u32 mode;
56331 +
56332 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56333 +
56334 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56335 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56336 + return mode;
56337 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56338 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56339 + return 0;
56340 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56341 + return 0;
56342 +
56343 + return (reqmode);
56344 +}
56345 +
56346 +__u32
56347 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56348 + const struct dentry * parent_dentry,
56349 + const struct vfsmount * parent_mnt,
56350 + const int mode)
56351 +{
56352 + __u32 reqmode = GR_WRITE | GR_CREATE;
56353 + if (unlikely(mode & (S_ISUID | S_ISGID)))
56354 + reqmode |= GR_SETID;
56355 +
56356 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56357 + reqmode, GR_MKNOD_ACL_MSG);
56358 +}
56359 +
56360 +__u32
56361 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
56362 + const struct dentry *parent_dentry,
56363 + const struct vfsmount *parent_mnt)
56364 +{
56365 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56366 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56367 +}
56368 +
56369 +#define RENAME_CHECK_SUCCESS(old, new) \
56370 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56371 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56372 +
56373 +int
56374 +gr_acl_handle_rename(struct dentry *new_dentry,
56375 + struct dentry *parent_dentry,
56376 + const struct vfsmount *parent_mnt,
56377 + struct dentry *old_dentry,
56378 + struct inode *old_parent_inode,
56379 + struct vfsmount *old_mnt, const char *newname)
56380 +{
56381 + __u32 comp1, comp2;
56382 + int error = 0;
56383 +
56384 + if (unlikely(!gr_acl_is_enabled()))
56385 + return 0;
56386 +
56387 + if (!new_dentry->d_inode) {
56388 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56389 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56390 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56391 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56392 + GR_DELETE | GR_AUDIT_DELETE |
56393 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56394 + GR_SUPPRESS, old_mnt);
56395 + } else {
56396 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56397 + GR_CREATE | GR_DELETE |
56398 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56399 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56400 + GR_SUPPRESS, parent_mnt);
56401 + comp2 =
56402 + gr_search_file(old_dentry,
56403 + GR_READ | GR_WRITE | GR_AUDIT_READ |
56404 + GR_DELETE | GR_AUDIT_DELETE |
56405 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56406 + }
56407 +
56408 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56409 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56410 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56411 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56412 + && !(comp2 & GR_SUPPRESS)) {
56413 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56414 + error = -EACCES;
56415 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56416 + error = -EACCES;
56417 +
56418 + return error;
56419 +}
56420 +
56421 +void
56422 +gr_acl_handle_exit(void)
56423 +{
56424 + u16 id;
56425 + char *rolename;
56426 + struct file *exec_file;
56427 +
56428 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56429 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56430 + id = current->acl_role_id;
56431 + rolename = current->role->rolename;
56432 + gr_set_acls(1);
56433 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56434 + }
56435 +
56436 + write_lock(&grsec_exec_file_lock);
56437 + exec_file = current->exec_file;
56438 + current->exec_file = NULL;
56439 + write_unlock(&grsec_exec_file_lock);
56440 +
56441 + if (exec_file)
56442 + fput(exec_file);
56443 +}
56444 +
56445 +int
56446 +gr_acl_handle_procpidmem(const struct task_struct *task)
56447 +{
56448 + if (unlikely(!gr_acl_is_enabled()))
56449 + return 0;
56450 +
56451 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56452 + return -EACCES;
56453 +
56454 + return 0;
56455 +}
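Review bot: gr_acl_handle_symlink takes its audited-success branch on `mode & GR_WRITE && mode & GR_AUDITS`, while its own denial branches and every sibling handler in this file test the full mask with `(mode & needmode) == needmode`. If gr_check_create can return GR_WRITE plus an audit bit without GR_CREATE (its body is not in this hunk), that result is logged as a success and returned non-zero instead of being denied. The first condition should match the rest: `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`. The function could also delegate to generic_fs_create_handler, as mknod and mkdir do, if the different log helper can be accommodated.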
56456 diff -urNp linux-2.6.39.3/grsecurity/gracl_ip.c linux-2.6.39.3/grsecurity/gracl_ip.c
56457 --- linux-2.6.39.3/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56458 +++ linux-2.6.39.3/grsecurity/gracl_ip.c 2011-05-22 22:47:31.000000000 -0400
56459 @@ -0,0 +1,381 @@
56460 +#include <linux/kernel.h>
56461 +#include <asm/uaccess.h>
56462 +#include <asm/errno.h>
56463 +#include <net/sock.h>
56464 +#include <linux/file.h>
56465 +#include <linux/fs.h>
56466 +#include <linux/net.h>
56467 +#include <linux/in.h>
56468 +#include <linux/skbuff.h>
56469 +#include <linux/ip.h>
56470 +#include <linux/udp.h>
56471 +#include <linux/types.h>
56472 +#include <linux/sched.h>
56473 +#include <linux/netdevice.h>
56474 +#include <linux/inetdevice.h>
56475 +#include <linux/gracl.h>
56476 +#include <linux/grsecurity.h>
56477 +#include <linux/grinternal.h>
56478 +
56479 +#define GR_BIND 0x01
56480 +#define GR_CONNECT 0x02
56481 +#define GR_INVERT 0x04
56482 +#define GR_BINDOVERRIDE 0x08
56483 +#define GR_CONNECTOVERRIDE 0x10
56484 +#define GR_SOCK_FAMILY 0x20
56485 +
56486 +static const char * gr_protocols[IPPROTO_MAX] = {
56487 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
56488 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
56489 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
56490 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
56491 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
56492 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
56493 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
56494 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
56495 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
56496 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
56497 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
56498 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
56499 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
56500 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
56501 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
56502 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
56503 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
56504 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
56505 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
56506 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
56507 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
56508 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
56509 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
56510 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
56511 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
56512 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
56513 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
56514 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
56515 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
56516 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
56517 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
56518 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
56519 + };
56520 +
56521 +static const char * gr_socktypes[SOCK_MAX] = {
56522 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
56523 + "unknown:7", "unknown:8", "unknown:9", "packet"
56524 + };
56525 +
56526 +static const char * gr_sockfamilies[AF_MAX+1] = {
56527 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
56528 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
56529 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
56530 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
56531 + };
56532 +
56533 +const char *
56534 +gr_proto_to_name(unsigned char proto)
56535 +{
56536 + return gr_protocols[proto];
56537 +}
56538 +
56539 +const char *
56540 +gr_socktype_to_name(unsigned char type)
56541 +{
56542 + return gr_socktypes[type];
56543 +}
56544 +
56545 +const char *
56546 +gr_sockfamily_to_name(unsigned char family)
56547 +{
56548 + return gr_sockfamilies[family];
56549 +}
56550 +
56551 +int
56552 +gr_search_socket(const int domain, const int type, const int protocol)
56553 +{
56554 + struct acl_subject_label *curr;
56555 + const struct cred *cred = current_cred();
56556 +
56557 + if (unlikely(!gr_acl_is_enabled()))
56558 + goto exit;
56559 +
56560 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
56561 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
56562 + goto exit; // let the kernel handle it
56563 +
56564 + curr = current->acl;
56565 +
56566 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
56567 + /* the family is allowed, if this is PF_INET allow it only if
56568 + the extra sock type/protocol checks pass */
56569 + if (domain == PF_INET)
56570 + goto inet_check;
56571 + goto exit;
56572 + } else {
56573 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56574 + __u32 fakeip = 0;
56575 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56576 + current->role->roletype, cred->uid,
56577 + cred->gid, current->exec_file ?
56578 + gr_to_filename(current->exec_file->f_path.dentry,
56579 + current->exec_file->f_path.mnt) :
56580 + curr->filename, curr->filename,
56581 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
56582 + &current->signal->saved_ip);
56583 + goto exit;
56584 + }
56585 + goto exit_fail;
56586 + }
56587 +
56588 +inet_check:
56589 + /* the rest of this checking is for IPv4 only */
56590 + if (!curr->ips)
56591 + goto exit;
56592 +
56593 + if ((curr->ip_type & (1 << type)) &&
56594 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
56595 + goto exit;
56596 +
56597 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56598 + /* we don't place acls on raw sockets , and sometimes
56599 + dgram/ip sockets are opened for ioctl and not
56600 + bind/connect, so we'll fake a bind learn log */
56601 + if (type == SOCK_RAW || type == SOCK_PACKET) {
56602 + __u32 fakeip = 0;
56603 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56604 + current->role->roletype, cred->uid,
56605 + cred->gid, current->exec_file ?
56606 + gr_to_filename(current->exec_file->f_path.dentry,
56607 + current->exec_file->f_path.mnt) :
56608 + curr->filename, curr->filename,
56609 + &fakeip, 0, type,
56610 + protocol, GR_CONNECT, &current->signal->saved_ip);
56611 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
56612 + __u32 fakeip = 0;
56613 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56614 + current->role->roletype, cred->uid,
56615 + cred->gid, current->exec_file ?
56616 + gr_to_filename(current->exec_file->f_path.dentry,
56617 + current->exec_file->f_path.mnt) :
56618 + curr->filename, curr->filename,
56619 + &fakeip, 0, type,
56620 + protocol, GR_BIND, &current->signal->saved_ip);
56621 + }
56622 + /* we'll log when they use connect or bind */
56623 + goto exit;
56624 + }
56625 +
56626 +exit_fail:
56627 + if (domain == PF_INET)
56628 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
56629 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
56630 + else
56631 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
56632 + gr_socktype_to_name(type), protocol);
56633 +
56634 + return 0;
56635 +exit:
56636 + return 1;
56637 +}
56638 +
56639 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
56640 +{
56641 + if ((ip->mode & mode) &&
56642 + (ip_port >= ip->low) &&
56643 + (ip_port <= ip->high) &&
56644 + ((ntohl(ip_addr) & our_netmask) ==
56645 + (ntohl(our_addr) & our_netmask))
56646 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
56647 + && (ip->type & (1 << type))) {
56648 + if (ip->mode & GR_INVERT)
56649 + return 2; // specifically denied
56650 + else
56651 + return 1; // allowed
56652 + }
56653 +
56654 + return 0; // not specifically allowed, may continue parsing
56655 +}
56656 +
56657 +static int
56658 +gr_search_connectbind(const int full_mode, struct sock *sk,
56659 + struct sockaddr_in *addr, const int type)
56660 +{
56661 + char iface[IFNAMSIZ] = {0};
56662 + struct acl_subject_label *curr;
56663 + struct acl_ip_label *ip;
56664 + struct inet_sock *isk;
56665 + struct net_device *dev;
56666 + struct in_device *idev;
56667 + unsigned long i;
56668 + int ret;
56669 + int mode = full_mode & (GR_BIND | GR_CONNECT);
56670 + __u32 ip_addr = 0;
56671 + __u32 our_addr;
56672 + __u32 our_netmask;
56673 + char *p;
56674 + __u16 ip_port = 0;
56675 + const struct cred *cred = current_cred();
56676 +
56677 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
56678 + return 0;
56679 +
56680 + curr = current->acl;
56681 + isk = inet_sk(sk);
56682 +
56683 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
56684 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
56685 + addr->sin_addr.s_addr = curr->inaddr_any_override;
56686 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
56687 + struct sockaddr_in saddr;
56688 + int err;
56689 +
56690 + saddr.sin_family = AF_INET;
56691 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
56692 + saddr.sin_port = isk->inet_sport;
56693 +
56694 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56695 + if (err)
56696 + return err;
56697 +
56698 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
56699 + if (err)
56700 + return err;
56701 + }
56702 +
56703 + if (!curr->ips)
56704 + return 0;
56705 +
56706 + ip_addr = addr->sin_addr.s_addr;
56707 + ip_port = ntohs(addr->sin_port);
56708 +
56709 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
56710 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
56711 + current->role->roletype, cred->uid,
56712 + cred->gid, current->exec_file ?
56713 + gr_to_filename(current->exec_file->f_path.dentry,
56714 + current->exec_file->f_path.mnt) :
56715 + curr->filename, curr->filename,
56716 + &ip_addr, ip_port, type,
56717 + sk->sk_protocol, mode, &current->signal->saved_ip);
56718 + return 0;
56719 + }
56720 +
56721 + for (i = 0; i < curr->ip_num; i++) {
56722 + ip = *(curr->ips + i);
56723 + if (ip->iface != NULL) {
56724 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
56725 + p = strchr(iface, ':');
56726 + if (p != NULL)
56727 + *p = '\0';
56728 + dev = dev_get_by_name(sock_net(sk), iface);
56729 + if (dev == NULL)
56730 + continue;
56731 + idev = in_dev_get(dev);
56732 + if (idev == NULL) {
56733 + dev_put(dev);
56734 + continue;
56735 + }
56736 + rcu_read_lock();
56737 + for_ifa(idev) {
56738 + if (!strcmp(ip->iface, ifa->ifa_label)) {
56739 + our_addr = ifa->ifa_address;
56740 + our_netmask = 0xffffffff;
56741 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56742 + if (ret == 1) {
56743 + rcu_read_unlock();
56744 + in_dev_put(idev);
56745 + dev_put(dev);
56746 + return 0;
56747 + } else if (ret == 2) {
56748 + rcu_read_unlock();
56749 + in_dev_put(idev);
56750 + dev_put(dev);
56751 + goto denied;
56752 + }
56753 + }
56754 + } endfor_ifa(idev);
56755 + rcu_read_unlock();
56756 + in_dev_put(idev);
56757 + dev_put(dev);
56758 + } else {
56759 + our_addr = ip->addr;
56760 + our_netmask = ip->netmask;
56761 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
56762 + if (ret == 1)
56763 + return 0;
56764 + else if (ret == 2)
56765 + goto denied;
56766 + }
56767 + }
56768 +
56769 +denied:
56770 + if (mode == GR_BIND)
56771 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56772 + else if (mode == GR_CONNECT)
56773 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
56774 +
56775 + return -EACCES;
56776 +}
56777 +
56778 +int
56779 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
56780 +{
56781 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
56782 +}
56783 +
56784 +int
56785 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
56786 +{
56787 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
56788 +}
56789 +
56790 +int gr_search_listen(struct socket *sock)
56791 +{
56792 + struct sock *sk = sock->sk;
56793 + struct sockaddr_in addr;
56794 +
56795 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56796 + addr.sin_port = inet_sk(sk)->inet_sport;
56797 +
56798 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56799 +}
56800 +
56801 +int gr_search_accept(struct socket *sock)
56802 +{
56803 + struct sock *sk = sock->sk;
56804 + struct sockaddr_in addr;
56805 +
56806 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
56807 + addr.sin_port = inet_sk(sk)->inet_sport;
56808 +
56809 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
56810 +}
56811 +
56812 +int
56813 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
56814 +{
56815 + if (addr)
56816 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
56817 + else {
56818 + struct sockaddr_in sin;
56819 + const struct inet_sock *inet = inet_sk(sk);
56820 +
56821 + sin.sin_addr.s_addr = inet->inet_daddr;
56822 + sin.sin_port = inet->inet_dport;
56823 +
56824 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56825 + }
56826 +}
56827 +
56828 +int
56829 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
56830 +{
56831 + struct sockaddr_in sin;
56832 +
56833 + if (unlikely(skb->len < sizeof (struct udphdr)))
56834 + return 0; // skip this packet
56835 +
56836 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
56837 + sin.sin_port = udp_hdr(skb)->source;
56838 +
56839 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
56840 +}
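Review bot: GR_CONNECTOVERRIDE is defined and passed by gr_search_connect, gr_search_listen, gr_search_accept and two of the UDP call sites, but gr_search_connectbind never tests it: the source-address override is gated on `full_mode & GR_CONNECT`, while the bind side is gated on `full_mode & GR_BINDOVERRIDE`. As written, gr_search_udp_sendmsg with an explicit addr (which passes plain `GR_CONNECT`) still reaches the security_socket_bind()/ops->bind() block whenever inet_saddr is INADDR_ANY and inaddr_any_override is set. If the flag is meant to select that path, the condition should start `if ((full_mode & GR_CONNECTOVERRIDE) && (full_mode & GR_CONNECT) && ...`; if it is not, the flag is dead and should be dropped or explained at its `#define`.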
56841 diff -urNp linux-2.6.39.3/grsecurity/gracl_learn.c linux-2.6.39.3/grsecurity/gracl_learn.c
56842 --- linux-2.6.39.3/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
56843 +++ linux-2.6.39.3/grsecurity/gracl_learn.c 2011-07-14 21:03:00.000000000 -0400
56844 @@ -0,0 +1,207 @@
56845 +#include <linux/kernel.h>
56846 +#include <linux/mm.h>
56847 +#include <linux/sched.h>
56848 +#include <linux/poll.h>
56849 +#include <linux/string.h>
56850 +#include <linux/file.h>
56851 +#include <linux/types.h>
56852 +#include <linux/vmalloc.h>
56853 +#include <linux/grinternal.h>
56854 +
56855 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
56856 + size_t count, loff_t *ppos);
56857 +extern int gr_acl_is_enabled(void);
56858 +
56859 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
56860 +static int gr_learn_attached;
56861 +
56862 +/* use a 512k buffer */
56863 +#define LEARN_BUFFER_SIZE (512 * 1024)
56864 +
56865 +static DEFINE_SPINLOCK(gr_learn_lock);
56866 +static DEFINE_MUTEX(gr_learn_user_mutex);
56867 +
56868 +/* we need to maintain two buffers, so that the kernel context of grlearn
56869 + uses a semaphore around the userspace copying, and the other kernel contexts
56870 + use a spinlock when copying into the buffer, since they cannot sleep
56871 +*/
56872 +static char *learn_buffer;
56873 +static char *learn_buffer_user;
56874 +static int learn_buffer_len;
56875 +static int learn_buffer_user_len;
56876 +
56877 +static ssize_t
56878 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
56879 +{
56880 + DECLARE_WAITQUEUE(wait, current);
56881 + ssize_t retval = 0;
56882 +
56883 + add_wait_queue(&learn_wait, &wait);
56884 + set_current_state(TASK_INTERRUPTIBLE);
56885 + do {
56886 + mutex_lock(&gr_learn_user_mutex);
56887 + spin_lock(&gr_learn_lock);
56888 + if (learn_buffer_len)
56889 + break;
56890 + spin_unlock(&gr_learn_lock);
56891 + mutex_unlock(&gr_learn_user_mutex);
56892 + if (file->f_flags & O_NONBLOCK) {
56893 + retval = -EAGAIN;
56894 + goto out;
56895 + }
56896 + if (signal_pending(current)) {
56897 + retval = -ERESTARTSYS;
56898 + goto out;
56899 + }
56900 +
56901 + schedule();
56902 + } while (1);
56903 +
56904 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
56905 + learn_buffer_user_len = learn_buffer_len;
56906 + retval = learn_buffer_len;
56907 + learn_buffer_len = 0;
56908 +
56909 + spin_unlock(&gr_learn_lock);
56910 +
56911 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
56912 + retval = -EFAULT;
56913 +
56914 + mutex_unlock(&gr_learn_user_mutex);
56915 +out:
56916 + set_current_state(TASK_RUNNING);
56917 + remove_wait_queue(&learn_wait, &wait);
56918 + return retval;
56919 +}
56920 +
56921 +static unsigned int
56922 +poll_learn(struct file * file, poll_table * wait)
56923 +{
56924 + poll_wait(file, &learn_wait, wait);
56925 +
56926 + if (learn_buffer_len)
56927 + return (POLLIN | POLLRDNORM);
56928 +
56929 + return 0;
56930 +}
56931 +
56932 +void
56933 +gr_clear_learn_entries(void)
56934 +{
56935 + char *tmp;
56936 +
56937 + mutex_lock(&gr_learn_user_mutex);
56938 + spin_lock(&gr_learn_lock);
56939 + tmp = learn_buffer;
56940 + learn_buffer = NULL;
56941 + spin_unlock(&gr_learn_lock);
56942 + if (tmp)
56943 + vfree(tmp);
56944 + if (learn_buffer_user != NULL) {
56945 + vfree(learn_buffer_user);
56946 + learn_buffer_user = NULL;
56947 + }
56948 + learn_buffer_len = 0;
56949 + mutex_unlock(&gr_learn_user_mutex);
56950 +
56951 + return;
56952 +}
56953 +
56954 +void
56955 +gr_add_learn_entry(const char *fmt, ...)
56956 +{
56957 + va_list args;
56958 + unsigned int len;
56959 +
56960 + if (!gr_learn_attached)
56961 + return;
56962 +
56963 + spin_lock(&gr_learn_lock);
56964 +
56965 + /* leave a gap at the end so we know when it's "full" but don't have to
56966 + compute the exact length of the string we're trying to append
56967 + */
56968 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
56969 + spin_unlock(&gr_learn_lock);
56970 + wake_up_interruptible(&learn_wait);
56971 + return;
56972 + }
56973 + if (learn_buffer == NULL) {
56974 + spin_unlock(&gr_learn_lock);
56975 + return;
56976 + }
56977 +
56978 + va_start(args, fmt);
56979 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
56980 + va_end(args);
56981 +
56982 + learn_buffer_len += len + 1;
56983 +
56984 + spin_unlock(&gr_learn_lock);
56985 + wake_up_interruptible(&learn_wait);
56986 +
56987 + return;
56988 +}
56989 +
56990 +static int
56991 +open_learn(struct inode *inode, struct file *file)
56992 +{
56993 + if (file->f_mode & FMODE_READ && gr_learn_attached)
56994 + return -EBUSY;
56995 + if (file->f_mode & FMODE_READ) {
56996 + int retval = 0;
56997 + mutex_lock(&gr_learn_user_mutex);
56998 + if (learn_buffer == NULL)
56999 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
57000 + if (learn_buffer_user == NULL)
57001 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
57002 + if (learn_buffer == NULL) {
57003 + retval = -ENOMEM;
57004 + goto out_error;
57005 + }
57006 + if (learn_buffer_user == NULL) {
57007 + retval = -ENOMEM;
57008 + goto out_error;
57009 + }
57010 + learn_buffer_len = 0;
57011 + learn_buffer_user_len = 0;
57012 + gr_learn_attached = 1;
57013 +out_error:
57014 + mutex_unlock(&gr_learn_user_mutex);
57015 + return retval;
57016 + }
57017 + return 0;
57018 +}
57019 +
57020 +static int
57021 +close_learn(struct inode *inode, struct file *file)
57022 +{
57023 + if (file->f_mode & FMODE_READ) {
57024 + char *tmp = NULL;
57025 + mutex_lock(&gr_learn_user_mutex);
57026 + spin_lock(&gr_learn_lock);
57027 + tmp = learn_buffer;
57028 + learn_buffer = NULL;
57029 + spin_unlock(&gr_learn_lock);
57030 + if (tmp)
57031 + vfree(tmp);
57032 + if (learn_buffer_user != NULL) {
57033 + vfree(learn_buffer_user);
57034 + learn_buffer_user = NULL;
57035 + }
57036 + learn_buffer_len = 0;
57037 + learn_buffer_user_len = 0;
57038 + gr_learn_attached = 0;
57039 + mutex_unlock(&gr_learn_user_mutex);
57040 + }
57041 +
57042 + return 0;
57043 +}
57044 +
57045 +const struct file_operations grsec_fops = {
57046 + .read = read_learn,
57047 + .write = write_grsec_handler,
57048 + .open = open_learn,
57049 + .release = close_learn,
57050 + .poll = poll_learn,
57051 +};
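Review bot: gr_add_learn_entry advances learn_buffer_len by the return value of vsnprintf(), which is the length the output would have had, not the number of bytes actually stored. The 16384-byte gap check only limits where an entry may start, so an entry that formats to more than the remaining space leaves learn_buffer_len larger than LEARN_BUFFER_SIZE, and read_learn then uses that length for the memcpy() into learn_buffer_user and for copy_to_user(). The truncating variant keeps the accounting inside the buffer: `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);`. read_learn also never compares the copied length with its `count` argument.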
57052 diff -urNp linux-2.6.39.3/grsecurity/gracl_res.c linux-2.6.39.3/grsecurity/gracl_res.c
57053 --- linux-2.6.39.3/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57054 +++ linux-2.6.39.3/grsecurity/gracl_res.c 2011-05-22 19:41:42.000000000 -0400
57055 @@ -0,0 +1,68 @@
57056 +#include <linux/kernel.h>
57057 +#include <linux/sched.h>
57058 +#include <linux/gracl.h>
57059 +#include <linux/grinternal.h>
57060 +
57061 +static const char *restab_log[] = {
57062 + [RLIMIT_CPU] = "RLIMIT_CPU",
57063 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57064 + [RLIMIT_DATA] = "RLIMIT_DATA",
57065 + [RLIMIT_STACK] = "RLIMIT_STACK",
57066 + [RLIMIT_CORE] = "RLIMIT_CORE",
57067 + [RLIMIT_RSS] = "RLIMIT_RSS",
57068 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
57069 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57070 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57071 + [RLIMIT_AS] = "RLIMIT_AS",
57072 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57073 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57074 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57075 + [RLIMIT_NICE] = "RLIMIT_NICE",
57076 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57077 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57078 + [GR_CRASH_RES] = "RLIMIT_CRASH"
57079 +};
57080 +
57081 +void
57082 +gr_log_resource(const struct task_struct *task,
57083 + const int res, const unsigned long wanted, const int gt)
57084 +{
57085 + const struct cred *cred;
57086 + unsigned long rlim;
57087 +
57088 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
57089 + return;
57090 +
57091 + // not yet supported resource
57092 + if (unlikely(!restab_log[res]))
57093 + return;
57094 +
57095 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57096 + rlim = task_rlimit_max(task, res);
57097 + else
57098 + rlim = task_rlimit(task, res);
57099 +
57100 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57101 + return;
57102 +
57103 + rcu_read_lock();
57104 + cred = __task_cred(task);
57105 +
57106 + if (res == RLIMIT_NPROC &&
57107 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57108 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57109 + goto out_rcu_unlock;
57110 + else if (res == RLIMIT_MEMLOCK &&
57111 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57112 + goto out_rcu_unlock;
57113 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57114 + goto out_rcu_unlock;
57115 + rcu_read_unlock();
57116 +
57117 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57118 +
57119 + return;
57120 +out_rcu_unlock:
57121 + rcu_read_unlock();
57122 + return;
57123 +}
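Review bot: gr_log_resource indexes `restab_log[res]` with no range check on res, and the table's length is set by its highest designator (presumably GR_CRASH_RES). The callers are outside this hunk, so whether res can fall outside the table is not visible here. A guard such as `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])) return;` makes the lookup safe regardless of the caller. A one-line comment on `gt`, which selects between the `wanted <= rlim` and `wanted < rlim` comparisons, would also help.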
57124 diff -urNp linux-2.6.39.3/grsecurity/gracl_segv.c linux-2.6.39.3/grsecurity/gracl_segv.c
57125 --- linux-2.6.39.3/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57126 +++ linux-2.6.39.3/grsecurity/gracl_segv.c 2011-05-22 22:47:39.000000000 -0400
57127 @@ -0,0 +1,299 @@
57128 +#include <linux/kernel.h>
57129 +#include <linux/mm.h>
57130 +#include <asm/uaccess.h>
57131 +#include <asm/errno.h>
57132 +#include <asm/mman.h>
57133 +#include <net/sock.h>
57134 +#include <linux/file.h>
57135 +#include <linux/fs.h>
57136 +#include <linux/net.h>
57137 +#include <linux/in.h>
57138 +#include <linux/slab.h>
57139 +#include <linux/types.h>
57140 +#include <linux/sched.h>
57141 +#include <linux/timer.h>
57142 +#include <linux/gracl.h>
57143 +#include <linux/grsecurity.h>
57144 +#include <linux/grinternal.h>
57145 +
57146 +static struct crash_uid *uid_set;
57147 +static unsigned short uid_used;
57148 +static DEFINE_SPINLOCK(gr_uid_lock);
57149 +extern rwlock_t gr_inode_lock;
57150 +extern struct acl_subject_label *
57151 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57152 + struct acl_role_label *role);
57153 +
57154 +#ifdef CONFIG_BTRFS_FS
57155 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
57156 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
57157 +#endif
57158 +
57159 +static inline dev_t __get_dev(const struct dentry *dentry)
57160 +{
57161 +#ifdef CONFIG_BTRFS_FS
57162 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
57163 + return get_btrfs_dev_from_inode(dentry->d_inode);
57164 + else
57165 +#endif
57166 + return dentry->d_inode->i_sb->s_dev;
57167 +}
57168 +
57169 +int
57170 +gr_init_uidset(void)
57171 +{
57172 + uid_set =
57173 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57174 + uid_used = 0;
57175 +
57176 + return uid_set ? 1 : 0;
57177 +}
57178 +
57179 +void
57180 +gr_free_uidset(void)
57181 +{
57182 + if (uid_set)
57183 + kfree(uid_set);
57184 +
57185 + return;
57186 +}
57187 +
57188 +int
57189 +gr_find_uid(const uid_t uid)
57190 +{
57191 + struct crash_uid *tmp = uid_set;
57192 + uid_t buid;
57193 + int low = 0, high = uid_used - 1, mid;
57194 +
57195 + while (high >= low) {
57196 + mid = (low + high) >> 1;
57197 + buid = tmp[mid].uid;
57198 + if (buid == uid)
57199 + return mid;
57200 + if (buid > uid)
57201 + high = mid - 1;
57202 + if (buid < uid)
57203 + low = mid + 1;
57204 + }
57205 +
57206 + return -1;
57207 +}
57208 +
57209 +static __inline__ void
57210 +gr_insertsort(void)
57211 +{
57212 + unsigned short i, j;
57213 + struct crash_uid index;
57214 +
57215 + for (i = 1; i < uid_used; i++) {
57216 + index = uid_set[i];
57217 + j = i;
57218 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57219 + uid_set[j] = uid_set[j - 1];
57220 + j--;
57221 + }
57222 + uid_set[j] = index;
57223 + }
57224 +
57225 + return;
57226 +}
57227 +
57228 +static __inline__ void
57229 +gr_insert_uid(const uid_t uid, const unsigned long expires)
57230 +{
57231 + int loc;
57232 +
57233 + if (uid_used == GR_UIDTABLE_MAX)
57234 + return;
57235 +
57236 + loc = gr_find_uid(uid);
57237 +
57238 + if (loc >= 0) {
57239 + uid_set[loc].expires = expires;
57240 + return;
57241 + }
57242 +
57243 + uid_set[uid_used].uid = uid;
57244 + uid_set[uid_used].expires = expires;
57245 + uid_used++;
57246 +
57247 + gr_insertsort();
57248 +
57249 + return;
57250 +}
57251 +
57252 +void
57253 +gr_remove_uid(const unsigned short loc)
57254 +{
57255 + unsigned short i;
57256 +
57257 + for (i = loc + 1; i < uid_used; i++)
57258 + uid_set[i - 1] = uid_set[i];
57259 +
57260 + uid_used--;
57261 +
57262 + return;
57263 +}
57264 +
57265 +int
57266 +gr_check_crash_uid(const uid_t uid)
57267 +{
57268 + int loc;
57269 + int ret = 0;
57270 +
57271 + if (unlikely(!gr_acl_is_enabled()))
57272 + return 0;
57273 +
57274 + spin_lock(&gr_uid_lock);
57275 + loc = gr_find_uid(uid);
57276 +
57277 + if (loc < 0)
57278 + goto out_unlock;
57279 +
57280 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
57281 + gr_remove_uid(loc);
57282 + else
57283 + ret = 1;
57284 +
57285 +out_unlock:
57286 + spin_unlock(&gr_uid_lock);
57287 + return ret;
57288 +}
57289 +
57290 +static __inline__ int
57291 +proc_is_setxid(const struct cred *cred)
57292 +{
57293 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
57294 + cred->uid != cred->fsuid)
57295 + return 1;
57296 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57297 + cred->gid != cred->fsgid)
57298 + return 1;
57299 +
57300 + return 0;
57301 +}
57302 +
57303 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
57304 +
57305 +void
57306 +gr_handle_crash(struct task_struct *task, const int sig)
57307 +{
57308 + struct acl_subject_label *curr;
57309 + struct acl_subject_label *curr2;
57310 + struct task_struct *tsk, *tsk2;
57311 + const struct cred *cred;
57312 + const struct cred *cred2;
57313 +
57314 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57315 + return;
57316 +
57317 + if (unlikely(!gr_acl_is_enabled()))
57318 + return;
57319 +
57320 + curr = task->acl;
57321 +
57322 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
57323 + return;
57324 +
57325 + if (time_before_eq(curr->expires, get_seconds())) {
57326 + curr->expires = 0;
57327 + curr->crashes = 0;
57328 + }
57329 +
57330 + curr->crashes++;
57331 +
57332 + if (!curr->expires)
57333 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57334 +
57335 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57336 + time_after(curr->expires, get_seconds())) {
57337 + rcu_read_lock();
57338 + cred = __task_cred(task);
57339 + if (cred->uid && proc_is_setxid(cred)) {
57340 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57341 + spin_lock(&gr_uid_lock);
57342 + gr_insert_uid(cred->uid, curr->expires);
57343 + spin_unlock(&gr_uid_lock);
57344 + curr->expires = 0;
57345 + curr->crashes = 0;
57346 + read_lock(&tasklist_lock);
57347 + do_each_thread(tsk2, tsk) {
57348 + cred2 = __task_cred(tsk);
57349 + if (tsk != task && cred2->uid == cred->uid)
57350 + gr_fake_force_sig(SIGKILL, tsk);
57351 + } while_each_thread(tsk2, tsk);
57352 + read_unlock(&tasklist_lock);
57353 + } else {
57354 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57355 + read_lock(&tasklist_lock);
57356 + do_each_thread(tsk2, tsk) {
57357 + if (likely(tsk != task)) {
57358 + curr2 = tsk->acl;
57359 +
57360 + if (curr2->device == curr->device &&
57361 + curr2->inode == curr->inode)
57362 + gr_fake_force_sig(SIGKILL, tsk);
57363 + }
57364 + } while_each_thread(tsk2, tsk);
57365 + read_unlock(&tasklist_lock);
57366 + }
57367 + rcu_read_unlock();
57368 + }
57369 +
57370 + return;
57371 +}
57372 +
57373 +int
57374 +gr_check_crash_exec(const struct file *filp)
57375 +{
57376 + struct acl_subject_label *curr;
57377 +
57378 + if (unlikely(!gr_acl_is_enabled()))
57379 + return 0;
57380 +
57381 + read_lock(&gr_inode_lock);
57382 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57383 + __get_dev(filp->f_path.dentry),
57384 + current->role);
57385 + read_unlock(&gr_inode_lock);
57386 +
57387 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57388 + (!curr->crashes && !curr->expires))
57389 + return 0;
57390 +
57391 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57392 + time_after(curr->expires, get_seconds()))
57393 + return 1;
57394 + else if (time_before_eq(curr->expires, get_seconds())) {
57395 + curr->crashes = 0;
57396 + curr->expires = 0;
57397 + }
57398 +
57399 + return 0;
57400 +}
57401 +
57402 +void
57403 +gr_handle_alertkill(struct task_struct *task)
57404 +{
57405 + struct acl_subject_label *curracl;
57406 + __u32 curr_ip;
57407 + struct task_struct *p, *p2;
57408 +
57409 + if (unlikely(!gr_acl_is_enabled()))
57410 + return;
57411 +
57412 + curracl = task->acl;
57413 + curr_ip = task->signal->curr_ip;
57414 +
57415 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57416 + read_lock(&tasklist_lock);
57417 + do_each_thread(p2, p) {
57418 + if (p->signal->curr_ip == curr_ip)
57419 + gr_fake_force_sig(SIGKILL, p);
57420 + } while_each_thread(p2, p);
57421 + read_unlock(&tasklist_lock);
57422 + } else if (curracl->mode & GR_KILLPROC)
57423 + gr_fake_force_sig(SIGKILL, task);
57424 +
57425 + return;
57426 +}
57427 diff -urNp linux-2.6.39.3/grsecurity/gracl_shm.c linux-2.6.39.3/grsecurity/gracl_shm.c
57428 --- linux-2.6.39.3/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57429 +++ linux-2.6.39.3/grsecurity/gracl_shm.c 2011-05-22 19:41:42.000000000 -0400
57430 @@ -0,0 +1,40 @@
57431 +#include <linux/kernel.h>
57432 +#include <linux/mm.h>
57433 +#include <linux/sched.h>
57434 +#include <linux/file.h>
57435 +#include <linux/ipc.h>
57436 +#include <linux/gracl.h>
57437 +#include <linux/grsecurity.h>
57438 +#include <linux/grinternal.h>
57439 +
57440 +int
57441 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57442 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57443 +{
57444 + struct task_struct *task;
57445 +
57446 + if (!gr_acl_is_enabled())
57447 + return 1;
57448 +
57449 + rcu_read_lock();
57450 + read_lock(&tasklist_lock);
57451 +
57452 + task = find_task_by_vpid(shm_cprid);
57453 +
57454 + if (unlikely(!task))
57455 + task = find_task_by_vpid(shm_lapid);
57456 +
57457 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57458 + (task->pid == shm_lapid)) &&
57459 + (task->acl->mode & GR_PROTSHM) &&
57460 + (task->acl != current->acl))) {
57461 + read_unlock(&tasklist_lock);
57462 + rcu_read_unlock();
57463 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57464 + return 0;
57465 + }
57466 + read_unlock(&tasklist_lock);
57467 + rcu_read_unlock();
57468 +
57469 + return 1;
57470 +}
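Review bot: In gr_handle_shmat the fallback to `shm_lapid` runs only when no task holds the creator PID, so a creator PID that now belongs to a task started after the segment was created makes the whole condition false and the function returns 1 without looking at the last attacher. gr_chroot_shmat in grsec_chroot.c treats that same situation as PID reuse and goes on to check `shm_lapid`. The two should agree, for example by widening the fallback to `if (unlikely(!task || time_after((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime)))`, or the difference should be explained in a comment above the condition. The start-time test is only meaningful if `task->start_time.tv_sec` and `shm_createtime` come from the same clock, which this hunk does not show, so a comment naming the clock behind `shm_createtime` would help.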
57471 diff -urNp linux-2.6.39.3/grsecurity/grsec_chdir.c linux-2.6.39.3/grsecurity/grsec_chdir.c
57472 --- linux-2.6.39.3/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57473 +++ linux-2.6.39.3/grsecurity/grsec_chdir.c 2011-05-22 19:41:42.000000000 -0400
57474 @@ -0,0 +1,19 @@
57475 +#include <linux/kernel.h>
57476 +#include <linux/sched.h>
57477 +#include <linux/fs.h>
57478 +#include <linux/file.h>
57479 +#include <linux/grsecurity.h>
57480 +#include <linux/grinternal.h>
57481 +
57482 +void
57483 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57484 +{
57485 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57486 + if ((grsec_enable_chdir && grsec_enable_group &&
57487 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57488 + !grsec_enable_group)) {
57489 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57490 + }
57491 +#endif
57492 + return;
57493 +}
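Review bot: The audit condition in gr_log_chdir tests `grsec_enable_chdir` in both arms; `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))` is equivalent and shows the gating at a glance. A one-line comment such as `/* with grsec_enable_group set, only members of grsec_audit_gid are audited */` would make clear that chdir calls by other users go unlogged in that mode. The same expression shape recurs in gr_handle_exec_args and gr_handle_exec_args_compat in grsec_exec.c.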
57494 diff -urNp linux-2.6.39.3/grsecurity/grsec_chroot.c linux-2.6.39.3/grsecurity/grsec_chroot.c
57495 --- linux-2.6.39.3/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57496 +++ linux-2.6.39.3/grsecurity/grsec_chroot.c 2011-07-18 17:20:05.000000000 -0400
57497 @@ -0,0 +1,349 @@
57498 +#include <linux/kernel.h>
57499 +#include <linux/module.h>
57500 +#include <linux/sched.h>
57501 +#include <linux/file.h>
57502 +#include <linux/fs.h>
57503 +#include <linux/mount.h>
57504 +#include <linux/types.h>
57505 +#include <linux/pid_namespace.h>
57506 +#include <linux/grsecurity.h>
57507 +#include <linux/grinternal.h>
57508 +
57509 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
57510 +{
57511 +#ifdef CONFIG_GRKERNSEC
57512 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
57513 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
57514 + task->gr_is_chrooted = 1;
57515 + else
57516 + task->gr_is_chrooted = 0;
57517 +
57518 + task->gr_chroot_dentry = path->dentry;
57519 +#endif
57520 + return;
57521 +}
57522 +
57523 +void gr_clear_chroot_entries(struct task_struct *task)
57524 +{
57525 +#ifdef CONFIG_GRKERNSEC
57526 + task->gr_is_chrooted = 0;
57527 + task->gr_chroot_dentry = NULL;
57528 +#endif
57529 + return;
57530 +}
57531 +
57532 +int
57533 +gr_handle_chroot_unix(const pid_t pid)
57534 +{
57535 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57536 + struct task_struct *p;
57537 +
57538 + if (unlikely(!grsec_enable_chroot_unix))
57539 + return 1;
57540 +
57541 + if (likely(!proc_is_chrooted(current)))
57542 + return 1;
57543 +
57544 + rcu_read_lock();
57545 + read_lock(&tasklist_lock);
57546 + p = find_task_by_vpid_unrestricted(pid);
57547 + if (unlikely(p && !have_same_root(current, p))) {
57548 + read_unlock(&tasklist_lock);
57549 + rcu_read_unlock();
57550 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
57551 + return 0;
57552 + }
57553 + read_unlock(&tasklist_lock);
57554 + rcu_read_unlock();
57555 +#endif
57556 + return 1;
57557 +}
57558 +
57559 +int
57560 +gr_handle_chroot_nice(void)
57561 +{
57562 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57563 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
57564 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
57565 + return -EPERM;
57566 + }
57567 +#endif
57568 + return 0;
57569 +}
57570 +
57571 +int
57572 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
57573 +{
57574 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57575 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
57576 + && proc_is_chrooted(current)) {
57577 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
57578 + return -EACCES;
57579 + }
57580 +#endif
57581 + return 0;
57582 +}
57583 +
57584 +int
57585 +gr_handle_chroot_rawio(const struct inode *inode)
57586 +{
57587 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57588 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
57589 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
57590 + return 1;
57591 +#endif
57592 + return 0;
57593 +}
57594 +
57595 +int
57596 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
57597 +{
57598 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57599 + struct task_struct *p;
57600 + int ret = 0;
57601 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
57602 + return ret;
57603 +
57604 + read_lock(&tasklist_lock);
57605 + do_each_pid_task(pid, type, p) {
57606 + if (!have_same_root(current, p)) {
57607 + ret = 1;
57608 + goto out;
57609 + }
57610 + } while_each_pid_task(pid, type, p);
57611 +out:
57612 + read_unlock(&tasklist_lock);
57613 + return ret;
57614 +#endif
57615 + return 0;
57616 +}
57617 +
57618 +int
57619 +gr_pid_is_chrooted(struct task_struct *p)
57620 +{
57621 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57622 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
57623 + return 0;
57624 +
57625 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
57626 + !have_same_root(current, p)) {
57627 + return 1;
57628 + }
57629 +#endif
57630 + return 0;
57631 +}
57632 +
57633 +EXPORT_SYMBOL(gr_pid_is_chrooted);
57634 +
57635 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
57636 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
57637 +{
57638 + struct path path, currentroot;
57639 + int ret = 0;
57640 +
57641 + path.dentry = (struct dentry *)u_dentry;
57642 + path.mnt = (struct vfsmount *)u_mnt;
57643 + get_fs_root(current->fs, &currentroot);
57644 + if (path_is_under(&path, &currentroot))
57645 + ret = 1;
57646 + path_put(&currentroot);
57647 +
57648 + return ret;
57649 +}
57650 +#endif
57651 +
57652 +int
57653 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
57654 +{
57655 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57656 + if (!grsec_enable_chroot_fchdir)
57657 + return 1;
57658 +
57659 + if (!proc_is_chrooted(current))
57660 + return 1;
57661 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
57662 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
57663 + return 0;
57664 + }
57665 +#endif
57666 + return 1;
57667 +}
57668 +
57669 +int
57670 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57671 + const time_t shm_createtime)
57672 +{
57673 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57674 + struct task_struct *p;
57675 + time_t starttime;
57676 +
57677 + if (unlikely(!grsec_enable_chroot_shmat))
57678 + return 1;
57679 +
57680 + if (likely(!proc_is_chrooted(current)))
57681 + return 1;
57682 +
57683 + rcu_read_lock();
57684 + read_lock(&tasklist_lock);
57685 +
57686 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
57687 + starttime = p->start_time.tv_sec;
57688 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
57689 + if (have_same_root(current, p)) {
57690 + goto allow;
57691 + } else {
57692 + read_unlock(&tasklist_lock);
57693 + rcu_read_unlock();
57694 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57695 + return 0;
57696 + }
57697 + }
57698 + /* creator exited, pid reuse, fall through to next check */
57699 + }
57700 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
57701 + if (unlikely(!have_same_root(current, p))) {
57702 + read_unlock(&tasklist_lock);
57703 + rcu_read_unlock();
57704 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
57705 + return 0;
57706 + }
57707 + }
57708 +
57709 +allow:
57710 + read_unlock(&tasklist_lock);
57711 + rcu_read_unlock();
57712 +#endif
57713 + return 1;
57714 +}
57715 +
57716 +void
57717 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
57718 +{
57719 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57720 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
57721 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
57722 +#endif
57723 + return;
57724 +}
57725 +
57726 +int
57727 +gr_handle_chroot_mknod(const struct dentry *dentry,
57728 + const struct vfsmount *mnt, const int mode)
57729 +{
57730 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57731 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
57732 + proc_is_chrooted(current)) {
57733 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
57734 + return -EPERM;
57735 + }
57736 +#endif
57737 + return 0;
57738 +}
57739 +
57740 +int
57741 +gr_handle_chroot_mount(const struct dentry *dentry,
57742 + const struct vfsmount *mnt, const char *dev_name)
57743 +{
57744 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57745 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
57746 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
57747 + return -EPERM;
57748 + }
57749 +#endif
57750 + return 0;
57751 +}
57752 +
57753 +int
57754 +gr_handle_chroot_pivot(void)
57755 +{
57756 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57757 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
57758 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
57759 + return -EPERM;
57760 + }
57761 +#endif
57762 + return 0;
57763 +}
57764 +
57765 +int
57766 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
57767 +{
57768 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57769 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
57770 + !gr_is_outside_chroot(dentry, mnt)) {
57771 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
57772 + return -EPERM;
57773 + }
57774 +#endif
57775 + return 0;
57776 +}
57777 +
57778 +int
57779 +gr_handle_chroot_caps(struct path *path)
57780 +{
57781 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57782 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
57783 + (init_task.fs->root.dentry != path->dentry) &&
57784 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
57785 +
57786 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
57787 + const struct cred *old = current_cred();
57788 + struct cred *new = prepare_creds();
57789 + if (new == NULL)
57790 + return 1;
57791 +
57792 + new->cap_permitted = cap_drop(old->cap_permitted,
57793 + chroot_caps);
57794 + new->cap_inheritable = cap_drop(old->cap_inheritable,
57795 + chroot_caps);
57796 + new->cap_effective = cap_drop(old->cap_effective,
57797 + chroot_caps);
57798 +
57799 + commit_creds(new);
57800 +
57801 + return 0;
57802 + }
57803 +#endif
57804 + return 0;
57805 +}
57806 +
57807 +int
57808 +gr_handle_chroot_sysctl(const int op)
57809 +{
57810 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57811 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
57812 + proc_is_chrooted(current))
57813 + return -EACCES;
57814 +#endif
57815 + return 0;
57816 +}
57817 +
57818 +void
57819 +gr_handle_chroot_chdir(struct path *path)
57820 +{
57821 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57822 + if (grsec_enable_chroot_chdir)
57823 + set_fs_pwd(current->fs, path);
57824 +#endif
57825 + return;
57826 +}
57827 +
57828 +int
57829 +gr_handle_chroot_chmod(const struct dentry *dentry,
57830 + const struct vfsmount *mnt, const int mode)
57831 +{
57832 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57833 + /* allow chmod +s on directories, but not files */
57834 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
57835 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
57836 + proc_is_chrooted(current)) {
57837 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
57838 + return -EPERM;
57839 + }
57840 +#endif
57841 + return 0;
57842 +}
57843 +
57844 +#ifdef CONFIG_SECURITY
57845 +EXPORT_SYMBOL(gr_handle_chroot_caps);
57846 +#endif
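Review bot: gr_is_outside_chroot returns 1 when `path_is_under(&path, &currentroot)` succeeds, that is when the path lies inside the caller's root, so the name states the opposite of the result. Both callers in this file, gr_chroot_fchdir and gr_handle_chroot_chroot, deny on `!gr_is_outside_chroot(...)`, which is right for the actual return value but reads as if paths inside the chroot were refused; a later caller trusting the name would invert the containment check. Either rename it (for example `gr_is_inside_chroot`) or add a comment above it, `/* returns 1 if the path is under current's root, 0 if it is outside */`. Separately, gr_handle_chroot_caps returns 1 when prepare_creds() fails and 0 on every other path; the caller is not in this hunk, so what 1 means to it should be documented.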
57847 diff -urNp linux-2.6.39.3/grsecurity/grsec_disabled.c linux-2.6.39.3/grsecurity/grsec_disabled.c
57848 --- linux-2.6.39.3/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
57849 +++ linux-2.6.39.3/grsecurity/grsec_disabled.c 2011-05-22 19:41:42.000000000 -0400
57850 @@ -0,0 +1,447 @@
57851 +#include <linux/kernel.h>
57852 +#include <linux/module.h>
57853 +#include <linux/sched.h>
57854 +#include <linux/file.h>
57855 +#include <linux/fs.h>
57856 +#include <linux/kdev_t.h>
57857 +#include <linux/net.h>
57858 +#include <linux/in.h>
57859 +#include <linux/ip.h>
57860 +#include <linux/skbuff.h>
57861 +#include <linux/sysctl.h>
57862 +
57863 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57864 +void
57865 +pax_set_initial_flags(struct linux_binprm *bprm)
57866 +{
57867 + return;
57868 +}
57869 +#endif
57870 +
57871 +#ifdef CONFIG_SYSCTL
57872 +__u32
57873 +gr_handle_sysctl(const struct ctl_table * table, const int op)
57874 +{
57875 + return 0;
57876 +}
57877 +#endif
57878 +
57879 +#ifdef CONFIG_TASKSTATS
57880 +int gr_is_taskstats_denied(int pid)
57881 +{
57882 + return 0;
57883 +}
57884 +#endif
57885 +
57886 +int
57887 +gr_acl_is_enabled(void)
57888 +{
57889 + return 0;
57890 +}
57891 +
57892 +int
57893 +gr_handle_rawio(const struct inode *inode)
57894 +{
57895 + return 0;
57896 +}
57897 +
57898 +void
57899 +gr_acl_handle_psacct(struct task_struct *task, const long code)
57900 +{
57901 + return;
57902 +}
57903 +
57904 +int
57905 +gr_handle_ptrace(struct task_struct *task, const long request)
57906 +{
57907 + return 0;
57908 +}
57909 +
57910 +int
57911 +gr_handle_proc_ptrace(struct task_struct *task)
57912 +{
57913 + return 0;
57914 +}
57915 +
57916 +void
57917 +gr_learn_resource(const struct task_struct *task,
57918 + const int res, const unsigned long wanted, const int gt)
57919 +{
57920 + return;
57921 +}
57922 +
57923 +int
57924 +gr_set_acls(const int type)
57925 +{
57926 + return 0;
57927 +}
57928 +
57929 +int
57930 +gr_check_hidden_task(const struct task_struct *tsk)
57931 +{
57932 + return 0;
57933 +}
57934 +
57935 +int
57936 +gr_check_protected_task(const struct task_struct *task)
57937 +{
57938 + return 0;
57939 +}
57940 +
57941 +int
57942 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
57943 +{
57944 + return 0;
57945 +}
57946 +
57947 +void
57948 +gr_copy_label(struct task_struct *tsk)
57949 +{
57950 + return;
57951 +}
57952 +
57953 +void
57954 +gr_set_pax_flags(struct task_struct *task)
57955 +{
57956 + return;
57957 +}
57958 +
57959 +int
57960 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
57961 + const int unsafe_share)
57962 +{
57963 + return 0;
57964 +}
57965 +
57966 +void
57967 +gr_handle_delete(const ino_t ino, const dev_t dev)
57968 +{
57969 + return;
57970 +}
57971 +
57972 +void
57973 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
57974 +{
57975 + return;
57976 +}
57977 +
57978 +void
57979 +gr_handle_crash(struct task_struct *task, const int sig)
57980 +{
57981 + return;
57982 +}
57983 +
57984 +int
57985 +gr_check_crash_exec(const struct file *filp)
57986 +{
57987 + return 0;
57988 +}
57989 +
57990 +int
57991 +gr_check_crash_uid(const uid_t uid)
57992 +{
57993 + return 0;
57994 +}
57995 +
57996 +void
57997 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
57998 + struct dentry *old_dentry,
57999 + struct dentry *new_dentry,
58000 + struct vfsmount *mnt, const __u8 replace)
58001 +{
58002 + return;
58003 +}
58004 +
58005 +int
58006 +gr_search_socket(const int family, const int type, const int protocol)
58007 +{
58008 + return 1;
58009 +}
58010 +
58011 +int
58012 +gr_search_connectbind(const int mode, const struct socket *sock,
58013 + const struct sockaddr_in *addr)
58014 +{
58015 + return 0;
58016 +}
58017 +
58018 +int
58019 +gr_is_capable(const int cap)
58020 +{
58021 + return 1;
58022 +}
58023 +
58024 +int
58025 +gr_is_capable_nolog(const int cap)
58026 +{
58027 + return 1;
58028 +}
58029 +
58030 +void
58031 +gr_handle_alertkill(struct task_struct *task)
58032 +{
58033 + return;
58034 +}
58035 +
58036 +__u32
58037 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
58038 +{
58039 + return 1;
58040 +}
58041 +
58042 +__u32
58043 +gr_acl_handle_hidden_file(const struct dentry * dentry,
58044 + const struct vfsmount * mnt)
58045 +{
58046 + return 1;
58047 +}
58048 +
58049 +__u32
58050 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58051 + const int fmode)
58052 +{
58053 + return 1;
58054 +}
58055 +
58056 +__u32
58057 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58058 +{
58059 + return 1;
58060 +}
58061 +
58062 +__u32
58063 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58064 +{
58065 + return 1;
58066 +}
58067 +
58068 +int
58069 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58070 + unsigned int *vm_flags)
58071 +{
58072 + return 1;
58073 +}
58074 +
58075 +__u32
58076 +gr_acl_handle_truncate(const struct dentry * dentry,
58077 + const struct vfsmount * mnt)
58078 +{
58079 + return 1;
58080 +}
58081 +
58082 +__u32
58083 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58084 +{
58085 + return 1;
58086 +}
58087 +
58088 +__u32
58089 +gr_acl_handle_access(const struct dentry * dentry,
58090 + const struct vfsmount * mnt, const int fmode)
58091 +{
58092 + return 1;
58093 +}
58094 +
58095 +__u32
58096 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58097 + mode_t mode)
58098 +{
58099 + return 1;
58100 +}
58101 +
58102 +__u32
58103 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58104 + mode_t mode)
58105 +{
58106 + return 1;
58107 +}
58108 +
58109 +__u32
58110 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58111 +{
58112 + return 1;
58113 +}
58114 +
58115 +__u32
58116 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58117 +{
58118 + return 1;
58119 +}
58120 +
58121 +void
58122 +grsecurity_init(void)
58123 +{
58124 + return;
58125 +}
58126 +
58127 +__u32
58128 +gr_acl_handle_mknod(const struct dentry * new_dentry,
58129 + const struct dentry * parent_dentry,
58130 + const struct vfsmount * parent_mnt,
58131 + const int mode)
58132 +{
58133 + return 1;
58134 +}
58135 +
58136 +__u32
58137 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
58138 + const struct dentry * parent_dentry,
58139 + const struct vfsmount * parent_mnt)
58140 +{
58141 + return 1;
58142 +}
58143 +
58144 +__u32
58145 +gr_acl_handle_symlink(const struct dentry * new_dentry,
58146 + const struct dentry * parent_dentry,
58147 + const struct vfsmount * parent_mnt, const char *from)
58148 +{
58149 + return 1;
58150 +}
58151 +
58152 +__u32
58153 +gr_acl_handle_link(const struct dentry * new_dentry,
58154 + const struct dentry * parent_dentry,
58155 + const struct vfsmount * parent_mnt,
58156 + const struct dentry * old_dentry,
58157 + const struct vfsmount * old_mnt, const char *to)
58158 +{
58159 + return 1;
58160 +}
58161 +
58162 +int
58163 +gr_acl_handle_rename(const struct dentry *new_dentry,
58164 + const struct dentry *parent_dentry,
58165 + const struct vfsmount *parent_mnt,
58166 + const struct dentry *old_dentry,
58167 + const struct inode *old_parent_inode,
58168 + const struct vfsmount *old_mnt, const char *newname)
58169 +{
58170 + return 0;
58171 +}
58172 +
58173 +int
58174 +gr_acl_handle_filldir(const struct file *file, const char *name,
58175 + const int namelen, const ino_t ino)
58176 +{
58177 + return 1;
58178 +}
58179 +
58180 +int
58181 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58182 + const time_t shm_createtime, const uid_t cuid, const int shmid)
58183 +{
58184 + return 1;
58185 +}
58186 +
58187 +int
58188 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58189 +{
58190 + return 0;
58191 +}
58192 +
58193 +int
58194 +gr_search_accept(const struct socket *sock)
58195 +{
58196 + return 0;
58197 +}
58198 +
58199 +int
58200 +gr_search_listen(const struct socket *sock)
58201 +{
58202 + return 0;
58203 +}
58204 +
58205 +int
58206 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58207 +{
58208 + return 0;
58209 +}
58210 +
58211 +__u32
58212 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58213 +{
58214 + return 1;
58215 +}
58216 +
58217 +__u32
58218 +gr_acl_handle_creat(const struct dentry * dentry,
58219 + const struct dentry * p_dentry,
58220 + const struct vfsmount * p_mnt, const int fmode,
58221 + const int imode)
58222 +{
58223 + return 1;
58224 +}
58225 +
58226 +void
58227 +gr_acl_handle_exit(void)
58228 +{
58229 + return;
58230 +}
58231 +
58232 +int
58233 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58234 +{
58235 + return 1;
58236 +}
58237 +
58238 +void
58239 +gr_set_role_label(const uid_t uid, const gid_t gid)
58240 +{
58241 + return;
58242 +}
58243 +
58244 +int
58245 +gr_acl_handle_procpidmem(const struct task_struct *task)
58246 +{
58247 + return 0;
58248 +}
58249 +
58250 +int
58251 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58252 +{
58253 + return 0;
58254 +}
58255 +
58256 +int
58257 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58258 +{
58259 + return 0;
58260 +}
58261 +
58262 +void
58263 +gr_set_kernel_label(struct task_struct *task)
58264 +{
58265 + return;
58266 +}
58267 +
58268 +int
58269 +gr_check_user_change(int real, int effective, int fs)
58270 +{
58271 + return 0;
58272 +}
58273 +
58274 +int
58275 +gr_check_group_change(int real, int effective, int fs)
58276 +{
58277 + return 0;
58278 +}
58279 +
58280 +int gr_acl_enable_at_secure(void)
58281 +{
58282 + return 0;
58283 +}
58284 +
58285 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58286 +{
58287 + return dentry->d_inode->i_sb->s_dev;
58288 +}
58289 +
58290 +EXPORT_SYMBOL(gr_is_capable);
58291 +EXPORT_SYMBOL(gr_is_capable_nolog);
58292 +EXPORT_SYMBOL(gr_learn_resource);
58293 +EXPORT_SYMBOL(gr_set_kernel_label);
58294 +#ifdef CONFIG_SECURITY
58295 +EXPORT_SYMBOL(gr_check_user_change);
58296 +EXPORT_SYMBOL(gr_check_group_change);
58297 +#endif
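Review bot: The stubs in grsec_disabled.c carry no comment saying what each return value means, and the constant is not uniform: gr_search_socket, gr_is_capable and the gr_acl_handle_* file hooks return 1, while gr_search_connectbind, gr_search_bind, gr_handle_ptrace and gr_acl_handle_rename return 0. Presumably each is the value that lets its hook's operation proceed, but nothing in the file says so, and a stub added later with the wrong constant would silently deny or allow an operation on kernels built without the ACL system. A file header comment stating that rule, plus a short `/* 1 = allowed */` or `/* 0 = no error */` on each group of stubs, would make it checkable in review. gr_get_dev_from_dentry is the only function here with real logic and dereferences `dentry->d_inode` unconditionally; whether callers can pass a negative dentry is not visible in this hunk.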
58298 diff -urNp linux-2.6.39.3/grsecurity/grsec_exec.c linux-2.6.39.3/grsecurity/grsec_exec.c
58299 --- linux-2.6.39.3/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58300 +++ linux-2.6.39.3/grsecurity/grsec_exec.c 2011-05-22 22:41:29.000000000 -0400
58301 @@ -0,0 +1,146 @@
58302 +#include <linux/kernel.h>
58303 +#include <linux/sched.h>
58304 +#include <linux/file.h>
58305 +#include <linux/binfmts.h>
58306 +#include <linux/fs.h>
58307 +#include <linux/types.h>
58308 +#include <linux/grdefs.h>
58309 +#include <linux/grinternal.h>
58310 +#include <linux/capability.h>
58311 +#include <linux/compat.h>
58312 +
58313 +#include <asm/uaccess.h>
58314 +
58315 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58316 +static char gr_exec_arg_buf[132];
58317 +static DEFINE_MUTEX(gr_exec_arg_mutex);
58318 +#endif
58319 +
58320 +int
58321 +gr_handle_nproc(void)
58322 +{
58323 +#ifdef CONFIG_GRKERNSEC_EXECVE
58324 + const struct cred *cred = current_cred();
58325 + if (grsec_enable_execve && cred->user &&
58326 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
58327 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
58328 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
58329 + return -EAGAIN;
58330 + }
58331 +#endif
58332 + return 0;
58333 +}
58334 +
58335 +void
58336 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58337 +{
58338 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58339 + char *grarg = gr_exec_arg_buf;
58340 + unsigned int i, x, execlen = 0;
58341 + char c;
58342 +
58343 + if (!((grsec_enable_execlog && grsec_enable_group &&
58344 + in_group_p(grsec_audit_gid))
58345 + || (grsec_enable_execlog && !grsec_enable_group)))
58346 + return;
58347 +
58348 + mutex_lock(&gr_exec_arg_mutex);
58349 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58350 +
58351 + if (unlikely(argv == NULL))
58352 + goto log;
58353 +
58354 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58355 + const char __user *p;
58356 + unsigned int len;
58357 +
58358 + if (copy_from_user(&p, argv + i, sizeof(p)))
58359 + goto log;
58360 + if (!p)
58361 + goto log;
58362 + len = strnlen_user(p, 128 - execlen);
58363 + if (len > 128 - execlen)
58364 + len = 128 - execlen;
58365 + else if (len > 0)
58366 + len--;
58367 + if (copy_from_user(grarg + execlen, p, len))
58368 + goto log;
58369 +
58370 + /* rewrite unprintable characters */
58371 + for (x = 0; x < len; x++) {
58372 + c = *(grarg + execlen + x);
58373 + if (c < 32 || c > 126)
58374 + *(grarg + execlen + x) = ' ';
58375 + }
58376 +
58377 + execlen += len;
58378 + *(grarg + execlen) = ' ';
58379 + *(grarg + execlen + 1) = '\0';
58380 + execlen++;
58381 + }
58382 +
58383 + log:
58384 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58385 + bprm->file->f_path.mnt, grarg);
58386 + mutex_unlock(&gr_exec_arg_mutex);
58387 +#endif
58388 + return;
58389 +}
58390 +
58391 +#ifdef CONFIG_COMPAT
58392 +void
58393 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58394 +{
58395 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58396 + char *grarg = gr_exec_arg_buf;
58397 + unsigned int i, x, execlen = 0;
58398 + char c;
58399 +
58400 + if (!((grsec_enable_execlog && grsec_enable_group &&
58401 + in_group_p(grsec_audit_gid))
58402 + || (grsec_enable_execlog && !grsec_enable_group)))
58403 + return;
58404 +
58405 + mutex_lock(&gr_exec_arg_mutex);
58406 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58407 +
58408 + if (unlikely(argv == NULL))
58409 + goto log;
58410 +
58411 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58412 + compat_uptr_t p;
58413 + unsigned int len;
58414 +
58415 + if (get_user(p, argv + i))
58416 + goto log;
58417 + len = strnlen_user(compat_ptr(p), 128 - execlen);
58418 + if (len > 128 - execlen)
58419 + len = 128 - execlen;
58420 + else if (len > 0)
58421 + len--;
58422 + else
58423 + goto log;
58424 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58425 + goto log;
58426 +
58427 + /* rewrite unprintable characters */
58428 + for (x = 0; x < len; x++) {
58429 + c = *(grarg + execlen + x);
58430 + if (c < 32 || c > 126)
58431 + *(grarg + execlen + x) = ' ';
58432 + }
58433 +
58434 + execlen += len;
58435 + *(grarg + execlen) = ' ';
58436 + *(grarg + execlen + 1) = '\0';
58437 + execlen++;
58438 + }
58439 +
58440 + log:
58441 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58442 + bprm->file->f_path.mnt, grarg);
58443 + mutex_unlock(&gr_exec_arg_mutex);
58444 +#endif
58445 + return;
58446 +}
58447 +#endif
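Review bot: gr_handle_exec_args and gr_handle_exec_args_compat have drifted apart in how they treat a `strnlen_user()` result of 0, which is what it returns on a fault. The compat copy has `else goto log;` after `len--`, but the native copy does not, so for a faulting non-NULL argument pointer it appends a space and keeps walking argv until `execlen` reaches 128. That stays inside `gr_exec_arg_buf` (the last writes land at offsets 128 and 129 of 132), but the audit record then differs between native and compat callers for the same input. Adding `else goto log;` to the native loop, or moving the copy-and-sanitise loop into one static helper used by both, would keep them in step. The limit 128 is also repeated as a literal throughout both loops; deriving it from `sizeof(gr_exec_arg_buf)` would tie it to the buffer.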
58448 diff -urNp linux-2.6.39.3/grsecurity/grsec_fifo.c linux-2.6.39.3/grsecurity/grsec_fifo.c
58449 --- linux-2.6.39.3/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
58450 +++ linux-2.6.39.3/grsecurity/grsec_fifo.c 2011-05-22 19:41:42.000000000 -0400
58451 @@ -0,0 +1,24 @@
58452 +#include <linux/kernel.h>
58453 +#include <linux/sched.h>
58454 +#include <linux/fs.h>
58455 +#include <linux/file.h>
58456 +#include <linux/grinternal.h>
58457 +
58458 +int
58459 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
58460 + const struct dentry *dir, const int flag, const int acc_mode)
58461 +{
58462 +#ifdef CONFIG_GRKERNSEC_FIFO
58463 + const struct cred *cred = current_cred();
58464 +
58465 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
58466 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
58467 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
58468 + (cred->fsuid != dentry->d_inode->i_uid)) {
58469 + if (!inode_permission(dentry->d_inode, acc_mode))
58470 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
58471 + return -EACCES;
58472 + }
58473 +#endif
58474 + return 0;
58475 +}
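Review bot: In gr_handle_fifo the inner `if (!inode_permission(dentry->d_inode, acc_mode))` guards only the gr_log_fs_int2() call, and `return -EACCES;` follows unconditionally, which is easy to misread because the inner `if` has no braces. Bracing the log call and adding a comment such as `/* always deny; log only when the open would otherwise have succeeded */` would make the intent explicit. The function also dereferences `dentry->d_inode` and `dir->d_inode` without a NULL test, so it relies on the caller passing positive dentries. That precondition is not visible in this hunk and is worth a line in a header comment.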
58476 diff -urNp linux-2.6.39.3/grsecurity/grsec_fork.c linux-2.6.39.3/grsecurity/grsec_fork.c
58477 --- linux-2.6.39.3/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
58478 +++ linux-2.6.39.3/grsecurity/grsec_fork.c 2011-05-22 19:41:42.000000000 -0400
58479 @@ -0,0 +1,23 @@
58480 +#include <linux/kernel.h>
58481 +#include <linux/sched.h>
58482 +#include <linux/grsecurity.h>
58483 +#include <linux/grinternal.h>
58484 +#include <linux/errno.h>
58485 +
58486 +void
58487 +gr_log_forkfail(const int retval)
58488 +{
58489 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58490 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
58491 + switch (retval) {
58492 + case -EAGAIN:
58493 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
58494 + break;
58495 + case -ENOMEM:
58496 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
58497 + break;
58498 + }
58499 + }
58500 +#endif
58501 + return;
58502 +}
58503 diff -urNp linux-2.6.39.3/grsecurity/grsec_init.c linux-2.6.39.3/grsecurity/grsec_init.c
58504 --- linux-2.6.39.3/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
58505 +++ linux-2.6.39.3/grsecurity/grsec_init.c 2011-06-29 19:35:59.000000000 -0400
58506 @@ -0,0 +1,273 @@
58507 +#include <linux/kernel.h>
58508 +#include <linux/sched.h>
58509 +#include <linux/mm.h>
58510 +#include <linux/gracl.h>
58511 +#include <linux/slab.h>
58512 +#include <linux/vmalloc.h>
58513 +#include <linux/percpu.h>
58514 +#include <linux/module.h>
58515 +
58516 +int grsec_enable_brute;
58517 +int grsec_enable_link;
58518 +int grsec_enable_dmesg;
58519 +int grsec_enable_harden_ptrace;
58520 +int grsec_enable_fifo;
58521 +int grsec_enable_execve;
58522 +int grsec_enable_execlog;
58523 +int grsec_enable_signal;
58524 +int grsec_enable_forkfail;
58525 +int grsec_enable_audit_ptrace;
58526 +int grsec_enable_time;
58527 +int grsec_enable_audit_textrel;
58528 +int grsec_enable_group;
58529 +int grsec_audit_gid;
58530 +int grsec_enable_chdir;
58531 +int grsec_enable_mount;
58532 +int grsec_enable_rofs;
58533 +int grsec_enable_chroot_findtask;
58534 +int grsec_enable_chroot_mount;
58535 +int grsec_enable_chroot_shmat;
58536 +int grsec_enable_chroot_fchdir;
58537 +int grsec_enable_chroot_double;
58538 +int grsec_enable_chroot_pivot;
58539 +int grsec_enable_chroot_chdir;
58540 +int grsec_enable_chroot_chmod;
58541 +int grsec_enable_chroot_mknod;
58542 +int grsec_enable_chroot_nice;
58543 +int grsec_enable_chroot_execlog;
58544 +int grsec_enable_chroot_caps;
58545 +int grsec_enable_chroot_sysctl;
58546 +int grsec_enable_chroot_unix;
58547 +int grsec_enable_tpe;
58548 +int grsec_tpe_gid;
58549 +int grsec_enable_blackhole;
58550 +#ifdef CONFIG_IPV6_MODULE
58551 +EXPORT_SYMBOL(grsec_enable_blackhole);
58552 +#endif
58553 +int grsec_lastack_retries;
58554 +int grsec_enable_tpe_all;
58555 +int grsec_enable_tpe_invert;
58556 +int grsec_enable_socket_all;
58557 +int grsec_socket_all_gid;
58558 +int grsec_enable_socket_client;
58559 +int grsec_socket_client_gid;
58560 +int grsec_enable_socket_server;
58561 +int grsec_socket_server_gid;
58562 +int grsec_resource_logging;
58563 +int grsec_disable_privio;
58564 +int grsec_enable_log_rwxmaps;
58565 +int grsec_lock;
58566 +
58567 +DEFINE_SPINLOCK(grsec_alert_lock);
58568 +unsigned long grsec_alert_wtime = 0;
58569 +unsigned long grsec_alert_fyet = 0;
58570 +
58571 +DEFINE_SPINLOCK(grsec_audit_lock);
58572 +
58573 +DEFINE_RWLOCK(grsec_exec_file_lock);
58574 +
58575 +char *gr_shared_page[4];
58576 +
58577 +char *gr_alert_log_fmt;
58578 +char *gr_audit_log_fmt;
58579 +char *gr_alert_log_buf;
58580 +char *gr_audit_log_buf;
58581 +
58582 +extern struct gr_arg *gr_usermode;
58583 +extern unsigned char *gr_system_salt;
58584 +extern unsigned char *gr_system_sum;
58585 +
58586 +void __init
58587 +grsecurity_init(void)
58588 +{
58589 + int j;
58590 + /* create the per-cpu shared pages */
58591 +
58592 +#ifdef CONFIG_X86
58593 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
58594 +#endif
58595 +
58596 + for (j = 0; j < 4; j++) {
58597 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
58598 + if (gr_shared_page[j] == NULL) {
58599 + panic("Unable to allocate grsecurity shared page");
58600 + return;
58601 + }
58602 + }
58603 +
58604 + /* allocate log buffers */
58605 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
58606 + if (!gr_alert_log_fmt) {
58607 + panic("Unable to allocate grsecurity alert log format buffer");
58608 + return;
58609 + }
58610 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
58611 + if (!gr_audit_log_fmt) {
58612 + panic("Unable to allocate grsecurity audit log format buffer");
58613 + return;
58614 + }
58615 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58616 + if (!gr_alert_log_buf) {
58617 + panic("Unable to allocate grsecurity alert log buffer");
58618 + return;
58619 + }
58620 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
58621 + if (!gr_audit_log_buf) {
58622 + panic("Unable to allocate grsecurity audit log buffer");
58623 + return;
58624 + }
58625 +
58626 + /* allocate memory for authentication structure */
58627 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
58628 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
58629 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
58630 +
58631 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
58632 + panic("Unable to allocate grsecurity authentication structure");
58633 + return;
58634 + }
58635 +
58636 +
58637 +#ifdef CONFIG_GRKERNSEC_IO
58638 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
58639 + grsec_disable_privio = 1;
58640 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58641 + grsec_disable_privio = 1;
58642 +#else
58643 + grsec_disable_privio = 0;
58644 +#endif
58645 +#endif
58646 +
58647 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58648 + /* for backward compatibility, tpe_invert always defaults to on if
58649 + enabled in the kernel
58650 + */
58651 + grsec_enable_tpe_invert = 1;
58652 +#endif
58653 +
58654 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
58655 +#ifndef CONFIG_GRKERNSEC_SYSCTL
58656 + grsec_lock = 1;
58657 +#endif
58658 +
58659 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58660 + grsec_enable_audit_textrel = 1;
58661 +#endif
58662 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58663 + grsec_enable_log_rwxmaps = 1;
58664 +#endif
58665 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58666 + grsec_enable_group = 1;
58667 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
58668 +#endif
58669 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58670 + grsec_enable_chdir = 1;
58671 +#endif
58672 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58673 + grsec_enable_harden_ptrace = 1;
58674 +#endif
58675 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58676 + grsec_enable_mount = 1;
58677 +#endif
58678 +#ifdef CONFIG_GRKERNSEC_LINK
58679 + grsec_enable_link = 1;
58680 +#endif
58681 +#ifdef CONFIG_GRKERNSEC_BRUTE
58682 + grsec_enable_brute = 1;
58683 +#endif
58684 +#ifdef CONFIG_GRKERNSEC_DMESG
58685 + grsec_enable_dmesg = 1;
58686 +#endif
58687 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58688 + grsec_enable_blackhole = 1;
58689 + grsec_lastack_retries = 4;
58690 +#endif
58691 +#ifdef CONFIG_GRKERNSEC_FIFO
58692 + grsec_enable_fifo = 1;
58693 +#endif
58694 +#ifdef CONFIG_GRKERNSEC_EXECVE
58695 + grsec_enable_execve = 1;
58696 +#endif
58697 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58698 + grsec_enable_execlog = 1;
58699 +#endif
58700 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58701 + grsec_enable_signal = 1;
58702 +#endif
58703 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58704 + grsec_enable_forkfail = 1;
58705 +#endif
58706 +#ifdef CONFIG_GRKERNSEC_TIME
58707 + grsec_enable_time = 1;
58708 +#endif
58709 +#ifdef CONFIG_GRKERNSEC_RESLOG
58710 + grsec_resource_logging = 1;
58711 +#endif
58712 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58713 + grsec_enable_chroot_findtask = 1;
58714 +#endif
58715 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58716 + grsec_enable_chroot_unix = 1;
58717 +#endif
58718 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58719 + grsec_enable_chroot_mount = 1;
58720 +#endif
58721 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58722 + grsec_enable_chroot_fchdir = 1;
58723 +#endif
58724 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58725 + grsec_enable_chroot_shmat = 1;
58726 +#endif
58727 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58728 + grsec_enable_audit_ptrace = 1;
58729 +#endif
58730 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58731 + grsec_enable_chroot_double = 1;
58732 +#endif
58733 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58734 + grsec_enable_chroot_pivot = 1;
58735 +#endif
58736 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58737 + grsec_enable_chroot_chdir = 1;
58738 +#endif
58739 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58740 + grsec_enable_chroot_chmod = 1;
58741 +#endif
58742 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58743 + grsec_enable_chroot_mknod = 1;
58744 +#endif
58745 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58746 + grsec_enable_chroot_nice = 1;
58747 +#endif
58748 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58749 + grsec_enable_chroot_execlog = 1;
58750 +#endif
58751 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58752 + grsec_enable_chroot_caps = 1;
58753 +#endif
58754 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58755 + grsec_enable_chroot_sysctl = 1;
58756 +#endif
58757 +#ifdef CONFIG_GRKERNSEC_TPE
58758 + grsec_enable_tpe = 1;
58759 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
58760 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58761 + grsec_enable_tpe_all = 1;
58762 +#endif
58763 +#endif
58764 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58765 + grsec_enable_socket_all = 1;
58766 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
58767 +#endif
58768 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58769 + grsec_enable_socket_client = 1;
58770 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
58771 +#endif
58772 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58773 + grsec_enable_socket_server = 1;
58774 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
58775 +#endif
58776 +#endif
58777 +
58778 + return;
58779 +}
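Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at the top of grsecurity_init() writes to a fixed low address using two unexplained constants, and the comment directly above it (`/* create the per-cpu shared pages */`) describes the `for` loop further down, not this line. The range looks like the BIOS data area keyboard buffer (head/tail pointers at 0x41a, 32-byte ring at 0x41e), presumably wiped so pre-boot keystrokes such as a boot or disk password do not stay readable in memory. That should be confirmed and recorded, e.g. `/* wipe the BIOS keyboard buffer (0x41a-0x43d) so pre-boot keystrokes do not linger */`, with the shared-pages comment moved down to the loop. The `return;` after each `panic()` is unreachable and can be dropped.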
58780 diff -urNp linux-2.6.39.3/grsecurity/grsec_link.c linux-2.6.39.3/grsecurity/grsec_link.c
58781 --- linux-2.6.39.3/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
58782 +++ linux-2.6.39.3/grsecurity/grsec_link.c 2011-05-22 19:41:42.000000000 -0400
58783 @@ -0,0 +1,43 @@
58784 +#include <linux/kernel.h>
58785 +#include <linux/sched.h>
58786 +#include <linux/fs.h>
58787 +#include <linux/file.h>
58788 +#include <linux/grinternal.h>
58789 +
58790 +int
58791 +gr_handle_follow_link(const struct inode *parent,
58792 + const struct inode *inode,
58793 + const struct dentry *dentry, const struct vfsmount *mnt)
58794 +{
58795 +#ifdef CONFIG_GRKERNSEC_LINK
58796 + const struct cred *cred = current_cred();
58797 +
58798 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
58799 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
58800 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
58801 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
58802 + return -EACCES;
58803 + }
58804 +#endif
58805 + return 0;
58806 +}
58807 +
58808 +int
58809 +gr_handle_hardlink(const struct dentry *dentry,
58810 + const struct vfsmount *mnt,
58811 + struct inode *inode, const int mode, const char *to)
58812 +{
58813 +#ifdef CONFIG_GRKERNSEC_LINK
58814 + const struct cred *cred = current_cred();
58815 +
58816 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
58817 + (!S_ISREG(mode) || (mode & S_ISUID) ||
58818 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
58819 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
58820 + !capable(CAP_FOWNER) && cred->uid) {
58821 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
58822 + return -EPERM;
58823 + }
58824 +#endif
58825 + return 0;
58826 +}
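Review bot: Neither check states the policy it enforces, and both conditions are dense enough that a later edit could weaken them without anyone noticing. For gr_handle_follow_link() I would add `/* deny following a symlink in a sticky, world-writable directory unless the link is owned by the directory owner or by the caller's fsuid */`. For gr_handle_hardlink() I would add `/* non-owners may only hard-link regular, non-setuid, non-setgid-executable files they can read and write; CAP_FOWNER and uid 0 are exempt */`, noting that `inode_permission()` returns non-zero on denial. In gr_handle_hardlink() the type and setuid/setgid tests read `mode` while ownership is read from `inode`, so the comment should also say that callers must pass the target's own `i_mode`; this hunk cannot confirm that they do.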
58827 diff -urNp linux-2.6.39.3/grsecurity/grsec_log.c linux-2.6.39.3/grsecurity/grsec_log.c
58828 --- linux-2.6.39.3/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
58829 +++ linux-2.6.39.3/grsecurity/grsec_log.c 2011-05-22 19:41:42.000000000 -0400
58830 @@ -0,0 +1,310 @@
58831 +#include <linux/kernel.h>
58832 +#include <linux/sched.h>
58833 +#include <linux/file.h>
58834 +#include <linux/tty.h>
58835 +#include <linux/fs.h>
58836 +#include <linux/grinternal.h>
58837 +
58838 +#ifdef CONFIG_TREE_PREEMPT_RCU
58839 +#define DISABLE_PREEMPT() preempt_disable()
58840 +#define ENABLE_PREEMPT() preempt_enable()
58841 +#else
58842 +#define DISABLE_PREEMPT()
58843 +#define ENABLE_PREEMPT()
58844 +#endif
58845 +
58846 +#define BEGIN_LOCKS(x) \
58847 + DISABLE_PREEMPT(); \
58848 + rcu_read_lock(); \
58849 + read_lock(&tasklist_lock); \
58850 + read_lock(&grsec_exec_file_lock); \
58851 + if (x != GR_DO_AUDIT) \
58852 + spin_lock(&grsec_alert_lock); \
58853 + else \
58854 + spin_lock(&grsec_audit_lock)
58855 +
58856 +#define END_LOCKS(x) \
58857 + if (x != GR_DO_AUDIT) \
58858 + spin_unlock(&grsec_alert_lock); \
58859 + else \
58860 + spin_unlock(&grsec_audit_lock); \
58861 + read_unlock(&grsec_exec_file_lock); \
58862 + read_unlock(&tasklist_lock); \
58863 + rcu_read_unlock(); \
58864 + ENABLE_PREEMPT(); \
58865 + if (x == GR_DONT_AUDIT) \
58866 + gr_handle_alertkill(current)
58867 +
58868 +enum {
58869 + FLOODING,
58870 + NO_FLOODING
58871 +};
58872 +
58873 +extern char *gr_alert_log_fmt;
58874 +extern char *gr_audit_log_fmt;
58875 +extern char *gr_alert_log_buf;
58876 +extern char *gr_audit_log_buf;
58877 +
58878 +static int gr_log_start(int audit)
58879 +{
58880 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
58881 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
58882 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58883 +
58884 + if (audit == GR_DO_AUDIT)
58885 + goto set_fmt;
58886 +
58887 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
58888 + grsec_alert_wtime = jiffies;
58889 + grsec_alert_fyet = 0;
58890 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
58891 + grsec_alert_fyet++;
58892 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
58893 + grsec_alert_wtime = jiffies;
58894 + grsec_alert_fyet++;
58895 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
58896 + return FLOODING;
58897 + } else return FLOODING;
58898 +
58899 +set_fmt:
58900 + memset(buf, 0, PAGE_SIZE);
58901 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
58902 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
58903 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58904 + } else if (current->signal->curr_ip) {
58905 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
58906 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58907 + } else if (gr_acl_is_enabled()) {
58908 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
58909 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58910 + } else {
58911 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
58912 + strcpy(buf, fmt);
58913 + }
58914 +
58915 + return NO_FLOODING;
58916 +}
58917 +
58918 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58919 + __attribute__ ((format (printf, 2, 0)));
58920 +
58921 +static void gr_log_middle(int audit, const char *msg, va_list ap)
58922 +{
58923 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58924 + unsigned int len = strlen(buf);
58925 +
58926 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58927 +
58928 + return;
58929 +}
58930 +
58931 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58932 + __attribute__ ((format (printf, 2, 3)));
58933 +
58934 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
58935 +{
58936 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58937 + unsigned int len = strlen(buf);
58938 + va_list ap;
58939 +
58940 + va_start(ap, msg);
58941 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
58942 + va_end(ap);
58943 +
58944 + return;
58945 +}
58946 +
58947 +static void gr_log_end(int audit)
58948 +{
58949 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
58950 + unsigned int len = strlen(buf);
58951 +
58952 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
58953 + printk("%s\n", buf);
58954 +
58955 + return;
58956 +}
58957 +
58958 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
58959 +{
58960 + int logtype;
58961 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
58962 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
58963 + void *voidptr = NULL;
58964 + int num1 = 0, num2 = 0;
58965 + unsigned long ulong1 = 0, ulong2 = 0;
58966 + struct dentry *dentry = NULL;
58967 + struct vfsmount *mnt = NULL;
58968 + struct file *file = NULL;
58969 + struct task_struct *task = NULL;
58970 + const struct cred *cred, *pcred;
58971 + va_list ap;
58972 +
58973 + BEGIN_LOCKS(audit);
58974 + logtype = gr_log_start(audit);
58975 + if (logtype == FLOODING) {
58976 + END_LOCKS(audit);
58977 + return;
58978 + }
58979 + va_start(ap, argtypes);
58980 + switch (argtypes) {
58981 + case GR_TTYSNIFF:
58982 + task = va_arg(ap, struct task_struct *);
58983 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
58984 + break;
58985 + case GR_SYSCTL_HIDDEN:
58986 + str1 = va_arg(ap, char *);
58987 + gr_log_middle_varargs(audit, msg, result, str1);
58988 + break;
58989 + case GR_RBAC:
58990 + dentry = va_arg(ap, struct dentry *);
58991 + mnt = va_arg(ap, struct vfsmount *);
58992 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
58993 + break;
58994 + case GR_RBAC_STR:
58995 + dentry = va_arg(ap, struct dentry *);
58996 + mnt = va_arg(ap, struct vfsmount *);
58997 + str1 = va_arg(ap, char *);
58998 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
58999 + break;
59000 + case GR_STR_RBAC:
59001 + str1 = va_arg(ap, char *);
59002 + dentry = va_arg(ap, struct dentry *);
59003 + mnt = va_arg(ap, struct vfsmount *);
59004 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
59005 + break;
59006 + case GR_RBAC_MODE2:
59007 + dentry = va_arg(ap, struct dentry *);
59008 + mnt = va_arg(ap, struct vfsmount *);
59009 + str1 = va_arg(ap, char *);
59010 + str2 = va_arg(ap, char *);
59011 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
59012 + break;
59013 + case GR_RBAC_MODE3:
59014 + dentry = va_arg(ap, struct dentry *);
59015 + mnt = va_arg(ap, struct vfsmount *);
59016 + str1 = va_arg(ap, char *);
59017 + str2 = va_arg(ap, char *);
59018 + str3 = va_arg(ap, char *);
59019 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
59020 + break;
59021 + case GR_FILENAME:
59022 + dentry = va_arg(ap, struct dentry *);
59023 + mnt = va_arg(ap, struct vfsmount *);
59024 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
59025 + break;
59026 + case GR_STR_FILENAME:
59027 + str1 = va_arg(ap, char *);
59028 + dentry = va_arg(ap, struct dentry *);
59029 + mnt = va_arg(ap, struct vfsmount *);
59030 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
59031 + break;
59032 + case GR_FILENAME_STR:
59033 + dentry = va_arg(ap, struct dentry *);
59034 + mnt = va_arg(ap, struct vfsmount *);
59035 + str1 = va_arg(ap, char *);
59036 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
59037 + break;
59038 + case GR_FILENAME_TWO_INT:
59039 + dentry = va_arg(ap, struct dentry *);
59040 + mnt = va_arg(ap, struct vfsmount *);
59041 + num1 = va_arg(ap, int);
59042 + num2 = va_arg(ap, int);
59043 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59044 + break;
59045 + case GR_FILENAME_TWO_INT_STR:
59046 + dentry = va_arg(ap, struct dentry *);
59047 + mnt = va_arg(ap, struct vfsmount *);
59048 + num1 = va_arg(ap, int);
59049 + num2 = va_arg(ap, int);
59050 + str1 = va_arg(ap, char *);
59051 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59052 + break;
59053 + case GR_TEXTREL:
59054 + file = va_arg(ap, struct file *);
59055 + ulong1 = va_arg(ap, unsigned long);
59056 + ulong2 = va_arg(ap, unsigned long);
59057 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59058 + break;
59059 + case GR_PTRACE:
59060 + task = va_arg(ap, struct task_struct *);
59061 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59062 + break;
59063 + case GR_RESOURCE:
59064 + task = va_arg(ap, struct task_struct *);
59065 + cred = __task_cred(task);
59066 + pcred = __task_cred(task->real_parent);
59067 + ulong1 = va_arg(ap, unsigned long);
59068 + str1 = va_arg(ap, char *);
59069 + ulong2 = va_arg(ap, unsigned long);
59070 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59071 + break;
59072 + case GR_CAP:
59073 + task = va_arg(ap, struct task_struct *);
59074 + cred = __task_cred(task);
59075 + pcred = __task_cred(task->real_parent);
59076 + str1 = va_arg(ap, char *);
59077 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59078 + break;
59079 + case GR_SIG:
59080 + str1 = va_arg(ap, char *);
59081 + voidptr = va_arg(ap, void *);
59082 + gr_log_middle_varargs(audit, msg, str1, voidptr);
59083 + break;
59084 + case GR_SIG2:
59085 + task = va_arg(ap, struct task_struct *);
59086 + cred = __task_cred(task);
59087 + pcred = __task_cred(task->real_parent);
59088 + num1 = va_arg(ap, int);
59089 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59090 + break;
59091 + case GR_CRASH1:
59092 + task = va_arg(ap, struct task_struct *);
59093 + cred = __task_cred(task);
59094 + pcred = __task_cred(task->real_parent);
59095 + ulong1 = va_arg(ap, unsigned long);
59096 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59097 + break;
59098 + case GR_CRASH2:
59099 + task = va_arg(ap, struct task_struct *);
59100 + cred = __task_cred(task);
59101 + pcred = __task_cred(task->real_parent);
59102 + ulong1 = va_arg(ap, unsigned long);
59103 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59104 + break;
59105 + case GR_RWXMAP:
59106 + file = va_arg(ap, struct file *);
59107 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59108 + break;
59109 + case GR_PSACCT:
59110 + {
59111 + unsigned int wday, cday;
59112 + __u8 whr, chr;
59113 + __u8 wmin, cmin;
59114 + __u8 wsec, csec;
59115 + char cur_tty[64] = { 0 };
59116 + char parent_tty[64] = { 0 };
59117 +
59118 + task = va_arg(ap, struct task_struct *);
59119 + wday = va_arg(ap, unsigned int);
59120 + cday = va_arg(ap, unsigned int);
59121 + whr = va_arg(ap, int);
59122 + chr = va_arg(ap, int);
59123 + wmin = va_arg(ap, int);
59124 + cmin = va_arg(ap, int);
59125 + wsec = va_arg(ap, int);
59126 + csec = va_arg(ap, int);
59127 + ulong1 = va_arg(ap, unsigned long);
59128 + cred = __task_cred(task);
59129 + pcred = __task_cred(task->real_parent);
59130 +
59131 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59132 + }
59133 + break;
59134 + default:
59135 + gr_log_middle(audit, msg, ap);
59136 + }
59137 + va_end(ap);
59138 + gr_log_end(audit);
59139 + END_LOCKS(audit);
59140 +}
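Review bot: BEGIN_LOCKS() and END_LOCKS() expand to several statements and finish on an unbraced `if`/`else`, so they are only correct where the call is already a complete statement inside braces. Under an unbraced `if`, only the first statement of the expansion would be conditional and the remaining lock or unlock calls would run regardless, leaving the lock state unbalanced. Both call sites visible in gr_log_varargs() are safe today. Wrapping each macro in `do { ... } while (0)` and parenthesising `x` removes the hazard without changing which locks are taken or their order.

```c
#define BEGIN_LOCKS(x) \
	do { \
		DISABLE_PREEMPT(); \
		rcu_read_lock(); \
		read_lock(&tasklist_lock); \
		read_lock(&grsec_exec_file_lock); \
		if ((x) != GR_DO_AUDIT) \
			spin_lock(&grsec_alert_lock); \
		else \
			spin_lock(&grsec_audit_lock); \
	} while (0)

#define END_LOCKS(x) \
	do { \
		if ((x) != GR_DO_AUDIT) \
			spin_unlock(&grsec_alert_lock); \
		else \
			spin_unlock(&grsec_audit_lock); \
		read_unlock(&grsec_exec_file_lock); \
		read_unlock(&tasklist_lock); \
		rcu_read_unlock(); \
		ENABLE_PREEMPT(); \
		if ((x) == GR_DONT_AUDIT) \
			gr_handle_alertkill(current); \
	} while (0)
```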
59141 diff -urNp linux-2.6.39.3/grsecurity/grsec_mem.c linux-2.6.39.3/grsecurity/grsec_mem.c
59142 --- linux-2.6.39.3/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59143 +++ linux-2.6.39.3/grsecurity/grsec_mem.c 2011-05-22 19:41:42.000000000 -0400
59144 @@ -0,0 +1,33 @@
59145 +#include <linux/kernel.h>
59146 +#include <linux/sched.h>
59147 +#include <linux/mm.h>
59148 +#include <linux/mman.h>
59149 +#include <linux/grinternal.h>
59150 +
59151 +void
59152 +gr_handle_ioperm(void)
59153 +{
59154 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59155 + return;
59156 +}
59157 +
59158 +void
59159 +gr_handle_iopl(void)
59160 +{
59161 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59162 + return;
59163 +}
59164 +
59165 +void
59166 +gr_handle_mem_readwrite(u64 from, u64 to)
59167 +{
59168 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59169 + return;
59170 +}
59171 +
59172 +void
59173 +gr_handle_vm86(void)
59174 +{
59175 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59176 + return;
59177 +}
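Review bot: The four gr_handle_*() functions in this file only emit a log record and return void, whereas gr_handle_follow_link() and gr_handle_hardlink() in grsec_link.c return an error code that blocks the operation. A one-line comment on each would stop a reader from assuming the call itself refuses anything, e.g. `/* log only; any denial must come from the caller */`. The trailing `return;` in each void function is redundant.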
59178 diff -urNp linux-2.6.39.3/grsecurity/grsec_mount.c linux-2.6.39.3/grsecurity/grsec_mount.c
59179 --- linux-2.6.39.3/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59180 +++ linux-2.6.39.3/grsecurity/grsec_mount.c 2011-06-20 19:46:18.000000000 -0400
59181 @@ -0,0 +1,62 @@
59182 +#include <linux/kernel.h>
59183 +#include <linux/sched.h>
59184 +#include <linux/mount.h>
59185 +#include <linux/grsecurity.h>
59186 +#include <linux/grinternal.h>
59187 +
59188 +void
59189 +gr_log_remount(const char *devname, const int retval)
59190 +{
59191 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59192 + if (grsec_enable_mount && (retval >= 0))
59193 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59194 +#endif
59195 + return;
59196 +}
59197 +
59198 +void
59199 +gr_log_unmount(const char *devname, const int retval)
59200 +{
59201 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59202 + if (grsec_enable_mount && (retval >= 0))
59203 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59204 +#endif
59205 + return;
59206 +}
59207 +
59208 +void
59209 +gr_log_mount(const char *from, const char *to, const int retval)
59210 +{
59211 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59212 + if (grsec_enable_mount && (retval >= 0))
59213 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59214 +#endif
59215 + return;
59216 +}
59217 +
59218 +int
59219 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59220 +{
59221 +#ifdef CONFIG_GRKERNSEC_ROFS
59222 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59223 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59224 + return -EPERM;
59225 + } else
59226 + return 0;
59227 +#endif
59228 + return 0;
59229 +}
59230 +
59231 +int
59232 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59233 +{
59234 +#ifdef CONFIG_GRKERNSEC_ROFS
59235 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59236 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59237 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59238 + return -EPERM;
59239 + } else
59240 + return 0;
59241 +#endif
59242 + return 0;
59243 +}
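Review bot: gr_handle_rofs_mount() and gr_handle_rofs_blockwrite() return -EPERM but log with `GR_DO_AUDIT`, the type the three gr_log_*mount() functions above use only when `retval >= 0`, i.e. for operations that succeeded. Going by gr_log_start() in grsec_log.c, that type is written at KERN_INFO and skips the alert flood limiter, so a refused attempt is recorded at lower severity than other denials and without rate limiting. If that is deliberate, a comment such as `/* denial is logged on the audit path on purpose */` should say so and give the reason; otherwise the alert type used by the other denials would fit. Separately, in both functions the `else return 0;` makes the final `return 0;` unreachable when CONFIG_GRKERNSEC_ROFS is set, so the `else` branch can be dropped.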
59244 diff -urNp linux-2.6.39.3/grsecurity/grsec_pax.c linux-2.6.39.3/grsecurity/grsec_pax.c
59245 --- linux-2.6.39.3/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59246 +++ linux-2.6.39.3/grsecurity/grsec_pax.c 2011-05-22 19:41:42.000000000 -0400
59247 @@ -0,0 +1,36 @@
59248 +#include <linux/kernel.h>
59249 +#include <linux/sched.h>
59250 +#include <linux/mm.h>
59251 +#include <linux/file.h>
59252 +#include <linux/grinternal.h>
59253 +#include <linux/grsecurity.h>
59254 +
59255 +void
59256 +gr_log_textrel(struct vm_area_struct * vma)
59257 +{
59258 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59259 + if (grsec_enable_audit_textrel)
59260 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59261 +#endif
59262 + return;
59263 +}
59264 +
59265 +void
59266 +gr_log_rwxmmap(struct file *file)
59267 +{
59268 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59269 + if (grsec_enable_log_rwxmaps)
59270 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59271 +#endif
59272 + return;
59273 +}
59274 +
59275 +void
59276 +gr_log_rwxmprotect(struct file *file)
59277 +{
59278 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59279 + if (grsec_enable_log_rwxmaps)
59280 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59281 +#endif
59282 + return;
59283 +}
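Review bot: gr_log_rwxmmap() and gr_log_rwxmprotect() pass `GR_DONT_AUDIT` while gr_log_textrel() passes `GR_DO_AUDIT`, and nothing here explains the difference. If gr_log_rwxmap() ends up in gr_log_varargs(), as the `GR_RWXMAP` case in grsec_log.c suggests, END_LOCKS() will call `gr_handle_alertkill(current)` for these two, which is more than the "log" in their names implies. A comment on each, e.g. `/* alert-class message: flood-limited and followed by gr_handle_alertkill() */`, would make that visible. Whether the side effect is intended cannot be judged from this hunk.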
59284 diff -urNp linux-2.6.39.3/grsecurity/grsec_ptrace.c linux-2.6.39.3/grsecurity/grsec_ptrace.c
59285 --- linux-2.6.39.3/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59286 +++ linux-2.6.39.3/grsecurity/grsec_ptrace.c 2011-05-22 19:41:42.000000000 -0400
59287 @@ -0,0 +1,14 @@
59288 +#include <linux/kernel.h>
59289 +#include <linux/sched.h>
59290 +#include <linux/grinternal.h>
59291 +#include <linux/grsecurity.h>
59292 +
59293 +void
59294 +gr_audit_ptrace(struct task_struct *task)
59295 +{
59296 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59297 + if (grsec_enable_audit_ptrace)
59298 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59299 +#endif
59300 + return;
59301 +}
59302 diff -urNp linux-2.6.39.3/grsecurity/grsec_sig.c linux-2.6.39.3/grsecurity/grsec_sig.c
59303 --- linux-2.6.39.3/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59304 +++ linux-2.6.39.3/grsecurity/grsec_sig.c 2011-06-29 19:40:46.000000000 -0400
59305 @@ -0,0 +1,206 @@
59306 +#include <linux/kernel.h>
59307 +#include <linux/sched.h>
59308 +#include <linux/delay.h>
59309 +#include <linux/grsecurity.h>
59310 +#include <linux/grinternal.h>
59311 +#include <linux/hardirq.h>
59312 +
59313 +char *signames[] = {
59314 + [SIGSEGV] = "Segmentation fault",
59315 + [SIGILL] = "Illegal instruction",
59316 + [SIGABRT] = "Abort",
59317 + [SIGBUS] = "Invalid alignment/Bus error"
59318 +};
59319 +
59320 +void
59321 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59322 +{
59323 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59324 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59325 + (sig == SIGABRT) || (sig == SIGBUS))) {
59326 + if (t->pid == current->pid) {
59327 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59328 + } else {
59329 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59330 + }
59331 + }
59332 +#endif
59333 + return;
59334 +}
59335 +
59336 +int
59337 +gr_handle_signal(const struct task_struct *p, const int sig)
59338 +{
59339 +#ifdef CONFIG_GRKERNSEC
59340 + if (current->pid > 1 && gr_check_protected_task(p)) {
59341 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59342 + return -EPERM;
59343 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59344 + return -EPERM;
59345 + }
59346 +#endif
59347 + return 0;
59348 +}
59349 +
59350 +#ifdef CONFIG_GRKERNSEC
59351 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59352 +
59353 +int gr_fake_force_sig(int sig, struct task_struct *t)
59354 +{
59355 + unsigned long int flags;
59356 + int ret, blocked, ignored;
59357 + struct k_sigaction *action;
59358 +
59359 + spin_lock_irqsave(&t->sighand->siglock, flags);
59360 + action = &t->sighand->action[sig-1];
59361 + ignored = action->sa.sa_handler == SIG_IGN;
59362 + blocked = sigismember(&t->blocked, sig);
59363 + if (blocked || ignored) {
59364 + action->sa.sa_handler = SIG_DFL;
59365 + if (blocked) {
59366 + sigdelset(&t->blocked, sig);
59367 + recalc_sigpending_and_wake(t);
59368 + }
59369 + }
59370 + if (action->sa.sa_handler == SIG_DFL)
59371 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
59372 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59373 +
59374 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
59375 +
59376 + return ret;
59377 +}
59378 +#endif
59379 +
59380 +#ifdef CONFIG_GRKERNSEC_BRUTE
59381 +#define GR_USER_BAN_TIME (15 * 60)
59382 +
59383 +static int __get_dumpable(unsigned long mm_flags)
59384 +{
59385 + int ret;
59386 +
59387 + ret = mm_flags & MMF_DUMPABLE_MASK;
59388 + return (ret >= 2) ? 2 : ret;
59389 +}
59390 +#endif
59391 +
59392 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59393 +{
59394 +#ifdef CONFIG_GRKERNSEC_BRUTE
59395 + uid_t uid = 0;
59396 +
59397 + if (!grsec_enable_brute)
59398 + return;
59399 +
59400 + rcu_read_lock();
59401 + read_lock(&tasklist_lock);
59402 + read_lock(&grsec_exec_file_lock);
59403 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
59404 + p->real_parent->brute = 1;
59405 + else {
59406 + const struct cred *cred = __task_cred(p), *cred2;
59407 + struct task_struct *tsk, *tsk2;
59408 +
59409 + if (!__get_dumpable(mm_flags) && cred->uid) {
59410 + struct user_struct *user;
59411 +
59412 + uid = cred->uid;
59413 +
59414 + /* this is put upon execution past expiration */
59415 + user = find_user(uid);
59416 + if (user == NULL)
59417 + goto unlock;
59418 + user->banned = 1;
59419 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
59420 + if (user->ban_expires == ~0UL)
59421 + user->ban_expires--;
59422 +
59423 + do_each_thread(tsk2, tsk) {
59424 + cred2 = __task_cred(tsk);
59425 + if (tsk != p && cred2->uid == uid)
59426 + gr_fake_force_sig(SIGKILL, tsk);
59427 + } while_each_thread(tsk2, tsk);
59428 + }
59429 + }
59430 +unlock:
59431 + read_unlock(&grsec_exec_file_lock);
59432 + read_unlock(&tasklist_lock);
59433 + rcu_read_unlock();
59434 +
59435 + if (uid)
59436 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
59437 +
59438 +#endif
59439 + return;
59440 +}
59441 +
59442 +void gr_handle_brute_check(void)
59443 +{
59444 +#ifdef CONFIG_GRKERNSEC_BRUTE
59445 + if (current->brute)
59446 + msleep(30 * 1000);
59447 +#endif
59448 + return;
59449 +}
59450 +
59451 +void gr_handle_kernel_exploit(void)
59452 +{
59453 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
59454 + const struct cred *cred;
59455 + struct task_struct *tsk, *tsk2;
59456 + struct user_struct *user;
59457 + uid_t uid;
59458 +
59459 + if (in_irq() || in_serving_softirq() || in_nmi())
59460 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
59461 +
59462 + uid = current_uid();
59463 +
59464 + if (uid == 0)
59465 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
59466 + else {
59467 + /* kill all the processes of this user, hold a reference
59468 + to their creds struct, and prevent them from creating
59469 + another process until system reset
59470 + */
59471 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
59472 + /* we intentionally leak this ref */
59473 + user = get_uid(current->cred->user);
59474 + if (user) {
59475 + user->banned = 1;
59476 + user->ban_expires = ~0UL;
59477 + }
59478 +
59479 + read_lock(&tasklist_lock);
59480 + do_each_thread(tsk2, tsk) {
59481 + cred = __task_cred(tsk);
59482 + if (cred->uid == uid)
59483 + gr_fake_force_sig(SIGKILL, tsk);
59484 + } while_each_thread(tsk2, tsk);
59485 + read_unlock(&tasklist_lock);
59486 + }
59487 +#endif
59488 +}
59489 +
59490 +int __gr_process_user_ban(struct user_struct *user)
59491 +{
59492 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59493 + if (unlikely(user->banned)) {
59494 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
59495 + user->banned = 0;
59496 + user->ban_expires = 0;
59497 + free_uid(user);
59498 + } else
59499 + return -EPERM;
59500 + }
59501 +#endif
59502 + return 0;
59503 +}
59504 +
59505 +int gr_process_user_ban(void)
59506 +{
59507 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59508 + return __gr_process_user_ban(current->cred->user);
59509 +#endif
59510 + return 0;
59511 +}
59512 diff -urNp linux-2.6.39.3/grsecurity/grsec_sock.c linux-2.6.39.3/grsecurity/grsec_sock.c
59513 --- linux-2.6.39.3/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
59514 +++ linux-2.6.39.3/grsecurity/grsec_sock.c 2011-05-22 20:29:21.000000000 -0400
59515 @@ -0,0 +1,244 @@
59516 +#include <linux/kernel.h>
59517 +#include <linux/module.h>
59518 +#include <linux/sched.h>
59519 +#include <linux/file.h>
59520 +#include <linux/net.h>
59521 +#include <linux/in.h>
59522 +#include <linux/ip.h>
59523 +#include <net/sock.h>
59524 +#include <net/inet_sock.h>
59525 +#include <linux/grsecurity.h>
59526 +#include <linux/grinternal.h>
59527 +#include <linux/gracl.h>
59528 +
59529 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
59530 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
59531 +
59532 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
59533 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
59534 +
59535 +#ifdef CONFIG_UNIX_MODULE
59536 +EXPORT_SYMBOL(gr_acl_handle_unix);
59537 +EXPORT_SYMBOL(gr_acl_handle_mknod);
59538 +EXPORT_SYMBOL(gr_handle_chroot_unix);
59539 +EXPORT_SYMBOL(gr_handle_create);
59540 +#endif
59541 +
59542 +#ifdef CONFIG_GRKERNSEC
59543 +#define gr_conn_table_size 32749
59544 +struct conn_table_entry {
59545 + struct conn_table_entry *next;
59546 + struct signal_struct *sig;
59547 +};
59548 +
59549 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
59550 +DEFINE_SPINLOCK(gr_conn_table_lock);
59551 +
59552 +extern const char * gr_socktype_to_name(unsigned char type);
59553 +extern const char * gr_proto_to_name(unsigned char proto);
59554 +extern const char * gr_sockfamily_to_name(unsigned char family);
59555 +
59556 +static __inline__ int
59557 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
59558 +{
59559 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
59560 +}
59561 +
59562 +static __inline__ int
59563 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
59564 + __u16 sport, __u16 dport)
59565 +{
59566 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
59567 + sig->gr_sport == sport && sig->gr_dport == dport))
59568 + return 1;
59569 + else
59570 + return 0;
59571 +}
59572 +
59573 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
59574 +{
59575 + struct conn_table_entry **match;
59576 + unsigned int index;
59577 +
59578 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59579 + sig->gr_sport, sig->gr_dport,
59580 + gr_conn_table_size);
59581 +
59582 + newent->sig = sig;
59583 +
59584 + match = &gr_conn_table[index];
59585 + newent->next = *match;
59586 + *match = newent;
59587 +
59588 + return;
59589 +}
59590 +
59591 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
59592 +{
59593 + struct conn_table_entry *match, *last = NULL;
59594 + unsigned int index;
59595 +
59596 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
59597 + sig->gr_sport, sig->gr_dport,
59598 + gr_conn_table_size);
59599 +
59600 + match = gr_conn_table[index];
59601 + while (match && !conn_match(match->sig,
59602 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
59603 + sig->gr_dport)) {
59604 + last = match;
59605 + match = match->next;
59606 + }
59607 +
59608 + if (match) {
59609 + if (last)
59610 + last->next = match->next;
59611 + else
59612 + gr_conn_table[index] = NULL;
59613 + kfree(match);
59614 + }
59615 +
59616 + return;
59617 +}
59618 +
59619 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
59620 + __u16 sport, __u16 dport)
59621 +{
59622 + struct conn_table_entry *match;
59623 + unsigned int index;
59624 +
59625 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
59626 +
59627 + match = gr_conn_table[index];
59628 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
59629 + match = match->next;
59630 +
59631 + if (match)
59632 + return match->sig;
59633 + else
59634 + return NULL;
59635 +}
59636 +
59637 +#endif
59638 +
59639 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
59640 +{
59641 +#ifdef CONFIG_GRKERNSEC
59642 + struct signal_struct *sig = task->signal;
59643 + struct conn_table_entry *newent;
59644 +
59645 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
59646 + if (newent == NULL)
59647 + return;
59648 + /* no bh lock needed since we are called with bh disabled */
59649 + spin_lock(&gr_conn_table_lock);
59650 + gr_del_task_from_ip_table_nolock(sig);
59651 + sig->gr_saddr = inet->inet_rcv_saddr;
59652 + sig->gr_daddr = inet->inet_daddr;
59653 + sig->gr_sport = inet->inet_sport;
59654 + sig->gr_dport = inet->inet_dport;
59655 + gr_add_to_task_ip_table_nolock(sig, newent);
59656 + spin_unlock(&gr_conn_table_lock);
59657 +#endif
59658 + return;
59659 +}
59660 +
59661 +void gr_del_task_from_ip_table(struct task_struct *task)
59662 +{
59663 +#ifdef CONFIG_GRKERNSEC
59664 + spin_lock_bh(&gr_conn_table_lock);
59665 + gr_del_task_from_ip_table_nolock(task->signal);
59666 + spin_unlock_bh(&gr_conn_table_lock);
59667 +#endif
59668 + return;
59669 +}
59670 +
59671 +void
59672 +gr_attach_curr_ip(const struct sock *sk)
59673 +{
59674 +#ifdef CONFIG_GRKERNSEC
59675 + struct signal_struct *p, *set;
59676 + const struct inet_sock *inet = inet_sk(sk);
59677 +
59678 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
59679 + return;
59680 +
59681 + set = current->signal;
59682 +
59683 + spin_lock_bh(&gr_conn_table_lock);
59684 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
59685 + inet->inet_dport, inet->inet_sport);
59686 + if (unlikely(p != NULL)) {
59687 + set->curr_ip = p->curr_ip;
59688 + set->used_accept = 1;
59689 + gr_del_task_from_ip_table_nolock(p);
59690 + spin_unlock_bh(&gr_conn_table_lock);
59691 + return;
59692 + }
59693 + spin_unlock_bh(&gr_conn_table_lock);
59694 +
59695 + set->curr_ip = inet->inet_daddr;
59696 + set->used_accept = 1;
59697 +#endif
59698 + return;
59699 +}
59700 +
59701 +int
59702 +gr_handle_sock_all(const int family, const int type, const int protocol)
59703 +{
59704 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59705 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
59706 + (family != AF_UNIX)) {
59707 + if (family == AF_INET)
59708 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
59709 + else
59710 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
59711 + return -EACCES;
59712 + }
59713 +#endif
59714 + return 0;
59715 +}
59716 +
59717 +int
59718 +gr_handle_sock_server(const struct sockaddr *sck)
59719 +{
59720 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59721 + if (grsec_enable_socket_server &&
59722 + in_group_p(grsec_socket_server_gid) &&
59723 + sck && (sck->sa_family != AF_UNIX) &&
59724 + (sck->sa_family != AF_LOCAL)) {
59725 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59726 + return -EACCES;
59727 + }
59728 +#endif
59729 + return 0;
59730 +}
59731 +
59732 +int
59733 +gr_handle_sock_server_other(const struct sock *sck)
59734 +{
59735 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59736 + if (grsec_enable_socket_server &&
59737 + in_group_p(grsec_socket_server_gid) &&
59738 + sck && (sck->sk_family != AF_UNIX) &&
59739 + (sck->sk_family != AF_LOCAL)) {
59740 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
59741 + return -EACCES;
59742 + }
59743 +#endif
59744 + return 0;
59745 +}
59746 +
59747 +int
59748 +gr_handle_sock_client(const struct sockaddr *sck)
59749 +{
59750 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59751 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
59752 + sck && (sck->sa_family != AF_UNIX) &&
59753 + (sck->sa_family != AF_LOCAL)) {
59754 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
59755 + return -EACCES;
59756 + }
59757 +#endif
59758 + return 0;
59759 +}
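Review bot: In `gr_del_task_from_ip_table_nolock`, removing the first entry of a bucket sets `gr_conn_table[index] = NULL`, which also unlinks every entry chained behind it. Those entries are never freed, and `gr_lookup_task_ip_table` can no longer find them. The head case should relink the chain the same way the `last` case does: `gr_conn_table[index] = match->next;`. Separately, `conn_hash` evaluates `dport << 16` on a `__u16` promoted to `int`, so ports at or above 0x8000 shift into the sign bit; `((__u32)dport << 16)` keeps the arithmetic unsigned.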
59760 diff -urNp linux-2.6.39.3/grsecurity/grsec_sysctl.c linux-2.6.39.3/grsecurity/grsec_sysctl.c
59761 --- linux-2.6.39.3/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
59762 +++ linux-2.6.39.3/grsecurity/grsec_sysctl.c 2011-06-29 19:38:04.000000000 -0400
59763 @@ -0,0 +1,442 @@
59764 +#include <linux/kernel.h>
59765 +#include <linux/sched.h>
59766 +#include <linux/sysctl.h>
59767 +#include <linux/grsecurity.h>
59768 +#include <linux/grinternal.h>
59769 +
59770 +int
59771 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
59772 +{
59773 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59774 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
59775 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
59776 + return -EACCES;
59777 + }
59778 +#endif
59779 + return 0;
59780 +}
59781 +
59782 +#ifdef CONFIG_GRKERNSEC_ROFS
59783 +static int __maybe_unused one = 1;
59784 +#endif
59785 +
59786 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
59787 +struct ctl_table grsecurity_table[] = {
59788 +#ifdef CONFIG_GRKERNSEC_SYSCTL
59789 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
59790 +#ifdef CONFIG_GRKERNSEC_IO
59791 + {
59792 + .procname = "disable_priv_io",
59793 + .data = &grsec_disable_privio,
59794 + .maxlen = sizeof(int),
59795 + .mode = 0600,
59796 + .proc_handler = &proc_dointvec,
59797 + },
59798 +#endif
59799 +#endif
59800 +#ifdef CONFIG_GRKERNSEC_LINK
59801 + {
59802 + .procname = "linking_restrictions",
59803 + .data = &grsec_enable_link,
59804 + .maxlen = sizeof(int),
59805 + .mode = 0600,
59806 + .proc_handler = &proc_dointvec,
59807 + },
59808 +#endif
59809 +#ifdef CONFIG_GRKERNSEC_BRUTE
59810 + {
59811 + .procname = "deter_bruteforce",
59812 + .data = &grsec_enable_brute,
59813 + .maxlen = sizeof(int),
59814 + .mode = 0600,
59815 + .proc_handler = &proc_dointvec,
59816 + },
59817 +#endif
59818 +#ifdef CONFIG_GRKERNSEC_FIFO
59819 + {
59820 + .procname = "fifo_restrictions",
59821 + .data = &grsec_enable_fifo,
59822 + .maxlen = sizeof(int),
59823 + .mode = 0600,
59824 + .proc_handler = &proc_dointvec,
59825 + },
59826 +#endif
59827 +#ifdef CONFIG_GRKERNSEC_EXECVE
59828 + {
59829 + .procname = "execve_limiting",
59830 + .data = &grsec_enable_execve,
59831 + .maxlen = sizeof(int),
59832 + .mode = 0600,
59833 + .proc_handler = &proc_dointvec,
59834 + },
59835 +#endif
59836 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59837 + {
59838 + .procname = "ip_blackhole",
59839 + .data = &grsec_enable_blackhole,
59840 + .maxlen = sizeof(int),
59841 + .mode = 0600,
59842 + .proc_handler = &proc_dointvec,
59843 + },
59844 + {
59845 + .procname = "lastack_retries",
59846 + .data = &grsec_lastack_retries,
59847 + .maxlen = sizeof(int),
59848 + .mode = 0600,
59849 + .proc_handler = &proc_dointvec,
59850 + },
59851 +#endif
59852 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59853 + {
59854 + .procname = "exec_logging",
59855 + .data = &grsec_enable_execlog,
59856 + .maxlen = sizeof(int),
59857 + .mode = 0600,
59858 + .proc_handler = &proc_dointvec,
59859 + },
59860 +#endif
59861 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59862 + {
59863 + .procname = "rwxmap_logging",
59864 + .data = &grsec_enable_log_rwxmaps,
59865 + .maxlen = sizeof(int),
59866 + .mode = 0600,
59867 + .proc_handler = &proc_dointvec,
59868 + },
59869 +#endif
59870 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59871 + {
59872 + .procname = "signal_logging",
59873 + .data = &grsec_enable_signal,
59874 + .maxlen = sizeof(int),
59875 + .mode = 0600,
59876 + .proc_handler = &proc_dointvec,
59877 + },
59878 +#endif
59879 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59880 + {
59881 + .procname = "forkfail_logging",
59882 + .data = &grsec_enable_forkfail,
59883 + .maxlen = sizeof(int),
59884 + .mode = 0600,
59885 + .proc_handler = &proc_dointvec,
59886 + },
59887 +#endif
59888 +#ifdef CONFIG_GRKERNSEC_TIME
59889 + {
59890 + .procname = "timechange_logging",
59891 + .data = &grsec_enable_time,
59892 + .maxlen = sizeof(int),
59893 + .mode = 0600,
59894 + .proc_handler = &proc_dointvec,
59895 + },
59896 +#endif
59897 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59898 + {
59899 + .procname = "chroot_deny_shmat",
59900 + .data = &grsec_enable_chroot_shmat,
59901 + .maxlen = sizeof(int),
59902 + .mode = 0600,
59903 + .proc_handler = &proc_dointvec,
59904 + },
59905 +#endif
59906 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59907 + {
59908 + .procname = "chroot_deny_unix",
59909 + .data = &grsec_enable_chroot_unix,
59910 + .maxlen = sizeof(int),
59911 + .mode = 0600,
59912 + .proc_handler = &proc_dointvec,
59913 + },
59914 +#endif
59915 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59916 + {
59917 + .procname = "chroot_deny_mount",
59918 + .data = &grsec_enable_chroot_mount,
59919 + .maxlen = sizeof(int),
59920 + .mode = 0600,
59921 + .proc_handler = &proc_dointvec,
59922 + },
59923 +#endif
59924 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59925 + {
59926 + .procname = "chroot_deny_fchdir",
59927 + .data = &grsec_enable_chroot_fchdir,
59928 + .maxlen = sizeof(int),
59929 + .mode = 0600,
59930 + .proc_handler = &proc_dointvec,
59931 + },
59932 +#endif
59933 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59934 + {
59935 + .procname = "chroot_deny_chroot",
59936 + .data = &grsec_enable_chroot_double,
59937 + .maxlen = sizeof(int),
59938 + .mode = 0600,
59939 + .proc_handler = &proc_dointvec,
59940 + },
59941 +#endif
59942 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59943 + {
59944 + .procname = "chroot_deny_pivot",
59945 + .data = &grsec_enable_chroot_pivot,
59946 + .maxlen = sizeof(int),
59947 + .mode = 0600,
59948 + .proc_handler = &proc_dointvec,
59949 + },
59950 +#endif
59951 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59952 + {
59953 + .procname = "chroot_enforce_chdir",
59954 + .data = &grsec_enable_chroot_chdir,
59955 + .maxlen = sizeof(int),
59956 + .mode = 0600,
59957 + .proc_handler = &proc_dointvec,
59958 + },
59959 +#endif
59960 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59961 + {
59962 + .procname = "chroot_deny_chmod",
59963 + .data = &grsec_enable_chroot_chmod,
59964 + .maxlen = sizeof(int),
59965 + .mode = 0600,
59966 + .proc_handler = &proc_dointvec,
59967 + },
59968 +#endif
59969 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59970 + {
59971 + .procname = "chroot_deny_mknod",
59972 + .data = &grsec_enable_chroot_mknod,
59973 + .maxlen = sizeof(int),
59974 + .mode = 0600,
59975 + .proc_handler = &proc_dointvec,
59976 + },
59977 +#endif
59978 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59979 + {
59980 + .procname = "chroot_restrict_nice",
59981 + .data = &grsec_enable_chroot_nice,
59982 + .maxlen = sizeof(int),
59983 + .mode = 0600,
59984 + .proc_handler = &proc_dointvec,
59985 + },
59986 +#endif
59987 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59988 + {
59989 + .procname = "chroot_execlog",
59990 + .data = &grsec_enable_chroot_execlog,
59991 + .maxlen = sizeof(int),
59992 + .mode = 0600,
59993 + .proc_handler = &proc_dointvec,
59994 + },
59995 +#endif
59996 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59997 + {
59998 + .procname = "chroot_caps",
59999 + .data = &grsec_enable_chroot_caps,
60000 + .maxlen = sizeof(int),
60001 + .mode = 0600,
60002 + .proc_handler = &proc_dointvec,
60003 + },
60004 +#endif
60005 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60006 + {
60007 + .procname = "chroot_deny_sysctl",
60008 + .data = &grsec_enable_chroot_sysctl,
60009 + .maxlen = sizeof(int),
60010 + .mode = 0600,
60011 + .proc_handler = &proc_dointvec,
60012 + },
60013 +#endif
60014 +#ifdef CONFIG_GRKERNSEC_TPE
60015 + {
60016 + .procname = "tpe",
60017 + .data = &grsec_enable_tpe,
60018 + .maxlen = sizeof(int),
60019 + .mode = 0600,
60020 + .proc_handler = &proc_dointvec,
60021 + },
60022 + {
60023 + .procname = "tpe_gid",
60024 + .data = &grsec_tpe_gid,
60025 + .maxlen = sizeof(int),
60026 + .mode = 0600,
60027 + .proc_handler = &proc_dointvec,
60028 + },
60029 +#endif
60030 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60031 + {
60032 + .procname = "tpe_invert",
60033 + .data = &grsec_enable_tpe_invert,
60034 + .maxlen = sizeof(int),
60035 + .mode = 0600,
60036 + .proc_handler = &proc_dointvec,
60037 + },
60038 +#endif
60039 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60040 + {
60041 + .procname = "tpe_restrict_all",
60042 + .data = &grsec_enable_tpe_all,
60043 + .maxlen = sizeof(int),
60044 + .mode = 0600,
60045 + .proc_handler = &proc_dointvec,
60046 + },
60047 +#endif
60048 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60049 + {
60050 + .procname = "socket_all",
60051 + .data = &grsec_enable_socket_all,
60052 + .maxlen = sizeof(int),
60053 + .mode = 0600,
60054 + .proc_handler = &proc_dointvec,
60055 + },
60056 + {
60057 + .procname = "socket_all_gid",
60058 + .data = &grsec_socket_all_gid,
60059 + .maxlen = sizeof(int),
60060 + .mode = 0600,
60061 + .proc_handler = &proc_dointvec,
60062 + },
60063 +#endif
60064 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60065 + {
60066 + .procname = "socket_client",
60067 + .data = &grsec_enable_socket_client,
60068 + .maxlen = sizeof(int),
60069 + .mode = 0600,
60070 + .proc_handler = &proc_dointvec,
60071 + },
60072 + {
60073 + .procname = "socket_client_gid",
60074 + .data = &grsec_socket_client_gid,
60075 + .maxlen = sizeof(int),
60076 + .mode = 0600,
60077 + .proc_handler = &proc_dointvec,
60078 + },
60079 +#endif
60080 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60081 + {
60082 + .procname = "socket_server",
60083 + .data = &grsec_enable_socket_server,
60084 + .maxlen = sizeof(int),
60085 + .mode = 0600,
60086 + .proc_handler = &proc_dointvec,
60087 + },
60088 + {
60089 + .procname = "socket_server_gid",
60090 + .data = &grsec_socket_server_gid,
60091 + .maxlen = sizeof(int),
60092 + .mode = 0600,
60093 + .proc_handler = &proc_dointvec,
60094 + },
60095 +#endif
60096 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60097 + {
60098 + .procname = "audit_group",
60099 + .data = &grsec_enable_group,
60100 + .maxlen = sizeof(int),
60101 + .mode = 0600,
60102 + .proc_handler = &proc_dointvec,
60103 + },
60104 + {
60105 + .procname = "audit_gid",
60106 + .data = &grsec_audit_gid,
60107 + .maxlen = sizeof(int),
60108 + .mode = 0600,
60109 + .proc_handler = &proc_dointvec,
60110 + },
60111 +#endif
60112 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60113 + {
60114 + .procname = "audit_chdir",
60115 + .data = &grsec_enable_chdir,
60116 + .maxlen = sizeof(int),
60117 + .mode = 0600,
60118 + .proc_handler = &proc_dointvec,
60119 + },
60120 +#endif
60121 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60122 + {
60123 + .procname = "audit_mount",
60124 + .data = &grsec_enable_mount,
60125 + .maxlen = sizeof(int),
60126 + .mode = 0600,
60127 + .proc_handler = &proc_dointvec,
60128 + },
60129 +#endif
60130 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60131 + {
60132 + .procname = "audit_textrel",
60133 + .data = &grsec_enable_audit_textrel,
60134 + .maxlen = sizeof(int),
60135 + .mode = 0600,
60136 + .proc_handler = &proc_dointvec,
60137 + },
60138 +#endif
60139 +#ifdef CONFIG_GRKERNSEC_DMESG
60140 + {
60141 + .procname = "dmesg",
60142 + .data = &grsec_enable_dmesg,
60143 + .maxlen = sizeof(int),
60144 + .mode = 0600,
60145 + .proc_handler = &proc_dointvec,
60146 + },
60147 +#endif
60148 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60149 + {
60150 + .procname = "chroot_findtask",
60151 + .data = &grsec_enable_chroot_findtask,
60152 + .maxlen = sizeof(int),
60153 + .mode = 0600,
60154 + .proc_handler = &proc_dointvec,
60155 + },
60156 +#endif
60157 +#ifdef CONFIG_GRKERNSEC_RESLOG
60158 + {
60159 + .procname = "resource_logging",
60160 + .data = &grsec_resource_logging,
60161 + .maxlen = sizeof(int),
60162 + .mode = 0600,
60163 + .proc_handler = &proc_dointvec,
60164 + },
60165 +#endif
60166 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60167 + {
60168 + .procname = "audit_ptrace",
60169 + .data = &grsec_enable_audit_ptrace,
60170 + .maxlen = sizeof(int),
60171 + .mode = 0600,
60172 + .proc_handler = &proc_dointvec,
60173 + },
60174 +#endif
60175 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60176 + {
60177 + .procname = "harden_ptrace",
60178 + .data = &grsec_enable_harden_ptrace,
60179 + .maxlen = sizeof(int),
60180 + .mode = 0600,
60181 + .proc_handler = &proc_dointvec,
60182 + },
60183 +#endif
60184 + {
60185 + .procname = "grsec_lock",
60186 + .data = &grsec_lock,
60187 + .maxlen = sizeof(int),
60188 + .mode = 0600,
60189 + .proc_handler = &proc_dointvec,
60190 + },
60191 +#endif
60192 +#ifdef CONFIG_GRKERNSEC_ROFS
60193 + {
60194 + .procname = "romount_protect",
60195 + .data = &grsec_enable_rofs,
60196 + .maxlen = sizeof(int),
60197 + .mode = 0600,
60198 + .proc_handler = &proc_dointvec_minmax,
60199 + .extra1 = &one,
60200 + .extra2 = &one,
60201 + },
60202 +#endif
60203 + { }
60204 +};
60205 +#endif
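Review bot: Every entry in `grsecurity_table` except `romount_protect` uses `proc_dointvec` with no bounds, so any integer can be stored, including negative values in the `*_gid` entries that this patch later passes to `in_group_p()` (see grsec_sock.c and grsec_tpe.c). Consider `proc_dointvec_minmax` with `.extra1`/`.extra2` limits for the on/off switches and a non-negative lower bound for the gid entries. `romount_protect` sets both limits to `&one`, which makes it a one-way switch; a comment such as `/* min == max == 1: can be enabled at runtime, never cleared */` would state that intent. The `grsec_lock` entry deserves a similar comment, since its effect depends on `gr_handle_sysctl_mod` rejecting writes under the directory name `"grsecurity"` once the value is nonzero.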
60206 diff -urNp linux-2.6.39.3/grsecurity/grsec_time.c linux-2.6.39.3/grsecurity/grsec_time.c
60207 --- linux-2.6.39.3/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60208 +++ linux-2.6.39.3/grsecurity/grsec_time.c 2011-05-22 19:41:42.000000000 -0400
60209 @@ -0,0 +1,16 @@
60210 +#include <linux/kernel.h>
60211 +#include <linux/sched.h>
60212 +#include <linux/grinternal.h>
60213 +#include <linux/module.h>
60214 +
60215 +void
60216 +gr_log_timechange(void)
60217 +{
60218 +#ifdef CONFIG_GRKERNSEC_TIME
60219 + if (grsec_enable_time)
60220 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60221 +#endif
60222 + return;
60223 +}
60224 +
60225 +EXPORT_SYMBOL(gr_log_timechange);
60226 diff -urNp linux-2.6.39.3/grsecurity/grsec_tpe.c linux-2.6.39.3/grsecurity/grsec_tpe.c
60227 --- linux-2.6.39.3/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60228 +++ linux-2.6.39.3/grsecurity/grsec_tpe.c 2011-05-22 19:41:42.000000000 -0400
60229 @@ -0,0 +1,39 @@
60230 +#include <linux/kernel.h>
60231 +#include <linux/sched.h>
60232 +#include <linux/file.h>
60233 +#include <linux/fs.h>
60234 +#include <linux/grinternal.h>
60235 +
60236 +extern int gr_acl_tpe_check(void);
60237 +
60238 +int
60239 +gr_tpe_allow(const struct file *file)
60240 +{
60241 +#ifdef CONFIG_GRKERNSEC
60242 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60243 + const struct cred *cred = current_cred();
60244 +
60245 + if (cred->uid && ((grsec_enable_tpe &&
60246 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60247 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60248 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60249 +#else
60250 + in_group_p(grsec_tpe_gid)
60251 +#endif
60252 + ) || gr_acl_tpe_check()) &&
60253 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60254 + (inode->i_mode & S_IWOTH))))) {
60255 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60256 + return 0;
60257 + }
60258 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60259 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60260 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60261 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60262 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60263 + return 0;
60264 + }
60265 +#endif
60266 +#endif
60267 + return 1;
60268 +}
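Review bot: `gr_tpe_allow` reads `file->f_path.dentry->d_parent->d_inode` without taking a reference or lock on the parent, so a concurrent rename could change `d_parent` while the ownership and mode checks run; whether callers already serialise this is not visible in the hunk. Pinning the directory with `struct dentry *parent = dget_parent(file->f_path.dentry);` and calling `dput(parent);` before each return would make the check apply to one stable parent. The first condition also carries a redundant test: `inode->i_uid || (!inode->i_uid && (...))` is equivalent to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`. A one-line comment that only the immediate parent directory is examined, not the file itself or higher ancestors, would help readers judge how far the policy reaches.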
60269 diff -urNp linux-2.6.39.3/grsecurity/grsum.c linux-2.6.39.3/grsecurity/grsum.c
60270 --- linux-2.6.39.3/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60271 +++ linux-2.6.39.3/grsecurity/grsum.c 2011-05-22 19:41:42.000000000 -0400
60272 @@ -0,0 +1,61 @@
60273 +#include <linux/err.h>
60274 +#include <linux/kernel.h>
60275 +#include <linux/sched.h>
60276 +#include <linux/mm.h>
60277 +#include <linux/scatterlist.h>
60278 +#include <linux/crypto.h>
60279 +#include <linux/gracl.h>
60280 +
60281 +
60282 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60283 +#error "crypto and sha256 must be built into the kernel"
60284 +#endif
60285 +
60286 +int
60287 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60288 +{
60289 + char *p;
60290 + struct crypto_hash *tfm;
60291 + struct hash_desc desc;
60292 + struct scatterlist sg;
60293 + unsigned char temp_sum[GR_SHA_LEN];
60294 + volatile int retval = 0;
60295 + volatile int dummy = 0;
60296 + unsigned int i;
60297 +
60298 + sg_init_table(&sg, 1);
60299 +
60300 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60301 + if (IS_ERR(tfm)) {
60302 + /* should never happen, since sha256 should be built in */
60303 + return 1;
60304 + }
60305 +
60306 + desc.tfm = tfm;
60307 + desc.flags = 0;
60308 +
60309 + crypto_hash_init(&desc);
60310 +
60311 + p = salt;
60312 + sg_set_buf(&sg, p, GR_SALT_LEN);
60313 + crypto_hash_update(&desc, &sg, sg.length);
60314 +
60315 + p = entry->pw;
60316 + sg_set_buf(&sg, p, strlen(p));
60317 +
60318 + crypto_hash_update(&desc, &sg, sg.length);
60319 +
60320 + crypto_hash_final(&desc, temp_sum);
60321 +
60322 + memset(entry->pw, 0, GR_PW_LEN);
60323 +
60324 + for (i = 0; i < GR_SHA_LEN; i++)
60325 + if (sum[i] != temp_sum[i])
60326 + retval = 1;
60327 + else
60328 + dummy = 1; // waste a cycle
60329 +
60330 + crypto_free_hash(tfm);
60331 +
60332 + return retval;
60333 +}
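Review bot: The digest comparison loop in `chkpw` branches on each secret byte (`if (sum[i] != temp_sum[i]) ... else dummy = 1;`); the `volatile` stores keep both arms alive, but the branch itself stays data-dependent. Accumulating the difference without a branch is simpler and does not rely on compiler behaviour: `diff |= sum[i] ^ temp_sum[i];` inside the loop and `return diff != 0;` at the end. The `IS_ERR(tfm)` early return also skips the `memset(entry->pw, 0, GR_PW_LEN);` that the normal path performs, and `temp_sum` is never cleared before returning. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are ignored, so on a failure the loop would compare `sum` against uninitialised stack bytes.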
60334 diff -urNp linux-2.6.39.3/grsecurity/Kconfig linux-2.6.39.3/grsecurity/Kconfig
60335 --- linux-2.6.39.3/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
60336 +++ linux-2.6.39.3/grsecurity/Kconfig 2011-07-06 19:58:30.000000000 -0400
60337 @@ -0,0 +1,1048 @@
60338 +#
60339 +# grecurity configuration
60340 +#
60341 +
60342 +menu "Grsecurity"
60343 +
60344 +config GRKERNSEC
60345 + bool "Grsecurity"
60346 + select CRYPTO
60347 + select CRYPTO_SHA256
60348 + help
60349 + If you say Y here, you will be able to configure many features
60350 + that will enhance the security of your system. It is highly
60351 + recommended that you say Y here and read through the help
60352 + for each option so that you fully understand the features and
60353 + can evaluate their usefulness for your machine.
60354 +
60355 +choice
60356 + prompt "Security Level"
60357 + depends on GRKERNSEC
60358 + default GRKERNSEC_CUSTOM
60359 +
60360 +config GRKERNSEC_LOW
60361 + bool "Low"
60362 + select GRKERNSEC_LINK
60363 + select GRKERNSEC_FIFO
60364 + select GRKERNSEC_EXECVE
60365 + select GRKERNSEC_RANDNET
60366 + select GRKERNSEC_DMESG
60367 + select GRKERNSEC_CHROOT
60368 + select GRKERNSEC_CHROOT_CHDIR
60369 +
60370 + help
60371 + If you choose this option, several of the grsecurity options will
60372 + be enabled that will give you greater protection against a number
60373 + of attacks, while assuring that none of your software will have any
60374 + conflicts with the additional security measures. If you run a lot
60375 + of unusual software, or you are having problems with the higher
60376 + security levels, you should say Y here. With this option, the
60377 + following features are enabled:
60378 +
60379 + - Linking restrictions
60380 + - FIFO restrictions
60381 + - Enforcing RLIMIT_NPROC on execve
60382 + - Restricted dmesg
60383 + - Enforced chdir("/") on chroot
60384 + - Runtime module disabling
60385 +
60386 +config GRKERNSEC_MEDIUM
60387 + bool "Medium"
60388 + select PAX
60389 + select PAX_EI_PAX
60390 + select PAX_PT_PAX_FLAGS
60391 + select PAX_HAVE_ACL_FLAGS
60392 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60393 + select GRKERNSEC_CHROOT
60394 + select GRKERNSEC_CHROOT_SYSCTL
60395 + select GRKERNSEC_LINK
60396 + select GRKERNSEC_FIFO
60397 + select GRKERNSEC_EXECVE
60398 + select GRKERNSEC_DMESG
60399 + select GRKERNSEC_RANDNET
60400 + select GRKERNSEC_FORKFAIL
60401 + select GRKERNSEC_TIME
60402 + select GRKERNSEC_SIGNAL
60403 + select GRKERNSEC_CHROOT
60404 + select GRKERNSEC_CHROOT_UNIX
60405 + select GRKERNSEC_CHROOT_MOUNT
60406 + select GRKERNSEC_CHROOT_PIVOT
60407 + select GRKERNSEC_CHROOT_DOUBLE
60408 + select GRKERNSEC_CHROOT_CHDIR
60409 + select GRKERNSEC_CHROOT_MKNOD
60410 + select GRKERNSEC_PROC
60411 + select GRKERNSEC_PROC_USERGROUP
60412 + select PAX_RANDUSTACK
60413 + select PAX_ASLR
60414 + select PAX_RANDMMAP
60415 + select PAX_REFCOUNT if (X86 || SPARC64)
60416 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
60417 +
60418 + help
60419 + If you say Y here, several features in addition to those included
60420 + in the low additional security level will be enabled. These
60421 + features provide even more security to your system, though in rare
60422 + cases they may be incompatible with very old or poorly written
60423 + software. If you enable this option, make sure that your auth
60424 + service (identd) is running as gid 1001. With this option,
60425 + the following features (in addition to those provided in the
60426 + low additional security level) will be enabled:
60427 +
60428 + - Failed fork logging
60429 + - Time change logging
60430 + - Signal logging
60431 + - Deny mounts in chroot
60432 + - Deny double chrooting
60433 + - Deny sysctl writes in chroot
60434 + - Deny mknod in chroot
60435 + - Deny access to abstract AF_UNIX sockets out of chroot
60436 + - Deny pivot_root in chroot
60437 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
60438 + - /proc restrictions with special GID set to 10 (usually wheel)
60439 + - Address Space Layout Randomization (ASLR)
60440 + - Prevent exploitation of most refcount overflows
60441 + - Bounds checking of copying between the kernel and userland
60442 +
60443 +config GRKERNSEC_HIGH
60444 + bool "High"
60445 + select GRKERNSEC_LINK
60446 + select GRKERNSEC_FIFO
60447 + select GRKERNSEC_EXECVE
60448 + select GRKERNSEC_DMESG
60449 + select GRKERNSEC_FORKFAIL
60450 + select GRKERNSEC_TIME
60451 + select GRKERNSEC_SIGNAL
60452 + select GRKERNSEC_CHROOT
60453 + select GRKERNSEC_CHROOT_SHMAT
60454 + select GRKERNSEC_CHROOT_UNIX
60455 + select GRKERNSEC_CHROOT_MOUNT
60456 + select GRKERNSEC_CHROOT_FCHDIR
60457 + select GRKERNSEC_CHROOT_PIVOT
60458 + select GRKERNSEC_CHROOT_DOUBLE
60459 + select GRKERNSEC_CHROOT_CHDIR
60460 + select GRKERNSEC_CHROOT_MKNOD
60461 + select GRKERNSEC_CHROOT_CAPS
60462 + select GRKERNSEC_CHROOT_SYSCTL
60463 + select GRKERNSEC_CHROOT_FINDTASK
60464 + select GRKERNSEC_SYSFS_RESTRICT
60465 + select GRKERNSEC_PROC
60466 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
60467 + select GRKERNSEC_HIDESYM
60468 + select GRKERNSEC_BRUTE
60469 + select GRKERNSEC_PROC_USERGROUP
60470 + select GRKERNSEC_KMEM
60471 + select GRKERNSEC_RESLOG
60472 + select GRKERNSEC_RANDNET
60473 + select GRKERNSEC_PROC_ADD
60474 + select GRKERNSEC_CHROOT_CHMOD
60475 + select GRKERNSEC_CHROOT_NICE
60476 + select GRKERNSEC_AUDIT_MOUNT
60477 + select GRKERNSEC_MODHARDEN if (MODULES)
60478 + select GRKERNSEC_HARDEN_PTRACE
60479 + select GRKERNSEC_VM86 if (X86_32)
60480 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
60481 + select PAX
60482 + select PAX_RANDUSTACK
60483 + select PAX_ASLR
60484 + select PAX_RANDMMAP
60485 + select PAX_NOEXEC
60486 + select PAX_MPROTECT
60487 + select PAX_EI_PAX
60488 + select PAX_PT_PAX_FLAGS
60489 + select PAX_HAVE_ACL_FLAGS
60490 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
60491 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
60492 + select PAX_RANDKSTACK if (X86_TSC && X86)
60493 + select PAX_SEGMEXEC if (X86_32)
60494 + select PAX_PAGEEXEC
60495 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
60496 + select PAX_EMUTRAMP if (PARISC)
60497 + select PAX_EMUSIGRT if (PARISC)
60498 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
60499 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
60500 + select PAX_REFCOUNT if (X86 || SPARC64)
60501 + select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
60502 + help
60503 + If you say Y here, many of the features of grsecurity will be
60504 + enabled, which will protect you against many kinds of attacks
60505 + against your system. The heightened security comes at a cost
60506 + of an increased chance of incompatibilities with rare software
60507 + on your machine. Since this security level enables PaX, you should
60508 + view <http://pax.grsecurity.net> and read about the PaX
60509 + project. While you are there, download chpax and run it on
60510 + binaries that cause problems with PaX. Also remember that
60511 + since the /proc restrictions are enabled, you must run your
60512 + identd as gid 1001. This security level enables the following
60513 + features in addition to those listed in the low and medium
60514 + security levels:
60515 +
60516 + - Additional /proc restrictions
60517 + - Chmod restrictions in chroot
60518 + - No signals, ptrace, or viewing of processes outside of chroot
60519 + - Capability restrictions in chroot
60520 + - Deny fchdir out of chroot
60521 + - Priority restrictions in chroot
60522 + - Segmentation-based implementation of PaX
60523 + - Mprotect restrictions
60524 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
60525 + - Kernel stack randomization
60526 + - Mount/unmount/remount logging
60527 + - Kernel symbol hiding
60528 + - Prevention of memory exhaustion-based exploits
60529 + - Hardening of module auto-loading
60530 + - Ptrace restrictions
60531 + - Restricted vm86 mode
60532 + - Restricted sysfs/debugfs
60533 + - Active kernel exploit response
60534 +
60535 +config GRKERNSEC_CUSTOM
60536 + bool "Custom"
60537 + help
60538 + If you say Y here, you will be able to configure every grsecurity
60539 + option, which allows you to enable many more features that aren't
60540 + covered in the basic security levels. These additional features
60541 + include TPE, socket restrictions, and the sysctl system for
60542 + grsecurity. It is advised that you read through the help for
60543 + each option to determine its usefulness in your situation.
60544 +
60545 +endchoice
60546 +
60547 +menu "Address Space Protection"
60548 +depends on GRKERNSEC
60549 +
60550 +config GRKERNSEC_KMEM
60551 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
60552 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
60553 + help
60554 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
60555 + be written to via mmap or otherwise to modify the running kernel.
60556 + /dev/port will also not be allowed to be opened. If you have module
60557 + support disabled, enabling this will close up four ways that are
60558 + currently used to insert malicious code into the running kernel.
60559 + Even with all these features enabled, we still highly recommend that
60560 + you use the RBAC system, as it is still possible for an attacker to
60561 + modify the running kernel through privileged I/O granted by ioperm/iopl.
60562 + If you are not using XFree86, you may be able to stop this additional
60563 + case by enabling the 'Disable privileged I/O' option. Though nothing
60564 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
60565 + but only to video memory, which is the only writing we allow in this
60566 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
60567 + not be allowed to mprotect it with PROT_WRITE later.
60568 + It is highly recommended that you say Y here if you meet all the
60569 + conditions above.
60570 +
60571 +config GRKERNSEC_VM86
60572 + bool "Restrict VM86 mode"
60573 + depends on X86_32
60574 +
60575 + help
60576 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
60577 + make use of a special execution mode on 32bit x86 processors called
60578 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
60579 + video cards and will still work with this option enabled. The purpose
60580 + of the option is to prevent exploitation of emulation errors in
60581 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
60582 + Nearly all users should be able to enable this option.
60583 +
60584 +config GRKERNSEC_IO
60585 + bool "Disable privileged I/O"
60586 + depends on X86
60587 + select RTC_CLASS
60588 + select RTC_INTF_DEV
60589 + select RTC_DRV_CMOS
60590 +
60591 + help
60592 + If you say Y here, all ioperm and iopl calls will return an error.
60593 + Ioperm and iopl can be used to modify the running kernel.
60594 + Unfortunately, some programs need this access to operate properly,
60595 + the most notable of which are XFree86 and hwclock. hwclock can be
60596 + remedied by having RTC support in the kernel, so real-time
60597 + clock support is enabled if this option is enabled, to ensure
60598 + that hwclock operates correctly. XFree86 still will not
60599 + operate correctly with this option enabled, so DO NOT CHOOSE Y
60600 + IF YOU USE XFree86. If you use XFree86 and you still want to
60601 + protect your kernel against modification, use the RBAC system.
60602 +
60603 +config GRKERNSEC_PROC_MEMMAP
60604 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
60605 + default y if (PAX_NOEXEC || PAX_ASLR)
60606 + depends on PAX_NOEXEC || PAX_ASLR
60607 + help
60608 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
60609 + give no information about the addresses of its mappings if
60610 + PaX features that rely on random addresses are enabled on the task.
60611 + If you use PaX it is greatly recommended that you say Y here as it
60612 + closes up a hole that makes the full ASLR useless for suid
60613 + binaries.
60614 +
60615 +config GRKERNSEC_BRUTE
60616 + bool "Deter exploit bruteforcing"
60617 + help
60618 + If you say Y here, attempts to bruteforce exploits against forking
60619 + daemons such as apache or sshd, as well as against suid/sgid binaries
60620 + will be deterred. When a child of a forking daemon is killed by PaX
60621 + or crashes due to an illegal instruction or other suspicious signal,
60622 + the parent process will be delayed 30 seconds upon every subsequent
60623 + fork until the administrator is able to assess the situation and
60624 + restart the daemon.
60625 + In the suid/sgid case, the attempt is logged, the user has all their
60626 + processes terminated, and they are prevented from executing any further
60627 + processes for 15 minutes.
60628 + It is recommended that you also enable signal logging in the auditing
60629 + section so that logs are generated when a process triggers a suspicious
60630 + signal.
60631 + If the sysctl option is enabled, a sysctl option with name
60632 + "deter_bruteforce" is created.
60633 +
60634 +
60635 +config GRKERNSEC_MODHARDEN
60636 + bool "Harden module auto-loading"
60637 + depends on MODULES
60638 + help
60639 + If you say Y here, module auto-loading in response to use of some
60640 + feature implemented by an unloaded module will be restricted to
60641 + root users. Enabling this option helps defend against attacks
60642 + by unprivileged users who abuse the auto-loading behavior to
60643 + cause a vulnerable module to load that is then exploited.
60644 +
60645 + If this option prevents a legitimate use of auto-loading for a
60646 + non-root user, the administrator can execute modprobe manually
60647 + with the exact name of the module mentioned in the alert log.
60648 + Alternatively, the administrator can add the module to the list
60649 + of modules loaded at boot by modifying init scripts.
60650 +
60651 + Modification of init scripts will most likely be needed on
60652 + Ubuntu servers with encrypted home directory support enabled,
60653 + as the first non-root user logging in will cause the ecb(aes),
60654 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
60655 +
60656 +config GRKERNSEC_HIDESYM
60657 + bool "Hide kernel symbols"
60658 + help
60659 + If you say Y here, getting information on loaded modules, and
60660 + displaying all kernel symbols through a syscall will be restricted
60661 + to users with CAP_SYS_MODULE. For software compatibility reasons,
60662 + /proc/kallsyms will be restricted to the root user. The RBAC
60663 + system can hide that entry even from root.
60664 +
60665 + This option also prevents leaking of kernel addresses through
60666 + several /proc entries.
60667 +
60668 + Note that this option is only effective provided the following
60669 + conditions are met:
60670 + 1) The kernel using grsecurity is not precompiled by some distribution
60671 + 2) You have also enabled GRKERNSEC_DMESG
60672 + 3) You are using the RBAC system and hiding other files such as your
60673 + kernel image and System.map. Alternatively, enabling this option
60674 + causes the permissions on /boot, /lib/modules, and the kernel
60675 + source directory to change at compile time to prevent
60676 + reading by non-root users.
60677 + If the above conditions are met, this option will aid in providing a
60678 + useful protection against local kernel exploitation of overflows
60679 + and arbitrary read/write vulnerabilities.
60680 +
60681 +config GRKERNSEC_KERN_LOCKOUT
60682 + bool "Active kernel exploit response"
60683 + depends on X86 || ARM || PPC || SPARC
60684 + help
60685 + If you say Y here, when a PaX alert is triggered due to suspicious
60686 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
60687 + or an OOPs occurs due to bad memory accesses, instead of just
60688 + terminating the offending process (and potentially allowing
60689 + a subsequent exploit from the same user), we will take one of two
60690 + actions:
60691 + If the user was root, we will panic the system
60692 + If the user was non-root, we will log the attempt, terminate
60693 + all processes owned by the user, then prevent them from creating
60694 + any new processes until the system is restarted
60695 + This deters repeated kernel exploitation/bruteforcing attempts
60696 + and is useful for later forensics.
60697 +
60698 +endmenu
60699 +menu "Role Based Access Control Options"
60700 +depends on GRKERNSEC
60701 +
60702 +config GRKERNSEC_RBAC_DEBUG
60703 + bool
60704 +
60705 +config GRKERNSEC_NO_RBAC
60706 + bool "Disable RBAC system"
60707 + help
60708 + If you say Y here, the /dev/grsec device will be removed from the kernel,
60709 + preventing the RBAC system from being enabled. You should only say Y
60710 + here if you have no intention of using the RBAC system, so as to prevent
60711 + an attacker with root access from misusing the RBAC system to hide files
60712 + and processes when loadable module support and /dev/[k]mem have been
60713 + locked down.
60714 +
60715 +config GRKERNSEC_ACL_HIDEKERN
60716 + bool "Hide kernel processes"
60717 + help
60718 + If you say Y here, all kernel threads will be hidden to all
60719 + processes but those whose subject has the "view hidden processes"
60720 + flag.
60721 +
60722 +config GRKERNSEC_ACL_MAXTRIES
60723 + int "Maximum tries before password lockout"
60724 + default 3
60725 + help
60726 + This option enforces the maximum number of times a user can attempt
60727 + to authorize themselves with the grsecurity RBAC system before being
60728 + denied the ability to attempt authorization again for a specified time.
60729 + The lower the number, the harder it will be to brute-force a password.
60730 +
60731 +config GRKERNSEC_ACL_TIMEOUT
60732 + int "Time to wait after max password tries, in seconds"
60733 + default 30
60734 + help
60735 + This option specifies the time the user must wait after attempting to
60736 + authorize to the RBAC system with the maximum number of invalid
60737 + passwords. The higher the number, the harder it will be to brute-force
60738 + a password.
60739 +
60740 +endmenu
60741 +menu "Filesystem Protections"
60742 +depends on GRKERNSEC
60743 +
60744 +config GRKERNSEC_PROC
60745 + bool "Proc restrictions"
60746 + help
60747 + If you say Y here, the permissions of the /proc filesystem
60748 + will be altered to enhance system security and privacy. You MUST
60749 + choose either a user only restriction or a user and group restriction.
60750 + Depending upon the option you choose, you can either restrict users to
60751 + see only the processes they themselves run, or choose a group that can
60752 + view all processes and files normally restricted to root if you choose
60753 + the "restrict to user only" option. NOTE: If you're running identd as
60754 + a non-root user, you will have to run it as the group you specify here.
60755 +
60756 +config GRKERNSEC_PROC_USER
60757 + bool "Restrict /proc to user only"
60758 + depends on GRKERNSEC_PROC
60759 + help
60760 + If you say Y here, non-root users will only be able to view their own
60761 + processes, and restricts them from viewing network-related information,
60762 + and viewing kernel symbol and module information.
60763 +
60764 +config GRKERNSEC_PROC_USERGROUP
60765 + bool "Allow special group"
60766 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
60767 + help
60768 + If you say Y here, you will be able to select a group that will be
60769 + able to view all processes and network-related information. If you've
60770 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
60771 + remain hidden. This option is useful if you want to run identd as
60772 + a non-root user.
60773 +
60774 +config GRKERNSEC_PROC_GID
60775 + int "GID for special group"
60776 + depends on GRKERNSEC_PROC_USERGROUP
60777 + default 1001
60778 +
60779 +config GRKERNSEC_PROC_ADD
60780 + bool "Additional restrictions"
60781 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
60782 + help
60783 + If you say Y here, additional restrictions will be placed on
60784 + /proc that keep normal users from viewing device information and
60785 + slabinfo information that could be useful for exploits.
60786 +
60787 +config GRKERNSEC_LINK
60788 + bool "Linking restrictions"
60789 + help
60790 + If you say Y here, /tmp race exploits will be prevented, since users
60791 + will no longer be able to follow symlinks owned by other users in
60792 + world-writable +t directories (e.g. /tmp), unless the owner of the
60793 + symlink is the owner of the directory. users will also not be
60794 + able to hardlink to files they do not own. If the sysctl option is
60795 + enabled, a sysctl option with name "linking_restrictions" is created.
60796 +
60797 +config GRKERNSEC_FIFO
60798 + bool "FIFO restrictions"
60799 + help
60800 + If you say Y here, users will not be able to write to FIFOs they don't
60801 + own in world-writable +t directories (e.g. /tmp), unless the owner of
60802 + the FIFO is the same owner of the directory it's held in. If the sysctl
60803 + option is enabled, a sysctl option with name "fifo_restrictions" is
60804 + created.
60805 +
60806 +config GRKERNSEC_SYSFS_RESTRICT
60807 + bool "Sysfs/debugfs restriction"
60808 + depends on SYSFS
60809 + help
60810 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
60811 + any filesystem normally mounted under it (e.g. debugfs) will only
60812 + be accessible by root. These filesystems generally provide access
60813 + to hardware and debug information that isn't appropriate for unprivileged
60814 + users of the system. Sysfs and debugfs have also become a large source
60815 + of new vulnerabilities, ranging from infoleaks to local compromise.
60816 + There has been very little oversight with an eye toward security involved
60817 + in adding new exporters of information to these filesystems, so their
60818 + use is discouraged.
60819 + This option is equivalent to a chmod 0700 of the mount paths.
60820 +
60821 +config GRKERNSEC_ROFS
60822 + bool "Runtime read-only mount protection"
60823 + help
60824 + If you say Y here, a sysctl option with name "romount_protect" will
60825 + be created. By setting this option to 1 at runtime, filesystems
60826 + will be protected in the following ways:
60827 + * No new writable mounts will be allowed
60828 + * Existing read-only mounts won't be able to be remounted read/write
60829 + * Write operations will be denied on all block devices
60830 + This option acts independently of grsec_lock: once it is set to 1,
60831 + it cannot be turned off. Therefore, please be mindful of the resulting
60832 + behavior if this option is enabled in an init script on a read-only
60833 + filesystem. This feature is mainly intended for secure embedded systems.
60834 +
60835 +config GRKERNSEC_CHROOT
60836 + bool "Chroot jail restrictions"
60837 + help
60838 + If you say Y here, you will be able to choose several options that will
60839 + make breaking out of a chrooted jail much more difficult. If you
60840 + encounter no software incompatibilities with the following options, it
60841 + is recommended that you enable each one.
60842 +
60843 +config GRKERNSEC_CHROOT_MOUNT
60844 + bool "Deny mounts"
60845 + depends on GRKERNSEC_CHROOT
60846 + help
60847 + If you say Y here, processes inside a chroot will not be able to
60848 + mount or remount filesystems. If the sysctl option is enabled, a
60849 + sysctl option with name "chroot_deny_mount" is created.
60850 +
60851 +config GRKERNSEC_CHROOT_DOUBLE
60852 + bool "Deny double-chroots"
60853 + depends on GRKERNSEC_CHROOT
60854 + help
60855 + If you say Y here, processes inside a chroot will not be able to chroot
60856 + again outside the chroot. This is a widely used method of breaking
60857 + out of a chroot jail and should not be allowed. If the sysctl
60858 + option is enabled, a sysctl option with name
60859 + "chroot_deny_chroot" is created.
60860 +
60861 +config GRKERNSEC_CHROOT_PIVOT
60862 + bool "Deny pivot_root in chroot"
60863 + depends on GRKERNSEC_CHROOT
60864 + help
60865 + If you say Y here, processes inside a chroot will not be able to use
60866 + a function called pivot_root() that was introduced in Linux 2.3.41. It
60867 + works similar to chroot in that it changes the root filesystem. This
60868 + function could be misused in a chrooted process to attempt to break out
60869 + of the chroot, and therefore should not be allowed. If the sysctl
60870 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
60871 + created.
60872 +
60873 +config GRKERNSEC_CHROOT_CHDIR
60874 + bool "Enforce chdir(\"/\") on all chroots"
60875 + depends on GRKERNSEC_CHROOT
60876 + help
60877 + If you say Y here, the current working directory of all newly-chrooted
60878 + applications will be set to the the root directory of the chroot.
60879 + The man page on chroot(2) states:
60880 + Note that this call does not change the current working
60881 + directory, so that `.' can be outside the tree rooted at
60882 + `/'. In particular, the super-user can escape from a
60883 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
60884 +
60885 + It is recommended that you say Y here, since it's not known to break
60886 + any software. If the sysctl option is enabled, a sysctl option with
60887 + name "chroot_enforce_chdir" is created.
60888 +
60889 +config GRKERNSEC_CHROOT_CHMOD
60890 + bool "Deny (f)chmod +s"
60891 + depends on GRKERNSEC_CHROOT
60892 + help
60893 + If you say Y here, processes inside a chroot will not be able to chmod
60894 + or fchmod files to make them have suid or sgid bits. This protects
60895 + against another published method of breaking a chroot. If the sysctl
60896 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
60897 + created.
60898 +
60899 +config GRKERNSEC_CHROOT_FCHDIR
60900 + bool "Deny fchdir out of chroot"
60901 + depends on GRKERNSEC_CHROOT
60902 + help
60903 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
60904 + to a file descriptor of the chrooting process that points to a directory
60905 + outside the filesystem will be stopped. If the sysctl option
60906 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
60907 +
60908 +config GRKERNSEC_CHROOT_MKNOD
60909 + bool "Deny mknod"
60910 + depends on GRKERNSEC_CHROOT
60911 + help
60912 + If you say Y here, processes inside a chroot will not be allowed to
60913 + mknod. The problem with using mknod inside a chroot is that it
60914 + would allow an attacker to create a device entry that is the same
60915 + as one on the physical root of your system, which could range from
60916 + anything from the console device to a device for your harddrive (which
60917 + they could then use to wipe the drive or steal data). It is recommended
60918 + that you say Y here, unless you run into software incompatibilities.
60919 + If the sysctl option is enabled, a sysctl option with name
60920 + "chroot_deny_mknod" is created.
60921 +
60922 +config GRKERNSEC_CHROOT_SHMAT
60923 + bool "Deny shmat() out of chroot"
60924 + depends on GRKERNSEC_CHROOT
60925 + help
60926 + If you say Y here, processes inside a chroot will not be able to attach
60927 + to shared memory segments that were created outside of the chroot jail.
60928 + It is recommended that you say Y here. If the sysctl option is enabled,
60929 + a sysctl option with name "chroot_deny_shmat" is created.
60930 +
60931 +config GRKERNSEC_CHROOT_UNIX
60932 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
60933 + depends on GRKERNSEC_CHROOT
60934 + help
60935 + If you say Y here, processes inside a chroot will not be able to
60936 + connect to abstract (meaning not belonging to a filesystem) Unix
60937 + domain sockets that were bound outside of a chroot. It is recommended
60938 + that you say Y here. If the sysctl option is enabled, a sysctl option
60939 + with name "chroot_deny_unix" is created.
60940 +
60941 +config GRKERNSEC_CHROOT_FINDTASK
60942 + bool "Protect outside processes"
60943 + depends on GRKERNSEC_CHROOT
60944 + help
60945 + If you say Y here, processes inside a chroot will not be able to
60946 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60947 + getsid, or view any process outside of the chroot. If the sysctl
60948 + option is enabled, a sysctl option with name "chroot_findtask" is
60949 + created.
60950 +
60951 +config GRKERNSEC_CHROOT_NICE
60952 + bool "Restrict priority changes"
60953 + depends on GRKERNSEC_CHROOT
60954 + help
60955 + If you say Y here, processes inside a chroot will not be able to raise
60956 + the priority of processes in the chroot, or alter the priority of
60957 + processes outside the chroot. This provides more security than simply
60958 + removing CAP_SYS_NICE from the process' capability set. If the
60959 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60960 + is created.
60961 +
60962 +config GRKERNSEC_CHROOT_SYSCTL
60963 + bool "Deny sysctl writes"
60964 + depends on GRKERNSEC_CHROOT
60965 + help
60966 + If you say Y here, an attacker in a chroot will not be able to
60967 + write to sysctl entries, either by sysctl(2) or through a /proc
60968 + interface. It is strongly recommended that you say Y here. If the
60969 + sysctl option is enabled, a sysctl option with name
60970 + "chroot_deny_sysctl" is created.
60971 +
60972 +config GRKERNSEC_CHROOT_CAPS
60973 + bool "Capability restrictions"
60974 + depends on GRKERNSEC_CHROOT
60975 + help
60976 + If you say Y here, the capabilities on all root processes within a
60977 + chroot jail will be lowered to stop module insertion, raw i/o,
60978 + system and net admin tasks, rebooting the system, modifying immutable
60979 + files, modifying IPC owned by another, and changing the system time.
60980 + This is left an option because it can break some apps. Disable this
60981 + if your chrooted apps are having problems performing those kinds of
60982 + tasks. If the sysctl option is enabled, a sysctl option with
60983 + name "chroot_caps" is created.
60984 +
60985 +endmenu
60986 +menu "Kernel Auditing"
60987 +depends on GRKERNSEC
60988 +
60989 +config GRKERNSEC_AUDIT_GROUP
60990 + bool "Single group for auditing"
60991 + help
60992 + If you say Y here, the exec, chdir, and (un)mount logging features
60993 + will only operate on a group you specify. This option is recommended
60994 + if you only want to watch certain users instead of having a large
60995 + amount of logs from the entire system. If the sysctl option is enabled,
60996 + a sysctl option with name "audit_group" is created.
60997 +
60998 +config GRKERNSEC_AUDIT_GID
60999 + int "GID for auditing"
61000 + depends on GRKERNSEC_AUDIT_GROUP
61001 + default 1007
61002 +
61003 +config GRKERNSEC_EXECLOG
61004 + bool "Exec logging"
61005 + help
61006 + If you say Y here, all execve() calls will be logged (since the
61007 + other exec*() calls are frontends to execve(), all execution
61008 + will be logged). Useful for shell-servers that like to keep track
61009 + of their users. If the sysctl option is enabled, a sysctl option with
61010 + name "exec_logging" is created.
61011 + WARNING: This option when enabled will produce a LOT of logs, especially
61012 + on an active system.
61013 +
61014 +config GRKERNSEC_RESLOG
61015 + bool "Resource logging"
61016 + help
61017 + If you say Y here, all attempts to overstep resource limits will
61018 + be logged with the resource name, the requested size, and the current
61019 + limit. It is highly recommended that you say Y here. If the sysctl
61020 + option is enabled, a sysctl option with name "resource_logging" is
61021 + created. If the RBAC system is enabled, the sysctl value is ignored.
61022 +
61023 +config GRKERNSEC_CHROOT_EXECLOG
61024 + bool "Log execs within chroot"
61025 + help
61026 + If you say Y here, all executions inside a chroot jail will be logged
61027 + to syslog. This can cause a large amount of logs if certain
61028 + applications (eg. djb's daemontools) are installed on the system, and
61029 + is therefore left as an option. If the sysctl option is enabled, a
61030 + sysctl option with name "chroot_execlog" is created.
61031 +
61032 +config GRKERNSEC_AUDIT_PTRACE
61033 + bool "Ptrace logging"
61034 + help
61035 + If you say Y here, all attempts to attach to a process via ptrace
61036 + will be logged. If the sysctl option is enabled, a sysctl option
61037 + with name "audit_ptrace" is created.
61038 +
61039 +config GRKERNSEC_AUDIT_CHDIR
61040 + bool "Chdir logging"
61041 + help
61042 + If you say Y here, all chdir() calls will be logged. If the sysctl
61043 + option is enabled, a sysctl option with name "audit_chdir" is created.
61044 +
61045 +config GRKERNSEC_AUDIT_MOUNT
61046 + bool "(Un)Mount logging"
61047 + help
61048 + If you say Y here, all mounts and unmounts will be logged. If the
61049 + sysctl option is enabled, a sysctl option with name "audit_mount" is
61050 + created.
61051 +
61052 +config GRKERNSEC_SIGNAL
61053 + bool "Signal logging"
61054 + help
61055 + If you say Y here, certain important signals will be logged, such as
61056 + SIGSEGV, which will as a result inform you of when a error in a program
61057 + occurred, which in some cases could mean a possible exploit attempt.
61058 + If the sysctl option is enabled, a sysctl option with name
61059 + "signal_logging" is created.
61060 +
61061 +config GRKERNSEC_FORKFAIL
61062 + bool "Fork failure logging"
61063 + help
61064 + If you say Y here, all failed fork() attempts will be logged.
61065 + This could suggest a fork bomb, or someone attempting to overstep
61066 + their process limit. If the sysctl option is enabled, a sysctl option
61067 + with name "forkfail_logging" is created.
61068 +
61069 +config GRKERNSEC_TIME
61070 + bool "Time change logging"
61071 + help
61072 + If you say Y here, any changes of the system clock will be logged.
61073 + If the sysctl option is enabled, a sysctl option with name
61074 + "timechange_logging" is created.
61075 +
61076 +config GRKERNSEC_PROC_IPADDR
61077 + bool "/proc/<pid>/ipaddr support"
61078 + help
61079 + If you say Y here, a new entry will be added to each /proc/<pid>
61080 + directory that contains the IP address of the person using the task.
61081 + The IP is carried across local TCP and AF_UNIX stream sockets.
61082 + This information can be useful for IDS/IPSes to perform remote response
61083 + to a local attack. The entry is readable by only the owner of the
61084 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
61085 + the RBAC system), and thus does not create privacy concerns.
61086 +
61087 +config GRKERNSEC_RWXMAP_LOG
61088 + bool 'Denied RWX mmap/mprotect logging'
61089 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
61090 + help
61091 + If you say Y here, calls to mmap() and mprotect() with explicit
61092 + usage of PROT_WRITE and PROT_EXEC together will be logged when
61093 + denied by the PAX_MPROTECT feature. If the sysctl option is
61094 + enabled, a sysctl option with name "rwxmap_logging" is created.
61095 +
61096 +config GRKERNSEC_AUDIT_TEXTREL
61097 + bool 'ELF text relocations logging (READ HELP)'
61098 + depends on PAX_MPROTECT
61099 + help
61100 + If you say Y here, text relocations will be logged with the filename
61101 + of the offending library or binary. The purpose of the feature is
61102 + to help Linux distribution developers get rid of libraries and
61103 + binaries that need text relocations which hinder the future progress
61104 + of PaX. Only Linux distribution developers should say Y here, and
61105 + never on a production machine, as this option creates an information
61106 + leak that could aid an attacker in defeating the randomization of
61107 + a single memory region. If the sysctl option is enabled, a sysctl
61108 + option with name "audit_textrel" is created.
61109 +
61110 +endmenu
61111 +
61112 +menu "Executable Protections"
61113 +depends on GRKERNSEC
61114 +
61115 +config GRKERNSEC_EXECVE
61116 + bool "Enforce RLIMIT_NPROC on execs"
61117 + help
61118 + If you say Y here, users with a resource limit on processes will
61119 + have the value checked during execve() calls. The current system
61120 + only checks the system limit during fork() calls. If the sysctl option
61121 + is enabled, a sysctl option with name "execve_limiting" is created.
61122 +
61123 +config GRKERNSEC_DMESG
61124 + bool "Dmesg(8) restriction"
61125 + help
61126 + If you say Y here, non-root users will not be able to use dmesg(8)
61127 + to view up to the last 4kb of messages in the kernel's log buffer.
61128 + The kernel's log buffer often contains kernel addresses and other
61129 + identifying information useful to an attacker in fingerprinting a
61130 + system for a targeted exploit.
61131 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
61132 + created.
61133 +
61134 +config GRKERNSEC_HARDEN_PTRACE
61135 + bool "Deter ptrace-based process snooping"
61136 + help
61137 + If you say Y here, TTY sniffers and other malicious monitoring
61138 + programs implemented through ptrace will be defeated. If you
61139 + have been using the RBAC system, this option has already been
61140 + enabled for several years for all users, with the ability to make
61141 + fine-grained exceptions.
61142 +
61143 + This option only affects the ability of non-root users to ptrace
61144 + processes that are not a descendent of the ptracing process.
61145 + This means that strace ./binary and gdb ./binary will still work,
61146 + but attaching to arbitrary processes will not. If the sysctl
61147 + option is enabled, a sysctl option with name "harden_ptrace" is
61148 + created.
61149 +
61150 +config GRKERNSEC_TPE
61151 + bool "Trusted Path Execution (TPE)"
61152 + help
61153 + If you say Y here, you will be able to choose a gid to add to the
61154 + supplementary groups of users you want to mark as "untrusted."
61155 + These users will not be able to execute any files that are not in
61156 + root-owned directories writable only by root. If the sysctl option
61157 + is enabled, a sysctl option with name "tpe" is created.
61158 +
61159 +config GRKERNSEC_TPE_ALL
61160 + bool "Partially restrict all non-root users"
61161 + depends on GRKERNSEC_TPE
61162 + help
61163 + If you say Y here, all non-root users will be covered under
61164 + a weaker TPE restriction. This is separate from, and in addition to,
61165 + the main TPE options that you have selected elsewhere. Thus, if a
61166 + "trusted" GID is chosen, this restriction applies to even that GID.
61167 + Under this restriction, all non-root users will only be allowed to
61168 + execute files in directories they own that are not group or
61169 + world-writable, or in directories owned by root and writable only by
61170 + root. If the sysctl option is enabled, a sysctl option with name
61171 + "tpe_restrict_all" is created.
61172 +
61173 +config GRKERNSEC_TPE_INVERT
61174 + bool "Invert GID option"
61175 + depends on GRKERNSEC_TPE
61176 + help
61177 + If you say Y here, the group you specify in the TPE configuration will
61178 + decide what group TPE restrictions will be *disabled* for. This
61179 + option is useful if you want TPE restrictions to be applied to most
61180 + users on the system. If the sysctl option is enabled, a sysctl option
61181 + with name "tpe_invert" is created. Unlike other sysctl options, this
61182 + entry will default to on for backward-compatibility.
61183 +
61184 +config GRKERNSEC_TPE_GID
61185 + int "GID for untrusted users"
61186 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
61187 + default 1005
61188 + help
61189 + Setting this GID determines what group TPE restrictions will be
61190 + *enabled* for. If the sysctl option is enabled, a sysctl option
61191 + with name "tpe_gid" is created.
61192 +
61193 +config GRKERNSEC_TPE_GID
61194 + int "GID for trusted users"
61195 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61196 + default 1005
61197 + help
61198 + Setting this GID determines what group TPE restrictions will be
61199 + *disabled* for. If the sysctl option is enabled, a sysctl option
61200 + with name "tpe_gid" is created.
61201 +
61202 +endmenu
61203 +menu "Network Protections"
61204 +depends on GRKERNSEC
61205 +
61206 +config GRKERNSEC_RANDNET
61207 + bool "Larger entropy pools"
61208 + help
61209 + If you say Y here, the entropy pools used for many features of Linux
61210 + and grsecurity will be doubled in size. Since several grsecurity
61211 + features use additional randomness, it is recommended that you say Y
61212 + here. Saying Y here has a similar effect as modifying
61213 + /proc/sys/kernel/random/poolsize.
61214 +
61215 +config GRKERNSEC_BLACKHOLE
61216 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61217 + help
61218 + If you say Y here, neither TCP resets nor ICMP
61219 + destination-unreachable packets will be sent in response to packets
61220 + sent to ports for which no associated listening process exists.
61221 + This feature supports both IPV4 and IPV6 and exempts the
61222 + loopback interface from blackholing. Enabling this feature
61223 + makes a host more resilient to DoS attacks and reduces network
61224 + visibility against scanners.
61225 +
61226 + The blackhole feature as-implemented is equivalent to the FreeBSD
61227 + blackhole feature, as it prevents RST responses to all packets, not
61228 + just SYNs. Under most application behavior this causes no
61229 + problems, but applications (like haproxy) may not close certain
61230 + connections in a way that cleanly terminates them on the remote
61231 + end, leaving the remote host in LAST_ACK state. Because of this
61232 + side-effect and to prevent intentional LAST_ACK DoSes, this
61233 + feature also adds automatic mitigation against such attacks.
61234 + The mitigation drastically reduces the amount of time a socket
61235 + can spend in LAST_ACK state. If you're using haproxy and not
61236 + all servers it connects to have this option enabled, consider
61237 + disabling this feature on the haproxy host.
61238 +
61239 + If the sysctl option is enabled, two sysctl options with names
61240 + "ip_blackhole" and "lastack_retries" will be created.
61241 + While "ip_blackhole" takes the standard zero/non-zero on/off
61242 + toggle, "lastack_retries" uses the same kinds of values as
61243 + "tcp_retries1" and "tcp_retries2". The default value of 4
61244 + prevents a socket from lasting more than 45 seconds in LAST_ACK
61245 + state.
61246 +
61247 +config GRKERNSEC_SOCKET
61248 + bool "Socket restrictions"
61249 + help
61250 + If you say Y here, you will be able to choose from several options.
61251 + If you assign a GID on your system and add it to the supplementary
61252 + groups of users you want to restrict socket access to, this patch
61253 + will perform up to three things, based on the option(s) you choose.
61254 +
61255 +config GRKERNSEC_SOCKET_ALL
61256 + bool "Deny any sockets to group"
61257 + depends on GRKERNSEC_SOCKET
61258 + help
61259 + If you say Y here, you will be able to choose a GID of whose users will
61260 + be unable to connect to other hosts from your machine or run server
61261 + applications from your machine. If the sysctl option is enabled, a
61262 + sysctl option with name "socket_all" is created.
61263 +
61264 +config GRKERNSEC_SOCKET_ALL_GID
61265 + int "GID to deny all sockets for"
61266 + depends on GRKERNSEC_SOCKET_ALL
61267 + default 1004
61268 + help
61269 + Here you can choose the GID to disable socket access for. Remember to
61270 + add the users you want socket access disabled for to the GID
61271 + specified here. If the sysctl option is enabled, a sysctl option
61272 + with name "socket_all_gid" is created.
61273 +
61274 +config GRKERNSEC_SOCKET_CLIENT
61275 + bool "Deny client sockets to group"
61276 + depends on GRKERNSEC_SOCKET
61277 + help
61278 + If you say Y here, you will be able to choose a GID of whose users will
61279 + be unable to connect to other hosts from your machine, but will be
61280 + able to run servers. If this option is enabled, all users in the group
61281 + you specify will have to use passive mode when initiating ftp transfers
61282 + from the shell on your machine. If the sysctl option is enabled, a
61283 + sysctl option with name "socket_client" is created.
61284 +
61285 +config GRKERNSEC_SOCKET_CLIENT_GID
61286 + int "GID to deny client sockets for"
61287 + depends on GRKERNSEC_SOCKET_CLIENT
61288 + default 1003
61289 + help
61290 + Here you can choose the GID to disable client socket access for.
61291 + Remember to add the users you want client socket access disabled for to
61292 + the GID specified here. If the sysctl option is enabled, a sysctl
61293 + option with name "socket_client_gid" is created.
61294 +
61295 +config GRKERNSEC_SOCKET_SERVER
61296 + bool "Deny server sockets to group"
61297 + depends on GRKERNSEC_SOCKET
61298 + help
61299 + If you say Y here, you will be able to choose a GID of whose users will
61300 + be unable to run server applications from your machine. If the sysctl
61301 + option is enabled, a sysctl option with name "socket_server" is created.
61302 +
61303 +config GRKERNSEC_SOCKET_SERVER_GID
61304 + int "GID to deny server sockets for"
61305 + depends on GRKERNSEC_SOCKET_SERVER
61306 + default 1002
61307 + help
61308 + Here you can choose the GID to disable server socket access for.
61309 + Remember to add the users you want server socket access disabled for to
61310 + the GID specified here. If the sysctl option is enabled, a sysctl
61311 + option with name "socket_server_gid" is created.
61312 +
61313 +endmenu
61314 +menu "Sysctl support"
61315 +depends on GRKERNSEC && SYSCTL
61316 +
61317 +config GRKERNSEC_SYSCTL
61318 + bool "Sysctl support"
61319 + help
61320 + If you say Y here, you will be able to change the options that
61321 + grsecurity runs with at bootup, without having to recompile your
61322 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
61323 + to enable (1) or disable (0) various features. All the sysctl entries
61324 + are mutable until the "grsec_lock" entry is set to a non-zero value.
61325 + All features enabled in the kernel configuration are disabled at boot
61326 + if you do not say Y to the "Turn on features by default" option.
61327 + All options should be set at startup, and the grsec_lock entry should
61328 + be set to a non-zero value after all the options are set.
61329 + *THIS IS EXTREMELY IMPORTANT*
61330 +
61331 +config GRKERNSEC_SYSCTL_DISTRO
61332 + bool "Extra sysctl support for distro makers (READ HELP)"
61333 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
61334 + help
61335 + If you say Y here, additional sysctl options will be created
61336 + for features that affect processes running as root. Therefore,
61337 + it is critical when using this option that the grsec_lock entry be
61338 + enabled after boot. Only distros with prebuilt kernel packages
61339 + with this option enabled that can ensure grsec_lock is enabled
61340 + after boot should use this option.
61341 + *Failure to set grsec_lock after boot makes all grsec features
61342 + this option covers useless*
61343 +
61344 + Currently this option creates the following sysctl entries:
61345 + "Disable Privileged I/O": "disable_priv_io"
61346 +
61347 +config GRKERNSEC_SYSCTL_ON
61348 + bool "Turn on features by default"
61349 + depends on GRKERNSEC_SYSCTL
61350 + help
61351 + If you say Y here, instead of having all features enabled in the
61352 + kernel configuration disabled at boot time, the features will be
61353 + enabled at boot time. It is recommended you say Y here unless
61354 + there is some reason you would want all sysctl-tunable features to
61355 + be disabled by default. As mentioned elsewhere, it is important
61356 + to enable the grsec_lock entry once you have finished modifying
61357 + the sysctl entries.
61358 +
61359 +endmenu
61360 +menu "Logging Options"
61361 +depends on GRKERNSEC
61362 +
61363 +config GRKERNSEC_FLOODTIME
61364 + int "Seconds in between log messages (minimum)"
61365 + default 10
61366 + help
61367 + This option allows you to enforce the number of seconds between
61368 + grsecurity log messages. The default should be suitable for most
61369 + people, however, if you choose to change it, choose a value small enough
61370 + to allow informative logs to be produced, but large enough to
61371 + prevent flooding.
61372 +
61373 +config GRKERNSEC_FLOODBURST
61374 + int "Number of messages in a burst (maximum)"
61375 + default 4
61376 + help
61377 + This option allows you to choose the maximum number of messages allowed
61378 + within the flood time interval you chose in a separate option. The
61379 + default should be suitable for most people, however if you find that
61380 + many of your logs are being interpreted as flooding, you may want to
61381 + raise this value.
61382 +
61383 +endmenu
61384 +
61385 +endmenu
61386 diff -urNp linux-2.6.39.3/grsecurity/Makefile linux-2.6.39.3/grsecurity/Makefile
61387 --- linux-2.6.39.3/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
61388 +++ linux-2.6.39.3/grsecurity/Makefile 2011-05-24 20:26:54.000000000 -0400
61389 @@ -0,0 +1,33 @@
61390 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
61391 +# during 2001-2009 it has been completely redesigned by Brad Spengler
61392 +# into an RBAC system
61393 +#
61394 +# All code in this directory and various hooks inserted throughout the kernel
61395 +# are copyright Brad Spengler - Open Source Security, Inc., and released
61396 +# under the GPL v2 or higher
61397 +
61398 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
61399 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
61400 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
61401 +
61402 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
61403 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
61404 + gracl_learn.o grsec_log.o
61405 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
61406 +
61407 +ifdef CONFIG_NET
61408 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
61409 +endif
61410 +
61411 +ifndef CONFIG_GRKERNSEC
61412 +obj-y += grsec_disabled.o
61413 +endif
61414 +
61415 +ifdef CONFIG_GRKERNSEC_HIDESYM
61416 +extra-y := grsec_hidesym.o
61417 +$(obj)/grsec_hidesym.o:
61418 + @-chmod -f 500 /boot
61419 + @-chmod -f 500 /lib/modules
61420 + @-chmod -f 700 .
61421 + @echo ' grsec: protected kernel image paths'
61422 +endif
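Review bot: The `$(obj)/grsec_hidesym.o` recipe changes the permissions of `/boot`, `/lib/modules` and the build directory on the build host as a side effect of compiling, and the `@-` prefixes hide both the commands and their failures. When the kernel is built as an unprivileged user, or on a machine other than the one it will run on, the chmods fail or land on the wrong host, yet the build still prints `grsec: protected kernel image paths`. The recipe also never creates `grsec_hidesym.o`, so it appears to rerun on every build. I would move the permission change to a documented install-time step, or at least report success only when it happened: `@chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths'`.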
61423 diff -urNp linux-2.6.39.3/include/acpi/acpi_drivers.h linux-2.6.39.3/include/acpi/acpi_drivers.h
61424 --- linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-19 00:06:34.000000000 -0400
61425 +++ linux-2.6.39.3/include/acpi/acpi_drivers.h 2011-05-22 19:36:32.000000000 -0400
61426 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
61427 Dock Station
61428 -------------------------------------------------------------------------- */
61429 struct acpi_dock_ops {
61430 - acpi_notify_handler handler;
61431 - acpi_notify_handler uevent;
61432 + const acpi_notify_handler handler;
61433 + const acpi_notify_handler uevent;
61434 };
61435
61436 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
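Review bot: Declaring `handler` and `uevent` as `const` members of `struct acpi_dock_ops` means every instance must be filled in by an initializer, so any driver that assigns these fields after allocating the struct stops compiling; no audit of the users is visible from this hunk. The later hunks in this file already change `register_hotplug_dock_device()` to take `const struct acpi_dock_ops *ops`, so the member-level qualifier needs its own justification. Presumably the intent is to keep ops tables in read-only data; a one-line comment above the struct would record that, e.g. `/* members are const: instances must be statically initialised and are never modified at run time */`.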
61437 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
61438 extern int register_dock_notifier(struct notifier_block *nb);
61439 extern void unregister_dock_notifier(struct notifier_block *nb);
61440 extern int register_hotplug_dock_device(acpi_handle handle,
61441 - struct acpi_dock_ops *ops,
61442 + const struct acpi_dock_ops *ops,
61443 void *context);
61444 extern void unregister_hotplug_dock_device(acpi_handle handle);
61445 #else
61446 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
61447 {
61448 }
61449 static inline int register_hotplug_dock_device(acpi_handle handle,
61450 - struct acpi_dock_ops *ops,
61451 + const struct acpi_dock_ops *ops,
61452 void *context)
61453 {
61454 return -ENODEV;
61455 diff -urNp linux-2.6.39.3/include/acpi/processor.h linux-2.6.39.3/include/acpi/processor.h
61456 --- linux-2.6.39.3/include/acpi/processor.h 2011-05-19 00:06:34.000000000 -0400
61457 +++ linux-2.6.39.3/include/acpi/processor.h 2011-05-22 19:36:32.000000000 -0400
61458 @@ -344,7 +344,7 @@ extern struct cpuidle_driver acpi_idle_d
61459
61460 /* in processor_thermal.c */
61461 int acpi_processor_get_limit_info(struct acpi_processor *pr);
61462 -extern struct thermal_cooling_device_ops processor_cooling_ops;
61463 +extern const struct thermal_cooling_device_ops processor_cooling_ops;
61464 #ifdef CONFIG_CPU_FREQ
61465 void acpi_thermal_cpufreq_init(void);
61466 void acpi_thermal_cpufreq_exit(void);
61467 diff -urNp linux-2.6.39.3/include/asm-generic/atomic-long.h linux-2.6.39.3/include/asm-generic/atomic-long.h
61468 --- linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-19 00:06:34.000000000 -0400
61469 +++ linux-2.6.39.3/include/asm-generic/atomic-long.h 2011-05-22 19:36:32.000000000 -0400
61470 @@ -22,6 +22,12 @@
61471
61472 typedef atomic64_t atomic_long_t;
61473
61474 +#ifdef CONFIG_PAX_REFCOUNT
61475 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
61476 +#else
61477 +typedef atomic64_t atomic_long_unchecked_t;
61478 +#endif
61479 +
61480 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
61481
61482 static inline long atomic_long_read(atomic_long_t *l)
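Review bot: Nothing in this header says how `atomic_long_unchecked_t` and the `*_unchecked` helpers differ from the regular ones, so a reader cannot tell when they are safe to use. Judging by the `CONFIG_PAX_REFCOUNT` guard, they presumably skip the overflow detection applied to the checked type, which would make them the wrong choice for anything that acts as a reference count. I would add a comment above the typedef such as `/* unchecked variants are exempt from PAX_REFCOUNT overflow detection; use only for counters that may legitimately wrap, never for reference counts */`. The same gap applies to every `*_unchecked` helper added by the following hunks in both the 64-bit and the 32-bit half of the file.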
61483 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
61484 return (long)atomic64_read(v);
61485 }
61486
61487 +#ifdef CONFIG_PAX_REFCOUNT
61488 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61489 +{
61490 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61491 +
61492 + return (long)atomic64_read_unchecked(v);
61493 +}
61494 +#endif
61495 +
61496 static inline void atomic_long_set(atomic_long_t *l, long i)
61497 {
61498 atomic64_t *v = (atomic64_t *)l;
61499 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
61500 atomic64_set(v, i);
61501 }
61502
61503 +#ifdef CONFIG_PAX_REFCOUNT
61504 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61505 +{
61506 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61507 +
61508 + atomic64_set_unchecked(v, i);
61509 +}
61510 +#endif
61511 +
61512 static inline void atomic_long_inc(atomic_long_t *l)
61513 {
61514 atomic64_t *v = (atomic64_t *)l;
61515 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
61516 atomic64_inc(v);
61517 }
61518
61519 +#ifdef CONFIG_PAX_REFCOUNT
61520 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61521 +{
61522 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61523 +
61524 + atomic64_inc_unchecked(v);
61525 +}
61526 +#endif
61527 +
61528 static inline void atomic_long_dec(atomic_long_t *l)
61529 {
61530 atomic64_t *v = (atomic64_t *)l;
61531 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
61532 atomic64_dec(v);
61533 }
61534
61535 +#ifdef CONFIG_PAX_REFCOUNT
61536 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61537 +{
61538 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61539 +
61540 + atomic64_dec_unchecked(v);
61541 +}
61542 +#endif
61543 +
61544 static inline void atomic_long_add(long i, atomic_long_t *l)
61545 {
61546 atomic64_t *v = (atomic64_t *)l;
61547 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
61548 atomic64_add(i, v);
61549 }
61550
61551 +#ifdef CONFIG_PAX_REFCOUNT
61552 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61553 +{
61554 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61555 +
61556 + atomic64_add_unchecked(i, v);
61557 +}
61558 +#endif
61559 +
61560 static inline void atomic_long_sub(long i, atomic_long_t *l)
61561 {
61562 atomic64_t *v = (atomic64_t *)l;
61563 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
61564 atomic64_sub(i, v);
61565 }
61566
61567 +#ifdef CONFIG_PAX_REFCOUNT
61568 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61569 +{
61570 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61571 +
61572 + atomic64_sub_unchecked(i, v);
61573 +}
61574 +#endif
61575 +
61576 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61577 {
61578 atomic64_t *v = (atomic64_t *)l;
61579 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
61580 return (long)atomic64_inc_return(v);
61581 }
61582
61583 +#ifdef CONFIG_PAX_REFCOUNT
61584 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61585 +{
61586 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
61587 +
61588 + return (long)atomic64_inc_return_unchecked(v);
61589 +}
61590 +#endif
61591 +
61592 static inline long atomic_long_dec_return(atomic_long_t *l)
61593 {
61594 atomic64_t *v = (atomic64_t *)l;
61595 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
61596
61597 typedef atomic_t atomic_long_t;
61598
61599 +#ifdef CONFIG_PAX_REFCOUNT
61600 +typedef atomic_unchecked_t atomic_long_unchecked_t;
61601 +#else
61602 +typedef atomic_t atomic_long_unchecked_t;
61603 +#endif
61604 +
61605 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
61606 static inline long atomic_long_read(atomic_long_t *l)
61607 {
61608 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
61609 return (long)atomic_read(v);
61610 }
61611
61612 +#ifdef CONFIG_PAX_REFCOUNT
61613 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
61614 +{
61615 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61616 +
61617 + return (long)atomic_read_unchecked(v);
61618 +}
61619 +#endif
61620 +
61621 static inline void atomic_long_set(atomic_long_t *l, long i)
61622 {
61623 atomic_t *v = (atomic_t *)l;
61624 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
61625 atomic_set(v, i);
61626 }
61627
61628 +#ifdef CONFIG_PAX_REFCOUNT
61629 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
61630 +{
61631 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61632 +
61633 + atomic_set_unchecked(v, i);
61634 +}
61635 +#endif
61636 +
61637 static inline void atomic_long_inc(atomic_long_t *l)
61638 {
61639 atomic_t *v = (atomic_t *)l;
61640 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
61641 atomic_inc(v);
61642 }
61643
61644 +#ifdef CONFIG_PAX_REFCOUNT
61645 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
61646 +{
61647 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61648 +
61649 + atomic_inc_unchecked(v);
61650 +}
61651 +#endif
61652 +
61653 static inline void atomic_long_dec(atomic_long_t *l)
61654 {
61655 atomic_t *v = (atomic_t *)l;
61656 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
61657 atomic_dec(v);
61658 }
61659
61660 +#ifdef CONFIG_PAX_REFCOUNT
61661 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
61662 +{
61663 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61664 +
61665 + atomic_dec_unchecked(v);
61666 +}
61667 +#endif
61668 +
61669 static inline void atomic_long_add(long i, atomic_long_t *l)
61670 {
61671 atomic_t *v = (atomic_t *)l;
61672 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
61673 atomic_add(i, v);
61674 }
61675
61676 +#ifdef CONFIG_PAX_REFCOUNT
61677 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
61678 +{
61679 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61680 +
61681 + atomic_add_unchecked(i, v);
61682 +}
61683 +#endif
61684 +
61685 static inline void atomic_long_sub(long i, atomic_long_t *l)
61686 {
61687 atomic_t *v = (atomic_t *)l;
61688 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
61689 atomic_sub(i, v);
61690 }
61691
61692 +#ifdef CONFIG_PAX_REFCOUNT
61693 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
61694 +{
61695 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61696 +
61697 + atomic_sub_unchecked(i, v);
61698 +}
61699 +#endif
61700 +
61701 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
61702 {
61703 atomic_t *v = (atomic_t *)l;
61704 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
61705 return (long)atomic_inc_return(v);
61706 }
61707
61708 +#ifdef CONFIG_PAX_REFCOUNT
61709 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
61710 +{
61711 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
61712 +
61713 + return (long)atomic_inc_return_unchecked(v);
61714 +}
61715 +#endif
61716 +
61717 static inline long atomic_long_dec_return(atomic_long_t *l)
61718 {
61719 atomic_t *v = (atomic_t *)l;
61720 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
61721
61722 #endif /* BITS_PER_LONG == 64 */
61723
61724 +#ifdef CONFIG_PAX_REFCOUNT
61725 +static inline void pax_refcount_needs_these_functions(void)
61726 +{
61727 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
61728 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
61729 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
61730 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
61731 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
61732 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
61733 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
61734 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
61735 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
61736 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
61737 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
61738 +
61739 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
61740 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
61741 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
61742 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
61743 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
61744 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
61745 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
61746 +}
61747 +#else
61748 +#define atomic_read_unchecked(v) atomic_read(v)
61749 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
61750 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
61751 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
61752 +#define atomic_inc_unchecked(v) atomic_inc(v)
61753 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
61754 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
61755 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
61756 +#define atomic_dec_unchecked(v) atomic_dec(v)
61757 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
61758 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
61759 +
61760 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
61761 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
61762 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
61763 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
61764 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
61765 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
61766 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
61767 +#endif
61768 +
61769 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
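Review bot: `pax_refcount_needs_these_functions()` passes NULL to every `*_unchecked` operation and would fault if it were ever called, but nothing in the hunk says so. It appears to exist only so that the build fails when an architecture does not provide one of these operations under `CONFIG_PAX_REFCOUNT`; a comment should state that, e.g. `/* compile-time check only: never call this function */`. In the `#else` branch the single-argument macros pass `v` bare (`atomic_read(v)`, `atomic_inc(v)`) while the two-argument ones use `(v)`; writing `(v)` throughout would be consistent.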
61770 diff -urNp linux-2.6.39.3/include/asm-generic/cache.h linux-2.6.39.3/include/asm-generic/cache.h
61771 --- linux-2.6.39.3/include/asm-generic/cache.h 2011-05-19 00:06:34.000000000 -0400
61772 +++ linux-2.6.39.3/include/asm-generic/cache.h 2011-07-06 20:00:13.000000000 -0400
61773 @@ -6,7 +6,7 @@
61774 * cache lines need to provide their own cache.h.
61775 */
61776
61777 -#define L1_CACHE_SHIFT 5
61778 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61779 +#define L1_CACHE_SHIFT 5UL
61780 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
61781
61782 #endif /* __ASM_GENERIC_CACHE_H */
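Review bot: `#define L1_CACHE_SHIFT 5UL` puts a C integer suffix on a constant that may also be consumed by assembly sources or linker scripts, where `5UL` does not parse; whether this generic header is reached from such files is not visible in the hunk. Keeping the shift a plain integer and widening only the result gives `L1_CACHE_BYTES` the same `unsigned long` type without that risk. Using the kernel's `_AC()` helper from `<linux/const.h>`, that would be `#define L1_CACHE_SHIFT 5` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`.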
61783 diff -urNp linux-2.6.39.3/include/asm-generic/dma-mapping-common.h linux-2.6.39.3/include/asm-generic/dma-mapping-common.h
61784 --- linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-19 00:06:34.000000000 -0400
61785 +++ linux-2.6.39.3/include/asm-generic/dma-mapping-common.h 2011-05-22 19:36:32.000000000 -0400
61786 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
61787 enum dma_data_direction dir,
61788 struct dma_attrs *attrs)
61789 {
61790 - struct dma_map_ops *ops = get_dma_ops(dev);
61791 + const struct dma_map_ops *ops = get_dma_ops(dev);
61792 dma_addr_t addr;
61793
61794 kmemcheck_mark_initialized(ptr, size);
61795 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
61796 enum dma_data_direction dir,
61797 struct dma_attrs *attrs)
61798 {
61799 - struct dma_map_ops *ops = get_dma_ops(dev);
61800 + const struct dma_map_ops *ops = get_dma_ops(dev);
61801
61802 BUG_ON(!valid_dma_direction(dir));
61803 if (ops->unmap_page)
61804 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
61805 int nents, enum dma_data_direction dir,
61806 struct dma_attrs *attrs)
61807 {
61808 - struct dma_map_ops *ops = get_dma_ops(dev);
61809 + const struct dma_map_ops *ops = get_dma_ops(dev);
61810 int i, ents;
61811 struct scatterlist *s;
61812
61813 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
61814 int nents, enum dma_data_direction dir,
61815 struct dma_attrs *attrs)
61816 {
61817 - struct dma_map_ops *ops = get_dma_ops(dev);
61818 + const struct dma_map_ops *ops = get_dma_ops(dev);
61819
61820 BUG_ON(!valid_dma_direction(dir));
61821 debug_dma_unmap_sg(dev, sg, nents, dir);
61822 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
61823 size_t offset, size_t size,
61824 enum dma_data_direction dir)
61825 {
61826 - struct dma_map_ops *ops = get_dma_ops(dev);
61827 + const struct dma_map_ops *ops = get_dma_ops(dev);
61828 dma_addr_t addr;
61829
61830 kmemcheck_mark_initialized(page_address(page) + offset, size);
61831 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
61832 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
61833 size_t size, enum dma_data_direction dir)
61834 {
61835 - struct dma_map_ops *ops = get_dma_ops(dev);
61836 + const struct dma_map_ops *ops = get_dma_ops(dev);
61837
61838 BUG_ON(!valid_dma_direction(dir));
61839 if (ops->unmap_page)
61840 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
61841 size_t size,
61842 enum dma_data_direction dir)
61843 {
61844 - struct dma_map_ops *ops = get_dma_ops(dev);
61845 + const struct dma_map_ops *ops = get_dma_ops(dev);
61846
61847 BUG_ON(!valid_dma_direction(dir));
61848 if (ops->sync_single_for_cpu)
61849 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
61850 dma_addr_t addr, size_t size,
61851 enum dma_data_direction dir)
61852 {
61853 - struct dma_map_ops *ops = get_dma_ops(dev);
61854 + const struct dma_map_ops *ops = get_dma_ops(dev);
61855
61856 BUG_ON(!valid_dma_direction(dir));
61857 if (ops->sync_single_for_device)
61858 @@ -139,7 +139,7 @@ static inline void
61859 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
61860 int nelems, enum dma_data_direction dir)
61861 {
61862 - struct dma_map_ops *ops = get_dma_ops(dev);
61863 + const struct dma_map_ops *ops = get_dma_ops(dev);
61864
61865 BUG_ON(!valid_dma_direction(dir));
61866 if (ops->sync_sg_for_cpu)
61867 @@ -151,7 +151,7 @@ static inline void
61868 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
61869 int nelems, enum dma_data_direction dir)
61870 {
61871 - struct dma_map_ops *ops = get_dma_ops(dev);
61872 + const struct dma_map_ops *ops = get_dma_ops(dev);
61873
61874 BUG_ON(!valid_dma_direction(dir));
61875 if (ops->sync_sg_for_device)
61876 diff -urNp linux-2.6.39.3/include/asm-generic/int-l64.h linux-2.6.39.3/include/asm-generic/int-l64.h
61877 --- linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-19 00:06:34.000000000 -0400
61878 +++ linux-2.6.39.3/include/asm-generic/int-l64.h 2011-05-22 19:36:32.000000000 -0400
61879 @@ -46,6 +46,8 @@ typedef unsigned int u32;
61880 typedef signed long s64;
61881 typedef unsigned long u64;
61882
61883 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
61884 +
61885 #define S8_C(x) x
61886 #define U8_C(x) x ## U
61887 #define S16_C(x) x
61888 diff -urNp linux-2.6.39.3/include/asm-generic/int-ll64.h linux-2.6.39.3/include/asm-generic/int-ll64.h
61889 --- linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-19 00:06:34.000000000 -0400
61890 +++ linux-2.6.39.3/include/asm-generic/int-ll64.h 2011-05-22 19:36:32.000000000 -0400
61891 @@ -51,6 +51,8 @@ typedef unsigned int u32;
61892 typedef signed long long s64;
61893 typedef unsigned long long u64;
61894
61895 +typedef unsigned long long intoverflow_t;
61896 +
61897 #define S8_C(x) x
61898 #define U8_C(x) x ## U
61899 #define S16_C(x) x
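Review bot: `intoverflow_t` is defined here as `unsigned long long`, which is no wider than `unsigned long` on any 64-bit kernel that includes int-ll64.h, while the int-l64.h hunk above uses a 128-bit `mode(TI)` type. If the type is meant to hold a size computation without wrapping so the result can be compared against a limit (its users are outside this hunk), that comparison could never fire on such a configuration. Neither typedef carries a comment; I would add `/* must be wider than unsigned long so size arithmetic can be range-checked */` and either select the width by `BITS_PER_LONG` or state the 64-bit limitation explicitly.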
61900 diff -urNp linux-2.6.39.3/include/asm-generic/kmap_types.h linux-2.6.39.3/include/asm-generic/kmap_types.h
61901 --- linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-19 00:06:34.000000000 -0400
61902 +++ linux-2.6.39.3/include/asm-generic/kmap_types.h 2011-05-22 19:36:32.000000000 -0400
61903 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
61904 KMAP_D(17) KM_NMI,
61905 KMAP_D(18) KM_NMI_PTE,
61906 KMAP_D(19) KM_KDB,
61907 +KMAP_D(20) KM_CLEARPAGE,
61908 /*
61909 * Remember to update debug_kmap_atomic() when adding new kmap types!
61910 */
61911 -KMAP_D(20) KM_TYPE_NR
61912 +KMAP_D(21) KM_TYPE_NR
61913 };
61914
61915 #undef KMAP_D
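Review bot: `KM_CLEARPAGE` is added and `KM_TYPE_NR` is renumbered to 21, but the comment directly below the new entry asks for debug_kmap_atomic() to be updated whenever a kmap type is added, and no such update is part of this hunk. Confirm that debug_kmap_atomic() knows the new slot; it may be changed elsewhere in the patch. The entry also has no comment saying which code path owns the slot, for example `/* KM_CLEARPAGE: TODO name the user of this slot */`.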
61916 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable.h linux-2.6.39.3/include/asm-generic/pgtable.h
61917 --- linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-19 00:06:34.000000000 -0400
61918 +++ linux-2.6.39.3/include/asm-generic/pgtable.h 2011-05-22 19:36:32.000000000 -0400
61919 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
61920 #endif /* __HAVE_ARCH_PMD_WRITE */
61921 #endif
61922
61923 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
61924 +static inline unsigned long pax_open_kernel(void) { return 0; }
61925 +#endif
61926 +
61927 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
61928 +static inline unsigned long pax_close_kernel(void) { return 0; }
61929 +#endif
61930 +
61931 #endif /* !__ASSEMBLY__ */
61932
61933 #endif /* _ASM_GENERIC_PGTABLE_H */
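Review bot: The two fallbacks are guarded by separate macros, `__HAVE_ARCH_PAX_OPEN_KERNEL` and `__HAVE_ARCH_PAX_CLOSE_KERNEL`, so an architecture can supply a real open together with the no-op close (or the reverse) and nothing flags it. Since the pair only makes sense together, a single guard, or an `#error` when exactly one of the two is defined, would catch that at build time. The stubs also lack a comment on what the returned `unsigned long` means; something like `/* no-op fallbacks for architectures without their own implementation; every open must be paired with a close */` would do.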
61934 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h
61935 --- linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-19 00:06:34.000000000 -0400
61936 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopmd.h 2011-05-22 19:36:32.000000000 -0400
61937 @@ -1,14 +1,19 @@
61938 #ifndef _PGTABLE_NOPMD_H
61939 #define _PGTABLE_NOPMD_H
61940
61941 -#ifndef __ASSEMBLY__
61942 -
61943 #include <asm-generic/pgtable-nopud.h>
61944
61945 -struct mm_struct;
61946 -
61947 #define __PAGETABLE_PMD_FOLDED
61948
61949 +#define PMD_SHIFT PUD_SHIFT
61950 +#define PTRS_PER_PMD 1
61951 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
61952 +#define PMD_MASK (~(PMD_SIZE-1))
61953 +
61954 +#ifndef __ASSEMBLY__
61955 +
61956 +struct mm_struct;
61957 +
61958 /*
61959 * Having the pmd type consist of a pud gets the size right, and allows
61960 * us to conceptually access the pud entry that this pmd is folded into
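Review bot: `PMD_SIZE` now uses `_AC(1,UL)` and is exposed to assembly, but the hunk adds no include that provides `_AC`. The only include in view is `<asm-generic/pgtable-nopud.h>`, and the pgtable-nopud.h hunk makes the same change to `PUD_SIZE` without adding an include either. Unless every includer already pulls in the definition, a file that expands these macros fails to build. I would add `#include <linux/const.h>` at the top of both headers.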
61961 @@ -16,11 +21,6 @@ struct mm_struct;
61962 */
61963 typedef struct { pud_t pud; } pmd_t;
61964
61965 -#define PMD_SHIFT PUD_SHIFT
61966 -#define PTRS_PER_PMD 1
61967 -#define PMD_SIZE (1UL << PMD_SHIFT)
61968 -#define PMD_MASK (~(PMD_SIZE-1))
61969 -
61970 /*
61971 * The "pud_xxx()" functions here are trivial for a folded two-level
61972 * setup: the pmd is never bad, and a pmd always exists (as it's folded
61973 diff -urNp linux-2.6.39.3/include/asm-generic/pgtable-nopud.h linux-2.6.39.3/include/asm-generic/pgtable-nopud.h
61974 --- linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-19 00:06:34.000000000 -0400
61975 +++ linux-2.6.39.3/include/asm-generic/pgtable-nopud.h 2011-05-22 19:36:32.000000000 -0400
61976 @@ -1,10 +1,15 @@
61977 #ifndef _PGTABLE_NOPUD_H
61978 #define _PGTABLE_NOPUD_H
61979
61980 -#ifndef __ASSEMBLY__
61981 -
61982 #define __PAGETABLE_PUD_FOLDED
61983
61984 +#define PUD_SHIFT PGDIR_SHIFT
61985 +#define PTRS_PER_PUD 1
61986 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
61987 +#define PUD_MASK (~(PUD_SIZE-1))
61988 +
61989 +#ifndef __ASSEMBLY__
61990 +
61991 /*
61992 * Having the pud type consist of a pgd gets the size right, and allows
61993 * us to conceptually access the pgd entry that this pud is folded into
61994 @@ -12,11 +17,6 @@
61995 */
61996 typedef struct { pgd_t pgd; } pud_t;
61997
61998 -#define PUD_SHIFT PGDIR_SHIFT
61999 -#define PTRS_PER_PUD 1
62000 -#define PUD_SIZE (1UL << PUD_SHIFT)
62001 -#define PUD_MASK (~(PUD_SIZE-1))
62002 -
62003 /*
62004 * The "pgd_xxx()" functions here are trivial for a folded two-level
62005 * setup: the pud is never bad, and a pud always exists (as it's folded
62006 diff -urNp linux-2.6.39.3/include/asm-generic/vmlinux.lds.h linux-2.6.39.3/include/asm-generic/vmlinux.lds.h
62007 --- linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-19 00:06:34.000000000 -0400
62008 +++ linux-2.6.39.3/include/asm-generic/vmlinux.lds.h 2011-05-22 19:36:32.000000000 -0400
62009 @@ -213,6 +213,7 @@
62010 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
62011 VMLINUX_SYMBOL(__start_rodata) = .; \
62012 *(.rodata) *(.rodata.*) \
62013 + *(.data..read_only) \
62014 *(__vermagic) /* Kernel version magic */ \
62015 . = ALIGN(8); \
62016 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
62017 @@ -707,14 +708,15 @@
62018 * section in the linker script will go there too. @phdr should have
62019 * a leading colon.
62020 *
62021 - * Note that this macros defines __per_cpu_load as an absolute symbol.
62022 + * Note that this macros defines per_cpu_load as an absolute symbol.
62023 * If there is no need to put the percpu section at a predetermined
62024 * address, use PERCPU().
62025 */
62026 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
62027 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
62028 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
62029 + per_cpu_load = .; \
62030 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
62031 - LOAD_OFFSET) { \
62032 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
62033 VMLINUX_SYMBOL(__per_cpu_start) = .; \
62034 *(.data..percpu..first) \
62035 . = ALIGN(PAGE_SIZE); \
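Review bot: `per_cpu_load = .;` is defined without `VMLINUX_SYMBOL()`, while the `AT(VMLINUX_SYMBOL(per_cpu_load) - LOAD_OFFSET)` right below it and the `. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);` line in the next hunk reference it through the macro. On a configuration where `VMLINUX_SYMBOL` adds a prefix, the definition and the references would name different symbols. Use one form in all three places, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The reworded comment now says the macro defines `per_cpu_load` as an absolute symbol, but `__per_cpu_load` is still defined, inside the section as `. + per_cpu_load`; the comment should describe both symbols.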
62036 @@ -726,7 +728,7 @@
62037 *(.data..percpu..shared_aligned) \
62038 VMLINUX_SYMBOL(__per_cpu_end) = .; \
62039 } phdr \
62040 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
62041 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
62042
62043 /**
62044 * PERCPU - define output section for percpu area, simple version
62045 diff -urNp linux-2.6.39.3/include/drm/drmP.h linux-2.6.39.3/include/drm/drmP.h
62046 --- linux-2.6.39.3/include/drm/drmP.h 2011-05-19 00:06:34.000000000 -0400
62047 +++ linux-2.6.39.3/include/drm/drmP.h 2011-05-22 19:41:42.000000000 -0400
62048 @@ -73,6 +73,7 @@
62049 #include <linux/workqueue.h>
62050 #include <linux/poll.h>
62051 #include <asm/pgalloc.h>
62052 +#include <asm/local.h>
62053 #include "drm.h"
62054
62055 #include <linux/idr.h>
62056 @@ -908,7 +909,7 @@ struct drm_driver {
62057 uint32_t handle);
62058
62059 /* Driver private ops for this object */
62060 - struct vm_operations_struct *gem_vm_ops;
62061 + const struct vm_operations_struct *gem_vm_ops;
62062
62063 int major;
62064 int minor;
62065 @@ -1023,7 +1024,7 @@ struct drm_device {
62066
62067 /** \name Usage Counters */
62068 /*@{ */
62069 - int open_count; /**< Outstanding files open */
62070 + local_t open_count; /**< Outstanding files open */
62071 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
62072 atomic_t vma_count; /**< Outstanding vma areas open */
62073 int buf_use; /**< Buffers in use -- cannot alloc */
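Review bot: `open_count` becomes a `local_t` while its neighbours `ioctl_count` and `vma_count` stay `atomic_t`. `local_t` operations are atomic only with respect to the CPU they run on, so this is safe only if every update of `open_count` is serialised by a lock. The call sites are outside this hunk, so that needs confirming. If the aim is a counter that is exempt from overflow checking, `atomic_unchecked_t` (used for `counts[]` in the next hunk) would keep cross-CPU atomicity. Either way the field comment should name the lock that protects it.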
62074 @@ -1034,7 +1035,7 @@ struct drm_device {
62075 /*@{ */
62076 unsigned long counters;
62077 enum drm_stat_type types[15];
62078 - atomic_t counts[15];
62079 + atomic_unchecked_t counts[15];
62080 /*@} */
62081
62082 struct list_head filelist;
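Review bot: `counts[]` is switched to `atomic_unchecked_t` with no stated reason; going by the name, the type opts these counters out of the checking that the patched `atomic_t` performs. That is reasonable for statistics that may wrap harmlessly, and a one-line comment such as `/* statistics only, wrap is harmless */` would let a reader tell them apart from reference counts, where a wrap can end in a use-after-free. The same applies to the `atomic_unchecked_t` conversions in the atmdev.h, blktrace_api.h and fscache-cache.h hunks.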
62083 diff -urNp linux-2.6.39.3/include/linux/a.out.h linux-2.6.39.3/include/linux/a.out.h
62084 --- linux-2.6.39.3/include/linux/a.out.h 2011-05-19 00:06:34.000000000 -0400
62085 +++ linux-2.6.39.3/include/linux/a.out.h 2011-05-22 19:36:32.000000000 -0400
62086 @@ -39,6 +39,14 @@ enum machine_type {
62087 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
62088 };
62089
62090 +/* Constants for the N_FLAGS field */
62091 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62092 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
62093 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
62094 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
62095 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62096 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62097 +
62098 #if !defined (N_MAGIC)
62099 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
62100 #endif
62101 diff -urNp linux-2.6.39.3/include/linux/atmdev.h linux-2.6.39.3/include/linux/atmdev.h
62102 --- linux-2.6.39.3/include/linux/atmdev.h 2011-05-19 00:06:34.000000000 -0400
62103 +++ linux-2.6.39.3/include/linux/atmdev.h 2011-05-22 19:36:32.000000000 -0400
62104 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
62105 #endif
62106
62107 struct k_atm_aal_stats {
62108 -#define __HANDLE_ITEM(i) atomic_t i
62109 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
62110 __AAL_STAT_ITEMS
62111 #undef __HANDLE_ITEM
62112 };
62113 diff -urNp linux-2.6.39.3/include/linux/binfmts.h linux-2.6.39.3/include/linux/binfmts.h
62114 --- linux-2.6.39.3/include/linux/binfmts.h 2011-05-19 00:06:34.000000000 -0400
62115 +++ linux-2.6.39.3/include/linux/binfmts.h 2011-05-22 19:36:32.000000000 -0400
62116 @@ -92,6 +92,7 @@ struct linux_binfmt {
62117 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
62118 int (*load_shlib)(struct file *);
62119 int (*core_dump)(struct coredump_params *cprm);
62120 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
62121 unsigned long min_coredump; /* minimal dump size */
62122 };
62123
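Review bot: `handle_mprotect` is added without a comment, unlike `min_coredump` on the next line, and existing `linux_binfmt` instances that do not name it in their initializer will leave it NULL. The caller, which is outside this hunk, therefore has to test the pointer before calling through it. I would document that on the member: `/* optional, may be NULL; receives the vma and the requested new flags */`.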
62124 diff -urNp linux-2.6.39.3/include/linux/blkdev.h linux-2.6.39.3/include/linux/blkdev.h
62125 --- linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:04:14.000000000 -0400
62126 +++ linux-2.6.39.3/include/linux/blkdev.h 2011-06-03 00:32:08.000000000 -0400
62127 @@ -1292,22 +1292,22 @@ queue_max_integrity_segments(struct requ
62128 #endif /* CONFIG_BLK_DEV_INTEGRITY */
62129
62130 struct block_device_operations {
62131 - int (*open) (struct block_device *, fmode_t);
62132 - int (*release) (struct gendisk *, fmode_t);
62133 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62134 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62135 - int (*direct_access) (struct block_device *, sector_t,
62136 + int (* const open) (struct block_device *, fmode_t);
62137 + int (* const release) (struct gendisk *, fmode_t);
62138 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62139 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
62140 + int (* const direct_access) (struct block_device *, sector_t,
62141 void **, unsigned long *);
62142 - unsigned int (*check_events) (struct gendisk *disk,
62143 + unsigned int (* const check_events) (struct gendisk *disk,
62144 unsigned int clearing);
62145 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
62146 - int (*media_changed) (struct gendisk *);
62147 - void (*unlock_native_capacity) (struct gendisk *);
62148 - int (*revalidate_disk) (struct gendisk *);
62149 - int (*getgeo)(struct block_device *, struct hd_geometry *);
62150 + int (* const media_changed) (struct gendisk *);
62151 + void (* const unlock_native_capacity) (struct gendisk *);
62152 + int (* const revalidate_disk) (struct gendisk *);
62153 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
62154 /* this callback is with swap_lock and sometimes page table lock held */
62155 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
62156 - struct module *owner;
62157 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
62158 + struct module * const owner;
62159 };
62160
62161 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
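Review bot: Qualifying every member as `* const` means a `block_device_operations` can only be filled in through an initializer, so any driver that assigns or patches a field at run time, or sets up a heap-allocated instance field by field, stops compiling. The same pattern is applied to `dma_map_ops` in include/linux/dma-mapping.h and to `address_space_operations`, `file_lock_operations` and `lock_manager_operations` in include/linux/fs.h. The rule should be stated once above each struct, e.g. `/* all members are const: instances must be fully initialised at definition */`, so that a build failure in an out-of-tree driver is understood as intended hardening rather than a regression.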
62162 diff -urNp linux-2.6.39.3/include/linux/blktrace_api.h linux-2.6.39.3/include/linux/blktrace_api.h
62163 --- linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-19 00:06:34.000000000 -0400
62164 +++ linux-2.6.39.3/include/linux/blktrace_api.h 2011-05-22 19:36:32.000000000 -0400
62165 @@ -161,7 +161,7 @@ struct blk_trace {
62166 struct dentry *dir;
62167 struct dentry *dropped_file;
62168 struct dentry *msg_file;
62169 - atomic_t dropped;
62170 + atomic_unchecked_t dropped;
62171 };
62172
62173 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
62174 diff -urNp linux-2.6.39.3/include/linux/byteorder/little_endian.h linux-2.6.39.3/include/linux/byteorder/little_endian.h
62175 --- linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-19 00:06:34.000000000 -0400
62176 +++ linux-2.6.39.3/include/linux/byteorder/little_endian.h 2011-05-22 19:36:32.000000000 -0400
62177 @@ -42,51 +42,51 @@
62178
62179 static inline __le64 __cpu_to_le64p(const __u64 *p)
62180 {
62181 - return (__force __le64)*p;
62182 + return (__force const __le64)*p;
62183 }
62184 static inline __u64 __le64_to_cpup(const __le64 *p)
62185 {
62186 - return (__force __u64)*p;
62187 + return (__force const __u64)*p;
62188 }
62189 static inline __le32 __cpu_to_le32p(const __u32 *p)
62190 {
62191 - return (__force __le32)*p;
62192 + return (__force const __le32)*p;
62193 }
62194 static inline __u32 __le32_to_cpup(const __le32 *p)
62195 {
62196 - return (__force __u32)*p;
62197 + return (__force const __u32)*p;
62198 }
62199 static inline __le16 __cpu_to_le16p(const __u16 *p)
62200 {
62201 - return (__force __le16)*p;
62202 + return (__force const __le16)*p;
62203 }
62204 static inline __u16 __le16_to_cpup(const __le16 *p)
62205 {
62206 - return (__force __u16)*p;
62207 + return (__force const __u16)*p;
62208 }
62209 static inline __be64 __cpu_to_be64p(const __u64 *p)
62210 {
62211 - return (__force __be64)__swab64p(p);
62212 + return (__force const __be64)__swab64p(p);
62213 }
62214 static inline __u64 __be64_to_cpup(const __be64 *p)
62215 {
62216 - return __swab64p((__u64 *)p);
62217 + return __swab64p((const __u64 *)p);
62218 }
62219 static inline __be32 __cpu_to_be32p(const __u32 *p)
62220 {
62221 - return (__force __be32)__swab32p(p);
62222 + return (__force const __be32)__swab32p(p);
62223 }
62224 static inline __u32 __be32_to_cpup(const __be32 *p)
62225 {
62226 - return __swab32p((__u32 *)p);
62227 + return __swab32p((const __u32 *)p);
62228 }
62229 static inline __be16 __cpu_to_be16p(const __u16 *p)
62230 {
62231 - return (__force __be16)__swab16p(p);
62232 + return (__force const __be16)__swab16p(p);
62233 }
62234 static inline __u16 __be16_to_cpup(const __be16 *p)
62235 {
62236 - return __swab16p((__u16 *)p);
62237 + return __swab16p((const __u16 *)p);
62238 }
62239 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
62240 #define __le64_to_cpus(x) do { (void)(x); } while (0)
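Review bot: The `const` added to the value casts, as in `(__force const __le64)*p`, qualifies an rvalue and has no effect on the result. Only the pointer casts such as `(const __u64 *)p` change anything, because they no longer cast away the `const` of the parameter. I would keep the pointer-cast changes and leave the value casts as `(__force __le64)*p`, unless a checker requires the qualifier, in which case a comment should say which one.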
62241 diff -urNp linux-2.6.39.3/include/linux/cache.h linux-2.6.39.3/include/linux/cache.h
62242 --- linux-2.6.39.3/include/linux/cache.h 2011-05-19 00:06:34.000000000 -0400
62243 +++ linux-2.6.39.3/include/linux/cache.h 2011-05-22 19:36:32.000000000 -0400
62244 @@ -16,6 +16,10 @@
62245 #define __read_mostly
62246 #endif
62247
62248 +#ifndef __read_only
62249 +#define __read_only __read_mostly
62250 +#endif
62251 +
62252 #ifndef ____cacheline_aligned
62253 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
62254 #endif
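Review bot: The fallback `#define __read_only __read_mostly` means that on an architecture without its own `__read_only`, annotated variables stay in ordinary writable data, and the build gives no indication. Where `__read_mostly` itself falls back to the empty definition at the top of this hunk, the annotation does nothing at all. Because the name reads as a protection guarantee, the fallback deserves a comment, e.g. `/* no arch support: __read_only is only a placement hint here and gives no write protection */`.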
62255 diff -urNp linux-2.6.39.3/include/linux/capability.h linux-2.6.39.3/include/linux/capability.h
62256 --- linux-2.6.39.3/include/linux/capability.h 2011-05-19 00:06:34.000000000 -0400
62257 +++ linux-2.6.39.3/include/linux/capability.h 2011-05-22 21:02:47.000000000 -0400
62258 @@ -547,6 +547,9 @@ extern bool capable(int cap);
62259 extern bool ns_capable(struct user_namespace *ns, int cap);
62260 extern bool task_ns_capable(struct task_struct *t, int cap);
62261 extern bool nsown_capable(int cap);
62262 +extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
62263 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
62264 +extern bool capable_nolog(int cap);
62265
62266 /* audit system wants to get cap info from files as well */
62267 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
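Review bot: The three `_nolog` declarations are added without any comment on how they differ from `capable()`, `ns_capable()` and `task_ns_capable()` declared just above. Going by the names they presumably perform the same check without writing a log entry; the definitions are outside this hunk, so that is to be confirmed. The contract should be stated so that a caller does not pick the silent variant for a decision that ought to be audited, for example `/* _nolog variants: same capability check, no log entry; not for decisions that must leave an audit trail */`.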
62268 diff -urNp linux-2.6.39.3/include/linux/compiler-gcc4.h linux-2.6.39.3/include/linux/compiler-gcc4.h
62269 --- linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-19 00:06:34.000000000 -0400
62270 +++ linux-2.6.39.3/include/linux/compiler-gcc4.h 2011-05-22 19:36:32.000000000 -0400
62271 @@ -46,6 +46,11 @@
62272 #define __noclone __attribute__((__noclone__))
62273
62274 #endif
62275 +
62276 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
62277 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
62278 +#define __bos0(ptr) __bos((ptr), 0)
62279 +#define __bos1(ptr) __bos((ptr), 1)
62280 #endif
62281
62282 #if __GNUC_MINOR__ > 0
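Review bot: `__alloc_size` is spelled with `__attribute(` while the `__noclone` definition at the top of the hunk uses `__attribute__(`; GCC accepts both, but the file should stay consistent: `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. The added block sits between two `#endif` lines whose matching `#if` is outside the hunk, so it is not visible which compiler versions receive these definitions. Confirm that the guard only admits versions that implement `alloc_size` and `__builtin_object_size`.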
62283 diff -urNp linux-2.6.39.3/include/linux/compiler.h linux-2.6.39.3/include/linux/compiler.h
62284 --- linux-2.6.39.3/include/linux/compiler.h 2011-05-19 00:06:34.000000000 -0400
62285 +++ linux-2.6.39.3/include/linux/compiler.h 2011-05-22 19:36:32.000000000 -0400
62286 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
62287 #define __cold
62288 #endif
62289
62290 +#ifndef __alloc_size
62291 +#define __alloc_size
62292 +#endif
62293 +
62294 +#ifndef __bos
62295 +#define __bos
62296 +#endif
62297 +
62298 +#ifndef __bos0
62299 +#define __bos0
62300 +#endif
62301 +
62302 +#ifndef __bos1
62303 +#define __bos1
62304 +#endif
62305 +
62306 /* Simple shorthand for a section definition */
62307 #ifndef __section
62308 # define __section(S) __attribute__ ((__section__(#S)))
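Review bot: The four fallbacks are object-like macros with empty bodies, whereas compiler-gcc4.h defines `__alloc_size`, `__bos`, `__bos0` and `__bos1` as function-like macros. With a compiler that takes the fallback, `__bos0(p)` expands to `(p)`, which is the pointer rather than a size, and `__alloc_size(1)` leaves a stray `(1)` in the declaration. A bounds check written against `__bos0()` would then compare a length with a pointer value and silently stop protecting anything. The fallbacks should take the same arguments and yield the "size unknown" value that `__builtin_object_size` returns for types 0 and 1, as sketched below.

```c
#ifndef __alloc_size
#define __alloc_size(...)
#endif

/* "size unknown", as __builtin_object_size reports for types 0 and 1 */
#ifndef __bos
#define __bos(ptr, arg) ((size_t)-1)
#endif

#ifndef __bos0
#define __bos0(ptr) __bos((ptr), 0)
#endif

#ifndef __bos1
#define __bos1(ptr) __bos((ptr), 1)
#endif
```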
62309 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
62310 * use is to mediate communication between process-level code and irq/NMI
62311 * handlers, all running on the same CPU.
62312 */
62313 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
62314 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
62315 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
62316
62317 #endif /* __LINUX_COMPILER_H */
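Review bot: `ACCESS_ONCE()` now yields a `const` lvalue and stores have to go through the new `ACCESS_ONCE_RW()`, but the comment block ending just above the macros still describes a single macro. Add a line to it such as `ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for a store or a read-modify-write.` The comment block starts outside this hunk.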
62318 diff -urNp linux-2.6.39.3/include/linux/concap.h linux-2.6.39.3/include/linux/concap.h
62319 --- linux-2.6.39.3/include/linux/concap.h 2011-05-19 00:06:34.000000000 -0400
62320 +++ linux-2.6.39.3/include/linux/concap.h 2011-05-22 19:36:32.000000000 -0400
62321 @@ -30,7 +30,7 @@ struct concap_device_ops;
62322 struct concap_proto{
62323 struct net_device *net_dev; /* net device using our service */
62324 struct concap_device_ops *dops; /* callbacks provided by device */
62325 - struct concap_proto_ops *pops; /* callbacks provided by us */
62326 + const struct concap_proto_ops *pops; /* callbacks provided by us */
62327 spinlock_t lock;
62328 int flags;
62329 void *proto_data; /* protocol specific private data, to
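Review bot: Only `pops` is made `const`; `dops` on the line above stays a pointer to a writable `struct concap_device_ops`, and the hunk gives no reason for the difference. The configfs.h hunk has the same asymmetry, constifying `ct_group_ops` but not `ct_item_ops`. If the intent is that callback tables reachable from these structures can live in read-only memory, either constify the remaining pointer, `const struct concap_device_ops *dops;`, or add a comment saying why it must stay writable.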
62330 diff -urNp linux-2.6.39.3/include/linux/configfs.h linux-2.6.39.3/include/linux/configfs.h
62331 --- linux-2.6.39.3/include/linux/configfs.h 2011-05-19 00:06:34.000000000 -0400
62332 +++ linux-2.6.39.3/include/linux/configfs.h 2011-05-22 19:36:32.000000000 -0400
62333 @@ -82,7 +82,7 @@ extern void config_item_put(struct confi
62334 struct config_item_type {
62335 struct module *ct_owner;
62336 struct configfs_item_operations *ct_item_ops;
62337 - struct configfs_group_operations *ct_group_ops;
62338 + const struct configfs_group_operations *ct_group_ops;
62339 struct configfs_attribute **ct_attrs;
62340 };
62341
62342 diff -urNp linux-2.6.39.3/include/linux/cpuset.h linux-2.6.39.3/include/linux/cpuset.h
62343 --- linux-2.6.39.3/include/linux/cpuset.h 2011-05-19 00:06:34.000000000 -0400
62344 +++ linux-2.6.39.3/include/linux/cpuset.h 2011-05-22 19:36:32.000000000 -0400
62345 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
62346 * nodemask.
62347 */
62348 smp_mb();
62349 - --ACCESS_ONCE(current->mems_allowed_change_disable);
62350 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
62351 }
62352
62353 static inline void set_mems_allowed(nodemask_t nodemask)
62354 diff -urNp linux-2.6.39.3/include/linux/dca.h linux-2.6.39.3/include/linux/dca.h
62355 --- linux-2.6.39.3/include/linux/dca.h 2011-05-19 00:06:34.000000000 -0400
62356 +++ linux-2.6.39.3/include/linux/dca.h 2011-05-22 19:36:32.000000000 -0400
62357 @@ -34,7 +34,7 @@ void dca_unregister_notify(struct notifi
62358
62359 struct dca_provider {
62360 struct list_head node;
62361 - struct dca_ops *ops;
62362 + const struct dca_ops *ops;
62363 struct device *cd;
62364 int id;
62365 };
62366 @@ -53,7 +53,7 @@ struct dca_ops {
62367 int (*dev_managed) (struct dca_provider *, struct device *);
62368 };
62369
62370 -struct dca_provider *alloc_dca_provider(struct dca_ops *ops, int priv_size);
62371 +struct dca_provider *alloc_dca_provider(const struct dca_ops *ops, int priv_size);
62372 void free_dca_provider(struct dca_provider *dca);
62373 int register_dca_provider(struct dca_provider *dca, struct device *dev);
62374 void unregister_dca_provider(struct dca_provider *dca, struct device *dev);
62375 diff -urNp linux-2.6.39.3/include/linux/decompress/mm.h linux-2.6.39.3/include/linux/decompress/mm.h
62376 --- linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-19 00:06:34.000000000 -0400
62377 +++ linux-2.6.39.3/include/linux/decompress/mm.h 2011-05-22 19:36:33.000000000 -0400
62378 @@ -77,7 +77,7 @@ static void free(void *where)
62379 * warnings when not needed (indeed large_malloc / large_free are not
62380 * needed by inflate */
62381
62382 -#define malloc(a) kmalloc(a, GFP_KERNEL)
62383 +#define malloc(a) kmalloc((a), GFP_KERNEL)
62384 #define free(a) kfree(a)
62385
62386 #define large_malloc(a) vmalloc(a)
62387 diff -urNp linux-2.6.39.3/include/linux/dma-mapping.h linux-2.6.39.3/include/linux/dma-mapping.h
62388 --- linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-19 00:06:34.000000000 -0400
62389 +++ linux-2.6.39.3/include/linux/dma-mapping.h 2011-05-22 19:36:33.000000000 -0400
62390 @@ -16,40 +16,40 @@ enum dma_data_direction {
62391 };
62392
62393 struct dma_map_ops {
62394 - void* (*alloc_coherent)(struct device *dev, size_t size,
62395 + void* (* const alloc_coherent)(struct device *dev, size_t size,
62396 dma_addr_t *dma_handle, gfp_t gfp);
62397 - void (*free_coherent)(struct device *dev, size_t size,
62398 + void (* const free_coherent)(struct device *dev, size_t size,
62399 void *vaddr, dma_addr_t dma_handle);
62400 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
62401 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
62402 unsigned long offset, size_t size,
62403 enum dma_data_direction dir,
62404 struct dma_attrs *attrs);
62405 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
62406 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
62407 size_t size, enum dma_data_direction dir,
62408 struct dma_attrs *attrs);
62409 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
62410 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
62411 int nents, enum dma_data_direction dir,
62412 struct dma_attrs *attrs);
62413 - void (*unmap_sg)(struct device *dev,
62414 + void (* const unmap_sg)(struct device *dev,
62415 struct scatterlist *sg, int nents,
62416 enum dma_data_direction dir,
62417 struct dma_attrs *attrs);
62418 - void (*sync_single_for_cpu)(struct device *dev,
62419 + void (* const sync_single_for_cpu)(struct device *dev,
62420 dma_addr_t dma_handle, size_t size,
62421 enum dma_data_direction dir);
62422 - void (*sync_single_for_device)(struct device *dev,
62423 + void (* const sync_single_for_device)(struct device *dev,
62424 dma_addr_t dma_handle, size_t size,
62425 enum dma_data_direction dir);
62426 - void (*sync_sg_for_cpu)(struct device *dev,
62427 + void (* const sync_sg_for_cpu)(struct device *dev,
62428 struct scatterlist *sg, int nents,
62429 enum dma_data_direction dir);
62430 - void (*sync_sg_for_device)(struct device *dev,
62431 + void (* const sync_sg_for_device)(struct device *dev,
62432 struct scatterlist *sg, int nents,
62433 enum dma_data_direction dir);
62434 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
62435 - int (*dma_supported)(struct device *dev, u64 mask);
62436 - int (*set_dma_mask)(struct device *dev, u64 mask);
62437 - int is_phys;
62438 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
62439 + int (* const dma_supported)(struct device *dev, u64 mask);
62440 + int (* set_dma_mask)(struct device *dev, u64 mask);
62441 + const int is_phys;
62442 };
62443
62444 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
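Review bot: `set_dma_mask` is the one callback left without `const` (`int (* set_dma_mask)(...)`), and only whitespace changed on that line, so a reader cannot tell whether it was missed or is deliberately writable. A writable function pointer in an otherwise constant ops table is the member an attacker with a kernel write primitive would target, so the exception should be justified. If something assigns it at run time, say so with `/* not const: assigned at run time, TODO name the writer */`; otherwise make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like its neighbours.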
62445 diff -urNp linux-2.6.39.3/include/linux/elf.h linux-2.6.39.3/include/linux/elf.h
62446 --- linux-2.6.39.3/include/linux/elf.h 2011-05-19 00:06:34.000000000 -0400
62447 +++ linux-2.6.39.3/include/linux/elf.h 2011-05-22 19:36:33.000000000 -0400
62448 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
62449 #define PT_GNU_EH_FRAME 0x6474e550
62450
62451 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
62452 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
62453 +
62454 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
62455 +
62456 +/* Constants for the e_flags field */
62457 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62458 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
62459 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
62460 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
62461 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62462 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62463
62464 /*
62465 * Extended Numbering
62466 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
62467 #define DT_DEBUG 21
62468 #define DT_TEXTREL 22
62469 #define DT_JMPREL 23
62470 +#define DT_FLAGS 30
62471 + #define DF_TEXTREL 0x00000004
62472 #define DT_ENCODING 32
62473 #define OLD_DT_LOOS 0x60000000
62474 #define DT_LOOS 0x6000000d
62475 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
62476 #define PF_W 0x2
62477 #define PF_X 0x1
62478
62479 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
62480 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
62481 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
62482 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
62483 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
62484 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
62485 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
62486 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
62487 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
62488 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
62489 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
62490 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
62491 +
62492 typedef struct elf32_phdr{
62493 Elf32_Word p_type;
62494 Elf32_Off p_offset;
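Review bot: Each feature gets an enable bit and a disable bit (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), which leaves two states this header does not define: both bits set, and neither set. These flags come from the program header of a file the kernel is asked to execute, so the parser, which is outside this hunk, has to treat them as untrusted input and produce a defined result for the contradictory case. A comment above the block should state the rule, for example `/* per pair: neither bit = system default; both bits = invalid, TODO document the outcome */`.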
62495 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
62496 #define EI_OSABI 7
62497 #define EI_PAD 8
62498
62499 +#define EI_PAX 14
62500 +
62501 #define ELFMAG0 0x7f /* EI_MAG */
62502 #define ELFMAG1 'E'
62503 #define ELFMAG2 'L'
62504 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
62505 #define elf_note elf32_note
62506 #define elf_addr_t Elf32_Off
62507 #define Elf_Half Elf32_Half
62508 +#define elf_dyn Elf32_Dyn
62509
62510 #else
62511
62512 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
62513 #define elf_note elf64_note
62514 #define elf_addr_t Elf64_Off
62515 #define Elf_Half Elf64_Half
62516 +#define elf_dyn Elf64_Dyn
62517
62518 #endif
62519
62520 diff -urNp linux-2.6.39.3/include/linux/enclosure.h linux-2.6.39.3/include/linux/enclosure.h
62521 --- linux-2.6.39.3/include/linux/enclosure.h 2011-05-19 00:06:34.000000000 -0400
62522 +++ linux-2.6.39.3/include/linux/enclosure.h 2011-05-22 19:36:33.000000000 -0400
62523 @@ -98,7 +98,7 @@ struct enclosure_device {
62524 void *scratch;
62525 struct list_head node;
62526 struct device edev;
62527 - struct enclosure_component_callbacks *cb;
62528 + const struct enclosure_component_callbacks *cb;
62529 int components;
62530 struct enclosure_component component[0];
62531 };
62532 diff -urNp linux-2.6.39.3/include/linux/fscache-cache.h linux-2.6.39.3/include/linux/fscache-cache.h
62533 --- linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-19 00:06:34.000000000 -0400
62534 +++ linux-2.6.39.3/include/linux/fscache-cache.h 2011-05-22 19:36:33.000000000 -0400
62535 @@ -113,7 +113,7 @@ struct fscache_operation {
62536 #endif
62537 };
62538
62539 -extern atomic_t fscache_op_debug_id;
62540 +extern atomic_unchecked_t fscache_op_debug_id;
62541 extern void fscache_op_work_func(struct work_struct *work);
62542
62543 extern void fscache_enqueue_operation(struct fscache_operation *);
62544 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
62545 {
62546 INIT_WORK(&op->work, fscache_op_work_func);
62547 atomic_set(&op->usage, 1);
62548 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
62549 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
62550 op->processor = processor;
62551 op->release = release;
62552 INIT_LIST_HEAD(&op->pend_link);
62553 diff -urNp linux-2.6.39.3/include/linux/fs.h linux-2.6.39.3/include/linux/fs.h
62554 --- linux-2.6.39.3/include/linux/fs.h 2011-05-19 00:06:34.000000000 -0400
62555 +++ linux-2.6.39.3/include/linux/fs.h 2011-05-22 19:41:42.000000000 -0400
62556 @@ -108,6 +108,11 @@ struct inodes_stat_t {
62557 /* File was opened by fanotify and shouldn't generate fanotify events */
62558 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
62559
62560 +/* Hack for grsec so as not to require read permission simply to execute
62561 + * a binary
62562 + */
62563 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
62564 +
62565 /*
62566 * The below are the various read and write types that we support. Some of
62567 * them include behavioral modifiers that send information down to the
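Review bot: `FMODE_GREXEC` takes the next bit after `FMODE_NONOTIFY` (0x1000000) in the shared `fmode_t` space, and its comment calls it a hack without saying who sets the flag or when it is cleared. Because the flag relaxes a read-permission requirement, it matters that only the kernel can set it on the exec path and that it is never derived from flags supplied by userspace; the code that sets it is outside this hunk, so that is to be confirmed. I would extend the comment along the lines of `/* kernel-internal, set only while opening a file for execution; never taken from userspace open flags */`.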
62568 @@ -575,41 +580,41 @@ typedef int (*read_actor_t)(read_descrip
62569 unsigned long, unsigned long);
62570
62571 struct address_space_operations {
62572 - int (*writepage)(struct page *page, struct writeback_control *wbc);
62573 - int (*readpage)(struct file *, struct page *);
62574 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
62575 + int (* const readpage)(struct file *, struct page *);
62576
62577 /* Write back some dirty pages from this mapping. */
62578 - int (*writepages)(struct address_space *, struct writeback_control *);
62579 + int (* const writepages)(struct address_space *, struct writeback_control *);
62580
62581 /* Set a page dirty. Return true if this dirtied it */
62582 - int (*set_page_dirty)(struct page *page);
62583 + int (* const set_page_dirty)(struct page *page);
62584
62585 - int (*readpages)(struct file *filp, struct address_space *mapping,
62586 + int (* const readpages)(struct file *filp, struct address_space *mapping,
62587 struct list_head *pages, unsigned nr_pages);
62588
62589 - int (*write_begin)(struct file *, struct address_space *mapping,
62590 + int (* const write_begin)(struct file *, struct address_space *mapping,
62591 loff_t pos, unsigned len, unsigned flags,
62592 struct page **pagep, void **fsdata);
62593 - int (*write_end)(struct file *, struct address_space *mapping,
62594 + int (* const write_end)(struct file *, struct address_space *mapping,
62595 loff_t pos, unsigned len, unsigned copied,
62596 struct page *page, void *fsdata);
62597
62598 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
62599 - sector_t (*bmap)(struct address_space *, sector_t);
62600 - void (*invalidatepage) (struct page *, unsigned long);
62601 - int (*releasepage) (struct page *, gfp_t);
62602 - void (*freepage)(struct page *);
62603 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
62604 + sector_t (* const bmap)(struct address_space *, sector_t);
62605 + void (* const invalidatepage) (struct page *, unsigned long);
62606 + int (* const releasepage) (struct page *, gfp_t);
62607 + void (* const freepage)(struct page *);
62608 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
62609 loff_t offset, unsigned long nr_segs);
62610 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
62611 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
62612 void **, unsigned long *);
62613 /* migrate the contents of a page to the specified target */
62614 - int (*migratepage) (struct address_space *,
62615 + int (* const migratepage) (struct address_space *,
62616 struct page *, struct page *);
62617 - int (*launder_page) (struct page *);
62618 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
62619 + int (* const launder_page) (struct page *);
62620 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
62621 unsigned long);
62622 - int (*error_remove_page)(struct address_space *, struct page *);
62623 + int (* const error_remove_page)(struct address_space *, struct page *);
62624 };
62625
62626 extern const struct address_space_operations empty_aops;
62627 @@ -1060,17 +1065,17 @@ static inline int file_check_writeable(s
62628 typedef struct files_struct *fl_owner_t;
62629
62630 struct file_lock_operations {
62631 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
62632 - void (*fl_release_private)(struct file_lock *);
62633 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
62634 + void (* const fl_release_private)(struct file_lock *);
62635 };
62636
62637 struct lock_manager_operations {
62638 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
62639 - void (*fl_notify)(struct file_lock *); /* unblock callback */
62640 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
62641 - void (*fl_release_private)(struct file_lock *);
62642 - void (*fl_break)(struct file_lock *);
62643 - int (*fl_change)(struct file_lock **, int);
62644 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
62645 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
62646 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
62647 + void (* const fl_release_private)(struct file_lock *);
62648 + void (* const fl_break)(struct file_lock *);
62649 + int (* const fl_change)(struct file_lock **, int);
62650 };
62651
62652 struct lock_manager {
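Review bot: Neither `struct file_lock_operations` nor `struct lock_manager_operations` says that its members are now initializer-only, and the same holds for `struct super_operations` in the next hunk. With `(* const name)` members, any code that fills or patches one of these tables by assignment stops compiling, and a reader who meets that error has no hint that it is intended. A one-line comment above each definition would record it, for example `/* all members are const: set them in the initializer, never by assignment */`. Whether every user of these tables already initializes them statically cannot be checked from these hunks.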
62653 @@ -1611,31 +1616,31 @@ extern ssize_t vfs_writev(struct file *,
62654 unsigned long, loff_t *);
62655
62656 struct super_operations {
62657 - struct inode *(*alloc_inode)(struct super_block *sb);
62658 - void (*destroy_inode)(struct inode *);
62659 + struct inode *(* const alloc_inode)(struct super_block *sb);
62660 + void (* const destroy_inode)(struct inode *);
62661
62662 - void (*dirty_inode) (struct inode *);
62663 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
62664 - int (*drop_inode) (struct inode *);
62665 - void (*evict_inode) (struct inode *);
62666 - void (*put_super) (struct super_block *);
62667 - void (*write_super) (struct super_block *);
62668 - int (*sync_fs)(struct super_block *sb, int wait);
62669 - int (*freeze_fs) (struct super_block *);
62670 - int (*unfreeze_fs) (struct super_block *);
62671 - int (*statfs) (struct dentry *, struct kstatfs *);
62672 - int (*remount_fs) (struct super_block *, int *, char *);
62673 - void (*umount_begin) (struct super_block *);
62674 -
62675 - int (*show_options)(struct seq_file *, struct vfsmount *);
62676 - int (*show_devname)(struct seq_file *, struct vfsmount *);
62677 - int (*show_path)(struct seq_file *, struct vfsmount *);
62678 - int (*show_stats)(struct seq_file *, struct vfsmount *);
62679 + void (* const dirty_inode) (struct inode *);
62680 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
62681 + int (* const drop_inode) (struct inode *);
62682 + void (* const evict_inode) (struct inode *);
62683 + void (* const put_super) (struct super_block *);
62684 + void (* const write_super) (struct super_block *);
62685 + int (* const sync_fs)(struct super_block *sb, int wait);
62686 + int (* const freeze_fs) (struct super_block *);
62687 + int (* const unfreeze_fs) (struct super_block *);
62688 + int (* const statfs) (struct dentry *, struct kstatfs *);
62689 + int (* const remount_fs) (struct super_block *, int *, char *);
62690 + void (* const umount_begin) (struct super_block *);
62691 +
62692 + int (* const show_options)(struct seq_file *, struct vfsmount *);
62693 + int (* const show_devname)(struct seq_file *, struct vfsmount *);
62694 + int (* const show_path)(struct seq_file *, struct vfsmount *);
62695 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
62696 #ifdef CONFIG_QUOTA
62697 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
62698 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62699 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
62700 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
62701 #endif
62702 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62703 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
62704 };
62705
62706 /*
62707 diff -urNp linux-2.6.39.3/include/linux/fs_struct.h linux-2.6.39.3/include/linux/fs_struct.h
62708 --- linux-2.6.39.3/include/linux/fs_struct.h 2011-05-19 00:06:34.000000000 -0400
62709 +++ linux-2.6.39.3/include/linux/fs_struct.h 2011-05-22 19:36:33.000000000 -0400
62710 @@ -6,7 +6,7 @@
62711 #include <linux/seqlock.h>
62712
62713 struct fs_struct {
62714 - int users;
62715 + atomic_t users;
62716 spinlock_t lock;
62717 seqcount_t seq;
62718 int umask;
62719 diff -urNp linux-2.6.39.3/include/linux/ftrace_event.h linux-2.6.39.3/include/linux/ftrace_event.h
62720 --- linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-19 00:06:34.000000000 -0400
62721 +++ linux-2.6.39.3/include/linux/ftrace_event.h 2011-05-22 19:36:33.000000000 -0400
62722 @@ -235,7 +235,7 @@ extern int trace_define_field(struct ftr
62723 extern int trace_add_event_call(struct ftrace_event_call *call);
62724 extern void trace_remove_event_call(struct ftrace_event_call *call);
62725
62726 -#define is_signed_type(type) (((type)(-1)) < 0)
62727 +#define is_signed_type(type) (((type)(-1)) < (type)1)
62728
62729 int trace_set_clr_event(const char *system, const char *event, int set);
62730
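Review bot: The rewritten `is_signed_type()` has no comment saying why it compares against `(type)1` rather than `0`, so it reads like a slip that someone will later "simplify" back. Both forms give the same answer for integer types. The new one presumably exists to keep the compiler from flagging an always-false `< 0` comparison on unsigned types, and that reason belongs above the macro, e.g. `/* compare with (type)1, not 0, so unsigned types do not trigger an always-false comparison warning */`.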
62731 diff -urNp linux-2.6.39.3/include/linux/ftrace.h linux-2.6.39.3/include/linux/ftrace.h
62732 --- linux-2.6.39.3/include/linux/ftrace.h 2011-05-19 00:06:34.000000000 -0400
62733 +++ linux-2.6.39.3/include/linux/ftrace.h 2011-05-22 19:36:33.000000000 -0400
62734 @@ -140,7 +140,7 @@ extern void
62735 unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
62736 void *data);
62737 extern void
62738 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops);
62739 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops);
62740 extern void unregister_ftrace_function_probe_all(char *glob);
62741
62742 extern int ftrace_text_reserved(void *start, void *end);
62743 diff -urNp linux-2.6.39.3/include/linux/genhd.h linux-2.6.39.3/include/linux/genhd.h
62744 --- linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:04:14.000000000 -0400
62745 +++ linux-2.6.39.3/include/linux/genhd.h 2011-06-03 00:32:08.000000000 -0400
62746 @@ -184,7 +184,7 @@ struct gendisk {
62747 struct kobject *slave_dir;
62748
62749 struct timer_rand_state *random;
62750 - atomic_t sync_io; /* RAID */
62751 + atomic_unchecked_t sync_io; /* RAID */
62752 struct disk_events *ev;
62753 #ifdef CONFIG_BLK_DEV_INTEGRITY
62754 struct blk_integrity *integrity;
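Review bot: The `sync_io` field keeps only its old `/* RAID */` comment, which does not explain why it moves to `atomic_unchecked_t`. That type is defined outside this hunk; if it is the variant that opts out of overflow detection, the reason should be on record, because an unchecked counter that is later reused as a reference count would lose that protection silently. Something like `/* RAID sync I/O statistic, not a refcount: wraparound is harmless */` would do, assuming that is how the field is used. `struct gendisk` starts and ends outside the hunk.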
62755 diff -urNp linux-2.6.39.3/include/linux/gracl.h linux-2.6.39.3/include/linux/gracl.h
62756 --- linux-2.6.39.3/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
62757 +++ linux-2.6.39.3/include/linux/gracl.h 2011-05-22 19:41:42.000000000 -0400
62758 @@ -0,0 +1,317 @@
62759 +#ifndef GR_ACL_H
62760 +#define GR_ACL_H
62761 +
62762 +#include <linux/grdefs.h>
62763 +#include <linux/resource.h>
62764 +#include <linux/capability.h>
62765 +#include <linux/dcache.h>
62766 +#include <asm/resource.h>
62767 +
62768 +/* Major status information */
62769 +
62770 +#define GR_VERSION "grsecurity 2.2.2"
62771 +#define GRSECURITY_VERSION 0x2202
62772 +
62773 +enum {
62774 + GR_SHUTDOWN = 0,
62775 + GR_ENABLE = 1,
62776 + GR_SPROLE = 2,
62777 + GR_RELOAD = 3,
62778 + GR_SEGVMOD = 4,
62779 + GR_STATUS = 5,
62780 + GR_UNSPROLE = 6,
62781 + GR_PASSSET = 7,
62782 + GR_SPROLEPAM = 8,
62783 +};
62784 +
62785 +/* Password setup definitions
62786 + * kernel/grhash.c */
62787 +enum {
62788 + GR_PW_LEN = 128,
62789 + GR_SALT_LEN = 16,
62790 + GR_SHA_LEN = 32,
62791 +};
62792 +
62793 +enum {
62794 + GR_SPROLE_LEN = 64,
62795 +};
62796 +
62797 +enum {
62798 + GR_NO_GLOB = 0,
62799 + GR_REG_GLOB,
62800 + GR_CREATE_GLOB
62801 +};
62802 +
62803 +#define GR_NLIMITS 32
62804 +
62805 +/* Begin Data Structures */
62806 +
62807 +struct sprole_pw {
62808 + unsigned char *rolename;
62809 + unsigned char salt[GR_SALT_LEN];
62810 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
62811 +};
62812 +
62813 +struct name_entry {
62814 + __u32 key;
62815 + ino_t inode;
62816 + dev_t device;
62817 + char *name;
62818 + __u16 len;
62819 + __u8 deleted;
62820 + struct name_entry *prev;
62821 + struct name_entry *next;
62822 +};
62823 +
62824 +struct inodev_entry {
62825 + struct name_entry *nentry;
62826 + struct inodev_entry *prev;
62827 + struct inodev_entry *next;
62828 +};
62829 +
62830 +struct acl_role_db {
62831 + struct acl_role_label **r_hash;
62832 + __u32 r_size;
62833 +};
62834 +
62835 +struct inodev_db {
62836 + struct inodev_entry **i_hash;
62837 + __u32 i_size;
62838 +};
62839 +
62840 +struct name_db {
62841 + struct name_entry **n_hash;
62842 + __u32 n_size;
62843 +};
62844 +
62845 +struct crash_uid {
62846 + uid_t uid;
62847 + unsigned long expires;
62848 +};
62849 +
62850 +struct gr_hash_struct {
62851 + void **table;
62852 + void **nametable;
62853 + void *first;
62854 + __u32 table_size;
62855 + __u32 used_size;
62856 + int type;
62857 +};
62858 +
62859 +/* Userspace Grsecurity ACL data structures */
62860 +
62861 +struct acl_subject_label {
62862 + char *filename;
62863 + ino_t inode;
62864 + dev_t device;
62865 + __u32 mode;
62866 + kernel_cap_t cap_mask;
62867 + kernel_cap_t cap_lower;
62868 + kernel_cap_t cap_invert_audit;
62869 +
62870 + struct rlimit res[GR_NLIMITS];
62871 + __u32 resmask;
62872 +
62873 + __u8 user_trans_type;
62874 + __u8 group_trans_type;
62875 + uid_t *user_transitions;
62876 + gid_t *group_transitions;
62877 + __u16 user_trans_num;
62878 + __u16 group_trans_num;
62879 +
62880 + __u32 sock_families[2];
62881 + __u32 ip_proto[8];
62882 + __u32 ip_type;
62883 + struct acl_ip_label **ips;
62884 + __u32 ip_num;
62885 + __u32 inaddr_any_override;
62886 +
62887 + __u32 crashes;
62888 + unsigned long expires;
62889 +
62890 + struct acl_subject_label *parent_subject;
62891 + struct gr_hash_struct *hash;
62892 + struct acl_subject_label *prev;
62893 + struct acl_subject_label *next;
62894 +
62895 + struct acl_object_label **obj_hash;
62896 + __u32 obj_hash_size;
62897 + __u16 pax_flags;
62898 +};
62899 +
62900 +struct role_allowed_ip {
62901 + __u32 addr;
62902 + __u32 netmask;
62903 +
62904 + struct role_allowed_ip *prev;
62905 + struct role_allowed_ip *next;
62906 +};
62907 +
62908 +struct role_transition {
62909 + char *rolename;
62910 +
62911 + struct role_transition *prev;
62912 + struct role_transition *next;
62913 +};
62914 +
62915 +struct acl_role_label {
62916 + char *rolename;
62917 + uid_t uidgid;
62918 + __u16 roletype;
62919 +
62920 + __u16 auth_attempts;
62921 + unsigned long expires;
62922 +
62923 + struct acl_subject_label *root_label;
62924 + struct gr_hash_struct *hash;
62925 +
62926 + struct acl_role_label *prev;
62927 + struct acl_role_label *next;
62928 +
62929 + struct role_transition *transitions;
62930 + struct role_allowed_ip *allowed_ips;
62931 + uid_t *domain_children;
62932 + __u16 domain_child_num;
62933 +
62934 + struct acl_subject_label **subj_hash;
62935 + __u32 subj_hash_size;
62936 +};
62937 +
62938 +struct user_acl_role_db {
62939 + struct acl_role_label **r_table;
62940 + __u32 num_pointers; /* Number of allocations to track */
62941 + __u32 num_roles; /* Number of roles */
62942 + __u32 num_domain_children; /* Number of domain children */
62943 + __u32 num_subjects; /* Number of subjects */
62944 + __u32 num_objects; /* Number of objects */
62945 +};
62946 +
62947 +struct acl_object_label {
62948 + char *filename;
62949 + ino_t inode;
62950 + dev_t device;
62951 + __u32 mode;
62952 +
62953 + struct acl_subject_label *nested;
62954 + struct acl_object_label *globbed;
62955 +
62956 + /* next two structures not used */
62957 +
62958 + struct acl_object_label *prev;
62959 + struct acl_object_label *next;
62960 +};
62961 +
62962 +struct acl_ip_label {
62963 + char *iface;
62964 + __u32 addr;
62965 + __u32 netmask;
62966 + __u16 low, high;
62967 + __u8 mode;
62968 + __u32 type;
62969 + __u32 proto[8];
62970 +
62971 + /* next two structures not used */
62972 +
62973 + struct acl_ip_label *prev;
62974 + struct acl_ip_label *next;
62975 +};
62976 +
62977 +struct gr_arg {
62978 + struct user_acl_role_db role_db;
62979 + unsigned char pw[GR_PW_LEN];
62980 + unsigned char salt[GR_SALT_LEN];
62981 + unsigned char sum[GR_SHA_LEN];
62982 + unsigned char sp_role[GR_SPROLE_LEN];
62983 + struct sprole_pw *sprole_pws;
62984 + dev_t segv_device;
62985 + ino_t segv_inode;
62986 + uid_t segv_uid;
62987 + __u16 num_sprole_pws;
62988 + __u16 mode;
62989 +};
62990 +
62991 +struct gr_arg_wrapper {
62992 + struct gr_arg *arg;
62993 + __u32 version;
62994 + __u32 size;
62995 +};
62996 +
62997 +struct subject_map {
62998 + struct acl_subject_label *user;
62999 + struct acl_subject_label *kernel;
63000 + struct subject_map *prev;
63001 + struct subject_map *next;
63002 +};
63003 +
63004 +struct acl_subj_map_db {
63005 + struct subject_map **s_hash;
63006 + __u32 s_size;
63007 +};
63008 +
63009 +/* End Data Structures Section */
63010 +
63011 +/* Hash functions generated by empirical testing by Brad Spengler
63012 + Makes good use of the low bits of the inode. Generally 0-1 times
63013 + in loop for successful match. 0-3 for unsuccessful match.
63014 + Shift/add algorithm with modulus of table size and an XOR*/
63015 +
63016 +static __inline__ unsigned int
63017 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
63018 +{
63019 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
63020 +}
63021 +
63022 + static __inline__ unsigned int
63023 +shash(const struct acl_subject_label *userp, const unsigned int sz)
63024 +{
63025 + return ((const unsigned long)userp % sz);
63026 +}
63027 +
63028 +static __inline__ unsigned int
63029 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
63030 +{
63031 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
63032 +}
63033 +
63034 +static __inline__ unsigned int
63035 +nhash(const char *name, const __u16 len, const unsigned int sz)
63036 +{
63037 + return full_name_hash((const unsigned char *)name, len) % sz;
63038 +}
63039 +
63040 +#define FOR_EACH_ROLE_START(role) \
63041 + role = role_list; \
63042 + while (role) {
63043 +
63044 +#define FOR_EACH_ROLE_END(role) \
63045 + role = role->prev; \
63046 + }
63047 +
63048 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
63049 + subj = NULL; \
63050 + iter = 0; \
63051 + while (iter < role->subj_hash_size) { \
63052 + if (subj == NULL) \
63053 + subj = role->subj_hash[iter]; \
63054 + if (subj == NULL) { \
63055 + iter++; \
63056 + continue; \
63057 + }
63058 +
63059 +#define FOR_EACH_SUBJECT_END(subj,iter) \
63060 + subj = subj->next; \
63061 + if (subj == NULL) \
63062 + iter++; \
63063 + }
63064 +
63065 +
63066 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
63067 + subj = role->hash->first; \
63068 + while (subj != NULL) {
63069 +
63070 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
63071 + subj = subj->next; \
63072 + }
63073 +
63074 +#endif
63075 +
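Review bot: `rhash()` shifts by `16 + type`, and nothing in this header bounds `type`: the parameter is a `__u16`, and `struct acl_role_label` stores `roletype` in a `__u16` whose flag values in grdefs.h go up to 0x0800. A `type` of 16 or more pushes the shift count to the width of a 32-bit operand, which is undefined behaviour. All four hash helpers also take `% sz` with no zero check, while `subj_hash_size` and `obj_hash_size` sit in structures listed under the "Userspace Grsecurity ACL data structures" comment. The callers are not in this hunk and may already mask the type and reject empty tables, but the header should state the precondition, e.g. `/* type must be < 16 so the shift count stays below 32; sz must be non-zero */` above `rhash()`, with the `sz` remark repeated on `shash()`, `fhash()` and `nhash()`.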
63076 diff -urNp linux-2.6.39.3/include/linux/gralloc.h linux-2.6.39.3/include/linux/gralloc.h
63077 --- linux-2.6.39.3/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
63078 +++ linux-2.6.39.3/include/linux/gralloc.h 2011-05-22 19:41:42.000000000 -0400
63079 @@ -0,0 +1,9 @@
63080 +#ifndef __GRALLOC_H
63081 +#define __GRALLOC_H
63082 +
63083 +void acl_free_all(void);
63084 +int acl_alloc_stack_init(unsigned long size);
63085 +void *acl_alloc(unsigned long len);
63086 +void *acl_alloc_num(unsigned long num, unsigned long len);
63087 +
63088 +#endif
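Review bot: The four prototypes carry no contract, and for an allocator that is the part callers get wrong. `acl_alloc_num(num, len)` takes two `unsigned long` factors, so the header should state whether the product is checked for overflow and what is returned on failure; the implementation is outside this hunk, so that check cannot be confirmed here. A short comment per function would do, e.g. `/* returns NULL if num * len overflows or the allocation fails */` on `acl_alloc_num()`, adjusted to what the code really does.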
63089 diff -urNp linux-2.6.39.3/include/linux/grdefs.h linux-2.6.39.3/include/linux/grdefs.h
63090 --- linux-2.6.39.3/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
63091 +++ linux-2.6.39.3/include/linux/grdefs.h 2011-06-11 16:24:51.000000000 -0400
63092 @@ -0,0 +1,140 @@
63093 +#ifndef GRDEFS_H
63094 +#define GRDEFS_H
63095 +
63096 +/* Begin grsecurity status declarations */
63097 +
63098 +enum {
63099 + GR_READY = 0x01,
63100 + GR_STATUS_INIT = 0x00 // disabled state
63101 +};
63102 +
63103 +/* Begin ACL declarations */
63104 +
63105 +/* Role flags */
63106 +
63107 +enum {
63108 + GR_ROLE_USER = 0x0001,
63109 + GR_ROLE_GROUP = 0x0002,
63110 + GR_ROLE_DEFAULT = 0x0004,
63111 + GR_ROLE_SPECIAL = 0x0008,
63112 + GR_ROLE_AUTH = 0x0010,
63113 + GR_ROLE_NOPW = 0x0020,
63114 + GR_ROLE_GOD = 0x0040,
63115 + GR_ROLE_LEARN = 0x0080,
63116 + GR_ROLE_TPE = 0x0100,
63117 + GR_ROLE_DOMAIN = 0x0200,
63118 + GR_ROLE_PAM = 0x0400,
63119 + GR_ROLE_PERSIST = 0x0800
63120 +};
63121 +
63122 +/* ACL Subject and Object mode flags */
63123 +enum {
63124 + GR_DELETED = 0x80000000
63125 +};
63126 +
63127 +/* ACL Object-only mode flags */
63128 +enum {
63129 + GR_READ = 0x00000001,
63130 + GR_APPEND = 0x00000002,
63131 + GR_WRITE = 0x00000004,
63132 + GR_EXEC = 0x00000008,
63133 + GR_FIND = 0x00000010,
63134 + GR_INHERIT = 0x00000020,
63135 + GR_SETID = 0x00000040,
63136 + GR_CREATE = 0x00000080,
63137 + GR_DELETE = 0x00000100,
63138 + GR_LINK = 0x00000200,
63139 + GR_AUDIT_READ = 0x00000400,
63140 + GR_AUDIT_APPEND = 0x00000800,
63141 + GR_AUDIT_WRITE = 0x00001000,
63142 + GR_AUDIT_EXEC = 0x00002000,
63143 + GR_AUDIT_FIND = 0x00004000,
63144 + GR_AUDIT_INHERIT= 0x00008000,
63145 + GR_AUDIT_SETID = 0x00010000,
63146 + GR_AUDIT_CREATE = 0x00020000,
63147 + GR_AUDIT_DELETE = 0x00040000,
63148 + GR_AUDIT_LINK = 0x00080000,
63149 + GR_PTRACERD = 0x00100000,
63150 + GR_NOPTRACE = 0x00200000,
63151 + GR_SUPPRESS = 0x00400000,
63152 + GR_NOLEARN = 0x00800000,
63153 + GR_INIT_TRANSFER= 0x01000000
63154 +};
63155 +
63156 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
63157 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
63158 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
63159 +
63160 +/* ACL subject-only mode flags */
63161 +enum {
63162 + GR_KILL = 0x00000001,
63163 + GR_VIEW = 0x00000002,
63164 + GR_PROTECTED = 0x00000004,
63165 + GR_LEARN = 0x00000008,
63166 + GR_OVERRIDE = 0x00000010,
63167 + /* just a placeholder, this mode is only used in userspace */
63168 + GR_DUMMY = 0x00000020,
63169 + GR_PROTSHM = 0x00000040,
63170 + GR_KILLPROC = 0x00000080,
63171 + GR_KILLIPPROC = 0x00000100,
63172 + /* just a placeholder, this mode is only used in userspace */
63173 + GR_NOTROJAN = 0x00000200,
63174 + GR_PROTPROCFD = 0x00000400,
63175 + GR_PROCACCT = 0x00000800,
63176 + GR_RELAXPTRACE = 0x00001000,
63177 + GR_NESTED = 0x00002000,
63178 + GR_INHERITLEARN = 0x00004000,
63179 + GR_PROCFIND = 0x00008000,
63180 + GR_POVERRIDE = 0x00010000,
63181 + GR_KERNELAUTH = 0x00020000,
63182 + GR_ATSECURE = 0x00040000,
63183 + GR_SHMEXEC = 0x00080000
63184 +};
63185 +
63186 +enum {
63187 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
63188 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
63189 + GR_PAX_ENABLE_MPROTECT = 0x0004,
63190 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
63191 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
63192 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
63193 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
63194 + GR_PAX_DISABLE_MPROTECT = 0x0400,
63195 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
63196 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
63197 +};
63198 +
63199 +enum {
63200 + GR_ID_USER = 0x01,
63201 + GR_ID_GROUP = 0x02,
63202 +};
63203 +
63204 +enum {
63205 + GR_ID_ALLOW = 0x01,
63206 + GR_ID_DENY = 0x02,
63207 +};
63208 +
63209 +#define GR_CRASH_RES 31
63210 +#define GR_UIDTABLE_MAX 500
63211 +
63212 +/* begin resource learning section */
63213 +enum {
63214 + GR_RLIM_CPU_BUMP = 60,
63215 + GR_RLIM_FSIZE_BUMP = 50000,
63216 + GR_RLIM_DATA_BUMP = 10000,
63217 + GR_RLIM_STACK_BUMP = 1000,
63218 + GR_RLIM_CORE_BUMP = 10000,
63219 + GR_RLIM_RSS_BUMP = 500000,
63220 + GR_RLIM_NPROC_BUMP = 1,
63221 + GR_RLIM_NOFILE_BUMP = 5,
63222 + GR_RLIM_MEMLOCK_BUMP = 50000,
63223 + GR_RLIM_AS_BUMP = 500000,
63224 + GR_RLIM_LOCKS_BUMP = 2,
63225 + GR_RLIM_SIGPENDING_BUMP = 5,
63226 + GR_RLIM_MSGQUEUE_BUMP = 10000,
63227 + GR_RLIM_NICE_BUMP = 1,
63228 + GR_RLIM_RTPRIO_BUMP = 1,
63229 + GR_RLIM_RTTIME_BUMP = 1000000
63230 +};
63231 +
63232 +#endif
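Review bot: `GR_DELETED = 0x80000000` does not fit in an `int`, which is what C11 and earlier require of an enumeration constant, so this line compiles only through a compiler extension. The flag is presumably tested against the `__u32 mode` fields declared in gracl.h, so an unsigned macro is the safer spelling: `#define GR_DELETED 0x80000000U`. Separately, the object-only and subject-only flag sets reuse the same bit values in anonymous enums (`GR_READ` and `GR_KILL` are both 0x00000001), so nothing stops one set being applied to the other kind of `mode`. A comment at each enum naming the structure whose `mode` it belongs to would help.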
63233 diff -urNp linux-2.6.39.3/include/linux/grinternal.h linux-2.6.39.3/include/linux/grinternal.h
63234 --- linux-2.6.39.3/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
63235 +++ linux-2.6.39.3/include/linux/grinternal.h 2011-07-14 21:03:15.000000000 -0400
63236 @@ -0,0 +1,219 @@
63237 +#ifndef __GRINTERNAL_H
63238 +#define __GRINTERNAL_H
63239 +
63240 +#ifdef CONFIG_GRKERNSEC
63241 +
63242 +#include <linux/fs.h>
63243 +#include <linux/mnt_namespace.h>
63244 +#include <linux/nsproxy.h>
63245 +#include <linux/gracl.h>
63246 +#include <linux/grdefs.h>
63247 +#include <linux/grmsg.h>
63248 +
63249 +void gr_add_learn_entry(const char *fmt, ...)
63250 + __attribute__ ((format (printf, 1, 2)));
63251 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
63252 + const struct vfsmount *mnt);
63253 +__u32 gr_check_create(const struct dentry *new_dentry,
63254 + const struct dentry *parent,
63255 + const struct vfsmount *mnt, const __u32 mode);
63256 +int gr_check_protected_task(const struct task_struct *task);
63257 +__u32 to_gr_audit(const __u32 reqmode);
63258 +int gr_set_acls(const int type);
63259 +int gr_apply_subject_to_task(struct task_struct *task);
63260 +int gr_acl_is_enabled(void);
63261 +char gr_roletype_to_char(void);
63262 +
63263 +void gr_handle_alertkill(struct task_struct *task);
63264 +char *gr_to_filename(const struct dentry *dentry,
63265 + const struct vfsmount *mnt);
63266 +char *gr_to_filename1(const struct dentry *dentry,
63267 + const struct vfsmount *mnt);
63268 +char *gr_to_filename2(const struct dentry *dentry,
63269 + const struct vfsmount *mnt);
63270 +char *gr_to_filename3(const struct dentry *dentry,
63271 + const struct vfsmount *mnt);
63272 +
63273 +extern int grsec_enable_harden_ptrace;
63274 +extern int grsec_enable_link;
63275 +extern int grsec_enable_fifo;
63276 +extern int grsec_enable_execve;
63277 +extern int grsec_enable_shm;
63278 +extern int grsec_enable_execlog;
63279 +extern int grsec_enable_signal;
63280 +extern int grsec_enable_audit_ptrace;
63281 +extern int grsec_enable_forkfail;
63282 +extern int grsec_enable_time;
63283 +extern int grsec_enable_rofs;
63284 +extern int grsec_enable_chroot_shmat;
63285 +extern int grsec_enable_chroot_mount;
63286 +extern int grsec_enable_chroot_double;
63287 +extern int grsec_enable_chroot_pivot;
63288 +extern int grsec_enable_chroot_chdir;
63289 +extern int grsec_enable_chroot_chmod;
63290 +extern int grsec_enable_chroot_mknod;
63291 +extern int grsec_enable_chroot_fchdir;
63292 +extern int grsec_enable_chroot_nice;
63293 +extern int grsec_enable_chroot_execlog;
63294 +extern int grsec_enable_chroot_caps;
63295 +extern int grsec_enable_chroot_sysctl;
63296 +extern int grsec_enable_chroot_unix;
63297 +extern int grsec_enable_tpe;
63298 +extern int grsec_tpe_gid;
63299 +extern int grsec_enable_tpe_all;
63300 +extern int grsec_enable_tpe_invert;
63301 +extern int grsec_enable_socket_all;
63302 +extern int grsec_socket_all_gid;
63303 +extern int grsec_enable_socket_client;
63304 +extern int grsec_socket_client_gid;
63305 +extern int grsec_enable_socket_server;
63306 +extern int grsec_socket_server_gid;
63307 +extern int grsec_audit_gid;
63308 +extern int grsec_enable_group;
63309 +extern int grsec_enable_audit_textrel;
63310 +extern int grsec_enable_log_rwxmaps;
63311 +extern int grsec_enable_mount;
63312 +extern int grsec_enable_chdir;
63313 +extern int grsec_resource_logging;
63314 +extern int grsec_enable_blackhole;
63315 +extern int grsec_lastack_retries;
63316 +extern int grsec_enable_brute;
63317 +extern int grsec_lock;
63318 +
63319 +extern spinlock_t grsec_alert_lock;
63320 +extern unsigned long grsec_alert_wtime;
63321 +extern unsigned long grsec_alert_fyet;
63322 +
63323 +extern spinlock_t grsec_audit_lock;
63324 +
63325 +extern rwlock_t grsec_exec_file_lock;
63326 +
63327 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
63328 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
63329 + (tsk)->exec_file->f_vfsmnt) : "/")
63330 +
63331 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
63332 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
63333 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63334 +
63335 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
63336 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
63337 + (tsk)->exec_file->f_vfsmnt) : "/")
63338 +
63339 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
63340 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
63341 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
63342 +
63343 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
63344 +
63345 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
63346 +
63347 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
63348 + (task)->pid, (cred)->uid, \
63349 + (cred)->euid, (cred)->gid, (cred)->egid, \
63350 + gr_parent_task_fullpath(task), \
63351 + (task)->real_parent->comm, (task)->real_parent->pid, \
63352 + (pcred)->uid, (pcred)->euid, \
63353 + (pcred)->gid, (pcred)->egid
63354 +
63355 +#define GR_CHROOT_CAPS {{ \
63356 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
63357 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
63358 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
63359 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
63360 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
63361 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
63362 +
63363 +#define security_learn(normal_msg,args...) \
63364 +({ \
63365 + read_lock(&grsec_exec_file_lock); \
63366 + gr_add_learn_entry(normal_msg "\n", ## args); \
63367 + read_unlock(&grsec_exec_file_lock); \
63368 +})
63369 +
63370 +enum {
63371 + GR_DO_AUDIT,
63372 + GR_DONT_AUDIT,
63373 + /* used for non-audit messages that we shouldn't kill the task on */
63374 + GR_DONT_AUDIT_GOOD
63375 +};
63376 +
63377 +enum {
63378 + GR_TTYSNIFF,
63379 + GR_RBAC,
63380 + GR_RBAC_STR,
63381 + GR_STR_RBAC,
63382 + GR_RBAC_MODE2,
63383 + GR_RBAC_MODE3,
63384 + GR_FILENAME,
63385 + GR_SYSCTL_HIDDEN,
63386 + GR_NOARGS,
63387 + GR_ONE_INT,
63388 + GR_ONE_INT_TWO_STR,
63389 + GR_ONE_STR,
63390 + GR_STR_INT,
63391 + GR_TWO_STR_INT,
63392 + GR_TWO_INT,
63393 + GR_TWO_U64,
63394 + GR_THREE_INT,
63395 + GR_FIVE_INT_TWO_STR,
63396 + GR_TWO_STR,
63397 + GR_THREE_STR,
63398 + GR_FOUR_STR,
63399 + GR_STR_FILENAME,
63400 + GR_FILENAME_STR,
63401 + GR_FILENAME_TWO_INT,
63402 + GR_FILENAME_TWO_INT_STR,
63403 + GR_TEXTREL,
63404 + GR_PTRACE,
63405 + GR_RESOURCE,
63406 + GR_CAP,
63407 + GR_SIG,
63408 + GR_SIG2,
63409 + GR_CRASH1,
63410 + GR_CRASH2,
63411 + GR_PSACCT,
63412 + GR_RWXMAP
63413 +};
63414 +
63415 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
63416 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
63417 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
63418 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
63419 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
63420 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
63421 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
63422 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
63423 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
63424 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
63425 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
63426 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
63427 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
63428 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
63429 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
63430 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
63431 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
63432 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
63433 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
63434 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
63435 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
63436 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
63437 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
63438 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
63439 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
63440 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
63441 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
63442 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
63443 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
63444 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
63445 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
63446 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
63447 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
63448 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
63449 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
63450 +
63451 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
63452 +
63453 +#endif
63454 +
63455 +#endif
63456 diff -urNp linux-2.6.39.3/include/linux/grmsg.h linux-2.6.39.3/include/linux/grmsg.h
63457 --- linux-2.6.39.3/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
63458 +++ linux-2.6.39.3/include/linux/grmsg.h 2011-05-22 19:41:42.000000000 -0400
63459 @@ -0,0 +1,108 @@
63460 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
63461 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
63462 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
63463 +#define GR_STOPMOD_MSG "denied modification of module state by "
63464 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
63465 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
63466 +#define GR_IOPERM_MSG "denied use of ioperm() by "
63467 +#define GR_IOPL_MSG "denied use of iopl() by "
63468 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
63469 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
63470 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
63471 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
63472 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
63473 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
63474 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
63475 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
63476 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
63477 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
63478 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
63479 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
63480 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
63481 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
63482 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
63483 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
63484 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
63485 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
63486 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
63487 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
63488 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
63489 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
63490 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
63491 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
63492 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
63493 +#define GR_NPROC_MSG "denied overstep of process limit by "
63494 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
63495 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
63496 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
63497 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
63498 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
63499 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
63500 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
63501 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
63502 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
63503 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
63504 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
63505 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
63506 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
63507 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
63508 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
63509 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
63510 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
63511 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
63512 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
63513 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
63514 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
63515 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
63516 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
63517 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
63518 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
63519 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
63520 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
63521 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
63522 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
63523 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
63524 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
63525 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
63526 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
63527 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
63528 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
63529 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
63530 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
63531 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
63532 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
63533 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
63534 +#define GR_NICE_CHROOT_MSG "denied priority change by "
63535 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
63536 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
63537 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
63538 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
63539 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
63540 +#define GR_TIME_MSG "time set by "
63541 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
63542 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
63543 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
63544 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
63545 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
63546 +#define GR_BIND_MSG "denied bind() by "
63547 +#define GR_CONNECT_MSG "denied connect() by "
63548 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
63549 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
63550 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
63551 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
63552 +#define GR_CAP_ACL_MSG "use of %s denied for "
63553 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
63554 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
63555 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
63556 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
63557 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
63558 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
63559 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
63560 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
63561 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
63562 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
63563 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
63564 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
63565 +#define GR_VM86_MSG "denied use of vm86 by "
63566 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
63567 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
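Review bot: `GR_TEXTREL_AUDIT_MSG` formats a file name with a bare `%s`, while nearly every other path-carrying message in this new header caps the field (`%.950s`, `%.480s`, `%.256s`). Whether the formatter behind `gr_log_varargs` truncates on its own is not visible from this hunk, so for consistency I would bound it: `#define GR_TEXTREL_AUDIT_MSG "text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. The file also has no include guard, unlike grsecurity.h and grsock.h added next to it; a `#ifndef GRMSG_H` / `#define GRMSG_H` pair would match them. Minor: `GR_DEV_ACL_MSG` reads "being fed garbaged", presumably meant as "garbage"; change it only if no log parser matches the current text.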
63568 diff -urNp linux-2.6.39.3/include/linux/grsecurity.h linux-2.6.39.3/include/linux/grsecurity.h
63569 --- linux-2.6.39.3/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
63570 +++ linux-2.6.39.3/include/linux/grsecurity.h 2011-07-16 15:28:00.000000000 -0400
63571 @@ -0,0 +1,215 @@
63572 +#ifndef GR_SECURITY_H
63573 +#define GR_SECURITY_H
63574 +#include <linux/fs.h>
63575 +#include <linux/fs_struct.h>
63576 +#include <linux/binfmts.h>
63577 +#include <linux/gracl.h>
63578 +#include <linux/compat.h>
63579 +
63580 +/* notify of brain-dead configs */
63581 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
63582 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
63583 +#endif
63584 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63585 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63586 +#endif
63587 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
63588 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
63589 +#endif
63590 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
63591 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
63592 +#endif
63593 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
63594 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
63595 +#endif
63596 +
63597 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
63598 +void gr_handle_brute_check(void);
63599 +void gr_handle_kernel_exploit(void);
63600 +int gr_process_user_ban(void);
63601 +
63602 +char gr_roletype_to_char(void);
63603 +
63604 +int gr_acl_enable_at_secure(void);
63605 +
63606 +int gr_check_user_change(int real, int effective, int fs);
63607 +int gr_check_group_change(int real, int effective, int fs);
63608 +
63609 +void gr_del_task_from_ip_table(struct task_struct *p);
63610 +
63611 +int gr_pid_is_chrooted(struct task_struct *p);
63612 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
63613 +int gr_handle_chroot_nice(void);
63614 +int gr_handle_chroot_sysctl(const int op);
63615 +int gr_handle_chroot_setpriority(struct task_struct *p,
63616 + const int niceval);
63617 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
63618 +int gr_handle_chroot_chroot(const struct dentry *dentry,
63619 + const struct vfsmount *mnt);
63620 +int gr_handle_chroot_caps(struct path *path);
63621 +void gr_handle_chroot_chdir(struct path *path);
63622 +int gr_handle_chroot_chmod(const struct dentry *dentry,
63623 + const struct vfsmount *mnt, const int mode);
63624 +int gr_handle_chroot_mknod(const struct dentry *dentry,
63625 + const struct vfsmount *mnt, const int mode);
63626 +int gr_handle_chroot_mount(const struct dentry *dentry,
63627 + const struct vfsmount *mnt,
63628 + const char *dev_name);
63629 +int gr_handle_chroot_pivot(void);
63630 +int gr_handle_chroot_unix(const pid_t pid);
63631 +
63632 +int gr_handle_rawio(const struct inode *inode);
63633 +int gr_handle_nproc(void);
63634 +
63635 +void gr_handle_ioperm(void);
63636 +void gr_handle_iopl(void);
63637 +
63638 +int gr_tpe_allow(const struct file *file);
63639 +
63640 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
63641 +void gr_clear_chroot_entries(struct task_struct *task);
63642 +
63643 +void gr_log_forkfail(const int retval);
63644 +void gr_log_timechange(void);
63645 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
63646 +void gr_log_chdir(const struct dentry *dentry,
63647 + const struct vfsmount *mnt);
63648 +void gr_log_chroot_exec(const struct dentry *dentry,
63649 + const struct vfsmount *mnt);
63650 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
63651 +#ifdef CONFIG_COMPAT
63652 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
63653 +#endif
63654 +void gr_log_remount(const char *devname, const int retval);
63655 +void gr_log_unmount(const char *devname, const int retval);
63656 +void gr_log_mount(const char *from, const char *to, const int retval);
63657 +void gr_log_textrel(struct vm_area_struct *vma);
63658 +void gr_log_rwxmmap(struct file *file);
63659 +void gr_log_rwxmprotect(struct file *file);
63660 +
63661 +int gr_handle_follow_link(const struct inode *parent,
63662 + const struct inode *inode,
63663 + const struct dentry *dentry,
63664 + const struct vfsmount *mnt);
63665 +int gr_handle_fifo(const struct dentry *dentry,
63666 + const struct vfsmount *mnt,
63667 + const struct dentry *dir, const int flag,
63668 + const int acc_mode);
63669 +int gr_handle_hardlink(const struct dentry *dentry,
63670 + const struct vfsmount *mnt,
63671 + struct inode *inode,
63672 + const int mode, const char *to);
63673 +
63674 +int gr_is_capable(const int cap);
63675 +int gr_is_capable_nolog(const int cap);
63676 +void gr_learn_resource(const struct task_struct *task, const int limit,
63677 + const unsigned long wanted, const int gt);
63678 +void gr_copy_label(struct task_struct *tsk);
63679 +void gr_handle_crash(struct task_struct *task, const int sig);
63680 +int gr_handle_signal(const struct task_struct *p, const int sig);
63681 +int gr_check_crash_uid(const uid_t uid);
63682 +int gr_check_protected_task(const struct task_struct *task);
63683 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
63684 +int gr_acl_handle_mmap(const struct file *file,
63685 + const unsigned long prot);
63686 +int gr_acl_handle_mprotect(const struct file *file,
63687 + const unsigned long prot);
63688 +int gr_check_hidden_task(const struct task_struct *tsk);
63689 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
63690 + const struct vfsmount *mnt);
63691 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
63692 + const struct vfsmount *mnt);
63693 +__u32 gr_acl_handle_access(const struct dentry *dentry,
63694 + const struct vfsmount *mnt, const int fmode);
63695 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
63696 + const struct vfsmount *mnt, mode_t mode);
63697 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
63698 + const struct vfsmount *mnt, mode_t mode);
63699 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
63700 + const struct vfsmount *mnt);
63701 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
63702 + const struct vfsmount *mnt);
63703 +int gr_handle_ptrace(struct task_struct *task, const long request);
63704 +int gr_handle_proc_ptrace(struct task_struct *task);
63705 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
63706 + const struct vfsmount *mnt);
63707 +int gr_check_crash_exec(const struct file *filp);
63708 +int gr_acl_is_enabled(void);
63709 +void gr_set_kernel_label(struct task_struct *task);
63710 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
63711 + const gid_t gid);
63712 +int gr_set_proc_label(const struct dentry *dentry,
63713 + const struct vfsmount *mnt,
63714 + const int unsafe_share);
63715 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
63716 + const struct vfsmount *mnt);
63717 +__u32 gr_acl_handle_open(const struct dentry *dentry,
63718 + const struct vfsmount *mnt, const int fmode);
63719 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
63720 + const struct dentry *p_dentry,
63721 + const struct vfsmount *p_mnt, const int fmode,
63722 + const int imode);
63723 +void gr_handle_create(const struct dentry *dentry,
63724 + const struct vfsmount *mnt);
63725 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
63726 + const struct dentry *parent_dentry,
63727 + const struct vfsmount *parent_mnt,
63728 + const int mode);
63729 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
63730 + const struct dentry *parent_dentry,
63731 + const struct vfsmount *parent_mnt);
63732 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
63733 + const struct vfsmount *mnt);
63734 +void gr_handle_delete(const ino_t ino, const dev_t dev);
63735 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
63736 + const struct vfsmount *mnt);
63737 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
63738 + const struct dentry *parent_dentry,
63739 + const struct vfsmount *parent_mnt,
63740 + const char *from);
63741 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
63742 + const struct dentry *parent_dentry,
63743 + const struct vfsmount *parent_mnt,
63744 + const struct dentry *old_dentry,
63745 + const struct vfsmount *old_mnt, const char *to);
63746 +int gr_acl_handle_rename(struct dentry *new_dentry,
63747 + struct dentry *parent_dentry,
63748 + const struct vfsmount *parent_mnt,
63749 + struct dentry *old_dentry,
63750 + struct inode *old_parent_inode,
63751 + struct vfsmount *old_mnt, const char *newname);
63752 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63753 + struct dentry *old_dentry,
63754 + struct dentry *new_dentry,
63755 + struct vfsmount *mnt, const __u8 replace);
63756 +__u32 gr_check_link(const struct dentry *new_dentry,
63757 + const struct dentry *parent_dentry,
63758 + const struct vfsmount *parent_mnt,
63759 + const struct dentry *old_dentry,
63760 + const struct vfsmount *old_mnt);
63761 +int gr_acl_handle_filldir(const struct file *file, const char *name,
63762 + const unsigned int namelen, const ino_t ino);
63763 +
63764 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
63765 + const struct vfsmount *mnt);
63766 +void gr_acl_handle_exit(void);
63767 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
63768 +int gr_acl_handle_procpidmem(const struct task_struct *task);
63769 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
63770 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
63771 +void gr_audit_ptrace(struct task_struct *task);
63772 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
63773 +
63774 +#ifdef CONFIG_GRKERNSEC
63775 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
63776 +void gr_handle_vm86(void);
63777 +void gr_handle_mem_readwrite(u64 from, u64 to);
63778 +
63779 +extern int grsec_enable_dmesg;
63780 +extern int grsec_disable_privio;
63781 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
63782 +extern int grsec_enable_chroot_findtask;
63783 +#endif
63784 +#endif
63785 +
63786 +#endif
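Review bot: The decision hooks declared here return either `int` or `__u32`, and the header never states which value means "deny", so every call site has to infer the polarity from the implementation. In an access-control API that ambiguity is how inverted checks get written. A short block comment above the prototypes would settle it, e.g. `/* gr_acl_handle_*() returning __u32: <meaning of 0 / non-zero>; gr_handle_*() returning int: <meaning of 0 / non-zero> */`, filled in from the definitions, which are outside this hunk. Separately, `gr_check_user_change()` and `gr_check_group_change()` take ids as `int` while `gr_set_role_label()` and `gr_check_crash_uid()` use `uid_t`/`gid_t`; if the `int` is there to carry a "no change" sentinel, that deserves a one-line comment as well.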
63787 diff -urNp linux-2.6.39.3/include/linux/grsock.h linux-2.6.39.3/include/linux/grsock.h
63788 --- linux-2.6.39.3/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
63789 +++ linux-2.6.39.3/include/linux/grsock.h 2011-05-22 19:41:42.000000000 -0400
63790 @@ -0,0 +1,19 @@
63791 +#ifndef __GRSOCK_H
63792 +#define __GRSOCK_H
63793 +
63794 +extern void gr_attach_curr_ip(const struct sock *sk);
63795 +extern int gr_handle_sock_all(const int family, const int type,
63796 + const int protocol);
63797 +extern int gr_handle_sock_server(const struct sockaddr *sck);
63798 +extern int gr_handle_sock_server_other(const struct sock *sck);
63799 +extern int gr_handle_sock_client(const struct sockaddr *sck);
63800 +extern int gr_search_connect(struct socket * sock,
63801 + struct sockaddr_in * addr);
63802 +extern int gr_search_bind(struct socket * sock,
63803 + struct sockaddr_in * addr);
63804 +extern int gr_search_listen(struct socket * sock);
63805 +extern int gr_search_accept(struct socket * sock);
63806 +extern int gr_search_socket(const int domain, const int type,
63807 + const int protocol);
63808 +
63809 +#endif
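Review bot: The prototypes name `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in`, but the header neither includes nor forward-declares them. It therefore compiles cleanly only when the includer has already pulled in the networking headers; otherwise the struct tags get prototype scope and the declarations do not match the definitions. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the guard (or the relevant `#include` lines) makes it self-contained. The guard name `__GRSOCK_H` uses a reserved double-underscore prefix, whereas grsecurity.h in the same patch uses `GR_SECURITY_H`; `GRSOCK_H` would be consistent.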
63810 diff -urNp linux-2.6.39.3/include/linux/highmem.h linux-2.6.39.3/include/linux/highmem.h
63811 --- linux-2.6.39.3/include/linux/highmem.h 2011-05-19 00:06:34.000000000 -0400
63812 +++ linux-2.6.39.3/include/linux/highmem.h 2011-05-22 19:36:33.000000000 -0400
63813 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
63814 kunmap_atomic(kaddr, KM_USER0);
63815 }
63816
63817 +static inline void sanitize_highpage(struct page *page)
63818 +{
63819 + void *kaddr;
63820 + unsigned long flags;
63821 +
63822 + local_irq_save(flags);
63823 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
63824 + clear_page(kaddr);
63825 + kunmap_atomic(kaddr, KM_CLEARPAGE);
63826 + local_irq_restore(flags);
63827 +}
63828 +
63829 static inline void zero_user_segments(struct page *page,
63830 unsigned start1, unsigned end1,
63831 unsigned start2, unsigned end2)
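Review bot: `sanitize_highpage()` differs from `clear_highpage()` just above it in two ways, the `KM_CLEARPAGE` slot and the `local_irq_save()`/`local_irq_restore()` pair, and nothing in the hunk says why. A comment on the function should state the contexts it may be called from and what the interrupt masking protects, for example `/* zero a page through a dedicated kmap slot; IRQs are masked so the slot cannot be reused from interrupt context while mapped (confirm) */`. Without that, a later cleanup could drop the masking or switch the slot to `KM_USER0`, and a reviewer would have no way to tell which invariant was lost.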
63832 diff -urNp linux-2.6.39.3/include/linux/i2o.h linux-2.6.39.3/include/linux/i2o.h
63833 --- linux-2.6.39.3/include/linux/i2o.h 2011-05-19 00:06:34.000000000 -0400
63834 +++ linux-2.6.39.3/include/linux/i2o.h 2011-05-22 19:36:33.000000000 -0400
63835 @@ -564,7 +564,7 @@ struct i2o_controller {
63836 struct i2o_device *exec; /* Executive */
63837 #if BITS_PER_LONG == 64
63838 spinlock_t context_list_lock; /* lock for context_list */
63839 - atomic_t context_list_counter; /* needed for unique contexts */
63840 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
63841 struct list_head context_list; /* list of context id's
63842 and pointers */
63843 #endif
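Review bot: Switching `context_list_counter` to `atomic_unchecked_t` opts it out of the patch's atomic overflow detection, yet the field's own comment says it is "needed for unique contexts". The reason wrap-around is acceptable should therefore be written next to the field, e.g. `/* not a reference count: wrap-around is tolerated because <reason> */`, with the justification taken from the users of the counter, which are outside this hunk. The same applies to `kgdb_cpu_doing_single_step` in the first kgdb.h hunk later in this patch.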
63844 diff -urNp linux-2.6.39.3/include/linux/if_phonet.h linux-2.6.39.3/include/linux/if_phonet.h
63845 --- linux-2.6.39.3/include/linux/if_phonet.h 2011-05-19 00:06:34.000000000 -0400
63846 +++ linux-2.6.39.3/include/linux/if_phonet.h 2011-05-22 19:36:33.000000000 -0400
63847 @@ -13,7 +13,7 @@
63848 #define PHONET_DEV_MTU PHONET_MAX_MTU
63849
63850 #ifdef __KERNEL__
63851 -extern struct header_ops phonet_header_ops;
63852 +extern const struct header_ops phonet_header_ops;
63853 #endif
63854
63855 #endif
63856 diff -urNp linux-2.6.39.3/include/linux/init.h linux-2.6.39.3/include/linux/init.h
63857 --- linux-2.6.39.3/include/linux/init.h 2011-05-19 00:06:34.000000000 -0400
63858 +++ linux-2.6.39.3/include/linux/init.h 2011-05-22 19:36:33.000000000 -0400
63859 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
63860
63861 /* Each module must use one module_init(). */
63862 #define module_init(initfn) \
63863 - static inline initcall_t __inittest(void) \
63864 + static inline __used initcall_t __inittest(void) \
63865 { return initfn; } \
63866 int init_module(void) __attribute__((alias(#initfn)));
63867
63868 /* This is only required if you want to be unloadable. */
63869 #define module_exit(exitfn) \
63870 - static inline exitcall_t __exittest(void) \
63871 + static inline __used exitcall_t __exittest(void) \
63872 { return exitfn; } \
63873 void cleanup_module(void) __attribute__((alias(#exitfn)));
63874
63875 diff -urNp linux-2.6.39.3/include/linux/init_task.h linux-2.6.39.3/include/linux/init_task.h
63876 --- linux-2.6.39.3/include/linux/init_task.h 2011-05-19 00:06:34.000000000 -0400
63877 +++ linux-2.6.39.3/include/linux/init_task.h 2011-05-22 19:36:33.000000000 -0400
63878 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
63879 #define INIT_IDS
63880 #endif
63881
63882 +#ifdef CONFIG_X86
63883 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
63884 +#else
63885 +#define INIT_TASK_THREAD_INFO
63886 +#endif
63887 +
63888 /*
63889 * Because of the reduced scope of CAP_SETPCAP when filesystem
63890 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
63891 @@ -163,6 +169,7 @@ extern struct cred init_cred;
63892 RCU_INIT_POINTER(.cred, &init_cred), \
63893 .comm = "swapper", \
63894 .thread = INIT_THREAD, \
63895 + INIT_TASK_THREAD_INFO \
63896 .fs = &init_fs, \
63897 .files = &init_files, \
63898 .signal = &init_signals, \
63899 diff -urNp linux-2.6.39.3/include/linux/interrupt.h linux-2.6.39.3/include/linux/interrupt.h
63900 --- linux-2.6.39.3/include/linux/interrupt.h 2011-05-19 00:06:34.000000000 -0400
63901 +++ linux-2.6.39.3/include/linux/interrupt.h 2011-05-22 19:36:33.000000000 -0400
63902 @@ -422,7 +422,7 @@ enum
63903 /* map softirq index to softirq name. update 'softirq_to_name' in
63904 * kernel/softirq.c when adding a new softirq.
63905 */
63906 -extern char *softirq_to_name[NR_SOFTIRQS];
63907 +extern const char * const softirq_to_name[NR_SOFTIRQS];
63908
63909 /* softirq mask and active fields moved to irq_cpustat_t in
63910 * asm/hardirq.h to get better cache usage. KAO
63911 @@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
63912
63913 struct softirq_action
63914 {
63915 - void (*action)(struct softirq_action *);
63916 + void (*action)(void);
63917 };
63918
63919 asmlinkage void do_softirq(void);
63920 asmlinkage void __do_softirq(void);
63921 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
63922 +extern void open_softirq(int nr, void (*action)(void));
63923 extern void softirq_init(void);
63924 static inline void __raise_softirq_irqoff(unsigned int nr)
63925 {
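Review bot: Changing `action` and `open_softirq()` to `void (*)(void)` alters a registration interface. Any handler still defined with the old `struct softirq_action *` parameter that reaches `open_softirq()` through a cast would now be called through an incompatible function-pointer type. The callers are outside this hunk, so I cannot confirm that every one was converted. A comment on the struct would make the contract explicit, e.g. `/* handlers take no argument; never cast an old-style handler to this type */`.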
63926 diff -urNp linux-2.6.39.3/include/linux/iommu.h linux-2.6.39.3/include/linux/iommu.h
63927 --- linux-2.6.39.3/include/linux/iommu.h 2011-05-19 00:06:34.000000000 -0400
63928 +++ linux-2.6.39.3/include/linux/iommu.h 2011-05-22 19:36:33.000000000 -0400
63929 @@ -49,7 +49,7 @@ struct iommu_ops {
63930
63931 #ifdef CONFIG_IOMMU_API
63932
63933 -extern void register_iommu(struct iommu_ops *ops);
63934 +extern void register_iommu(const struct iommu_ops *ops);
63935 extern bool iommu_found(void);
63936 extern struct iommu_domain *iommu_domain_alloc(void);
63937 extern void iommu_domain_free(struct iommu_domain *domain);
63938 diff -urNp linux-2.6.39.3/include/linux/ipmi.h linux-2.6.39.3/include/linux/ipmi.h
63939 --- linux-2.6.39.3/include/linux/ipmi.h 2011-05-19 00:06:34.000000000 -0400
63940 +++ linux-2.6.39.3/include/linux/ipmi.h 2011-05-22 19:36:33.000000000 -0400
63941 @@ -282,7 +282,7 @@ struct ipmi_user_hndl {
63942
63943 /* Create a new user of the IPMI layer on the given interface number. */
63944 int ipmi_create_user(unsigned int if_num,
63945 - struct ipmi_user_hndl *handler,
63946 + const struct ipmi_user_hndl *handler,
63947 void *handler_data,
63948 ipmi_user_t *user);
63949
63950 diff -urNp linux-2.6.39.3/include/linux/kallsyms.h linux-2.6.39.3/include/linux/kallsyms.h
63951 --- linux-2.6.39.3/include/linux/kallsyms.h 2011-05-19 00:06:34.000000000 -0400
63952 +++ linux-2.6.39.3/include/linux/kallsyms.h 2011-05-22 22:52:54.000000000 -0400
63953 @@ -15,7 +15,8 @@
63954
63955 struct module;
63956
63957 -#ifdef CONFIG_KALLSYMS
63958 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
63959 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63960 /* Lookup the address for a symbol. Returns 0 if not found. */
63961 unsigned long kallsyms_lookup_name(const char *name);
63962
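Review bot: The new outer guard only behaves as intended if the including file defines `__INCLUDED_BY_HIDESYM` before kallsyms.h is first seen in that translation unit. Assuming the header has the usual include guard (not visible in this hunk), a transitive include that arrives earlier fixes the choice and the later define is silently ignored. That ordering requirement deserves a comment at the `#if`, e.g. `/* __INCLUDED_BY_HIDESYM must be defined before the first inclusion of this header */`. The conditional opened here is closed in the next hunk.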
63963 @@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
63964 /* Stupid that this does nothing, but I didn't create this mess. */
63965 #define __print_symbol(fmt, addr)
63966 #endif /*CONFIG_KALLSYMS*/
63967 +#else /* when included by kallsyms.c, vsnprintf.c, or
63968 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
63969 +extern void __print_symbol(const char *fmt, unsigned long address);
63970 +extern int sprint_backtrace(char *buffer, unsigned long address);
63971 +extern int sprint_symbol(char *buffer, unsigned long address);
63972 +const char *kallsyms_lookup(unsigned long addr,
63973 + unsigned long *symbolsize,
63974 + unsigned long *offset,
63975 + char **modname, char *namebuf);
63976 +#endif
63977
63978 /* This macro allows us to keep printk typechecking */
63979 static void __check_printsym_format(const char *fmt, ...)
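Review bot: The `#else` branch for the HIDESYM includers declares only `__print_symbol`, `sprint_backtrace`, `sprint_symbol` and `kallsyms_lookup`. Anything else the normal branch provides, such as `kallsyms_lookup_name` seen in the previous hunk, therefore has no prototype in those files. If that is intentional, the comment on the `#else` should say so; if not, the missing declarations need adding. The context line `#endif /*CONFIG_KALLSYMS*/` now closes the combined `CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM` test, and the new final `#endif` is unlabelled; I would label it `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`.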
63980 diff -urNp linux-2.6.39.3/include/linux/kgdb.h linux-2.6.39.3/include/linux/kgdb.h
63981 --- linux-2.6.39.3/include/linux/kgdb.h 2011-05-19 00:06:34.000000000 -0400
63982 +++ linux-2.6.39.3/include/linux/kgdb.h 2011-05-22 19:36:33.000000000 -0400
63983 @@ -53,7 +53,7 @@ extern int kgdb_connected;
63984 extern int kgdb_io_module_registered;
63985
63986 extern atomic_t kgdb_setting_breakpoint;
63987 -extern atomic_t kgdb_cpu_doing_single_step;
63988 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
63989
63990 extern struct task_struct *kgdb_usethread;
63991 extern struct task_struct *kgdb_contthread;
63992 @@ -269,22 +269,22 @@ struct kgdb_arch {
63993 */
63994 struct kgdb_io {
63995 const char *name;
63996 - int (*read_char) (void);
63997 - void (*write_char) (u8);
63998 - void (*flush) (void);
63999 - int (*init) (void);
64000 - void (*pre_exception) (void);
64001 - void (*post_exception) (void);
64002 + int (* const read_char) (void);
64003 + void (* const write_char) (u8);
64004 + void (* const flush) (void);
64005 + int (* const init) (void);
64006 + void (* const pre_exception) (void);
64007 + void (* const post_exception) (void);
64008 int is_console;
64009 };
64010
64011 -extern struct kgdb_arch arch_kgdb_ops;
64012 +extern const struct kgdb_arch arch_kgdb_ops;
64013
64014 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
64015
64016 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
64017 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
64018 -extern struct kgdb_io *dbg_io_ops;
64019 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
64020 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
64021 +extern const struct kgdb_io *dbg_io_ops;
64022
64023 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
64024 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
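Review bot: The hooks in `struct kgdb_io` become `* const` members, but `name` and `is_console` stay writable, and every pointer to the struct in this hunk is already `const struct kgdb_io *`. Per-member `const` also means no instance can be filled in or copied by assignment after its definition, which would break any I/O driver that sets a hook at run time (none are visible here). If the goal is read-only placement of the ops table, a comment such as `/* instances must be defined const with all hooks set in the initializer */` would state the requirement and explain why the two styles are combined.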
64025 diff -urNp linux-2.6.39.3/include/linux/kmod.h linux-2.6.39.3/include/linux/kmod.h
64026 --- linux-2.6.39.3/include/linux/kmod.h 2011-05-19 00:06:34.000000000 -0400
64027 +++ linux-2.6.39.3/include/linux/kmod.h 2011-05-22 19:41:42.000000000 -0400
64028 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
64029 * usually useless though. */
64030 extern int __request_module(bool wait, const char *name, ...) \
64031 __attribute__((format(printf, 2, 3)));
64032 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
64033 + __attribute__((format(printf, 3, 4)));
64034 #define request_module(mod...) __request_module(true, mod)
64035 #define request_module_nowait(mod...) __request_module(false, mod)
64036 #define try_then_request_module(x, mod...) \
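Review bot: `___request_module()` takes `param_name` as plain `char *` while `name` is `const char *`. Unless the implementation (outside this hunk) writes through it, the parameter should be `const char *param_name`, so string literals and constified data can be passed without a cast. The name also differs from `__request_module()` by a single underscore, which is easy to misread at call sites. There is no comment saying what `param_name` carries; a one-line description above the prototype would help.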
64037 diff -urNp linux-2.6.39.3/include/linux/kvm_host.h linux-2.6.39.3/include/linux/kvm_host.h
64038 --- linux-2.6.39.3/include/linux/kvm_host.h 2011-05-19 00:06:34.000000000 -0400
64039 +++ linux-2.6.39.3/include/linux/kvm_host.h 2011-05-22 19:36:33.000000000 -0400
64040 @@ -302,7 +302,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
64041 void vcpu_load(struct kvm_vcpu *vcpu);
64042 void vcpu_put(struct kvm_vcpu *vcpu);
64043
64044 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64045 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
64046 struct module *module);
64047 void kvm_exit(void);
64048
64049 @@ -442,7 +442,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
64050 struct kvm_guest_debug *dbg);
64051 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
64052
64053 -int kvm_arch_init(void *opaque);
64054 +int kvm_arch_init(const void *opaque);
64055 void kvm_arch_exit(void);
64056
64057 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
64058 diff -urNp linux-2.6.39.3/include/linux/lapb.h linux-2.6.39.3/include/linux/lapb.h
64059 --- linux-2.6.39.3/include/linux/lapb.h 2011-05-19 00:06:34.000000000 -0400
64060 +++ linux-2.6.39.3/include/linux/lapb.h 2011-05-22 19:36:33.000000000 -0400
64061 @@ -44,7 +44,7 @@ struct lapb_parms_struct {
64062 unsigned int mode;
64063 };
64064
64065 -extern int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks);
64066 +extern int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks);
64067 extern int lapb_unregister(struct net_device *dev);
64068 extern int lapb_getparms(struct net_device *dev, struct lapb_parms_struct *parms);
64069 extern int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms);
64070 diff -urNp linux-2.6.39.3/include/linux/lcd.h linux-2.6.39.3/include/linux/lcd.h
64071 --- linux-2.6.39.3/include/linux/lcd.h 2011-05-19 00:06:34.000000000 -0400
64072 +++ linux-2.6.39.3/include/linux/lcd.h 2011-05-22 19:36:33.000000000 -0400
64073 @@ -60,7 +60,7 @@ struct lcd_device {
64074 points to something in the body of that driver, it is also invalid. */
64075 struct mutex ops_lock;
64076 /* If this is NULL, the backing module is unloaded */
64077 - struct lcd_ops *ops;
64078 + const struct lcd_ops *ops;
64079 /* Serialise access to set_power method */
64080 struct mutex update_lock;
64081 /* The framebuffer notifier block */
64082 @@ -101,7 +101,7 @@ static inline void lcd_set_power(struct
64083 }
64084
64085 extern struct lcd_device *lcd_device_register(const char *name,
64086 - struct device *parent, void *devdata, struct lcd_ops *ops);
64087 + struct device *parent, void *devdata, const struct lcd_ops *ops);
64088 extern void lcd_device_unregister(struct lcd_device *ld);
64089
64090 #define to_lcd_device(obj) container_of(obj, struct lcd_device, dev)
64091 diff -urNp linux-2.6.39.3/include/linux/libata.h linux-2.6.39.3/include/linux/libata.h
64092 --- linux-2.6.39.3/include/linux/libata.h 2011-05-19 00:06:34.000000000 -0400
64093 +++ linux-2.6.39.3/include/linux/libata.h 2011-05-22 19:36:33.000000000 -0400
64094 @@ -524,11 +524,11 @@ struct ata_ioports {
64095
64096 struct ata_host {
64097 spinlock_t lock;
64098 - struct device *dev;
64099 + struct device *dev;
64100 void __iomem * const *iomap;
64101 unsigned int n_ports;
64102 void *private_data;
64103 - struct ata_port_operations *ops;
64104 + const struct ata_port_operations *ops;
64105 unsigned long flags;
64106
64107 struct mutex eh_mutex;
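Review bot: The `dev` member of `struct ata_host` is removed and re-added with what appears to be only a whitespace difference, which is unrelated churn next to the real change to `ops`; drop that pair of lines so the hunk is easier to rebase and audit. The `const` on `ops` here, and on `ata_port.ops`, `ata_port_info.port_ops` and `ata_dummy_port_ops` in the following hunks, is only sound if nothing writes to an operations table after it is defined. If any core code still fills in inherited methods at runtime, that write needs an explicit, commented exception rather than a qualifier-dropping cast. That has to be confirmed in the matching .c changes, which are outside this hunk.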
64108 @@ -719,7 +719,7 @@ struct ata_link {
64109
64110 struct ata_port {
64111 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
64112 - struct ata_port_operations *ops;
64113 + const struct ata_port_operations *ops;
64114 spinlock_t *lock;
64115 /* Flags owned by the EH context. Only EH should touch these once the
64116 port is active */
64117 @@ -907,7 +907,7 @@ struct ata_port_info {
64118 unsigned long pio_mask;
64119 unsigned long mwdma_mask;
64120 unsigned long udma_mask;
64121 - struct ata_port_operations *port_ops;
64122 + const struct ata_port_operations *port_ops;
64123 void *private_data;
64124 };
64125
64126 @@ -931,7 +931,7 @@ extern const unsigned long sata_deb_timi
64127 extern const unsigned long sata_deb_timing_hotplug[];
64128 extern const unsigned long sata_deb_timing_long[];
64129
64130 -extern struct ata_port_operations ata_dummy_port_ops;
64131 +extern const struct ata_port_operations ata_dummy_port_ops;
64132 extern const struct ata_port_info ata_dummy_port_info;
64133
64134 static inline const unsigned long *
64135 @@ -977,7 +977,7 @@ extern int ata_host_activate(struct ata_
64136 struct scsi_host_template *sht);
64137 extern void ata_host_detach(struct ata_host *host);
64138 extern void ata_host_init(struct ata_host *, struct device *,
64139 - unsigned long, struct ata_port_operations *);
64140 + unsigned long, const struct ata_port_operations *);
64141 extern int ata_scsi_detect(struct scsi_host_template *sht);
64142 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
64143 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
64144 diff -urNp linux-2.6.39.3/include/linux/lockd/bind.h linux-2.6.39.3/include/linux/lockd/bind.h
64145 --- linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-19 00:06:34.000000000 -0400
64146 +++ linux-2.6.39.3/include/linux/lockd/bind.h 2011-05-22 19:36:33.000000000 -0400
64147 @@ -23,13 +23,13 @@ struct svc_rqst;
64148 * This is the set of functions for lockd->nfsd communication
64149 */
64150 struct nlmsvc_binding {
64151 - __be32 (*fopen)(struct svc_rqst *,
64152 + __be32 (* const fopen)(struct svc_rqst *,
64153 struct nfs_fh *,
64154 struct file **);
64155 - void (*fclose)(struct file *);
64156 + void (* const fclose)(struct file *);
64157 };
64158
64159 -extern struct nlmsvc_binding * nlmsvc_ops;
64160 +extern const struct nlmsvc_binding * nlmsvc_ops;
64161
64162 /*
64163 * Similar to nfs_client_initdata, but without the NFS-specific
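Review bot: `struct nlmsvc_binding` is constified twice in this hunk: each member becomes a `* const` function pointer and `nlmsvc_ops` becomes a pointer to `const struct nlmsvc_binding`. The other hunks on this page constify only the pointer or the object, so the member-level `const` introduces a second convention, and it means an instance can only be filled by an initializer, never by assignment. Pick one form, or add a comment such as `/* members are const: instances must be statically initialized */` above the struct so the next author knows why assignment fails to compile.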
64164 diff -urNp linux-2.6.39.3/include/linux/mfd/abx500.h linux-2.6.39.3/include/linux/mfd/abx500.h
64165 --- linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-19 00:06:34.000000000 -0400
64166 +++ linux-2.6.39.3/include/linux/mfd/abx500.h 2011-05-22 19:36:33.000000000 -0400
64167 @@ -227,6 +227,6 @@ struct abx500_ops {
64168 int (*startup_irq_enabled) (struct device *, unsigned int);
64169 };
64170
64171 -int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
64172 +int abx500_register_ops(struct device *core_dev, const struct abx500_ops *ops);
64173 void abx500_remove_ops(struct device *dev);
64174 #endif
64175 diff -urNp linux-2.6.39.3/include/linux/mm.h linux-2.6.39.3/include/linux/mm.h
64176 --- linux-2.6.39.3/include/linux/mm.h 2011-05-19 00:06:34.000000000 -0400
64177 +++ linux-2.6.39.3/include/linux/mm.h 2011-05-22 19:36:33.000000000 -0400
64178 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
64179
64180 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
64181 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
64182 +
64183 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64184 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
64185 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
64186 +#else
64187 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
64188 +#endif
64189 +
64190 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
64191 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
64192
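Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` `VM_SAO` becomes `0x00000000`, so every `vm_flags & VM_SAO` test silently evaluates to false while `VM_PAGEEXEC` takes over bit `0x20000000`; the retained comment `/* Strong Access Ordering (powerpc) */` does not say the flag is deliberately disabled in that branch. Reword it to something like `/* unused on x86-32: bit reused by VM_PAGEEXEC */`. The reuse is safe only while no x86-32 code path sets or stores `VM_SAO`. The comment labels it powerpc-only, but a later flag addition could break that assumption without any compile-time signal.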
64193 @@ -1010,34 +1017,6 @@ int set_page_dirty(struct page *page);
64194 int set_page_dirty_lock(struct page *page);
64195 int clear_page_dirty_for_io(struct page *page);
64196
64197 -/* Is the vma a continuation of the stack vma above it? */
64198 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
64199 -{
64200 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
64201 -}
64202 -
64203 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
64204 - unsigned long addr)
64205 -{
64206 - return (vma->vm_flags & VM_GROWSDOWN) &&
64207 - (vma->vm_start == addr) &&
64208 - !vma_growsdown(vma->vm_prev, addr);
64209 -}
64210 -
64211 -/* Is the vma a continuation of the stack vma below it? */
64212 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
64213 -{
64214 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
64215 -}
64216 -
64217 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
64218 - unsigned long addr)
64219 -{
64220 - return (vma->vm_flags & VM_GROWSUP) &&
64221 - (vma->vm_end == addr) &&
64222 - !vma_growsup(vma->vm_next, addr);
64223 -}
64224 -
64225 extern unsigned long move_page_tables(struct vm_area_struct *vma,
64226 unsigned long old_addr, struct vm_area_struct *new_vma,
64227 unsigned long new_addr, unsigned long len);
64228 @@ -1189,6 +1168,15 @@ struct shrinker {
64229 extern void register_shrinker(struct shrinker *);
64230 extern void unregister_shrinker(struct shrinker *);
64231
64232 +#ifdef CONFIG_MMU
64233 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
64234 +#else
64235 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64236 +{
64237 + return __pgprot(0);
64238 +}
64239 +#endif
64240 +
64241 int vma_wants_writenotify(struct vm_area_struct *vma);
64242
64243 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
64244 @@ -1476,6 +1464,7 @@ out:
64245 }
64246
64247 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
64248 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
64249
64250 extern unsigned long do_brk(unsigned long, unsigned long);
64251
64252 @@ -1532,6 +1521,10 @@ extern struct vm_area_struct * find_vma(
64253 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
64254 struct vm_area_struct **pprev);
64255
64256 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
64257 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
64258 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
64259 +
64260 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
64261 NULL if none. Assume start_addr < end_addr. */
64262 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
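Review bot: The three `pax_*mirror*` prototypes are added with no comment on their calling contract, and unlike the `VM_PAGEEXEC` and `track_exec_limit` additions elsewhere in this file they are not wrapped in a config `#ifdef`. `pax_mirror_vma` is `__must_check long`, so the header should say what the return value means (presumably 0 or a negative errno; confirm against the definition). `pax_mirror_file_pte` takes a `spinlock_t *ptl` without stating whether the lock is held on entry or dropped before return. A short block comment above the group covering return values and locking would make misuse much less likely.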
64263 @@ -1548,15 +1541,6 @@ static inline unsigned long vma_pages(st
64264 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
64265 }
64266
64267 -#ifdef CONFIG_MMU
64268 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
64269 -#else
64270 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
64271 -{
64272 - return __pgprot(0);
64273 -}
64274 -#endif
64275 -
64276 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
64277 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
64278 unsigned long pfn, unsigned long size, pgprot_t);
64279 @@ -1668,7 +1652,7 @@ extern int unpoison_memory(unsigned long
64280 extern int sysctl_memory_failure_early_kill;
64281 extern int sysctl_memory_failure_recovery;
64282 extern void shake_page(struct page *p, int access);
64283 -extern atomic_long_t mce_bad_pages;
64284 +extern atomic_long_unchecked_t mce_bad_pages;
64285 extern int soft_offline_page(struct page *page, int flags);
64286
64287 extern void dump_page(struct page *page);
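Review bot: `mce_bad_pages` moves to `atomic_long_unchecked_t` with no comment saying why this counter is exempt from overflow checking; the same unexplained switch appears for `vm_stat[]` in mmzone.h, `oprofilefs_create_ro_atomic()` in oprofile.h, `seq_nr` in padata.h and the `child_*` fields in perf_event.h. Judging by the name, the `_unchecked` types opt out of the patch's overflow detection, so each use is a claim that wrapping is harmless because the value is a statistic or sequence number and never a reference count. State that at each site, e.g. `/* statistic only, may wrap: not a refcount */`, so a later reader does not copy the pattern onto a counter that guards object lifetime.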
64288 @@ -1682,5 +1666,11 @@ extern void copy_user_huge_page(struct p
64289 unsigned int pages_per_huge_page);
64290 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
64291
64292 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64293 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
64294 +#else
64295 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
64296 +#endif
64297 +
64298 #endif /* __KERNEL__ */
64299 #endif /* _LINUX_MM_H */
64300 diff -urNp linux-2.6.39.3/include/linux/mm_types.h linux-2.6.39.3/include/linux/mm_types.h
64301 --- linux-2.6.39.3/include/linux/mm_types.h 2011-05-19 00:06:34.000000000 -0400
64302 +++ linux-2.6.39.3/include/linux/mm_types.h 2011-05-22 19:36:33.000000000 -0400
64303 @@ -183,6 +183,8 @@ struct vm_area_struct {
64304 #ifdef CONFIG_NUMA
64305 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
64306 #endif
64307 +
64308 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
64309 };
64310
64311 struct core_thread {
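Review bot: `vm_mirror` is added to every `struct vm_area_struct` unconditionally, although its comment ties it to a PaX feature; unlike the `mm_struct` fields added in the next hunk it has no config `#ifdef`. The comment `/* PaX: mirror vma or NULL */` promises NULL when there is no mirror, which only holds if every path that allocates, copies or splits a vma clears or fixes up the field. A stale copy would leave a dangling pointer to another vma. Either guard the member with the relevant config symbol or extend the comment to name who sets and clears it and under which lock.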
64312 @@ -317,6 +319,24 @@ struct mm_struct {
64313 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
64314 pgtable_t pmd_huge_pte; /* protected by page_table_lock */
64315 #endif
64316 +
64317 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
64318 + unsigned long pax_flags;
64319 +#endif
64320 +
64321 +#ifdef CONFIG_PAX_DLRESOLVE
64322 + unsigned long call_dl_resolve;
64323 +#endif
64324 +
64325 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
64326 + unsigned long call_syscall;
64327 +#endif
64328 +
64329 +#ifdef CONFIG_PAX_ASLR
64330 + unsigned long delta_mmap; /* randomized offset */
64331 + unsigned long delta_stack; /* randomized offset */
64332 +#endif
64333 +
64334 };
64335
64336 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
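Review bot: `delta_mmap` and `delta_stack` are documented only as `/* randomized offset */`, which does not tell a reader that these appear to be the per-process ASLR secrets guarded by `CONFIG_PAX_ASLR`. Say so explicitly, e.g. `/* ASLR: randomized mmap offset; never expose to userspace */`, so nobody prints them in debug output or a /proc file. `pax_flags`, `call_dl_resolve` and `call_syscall` have no comments at all. The blank line added before the closing `};` can go.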
64337 diff -urNp linux-2.6.39.3/include/linux/mmu_notifier.h linux-2.6.39.3/include/linux/mmu_notifier.h
64338 --- linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-19 00:06:34.000000000 -0400
64339 +++ linux-2.6.39.3/include/linux/mmu_notifier.h 2011-05-22 19:36:33.000000000 -0400
64340 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
64341 */
64342 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
64343 ({ \
64344 - pte_t __pte; \
64345 + pte_t ___pte; \
64346 struct vm_area_struct *___vma = __vma; \
64347 unsigned long ___address = __address; \
64348 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
64349 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
64350 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
64351 - __pte; \
64352 + ___pte; \
64353 })
64354
64355 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
64356 diff -urNp linux-2.6.39.3/include/linux/mmzone.h linux-2.6.39.3/include/linux/mmzone.h
64357 --- linux-2.6.39.3/include/linux/mmzone.h 2011-05-19 00:06:34.000000000 -0400
64358 +++ linux-2.6.39.3/include/linux/mmzone.h 2011-05-22 19:36:33.000000000 -0400
64359 @@ -355,7 +355,7 @@ struct zone {
64360 unsigned long flags; /* zone flags, see below */
64361
64362 /* Zone statistics */
64363 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64364 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64365
64366 /*
64367 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
64368 diff -urNp linux-2.6.39.3/include/linux/mod_devicetable.h linux-2.6.39.3/include/linux/mod_devicetable.h
64369 --- linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-19 00:06:34.000000000 -0400
64370 +++ linux-2.6.39.3/include/linux/mod_devicetable.h 2011-05-22 19:36:33.000000000 -0400
64371 @@ -12,7 +12,7 @@
64372 typedef unsigned long kernel_ulong_t;
64373 #endif
64374
64375 -#define PCI_ANY_ID (~0)
64376 +#define PCI_ANY_ID ((__u16)~0)
64377
64378 struct pci_device_id {
64379 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
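Review bot: `PCI_ANY_ID` changes value for the fields that use it: the context line below the define shows `vendor` and `device` are `__u32`, so an entry that used to hold 0xFFFFFFFF from `(~0)` now holds 0x0000FFFF from `((__u16)~0)`. Comparisons written as `== PCI_ANY_ID` stay self-consistent, but anything that tests a field against a literal `~0` or `0xffffffff`, or shares tables with code built against the old header, would stop treating the entry as a wildcard. In the next hunk `HID_ANY_ID` becomes `(~0U)`, so the two wildcards now have different widths. Add a comment giving the intended width of each macro; if the goal is only to avoid a signed constant, `#define PCI_ANY_ID (~0U)` would keep the stored value unchanged.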
64380 @@ -131,7 +131,7 @@ struct usb_device_id {
64381 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
64382 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
64383
64384 -#define HID_ANY_ID (~0)
64385 +#define HID_ANY_ID (~0U)
64386
64387 struct hid_device_id {
64388 __u16 bus;
64389 diff -urNp linux-2.6.39.3/include/linux/module.h linux-2.6.39.3/include/linux/module.h
64390 --- linux-2.6.39.3/include/linux/module.h 2011-05-19 00:06:34.000000000 -0400
64391 +++ linux-2.6.39.3/include/linux/module.h 2011-05-22 19:36:33.000000000 -0400
64392 @@ -324,19 +324,16 @@ struct module
64393 int (*init)(void);
64394
64395 /* If this is non-NULL, vfree after init() returns */
64396 - void *module_init;
64397 + void *module_init_rx, *module_init_rw;
64398
64399 /* Here is the actual code + data, vfree'd on unload. */
64400 - void *module_core;
64401 + void *module_core_rx, *module_core_rw;
64402
64403 /* Here are the sizes of the init and core sections */
64404 - unsigned int init_size, core_size;
64405 + unsigned int init_size_rw, core_size_rw;
64406
64407 /* The size of the executable code in each section. */
64408 - unsigned int init_text_size, core_text_size;
64409 -
64410 - /* Size of RO sections of the module (text+rodata) */
64411 - unsigned int init_ro_size, core_ro_size;
64412 + unsigned int init_size_rx, core_size_rx;
64413
64414 /* Arch-specific module values */
64415 struct mod_arch_specific arch;
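Review bot: Two comments in `struct module` are stale after this hunk: `/* Here are the sizes of the init and core sections */` now sits above `init_size_rw, core_size_rw`, and `/* The size of the executable code in each section. */` now sits above `init_size_rx, core_size_rx`. With `init_ro_size`/`core_ro_size` removed, nothing states whether read-only data lives in the rx or the rw region. Update them to something like `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the read-only/executable (rx) init and core regions */`, once the rodata placement is confirmed. The comments on the pointer pairs should also say that both the `_rx` and `_rw` allocations are freed.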
64416 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
64417 bool is_module_percpu_address(unsigned long addr);
64418 bool is_module_text_address(unsigned long addr);
64419
64420 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
64421 +{
64422 +
64423 +#ifdef CONFIG_PAX_KERNEXEC
64424 + if (ktla_ktva(addr) >= (unsigned long)start &&
64425 + ktla_ktva(addr) < (unsigned long)start + size)
64426 + return 1;
64427 +#endif
64428 +
64429 + return ((void *)addr >= start && (void *)addr < start + size);
64430 +}
64431 +
64432 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
64433 +{
64434 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
64435 +}
64436 +
64437 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
64438 +{
64439 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
64440 +}
64441 +
64442 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
64443 +{
64444 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
64445 +}
64446 +
64447 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
64448 +{
64449 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
64450 +}
64451 +
64452 static inline int within_module_core(unsigned long addr, struct module *mod)
64453 {
64454 - return (unsigned long)mod->module_core <= addr &&
64455 - addr < (unsigned long)mod->module_core + mod->core_size;
64456 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
64457 }
64458
64459 static inline int within_module_init(unsigned long addr, struct module *mod)
64460 {
64461 - return (unsigned long)mod->module_init <= addr &&
64462 - addr < (unsigned long)mod->module_init + mod->init_size;
64463 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
64464 }
64465
64466 /* Search for module by name: must hold module_mutex. */
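Review bot: `within_module_range()` mixes two styles of bounds check: the `CONFIG_PAX_KERNEXEC` branch compares `unsigned long` values, while the final `return` does arithmetic on `void *` (`start + size`, a GNU extension). Both forms also compute an end address that can wrap. A single overflow-safe form avoids both problems: `unsigned long base = (unsigned long)start;` followed by `return addr >= base && addr - base < size;`, with the same subtraction applied to `ktla_ktva(addr)` evaluated once into a local. The blank line after the opening brace can be dropped. A one-line comment saying the range is half-open, `[start, start + size)`, would document the contract the four `_rx`/`_rw` wrappers rely on.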
64467 diff -urNp linux-2.6.39.3/include/linux/moduleloader.h linux-2.6.39.3/include/linux/moduleloader.h
64468 --- linux-2.6.39.3/include/linux/moduleloader.h 2011-05-19 00:06:34.000000000 -0400
64469 +++ linux-2.6.39.3/include/linux/moduleloader.h 2011-05-22 19:36:33.000000000 -0400
64470 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
64471 sections. Returns NULL on failure. */
64472 void *module_alloc(unsigned long size);
64473
64474 +#ifdef CONFIG_PAX_KERNEXEC
64475 +void *module_alloc_exec(unsigned long size);
64476 +#else
64477 +#define module_alloc_exec(x) module_alloc(x)
64478 +#endif
64479 +
64480 /* Free memory returned from module_alloc. */
64481 void module_free(struct module *mod, void *module_region);
64482
64483 +#ifdef CONFIG_PAX_KERNEXEC
64484 +void module_free_exec(struct module *mod, void *module_region);
64485 +#else
64486 +#define module_free_exec(x, y) module_free((x), (y))
64487 +#endif
64488 +
64489 /* Apply the given relocation to the (simplified) ELF. Return -error
64490 or 0. */
64491 int apply_relocate(Elf_Shdr *sechdrs,
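Review bot: The non-KERNEXEC fallbacks are function-like macros and are written inconsistently: `module_alloc_exec(x)` expands to `module_alloc(x)` with the argument unparenthesized, while `module_free_exec(x, y)` parenthesizes both. `static inline` wrappers would be type-checked and remove the question, e.g. `static inline void *module_alloc_exec(unsigned long size) { return module_alloc(size); }`. The header also has no comment telling callers that memory from `module_alloc_exec()` must be released with `module_free_exec()` rather than `module_free()`. The existing `/* Free memory returned from module_alloc. */` comment implies the pairing matters, so spell it out for the exec variants.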
64492 diff -urNp linux-2.6.39.3/include/linux/moduleparam.h linux-2.6.39.3/include/linux/moduleparam.h
64493 --- linux-2.6.39.3/include/linux/moduleparam.h 2011-05-19 00:06:34.000000000 -0400
64494 +++ linux-2.6.39.3/include/linux/moduleparam.h 2011-05-22 19:36:33.000000000 -0400
64495 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
64496 * @len is usually just sizeof(string).
64497 */
64498 #define module_param_string(name, string, len, perm) \
64499 - static const struct kparam_string __param_string_##name \
64500 + static const struct kparam_string __param_string_##name __used \
64501 = { len, string }; \
64502 __module_param_call(MODULE_PARAM_PREFIX, name, \
64503 &param_ops_string, \
64504 @@ -285,48 +285,48 @@ static inline void destroy_params(const
64505 #define __param_check(name, p, type) \
64506 static inline type *__check_##name(void) { return(p); }
64507
64508 -extern struct kernel_param_ops param_ops_byte;
64509 +extern const struct kernel_param_ops param_ops_byte;
64510 extern int param_set_byte(const char *val, const struct kernel_param *kp);
64511 extern int param_get_byte(char *buffer, const struct kernel_param *kp);
64512 #define param_check_byte(name, p) __param_check(name, p, unsigned char)
64513
64514 -extern struct kernel_param_ops param_ops_short;
64515 +extern const struct kernel_param_ops param_ops_short;
64516 extern int param_set_short(const char *val, const struct kernel_param *kp);
64517 extern int param_get_short(char *buffer, const struct kernel_param *kp);
64518 #define param_check_short(name, p) __param_check(name, p, short)
64519
64520 -extern struct kernel_param_ops param_ops_ushort;
64521 +extern const struct kernel_param_ops param_ops_ushort;
64522 extern int param_set_ushort(const char *val, const struct kernel_param *kp);
64523 extern int param_get_ushort(char *buffer, const struct kernel_param *kp);
64524 #define param_check_ushort(name, p) __param_check(name, p, unsigned short)
64525
64526 -extern struct kernel_param_ops param_ops_int;
64527 +extern const struct kernel_param_ops param_ops_int;
64528 extern int param_set_int(const char *val, const struct kernel_param *kp);
64529 extern int param_get_int(char *buffer, const struct kernel_param *kp);
64530 #define param_check_int(name, p) __param_check(name, p, int)
64531
64532 -extern struct kernel_param_ops param_ops_uint;
64533 +extern const struct kernel_param_ops param_ops_uint;
64534 extern int param_set_uint(const char *val, const struct kernel_param *kp);
64535 extern int param_get_uint(char *buffer, const struct kernel_param *kp);
64536 #define param_check_uint(name, p) __param_check(name, p, unsigned int)
64537
64538 -extern struct kernel_param_ops param_ops_long;
64539 +extern const struct kernel_param_ops param_ops_long;
64540 extern int param_set_long(const char *val, const struct kernel_param *kp);
64541 extern int param_get_long(char *buffer, const struct kernel_param *kp);
64542 #define param_check_long(name, p) __param_check(name, p, long)
64543
64544 -extern struct kernel_param_ops param_ops_ulong;
64545 +extern const struct kernel_param_ops param_ops_ulong;
64546 extern int param_set_ulong(const char *val, const struct kernel_param *kp);
64547 extern int param_get_ulong(char *buffer, const struct kernel_param *kp);
64548 #define param_check_ulong(name, p) __param_check(name, p, unsigned long)
64549
64550 -extern struct kernel_param_ops param_ops_charp;
64551 +extern const struct kernel_param_ops param_ops_charp;
64552 extern int param_set_charp(const char *val, const struct kernel_param *kp);
64553 extern int param_get_charp(char *buffer, const struct kernel_param *kp);
64554 #define param_check_charp(name, p) __param_check(name, p, char *)
64555
64556 /* For historical reasons "bool" parameters can be (unsigned) "int". */
64557 -extern struct kernel_param_ops param_ops_bool;
64558 +extern const struct kernel_param_ops param_ops_bool;
64559 extern int param_set_bool(const char *val, const struct kernel_param *kp);
64560 extern int param_get_bool(char *buffer, const struct kernel_param *kp);
64561 #define param_check_bool(name, p) \
64562 @@ -337,7 +337,7 @@ extern int param_get_bool(char *buffer,
64563 !__same_type((p), int *)); \
64564 }
64565
64566 -extern struct kernel_param_ops param_ops_invbool;
64567 +extern const struct kernel_param_ops param_ops_invbool;
64568 extern int param_set_invbool(const char *val, const struct kernel_param *kp);
64569 extern int param_get_invbool(char *buffer, const struct kernel_param *kp);
64570 #define param_check_invbool(name, p) __param_check(name, p, bool)
64571 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
64572 * module_param_named() for why this might be necessary.
64573 */
64574 #define module_param_array_named(name, array, type, nump, perm) \
64575 - static const struct kparam_array __param_arr_##name \
64576 + static const struct kparam_array __param_arr_##name __used \
64577 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
64578 sizeof(array[0]), array }; \
64579 __module_param_call(MODULE_PARAM_PREFIX, name, \
64580 @@ -379,9 +379,9 @@ extern int param_get_invbool(char *buffe
64581 __same_type(array[0], bool), perm); \
64582 __MODULE_PARM_TYPE(name, "array of " #type)
64583
64584 -extern struct kernel_param_ops param_array_ops;
64585 +extern const struct kernel_param_ops param_array_ops;
64586
64587 -extern struct kernel_param_ops param_ops_string;
64588 +extern const struct kernel_param_ops param_ops_string;
64589 extern int param_set_copystring(const char *val, const struct kernel_param *);
64590 extern int param_get_string(char *buffer, const struct kernel_param *kp);
64591
64592 diff -urNp linux-2.6.39.3/include/linux/mutex.h linux-2.6.39.3/include/linux/mutex.h
64593 --- linux-2.6.39.3/include/linux/mutex.h 2011-05-19 00:06:34.000000000 -0400
64594 +++ linux-2.6.39.3/include/linux/mutex.h 2011-05-22 19:36:33.000000000 -0400
64595 @@ -51,7 +51,7 @@ struct mutex {
64596 spinlock_t wait_lock;
64597 struct list_head wait_list;
64598 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
64599 - struct thread_info *owner;
64600 + struct task_struct *owner;
64601 #endif
64602 #ifdef CONFIG_DEBUG_MUTEXES
64603 const char *name;
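Review bot: `owner` changes from `struct thread_info *` to `struct task_struct *` with no comment, so the header does not tell readers what the field identifies or how long the pointee stays valid. Add something like `/* task holding the mutex, NULL when unlocked (TODO confirm) */` above the member. Every reader and writer of `owner` has to change type in the same patch. Those sites are outside this hunk, so check that none still converts through `thread_info`.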
64604 diff -urNp linux-2.6.39.3/include/linux/namei.h linux-2.6.39.3/include/linux/namei.h
64605 --- linux-2.6.39.3/include/linux/namei.h 2011-05-19 00:06:34.000000000 -0400
64606 +++ linux-2.6.39.3/include/linux/namei.h 2011-05-22 19:36:33.000000000 -0400
64607 @@ -24,7 +24,7 @@ struct nameidata {
64608 unsigned seq;
64609 int last_type;
64610 unsigned depth;
64611 - char *saved_names[MAX_NESTED_LINKS + 1];
64612 + const char *saved_names[MAX_NESTED_LINKS + 1];
64613
64614 /* Intent data */
64615 union {
64616 @@ -91,12 +91,12 @@ extern int follow_up(struct path *);
64617 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
64618 extern void unlock_rename(struct dentry *, struct dentry *);
64619
64620 -static inline void nd_set_link(struct nameidata *nd, char *path)
64621 +static inline void nd_set_link(struct nameidata *nd, const char *path)
64622 {
64623 nd->saved_names[nd->depth] = path;
64624 }
64625
64626 -static inline char *nd_get_link(struct nameidata *nd)
64627 +static inline const char *nd_get_link(const struct nameidata *nd)
64628 {
64629 return nd->saved_names[nd->depth];
64630 }
64631 diff -urNp linux-2.6.39.3/include/linux/netfilter/xt_gradm.h linux-2.6.39.3/include/linux/netfilter/xt_gradm.h
64632 --- linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
64633 +++ linux-2.6.39.3/include/linux/netfilter/xt_gradm.h 2011-05-22 19:41:42.000000000 -0400
64634 @@ -0,0 +1,9 @@
64635 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
64636 +#define _LINUX_NETFILTER_XT_GRADM_H 1
64637 +
64638 +struct xt_gradm_mtinfo {
64639 + __u16 flags;
64640 + __u16 invflags;
64641 +};
64642 +
64643 +#endif
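Review bot: The new header uses `__u16` without including `<linux/types.h>`, so it compiles only when the includer has already pulled that in; add `#include <linux/types.h>` directly after the include guard. `struct xt_gradm_mtinfo` looks like the layout shared between the match and whatever configures it, yet neither `flags` nor `invflags` is documented and no flag bits are defined here. A comment naming the valid bits, or pointing to where they are defined, lets the consumer reject unknown bits instead of silently ignoring them.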
64644 diff -urNp linux-2.6.39.3/include/linux/oprofile.h linux-2.6.39.3/include/linux/oprofile.h
64645 --- linux-2.6.39.3/include/linux/oprofile.h 2011-05-19 00:06:34.000000000 -0400
64646 +++ linux-2.6.39.3/include/linux/oprofile.h 2011-05-22 19:36:33.000000000 -0400
64647 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
64648 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
64649 char const * name, ulong * val);
64650
64651 -/** Create a file for read-only access to an atomic_t. */
64652 +/** Create a file for read-only access to an atomic_unchecked_t. */
64653 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
64654 - char const * name, atomic_t * val);
64655 + char const * name, atomic_unchecked_t * val);
64656
64657 /** create a directory */
64658 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
64659 diff -urNp linux-2.6.39.3/include/linux/padata.h linux-2.6.39.3/include/linux/padata.h
64660 --- linux-2.6.39.3/include/linux/padata.h 2011-05-19 00:06:34.000000000 -0400
64661 +++ linux-2.6.39.3/include/linux/padata.h 2011-05-22 19:36:33.000000000 -0400
64662 @@ -129,7 +129,7 @@ struct parallel_data {
64663 struct padata_instance *pinst;
64664 struct padata_parallel_queue __percpu *pqueue;
64665 struct padata_serial_queue __percpu *squeue;
64666 - atomic_t seq_nr;
64667 + atomic_unchecked_t seq_nr;
64668 atomic_t reorder_objects;
64669 atomic_t refcnt;
64670 unsigned int max_seq_nr;
64671 diff -urNp linux-2.6.39.3/include/linux/pci.h linux-2.6.39.3/include/linux/pci.h
64672 --- linux-2.6.39.3/include/linux/pci.h 2011-05-19 00:06:34.000000000 -0400
64673 +++ linux-2.6.39.3/include/linux/pci.h 2011-05-22 19:36:33.000000000 -0400
64674 @@ -411,7 +411,7 @@ struct pci_bus {
64675 struct resource *resource[PCI_BRIDGE_RESOURCE_NUM];
64676 struct list_head resources; /* address space routed to this bus */
64677
64678 - struct pci_ops *ops; /* configuration access functions */
64679 + const struct pci_ops *ops; /* configuration access functions */
64680 void *sysdata; /* hook for sys-specific extension */
64681 struct proc_dir_entry *procdir; /* directory entry in /proc/bus/pci */
64682
64683 @@ -550,7 +550,7 @@ struct pci_driver {
64684 int (*resume_early) (struct pci_dev *dev);
64685 int (*resume) (struct pci_dev *dev); /* Device woken up */
64686 void (*shutdown) (struct pci_dev *dev);
64687 - struct pci_error_handlers *err_handler;
64688 + const struct pci_error_handlers *err_handler;
64689 struct device_driver driver;
64690 struct pci_dynids dynids;
64691 };
64692 @@ -639,7 +639,7 @@ void pcibios_scan_specific_bus(int busn)
64693 extern struct pci_bus *pci_find_bus(int domain, int busnr);
64694 void pci_bus_add_devices(const struct pci_bus *bus);
64695 struct pci_bus *pci_scan_bus_parented(struct device *parent, int bus,
64696 - struct pci_ops *ops, void *sysdata);
64697 + const struct pci_ops *ops, void *sysdata);
64698 static inline struct pci_bus * __devinit pci_scan_bus(int bus, struct pci_ops *ops,
64699 void *sysdata)
64700 {
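Review bot: `pci_scan_bus_parented()` now takes `const struct pci_ops *ops`, but the inline `pci_scan_bus()` directly below it still declares `struct pci_ops *ops`. A driver whose ops table has been made `const` therefore cannot call the inline wrapper without a cast that discards the qualifier. Change the context line to `static inline struct pci_bus * __devinit pci_scan_bus(int bus, const struct pci_ops *ops,`. The body of `pci_scan_bus()` continues past the end of this hunk.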
64701 @@ -650,7 +650,7 @@ static inline struct pci_bus * __devinit
64702 return root_bus;
64703 }
64704 struct pci_bus *pci_create_bus(struct device *parent, int bus,
64705 - struct pci_ops *ops, void *sysdata);
64706 + const struct pci_ops *ops, void *sysdata);
64707 struct pci_bus *pci_add_new_bus(struct pci_bus *parent, struct pci_dev *dev,
64708 int busnr);
64709 void pcie_update_link_speed(struct pci_bus *bus, u16 link_status);
64710 @@ -727,7 +727,7 @@ int pci_bus_write_config_word(struct pci
64711 int where, u16 val);
64712 int pci_bus_write_config_dword(struct pci_bus *bus, unsigned int devfn,
64713 int where, u32 val);
64714 -struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, struct pci_ops *ops);
64715 +const struct pci_ops *pci_bus_set_ops(struct pci_bus *bus, const struct pci_ops *ops);
64716
64717 static inline int pci_read_config_byte(struct pci_dev *dev, int where, u8 *val)
64718 {
64719 diff -urNp linux-2.6.39.3/include/linux/perf_event.h linux-2.6.39.3/include/linux/perf_event.h
64720 --- linux-2.6.39.3/include/linux/perf_event.h 2011-05-19 00:06:34.000000000 -0400
64721 +++ linux-2.6.39.3/include/linux/perf_event.h 2011-05-22 19:36:33.000000000 -0400
64722 @@ -759,8 +759,8 @@ struct perf_event {
64723
64724 enum perf_event_active_state state;
64725 unsigned int attach_state;
64726 - local64_t count;
64727 - atomic64_t child_count;
64728 + local64_t count; /* PaX: fix it one day */
64729 + atomic64_unchecked_t child_count;
64730
64731 /*
64732 * These are the total time in nanoseconds that the event
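Review bot: The comment added on `count`, `/* PaX: fix it one day */`, does not say what is to be fixed, and the switch of `child_count` (and of `child_total_time_enabled` / `child_total_time_running` in the next hunk) to `atomic64_unchecked_t` carries no explanation at all. Presumably these are statistics that may legitimately wrap and are therefore exempted from overflow detection, while `local64_t` has no unchecked counterpart yet; if so, say that, e.g. `/* event counter, may wrap: needs an unchecked local64_t variant */`. Without it a later reader cannot tell an intentional exemption from an oversight. `struct perf_event` starts and ends outside the hunk.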
64733 @@ -811,8 +811,8 @@ struct perf_event {
64734 * These accumulate total time (in nanoseconds) that children
64735 * events have been enabled and running, respectively.
64736 */
64737 - atomic64_t child_total_time_enabled;
64738 - atomic64_t child_total_time_running;
64739 + atomic64_unchecked_t child_total_time_enabled;
64740 + atomic64_unchecked_t child_total_time_running;
64741
64742 /*
64743 * Protect attach/detach and child_list:
64744 @@ -1090,9 +1090,9 @@ void perf_event_task_sched_out(struct ta
64745 }
64746
64747 extern void perf_event_mmap(struct vm_area_struct *vma);
64748 -extern struct perf_guest_info_callbacks *perf_guest_cbs;
64749 -extern int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64750 -extern int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *callbacks);
64751 +extern const struct perf_guest_info_callbacks *perf_guest_cbs;
64752 +extern int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64753 +extern int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *callbacks);
64754
64755 extern void perf_event_comm(struct task_struct *tsk);
64756 extern void perf_event_fork(struct task_struct *tsk);
64757 diff -urNp linux-2.6.39.3/include/linux/pipe_fs_i.h linux-2.6.39.3/include/linux/pipe_fs_i.h
64758 --- linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-19 00:06:34.000000000 -0400
64759 +++ linux-2.6.39.3/include/linux/pipe_fs_i.h 2011-05-22 19:36:33.000000000 -0400
64760 @@ -46,9 +46,9 @@ struct pipe_buffer {
64761 struct pipe_inode_info {
64762 wait_queue_head_t wait;
64763 unsigned int nrbufs, curbuf, buffers;
64764 - unsigned int readers;
64765 - unsigned int writers;
64766 - unsigned int waiting_writers;
64767 + atomic_t readers;
64768 + atomic_t writers;
64769 + atomic_t waiting_writers;
64770 unsigned int r_counter;
64771 unsigned int w_counter;
64772 struct page *tmp_page;
64773 diff -urNp linux-2.6.39.3/include/linux/pm.h linux-2.6.39.3/include/linux/pm.h
64774 --- linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:18:51.000000000 -0400
64775 +++ linux-2.6.39.3/include/linux/pm.h 2011-07-09 09:19:24.000000000 -0400
64776 @@ -268,7 +268,7 @@ const struct dev_pm_ops name = { \
64777 * runtime PM, make the pm member point to generic_subsys_pm_ops.
64778 */
64779 #ifdef CONFIG_PM
64780 -extern struct dev_pm_ops generic_subsys_pm_ops;
64781 +extern const struct dev_pm_ops generic_subsys_pm_ops;
64782 #define GENERIC_SUBSYS_PM_OPS (&generic_subsys_pm_ops)
64783 #else
64784 #define GENERIC_SUBSYS_PM_OPS NULL
64785 @@ -472,7 +472,7 @@ extern void update_pm_runtime_accounting
64786 * subsystem-level and driver-level callbacks.
64787 */
64788 struct dev_power_domain {
64789 - struct dev_pm_ops ops;
64790 + const struct dev_pm_ops ops;
64791 };
64792
64793 /*
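Review bot: Declaring the embedded member as `const struct dev_pm_ops ops;` makes every `struct dev_power_domain` object unassignable as a whole and forces `ops` to be set in an initializer; any code that fills the callbacks at run time will no longer compile without a cast that writes through a const object. The same applies to `const struct pci_ops pci_ops;` embedded in `struct ssb_gige` further down, which looks like a per-device structure and so is likely populated after allocation. Where run-time setup is needed, a pointer to a separately defined const table, `const struct dev_pm_ops *ops;`, gives the read-only property without that problem, though it changes the member's type for users outside this hunk.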
64794 diff -urNp linux-2.6.39.3/include/linux/pm_runtime.h linux-2.6.39.3/include/linux/pm_runtime.h
64795 --- linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-19 00:06:34.000000000 -0400
64796 +++ linux-2.6.39.3/include/linux/pm_runtime.h 2011-05-22 19:36:33.000000000 -0400
64797 @@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
64798
64799 static inline void pm_runtime_mark_last_busy(struct device *dev)
64800 {
64801 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
64802 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
64803 }
64804
64805 #else /* !CONFIG_PM_RUNTIME */
64806 diff -urNp linux-2.6.39.3/include/linux/poison.h linux-2.6.39.3/include/linux/poison.h
64807 --- linux-2.6.39.3/include/linux/poison.h 2011-05-19 00:06:34.000000000 -0400
64808 +++ linux-2.6.39.3/include/linux/poison.h 2011-05-22 19:36:33.000000000 -0400
64809 @@ -19,8 +19,8 @@
64810 * under normal circumstances, used to verify that nobody uses
64811 * non-initialized list entries.
64812 */
64813 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
64814 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
64815 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
64816 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
64817
64818 /********** include/linux/timer.h **********/
64819 /*
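Review bot: The new `LIST_POISON1`/`LIST_POISON2` values no longer add `POISON_POINTER_DELTA`, and the `(long)` cast does not produce the same address on every word size. `0xFFFFFF01` has type `unsigned int`, so on a 64-bit build the conversion to `long` zero-extends and the poison pointer is `0x00000000FFFFFF01` rather than a value at the top of the address space, as it is on 32-bit. If a top-of-address-space value is wanted on all architectures, write the constants as negative longs, `((void *) -255L)` and `((void *) -254L)`; if the low 64-bit value is intended, add a comment stating what guarantees that a dereference of it faults, since the configured pointer delta is now ignored.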
64820 diff -urNp linux-2.6.39.3/include/linux/posix-timers.h linux-2.6.39.3/include/linux/posix-timers.h
64821 --- linux-2.6.39.3/include/linux/posix-timers.h 2011-05-19 00:06:34.000000000 -0400
64822 +++ linux-2.6.39.3/include/linux/posix-timers.h 2011-05-22 19:36:33.000000000 -0400
64823 @@ -102,10 +102,10 @@ struct k_clock {
64824 struct itimerspec * cur_setting);
64825 };
64826
64827 -extern struct k_clock clock_posix_cpu;
64828 -extern struct k_clock clock_posix_dynamic;
64829 +extern const struct k_clock clock_posix_cpu;
64830 +extern const struct k_clock clock_posix_dynamic;
64831
64832 -void posix_timers_register_clock(const clockid_t clock_id, struct k_clock *new_clock);
64833 +void posix_timers_register_clock(const clockid_t clock_id, const struct k_clock *new_clock);
64834
64835 /* function to call to trigger timer event */
64836 int posix_timer_event(struct k_itimer *timr, int si_private);
64837 diff -urNp linux-2.6.39.3/include/linux/proc_fs.h linux-2.6.39.3/include/linux/proc_fs.h
64838 --- linux-2.6.39.3/include/linux/proc_fs.h 2011-05-19 00:06:34.000000000 -0400
64839 +++ linux-2.6.39.3/include/linux/proc_fs.h 2011-05-22 19:41:42.000000000 -0400
64840 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
64841 return proc_create_data(name, mode, parent, proc_fops, NULL);
64842 }
64843
64844 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
64845 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
64846 +{
64847 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64848 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
64849 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64850 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
64851 +#else
64852 + return proc_create_data(name, mode, parent, proc_fops, NULL);
64853 +#endif
64854 +}
64855 +
64856 +
64857 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
64858 mode_t mode, struct proc_dir_entry *base,
64859 read_proc_t *read_proc, void * data)
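Review bot: `proc_create_grsec()` silently discards the caller's `mode` when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, and nothing at the definition says so. An entry requested as writable ends up read-only (`S_IRUSR` or `S_IRUSR | S_IRGRP`), which is the safe direction but surprising to a caller that registers a write handler. A comment above the function would cover it, e.g. `/* Like proc_create(), but with GRKERNSEC_PROC_USER/USERGROUP the entry is forced to 0400/0440 and @mode is ignored. */`. The second blank line after the closing brace can also go.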
64860 diff -urNp linux-2.6.39.3/include/linux/ptrace.h linux-2.6.39.3/include/linux/ptrace.h
64861 --- linux-2.6.39.3/include/linux/ptrace.h 2011-05-19 00:06:34.000000000 -0400
64862 +++ linux-2.6.39.3/include/linux/ptrace.h 2011-05-22 19:41:42.000000000 -0400
64863 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
64864 extern void exit_ptrace(struct task_struct *tracer);
64865 #define PTRACE_MODE_READ 1
64866 #define PTRACE_MODE_ATTACH 2
64867 -/* Returns 0 on success, -errno on denial. */
64868 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
64869 /* Returns true on success, false on denial. */
64870 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
64871 +/* Returns true on success, false on denial. */
64872 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
64873
64874 static inline int ptrace_reparented(struct task_struct *child)
64875 {
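Review bot: The comment on the new `ptrace_may_access_log()` is a copy of the one on `ptrace_may_access()` and so gives no hint of how the two differ. Going by the name it additionally logs the denial, which matters to callers because picking the wrong variant either floods the log or leaves denials unrecorded; a comment such as `/* As ptrace_may_access(), but a denial is also logged. */` would make the choice clear, once confirmed against the definition. The hunk also drops the `__ptrace_may_access()` declaration, so any user of the -errno variant outside the defining file needs converting; those callers are not visible here.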
64876 diff -urNp linux-2.6.39.3/include/linux/random.h linux-2.6.39.3/include/linux/random.h
64877 --- linux-2.6.39.3/include/linux/random.h 2011-05-19 00:06:34.000000000 -0400
64878 +++ linux-2.6.39.3/include/linux/random.h 2011-05-22 19:36:33.000000000 -0400
64879 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
64880
64881 u32 prandom32(struct rnd_state *);
64882
64883 +static inline unsigned long pax_get_random_long(void)
64884 +{
64885 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
64886 +}
64887 +
64888 /*
64889 * Handle minimum values for seeds
64890 */
64891 static inline u32 __seed(u32 x, u32 m)
64892 {
64893 - return (x < m) ? x + m : x;
64894 + return (x <= m) ? x + m + 1 : x;
64895 }
64896
64897 /**
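Review bot: `pax_get_random_long()` builds its result from `random32()`, the kernel's fast pseudo-random generator, which is not meant as a source of unpredictable values. The prefix suggests the result feeds address-space randomisation; if so, output derived from `get_random_bytes()` is the better base, and the helper should at least carry a comment stating what strength callers may assume. Separately, on a 32-bit build the untaken branch `(unsigned long)random32() << 32` is still compiled and shifts by the full width of the type, which may draw a compiler warning; a two-step shift, `<< 16 << 16`, avoids it.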
64898 diff -urNp linux-2.6.39.3/include/linux/reboot.h linux-2.6.39.3/include/linux/reboot.h
64899 --- linux-2.6.39.3/include/linux/reboot.h 2011-05-19 00:06:34.000000000 -0400
64900 +++ linux-2.6.39.3/include/linux/reboot.h 2011-05-22 19:36:33.000000000 -0400
64901 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
64902 * Architecture-specific implementations of sys_reboot commands.
64903 */
64904
64905 -extern void machine_restart(char *cmd);
64906 -extern void machine_halt(void);
64907 -extern void machine_power_off(void);
64908 +extern void machine_restart(char *cmd) __noreturn;
64909 +extern void machine_halt(void) __noreturn;
64910 +extern void machine_power_off(void) __noreturn;
64911
64912 extern void machine_shutdown(void);
64913 struct pt_regs;
64914 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
64915 */
64916
64917 extern void kernel_restart_prepare(char *cmd);
64918 -extern void kernel_restart(char *cmd);
64919 -extern void kernel_halt(void);
64920 -extern void kernel_power_off(void);
64921 +extern void kernel_restart(char *cmd) __noreturn;
64922 +extern void kernel_halt(void) __noreturn;
64923 +extern void kernel_power_off(void) __noreturn;
64924
64925 extern int C_A_D; /* for sysctl */
64926 void ctrl_alt_del(void);
64927 @@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
64928 * Emergency restart, callable from an interrupt handler.
64929 */
64930
64931 -extern void emergency_restart(void);
64932 +extern void emergency_restart(void) __noreturn;
64933 #include <asm/emergency-restart.h>
64934
64935 #endif
64936 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs.h linux-2.6.39.3/include/linux/reiserfs_fs.h
64937 --- linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-19 00:06:34.000000000 -0400
64938 +++ linux-2.6.39.3/include/linux/reiserfs_fs.h 2011-05-22 19:36:33.000000000 -0400
64939 @@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
64940 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
64941
64942 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
64943 -#define get_generation(s) atomic_read (&fs_generation(s))
64944 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
64945 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
64946 #define __fs_changed(gen,s) (gen != get_generation (s))
64947 #define fs_changed(gen,s) \
64948 @@ -1618,24 +1618,24 @@ static inline struct super_block *sb_fro
64949 */
64950
64951 struct item_operations {
64952 - int (*bytes_number) (struct item_head * ih, int block_size);
64953 - void (*decrement_key) (struct cpu_key *);
64954 - int (*is_left_mergeable) (struct reiserfs_key * ih,
64955 + int (* const bytes_number) (struct item_head * ih, int block_size);
64956 + void (* const decrement_key) (struct cpu_key *);
64957 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
64958 unsigned long bsize);
64959 - void (*print_item) (struct item_head *, char *item);
64960 - void (*check_item) (struct item_head *, char *item);
64961 + void (* const print_item) (struct item_head *, char *item);
64962 + void (* const check_item) (struct item_head *, char *item);
64963
64964 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64965 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
64966 int is_affected, int insert_size);
64967 - int (*check_left) (struct virtual_item * vi, int free,
64968 + int (* const check_left) (struct virtual_item * vi, int free,
64969 int start_skip, int end_skip);
64970 - int (*check_right) (struct virtual_item * vi, int free);
64971 - int (*part_size) (struct virtual_item * vi, int from, int to);
64972 - int (*unit_num) (struct virtual_item * vi);
64973 - void (*print_vi) (struct virtual_item * vi);
64974 + int (* const check_right) (struct virtual_item * vi, int free);
64975 + int (* const part_size) (struct virtual_item * vi, int from, int to);
64976 + int (* const unit_num) (struct virtual_item * vi);
64977 + void (* const print_vi) (struct virtual_item * vi);
64978 };
64979
64980 -extern struct item_operations *item_ops[TYPE_ANY + 1];
64981 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
64982
64983 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
64984 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
64985 diff -urNp linux-2.6.39.3/include/linux/reiserfs_fs_sb.h linux-2.6.39.3/include/linux/reiserfs_fs_sb.h
64986 --- linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-19 00:06:34.000000000 -0400
64987 +++ linux-2.6.39.3/include/linux/reiserfs_fs_sb.h 2011-05-22 19:36:33.000000000 -0400
64988 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
64989 /* Comment? -Hans */
64990 wait_queue_head_t s_wait;
64991 /* To be obsoleted soon by per buffer seals.. -Hans */
64992 - atomic_t s_generation_counter; // increased by one every time the
64993 + atomic_unchecked_t s_generation_counter; // increased by one every time the
64994 // tree gets re-balanced
64995 unsigned long s_properties; /* File system properties. Currently holds
64996 on-disk FS format */
64997 diff -urNp linux-2.6.39.3/include/linux/rmap.h linux-2.6.39.3/include/linux/rmap.h
64998 --- linux-2.6.39.3/include/linux/rmap.h 2011-05-19 00:06:34.000000000 -0400
64999 +++ linux-2.6.39.3/include/linux/rmap.h 2011-05-22 19:36:33.000000000 -0400
65000 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
65001 void anon_vma_init(void); /* create anon_vma_cachep */
65002 int anon_vma_prepare(struct vm_area_struct *);
65003 void unlink_anon_vmas(struct vm_area_struct *);
65004 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
65005 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
65006 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
65007 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
65008 void __anon_vma_link(struct vm_area_struct *);
65009
65010 static inline void anon_vma_merge(struct vm_area_struct *vma,
65011 diff -urNp linux-2.6.39.3/include/linux/sched.h linux-2.6.39.3/include/linux/sched.h
65012 --- linux-2.6.39.3/include/linux/sched.h 2011-05-19 00:06:34.000000000 -0400
65013 +++ linux-2.6.39.3/include/linux/sched.h 2011-07-14 21:03:15.000000000 -0400
65014 @@ -100,6 +100,7 @@ struct bio_list;
65015 struct fs_struct;
65016 struct perf_event_context;
65017 struct blk_plug;
65018 +struct linux_binprm;
65019
65020 /*
65021 * List of flags we want to share for kernel threads,
65022 @@ -360,7 +361,7 @@ extern signed long schedule_timeout_inte
65023 extern signed long schedule_timeout_killable(signed long timeout);
65024 extern signed long schedule_timeout_uninterruptible(signed long timeout);
65025 asmlinkage void schedule(void);
65026 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
65027 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
65028
65029 struct nsproxy;
65030 struct user_namespace;
65031 @@ -381,10 +382,13 @@ struct user_namespace;
65032 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
65033
65034 extern int sysctl_max_map_count;
65035 +extern unsigned long sysctl_heap_stack_gap;
65036
65037 #include <linux/aio.h>
65038
65039 #ifdef CONFIG_MMU
65040 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
65041 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
65042 extern void arch_pick_mmap_layout(struct mm_struct *mm);
65043 extern unsigned long
65044 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
65045 @@ -629,6 +633,17 @@ struct signal_struct {
65046 #ifdef CONFIG_TASKSTATS
65047 struct taskstats *stats;
65048 #endif
65049 +
65050 +#ifdef CONFIG_GRKERNSEC
65051 + u32 curr_ip;
65052 + u32 saved_ip;
65053 + u32 gr_saddr;
65054 + u32 gr_daddr;
65055 + u16 gr_sport;
65056 + u16 gr_dport;
65057 + u8 used_accept:1;
65058 +#endif
65059 +
65060 #ifdef CONFIG_AUDIT
65061 unsigned audit_tty;
65062 struct tty_audit_buf *tty_audit_buf;
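Review bot: The address and port fields added to `signal_struct` are plain `u32`/`u16`, so they can only describe IPv4 endpoints and carry no byte-order annotation. If they hold values copied from socket structures they are presumably in network order, and `__be32 gr_saddr;` / `__be16 gr_sport;` would let sparse catch a missing `ntohl()`/`ntohs()` where they are logged or compared. A one-line comment on what `curr_ip` and `saved_ip` record, and on how an IPv6 peer is represented, would also help anyone reading logs produced from them. `struct signal_struct` starts and ends outside the hunk.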
65063 @@ -701,6 +716,11 @@ struct user_struct {
65064 struct key *session_keyring; /* UID's default session keyring */
65065 #endif
65066
65067 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
65068 + unsigned int banned;
65069 + unsigned long ban_expires;
65070 +#endif
65071 +
65072 /* Hash table maintenance information */
65073 struct hlist_node uidhash_node;
65074 uid_t uid;
65075 @@ -1310,8 +1330,8 @@ struct task_struct {
65076 struct list_head thread_group;
65077
65078 struct completion *vfork_done; /* for vfork() */
65079 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65080 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65081 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65082 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65083
65084 cputime_t utime, stime, utimescaled, stimescaled;
65085 cputime_t gtime;
65086 @@ -1327,13 +1347,6 @@ struct task_struct {
65087 struct task_cputime cputime_expires;
65088 struct list_head cpu_timers[3];
65089
65090 -/* process credentials */
65091 - const struct cred __rcu *real_cred; /* objective and real subjective task
65092 - * credentials (COW) */
65093 - const struct cred __rcu *cred; /* effective (overridable) subjective task
65094 - * credentials (COW) */
65095 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65096 -
65097 char comm[TASK_COMM_LEN]; /* executable name excluding path
65098 - access with [gs]et_task_comm (which lock
65099 it with task_lock())
65100 @@ -1350,8 +1363,16 @@ struct task_struct {
65101 #endif
65102 /* CPU-specific state of this task */
65103 struct thread_struct thread;
65104 +/* thread_info moved to task_struct */
65105 +#ifdef CONFIG_X86
65106 + struct thread_info tinfo;
65107 +#endif
65108 /* filesystem information */
65109 struct fs_struct *fs;
65110 +
65111 + const struct cred __rcu *cred; /* effective (overridable) subjective task
65112 + * credentials (COW) */
65113 +
65114 /* open file information */
65115 struct files_struct *files;
65116 /* namespaces */
65117 @@ -1398,6 +1419,11 @@ struct task_struct {
65118 struct rt_mutex_waiter *pi_blocked_on;
65119 #endif
65120
65121 +/* process credentials */
65122 + const struct cred __rcu *real_cred; /* objective and real subjective task
65123 + * credentials (COW) */
65124 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65125 +
65126 #ifdef CONFIG_DEBUG_MUTEXES
65127 /* mutex deadlock detection */
65128 struct mutex_waiter *blocked_on;
65129 @@ -1508,6 +1534,21 @@ struct task_struct {
65130 unsigned long default_timer_slack_ns;
65131
65132 struct list_head *scm_work_list;
65133 +
65134 +#ifdef CONFIG_GRKERNSEC
65135 + /* grsecurity */
65136 + struct dentry *gr_chroot_dentry;
65137 + struct acl_subject_label *acl;
65138 + struct acl_role_label *role;
65139 + struct file *exec_file;
65140 + u16 acl_role_id;
65141 + /* is this the task that authenticated to the special role */
65142 + u8 acl_sp_role;
65143 + u8 is_writable;
65144 + u8 brute;
65145 + u8 gr_is_chrooted;
65146 +#endif
65147 +
65148 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
65149 /* Index of current stored address in ret_stack */
65150 int curr_ret_stack;
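Review bot: Of the fields added under `CONFIG_GRKERNSEC` only `acl_sp_role` is commented, and the ones that matter most for object lifetime are the pointers. For `gr_chroot_dentry` and `exec_file` the declaration should state whether the task holds a counted reference and where it is dropped, since a borrowed pointer kept in `task_struct` can outlive its object; something like `struct file *exec_file; /* counted reference, released on exec/exit (confirm) */`. `is_writable`, `brute` and `gr_is_chrooted` read as booleans stored in `u8`, and a short comment giving their meaning (or a `:1` bit-field, as `used_accept` uses in `signal_struct`) would make that explicit.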
65151 @@ -1542,6 +1583,57 @@ struct task_struct {
65152 #endif
65153 };
65154
65155 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65156 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65157 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65158 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65159 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65160 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65161 +
65162 +#ifdef CONFIG_PAX_SOFTMODE
65163 +extern unsigned int pax_softmode;
65164 +#endif
65165 +
65166 +extern int pax_check_flags(unsigned long *);
65167 +
65168 +/* if tsk != current then task_lock must be held on it */
65169 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65170 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
65171 +{
65172 + if (likely(tsk->mm))
65173 + return tsk->mm->pax_flags;
65174 + else
65175 + return 0UL;
65176 +}
65177 +
65178 +/* if tsk != current then task_lock must be held on it */
65179 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65180 +{
65181 + if (likely(tsk->mm)) {
65182 + tsk->mm->pax_flags = flags;
65183 + return 0;
65184 + }
65185 + return -EINVAL;
65186 +}
65187 +#endif
65188 +
65189 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65190 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
65191 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65192 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65193 +#endif
65194 +
65195 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65196 +extern void pax_report_insns(void *pc, void *sp);
65197 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
65198 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
65199 +
65200 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65201 +extern void pax_track_stack(void);
65202 +#else
65203 +static inline void pax_track_stack(void) {}
65204 +#endif
65205 +
65206 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65207 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
65208
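Review bot: The locking rule for `pax_get_flags()` and `pax_set_flags()` exists only as a comment (`if tsk != current then task_lock must be held on it`), and for `pax_get_flags()` that comment sits above the `#if` rather than on the function. Since these flags decide which memory protections apply to a process, an unlocked update from another task is worth catching in debug builds: `if (tsk != current) lockdep_assert_held(&tsk->alloc_lock);` at the top of both helpers would do that. Note also that `pax_get_flags()` returns `0UL` for a task without an `mm`, which a caller cannot tell apart from a task with every protection switched off, and that both helpers are absent when neither `CONFIG_PAX_NOEXEC` nor `CONFIG_PAX_ASLR` is set.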
65209 @@ -2009,7 +2101,9 @@ void yield(void);
65210 extern struct exec_domain default_exec_domain;
65211
65212 union thread_union {
65213 +#ifndef CONFIG_X86
65214 struct thread_info thread_info;
65215 +#endif
65216 unsigned long stack[THREAD_SIZE/sizeof(long)];
65217 };
65218
65219 @@ -2042,6 +2136,7 @@ extern struct pid_namespace init_pid_ns;
65220 */
65221
65222 extern struct task_struct *find_task_by_vpid(pid_t nr);
65223 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
65224 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
65225 struct pid_namespace *ns);
65226
65227 @@ -2179,7 +2274,7 @@ extern void __cleanup_sighand(struct sig
65228 extern void exit_itimers(struct signal_struct *);
65229 extern void flush_itimer_signals(void);
65230
65231 -extern NORET_TYPE void do_group_exit(int);
65232 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65233
65234 extern void daemonize(const char *, ...);
65235 extern int allow_signal(int);
65236 @@ -2320,13 +2415,17 @@ static inline unsigned long *end_of_stac
65237
65238 #endif
65239
65240 -static inline int object_is_on_stack(void *obj)
65241 +static inline int object_starts_on_stack(void *obj)
65242 {
65243 - void *stack = task_stack_page(current);
65244 + const void *stack = task_stack_page(current);
65245
65246 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
65247 }
65248
65249 +#ifdef CONFIG_PAX_USERCOPY
65250 +extern int object_is_on_stack(const void *obj, unsigned long len);
65251 +#endif
65252 +
65253 extern void thread_info_cache_init(void);
65254
65255 #ifdef CONFIG_DEBUG_STACK_USAGE
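Review bot: `object_is_on_stack` keeps its name but becomes a different function: the old one-argument inline is renamed `object_starts_on_stack()`, and the name now refers to a two-argument extern that exists only under `CONFIG_PAX_USERCOPY`. The new declaration does not say what its `int` result means; if it distinguishes more than yes/no (for instance fully on the stack, not on it, or straddling its bounds), that needs a comment, because a caller treating it as a boolean would accept the wrong case. `object_starts_on_stack()` could also take a const pointer to match, `static inline int object_starts_on_stack(const void *obj)`, as it only compares the address.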
65256 diff -urNp linux-2.6.39.3/include/linux/screen_info.h linux-2.6.39.3/include/linux/screen_info.h
65257 --- linux-2.6.39.3/include/linux/screen_info.h 2011-05-19 00:06:34.000000000 -0400
65258 +++ linux-2.6.39.3/include/linux/screen_info.h 2011-05-22 19:36:33.000000000 -0400
65259 @@ -43,7 +43,8 @@ struct screen_info {
65260 __u16 pages; /* 0x32 */
65261 __u16 vesa_attributes; /* 0x34 */
65262 __u32 capabilities; /* 0x36 */
65263 - __u8 _reserved[6]; /* 0x3a */
65264 + __u16 vesapm_size; /* 0x3a */
65265 + __u8 _reserved[4]; /* 0x3c */
65266 } __attribute__((packed));
65267
65268 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
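Review bot: `vesapm_size` is carved out of `_reserved` at offset 0x3a of a packed structure whose layout is shared with boot code, without a note on who fills it in. Bytes that another party considers reserved may arrive uninitialised or be given a different meaning later, so the consumer of `vesapm_size` should treat the value as untrusted and bound-check it before use. A comment on the field naming its producer and unit, e.g. `/* 0x3a: size of the VESA PM interface block, set by the boot code (confirm) */`, would record that contract. `struct screen_info` starts outside the hunk.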
65269 diff -urNp linux-2.6.39.3/include/linux/security.h linux-2.6.39.3/include/linux/security.h
65270 --- linux-2.6.39.3/include/linux/security.h 2011-05-19 00:06:34.000000000 -0400
65271 +++ linux-2.6.39.3/include/linux/security.h 2011-05-22 19:41:42.000000000 -0400
65272 @@ -36,6 +36,7 @@
65273 #include <linux/key.h>
65274 #include <linux/xfrm.h>
65275 #include <linux/slab.h>
65276 +#include <linux/grsecurity.h>
65277 #include <net/flow.h>
65278
65279 /* Maximum number of letters for an LSM name string */
65280 diff -urNp linux-2.6.39.3/include/linux/shm.h linux-2.6.39.3/include/linux/shm.h
65281 --- linux-2.6.39.3/include/linux/shm.h 2011-05-19 00:06:34.000000000 -0400
65282 +++ linux-2.6.39.3/include/linux/shm.h 2011-05-22 19:41:42.000000000 -0400
65283 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
65284 pid_t shm_cprid;
65285 pid_t shm_lprid;
65286 struct user_struct *mlock_user;
65287 +#ifdef CONFIG_GRKERNSEC
65288 + time_t shm_createtime;
65289 + pid_t shm_lapid;
65290 +#endif
65291 };
65292
65293 /* shm_mode upper byte flags */
65294 diff -urNp linux-2.6.39.3/include/linux/skbuff.h linux-2.6.39.3/include/linux/skbuff.h
65295 --- linux-2.6.39.3/include/linux/skbuff.h 2011-05-19 00:06:34.000000000 -0400
65296 +++ linux-2.6.39.3/include/linux/skbuff.h 2011-07-06 20:00:13.000000000 -0400
65297 @@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
65298 */
65299 static inline int skb_queue_empty(const struct sk_buff_head *list)
65300 {
65301 - return list->next == (struct sk_buff *)list;
65302 + return list->next == (const struct sk_buff *)list;
65303 }
65304
65305 /**
65306 @@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
65307 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
65308 const struct sk_buff *skb)
65309 {
65310 - return skb->next == (struct sk_buff *)list;
65311 + return skb->next == (const struct sk_buff *)list;
65312 }
65313
65314 /**
65315 @@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
65316 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
65317 const struct sk_buff *skb)
65318 {
65319 - return skb->prev == (struct sk_buff *)list;
65320 + return skb->prev == (const struct sk_buff *)list;
65321 }
65322
65323 /**
65324 @@ -1435,7 +1435,7 @@ static inline int pskb_network_may_pull(
65325 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
65326 */
65327 #ifndef NET_SKB_PAD
65328 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
65329 +#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
65330 #endif
65331
65332 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
65333 diff -urNp linux-2.6.39.3/include/linux/slab_def.h linux-2.6.39.3/include/linux/slab_def.h
65334 --- linux-2.6.39.3/include/linux/slab_def.h 2011-05-19 00:06:34.000000000 -0400
65335 +++ linux-2.6.39.3/include/linux/slab_def.h 2011-05-22 19:36:33.000000000 -0400
65336 @@ -96,10 +96,10 @@ struct kmem_cache {
65337 unsigned long node_allocs;
65338 unsigned long node_frees;
65339 unsigned long node_overflow;
65340 - atomic_t allochit;
65341 - atomic_t allocmiss;
65342 - atomic_t freehit;
65343 - atomic_t freemiss;
65344 + atomic_unchecked_t allochit;
65345 + atomic_unchecked_t allocmiss;
65346 + atomic_unchecked_t freehit;
65347 + atomic_unchecked_t freemiss;
65348
65349 /*
65350 * If debugging is enabled, then the allocator can add additional
65351 diff -urNp linux-2.6.39.3/include/linux/slab.h linux-2.6.39.3/include/linux/slab.h
65352 --- linux-2.6.39.3/include/linux/slab.h 2011-05-19 00:06:34.000000000 -0400
65353 +++ linux-2.6.39.3/include/linux/slab.h 2011-05-23 17:07:00.000000000 -0400
65354 @@ -11,12 +11,20 @@
65355
65356 #include <linux/gfp.h>
65357 #include <linux/types.h>
65358 +#include <linux/err.h>
65359
65360 /*
65361 * Flags to pass to kmem_cache_create().
65362 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
65363 */
65364 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
65365 +
65366 +#ifdef CONFIG_PAX_USERCOPY
65367 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
65368 +#else
65369 +#define SLAB_USERCOPY 0x00000000UL
65370 +#endif
65371 +
65372 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
65373 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
65374 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
65375 @@ -87,10 +95,13 @@
65376 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
65377 * Both make kfree a no-op.
65378 */
65379 -#define ZERO_SIZE_PTR ((void *)16)
65380 +#define ZERO_SIZE_PTR \
65381 +({ \
65382 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
65383 + (void *)(-MAX_ERRNO-1L); \
65384 +})
65385
65386 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
65387 - (unsigned long)ZERO_SIZE_PTR)
65388 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
65389
65390 /*
65391 * struct kmem_cache related prototypes
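Review bot: With the rewritten `ZERO_OR_NULL_PTR()` the test is true not only for NULL and `ZERO_SIZE_PTR` but for every value from `ZERO_SIZE_PTR` up to the top of the address space, which by the `MAX_ERRNO` arithmetic includes the whole error-pointer range; the comment above still describes only the first two. That looks intentional (an error pointer handed to a free routine is then ignored rather than dereferenced), but it should be written down, e.g. `/* true for NULL, ZERO_SIZE_PTR and any ERR_PTR() value */`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer appear in a static initializer or other constant expression; moving the `BUILD_BUG_ON` into a function would let the macro stay a plain constant.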
65392 @@ -141,6 +152,7 @@ void * __must_check krealloc(const void
65393 void kfree(const void *);
65394 void kzfree(const void *);
65395 size_t ksize(const void *);
65396 +void check_object_size(const void *ptr, unsigned long n, bool to);
65397
65398 /*
65399 * Allocator specific definitions. These are mainly used to establish optimized
65400 @@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
65401
65402 void __init kmem_cache_init_late(void);
65403
65404 +#define kmalloc(x, y) \
65405 +({ \
65406 + void *___retval; \
65407 + intoverflow_t ___x = (intoverflow_t)x; \
65408 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
65409 + ___retval = NULL; \
65410 + else \
65411 + ___retval = kmalloc((size_t)___x, (y)); \
65412 + ___retval; \
65413 +})
65414 +
65415 +#define kmalloc_node(x, y, z) \
65416 +({ \
65417 + void *___retval; \
65418 + intoverflow_t ___x = (intoverflow_t)x; \
65419 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
65420 + ___retval = NULL; \
65421 + else \
65422 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
65423 + ___retval; \
65424 +})
65425 +
65426 +#define kzalloc(x, y) \
65427 +({ \
65428 + void *___retval; \
65429 + intoverflow_t ___x = (intoverflow_t)x; \
65430 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
65431 + ___retval = NULL; \
65432 + else \
65433 + ___retval = kzalloc((size_t)___x, (y)); \
65434 + ___retval; \
65435 +})
65436 +
65437 +#define __krealloc(x, y, z) \
65438 +({ \
65439 + void *___retval; \
65440 + intoverflow_t ___y = (intoverflow_t)y; \
65441 + if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
65442 + ___retval = NULL; \
65443 + else \
65444 + ___retval = __krealloc((x), (size_t)___y, (z)); \
65445 + ___retval; \
65446 +})
65447 +
65448 +#define krealloc(x, y, z) \
65449 +({ \
65450 + void *___retval; \
65451 + intoverflow_t ___y = (intoverflow_t)y; \
65452 + if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
65453 + ___retval = NULL; \
65454 + else \
65455 + ___retval = krealloc((x), (size_t)___y, (z)); \
65456 + ___retval; \
65457 +})
65458 +
65459 #endif /* _LINUX_SLAB_H */
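Review bot: The overflow check in these wrappers depends on the size argument not being parenthesised in `(intoverflow_t)x`, and nothing says so. The cast binds to the first operand of the caller's expression, so `n * sizeof(*p)` is evaluated in the wider type and a wrap becomes visible, but an argument such as `hdr + n * sizeof(*p)` still multiplies in `size_t` and wraps before the check sees it. A comment above the first macro should state this limitation, for example `/* size is deliberately not parenthesised: the cast must apply before the caller's multiplication */`. It should also note that the test can only fire where `intoverflow_t` is wider than `unsigned long`; its definition is not in this hunk. The five bodies are identical apart from the name and the position of the size argument and could be generated from one helper macro.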
65460 diff -urNp linux-2.6.39.3/include/linux/slub_def.h linux-2.6.39.3/include/linux/slub_def.h
65461 --- linux-2.6.39.3/include/linux/slub_def.h 2011-05-19 00:06:34.000000000 -0400
65462 +++ linux-2.6.39.3/include/linux/slub_def.h 2011-05-22 19:36:33.000000000 -0400
65463 @@ -84,7 +84,7 @@ struct kmem_cache {
65464 struct kmem_cache_order_objects max;
65465 struct kmem_cache_order_objects min;
65466 gfp_t allocflags; /* gfp flags to use on each alloc */
65467 - int refcount; /* Refcount for slab cache destroy */
65468 + atomic_t refcount; /* Refcount for slab cache destroy */
65469 void (*ctor)(void *);
65470 int inuse; /* Offset to metadata */
65471 int align; /* Alignment */
65472 diff -urNp linux-2.6.39.3/include/linux/sonet.h linux-2.6.39.3/include/linux/sonet.h
65473 --- linux-2.6.39.3/include/linux/sonet.h 2011-05-19 00:06:34.000000000 -0400
65474 +++ linux-2.6.39.3/include/linux/sonet.h 2011-05-22 19:36:33.000000000 -0400
65475 @@ -61,7 +61,7 @@ struct sonet_stats {
65476 #include <asm/atomic.h>
65477
65478 struct k_sonet_stats {
65479 -#define __HANDLE_ITEM(i) atomic_t i
65480 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
65481 __SONET_ITEMS
65482 #undef __HANDLE_ITEM
65483 };
65484 diff -urNp linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h
65485 --- linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-19 00:06:34.000000000 -0400
65486 +++ linux-2.6.39.3/include/linux/ssb/ssb_driver_gige.h 2011-05-22 19:36:33.000000000 -0400
65487 @@ -44,7 +44,7 @@ struct ssb_gige {
65488
65489 /* The PCI controller device. */
65490 struct pci_controller pci_controller;
65491 - struct pci_ops pci_ops;
65492 + const struct pci_ops pci_ops;
65493 struct resource mem_resource;
65494 struct resource io_resource;
65495 };
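Review bot: Qualifying the embedded member as `const struct pci_ops pci_ops;` does not by itself make the callbacks read-only, because the table is stored by value inside struct ssb_gige, which presumably lives in ordinary writable memory. Whatever code fills the member in now needs a cast to do so; that initialisation site is outside this hunk and should be checked. If the callbacks are fixed at build time, a `static const struct pci_ops` reached through a `const struct pci_ops *` member would put the table in read-only data instead. The same applies to `const struct iotg_ulpi_access_ops ulpi_ops;` in the intel_mid_otg.h hunk.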
65496 diff -urNp linux-2.6.39.3/include/linux/sunrpc/clnt.h linux-2.6.39.3/include/linux/sunrpc/clnt.h
65497 --- linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-19 00:06:34.000000000 -0400
65498 +++ linux-2.6.39.3/include/linux/sunrpc/clnt.h 2011-05-22 19:36:33.000000000 -0400
65499 @@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
65500 {
65501 switch (sap->sa_family) {
65502 case AF_INET:
65503 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
65504 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
65505 case AF_INET6:
65506 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
65507 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
65508 }
65509 return 0;
65510 }
65511 @@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
65512 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
65513 const struct sockaddr *src)
65514 {
65515 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
65516 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
65517 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
65518
65519 dsin->sin_family = ssin->sin_family;
65520 @@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
65521 if (sa->sa_family != AF_INET6)
65522 return 0;
65523
65524 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
65525 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
65526 }
65527
65528 #endif /* __KERNEL__ */
65529 diff -urNp linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h
65530 --- linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-19 00:06:34.000000000 -0400
65531 +++ linux-2.6.39.3/include/linux/sunrpc/svc_rdma.h 2011-05-22 19:36:33.000000000 -0400
65532 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
65533 extern unsigned int svcrdma_max_requests;
65534 extern unsigned int svcrdma_max_req_size;
65535
65536 -extern atomic_t rdma_stat_recv;
65537 -extern atomic_t rdma_stat_read;
65538 -extern atomic_t rdma_stat_write;
65539 -extern atomic_t rdma_stat_sq_starve;
65540 -extern atomic_t rdma_stat_rq_starve;
65541 -extern atomic_t rdma_stat_rq_poll;
65542 -extern atomic_t rdma_stat_rq_prod;
65543 -extern atomic_t rdma_stat_sq_poll;
65544 -extern atomic_t rdma_stat_sq_prod;
65545 +extern atomic_unchecked_t rdma_stat_recv;
65546 +extern atomic_unchecked_t rdma_stat_read;
65547 +extern atomic_unchecked_t rdma_stat_write;
65548 +extern atomic_unchecked_t rdma_stat_sq_starve;
65549 +extern atomic_unchecked_t rdma_stat_rq_starve;
65550 +extern atomic_unchecked_t rdma_stat_rq_poll;
65551 +extern atomic_unchecked_t rdma_stat_rq_prod;
65552 +extern atomic_unchecked_t rdma_stat_sq_poll;
65553 +extern atomic_unchecked_t rdma_stat_sq_prod;
65554
65555 #define RPCRDMA_VERSION 1
65556
65557 diff -urNp linux-2.6.39.3/include/linux/suspend.h linux-2.6.39.3/include/linux/suspend.h
65558 --- linux-2.6.39.3/include/linux/suspend.h 2011-05-19 00:06:34.000000000 -0400
65559 +++ linux-2.6.39.3/include/linux/suspend.h 2011-05-22 19:36:33.000000000 -0400
65560 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
65561 * which require special recovery actions in that situation.
65562 */
65563 struct platform_suspend_ops {
65564 - int (*valid)(suspend_state_t state);
65565 - int (*begin)(suspend_state_t state);
65566 - int (*prepare)(void);
65567 - int (*prepare_late)(void);
65568 - int (*enter)(suspend_state_t state);
65569 - void (*wake)(void);
65570 - void (*finish)(void);
65571 - void (*end)(void);
65572 - void (*recover)(void);
65573 + int (* const valid)(suspend_state_t state);
65574 + int (* const begin)(suspend_state_t state);
65575 + int (* const prepare)(void);
65576 + int (* const prepare_late)(void);
65577 + int (* const enter)(suspend_state_t state);
65578 + void (* const wake)(void);
65579 + void (* const finish)(void);
65580 + void (* const end)(void);
65581 + void (* const recover)(void);
65582 };
65583
65584 #ifdef CONFIG_SUSPEND
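Review bot: The `* const` qualifier added to every callback in struct platform_suspend_ops means an instance can only be populated by an initializer, never by later field assignment, and nothing in the struct says so. I would add above the members `/* All callbacks are const: define instances with designated initializers, do not assign fields at run time. */`, so a driver author who hits the resulting compile error knows the restriction is intentional. The existing kernel-doc comment for the struct begins above this hunk and is the natural place for it. The same note applies to platform_hibernation_ops in the next hunk and to the sysfs_ops and neigh_ops hunks in sysfs.h and neighbour.h.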
65585 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
65586 * platforms which require special recovery actions in that situation.
65587 */
65588 struct platform_hibernation_ops {
65589 - int (*begin)(void);
65590 - void (*end)(void);
65591 - int (*pre_snapshot)(void);
65592 - void (*finish)(void);
65593 - int (*prepare)(void);
65594 - int (*enter)(void);
65595 - void (*leave)(void);
65596 - int (*pre_restore)(void);
65597 - void (*restore_cleanup)(void);
65598 - void (*recover)(void);
65599 + int (* const begin)(void);
65600 + void (* const end)(void);
65601 + int (* const pre_snapshot)(void);
65602 + void (* const finish)(void);
65603 + int (* const prepare)(void);
65604 + int (* const enter)(void);
65605 + void (* const leave)(void);
65606 + int (* const pre_restore)(void);
65607 + void (* const restore_cleanup)(void);
65608 + void (* const recover)(void);
65609 };
65610
65611 #ifdef CONFIG_HIBERNATION
65612 diff -urNp linux-2.6.39.3/include/linux/sysctl.h linux-2.6.39.3/include/linux/sysctl.h
65613 --- linux-2.6.39.3/include/linux/sysctl.h 2011-05-19 00:06:34.000000000 -0400
65614 +++ linux-2.6.39.3/include/linux/sysctl.h 2011-05-22 19:41:42.000000000 -0400
65615 @@ -155,7 +155,11 @@ enum
65616 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
65617 };
65618
65619 -
65620 +#ifdef CONFIG_PAX_SOFTMODE
65621 +enum {
65622 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65623 +};
65624 +#endif
65625
65626 /* CTL_VM names: */
65627 enum
65628 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
65629
65630 extern int proc_dostring(struct ctl_table *, int,
65631 void __user *, size_t *, loff_t *);
65632 +extern int proc_dostring_modpriv(struct ctl_table *, int,
65633 + void __user *, size_t *, loff_t *);
65634 extern int proc_dointvec(struct ctl_table *, int,
65635 void __user *, size_t *, loff_t *);
65636 extern int proc_dointvec_minmax(struct ctl_table *, int,
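Review bot: `proc_dostring_modpriv` is declared next to `proc_dostring` with an identical signature and nothing that says how the two differ. Judging only by the name it presumably applies an extra privilege check, but its definition is outside this hunk, so a reader of the header cannot tell. A one-line comment above the declaration should state which check it performs and which sysctl entries are expected to use it. Otherwise a new entry that needs the stricter handler can be wired to plain `proc_dostring` by mistake.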
65637 diff -urNp linux-2.6.39.3/include/linux/sysfs.h linux-2.6.39.3/include/linux/sysfs.h
65638 --- linux-2.6.39.3/include/linux/sysfs.h 2011-05-19 00:06:34.000000000 -0400
65639 +++ linux-2.6.39.3/include/linux/sysfs.h 2011-05-22 19:36:33.000000000 -0400
65640 @@ -110,8 +110,8 @@ struct bin_attribute {
65641 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
65642
65643 struct sysfs_ops {
65644 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
65645 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
65646 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
65647 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
65648 };
65649
65650 struct sysfs_dirent;
65651 diff -urNp linux-2.6.39.3/include/linux/tty.h linux-2.6.39.3/include/linux/tty.h
65652 --- linux-2.6.39.3/include/linux/tty.h 2011-05-19 00:06:34.000000000 -0400
65653 +++ linux-2.6.39.3/include/linux/tty.h 2011-05-22 19:36:33.000000000 -0400
65654 @@ -13,6 +13,7 @@
65655 #include <linux/tty_driver.h>
65656 #include <linux/tty_ldisc.h>
65657 #include <linux/mutex.h>
65658 +#include <linux/poll.h>
65659
65660 #include <asm/system.h>
65661
65662 @@ -466,7 +467,6 @@ extern int tty_perform_flush(struct tty_
65663 extern dev_t tty_devnum(struct tty_struct *tty);
65664 extern void proc_clear_tty(struct task_struct *p);
65665 extern struct tty_struct *get_current_tty(void);
65666 -extern void tty_default_fops(struct file_operations *fops);
65667 extern struct tty_struct *alloc_tty_struct(void);
65668 extern int tty_add_file(struct tty_struct *tty, struct file *file);
65669 extern void free_tty_struct(struct tty_struct *tty);
65670 @@ -529,6 +529,18 @@ extern void tty_ldisc_begin(void);
65671 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
65672 extern void tty_ldisc_enable(struct tty_struct *tty);
65673
65674 +/* tty_io.c */
65675 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
65676 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
65677 +extern unsigned int tty_poll(struct file *, poll_table *);
65678 +#ifdef CONFIG_COMPAT
65679 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
65680 + unsigned long arg);
65681 +#else
65682 +#define tty_compat_ioctl NULL
65683 +#endif
65684 +extern int tty_release(struct inode *, struct file *);
65685 +extern int tty_fasync(int fd, struct file *filp, int on);
65686
65687 /* n_tty.c */
65688 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
65689 diff -urNp linux-2.6.39.3/include/linux/tty_ldisc.h linux-2.6.39.3/include/linux/tty_ldisc.h
65690 --- linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-19 00:06:34.000000000 -0400
65691 +++ linux-2.6.39.3/include/linux/tty_ldisc.h 2011-05-22 19:36:33.000000000 -0400
65692 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
65693
65694 struct module *owner;
65695
65696 - int refcount;
65697 + atomic_t refcount;
65698 };
65699
65700 struct tty_ldisc {
65701 diff -urNp linux-2.6.39.3/include/linux/types.h linux-2.6.39.3/include/linux/types.h
65702 --- linux-2.6.39.3/include/linux/types.h 2011-05-19 00:06:34.000000000 -0400
65703 +++ linux-2.6.39.3/include/linux/types.h 2011-05-22 19:36:33.000000000 -0400
65704 @@ -213,10 +213,26 @@ typedef struct {
65705 int counter;
65706 } atomic_t;
65707
65708 +#ifdef CONFIG_PAX_REFCOUNT
65709 +typedef struct {
65710 + int counter;
65711 +} atomic_unchecked_t;
65712 +#else
65713 +typedef atomic_t atomic_unchecked_t;
65714 +#endif
65715 +
65716 #ifdef CONFIG_64BIT
65717 typedef struct {
65718 long counter;
65719 } atomic64_t;
65720 +
65721 +#ifdef CONFIG_PAX_REFCOUNT
65722 +typedef struct {
65723 + long counter;
65724 +} atomic64_unchecked_t;
65725 +#else
65726 +typedef atomic64_t atomic64_unchecked_t;
65727 +#endif
65728 #endif
65729
65730 struct list_head {
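Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment saying when a counter should use them instead of `atomic_t`. Under CONFIG_PAX_REFCOUNT they are distinct struct types, and other hunks in this patch apply them to statistics and sequence values such as `rdma_stat_recv` and `ip_id_count`, which suggests they are meant for counters that may wrap harmlessly. I would state that above the first typedef, for example `/* For counters where wraparound is harmless (statistics, IDs); never for reference counts. */`. As written, `atomic64_unchecked_t` is only defined inside the CONFIG_64BIT block.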
65731 diff -urNp linux-2.6.39.3/include/linux/uaccess.h linux-2.6.39.3/include/linux/uaccess.h
65732 --- linux-2.6.39.3/include/linux/uaccess.h 2011-05-19 00:06:34.000000000 -0400
65733 +++ linux-2.6.39.3/include/linux/uaccess.h 2011-05-22 19:36:33.000000000 -0400
65734 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65735 long ret; \
65736 mm_segment_t old_fs = get_fs(); \
65737 \
65738 - set_fs(KERNEL_DS); \
65739 pagefault_disable(); \
65740 + set_fs(KERNEL_DS); \
65741 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
65742 - pagefault_enable(); \
65743 set_fs(old_fs); \
65744 + pagefault_enable(); \
65745 ret; \
65746 })
65747
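Review bot: Nothing in the macro records that the statement order now matters. The reordering nests the `set_fs(KERNEL_DS)` … `set_fs(old_fs)` pair inside `pagefault_disable()` … `pagefault_enable()`, presumably so the widened address limit is in effect for the shortest possible span. I would add `/* keep the KERNEL_DS window inside the pagefault-disabled region */` before `pagefault_disable();` so a later cleanup does not swap the calls back. The macro's header and its kernel-doc comment are above this hunk.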
65748 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
65749 * Safely read from address @src to the buffer at @dst. If a kernel fault
65750 * happens, handle that and return -EFAULT.
65751 */
65752 -extern long probe_kernel_read(void *dst, void *src, size_t size);
65753 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
65754 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
65755 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
65756
65757 /*
65758 * probe_kernel_write(): safely attempt to write to a location
65759 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
65760 * Safely write to address @dst from the buffer at @src. If a kernel fault
65761 * happens, handle that and return -EFAULT.
65762 */
65763 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
65764 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
65765 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
65766 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
65767
65768 #endif /* __LINUX_UACCESS_H__ */
65769 diff -urNp linux-2.6.39.3/include/linux/unaligned/access_ok.h linux-2.6.39.3/include/linux/unaligned/access_ok.h
65770 --- linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-19 00:06:34.000000000 -0400
65771 +++ linux-2.6.39.3/include/linux/unaligned/access_ok.h 2011-05-22 19:36:33.000000000 -0400
65772 @@ -6,32 +6,32 @@
65773
65774 static inline u16 get_unaligned_le16(const void *p)
65775 {
65776 - return le16_to_cpup((__le16 *)p);
65777 + return le16_to_cpup((const __le16 *)p);
65778 }
65779
65780 static inline u32 get_unaligned_le32(const void *p)
65781 {
65782 - return le32_to_cpup((__le32 *)p);
65783 + return le32_to_cpup((const __le32 *)p);
65784 }
65785
65786 static inline u64 get_unaligned_le64(const void *p)
65787 {
65788 - return le64_to_cpup((__le64 *)p);
65789 + return le64_to_cpup((const __le64 *)p);
65790 }
65791
65792 static inline u16 get_unaligned_be16(const void *p)
65793 {
65794 - return be16_to_cpup((__be16 *)p);
65795 + return be16_to_cpup((const __be16 *)p);
65796 }
65797
65798 static inline u32 get_unaligned_be32(const void *p)
65799 {
65800 - return be32_to_cpup((__be32 *)p);
65801 + return be32_to_cpup((const __be32 *)p);
65802 }
65803
65804 static inline u64 get_unaligned_be64(const void *p)
65805 {
65806 - return be64_to_cpup((__be64 *)p);
65807 + return be64_to_cpup((const __be64 *)p);
65808 }
65809
65810 static inline void put_unaligned_le16(u16 val, void *p)
65811 diff -urNp linux-2.6.39.3/include/linux/usb/hcd.h linux-2.6.39.3/include/linux/usb/hcd.h
65812 --- linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-19 00:06:34.000000000 -0400
65813 +++ linux-2.6.39.3/include/linux/usb/hcd.h 2011-05-22 19:36:33.000000000 -0400
65814 @@ -615,7 +615,7 @@ struct usb_mon_operations {
65815 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
65816 };
65817
65818 -extern struct usb_mon_operations *mon_ops;
65819 +extern const struct usb_mon_operations *mon_ops;
65820
65821 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
65822 {
65823 @@ -637,7 +637,7 @@ static inline void usbmon_urb_complete(s
65824 (*mon_ops->urb_complete)(bus, urb, status);
65825 }
65826
65827 -int usb_mon_register(struct usb_mon_operations *ops);
65828 +int usb_mon_register(const struct usb_mon_operations *ops);
65829 void usb_mon_deregister(void);
65830
65831 #else
65832 diff -urNp linux-2.6.39.3/include/linux/usb/intel_mid_otg.h linux-2.6.39.3/include/linux/usb/intel_mid_otg.h
65833 --- linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-19 00:06:34.000000000 -0400
65834 +++ linux-2.6.39.3/include/linux/usb/intel_mid_otg.h 2011-05-22 19:36:33.000000000 -0400
65835 @@ -115,7 +115,7 @@ struct intel_mid_otg_xceiv {
65836 void __iomem *base;
65837
65838 /* ops to access ulpi */
65839 - struct iotg_ulpi_access_ops ulpi_ops;
65840 + const struct iotg_ulpi_access_ops ulpi_ops;
65841
65842 /* atomic notifier for interrupt context */
65843 struct atomic_notifier_head iotg_notifier;
65844 diff -urNp linux-2.6.39.3/include/linux/usb/ulpi.h linux-2.6.39.3/include/linux/usb/ulpi.h
65845 --- linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-19 00:06:34.000000000 -0400
65846 +++ linux-2.6.39.3/include/linux/usb/ulpi.h 2011-05-22 19:36:33.000000000 -0400
65847 @@ -186,7 +186,7 @@ struct otg_transceiver *otg_ulpi_create(
65848
65849 #ifdef CONFIG_USB_ULPI_VIEWPORT
65850 /* access ops for controllers with a viewport register */
65851 -extern struct otg_io_access_ops ulpi_viewport_access_ops;
65852 +extern const struct otg_io_access_ops ulpi_viewport_access_ops;
65853 #endif
65854
65855 #endif /* __LINUX_USB_ULPI_H */
65856 diff -urNp linux-2.6.39.3/include/linux/vga_switcheroo.h linux-2.6.39.3/include/linux/vga_switcheroo.h
65857 --- linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-19 00:06:34.000000000 -0400
65858 +++ linux-2.6.39.3/include/linux/vga_switcheroo.h 2011-05-22 19:36:33.000000000 -0400
65859 @@ -39,7 +39,7 @@ int vga_switcheroo_register_client(struc
65860 void vga_switcheroo_client_fb_set(struct pci_dev *dev,
65861 struct fb_info *info);
65862
65863 -int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler);
65864 +int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler);
65865 void vga_switcheroo_unregister_handler(void);
65866
65867 int vga_switcheroo_process_delayed_switch(void);
65868 @@ -52,7 +52,7 @@ static inline int vga_switcheroo_registe
65869 void (*reprobe)(struct pci_dev *dev),
65870 bool (*can_switch)(struct pci_dev *dev)) { return 0; }
65871 static inline void vga_switcheroo_client_fb_set(struct pci_dev *dev, struct fb_info *info) {}
65872 -static inline int vga_switcheroo_register_handler(struct vga_switcheroo_handler *handler) { return 0; }
65873 +static inline int vga_switcheroo_register_handler(const struct vga_switcheroo_handler *handler) { return 0; }
65874 static inline void vga_switcheroo_unregister_handler(void) {}
65875 static inline int vga_switcheroo_process_delayed_switch(void) { return 0; }
65876
65877 diff -urNp linux-2.6.39.3/include/linux/virtio.h linux-2.6.39.3/include/linux/virtio.h
65878 --- linux-2.6.39.3/include/linux/virtio.h 2011-05-19 00:06:34.000000000 -0400
65879 +++ linux-2.6.39.3/include/linux/virtio.h 2011-05-22 19:36:33.000000000 -0400
65880 @@ -102,7 +102,7 @@ struct virtio_device {
65881 int index;
65882 struct device dev;
65883 struct virtio_device_id id;
65884 - struct virtio_config_ops *config;
65885 + const struct virtio_config_ops *config;
65886 struct list_head vqs;
65887 /* Note that this is a Linux set_bit-style bitmap. */
65888 unsigned long features[1];
65889 diff -urNp linux-2.6.39.3/include/linux/vmalloc.h linux-2.6.39.3/include/linux/vmalloc.h
65890 --- linux-2.6.39.3/include/linux/vmalloc.h 2011-05-19 00:06:34.000000000 -0400
65891 +++ linux-2.6.39.3/include/linux/vmalloc.h 2011-05-22 19:36:33.000000000 -0400
65892 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
65893 #define VM_MAP 0x00000004 /* vmap()ed pages */
65894 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
65895 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
65896 +
65897 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65898 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
65899 +#endif
65900 +
65901 /* bits [20..32] reserved for arch specific ioremap internals */
65902
65903 /*
65904 @@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
65905 # endif
65906 #endif
65907
65908 +#define vmalloc(x) \
65909 +({ \
65910 + void *___retval; \
65911 + intoverflow_t ___x = (intoverflow_t)x; \
65912 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
65913 + ___retval = NULL; \
65914 + else \
65915 + ___retval = vmalloc((unsigned long)___x); \
65916 + ___retval; \
65917 +})
65918 +
65919 +#define vzalloc(x) \
65920 +({ \
65921 + void *___retval; \
65922 + intoverflow_t ___x = (intoverflow_t)x; \
65923 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
65924 + ___retval = NULL; \
65925 + else \
65926 + ___retval = vzalloc((unsigned long)___x); \
65927 + ___retval; \
65928 +})
65929 +
65930 +#define __vmalloc(x, y, z) \
65931 +({ \
65932 + void *___retval; \
65933 + intoverflow_t ___x = (intoverflow_t)x; \
65934 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
65935 + ___retval = NULL; \
65936 + else \
65937 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
65938 + ___retval; \
65939 +})
65940 +
65941 +#define vmalloc_user(x) \
65942 +({ \
65943 + void *___retval; \
65944 + intoverflow_t ___x = (intoverflow_t)x; \
65945 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
65946 + ___retval = NULL; \
65947 + else \
65948 + ___retval = vmalloc_user((unsigned long)___x); \
65949 + ___retval; \
65950 +})
65951 +
65952 +#define vmalloc_exec(x) \
65953 +({ \
65954 + void *___retval; \
65955 + intoverflow_t ___x = (intoverflow_t)x; \
65956 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
65957 + ___retval = NULL; \
65958 + else \
65959 + ___retval = vmalloc_exec((unsigned long)___x); \
65960 + ___retval; \
65961 +})
65962 +
65963 +#define vmalloc_node(x, y) \
65964 +({ \
65965 + void *___retval; \
65966 + intoverflow_t ___x = (intoverflow_t)x; \
65967 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
65968 + ___retval = NULL; \
65969 + else \
65970 + ___retval = vmalloc_node((unsigned long)___x, (y));\
65971 + ___retval; \
65972 +})
65973 +
65974 +#define vzalloc_node(x, y) \
65975 +({ \
65976 + void *___retval; \
65977 + intoverflow_t ___x = (intoverflow_t)x; \
65978 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
65979 + ___retval = NULL; \
65980 + else \
65981 + ___retval = vzalloc_node((unsigned long)___x, (y));\
65982 + ___retval; \
65983 +})
65984 +
65985 +#define vmalloc_32(x) \
65986 +({ \
65987 + void *___retval; \
65988 + intoverflow_t ___x = (intoverflow_t)x; \
65989 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
65990 + ___retval = NULL; \
65991 + else \
65992 + ___retval = vmalloc_32((unsigned long)___x); \
65993 + ___retval; \
65994 +})
65995 +
65996 +#define vmalloc_32_user(x) \
65997 +({ \
65998 +void *___retval; \
65999 + intoverflow_t ___x = (intoverflow_t)x; \
66000 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
66001 + ___retval = NULL; \
66002 + else \
66003 + ___retval = vmalloc_32_user((unsigned long)___x);\
66004 + ___retval; \
66005 +})
66006 +
66007 #endif /* _LINUX_VMALLOC_H */
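Review bot: Each wrapper uses the size argument as `(intoverflow_t)x` without parentheses while `(y)` and `(z)` are parenthesized, so for a call such as `vmalloc(n * size)` the cast binds to `n` alone. That looks deliberate, since it makes the product evaluate in the wider type so the `> ULONG_MAX` test can see the overflow. However, a size expression whose first operand is not part of the overflowing operation (`a + b * c`) is still computed in the narrow type and passes the check. A comment above the first macro should record this, e.g. `/* x is deliberately unparenthesized: the cast must widen the first operand of the size expression */`. It should also say what happens where intoverflow_t (defined outside this hunk) is no wider than unsigned long; separately, `void *___retval;` in vmalloc_32_user is missing its leading tab.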
66008 diff -urNp linux-2.6.39.3/include/linux/vmstat.h linux-2.6.39.3/include/linux/vmstat.h
66009 --- linux-2.6.39.3/include/linux/vmstat.h 2011-05-19 00:06:34.000000000 -0400
66010 +++ linux-2.6.39.3/include/linux/vmstat.h 2011-05-22 19:36:33.000000000 -0400
66011 @@ -147,18 +147,18 @@ static inline void vm_events_fold_cpu(in
66012 /*
66013 * Zone based page accounting with per cpu differentials.
66014 */
66015 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66016 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66017
66018 static inline void zone_page_state_add(long x, struct zone *zone,
66019 enum zone_stat_item item)
66020 {
66021 - atomic_long_add(x, &zone->vm_stat[item]);
66022 - atomic_long_add(x, &vm_stat[item]);
66023 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
66024 + atomic_long_add_unchecked(x, &vm_stat[item]);
66025 }
66026
66027 static inline unsigned long global_page_state(enum zone_stat_item item)
66028 {
66029 - long x = atomic_long_read(&vm_stat[item]);
66030 + long x = atomic_long_read_unchecked(&vm_stat[item]);
66031 #ifdef CONFIG_SMP
66032 if (x < 0)
66033 x = 0;
66034 @@ -169,7 +169,7 @@ static inline unsigned long global_page_
66035 static inline unsigned long zone_page_state(struct zone *zone,
66036 enum zone_stat_item item)
66037 {
66038 - long x = atomic_long_read(&zone->vm_stat[item]);
66039 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66040 #ifdef CONFIG_SMP
66041 if (x < 0)
66042 x = 0;
66043 @@ -186,7 +186,7 @@ static inline unsigned long zone_page_st
66044 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
66045 enum zone_stat_item item)
66046 {
66047 - long x = atomic_long_read(&zone->vm_stat[item]);
66048 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66049
66050 #ifdef CONFIG_SMP
66051 int cpu;
66052 @@ -280,8 +280,8 @@ static inline void __mod_zone_page_state
66053
66054 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
66055 {
66056 - atomic_long_inc(&zone->vm_stat[item]);
66057 - atomic_long_inc(&vm_stat[item]);
66058 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
66059 + atomic_long_inc_unchecked(&vm_stat[item]);
66060 }
66061
66062 static inline void __inc_zone_page_state(struct page *page,
66063 @@ -292,8 +292,8 @@ static inline void __inc_zone_page_state
66064
66065 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
66066 {
66067 - atomic_long_dec(&zone->vm_stat[item]);
66068 - atomic_long_dec(&vm_stat[item]);
66069 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
66070 + atomic_long_dec_unchecked(&vm_stat[item]);
66071 }
66072
66073 static inline void __dec_zone_page_state(struct page *page,
66074 diff -urNp linux-2.6.39.3/include/media/saa7146_vv.h linux-2.6.39.3/include/media/saa7146_vv.h
66075 --- linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-19 00:06:34.000000000 -0400
66076 +++ linux-2.6.39.3/include/media/saa7146_vv.h 2011-05-22 19:36:33.000000000 -0400
66077 @@ -202,13 +202,13 @@ void saa7146_set_gpio(struct saa7146_dev
66078
66079 /* from saa7146_video.c */
66080 extern const struct v4l2_ioctl_ops saa7146_video_ioctl_ops;
66081 -extern struct saa7146_use_ops saa7146_video_uops;
66082 +extern const struct saa7146_use_ops saa7146_video_uops;
66083 int saa7146_start_preview(struct saa7146_fh *fh);
66084 int saa7146_stop_preview(struct saa7146_fh *fh);
66085 long saa7146_video_do_ioctl(struct file *file, unsigned int cmd, void *arg);
66086
66087 /* from saa7146_vbi.c */
66088 -extern struct saa7146_use_ops saa7146_vbi_uops;
66089 +extern const struct saa7146_use_ops saa7146_vbi_uops;
66090
66091 /* resource management functions */
66092 int saa7146_res_get(struct saa7146_fh *fh, unsigned int bit);
66093 diff -urNp linux-2.6.39.3/include/media/v4l2-device.h linux-2.6.39.3/include/media/v4l2-device.h
66094 --- linux-2.6.39.3/include/media/v4l2-device.h 2011-05-19 00:06:34.000000000 -0400
66095 +++ linux-2.6.39.3/include/media/v4l2-device.h 2011-05-22 19:36:33.000000000 -0400
66096 @@ -95,7 +95,7 @@ int __must_check v4l2_device_register(st
66097 this function returns 0. If the name ends with a digit (e.g. cx18),
66098 then the name will be set to cx18-0 since cx180 looks really odd. */
66099 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
66100 - atomic_t *instance);
66101 + atomic_unchecked_t *instance);
66102
66103 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
66104 Since the parent disappears this ensures that v4l2_dev doesn't have an
66105 diff -urNp linux-2.6.39.3/include/net/caif/cfctrl.h linux-2.6.39.3/include/net/caif/cfctrl.h
66106 --- linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-19 00:06:34.000000000 -0400
66107 +++ linux-2.6.39.3/include/net/caif/cfctrl.h 2011-05-22 19:36:33.000000000 -0400
66108 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
66109 struct cfctrl {
66110 struct cfsrvl serv;
66111 struct cfctrl_rsp res;
66112 - atomic_t req_seq_no;
66113 - atomic_t rsp_seq_no;
66114 + atomic_unchecked_t req_seq_no;
66115 + atomic_unchecked_t rsp_seq_no;
66116 struct list_head list;
66117 /* Protects from simultaneous access to first_req list */
66118 spinlock_t info_list_lock;
66119 diff -urNp linux-2.6.39.3/include/net/flow.h linux-2.6.39.3/include/net/flow.h
66120 --- linux-2.6.39.3/include/net/flow.h 2011-05-19 00:06:34.000000000 -0400
66121 +++ linux-2.6.39.3/include/net/flow.h 2011-05-22 19:36:33.000000000 -0400
66122 @@ -167,6 +167,6 @@ extern struct flow_cache_object *flow_ca
66123 u8 dir, flow_resolve_t resolver, void *ctx);
66124
66125 extern void flow_cache_flush(void);
66126 -extern atomic_t flow_cache_genid;
66127 +extern atomic_unchecked_t flow_cache_genid;
66128
66129 #endif
66130 diff -urNp linux-2.6.39.3/include/net/inetpeer.h linux-2.6.39.3/include/net/inetpeer.h
66131 --- linux-2.6.39.3/include/net/inetpeer.h 2011-05-19 00:06:34.000000000 -0400
66132 +++ linux-2.6.39.3/include/net/inetpeer.h 2011-05-22 19:36:33.000000000 -0400
66133 @@ -43,8 +43,8 @@ struct inet_peer {
66134 */
66135 union {
66136 struct {
66137 - atomic_t rid; /* Frag reception counter */
66138 - atomic_t ip_id_count; /* IP ID for the next packet */
66139 + atomic_unchecked_t rid; /* Frag reception counter */
66140 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
66141 __u32 tcp_ts;
66142 __u32 tcp_ts_stamp;
66143 u32 metrics[RTAX_MAX];
66144 @@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
66145 {
66146 more++;
66147 inet_peer_refcheck(p);
66148 - return atomic_add_return(more, &p->ip_id_count) - more;
66149 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
66150 }
66151
66152 #endif /* _NET_INETPEER_H */
66153 diff -urNp linux-2.6.39.3/include/net/ip_fib.h linux-2.6.39.3/include/net/ip_fib.h
66154 --- linux-2.6.39.3/include/net/ip_fib.h 2011-05-19 00:06:34.000000000 -0400
66155 +++ linux-2.6.39.3/include/net/ip_fib.h 2011-05-22 19:36:33.000000000 -0400
66156 @@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
66157
66158 #define FIB_RES_SADDR(net, res) \
66159 ((FIB_RES_NH(res).nh_saddr_genid == \
66160 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
66161 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
66162 FIB_RES_NH(res).nh_saddr : \
66163 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
66164 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
66165 diff -urNp linux-2.6.39.3/include/net/ip_vs.h linux-2.6.39.3/include/net/ip_vs.h
66166 --- linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:18:51.000000000 -0400
66167 +++ linux-2.6.39.3/include/net/ip_vs.h 2011-07-09 09:19:24.000000000 -0400
66168 @@ -512,7 +512,7 @@ struct ip_vs_conn {
66169 struct ip_vs_conn *control; /* Master control connection */
66170 atomic_t n_control; /* Number of controlled ones */
66171 struct ip_vs_dest *dest; /* real server */
66172 - atomic_t in_pkts; /* incoming packet counter */
66173 + atomic_unchecked_t in_pkts; /* incoming packet counter */
66174
66175 /* packet transmitter for different forwarding methods. If it
66176 mangles the packet, it must return NF_DROP or better NF_STOLEN,
66177 @@ -650,7 +650,7 @@ struct ip_vs_dest {
66178 __be16 port; /* port number of the server */
66179 union nf_inet_addr addr; /* IP address of the server */
66180 volatile unsigned flags; /* dest status flags */
66181 - atomic_t conn_flags; /* flags to copy to conn */
66182 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
66183 atomic_t weight; /* server weight */
66184
66185 atomic_t refcnt; /* reference counter */
66186 diff -urNp linux-2.6.39.3/include/net/irda/ircomm_tty.h linux-2.6.39.3/include/net/irda/ircomm_tty.h
66187 --- linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-19 00:06:34.000000000 -0400
66188 +++ linux-2.6.39.3/include/net/irda/ircomm_tty.h 2011-05-22 19:36:33.000000000 -0400
66189 @@ -35,6 +35,7 @@
66190 #include <linux/termios.h>
66191 #include <linux/timer.h>
66192 #include <linux/tty.h> /* struct tty_struct */
66193 +#include <asm/local.h>
66194
66195 #include <net/irda/irias_object.h>
66196 #include <net/irda/ircomm_core.h>
66197 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
66198 unsigned short close_delay;
66199 unsigned short closing_wait; /* time to wait before closing */
66200
66201 - int open_count;
66202 - int blocked_open; /* # of blocked opens */
66203 + local_t open_count;
66204 + local_t blocked_open; /* # of blocked opens */
66205
66206 /* Protect concurent access to :
66207 * o self->open_count
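Review bot: `open_count` and `blocked_open` become `local_t` with no explanation of why that type was chosen over `atomic_t` or `atomic_unchecked_t`. local_t operations are atomic only with respect to the CPU performing them, so cross-CPU correctness still rests on the lock that the comment just below says protects self->open_count. I would extend the field comment to say so, for example `/* local_t: still requires the lock below for cross-CPU access */`. The struct and the rest of that comment continue outside this hunk.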
66208 diff -urNp linux-2.6.39.3/include/net/iucv/af_iucv.h linux-2.6.39.3/include/net/iucv/af_iucv.h
66209 --- linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-19 00:06:34.000000000 -0400
66210 +++ linux-2.6.39.3/include/net/iucv/af_iucv.h 2011-05-22 19:36:33.000000000 -0400
66211 @@ -87,7 +87,7 @@ struct iucv_sock {
66212 struct iucv_sock_list {
66213 struct hlist_head head;
66214 rwlock_t lock;
66215 - atomic_t autobind_name;
66216 + atomic_unchecked_t autobind_name;
66217 };
66218
66219 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66220 diff -urNp linux-2.6.39.3/include/net/neighbour.h linux-2.6.39.3/include/net/neighbour.h
66221 --- linux-2.6.39.3/include/net/neighbour.h 2011-05-19 00:06:34.000000000 -0400
66222 +++ linux-2.6.39.3/include/net/neighbour.h 2011-05-22 19:36:33.000000000 -0400
66223 @@ -118,12 +118,12 @@ struct neighbour {
66224
66225 struct neigh_ops {
66226 int family;
66227 - void (*solicit)(struct neighbour *, struct sk_buff*);
66228 - void (*error_report)(struct neighbour *, struct sk_buff*);
66229 - int (*output)(struct sk_buff*);
66230 - int (*connected_output)(struct sk_buff*);
66231 - int (*hh_output)(struct sk_buff*);
66232 - int (*queue_xmit)(struct sk_buff*);
66233 + void (* const solicit)(struct neighbour *, struct sk_buff*);
66234 + void (* const error_report)(struct neighbour *, struct sk_buff*);
66235 + int (* const output)(struct sk_buff*);
66236 + int (* const connected_output)(struct sk_buff*);
66237 + int (* const hh_output)(struct sk_buff*);
66238 + int (* const queue_xmit)(struct sk_buff*);
66239 };
66240
66241 struct pneigh_entry {
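Review bot: Qualifying each function pointer with `const` turns later assignment into a compile error, but it does not by itself make a `struct neigh_ops` object read-only: `family` stays a plain `int`, and an instance is typically placed in read-only memory only when the object itself is declared `const`. A comment on the struct would make the contract explicit, for example `/* handlers are fixed at definition time; declare instances const and use designated initializers */`. Any code that fills in these members after definition will stop compiling, which is worth checking for out-of-tree users. The same applies to `struct snd_ac97_build_ops` in include/sound/ac97_codec.h.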
66242 diff -urNp linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h
66243 --- linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-19 00:06:34.000000000 -0400
66244 +++ linux-2.6.39.3/include/net/netfilter/nf_conntrack_ecache.h 2011-05-22 19:36:33.000000000 -0400
66245 @@ -95,7 +95,7 @@ nf_conntrack_eventmask_report(unsigned i
66246 int report)
66247 {
66248 int ret = 0;
66249 - struct nf_ct_event_notifier *notify;
66250 + const struct nf_ct_event_notifier *notify;
66251 struct nf_conntrack_ecache *e;
66252
66253 rcu_read_lock();
66254 @@ -174,7 +174,7 @@ nf_ct_expect_event_report(enum ip_conntr
66255 u32 pid,
66256 int report)
66257 {
66258 - struct nf_exp_event_notifier *notify;
66259 + const struct nf_exp_event_notifier *notify;
66260 struct nf_conntrack_ecache *e;
66261
66262 rcu_read_lock();
66263 diff -urNp linux-2.6.39.3/include/net/netlink.h linux-2.6.39.3/include/net/netlink.h
66264 --- linux-2.6.39.3/include/net/netlink.h 2011-05-19 00:06:34.000000000 -0400
66265 +++ linux-2.6.39.3/include/net/netlink.h 2011-05-22 19:36:33.000000000 -0400
66266 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
66267 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66268 {
66269 if (mark)
66270 - skb_trim(skb, (unsigned char *) mark - skb->data);
66271 + skb_trim(skb, (const unsigned char *) mark - skb->data);
66272 }
66273
66274 /**
66275 diff -urNp linux-2.6.39.3/include/net/netns/ipv4.h linux-2.6.39.3/include/net/netns/ipv4.h
66276 --- linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-19 00:06:34.000000000 -0400
66277 +++ linux-2.6.39.3/include/net/netns/ipv4.h 2011-05-22 19:36:33.000000000 -0400
66278 @@ -54,8 +54,8 @@ struct netns_ipv4 {
66279 int sysctl_rt_cache_rebuild_count;
66280 int current_rt_cache_rebuild_count;
66281
66282 - atomic_t rt_genid;
66283 - atomic_t dev_addr_genid;
66284 + atomic_unchecked_t rt_genid;
66285 + atomic_unchecked_t dev_addr_genid;
66286
66287 #ifdef CONFIG_IP_MROUTE
66288 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
66289 diff -urNp linux-2.6.39.3/include/net/sctp/sctp.h linux-2.6.39.3/include/net/sctp/sctp.h
66290 --- linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-19 00:06:34.000000000 -0400
66291 +++ linux-2.6.39.3/include/net/sctp/sctp.h 2011-05-22 19:36:33.000000000 -0400
66292 @@ -316,9 +316,9 @@ do { \
66293
66294 #else /* SCTP_DEBUG */
66295
66296 -#define SCTP_DEBUG_PRINTK(whatever...)
66297 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
66298 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
66299 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
66300 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
66301 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
66302 #define SCTP_ENABLE_DEBUG
66303 #define SCTP_DISABLE_DEBUG
66304 #define SCTP_ASSERT(expr, str, func)
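Review bot: The three print macros now expand to `do {} while (0)`, but `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing. Used as the only body of an `if` or `else`, they leave an empty statement, which is the situation this change removes for the print macros. For consistency they could get the same body, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.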
66305 diff -urNp linux-2.6.39.3/include/net/sock.h linux-2.6.39.3/include/net/sock.h
66306 --- linux-2.6.39.3/include/net/sock.h 2011-05-19 00:06:34.000000000 -0400
66307 +++ linux-2.6.39.3/include/net/sock.h 2011-05-22 19:36:33.000000000 -0400
66308 @@ -277,7 +277,7 @@ struct sock {
66309 #ifdef CONFIG_RPS
66310 __u32 sk_rxhash;
66311 #endif
66312 - atomic_t sk_drops;
66313 + atomic_unchecked_t sk_drops;
66314 int sk_rcvbuf;
66315
66316 struct sk_filter __rcu *sk_filter;
66317 diff -urNp linux-2.6.39.3/include/net/tcp.h linux-2.6.39.3/include/net/tcp.h
66318 --- linux-2.6.39.3/include/net/tcp.h 2011-05-19 00:06:34.000000000 -0400
66319 +++ linux-2.6.39.3/include/net/tcp.h 2011-05-22 19:36:33.000000000 -0400
66320 @@ -1374,7 +1374,7 @@ enum tcp_seq_states {
66321 struct tcp_seq_afinfo {
66322 char *name;
66323 sa_family_t family;
66324 - struct file_operations seq_fops;
66325 + struct file_operations seq_fops; /* cannot be const */
66326 struct seq_operations seq_ops;
66327 };
66328
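Review bot: The added comment `/* cannot be const */` states the restriction without the reason, so a later constification pass has nothing to check it against. If the reason is that members of `seq_fops` are filled in at registration time (that code is not in this hunk), the comment should say so, e.g. `/* cannot be const: fields are filled in at registration */`. The identical comment on `seq_fops` in `struct udp_seq_afinfo` in include/net/udp.h needs the same expansion.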
66329 diff -urNp linux-2.6.39.3/include/net/udp.h linux-2.6.39.3/include/net/udp.h
66330 --- linux-2.6.39.3/include/net/udp.h 2011-05-19 00:06:34.000000000 -0400
66331 +++ linux-2.6.39.3/include/net/udp.h 2011-05-22 19:36:33.000000000 -0400
66332 @@ -234,7 +234,7 @@ struct udp_seq_afinfo {
66333 char *name;
66334 sa_family_t family;
66335 struct udp_table *udp_table;
66336 - struct file_operations seq_fops;
66337 + struct file_operations seq_fops; /* cannot be const */
66338 struct seq_operations seq_ops;
66339 };
66340
66341 diff -urNp linux-2.6.39.3/include/net/xfrm.h linux-2.6.39.3/include/net/xfrm.h
66342 --- linux-2.6.39.3/include/net/xfrm.h 2011-05-19 00:06:34.000000000 -0400
66343 +++ linux-2.6.39.3/include/net/xfrm.h 2011-05-22 19:36:33.000000000 -0400
66344 @@ -505,7 +505,7 @@ struct xfrm_policy {
66345 struct timer_list timer;
66346
66347 struct flow_cache_object flo;
66348 - atomic_t genid;
66349 + atomic_unchecked_t genid;
66350 u32 priority;
66351 u32 index;
66352 struct xfrm_mark mark;
66353 diff -urNp linux-2.6.39.3/include/pcmcia/ss.h linux-2.6.39.3/include/pcmcia/ss.h
66354 --- linux-2.6.39.3/include/pcmcia/ss.h 2011-05-19 00:06:34.000000000 -0400
66355 +++ linux-2.6.39.3/include/pcmcia/ss.h 2011-05-22 19:36:33.000000000 -0400
66356 @@ -241,9 +241,9 @@ struct pcmcia_socket {
66357 * "select PCCARD_NONSTATIC" in Kconfig.
66358 *
66359 */
66360 -extern struct pccard_resource_ops pccard_static_ops;
66361 +extern const struct pccard_resource_ops pccard_static_ops;
66362 #if defined(CONFIG_PCMCIA) || defined(CONFIG_PCMCIA_MODULE)
66363 -extern struct pccard_resource_ops pccard_iodyn_ops;
66364 +extern const struct pccard_resource_ops pccard_iodyn_ops;
66365 extern struct pccard_resource_ops pccard_nonstatic_ops;
66366 #else
66367 /* If PCMCIA is not used, but only CARDBUS, these functions are not used
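Review bot: `pccard_static_ops` and `pccard_iodyn_ops` become `const`, while `pccard_nonstatic_ops` on the next line is left writable with no explanation. If that table is modified at run time, a comment such as `/* not const: REASON */` should record it. If it is not, declare it `extern const struct pccard_resource_ops pccard_nonstatic_ops;` so all three operation tables get the same protection. The definitions are outside this hunk and must carry the matching qualifier.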
66368 diff -urNp linux-2.6.39.3/include/rdma/ib_verbs.h linux-2.6.39.3/include/rdma/ib_verbs.h
66369 --- linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-19 00:06:34.000000000 -0400
66370 +++ linux-2.6.39.3/include/rdma/ib_verbs.h 2011-05-22 19:36:33.000000000 -0400
66371 @@ -1149,7 +1149,7 @@ struct ib_device {
66372 struct ib_mad *in_mad,
66373 struct ib_mad *out_mad);
66374
66375 - struct ib_dma_mapping_ops *dma_ops;
66376 + const struct ib_dma_mapping_ops *dma_ops;
66377
66378 struct module *owner;
66379 struct device dev;
66380 diff -urNp linux-2.6.39.3/include/scsi/libfc.h linux-2.6.39.3/include/scsi/libfc.h
66381 --- linux-2.6.39.3/include/scsi/libfc.h 2011-05-19 00:06:34.000000000 -0400
66382 +++ linux-2.6.39.3/include/scsi/libfc.h 2011-05-22 19:36:33.000000000 -0400
66383 @@ -202,7 +202,7 @@ struct fc_rport_priv {
66384 struct mutex rp_mutex;
66385 struct delayed_work retry_work;
66386 enum fc_rport_event event;
66387 - struct fc_rport_operations *ops;
66388 + const struct fc_rport_operations *ops;
66389 struct list_head peers;
66390 struct work_struct event_work;
66391 u32 supported_classes;
66392 diff -urNp linux-2.6.39.3/include/scsi/scsi_device.h linux-2.6.39.3/include/scsi/scsi_device.h
66393 --- linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-19 00:06:34.000000000 -0400
66394 +++ linux-2.6.39.3/include/scsi/scsi_device.h 2011-05-22 19:36:33.000000000 -0400
66395 @@ -161,9 +161,9 @@ struct scsi_device {
66396 unsigned int max_device_blocked; /* what device_blocked counts down from */
66397 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
66398
66399 - atomic_t iorequest_cnt;
66400 - atomic_t iodone_cnt;
66401 - atomic_t ioerr_cnt;
66402 + atomic_unchecked_t iorequest_cnt;
66403 + atomic_unchecked_t iodone_cnt;
66404 + atomic_unchecked_t ioerr_cnt;
66405
66406 struct device sdev_gendev,
66407 sdev_dev;
66408 diff -urNp linux-2.6.39.3/include/sound/ac97_codec.h linux-2.6.39.3/include/sound/ac97_codec.h
66409 --- linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-19 00:06:34.000000000 -0400
66410 +++ linux-2.6.39.3/include/sound/ac97_codec.h 2011-05-22 19:36:33.000000000 -0400
66411 @@ -424,15 +424,15 @@
66412 struct snd_ac97;
66413
66414 struct snd_ac97_build_ops {
66415 - int (*build_3d) (struct snd_ac97 *ac97);
66416 - int (*build_specific) (struct snd_ac97 *ac97);
66417 - int (*build_spdif) (struct snd_ac97 *ac97);
66418 - int (*build_post_spdif) (struct snd_ac97 *ac97);
66419 + int (* const build_3d) (struct snd_ac97 *ac97);
66420 + int (* const build_specific) (struct snd_ac97 *ac97);
66421 + int (* const build_spdif) (struct snd_ac97 *ac97);
66422 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
66423 #ifdef CONFIG_PM
66424 - void (*suspend) (struct snd_ac97 *ac97);
66425 - void (*resume) (struct snd_ac97 *ac97);
66426 + void (* const suspend) (struct snd_ac97 *ac97);
66427 + void (* const resume) (struct snd_ac97 *ac97);
66428 #endif
66429 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66430 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
66431 };
66432
66433 struct snd_ac97_bus_ops {
66434 @@ -446,7 +446,7 @@ struct snd_ac97_bus_ops {
66435
66436 struct snd_ac97_bus {
66437 /* -- lowlevel (hardware) driver specific -- */
66438 - struct snd_ac97_bus_ops *ops;
66439 + const struct snd_ac97_bus_ops *ops;
66440 void *private_data;
66441 void (*private_free) (struct snd_ac97_bus *bus);
66442 /* --- */
66443 @@ -556,7 +556,7 @@ static inline int ac97_can_spdif(struct
66444
66445 /* functions */
66446 /* create new AC97 bus */
66447 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
66448 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
66449 void *private_data, struct snd_ac97_bus **rbus);
66450 /* create mixer controls */
66451 int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
66452 diff -urNp linux-2.6.39.3/include/sound/core.h linux-2.6.39.3/include/sound/core.h
66453 --- linux-2.6.39.3/include/sound/core.h 2011-05-19 00:06:34.000000000 -0400
66454 +++ linux-2.6.39.3/include/sound/core.h 2011-05-22 19:36:33.000000000 -0400
66455 @@ -88,7 +88,7 @@ struct snd_device {
66456 snd_device_state_t state; /* state of the device */
66457 snd_device_type_t type; /* device type */
66458 void *device_data; /* device structure */
66459 - struct snd_device_ops *ops; /* operations */
66460 + const struct snd_device_ops *ops; /* operations */
66461 };
66462
66463 #define snd_device(n) list_entry(n, struct snd_device, list)
66464 @@ -301,7 +301,7 @@ int snd_card_file_remove(struct snd_card
66465 /* device.c */
66466
66467 int snd_device_new(struct snd_card *card, snd_device_type_t type,
66468 - void *device_data, struct snd_device_ops *ops);
66469 + void *device_data, const struct snd_device_ops *ops);
66470 int snd_device_register(struct snd_card *card, void *device_data);
66471 int snd_device_register_all(struct snd_card *card);
66472 int snd_device_disconnect(struct snd_card *card, void *device_data);
66473 diff -urNp linux-2.6.39.3/include/sound/pcm.h linux-2.6.39.3/include/sound/pcm.h
66474 --- linux-2.6.39.3/include/sound/pcm.h 2011-05-19 00:06:34.000000000 -0400
66475 +++ linux-2.6.39.3/include/sound/pcm.h 2011-05-22 19:36:33.000000000 -0400
66476 @@ -379,7 +379,7 @@ struct snd_pcm_substream {
66477 unsigned int dma_buf_id;
66478 size_t dma_max;
66479 /* -- hardware operations -- */
66480 - struct snd_pcm_ops *ops;
66481 + const struct snd_pcm_ops *ops;
66482 /* -- runtime information -- */
66483 struct snd_pcm_runtime *runtime;
66484 /* -- timer section -- */
66485 @@ -845,7 +845,7 @@ const unsigned char *snd_pcm_format_sile
66486 int snd_pcm_format_set_silence(snd_pcm_format_t format, void *buf, unsigned int frames);
66487 snd_pcm_format_t snd_pcm_build_linear_format(int width, int unsignd, int big_endian);
66488
66489 -void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, struct snd_pcm_ops *ops);
66490 +void snd_pcm_set_ops(struct snd_pcm * pcm, int direction, const struct snd_pcm_ops *ops);
66491 void snd_pcm_set_sync(struct snd_pcm_substream *substream);
66492 int snd_pcm_lib_interleave_len(struct snd_pcm_substream *substream);
66493 int snd_pcm_lib_ioctl(struct snd_pcm_substream *substream,
66494 diff -urNp linux-2.6.39.3/include/sound/rawmidi.h linux-2.6.39.3/include/sound/rawmidi.h
66495 --- linux-2.6.39.3/include/sound/rawmidi.h 2011-05-19 00:06:34.000000000 -0400
66496 +++ linux-2.6.39.3/include/sound/rawmidi.h 2011-05-22 19:36:33.000000000 -0400
66497 @@ -100,7 +100,7 @@ struct snd_rawmidi_substream {
66498 struct snd_rawmidi_runtime *runtime;
66499 struct pid *pid;
66500 /* hardware layer */
66501 - struct snd_rawmidi_ops *ops;
66502 + const struct snd_rawmidi_ops *ops;
66503 };
66504
66505 struct snd_rawmidi_file {
66506 @@ -127,7 +127,7 @@ struct snd_rawmidi {
66507 int ossreg;
66508 #endif
66509
66510 - struct snd_rawmidi_global_ops *ops;
66511 + const struct snd_rawmidi_global_ops *ops;
66512
66513 struct snd_rawmidi_str streams[2];
66514
66515 @@ -151,7 +151,7 @@ int snd_rawmidi_new(struct snd_card *car
66516 int output_count, int input_count,
66517 struct snd_rawmidi **rmidi);
66518 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
66519 - struct snd_rawmidi_ops *ops);
66520 + const struct snd_rawmidi_ops *ops);
66521
66522 /* callbacks */
66523
66524 diff -urNp linux-2.6.39.3/include/sound/seq_device.h linux-2.6.39.3/include/sound/seq_device.h
66525 --- linux-2.6.39.3/include/sound/seq_device.h 2011-05-19 00:06:34.000000000 -0400
66526 +++ linux-2.6.39.3/include/sound/seq_device.h 2011-05-22 19:36:33.000000000 -0400
66527 @@ -69,7 +69,7 @@ struct snd_seq_dev_ops {
66528 */
66529 void snd_seq_device_load_drivers(void);
66530 int snd_seq_device_new(struct snd_card *card, int device, char *id, int argsize, struct snd_seq_device **result);
66531 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry, int argsize);
66532 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry, int argsize);
66533 int snd_seq_device_unregister_driver(char *id);
66534
66535 #define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
66536 diff -urNp linux-2.6.39.3/include/sound/snd_wavefront.h linux-2.6.39.3/include/sound/snd_wavefront.h
66537 --- linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-19 00:06:34.000000000 -0400
66538 +++ linux-2.6.39.3/include/sound/snd_wavefront.h 2011-05-22 19:36:33.000000000 -0400
66539 @@ -37,8 +37,8 @@ struct _snd_wavefront_midi {
66540 #define MPU_ACK 0xFE
66541 #define UART_MODE_ON 0x3F
66542
66543 -extern struct snd_rawmidi_ops snd_wavefront_midi_output;
66544 -extern struct snd_rawmidi_ops snd_wavefront_midi_input;
66545 +extern const struct snd_rawmidi_ops snd_wavefront_midi_output;
66546 +extern const struct snd_rawmidi_ops snd_wavefront_midi_input;
66547
66548 extern void snd_wavefront_midi_enable_virtual (snd_wavefront_card_t *);
66549 extern void snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *);
66550 diff -urNp linux-2.6.39.3/include/sound/soc.h linux-2.6.39.3/include/sound/soc.h
66551 --- linux-2.6.39.3/include/sound/soc.h 2011-05-19 00:06:34.000000000 -0400
66552 +++ linux-2.6.39.3/include/sound/soc.h 2011-05-22 19:36:33.000000000 -0400
66553 @@ -245,7 +245,7 @@ struct snd_soc_jack_gpio;
66554
66555 typedef int (*hw_write_t)(void *,const char* ,int);
66556
66557 -extern struct snd_ac97_bus_ops soc_ac97_ops;
66558 +extern const struct snd_ac97_bus_ops soc_ac97_ops;
66559
66560 enum snd_soc_control_type {
66561 SND_SOC_CUSTOM,
66562 diff -urNp linux-2.6.39.3/include/sound/ymfpci.h linux-2.6.39.3/include/sound/ymfpci.h
66563 --- linux-2.6.39.3/include/sound/ymfpci.h 2011-05-19 00:06:34.000000000 -0400
66564 +++ linux-2.6.39.3/include/sound/ymfpci.h 2011-05-22 19:36:33.000000000 -0400
66565 @@ -358,7 +358,7 @@ struct snd_ymfpci {
66566 spinlock_t reg_lock;
66567 spinlock_t voice_lock;
66568 wait_queue_head_t interrupt_sleep;
66569 - atomic_t interrupt_sleep_count;
66570 + atomic_unchecked_t interrupt_sleep_count;
66571 struct snd_info_entry *proc_entry;
66572 const struct firmware *dsp_microcode;
66573 const struct firmware *controller_microcode;
66574 diff -urNp linux-2.6.39.3/include/target/target_core_base.h linux-2.6.39.3/include/target/target_core_base.h
66575 --- linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:04:14.000000000 -0400
66576 +++ linux-2.6.39.3/include/target/target_core_base.h 2011-06-03 00:32:08.000000000 -0400
66577 @@ -432,8 +432,8 @@ struct se_transport_task {
66578 atomic_t t_task_cdbs_left;
66579 atomic_t t_task_cdbs_ex_left;
66580 atomic_t t_task_cdbs_timeout_left;
66581 - atomic_t t_task_cdbs_sent;
66582 - atomic_t t_transport_aborted;
66583 + atomic_unchecked_t t_task_cdbs_sent;
66584 + atomic_unchecked_t t_transport_aborted;
66585 atomic_t t_transport_active;
66586 atomic_t t_transport_complete;
66587 atomic_t t_transport_queue_active;
66588 @@ -774,7 +774,7 @@ struct se_device {
66589 atomic_t active_cmds;
66590 atomic_t simple_cmds;
66591 atomic_t depth_left;
66592 - atomic_t dev_ordered_id;
66593 + atomic_unchecked_t dev_ordered_id;
66594 atomic_t dev_tur_active;
66595 atomic_t execute_tasks;
66596 atomic_t dev_status_thr_count;
66597 diff -urNp linux-2.6.39.3/include/trace/events/irq.h linux-2.6.39.3/include/trace/events/irq.h
66598 --- linux-2.6.39.3/include/trace/events/irq.h 2011-05-19 00:06:34.000000000 -0400
66599 +++ linux-2.6.39.3/include/trace/events/irq.h 2011-05-22 19:36:33.000000000 -0400
66600 @@ -36,7 +36,7 @@ struct softirq_action;
66601 */
66602 TRACE_EVENT(irq_handler_entry,
66603
66604 - TP_PROTO(int irq, struct irqaction *action),
66605 + TP_PROTO(int irq, const struct irqaction *action),
66606
66607 TP_ARGS(irq, action),
66608
66609 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
66610 */
66611 TRACE_EVENT(irq_handler_exit,
66612
66613 - TP_PROTO(int irq, struct irqaction *action, int ret),
66614 + TP_PROTO(int irq, const struct irqaction *action, int ret),
66615
66616 TP_ARGS(irq, action, ret),
66617
66618 diff -urNp linux-2.6.39.3/include/video/udlfb.h linux-2.6.39.3/include/video/udlfb.h
66619 --- linux-2.6.39.3/include/video/udlfb.h 2011-05-19 00:06:34.000000000 -0400
66620 +++ linux-2.6.39.3/include/video/udlfb.h 2011-05-22 19:36:33.000000000 -0400
66621 @@ -51,10 +51,10 @@ struct dlfb_data {
66622 int base8;
66623 u32 pseudo_palette[256];
66624 /* blit-only rendering path metrics, exposed through sysfs */
66625 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66626 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
66627 - atomic_t bytes_sent; /* to usb, after compression including overhead */
66628 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
66629 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
66630 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
66631 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
66632 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
66633 };
66634
66635 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
66636 diff -urNp linux-2.6.39.3/include/video/uvesafb.h linux-2.6.39.3/include/video/uvesafb.h
66637 --- linux-2.6.39.3/include/video/uvesafb.h 2011-05-19 00:06:34.000000000 -0400
66638 +++ linux-2.6.39.3/include/video/uvesafb.h 2011-05-22 19:36:33.000000000 -0400
66639 @@ -177,6 +177,7 @@ struct uvesafb_par {
66640 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
66641 u8 pmi_setpal; /* PMI for palette changes */
66642 u16 *pmi_base; /* protected mode interface location */
66643 + u8 *pmi_code; /* protected mode code location */
66644 void *pmi_start;
66645 void *pmi_pal;
66646 u8 *vbe_state_orig; /*
66647 diff -urNp linux-2.6.39.3/init/do_mounts.c linux-2.6.39.3/init/do_mounts.c
66648 --- linux-2.6.39.3/init/do_mounts.c 2011-05-19 00:06:34.000000000 -0400
66649 +++ linux-2.6.39.3/init/do_mounts.c 2011-05-22 19:36:33.000000000 -0400
66650 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
66651
66652 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
66653 {
66654 - int err = sys_mount(name, "/root", fs, flags, data);
66655 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
66656 if (err)
66657 return err;
66658
66659 @@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
66660 va_start(args, fmt);
66661 vsprintf(buf, fmt, args);
66662 va_end(args);
66663 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
66664 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
66665 if (fd >= 0) {
66666 sys_ioctl(fd, FDEJECT, 0);
66667 sys_close(fd);
66668 }
66669 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
66670 - fd = sys_open("/dev/console", O_RDWR, 0);
66671 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
66672 if (fd >= 0) {
66673 sys_ioctl(fd, TCGETS, (long)&termios);
66674 termios.c_lflag &= ~ICANON;
66675 sys_ioctl(fd, TCSETSF, (long)&termios);
66676 - sys_read(fd, &c, 1);
66677 + sys_read(fd, (char __user *)&c, 1);
66678 termios.c_lflag |= ICANON;
66679 sys_ioctl(fd, TCSETSF, (long)&termios);
66680 sys_close(fd);
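Review bot: Two casts in this hunk omit `__force` although the other casts added to this file carry it: `(char __user *)"/dev/root"` and `(char __user *)&c`. The first also drops the `const` that the later `/dev/console` call keeps. For consistent annotation use `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c`. These casts only satisfy the static checker; whether passing a kernel buffer such as `&c` to `sys_read()` is valid still depends on the address-limit state at this point of boot, which the hunk does not show.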
66681 @@ -488,6 +488,6 @@ void __init prepare_namespace(void)
66682 mount_root();
66683 out:
66684 devtmpfs_mount("dev");
66685 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66686 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66687 sys_chroot((const char __user __force *)".");
66688 }
66689 diff -urNp linux-2.6.39.3/init/do_mounts.h linux-2.6.39.3/init/do_mounts.h
66690 --- linux-2.6.39.3/init/do_mounts.h 2011-05-19 00:06:34.000000000 -0400
66691 +++ linux-2.6.39.3/init/do_mounts.h 2011-05-22 19:36:33.000000000 -0400
66692 @@ -15,15 +15,15 @@ extern int root_mountflags;
66693
66694 static inline int create_dev(char *name, dev_t dev)
66695 {
66696 - sys_unlink(name);
66697 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
66698 + sys_unlink((__force char __user *)name);
66699 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
66700 }
66701
66702 #if BITS_PER_LONG == 32
66703 static inline u32 bstat(char *name)
66704 {
66705 struct stat64 stat;
66706 - if (sys_stat64(name, &stat) != 0)
66707 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
66708 return 0;
66709 if (!S_ISBLK(stat.st_mode))
66710 return 0;
66711 diff -urNp linux-2.6.39.3/init/do_mounts_initrd.c linux-2.6.39.3/init/do_mounts_initrd.c
66712 --- linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-19 00:06:34.000000000 -0400
66713 +++ linux-2.6.39.3/init/do_mounts_initrd.c 2011-05-22 19:36:33.000000000 -0400
66714 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
66715 create_dev("/dev/root.old", Root_RAM0);
66716 /* mount initrd on rootfs' /root */
66717 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
66718 - sys_mkdir("/old", 0700);
66719 - root_fd = sys_open("/", 0, 0);
66720 - old_fd = sys_open("/old", 0, 0);
66721 + sys_mkdir((__force const char __user *)"/old", 0700);
66722 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
66723 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
66724 /* move initrd over / and chdir/chroot in initrd root */
66725 - sys_chdir("/root");
66726 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
66727 - sys_chroot(".");
66728 + sys_chdir((__force const char __user *)"/root");
66729 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
66730 + sys_chroot((__force const char __user *)".");
66731
66732 /*
66733 * In case that a resume from disk is carried out by linuxrc or one of
66734 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
66735
66736 /* move initrd to rootfs' /old */
66737 sys_fchdir(old_fd);
66738 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
66739 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
66740 /* switch root and cwd back to / of rootfs */
66741 sys_fchdir(root_fd);
66742 - sys_chroot(".");
66743 + sys_chroot((__force const char __user *)".");
66744 sys_close(old_fd);
66745 sys_close(root_fd);
66746
66747 if (new_decode_dev(real_root_dev) == Root_RAM0) {
66748 - sys_chdir("/old");
66749 + sys_chdir((__force const char __user *)"/old");
66750 return;
66751 }
66752
66753 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
66754 mount_root();
66755
66756 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
66757 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
66758 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
66759 if (!error)
66760 printk("okay\n");
66761 else {
66762 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
66763 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
66764 if (error == -ENOENT)
66765 printk("/initrd does not exist. Ignored.\n");
66766 else
66767 printk("failed\n");
66768 printk(KERN_NOTICE "Unmounting old root\n");
66769 - sys_umount("/old", MNT_DETACH);
66770 + sys_umount((__force char __user *)"/old", MNT_DETACH);
66771 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
66772 if (fd < 0) {
66773 error = fd;
66774 @@ -116,11 +116,11 @@ int __init initrd_load(void)
66775 * mounted in the normal path.
66776 */
66777 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
66778 - sys_unlink("/initrd.image");
66779 + sys_unlink((__force const char __user *)"/initrd.image");
66780 handle_initrd();
66781 return 1;
66782 }
66783 }
66784 - sys_unlink("/initrd.image");
66785 + sys_unlink((__force const char __user *)"/initrd.image");
66786 return 0;
66787 }
66788 diff -urNp linux-2.6.39.3/init/do_mounts_md.c linux-2.6.39.3/init/do_mounts_md.c
66789 --- linux-2.6.39.3/init/do_mounts_md.c 2011-05-19 00:06:34.000000000 -0400
66790 +++ linux-2.6.39.3/init/do_mounts_md.c 2011-05-22 19:36:33.000000000 -0400
66791 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
66792 partitioned ? "_d" : "", minor,
66793 md_setup_args[ent].device_names);
66794
66795 - fd = sys_open(name, 0, 0);
66796 + fd = sys_open((__force char __user *)name, 0, 0);
66797 if (fd < 0) {
66798 printk(KERN_ERR "md: open failed - cannot start "
66799 "array %s\n", name);
66800 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
66801 * array without it
66802 */
66803 sys_close(fd);
66804 - fd = sys_open(name, 0, 0);
66805 + fd = sys_open((__force char __user *)name, 0, 0);
66806 sys_ioctl(fd, BLKRRPART, 0);
66807 }
66808 sys_close(fd);
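Review bot: The descriptor returned by the second `sys_open()` goes straight into `sys_ioctl(fd, BLKRRPART, 0)` without the `fd < 0` check that the first open of `name` gets in the previous hunk. A failed reopen would pass a negative error value to the ioctl and to `sys_close()`. A guard keeps the two opens consistent: `if (fd >= 0) sys_ioctl(fd, BLKRRPART, 0);`. md_setup_drive() starts and ends outside this hunk.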
66809 diff -urNp linux-2.6.39.3/init/initramfs.c linux-2.6.39.3/init/initramfs.c
66810 --- linux-2.6.39.3/init/initramfs.c 2011-05-19 00:06:34.000000000 -0400
66811 +++ linux-2.6.39.3/init/initramfs.c 2011-05-22 19:36:33.000000000 -0400
66812 @@ -74,7 +74,7 @@ static void __init free_hash(void)
66813 }
66814 }
66815
66816 -static long __init do_utime(char __user *filename, time_t mtime)
66817 +static long __init do_utime(__force char __user *filename, time_t mtime)
66818 {
66819 struct timespec t[2];
66820
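Review bot: `__force` is placed on the parameter declaration of `do_utime()`, which is unusual: the annotation is normally written on a cast to permit an address-space conversion, and the parameter was already `char __user *`. The call sites changed later in this file carry their own `(__force char __user *)` casts, so the declaration can presumably stay `static long __init do_utime(char __user *filename, time_t mtime)`. The function body continues outside the hunk.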
66821 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
66822 struct dir_entry *de, *tmp;
66823 list_for_each_entry_safe(de, tmp, &dir_list, list) {
66824 list_del(&de->list);
66825 - do_utime(de->name, de->mtime);
66826 + do_utime((__force char __user *)de->name, de->mtime);
66827 kfree(de->name);
66828 kfree(de);
66829 }
66830 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
66831 if (nlink >= 2) {
66832 char *old = find_link(major, minor, ino, mode, collected);
66833 if (old)
66834 - return (sys_link(old, collected) < 0) ? -1 : 1;
66835 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
66836 }
66837 return 0;
66838 }
66839 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
66840 {
66841 struct stat st;
66842
66843 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
66844 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
66845 if (S_ISDIR(st.st_mode))
66846 - sys_rmdir(path);
66847 + sys_rmdir((__force char __user *)path);
66848 else
66849 - sys_unlink(path);
66850 + sys_unlink((__force char __user *)path);
66851 }
66852 }
66853
66854 @@ -305,7 +305,7 @@ static int __init do_name(void)
66855 int openflags = O_WRONLY|O_CREAT;
66856 if (ml != 1)
66857 openflags |= O_TRUNC;
66858 - wfd = sys_open(collected, openflags, mode);
66859 + wfd = sys_open((__force char __user *)collected, openflags, mode);
66860
66861 if (wfd >= 0) {
66862 sys_fchown(wfd, uid, gid);
66863 @@ -317,17 +317,17 @@ static int __init do_name(void)
66864 }
66865 }
66866 } else if (S_ISDIR(mode)) {
66867 - sys_mkdir(collected, mode);
66868 - sys_chown(collected, uid, gid);
66869 - sys_chmod(collected, mode);
66870 + sys_mkdir((__force char __user *)collected, mode);
66871 + sys_chown((__force char __user *)collected, uid, gid);
66872 + sys_chmod((__force char __user *)collected, mode);
66873 dir_add(collected, mtime);
66874 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
66875 S_ISFIFO(mode) || S_ISSOCK(mode)) {
66876 if (maybe_link() == 0) {
66877 - sys_mknod(collected, mode, rdev);
66878 - sys_chown(collected, uid, gid);
66879 - sys_chmod(collected, mode);
66880 - do_utime(collected, mtime);
66881 + sys_mknod((__force char __user *)collected, mode, rdev);
66882 + sys_chown((__force char __user *)collected, uid, gid);
66883 + sys_chmod((__force char __user *)collected, mode);
66884 + do_utime((__force char __user *)collected, mtime);
66885 }
66886 }
66887 return 0;
66888 @@ -336,15 +336,15 @@ static int __init do_name(void)
66889 static int __init do_copy(void)
66890 {
66891 if (count >= body_len) {
66892 - sys_write(wfd, victim, body_len);
66893 + sys_write(wfd, (__force char __user *)victim, body_len);
66894 sys_close(wfd);
66895 - do_utime(vcollected, mtime);
66896 + do_utime((__force char __user *)vcollected, mtime);
66897 kfree(vcollected);
66898 eat(body_len);
66899 state = SkipIt;
66900 return 0;
66901 } else {
66902 - sys_write(wfd, victim, count);
66903 + sys_write(wfd, (__force char __user *)victim, count);
66904 body_len -= count;
66905 eat(count);
66906 return 1;
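Review bot: Both `sys_write()` calls discard the return value, so a short or failed write while unpacking goes undetected and `eat()` advances as if every byte had been stored. Compare the result with the requested length, e.g. `if (sys_write(wfd, (__force char __user *)victim, count) != count)`, then report through the file's existing error path, and do the same in the `body_len` branch. A silently truncated file in the initial root filesystem is hard to diagnose afterwards.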
66907 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
66908 {
66909 collected[N_ALIGN(name_len) + body_len] = '\0';
66910 clean_path(collected, 0);
66911 - sys_symlink(collected + N_ALIGN(name_len), collected);
66912 - sys_lchown(collected, uid, gid);
66913 - do_utime(collected, mtime);
66914 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
66915 + sys_lchown((__force char __user *)collected, uid, gid);
66916 + do_utime((__force char __user *)collected, mtime);
66917 state = SkipIt;
66918 next_state = Reset;
66919 return 0;
66920 diff -urNp linux-2.6.39.3/init/Kconfig linux-2.6.39.3/init/Kconfig
66921 --- linux-2.6.39.3/init/Kconfig 2011-05-19 00:06:34.000000000 -0400
66922 +++ linux-2.6.39.3/init/Kconfig 2011-05-22 19:36:33.000000000 -0400
66923 @@ -1202,7 +1202,7 @@ config SLUB_DEBUG
66924
66925 config COMPAT_BRK
66926 bool "Disable heap randomization"
66927 - default y
66928 + default n
66929 help
66930 Randomizing heap placement makes heap exploits harder, but it
66931 also breaks ancient binaries (including anything libc5 based).
66932 diff -urNp linux-2.6.39.3/init/main.c linux-2.6.39.3/init/main.c
66933 --- linux-2.6.39.3/init/main.c 2011-06-03 00:04:14.000000000 -0400
66934 +++ linux-2.6.39.3/init/main.c 2011-06-03 00:32:08.000000000 -0400
66935 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
66936 extern void tc_init(void);
66937 #endif
66938
66939 +extern void grsecurity_init(void);
66940 +
66941 /*
66942 * Debug helper: via this flag we know that we are in 'early bootup code'
66943 * where only the boot processor is running with IRQ disabled. This means
66944 @@ -149,6 +151,49 @@ static int __init set_reset_devices(char
66945
66946 __setup("reset_devices", set_reset_devices);
66947
66948 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
66949 +extern char pax_enter_kernel_user[];
66950 +extern char pax_exit_kernel_user[];
66951 +extern pgdval_t clone_pgd_mask;
66952 +#endif
66953 +
66954 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
66955 +static int __init setup_pax_nouderef(char *str)
66956 +{
66957 +#ifdef CONFIG_X86_32
66958 + unsigned int cpu;
66959 + struct desc_struct *gdt;
66960 +
66961 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
66962 + gdt = get_cpu_gdt_table(cpu);
66963 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
66964 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
66965 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
66966 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
66967 + }
66968 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
66969 +#else
66970 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
66971 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
66972 + clone_pgd_mask = ~(pgdval_t)0UL;
66973 +#endif
66974 +
66975 + return 0;
66976 +}
66977 +early_param("pax_nouderef", setup_pax_nouderef);
66978 +#endif
66979 +
66980 +#ifdef CONFIG_PAX_SOFTMODE
66981 +unsigned int pax_softmode;
66982 +
66983 +static int __init setup_pax_softmode(char *str)
66984 +{
66985 + get_option(&str, &pax_softmode);
66986 + return 1;
66987 +}
66988 +__setup("pax_softmode=", setup_pax_softmode);
66989 +#endif
66990 +
66991 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
66992 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
66993 static const char *panic_later, *panic_param;
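Review bot: `setup_pax_nouderef` switches the UDEREF protection off from the kernel command line without writing anything to the boot log, so a system booted with `pax_nouderef` cannot be told apart from a protected one when auditing dmesg. A line such as `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` would make that visible. The constants `3`, `0xf` and `0xc3` are unexplained and each deserves a short comment; reading them as a descriptor type, a segment limit and a single-byte return opcode is an inference from the names here. In `setup_pax_softmode`, `pax_softmode` is `unsigned int` while `get_option()` takes an `int *`, and its return value is ignored, so a malformed `pax_softmode=` value is accepted silently.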
66994 @@ -663,6 +708,7 @@ int __init_or_module do_one_initcall(ini
66995 {
66996 int count = preempt_count();
66997 int ret;
66998 + const char *msg1 = "", *msg2 = "";
66999
67000 if (initcall_debug)
67001 ret = do_one_initcall_debug(fn);
67002 @@ -675,15 +721,15 @@ int __init_or_module do_one_initcall(ini
67003 sprintf(msgbuf, "error code %d ", ret);
67004
67005 if (preempt_count() != count) {
67006 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
67007 + msg1 = " preemption imbalance";
67008 preempt_count() = count;
67009 }
67010 if (irqs_disabled()) {
67011 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
67012 + msg2 = " disabled interrupts";
67013 local_irq_enable();
67014 }
67015 - if (msgbuf[0]) {
67016 - printk("initcall %pF returned with %s\n", fn, msgbuf);
67017 + if (msgbuf[0] || *msg1 || *msg2) {
67018 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
67019 }
67020
67021 return ret;
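Review bot: The new message pieces carry a leading space (`" preemption imbalance"`, `" disabled interrupts"`) while `msgbuf` still ends with a trailing one (`"error code %d "`) and the format is `"returned with %s%s%s"`, so the printed line contains a double space in most cases. Keeping the original trailing-space form, `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`, gives the same output as before the change. do_one_initcall starts outside this hunk.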
67022 @@ -801,7 +847,7 @@ static int __init kernel_init(void * unu
67023 do_basic_setup();
67024
67025 /* Open the /dev/console on the rootfs, this should never fail */
67026 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
67027 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
67028 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
67029
67030 (void) sys_dup(0);
67031 @@ -814,11 +860,13 @@ static int __init kernel_init(void * unu
67032 if (!ramdisk_execute_command)
67033 ramdisk_execute_command = "/init";
67034
67035 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
67036 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
67037 ramdisk_execute_command = NULL;
67038 prepare_namespace();
67039 }
67040
67041 + grsecurity_init();
67042 +
67043 /*
67044 * Ok, we have completed the initial bootup, and
67045 * we're essentially up and running. Get rid of the
67046 diff -urNp linux-2.6.39.3/ipc/mqueue.c linux-2.6.39.3/ipc/mqueue.c
67047 --- linux-2.6.39.3/ipc/mqueue.c 2011-05-19 00:06:34.000000000 -0400
67048 +++ linux-2.6.39.3/ipc/mqueue.c 2011-05-22 19:41:42.000000000 -0400
67049 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
67050 mq_bytes = (mq_msg_tblsz +
67051 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
67052
67053 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
67054 spin_lock(&mq_lock);
67055 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
67056 u->mq_bytes + mq_bytes >
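Review bot: The value handed to `gr_learn_resource()` is computed from `u->mq_bytes` before `mq_lock` is taken and before the wrap-around test on the following lines, so what gets recorded can be stale or already wrapped. If `gr_learn_resource()` may be called under a spinlock (not visible here), moving the call below `spin_lock(&mq_lock)` would make it see the same value the limit check uses. Otherwise a comment such as `/* unlocked read: value is advisory, used for learning only */` should state that the race is accepted. The enclosing function continues past this hunk.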
67057 diff -urNp linux-2.6.39.3/ipc/sem.c linux-2.6.39.3/ipc/sem.c
67058 --- linux-2.6.39.3/ipc/sem.c 2011-05-19 00:06:34.000000000 -0400
67059 +++ linux-2.6.39.3/ipc/sem.c 2011-05-22 19:36:33.000000000 -0400
67060 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
67061 int nsems;
67062 struct list_head tasks;
67063
67064 + pax_track_stack();
67065 +
67066 sma = sem_lock_check(ns, semid);
67067 if (IS_ERR(sma))
67068 return PTR_ERR(sma);
67069 @@ -1301,6 +1303,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
67070 struct ipc_namespace *ns;
67071 struct list_head tasks;
67072
67073 + pax_track_stack();
67074 +
67075 ns = current->nsproxy->ipc_ns;
67076
67077 if (nsops < 1 || semid < 0)
67078 diff -urNp linux-2.6.39.3/ipc/shm.c linux-2.6.39.3/ipc/shm.c
67079 --- linux-2.6.39.3/ipc/shm.c 2011-05-19 00:06:34.000000000 -0400
67080 +++ linux-2.6.39.3/ipc/shm.c 2011-05-22 19:41:42.000000000 -0400
67081 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
67082 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
67083 #endif
67084
67085 +#ifdef CONFIG_GRKERNSEC
67086 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67087 + const time_t shm_createtime, const uid_t cuid,
67088 + const int shmid);
67089 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67090 + const time_t shm_createtime);
67091 +#endif
67092 +
67093 void shm_init_ns(struct ipc_namespace *ns)
67094 {
67095 ns->shm_ctlmax = SHMMAX;
67096 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
67097 shp->shm_lprid = 0;
67098 shp->shm_atim = shp->shm_dtim = 0;
67099 shp->shm_ctim = get_seconds();
67100 +#ifdef CONFIG_GRKERNSEC
67101 + {
67102 + struct timespec timeval;
67103 + do_posix_clock_monotonic_gettime(&timeval);
67104 +
67105 + shp->shm_createtime = timeval.tv_sec;
67106 + }
67107 +#endif
67108 shp->shm_segsz = size;
67109 shp->shm_nattch = 0;
67110 shp->shm_file = file;
67111 @@ -762,8 +778,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
67112 case SHM_LOCK:
67113 case SHM_UNLOCK:
67114 {
67115 - struct file *uninitialized_var(shm_file);
67116 -
67117 lru_add_drain_all(); /* drain pagevecs to lru lists */
67118
67119 shp = shm_lock_check(ns, shmid);
67120 @@ -896,9 +910,21 @@ long do_shmat(int shmid, char __user *sh
67121 if (err)
67122 goto out_unlock;
67123
67124 +#ifdef CONFIG_GRKERNSEC
67125 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
67126 + shp->shm_perm.cuid, shmid) ||
67127 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
67128 + err = -EACCES;
67129 + goto out_unlock;
67130 + }
67131 +#endif
67132 +
67133 path = shp->shm_file->f_path;
67134 path_get(&path);
67135 shp->shm_nattch++;
67136 +#ifdef CONFIG_GRKERNSEC
67137 + shp->shm_lapid = current->pid;
67138 +#endif
67139 size = i_size_read(path.dentry->d_inode);
67140 shm_unlock(shp);
67141
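Review bot: `gr_handle_shmat()` and `gr_chroot_shmat()` are used as returning non-zero to allow and zero to deny, the reverse of the usual 0-on-success kernel convention, and neither the call site nor the `extern` declarations added at the top of the file say so. A comment such as `/* both hooks return non-zero to allow the attach, 0 to deny it */` above the `if` would guard against a later inversion of an access check. The prototypes would also be better taken from a shared header than repeated as `extern` in ipc/shm.c, so that the definitions are compiled against them. do_shmat starts and ends outside this hunk.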
67142 diff -urNp linux-2.6.39.3/kernel/acct.c linux-2.6.39.3/kernel/acct.c
67143 --- linux-2.6.39.3/kernel/acct.c 2011-05-19 00:06:34.000000000 -0400
67144 +++ linux-2.6.39.3/kernel/acct.c 2011-05-22 19:36:33.000000000 -0400
67145 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
67146 */
67147 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
67148 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
67149 - file->f_op->write(file, (char *)&ac,
67150 + file->f_op->write(file, (__force char __user *)&ac,
67151 sizeof(acct_t), &file->f_pos);
67152 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
67153 set_fs(fs);
67154 diff -urNp linux-2.6.39.3/kernel/audit.c linux-2.6.39.3/kernel/audit.c
67155 --- linux-2.6.39.3/kernel/audit.c 2011-05-19 00:06:34.000000000 -0400
67156 +++ linux-2.6.39.3/kernel/audit.c 2011-05-22 19:36:33.000000000 -0400
67157 @@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
67158 3) suppressed due to audit_rate_limit
67159 4) suppressed due to audit_backlog_limit
67160 */
67161 -static atomic_t audit_lost = ATOMIC_INIT(0);
67162 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
67163
67164 /* The netlink socket. */
67165 static struct sock *audit_sock;
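Review bot: `audit_lost` becomes `atomic_unchecked_t` with no comment on why it is exempt from overflow checking; the same holds for the `atomic_inc_unchecked`/`atomic_read_unchecked` hunks that follow and for `session_id` in kernel/auditsc.c. If the reason is that this is a statistics counter whose wrap-around is harmless (inferred, the patch does not say), a comment on the declaration such as `/* statistic only, may wrap: exempt from overflow checking */` would record the decision. For `session_id` the comment should additionally say that ids can repeat after a wrap, since that counter feeds audit records.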
67166 @@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
67167 unsigned long now;
67168 int print;
67169
67170 - atomic_inc(&audit_lost);
67171 + atomic_inc_unchecked(&audit_lost);
67172
67173 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
67174
67175 @@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
67176 printk(KERN_WARNING
67177 "audit: audit_lost=%d audit_rate_limit=%d "
67178 "audit_backlog_limit=%d\n",
67179 - atomic_read(&audit_lost),
67180 + atomic_read_unchecked(&audit_lost),
67181 audit_rate_limit,
67182 audit_backlog_limit);
67183 audit_panic(message);
67184 @@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
67185 status_set.pid = audit_pid;
67186 status_set.rate_limit = audit_rate_limit;
67187 status_set.backlog_limit = audit_backlog_limit;
67188 - status_set.lost = atomic_read(&audit_lost);
67189 + status_set.lost = atomic_read_unchecked(&audit_lost);
67190 status_set.backlog = skb_queue_len(&audit_skb_queue);
67191 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
67192 &status_set, sizeof(status_set));
67193 diff -urNp linux-2.6.39.3/kernel/auditsc.c linux-2.6.39.3/kernel/auditsc.c
67194 --- linux-2.6.39.3/kernel/auditsc.c 2011-05-19 00:06:34.000000000 -0400
67195 +++ linux-2.6.39.3/kernel/auditsc.c 2011-05-22 19:36:33.000000000 -0400
67196 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
67197 }
67198
67199 /* global counter which is incremented every time something logs in */
67200 -static atomic_t session_id = ATOMIC_INIT(0);
67201 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
67202
67203 /**
67204 * audit_set_loginuid - set a task's audit_context loginuid
67205 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
67206 */
67207 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
67208 {
67209 - unsigned int sessionid = atomic_inc_return(&session_id);
67210 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
67211 struct audit_context *context = task->audit_context;
67212
67213 if (context && context->in_syscall) {
67214 diff -urNp linux-2.6.39.3/kernel/capability.c linux-2.6.39.3/kernel/capability.c
67215 --- linux-2.6.39.3/kernel/capability.c 2011-05-19 00:06:34.000000000 -0400
67216 +++ linux-2.6.39.3/kernel/capability.c 2011-05-22 21:02:23.000000000 -0400
67217 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
67218 * before modification is attempted and the application
67219 * fails.
67220 */
67221 + if (tocopy > ARRAY_SIZE(kdata))
67222 + return -EFAULT;
67223 +
67224 if (copy_to_user(dataptr, kdata, tocopy
67225 * sizeof(struct __user_cap_data_struct))) {
67226 return -EFAULT;
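Review bot: The added `tocopy > ARRAY_SIZE(kdata)` guard has no comment of its own and sits directly under a comment block about something else, so its purpose, keeping `copy_to_user()` from reading past `kdata`, is easy to miss. A line such as `/* never copy more elements than kdata holds */` above the `if` would make it clear. Where `tocopy` is assigned is outside this hunk, so whether the condition can be reached at all cannot be judged from here.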
67227 @@ -378,7 +381,7 @@ bool ns_capable(struct user_namespace *n
67228 BUG();
67229 }
67230
67231 - if (security_capable(ns, current_cred(), cap) == 0) {
67232 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
67233 current->flags |= PF_SUPERPRIV;
67234 return true;
67235 }
67236 @@ -386,6 +389,27 @@ bool ns_capable(struct user_namespace *n
67237 }
67238 EXPORT_SYMBOL(ns_capable);
67239
67240 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
67241 +{
67242 + if (unlikely(!cap_valid(cap))) {
67243 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
67244 + BUG();
67245 + }
67246 +
67247 + if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
67248 + current->flags |= PF_SUPERPRIV;
67249 + return true;
67250 + }
67251 + return false;
67252 +}
67253 +EXPORT_SYMBOL(ns_capable_nolog);
67254 +
67255 +bool capable_nolog(int cap)
67256 +{
67257 + return ns_capable_nolog(&init_user_ns, cap);
67258 +}
67259 +EXPORT_SYMBOL(capable_nolog);
67260 +
67261 /**
67262 * task_ns_capable - Determine whether current task has a superior
67263 * capability targeted at a specific task's user namespace.
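Review bot: `ns_capable_nolog()` and `capable_nolog()`, and `task_ns_capable_nolog()` in the next hunk, are exported without the kernel-doc block the neighbouring functions have, so nothing tells a caller when a capability check that skips logging is acceptable. The copied message still names `capable()` and prints the `int cap` with `%u`; `printk(KERN_CRIT "ns_capable_nolog() called with invalid cap=%d\n", cap);` would be accurate. The body otherwise duplicates `ns_capable()` apart from the `gr_is_capable_nolog()` call, which a short comment should point out so that the two are kept in step.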
67264 @@ -400,6 +424,12 @@ bool task_ns_capable(struct task_struct
67265 }
67266 EXPORT_SYMBOL(task_ns_capable);
67267
67268 +bool task_ns_capable_nolog(struct task_struct *t, int cap)
67269 +{
67270 + return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
67271 +}
67272 +EXPORT_SYMBOL(task_ns_capable_nolog);
67273 +
67274 /**
67275 * nsown_capable - Check superior capability to one's own user_ns
67276 * @cap: The capability in question
67277 diff -urNp linux-2.6.39.3/kernel/cgroup.c linux-2.6.39.3/kernel/cgroup.c
67278 --- linux-2.6.39.3/kernel/cgroup.c 2011-05-19 00:06:34.000000000 -0400
67279 +++ linux-2.6.39.3/kernel/cgroup.c 2011-05-22 19:36:33.000000000 -0400
67280 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
67281 struct hlist_head *hhead;
67282 struct cg_cgroup_link *link;
67283
67284 + pax_track_stack();
67285 +
67286 /* First see if we already have a cgroup group that matches
67287 * the desired set */
67288 read_lock(&css_set_lock);
67289 diff -urNp linux-2.6.39.3/kernel/compat.c linux-2.6.39.3/kernel/compat.c
67290 --- linux-2.6.39.3/kernel/compat.c 2011-05-19 00:06:34.000000000 -0400
67291 +++ linux-2.6.39.3/kernel/compat.c 2011-05-22 19:41:42.000000000 -0400
67292 @@ -13,6 +13,7 @@
67293
67294 #include <linux/linkage.h>
67295 #include <linux/compat.h>
67296 +#include <linux/module.h>
67297 #include <linux/errno.h>
67298 #include <linux/time.h>
67299 #include <linux/signal.h>
67300 diff -urNp linux-2.6.39.3/kernel/configs.c linux-2.6.39.3/kernel/configs.c
67301 --- linux-2.6.39.3/kernel/configs.c 2011-05-19 00:06:34.000000000 -0400
67302 +++ linux-2.6.39.3/kernel/configs.c 2011-05-22 19:41:42.000000000 -0400
67303 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
67304 struct proc_dir_entry *entry;
67305
67306 /* create the current config file */
67307 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
67308 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
67309 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
67310 + &ikconfig_file_ops);
67311 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67312 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
67313 + &ikconfig_file_ops);
67314 +#endif
67315 +#else
67316 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
67317 &ikconfig_file_ops);
67318 +#endif
67319 +
67320 if (!entry)
67321 return -ENOMEM;
67322
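Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#if`/`#elif` emits no `proc_create()` call at all and `entry` is tested uninitialised in `if (!entry)`. Kconfig dependencies may exclude that combination, but they are not visible here. An inner `#else` holding `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` would turn the case into a build failure instead of undefined behaviour. ikconfig_init continues beyond the hunk.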
67323 diff -urNp linux-2.6.39.3/kernel/cred.c linux-2.6.39.3/kernel/cred.c
67324 --- linux-2.6.39.3/kernel/cred.c 2011-05-19 00:06:34.000000000 -0400
67325 +++ linux-2.6.39.3/kernel/cred.c 2011-05-22 19:41:42.000000000 -0400
67326 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
67327 */
67328 void __put_cred(struct cred *cred)
67329 {
67330 + pax_track_stack();
67331 +
67332 kdebug("__put_cred(%p{%d,%d})", cred,
67333 atomic_read(&cred->usage),
67334 read_cred_subscribers(cred));
67335 @@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
67336 {
67337 struct cred *cred;
67338
67339 + pax_track_stack();
67340 +
67341 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
67342 atomic_read(&tsk->cred->usage),
67343 read_cred_subscribers(tsk->cred));
67344 @@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
67345 {
67346 const struct cred *cred;
67347
67348 + pax_track_stack();
67349 +
67350 rcu_read_lock();
67351
67352 do {
67353 @@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
67354 {
67355 struct cred *new;
67356
67357 + pax_track_stack();
67358 +
67359 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
67360 if (!new)
67361 return NULL;
67362 @@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
67363 const struct cred *old;
67364 struct cred *new;
67365
67366 + pax_track_stack();
67367 +
67368 validate_process_creds();
67369
67370 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67371 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
67372 struct thread_group_cred *tgcred = NULL;
67373 struct cred *new;
67374
67375 + pax_track_stack();
67376 +
67377 #ifdef CONFIG_KEYS
67378 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
67379 if (!tgcred)
67380 @@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
67381 struct cred *new;
67382 int ret;
67383
67384 + pax_track_stack();
67385 +
67386 if (
67387 #ifdef CONFIG_KEYS
67388 !p->cred->thread_keyring &&
67389 @@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
67390 struct task_struct *task = current;
67391 const struct cred *old = task->real_cred;
67392
67393 + pax_track_stack();
67394 +
67395 kdebug("commit_creds(%p{%d,%d})", new,
67396 atomic_read(&new->usage),
67397 read_cred_subscribers(new));
67398 @@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
67399
67400 get_cred(new); /* we will require a ref for the subj creds too */
67401
67402 + gr_set_role_label(task, new->uid, new->gid);
67403 +
67404 /* dumpability changes */
67405 if (old->euid != new->euid ||
67406 old->egid != new->egid ||
67407 @@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
67408 */
67409 void abort_creds(struct cred *new)
67410 {
67411 + pax_track_stack();
67412 +
67413 kdebug("abort_creds(%p{%d,%d})", new,
67414 atomic_read(&new->usage),
67415 read_cred_subscribers(new));
67416 @@ -574,6 +594,8 @@ const struct cred *override_creds(const
67417 {
67418 const struct cred *old = current->cred;
67419
67420 + pax_track_stack();
67421 +
67422 kdebug("override_creds(%p{%d,%d})", new,
67423 atomic_read(&new->usage),
67424 read_cred_subscribers(new));
67425 @@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
67426 {
67427 const struct cred *override = current->cred;
67428
67429 + pax_track_stack();
67430 +
67431 kdebug("revert_creds(%p{%d,%d})", old,
67432 atomic_read(&old->usage),
67433 read_cred_subscribers(old));
67434 @@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
67435 const struct cred *old;
67436 struct cred *new;
67437
67438 + pax_track_stack();
67439 +
67440 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
67441 if (!new)
67442 return NULL;
67443 @@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
67444 */
67445 int set_security_override(struct cred *new, u32 secid)
67446 {
67447 + pax_track_stack();
67448 +
67449 return security_kernel_act_as(new, secid);
67450 }
67451 EXPORT_SYMBOL(set_security_override);
67452 @@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
67453 u32 secid;
67454 int ret;
67455
67456 + pax_track_stack();
67457 +
67458 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
67459 if (ret < 0)
67460 return ret;
67461 diff -urNp linux-2.6.39.3/kernel/debug/debug_core.c linux-2.6.39.3/kernel/debug/debug_core.c
67462 --- linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-19 00:06:34.000000000 -0400
67463 +++ linux-2.6.39.3/kernel/debug/debug_core.c 2011-05-22 19:36:33.000000000 -0400
67464 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
67465 /* Guard for recursive entry */
67466 static int exception_level;
67467
67468 -struct kgdb_io *dbg_io_ops;
67469 +const struct kgdb_io *dbg_io_ops;
67470 static DEFINE_SPINLOCK(kgdb_registration_lock);
67471
67472 /* kgdb console driver is loaded */
67473 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
67474 */
67475 static atomic_t masters_in_kgdb;
67476 static atomic_t slaves_in_kgdb;
67477 -static atomic_t kgdb_break_tasklet_var;
67478 +static atomic_unchecked_t kgdb_break_tasklet_var;
67479 atomic_t kgdb_setting_breakpoint;
67480
67481 struct task_struct *kgdb_usethread;
67482 @@ -129,7 +129,7 @@ int kgdb_single_step;
67483 static pid_t kgdb_sstep_pid;
67484
67485 /* to keep track of the CPU which is doing the single stepping*/
67486 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67487 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
67488
67489 /*
67490 * If you are debugging a problem where roundup (the collection of
67491 @@ -542,7 +542,7 @@ return_normal:
67492 * kernel will only try for the value of sstep_tries before
67493 * giving up and continuing on.
67494 */
67495 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
67496 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
67497 (kgdb_info[cpu].task &&
67498 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
67499 atomic_set(&kgdb_active, -1);
67500 @@ -636,8 +636,8 @@ cpu_master_loop:
67501 }
67502
67503 kgdb_restore:
67504 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
67505 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
67506 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
67507 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
67508 if (kgdb_info[sstep_cpu].task)
67509 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
67510 else
67511 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
67512 static void kgdb_tasklet_bpt(unsigned long ing)
67513 {
67514 kgdb_breakpoint();
67515 - atomic_set(&kgdb_break_tasklet_var, 0);
67516 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
67517 }
67518
67519 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
67520
67521 void kgdb_schedule_breakpoint(void)
67522 {
67523 - if (atomic_read(&kgdb_break_tasklet_var) ||
67524 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
67525 atomic_read(&kgdb_active) != -1 ||
67526 atomic_read(&kgdb_setting_breakpoint))
67527 return;
67528 - atomic_inc(&kgdb_break_tasklet_var);
67529 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
67530 tasklet_schedule(&kgdb_tasklet_breakpoint);
67531 }
67532 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
67533 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
67534 *
67535 * Register it with the KGDB core.
67536 */
67537 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
67538 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
67539 {
67540 int err;
67541
67542 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
67543 *
67544 * Unregister it with the KGDB core.
67545 */
67546 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
67547 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
67548 {
67549 BUG_ON(kgdb_connected);
67550
67551 diff -urNp linux-2.6.39.3/kernel/debug/kdb/kdb_main.c linux-2.6.39.3/kernel/debug/kdb/kdb_main.c
67552 --- linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-19 00:06:34.000000000 -0400
67553 +++ linux-2.6.39.3/kernel/debug/kdb/kdb_main.c 2011-05-22 19:36:33.000000000 -0400
67554 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
67555 list_for_each_entry(mod, kdb_modules, list) {
67556
67557 kdb_printf("%-20s%8u 0x%p ", mod->name,
67558 - mod->core_size, (void *)mod);
67559 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
67560 #ifdef CONFIG_MODULE_UNLOAD
67561 kdb_printf("%4d ", module_refcount(mod));
67562 #endif
67563 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
67564 kdb_printf(" (Loading)");
67565 else
67566 kdb_printf(" (Live)");
67567 - kdb_printf(" 0x%p", mod->module_core);
67568 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67569
67570 #ifdef CONFIG_MODULE_UNLOAD
67571 {
67572 diff -urNp linux-2.6.39.3/kernel/exit.c linux-2.6.39.3/kernel/exit.c
67573 --- linux-2.6.39.3/kernel/exit.c 2011-05-19 00:06:34.000000000 -0400
67574 +++ linux-2.6.39.3/kernel/exit.c 2011-05-22 20:02:30.000000000 -0400
67575 @@ -57,6 +57,10 @@
67576 #include <asm/pgtable.h>
67577 #include <asm/mmu_context.h>
67578
67579 +#ifdef CONFIG_GRKERNSEC
67580 +extern rwlock_t grsec_exec_file_lock;
67581 +#endif
67582 +
67583 static void exit_mm(struct task_struct * tsk);
67584
67585 static void __unhash_process(struct task_struct *p, bool group_dead)
67586 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
67587 struct task_struct *leader;
67588 int zap_leader;
67589 repeat:
67590 + gr_del_task_from_ip_table(p);
67591 +
67592 tracehook_prepare_release_task(p);
67593 /* don't need to get the RCU readlock here - the process is dead and
67594 * can't be modifying its own credentials. But shut RCU-lockdep up */
67595 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
67596 {
67597 write_lock_irq(&tasklist_lock);
67598
67599 +#ifdef CONFIG_GRKERNSEC
67600 + write_lock(&grsec_exec_file_lock);
67601 + if (current->exec_file) {
67602 + fput(current->exec_file);
67603 + current->exec_file = NULL;
67604 + }
67605 + write_unlock(&grsec_exec_file_lock);
67606 +#endif
67607 +
67608 ptrace_unlink(current);
67609 /* Reparent to init */
67610 current->real_parent = current->parent = kthreadd_task;
67611 list_move_tail(&current->sibling, &current->real_parent->children);
67612
67613 + gr_set_kernel_label(current);
67614 +
67615 /* Set the exit signal to SIGCHLD so we signal init on exit */
67616 current->exit_signal = SIGCHLD;
67617
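Review bot: `fput(current->exec_file)` is called while `grsec_exec_file_lock` is write-held and, in reparent_to_kthreadd, also inside the `write_lock_irq(&tasklist_lock)` section; if this drops the last reference, the file release path runs in atomic context, where it is not allowed to sleep. The same block is repeated in the daemonize hunk below, there under `grsec_exec_file_lock` only. Detaching the pointer under the lock and calling `fput()` after the locks are released avoids this; in reparent_to_kthreadd that means after the `tasklist_lock` release, which lies outside this hunk. The duplicated block would also be better as one small helper shared by both callers.

```c
#ifdef CONFIG_GRKERNSEC
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;	/* struct file *exec_file, declared at function top */
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label … */
	/* once tasklist_lock has been released (outside this hunk): */
	if (exec_file)
		fput(exec_file);
```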
67618 @@ -394,7 +411,7 @@ int allow_signal(int sig)
67619 * know it'll be handled, so that they don't get converted to
67620 * SIGKILL or just silently dropped.
67621 */
67622 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
67623 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
67624 recalc_sigpending();
67625 spin_unlock_irq(&current->sighand->siglock);
67626 return 0;
67627 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
67628 vsnprintf(current->comm, sizeof(current->comm), name, args);
67629 va_end(args);
67630
67631 +#ifdef CONFIG_GRKERNSEC
67632 + write_lock(&grsec_exec_file_lock);
67633 + if (current->exec_file) {
67634 + fput(current->exec_file);
67635 + current->exec_file = NULL;
67636 + }
67637 + write_unlock(&grsec_exec_file_lock);
67638 +#endif
67639 +
67640 + gr_set_kernel_label(current);
67641 +
67642 /*
67643 * If we were started as result of loading a module, close all of the
67644 * user space pages. We don't need them, and if we didn't close them
67645 @@ -905,15 +933,8 @@ NORET_TYPE void do_exit(long code)
67646 struct task_struct *tsk = current;
67647 int group_dead;
67648
67649 - profile_task_exit(tsk);
67650 -
67651 - WARN_ON(atomic_read(&tsk->fs_excl));
67652 - WARN_ON(blk_needs_flush_plug(tsk));
67653 -
67654 if (unlikely(in_interrupt()))
67655 panic("Aiee, killing interrupt handler!");
67656 - if (unlikely(!tsk->pid))
67657 - panic("Attempted to kill the idle task!");
67658
67659 /*
67660 * If do_exit is called because this processes oopsed, it's possible
67661 @@ -924,6 +945,14 @@ NORET_TYPE void do_exit(long code)
67662 */
67663 set_fs(USER_DS);
67664
67665 + profile_task_exit(tsk);
67666 +
67667 + WARN_ON(atomic_read(&tsk->fs_excl));
67668 + WARN_ON(blk_needs_flush_plug(tsk));
67669 +
67670 + if (unlikely(!tsk->pid))
67671 + panic("Attempted to kill the idle task!");
67672 +
67673 tracehook_report_exit(&code);
67674
67675 validate_creds_for_do_exit(tsk);
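Review bot: The move of `profile_task_exit()`, the two `WARN_ON`s and the idle-task `panic()` to below `set_fs(USER_DS)` carries no comment, so the new order looks accidental and a later cleanup could undo it. If the intent is that the address limit is reset before any other exit-path code runs (inferred from the existing comment above `set_fs`), say so, for example `/* reset the address limit first: the calls below may run after an oops with KERNEL_DS still set */`. do_exit starts and ends outside this hunk.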
67676 @@ -984,6 +1013,9 @@ NORET_TYPE void do_exit(long code)
67677 tsk->exit_code = code;
67678 taskstats_exit(tsk, group_dead);
67679
67680 + gr_acl_handle_psacct(tsk, code);
67681 + gr_acl_handle_exit();
67682 +
67683 exit_mm(tsk);
67684
67685 if (group_dead)
67686 diff -urNp linux-2.6.39.3/kernel/fork.c linux-2.6.39.3/kernel/fork.c
67687 --- linux-2.6.39.3/kernel/fork.c 2011-05-19 00:06:34.000000000 -0400
67688 +++ linux-2.6.39.3/kernel/fork.c 2011-05-22 19:41:42.000000000 -0400
67689 @@ -287,7 +287,7 @@ static struct task_struct *dup_task_stru
67690 *stackend = STACK_END_MAGIC; /* for overflow detection */
67691
67692 #ifdef CONFIG_CC_STACKPROTECTOR
67693 - tsk->stack_canary = get_random_int();
67694 + tsk->stack_canary = pax_get_random_long();
67695 #endif
67696
67697 /* One for us, one for whoever does the "release_task()" (usually parent) */
67698 @@ -309,13 +309,78 @@ out:
67699 }
67700
67701 #ifdef CONFIG_MMU
67702 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
67703 +{
67704 + struct vm_area_struct *tmp;
67705 + unsigned long charge;
67706 + struct mempolicy *pol;
67707 + struct file *file;
67708 +
67709 + charge = 0;
67710 + if (mpnt->vm_flags & VM_ACCOUNT) {
67711 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67712 + if (security_vm_enough_memory(len))
67713 + goto fail_nomem;
67714 + charge = len;
67715 + }
67716 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67717 + if (!tmp)
67718 + goto fail_nomem;
67719 + *tmp = *mpnt;
67720 + tmp->vm_mm = mm;
67721 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
67722 + pol = mpol_dup(vma_policy(mpnt));
67723 + if (IS_ERR(pol))
67724 + goto fail_nomem_policy;
67725 + vma_set_policy(tmp, pol);
67726 + if (anon_vma_fork(tmp, mpnt))
67727 + goto fail_nomem_anon_vma_fork;
67728 + tmp->vm_flags &= ~VM_LOCKED;
67729 + tmp->vm_next = tmp->vm_prev = NULL;
67730 + tmp->vm_mirror = NULL;
67731 + file = tmp->vm_file;
67732 + if (file) {
67733 + struct inode *inode = file->f_path.dentry->d_inode;
67734 + struct address_space *mapping = file->f_mapping;
67735 +
67736 + get_file(file);
67737 + if (tmp->vm_flags & VM_DENYWRITE)
67738 + atomic_dec(&inode->i_writecount);
67739 + spin_lock(&mapping->i_mmap_lock);
67740 + if (tmp->vm_flags & VM_SHARED)
67741 + mapping->i_mmap_writable++;
67742 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
67743 + flush_dcache_mmap_lock(mapping);
67744 + /* insert tmp into the share list, just after mpnt */
67745 + vma_prio_tree_add(tmp, mpnt);
67746 + flush_dcache_mmap_unlock(mapping);
67747 + spin_unlock(&mapping->i_mmap_lock);
67748 + }
67749 +
67750 + /*
67751 + * Clear hugetlb-related page reserves for children. This only
67752 + * affects MAP_PRIVATE mappings. Faults generated by the child
67753 + * are not guaranteed to succeed, even if read-only
67754 + */
67755 + if (is_vm_hugetlb_page(tmp))
67756 + reset_vma_resv_huge_pages(tmp);
67757 +
67758 + return tmp;
67759 +
67760 +fail_nomem_anon_vma_fork:
67761 + mpol_put(pol);
67762 +fail_nomem_policy:
67763 + kmem_cache_free(vm_area_cachep, tmp);
67764 +fail_nomem:
67765 + vm_unacct_memory(charge);
67766 + return NULL;
67767 +}
67768 +
67769 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
67770 {
67771 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
67772 struct rb_node **rb_link, *rb_parent;
67773 int retval;
67774 - unsigned long charge;
67775 - struct mempolicy *pol;
67776
67777 down_write(&oldmm->mmap_sem);
67778 flush_cache_dup_mm(oldmm);
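Review bot: `dup_vma()` keeps `unsigned int len` for the page count although `mpnt->vm_end - mpnt->vm_start` is `unsigned long` and the result is stored in `unsigned long charge`; `unsigned long len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;` avoids truncating the accounted size for very large mappings. The new helper also has no header comment. It should state that NULL is returned for every failure, including a `mpol_dup()` error, and that on success the function has already taken a file reference and linked `tmp` into the mapping's prio tree, which matters to a caller that fails afterwards. The setting of `tmp->vm_mirror = NULL` is new relative to the removed code and deserves a line saying why a child starts without a mirror.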
67779 @@ -327,8 +392,8 @@ static int dup_mmap(struct mm_struct *mm
67780 mm->locked_vm = 0;
67781 mm->mmap = NULL;
67782 mm->mmap_cache = NULL;
67783 - mm->free_area_cache = oldmm->mmap_base;
67784 - mm->cached_hole_size = ~0UL;
67785 + mm->free_area_cache = oldmm->free_area_cache;
67786 + mm->cached_hole_size = oldmm->cached_hole_size;
67787 mm->map_count = 0;
67788 cpumask_clear(mm_cpumask(mm));
67789 mm->mm_rb = RB_ROOT;
67790 @@ -344,8 +409,6 @@ static int dup_mmap(struct mm_struct *mm
67791
67792 prev = NULL;
67793 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
67794 - struct file *file;
67795 -
67796 if (mpnt->vm_flags & VM_DONTCOPY) {
67797 long pages = vma_pages(mpnt);
67798 mm->total_vm -= pages;
67799 @@ -353,56 +416,13 @@ static int dup_mmap(struct mm_struct *mm
67800 -pages);
67801 continue;
67802 }
67803 - charge = 0;
67804 - if (mpnt->vm_flags & VM_ACCOUNT) {
67805 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
67806 - if (security_vm_enough_memory(len))
67807 - goto fail_nomem;
67808 - charge = len;
67809 - }
67810 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
67811 - if (!tmp)
67812 - goto fail_nomem;
67813 - *tmp = *mpnt;
67814 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
67815 - pol = mpol_dup(vma_policy(mpnt));
67816 - retval = PTR_ERR(pol);
67817 - if (IS_ERR(pol))
67818 - goto fail_nomem_policy;
67819 - vma_set_policy(tmp, pol);
67820 - tmp->vm_mm = mm;
67821 - if (anon_vma_fork(tmp, mpnt))
67822 - goto fail_nomem_anon_vma_fork;
67823 - tmp->vm_flags &= ~VM_LOCKED;
67824 - tmp->vm_next = tmp->vm_prev = NULL;
67825 - file = tmp->vm_file;
67826 - if (file) {
67827 - struct inode *inode = file->f_path.dentry->d_inode;
67828 - struct address_space *mapping = file->f_mapping;
67829 -
67830 - get_file(file);
67831 - if (tmp->vm_flags & VM_DENYWRITE)
67832 - atomic_dec(&inode->i_writecount);
67833 - spin_lock(&mapping->i_mmap_lock);
67834 - if (tmp->vm_flags & VM_SHARED)
67835 - mapping->i_mmap_writable++;
67836 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
67837 - flush_dcache_mmap_lock(mapping);
67838 - /* insert tmp into the share list, just after mpnt */
67839 - vma_prio_tree_add(tmp, mpnt);
67840 - flush_dcache_mmap_unlock(mapping);
67841 - spin_unlock(&mapping->i_mmap_lock);
67842 + tmp = dup_vma(mm, mpnt);
67843 + if (!tmp) {
67844 + retval = -ENOMEM;
67845 + goto out;
67846 }
67847
67848 /*
67849 - * Clear hugetlb-related page reserves for children. This only
67850 - * affects MAP_PRIVATE mappings. Faults generated by the child
67851 - * are not guaranteed to succeed, even if read-only
67852 - */
67853 - if (is_vm_hugetlb_page(tmp))
67854 - reset_vma_resv_huge_pages(tmp);
67855 -
67856 - /*
67857 * Link in the new vma and copy the page table entries.
67858 */
67859 *pprev = tmp;
67860 @@ -423,6 +443,31 @@ static int dup_mmap(struct mm_struct *mm
67861 if (retval)
67862 goto out;
67863 }
67864 +
67865 +#ifdef CONFIG_PAX_SEGMEXEC
67866 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
67867 + struct vm_area_struct *mpnt_m;
67868 +
67869 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
67870 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
67871 +
67872 + if (!mpnt->vm_mirror)
67873 + continue;
67874 +
67875 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
67876 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
67877 + mpnt->vm_mirror = mpnt_m;
67878 + } else {
67879 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
67880 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
67881 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
67882 + mpnt->vm_mirror->vm_mirror = mpnt;
67883 + }
67884 + }
67885 + BUG_ON(mpnt_m);
67886 + }
67887 +#endif
67888 +
67889 /* a new mm has just been created */
67890 arch_dup_mmap(oldmm, mm);
67891 retval = 0;
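Review bot: The SEGMEXEC fix-up loop added here walks `oldmm->mmap` and `mm->mmap` in lockstep, but the copy loop earlier in dup_mmap skips every vma with `VM_DONTCOPY`, so the two lists are not guaranteed to pair up one-to-one. If a SEGMEXEC task can hold a `VM_DONTCOPY` mapping, the pairing drifts and the first `BUG_ON` would fire during fork; nothing in this hunk shows that the combination is excluded elsewhere. Either skip such vmas on the old side without advancing `mpnt_m`, or add a comment above the loop stating why the lists are known to match. dup_mmap starts and ends outside this hunk.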
67892 @@ -431,14 +476,6 @@ out:
67893 flush_tlb_mm(oldmm);
67894 up_write(&oldmm->mmap_sem);
67895 return retval;
67896 -fail_nomem_anon_vma_fork:
67897 - mpol_put(pol);
67898 -fail_nomem_policy:
67899 - kmem_cache_free(vm_area_cachep, tmp);
67900 -fail_nomem:
67901 - retval = -ENOMEM;
67902 - vm_unacct_memory(charge);
67903 - goto out;
67904 }
67905
67906 static inline int mm_alloc_pgd(struct mm_struct * mm)
67907 @@ -785,13 +822,14 @@ static int copy_fs(unsigned long clone_f
67908 spin_unlock(&fs->lock);
67909 return -EAGAIN;
67910 }
67911 - fs->users++;
67912 + atomic_inc(&fs->users);
67913 spin_unlock(&fs->lock);
67914 return 0;
67915 }
67916 tsk->fs = copy_fs_struct(fs);
67917 if (!tsk->fs)
67918 return -ENOMEM;
67919 + gr_set_chroot_entries(tsk, &tsk->fs->root);
67920 return 0;
67921 }
67922
67923 @@ -1049,10 +1087,13 @@ static struct task_struct *copy_process(
67924 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
67925 #endif
67926 retval = -EAGAIN;
67927 +
67928 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
67929 +
67930 if (atomic_read(&p->real_cred->user->processes) >=
67931 task_rlimit(p, RLIMIT_NPROC)) {
67932 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
67933 - p->real_cred->user != INIT_USER)
67934 + if (p->real_cred->user != INIT_USER &&
67935 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
67936 goto bad_fork_free;
67937 }
67938
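Review bot: The reordered RLIMIT_NPROC condition needs a comment, because it looks cosmetic but changes when `capable()` runs: testing `p->real_cred->user != INIT_USER` first means the capability checks are made only when their answer matters. Presumably that is the intent, since `capable()` is not a pure predicate (it records privilege use and may be logged), so confirm and say so, e.g. `/* test INIT_USER first: capable() has side effects and should not run needlessly */`. Separately, `gr_learn_resource()` does its own `atomic_read()` of `user->processes` just before the limit check reads it again, so the learned and enforced values can differ under concurrent forks; one local read would keep them consistent. copy_process continues outside this hunk.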
67939 @@ -1200,6 +1241,8 @@ static struct task_struct *copy_process(
67940 goto bad_fork_free_pid;
67941 }
67942
67943 + gr_copy_label(p);
67944 +
67945 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
67946 /*
67947 * Clear TID on mm_release()?
67948 @@ -1360,6 +1403,8 @@ bad_fork_cleanup_count:
67949 bad_fork_free:
67950 free_task(p);
67951 fork_out:
67952 + gr_log_forkfail(retval);
67953 +
67954 return ERR_PTR(retval);
67955 }
67956
67957 @@ -1448,6 +1493,8 @@ long do_fork(unsigned long clone_flags,
67958 if (clone_flags & CLONE_PARENT_SETTID)
67959 put_user(nr, parent_tidptr);
67960
67961 + gr_handle_brute_check();
67962 +
67963 if (clone_flags & CLONE_VFORK) {
67964 p->vfork_done = &vfork;
67965 init_completion(&vfork);
67966 @@ -1549,7 +1596,7 @@ static int unshare_fs(unsigned long unsh
67967 return 0;
67968
67969 /* don't need lock here; in the worst case we'll do useless copy */
67970 - if (fs->users == 1)
67971 + if (atomic_read(&fs->users) == 1)
67972 return 0;
67973
67974 *new_fsp = copy_fs_struct(fs);
67975 @@ -1636,7 +1683,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
67976 fs = current->fs;
67977 spin_lock(&fs->lock);
67978 current->fs = new_fs;
67979 - if (--fs->users)
67980 + gr_set_chroot_entries(current, &current->fs->root);
67981 + if (atomic_dec_return(&fs->users))
67982 new_fs = NULL;
67983 else
67984 new_fs = fs;
67985 diff -urNp linux-2.6.39.3/kernel/futex.c linux-2.6.39.3/kernel/futex.c
67986 --- linux-2.6.39.3/kernel/futex.c 2011-05-19 00:06:34.000000000 -0400
67987 +++ linux-2.6.39.3/kernel/futex.c 2011-05-22 22:41:57.000000000 -0400
67988 @@ -54,6 +54,7 @@
67989 #include <linux/mount.h>
67990 #include <linux/pagemap.h>
67991 #include <linux/syscalls.h>
67992 +#include <linux/ptrace.h>
67993 #include <linux/signal.h>
67994 #include <linux/module.h>
67995 #include <linux/magic.h>
67996 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
67997 struct page *page, *page_head;
67998 int err;
67999
68000 +#ifdef CONFIG_PAX_SEGMEXEC
68001 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
68002 + return -EFAULT;
68003 +#endif
68004 +
68005 /*
68006 * The futex address must be "naturally" aligned.
68007 */
68008 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
68009 struct futex_q q = futex_q_init;
68010 int ret;
68011
68012 + pax_track_stack();
68013 +
68014 if (!bitset)
68015 return -EINVAL;
68016 q.bitset = bitset;
68017 @@ -2229,6 +2237,8 @@ static int futex_wait_requeue_pi(u32 __u
68018 struct futex_q q = futex_q_init;
68019 int res, ret;
68020
68021 + pax_track_stack();
68022 +
68023 if (!bitset)
68024 return -EINVAL;
68025
68026 @@ -2401,7 +2411,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68027 {
68028 struct robust_list_head __user *head;
68029 unsigned long ret;
68030 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68031 const struct cred *cred = current_cred(), *pcred;
68032 +#endif
68033
68034 if (!futex_cmpxchg_enabled)
68035 return -ENOSYS;
68036 @@ -2417,6 +2429,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68037 if (!p)
68038 goto err_unlock;
68039 ret = -EPERM;
68040 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68041 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68042 + goto err_unlock;
68043 +#else
68044 pcred = __task_cred(p);
68045 /* If victim is in different user_ns, then uids are not
68046 comparable, so we must have CAP_SYS_PTRACE */
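Review bot: The `CONFIG_GRKERNSEC_PROC_MEMMAP` branch added here has no comment explaining why a /proc hardening option governs a futex syscall. The value handed back is `p->robust_list`, a pointer into the target's address space, so it is presumably treated as an address-layout disclosure and gated by `ptrace_may_access(p, PTRACE_MODE_READ)` for that reason; a line such as `/* robust_list is an address in p's mm: require ptrace read access */` would record it. The same block is repeated in compat_sys_get_robust_list in kernel/futex_compat.c, and a shared helper would keep the two checks from drifting apart. The syscall body starts and ends outside this hunk.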
68047 @@ -2431,6 +2447,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68048 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68049 goto err_unlock;
68050 ok:
68051 +#endif
68052 head = p->robust_list;
68053 rcu_read_unlock();
68054 }
68055 @@ -2682,6 +2699,7 @@ static int __init futex_init(void)
68056 {
68057 u32 curval;
68058 int i;
68059 + mm_segment_t oldfs;
68060
68061 /*
68062 * This will fail and we want it. Some arch implementations do
68063 @@ -2693,8 +2711,11 @@ static int __init futex_init(void)
68064 * implementation, the non-functional ones will return
68065 * -ENOSYS.
68066 */
68067 + oldfs = get_fs();
68068 + set_fs(USER_DS);
68069 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
68070 futex_cmpxchg_enabled = 1;
68071 + set_fs(oldfs);
68072
68073 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
68074 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
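Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair wrapped around the probe is unexplained, and the existing comment only says the call "will fail and we want it". The added lines suggest that the NULL access must be made under the user address limit for the expected `-EFAULT` to be produced at boot, but that is inferred from the change, not stated. A comment such as `/* probe under USER_DS so the NULL access is handled as a user fault */` would tell the next reader why the address limit is switched here and that it must be restored before the loop that follows.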
68075 diff -urNp linux-2.6.39.3/kernel/futex_compat.c linux-2.6.39.3/kernel/futex_compat.c
68076 --- linux-2.6.39.3/kernel/futex_compat.c 2011-05-19 00:06:34.000000000 -0400
68077 +++ linux-2.6.39.3/kernel/futex_compat.c 2011-05-22 22:42:09.000000000 -0400
68078 @@ -10,6 +10,7 @@
68079 #include <linux/compat.h>
68080 #include <linux/nsproxy.h>
68081 #include <linux/futex.h>
68082 +#include <linux/ptrace.h>
68083
68084 #include <asm/uaccess.h>
68085
68086 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
68087 {
68088 struct compat_robust_list_head __user *head;
68089 unsigned long ret;
68090 - const struct cred *cred = current_cred(), *pcred;
68091 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68092 + const struct cred *cred = current_cred();
68093 + const struct cred *pcred;
68094 +#endif
68095
68096 if (!futex_cmpxchg_enabled)
68097 return -ENOSYS;
68098 @@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
68099 if (!p)
68100 goto err_unlock;
68101 ret = -EPERM;
68102 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68103 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68104 + goto err_unlock;
68105 +#else
68106 pcred = __task_cred(p);
68107 /* If victim is in different user_ns, then uids are not
68108 comparable, so we must have CAP_SYS_PTRACE */
68109 @@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
68110 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
68111 goto err_unlock;
68112 ok:
68113 +#endif
68114 head = p->compat_robust_list;
68115 rcu_read_unlock();
68116 }
68117 diff -urNp linux-2.6.39.3/kernel/gcov/base.c linux-2.6.39.3/kernel/gcov/base.c
68118 --- linux-2.6.39.3/kernel/gcov/base.c 2011-05-19 00:06:34.000000000 -0400
68119 +++ linux-2.6.39.3/kernel/gcov/base.c 2011-05-22 19:36:33.000000000 -0400
68120 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
68121 }
68122
68123 #ifdef CONFIG_MODULES
68124 -static inline int within(void *addr, void *start, unsigned long size)
68125 -{
68126 - return ((addr >= start) && (addr < start + size));
68127 -}
68128 -
68129 /* Update list and generate events when modules are unloaded. */
68130 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
68131 void *data)
68132 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
68133 prev = NULL;
68134 /* Remove entries located in module from linked list. */
68135 for (info = gcov_info_head; info; info = info->next) {
68136 - if (within(info, mod->module_core, mod->core_size)) {
68137 + if (within_module_core_rw((unsigned long)info, mod)) {
68138 if (prev)
68139 prev->next = info->next;
68140 else
68141 diff -urNp linux-2.6.39.3/kernel/hrtimer.c linux-2.6.39.3/kernel/hrtimer.c
68142 --- linux-2.6.39.3/kernel/hrtimer.c 2011-05-19 00:06:34.000000000 -0400
68143 +++ linux-2.6.39.3/kernel/hrtimer.c 2011-05-22 19:36:33.000000000 -0400
68144 @@ -1383,7 +1383,7 @@ void hrtimer_peek_ahead_timers(void)
68145 local_irq_restore(flags);
68146 }
68147
68148 -static void run_hrtimer_softirq(struct softirq_action *h)
68149 +static void run_hrtimer_softirq(void)
68150 {
68151 hrtimer_peek_ahead_timers();
68152 }
68153 diff -urNp linux-2.6.39.3/kernel/irq/manage.c linux-2.6.39.3/kernel/irq/manage.c
68154 --- linux-2.6.39.3/kernel/irq/manage.c 2011-05-19 00:06:34.000000000 -0400
68155 +++ linux-2.6.39.3/kernel/irq/manage.c 2011-06-13 17:09:06.000000000 -0400
68156 @@ -491,6 +491,9 @@ int irq_set_irq_wake(unsigned int irq, u
68157 struct irq_desc *desc = irq_get_desc_buslock(irq, &flags);
68158 int ret = 0;
68159
68160 + if (!desc)
68161 + return -EINVAL;
68162 +
68163 /* wakeup-capable irqs can be shared between drivers that
68164 * don't need to have the same sleep mode behaviors.
68165 */
68166 diff -urNp linux-2.6.39.3/kernel/jump_label.c linux-2.6.39.3/kernel/jump_label.c
68167 --- linux-2.6.39.3/kernel/jump_label.c 2011-05-19 00:06:34.000000000 -0400
68168 +++ linux-2.6.39.3/kernel/jump_label.c 2011-05-22 19:36:33.000000000 -0400
68169 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
68170 mutex_unlock(&jump_label_mutex);
68171 }
68172
68173 +static void jump_label_swap(void *a, void *b, int size)
68174 +{
68175 + struct jump_entry t;
68176 +
68177 + t = *(struct jump_entry *)a;
68178 + pax_open_kernel();
68179 + *(struct jump_entry *)a = *(struct jump_entry *)b;
68180 + *(struct jump_entry *)b = t;
68181 + pax_close_kernel();
68182 +}
68183 +
68184 static int jump_label_cmp(const void *a, const void *b)
68185 {
68186 const struct jump_entry *jea = a;
68187 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
68188
68189 size = (((unsigned long)stop - (unsigned long)start)
68190 / sizeof(struct jump_entry));
68191 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
68192 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
68193 }
68194
68195 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
68196 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
68197 count = e_module->nr_entries;
68198 iter = e_module->table;
68199 while (count--) {
68200 - if (within_module_init(iter->code, mod))
68201 + if (within_module_init(iter->code, mod)) {
68202 + pax_open_kernel();
68203 iter->key = 0;
68204 + pax_close_kernel();
68205 + }
68206 iter++;
68207 }
68208 }
68209 diff -urNp linux-2.6.39.3/kernel/kallsyms.c linux-2.6.39.3/kernel/kallsyms.c
68210 --- linux-2.6.39.3/kernel/kallsyms.c 2011-05-19 00:06:34.000000000 -0400
68211 +++ linux-2.6.39.3/kernel/kallsyms.c 2011-05-22 19:41:42.000000000 -0400
68212 @@ -11,6 +11,9 @@
68213 * Changed the compression method from stem compression to "table lookup"
68214 * compression (see scripts/kallsyms.c for a more complete description)
68215 */
68216 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68217 +#define __INCLUDED_BY_HIDESYM 1
68218 +#endif
68219 #include <linux/kallsyms.h>
68220 #include <linux/module.h>
68221 #include <linux/init.h>
68222 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
68223
68224 static inline int is_kernel_inittext(unsigned long addr)
68225 {
68226 + if (system_state != SYSTEM_BOOTING)
68227 + return 0;
68228 +
68229 if (addr >= (unsigned long)_sinittext
68230 && addr <= (unsigned long)_einittext)
68231 return 1;
68232 return 0;
68233 }
68234
68235 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68236 +#ifdef CONFIG_MODULES
68237 +static inline int is_module_text(unsigned long addr)
68238 +{
68239 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68240 + return 1;
68241 +
68242 + addr = ktla_ktva(addr);
68243 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68244 +}
68245 +#else
68246 +static inline int is_module_text(unsigned long addr)
68247 +{
68248 + return 0;
68249 +}
68250 +#endif
68251 +#endif
68252 +
68253 static inline int is_kernel_text(unsigned long addr)
68254 {
68255 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
68256 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
68257
68258 static inline int is_kernel(unsigned long addr)
68259 {
68260 +
68261 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68262 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
68263 + return 1;
68264 +
68265 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68266 +#else
68267 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68268 +#endif
68269 +
68270 return 1;
68271 return in_gate_area_no_mm(addr);
68272 }
68273
68274 static int is_ksym_addr(unsigned long addr)
68275 {
68276 +
68277 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68278 + if (is_module_text(addr))
68279 + return 0;
68280 +#endif
68281 +
68282 if (all_var)
68283 return is_kernel(addr);
68284
68285 @@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
68286
68287 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68288 {
68289 - iter->name[0] = '\0';
68290 iter->nameoff = get_symbol_offset(new_pos);
68291 iter->pos = new_pos;
68292 }
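Review bot: Removing `iter->name[0] = '\0'` from reset_iter leaves the name buffer initialised only by the `kzalloc()` that a later hunk puts in kallsyms_open, and nothing in the patch says so. If reset_iter is also reached on a seek (its callers are outside this hunk), `iter->name` keeps the previously shown symbol until the next update overwrites it. If that is intended, add `/* name is zeroed once at open (kzalloc) and deliberately not cleared here */`; if not, keep the clear.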
68293 @@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
68294 {
68295 struct kallsym_iter *iter = m->private;
68296
68297 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68298 + if (current_uid())
68299 + return 0;
68300 +#endif
68301 +
68302 /* Some debugging symbols have no name. Ignore them. */
68303 if (!iter->name[0])
68304 return 0;
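Review bot: The HIDESYM gate in s_show is undocumented and has two properties a maintainer should know. It is evaluated against the task performing the read (`current`), not the task that opened the file, and it compares the uid with 0 instead of testing a capability. Both may be deliberate, but a comment should say so, e.g. `/* hide symbols from any non-root reader, whoever opened the file */`. Returning 0 also means a non-root reader sees an empty file and gets no error, which is worth noting for tools that parse it.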
68305 @@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
68306 struct kallsym_iter *iter;
68307 int ret;
68308
68309 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68310 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68311 if (!iter)
68312 return -ENOMEM;
68313 reset_iter(iter, 0);
68314 diff -urNp linux-2.6.39.3/kernel/kmod.c linux-2.6.39.3/kernel/kmod.c
68315 --- linux-2.6.39.3/kernel/kmod.c 2011-05-19 00:06:34.000000000 -0400
68316 +++ linux-2.6.39.3/kernel/kmod.c 2011-05-22 19:41:42.000000000 -0400
68317 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
68318 * If module auto-loading support is disabled then this function
68319 * becomes a no-operation.
68320 */
68321 -int __request_module(bool wait, const char *fmt, ...)
68322 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
68323 {
68324 - va_list args;
68325 char module_name[MODULE_NAME_LEN];
68326 unsigned int max_modprobes;
68327 int ret;
68328 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
68329 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
68330 static char *envp[] = { "HOME=/",
68331 "TERM=linux",
68332 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
68333 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
68334 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
68335 static int kmod_loop_msg;
68336
68337 - va_start(args, fmt);
68338 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
68339 - va_end(args);
68340 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
68341 if (ret >= MODULE_NAME_LEN)
68342 return -ENAMETOOLONG;
68343
68344 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
68345 if (ret)
68346 return ret;
68347
68348 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68349 + if (!current_uid()) {
68350 + /* hack to workaround consolekit/udisks stupidity */
68351 + read_lock(&tasklist_lock);
68352 + if (!strcmp(current->comm, "mount") &&
68353 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
68354 + read_unlock(&tasklist_lock);
68355 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
68356 + return -EPERM;
68357 + }
68358 + read_unlock(&tasklist_lock);
68359 + }
68360 +#endif
68361 +
68362 /* If modprobe needs a service that is in a module, we get a recursive
68363 * loop. Limit the number of running kmod threads to max_threads/2 or
68364 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
68365 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
68366 atomic_dec(&kmod_concurrent);
68367 return ret;
68368 }
68369 +
68370 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
68371 +{
68372 + va_list args;
68373 + int ret;
68374 +
68375 + va_start(args, fmt);
68376 + ret = ____request_module(wait, module_param, fmt, args);
68377 + va_end(args);
68378 +
68379 + return ret;
68380 +}
68381 +
68382 +int __request_module(bool wait, const char *fmt, ...)
68383 +{
68384 + va_list args;
68385 + int ret;
68386 +
68387 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68388 + if (current_uid()) {
68389 + char module_param[MODULE_NAME_LEN];
68390 +
68391 + memset(module_param, 0, sizeof(module_param));
68392 +
68393 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
68394 +
68395 + va_start(args, fmt);
68396 + ret = ____request_module(wait, module_param, fmt, args);
68397 + va_end(args);
68398 +
68399 + return ret;
68400 + }
68401 +#endif
68402 +
68403 + va_start(args, fmt);
68404 + ret = ____request_module(wait, NULL, fmt, args);
68405 + va_end(args);
68406 +
68407 + return ret;
68408 +}
68409 +
68410 EXPORT_SYMBOL(__request_module);
68411 #endif /* CONFIG_MODULES */
68412
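Review bot: The three entry points `__request_module`, `___request_module` and `____request_module` differ only in the number of leading underscores, which is easy to misread at a call site where the choice decides whether a MODHARDEN marker is passed to modprobe. Names that state the difference (a `_param` and a `_va` suffix, for instance) would make a wrong call visible in review. In the MODHARDEN branch the `memset` plus `sizeof(module_param) - 1` is redundant, because `snprintf` always terminates within the size it is given; `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` alone is enough. A short comment on `module_param` saying that it is appended to modprobe's argv and later parsed back out of `mod->args` would tie this hunk to the module.c side.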
68413 diff -urNp linux-2.6.39.3/kernel/kprobes.c linux-2.6.39.3/kernel/kprobes.c
68414 --- linux-2.6.39.3/kernel/kprobes.c 2011-05-19 00:06:34.000000000 -0400
68415 +++ linux-2.6.39.3/kernel/kprobes.c 2011-05-22 19:36:33.000000000 -0400
68416 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
68417 * kernel image and loaded module images reside. This is required
68418 * so x86_64 can correctly handle the %rip-relative fixups.
68419 */
68420 - kip->insns = module_alloc(PAGE_SIZE);
68421 + kip->insns = module_alloc_exec(PAGE_SIZE);
68422 if (!kip->insns) {
68423 kfree(kip);
68424 return NULL;
68425 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
68426 */
68427 if (!list_is_singular(&kip->list)) {
68428 list_del(&kip->list);
68429 - module_free(NULL, kip->insns);
68430 + module_free_exec(NULL, kip->insns);
68431 kfree(kip);
68432 }
68433 return 1;
68434 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
68435 {
68436 int i, err = 0;
68437 unsigned long offset = 0, size = 0;
68438 - char *modname, namebuf[128];
68439 + char *modname, namebuf[KSYM_NAME_LEN];
68440 const char *symbol_name;
68441 void *addr;
68442 struct kprobe_blackpoint *kb;
68443 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
68444 const char *sym = NULL;
68445 unsigned int i = *(loff_t *) v;
68446 unsigned long offset = 0;
68447 - char *modname, namebuf[128];
68448 + char *modname, namebuf[KSYM_NAME_LEN];
68449
68450 head = &kprobe_table[i];
68451 preempt_disable();
68452 diff -urNp linux-2.6.39.3/kernel/lockdep.c linux-2.6.39.3/kernel/lockdep.c
68453 --- linux-2.6.39.3/kernel/lockdep.c 2011-06-25 12:55:23.000000000 -0400
68454 +++ linux-2.6.39.3/kernel/lockdep.c 2011-06-25 13:00:28.000000000 -0400
68455 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
68456 end = (unsigned long) &_end,
68457 addr = (unsigned long) obj;
68458
68459 +#ifdef CONFIG_PAX_KERNEXEC
68460 + start = ktla_ktva(start);
68461 +#endif
68462 +
68463 /*
68464 * static variable?
68465 */
68466 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
68467 if (!static_obj(lock->key)) {
68468 debug_locks_off();
68469 printk("INFO: trying to register non-static key.\n");
68470 + printk("lock:%pS key:%pS.\n", lock, lock->key);
68471 printk("the code is fine but needs lockdep annotation.\n");
68472 printk("turning off the locking correctness validator.\n");
68473 dump_stack();
68474 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
68475 if (!class)
68476 return 0;
68477 }
68478 - atomic_inc((atomic_t *)&class->ops);
68479 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
68480 if (very_verbose(class)) {
68481 printk("\nacquire class [%p] %s", class->key, class->name);
68482 if (class->name_version > 1)
68483 diff -urNp linux-2.6.39.3/kernel/lockdep_proc.c linux-2.6.39.3/kernel/lockdep_proc.c
68484 --- linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-19 00:06:34.000000000 -0400
68485 +++ linux-2.6.39.3/kernel/lockdep_proc.c 2011-05-22 19:36:33.000000000 -0400
68486 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
68487
68488 static void print_name(struct seq_file *m, struct lock_class *class)
68489 {
68490 - char str[128];
68491 + char str[KSYM_NAME_LEN];
68492 const char *name = class->name;
68493
68494 if (!name) {
68495 diff -urNp linux-2.6.39.3/kernel/module.c linux-2.6.39.3/kernel/module.c
68496 --- linux-2.6.39.3/kernel/module.c 2011-05-19 00:06:34.000000000 -0400
68497 +++ linux-2.6.39.3/kernel/module.c 2011-05-22 19:41:42.000000000 -0400
68498 @@ -57,6 +57,7 @@
68499 #include <linux/kmemleak.h>
68500 #include <linux/jump_label.h>
68501 #include <linux/pfn.h>
68502 +#include <linux/grsecurity.h>
68503
68504 #define CREATE_TRACE_POINTS
68505 #include <trace/events/module.h>
68506 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
68507
68508 /* Bounds of module allocation, for speeding __module_address.
68509 * Protected by module_mutex. */
68510 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
68511 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
68512 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
68513
68514 int register_module_notifier(struct notifier_block * nb)
68515 {
68516 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
68517 return true;
68518
68519 list_for_each_entry_rcu(mod, &modules, list) {
68520 - struct symsearch arr[] = {
68521 + struct symsearch modarr[] = {
68522 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
68523 NOT_GPL_ONLY, false },
68524 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
68525 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
68526 #endif
68527 };
68528
68529 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
68530 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
68531 return true;
68532 }
68533 return false;
68534 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
68535 static int percpu_modalloc(struct module *mod,
68536 unsigned long size, unsigned long align)
68537 {
68538 - if (align > PAGE_SIZE) {
68539 + if (align-1 >= PAGE_SIZE) {
68540 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
68541 mod->name, align, PAGE_SIZE);
68542 align = PAGE_SIZE;
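Review bot: The new test `align-1 >= PAGE_SIZE` also catches `align == 0` through unsigned wrap-around, but the warning below it still prints `per-cpu alignment %li > %li`, which for a zero alignment reports that 0 is greater than PAGE_SIZE. Add a comment on the condition, e.g. `/* align - 1 wraps for align == 0, so a zero alignment is rejected too */`, and reword the message so it covers both cases. percpu_modalloc continues outside this hunk.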
68543 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
68544 */
68545 #ifdef CONFIG_SYSFS
68546
68547 -#ifdef CONFIG_KALLSYMS
68548 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
68549 static inline bool sect_empty(const Elf_Shdr *sect)
68550 {
68551 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
68552 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
68553 {
68554 unsigned long total_pages;
68555
68556 - if (mod->module_core == module_region) {
68557 + if (mod->module_core_rx == module_region) {
68558 /* Set core as NX+RW */
68559 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
68560 - set_memory_nx((unsigned long)mod->module_core, total_pages);
68561 - set_memory_rw((unsigned long)mod->module_core, total_pages);
68562 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
68563 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
68564 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
68565
68566 - } else if (mod->module_init == module_region) {
68567 + } else if (mod->module_init_rx == module_region) {
68568 /* Set init as NX+RW */
68569 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
68570 - set_memory_nx((unsigned long)mod->module_init, total_pages);
68571 - set_memory_rw((unsigned long)mod->module_init, total_pages);
68572 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
68573 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
68574 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
68575 }
68576 }
68577
68578 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
68579
68580 mutex_lock(&module_mutex);
68581 list_for_each_entry_rcu(mod, &modules, list) {
68582 - if ((mod->module_core) && (mod->core_text_size)) {
68583 - set_page_attributes(mod->module_core,
68584 - mod->module_core + mod->core_text_size,
68585 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68586 + set_page_attributes(mod->module_core_rx,
68587 + mod->module_core_rx + mod->core_size_rx,
68588 set_memory_rw);
68589 }
68590 - if ((mod->module_init) && (mod->init_text_size)) {
68591 - set_page_attributes(mod->module_init,
68592 - mod->module_init + mod->init_text_size,
68593 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68594 + set_page_attributes(mod->module_init_rx,
68595 + mod->module_init_rx + mod->init_size_rx,
68596 set_memory_rw);
68597 }
68598 }
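Review bot: After this change set_all_modules_text_rw() flips the whole `module_core_rx` / `module_init_rx` region instead of the first `core_text_size` / `init_text_size` bytes, so the function name no longer describes the range it touches. The layout_sections hunk later in this patch places every allocated section without `SHF_WRITE` in the rx region, so that range presumably includes read-only data as well as code, and all of it becomes writable while the caller patches text. A comment stating the new extent, e.g. `/* covers the entire rx region (code and read-only data), not only .text */`, would make that explicit. The same applies to set_all_modules_text_ro() in the next hunk.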
68599 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
68600
68601 mutex_lock(&module_mutex);
68602 list_for_each_entry_rcu(mod, &modules, list) {
68603 - if ((mod->module_core) && (mod->core_text_size)) {
68604 - set_page_attributes(mod->module_core,
68605 - mod->module_core + mod->core_text_size,
68606 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
68607 + set_page_attributes(mod->module_core_rx,
68608 + mod->module_core_rx + mod->core_size_rx,
68609 set_memory_ro);
68610 }
68611 - if ((mod->module_init) && (mod->init_text_size)) {
68612 - set_page_attributes(mod->module_init,
68613 - mod->module_init + mod->init_text_size,
68614 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
68615 + set_page_attributes(mod->module_init_rx,
68616 + mod->module_init_rx + mod->init_size_rx,
68617 set_memory_ro);
68618 }
68619 }
68620 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
68621 destroy_params(mod->kp, mod->num_kp);
68622
68623 /* This may be NULL, but that's OK */
68624 - unset_section_ro_nx(mod, mod->module_init);
68625 - module_free(mod, mod->module_init);
68626 + unset_section_ro_nx(mod, mod->module_init_rx);
68627 + module_free(mod, mod->module_init_rw);
68628 + module_free_exec(mod, mod->module_init_rx);
68629 kfree(mod->args);
68630 percpu_modfree(mod);
68631
68632 /* Free lock-classes: */
68633 - lockdep_free_key_range(mod->module_core, mod->core_size);
68634 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
68635 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
68636
68637 /* Finally, free the core (containing the module structure) */
68638 - unset_section_ro_nx(mod, mod->module_core);
68639 - module_free(mod, mod->module_core);
68640 + unset_section_ro_nx(mod, mod->module_core_rx);
68641 + module_free_exec(mod, mod->module_core_rx);
68642 + module_free(mod, mod->module_core_rw);
68643
68644 #ifdef CONFIG_MPU
68645 update_protections(current->mm);
68646 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
68647 unsigned int i;
68648 int ret = 0;
68649 const struct kernel_symbol *ksym;
68650 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68651 + int is_fs_load = 0;
68652 + int register_filesystem_found = 0;
68653 + char *p;
68654 +
68655 + p = strstr(mod->args, "grsec_modharden_fs");
68656 + if (p) {
68657 + char *endptr = p + strlen("grsec_modharden_fs");
68658 + /* copy \0 as well */
68659 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
68660 + is_fs_load = 1;
68661 + }
68662 +#endif
68663
68664 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
68665 const char *name = info->strtab + sym[i].st_name;
68666
68667 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68668 + /* it's a real shame this will never get ripped and copied
68669 + upstream! ;(
68670 + */
68671 + if (is_fs_load && !strcmp(name, "register_filesystem"))
68672 + register_filesystem_found = 1;
68673 +#endif
68674 +
68675 switch (sym[i].st_shndx) {
68676 case SHN_COMMON:
68677 /* We compiled with -fno-common. These are not
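Review bot: The `memmove` length in the added `grsec_modharden_fs` block narrows a pointer difference through `(unsigned int)` and rebuilds a value that `strlen(endptr) + 1` gives directly, so `memmove(p, endptr, strlen(endptr) + 1);` is both shorter and free of the cast. The marker is also located with `strstr` anywhere in `mod->args`, so it is in-band with ordinary module parameters. A comment such as `/* marker is appended by the kernel's auto-load path; strip it before the module sees its arguments */` would record that assumption, which this hunk does not show and should be confirmed against the code that appends it. simplify_symbols continues outside the hunk.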
68678 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
68679 ksym = resolve_symbol_wait(mod, info, name);
68680 /* Ok if resolved. */
68681 if (ksym && !IS_ERR(ksym)) {
68682 + pax_open_kernel();
68683 sym[i].st_value = ksym->value;
68684 + pax_close_kernel();
68685 break;
68686 }
68687
68688 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
68689 secbase = (unsigned long)mod_percpu(mod);
68690 else
68691 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
68692 + pax_open_kernel();
68693 sym[i].st_value += secbase;
68694 + pax_close_kernel();
68695 break;
68696 }
68697 }
68698
68699 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
68700 + if (is_fs_load && !register_filesystem_found) {
68701 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
68702 + ret = -EPERM;
68703 + }
68704 +#endif
68705 +
68706 return ret;
68707 }
68708
68709 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
68710 || s->sh_entsize != ~0UL
68711 || strstarts(sname, ".init"))
68712 continue;
68713 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
68714 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68715 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
68716 + else
68717 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
68718 DEBUGP("\t%s\n", name);
68719 }
68720 - switch (m) {
68721 - case 0: /* executable */
68722 - mod->core_size = debug_align(mod->core_size);
68723 - mod->core_text_size = mod->core_size;
68724 - break;
68725 - case 1: /* RO: text and ro-data */
68726 - mod->core_size = debug_align(mod->core_size);
68727 - mod->core_ro_size = mod->core_size;
68728 - break;
68729 - case 3: /* whole core */
68730 - mod->core_size = debug_align(mod->core_size);
68731 - break;
68732 - }
68733 }
68734
68735 DEBUGP("Init section allocation order:\n");
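Review bot: The rw/rx placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop of layout_sections, and twice more in move_module, where it chooses the destination region. If one copy is ever edited without the others, a section's offset would be computed against one region and its contents copied relative to another. A single helper keeps them in step, for example `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. In move_module the `!SHF_ALLOC` half cannot be true, because the loop already does `continue` on sections without `SHF_ALLOC`.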
68736 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
68737 || s->sh_entsize != ~0UL
68738 || !strstarts(sname, ".init"))
68739 continue;
68740 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
68741 - | INIT_OFFSET_MASK);
68742 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
68743 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
68744 + else
68745 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
68746 + s->sh_entsize |= INIT_OFFSET_MASK;
68747 DEBUGP("\t%s\n", sname);
68748 }
68749 - switch (m) {
68750 - case 0: /* executable */
68751 - mod->init_size = debug_align(mod->init_size);
68752 - mod->init_text_size = mod->init_size;
68753 - break;
68754 - case 1: /* RO: text and ro-data */
68755 - mod->init_size = debug_align(mod->init_size);
68756 - mod->init_ro_size = mod->init_size;
68757 - break;
68758 - case 3: /* whole init */
68759 - mod->init_size = debug_align(mod->init_size);
68760 - break;
68761 - }
68762 }
68763 }
68764
68765 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
68766
68767 /* Put symbol section at end of init part of module. */
68768 symsect->sh_flags |= SHF_ALLOC;
68769 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
68770 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
68771 info->index.sym) | INIT_OFFSET_MASK;
68772 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
68773
68774 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
68775 }
68776
68777 /* Append room for core symbols at end of core part. */
68778 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
68779 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
68780 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
68781 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
68782
68783 /* Put string table section at end of init part of module. */
68784 strsect->sh_flags |= SHF_ALLOC;
68785 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
68786 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
68787 info->index.str) | INIT_OFFSET_MASK;
68788 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
68789
68790 /* Append room for core symbols' strings at end of core part. */
68791 - info->stroffs = mod->core_size;
68792 + info->stroffs = mod->core_size_rx;
68793 __set_bit(0, info->strmap);
68794 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
68795 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
68796 }
68797
68798 static void add_kallsyms(struct module *mod, const struct load_info *info)
68799 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
68800 /* Make sure we get permanent strtab: don't use info->strtab. */
68801 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
68802
68803 + pax_open_kernel();
68804 +
68805 /* Set types up while we still have access to sections. */
68806 for (i = 0; i < mod->num_symtab; i++)
68807 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
68808
68809 - mod->core_symtab = dst = mod->module_core + info->symoffs;
68810 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
68811 src = mod->symtab;
68812 *dst = *src;
68813 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
68814 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
68815 }
68816 mod->core_num_syms = ndst;
68817
68818 - mod->core_strtab = s = mod->module_core + info->stroffs;
68819 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
68820 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
68821 if (test_bit(i, info->strmap))
68822 *++s = mod->strtab[i];
68823 +
68824 + pax_close_kernel();
68825 }
68826 #else
68827 static inline void layout_symtab(struct module *mod, struct load_info *info)
68828 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
68829 ddebug_remove_module(debug->modname);
68830 }
68831
68832 -static void *module_alloc_update_bounds(unsigned long size)
68833 +static void *module_alloc_update_bounds_rw(unsigned long size)
68834 {
68835 void *ret = module_alloc(size);
68836
68837 if (ret) {
68838 mutex_lock(&module_mutex);
68839 /* Update module bounds. */
68840 - if ((unsigned long)ret < module_addr_min)
68841 - module_addr_min = (unsigned long)ret;
68842 - if ((unsigned long)ret + size > module_addr_max)
68843 - module_addr_max = (unsigned long)ret + size;
68844 + if ((unsigned long)ret < module_addr_min_rw)
68845 + module_addr_min_rw = (unsigned long)ret;
68846 + if ((unsigned long)ret + size > module_addr_max_rw)
68847 + module_addr_max_rw = (unsigned long)ret + size;
68848 + mutex_unlock(&module_mutex);
68849 + }
68850 + return ret;
68851 +}
68852 +
68853 +static void *module_alloc_update_bounds_rx(unsigned long size)
68854 +{
68855 + void *ret = module_alloc_exec(size);
68856 +
68857 + if (ret) {
68858 + mutex_lock(&module_mutex);
68859 + /* Update module bounds. */
68860 + if ((unsigned long)ret < module_addr_min_rx)
68861 + module_addr_min_rx = (unsigned long)ret;
68862 + if ((unsigned long)ret + size > module_addr_max_rx)
68863 + module_addr_max_rx = (unsigned long)ret + size;
68864 mutex_unlock(&module_mutex);
68865 }
68866 return ret;
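Review bot: `module_alloc_update_bounds_rw` and `module_alloc_update_bounds_rx` are line-for-line copies that differ only in the allocator called and the pair of bounds variables updated. Factoring the locked min/max update into one helper leaves a single place to change if the bounds logic changes. The sketch below assumes the `module_addr_{min,max}_{rw,rx}` names are plain variables, as their use as assignment targets in this hunk suggests. The closing brace of the rx function lies outside the hunk.

```c
/* Widen [*min, *max] to cover a new allocation; takes module_mutex itself. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	if (ret)
		module_update_bounds(ret, size,
				     &module_addr_min_rx, &module_addr_max_rx);
	return ret;
	/* … module_alloc_update_bounds_rw: same shape with module_alloc() and the _rw bounds … */
```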
68867 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
68868 void *ptr;
68869
68870 /* Do the allocs. */
68871 - ptr = module_alloc_update_bounds(mod->core_size);
68872 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
68873 /*
68874 * The pointer to this block is stored in the module structure
68875 * which is inside the block. Just mark it as not being a
68876 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
68877 if (!ptr)
68878 return -ENOMEM;
68879
68880 - memset(ptr, 0, mod->core_size);
68881 - mod->module_core = ptr;
68882 + memset(ptr, 0, mod->core_size_rw);
68883 + mod->module_core_rw = ptr;
68884
68885 - ptr = module_alloc_update_bounds(mod->init_size);
68886 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
68887 /*
68888 * The pointer to this block is stored in the module structure
68889 * which is inside the block. This block doesn't need to be
68890 * scanned as it contains data and code that will be freed
68891 * after the module is initialized.
68892 */
68893 - kmemleak_ignore(ptr);
68894 - if (!ptr && mod->init_size) {
68895 - module_free(mod, mod->module_core);
68896 + kmemleak_not_leak(ptr);
68897 + if (!ptr && mod->init_size_rw) {
68898 + module_free(mod, mod->module_core_rw);
68899 return -ENOMEM;
68900 }
68901 - memset(ptr, 0, mod->init_size);
68902 - mod->module_init = ptr;
68903 + memset(ptr, 0, mod->init_size_rw);
68904 + mod->module_init_rw = ptr;
68905 +
68906 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
68907 + kmemleak_not_leak(ptr);
68908 + if (!ptr) {
68909 + module_free(mod, mod->module_init_rw);
68910 + module_free(mod, mod->module_core_rw);
68911 + return -ENOMEM;
68912 + }
68913 +
68914 + pax_open_kernel();
68915 + memset(ptr, 0, mod->core_size_rx);
68916 + pax_close_kernel();
68917 + mod->module_core_rx = ptr;
68918 +
68919 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
68920 + kmemleak_not_leak(ptr);
68921 + if (!ptr && mod->init_size_rx) {
68922 + module_free_exec(mod, mod->module_core_rx);
68923 + module_free(mod, mod->module_init_rw);
68924 + module_free(mod, mod->module_core_rw);
68925 + return -ENOMEM;
68926 + }
68927 +
68928 + pax_open_kernel();
68929 + memset(ptr, 0, mod->init_size_rx);
68930 + pax_close_kernel();
68931 + mod->module_init_rx = ptr;
68932
68933 /* Transfer each section which specifies SHF_ALLOC */
68934 DEBUGP("final section addresses:\n");
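Review bot: The retained comment above the init allocation still says the block "doesn't need to be scanned", but the call under it is now `kmemleak_not_leak(ptr)`, which only suppresses the leak report and leaves the block scanned. Either keep `kmemleak_ignore(ptr)` for the init regions or reword the comment, e.g. `/* init block is freed after module init; mark it as not a leak */`. The two new `_rx` allocations have no comment at all. One line on each stating that the region is written only between `pax_open_kernel()` and `pax_close_kernel()` would explain why the `memset` calls are bracketed. move_module starts and ends outside this hunk.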
68935 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
68936 if (!(shdr->sh_flags & SHF_ALLOC))
68937 continue;
68938
68939 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
68940 - dest = mod->module_init
68941 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68942 - else
68943 - dest = mod->module_core + shdr->sh_entsize;
68944 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
68945 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68946 + dest = mod->module_init_rw
68947 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68948 + else
68949 + dest = mod->module_init_rx
68950 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
68951 + } else {
68952 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
68953 + dest = mod->module_core_rw + shdr->sh_entsize;
68954 + else
68955 + dest = mod->module_core_rx + shdr->sh_entsize;
68956 + }
68957 +
68958 + if (shdr->sh_type != SHT_NOBITS) {
68959 +
68960 +#ifdef CONFIG_PAX_KERNEXEC
68961 +#ifdef CONFIG_X86_64
68962 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
68963 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
68964 +#endif
68965 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
68966 + pax_open_kernel();
68967 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68968 + pax_close_kernel();
68969 + } else
68970 +#endif
68971
68972 - if (shdr->sh_type != SHT_NOBITS)
68973 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
68974 + }
68975 /* Update sh_addr to point to copy in image. */
68976 - shdr->sh_addr = (unsigned long)dest;
68977 +
68978 +#ifdef CONFIG_PAX_KERNEXEC
68979 + if (shdr->sh_flags & SHF_EXECINSTR)
68980 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
68981 + else
68982 +#endif
68983 +
68984 + shdr->sh_addr = (unsigned long)dest;
68985 DEBUGP("\t0x%lx %s\n",
68986 shdr->sh_addr, info->secstrings + shdr->sh_name);
68987 }
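Review bot: The page count given to `set_memory_x` for sections that are both `SHF_WRITE` and `SHF_EXECINSTR` comes from `sh_size` alone, `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, and `dest` is passed without alignment. A section that starts part-way into a page can span one more page than this covers. A page-aligned section whose size is a whole number of pages gets one extra page of the writable region made executable. Computing the range from the start offset avoids both: `set_memory_x((unsigned long)dest & PAGE_MASK, (offset_in_page(dest) + shdr->sh_size + PAGE_SIZE - 1) >> PAGE_SHIFT);`. Since this path leaves memory writable and executable together, a comment naming which sections are expected to reach it would help an auditor.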
68988 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
68989 * Do it before processing of module parameters, so the module
68990 * can provide parameter accessor functions of its own.
68991 */
68992 - if (mod->module_init)
68993 - flush_icache_range((unsigned long)mod->module_init,
68994 - (unsigned long)mod->module_init
68995 - + mod->init_size);
68996 - flush_icache_range((unsigned long)mod->module_core,
68997 - (unsigned long)mod->module_core + mod->core_size);
68998 + if (mod->module_init_rx)
68999 + flush_icache_range((unsigned long)mod->module_init_rx,
69000 + (unsigned long)mod->module_init_rx
69001 + + mod->init_size_rx);
69002 + flush_icache_range((unsigned long)mod->module_core_rx,
69003 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
69004
69005 set_fs(old_fs);
69006 }
69007 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
69008 {
69009 kfree(info->strmap);
69010 percpu_modfree(mod);
69011 - module_free(mod, mod->module_init);
69012 - module_free(mod, mod->module_core);
69013 + module_free_exec(mod, mod->module_init_rx);
69014 + module_free_exec(mod, mod->module_core_rx);
69015 + module_free(mod, mod->module_init_rw);
69016 + module_free(mod, mod->module_core_rw);
69017 }
69018
69019 static int post_relocation(struct module *mod, const struct load_info *info)
69020 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
69021 if (err)
69022 goto free_unload;
69023
69024 + /* Now copy in args */
69025 + mod->args = strndup_user(uargs, ~0UL >> 1);
69026 + if (IS_ERR(mod->args)) {
69027 + err = PTR_ERR(mod->args);
69028 + goto free_unload;
69029 + }
69030 +
69031 /* Set up MODINFO_ATTR fields */
69032 setup_modinfo(mod, &info);
69033
69034 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69035 + {
69036 + char *p, *p2;
69037 +
69038 + if (strstr(mod->args, "grsec_modharden_netdev")) {
69039 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
69040 + err = -EPERM;
69041 + goto free_modinfo;
69042 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
69043 + p += strlen("grsec_modharden_normal");
69044 + p2 = strstr(p, "_");
69045 + if (p2) {
69046 + *p2 = '\0';
69047 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
69048 + *p2 = '_';
69049 + }
69050 + err = -EPERM;
69051 + goto free_modinfo;
69052 + }
69053 + }
69054 +#endif
69055 +
69056 /* Fix up syms, so that st_value is a pointer to location. */
69057 err = simplify_symbols(mod, &info);
69058 if (err < 0)
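Review bot: The `grsec_modharden_netdev` alert's format string ends at `instead.` with no trailing `\n`, unlike the other two grsec messages in this file's hunks, so the next kernel log record can be appended to the same line. Ending the string with `instead.\n` fixes that. In the `grsec_modharden_normal` branch, a marker with no following `_` is denied with `-EPERM` but nothing is logged, because the `printk` sits inside `if (p2)`. An `else` that logs the denial without the uid keeps the audit trail complete. Both markers are matched by `strstr` over the whole user-supplied argument string, which fails closed, but a short comment saying so would make the intent explicit.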
69059 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
69060
69061 flush_module_icache(mod);
69062
69063 - /* Now copy in args */
69064 - mod->args = strndup_user(uargs, ~0UL >> 1);
69065 - if (IS_ERR(mod->args)) {
69066 - err = PTR_ERR(mod->args);
69067 - goto free_arch_cleanup;
69068 - }
69069 -
69070 /* Mark state as coming so strong_try_module_get() ignores us. */
69071 mod->state = MODULE_STATE_COMING;
69072
69073 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
69074 unlock:
69075 mutex_unlock(&module_mutex);
69076 synchronize_sched();
69077 - kfree(mod->args);
69078 - free_arch_cleanup:
69079 module_arch_cleanup(mod);
69080 free_modinfo:
69081 free_modinfo(mod);
69082 + kfree(mod->args);
69083 free_unload:
69084 module_unload_free(mod);
69085 free_module:
69086 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
69087 MODULE_STATE_COMING, mod);
69088
69089 /* Set RO and NX regions for core */
69090 - set_section_ro_nx(mod->module_core,
69091 - mod->core_text_size,
69092 - mod->core_ro_size,
69093 - mod->core_size);
69094 + set_section_ro_nx(mod->module_core_rx,
69095 + mod->core_size_rx,
69096 + mod->core_size_rx,
69097 + mod->core_size_rx);
69098
69099 /* Set RO and NX regions for init */
69100 - set_section_ro_nx(mod->module_init,
69101 - mod->init_text_size,
69102 - mod->init_ro_size,
69103 - mod->init_size);
69104 + set_section_ro_nx(mod->module_init_rx,
69105 + mod->init_size_rx,
69106 + mod->init_size_rx,
69107 + mod->init_size_rx);
69108
69109 do_mod_ctors(mod);
69110 /* Start the module */
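Review bot: Both `set_section_ro_nx` calls now pass the same `_rx` size as the text size, the read-only size and the total size, and nothing in the hunk says why. On the reading that the first two arguments bound the executable and read-only ranges, the whole rx region, read-only data included, is treated as text, and no part of it is marked non-executable by this call. The function's body is not visible here, so that reading needs confirming. A comment above the first call would settle it, e.g. `/* rx region holds text and read-only data only; writable data lives in the separate rw allocation and is not passed here */`.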
69111 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
69112 mod->symtab = mod->core_symtab;
69113 mod->strtab = mod->core_strtab;
69114 #endif
69115 - unset_section_ro_nx(mod, mod->module_init);
69116 - module_free(mod, mod->module_init);
69117 - mod->module_init = NULL;
69118 - mod->init_size = 0;
69119 - mod->init_text_size = 0;
69120 + unset_section_ro_nx(mod, mod->module_init_rx);
69121 + module_free(mod, mod->module_init_rw);
69122 + module_free_exec(mod, mod->module_init_rx);
69123 + mod->module_init_rw = NULL;
69124 + mod->module_init_rx = NULL;
69125 + mod->init_size_rw = 0;
69126 + mod->init_size_rx = 0;
69127 mutex_unlock(&module_mutex);
69128
69129 return 0;
69130 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
69131 unsigned long nextval;
69132
69133 /* At worse, next value is at end of module */
69134 - if (within_module_init(addr, mod))
69135 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
69136 + if (within_module_init_rx(addr, mod))
69137 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
69138 + else if (within_module_init_rw(addr, mod))
69139 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
69140 + else if (within_module_core_rx(addr, mod))
69141 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
69142 + else if (within_module_core_rw(addr, mod))
69143 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
69144 else
69145 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
69146 + return NULL;
69147
69148 /* Scan for closest preceding symbol, and next symbol. (ELF
69149 starts real symbols at 1). */
69150 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
69151 char buf[8];
69152
69153 seq_printf(m, "%s %u",
69154 - mod->name, mod->init_size + mod->core_size);
69155 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
69156 print_unload_info(m, mod);
69157
69158 /* Informative for users. */
69159 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
69160 mod->state == MODULE_STATE_COMING ? "Loading":
69161 "Live");
69162 /* Used by oprofile and other similar tools. */
69163 - seq_printf(m, " 0x%pK", mod->module_core);
69164 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
69165
69166 /* Taints info */
69167 if (mod->taints)
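Review bot: Printing two addresses, `" 0x%pK 0x%pK"`, adds a column to each `/proc/modules` line, and the context comment directly above states that this field is read by oprofile and similar tools. A parser that expects the taints field, or end of line, after a single address will misread the second address. If the rw base has to be exported, a comment documenting the new column order is the minimum; printing only `mod->module_core_rx` here would keep the existing format. m_show continues outside the hunk.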
69168 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
69169
69170 static int __init proc_modules_init(void)
69171 {
69172 +#ifndef CONFIG_GRKERNSEC_HIDESYM
69173 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69174 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69175 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69176 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
69177 +#else
69178 proc_create("modules", 0, NULL, &proc_modules_operations);
69179 +#endif
69180 +#else
69181 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69182 +#endif
69183 return 0;
69184 }
69185 module_init(proc_modules_init);
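Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch and the `CONFIG_GRKERNSEC_PROC_USER` branch issue the identical `proc_create("modules", S_IRUSR, ...)` call from two different levels of the nested `#ifndef`/`#ifdef`. That makes the effective mode hard to read off for any given configuration. Flattening to `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)`, then `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, then `#else` gives the same result with one call per mode. A one-line comment that HIDESYM takes precedence over the USERGROUP setting would record the intent.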
69186 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
69187 {
69188 struct module *mod;
69189
69190 - if (addr < module_addr_min || addr > module_addr_max)
69191 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
69192 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
69193 return NULL;
69194
69195 list_for_each_entry_rcu(mod, &modules, list)
69196 - if (within_module_core(addr, mod)
69197 - || within_module_init(addr, mod))
69198 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
69199 return mod;
69200 return NULL;
69201 }
69202 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
69203 */
69204 struct module *__module_text_address(unsigned long addr)
69205 {
69206 - struct module *mod = __module_address(addr);
69207 + struct module *mod;
69208 +
69209 +#ifdef CONFIG_X86_32
69210 + addr = ktla_ktva(addr);
69211 +#endif
69212 +
69213 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69214 + return NULL;
69215 +
69216 + mod = __module_address(addr);
69217 +
69218 if (mod) {
69219 /* Make sure it's within the text section. */
69220 - if (!within(addr, mod->module_init, mod->init_text_size)
69221 - && !within(addr, mod->module_core, mod->core_text_size))
69222 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
69223 mod = NULL;
69224 }
69225 return mod;
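Review bot: The address translation added at the top of `__module_text_address` is guarded by `CONFIG_X86_32`, while the inverse translation in move_module (`ktva_ktla`) is guarded by `CONFIG_PAX_KERNEXEC`. The two guards are presumably equivalent only if the macro is an identity without KERNEXEC, which is not visible in this file and should be confirmed. A comment such as `/* text addresses may arrive in the KERNEXEC alias form; convert before the range checks */` would explain why `addr` is rewritten before it is compared with the rx bounds. The explicit rx range test also partly repeats the bounds check inside `__module_address`, which is worth noting in the same comment.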
69226 diff -urNp linux-2.6.39.3/kernel/mutex.c linux-2.6.39.3/kernel/mutex.c
69227 --- linux-2.6.39.3/kernel/mutex.c 2011-05-19 00:06:34.000000000 -0400
69228 +++ linux-2.6.39.3/kernel/mutex.c 2011-05-22 19:36:33.000000000 -0400
69229 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
69230 */
69231
69232 for (;;) {
69233 - struct thread_info *owner;
69234 + struct task_struct *owner;
69235
69236 /*
69237 * If we own the BKL, then don't spin. The owner of
69238 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
69239 spin_lock_mutex(&lock->wait_lock, flags);
69240
69241 debug_mutex_lock_common(lock, &waiter);
69242 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
69243 + debug_mutex_add_waiter(lock, &waiter, task);
69244
69245 /* add waiting tasks to the end of the waitqueue (FIFO): */
69246 list_add_tail(&waiter.list, &lock->wait_list);
69247 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
69248 * TASK_UNINTERRUPTIBLE case.)
69249 */
69250 if (unlikely(signal_pending_state(state, task))) {
69251 - mutex_remove_waiter(lock, &waiter,
69252 - task_thread_info(task));
69253 + mutex_remove_waiter(lock, &waiter, task);
69254 mutex_release(&lock->dep_map, 1, ip);
69255 spin_unlock_mutex(&lock->wait_lock, flags);
69256
69257 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
69258 done:
69259 lock_acquired(&lock->dep_map, ip);
69260 /* got the lock - rejoice! */
69261 - mutex_remove_waiter(lock, &waiter, current_thread_info());
69262 + mutex_remove_waiter(lock, &waiter, task);
69263 mutex_set_owner(lock);
69264
69265 /* set it to 0 if there are no waiters left: */
69266 diff -urNp linux-2.6.39.3/kernel/mutex-debug.c linux-2.6.39.3/kernel/mutex-debug.c
69267 --- linux-2.6.39.3/kernel/mutex-debug.c 2011-05-19 00:06:34.000000000 -0400
69268 +++ linux-2.6.39.3/kernel/mutex-debug.c 2011-05-22 19:36:33.000000000 -0400
69269 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
69270 }
69271
69272 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69273 - struct thread_info *ti)
69274 + struct task_struct *task)
69275 {
69276 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
69277
69278 /* Mark the current thread as blocked on the lock: */
69279 - ti->task->blocked_on = waiter;
69280 + task->blocked_on = waiter;
69281 }
69282
69283 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69284 - struct thread_info *ti)
69285 + struct task_struct *task)
69286 {
69287 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
69288 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
69289 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
69290 - ti->task->blocked_on = NULL;
69291 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
69292 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
69293 + task->blocked_on = NULL;
69294
69295 list_del_init(&waiter->list);
69296 waiter->task = NULL;
69297 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
69298 return;
69299
69300 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
69301 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
69302 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
69303 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
69304 mutex_clear_owner(lock);
69305 }
69306 diff -urNp linux-2.6.39.3/kernel/mutex-debug.h linux-2.6.39.3/kernel/mutex-debug.h
69307 --- linux-2.6.39.3/kernel/mutex-debug.h 2011-05-19 00:06:34.000000000 -0400
69308 +++ linux-2.6.39.3/kernel/mutex-debug.h 2011-05-22 19:36:33.000000000 -0400
69309 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
69310 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
69311 extern void debug_mutex_add_waiter(struct mutex *lock,
69312 struct mutex_waiter *waiter,
69313 - struct thread_info *ti);
69314 + struct task_struct *task);
69315 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
69316 - struct thread_info *ti);
69317 + struct task_struct *task);
69318 extern void debug_mutex_unlock(struct mutex *lock);
69319 extern void debug_mutex_init(struct mutex *lock, const char *name,
69320 struct lock_class_key *key);
69321
69322 static inline void mutex_set_owner(struct mutex *lock)
69323 {
69324 - lock->owner = current_thread_info();
69325 + lock->owner = current;
69326 }
69327
69328 static inline void mutex_clear_owner(struct mutex *lock)
69329 diff -urNp linux-2.6.39.3/kernel/mutex.h linux-2.6.39.3/kernel/mutex.h
69330 --- linux-2.6.39.3/kernel/mutex.h 2011-05-19 00:06:34.000000000 -0400
69331 +++ linux-2.6.39.3/kernel/mutex.h 2011-05-22 19:36:33.000000000 -0400
69332 @@ -19,7 +19,7 @@
69333 #ifdef CONFIG_SMP
69334 static inline void mutex_set_owner(struct mutex *lock)
69335 {
69336 - lock->owner = current_thread_info();
69337 + lock->owner = current;
69338 }
69339
69340 static inline void mutex_clear_owner(struct mutex *lock)
69341 diff -urNp linux-2.6.39.3/kernel/padata.c linux-2.6.39.3/kernel/padata.c
69342 --- linux-2.6.39.3/kernel/padata.c 2011-05-19 00:06:34.000000000 -0400
69343 +++ linux-2.6.39.3/kernel/padata.c 2011-05-22 19:36:33.000000000 -0400
69344 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
69345 padata->pd = pd;
69346 padata->cb_cpu = cb_cpu;
69347
69348 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
69349 - atomic_set(&pd->seq_nr, -1);
69350 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
69351 + atomic_set_unchecked(&pd->seq_nr, -1);
69352
69353 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
69354 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
69355
69356 target_cpu = padata_cpu_hash(padata);
69357 queue = per_cpu_ptr(pd->pqueue, target_cpu);
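Review bot: The switch of `pd->seq_nr` to the `_unchecked` accessors, here and in padata_alloc_pd, carries no comment explaining why this counter is exempt from overflow checking while `reorder_objects` and `refcnt` beside it keep the checked API. The same applies to the `perf_event_id` and `child_*` counters converted in the kernel/perf_event.c hunks. A short comment at each converted declaration would let a reviewer confirm the exemption, e.g. `/* sequence/statistics counter, not a reference count: wrap-around is harmless */`. The type change for `seq_nr` itself must be in a header outside these hunks.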
69358 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
69359 padata_init_pqueues(pd);
69360 padata_init_squeues(pd);
69361 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
69362 - atomic_set(&pd->seq_nr, -1);
69363 + atomic_set_unchecked(&pd->seq_nr, -1);
69364 atomic_set(&pd->reorder_objects, 0);
69365 atomic_set(&pd->refcnt, 0);
69366 pd->pinst = pinst;
69367 diff -urNp linux-2.6.39.3/kernel/panic.c linux-2.6.39.3/kernel/panic.c
69368 --- linux-2.6.39.3/kernel/panic.c 2011-05-19 00:06:34.000000000 -0400
69369 +++ linux-2.6.39.3/kernel/panic.c 2011-05-22 19:41:42.000000000 -0400
69370 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
69371 const char *board;
69372
69373 printk(KERN_WARNING "------------[ cut here ]------------\n");
69374 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
69375 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
69376 board = dmi_get_system_info(DMI_PRODUCT_NAME);
69377 if (board)
69378 printk(KERN_WARNING "Hardware name: %s\n", board);
69379 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
69380 */
69381 void __stack_chk_fail(void)
69382 {
69383 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
69384 + dump_stack();
69385 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
69386 __builtin_return_address(0));
69387 }
69388 EXPORT_SYMBOL(__stack_chk_fail);
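Review bot: The added `dump_stack()` in `__stack_chk_fail` runs before `panic()`, on a stack the canary check has just reported as corrupted. That means the trace is printed ahead of the message that explains it, and `panic()` may print a second trace depending on configuration, which this hunk does not show. A comment stating why the early trace is wanted would make the ordering deliberate rather than incidental, e.g. `/* capture the call chain before panic() in case its own reporting is unavailable */`.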
69389 diff -urNp linux-2.6.39.3/kernel/params.c linux-2.6.39.3/kernel/params.c
69390 --- linux-2.6.39.3/kernel/params.c 2011-05-19 00:06:34.000000000 -0400
69391 +++ linux-2.6.39.3/kernel/params.c 2011-05-22 19:36:33.000000000 -0400
69392 @@ -234,7 +234,7 @@ int parse_args(const char *name,
69393 { \
69394 return sprintf(buffer, format, *((type *)kp->arg)); \
69395 } \
69396 - struct kernel_param_ops param_ops_##name = { \
69397 + const struct kernel_param_ops param_ops_##name = { \
69398 .set = param_set_##name, \
69399 .get = param_get_##name, \
69400 }; \
69401 @@ -286,7 +286,7 @@ static void param_free_charp(void *arg)
69402 maybe_kfree_parameter(*((char **)arg));
69403 }
69404
69405 -struct kernel_param_ops param_ops_charp = {
69406 +const struct kernel_param_ops param_ops_charp = {
69407 .set = param_set_charp,
69408 .get = param_get_charp,
69409 .free = param_free_charp,
69410 @@ -334,7 +334,7 @@ int param_get_bool(char *buffer, const s
69411 }
69412 EXPORT_SYMBOL(param_get_bool);
69413
69414 -struct kernel_param_ops param_ops_bool = {
69415 +const struct kernel_param_ops param_ops_bool = {
69416 .set = param_set_bool,
69417 .get = param_get_bool,
69418 };
69419 @@ -362,7 +362,7 @@ int param_get_invbool(char *buffer, cons
69420 }
69421 EXPORT_SYMBOL(param_get_invbool);
69422
69423 -struct kernel_param_ops param_ops_invbool = {
69424 +const struct kernel_param_ops param_ops_invbool = {
69425 .set = param_set_invbool,
69426 .get = param_get_invbool,
69427 };
69428 @@ -460,7 +460,7 @@ static void param_array_free(void *arg)
69429 arr->ops->free(arr->elem + arr->elemsize * i);
69430 }
69431
69432 -struct kernel_param_ops param_array_ops = {
69433 +const struct kernel_param_ops param_array_ops = {
69434 .set = param_array_set,
69435 .get = param_array_get,
69436 .free = param_array_free,
69437 @@ -488,7 +488,7 @@ int param_get_string(char *buffer, const
69438 }
69439 EXPORT_SYMBOL(param_get_string);
69440
69441 -struct kernel_param_ops param_ops_string = {
69442 +const struct kernel_param_ops param_ops_string = {
69443 .set = param_set_copystring,
69444 .get = param_get_string,
69445 };
69446 diff -urNp linux-2.6.39.3/kernel/perf_event.c linux-2.6.39.3/kernel/perf_event.c
69447 --- linux-2.6.39.3/kernel/perf_event.c 2011-05-19 00:06:34.000000000 -0400
69448 +++ linux-2.6.39.3/kernel/perf_event.c 2011-05-22 19:36:33.000000000 -0400
69449 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
69450 return 0;
69451 }
69452
69453 -static atomic64_t perf_event_id;
69454 +static atomic64_unchecked_t perf_event_id;
69455
69456 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
69457 enum event_type_t event_type);
69458 @@ -2496,7 +2496,7 @@ static void __perf_event_read(void *info
69459
69460 static inline u64 perf_event_count(struct perf_event *event)
69461 {
69462 - return local64_read(&event->count) + atomic64_read(&event->child_count);
69463 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
69464 }
69465
69466 static u64 perf_event_read(struct perf_event *event)
69467 @@ -3031,9 +3031,9 @@ u64 perf_event_read_value(struct perf_ev
69468 mutex_lock(&event->child_mutex);
69469 total += perf_event_read(event);
69470 *enabled += event->total_time_enabled +
69471 - atomic64_read(&event->child_total_time_enabled);
69472 + atomic64_read_unchecked(&event->child_total_time_enabled);
69473 *running += event->total_time_running +
69474 - atomic64_read(&event->child_total_time_running);
69475 + atomic64_read_unchecked(&event->child_total_time_running);
69476
69477 list_for_each_entry(child, &event->child_list, child_list) {
69478 total += perf_event_read(child);
69479 @@ -3396,10 +3396,10 @@ void perf_event_update_userpage(struct p
69480 userpg->offset -= local64_read(&event->hw.prev_count);
69481
69482 userpg->time_enabled = event->total_time_enabled +
69483 - atomic64_read(&event->child_total_time_enabled);
69484 + atomic64_read_unchecked(&event->child_total_time_enabled);
69485
69486 userpg->time_running = event->total_time_running +
69487 - atomic64_read(&event->child_total_time_running);
69488 + atomic64_read_unchecked(&event->child_total_time_running);
69489
69490 barrier();
69491 ++userpg->lock;
69492 @@ -3884,16 +3884,16 @@ static void perf_pending_event(struct ir
69493 * Later on, we might change it to a list if there is
69494 * another virtualization implementation supporting the callbacks.
69495 */
69496 -struct perf_guest_info_callbacks *perf_guest_cbs;
69497 +const struct perf_guest_info_callbacks *perf_guest_cbs;
69498
69499 -int perf_register_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69500 +int perf_register_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69501 {
69502 perf_guest_cbs = cbs;
69503 return 0;
69504 }
69505 EXPORT_SYMBOL_GPL(perf_register_guest_info_callbacks);
69506
69507 -int perf_unregister_guest_info_callbacks(struct perf_guest_info_callbacks *cbs)
69508 +int perf_unregister_guest_info_callbacks(const struct perf_guest_info_callbacks *cbs)
69509 {
69510 perf_guest_cbs = NULL;
69511 return 0;
69512 @@ -4196,11 +4196,11 @@ static void perf_output_read_one(struct
69513 values[n++] = perf_event_count(event);
69514 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
69515 values[n++] = enabled +
69516 - atomic64_read(&event->child_total_time_enabled);
69517 + atomic64_read_unchecked(&event->child_total_time_enabled);
69518 }
69519 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
69520 values[n++] = running +
69521 - atomic64_read(&event->child_total_time_running);
69522 + atomic64_read_unchecked(&event->child_total_time_running);
69523 }
69524 if (read_format & PERF_FORMAT_ID)
69525 values[n++] = primary_event_id(event);
69526 @@ -6201,7 +6201,7 @@ perf_event_alloc(struct perf_event_attr
69527 event->parent = parent_event;
69528
69529 event->ns = get_pid_ns(current->nsproxy->pid_ns);
69530 - event->id = atomic64_inc_return(&perf_event_id);
69531 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
69532
69533 event->state = PERF_EVENT_STATE_INACTIVE;
69534
69535 @@ -6724,10 +6724,10 @@ static void sync_child_event(struct perf
69536 /*
69537 * Add back the child's count to the parent's count:
69538 */
69539 - atomic64_add(child_val, &parent_event->child_count);
69540 - atomic64_add(child_event->total_time_enabled,
69541 + atomic64_add_unchecked(child_val, &parent_event->child_count);
69542 + atomic64_add_unchecked(child_event->total_time_enabled,
69543 &parent_event->child_total_time_enabled);
69544 - atomic64_add(child_event->total_time_running,
69545 + atomic64_add_unchecked(child_event->total_time_running,
69546 &parent_event->child_total_time_running);
69547
69548 /*
69549 diff -urNp linux-2.6.39.3/kernel/pid.c linux-2.6.39.3/kernel/pid.c
69550 --- linux-2.6.39.3/kernel/pid.c 2011-05-19 00:06:34.000000000 -0400
69551 +++ linux-2.6.39.3/kernel/pid.c 2011-07-16 15:42:36.000000000 -0400
69552 @@ -33,6 +33,7 @@
69553 #include <linux/rculist.h>
69554 #include <linux/bootmem.h>
69555 #include <linux/hash.h>
69556 +#include <linux/security.h>
69557 #include <linux/pid_namespace.h>
69558 #include <linux/init_task.h>
69559 #include <linux/syscalls.h>
69560 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
69561
69562 int pid_max = PID_MAX_DEFAULT;
69563
69564 -#define RESERVED_PIDS 300
69565 +#define RESERVED_PIDS 500
69566
69567 int pid_max_min = RESERVED_PIDS + 1;
69568 int pid_max_max = PID_MAX_LIMIT;
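Review bot: Raising `RESERVED_PIDS` to 500 also raises `pid_max_min` two lines below to 501, so the lowest `pid_max` value an administrator can set changes with it, and nothing in the hunk records why 500 was chosen. A one-line comment above the define would capture the intent, for example `/* low PIDs kept out of reuse after wrap-around; raised from the upstream 300 */`. The code that consumes the constant is outside this hunk, so the wording should be checked against it.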
69569 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
69570 */
69571 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
69572 {
69573 + struct task_struct *task;
69574 +
69575 rcu_lockdep_assert(rcu_read_lock_held());
69576 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69577 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
69578 +
69579 + if (gr_pid_is_chrooted(task))
69580 + return NULL;
69581 +
69582 + return task;
69583 }
69584
69585 struct task_struct *find_task_by_vpid(pid_t vnr)
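Review bot: `gr_pid_is_chrooted(task)` is called with `task == NULL` whenever the lookup finds no such pid, because the result of `pid_task()` is passed on without a check. The helper is defined outside this hunk, so either it has to be documented as NULL-safe or the guard should be explicit here: `if (task && gr_pid_is_chrooted(task)) return NULL;`. A short comment that a task hidden by the chroot policy is reported exactly like a nonexistent pid would also help callers reading this function.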
69586 @@ -428,6 +436,12 @@ struct task_struct *find_task_by_vpid(pi
69587 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
69588 }
69589
69590 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
69591 +{
69592 + rcu_lockdep_assert(rcu_read_lock_held());
69593 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
69594 +}
69595 +
69596 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
69597 {
69598 struct pid *pid;
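Review bot: `find_task_by_vpid_unrestricted()` has no comment saying that it skips the `gr_pid_is_chrooted()` filter that `find_task_by_pid_ns()` applies in the previous hunk, so a later caller can pick it without noticing that it bypasses a policy check. I would add a kernel-doc comment above it stating that it returns the task regardless of the caller's chroot state, that it must be called under `rcu_read_lock()`, and that it is meant only for callers which do their own access check. Which callers those are is not visible in this hunk.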
69599 diff -urNp linux-2.6.39.3/kernel/posix-cpu-timers.c linux-2.6.39.3/kernel/posix-cpu-timers.c
69600 --- linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-19 00:06:34.000000000 -0400
69601 +++ linux-2.6.39.3/kernel/posix-cpu-timers.c 2011-05-22 19:41:42.000000000 -0400
69602 @@ -6,6 +6,7 @@
69603 #include <linux/posix-timers.h>
69604 #include <linux/errno.h>
69605 #include <linux/math64.h>
69606 +#include <linux/security.h>
69607 #include <asm/uaccess.h>
69608 #include <linux/kernel_stat.h>
69609 #include <trace/events/timer.h>
69610 @@ -1590,7 +1591,7 @@ static int thread_cpu_timer_create(struc
69611 return posix_cpu_timer_create(timer);
69612 }
69613
69614 -struct k_clock clock_posix_cpu = {
69615 +const struct k_clock clock_posix_cpu = {
69616 .clock_getres = posix_cpu_clock_getres,
69617 .clock_set = posix_cpu_clock_set,
69618 .clock_get = posix_cpu_clock_get,
69619 @@ -1604,14 +1605,14 @@ struct k_clock clock_posix_cpu = {
69620
69621 static __init int init_posix_cpu_timers(void)
69622 {
69623 - struct k_clock process = {
69624 + const struct k_clock process = {
69625 .clock_getres = process_cpu_clock_getres,
69626 .clock_get = process_cpu_clock_get,
69627 .timer_create = process_cpu_timer_create,
69628 .nsleep = process_cpu_nsleep,
69629 .nsleep_restart = process_cpu_nsleep_restart,
69630 };
69631 - struct k_clock thread = {
69632 + const struct k_clock thread = {
69633 .clock_getres = thread_cpu_clock_getres,
69634 .clock_get = thread_cpu_clock_get,
69635 .timer_create = thread_cpu_timer_create,
69636 diff -urNp linux-2.6.39.3/kernel/posix-timers.c linux-2.6.39.3/kernel/posix-timers.c
69637 --- linux-2.6.39.3/kernel/posix-timers.c 2011-05-19 00:06:34.000000000 -0400
69638 +++ linux-2.6.39.3/kernel/posix-timers.c 2011-05-22 20:13:41.000000000 -0400
69639 @@ -43,6 +43,7 @@
69640 #include <linux/idr.h>
69641 #include <linux/posix-clock.h>
69642 #include <linux/posix-timers.h>
69643 +#include <linux/grsecurity.h>
69644 #include <linux/syscalls.h>
69645 #include <linux/wait.h>
69646 #include <linux/workqueue.h>
69647 @@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
69648 */
69649 static __init int init_posix_timers(void)
69650 {
69651 - struct k_clock clock_realtime = {
69652 + const struct k_clock clock_realtime = {
69653 .clock_getres = hrtimer_get_res,
69654 .clock_get = posix_clock_realtime_get,
69655 .clock_set = posix_clock_realtime_set,
69656 @@ -239,7 +240,7 @@ static __init int init_posix_timers(void
69657 .timer_get = common_timer_get,
69658 .timer_del = common_timer_del,
69659 };
69660 - struct k_clock clock_monotonic = {
69661 + const struct k_clock clock_monotonic = {
69662 .clock_getres = hrtimer_get_res,
69663 .clock_get = posix_ktime_get_ts,
69664 .nsleep = common_nsleep,
69665 @@ -249,19 +250,19 @@ static __init int init_posix_timers(void
69666 .timer_get = common_timer_get,
69667 .timer_del = common_timer_del,
69668 };
69669 - struct k_clock clock_monotonic_raw = {
69670 + const struct k_clock clock_monotonic_raw = {
69671 .clock_getres = hrtimer_get_res,
69672 .clock_get = posix_get_monotonic_raw,
69673 };
69674 - struct k_clock clock_realtime_coarse = {
69675 + const struct k_clock clock_realtime_coarse = {
69676 .clock_getres = posix_get_coarse_res,
69677 .clock_get = posix_get_realtime_coarse,
69678 };
69679 - struct k_clock clock_monotonic_coarse = {
69680 + const struct k_clock clock_monotonic_coarse = {
69681 .clock_getres = posix_get_coarse_res,
69682 .clock_get = posix_get_monotonic_coarse,
69683 };
69684 - struct k_clock clock_boottime = {
69685 + const struct k_clock clock_boottime = {
69686 .clock_getres = hrtimer_get_res,
69687 .clock_get = posix_get_boottime,
69688 .nsleep = common_nsleep,
69689 @@ -272,6 +273,8 @@ static __init int init_posix_timers(void
69690 .timer_del = common_timer_del,
69691 };
69692
69693 + pax_track_stack();
69694 +
69695 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
69696 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
69697 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
69698 @@ -454,7 +457,7 @@ static struct pid *good_sigevent(sigeven
69699 }
69700
69701 void posix_timers_register_clock(const clockid_t clock_id,
69702 - struct k_clock *new_clock)
69703 + const struct k_clock *new_clock)
69704 {
69705 if ((unsigned) clock_id >= MAX_CLOCKS) {
69706 printk(KERN_WARNING "POSIX clock register failed for clock_id %d\n",
69707 @@ -506,7 +509,7 @@ static void release_posix_timer(struct k
69708 kmem_cache_free(posix_timers_cache, tmr);
69709 }
69710
69711 -static struct k_clock *clockid_to_kclock(const clockid_t id)
69712 +static const struct k_clock *clockid_to_kclock(const clockid_t id)
69713 {
69714 if (id < 0)
69715 return (id & CLOCKFD_MASK) == CLOCKFD ?
69716 @@ -529,7 +532,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
69717 struct sigevent __user *, timer_event_spec,
69718 timer_t __user *, created_timer_id)
69719 {
69720 - struct k_clock *kc = clockid_to_kclock(which_clock);
69721 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69722 struct k_itimer *new_timer;
69723 int error, new_timer_id;
69724 sigevent_t event;
69725 @@ -714,7 +717,7 @@ SYSCALL_DEFINE2(timer_gettime, timer_t,
69726 {
69727 struct itimerspec cur_setting;
69728 struct k_itimer *timr;
69729 - struct k_clock *kc;
69730 + const struct k_clock *kc;
69731 unsigned long flags;
69732 int ret = 0;
69733
69734 @@ -822,7 +825,7 @@ SYSCALL_DEFINE4(timer_settime, timer_t,
69735 int error = 0;
69736 unsigned long flag;
69737 struct itimerspec *rtn = old_setting ? &old_spec : NULL;
69738 - struct k_clock *kc;
69739 + const struct k_clock *kc;
69740
69741 if (!new_setting)
69742 return -EINVAL;
69743 @@ -868,7 +871,7 @@ static int common_timer_del(struct k_iti
69744
69745 static inline int timer_delete_hook(struct k_itimer *timer)
69746 {
69747 - struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69748 + const struct k_clock *kc = clockid_to_kclock(timer->it_clock);
69749
69750 if (WARN_ON_ONCE(!kc || !kc->timer_del))
69751 return -EINVAL;
69752 @@ -947,7 +950,7 @@ void exit_itimers(struct signal_struct *
69753 SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
69754 const struct timespec __user *, tp)
69755 {
69756 - struct k_clock *kc = clockid_to_kclock(which_clock);
69757 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69758 struct timespec new_tp;
69759
69760 if (!kc || !kc->clock_set)
69761 @@ -956,13 +959,20 @@ SYSCALL_DEFINE2(clock_settime, const clo
69762 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
69763 return -EFAULT;
69764
69765 + /* only the CLOCK_REALTIME clock can be set, all other clocks
69766 + have their clock_set fptr set to a nosettime dummy function
69767 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
69768 + call common_clock_set, which calls do_sys_settimeofday, which
69769 + we hook
69770 + */
69771 +
69772 return kc->clock_set(which_clock, &new_tp);
69773 }
69774
69775 SYSCALL_DEFINE2(clock_gettime, const clockid_t, which_clock,
69776 struct timespec __user *,tp)
69777 {
69778 - struct k_clock *kc = clockid_to_kclock(which_clock);
69779 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69780 struct timespec kernel_tp;
69781 int error;
69782
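Review bot: The comment added above `return kc->clock_set(which_clock, &new_tp);` does not match the code around it. It says CLOCK_REALTIME has a NULL `clock_set` pointer that leads to `common_clock_set`, but the function tests `!kc->clock_set` before reaching this line (the return for that test falls between the two hunks, presumably an error), and `init_posix_timers()` in this same file sets `.clock_set = posix_clock_realtime_set` for `clock_realtime`. I would reword it to describe the present flow, for example `/* clocks without a clock_set handler were rejected above; CLOCK_REALTIME goes through posix_clock_realtime_set, whose settimeofday path is hooked */`. Where the hook actually sits is outside this hunk and should be confirmed before the comment names it.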
69783 @@ -980,7 +990,7 @@ SYSCALL_DEFINE2(clock_gettime, const clo
69784 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
69785 struct timex __user *, utx)
69786 {
69787 - struct k_clock *kc = clockid_to_kclock(which_clock);
69788 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69789 struct timex ktx;
69790 int err;
69791
69792 @@ -1003,7 +1013,7 @@ SYSCALL_DEFINE2(clock_adjtime, const clo
69793 SYSCALL_DEFINE2(clock_getres, const clockid_t, which_clock,
69794 struct timespec __user *, tp)
69795 {
69796 - struct k_clock *kc = clockid_to_kclock(which_clock);
69797 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69798 struct timespec rtn_tp;
69799 int error;
69800
69801 @@ -1033,7 +1043,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69802 const struct timespec __user *, rqtp,
69803 struct timespec __user *, rmtp)
69804 {
69805 - struct k_clock *kc = clockid_to_kclock(which_clock);
69806 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69807 struct timespec t;
69808
69809 if (!kc)
69810 @@ -1057,7 +1067,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const c
69811 long clock_nanosleep_restart(struct restart_block *restart_block)
69812 {
69813 clockid_t which_clock = restart_block->nanosleep.index;
69814 - struct k_clock *kc = clockid_to_kclock(which_clock);
69815 + const struct k_clock *kc = clockid_to_kclock(which_clock);
69816
69817 if (WARN_ON_ONCE(!kc || !kc->nsleep_restart))
69818 return -EINVAL;
69819 diff -urNp linux-2.6.39.3/kernel/power/poweroff.c linux-2.6.39.3/kernel/power/poweroff.c
69820 --- linux-2.6.39.3/kernel/power/poweroff.c 2011-05-19 00:06:34.000000000 -0400
69821 +++ linux-2.6.39.3/kernel/power/poweroff.c 2011-05-22 19:36:33.000000000 -0400
69822 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
69823 .enable_mask = SYSRQ_ENABLE_BOOT,
69824 };
69825
69826 -static int pm_sysrq_init(void)
69827 +static int __init pm_sysrq_init(void)
69828 {
69829 register_sysrq_key('o', &sysrq_poweroff_op);
69830 return 0;
69831 diff -urNp linux-2.6.39.3/kernel/power/process.c linux-2.6.39.3/kernel/power/process.c
69832 --- linux-2.6.39.3/kernel/power/process.c 2011-05-19 00:06:34.000000000 -0400
69833 +++ linux-2.6.39.3/kernel/power/process.c 2011-05-22 19:36:33.000000000 -0400
69834 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
69835 u64 elapsed_csecs64;
69836 unsigned int elapsed_csecs;
69837 bool wakeup = false;
69838 + bool timedout = false;
69839
69840 do_gettimeofday(&start);
69841
69842 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
69843
69844 while (true) {
69845 todo = 0;
69846 + if (time_after(jiffies, end_time))
69847 + timedout = true;
69848 read_lock(&tasklist_lock);
69849 do_each_thread(g, p) {
69850 if (frozen(p) || !freezable(p))
69851 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
69852 * try_to_stop() after schedule() in ptrace/signal
69853 * stop sees TIF_FREEZE.
69854 */
69855 - if (!task_is_stopped_or_traced(p) &&
69856 - !freezer_should_skip(p))
69857 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
69858 todo++;
69859 + if (timedout) {
69860 + printk(KERN_ERR "Task refusing to freeze:\n");
69861 + sched_show_task(p);
69862 + }
69863 + }
69864 } while_each_thread(g, p);
69865 read_unlock(&tasklist_lock);
69866
69867 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
69868 todo += wq_busy;
69869 }
69870
69871 - if (!todo || time_after(jiffies, end_time))
69872 + if (!todo || timedout)
69873 break;
69874
69875 if (pm_wakeup_pending()) {
69876 diff -urNp linux-2.6.39.3/kernel/printk.c linux-2.6.39.3/kernel/printk.c
69877 --- linux-2.6.39.3/kernel/printk.c 2011-05-19 00:06:34.000000000 -0400
69878 +++ linux-2.6.39.3/kernel/printk.c 2011-05-22 19:41:42.000000000 -0400
69879 @@ -284,12 +284,17 @@ static int check_syslog_permissions(int
69880 if (from_file && type != SYSLOG_ACTION_OPEN)
69881 return 0;
69882
69883 +#ifdef CONFIG_GRKERNSEC_DMESG
69884 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
69885 + return -EPERM;
69886 +#endif
69887 +
69888 if (syslog_action_restricted(type)) {
69889 if (capable(CAP_SYSLOG))
69890 return 0;
69891 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
69892 if (capable(CAP_SYS_ADMIN)) {
69893 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
69894 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
69895 "but no CAP_SYSLOG (deprecated).\n");
69896 return 0;
69897 }
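Review bot: The `CONFIG_GRKERNSEC_DMESG` check is placed before `syslog_action_restricted(type)`, so with `grsec_enable_dmesg` set it denies every action type that reaches this point, not only the restricted ones. The hunk carries no comment saying this is intended. It also mixes `capable(CAP_SYSLOG)` with `capable_nolog(CAP_SYS_ADMIN)` without explaining why only the first may generate a log entry. A comment above the `#ifdef` would settle both, for example `/* dmesg restriction: all syslog actions need CAP_SYSLOG or legacy CAP_SYS_ADMIN; the fallback probe is not logged */`. The function starts outside this hunk.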
69898 diff -urNp linux-2.6.39.3/kernel/profile.c linux-2.6.39.3/kernel/profile.c
69899 --- linux-2.6.39.3/kernel/profile.c 2011-05-19 00:06:34.000000000 -0400
69900 +++ linux-2.6.39.3/kernel/profile.c 2011-05-22 19:36:33.000000000 -0400
69901 @@ -39,7 +39,7 @@ struct profile_hit {
69902 /* Oprofile timer tick hook */
69903 static int (*timer_hook)(struct pt_regs *) __read_mostly;
69904
69905 -static atomic_t *prof_buffer;
69906 +static atomic_unchecked_t *prof_buffer;
69907 static unsigned long prof_len, prof_shift;
69908
69909 int prof_on __read_mostly;
69910 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
69911 hits[i].pc = 0;
69912 continue;
69913 }
69914 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69915 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69916 hits[i].hits = hits[i].pc = 0;
69917 }
69918 }
69919 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
69920 * Add the current hit(s) and flush the write-queue out
69921 * to the global buffer:
69922 */
69923 - atomic_add(nr_hits, &prof_buffer[pc]);
69924 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
69925 for (i = 0; i < NR_PROFILE_HIT; ++i) {
69926 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
69927 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
69928 hits[i].pc = hits[i].hits = 0;
69929 }
69930 out:
69931 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
69932 if (prof_on != type || !prof_buffer)
69933 return;
69934 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
69935 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69936 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
69937 }
69938 #endif /* !CONFIG_SMP */
69939 EXPORT_SYMBOL_GPL(profile_hits);
69940 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
69941 return -EFAULT;
69942 buf++; p++; count--; read++;
69943 }
69944 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
69945 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
69946 if (copy_to_user(buf, (void *)pnt, count))
69947 return -EFAULT;
69948 read += count;
69949 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
69950 }
69951 #endif
69952 profile_discard_flip_buffers();
69953 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
69954 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
69955 return count;
69956 }
69957
69958 diff -urNp linux-2.6.39.3/kernel/ptrace.c linux-2.6.39.3/kernel/ptrace.c
69959 --- linux-2.6.39.3/kernel/ptrace.c 2011-05-19 00:06:34.000000000 -0400
69960 +++ linux-2.6.39.3/kernel/ptrace.c 2011-05-23 17:07:00.000000000 -0400
69961 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
69962 return ret;
69963 }
69964
69965 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
69966 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
69967 + unsigned int log)
69968 {
69969 const struct cred *cred = current_cred(), *tcred;
69970
69971 @@ -143,7 +144,8 @@ int __ptrace_may_access(struct task_stru
69972 cred->gid == tcred->sgid &&
69973 cred->gid == tcred->gid))
69974 goto ok;
69975 - if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
69976 + if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
69977 + (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
69978 goto ok;
69979 rcu_read_unlock();
69980 return -EPERM;
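Review bot: The doubled condition `(!log && ns_capable_nolog(...)) || (log && ns_capable(...))` is hard to read and easy to break when edited. A conditional expression says the same thing: `if (log ? ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE) : ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE))`. The same pattern appears, negated, in the dumpable check of the next hunk. Since `log` only receives 0 or 1 from the callers shown, `bool` would describe it better than `unsigned int`, and the parameter deserves a comment that it selects the logging variant of the capability check (inferred from the `_nolog` names; the helpers are defined elsewhere). The function body starts and ends outside this hunk.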
69981 @@ -152,7 +154,9 @@ ok:
69982 smp_rmb();
69983 if (task->mm)
69984 dumpable = get_dumpable(task->mm);
69985 - if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
69986 + if (!dumpable &&
69987 + ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
69988 + (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
69989 return -EPERM;
69990
69991 return security_ptrace_access_check(task, mode);
69992 @@ -162,7 +166,16 @@ bool ptrace_may_access(struct task_struc
69993 {
69994 int err;
69995 task_lock(task);
69996 - err = __ptrace_may_access(task, mode);
69997 + err = __ptrace_may_access(task, mode, 0);
69998 + task_unlock(task);
69999 + return !err;
70000 +}
70001 +
70002 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
70003 +{
70004 + int err;
70005 + task_lock(task);
70006 + err = __ptrace_may_access(task, mode, 1);
70007 task_unlock(task);
70008 return !err;
70009 }
70010 @@ -189,7 +202,7 @@ static int ptrace_attach(struct task_str
70011 goto out;
70012
70013 task_lock(task);
70014 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
70015 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
70016 task_unlock(task);
70017 if (retval)
70018 goto unlock_creds;
70019 @@ -202,7 +215,7 @@ static int ptrace_attach(struct task_str
70020 goto unlock_tasklist;
70021
70022 task->ptrace = PT_PTRACED;
70023 - if (task_ns_capable(task, CAP_SYS_PTRACE))
70024 + if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
70025 task->ptrace |= PT_PTRACE_CAP;
70026
70027 __ptrace_link(task, current);
70028 @@ -362,6 +375,8 @@ int ptrace_readdata(struct task_struct *
70029 {
70030 int copied = 0;
70031
70032 + pax_track_stack();
70033 +
70034 while (len > 0) {
70035 char buf[128];
70036 int this_len, retval;
70037 @@ -373,7 +388,7 @@ int ptrace_readdata(struct task_struct *
70038 break;
70039 return -EIO;
70040 }
70041 - if (copy_to_user(dst, buf, retval))
70042 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
70043 return -EFAULT;
70044 copied += retval;
70045 src += retval;
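Review bot: The new bound `retval > sizeof(buf)` works only through implicit conversion: `retval` is an `int`, so it is converted to `size_t` for the comparison, which is also what makes a negative value fail the test. That is the safe outcome, but it is not obvious from the line and it trips sign-compare warnings. Writing `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))` states both bounds. A comment that this guards the 128-byte stack buffer against an over-long result from the read above (which is outside the hunk) would explain why the check exists.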
70046 @@ -387,6 +402,8 @@ int ptrace_writedata(struct task_struct
70047 {
70048 int copied = 0;
70049
70050 + pax_track_stack();
70051 +
70052 while (len > 0) {
70053 char buf[128];
70054 int this_len, retval;
70055 @@ -569,9 +586,11 @@ int ptrace_request(struct task_struct *c
70056 {
70057 int ret = -EIO;
70058 siginfo_t siginfo;
70059 - void __user *datavp = (void __user *) data;
70060 + void __user *datavp = (__force void __user *) data;
70061 unsigned long __user *datalp = datavp;
70062
70063 + pax_track_stack();
70064 +
70065 switch (request) {
70066 case PTRACE_PEEKTEXT:
70067 case PTRACE_PEEKDATA:
70068 @@ -717,14 +736,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
70069 goto out;
70070 }
70071
70072 + if (gr_handle_ptrace(child, request)) {
70073 + ret = -EPERM;
70074 + goto out_put_task_struct;
70075 + }
70076 +
70077 if (request == PTRACE_ATTACH) {
70078 ret = ptrace_attach(child);
70079 /*
70080 * Some architectures need to do book-keeping after
70081 * a ptrace attach.
70082 */
70083 - if (!ret)
70084 + if (!ret) {
70085 arch_ptrace_attach(child);
70086 + gr_audit_ptrace(child);
70087 + }
70088 goto out_put_task_struct;
70089 }
70090
70091 @@ -749,7 +775,7 @@ int generic_ptrace_peekdata(struct task_
70092 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
70093 if (copied != sizeof(tmp))
70094 return -EIO;
70095 - return put_user(tmp, (unsigned long __user *)data);
70096 + return put_user(tmp, (__force unsigned long __user *)data);
70097 }
70098
70099 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
70100 @@ -772,6 +798,8 @@ int compat_ptrace_request(struct task_st
70101 siginfo_t siginfo;
70102 int ret;
70103
70104 + pax_track_stack();
70105 +
70106 switch (request) {
70107 case PTRACE_PEEKTEXT:
70108 case PTRACE_PEEKDATA:
70109 @@ -859,14 +887,21 @@ asmlinkage long compat_sys_ptrace(compat
70110 goto out;
70111 }
70112
70113 + if (gr_handle_ptrace(child, request)) {
70114 + ret = -EPERM;
70115 + goto out_put_task_struct;
70116 + }
70117 +
70118 if (request == PTRACE_ATTACH) {
70119 ret = ptrace_attach(child);
70120 /*
70121 * Some architectures need to do book-keeping after
70122 * a ptrace attach.
70123 */
70124 - if (!ret)
70125 + if (!ret) {
70126 arch_ptrace_attach(child);
70127 + gr_audit_ptrace(child);
70128 + }
70129 goto out_put_task_struct;
70130 }
70131
70132 diff -urNp linux-2.6.39.3/kernel/rcutorture.c linux-2.6.39.3/kernel/rcutorture.c
70133 --- linux-2.6.39.3/kernel/rcutorture.c 2011-05-19 00:06:34.000000000 -0400
70134 +++ linux-2.6.39.3/kernel/rcutorture.c 2011-05-22 19:36:33.000000000 -0400
70135 @@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
70136 { 0 };
70137 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
70138 { 0 };
70139 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70140 -static atomic_t n_rcu_torture_alloc;
70141 -static atomic_t n_rcu_torture_alloc_fail;
70142 -static atomic_t n_rcu_torture_free;
70143 -static atomic_t n_rcu_torture_mberror;
70144 -static atomic_t n_rcu_torture_error;
70145 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70146 +static atomic_unchecked_t n_rcu_torture_alloc;
70147 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
70148 +static atomic_unchecked_t n_rcu_torture_free;
70149 +static atomic_unchecked_t n_rcu_torture_mberror;
70150 +static atomic_unchecked_t n_rcu_torture_error;
70151 static long n_rcu_torture_boost_ktrerror;
70152 static long n_rcu_torture_boost_rterror;
70153 static long n_rcu_torture_boost_allocerror;
70154 @@ -225,11 +225,11 @@ rcu_torture_alloc(void)
70155
70156 spin_lock_bh(&rcu_torture_lock);
70157 if (list_empty(&rcu_torture_freelist)) {
70158 - atomic_inc(&n_rcu_torture_alloc_fail);
70159 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
70160 spin_unlock_bh(&rcu_torture_lock);
70161 return NULL;
70162 }
70163 - atomic_inc(&n_rcu_torture_alloc);
70164 + atomic_inc_unchecked(&n_rcu_torture_alloc);
70165 p = rcu_torture_freelist.next;
70166 list_del_init(p);
70167 spin_unlock_bh(&rcu_torture_lock);
70168 @@ -242,7 +242,7 @@ rcu_torture_alloc(void)
70169 static void
70170 rcu_torture_free(struct rcu_torture *p)
70171 {
70172 - atomic_inc(&n_rcu_torture_free);
70173 + atomic_inc_unchecked(&n_rcu_torture_free);
70174 spin_lock_bh(&rcu_torture_lock);
70175 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
70176 spin_unlock_bh(&rcu_torture_lock);
70177 @@ -362,7 +362,7 @@ rcu_torture_cb(struct rcu_head *p)
70178 i = rp->rtort_pipe_count;
70179 if (i > RCU_TORTURE_PIPE_LEN)
70180 i = RCU_TORTURE_PIPE_LEN;
70181 - atomic_inc(&rcu_torture_wcount[i]);
70182 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70183 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70184 rp->rtort_mbtest = 0;
70185 rcu_torture_free(rp);
70186 @@ -409,7 +409,7 @@ static void rcu_sync_torture_deferred_fr
70187 i = rp->rtort_pipe_count;
70188 if (i > RCU_TORTURE_PIPE_LEN)
70189 i = RCU_TORTURE_PIPE_LEN;
70190 - atomic_inc(&rcu_torture_wcount[i]);
70191 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70192 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70193 rp->rtort_mbtest = 0;
70194 list_del(&rp->rtort_free);
70195 @@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
70196 i = old_rp->rtort_pipe_count;
70197 if (i > RCU_TORTURE_PIPE_LEN)
70198 i = RCU_TORTURE_PIPE_LEN;
70199 - atomic_inc(&rcu_torture_wcount[i]);
70200 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70201 old_rp->rtort_pipe_count++;
70202 cur_ops->deferred_free(old_rp);
70203 }
70204 @@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
70205 return;
70206 }
70207 if (p->rtort_mbtest == 0)
70208 - atomic_inc(&n_rcu_torture_mberror);
70209 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70210 spin_lock(&rand_lock);
70211 cur_ops->read_delay(&rand);
70212 n_rcu_torture_timers++;
70213 @@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
70214 continue;
70215 }
70216 if (p->rtort_mbtest == 0)
70217 - atomic_inc(&n_rcu_torture_mberror);
70218 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70219 cur_ops->read_delay(&rand);
70220 preempt_disable();
70221 pipe_count = p->rtort_pipe_count;
70222 @@ -1072,10 +1072,10 @@ rcu_torture_printk(char *page)
70223 rcu_torture_current,
70224 rcu_torture_current_version,
70225 list_empty(&rcu_torture_freelist),
70226 - atomic_read(&n_rcu_torture_alloc),
70227 - atomic_read(&n_rcu_torture_alloc_fail),
70228 - atomic_read(&n_rcu_torture_free),
70229 - atomic_read(&n_rcu_torture_mberror),
70230 + atomic_read_unchecked(&n_rcu_torture_alloc),
70231 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
70232 + atomic_read_unchecked(&n_rcu_torture_free),
70233 + atomic_read_unchecked(&n_rcu_torture_mberror),
70234 n_rcu_torture_boost_ktrerror,
70235 n_rcu_torture_boost_rterror,
70236 n_rcu_torture_boost_allocerror,
70237 @@ -1083,7 +1083,7 @@ rcu_torture_printk(char *page)
70238 n_rcu_torture_boost_failure,
70239 n_rcu_torture_boosts,
70240 n_rcu_torture_timers);
70241 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
70242 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
70243 n_rcu_torture_boost_ktrerror != 0 ||
70244 n_rcu_torture_boost_rterror != 0 ||
70245 n_rcu_torture_boost_allocerror != 0 ||
70246 @@ -1093,7 +1093,7 @@ rcu_torture_printk(char *page)
70247 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
70248 if (i > 1) {
70249 cnt += sprintf(&page[cnt], "!!! ");
70250 - atomic_inc(&n_rcu_torture_error);
70251 + atomic_inc_unchecked(&n_rcu_torture_error);
70252 WARN_ON_ONCE(1);
70253 }
70254 cnt += sprintf(&page[cnt], "Reader Pipe: ");
70255 @@ -1107,7 +1107,7 @@ rcu_torture_printk(char *page)
70256 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
70257 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70258 cnt += sprintf(&page[cnt], " %d",
70259 - atomic_read(&rcu_torture_wcount[i]));
70260 + atomic_read_unchecked(&rcu_torture_wcount[i]));
70261 }
70262 cnt += sprintf(&page[cnt], "\n");
70263 if (cur_ops->stats)
70264 @@ -1415,7 +1415,7 @@ rcu_torture_cleanup(void)
70265
70266 if (cur_ops->cleanup)
70267 cur_ops->cleanup();
70268 - if (atomic_read(&n_rcu_torture_error))
70269 + if (atomic_read_unchecked(&n_rcu_torture_error))
70270 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
70271 else
70272 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
70273 @@ -1479,11 +1479,11 @@ rcu_torture_init(void)
70274
70275 rcu_torture_current = NULL;
70276 rcu_torture_current_version = 0;
70277 - atomic_set(&n_rcu_torture_alloc, 0);
70278 - atomic_set(&n_rcu_torture_alloc_fail, 0);
70279 - atomic_set(&n_rcu_torture_free, 0);
70280 - atomic_set(&n_rcu_torture_mberror, 0);
70281 - atomic_set(&n_rcu_torture_error, 0);
70282 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
70283 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
70284 + atomic_set_unchecked(&n_rcu_torture_free, 0);
70285 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
70286 + atomic_set_unchecked(&n_rcu_torture_error, 0);
70287 n_rcu_torture_boost_ktrerror = 0;
70288 n_rcu_torture_boost_rterror = 0;
70289 n_rcu_torture_boost_allocerror = 0;
70290 @@ -1491,7 +1491,7 @@ rcu_torture_init(void)
70291 n_rcu_torture_boost_failure = 0;
70292 n_rcu_torture_boosts = 0;
70293 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
70294 - atomic_set(&rcu_torture_wcount[i], 0);
70295 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
70296 for_each_possible_cpu(cpu) {
70297 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
70298 per_cpu(rcu_torture_count, cpu)[i] = 0;
70299 diff -urNp linux-2.6.39.3/kernel/rcutree.c linux-2.6.39.3/kernel/rcutree.c
70300 --- linux-2.6.39.3/kernel/rcutree.c 2011-05-19 00:06:34.000000000 -0400
70301 +++ linux-2.6.39.3/kernel/rcutree.c 2011-05-22 19:36:33.000000000 -0400
70302 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
70303 /*
70304 * Do softirq processing for the current CPU.
70305 */
70306 -static void rcu_process_callbacks(struct softirq_action *unused)
70307 +static void rcu_process_callbacks(void)
70308 {
70309 /*
70310 * Memory references from any prior RCU read-side critical sections
70311 diff -urNp linux-2.6.39.3/kernel/rcutree_plugin.h linux-2.6.39.3/kernel/rcutree_plugin.h
70312 --- linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-19 00:06:34.000000000 -0400
70313 +++ linux-2.6.39.3/kernel/rcutree_plugin.h 2011-05-22 19:36:33.000000000 -0400
70314 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
70315
70316 /* Clean up and exit. */
70317 smp_mb(); /* ensure expedited GP seen before counter increment. */
70318 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
70319 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
70320 unlock_mb_ret:
70321 mutex_unlock(&sync_rcu_preempt_exp_mutex);
70322 mb_ret:
70323 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
70324
70325 #else /* #ifndef CONFIG_SMP */
70326
70327 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
70328 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
70329 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
70330 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
70331
70332 static int synchronize_sched_expedited_cpu_stop(void *data)
70333 {
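Review bot: The declarations of `sync_sched_expedited_started` and `sync_sched_expedited_done` switch to `atomic_unchecked_t` without a comment saying why these counters are exempt from overflow checking. The later hunks in synchronize_sched_expedited() compare them through `UINT_CMP_GE` with unsigned casts, which suggests wraparound is expected, so a line above the declarations such as `/* sequence counters: expected to wrap, compared as unsigned, never used as reference counts */` would record that. Without it a later reader cannot tell a deliberate exemption from an unreviewed one.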
70334 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
70335 int firstsnap, s, snap, trycount = 0;
70336
70337 /* Note that atomic_inc_return() implies full memory barrier. */
70338 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
70339 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
70340 get_online_cpus();
70341
70342 /*
70343 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
70344 }
70345
70346 /* Check to see if someone else did our work for us. */
70347 - s = atomic_read(&sync_sched_expedited_done);
70348 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70349 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
70350 smp_mb(); /* ensure test happens before caller kfree */
70351 return;
70352 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
70353 * grace period works for us.
70354 */
70355 get_online_cpus();
70356 - snap = atomic_read(&sync_sched_expedited_started) - 1;
70357 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
70358 smp_mb(); /* ensure read is before try_stop_cpus(). */
70359 }
70360
70361 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
70362 * than we did beat us to the punch.
70363 */
70364 do {
70365 - s = atomic_read(&sync_sched_expedited_done);
70366 + s = atomic_read_unchecked(&sync_sched_expedited_done);
70367 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
70368 smp_mb(); /* ensure test happens before caller kfree */
70369 break;
70370 }
70371 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
70372 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
70373
70374 put_online_cpus();
70375 }
70376 diff -urNp linux-2.6.39.3/kernel/relay.c linux-2.6.39.3/kernel/relay.c
70377 --- linux-2.6.39.3/kernel/relay.c 2011-05-19 00:06:34.000000000 -0400
70378 +++ linux-2.6.39.3/kernel/relay.c 2011-05-22 19:36:33.000000000 -0400
70379 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
70380 };
70381 ssize_t ret;
70382
70383 + pax_track_stack();
70384 +
70385 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
70386 return 0;
70387 if (splice_grow_spd(pipe, &spd))
70388 diff -urNp linux-2.6.39.3/kernel/resource.c linux-2.6.39.3/kernel/resource.c
70389 --- linux-2.6.39.3/kernel/resource.c 2011-05-19 00:06:34.000000000 -0400
70390 +++ linux-2.6.39.3/kernel/resource.c 2011-05-22 19:41:42.000000000 -0400
70391 @@ -133,8 +133,18 @@ static const struct file_operations proc
70392
70393 static int __init ioresources_init(void)
70394 {
70395 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70396 +#ifdef CONFIG_GRKERNSEC_PROC_USER
70397 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
70398 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
70399 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70400 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
70401 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
70402 +#endif
70403 +#else
70404 proc_create("ioports", 0, NULL, &proc_ioports_operations);
70405 proc_create("iomem", 0, NULL, &proc_iomem_operations);
70406 +#endif
70407 return 0;
70408 }
70409 __initcall(ioresources_init);
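Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` in ioresources_init() has no fallback, so neither `ioports` nor `iomem` is created. Kconfig may rule that combination out, but nothing visible here enforces it. An inner `#else` that repeats the owner-only pair, `proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);` and the matching `iomem` line, would keep the restrictive default instead of silently dropping the files. The return value of proc_create() is ignored in every branch, as it was before the change.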
70410 diff -urNp linux-2.6.39.3/kernel/rtmutex-tester.c linux-2.6.39.3/kernel/rtmutex-tester.c
70411 --- linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-19 00:06:34.000000000 -0400
70412 +++ linux-2.6.39.3/kernel/rtmutex-tester.c 2011-05-22 19:36:33.000000000 -0400
70413 @@ -20,7 +20,7 @@
70414 #define MAX_RT_TEST_MUTEXES 8
70415
70416 static spinlock_t rttest_lock;
70417 -static atomic_t rttest_event;
70418 +static atomic_unchecked_t rttest_event;
70419
70420 struct test_thread_data {
70421 int opcode;
70422 @@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
70423
70424 case RTTEST_LOCKCONT:
70425 td->mutexes[td->opdata] = 1;
70426 - td->event = atomic_add_return(1, &rttest_event);
70427 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70428 return 0;
70429
70430 case RTTEST_RESET:
70431 @@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
70432 return 0;
70433
70434 case RTTEST_RESETEVENT:
70435 - atomic_set(&rttest_event, 0);
70436 + atomic_set_unchecked(&rttest_event, 0);
70437 return 0;
70438
70439 default:
70440 @@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
70441 return ret;
70442
70443 td->mutexes[id] = 1;
70444 - td->event = atomic_add_return(1, &rttest_event);
70445 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70446 rt_mutex_lock(&mutexes[id]);
70447 - td->event = atomic_add_return(1, &rttest_event);
70448 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70449 td->mutexes[id] = 4;
70450 return 0;
70451
70452 @@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
70453 return ret;
70454
70455 td->mutexes[id] = 1;
70456 - td->event = atomic_add_return(1, &rttest_event);
70457 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70458 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
70459 - td->event = atomic_add_return(1, &rttest_event);
70460 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70461 td->mutexes[id] = ret ? 0 : 4;
70462 return ret ? -EINTR : 0;
70463
70464 @@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
70465 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
70466 return ret;
70467
70468 - td->event = atomic_add_return(1, &rttest_event);
70469 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70470 rt_mutex_unlock(&mutexes[id]);
70471 - td->event = atomic_add_return(1, &rttest_event);
70472 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70473 td->mutexes[id] = 0;
70474 return 0;
70475
70476 @@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
70477 break;
70478
70479 td->mutexes[dat] = 2;
70480 - td->event = atomic_add_return(1, &rttest_event);
70481 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70482 break;
70483
70484 default:
70485 @@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
70486 return;
70487
70488 td->mutexes[dat] = 3;
70489 - td->event = atomic_add_return(1, &rttest_event);
70490 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70491 break;
70492
70493 case RTTEST_LOCKNOWAIT:
70494 @@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
70495 return;
70496
70497 td->mutexes[dat] = 1;
70498 - td->event = atomic_add_return(1, &rttest_event);
70499 + td->event = atomic_add_return_unchecked(1, &rttest_event);
70500 return;
70501
70502 default:
70503 diff -urNp linux-2.6.39.3/kernel/sched_autogroup.c linux-2.6.39.3/kernel/sched_autogroup.c
70504 --- linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-19 00:06:34.000000000 -0400
70505 +++ linux-2.6.39.3/kernel/sched_autogroup.c 2011-05-22 19:36:33.000000000 -0400
70506 @@ -7,7 +7,7 @@
70507
70508 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
70509 static struct autogroup autogroup_default;
70510 -static atomic_t autogroup_seq_nr;
70511 +static atomic_unchecked_t autogroup_seq_nr;
70512
70513 static void __init autogroup_init(struct task_struct *init_task)
70514 {
70515 @@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
70516
70517 kref_init(&ag->kref);
70518 init_rwsem(&ag->lock);
70519 - ag->id = atomic_inc_return(&autogroup_seq_nr);
70520 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
70521 ag->tg = tg;
70522 #ifdef CONFIG_RT_GROUP_SCHED
70523 /*
70524 diff -urNp linux-2.6.39.3/kernel/sched.c linux-2.6.39.3/kernel/sched.c
70525 --- linux-2.6.39.3/kernel/sched.c 2011-05-19 00:06:34.000000000 -0400
70526 +++ linux-2.6.39.3/kernel/sched.c 2011-05-23 17:07:00.000000000 -0400
70527 @@ -4078,6 +4078,8 @@ asmlinkage void __sched schedule(void)
70528 struct rq *rq;
70529 int cpu;
70530
70531 + pax_track_stack();
70532 +
70533 need_resched:
70534 preempt_disable();
70535 cpu = smp_processor_id();
70536 @@ -4165,7 +4167,7 @@ EXPORT_SYMBOL(schedule);
70537 * Look out! "owner" is an entirely speculative pointer
70538 * access and not reliable.
70539 */
70540 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
70541 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
70542 {
70543 unsigned int cpu;
70544 struct rq *rq;
70545 @@ -4179,10 +4181,10 @@ int mutex_spin_on_owner(struct mutex *lo
70546 * DEBUG_PAGEALLOC could have unmapped it if
70547 * the mutex owner just released it and exited.
70548 */
70549 - if (probe_kernel_address(&owner->cpu, cpu))
70550 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
70551 return 0;
70552 #else
70553 - cpu = owner->cpu;
70554 + cpu = task_thread_info(owner)->cpu;
70555 #endif
70556
70557 /*
70558 @@ -4219,7 +4221,7 @@ int mutex_spin_on_owner(struct mutex *lo
70559 /*
70560 * Is that owner really running on that cpu?
70561 */
70562 - if (task_thread_info(rq->curr) != owner || need_resched())
70563 + if (rq->curr != owner || need_resched())
70564 return 0;
70565
70566 arch_mutex_cpu_relax();
70567 @@ -4778,6 +4780,8 @@ int can_nice(const struct task_struct *p
70568 /* convert nice value [19,-20] to rlimit style value [1,40] */
70569 int nice_rlim = 20 - nice;
70570
70571 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
70572 +
70573 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
70574 capable(CAP_SYS_NICE));
70575 }
70576 @@ -4811,7 +4815,8 @@ SYSCALL_DEFINE1(nice, int, increment)
70577 if (nice > 19)
70578 nice = 19;
70579
70580 - if (increment < 0 && !can_nice(current, nice))
70581 + if (increment < 0 && (!can_nice(current, nice) ||
70582 + gr_handle_chroot_nice()))
70583 return -EPERM;
70584
70585 retval = security_task_setnice(current, nice);
70586 @@ -4957,6 +4962,7 @@ recheck:
70587 unsigned long rlim_rtprio =
70588 task_rlimit(p, RLIMIT_RTPRIO);
70589
70590 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
70591 /* can't set/change the rt policy */
70592 if (policy != p->policy && !rlim_rtprio)
70593 return -EPERM;
70594 @@ -7164,7 +7170,7 @@ static void init_sched_groups_power(int
70595 long power;
70596 int weight;
70597
70598 - WARN_ON(!sd || !sd->groups);
70599 + BUG_ON(!sd || !sd->groups);
70600
70601 if (cpu != group_first_cpu(sd->groups))
70602 return;
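Review bot: Replacing `WARN_ON` with `BUG_ON` at the top of init_sched_groups_power() turns a reportable condition into a halt, and the hunk gives no comment explaining the choice. The next visible statement dereferences `sd->groups`, so the intent is presumably to stop before a NULL dereference. If callers tolerate the power setup being skipped (they are outside the hunk), `if (WARN_ON(!sd || !sd->groups)) return;` avoids the dereference without taking the machine down. Otherwise a one-line comment stating that continuing is unsafe would justify the `BUG_ON`.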
70603 diff -urNp linux-2.6.39.3/kernel/sched_fair.c linux-2.6.39.3/kernel/sched_fair.c
70604 --- linux-2.6.39.3/kernel/sched_fair.c 2011-05-19 00:06:34.000000000 -0400
70605 +++ linux-2.6.39.3/kernel/sched_fair.c 2011-05-22 19:36:33.000000000 -0400
70606 @@ -3999,7 +3999,7 @@ static void nohz_idle_balance(int this_c
70607 * run_rebalance_domains is triggered when needed from the scheduler tick.
70608 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
70609 */
70610 -static void run_rebalance_domains(struct softirq_action *h)
70611 +static void run_rebalance_domains(void)
70612 {
70613 int this_cpu = smp_processor_id();
70614 struct rq *this_rq = cpu_rq(this_cpu);
70615 diff -urNp linux-2.6.39.3/kernel/signal.c linux-2.6.39.3/kernel/signal.c
70616 --- linux-2.6.39.3/kernel/signal.c 2011-05-19 00:06:34.000000000 -0400
70617 +++ linux-2.6.39.3/kernel/signal.c 2011-07-14 21:03:15.000000000 -0400
70618 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
70619
70620 int print_fatal_signals __read_mostly;
70621
70622 -static void __user *sig_handler(struct task_struct *t, int sig)
70623 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
70624 {
70625 return t->sighand->action[sig - 1].sa.sa_handler;
70626 }
70627
70628 -static int sig_handler_ignored(void __user *handler, int sig)
70629 +static int sig_handler_ignored(__sighandler_t handler, int sig)
70630 {
70631 /* Is it explicitly or implicitly ignored? */
70632 return handler == SIG_IGN ||
70633 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
70634 static int sig_task_ignored(struct task_struct *t, int sig,
70635 int from_ancestor_ns)
70636 {
70637 - void __user *handler;
70638 + __sighandler_t handler;
70639
70640 handler = sig_handler(t, sig);
70641
70642 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
70643 atomic_inc(&user->sigpending);
70644 rcu_read_unlock();
70645
70646 + if (!override_rlimit)
70647 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
70648 +
70649 if (override_rlimit ||
70650 atomic_read(&user->sigpending) <=
70651 task_rlimit(t, RLIMIT_SIGPENDING)) {
70652 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
70653
70654 int unhandled_signal(struct task_struct *tsk, int sig)
70655 {
70656 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
70657 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
70658 if (is_global_init(tsk))
70659 return 1;
70660 if (handler != SIG_IGN && handler != SIG_DFL)
70661 @@ -693,6 +696,12 @@ static int check_kill_permission(int sig
70662 }
70663 }
70664
70665 + /* allow glibc communication via tgkill to other threads in our
70666 + thread group */
70667 + if ((info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||
70668 + task_tgid_vnr(t) != info->si_pid) && gr_handle_signal(t, sig))
70669 + return -EPERM;
70670 +
70671 return security_task_kill(t, info, sig, 0);
70672 }
70673
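Review bot: The added condition reads `info->si_code` and `info->si_pid` without first checking that `info` is a real siginfo pointer. The gr_log_signal() calls added elsewhere in this file guard the same kind of access with `!is_si_special(info)`, which suggests sentinel values do reach signal code. Whether one can reach this line depends on the earlier part of check_kill_permission(), which is outside the hunk. If it can, the test should open with the guard: `if ((is_si_special(info) || info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||`. The do_send_specific() hunk reads `info->si_code` the same way, so its callers deserve the same check.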
70674 @@ -1041,7 +1050,7 @@ __group_send_sig_info(int sig, struct si
70675 return send_signal(sig, info, p, 1);
70676 }
70677
70678 -static int
70679 +int
70680 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70681 {
70682 return send_signal(sig, info, t, 0);
70683 @@ -1078,6 +1087,7 @@ force_sig_info(int sig, struct siginfo *
70684 unsigned long int flags;
70685 int ret, blocked, ignored;
70686 struct k_sigaction *action;
70687 + int is_unhandled = 0;
70688
70689 spin_lock_irqsave(&t->sighand->siglock, flags);
70690 action = &t->sighand->action[sig-1];
70691 @@ -1092,9 +1102,18 @@ force_sig_info(int sig, struct siginfo *
70692 }
70693 if (action->sa.sa_handler == SIG_DFL)
70694 t->signal->flags &= ~SIGNAL_UNKILLABLE;
70695 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
70696 + is_unhandled = 1;
70697 ret = specific_send_sig_info(sig, info, t);
70698 spin_unlock_irqrestore(&t->sighand->siglock, flags);
70699
70700 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
70701 + normal operation */
70702 + if (is_unhandled) {
70703 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
70704 + gr_handle_crash(t, sig);
70705 + }
70706 +
70707 return ret;
70708 }
70709
70710 @@ -1153,8 +1172,11 @@ int group_send_sig_info(int sig, struct
70711 ret = check_kill_permission(sig, info, p);
70712 rcu_read_unlock();
70713
70714 - if (!ret && sig)
70715 + if (!ret && sig) {
70716 ret = do_send_sig_info(sig, info, p, true);
70717 + if (!ret)
70718 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
70719 + }
70720
70721 return ret;
70722 }
70723 @@ -1718,6 +1740,8 @@ void ptrace_notify(int exit_code)
70724 {
70725 siginfo_t info;
70726
70727 + pax_track_stack();
70728 +
70729 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
70730
70731 memset(&info, 0, sizeof info);
70732 @@ -2393,7 +2417,15 @@ do_send_specific(pid_t tgid, pid_t pid,
70733 int error = -ESRCH;
70734
70735 rcu_read_lock();
70736 - p = find_task_by_vpid(pid);
70737 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
70738 + /* allow glibc communication via tgkill to other threads in our
70739 + thread group */
70740 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
70741 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
70742 + p = find_task_by_vpid_unrestricted(pid);
70743 + else
70744 +#endif
70745 + p = find_task_by_vpid(pid);
70746 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
70747 error = check_kill_permission(sig, info, p);
70748 /*
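Review bot: The `else` placed just before `#endif` binds to the `p = find_task_by_vpid(pid);` line that follows the preprocessor block, so the statement is only complete when read across the conditional and is easy to break in a later edit. Giving the block an `#else` that carries its own `p = find_task_by_vpid(pid);`, and bracing the `if`/`else` inside the `#ifdef`, makes each configuration a complete statement. Separately, the unrestricted lookup is chosen from `info->si_code`, `info->si_pid` and `tgid`, so the exemption is only as sound as the callers that fill those fields. Those callers are outside the hunk, and a comment stating that the fields are kernel-set at this point would document the assumption.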
70749 diff -urNp linux-2.6.39.3/kernel/smp.c linux-2.6.39.3/kernel/smp.c
70750 --- linux-2.6.39.3/kernel/smp.c 2011-05-19 00:06:34.000000000 -0400
70751 +++ linux-2.6.39.3/kernel/smp.c 2011-05-22 19:36:33.000000000 -0400
70752 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
70753 }
70754 EXPORT_SYMBOL(smp_call_function);
70755
70756 -void ipi_call_lock(void)
70757 +void ipi_call_lock(void) __acquires(call_function.lock)
70758 {
70759 raw_spin_lock(&call_function.lock);
70760 }
70761
70762 -void ipi_call_unlock(void)
70763 +void ipi_call_unlock(void) __releases(call_function.lock)
70764 {
70765 raw_spin_unlock(&call_function.lock);
70766 }
70767
70768 -void ipi_call_lock_irq(void)
70769 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
70770 {
70771 raw_spin_lock_irq(&call_function.lock);
70772 }
70773
70774 -void ipi_call_unlock_irq(void)
70775 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
70776 {
70777 raw_spin_unlock_irq(&call_function.lock);
70778 }
70779 diff -urNp linux-2.6.39.3/kernel/softirq.c linux-2.6.39.3/kernel/softirq.c
70780 --- linux-2.6.39.3/kernel/softirq.c 2011-05-19 00:06:34.000000000 -0400
70781 +++ linux-2.6.39.3/kernel/softirq.c 2011-05-22 19:36:33.000000000 -0400
70782 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
70783
70784 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
70785
70786 -char *softirq_to_name[NR_SOFTIRQS] = {
70787 +const char * const softirq_to_name[NR_SOFTIRQS] = {
70788 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
70789 "TASKLET", "SCHED", "HRTIMER", "RCU"
70790 };
70791 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
70792
70793 asmlinkage void __do_softirq(void)
70794 {
70795 - struct softirq_action *h;
70796 + const struct softirq_action *h;
70797 __u32 pending;
70798 int max_restart = MAX_SOFTIRQ_RESTART;
70799 int cpu;
70800 @@ -235,7 +235,7 @@ restart:
70801 kstat_incr_softirqs_this_cpu(vec_nr);
70802
70803 trace_softirq_entry(vec_nr);
70804 - h->action(h);
70805 + h->action();
70806 trace_softirq_exit(vec_nr);
70807 if (unlikely(prev_count != preempt_count())) {
70808 printk(KERN_ERR "huh, entered softirq %u %s %p"
70809 @@ -377,7 +377,7 @@ void raise_softirq(unsigned int nr)
70810 local_irq_restore(flags);
70811 }
70812
70813 -void open_softirq(int nr, void (*action)(struct softirq_action *))
70814 +void open_softirq(int nr, void (*action)(void))
70815 {
70816 softirq_vec[nr].action = action;
70817 }
70818 @@ -433,7 +433,7 @@ void __tasklet_hi_schedule_first(struct
70819
70820 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
70821
70822 -static void tasklet_action(struct softirq_action *a)
70823 +static void tasklet_action(void)
70824 {
70825 struct tasklet_struct *list;
70826
70827 @@ -468,7 +468,7 @@ static void tasklet_action(struct softir
70828 }
70829 }
70830
70831 -static void tasklet_hi_action(struct softirq_action *a)
70832 +static void tasklet_hi_action(void)
70833 {
70834 struct tasklet_struct *list;
70835
70836 diff -urNp linux-2.6.39.3/kernel/sys.c linux-2.6.39.3/kernel/sys.c
70837 --- linux-2.6.39.3/kernel/sys.c 2011-05-19 00:06:34.000000000 -0400
70838 +++ linux-2.6.39.3/kernel/sys.c 2011-05-22 21:08:10.000000000 -0400
70839 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
70840 error = -EACCES;
70841 goto out;
70842 }
70843 +
70844 + if (gr_handle_chroot_setpriority(p, niceval)) {
70845 + error = -EACCES;
70846 + goto out;
70847 + }
70848 +
70849 no_nice = security_task_setnice(p, niceval);
70850 if (no_nice) {
70851 error = no_nice;
70852 @@ -538,6 +544,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
70853 goto error;
70854 }
70855
70856 + if (gr_check_group_change(new->gid, new->egid, -1))
70857 + goto error;
70858 +
70859 if (rgid != (gid_t) -1 ||
70860 (egid != (gid_t) -1 && egid != old->gid))
70861 new->sgid = new->egid;
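Review bot: The `gr_check_group_change(new->gid, new->egid, -1)` call, like the other `gr_check_group_change`/`gr_check_user_change` calls added in this file, passes `-1` with no comment saying what it means or which id each position carries. From the call sites (`(uid, uid, uid)` in setuid, `(-1, -1, uid)` in setfsuid) the order looks like real, effective, fs with `-1` meaning "not being changed", but that is inferred, not stated. A short comment at the first use, e.g. `/* args: real, effective, fs; -1 = id left unchanged */`, would settle it. Note also that setregid and setreuid pass the resolved `new->` values while setresuid and setresgid pass the raw syscall arguments; the saved id requested by setresuid/setresgid is not passed to the check at all, which may be intended but is worth stating.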
70862 @@ -567,6 +576,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
70863 old = current_cred();
70864
70865 retval = -EPERM;
70866 +
70867 + if (gr_check_group_change(gid, gid, gid))
70868 + goto error;
70869 +
70870 if (nsown_capable(CAP_SETGID))
70871 new->gid = new->egid = new->sgid = new->fsgid = gid;
70872 else if (gid == old->gid || gid == old->sgid)
70873 @@ -647,6 +660,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
70874 goto error;
70875 }
70876
70877 + if (gr_check_user_change(new->uid, new->euid, -1))
70878 + goto error;
70879 +
70880 if (new->uid != old->uid) {
70881 retval = set_user(new);
70882 if (retval < 0)
70883 @@ -691,6 +707,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
70884 old = current_cred();
70885
70886 retval = -EPERM;
70887 +
70888 + if (gr_check_crash_uid(uid))
70889 + goto error;
70890 + if (gr_check_user_change(uid, uid, uid))
70891 + goto error;
70892 +
70893 if (nsown_capable(CAP_SETUID)) {
70894 new->suid = new->uid = uid;
70895 if (uid != old->uid) {
70896 @@ -745,6 +767,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
70897 goto error;
70898 }
70899
70900 + if (gr_check_user_change(ruid, euid, -1))
70901 + goto error;
70902 +
70903 if (ruid != (uid_t) -1) {
70904 new->uid = ruid;
70905 if (ruid != old->uid) {
70906 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
70907 goto error;
70908 }
70909
70910 + if (gr_check_group_change(rgid, egid, -1))
70911 + goto error;
70912 +
70913 if (rgid != (gid_t) -1)
70914 new->gid = rgid;
70915 if (egid != (gid_t) -1)
70916 @@ -855,6 +883,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70917 old = current_cred();
70918 old_fsuid = old->fsuid;
70919
70920 + if (gr_check_user_change(-1, -1, uid))
70921 + goto error;
70922 +
70923 if (uid == old->uid || uid == old->euid ||
70924 uid == old->suid || uid == old->fsuid ||
70925 nsown_capable(CAP_SETUID)) {
70926 @@ -865,6 +896,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
70927 }
70928 }
70929
70930 +error:
70931 abort_creds(new);
70932 return old_fsuid;
70933
70934 @@ -891,12 +923,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
70935 if (gid == old->gid || gid == old->egid ||
70936 gid == old->sgid || gid == old->fsgid ||
70937 nsown_capable(CAP_SETGID)) {
70938 + if (gr_check_group_change(-1, -1, gid))
70939 + goto error;
70940 +
70941 if (gid != old_fsgid) {
70942 new->fsgid = gid;
70943 goto change_okay;
70944 }
70945 }
70946
70947 +error:
70948 abort_creds(new);
70949 return old_fsgid;
70950
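Review bot: In setfsgid the `gr_check_group_change(-1, -1, gid)` call sits inside the permission `if`, while the setfsuid hunk just above places `gr_check_user_change(-1, -1, uid)` before it. The outcome for the caller looks the same either way, since both paths end in `abort_creds(new)`, but the check runs under different conditions in two functions that are otherwise written in parallel. Moving the two added lines so they precede `if (gid == old->gid || ...` would make the pair consistent. The start of the function is outside the hunk.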
70951 @@ -1643,7 +1679,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
70952 error = get_dumpable(me->mm);
70953 break;
70954 case PR_SET_DUMPABLE:
70955 - if (arg2 < 0 || arg2 > 1) {
70956 + if (arg2 > 1) {
70957 error = -EINVAL;
70958 break;
70959 }
70960 diff -urNp linux-2.6.39.3/kernel/sysctl.c linux-2.6.39.3/kernel/sysctl.c
70961 --- linux-2.6.39.3/kernel/sysctl.c 2011-05-19 00:06:34.000000000 -0400
70962 +++ linux-2.6.39.3/kernel/sysctl.c 2011-05-22 20:23:10.000000000 -0400
70963 @@ -84,6 +84,13 @@
70964
70965
70966 #if defined(CONFIG_SYSCTL)
70967 +#include <linux/grsecurity.h>
70968 +#include <linux/grinternal.h>
70969 +
70970 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
70971 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
70972 + const int op);
70973 +extern int gr_handle_chroot_sysctl(const int op);
70974
70975 /* External variables not in a header file. */
70976 extern int sysctl_overcommit_memory;
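Review bot: The prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared with `extern` directly in sysctl.c, immediately after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included. The taskstats.c hunk does the same for `gr_is_taskstats_denied`. Declaring them in the header instead lets the compiler check each definition against the prototype the callers use. A local `extern` keeps compiling after a signature change and fails only at run time.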
70977 @@ -196,6 +203,7 @@ static int sysrq_sysctl_handler(ctl_tabl
70978 }
70979
70980 #endif
70981 +extern struct ctl_table grsecurity_table[];
70982
70983 static struct ctl_table root_table[];
70984 static struct ctl_table_root sysctl_table_root;
70985 @@ -225,6 +233,20 @@ extern struct ctl_table epoll_table[];
70986 int sysctl_legacy_va_layout;
70987 #endif
70988
70989 +#ifdef CONFIG_PAX_SOFTMODE
70990 +static ctl_table pax_table[] = {
70991 + {
70992 + .procname = "softmode",
70993 + .data = &pax_softmode,
70994 + .maxlen = sizeof(unsigned int),
70995 + .mode = 0600,
70996 + .proc_handler = &proc_dointvec,
70997 + },
70998 +
70999 + { }
71000 +};
71001 +#endif
71002 +
71003 /* The default sysctl tables: */
71004
71005 static struct ctl_table root_table[] = {
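Review bot: The `softmode` entry in `pax_table` uses `proc_dointvec` with no bounds, so any integer value can be written to `pax_softmode`, including negative ones, even though `.maxlen` is `sizeof(unsigned int)`. If the variable is treated as an on/off switch (its consumers are not visible here), the entry should restrict writes the way other entries in this file do: `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &zero,` and `.extra2 = &one,`. Because this sysctl relaxes enforcement, a one-line comment on the entry stating its effect and its `0600` mode would also help reviewers.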
71006 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
71007 #endif
71008
71009 static struct ctl_table kern_table[] = {
71010 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
71011 + {
71012 + .procname = "grsecurity",
71013 + .mode = 0500,
71014 + .child = grsecurity_table,
71015 + },
71016 +#endif
71017 +
71018 +#ifdef CONFIG_PAX_SOFTMODE
71019 + {
71020 + .procname = "pax",
71021 + .mode = 0500,
71022 + .child = pax_table,
71023 + },
71024 +#endif
71025 +
71026 {
71027 .procname = "sched_child_runs_first",
71028 .data = &sysctl_sched_child_runs_first,
71029 @@ -545,7 +583,7 @@ static struct ctl_table kern_table[] = {
71030 .data = &modprobe_path,
71031 .maxlen = KMOD_PATH_LEN,
71032 .mode = 0644,
71033 - .proc_handler = proc_dostring,
71034 + .proc_handler = proc_dostring_modpriv,
71035 },
71036 {
71037 .procname = "modules_disabled",
71038 @@ -707,16 +745,20 @@ static struct ctl_table kern_table[] = {
71039 .extra1 = &zero,
71040 .extra2 = &one,
71041 },
71042 +#endif
71043 {
71044 .procname = "kptr_restrict",
71045 .data = &kptr_restrict,
71046 .maxlen = sizeof(int),
71047 .mode = 0644,
71048 .proc_handler = proc_dmesg_restrict,
71049 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71050 + .extra1 = &two,
71051 +#else
71052 .extra1 = &zero,
71053 +#endif
71054 .extra2 = &two,
71055 },
71056 -#endif
71057 {
71058 .procname = "ngroups_max",
71059 .data = &ngroups_max,
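Review bot: With `CONFIG_GRKERNSEC_HIDESYM`, the `kptr_restrict` entry sets both `.extra1` and `.extra2` to `&two`, which pins writes to the single value 2 but does nothing for the initial value. Assuming the handler enforces the bounds only on write, the initializer of `kptr_restrict` (outside this hunk) must also be 2 under the same config or the restriction is not in force until someone writes it. Moving `#endif` above the entry also takes it out of a conditional block whose opening `#if` is not visible, so `proc_dmesg_restrict` has to be defined when that condition is false; worth confirming with a build of that configuration. A comment on the entry such as `/* HIDESYM: value is fixed at 2 */` would make the intent explicit.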
71060 @@ -1189,6 +1231,13 @@ static struct ctl_table vm_table[] = {
71061 .proc_handler = proc_dointvec_minmax,
71062 .extra1 = &zero,
71063 },
71064 + {
71065 + .procname = "heap_stack_gap",
71066 + .data = &sysctl_heap_stack_gap,
71067 + .maxlen = sizeof(sysctl_heap_stack_gap),
71068 + .mode = 0644,
71069 + .proc_handler = proc_doulongvec_minmax,
71070 + },
71071 #else
71072 {
71073 .procname = "nr_trim_pages",
71074 @@ -1698,6 +1747,17 @@ static int test_perm(int mode, int op)
71075 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
71076 {
71077 int mode;
71078 + int error;
71079 +
71080 + if (table->parent != NULL && table->parent->procname != NULL &&
71081 + table->procname != NULL &&
71082 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71083 + return -EACCES;
71084 + if (gr_handle_chroot_sysctl(op))
71085 + return -EACCES;
71086 + error = gr_handle_sysctl(table, op);
71087 + if (error)
71088 + return error;
71089
71090 if (root->permissions)
71091 mode = root->permissions(root, current->nsproxy, table);
71092 @@ -2102,6 +2162,16 @@ int proc_dostring(struct ctl_table *tabl
71093 buffer, lenp, ppos);
71094 }
71095
71096 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71097 + void __user *buffer, size_t *lenp, loff_t *ppos)
71098 +{
71099 + if (write && !capable(CAP_SYS_MODULE))
71100 + return -EPERM;
71101 +
71102 + return _proc_do_string(table->data, table->maxlen, write,
71103 + buffer, lenp, ppos);
71104 +}
71105 +
71106 static size_t proc_skip_spaces(char **buf)
71107 {
71108 size_t ret;
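Review bot: proc_dostring_modpriv() is added without a comment describing how it differs from proc_dostring(), although it is exported and used for the `modprobe_path` entry in `kern_table`. A header such as `/* proc_dostring() variant: writes require CAP_SYS_MODULE, reads are unchanged */` would document the contract. It should also note that the check applies to the task performing the write and that the entry's file mode stays `0644`. The stub added in the later hunk returns `-ENOSYS` and deserves the same one-line description.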
71109 @@ -2207,6 +2277,8 @@ static int proc_put_long(void __user **b
71110 len = strlen(tmp);
71111 if (len > *size)
71112 len = *size;
71113 + if (len > sizeof(tmp))
71114 + len = sizeof(tmp);
71115 if (copy_to_user(*buf, tmp, len))
71116 return -EFAULT;
71117 *size -= len;
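Review bot: The added `if (len > sizeof(tmp))` clamp runs after `len = strlen(tmp)`, so it bounds only the `copy_to_user()` length. For a properly terminated buffer `len` is already at most `sizeof(tmp) - 1` and the condition is not expected to fire, while for an unterminated one the overread has already happened inside `strlen`. The code that fills `tmp` is outside the hunk; if the concern is an oversized formatted value, the bound belongs on that formatting call. If the clamp is kept as defence in depth, a comment saying so, e.g. `/* defensive: never copy more than the local buffer holds */`, would stop it being removed as dead code.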
71118 @@ -2523,8 +2595,11 @@ static int __do_proc_doulongvec_minmax(v
71119 *i = val;
71120 } else {
71121 val = convdiv * (*i) / convmul;
71122 - if (!first)
71123 + if (!first) {
71124 err = proc_put_char(&buffer, &left, '\t');
71125 + if (err)
71126 + break;
71127 + }
71128 err = proc_put_long(&buffer, &left, val, false);
71129 if (err)
71130 break;
71131 @@ -2919,6 +2994,12 @@ int proc_dostring(struct ctl_table *tabl
71132 return -ENOSYS;
71133 }
71134
71135 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71136 + void __user *buffer, size_t *lenp, loff_t *ppos)
71137 +{
71138 + return -ENOSYS;
71139 +}
71140 +
71141 int proc_dointvec(struct ctl_table *table, int write,
71142 void __user *buffer, size_t *lenp, loff_t *ppos)
71143 {
71144 @@ -2975,6 +3056,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
71145 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
71146 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
71147 EXPORT_SYMBOL(proc_dostring);
71148 +EXPORT_SYMBOL(proc_dostring_modpriv);
71149 EXPORT_SYMBOL(proc_doulongvec_minmax);
71150 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
71151 EXPORT_SYMBOL(register_sysctl_table);
71152 diff -urNp linux-2.6.39.3/kernel/sysctl_check.c linux-2.6.39.3/kernel/sysctl_check.c
71153 --- linux-2.6.39.3/kernel/sysctl_check.c 2011-05-19 00:06:34.000000000 -0400
71154 +++ linux-2.6.39.3/kernel/sysctl_check.c 2011-05-22 19:41:42.000000000 -0400
71155 @@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
71156 set_fail(&fail, table, "Directory with extra2");
71157 } else {
71158 if ((table->proc_handler == proc_dostring) ||
71159 + (table->proc_handler == proc_dostring_modpriv) ||
71160 (table->proc_handler == proc_dointvec) ||
71161 (table->proc_handler == proc_dointvec_minmax) ||
71162 (table->proc_handler == proc_dointvec_jiffies) ||
71163 diff -urNp linux-2.6.39.3/kernel/taskstats.c linux-2.6.39.3/kernel/taskstats.c
71164 --- linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:18:51.000000000 -0400
71165 +++ linux-2.6.39.3/kernel/taskstats.c 2011-07-09 09:19:24.000000000 -0400
71166 @@ -27,9 +27,12 @@
71167 #include <linux/cgroup.h>
71168 #include <linux/fs.h>
71169 #include <linux/file.h>
71170 +#include <linux/grsecurity.h>
71171 #include <net/genetlink.h>
71172 #include <asm/atomic.h>
71173
71174 +extern int gr_is_taskstats_denied(int pid);
71175 +
71176 /*
71177 * Maximum length of a cpumask that can be specified in
71178 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
71179 @@ -558,6 +561,9 @@ err:
71180
71181 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
71182 {
71183 + if (gr_is_taskstats_denied(current->pid))
71184 + return -EACCES;
71185 +
71186 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
71187 return cmd_attr_register_cpumask(info);
71188 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
71189 diff -urNp linux-2.6.39.3/kernel/time/posix-clock.c linux-2.6.39.3/kernel/time/posix-clock.c
71190 --- linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-19 00:06:34.000000000 -0400
71191 +++ linux-2.6.39.3/kernel/time/posix-clock.c 2011-05-22 19:36:33.000000000 -0400
71192 @@ -433,7 +433,7 @@ static int pc_timer_settime(struct k_iti
71193 return err;
71194 }
71195
71196 -struct k_clock clock_posix_dynamic = {
71197 +const struct k_clock clock_posix_dynamic = {
71198 .clock_getres = pc_clock_getres,
71199 .clock_set = pc_clock_settime,
71200 .clock_get = pc_clock_gettime,
71201 diff -urNp linux-2.6.39.3/kernel/time/tick-broadcast.c linux-2.6.39.3/kernel/time/tick-broadcast.c
71202 --- linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-19 00:06:34.000000000 -0400
71203 +++ linux-2.6.39.3/kernel/time/tick-broadcast.c 2011-05-22 19:36:33.000000000 -0400
71204 @@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
71205 * then clear the broadcast bit.
71206 */
71207 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
71208 - int cpu = smp_processor_id();
71209 + cpu = smp_processor_id();
71210
71211 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
71212 tick_broadcast_clear_oneshot(cpu);
71213 diff -urNp linux-2.6.39.3/kernel/time/timekeeping.c linux-2.6.39.3/kernel/time/timekeeping.c
71214 --- linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-19 00:06:34.000000000 -0400
71215 +++ linux-2.6.39.3/kernel/time/timekeeping.c 2011-05-22 20:40:50.000000000 -0400
71216 @@ -14,6 +14,7 @@
71217 #include <linux/init.h>
71218 #include <linux/mm.h>
71219 #include <linux/sched.h>
71220 +#include <linux/grsecurity.h>
71221 #include <linux/syscore_ops.h>
71222 #include <linux/clocksource.h>
71223 #include <linux/jiffies.h>
71224 @@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
71225 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
71226 return -EINVAL;
71227
71228 + gr_log_timechange();
71229 +
71230 write_seqlock_irqsave(&xtime_lock, flags);
71231
71232 timekeeping_forward_now();
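Review bot: The `gr_log_timechange()` call is placed after the `tv_nsec` range check and before `write_seqlock_irqsave(&xtime_lock, flags)`, and nothing records why that position was chosen. As written the entry is produced before the clock is changed and outside the irq-disabled seqlock section, which the logging path presumably requires. A comment such as `/* log the request before taking xtime_lock; logging must not run inside the seqlock */` would keep a later refactor from moving it. The call takes no arguments, so whether the old and new time reach the log cannot be seen from here; for forensic use both values are worth recording.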
71233 diff -urNp linux-2.6.39.3/kernel/time/timer_list.c linux-2.6.39.3/kernel/time/timer_list.c
71234 --- linux-2.6.39.3/kernel/time/timer_list.c 2011-05-19 00:06:34.000000000 -0400
71235 +++ linux-2.6.39.3/kernel/time/timer_list.c 2011-05-22 19:41:42.000000000 -0400
71236 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
71237
71238 static void print_name_offset(struct seq_file *m, void *sym)
71239 {
71240 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71241 + SEQ_printf(m, "<%p>", NULL);
71242 +#else
71243 char symname[KSYM_NAME_LEN];
71244
71245 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
71246 SEQ_printf(m, "<%pK>", sym);
71247 else
71248 SEQ_printf(m, "%s", symname);
71249 +#endif
71250 }
71251
71252 static void
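Review bot: Under CONFIG_GRKERNSEC_HIDESYM the body is reduced to `SEQ_printf(m, "<%p>", NULL)`, so the placeholder in /proc/timer_list is whatever vsprintf prints for a NULL `%p`. The lib/vsprintf.c hunk of this same patch changes that text from `(null)` to `(nil)`, which anything parsing this file will see. A comment such as `/* HIDESYM: emit a fixed placeholder, never the symbol name or address */` above the `#ifdef` would state the intent. The same pattern is used in print_base() in the next hunk and in print_name_offset() in kernel/time/timer_stats.c.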
71253 @@ -112,7 +116,11 @@ next_one:
71254 static void
71255 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
71256 {
71257 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71258 + SEQ_printf(m, " .base: %p\n", NULL);
71259 +#else
71260 SEQ_printf(m, " .base: %pK\n", base);
71261 +#endif
71262 SEQ_printf(m, " .index: %d\n",
71263 base->index);
71264 SEQ_printf(m, " .resolution: %Lu nsecs\n",
71265 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
71266 {
71267 struct proc_dir_entry *pe;
71268
71269 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71270 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
71271 +#else
71272 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
71273 +#endif
71274 if (!pe)
71275 return -ENOMEM;
71276 return 0;
71277 diff -urNp linux-2.6.39.3/kernel/time/timer_stats.c linux-2.6.39.3/kernel/time/timer_stats.c
71278 --- linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-19 00:06:34.000000000 -0400
71279 +++ linux-2.6.39.3/kernel/time/timer_stats.c 2011-05-22 19:41:42.000000000 -0400
71280 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
71281 static unsigned long nr_entries;
71282 static struct entry entries[MAX_ENTRIES];
71283
71284 -static atomic_t overflow_count;
71285 +static atomic_unchecked_t overflow_count;
71286
71287 /*
71288 * The entries are in a hash-table, for fast lookup:
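Review bot: The switch of `overflow_count` to `atomic_unchecked_t` is not explained at the declaration, so a reader cannot tell a deliberate exemption from overflow checking from an oversight. In this file's hunks the counter is only reset, incremented and printed, which fits a statistics value whose wraparound is harmless. A comment such as `/* statistics only: wraparound is harmless, so exempt from refcount overflow protection */` would record that. The same applies to `bt->dropped` in kernel/trace/blktrace.c, `dropped_count` in kernel/trace/trace_mmiotrace.c and `inserted` in kernel/trace/trace_workqueue.c. A counter that ever gates an object's lifetime would have to stay a checked `atomic_t`.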
71289 @@ -140,7 +140,7 @@ static void reset_entries(void)
71290 nr_entries = 0;
71291 memset(entries, 0, sizeof(entries));
71292 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
71293 - atomic_set(&overflow_count, 0);
71294 + atomic_set_unchecked(&overflow_count, 0);
71295 }
71296
71297 static struct entry *alloc_entry(void)
71298 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
71299 if (likely(entry))
71300 entry->count++;
71301 else
71302 - atomic_inc(&overflow_count);
71303 + atomic_inc_unchecked(&overflow_count);
71304
71305 out_unlock:
71306 raw_spin_unlock_irqrestore(lock, flags);
71307 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
71308
71309 static void print_name_offset(struct seq_file *m, unsigned long addr)
71310 {
71311 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71312 + seq_printf(m, "<%p>", NULL);
71313 +#else
71314 char symname[KSYM_NAME_LEN];
71315
71316 if (lookup_symbol_name(addr, symname) < 0)
71317 seq_printf(m, "<%p>", (void *)addr);
71318 else
71319 seq_printf(m, "%s", symname);
71320 +#endif
71321 }
71322
71323 static int tstats_show(struct seq_file *m, void *v)
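Review bot: The non-HIDESYM branch still prints the raw address with plain `%p`, in `seq_printf(m, "<%p>", (void *)addr)`, whereas the equivalent function in kernel/time/timer_list.c uses `%pK`. On kernels built without CONFIG_GRKERNSEC_HIDESYM, this output in /proc/timer_stats is therefore not governed by `kptr_restrict` when symbol lookup fails. The line should read `seq_printf(m, "<%pK>", (void *)addr);` so that both files follow the same rule.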
71324 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
71325
71326 seq_puts(m, "Timer Stats Version: v0.2\n");
71327 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
71328 - if (atomic_read(&overflow_count))
71329 + if (atomic_read_unchecked(&overflow_count))
71330 seq_printf(m, "Overflow: %d entries\n",
71331 - atomic_read(&overflow_count));
71332 + atomic_read_unchecked(&overflow_count));
71333
71334 for (i = 0; i < nr_entries; i++) {
71335 entry = entries + i;
71336 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
71337 {
71338 struct proc_dir_entry *pe;
71339
71340 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71341 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
71342 +#else
71343 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
71344 +#endif
71345 if (!pe)
71346 return -ENOMEM;
71347 return 0;
71348 diff -urNp linux-2.6.39.3/kernel/time.c linux-2.6.39.3/kernel/time.c
71349 --- linux-2.6.39.3/kernel/time.c 2011-05-19 00:06:34.000000000 -0400
71350 +++ linux-2.6.39.3/kernel/time.c 2011-05-22 19:41:42.000000000 -0400
71351 @@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
71352 return error;
71353
71354 if (tz) {
71355 + /* we log in do_settimeofday called below, so don't log twice
71356 + */
71357 + if (!tv)
71358 + gr_log_timechange();
71359 +
71360 /* SMP safe, global irq locking makes it work. */
71361 sys_tz = *tz;
71362 update_vsyscall_tz();
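Review bot: Skipping the log when `tv` is set relies on `do_settimeofday()` always reaching its own `gr_log_timechange()`, but that function returns -EINVAL before logging when its `tv_nsec` check fails (see the kernel/time/timekeeping.c hunk). If such a `tv` can get this far, `sys_tz` has already been changed and no record is written. Validation earlier in do_sys_settimeofday(), outside this hunk, may rule that out. The comment should state the assumption, for example `/* tv was validated above, so do_settimeofday() below cannot fail before it logs */`.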
71363 diff -urNp linux-2.6.39.3/kernel/timer.c linux-2.6.39.3/kernel/timer.c
71364 --- linux-2.6.39.3/kernel/timer.c 2011-05-19 00:06:34.000000000 -0400
71365 +++ linux-2.6.39.3/kernel/timer.c 2011-05-22 19:36:33.000000000 -0400
71366 @@ -1305,7 +1305,7 @@ void update_process_times(int user_tick)
71367 /*
71368 * This function runs timers and the timer-tq in bottom half context.
71369 */
71370 -static void run_timer_softirq(struct softirq_action *h)
71371 +static void run_timer_softirq(void)
71372 {
71373 struct tvec_base *base = __this_cpu_read(tvec_bases);
71374
71375 diff -urNp linux-2.6.39.3/kernel/trace/blktrace.c linux-2.6.39.3/kernel/trace/blktrace.c
71376 --- linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-19 00:06:34.000000000 -0400
71377 +++ linux-2.6.39.3/kernel/trace/blktrace.c 2011-05-22 19:36:33.000000000 -0400
71378 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
71379 struct blk_trace *bt = filp->private_data;
71380 char buf[16];
71381
71382 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
71383 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
71384
71385 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
71386 }
71387 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
71388 return 1;
71389
71390 bt = buf->chan->private_data;
71391 - atomic_inc(&bt->dropped);
71392 + atomic_inc_unchecked(&bt->dropped);
71393 return 0;
71394 }
71395
71396 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
71397
71398 bt->dir = dir;
71399 bt->dev = dev;
71400 - atomic_set(&bt->dropped, 0);
71401 + atomic_set_unchecked(&bt->dropped, 0);
71402
71403 ret = -EIO;
71404 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
71405 diff -urNp linux-2.6.39.3/kernel/trace/ftrace.c linux-2.6.39.3/kernel/trace/ftrace.c
71406 --- linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:04:14.000000000 -0400
71407 +++ linux-2.6.39.3/kernel/trace/ftrace.c 2011-06-03 00:32:08.000000000 -0400
71408 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
71409
71410 ip = rec->ip;
71411
71412 + ret = ftrace_arch_code_modify_prepare();
71413 + FTRACE_WARN_ON(ret);
71414 + if (ret)
71415 + return 0;
71416 +
71417 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
71418 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
71419 if (ret) {
71420 ftrace_bug(ret, ip);
71421 rec->flags |= FTRACE_FL_FAILED;
71422 - return 0;
71423 }
71424 - return 1;
71425 + return ret ? 0 : 1;
71426 }
71427
71428 /*
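Review bot: When `ftrace_arch_code_modify_prepare()` fails, the function returns 0 after a warning without the `rec->flags |= FTRACE_FL_FAILED` marking that the `ftrace_make_nop()` failure path applies, so the two failure modes leave the record in different states. If callers rely on that flag, which is not visible in this hunk, the early exit should be `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`. The result of `ftrace_arch_code_modify_post_process()` is only handed to `FTRACE_WARN_ON`, so if undoing the prepare step fails, execution continues with just a warning. A short comment on why the prepare/post pair wraps a single record would also help, since it appears to run once per call.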
71429 @@ -2011,7 +2016,7 @@ static void ftrace_free_entry_rcu(struct
71430
71431 int
71432 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71433 - void *data)
71434 + void *data)
71435 {
71436 struct ftrace_func_probe *entry;
71437 struct ftrace_page *pg;
71438 @@ -2083,7 +2088,7 @@ enum {
71439 };
71440
71441 static void
71442 -__unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
71443 +__unregister_ftrace_function_probe(char *glob, const struct ftrace_probe_ops *ops,
71444 void *data, int flags)
71445 {
71446 struct ftrace_func_probe *entry;
71447 @@ -2144,7 +2149,7 @@ unregister_ftrace_function_probe(char *g
71448 }
71449
71450 void
71451 -unregister_ftrace_function_probe_func(char *glob, struct ftrace_probe_ops *ops)
71452 +unregister_ftrace_function_probe_func(char *glob, const struct ftrace_probe_ops *ops)
71453 {
71454 __unregister_ftrace_function_probe(glob, ops, NULL, PROBE_TEST_FUNC);
71455 }
71456 diff -urNp linux-2.6.39.3/kernel/trace/trace.c linux-2.6.39.3/kernel/trace/trace.c
71457 --- linux-2.6.39.3/kernel/trace/trace.c 2011-05-19 00:06:34.000000000 -0400
71458 +++ linux-2.6.39.3/kernel/trace/trace.c 2011-05-22 19:36:33.000000000 -0400
71459 @@ -3330,6 +3330,8 @@ static ssize_t tracing_splice_read_pipe(
71460 size_t rem;
71461 unsigned int i;
71462
71463 + pax_track_stack();
71464 +
71465 if (splice_grow_spd(pipe, &spd))
71466 return -ENOMEM;
71467
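Review bot: `pax_track_stack()` is added with no indication of why this function needs it, and the same call is added to tracing_buffers_splice_read() in the next hunk. Presumably both functions have large stack frames from locals declared above the hunks. If so, a comment such as `/* large stack frame: record the stack depth for PAX_MEMORY_STACKLEAK */` at each call would let a maintainer judge whether the call is still needed once those locals change.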
71468 @@ -3813,6 +3815,8 @@ tracing_buffers_splice_read(struct file
71469 int entries, size, i;
71470 size_t ret;
71471
71472 + pax_track_stack();
71473 +
71474 if (splice_grow_spd(pipe, &spd))
71475 return -ENOMEM;
71476
71477 @@ -3981,10 +3985,9 @@ static const struct file_operations trac
71478 };
71479 #endif
71480
71481 -static struct dentry *d_tracer;
71482 -
71483 struct dentry *tracing_init_dentry(void)
71484 {
71485 + static struct dentry *d_tracer;
71486 static int once;
71487
71488 if (d_tracer)
71489 @@ -4004,10 +4007,9 @@ struct dentry *tracing_init_dentry(void)
71490 return d_tracer;
71491 }
71492
71493 -static struct dentry *d_percpu;
71494 -
71495 struct dentry *tracing_dentry_percpu(void)
71496 {
71497 + static struct dentry *d_percpu;
71498 static int once;
71499 struct dentry *d_tracer;
71500
71501 diff -urNp linux-2.6.39.3/kernel/trace/trace_events.c linux-2.6.39.3/kernel/trace/trace_events.c
71502 --- linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-19 00:06:34.000000000 -0400
71503 +++ linux-2.6.39.3/kernel/trace/trace_events.c 2011-05-22 19:36:33.000000000 -0400
71504 @@ -1241,10 +1241,10 @@ static LIST_HEAD(ftrace_module_file_list
71505 struct ftrace_module_file_ops {
71506 struct list_head list;
71507 struct module *mod;
71508 - struct file_operations id;
71509 - struct file_operations enable;
71510 - struct file_operations format;
71511 - struct file_operations filter;
71512 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
71513 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
71514 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
71515 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
71516 };
71517
71518 static struct ftrace_module_file_ops *
71519 diff -urNp linux-2.6.39.3/kernel/trace/trace_functions.c linux-2.6.39.3/kernel/trace/trace_functions.c
71520 --- linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-19 00:06:34.000000000 -0400
71521 +++ linux-2.6.39.3/kernel/trace/trace_functions.c 2011-05-22 19:36:33.000000000 -0400
71522 @@ -308,7 +308,7 @@ ftrace_trace_onoff_print(struct seq_file
71523 static int
71524 ftrace_trace_onoff_unreg(char *glob, char *cmd, char *param)
71525 {
71526 - struct ftrace_probe_ops *ops;
71527 + const struct ftrace_probe_ops *ops;
71528
71529 /* we register both traceon and traceoff to this callback */
71530 if (strcmp(cmd, "traceon") == 0)
71531 diff -urNp linux-2.6.39.3/kernel/trace/trace_mmiotrace.c linux-2.6.39.3/kernel/trace/trace_mmiotrace.c
71532 --- linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-19 00:06:34.000000000 -0400
71533 +++ linux-2.6.39.3/kernel/trace/trace_mmiotrace.c 2011-05-22 19:36:33.000000000 -0400
71534 @@ -24,7 +24,7 @@ struct header_iter {
71535 static struct trace_array *mmio_trace_array;
71536 static bool overrun_detected;
71537 static unsigned long prev_overruns;
71538 -static atomic_t dropped_count;
71539 +static atomic_unchecked_t dropped_count;
71540
71541 static void mmio_reset_data(struct trace_array *tr)
71542 {
71543 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
71544
71545 static unsigned long count_overruns(struct trace_iterator *iter)
71546 {
71547 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
71548 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
71549 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
71550
71551 if (over > prev_overruns)
71552 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
71553 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
71554 sizeof(*entry), 0, pc);
71555 if (!event) {
71556 - atomic_inc(&dropped_count);
71557 + atomic_inc_unchecked(&dropped_count);
71558 return;
71559 }
71560 entry = ring_buffer_event_data(event);
71561 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
71562 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
71563 sizeof(*entry), 0, pc);
71564 if (!event) {
71565 - atomic_inc(&dropped_count);
71566 + atomic_inc_unchecked(&dropped_count);
71567 return;
71568 }
71569 entry = ring_buffer_event_data(event);
71570 diff -urNp linux-2.6.39.3/kernel/trace/trace_output.c linux-2.6.39.3/kernel/trace/trace_output.c
71571 --- linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-19 00:06:34.000000000 -0400
71572 +++ linux-2.6.39.3/kernel/trace/trace_output.c 2011-05-22 19:36:33.000000000 -0400
71573 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
71574
71575 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
71576 if (!IS_ERR(p)) {
71577 - p = mangle_path(s->buffer + s->len, p, "\n");
71578 + p = mangle_path(s->buffer + s->len, p, "\n\\");
71579 if (p) {
71580 s->len = p - s->buffer;
71581 return 1;
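Review bot: The escape set passed to `mangle_path()` grows from `"\n"` to `"\n\\"` without a comment, and the reason is easy to lose. If backslash itself is not escaped, a path containing a literal backslash sequence cannot be told apart from one that mangle_path produced by escaping a newline, so a crafted file name could make trace output ambiguous. A comment such as `/* escape '\\' as well so escaped output stays unambiguous */` above the call would document that.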
71582 diff -urNp linux-2.6.39.3/kernel/trace/trace_stack.c linux-2.6.39.3/kernel/trace/trace_stack.c
71583 --- linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-19 00:06:34.000000000 -0400
71584 +++ linux-2.6.39.3/kernel/trace/trace_stack.c 2011-05-22 19:36:33.000000000 -0400
71585 @@ -50,7 +50,7 @@ static inline void check_stack(void)
71586 return;
71587
71588 /* we do not handle interrupt stacks yet */
71589 - if (!object_is_on_stack(&this_size))
71590 + if (!object_starts_on_stack(&this_size))
71591 return;
71592
71593 local_irq_save(flags);
71594 diff -urNp linux-2.6.39.3/kernel/trace/trace_workqueue.c linux-2.6.39.3/kernel/trace/trace_workqueue.c
71595 --- linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-19 00:06:34.000000000 -0400
71596 +++ linux-2.6.39.3/kernel/trace/trace_workqueue.c 2011-05-22 19:36:33.000000000 -0400
71597 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
71598 int cpu;
71599 pid_t pid;
71600 /* Can be inserted from interrupt or user context, need to be atomic */
71601 - atomic_t inserted;
71602 + atomic_unchecked_t inserted;
71603 /*
71604 * Don't need to be atomic, works are serialized in a single workqueue thread
71605 * on a single CPU.
71606 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
71607 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
71608 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
71609 if (node->pid == wq_thread->pid) {
71610 - atomic_inc(&node->inserted);
71611 + atomic_inc_unchecked(&node->inserted);
71612 goto found;
71613 }
71614 }
71615 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
71616 tsk = get_pid_task(pid, PIDTYPE_PID);
71617 if (tsk) {
71618 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
71619 - atomic_read(&cws->inserted), cws->executed,
71620 + atomic_read_unchecked(&cws->inserted), cws->executed,
71621 tsk->comm);
71622 put_task_struct(tsk);
71623 }
71624 diff -urNp linux-2.6.39.3/lib/bug.c linux-2.6.39.3/lib/bug.c
71625 --- linux-2.6.39.3/lib/bug.c 2011-05-19 00:06:34.000000000 -0400
71626 +++ linux-2.6.39.3/lib/bug.c 2011-05-22 19:36:33.000000000 -0400
71627 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
71628 return BUG_TRAP_TYPE_NONE;
71629
71630 bug = find_bug(bugaddr);
71631 + if (!bug)
71632 + return BUG_TRAP_TYPE_NONE;
71633
71634 file = NULL;
71635 line = 0;
71636 diff -urNp linux-2.6.39.3/lib/debugobjects.c linux-2.6.39.3/lib/debugobjects.c
71637 --- linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:18:51.000000000 -0400
71638 +++ linux-2.6.39.3/lib/debugobjects.c 2011-07-09 09:19:24.000000000 -0400
71639 @@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
71640 if (limit > 4)
71641 return;
71642
71643 - is_on_stack = object_is_on_stack(addr);
71644 + is_on_stack = object_starts_on_stack(addr);
71645 if (is_on_stack == onstack)
71646 return;
71647
71648 diff -urNp linux-2.6.39.3/lib/dma-debug.c linux-2.6.39.3/lib/dma-debug.c
71649 --- linux-2.6.39.3/lib/dma-debug.c 2011-05-19 00:06:34.000000000 -0400
71650 +++ linux-2.6.39.3/lib/dma-debug.c 2011-05-22 19:36:33.000000000 -0400
71651 @@ -862,7 +862,7 @@ out:
71652
71653 static void check_for_stack(struct device *dev, void *addr)
71654 {
71655 - if (object_is_on_stack(addr))
71656 + if (object_starts_on_stack(addr))
71657 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
71658 "stack [addr=%p]\n", addr);
71659 }
71660 diff -urNp linux-2.6.39.3/lib/inflate.c linux-2.6.39.3/lib/inflate.c
71661 --- linux-2.6.39.3/lib/inflate.c 2011-05-19 00:06:34.000000000 -0400
71662 +++ linux-2.6.39.3/lib/inflate.c 2011-05-22 19:36:33.000000000 -0400
71663 @@ -269,7 +269,7 @@ static void free(void *where)
71664 malloc_ptr = free_mem_ptr;
71665 }
71666 #else
71667 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71668 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71669 #define free(a) kfree(a)
71670 #endif
71671
71672 diff -urNp linux-2.6.39.3/lib/Kconfig.debug linux-2.6.39.3/lib/Kconfig.debug
71673 --- linux-2.6.39.3/lib/Kconfig.debug 2011-05-19 00:06:34.000000000 -0400
71674 +++ linux-2.6.39.3/lib/Kconfig.debug 2011-05-22 19:41:42.000000000 -0400
71675 @@ -1078,6 +1078,7 @@ config LATENCYTOP
71676 depends on DEBUG_KERNEL
71677 depends on STACKTRACE_SUPPORT
71678 depends on PROC_FS
71679 + depends on !GRKERNSEC_HIDESYM
71680 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
71681 select KALLSYMS
71682 select KALLSYMS_ALL
71683 diff -urNp linux-2.6.39.3/lib/kref.c linux-2.6.39.3/lib/kref.c
71684 --- linux-2.6.39.3/lib/kref.c 2011-05-19 00:06:34.000000000 -0400
71685 +++ linux-2.6.39.3/lib/kref.c 2011-05-22 19:36:33.000000000 -0400
71686 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
71687 */
71688 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
71689 {
71690 - WARN_ON(release == NULL);
71691 + BUG_ON(release == NULL);
71692 WARN_ON(release == (void (*)(struct kref *))kfree);
71693
71694 if (atomic_dec_and_test(&kref->refcount)) {
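Review bot: Promoting the NULL check to `BUG_ON(release == NULL)` turns a caller bug from a warning into a fatal stop, and the reason should be written next to it. The hunk shows `atomic_dec_and_test(&kref->refcount)` right after. The call through `release` is presumably inside that branch, outside the hunk, where a NULL would become an indirect call to address 0. A comment such as `/* never reach the release call with a NULL pointer; stop here instead */` would explain why this check is stricter than the `WARN_ON` for `kfree` on the next line.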
71695 diff -urNp linux-2.6.39.3/lib/radix-tree.c linux-2.6.39.3/lib/radix-tree.c
71696 --- linux-2.6.39.3/lib/radix-tree.c 2011-05-19 00:06:34.000000000 -0400
71697 +++ linux-2.6.39.3/lib/radix-tree.c 2011-05-22 19:36:33.000000000 -0400
71698 @@ -80,7 +80,7 @@ struct radix_tree_preload {
71699 int nr;
71700 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71701 };
71702 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71703 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
71704
71705 static inline void *ptr_to_indirect(void *ptr)
71706 {
71707 diff -urNp linux-2.6.39.3/lib/vsprintf.c linux-2.6.39.3/lib/vsprintf.c
71708 --- linux-2.6.39.3/lib/vsprintf.c 2011-05-19 00:06:34.000000000 -0400
71709 +++ linux-2.6.39.3/lib/vsprintf.c 2011-05-22 20:54:59.000000000 -0400
71710 @@ -16,6 +16,9 @@
71711 * - scnprintf and vscnprintf
71712 */
71713
71714 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71715 +#define __INCLUDED_BY_HIDESYM 1
71716 +#endif
71717 #include <stdarg.h>
71718 #include <linux/module.h>
71719 #include <linux/types.h>
71720 @@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
71721 char sym[KSYM_SYMBOL_LEN];
71722 if (ext == 'B')
71723 sprint_backtrace(sym, value);
71724 - else if (ext != 'f' && ext != 's')
71725 + else if (ext != 'f' && ext != 's' && ext != 'a')
71726 sprint_symbol(sym, value);
71727 else
71728 kallsyms_lookup(value, NULL, NULL, NULL, sym);
71729 @@ -797,7 +800,11 @@ char *uuid_string(char *buf, char *end,
71730 return string(buf, end, uuid, spec);
71731 }
71732
71733 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71734 +int kptr_restrict __read_mostly = 2;
71735 +#else
71736 int kptr_restrict __read_mostly;
71737 +#endif
71738
71739 /*
71740 * Show a '%p' thing. A kernel extension is that the '%p' is followed
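Review bot: `kptr_restrict` only gets a stricter initial value here (`= 2`); it is not made constant, so it can still be changed wherever the variable is written. If a runtime knob for it exists in this tree, which this hunk does not show, a sufficiently privileged process could set it back to 0 on a HIDESYM kernel. A comment such as `/* HIDESYM only raises the default; the runtime setting must be restricted separately */` would keep the two from being confused.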
71741 @@ -811,6 +818,8 @@ int kptr_restrict __read_mostly;
71742 * - 'S' For symbolic direct pointers with offset
71743 * - 's' For symbolic direct pointers without offset
71744 * - 'B' For backtraced symbolic direct pointers with offset
71745 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
71746 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
71747 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
71748 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
71749 * - 'M' For a 6-byte MAC address, it prints the address in the
71750 @@ -855,12 +864,12 @@ char *pointer(const char *fmt, char *buf
71751 {
71752 if (!ptr && *fmt != 'K') {
71753 /*
71754 - * Print (null) with the same width as a pointer so it makes
71755 + * Print (nil) with the same width as a pointer so it makes
71756 * tabular output look nice.
71757 */
71758 if (spec.field_width == -1)
71759 spec.field_width = 2 * sizeof(void *);
71760 - return string(buf, end, "(null)", spec);
71761 + return string(buf, end, "(nil)", spec);
71762 }
71763
71764 switch (*fmt) {
71765 @@ -870,6 +879,13 @@ char *pointer(const char *fmt, char *buf
71766 /* Fallthrough */
71767 case 'S':
71768 case 's':
71769 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71770 + break;
71771 +#else
71772 + return symbol_string(buf, end, ptr, spec, *fmt);
71773 +#endif
71774 + case 'A':
71775 + case 'a':
71776 case 'B':
71777 return symbol_string(buf, end, ptr, spec, *fmt);
71778 case 'R':
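Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'S'`/`'s'` cases, and the cases above that fall through into them, now `break` out of the switch instead of calling `symbol_string()`. What is printed then is decided by code after the switch, outside this hunk. If that code is the generic pointer formatting, these specifiers would emit a raw address in place of a symbol name, which is worth confirming against the intent of HIDESYM. A preprocessor block in the middle of a case list is also hard to read; a comment such as `/* HIDESYM: only 'A'/'a'/'B' resolve symbols; 'S'/'s' fall back to the default output */` before the `#ifdef` would help.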
71779 @@ -1632,11 +1648,11 @@ int bstr_printf(char *buf, size_t size,
71780 typeof(type) value; \
71781 if (sizeof(type) == 8) { \
71782 args = PTR_ALIGN(args, sizeof(u32)); \
71783 - *(u32 *)&value = *(u32 *)args; \
71784 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
71785 + *(u32 *)&value = *(const u32 *)args; \
71786 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
71787 } else { \
71788 args = PTR_ALIGN(args, sizeof(type)); \
71789 - value = *(typeof(type) *)args; \
71790 + value = *(const typeof(type) *)args; \
71791 } \
71792 args += sizeof(type); \
71793 value; \
71794 @@ -1699,7 +1715,7 @@ int bstr_printf(char *buf, size_t size,
71795 case FORMAT_TYPE_STR: {
71796 const char *str_arg = args;
71797 args += strlen(str_arg) + 1;
71798 - str = string(str, end, (char *)str_arg, spec);
71799 + str = string(str, end, str_arg, spec);
71800 break;
71801 }
71802
71803 diff -urNp linux-2.6.39.3/localversion-grsec linux-2.6.39.3/localversion-grsec
71804 --- linux-2.6.39.3/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71805 +++ linux-2.6.39.3/localversion-grsec 2011-05-22 19:41:42.000000000 -0400
71806 @@ -0,0 +1 @@
71807 +-grsec
71808 diff -urNp linux-2.6.39.3/Makefile linux-2.6.39.3/Makefile
71809 --- linux-2.6.39.3/Makefile 2011-07-09 09:18:51.000000000 -0400
71810 +++ linux-2.6.39.3/Makefile 2011-07-09 09:19:18.000000000 -0400
71811 @@ -237,8 +237,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71812
71813 HOSTCC = gcc
71814 HOSTCXX = g++
71815 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
71816 -HOSTCXXFLAGS = -O2
71817 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
71818 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
71819 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
71820
71821 # Decide whether to build built-in, modular, or both.
71822 # Normally, just do built-in.
71823 @@ -356,10 +357,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
71824 KBUILD_CPPFLAGS := -D__KERNEL__
71825
71826 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71827 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
71828 -fno-strict-aliasing -fno-common \
71829 -Werror-implicit-function-declaration \
71830 -Wno-format-security \
71831 -fno-delete-null-pointer-checks
71832 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
71833 KBUILD_AFLAGS_KERNEL :=
71834 KBUILD_CFLAGS_KERNEL :=
71835 KBUILD_AFLAGS := -D__ASSEMBLY__
71836 @@ -397,8 +400,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
71837 # Rules shared between *config targets and build targets
71838
71839 # Basic helpers built in scripts/
71840 -PHONY += scripts_basic
71841 -scripts_basic:
71842 +PHONY += scripts_basic pax-plugin
71843 +scripts_basic: pax-plugin
71844 $(Q)$(MAKE) $(build)=scripts/basic
71845 $(Q)rm -f .tmp_quiet_recordmcount
71846
71847 @@ -550,6 +553,18 @@ endif
71848
71849 include $(srctree)/arch/$(SRCARCH)/Makefile
71850
71851 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71852 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
71853 +endif
71854 +pax-plugin:
71855 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
71856 + $(Q)$(MAKE) $(build)=tools/gcc
71857 +else
71858 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
71859 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
71860 +endif
71861 +endif
71862 +
71863 ifneq ($(CONFIG_FRAME_WARN),0)
71864 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
71865 endif
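Review bot: When the compiler cannot load plugins, the `pax-plugin` rule only echoes a warning to stdout and the build goes on, so a kernel configured with CONFIG_PAX_MEMORY_STACKLEAK=y can be built with weaker protection than its .config claims. In a quiet or logged build that line is easy to miss; at minimum it should go to stderr, `$(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure" >&2`. A build that must not degrade could fail at this point instead. The plugin is also selected by a gcc version test (`cc-ifversion, -ge, 0405`) rather than by probing for plugin support, so a new enough compiler without plugin headers would presumably fail later in `tools/gcc`.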
71866 @@ -685,7 +700,7 @@ export mod_strip_cmd
71867
71868
71869 ifeq ($(KBUILD_EXTMOD),)
71870 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71871 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71872
71873 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71874 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71875 @@ -947,7 +962,7 @@ ifneq ($(KBUILD_SRC),)
71876 endif
71877
71878 # prepare2 creates a makefile if using a separate output directory
71879 -prepare2: prepare3 outputmakefile
71880 +prepare2: prepare3 outputmakefile pax-plugin
71881
71882 prepare1: prepare2 include/linux/version.h include/generated/utsrelease.h \
71883 include/config/auto.conf
71884 @@ -1375,7 +1390,7 @@ clean: $(clean-dirs)
71885 $(call cmd,rmdirs)
71886 $(call cmd,rmfiles)
71887 @find $(if $(KBUILD_EXTMOD), $(KBUILD_EXTMOD), .) $(RCS_FIND_IGNORE) \
71888 - \( -name '*.[oas]' -o -name '*.ko' -o -name '.*.cmd' \
71889 + \( -name '*.[oas]' -o -name '*.[ks]o' -o -name '.*.cmd' \
71890 -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \
71891 -o -name '*.symtypes' -o -name 'modules.order' \
71892 -o -name modules.builtin -o -name '.tmp_*.o.*' \
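Review bot: Widening `'*.ko'` to `'*.[ks]o'` makes `make clean` delete every `.so` file under the tree, or under `$(KBUILD_EXTMOD)` for an external module build, not just the plugin this patch builds. An out-of-tree module directory that carries its own shared objects would lose them on clean. Keeping the pattern as `'*.ko'` and removing the plugin from the Makefile in tools/gcc (not shown here), for instance through its `clean-files` list, would limit the deletion to the file this patch introduces. The find command continues outside the hunk.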
71893 diff -urNp linux-2.6.39.3/mm/filemap.c linux-2.6.39.3/mm/filemap.c
71894 --- linux-2.6.39.3/mm/filemap.c 2011-05-19 00:06:34.000000000 -0400
71895 +++ linux-2.6.39.3/mm/filemap.c 2011-05-22 19:41:42.000000000 -0400
71896 @@ -1724,7 +1724,7 @@ int generic_file_mmap(struct file * file
71897 struct address_space *mapping = file->f_mapping;
71898
71899 if (!mapping->a_ops->readpage)
71900 - return -ENOEXEC;
71901 + return -ENODEV;
71902 file_accessed(file);
71903 vma->vm_ops = &generic_file_vm_ops;
71904 vma->vm_flags |= VM_CAN_NONLINEAR;
71905 @@ -2120,6 +2120,7 @@ inline int generic_write_checks(struct f
71906 *pos = i_size_read(inode);
71907
71908 if (limit != RLIM_INFINITY) {
71909 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71910 if (*pos >= limit) {
71911 send_sig(SIGXFSZ, current, 0);
71912 return -EFBIG;
71913 diff -urNp linux-2.6.39.3/mm/fremap.c linux-2.6.39.3/mm/fremap.c
71914 --- linux-2.6.39.3/mm/fremap.c 2011-05-19 00:06:34.000000000 -0400
71915 +++ linux-2.6.39.3/mm/fremap.c 2011-05-22 19:36:33.000000000 -0400
71916 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71917 retry:
71918 vma = find_vma(mm, start);
71919
71920 +#ifdef CONFIG_PAX_SEGMEXEC
71921 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71922 + goto out;
71923 +#endif
71924 +
71925 /*
71926 * Make sure the vma is shared, that it supports prefaulting,
71927 * and that the remapped range is valid and fully within
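Review bot: The new SEGMEXEC test jumps to `out` without assigning an error code, so the value returned to user space is whatever `err` holds at this point, and that assignment is outside the hunk. The block also gives no reason for refusing the call on a vma with `VM_MAYEXEC`; presumably a nonlinear remap could not be kept in sync with the mirrored mapping. A comment such as `/* SEGMEXEC: no nonlinear remapping of executable-capable vmas; fails with the initial err */` would record both the reason and the result.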
71928 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71929 /*
71930 * drop PG_Mlocked flag for over-mapped range
71931 */
71932 - unsigned int saved_flags = vma->vm_flags;
71933 + unsigned long saved_flags = vma->vm_flags;
71934 munlock_vma_pages_range(vma, start, start + size);
71935 vma->vm_flags = saved_flags;
71936 }
71937 diff -urNp linux-2.6.39.3/mm/highmem.c linux-2.6.39.3/mm/highmem.c
71938 --- linux-2.6.39.3/mm/highmem.c 2011-05-19 00:06:34.000000000 -0400
71939 +++ linux-2.6.39.3/mm/highmem.c 2011-05-22 19:36:33.000000000 -0400
71940 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
71941 * So no dangers, even with speculative execution.
71942 */
71943 page = pte_page(pkmap_page_table[i]);
71944 + pax_open_kernel();
71945 pte_clear(&init_mm, (unsigned long)page_address(page),
71946 &pkmap_page_table[i]);
71947 -
71948 + pax_close_kernel();
71949 set_page_address(page, NULL);
71950 need_flush = 1;
71951 }
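Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around `pte_clear()` has no comment, and the closing call replaces the blank line that used to separate the page-table update from `set_page_address()`, so the write window is easy to overlook. Here and in the next hunk the pair brackets exactly one page-table write. A comment such as `/* pkmap page table write: keep the open/close pair tight around it */` would discourage adding statements in between. Any early exit later placed between the two calls would leave the window open.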
71952 @@ -186,9 +187,11 @@ start:
71953 }
71954 }
71955 vaddr = PKMAP_ADDR(last_pkmap_nr);
71956 +
71957 + pax_open_kernel();
71958 set_pte_at(&init_mm, vaddr,
71959 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71960 -
71961 + pax_close_kernel();
71962 pkmap_count[last_pkmap_nr] = 1;
71963 set_page_address(page, (void *)vaddr);
71964
71965 diff -urNp linux-2.6.39.3/mm/huge_memory.c linux-2.6.39.3/mm/huge_memory.c
71966 --- linux-2.6.39.3/mm/huge_memory.c 2011-05-19 00:06:34.000000000 -0400
71967 +++ linux-2.6.39.3/mm/huge_memory.c 2011-05-22 19:36:33.000000000 -0400
71968 @@ -702,7 +702,7 @@ out:
71969 * run pte_offset_map on the pmd, if an huge pmd could
71970 * materialize from under us from a different thread.
71971 */
71972 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
71973 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
71974 return VM_FAULT_OOM;
71975 /* if an huge pmd materialized from under us just retry later */
71976 if (unlikely(pmd_trans_huge(*pmd)))
71977 diff -urNp linux-2.6.39.3/mm/hugetlb.c linux-2.6.39.3/mm/hugetlb.c
71978 --- linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:18:51.000000000 -0400
71979 +++ linux-2.6.39.3/mm/hugetlb.c 2011-07-09 09:19:24.000000000 -0400
71980 @@ -2339,6 +2339,27 @@ static int unmap_ref_private(struct mm_s
71981 return 1;
71982 }
71983
71984 +#ifdef CONFIG_PAX_SEGMEXEC
71985 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71986 +{
71987 + struct mm_struct *mm = vma->vm_mm;
71988 + struct vm_area_struct *vma_m;
71989 + unsigned long address_m;
71990 + pte_t *ptep_m;
71991 +
71992 + vma_m = pax_find_mirror_vma(vma);
71993 + if (!vma_m)
71994 + return;
71995 +
71996 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71997 + address_m = address + SEGMEXEC_TASK_SIZE;
71998 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71999 + get_page(page_m);
72000 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
72001 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
72002 +}
72003 +#endif
72004 +
72005 /*
72006 * Hugetlb_cow() should be called with page lock of the original hugepage held.
72007 */
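Review bot: In `pax_mirror_huge_pte()` the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` is passed straight to `set_huge_pte_at()` without a NULL check. The hugetlb_fault() hunk further down calls `huge_pte_alloc()` for the mirror address first, so the entry presumably exists by the time this helper runs, but nothing in the helper states or enforces that. Adding `BUG_ON(!ptep_m);` after the lookup, in line with the existing `BUG_ON(address >= SEGMEXEC_TASK_SIZE)`, would turn a broken invariant into a defined stop rather than a write through a NULL pointer. The lookup masks the address with `HPAGE_MASK` while `hugepage_add_anon_rmap()` and `set_huge_pte_at()` receive the unmasked `address_m`; a comment on whether callers pass an aligned address would settle that.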
72008 @@ -2440,6 +2461,11 @@ retry_avoidcopy:
72009 make_huge_pte(vma, new_page, 1));
72010 page_remove_rmap(old_page);
72011 hugepage_add_new_anon_rmap(new_page, vma, address);
72012 +
72013 +#ifdef CONFIG_PAX_SEGMEXEC
72014 + pax_mirror_huge_pte(vma, address, new_page);
72015 +#endif
72016 +
72017 /* Make the old page be freed below */
72018 new_page = old_page;
72019 mmu_notifier_invalidate_range_end(mm,
72020 @@ -2591,6 +2617,10 @@ retry:
72021 && (vma->vm_flags & VM_SHARED)));
72022 set_huge_pte_at(mm, address, ptep, new_pte);
72023
72024 +#ifdef CONFIG_PAX_SEGMEXEC
72025 + pax_mirror_huge_pte(vma, address, page);
72026 +#endif
72027 +
72028 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
72029 /* Optimization, do the COW without a second fault */
72030 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
72031 @@ -2620,6 +2650,10 @@ int hugetlb_fault(struct mm_struct *mm,
72032 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
72033 struct hstate *h = hstate_vma(vma);
72034
72035 +#ifdef CONFIG_PAX_SEGMEXEC
72036 + struct vm_area_struct *vma_m;
72037 +#endif
72038 +
72039 ptep = huge_pte_offset(mm, address);
72040 if (ptep) {
72041 entry = huge_ptep_get(ptep);
72042 @@ -2631,6 +2665,26 @@ int hugetlb_fault(struct mm_struct *mm,
72043 VM_FAULT_SET_HINDEX(h - hstates);
72044 }
72045
72046 +#ifdef CONFIG_PAX_SEGMEXEC
72047 + vma_m = pax_find_mirror_vma(vma);
72048 + if (vma_m) {
72049 + unsigned long address_m;
72050 +
72051 + if (vma->vm_start > vma_m->vm_start) {
72052 + address_m = address;
72053 + address -= SEGMEXEC_TASK_SIZE;
72054 + vma = vma_m;
72055 + h = hstate_vma(vma);
72056 + } else
72057 + address_m = address + SEGMEXEC_TASK_SIZE;
72058 +
72059 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
72060 + return VM_FAULT_OOM;
72061 + address_m &= HPAGE_MASK;
72062 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
72063 + }
72064 +#endif
72065 +
72066 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
72067 if (!ptep)
72068 return VM_FAULT_OOM;
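Review bot: The added `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL)` passes `vma`, which in both branches ends up being the lower mapping, while the range it names lies in the mirror at `address_m`. The corresponding block added to `handle_mm_fault()` in mm/memory.c hands `vma_m` to its unmap helper instead, so the two paths disagree on which VMA accompanies a mirror address; whichever is intended deserves a comment. The block also sizes the allocation with `huge_page_size(h)` but masks and unmaps with `HPAGE_MASK`/`HPAGE_SIZE`; using `huge_page_mask(h)` and `huge_page_size(h)` throughout would keep it tied to the hstate. `hugetlb_fault()` starts and ends outside this hunk.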
72069 diff -urNp linux-2.6.39.3/mm/internal.h linux-2.6.39.3/mm/internal.h
72070 --- linux-2.6.39.3/mm/internal.h 2011-05-19 00:06:34.000000000 -0400
72071 +++ linux-2.6.39.3/mm/internal.h 2011-07-09 09:12:54.000000000 -0400
72072 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
72073 * in mm/page_alloc.c
72074 */
72075 extern void __free_pages_bootmem(struct page *page, unsigned int order);
72076 +extern void free_compound_page(struct page *page);
72077 extern void prep_compound_page(struct page *page, unsigned long order);
72078 #ifdef CONFIG_MEMORY_FAILURE
72079 extern bool is_free_buddy_page(struct page *page);
72080 diff -urNp linux-2.6.39.3/mm/Kconfig linux-2.6.39.3/mm/Kconfig
72081 --- linux-2.6.39.3/mm/Kconfig 2011-05-19 00:06:34.000000000 -0400
72082 +++ linux-2.6.39.3/mm/Kconfig 2011-05-22 19:41:42.000000000 -0400
72083 @@ -240,7 +240,7 @@ config KSM
72084 config DEFAULT_MMAP_MIN_ADDR
72085 int "Low address space to protect from user allocation"
72086 depends on MMU
72087 - default 4096
72088 + default 65536
72089 help
72090 This is the portion of low virtual memory which should be protected
72091 from userspace allocation. Keeping a user from writing to low pages
72092 diff -urNp linux-2.6.39.3/mm/kmemleak.c linux-2.6.39.3/mm/kmemleak.c
72093 --- linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:04:14.000000000 -0400
72094 +++ linux-2.6.39.3/mm/kmemleak.c 2011-06-03 00:32:08.000000000 -0400
72095 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
72096
72097 for (i = 0; i < object->trace_len; i++) {
72098 void *ptr = (void *)object->trace[i];
72099 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
72100 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
72101 }
72102 }
72103
72104 diff -urNp linux-2.6.39.3/mm/maccess.c linux-2.6.39.3/mm/maccess.c
72105 --- linux-2.6.39.3/mm/maccess.c 2011-05-19 00:06:34.000000000 -0400
72106 +++ linux-2.6.39.3/mm/maccess.c 2011-05-22 19:36:33.000000000 -0400
72107 @@ -15,10 +15,10 @@
72108 * happens, handle that and return -EFAULT.
72109 */
72110
72111 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
72112 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
72113 __attribute__((alias("__probe_kernel_read")));
72114
72115 -long __probe_kernel_read(void *dst, void *src, size_t size)
72116 +long __probe_kernel_read(void *dst, const void *src, size_t size)
72117 {
72118 long ret;
72119 mm_segment_t old_fs = get_fs();
72120 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
72121 * Safely write to address @dst from the buffer at @src. If a kernel fault
72122 * happens, handle that and return -EFAULT.
72123 */
72124 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
72125 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
72126 __attribute__((alias("__probe_kernel_write")));
72127
72128 -long __probe_kernel_write(void *dst, void *src, size_t size)
72129 +long __probe_kernel_write(void *dst, const void *src, size_t size)
72130 {
72131 long ret;
72132 mm_segment_t old_fs = get_fs();
72133 diff -urNp linux-2.6.39.3/mm/madvise.c linux-2.6.39.3/mm/madvise.c
72134 --- linux-2.6.39.3/mm/madvise.c 2011-05-19 00:06:34.000000000 -0400
72135 +++ linux-2.6.39.3/mm/madvise.c 2011-05-22 19:36:33.000000000 -0400
72136 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
72137 pgoff_t pgoff;
72138 unsigned long new_flags = vma->vm_flags;
72139
72140 +#ifdef CONFIG_PAX_SEGMEXEC
72141 + struct vm_area_struct *vma_m;
72142 +#endif
72143 +
72144 switch (behavior) {
72145 case MADV_NORMAL:
72146 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
72147 @@ -110,6 +114,13 @@ success:
72148 /*
72149 * vm_flags is protected by the mmap_sem held in write mode.
72150 */
72151 +
72152 +#ifdef CONFIG_PAX_SEGMEXEC
72153 + vma_m = pax_find_mirror_vma(vma);
72154 + if (vma_m)
72155 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
72156 +#endif
72157 +
72158 vma->vm_flags = new_flags;
72159
72160 out:
72161 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
72162 struct vm_area_struct ** prev,
72163 unsigned long start, unsigned long end)
72164 {
72165 +
72166 +#ifdef CONFIG_PAX_SEGMEXEC
72167 + struct vm_area_struct *vma_m;
72168 +#endif
72169 +
72170 *prev = vma;
72171 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
72172 return -EINVAL;
72173 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
72174 zap_page_range(vma, start, end - start, &details);
72175 } else
72176 zap_page_range(vma, start, end - start, NULL);
72177 +
72178 +#ifdef CONFIG_PAX_SEGMEXEC
72179 + vma_m = pax_find_mirror_vma(vma);
72180 + if (vma_m) {
72181 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
72182 + struct zap_details details = {
72183 + .nonlinear_vma = vma_m,
72184 + .last_index = ULONG_MAX,
72185 + };
72186 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
72187 + } else
72188 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
72189 + }
72190 +#endif
72191 +
72192 return 0;
72193 }
72194
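Review bot: Both added `zap_page_range()` calls pass `vma` together with `start + SEGMEXEC_TASK_SIZE`, an address that belongs to `vma_m`, even though `details.nonlinear_vma` is set to `vma_m`. If the zap is meant to act on the mirror mapping, the first argument should presumably be the mirror as well: `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. If passing the lower VMA is deliberate, a comment saying why would stop a later reader from changing it. `madvise_dontneed()` starts in the previous hunk.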
72195 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
72196 if (end < start)
72197 goto out;
72198
72199 +#ifdef CONFIG_PAX_SEGMEXEC
72200 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72201 + if (end > SEGMEXEC_TASK_SIZE)
72202 + goto out;
72203 + } else
72204 +#endif
72205 +
72206 + if (end > TASK_SIZE)
72207 + goto out;
72208 +
72209 error = 0;
72210 if (end == start)
72211 goto out;
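Review bot: The bound check is written as an `else` that crosses the `#endif` and, after a blank line, binds to the `if (end > TASK_SIZE)` outside the conditional block. It compiles in both configurations, but any statement later inserted between `#endif` and that `if` silently changes which branch is guarded. Computing the limit first and testing it once avoids this. The same shape appears in the `do_mbind()` hunk in mm/mempolicy.c, and as a bare `if` ahead of `unlock_page(page)` in the `do_swap_page()` hunk in mm/memory.c. The syscall body starts and ends outside this hunk.

```c
	/* declared with the other locals of the syscall */
	unsigned long task_size = TASK_SIZE;

	/* ... unchanged: code up to and including the end < start check ... */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_size)
		goto out;
```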
72212 diff -urNp linux-2.6.39.3/mm/memory.c linux-2.6.39.3/mm/memory.c
72213 --- linux-2.6.39.3/mm/memory.c 2011-05-19 00:06:34.000000000 -0400
72214 +++ linux-2.6.39.3/mm/memory.c 2011-05-22 19:36:33.000000000 -0400
72215 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
72216 return;
72217
72218 pmd = pmd_offset(pud, start);
72219 +
72220 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
72221 pud_clear(pud);
72222 pmd_free_tlb(tlb, pmd, start);
72223 +#endif
72224 +
72225 }
72226
72227 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
72228 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
72229 if (end - 1 > ceiling - 1)
72230 return;
72231
72232 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
72233 pud = pud_offset(pgd, start);
72234 pgd_clear(pgd);
72235 pud_free_tlb(tlb, pud, start);
72236 +#endif
72237 +
72238 }
72239
72240 /*
72241 @@ -1410,12 +1417,6 @@ no_page_table:
72242 return page;
72243 }
72244
72245 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
72246 -{
72247 - return stack_guard_page_start(vma, addr) ||
72248 - stack_guard_page_end(vma, addr+PAGE_SIZE);
72249 -}
72250 -
72251 /**
72252 * __get_user_pages() - pin user pages in memory
72253 * @tsk: task_struct of target task
72254 @@ -1488,10 +1489,10 @@ int __get_user_pages(struct task_struct
72255 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
72256 i = 0;
72257
72258 - do {
72259 + while (nr_pages) {
72260 struct vm_area_struct *vma;
72261
72262 - vma = find_extend_vma(mm, start);
72263 + vma = find_vma(mm, start);
72264 if (!vma && in_gate_area(mm, start)) {
72265 unsigned long pg = start & PAGE_MASK;
72266 pgd_t *pgd;
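Review bot: Nothing at the `find_vma()` call records that it depends on the `start < vma->vm_start` test added in the `@@ -1539` hunk. `find_vma()` can return a VMA that begins above `start`, and the code between the lookup and that test lies outside this hunk, so it cannot be confirmed from here that `vma` is not used for such an address first. The replacement also means this path no longer extends a stack VMA as `find_extend_vma()` did, which callers may have relied on. A comment on the lookup such as `/* no stack expansion here; a vma starting above start is rejected below */` would document both.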
72267 @@ -1539,7 +1540,7 @@ int __get_user_pages(struct task_struct
72268 goto next_page;
72269 }
72270
72271 - if (!vma ||
72272 + if (!vma || start < vma->vm_start ||
72273 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
72274 !(vm_flags & vma->vm_flags))
72275 return i ? : -EFAULT;
72276 @@ -1566,11 +1567,6 @@ int __get_user_pages(struct task_struct
72277 int ret;
72278 unsigned int fault_flags = 0;
72279
72280 - /* For mlock, just skip the stack guard page. */
72281 - if (foll_flags & FOLL_MLOCK) {
72282 - if (stack_guard_page(vma, start))
72283 - goto next_page;
72284 - }
72285 if (foll_flags & FOLL_WRITE)
72286 fault_flags |= FAULT_FLAG_WRITE;
72287 if (nonblocking)
72288 @@ -1644,7 +1640,7 @@ next_page:
72289 start += PAGE_SIZE;
72290 nr_pages--;
72291 } while (nr_pages && start < vma->vm_end);
72292 - } while (nr_pages);
72293 + }
72294 return i;
72295 }
72296 EXPORT_SYMBOL(__get_user_pages);
72297 @@ -1795,6 +1791,10 @@ static int insert_page(struct vm_area_st
72298 page_add_file_rmap(page);
72299 set_pte_at(mm, addr, pte, mk_pte(page, prot));
72300
72301 +#ifdef CONFIG_PAX_SEGMEXEC
72302 + pax_mirror_file_pte(vma, addr, page, ptl);
72303 +#endif
72304 +
72305 retval = 0;
72306 pte_unmap_unlock(pte, ptl);
72307 return retval;
72308 @@ -1829,10 +1829,22 @@ out:
72309 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
72310 struct page *page)
72311 {
72312 +
72313 +#ifdef CONFIG_PAX_SEGMEXEC
72314 + struct vm_area_struct *vma_m;
72315 +#endif
72316 +
72317 if (addr < vma->vm_start || addr >= vma->vm_end)
72318 return -EFAULT;
72319 if (!page_count(page))
72320 return -EINVAL;
72321 +
72322 +#ifdef CONFIG_PAX_SEGMEXEC
72323 + vma_m = pax_find_mirror_vma(vma);
72324 + if (vma_m)
72325 + vma_m->vm_flags |= VM_INSERTPAGE;
72326 +#endif
72327 +
72328 vma->vm_flags |= VM_INSERTPAGE;
72329 return insert_page(vma, addr, page, vma->vm_page_prot);
72330 }
72331 @@ -1918,6 +1930,7 @@ int vm_insert_mixed(struct vm_area_struc
72332 unsigned long pfn)
72333 {
72334 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
72335 + BUG_ON(vma->vm_mirror);
72336
72337 if (addr < vma->vm_start || addr >= vma->vm_end)
72338 return -EFAULT;
72339 @@ -2233,6 +2246,186 @@ static inline void cow_user_page(struct
72340 copy_user_highpage(dst, src, va, vma);
72341 }
72342
72343 +#ifdef CONFIG_PAX_SEGMEXEC
72344 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
72345 +{
72346 + struct mm_struct *mm = vma->vm_mm;
72347 + spinlock_t *ptl;
72348 + pte_t *pte, entry;
72349 +
72350 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
72351 + entry = *pte;
72352 + if (!pte_present(entry)) {
72353 + if (!pte_none(entry)) {
72354 + BUG_ON(pte_file(entry));
72355 + free_swap_and_cache(pte_to_swp_entry(entry));
72356 + pte_clear_not_present_full(mm, address, pte, 0);
72357 + }
72358 + } else {
72359 + struct page *page;
72360 +
72361 + flush_cache_page(vma, address, pte_pfn(entry));
72362 + entry = ptep_clear_flush(vma, address, pte);
72363 + BUG_ON(pte_dirty(entry));
72364 + page = vm_normal_page(vma, address, entry);
72365 + if (page) {
72366 + update_hiwater_rss(mm);
72367 + if (PageAnon(page))
72368 + dec_mm_counter_fast(mm, MM_ANONPAGES);
72369 + else
72370 + dec_mm_counter_fast(mm, MM_FILEPAGES);
72371 + page_remove_rmap(page);
72372 + page_cache_release(page);
72373 + }
72374 + }
72375 + pte_unmap_unlock(pte, ptl);
72376 +}
72377 +
72378 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
72379 + *
72380 + * the ptl of the lower mapped page is held on entry and is not released on exit
72381 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
72382 + */
72383 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72384 +{
72385 + struct mm_struct *mm = vma->vm_mm;
72386 + unsigned long address_m;
72387 + spinlock_t *ptl_m;
72388 + struct vm_area_struct *vma_m;
72389 + pmd_t *pmd_m;
72390 + pte_t *pte_m, entry_m;
72391 +
72392 + BUG_ON(!page_m || !PageAnon(page_m));
72393 +
72394 + vma_m = pax_find_mirror_vma(vma);
72395 + if (!vma_m)
72396 + return;
72397 +
72398 + BUG_ON(!PageLocked(page_m));
72399 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72400 + address_m = address + SEGMEXEC_TASK_SIZE;
72401 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72402 + pte_m = pte_offset_map(pmd_m, address_m);
72403 + ptl_m = pte_lockptr(mm, pmd_m);
72404 + if (ptl != ptl_m) {
72405 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72406 + if (!pte_none(*pte_m))
72407 + goto out;
72408 + }
72409 +
72410 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72411 + page_cache_get(page_m);
72412 + page_add_anon_rmap(page_m, vma_m, address_m);
72413 + inc_mm_counter_fast(mm, MM_ANONPAGES);
72414 + set_pte_at(mm, address_m, pte_m, entry_m);
72415 + update_mmu_cache(vma_m, address_m, entry_m);
72416 +out:
72417 + if (ptl != ptl_m)
72418 + spin_unlock(ptl_m);
72419 + pte_unmap(pte_m);
72420 + unlock_page(page_m);
72421 +}
72422 +
72423 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
72424 +{
72425 + struct mm_struct *mm = vma->vm_mm;
72426 + unsigned long address_m;
72427 + spinlock_t *ptl_m;
72428 + struct vm_area_struct *vma_m;
72429 + pmd_t *pmd_m;
72430 + pte_t *pte_m, entry_m;
72431 +
72432 + BUG_ON(!page_m || PageAnon(page_m));
72433 +
72434 + vma_m = pax_find_mirror_vma(vma);
72435 + if (!vma_m)
72436 + return;
72437 +
72438 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72439 + address_m = address + SEGMEXEC_TASK_SIZE;
72440 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72441 + pte_m = pte_offset_map(pmd_m, address_m);
72442 + ptl_m = pte_lockptr(mm, pmd_m);
72443 + if (ptl != ptl_m) {
72444 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72445 + if (!pte_none(*pte_m))
72446 + goto out;
72447 + }
72448 +
72449 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
72450 + page_cache_get(page_m);
72451 + page_add_file_rmap(page_m);
72452 + inc_mm_counter_fast(mm, MM_FILEPAGES);
72453 + set_pte_at(mm, address_m, pte_m, entry_m);
72454 + update_mmu_cache(vma_m, address_m, entry_m);
72455 +out:
72456 + if (ptl != ptl_m)
72457 + spin_unlock(ptl_m);
72458 + pte_unmap(pte_m);
72459 +}
72460 +
72461 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
72462 +{
72463 + struct mm_struct *mm = vma->vm_mm;
72464 + unsigned long address_m;
72465 + spinlock_t *ptl_m;
72466 + struct vm_area_struct *vma_m;
72467 + pmd_t *pmd_m;
72468 + pte_t *pte_m, entry_m;
72469 +
72470 + vma_m = pax_find_mirror_vma(vma);
72471 + if (!vma_m)
72472 + return;
72473 +
72474 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
72475 + address_m = address + SEGMEXEC_TASK_SIZE;
72476 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
72477 + pte_m = pte_offset_map(pmd_m, address_m);
72478 + ptl_m = pte_lockptr(mm, pmd_m);
72479 + if (ptl != ptl_m) {
72480 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
72481 + if (!pte_none(*pte_m))
72482 + goto out;
72483 + }
72484 +
72485 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
72486 + set_pte_at(mm, address_m, pte_m, entry_m);
72487 +out:
72488 + if (ptl != ptl_m)
72489 + spin_unlock(ptl_m);
72490 + pte_unmap(pte_m);
72491 +}
72492 +
72493 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72494 +{
72495 + struct page *page_m;
72496 + pte_t entry;
72497 +
72498 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72499 + goto out;
72500 +
72501 + entry = *pte;
72502 + page_m = vm_normal_page(vma, address, entry);
72503 + if (!page_m)
72504 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72505 + else if (PageAnon(page_m)) {
72506 + if (pax_find_mirror_vma(vma)) {
72507 + pte_unmap_unlock(pte, ptl);
72508 + lock_page(page_m);
72509 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72510 + if (pte_same(entry, *pte))
72511 + pax_mirror_anon_pte(vma, address, page_m, ptl);
72512 + else
72513 + unlock_page(page_m);
72514 + }
72515 + } else
72516 + pax_mirror_file_pte(vma, address, page_m, ptl);
72517 +
72518 +out:
72519 + pte_unmap_unlock(pte, ptl);
72520 +}
72521 +#endif
72522 +
72523 /*
72524 * This routine handles present pages, when users try to write
72525 * to a shared page. It is done by copying the page to a new address
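Review bot: The comment above `pax_mirror_anon_pte()` documents the ptl requirement but not the page-lock contract, which is the subtler half. The function asserts `PageLocked(page_m)` and releases the lock with `unlock_page(page_m)` at `out`, yet returns before either when `pax_find_mirror_vma()` finds no mirror, so callers must lock the page only when a mirror exists; the `trylock_page()` hunks do that, but it is stated nowhere. I would extend the comment with `the page must be locked by the caller iff vma is mirrored; it is unlocked on return`. Separately, the `pte_none(*pte_m)` test in all three mirror helpers runs only when `ptl != ptl_m`; if the mirror slot is guaranteed empty whenever both entries share a lock, that invariant deserves a line too.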
72526 @@ -2444,6 +2637,12 @@ gotten:
72527 */
72528 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72529 if (likely(pte_same(*page_table, orig_pte))) {
72530 +
72531 +#ifdef CONFIG_PAX_SEGMEXEC
72532 + if (pax_find_mirror_vma(vma))
72533 + BUG_ON(!trylock_page(new_page));
72534 +#endif
72535 +
72536 if (old_page) {
72537 if (!PageAnon(old_page)) {
72538 dec_mm_counter_fast(mm, MM_FILEPAGES);
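Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition itself inside the assertion macro, so the page is only locked if `BUG_ON` evaluates its argument in every configuration. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the side effect outside the macro and makes the locking visible when scanning for lock/unlock pairs. The same construct is added in the `do_anonymous_page()` (`@@ -3028`) and `__do_fault()` (`@@ -3172`) hunks. A short comment that the matching `unlock_page()` happens inside `pax_mirror_anon_pte()` would also help, since no unlock appears near these lines.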
72539 @@ -2495,6 +2694,10 @@ gotten:
72540 page_remove_rmap(old_page);
72541 }
72542
72543 +#ifdef CONFIG_PAX_SEGMEXEC
72544 + pax_mirror_anon_pte(vma, address, new_page, ptl);
72545 +#endif
72546 +
72547 /* Free the old page.. */
72548 new_page = old_page;
72549 ret |= VM_FAULT_WRITE;
72550 @@ -2905,6 +3108,11 @@ static int do_swap_page(struct mm_struct
72551 swap_free(entry);
72552 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
72553 try_to_free_swap(page);
72554 +
72555 +#ifdef CONFIG_PAX_SEGMEXEC
72556 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
72557 +#endif
72558 +
72559 unlock_page(page);
72560 if (swapcache) {
72561 /*
72562 @@ -2928,6 +3136,11 @@ static int do_swap_page(struct mm_struct
72563
72564 /* No need to invalidate - it was non-present before */
72565 update_mmu_cache(vma, address, page_table);
72566 +
72567 +#ifdef CONFIG_PAX_SEGMEXEC
72568 + pax_mirror_anon_pte(vma, address, page, ptl);
72569 +#endif
72570 +
72571 unlock:
72572 pte_unmap_unlock(page_table, ptl);
72573 out:
72574 @@ -2947,40 +3160,6 @@ out_release:
72575 }
72576
72577 /*
72578 - * This is like a special single-page "expand_{down|up}wards()",
72579 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
72580 - * doesn't hit another vma.
72581 - */
72582 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
72583 -{
72584 - address &= PAGE_MASK;
72585 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
72586 - struct vm_area_struct *prev = vma->vm_prev;
72587 -
72588 - /*
72589 - * Is there a mapping abutting this one below?
72590 - *
72591 - * That's only ok if it's the same stack mapping
72592 - * that has gotten split..
72593 - */
72594 - if (prev && prev->vm_end == address)
72595 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
72596 -
72597 - expand_stack(vma, address - PAGE_SIZE);
72598 - }
72599 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
72600 - struct vm_area_struct *next = vma->vm_next;
72601 -
72602 - /* As VM_GROWSDOWN but s/below/above/ */
72603 - if (next && next->vm_start == address + PAGE_SIZE)
72604 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
72605 -
72606 - expand_upwards(vma, address + PAGE_SIZE);
72607 - }
72608 - return 0;
72609 -}
72610 -
72611 -/*
72612 * We enter with non-exclusive mmap_sem (to exclude vma changes,
72613 * but allow concurrent faults), and pte mapped but not yet locked.
72614 * We return with mmap_sem still held, but pte unmapped and unlocked.
72615 @@ -2989,27 +3168,23 @@ static int do_anonymous_page(struct mm_s
72616 unsigned long address, pte_t *page_table, pmd_t *pmd,
72617 unsigned int flags)
72618 {
72619 - struct page *page;
72620 + struct page *page = NULL;
72621 spinlock_t *ptl;
72622 pte_t entry;
72623
72624 - pte_unmap(page_table);
72625 -
72626 - /* Check if we need to add a guard page to the stack */
72627 - if (check_stack_guard_page(vma, address) < 0)
72628 - return VM_FAULT_SIGBUS;
72629 -
72630 - /* Use the zero-page for reads */
72631 if (!(flags & FAULT_FLAG_WRITE)) {
72632 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
72633 vma->vm_page_prot));
72634 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
72635 + ptl = pte_lockptr(mm, pmd);
72636 + spin_lock(ptl);
72637 if (!pte_none(*page_table))
72638 goto unlock;
72639 goto setpte;
72640 }
72641
72642 /* Allocate our own private page. */
72643 + pte_unmap(page_table);
72644 +
72645 if (unlikely(anon_vma_prepare(vma)))
72646 goto oom;
72647 page = alloc_zeroed_user_highpage_movable(vma, address);
72648 @@ -3028,6 +3203,11 @@ static int do_anonymous_page(struct mm_s
72649 if (!pte_none(*page_table))
72650 goto release;
72651
72652 +#ifdef CONFIG_PAX_SEGMEXEC
72653 + if (pax_find_mirror_vma(vma))
72654 + BUG_ON(!trylock_page(page));
72655 +#endif
72656 +
72657 inc_mm_counter_fast(mm, MM_ANONPAGES);
72658 page_add_new_anon_rmap(page, vma, address);
72659 setpte:
72660 @@ -3035,6 +3215,12 @@ setpte:
72661
72662 /* No need to invalidate - it was non-present before */
72663 update_mmu_cache(vma, address, page_table);
72664 +
72665 +#ifdef CONFIG_PAX_SEGMEXEC
72666 + if (page)
72667 + pax_mirror_anon_pte(vma, address, page, ptl);
72668 +#endif
72669 +
72670 unlock:
72671 pte_unmap_unlock(page_table, ptl);
72672 return 0;
72673 @@ -3172,6 +3358,12 @@ static int __do_fault(struct mm_struct *
72674 */
72675 /* Only go through if we didn't race with anybody else... */
72676 if (likely(pte_same(*page_table, orig_pte))) {
72677 +
72678 +#ifdef CONFIG_PAX_SEGMEXEC
72679 + if (anon && pax_find_mirror_vma(vma))
72680 + BUG_ON(!trylock_page(page));
72681 +#endif
72682 +
72683 flush_icache_page(vma, page);
72684 entry = mk_pte(page, vma->vm_page_prot);
72685 if (flags & FAULT_FLAG_WRITE)
72686 @@ -3191,6 +3383,14 @@ static int __do_fault(struct mm_struct *
72687
72688 /* no need to invalidate: a not-present page won't be cached */
72689 update_mmu_cache(vma, address, page_table);
72690 +
72691 +#ifdef CONFIG_PAX_SEGMEXEC
72692 + if (anon)
72693 + pax_mirror_anon_pte(vma, address, page, ptl);
72694 + else
72695 + pax_mirror_file_pte(vma, address, page, ptl);
72696 +#endif
72697 +
72698 } else {
72699 if (charged)
72700 mem_cgroup_uncharge_page(page);
72701 @@ -3338,6 +3538,12 @@ int handle_pte_fault(struct mm_struct *m
72702 if (flags & FAULT_FLAG_WRITE)
72703 flush_tlb_fix_spurious_fault(vma, address);
72704 }
72705 +
72706 +#ifdef CONFIG_PAX_SEGMEXEC
72707 + pax_mirror_pte(vma, address, pte, pmd, ptl);
72708 + return 0;
72709 +#endif
72710 +
72711 unlock:
72712 pte_unmap_unlock(pte, ptl);
72713 return 0;
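Review bot: The added `return 0;` is only correct because `pax_mirror_pte()` drops the PTE mapping and lock itself on every path, which is not apparent at the call site. A comment such as `/* pax_mirror_pte() unmaps and unlocks pte */` above the call would make clear why the `unlock:` path below is skipped. With the option enabled, every fault reaching this point now goes through the helper, including tasks without `MF_PAX_SEGMEXEC`, for which it only unlocks. `handle_pte_fault()` starts outside this hunk.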
72714 @@ -3354,6 +3560,10 @@ int handle_mm_fault(struct mm_struct *mm
72715 pmd_t *pmd;
72716 pte_t *pte;
72717
72718 +#ifdef CONFIG_PAX_SEGMEXEC
72719 + struct vm_area_struct *vma_m;
72720 +#endif
72721 +
72722 __set_current_state(TASK_RUNNING);
72723
72724 count_vm_event(PGFAULT);
72725 @@ -3364,6 +3574,34 @@ int handle_mm_fault(struct mm_struct *mm
72726 if (unlikely(is_vm_hugetlb_page(vma)))
72727 return hugetlb_fault(mm, vma, address, flags);
72728
72729 +#ifdef CONFIG_PAX_SEGMEXEC
72730 + vma_m = pax_find_mirror_vma(vma);
72731 + if (vma_m) {
72732 + unsigned long address_m;
72733 + pgd_t *pgd_m;
72734 + pud_t *pud_m;
72735 + pmd_t *pmd_m;
72736 +
72737 + if (vma->vm_start > vma_m->vm_start) {
72738 + address_m = address;
72739 + address -= SEGMEXEC_TASK_SIZE;
72740 + vma = vma_m;
72741 + } else
72742 + address_m = address + SEGMEXEC_TASK_SIZE;
72743 +
72744 + pgd_m = pgd_offset(mm, address_m);
72745 + pud_m = pud_alloc(mm, pgd_m, address_m);
72746 + if (!pud_m)
72747 + return VM_FAULT_OOM;
72748 + pmd_m = pmd_alloc(mm, pud_m, address_m);
72749 + if (!pmd_m)
72750 + return VM_FAULT_OOM;
72751 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
72752 + return VM_FAULT_OOM;
72753 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
72754 + }
72755 +#endif
72756 +
72757 pgd = pgd_offset(mm, address);
72758 pud = pud_alloc(mm, pgd, address);
72759 if (!pud)
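Review bot: In the branch where the fault arrives on the upper mapping (`vma->vm_start > vma_m->vm_start`), `vma` is redirected to `vma_m` but `vma_m` itself is not reassigned, so afterwards both pointers name the lower VMA. The following `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` then pair that lower VMA with an address in the upper range, whereas in the `else` branch they receive the upper VMA. `pax_unmap_mirror_pte()` uses its `vma` argument for `flush_cache_page()`, `ptep_clear_flush()` and `vm_normal_page()`, so whether the mismatch matters depends on those. Either swap the two pointers instead of overwriting `vma`, or add a comment stating that the helper does not care which half of the pair it is given. `handle_mm_fault()` starts and ends outside this hunk.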
72760 @@ -3393,7 +3631,7 @@ int handle_mm_fault(struct mm_struct *mm
72761 * run pte_offset_map on the pmd, if an huge pmd could
72762 * materialize from under us from a different thread.
72763 */
72764 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
72765 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
72766 return VM_FAULT_OOM;
72767 /* if an huge pmd materialized from under us just retry later */
72768 if (unlikely(pmd_trans_huge(*pmd)))
72769 @@ -3497,7 +3735,7 @@ static int __init gate_vma_init(void)
72770 gate_vma.vm_start = FIXADDR_USER_START;
72771 gate_vma.vm_end = FIXADDR_USER_END;
72772 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
72773 - gate_vma.vm_page_prot = __P101;
72774 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
72775 /*
72776 * Make sure the vDSO gets into every core dump.
72777 * Dumping its contents makes post-mortem fully interpretable later
72778 diff -urNp linux-2.6.39.3/mm/memory-failure.c linux-2.6.39.3/mm/memory-failure.c
72779 --- linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:18:51.000000000 -0400
72780 +++ linux-2.6.39.3/mm/memory-failure.c 2011-07-09 09:19:26.000000000 -0400
72781 @@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
72782
72783 int sysctl_memory_failure_recovery __read_mostly = 1;
72784
72785 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72786 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
72787
72788 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
72789
72790 @@ -1013,7 +1013,7 @@ int __memory_failure(unsigned long pfn,
72791 }
72792
72793 nr_pages = 1 << compound_trans_order(hpage);
72794 - atomic_long_add(nr_pages, &mce_bad_pages);
72795 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
72796
72797 /*
72798 * We need/can do nothing about count=0 pages.
72799 @@ -1043,7 +1043,7 @@ int __memory_failure(unsigned long pfn,
72800 if (!PageHWPoison(hpage)
72801 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
72802 || (p != hpage && TestSetPageHWPoison(hpage))) {
72803 - atomic_long_sub(nr_pages, &mce_bad_pages);
72804 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72805 return 0;
72806 }
72807 set_page_hwpoison_huge_page(hpage);
72808 @@ -1101,7 +1101,7 @@ int __memory_failure(unsigned long pfn,
72809 }
72810 if (hwpoison_filter(p)) {
72811 if (TestClearPageHWPoison(p))
72812 - atomic_long_sub(nr_pages, &mce_bad_pages);
72813 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72814 unlock_page(hpage);
72815 put_page(hpage);
72816 return 0;
72817 @@ -1227,7 +1227,7 @@ int unpoison_memory(unsigned long pfn)
72818 return 0;
72819 }
72820 if (TestClearPageHWPoison(p))
72821 - atomic_long_sub(nr_pages, &mce_bad_pages);
72822 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72823 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
72824 return 0;
72825 }
72826 @@ -1241,7 +1241,7 @@ int unpoison_memory(unsigned long pfn)
72827 */
72828 if (TestClearPageHWPoison(page)) {
72829 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
72830 - atomic_long_sub(nr_pages, &mce_bad_pages);
72831 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
72832 freeit = 1;
72833 if (PageHuge(page))
72834 clear_page_hwpoison_huge_page(page);
72835 @@ -1354,7 +1354,7 @@ static int soft_offline_huge_page(struct
72836 }
72837 done:
72838 if (!PageHWPoison(hpage))
72839 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
72840 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
72841 set_page_hwpoison_huge_page(hpage);
72842 dequeue_hwpoisoned_huge_page(hpage);
72843 /* keep elevated page count for bad page */
72844 @@ -1484,7 +1484,7 @@ int soft_offline_page(struct page *page,
72845 return ret;
72846
72847 done:
72848 - atomic_long_add(1, &mce_bad_pages);
72849 + atomic_long_add_unchecked(1, &mce_bad_pages);
72850 SetPageHWPoison(page);
72851 /* keep elevated page count for bad page */
72852 return ret;
72853 diff -urNp linux-2.6.39.3/mm/mempolicy.c linux-2.6.39.3/mm/mempolicy.c
72854 --- linux-2.6.39.3/mm/mempolicy.c 2011-05-19 00:06:34.000000000 -0400
72855 +++ linux-2.6.39.3/mm/mempolicy.c 2011-05-22 19:41:42.000000000 -0400
72856 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
72857 unsigned long vmstart;
72858 unsigned long vmend;
72859
72860 +#ifdef CONFIG_PAX_SEGMEXEC
72861 + struct vm_area_struct *vma_m;
72862 +#endif
72863 +
72864 vma = find_vma_prev(mm, start, &prev);
72865 if (!vma || vma->vm_start > start)
72866 return -EFAULT;
72867 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
72868 err = policy_vma(vma, new_pol);
72869 if (err)
72870 goto out;
72871 +
72872 +#ifdef CONFIG_PAX_SEGMEXEC
72873 + vma_m = pax_find_mirror_vma(vma);
72874 + if (vma_m) {
72875 + err = policy_vma(vma_m, new_pol);
72876 + if (err)
72877 + goto out;
72878 + }
72879 +#endif
72880 +
72881 }
72882
72883 out:
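Review bot: If `policy_vma(vma_m, new_pol)` fails, the loop exits through `out` after `policy_vma(vma, new_pol)` has already succeeded, leaving the mapping and its mirror with different policies. Nothing visible in this hunk restores the previous policy on `vma`. This is worth either handling or documenting, for example with `/* on failure the mirror keeps its old policy; caller sees err */` if a divergent pair is acceptable here. `mbind_range()` starts outside this hunk.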
72884 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
72885
72886 if (end < start)
72887 return -EINVAL;
72888 +
72889 +#ifdef CONFIG_PAX_SEGMEXEC
72890 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72891 + if (end > SEGMEXEC_TASK_SIZE)
72892 + return -EINVAL;
72893 + } else
72894 +#endif
72895 +
72896 + if (end > TASK_SIZE)
72897 + return -EINVAL;
72898 +
72899 if (end == start)
72900 return 0;
72901
72902 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72903 if (!mm)
72904 goto out;
72905
72906 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72907 + if (mm != current->mm &&
72908 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72909 + err = -EPERM;
72910 + goto out;
72911 + }
72912 +#endif
72913 +
72914 /*
72915 * Check if this process has the right to modify the specified
72916 * process. The right exists if the process has administrative
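Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` relies on `&` binding tighter than `||` and reads `pax_flags` twice; `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` says the same thing with one mask. The block also has no comment on why a foreign `mm` carrying these flags is refused ahead of the credential check that follows, which means the refusal applies regardless of `CAP_SYS_NICE`. The identical block is added to `move_pages` in mm/migrate.c.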
72917 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
72918 rcu_read_lock();
72919 tcred = __task_cred(task);
72920 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72921 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72922 - !capable(CAP_SYS_NICE)) {
72923 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72924 rcu_read_unlock();
72925 err = -EPERM;
72926 goto out;
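Review bot: Dropping `cred->uid != tcred->uid` from the chain means a caller whose only match with the target was real UID against real UID is now refused unless it has `CAP_SYS_NICE`, and nothing records that narrowing. The explanatory comment before the check, whose opening lines appear as trailing context of the previous hunk, is left as it was. A line such as `/* a bare real-uid match is deliberately not sufficient */` next to the condition would keep comment and code in step. The same edit is made in `move_pages` in mm/migrate.c.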
72927 @@ -2634,7 +2666,7 @@ int show_numa_map(struct seq_file *m, vo
72928
72929 if (file) {
72930 seq_printf(m, " file=");
72931 - seq_path(m, &file->f_path, "\n\t= ");
72932 + seq_path(m, &file->f_path, "\n\t\\= ");
72933 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
72934 seq_printf(m, " heap");
72935 } else if (vma->vm_start <= mm->start_stack &&
72936 diff -urNp linux-2.6.39.3/mm/migrate.c linux-2.6.39.3/mm/migrate.c
72937 --- linux-2.6.39.3/mm/migrate.c 2011-07-09 09:18:51.000000000 -0400
72938 +++ linux-2.6.39.3/mm/migrate.c 2011-07-09 09:19:26.000000000 -0400
72939 @@ -1133,6 +1133,8 @@ static int do_pages_move(struct mm_struc
72940 unsigned long chunk_start;
72941 int err;
72942
72943 + pax_track_stack();
72944 +
72945 task_nodes = cpuset_mems_allowed(task);
72946
72947 err = -ENOMEM;
72948 @@ -1317,6 +1319,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72949 if (!mm)
72950 return -EINVAL;
72951
72952 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
72953 + if (mm != current->mm &&
72954 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
72955 + err = -EPERM;
72956 + goto out;
72957 + }
72958 +#endif
72959 +
72960 /*
72961 * Check if this process has the right to modify the specified
72962 * process. The right exists if the process has administrative
72963 @@ -1326,8 +1336,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
72964 rcu_read_lock();
72965 tcred = __task_cred(task);
72966 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
72967 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
72968 - !capable(CAP_SYS_NICE)) {
72969 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
72970 rcu_read_unlock();
72971 err = -EPERM;
72972 goto out;
72973 diff -urNp linux-2.6.39.3/mm/mlock.c linux-2.6.39.3/mm/mlock.c
72974 --- linux-2.6.39.3/mm/mlock.c 2011-05-19 00:06:34.000000000 -0400
72975 +++ linux-2.6.39.3/mm/mlock.c 2011-05-22 19:41:42.000000000 -0400
72976 @@ -13,6 +13,7 @@
72977 #include <linux/pagemap.h>
72978 #include <linux/mempolicy.h>
72979 #include <linux/syscalls.h>
72980 +#include <linux/security.h>
72981 #include <linux/sched.h>
72982 #include <linux/module.h>
72983 #include <linux/rmap.h>
72984 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
72985 return -EINVAL;
72986 if (end == start)
72987 return 0;
72988 + if (end > TASK_SIZE)
72989 + return -EINVAL;
72990 +
72991 vma = find_vma_prev(current->mm, start, &prev);
72992 if (!vma || vma->vm_start > start)
72993 return -ENOMEM;
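Review bot: The added `if (end > TASK_SIZE) return -EINVAL;` in do_mlock() changes which error user space sees for a range that runs past the address-space limit. Without it such a range would fall through to the mapping checks that start just below, and the one visible here reports -ENOMEM for memory that is not mapped. If the different errno is deliberate it deserves a comment; otherwise `return -ENOMEM;` keeps the result consistent with the neighbouring check. The computation of `end` is outside the hunk.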
72994 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
72995 for (nstart = start ; ; ) {
72996 unsigned int newflags;
72997
72998 +#ifdef CONFIG_PAX_SEGMEXEC
72999 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
73000 + break;
73001 +#endif
73002 +
73003 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
73004
73005 newflags = vma->vm_flags | VM_LOCKED;
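Review bot: The `break` taken when `vma->vm_start >= SEGMEXEC_TASK_SIZE` leaves the do_mlock() loop without assigning a result. What the function returns in that case is decided by code outside the hunk; if the status variable is only written later in the loop body, a break on the first iteration would return an indeterminate value. Setting the status explicitly before the break, and adding a comment that vmas at or above SEGMEXEC_TASK_SIZE are skipped on purpose, would make the intent checkable. The same early break is added to do_mlockall() further down.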
73006 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
73007 lock_limit >>= PAGE_SHIFT;
73008
73009 /* check against resource limits */
73010 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
73011 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
73012 error = do_mlock(start, len, 1);
73013 up_write(&current->mm->mmap_sem);
73014 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
73015 static int do_mlockall(int flags)
73016 {
73017 struct vm_area_struct * vma, * prev = NULL;
73018 - unsigned int def_flags = 0;
73019
73020 if (flags & MCL_FUTURE)
73021 - def_flags = VM_LOCKED;
73022 - current->mm->def_flags = def_flags;
73023 + current->mm->def_flags |= VM_LOCKED;
73024 + else
73025 + current->mm->def_flags &= ~VM_LOCKED;
73026 if (flags == MCL_FUTURE)
73027 goto out;
73028
73029 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
73030 - unsigned int newflags;
73031 + unsigned long newflags;
73032 +
73033 +#ifdef CONFIG_PAX_SEGMEXEC
73034 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
73035 + break;
73036 +#endif
73037
73038 + BUG_ON(vma->vm_end > TASK_SIZE);
73039 newflags = vma->vm_flags | VM_LOCKED;
73040 if (!(flags & MCL_CURRENT))
73041 newflags &= ~VM_LOCKED;
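Review bot: `current->mm->def_flags` is now updated bit-wise in do_mlockall() where the removed lines overwrote the whole field, so other default flags now survive a call, and the hunk does not say which flags those are. A comment such as `/* only VM_LOCKED belongs to mlockall(); leave the other def_flags bits alone */` would record why the assignment was replaced. The new `BUG_ON(vma->vm_end > TASK_SIZE)` sits after the SEGMEXEC break, so it is never evaluated for the vma that triggers the break or any vma after it; if that is intended, say so next to it.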
73042 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
73043 lock_limit >>= PAGE_SHIFT;
73044
73045 ret = -ENOMEM;
73046 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
73047 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
73048 capable(CAP_IPC_LOCK))
73049 ret = do_mlockall(flags);
73050 diff -urNp linux-2.6.39.3/mm/mmap.c linux-2.6.39.3/mm/mmap.c
73051 --- linux-2.6.39.3/mm/mmap.c 2011-05-19 00:06:34.000000000 -0400
73052 +++ linux-2.6.39.3/mm/mmap.c 2011-05-22 19:41:42.000000000 -0400
73053 @@ -46,6 +46,16 @@
73054 #define arch_rebalance_pgtables(addr, len) (addr)
73055 #endif
73056
73057 +static inline void verify_mm_writelocked(struct mm_struct *mm)
73058 +{
73059 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
73060 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73061 + up_read(&mm->mmap_sem);
73062 + BUG();
73063 + }
73064 +#endif
73065 +}
73066 +
73067 static void unmap_region(struct mm_struct *mm,
73068 struct vm_area_struct *vma, struct vm_area_struct *prev,
73069 unsigned long start, unsigned long end);
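Review bot: verify_mm_writelocked() can only show that a read lock on `mm->mmap_sem` could not be taken at that instant; it cannot show that the current task is the one holding the semaphore for writing. The function has no comment, and its name promises more than the check delivers. I would add a header along the lines of `/* best-effort assertion: BUG() if mmap_sem can still be read-locked, i.e. it is not held for write */`. The body also compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set, which the comment should mention.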
73070 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
73071 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
73072 *
73073 */
73074 -pgprot_t protection_map[16] = {
73075 +pgprot_t protection_map[16] __read_only = {
73076 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
73077 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
73078 };
73079
73080 pgprot_t vm_get_page_prot(unsigned long vm_flags)
73081 {
73082 - return __pgprot(pgprot_val(protection_map[vm_flags &
73083 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
73084 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
73085 pgprot_val(arch_vm_get_page_prot(vm_flags)));
73086 +
73087 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73088 + if (!(__supported_pte_mask & _PAGE_NX) &&
73089 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
73090 + (vm_flags & (VM_READ | VM_WRITE)))
73091 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
73092 +#endif
73093 +
73094 + return prot;
73095 }
73096 EXPORT_SYMBOL(vm_get_page_prot);
73097
73098 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
73099 int sysctl_overcommit_ratio = 50; /* default is 50% */
73100 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
73101 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
73102 struct percpu_counter vm_committed_as;
73103
73104 /*
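Review bot: The CONFIG_PAX_PAGEEXEC branch added to vm_get_page_prot() has no comment, and its three-part condition is hard to verify by reading. From the code it applies `pte_exprotect()` when `_PAGE_NX` is absent from `__supported_pte_mask`, the flags contain VM_PAGEEXEC but not VM_EXEC, and the mapping is readable or writable. A comment stating that in words, and what pte_exprotect() changes in the protection bits, would let a reader confirm the branch matches the intent. `sysctl_heap_stack_gap` is introduced in the same hunk with a bare `64*1024`; a named constant and a note on its unit (bytes, judging by how it is compared with addresses later in this file) would help as well.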
73105 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
73106 struct vm_area_struct *next = vma->vm_next;
73107
73108 might_sleep();
73109 + BUG_ON(vma->vm_mirror);
73110 if (vma->vm_ops && vma->vm_ops->close)
73111 vma->vm_ops->close(vma);
73112 if (vma->vm_file) {
73113 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
73114 * not page aligned -Ram Gupta
73115 */
73116 rlim = rlimit(RLIMIT_DATA);
73117 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
73118 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
73119 (mm->end_data - mm->start_data) > rlim)
73120 goto out;
73121 @@ -719,6 +741,12 @@ static int
73122 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
73123 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73124 {
73125 +
73126 +#ifdef CONFIG_PAX_SEGMEXEC
73127 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
73128 + return 0;
73129 +#endif
73130 +
73131 if (is_mergeable_vma(vma, file, vm_flags) &&
73132 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73133 if (vma->vm_pgoff == vm_pgoff)
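Review bot: The SEGMEXEC early return in can_vma_merge_before() is not explained, and the patch leaves a stray blank line after the opening brace. The test refuses a merge for a vma that starts exactly at SEGMEXEC_TASK_SIZE, and the matching hunk in can_vma_merge_after() refuses one for a vma that ends there, so the pair apparently keeps any vma from spanning that boundary. A comment such as `/* never merge across SEGMEXEC_TASK_SIZE */` in both places would state the invariant that pax_find_mirror_vma() later asserts with BUG_ON.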
73134 @@ -738,6 +766,12 @@ static int
73135 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
73136 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
73137 {
73138 +
73139 +#ifdef CONFIG_PAX_SEGMEXEC
73140 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
73141 + return 0;
73142 +#endif
73143 +
73144 if (is_mergeable_vma(vma, file, vm_flags) &&
73145 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
73146 pgoff_t vm_pglen;
73147 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
73148 struct vm_area_struct *vma_merge(struct mm_struct *mm,
73149 struct vm_area_struct *prev, unsigned long addr,
73150 unsigned long end, unsigned long vm_flags,
73151 - struct anon_vma *anon_vma, struct file *file,
73152 + struct anon_vma *anon_vma, struct file *file,
73153 pgoff_t pgoff, struct mempolicy *policy)
73154 {
73155 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
73156 struct vm_area_struct *area, *next;
73157 int err;
73158
73159 +#ifdef CONFIG_PAX_SEGMEXEC
73160 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
73161 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
73162 +
73163 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
73164 +#endif
73165 +
73166 /*
73167 * We later require that vma->vm_flags == vm_flags,
73168 * so this tests vma->vm_flags & VM_SPECIAL, too.
73169 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
73170 if (next && next->vm_end == end) /* cases 6, 7, 8 */
73171 next = next->vm_next;
73172
73173 +#ifdef CONFIG_PAX_SEGMEXEC
73174 + if (prev)
73175 + prev_m = pax_find_mirror_vma(prev);
73176 + if (area)
73177 + area_m = pax_find_mirror_vma(area);
73178 + if (next)
73179 + next_m = pax_find_mirror_vma(next);
73180 +#endif
73181 +
73182 /*
73183 * Can it merge with the predecessor?
73184 */
73185 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
73186 /* cases 1, 6 */
73187 err = vma_adjust(prev, prev->vm_start,
73188 next->vm_end, prev->vm_pgoff, NULL);
73189 - } else /* cases 2, 5, 7 */
73190 +
73191 +#ifdef CONFIG_PAX_SEGMEXEC
73192 + if (!err && prev_m)
73193 + err = vma_adjust(prev_m, prev_m->vm_start,
73194 + next_m->vm_end, prev_m->vm_pgoff, NULL);
73195 +#endif
73196 +
73197 + } else { /* cases 2, 5, 7 */
73198 err = vma_adjust(prev, prev->vm_start,
73199 end, prev->vm_pgoff, NULL);
73200 +
73201 +#ifdef CONFIG_PAX_SEGMEXEC
73202 + if (!err && prev_m)
73203 + err = vma_adjust(prev_m, prev_m->vm_start,
73204 + end_m, prev_m->vm_pgoff, NULL);
73205 +#endif
73206 +
73207 + }
73208 if (err)
73209 return NULL;
73210 khugepaged_enter_vma_merge(prev);
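Review bot: When the second `vma_adjust()` call on `prev_m` fails, vma_merge() returns NULL although `prev` has already been adjusted, so the vma and its mirror are left with different extents and nothing undoes the first step. The same pattern is repeated in the next hunk for case 4 and for cases 3, 8. In the cases 1, 6 branch `next_m->vm_end` is also read under a test of `prev_m` only, which is safe only if `next` is guaranteed to have a mirror whenever `prev` has one. That guarantee should be asserted, for example `BUG_ON(prev_m && !next_m);`, or checked. vma_merge() begins and ends outside this hunk.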
73211 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
73212 mpol_equal(policy, vma_policy(next)) &&
73213 can_vma_merge_before(next, vm_flags,
73214 anon_vma, file, pgoff+pglen)) {
73215 - if (prev && addr < prev->vm_end) /* case 4 */
73216 + if (prev && addr < prev->vm_end) { /* case 4 */
73217 err = vma_adjust(prev, prev->vm_start,
73218 addr, prev->vm_pgoff, NULL);
73219 - else /* cases 3, 8 */
73220 +
73221 +#ifdef CONFIG_PAX_SEGMEXEC
73222 + if (!err && prev_m)
73223 + err = vma_adjust(prev_m, prev_m->vm_start,
73224 + addr_m, prev_m->vm_pgoff, NULL);
73225 +#endif
73226 +
73227 + } else { /* cases 3, 8 */
73228 err = vma_adjust(area, addr, next->vm_end,
73229 next->vm_pgoff - pglen, NULL);
73230 +
73231 +#ifdef CONFIG_PAX_SEGMEXEC
73232 + if (!err && area_m)
73233 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
73234 + next_m->vm_pgoff - pglen, NULL);
73235 +#endif
73236 +
73237 + }
73238 if (err)
73239 return NULL;
73240 khugepaged_enter_vma_merge(area);
73241 @@ -958,14 +1038,11 @@ none:
73242 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
73243 struct file *file, long pages)
73244 {
73245 - const unsigned long stack_flags
73246 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
73247 -
73248 if (file) {
73249 mm->shared_vm += pages;
73250 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
73251 mm->exec_vm += pages;
73252 - } else if (flags & stack_flags)
73253 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
73254 mm->stack_vm += pages;
73255 if (flags & (VM_RESERVED|VM_IO))
73256 mm->reserved_vm += pages;
73257 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
73258 * (the exception is when the underlying filesystem is noexec
73259 * mounted, in which case we dont add PROT_EXEC.)
73260 */
73261 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73262 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73263 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
73264 prot |= PROT_EXEC;
73265
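Review bot: Testing `prot & (PROT_READ | PROT_WRITE)` widens READ_IMPLIES_EXEC so that a write-only request also gains PROT_EXEC, which makes more mappings writable and executable under that personality than before. The comment block that ends just above the condition speaks only of the noexec-mount exception, and its beginning is outside the hunk. If the reason is that a writable mapping is readable on the hardware anyway, state that next to the condition, for example `/* PROT_WRITE implies PROT_READ here, so treat it the same way */`, so the widening is not mistaken for an error. do_mmap_pgoff() continues outside the hunk.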
73266 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
73267 /* Obtain the address to map to. we verify (or select) it and ensure
73268 * that it represents a valid section of the address space.
73269 */
73270 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
73271 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
73272 if (addr & ~PAGE_MASK)
73273 return addr;
73274
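Review bot: OR-ing MAP_EXECUTABLE into the `flags` passed to get_unmapped_area() reuses an existing mmap flag as a private signal that the request has PROT_EXEC, but the expression does not clear that bit first. If a caller-supplied MAP_EXECUTABLE can still be present in `flags` at this point (any masking would be outside the hunk), a mapping without PROT_EXEC looks executable to the address-selection code. Either mask it explicitly, `(flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)`, or add a comment naming where the bit is stripped.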
73275 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
73276 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
73277 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
73278
73279 +#ifdef CONFIG_PAX_MPROTECT
73280 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73281 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73282 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
73283 + gr_log_rwxmmap(file);
73284 +
73285 +#ifdef CONFIG_PAX_EMUPLT
73286 + vm_flags &= ~VM_EXEC;
73287 +#else
73288 + return -EPERM;
73289 +#endif
73290 +
73291 + }
73292 +
73293 + if (!(vm_flags & VM_EXEC))
73294 + vm_flags &= ~VM_MAYEXEC;
73295 +#else
73296 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73297 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73298 +#endif
73299 + else
73300 + vm_flags &= ~VM_MAYWRITE;
73301 + }
73302 +#endif
73303 +
73304 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73305 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
73306 + vm_flags &= ~VM_PAGEEXEC;
73307 +#endif
73308 +
73309 if (flags & MAP_LOCKED)
73310 if (!can_do_mlock())
73311 return -EPERM;
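Review bot: The `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` is shared by two preprocessor branches and binds to a different unbraced `if` in each: to `if (!(vm_flags & VM_EXEC))` without CONFIG_PAX_MPROTECT_COMPAT, and to the `!= VM_EXEC` test with it. That makes the write-xor-execute decision in do_mmap_pgoff() easy to misread and easy to break with a one-line edit. Giving each branch its own braced if/else keeps the behaviour and removes the dependency on the preprocessor layout. The block also deserves a comment stating the resulting rule: a mapping that stays executable loses VM_MAYWRITE, and one that is not executable loses VM_MAYEXEC.

```c
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: a W+X request is logged, then downgraded or refused … */

		if (!(vm_flags & VM_EXEC)) {
			vm_flags &= ~VM_MAYEXEC;
		} else {
			vm_flags &= ~VM_MAYWRITE;
		}
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) {
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		} else {
			vm_flags &= ~VM_MAYWRITE;
		}
#endif
```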
73312 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
73313 locked += mm->locked_vm;
73314 lock_limit = rlimit(RLIMIT_MEMLOCK);
73315 lock_limit >>= PAGE_SHIFT;
73316 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73317 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73318 return -EAGAIN;
73319 }
73320 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
73321 if (error)
73322 return error;
73323
73324 + if (!gr_acl_handle_mmap(file, prot))
73325 + return -EACCES;
73326 +
73327 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
73328 }
73329 EXPORT_SYMBOL(do_mmap_pgoff);
73330 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
73331 */
73332 int vma_wants_writenotify(struct vm_area_struct *vma)
73333 {
73334 - unsigned int vm_flags = vma->vm_flags;
73335 + unsigned long vm_flags = vma->vm_flags;
73336
73337 /* If it was private or non-writable, the write bit is already clear */
73338 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
73339 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
73340 return 0;
73341
73342 /* The backer wishes to know when pages are first written to? */
73343 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
73344 unsigned long charged = 0;
73345 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
73346
73347 +#ifdef CONFIG_PAX_SEGMEXEC
73348 + struct vm_area_struct *vma_m = NULL;
73349 +#endif
73350 +
73351 + /*
73352 + * mm->mmap_sem is required to protect against another thread
73353 + * changing the mappings in case we sleep.
73354 + */
73355 + verify_mm_writelocked(mm);
73356 +
73357 /* Clear old maps */
73358 error = -ENOMEM;
73359 -munmap_back:
73360 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73361 if (vma && vma->vm_start < addr + len) {
73362 if (do_munmap(mm, addr, len))
73363 return -ENOMEM;
73364 - goto munmap_back;
73365 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73366 + BUG_ON(vma && vma->vm_start < addr + len);
73367 }
73368
73369 /* Check against address space limit. */
73370 @@ -1295,6 +1416,16 @@ munmap_back:
73371 goto unacct_error;
73372 }
73373
73374 +#ifdef CONFIG_PAX_SEGMEXEC
73375 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
73376 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73377 + if (!vma_m) {
73378 + error = -ENOMEM;
73379 + goto free_vma;
73380 + }
73381 + }
73382 +#endif
73383 +
73384 vma->vm_mm = mm;
73385 vma->vm_start = addr;
73386 vma->vm_end = addr + len;
73387 @@ -1318,6 +1449,19 @@ munmap_back:
73388 error = file->f_op->mmap(file, vma);
73389 if (error)
73390 goto unmap_and_free_vma;
73391 +
73392 +#ifdef CONFIG_PAX_SEGMEXEC
73393 + if (vma_m && (vm_flags & VM_EXECUTABLE))
73394 + added_exe_file_vma(mm);
73395 +#endif
73396 +
73397 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73398 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
73399 + vma->vm_flags |= VM_PAGEEXEC;
73400 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73401 + }
73402 +#endif
73403 +
73404 if (vm_flags & VM_EXECUTABLE)
73405 added_exe_file_vma(mm);
73406
73407 @@ -1353,6 +1497,11 @@ munmap_back:
73408 vma_link(mm, vma, prev, rb_link, rb_parent);
73409 file = vma->vm_file;
73410
73411 +#ifdef CONFIG_PAX_SEGMEXEC
73412 + if (vma_m)
73413 + BUG_ON(pax_mirror_vma(vma_m, vma));
73414 +#endif
73415 +
73416 /* Once vma denies write, undo our temporary denial count */
73417 if (correct_wcount)
73418 atomic_inc(&inode->i_writecount);
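Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` puts the call that links the mirror inside an assertion, so one statement both does the work and stops the kernel on failure. Splitting it keeps the side effect visible, e.g. `rc = pax_mirror_vma(vma_m, vma);` followed by `BUG_ON(rc);`, with `rc` declared among the function's locals. pax_mirror_vma() is defined outside this chunk; if it can fail for an ordinary reason such as an allocation failure, returning an error would be preferable, though the vma has already been linked by vma_link() at this point and the unwind would need care.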
73419 @@ -1361,6 +1510,7 @@ out:
73420
73421 mm->total_vm += len >> PAGE_SHIFT;
73422 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
73423 + track_exec_limit(mm, addr, addr + len, vm_flags);
73424 if (vm_flags & VM_LOCKED) {
73425 if (!mlock_vma_pages_range(vma, addr, addr + len))
73426 mm->locked_vm += (len >> PAGE_SHIFT);
73427 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
73428 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
73429 charged = 0;
73430 free_vma:
73431 +
73432 +#ifdef CONFIG_PAX_SEGMEXEC
73433 + if (vma_m)
73434 + kmem_cache_free(vm_area_cachep, vma_m);
73435 +#endif
73436 +
73437 kmem_cache_free(vm_area_cachep, vma);
73438 unacct_error:
73439 if (charged)
73440 @@ -1385,6 +1541,44 @@ unacct_error:
73441 return error;
73442 }
73443
73444 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
73445 +{
73446 + if (!vma) {
73447 +#ifdef CONFIG_STACK_GROWSUP
73448 + if (addr > sysctl_heap_stack_gap)
73449 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
73450 + else
73451 + vma = find_vma(current->mm, 0);
73452 + if (vma && (vma->vm_flags & VM_GROWSUP))
73453 + return false;
73454 +#endif
73455 + return true;
73456 + }
73457 +
73458 + if (addr + len > vma->vm_start)
73459 + return false;
73460 +
73461 + if (vma->vm_flags & VM_GROWSDOWN)
73462 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
73463 +#ifdef CONFIG_STACK_GROWSUP
73464 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
73465 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
73466 +#endif
73467 +
73468 + return true;
73469 +}
73470 +
73471 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
73472 +{
73473 + if (vma->vm_start < len)
73474 + return -ENOMEM;
73475 + if (!(vma->vm_flags & VM_GROWSDOWN))
73476 + return vma->vm_start - len;
73477 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
73478 + return vma->vm_start - len - sysctl_heap_stack_gap;
73479 + return -ENOMEM;
73480 +}
73481 +
73482 /* Get an address range which is currently unmapped.
73483 * For shmat() with addr=0.
73484 *
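Review bot: In check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch looks inverted: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts the address when it lies within the gap above the upward-growing vma and rejects it when it is farther away. The VM_GROWSDOWN branch just before it has the opposite sense, returning true only when the gap fits, so I would expect `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;` here. Both new functions also rely on the caller to have ruled out overflow of `addr + len`. A header comment stating that precondition, and that a true return means the range is acceptable, would help.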
73485 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
73486 if (flags & MAP_FIXED)
73487 return addr;
73488
73489 +#ifdef CONFIG_PAX_RANDMMAP
73490 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73491 +#endif
73492 +
73493 if (addr) {
73494 addr = PAGE_ALIGN(addr);
73495 - vma = find_vma(mm, addr);
73496 - if (TASK_SIZE - len >= addr &&
73497 - (!vma || addr + len <= vma->vm_start))
73498 - return addr;
73499 + if (TASK_SIZE - len >= addr) {
73500 + vma = find_vma(mm, addr);
73501 + if (check_heap_stack_gap(vma, addr, len))
73502 + return addr;
73503 + }
73504 }
73505 if (len > mm->cached_hole_size) {
73506 - start_addr = addr = mm->free_area_cache;
73507 + start_addr = addr = mm->free_area_cache;
73508 } else {
73509 - start_addr = addr = TASK_UNMAPPED_BASE;
73510 - mm->cached_hole_size = 0;
73511 + start_addr = addr = mm->mmap_base;
73512 + mm->cached_hole_size = 0;
73513 }
73514
73515 full_search:
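Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` added under #ifdef has no body of its own; it governs the `if (addr) {` block that follows after a blank line, and in the arch_get_unmapped_area_topdown hunk further down a comment line sits between the two. Anyone inserting a statement between them changes what the guard controls without a compiler diagnostic. Folding the guard into a flag keeps the behaviour and makes the scope explicit. The flag's declaration belongs with the other locals, which are outside the hunk.

```c
	bool use_hint = addr != 0;	/* declare with the other locals */

#ifdef CONFIG_PAX_RANDMMAP
	/* a caller-supplied hint is ignored when the mm is randomised */
	if (mm->pax_flags & MF_PAX_RANDMMAP)
		use_hint = false;
#endif

	if (use_hint) {
		/* … unchanged: PAGE_ALIGN(addr), TASK_SIZE test, check_heap_stack_gap() … */
	}
```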
73516 @@ -1433,34 +1632,40 @@ full_search:
73517 * Start a new search - just in case we missed
73518 * some holes.
73519 */
73520 - if (start_addr != TASK_UNMAPPED_BASE) {
73521 - addr = TASK_UNMAPPED_BASE;
73522 - start_addr = addr;
73523 + if (start_addr != mm->mmap_base) {
73524 + start_addr = addr = mm->mmap_base;
73525 mm->cached_hole_size = 0;
73526 goto full_search;
73527 }
73528 return -ENOMEM;
73529 }
73530 - if (!vma || addr + len <= vma->vm_start) {
73531 - /*
73532 - * Remember the place where we stopped the search:
73533 - */
73534 - mm->free_area_cache = addr + len;
73535 - return addr;
73536 - }
73537 + if (check_heap_stack_gap(vma, addr, len))
73538 + break;
73539 if (addr + mm->cached_hole_size < vma->vm_start)
73540 mm->cached_hole_size = vma->vm_start - addr;
73541 addr = vma->vm_end;
73542 }
73543 +
73544 + /*
73545 + * Remember the place where we stopped the search:
73546 + */
73547 + mm->free_area_cache = addr + len;
73548 + return addr;
73549 }
73550 #endif
73551
73552 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
73553 {
73554 +
73555 +#ifdef CONFIG_PAX_SEGMEXEC
73556 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73557 + return;
73558 +#endif
73559 +
73560 /*
73561 * Is this a new hole at the lowest possible address?
73562 */
73563 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
73564 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
73565 mm->free_area_cache = addr;
73566 mm->cached_hole_size = ~0UL;
73567 }
73568 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
73569 {
73570 struct vm_area_struct *vma;
73571 struct mm_struct *mm = current->mm;
73572 - unsigned long addr = addr0;
73573 + unsigned long base = mm->mmap_base, addr = addr0;
73574
73575 /* requested length too big for entire address space */
73576 if (len > TASK_SIZE)
73577 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
73578 if (flags & MAP_FIXED)
73579 return addr;
73580
73581 +#ifdef CONFIG_PAX_RANDMMAP
73582 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
73583 +#endif
73584 +
73585 /* requesting a specific address */
73586 if (addr) {
73587 addr = PAGE_ALIGN(addr);
73588 - vma = find_vma(mm, addr);
73589 - if (TASK_SIZE - len >= addr &&
73590 - (!vma || addr + len <= vma->vm_start))
73591 - return addr;
73592 + if (TASK_SIZE - len >= addr) {
73593 + vma = find_vma(mm, addr);
73594 + if (check_heap_stack_gap(vma, addr, len))
73595 + return addr;
73596 + }
73597 }
73598
73599 /* check if free_area_cache is useful for us */
73600 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
73601 /* make sure it can fit in the remaining address space */
73602 if (addr > len) {
73603 vma = find_vma(mm, addr-len);
73604 - if (!vma || addr <= vma->vm_start)
73605 + if (check_heap_stack_gap(vma, addr - len, len))
73606 /* remember the address as a hint for next time */
73607 return (mm->free_area_cache = addr-len);
73608 }
73609 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
73610 * return with success:
73611 */
73612 vma = find_vma(mm, addr);
73613 - if (!vma || addr+len <= vma->vm_start)
73614 + if (check_heap_stack_gap(vma, addr, len))
73615 /* remember the address as a hint for next time */
73616 return (mm->free_area_cache = addr);
73617
73618 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
73619 mm->cached_hole_size = vma->vm_start - addr;
73620
73621 /* try just below the current vma->vm_start */
73622 - addr = vma->vm_start-len;
73623 - } while (len < vma->vm_start);
73624 + addr = skip_heap_stack_gap(vma, len);
73625 + } while (!IS_ERR_VALUE(addr));
73626
73627 bottomup:
73628 /*
73629 @@ -1544,13 +1754,21 @@ bottomup:
73630 * can happen with large stack limits and large mmap()
73631 * allocations.
73632 */
73633 + mm->mmap_base = TASK_UNMAPPED_BASE;
73634 +
73635 +#ifdef CONFIG_PAX_RANDMMAP
73636 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73637 + mm->mmap_base += mm->delta_mmap;
73638 +#endif
73639 +
73640 + mm->free_area_cache = mm->mmap_base;
73641 mm->cached_hole_size = ~0UL;
73642 - mm->free_area_cache = TASK_UNMAPPED_BASE;
73643 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
73644 /*
73645 * Restore the topdown base:
73646 */
73647 - mm->free_area_cache = mm->mmap_base;
73648 + mm->mmap_base = base;
73649 + mm->free_area_cache = base;
73650 mm->cached_hole_size = ~0UL;
73651
73652 return addr;
73653 @@ -1559,6 +1777,12 @@ bottomup:
73654
73655 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
73656 {
73657 +
73658 +#ifdef CONFIG_PAX_SEGMEXEC
73659 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
73660 + return;
73661 +#endif
73662 +
73663 /*
73664 * Is this a new hole at the highest possible address?
73665 */
73666 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
73667 mm->free_area_cache = addr;
73668
73669 /* dont allow allocations above current base */
73670 - if (mm->free_area_cache > mm->mmap_base)
73671 + if (mm->free_area_cache > mm->mmap_base) {
73672 mm->free_area_cache = mm->mmap_base;
73673 + mm->cached_hole_size = ~0UL;
73674 + }
73675 }
73676
73677 unsigned long
73678 @@ -1675,6 +1901,28 @@ out:
73679 return prev ? prev->vm_next : vma;
73680 }
73681
73682 +#ifdef CONFIG_PAX_SEGMEXEC
73683 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
73684 +{
73685 + struct vm_area_struct *vma_m;
73686 +
73687 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
73688 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
73689 + BUG_ON(vma->vm_mirror);
73690 + return NULL;
73691 + }
73692 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
73693 + vma_m = vma->vm_mirror;
73694 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
73695 + BUG_ON(vma->vm_file != vma_m->vm_file);
73696 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
73697 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
73698 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
73699 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
73700 + return vma_m;
73701 +}
73702 +#endif
73703 +
73704 /*
73705 * Verify that the stack growth is acceptable and
73706 * update accounting. This is shared with both the
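Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);` in pax_find_mirror_vma() dereferences both `anon_vma` pointers whenever they differ, including when exactly one of them is NULL. That state then produces a NULL dereference inside the assertion instead of the intended BUG report. Testing for NULL first keeps the diagnostic meaningful, e.g. `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. The function also has no header comment; one line saying that it returns NULL for a vma without a mirror and otherwise asserts that the pair is consistent would be enough.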
73707 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
73708 return -ENOMEM;
73709
73710 /* Stack limit test */
73711 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
73712 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
73713 return -ENOMEM;
73714
73715 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
73716 locked = mm->locked_vm + grow;
73717 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
73718 limit >>= PAGE_SHIFT;
73719 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73720 if (locked > limit && !capable(CAP_IPC_LOCK))
73721 return -ENOMEM;
73722 }
73723 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
73724 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
73725 * vma is the last one with address > vma->vm_end. Have to extend vma.
73726 */
73727 +#ifndef CONFIG_IA64
73728 +static
73729 +#endif
73730 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
73731 {
73732 int error;
73733 + bool locknext;
73734
73735 if (!(vma->vm_flags & VM_GROWSUP))
73736 return -EFAULT;
73737
73738 + /* Also guard against wrapping around to address 0. */
73739 + if (address < PAGE_ALIGN(address+1))
73740 + address = PAGE_ALIGN(address+1);
73741 + else
73742 + return -ENOMEM;
73743 +
73744 /*
73745 * We must make sure the anon_vma is allocated
73746 * so that the anon_vma locking is not a noop.
73747 */
73748 if (unlikely(anon_vma_prepare(vma)))
73749 return -ENOMEM;
73750 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
73751 + if (locknext && anon_vma_prepare(vma->vm_next))
73752 + return -ENOMEM;
73753 vma_lock_anon_vma(vma);
73754 + if (locknext)
73755 + vma_lock_anon_vma(vma->vm_next);
73756
73757 /*
73758 * vma->vm_start/vm_end cannot change under us because the caller
73759 * is required to hold the mmap_sem in read mode. We need the
73760 - * anon_vma lock to serialize against concurrent expand_stacks.
73761 - * Also guard against wrapping around to address 0.
73762 + * anon_vma locks to serialize against concurrent expand_stacks
73763 + * and expand_upwards.
73764 */
73765 - if (address < PAGE_ALIGN(address+4))
73766 - address = PAGE_ALIGN(address+4);
73767 - else {
73768 - vma_unlock_anon_vma(vma);
73769 - return -ENOMEM;
73770 - }
73771 error = 0;
73772
73773 /* Somebody else might have raced and expanded it already */
73774 - if (address > vma->vm_end) {
73775 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
73776 + error = -ENOMEM;
73777 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
73778 unsigned long size, grow;
73779
73780 size = address - vma->vm_start;
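Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` in expand_upwards() is an unsigned subtraction that is only meaningful while `address` does not exceed `vma->vm_next->vm_start`; if it ever did, the difference wraps to a large value and the test passes. The matching test in the expand_downwards hunk further down, `address - prev->vm_end < sysctl_heap_stack_gap`, has the same shape. Please state the precondition in a comment or check it explicitly, and say why only neighbours with VM_READ, VM_WRITE or VM_EXEC count. The existing "Somebody else might have raced" comment now sits above the gap test and no longer describes the line beneath it; the function ends outside this hunk.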
73781 @@ -1776,6 +2037,8 @@ int expand_upwards(struct vm_area_struct
73782 }
73783 }
73784 }
73785 + if (locknext)
73786 + vma_unlock_anon_vma(vma->vm_next);
73787 vma_unlock_anon_vma(vma);
73788 khugepaged_enter_vma_merge(vma);
73789 return error;
73790 @@ -1789,6 +2052,8 @@ static int expand_downwards(struct vm_ar
73791 unsigned long address)
73792 {
73793 int error;
73794 + bool lockprev = false;
73795 + struct vm_area_struct *prev;
73796
73797 /*
73798 * We must make sure the anon_vma is allocated
73799 @@ -1802,6 +2067,15 @@ static int expand_downwards(struct vm_ar
73800 if (error)
73801 return error;
73802
73803 + prev = vma->vm_prev;
73804 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
73805 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
73806 +#endif
73807 + if (lockprev && anon_vma_prepare(prev))
73808 + return -ENOMEM;
73809 + if (lockprev)
73810 + vma_lock_anon_vma(prev);
73811 +
73812 vma_lock_anon_vma(vma);
73813
73814 /*
73815 @@ -1811,9 +2085,17 @@ static int expand_downwards(struct vm_ar
73816 */
73817
73818 /* Somebody else might have raced and expanded it already */
73819 - if (address < vma->vm_start) {
73820 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
73821 + error = -ENOMEM;
73822 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
73823 unsigned long size, grow;
73824
73825 +#ifdef CONFIG_PAX_SEGMEXEC
73826 + struct vm_area_struct *vma_m;
73827 +
73828 + vma_m = pax_find_mirror_vma(vma);
73829 +#endif
73830 +
73831 size = vma->vm_end - address;
73832 grow = (vma->vm_start - address) >> PAGE_SHIFT;
73833
73834 @@ -1823,11 +2105,22 @@ static int expand_downwards(struct vm_ar
73835 if (!error) {
73836 vma->vm_start = address;
73837 vma->vm_pgoff -= grow;
73838 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
73839 +
73840 +#ifdef CONFIG_PAX_SEGMEXEC
73841 + if (vma_m) {
73842 + vma_m->vm_start -= grow << PAGE_SHIFT;
73843 + vma_m->vm_pgoff -= grow;
73844 + }
73845 +#endif
73846 +
73847 perf_event_mmap(vma);
73848 }
73849 }
73850 }
73851 vma_unlock_anon_vma(vma);
73852 + if (lockprev)
73853 + vma_unlock_anon_vma(prev);
73854 khugepaged_enter_vma_merge(vma);
73855 return error;
73856 }
73857 @@ -1902,6 +2195,13 @@ static void remove_vma_list(struct mm_st
73858 do {
73859 long nrpages = vma_pages(vma);
73860
73861 +#ifdef CONFIG_PAX_SEGMEXEC
73862 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
73863 + vma = remove_vma(vma);
73864 + continue;
73865 + }
73866 +#endif
73867 +
73868 mm->total_vm -= nrpages;
73869 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
73870 vma = remove_vma(vma);
73871 @@ -1947,6 +2247,16 @@ detach_vmas_to_be_unmapped(struct mm_str
73872 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
73873 vma->vm_prev = NULL;
73874 do {
73875 +
73876 +#ifdef CONFIG_PAX_SEGMEXEC
73877 + if (vma->vm_mirror) {
73878 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
73879 + vma->vm_mirror->vm_mirror = NULL;
73880 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
73881 + vma->vm_mirror = NULL;
73882 + }
73883 +#endif
73884 +
73885 rb_erase(&vma->vm_rb, &mm->mm_rb);
73886 mm->map_count--;
73887 tail_vma = vma;
73888 @@ -1975,14 +2285,33 @@ static int __split_vma(struct mm_struct
73889 struct vm_area_struct *new;
73890 int err = -ENOMEM;
73891
73892 +#ifdef CONFIG_PAX_SEGMEXEC
73893 + struct vm_area_struct *vma_m, *new_m = NULL;
73894 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
73895 +#endif
73896 +
73897 if (is_vm_hugetlb_page(vma) && (addr &
73898 ~(huge_page_mask(hstate_vma(vma)))))
73899 return -EINVAL;
73900
73901 +#ifdef CONFIG_PAX_SEGMEXEC
73902 + vma_m = pax_find_mirror_vma(vma);
73903 +#endif
73904 +
73905 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73906 if (!new)
73907 goto out_err;
73908
73909 +#ifdef CONFIG_PAX_SEGMEXEC
73910 + if (vma_m) {
73911 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
73912 + if (!new_m) {
73913 + kmem_cache_free(vm_area_cachep, new);
73914 + goto out_err;
73915 + }
73916 + }
73917 +#endif
73918 +
73919 /* most fields are the same, copy all, and then fixup */
73920 *new = *vma;
73921
73922 @@ -1995,6 +2324,22 @@ static int __split_vma(struct mm_struct
73923 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
73924 }
73925
73926 +#ifdef CONFIG_PAX_SEGMEXEC
73927 + if (vma_m) {
73928 + *new_m = *vma_m;
73929 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
73930 + new_m->vm_mirror = new;
73931 + new->vm_mirror = new_m;
73932 +
73933 + if (new_below)
73934 + new_m->vm_end = addr_m;
73935 + else {
73936 + new_m->vm_start = addr_m;
73937 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
73938 + }
73939 + }
73940 +#endif
73941 +
73942 pol = mpol_dup(vma_policy(vma));
73943 if (IS_ERR(pol)) {
73944 err = PTR_ERR(pol);
73945 @@ -2020,6 +2365,42 @@ static int __split_vma(struct mm_struct
73946 else
73947 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
73948
73949 +#ifdef CONFIG_PAX_SEGMEXEC
73950 + if (!err && vma_m) {
73951 + if (anon_vma_clone(new_m, vma_m))
73952 + goto out_free_mpol;
73953 +
73954 + mpol_get(pol);
73955 + vma_set_policy(new_m, pol);
73956 +
73957 + if (new_m->vm_file) {
73958 + get_file(new_m->vm_file);
73959 + if (vma_m->vm_flags & VM_EXECUTABLE)
73960 + added_exe_file_vma(mm);
73961 + }
73962 +
73963 + if (new_m->vm_ops && new_m->vm_ops->open)
73964 + new_m->vm_ops->open(new_m);
73965 +
73966 + if (new_below)
73967 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
73968 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73969 + else
73970 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73971 +
73972 + if (err) {
73973 + if (new_m->vm_ops && new_m->vm_ops->close)
73974 + new_m->vm_ops->close(new_m);
73975 + if (new_m->vm_file) {
73976 + if (vma_m->vm_flags & VM_EXECUTABLE)
73977 + removed_exe_file_vma(mm);
73978 + fput(new_m->vm_file);
73979 + }
73980 + mpol_put(pol);
73981 + }
73982 + }
73983 +#endif
73984 +
73985 /* Success. */
73986 if (!err)
73987 return 0;
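Review bot: In the added SEGMEXEC block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is only reached when `err` is 0, so the function frees `new_m` and `new` at `out_free_vma` (next hunk) and then returns 0 from `out_err`. By then the first `vma_adjust()` has already succeeded with `new` as its insert argument, so `new` appears to be freed while still linked. The same applies when the mirror's `vma_adjust()` fails and control falls through to the cleanup for `new`. At minimum set `err = -ENOMEM;` before the `goto`; a safer order would run the mirror's fallible steps before the primary `vma_adjust()`. The body of __split_vma() continues outside this hunk, so the unwinding should be checked against the full function.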
73988 @@ -2032,10 +2413,18 @@ static int __split_vma(struct mm_struct
73989 removed_exe_file_vma(mm);
73990 fput(new->vm_file);
73991 }
73992 - unlink_anon_vmas(new);
73993 out_free_mpol:
73994 mpol_put(pol);
73995 out_free_vma:
73996 +
73997 +#ifdef CONFIG_PAX_SEGMEXEC
73998 + if (new_m) {
73999 + unlink_anon_vmas(new_m);
74000 + kmem_cache_free(vm_area_cachep, new_m);
74001 + }
74002 +#endif
74003 +
74004 + unlink_anon_vmas(new);
74005 kmem_cache_free(vm_area_cachep, new);
74006 out_err:
74007 return err;
74008 @@ -2048,6 +2437,15 @@ static int __split_vma(struct mm_struct
74009 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
74010 unsigned long addr, int new_below)
74011 {
74012 +
74013 +#ifdef CONFIG_PAX_SEGMEXEC
74014 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
74015 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
74016 + if (mm->map_count >= sysctl_max_map_count-1)
74017 + return -ENOMEM;
74018 + } else
74019 +#endif
74020 +
74021 if (mm->map_count >= sysctl_max_map_count)
74022 return -ENOMEM;
74023
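Review bot: The added block ends in `} else` directly before `#endif`, so with CONFIG_PAX_SEGMEXEC set the unchanged `if (mm->map_count >= sysctl_max_map_count)` silently becomes the else branch. This breaks as soon as someone inserts a statement after the `#endif`. A comment before the `#endif` such as `/* else: the generic map_count check below is the other branch */` would make the coupling explicit. The `sysctl_max_map_count-1` bound should also get a comment saying that a SEGMEXEC split may add a second VMA for the mirror (inferred from __split_vma allocating `new_m`). The mprotect() hunk in mm/mprotect.c that adds the `end > SEGMEXEC_TASK_SIZE` check uses the same `} else` / `#endif` pattern.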
74024 @@ -2059,11 +2457,30 @@ int split_vma(struct mm_struct *mm, stru
74025 * work. This now handles partial unmappings.
74026 * Jeremy Fitzhardinge <jeremy@goop.org>
74027 */
74028 +#ifdef CONFIG_PAX_SEGMEXEC
74029 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
74030 +{
74031 + int ret = __do_munmap(mm, start, len);
74032 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
74033 + return ret;
74034 +
74035 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
74036 +}
74037 +
74038 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
74039 +#else
74040 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
74041 +#endif
74042 {
74043 unsigned long end;
74044 struct vm_area_struct *vma, *prev, *last;
74045
74046 + /*
74047 + * mm->mmap_sem is required to protect against another thread
74048 + * changing the mappings in case we sleep.
74049 + */
74050 + verify_mm_writelocked(mm);
74051 +
74052 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
74053 return -EINVAL;
74054
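Review bot: The new `do_munmap()` wrapper unmaps the lower range first and only then the range at `start + SEGMEXEC_TASK_SIZE`, so if the second `__do_munmap()` fails the caller gets an error although the first range is already gone. The wrapper has no comment describing that contract. I would add a short header comment stating that under SEGMEXEC the mirror range is unmapped second, that a failure there leaves the primary range unmapped, and that callers must hold mmap_sem for writing (the added `verify_mm_writelocked()` call). The body of __do_munmap() continues outside this hunk.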
74055 @@ -2137,6 +2554,8 @@ int do_munmap(struct mm_struct *mm, unsi
74056 /* Fix up all other VM information */
74057 remove_vma_list(mm, vma);
74058
74059 + track_exec_limit(mm, start, end, 0UL);
74060 +
74061 return 0;
74062 }
74063
74064 @@ -2149,22 +2568,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
74065
74066 profile_munmap(addr);
74067
74068 +#ifdef CONFIG_PAX_SEGMEXEC
74069 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
74070 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
74071 + return -EINVAL;
74072 +#endif
74073 +
74074 down_write(&mm->mmap_sem);
74075 ret = do_munmap(mm, addr, len);
74076 up_write(&mm->mmap_sem);
74077 return ret;
74078 }
74079
74080 -static inline void verify_mm_writelocked(struct mm_struct *mm)
74081 -{
74082 -#ifdef CONFIG_DEBUG_VM
74083 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
74084 - WARN_ON(1);
74085 - up_read(&mm->mmap_sem);
74086 - }
74087 -#endif
74088 -}
74089 -
74090 /*
74091 * this is really a simplified "do_mmap". it only handles
74092 * anonymous maps. eventually we may be able to do some
74093 @@ -2178,6 +2593,7 @@ unsigned long do_brk(unsigned long addr,
74094 struct rb_node ** rb_link, * rb_parent;
74095 pgoff_t pgoff = addr >> PAGE_SHIFT;
74096 int error;
74097 + unsigned long charged;
74098
74099 len = PAGE_ALIGN(len);
74100 if (!len)
74101 @@ -2189,16 +2605,30 @@ unsigned long do_brk(unsigned long addr,
74102
74103 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
74104
74105 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
74106 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74107 + flags &= ~VM_EXEC;
74108 +
74109 +#ifdef CONFIG_PAX_MPROTECT
74110 + if (mm->pax_flags & MF_PAX_MPROTECT)
74111 + flags &= ~VM_MAYEXEC;
74112 +#endif
74113 +
74114 + }
74115 +#endif
74116 +
74117 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
74118 if (error & ~PAGE_MASK)
74119 return error;
74120
74121 + charged = len >> PAGE_SHIFT;
74122 +
74123 /*
74124 * mlock MCL_FUTURE?
74125 */
74126 if (mm->def_flags & VM_LOCKED) {
74127 unsigned long locked, lock_limit;
74128 - locked = len >> PAGE_SHIFT;
74129 + locked = charged;
74130 locked += mm->locked_vm;
74131 lock_limit = rlimit(RLIMIT_MEMLOCK);
74132 lock_limit >>= PAGE_SHIFT;
74133 @@ -2215,22 +2645,22 @@ unsigned long do_brk(unsigned long addr,
74134 /*
74135 * Clear old maps. this also does some error checking for us
74136 */
74137 - munmap_back:
74138 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74139 if (vma && vma->vm_start < addr + len) {
74140 if (do_munmap(mm, addr, len))
74141 return -ENOMEM;
74142 - goto munmap_back;
74143 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74144 + BUG_ON(vma && vma->vm_start < addr + len);
74145 }
74146
74147 /* Check against address space limits *after* clearing old maps... */
74148 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
74149 + if (!may_expand_vm(mm, charged))
74150 return -ENOMEM;
74151
74152 if (mm->map_count > sysctl_max_map_count)
74153 return -ENOMEM;
74154
74155 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
74156 + if (security_vm_enough_memory(charged))
74157 return -ENOMEM;
74158
74159 /* Can we just expand an old private anonymous mapping? */
74160 @@ -2244,7 +2674,7 @@ unsigned long do_brk(unsigned long addr,
74161 */
74162 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74163 if (!vma) {
74164 - vm_unacct_memory(len >> PAGE_SHIFT);
74165 + vm_unacct_memory(charged);
74166 return -ENOMEM;
74167 }
74168
74169 @@ -2258,11 +2688,12 @@ unsigned long do_brk(unsigned long addr,
74170 vma_link(mm, vma, prev, rb_link, rb_parent);
74171 out:
74172 perf_event_mmap(vma);
74173 - mm->total_vm += len >> PAGE_SHIFT;
74174 + mm->total_vm += charged;
74175 if (flags & VM_LOCKED) {
74176 if (!mlock_vma_pages_range(vma, addr, addr + len))
74177 - mm->locked_vm += (len >> PAGE_SHIFT);
74178 + mm->locked_vm += charged;
74179 }
74180 + track_exec_limit(mm, addr, addr + len, flags);
74181 return addr;
74182 }
74183
74184 @@ -2309,8 +2740,10 @@ void exit_mmap(struct mm_struct *mm)
74185 * Walk the list again, actually closing and freeing it,
74186 * with preemption enabled, without holding any MM locks.
74187 */
74188 - while (vma)
74189 + while (vma) {
74190 + vma->vm_mirror = NULL;
74191 vma = remove_vma(vma);
74192 + }
74193
74194 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
74195 }
74196 @@ -2324,6 +2757,13 @@ int insert_vm_struct(struct mm_struct *
74197 struct vm_area_struct * __vma, * prev;
74198 struct rb_node ** rb_link, * rb_parent;
74199
74200 +#ifdef CONFIG_PAX_SEGMEXEC
74201 + struct vm_area_struct *vma_m = NULL;
74202 +#endif
74203 +
74204 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
74205 + return -EPERM;
74206 +
74207 /*
74208 * The vm_pgoff of a purely anonymous vma should be irrelevant
74209 * until its first write fault, when page's anon_vma and index
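Review bot: The added `security_file_mmap()` check returns a fixed `-EPERM` and discards whatever the hook returned, whereas `mremap_to()` in mm/mremap.c propagates the hook's return value through `ret`. If the hook can return other codes, callers of insert_vm_struct() lose that information; consider keeping the result in a local and returning it. A one-line comment saying what the check is meant to enforce for VMAs inserted by the kernel would also help. insert_vm_struct() continues outside this hunk.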
74210 @@ -2346,7 +2786,22 @@ int insert_vm_struct(struct mm_struct *
74211 if ((vma->vm_flags & VM_ACCOUNT) &&
74212 security_vm_enough_memory_mm(mm, vma_pages(vma)))
74213 return -ENOMEM;
74214 +
74215 +#ifdef CONFIG_PAX_SEGMEXEC
74216 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
74217 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74218 + if (!vma_m)
74219 + return -ENOMEM;
74220 + }
74221 +#endif
74222 +
74223 vma_link(mm, vma, prev, rb_link, rb_parent);
74224 +
74225 +#ifdef CONFIG_PAX_SEGMEXEC
74226 + if (vma_m)
74227 + BUG_ON(pax_mirror_vma(vma_m, vma));
74228 +#endif
74229 +
74230 return 0;
74231 }
74232
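Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns an allocation failure into a kernel BUG, because `pax_mirror_vma()` (added later in this patch) returns `-ENOMEM` when `anon_vma_clone()` fails. An out-of-memory condition should be reported to the caller rather than halting, which probably means doing the fallible part before `vma_link()`. Separately, the new `return -ENOMEM` after `kmem_cache_zalloc()` follows a successful `security_vm_enough_memory_mm()` for VM_ACCOUNT mappings, and the visible lines do not undo that charge; `do_brk()` calls `vm_unacct_memory()` in the equivalent situation. The start of insert_vm_struct() is outside this hunk.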
74233 @@ -2364,6 +2819,8 @@ struct vm_area_struct *copy_vma(struct v
74234 struct rb_node **rb_link, *rb_parent;
74235 struct mempolicy *pol;
74236
74237 + BUG_ON(vma->vm_mirror);
74238 +
74239 /*
74240 * If anonymous vma has not yet been faulted, update new pgoff
74241 * to match new location, to increase its chance of merging.
74242 @@ -2413,6 +2870,39 @@ struct vm_area_struct *copy_vma(struct v
74243 kmem_cache_free(vm_area_cachep, new_vma);
74244 return NULL;
74245 }
74246 +
74247 +#ifdef CONFIG_PAX_SEGMEXEC
74248 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
74249 +{
74250 + struct vm_area_struct *prev_m;
74251 + struct rb_node **rb_link_m, *rb_parent_m;
74252 + struct mempolicy *pol_m;
74253 +
74254 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
74255 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
74256 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
74257 + *vma_m = *vma;
74258 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
74259 + if (anon_vma_clone(vma_m, vma))
74260 + return -ENOMEM;
74261 + pol_m = vma_policy(vma_m);
74262 + mpol_get(pol_m);
74263 + vma_set_policy(vma_m, pol_m);
74264 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
74265 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
74266 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
74267 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
74268 + if (vma_m->vm_file)
74269 + get_file(vma_m->vm_file);
74270 + if (vma_m->vm_ops && vma_m->vm_ops->open)
74271 + vma_m->vm_ops->open(vma_m);
74272 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
74273 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
74274 + vma_m->vm_mirror = vma;
74275 + vma->vm_mirror = vma_m;
74276 + return 0;
74277 +}
74278 +#endif
74279
74280 /*
74281 * Return true if the calling process may expand its vm space by the passed
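Review bot: `pax_mirror_vma()` has no header comment, and its ownership rules are not obvious from the call sites. The comment should say that the caller allocates `vma_m`, that on `-ENOMEM` the mirror has not been linked into the mm and the caller still owns `vma_m`, and that on success the mirror is linked at the primary range shifted by `SEGMEXEC_TASK_SIZE` with `VM_WRITE`, `VM_MAYWRITE`, `VM_ACCOUNT` and `VM_LOCKED` cleared. The return type is `long` while the visible callers treat the result as an `int` error code, which is worth making consistent. copy_vma(), whose tail is the context above, starts outside this hunk.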
74282 @@ -2424,7 +2914,7 @@ int may_expand_vm(struct mm_struct *mm,
74283 unsigned long lim;
74284
74285 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
74286 -
74287 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
74288 if (cur + npages > lim)
74289 return 0;
74290 return 1;
74291 @@ -2495,6 +2985,22 @@ int install_special_mapping(struct mm_st
74292 vma->vm_start = addr;
74293 vma->vm_end = addr + len;
74294
74295 +#ifdef CONFIG_PAX_MPROTECT
74296 + if (mm->pax_flags & MF_PAX_MPROTECT) {
74297 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
74298 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
74299 + return -EPERM;
74300 + if (!(vm_flags & VM_EXEC))
74301 + vm_flags &= ~VM_MAYEXEC;
74302 +#else
74303 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74304 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74305 +#endif
74306 + else
74307 + vm_flags &= ~VM_MAYWRITE;
74308 + }
74309 +#endif
74310 +
74311 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
74312 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74313
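Review bot: The added `return -EPERM` for a request with both `VM_WRITE` and `VM_EXEC` sits after `vma->vm_start` and `vma->vm_end` have been assigned, so `vma` already exists at that point. If it was allocated earlier in install_special_mapping() (outside this hunk), this early return leaks it; free it first, e.g. `kmem_cache_free(vm_area_cachep, vma);`, or move the check ahead of the allocation. The `else` after the inner `#endif` pairs with a different `if` in each configuration, which deserves a comment on the `#else` and `#endif` lines.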
74314 diff -urNp linux-2.6.39.3/mm/mprotect.c linux-2.6.39.3/mm/mprotect.c
74315 --- linux-2.6.39.3/mm/mprotect.c 2011-05-19 00:06:34.000000000 -0400
74316 +++ linux-2.6.39.3/mm/mprotect.c 2011-05-22 19:41:42.000000000 -0400
74317 @@ -23,10 +23,16 @@
74318 #include <linux/mmu_notifier.h>
74319 #include <linux/migrate.h>
74320 #include <linux/perf_event.h>
74321 +
74322 +#ifdef CONFIG_PAX_MPROTECT
74323 +#include <linux/elf.h>
74324 +#endif
74325 +
74326 #include <asm/uaccess.h>
74327 #include <asm/pgtable.h>
74328 #include <asm/cacheflush.h>
74329 #include <asm/tlbflush.h>
74330 +#include <asm/mmu_context.h>
74331
74332 #ifndef pgprot_modify
74333 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
74334 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
74335 flush_tlb_range(vma, start, end);
74336 }
74337
74338 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74339 +/* called while holding the mmap semaphor for writing except stack expansion */
74340 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
74341 +{
74342 + unsigned long oldlimit, newlimit = 0UL;
74343 +
74344 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
74345 + return;
74346 +
74347 + spin_lock(&mm->page_table_lock);
74348 + oldlimit = mm->context.user_cs_limit;
74349 + if ((prot & VM_EXEC) && oldlimit < end)
74350 + /* USER_CS limit moved up */
74351 + newlimit = end;
74352 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
74353 + /* USER_CS limit moved down */
74354 + newlimit = start;
74355 +
74356 + if (newlimit) {
74357 + mm->context.user_cs_limit = newlimit;
74358 +
74359 +#ifdef CONFIG_SMP
74360 + wmb();
74361 + cpus_clear(mm->context.cpu_user_cs_mask);
74362 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
74363 +#endif
74364 +
74365 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
74366 + }
74367 + spin_unlock(&mm->page_table_lock);
74368 + if (newlimit == end) {
74369 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
74370 +
74371 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
74372 + if (is_vm_hugetlb_page(vma))
74373 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
74374 + else
74375 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
74376 + }
74377 +}
74378 +#endif
74379 +
74380 int
74381 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
74382 unsigned long start, unsigned long end, unsigned long newflags)
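Review bot: `track_exec_limit()` needs a fuller header comment than the one-line locking remark. `prot` is tested against `VM_EXEC`, so it carries vm_flags bits rather than PROT_* bits, and `newlimit == 0` doubles as the "no change" value, so a lowered limit with `start == 0` would be ignored; both should be stated. The `for` loop at the end has an unbraced multi-line `if`/`else` body, which I would brace. It would also help to say why the VMA walk and the `change_protection()` calls run after `page_table_lock` is released, given the stack-expansion caller mentioned in the existing comment.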
74383 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
74384 int error;
74385 int dirty_accountable = 0;
74386
74387 +#ifdef CONFIG_PAX_SEGMEXEC
74388 + struct vm_area_struct *vma_m = NULL;
74389 + unsigned long start_m, end_m;
74390 +
74391 + start_m = start + SEGMEXEC_TASK_SIZE;
74392 + end_m = end + SEGMEXEC_TASK_SIZE;
74393 +#endif
74394 +
74395 if (newflags == oldflags) {
74396 *pprev = vma;
74397 return 0;
74398 }
74399
74400 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
74401 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
74402 +
74403 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
74404 + return -ENOMEM;
74405 +
74406 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
74407 + return -ENOMEM;
74408 + }
74409 +
74410 /*
74411 * If we make a private mapping writable we increase our commit;
74412 * but (without finer accounting) cannot reduce our commit if we
74413 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
74414 }
74415 }
74416
74417 +#ifdef CONFIG_PAX_SEGMEXEC
74418 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
74419 + if (start != vma->vm_start) {
74420 + error = split_vma(mm, vma, start, 1);
74421 + if (error)
74422 + goto fail;
74423 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
74424 + *pprev = (*pprev)->vm_next;
74425 + }
74426 +
74427 + if (end != vma->vm_end) {
74428 + error = split_vma(mm, vma, end, 0);
74429 + if (error)
74430 + goto fail;
74431 + }
74432 +
74433 + if (pax_find_mirror_vma(vma)) {
74434 + error = __do_munmap(mm, start_m, end_m - start_m);
74435 + if (error)
74436 + goto fail;
74437 + } else {
74438 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74439 + if (!vma_m) {
74440 + error = -ENOMEM;
74441 + goto fail;
74442 + }
74443 + vma->vm_flags = newflags;
74444 + error = pax_mirror_vma(vma_m, vma);
74445 + if (error) {
74446 + vma->vm_flags = oldflags;
74447 + goto fail;
74448 + }
74449 + }
74450 + }
74451 +#endif
74452 +
74453 /*
74454 * First try to merge with previous and/or next vma.
74455 */
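Review bot: When `pax_mirror_vma(vma_m, vma)` fails, the added error path restores `vma->vm_flags` and jumps to `fail` without releasing `vma_m`, which was obtained from `kmem_cache_zalloc()` a few lines earlier. Unless the `fail` label (outside this hunk) frees it, the mirror VMA leaks; add `kmem_cache_free(vm_area_cachep, vma_m);` before the `goto`. mprotect_fixup() starts and ends outside this hunk.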
74456 @@ -204,9 +306,21 @@ success:
74457 * vm_flags and vm_page_prot are protected by the mmap_sem
74458 * held in write mode.
74459 */
74460 +
74461 +#ifdef CONFIG_PAX_SEGMEXEC
74462 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
74463 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
74464 +#endif
74465 +
74466 vma->vm_flags = newflags;
74467 +
74468 +#ifdef CONFIG_PAX_MPROTECT
74469 + if (mm->binfmt && mm->binfmt->handle_mprotect)
74470 + mm->binfmt->handle_mprotect(vma, newflags);
74471 +#endif
74472 +
74473 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
74474 - vm_get_page_prot(newflags));
74475 + vm_get_page_prot(vma->vm_flags));
74476
74477 if (vma_wants_writenotify(vma)) {
74478 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
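Review bot: The hunk switches `pgprot_modify()` to `vm_get_page_prot(vma->vm_flags)`, presumably because `handle_mprotect()` may alter `vma->vm_flags`, but the unchanged write-notify line below still computes the protection from `newflags & ~VM_SHARED`. If the hook can change the flags, that line should read `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)`; the `track_exec_limit()` call added to the mprotect() loop likewise passes the requested `vm_flags`. Also, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked, while the other visible callers test it for NULL, so a comment or assertion stating why a mirror must exist here is needed.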
74479 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74480 end = start + len;
74481 if (end <= start)
74482 return -ENOMEM;
74483 +
74484 +#ifdef CONFIG_PAX_SEGMEXEC
74485 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74486 + if (end > SEGMEXEC_TASK_SIZE)
74487 + return -EINVAL;
74488 + } else
74489 +#endif
74490 +
74491 + if (end > TASK_SIZE)
74492 + return -EINVAL;
74493 +
74494 if (!arch_validate_prot(prot))
74495 return -EINVAL;
74496
74497 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74498 /*
74499 * Does the application expect PROT_READ to imply PROT_EXEC:
74500 */
74501 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74502 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74503 prot |= PROT_EXEC;
74504
74505 vm_flags = calc_vm_prot_bits(prot);
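Review bot: The condition now adds `PROT_EXEC` for `PROT_WRITE` requests as well, but the comment above it still reads "Does the application expect PROT_READ to imply PROT_EXEC". A write-only request under `READ_IMPLIES_EXEC` therefore becomes writable and executable with no explanation in the code. Update the comment, e.g. `/* READ_IMPLIES_EXEC: PROT_READ or PROT_WRITE implies PROT_EXEC */`, and state why write is included.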
74506 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74507 if (start > vma->vm_start)
74508 prev = vma;
74509
74510 +#ifdef CONFIG_PAX_MPROTECT
74511 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
74512 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
74513 +#endif
74514 +
74515 for (nstart = start ; ; ) {
74516 unsigned long newflags;
74517
74518 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74519
74520 /* newflags >> 4 shift VM_MAY% in place of VM_% */
74521 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
74522 + if (prot & (PROT_WRITE | PROT_EXEC))
74523 + gr_log_rwxmprotect(vma->vm_file);
74524 +
74525 + error = -EACCES;
74526 + goto out;
74527 + }
74528 +
74529 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
74530 error = -EACCES;
74531 goto out;
74532 }
74533 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
74534 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
74535 if (error)
74536 goto out;
74537 +
74538 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
74539 +
74540 nstart = tmp;
74541
74542 if (nstart < prev->vm_end)
74543 diff -urNp linux-2.6.39.3/mm/mremap.c linux-2.6.39.3/mm/mremap.c
74544 --- linux-2.6.39.3/mm/mremap.c 2011-05-19 00:06:34.000000000 -0400
74545 +++ linux-2.6.39.3/mm/mremap.c 2011-05-22 19:36:33.000000000 -0400
74546 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
74547 continue;
74548 pte = ptep_clear_flush(vma, old_addr, old_pte);
74549 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
74550 +
74551 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74552 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
74553 + pte = pte_exprotect(pte);
74554 +#endif
74555 +
74556 set_pte_at(mm, new_addr, new_pte, pte);
74557 }
74558
74559 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
74560 if (is_vm_hugetlb_page(vma))
74561 goto Einval;
74562
74563 +#ifdef CONFIG_PAX_SEGMEXEC
74564 + if (pax_find_mirror_vma(vma))
74565 + goto Einval;
74566 +#endif
74567 +
74568 /* We can't remap across vm area boundaries */
74569 if (old_len > vma->vm_end - addr)
74570 goto Efault;
74571 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
74572 unsigned long ret = -EINVAL;
74573 unsigned long charged = 0;
74574 unsigned long map_flags;
74575 + unsigned long pax_task_size = TASK_SIZE;
74576
74577 if (new_addr & ~PAGE_MASK)
74578 goto out;
74579
74580 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
74581 +#ifdef CONFIG_PAX_SEGMEXEC
74582 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74583 + pax_task_size = SEGMEXEC_TASK_SIZE;
74584 +#endif
74585 +
74586 + pax_task_size -= PAGE_SIZE;
74587 +
74588 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
74589 goto out;
74590
74591 /* Check if the location we're moving into overlaps the
74592 * old location at all, and fail if it does.
74593 */
74594 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
74595 - goto out;
74596 -
74597 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
74598 + if (addr + old_len > new_addr && new_addr + new_len > addr)
74599 goto out;
74600
74601 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
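Review bot: The rewritten bound check mixes limits: `new_len > TASK_SIZE || new_addr > pax_task_size - new_len`. For a `new_len` between `pax_task_size` and `TASK_SIZE` the subtraction wraps and the second comparison no longer bounds `new_addr`. The visible caller `do_mremap()` rejects such a length first, so this is a defence-in-depth gap rather than a path reachable from there. Use `new_len > pax_task_size` in the first comparison. The `pax_task_size -= PAGE_SIZE;` line here and in `do_mremap()` also needs a comment saying why the last page is excluded.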
74602 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
74603 struct vm_area_struct *vma;
74604 unsigned long ret = -EINVAL;
74605 unsigned long charged = 0;
74606 + unsigned long pax_task_size = TASK_SIZE;
74607
74608 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
74609 goto out;
74610 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
74611 if (!new_len)
74612 goto out;
74613
74614 +#ifdef CONFIG_PAX_SEGMEXEC
74615 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
74616 + pax_task_size = SEGMEXEC_TASK_SIZE;
74617 +#endif
74618 +
74619 + pax_task_size -= PAGE_SIZE;
74620 +
74621 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
74622 + old_len > pax_task_size || addr > pax_task_size-old_len)
74623 + goto out;
74624 +
74625 if (flags & MREMAP_FIXED) {
74626 if (flags & MREMAP_MAYMOVE)
74627 ret = mremap_to(addr, old_len, new_addr, new_len);
74628 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
74629 addr + new_len);
74630 }
74631 ret = addr;
74632 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
74633 goto out;
74634 }
74635 }
74636 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
74637 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
74638 if (ret)
74639 goto out;
74640 +
74641 + map_flags = vma->vm_flags;
74642 ret = move_vma(vma, addr, old_len, new_len, new_addr);
74643 + if (!(ret & ~PAGE_MASK)) {
74644 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
74645 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
74646 + }
74647 }
74648 out:
74649 if (ret & ~PAGE_MASK)
74650 diff -urNp linux-2.6.39.3/mm/nobootmem.c linux-2.6.39.3/mm/nobootmem.c
74651 --- linux-2.6.39.3/mm/nobootmem.c 2011-05-19 00:06:34.000000000 -0400
74652 +++ linux-2.6.39.3/mm/nobootmem.c 2011-05-22 19:36:33.000000000 -0400
74653 @@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
74654 unsigned long __init free_all_memory_core_early(int nodeid)
74655 {
74656 int i;
74657 - u64 start, end;
74658 + u64 start, end, startrange, endrange;
74659 unsigned long count = 0;
74660 - struct range *range = NULL;
74661 + struct range *range = NULL, rangerange = { 0, 0 };
74662 int nr_range;
74663
74664 nr_range = get_free_all_memory_range(&range, nodeid);
74665 + startrange = __pa(range) >> PAGE_SHIFT;
74666 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
74667
74668 for (i = 0; i < nr_range; i++) {
74669 start = range[i].start;
74670 end = range[i].end;
74671 + if (start <= endrange && startrange < end) {
74672 + BUG_ON(rangerange.start | rangerange.end);
74673 + rangerange = range[i];
74674 + continue;
74675 + }
74676 count += end - start;
74677 __free_pages_memory(start, end);
74678 }
74679 + start = rangerange.start;
74680 + end = rangerange.end;
74681 + count += end - start;
74682 + __free_pages_memory(start, end);
74683
74684 return count;
74685 }
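Review bot: The loop now skips the one range that overlaps the pages holding the `range` array and frees it after the loop, but no comment says so, and the logic is hard to infer from the names `startrange`, `endrange` and `rangerange`. I would add `/* free the range holding the range[] array last, so it is not released while still being read */` above the `if` (intent inferred from the `__pa(range)` bounds). When no range overlaps, `rangerange` stays `{ 0, 0 }` and `__free_pages_memory(0, 0)` is still called; guarding the trailing block with `if (rangerange.end)` would make that case explicit.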
74686 diff -urNp linux-2.6.39.3/mm/nommu.c linux-2.6.39.3/mm/nommu.c
74687 --- linux-2.6.39.3/mm/nommu.c 2011-05-19 00:06:34.000000000 -0400
74688 +++ linux-2.6.39.3/mm/nommu.c 2011-05-22 19:36:33.000000000 -0400
74689 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
74690 int sysctl_overcommit_ratio = 50; /* default is 50% */
74691 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
74692 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
74693 -int heap_stack_gap = 0;
74694
74695 atomic_long_t mmap_pages_allocated;
74696
74697 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
74698 EXPORT_SYMBOL(find_vma);
74699
74700 /*
74701 - * find a VMA
74702 - * - we don't extend stack VMAs under NOMMU conditions
74703 - */
74704 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
74705 -{
74706 - return find_vma(mm, addr);
74707 -}
74708 -
74709 -/*
74710 * expand a stack to a given address
74711 * - not supported under NOMMU conditions
74712 */
74713 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
74714
74715 /* most fields are the same, copy all, and then fixup */
74716 *new = *vma;
74717 + INIT_LIST_HEAD(&new->anon_vma_chain);
74718 *region = *vma->vm_region;
74719 new->vm_region = region;
74720
74721 diff -urNp linux-2.6.39.3/mm/page_alloc.c linux-2.6.39.3/mm/page_alloc.c
74722 --- linux-2.6.39.3/mm/page_alloc.c 2011-06-03 00:04:14.000000000 -0400
74723 +++ linux-2.6.39.3/mm/page_alloc.c 2011-07-09 09:12:54.000000000 -0400
74724 @@ -337,7 +337,7 @@ out:
74725 * This usage means that zero-order pages may not be compound.
74726 */
74727
74728 -static void free_compound_page(struct page *page)
74729 +void free_compound_page(struct page *page)
74730 {
74731 __free_pages_ok(page, compound_order(page));
74732 }
74733 @@ -650,6 +650,10 @@ static bool free_pages_prepare(struct pa
74734 int i;
74735 int bad = 0;
74736
74737 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74738 + unsigned long index = 1UL << order;
74739 +#endif
74740 +
74741 trace_mm_page_free_direct(page, order);
74742 kmemcheck_free_shadow(page, order);
74743
74744 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
74745 debug_check_no_obj_freed(page_address(page),
74746 PAGE_SIZE << order);
74747 }
74748 +
74749 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74750 + for (; index; --index)
74751 + sanitize_highpage(page + index - 1);
74752 +#endif
74753 +
74754 arch_free_page(page, order);
74755 kernel_map_pages(page, 1 << order, 0);
74756
74757 @@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
74758 arch_alloc_page(page, order);
74759 kernel_map_pages(page, 1 << order, 1);
74760
74761 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
74762 if (gfp_flags & __GFP_ZERO)
74763 prep_zero_page(page, order, gfp_flags);
74764 +#endif
74765
74766 if (order && (gfp_flags & __GFP_COMP))
74767 prep_compound_page(page, order);
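Review bot: With CONFIG_PAX_MEMORY_SANITIZE set, `__GFP_ZERO` no longer zeroes anything here, so correctness depends on every page having passed through the `sanitize_highpage()` loop added to `free_pages_prepare()` (which presumably clears it) before it can be allocated again. That invariant is not written down; add a comment such as `/* pages are cleared on free under PAX_MEMORY_SANITIZE, so __GFP_ZERO needs no work here */`. It is worth confirming that no path hands pages to the allocator without that loop running, including any early return from `free_pages_prepare()` outside the visible hunks. prep_new_page() starts outside this hunk.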
74768 @@ -2504,6 +2516,8 @@ void __show_free_areas(unsigned int filt
74769 int cpu;
74770 struct zone *zone;
74771
74772 + pax_track_stack();
74773 +
74774 for_each_populated_zone(zone) {
74775 if (skip_free_areas_zone(filter, zone))
74776 continue;
74777 diff -urNp linux-2.6.39.3/mm/percpu.c linux-2.6.39.3/mm/percpu.c
74778 --- linux-2.6.39.3/mm/percpu.c 2011-05-19 00:06:34.000000000 -0400
74779 +++ linux-2.6.39.3/mm/percpu.c 2011-05-22 19:36:33.000000000 -0400
74780 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
74781 static unsigned int pcpu_last_unit_cpu __read_mostly;
74782
74783 /* the address of the first chunk which starts with the kernel static area */
74784 -void *pcpu_base_addr __read_mostly;
74785 +void *pcpu_base_addr __read_only;
74786 EXPORT_SYMBOL_GPL(pcpu_base_addr);
74787
74788 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
74789 diff -urNp linux-2.6.39.3/mm/rmap.c linux-2.6.39.3/mm/rmap.c
74790 --- linux-2.6.39.3/mm/rmap.c 2011-05-19 00:06:34.000000000 -0400
74791 +++ linux-2.6.39.3/mm/rmap.c 2011-05-22 19:36:33.000000000 -0400
74792 @@ -131,6 +131,10 @@ int anon_vma_prepare(struct vm_area_stru
74793 struct anon_vma *anon_vma = vma->anon_vma;
74794 struct anon_vma_chain *avc;
74795
74796 +#ifdef CONFIG_PAX_SEGMEXEC
74797 + struct anon_vma_chain *avc_m = NULL;
74798 +#endif
74799 +
74800 might_sleep();
74801 if (unlikely(!anon_vma)) {
74802 struct mm_struct *mm = vma->vm_mm;
74803 @@ -140,6 +144,12 @@ int anon_vma_prepare(struct vm_area_stru
74804 if (!avc)
74805 goto out_enomem;
74806
74807 +#ifdef CONFIG_PAX_SEGMEXEC
74808 + avc_m = anon_vma_chain_alloc();
74809 + if (!avc_m)
74810 + goto out_enomem_free_avc;
74811 +#endif
74812 +
74813 anon_vma = find_mergeable_anon_vma(vma);
74814 allocated = NULL;
74815 if (!anon_vma) {
74816 @@ -153,6 +163,21 @@ int anon_vma_prepare(struct vm_area_stru
74817 /* page_table_lock to protect against threads */
74818 spin_lock(&mm->page_table_lock);
74819 if (likely(!vma->anon_vma)) {
74820 +
74821 +#ifdef CONFIG_PAX_SEGMEXEC
74822 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
74823 +
74824 + if (vma_m) {
74825 + BUG_ON(vma_m->anon_vma);
74826 + vma_m->anon_vma = anon_vma;
74827 + avc_m->anon_vma = anon_vma;
74828 + avc_m->vma = vma;
74829 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
74830 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
74831 + avc_m = NULL;
74832 + }
74833 +#endif
74834 +
74835 vma->anon_vma = anon_vma;
74836 avc->anon_vma = anon_vma;
74837 avc->vma = vma;
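Review bot: In the added mirror block, `avc_m` is linked onto `vma_m->anon_vma_chain` but `avc_m->vma = vma;` points it at the primary VMA, whereas the context lines set `avc->vma = vma` for the chain entry that belongs to `vma`. If the field is meant to name the VMA that owns the chain entry, this should be `avc_m->vma = vma_m;`; otherwise a comment explaining the deliberate choice is needed. Related: the earlier hunk allocates `avc_m` unconditionally under CONFIG_PAX_SEGMEXEC, even for VMAs that have no mirror. anon_vma_prepare() starts and ends outside this hunk.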
74838 @@ -166,12 +191,24 @@ int anon_vma_prepare(struct vm_area_stru
74839
74840 if (unlikely(allocated))
74841 put_anon_vma(allocated);
74842 +
74843 +#ifdef CONFIG_PAX_SEGMEXEC
74844 + if (unlikely(avc_m))
74845 + anon_vma_chain_free(avc_m);
74846 +#endif
74847 +
74848 if (unlikely(avc))
74849 anon_vma_chain_free(avc);
74850 }
74851 return 0;
74852
74853 out_enomem_free_avc:
74854 +
74855 +#ifdef CONFIG_PAX_SEGMEXEC
74856 + if (avc_m)
74857 + anon_vma_chain_free(avc_m);
74858 +#endif
74859 +
74860 anon_vma_chain_free(avc);
74861 out_enomem:
74862 return -ENOMEM;
74863 @@ -198,7 +235,7 @@ static void anon_vma_chain_link(struct v
74864 * Attach the anon_vmas from src to dst.
74865 * Returns 0 on success, -ENOMEM on failure.
74866 */
74867 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
74868 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
74869 {
74870 struct anon_vma_chain *avc, *pavc;
74871
74872 @@ -220,7 +257,7 @@ int anon_vma_clone(struct vm_area_struct
74873 * the corresponding VMA in the parent process is attached to.
74874 * Returns 0 on success, non-zero on failure.
74875 */
74876 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
74877 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
74878 {
74879 struct anon_vma_chain *avc;
74880 struct anon_vma *anon_vma;
74881 diff -urNp linux-2.6.39.3/mm/shmem.c linux-2.6.39.3/mm/shmem.c
74882 --- linux-2.6.39.3/mm/shmem.c 2011-06-03 00:04:14.000000000 -0400
74883 +++ linux-2.6.39.3/mm/shmem.c 2011-06-03 00:32:08.000000000 -0400
74884 @@ -31,7 +31,7 @@
74885 #include <linux/percpu_counter.h>
74886 #include <linux/swap.h>
74887
74888 -static struct vfsmount *shm_mnt;
74889 +struct vfsmount *shm_mnt;
74890
74891 #ifdef CONFIG_SHMEM
74892 /*
74893 @@ -1087,6 +1087,8 @@ static int shmem_writepage(struct page *
74894 goto unlock;
74895 }
74896 entry = shmem_swp_entry(info, index, NULL);
74897 + if (!entry)
74898 + goto unlock;
74899 if (entry->val) {
74900 /*
74901 * The more uptodate page coming down from a stacked
74902 @@ -1158,6 +1160,8 @@ static struct page *shmem_swapin(swp_ent
74903 struct vm_area_struct pvma;
74904 struct page *page;
74905
74906 + pax_track_stack();
74907 +
74908 spol = mpol_cond_copy(&mpol,
74909 mpol_shared_policy_lookup(&info->policy, idx));
74910
74911 @@ -2014,7 +2018,7 @@ static int shmem_symlink(struct inode *d
74912
74913 info = SHMEM_I(inode);
74914 inode->i_size = len-1;
74915 - if (len <= (char *)inode - (char *)info) {
74916 + if (len <= (char *)inode - (char *)info && len <= 64) {
74917 /* do it inline */
74918 memcpy(info, symname, len);
74919 inode->i_op = &shmem_symlink_inline_operations;
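Review bot: The added `len <= 64` bound on the inline-symlink path is a bare number, and nothing in the hunk says which structure size or field it stands for. A named constant with a comment, for example `#define SHMEM_SYMLINK_INLINE_LEN 64` used as `len <= SHMEM_SYMLINK_INLINE_LEN`, would let a reader verify that the destination of `memcpy(info, symname, len)` really holds that many bytes. The rest of shmem_symlink lies outside the hunk, so the relation between 64 and the layout of the info structure cannot be checked from here.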
74920 @@ -2362,8 +2366,7 @@ int shmem_fill_super(struct super_block
74921 int err = -ENOMEM;
74922
74923 /* Round up to L1_CACHE_BYTES to resist false sharing */
74924 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
74925 - L1_CACHE_BYTES), GFP_KERNEL);
74926 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
74927 if (!sbinfo)
74928 return -ENOMEM;
74929
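Review bot: Dropping the `(int)` cast makes `max()` compare a `size_t` with whatever type `L1_CACHE_BYTES` has, and the kernel's `max()` expects both operands to have the same type. This presumably relies on `L1_CACHE_BYTES` being redefined as an unsigned long elsewhere in the patch, which is not visible here. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type at the call site and does not depend on that redefinition.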
74930 diff -urNp linux-2.6.39.3/mm/slab.c linux-2.6.39.3/mm/slab.c
74931 --- linux-2.6.39.3/mm/slab.c 2011-05-19 00:06:34.000000000 -0400
74932 +++ linux-2.6.39.3/mm/slab.c 2011-05-22 19:41:42.000000000 -0400
74933 @@ -150,7 +150,7 @@
74934
74935 /* Legal flag mask for kmem_cache_create(). */
74936 #if DEBUG
74937 -# define CREATE_MASK (SLAB_RED_ZONE | \
74938 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
74939 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
74940 SLAB_CACHE_DMA | \
74941 SLAB_STORE_USER | \
74942 @@ -158,7 +158,7 @@
74943 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74944 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
74945 #else
74946 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
74947 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
74948 SLAB_CACHE_DMA | \
74949 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
74950 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
74951 @@ -287,7 +287,7 @@ struct kmem_list3 {
74952 * Need this for bootstrapping a per node allocator.
74953 */
74954 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
74955 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
74956 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
74957 #define CACHE_CACHE 0
74958 #define SIZE_AC MAX_NUMNODES
74959 #define SIZE_L3 (2 * MAX_NUMNODES)
74960 @@ -388,10 +388,10 @@ static void kmem_list3_init(struct kmem_
74961 if ((x)->max_freeable < i) \
74962 (x)->max_freeable = i; \
74963 } while (0)
74964 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
74965 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
74966 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
74967 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
74968 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
74969 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
74970 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
74971 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
74972 #else
74973 #define STATS_INC_ACTIVE(x) do { } while (0)
74974 #define STATS_DEC_ACTIVE(x) do { } while (0)
74975 @@ -537,7 +537,7 @@ static inline void *index_to_obj(struct
74976 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
74977 */
74978 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
74979 - const struct slab *slab, void *obj)
74980 + const struct slab *slab, const void *obj)
74981 {
74982 u32 offset = (obj - slab->s_mem);
74983 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
74984 @@ -563,7 +563,7 @@ struct cache_names {
74985 static struct cache_names __initdata cache_names[] = {
74986 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
74987 #include <linux/kmalloc_sizes.h>
74988 - {NULL,}
74989 + {NULL}
74990 #undef CACHE
74991 };
74992
74993 @@ -1529,7 +1529,7 @@ void __init kmem_cache_init(void)
74994 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
74995 sizes[INDEX_AC].cs_size,
74996 ARCH_KMALLOC_MINALIGN,
74997 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
74998 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
74999 NULL);
75000
75001 if (INDEX_AC != INDEX_L3) {
75002 @@ -1537,7 +1537,7 @@ void __init kmem_cache_init(void)
75003 kmem_cache_create(names[INDEX_L3].name,
75004 sizes[INDEX_L3].cs_size,
75005 ARCH_KMALLOC_MINALIGN,
75006 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75007 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75008 NULL);
75009 }
75010
75011 @@ -1555,7 +1555,7 @@ void __init kmem_cache_init(void)
75012 sizes->cs_cachep = kmem_cache_create(names->name,
75013 sizes->cs_size,
75014 ARCH_KMALLOC_MINALIGN,
75015 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75016 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75017 NULL);
75018 }
75019 #ifdef CONFIG_ZONE_DMA
75020 @@ -4270,10 +4270,10 @@ static int s_show(struct seq_file *m, vo
75021 }
75022 /* cpu stats */
75023 {
75024 - unsigned long allochit = atomic_read(&cachep->allochit);
75025 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
75026 - unsigned long freehit = atomic_read(&cachep->freehit);
75027 - unsigned long freemiss = atomic_read(&cachep->freemiss);
75028 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
75029 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
75030 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
75031 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
75032
75033 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
75034 allochit, allocmiss, freehit, freemiss);
75035 @@ -4530,15 +4530,66 @@ static const struct file_operations proc
75036
75037 static int __init slab_proc_init(void)
75038 {
75039 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
75040 + mode_t gr_mode = S_IRUGO;
75041 +
75042 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75043 + gr_mode = S_IRUSR;
75044 +#endif
75045 +
75046 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
75047 #ifdef CONFIG_DEBUG_SLAB_LEAK
75048 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
75049 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
75050 #endif
75051 return 0;
75052 }
75053 module_init(slab_proc_init);
75054 #endif
75055
75056 +void check_object_size(const void *ptr, unsigned long n, bool to)
75057 +{
75058 +
75059 +#ifdef CONFIG_PAX_USERCOPY
75060 + struct page *page;
75061 + struct kmem_cache *cachep = NULL;
75062 + struct slab *slabp;
75063 + unsigned int objnr;
75064 + unsigned long offset;
75065 +
75066 + if (!n)
75067 + return;
75068 +
75069 + if (ZERO_OR_NULL_PTR(ptr))
75070 + goto report;
75071 +
75072 + if (!virt_addr_valid(ptr))
75073 + return;
75074 +
75075 + page = virt_to_head_page(ptr);
75076 +
75077 + if (!PageSlab(page)) {
75078 + if (object_is_on_stack(ptr, n) == -1)
75079 + goto report;
75080 + return;
75081 + }
75082 +
75083 + cachep = page_get_cache(page);
75084 + if (!(cachep->flags & SLAB_USERCOPY))
75085 + goto report;
75086 +
75087 + slabp = page_get_slab(page);
75088 + objnr = obj_to_index(cachep, slabp, ptr);
75089 + BUG_ON(objnr >= cachep->num);
75090 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
75091 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
75092 + return;
75093 +
75094 +report:
75095 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
75096 +#endif
75097 +
75098 +}
75099 +EXPORT_SYMBOL(check_object_size);
75100 +
75101 /**
75102 * ksize - get the actual amount of memory allocated for a given object
75103 * @objp: Pointer to the object
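Review bot: The new exported `check_object_size()` has no header comment, and its accept/report rules are not obvious to a caller: `!virt_addr_valid(ptr)` returns without a report, and any non-slab page is accepted unless `object_is_on_stack()` returns -1, so only slab objects get a real bounds check. I would add a kernel-doc block describing `@ptr`, `@n` and `@to` (presumably the copy direction; confirm against `pax_report_usercopy`) and listing which address classes are deliberately left unchecked. The slob.c and slub.c variants of this function added later in the patch have the same shape and lack the same comment.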
75104 diff -urNp linux-2.6.39.3/mm/slob.c linux-2.6.39.3/mm/slob.c
75105 --- linux-2.6.39.3/mm/slob.c 2011-05-19 00:06:34.000000000 -0400
75106 +++ linux-2.6.39.3/mm/slob.c 2011-07-06 20:00:13.000000000 -0400
75107 @@ -29,7 +29,7 @@
75108 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
75109 * alloc_pages() directly, allocating compound pages so the page order
75110 * does not have to be separately tracked, and also stores the exact
75111 - * allocation size in page->private so that it can be used to accurately
75112 + * allocation size in slob_page->size so that it can be used to accurately
75113 * provide ksize(). These objects are detected in kfree() because slob_page()
75114 * is false for them.
75115 *
75116 @@ -58,6 +58,7 @@
75117 */
75118
75119 #include <linux/kernel.h>
75120 +#include <linux/sched.h>
75121 #include <linux/slab.h>
75122 #include <linux/mm.h>
75123 #include <linux/swap.h> /* struct reclaim_state */
75124 @@ -102,7 +103,8 @@ struct slob_page {
75125 unsigned long flags; /* mandatory */
75126 atomic_t _count; /* mandatory */
75127 slobidx_t units; /* free units left in page */
75128 - unsigned long pad[2];
75129 + unsigned long pad[1];
75130 + unsigned long size; /* size when >=PAGE_SIZE */
75131 slob_t *free; /* first free slob_t in page */
75132 struct list_head list; /* linked list of free pages */
75133 };
75134 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
75135 */
75136 static inline int is_slob_page(struct slob_page *sp)
75137 {
75138 - return PageSlab((struct page *)sp);
75139 + return PageSlab((struct page *)sp) && !sp->size;
75140 }
75141
75142 static inline void set_slob_page(struct slob_page *sp)
75143 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
75144
75145 static inline struct slob_page *slob_page(const void *addr)
75146 {
75147 - return (struct slob_page *)virt_to_page(addr);
75148 + return (struct slob_page *)virt_to_head_page(addr);
75149 }
75150
75151 /*
75152 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
75153 /*
75154 * Return the size of a slob block.
75155 */
75156 -static slobidx_t slob_units(slob_t *s)
75157 +static slobidx_t slob_units(const slob_t *s)
75158 {
75159 if (s->units > 0)
75160 return s->units;
75161 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
75162 /*
75163 * Return the next free slob block pointer after this one.
75164 */
75165 -static slob_t *slob_next(slob_t *s)
75166 +static slob_t *slob_next(const slob_t *s)
75167 {
75168 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
75169 slobidx_t next;
75170 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
75171 /*
75172 * Returns true if s is the last free block in its page.
75173 */
75174 -static int slob_last(slob_t *s)
75175 +static int slob_last(const slob_t *s)
75176 {
75177 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
75178 }
75179 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
75180 if (!page)
75181 return NULL;
75182
75183 + set_slob_page(page);
75184 return page_address(page);
75185 }
75186
75187 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
75188 if (!b)
75189 return NULL;
75190 sp = slob_page(b);
75191 - set_slob_page(sp);
75192
75193 spin_lock_irqsave(&slob_lock, flags);
75194 sp->units = SLOB_UNITS(PAGE_SIZE);
75195 sp->free = b;
75196 + sp->size = 0;
75197 INIT_LIST_HEAD(&sp->list);
75198 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
75199 set_slob_page_free(sp, slob_list);
75200 @@ -476,10 +479,9 @@ out:
75201 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
75202 */
75203
75204 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75205 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
75206 {
75207 - unsigned int *m;
75208 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75209 + slob_t *m;
75210 void *ret;
75211
75212 lockdep_trace_alloc(gfp);
75213 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
75214
75215 if (!m)
75216 return NULL;
75217 - *m = size;
75218 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
75219 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
75220 + m[0].units = size;
75221 + m[1].units = align;
75222 ret = (void *)m + align;
75223
75224 trace_kmalloc_node(_RET_IP_, ret,
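Review bot: The two `BUILD_BUG_ON`s constrain only the arch constants, but `align` is now a caller-supplied parameter, and `m[1].units = align` followed by `ret = (void *)m + align` needs `align >= 2 * SLOB_UNIT` at run time for the two-slot header to sit entirely in front of the object. Other hunks in this file pass `c->align` and `ARCH_KMALLOC_MINALIGN`; whether `c->align` can be smaller than two units is not visible here. A `BUG_ON(align < 2 * SLOB_UNIT);` at the top of `__kmalloc_node_align`, or at least a comment stating the invariant, would make it checkable. The function body begins and ends outside this hunk.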
75225 @@ -504,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t
75226 gfp |= __GFP_COMP;
75227 ret = slob_new_pages(gfp, order, node);
75228 if (ret) {
75229 - struct page *page;
75230 - page = virt_to_page(ret);
75231 - page->private = size;
75232 + struct slob_page *sp;
75233 + sp = slob_page(ret);
75234 + sp->size = size;
75235 }
75236
75237 trace_kmalloc_node(_RET_IP_, ret,
75238 size, PAGE_SIZE << order, gfp, node);
75239 }
75240
75241 - kmemleak_alloc(ret, size, 1, gfp);
75242 + return ret;
75243 +}
75244 +
75245 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
75246 +{
75247 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75248 + void *ret = __kmalloc_node_align(size, gfp, node, align);
75249 +
75250 + if (!ZERO_OR_NULL_PTR(ret))
75251 + kmemleak_alloc(ret, size, 1, gfp);
75252 return ret;
75253 }
75254 EXPORT_SYMBOL(__kmalloc_node);
75255 @@ -531,13 +545,88 @@ void kfree(const void *block)
75256 sp = slob_page(block);
75257 if (is_slob_page(sp)) {
75258 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75259 - unsigned int *m = (unsigned int *)(block - align);
75260 - slob_free(m, *m + align);
75261 - } else
75262 + slob_t *m = (slob_t *)(block - align);
75263 + slob_free(m, m[0].units + align);
75264 + } else {
75265 + clear_slob_page(sp);
75266 + free_slob_page(sp);
75267 + sp->size = 0;
75268 put_page(&sp->page);
75269 + }
75270 }
75271 EXPORT_SYMBOL(kfree);
75272
75273 +void check_object_size(const void *ptr, unsigned long n, bool to)
75274 +{
75275 +
75276 +#ifdef CONFIG_PAX_USERCOPY
75277 + struct slob_page *sp;
75278 + const slob_t *free;
75279 + const void *base;
75280 + unsigned long flags;
75281 +
75282 + if (!n)
75283 + return;
75284 +
75285 + if (ZERO_OR_NULL_PTR(ptr))
75286 + goto report;
75287 +
75288 + if (!virt_addr_valid(ptr))
75289 + return;
75290 +
75291 + sp = slob_page(ptr);
75292 + if (!PageSlab((struct page*)sp)) {
75293 + if (object_is_on_stack(ptr, n) == -1)
75294 + goto report;
75295 + return;
75296 + }
75297 +
75298 + if (sp->size) {
75299 + base = page_address(&sp->page);
75300 + if (base <= ptr && n <= sp->size - (ptr - base))
75301 + return;
75302 + goto report;
75303 + }
75304 +
75305 + /* some tricky double walking to find the chunk */
75306 + spin_lock_irqsave(&slob_lock, flags);
75307 + base = (void *)((unsigned long)ptr & PAGE_MASK);
75308 + free = sp->free;
75309 +
75310 + while (!slob_last(free) && (void *)free <= ptr) {
75311 + base = free + slob_units(free);
75312 + free = slob_next(free);
75313 + }
75314 +
75315 + while (base < (void *)free) {
75316 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
75317 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
75318 + int offset;
75319 +
75320 + if (ptr < base + align)
75321 + break;
75322 +
75323 + offset = ptr - base - align;
75324 + if (offset >= m) {
75325 + base += size;
75326 + continue;
75327 + }
75328 +
75329 + if (n > m - offset)
75330 + break;
75331 +
75332 + spin_unlock_irqrestore(&slob_lock, flags);
75333 + return;
75334 + }
75335 +
75336 + spin_unlock_irqrestore(&slob_lock, flags);
75337 +report:
75338 + pax_report_usercopy(ptr, n, to, NULL);
75339 +#endif
75340 +
75341 +}
75342 +EXPORT_SYMBOL(check_object_size);
75343 +
75344 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
75345 size_t ksize(const void *block)
75346 {
75347 @@ -550,10 +639,10 @@ size_t ksize(const void *block)
75348 sp = slob_page(block);
75349 if (is_slob_page(sp)) {
75350 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
75351 - unsigned int *m = (unsigned int *)(block - align);
75352 - return SLOB_UNITS(*m) * SLOB_UNIT;
75353 + slob_t *m = (slob_t *)(block - align);
75354 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
75355 } else
75356 - return sp->page.private;
75357 + return sp->size;
75358 }
75359 EXPORT_SYMBOL(ksize);
75360
75361 @@ -569,8 +658,13 @@ struct kmem_cache *kmem_cache_create(con
75362 {
75363 struct kmem_cache *c;
75364
75365 +#ifdef CONFIG_PAX_USERCOPY
75366 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
75367 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
75368 +#else
75369 c = slob_alloc(sizeof(struct kmem_cache),
75370 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
75371 +#endif
75372
75373 if (c) {
75374 c->name = name;
75375 @@ -608,17 +702,25 @@ void *kmem_cache_alloc_node(struct kmem_
75376 {
75377 void *b;
75378
75379 +#ifdef CONFIG_PAX_USERCOPY
75380 + b = __kmalloc_node_align(c->size, flags, node, c->align);
75381 +#else
75382 if (c->size < PAGE_SIZE) {
75383 b = slob_alloc(c->size, flags, c->align, node);
75384 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75385 SLOB_UNITS(c->size) * SLOB_UNIT,
75386 flags, node);
75387 } else {
75388 + struct slob_page *sp;
75389 +
75390 b = slob_new_pages(flags, get_order(c->size), node);
75391 + sp = slob_page(b);
75392 + sp->size = c->size;
75393 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
75394 PAGE_SIZE << get_order(c->size),
75395 flags, node);
75396 }
75397 +#endif
75398
75399 if (c->ctor)
75400 c->ctor(b);
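Review bot: In the non-USERCOPY `else` branch, `sp = slob_page(b); sp->size = c->size;` runs without checking `b`, although `slob_new_pages()` returns NULL when the page allocation fails (its `if (!page) return NULL;` is visible in an earlier hunk). `__kmalloc_node_align()` guards the equivalent store with `if (ret)`; this branch should do the same, e.g. `if (b) slob_page(b)->size = c->size;`. The rest of kmem_cache_alloc_node is outside the hunk.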
75401 @@ -630,10 +732,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
75402
75403 static void __kmem_cache_free(void *b, int size)
75404 {
75405 - if (size < PAGE_SIZE)
75406 + struct slob_page *sp = slob_page(b);
75407 +
75408 + if (is_slob_page(sp))
75409 slob_free(b, size);
75410 - else
75411 + else {
75412 + clear_slob_page(sp);
75413 + free_slob_page(sp);
75414 + sp->size = 0;
75415 slob_free_pages(b, get_order(size));
75416 + }
75417 }
75418
75419 static void kmem_rcu_free(struct rcu_head *head)
75420 @@ -646,17 +754,31 @@ static void kmem_rcu_free(struct rcu_hea
75421
75422 void kmem_cache_free(struct kmem_cache *c, void *b)
75423 {
75424 + int size = c->size;
75425 +
75426 +#ifdef CONFIG_PAX_USERCOPY
75427 + if (size + c->align < PAGE_SIZE) {
75428 + size += c->align;
75429 + b -= c->align;
75430 + }
75431 +#endif
75432 +
75433 kmemleak_free_recursive(b, c->flags);
75434 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
75435 struct slob_rcu *slob_rcu;
75436 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
75437 - slob_rcu->size = c->size;
75438 + slob_rcu = b + (size - sizeof(struct slob_rcu));
75439 + slob_rcu->size = size;
75440 call_rcu(&slob_rcu->head, kmem_rcu_free);
75441 } else {
75442 - __kmem_cache_free(b, c->size);
75443 + __kmem_cache_free(b, size);
75444 }
75445
75446 +#ifdef CONFIG_PAX_USERCOPY
75447 + trace_kfree(_RET_IP_, b);
75448 +#else
75449 trace_kmem_cache_free(_RET_IP_, b);
75450 +#endif
75451 +
75452 }
75453 EXPORT_SYMBOL(kmem_cache_free);
75454
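Review bot: Under CONFIG_PAX_USERCOPY `b` is moved back by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both receive the header address rather than the pointer the caller passed in. If the allocation side registers the object pointer with kmemleak (not visible in this hunk), the free will not match it. Keeping the caller's pointer for the kmemleak and trace calls and using a separate local for the adjusted address would avoid that. A comment is also worthwhile on `size + c->align < PAGE_SIZE`, since it has to mirror the small/large split in `__kmalloc_node_align()` exactly.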
75455 diff -urNp linux-2.6.39.3/mm/slub.c linux-2.6.39.3/mm/slub.c
75456 --- linux-2.6.39.3/mm/slub.c 2011-06-03 00:04:14.000000000 -0400
75457 +++ linux-2.6.39.3/mm/slub.c 2011-06-03 00:32:08.000000000 -0400
75458 @@ -431,7 +431,7 @@ static void print_track(const char *s, s
75459 if (!t->addr)
75460 return;
75461
75462 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
75463 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
75464 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
75465 }
75466
75467 @@ -2183,6 +2183,8 @@ void kmem_cache_free(struct kmem_cache *
75468
75469 page = virt_to_head_page(x);
75470
75471 + BUG_ON(!PageSlab(page));
75472 +
75473 slab_free(s, page, x, _RET_IP_);
75474
75475 trace_kmem_cache_free(_RET_IP_, x);
75476 @@ -2216,7 +2218,7 @@ static int slub_min_objects;
75477 * Merge control. If this is set then no merging of slab caches will occur.
75478 * (Could be removed. This was introduced to pacify the merge skeptics.)
75479 */
75480 -static int slub_nomerge;
75481 +static int slub_nomerge = 1;
75482
75483 /*
75484 * Calculate the order of allocation given an slab object size.
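Review bot: The default flips to `slub_nomerge = 1`, but the comment above still describes merging as the normal case and gives no reason for the change. A line such as `/* default on: keep caches separate so per-cache flags like SLAB_USERCOPY are not shared through merging */` would record the intent, if that is indeed the reason. If the boot parameter for this variable can only set it to 1 (its handler is outside this hunk), merging can no longer be enabled at all, which should be stated as well.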
75485 @@ -2644,7 +2646,7 @@ static int kmem_cache_open(struct kmem_c
75486 * list to avoid pounding the page allocator excessively.
75487 */
75488 set_min_partial(s, ilog2(s->size));
75489 - s->refcount = 1;
75490 + atomic_set(&s->refcount, 1);
75491 #ifdef CONFIG_NUMA
75492 s->remote_node_defrag_ratio = 1000;
75493 #endif
75494 @@ -2750,8 +2752,7 @@ static inline int kmem_cache_close(struc
75495 void kmem_cache_destroy(struct kmem_cache *s)
75496 {
75497 down_write(&slub_lock);
75498 - s->refcount--;
75499 - if (!s->refcount) {
75500 + if (atomic_dec_and_test(&s->refcount)) {
75501 list_del(&s->list);
75502 if (kmem_cache_close(s)) {
75503 printk(KERN_ERR "SLUB %s: %s called for cache that "
75504 @@ -2961,6 +2962,46 @@ void *__kmalloc_node(size_t size, gfp_t
75505 EXPORT_SYMBOL(__kmalloc_node);
75506 #endif
75507
75508 +void check_object_size(const void *ptr, unsigned long n, bool to)
75509 +{
75510 +
75511 +#ifdef CONFIG_PAX_USERCOPY
75512 + struct page *page;
75513 + struct kmem_cache *s = NULL;
75514 + unsigned long offset;
75515 +
75516 + if (!n)
75517 + return;
75518 +
75519 + if (ZERO_OR_NULL_PTR(ptr))
75520 + goto report;
75521 +
75522 + if (!virt_addr_valid(ptr))
75523 + return;
75524 +
75525 + page = virt_to_head_page(ptr);
75526 +
75527 + if (!PageSlab(page)) {
75528 + if (object_is_on_stack(ptr, n) == -1)
75529 + goto report;
75530 + return;
75531 + }
75532 +
75533 + s = page->slab;
75534 + if (!(s->flags & SLAB_USERCOPY))
75535 + goto report;
75536 +
75537 + offset = (ptr - page_address(page)) % s->size;
75538 + if (offset <= s->objsize && n <= s->objsize - offset)
75539 + return;
75540 +
75541 +report:
75542 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
75543 +#endif
75544 +
75545 +}
75546 +EXPORT_SYMBOL(check_object_size);
75547 +
75548 size_t ksize(const void *object)
75549 {
75550 struct page *page;
75551 @@ -3205,7 +3246,7 @@ static void __init kmem_cache_bootstrap_
75552 int node;
75553
75554 list_add(&s->list, &slab_caches);
75555 - s->refcount = -1;
75556 + atomic_set(&s->refcount, -1);
75557
75558 for_each_node_state(node, N_NORMAL_MEMORY) {
75559 struct kmem_cache_node *n = get_node(s, node);
75560 @@ -3322,17 +3363,17 @@ void __init kmem_cache_init(void)
75561
75562 /* Caches that are not of the two-to-the-power-of size */
75563 if (KMALLOC_MIN_SIZE <= 32) {
75564 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
75565 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
75566 caches++;
75567 }
75568
75569 if (KMALLOC_MIN_SIZE <= 64) {
75570 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
75571 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
75572 caches++;
75573 }
75574
75575 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
75576 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
75577 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
75578 caches++;
75579 }
75580
75581 @@ -3400,7 +3441,7 @@ static int slab_unmergeable(struct kmem_
75582 /*
75583 * We may have set a slab to be unmergeable during bootstrap.
75584 */
75585 - if (s->refcount < 0)
75586 + if (atomic_read(&s->refcount) < 0)
75587 return 1;
75588
75589 return 0;
75590 @@ -3459,7 +3500,7 @@ struct kmem_cache *kmem_cache_create(con
75591 down_write(&slub_lock);
75592 s = find_mergeable(size, align, flags, name, ctor);
75593 if (s) {
75594 - s->refcount++;
75595 + atomic_inc(&s->refcount);
75596 /*
75597 * Adjust the object sizes so that we clear
75598 * the complete object on kzalloc.
75599 @@ -3468,7 +3509,7 @@ struct kmem_cache *kmem_cache_create(con
75600 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
75601
75602 if (sysfs_slab_alias(s, name)) {
75603 - s->refcount--;
75604 + atomic_dec(&s->refcount);
75605 goto err;
75606 }
75607 up_write(&slub_lock);
75608 @@ -4201,7 +4242,7 @@ SLAB_ATTR_RO(ctor);
75609
75610 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
75611 {
75612 - return sprintf(buf, "%d\n", s->refcount - 1);
75613 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
75614 }
75615 SLAB_ATTR_RO(aliases);
75616
75617 @@ -4945,7 +4986,13 @@ static const struct file_operations proc
75618
75619 static int __init slab_proc_init(void)
75620 {
75621 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
75622 + mode_t gr_mode = S_IRUGO;
75623 +
75624 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75625 + gr_mode = S_IRUSR;
75626 +#endif
75627 +
75628 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
75629 return 0;
75630 }
75631 module_init(slab_proc_init);
75632 diff -urNp linux-2.6.39.3/mm/swap.c linux-2.6.39.3/mm/swap.c
75633 --- linux-2.6.39.3/mm/swap.c 2011-05-19 00:06:34.000000000 -0400
75634 +++ linux-2.6.39.3/mm/swap.c 2011-07-09 09:12:54.000000000 -0400
75635 @@ -31,6 +31,7 @@
75636 #include <linux/backing-dev.h>
75637 #include <linux/memcontrol.h>
75638 #include <linux/gfp.h>
75639 +#include <linux/hugetlb.h>
75640
75641 #include "internal.h"
75642
75643 @@ -71,6 +72,8 @@ static void __put_compound_page(struct p
75644
75645 __page_cache_release(page);
75646 dtor = get_compound_page_dtor(page);
75647 + if (!PageHuge(page))
75648 + BUG_ON(dtor != free_compound_page);
75649 (*dtor)(page);
75650 }
75651
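Review bot: The destructor check is written as an unbraced `if (!PageHuge(page))` wrapping a `BUG_ON`, which reads as two separate conditions; `BUG_ON(!PageHuge(page) && dtor != free_compound_page);` says the same in one statement. A short comment that this validates the function pointer read from the page before the indirect call `(*dtor)(page)`, and why hugetlb pages are exempt, would make the purpose clear. __put_compound_page begins outside this hunk.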
75652 diff -urNp linux-2.6.39.3/mm/swapfile.c linux-2.6.39.3/mm/swapfile.c
75653 --- linux-2.6.39.3/mm/swapfile.c 2011-05-19 00:06:34.000000000 -0400
75654 +++ linux-2.6.39.3/mm/swapfile.c 2011-05-22 19:36:33.000000000 -0400
75655 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
75656
75657 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
75658 /* Activity counter to indicate that a swapon or swapoff has occurred */
75659 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
75660 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
75661
75662 static inline unsigned char swap_count(unsigned char ent)
75663 {
75664 @@ -1669,7 +1669,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
75665 }
75666 filp_close(swap_file, NULL);
75667 err = 0;
75668 - atomic_inc(&proc_poll_event);
75669 + atomic_inc_unchecked(&proc_poll_event);
75670 wake_up_interruptible(&proc_poll_wait);
75671
75672 out_dput:
75673 @@ -1690,8 +1690,8 @@ static unsigned swaps_poll(struct file *
75674
75675 poll_wait(file, &proc_poll_wait, wait);
75676
75677 - if (s->event != atomic_read(&proc_poll_event)) {
75678 - s->event = atomic_read(&proc_poll_event);
75679 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
75680 + s->event = atomic_read_unchecked(&proc_poll_event);
75681 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
75682 }
75683
75684 @@ -1797,7 +1797,7 @@ static int swaps_open(struct inode *inod
75685 }
75686
75687 s->seq.private = s;
75688 - s->event = atomic_read(&proc_poll_event);
75689 + s->event = atomic_read_unchecked(&proc_poll_event);
75690 return ret;
75691 }
75692
75693 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
75694 (p->flags & SWP_DISCARDABLE) ? "D" : "");
75695
75696 mutex_unlock(&swapon_mutex);
75697 - atomic_inc(&proc_poll_event);
75698 + atomic_inc_unchecked(&proc_poll_event);
75699 wake_up_interruptible(&proc_poll_wait);
75700
75701 if (S_ISREG(inode->i_mode))
75702 diff -urNp linux-2.6.39.3/mm/util.c linux-2.6.39.3/mm/util.c
75703 --- linux-2.6.39.3/mm/util.c 2011-05-19 00:06:34.000000000 -0400
75704 +++ linux-2.6.39.3/mm/util.c 2011-05-23 17:07:00.000000000 -0400
75705 @@ -112,6 +112,7 @@ EXPORT_SYMBOL(memdup_user);
75706 * allocated buffer. Use this if you don't want to free the buffer immediately
75707 * like, for example, with RCU.
75708 */
75709 +#undef __krealloc
75710 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
75711 {
75712 void *ret;
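Review bot: `#undef __krealloc` is inserted between the kernel-doc comment and the function it documents, with no explanation of which macro it cancels. Assuming the patch defines `__krealloc` as a wrapper macro in a header (not visible here), a comment such as `/* drop the wrapper macro so the real function can be defined */` would help, and placing the `#undef` above the doc comment keeps that comment adjacent to the definition. The `#undef krealloc` in the next hunk has the same issue.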
75713 @@ -145,6 +146,7 @@ EXPORT_SYMBOL(__krealloc);
75714 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
75715 * %NULL pointer, the object pointed to is freed.
75716 */
75717 +#undef krealloc
75718 void *krealloc(const void *p, size_t new_size, gfp_t flags)
75719 {
75720 void *ret;
75721 @@ -219,6 +221,12 @@ EXPORT_SYMBOL(strndup_user);
75722 void arch_pick_mmap_layout(struct mm_struct *mm)
75723 {
75724 mm->mmap_base = TASK_UNMAPPED_BASE;
75725 +
75726 +#ifdef CONFIG_PAX_RANDMMAP
75727 + if (mm->pax_flags & MF_PAX_RANDMMAP)
75728 + mm->mmap_base += mm->delta_mmap;
75729 +#endif
75730 +
75731 mm->get_unmapped_area = arch_get_unmapped_area;
75732 mm->unmap_area = arch_unmap_area;
75733 }
75734 diff -urNp linux-2.6.39.3/mm/vmalloc.c linux-2.6.39.3/mm/vmalloc.c
75735 --- linux-2.6.39.3/mm/vmalloc.c 2011-05-19 00:06:34.000000000 -0400
75736 +++ linux-2.6.39.3/mm/vmalloc.c 2011-05-22 19:36:33.000000000 -0400
75737 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
75738
75739 pte = pte_offset_kernel(pmd, addr);
75740 do {
75741 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75742 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75743 +
75744 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75745 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
75746 + BUG_ON(!pte_exec(*pte));
75747 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
75748 + continue;
75749 + }
75750 +#endif
75751 +
75752 + {
75753 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
75754 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
75755 + }
75756 } while (pte++, addr += PAGE_SIZE, addr != end);
75757 }
75758
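Review bot: The KERNEXEC branch in vunmap_pte_range rewrites the PTE to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` instead of clearing it, and nothing explains why an unmap restores a mapping. A comment above the `if` should state that addresses in `MODULES_EXEC_VADDR..MODULES_EXEC_END` are presumably returned to their original executable mapping rather than left empty; please confirm against the KERNEXEC design. It is also worth noting in that comment that `continue` inside this `do … while` still runs the `pte++, addr += PAGE_SIZE` step, since that is easy to misread.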
75759 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
75760 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
75761 {
75762 pte_t *pte;
75763 + int ret = -ENOMEM;
75764
75765 /*
75766 * nr is a running index into the array which helps higher level
75767 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
75768 pte = pte_alloc_kernel(pmd, addr);
75769 if (!pte)
75770 return -ENOMEM;
75771 +
75772 + pax_open_kernel();
75773 do {
75774 struct page *page = pages[*nr];
75775
75776 - if (WARN_ON(!pte_none(*pte)))
75777 - return -EBUSY;
75778 - if (WARN_ON(!page))
75779 - return -ENOMEM;
75780 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75781 + if (pgprot_val(prot) & _PAGE_NX)
75782 +#endif
75783 +
75784 + if (WARN_ON(!pte_none(*pte))) {
75785 + ret = -EBUSY;
75786 + goto out;
75787 + }
75788 + if (WARN_ON(!page)) {
75789 + ret = -ENOMEM;
75790 + goto out;
75791 + }
75792 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
75793 (*nr)++;
75794 } while (pte++, addr += PAGE_SIZE, addr != end);
75795 - return 0;
75796 + ret = 0;
75797 +out:
75798 + pax_close_kernel();
75799 + return ret;
75800 }
75801
75802 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
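Review bot: The preprocessor-guarded `if (pgprot_val(prot) & _PAGE_NX)` has no braces and is separated by a blank line from the `if (WARN_ON(!pte_none(*pte)))` it controls, so whether the busy check runs depends on configuration in a way that is easy to break when a statement is added between them. Only the `-EBUSY` check is covered and the `!page` check always runs, which is not apparent from the layout. Making the condition an explicit local keeps a single code shape for both configurations. The same unbraced `#ifdef … if (…) #endif` pattern appears in the vmalloc_to_page hunk below (`pud_large`, `pmd_large`).
```c
		struct page *page = pages[*nr];
		bool check_busy = true;

#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
		/* NOTE(review): executable mappings skip the busy check; confirm why */
		check_busy = !!(pgprot_val(prot) & _PAGE_NX);
#endif

		if (check_busy && WARN_ON(!pte_none(*pte))) {
			ret = -EBUSY;
			goto out;
		}
		/* … unchanged: !page check, set_pte_at(), (*nr)++ … */
```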
75803 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
75804 * and fall back on vmalloc() if that fails. Others
75805 * just put it in the vmalloc space.
75806 */
75807 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
75808 +#ifdef CONFIG_MODULES
75809 +#ifdef MODULES_VADDR
75810 unsigned long addr = (unsigned long)x;
75811 if (addr >= MODULES_VADDR && addr < MODULES_END)
75812 return 1;
75813 #endif
75814 +
75815 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
75816 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
75817 + return 1;
75818 +#endif
75819 +
75820 +#endif
75821 +
75822 return is_vmalloc_addr(x);
75823 }
75824
75825 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
75826
75827 if (!pgd_none(*pgd)) {
75828 pud_t *pud = pud_offset(pgd, addr);
75829 +#ifdef CONFIG_X86
75830 + if (!pud_large(*pud))
75831 +#endif
75832 if (!pud_none(*pud)) {
75833 pmd_t *pmd = pmd_offset(pud, addr);
75834 +#ifdef CONFIG_X86
75835 + if (!pmd_large(*pmd))
75836 +#endif
75837 if (!pmd_none(*pmd)) {
75838 pte_t *ptep, pte;
75839
75840 @@ -1296,6 +1336,16 @@ static struct vm_struct *__get_vm_area_n
75841 struct vm_struct *area;
75842
75843 BUG_ON(in_interrupt());
75844 +
75845 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75846 + if (flags & VM_KERNEXEC) {
75847 + if (start != VMALLOC_START || end != VMALLOC_END)
75848 + return NULL;
75849 + start = (unsigned long)MODULES_EXEC_VADDR;
75850 + end = (unsigned long)MODULES_EXEC_END;
75851 + }
75852 +#endif
75853 +
75854 if (flags & VM_IOREMAP) {
75855 int bit = fls(size);
75856
75857 @@ -1514,6 +1564,11 @@ void *vmap(struct page **pages, unsigned
75858 if (count > totalram_pages)
75859 return NULL;
75860
75861 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75862 + if (!(pgprot_val(prot) & _PAGE_NX))
75863 + flags |= VM_KERNEXEC;
75864 +#endif
75865 +
75866 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
75867 __builtin_return_address(0));
75868 if (!area)
75869 @@ -1610,6 +1665,13 @@ void *__vmalloc_node_range(unsigned long
75870 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
75871 return NULL;
75872
75873 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75874 + if (!(pgprot_val(prot) & _PAGE_NX))
75875 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
75876 + node, gfp_mask, caller);
75877 + else
75878 +#endif
75879 +
75880 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
75881 gfp_mask, caller);
75882
75883 @@ -1649,6 +1711,7 @@ static void *__vmalloc_node(unsigned lon
75884 gfp_mask, prot, node, caller);
75885 }
75886
75887 +#undef __vmalloc
75888 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
75889 {
75890 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
75891 @@ -1672,6 +1735,7 @@ static inline void *__vmalloc_node_flags
75892 * For tight control over page level allocator and protection flags
75893 * use __vmalloc() instead.
75894 */
75895 +#undef vmalloc
75896 void *vmalloc(unsigned long size)
75897 {
75898 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
75899 @@ -1688,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc);
75900 * For tight control over page level allocator and protection flags
75901 * use __vmalloc() instead.
75902 */
75903 +#undef vzalloc
75904 void *vzalloc(unsigned long size)
75905 {
75906 return __vmalloc_node_flags(size, -1,
75907 @@ -1702,6 +1767,7 @@ EXPORT_SYMBOL(vzalloc);
75908 * The resulting memory area is zeroed so it can be mapped to userspace
75909 * without leaking data.
75910 */
75911 +#undef vmalloc_user
75912 void *vmalloc_user(unsigned long size)
75913 {
75914 struct vm_struct *area;
75915 @@ -1729,6 +1795,7 @@ EXPORT_SYMBOL(vmalloc_user);
75916 * For tight control over page level allocator and protection flags
75917 * use __vmalloc() instead.
75918 */
75919 +#undef vmalloc_node
75920 void *vmalloc_node(unsigned long size, int node)
75921 {
75922 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
75923 @@ -1748,6 +1815,7 @@ EXPORT_SYMBOL(vmalloc_node);
75924 * For tight control over page level allocator and protection flags
75925 * use __vmalloc_node() instead.
75926 */
75927 +#undef vzalloc_node
75928 void *vzalloc_node(unsigned long size, int node)
75929 {
75930 return __vmalloc_node_flags(size, node,
75931 @@ -1770,10 +1838,10 @@ EXPORT_SYMBOL(vzalloc_node);
75932 * For tight control over page level allocator and protection flags
75933 * use __vmalloc() instead.
75934 */
75935 -
75936 +#undef vmalloc_exec
75937 void *vmalloc_exec(unsigned long size)
75938 {
75939 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
75940 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
75941 -1, __builtin_return_address(0));
75942 }
75943
75944 @@ -1792,6 +1860,7 @@ void *vmalloc_exec(unsigned long size)
75945 * Allocate enough 32bit PA addressable pages to cover @size from the
75946 * page level allocator and map them into contiguous kernel virtual space.
75947 */
75948 +#undef vmalloc_32
75949 void *vmalloc_32(unsigned long size)
75950 {
75951 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
75952 @@ -1806,6 +1875,7 @@ EXPORT_SYMBOL(vmalloc_32);
75953 * The resulting memory area is 32bit addressable and zeroed so it can be
75954 * mapped to userspace without leaking data.
75955 */
75956 +#undef vmalloc_32_user
75957 void *vmalloc_32_user(unsigned long size)
75958 {
75959 struct vm_struct *area;
75960 @@ -2068,6 +2138,8 @@ int remap_vmalloc_range(struct vm_area_s
75961 unsigned long uaddr = vma->vm_start;
75962 unsigned long usize = vma->vm_end - vma->vm_start;
75963
75964 + BUG_ON(vma->vm_mirror);
75965 +
75966 if ((PAGE_SIZE-1) & (unsigned long)addr)
75967 return -EINVAL;
75968
75969 diff -urNp linux-2.6.39.3/mm/vmstat.c linux-2.6.39.3/mm/vmstat.c
75970 --- linux-2.6.39.3/mm/vmstat.c 2011-05-19 00:06:34.000000000 -0400
75971 +++ linux-2.6.39.3/mm/vmstat.c 2011-05-22 19:41:42.000000000 -0400
75972 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
75973 *
75974 * vm_stat contains the global counters
75975 */
75976 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75977 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75978 EXPORT_SYMBOL(vm_stat);
75979
75980 #ifdef CONFIG_SMP
75981 @@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
75982 v = p->vm_stat_diff[i];
75983 p->vm_stat_diff[i] = 0;
75984 local_irq_restore(flags);
75985 - atomic_long_add(v, &zone->vm_stat[i]);
75986 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
75987 global_diff[i] += v;
75988 #ifdef CONFIG_NUMA
75989 /* 3 seconds idle till flush */
75990 @@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
75991
75992 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
75993 if (global_diff[i])
75994 - atomic_long_add(global_diff[i], &vm_stat[i]);
75995 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
75996 }
75997
75998 #endif
75999 @@ -1205,10 +1205,20 @@ static int __init setup_vmstat(void)
76000 start_cpu_timer(cpu);
76001 #endif
76002 #ifdef CONFIG_PROC_FS
76003 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
76004 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
76005 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
76006 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
76007 + {
76008 + mode_t gr_mode = S_IRUGO;
76009 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
76010 + gr_mode = S_IRUSR;
76011 +#endif
76012 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
76013 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
76014 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
76015 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
76016 +#else
76017 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
76018 +#endif
76019 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
76020 + }
76021 #endif
76022 return 0;
76023 }
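Review bot: Only the `vmstat` entry gains `S_IRGRP` under `CONFIG_GRKERNSEC_PROC_USERGROUP`, while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay at `gr_mode`, and nothing in the hunk explains the difference. The group bit is useful only if the entry's group is the configured proc group, and these `proc_create()` calls pass no ownership, so it should be confirmed that the group is applied elsewhere. A comment above the block would record the policy, e.g. `/* allocator state is root-only under PROC_ADD; vmstat stays readable by the proc group */`. When `CONFIG_GRKERNSEC_PROC_ADD` is off, `gr_mode` is already `S_IRUGO`, so `| S_IRGRP` has no effect there.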
76024 diff -urNp linux-2.6.39.3/net/8021q/vlan.c linux-2.6.39.3/net/8021q/vlan.c
76025 --- linux-2.6.39.3/net/8021q/vlan.c 2011-05-19 00:06:34.000000000 -0400
76026 +++ linux-2.6.39.3/net/8021q/vlan.c 2011-05-22 19:36:33.000000000 -0400
76027 @@ -592,8 +592,7 @@ static int vlan_ioctl_handler(struct net
76028 err = -EPERM;
76029 if (!capable(CAP_NET_ADMIN))
76030 break;
76031 - if ((args.u.name_type >= 0) &&
76032 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
76033 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
76034 struct vlan_net *vn;
76035
76036 vn = net_generic(net, vlan_net_id);
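Review bot: With `args.u.name_type >= 0` removed, `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` is the only bound on an ioctl-supplied value, and that is sufficient only while the field is unsigned. Its declaration is outside this hunk; if it is unsigned the removed test was always true and the change is safe, but nothing here records that dependency. I would add `/* name_type is unsigned: the upper bound is the only check needed */` above the condition, so a later type change does not quietly let negative values through. The body of vlan_ioctl_handler continues outside the hunk.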
76037 diff -urNp linux-2.6.39.3/net/atm/atm_misc.c linux-2.6.39.3/net/atm/atm_misc.c
76038 --- linux-2.6.39.3/net/atm/atm_misc.c 2011-05-19 00:06:34.000000000 -0400
76039 +++ linux-2.6.39.3/net/atm/atm_misc.c 2011-05-22 19:36:33.000000000 -0400
76040 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
76041 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
76042 return 1;
76043 atm_return(vcc, truesize);
76044 - atomic_inc(&vcc->stats->rx_drop);
76045 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76046 return 0;
76047 }
76048 EXPORT_SYMBOL(atm_charge);
76049 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
76050 }
76051 }
76052 atm_return(vcc, guess);
76053 - atomic_inc(&vcc->stats->rx_drop);
76054 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76055 return NULL;
76056 }
76057 EXPORT_SYMBOL(atm_alloc_charge);
76058 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
76059
76060 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
76061 {
76062 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
76063 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
76064 __SONET_ITEMS
76065 #undef __HANDLE_ITEM
76066 }
76067 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
76068
76069 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
76070 {
76071 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76072 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
76073 __SONET_ITEMS
76074 #undef __HANDLE_ITEM
76075 }
76076 diff -urNp linux-2.6.39.3/net/atm/mpoa_caches.c linux-2.6.39.3/net/atm/mpoa_caches.c
76077 --- linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-19 00:06:34.000000000 -0400
76078 +++ linux-2.6.39.3/net/atm/mpoa_caches.c 2011-05-22 19:36:33.000000000 -0400
76079 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
76080 struct timeval now;
76081 struct k_message msg;
76082
76083 + pax_track_stack();
76084 +
76085 do_gettimeofday(&now);
76086
76087 read_lock_bh(&client->ingress_lock);
76088 diff -urNp linux-2.6.39.3/net/atm/proc.c linux-2.6.39.3/net/atm/proc.c
76089 --- linux-2.6.39.3/net/atm/proc.c 2011-05-19 00:06:34.000000000 -0400
76090 +++ linux-2.6.39.3/net/atm/proc.c 2011-05-22 19:41:42.000000000 -0400
76091 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
76092 const struct k_atm_aal_stats *stats)
76093 {
76094 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
76095 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
76096 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
76097 - atomic_read(&stats->rx_drop));
76098 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
76099 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
76100 + atomic_read_unchecked(&stats->rx_drop));
76101 }
76102
76103 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
76104 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
76105 {
76106 struct sock *sk = sk_atm(vcc);
76107
76108 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76109 + seq_printf(seq, "%p ", NULL);
76110 +#else
76111 seq_printf(seq, "%p ", vcc);
76112 +#endif
76113 +
76114 if (!vcc->dev)
76115 seq_printf(seq, "Unassigned ");
76116 else
76117 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
76118 {
76119 if (!vcc->dev)
76120 seq_printf(seq, sizeof(void *) == 4 ?
76121 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76122 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
76123 +#else
76124 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
76125 +#endif
76126 else
76127 seq_printf(seq, "%3d %3d %5d ",
76128 vcc->dev->number, vcc->vpi, vcc->vci);
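Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` in svc_info is placed inside the argument list of a single `seq_printf()` call, so the format strings are duplicated and the statement only parses after preprocessing. Directives inside a call's arguments become undefined behaviour if `seq_printf` is ever a function-like macro. Selecting the pointer once before the call keeps one format string and one call: declare `const void *shown = vcc;`, set `shown = NULL;` under the `#ifdef`, and pass `shown`. The vcc_info hunk above wraps whole statements and does not have this problem.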
76129 diff -urNp linux-2.6.39.3/net/atm/resources.c linux-2.6.39.3/net/atm/resources.c
76130 --- linux-2.6.39.3/net/atm/resources.c 2011-05-19 00:06:34.000000000 -0400
76131 +++ linux-2.6.39.3/net/atm/resources.c 2011-05-22 19:36:33.000000000 -0400
76132 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
76133 static void copy_aal_stats(struct k_atm_aal_stats *from,
76134 struct atm_aal_stats *to)
76135 {
76136 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
76137 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
76138 __AAL_STAT_ITEMS
76139 #undef __HANDLE_ITEM
76140 }
76141 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
76142 static void subtract_aal_stats(struct k_atm_aal_stats *from,
76143 struct atm_aal_stats *to)
76144 {
76145 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
76146 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
76147 __AAL_STAT_ITEMS
76148 #undef __HANDLE_ITEM
76149 }
76150 diff -urNp linux-2.6.39.3/net/batman-adv/hard-interface.c linux-2.6.39.3/net/batman-adv/hard-interface.c
76151 --- linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-19 00:06:34.000000000 -0400
76152 +++ linux-2.6.39.3/net/batman-adv/hard-interface.c 2011-05-22 19:36:33.000000000 -0400
76153 @@ -339,8 +339,8 @@ int hardif_enable_interface(struct hard_
76154 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
76155 dev_add_pack(&hard_iface->batman_adv_ptype);
76156
76157 - atomic_set(&hard_iface->seqno, 1);
76158 - atomic_set(&hard_iface->frag_seqno, 1);
76159 + atomic_set_unchecked(&hard_iface->seqno, 1);
76160 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
76161 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
76162 hard_iface->net_dev->name);
76163
76164 diff -urNp linux-2.6.39.3/net/batman-adv/routing.c linux-2.6.39.3/net/batman-adv/routing.c
76165 --- linux-2.6.39.3/net/batman-adv/routing.c 2011-05-19 00:06:34.000000000 -0400
76166 +++ linux-2.6.39.3/net/batman-adv/routing.c 2011-05-22 19:36:33.000000000 -0400
76167 @@ -625,7 +625,7 @@ void receive_bat_packet(struct ethhdr *e
76168 return;
76169
76170 /* could be changed by schedule_own_packet() */
76171 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
76172 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
76173
76174 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
76175
76176 diff -urNp linux-2.6.39.3/net/batman-adv/send.c linux-2.6.39.3/net/batman-adv/send.c
76177 --- linux-2.6.39.3/net/batman-adv/send.c 2011-05-19 00:06:34.000000000 -0400
76178 +++ linux-2.6.39.3/net/batman-adv/send.c 2011-05-22 19:36:33.000000000 -0400
76179 @@ -277,7 +277,7 @@ void schedule_own_packet(struct hard_ifa
76180
76181 /* change sequence number to network order */
76182 batman_packet->seqno =
76183 - htonl((uint32_t)atomic_read(&hard_iface->seqno));
76184 + htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
76185
76186 if (vis_server == VIS_TYPE_SERVER_SYNC)
76187 batman_packet->flags |= VIS_SERVER;
76188 @@ -291,7 +291,7 @@ void schedule_own_packet(struct hard_ifa
76189 else
76190 batman_packet->gw_flags = 0;
76191
76192 - atomic_inc(&hard_iface->seqno);
76193 + atomic_inc_unchecked(&hard_iface->seqno);
76194
76195 slide_own_bcast_window(hard_iface);
76196 send_time = own_send_time(bat_priv);
76197 diff -urNp linux-2.6.39.3/net/batman-adv/soft-interface.c linux-2.6.39.3/net/batman-adv/soft-interface.c
76198 --- linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-19 00:06:34.000000000 -0400
76199 +++ linux-2.6.39.3/net/batman-adv/soft-interface.c 2011-05-22 19:36:33.000000000 -0400
76200 @@ -386,7 +386,7 @@ int interface_tx(struct sk_buff *skb, st
76201
76202 /* set broadcast sequence number */
76203 bcast_packet->seqno =
76204 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
76205 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
76206
76207 add_bcast_packet_to_list(bat_priv, skb);
76208
76209 @@ -579,7 +579,7 @@ struct net_device *softif_create(char *n
76210 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
76211
76212 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
76213 - atomic_set(&bat_priv->bcast_seqno, 1);
76214 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
76215 atomic_set(&bat_priv->hna_local_changed, 0);
76216
76217 bat_priv->primary_if = NULL;
76218 diff -urNp linux-2.6.39.3/net/batman-adv/types.h linux-2.6.39.3/net/batman-adv/types.h
76219 --- linux-2.6.39.3/net/batman-adv/types.h 2011-05-19 00:06:34.000000000 -0400
76220 +++ linux-2.6.39.3/net/batman-adv/types.h 2011-05-22 19:36:33.000000000 -0400
76221 @@ -38,8 +38,8 @@ struct hard_iface {
76222 int16_t if_num;
76223 char if_status;
76224 struct net_device *net_dev;
76225 - atomic_t seqno;
76226 - atomic_t frag_seqno;
76227 + atomic_unchecked_t seqno;
76228 + atomic_unchecked_t frag_seqno;
76229 unsigned char *packet_buff;
76230 int packet_len;
76231 struct kobject *hardif_obj;
76232 @@ -141,7 +141,7 @@ struct bat_priv {
76233 atomic_t orig_interval; /* uint */
76234 atomic_t hop_penalty; /* uint */
76235 atomic_t log_level; /* uint */
76236 - atomic_t bcast_seqno;
76237 + atomic_unchecked_t bcast_seqno;
76238 atomic_t bcast_queue_left;
76239 atomic_t batman_queue_left;
76240 char num_ifaces;
76241 diff -urNp linux-2.6.39.3/net/batman-adv/unicast.c linux-2.6.39.3/net/batman-adv/unicast.c
76242 --- linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-19 00:06:34.000000000 -0400
76243 +++ linux-2.6.39.3/net/batman-adv/unicast.c 2011-05-22 19:36:33.000000000 -0400
76244 @@ -263,7 +263,7 @@ int frag_send_skb(struct sk_buff *skb, s
76245 frag1->flags = UNI_FRAG_HEAD | large_tail;
76246 frag2->flags = large_tail;
76247
76248 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
76249 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
76250 frag1->seqno = htons(seqno - 1);
76251 frag2->seqno = htons(seqno);
76252
76253 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_core.c linux-2.6.39.3/net/bluetooth/l2cap_core.c
76254 --- linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-05-19 00:06:34.000000000 -0400
76255 +++ linux-2.6.39.3/net/bluetooth/l2cap_core.c 2011-06-25 14:32:21.000000000 -0400
76256 @@ -2202,7 +2202,7 @@ static inline int l2cap_config_req(struc
76257
76258 /* Reject if config buffer is too small. */
76259 len = cmd_len - sizeof(*req);
76260 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76261 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
76262 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
76263 l2cap_build_conf_rsp(sk, rsp,
76264 L2CAP_CONF_REJECT, flags), rsp);
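Review bot: The new `len < 0` test only works because `cmd_len - sizeof(*req)` wraps in an unsigned type and is then converted back into a signed `len`, which is implementation-defined and hard to see from the condition. The declarations of `cmd_len` and `len` are outside the hunk, so this is inferred from the subtraction shown. Rejecting a short command before the subtraction states the intent directly: test `cmd_len < sizeof(*req)` ahead of `len = cmd_len - sizeof(*req);` and take the same reject path. A comment such as `/* a command shorter than the request header would make len negative and defeat the size check below */` would record why the guard exists.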
76265 diff -urNp linux-2.6.39.3/net/bluetooth/l2cap_sock.c linux-2.6.39.3/net/bluetooth/l2cap_sock.c
76266 --- linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-05-19 00:06:34.000000000 -0400
76267 +++ linux-2.6.39.3/net/bluetooth/l2cap_sock.c 2011-06-12 06:36:08.000000000 -0400
76268 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str
76269 break;
76270 }
76271
76272 + memset(&cinfo, 0, sizeof(cinfo));
76273 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
76274 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
76275
76276 diff -urNp linux-2.6.39.3/net/bluetooth/rfcomm/sock.c linux-2.6.39.3/net/bluetooth/rfcomm/sock.c
76277 --- linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-05-19 00:06:34.000000000 -0400
76278 +++ linux-2.6.39.3/net/bluetooth/rfcomm/sock.c 2011-06-12 06:36:42.000000000 -0400
76279 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st
76280
76281 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
76282
76283 + memset(&cinfo, 0, sizeof(cinfo));
76284 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
76285 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
76286
76287 diff -urNp linux-2.6.39.3/net/bridge/br_multicast.c linux-2.6.39.3/net/bridge/br_multicast.c
76288 --- linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-19 00:06:34.000000000 -0400
76289 +++ linux-2.6.39.3/net/bridge/br_multicast.c 2011-05-22 19:36:33.000000000 -0400
76290 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
76291 nexthdr = ip6h->nexthdr;
76292 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
76293
76294 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
76295 + if (nexthdr != IPPROTO_ICMPV6)
76296 return 0;
76297
76298 /* Okay, we found ICMPv6 header */
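Review bot: Removing `offset < 0` drops the only test of the `ipv6_skip_exthdr()` failure return in this hunk, so a packet whose extension-header chain cannot be walked is rejected only if `nexthdr` also differs from `IPPROTO_ICMPV6`. `ipv6_skip_exthdr()` reports failure with a negative return value. The declaration of `offset` is outside the hunk; if it is unsigned, the old comparison was dead code and the safer change is to declare it `int offset;` and keep `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)` rather than delete the check. The function continues outside the hunk, so later uses of `offset` as a packet offset should be reviewed with this in mind.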
76299 diff -urNp linux-2.6.39.3/net/bridge/netfilter/ebtables.c linux-2.6.39.3/net/bridge/netfilter/ebtables.c
76300 --- linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-19 00:06:34.000000000 -0400
76301 +++ linux-2.6.39.3/net/bridge/netfilter/ebtables.c 2011-05-22 19:36:33.000000000 -0400
76302 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
76303 tmp.valid_hooks = t->table->valid_hooks;
76304 }
76305 mutex_unlock(&ebt_mutex);
76306 - if (copy_to_user(user, &tmp, *len) != 0){
76307 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
76308 BUGPRINT("c2u Didn't work\n");
76309 ret = -EFAULT;
76310 break;
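Review bot: The added `*len > sizeof(tmp)` bound is folded into the `copy_to_user()` failure branch, so an oversized user-supplied length is reported as `-EFAULT` with the message "c2u Didn't work", the same as a genuine fault on the user pointer. Testing the length on its own and setting `ret = -EINVAL;` would keep the two cases distinguishable for callers and in logs. If `len` points to a signed int (declared outside the hunk), the comparison also rejects negative lengths through conversion to `size_t`. A short comment, `/* never copy more than the on-stack struct; negative *len is rejected by the unsigned compare */`, would make that explicit.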
76311 @@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
76312 int ret;
76313 void __user *pos;
76314
76315 + pax_track_stack();
76316 +
76317 memset(&tinfo, 0, sizeof(tinfo));
76318
76319 if (cmd == EBT_SO_GET_ENTRIES) {
76320 diff -urNp linux-2.6.39.3/net/caif/caif_socket.c linux-2.6.39.3/net/caif/caif_socket.c
76321 --- linux-2.6.39.3/net/caif/caif_socket.c 2011-05-19 00:06:34.000000000 -0400
76322 +++ linux-2.6.39.3/net/caif/caif_socket.c 2011-05-22 19:36:33.000000000 -0400
76323 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
76324 #ifdef CONFIG_DEBUG_FS
76325 struct debug_fs_counter {
76326 atomic_t caif_nr_socks;
76327 - atomic_t num_connect_req;
76328 - atomic_t num_connect_resp;
76329 - atomic_t num_connect_fail_resp;
76330 - atomic_t num_disconnect;
76331 - atomic_t num_remote_shutdown_ind;
76332 - atomic_t num_tx_flow_off_ind;
76333 - atomic_t num_tx_flow_on_ind;
76334 - atomic_t num_rx_flow_off;
76335 - atomic_t num_rx_flow_on;
76336 + atomic_unchecked_t num_connect_req;
76337 + atomic_unchecked_t num_connect_resp;
76338 + atomic_unchecked_t num_connect_fail_resp;
76339 + atomic_unchecked_t num_disconnect;
76340 + atomic_unchecked_t num_remote_shutdown_ind;
76341 + atomic_unchecked_t num_tx_flow_off_ind;
76342 + atomic_unchecked_t num_tx_flow_on_ind;
76343 + atomic_unchecked_t num_rx_flow_off;
76344 + atomic_unchecked_t num_rx_flow_on;
76345 };
76346 static struct debug_fs_counter cnt;
76347 #define dbfs_atomic_inc(v) atomic_inc(v)
76348 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
76349 #define dbfs_atomic_dec(v) atomic_dec(v)
76350 #else
76351 #define dbfs_atomic_inc(v)
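Review bot: `dbfs_atomic_inc_unchecked()` is defined only in the `CONFIG_DEBUG_FS` branch; the `#else` branch shown at the end of this hunk gets no matching no-op. The later hunks in this file call the new macro unconditionally, and their line offsets (+1) indicate nothing else was added in between, so a build without `CONFIG_DEBUG_FS` would hit an undeclared identifier. The `#else` branch should gain `#define dbfs_atomic_inc_unchecked(v)` next to the existing empty `dbfs_atomic_inc(v)`. The rest of the `#else` block lies outside the hunk.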
76352 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
76353 atomic_read(&cf_sk->sk.sk_rmem_alloc),
76354 sk_rcvbuf_lowwater(cf_sk));
76355 set_rx_flow_off(cf_sk);
76356 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76357 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76358 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76359 }
76360
76361 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
76362 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
76363 set_rx_flow_off(cf_sk);
76364 pr_debug("sending flow OFF due to rmem_schedule\n");
76365 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
76366 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
76367 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
76368 }
76369 skb->dev = NULL;
76370 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
76371 switch (flow) {
76372 case CAIF_CTRLCMD_FLOW_ON_IND:
76373 /* OK from modem to start sending again */
76374 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
76375 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
76376 set_tx_flow_on(cf_sk);
76377 cf_sk->sk.sk_state_change(&cf_sk->sk);
76378 break;
76379
76380 case CAIF_CTRLCMD_FLOW_OFF_IND:
76381 /* Modem asks us to shut up */
76382 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
76383 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
76384 set_tx_flow_off(cf_sk);
76385 cf_sk->sk.sk_state_change(&cf_sk->sk);
76386 break;
76387
76388 case CAIF_CTRLCMD_INIT_RSP:
76389 /* We're now connected */
76390 - dbfs_atomic_inc(&cnt.num_connect_resp);
76391 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
76392 cf_sk->sk.sk_state = CAIF_CONNECTED;
76393 set_tx_flow_on(cf_sk);
76394 cf_sk->sk.sk_state_change(&cf_sk->sk);
76395 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
76396
76397 case CAIF_CTRLCMD_INIT_FAIL_RSP:
76398 /* Connect request failed */
76399 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
76400 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
76401 cf_sk->sk.sk_err = ECONNREFUSED;
76402 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
76403 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76404 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
76405
76406 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
76407 /* Modem has closed this connection, or device is down. */
76408 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
76409 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
76410 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
76411 cf_sk->sk.sk_err = ECONNRESET;
76412 set_rx_flow_on(cf_sk);
76413 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
76414 return;
76415
76416 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
76417 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
76418 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
76419 set_rx_flow_on(cf_sk);
76420 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
76421 }
76422 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
76423 /*ifindex = id of the interface.*/
76424 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
76425
76426 - dbfs_atomic_inc(&cnt.num_connect_req);
76427 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
76428 cf_sk->layer.receive = caif_sktrecv_cb;
76429 err = caif_connect_client(&cf_sk->conn_req,
76430 &cf_sk->layer, &ifindex, &headroom, &tailroom);
76431 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
76432 spin_unlock(&sk->sk_receive_queue.lock);
76433 sock->sk = NULL;
76434
76435 - dbfs_atomic_inc(&cnt.num_disconnect);
76436 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
76437
76438 if (cf_sk->debugfs_socket_dir != NULL)
76439 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
76440 diff -urNp linux-2.6.39.3/net/caif/cfctrl.c linux-2.6.39.3/net/caif/cfctrl.c
76441 --- linux-2.6.39.3/net/caif/cfctrl.c 2011-05-19 00:06:34.000000000 -0400
76442 +++ linux-2.6.39.3/net/caif/cfctrl.c 2011-05-22 19:36:33.000000000 -0400
76443 @@ -9,6 +9,7 @@
76444 #include <linux/stddef.h>
76445 #include <linux/spinlock.h>
76446 #include <linux/slab.h>
76447 +#include <linux/sched.h>
76448 #include <net/caif/caif_layer.h>
76449 #include <net/caif/cfpkt.h>
76450 #include <net/caif/cfctrl.h>
76451 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
76452 dev_info.id = 0xff;
76453 memset(this, 0, sizeof(*this));
76454 cfsrvl_init(&this->serv, 0, &dev_info, false);
76455 - atomic_set(&this->req_seq_no, 1);
76456 - atomic_set(&this->rsp_seq_no, 1);
76457 + atomic_set_unchecked(&this->req_seq_no, 1);
76458 + atomic_set_unchecked(&this->rsp_seq_no, 1);
76459 this->serv.layer.receive = cfctrl_recv;
76460 sprintf(this->serv.layer.name, "ctrl");
76461 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
76462 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
76463 struct cfctrl_request_info *req)
76464 {
76465 spin_lock(&ctrl->info_list_lock);
76466 - atomic_inc(&ctrl->req_seq_no);
76467 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
76468 + atomic_inc_unchecked(&ctrl->req_seq_no);
76469 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
76470 list_add_tail(&req->list, &ctrl->list);
76471 spin_unlock(&ctrl->info_list_lock);
76472 }
76473 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
76474 if (p != first)
76475 pr_warn("Requests are not received in order\n");
76476
76477 - atomic_set(&ctrl->rsp_seq_no,
76478 + atomic_set_unchecked(&ctrl->rsp_seq_no,
76479 p->sequence_no);
76480 list_del(&p->list);
76481 goto out;
76482 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
76483 struct cfctrl *cfctrl = container_obj(layer);
76484 struct cfctrl_request_info rsp, *req;
76485
76486 + pax_track_stack();
76487
76488 cfpkt_extr_head(pkt, &cmdrsp, 1);
76489 cmd = cmdrsp & CFCTRL_CMD_MASK;
76490 diff -urNp linux-2.6.39.3/net/can/bcm.c linux-2.6.39.3/net/can/bcm.c
76491 --- linux-2.6.39.3/net/can/bcm.c 2011-05-19 00:06:34.000000000 -0400
76492 +++ linux-2.6.39.3/net/can/bcm.c 2011-05-22 19:41:42.000000000 -0400
76493 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
76494 struct bcm_sock *bo = bcm_sk(sk);
76495 struct bcm_op *op;
76496
76497 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76498 + seq_printf(m, ">>> socket %p", NULL);
76499 + seq_printf(m, " / sk %p", NULL);
76500 + seq_printf(m, " / bo %p", NULL);
76501 +#else
76502 seq_printf(m, ">>> socket %p", sk->sk_socket);
76503 seq_printf(m, " / sk %p", sk);
76504 seq_printf(m, " / bo %p", bo);
76505 +#endif
76506 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
76507 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
76508 seq_printf(m, " <<<\n");
76509 diff -urNp linux-2.6.39.3/net/core/datagram.c linux-2.6.39.3/net/core/datagram.c
76510 --- linux-2.6.39.3/net/core/datagram.c 2011-05-19 00:06:34.000000000 -0400
76511 +++ linux-2.6.39.3/net/core/datagram.c 2011-05-22 19:36:33.000000000 -0400
76512 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
76513 }
76514
76515 kfree_skb(skb);
76516 - atomic_inc(&sk->sk_drops);
76517 + atomic_inc_unchecked(&sk->sk_drops);
76518 sk_mem_reclaim_partial(sk);
76519
76520 return err;
76521 diff -urNp linux-2.6.39.3/net/core/dev.c linux-2.6.39.3/net/core/dev.c
76522 --- linux-2.6.39.3/net/core/dev.c 2011-06-03 00:04:14.000000000 -0400
76523 +++ linux-2.6.39.3/net/core/dev.c 2011-06-03 00:32:08.000000000 -0400
76524 @@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
76525 if (no_module && capable(CAP_NET_ADMIN))
76526 no_module = request_module("netdev-%s", name);
76527 if (no_module && capable(CAP_SYS_MODULE)) {
76528 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
76529 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
76530 +#else
76531 if (!request_module("%s", name))
76532 pr_err("Loading kernel module for a network device "
76533 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
76534 "instead\n", name);
76535 +#endif
76536 }
76537 }
76538 EXPORT_SYMBOL(dev_load);
76539 @@ -1957,7 +1961,7 @@ struct dev_gso_cb {
76540
76541 static void dev_gso_skb_destructor(struct sk_buff *skb)
76542 {
76543 - struct dev_gso_cb *cb;
76544 + const struct dev_gso_cb *cb;
76545
76546 do {
76547 struct sk_buff *nskb = skb->next;
76548 @@ -2901,7 +2905,7 @@ int netif_rx_ni(struct sk_buff *skb)
76549 }
76550 EXPORT_SYMBOL(netif_rx_ni);
76551
76552 -static void net_tx_action(struct softirq_action *h)
76553 +static void net_tx_action(void)
76554 {
76555 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76556
76557 @@ -3765,7 +3769,7 @@ void netif_napi_del(struct napi_struct *
76558 }
76559 EXPORT_SYMBOL(netif_napi_del);
76560
76561 -static void net_rx_action(struct softirq_action *h)
76562 +static void net_rx_action(void)
76563 {
76564 struct softnet_data *sd = &__get_cpu_var(softnet_data);
76565 unsigned long time_limit = jiffies + 2;
76566 diff -urNp linux-2.6.39.3/net/core/flow.c linux-2.6.39.3/net/core/flow.c
76567 --- linux-2.6.39.3/net/core/flow.c 2011-05-19 00:06:34.000000000 -0400
76568 +++ linux-2.6.39.3/net/core/flow.c 2011-05-22 19:36:34.000000000 -0400
76569 @@ -60,7 +60,7 @@ struct flow_cache {
76570 struct timer_list rnd_timer;
76571 };
76572
76573 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
76574 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
76575 EXPORT_SYMBOL(flow_cache_genid);
76576 static struct flow_cache flow_cache_global;
76577 static struct kmem_cache *flow_cachep __read_mostly;
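Review bot: `flow_cache_genid` is switched to `atomic_unchecked_t` with no comment saying why it may be exempt from overflow detection. In the hunks of this file it is only read and compared for equality against a stored `genid`, which suggests wrap-around is harmless, but the writers are outside this section. Documenting that at the definition would help, for example `/* generation id: compared for equality only, wrap-around is harmless */`. The same applies to the `sk_drops`, `dev_addr_genid`, `rt_genid`, `rid` and `ip_id_count` conversions later in the patch.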
76578 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
76579
76580 static int flow_entry_valid(struct flow_cache_entry *fle)
76581 {
76582 - if (atomic_read(&flow_cache_genid) != fle->genid)
76583 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
76584 return 0;
76585 if (fle->object && !fle->object->ops->check(fle->object))
76586 return 0;
76587 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
76588 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
76589 fcp->hash_count++;
76590 }
76591 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
76592 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
76593 flo = fle->object;
76594 if (!flo)
76595 goto ret_object;
76596 @@ -274,7 +274,7 @@ nocache:
76597 }
76598 flo = resolver(net, key, family, dir, flo, ctx);
76599 if (fle) {
76600 - fle->genid = atomic_read(&flow_cache_genid);
76601 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
76602 if (!IS_ERR(flo))
76603 fle->object = flo;
76604 else
76605 diff -urNp linux-2.6.39.3/net/core/skbuff.c linux-2.6.39.3/net/core/skbuff.c
76606 --- linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:04:14.000000000 -0400
76607 +++ linux-2.6.39.3/net/core/skbuff.c 2011-06-03 00:32:08.000000000 -0400
76608 @@ -1542,6 +1542,8 @@ int skb_splice_bits(struct sk_buff *skb,
76609 struct sock *sk = skb->sk;
76610 int ret = 0;
76611
76612 + pax_track_stack();
76613 +
76614 if (splice_grow_spd(pipe, &spd))
76615 return -ENOMEM;
76616
76617 diff -urNp linux-2.6.39.3/net/core/sock.c linux-2.6.39.3/net/core/sock.c
76618 --- linux-2.6.39.3/net/core/sock.c 2011-05-19 00:06:34.000000000 -0400
76619 +++ linux-2.6.39.3/net/core/sock.c 2011-05-22 19:36:34.000000000 -0400
76620 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76621 */
76622 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
76623 (unsigned)sk->sk_rcvbuf) {
76624 - atomic_inc(&sk->sk_drops);
76625 + atomic_inc_unchecked(&sk->sk_drops);
76626 return -ENOMEM;
76627 }
76628
76629 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76630 return err;
76631
76632 if (!sk_rmem_schedule(sk, skb->truesize)) {
76633 - atomic_inc(&sk->sk_drops);
76634 + atomic_inc_unchecked(&sk->sk_drops);
76635 return -ENOBUFS;
76636 }
76637
76638 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
76639 skb_dst_force(skb);
76640
76641 spin_lock_irqsave(&list->lock, flags);
76642 - skb->dropcount = atomic_read(&sk->sk_drops);
76643 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
76644 __skb_queue_tail(list, skb);
76645 spin_unlock_irqrestore(&list->lock, flags);
76646
76647 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
76648 skb->dev = NULL;
76649
76650 if (sk_rcvqueues_full(sk, skb)) {
76651 - atomic_inc(&sk->sk_drops);
76652 + atomic_inc_unchecked(&sk->sk_drops);
76653 goto discard_and_relse;
76654 }
76655 if (nested)
76656 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
76657 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
76658 } else if (sk_add_backlog(sk, skb)) {
76659 bh_unlock_sock(sk);
76660 - atomic_inc(&sk->sk_drops);
76661 + atomic_inc_unchecked(&sk->sk_drops);
76662 goto discard_and_relse;
76663 }
76664
76665 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
76666 return -ENOTCONN;
76667 if (lv < len)
76668 return -EINVAL;
76669 - if (copy_to_user(optval, address, len))
76670 + if (len > sizeof(address) || copy_to_user(optval, address, len))
76671 return -EFAULT;
76672 goto lenout;
76673 }
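Review bot: The added `len > sizeof(address)` bound in sock_getsockopt() shares the `-EFAULT` return with a failed `copy_to_user()`, so a caller cannot tell a rejected length from a bad user pointer. A separate check ahead of the copy reads more clearly: `if (len > sizeof(address)) return -EINVAL;`. The same combined form appears in the next hunk (`sizeof(v)`), in net/decnet/sysctl_net_decnet.c (`sizeof addr`, `sizeof devname`) and in net/ipv4/tcp_probe.c (`sizeof tbuf`). Those operands are declared outside their hunks, and the bound only holds if each is an array rather than a pointer.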
76674 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
76675
76676 if (len > lv)
76677 len = lv;
76678 - if (copy_to_user(optval, &v, len))
76679 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
76680 return -EFAULT;
76681 lenout:
76682 if (put_user(len, optlen))
76683 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
76684 */
76685 smp_wmb();
76686 atomic_set(&sk->sk_refcnt, 1);
76687 - atomic_set(&sk->sk_drops, 0);
76688 + atomic_set_unchecked(&sk->sk_drops, 0);
76689 }
76690 EXPORT_SYMBOL(sock_init_data);
76691
76692 diff -urNp linux-2.6.39.3/net/decnet/sysctl_net_decnet.c linux-2.6.39.3/net/decnet/sysctl_net_decnet.c
76693 --- linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-19 00:06:34.000000000 -0400
76694 +++ linux-2.6.39.3/net/decnet/sysctl_net_decnet.c 2011-05-22 19:36:34.000000000 -0400
76695 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
76696
76697 if (len > *lenp) len = *lenp;
76698
76699 - if (copy_to_user(buffer, addr, len))
76700 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
76701 return -EFAULT;
76702
76703 *lenp = len;
76704 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
76705
76706 if (len > *lenp) len = *lenp;
76707
76708 - if (copy_to_user(buffer, devname, len))
76709 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
76710 return -EFAULT;
76711
76712 *lenp = len;
76713 diff -urNp linux-2.6.39.3/net/econet/Kconfig linux-2.6.39.3/net/econet/Kconfig
76714 --- linux-2.6.39.3/net/econet/Kconfig 2011-05-19 00:06:34.000000000 -0400
76715 +++ linux-2.6.39.3/net/econet/Kconfig 2011-05-22 19:41:42.000000000 -0400
76716 @@ -4,7 +4,7 @@
76717
76718 config ECONET
76719 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
76720 - depends on EXPERIMENTAL && INET
76721 + depends on EXPERIMENTAL && INET && BROKEN
76722 ---help---
76723 Econet is a fairly old and slow networking protocol mainly used by
76724 Acorn computers to access file and print servers. It uses native
76725 diff -urNp linux-2.6.39.3/net/ipv4/fib_frontend.c linux-2.6.39.3/net/ipv4/fib_frontend.c
76726 --- linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-19 00:06:34.000000000 -0400
76727 +++ linux-2.6.39.3/net/ipv4/fib_frontend.c 2011-05-22 19:36:34.000000000 -0400
76728 @@ -968,12 +968,12 @@ static int fib_inetaddr_event(struct not
76729 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76730 fib_sync_up(dev);
76731 #endif
76732 - atomic_inc(&net->ipv4.dev_addr_genid);
76733 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76734 rt_cache_flush(dev_net(dev), -1);
76735 break;
76736 case NETDEV_DOWN:
76737 fib_del_ifaddr(ifa, NULL);
76738 - atomic_inc(&net->ipv4.dev_addr_genid);
76739 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76740 if (ifa->ifa_dev->ifa_list == NULL) {
76741 /* Last address was deleted from this interface.
76742 * Disable IP.
76743 @@ -1009,7 +1009,7 @@ static int fib_netdev_event(struct notif
76744 #ifdef CONFIG_IP_ROUTE_MULTIPATH
76745 fib_sync_up(dev);
76746 #endif
76747 - atomic_inc(&net->ipv4.dev_addr_genid);
76748 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
76749 rt_cache_flush(dev_net(dev), -1);
76750 break;
76751 case NETDEV_DOWN:
76752 diff -urNp linux-2.6.39.3/net/ipv4/fib_semantics.c linux-2.6.39.3/net/ipv4/fib_semantics.c
76753 --- linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-19 00:06:34.000000000 -0400
76754 +++ linux-2.6.39.3/net/ipv4/fib_semantics.c 2011-05-22 19:36:34.000000000 -0400
76755 @@ -701,7 +701,7 @@ __be32 fib_info_update_nh_saddr(struct n
76756 nh->nh_saddr = inet_select_addr(nh->nh_dev,
76757 nh->nh_gw,
76758 nh->nh_parent->fib_scope);
76759 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
76760 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
76761
76762 return nh->nh_saddr;
76763 }
76764 diff -urNp linux-2.6.39.3/net/ipv4/inet_diag.c linux-2.6.39.3/net/ipv4/inet_diag.c
76765 --- linux-2.6.39.3/net/ipv4/inet_diag.c 2011-07-09 09:18:51.000000000 -0400
76766 +++ linux-2.6.39.3/net/ipv4/inet_diag.c 2011-06-20 19:27:58.000000000 -0400
76767 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
76768 r->idiag_retrans = 0;
76769
76770 r->id.idiag_if = sk->sk_bound_dev_if;
76771 +
76772 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76773 + r->id.idiag_cookie[0] = 0;
76774 + r->id.idiag_cookie[1] = 0;
76775 +#else
76776 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
76777 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
76778 +#endif
76779
76780 r->id.idiag_sport = inet->inet_sport;
76781 r->id.idiag_dport = inet->inet_dport;
76782 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
76783 r->idiag_family = tw->tw_family;
76784 r->idiag_retrans = 0;
76785 r->id.idiag_if = tw->tw_bound_dev_if;
76786 +
76787 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76788 + r->id.idiag_cookie[0] = 0;
76789 + r->id.idiag_cookie[1] = 0;
76790 +#else
76791 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
76792 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
76793 +#endif
76794 +
76795 r->id.idiag_sport = tw->tw_sport;
76796 r->id.idiag_dport = tw->tw_dport;
76797 r->id.idiag_src[0] = tw->tw_rcv_saddr;
76798 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
76799 if (sk == NULL)
76800 goto unlock;
76801
76802 +#ifndef CONFIG_GRKERNSEC_HIDESYM
76803 err = -ESTALE;
76804 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
76805 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
76806 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
76807 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
76808 goto out;
76809 +#endif
76810
76811 err = -ENOMEM;
76812 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
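Review bot: With CONFIG_GRKERNSEC_HIDESYM the whole `-ESTALE` cookie comparison in inet_diag_get_exact() is compiled out. The function then no longer verifies that the socket found by lookup is the one the caller saw earlier, so a reused address/port tuple can return a different socket without an error. This follows from the fill functions in this file reporting zeroed cookies, but the trade-off is not documented. A comment at the `#ifndef` would record it, for example `/* HIDESYM: cookies are reported as 0, so socket identity cannot be re-checked here */`. The function body starts and ends outside this hunk.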
76813 @@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
76814 r->idiag_retrans = req->retrans;
76815
76816 r->id.idiag_if = sk->sk_bound_dev_if;
76817 +
76818 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76819 + r->id.idiag_cookie[0] = 0;
76820 + r->id.idiag_cookie[1] = 0;
76821 +#else
76822 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
76823 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
76824 +#endif
76825
76826 tmo = req->expires - jiffies;
76827 if (tmo < 0)
76828 diff -urNp linux-2.6.39.3/net/ipv4/inet_hashtables.c linux-2.6.39.3/net/ipv4/inet_hashtables.c
76829 --- linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-19 00:06:34.000000000 -0400
76830 +++ linux-2.6.39.3/net/ipv4/inet_hashtables.c 2011-05-22 19:41:42.000000000 -0400
76831 @@ -18,11 +18,14 @@
76832 #include <linux/sched.h>
76833 #include <linux/slab.h>
76834 #include <linux/wait.h>
76835 +#include <linux/security.h>
76836
76837 #include <net/inet_connection_sock.h>
76838 #include <net/inet_hashtables.h>
76839 #include <net/ip.h>
76840
76841 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
76842 +
76843 /*
76844 * Allocate and initialize a new local port bind bucket.
76845 * The bindhash mutex for snum's hash chain must be held here.
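Review bot: `gr_update_task_in_ip_table` is declared with a file-local `extern` prototype rather than in a shared header, so the compiler cannot check this declaration against the definition and a later signature change would go unnoticed. The same pattern is used for `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c, udp.c and tcp_ipv6.c, for `grsec_lastack_retries` in tcp_timer.c, and for `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg` in udp.c. Moving these declarations into one header included by both the definition and its users would let the compiler check them. Whether the newly included `<linux/security.h>` is a suitable home is not visible from this hunk.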
76846 @@ -529,6 +532,8 @@ ok:
76847 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
76848 spin_unlock(&head->lock);
76849
76850 + gr_update_task_in_ip_table(current, inet_sk(sk));
76851 +
76852 if (tw) {
76853 inet_twsk_deschedule(tw, death_row);
76854 while (twrefcnt) {
76855 diff -urNp linux-2.6.39.3/net/ipv4/inetpeer.c linux-2.6.39.3/net/ipv4/inetpeer.c
76856 --- linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:18:51.000000000 -0400
76857 +++ linux-2.6.39.3/net/ipv4/inetpeer.c 2011-07-09 09:21:38.000000000 -0400
76858 @@ -480,6 +480,8 @@ struct inet_peer *inet_getpeer(struct in
76859 unsigned int sequence;
76860 int invalidated, newrefcnt = 0;
76861
76862 + pax_track_stack();
76863 +
76864 /* Look up for the address quickly, lockless.
76865 * Because of a concurrent writer, we might not find an existing entry.
76866 */
76867 @@ -516,8 +518,8 @@ found: /* The existing node has been fo
76868 if (p) {
76869 p->daddr = *daddr;
76870 atomic_set(&p->refcnt, 1);
76871 - atomic_set(&p->rid, 0);
76872 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76873 + atomic_set_unchecked(&p->rid, 0);
76874 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
76875 p->tcp_ts_stamp = 0;
76876 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
76877 p->rate_tokens = 0;
76878 diff -urNp linux-2.6.39.3/net/ipv4/ip_fragment.c linux-2.6.39.3/net/ipv4/ip_fragment.c
76879 --- linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-19 00:06:34.000000000 -0400
76880 +++ linux-2.6.39.3/net/ipv4/ip_fragment.c 2011-05-22 19:36:34.000000000 -0400
76881 @@ -297,7 +297,7 @@ static inline int ip_frag_too_far(struct
76882 return 0;
76883
76884 start = qp->rid;
76885 - end = atomic_inc_return(&peer->rid);
76886 + end = atomic_inc_return_unchecked(&peer->rid);
76887 qp->rid = end;
76888
76889 rc = qp->q.fragments && (end - start) > max;
76890 diff -urNp linux-2.6.39.3/net/ipv4/ip_sockglue.c linux-2.6.39.3/net/ipv4/ip_sockglue.c
76891 --- linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-19 00:06:34.000000000 -0400
76892 +++ linux-2.6.39.3/net/ipv4/ip_sockglue.c 2011-05-22 19:36:34.000000000 -0400
76893 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
76894 int val;
76895 int len;
76896
76897 + pax_track_stack();
76898 +
76899 if (level != SOL_IP)
76900 return -EOPNOTSUPP;
76901
76902 diff -urNp linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c
76903 --- linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-19 00:06:34.000000000 -0400
76904 +++ linux-2.6.39.3/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-05-22 19:36:34.000000000 -0400
76905 @@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
76906
76907 *len = 0;
76908
76909 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
76910 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
76911 if (*octets == NULL) {
76912 if (net_ratelimit())
76913 pr_notice("OOM in bsalg (%d)\n", __LINE__);
76914 diff -urNp linux-2.6.39.3/net/ipv4/raw.c linux-2.6.39.3/net/ipv4/raw.c
76915 --- linux-2.6.39.3/net/ipv4/raw.c 2011-05-19 00:06:34.000000000 -0400
76916 +++ linux-2.6.39.3/net/ipv4/raw.c 2011-05-22 19:41:42.000000000 -0400
76917 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
76918 int raw_rcv(struct sock *sk, struct sk_buff *skb)
76919 {
76920 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
76921 - atomic_inc(&sk->sk_drops);
76922 + atomic_inc_unchecked(&sk->sk_drops);
76923 kfree_skb(skb);
76924 return NET_RX_DROP;
76925 }
76926 @@ -730,15 +730,19 @@ static int raw_init(struct sock *sk)
76927
76928 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
76929 {
76930 + struct icmp_filter filter;
76931 +
76932 if (optlen > sizeof(struct icmp_filter))
76933 optlen = sizeof(struct icmp_filter);
76934 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
76935 + if (copy_from_user(&filter, optval, optlen))
76936 return -EFAULT;
76937 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
76938 return 0;
76939 }
76940
76941 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
76942 {
76943 + struct icmp_filter filter;
76944 int len, ret = -EFAULT;
76945
76946 if (get_user(len, optlen))
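Review bot: In raw_seticmpfilter() the final `memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));` copies the whole local struct even when `optlen` is smaller than `sizeof(struct icmp_filter)`. The bytes `copy_from_user()` did not fill are uninitialized stack contents, and they overwrite part of the socket's filter, which the original code left untouched. Those bytes can later be read back through raw_geticmpfilter(). rawv6_seticmpfilter() in net/ipv6/raw.c uses `optlen` for the same copy, so this one should match: `memcpy(&raw_sk(sk)->filter, &filter, optlen);`. The body of raw_geticmpfilter() continues outside this hunk.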
76947 @@ -749,8 +753,9 @@ static int raw_geticmpfilter(struct sock
76948 if (len > sizeof(struct icmp_filter))
76949 len = sizeof(struct icmp_filter);
76950 ret = -EFAULT;
76951 + memcpy(&filter, &raw_sk(sk)->filter, len);
76952 if (put_user(len, optlen) ||
76953 - copy_to_user(optval, &raw_sk(sk)->filter, len))
76954 + copy_to_user(optval, &filter, len))
76955 goto out;
76956 ret = 0;
76957 out: return ret;
76958 @@ -978,7 +983,13 @@ static void raw_sock_seq_show(struct seq
76959 sk_wmem_alloc_get(sp),
76960 sk_rmem_alloc_get(sp),
76961 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76962 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76963 + atomic_read(&sp->sk_refcnt),
76964 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76965 + NULL,
76966 +#else
76967 + sp,
76968 +#endif
76969 + atomic_read_unchecked(&sp->sk_drops));
76970 }
76971
76972 static int raw_seq_show(struct seq_file *seq, void *v)
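Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `sp` block is placed inside the seq_printf() argument list. The same five lines are repeated in get_openreq4(), get_tcp4_sock(), get_timewait4_sock(), udp4_format_sock() and raw6_sock_seq_show(). A single helper macro that expands to `NULL` or to its argument would keep each call site to one line, so a new /proc formatter cannot miss the masking. The format string is outside this hunk; depending on how a NULL `%p` is rendered, the column may no longer be a fixed-width hex value, which is worth a comment for tools that parse this file.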
76973 diff -urNp linux-2.6.39.3/net/ipv4/route.c linux-2.6.39.3/net/ipv4/route.c
76974 --- linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:18:51.000000000 -0400
76975 +++ linux-2.6.39.3/net/ipv4/route.c 2011-07-09 09:19:27.000000000 -0400
76976 @@ -303,7 +303,7 @@ static inline unsigned int rt_hash(__be3
76977
76978 static inline int rt_genid(struct net *net)
76979 {
76980 - return atomic_read(&net->ipv4.rt_genid);
76981 + return atomic_read_unchecked(&net->ipv4.rt_genid);
76982 }
76983
76984 #ifdef CONFIG_PROC_FS
76985 @@ -831,7 +831,7 @@ static void rt_cache_invalidate(struct n
76986 unsigned char shuffle;
76987
76988 get_random_bytes(&shuffle, sizeof(shuffle));
76989 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
76990 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
76991 }
76992
76993 /*
76994 @@ -2833,7 +2833,7 @@ static int rt_fill_info(struct net *net,
76995 rt->peer->pmtu_expires - jiffies : 0;
76996 if (rt->peer) {
76997 inet_peer_refcheck(rt->peer);
76998 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
76999 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
77000 if (rt->peer->tcp_ts_stamp) {
77001 ts = rt->peer->tcp_ts;
77002 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
77003 diff -urNp linux-2.6.39.3/net/ipv4/tcp.c linux-2.6.39.3/net/ipv4/tcp.c
77004 --- linux-2.6.39.3/net/ipv4/tcp.c 2011-05-19 00:06:34.000000000 -0400
77005 +++ linux-2.6.39.3/net/ipv4/tcp.c 2011-05-22 19:36:34.000000000 -0400
77006 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
77007 int val;
77008 int err = 0;
77009
77010 + pax_track_stack();
77011 +
77012 /* These are data/string values, all the others are ints */
77013 switch (optname) {
77014 case TCP_CONGESTION: {
77015 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
77016 struct tcp_sock *tp = tcp_sk(sk);
77017 int val, len;
77018
77019 + pax_track_stack();
77020 +
77021 if (get_user(len, optlen))
77022 return -EFAULT;
77023
77024 diff -urNp linux-2.6.39.3/net/ipv4/tcp_ipv4.c linux-2.6.39.3/net/ipv4/tcp_ipv4.c
77025 --- linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-19 00:06:34.000000000 -0400
77026 +++ linux-2.6.39.3/net/ipv4/tcp_ipv4.c 2011-05-22 19:41:42.000000000 -0400
77027 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
77028 int sysctl_tcp_low_latency __read_mostly;
77029 EXPORT_SYMBOL(sysctl_tcp_low_latency);
77030
77031 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77032 +extern int grsec_enable_blackhole;
77033 +#endif
77034
77035 #ifdef CONFIG_TCP_MD5SIG
77036 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
77037 @@ -1594,6 +1597,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
77038 return 0;
77039
77040 reset:
77041 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77042 + if (!grsec_enable_blackhole)
77043 +#endif
77044 tcp_v4_send_reset(rsk, skb);
77045 discard:
77046 kfree_skb(skb);
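Review bot: The added `if (!grsec_enable_blackhole)` sits inside the `#ifdef` while the statement it guards, `tcp_v4_send_reset(rsk, skb);`, sits outside it with no braces. Any statement later inserted between the `#endif` and the call would silently become the guarded one. Bracing the call after the `#endif`, `{ tcp_v4_send_reset(rsk, skb); }`, or moving the test into a small inline helper avoids that. The same construct is used at no_tcp_socket in tcp_v4_rcv(), in __udp4_lib_rcv(), in tcp_v6_do_rcv(), and at embryonic_reset in tcp_minisocks.c, where the added `if` governs another unbraced `if`.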
77047 @@ -1656,12 +1662,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
77048 TCP_SKB_CB(skb)->sacked = 0;
77049
77050 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77051 - if (!sk)
77052 + if (!sk) {
77053 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77054 + ret = 1;
77055 +#endif
77056 goto no_tcp_socket;
77057 -
77058 + }
77059 process:
77060 - if (sk->sk_state == TCP_TIME_WAIT)
77061 + if (sk->sk_state == TCP_TIME_WAIT) {
77062 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77063 + ret = 2;
77064 +#endif
77065 goto do_time_wait;
77066 + }
77067
77068 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
77069 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
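Review bot: `ret`, the function's return variable, is reused here as a path marker with the bare literals `1` and `2`. Only `ret == 1` is tested, in the next hunk at no_tcp_socket, and nothing in the visible hunks explains `2` or shows whether `ret` is reassigned before the function returns. A dedicated local flag, or at least a comment, would make the intent reviewable, for example `/* 1: no socket found, 2: TIME_WAIT socket; a RST is sent under blackhole only for case 1 on loopback */`. tcp_v4_rcv() starts and ends outside this hunk, so the declaration of `ret` and its later uses cannot be checked from here.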
77070 @@ -1711,6 +1724,10 @@ no_tcp_socket:
77071 bad_packet:
77072 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77073 } else {
77074 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77075 + if (!grsec_enable_blackhole || (ret == 1 &&
77076 + (skb->dev->flags & IFF_LOOPBACK)))
77077 +#endif
77078 tcp_v4_send_reset(NULL, skb);
77079 }
77080
77081 @@ -2374,7 +2391,11 @@ static void get_openreq4(struct sock *sk
77082 0, /* non standard timer */
77083 0, /* open_requests have no inode */
77084 atomic_read(&sk->sk_refcnt),
77085 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77086 + NULL,
77087 +#else
77088 req,
77089 +#endif
77090 len);
77091 }
77092
77093 @@ -2424,7 +2445,12 @@ static void get_tcp4_sock(struct sock *s
77094 sock_i_uid(sk),
77095 icsk->icsk_probes_out,
77096 sock_i_ino(sk),
77097 - atomic_read(&sk->sk_refcnt), sk,
77098 + atomic_read(&sk->sk_refcnt),
77099 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77100 + NULL,
77101 +#else
77102 + sk,
77103 +#endif
77104 jiffies_to_clock_t(icsk->icsk_rto),
77105 jiffies_to_clock_t(icsk->icsk_ack.ato),
77106 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
77107 @@ -2452,7 +2478,13 @@ static void get_timewait4_sock(struct in
77108 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
77109 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
77110 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77111 - atomic_read(&tw->tw_refcnt), tw, len);
77112 + atomic_read(&tw->tw_refcnt),
77113 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77114 + NULL,
77115 +#else
77116 + tw,
77117 +#endif
77118 + len);
77119 }
77120
77121 #define TMPSZ 150
77122 diff -urNp linux-2.6.39.3/net/ipv4/tcp_minisocks.c linux-2.6.39.3/net/ipv4/tcp_minisocks.c
77123 --- linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-19 00:06:34.000000000 -0400
77124 +++ linux-2.6.39.3/net/ipv4/tcp_minisocks.c 2011-05-22 19:41:42.000000000 -0400
77125 @@ -27,6 +27,10 @@
77126 #include <net/inet_common.h>
77127 #include <net/xfrm.h>
77128
77129 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77130 +extern int grsec_enable_blackhole;
77131 +#endif
77132 +
77133 int sysctl_tcp_syncookies __read_mostly = 1;
77134 EXPORT_SYMBOL(sysctl_tcp_syncookies);
77135
77136 @@ -745,6 +749,10 @@ listen_overflow:
77137
77138 embryonic_reset:
77139 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
77140 +
77141 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77142 + if (!grsec_enable_blackhole)
77143 +#endif
77144 if (!(flg & TCP_FLAG_RST))
77145 req->rsk_ops->send_reset(sk, skb);
77146
77147 diff -urNp linux-2.6.39.3/net/ipv4/tcp_output.c linux-2.6.39.3/net/ipv4/tcp_output.c
77148 --- linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-19 00:06:34.000000000 -0400
77149 +++ linux-2.6.39.3/net/ipv4/tcp_output.c 2011-05-22 19:36:34.000000000 -0400
77150 @@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
77151 int mss;
77152 int s_data_desired = 0;
77153
77154 + pax_track_stack();
77155 +
77156 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
77157 s_data_desired = cvp->s_data_desired;
77158 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
77159 diff -urNp linux-2.6.39.3/net/ipv4/tcp_probe.c linux-2.6.39.3/net/ipv4/tcp_probe.c
77160 --- linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-19 00:06:34.000000000 -0400
77161 +++ linux-2.6.39.3/net/ipv4/tcp_probe.c 2011-05-22 19:36:34.000000000 -0400
77162 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
77163 if (cnt + width >= len)
77164 break;
77165
77166 - if (copy_to_user(buf + cnt, tbuf, width))
77167 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
77168 return -EFAULT;
77169 cnt += width;
77170 }
77171 diff -urNp linux-2.6.39.3/net/ipv4/tcp_timer.c linux-2.6.39.3/net/ipv4/tcp_timer.c
77172 --- linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-19 00:06:34.000000000 -0400
77173 +++ linux-2.6.39.3/net/ipv4/tcp_timer.c 2011-05-22 19:41:42.000000000 -0400
77174 @@ -22,6 +22,10 @@
77175 #include <linux/gfp.h>
77176 #include <net/tcp.h>
77177
77178 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77179 +extern int grsec_lastack_retries;
77180 +#endif
77181 +
77182 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
77183 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
77184 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
77185 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
77186 }
77187 }
77188
77189 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77190 + if ((sk->sk_state == TCP_LAST_ACK) &&
77191 + (grsec_lastack_retries > 0) &&
77192 + (grsec_lastack_retries < retry_until))
77193 + retry_until = grsec_lastack_retries;
77194 +#endif
77195 +
77196 if (retransmits_timed_out(sk, retry_until,
77197 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
77198 /* Has it gone just too far? */
77199 diff -urNp linux-2.6.39.3/net/ipv4/udp.c linux-2.6.39.3/net/ipv4/udp.c
77200 --- linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:18:51.000000000 -0400
77201 +++ linux-2.6.39.3/net/ipv4/udp.c 2011-07-09 09:19:27.000000000 -0400
77202 @@ -86,6 +86,7 @@
77203 #include <linux/types.h>
77204 #include <linux/fcntl.h>
77205 #include <linux/module.h>
77206 +#include <linux/security.h>
77207 #include <linux/socket.h>
77208 #include <linux/sockios.h>
77209 #include <linux/igmp.h>
77210 @@ -107,6 +108,10 @@
77211 #include <net/xfrm.h>
77212 #include "udp_impl.h"
77213
77214 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77215 +extern int grsec_enable_blackhole;
77216 +#endif
77217 +
77218 struct udp_table udp_table __read_mostly;
77219 EXPORT_SYMBOL(udp_table);
77220
77221 @@ -564,6 +569,9 @@ found:
77222 return s;
77223 }
77224
77225 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
77226 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
77227 +
77228 /*
77229 * This routine is called by the ICMP module when it gets some
77230 * sort of error condition. If err < 0 then the socket should
77231 @@ -853,9 +861,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
77232 dport = usin->sin_port;
77233 if (dport == 0)
77234 return -EINVAL;
77235 +
77236 + err = gr_search_udp_sendmsg(sk, usin);
77237 + if (err)
77238 + return err;
77239 } else {
77240 if (sk->sk_state != TCP_ESTABLISHED)
77241 return -EDESTADDRREQ;
77242 +
77243 + err = gr_search_udp_sendmsg(sk, NULL);
77244 + if (err)
77245 + return err;
77246 +
77247 daddr = inet->inet_daddr;
77248 dport = inet->inet_dport;
77249 /* Open fast path for connected socket.
77250 @@ -1090,7 +1107,7 @@ static unsigned int first_packet_length(
77251 udp_lib_checksum_complete(skb)) {
77252 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77253 IS_UDPLITE(sk));
77254 - atomic_inc(&sk->sk_drops);
77255 + atomic_inc_unchecked(&sk->sk_drops);
77256 __skb_unlink(skb, rcvq);
77257 __skb_queue_tail(&list_kill, skb);
77258 }
77259 @@ -1176,6 +1193,10 @@ try_again:
77260 if (!skb)
77261 goto out;
77262
77263 + err = gr_search_udp_recvmsg(sk, skb);
77264 + if (err)
77265 + goto out_free;
77266 +
77267 ulen = skb->len - sizeof(struct udphdr);
77268 if (len > ulen)
77269 len = ulen;
77270 @@ -1475,7 +1496,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
77271
77272 drop:
77273 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77274 - atomic_inc(&sk->sk_drops);
77275 + atomic_inc_unchecked(&sk->sk_drops);
77276 kfree_skb(skb);
77277 return -1;
77278 }
77279 @@ -1494,7 +1515,7 @@ static void flush_stack(struct sock **st
77280 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
77281
77282 if (!skb1) {
77283 - atomic_inc(&sk->sk_drops);
77284 + atomic_inc_unchecked(&sk->sk_drops);
77285 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
77286 IS_UDPLITE(sk));
77287 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
77288 @@ -1663,6 +1684,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
77289 goto csum_error;
77290
77291 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
77292 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77293 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77294 +#endif
77295 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
77296
77297 /*
77298 @@ -2090,8 +2114,13 @@ static void udp4_format_sock(struct sock
77299 sk_wmem_alloc_get(sp),
77300 sk_rmem_alloc_get(sp),
77301 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77302 - atomic_read(&sp->sk_refcnt), sp,
77303 - atomic_read(&sp->sk_drops), len);
77304 + atomic_read(&sp->sk_refcnt),
77305 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77306 + NULL,
77307 +#else
77308 + sp,
77309 +#endif
77310 + atomic_read_unchecked(&sp->sk_drops), len);
77311 }
77312
77313 int udp4_seq_show(struct seq_file *seq, void *v)
77314 diff -urNp linux-2.6.39.3/net/ipv6/inet6_connection_sock.c linux-2.6.39.3/net/ipv6/inet6_connection_sock.c
77315 --- linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-19 00:06:34.000000000 -0400
77316 +++ linux-2.6.39.3/net/ipv6/inet6_connection_sock.c 2011-05-22 19:36:34.000000000 -0400
77317 @@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
77318 #ifdef CONFIG_XFRM
77319 {
77320 struct rt6_info *rt = (struct rt6_info *)dst;
77321 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
77322 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
77323 }
77324 #endif
77325 }
77326 @@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
77327 #ifdef CONFIG_XFRM
77328 if (dst) {
77329 struct rt6_info *rt = (struct rt6_info *)dst;
77330 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
77331 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
77332 __sk_dst_reset(sk);
77333 dst = NULL;
77334 }
77335 diff -urNp linux-2.6.39.3/net/ipv6/ipv6_sockglue.c linux-2.6.39.3/net/ipv6/ipv6_sockglue.c
77336 --- linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-19 00:06:34.000000000 -0400
77337 +++ linux-2.6.39.3/net/ipv6/ipv6_sockglue.c 2011-05-22 19:36:34.000000000 -0400
77338 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
77339 int val, valbool;
77340 int retv = -ENOPROTOOPT;
77341
77342 + pax_track_stack();
77343 +
77344 if (optval == NULL)
77345 val=0;
77346 else {
77347 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
77348 int len;
77349 int val;
77350
77351 + pax_track_stack();
77352 +
77353 if (ip6_mroute_opt(optname))
77354 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
77355
77356 diff -urNp linux-2.6.39.3/net/ipv6/raw.c linux-2.6.39.3/net/ipv6/raw.c
77357 --- linux-2.6.39.3/net/ipv6/raw.c 2011-05-19 00:06:34.000000000 -0400
77358 +++ linux-2.6.39.3/net/ipv6/raw.c 2011-05-22 19:41:42.000000000 -0400
77359 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
77360 {
77361 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
77362 skb_checksum_complete(skb)) {
77363 - atomic_inc(&sk->sk_drops);
77364 + atomic_inc_unchecked(&sk->sk_drops);
77365 kfree_skb(skb);
77366 return NET_RX_DROP;
77367 }
77368 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77369 struct raw6_sock *rp = raw6_sk(sk);
77370
77371 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
77372 - atomic_inc(&sk->sk_drops);
77373 + atomic_inc_unchecked(&sk->sk_drops);
77374 kfree_skb(skb);
77375 return NET_RX_DROP;
77376 }
77377 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
77378
77379 if (inet->hdrincl) {
77380 if (skb_checksum_complete(skb)) {
77381 - atomic_inc(&sk->sk_drops);
77382 + atomic_inc_unchecked(&sk->sk_drops);
77383 kfree_skb(skb);
77384 return NET_RX_DROP;
77385 }
77386 @@ -601,7 +601,7 @@ out:
77387 return err;
77388 }
77389
77390 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
77391 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
77392 struct flowi6 *fl6, struct dst_entry **dstp,
77393 unsigned int flags)
77394 {
77395 @@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
77396 u16 proto;
77397 int err;
77398
77399 + pax_track_stack();
77400 +
77401 /* Rough check on arithmetic overflow,
77402 better check is made in ip6_append_data().
77403 */
77404 @@ -909,12 +911,15 @@ do_confirm:
77405 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
77406 char __user *optval, int optlen)
77407 {
77408 + struct icmp6_filter filter;
77409 +
77410 switch (optname) {
77411 case ICMPV6_FILTER:
77412 if (optlen > sizeof(struct icmp6_filter))
77413 optlen = sizeof(struct icmp6_filter);
77414 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
77415 + if (copy_from_user(&filter, optval, optlen))
77416 return -EFAULT;
77417 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
77418 return 0;
77419 default:
77420 return -ENOPROTOOPT;
77421 @@ -926,6 +931,7 @@ static int rawv6_seticmpfilter(struct so
77422 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
77423 char __user *optval, int __user *optlen)
77424 {
77425 + struct icmp6_filter filter;
77426 int len;
77427
77428 switch (optname) {
77429 @@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
77430 len = sizeof(struct icmp6_filter);
77431 if (put_user(len, optlen))
77432 return -EFAULT;
77433 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
77434 + memcpy(&filter, &raw6_sk(sk)->filter, len);
77435 + if (copy_to_user(optval, &filter, len))
77436 return -EFAULT;
77437 return 0;
77438 default:
77439 @@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
77440 0, 0L, 0,
77441 sock_i_uid(sp), 0,
77442 sock_i_ino(sp),
77443 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77444 + atomic_read(&sp->sk_refcnt),
77445 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77446 + NULL,
77447 +#else
77448 + sp,
77449 +#endif
77450 + atomic_read_unchecked(&sp->sk_drops));
77451 }
77452
77453 static int raw6_seq_show(struct seq_file *seq, void *v)
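Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block spliced into the middle of the seq_printf argument list is repeated by hand here and in get_openreq6, get_tcp6_sock, get_timewait6_sock, udp6_sock_seq_show and pfkey_seq_show. A single macro defined once, expanding to NULL under the option and to its argument otherwise, would let each call site read `atomic_read(&sp->sk_refcnt), HIDESYM_PTR(sp),` (HIDESYM_PTR is a name proposed here, not one from the patch) and would keep the sites from drifting apart. The format string for this call is outside the hunk, so the specifier that receives NULL cannot be checked from here.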
77454 diff -urNp linux-2.6.39.3/net/ipv6/tcp_ipv6.c linux-2.6.39.3/net/ipv6/tcp_ipv6.c
77455 --- linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-19 00:06:34.000000000 -0400
77456 +++ linux-2.6.39.3/net/ipv6/tcp_ipv6.c 2011-05-22 19:41:42.000000000 -0400
77457 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
77458 }
77459 #endif
77460
77461 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77462 +extern int grsec_enable_blackhole;
77463 +#endif
77464 +
77465 static void tcp_v6_hash(struct sock *sk)
77466 {
77467 if (sk->sk_state != TCP_CLOSE) {
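Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same three lines are repeated in net/ipv6/udp.c later in the patch, so neither declaration is ever checked by the compiler against the definition. Declaring it once in a header that the defining file also includes would catch a type change. The definition is not visible here, so which header fits is for the author to pick.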
77468 @@ -1660,6 +1664,9 @@ static int tcp_v6_do_rcv(struct sock *sk
77469 return 0;
77470
77471 reset:
77472 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77473 + if (!grsec_enable_blackhole)
77474 +#endif
77475 tcp_v6_send_reset(sk, skb);
77476 discard:
77477 if (opt_skb)
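Review bot: The conditional at `reset:` leaves an unbraced `if (!grsec_enable_blackhole)` whose body is whatever statement follows the `#endif`, so a line later inserted before `tcp_v6_send_reset(sk, skb);` would silently become the guarded statement when CONFIG_GRKERNSEC_BLACKHOLE is set. The same construct guards `tcp_v6_send_reset(NULL, skb);` in tcp_v6_rcv and `icmpv6_send(...)` in __udp6_lib_rcv. A comment such as `/* blackhole: the if above guards only the next statement */`, or moving the test into a small static inline predicate, would make the coupling explicit. tcp_v6_do_rcv starts and ends outside this hunk.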
77478 @@ -1739,12 +1746,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
77479 TCP_SKB_CB(skb)->sacked = 0;
77480
77481 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77482 - if (!sk)
77483 + if (!sk) {
77484 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77485 + ret = 1;
77486 +#endif
77487 goto no_tcp_socket;
77488 + }
77489
77490 process:
77491 - if (sk->sk_state == TCP_TIME_WAIT)
77492 + if (sk->sk_state == TCP_TIME_WAIT) {
77493 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77494 + ret = 2;
77495 +#endif
77496 goto do_time_wait;
77497 + }
77498
77499 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
77500 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
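Review bot: `ret = 1` and `ret = 2` reuse the function's return-code variable as a marker for which path reached `no_tcp_socket`. The only reader, `ret == 1` in the next hunk, gives no hint of what the values mean, and `2` is never compared against in the visible code. Named constants or a dedicated local would read better, and a comment at the test such as `/* no socket found (ret == 1): still answer on loopback */` would record the intent; that reading is inferred from the condition and should be confirmed. tcp_v6_rcv starts and ends outside this hunk, so whether `ret` holds a defined value on every other path to the label cannot be checked here.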
77501 @@ -1792,6 +1807,10 @@ no_tcp_socket:
77502 bad_packet:
77503 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77504 } else {
77505 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77506 + if (!grsec_enable_blackhole || (ret == 1 &&
77507 + (skb->dev->flags & IFF_LOOPBACK)))
77508 +#endif
77509 tcp_v6_send_reset(NULL, skb);
77510 }
77511
77512 @@ -2052,7 +2071,13 @@ static void get_openreq6(struct seq_file
77513 uid,
77514 0, /* non standard timer */
77515 0, /* open_requests have no inode */
77516 - 0, req);
77517 + 0,
77518 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77519 + NULL
77520 +#else
77521 + req
77522 +#endif
77523 + );
77524 }
77525
77526 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
77527 @@ -2102,7 +2127,12 @@ static void get_tcp6_sock(struct seq_fil
77528 sock_i_uid(sp),
77529 icsk->icsk_probes_out,
77530 sock_i_ino(sp),
77531 - atomic_read(&sp->sk_refcnt), sp,
77532 + atomic_read(&sp->sk_refcnt),
77533 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77534 + NULL,
77535 +#else
77536 + sp,
77537 +#endif
77538 jiffies_to_clock_t(icsk->icsk_rto),
77539 jiffies_to_clock_t(icsk->icsk_ack.ato),
77540 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
77541 @@ -2137,7 +2167,13 @@ static void get_timewait6_sock(struct se
77542 dest->s6_addr32[2], dest->s6_addr32[3], destp,
77543 tw->tw_substate, 0, 0,
77544 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
77545 - atomic_read(&tw->tw_refcnt), tw);
77546 + atomic_read(&tw->tw_refcnt),
77547 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77548 + NULL
77549 +#else
77550 + tw
77551 +#endif
77552 + );
77553 }
77554
77555 static int tcp6_seq_show(struct seq_file *seq, void *v)
77556 diff -urNp linux-2.6.39.3/net/ipv6/udp.c linux-2.6.39.3/net/ipv6/udp.c
77557 --- linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:18:51.000000000 -0400
77558 +++ linux-2.6.39.3/net/ipv6/udp.c 2011-07-09 09:19:27.000000000 -0400
77559 @@ -50,6 +50,10 @@
77560 #include <linux/seq_file.h>
77561 #include "udp_impl.h"
77562
77563 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77564 +extern int grsec_enable_blackhole;
77565 +#endif
77566 +
77567 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
77568 {
77569 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
77570 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
77571
77572 return 0;
77573 drop:
77574 - atomic_inc(&sk->sk_drops);
77575 + atomic_inc_unchecked(&sk->sk_drops);
77576 drop_no_sk_drops_inc:
77577 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
77578 kfree_skb(skb);
77579 @@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
77580 continue;
77581 }
77582 drop:
77583 - atomic_inc(&sk->sk_drops);
77584 + atomic_inc_unchecked(&sk->sk_drops);
77585 UDP6_INC_STATS_BH(sock_net(sk),
77586 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
77587 UDP6_INC_STATS_BH(sock_net(sk),
77588 @@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77589 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
77590 proto == IPPROTO_UDPLITE);
77591
77592 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77593 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
77594 +#endif
77595 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
77596
77597 kfree_skb(skb);
77598 @@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
77599 if (!sock_owned_by_user(sk))
77600 udpv6_queue_rcv_skb(sk, skb);
77601 else if (sk_add_backlog(sk, skb)) {
77602 - atomic_inc(&sk->sk_drops);
77603 + atomic_inc_unchecked(&sk->sk_drops);
77604 bh_unlock_sock(sk);
77605 sock_put(sk);
77606 goto discard;
77607 @@ -1406,8 +1413,13 @@ static void udp6_sock_seq_show(struct se
77608 0, 0L, 0,
77609 sock_i_uid(sp), 0,
77610 sock_i_ino(sp),
77611 - atomic_read(&sp->sk_refcnt), sp,
77612 - atomic_read(&sp->sk_drops));
77613 + atomic_read(&sp->sk_refcnt),
77614 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77615 + NULL,
77616 +#else
77617 + sp,
77618 +#endif
77619 + atomic_read_unchecked(&sp->sk_drops));
77620 }
77621
77622 int udp6_seq_show(struct seq_file *seq, void *v)
77623 diff -urNp linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c
77624 --- linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-19 00:06:34.000000000 -0400
77625 +++ linux-2.6.39.3/net/irda/ircomm/ircomm_tty.c 2011-05-22 19:36:34.000000000 -0400
77626 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
77627 add_wait_queue(&self->open_wait, &wait);
77628
77629 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
77630 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77631 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77632
77633 /* As far as I can see, we protect open_count - Jean II */
77634 spin_lock_irqsave(&self->spinlock, flags);
77635 if (!tty_hung_up_p(filp)) {
77636 extra_count = 1;
77637 - self->open_count--;
77638 + local_dec(&self->open_count);
77639 }
77640 spin_unlock_irqrestore(&self->spinlock, flags);
77641 - self->blocked_open++;
77642 + local_inc(&self->blocked_open);
77643
77644 while (1) {
77645 if (tty->termios->c_cflag & CBAUD) {
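Review bot: `local_read()` returns a long, yet the format strings still use `%d` for it: `open_count=%d` here and in the two later IRDA_DEBUG calls of this function, the IRDA_DEBUG in ircomm_tty_open, the IRDA_DEBUG and IRDA_ERROR in ircomm_tty_close, and `seq_printf(m, "Open count: %d\n", local_read(&self->open_count));` in ircomm_tty_line_info. That is a format/argument mismatch on 64-bit builds; the seq_printf is unconditional, while the debug macros may compile away depending on configuration not shown here. Either switch the specifiers to `%ld` or cast at the call, e.g. `(int)local_read(&self->open_count)`. This assumes open_count and blocked_open became local_t in the header, which is outside this view.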
77646 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
77647 }
77648
77649 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
77650 - __FILE__,__LINE__, tty->driver->name, self->open_count );
77651 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
77652
77653 schedule();
77654 }
77655 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
77656 if (extra_count) {
77657 /* ++ is not atomic, so this should be protected - Jean II */
77658 spin_lock_irqsave(&self->spinlock, flags);
77659 - self->open_count++;
77660 + local_inc(&self->open_count);
77661 spin_unlock_irqrestore(&self->spinlock, flags);
77662 }
77663 - self->blocked_open--;
77664 + local_dec(&self->blocked_open);
77665
77666 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
77667 - __FILE__,__LINE__, tty->driver->name, self->open_count);
77668 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
77669
77670 if (!retval)
77671 self->flags |= ASYNC_NORMAL_ACTIVE;
77672 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
77673 }
77674 /* ++ is not atomic, so this should be protected - Jean II */
77675 spin_lock_irqsave(&self->spinlock, flags);
77676 - self->open_count++;
77677 + local_inc(&self->open_count);
77678
77679 tty->driver_data = self;
77680 self->tty = tty;
77681 spin_unlock_irqrestore(&self->spinlock, flags);
77682
77683 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
77684 - self->line, self->open_count);
77685 + self->line, local_read(&self->open_count));
77686
77687 /* Not really used by us, but lets do it anyway */
77688 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
77689 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
77690 return;
77691 }
77692
77693 - if ((tty->count == 1) && (self->open_count != 1)) {
77694 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
77695 /*
77696 * Uh, oh. tty->count is 1, which means that the tty
77697 * structure will be freed. state->count should always
77698 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
77699 */
77700 IRDA_DEBUG(0, "%s(), bad serial port count; "
77701 "tty->count is 1, state->count is %d\n", __func__ ,
77702 - self->open_count);
77703 - self->open_count = 1;
77704 + local_read(&self->open_count));
77705 + local_set(&self->open_count, 1);
77706 }
77707
77708 - if (--self->open_count < 0) {
77709 + if (local_dec_return(&self->open_count) < 0) {
77710 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
77711 - __func__, self->line, self->open_count);
77712 - self->open_count = 0;
77713 + __func__, self->line, local_read(&self->open_count));
77714 + local_set(&self->open_count, 0);
77715 }
77716 - if (self->open_count) {
77717 + if (local_read(&self->open_count)) {
77718 spin_unlock_irqrestore(&self->spinlock, flags);
77719
77720 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
77721 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
77722 tty->closing = 0;
77723 self->tty = NULL;
77724
77725 - if (self->blocked_open) {
77726 + if (local_read(&self->blocked_open)) {
77727 if (self->close_delay)
77728 schedule_timeout_interruptible(self->close_delay);
77729 wake_up_interruptible(&self->open_wait);
77730 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
77731 spin_lock_irqsave(&self->spinlock, flags);
77732 self->flags &= ~ASYNC_NORMAL_ACTIVE;
77733 self->tty = NULL;
77734 - self->open_count = 0;
77735 + local_set(&self->open_count, 0);
77736 spin_unlock_irqrestore(&self->spinlock, flags);
77737
77738 wake_up_interruptible(&self->open_wait);
77739 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
77740 seq_putc(m, '\n');
77741
77742 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
77743 - seq_printf(m, "Open count: %d\n", self->open_count);
77744 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
77745 seq_printf(m, "Max data size: %d\n", self->max_data_size);
77746 seq_printf(m, "Max header size: %d\n", self->max_header_size);
77747
77748 diff -urNp linux-2.6.39.3/net/iucv/af_iucv.c linux-2.6.39.3/net/iucv/af_iucv.c
77749 --- linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-19 00:06:34.000000000 -0400
77750 +++ linux-2.6.39.3/net/iucv/af_iucv.c 2011-05-22 19:36:34.000000000 -0400
77751 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
77752
77753 write_lock_bh(&iucv_sk_list.lock);
77754
77755 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
77756 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77757 while (__iucv_get_sock_by_name(name)) {
77758 sprintf(name, "%08x",
77759 - atomic_inc_return(&iucv_sk_list.autobind_name));
77760 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
77761 }
77762
77763 write_unlock_bh(&iucv_sk_list.lock);
77764 diff -urNp linux-2.6.39.3/net/key/af_key.c linux-2.6.39.3/net/key/af_key.c
77765 --- linux-2.6.39.3/net/key/af_key.c 2011-05-19 00:06:34.000000000 -0400
77766 +++ linux-2.6.39.3/net/key/af_key.c 2011-05-22 19:41:42.000000000 -0400
77767 @@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
77768 struct xfrm_migrate m[XFRM_MAX_DEPTH];
77769 struct xfrm_kmaddress k;
77770
77771 + pax_track_stack();
77772 +
77773 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
77774 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
77775 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
77776 @@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
77777 static u32 get_acqseq(void)
77778 {
77779 u32 res;
77780 - static atomic_t acqseq;
77781 + static atomic_unchecked_t acqseq;
77782
77783 do {
77784 - res = atomic_inc_return(&acqseq);
77785 + res = atomic_inc_return_unchecked(&acqseq);
77786 } while (!res);
77787 return res;
77788 }
77789 @@ -3657,7 +3659,11 @@ static int pfkey_seq_show(struct seq_fil
77790 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
77791 else
77792 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
77793 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77794 + NULL,
77795 +#else
77796 s,
77797 +#endif
77798 atomic_read(&s->sk_refcnt),
77799 sk_rmem_alloc_get(s),
77800 sk_wmem_alloc_get(s),
77801 diff -urNp linux-2.6.39.3/net/l2tp/l2tp_ip.c linux-2.6.39.3/net/l2tp/l2tp_ip.c
77802 --- linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-19 00:06:34.000000000 -0400
77803 +++ linux-2.6.39.3/net/l2tp/l2tp_ip.c 2011-05-22 19:36:34.000000000 -0400
77804 @@ -625,7 +625,7 @@ static struct inet_protosw l2tp_ip_proto
77805 .no_check = 0,
77806 };
77807
77808 -static struct net_protocol l2tp_ip_protocol __read_mostly = {
77809 +static const struct net_protocol l2tp_ip_protocol = {
77810 .handler = l2tp_ip_recv,
77811 };
77812
77813 diff -urNp linux-2.6.39.3/net/lapb/lapb_iface.c linux-2.6.39.3/net/lapb/lapb_iface.c
77814 --- linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-19 00:06:34.000000000 -0400
77815 +++ linux-2.6.39.3/net/lapb/lapb_iface.c 2011-05-22 19:36:34.000000000 -0400
77816 @@ -138,8 +138,7 @@ static struct lapb_cb *lapb_create_cb(vo
77817 out:
77818 return lapb;
77819 }
77820 -
77821 -int lapb_register(struct net_device *dev, struct lapb_register_struct *callbacks)
77822 +int lapb_register(struct net_device *dev, const struct lapb_register_struct *callbacks)
77823 {
77824 struct lapb_cb *lapb;
77825 int rc = LAPB_BADTOKEN;
77826 diff -urNp linux-2.6.39.3/net/mac80211/cfg.c linux-2.6.39.3/net/mac80211/cfg.c
77827 --- linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:04:14.000000000 -0400
77828 +++ linux-2.6.39.3/net/mac80211/cfg.c 2011-06-03 00:32:08.000000000 -0400
77829 @@ -2031,7 +2031,7 @@ static void ieee80211_get_ringparam(stru
77830 drv_get_ringparam(local, tx, tx_max, rx, rx_max);
77831 }
77832
77833 -struct cfg80211_ops mac80211_config_ops = {
77834 +const struct cfg80211_ops mac80211_config_ops = {
77835 .add_virtual_intf = ieee80211_add_iface,
77836 .del_virtual_intf = ieee80211_del_iface,
77837 .change_virtual_intf = ieee80211_change_iface,
77838 diff -urNp linux-2.6.39.3/net/mac80211/cfg.h linux-2.6.39.3/net/mac80211/cfg.h
77839 --- linux-2.6.39.3/net/mac80211/cfg.h 2011-05-19 00:06:34.000000000 -0400
77840 +++ linux-2.6.39.3/net/mac80211/cfg.h 2011-05-22 19:36:34.000000000 -0400
77841 @@ -4,6 +4,6 @@
77842 #ifndef __CFG_H
77843 #define __CFG_H
77844
77845 -extern struct cfg80211_ops mac80211_config_ops;
77846 +extern const struct cfg80211_ops mac80211_config_ops;
77847
77848 #endif /* __CFG_H */
77849 diff -urNp linux-2.6.39.3/net/mac80211/debugfs_sta.c linux-2.6.39.3/net/mac80211/debugfs_sta.c
77850 --- linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-19 00:06:34.000000000 -0400
77851 +++ linux-2.6.39.3/net/mac80211/debugfs_sta.c 2011-05-22 19:36:34.000000000 -0400
77852 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
77853 struct tid_ampdu_rx *tid_rx;
77854 struct tid_ampdu_tx *tid_tx;
77855
77856 + pax_track_stack();
77857 +
77858 rcu_read_lock();
77859
77860 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
77861 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
77862 struct sta_info *sta = file->private_data;
77863 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
77864
77865 + pax_track_stack();
77866 +
77867 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
77868 htc->ht_supported ? "" : "not ");
77869 if (htc->ht_supported) {
77870 diff -urNp linux-2.6.39.3/net/mac80211/ieee80211_i.h linux-2.6.39.3/net/mac80211/ieee80211_i.h
77871 --- linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-19 00:06:34.000000000 -0400
77872 +++ linux-2.6.39.3/net/mac80211/ieee80211_i.h 2011-05-22 19:36:34.000000000 -0400
77873 @@ -27,6 +27,7 @@
77874 #include <net/ieee80211_radiotap.h>
77875 #include <net/cfg80211.h>
77876 #include <net/mac80211.h>
77877 +#include <asm/local.h>
77878 #include "key.h"
77879 #include "sta_info.h"
77880
77881 @@ -714,7 +715,7 @@ struct ieee80211_local {
77882 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
77883 spinlock_t queue_stop_reason_lock;
77884
77885 - int open_count;
77886 + local_t open_count;
77887 int monitors, cooked_mntrs;
77888 /* number of interfaces with corresponding FIF_ flags */
77889 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
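Review bot: `local_t open_count;` carries no comment on what serialises it, and local_t operations are only guaranteed atomic with respect to the CPU that executes them, so the type change by itself does not make the counter safe against concurrent updates. ieee80211_init_rate_ctrl_alg reads it right after `ASSERT_RTNL();`, which suggests RTNL is the lock, but ieee80211_do_open and ieee80211_do_stop start outside their hunks, so that is unconfirmed. A field comment such as `/* interfaces currently up; writers serialised by RTNL (confirm) */` would record the rule.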
77890 diff -urNp linux-2.6.39.3/net/mac80211/iface.c linux-2.6.39.3/net/mac80211/iface.c
77891 --- linux-2.6.39.3/net/mac80211/iface.c 2011-05-19 00:06:34.000000000 -0400
77892 +++ linux-2.6.39.3/net/mac80211/iface.c 2011-05-22 19:36:34.000000000 -0400
77893 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
77894 break;
77895 }
77896
77897 - if (local->open_count == 0) {
77898 + if (local_read(&local->open_count) == 0) {
77899 res = drv_start(local);
77900 if (res)
77901 goto err_del_bss;
77902 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
77903 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
77904
77905 if (!is_valid_ether_addr(dev->dev_addr)) {
77906 - if (!local->open_count)
77907 + if (!local_read(&local->open_count))
77908 drv_stop(local);
77909 return -EADDRNOTAVAIL;
77910 }
77911 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
77912 mutex_unlock(&local->mtx);
77913
77914 if (coming_up)
77915 - local->open_count++;
77916 + local_inc(&local->open_count);
77917
77918 if (hw_reconf_flags) {
77919 ieee80211_hw_config(local, hw_reconf_flags);
77920 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
77921 err_del_interface:
77922 drv_remove_interface(local, &sdata->vif);
77923 err_stop:
77924 - if (!local->open_count)
77925 + if (!local_read(&local->open_count))
77926 drv_stop(local);
77927 err_del_bss:
77928 sdata->bss = NULL;
77929 @@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
77930 }
77931
77932 if (going_down)
77933 - local->open_count--;
77934 + local_dec(&local->open_count);
77935
77936 switch (sdata->vif.type) {
77937 case NL80211_IFTYPE_AP_VLAN:
77938 @@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
77939
77940 ieee80211_recalc_ps(local, -1);
77941
77942 - if (local->open_count == 0) {
77943 + if (local_read(&local->open_count) == 0) {
77944 if (local->ops->napi_poll)
77945 napi_disable(&local->napi);
77946 ieee80211_clear_tx_pending(local);
77947 diff -urNp linux-2.6.39.3/net/mac80211/main.c linux-2.6.39.3/net/mac80211/main.c
77948 --- linux-2.6.39.3/net/mac80211/main.c 2011-05-19 00:06:34.000000000 -0400
77949 +++ linux-2.6.39.3/net/mac80211/main.c 2011-05-22 19:36:34.000000000 -0400
77950 @@ -215,7 +215,7 @@ int ieee80211_hw_config(struct ieee80211
77951 local->hw.conf.power_level = power;
77952 }
77953
77954 - if (changed && local->open_count) {
77955 + if (changed && local_read(&local->open_count)) {
77956 ret = drv_config(local, changed);
77957 /*
77958 * Goal:
77959 diff -urNp linux-2.6.39.3/net/mac80211/mlme.c linux-2.6.39.3/net/mac80211/mlme.c
77960 --- linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:04:14.000000000 -0400
77961 +++ linux-2.6.39.3/net/mac80211/mlme.c 2011-06-03 00:32:08.000000000 -0400
77962 @@ -1431,6 +1431,8 @@ static bool ieee80211_assoc_success(stru
77963 bool have_higher_than_11mbit = false;
77964 u16 ap_ht_cap_flags;
77965
77966 + pax_track_stack();
77967 +
77968 /* AssocResp and ReassocResp have identical structure */
77969
77970 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
77971 diff -urNp linux-2.6.39.3/net/mac80211/pm.c linux-2.6.39.3/net/mac80211/pm.c
77972 --- linux-2.6.39.3/net/mac80211/pm.c 2011-05-19 00:06:34.000000000 -0400
77973 +++ linux-2.6.39.3/net/mac80211/pm.c 2011-05-22 19:36:34.000000000 -0400
77974 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
77975 }
77976
77977 /* stop hardware - this must stop RX */
77978 - if (local->open_count)
77979 + if (local_read(&local->open_count))
77980 ieee80211_stop_device(local);
77981
77982 local->suspended = true;
77983 diff -urNp linux-2.6.39.3/net/mac80211/rate.c linux-2.6.39.3/net/mac80211/rate.c
77984 --- linux-2.6.39.3/net/mac80211/rate.c 2011-05-19 00:06:34.000000000 -0400
77985 +++ linux-2.6.39.3/net/mac80211/rate.c 2011-05-22 19:36:34.000000000 -0400
77986 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
77987
77988 ASSERT_RTNL();
77989
77990 - if (local->open_count)
77991 + if (local_read(&local->open_count))
77992 return -EBUSY;
77993
77994 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
77995 diff -urNp linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c
77996 --- linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-19 00:06:34.000000000 -0400
77997 +++ linux-2.6.39.3/net/mac80211/rc80211_pid_debugfs.c 2011-05-22 19:36:34.000000000 -0400
77998 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
77999
78000 spin_unlock_irqrestore(&events->lock, status);
78001
78002 - if (copy_to_user(buf, pb, p))
78003 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
78004 return -EFAULT;
78005
78006 return p;
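Review bot: The added `p > sizeof(pb)` test runs only after `pb` has been filled, so it keeps copy_to_user() from reading past the buffer but cannot undo an overrun that happened while formatting. The code that writes `pb` is outside this hunk, so whether `p` can actually exceed the buffer is not checkable here. If the bound is meant as a defensive limit on the copy-out, say so with `/* defensive: never copy out more than pb holds */`. Returning -EFAULT for what would be an internal length error also hides the cause from the caller; a WARN_ON_ONCE on that branch would make it visible.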
78007 diff -urNp linux-2.6.39.3/net/mac80211/util.c linux-2.6.39.3/net/mac80211/util.c
78008 --- linux-2.6.39.3/net/mac80211/util.c 2011-05-19 00:06:34.000000000 -0400
78009 +++ linux-2.6.39.3/net/mac80211/util.c 2011-05-22 19:36:34.000000000 -0400
78010 @@ -1129,7 +1129,7 @@ int ieee80211_reconfig(struct ieee80211_
78011 local->resuming = true;
78012
78013 /* restart hardware */
78014 - if (local->open_count) {
78015 + if (local_read(&local->open_count)) {
78016 /*
78017 * Upon resume hardware can sometimes be goofy due to
78018 * various platform / driver / bus issues, so restarting
78019 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c
78020 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:18:51.000000000 -0400
78021 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_conn.c 2011-07-09 09:19:27.000000000 -0400
78022 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
78023 /* Increase the refcnt counter of the dest */
78024 atomic_inc(&dest->refcnt);
78025
78026 - conn_flags = atomic_read(&dest->conn_flags);
78027 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
78028 if (cp->protocol != IPPROTO_UDP)
78029 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
78030 /* Bind with the destination and its corresponding transmitter */
78031 @@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
78032 atomic_set(&cp->refcnt, 1);
78033
78034 atomic_set(&cp->n_control, 0);
78035 - atomic_set(&cp->in_pkts, 0);
78036 + atomic_set_unchecked(&cp->in_pkts, 0);
78037
78038 atomic_inc(&ipvs->conn_count);
78039 if (flags & IP_VS_CONN_F_NO_CPORT)
78040 @@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
78041
78042 /* Don't drop the entry if its number of incoming packets is not
78043 located in [0, 8] */
78044 - i = atomic_read(&cp->in_pkts);
78045 + i = atomic_read_unchecked(&cp->in_pkts);
78046 if (i > 8 || i < 0) return 0;
78047
78048 if (!todrop_rate[i]) return 0;
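Review bot: With `in_pkts` now read through `atomic_read_unchecked`, wrap-around of the counter is accepted behaviour, and the range test `if (i > 8 || i < 0) return 0;` on the next line is the only thing keeping `todrop_rate[i]` in bounds. That dependency deserves a comment, for example `/* in_pkts may wrap (unchecked counter); the bound below protects todrop_rate[] */`. The size of todrop_rate is not visible in this hunk, so the upper bound of 8 is taken on trust from the existing comment.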
78049 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c
78050 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:18:51.000000000 -0400
78051 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_core.c 2011-07-09 09:19:27.000000000 -0400
78052 @@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
78053 ret = cp->packet_xmit(skb, cp, pd->pp);
78054 /* do not touch skb anymore */
78055
78056 - atomic_inc(&cp->in_pkts);
78057 + atomic_inc_unchecked(&cp->in_pkts);
78058 ip_vs_conn_put(cp);
78059 return ret;
78060 }
78061 @@ -1633,7 +1633,7 @@ ip_vs_in(unsigned int hooknum, struct sk
78062 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
78063 pkts = sysctl_sync_threshold(ipvs);
78064 else
78065 - pkts = atomic_add_return(1, &cp->in_pkts);
78066 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78067
78068 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
78069 cp->protocol == IPPROTO_SCTP) {
78070 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c
78071 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-19 00:06:34.000000000 -0400
78072 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-22 19:36:34.000000000 -0400
78073 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
78074 ip_vs_rs_hash(ipvs, dest);
78075 write_unlock_bh(&ipvs->rs_lock);
78076 }
78077 - atomic_set(&dest->conn_flags, conn_flags);
78078 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
78079
78080 /* bind the service */
78081 if (!dest->svc) {
78082 @@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
78083 " %-7s %-6d %-10d %-10d\n",
78084 &dest->addr.in6,
78085 ntohs(dest->port),
78086 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78087 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78088 atomic_read(&dest->weight),
78089 atomic_read(&dest->activeconns),
78090 atomic_read(&dest->inactconns));
78091 @@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
78092 "%-7s %-6d %-10d %-10d\n",
78093 ntohl(dest->addr.ip),
78094 ntohs(dest->port),
78095 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
78096 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
78097 atomic_read(&dest->weight),
78098 atomic_read(&dest->activeconns),
78099 atomic_read(&dest->inactconns));
78100 @@ -2287,6 +2287,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
78101 struct ip_vs_dest_user *udest_compat;
78102 struct ip_vs_dest_user_kern udest;
78103
78104 + pax_track_stack();
78105 +
78106 if (!capable(CAP_NET_ADMIN))
78107 return -EPERM;
78108
78109 @@ -2501,7 +2503,7 @@ __ip_vs_get_dest_entries(struct net *net
78110
78111 entry.addr = dest->addr.ip;
78112 entry.port = dest->port;
78113 - entry.conn_flags = atomic_read(&dest->conn_flags);
78114 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
78115 entry.weight = atomic_read(&dest->weight);
78116 entry.u_threshold = dest->u_threshold;
78117 entry.l_threshold = dest->l_threshold;
78118 @@ -3029,7 +3031,7 @@ static int ip_vs_genl_fill_dest(struct s
78119 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
78120
78121 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
78122 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78123 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
78124 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
78125 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
78126 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
78127 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c
78128 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-19 00:06:34.000000000 -0400
78129 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_sync.c 2011-05-22 19:36:34.000000000 -0400
78130 @@ -648,7 +648,7 @@ control:
78131 * i.e only increment in_pkts for Templates.
78132 */
78133 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
78134 - int pkts = atomic_add_return(1, &cp->in_pkts);
78135 + int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
78136
78137 if (pkts % sysctl_sync_period(ipvs) != 1)
78138 return;
78139 @@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
78140
78141 if (opt)
78142 memcpy(&cp->in_seq, opt, sizeof(*opt));
78143 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78144 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
78145 cp->state = state;
78146 cp->old_state = cp->state;
78147 /*
78148 diff -urNp linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c
78149 --- linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-19 00:06:34.000000000 -0400
78150 +++ linux-2.6.39.3/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-22 19:36:34.000000000 -0400
78151 @@ -1127,7 +1127,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
78152 else
78153 rc = NF_ACCEPT;
78154 /* do not touch skb anymore */
78155 - atomic_inc(&cp->in_pkts);
78156 + atomic_inc_unchecked(&cp->in_pkts);
78157 goto out;
78158 }
78159
78160 @@ -1245,7 +1245,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
78161 else
78162 rc = NF_ACCEPT;
78163 /* do not touch skb anymore */
78164 - atomic_inc(&cp->in_pkts);
78165 + atomic_inc_unchecked(&cp->in_pkts);
78166 goto out;
78167 }
78168
78169 diff -urNp linux-2.6.39.3/net/netfilter/Kconfig linux-2.6.39.3/net/netfilter/Kconfig
78170 --- linux-2.6.39.3/net/netfilter/Kconfig 2011-05-19 00:06:34.000000000 -0400
78171 +++ linux-2.6.39.3/net/netfilter/Kconfig 2011-05-22 19:41:42.000000000 -0400
78172 @@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
78173
78174 To compile it as a module, choose M here. If unsure, say N.
78175
78176 +config NETFILTER_XT_MATCH_GRADM
78177 + tristate '"gradm" match support'
78178 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
78179 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
78180 + ---help---
78181 + The gradm match allows to match on grsecurity RBAC being enabled.
78182 + It is useful when iptables rules are applied early on bootup to
78183 + prevent connections to the machine (except from a trusted host)
78184 + while the RBAC system is disabled.
78185 +
78186 config NETFILTER_XT_MATCH_HASHLIMIT
78187 tristate '"hashlimit" match support'
78188 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
78189 diff -urNp linux-2.6.39.3/net/netfilter/Makefile linux-2.6.39.3/net/netfilter/Makefile
78190 --- linux-2.6.39.3/net/netfilter/Makefile 2011-05-19 00:06:34.000000000 -0400
78191 +++ linux-2.6.39.3/net/netfilter/Makefile 2011-05-22 20:40:16.000000000 -0400
78192 @@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
78193 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
78194 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
78195 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
78196 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
78197 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
78198 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
78199 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
78200 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_log.c linux-2.6.39.3/net/netfilter/nfnetlink_log.c
78201 --- linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-19 00:06:34.000000000 -0400
78202 +++ linux-2.6.39.3/net/netfilter/nfnetlink_log.c 2011-05-22 19:36:35.000000000 -0400
78203 @@ -70,7 +70,7 @@ struct nfulnl_instance {
78204 };
78205
78206 static DEFINE_SPINLOCK(instances_lock);
78207 -static atomic_t global_seq;
78208 +static atomic_unchecked_t global_seq;
78209
78210 #define INSTANCE_BUCKETS 16
78211 static struct hlist_head instance_table[INSTANCE_BUCKETS];
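Review bot: `global_seq` becomes `atomic_unchecked_t` with no comment saying why it is exempt from the overflow checking that, judging by the naming, plain `atomic_t` receives elsewhere in this patch set. A line above the declaration such as `/* log sequence number: wraps by design, never used as a reference count */` would let a later reader confirm the exemption is deliberate. The same applies to the other conversions in this part of the patch: `id_sequence` in nfnetlink_queue.c, `count` in xt_statistic.c, the `sk_drops` users, `rds_cong_generation` and `i_ack_next` in net/rds, and `serial`, `hi_serial`, `sequence` and `rxrpc_debug_id` in net/rxrpc. An unchecked type applied by mistake to a real reference count would silently drop the protection, so the reason is worth recording at each declaration.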
78212 @@ -506,7 +506,7 @@ __build_packet_message(struct nfulnl_ins
78213 /* global sequence number */
78214 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
78215 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
78216 - htonl(atomic_inc_return(&global_seq)));
78217 + htonl(atomic_inc_return_unchecked(&global_seq)));
78218
78219 if (data_len) {
78220 struct nlattr *nla;
78221 diff -urNp linux-2.6.39.3/net/netfilter/nfnetlink_queue.c linux-2.6.39.3/net/netfilter/nfnetlink_queue.c
78222 --- linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-19 00:06:34.000000000 -0400
78223 +++ linux-2.6.39.3/net/netfilter/nfnetlink_queue.c 2011-05-22 19:36:35.000000000 -0400
78224 @@ -58,7 +58,7 @@ struct nfqnl_instance {
78225 */
78226 spinlock_t lock;
78227 unsigned int queue_total;
78228 - atomic_t id_sequence; /* 'sequence' of pkt ids */
78229 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
78230 struct list_head queue_list; /* packets in queue */
78231 };
78232
78233 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
78234 nfmsg->version = NFNETLINK_V0;
78235 nfmsg->res_id = htons(queue->queue_num);
78236
78237 - entry->id = atomic_inc_return(&queue->id_sequence);
78238 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
78239 pmsg.packet_id = htonl(entry->id);
78240 pmsg.hw_protocol = entskb->protocol;
78241 pmsg.hook = entry->hook;
78242 @@ -869,7 +869,7 @@ static int seq_show(struct seq_file *s,
78243 inst->peer_pid, inst->queue_total,
78244 inst->copy_mode, inst->copy_range,
78245 inst->queue_dropped, inst->queue_user_dropped,
78246 - atomic_read(&inst->id_sequence), 1);
78247 + atomic_read_unchecked(&inst->id_sequence), 1);
78248 }
78249
78250 static const struct seq_operations nfqnl_seq_ops = {
78251 diff -urNp linux-2.6.39.3/net/netfilter/xt_gradm.c linux-2.6.39.3/net/netfilter/xt_gradm.c
78252 --- linux-2.6.39.3/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
78253 +++ linux-2.6.39.3/net/netfilter/xt_gradm.c 2011-05-22 19:41:42.000000000 -0400
78254 @@ -0,0 +1,51 @@
78255 +/*
78256 + * gradm match for netfilter
78257 + * Copyright © Zbigniew Krzystolik, 2010
78258 + *
78259 + * This program is free software; you can redistribute it and/or modify
78260 + * it under the terms of the GNU General Public License; either version
78261 + * 2 or 3 as published by the Free Software Foundation.
78262 + */
78263 +#include <linux/module.h>
78264 +#include <linux/moduleparam.h>
78265 +#include <linux/skbuff.h>
78266 +#include <linux/netfilter/x_tables.h>
78267 +#include <linux/grsecurity.h>
78268 +#include <linux/netfilter/xt_gradm.h>
78269 +
78270 +static bool
78271 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
78272 +{
78273 + const struct xt_gradm_mtinfo *info = par->matchinfo;
78274 + bool retval = false;
78275 + if (gr_acl_is_enabled())
78276 + retval = true;
78277 + return retval ^ info->invflags;
78278 +}
78279 +
78280 +static struct xt_match gradm_mt_reg __read_mostly = {
78281 + .name = "gradm",
78282 + .revision = 0,
78283 + .family = NFPROTO_UNSPEC,
78284 + .match = gradm_mt,
78285 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
78286 + .me = THIS_MODULE,
78287 +};
78288 +
78289 +static int __init gradm_mt_init(void)
78290 +{
78291 + return xt_register_match(&gradm_mt_reg);
78292 +}
78293 +
78294 +static void __exit gradm_mt_exit(void)
78295 +{
78296 + xt_unregister_match(&gradm_mt_reg);
78297 +}
78298 +
78299 +module_init(gradm_mt_init);
78300 +module_exit(gradm_mt_exit);
78301 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
78302 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
78303 +MODULE_LICENSE("GPL");
78304 +MODULE_ALIAS("ipt_gradm");
78305 +MODULE_ALIAS("ip6t_gradm");
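Review bot: `gradm_mt()` returns `retval ^ info->invflags` and `gradm_mt_reg` has no `.checkentry`, so nothing restricts `invflags` to 0 or 1. If `invflags` is a multi-bit integer (its definition is in xt_gradm.h, outside this hunk), any value with a bit other than bit 0 set makes the XOR non-zero, and the match fires whether or not RBAC is enabled. For a rule meant to block connections while RBAC is off, that failure is silent. Normalising the flag closes the gap: `return retval ^ !!info->invflags;`. Alternatively, a `.checkentry` callback could reject unknown bits with `-EINVAL`.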
78306 diff -urNp linux-2.6.39.3/net/netfilter/xt_statistic.c linux-2.6.39.3/net/netfilter/xt_statistic.c
78307 --- linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-19 00:06:34.000000000 -0400
78308 +++ linux-2.6.39.3/net/netfilter/xt_statistic.c 2011-05-22 19:36:35.000000000 -0400
78309 @@ -18,7 +18,7 @@
78310 #include <linux/netfilter/x_tables.h>
78311
78312 struct xt_statistic_priv {
78313 - atomic_t count;
78314 + atomic_unchecked_t count;
78315 } ____cacheline_aligned_in_smp;
78316
78317 MODULE_LICENSE("GPL");
78318 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
78319 break;
78320 case XT_STATISTIC_MODE_NTH:
78321 do {
78322 - oval = atomic_read(&info->master->count);
78323 + oval = atomic_read_unchecked(&info->master->count);
78324 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
78325 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
78326 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
78327 if (nval == 0)
78328 ret = !ret;
78329 break;
78330 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
78331 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
78332 if (info->master == NULL)
78333 return -ENOMEM;
78334 - atomic_set(&info->master->count, info->u.nth.count);
78335 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
78336
78337 return 0;
78338 }
78339 diff -urNp linux-2.6.39.3/net/netlink/af_netlink.c linux-2.6.39.3/net/netlink/af_netlink.c
78340 --- linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-19 00:06:34.000000000 -0400
78341 +++ linux-2.6.39.3/net/netlink/af_netlink.c 2011-05-22 19:41:42.000000000 -0400
78342 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
78343 sk->sk_error_report(sk);
78344 }
78345 }
78346 - atomic_inc(&sk->sk_drops);
78347 + atomic_inc_unchecked(&sk->sk_drops);
78348 }
78349
78350 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
78351 @@ -1992,15 +1992,23 @@ static int netlink_seq_show(struct seq_f
78352 struct netlink_sock *nlk = nlk_sk(s);
78353
78354 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
78355 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78356 + NULL,
78357 +#else
78358 s,
78359 +#endif
78360 s->sk_protocol,
78361 nlk->pid,
78362 nlk->groups ? (u32)nlk->groups[0] : 0,
78363 sk_rmem_alloc_get(s),
78364 sk_wmem_alloc_get(s),
78365 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78366 + NULL,
78367 +#else
78368 nlk->cb,
78369 +#endif
78370 atomic_read(&s->sk_refcnt),
78371 - atomic_read(&s->sk_drops),
78372 + atomic_read_unchecked(&s->sk_drops),
78373 sock_i_ino(s)
78374 );
78375
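Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` blocks sit inside the `seq_printf()` argument list in `netlink_seq_show()`, which makes the call hard to read and easy to break when an argument is added or reordered. The same construct is repeated in `packet_seq_show()`, `pn_sock_seq_show()`, `sctp_eps_seq_show()` and `sctp_assocs_seq_show()`. This kernel already has the `%pK` specifier, so the format could become `"%pK %-3d %-6d %08x %-8d %-8d %pK %-8d %-8d %-8lu\n"` with `s` and `nlk->cb` passed unconditionally. `%pK` follows the `kptr_restrict` sysctl at run time, so if HIDESYM must hide the addresses unconditionally, a single helper macro that expands to `NULL` under HIDESYM and to its argument otherwise would keep the preprocessor out of every call site.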
78376 diff -urNp linux-2.6.39.3/net/netrom/af_netrom.c linux-2.6.39.3/net/netrom/af_netrom.c
78377 --- linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-19 00:06:34.000000000 -0400
78378 +++ linux-2.6.39.3/net/netrom/af_netrom.c 2011-05-22 19:41:42.000000000 -0400
78379 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
78380 struct sock *sk = sock->sk;
78381 struct nr_sock *nr = nr_sk(sk);
78382
78383 + memset(sax, 0, sizeof(*sax));
78384 lock_sock(sk);
78385 if (peer != 0) {
78386 if (sk->sk_state != TCP_ESTABLISHED) {
78387 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
78388 *uaddr_len = sizeof(struct full_sockaddr_ax25);
78389 } else {
78390 sax->fsa_ax25.sax25_family = AF_NETROM;
78391 - sax->fsa_ax25.sax25_ndigis = 0;
78392 sax->fsa_ax25.sax25_call = nr->source_addr;
78393 *uaddr_len = sizeof(struct sockaddr_ax25);
78394 }
78395 diff -urNp linux-2.6.39.3/net/packet/af_packet.c linux-2.6.39.3/net/packet/af_packet.c
78396 --- linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:18:51.000000000 -0400
78397 +++ linux-2.6.39.3/net/packet/af_packet.c 2011-07-09 09:19:27.000000000 -0400
78398 @@ -647,14 +647,14 @@ static int packet_rcv(struct sk_buff *sk
78399
78400 spin_lock(&sk->sk_receive_queue.lock);
78401 po->stats.tp_packets++;
78402 - skb->dropcount = atomic_read(&sk->sk_drops);
78403 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
78404 __skb_queue_tail(&sk->sk_receive_queue, skb);
78405 spin_unlock(&sk->sk_receive_queue.lock);
78406 sk->sk_data_ready(sk, skb->len);
78407 return 0;
78408
78409 drop_n_acct:
78410 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
78411 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
78412
78413 drop_n_restore:
78414 if (skb_head != skb->data && skb_shared(skb)) {
78415 @@ -2159,7 +2159,7 @@ static int packet_getsockopt(struct sock
78416 case PACKET_HDRLEN:
78417 if (len > sizeof(int))
78418 len = sizeof(int);
78419 - if (copy_from_user(&val, optval, len))
78420 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
78421 return -EFAULT;
78422 switch (val) {
78423 case TPACKET_V1:
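Review bot: The added `len > sizeof(val)` test in the `PACKET_HDRLEN` case bounds `len` only from above, and the two lines before it already clamp `len` to `sizeof(int)`, so assuming `val` is an `int` the new condition cannot fire. The case that is still open is a `len` smaller than `sizeof(val)`: `copy_from_user()` then fills only part of `val`, and `switch (val)` reads the remaining bytes as they were, which is stack residue unless `val` is initialised earlier in the function (outside this hunk). Rejecting a short length before the copy covers both directions: `if (len != sizeof(val)) return -EINVAL;`. `packet_getsockopt()` starts and ends outside the hunk.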
78424 @@ -2197,7 +2197,7 @@ static int packet_getsockopt(struct sock
78425
78426 if (put_user(len, optlen))
78427 return -EFAULT;
78428 - if (copy_to_user(optval, data, len))
78429 + if (len > sizeof(st) || copy_to_user(optval, data, len))
78430 return -EFAULT;
78431 return 0;
78432 }
78433 @@ -2709,7 +2709,11 @@ static int packet_seq_show(struct seq_fi
78434
78435 seq_printf(seq,
78436 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
78437 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78438 + NULL,
78439 +#else
78440 s,
78441 +#endif
78442 atomic_read(&s->sk_refcnt),
78443 s->sk_type,
78444 ntohs(po->num),
78445 diff -urNp linux-2.6.39.3/net/phonet/af_phonet.c linux-2.6.39.3/net/phonet/af_phonet.c
78446 --- linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-19 00:06:34.000000000 -0400
78447 +++ linux-2.6.39.3/net/phonet/af_phonet.c 2011-05-22 19:41:42.000000000 -0400
78448 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
78449 {
78450 struct phonet_protocol *pp;
78451
78452 - if (protocol >= PHONET_NPROTO)
78453 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78454 return NULL;
78455
78456 rcu_read_lock();
78457 @@ -149,7 +149,7 @@ static int pn_header_parse(const struct
78458 return 1;
78459 }
78460
78461 -struct header_ops phonet_header_ops = {
78462 +const struct header_ops phonet_header_ops = {
78463 .create = pn_header_create,
78464 .parse = pn_header_parse,
78465 };
78466 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_regist
78467 {
78468 int err = 0;
78469
78470 - if (protocol >= PHONET_NPROTO)
78471 + if (protocol < 0 || protocol >= PHONET_NPROTO)
78472 return -EINVAL;
78473
78474 err = proto_register(pp->prot, 1);
78475 diff -urNp linux-2.6.39.3/net/phonet/pep.c linux-2.6.39.3/net/phonet/pep.c
78476 --- linux-2.6.39.3/net/phonet/pep.c 2011-05-19 00:06:34.000000000 -0400
78477 +++ linux-2.6.39.3/net/phonet/pep.c 2011-05-22 19:36:35.000000000 -0400
78478 @@ -387,7 +387,7 @@ static int pipe_do_rcv(struct sock *sk,
78479
78480 case PNS_PEP_CTRL_REQ:
78481 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
78482 - atomic_inc(&sk->sk_drops);
78483 + atomic_inc_unchecked(&sk->sk_drops);
78484 break;
78485 }
78486 __skb_pull(skb, 4);
78487 @@ -408,7 +408,7 @@ static int pipe_do_rcv(struct sock *sk,
78488 }
78489
78490 if (pn->rx_credits == 0) {
78491 - atomic_inc(&sk->sk_drops);
78492 + atomic_inc_unchecked(&sk->sk_drops);
78493 err = -ENOBUFS;
78494 break;
78495 }
78496 @@ -556,7 +556,7 @@ static int pipe_handler_do_rcv(struct so
78497 }
78498
78499 if (pn->rx_credits == 0) {
78500 - atomic_inc(&sk->sk_drops);
78501 + atomic_inc_unchecked(&sk->sk_drops);
78502 err = NET_RX_DROP;
78503 break;
78504 }
78505 diff -urNp linux-2.6.39.3/net/phonet/socket.c linux-2.6.39.3/net/phonet/socket.c
78506 --- linux-2.6.39.3/net/phonet/socket.c 2011-05-19 00:06:34.000000000 -0400
78507 +++ linux-2.6.39.3/net/phonet/socket.c 2011-05-22 20:39:26.000000000 -0400
78508 @@ -613,8 +613,13 @@ static int pn_sock_seq_show(struct seq_f
78509 pn->resource, sk->sk_state,
78510 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
78511 sock_i_uid(sk), sock_i_ino(sk),
78512 - atomic_read(&sk->sk_refcnt), sk,
78513 - atomic_read(&sk->sk_drops), &len);
78514 + atomic_read(&sk->sk_refcnt),
78515 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78516 + NULL,
78517 +#else
78518 + sk,
78519 +#endif
78520 + atomic_read_unchecked(&sk->sk_drops), &len);
78521 }
78522 seq_printf(seq, "%*s\n", 127 - len, "");
78523 return 0;
78524 diff -urNp linux-2.6.39.3/net/rds/cong.c linux-2.6.39.3/net/rds/cong.c
78525 --- linux-2.6.39.3/net/rds/cong.c 2011-05-19 00:06:34.000000000 -0400
78526 +++ linux-2.6.39.3/net/rds/cong.c 2011-05-22 19:36:35.000000000 -0400
78527 @@ -77,7 +77,7 @@
78528 * finds that the saved generation number is smaller than the global generation
78529 * number, it wakes up the process.
78530 */
78531 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
78532 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
78533
78534 /*
78535 * Congestion monitoring
78536 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
78537 rdsdebug("waking map %p for %pI4\n",
78538 map, &map->m_addr);
78539 rds_stats_inc(s_cong_update_received);
78540 - atomic_inc(&rds_cong_generation);
78541 + atomic_inc_unchecked(&rds_cong_generation);
78542 if (waitqueue_active(&map->m_waitq))
78543 wake_up(&map->m_waitq);
78544 if (waitqueue_active(&rds_poll_waitq))
78545 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
78546
78547 int rds_cong_updated_since(unsigned long *recent)
78548 {
78549 - unsigned long gen = atomic_read(&rds_cong_generation);
78550 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
78551
78552 if (likely(*recent == gen))
78553 return 0;
78554 diff -urNp linux-2.6.39.3/net/rds/ib_cm.c linux-2.6.39.3/net/rds/ib_cm.c
78555 --- linux-2.6.39.3/net/rds/ib_cm.c 2011-05-19 00:06:34.000000000 -0400
78556 +++ linux-2.6.39.3/net/rds/ib_cm.c 2011-05-22 19:36:35.000000000 -0400
78557 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
78558 /* Clear the ACK state */
78559 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78560 #ifdef KERNEL_HAS_ATOMIC64
78561 - atomic64_set(&ic->i_ack_next, 0);
78562 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78563 #else
78564 ic->i_ack_next = 0;
78565 #endif
78566 diff -urNp linux-2.6.39.3/net/rds/ib.h linux-2.6.39.3/net/rds/ib.h
78567 --- linux-2.6.39.3/net/rds/ib.h 2011-05-19 00:06:34.000000000 -0400
78568 +++ linux-2.6.39.3/net/rds/ib.h 2011-05-22 19:36:35.000000000 -0400
78569 @@ -127,7 +127,7 @@ struct rds_ib_connection {
78570 /* sending acks */
78571 unsigned long i_ack_flags;
78572 #ifdef KERNEL_HAS_ATOMIC64
78573 - atomic64_t i_ack_next; /* next ACK to send */
78574 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78575 #else
78576 spinlock_t i_ack_lock; /* protect i_ack_next */
78577 u64 i_ack_next; /* next ACK to send */
78578 diff -urNp linux-2.6.39.3/net/rds/ib_recv.c linux-2.6.39.3/net/rds/ib_recv.c
78579 --- linux-2.6.39.3/net/rds/ib_recv.c 2011-05-19 00:06:34.000000000 -0400
78580 +++ linux-2.6.39.3/net/rds/ib_recv.c 2011-05-22 19:36:35.000000000 -0400
78581 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78582 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
78583 int ack_required)
78584 {
78585 - atomic64_set(&ic->i_ack_next, seq);
78586 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78587 if (ack_required) {
78588 smp_mb__before_clear_bit();
78589 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78590 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
78591 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78592 smp_mb__after_clear_bit();
78593
78594 - return atomic64_read(&ic->i_ack_next);
78595 + return atomic64_read_unchecked(&ic->i_ack_next);
78596 }
78597 #endif
78598
78599 diff -urNp linux-2.6.39.3/net/rds/iw_cm.c linux-2.6.39.3/net/rds/iw_cm.c
78600 --- linux-2.6.39.3/net/rds/iw_cm.c 2011-05-19 00:06:34.000000000 -0400
78601 +++ linux-2.6.39.3/net/rds/iw_cm.c 2011-05-22 19:36:35.000000000 -0400
78602 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
78603 /* Clear the ACK state */
78604 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
78605 #ifdef KERNEL_HAS_ATOMIC64
78606 - atomic64_set(&ic->i_ack_next, 0);
78607 + atomic64_set_unchecked(&ic->i_ack_next, 0);
78608 #else
78609 ic->i_ack_next = 0;
78610 #endif
78611 diff -urNp linux-2.6.39.3/net/rds/iw.h linux-2.6.39.3/net/rds/iw.h
78612 --- linux-2.6.39.3/net/rds/iw.h 2011-05-19 00:06:34.000000000 -0400
78613 +++ linux-2.6.39.3/net/rds/iw.h 2011-05-22 19:36:35.000000000 -0400
78614 @@ -133,7 +133,7 @@ struct rds_iw_connection {
78615 /* sending acks */
78616 unsigned long i_ack_flags;
78617 #ifdef KERNEL_HAS_ATOMIC64
78618 - atomic64_t i_ack_next; /* next ACK to send */
78619 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
78620 #else
78621 spinlock_t i_ack_lock; /* protect i_ack_next */
78622 u64 i_ack_next; /* next ACK to send */
78623 diff -urNp linux-2.6.39.3/net/rds/iw_rdma.c linux-2.6.39.3/net/rds/iw_rdma.c
78624 --- linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-19 00:06:34.000000000 -0400
78625 +++ linux-2.6.39.3/net/rds/iw_rdma.c 2011-05-22 19:36:35.000000000 -0400
78626 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
78627 struct rdma_cm_id *pcm_id;
78628 int rc;
78629
78630 + pax_track_stack();
78631 +
78632 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
78633 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
78634
78635 diff -urNp linux-2.6.39.3/net/rds/iw_recv.c linux-2.6.39.3/net/rds/iw_recv.c
78636 --- linux-2.6.39.3/net/rds/iw_recv.c 2011-05-19 00:06:34.000000000 -0400
78637 +++ linux-2.6.39.3/net/rds/iw_recv.c 2011-05-22 19:36:35.000000000 -0400
78638 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78639 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
78640 int ack_required)
78641 {
78642 - atomic64_set(&ic->i_ack_next, seq);
78643 + atomic64_set_unchecked(&ic->i_ack_next, seq);
78644 if (ack_required) {
78645 smp_mb__before_clear_bit();
78646 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78647 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
78648 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
78649 smp_mb__after_clear_bit();
78650
78651 - return atomic64_read(&ic->i_ack_next);
78652 + return atomic64_read_unchecked(&ic->i_ack_next);
78653 }
78654 #endif
78655
78656 diff -urNp linux-2.6.39.3/net/rxrpc/af_rxrpc.c linux-2.6.39.3/net/rxrpc/af_rxrpc.c
78657 --- linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-19 00:06:34.000000000 -0400
78658 +++ linux-2.6.39.3/net/rxrpc/af_rxrpc.c 2011-05-22 19:36:35.000000000 -0400
78659 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
78660 __be32 rxrpc_epoch;
78661
78662 /* current debugging ID */
78663 -atomic_t rxrpc_debug_id;
78664 +atomic_unchecked_t rxrpc_debug_id;
78665
78666 /* count of skbs currently in use */
78667 atomic_t rxrpc_n_skbs;
78668 diff -urNp linux-2.6.39.3/net/rxrpc/ar-ack.c linux-2.6.39.3/net/rxrpc/ar-ack.c
78669 --- linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-19 00:06:34.000000000 -0400
78670 +++ linux-2.6.39.3/net/rxrpc/ar-ack.c 2011-05-22 19:36:35.000000000 -0400
78671 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
78672
78673 _enter("{%d,%d,%d,%d},",
78674 call->acks_hard, call->acks_unacked,
78675 - atomic_read(&call->sequence),
78676 + atomic_read_unchecked(&call->sequence),
78677 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
78678
78679 stop = 0;
78680 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
78681
78682 /* each Tx packet has a new serial number */
78683 sp->hdr.serial =
78684 - htonl(atomic_inc_return(&call->conn->serial));
78685 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
78686
78687 hdr = (struct rxrpc_header *) txb->head;
78688 hdr->serial = sp->hdr.serial;
78689 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
78690 */
78691 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
78692 {
78693 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
78694 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
78695 }
78696
78697 /*
78698 @@ -631,7 +631,7 @@ process_further:
78699
78700 latest = ntohl(sp->hdr.serial);
78701 hard = ntohl(ack.firstPacket);
78702 - tx = atomic_read(&call->sequence);
78703 + tx = atomic_read_unchecked(&call->sequence);
78704
78705 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78706 latest,
78707 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
78708 u32 abort_code = RX_PROTOCOL_ERROR;
78709 u8 *acks = NULL;
78710
78711 + pax_track_stack();
78712 +
78713 //printk("\n--------------------\n");
78714 _enter("{%d,%s,%lx} [%lu]",
78715 call->debug_id, rxrpc_call_states[call->state], call->events,
78716 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
78717 goto maybe_reschedule;
78718
78719 send_ACK_with_skew:
78720 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
78721 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
78722 ntohl(ack.serial));
78723 send_ACK:
78724 mtu = call->conn->trans->peer->if_mtu;
78725 @@ -1175,7 +1177,7 @@ send_ACK:
78726 ackinfo.rxMTU = htonl(5692);
78727 ackinfo.jumbo_max = htonl(4);
78728
78729 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78730 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78731 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
78732 ntohl(hdr.serial),
78733 ntohs(ack.maxSkew),
78734 @@ -1193,7 +1195,7 @@ send_ACK:
78735 send_message:
78736 _debug("send message");
78737
78738 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
78739 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
78740 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
78741 send_message_2:
78742
78743 diff -urNp linux-2.6.39.3/net/rxrpc/ar-call.c linux-2.6.39.3/net/rxrpc/ar-call.c
78744 --- linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-19 00:06:34.000000000 -0400
78745 +++ linux-2.6.39.3/net/rxrpc/ar-call.c 2011-05-22 19:36:35.000000000 -0400
78746 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
78747 spin_lock_init(&call->lock);
78748 rwlock_init(&call->state_lock);
78749 atomic_set(&call->usage, 1);
78750 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
78751 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78752 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
78753
78754 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
78755 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connection.c linux-2.6.39.3/net/rxrpc/ar-connection.c
78756 --- linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-19 00:06:34.000000000 -0400
78757 +++ linux-2.6.39.3/net/rxrpc/ar-connection.c 2011-05-22 19:36:35.000000000 -0400
78758 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
78759 rwlock_init(&conn->lock);
78760 spin_lock_init(&conn->state_lock);
78761 atomic_set(&conn->usage, 1);
78762 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
78763 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78764 conn->avail_calls = RXRPC_MAXCALLS;
78765 conn->size_align = 4;
78766 conn->header_size = sizeof(struct rxrpc_header);
78767 diff -urNp linux-2.6.39.3/net/rxrpc/ar-connevent.c linux-2.6.39.3/net/rxrpc/ar-connevent.c
78768 --- linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-19 00:06:34.000000000 -0400
78769 +++ linux-2.6.39.3/net/rxrpc/ar-connevent.c 2011-05-22 19:36:35.000000000 -0400
78770 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
78771
78772 len = iov[0].iov_len + iov[1].iov_len;
78773
78774 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78775 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78776 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
78777
78778 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78779 diff -urNp linux-2.6.39.3/net/rxrpc/ar-input.c linux-2.6.39.3/net/rxrpc/ar-input.c
78780 --- linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-19 00:06:34.000000000 -0400
78781 +++ linux-2.6.39.3/net/rxrpc/ar-input.c 2011-05-22 19:36:35.000000000 -0400
78782 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
78783 /* track the latest serial number on this connection for ACK packet
78784 * information */
78785 serial = ntohl(sp->hdr.serial);
78786 - hi_serial = atomic_read(&call->conn->hi_serial);
78787 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
78788 while (serial > hi_serial)
78789 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
78790 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
78791 serial);
78792
78793 /* request ACK generation for any ACK or DATA packet that requests
78794 diff -urNp linux-2.6.39.3/net/rxrpc/ar-internal.h linux-2.6.39.3/net/rxrpc/ar-internal.h
78795 --- linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-19 00:06:34.000000000 -0400
78796 +++ linux-2.6.39.3/net/rxrpc/ar-internal.h 2011-05-22 19:36:35.000000000 -0400
78797 @@ -272,8 +272,8 @@ struct rxrpc_connection {
78798 int error; /* error code for local abort */
78799 int debug_id; /* debug ID for printks */
78800 unsigned call_counter; /* call ID counter */
78801 - atomic_t serial; /* packet serial number counter */
78802 - atomic_t hi_serial; /* highest serial number received */
78803 + atomic_unchecked_t serial; /* packet serial number counter */
78804 + atomic_unchecked_t hi_serial; /* highest serial number received */
78805 u8 avail_calls; /* number of calls available */
78806 u8 size_align; /* data size alignment (for security) */
78807 u8 header_size; /* rxrpc + security header size */
78808 @@ -346,7 +346,7 @@ struct rxrpc_call {
78809 spinlock_t lock;
78810 rwlock_t state_lock; /* lock for state transition */
78811 atomic_t usage;
78812 - atomic_t sequence; /* Tx data packet sequence counter */
78813 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
78814 u32 abort_code; /* local/remote abort code */
78815 enum { /* current state of call */
78816 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
78817 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
78818 */
78819 extern atomic_t rxrpc_n_skbs;
78820 extern __be32 rxrpc_epoch;
78821 -extern atomic_t rxrpc_debug_id;
78822 +extern atomic_unchecked_t rxrpc_debug_id;
78823 extern struct workqueue_struct *rxrpc_workqueue;
78824
78825 /*
78826 diff -urNp linux-2.6.39.3/net/rxrpc/ar-local.c linux-2.6.39.3/net/rxrpc/ar-local.c
78827 --- linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-19 00:06:34.000000000 -0400
78828 +++ linux-2.6.39.3/net/rxrpc/ar-local.c 2011-05-22 19:36:35.000000000 -0400
78829 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
78830 spin_lock_init(&local->lock);
78831 rwlock_init(&local->services_lock);
78832 atomic_set(&local->usage, 1);
78833 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
78834 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78835 memcpy(&local->srx, srx, sizeof(*srx));
78836 }
78837
78838 diff -urNp linux-2.6.39.3/net/rxrpc/ar-output.c linux-2.6.39.3/net/rxrpc/ar-output.c
78839 --- linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-19 00:06:34.000000000 -0400
78840 +++ linux-2.6.39.3/net/rxrpc/ar-output.c 2011-05-22 19:36:35.000000000 -0400
78841 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
78842 sp->hdr.cid = call->cid;
78843 sp->hdr.callNumber = call->call_id;
78844 sp->hdr.seq =
78845 - htonl(atomic_inc_return(&call->sequence));
78846 + htonl(atomic_inc_return_unchecked(&call->sequence));
78847 sp->hdr.serial =
78848 - htonl(atomic_inc_return(&conn->serial));
78849 + htonl(atomic_inc_return_unchecked(&conn->serial));
78850 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
78851 sp->hdr.userStatus = 0;
78852 sp->hdr.securityIndex = conn->security_ix;
78853 diff -urNp linux-2.6.39.3/net/rxrpc/ar-peer.c linux-2.6.39.3/net/rxrpc/ar-peer.c
78854 --- linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-19 00:06:34.000000000 -0400
78855 +++ linux-2.6.39.3/net/rxrpc/ar-peer.c 2011-05-22 19:36:35.000000000 -0400
78856 @@ -71,7 +71,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
78857 INIT_LIST_HEAD(&peer->error_targets);
78858 spin_lock_init(&peer->lock);
78859 atomic_set(&peer->usage, 1);
78860 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
78861 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78862 memcpy(&peer->srx, srx, sizeof(*srx));
78863
78864 rxrpc_assess_MTU_size(peer);
78865 diff -urNp linux-2.6.39.3/net/rxrpc/ar-proc.c linux-2.6.39.3/net/rxrpc/ar-proc.c
78866 --- linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-19 00:06:34.000000000 -0400
78867 +++ linux-2.6.39.3/net/rxrpc/ar-proc.c 2011-05-22 19:36:35.000000000 -0400
78868 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
78869 atomic_read(&conn->usage),
78870 rxrpc_conn_states[conn->state],
78871 key_serial(conn->key),
78872 - atomic_read(&conn->serial),
78873 - atomic_read(&conn->hi_serial));
78874 + atomic_read_unchecked(&conn->serial),
78875 + atomic_read_unchecked(&conn->hi_serial));
78876
78877 return 0;
78878 }
78879 diff -urNp linux-2.6.39.3/net/rxrpc/ar-transport.c linux-2.6.39.3/net/rxrpc/ar-transport.c
78880 --- linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-19 00:06:34.000000000 -0400
78881 +++ linux-2.6.39.3/net/rxrpc/ar-transport.c 2011-05-22 19:36:35.000000000 -0400
78882 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
78883 spin_lock_init(&trans->client_lock);
78884 rwlock_init(&trans->conn_lock);
78885 atomic_set(&trans->usage, 1);
78886 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
78887 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
78888
78889 if (peer->srx.transport.family == AF_INET) {
78890 switch (peer->srx.transport_type) {
78891 diff -urNp linux-2.6.39.3/net/rxrpc/rxkad.c linux-2.6.39.3/net/rxrpc/rxkad.c
78892 --- linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-19 00:06:34.000000000 -0400
78893 +++ linux-2.6.39.3/net/rxrpc/rxkad.c 2011-05-22 19:36:35.000000000 -0400
78894 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
78895 u16 check;
78896 int nsg;
78897
78898 + pax_track_stack();
78899 +
78900 sp = rxrpc_skb(skb);
78901
78902 _enter("");
78903 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
78904 u16 check;
78905 int nsg;
78906
78907 + pax_track_stack();
78908 +
78909 _enter("");
78910
78911 sp = rxrpc_skb(skb);
78912 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
78913
78914 len = iov[0].iov_len + iov[1].iov_len;
78915
78916 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
78917 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78918 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
78919
78920 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
78921 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
78922
78923 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
78924
78925 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
78926 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
78927 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
78928
78929 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
78930 diff -urNp linux-2.6.39.3/net/sched/em_meta.c linux-2.6.39.3/net/sched/em_meta.c
78931 --- linux-2.6.39.3/net/sched/em_meta.c 2011-05-19 00:06:34.000000000 -0400
78932 +++ linux-2.6.39.3/net/sched/em_meta.c 2011-05-22 19:36:35.000000000 -0400
78933 @@ -832,7 +832,7 @@ static int em_meta_dump(struct sk_buff *
78934 {
78935 struct meta_match *meta = (struct meta_match *) em->data;
78936 struct tcf_meta_hdr hdr;
78937 - struct meta_type_ops *ops;
78938 + const struct meta_type_ops *ops;
78939
78940 memset(&hdr, 0, sizeof(hdr));
78941 memcpy(&hdr.left, &meta->lvalue.hdr, sizeof(hdr.left));
78942 diff -urNp linux-2.6.39.3/net/sctp/proc.c linux-2.6.39.3/net/sctp/proc.c
78943 --- linux-2.6.39.3/net/sctp/proc.c 2011-05-19 00:06:34.000000000 -0400
78944 +++ linux-2.6.39.3/net/sctp/proc.c 2011-05-22 19:41:42.000000000 -0400
78945 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
78946 sctp_for_each_hentry(epb, node, &head->chain) {
78947 ep = sctp_ep(epb);
78948 sk = epb->sk;
78949 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
78950 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
78951 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78952 + NULL, NULL,
78953 +#else
78954 + ep, sk,
78955 +#endif
78956 sctp_sk(sk)->type, sk->sk_state, hash,
78957 epb->bind_addr.port,
78958 sock_i_uid(sk), sock_i_ino(sk));
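Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside the `seq_printf` argument list with no comment, and the same construct is repeated in `sctp_assocs_seq_show` below and in `unix_seq_show` in net/unix/af_unix.c. With the option set, the two `%8p` columns are still emitted but receive `NULL` instead of `ep` and `sk`, so kernel object addresses no longer reach readers of the proc file. A comment such as `/* HIDESYM: keep the columns, do not expose kernel addresses */` would record that, and one helper macro that yields either its argument or `NULL` would replace the three copies. The loop body starts and ends outside this hunk.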
78959 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
78960 seq_printf(seq,
78961 "%8p %8p %-3d %-3d %-2d %-4d "
78962 "%4d %8d %8d %7d %5lu %-5d %5d ",
78963 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
78964 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78965 + NULL, NULL,
78966 +#else
78967 + assoc, sk,
78968 +#endif
78969 + sctp_sk(sk)->type, sk->sk_state,
78970 assoc->state, hash,
78971 assoc->assoc_id,
78972 assoc->sndbuf_used,
78973 diff -urNp linux-2.6.39.3/net/sctp/socket.c linux-2.6.39.3/net/sctp/socket.c
78974 --- linux-2.6.39.3/net/sctp/socket.c 2011-05-19 00:06:34.000000000 -0400
78975 +++ linux-2.6.39.3/net/sctp/socket.c 2011-05-22 19:36:35.000000000 -0400
78976 @@ -4433,7 +4433,7 @@ static int sctp_getsockopt_peer_addrs(st
78977 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
78978 if (space_left < addrlen)
78979 return -ENOMEM;
78980 - if (copy_to_user(to, &temp, addrlen))
78981 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
78982 return -EFAULT;
78983 to += addrlen;
78984 cnt++;
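Review bot: The new `addrlen > sizeof(temp)` test returns `-EFAULT`, the same code as a failed `copy_to_user`, so a bad user pointer cannot be told apart from a kernel-side length larger than the `temp` buffer. The bound is what keeps `copy_to_user` from reading past `temp` and disclosing adjacent kernel memory, and hitting it points to an inconsistent per-family length rather than a caller error. I would make it a separate, loud check ahead of the copy, e.g. `if (WARN_ON_ONCE(addrlen > sizeof(temp))) return -EINVAL;`. The same combined test appears in `read_reset_stat` in net/sunrpc/xprtrdma/svc_rdma.c (`len > sizeof str_buf`), and the enclosing loop here is only partly visible.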
78985 diff -urNp linux-2.6.39.3/net/socket.c linux-2.6.39.3/net/socket.c
78986 --- linux-2.6.39.3/net/socket.c 2011-06-03 00:04:14.000000000 -0400
78987 +++ linux-2.6.39.3/net/socket.c 2011-06-03 00:32:08.000000000 -0400
78988 @@ -88,6 +88,7 @@
78989 #include <linux/nsproxy.h>
78990 #include <linux/magic.h>
78991 #include <linux/slab.h>
78992 +#include <linux/in.h>
78993
78994 #include <asm/uaccess.h>
78995 #include <asm/unistd.h>
78996 @@ -105,6 +106,8 @@
78997 #include <linux/sockios.h>
78998 #include <linux/atalk.h>
78999
79000 +#include <linux/grsock.h>
79001 +
79002 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
79003 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
79004 unsigned long nr_segs, loff_t pos);
79005 @@ -330,7 +333,7 @@ static struct dentry *sockfs_mount(struc
79006 &sockfs_dentry_operations, SOCKFS_MAGIC);
79007 }
79008
79009 -static struct vfsmount *sock_mnt __read_mostly;
79010 +struct vfsmount *sock_mnt __read_mostly;
79011
79012 static struct file_system_type sock_fs_type = {
79013 .name = "sockfs",
79014 @@ -1179,6 +1182,8 @@ int __sock_create(struct net *net, int f
79015 return -EAFNOSUPPORT;
79016 if (type < 0 || type >= SOCK_MAX)
79017 return -EINVAL;
79018 + if (protocol < 0)
79019 + return -EINVAL;
79020
79021 /* Compatibility.
79022
79023 @@ -1311,6 +1316,16 @@ SYSCALL_DEFINE3(socket, int, family, int
79024 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
79025 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
79026
79027 + if(!gr_search_socket(family, type, protocol)) {
79028 + retval = -EACCES;
79029 + goto out;
79030 + }
79031 +
79032 + if (gr_handle_sock_all(family, type, protocol)) {
79033 + retval = -EACCES;
79034 + goto out;
79035 + }
79036 +
79037 retval = sock_create(family, type, protocol, &sock);
79038 if (retval < 0)
79039 goto out;
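Review bot: The two added hooks use opposite return conventions and nothing in the hunk says so: `gr_search_socket()` denies on a zero return, while `gr_handle_sock_all()` denies on a non-zero return. A one-line comment above each, `/* returns 0 when the socket is not permitted */` and `/* returns non-zero when the socket is not permitted */`, would guard against an inverted test the next time this code is touched. `if(!gr_search_socket(` is also missing the space after `if` that the rest of the hunk uses. Both checks run before `sock_create()`, so a denied request allocates nothing; the rest of the syscall body is outside the hunk.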
79040 @@ -1423,6 +1438,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79041 if (sock) {
79042 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
79043 if (err >= 0) {
79044 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
79045 + err = -EACCES;
79046 + goto error;
79047 + }
79048 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
79049 + if (err)
79050 + goto error;
79051 +
79052 err = security_socket_bind(sock,
79053 (struct sockaddr *)&address,
79054 addrlen);
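Review bot: `gr_search_bind()` receives `(struct sockaddr_in *)&address` without `addrlen`, and no address-family test is visible before the call. For a socket that is not AF_INET, or an `addrlen` shorter than `sizeof(struct sockaddr_in)`, the hook would then be interpreting bytes that `move_addr_to_kernel()` may not have written. The hook body is not in this hunk and may already check `sa_family`; if it does not, pass the generic pointer and the length and validate both first, e.g. `err = gr_search_bind(sock, (struct sockaddr *)&address, addrlen);`. The `connect` hunk further down casts `sck` to `struct sockaddr_in *` for `gr_search_connect()` in the same way.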
79055 @@ -1431,6 +1454,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79056 (struct sockaddr *)
79057 &address, addrlen);
79058 }
79059 +error:
79060 fput_light(sock->file, fput_needed);
79061 }
79062 return err;
79063 @@ -1454,10 +1478,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
79064 if ((unsigned)backlog > somaxconn)
79065 backlog = somaxconn;
79066
79067 + if (gr_handle_sock_server_other(sock->sk)) {
79068 + err = -EPERM;
79069 + goto error;
79070 + }
79071 +
79072 + err = gr_search_listen(sock);
79073 + if (err)
79074 + goto error;
79075 +
79076 err = security_socket_listen(sock, backlog);
79077 if (!err)
79078 err = sock->ops->listen(sock, backlog);
79079
79080 +error:
79081 fput_light(sock->file, fput_needed);
79082 }
79083 return err;
79084 @@ -1501,6 +1535,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79085 newsock->type = sock->type;
79086 newsock->ops = sock->ops;
79087
79088 + if (gr_handle_sock_server_other(sock->sk)) {
79089 + err = -EPERM;
79090 + sock_release(newsock);
79091 + goto out_put;
79092 + }
79093 +
79094 + err = gr_search_accept(sock);
79095 + if (err) {
79096 + sock_release(newsock);
79097 + goto out_put;
79098 + }
79099 +
79100 /*
79101 * We don't need try_module_get here, as the listening socket (sock)
79102 * has the protocol module (sock->ops->owner) held.
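Review bot: Both new early exits call `sock_release(newsock)` after `newsock->ops` has been assigned but before the module reference that the following comment talks about is taken (the `__module_get` line itself lies past the end of this hunk). If `sock_release()` drops a reference on `ops->owner`, as I believe it does in kernels of this version, every denied accept would decrement the protocol module's count without a matching increment. Placing the `gr_handle_sock_server_other()` and `gr_search_accept()` checks after the module reference has been taken keeps the release balanced.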
79103 @@ -1539,6 +1585,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79104 fd_install(newfd, newfile);
79105 err = newfd;
79106
79107 + gr_attach_curr_ip(newsock->sk);
79108 +
79109 out_put:
79110 fput_light(sock->file, fput_needed);
79111 out:
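Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the descriptor is already visible in the file table and a thread sharing that table can close it. If that close drops the last reference, `newsock` may be freed before it is dereferenced here. Moving the call to just before the publication avoids touching the socket afterwards: `gr_attach_curr_ip(newsock->sk);` followed by `fd_install(newfd, newfile);`.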
79112 @@ -1571,6 +1619,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79113 int, addrlen)
79114 {
79115 struct socket *sock;
79116 + struct sockaddr *sck;
79117 struct sockaddr_storage address;
79118 int err, fput_needed;
79119
79120 @@ -1581,6 +1630,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
79121 if (err < 0)
79122 goto out_put;
79123
79124 + sck = (struct sockaddr *)&address;
79125 +
79126 + if (gr_handle_sock_client(sck)) {
79127 + err = -EACCES;
79128 + goto out_put;
79129 + }
79130 +
79131 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
79132 + if (err)
79133 + goto out_put;
79134 +
79135 err =
79136 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
79137 if (err)
79138 @@ -1882,6 +1942,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
79139 int err, ctl_len, iov_size, total_len;
79140 int fput_needed;
79141
79142 + pax_track_stack();
79143 +
79144 err = -EFAULT;
79145 if (MSG_CMSG_COMPAT & flags) {
79146 if (get_compat_msghdr(&msg_sys, msg_compat))
79147 diff -urNp linux-2.6.39.3/net/sunrpc/sched.c linux-2.6.39.3/net/sunrpc/sched.c
79148 --- linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:18:51.000000000 -0400
79149 +++ linux-2.6.39.3/net/sunrpc/sched.c 2011-07-09 09:19:27.000000000 -0400
79150 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
79151 #ifdef RPC_DEBUG
79152 static void rpc_task_set_debuginfo(struct rpc_task *task)
79153 {
79154 - static atomic_t rpc_pid;
79155 + static atomic_unchecked_t rpc_pid;
79156
79157 - task->tk_pid = atomic_inc_return(&rpc_pid);
79158 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
79159 }
79160 #else
79161 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
79162 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c
79163 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-19 00:06:34.000000000 -0400
79164 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-22 19:36:35.000000000 -0400
79165 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
79166 static unsigned int min_max_inline = 4096;
79167 static unsigned int max_max_inline = 65536;
79168
79169 -atomic_t rdma_stat_recv;
79170 -atomic_t rdma_stat_read;
79171 -atomic_t rdma_stat_write;
79172 -atomic_t rdma_stat_sq_starve;
79173 -atomic_t rdma_stat_rq_starve;
79174 -atomic_t rdma_stat_rq_poll;
79175 -atomic_t rdma_stat_rq_prod;
79176 -atomic_t rdma_stat_sq_poll;
79177 -atomic_t rdma_stat_sq_prod;
79178 +atomic_unchecked_t rdma_stat_recv;
79179 +atomic_unchecked_t rdma_stat_read;
79180 +atomic_unchecked_t rdma_stat_write;
79181 +atomic_unchecked_t rdma_stat_sq_starve;
79182 +atomic_unchecked_t rdma_stat_rq_starve;
79183 +atomic_unchecked_t rdma_stat_rq_poll;
79184 +atomic_unchecked_t rdma_stat_rq_prod;
79185 +atomic_unchecked_t rdma_stat_sq_poll;
79186 +atomic_unchecked_t rdma_stat_sq_prod;
79187
79188 /* Temporary NFS request map and context caches */
79189 struct kmem_cache *svc_rdma_map_cachep;
79190 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
79191 len -= *ppos;
79192 if (len > *lenp)
79193 len = *lenp;
79194 - if (len && copy_to_user(buffer, str_buf, len))
79195 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
79196 return -EFAULT;
79197 *lenp = len;
79198 *ppos += len;
79199 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
79200 {
79201 .procname = "rdma_stat_read",
79202 .data = &rdma_stat_read,
79203 - .maxlen = sizeof(atomic_t),
79204 + .maxlen = sizeof(atomic_unchecked_t),
79205 .mode = 0644,
79206 .proc_handler = read_reset_stat,
79207 },
79208 {
79209 .procname = "rdma_stat_recv",
79210 .data = &rdma_stat_recv,
79211 - .maxlen = sizeof(atomic_t),
79212 + .maxlen = sizeof(atomic_unchecked_t),
79213 .mode = 0644,
79214 .proc_handler = read_reset_stat,
79215 },
79216 {
79217 .procname = "rdma_stat_write",
79218 .data = &rdma_stat_write,
79219 - .maxlen = sizeof(atomic_t),
79220 + .maxlen = sizeof(atomic_unchecked_t),
79221 .mode = 0644,
79222 .proc_handler = read_reset_stat,
79223 },
79224 {
79225 .procname = "rdma_stat_sq_starve",
79226 .data = &rdma_stat_sq_starve,
79227 - .maxlen = sizeof(atomic_t),
79228 + .maxlen = sizeof(atomic_unchecked_t),
79229 .mode = 0644,
79230 .proc_handler = read_reset_stat,
79231 },
79232 {
79233 .procname = "rdma_stat_rq_starve",
79234 .data = &rdma_stat_rq_starve,
79235 - .maxlen = sizeof(atomic_t),
79236 + .maxlen = sizeof(atomic_unchecked_t),
79237 .mode = 0644,
79238 .proc_handler = read_reset_stat,
79239 },
79240 {
79241 .procname = "rdma_stat_rq_poll",
79242 .data = &rdma_stat_rq_poll,
79243 - .maxlen = sizeof(atomic_t),
79244 + .maxlen = sizeof(atomic_unchecked_t),
79245 .mode = 0644,
79246 .proc_handler = read_reset_stat,
79247 },
79248 {
79249 .procname = "rdma_stat_rq_prod",
79250 .data = &rdma_stat_rq_prod,
79251 - .maxlen = sizeof(atomic_t),
79252 + .maxlen = sizeof(atomic_unchecked_t),
79253 .mode = 0644,
79254 .proc_handler = read_reset_stat,
79255 },
79256 {
79257 .procname = "rdma_stat_sq_poll",
79258 .data = &rdma_stat_sq_poll,
79259 - .maxlen = sizeof(atomic_t),
79260 + .maxlen = sizeof(atomic_unchecked_t),
79261 .mode = 0644,
79262 .proc_handler = read_reset_stat,
79263 },
79264 {
79265 .procname = "rdma_stat_sq_prod",
79266 .data = &rdma_stat_sq_prod,
79267 - .maxlen = sizeof(atomic_t),
79268 + .maxlen = sizeof(atomic_unchecked_t),
79269 .mode = 0644,
79270 .proc_handler = read_reset_stat,
79271 },
79272 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
79273 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-19 00:06:34.000000000 -0400
79274 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-22 19:36:35.000000000 -0400
79275 @@ -499,7 +499,7 @@ next_sge:
79276 svc_rdma_put_context(ctxt, 0);
79277 goto out;
79278 }
79279 - atomic_inc(&rdma_stat_read);
79280 + atomic_inc_unchecked(&rdma_stat_read);
79281
79282 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
79283 chl_map->ch[ch_no].count -= read_wr.num_sge;
79284 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79285 dto_q);
79286 list_del_init(&ctxt->dto_q);
79287 } else {
79288 - atomic_inc(&rdma_stat_rq_starve);
79289 + atomic_inc_unchecked(&rdma_stat_rq_starve);
79290 clear_bit(XPT_DATA, &xprt->xpt_flags);
79291 ctxt = NULL;
79292 }
79293 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
79294 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
79295 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
79296 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
79297 - atomic_inc(&rdma_stat_recv);
79298 + atomic_inc_unchecked(&rdma_stat_recv);
79299
79300 /* Build up the XDR from the receive buffers. */
79301 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
79302 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c
79303 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-19 00:06:34.000000000 -0400
79304 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-22 19:36:35.000000000 -0400
79305 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
79306 write_wr.wr.rdma.remote_addr = to;
79307
79308 /* Post It */
79309 - atomic_inc(&rdma_stat_write);
79310 + atomic_inc_unchecked(&rdma_stat_write);
79311 if (svc_rdma_send(xprt, &write_wr))
79312 goto err;
79313 return 0;
79314 diff -urNp linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c
79315 --- linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-19 00:06:34.000000000 -0400
79316 +++ linux-2.6.39.3/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-22 19:36:35.000000000 -0400
79317 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
79318 return;
79319
79320 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
79321 - atomic_inc(&rdma_stat_rq_poll);
79322 + atomic_inc_unchecked(&rdma_stat_rq_poll);
79323
79324 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
79325 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
79326 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
79327 }
79328
79329 if (ctxt)
79330 - atomic_inc(&rdma_stat_rq_prod);
79331 + atomic_inc_unchecked(&rdma_stat_rq_prod);
79332
79333 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
79334 /*
79335 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
79336 return;
79337
79338 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
79339 - atomic_inc(&rdma_stat_sq_poll);
79340 + atomic_inc_unchecked(&rdma_stat_sq_poll);
79341 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
79342 if (wc.status != IB_WC_SUCCESS)
79343 /* Close the transport */
79344 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
79345 }
79346
79347 if (ctxt)
79348 - atomic_inc(&rdma_stat_sq_prod);
79349 + atomic_inc_unchecked(&rdma_stat_sq_prod);
79350 }
79351
79352 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
79353 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
79354 spin_lock_bh(&xprt->sc_lock);
79355 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
79356 spin_unlock_bh(&xprt->sc_lock);
79357 - atomic_inc(&rdma_stat_sq_starve);
79358 + atomic_inc_unchecked(&rdma_stat_sq_starve);
79359
79360 /* See if we can opportunistically reap SQ WR to make room */
79361 sq_cq_reap(xprt);
79362 diff -urNp linux-2.6.39.3/net/sysctl_net.c linux-2.6.39.3/net/sysctl_net.c
79363 --- linux-2.6.39.3/net/sysctl_net.c 2011-05-19 00:06:34.000000000 -0400
79364 +++ linux-2.6.39.3/net/sysctl_net.c 2011-05-22 19:41:42.000000000 -0400
79365 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
79366 struct ctl_table *table)
79367 {
79368 /* Allow network administrator to have same access as root. */
79369 - if (capable(CAP_NET_ADMIN)) {
79370 + if (capable_nolog(CAP_NET_ADMIN)) {
79371 int mode = (table->mode >> 6) & 7;
79372 return (mode << 6) | (mode << 3) | mode;
79373 }
79374 diff -urNp linux-2.6.39.3/net/unix/af_unix.c linux-2.6.39.3/net/unix/af_unix.c
79375 --- linux-2.6.39.3/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -0400
79376 +++ linux-2.6.39.3/net/unix/af_unix.c 2011-07-18 18:16:27.000000000 -0400
79377 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
79378 err = -ECONNREFUSED;
79379 if (!S_ISSOCK(inode->i_mode))
79380 goto put_fail;
79381 +
79382 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
79383 + err = -EACCES;
79384 + goto put_fail;
79385 + }
79386 +
79387 u = unix_find_socket_byinode(inode);
79388 if (!u)
79389 goto put_fail;
79390 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
79391 if (u) {
79392 struct dentry *dentry;
79393 dentry = unix_sk(u)->dentry;
79394 +
79395 + if (!gr_handle_chroot_unix(pid_vnr(u->sk_peer_pid))) {
79396 + err = -EPERM;
79397 + sock_put(u);
79398 + goto fail;
79399 + }
79400 +
79401 if (dentry)
79402 touch_atime(unix_sk(u)->mnt, dentry);
79403 } else
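Review bot: `u->sk_peer_pid` is passed to `pid_vnr()` with no check that peer credentials were ever recorded on `u`, and `pid_vnr()` of an unset pid yields 0. For such a socket `gr_handle_chroot_unix()` is therefore asked about pid 0, and what it answers is not visible in this hunk. A comment stating the intended result for that case, for example `/* peer pid 0 (no recorded peer): see gr_handle_chroot_unix() for the policy */`, or an explicit test before the call, would make the check auditable. The `sock_put(u)` on the deny path does match the reference held on `u` at this point.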
79404 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
79405 err = security_path_mknod(&nd.path, dentry, mode, 0);
79406 if (err)
79407 goto out_mknod_drop_write;
79408 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
79409 + err = -EACCES;
79410 + goto out_mknod_drop_write;
79411 + }
79412 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
79413 out_mknod_drop_write:
79414 mnt_drop_write(nd.path.mnt);
79415 if (err)
79416 goto out_mknod_dput;
79417 +
79418 + gr_handle_create(dentry, nd.path.mnt);
79419 +
79420 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
79421 dput(nd.path.dentry);
79422 nd.path.dentry = dentry;
79423 @@ -2255,7 +2275,11 @@ static int unix_seq_show(struct seq_file
79424 unix_state_lock(s);
79425
79426 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
79427 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79428 + NULL,
79429 +#else
79430 s,
79431 +#endif
79432 atomic_read(&s->sk_refcnt),
79433 0,
79434 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
79435 diff -urNp linux-2.6.39.3/net/wireless/wext-core.c linux-2.6.39.3/net/wireless/wext-core.c
79436 --- linux-2.6.39.3/net/wireless/wext-core.c 2011-05-19 00:06:34.000000000 -0400
79437 +++ linux-2.6.39.3/net/wireless/wext-core.c 2011-05-22 19:36:35.000000000 -0400
79438 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
79439 */
79440
79441 /* Support for very large requests */
79442 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
79443 - (user_length > descr->max_tokens)) {
79444 + if (user_length > descr->max_tokens) {
79445 /* Allow userspace to GET more than max so
79446 * we can support any size GET requests.
79447 * There is still a limit : -ENOMEM.
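Review bot: The comments around this test are now stale: with the `IW_DESCR_FLAG_NOMAX` condition removed, the branch is entered for every descriptor whose `user_length` exceeds `max_tokens`, not only for "very large requests" on NOMAX descriptors. I would reword the lead-in to something like `/* user_length above max_tokens: handled for all descriptors, not only NOMAX */`. The body of the branch continues past the end of the hunk, so how each command type is treated inside it cannot be checked from here.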
79448 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
79449 }
79450 }
79451
79452 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
79453 - /*
79454 - * If this is a GET, but not NOMAX, it means that the extra
79455 - * data is not bounded by userspace, but by max_tokens. Thus
79456 - * set the length to max_tokens. This matches the extra data
79457 - * allocation.
79458 - * The driver should fill it with the number of tokens it
79459 - * provided, and it may check iwp->length rather than having
79460 - * knowledge of max_tokens. If the driver doesn't change the
79461 - * iwp->length, this ioctl just copies back max_token tokens
79462 - * filled with zeroes. Hopefully the driver isn't claiming
79463 - * them to be valid data.
79464 - */
79465 - iwp->length = descr->max_tokens;
79466 - }
79467 -
79468 err = handler(dev, info, (union iwreq_data *) iwp, extra);
79469
79470 iwp->length += essid_compat;
79471 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_policy.c linux-2.6.39.3/net/xfrm/xfrm_policy.c
79472 --- linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-19 00:06:34.000000000 -0400
79473 +++ linux-2.6.39.3/net/xfrm/xfrm_policy.c 2011-05-22 19:36:35.000000000 -0400
79474 @@ -299,7 +299,7 @@ static void xfrm_policy_kill(struct xfrm
79475 {
79476 policy->walk.dead = 1;
79477
79478 - atomic_inc(&policy->genid);
79479 + atomic_inc_unchecked(&policy->genid);
79480
79481 if (del_timer(&policy->timer))
79482 xfrm_pol_put(policy);
79483 @@ -583,7 +583,7 @@ int xfrm_policy_insert(int dir, struct x
79484 hlist_add_head(&policy->bydst, chain);
79485 xfrm_pol_hold(policy);
79486 net->xfrm.policy_count[dir]++;
79487 - atomic_inc(&flow_cache_genid);
79488 + atomic_inc_unchecked(&flow_cache_genid);
79489 if (delpol)
79490 __xfrm_policy_unlink(delpol, dir);
79491 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
79492 @@ -1527,7 +1527,7 @@ free_dst:
79493 goto out;
79494 }
79495
79496 -static int inline
79497 +static inline int
79498 xfrm_dst_alloc_copy(void **target, const void *src, int size)
79499 {
79500 if (!*target) {
79501 @@ -1539,7 +1539,7 @@ xfrm_dst_alloc_copy(void **target, const
79502 return 0;
79503 }
79504
79505 -static int inline
79506 +static inline int
79507 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
79508 {
79509 #ifdef CONFIG_XFRM_SUB_POLICY
79510 @@ -1551,7 +1551,7 @@ xfrm_dst_update_parent(struct dst_entry
79511 #endif
79512 }
79513
79514 -static int inline
79515 +static inline int
79516 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
79517 {
79518 #ifdef CONFIG_XFRM_SUB_POLICY
79519 @@ -1645,7 +1645,7 @@ xfrm_resolve_and_create_bundle(struct xf
79520
79521 xdst->num_pols = num_pols;
79522 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
79523 - xdst->policy_genid = atomic_read(&pols[0]->genid);
79524 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
79525
79526 return xdst;
79527 }
79528 @@ -2332,7 +2332,7 @@ static int xfrm_bundle_ok(struct xfrm_ds
79529 if (xdst->xfrm_genid != dst->xfrm->genid)
79530 return 0;
79531 if (xdst->num_pols > 0 &&
79532 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
79533 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
79534 return 0;
79535
79536 mtu = dst_mtu(dst->child);
79537 @@ -2860,7 +2860,7 @@ static int xfrm_policy_migrate(struct xf
79538 sizeof(pol->xfrm_vec[i].saddr));
79539 pol->xfrm_vec[i].encap_family = mp->new_family;
79540 /* flush bundles */
79541 - atomic_inc(&pol->genid);
79542 + atomic_inc_unchecked(&pol->genid);
79543 }
79544 }
79545
79546 diff -urNp linux-2.6.39.3/net/xfrm/xfrm_user.c linux-2.6.39.3/net/xfrm/xfrm_user.c
79547 --- linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-19 00:06:34.000000000 -0400
79548 +++ linux-2.6.39.3/net/xfrm/xfrm_user.c 2011-05-22 19:36:35.000000000 -0400
79549 @@ -1394,6 +1394,8 @@ static int copy_to_user_tmpl(struct xfrm
79550 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
79551 int i;
79552
79553 + pax_track_stack();
79554 +
79555 if (xp->xfrm_nr == 0)
79556 return 0;
79557
79558 @@ -2062,6 +2064,8 @@ static int xfrm_do_migrate(struct sk_buf
79559 int err;
79560 int n = 0;
79561
79562 + pax_track_stack();
79563 +
79564 if (attrs[XFRMA_MIGRATE] == NULL)
79565 return -EINVAL;
79566
79567 diff -urNp linux-2.6.39.3/scripts/basic/fixdep.c linux-2.6.39.3/scripts/basic/fixdep.c
79568 --- linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-19 00:06:34.000000000 -0400
79569 +++ linux-2.6.39.3/scripts/basic/fixdep.c 2011-05-22 19:36:35.000000000 -0400
79570 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
79571
79572 static void parse_config_file(const char *map, size_t len)
79573 {
79574 - const int *end = (const int *) (map + len);
79575 + const unsigned int *end = (const unsigned int *) (map + len);
79576 /* start at +1, so that p can never be < map */
79577 - const int *m = (const int *) map + 1;
79578 + const unsigned int *m = (const unsigned int *) map + 1;
79579 const char *p, *q;
79580
79581 for (; m < end; m++) {
79582 @@ -405,7 +405,7 @@ static void print_deps(void)
79583 static void traps(void)
79584 {
79585 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
79586 - int *p = (int *)test;
79587 + unsigned int *p = (unsigned int *)test;
79588
79589 if (*p != INT_CONF) {
79590 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
79591 diff -urNp linux-2.6.39.3/scripts/dtc/flattree.c linux-2.6.39.3/scripts/dtc/flattree.c
79592 --- linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-19 00:06:34.000000000 -0400
79593 +++ linux-2.6.39.3/scripts/dtc/flattree.c 2011-05-22 19:36:35.000000000 -0400
79594 @@ -104,7 +104,7 @@ static void bin_emit_property(void *e, s
79595 bin_emit_cell(e, FDT_PROP);
79596 }
79597
79598 -static struct emitter bin_emitter = {
79599 +static const struct emitter bin_emitter = {
79600 .cell = bin_emit_cell,
79601 .string = bin_emit_string,
79602 .align = bin_emit_align,
79603 @@ -230,7 +230,7 @@ static void asm_emit_property(void *e, s
79604 asm_emit_cell(e, FDT_PROP);
79605 }
79606
79607 -static struct emitter asm_emitter = {
79608 +static const struct emitter asm_emitter = {
79609 .cell = asm_emit_cell,
79610 .string = asm_emit_string,
79611 .align = asm_emit_align,
79612 diff -urNp linux-2.6.39.3/scripts/Makefile.build linux-2.6.39.3/scripts/Makefile.build
79613 --- linux-2.6.39.3/scripts/Makefile.build 2011-05-19 00:06:34.000000000 -0400
79614 +++ linux-2.6.39.3/scripts/Makefile.build 2011-06-03 01:15:00.000000000 -0400
79615 @@ -93,7 +93,7 @@ endif
79616 endif
79617
79618 # Do not include host rules unless needed
79619 -ifneq ($(hostprogs-y)$(hostprogs-m),)
79620 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
79621 include scripts/Makefile.host
79622 endif
79623
79624 diff -urNp linux-2.6.39.3/scripts/Makefile.clean linux-2.6.39.3/scripts/Makefile.clean
79625 --- linux-2.6.39.3/scripts/Makefile.clean 2011-05-19 00:06:34.000000000 -0400
79626 +++ linux-2.6.39.3/scripts/Makefile.clean 2011-06-03 01:16:02.000000000 -0400
79627 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
79628 __clean-files := $(extra-y) $(always) \
79629 $(targets) $(clean-files) \
79630 $(host-progs) \
79631 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
79632 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
79633 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
79634
79635 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
79636
79637 diff -urNp linux-2.6.39.3/scripts/Makefile.host linux-2.6.39.3/scripts/Makefile.host
79638 --- linux-2.6.39.3/scripts/Makefile.host 2011-05-19 00:06:34.000000000 -0400
79639 +++ linux-2.6.39.3/scripts/Makefile.host 2011-06-03 01:17:12.000000000 -0400
79640 @@ -31,6 +31,7 @@
79641 # Note: Shared libraries consisting of C++ files are not supported
79642
79643 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
79644 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
79645
79646 # C code
79647 # Executables compiled from a single .c file
79648 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
79649 # Shared libaries (only .c supported)
79650 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
79651 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
79652 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
79653 # Remove .so files from "xxx-objs"
79654 host-cobjs := $(filter-out %.so,$(host-cobjs))
79655
79656 diff -urNp linux-2.6.39.3/scripts/mod/file2alias.c linux-2.6.39.3/scripts/mod/file2alias.c
79657 --- linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-19 00:06:34.000000000 -0400
79658 +++ linux-2.6.39.3/scripts/mod/file2alias.c 2011-05-22 19:36:35.000000000 -0400
79659 @@ -72,7 +72,7 @@ static void device_id_check(const char *
79660 unsigned long size, unsigned long id_size,
79661 void *symval)
79662 {
79663 - int i;
79664 + unsigned int i;
79665
79666 if (size % id_size || size < id_size) {
79667 if (cross_build != 0)
79668 @@ -102,7 +102,7 @@ static void device_id_check(const char *
79669 /* USB is special because the bcdDevice can be matched against a numeric range */
79670 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
79671 static void do_usb_entry(struct usb_device_id *id,
79672 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
79673 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
79674 unsigned char range_lo, unsigned char range_hi,
79675 unsigned char max, struct module *mod)
79676 {
79677 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
79678 for (i = 0; i < count; i++) {
79679 const char *id = (char *)devs[i].id;
79680 char acpi_id[sizeof(devs[0].id)];
79681 - int j;
79682 + unsigned int j;
79683
79684 buf_printf(&mod->dev_table_buf,
79685 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79686 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
79687
79688 for (j = 0; j < PNP_MAX_DEVICES; j++) {
79689 const char *id = (char *)card->devs[j].id;
79690 - int i2, j2;
79691 + unsigned int i2, j2;
79692 int dup = 0;
79693
79694 if (!id[0])
79695 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
79696 /* add an individual alias for every device entry */
79697 if (!dup) {
79698 char acpi_id[sizeof(card->devs[0].id)];
79699 - int k;
79700 + unsigned int k;
79701
79702 buf_printf(&mod->dev_table_buf,
79703 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
79704 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
79705 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
79706 char *alias)
79707 {
79708 - int i, j;
79709 + unsigned int i, j;
79710
79711 sprintf(alias, "dmi*");
79712
79713 diff -urNp linux-2.6.39.3/scripts/mod/modpost.c linux-2.6.39.3/scripts/mod/modpost.c
79714 --- linux-2.6.39.3/scripts/mod/modpost.c 2011-05-19 00:06:34.000000000 -0400
79715 +++ linux-2.6.39.3/scripts/mod/modpost.c 2011-07-06 20:00:13.000000000 -0400
79716 @@ -896,6 +896,7 @@ enum mismatch {
79717 ANY_INIT_TO_ANY_EXIT,
79718 ANY_EXIT_TO_ANY_INIT,
79719 EXPORT_TO_INIT_EXIT,
79720 + DATA_TO_TEXT
79721 };
79722
79723 struct sectioncheck {
79724 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
79725 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
79726 .mismatch = EXPORT_TO_INIT_EXIT,
79727 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
79728 +},
79729 +/* Do not reference code from writable data */
79730 +{
79731 + .fromsec = { DATA_SECTIONS, NULL },
79732 + .tosec = { TEXT_SECTIONS, NULL },
79733 + .mismatch = DATA_TO_TEXT
79734 }
79735 };
79736
79737 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
79738 continue;
79739 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
79740 continue;
79741 - if (sym->st_value == addr)
79742 - return sym;
79743 /* Find a symbol nearby - addr are maybe negative */
79744 d = sym->st_value - addr;
79745 + if (d == 0)
79746 + return sym;
79747 if (d < 0)
79748 d = addr - sym->st_value;
79749 if (d < distance) {
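Review bot: The exact-match test now goes through `d`, whose declaration is outside this hunk. If `d` is narrower than `sym->st_value` (a 32-bit signed type against a 64-bit ELF value, say), `d == 0` can hold for two addresses that differ by a multiple of 2^32, which the removed comparison could not. Keeping the direct form `if (sym->st_value == addr) return sym;` ahead of the subtraction preserves the exact match regardless of the width of `d`.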
79750 @@ -1408,6 +1415,14 @@ static void report_sec_mismatch(const ch
79751 tosym, prl_to, prl_to, tosym);
79752 free(prl_to);
79753 break;
79754 + case DATA_TO_TEXT:
79755 +/*
79756 + fprintf(stderr,
79757 + "The variable %s references\n"
79758 + "the %s %s%s%s\n",
79759 + fromsym, to, sec2annotation(tosec), tosym, to_p);
79760 +*/
79761 + break;
79762 }
79763 fprintf(stderr, "\n");
79764 }
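Review bot: The `DATA_TO_TEXT` case holds only a commented-out `fprintf`, so this mismatch gets no explanatory text. The `fprintf(stderr, "\n")` after the switch still runs, along with anything printed before the switch, which is outside this hunk. Either enable the message or delete the dead block and leave a short reason, e.g. `/* DATA_TO_TEXT: detailed report intentionally disabled */`. If the check is meant to be silent for now, returning before any output is produced would avoid stray lines in the build log.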
79765 @@ -1633,7 +1648,7 @@ static void section_rel(const char *modn
79766 static void check_sec_ref(struct module *mod, const char *modname,
79767 struct elf_info *elf)
79768 {
79769 - int i;
79770 + unsigned int i;
79771 Elf_Shdr *sechdrs = elf->sechdrs;
79772
79773 /* Walk through all sections */
79774 @@ -1731,7 +1746,7 @@ void __attribute__((format(printf, 2, 3)
79775 va_end(ap);
79776 }
79777
79778 -void buf_write(struct buffer *buf, const char *s, int len)
79779 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
79780 {
79781 if (buf->size - buf->pos < len) {
79782 buf->size += len + SZ;
79783 @@ -1943,7 +1958,7 @@ static void write_if_changed(struct buff
79784 if (fstat(fileno(file), &st) < 0)
79785 goto close_write;
79786
79787 - if (st.st_size != b->pos)
79788 + if (st.st_size != (off_t)b->pos)
79789 goto close_write;
79790
79791 tmp = NOFAIL(malloc(b->pos));
79792 diff -urNp linux-2.6.39.3/scripts/mod/modpost.h linux-2.6.39.3/scripts/mod/modpost.h
79793 --- linux-2.6.39.3/scripts/mod/modpost.h 2011-05-19 00:06:34.000000000 -0400
79794 +++ linux-2.6.39.3/scripts/mod/modpost.h 2011-05-22 19:36:35.000000000 -0400
79795 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
79796
79797 struct buffer {
79798 char *p;
79799 - int pos;
79800 - int size;
79801 + unsigned int pos;
79802 + unsigned int size;
79803 };
79804
79805 void __attribute__((format(printf, 2, 3)))
79806 buf_printf(struct buffer *buf, const char *fmt, ...);
79807
79808 void
79809 -buf_write(struct buffer *buf, const char *s, int len);
79810 +buf_write(struct buffer *buf, const char *s, unsigned int len);
79811
79812 struct module {
79813 struct module *next;
79814 diff -urNp linux-2.6.39.3/scripts/mod/sumversion.c linux-2.6.39.3/scripts/mod/sumversion.c
79815 --- linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-19 00:06:34.000000000 -0400
79816 +++ linux-2.6.39.3/scripts/mod/sumversion.c 2011-05-22 19:36:35.000000000 -0400
79817 @@ -470,7 +470,7 @@ static void write_version(const char *fi
79818 goto out;
79819 }
79820
79821 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
79822 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
79823 warn("writing sum in %s failed: %s\n",
79824 filename, strerror(errno));
79825 goto out;
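Review bot: The new comparison in write_version evaluates `strlen(sum)+1` twice and only works because the cast binds to `strlen(sum)` before the addition. Computing the length once reads more clearly: `size_t len = strlen(sum) + 1;` followed by `if (write(fd, sum, len) != (ssize_t)len) {`. Separately, a short write takes this branch without `errno` being set, so the `strerror(errno)` in the warning may report a stale error. write_version starts and ends outside the hunk.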
79826 diff -urNp linux-2.6.39.3/scripts/pnmtologo.c linux-2.6.39.3/scripts/pnmtologo.c
79827 --- linux-2.6.39.3/scripts/pnmtologo.c 2011-05-19 00:06:34.000000000 -0400
79828 +++ linux-2.6.39.3/scripts/pnmtologo.c 2011-05-22 19:36:35.000000000 -0400
79829 @@ -237,14 +237,14 @@ static void write_header(void)
79830 fprintf(out, " * Linux logo %s\n", logoname);
79831 fputs(" */\n\n", out);
79832 fputs("#include <linux/linux_logo.h>\n\n", out);
79833 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
79834 + fprintf(out, "static unsigned char %s_data[] = {\n",
79835 logoname);
79836 }
79837
79838 static void write_footer(void)
79839 {
79840 fputs("\n};\n\n", out);
79841 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
79842 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
79843 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
79844 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
79845 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
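Review bot: Nothing in write_header or write_footer records why the generated `%s_data[]` array and the `struct linux_logo` object lose their `__initdata`/`__initconst` annotations. The same applies to `%s_clut[]` in the write_logo_clut224 hunk below. Without the annotations the emitted logo data is presumably no longer placed in the init sections and stays resident after boot, which a later maintainer could mistake for an oversight and revert. A one-line comment beside each fprintf would prevent that, for example `/* emitted without __initdata on purpose: <reason> */` with the actual reason filled in.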
79846 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
79847 fputs("\n};\n\n", out);
79848
79849 /* write logo clut */
79850 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
79851 + fprintf(out, "static unsigned char %s_clut[] = {\n",
79852 logoname);
79853 write_hex_cnt = 0;
79854 for (i = 0; i < logo_clutsize; i++) {
79855 diff -urNp linux-2.6.39.3/security/apparmor/lsm.c linux-2.6.39.3/security/apparmor/lsm.c
79856 --- linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 12:55:23.000000000 -0400
79857 +++ linux-2.6.39.3/security/apparmor/lsm.c 2011-06-25 13:00:28.000000000 -0400
79858 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
79859 return error;
79860 }
79861
79862 -static struct security_operations apparmor_ops = {
79863 +static struct security_operations apparmor_ops __read_only = {
79864 .name = "apparmor",
79865
79866 .ptrace_access_check = apparmor_ptrace_access_check,
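Review bot: `apparmor_ops` is marked `__read_only`, while the three `kernel_param_ops` tables later in this file are made `const`, and nothing at the definition explains the difference. Presumably the ops table must remain a non-const object because of how it is registered, but that call is outside this hunk. A short comment above the definition would record the intent, for example `/* __read_only, not const: handed to a non-const registration interface; never written after init */`, adjusted to the real reason. The initializer continues past the end of the hunk.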
79867 @@ -672,7 +672,7 @@ static struct security_operations apparm
79868 static int param_set_aabool(const char *val, const struct kernel_param *kp);
79869 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
79870 #define param_check_aabool(name, p) __param_check(name, p, int)
79871 -static struct kernel_param_ops param_ops_aabool = {
79872 +static const struct kernel_param_ops param_ops_aabool = {
79873 .set = param_set_aabool,
79874 .get = param_get_aabool
79875 };
79876 @@ -680,7 +680,7 @@ static struct kernel_param_ops param_ops
79877 static int param_set_aauint(const char *val, const struct kernel_param *kp);
79878 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
79879 #define param_check_aauint(name, p) __param_check(name, p, int)
79880 -static struct kernel_param_ops param_ops_aauint = {
79881 +static const struct kernel_param_ops param_ops_aauint = {
79882 .set = param_set_aauint,
79883 .get = param_get_aauint
79884 };
79885 @@ -688,7 +688,7 @@ static struct kernel_param_ops param_ops
79886 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
79887 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
79888 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
79889 -static struct kernel_param_ops param_ops_aalockpolicy = {
79890 +static const struct kernel_param_ops param_ops_aalockpolicy = {
79891 .set = param_set_aalockpolicy,
79892 .get = param_get_aalockpolicy
79893 };
79894 diff -urNp linux-2.6.39.3/security/commoncap.c linux-2.6.39.3/security/commoncap.c
79895 --- linux-2.6.39.3/security/commoncap.c 2011-05-19 00:06:34.000000000 -0400
79896 +++ linux-2.6.39.3/security/commoncap.c 2011-05-22 20:28:59.000000000 -0400
79897 @@ -28,6 +28,7 @@
79898 #include <linux/prctl.h>
79899 #include <linux/securebits.h>
79900 #include <linux/user_namespace.h>
79901 +#include <net/sock.h>
79902
79903 /*
79904 * If a non-root user executes a setuid-root binary in
79905 @@ -58,7 +59,7 @@ int cap_netlink_send(struct sock *sk, st
79906
79907 int cap_netlink_recv(struct sk_buff *skb, int cap)
79908 {
79909 - if (!cap_raised(current_cap(), cap))
79910 + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
79911 return -EPERM;
79912 return 0;
79913 }
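Review bot: The added `gr_is_capable(cap)` test in cap_netlink_recv takes only the capability number, so, like `cap_raised(current_cap(), cap)` beside it, it appears to judge the calling task and never consults `skb`. That is only correct when the message is processed in the sender's context, and the function does not state that assumption. A comment above the condition would make it explicit, for example `/* both checks apply to current; callers must run in the sender's context */`. It would also help to note that the short-circuit order means the second check, and any audit logging it performs, runs only for tasks that already hold the capability.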
79914 @@ -580,6 +581,9 @@ int cap_bprm_secureexec(struct linux_bin
79915 {
79916 const struct cred *cred = current_cred();
79917
79918 + if (gr_acl_enable_at_secure())
79919 + return 1;
79920 +
79921 if (cred->uid != 0) {
79922 if (bprm->cap_effective)
79923 return 1;
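Review bot: The early `return 1` on `gr_acl_enable_at_secure()` in cap_bprm_secureexec has no comment explaining that it overrides the uid and capability tests that follow. Judging by the name, this lets the access-control policy force secure-exec mode for any exec, which is a wider condition than the credential checks alone. A one-line comment would record that, for example `/* policy may force secure-exec mode regardless of the credential checks below */`. The function's header comment and the rest of its body are outside the hunk, so that documentation may also need the new condition added.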
79924 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_api.c linux-2.6.39.3/security/integrity/ima/ima_api.c
79925 --- linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-19 00:06:34.000000000 -0400
79926 +++ linux-2.6.39.3/security/integrity/ima/ima_api.c 2011-05-22 19:36:35.000000000 -0400
79927 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
79928 int result;
79929
79930 /* can overflow, only indicator */
79931 - atomic_long_inc(&ima_htable.violations);
79932 + atomic_long_inc_unchecked(&ima_htable.violations);
79933
79934 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
79935 if (!entry) {
79936 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_fs.c linux-2.6.39.3/security/integrity/ima/ima_fs.c
79937 --- linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-19 00:06:34.000000000 -0400
79938 +++ linux-2.6.39.3/security/integrity/ima/ima_fs.c 2011-05-22 19:36:35.000000000 -0400
79939 @@ -28,12 +28,12 @@
79940 static int valid_policy = 1;
79941 #define TMPBUFLEN 12
79942 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
79943 - loff_t *ppos, atomic_long_t *val)
79944 + loff_t *ppos, atomic_long_unchecked_t *val)
79945 {
79946 char tmpbuf[TMPBUFLEN];
79947 ssize_t len;
79948
79949 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
79950 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
79951 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
79952 }
79953
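Review bot: `TMPBUFLEN` stays at 12 in ima_show_htable_value, which is too small for a full `long` on 64-bit builds now that the counter is explicitly allowed to wrap. A `%li` value can need up to 20 characters plus the newline and terminator. `scnprintf` prevents an overflow, but larger or negative values are silently truncated and lose their trailing newline when read from userspace. Sizing the buffer for the widest value, for example `#define TMPBUFLEN 22`, avoids reporting a cut-off number.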
79954 diff -urNp linux-2.6.39.3/security/integrity/ima/ima.h linux-2.6.39.3/security/integrity/ima/ima.h
79955 --- linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-19 00:06:34.000000000 -0400
79956 +++ linux-2.6.39.3/security/integrity/ima/ima.h 2011-05-22 19:36:35.000000000 -0400
79957 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
79958 extern spinlock_t ima_queue_lock;
79959
79960 struct ima_h_table {
79961 - atomic_long_t len; /* number of stored measurements in the list */
79962 - atomic_long_t violations;
79963 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79964 + atomic_long_unchecked_t violations;
79965 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79966 };
79967 extern struct ima_h_table ima_htable;
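Review bot: `len` is switched to `atomic_long_unchecked_t` with no note on why wraparound is harmless for it. `violations` does have such a justification, the "can overflow, only indicator" comment in ima_api.c. The increment in the ima_queue.c hunk below is likewise uncommented. If `len` is only ever reported to userspace, which is what the ima_fs.c reader suggests though other uses are not visible here, a field comment would record the opt-out, for example `/* statistic only, may wrap; not a reference count */`. That makes it reviewable the next time the overflow-checked counters are audited.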
79968 diff -urNp linux-2.6.39.3/security/integrity/ima/ima_queue.c linux-2.6.39.3/security/integrity/ima/ima_queue.c
79969 --- linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-19 00:06:34.000000000 -0400
79970 +++ linux-2.6.39.3/security/integrity/ima/ima_queue.c 2011-05-22 19:36:35.000000000 -0400
79971 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
79972 INIT_LIST_HEAD(&qe->later);
79973 list_add_tail_rcu(&qe->later, &ima_measurements);
79974
79975 - atomic_long_inc(&ima_htable.len);
79976 + atomic_long_inc_unchecked(&ima_htable.len);
79977 key = ima_hash_key(entry->digest);
79978 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79979 return 0;
79980 diff -urNp linux-2.6.39.3/security/Kconfig linux-2.6.39.3/security/Kconfig
79981 --- linux-2.6.39.3/security/Kconfig 2011-05-19 00:06:34.000000000 -0400
79982 +++ linux-2.6.39.3/security/Kconfig 2011-07-06 19:58:46.000000000 -0400
79983 @@ -4,6 +4,554 @@
79984
79985 menu "Security options"
79986
79987 +source grsecurity/Kconfig
79988 +
79989 +menu "PaX"
79990 +
79991 + config ARCH_TRACK_EXEC_LIMIT
79992 + bool
79993 +
79994 + config PAX_PER_CPU_PGD
79995 + bool
79996 +
79997 + config TASK_SIZE_MAX_SHIFT
79998 + int
79999 + depends on X86_64
80000 + default 47 if !PAX_PER_CPU_PGD
80001 + default 42 if PAX_PER_CPU_PGD
80002 +
80003 + config PAX_ENABLE_PAE
80004 + bool
80005 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
80006 +
80007 +config PAX
80008 + bool "Enable various PaX features"
80009 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
80010 + help
80011 + This allows you to enable various PaX features. PaX adds
80012 + intrusion prevention mechanisms to the kernel that reduce
80013 + the risks posed by exploitable memory corruption bugs.
80014 +
80015 +menu "PaX Control"
80016 + depends on PAX
80017 +
80018 +config PAX_SOFTMODE
80019 + bool 'Support soft mode'
80020 + select PAX_PT_PAX_FLAGS
80021 + help
80022 + Enabling this option will allow you to run PaX in soft mode, that
80023 + is, PaX features will not be enforced by default, only on executables
80024 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
80025 + is the only way to mark executables for soft mode use.
80026 +
80027 + Soft mode can be activated by using the "pax_softmode=1" kernel command
80028 + line option on boot. Furthermore you can control various PaX features
80029 + at runtime via the entries in /proc/sys/kernel/pax.
80030 +
80031 +config PAX_EI_PAX
80032 + bool 'Use legacy ELF header marking'
80033 + help
80034 + Enabling this option will allow you to control PaX features on
80035 + a per executable basis via the 'chpax' utility available at
80036 + http://pax.grsecurity.net/. The control flags will be read from
80037 + an otherwise reserved part of the ELF header. This marking has
80038 + numerous drawbacks (no support for soft-mode, toolchain does not
80039 + know about the non-standard use of the ELF header) therefore it
80040 + has been deprecated in favour of PT_PAX_FLAGS support.
80041 +
80042 + Note that if you enable PT_PAX_FLAGS marking support as well,
80043 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
80044 +
80045 +config PAX_PT_PAX_FLAGS
80046 + bool 'Use ELF program header marking'
80047 + help
80048 + Enabling this option will allow you to control PaX features on
80049 + a per executable basis via the 'paxctl' utility available at
80050 + http://pax.grsecurity.net/. The control flags will be read from
80051 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
80052 + has the benefits of supporting both soft mode and being fully
80053 + integrated into the toolchain (the binutils patch is available
80054 + from http://pax.grsecurity.net).
80055 +
80056 + If your toolchain does not support PT_PAX_FLAGS markings,
80057 + you can create one in most cases with 'paxctl -C'.
80058 +
80059 + Note that if you enable the legacy EI_PAX marking support as well,
80060 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
80061 +
80062 +choice
80063 + prompt 'MAC system integration'
80064 + default PAX_HAVE_ACL_FLAGS
80065 + help
80066 + Mandatory Access Control systems have the option of controlling
80067 + PaX flags on a per executable basis, choose the method supported
80068 + by your particular system.
80069 +
80070 + - "none": if your MAC system does not interact with PaX,
80071 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
80072 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
80073 +
80074 + NOTE: this option is for developers/integrators only.
80075 +
80076 + config PAX_NO_ACL_FLAGS
80077 + bool 'none'
80078 +
80079 + config PAX_HAVE_ACL_FLAGS
80080 + bool 'direct'
80081 +
80082 + config PAX_HOOK_ACL_FLAGS
80083 + bool 'hook'
80084 +endchoice
80085 +
80086 +endmenu
80087 +
80088 +menu "Non-executable pages"
80089 + depends on PAX
80090 +
80091 +config PAX_NOEXEC
80092 + bool "Enforce non-executable pages"
80093 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
80094 + help
80095 + By design some architectures do not allow for protecting memory
80096 + pages against execution or even if they do, Linux does not make
80097 + use of this feature. In practice this means that if a page is
80098 + readable (such as the stack or heap) it is also executable.
80099 +
80100 + There is a well known exploit technique that makes use of this
80101 + fact and a common programming mistake where an attacker can
80102 + introduce code of his choice somewhere in the attacked program's
80103 + memory (typically the stack or the heap) and then execute it.
80104 +
80105 + If the attacked program was running with different (typically
80106 + higher) privileges than that of the attacker, then he can elevate
80107 + his own privilege level (e.g. get a root shell, write to files for
80108 + which he does not have write access to, etc).
80109 +
80110 + Enabling this option will let you choose from various features
80111 + that prevent the injection and execution of 'foreign' code in
80112 + a program.
80113 +
80114 + This will also break programs that rely on the old behaviour and
80115 + expect that dynamically allocated memory via the malloc() family
80116 + of functions is executable (which it is not). Notable examples
80117 + are the XFree86 4.x server, the java runtime and wine.
80118 +
80119 +config PAX_PAGEEXEC
80120 + bool "Paging based non-executable pages"
80121 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
80122 + select S390_SWITCH_AMODE if S390
80123 + select S390_EXEC_PROTECT if S390
80124 + select ARCH_TRACK_EXEC_LIMIT if X86_32
80125 + help
80126 + This implementation is based on the paging feature of the CPU.
80127 + On i386 without hardware non-executable bit support there is a
80128 + variable but usually low performance impact, however on Intel's
80129 + P4 core based CPUs it is very high so you should not enable this
80130 + for kernels meant to be used on such CPUs.
80131 +
80132 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
80133 + with hardware non-executable bit support there is no performance
80134 + impact, on ppc the impact is negligible.
80135 +
80136 + Note that several architectures require various emulations due to
80137 + badly designed userland ABIs, this will cause a performance impact
80138 + but will disappear as soon as userland is fixed. For example, ppc
80139 + userland MUST have been built with secure-plt by a recent toolchain.
80140 +
80141 +config PAX_SEGMEXEC
80142 + bool "Segmentation based non-executable pages"
80143 + depends on PAX_NOEXEC && X86_32
80144 + help
80145 + This implementation is based on the segmentation feature of the
80146 + CPU and has a very small performance impact, however applications
80147 + will be limited to a 1.5 GB address space instead of the normal
80148 + 3 GB.
80149 +
80150 +config PAX_EMUTRAMP
80151 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
80152 + default y if PARISC
80153 + help
80154 + There are some programs and libraries that for one reason or
80155 + another attempt to execute special small code snippets from
80156 + non-executable memory pages. Most notable examples are the
80157 + signal handler return code generated by the kernel itself and
80158 + the GCC trampolines.
80159 +
80160 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
80161 + such programs will no longer work under your kernel.
80162 +
80163 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
80164 + utilities to enable trampoline emulation for the affected programs
80165 + yet still have the protection provided by the non-executable pages.
80166 +
80167 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
80168 + your system will not even boot.
80169 +
80170 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
80171 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
80172 + for the affected files.
80173 +
80174 + NOTE: enabling this feature *may* open up a loophole in the
80175 + protection provided by non-executable pages that an attacker
80176 + could abuse. Therefore the best solution is to not have any
80177 + files on your system that would require this option. This can
80178 + be achieved by not using libc5 (which relies on the kernel
80179 + signal handler return code) and not using or rewriting programs
80180 + that make use of the nested function implementation of GCC.
80181 + Skilled users can just fix GCC itself so that it implements
80182 + nested function calls in a way that does not interfere with PaX.
80183 +
80184 +config PAX_EMUSIGRT
80185 + bool "Automatically emulate sigreturn trampolines"
80186 + depends on PAX_EMUTRAMP && PARISC
80187 + default y
80188 + help
80189 + Enabling this option will have the kernel automatically detect
80190 + and emulate signal return trampolines executing on the stack
80191 + that would otherwise lead to task termination.
80192 +
80193 + This solution is intended as a temporary one for users with
80194 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
80195 + Modula-3 runtime, etc) or executables linked to such, basically
80196 + everything that does not specify its own SA_RESTORER function in
80197 + normal executable memory like glibc 2.1+ does.
80198 +
80199 + On parisc you MUST enable this option, otherwise your system will
80200 + not even boot.
80201 +
80202 + NOTE: this feature cannot be disabled on a per executable basis
80203 + and since it *does* open up a loophole in the protection provided
80204 + by non-executable pages, the best solution is to not have any
80205 + files on your system that would require this option.
80206 +
80207 +config PAX_MPROTECT
80208 + bool "Restrict mprotect()"
80209 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
80210 + help
80211 + Enabling this option will prevent programs from
80212 + - changing the executable status of memory pages that were
80213 + not originally created as executable,
80214 + - making read-only executable pages writable again,
80215 + - creating executable pages from anonymous memory,
80216 + - making read-only-after-relocations (RELRO) data pages writable again.
80217 +
80218 + You should say Y here to complete the protection provided by
80219 + the enforcement of non-executable pages.
80220 +
80221 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80222 + this feature on a per file basis.
80223 +
80224 +config PAX_MPROTECT_COMPAT
80225 + bool "Use legacy/compat protection demoting (read help)"
80226 + depends on PAX_MPROTECT
80227 + default n
80228 + help
80229 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
80230 + by sending the proper error code to the application. For some broken
80231 + userland, this can cause problems with Python or other applications. The
80232 + current implementation however allows for applications like clamav to
80233 + detect if JIT compilation/execution is allowed and to fall back gracefully
80234 + to an interpreter-based mode if it does not. While we encourage everyone
80235 + to use the current implementation as-is and push upstream to fix broken
80236 + userland (note that the RWX logging option can assist with this), in some
80237 + environments this may not be possible. Having to disable MPROTECT
80238 + completely on certain binaries reduces the security benefit of PaX,
80239 + so this option is provided for those environments to revert to the old
80240 + behavior.
80241 +
80242 +config PAX_ELFRELOCS
80243 + bool "Allow ELF text relocations (read help)"
80244 + depends on PAX_MPROTECT
80245 + default n
80246 + help
80247 + Non-executable pages and mprotect() restrictions are effective
80248 + in preventing the introduction of new executable code into an
80249 + attacked task's address space. There remain only two venues
80250 + for this kind of attack: if the attacker can execute already
80251 + existing code in the attacked task then he can either have it
80252 + create and mmap() a file containing his code or have it mmap()
80253 + an already existing ELF library that does not have position
80254 + independent code in it and use mprotect() on it to make it
80255 + writable and copy his code there. While protecting against
80256 + the former approach is beyond PaX, the latter can be prevented
80257 + by having only PIC ELF libraries on one's system (which do not
80258 + need to relocate their code). If you are sure this is your case,
80259 + as is the case with all modern Linux distributions, then leave
80260 + this option disabled. You should say 'n' here.
80261 +
80262 +config PAX_ETEXECRELOCS
80263 + bool "Allow ELF ET_EXEC text relocations"
80264 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
80265 + select PAX_ELFRELOCS
80266 + default y
80267 + help
80268 + On some architectures there are incorrectly created applications
80269 + that require text relocations and would not work without enabling
80270 + this option. If you are an alpha, ia64 or parisc user, you should
80271 + enable this option and disable it once you have made sure that
80272 + none of your applications need it.
80273 +
80274 +config PAX_EMUPLT
80275 + bool "Automatically emulate ELF PLT"
80276 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
80277 + default y
80278 + help
80279 + Enabling this option will have the kernel automatically detect
80280 + and emulate the Procedure Linkage Table entries in ELF files.
80281 + On some architectures such entries are in writable memory, and
80282 + become non-executable leading to task termination. Therefore
80283 + it is mandatory that you enable this option on alpha, parisc,
80284 + sparc and sparc64, otherwise your system would not even boot.
80285 +
80286 + NOTE: this feature *does* open up a loophole in the protection
80287 + provided by the non-executable pages, therefore the proper
80288 + solution is to modify the toolchain to produce a PLT that does
80289 + not need to be writable.
80290 +
80291 +config PAX_DLRESOLVE
80292 + bool 'Emulate old glibc resolver stub'
80293 + depends on PAX_EMUPLT && SPARC
80294 + default n
80295 + help
80296 + This option is needed if userland has an old glibc (before 2.4)
80297 + that puts a 'save' instruction into the runtime generated resolver
80298 + stub that needs special emulation.
80299 +
80300 +config PAX_KERNEXEC
80301 + bool "Enforce non-executable kernel pages"
80302 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
80303 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
80304 + help
80305 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
80306 + that is, enabling this option will make it harder to inject
80307 + and execute 'foreign' code in kernel memory itself.
80308 +
80309 + Note that on x86_64 kernels there is a known regression when
80310 + this feature and KVM/VMX are both enabled in the host kernel.
80311 +
80312 +config PAX_KERNEXEC_MODULE_TEXT
80313 + int "Minimum amount of memory reserved for module code"
80314 + default "4"
80315 + depends on PAX_KERNEXEC && X86_32 && MODULES
80316 + help
80317 + Due to implementation details the kernel must reserve a fixed
80318 + amount of memory for module code at compile time that cannot be
80319 + changed at runtime. Here you can specify the minimum amount
80320 + in MB that will be reserved. Due to the same implementation
80321 + details this size will always be rounded up to the next 2/4 MB
80322 + boundary (depends on PAE) so the actually available memory for
80323 + module code will usually be more than this minimum.
80324 +
80325 + The default 4 MB should be enough for most users but if you have
80326 + an excessive number of modules (e.g., most distribution configs
80327 + compile many drivers as modules) or use huge modules such as
80328 + nvidia's kernel driver, you will need to adjust this amount.
80329 + A good rule of thumb is to look at your currently loaded kernel
80330 + modules and add up their sizes.
80331 +
80332 +endmenu
80333 +
80334 +menu "Address Space Layout Randomization"
80335 + depends on PAX
80336 +
80337 +config PAX_ASLR
80338 + bool "Address Space Layout Randomization"
80339 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
80340 + help
80341 + Many if not most exploit techniques rely on the knowledge of
80342 + certain addresses in the attacked program. The following options
80343 + will allow the kernel to apply a certain amount of randomization
80344 + to specific parts of the program thereby forcing an attacker to
80345 + guess them in most cases. Any failed guess will most likely crash
80346 + the attacked program which allows the kernel to detect such attempts
80347 + and react on them. PaX itself provides no reaction mechanisms,
80348 + instead it is strongly encouraged that you make use of Nergal's
80349 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
80350 + (http://www.grsecurity.net/) built-in crash detection features or
80351 + develop one yourself.
80352 +
80353 + By saying Y here you can choose to randomize the following areas:
80354 + - top of the task's kernel stack
80355 + - top of the task's userland stack
80356 + - base address for mmap() requests that do not specify one
80357 + (this includes all libraries)
80358 + - base address of the main executable
80359 +
80360 + It is strongly recommended to say Y here as address space layout
80361 + randomization has negligible impact on performance yet it provides
80362 + a very effective protection.
80363 +
80364 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
80365 + this feature on a per file basis.
80366 +
80367 +config PAX_RANDKSTACK
80368 + bool "Randomize kernel stack base"
80369 + depends on PAX_ASLR && X86_TSC && X86
80370 + help
80371 + By saying Y here the kernel will randomize every task's kernel
80372 + stack on every system call. This will not only force an attacker
80373 + to guess it but also prevent him from making use of possible
80374 + leaked information about it.
80375 +
80376 + Since the kernel stack is a rather scarce resource, randomization
80377 + may cause unexpected stack overflows, therefore you should very
80378 + carefully test your system. Note that once enabled in the kernel
80379 + configuration, this feature cannot be disabled on a per file basis.
80380 +
80381 +config PAX_RANDUSTACK
80382 + bool "Randomize user stack base"
80383 + depends on PAX_ASLR
80384 + help
80385 + By saying Y here the kernel will randomize every task's userland
80386 + stack. The randomization is done in two steps where the second
80387 + one may apply a big amount of shift to the top of the stack and
80388 + cause problems for programs that want to use lots of memory (more
80389 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
80390 + For this reason the second step can be controlled by 'chpax' or
80391 + 'paxctl' on a per file basis.
80392 +
80393 +config PAX_RANDMMAP
80394 + bool "Randomize mmap() base"
80395 + depends on PAX_ASLR
80396 + help
80397 + By saying Y here the kernel will use a randomized base address for
80398 + mmap() requests that do not specify one themselves. As a result
80399 + all dynamically loaded libraries will appear at random addresses
80400 + and therefore be harder to exploit by a technique where an attacker
80401 + attempts to execute library code for his purposes (e.g. spawn a
80402 + shell from an exploited program that is running at an elevated
80403 + privilege level).
80404 +
80405 + Furthermore, if a program is relinked as a dynamic ELF file, its
80406 + base address will be randomized as well, completing the full
80407 + randomization of the address space layout. Attacking such programs
80408 + becomes a guess game. You can find an example of doing this at
80409 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
80410 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
80411 +
80412 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
80413 + feature on a per file basis.
80414 +
80415 +endmenu
80416 +
80417 +menu "Miscellaneous hardening features"
80418 +
80419 +config PAX_MEMORY_SANITIZE
80420 + bool "Sanitize all freed memory"
80421 + help
80422 + By saying Y here the kernel will erase memory pages as soon as they
80423 + are freed. This in turn reduces the lifetime of data stored in the
80424 + pages, making it less likely that sensitive information such as
80425 + passwords, cryptographic secrets, etc stay in memory for too long.
80426 +
80427 + This is especially useful for programs whose runtime is short, long
80428 + lived processes and the kernel itself benefit from this as long as
80429 + they operate on whole memory pages and ensure timely freeing of pages
80430 + that may hold sensitive information.
80431 +
80432 + The tradeoff is performance impact, on a single CPU system kernel
80433 + compilation sees a 3% slowdown, other systems and workloads may vary
80434 + and you are advised to test this feature on your expected workload
80435 + before deploying it.
80436 +
80437 + Note that this feature does not protect data stored in live pages,
80438 + e.g., process memory swapped to disk may stay there for a long time.
80439 +
80440 +config PAX_MEMORY_STACKLEAK
80441 + bool "Sanitize kernel stack"
80442 + depends on X86
80443 + help
80444 + By saying Y here the kernel will erase the kernel stack before it
80445 + returns from a system call. This in turn reduces the information
80446 + that a kernel stack leak bug can reveal.
80447 +
80448 + Note that such a bug can still leak information that was put on
80449 + the stack by the current system call (the one eventually triggering
80450 + the bug) but traces of earlier system calls on the kernel stack
80451 + cannot leak anymore.
80452 +
80453 + The tradeoff is performance impact: on a single CPU system kernel
80454 + compilation sees a 1% slowdown, other systems and workloads may vary
80455 + and you are advised to test this feature on your expected workload
80456 + before deploying it.
80457 +
80458 + Note: full support for this feature requires gcc with plugin support
80459 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
80460 + is not supported). Using older gcc versions means that functions
80461 + with large enough stack frames may leave uninitialized memory behind
80462 + that may be exposed to a later syscall leaking the stack.
80463 +
80464 +config PAX_MEMORY_UDEREF
80465 + bool "Prevent invalid userland pointer dereference"
80466 + depends on X86 && !UML_X86 && !XEN
80467 + select PAX_PER_CPU_PGD if X86_64
80468 + help
80469 + By saying Y here the kernel will be prevented from dereferencing
80470 + userland pointers in contexts where the kernel expects only kernel
80471 + pointers. This is both a useful runtime debugging feature and a
80472 + security measure that prevents exploiting a class of kernel bugs.
80473 +
80474 + The tradeoff is that some virtualization solutions may experience
80475 + a huge slowdown and therefore you should not enable this feature
80476 + for kernels meant to run in such environments. Whether a given VM
80477 + solution is affected or not is best determined by simply trying it
80478 + out, the performance impact will be obvious right on boot as this
80479 + mechanism engages from very early on. A good rule of thumb is that
80480 + VMs running on CPUs without hardware virtualization support (i.e.,
80481 + the majority of IA-32 CPUs) will likely experience the slowdown.
80482 +
80483 +config PAX_REFCOUNT
80484 + bool "Prevent various kernel object reference counter overflows"
80485 + depends on GRKERNSEC && (X86 || SPARC64)
80486 + help
80487 + By saying Y here the kernel will detect and prevent overflowing
80488 + various (but not all) kinds of object reference counters. Such
80489 + overflows can normally occur due to bugs only and are often, if
80490 + not always, exploitable.
80491 +
80492 + The tradeoff is that data structures protected by an overflowed
80493 + refcount will never be freed and therefore will leak memory. Note
80494 + that this leak also happens even without this protection but in
80495 + that case the overflow can eventually trigger the freeing of the
80496 + data structure while it is still being used elsewhere, resulting
80497 + in the exploitable situation that this feature prevents.
80498 +
80499 + Since this has a negligible performance impact, you should enable
80500 + this feature.
80501 +
80502 +config PAX_USERCOPY
80503 + bool "Harden heap object copies between kernel and userland"
80504 + depends on X86 || PPC || SPARC || ARM
80505 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
80506 + help
80507 + By saying Y here the kernel will enforce the size of heap objects
80508 + when they are copied in either direction between the kernel and
80509 + userland, even if only a part of the heap object is copied.
80510 +
80511 + Specifically, this checking prevents information leaking from the
80512 + kernel heap during kernel to userland copies (if the kernel heap
80513 + object is otherwise fully initialized) and prevents kernel heap
80514 + overflows during userland to kernel copies.
80515 +
80516 + Note that the current implementation provides the strictest bounds
80517 + checks for the SLUB allocator.
80518 +
80519 + Enabling this option also enables per-slab cache protection against
80520 + data in a given cache being copied into/out of via userland
80521 + accessors. Though the whitelist of regions will be reduced over
80522 + time, it notably protects important data structures like task structs.
80523 +
80524 + If frame pointers are enabled on x86, this option will also restrict
80525 + copies into and out of the kernel stack to local variables within a
80526 + single frame.
80527 +
80528 + Since this has a negligible performance impact, you should enable
80529 + this feature.
80530 +
80531 +endmenu
80532 +
80533 +endmenu
80534 +
80535 config KEYS
80536 bool "Enable access key retention support"
80537 help
80538 @@ -167,7 +715,7 @@ config INTEL_TXT
80539 config LSM_MMAP_MIN_ADDR
80540 int "Low address space for LSM to protect from user allocation"
80541 depends on SECURITY && SECURITY_SELINUX
80542 - default 65536
80543 + default 32768
80544 help
80545 This is the portion of low virtual memory which should be protected
80546 from userspace allocation. Keeping a user from writing to low pages
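Review bot: The new `default 32768` halves the low address range that is kept unmappable by default on builds with SECURITY_SELINUX, and nothing in the hunk records why. A smaller range means kernel dereferences at offsets of 32768 and above from a NULL base are no longer covered by this default. I would put the reason next to the value, e.g. `# lowered from 65536: <reason>`. The help text continues past the hunk, so any per-architecture recommendation it gives should be checked against the new default.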
80547 diff -urNp linux-2.6.39.3/security/keys/keyring.c linux-2.6.39.3/security/keys/keyring.c
80548 --- linux-2.6.39.3/security/keys/keyring.c 2011-05-19 00:06:34.000000000 -0400
80549 +++ linux-2.6.39.3/security/keys/keyring.c 2011-05-22 19:36:35.000000000 -0400
80550 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
80551 ret = -EFAULT;
80552
80553 for (loop = 0; loop < klist->nkeys; loop++) {
80554 + key_serial_t serial;
80555 key = klist->keys[loop];
80556 + serial = key->serial;
80557
80558 tmp = sizeof(key_serial_t);
80559 if (tmp > buflen)
80560 tmp = buflen;
80561
80562 - if (copy_to_user(buffer,
80563 - &key->serial,
80564 - tmp) != 0)
80565 + if (copy_to_user(buffer, &serial, tmp))
80566 goto error;
80567
80568 buflen -= tmp;
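Review bot: The reason for staging `key->serial` in the local `serial` before `copy_to_user()` is not recorded, so a later cleanup could fold it back to `&key->serial`. Judging by the PAX_USERCOPY help text added elsewhere in this patch, the point is presumably to avoid a userland copy straight out of a heap-allocated key object. A comment such as `/* copy from a stack local, not from the heap-allocated key (PAX_USERCOPY) */` above the assignment would preserve that intent. keyring_read's body starts and ends outside the hunk.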
80569 diff -urNp linux-2.6.39.3/security/min_addr.c linux-2.6.39.3/security/min_addr.c
80570 --- linux-2.6.39.3/security/min_addr.c 2011-05-19 00:06:34.000000000 -0400
80571 +++ linux-2.6.39.3/security/min_addr.c 2011-05-22 19:41:42.000000000 -0400
80572 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
80573 */
80574 static void update_mmap_min_addr(void)
80575 {
80576 +#ifndef SPARC
80577 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
80578 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
80579 mmap_min_addr = dac_mmap_min_addr;
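Review bot: `#ifndef SPARC` tests a macro that nothing visible here defines. Kernel configuration symbols reach the preprocessor as `CONFIG_*`, so unless `SPARC` is defined elsewhere the guard is always true and the body is still compiled on sparc. If the intent is to leave `mmap_min_addr` untouched there, the line should read `#ifndef CONFIG_SPARC`; the matching `#endif` is in the next hunk of this file. With the guard effective, update_mmap_min_addr() becomes empty on that architecture, so a comment should say why sparc is exempt and what value `mmap_min_addr` keeps.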
80580 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
80581 #else
80582 mmap_min_addr = dac_mmap_min_addr;
80583 #endif
80584 +#endif
80585 }
80586
80587 /*
80588 diff -urNp linux-2.6.39.3/security/security.c linux-2.6.39.3/security/security.c
80589 --- linux-2.6.39.3/security/security.c 2011-05-19 00:06:34.000000000 -0400
80590 +++ linux-2.6.39.3/security/security.c 2011-05-22 19:41:42.000000000 -0400
80591 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
80592 /* things that live in capability.c */
80593 extern void __init security_fixup_ops(struct security_operations *ops);
80594
80595 -static struct security_operations *security_ops;
80596 -static struct security_operations default_security_ops = {
80597 +static struct security_operations *security_ops __read_only;
80598 +static struct security_operations default_security_ops __read_only = {
80599 .name = "default",
80600 };
80601
80602 @@ -67,7 +67,9 @@ int __init security_init(void)
80603
80604 void reset_security_ops(void)
80605 {
80606 + pax_open_kernel();
80607 security_ops = &default_security_ops;
80608 + pax_close_kernel();
80609 }
80610
80611 /* Save user chosen LSM */
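Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair in reset_security_ops() has no comment tying it to the `__read_only` attribute that the previous hunk puts on `security_ops`. I would add `/* security_ops is __read_only: lift write protection for this single store */` above it. The other stores to `security_ops` lie outside these hunks; any that can run after init would need the same bracket. The same question applies to the ops tables marked `__read_only` in selinux/hooks.c, smack_lsm.c and tomoyo.c: `security_fixup_ops()` takes a non-const pointer, so whatever it writes into a table presumably has to happen during init, and a line stating that invariant would help.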
80612 diff -urNp linux-2.6.39.3/security/selinux/hooks.c linux-2.6.39.3/security/selinux/hooks.c
80613 --- linux-2.6.39.3/security/selinux/hooks.c 2011-05-19 00:06:34.000000000 -0400
80614 +++ linux-2.6.39.3/security/selinux/hooks.c 2011-05-22 19:41:42.000000000 -0400
80615 @@ -93,7 +93,6 @@
80616 #define NUM_SEL_MNT_OPTS 5
80617
80618 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
80619 -extern struct security_operations *security_ops;
80620
80621 /* SECMARK reference count */
80622 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
80623 @@ -5431,7 +5430,7 @@ static int selinux_key_getsecurity(struc
80624
80625 #endif
80626
80627 -static struct security_operations selinux_ops = {
80628 +static struct security_operations selinux_ops __read_only = {
80629 .name = "selinux",
80630
80631 .ptrace_access_check = selinux_ptrace_access_check,
80632 diff -urNp linux-2.6.39.3/security/selinux/include/xfrm.h linux-2.6.39.3/security/selinux/include/xfrm.h
80633 --- linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-19 00:06:34.000000000 -0400
80634 +++ linux-2.6.39.3/security/selinux/include/xfrm.h 2011-05-22 19:36:35.000000000 -0400
80635 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
80636
80637 static inline void selinux_xfrm_notify_policyload(void)
80638 {
80639 - atomic_inc(&flow_cache_genid);
80640 + atomic_inc_unchecked(&flow_cache_genid);
80641 }
80642 #else
80643 static inline int selinux_xfrm_enabled(void)
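Review bot: `atomic_inc_unchecked(&flow_cache_genid)` exempts this counter from the overflow detection described under PAX_REFCOUNT, but the hunk gives no reason for the exemption. Presumably it is a generation number where wrap-around is harmless rather than an object reference count. That should be stated at the call, e.g. `/* generation counter, not a refcount: wrapping is harmless */`. The declaration of `flow_cache_genid` is outside the hunk and has to be an `atomic_unchecked_t` for this call to type-check.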
80644 diff -urNp linux-2.6.39.3/security/selinux/ss/services.c linux-2.6.39.3/security/selinux/ss/services.c
80645 --- linux-2.6.39.3/security/selinux/ss/services.c 2011-05-19 00:06:34.000000000 -0400
80646 +++ linux-2.6.39.3/security/selinux/ss/services.c 2011-05-22 19:36:35.000000000 -0400
80647 @@ -1806,6 +1806,8 @@ int security_load_policy(void *data, siz
80648 int rc = 0;
80649 struct policy_file file = { data, len }, *fp = &file;
80650
80651 + pax_track_stack();
80652 +
80653 if (!ss_initialized) {
80654 avtab_cache_init();
80655 rc = policydb_read(&policydb, fp);
80656 diff -urNp linux-2.6.39.3/security/smack/smack_lsm.c linux-2.6.39.3/security/smack/smack_lsm.c
80657 --- linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-19 00:06:34.000000000 -0400
80658 +++ linux-2.6.39.3/security/smack/smack_lsm.c 2011-05-22 19:36:35.000000000 -0400
80659 @@ -3386,7 +3386,7 @@ static int smack_inode_getsecctx(struct
80660 return 0;
80661 }
80662
80663 -struct security_operations smack_ops = {
80664 +struct security_operations smack_ops __read_only = {
80665 .name = "smack",
80666
80667 .ptrace_access_check = smack_ptrace_access_check,
80668 diff -urNp linux-2.6.39.3/security/tomoyo/tomoyo.c linux-2.6.39.3/security/tomoyo/tomoyo.c
80669 --- linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-19 00:06:34.000000000 -0400
80670 +++ linux-2.6.39.3/security/tomoyo/tomoyo.c 2011-05-22 19:36:35.000000000 -0400
80671 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
80672 * tomoyo_security_ops is a "struct security_operations" which is used for
80673 * registering TOMOYO.
80674 */
80675 -static struct security_operations tomoyo_security_ops = {
80676 +static struct security_operations tomoyo_security_ops __read_only = {
80677 .name = "tomoyo",
80678 .cred_alloc_blank = tomoyo_cred_alloc_blank,
80679 .cred_prepare = tomoyo_cred_prepare,
80680 diff -urNp linux-2.6.39.3/sound/aoa/aoa.h linux-2.6.39.3/sound/aoa/aoa.h
80681 --- linux-2.6.39.3/sound/aoa/aoa.h 2011-05-19 00:06:34.000000000 -0400
80682 +++ linux-2.6.39.3/sound/aoa/aoa.h 2011-05-22 19:36:35.000000000 -0400
80683 @@ -122,8 +122,8 @@ extern struct snd_card *aoa_get_card(voi
80684 extern int aoa_snd_ctl_add(struct snd_kcontrol* control);
80685
80686 /* GPIO stuff */
80687 -extern struct gpio_methods *pmf_gpio_methods;
80688 -extern struct gpio_methods *ftr_gpio_methods;
80689 +extern const struct gpio_methods *pmf_gpio_methods;
80690 +extern const struct gpio_methods *ftr_gpio_methods;
80691 /* extern struct gpio_methods *map_gpio_methods; */
80692
80693 #endif /* __AOA_H */
80694 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.c linux-2.6.39.3/sound/aoa/codecs/onyx.c
80695 --- linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-19 00:06:34.000000000 -0400
80696 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.c 2011-05-22 19:36:35.000000000 -0400
80697 @@ -54,7 +54,7 @@ struct onyx {
80698 spdif_locked:1,
80699 analog_locked:1,
80700 original_mute:2;
80701 - int open_count;
80702 + local_t open_count;
80703 struct codec_info *codec_info;
80704
80705 /* mutex serializes concurrent access to the device
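Review bot: `open_count` becomes a `local_t`, a type meant for per-CPU counters, although every access in the two following hunks (`local_inc` in onyx_open, `local_dec_and_test` in onyx_close) happens under `onyx->mutex`, where a plain `int` was already safe. If the goal is overflow detection, note that PAX_REFCOUNT in this patch depends on `X86 || SPARC64`, while onyx.h includes `asm/pmac_low_i2c.h`, so it is unclear what the conversion buys on the platform this driver targets. A comment on the field should give the reason, e.g. `/* local_t only for overflow checking; still serialized by mutex */`. Any other reader of `open_count` outside these hunks would have to use `local_read()`.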
80706 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
80707 struct onyx *onyx = cii->codec_data;
80708
80709 mutex_lock(&onyx->mutex);
80710 - onyx->open_count++;
80711 + local_inc(&onyx->open_count);
80712 mutex_unlock(&onyx->mutex);
80713
80714 return 0;
80715 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
80716 struct onyx *onyx = cii->codec_data;
80717
80718 mutex_lock(&onyx->mutex);
80719 - onyx->open_count--;
80720 - if (!onyx->open_count)
80721 + if (local_dec_and_test(&onyx->open_count))
80722 onyx->spdif_locked = onyx->analog_locked = 0;
80723 mutex_unlock(&onyx->mutex);
80724
80725 diff -urNp linux-2.6.39.3/sound/aoa/codecs/onyx.h linux-2.6.39.3/sound/aoa/codecs/onyx.h
80726 --- linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-19 00:06:34.000000000 -0400
80727 +++ linux-2.6.39.3/sound/aoa/codecs/onyx.h 2011-05-22 19:36:35.000000000 -0400
80728 @@ -11,6 +11,7 @@
80729 #include <linux/i2c.h>
80730 #include <asm/pmac_low_i2c.h>
80731 #include <asm/prom.h>
80732 +#include <asm/local.h>
80733
80734 /* PCM3052 register definitions */
80735
80736 diff -urNp linux-2.6.39.3/sound/arm/aaci.c linux-2.6.39.3/sound/arm/aaci.c
80737 --- linux-2.6.39.3/sound/arm/aaci.c 2011-05-19 00:06:34.000000000 -0400
80738 +++ linux-2.6.39.3/sound/arm/aaci.c 2011-05-22 19:36:35.000000000 -0400
80739 @@ -635,7 +635,7 @@ static int aaci_pcm_playback_trigger(str
80740 return ret;
80741 }
80742
80743 -static struct snd_pcm_ops aaci_playback_ops = {
80744 +static const struct snd_pcm_ops aaci_playback_ops = {
80745 .open = aaci_pcm_open,
80746 .close = aaci_pcm_close,
80747 .ioctl = snd_pcm_lib_ioctl,
80748 @@ -738,7 +738,7 @@ static int aaci_pcm_capture_prepare(stru
80749 return 0;
80750 }
80751
80752 -static struct snd_pcm_ops aaci_capture_ops = {
80753 +static const struct snd_pcm_ops aaci_capture_ops = {
80754 .open = aaci_pcm_open,
80755 .close = aaci_pcm_close,
80756 .ioctl = snd_pcm_lib_ioctl,
80757 @@ -827,7 +827,7 @@ static struct ac97_pcm ac97_defs[] __dev
80758 }
80759 };
80760
80761 -static struct snd_ac97_bus_ops aaci_bus_ops = {
80762 +static const struct snd_ac97_bus_ops aaci_bus_ops = {
80763 .write = aaci_ac97_write,
80764 .read = aaci_ac97_read,
80765 };
80766 diff -urNp linux-2.6.39.3/sound/arm/pxa2xx-ac97.c linux-2.6.39.3/sound/arm/pxa2xx-ac97.c
80767 --- linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
80768 +++ linux-2.6.39.3/sound/arm/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
80769 @@ -34,7 +34,7 @@ static void pxa2xx_ac97_reset(struct snd
80770 pxa2xx_ac97_finish_reset(ac97);
80771 }
80772
80773 -static struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80774 +static const struct snd_ac97_bus_ops pxa2xx_ac97_ops = {
80775 .read = pxa2xx_ac97_read,
80776 .write = pxa2xx_ac97_write,
80777 .reset = pxa2xx_ac97_reset,
80778 diff -urNp linux-2.6.39.3/sound/atmel/abdac.c linux-2.6.39.3/sound/atmel/abdac.c
80779 --- linux-2.6.39.3/sound/atmel/abdac.c 2011-05-19 00:06:34.000000000 -0400
80780 +++ linux-2.6.39.3/sound/atmel/abdac.c 2011-05-22 19:36:35.000000000 -0400
80781 @@ -297,7 +297,7 @@ static irqreturn_t abdac_interrupt(int i
80782 return IRQ_HANDLED;
80783 }
80784
80785 -static struct snd_pcm_ops atmel_abdac_ops = {
80786 +static const struct snd_pcm_ops atmel_abdac_ops = {
80787 .open = atmel_abdac_open,
80788 .close = atmel_abdac_close,
80789 .ioctl = snd_pcm_lib_ioctl,
80790 diff -urNp linux-2.6.39.3/sound/atmel/ac97c.c linux-2.6.39.3/sound/atmel/ac97c.c
80791 --- linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-19 00:06:34.000000000 -0400
80792 +++ linux-2.6.39.3/sound/atmel/ac97c.c 2011-05-22 19:36:35.000000000 -0400
80793 @@ -626,7 +626,7 @@ atmel_ac97c_capture_pointer(struct snd_p
80794 return frames;
80795 }
80796
80797 -static struct snd_pcm_ops atmel_ac97_playback_ops = {
80798 +static const struct snd_pcm_ops atmel_ac97_playback_ops = {
80799 .open = atmel_ac97c_playback_open,
80800 .close = atmel_ac97c_playback_close,
80801 .ioctl = snd_pcm_lib_ioctl,
80802 @@ -637,7 +637,7 @@ static struct snd_pcm_ops atmel_ac97_pla
80803 .pointer = atmel_ac97c_playback_pointer,
80804 };
80805
80806 -static struct snd_pcm_ops atmel_ac97_capture_ops = {
80807 +static const struct snd_pcm_ops atmel_ac97_capture_ops = {
80808 .open = atmel_ac97c_capture_open,
80809 .close = atmel_ac97c_capture_close,
80810 .ioctl = snd_pcm_lib_ioctl,
80811 @@ -909,7 +909,7 @@ static int __devinit atmel_ac97c_probe(s
80812 struct resource *regs;
80813 struct ac97c_platform_data *pdata;
80814 struct clk *pclk;
80815 - static struct snd_ac97_bus_ops ops = {
80816 + static const struct snd_ac97_bus_ops ops = {
80817 .write = atmel_ac97c_write,
80818 .read = atmel_ac97c_read,
80819 };
80820 diff -urNp linux-2.6.39.3/sound/core/control.c linux-2.6.39.3/sound/core/control.c
80821 --- linux-2.6.39.3/sound/core/control.c 2011-05-19 00:06:34.000000000 -0400
80822 +++ linux-2.6.39.3/sound/core/control.c 2011-05-22 19:36:35.000000000 -0400
80823 @@ -1520,7 +1520,7 @@ static int snd_ctl_dev_free(struct snd_d
80824 */
80825 int snd_ctl_create(struct snd_card *card)
80826 {
80827 - static struct snd_device_ops ops = {
80828 + static const struct snd_device_ops ops = {
80829 .dev_free = snd_ctl_dev_free,
80830 .dev_register = snd_ctl_dev_register,
80831 .dev_disconnect = snd_ctl_dev_disconnect,
80832 diff -urNp linux-2.6.39.3/sound/core/device.c linux-2.6.39.3/sound/core/device.c
80833 --- linux-2.6.39.3/sound/core/device.c 2011-05-19 00:06:34.000000000 -0400
80834 +++ linux-2.6.39.3/sound/core/device.c 2011-05-22 19:36:35.000000000 -0400
80835 @@ -41,7 +41,7 @@
80836 * Returns zero if successful, or a negative error code on failure.
80837 */
80838 int snd_device_new(struct snd_card *card, snd_device_type_t type,
80839 - void *device_data, struct snd_device_ops *ops)
80840 + void *device_data, const struct snd_device_ops *ops)
80841 {
80842 struct snd_device *dev;
80843
80844 diff -urNp linux-2.6.39.3/sound/core/hwdep.c linux-2.6.39.3/sound/core/hwdep.c
80845 --- linux-2.6.39.3/sound/core/hwdep.c 2011-05-19 00:06:34.000000000 -0400
80846 +++ linux-2.6.39.3/sound/core/hwdep.c 2011-05-22 19:36:35.000000000 -0400
80847 @@ -348,7 +348,7 @@ int snd_hwdep_new(struct snd_card *card,
80848 {
80849 struct snd_hwdep *hwdep;
80850 int err;
80851 - static struct snd_device_ops ops = {
80852 + static const struct snd_device_ops ops = {
80853 .dev_free = snd_hwdep_dev_free,
80854 .dev_register = snd_hwdep_dev_register,
80855 .dev_disconnect = snd_hwdep_dev_disconnect,
80856 diff -urNp linux-2.6.39.3/sound/core/info.c linux-2.6.39.3/sound/core/info.c
80857 --- linux-2.6.39.3/sound/core/info.c 2011-05-19 00:06:34.000000000 -0400
80858 +++ linux-2.6.39.3/sound/core/info.c 2011-05-22 19:36:35.000000000 -0400
80859 @@ -897,7 +897,7 @@ static int snd_info_dev_register_entry(s
80860 int snd_card_proc_new(struct snd_card *card, const char *name,
80861 struct snd_info_entry **entryp)
80862 {
80863 - static struct snd_device_ops ops = {
80864 + static const struct snd_device_ops ops = {
80865 .dev_free = snd_info_dev_free_entry,
80866 .dev_register = snd_info_dev_register_entry,
80867 /* disconnect is done via snd_info_card_disconnect() */
80868 diff -urNp linux-2.6.39.3/sound/core/jack.c linux-2.6.39.3/sound/core/jack.c
80869 --- linux-2.6.39.3/sound/core/jack.c 2011-05-19 00:06:34.000000000 -0400
80870 +++ linux-2.6.39.3/sound/core/jack.c 2011-05-22 19:36:35.000000000 -0400
80871 @@ -105,7 +105,7 @@ int snd_jack_new(struct snd_card *card,
80872 struct snd_jack *jack;
80873 int err;
80874 int i;
80875 - static struct snd_device_ops ops = {
80876 + static const struct snd_device_ops ops = {
80877 .dev_free = snd_jack_dev_free,
80878 .dev_register = snd_jack_dev_register,
80879 };
80880 diff -urNp linux-2.6.39.3/sound/core/pcm.c linux-2.6.39.3/sound/core/pcm.c
80881 --- linux-2.6.39.3/sound/core/pcm.c 2011-05-19 00:06:34.000000000 -0400
80882 +++ linux-2.6.39.3/sound/core/pcm.c 2011-05-22 19:36:35.000000000 -0400
80883 @@ -717,7 +717,7 @@ int snd_pcm_new(struct snd_card *card, c
80884 {
80885 struct snd_pcm *pcm;
80886 int err;
80887 - static struct snd_device_ops ops = {
80888 + static const struct snd_device_ops ops = {
80889 .dev_free = snd_pcm_dev_free,
80890 .dev_register = snd_pcm_dev_register,
80891 .dev_disconnect = snd_pcm_dev_disconnect,
80892 diff -urNp linux-2.6.39.3/sound/core/pcm_lib.c linux-2.6.39.3/sound/core/pcm_lib.c
80893 --- linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-19 00:06:34.000000000 -0400
80894 +++ linux-2.6.39.3/sound/core/pcm_lib.c 2011-05-22 19:36:35.000000000 -0400
80895 @@ -505,7 +505,7 @@ int snd_pcm_update_hw_ptr(struct snd_pcm
80896 *
80897 * Sets the given PCM operators to the pcm instance.
80898 */
80899 -void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, struct snd_pcm_ops *ops)
80900 +void snd_pcm_set_ops(struct snd_pcm *pcm, int direction, const struct snd_pcm_ops *ops)
80901 {
80902 struct snd_pcm_str *stream = &pcm->streams[direction];
80903 struct snd_pcm_substream *substream;
80904 diff -urNp linux-2.6.39.3/sound/core/pcm_native.c linux-2.6.39.3/sound/core/pcm_native.c
80905 --- linux-2.6.39.3/sound/core/pcm_native.c 2011-05-19 00:06:34.000000000 -0400
80906 +++ linux-2.6.39.3/sound/core/pcm_native.c 2011-05-22 19:36:35.000000000 -0400
80907 @@ -702,7 +702,7 @@ struct action_ops {
80908 * Note: the stream state might be changed also on failure
80909 * Note2: call with calling stream lock + link lock
80910 */
80911 -static int snd_pcm_action_group(struct action_ops *ops,
80912 +static int snd_pcm_action_group(const struct action_ops *ops,
80913 struct snd_pcm_substream *substream,
80914 int state, int do_lock)
80915 {
80916 @@ -751,7 +751,7 @@ static int snd_pcm_action_group(struct a
80917 /*
80918 * Note: call with stream lock
80919 */
80920 -static int snd_pcm_action_single(struct action_ops *ops,
80921 +static int snd_pcm_action_single(const struct action_ops *ops,
80922 struct snd_pcm_substream *substream,
80923 int state)
80924 {
80925 @@ -771,7 +771,7 @@ static int snd_pcm_action_single(struct
80926 /*
80927 * Note: call with stream lock
80928 */
80929 -static int snd_pcm_action(struct action_ops *ops,
80930 +static int snd_pcm_action(const struct action_ops *ops,
80931 struct snd_pcm_substream *substream,
80932 int state)
80933 {
80934 @@ -794,7 +794,7 @@ static int snd_pcm_action(struct action_
80935 /*
80936 * Note: don't use any locks before
80937 */
80938 -static int snd_pcm_action_lock_irq(struct action_ops *ops,
80939 +static int snd_pcm_action_lock_irq(const struct action_ops *ops,
80940 struct snd_pcm_substream *substream,
80941 int state)
80942 {
80943 @@ -818,7 +818,7 @@ static int snd_pcm_action_lock_irq(struc
80944
80945 /*
80946 */
80947 -static int snd_pcm_action_nonatomic(struct action_ops *ops,
80948 +static int snd_pcm_action_nonatomic(const struct action_ops *ops,
80949 struct snd_pcm_substream *substream,
80950 int state)
80951 {
80952 @@ -877,7 +877,7 @@ static void snd_pcm_post_start(struct sn
80953 &runtime->trigger_tstamp);
80954 }
80955
80956 -static struct action_ops snd_pcm_action_start = {
80957 +static const struct action_ops snd_pcm_action_start = {
80958 .pre_action = snd_pcm_pre_start,
80959 .do_action = snd_pcm_do_start,
80960 .undo_action = snd_pcm_undo_start,
80961 @@ -928,7 +928,7 @@ static void snd_pcm_post_stop(struct snd
80962 wake_up(&runtime->tsleep);
80963 }
80964
80965 -static struct action_ops snd_pcm_action_stop = {
80966 +static const struct action_ops snd_pcm_action_stop = {
80967 .pre_action = snd_pcm_pre_stop,
80968 .do_action = snd_pcm_do_stop,
80969 .post_action = snd_pcm_post_stop
80970 @@ -1025,7 +1025,7 @@ static void snd_pcm_post_pause(struct sn
80971 }
80972 }
80973
80974 -static struct action_ops snd_pcm_action_pause = {
80975 +static const struct action_ops snd_pcm_action_pause = {
80976 .pre_action = snd_pcm_pre_pause,
80977 .do_action = snd_pcm_do_pause,
80978 .undo_action = snd_pcm_undo_pause,
80979 @@ -1076,7 +1076,7 @@ static void snd_pcm_post_suspend(struct
80980 wake_up(&runtime->tsleep);
80981 }
80982
80983 -static struct action_ops snd_pcm_action_suspend = {
80984 +static const struct action_ops snd_pcm_action_suspend = {
80985 .pre_action = snd_pcm_pre_suspend,
80986 .do_action = snd_pcm_do_suspend,
80987 .post_action = snd_pcm_post_suspend
80988 @@ -1175,7 +1175,7 @@ static void snd_pcm_post_resume(struct s
80989 runtime->status->state = runtime->status->suspended_state;
80990 }
80991
80992 -static struct action_ops snd_pcm_action_resume = {
80993 +static const struct action_ops snd_pcm_action_resume = {
80994 .pre_action = snd_pcm_pre_resume,
80995 .do_action = snd_pcm_do_resume,
80996 .undo_action = snd_pcm_undo_resume,
80997 @@ -1278,7 +1278,7 @@ static void snd_pcm_post_reset(struct sn
80998 snd_pcm_playback_silence(substream, ULONG_MAX);
80999 }
81000
81001 -static struct action_ops snd_pcm_action_reset = {
81002 +static const struct action_ops snd_pcm_action_reset = {
81003 .pre_action = snd_pcm_pre_reset,
81004 .do_action = snd_pcm_do_reset,
81005 .post_action = snd_pcm_post_reset
81006 @@ -1322,7 +1322,7 @@ static void snd_pcm_post_prepare(struct
81007 runtime->status->state = SNDRV_PCM_STATE_PREPARED;
81008 }
81009
81010 -static struct action_ops snd_pcm_action_prepare = {
81011 +static const struct action_ops snd_pcm_action_prepare = {
81012 .pre_action = snd_pcm_pre_prepare,
81013 .do_action = snd_pcm_do_prepare,
81014 .post_action = snd_pcm_post_prepare
81015 @@ -1397,7 +1397,7 @@ static void snd_pcm_post_drain_init(stru
81016 {
81017 }
81018
81019 -static struct action_ops snd_pcm_action_drain_init = {
81020 +static const struct action_ops snd_pcm_action_drain_init = {
81021 .pre_action = snd_pcm_pre_drain_init,
81022 .do_action = snd_pcm_do_drain_init,
81023 .post_action = snd_pcm_post_drain_init
81024 diff -urNp linux-2.6.39.3/sound/core/rawmidi.c linux-2.6.39.3/sound/core/rawmidi.c
81025 --- linux-2.6.39.3/sound/core/rawmidi.c 2011-05-19 00:06:34.000000000 -0400
81026 +++ linux-2.6.39.3/sound/core/rawmidi.c 2011-05-22 19:36:35.000000000 -0400
81027 @@ -1449,7 +1449,7 @@ int snd_rawmidi_new(struct snd_card *car
81028 {
81029 struct snd_rawmidi *rmidi;
81030 int err;
81031 - static struct snd_device_ops ops = {
81032 + static const struct snd_device_ops ops = {
81033 .dev_free = snd_rawmidi_dev_free,
81034 .dev_register = snd_rawmidi_dev_register,
81035 .dev_disconnect = snd_rawmidi_dev_disconnect,
81036 @@ -1654,7 +1654,7 @@ static int snd_rawmidi_dev_disconnect(st
81037 * Sets the rawmidi operators for the given stream direction.
81038 */
81039 void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
81040 - struct snd_rawmidi_ops *ops)
81041 + const struct snd_rawmidi_ops *ops)
81042 {
81043 struct snd_rawmidi_substream *substream;
81044
81045 diff -urNp linux-2.6.39.3/sound/core/seq/seq_device.c linux-2.6.39.3/sound/core/seq/seq_device.c
81046 --- linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-19 00:06:34.000000000 -0400
81047 +++ linux-2.6.39.3/sound/core/seq/seq_device.c 2011-05-22 19:36:35.000000000 -0400
81048 @@ -178,7 +178,7 @@ int snd_seq_device_new(struct snd_card *
81049 struct snd_seq_device *dev;
81050 struct ops_list *ops;
81051 int err;
81052 - static struct snd_device_ops dops = {
81053 + static const struct snd_device_ops dops = {
81054 .dev_free = snd_seq_device_dev_free,
81055 .dev_register = snd_seq_device_dev_register,
81056 .dev_disconnect = snd_seq_device_dev_disconnect,
81057 @@ -307,7 +307,7 @@ static int snd_seq_device_dev_disconnect
81058 * id = driver id
81059 * entry = driver operators - duplicated to each instance
81060 */
81061 -int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
81062 +int snd_seq_device_register_driver(char *id, const struct snd_seq_dev_ops *entry,
81063 int argsize)
81064 {
81065 struct ops_list *ops;
81066 diff -urNp linux-2.6.39.3/sound/core/seq/seq_midi.c linux-2.6.39.3/sound/core/seq/seq_midi.c
81067 --- linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-19 00:06:34.000000000 -0400
81068 +++ linux-2.6.39.3/sound/core/seq/seq_midi.c 2011-05-22 19:36:35.000000000 -0400
81069 @@ -461,7 +461,7 @@ snd_seq_midisynth_unregister_port(struct
81070
81071 static int __init alsa_seq_midi_init(void)
81072 {
81073 - static struct snd_seq_dev_ops ops = {
81074 + static const struct snd_seq_dev_ops ops = {
81075 snd_seq_midisynth_register_port,
81076 snd_seq_midisynth_unregister_port,
81077 };
81078 diff -urNp linux-2.6.39.3/sound/core/seq/seq_virmidi.c linux-2.6.39.3/sound/core/seq/seq_virmidi.c
81079 --- linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-19 00:06:34.000000000 -0400
81080 +++ linux-2.6.39.3/sound/core/seq/seq_virmidi.c 2011-05-22 19:36:35.000000000 -0400
81081 @@ -337,13 +337,13 @@ static int snd_virmidi_unuse(void *priva
81082 * Register functions
81083 */
81084
81085 -static struct snd_rawmidi_ops snd_virmidi_input_ops = {
81086 +static const struct snd_rawmidi_ops snd_virmidi_input_ops = {
81087 .open = snd_virmidi_input_open,
81088 .close = snd_virmidi_input_close,
81089 .trigger = snd_virmidi_input_trigger,
81090 };
81091
81092 -static struct snd_rawmidi_ops snd_virmidi_output_ops = {
81093 +static const struct snd_rawmidi_ops snd_virmidi_output_ops = {
81094 .open = snd_virmidi_output_open,
81095 .close = snd_virmidi_output_close,
81096 .trigger = snd_virmidi_output_trigger,
81097 @@ -467,7 +467,7 @@ static int snd_virmidi_dev_unregister(st
81098 /*
81099 *
81100 */
81101 -static struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81102 +static const struct snd_rawmidi_global_ops snd_virmidi_global_ops = {
81103 .dev_register = snd_virmidi_dev_register,
81104 .dev_unregister = snd_virmidi_dev_unregister,
81105 };
81106 diff -urNp linux-2.6.39.3/sound/core/timer.c linux-2.6.39.3/sound/core/timer.c
81107 --- linux-2.6.39.3/sound/core/timer.c 2011-05-19 00:06:34.000000000 -0400
81108 +++ linux-2.6.39.3/sound/core/timer.c 2011-05-22 19:36:35.000000000 -0400
81109 @@ -756,7 +756,7 @@ int snd_timer_new(struct snd_card *card,
81110 {
81111 struct snd_timer *timer;
81112 int err;
81113 - static struct snd_device_ops ops = {
81114 + static const struct snd_device_ops ops = {
81115 .dev_free = snd_timer_dev_free,
81116 .dev_register = snd_timer_dev_register,
81117 .dev_disconnect = snd_timer_dev_disconnect,
81118 diff -urNp linux-2.6.39.3/sound/drivers/aloop.c linux-2.6.39.3/sound/drivers/aloop.c
81119 --- linux-2.6.39.3/sound/drivers/aloop.c 2011-05-19 00:06:34.000000000 -0400
81120 +++ linux-2.6.39.3/sound/drivers/aloop.c 2011-05-22 19:36:35.000000000 -0400
81121 @@ -731,7 +731,7 @@ static int loopback_close(struct snd_pcm
81122 return 0;
81123 }
81124
81125 -static struct snd_pcm_ops loopback_playback_ops = {
81126 +static const struct snd_pcm_ops loopback_playback_ops = {
81127 .open = loopback_open,
81128 .close = loopback_close,
81129 .ioctl = snd_pcm_lib_ioctl,
81130 @@ -742,7 +742,7 @@ static struct snd_pcm_ops loopback_playb
81131 .pointer = loopback_pointer,
81132 };
81133
81134 -static struct snd_pcm_ops loopback_capture_ops = {
81135 +static const struct snd_pcm_ops loopback_capture_ops = {
81136 .open = loopback_open,
81137 .close = loopback_close,
81138 .ioctl = snd_pcm_lib_ioctl,
81139 diff -urNp linux-2.6.39.3/sound/drivers/dummy.c linux-2.6.39.3/sound/drivers/dummy.c
81140 --- linux-2.6.39.3/sound/drivers/dummy.c 2011-05-19 00:06:34.000000000 -0400
81141 +++ linux-2.6.39.3/sound/drivers/dummy.c 2011-05-22 19:36:35.000000000 -0400
81142 @@ -350,7 +350,7 @@ static void dummy_systimer_free(struct s
81143 kfree(substream->runtime->private_data);
81144 }
81145
81146 -static struct dummy_timer_ops dummy_systimer_ops = {
81147 +static const struct dummy_timer_ops dummy_systimer_ops = {
81148 .create = dummy_systimer_create,
81149 .free = dummy_systimer_free,
81150 .prepare = dummy_systimer_prepare,
81151 @@ -474,7 +474,7 @@ static void dummy_hrtimer_free(struct sn
81152 kfree(dpcm);
81153 }
81154
81155 -static struct dummy_timer_ops dummy_hrtimer_ops = {
81156 +static const struct dummy_timer_ops dummy_hrtimer_ops = {
81157 .create = dummy_hrtimer_create,
81158 .free = dummy_hrtimer_free,
81159 .prepare = dummy_hrtimer_prepare,
81160 @@ -660,7 +660,7 @@ static struct page *dummy_pcm_page(struc
81161 return virt_to_page(dummy_page[substream->stream]); /* the same page */
81162 }
81163
81164 -static struct snd_pcm_ops dummy_pcm_ops = {
81165 +static const struct snd_pcm_ops dummy_pcm_ops = {
81166 .open = dummy_pcm_open,
81167 .close = dummy_pcm_close,
81168 .ioctl = snd_pcm_lib_ioctl,
81169 @@ -671,7 +671,7 @@ static struct snd_pcm_ops dummy_pcm_ops
81170 .pointer = dummy_pcm_pointer,
81171 };
81172
81173 -static struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81174 +static const struct snd_pcm_ops dummy_pcm_ops_no_buf = {
81175 .open = dummy_pcm_open,
81176 .close = dummy_pcm_close,
81177 .ioctl = snd_pcm_lib_ioctl,
81178 @@ -689,7 +689,7 @@ static int __devinit snd_card_dummy_pcm(
81179 int substreams)
81180 {
81181 struct snd_pcm *pcm;
81182 - struct snd_pcm_ops *ops;
81183 + const struct snd_pcm_ops *ops;
81184 int err;
81185
81186 err = snd_pcm_new(dummy->card, "Dummy PCM", device,
81187 diff -urNp linux-2.6.39.3/sound/drivers/ml403-ac97cr.c linux-2.6.39.3/sound/drivers/ml403-ac97cr.c
81188 --- linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-19 00:06:34.000000000 -0400
81189 +++ linux-2.6.39.3/sound/drivers/ml403-ac97cr.c 2011-05-22 19:36:35.000000000 -0400
81190 @@ -759,7 +759,7 @@ static int snd_ml403_ac97cr_capture_clos
81191 return 0;
81192 }
81193
81194 -static struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81195 +static const struct snd_pcm_ops snd_ml403_ac97cr_playback_ops = {
81196 .open = snd_ml403_ac97cr_playback_open,
81197 .close = snd_ml403_ac97cr_playback_close,
81198 .ioctl = snd_pcm_lib_ioctl,
81199 @@ -770,7 +770,7 @@ static struct snd_pcm_ops snd_ml403_ac97
81200 .pointer = snd_ml403_ac97cr_pcm_pointer,
81201 };
81202
81203 -static struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81204 +static const struct snd_pcm_ops snd_ml403_ac97cr_capture_ops = {
81205 .open = snd_ml403_ac97cr_capture_open,
81206 .close = snd_ml403_ac97cr_capture_close,
81207 .ioctl = snd_pcm_lib_ioctl,
81208 @@ -1114,7 +1114,7 @@ snd_ml403_ac97cr_create(struct snd_card
81209 {
81210 struct snd_ml403_ac97cr *ml403_ac97cr;
81211 int err;
81212 - static struct snd_device_ops ops = {
81213 + static const struct snd_device_ops ops = {
81214 .dev_free = snd_ml403_ac97cr_dev_free,
81215 };
81216 struct resource *resource;
81217 @@ -1210,7 +1210,7 @@ snd_ml403_ac97cr_mixer(struct snd_ml403_
81218 struct snd_ac97_bus *bus;
81219 struct snd_ac97_template ac97;
81220 int err;
81221 - static struct snd_ac97_bus_ops ops = {
81222 + static const struct snd_ac97_bus_ops ops = {
81223 .write = snd_ml403_ac97cr_codec_write,
81224 .read = snd_ml403_ac97cr_codec_read,
81225 };
81226 diff -urNp linux-2.6.39.3/sound/drivers/mtpav.c linux-2.6.39.3/sound/drivers/mtpav.c
81227 --- linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-19 00:06:34.000000000 -0400
81228 +++ linux-2.6.39.3/sound/drivers/mtpav.c 2011-05-22 19:36:35.000000000 -0400
81229 @@ -601,13 +601,13 @@ static int __devinit snd_mtpav_get_ISA(s
81230 /*
81231 */
81232
81233 -static struct snd_rawmidi_ops snd_mtpav_output = {
81234 +static const struct snd_rawmidi_ops snd_mtpav_output = {
81235 .open = snd_mtpav_output_open,
81236 .close = snd_mtpav_output_close,
81237 .trigger = snd_mtpav_output_trigger,
81238 };
81239
81240 -static struct snd_rawmidi_ops snd_mtpav_input = {
81241 +static const struct snd_rawmidi_ops snd_mtpav_input = {
81242 .open = snd_mtpav_input_open,
81243 .close = snd_mtpav_input_close,
81244 .trigger = snd_mtpav_input_trigger,
81245 diff -urNp linux-2.6.39.3/sound/drivers/mts64.c linux-2.6.39.3/sound/drivers/mts64.c
81246 --- linux-2.6.39.3/sound/drivers/mts64.c 2011-05-19 00:06:34.000000000 -0400
81247 +++ linux-2.6.39.3/sound/drivers/mts64.c 2011-05-22 19:36:35.000000000 -0400
81248 @@ -28,6 +28,7 @@
81249 #include <sound/initval.h>
81250 #include <sound/rawmidi.h>
81251 #include <sound/control.h>
81252 +#include <asm/local.h>
81253
81254 #define CARD_NAME "Miditerminal 4140"
81255 #define DRIVER_NAME "MTS64"
81256 @@ -66,7 +67,7 @@ struct mts64 {
81257 struct pardevice *pardev;
81258 int pardev_claimed;
81259
81260 - int open_count;
81261 + local_t open_count;
81262 int current_midi_output_port;
81263 int current_midi_input_port;
81264 u8 mode[MTS64_NUM_INPUT_PORTS];
81265 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
81266 {
81267 struct mts64 *mts = substream->rmidi->private_data;
81268
81269 - if (mts->open_count == 0) {
81270 + if (local_read(&mts->open_count) == 0) {
81271 /* We don't need a spinlock here, because this is just called
81272 if the device has not been opened before.
81273 So there aren't any IRQs from the device */
81274 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
81275
81276 msleep(50);
81277 }
81278 - ++(mts->open_count);
81279 + local_inc(&mts->open_count);
81280
81281 return 0;
81282 }
81283 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
81284 struct mts64 *mts = substream->rmidi->private_data;
81285 unsigned long flags;
81286
81287 - --(mts->open_count);
81288 - if (mts->open_count == 0) {
81289 + if (local_dec_return(&mts->open_count) == 0) {
81290 /* We need the spinlock_irqsave here because we can still
81291 have IRQs at this point */
81292 spin_lock_irqsave(&mts->lock, flags);
81293 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
81294
81295 msleep(500);
81296
81297 - } else if (mts->open_count < 0)
81298 - mts->open_count = 0;
81299 + } else if (local_read(&mts->open_count) < 0)
81300 + local_set(&mts->open_count, 0);
81301
81302 return 0;
81303 }
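Review bot: In snd_mts64_rawmidi_close the underflow path still touches the counter in three separate steps, `local_dec_return()`, then `local_read()`, then `local_set(..., 0)`, so an open that increments between them would have its count overwritten. Keeping the decremented value in a local, e.g. `long cnt = local_dec_return(&mts->open_count);` and then testing `cnt == 0` and `cnt < 0`, removes the second read. local_t operations are only atomic with respect to the CPU they run on, so if open and close can run on different CPUs, `atomic_t` is the type that gives the guarantee. The same applies to the `local_read() == 0` check followed by `local_inc()` in the snd_mts64_rawmidi_open hunks above. Both function bodies extend outside the hunks shown.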
81304 @@ -760,13 +760,13 @@ static void snd_mts64_rawmidi_input_trig
81305 spin_unlock_irqrestore(&mts->lock, flags);
81306 }
81307
81308 -static struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81309 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_output_ops = {
81310 .open = snd_mts64_rawmidi_open,
81311 .close = snd_mts64_rawmidi_close,
81312 .trigger = snd_mts64_rawmidi_output_trigger
81313 };
81314
81315 -static struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81316 +static const struct snd_rawmidi_ops snd_mts64_rawmidi_input_ops = {
81317 .open = snd_mts64_rawmidi_open,
81318 .close = snd_mts64_rawmidi_close,
81319 .trigger = snd_mts64_rawmidi_input_trigger
81320 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp.c linux-2.6.39.3/sound/drivers/pcsp/pcsp.c
81321 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-19 00:06:34.000000000 -0400
81322 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp.c 2011-05-22 19:36:35.000000000 -0400
81323 @@ -41,7 +41,7 @@ struct snd_pcsp pcsp_chip;
81324
81325 static int __devinit snd_pcsp_create(struct snd_card *card)
81326 {
81327 - static struct snd_device_ops ops = { };
81328 + static const struct snd_device_ops ops = { };
81329 struct timespec tp;
81330 int err;
81331 int div, min_div, order;
81332 diff -urNp linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c
81333 --- linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-19 00:06:34.000000000 -0400
81334 +++ linux-2.6.39.3/sound/drivers/pcsp/pcsp_lib.c 2011-05-22 19:36:35.000000000 -0400
81335 @@ -323,7 +323,7 @@ static int snd_pcsp_playback_open(struct
81336 return 0;
81337 }
81338
81339 -static struct snd_pcm_ops snd_pcsp_playback_ops = {
81340 +static const struct snd_pcm_ops snd_pcsp_playback_ops = {
81341 .open = snd_pcsp_playback_open,
81342 .close = snd_pcsp_playback_close,
81343 .ioctl = snd_pcm_lib_ioctl,
81344 diff -urNp linux-2.6.39.3/sound/drivers/portman2x4.c linux-2.6.39.3/sound/drivers/portman2x4.c
81345 --- linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-19 00:06:34.000000000 -0400
81346 +++ linux-2.6.39.3/sound/drivers/portman2x4.c 2011-05-22 19:36:35.000000000 -0400
81347 @@ -47,6 +47,7 @@
81348 #include <sound/initval.h>
81349 #include <sound/rawmidi.h>
81350 #include <sound/control.h>
81351 +#include <asm/local.h>
81352
81353 #define CARD_NAME "Portman 2x4"
81354 #define DRIVER_NAME "portman"
81355 @@ -84,7 +85,7 @@ struct portman {
81356 struct pardevice *pardev;
81357 int pardev_claimed;
81358
81359 - int open_count;
81360 + local_t open_count;
81361 int mode[PORTMAN_NUM_INPUT_PORTS];
81362 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
81363 };
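Review bot: `open_count` in struct portman changes from `int` to `local_t`, but no hunk in this file section converts a reader or writer of it, unlike the mts64.c section where every access was rewritten to `local_read()`/`local_inc()`. If the field is unused in this driver, the type change and the new `#include <asm/local.h>` have no effect, and a comment on the field saying it is currently unused would make that clear. If it is used outside the visible hunks, those accesses need the same conversion for the file to compile.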
81364 @@ -547,13 +548,13 @@ static void snd_portman_midi_output_trig
81365 spin_unlock_irqrestore(&pm->reg_lock, flags);
81366 }
81367
81368 -static struct snd_rawmidi_ops snd_portman_midi_output = {
81369 +static const struct snd_rawmidi_ops snd_portman_midi_output = {
81370 .open = snd_portman_midi_open,
81371 .close = snd_portman_midi_close,
81372 .trigger = snd_portman_midi_output_trigger,
81373 };
81374
81375 -static struct snd_rawmidi_ops snd_portman_midi_input = {
81376 +static const struct snd_rawmidi_ops snd_portman_midi_input = {
81377 .open = snd_portman_midi_open,
81378 .close = snd_portman_midi_close,
81379 .trigger = snd_portman_midi_input_trigger,
81380 diff -urNp linux-2.6.39.3/sound/drivers/serial-u16550.c linux-2.6.39.3/sound/drivers/serial-u16550.c
81381 --- linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-19 00:06:34.000000000 -0400
81382 +++ linux-2.6.39.3/sound/drivers/serial-u16550.c 2011-05-22 19:36:35.000000000 -0400
81383 @@ -754,15 +754,13 @@ static void snd_uart16550_output_trigger
81384 snd_uart16550_output_write(substream);
81385 }
81386
81387 -static struct snd_rawmidi_ops snd_uart16550_output =
81388 -{
81389 +static const struct snd_rawmidi_ops snd_uart16550_output = {
81390 .open = snd_uart16550_output_open,
81391 .close = snd_uart16550_output_close,
81392 .trigger = snd_uart16550_output_trigger,
81393 };
81394
81395 -static struct snd_rawmidi_ops snd_uart16550_input =
81396 -{
81397 +static const struct snd_rawmidi_ops snd_uart16550_input = {
81398 .open = snd_uart16550_input_open,
81399 .close = snd_uart16550_input_close,
81400 .trigger = snd_uart16550_input_trigger,
81401 @@ -792,7 +790,7 @@ static int __devinit snd_uart16550_creat
81402 int droponfull,
81403 struct snd_uart16550 **ruart)
81404 {
81405 - static struct snd_device_ops ops = {
81406 + static const struct snd_device_ops ops = {
81407 .dev_free = snd_uart16550_dev_free,
81408 };
81409 struct snd_uart16550 *uart;
81410 diff -urNp linux-2.6.39.3/sound/drivers/vx/vx_pcm.c linux-2.6.39.3/sound/drivers/vx/vx_pcm.c
81411 --- linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-19 00:06:34.000000000 -0400
81412 +++ linux-2.6.39.3/sound/drivers/vx/vx_pcm.c 2011-05-22 19:36:35.000000000 -0400
81413 @@ -895,7 +895,7 @@ static int vx_pcm_prepare(struct snd_pcm
81414 /*
81415 * operators for PCM playback
81416 */
81417 -static struct snd_pcm_ops vx_pcm_playback_ops = {
81418 +static const struct snd_pcm_ops vx_pcm_playback_ops = {
81419 .open = vx_pcm_playback_open,
81420 .close = vx_pcm_playback_close,
81421 .ioctl = snd_pcm_lib_ioctl,
81422 @@ -1116,7 +1116,7 @@ static snd_pcm_uframes_t vx_pcm_capture_
81423 /*
81424 * operators for PCM capture
81425 */
81426 -static struct snd_pcm_ops vx_pcm_capture_ops = {
81427 +static const struct snd_pcm_ops vx_pcm_capture_ops = {
81428 .open = vx_pcm_capture_open,
81429 .close = vx_pcm_capture_close,
81430 .ioctl = snd_pcm_lib_ioctl,
81431 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.c linux-2.6.39.3/sound/firewire/amdtp.c
81432 --- linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-19 00:06:34.000000000 -0400
81433 +++ linux-2.6.39.3/sound/firewire/amdtp.c 2011-05-22 19:36:35.000000000 -0400
81434 @@ -371,7 +371,7 @@ static void queue_out_packet(struct amdt
81435 ptr = s->pcm_buffer_pointer + data_blocks;
81436 if (ptr >= pcm->runtime->buffer_size)
81437 ptr -= pcm->runtime->buffer_size;
81438 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
81439 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
81440
81441 s->pcm_period_pointer += data_blocks;
81442 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
81443 @@ -510,7 +510,7 @@ EXPORT_SYMBOL(amdtp_out_stream_start);
81444 */
81445 void amdtp_out_stream_update(struct amdtp_out_stream *s)
81446 {
81447 - ACCESS_ONCE(s->source_node_id_field) =
81448 + ACCESS_ONCE_RW(s->source_node_id_field) =
81449 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
81450 }
81451 EXPORT_SYMBOL(amdtp_out_stream_update);
81452 diff -urNp linux-2.6.39.3/sound/firewire/amdtp.h linux-2.6.39.3/sound/firewire/amdtp.h
81453 --- linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-19 00:06:34.000000000 -0400
81454 +++ linux-2.6.39.3/sound/firewire/amdtp.h 2011-05-22 19:36:35.000000000 -0400
81455 @@ -146,7 +146,7 @@ static inline void amdtp_out_stream_pcm_
81456 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
81457 struct snd_pcm_substream *pcm)
81458 {
81459 - ACCESS_ONCE(s->pcm) = pcm;
81460 + ACCESS_ONCE_RW(s->pcm) = pcm;
81461 }
81462
81463 /**
81464 diff -urNp linux-2.6.39.3/sound/i2c/i2c.c linux-2.6.39.3/sound/i2c/i2c.c
81465 --- linux-2.6.39.3/sound/i2c/i2c.c 2011-05-19 00:06:34.000000000 -0400
81466 +++ linux-2.6.39.3/sound/i2c/i2c.c 2011-05-22 19:36:35.000000000 -0400
81467 @@ -80,7 +80,7 @@ int snd_i2c_bus_create(struct snd_card *
81468 {
81469 struct snd_i2c_bus *bus;
81470 int err;
81471 - static struct snd_device_ops ops = {
81472 + static const struct snd_device_ops ops = {
81473 .dev_free = snd_i2c_bus_dev_free,
81474 };
81475
81476 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4113.c linux-2.6.39.3/sound/i2c/other/ak4113.c
81477 --- linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-19 00:06:34.000000000 -0400
81478 +++ linux-2.6.39.3/sound/i2c/other/ak4113.c 2011-05-22 19:36:35.000000000 -0400
81479 @@ -75,7 +75,7 @@ int snd_ak4113_create(struct snd_card *c
81480 struct ak4113 *chip;
81481 int err = 0;
81482 unsigned char reg;
81483 - static struct snd_device_ops ops = {
81484 + static const struct snd_device_ops ops = {
81485 .dev_free = snd_ak4113_dev_free,
81486 };
81487
81488 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4114.c linux-2.6.39.3/sound/i2c/other/ak4114.c
81489 --- linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-19 00:06:34.000000000 -0400
81490 +++ linux-2.6.39.3/sound/i2c/other/ak4114.c 2011-05-22 19:36:35.000000000 -0400
81491 @@ -86,7 +86,7 @@ int snd_ak4114_create(struct snd_card *c
81492 struct ak4114 *chip;
81493 int err = 0;
81494 unsigned char reg;
81495 - static struct snd_device_ops ops = {
81496 + static const struct snd_device_ops ops = {
81497 .dev_free = snd_ak4114_dev_free,
81498 };
81499
81500 diff -urNp linux-2.6.39.3/sound/i2c/other/ak4117.c linux-2.6.39.3/sound/i2c/other/ak4117.c
81501 --- linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-19 00:06:34.000000000 -0400
81502 +++ linux-2.6.39.3/sound/i2c/other/ak4117.c 2011-05-22 19:36:35.000000000 -0400
81503 @@ -78,7 +78,7 @@ int snd_ak4117_create(struct snd_card *c
81504 struct ak4117 *chip;
81505 int err = 0;
81506 unsigned char reg;
81507 - static struct snd_device_ops ops = {
81508 + static const struct snd_device_ops ops = {
81509 .dev_free = snd_ak4117_dev_free,
81510 };
81511
81512 diff -urNp linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c
81513 --- linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-19 00:06:34.000000000 -0400
81514 +++ linux-2.6.39.3/sound/isa/ad1816a/ad1816a_lib.c 2011-05-22 19:36:35.000000000 -0400
81515 @@ -575,7 +575,7 @@ int __devinit snd_ad1816a_create(struct
81516 unsigned long port, int irq, int dma1, int dma2,
81517 struct snd_ad1816a **rchip)
81518 {
81519 - static struct snd_device_ops ops = {
81520 + static const struct snd_device_ops ops = {
81521 .dev_free = snd_ad1816a_dev_free,
81522 };
81523 int error;
81524 diff -urNp linux-2.6.39.3/sound/isa/es1688/es1688_lib.c linux-2.6.39.3/sound/isa/es1688/es1688_lib.c
81525 --- linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-19 00:06:34.000000000 -0400
81526 +++ linux-2.6.39.3/sound/isa/es1688/es1688_lib.c 2011-05-22 19:36:35.000000000 -0400
81527 @@ -646,7 +646,7 @@ int snd_es1688_create(struct snd_card *c
81528 int dma8,
81529 unsigned short hardware)
81530 {
81531 - static struct snd_device_ops ops = {
81532 + static const struct snd_device_ops ops = {
81533 .dev_free = snd_es1688_dev_free,
81534 };
81535
81536 diff -urNp linux-2.6.39.3/sound/isa/es18xx.c linux-2.6.39.3/sound/isa/es18xx.c
81537 --- linux-2.6.39.3/sound/isa/es18xx.c 2011-05-19 00:06:34.000000000 -0400
81538 +++ linux-2.6.39.3/sound/isa/es18xx.c 2011-05-22 19:36:35.000000000 -0400
81539 @@ -1658,7 +1658,7 @@ static int __devinit snd_es18xx_probe(st
81540 return snd_es18xx_initialize(chip, mpu_port, fm_port);
81541 }
81542
81543 -static struct snd_pcm_ops snd_es18xx_playback_ops = {
81544 +static const struct snd_pcm_ops snd_es18xx_playback_ops = {
81545 .open = snd_es18xx_playback_open,
81546 .close = snd_es18xx_playback_close,
81547 .ioctl = snd_pcm_lib_ioctl,
81548 @@ -1669,7 +1669,7 @@ static struct snd_pcm_ops snd_es18xx_pla
81549 .pointer = snd_es18xx_playback_pointer,
81550 };
81551
81552 -static struct snd_pcm_ops snd_es18xx_capture_ops = {
81553 +static const struct snd_pcm_ops snd_es18xx_capture_ops = {
81554 .open = snd_es18xx_capture_open,
81555 .close = snd_es18xx_capture_close,
81556 .ioctl = snd_pcm_lib_ioctl,
81557 @@ -1784,7 +1784,7 @@ static int __devinit snd_es18xx_new_devi
81558 int irq, int dma1, int dma2)
81559 {
81560 struct snd_es18xx *chip = card->private_data;
81561 - static struct snd_device_ops ops = {
81562 + static const struct snd_device_ops ops = {
81563 .dev_free = snd_es18xx_dev_free,
81564 };
81565 int err;
81566 diff -urNp linux-2.6.39.3/sound/isa/gus/gus_main.c linux-2.6.39.3/sound/isa/gus/gus_main.c
81567 --- linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-19 00:06:34.000000000 -0400
81568 +++ linux-2.6.39.3/sound/isa/gus/gus_main.c 2011-05-22 19:36:35.000000000 -0400
81569 @@ -139,7 +139,7 @@ int snd_gus_create(struct snd_card *card
81570 {
81571 struct snd_gus_card *gus;
81572 int err;
81573 - static struct snd_device_ops ops = {
81574 + static const struct snd_device_ops ops = {
81575 .dev_free = snd_gus_dev_free,
81576 };
81577
81578 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd.c linux-2.6.39.3/sound/isa/msnd/msnd.c
81579 --- linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-19 00:06:34.000000000 -0400
81580 +++ linux-2.6.39.3/sound/isa/msnd/msnd.c 2011-05-22 19:36:35.000000000 -0400
81581 @@ -570,7 +570,7 @@ snd_msnd_playback_pointer(struct snd_pcm
81582 }
81583
81584
81585 -static struct snd_pcm_ops snd_msnd_playback_ops = {
81586 +static const struct snd_pcm_ops snd_msnd_playback_ops = {
81587 .open = snd_msnd_playback_open,
81588 .close = snd_msnd_playback_close,
81589 .ioctl = snd_pcm_lib_ioctl,
81590 @@ -667,7 +667,7 @@ static int snd_msnd_capture_hw_params(st
81591 }
81592
81593
81594 -static struct snd_pcm_ops snd_msnd_capture_ops = {
81595 +static const struct snd_pcm_ops snd_msnd_capture_ops = {
81596 .open = snd_msnd_capture_open,
81597 .close = snd_msnd_capture_close,
81598 .ioctl = snd_pcm_lib_ioctl,
81599 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_midi.c linux-2.6.39.3/sound/isa/msnd/msnd_midi.c
81600 --- linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-19 00:06:34.000000000 -0400
81601 +++ linux-2.6.39.3/sound/isa/msnd/msnd_midi.c 2011-05-22 19:36:35.000000000 -0400
81602 @@ -141,7 +141,7 @@ void snd_msndmidi_input_read(void *mpuv)
81603 }
81604 EXPORT_SYMBOL(snd_msndmidi_input_read);
81605
81606 -static struct snd_rawmidi_ops snd_msndmidi_input = {
81607 +static const struct snd_rawmidi_ops snd_msndmidi_input = {
81608 .open = snd_msndmidi_input_open,
81609 .close = snd_msndmidi_input_close,
81610 .trigger = snd_msndmidi_input_trigger,
81611 diff -urNp linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c
81612 --- linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-19 00:06:34.000000000 -0400
81613 +++ linux-2.6.39.3/sound/isa/msnd/msnd_pinnacle.c 2011-05-22 19:36:35.000000000 -0400
81614 @@ -539,7 +539,7 @@ static int __devinit snd_msnd_attach(str
81615 {
81616 struct snd_msnd *chip = card->private_data;
81617 int err;
81618 - static struct snd_device_ops ops = {
81619 + static const struct snd_device_ops ops = {
81620 .dev_free = snd_msnd_dev_free,
81621 };
81622
81623 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000.c linux-2.6.39.3/sound/isa/sb/emu8000.c
81624 --- linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-19 00:06:34.000000000 -0400
81625 +++ linux-2.6.39.3/sound/isa/sb/emu8000.c 2011-05-22 19:36:35.000000000 -0400
81626 @@ -1079,7 +1079,7 @@ snd_emu8000_new(struct snd_card *card, i
81627 struct snd_seq_device *awe;
81628 struct snd_emu8000 *hw;
81629 int err;
81630 - static struct snd_device_ops ops = {
81631 + static const struct snd_device_ops ops = {
81632 .dev_free = snd_emu8000_dev_free,
81633 };
81634
81635 diff -urNp linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c
81636 --- linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-19 00:06:34.000000000 -0400
81637 +++ linux-2.6.39.3/sound/isa/sb/emu8000_pcm.c 2011-05-22 19:36:35.000000000 -0400
81638 @@ -667,7 +667,7 @@ static snd_pcm_uframes_t emu8k_pcm_point
81639 }
81640
81641
81642 -static struct snd_pcm_ops emu8k_pcm_ops = {
81643 +static const struct snd_pcm_ops emu8k_pcm_ops = {
81644 .open = emu8k_pcm_open,
81645 .close = emu8k_pcm_close,
81646 .ioctl = snd_pcm_lib_ioctl,
81647 diff -urNp linux-2.6.39.3/sound/isa/sb/sb_common.c linux-2.6.39.3/sound/isa/sb/sb_common.c
81648 --- linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-19 00:06:34.000000000 -0400
81649 +++ linux-2.6.39.3/sound/isa/sb/sb_common.c 2011-05-22 19:36:35.000000000 -0400
81650 @@ -218,7 +218,7 @@ int snd_sbdsp_create(struct snd_card *ca
81651 {
81652 struct snd_sb *chip;
81653 int err;
81654 - static struct snd_device_ops ops = {
81655 + static const struct snd_device_ops ops = {
81656 .dev_free = snd_sbdsp_dev_free,
81657 };
81658
81659 diff -urNp linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c
81660 --- linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-19 00:06:34.000000000 -0400
81661 +++ linux-2.6.39.3/sound/isa/wavefront/wavefront_midi.c 2011-05-22 19:36:35.000000000 -0400
81662 @@ -561,14 +561,14 @@ snd_wavefront_midi_start (snd_wavefront_
81663 return 0;
81664 }
81665
81666 -struct snd_rawmidi_ops snd_wavefront_midi_output =
81667 +const struct snd_rawmidi_ops snd_wavefront_midi_output =
81668 {
81669 .open = snd_wavefront_midi_output_open,
81670 .close = snd_wavefront_midi_output_close,
81671 .trigger = snd_wavefront_midi_output_trigger,
81672 };
81673
81674 -struct snd_rawmidi_ops snd_wavefront_midi_input =
81675 +const struct snd_rawmidi_ops snd_wavefront_midi_input =
81676 {
81677 .open = snd_wavefront_midi_input_open,
81678 .close = snd_wavefront_midi_input_close,
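Review bot: `snd_wavefront_midi_output` and `snd_wavefront_midi_input` have external linkage, so making the definitions `const` here requires the matching `extern` declarations to gain `const` as well, and those are not part of this file section. A mismatch would show up as a conflicting-types error at build time, so it is worth confirming the header hunk exists elsewhere in the patch. The second initializer continues past the end of the hunk.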
81679 diff -urNp linux-2.6.39.3/sound/isa/wss/wss_lib.c linux-2.6.39.3/sound/isa/wss/wss_lib.c
81680 --- linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-19 00:06:34.000000000 -0400
81681 +++ linux-2.6.39.3/sound/isa/wss/wss_lib.c 2011-05-22 19:36:35.000000000 -0400
81682 @@ -1801,7 +1801,7 @@ int snd_wss_create(struct snd_card *card
81683 unsigned short hwshare,
81684 struct snd_wss **rchip)
81685 {
81686 - static struct snd_device_ops ops = {
81687 + static const struct snd_device_ops ops = {
81688 .dev_free = snd_wss_dev_free,
81689 };
81690 struct snd_wss *chip;
81691 diff -urNp linux-2.6.39.3/sound/mips/au1x00.c linux-2.6.39.3/sound/mips/au1x00.c
81692 --- linux-2.6.39.3/sound/mips/au1x00.c 2011-05-19 00:06:34.000000000 -0400
81693 +++ linux-2.6.39.3/sound/mips/au1x00.c 2011-05-22 19:36:35.000000000 -0400
81694 @@ -416,7 +416,7 @@ snd_au1000_pointer(struct snd_pcm_substr
81695 return bytes_to_frames(runtime,location);
81696 }
81697
81698 -static struct snd_pcm_ops snd_card_au1000_playback_ops = {
81699 +static const struct snd_pcm_ops snd_card_au1000_playback_ops = {
81700 .open = snd_au1000_playback_open,
81701 .close = snd_au1000_playback_close,
81702 .ioctl = snd_pcm_lib_ioctl,
81703 @@ -427,7 +427,7 @@ static struct snd_pcm_ops snd_card_au100
81704 .pointer = snd_au1000_pointer,
81705 };
81706
81707 -static struct snd_pcm_ops snd_card_au1000_capture_ops = {
81708 +static const struct snd_pcm_ops snd_card_au1000_capture_ops = {
81709 .open = snd_au1000_capture_open,
81710 .close = snd_au1000_capture_close,
81711 .ioctl = snd_pcm_lib_ioctl,
81712 @@ -557,7 +557,7 @@ snd_au1000_ac97_new(struct snd_au1000 *a
81713 int err;
81714 struct snd_ac97_bus *pbus;
81715 struct snd_ac97_template ac97;
81716 - static struct snd_ac97_bus_ops ops = {
81717 + static const struct snd_ac97_bus_ops ops = {
81718 .write = snd_au1000_ac97_write,
81719 .read = snd_au1000_ac97_read,
81720 };
81721 diff -urNp linux-2.6.39.3/sound/mips/hal2.c linux-2.6.39.3/sound/mips/hal2.c
81722 --- linux-2.6.39.3/sound/mips/hal2.c 2011-05-19 00:06:34.000000000 -0400
81723 +++ linux-2.6.39.3/sound/mips/hal2.c 2011-05-22 19:36:35.000000000 -0400
81724 @@ -708,7 +708,7 @@ static int hal2_capture_ack(struct snd_p
81725 return 0;
81726 }
81727
81728 -static struct snd_pcm_ops hal2_playback_ops = {
81729 +static const struct snd_pcm_ops hal2_playback_ops = {
81730 .open = hal2_playback_open,
81731 .close = hal2_playback_close,
81732 .ioctl = snd_pcm_lib_ioctl,
81733 @@ -720,7 +720,7 @@ static struct snd_pcm_ops hal2_playback_
81734 .ack = hal2_playback_ack,
81735 };
81736
81737 -static struct snd_pcm_ops hal2_capture_ops = {
81738 +static const struct snd_pcm_ops hal2_capture_ops = {
81739 .open = hal2_capture_open,
81740 .close = hal2_capture_close,
81741 .ioctl = snd_pcm_lib_ioctl,
81742 @@ -766,7 +766,7 @@ static int hal2_dev_free(struct snd_devi
81743 return 0;
81744 }
81745
81746 -static struct snd_device_ops hal2_ops = {
81747 +static const struct snd_device_ops hal2_ops = {
81748 .dev_free = hal2_dev_free,
81749 };
81750
81751 diff -urNp linux-2.6.39.3/sound/mips/sgio2audio.c linux-2.6.39.3/sound/mips/sgio2audio.c
81752 --- linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-19 00:06:34.000000000 -0400
81753 +++ linux-2.6.39.3/sound/mips/sgio2audio.c 2011-05-22 19:36:35.000000000 -0400
81754 @@ -681,7 +681,7 @@ snd_sgio2audio_pcm_pointer(struct snd_pc
81755 }
81756
81757 /* operators */
81758 -static struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81759 +static const struct snd_pcm_ops snd_sgio2audio_playback1_ops = {
81760 .open = snd_sgio2audio_playback1_open,
81761 .close = snd_sgio2audio_pcm_close,
81762 .ioctl = snd_pcm_lib_ioctl,
81763 @@ -694,7 +694,7 @@ static struct snd_pcm_ops snd_sgio2audio
81764 .mmap = snd_pcm_lib_mmap_vmalloc,
81765 };
81766
81767 -static struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81768 +static const struct snd_pcm_ops snd_sgio2audio_playback2_ops = {
81769 .open = snd_sgio2audio_playback2_open,
81770 .close = snd_sgio2audio_pcm_close,
81771 .ioctl = snd_pcm_lib_ioctl,
81772 @@ -707,7 +707,7 @@ static struct snd_pcm_ops snd_sgio2audio
81773 .mmap = snd_pcm_lib_mmap_vmalloc,
81774 };
81775
81776 -static struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81777 +static const struct snd_pcm_ops snd_sgio2audio_capture_ops = {
81778 .open = snd_sgio2audio_capture_open,
81779 .close = snd_sgio2audio_pcm_close,
81780 .ioctl = snd_pcm_lib_ioctl,
81781 @@ -829,7 +829,7 @@ static int snd_sgio2audio_dev_free(struc
81782 return snd_sgio2audio_free(chip);
81783 }
81784
81785 -static struct snd_device_ops ops = {
81786 +static const struct snd_device_ops ops = {
81787 .dev_free = snd_sgio2audio_dev_free,
81788 };
81789
81790 diff -urNp linux-2.6.39.3/sound/oss/ac97_codec.c linux-2.6.39.3/sound/oss/ac97_codec.c
81791 --- linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81792 +++ linux-2.6.39.3/sound/oss/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81793 @@ -99,23 +99,23 @@ static int generic_digital_control(struc
81794 * operations yet
81795 */
81796
81797 -static struct ac97_ops null_ops = { NULL, NULL, NULL };
81798 -static struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81799 -static struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81800 -static struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81801 -static struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81802 -static struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81803 -static struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81804 -static struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81805 -static struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81806 -static struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81807 -static struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81808 -static struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81809 -static struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81810 -static struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81811 -static struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81812 -static struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81813 -static struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81814 +static const struct ac97_ops null_ops = { NULL, NULL, NULL };
81815 +static const struct ac97_ops default_ops = { NULL, eapd_control, NULL };
81816 +static const struct ac97_ops default_digital_ops = { NULL, eapd_control, generic_digital_control};
81817 +static const struct ac97_ops wolfson_ops03 = { wolfson_init03, NULL, NULL };
81818 +static const struct ac97_ops wolfson_ops04 = { wolfson_init04, NULL, NULL };
81819 +static const struct ac97_ops wolfson_ops05 = { wolfson_init05, NULL, NULL };
81820 +static const struct ac97_ops wolfson_ops11 = { wolfson_init11, NULL, NULL };
81821 +static const struct ac97_ops wolfson_ops13 = { wolfson_init13, NULL, NULL };
81822 +static const struct ac97_ops tritech_ops = { tritech_init, NULL, NULL };
81823 +static const struct ac97_ops tritech_m_ops = { tritech_maestro_init, NULL, NULL };
81824 +static const struct ac97_ops sigmatel_9708_ops = { sigmatel_9708_init, NULL, NULL };
81825 +static const struct ac97_ops sigmatel_9721_ops = { sigmatel_9721_init, NULL, NULL };
81826 +static const struct ac97_ops sigmatel_9744_ops = { sigmatel_9744_init, NULL, NULL };
81827 +static const struct ac97_ops crystal_digital_ops = { NULL, eapd_control, crystal_digital_control };
81828 +static const struct ac97_ops ad1886_ops = { ad1886_init, eapd_control, NULL };
81829 +static const struct ac97_ops cmedia_ops = { NULL, eapd_control, NULL};
81830 +static const struct ac97_ops cmedia_digital_ops = { cmedia_init, eapd_control, cmedia_digital_control};
81831
81832 /* sorted by vendor/device id */
81833 static const struct {
81834 diff -urNp linux-2.6.39.3/sound/oss/sb_audio.c linux-2.6.39.3/sound/oss/sb_audio.c
81835 --- linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-19 00:06:34.000000000 -0400
81836 +++ linux-2.6.39.3/sound/oss/sb_audio.c 2011-05-22 19:36:35.000000000 -0400
81837 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81838 buf16 = (signed short *)(localbuf + localoffs);
81839 while (c)
81840 {
81841 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81842 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81843 if (copy_from_user(lbuf8,
81844 userbuf+useroffs + p,
81845 locallen))
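Review bot: The `(unsigned)c` cast makes a negative `c` clamp `locallen` to LBUFCOPYSIZE, but the `while (c)` above it still enters the loop for a negative count, so the bound rests on a cast at the point of use rather than on `c` being validated. Writing the loop condition as `while (c > 0)`, or giving `c` and `locallen` an unsigned type, would state the invariant once. If the cast stays, a comment such as `/* c is signed: compare as unsigned so a negative count cannot bypass the clamp */` would explain it. If sb16_copy_from_user has another chunked-copy loop with the same `c >= LBUFCOPYSIZE` test outside this hunk, it needs the same treatment. The function body starts and ends outside the hunk.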
81846 diff -urNp linux-2.6.39.3/sound/oss/swarm_cs4297a.c linux-2.6.39.3/sound/oss/swarm_cs4297a.c
81847 --- linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-19 00:06:34.000000000 -0400
81848 +++ linux-2.6.39.3/sound/oss/swarm_cs4297a.c 2011-05-22 19:36:35.000000000 -0400
81849 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
81850 {
81851 struct cs4297a_state *s;
81852 u32 pwr, id;
81853 - mm_segment_t fs;
81854 int rval;
81855 #ifndef CONFIG_BCM_CS4297A_CSWARM
81856 u64 cfg;
81857 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
81858 if (!rval) {
81859 char *sb1250_duart_present;
81860
81861 +#if 0
81862 + mm_segment_t fs;
81863 fs = get_fs();
81864 set_fs(KERNEL_DS);
81865 -#if 0
81866 val = SOUND_MASK_LINE;
81867 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
81868 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
81869 val = initvol[i].vol;
81870 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
81871 }
81872 + set_fs(fs);
81873 // cs4297a_write_ac97(s, 0x18, 0x0808);
81874 #else
81875 // cs4297a_write_ac97(s, 0x5e, 0x180);
81876 cs4297a_write_ac97(s, 0x02, 0x0808);
81877 cs4297a_write_ac97(s, 0x18, 0x0808);
81878 #endif
81879 - set_fs(fs);
81880
81881 list_add(&s->list, &cs4297a_devs);
81882
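Review bot: The disabled `#if 0` branch now carries its own `get_fs()`/`set_fs(KERNEL_DS)`/`set_fs(fs)` sequence as dead code, with nothing saying why it needs the raised address limit, so flipping the `#if` later would bring the KERNEL_DS window back unreviewed. Either delete the disabled branch outright or head it with a comment such as `/* needs KERNEL_DS only because mixer_ioctl() is handed kernel addresses */`. The live `#else` path only calls `cs4297a_write_ac97()` with constants, so dropping the address-limit change there looks correct from what the hunk shows. cs4297a_init continues outside the hunk.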
81883 diff -urNp linux-2.6.39.3/sound/parisc/harmony.c linux-2.6.39.3/sound/parisc/harmony.c
81884 --- linux-2.6.39.3/sound/parisc/harmony.c 2011-05-19 00:06:34.000000000 -0400
81885 +++ linux-2.6.39.3/sound/parisc/harmony.c 2011-05-22 19:36:35.000000000 -0400
81886 @@ -596,7 +596,7 @@ snd_harmony_hw_free(struct snd_pcm_subst
81887 return snd_pcm_lib_free_pages(ss);
81888 }
81889
81890 -static struct snd_pcm_ops snd_harmony_playback_ops = {
81891 +static const struct snd_pcm_ops snd_harmony_playback_ops = {
81892 .open = snd_harmony_playback_open,
81893 .close = snd_harmony_playback_close,
81894 .ioctl = snd_pcm_lib_ioctl,
81895 @@ -607,7 +607,7 @@ static struct snd_pcm_ops snd_harmony_pl
81896 .pointer = snd_harmony_playback_pointer,
81897 };
81898
81899 -static struct snd_pcm_ops snd_harmony_capture_ops = {
81900 +static const struct snd_pcm_ops snd_harmony_capture_ops = {
81901 .open = snd_harmony_capture_open,
81902 .close = snd_harmony_capture_close,
81903 .ioctl = snd_pcm_lib_ioctl,
81904 @@ -922,7 +922,7 @@ snd_harmony_create(struct snd_card *card
81905 {
81906 int err;
81907 struct snd_harmony *h;
81908 - static struct snd_device_ops ops = {
81909 + static const struct snd_device_ops ops = {
81910 .dev_free = snd_harmony_dev_free,
81911 };
81912
81913 diff -urNp linux-2.6.39.3/sound/pci/ac97/ac97_codec.c linux-2.6.39.3/sound/pci/ac97/ac97_codec.c
81914 --- linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-19 00:06:34.000000000 -0400
81915 +++ linux-2.6.39.3/sound/pci/ac97/ac97_codec.c 2011-05-22 19:36:35.000000000 -0400
81916 @@ -1910,12 +1910,12 @@ static int ac97_reset_wait(struct snd_ac
81917 *
81918 * Returns zero if successful, or a negative error code on failure.
81919 */
81920 -int snd_ac97_bus(struct snd_card *card, int num, struct snd_ac97_bus_ops *ops,
81921 +int snd_ac97_bus(struct snd_card *card, int num, const struct snd_ac97_bus_ops *ops,
81922 void *private_data, struct snd_ac97_bus **rbus)
81923 {
81924 int err;
81925 struct snd_ac97_bus *bus;
81926 - static struct snd_device_ops dev_ops = {
81927 + static const struct snd_device_ops dev_ops = {
81928 .dev_free = snd_ac97_bus_dev_free,
81929 };
81930
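Review bot: The new `const struct snd_ac97_bus_ops *ops` parameter only helps if the pointer stays const where `snd_ac97_bus` stores it. The function body continues outside this hunk; if it assigns `ops` to a non-const member (likely `bus->ops`), the qualifier is dropped at that assignment. The member in `struct snd_ac97_bus` and the prototype, wherever it is declared, need the same `const` so that callers' tables, such as the `static const struct snd_ac97_bus_ops ops` in the ad1889.c and ali5451.c hunks, are accepted without casts. The kernel-doc block above the function would be a good place to state that `ops` is not written through and, if the bus keeps the pointer, that the table must outlive the bus.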
81931 @@ -2015,7 +2015,7 @@ int snd_ac97_mixer(struct snd_ac97_bus *
81932 unsigned long end_time;
81933 unsigned int reg;
81934 const struct ac97_codec_id *pid;
81935 - static struct snd_device_ops ops = {
81936 + static const struct snd_device_ops ops = {
81937 .dev_free = snd_ac97_dev_free,
81938 .dev_register = snd_ac97_dev_register,
81939 .dev_disconnect = snd_ac97_dev_disconnect,
81940 diff -urNp linux-2.6.39.3/sound/pci/ad1889.c linux-2.6.39.3/sound/pci/ad1889.c
81941 --- linux-2.6.39.3/sound/pci/ad1889.c 2011-05-19 00:06:34.000000000 -0400
81942 +++ linux-2.6.39.3/sound/pci/ad1889.c 2011-05-22 19:36:35.000000000 -0400
81943 @@ -574,7 +574,7 @@ snd_ad1889_capture_pointer(struct snd_pc
81944 return bytes_to_frames(ss->runtime, ptr);
81945 }
81946
81947 -static struct snd_pcm_ops snd_ad1889_playback_ops = {
81948 +static const struct snd_pcm_ops snd_ad1889_playback_ops = {
81949 .open = snd_ad1889_playback_open,
81950 .close = snd_ad1889_playback_close,
81951 .ioctl = snd_pcm_lib_ioctl,
81952 @@ -585,7 +585,7 @@ static struct snd_pcm_ops snd_ad1889_pla
81953 .pointer = snd_ad1889_playback_pointer,
81954 };
81955
81956 -static struct snd_pcm_ops snd_ad1889_capture_ops = {
81957 +static const struct snd_pcm_ops snd_ad1889_capture_ops = {
81958 .open = snd_ad1889_capture_open,
81959 .close = snd_ad1889_capture_close,
81960 .ioctl = snd_pcm_lib_ioctl,
81961 @@ -809,7 +809,7 @@ snd_ad1889_ac97_init(struct snd_ad1889 *
81962 {
81963 int err;
81964 struct snd_ac97_template ac97;
81965 - static struct snd_ac97_bus_ops ops = {
81966 + static const struct snd_ac97_bus_ops ops = {
81967 .write = snd_ad1889_ac97_write,
81968 .read = snd_ad1889_ac97_read,
81969 };
81970 @@ -899,7 +899,7 @@ snd_ad1889_create(struct snd_card *card,
81971 int err;
81972
81973 struct snd_ad1889 *chip;
81974 - static struct snd_device_ops ops = {
81975 + static const struct snd_device_ops ops = {
81976 .dev_free = snd_ad1889_dev_free,
81977 };
81978
81979 diff -urNp linux-2.6.39.3/sound/pci/ak4531_codec.c linux-2.6.39.3/sound/pci/ak4531_codec.c
81980 --- linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-19 00:06:34.000000000 -0400
81981 +++ linux-2.6.39.3/sound/pci/ak4531_codec.c 2011-05-22 19:36:35.000000000 -0400
81982 @@ -389,7 +389,7 @@ int __devinit snd_ak4531_mixer(struct sn
81983 unsigned int idx;
81984 int err;
81985 struct snd_ak4531 *ak4531;
81986 - static struct snd_device_ops ops = {
81987 + static const struct snd_device_ops ops = {
81988 .dev_free = snd_ak4531_dev_free,
81989 };
81990
81991 diff -urNp linux-2.6.39.3/sound/pci/ali5451/ali5451.c linux-2.6.39.3/sound/pci/ali5451/ali5451.c
81992 --- linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-19 00:06:34.000000000 -0400
81993 +++ linux-2.6.39.3/sound/pci/ali5451/ali5451.c 2011-05-22 19:36:35.000000000 -0400
81994 @@ -1847,7 +1847,7 @@ static int __devinit snd_ali_mixer(struc
81995 struct snd_ac97_template ac97;
81996 unsigned int idx;
81997 int i, err;
81998 - static struct snd_ac97_bus_ops ops = {
81999 + static const struct snd_ac97_bus_ops ops = {
82000 .write = snd_ali_codec_write,
82001 .read = snd_ali_codec_read,
82002 };
82003 @@ -2114,7 +2114,7 @@ static int __devinit snd_ali_create(stru
82004 struct snd_ali *codec;
82005 int i, err;
82006 unsigned short cmdw;
82007 - static struct snd_device_ops ops = {
82008 + static const struct snd_device_ops ops = {
82009 .dev_free = snd_ali_dev_free,
82010 };
82011
82012 diff -urNp linux-2.6.39.3/sound/pci/als300.c linux-2.6.39.3/sound/pci/als300.c
82013 --- linux-2.6.39.3/sound/pci/als300.c 2011-05-19 00:06:34.000000000 -0400
82014 +++ linux-2.6.39.3/sound/pci/als300.c 2011-05-22 19:36:35.000000000 -0400
82015 @@ -319,7 +319,7 @@ static int snd_als300_ac97(struct snd_al
82016 struct snd_ac97_bus *bus;
82017 struct snd_ac97_template ac97;
82018 int err;
82019 - static struct snd_ac97_bus_ops ops = {
82020 + static const struct snd_ac97_bus_ops ops = {
82021 .write = snd_als300_ac97_write,
82022 .read = snd_als300_ac97_read,
82023 };
82024 @@ -589,7 +589,7 @@ static snd_pcm_uframes_t snd_als300_poin
82025 return bytes_to_frames(substream->runtime, current_ptr);
82026 }
82027
82028 -static struct snd_pcm_ops snd_als300_playback_ops = {
82029 +static const struct snd_pcm_ops snd_als300_playback_ops = {
82030 .open = snd_als300_playback_open,
82031 .close = snd_als300_playback_close,
82032 .ioctl = snd_pcm_lib_ioctl,
82033 @@ -600,7 +600,7 @@ static struct snd_pcm_ops snd_als300_pla
82034 .pointer = snd_als300_pointer,
82035 };
82036
82037 -static struct snd_pcm_ops snd_als300_capture_ops = {
82038 +static const struct snd_pcm_ops snd_als300_capture_ops = {
82039 .open = snd_als300_capture_open,
82040 .close = snd_als300_capture_close,
82041 .ioctl = snd_pcm_lib_ioctl,
82042 @@ -680,7 +680,7 @@ static int __devinit snd_als300_create(s
82043 void *irq_handler;
82044 int err;
82045
82046 - static struct snd_device_ops ops = {
82047 + static const struct snd_device_ops ops = {
82048 .dev_free = snd_als300_dev_free,
82049 };
82050 *rchip = NULL;
82051 diff -urNp linux-2.6.39.3/sound/pci/als4000.c linux-2.6.39.3/sound/pci/als4000.c
82052 --- linux-2.6.39.3/sound/pci/als4000.c 2011-05-19 00:06:34.000000000 -0400
82053 +++ linux-2.6.39.3/sound/pci/als4000.c 2011-05-22 19:36:35.000000000 -0400
82054 @@ -672,7 +672,7 @@ static int snd_als4000_capture_close(str
82055
82056 /******************************************************************/
82057
82058 -static struct snd_pcm_ops snd_als4000_playback_ops = {
82059 +static const struct snd_pcm_ops snd_als4000_playback_ops = {
82060 .open = snd_als4000_playback_open,
82061 .close = snd_als4000_playback_close,
82062 .ioctl = snd_pcm_lib_ioctl,
82063 @@ -683,7 +683,7 @@ static struct snd_pcm_ops snd_als4000_pl
82064 .pointer = snd_als4000_playback_pointer
82065 };
82066
82067 -static struct snd_pcm_ops snd_als4000_capture_ops = {
82068 +static const struct snd_pcm_ops snd_als4000_capture_ops = {
82069 .open = snd_als4000_capture_open,
82070 .close = snd_als4000_capture_close,
82071 .ioctl = snd_pcm_lib_ioctl,
82072 diff -urNp linux-2.6.39.3/sound/pci/asihpi/asihpi.c linux-2.6.39.3/sound/pci/asihpi/asihpi.c
82073 --- linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-19 00:06:34.000000000 -0400
82074 +++ linux-2.6.39.3/sound/pci/asihpi/asihpi.c 2011-05-22 19:36:35.000000000 -0400
82075 @@ -1067,7 +1067,7 @@ static int snd_card_asihpi_playback_sile
82076 return 0;
82077 }
82078
82079 -static struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82080 +static const struct snd_pcm_ops snd_card_asihpi_playback_ops = {
82081 .open = snd_card_asihpi_playback_open,
82082 .close = snd_card_asihpi_playback_close,
82083 .ioctl = snd_card_asihpi_playback_ioctl,
82084 @@ -1080,7 +1080,7 @@ static struct snd_pcm_ops snd_card_asihp
82085 .silence = snd_card_asihpi_playback_silence,
82086 };
82087
82088 -static struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82089 +static const struct snd_pcm_ops snd_card_asihpi_playback_mmap_ops = {
82090 .open = snd_card_asihpi_playback_open,
82091 .close = snd_card_asihpi_playback_close,
82092 .ioctl = snd_card_asihpi_playback_ioctl,
82093 @@ -1268,7 +1268,7 @@ static int snd_card_asihpi_capture_copy(
82094 return 0;
82095 }
82096
82097 -static struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82098 +static const struct snd_pcm_ops snd_card_asihpi_capture_mmap_ops = {
82099 .open = snd_card_asihpi_capture_open,
82100 .close = snd_card_asihpi_capture_close,
82101 .ioctl = snd_card_asihpi_capture_ioctl,
82102 @@ -1279,7 +1279,7 @@ static struct snd_pcm_ops snd_card_asihp
82103 .pointer = snd_card_asihpi_capture_pointer,
82104 };
82105
82106 -static struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82107 +static const struct snd_pcm_ops snd_card_asihpi_capture_ops = {
82108 .open = snd_card_asihpi_capture_open,
82109 .close = snd_card_asihpi_capture_close,
82110 .ioctl = snd_card_asihpi_capture_ioctl,
82111 diff -urNp linux-2.6.39.3/sound/pci/atiixp.c linux-2.6.39.3/sound/pci/atiixp.c
82112 --- linux-2.6.39.3/sound/pci/atiixp.c 2011-05-19 00:06:34.000000000 -0400
82113 +++ linux-2.6.39.3/sound/pci/atiixp.c 2011-05-22 19:36:35.000000000 -0400
82114 @@ -1148,7 +1148,7 @@ static int snd_atiixp_spdif_close(struct
82115 }
82116
82117 /* AC97 playback */
82118 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82119 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82120 .open = snd_atiixp_playback_open,
82121 .close = snd_atiixp_playback_close,
82122 .ioctl = snd_pcm_lib_ioctl,
82123 @@ -1160,7 +1160,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82124 };
82125
82126 /* AC97 capture */
82127 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82128 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82129 .open = snd_atiixp_capture_open,
82130 .close = snd_atiixp_capture_close,
82131 .ioctl = snd_pcm_lib_ioctl,
82132 @@ -1172,7 +1172,7 @@ static struct snd_pcm_ops snd_atiixp_cap
82133 };
82134
82135 /* SPDIF playback */
82136 -static struct snd_pcm_ops snd_atiixp_spdif_ops = {
82137 +static const struct snd_pcm_ops snd_atiixp_spdif_ops = {
82138 .open = snd_atiixp_spdif_open,
82139 .close = snd_atiixp_spdif_close,
82140 .ioctl = snd_pcm_lib_ioctl,
82141 @@ -1410,7 +1410,7 @@ static int __devinit snd_atiixp_mixer_ne
82142 struct snd_ac97_template ac97;
82143 int i, err;
82144 int codec_count;
82145 - static struct snd_ac97_bus_ops ops = {
82146 + static const struct snd_ac97_bus_ops ops = {
82147 .write = snd_atiixp_ac97_write,
82148 .read = snd_atiixp_ac97_read,
82149 };
82150 @@ -1590,7 +1590,7 @@ static int __devinit snd_atiixp_create(s
82151 struct pci_dev *pci,
82152 struct atiixp **r_chip)
82153 {
82154 - static struct snd_device_ops ops = {
82155 + static const struct snd_device_ops ops = {
82156 .dev_free = snd_atiixp_dev_free,
82157 };
82158 struct atiixp *chip;
82159 diff -urNp linux-2.6.39.3/sound/pci/atiixp_modem.c linux-2.6.39.3/sound/pci/atiixp_modem.c
82160 --- linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-19 00:06:34.000000000 -0400
82161 +++ linux-2.6.39.3/sound/pci/atiixp_modem.c 2011-05-22 19:36:35.000000000 -0400
82162 @@ -947,7 +947,7 @@ static int snd_atiixp_capture_close(stru
82163
82164
82165 /* AC97 playback */
82166 -static struct snd_pcm_ops snd_atiixp_playback_ops = {
82167 +static const struct snd_pcm_ops snd_atiixp_playback_ops = {
82168 .open = snd_atiixp_playback_open,
82169 .close = snd_atiixp_playback_close,
82170 .ioctl = snd_pcm_lib_ioctl,
82171 @@ -959,7 +959,7 @@ static struct snd_pcm_ops snd_atiixp_pla
82172 };
82173
82174 /* AC97 capture */
82175 -static struct snd_pcm_ops snd_atiixp_capture_ops = {
82176 +static const struct snd_pcm_ops snd_atiixp_capture_ops = {
82177 .open = snd_atiixp_capture_open,
82178 .close = snd_atiixp_capture_close,
82179 .ioctl = snd_pcm_lib_ioctl,
82180 @@ -1067,7 +1067,7 @@ static int __devinit snd_atiixp_mixer_ne
82181 struct snd_ac97_template ac97;
82182 int i, err;
82183 int codec_count;
82184 - static struct snd_ac97_bus_ops ops = {
82185 + static const struct snd_ac97_bus_ops ops = {
82186 .write = snd_atiixp_ac97_write,
82187 .read = snd_atiixp_ac97_read,
82188 };
82189 @@ -1226,7 +1226,7 @@ static int __devinit snd_atiixp_create(s
82190 struct pci_dev *pci,
82191 struct atiixp_modem **r_chip)
82192 {
82193 - static struct snd_device_ops ops = {
82194 + static const struct snd_device_ops ops = {
82195 .dev_free = snd_atiixp_dev_free,
82196 };
82197 struct atiixp_modem *chip;
82198 diff -urNp linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c
82199 --- linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-19 00:06:34.000000000 -0400
82200 +++ linux-2.6.39.3/sound/pci/au88x0/au88x0_pcm.c 2011-05-22 19:36:35.000000000 -0400
82201 @@ -409,7 +409,7 @@ static snd_pcm_uframes_t snd_vortex_pcm_
82202 }
82203
82204 /* operators */
82205 -static struct snd_pcm_ops snd_vortex_playback_ops = {
82206 +static const struct snd_pcm_ops snd_vortex_playback_ops = {
82207 .open = snd_vortex_pcm_open,
82208 .close = snd_vortex_pcm_close,
82209 .ioctl = snd_pcm_lib_ioctl,
82210 diff -urNp linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c
82211 --- linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-19 00:06:34.000000000 -0400
82212 +++ linux-2.6.39.3/sound/pci/aw2/aw2-alsa.c 2011-05-22 19:36:35.000000000 -0400
82213 @@ -178,7 +178,7 @@ static struct pci_driver driver = {
82214 };
82215
82216 /* operators for playback PCM alsa interface */
82217 -static struct snd_pcm_ops snd_aw2_playback_ops = {
82218 +static const struct snd_pcm_ops snd_aw2_playback_ops = {
82219 .open = snd_aw2_pcm_playback_open,
82220 .close = snd_aw2_pcm_playback_close,
82221 .ioctl = snd_pcm_lib_ioctl,
82222 @@ -190,7 +190,7 @@ static struct snd_pcm_ops snd_aw2_playba
82223 };
82224
82225 /* operators for capture PCM alsa interface */
82226 -static struct snd_pcm_ops snd_aw2_capture_ops = {
82227 +static const struct snd_pcm_ops snd_aw2_capture_ops = {
82228 .open = snd_aw2_pcm_capture_open,
82229 .close = snd_aw2_pcm_capture_close,
82230 .ioctl = snd_pcm_lib_ioctl,
82231 @@ -263,7 +263,7 @@ static int __devinit snd_aw2_create(stru
82232 {
82233 struct aw2 *chip;
82234 int err;
82235 - static struct snd_device_ops ops = {
82236 + static const struct snd_device_ops ops = {
82237 .dev_free = snd_aw2_dev_free,
82238 };
82239
82240 diff -urNp linux-2.6.39.3/sound/pci/azt3328.c linux-2.6.39.3/sound/pci/azt3328.c
82241 --- linux-2.6.39.3/sound/pci/azt3328.c 2011-05-19 00:06:34.000000000 -0400
82242 +++ linux-2.6.39.3/sound/pci/azt3328.c 2011-05-22 19:36:35.000000000 -0400
82243 @@ -822,7 +822,7 @@ snd_azf3328_mixer_new(struct snd_azf3328
82244 {
82245 struct snd_ac97_bus *bus;
82246 struct snd_ac97_template ac97;
82247 - static struct snd_ac97_bus_ops ops = {
82248 + static const struct snd_ac97_bus_ops ops = {
82249 .write = snd_azf3328_mixer_ac97_write,
82250 .read = snd_azf3328_mixer_ac97_read,
82251 };
82252 @@ -2179,7 +2179,7 @@ snd_azf3328_pcm_close(struct snd_pcm_sub
82253
82254 /******************************************************************/
82255
82256 -static struct snd_pcm_ops snd_azf3328_playback_ops = {
82257 +static const struct snd_pcm_ops snd_azf3328_playback_ops = {
82258 .open = snd_azf3328_pcm_playback_open,
82259 .close = snd_azf3328_pcm_close,
82260 .ioctl = snd_pcm_lib_ioctl,
82261 @@ -2190,7 +2190,7 @@ static struct snd_pcm_ops snd_azf3328_pl
82262 .pointer = snd_azf3328_pcm_pointer
82263 };
82264
82265 -static struct snd_pcm_ops snd_azf3328_capture_ops = {
82266 +static const struct snd_pcm_ops snd_azf3328_capture_ops = {
82267 .open = snd_azf3328_pcm_capture_open,
82268 .close = snd_azf3328_pcm_close,
82269 .ioctl = snd_pcm_lib_ioctl,
82270 @@ -2201,7 +2201,7 @@ static struct snd_pcm_ops snd_azf3328_ca
82271 .pointer = snd_azf3328_pcm_pointer
82272 };
82273
82274 -static struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82275 +static const struct snd_pcm_ops snd_azf3328_i2s_out_ops = {
82276 .open = snd_azf3328_pcm_i2s_out_open,
82277 .close = snd_azf3328_pcm_close,
82278 .ioctl = snd_pcm_lib_ioctl,
82279 @@ -2497,7 +2497,7 @@ snd_azf3328_create(struct snd_card *card
82280 {
82281 struct snd_azf3328 *chip;
82282 int err;
82283 - static struct snd_device_ops ops = {
82284 + static const struct snd_device_ops ops = {
82285 .dev_free = snd_azf3328_dev_free,
82286 };
82287 u8 dma_init;
82288 diff -urNp linux-2.6.39.3/sound/pci/bt87x.c linux-2.6.39.3/sound/pci/bt87x.c
82289 --- linux-2.6.39.3/sound/pci/bt87x.c 2011-05-19 00:06:34.000000000 -0400
82290 +++ linux-2.6.39.3/sound/pci/bt87x.c 2011-05-22 19:36:35.000000000 -0400
82291 @@ -542,7 +542,7 @@ static snd_pcm_uframes_t snd_bt87x_point
82292 return (snd_pcm_uframes_t)bytes_to_frames(runtime, chip->current_line * chip->line_bytes);
82293 }
82294
82295 -static struct snd_pcm_ops snd_bt87x_pcm_ops = {
82296 +static const struct snd_pcm_ops snd_bt87x_pcm_ops = {
82297 .open = snd_bt87x_pcm_open,
82298 .close = snd_bt87x_close,
82299 .ioctl = snd_pcm_lib_ioctl,
82300 @@ -720,7 +720,7 @@ static int __devinit snd_bt87x_create(st
82301 {
82302 struct snd_bt87x *chip;
82303 int err;
82304 - static struct snd_device_ops ops = {
82305 + static const struct snd_device_ops ops = {
82306 .dev_free = snd_bt87x_dev_free
82307 };
82308
82309 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c
82310 --- linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-19 00:06:34.000000000 -0400
82311 +++ linux-2.6.39.3/sound/pci/ca0106/ca0106_main.c 2011-05-22 19:36:35.000000000 -0400
82312 @@ -1103,7 +1103,7 @@ snd_ca0106_pcm_pointer_capture(struct sn
82313 }
82314
82315 /* operators */
82316 -static struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82317 +static const struct snd_pcm_ops snd_ca0106_playback_front_ops = {
82318 .open = snd_ca0106_pcm_open_playback_front,
82319 .close = snd_ca0106_pcm_close_playback,
82320 .ioctl = snd_pcm_lib_ioctl,
82321 @@ -1114,7 +1114,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82322 .pointer = snd_ca0106_pcm_pointer_playback,
82323 };
82324
82325 -static struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82326 +static const struct snd_pcm_ops snd_ca0106_capture_0_ops = {
82327 .open = snd_ca0106_pcm_open_0_capture,
82328 .close = snd_ca0106_pcm_close_capture,
82329 .ioctl = snd_pcm_lib_ioctl,
82330 @@ -1125,7 +1125,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82331 .pointer = snd_ca0106_pcm_pointer_capture,
82332 };
82333
82334 -static struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82335 +static const struct snd_pcm_ops snd_ca0106_capture_1_ops = {
82336 .open = snd_ca0106_pcm_open_1_capture,
82337 .close = snd_ca0106_pcm_close_capture,
82338 .ioctl = snd_pcm_lib_ioctl,
82339 @@ -1136,7 +1136,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82340 .pointer = snd_ca0106_pcm_pointer_capture,
82341 };
82342
82343 -static struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82344 +static const struct snd_pcm_ops snd_ca0106_capture_2_ops = {
82345 .open = snd_ca0106_pcm_open_2_capture,
82346 .close = snd_ca0106_pcm_close_capture,
82347 .ioctl = snd_pcm_lib_ioctl,
82348 @@ -1147,7 +1147,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82349 .pointer = snd_ca0106_pcm_pointer_capture,
82350 };
82351
82352 -static struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82353 +static const struct snd_pcm_ops snd_ca0106_capture_3_ops = {
82354 .open = snd_ca0106_pcm_open_3_capture,
82355 .close = snd_ca0106_pcm_close_capture,
82356 .ioctl = snd_pcm_lib_ioctl,
82357 @@ -1158,7 +1158,7 @@ static struct snd_pcm_ops snd_ca0106_cap
82358 .pointer = snd_ca0106_pcm_pointer_capture,
82359 };
82360
82361 -static struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82362 +static const struct snd_pcm_ops snd_ca0106_playback_center_lfe_ops = {
82363 .open = snd_ca0106_pcm_open_playback_center_lfe,
82364 .close = snd_ca0106_pcm_close_playback,
82365 .ioctl = snd_pcm_lib_ioctl,
82366 @@ -1169,7 +1169,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82367 .pointer = snd_ca0106_pcm_pointer_playback,
82368 };
82369
82370 -static struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82371 +static const struct snd_pcm_ops snd_ca0106_playback_unknown_ops = {
82372 .open = snd_ca0106_pcm_open_playback_unknown,
82373 .close = snd_ca0106_pcm_close_playback,
82374 .ioctl = snd_pcm_lib_ioctl,
82375 @@ -1180,7 +1180,7 @@ static struct snd_pcm_ops snd_ca0106_pla
82376 .pointer = snd_ca0106_pcm_pointer_playback,
82377 };
82378
82379 -static struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82380 +static const struct snd_pcm_ops snd_ca0106_playback_rear_ops = {
82381 .open = snd_ca0106_pcm_open_playback_rear,
82382 .close = snd_ca0106_pcm_close_playback,
82383 .ioctl = snd_pcm_lib_ioctl,
82384 @@ -1223,7 +1223,7 @@ static int snd_ca0106_ac97(struct snd_ca
82385 struct snd_ac97_bus *pbus;
82386 struct snd_ac97_template ac97;
82387 int err;
82388 - static struct snd_ac97_bus_ops ops = {
82389 + static const struct snd_ac97_bus_ops ops = {
82390 .write = snd_ca0106_ac97_write,
82391 .read = snd_ca0106_ac97_read,
82392 };
82393 @@ -1629,7 +1629,7 @@ static int __devinit snd_ca0106_create(i
82394 struct snd_ca0106 *chip;
82395 struct snd_ca0106_details *c;
82396 int err;
82397 - static struct snd_device_ops ops = {
82398 + static const struct snd_device_ops ops = {
82399 .dev_free = snd_ca0106_dev_free,
82400 };
82401
82402 diff -urNp linux-2.6.39.3/sound/pci/ca0106/ca_midi.c linux-2.6.39.3/sound/pci/ca0106/ca_midi.c
82403 --- linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-19 00:06:34.000000000 -0400
82404 +++ linux-2.6.39.3/sound/pci/ca0106/ca_midi.c 2011-05-22 19:36:35.000000000 -0400
82405 @@ -255,15 +255,13 @@ static void ca_midi_output_trigger(struc
82406 }
82407 }
82408
82409 -static struct snd_rawmidi_ops ca_midi_output =
82410 -{
82411 +static const struct snd_rawmidi_ops ca_midi_output = {
82412 .open = ca_midi_output_open,
82413 .close = ca_midi_output_close,
82414 .trigger = ca_midi_output_trigger,
82415 };
82416
82417 -static struct snd_rawmidi_ops ca_midi_input =
82418 -{
82419 +static const struct snd_rawmidi_ops ca_midi_input = {
82420 .open = ca_midi_input_open,
82421 .close = ca_midi_input_close,
82422 .trigger = ca_midi_input_trigger,
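Review bot: Style: both initializers in this hunk also move the opening brace onto the declaration line, which is unrelated to adding `const` and doubles the number of removed lines. Keeping the original layout, `static const struct snd_rawmidi_ops ca_midi_output =` with `{` on the next line, would keep the hunk to the qualifier change alone and make it easier to carry across kernel versions. The two `snd_rawmidi_ops` tables in the cs4281.c hunk are reformatted the same way. If the brace change is wanted, it reads better as a separate cleanup.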
82423 diff -urNp linux-2.6.39.3/sound/pci/cmipci.c linux-2.6.39.3/sound/pci/cmipci.c
82424 --- linux-2.6.39.3/sound/pci/cmipci.c 2011-05-19 00:06:34.000000000 -0400
82425 +++ linux-2.6.39.3/sound/pci/cmipci.c 2011-05-22 19:36:35.000000000 -0400
82426 @@ -1838,7 +1838,7 @@ static int snd_cmipci_capture_spdif_clos
82427 /*
82428 */
82429
82430 -static struct snd_pcm_ops snd_cmipci_playback_ops = {
82431 +static const struct snd_pcm_ops snd_cmipci_playback_ops = {
82432 .open = snd_cmipci_playback_open,
82433 .close = snd_cmipci_playback_close,
82434 .ioctl = snd_pcm_lib_ioctl,
82435 @@ -1849,7 +1849,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82436 .pointer = snd_cmipci_playback_pointer,
82437 };
82438
82439 -static struct snd_pcm_ops snd_cmipci_capture_ops = {
82440 +static const struct snd_pcm_ops snd_cmipci_capture_ops = {
82441 .open = snd_cmipci_capture_open,
82442 .close = snd_cmipci_capture_close,
82443 .ioctl = snd_pcm_lib_ioctl,
82444 @@ -1860,7 +1860,7 @@ static struct snd_pcm_ops snd_cmipci_cap
82445 .pointer = snd_cmipci_capture_pointer,
82446 };
82447
82448 -static struct snd_pcm_ops snd_cmipci_playback2_ops = {
82449 +static const struct snd_pcm_ops snd_cmipci_playback2_ops = {
82450 .open = snd_cmipci_playback2_open,
82451 .close = snd_cmipci_playback2_close,
82452 .ioctl = snd_pcm_lib_ioctl,
82453 @@ -1871,7 +1871,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82454 .pointer = snd_cmipci_capture_pointer, /* channel B */
82455 };
82456
82457 -static struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82458 +static const struct snd_pcm_ops snd_cmipci_playback_spdif_ops = {
82459 .open = snd_cmipci_playback_spdif_open,
82460 .close = snd_cmipci_playback_spdif_close,
82461 .ioctl = snd_pcm_lib_ioctl,
82462 @@ -1882,7 +1882,7 @@ static struct snd_pcm_ops snd_cmipci_pla
82463 .pointer = snd_cmipci_playback_pointer,
82464 };
82465
82466 -static struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82467 +static const struct snd_pcm_ops snd_cmipci_capture_spdif_ops = {
82468 .open = snd_cmipci_capture_spdif_open,
82469 .close = snd_cmipci_capture_spdif_close,
82470 .ioctl = snd_pcm_lib_ioctl,
82471 @@ -3011,7 +3011,7 @@ static int __devinit snd_cmipci_create(s
82472 {
82473 struct cmipci *cm;
82474 int err;
82475 - static struct snd_device_ops ops = {
82476 + static const struct snd_device_ops ops = {
82477 .dev_free = snd_cmipci_dev_free,
82478 };
82479 unsigned int val;
82480 diff -urNp linux-2.6.39.3/sound/pci/cs4281.c linux-2.6.39.3/sound/pci/cs4281.c
82481 --- linux-2.6.39.3/sound/pci/cs4281.c 2011-05-19 00:06:34.000000000 -0400
82482 +++ linux-2.6.39.3/sound/pci/cs4281.c 2011-05-22 19:36:35.000000000 -0400
82483 @@ -947,7 +947,7 @@ static int snd_cs4281_capture_close(stru
82484 return 0;
82485 }
82486
82487 -static struct snd_pcm_ops snd_cs4281_playback_ops = {
82488 +static const struct snd_pcm_ops snd_cs4281_playback_ops = {
82489 .open = snd_cs4281_playback_open,
82490 .close = snd_cs4281_playback_close,
82491 .ioctl = snd_pcm_lib_ioctl,
82492 @@ -958,7 +958,7 @@ static struct snd_pcm_ops snd_cs4281_pla
82493 .pointer = snd_cs4281_pointer,
82494 };
82495
82496 -static struct snd_pcm_ops snd_cs4281_capture_ops = {
82497 +static const struct snd_pcm_ops snd_cs4281_capture_ops = {
82498 .open = snd_cs4281_capture_open,
82499 .close = snd_cs4281_capture_close,
82500 .ioctl = snd_pcm_lib_ioctl,
82501 @@ -1098,7 +1098,7 @@ static int __devinit snd_cs4281_mixer(st
82502 struct snd_card *card = chip->card;
82503 struct snd_ac97_template ac97;
82504 int err;
82505 - static struct snd_ac97_bus_ops ops = {
82506 + static const struct snd_ac97_bus_ops ops = {
82507 .write = snd_cs4281_ac97_write,
82508 .read = snd_cs4281_ac97_read,
82509 };
82510 @@ -1343,7 +1343,7 @@ static int __devinit snd_cs4281_create(s
82511 struct cs4281 *chip;
82512 unsigned int tmp;
82513 int err;
82514 - static struct snd_device_ops ops = {
82515 + static const struct snd_device_ops ops = {
82516 .dev_free = snd_cs4281_dev_free,
82517 };
82518
82519 @@ -1765,15 +1765,13 @@ static void snd_cs4281_midi_output_trigg
82520 spin_unlock_irqrestore(&chip->reg_lock, flags);
82521 }
82522
82523 -static struct snd_rawmidi_ops snd_cs4281_midi_output =
82524 -{
82525 +static const struct snd_rawmidi_ops snd_cs4281_midi_output = {
82526 .open = snd_cs4281_midi_output_open,
82527 .close = snd_cs4281_midi_output_close,
82528 .trigger = snd_cs4281_midi_output_trigger,
82529 };
82530
82531 -static struct snd_rawmidi_ops snd_cs4281_midi_input =
82532 -{
82533 +static const struct snd_rawmidi_ops snd_cs4281_midi_input = {
82534 .open = snd_cs4281_midi_input_open,
82535 .close = snd_cs4281_midi_input_close,
82536 .trigger = snd_cs4281_midi_input_trigger,
82537 diff -urNp linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c
82538 --- linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-19 00:06:34.000000000 -0400
82539 +++ linux-2.6.39.3/sound/pci/cs46xx/cs46xx_lib.c 2011-05-22 19:36:35.000000000 -0400
82540 @@ -3722,7 +3722,7 @@ int __devinit snd_cs46xx_create(struct s
82541 struct snd_cs46xx_region *region;
82542 struct cs_card_type *cp;
82543 u16 ss_card, ss_vendor;
82544 - static struct snd_device_ops ops = {
82545 + static const struct snd_device_ops ops = {
82546 .dev_free = snd_cs46xx_dev_free,
82547 };
82548
82549 diff -urNp linux-2.6.39.3/sound/pci/cs5530.c linux-2.6.39.3/sound/pci/cs5530.c
82550 --- linux-2.6.39.3/sound/pci/cs5530.c 2011-05-19 00:06:34.000000000 -0400
82551 +++ linux-2.6.39.3/sound/pci/cs5530.c 2011-05-22 19:36:35.000000000 -0400
82552 @@ -107,7 +107,7 @@ static int __devinit snd_cs5530_create(s
82553 void __iomem *mem;
82554 int err;
82555
82556 - static struct snd_device_ops ops = {
82557 + static const struct snd_device_ops ops = {
82558 .dev_free = snd_cs5530_dev_free,
82559 };
82560 *rchip = NULL;
82561 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c
82562 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-19 00:06:34.000000000 -0400
82563 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio.c 2011-05-22 19:36:35.000000000 -0400
82564 @@ -150,7 +150,7 @@ static int __devinit snd_cs5535audio_mix
82565 struct snd_ac97_bus *pbus;
82566 struct snd_ac97_template ac97;
82567 int err;
82568 - static struct snd_ac97_bus_ops ops = {
82569 + static const struct snd_ac97_bus_ops ops = {
82570 .write = snd_cs5535audio_ac97_codec_write,
82571 .read = snd_cs5535audio_ac97_codec_read,
82572 };
82573 @@ -277,7 +277,7 @@ static int __devinit snd_cs5535audio_cre
82574 struct cs5535audio *cs5535au;
82575
82576 int err;
82577 - static struct snd_device_ops ops = {
82578 + static const struct snd_device_ops ops = {
82579 .dev_free = snd_cs5535audio_dev_free,
82580 };
82581
82582 diff -urNp linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c
82583 --- linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-19 00:06:34.000000000 -0400
82584 +++ linux-2.6.39.3/sound/pci/cs5535audio/cs5535audio_pcm.c 2011-05-22 19:36:35.000000000 -0400
82585 @@ -380,7 +380,7 @@ static int snd_cs5535audio_capture_prepa
82586 substream->runtime->rate);
82587 }
82588
82589 -static struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82590 +static const struct snd_pcm_ops snd_cs5535audio_playback_ops = {
82591 .open = snd_cs5535audio_playback_open,
82592 .close = snd_cs5535audio_playback_close,
82593 .ioctl = snd_pcm_lib_ioctl,
82594 @@ -391,7 +391,7 @@ static struct snd_pcm_ops snd_cs5535audi
82595 .pointer = snd_cs5535audio_pcm_pointer,
82596 };
82597
82598 -static struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82599 +static const struct snd_pcm_ops snd_cs5535audio_capture_ops = {
82600 .open = snd_cs5535audio_capture_open,
82601 .close = snd_cs5535audio_capture_close,
82602 .ioctl = snd_pcm_lib_ioctl,
82603 diff -urNp linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c
82604 --- linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-19 00:06:34.000000000 -0400
82605 +++ linux-2.6.39.3/sound/pci/ctxfi/ctpcm.c 2011-05-22 19:36:35.000000000 -0400
82606 @@ -370,7 +370,7 @@ ct_pcm_capture_pointer(struct snd_pcm_su
82607 }
82608
82609 /* PCM operators for playback */
82610 -static struct snd_pcm_ops ct_pcm_playback_ops = {
82611 +static const struct snd_pcm_ops ct_pcm_playback_ops = {
82612 .open = ct_pcm_playback_open,
82613 .close = ct_pcm_playback_close,
82614 .ioctl = snd_pcm_lib_ioctl,
82615 @@ -383,7 +383,7 @@ static struct snd_pcm_ops ct_pcm_playbac
82616 };
82617
82618 /* PCM operators for capture */
82619 -static struct snd_pcm_ops ct_pcm_capture_ops = {
82620 +static const struct snd_pcm_ops ct_pcm_capture_ops = {
82621 .open = ct_pcm_capture_open,
82622 .close = ct_pcm_capture_close,
82623 .ioctl = snd_pcm_lib_ioctl,
82624 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c
82625 --- linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-19 00:06:34.000000000 -0400
82626 +++ linux-2.6.39.3/sound/pci/echoaudio/echoaudio.c 2011-05-22 19:36:35.000000000 -0400
82627 @@ -831,7 +831,7 @@ static snd_pcm_uframes_t pcm_pointer(str
82628
82629
82630 /* pcm *_ops structures */
82631 -static struct snd_pcm_ops analog_playback_ops = {
82632 +static const struct snd_pcm_ops analog_playback_ops = {
82633 .open = pcm_analog_out_open,
82634 .close = pcm_close,
82635 .ioctl = snd_pcm_lib_ioctl,
82636 @@ -842,7 +842,7 @@ static struct snd_pcm_ops analog_playbac
82637 .pointer = pcm_pointer,
82638 .page = snd_pcm_sgbuf_ops_page,
82639 };
82640 -static struct snd_pcm_ops analog_capture_ops = {
82641 +static const struct snd_pcm_ops analog_capture_ops = {
82642 .open = pcm_analog_in_open,
82643 .close = pcm_close,
82644 .ioctl = snd_pcm_lib_ioctl,
82645 @@ -855,7 +855,7 @@ static struct snd_pcm_ops analog_capture
82646 };
82647 #ifdef ECHOCARD_HAS_DIGITAL_IO
82648 #ifndef ECHOCARD_HAS_VMIXER
82649 -static struct snd_pcm_ops digital_playback_ops = {
82650 +static const struct snd_pcm_ops digital_playback_ops = {
82651 .open = pcm_digital_out_open,
82652 .close = pcm_close,
82653 .ioctl = snd_pcm_lib_ioctl,
82654 @@ -867,7 +867,7 @@ static struct snd_pcm_ops digital_playba
82655 .page = snd_pcm_sgbuf_ops_page,
82656 };
82657 #endif /* !ECHOCARD_HAS_VMIXER */
82658 -static struct snd_pcm_ops digital_capture_ops = {
82659 +static const struct snd_pcm_ops digital_capture_ops = {
82660 .open = pcm_digital_in_open,
82661 .close = pcm_close,
82662 .ioctl = snd_pcm_lib_ioctl,
82663 @@ -1945,7 +1945,7 @@ static __devinit int snd_echo_create(str
82664 struct echoaudio *chip;
82665 int err;
82666 size_t sz;
82667 - static struct snd_device_ops ops = {
82668 + static const struct snd_device_ops ops = {
82669 .dev_free = snd_echo_dev_free,
82670 };
82671
82672 diff -urNp linux-2.6.39.3/sound/pci/echoaudio/midi.c linux-2.6.39.3/sound/pci/echoaudio/midi.c
82673 --- linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-19 00:06:34.000000000 -0400
82674 +++ linux-2.6.39.3/sound/pci/echoaudio/midi.c 2011-05-22 19:36:35.000000000 -0400
82675 @@ -292,13 +292,13 @@ static int snd_echo_midi_output_close(st
82676
82677
82678
82679 -static struct snd_rawmidi_ops snd_echo_midi_input = {
82680 +static const struct snd_rawmidi_ops snd_echo_midi_input = {
82681 .open = snd_echo_midi_input_open,
82682 .close = snd_echo_midi_input_close,
82683 .trigger = snd_echo_midi_input_trigger,
82684 };
82685
82686 -static struct snd_rawmidi_ops snd_echo_midi_output = {
82687 +static const struct snd_rawmidi_ops snd_echo_midi_output = {
82688 .open = snd_echo_midi_output_open,
82689 .close = snd_echo_midi_output_close,
82690 .trigger = snd_echo_midi_output_trigger,
82691 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c
82692 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-19 00:06:34.000000000 -0400
82693 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1_main.c 2011-05-22 19:36:35.000000000 -0400
82694 @@ -1722,7 +1722,7 @@ int __devinit snd_emu10k1_create(struct
82695 int is_audigy;
82696 unsigned int silent_page;
82697 const struct snd_emu_chip_details *c;
82698 - static struct snd_device_ops ops = {
82699 + static const struct snd_device_ops ops = {
82700 .dev_free = snd_emu10k1_dev_free,
82701 };
82702
82703 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c
82704 --- linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-19 00:06:34.000000000 -0400
82705 +++ linux-2.6.39.3/sound/pci/emu10k1/emu10k1x.c 2011-05-22 19:36:35.000000000 -0400
82706 @@ -543,7 +543,7 @@ snd_emu10k1x_pcm_pointer(struct snd_pcm_
82707 }
82708
82709 /* operators */
82710 -static struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82711 +static const struct snd_pcm_ops snd_emu10k1x_playback_ops = {
82712 .open = snd_emu10k1x_playback_open,
82713 .close = snd_emu10k1x_playback_close,
82714 .ioctl = snd_pcm_lib_ioctl,
82715 @@ -689,7 +689,7 @@ snd_emu10k1x_pcm_pointer_capture(struct
82716 return ptr;
82717 }
82718
82719 -static struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82720 +static const struct snd_pcm_ops snd_emu10k1x_capture_ops = {
82721 .open = snd_emu10k1x_pcm_open_capture,
82722 .close = snd_emu10k1x_pcm_close_capture,
82723 .ioctl = snd_pcm_lib_ioctl,
82724 @@ -731,7 +731,7 @@ static int snd_emu10k1x_ac97(struct emu1
82725 struct snd_ac97_bus *pbus;
82726 struct snd_ac97_template ac97;
82727 int err;
82728 - static struct snd_ac97_bus_ops ops = {
82729 + static const struct snd_ac97_bus_ops ops = {
82730 .write = snd_emu10k1x_ac97_write,
82731 .read = snd_emu10k1x_ac97_read,
82732 };
82733 @@ -888,7 +888,7 @@ static int __devinit snd_emu10k1x_create
82734 struct emu10k1x *chip;
82735 int err;
82736 int ch;
82737 - static struct snd_device_ops ops = {
82738 + static const struct snd_device_ops ops = {
82739 .dev_free = snd_emu10k1x_dev_free,
82740 };
82741
82742 @@ -1465,15 +1465,13 @@ static void snd_emu10k1x_midi_output_tri
82743
82744 */
82745
82746 -static struct snd_rawmidi_ops snd_emu10k1x_midi_output =
82747 -{
82748 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_output = {
82749 .open = snd_emu10k1x_midi_output_open,
82750 .close = snd_emu10k1x_midi_output_close,
82751 .trigger = snd_emu10k1x_midi_output_trigger,
82752 };
82753
82754 -static struct snd_rawmidi_ops snd_emu10k1x_midi_input =
82755 -{
82756 +static const struct snd_rawmidi_ops snd_emu10k1x_midi_input = {
82757 .open = snd_emu10k1x_midi_input_open,
82758 .close = snd_emu10k1x_midi_input_close,
82759 .trigger = snd_emu10k1x_midi_input_trigger,
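Review bot: This hunk mixes a brace-placement change into the qualifier change: the `=` / `{` pair that used to span two lines becomes `= {` for both `snd_emu10k1x_midi_output` and `snd_emu10k1x_midi_input`. In a hardening patch that has to be rebased across kernel versions, a restyle makes the security-relevant edit harder to audit and more likely to conflict. I would keep the original layout and change only the first line, `static const struct snd_rawmidi_ops snd_emu10k1x_midi_output =`. The rawmidi hunk in ens1370.c carries the same restyle.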
82760 diff -urNp linux-2.6.39.3/sound/pci/emu10k1/p16v.c linux-2.6.39.3/sound/pci/emu10k1/p16v.c
82761 --- linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-19 00:06:34.000000000 -0400
82762 +++ linux-2.6.39.3/sound/pci/emu10k1/p16v.c 2011-05-22 19:36:35.000000000 -0400
82763 @@ -601,7 +601,7 @@ snd_p16v_pcm_pointer_capture(struct snd_
82764 }
82765
82766 /* operators */
82767 -static struct snd_pcm_ops snd_p16v_playback_front_ops = {
82768 +static const struct snd_pcm_ops snd_p16v_playback_front_ops = {
82769 .open = snd_p16v_pcm_open_playback_front,
82770 .close = snd_p16v_pcm_close_playback,
82771 .ioctl = snd_pcm_lib_ioctl,
82772 @@ -612,7 +612,7 @@ static struct snd_pcm_ops snd_p16v_playb
82773 .pointer = snd_p16v_pcm_pointer_playback,
82774 };
82775
82776 -static struct snd_pcm_ops snd_p16v_capture_ops = {
82777 +static const struct snd_pcm_ops snd_p16v_capture_ops = {
82778 .open = snd_p16v_pcm_open_capture,
82779 .close = snd_p16v_pcm_close_capture,
82780 .ioctl = snd_pcm_lib_ioctl,
82781 diff -urNp linux-2.6.39.3/sound/pci/ens1370.c linux-2.6.39.3/sound/pci/ens1370.c
82782 --- linux-2.6.39.3/sound/pci/ens1370.c 2011-05-19 00:06:34.000000000 -0400
82783 +++ linux-2.6.39.3/sound/pci/ens1370.c 2011-05-22 19:36:35.000000000 -0400
82784 @@ -1225,7 +1225,7 @@ static int snd_ensoniq_capture_close(str
82785 return 0;
82786 }
82787
82788 -static struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82789 +static const struct snd_pcm_ops snd_ensoniq_playback1_ops = {
82790 .open = snd_ensoniq_playback1_open,
82791 .close = snd_ensoniq_playback1_close,
82792 .ioctl = snd_pcm_lib_ioctl,
82793 @@ -1236,7 +1236,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82794 .pointer = snd_ensoniq_playback1_pointer,
82795 };
82796
82797 -static struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82798 +static const struct snd_pcm_ops snd_ensoniq_playback2_ops = {
82799 .open = snd_ensoniq_playback2_open,
82800 .close = snd_ensoniq_playback2_close,
82801 .ioctl = snd_pcm_lib_ioctl,
82802 @@ -1247,7 +1247,7 @@ static struct snd_pcm_ops snd_ensoniq_pl
82803 .pointer = snd_ensoniq_playback2_pointer,
82804 };
82805
82806 -static struct snd_pcm_ops snd_ensoniq_capture_ops = {
82807 +static const struct snd_pcm_ops snd_ensoniq_capture_ops = {
82808 .open = snd_ensoniq_capture_open,
82809 .close = snd_ensoniq_capture_close,
82810 .ioctl = snd_pcm_lib_ioctl,
82811 @@ -1633,7 +1633,7 @@ static int __devinit snd_ensoniq_1371_mi
82812 struct snd_ac97_bus *pbus;
82813 struct snd_ac97_template ac97;
82814 int err;
82815 - static struct snd_ac97_bus_ops ops = {
82816 + static const struct snd_ac97_bus_ops ops = {
82817 .write = snd_es1371_codec_write,
82818 .read = snd_es1371_codec_read,
82819 .wait = snd_es1371_codec_wait,
82820 @@ -2096,7 +2096,7 @@ static int __devinit snd_ensoniq_create(
82821 {
82822 struct ensoniq *ensoniq;
82823 int err;
82824 - static struct snd_device_ops ops = {
82825 + static const struct snd_device_ops ops = {
82826 .dev_free = snd_ensoniq_dev_free,
82827 };
82828
82829 @@ -2331,15 +2331,13 @@ static void snd_ensoniq_midi_output_trig
82830 spin_unlock_irqrestore(&ensoniq->reg_lock, flags);
82831 }
82832
82833 -static struct snd_rawmidi_ops snd_ensoniq_midi_output =
82834 -{
82835 +static const struct snd_rawmidi_ops snd_ensoniq_midi_output = {
82836 .open = snd_ensoniq_midi_output_open,
82837 .close = snd_ensoniq_midi_output_close,
82838 .trigger = snd_ensoniq_midi_output_trigger,
82839 };
82840
82841 -static struct snd_rawmidi_ops snd_ensoniq_midi_input =
82842 -{
82843 +static const struct snd_rawmidi_ops snd_ensoniq_midi_input = {
82844 .open = snd_ensoniq_midi_input_open,
82845 .close = snd_ensoniq_midi_input_close,
82846 .trigger = snd_ensoniq_midi_input_trigger,
82847 diff -urNp linux-2.6.39.3/sound/pci/es1938.c linux-2.6.39.3/sound/pci/es1938.c
82848 --- linux-2.6.39.3/sound/pci/es1938.c 2011-05-19 00:06:34.000000000 -0400
82849 +++ linux-2.6.39.3/sound/pci/es1938.c 2011-05-22 19:36:35.000000000 -0400
82850 @@ -1004,7 +1004,7 @@ static int snd_es1938_playback_close(str
82851 return 0;
82852 }
82853
82854 -static struct snd_pcm_ops snd_es1938_playback_ops = {
82855 +static const struct snd_pcm_ops snd_es1938_playback_ops = {
82856 .open = snd_es1938_playback_open,
82857 .close = snd_es1938_playback_close,
82858 .ioctl = snd_pcm_lib_ioctl,
82859 @@ -1015,7 +1015,7 @@ static struct snd_pcm_ops snd_es1938_pla
82860 .pointer = snd_es1938_playback_pointer,
82861 };
82862
82863 -static struct snd_pcm_ops snd_es1938_capture_ops = {
82864 +static const struct snd_pcm_ops snd_es1938_capture_ops = {
82865 .open = snd_es1938_capture_open,
82866 .close = snd_es1938_capture_close,
82867 .ioctl = snd_pcm_lib_ioctl,
82868 @@ -1598,7 +1598,7 @@ static int __devinit snd_es1938_create(s
82869 {
82870 struct es1938 *chip;
82871 int err;
82872 - static struct snd_device_ops ops = {
82873 + static const struct snd_device_ops ops = {
82874 .dev_free = snd_es1938_dev_free,
82875 };
82876
82877 diff -urNp linux-2.6.39.3/sound/pci/es1968.c linux-2.6.39.3/sound/pci/es1968.c
82878 --- linux-2.6.39.3/sound/pci/es1968.c 2011-05-19 00:06:34.000000000 -0400
82879 +++ linux-2.6.39.3/sound/pci/es1968.c 2011-05-22 19:36:35.000000000 -0400
82880 @@ -1682,7 +1682,7 @@ static int snd_es1968_capture_close(stru
82881 return 0;
82882 }
82883
82884 -static struct snd_pcm_ops snd_es1968_playback_ops = {
82885 +static const struct snd_pcm_ops snd_es1968_playback_ops = {
82886 .open = snd_es1968_playback_open,
82887 .close = snd_es1968_playback_close,
82888 .ioctl = snd_pcm_lib_ioctl,
82889 @@ -1693,7 +1693,7 @@ static struct snd_pcm_ops snd_es1968_pla
82890 .pointer = snd_es1968_pcm_pointer,
82891 };
82892
82893 -static struct snd_pcm_ops snd_es1968_capture_ops = {
82894 +static const struct snd_pcm_ops snd_es1968_capture_ops = {
82895 .open = snd_es1968_capture_open,
82896 .close = snd_es1968_capture_close,
82897 .ioctl = snd_pcm_lib_ioctl,
82898 @@ -2053,7 +2053,7 @@ snd_es1968_mixer(struct es1968 *chip)
82899 struct snd_ctl_elem_id elem_id;
82900 #endif
82901 int err;
82902 - static struct snd_ac97_bus_ops ops = {
82903 + static const struct snd_ac97_bus_ops ops = {
82904 .write = snd_es1968_ac97_write,
82905 .read = snd_es1968_ac97_read,
82906 };
82907 @@ -2627,7 +2627,7 @@ static int __devinit snd_es1968_create(s
82908 int do_pm,
82909 struct es1968 **chip_ret)
82910 {
82911 - static struct snd_device_ops ops = {
82912 + static const struct snd_device_ops ops = {
82913 .dev_free = snd_es1968_dev_free,
82914 };
82915 struct es1968 *chip;
82916 diff -urNp linux-2.6.39.3/sound/pci/fm801.c linux-2.6.39.3/sound/pci/fm801.c
82917 --- linux-2.6.39.3/sound/pci/fm801.c 2011-05-19 00:06:34.000000000 -0400
82918 +++ linux-2.6.39.3/sound/pci/fm801.c 2011-05-22 19:36:35.000000000 -0400
82919 @@ -662,7 +662,7 @@ static int snd_fm801_capture_close(struc
82920 return 0;
82921 }
82922
82923 -static struct snd_pcm_ops snd_fm801_playback_ops = {
82924 +static const struct snd_pcm_ops snd_fm801_playback_ops = {
82925 .open = snd_fm801_playback_open,
82926 .close = snd_fm801_playback_close,
82927 .ioctl = snd_pcm_lib_ioctl,
82928 @@ -673,7 +673,7 @@ static struct snd_pcm_ops snd_fm801_play
82929 .pointer = snd_fm801_playback_pointer,
82930 };
82931
82932 -static struct snd_pcm_ops snd_fm801_capture_ops = {
82933 +static const struct snd_pcm_ops snd_fm801_capture_ops = {
82934 .open = snd_fm801_capture_open,
82935 .close = snd_fm801_capture_close,
82936 .ioctl = snd_pcm_lib_ioctl,
82937 @@ -1236,7 +1236,7 @@ static int __devinit snd_fm801_mixer(str
82938 struct snd_ac97_template ac97;
82939 unsigned int i;
82940 int err;
82941 - static struct snd_ac97_bus_ops ops = {
82942 + static const struct snd_ac97_bus_ops ops = {
82943 .write = snd_fm801_codec_write,
82944 .read = snd_fm801_codec_read,
82945 };
82946 @@ -1396,7 +1396,7 @@ static int __devinit snd_fm801_create(st
82947 {
82948 struct fm801 *chip;
82949 int err;
82950 - static struct snd_device_ops ops = {
82951 + static const struct snd_device_ops ops = {
82952 .dev_free = snd_fm801_dev_free,
82953 };
82954
82955 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_generic.c linux-2.6.39.3/sound/pci/hda/hda_generic.c
82956 --- linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-19 00:06:34.000000000 -0400
82957 +++ linux-2.6.39.3/sound/pci/hda/hda_generic.c 2011-05-22 19:36:35.000000000 -0400
82958 @@ -1038,7 +1038,7 @@ static int generic_check_power_status(st
82959
82960 /*
82961 */
82962 -static struct hda_codec_ops generic_patch_ops = {
82963 +static const struct hda_codec_ops generic_patch_ops = {
82964 .build_controls = build_generic_controls,
82965 .build_pcms = build_generic_pcms,
82966 .free = snd_hda_generic_free,
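Review bot: Making `generic_patch_ops` const protects only this template, not necessarily the pointers the codec core dispatches through. If the driver still installs it by value into a per-codec field (mainline code of this era does `codec->patch_ops = generic_patch_ops;`, which is not visible in this hunk), the live function pointers sit in a writable heap object and the overwrite target is unchanged. Either confirm elsewhere in the patch that the per-codec field became a pointer-to-const, or say so on the table, e.g. `/* template only: copied into codec->patch_ops, which remains writable */`. The same applies to the `hda_codec_ops` tables in patch_ca0110.c, patch_cirrus.c, patch_cmedia.c, patch_conexant.c, patch_hdmi.c, patch_realtek.c, patch_si3054.c, patch_sigmatel.c and patch_via.c.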
82967 diff -urNp linux-2.6.39.3/sound/pci/hda/hda_intel.c linux-2.6.39.3/sound/pci/hda/hda_intel.c
82968 --- linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:04:14.000000000 -0400
82969 +++ linux-2.6.39.3/sound/pci/hda/hda_intel.c 2011-06-03 00:32:08.000000000 -0400
82970 @@ -2459,7 +2459,7 @@ static int __devinit azx_create(struct s
82971 struct azx *chip;
82972 int i, err;
82973 unsigned short gcap;
82974 - static struct snd_device_ops ops = {
82975 + static const struct snd_device_ops ops = {
82976 .dev_free = azx_dev_free,
82977 };
82978
82979 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_ca0110.c linux-2.6.39.3/sound/pci/hda/patch_ca0110.c
82980 --- linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-19 00:06:34.000000000 -0400
82981 +++ linux-2.6.39.3/sound/pci/hda/patch_ca0110.c 2011-05-22 19:36:35.000000000 -0400
82982 @@ -389,7 +389,7 @@ static void ca0110_free(struct hda_codec
82983 kfree(codec->spec);
82984 }
82985
82986 -static struct hda_codec_ops ca0110_patch_ops = {
82987 +static const struct hda_codec_ops ca0110_patch_ops = {
82988 .build_controls = ca0110_build_controls,
82989 .build_pcms = ca0110_build_pcms,
82990 .init = ca0110_init,
82991 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cirrus.c linux-2.6.39.3/sound/pci/hda/patch_cirrus.c
82992 --- linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-19 00:06:34.000000000 -0400
82993 +++ linux-2.6.39.3/sound/pci/hda/patch_cirrus.c 2011-05-22 19:36:35.000000000 -0400
82994 @@ -1126,7 +1126,7 @@ static void cs_unsol_event(struct hda_co
82995 }
82996 }
82997
82998 -static struct hda_codec_ops cs_patch_ops = {
82999 +static const struct hda_codec_ops cs_patch_ops = {
83000 .build_controls = cs_build_controls,
83001 .build_pcms = cs_build_pcms,
83002 .init = cs_init,
83003 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_cmedia.c linux-2.6.39.3/sound/pci/hda/patch_cmedia.c
83004 --- linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-19 00:06:34.000000000 -0400
83005 +++ linux-2.6.39.3/sound/pci/hda/patch_cmedia.c 2011-05-22 19:36:35.000000000 -0400
83006 @@ -624,7 +624,7 @@ static struct snd_pci_quirk cmi9880_cfg_
83007 {} /* terminator */
83008 };
83009
83010 -static struct hda_codec_ops cmi9880_patch_ops = {
83011 +static const struct hda_codec_ops cmi9880_patch_ops = {
83012 .build_controls = cmi9880_build_controls,
83013 .build_pcms = cmi9880_build_pcms,
83014 .init = cmi9880_init,
83015 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_conexant.c linux-2.6.39.3/sound/pci/hda/patch_conexant.c
83016 --- linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:18:51.000000000 -0400
83017 +++ linux-2.6.39.3/sound/pci/hda/patch_conexant.c 2011-07-09 09:19:27.000000000 -0400
83018 @@ -546,7 +546,7 @@ static int conexant_suspend(struct hda_c
83019 }
83020 #endif
83021
83022 -static struct hda_codec_ops conexant_patch_ops = {
83023 +static const struct hda_codec_ops conexant_patch_ops = {
83024 .build_controls = conexant_build_controls,
83025 .build_pcms = conexant_build_pcms,
83026 .init = conexant_init,
83027 @@ -3792,7 +3792,7 @@ static int cx_auto_build_controls(struct
83028 return conexant_build_controls(codec);
83029 }
83030
83031 -static struct hda_codec_ops cx_auto_patch_ops = {
83032 +static const struct hda_codec_ops cx_auto_patch_ops = {
83033 .build_controls = cx_auto_build_controls,
83034 .build_pcms = conexant_build_pcms,
83035 .init = cx_auto_init,
83036 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_hdmi.c linux-2.6.39.3/sound/pci/hda/patch_hdmi.c
83037 --- linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-19 00:06:34.000000000 -0400
83038 +++ linux-2.6.39.3/sound/pci/hda/patch_hdmi.c 2011-05-22 19:36:35.000000000 -0400
83039 @@ -1124,7 +1124,7 @@ static void generic_hdmi_free(struct hda
83040 kfree(spec);
83041 }
83042
83043 -static struct hda_codec_ops generic_hdmi_patch_ops = {
83044 +static const struct hda_codec_ops generic_hdmi_patch_ops = {
83045 .init = generic_hdmi_init,
83046 .free = generic_hdmi_free,
83047 .build_pcms = generic_hdmi_build_pcms,
83048 @@ -1465,14 +1465,14 @@ static struct hda_pcm_stream nvhdmi_pcm_
83049 },
83050 };
83051
83052 -static struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
83053 +static const struct hda_codec_ops nvhdmi_patch_ops_8ch_7x = {
83054 .build_controls = generic_hdmi_build_controls,
83055 .build_pcms = generic_hdmi_build_pcms,
83056 .init = nvhdmi_7x_init,
83057 .free = generic_hdmi_free,
83058 };
83059
83060 -static struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83061 +static const struct hda_codec_ops nvhdmi_patch_ops_2ch = {
83062 .build_controls = generic_hdmi_build_controls,
83063 .build_pcms = generic_hdmi_build_pcms,
83064 .init = nvhdmi_7x_init,
83065 @@ -1599,7 +1599,7 @@ static int atihdmi_init(struct hda_codec
83066 return 0;
83067 }
83068
83069 -static struct hda_codec_ops atihdmi_patch_ops = {
83070 +static const struct hda_codec_ops atihdmi_patch_ops = {
83071 .build_controls = generic_hdmi_build_controls,
83072 .build_pcms = generic_hdmi_build_pcms,
83073 .init = atihdmi_init,
83074 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_realtek.c linux-2.6.39.3/sound/pci/hda/patch_realtek.c
83075 --- linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:18:51.000000000 -0400
83076 +++ linux-2.6.39.3/sound/pci/hda/patch_realtek.c 2011-07-09 09:19:27.000000000 -0400
83077 @@ -4273,7 +4273,7 @@ static int alc_resume(struct hda_codec *
83078
83079 /*
83080 */
83081 -static struct hda_codec_ops alc_patch_ops = {
83082 +static const struct hda_codec_ops alc_patch_ops = {
83083 .build_controls = alc_build_controls,
83084 .build_pcms = alc_build_pcms,
83085 .init = alc_init,
83086 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_si3054.c linux-2.6.39.3/sound/pci/hda/patch_si3054.c
83087 --- linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-19 00:06:34.000000000 -0400
83088 +++ linux-2.6.39.3/sound/pci/hda/patch_si3054.c 2011-05-22 19:36:35.000000000 -0400
83089 @@ -263,7 +263,7 @@ static void si3054_free(struct hda_codec
83090 /*
83091 */
83092
83093 -static struct hda_codec_ops si3054_patch_ops = {
83094 +static const struct hda_codec_ops si3054_patch_ops = {
83095 .build_controls = si3054_build_controls,
83096 .build_pcms = si3054_build_pcms,
83097 .init = si3054_init,
83098 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c
83099 --- linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:04:14.000000000 -0400
83100 +++ linux-2.6.39.3/sound/pci/hda/patch_sigmatel.c 2011-06-03 00:32:08.000000000 -0400
83101 @@ -4968,7 +4968,7 @@ static int stac92xx_suspend(struct hda_c
83102 }
83103 #endif
83104
83105 -static struct hda_codec_ops stac92xx_patch_ops = {
83106 +static const struct hda_codec_ops stac92xx_patch_ops = {
83107 .build_controls = stac92xx_build_controls,
83108 .build_pcms = stac92xx_build_pcms,
83109 .init = stac92xx_init,
83110 diff -urNp linux-2.6.39.3/sound/pci/hda/patch_via.c linux-2.6.39.3/sound/pci/hda/patch_via.c
83111 --- linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-19 00:06:34.000000000 -0400
83112 +++ linux-2.6.39.3/sound/pci/hda/patch_via.c 2011-05-22 19:36:35.000000000 -0400
83113 @@ -2254,7 +2254,7 @@ static int via_check_power_status(struct
83114
83115 /*
83116 */
83117 -static struct hda_codec_ops via_patch_ops = {
83118 +static const struct hda_codec_ops via_patch_ops = {
83119 .build_controls = via_build_controls,
83120 .build_pcms = via_build_pcms,
83121 .init = via_init,
83122 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1712.c linux-2.6.39.3/sound/pci/ice1712/ice1712.c
83123 --- linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-19 00:06:34.000000000 -0400
83124 +++ linux-2.6.39.3/sound/pci/ice1712/ice1712.c 2011-05-22 19:36:35.000000000 -0400
83125 @@ -2541,7 +2541,7 @@ static int __devinit snd_ice1712_create(
83126 {
83127 struct snd_ice1712 *ice;
83128 int err;
83129 - static struct snd_device_ops ops = {
83130 + static const struct snd_device_ops ops = {
83131 .dev_free = snd_ice1712_dev_free,
83132 };
83133
83134 diff -urNp linux-2.6.39.3/sound/pci/ice1712/ice1724.c linux-2.6.39.3/sound/pci/ice1712/ice1724.c
83135 --- linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-19 00:06:34.000000000 -0400
83136 +++ linux-2.6.39.3/sound/pci/ice1712/ice1724.c 2011-05-22 19:36:35.000000000 -0400
83137 @@ -367,7 +367,7 @@ static void vt1724_midi_output_drain(str
83138 } while (time_after(timeout, jiffies));
83139 }
83140
83141 -static struct snd_rawmidi_ops vt1724_midi_output_ops = {
83142 +static const struct snd_rawmidi_ops vt1724_midi_output_ops = {
83143 .open = vt1724_midi_output_open,
83144 .close = vt1724_midi_output_close,
83145 .trigger = vt1724_midi_output_trigger,
83146 @@ -402,7 +402,7 @@ static void vt1724_midi_input_trigger(st
83147 spin_unlock_irqrestore(&ice->reg_lock, flags);
83148 }
83149
83150 -static struct snd_rawmidi_ops vt1724_midi_input_ops = {
83151 +static const struct snd_rawmidi_ops vt1724_midi_input_ops = {
83152 .open = vt1724_midi_input_open,
83153 .close = vt1724_midi_input_close,
83154 .trigger = vt1724_midi_input_trigger,
83155 @@ -2463,7 +2463,7 @@ static int __devinit snd_vt1724_create(s
83156 {
83157 struct snd_ice1712 *ice;
83158 int err;
83159 - static struct snd_device_ops ops = {
83160 + static const struct snd_device_ops ops = {
83161 .dev_free = snd_vt1724_dev_free,
83162 };
83163
83164 diff -urNp linux-2.6.39.3/sound/pci/intel8x0.c linux-2.6.39.3/sound/pci/intel8x0.c
83165 --- linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-19 00:06:34.000000000 -0400
83166 +++ linux-2.6.39.3/sound/pci/intel8x0.c 2011-05-22 19:36:35.000000000 -0400
83167 @@ -2152,12 +2152,12 @@ static int __devinit snd_intel8x0_mixer(
83168 int err;
83169 unsigned int i, codecs;
83170 unsigned int glob_sta = 0;
83171 - struct snd_ac97_bus_ops *ops;
83172 - static struct snd_ac97_bus_ops standard_bus_ops = {
83173 + const struct snd_ac97_bus_ops *ops;
83174 + static const struct snd_ac97_bus_ops standard_bus_ops = {
83175 .write = snd_intel8x0_codec_write,
83176 .read = snd_intel8x0_codec_read,
83177 };
83178 - static struct snd_ac97_bus_ops ali_bus_ops = {
83179 + static const struct snd_ac97_bus_ops ali_bus_ops = {
83180 .write = snd_intel8x0_ali_codec_write,
83181 .read = snd_intel8x0_ali_codec_read,
83182 };
83183 @@ -2921,7 +2921,7 @@ static int __devinit snd_intel8x0_create
83184 unsigned int i;
83185 unsigned int int_sta_masks;
83186 struct ichdev *ichdev;
83187 - static struct snd_device_ops ops = {
83188 + static const struct snd_device_ops ops = {
83189 .dev_free = snd_intel8x0_dev_free,
83190 };
83191
83192 diff -urNp linux-2.6.39.3/sound/pci/intel8x0m.c linux-2.6.39.3/sound/pci/intel8x0m.c
83193 --- linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-19 00:06:34.000000000 -0400
83194 +++ linux-2.6.39.3/sound/pci/intel8x0m.c 2011-05-22 19:36:35.000000000 -0400
83195 @@ -826,7 +826,7 @@ static int __devinit snd_intel8x0m_mixer
83196 struct snd_ac97 *x97;
83197 int err;
83198 unsigned int glob_sta = 0;
83199 - static struct snd_ac97_bus_ops ops = {
83200 + static const struct snd_ac97_bus_ops ops = {
83201 .write = snd_intel8x0m_codec_write,
83202 .read = snd_intel8x0m_codec_read,
83203 };
83204 @@ -1116,7 +1116,7 @@ static int __devinit snd_intel8x0m_creat
83205 unsigned int i;
83206 unsigned int int_sta_masks;
83207 struct ichdev *ichdev;
83208 - static struct snd_device_ops ops = {
83209 + static const struct snd_device_ops ops = {
83210 .dev_free = snd_intel8x0m_dev_free,
83211 };
83212 static struct ich_reg_info intel_regs[2] = {
83213 @@ -1265,7 +1265,7 @@ static struct shortname_table {
83214 { 0x5455, "ALi M5455" },
83215 { 0x746d, "AMD AMD8111" },
83216 #endif
83217 - { 0 },
83218 + { 0, },
83219 };
83220
83221 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
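Review bot: Changing the terminator from `{ 0 },` to `{ 0, },` does not alter initialization, since the remaining members are zeroed either way, so this line adds churn without hardening anything. The table itself, shown in the hunk header as `static struct shortname_table {`, stays writable. If its users (outside this hunk) only read it, the more useful change is at the declaration: `static const struct shortname_table {`. The declaration begins before the hunk, so that edit would need its own hunk.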
83222 diff -urNp linux-2.6.39.3/sound/pci/korg1212/korg1212.c linux-2.6.39.3/sound/pci/korg1212/korg1212.c
83223 --- linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-19 00:06:34.000000000 -0400
83224 +++ linux-2.6.39.3/sound/pci/korg1212/korg1212.c 2011-05-22 19:36:35.000000000 -0400
83225 @@ -1682,7 +1682,7 @@ static int snd_korg1212_capture_copy(str
83226 return snd_korg1212_copy_to(korg1212, dst, pos, count, 0, korg1212->channels * 2);
83227 }
83228
83229 -static struct snd_pcm_ops snd_korg1212_playback_ops = {
83230 +static const struct snd_pcm_ops snd_korg1212_playback_ops = {
83231 .open = snd_korg1212_playback_open,
83232 .close = snd_korg1212_playback_close,
83233 .ioctl = snd_korg1212_ioctl,
83234 @@ -1694,7 +1694,7 @@ static struct snd_pcm_ops snd_korg1212_p
83235 .silence = snd_korg1212_playback_silence,
83236 };
83237
83238 -static struct snd_pcm_ops snd_korg1212_capture_ops = {
83239 +static const struct snd_pcm_ops snd_korg1212_capture_ops = {
83240 .open = snd_korg1212_capture_open,
83241 .close = snd_korg1212_capture_close,
83242 .ioctl = snd_korg1212_ioctl,
83243 @@ -2164,7 +2164,7 @@ static int __devinit snd_korg1212_create
83244 struct snd_korg1212 * korg1212;
83245 const struct firmware *dsp_code;
83246
83247 - static struct snd_device_ops ops = {
83248 + static const struct snd_device_ops ops = {
83249 .dev_free = snd_korg1212_dev_free,
83250 };
83251
83252 diff -urNp linux-2.6.39.3/sound/pci/maestro3.c linux-2.6.39.3/sound/pci/maestro3.c
83253 --- linux-2.6.39.3/sound/pci/maestro3.c 2011-05-19 00:06:34.000000000 -0400
83254 +++ linux-2.6.39.3/sound/pci/maestro3.c 2011-05-22 19:36:35.000000000 -0400
83255 @@ -1926,7 +1926,7 @@ snd_m3_capture_close(struct snd_pcm_subs
83256 * create pcm instance
83257 */
83258
83259 -static struct snd_pcm_ops snd_m3_playback_ops = {
83260 +static const struct snd_pcm_ops snd_m3_playback_ops = {
83261 .open = snd_m3_playback_open,
83262 .close = snd_m3_playback_close,
83263 .ioctl = snd_pcm_lib_ioctl,
83264 @@ -1937,7 +1937,7 @@ static struct snd_pcm_ops snd_m3_playbac
83265 .pointer = snd_m3_pcm_pointer,
83266 };
83267
83268 -static struct snd_pcm_ops snd_m3_capture_ops = {
83269 +static const struct snd_pcm_ops snd_m3_capture_ops = {
83270 .open = snd_m3_capture_open,
83271 .close = snd_m3_capture_close,
83272 .ioctl = snd_pcm_lib_ioctl,
83273 @@ -2150,7 +2150,7 @@ static int __devinit snd_m3_mixer(struct
83274 struct snd_ctl_elem_id elem_id;
83275 #endif
83276 int err;
83277 - static struct snd_ac97_bus_ops ops = {
83278 + static const struct snd_ac97_bus_ops ops = {
83279 .write = snd_m3_ac97_write,
83280 .read = snd_m3_ac97_read,
83281 };
83282 @@ -2643,7 +2643,7 @@ snd_m3_create(struct snd_card *card, str
83283 struct snd_m3 *chip;
83284 int i, err;
83285 const struct snd_pci_quirk *quirk;
83286 - static struct snd_device_ops ops = {
83287 + static const struct snd_device_ops ops = {
83288 .dev_free = snd_m3_dev_free,
83289 };
83290
83291 diff -urNp linux-2.6.39.3/sound/pci/mixart/mixart.c linux-2.6.39.3/sound/pci/mixart/mixart.c
83292 --- linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-19 00:06:34.000000000 -0400
83293 +++ linux-2.6.39.3/sound/pci/mixart/mixart.c 2011-05-22 19:36:35.000000000 -0400
83294 @@ -887,7 +887,7 @@ static snd_pcm_uframes_t snd_mixart_stre
83295
83296
83297
83298 -static struct snd_pcm_ops snd_mixart_playback_ops = {
83299 +static const struct snd_pcm_ops snd_mixart_playback_ops = {
83300 .open = snd_mixart_playback_open,
83301 .close = snd_mixart_close,
83302 .ioctl = snd_pcm_lib_ioctl,
83303 @@ -898,7 +898,7 @@ static struct snd_pcm_ops snd_mixart_pla
83304 .pointer = snd_mixart_stream_pointer,
83305 };
83306
83307 -static struct snd_pcm_ops snd_mixart_capture_ops = {
83308 +static const struct snd_pcm_ops snd_mixart_capture_ops = {
83309 .open = snd_mixart_capture_open,
83310 .close = snd_mixart_close,
83311 .ioctl = snd_pcm_lib_ioctl,
83312 @@ -1008,7 +1008,7 @@ static int __devinit snd_mixart_create(s
83313 {
83314 int err;
83315 struct snd_mixart *chip;
83316 - static struct snd_device_ops ops = {
83317 + static const struct snd_device_ops ops = {
83318 .dev_free = snd_mixart_chip_dev_free,
83319 };
83320
83321 diff -urNp linux-2.6.39.3/sound/pci/nm256/nm256.c linux-2.6.39.3/sound/pci/nm256/nm256.c
83322 --- linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-19 00:06:34.000000000 -0400
83323 +++ linux-2.6.39.3/sound/pci/nm256/nm256.c 2011-05-22 19:36:35.000000000 -0400
83324 @@ -899,7 +899,7 @@ snd_nm256_capture_close(struct snd_pcm_s
83325 /*
83326 * create a pcm instance
83327 */
83328 -static struct snd_pcm_ops snd_nm256_playback_ops = {
83329 +static const struct snd_pcm_ops snd_nm256_playback_ops = {
83330 .open = snd_nm256_playback_open,
83331 .close = snd_nm256_playback_close,
83332 .ioctl = snd_pcm_lib_ioctl,
83333 @@ -914,7 +914,7 @@ static struct snd_pcm_ops snd_nm256_play
83334 .mmap = snd_pcm_lib_mmap_iomem,
83335 };
83336
83337 -static struct snd_pcm_ops snd_nm256_capture_ops = {
83338 +static const struct snd_pcm_ops snd_nm256_capture_ops = {
83339 .open = snd_nm256_capture_open,
83340 .close = snd_nm256_capture_close,
83341 .ioctl = snd_pcm_lib_ioctl,
83342 @@ -1301,7 +1301,7 @@ snd_nm256_mixer(struct nm256 *chip)
83343 struct snd_ac97_bus *pbus;
83344 struct snd_ac97_template ac97;
83345 int err;
83346 - static struct snd_ac97_bus_ops ops = {
83347 + static const struct snd_ac97_bus_ops ops = {
83348 .reset = snd_nm256_ac97_reset,
83349 .write = snd_nm256_ac97_write,
83350 .read = snd_nm256_ac97_read,
83351 @@ -1471,7 +1471,7 @@ snd_nm256_create(struct snd_card *card,
83352 {
83353 struct nm256 *chip;
83354 int err, pval;
83355 - static struct snd_device_ops ops = {
83356 + static const struct snd_device_ops ops = {
83357 .dev_free = snd_nm256_dev_free,
83358 };
83359 u32 addr;
83360 diff -urNp linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c
83361 --- linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-19 00:06:34.000000000 -0400
83362 +++ linux-2.6.39.3/sound/pci/oxygen/oxygen_pcm.c 2011-05-22 19:36:35.000000000 -0400
83363 @@ -606,7 +606,7 @@ static snd_pcm_uframes_t oxygen_pointer(
83364 return bytes_to_frames(runtime, curr_addr - (u32)runtime->dma_addr);
83365 }
83366
83367 -static struct snd_pcm_ops oxygen_rec_a_ops = {
83368 +static const struct snd_pcm_ops oxygen_rec_a_ops = {
83369 .open = oxygen_rec_a_open,
83370 .close = oxygen_close,
83371 .ioctl = snd_pcm_lib_ioctl,
83372 @@ -617,7 +617,7 @@ static struct snd_pcm_ops oxygen_rec_a_o
83373 .pointer = oxygen_pointer,
83374 };
83375
83376 -static struct snd_pcm_ops oxygen_rec_b_ops = {
83377 +static const struct snd_pcm_ops oxygen_rec_b_ops = {
83378 .open = oxygen_rec_b_open,
83379 .close = oxygen_close,
83380 .ioctl = snd_pcm_lib_ioctl,
83381 @@ -628,7 +628,7 @@ static struct snd_pcm_ops oxygen_rec_b_o
83382 .pointer = oxygen_pointer,
83383 };
83384
83385 -static struct snd_pcm_ops oxygen_rec_c_ops = {
83386 +static const struct snd_pcm_ops oxygen_rec_c_ops = {
83387 .open = oxygen_rec_c_open,
83388 .close = oxygen_close,
83389 .ioctl = snd_pcm_lib_ioctl,
83390 @@ -639,7 +639,7 @@ static struct snd_pcm_ops oxygen_rec_c_o
83391 .pointer = oxygen_pointer,
83392 };
83393
83394 -static struct snd_pcm_ops oxygen_spdif_ops = {
83395 +static const struct snd_pcm_ops oxygen_spdif_ops = {
83396 .open = oxygen_spdif_open,
83397 .close = oxygen_close,
83398 .ioctl = snd_pcm_lib_ioctl,
83399 @@ -650,7 +650,7 @@ static struct snd_pcm_ops oxygen_spdif_o
83400 .pointer = oxygen_pointer,
83401 };
83402
83403 -static struct snd_pcm_ops oxygen_multich_ops = {
83404 +static const struct snd_pcm_ops oxygen_multich_ops = {
83405 .open = oxygen_multich_open,
83406 .close = oxygen_close,
83407 .ioctl = snd_pcm_lib_ioctl,
83408 @@ -661,7 +661,7 @@ static struct snd_pcm_ops oxygen_multich
83409 .pointer = oxygen_pointer,
83410 };
83411
83412 -static struct snd_pcm_ops oxygen_ac97_ops = {
83413 +static const struct snd_pcm_ops oxygen_ac97_ops = {
83414 .open = oxygen_ac97_open,
83415 .close = oxygen_close,
83416 .ioctl = snd_pcm_lib_ioctl,
83417 diff -urNp linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c
83418 --- linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-19 00:06:34.000000000 -0400
83419 +++ linux-2.6.39.3/sound/pci/pcxhr/pcxhr.c 2011-05-22 19:36:35.000000000 -0400
83420 @@ -1121,7 +1121,7 @@ static snd_pcm_uframes_t pcxhr_stream_po
83421 }
83422
83423
83424 -static struct snd_pcm_ops pcxhr_ops = {
83425 +static const struct snd_pcm_ops pcxhr_ops = {
83426 .open = pcxhr_open,
83427 .close = pcxhr_close,
83428 .ioctl = snd_pcm_lib_ioctl,
83429 @@ -1184,7 +1184,7 @@ static int __devinit pcxhr_create(struct
83430 {
83431 int err;
83432 struct snd_pcxhr *chip;
83433 - static struct snd_device_ops ops = {
83434 + static const struct snd_device_ops ops = {
83435 .dev_free = pcxhr_chip_dev_free,
83436 };
83437
83438 diff -urNp linux-2.6.39.3/sound/pci/riptide/riptide.c linux-2.6.39.3/sound/pci/riptide/riptide.c
83439 --- linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-19 00:06:34.000000000 -0400
83440 +++ linux-2.6.39.3/sound/pci/riptide/riptide.c 2011-05-22 19:36:35.000000000 -0400
83441 @@ -1675,7 +1675,7 @@ static int snd_riptide_capture_close(str
83442 return 0;
83443 }
83444
83445 -static struct snd_pcm_ops snd_riptide_playback_ops = {
83446 +static const struct snd_pcm_ops snd_riptide_playback_ops = {
83447 .open = snd_riptide_playback_open,
83448 .close = snd_riptide_playback_close,
83449 .ioctl = snd_pcm_lib_ioctl,
83450 @@ -1686,7 +1686,7 @@ static struct snd_pcm_ops snd_riptide_pl
83451 .trigger = snd_riptide_trigger,
83452 .pointer = snd_riptide_pointer,
83453 };
83454 -static struct snd_pcm_ops snd_riptide_capture_ops = {
83455 +static const struct snd_pcm_ops snd_riptide_capture_ops = {
83456 .open = snd_riptide_capture_open,
83457 .close = snd_riptide_capture_close,
83458 .ioctl = snd_pcm_lib_ioctl,
83459 @@ -1857,7 +1857,7 @@ snd_riptide_create(struct snd_card *card
83460 struct snd_riptide *chip;
83461 struct riptideport *hwport;
83462 int err;
83463 - static struct snd_device_ops ops = {
83464 + static const struct snd_device_ops ops = {
83465 .dev_free = snd_riptide_dev_free,
83466 };
83467
83468 @@ -1999,7 +1999,7 @@ static int __devinit snd_riptide_mixer(s
83469 struct snd_ac97_bus *pbus;
83470 struct snd_ac97_template ac97;
83471 int err = 0;
83472 - static struct snd_ac97_bus_ops ops = {
83473 + static const struct snd_ac97_bus_ops ops = {
83474 .write = snd_riptide_codec_write,
83475 .read = snd_riptide_codec_read,
83476 };
83477 diff -urNp linux-2.6.39.3/sound/pci/rme32.c linux-2.6.39.3/sound/pci/rme32.c
83478 --- linux-2.6.39.3/sound/pci/rme32.c 2011-05-19 00:06:34.000000000 -0400
83479 +++ linux-2.6.39.3/sound/pci/rme32.c 2011-05-22 19:36:35.000000000 -0400
83480 @@ -1197,7 +1197,7 @@ snd_rme32_capture_fd_pointer(struct snd_
83481 }
83482
83483 /* for halfduplex mode */
83484 -static struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83485 +static const struct snd_pcm_ops snd_rme32_playback_spdif_ops = {
83486 .open = snd_rme32_playback_spdif_open,
83487 .close = snd_rme32_playback_close,
83488 .ioctl = snd_pcm_lib_ioctl,
83489 @@ -1211,7 +1211,7 @@ static struct snd_pcm_ops snd_rme32_play
83490 .mmap = snd_pcm_lib_mmap_iomem,
83491 };
83492
83493 -static struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83494 +static const struct snd_pcm_ops snd_rme32_capture_spdif_ops = {
83495 .open = snd_rme32_capture_spdif_open,
83496 .close = snd_rme32_capture_close,
83497 .ioctl = snd_pcm_lib_ioctl,
83498 @@ -1224,7 +1224,7 @@ static struct snd_pcm_ops snd_rme32_capt
83499 .mmap = snd_pcm_lib_mmap_iomem,
83500 };
83501
83502 -static struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83503 +static const struct snd_pcm_ops snd_rme32_playback_adat_ops = {
83504 .open = snd_rme32_playback_adat_open,
83505 .close = snd_rme32_playback_close,
83506 .ioctl = snd_pcm_lib_ioctl,
83507 @@ -1237,7 +1237,7 @@ static struct snd_pcm_ops snd_rme32_play
83508 .mmap = snd_pcm_lib_mmap_iomem,
83509 };
83510
83511 -static struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83512 +static const struct snd_pcm_ops snd_rme32_capture_adat_ops = {
83513 .open = snd_rme32_capture_adat_open,
83514 .close = snd_rme32_capture_close,
83515 .ioctl = snd_pcm_lib_ioctl,
83516 @@ -1250,7 +1250,7 @@ static struct snd_pcm_ops snd_rme32_capt
83517 };
83518
83519 /* for fullduplex mode */
83520 -static struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83521 +static const struct snd_pcm_ops snd_rme32_playback_spdif_fd_ops = {
83522 .open = snd_rme32_playback_spdif_open,
83523 .close = snd_rme32_playback_close,
83524 .ioctl = snd_pcm_lib_ioctl,
83525 @@ -1262,7 +1262,7 @@ static struct snd_pcm_ops snd_rme32_play
83526 .ack = snd_rme32_playback_fd_ack,
83527 };
83528
83529 -static struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83530 +static const struct snd_pcm_ops snd_rme32_capture_spdif_fd_ops = {
83531 .open = snd_rme32_capture_spdif_open,
83532 .close = snd_rme32_capture_close,
83533 .ioctl = snd_pcm_lib_ioctl,
83534 @@ -1274,7 +1274,7 @@ static struct snd_pcm_ops snd_rme32_capt
83535 .ack = snd_rme32_capture_fd_ack,
83536 };
83537
83538 -static struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83539 +static const struct snd_pcm_ops snd_rme32_playback_adat_fd_ops = {
83540 .open = snd_rme32_playback_adat_open,
83541 .close = snd_rme32_playback_close,
83542 .ioctl = snd_pcm_lib_ioctl,
83543 @@ -1285,7 +1285,7 @@ static struct snd_pcm_ops snd_rme32_play
83544 .ack = snd_rme32_playback_fd_ack,
83545 };
83546
83547 -static struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83548 +static const struct snd_pcm_ops snd_rme32_capture_adat_fd_ops = {
83549 .open = snd_rme32_capture_adat_open,
83550 .close = snd_rme32_capture_close,
83551 .ioctl = snd_pcm_lib_ioctl,
83552 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdsp.c linux-2.6.39.3/sound/pci/rme9652/hdsp.c
83553 --- linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-19 00:06:34.000000000 -0400
83554 +++ linux-2.6.39.3/sound/pci/rme9652/hdsp.c 2011-05-22 19:36:35.000000000 -0400
83555 @@ -1469,15 +1469,13 @@ static int snd_hdsp_midi_output_close(st
83556 return 0;
83557 }
83558
83559 -static struct snd_rawmidi_ops snd_hdsp_midi_output =
83560 -{
83561 +static const struct snd_rawmidi_ops snd_hdsp_midi_output = {
83562 .open = snd_hdsp_midi_output_open,
83563 .close = snd_hdsp_midi_output_close,
83564 .trigger = snd_hdsp_midi_output_trigger,
83565 };
83566
83567 -static struct snd_rawmidi_ops snd_hdsp_midi_input =
83568 -{
83569 +static const struct snd_rawmidi_ops snd_hdsp_midi_input = {
83570 .open = snd_hdsp_midi_input_open,
83571 .close = snd_hdsp_midi_input_close,
83572 .trigger = snd_hdsp_midi_input_trigger,
83573 @@ -5135,7 +5133,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
83574 return 0;
83575 }
83576
83577 -static struct snd_pcm_ops snd_hdsp_playback_ops = {
83578 +static const struct snd_pcm_ops snd_hdsp_playback_ops = {
83579 .open = snd_hdsp_playback_open,
83580 .close = snd_hdsp_playback_release,
83581 .ioctl = snd_hdsp_ioctl,
83582 @@ -5147,7 +5145,7 @@ static struct snd_pcm_ops snd_hdsp_playb
83583 .silence = snd_hdsp_hw_silence,
83584 };
83585
83586 -static struct snd_pcm_ops snd_hdsp_capture_ops = {
83587 +static const struct snd_pcm_ops snd_hdsp_capture_ops = {
83588 .open = snd_hdsp_capture_open,
83589 .close = snd_hdsp_capture_release,
83590 .ioctl = snd_hdsp_ioctl,
83591 diff -urNp linux-2.6.39.3/sound/pci/rme9652/hdspm.c linux-2.6.39.3/sound/pci/rme9652/hdspm.c
83592 --- linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-19 00:06:34.000000000 -0400
83593 +++ linux-2.6.39.3/sound/pci/rme9652/hdspm.c 2011-05-22 19:36:35.000000000 -0400
83594 @@ -1773,15 +1773,13 @@ static int snd_hdspm_midi_output_close(s
83595 return 0;
83596 }
83597
83598 -static struct snd_rawmidi_ops snd_hdspm_midi_output =
83599 -{
83600 +static const struct snd_rawmidi_ops snd_hdspm_midi_output = {
83601 .open = snd_hdspm_midi_output_open,
83602 .close = snd_hdspm_midi_output_close,
83603 .trigger = snd_hdspm_midi_output_trigger,
83604 };
83605
83606 -static struct snd_rawmidi_ops snd_hdspm_midi_input =
83607 -{
83608 +static const struct snd_rawmidi_ops snd_hdspm_midi_input = {
83609 .open = snd_hdspm_midi_input_open,
83610 .close = snd_hdspm_midi_input_close,
83611 .trigger = snd_hdspm_midi_input_trigger,
83612 @@ -6172,7 +6170,7 @@ static int snd_hdspm_hwdep_ioctl(struct
83613 return 0;
83614 }
83615
83616 -static struct snd_pcm_ops snd_hdspm_playback_ops = {
83617 +static const struct snd_pcm_ops snd_hdspm_playback_ops = {
83618 .open = snd_hdspm_playback_open,
83619 .close = snd_hdspm_playback_release,
83620 .ioctl = snd_hdspm_ioctl,
83621 @@ -6184,7 +6182,7 @@ static struct snd_pcm_ops snd_hdspm_play
83622 .page = snd_pcm_sgbuf_ops_page,
83623 };
83624
83625 -static struct snd_pcm_ops snd_hdspm_capture_ops = {
83626 +static const struct snd_pcm_ops snd_hdspm_capture_ops = {
83627 .open = snd_hdspm_capture_open,
83628 .close = snd_hdspm_capture_release,
83629 .ioctl = snd_hdspm_ioctl,
83630 diff -urNp linux-2.6.39.3/sound/pci/rme9652/rme9652.c linux-2.6.39.3/sound/pci/rme9652/rme9652.c
83631 --- linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-19 00:06:34.000000000 -0400
83632 +++ linux-2.6.39.3/sound/pci/rme9652/rme9652.c 2011-05-22 19:36:35.000000000 -0400
83633 @@ -2391,7 +2391,7 @@ static int snd_rme9652_capture_release(s
83634 return 0;
83635 }
83636
83637 -static struct snd_pcm_ops snd_rme9652_playback_ops = {
83638 +static const struct snd_pcm_ops snd_rme9652_playback_ops = {
83639 .open = snd_rme9652_playback_open,
83640 .close = snd_rme9652_playback_release,
83641 .ioctl = snd_rme9652_ioctl,
83642 @@ -2403,7 +2403,7 @@ static struct snd_pcm_ops snd_rme9652_pl
83643 .silence = snd_rme9652_hw_silence,
83644 };
83645
83646 -static struct snd_pcm_ops snd_rme9652_capture_ops = {
83647 +static const struct snd_pcm_ops snd_rme9652_capture_ops = {
83648 .open = snd_rme9652_capture_open,
83649 .close = snd_rme9652_capture_release,
83650 .ioctl = snd_rme9652_ioctl,
83651 diff -urNp linux-2.6.39.3/sound/pci/rme96.c linux-2.6.39.3/sound/pci/rme96.c
83652 --- linux-2.6.39.3/sound/pci/rme96.c 2011-05-19 00:06:34.000000000 -0400
83653 +++ linux-2.6.39.3/sound/pci/rme96.c 2011-05-22 19:36:35.000000000 -0400
83654 @@ -1447,7 +1447,7 @@ snd_rme96_capture_pointer(struct snd_pcm
83655 return snd_rme96_capture_ptr(rme96);
83656 }
83657
83658 -static struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83659 +static const struct snd_pcm_ops snd_rme96_playback_spdif_ops = {
83660 .open = snd_rme96_playback_spdif_open,
83661 .close = snd_rme96_playback_close,
83662 .ioctl = snd_pcm_lib_ioctl,
83663 @@ -1460,7 +1460,7 @@ static struct snd_pcm_ops snd_rme96_play
83664 .mmap = snd_pcm_lib_mmap_iomem,
83665 };
83666
83667 -static struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83668 +static const struct snd_pcm_ops snd_rme96_capture_spdif_ops = {
83669 .open = snd_rme96_capture_spdif_open,
83670 .close = snd_rme96_capture_close,
83671 .ioctl = snd_pcm_lib_ioctl,
83672 @@ -1472,7 +1472,7 @@ static struct snd_pcm_ops snd_rme96_capt
83673 .mmap = snd_pcm_lib_mmap_iomem,
83674 };
83675
83676 -static struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83677 +static const struct snd_pcm_ops snd_rme96_playback_adat_ops = {
83678 .open = snd_rme96_playback_adat_open,
83679 .close = snd_rme96_playback_close,
83680 .ioctl = snd_pcm_lib_ioctl,
83681 @@ -1485,7 +1485,7 @@ static struct snd_pcm_ops snd_rme96_play
83682 .mmap = snd_pcm_lib_mmap_iomem,
83683 };
83684
83685 -static struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83686 +static const struct snd_pcm_ops snd_rme96_capture_adat_ops = {
83687 .open = snd_rme96_capture_adat_open,
83688 .close = snd_rme96_capture_close,
83689 .ioctl = snd_pcm_lib_ioctl,
83690 diff -urNp linux-2.6.39.3/sound/pci/sis7019.c linux-2.6.39.3/sound/pci/sis7019.c
83691 --- linux-2.6.39.3/sound/pci/sis7019.c 2011-05-19 00:06:34.000000000 -0400
83692 +++ linux-2.6.39.3/sound/pci/sis7019.c 2011-05-22 19:36:35.000000000 -0400
83693 @@ -1011,7 +1011,7 @@ static int __devinit sis_mixer_create(st
83694 {
83695 struct snd_ac97_bus *bus;
83696 struct snd_ac97_template ac97;
83697 - static struct snd_ac97_bus_ops ops = {
83698 + static const struct snd_ac97_bus_ops ops = {
83699 .write = sis_ac97_write,
83700 .read = sis_ac97_read,
83701 };
83702 @@ -1293,7 +1293,7 @@ static int __devinit sis_chip_create(str
83703 {
83704 struct sis7019 *sis = card->private_data;
83705 struct voice *voice;
83706 - static struct snd_device_ops ops = {
83707 + static const struct snd_device_ops ops = {
83708 .dev_free = sis_dev_free,
83709 };
83710 int rc;
83711 diff -urNp linux-2.6.39.3/sound/pci/sonicvibes.c linux-2.6.39.3/sound/pci/sonicvibes.c
83712 --- linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-19 00:06:34.000000000 -0400
83713 +++ linux-2.6.39.3/sound/pci/sonicvibes.c 2011-05-22 19:36:35.000000000 -0400
83714 @@ -855,7 +855,7 @@ static int snd_sonicvibes_capture_close(
83715 return 0;
83716 }
83717
83718 -static struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83719 +static const struct snd_pcm_ops snd_sonicvibes_playback_ops = {
83720 .open = snd_sonicvibes_playback_open,
83721 .close = snd_sonicvibes_playback_close,
83722 .ioctl = snd_pcm_lib_ioctl,
83723 @@ -866,7 +866,7 @@ static struct snd_pcm_ops snd_sonicvibes
83724 .pointer = snd_sonicvibes_playback_pointer,
83725 };
83726
83727 -static struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83728 +static const struct snd_pcm_ops snd_sonicvibes_capture_ops = {
83729 .open = snd_sonicvibes_capture_open,
83730 .close = snd_sonicvibes_capture_close,
83731 .ioctl = snd_pcm_lib_ioctl,
83732 @@ -1255,7 +1255,7 @@ static int __devinit snd_sonicvibes_crea
83733 struct sonicvibes *sonic;
83734 unsigned int dmaa, dmac;
83735 int err;
83736 - static struct snd_device_ops ops = {
83737 + static const struct snd_device_ops ops = {
83738 .dev_free = snd_sonicvibes_dev_free,
83739 };
83740
83741 diff -urNp linux-2.6.39.3/sound/pci/trident/trident_main.c linux-2.6.39.3/sound/pci/trident/trident_main.c
83742 --- linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-19 00:06:34.000000000 -0400
83743 +++ linux-2.6.39.3/sound/pci/trident/trident_main.c 2011-05-22 19:36:35.000000000 -0400
83744 @@ -3549,7 +3549,7 @@ int __devinit snd_trident_create(struct
83745 int i, err;
83746 struct snd_trident_voice *voice;
83747 struct snd_trident_pcm_mixer *tmix;
83748 - static struct snd_device_ops ops = {
83749 + static const struct snd_device_ops ops = {
83750 .dev_free = snd_trident_dev_free,
83751 };
83752
83753 diff -urNp linux-2.6.39.3/sound/pci/via82xx.c linux-2.6.39.3/sound/pci/via82xx.c
83754 --- linux-2.6.39.3/sound/pci/via82xx.c 2011-05-19 00:06:34.000000000 -0400
83755 +++ linux-2.6.39.3/sound/pci/via82xx.c 2011-05-22 19:36:35.000000000 -0400
83756 @@ -1352,7 +1352,7 @@ static int snd_via8233_playback_close(st
83757
83758
83759 /* via686 playback callbacks */
83760 -static struct snd_pcm_ops snd_via686_playback_ops = {
83761 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83762 .open = snd_via686_playback_open,
83763 .close = snd_via82xx_pcm_close,
83764 .ioctl = snd_pcm_lib_ioctl,
83765 @@ -1365,7 +1365,7 @@ static struct snd_pcm_ops snd_via686_pla
83766 };
83767
83768 /* via686 capture callbacks */
83769 -static struct snd_pcm_ops snd_via686_capture_ops = {
83770 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83771 .open = snd_via82xx_capture_open,
83772 .close = snd_via82xx_pcm_close,
83773 .ioctl = snd_pcm_lib_ioctl,
83774 @@ -1378,7 +1378,7 @@ static struct snd_pcm_ops snd_via686_cap
83775 };
83776
83777 /* via823x DSX playback callbacks */
83778 -static struct snd_pcm_ops snd_via8233_playback_ops = {
83779 +static const struct snd_pcm_ops snd_via8233_playback_ops = {
83780 .open = snd_via8233_playback_open,
83781 .close = snd_via8233_playback_close,
83782 .ioctl = snd_pcm_lib_ioctl,
83783 @@ -1391,7 +1391,7 @@ static struct snd_pcm_ops snd_via8233_pl
83784 };
83785
83786 /* via823x multi-channel playback callbacks */
83787 -static struct snd_pcm_ops snd_via8233_multi_ops = {
83788 +static const struct snd_pcm_ops snd_via8233_multi_ops = {
83789 .open = snd_via8233_multi_open,
83790 .close = snd_via82xx_pcm_close,
83791 .ioctl = snd_pcm_lib_ioctl,
83792 @@ -1404,7 +1404,7 @@ static struct snd_pcm_ops snd_via8233_mu
83793 };
83794
83795 /* via823x capture callbacks */
83796 -static struct snd_pcm_ops snd_via8233_capture_ops = {
83797 +static const struct snd_pcm_ops snd_via8233_capture_ops = {
83798 .open = snd_via82xx_capture_open,
83799 .close = snd_via82xx_pcm_close,
83800 .ioctl = snd_pcm_lib_ioctl,
83801 @@ -1868,7 +1868,7 @@ static int __devinit snd_via82xx_mixer_n
83802 {
83803 struct snd_ac97_template ac97;
83804 int err;
83805 - static struct snd_ac97_bus_ops ops = {
83806 + static const struct snd_ac97_bus_ops ops = {
83807 .write = snd_via82xx_codec_write,
83808 .read = snd_via82xx_codec_read,
83809 .wait = snd_via82xx_codec_wait,
83810 @@ -2340,7 +2340,7 @@ static int __devinit snd_via82xx_create(
83811 {
83812 struct via82xx *chip;
83813 int err;
83814 - static struct snd_device_ops ops = {
83815 + static const struct snd_device_ops ops = {
83816 .dev_free = snd_via82xx_dev_free,
83817 };
83818
83819 diff -urNp linux-2.6.39.3/sound/pci/via82xx_modem.c linux-2.6.39.3/sound/pci/via82xx_modem.c
83820 --- linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-19 00:06:34.000000000 -0400
83821 +++ linux-2.6.39.3/sound/pci/via82xx_modem.c 2011-05-22 19:36:35.000000000 -0400
83822 @@ -799,7 +799,7 @@ static int snd_via82xx_pcm_close(struct
83823
83824
83825 /* via686 playback callbacks */
83826 -static struct snd_pcm_ops snd_via686_playback_ops = {
83827 +static const struct snd_pcm_ops snd_via686_playback_ops = {
83828 .open = snd_via82xx_playback_open,
83829 .close = snd_via82xx_pcm_close,
83830 .ioctl = snd_pcm_lib_ioctl,
83831 @@ -812,7 +812,7 @@ static struct snd_pcm_ops snd_via686_pla
83832 };
83833
83834 /* via686 capture callbacks */
83835 -static struct snd_pcm_ops snd_via686_capture_ops = {
83836 +static const struct snd_pcm_ops snd_via686_capture_ops = {
83837 .open = snd_via82xx_capture_open,
83838 .close = snd_via82xx_pcm_close,
83839 .ioctl = snd_pcm_lib_ioctl,
83840 @@ -889,7 +889,7 @@ static int __devinit snd_via82xx_mixer_n
83841 {
83842 struct snd_ac97_template ac97;
83843 int err;
83844 - static struct snd_ac97_bus_ops ops = {
83845 + static const struct snd_ac97_bus_ops ops = {
83846 .write = snd_via82xx_codec_write,
83847 .read = snd_via82xx_codec_read,
83848 .wait = snd_via82xx_codec_wait,
83849 @@ -1105,7 +1105,7 @@ static int __devinit snd_via82xx_create(
83850 {
83851 struct via82xx_modem *chip;
83852 int err;
83853 - static struct snd_device_ops ops = {
83854 + static const struct snd_device_ops ops = {
83855 .dev_free = snd_via82xx_dev_free,
83856 };
83857
83858 diff -urNp linux-2.6.39.3/sound/pci/vx222/vx222.c linux-2.6.39.3/sound/pci/vx222/vx222.c
83859 --- linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-19 00:06:34.000000000 -0400
83860 +++ linux-2.6.39.3/sound/pci/vx222/vx222.c 2011-05-22 19:36:35.000000000 -0400
83861 @@ -141,7 +141,7 @@ static int __devinit snd_vx222_create(st
83862 struct vx_core *chip;
83863 struct snd_vx222 *vx;
83864 int i, err;
83865 - static struct snd_device_ops ops = {
83866 + static const struct snd_device_ops ops = {
83867 .dev_free = snd_vx222_dev_free,
83868 };
83869 struct snd_vx_ops *vx_ops;
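Review bot: The last context line keeps `struct snd_vx_ops *vx_ops;` as a pointer to a writable ops table, while the `ops` table directly above it becomes `static const`. If the vx ops tables assigned to this pointer are meant to become read-only as well (their definitions are not in this hunk), the local should read `const struct snd_vx_ops *vx_ops;` so the qualifier is not dropped on assignment. The body of snd_vx222_create continues outside the hunk, so where the pointer is stored cannot be checked from here.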
83870 diff -urNp linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c
83871 --- linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-19 00:06:34.000000000 -0400
83872 +++ linux-2.6.39.3/sound/pci/ymfpci/ymfpci_main.c 2011-05-22 19:36:35.000000000 -0400
83873 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
83874 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
83875 break;
83876 }
83877 - if (atomic_read(&chip->interrupt_sleep_count)) {
83878 - atomic_set(&chip->interrupt_sleep_count, 0);
83879 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83880 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83881 wake_up(&chip->interrupt_sleep);
83882 }
83883 __end:
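Review bot: Nothing at the converted call sites records why `chip->interrupt_sleep_count` moves to `atomic_read_unchecked`/`atomic_set_unchecked`, which by their name opt this counter out of the overflow checking applied to the plain `atomic_*` helpers. From the visible lines the field counts sleepers (incremented in snd_ymfpci_irq_wait, reset to 0 just before `wake_up`) rather than holding an object reference, so the exemption looks reasonable. A one-line comment at the first use, such as `/* waiter count, not a refcount: a wrap cannot cause a premature free */`, would keep a later reader from "fixing" it back. The same applies to the hunks at -787, -825 and -2363 of this file. The field's declaration must change to the matching unchecked atomic type too; it is not in this section, and the enclosing function starts outside the hunk.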
83884 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
83885 continue;
83886 init_waitqueue_entry(&wait, current);
83887 add_wait_queue(&chip->interrupt_sleep, &wait);
83888 - atomic_inc(&chip->interrupt_sleep_count);
83889 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
83890 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
83891 remove_wait_queue(&chip->interrupt_sleep, &wait);
83892 }
83893 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
83894 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
83895 spin_unlock(&chip->reg_lock);
83896
83897 - if (atomic_read(&chip->interrupt_sleep_count)) {
83898 - atomic_set(&chip->interrupt_sleep_count, 0);
83899 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
83900 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83901 wake_up(&chip->interrupt_sleep);
83902 }
83903 }
83904 @@ -2344,7 +2344,7 @@ int __devinit snd_ymfpci_create(struct s
83905 {
83906 struct snd_ymfpci *chip;
83907 int err;
83908 - static struct snd_device_ops ops = {
83909 + static const struct snd_device_ops ops = {
83910 .dev_free = snd_ymfpci_dev_free,
83911 };
83912
83913 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
83914 spin_lock_init(&chip->reg_lock);
83915 spin_lock_init(&chip->voice_lock);
83916 init_waitqueue_head(&chip->interrupt_sleep);
83917 - atomic_set(&chip->interrupt_sleep_count, 0);
83918 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
83919 chip->card = card;
83920 chip->pci = pci;
83921 chip->irq = -1;
83922 diff -urNp linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c
83923 --- linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-19 00:06:34.000000000 -0400
83924 +++ linux-2.6.39.3/sound/pcmcia/pdaudiocf/pdaudiocf.c 2011-05-22 19:36:35.000000000 -0400
83925 @@ -94,7 +94,7 @@ static int snd_pdacf_probe(struct pcmcia
83926 int i, err;
83927 struct snd_pdacf *pdacf;
83928 struct snd_card *card;
83929 - static struct snd_device_ops ops = {
83930 + static const struct snd_device_ops ops = {
83931 .dev_free = snd_pdacf_dev_free,
83932 };
83933
83934 diff -urNp linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c
83935 --- linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-19 00:06:34.000000000 -0400
83936 +++ linux-2.6.39.3/sound/pcmcia/vx/vxpocket.c 2011-05-22 19:36:35.000000000 -0400
83937 @@ -137,7 +137,7 @@ static int snd_vxpocket_new(struct snd_c
83938 {
83939 struct vx_core *chip;
83940 struct snd_vxpocket *vxp;
83941 - static struct snd_device_ops ops = {
83942 + static const struct snd_device_ops ops = {
83943 .dev_free = snd_vxpocket_dev_free,
83944 };
83945 int err;
83946 diff -urNp linux-2.6.39.3/sound/ppc/pmac.c linux-2.6.39.3/sound/ppc/pmac.c
83947 --- linux-2.6.39.3/sound/ppc/pmac.c 2011-05-19 00:06:34.000000000 -0400
83948 +++ linux-2.6.39.3/sound/ppc/pmac.c 2011-05-22 19:36:35.000000000 -0400
83949 @@ -1186,7 +1186,7 @@ int __devinit snd_pmac_new(struct snd_ca
83950 int i, err;
83951 unsigned int irq;
83952 unsigned long ctrl_addr, txdma_addr, rxdma_addr;
83953 - static struct snd_device_ops ops = {
83954 + static const struct snd_device_ops ops = {
83955 .dev_free = snd_pmac_dev_free,
83956 };
83957
83958 diff -urNp linux-2.6.39.3/sound/ppc/snd_ps3.c linux-2.6.39.3/sound/ppc/snd_ps3.c
83959 --- linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-19 00:06:34.000000000 -0400
83960 +++ linux-2.6.39.3/sound/ppc/snd_ps3.c 2011-05-22 19:36:35.000000000 -0400
83961 @@ -773,7 +773,7 @@ static struct snd_kcontrol_new spdif_ctl
83962 },
83963 };
83964
83965 -static struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83966 +static const struct snd_pcm_ops snd_ps3_pcm_spdif_ops = {
83967 .open = snd_ps3_pcm_open,
83968 .close = snd_ps3_pcm_close,
83969 .ioctl = snd_pcm_lib_ioctl,
83970 diff -urNp linux-2.6.39.3/sound/sh/aica.c linux-2.6.39.3/sound/sh/aica.c
83971 --- linux-2.6.39.3/sound/sh/aica.c 2011-05-19 00:06:34.000000000 -0400
83972 +++ linux-2.6.39.3/sound/sh/aica.c 2011-05-22 19:36:35.000000000 -0400
83973 @@ -441,7 +441,7 @@ static unsigned long snd_aicapcm_pcm_poi
83974 return readl(AICA_CONTROL_CHANNEL_SAMPLE_NUMBER);
83975 }
83976
83977 -static struct snd_pcm_ops snd_aicapcm_playback_ops = {
83978 +static const struct snd_pcm_ops snd_aicapcm_playback_ops = {
83979 .open = snd_aicapcm_pcm_open,
83980 .close = snd_aicapcm_pcm_close,
83981 .ioctl = snd_pcm_lib_ioctl,
83982 diff -urNp linux-2.6.39.3/sound/sh/sh_dac_audio.c linux-2.6.39.3/sound/sh/sh_dac_audio.c
83983 --- linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-19 00:06:34.000000000 -0400
83984 +++ linux-2.6.39.3/sound/sh/sh_dac_audio.c 2011-05-22 19:36:35.000000000 -0400
83985 @@ -246,7 +246,7 @@ snd_pcm_uframes_t snd_sh_dac_pcm_pointer
83986 }
83987
83988 /* pcm ops */
83989 -static struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83990 +static const struct snd_pcm_ops snd_sh_dac_pcm_ops = {
83991 .open = snd_sh_dac_pcm_open,
83992 .close = snd_sh_dac_pcm_close,
83993 .ioctl = snd_pcm_lib_ioctl,
83994 @@ -352,7 +352,7 @@ static int __devinit snd_sh_dac_create(s
83995 struct snd_sh_dac *chip;
83996 int err;
83997
83998 - static struct snd_device_ops ops = {
83999 + static const struct snd_device_ops ops = {
84000 .dev_free = snd_sh_dac_dev_free,
84001 };
84002
84003 diff -urNp linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c
84004 --- linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-19 00:06:34.000000000 -0400
84005 +++ linux-2.6.39.3/sound/soc/atmel/atmel-pcm.c 2011-05-22 19:36:35.000000000 -0400
84006 @@ -346,7 +346,7 @@ static int atmel_pcm_mmap(struct snd_pcm
84007 vma->vm_end - vma->vm_start, vma->vm_page_prot);
84008 }
84009
84010 -static struct snd_pcm_ops atmel_pcm_ops = {
84011 +static const struct snd_pcm_ops atmel_pcm_ops = {
84012 .open = atmel_pcm_open,
84013 .close = atmel_pcm_close,
84014 .ioctl = snd_pcm_lib_ioctl,
84015 diff -urNp linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c
84016 --- linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-19 00:06:34.000000000 -0400
84017 +++ linux-2.6.39.3/sound/soc/atmel/playpaq_wm8510.c 2011-05-22 19:36:35.000000000 -0400
84018 @@ -289,7 +289,7 @@ static int playpaq_wm8510_hw_params(stru
84019
84020
84021
84022 -static struct snd_soc_ops playpaq_wm8510_ops = {
84023 +static const struct snd_soc_ops playpaq_wm8510_ops = {
84024 .hw_params = playpaq_wm8510_hw_params,
84025 };
84026
84027 diff -urNp linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c
84028 --- linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-19 00:06:34.000000000 -0400
84029 +++ linux-2.6.39.3/sound/soc/atmel/sam9g20_wm8731.c 2011-05-22 19:36:35.000000000 -0400
84030 @@ -87,7 +87,7 @@ static int at91sam9g20ek_hw_params(struc
84031 return 0;
84032 }
84033
84034 -static struct snd_soc_ops at91sam9g20ek_ops = {
84035 +static const struct snd_soc_ops at91sam9g20ek_ops = {
84036 .hw_params = at91sam9g20ek_hw_params,
84037 };
84038
84039 diff -urNp linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c
84040 --- linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-19 00:06:34.000000000 -0400
84041 +++ linux-2.6.39.3/sound/soc/atmel/snd-soc-afeb9260.c 2011-05-22 19:36:35.000000000 -0400
84042 @@ -81,7 +81,7 @@ static int afeb9260_hw_params(struct snd
84043 return err;
84044 }
84045
84046 -static struct snd_soc_ops afeb9260_ops = {
84047 +static const struct snd_soc_ops afeb9260_ops = {
84048 .hw_params = afeb9260_hw_params,
84049 };
84050
84051 diff -urNp linux-2.6.39.3/sound/soc/au1x/db1200.c linux-2.6.39.3/sound/soc/au1x/db1200.c
84052 --- linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-19 00:06:34.000000000 -0400
84053 +++ linux-2.6.39.3/sound/soc/au1x/db1200.c 2011-05-22 19:36:35.000000000 -0400
84054 @@ -67,7 +67,7 @@ out:
84055 return ret;
84056 }
84057
84058 -static struct snd_soc_ops db1200_i2s_wm8731_ops = {
84059 +static const struct snd_soc_ops db1200_i2s_wm8731_ops = {
84060 .startup = db1200_i2s_startup,
84061 };
84062
84063 diff -urNp linux-2.6.39.3/sound/soc/au1x/dbdma2.c linux-2.6.39.3/sound/soc/au1x/dbdma2.c
84064 --- linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-19 00:06:34.000000000 -0400
84065 +++ linux-2.6.39.3/sound/soc/au1x/dbdma2.c 2011-05-22 19:36:35.000000000 -0400
84066 @@ -303,7 +303,7 @@ static int au1xpsc_pcm_close(struct snd_
84067 return 0;
84068 }
84069
84070 -static struct snd_pcm_ops au1xpsc_pcm_ops = {
84071 +static const struct snd_pcm_ops au1xpsc_pcm_ops = {
84072 .open = au1xpsc_pcm_open,
84073 .close = au1xpsc_pcm_close,
84074 .ioctl = snd_pcm_lib_ioctl,
84075 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c
84076 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84077 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84078 @@ -244,7 +244,7 @@ static void bf5xx_ac97_cold_reset(struct
84079 #endif
84080 }
84081
84082 -struct snd_ac97_bus_ops soc_ac97_ops = {
84083 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84084 .read = bf5xx_ac97_read,
84085 .write = bf5xx_ac97_write,
84086 .warm_reset = bf5xx_ac97_warm_reset,
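Review bot: The table made `const` here is `soc_ac97_ops`, but the header hunk that follows (bf5xx-ac97.h) constifies the declaration of a differently named symbol, `bf5xx_ac97_ops`. The `extern` declaration that other files use for `soc_ac97_ops` is not shown in this section; unless it also becomes `extern const struct snd_ac97_bus_ops soc_ac97_ops;`, the definition and declaration disagree on qualifiers. Any translation unit that sees both will then fail to compile, or a cast will be added that defeats the read-only placement. It is also worth checking whether `bf5xx_ac97_ops` in the header refers to any definition at all, since none appears in the visible hunks.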
84087 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h
84088 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84089 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84090 @@ -9,7 +9,7 @@
84091 #ifndef _BF5XX_AC97_H
84092 #define _BF5XX_AC97_H
84093
84094 -extern struct snd_ac97_bus_ops bf5xx_ac97_ops;
84095 +extern const struct snd_ac97_bus_ops bf5xx_ac97_ops;
84096 extern struct snd_ac97 *ac97;
84097 /* Frame format in memory, only support stereo currently */
84098 struct ac97_frame {
84099 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c
84100 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-19 00:06:34.000000000 -0400
84101 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ac97-pcm.c 2011-05-22 19:36:35.000000000 -0400
84102 @@ -297,7 +297,7 @@ static int bf5xx_pcm_copy(struct snd_pcm
84103 }
84104 #endif
84105
84106 -static struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84107 +static const struct snd_pcm_ops bf5xx_pcm_ac97_ops = {
84108 .open = bf5xx_pcm_open,
84109 .ioctl = snd_pcm_lib_ioctl,
84110 .hw_params = bf5xx_pcm_hw_params,
84111 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c
84112 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-19 00:06:34.000000000 -0400
84113 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1836.c 2011-05-22 19:36:35.000000000 -0400
84114 @@ -74,7 +74,7 @@ static int bf5xx_ad1836_hw_params(struct
84115 return 0;
84116 }
84117
84118 -static struct snd_soc_ops bf5xx_ad1836_ops = {
84119 +static const struct snd_soc_ops bf5xx_ad1836_ops = {
84120 .startup = bf5xx_ad1836_startup,
84121 .hw_params = bf5xx_ad1836_hw_params,
84122 };
84123 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c
84124 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-19 00:06:34.000000000 -0400
84125 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad193x.c 2011-05-22 19:36:35.000000000 -0400
84126 @@ -88,7 +88,7 @@ static int bf5xx_ad193x_hw_params(struct
84127 return 0;
84128 }
84129
84130 -static struct snd_soc_ops bf5xx_ad193x_ops = {
84131 +static const struct snd_soc_ops bf5xx_ad193x_ops = {
84132 .startup = bf5xx_ad193x_startup,
84133 .hw_params = bf5xx_ad193x_hw_params,
84134 };
84135 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c
84136 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-19 00:06:34.000000000 -0400
84137 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad1980.c 2011-05-22 19:36:35.000000000 -0400
84138 @@ -63,7 +63,7 @@ static int bf5xx_board_startup(struct sn
84139 return 0;
84140 }
84141
84142 -static struct snd_soc_ops bf5xx_board_ops = {
84143 +static const struct snd_soc_ops bf5xx_board_ops = {
84144 .startup = bf5xx_board_startup,
84145 };
84146
84147 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c
84148 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-19 00:06:34.000000000 -0400
84149 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ad73311.c 2011-05-22 19:36:35.000000000 -0400
84150 @@ -175,7 +175,7 @@ static int bf5xx_ad73311_hw_params(struc
84151 }
84152
84153
84154 -static struct snd_soc_ops bf5xx_ad73311_ops = {
84155 +static const struct snd_soc_ops bf5xx_ad73311_ops = {
84156 .startup = bf5xx_ad73311_startup,
84157 .hw_params = bf5xx_ad73311_hw_params,
84158 };
84159 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c
84160 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-19 00:06:34.000000000 -0400
84161 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-i2s-pcm.c 2011-05-22 19:36:35.000000000 -0400
84162 @@ -183,7 +183,7 @@ static int bf5xx_pcm_mmap(struct snd_pcm
84163 return 0 ;
84164 }
84165
84166 -static struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84167 +static const struct snd_pcm_ops bf5xx_pcm_i2s_ops = {
84168 .open = bf5xx_pcm_open,
84169 .ioctl = snd_pcm_lib_ioctl,
84170 .hw_params = bf5xx_pcm_hw_params,
84171 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c
84172 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-19 00:06:34.000000000 -0400
84173 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-ssm2602.c 2011-05-22 19:36:35.000000000 -0400
84174 @@ -108,7 +108,7 @@ static int bf5xx_ssm2602_hw_params(struc
84175 return 0;
84176 }
84177
84178 -static struct snd_soc_ops bf5xx_ssm2602_ops = {
84179 +static const struct snd_soc_ops bf5xx_ssm2602_ops = {
84180 .startup = bf5xx_ssm2602_startup,
84181 .hw_params = bf5xx_ssm2602_hw_params,
84182 };
84183 diff -urNp linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c
84184 --- linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-19 00:06:34.000000000 -0400
84185 +++ linux-2.6.39.3/sound/soc/blackfin/bf5xx-tdm-pcm.c 2011-05-22 19:36:35.000000000 -0400
84186 @@ -220,7 +220,7 @@ static int bf5xx_pcm_silence(struct snd_
84187 }
84188
84189
84190 -struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84191 +const struct snd_pcm_ops bf5xx_pcm_tdm_ops = {
84192 .open = bf5xx_pcm_open,
84193 .ioctl = snd_pcm_lib_ioctl,
84194 .hw_params = bf5xx_pcm_hw_params,
84195 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-evm.c linux-2.6.39.3/sound/soc/davinci/davinci-evm.c
84196 --- linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-19 00:06:34.000000000 -0400
84197 +++ linux-2.6.39.3/sound/soc/davinci/davinci-evm.c 2011-05-22 19:36:35.000000000 -0400
84198 @@ -88,11 +88,11 @@ static int evm_spdif_hw_params(struct sn
84199 return snd_soc_dai_set_fmt(cpu_dai, AUDIO_FORMAT);
84200 }
84201
84202 -static struct snd_soc_ops evm_ops = {
84203 +static const struct snd_soc_ops evm_ops = {
84204 .hw_params = evm_hw_params,
84205 };
84206
84207 -static struct snd_soc_ops evm_spdif_ops = {
84208 +static const struct snd_soc_ops evm_spdif_ops = {
84209 .hw_params = evm_spdif_hw_params,
84210 };
84211
84212 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c
84213 --- linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-19 00:06:34.000000000 -0400
84214 +++ linux-2.6.39.3/sound/soc/davinci/davinci-pcm.c 2011-05-22 19:36:35.000000000 -0400
84215 @@ -748,7 +748,7 @@ static int davinci_pcm_mmap(struct snd_p
84216 runtime->dma_bytes);
84217 }
84218
84219 -static struct snd_pcm_ops davinci_pcm_ops = {
84220 +static const struct snd_pcm_ops davinci_pcm_ops = {
84221 .open = davinci_pcm_open,
84222 .close = davinci_pcm_close,
84223 .ioctl = snd_pcm_lib_ioctl,
84224 diff -urNp linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c
84225 --- linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-19 00:06:34.000000000 -0400
84226 +++ linux-2.6.39.3/sound/soc/davinci/davinci-sffsdr.c 2011-05-22 19:36:35.000000000 -0400
84227 @@ -75,7 +75,7 @@ static int sffsdr_hw_params(struct snd_p
84228 #endif
84229 }
84230
84231 -static struct snd_soc_ops sffsdr_ops = {
84232 +static const struct snd_soc_ops sffsdr_ops = {
84233 .hw_params = sffsdr_hw_params,
84234 };
84235
84236 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c
84237 --- linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-19 00:06:34.000000000 -0400
84238 +++ linux-2.6.39.3/sound/soc/ep93xx/edb93xx.c 2011-05-22 19:36:35.000000000 -0400
84239 @@ -74,7 +74,7 @@ static int edb93xx_hw_params(struct snd_
84240 SND_SOC_CLOCK_OUT);
84241 }
84242
84243 -static struct snd_soc_ops edb93xx_ops = {
84244 +static const struct snd_soc_ops edb93xx_ops = {
84245 .hw_params = edb93xx_hw_params,
84246 };
84247
84248 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c
84249 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84250 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84251 @@ -239,7 +239,7 @@ static irqreturn_t ep93xx_ac97_interrupt
84252 return IRQ_HANDLED;
84253 }
84254
84255 -struct snd_ac97_bus_ops soc_ac97_ops = {
84256 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84257 .read = ep93xx_ac97_read,
84258 .write = ep93xx_ac97_write,
84259 .reset = ep93xx_ac97_cold_reset,
84260 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c
84261 --- linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-19 00:06:34.000000000 -0400
84262 +++ linux-2.6.39.3/sound/soc/ep93xx/ep93xx-pcm.c 2011-05-22 19:36:35.000000000 -0400
84263 @@ -216,7 +216,7 @@ static int ep93xx_pcm_mmap(struct snd_pc
84264 runtime->dma_bytes);
84265 }
84266
84267 -static struct snd_pcm_ops ep93xx_pcm_ops = {
84268 +static const struct snd_pcm_ops ep93xx_pcm_ops = {
84269 .open = ep93xx_pcm_open,
84270 .close = ep93xx_pcm_close,
84271 .ioctl = snd_pcm_lib_ioctl,
84272 diff -urNp linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c
84273 --- linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-19 00:06:34.000000000 -0400
84274 +++ linux-2.6.39.3/sound/soc/ep93xx/snappercl15.c 2011-05-22 19:36:35.000000000 -0400
84275 @@ -55,7 +55,7 @@ static int snappercl15_hw_params(struct
84276 return 0;
84277 }
84278
84279 -static struct snd_soc_ops snappercl15_ops = {
84280 +static const struct snd_soc_ops snappercl15_ops = {
84281 .hw_params = snappercl15_hw_params,
84282 };
84283
84284 diff -urNp linux-2.6.39.3/sound/soc/fsl/fsl_dma.c linux-2.6.39.3/sound/soc/fsl/fsl_dma.c
84285 --- linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-19 00:06:34.000000000 -0400
84286 +++ linux-2.6.39.3/sound/soc/fsl/fsl_dma.c 2011-05-22 19:36:35.000000000 -0400
84287 @@ -887,7 +887,7 @@ static struct device_node *find_ssi_node
84288 return NULL;
84289 }
84290
84291 -static struct snd_pcm_ops fsl_dma_ops = {
84292 +static const struct snd_pcm_ops fsl_dma_ops = {
84293 .open = fsl_dma_open,
84294 .close = fsl_dma_close,
84295 .ioctl = snd_pcm_lib_ioctl,
84296 diff -urNp linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c
84297 --- linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-19 00:06:34.000000000 -0400
84298 +++ linux-2.6.39.3/sound/soc/fsl/mpc8610_hpcd.c 2011-05-22 19:36:35.000000000 -0400
84299 @@ -175,7 +175,7 @@ static int mpc8610_hpcd_machine_remove(s
84300 /**
84301 * mpc8610_hpcd_ops: ASoC machine driver operations
84302 */
84303 -static struct snd_soc_ops mpc8610_hpcd_ops = {
84304 +static const struct snd_soc_ops mpc8610_hpcd_ops = {
84305 .startup = mpc8610_hpcd_startup,
84306 };
84307
84308 diff -urNp linux-2.6.39.3/sound/soc/fsl/p1022_ds.c linux-2.6.39.3/sound/soc/fsl/p1022_ds.c
84309 --- linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-19 00:06:34.000000000 -0400
84310 +++ linux-2.6.39.3/sound/soc/fsl/p1022_ds.c 2011-05-22 19:36:35.000000000 -0400
84311 @@ -185,7 +185,7 @@ static int p1022_ds_machine_remove(struc
84312 /**
84313 * p1022_ds_ops: ASoC machine driver operations
84314 */
84315 -static struct snd_soc_ops p1022_ds_ops = {
84316 +static const struct snd_soc_ops p1022_ds_ops = {
84317 .startup = p1022_ds_startup,
84318 };
84319
84320 diff -urNp linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c
84321 --- linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-19 00:06:34.000000000 -0400
84322 +++ linux-2.6.39.3/sound/soc/imx/eukrea-tlv320.c 2011-05-22 19:36:35.000000000 -0400
84323 @@ -71,7 +71,7 @@ static int eukrea_tlv320_hw_params(struc
84324 return 0;
84325 }
84326
84327 -static struct snd_soc_ops eukrea_tlv320_snd_ops = {
84328 +static const struct snd_soc_ops eukrea_tlv320_snd_ops = {
84329 .hw_params = eukrea_tlv320_hw_params,
84330 };
84331
84332 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c
84333 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-19 00:06:34.000000000 -0400
84334 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-dma-mx2.c 2011-05-22 19:36:35.000000000 -0400
84335 @@ -283,7 +283,7 @@ static int snd_imx_close(struct snd_pcm_
84336 return 0;
84337 }
84338
84339 -static struct snd_pcm_ops imx_pcm_ops = {
84340 +static const struct snd_pcm_ops imx_pcm_ops = {
84341 .open = snd_imx_open,
84342 .close = snd_imx_close,
84343 .ioctl = snd_pcm_lib_ioctl,
84344 diff -urNp linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c
84345 --- linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-19 00:06:34.000000000 -0400
84346 +++ linux-2.6.39.3/sound/soc/imx/imx-pcm-fiq.c 2011-05-22 19:36:35.000000000 -0400
84347 @@ -225,7 +225,7 @@ static int snd_imx_close(struct snd_pcm_
84348 return 0;
84349 }
84350
84351 -static struct snd_pcm_ops imx_pcm_ops = {
84352 +static const struct snd_pcm_ops imx_pcm_ops = {
84353 .open = snd_imx_open,
84354 .close = snd_imx_close,
84355 .ioctl = snd_pcm_lib_ioctl,
84356 diff -urNp linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c
84357 --- linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-19 00:06:34.000000000 -0400
84358 +++ linux-2.6.39.3/sound/soc/imx/mx27vis-aic32x4.c 2011-05-22 19:36:35.000000000 -0400
84359 @@ -70,7 +70,7 @@ static int mx27vis_aic32x4_hw_params(str
84360 return 0;
84361 }
84362
84363 -static struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84364 +static const struct snd_soc_ops mx27vis_aic32x4_snd_ops = {
84365 .hw_params = mx27vis_aic32x4_hw_params,
84366 };
84367
84368 diff -urNp linux-2.6.39.3/sound/soc/imx/phycore-ac97.c linux-2.6.39.3/sound/soc/imx/phycore-ac97.c
84369 --- linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-19 00:06:34.000000000 -0400
84370 +++ linux-2.6.39.3/sound/soc/imx/phycore-ac97.c 2011-05-22 19:36:35.000000000 -0400
84371 @@ -21,7 +21,7 @@
84372
84373 static struct snd_soc_card imx_phycore;
84374
84375 -static struct snd_soc_ops imx_phycore_hifi_ops = {
84376 +static const struct snd_soc_ops imx_phycore_hifi_ops = {
84377 };
84378
84379 static struct snd_soc_dai_link imx_phycore_dai_ac97[] = {
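Review bot: Only the callback table becomes read-only in this hunk; `imx_phycore_dai_ac97[]` on the last context line is still a writable `static struct snd_soc_dai_link` array, and `imx_phycore` above it is a writable card. If the link entries hold the `.ops` pointer (the initializer is outside the hunk), the reference to the const table stays in writable memory, so the qualifier protects the callbacks but not the pointer that selects them. Either const-qualify the link array where the core never writes to it, or record the limit with a comment such as `/* dai_link is not const because <reason> */`. mioa701_wm9713.c shows the same arrangement with `mioa701_dai[]`.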
84380 diff -urNp linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c
84381 --- linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-19 00:06:34.000000000 -0400
84382 +++ linux-2.6.39.3/sound/soc/imx/wm1133-ev1.c 2011-05-22 19:36:35.000000000 -0400
84383 @@ -149,7 +149,7 @@ static int wm1133_ev1_hw_params(struct s
84384 return 0;
84385 }
84386
84387 -static struct snd_soc_ops wm1133_ev1_ops = {
84388 +static const struct snd_soc_ops wm1133_ev1_ops = {
84389 .hw_params = wm1133_ev1_hw_params,
84390 };
84391
84392 diff -urNp linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c
84393 --- linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-19 00:06:34.000000000 -0400
84394 +++ linux-2.6.39.3/sound/soc/jz4740/jz4740-pcm.c 2011-05-22 19:36:35.000000000 -0400
84395 @@ -244,7 +244,7 @@ static int jz4740_pcm_mmap(struct snd_pc
84396 vma->vm_end - vma->vm_start, vma->vm_page_prot);
84397 }
84398
84399 -static struct snd_pcm_ops jz4740_pcm_ops = {
84400 +static const struct snd_pcm_ops jz4740_pcm_ops = {
84401 .open = jz4740_pcm_open,
84402 .close = jz4740_pcm_close,
84403 .ioctl = snd_pcm_lib_ioctl,
84404 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c
84405 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-19 00:06:34.000000000 -0400
84406 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-openrd.c 2011-05-22 19:36:35.000000000 -0400
84407 @@ -56,7 +56,7 @@ static int openrd_client_hw_params(struc
84408
84409 }
84410
84411 -static struct snd_soc_ops openrd_client_ops = {
84412 +static const struct snd_soc_ops openrd_client_ops = {
84413 .hw_params = openrd_client_hw_params,
84414 };
84415
84416 diff -urNp linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c
84417 --- linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-19 00:06:34.000000000 -0400
84418 +++ linux-2.6.39.3/sound/soc/kirkwood/kirkwood-t5325.c 2011-05-22 19:36:35.000000000 -0400
84419 @@ -44,7 +44,7 @@ static int t5325_hw_params(struct snd_pc
84420
84421 }
84422
84423 -static struct snd_soc_ops t5325_ops = {
84424 +static const struct snd_soc_ops t5325_ops = {
84425 .hw_params = t5325_hw_params,
84426 };
84427
84428 diff -urNp linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c
84429 --- linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-19 00:06:34.000000000 -0400
84430 +++ linux-2.6.39.3/sound/soc/mid-x86/sst_platform.c 2011-05-22 19:36:35.000000000 -0400
84431 @@ -381,7 +381,7 @@ static int sst_platform_pcm_hw_free(stru
84432 return snd_pcm_lib_free_pages(substream);
84433 }
84434
84435 -static struct snd_pcm_ops sst_platform_ops = {
84436 +static const struct snd_pcm_ops sst_platform_ops = {
84437 .open = sst_platform_open,
84438 .close = sst_platform_close,
84439 .ioctl = snd_pcm_lib_ioctl,
84440 diff -urNp linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c
84441 --- linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-19 00:06:34.000000000 -0400
84442 +++ linux-2.6.39.3/sound/soc/nuc900/nuc900-pcm.c 2011-05-22 19:36:35.000000000 -0400
84443 @@ -297,7 +297,7 @@ static int nuc900_dma_mmap(struct snd_pc
84444 runtime->dma_bytes);
84445 }
84446
84447 -static struct snd_pcm_ops nuc900_dma_ops = {
84448 +static const struct snd_pcm_ops nuc900_dma_ops = {
84449 .open = nuc900_dma_open,
84450 .close = nuc900_dma_close,
84451 .ioctl = snd_pcm_lib_ioctl,
84452 diff -urNp linux-2.6.39.3/sound/soc/omap/am3517evm.c linux-2.6.39.3/sound/soc/omap/am3517evm.c
84453 --- linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-19 00:06:34.000000000 -0400
84454 +++ linux-2.6.39.3/sound/soc/omap/am3517evm.c 2011-05-22 19:36:35.000000000 -0400
84455 @@ -88,7 +88,7 @@ static int am3517evm_hw_params(struct sn
84456 return 0;
84457 }
84458
84459 -static struct snd_soc_ops am3517evm_ops = {
84460 +static const struct snd_soc_ops am3517evm_ops = {
84461 .hw_params = am3517evm_hw_params,
84462 };
84463
84464 diff -urNp linux-2.6.39.3/sound/soc/omap/ams-delta.c linux-2.6.39.3/sound/soc/omap/ams-delta.c
84465 --- linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-19 00:06:34.000000000 -0400
84466 +++ linux-2.6.39.3/sound/soc/omap/ams-delta.c 2011-05-22 19:36:35.000000000 -0400
84467 @@ -420,7 +420,7 @@ static int ams_delta_hw_params(struct sn
84468 SND_SOC_DAIFMT_CBM_CFM);
84469 }
84470
84471 -static struct snd_soc_ops ams_delta_ops = {
84472 +static const struct snd_soc_ops ams_delta_ops = {
84473 .hw_params = ams_delta_hw_params,
84474 };
84475
84476 diff -urNp linux-2.6.39.3/sound/soc/omap/igep0020.c linux-2.6.39.3/sound/soc/omap/igep0020.c
84477 --- linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-19 00:06:34.000000000 -0400
84478 +++ linux-2.6.39.3/sound/soc/omap/igep0020.c 2011-05-22 19:36:35.000000000 -0400
84479 @@ -72,7 +72,7 @@ static int igep2_hw_params(struct snd_pc
84480 return 0;
84481 }
84482
84483 -static struct snd_soc_ops igep2_ops = {
84484 +static const struct snd_soc_ops igep2_ops = {
84485 .hw_params = igep2_hw_params,
84486 };
84487
84488 diff -urNp linux-2.6.39.3/sound/soc/omap/n810.c linux-2.6.39.3/sound/soc/omap/n810.c
84489 --- linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-19 00:06:34.000000000 -0400
84490 +++ linux-2.6.39.3/sound/soc/omap/n810.c 2011-05-22 19:36:35.000000000 -0400
84491 @@ -141,7 +141,7 @@ static int n810_hw_params(struct snd_pcm
84492 return err;
84493 }
84494
84495 -static struct snd_soc_ops n810_ops = {
84496 +static const struct snd_soc_ops n810_ops = {
84497 .startup = n810_startup,
84498 .hw_params = n810_hw_params,
84499 .shutdown = n810_shutdown,
84500 diff -urNp linux-2.6.39.3/sound/soc/omap/omap2evm.c linux-2.6.39.3/sound/soc/omap/omap2evm.c
84501 --- linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-19 00:06:34.000000000 -0400
84502 +++ linux-2.6.39.3/sound/soc/omap/omap2evm.c 2011-05-22 19:36:35.000000000 -0400
84503 @@ -74,7 +74,7 @@ static int omap2evm_hw_params(struct snd
84504 return 0;
84505 }
84506
84507 -static struct snd_soc_ops omap2evm_ops = {
84508 +static const struct snd_soc_ops omap2evm_ops = {
84509 .hw_params = omap2evm_hw_params,
84510 };
84511
84512 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3beagle.c linux-2.6.39.3/sound/soc/omap/omap3beagle.c
84513 --- linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-19 00:06:34.000000000 -0400
84514 +++ linux-2.6.39.3/sound/soc/omap/omap3beagle.c 2011-05-22 19:36:35.000000000 -0400
84515 @@ -82,7 +82,7 @@ static int omap3beagle_hw_params(struct
84516 return 0;
84517 }
84518
84519 -static struct snd_soc_ops omap3beagle_ops = {
84520 +static const struct snd_soc_ops omap3beagle_ops = {
84521 .hw_params = omap3beagle_hw_params,
84522 };
84523
84524 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3evm.c linux-2.6.39.3/sound/soc/omap/omap3evm.c
84525 --- linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-19 00:06:34.000000000 -0400
84526 +++ linux-2.6.39.3/sound/soc/omap/omap3evm.c 2011-05-22 19:36:35.000000000 -0400
84527 @@ -70,7 +70,7 @@ static int omap3evm_hw_params(struct snd
84528 return 0;
84529 }
84530
84531 -static struct snd_soc_ops omap3evm_ops = {
84532 +static const struct snd_soc_ops omap3evm_ops = {
84533 .hw_params = omap3evm_hw_params,
84534 };
84535
84536 diff -urNp linux-2.6.39.3/sound/soc/omap/omap3pandora.c linux-2.6.39.3/sound/soc/omap/omap3pandora.c
84537 --- linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-19 00:06:34.000000000 -0400
84538 +++ linux-2.6.39.3/sound/soc/omap/omap3pandora.c 2011-05-22 19:36:35.000000000 -0400
84539 @@ -218,7 +218,7 @@ static int omap3pandora_in_init(struct s
84540 return snd_soc_dapm_sync(dapm);
84541 }
84542
84543 -static struct snd_soc_ops omap3pandora_ops = {
84544 +static const struct snd_soc_ops omap3pandora_ops = {
84545 .hw_params = omap3pandora_hw_params,
84546 };
84547
84548 diff -urNp linux-2.6.39.3/sound/soc/omap/omap-pcm.c linux-2.6.39.3/sound/soc/omap/omap-pcm.c
84549 --- linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-19 00:06:34.000000000 -0400
84550 +++ linux-2.6.39.3/sound/soc/omap/omap-pcm.c 2011-05-22 19:36:35.000000000 -0400
84551 @@ -311,7 +311,7 @@ static int omap_pcm_mmap(struct snd_pcm_
84552 runtime->dma_bytes);
84553 }
84554
84555 -static struct snd_pcm_ops omap_pcm_ops = {
84556 +static const struct snd_pcm_ops omap_pcm_ops = {
84557 .open = omap_pcm_open,
84558 .close = omap_pcm_close,
84559 .ioctl = snd_pcm_lib_ioctl,
84560 diff -urNp linux-2.6.39.3/sound/soc/omap/osk5912.c linux-2.6.39.3/sound/soc/omap/osk5912.c
84561 --- linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-19 00:06:34.000000000 -0400
84562 +++ linux-2.6.39.3/sound/soc/omap/osk5912.c 2011-05-22 19:36:35.000000000 -0400
84563 @@ -90,7 +90,7 @@ static int osk_hw_params(struct snd_pcm_
84564 return err;
84565 }
84566
84567 -static struct snd_soc_ops osk_ops = {
84568 +static const struct snd_soc_ops osk_ops = {
84569 .startup = osk_startup,
84570 .hw_params = osk_hw_params,
84571 .shutdown = osk_shutdown,
84572 diff -urNp linux-2.6.39.3/sound/soc/omap/overo.c linux-2.6.39.3/sound/soc/omap/overo.c
84573 --- linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-19 00:06:34.000000000 -0400
84574 +++ linux-2.6.39.3/sound/soc/omap/overo.c 2011-05-22 19:36:35.000000000 -0400
84575 @@ -72,7 +72,7 @@ static int overo_hw_params(struct snd_pc
84576 return 0;
84577 }
84578
84579 -static struct snd_soc_ops overo_ops = {
84580 +static const struct snd_soc_ops overo_ops = {
84581 .hw_params = overo_hw_params,
84582 };
84583
84584 diff -urNp linux-2.6.39.3/sound/soc/omap/rx51.c linux-2.6.39.3/sound/soc/omap/rx51.c
84585 --- linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-19 00:06:34.000000000 -0400
84586 +++ linux-2.6.39.3/sound/soc/omap/rx51.c 2011-05-22 19:36:35.000000000 -0400
84587 @@ -139,7 +139,7 @@ static int rx51_hw_params(struct snd_pcm
84588 SND_SOC_CLOCK_IN);
84589 }
84590
84591 -static struct snd_soc_ops rx51_ops = {
84592 +static const struct snd_soc_ops rx51_ops = {
84593 .startup = rx51_startup,
84594 .hw_params = rx51_hw_params,
84595 };
84596 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp3430.c linux-2.6.39.3/sound/soc/omap/sdp3430.c
84597 --- linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-19 00:06:34.000000000 -0400
84598 +++ linux-2.6.39.3/sound/soc/omap/sdp3430.c 2011-05-22 19:36:35.000000000 -0400
84599 @@ -87,7 +87,7 @@ static int sdp3430_hw_params(struct snd_
84600 return 0;
84601 }
84602
84603 -static struct snd_soc_ops sdp3430_ops = {
84604 +static const struct snd_soc_ops sdp3430_ops = {
84605 .hw_params = sdp3430_hw_params,
84606 };
84607
84608 @@ -130,7 +130,7 @@ static int sdp3430_hw_voice_params(struc
84609 return 0;
84610 }
84611
84612 -static struct snd_soc_ops sdp3430_voice_ops = {
84613 +static const struct snd_soc_ops sdp3430_voice_ops = {
84614 .hw_params = sdp3430_hw_voice_params,
84615 };
84616
84617 diff -urNp linux-2.6.39.3/sound/soc/omap/sdp4430.c linux-2.6.39.3/sound/soc/omap/sdp4430.c
84618 --- linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-19 00:06:34.000000000 -0400
84619 +++ linux-2.6.39.3/sound/soc/omap/sdp4430.c 2011-05-22 19:36:35.000000000 -0400
84620 @@ -62,7 +62,7 @@ static int sdp4430_hw_params(struct snd_
84621 return ret;
84622 }
84623
84624 -static struct snd_soc_ops sdp4430_ops = {
84625 +static const struct snd_soc_ops sdp4430_ops = {
84626 .hw_params = sdp4430_hw_params,
84627 };
84628
84629 diff -urNp linux-2.6.39.3/sound/soc/omap/zoom2.c linux-2.6.39.3/sound/soc/omap/zoom2.c
84630 --- linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-19 00:06:34.000000000 -0400
84631 +++ linux-2.6.39.3/sound/soc/omap/zoom2.c 2011-05-22 19:36:35.000000000 -0400
84632 @@ -78,7 +78,7 @@ static int zoom2_hw_params(struct snd_pc
84633 return 0;
84634 }
84635
84636 -static struct snd_soc_ops zoom2_ops = {
84637 +static const struct snd_soc_ops zoom2_ops = {
84638 .hw_params = zoom2_hw_params,
84639 };
84640
84641 @@ -121,7 +121,7 @@ static int zoom2_hw_voice_params(struct
84642 return 0;
84643 }
84644
84645 -static struct snd_soc_ops zoom2_voice_ops = {
84646 +static const struct snd_soc_ops zoom2_voice_ops = {
84647 .hw_params = zoom2_hw_voice_params,
84648 };
84649
84650 diff -urNp linux-2.6.39.3/sound/soc/pxa/corgi.c linux-2.6.39.3/sound/soc/pxa/corgi.c
84651 --- linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-19 00:06:34.000000000 -0400
84652 +++ linux-2.6.39.3/sound/soc/pxa/corgi.c 2011-05-22 19:36:35.000000000 -0400
84653 @@ -169,7 +169,7 @@ static int corgi_hw_params(struct snd_pc
84654 return 0;
84655 }
84656
84657 -static struct snd_soc_ops corgi_ops = {
84658 +static const struct snd_soc_ops corgi_ops = {
84659 .startup = corgi_startup,
84660 .hw_params = corgi_hw_params,
84661 .shutdown = corgi_shutdown,
84662 diff -urNp linux-2.6.39.3/sound/soc/pxa/imote2.c linux-2.6.39.3/sound/soc/pxa/imote2.c
84663 --- linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-19 00:06:34.000000000 -0400
84664 +++ linux-2.6.39.3/sound/soc/pxa/imote2.c 2011-05-22 19:36:35.000000000 -0400
84665 @@ -56,7 +56,7 @@ static int imote2_asoc_hw_params(struct
84666 return ret;
84667 }
84668
84669 -static struct snd_soc_ops imote2_asoc_ops = {
84670 +static const struct snd_soc_ops imote2_asoc_ops = {
84671 .hw_params = imote2_asoc_hw_params,
84672 };
84673
84674 diff -urNp linux-2.6.39.3/sound/soc/pxa/magician.c linux-2.6.39.3/sound/soc/pxa/magician.c
84675 --- linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-19 00:06:34.000000000 -0400
84676 +++ linux-2.6.39.3/sound/soc/pxa/magician.c 2011-05-22 19:36:35.000000000 -0400
84677 @@ -258,12 +258,12 @@ static int magician_capture_hw_params(st
84678 return 0;
84679 }
84680
84681 -static struct snd_soc_ops magician_capture_ops = {
84682 +static const struct snd_soc_ops magician_capture_ops = {
84683 .startup = magician_startup,
84684 .hw_params = magician_capture_hw_params,
84685 };
84686
84687 -static struct snd_soc_ops magician_playback_ops = {
84688 +static const struct snd_soc_ops magician_playback_ops = {
84689 .startup = magician_startup,
84690 .hw_params = magician_playback_hw_params,
84691 };
84692 diff -urNp linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c
84693 --- linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-19 00:06:34.000000000 -0400
84694 +++ linux-2.6.39.3/sound/soc/pxa/mioa701_wm9713.c 2011-05-22 19:36:35.000000000 -0400
84695 @@ -156,7 +156,7 @@ static int mioa701_wm9713_init(struct sn
84696 return 0;
84697 }
84698
84699 -static struct snd_soc_ops mioa701_ops;
84700 +static const struct snd_soc_ops mioa701_ops;
84701
84702 static struct snd_soc_dai_link mioa701_dai[] = {
84703 {
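Review bot: `static const struct snd_soc_ops mioa701_ops;` has no initializer, so as far as this hunk shows it is a tentative definition of a const object that ends up zero-filled, which some compilers may diagnose. If the table is meant to be empty, spell it out as `static const struct snd_soc_ops mioa701_ops = { };`, the form phycore-ac97.c uses for `imx_phycore_hifi_ops`. If an initialized definition follows later in the file, it must carry `const` too. The rest of the file is outside the hunk, so which case applies cannot be told from here.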
84704 diff -urNp linux-2.6.39.3/sound/soc/pxa/poodle.c linux-2.6.39.3/sound/soc/pxa/poodle.c
84705 --- linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-19 00:06:34.000000000 -0400
84706 +++ linux-2.6.39.3/sound/soc/pxa/poodle.c 2011-05-22 19:36:35.000000000 -0400
84707 @@ -148,7 +148,7 @@ static int poodle_hw_params(struct snd_p
84708 return 0;
84709 }
84710
84711 -static struct snd_soc_ops poodle_ops = {
84712 +static const struct snd_soc_ops poodle_ops = {
84713 .startup = poodle_startup,
84714 .hw_params = poodle_hw_params,
84715 .shutdown = poodle_shutdown,
84716 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c
84717 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-19 00:06:34.000000000 -0400
84718 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.c 2011-05-22 19:36:35.000000000 -0400
84719 @@ -40,7 +40,7 @@ static void pxa2xx_ac97_cold_reset(struc
84720 pxa2xx_ac97_finish_reset(ac97);
84721 }
84722
84723 -struct snd_ac97_bus_ops soc_ac97_ops = {
84724 +const struct snd_ac97_bus_ops soc_ac97_ops = {
84725 .read = pxa2xx_ac97_read,
84726 .write = pxa2xx_ac97_write,
84727 .warm_reset = pxa2xx_ac97_warm_reset,
84728 diff -urNp linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h
84729 --- linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-19 00:06:34.000000000 -0400
84730 +++ linux-2.6.39.3/sound/soc/pxa/pxa2xx-ac97.h 2011-05-22 19:36:35.000000000 -0400
84731 @@ -15,6 +15,6 @@
84732 #define PXA2XX_DAI_AC97_MIC 2
84733
84734 /* platform data */
84735 -extern struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84736 +extern const struct snd_ac97_bus_ops pxa2xx_ac97_ops;
84737
84738 #endif
84739 diff -urNp linux-2.6.39.3/sound/soc/pxa/raumfeld.c linux-2.6.39.3/sound/soc/pxa/raumfeld.c
84740 --- linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:04:14.000000000 -0400
84741 +++ linux-2.6.39.3/sound/soc/pxa/raumfeld.c 2011-06-03 00:32:09.000000000 -0400
84742 @@ -145,7 +145,7 @@ static int raumfeld_cs4270_hw_params(str
84743 return 0;
84744 }
84745
84746 -static struct snd_soc_ops raumfeld_cs4270_ops = {
84747 +static const struct snd_soc_ops raumfeld_cs4270_ops = {
84748 .startup = raumfeld_cs4270_startup,
84749 .shutdown = raumfeld_cs4270_shutdown,
84750 .hw_params = raumfeld_cs4270_hw_params,
84751 @@ -221,7 +221,7 @@ static int raumfeld_ak4104_hw_params(str
84752 return 0;
84753 }
84754
84755 -static struct snd_soc_ops raumfeld_ak4104_ops = {
84756 +static const struct snd_soc_ops raumfeld_ak4104_ops = {
84757 .hw_params = raumfeld_ak4104_hw_params,
84758 };
84759
84760 diff -urNp linux-2.6.39.3/sound/soc/pxa/saarb.c linux-2.6.39.3/sound/soc/pxa/saarb.c
84761 --- linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-19 00:06:34.000000000 -0400
84762 +++ linux-2.6.39.3/sound/soc/pxa/saarb.c 2011-05-22 19:36:35.000000000 -0400
84763 @@ -106,7 +106,7 @@ static int saarb_i2s_hw_params(struct sn
84764 return ret;
84765 }
84766
84767 -static struct snd_soc_ops saarb_i2s_ops = {
84768 +static const struct snd_soc_ops saarb_i2s_ops = {
84769 .hw_params = saarb_i2s_hw_params,
84770 };
84771
84772 diff -urNp linux-2.6.39.3/sound/soc/pxa/spitz.c linux-2.6.39.3/sound/soc/pxa/spitz.c
84773 --- linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-19 00:06:34.000000000 -0400
84774 +++ linux-2.6.39.3/sound/soc/pxa/spitz.c 2011-05-22 19:36:35.000000000 -0400
84775 @@ -169,7 +169,7 @@ static int spitz_hw_params(struct snd_pc
84776 return 0;
84777 }
84778
84779 -static struct snd_soc_ops spitz_ops = {
84780 +static const struct snd_soc_ops spitz_ops = {
84781 .startup = spitz_startup,
84782 .hw_params = spitz_hw_params,
84783 };
84784 diff -urNp linux-2.6.39.3/sound/soc/pxa/tavorevb3.c linux-2.6.39.3/sound/soc/pxa/tavorevb3.c
84785 --- linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-19 00:06:34.000000000 -0400
84786 +++ linux-2.6.39.3/sound/soc/pxa/tavorevb3.c 2011-05-22 19:36:35.000000000 -0400
84787 @@ -106,7 +106,7 @@ static int evb3_i2s_hw_params(struct snd
84788 return ret;
84789 }
84790
84791 -static struct snd_soc_ops evb3_i2s_ops = {
84792 +static const struct snd_soc_ops evb3_i2s_ops = {
84793 .hw_params = evb3_i2s_hw_params,
84794 };
84795
84796 diff -urNp linux-2.6.39.3/sound/soc/pxa/tosa.c linux-2.6.39.3/sound/soc/pxa/tosa.c
84797 --- linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-19 00:06:34.000000000 -0400
84798 +++ linux-2.6.39.3/sound/soc/pxa/tosa.c 2011-05-22 19:36:35.000000000 -0400
84799 @@ -92,7 +92,7 @@ static int tosa_startup(struct snd_pcm_s
84800 return 0;
84801 }
84802
84803 -static struct snd_soc_ops tosa_ops = {
84804 +static const struct snd_soc_ops tosa_ops = {
84805 .startup = tosa_startup,
84806 };
84807
84808 diff -urNp linux-2.6.39.3/sound/soc/pxa/z2.c linux-2.6.39.3/sound/soc/pxa/z2.c
84809 --- linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-19 00:06:34.000000000 -0400
84810 +++ linux-2.6.39.3/sound/soc/pxa/z2.c 2011-05-22 19:36:35.000000000 -0400
84811 @@ -187,7 +187,7 @@ err:
84812 return ret;
84813 }
84814
84815 -static struct snd_soc_ops z2_ops = {
84816 +static const struct snd_soc_ops z2_ops = {
84817 .hw_params = z2_hw_params,
84818 };
84819
84820 diff -urNp linux-2.6.39.3/sound/soc/pxa/zylonite.c linux-2.6.39.3/sound/soc/pxa/zylonite.c
84821 --- linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-19 00:06:34.000000000 -0400
84822 +++ linux-2.6.39.3/sound/soc/pxa/zylonite.c 2011-05-22 19:36:35.000000000 -0400
84823 @@ -156,7 +156,7 @@ static int zylonite_voice_hw_params(stru
84824 return 0;
84825 }
84826
84827 -static struct snd_soc_ops zylonite_voice_ops = {
84828 +static const struct snd_soc_ops zylonite_voice_ops = {
84829 .hw_params = zylonite_voice_hw_params,
84830 };
84831
84832 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c
84833 --- linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-19 00:06:34.000000000 -0400
84834 +++ linux-2.6.39.3/sound/soc/s6000/s6000-pcm.c 2011-05-22 19:36:35.000000000 -0400
84835 @@ -420,7 +420,7 @@ static int s6000_pcm_hw_free(struct snd_
84836 return snd_pcm_lib_free_pages(substream);
84837 }
84838
84839 -static struct snd_pcm_ops s6000_pcm_ops = {
84840 +static const struct snd_pcm_ops s6000_pcm_ops = {
84841 .open = s6000_pcm_open,
84842 .close = s6000_pcm_close,
84843 .ioctl = snd_pcm_lib_ioctl,
84844 diff -urNp linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c
84845 --- linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-19 00:06:34.000000000 -0400
84846 +++ linux-2.6.39.3/sound/soc/s6000/s6105-ipcam.c 2011-05-22 19:36:35.000000000 -0400
84847 @@ -55,7 +55,7 @@ static int s6105_hw_params(struct snd_pc
84848 return 0;
84849 }
84850
84851 -static struct snd_soc_ops s6105_ops = {
84852 +static const struct snd_soc_ops s6105_ops = {
84853 .hw_params = s6105_hw_params,
84854 };
84855
84856 diff -urNp linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c
84857 --- linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-19 00:06:34.000000000 -0400
84858 +++ linux-2.6.39.3/sound/soc/samsung/goni_wm8994.c 2011-05-22 19:36:35.000000000 -0400
84859 @@ -176,7 +176,7 @@ static int goni_hifi_hw_params(struct sn
84860 return 0;
84861 }
84862
84863 -static struct snd_soc_ops goni_hifi_ops = {
84864 +static const struct snd_soc_ops goni_hifi_ops = {
84865 .hw_params = goni_hifi_hw_params,
84866 };
84867
84868 @@ -227,7 +227,7 @@ static struct snd_soc_dai_driver voice_d
84869 .formats = SNDRV_PCM_FMTBIT_S16_LE,},
84870 };
84871
84872 -static struct snd_soc_ops goni_voice_ops = {
84873 +static const struct snd_soc_ops goni_voice_ops = {
84874 .hw_params = goni_voice_hw_params,
84875 };
84876
84877 diff -urNp linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c
84878 --- linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84879 +++ linux-2.6.39.3/sound/soc/samsung/h1940_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84880 @@ -136,7 +136,7 @@ static int h1940_hw_params(struct snd_pc
84881 return 0;
84882 }
84883
84884 -static struct snd_soc_ops h1940_ops = {
84885 +static const struct snd_soc_ops h1940_ops = {
84886 .startup = h1940_startup,
84887 .hw_params = h1940_hw_params,
84888 };
84889 diff -urNp linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c
84890 --- linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-19 00:06:34.000000000 -0400
84891 +++ linux-2.6.39.3/sound/soc/samsung/jive_wm8750.c 2011-05-22 19:36:35.000000000 -0400
84892 @@ -92,7 +92,7 @@ static int jive_hw_params(struct snd_pcm
84893 return 0;
84894 }
84895
84896 -static struct snd_soc_ops jive_ops = {
84897 +static const struct snd_soc_ops jive_ops = {
84898 .hw_params = jive_hw_params,
84899 };
84900
84901 diff -urNp linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c
84902 --- linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-19 00:06:34.000000000 -0400
84903 +++ linux-2.6.39.3/sound/soc/samsung/neo1973_wm8753.c 2011-05-22 19:36:35.000000000 -0400
84904 @@ -128,7 +128,7 @@ static int neo1973_hifi_hw_free(struct s
84905 /*
84906 * Neo1973 WM8753 HiFi DAI opserations.
84907 */
84908 -static struct snd_soc_ops neo1973_hifi_ops = {
84909 +static const struct snd_soc_ops neo1973_hifi_ops = {
84910 .hw_params = neo1973_hifi_hw_params,
84911 .hw_free = neo1973_hifi_hw_free,
84912 };
84913 @@ -187,7 +187,7 @@ static int neo1973_voice_hw_free(struct
84914 return snd_soc_dai_set_pll(codec_dai, WM8753_PLL2, 0, 0, 0);
84915 }
84916
84917 -static struct snd_soc_ops neo1973_voice_ops = {
84918 +static const struct snd_soc_ops neo1973_voice_ops = {
84919 .hw_params = neo1973_voice_hw_params,
84920 .hw_free = neo1973_voice_hw_free,
84921 };
84922 diff -urNp linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c
84923 --- linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-19 00:06:34.000000000 -0400
84924 +++ linux-2.6.39.3/sound/soc/samsung/rx1950_uda1380.c 2011-05-22 19:36:35.000000000 -0400
84925 @@ -70,7 +70,7 @@ static struct snd_soc_jack_gpio hp_jack_
84926 },
84927 };
84928
84929 -static struct snd_soc_ops rx1950_ops = {
84930 +static const struct snd_soc_ops rx1950_ops = {
84931 .startup = rx1950_startup,
84932 .hw_params = rx1950_hw_params,
84933 };
84934 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c
84935 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-19 00:06:34.000000000 -0400
84936 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_simtec.c 2011-05-22 19:36:35.000000000 -0400
84937 @@ -228,7 +228,7 @@ static int simtec_call_startup(struct s3
84938 return 0;
84939 }
84940
84941 -static struct snd_soc_ops simtec_snd_ops = {
84942 +static const struct snd_soc_ops simtec_snd_ops = {
84943 .hw_params = simtec_hw_params,
84944 };
84945
84946 diff -urNp linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c
84947 --- linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-19 00:06:34.000000000 -0400
84948 +++ linux-2.6.39.3/sound/soc/samsung/s3c24xx_uda134x.c 2011-05-22 19:36:35.000000000 -0400
84949 @@ -210,7 +210,7 @@ static int s3c24xx_uda134x_hw_params(str
84950 return 0;
84951 }
84952
84953 -static struct snd_soc_ops s3c24xx_uda134x_ops = {
84954 +static const struct snd_soc_ops s3c24xx_uda134x_ops = {
84955 .startup = s3c24xx_uda134x_startup,
84956 .shutdown = s3c24xx_uda134x_shutdown,
84957 .hw_params = s3c24xx_uda134x_hw_params,
84958 diff -urNp linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c
84959 --- linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-19 00:06:34.000000000 -0400
84960 +++ linux-2.6.39.3/sound/soc/samsung/smartq_wm8987.c 2011-05-22 19:36:35.000000000 -0400
84961 @@ -92,7 +92,7 @@ static int smartq_hifi_hw_params(struct
84962 /*
84963 * SmartQ WM8987 HiFi DAI operations.
84964 */
84965 -static struct snd_soc_ops smartq_hifi_ops = {
84966 +static const struct snd_soc_ops smartq_hifi_ops = {
84967 .hw_params = smartq_hifi_hw_params,
84968 };
84969
84970 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c
84971 --- linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-19 00:06:34.000000000 -0400
84972 +++ linux-2.6.39.3/sound/soc/samsung/smdk_spdif.c 2011-05-22 19:36:35.000000000 -0400
84973 @@ -143,7 +143,7 @@ static int smdk_hw_params(struct snd_pcm
84974 return ret;
84975 }
84976
84977 -static struct snd_soc_ops smdk_spdif_ops = {
84978 +static const struct snd_soc_ops smdk_spdif_ops = {
84979 .hw_params = smdk_hw_params,
84980 };
84981
84982 diff -urNp linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c
84983 --- linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-19 00:06:34.000000000 -0400
84984 +++ linux-2.6.39.3/sound/soc/samsung/smdk_wm8580.c 2011-05-22 19:36:35.000000000 -0400
84985 @@ -114,7 +114,7 @@ static int smdk_hw_params(struct snd_pcm
84986 /*
84987 * SMDK WM8580 DAI operations.
84988 */
84989 -static struct snd_soc_ops smdk_ops = {
84990 +static const struct snd_soc_ops smdk_ops = {
84991 .hw_params = smdk_hw_params,
84992 };
84993
84994 diff -urNp linux-2.6.39.3/sound/soc/sh/dma-sh7760.c linux-2.6.39.3/sound/soc/sh/dma-sh7760.c
84995 --- linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-19 00:06:34.000000000 -0400
84996 +++ linux-2.6.39.3/sound/soc/sh/dma-sh7760.c 2011-05-22 19:36:35.000000000 -0400
84997 @@ -311,7 +311,7 @@ static snd_pcm_uframes_t camelot_pos(str
84998 return bytes_to_frames(runtime, pos);
84999 }
85000
85001 -static struct snd_pcm_ops camelot_pcm_ops = {
85002 +static const struct snd_pcm_ops camelot_pcm_ops = {
85003 .open = camelot_pcm_open,
85004 .close = camelot_pcm_close,
85005 .ioctl = snd_pcm_lib_ioctl,
85006 diff -urNp linux-2.6.39.3/sound/soc/sh/hac.c linux-2.6.39.3/sound/soc/sh/hac.c
85007 --- linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-19 00:06:34.000000000 -0400
85008 +++ linux-2.6.39.3/sound/soc/sh/hac.c 2011-05-22 19:36:35.000000000 -0400
85009 @@ -227,7 +227,7 @@ static void hac_ac97_coldrst(struct snd_
85010 hac_ac97_warmrst(ac97);
85011 }
85012
85013 -struct snd_ac97_bus_ops soc_ac97_ops = {
85014 +const struct snd_ac97_bus_ops soc_ac97_ops = {
85015 .read = hac_ac97_read,
85016 .write = hac_ac97_write,
85017 .reset = hac_ac97_coldrst,
85018 diff -urNp linux-2.6.39.3/sound/soc/sh/migor.c linux-2.6.39.3/sound/soc/sh/migor.c
85019 --- linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-19 00:06:34.000000000 -0400
85020 +++ linux-2.6.39.3/sound/soc/sh/migor.c 2011-05-22 19:36:35.000000000 -0400
85021 @@ -108,7 +108,7 @@ static int migor_hw_free(struct snd_pcm_
85022 return 0;
85023 }
85024
85025 -static struct snd_soc_ops migor_dai_ops = {
85026 +static const struct snd_soc_ops migor_dai_ops = {
85027 .hw_params = migor_hw_params,
85028 .hw_free = migor_hw_free,
85029 };
85030 diff -urNp linux-2.6.39.3/sound/soc/sh/siu_pcm.c linux-2.6.39.3/sound/soc/sh/siu_pcm.c
85031 --- linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-19 00:06:34.000000000 -0400
85032 +++ linux-2.6.39.3/sound/soc/sh/siu_pcm.c 2011-05-22 19:36:35.000000000 -0400
85033 @@ -597,7 +597,7 @@ static void siu_pcm_free(struct snd_pcm
85034 dev_dbg(pcm->card->dev, "%s\n", __func__);
85035 }
85036
85037 -static struct snd_pcm_ops siu_pcm_ops = {
85038 +static const struct snd_pcm_ops siu_pcm_ops = {
85039 .open = siu_pcm_open,
85040 .close = siu_pcm_close,
85041 .ioctl = snd_pcm_lib_ioctl,
85042 diff -urNp linux-2.6.39.3/sound/soc/tegra/harmony.c linux-2.6.39.3/sound/soc/tegra/harmony.c
85043 --- linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-19 00:06:34.000000000 -0400
85044 +++ linux-2.6.39.3/sound/soc/tegra/harmony.c 2011-05-22 19:36:35.000000000 -0400
85045 @@ -126,7 +126,7 @@ static int harmony_asoc_hw_params(struct
85046 return 0;
85047 }
85048
85049 -static struct snd_soc_ops harmony_asoc_ops = {
85050 +static const struct snd_soc_ops harmony_asoc_ops = {
85051 .hw_params = harmony_asoc_hw_params,
85052 };
85053
85054 diff -urNp linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c
85055 --- linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-19 00:06:34.000000000 -0400
85056 +++ linux-2.6.39.3/sound/soc/tegra/tegra_pcm.c 2011-05-22 19:36:36.000000000 -0400
85057 @@ -277,7 +277,7 @@ static int tegra_pcm_mmap(struct snd_pcm
85058 runtime->dma_bytes);
85059 }
85060
85061 -static struct snd_pcm_ops tegra_pcm_ops = {
85062 +static const struct snd_pcm_ops tegra_pcm_ops = {
85063 .open = tegra_pcm_open,
85064 .close = tegra_pcm_close,
85065 .ioctl = snd_pcm_lib_ioctl,
85066 diff -urNp linux-2.6.39.3/sound/soc/txx9/txx9aclc.c linux-2.6.39.3/sound/soc/txx9/txx9aclc.c
85067 --- linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-19 00:06:34.000000000 -0400
85068 +++ linux-2.6.39.3/sound/soc/txx9/txx9aclc.c 2011-05-22 19:36:36.000000000 -0400
85069 @@ -272,7 +272,7 @@ static int txx9aclc_pcm_close(struct snd
85070 return 0;
85071 }
85072
85073 -static struct snd_pcm_ops txx9aclc_pcm_ops = {
85074 +static const struct snd_pcm_ops txx9aclc_pcm_ops = {
85075 .open = txx9aclc_pcm_open,
85076 .close = txx9aclc_pcm_close,
85077 .ioctl = snd_pcm_lib_ioctl,
85078 diff -urNp linux-2.6.39.3/sound/sparc/amd7930.c linux-2.6.39.3/sound/sparc/amd7930.c
85079 --- linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-19 00:06:34.000000000 -0400
85080 +++ linux-2.6.39.3/sound/sparc/amd7930.c 2011-05-22 19:36:36.000000000 -0400
85081 @@ -733,7 +733,7 @@ static int snd_amd7930_hw_free(struct sn
85082 return snd_pcm_lib_free_pages(substream);
85083 }
85084
85085 -static struct snd_pcm_ops snd_amd7930_playback_ops = {
85086 +static const struct snd_pcm_ops snd_amd7930_playback_ops = {
85087 .open = snd_amd7930_playback_open,
85088 .close = snd_amd7930_playback_close,
85089 .ioctl = snd_pcm_lib_ioctl,
85090 @@ -744,7 +744,7 @@ static struct snd_pcm_ops snd_amd7930_pl
85091 .pointer = snd_amd7930_playback_pointer,
85092 };
85093
85094 -static struct snd_pcm_ops snd_amd7930_capture_ops = {
85095 +static const struct snd_pcm_ops snd_amd7930_capture_ops = {
85096 .open = snd_amd7930_capture_open,
85097 .close = snd_amd7930_capture_close,
85098 .ioctl = snd_pcm_lib_ioctl,
85099 @@ -929,7 +929,7 @@ static int snd_amd7930_dev_free(struct s
85100 return snd_amd7930_free(amd);
85101 }
85102
85103 -static struct snd_device_ops snd_amd7930_dev_ops = {
85104 +static const struct snd_device_ops snd_amd7930_dev_ops = {
85105 .dev_free = snd_amd7930_dev_free,
85106 };
85107
85108 diff -urNp linux-2.6.39.3/sound/sparc/cs4231.c linux-2.6.39.3/sound/sparc/cs4231.c
85109 --- linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-19 00:06:34.000000000 -0400
85110 +++ linux-2.6.39.3/sound/sparc/cs4231.c 2011-05-22 19:36:36.000000000 -0400
85111 @@ -1196,7 +1196,7 @@ static int snd_cs4231_capture_close(stru
85112 * XXX the audio AUXIO register...
85113 */
85114
85115 -static struct snd_pcm_ops snd_cs4231_playback_ops = {
85116 +static const struct snd_pcm_ops snd_cs4231_playback_ops = {
85117 .open = snd_cs4231_playback_open,
85118 .close = snd_cs4231_playback_close,
85119 .ioctl = snd_pcm_lib_ioctl,
85120 @@ -1207,7 +1207,7 @@ static struct snd_pcm_ops snd_cs4231_pla
85121 .pointer = snd_cs4231_playback_pointer,
85122 };
85123
85124 -static struct snd_pcm_ops snd_cs4231_capture_ops = {
85125 +static const struct snd_pcm_ops snd_cs4231_capture_ops = {
85126 .open = snd_cs4231_capture_open,
85127 .close = snd_cs4231_capture_close,
85128 .ioctl = snd_pcm_lib_ioctl,
85129 @@ -1789,7 +1789,7 @@ static int snd_cs4231_sbus_dev_free(stru
85130 return snd_cs4231_sbus_free(cp);
85131 }
85132
85133 -static struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85134 +static const struct snd_device_ops snd_cs4231_sbus_dev_ops = {
85135 .dev_free = snd_cs4231_sbus_dev_free,
85136 };
85137
85138 @@ -1955,7 +1955,7 @@ static int snd_cs4231_ebus_dev_free(stru
85139 return snd_cs4231_ebus_free(cp);
85140 }
85141
85142 -static struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85143 +static const struct snd_device_ops snd_cs4231_ebus_dev_ops = {
85144 .dev_free = snd_cs4231_ebus_dev_free,
85145 };
85146
85147 diff -urNp linux-2.6.39.3/sound/sparc/dbri.c linux-2.6.39.3/sound/sparc/dbri.c
85148 --- linux-2.6.39.3/sound/sparc/dbri.c 2011-05-19 00:06:34.000000000 -0400
85149 +++ linux-2.6.39.3/sound/sparc/dbri.c 2011-05-22 19:36:36.000000000 -0400
85150 @@ -2205,7 +2205,7 @@ static snd_pcm_uframes_t snd_dbri_pointe
85151 return ret;
85152 }
85153
85154 -static struct snd_pcm_ops snd_dbri_ops = {
85155 +static const struct snd_pcm_ops snd_dbri_ops = {
85156 .open = snd_dbri_open,
85157 .close = snd_dbri_close,
85158 .ioctl = snd_pcm_lib_ioctl,
85159 diff -urNp linux-2.6.39.3/sound/spi/at73c213.c linux-2.6.39.3/sound/spi/at73c213.c
85160 --- linux-2.6.39.3/sound/spi/at73c213.c 2011-05-19 00:06:34.000000000 -0400
85161 +++ linux-2.6.39.3/sound/spi/at73c213.c 2011-05-22 19:36:36.000000000 -0400
85162 @@ -319,7 +319,7 @@ snd_at73c213_pcm_pointer(struct snd_pcm_
85163 return pos;
85164 }
85165
85166 -static struct snd_pcm_ops at73c213_playback_ops = {
85167 +static const struct snd_pcm_ops at73c213_playback_ops = {
85168 .open = snd_at73c213_pcm_open,
85169 .close = snd_at73c213_pcm_close,
85170 .ioctl = snd_pcm_lib_ioctl,
85171 @@ -882,7 +882,7 @@ static int snd_at73c213_dev_free(struct
85172 static int __devinit snd_at73c213_dev_init(struct snd_card *card,
85173 struct spi_device *spi)
85174 {
85175 - static struct snd_device_ops ops = {
85176 + static const struct snd_device_ops ops = {
85177 .dev_free = snd_at73c213_dev_free,
85178 };
85179 struct snd_at73c213 *chip = get_chip(card);
85180 diff -urNp linux-2.6.39.3/sound/usb/6fire/midi.c linux-2.6.39.3/sound/usb/6fire/midi.c
85181 --- linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-19 00:06:34.000000000 -0400
85182 +++ linux-2.6.39.3/sound/usb/6fire/midi.c 2011-05-22 19:36:36.000000000 -0400
85183 @@ -134,14 +134,14 @@ static void usb6fire_midi_in_trigger(
85184 spin_unlock_irqrestore(&rt->in_lock, flags);
85185 }
85186
85187 -static struct snd_rawmidi_ops out_ops = {
85188 +static const struct snd_rawmidi_ops out_ops = {
85189 .open = usb6fire_midi_out_open,
85190 .close = usb6fire_midi_out_close,
85191 .trigger = usb6fire_midi_out_trigger,
85192 .drain = usb6fire_midi_out_drain
85193 };
85194
85195 -static struct snd_rawmidi_ops in_ops = {
85196 +static const struct snd_rawmidi_ops in_ops = {
85197 .open = usb6fire_midi_in_open,
85198 .close = usb6fire_midi_in_close,
85199 .trigger = usb6fire_midi_in_trigger
85200 diff -urNp linux-2.6.39.3/sound/usb/caiaq/audio.c linux-2.6.39.3/sound/usb/caiaq/audio.c
85201 --- linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-19 00:06:34.000000000 -0400
85202 +++ linux-2.6.39.3/sound/usb/caiaq/audio.c 2011-05-22 19:36:36.000000000 -0400
85203 @@ -322,7 +322,7 @@ snd_usb_caiaq_pcm_pointer(struct snd_pcm
85204 }
85205
85206 /* operators for both playback and capture */
85207 -static struct snd_pcm_ops snd_usb_caiaq_ops = {
85208 +static const struct snd_pcm_ops snd_usb_caiaq_ops = {
85209 .open = snd_usb_caiaq_substream_open,
85210 .close = snd_usb_caiaq_substream_close,
85211 .ioctl = snd_pcm_lib_ioctl,
85212 diff -urNp linux-2.6.39.3/sound/usb/caiaq/midi.c linux-2.6.39.3/sound/usb/caiaq/midi.c
85213 --- linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-19 00:06:34.000000000 -0400
85214 +++ linux-2.6.39.3/sound/usb/caiaq/midi.c 2011-05-22 19:36:36.000000000 -0400
85215 @@ -100,15 +100,13 @@ static void snd_usb_caiaq_midi_output_tr
85216 }
85217
85218
85219 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_output =
85220 -{
85221 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_output = {
85222 .open = snd_usb_caiaq_midi_output_open,
85223 .close = snd_usb_caiaq_midi_output_close,
85224 .trigger = snd_usb_caiaq_midi_output_trigger,
85225 };
85226
85227 -static struct snd_rawmidi_ops snd_usb_caiaq_midi_input =
85228 -{
85229 +static const struct snd_rawmidi_ops snd_usb_caiaq_midi_input = {
85230 .open = snd_usb_caiaq_midi_input_open,
85231 .close = snd_usb_caiaq_midi_input_close,
85232 .trigger = snd_usb_caiaq_midi_input_trigger,
85233 diff -urNp linux-2.6.39.3/sound/usb/card.c linux-2.6.39.3/sound/usb/card.c
85234 --- linux-2.6.39.3/sound/usb/card.c 2011-05-19 00:06:34.000000000 -0400
85235 +++ linux-2.6.39.3/sound/usb/card.c 2011-05-22 19:36:36.000000000 -0400
85236 @@ -305,7 +305,7 @@ static int snd_usb_audio_create(struct u
85237 struct snd_usb_audio *chip;
85238 int err, len;
85239 char component[14];
85240 - static struct snd_device_ops ops = {
85241 + static const struct snd_device_ops ops = {
85242 .dev_free = snd_usb_audio_dev_free,
85243 };
85244
85245 diff -urNp linux-2.6.39.3/sound/usb/midi.c linux-2.6.39.3/sound/usb/midi.c
85246 --- linux-2.6.39.3/sound/usb/midi.c 2011-05-19 00:06:34.000000000 -0400
85247 +++ linux-2.6.39.3/sound/usb/midi.c 2011-05-22 19:36:36.000000000 -0400
85248 @@ -1146,14 +1146,14 @@ static void snd_usbmidi_input_trigger(st
85249 clear_bit(substream->number, &umidi->input_triggered);
85250 }
85251
85252 -static struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85253 +static const struct snd_rawmidi_ops snd_usbmidi_output_ops = {
85254 .open = snd_usbmidi_output_open,
85255 .close = snd_usbmidi_output_close,
85256 .trigger = snd_usbmidi_output_trigger,
85257 .drain = snd_usbmidi_output_drain,
85258 };
85259
85260 -static struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85261 +static const struct snd_rawmidi_ops snd_usbmidi_input_ops = {
85262 .open = snd_usbmidi_input_open,
85263 .close = snd_usbmidi_input_close,
85264 .trigger = snd_usbmidi_input_trigger
85265 diff -urNp linux-2.6.39.3/sound/usb/misc/ua101.c linux-2.6.39.3/sound/usb/misc/ua101.c
85266 --- linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-19 00:06:34.000000000 -0400
85267 +++ linux-2.6.39.3/sound/usb/misc/ua101.c 2011-05-22 19:36:36.000000000 -0400
85268 @@ -886,7 +886,7 @@ static snd_pcm_uframes_t playback_pcm_po
85269 return ua101_pcm_pointer(ua, &ua->playback);
85270 }
85271
85272 -static struct snd_pcm_ops capture_pcm_ops = {
85273 +static const struct snd_pcm_ops capture_pcm_ops = {
85274 .open = capture_pcm_open,
85275 .close = capture_pcm_close,
85276 .ioctl = snd_pcm_lib_ioctl,
85277 @@ -899,7 +899,7 @@ static struct snd_pcm_ops capture_pcm_op
85278 .mmap = snd_pcm_lib_mmap_vmalloc,
85279 };
85280
85281 -static struct snd_pcm_ops playback_pcm_ops = {
85282 +static const struct snd_pcm_ops playback_pcm_ops = {
85283 .open = playback_pcm_open,
85284 .close = playback_pcm_close,
85285 .ioctl = snd_pcm_lib_ioctl,
85286 diff -urNp linux-2.6.39.3/sound/usb/mixer.c linux-2.6.39.3/sound/usb/mixer.c
85287 --- linux-2.6.39.3/sound/usb/mixer.c 2011-05-19 00:06:34.000000000 -0400
85288 +++ linux-2.6.39.3/sound/usb/mixer.c 2011-05-22 19:36:36.000000000 -0400
85289 @@ -2201,7 +2201,7 @@ static int snd_usb_mixer_status_create(s
85290 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
85291 int ignore_error)
85292 {
85293 - static struct snd_device_ops dev_ops = {
85294 + static const struct snd_device_ops dev_ops = {
85295 .dev_free = snd_usb_mixer_dev_free
85296 };
85297 struct usb_mixer_interface *mixer;
85298 diff -urNp linux-2.6.39.3/sound/usb/pcm.c linux-2.6.39.3/sound/usb/pcm.c
85299 --- linux-2.6.39.3/sound/usb/pcm.c 2011-05-19 00:06:34.000000000 -0400
85300 +++ linux-2.6.39.3/sound/usb/pcm.c 2011-05-22 19:36:36.000000000 -0400
85301 @@ -844,7 +844,7 @@ static int snd_usb_capture_close(struct
85302 return snd_usb_pcm_close(substream, SNDRV_PCM_STREAM_CAPTURE);
85303 }
85304
85305 -static struct snd_pcm_ops snd_usb_playback_ops = {
85306 +static const struct snd_pcm_ops snd_usb_playback_ops = {
85307 .open = snd_usb_playback_open,
85308 .close = snd_usb_playback_close,
85309 .ioctl = snd_pcm_lib_ioctl,
85310 @@ -857,7 +857,7 @@ static struct snd_pcm_ops snd_usb_playba
85311 .mmap = snd_pcm_lib_mmap_vmalloc,
85312 };
85313
85314 -static struct snd_pcm_ops snd_usb_capture_ops = {
85315 +static const struct snd_pcm_ops snd_usb_capture_ops = {
85316 .open = snd_usb_capture_open,
85317 .close = snd_usb_capture_close,
85318 .ioctl = snd_pcm_lib_ioctl,
85319 diff -urNp linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c
85320 --- linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-19 00:06:34.000000000 -0400
85321 +++ linux-2.6.39.3/sound/usb/usx2y/usbusx2yaudio.c 2011-05-22 19:36:36.000000000 -0400
85322 @@ -919,8 +919,7 @@ static int snd_usX2Y_pcm_close(struct sn
85323 }
85324
85325
85326 -static struct snd_pcm_ops snd_usX2Y_pcm_ops =
85327 -{
85328 +static const struct snd_pcm_ops snd_usX2Y_pcm_ops = {
85329 .open = snd_usX2Y_pcm_open,
85330 .close = snd_usX2Y_pcm_close,
85331 .ioctl = snd_pcm_lib_ioctl,
85332 diff -urNp linux-2.6.39.3/tools/gcc/Makefile linux-2.6.39.3/tools/gcc/Makefile
85333 --- linux-2.6.39.3/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
85334 +++ linux-2.6.39.3/tools/gcc/Makefile 2011-06-03 01:19:01.000000000 -0400
85335 @@ -0,0 +1,11 @@
85336 +#CC := gcc
85337 +#PLUGIN_SOURCE_FILES := pax_plugin.c
85338 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
85339 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
85340 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
85341 +
85342 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
85343 +
85344 +hostlibs-y := pax_plugin.so
85345 +always := $(hostlibs-y)
85346 +pax_plugin-objs := pax_plugin.o
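Review bot: `GCCPLUGINS_DIR` is derived from `$(HOSTCC) -print-file-name=plugin` with no check that the directory actually exists. When the host compiler has no plugin headers installed, that command echoes the bare word `plugin`, so the include path becomes `plugin/include` and the failure only shows up later as a missing `gcc-plugin.h`. Since `always := $(hostlibs-y)` builds the plugin whenever this directory is visited (whether that visit is conditional is not visible here), a guard such as `ifeq ($(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),)` followed by `$(error gcc plugin headers not found for $(HOSTCC))` would make the cause explicit. The four commented-out assignments (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) look like leftovers from a standalone build and could be dropped.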
85347 diff -urNp linux-2.6.39.3/tools/gcc/pax_plugin.c linux-2.6.39.3/tools/gcc/pax_plugin.c
85348 --- linux-2.6.39.3/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
85349 +++ linux-2.6.39.3/tools/gcc/pax_plugin.c 2011-07-06 20:00:13.000000000 -0400
85350 @@ -0,0 +1,243 @@
85351 +/*
85352 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
85353 + * Licensed under the GPL v2
85354 + *
85355 + * Note: the choice of the license means that the compilation process is
85356 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
85357 + * but for the kernel it doesn't matter since it doesn't link against
85358 + * any of the gcc libraries
85359 + *
85360 + * gcc plugin to help implement various PaX features
85361 + *
85362 + * - track lowest stack pointer
85363 + *
85364 + * TODO:
85365 + * - initialize all local variables
85366 + *
85367 + * BUGS:
85368 + * - cloned functions are instrumented twice
85369 + */
85370 +#include "gcc-plugin.h"
85371 +#include "plugin-version.h"
85372 +#include "config.h"
85373 +#include "system.h"
85374 +#include "coretypes.h"
85375 +#include "tm.h"
85376 +#include "toplev.h"
85377 +#include "basic-block.h"
85378 +#include "gimple.h"
85379 +//#include "expr.h" where are you...
85380 +#include "diagnostic.h"
85381 +#include "rtl.h"
85382 +#include "emit-rtl.h"
85383 +#include "function.h"
85384 +#include "tree.h"
85385 +#include "tree-pass.h"
85386 +#include "intl.h"
85387 +
85388 +int plugin_is_GPL_compatible;
85389 +
85390 +static int track_frame_size = -1;
85391 +static const char track_function[] = "pax_track_stack";
85392 +static bool init_locals;
85393 +
85394 +static struct plugin_info pax_plugin_info = {
85395 + .version = "201106030000",
85396 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
85397 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
85398 +};
85399 +
85400 +static bool gate_pax_track_stack(void);
85401 +static unsigned int execute_pax_tree_instrument(void);
85402 +static unsigned int execute_pax_final(void);
85403 +
85404 +static struct gimple_opt_pass pax_tree_instrument_pass = {
85405 + .pass = {
85406 + .type = GIMPLE_PASS,
85407 + .name = "pax_tree_instrument",
85408 + .gate = gate_pax_track_stack,
85409 + .execute = execute_pax_tree_instrument,
85410 + .sub = NULL,
85411 + .next = NULL,
85412 + .static_pass_number = 0,
85413 + .tv_id = TV_NONE,
85414 + .properties_required = PROP_gimple_leh | PROP_cfg,
85415 + .properties_provided = 0,
85416 + .properties_destroyed = 0,
85417 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
85418 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
85419 + }
85420 +};
85421 +
85422 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
85423 + .pass = {
85424 + .type = RTL_PASS,
85425 + .name = "pax_final",
85426 + .gate = gate_pax_track_stack,
85427 + .execute = execute_pax_final,
85428 + .sub = NULL,
85429 + .next = NULL,
85430 + .static_pass_number = 0,
85431 + .tv_id = TV_NONE,
85432 + .properties_required = 0,
85433 + .properties_provided = 0,
85434 + .properties_destroyed = 0,
85435 + .todo_flags_start = 0,
85436 + .todo_flags_finish = 0
85437 + }
85438 +};
85439 +
85440 +static bool gate_pax_track_stack(void)
85441 +{
85442 + return track_frame_size >= 0;
85443 +}
85444 +
85445 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
85446 +{
85447 + gimple call;
85448 + tree decl, type;
85449 +
85450 + // insert call to void pax_track_stack(void)
85451 + type = build_function_type_list(void_type_node, NULL_TREE);
85452 + decl = build_fn_decl(track_function, type);
85453 + DECL_ASSEMBLER_NAME(decl); // for LTO
85454 + call = gimple_build_call(decl, 0);
85455 + if (before)
85456 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
85457 + else
85458 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
85459 +}
85460 +
85461 +static unsigned int execute_pax_tree_instrument(void)
85462 +{
85463 + basic_block bb;
85464 + gimple_stmt_iterator gsi;
85465 +
85466 + // 1. loop through BBs and GIMPLE statements
85467 + FOR_EACH_BB(bb) {
85468 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
85469 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
85470 + tree decl;
85471 + gimple stmt = gsi_stmt(gsi);
85472 +
85473 + if (!is_gimple_call(stmt))
85474 + continue;
85475 + decl = gimple_call_fndecl(stmt);
85476 + if (!decl)
85477 + continue;
85478 + if (TREE_CODE(decl) != FUNCTION_DECL)
85479 + continue;
85480 + if (!DECL_BUILT_IN(decl))
85481 + continue;
85482 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
85483 + continue;
85484 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
85485 + continue;
85486 +
85487 + // 2. insert track call after each __builtin_alloca call
85488 + pax_add_instrumentation(&gsi, false);
85489 +// print_node(stderr, "pax", decl, 4);
85490 + }
85491 + }
85492 +
85493 + // 3. insert track call at the beginning
85494 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
85495 + gsi = gsi_start_bb(bb);
85496 + pax_add_instrumentation(&gsi, true);
85497 +
85498 + return 0;
85499 +}
85500 +
85501 +static unsigned int execute_pax_final(void)
85502 +{
85503 + rtx insn;
85504 +
85505 + if (cfun->calls_alloca)
85506 + return 0;
85507 +
85508 + // 1. find pax_track_stack calls
85509 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
85510 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
85511 + rtx body;
85512 +
85513 + if (!CALL_P(insn))
85514 + continue;
85515 + body = PATTERN(insn);
85516 + if (GET_CODE(body) != CALL)
85517 + continue;
85518 + body = XEXP(body, 0);
85519 + if (GET_CODE(body) != MEM)
85520 + continue;
85521 + body = XEXP(body, 0);
85522 + if (GET_CODE(body) != SYMBOL_REF)
85523 + continue;
85524 + if (strcmp(XSTR(body, 0), track_function))
85525 + continue;
85526 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85527 + // 2. delete call if function frame is not big enough
85528 + if (get_frame_size() >= track_frame_size)
85529 + continue;
85530 + delete_insn_and_edges(insn);
85531 + }
85532 +
85533 +// print_simple_rtl(stderr, get_insns());
85534 +// print_rtl(stderr, get_insns());
85535 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
85536 +
85537 + return 0;
85538 +}
85539 +
85540 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
85541 +{
85542 + const char * const plugin_name = plugin_info->base_name;
85543 + const int argc = plugin_info->argc;
85544 + const struct plugin_argument * const argv = plugin_info->argv;
85545 + int i;
85546 + struct register_pass_info pax_tree_instrument_pass_info = {
85547 + .pass = &pax_tree_instrument_pass.pass,
85548 +// .reference_pass_name = "tree_profile",
85549 + .reference_pass_name = "optimized",
85550 + .ref_pass_instance_number = 0,
85551 + .pos_op = PASS_POS_INSERT_AFTER
85552 + };
85553 + struct register_pass_info pax_final_pass_info = {
85554 + .pass = &pax_final_rtl_opt_pass.pass,
85555 + .reference_pass_name = "final",
85556 + .ref_pass_instance_number = 0,
85557 + .pos_op = PASS_POS_INSERT_BEFORE
85558 + };
85559 +
85560 + if (!plugin_default_version_check(version, &gcc_version)) {
85561 + error(G_("incompatible gcc/plugin versions"));
85562 + return 1;
85563 + }
85564 +
85565 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
85566 +
85567 + for (i = 0; i < argc; ++i) {
85568 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
85569 + if (!argv[i].value) {
85570 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85571 + continue;
85572 + }
85573 + track_frame_size = atoi(argv[i].value);
85574 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
85575 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85576 + continue;
85577 + }
85578 + if (!strcmp(argv[i].key, "initialize-locals")) {
85579 + if (argv[i].value) {
85580 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
85581 + continue;
85582 + }
85583 + init_locals = true;
85584 + continue;
85585 + }
85586 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
85587 + }
85588 +
85589 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
85590 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
85591 +
85592 + return 0;
85593 +}
85594 diff -urNp linux-2.6.39.3/tools/perf/builtin-lock.c linux-2.6.39.3/tools/perf/builtin-lock.c
85595 --- linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-19 00:06:34.000000000 -0400
85596 +++ linux-2.6.39.3/tools/perf/builtin-lock.c 2011-05-22 19:36:36.000000000 -0400
85597 @@ -635,14 +635,14 @@ end:
85598
85599 /* lock oriented handlers */
85600 /* TODO: handlers for CPU oriented, thread oriented */
85601 -static struct trace_lock_handler report_lock_ops = {
85602 +static const struct trace_lock_handler report_lock_ops = {
85603 .acquire_event = report_lock_acquire_event,
85604 .acquired_event = report_lock_acquired_event,
85605 .contended_event = report_lock_contended_event,
85606 .release_event = report_lock_release_event,
85607 };
85608
85609 -static struct trace_lock_handler *trace_handler;
85610 +static const struct trace_lock_handler *trace_handler;
85611
85612 static void
85613 process_lock_acquire_event(void *data,
85614 diff -urNp linux-2.6.39.3/tools/perf/builtin-sched.c linux-2.6.39.3/tools/perf/builtin-sched.c
85615 --- linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-19 00:06:34.000000000 -0400
85616 +++ linux-2.6.39.3/tools/perf/builtin-sched.c 2011-05-22 19:36:36.000000000 -0400
85617 @@ -845,7 +845,7 @@ replay_fork_event(struct trace_fork_even
85618 register_pid(fork_event->child_pid, fork_event->child_comm);
85619 }
85620
85621 -static struct trace_sched_handler replay_ops = {
85622 +static const struct trace_sched_handler replay_ops = {
85623 .wakeup_event = replay_wakeup_event,
85624 .switch_event = replay_switch_event,
85625 .fork_event = replay_fork_event,
85626 @@ -1183,7 +1183,7 @@ latency_migrate_task_event(struct trace_
85627 nr_unordered_timestamps++;
85628 }
85629
85630 -static struct trace_sched_handler lat_ops = {
85631 +static const struct trace_sched_handler lat_ops = {
85632 .wakeup_event = latency_wakeup_event,
85633 .switch_event = latency_switch_event,
85634 .runtime_event = latency_runtime_event,
85635 @@ -1353,7 +1353,7 @@ static void sort_lat(void)
85636 }
85637 }
85638
85639 -static struct trace_sched_handler *trace_handler;
85640 +static const struct trace_sched_handler *trace_handler;
85641
85642 static void
85643 process_sched_wakeup_event(void *data, struct perf_session *session,
85644 @@ -1719,7 +1719,7 @@ static void __cmd_lat(void)
85645
85646 }
85647
85648 -static struct trace_sched_handler map_ops = {
85649 +static const struct trace_sched_handler map_ops = {
85650 .wakeup_event = NULL,
85651 .switch_event = map_switch_event,
85652 .runtime_event = NULL,
85653 diff -urNp linux-2.6.39.3/usr/gen_init_cpio.c linux-2.6.39.3/usr/gen_init_cpio.c
85654 --- linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-19 00:06:34.000000000 -0400
85655 +++ linux-2.6.39.3/usr/gen_init_cpio.c 2011-05-22 19:36:36.000000000 -0400
85656 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
85657 int retval;
85658 int rc = -1;
85659 int namesize;
85660 - int i;
85661 + unsigned int i;
85662
85663 mode |= S_IFREG;
85664
85665 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
85666 *env_var = *expanded = '\0';
85667 strncat(env_var, start + 2, end - start - 2);
85668 strncat(expanded, new_location, start - new_location);
85669 - strncat(expanded, getenv(env_var), PATH_MAX);
85670 - strncat(expanded, end + 1, PATH_MAX);
85671 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
85672 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
85673 strncpy(new_location, expanded, PATH_MAX);
85674 + new_location[PATH_MAX] = 0;
85675 } else
85676 break;
85677 }
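Review bot: `getenv(env_var)` is still passed straight to `strncat`, so a `${VAR}` reference to an unset variable hands a null pointer to a string function, which is undefined behaviour; the tightened length on that line does not cover it. Fetch the value first and fall back to an empty string: `const char *val = getenv(env_var);` then `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` is only safe if the caller's buffer holds at least PATH_MAX + 1 bytes, and the two unchanged `strncat` calls above it are bounded by input offsets, not by the destination sizes. The declarations of `expanded`, `env_var` and the caller's buffer are outside this hunk, so those sizes need confirming; cpio_replace_env's body starts and ends outside the hunk.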
85678 diff -urNp linux-2.6.39.3/virt/kvm/kvm_main.c linux-2.6.39.3/virt/kvm/kvm_main.c
85679 --- linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-19 00:06:34.000000000 -0400
85680 +++ linux-2.6.39.3/virt/kvm/kvm_main.c 2011-05-22 19:36:36.000000000 -0400
85681 @@ -73,7 +73,7 @@ LIST_HEAD(vm_list);
85682
85683 static cpumask_var_t cpus_hardware_enabled;
85684 static int kvm_usage_count = 0;
85685 -static atomic_t hardware_enable_failed;
85686 +static atomic_unchecked_t hardware_enable_failed;
85687
85688 struct kmem_cache *kvm_vcpu_cache;
85689 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
85690 @@ -1594,7 +1594,7 @@ static int kvm_vcpu_release(struct inode
85691 return 0;
85692 }
85693
85694 -static struct file_operations kvm_vcpu_fops = {
85695 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
85696 .release = kvm_vcpu_release,
85697 .unlocked_ioctl = kvm_vcpu_ioctl,
85698 .compat_ioctl = kvm_vcpu_ioctl,
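Review bot: The added `/* cannot be const */` marker on `kvm_vcpu_fops` does not say why, so the next constification sweep has to rediscover the reason. If it is that `kvm_init()` assigns the `.owner` field at run time (that assignment is outside these hunks, so confirm it), the comment should say so: `/* cannot be const: .owner is set in kvm_init() */`. The same applies to `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. A function-pointer table left writable is exactly what the surrounding constification is meant to remove, so the exception is worth justifying where it is made. The initializer continues outside the hunk.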
85699 @@ -2063,7 +2063,7 @@ static int kvm_vm_mmap(struct file *file
85700 return 0;
85701 }
85702
85703 -static struct file_operations kvm_vm_fops = {
85704 +static struct file_operations kvm_vm_fops = { /* cannot be const */
85705 .release = kvm_vm_release,
85706 .unlocked_ioctl = kvm_vm_ioctl,
85707 #ifdef CONFIG_COMPAT
85708 @@ -2161,7 +2161,7 @@ out:
85709 return r;
85710 }
85711
85712 -static struct file_operations kvm_chardev_ops = {
85713 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
85714 .unlocked_ioctl = kvm_dev_ioctl,
85715 .compat_ioctl = kvm_dev_ioctl,
85716 .llseek = noop_llseek,
85717 @@ -2187,7 +2187,7 @@ static void hardware_enable_nolock(void
85718
85719 if (r) {
85720 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
85721 - atomic_inc(&hardware_enable_failed);
85722 + atomic_inc_unchecked(&hardware_enable_failed);
85723 printk(KERN_INFO "kvm: enabling virtualization on "
85724 "CPU%d failed\n", cpu);
85725 }
85726 @@ -2241,10 +2241,10 @@ static int hardware_enable_all(void)
85727
85728 kvm_usage_count++;
85729 if (kvm_usage_count == 1) {
85730 - atomic_set(&hardware_enable_failed, 0);
85731 + atomic_set_unchecked(&hardware_enable_failed, 0);
85732 on_each_cpu(hardware_enable_nolock, NULL, 1);
85733
85734 - if (atomic_read(&hardware_enable_failed)) {
85735 + if (atomic_read_unchecked(&hardware_enable_failed)) {
85736 hardware_disable_all_nolock();
85737 r = -EBUSY;
85738 }
85739 @@ -2509,7 +2509,7 @@ static void kvm_sched_out(struct preempt
85740 kvm_arch_vcpu_put(vcpu);
85741 }
85742
85743 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85744 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
85745 struct module *module)
85746 {
85747 int r;
85748 @@ -2572,7 +2572,7 @@ int kvm_init(void *opaque, unsigned vcpu
85749 if (!vcpu_align)
85750 vcpu_align = __alignof__(struct kvm_vcpu);
85751 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
85752 - 0, NULL);
85753 + SLAB_USERCOPY, NULL);
85754 if (!kvm_vcpu_cache) {
85755 r = -ENOMEM;
85756 goto out_free_3;
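Review bot: `SLAB_USERCOPY` is added to the `kvm_vcpu` cache with no comment on why vcpu objects must be eligible for copies to and from user space. The flag is set for the cache as a whole, so presumably every field of the vcpu structure becomes a permitted usercopy source or destination, not only the one the ioctl path needs. A comment naming the field or ioctl that requires it would keep that exposure auditable, e.g. `/* SLAB_USERCOPY: needed for <field copied by the vcpu ioctl path, fill in> */`. kvm_init's body starts and ends outside the hunk.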