authorNatanael Copa <ncopa@alpinelinux.org>2010-03-18 08:18:00 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2010-03-18 10:13:17 +0000
commit6c08a747e94cb5a2914337f7444304ab0d3b18d3 (patch)
tree56a4880a94c19af9f5af6f5550c6181d0227be24
parenta984987efa2e80601bea6fb44ab28c786850acd4 (diff)
main/linux-grsec: revert xfrm cache size patchv1.10.1
(cherry picked from commit cb0c20d57cec46314cd0cc41cd09c28147636850)
-rw-r--r--main/linux-grsec/APKBUILD8
-rw-r--r--main/linux-grsec/grsecurity-2.1.14-2.6.32.9-201002231820.patch53407
-rw-r--r--main/linux-grsec/xfrm-cache-size-revert.patch12
3 files changed, 15 insertions, 53412 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index d4824de90e..e29efde20a 100644
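--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.32.9
 _kernver=2.6.32
-pkgrel=2
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -15,11 +15,10 @@ install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
  ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
  grsecurity-2.1.14-2.6.32.9-201003112025.patch
- net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch
- xfrm-flow-cache-grsec.patch
  ip_gre.patch
  ip_gre2.patch
  arp.patch
+ xfrm-cache-size-revert.patch
  kernelconfig.x86
  "
 subpackages="$pkgname-dev linux-firmware:firmware"
@@ -126,9 +125,8 @@ firmware() {
 md5sums="260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
 7f615dd3b4a3b19fb86e479996a2deb5 patch-2.6.32.9.bz2
 98721ae28fe928f970ce92d8fc99d3a0 grsecurity-2.1.14-2.6.32.9-201003112025.patch
-b60772a7fe2a6161e34514adcbddc191 net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch
-a30b7b40203f8063abd1afc57d98e559 xfrm-flow-cache-grsec.patch
 3ef822f3a2723b9a80c3f12954457225 ip_gre.patch
 13ca9e91700e459da269c957062bbea7 ip_gre2.patch
 4c39a161d918e7f274292ecfd168b891 arp.patch
+329fcab881425e001d3243caa4648478 xfrm-cache-size-revert.patch
 7f442049b29ab749180e54ff8f20f1d0 kernelconfig.x86"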
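Review bot: The added `xfrm-cache-size-revert.patch` is pinned only by an MD5 digest in `md5sums`, and that same array is the only visible integrity check on the kernel tarball and `patch-$pkgver.bz2`, which `source=` fetches over plain `ftp://`. MD5 no longer offers collision resistance, so for a kernel package I would record a stronger digest next to it, for example `sha512sums="<sha512 placeholder>  xfrm-cache-size-revert.patch"` if the abuild version in use accepts such an array, or verify the upstream signatures before building. Separately, the diffstat lists only `grsecurity-2.1.14-2.6.32.9-201002231820.patch` as deleted, so `net-2.6.git-87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9.patch` and `xfrm-flow-cache-grsec.patch` appear to remain in `main/linux-grsec/` after being dropped from `source=`. Removing them in the same commit would keep unreferenced kernel patches from lingering in the tree.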
diff --git a/main/linux-grsec/grsecurity-2.1.14-2.6.32.9-201002231820.patch b/main/linux-grsec/grsecurity-2.1.14-2.6.32.9-201002231820.patch
deleted file mode 100644
index 09d2f5da28..0000000000
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.32.9-201002231820.patch
+++ /dev/null
@@ -1,53407 +0,0 @@
1diff -urNp linux-2.6.32.9/arch/alpha/include/asm/elf.h linux-2.6.32.9/arch/alpha/include/asm/elf.h
2--- linux-2.6.32.9/arch/alpha/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
3+++ linux-2.6.32.9/arch/alpha/include/asm/elf.h 2010-02-23 17:09:53.067670152 -0500
4@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
7
8+#ifdef CONFIG_PAX_ASLR
9+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10+
11+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13+#endif
14+
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18diff -urNp linux-2.6.32.9/arch/alpha/include/asm/pgtable.h linux-2.6.32.9/arch/alpha/include/asm/pgtable.h
19--- linux-2.6.32.9/arch/alpha/include/asm/pgtable.h 2010-02-09 07:57:19.000000000 -0500
20+++ linux-2.6.32.9/arch/alpha/include/asm/pgtable.h 2010-02-23 17:09:53.067670152 -0500
21@@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25+
26+#ifdef CONFIG_PAX_PAGEEXEC
27+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30+#else
31+# define PAGE_SHARED_NOEXEC PAGE_SHARED
32+# define PAGE_COPY_NOEXEC PAGE_COPY
33+# define PAGE_READONLY_NOEXEC PAGE_READONLY
34+#endif
35+
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39diff -urNp linux-2.6.32.9/arch/alpha/kernel/module.c linux-2.6.32.9/arch/alpha/kernel/module.c
40--- linux-2.6.32.9/arch/alpha/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
41+++ linux-2.6.32.9/arch/alpha/kernel/module.c 2010-02-23 17:09:53.067670152 -0500
42@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46- gp = (u64)me->module_core + me->core_size - 0x8000;
47+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
51diff -urNp linux-2.6.32.9/arch/alpha/kernel/osf_sys.c linux-2.6.32.9/arch/alpha/kernel/osf_sys.c
52--- linux-2.6.32.9/arch/alpha/kernel/osf_sys.c 2010-02-09 07:57:19.000000000 -0500
53+++ linux-2.6.32.9/arch/alpha/kernel/osf_sys.c 2010-02-23 17:09:53.067670152 -0500
54@@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp
55 merely specific addresses, but regions of memory -- perhaps
56 this feature should be incorporated into all ports? */
57
58+#ifdef CONFIG_PAX_RANDMMAP
59+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
60+#endif
61+
62 if (addr) {
63 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
64 if (addr != (unsigned long) -ENOMEM)
65@@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp
66 }
67
68 /* Next, try allocating at TASK_UNMAPPED_BASE. */
69- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
70- len, limit);
71+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
72+
73 if (addr != (unsigned long) -ENOMEM)
74 return addr;
75
76diff -urNp linux-2.6.32.9/arch/alpha/mm/fault.c linux-2.6.32.9/arch/alpha/mm/fault.c
77--- linux-2.6.32.9/arch/alpha/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
78+++ linux-2.6.32.9/arch/alpha/mm/fault.c 2010-02-23 17:09:53.071672140 -0500
79@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
80 __reload_thread(pcb);
81 }
82
83+#ifdef CONFIG_PAX_PAGEEXEC
84+/*
85+ * PaX: decide what to do with offenders (regs->pc = fault address)
86+ *
87+ * returns 1 when task should be killed
88+ * 2 when patched PLT trampoline was detected
89+ * 3 when unpatched PLT trampoline was detected
90+ */
91+static int pax_handle_fetch_fault(struct pt_regs *regs)
92+{
93+
94+#ifdef CONFIG_PAX_EMUPLT
95+ int err;
96+
97+ do { /* PaX: patched PLT emulation #1 */
98+ unsigned int ldah, ldq, jmp;
99+
100+ err = get_user(ldah, (unsigned int *)regs->pc);
101+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
102+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
103+
104+ if (err)
105+ break;
106+
107+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
108+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
109+ jmp == 0x6BFB0000U)
110+ {
111+ unsigned long r27, addr;
112+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
113+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
114+
115+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
116+ err = get_user(r27, (unsigned long *)addr);
117+ if (err)
118+ break;
119+
120+ regs->r27 = r27;
121+ regs->pc = r27;
122+ return 2;
123+ }
124+ } while (0);
125+
126+ do { /* PaX: patched PLT emulation #2 */
127+ unsigned int ldah, lda, br;
128+
129+ err = get_user(ldah, (unsigned int *)regs->pc);
130+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
131+ err |= get_user(br, (unsigned int *)(regs->pc+8));
132+
133+ if (err)
134+ break;
135+
136+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
137+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
138+ (br & 0xFFE00000U) == 0xC3E00000U)
139+ {
140+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
141+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
142+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
143+
144+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
145+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
146+ return 2;
147+ }
148+ } while (0);
149+
150+ do { /* PaX: unpatched PLT emulation */
151+ unsigned int br;
152+
153+ err = get_user(br, (unsigned int *)regs->pc);
154+
155+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
156+ unsigned int br2, ldq, nop, jmp;
157+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
158+
159+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
160+ err = get_user(br2, (unsigned int *)addr);
161+ err |= get_user(ldq, (unsigned int *)(addr+4));
162+ err |= get_user(nop, (unsigned int *)(addr+8));
163+ err |= get_user(jmp, (unsigned int *)(addr+12));
164+ err |= get_user(resolver, (unsigned long *)(addr+16));
165+
166+ if (err)
167+ break;
168+
169+ if (br2 == 0xC3600000U &&
170+ ldq == 0xA77B000CU &&
171+ nop == 0x47FF041FU &&
172+ jmp == 0x6B7B0000U)
173+ {
174+ regs->r28 = regs->pc+4;
175+ regs->r27 = addr+16;
176+ regs->pc = resolver;
177+ return 3;
178+ }
179+ }
180+ } while (0);
181+#endif
182+
183+ return 1;
184+}
185+
186+void pax_report_insns(void *pc, void *sp)
187+{
188+ unsigned long i;
189+
190+ printk(KERN_ERR "PAX: bytes at PC: ");
191+ for (i = 0; i < 5; i++) {
192+ unsigned int c;
193+ if (get_user(c, (unsigned int *)pc+i))
194+ printk(KERN_CONT "???????? ");
195+ else
196+ printk(KERN_CONT "%08x ", c);
197+ }
198+ printk("\n");
199+}
200+#endif
201
202 /*
203 * This routine handles page faults. It determines the address,
204@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
205 good_area:
206 si_code = SEGV_ACCERR;
207 if (cause < 0) {
208- if (!(vma->vm_flags & VM_EXEC))
209+ if (!(vma->vm_flags & VM_EXEC)) {
210+
211+#ifdef CONFIG_PAX_PAGEEXEC
212+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
213+ goto bad_area;
214+
215+ up_read(&mm->mmap_sem);
216+ switch (pax_handle_fetch_fault(regs)) {
217+
218+#ifdef CONFIG_PAX_EMUPLT
219+ case 2:
220+ case 3:
221+ return;
222+#endif
223+
224+ }
225+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
226+ do_group_exit(SIGKILL);
227+#else
228 goto bad_area;
229+#endif
230+
231+ }
232 } else if (!cause) {
233 /* Allow reads even for write-only mappings */
234 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
235diff -urNp linux-2.6.32.9/arch/arm/include/asm/elf.h linux-2.6.32.9/arch/arm/include/asm/elf.h
236--- linux-2.6.32.9/arch/arm/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
237+++ linux-2.6.32.9/arch/arm/include/asm/elf.h 2010-02-23 17:09:53.071672140 -0500
238@@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
239 the loader. We need to make sure that it is out of the way of the program
240 that it will "exec", and that there is sufficient room for the brk. */
241
242-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
243+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
244+
245+#ifdef CONFIG_PAX_ASLR
246+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
247+
248+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
249+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
250+#endif
251
252 /* When the program starts, a1 contains a pointer to a function to be
253 registered with atexit, as per the SVR4 ABI. A value of 0 means we
254diff -urNp linux-2.6.32.9/arch/arm/include/asm/kmap_types.h linux-2.6.32.9/arch/arm/include/asm/kmap_types.h
255--- linux-2.6.32.9/arch/arm/include/asm/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
256+++ linux-2.6.32.9/arch/arm/include/asm/kmap_types.h 2010-02-23 17:09:53.071672140 -0500
257@@ -19,6 +19,7 @@ enum km_type {
258 KM_SOFTIRQ0,
259 KM_SOFTIRQ1,
260 KM_L2_CACHE,
261+ KM_CLEARPAGE,
262 KM_TYPE_NR
263 };
264
265diff -urNp linux-2.6.32.9/arch/arm/include/asm/uaccess.h linux-2.6.32.9/arch/arm/include/asm/uaccess.h
266--- linux-2.6.32.9/arch/arm/include/asm/uaccess.h 2010-02-09 07:57:19.000000000 -0500
267+++ linux-2.6.32.9/arch/arm/include/asm/uaccess.h 2010-02-23 17:09:53.071672140 -0500
268@@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
269
270 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
271 {
272+ if ((long)n < 0)
273+ return n;
274+
275 if (access_ok(VERIFY_READ, from, n))
276 n = __copy_from_user(to, from, n);
277 else /* security hole - plug it */
278@@ -412,6 +415,9 @@ static inline unsigned long __must_check
279
280 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
281 {
282+ if ((long)n < 0)
283+ return n;
284+
285 if (access_ok(VERIFY_WRITE, to, n))
286 n = __copy_to_user(to, from, n);
287 return n;
288diff -urNp linux-2.6.32.9/arch/arm/kernel/kgdb.c linux-2.6.32.9/arch/arm/kernel/kgdb.c
289--- linux-2.6.32.9/arch/arm/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
290+++ linux-2.6.32.9/arch/arm/kernel/kgdb.c 2010-02-23 17:09:53.071672140 -0500
291@@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
292 * and we handle the normal undef case within the do_undefinstr
293 * handler.
294 */
295-struct kgdb_arch arch_kgdb_ops = {
296+const struct kgdb_arch arch_kgdb_ops = {
297 #ifndef __ARMEB__
298 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
299 #else /* ! __ARMEB__ */
300diff -urNp linux-2.6.32.9/arch/arm/mach-at91/pm.c linux-2.6.32.9/arch/arm/mach-at91/pm.c
301--- linux-2.6.32.9/arch/arm/mach-at91/pm.c 2010-02-09 07:57:19.000000000 -0500
302+++ linux-2.6.32.9/arch/arm/mach-at91/pm.c 2010-02-23 17:09:53.071672140 -0500
303@@ -348,7 +348,7 @@ static void at91_pm_end(void)
304 }
305
306
307-static struct platform_suspend_ops at91_pm_ops ={
308+static const struct platform_suspend_ops at91_pm_ops ={
309 .valid = at91_pm_valid_state,
310 .begin = at91_pm_begin,
311 .enter = at91_pm_enter,
312diff -urNp linux-2.6.32.9/arch/arm/mach-omap1/pm.c linux-2.6.32.9/arch/arm/mach-omap1/pm.c
313--- linux-2.6.32.9/arch/arm/mach-omap1/pm.c 2010-02-09 07:57:19.000000000 -0500
314+++ linux-2.6.32.9/arch/arm/mach-omap1/pm.c 2010-02-23 17:09:53.071672140 -0500
315@@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
316
317
318
319-static struct platform_suspend_ops omap_pm_ops ={
320+static const struct platform_suspend_ops omap_pm_ops ={
321 .prepare = omap_pm_prepare,
322 .enter = omap_pm_enter,
323 .finish = omap_pm_finish,
324diff -urNp linux-2.6.32.9/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.9/arch/arm/mach-omap2/pm24xx.c
325--- linux-2.6.32.9/arch/arm/mach-omap2/pm24xx.c 2010-02-09 07:57:19.000000000 -0500
326+++ linux-2.6.32.9/arch/arm/mach-omap2/pm24xx.c 2010-02-23 17:09:53.071672140 -0500
327@@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
328 enable_hlt();
329 }
330
331-static struct platform_suspend_ops omap_pm_ops = {
332+static const struct platform_suspend_ops omap_pm_ops = {
333 .prepare = omap2_pm_prepare,
334 .enter = omap2_pm_enter,
335 .finish = omap2_pm_finish,
336diff -urNp linux-2.6.32.9/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.9/arch/arm/mach-omap2/pm34xx.c
337--- linux-2.6.32.9/arch/arm/mach-omap2/pm34xx.c 2010-02-09 07:57:19.000000000 -0500
338+++ linux-2.6.32.9/arch/arm/mach-omap2/pm34xx.c 2010-02-23 17:09:53.071672140 -0500
339@@ -401,7 +401,7 @@ static void omap3_pm_end(void)
340 return;
341 }
342
343-static struct platform_suspend_ops omap_pm_ops = {
344+static const struct platform_suspend_ops omap_pm_ops = {
345 .begin = omap3_pm_begin,
346 .end = omap3_pm_end,
347 .prepare = omap3_pm_prepare,
348diff -urNp linux-2.6.32.9/arch/arm/mach-pnx4008/pm.c linux-2.6.32.9/arch/arm/mach-pnx4008/pm.c
349--- linux-2.6.32.9/arch/arm/mach-pnx4008/pm.c 2010-02-09 07:57:19.000000000 -0500
350+++ linux-2.6.32.9/arch/arm/mach-pnx4008/pm.c 2010-02-23 17:09:53.071672140 -0500
351@@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
352 (state == PM_SUSPEND_MEM);
353 }
354
355-static struct platform_suspend_ops pnx4008_pm_ops = {
356+static const struct platform_suspend_ops pnx4008_pm_ops = {
357 .enter = pnx4008_pm_enter,
358 .valid = pnx4008_pm_valid,
359 };
360diff -urNp linux-2.6.32.9/arch/arm/mach-pxa/pm.c linux-2.6.32.9/arch/arm/mach-pxa/pm.c
361--- linux-2.6.32.9/arch/arm/mach-pxa/pm.c 2010-02-09 07:57:19.000000000 -0500
362+++ linux-2.6.32.9/arch/arm/mach-pxa/pm.c 2010-02-23 17:09:53.071672140 -0500
363@@ -95,7 +95,7 @@ void pxa_pm_finish(void)
364 pxa_cpu_pm_fns->finish();
365 }
366
367-static struct platform_suspend_ops pxa_pm_ops = {
368+static const struct platform_suspend_ops pxa_pm_ops = {
369 .valid = pxa_pm_valid,
370 .enter = pxa_pm_enter,
371 .prepare = pxa_pm_prepare,
372diff -urNp linux-2.6.32.9/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.9/arch/arm/mach-pxa/sharpsl_pm.c
373--- linux-2.6.32.9/arch/arm/mach-pxa/sharpsl_pm.c 2010-02-09 07:57:19.000000000 -0500
374+++ linux-2.6.32.9/arch/arm/mach-pxa/sharpsl_pm.c 2010-02-23 17:09:53.071672140 -0500
375@@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
376 }
377
378 #ifdef CONFIG_PM
379-static struct platform_suspend_ops sharpsl_pm_ops = {
380+static const struct platform_suspend_ops sharpsl_pm_ops = {
381 .prepare = pxa_pm_prepare,
382 .finish = pxa_pm_finish,
383 .enter = corgi_pxa_pm_enter,
384diff -urNp linux-2.6.32.9/arch/arm/mach-sa1100/pm.c linux-2.6.32.9/arch/arm/mach-sa1100/pm.c
385--- linux-2.6.32.9/arch/arm/mach-sa1100/pm.c 2010-02-09 07:57:19.000000000 -0500
386+++ linux-2.6.32.9/arch/arm/mach-sa1100/pm.c 2010-02-23 17:09:53.071672140 -0500
387@@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
388 return virt_to_phys(sp);
389 }
390
391-static struct platform_suspend_ops sa11x0_pm_ops = {
392+static const struct platform_suspend_ops sa11x0_pm_ops = {
393 .enter = sa11x0_pm_enter,
394 .valid = suspend_valid_only_mem,
395 };
396diff -urNp linux-2.6.32.9/arch/arm/mm/fault.c linux-2.6.32.9/arch/arm/mm/fault.c
397--- linux-2.6.32.9/arch/arm/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
398+++ linux-2.6.32.9/arch/arm/mm/fault.c 2010-02-23 17:09:53.071672140 -0500
399@@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
400 }
401 #endif
402
403+#ifdef CONFIG_PAX_PAGEEXEC
404+ if (fsr & FSR_LNX_PF) {
405+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
406+ do_group_exit(SIGKILL);
407+ }
408+#endif
409+
410 tsk->thread.address = addr;
411 tsk->thread.error_code = fsr;
412 tsk->thread.trap_no = 14;
413@@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
414 }
415 #endif /* CONFIG_MMU */
416
417+#ifdef CONFIG_PAX_PAGEEXEC
418+void pax_report_insns(void *pc, void *sp)
419+{
420+ long i;
421+
422+ printk(KERN_ERR "PAX: bytes at PC: ");
423+ for (i = 0; i < 20; i++) {
424+ unsigned char c;
425+ if (get_user(c, (__force unsigned char __user *)pc+i))
426+ printk(KERN_CONT "?? ");
427+ else
428+ printk(KERN_CONT "%02x ", c);
429+ }
430+ printk("\n");
431+
432+ printk(KERN_ERR "PAX: bytes at SP-4: ");
433+ for (i = -1; i < 20; i++) {
434+ unsigned long c;
435+ if (get_user(c, (__force unsigned long __user *)sp+i))
436+ printk(KERN_CONT "???????? ");
437+ else
438+ printk(KERN_CONT "%08lx ", c);
439+ }
440+ printk("\n");
441+}
442+#endif
443+
444 /*
445 * First Level Translation Fault Handler
446 *
447diff -urNp linux-2.6.32.9/arch/arm/mm/mmap.c linux-2.6.32.9/arch/arm/mm/mmap.c
448--- linux-2.6.32.9/arch/arm/mm/mmap.c 2010-02-09 07:57:19.000000000 -0500
449+++ linux-2.6.32.9/arch/arm/mm/mmap.c 2010-02-23 17:09:53.071672140 -0500
450@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
451 if (len > TASK_SIZE)
452 return -ENOMEM;
453
454+#ifdef CONFIG_PAX_RANDMMAP
455+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
456+#endif
457+
458 if (addr) {
459 if (do_align)
460 addr = COLOUR_ALIGN(addr, pgoff);
461@@ -75,10 +79,10 @@ arch_get_unmapped_area(struct file *filp
462 return addr;
463 }
464 if (len > mm->cached_hole_size) {
465- start_addr = addr = mm->free_area_cache;
466+ start_addr = addr = mm->free_area_cache;
467 } else {
468- start_addr = addr = TASK_UNMAPPED_BASE;
469- mm->cached_hole_size = 0;
470+ start_addr = addr = mm->mmap_base;
471+ mm->cached_hole_size = 0;
472 }
473
474 full_search:
475@@ -94,8 +98,8 @@ full_search:
476 * Start a new search - just in case we missed
477 * some holes.
478 */
479- if (start_addr != TASK_UNMAPPED_BASE) {
480- start_addr = addr = TASK_UNMAPPED_BASE;
481+ if (start_addr != mm->mmap_base) {
482+ start_addr = addr = mm->mmap_base;
483 mm->cached_hole_size = 0;
484 goto full_search;
485 }
486diff -urNp linux-2.6.32.9/arch/arm/plat-s3c/pm.c linux-2.6.32.9/arch/arm/plat-s3c/pm.c
487--- linux-2.6.32.9/arch/arm/plat-s3c/pm.c 2010-02-09 07:57:19.000000000 -0500
488+++ linux-2.6.32.9/arch/arm/plat-s3c/pm.c 2010-02-23 17:09:53.071672140 -0500
489@@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
490 s3c_pm_check_cleanup();
491 }
492
493-static struct platform_suspend_ops s3c_pm_ops = {
494+static const struct platform_suspend_ops s3c_pm_ops = {
495 .enter = s3c_pm_enter,
496 .prepare = s3c_pm_prepare,
497 .finish = s3c_pm_finish,
498diff -urNp linux-2.6.32.9/arch/avr32/include/asm/elf.h linux-2.6.32.9/arch/avr32/include/asm/elf.h
499--- linux-2.6.32.9/arch/avr32/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
500+++ linux-2.6.32.9/arch/avr32/include/asm/elf.h 2010-02-23 17:09:53.071672140 -0500
501@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
502 the loader. We need to make sure that it is out of the way of the program
503 that it will "exec", and that there is sufficient room for the brk. */
504
505-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
506+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
507
508+#ifdef CONFIG_PAX_ASLR
509+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
510+
511+#define PAX_DELTA_MMAP_LEN 15
512+#define PAX_DELTA_STACK_LEN 15
513+#endif
514
515 /* This yields a mask that user programs can use to figure out what
516 instruction set this CPU supports. This could be done in user space,
517diff -urNp linux-2.6.32.9/arch/avr32/include/asm/kmap_types.h linux-2.6.32.9/arch/avr32/include/asm/kmap_types.h
518--- linux-2.6.32.9/arch/avr32/include/asm/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
519+++ linux-2.6.32.9/arch/avr32/include/asm/kmap_types.h 2010-02-23 17:09:53.071672140 -0500
520@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
521 D(11) KM_IRQ1,
522 D(12) KM_SOFTIRQ0,
523 D(13) KM_SOFTIRQ1,
524-D(14) KM_TYPE_NR
525+D(14) KM_CLEARPAGE,
526+D(15) KM_TYPE_NR
527 };
528
529 #undef D
530diff -urNp linux-2.6.32.9/arch/avr32/mach-at32ap/pm.c linux-2.6.32.9/arch/avr32/mach-at32ap/pm.c
531--- linux-2.6.32.9/arch/avr32/mach-at32ap/pm.c 2010-02-09 07:57:19.000000000 -0500
532+++ linux-2.6.32.9/arch/avr32/mach-at32ap/pm.c 2010-02-23 17:09:53.071672140 -0500
533@@ -176,7 +176,7 @@ out:
534 return 0;
535 }
536
537-static struct platform_suspend_ops avr32_pm_ops = {
538+static const struct platform_suspend_ops avr32_pm_ops = {
539 .valid = avr32_pm_valid_state,
540 .enter = avr32_pm_enter,
541 };
542diff -urNp linux-2.6.32.9/arch/avr32/mm/fault.c linux-2.6.32.9/arch/avr32/mm/fault.c
543--- linux-2.6.32.9/arch/avr32/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
544+++ linux-2.6.32.9/arch/avr32/mm/fault.c 2010-02-23 17:09:53.071672140 -0500
545@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
546
547 int exception_trace = 1;
548
549+#ifdef CONFIG_PAX_PAGEEXEC
550+void pax_report_insns(void *pc, void *sp)
551+{
552+ unsigned long i;
553+
554+ printk(KERN_ERR "PAX: bytes at PC: ");
555+ for (i = 0; i < 20; i++) {
556+ unsigned char c;
557+ if (get_user(c, (unsigned char *)pc+i))
558+ printk(KERN_CONT "???????? ");
559+ else
560+ printk(KERN_CONT "%02x ", c);
561+ }
562+ printk("\n");
563+}
564+#endif
565+
566 /*
567 * This routine handles page faults. It determines the address and the
568 * problem, and then passes it off to one of the appropriate routines.
569@@ -157,6 +174,16 @@ bad_area:
570 up_read(&mm->mmap_sem);
571
572 if (user_mode(regs)) {
573+
574+#ifdef CONFIG_PAX_PAGEEXEC
575+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
576+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
577+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
578+ do_group_exit(SIGKILL);
579+ }
580+ }
581+#endif
582+
583 if (exception_trace && printk_ratelimit())
584 printk("%s%s[%d]: segfault at %08lx pc %08lx "
585 "sp %08lx ecr %lu\n",
586diff -urNp linux-2.6.32.9/arch/blackfin/kernel/kgdb.c linux-2.6.32.9/arch/blackfin/kernel/kgdb.c
587--- linux-2.6.32.9/arch/blackfin/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
588+++ linux-2.6.32.9/arch/blackfin/kernel/kgdb.c 2010-02-23 17:09:53.071672140 -0500
589@@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
590 return -1; /* this means that we do not want to exit from the handler */
591 }
592
593-struct kgdb_arch arch_kgdb_ops = {
594+const struct kgdb_arch arch_kgdb_ops = {
595 .gdb_bpt_instr = {0xa1},
596 #ifdef CONFIG_SMP
597 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
598diff -urNp linux-2.6.32.9/arch/blackfin/mach-common/pm.c linux-2.6.32.9/arch/blackfin/mach-common/pm.c
599--- linux-2.6.32.9/arch/blackfin/mach-common/pm.c 2010-02-09 07:57:19.000000000 -0500
600+++ linux-2.6.32.9/arch/blackfin/mach-common/pm.c 2010-02-23 17:09:53.071672140 -0500
601@@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
602 return 0;
603 }
604
605-struct platform_suspend_ops bfin_pm_ops = {
606+const struct platform_suspend_ops bfin_pm_ops = {
607 .enter = bfin_pm_enter,
608 .valid = bfin_pm_valid,
609 };
610diff -urNp linux-2.6.32.9/arch/frv/include/asm/kmap_types.h linux-2.6.32.9/arch/frv/include/asm/kmap_types.h
611--- linux-2.6.32.9/arch/frv/include/asm/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
612+++ linux-2.6.32.9/arch/frv/include/asm/kmap_types.h 2010-02-23 17:09:53.071672140 -0500
613@@ -23,6 +23,7 @@ enum km_type {
614 KM_IRQ1,
615 KM_SOFTIRQ0,
616 KM_SOFTIRQ1,
617+ KM_CLEARPAGE,
618 KM_TYPE_NR
619 };
620
621diff -urNp linux-2.6.32.9/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.9/arch/ia64/hp/common/hwsw_iommu.c
622--- linux-2.6.32.9/arch/ia64/hp/common/hwsw_iommu.c 2010-02-09 07:57:19.000000000 -0500
623+++ linux-2.6.32.9/arch/ia64/hp/common/hwsw_iommu.c 2010-02-23 17:09:53.071672140 -0500
624@@ -17,7 +17,7 @@
625 #include <linux/swiotlb.h>
626 #include <asm/machvec.h>
627
628-extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
629+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
630
631 /* swiotlb declarations & definitions: */
632 extern int swiotlb_late_init_with_default_size (size_t size);
633@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
634 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
635 }
636
637-struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
638+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
639 {
640 if (use_swiotlb(dev))
641 return &swiotlb_dma_ops;
642diff -urNp linux-2.6.32.9/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.9/arch/ia64/hp/common/sba_iommu.c
643--- linux-2.6.32.9/arch/ia64/hp/common/sba_iommu.c 2010-02-09 07:57:19.000000000 -0500
644+++ linux-2.6.32.9/arch/ia64/hp/common/sba_iommu.c 2010-02-23 17:09:53.075664142 -0500
645@@ -2077,7 +2077,7 @@ static struct acpi_driver acpi_sba_ioc_d
646 },
647 };
648
649-extern struct dma_map_ops swiotlb_dma_ops;
650+extern const struct dma_map_ops swiotlb_dma_ops;
651
652 static int __init
653 sba_init(void)
654@@ -2191,7 +2191,7 @@ sba_page_override(char *str)
655
656 __setup("sbapagesize=",sba_page_override);
657
658-struct dma_map_ops sba_dma_ops = {
659+const struct dma_map_ops sba_dma_ops = {
660 .alloc_coherent = sba_alloc_coherent,
661 .free_coherent = sba_free_coherent,
662 .map_page = sba_map_page,
663diff -urNp linux-2.6.32.9/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.9/arch/ia64/ia32/binfmt_elf32.c
664--- linux-2.6.32.9/arch/ia64/ia32/binfmt_elf32.c 2010-02-09 07:57:19.000000000 -0500
665+++ linux-2.6.32.9/arch/ia64/ia32/binfmt_elf32.c 2010-02-23 17:09:53.075664142 -0500
666@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
667
668 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
669
670+#ifdef CONFIG_PAX_ASLR
671+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
672+
673+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
674+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
675+#endif
676+
677 /* Ugly but avoids duplication */
678 #include "../../../fs/binfmt_elf.c"
679
680diff -urNp linux-2.6.32.9/arch/ia64/ia32/ia32priv.h linux-2.6.32.9/arch/ia64/ia32/ia32priv.h
681--- linux-2.6.32.9/arch/ia64/ia32/ia32priv.h 2010-02-09 07:57:19.000000000 -0500
682+++ linux-2.6.32.9/arch/ia64/ia32/ia32priv.h 2010-02-23 17:09:53.075664142 -0500
683@@ -296,7 +296,14 @@ typedef struct compat_siginfo {
684 #define ELF_DATA ELFDATA2LSB
685 #define ELF_ARCH EM_386
686
687-#define IA32_STACK_TOP IA32_PAGE_OFFSET
688+#ifdef CONFIG_PAX_RANDUSTACK
689+#define __IA32_DELTA_STACK (current->mm->delta_stack)
690+#else
691+#define __IA32_DELTA_STACK 0UL
692+#endif
693+
694+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
695+
696 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
697 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
698
699diff -urNp linux-2.6.32.9/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.9/arch/ia64/include/asm/dma-mapping.h
700--- linux-2.6.32.9/arch/ia64/include/asm/dma-mapping.h 2010-02-09 07:57:19.000000000 -0500
701+++ linux-2.6.32.9/arch/ia64/include/asm/dma-mapping.h 2010-02-23 17:09:53.075664142 -0500
702@@ -12,7 +12,7 @@
703
704 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
705
706-extern struct dma_map_ops *dma_ops;
707+extern const struct dma_map_ops *dma_ops;
708 extern struct ia64_machine_vector ia64_mv;
709 extern void set_iommu_machvec(void);
710
711@@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
712 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
713 dma_addr_t *daddr, gfp_t gfp)
714 {
715- struct dma_map_ops *ops = platform_dma_get_ops(dev);
716+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
717 void *caddr;
718
719 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
720@@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
721 static inline void dma_free_coherent(struct device *dev, size_t size,
722 void *caddr, dma_addr_t daddr)
723 {
724- struct dma_map_ops *ops = platform_dma_get_ops(dev);
725+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
726 debug_dma_free_coherent(dev, size, caddr, daddr);
727 ops->free_coherent(dev, size, caddr, daddr);
728 }
729@@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
730
731 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
732 {
733- struct dma_map_ops *ops = platform_dma_get_ops(dev);
734+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
735 return ops->mapping_error(dev, daddr);
736 }
737
738 static inline int dma_supported(struct device *dev, u64 mask)
739 {
740- struct dma_map_ops *ops = platform_dma_get_ops(dev);
741+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
742 return ops->dma_supported(dev, mask);
743 }
744
745diff -urNp linux-2.6.32.9/arch/ia64/include/asm/elf.h linux-2.6.32.9/arch/ia64/include/asm/elf.h
746--- linux-2.6.32.9/arch/ia64/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
747+++ linux-2.6.32.9/arch/ia64/include/asm/elf.h 2010-02-23 17:09:53.075664142 -0500
748@@ -43,6 +43,13 @@
749 */
750 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
751
752+#ifdef CONFIG_PAX_ASLR
753+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
754+
755+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
756+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
757+#endif
758+
759 #define PT_IA_64_UNWIND 0x70000001
760
761 /* IA-64 relocations: */
762diff -urNp linux-2.6.32.9/arch/ia64/include/asm/machvec.h linux-2.6.32.9/arch/ia64/include/asm/machvec.h
763--- linux-2.6.32.9/arch/ia64/include/asm/machvec.h 2010-02-09 07:57:19.000000000 -0500
764+++ linux-2.6.32.9/arch/ia64/include/asm/machvec.h 2010-02-23 17:09:53.075664142 -0500
765@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
766 /* DMA-mapping interface: */
767 typedef void ia64_mv_dma_init (void);
768 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
769-typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
770+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
771
772 /*
773 * WARNING: The legacy I/O space is _architected_. Platforms are
774@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
775 # endif /* CONFIG_IA64_GENERIC */
776
777 extern void swiotlb_dma_init(void);
778-extern struct dma_map_ops *dma_get_ops(struct device *);
779+extern const struct dma_map_ops *dma_get_ops(struct device *);
780
781 /*
782 * Define default versions so we can extend machvec for new platforms without having
783diff -urNp linux-2.6.32.9/arch/ia64/include/asm/pgtable.h linux-2.6.32.9/arch/ia64/include/asm/pgtable.h
784--- linux-2.6.32.9/arch/ia64/include/asm/pgtable.h 2010-02-09 07:57:19.000000000 -0500
785+++ linux-2.6.32.9/arch/ia64/include/asm/pgtable.h 2010-02-23 17:09:53.075664142 -0500
786@@ -143,6 +143,17 @@
787 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
788 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
789 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
790+
791+#ifdef CONFIG_PAX_PAGEEXEC
792+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
793+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
794+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
795+#else
796+# define PAGE_SHARED_NOEXEC PAGE_SHARED
797+# define PAGE_READONLY_NOEXEC PAGE_READONLY
798+# define PAGE_COPY_NOEXEC PAGE_COPY
799+#endif
800+
801 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
802 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
803 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
804diff -urNp linux-2.6.32.9/arch/ia64/include/asm/uaccess.h linux-2.6.32.9/arch/ia64/include/asm/uaccess.h
805--- linux-2.6.32.9/arch/ia64/include/asm/uaccess.h 2010-02-09 07:57:19.000000000 -0500
806+++ linux-2.6.32.9/arch/ia64/include/asm/uaccess.h 2010-02-23 17:09:53.075664142 -0500
807@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
808 const void *__cu_from = (from); \
809 long __cu_len = (n); \
810 \
811- if (__access_ok(__cu_to, __cu_len, get_fs())) \
812+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
813 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
814 __cu_len; \
815 })
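Review bot: The new length guard `__cu_len > 0 && __cu_len <= INT_MAX` is undocumented, here and in the matching line of the next hunk. When it rejects a length the macro still evaluates to the unchanged `__cu_len`, so a negative `n` comes back as a negative "bytes not copied" value. A caller that only tests for non-zero is fine, but one that subtracts the result from its length is not. I would add a comment above the `if`, for example `/* refuse zero, negative and >INT_MAX lengths before touching user memory; result is then the full, uncopied length */`. The macro bodies start outside both hunks.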
816@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
817 long __cu_len = (n); \
818 \
819 __chk_user_ptr(__cu_from); \
820- if (__access_ok(__cu_from, __cu_len, get_fs())) \
821+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
822 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
823 __cu_len; \
824 })
825diff -urNp linux-2.6.32.9/arch/ia64/kernel/dma-mapping.c linux-2.6.32.9/arch/ia64/kernel/dma-mapping.c
826--- linux-2.6.32.9/arch/ia64/kernel/dma-mapping.c 2010-02-09 07:57:19.000000000 -0500
827+++ linux-2.6.32.9/arch/ia64/kernel/dma-mapping.c 2010-02-23 17:09:53.075664142 -0500
828@@ -3,7 +3,7 @@
829 /* Set this to 1 if there is a HW IOMMU in the system */
830 int iommu_detected __read_mostly;
831
832-struct dma_map_ops *dma_ops;
833+const struct dma_map_ops *dma_ops;
834 EXPORT_SYMBOL(dma_ops);
835
836 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
837@@ -16,7 +16,7 @@ static int __init dma_init(void)
838 }
839 fs_initcall(dma_init);
840
841-struct dma_map_ops *dma_get_ops(struct device *dev)
842+const struct dma_map_ops *dma_get_ops(struct device *dev)
843 {
844 return dma_ops;
845 }
846diff -urNp linux-2.6.32.9/arch/ia64/kernel/module.c linux-2.6.32.9/arch/ia64/kernel/module.c
847--- linux-2.6.32.9/arch/ia64/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
848+++ linux-2.6.32.9/arch/ia64/kernel/module.c 2010-02-23 17:09:53.075664142 -0500
849@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
850 void
851 module_free (struct module *mod, void *module_region)
852 {
853- if (mod && mod->arch.init_unw_table &&
854- module_region == mod->module_init) {
855+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
856 unw_remove_unwind_table(mod->arch.init_unw_table);
857 mod->arch.init_unw_table = NULL;
858 }
859@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
860 }
861
862 static inline int
863+in_init_rx (const struct module *mod, uint64_t addr)
864+{
865+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
866+}
867+
868+static inline int
869+in_init_rw (const struct module *mod, uint64_t addr)
870+{
871+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
872+}
873+
874+static inline int
875 in_init (const struct module *mod, uint64_t addr)
876 {
877- return addr - (uint64_t) mod->module_init < mod->init_size;
878+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
879+}
880+
881+static inline int
882+in_core_rx (const struct module *mod, uint64_t addr)
883+{
884+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
885+}
886+
887+static inline int
888+in_core_rw (const struct module *mod, uint64_t addr)
889+{
890+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
891 }
892
893 static inline int
894 in_core (const struct module *mod, uint64_t addr)
895 {
896- return addr - (uint64_t) mod->module_core < mod->core_size;
897+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
898 }
899
900 static inline int
901@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
902 break;
903
904 case RV_BDREL:
905- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
906+ if (in_init_rx(mod, val))
907+ val -= (uint64_t) mod->module_init_rx;
908+ else if (in_init_rw(mod, val))
909+ val -= (uint64_t) mod->module_init_rw;
910+ else if (in_core_rx(mod, val))
911+ val -= (uint64_t) mod->module_core_rx;
912+ else if (in_core_rw(mod, val))
913+ val -= (uint64_t) mod->module_core_rw;
914 break;
915
916 case RV_LTV:
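Review bot: The `RV_BDREL` case has no final `else`, so a `val` that lies in none of the four regions is left unadjusted and the relocation continues silently. The removed line always subtracted a base, falling back to `module_core`. I would end the chain with an explicit failure, for example `else { printk(KERN_ERR "%s: RV_BDREL target outside module\n", mod->name); return -ENOEXEC; }`. That assumes `do_reloc` reports errors by return value, which is not visible because its body lies outside this hunk.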
917@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
918 * addresses have been selected...
919 */
920 uint64_t gp;
921- if (mod->core_size > MAX_LTOFF)
922+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
923 /*
924 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
925 * at the end of the module.
926 */
927- gp = mod->core_size - MAX_LTOFF / 2;
928+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
929 else
930- gp = mod->core_size / 2;
931- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
932+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
933+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
934 mod->arch.gp = gp;
935 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
936 }
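Review bot: `gp` is still formed as `module_core_rx` plus an offset, but the offset is now derived from `core_size_rx + core_size_rw`. That address lands inside the module only if the rw region starts directly after the rx region, and nothing in this hunk establishes that layout. The kept comment about `SHF_ARCH_SMALL` being "at the end of the module" also no longer says which region it means. I would either state the contiguity assumption in the comment or check it, for example `BUG_ON(mod->module_core_rw != mod->module_core_rx + mod->core_size_rx);`.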
937diff -urNp linux-2.6.32.9/arch/ia64/kernel/pci-dma.c linux-2.6.32.9/arch/ia64/kernel/pci-dma.c
938--- linux-2.6.32.9/arch/ia64/kernel/pci-dma.c 2010-02-09 07:57:19.000000000 -0500
939+++ linux-2.6.32.9/arch/ia64/kernel/pci-dma.c 2010-02-23 17:09:53.075664142 -0500
940@@ -43,7 +43,7 @@ struct device fallback_dev = {
941 .dma_mask = &fallback_dev.coherent_dma_mask,
942 };
943
944-extern struct dma_map_ops intel_dma_ops;
945+extern const struct dma_map_ops intel_dma_ops;
946
947 static int __init pci_iommu_init(void)
948 {
949diff -urNp linux-2.6.32.9/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.9/arch/ia64/kernel/pci-swiotlb.c
950--- linux-2.6.32.9/arch/ia64/kernel/pci-swiotlb.c 2010-02-09 07:57:19.000000000 -0500
951+++ linux-2.6.32.9/arch/ia64/kernel/pci-swiotlb.c 2010-02-23 17:09:53.075664142 -0500
952@@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
953 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
954 }
955
956-struct dma_map_ops swiotlb_dma_ops = {
957+const struct dma_map_ops swiotlb_dma_ops = {
958 .alloc_coherent = ia64_swiotlb_alloc_coherent,
959 .free_coherent = swiotlb_free_coherent,
960 .map_page = swiotlb_map_page,
961diff -urNp linux-2.6.32.9/arch/ia64/kernel/sys_ia64.c linux-2.6.32.9/arch/ia64/kernel/sys_ia64.c
962--- linux-2.6.32.9/arch/ia64/kernel/sys_ia64.c 2010-02-09 07:57:19.000000000 -0500
963+++ linux-2.6.32.9/arch/ia64/kernel/sys_ia64.c 2010-02-23 17:09:53.075664142 -0500
964@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
965 if (REGION_NUMBER(addr) == RGN_HPAGE)
966 addr = 0;
967 #endif
968+
969+#ifdef CONFIG_PAX_RANDMMAP
970+ if (mm->pax_flags & MF_PAX_RANDMMAP)
971+ addr = mm->free_area_cache;
972+ else
973+#endif
974+
975 if (!addr)
976 addr = mm->free_area_cache;
977
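Review bot: The added block ends in a bare `else` just before `#endif`, and that `else` binds to the `if (!addr)` statement after the blank line. The control flow of `arch_get_unmapped_area` therefore changes shape depending on `CONFIG_PAX_RANDMMAP`, which is easy to break when someone inserts a statement in between. The mips `syscall.c` hunk further down has the same pattern, with a bare `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` guarding the following `if (addr) {`. At minimum I would add `/* the else/if above deliberately governs the next statement */` at each site. A single condition such as `if ((mm->pax_flags & MF_PAX_RANDMMAP) || !addr)` inside the `#ifdef` would read better here.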
978@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
979 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
980 /* At this point: (!vma || addr < vma->vm_end). */
981 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
982- if (start_addr != TASK_UNMAPPED_BASE) {
983+ if (start_addr != mm->mmap_base) {
984 /* Start a new search --- just in case we missed some holes. */
985- addr = TASK_UNMAPPED_BASE;
986+ addr = mm->mmap_base;
987 goto full_search;
988 }
989 return -ENOMEM;
990diff -urNp linux-2.6.32.9/arch/ia64/kernel/topology.c linux-2.6.32.9/arch/ia64/kernel/topology.c
991--- linux-2.6.32.9/arch/ia64/kernel/topology.c 2010-02-09 07:57:19.000000000 -0500
992+++ linux-2.6.32.9/arch/ia64/kernel/topology.c 2010-02-23 17:09:53.075664142 -0500
993@@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
994 return ret;
995 }
996
997-static struct sysfs_ops cache_sysfs_ops = {
998+static const struct sysfs_ops cache_sysfs_ops = {
999 .show = cache_show
1000 };
1001
1002diff -urNp linux-2.6.32.9/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.9/arch/ia64/kernel/vmlinux.lds.S
1003--- linux-2.6.32.9/arch/ia64/kernel/vmlinux.lds.S 2010-02-09 07:57:19.000000000 -0500
1004+++ linux-2.6.32.9/arch/ia64/kernel/vmlinux.lds.S 2010-02-23 17:09:53.075664142 -0500
1005@@ -190,7 +190,7 @@ SECTIONS
1006 /* Per-cpu data: */
1007 . = ALIGN(PERCPU_PAGE_SIZE);
1008 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1009- __phys_per_cpu_start = __per_cpu_load;
1010+ __phys_per_cpu_start = per_cpu_load;
1011 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1012 * into percpu page size
1013 */
1014diff -urNp linux-2.6.32.9/arch/ia64/mm/fault.c linux-2.6.32.9/arch/ia64/mm/fault.c
1015--- linux-2.6.32.9/arch/ia64/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
1016+++ linux-2.6.32.9/arch/ia64/mm/fault.c 2010-02-23 17:09:53.075664142 -0500
1017@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1018 return pte_present(pte);
1019 }
1020
1021+#ifdef CONFIG_PAX_PAGEEXEC
1022+void pax_report_insns(void *pc, void *sp)
1023+{
1024+ unsigned long i;
1025+
1026+ printk(KERN_ERR "PAX: bytes at PC: ");
1027+ for (i = 0; i < 8; i++) {
1028+ unsigned int c;
1029+ if (get_user(c, (unsigned int *)pc+i))
1030+ printk(KERN_CONT "???????? ");
1031+ else
1032+ printk(KERN_CONT "%08x ", c);
1033+ }
1034+ printk("\n");
1035+}
1036+#endif
1037+
1038 void __kprobes
1039 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1040 {
1041@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1042 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1043 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1044
1045- if ((vma->vm_flags & mask) != mask)
1046+ if ((vma->vm_flags & mask) != mask) {
1047+
1048+#ifdef CONFIG_PAX_PAGEEXEC
1049+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1050+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1051+ goto bad_area;
1052+
1053+ up_read(&mm->mmap_sem);
1054+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1055+ do_group_exit(SIGKILL);
1056+ }
1057+#endif
1058+
1059 goto bad_area;
1060
1061+ }
1062+
1063 survive:
1064 /*
1065 * If for any reason at all we couldn't handle the fault, make
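Review bot: After `up_read(&mm->mmap_sem)` the new branch relies on `do_group_exit(SIGKILL)` never returning, and that is not stated anywhere. If it did return, control would leave the inner `if` and reach `goto bad_area` with the semaphore already released. What `bad_area` does with the lock is outside this hunk. I would add a comment after the call, for example `/* not reached: do_group_exit() does not return, mmap_sem is already dropped */`.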
1066diff -urNp linux-2.6.32.9/arch/ia64/mm/init.c linux-2.6.32.9/arch/ia64/mm/init.c
1067--- linux-2.6.32.9/arch/ia64/mm/init.c 2010-02-09 07:57:19.000000000 -0500
1068+++ linux-2.6.32.9/arch/ia64/mm/init.c 2010-02-23 17:09:53.075664142 -0500
1069@@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1070 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1071 vma->vm_end = vma->vm_start + PAGE_SIZE;
1072 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1073+
1074+#ifdef CONFIG_PAX_PAGEEXEC
1075+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1076+ vma->vm_flags &= ~VM_EXEC;
1077+
1078+#ifdef CONFIG_PAX_MPROTECT
1079+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1080+ vma->vm_flags &= ~VM_MAYEXEC;
1081+#endif
1082+
1083+ }
1084+#endif
1085+
1086 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1087 down_write(&current->mm->mmap_sem);
1088 if (insert_vm_struct(current->mm, vma)) {
1089diff -urNp linux-2.6.32.9/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.9/arch/ia64/sn/pci/pci_dma.c
1090--- linux-2.6.32.9/arch/ia64/sn/pci/pci_dma.c 2010-02-09 07:57:19.000000000 -0500
1091+++ linux-2.6.32.9/arch/ia64/sn/pci/pci_dma.c 2010-02-23 17:09:53.075664142 -0500
1092@@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1093 return ret;
1094 }
1095
1096-static struct dma_map_ops sn_dma_ops = {
1097+static const struct dma_map_ops sn_dma_ops = {
1098 .alloc_coherent = sn_dma_alloc_coherent,
1099 .free_coherent = sn_dma_free_coherent,
1100 .map_page = sn_dma_map_page,
1101diff -urNp linux-2.6.32.9/arch/m32r/lib/usercopy.c linux-2.6.32.9/arch/m32r/lib/usercopy.c
1102--- linux-2.6.32.9/arch/m32r/lib/usercopy.c 2010-02-09 07:57:19.000000000 -0500
1103+++ linux-2.6.32.9/arch/m32r/lib/usercopy.c 2010-02-23 17:09:53.075664142 -0500
1104@@ -14,6 +14,9 @@
1105 unsigned long
1106 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1107 {
1108+ if ((long)n < 0)
1109+ return n;
1110+
1111 prefetch(from);
1112 if (access_ok(VERIFY_WRITE, to, n))
1113 __copy_user(to,from,n);
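Review bot: The early `return n` for `(long)n < 0` is uncommented in both this hunk and the next one. In the next hunk it also leaves `to` untouched, whereas the normal path goes through `__copy_user_zeroing`. A caller that ignores the return value would then read whatever was in its buffer. I would document the contract at both sites, for example `/* length with the sign bit set: refuse it; nothing is copied and the destination is not cleared */`. Both function bodies continue outside their hunks.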
1114@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1115 unsigned long
1116 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1117 {
1118+ if ((long)n < 0)
1119+ return n;
1120+
1121 prefetchw(to);
1122 if (access_ok(VERIFY_READ, from, n))
1123 __copy_user_zeroing(to,from,n);
1124diff -urNp linux-2.6.32.9/arch/mips/alchemy/devboards/pm.c linux-2.6.32.9/arch/mips/alchemy/devboards/pm.c
1125--- linux-2.6.32.9/arch/mips/alchemy/devboards/pm.c 2010-02-09 07:57:19.000000000 -0500
1126+++ linux-2.6.32.9/arch/mips/alchemy/devboards/pm.c 2010-02-23 17:09:53.075664142 -0500
1127@@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1128
1129 }
1130
1131-static struct platform_suspend_ops db1x_pm_ops = {
1132+static const struct platform_suspend_ops db1x_pm_ops = {
1133 .valid = suspend_valid_only_mem,
1134 .begin = db1x_pm_begin,
1135 .enter = db1x_pm_enter,
1136diff -urNp linux-2.6.32.9/arch/mips/include/asm/elf.h linux-2.6.32.9/arch/mips/include/asm/elf.h
1137--- linux-2.6.32.9/arch/mips/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
1138+++ linux-2.6.32.9/arch/mips/include/asm/elf.h 2010-02-23 17:09:53.075664142 -0500
1139@@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1140 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1141 #endif
1142
1143+#ifdef CONFIG_PAX_ASLR
1144+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1145+
1146+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1147+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1148+#endif
1149+
1150 #endif /* _ASM_ELF_H */
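Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test is dead code. It also leaves a reader wondering whether a different 64-bit base was intended. The same line is repeated in the `binfmt_elfn32.c` and `binfmt_elfo32.c` hunks below. If one base is intended, I would write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`; if the 64-bit value is a placeholder, a comment should say so.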
1151diff -urNp linux-2.6.32.9/arch/mips/include/asm/page.h linux-2.6.32.9/arch/mips/include/asm/page.h
1152--- linux-2.6.32.9/arch/mips/include/asm/page.h 2010-02-09 07:57:19.000000000 -0500
1153+++ linux-2.6.32.9/arch/mips/include/asm/page.h 2010-02-23 17:09:53.075664142 -0500
1154@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1155 #ifdef CONFIG_CPU_MIPS32
1156 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1157 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1158- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1159+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1160 #else
1161 typedef struct { unsigned long long pte; } pte_t;
1162 #define pte_val(x) ((x).pte)
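Review bot: The new `__pte(x)` shifts `(x) >> 32` without widening first. If any caller passes a 32-bit value, the shift count equals the operand width and the behaviour is undefined in C. The removed `(unsigned long long)` cast prevented that. Whether such callers exist is outside this hunk, so I would either keep the widening, `{(x), ((unsigned long long)(x)) >> 32}`, or add a comment stating that dropping it is meant to make narrow arguments visible at compile time.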
1163diff -urNp linux-2.6.32.9/arch/mips/include/asm/system.h linux-2.6.32.9/arch/mips/include/asm/system.h
1164--- linux-2.6.32.9/arch/mips/include/asm/system.h 2010-02-09 07:57:19.000000000 -0500
1165+++ linux-2.6.32.9/arch/mips/include/asm/system.h 2010-02-23 17:09:53.075664142 -0500
1166@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1167 */
1168 #define __ARCH_WANT_UNLOCKED_CTXSW
1169
1170-extern unsigned long arch_align_stack(unsigned long sp);
1171+#define arch_align_stack(x) ((x) & ALMASK)
1172
1173 #endif /* _ASM_SYSTEM_H */
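Review bot: The macro `arch_align_stack(x) ((x) & ALMASK)` is unconditional, so it only aligns the stack pointer. The function it replaces, removed in the `process.c` hunk below, also subtracted a random sub-page offset when `randomize_va_space` was set. On a build where the PaX stack randomisation option is off, that randomisation is presumably lost with no replacement. I would either keep the old function for that configuration or add a comment above the macro, for example `/* alignment only: stack randomisation is expected to come from CONFIG_PAX_RANDUSTACK */`.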
1174diff -urNp linux-2.6.32.9/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.9/arch/mips/kernel/binfmt_elfn32.c
1175--- linux-2.6.32.9/arch/mips/kernel/binfmt_elfn32.c 2010-02-09 07:57:19.000000000 -0500
1176+++ linux-2.6.32.9/arch/mips/kernel/binfmt_elfn32.c 2010-02-23 17:09:53.075664142 -0500
1177@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1178 #undef ELF_ET_DYN_BASE
1179 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1180
1181+#ifdef CONFIG_PAX_ASLR
1182+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1183+
1184+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1185+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1186+#endif
1187+
1188 #include <asm/processor.h>
1189 #include <linux/module.h>
1190 #include <linux/elfcore.h>
1191diff -urNp linux-2.6.32.9/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.9/arch/mips/kernel/binfmt_elfo32.c
1192--- linux-2.6.32.9/arch/mips/kernel/binfmt_elfo32.c 2010-02-09 07:57:19.000000000 -0500
1193+++ linux-2.6.32.9/arch/mips/kernel/binfmt_elfo32.c 2010-02-23 17:09:53.075664142 -0500
1194@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1195 #undef ELF_ET_DYN_BASE
1196 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1197
1198+#ifdef CONFIG_PAX_ASLR
1199+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1200+
1201+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1202+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1203+#endif
1204+
1205 #include <asm/processor.h>
1206
1207 /*
1208diff -urNp linux-2.6.32.9/arch/mips/kernel/kgdb.c linux-2.6.32.9/arch/mips/kernel/kgdb.c
1209--- linux-2.6.32.9/arch/mips/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
1210+++ linux-2.6.32.9/arch/mips/kernel/kgdb.c 2010-02-23 17:09:53.079699812 -0500
1211@@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1212 return -1;
1213 }
1214
1215+/* cannot be const */
1216 struct kgdb_arch arch_kgdb_ops;
1217
1218 /*
1219diff -urNp linux-2.6.32.9/arch/mips/kernel/process.c linux-2.6.32.9/arch/mips/kernel/process.c
1220--- linux-2.6.32.9/arch/mips/kernel/process.c 2010-02-09 07:57:19.000000000 -0500
1221+++ linux-2.6.32.9/arch/mips/kernel/process.c 2010-02-23 17:09:53.079699812 -0500
1222@@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1223 out:
1224 return pc;
1225 }
1226-
1227-/*
1228- * Don't forget that the stack pointer must be aligned on a 8 bytes
1229- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1230- */
1231-unsigned long arch_align_stack(unsigned long sp)
1232-{
1233- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1234- sp -= get_random_int() & ~PAGE_MASK;
1235-
1236- return sp & ALMASK;
1237-}
1238diff -urNp linux-2.6.32.9/arch/mips/kernel/syscall.c linux-2.6.32.9/arch/mips/kernel/syscall.c
1239--- linux-2.6.32.9/arch/mips/kernel/syscall.c 2010-02-09 07:57:19.000000000 -0500
1240+++ linux-2.6.32.9/arch/mips/kernel/syscall.c 2010-02-23 17:09:53.079699812 -0500
1241@@ -102,6 +102,11 @@ unsigned long arch_get_unmapped_area(str
1242 do_color_align = 0;
1243 if (filp || (flags & MAP_SHARED))
1244 do_color_align = 1;
1245+
1246+#ifdef CONFIG_PAX_RANDMMAP
1247+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1248+#endif
1249+
1250 if (addr) {
1251 if (do_color_align)
1252 addr = COLOUR_ALIGN(addr, pgoff);
1253@@ -112,7 +117,7 @@ unsigned long arch_get_unmapped_area(str
1254 (!vmm || addr + len <= vmm->vm_start))
1255 return addr;
1256 }
1257- addr = TASK_UNMAPPED_BASE;
1258+ addr = current->mm->mmap_base;
1259 if (do_color_align)
1260 addr = COLOUR_ALIGN(addr, pgoff);
1261 else
1262diff -urNp linux-2.6.32.9/arch/mips/mm/fault.c linux-2.6.32.9/arch/mips/mm/fault.c
1263--- linux-2.6.32.9/arch/mips/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
1264+++ linux-2.6.32.9/arch/mips/mm/fault.c 2010-02-23 17:09:53.079699812 -0500
1265@@ -26,6 +26,23 @@
1266 #include <asm/ptrace.h>
1267 #include <asm/highmem.h> /* For VMALLOC_END */
1268
1269+#ifdef CONFIG_PAX_PAGEEXEC
1270+void pax_report_insns(void *pc)
1271+{
1272+ unsigned long i;
1273+
1274+ printk(KERN_ERR "PAX: bytes at PC: ");
1275+ for (i = 0; i < 5; i++) {
1276+ unsigned int c;
1277+ if (get_user(c, (unsigned int *)pc+i))
1278+ printk(KERN_CONT "???????? ");
1279+ else
1280+ printk(KERN_CONT "%08x ", c);
1281+ }
1282+ printk("\n");
1283+}
1284+#endif
1285+
1286 /*
1287 * This routine handles page faults. It determines the address,
1288 * and the problem, and then passes it off to one of the appropriate
1289diff -urNp linux-2.6.32.9/arch/parisc/include/asm/elf.h linux-2.6.32.9/arch/parisc/include/asm/elf.h
1290--- linux-2.6.32.9/arch/parisc/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
1291+++ linux-2.6.32.9/arch/parisc/include/asm/elf.h 2010-02-23 17:09:53.079699812 -0500
1292@@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1293
1294 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1295
1296+#ifdef CONFIG_PAX_ASLR
1297+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1298+
1299+#define PAX_DELTA_MMAP_LEN 16
1300+#define PAX_DELTA_STACK_LEN 16
1301+#endif
1302+
1303 /* This yields a mask that user programs can use to figure out what
1304 instruction set this CPU supports. This could be done in user space,
1305 but it's not easy, and we've already done it here. */
1306diff -urNp linux-2.6.32.9/arch/parisc/include/asm/pgtable.h linux-2.6.32.9/arch/parisc/include/asm/pgtable.h
1307--- linux-2.6.32.9/arch/parisc/include/asm/pgtable.h 2010-02-09 07:57:19.000000000 -0500
1308+++ linux-2.6.32.9/arch/parisc/include/asm/pgtable.h 2010-02-23 17:09:53.079699812 -0500
1309@@ -207,6 +207,17 @@
1310 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1311 #define PAGE_COPY PAGE_EXECREAD
1312 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1313+
1314+#ifdef CONFIG_PAX_PAGEEXEC
1315+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1316+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1317+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1318+#else
1319+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1320+# define PAGE_COPY_NOEXEC PAGE_COPY
1321+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1322+#endif
1323+
1324 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1325 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1326 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1327diff -urNp linux-2.6.32.9/arch/parisc/kernel/module.c linux-2.6.32.9/arch/parisc/kernel/module.c
1328--- linux-2.6.32.9/arch/parisc/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
1329+++ linux-2.6.32.9/arch/parisc/kernel/module.c 2010-02-23 17:09:53.079699812 -0500
1330@@ -95,16 +95,38 @@
1331
1332 /* three functions to determine where in the module core
1333 * or init pieces the location is */
1334+static inline int in_init_rx(struct module *me, void *loc)
1335+{
1336+ return (loc >= me->module_init_rx &&
1337+ loc < (me->module_init_rx + me->init_size_rx));
1338+}
1339+
1340+static inline int in_init_rw(struct module *me, void *loc)
1341+{
1342+ return (loc >= me->module_init_rw &&
1343+ loc < (me->module_init_rw + me->init_size_rw));
1344+}
1345+
1346 static inline int in_init(struct module *me, void *loc)
1347 {
1348- return (loc >= me->module_init &&
1349- loc <= (me->module_init + me->init_size));
1350+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1351+}
1352+
1353+static inline int in_core_rx(struct module *me, void *loc)
1354+{
1355+ return (loc >= me->module_core_rx &&
1356+ loc < (me->module_core_rx + me->core_size_rx));
1357+}
1358+
1359+static inline int in_core_rw(struct module *me, void *loc)
1360+{
1361+ return (loc >= me->module_core_rw &&
1362+ loc < (me->module_core_rw + me->core_size_rw));
1363 }
1364
1365 static inline int in_core(struct module *me, void *loc)
1366 {
1367- return (loc >= me->module_core &&
1368- loc <= (me->module_core + me->core_size));
1369+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1370 }
1371
1372 static inline int in_local(struct module *me, void *loc)
1373@@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1374 }
1375
1376 /* align things a bit */
1377- me->core_size = ALIGN(me->core_size, 16);
1378- me->arch.got_offset = me->core_size;
1379- me->core_size += gots * sizeof(struct got_entry);
1380-
1381- me->core_size = ALIGN(me->core_size, 16);
1382- me->arch.fdesc_offset = me->core_size;
1383- me->core_size += fdescs * sizeof(Elf_Fdesc);
1384+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1385+ me->arch.got_offset = me->core_size_rw;
1386+ me->core_size_rw += gots * sizeof(struct got_entry);
1387+
1388+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1389+ me->arch.fdesc_offset = me->core_size_rw;
1390+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1391
1392 me->arch.got_max = gots;
1393 me->arch.fdesc_max = fdescs;
1394@@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1395
1396 BUG_ON(value == 0);
1397
1398- got = me->module_core + me->arch.got_offset;
1399+ got = me->module_core_rw + me->arch.got_offset;
1400 for (i = 0; got[i].addr; i++)
1401 if (got[i].addr == value)
1402 goto out;
1403@@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1404 #ifdef CONFIG_64BIT
1405 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1406 {
1407- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1408+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1409
1410 if (!value) {
1411 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1412@@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1413
1414 /* Create new one */
1415 fdesc->addr = value;
1416- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1417+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1418 return (Elf_Addr)fdesc;
1419 }
1420 #endif /* CONFIG_64BIT */
1421@@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1422
1423 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1424 end = table + sechdrs[me->arch.unwind_section].sh_size;
1425- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1426+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1427
1428 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1429 me->arch.unwind_section, table, end, gp);
1430diff -urNp linux-2.6.32.9/arch/parisc/kernel/sys_parisc.c linux-2.6.32.9/arch/parisc/kernel/sys_parisc.c
1431--- linux-2.6.32.9/arch/parisc/kernel/sys_parisc.c 2010-02-09 07:57:19.000000000 -0500
1432+++ linux-2.6.32.9/arch/parisc/kernel/sys_parisc.c 2010-02-23 17:09:53.079699812 -0500
1433@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1434 if (flags & MAP_FIXED)
1435 return addr;
1436 if (!addr)
1437- addr = TASK_UNMAPPED_BASE;
1438+ addr = current->mm->mmap_base;
1439
1440 if (filp) {
1441 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1442diff -urNp linux-2.6.32.9/arch/parisc/kernel/traps.c linux-2.6.32.9/arch/parisc/kernel/traps.c
1443--- linux-2.6.32.9/arch/parisc/kernel/traps.c 2010-02-09 07:57:19.000000000 -0500
1444+++ linux-2.6.32.9/arch/parisc/kernel/traps.c 2010-02-23 17:09:53.079699812 -0500
1445@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1446
1447 down_read(&current->mm->mmap_sem);
1448 vma = find_vma(current->mm,regs->iaoq[0]);
1449- if (vma && (regs->iaoq[0] >= vma->vm_start)
1450- && (vma->vm_flags & VM_EXEC)) {
1451-
1452+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1453 fault_address = regs->iaoq[0];
1454 fault_space = regs->iasq[0];
1455
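Review bot: The condition no longer tests `vma->vm_flags & VM_EXEC`, and nothing in the hunk explains why a fault address in a non-executable mapping should now take this branch. The intent is presumably to route such instruction fetches to the fault handler so they can be rejected there, but that is inferred rather than shown. I would add a comment on the `if`, for example `/* VM_EXEC deliberately not checked here: non-executable fetches are decided in the page-fault path */`. The surrounding `handle_interruption` body lies outside the hunk.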
1456diff -urNp linux-2.6.32.9/arch/parisc/mm/fault.c linux-2.6.32.9/arch/parisc/mm/fault.c
1457--- linux-2.6.32.9/arch/parisc/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
1458+++ linux-2.6.32.9/arch/parisc/mm/fault.c 2010-02-23 17:09:53.079699812 -0500
1459@@ -15,6 +15,7 @@
1460 #include <linux/sched.h>
1461 #include <linux/interrupt.h>
1462 #include <linux/module.h>
1463+#include <linux/unistd.h>
1464
1465 #include <asm/uaccess.h>
1466 #include <asm/traps.h>
1467@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1468 static unsigned long
1469 parisc_acctyp(unsigned long code, unsigned int inst)
1470 {
1471- if (code == 6 || code == 16)
1472+ if (code == 6 || code == 7 || code == 16)
1473 return VM_EXEC;
1474
1475 switch (inst & 0xf0000000) {
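Review bot: `code == 7` is added next to two other bare trap numbers in `parisc_acctyp`, with no indication of which interruption each one is. Since this test decides whether a fault is treated as an execute access, I would add a comment naming the three codes, for example `/* 6: ITLB miss, 7: instruction memory protection, 16: non-access ITLB miss */`. Those names should be checked against the PA-RISC interruption table before committing.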
1476@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1477 }
1478 #endif
1479
1480+#ifdef CONFIG_PAX_PAGEEXEC
1481+/*
1482+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1483+ *
1484+ * returns 1 when task should be killed
1485+ * 2 when rt_sigreturn trampoline was detected
1486+ * 3 when unpatched PLT trampoline was detected
1487+ */
1488+static int pax_handle_fetch_fault(struct pt_regs *regs)
1489+{
1490+
1491+#ifdef CONFIG_PAX_EMUPLT
1492+ int err;
1493+
1494+ do { /* PaX: unpatched PLT emulation */
1495+ unsigned int bl, depwi;
1496+
1497+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1498+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1499+
1500+ if (err)
1501+ break;
1502+
1503+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1504+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1505+
1506+ err = get_user(ldw, (unsigned int *)addr);
1507+ err |= get_user(bv, (unsigned int *)(addr+4));
1508+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1509+
1510+ if (err)
1511+ break;
1512+
1513+ if (ldw == 0x0E801096U &&
1514+ bv == 0xEAC0C000U &&
1515+ ldw2 == 0x0E881095U)
1516+ {
1517+ unsigned int resolver, map;
1518+
1519+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1520+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1521+ if (err)
1522+ break;
1523+
1524+ regs->gr[20] = instruction_pointer(regs)+8;
1525+ regs->gr[21] = map;
1526+ regs->gr[22] = resolver;
1527+ regs->iaoq[0] = resolver | 3UL;
1528+ regs->iaoq[1] = regs->iaoq[0] + 4;
1529+ return 3;
1530+ }
1531+ }
1532+ } while (0);
1533+#endif
1534+
1535+#ifdef CONFIG_PAX_EMUTRAMP
1536+
1537+#ifndef CONFIG_PAX_EMUSIGRT
1538+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1539+ return 1;
1540+#endif
1541+
1542+ do { /* PaX: rt_sigreturn emulation */
1543+ unsigned int ldi1, ldi2, bel, nop;
1544+
1545+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1546+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1547+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1548+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1549+
1550+ if (err)
1551+ break;
1552+
1553+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1554+ ldi2 == 0x3414015AU &&
1555+ bel == 0xE4008200U &&
1556+ nop == 0x08000240U)
1557+ {
1558+ regs->gr[25] = (ldi1 & 2) >> 1;
1559+ regs->gr[20] = __NR_rt_sigreturn;
1560+ regs->gr[31] = regs->iaoq[1] + 16;
1561+ regs->sr[0] = regs->iasq[1];
1562+ regs->iaoq[0] = 0x100UL;
1563+ regs->iaoq[1] = regs->iaoq[0] + 4;
1564+ regs->iasq[0] = regs->sr[2];
1565+ regs->iasq[1] = regs->sr[2];
1566+ return 2;
1567+ }
1568+ } while (0);
1569+#endif
1570+
1571+ return 1;
1572+}
1573+
1574+void pax_report_insns(void *pc, void *sp)
1575+{
1576+ unsigned long i;
1577+
1578+ printk(KERN_ERR "PAX: bytes at PC: ");
1579+ for (i = 0; i < 5; i++) {
1580+ unsigned int c;
1581+ if (get_user(c, (unsigned int *)pc+i))
1582+ printk(KERN_CONT "???????? ");
1583+ else
1584+ printk(KERN_CONT "%08x ", c);
1585+ }
1586+ printk("\n");
1587+}
1588+#endif
1589+
1590 int fixup_exception(struct pt_regs *regs)
1591 {
1592 const struct exception_table_entry *fix;
1593@@ -192,8 +303,33 @@ good_area:
1594
1595 acc_type = parisc_acctyp(code,regs->iir);
1596
1597- if ((vma->vm_flags & acc_type) != acc_type)
1598+ if ((vma->vm_flags & acc_type) != acc_type) {
1599+
1600+#ifdef CONFIG_PAX_PAGEEXEC
1601+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1602+ (address & ~3UL) == instruction_pointer(regs))
1603+ {
1604+ up_read(&mm->mmap_sem);
1605+ switch (pax_handle_fetch_fault(regs)) {
1606+
1607+#ifdef CONFIG_PAX_EMUPLT
1608+ case 3:
1609+ return;
1610+#endif
1611+
1612+#ifdef CONFIG_PAX_EMUTRAMP
1613+ case 2:
1614+ return;
1615+#endif
1616+
1617+ }
1618+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1619+ do_group_exit(SIGKILL);
1620+ }
1621+#endif
1622+
1623 goto bad_area;
1624+ }
1625
1626 /*
1627 * If for any reason at all we couldn't handle the fault, make
1628diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/device.h linux-2.6.32.9/arch/powerpc/include/asm/device.h
1629--- linux-2.6.32.9/arch/powerpc/include/asm/device.h 2010-02-09 07:57:19.000000000 -0500
1630+++ linux-2.6.32.9/arch/powerpc/include/asm/device.h 2010-02-23 17:09:53.079699812 -0500
1631@@ -14,7 +14,7 @@ struct dev_archdata {
1632 struct device_node *of_node;
1633
1634 /* DMA operations on that device */
1635- struct dma_map_ops *dma_ops;
1636+ const struct dma_map_ops *dma_ops;
1637
1638 /*
1639 * When an iommu is in use, dma_data is used as a ptr to the base of the
1640diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.9/arch/powerpc/include/asm/dma-mapping.h
1641--- linux-2.6.32.9/arch/powerpc/include/asm/dma-mapping.h 2010-02-09 07:57:19.000000000 -0500
1642+++ linux-2.6.32.9/arch/powerpc/include/asm/dma-mapping.h 2010-02-23 17:09:53.079699812 -0500
1643@@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
1644 #ifdef CONFIG_PPC64
1645 extern struct dma_map_ops dma_iommu_ops;
1646 #endif
1647-extern struct dma_map_ops dma_direct_ops;
1648+extern const struct dma_map_ops dma_direct_ops;
1649
1650-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1651+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1652 {
1653 /* We don't handle the NULL dev case for ISA for now. We could
1654 * do it via an out of line call but it is not needed for now. The
1655@@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
1656 return dev->archdata.dma_ops;
1657 }
1658
1659-static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1660+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1661 {
1662 dev->archdata.dma_ops = ops;
1663 }
1664@@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
1665
1666 static inline int dma_supported(struct device *dev, u64 mask)
1667 {
1668- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1669+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1670
1671 if (unlikely(dma_ops == NULL))
1672 return 0;
1673@@ -132,7 +132,7 @@ static inline int dma_supported(struct d
1674
1675 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1676 {
1677- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1678+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1679
1680 if (unlikely(dma_ops == NULL))
1681 return -EIO;
1682@@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
1683 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1684 dma_addr_t *dma_handle, gfp_t flag)
1685 {
1686- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1687+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1688 void *cpu_addr;
1689
1690 BUG_ON(!dma_ops);
1691@@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
1692 static inline void dma_free_coherent(struct device *dev, size_t size,
1693 void *cpu_addr, dma_addr_t dma_handle)
1694 {
1695- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1696+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1697
1698 BUG_ON(!dma_ops);
1699
1700@@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
1701
1702 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1703 {
1704- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1705+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1706
1707 if (dma_ops->mapping_error)
1708 return dma_ops->mapping_error(dev, dma_addr);
1709diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/elf.h linux-2.6.32.9/arch/powerpc/include/asm/elf.h
1710--- linux-2.6.32.9/arch/powerpc/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
1711+++ linux-2.6.32.9/arch/powerpc/include/asm/elf.h 2010-02-23 17:09:53.079699812 -0500
1712@@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1713 the loader. We need to make sure that it is out of the way of the program
1714 that it will "exec", and that there is sufficient room for the brk. */
1715
1716-extern unsigned long randomize_et_dyn(unsigned long base);
1717-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1718+#define ELF_ET_DYN_BASE (0x20000000)
1719+
1720+#ifdef CONFIG_PAX_ASLR
1721+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1722+
1723+#ifdef __powerpc64__
1724+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1725+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1726+#else
1727+#define PAX_DELTA_MMAP_LEN 15
1728+#define PAX_DELTA_STACK_LEN 15
1729+#endif
1730+#endif
1731
1732 /*
1733 * Our registers are always unsigned longs, whether we're a 32 bit
1734@@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
1735 (0x7ff >> (PAGE_SHIFT - 12)) : \
1736 (0x3ffff >> (PAGE_SHIFT - 12)))
1737
1738-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1739-#define arch_randomize_brk arch_randomize_brk
1740-
1741 #endif /* __KERNEL__ */
1742
1743 /*
1744diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/iommu.h linux-2.6.32.9/arch/powerpc/include/asm/iommu.h
1745--- linux-2.6.32.9/arch/powerpc/include/asm/iommu.h 2010-02-09 07:57:19.000000000 -0500
1746+++ linux-2.6.32.9/arch/powerpc/include/asm/iommu.h 2010-02-23 17:09:53.079699812 -0500
1747@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
1748 extern void iommu_init_early_dart(void);
1749 extern void iommu_init_early_pasemi(void);
1750
1751+/* dma-iommu.c */
1752+extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
1753+
1754 #ifdef CONFIG_PCI
1755 extern void pci_iommu_init(void);
1756 extern void pci_direct_iommu_init(void);
1757diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.9/arch/powerpc/include/asm/kmap_types.h
1758--- linux-2.6.32.9/arch/powerpc/include/asm/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
1759+++ linux-2.6.32.9/arch/powerpc/include/asm/kmap_types.h 2010-02-23 17:09:53.079699812 -0500
1760@@ -26,6 +26,7 @@ enum km_type {
1761 KM_SOFTIRQ1,
1762 KM_PPC_SYNC_PAGE,
1763 KM_PPC_SYNC_ICACHE,
1764+ KM_CLEARPAGE,
1765 KM_TYPE_NR
1766 };
1767
1768diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/page_64.h linux-2.6.32.9/arch/powerpc/include/asm/page_64.h
1769--- linux-2.6.32.9/arch/powerpc/include/asm/page_64.h 2010-02-09 07:57:19.000000000 -0500
1770+++ linux-2.6.32.9/arch/powerpc/include/asm/page_64.h 2010-02-23 17:09:53.079699812 -0500
1771@@ -180,15 +180,18 @@ do { \
1772 * stack by default, so in the absense of a PT_GNU_STACK program header
1773 * we turn execute permission off.
1774 */
1775-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1776- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1777+#define VM_STACK_DEFAULT_FLAGS32 \
1778+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1779+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1780
1781 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1782 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1783
1784+#ifndef CONFIG_PAX_PAGEEXEC
1785 #define VM_STACK_DEFAULT_FLAGS \
1786 (test_thread_flag(TIF_32BIT) ? \
1787 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1788+#endif
1789
1790 #include <asm-generic/getorder.h>
1791
1792diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/page.h linux-2.6.32.9/arch/powerpc/include/asm/page.h
1793--- linux-2.6.32.9/arch/powerpc/include/asm/page.h 2010-02-09 07:57:19.000000000 -0500
1794+++ linux-2.6.32.9/arch/powerpc/include/asm/page.h 2010-02-23 17:09:53.079699812 -0500
1795@@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
1796 * and needs to be executable. This means the whole heap ends
1797 * up being executable.
1798 */
1799-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1800- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1801+#define VM_DATA_DEFAULT_FLAGS32 \
1802+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1803+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1804
1805 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1806 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1807@@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
1808 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
1809 #endif
1810
1811+#define ktla_ktva(addr) (addr)
1812+#define ktva_ktla(addr) (addr)
1813+
1814 #ifndef __ASSEMBLY__
1815
1816 #undef STRICT_MM_TYPECHECKS
1817diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/pci.h linux-2.6.32.9/arch/powerpc/include/asm/pci.h
1818--- linux-2.6.32.9/arch/powerpc/include/asm/pci.h 2010-02-09 07:57:19.000000000 -0500
1819+++ linux-2.6.32.9/arch/powerpc/include/asm/pci.h 2010-02-23 17:09:53.079699812 -0500
1820@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
1821 }
1822
1823 #ifdef CONFIG_PCI
1824-extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1825-extern struct dma_map_ops *get_pci_dma_ops(void);
1826+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1827+extern const struct dma_map_ops *get_pci_dma_ops(void);
1828 #else /* CONFIG_PCI */
1829 #define set_pci_dma_ops(d)
1830 #define get_pci_dma_ops() NULL
1831diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.9/arch/powerpc/include/asm/pte-hash32.h
1832--- linux-2.6.32.9/arch/powerpc/include/asm/pte-hash32.h 2010-02-09 07:57:19.000000000 -0500
1833+++ linux-2.6.32.9/arch/powerpc/include/asm/pte-hash32.h 2010-02-23 17:09:53.079699812 -0500
1834@@ -21,6 +21,7 @@
1835 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
1836 #define _PAGE_USER 0x004 /* usermode access allowed */
1837 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
1838+#define _PAGE_EXEC _PAGE_GUARDED
1839 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
1840 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
1841 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
1842diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/reg.h linux-2.6.32.9/arch/powerpc/include/asm/reg.h
1843--- linux-2.6.32.9/arch/powerpc/include/asm/reg.h 2010-02-09 07:57:19.000000000 -0500
1844+++ linux-2.6.32.9/arch/powerpc/include/asm/reg.h 2010-02-23 17:09:53.079699812 -0500
1845@@ -191,6 +191,7 @@
1846 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
1847 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
1848 #define DSISR_NOHPTE 0x40000000 /* no translation found */
1849+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
1850 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
1851 #define DSISR_ISSTORE 0x02000000 /* access was a store */
1852 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
1853diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.9/arch/powerpc/include/asm/swiotlb.h
1854--- linux-2.6.32.9/arch/powerpc/include/asm/swiotlb.h 2010-02-09 07:57:19.000000000 -0500
1855+++ linux-2.6.32.9/arch/powerpc/include/asm/swiotlb.h 2010-02-23 17:09:53.079699812 -0500
1856@@ -13,7 +13,7 @@
1857
1858 #include <linux/swiotlb.h>
1859
1860-extern struct dma_map_ops swiotlb_dma_ops;
1861+extern const struct dma_map_ops swiotlb_dma_ops;
1862
1863 static inline void dma_mark_clean(void *addr, size_t size) {}
1864
1865diff -urNp linux-2.6.32.9/arch/powerpc/include/asm/uaccess.h linux-2.6.32.9/arch/powerpc/include/asm/uaccess.h
1866--- linux-2.6.32.9/arch/powerpc/include/asm/uaccess.h 2010-02-09 07:57:19.000000000 -0500
1867+++ linux-2.6.32.9/arch/powerpc/include/asm/uaccess.h 2010-02-23 17:09:53.079699812 -0500
1868@@ -327,52 +327,6 @@ do { \
1869 extern unsigned long __copy_tofrom_user(void __user *to,
1870 const void __user *from, unsigned long size);
1871
1872-#ifndef __powerpc64__
1873-
1874-static inline unsigned long copy_from_user(void *to,
1875- const void __user *from, unsigned long n)
1876-{
1877- unsigned long over;
1878-
1879- if (access_ok(VERIFY_READ, from, n))
1880- return __copy_tofrom_user((__force void __user *)to, from, n);
1881- if ((unsigned long)from < TASK_SIZE) {
1882- over = (unsigned long)from + n - TASK_SIZE;
1883- return __copy_tofrom_user((__force void __user *)to, from,
1884- n - over) + over;
1885- }
1886- return n;
1887-}
1888-
1889-static inline unsigned long copy_to_user(void __user *to,
1890- const void *from, unsigned long n)
1891-{
1892- unsigned long over;
1893-
1894- if (access_ok(VERIFY_WRITE, to, n))
1895- return __copy_tofrom_user(to, (__force void __user *)from, n);
1896- if ((unsigned long)to < TASK_SIZE) {
1897- over = (unsigned long)to + n - TASK_SIZE;
1898- return __copy_tofrom_user(to, (__force void __user *)from,
1899- n - over) + over;
1900- }
1901- return n;
1902-}
1903-
1904-#else /* __powerpc64__ */
1905-
1906-#define __copy_in_user(to, from, size) \
1907- __copy_tofrom_user((to), (from), (size))
1908-
1909-extern unsigned long copy_from_user(void *to, const void __user *from,
1910- unsigned long n);
1911-extern unsigned long copy_to_user(void __user *to, const void *from,
1912- unsigned long n);
1913-extern unsigned long copy_in_user(void __user *to, const void __user *from,
1914- unsigned long n);
1915-
1916-#endif /* __powerpc64__ */
1917-
1918 static inline unsigned long __copy_from_user_inatomic(void *to,
1919 const void __user *from, unsigned long n)
1920 {
1921@@ -396,6 +350,10 @@ static inline unsigned long __copy_from_
1922 if (ret == 0)
1923 return 0;
1924 }
1925+
1926+ if (!__builtin_constant_p(n))
1927+ check_object_size(to, n, false);
1928+
1929 return __copy_tofrom_user((__force void __user *)to, from, n);
1930 }
1931
1932@@ -422,6 +380,10 @@ static inline unsigned long __copy_to_us
1933 if (ret == 0)
1934 return 0;
1935 }
1936+
1937+ if (!__builtin_constant_p(n))
1938+ check_object_size(from, n, true);
1939+
1940 return __copy_tofrom_user(to, (__force const void __user *)from, n);
1941 }
1942
1943@@ -439,6 +401,92 @@ static inline unsigned long __copy_to_us
1944 return __copy_to_user_inatomic(to, from, size);
1945 }
1946
1947+#ifndef __powerpc64__
1948+
1949+static inline unsigned long __must_check copy_from_user(void *to,
1950+ const void __user *from, unsigned long n)
1951+{
1952+ unsigned long over;
1953+
1954+ if ((long)n < 0)
1955+ return n;
1956+
1957+ if (access_ok(VERIFY_READ, from, n)) {
1958+ if (!__builtin_constant_p(n))
1959+ check_object_size(to, n, false);
1960+ return __copy_tofrom_user((__force void __user *)to, from, n);
1961+ }
1962+ if ((unsigned long)from < TASK_SIZE) {
1963+ over = (unsigned long)from + n - TASK_SIZE;
1964+ if (!__builtin_constant_p(n - over))
1965+ check_object_size(to, n - over, false);
1966+ return __copy_tofrom_user((__force void __user *)to, from,
1967+ n - over) + over;
1968+ }
1969+ return n;
1970+}
1971+
1972+static inline unsigned long __must_check copy_to_user(void __user *to,
1973+ const void *from, unsigned long n)
1974+{
1975+ unsigned long over;
1976+
1977+ if ((long)n < 0)
1978+ return n;
1979+
1980+ if (access_ok(VERIFY_WRITE, to, n)) {
1981+ if (!__builtin_constant_p(n))
1982+ check_object_size(from, n, true);
1983+ return __copy_tofrom_user(to, (__force void __user *)from, n);
1984+ }
1985+ if ((unsigned long)to < TASK_SIZE) {
1986+ over = (unsigned long)to + n - TASK_SIZE;
1987+ if (!__builtin_constant_p(n))
1988+ check_object_size(from, n - over, true);
1989+ return __copy_tofrom_user(to, (__force void __user *)from,
1990+ n - over) + over;
1991+ }
1992+ return n;
1993+}
1994+
1995+#else /* __powerpc64__ */
1996+
1997+#define __copy_in_user(to, from, size) \
1998+ __copy_tofrom_user((to), (from), (size))
1999+
2000+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2001+{
2002+ if ((long)n < 0 || n > INT_MAX)
2003+ return n;
2004+
2005+ if (!__builtin_constant_p(n))
2006+ check_object_size(to, n, false);
2007+
2008+ if (likely(access_ok(VERIFY_READ, from, n)))
2009+ n = __copy_from_user(to, from, n);
2010+ else
2011+ memset(to, 0, n);
2012+ return n;
2013+}
2014+
2015+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2016+{
2017+ if ((long)n < 0 || n > INT_MAX)
2018+ return n;
2019+
2020+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
2021+ if (!__builtin_constant_p(n))
2022+ check_object_size(from, n, true);
2023+ n = __copy_to_user(to, from, n);
2024+ }
2025+ return n;
2026+}
2027+
2028+extern unsigned long copy_in_user(void __user *to, const void __user *from,
2029+ unsigned long n);
2030+
2031+#endif /* __powerpc64__ */
2032+
2033 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2034
2035 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2036diff -urNp linux-2.6.32.9/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.9/arch/powerpc/kernel/cacheinfo.c
2037--- linux-2.6.32.9/arch/powerpc/kernel/cacheinfo.c 2010-02-09 07:57:19.000000000 -0500
2038+++ linux-2.6.32.9/arch/powerpc/kernel/cacheinfo.c 2010-02-23 17:09:53.083571404 -0500
2039@@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2040 &cache_assoc_attr,
2041 };
2042
2043-static struct sysfs_ops cache_index_ops = {
2044+static const struct sysfs_ops cache_index_ops = {
2045 .show = cache_index_show,
2046 };
2047
2048diff -urNp linux-2.6.32.9/arch/powerpc/kernel/dma.c linux-2.6.32.9/arch/powerpc/kernel/dma.c
2049--- linux-2.6.32.9/arch/powerpc/kernel/dma.c 2010-02-09 07:57:19.000000000 -0500
2050+++ linux-2.6.32.9/arch/powerpc/kernel/dma.c 2010-02-23 17:09:53.083571404 -0500
2051@@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2052 }
2053 #endif
2054
2055-struct dma_map_ops dma_direct_ops = {
2056+const struct dma_map_ops dma_direct_ops = {
2057 .alloc_coherent = dma_direct_alloc_coherent,
2058 .free_coherent = dma_direct_free_coherent,
2059 .map_sg = dma_direct_map_sg,
2060diff -urNp linux-2.6.32.9/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.9/arch/powerpc/kernel/dma-iommu.c
2061--- linux-2.6.32.9/arch/powerpc/kernel/dma-iommu.c 2010-02-09 07:57:19.000000000 -0500
2062+++ linux-2.6.32.9/arch/powerpc/kernel/dma-iommu.c 2010-02-23 17:09:53.083571404 -0500
2063@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2064 }
2065
2066 /* We support DMA to/from any memory page via the iommu */
2067-static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2068+int dma_iommu_dma_supported(struct device *dev, u64 mask)
2069 {
2070 struct iommu_table *tbl = get_iommu_table_base(dev);
2071
2072diff -urNp linux-2.6.32.9/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.9/arch/powerpc/kernel/dma-swiotlb.c
2073--- linux-2.6.32.9/arch/powerpc/kernel/dma-swiotlb.c 2010-02-09 07:57:19.000000000 -0500
2074+++ linux-2.6.32.9/arch/powerpc/kernel/dma-swiotlb.c 2010-02-23 17:09:53.083571404 -0500
2075@@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2076 * map_page, and unmap_page on highmem, use normal dma_ops
2077 * for everything else.
2078 */
2079-struct dma_map_ops swiotlb_dma_ops = {
2080+const struct dma_map_ops swiotlb_dma_ops = {
2081 .alloc_coherent = dma_direct_alloc_coherent,
2082 .free_coherent = dma_direct_free_coherent,
2083 .map_sg = swiotlb_map_sg_attrs,
2084diff -urNp linux-2.6.32.9/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.9/arch/powerpc/kernel/exceptions-64e.S
2085--- linux-2.6.32.9/arch/powerpc/kernel/exceptions-64e.S 2010-02-09 07:57:19.000000000 -0500
2086+++ linux-2.6.32.9/arch/powerpc/kernel/exceptions-64e.S 2010-02-23 17:09:53.083571404 -0500
2087@@ -455,6 +455,7 @@ storage_fault_common:
2088 std r14,_DAR(r1)
2089 std r15,_DSISR(r1)
2090 addi r3,r1,STACK_FRAME_OVERHEAD
2091+ bl .save_nvgprs
2092 mr r4,r14
2093 mr r5,r15
2094 ld r14,PACA_EXGEN+EX_R14(r13)
2095@@ -464,8 +465,7 @@ storage_fault_common:
2096 cmpdi r3,0
2097 bne- 1f
2098 b .ret_from_except_lite
2099-1: bl .save_nvgprs
2100- mr r5,r3
2101+1: mr r5,r3
2102 addi r3,r1,STACK_FRAME_OVERHEAD
2103 ld r4,_DAR(r1)
2104 bl .bad_page_fault
2105diff -urNp linux-2.6.32.9/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.9/arch/powerpc/kernel/exceptions-64s.S
2106--- linux-2.6.32.9/arch/powerpc/kernel/exceptions-64s.S 2010-02-09 07:57:19.000000000 -0500
2107+++ linux-2.6.32.9/arch/powerpc/kernel/exceptions-64s.S 2010-02-23 17:09:53.083571404 -0500
2108@@ -818,10 +818,10 @@ handle_page_fault:
2109 11: ld r4,_DAR(r1)
2110 ld r5,_DSISR(r1)
2111 addi r3,r1,STACK_FRAME_OVERHEAD
2112+ bl .save_nvgprs
2113 bl .do_page_fault
2114 cmpdi r3,0
2115 beq+ 13f
2116- bl .save_nvgprs
2117 mr r5,r3
2118 addi r3,r1,STACK_FRAME_OVERHEAD
2119 lwz r4,_DAR(r1)
2120diff -urNp linux-2.6.32.9/arch/powerpc/kernel/ibmebus.c linux-2.6.32.9/arch/powerpc/kernel/ibmebus.c
2121--- linux-2.6.32.9/arch/powerpc/kernel/ibmebus.c 2010-02-09 07:57:19.000000000 -0500
2122+++ linux-2.6.32.9/arch/powerpc/kernel/ibmebus.c 2010-02-23 17:09:53.083571404 -0500
2123@@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2124 return 1;
2125 }
2126
2127-static struct dma_map_ops ibmebus_dma_ops = {
2128+static const struct dma_map_ops ibmebus_dma_ops = {
2129 .alloc_coherent = ibmebus_alloc_coherent,
2130 .free_coherent = ibmebus_free_coherent,
2131 .map_sg = ibmebus_map_sg,
2132diff -urNp linux-2.6.32.9/arch/powerpc/kernel/kgdb.c linux-2.6.32.9/arch/powerpc/kernel/kgdb.c
2133--- linux-2.6.32.9/arch/powerpc/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
2134+++ linux-2.6.32.9/arch/powerpc/kernel/kgdb.c 2010-02-23 17:09:53.083571404 -0500
2135@@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2136 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2137 return 0;
2138
2139- if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2140+ if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2141 regs->nip += 4;
2142
2143 return 1;
2144@@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2145 /*
2146 * Global data
2147 */
2148-struct kgdb_arch arch_kgdb_ops = {
2149+const struct kgdb_arch arch_kgdb_ops = {
2150 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2151 };
2152
2153diff -urNp linux-2.6.32.9/arch/powerpc/kernel/module_32.c linux-2.6.32.9/arch/powerpc/kernel/module_32.c
2154--- linux-2.6.32.9/arch/powerpc/kernel/module_32.c 2010-02-09 07:57:19.000000000 -0500
2155+++ linux-2.6.32.9/arch/powerpc/kernel/module_32.c 2010-02-23 17:09:53.083571404 -0500
2156@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2157 me->arch.core_plt_section = i;
2158 }
2159 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2160- printk("Module doesn't contain .plt or .init.plt sections.\n");
2161+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2162 return -ENOEXEC;
2163 }
2164
2165@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2166
2167 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2168 /* Init, or core PLT? */
2169- if (location >= mod->module_core
2170- && location < mod->module_core + mod->core_size)
2171+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2172+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2173 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2174- else
2175+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2176+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2177 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2178+ else {
2179+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2180+ return ~0UL;
2181+ }
2182
2183 /* Find this entry, or if that fails, the next avail. entry */
2184 while (entry->jump[0]) {
2185diff -urNp linux-2.6.32.9/arch/powerpc/kernel/module.c linux-2.6.32.9/arch/powerpc/kernel/module.c
2186--- linux-2.6.32.9/arch/powerpc/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
2187+++ linux-2.6.32.9/arch/powerpc/kernel/module.c 2010-02-23 17:09:53.083571404 -0500
2188@@ -31,11 +31,24 @@
2189
2190 LIST_HEAD(module_bug_list);
2191
2192+#ifdef CONFIG_PAX_KERNEXEC
2193 void *module_alloc(unsigned long size)
2194 {
2195 if (size == 0)
2196 return NULL;
2197
2198+ return vmalloc(size);
2199+}
2200+
2201+void *module_alloc_exec(unsigned long size)
2202+#else
2203+void *module_alloc(unsigned long size)
2204+#endif
2205+
2206+{
2207+ if (size == 0)
2208+ return NULL;
2209+
2210 return vmalloc_exec(size);
2211 }
2212
2213@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2214 vfree(module_region);
2215 }
2216
2217+#ifdef CONFIG_PAX_KERNEXEC
2218+void module_free_exec(struct module *mod, void *module_region)
2219+{
2220+ module_free(mod, module_region);
2221+}
2222+#endif
2223+
2224 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2225 const Elf_Shdr *sechdrs,
2226 const char *name)
2227diff -urNp linux-2.6.32.9/arch/powerpc/kernel/pci-common.c linux-2.6.32.9/arch/powerpc/kernel/pci-common.c
2228--- linux-2.6.32.9/arch/powerpc/kernel/pci-common.c 2010-02-09 07:57:19.000000000 -0500
2229+++ linux-2.6.32.9/arch/powerpc/kernel/pci-common.c 2010-02-23 17:09:53.083571404 -0500
2230@@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2231 unsigned int ppc_pci_flags = 0;
2232
2233
2234-static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2235+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2236
2237-void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2238+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2239 {
2240 pci_dma_ops = dma_ops;
2241 }
2242
2243-struct dma_map_ops *get_pci_dma_ops(void)
2244+const struct dma_map_ops *get_pci_dma_ops(void)
2245 {
2246 return pci_dma_ops;
2247 }
2248diff -urNp linux-2.6.32.9/arch/powerpc/kernel/process.c linux-2.6.32.9/arch/powerpc/kernel/process.c
2249--- linux-2.6.32.9/arch/powerpc/kernel/process.c 2010-02-09 07:57:19.000000000 -0500
2250+++ linux-2.6.32.9/arch/powerpc/kernel/process.c 2010-02-23 17:09:53.083571404 -0500
2251@@ -1141,51 +1141,3 @@ unsigned long arch_align_stack(unsigned
2252 sp -= get_random_int() & ~PAGE_MASK;
2253 return sp & ~0xf;
2254 }
2255-
2256-static inline unsigned long brk_rnd(void)
2257-{
2258- unsigned long rnd = 0;
2259-
2260- /* 8MB for 32bit, 1GB for 64bit */
2261- if (is_32bit_task())
2262- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2263- else
2264- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2265-
2266- return rnd << PAGE_SHIFT;
2267-}
2268-
2269-unsigned long arch_randomize_brk(struct mm_struct *mm)
2270-{
2271- unsigned long base = mm->brk;
2272- unsigned long ret;
2273-
2274-#ifdef CONFIG_PPC_STD_MMU_64
2275- /*
2276- * If we are using 1TB segments and we are allowed to randomise
2277- * the heap, we can put it above 1TB so it is backed by a 1TB
2278- * segment. Otherwise the heap will be in the bottom 1TB
2279- * which always uses 256MB segments and this may result in a
2280- * performance penalty.
2281- */
2282- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2283- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2284-#endif
2285-
2286- ret = PAGE_ALIGN(base + brk_rnd());
2287-
2288- if (ret < mm->brk)
2289- return mm->brk;
2290-
2291- return ret;
2292-}
2293-
2294-unsigned long randomize_et_dyn(unsigned long base)
2295-{
2296- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2297-
2298- if (ret < base)
2299- return base;
2300-
2301- return ret;
2302-}
2303diff -urNp linux-2.6.32.9/arch/powerpc/kernel/signal_32.c linux-2.6.32.9/arch/powerpc/kernel/signal_32.c
2304--- linux-2.6.32.9/arch/powerpc/kernel/signal_32.c 2010-02-09 07:57:19.000000000 -0500
2305+++ linux-2.6.32.9/arch/powerpc/kernel/signal_32.c 2010-02-23 17:09:53.083571404 -0500
2306@@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2307 /* Save user registers on the stack */
2308 frame = &rt_sf->uc.uc_mcontext;
2309 addr = frame;
2310- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2311+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2312 if (save_user_regs(regs, frame, 0, 1))
2313 goto badframe;
2314 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2315diff -urNp linux-2.6.32.9/arch/powerpc/kernel/signal_64.c linux-2.6.32.9/arch/powerpc/kernel/signal_64.c
2316--- linux-2.6.32.9/arch/powerpc/kernel/signal_64.c 2010-02-09 07:57:19.000000000 -0500
2317+++ linux-2.6.32.9/arch/powerpc/kernel/signal_64.c 2010-02-23 17:09:53.083571404 -0500
2318@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2319 current->thread.fpscr.val = 0;
2320
2321 /* Set up to return from userspace. */
2322- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2323+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2324 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2325 } else {
2326 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2327diff -urNp linux-2.6.32.9/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.9/arch/powerpc/kernel/sys_ppc32.c
2328--- linux-2.6.32.9/arch/powerpc/kernel/sys_ppc32.c 2010-02-09 07:57:19.000000000 -0500
2329+++ linux-2.6.32.9/arch/powerpc/kernel/sys_ppc32.c 2010-02-23 17:09:53.083571404 -0500
2330@@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2331 if (oldlenp) {
2332 if (!error) {
2333 if (get_user(oldlen, oldlenp) ||
2334- put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2335+ put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2336+ copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2337 error = -EFAULT;
2338 }
2339- copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2340 }
2341 return error;
2342 }
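Review bot: Folding `copy_to_user(args->__unused, ...)` into the `||` chain checks its result, but it also changes when the copy runs. It now sits inside `if (!error)` behind two short-circuiting calls, while the removed line ran for every call with a non-NULL oldlenp. If skipping the write-back on failure is intended, a one-line comment above the chain would record it, e.g. `/* __unused is only written back when the sysctl itself succeeded */`. The start of compat_sys_sysctl is outside the hunk, so whether any caller relies on the old behaviour cannot be told from here.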
2343diff -urNp linux-2.6.32.9/arch/powerpc/kernel/vdso.c linux-2.6.32.9/arch/powerpc/kernel/vdso.c
2344--- linux-2.6.32.9/arch/powerpc/kernel/vdso.c 2010-02-09 07:57:19.000000000 -0500
2345+++ linux-2.6.32.9/arch/powerpc/kernel/vdso.c 2010-02-23 17:09:53.083571404 -0500
2346@@ -36,6 +36,7 @@
2347 #include <asm/firmware.h>
2348 #include <asm/vdso.h>
2349 #include <asm/vdso_datapage.h>
2350+#include <asm/mman.h>
2351
2352 #include "setup.h"
2353
2354@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2355 vdso_base = VDSO32_MBASE;
2356 #endif
2357
2358- current->mm->context.vdso_base = 0;
2359+ current->mm->context.vdso_base = ~0UL;
2360
2361 /* vDSO has a problem and was disabled, just don't "enable" it for the
2362 * process
2363@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2364 vdso_base = get_unmapped_area(NULL, vdso_base,
2365 (vdso_pages << PAGE_SHIFT) +
2366 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2367- 0, 0);
2368+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
2369 if (IS_ERR_VALUE(vdso_base)) {
2370 rc = vdso_base;
2371 goto fail_mmapsem;
2372diff -urNp linux-2.6.32.9/arch/powerpc/kernel/vio.c linux-2.6.32.9/arch/powerpc/kernel/vio.c
2373--- linux-2.6.32.9/arch/powerpc/kernel/vio.c 2010-02-09 07:57:19.000000000 -0500
2374+++ linux-2.6.32.9/arch/powerpc/kernel/vio.c 2010-02-23 17:09:53.083571404 -0500
2375@@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2376 vio_cmo_dealloc(viodev, alloc_size);
2377 }
2378
2379-struct dma_map_ops vio_dma_mapping_ops = {
2380+static const struct dma_map_ops vio_dma_mapping_ops = {
2381 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2382 .free_coherent = vio_dma_iommu_free_coherent,
2383 .map_sg = vio_dma_iommu_map_sg,
2384 .unmap_sg = vio_dma_iommu_unmap_sg,
2385+ .dma_supported = dma_iommu_dma_supported,
2386 .map_page = vio_dma_iommu_map_page,
2387 .unmap_page = vio_dma_iommu_unmap_page,
2388
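Review bot: `vio_dma_mapping_ops` changes from external linkage to `static const`, and its `.dma_supported` slot is now filled in the initializer with `dma_iommu_dma_supported`, so two things outside the hunk have to hold. No other translation unit may reference `vio_dma_mapping_ops`, and `dma_iommu_dma_supported` must be non-static with a prototype in scope in vio.c; neither is visible here. A short comment on the table, such as `/* const: the ops table is never modified after build time */`, would also explain why the run-time assignment in vio_cmo_set_dma_ops is dropped in the following hunk.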
2389@@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2390
2391 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2392 {
2393- vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2394 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2395 }
2396
2397diff -urNp linux-2.6.32.9/arch/powerpc/lib/usercopy_64.c linux-2.6.32.9/arch/powerpc/lib/usercopy_64.c
2398--- linux-2.6.32.9/arch/powerpc/lib/usercopy_64.c 2010-02-09 07:57:19.000000000 -0500
2399+++ linux-2.6.32.9/arch/powerpc/lib/usercopy_64.c 2010-02-23 17:09:53.083571404 -0500
2400@@ -9,22 +9,6 @@
2401 #include <linux/module.h>
2402 #include <asm/uaccess.h>
2403
2404-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2405-{
2406- if (likely(access_ok(VERIFY_READ, from, n)))
2407- n = __copy_from_user(to, from, n);
2408- else
2409- memset(to, 0, n);
2410- return n;
2411-}
2412-
2413-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2414-{
2415- if (likely(access_ok(VERIFY_WRITE, to, n)))
2416- n = __copy_to_user(to, from, n);
2417- return n;
2418-}
2419-
2420 unsigned long copy_in_user(void __user *to, const void __user *from,
2421 unsigned long n)
2422 {
2423@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2424 return n;
2425 }
2426
2427-EXPORT_SYMBOL(copy_from_user);
2428-EXPORT_SYMBOL(copy_to_user);
2429 EXPORT_SYMBOL(copy_in_user);
2430
2431diff -urNp linux-2.6.32.9/arch/powerpc/mm/fault.c linux-2.6.32.9/arch/powerpc/mm/fault.c
2432--- linux-2.6.32.9/arch/powerpc/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
2433+++ linux-2.6.32.9/arch/powerpc/mm/fault.c 2010-02-23 17:09:53.083571404 -0500
2434@@ -30,6 +30,10 @@
2435 #include <linux/kprobes.h>
2436 #include <linux/kdebug.h>
2437 #include <linux/perf_event.h>
2438+#include <linux/slab.h>
2439+#include <linux/pagemap.h>
2440+#include <linux/compiler.h>
2441+#include <linux/unistd.h>
2442
2443 #include <asm/firmware.h>
2444 #include <asm/page.h>
2445@@ -40,6 +44,7 @@
2446 #include <asm/uaccess.h>
2447 #include <asm/tlbflush.h>
2448 #include <asm/siginfo.h>
2449+#include <asm/ptrace.h>
2450
2451
2452 #ifdef CONFIG_KPROBES
2453@@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2454 }
2455 #endif
2456
2457+#ifdef CONFIG_PAX_PAGEEXEC
2458+/*
2459+ * PaX: decide what to do with offenders (regs->nip = fault address)
2460+ *
2461+ * returns 1 when task should be killed
2462+ */
2463+static int pax_handle_fetch_fault(struct pt_regs *regs)
2464+{
2465+ return 1;
2466+}
2467+
2468+void pax_report_insns(void *pc, void *sp)
2469+{
2470+ unsigned long i;
2471+
2472+ printk(KERN_ERR "PAX: bytes at PC: ");
2473+ for (i = 0; i < 5; i++) {
2474+ unsigned int c;
2475+ if (get_user(c, (unsigned int __user *)pc+i))
2476+ printk(KERN_CONT "???????? ");
2477+ else
2478+ printk(KERN_CONT "%08x ", c);
2479+ }
2480+ printk("\n");
2481+}
2482+#endif
2483+
2484 /*
2485 * Check whether the instruction at regs->nip is a store using
2486 * an update addressing form which will update r1.
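Review bot: `pax_report_insns(void *pc, void *sp)` never reads `sp`, and the word count `5` in its loop is an unexplained literal. A header comment would cover both, e.g. `/* Log the five 32-bit words at the faulting user PC; sp is unused on powerpc. */`. The closing `printk("\n")` also carries no log-level marker while the calls before it use `KERN_CONT`; `printk(KERN_CONT "\n");` would match them.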
2487@@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2488 * indicate errors in DSISR but can validly be set in SRR1.
2489 */
2490 if (trap == 0x400)
2491- error_code &= 0x48200000;
2492+ error_code &= 0x58200000;
2493 else
2494 is_write = error_code & DSISR_ISSTORE;
2495 #else
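Review bot: The widened mask `0x58200000` differs from the old `0x48200000` only by bit `0x10000000`, which a later hunk in this file starts spelling `DSISR_GUARDED`. Writing the line as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit was added and why, assuming the constant has that value as the later hunk suggests. do_page_fault starts and ends outside the hunk.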
2496@@ -250,7 +282,7 @@ good_area:
2497 * "undefined". Of those that can be set, this is the only
2498 * one which seems bad.
2499 */
2500- if (error_code & 0x10000000)
2501+ if (error_code & DSISR_GUARDED)
2502 /* Guarded storage error. */
2503 goto bad_area;
2504 #endif /* CONFIG_8xx */
2505@@ -265,7 +297,7 @@ good_area:
2506 * processors use the same I/D cache coherency mechanism
2507 * as embedded.
2508 */
2509- if (error_code & DSISR_PROTFAULT)
2510+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2511 goto bad_area;
2512 #endif /* CONFIG_PPC_STD_MMU */
2513
2514@@ -335,6 +367,23 @@ bad_area:
2515 bad_area_nosemaphore:
2516 /* User mode accesses cause a SIGSEGV */
2517 if (user_mode(regs)) {
2518+
2519+#ifdef CONFIG_PAX_PAGEEXEC
2520+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2521+#ifdef CONFIG_PPC_STD_MMU
2522+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2523+#else
2524+ if (is_exec && regs->nip == address) {
2525+#endif
2526+ switch (pax_handle_fetch_fault(regs)) {
2527+ }
2528+
2529+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2530+ do_group_exit(SIGKILL);
2531+ }
2532+ }
2533+#endif
2534+
2535 _exception(SIGSEGV, regs, code, address);
2536 return 0;
2537 }
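Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and the task is killed on every path. The helper's own comment says it returns 1 "when task should be killed", which implies other outcomes. The powerpc helper added earlier in this file only ever returns 1, so behaviour is unchanged today, but the construct reads like a forgotten case list. A comment inside the braces would settle it, e.g. `/* no emulation cases on powerpc: every fetch fault is fatal */`. The surrounding bad_area path starts outside the hunk.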
2538diff -urNp linux-2.6.32.9/arch/powerpc/mm/mmap_64.c linux-2.6.32.9/arch/powerpc/mm/mmap_64.c
2539--- linux-2.6.32.9/arch/powerpc/mm/mmap_64.c 2010-02-09 07:57:19.000000000 -0500
2540+++ linux-2.6.32.9/arch/powerpc/mm/mmap_64.c 2010-02-23 17:09:53.083571404 -0500
2541@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2542 */
2543 if (mmap_is_legacy()) {
2544 mm->mmap_base = TASK_UNMAPPED_BASE;
2545+
2546+#ifdef CONFIG_PAX_RANDMMAP
2547+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2548+ mm->mmap_base += mm->delta_mmap;
2549+#endif
2550+
2551 mm->get_unmapped_area = arch_get_unmapped_area;
2552 mm->unmap_area = arch_unmap_area;
2553 } else {
2554 mm->mmap_base = mmap_base();
2555+
2556+#ifdef CONFIG_PAX_RANDMMAP
2557+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2558+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2559+#endif
2560+
2561 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2562 mm->unmap_area = arch_unmap_area_topdown;
2563 }
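Review bot: The two RANDMMAP adjustments are asymmetric and uncommented: the legacy branch adds `mm->delta_mmap`, while the top-down branch subtracts `mm->delta_mmap + mm->delta_stack`. Presumably the top-down base must also move by the stack randomization to keep its gap below the stack, but nothing in the hunk says so, and the unsigned subtraction has no visible lower bound. A comment such as `/* top-down base sits under the stack: shift by both deltas */` would help. The same applies to the two arch_pick_mmap_layout hunks in arch/s390/mm/mmap.c. The function starts outside the hunk.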
2564diff -urNp linux-2.6.32.9/arch/powerpc/mm/slice.c linux-2.6.32.9/arch/powerpc/mm/slice.c
2565--- linux-2.6.32.9/arch/powerpc/mm/slice.c 2010-02-09 07:57:19.000000000 -0500
2566+++ linux-2.6.32.9/arch/powerpc/mm/slice.c 2010-02-23 17:09:53.083571404 -0500
2567@@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
2568 if (fixed && addr > (mm->task_size - len))
2569 return -EINVAL;
2570
2571+#ifdef CONFIG_PAX_RANDMMAP
2572+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2573+ addr = 0;
2574+#endif
2575+
2576 /* If hint, make sure it matches our alignment restrictions */
2577 if (!fixed && addr) {
2578 addr = _ALIGN_UP(addr, 1ul << pshift);
2579diff -urNp linux-2.6.32.9/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.9/arch/powerpc/platforms/52xx/lite5200_pm.c
2580--- linux-2.6.32.9/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-02-09 07:57:19.000000000 -0500
2581+++ linux-2.6.32.9/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-02-23 17:09:53.083571404 -0500
2582@@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2583 lite5200_pm_target_state = PM_SUSPEND_ON;
2584 }
2585
2586-static struct platform_suspend_ops lite5200_pm_ops = {
2587+static const struct platform_suspend_ops lite5200_pm_ops = {
2588 .valid = lite5200_pm_valid,
2589 .begin = lite5200_pm_begin,
2590 .prepare = lite5200_pm_prepare,
2591diff -urNp linux-2.6.32.9/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.9/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2592--- linux-2.6.32.9/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-02-09 07:57:19.000000000 -0500
2593+++ linux-2.6.32.9/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-02-23 17:09:53.083571404 -0500
2594@@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
2595 iounmap(mbar);
2596 }
2597
2598-static struct platform_suspend_ops mpc52xx_pm_ops = {
2599+static const struct platform_suspend_ops mpc52xx_pm_ops = {
2600 .valid = mpc52xx_pm_valid,
2601 .prepare = mpc52xx_pm_prepare,
2602 .enter = mpc52xx_pm_enter,
2603diff -urNp linux-2.6.32.9/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.9/arch/powerpc/platforms/83xx/suspend.c
2604--- linux-2.6.32.9/arch/powerpc/platforms/83xx/suspend.c 2010-02-09 07:57:19.000000000 -0500
2605+++ linux-2.6.32.9/arch/powerpc/platforms/83xx/suspend.c 2010-02-23 17:09:53.088041045 -0500
2606@@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
2607 return ret;
2608 }
2609
2610-static struct platform_suspend_ops mpc83xx_suspend_ops = {
2611+static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2612 .valid = mpc83xx_suspend_valid,
2613 .begin = mpc83xx_suspend_begin,
2614 .enter = mpc83xx_suspend_enter,
2615diff -urNp linux-2.6.32.9/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.9/arch/powerpc/platforms/cell/iommu.c
2616--- linux-2.6.32.9/arch/powerpc/platforms/cell/iommu.c 2010-02-09 07:57:19.000000000 -0500
2617+++ linux-2.6.32.9/arch/powerpc/platforms/cell/iommu.c 2010-02-23 17:09:53.088041045 -0500
2618@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2619
2620 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2621
2622-struct dma_map_ops dma_iommu_fixed_ops = {
2623+const struct dma_map_ops dma_iommu_fixed_ops = {
2624 .alloc_coherent = dma_fixed_alloc_coherent,
2625 .free_coherent = dma_fixed_free_coherent,
2626 .map_sg = dma_fixed_map_sg,
2627diff -urNp linux-2.6.32.9/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.9/arch/powerpc/platforms/ps3/system-bus.c
2628--- linux-2.6.32.9/arch/powerpc/platforms/ps3/system-bus.c 2010-02-09 07:57:19.000000000 -0500
2629+++ linux-2.6.32.9/arch/powerpc/platforms/ps3/system-bus.c 2010-02-23 17:09:53.088041045 -0500
2630@@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
2631 return mask >= DMA_BIT_MASK(32);
2632 }
2633
2634-static struct dma_map_ops ps3_sb_dma_ops = {
2635+static const struct dma_map_ops ps3_sb_dma_ops = {
2636 .alloc_coherent = ps3_alloc_coherent,
2637 .free_coherent = ps3_free_coherent,
2638 .map_sg = ps3_sb_map_sg,
2639@@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2640 .unmap_page = ps3_unmap_page,
2641 };
2642
2643-static struct dma_map_ops ps3_ioc0_dma_ops = {
2644+static const struct dma_map_ops ps3_ioc0_dma_ops = {
2645 .alloc_coherent = ps3_alloc_coherent,
2646 .free_coherent = ps3_free_coherent,
2647 .map_sg = ps3_ioc0_map_sg,
2648diff -urNp linux-2.6.32.9/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.9/arch/powerpc/platforms/pseries/Kconfig
2649--- linux-2.6.32.9/arch/powerpc/platforms/pseries/Kconfig 2010-02-09 07:57:19.000000000 -0500
2650+++ linux-2.6.32.9/arch/powerpc/platforms/pseries/Kconfig 2010-02-23 17:09:53.088041045 -0500
2651@@ -2,6 +2,8 @@ config PPC_PSERIES
2652 depends on PPC64 && PPC_BOOK3S
2653 bool "IBM pSeries & new (POWER5-based) iSeries"
2654 select MPIC
2655+ select PCI_MSI
2656+ select XICS
2657 select PPC_I8259
2658 select PPC_RTAS
2659 select RTAS_ERROR_LOGGING
2660diff -urNp linux-2.6.32.9/arch/s390/include/asm/elf.h linux-2.6.32.9/arch/s390/include/asm/elf.h
2661--- linux-2.6.32.9/arch/s390/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
2662+++ linux-2.6.32.9/arch/s390/include/asm/elf.h 2010-02-23 17:09:53.088041045 -0500
2663@@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
2664 that it will "exec", and that there is sufficient room for the brk. */
2665 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2666
2667+#ifdef CONFIG_PAX_ASLR
2668+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2669+
2670+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2671+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2672+#endif
2673+
2674 /* This yields a mask that user programs can use to figure out what
2675 instruction set this CPU supports. */
2676
2677diff -urNp linux-2.6.32.9/arch/s390/include/asm/setup.h linux-2.6.32.9/arch/s390/include/asm/setup.h
2678--- linux-2.6.32.9/arch/s390/include/asm/setup.h 2010-02-09 07:57:19.000000000 -0500
2679+++ linux-2.6.32.9/arch/s390/include/asm/setup.h 2010-02-23 17:09:53.088041045 -0500
2680@@ -50,13 +50,13 @@ extern unsigned long memory_end;
2681 void detect_memory_layout(struct mem_chunk chunk[]);
2682
2683 #ifdef CONFIG_S390_SWITCH_AMODE
2684-extern unsigned int switch_amode;
2685+#define switch_amode (1)
2686 #else
2687 #define switch_amode (0)
2688 #endif
2689
2690 #ifdef CONFIG_S390_EXEC_PROTECT
2691-extern unsigned int s390_noexec;
2692+#define s390_noexec (1)
2693 #else
2694 #define s390_noexec (0)
2695 #endif
2696diff -urNp linux-2.6.32.9/arch/s390/include/asm/uaccess.h linux-2.6.32.9/arch/s390/include/asm/uaccess.h
2697--- linux-2.6.32.9/arch/s390/include/asm/uaccess.h 2010-02-09 07:57:19.000000000 -0500
2698+++ linux-2.6.32.9/arch/s390/include/asm/uaccess.h 2010-02-23 17:09:53.088041045 -0500
2699@@ -232,6 +232,10 @@ static inline unsigned long __must_check
2700 copy_to_user(void __user *to, const void *from, unsigned long n)
2701 {
2702 might_fault();
2703+
2704+ if ((long)n < 0)
2705+ return n;
2706+
2707 if (access_ok(VERIFY_WRITE, to, n))
2708 n = __copy_to_user(to, from, n);
2709 return n;
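Review bot: The guard `if ((long)n < 0) return n;` is added without a comment, here and in the __copy_from_user and copy_from_user hunks that follow. It rejects lengths above LONG_MAX, typically a negative signed length converted to unsigned long, and reports the whole request as uncopied. A one-line comment such as `/* sign bit set: negative size from the caller, copy nothing */` would make that intent visible. In copy_from_user the early return also bypasses the `else` branch whose body lies outside the hunk, so the destination is left untouched for such lengths; that looks deliberate but is worth stating.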
2710@@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
2711 static inline unsigned long __must_check
2712 __copy_from_user(void *to, const void __user *from, unsigned long n)
2713 {
2714+ if ((long)n < 0)
2715+ return n;
2716+
2717 if (__builtin_constant_p(n) && (n <= 256))
2718 return uaccess.copy_from_user_small(n, from, to);
2719 else
2720@@ -283,6 +290,10 @@ static inline unsigned long __must_check
2721 copy_from_user(void *to, const void __user *from, unsigned long n)
2722 {
2723 might_fault();
2724+
2725+ if ((long)n < 0)
2726+ return n;
2727+
2728 if (access_ok(VERIFY_READ, from, n))
2729 n = __copy_from_user(to, from, n);
2730 else
2731diff -urNp linux-2.6.32.9/arch/s390/Kconfig linux-2.6.32.9/arch/s390/Kconfig
2732--- linux-2.6.32.9/arch/s390/Kconfig 2010-02-09 07:57:19.000000000 -0500
2733+++ linux-2.6.32.9/arch/s390/Kconfig 2010-02-23 17:09:53.088041045 -0500
2734@@ -194,28 +194,26 @@ config AUDIT_ARCH
2735
2736 config S390_SWITCH_AMODE
2737 bool "Switch kernel/user addressing modes"
2738+ default y
2739 help
2740 This option allows to switch the addressing modes of kernel and user
2741- space. The kernel parameter switch_amode=on will enable this feature,
2742- default is disabled. Enabling this (via kernel parameter) on machines
2743- earlier than IBM System z9-109 EC/BC will reduce system performance.
2744+ space. Enabling this on machines earlier than IBM System z9-109 EC/BC
2745+ will reduce system performance.
2746
2747 Note that this option will also be selected by selecting the execute
2748- protection option below. Enabling the execute protection via the
2749- noexec kernel parameter will also switch the addressing modes,
2750- independent of the switch_amode kernel parameter.
2751+ protection option below. Enabling the execute protection will also
2752+ switch the addressing modes, independent of this option.
2753
2754
2755 config S390_EXEC_PROTECT
2756 bool "Data execute protection"
2757+ default y
2758 select S390_SWITCH_AMODE
2759 help
2760 This option allows to enable a buffer overflow protection for user
2761 space programs and it also selects the addressing mode option above.
2762- The kernel parameter noexec=on will enable this feature and also
2763- switch the addressing modes, default is disabled. Enabling this (via
2764- kernel parameter) on machines earlier than IBM System z9-109 EC/BC
2765- will reduce system performance.
2766+ Enabling this on machines earlier than IBM System z9-109 EC/BC will
2767+ reduce system performance.
2768
2769 comment "Code generation options"
2770
2771diff -urNp linux-2.6.32.9/arch/s390/kernel/module.c linux-2.6.32.9/arch/s390/kernel/module.c
2772--- linux-2.6.32.9/arch/s390/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
2773+++ linux-2.6.32.9/arch/s390/kernel/module.c 2010-02-23 17:09:53.088041045 -0500
2774@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2775
2776 /* Increase core size by size of got & plt and set start
2777 offsets for got and plt. */
2778- me->core_size = ALIGN(me->core_size, 4);
2779- me->arch.got_offset = me->core_size;
2780- me->core_size += me->arch.got_size;
2781- me->arch.plt_offset = me->core_size;
2782- me->core_size += me->arch.plt_size;
2783+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2784+ me->arch.got_offset = me->core_size_rw;
2785+ me->core_size_rw += me->arch.got_size;
2786+ me->arch.plt_offset = me->core_size_rx;
2787+ me->core_size_rx += me->arch.plt_size;
2788 return 0;
2789 }
2790
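Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset from a size that is never aligned in this hunk. The old code derived it from a `core_size` that had first been through `ALIGN(..., 4)`; now only `core_size_rw` gets that treatment. The PLT slots are written through an `unsigned int *` in apply_rela (`ip = me->module_core_rx + me->arch.plt_offset + ...`), so a misaligned offset would matter. Unless `core_size_rx` is already aligned by code outside the hunk, add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the offset is taken.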
2791@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2792 if (info->got_initialized == 0) {
2793 Elf_Addr *gotent;
2794
2795- gotent = me->module_core + me->arch.got_offset +
2796+ gotent = me->module_core_rw + me->arch.got_offset +
2797 info->got_offset;
2798 *gotent = val;
2799 info->got_initialized = 1;
2800@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2801 else if (r_type == R_390_GOTENT ||
2802 r_type == R_390_GOTPLTENT)
2803 *(unsigned int *) loc =
2804- (val + (Elf_Addr) me->module_core - loc) >> 1;
2805+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2806 else if (r_type == R_390_GOT64 ||
2807 r_type == R_390_GOTPLT64)
2808 *(unsigned long *) loc = val;
2809@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2810 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2811 if (info->plt_initialized == 0) {
2812 unsigned int *ip;
2813- ip = me->module_core + me->arch.plt_offset +
2814+ ip = me->module_core_rx + me->arch.plt_offset +
2815 info->plt_offset;
2816 #ifndef CONFIG_64BIT
2817 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2818@@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2819 val - loc + 0xffffUL < 0x1ffffeUL) ||
2820 (r_type == R_390_PLT32DBL &&
2821 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2822- val = (Elf_Addr) me->module_core +
2823+ val = (Elf_Addr) me->module_core_rx +
2824 me->arch.plt_offset +
2825 info->plt_offset;
2826 val += rela->r_addend - loc;
2827@@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2828 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2829 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2830 val = val + rela->r_addend -
2831- ((Elf_Addr) me->module_core + me->arch.got_offset);
2832+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2833 if (r_type == R_390_GOTOFF16)
2834 *(unsigned short *) loc = val;
2835 else if (r_type == R_390_GOTOFF32)
2836@@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2837 break;
2838 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2839 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2840- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2841+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2842 rela->r_addend - loc;
2843 if (r_type == R_390_GOTPC)
2844 *(unsigned int *) loc = val;
2845diff -urNp linux-2.6.32.9/arch/s390/kernel/setup.c linux-2.6.32.9/arch/s390/kernel/setup.c
2846--- linux-2.6.32.9/arch/s390/kernel/setup.c 2010-02-09 07:57:19.000000000 -0500
2847+++ linux-2.6.32.9/arch/s390/kernel/setup.c 2010-02-23 17:09:53.088041045 -0500
2848@@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
2849 early_param("mem", early_parse_mem);
2850
2851 #ifdef CONFIG_S390_SWITCH_AMODE
2852-unsigned int switch_amode = 0;
2853-EXPORT_SYMBOL_GPL(switch_amode);
2854-
2855 static int set_amode_and_uaccess(unsigned long user_amode,
2856 unsigned long user32_amode)
2857 {
2858@@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
2859 return 0;
2860 }
2861 }
2862-
2863-/*
2864- * Switch kernel/user addressing modes?
2865- */
2866-static int __init early_parse_switch_amode(char *p)
2867-{
2868- switch_amode = 1;
2869- return 0;
2870-}
2871-early_param("switch_amode", early_parse_switch_amode);
2872-
2873 #else /* CONFIG_S390_SWITCH_AMODE */
2874 static inline int set_amode_and_uaccess(unsigned long user_amode,
2875 unsigned long user32_amode)
2876@@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
2877 }
2878 #endif /* CONFIG_S390_SWITCH_AMODE */
2879
2880-#ifdef CONFIG_S390_EXEC_PROTECT
2881-unsigned int s390_noexec = 0;
2882-EXPORT_SYMBOL_GPL(s390_noexec);
2883-
2884-/*
2885- * Enable execute protection?
2886- */
2887-static int __init early_parse_noexec(char *p)
2888-{
2889- if (!strncmp(p, "off", 3))
2890- return 0;
2891- switch_amode = 1;
2892- s390_noexec = 1;
2893- return 0;
2894-}
2895-early_param("noexec", early_parse_noexec);
2896-#endif /* CONFIG_S390_EXEC_PROTECT */
2897-
2898 static void setup_addressing_mode(void)
2899 {
2900 if (s390_noexec) {
2901diff -urNp linux-2.6.32.9/arch/s390/mm/mmap.c linux-2.6.32.9/arch/s390/mm/mmap.c
2902--- linux-2.6.32.9/arch/s390/mm/mmap.c 2010-02-09 07:57:19.000000000 -0500
2903+++ linux-2.6.32.9/arch/s390/mm/mmap.c 2010-02-23 17:09:53.088041045 -0500
2904@@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
2905 */
2906 if (mmap_is_legacy()) {
2907 mm->mmap_base = TASK_UNMAPPED_BASE;
2908+
2909+#ifdef CONFIG_PAX_RANDMMAP
2910+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2911+ mm->mmap_base += mm->delta_mmap;
2912+#endif
2913+
2914 mm->get_unmapped_area = arch_get_unmapped_area;
2915 mm->unmap_area = arch_unmap_area;
2916 } else {
2917 mm->mmap_base = mmap_base();
2918+
2919+#ifdef CONFIG_PAX_RANDMMAP
2920+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2921+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2922+#endif
2923+
2924 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2925 mm->unmap_area = arch_unmap_area_topdown;
2926 }
2927@@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
2928 */
2929 if (mmap_is_legacy()) {
2930 mm->mmap_base = TASK_UNMAPPED_BASE;
2931+
2932+#ifdef CONFIG_PAX_RANDMMAP
2933+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2934+ mm->mmap_base += mm->delta_mmap;
2935+#endif
2936+
2937 mm->get_unmapped_area = s390_get_unmapped_area;
2938 mm->unmap_area = arch_unmap_area;
2939 } else {
2940 mm->mmap_base = mmap_base();
2941+
2942+#ifdef CONFIG_PAX_RANDMMAP
2943+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2944+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2945+#endif
2946+
2947 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2948 mm->unmap_area = arch_unmap_area_topdown;
2949 }
2950diff -urNp linux-2.6.32.9/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.9/arch/sh/boards/mach-hp6xx/pm.c
2951--- linux-2.6.32.9/arch/sh/boards/mach-hp6xx/pm.c 2010-02-09 07:57:19.000000000 -0500
2952+++ linux-2.6.32.9/arch/sh/boards/mach-hp6xx/pm.c 2010-02-23 17:09:53.088041045 -0500
2953@@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
2954 return 0;
2955 }
2956
2957-static struct platform_suspend_ops hp6x0_pm_ops = {
2958+static const struct platform_suspend_ops hp6x0_pm_ops = {
2959 .enter = hp6x0_pm_enter,
2960 .valid = suspend_valid_only_mem,
2961 };
2962diff -urNp linux-2.6.32.9/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.9/arch/sh/kernel/cpu/sh4/sq.c
2963--- linux-2.6.32.9/arch/sh/kernel/cpu/sh4/sq.c 2010-02-09 07:57:19.000000000 -0500
2964+++ linux-2.6.32.9/arch/sh/kernel/cpu/sh4/sq.c 2010-02-23 17:09:53.088041045 -0500
2965@@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
2966 NULL,
2967 };
2968
2969-static struct sysfs_ops sq_sysfs_ops = {
2970+static const struct sysfs_ops sq_sysfs_ops = {
2971 .show = sq_sysfs_show,
2972 .store = sq_sysfs_store,
2973 };
2974diff -urNp linux-2.6.32.9/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.9/arch/sh/kernel/cpu/shmobile/pm.c
2975--- linux-2.6.32.9/arch/sh/kernel/cpu/shmobile/pm.c 2010-02-09 07:57:19.000000000 -0500
2976+++ linux-2.6.32.9/arch/sh/kernel/cpu/shmobile/pm.c 2010-02-23 17:09:53.088041045 -0500
2977@@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
2978 return 0;
2979 }
2980
2981-static struct platform_suspend_ops sh_pm_ops = {
2982+static const struct platform_suspend_ops sh_pm_ops = {
2983 .enter = sh_pm_enter,
2984 .valid = suspend_valid_only_mem,
2985 };
2986diff -urNp linux-2.6.32.9/arch/sh/kernel/kgdb.c linux-2.6.32.9/arch/sh/kernel/kgdb.c
2987--- linux-2.6.32.9/arch/sh/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
2988+++ linux-2.6.32.9/arch/sh/kernel/kgdb.c 2010-02-23 17:09:53.088041045 -0500
2989@@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
2990 {
2991 }
2992
2993-struct kgdb_arch arch_kgdb_ops = {
2994+const struct kgdb_arch arch_kgdb_ops = {
2995 /* Breakpoint instruction: trapa #0x3c */
2996 #ifdef CONFIG_CPU_LITTLE_ENDIAN
2997 .gdb_bpt_instr = { 0x3c, 0xc3 },
2998diff -urNp linux-2.6.32.9/arch/sparc/include/asm/atomic_64.h linux-2.6.32.9/arch/sparc/include/asm/atomic_64.h
2999--- linux-2.6.32.9/arch/sparc/include/asm/atomic_64.h 2010-02-09 07:57:19.000000000 -0500
3000+++ linux-2.6.32.9/arch/sparc/include/asm/atomic_64.h 2010-02-23 17:09:53.088041045 -0500
3001@@ -14,18 +14,38 @@
3002 #define ATOMIC64_INIT(i) { (i) }
3003
3004 #define atomic_read(v) ((v)->counter)
3005+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3006+{
3007+ return v->counter;
3008+}
3009 #define atomic64_read(v) ((v)->counter)
3010+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3011+{
3012+ return v->counter;
3013+}
3014
3015 #define atomic_set(v, i) (((v)->counter) = i)
3016+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3017+{
3018+ v->counter = i;
3019+}
3020 #define atomic64_set(v, i) (((v)->counter) = i)
3021+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3022+{
3023+ v->counter = i;
3024+}
3025
3026 extern void atomic_add(int, atomic_t *);
3027+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3028 extern void atomic64_add(int, atomic64_t *);
3029+extern void atomic64_add_unchecked(int, atomic64_unchecked_t *);
3030 extern void atomic_sub(int, atomic_t *);
3031+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3032 extern void atomic64_sub(int, atomic64_t *);
3033
3034 extern int atomic_add_ret(int, atomic_t *);
3035 extern int atomic64_add_ret(int, atomic64_t *);
3036+extern int atomic64_add_ret_unchecked(int, atomic64_unchecked_t *);
3037 extern int atomic_sub_ret(int, atomic_t *);
3038 extern int atomic64_sub_ret(int, atomic64_t *);
3039
3040@@ -34,6 +54,7 @@ extern int atomic64_sub_ret(int, atomic6
3041
3042 #define atomic_inc_return(v) atomic_add_ret(1, v)
3043 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3044+#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v)
3045
3046 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3047 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3048@@ -59,7 +80,15 @@ extern int atomic64_sub_ret(int, atomic6
3049 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3050
3051 #define atomic_inc(v) atomic_add(1, v)
3052+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3053+{
3054+ atomic_add_unchecked(1, v);
3055+}
3056 #define atomic64_inc(v) atomic64_add(1, v)
3057+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3058+{
3059+ atomic64_add_unchecked(1, v);
3060+}
3061
3062 #define atomic_dec(v) atomic_sub(1, v)
3063 #define atomic64_dec(v) atomic64_sub(1, v)
3064@@ -72,17 +101,28 @@ extern int atomic64_sub_ret(int, atomic6
3065
3066 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3067 {
3068- int c, old;
3069+ int c, old, new;
3070 c = atomic_read(v);
3071 for (;;) {
3072- if (unlikely(c == (u)))
3073+ if (unlikely(c == u))
3074 break;
3075- old = atomic_cmpxchg((v), c, c + (a));
3076+
3077+ asm volatile("addcc %2, %0, %0\n"
3078+
3079+#ifdef CONFIG_PAX_REFCOUNT
3080+ "tvs %%icc, 6\n"
3081+#endif
3082+
3083+ : "=r" (new)
3084+ : "0" (c), "ir" (a)
3085+ : "cc");
3086+
3087+ old = atomic_cmpxchg(v, c, new);
3088 if (likely(old == c))
3089 break;
3090 c = old;
3091 }
3092- return c != (u);
3093+ return c != u;
3094 }
3095
3096 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
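Review bot: The inline asm in atomic_add_unless replaces the C expression `c + (a)` in every configuration, although only the `tvs %%icc, 6` line depends on CONFIG_PAX_REFCOUNT. With the option off, the block is just an `addcc` that the compiler can no longer fold or schedule. Keeping `new = c + a;` under an `#else` would leave the non-hardened build as it was. The trap instruction also has no comment; something like `/* trap on signed overflow of the counter */` above it would help, and which handler services trap 6 is not visible in this hunk. The same applies to atomic64_add_unless in the next hunk, which uses `%%xcc`.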
3097@@ -93,17 +133,28 @@ static inline int atomic_add_unless(atom
3098
3099 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
3100 {
3101- long c, old;
3102+ long c, old, new;
3103 c = atomic64_read(v);
3104 for (;;) {
3105- if (unlikely(c == (u)))
3106+ if (unlikely(c == u))
3107 break;
3108- old = atomic64_cmpxchg((v), c, c + (a));
3109+
3110+ asm volatile("addcc %2, %0, %0\n"
3111+
3112+#ifdef CONFIG_PAX_REFCOUNT
3113+ "tvs %%xcc, 6\n"
3114+#endif
3115+
3116+ : "=r" (new)
3117+ : "0" (c), "ir" (a)
3118+ : "cc");
3119+
3120+ old = atomic64_cmpxchg(v, c, new);
3121 if (likely(old == c))
3122 break;
3123 c = old;
3124 }
3125- return c != (u);
3126+ return c != u;
3127 }
3128
3129 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3130diff -urNp linux-2.6.32.9/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.9/arch/sparc/include/asm/dma-mapping.h
3131--- linux-2.6.32.9/arch/sparc/include/asm/dma-mapping.h 2010-02-09 07:57:19.000000000 -0500
3132+++ linux-2.6.32.9/arch/sparc/include/asm/dma-mapping.h 2010-02-23 17:09:53.088041045 -0500
3133@@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3134 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3135 #define dma_is_consistent(d, h) (1)
3136
3137-extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3138+extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3139 extern struct bus_type pci_bus_type;
3140
3141-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3142+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3143 {
3144 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3145 if (dev->bus == &pci_bus_type)
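Review bot: `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;` declares a pointer and an object in one statement, and after the change `const` applies to both: `dma_ops` becomes a pointer to const and `pci32_dma_ops` a const object. Splitting it avoids mistaking the second name for a pointer: `extern const struct dma_map_ops *dma_ops;` followed by `extern const struct dma_map_ops pci32_dma_ops;`. The definitions of both symbols are outside this hunk and must carry the same qualifiers.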
3146@@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3147 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3148 dma_addr_t *dma_handle, gfp_t flag)
3149 {
3150- struct dma_map_ops *ops = get_dma_ops(dev);
3151+ const struct dma_map_ops *ops = get_dma_ops(dev);
3152 void *cpu_addr;
3153
3154 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3155@@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3156 static inline void dma_free_coherent(struct device *dev, size_t size,
3157 void *cpu_addr, dma_addr_t dma_handle)
3158 {
3159- struct dma_map_ops *ops = get_dma_ops(dev);
3160+ const struct dma_map_ops *ops = get_dma_ops(dev);
3161
3162 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3163 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3164diff -urNp linux-2.6.32.9/arch/sparc/include/asm/elf_32.h linux-2.6.32.9/arch/sparc/include/asm/elf_32.h
3165--- linux-2.6.32.9/arch/sparc/include/asm/elf_32.h 2010-02-09 07:57:19.000000000 -0500
3166+++ linux-2.6.32.9/arch/sparc/include/asm/elf_32.h 2010-02-23 17:09:53.088041045 -0500
3167@@ -116,6 +116,13 @@ typedef struct {
3168
3169 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3170
3171+#ifdef CONFIG_PAX_ASLR
3172+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3173+
3174+#define PAX_DELTA_MMAP_LEN 16
3175+#define PAX_DELTA_STACK_LEN 16
3176+#endif
3177+
3178 /* This yields a mask that user programs can use to figure out what
3179 instruction set this cpu supports. This can NOT be done in userspace
3180 on Sparc. */
3181diff -urNp linux-2.6.32.9/arch/sparc/include/asm/elf_64.h linux-2.6.32.9/arch/sparc/include/asm/elf_64.h
3182--- linux-2.6.32.9/arch/sparc/include/asm/elf_64.h 2010-02-09 07:57:19.000000000 -0500
3183+++ linux-2.6.32.9/arch/sparc/include/asm/elf_64.h 2010-02-23 17:09:53.088041045 -0500
3184@@ -163,6 +163,12 @@ typedef struct {
3185 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3186 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3187
3188+#ifdef CONFIG_PAX_ASLR
3189+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3190+
3191+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3192+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3193+#endif
3194
3195 /* This yields a mask that user programs can use to figure out what
3196 instruction set this cpu supports. */
3197diff -urNp linux-2.6.32.9/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.9/arch/sparc/include/asm/pgtable_32.h
3198--- linux-2.6.32.9/arch/sparc/include/asm/pgtable_32.h 2010-02-09 07:57:19.000000000 -0500
3199+++ linux-2.6.32.9/arch/sparc/include/asm/pgtable_32.h 2010-02-23 17:09:53.088041045 -0500
3200@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3201 BTFIXUPDEF_INT(page_none)
3202 BTFIXUPDEF_INT(page_copy)
3203 BTFIXUPDEF_INT(page_readonly)
3204+
3205+#ifdef CONFIG_PAX_PAGEEXEC
3206+BTFIXUPDEF_INT(page_shared_noexec)
3207+BTFIXUPDEF_INT(page_copy_noexec)
3208+BTFIXUPDEF_INT(page_readonly_noexec)
3209+#endif
3210+
3211 BTFIXUPDEF_INT(page_kernel)
3212
3213 #define PMD_SHIFT SUN4C_PMD_SHIFT
3214@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3215 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3216 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3217
3218+#ifdef CONFIG_PAX_PAGEEXEC
3219+extern pgprot_t PAGE_SHARED_NOEXEC;
3220+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3221+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3222+#else
3223+# define PAGE_SHARED_NOEXEC PAGE_SHARED
3224+# define PAGE_COPY_NOEXEC PAGE_COPY
3225+# define PAGE_READONLY_NOEXEC PAGE_READONLY
3226+#endif
3227+
3228 extern unsigned long page_kernel;
3229
3230 #ifdef MODULE
3231diff -urNp linux-2.6.32.9/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.9/arch/sparc/include/asm/pgtsrmmu.h
3232--- linux-2.6.32.9/arch/sparc/include/asm/pgtsrmmu.h 2010-02-09 07:57:19.000000000 -0500
3233+++ linux-2.6.32.9/arch/sparc/include/asm/pgtsrmmu.h 2010-02-23 17:09:53.088041045 -0500
3234@@ -115,6 +115,13 @@
3235 SRMMU_EXEC | SRMMU_REF)
3236 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3237 SRMMU_EXEC | SRMMU_REF)
3238+
3239+#ifdef CONFIG_PAX_PAGEEXEC
3240+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3241+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3242+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3243+#endif
3244+
3245 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3246 SRMMU_DIRTY | SRMMU_REF)
3247
3248diff -urNp linux-2.6.32.9/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.9/arch/sparc/include/asm/spinlock_64.h
3249--- linux-2.6.32.9/arch/sparc/include/asm/spinlock_64.h 2010-02-09 07:57:19.000000000 -0500
3250+++ linux-2.6.32.9/arch/sparc/include/asm/spinlock_64.h 2010-02-23 17:09:53.091669311 -0500
3251@@ -99,7 +99,12 @@ static void inline arch_read_lock(raw_rw
3252 __asm__ __volatile__ (
3253 "1: ldsw [%2], %0\n"
3254 " brlz,pn %0, 2f\n"
3255-"4: add %0, 1, %1\n"
3256+"4: addcc %0, 1, %1\n"
3257+
3258+#ifdef CONFIG_PAX_REFCOUNT
3259+" tvs %%icc, 6\n"
3260+#endif
3261+
3262 " cas [%2], %0, %1\n"
3263 " cmp %0, %1\n"
3264 " bne,pn %%icc, 1b\n"
3265@@ -112,7 +117,7 @@ static void inline arch_read_lock(raw_rw
3266 " .previous"
3267 : "=&r" (tmp1), "=&r" (tmp2)
3268 : "r" (lock)
3269- : "memory");
3270+ : "memory", "cc");
3271 }
3272
3273 static int inline arch_read_trylock(raw_rwlock_t *lock)
3274@@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
3275 "1: ldsw [%2], %0\n"
3276 " brlz,a,pn %0, 2f\n"
3277 " mov 0, %0\n"
3278-" add %0, 1, %1\n"
3279+" addcc %0, 1, %1\n"
3280+
3281+#ifdef CONFIG_PAX_REFCOUNT
3282+" tvs %%icc, 6\n"
3283+#endif
3284+
3285 " cas [%2], %0, %1\n"
3286 " cmp %0, %1\n"
3287 " bne,pn %%icc, 1b\n"
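Review bot: Only arch_read_lock gets `"cc"` added to its clobber list (previous hunk). arch_read_trylock here and arch_read_unlock in the next hunk also switch to `addcc`/`subcc`, but their clobber lists lie outside the hunks and no hunk of this file changes them. The existing `cmp` already wrote the condition codes, so this may be harmless in practice, but the three functions should be declared the same way, with `: "memory", "cc");` in each.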
3288@@ -142,7 +152,12 @@ static void inline arch_read_unlock(raw_
3289
3290 __asm__ __volatile__(
3291 "1: lduw [%2], %0\n"
3292-" sub %0, 1, %1\n"
3293+" subcc %0, 1, %1\n"
3294+
3295+#ifdef CONFIG_PAX_REFCOUNT
3296+" tvs %%icc, 6\n"
3297+#endif
3298+
3299 " cas [%2], %0, %1\n"
3300 " cmp %0, %1\n"
3301 " bne,pn %%xcc, 1b\n"
3302diff -urNp linux-2.6.32.9/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.9/arch/sparc/include/asm/uaccess_32.h
3303--- linux-2.6.32.9/arch/sparc/include/asm/uaccess_32.h 2010-02-09 07:57:19.000000000 -0500
3304+++ linux-2.6.32.9/arch/sparc/include/asm/uaccess_32.h 2010-02-23 17:09:53.091669311 -0500
3305@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3306
3307 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3308 {
3309- if (n && __access_ok((unsigned long) to, n))
3310+ if ((long)n < 0)
3311+ return n;
3312+
3313+ if (n && __access_ok((unsigned long) to, n)) {
3314+ if (!__builtin_constant_p(n))
3315+ check_object_size(from, n, true);
3316 return __copy_user(to, (__force void __user *) from, n);
3317- else
3318+ } else
3319 return n;
3320 }
3321
3322 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3323 {
3324+ if ((long)n < 0)
3325+ return n;
3326+
3327+ if (!__builtin_constant_p(n))
3328+ check_object_size(from, n, true);
3329+
3330 return __copy_user(to, (__force void __user *) from, n);
3331 }
3332
3333 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3334 {
3335- if (n && __access_ok((unsigned long) from, n))
3336+ if ((long)n < 0)
3337+ return n;
3338+
3339+ if (n && __access_ok((unsigned long) from, n)) {
3340+ if (!__builtin_constant_p(n))
3341+ check_object_size(to, n, false);
3342 return __copy_user((__force void __user *) to, from, n);
3343- else
3344+ } else
3345 return n;
3346 }
3347
3348 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3349 {
3350+ if ((long)n < 0)
3351+ return n;
3352+
3353 return __copy_user((__force void __user *) to, from, n);
3354 }
3355
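Review bot: __copy_from_user receives only the `(long)n < 0` test and no `check_object_size()` call, while copy_from_user, copy_to_user and __copy_to_user in the same hunk get both. If the omission is not deliberate, adding `if (!__builtin_constant_p(n))` and `check_object_size(to, n, false);` before the `__copy_user` call would make the four helpers consistent, so callers that did their own access check still get the destination-object bound check. This hunk also adds no declaration of check_object_size, unlike the `extern` added to uaccess_64.h, so it presumably relies on one from another header.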
3356diff -urNp linux-2.6.32.9/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.9/arch/sparc/include/asm/uaccess_64.h
3357--- linux-2.6.32.9/arch/sparc/include/asm/uaccess_64.h 2010-02-09 07:57:19.000000000 -0500
3358+++ linux-2.6.32.9/arch/sparc/include/asm/uaccess_64.h 2010-02-23 17:09:53.091669311 -0500
3359@@ -9,6 +9,7 @@
3360 #include <linux/compiler.h>
3361 #include <linux/string.h>
3362 #include <linux/thread_info.h>
3363+#include <linux/kernel.h>
3364 #include <asm/asi.h>
3365 #include <asm/system.h>
3366 #include <asm/spitfire.h>
3367@@ -203,6 +204,7 @@ __asm__ __volatile__( \
3368 : "=r" (x) : "r" (__m(addr)), "i" (retval))
3369
3370 extern int __get_user_bad(void);
3371+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3372
3373 extern unsigned long __must_check ___copy_from_user(void *to,
3374 const void __user *from,
3375@@ -212,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3376 static inline unsigned long __must_check
3377 copy_from_user(void *to, const void __user *from, unsigned long size)
3378 {
3379- unsigned long ret = ___copy_from_user(to, from, size);
3380+ unsigned long ret;
3381
3382+ if ((long)size < 0 || size > INT_MAX)
3383+ return size;
3384+
3385+ if (!__builtin_constant_p(size))
3386+ check_object_size(to, size, false);
3387+
3388+ ret = ___copy_from_user(to, from, size);
3389 if (unlikely(ret))
3390 ret = copy_from_user_fixup(to, from, size);
3391 return ret;
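Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because size is an unsigned long and any value with the sign bit set is already greater than INT_MAX; `if (size > INT_MAX)` says the same thing. The same condition is repeated in the copy_to_user hunk that follows. A short comment stating that oversized requests are reported as fully uncopied, without touching `to`, would document the early return for callers.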
3392@@ -228,8 +237,15 @@ extern unsigned long copy_to_user_fixup(
3393 static inline unsigned long __must_check
3394 copy_to_user(void __user *to, const void *from, unsigned long size)
3395 {
3396- unsigned long ret = ___copy_to_user(to, from, size);
3397+ unsigned long ret;
3398+
3399+ if ((long)size < 0 || size > INT_MAX)
3400+ return size;
3401+
3402+ if (!__builtin_constant_p(size))
3403+ check_object_size(from, size, true);
3404
3405+ ret = ___copy_to_user(to, from, size);
3406 if (unlikely(ret))
3407 ret = copy_to_user_fixup(to, from, size);
3408 return ret;
3409diff -urNp linux-2.6.32.9/arch/sparc/kernel/iommu.c linux-2.6.32.9/arch/sparc/kernel/iommu.c
3410--- linux-2.6.32.9/arch/sparc/kernel/iommu.c 2010-02-09 07:57:19.000000000 -0500
3411+++ linux-2.6.32.9/arch/sparc/kernel/iommu.c 2010-02-23 17:09:53.091669311 -0500
3412@@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3413 spin_unlock_irqrestore(&iommu->lock, flags);
3414 }
3415
3416-static struct dma_map_ops sun4u_dma_ops = {
3417+static const struct dma_map_ops sun4u_dma_ops = {
3418 .alloc_coherent = dma_4u_alloc_coherent,
3419 .free_coherent = dma_4u_free_coherent,
3420 .map_page = dma_4u_map_page,
3421@@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
3422 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3423 };
3424
3425-struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3426+const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3427 EXPORT_SYMBOL(dma_ops);
3428
3429 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3430diff -urNp linux-2.6.32.9/arch/sparc/kernel/ioport.c linux-2.6.32.9/arch/sparc/kernel/ioport.c
3431--- linux-2.6.32.9/arch/sparc/kernel/ioport.c 2010-02-09 07:57:19.000000000 -0500
3432+++ linux-2.6.32.9/arch/sparc/kernel/ioport.c 2010-02-23 17:09:53.091669311 -0500
3433@@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
3434 BUG();
3435 }
3436
3437-struct dma_map_ops sbus_dma_ops = {
3438+const struct dma_map_ops sbus_dma_ops = {
3439 .alloc_coherent = sbus_alloc_coherent,
3440 .free_coherent = sbus_free_coherent,
3441 .map_page = sbus_map_page,
3442@@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
3443 .sync_sg_for_device = sbus_sync_sg_for_device,
3444 };
3445
3446-struct dma_map_ops *dma_ops = &sbus_dma_ops;
3447+const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3448 EXPORT_SYMBOL(dma_ops);
3449
3450 static int __init sparc_register_ioport(void)
3451@@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
3452 }
3453 }
3454
3455-struct dma_map_ops pci32_dma_ops = {
3456+const struct dma_map_ops pci32_dma_ops = {
3457 .alloc_coherent = pci32_alloc_coherent,
3458 .free_coherent = pci32_free_coherent,
3459 .map_page = pci32_map_page,
3460diff -urNp linux-2.6.32.9/arch/sparc/kernel/kgdb_32.c linux-2.6.32.9/arch/sparc/kernel/kgdb_32.c
3461--- linux-2.6.32.9/arch/sparc/kernel/kgdb_32.c 2010-02-09 07:57:19.000000000 -0500
3462+++ linux-2.6.32.9/arch/sparc/kernel/kgdb_32.c 2010-02-23 17:09:53.091669311 -0500
3463@@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
3464 {
3465 }
3466
3467-struct kgdb_arch arch_kgdb_ops = {
3468+const struct kgdb_arch arch_kgdb_ops = {
3469 /* Breakpoint instruction: ta 0x7d */
3470 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3471 };
3472diff -urNp linux-2.6.32.9/arch/sparc/kernel/kgdb_64.c linux-2.6.32.9/arch/sparc/kernel/kgdb_64.c
3473--- linux-2.6.32.9/arch/sparc/kernel/kgdb_64.c 2010-02-09 07:57:19.000000000 -0500
3474+++ linux-2.6.32.9/arch/sparc/kernel/kgdb_64.c 2010-02-23 17:09:53.091669311 -0500
3475@@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
3476 {
3477 }
3478
3479-struct kgdb_arch arch_kgdb_ops = {
3480+const struct kgdb_arch arch_kgdb_ops = {
3481 /* Breakpoint instruction: ta 0x72 */
3482 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3483 };
3484diff -urNp linux-2.6.32.9/arch/sparc/kernel/Makefile linux-2.6.32.9/arch/sparc/kernel/Makefile
3485--- linux-2.6.32.9/arch/sparc/kernel/Makefile 2010-02-09 07:57:19.000000000 -0500
3486+++ linux-2.6.32.9/arch/sparc/kernel/Makefile 2010-02-23 17:09:53.091669311 -0500
3487@@ -3,7 +3,7 @@
3488 #
3489
3490 asflags-y := -ansi
3491-ccflags-y := -Werror
3492+#ccflags-y := -Werror
3493
3494 extra-y := head_$(BITS).o
3495 extra-y += init_task.o
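Review bot: `#ccflags-y := -Werror` turns off warnings-as-errors for all of arch/sparc/kernel by commenting the line out, with no reason recorded. If a specific warning from this patch set made it necessary (the const-qualified ops tables are a plausible source, though that is not visible here), fixing that warning or scoping the exception to the affected object file would keep the rest of the directory covered. At minimum the line deserves a comment naming the warning that is being tolerated.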
3496diff -urNp linux-2.6.32.9/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.9/arch/sparc/kernel/pci_sun4v.c
3497--- linux-2.6.32.9/arch/sparc/kernel/pci_sun4v.c 2010-02-09 07:57:19.000000000 -0500
3498+++ linux-2.6.32.9/arch/sparc/kernel/pci_sun4v.c 2010-02-23 17:09:53.091669311 -0500
3499@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3500 spin_unlock_irqrestore(&iommu->lock, flags);
3501 }
3502
3503-static struct dma_map_ops sun4v_dma_ops = {
3504+static const struct dma_map_ops sun4v_dma_ops = {
3505 .alloc_coherent = dma_4v_alloc_coherent,
3506 .free_coherent = dma_4v_free_coherent,
3507 .map_page = dma_4v_map_page,
3508diff -urNp linux-2.6.32.9/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.9/arch/sparc/kernel/sys_sparc_32.c
3509--- linux-2.6.32.9/arch/sparc/kernel/sys_sparc_32.c 2010-02-09 07:57:19.000000000 -0500
3510+++ linux-2.6.32.9/arch/sparc/kernel/sys_sparc_32.c 2010-02-23 17:09:53.091669311 -0500
3511@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3512 if (ARCH_SUN4C && len > 0x20000000)
3513 return -ENOMEM;
3514 if (!addr)
3515- addr = TASK_UNMAPPED_BASE;
3516+ addr = current->mm->mmap_base;
3517
3518 if (flags & MAP_SHARED)
3519 addr = COLOUR_ALIGN(addr);
3520diff -urNp linux-2.6.32.9/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.9/arch/sparc/kernel/sys_sparc_64.c
3521--- linux-2.6.32.9/arch/sparc/kernel/sys_sparc_64.c 2010-02-09 07:57:19.000000000 -0500
3522+++ linux-2.6.32.9/arch/sparc/kernel/sys_sparc_64.c 2010-02-23 17:09:53.091669311 -0500
3523@@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
3524 /* We do not accept a shared mapping if it would violate
3525 * cache aliasing constraints.
3526 */
3527- if ((flags & MAP_SHARED) &&
3528+ if ((filp || (flags & MAP_SHARED)) &&
3529 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3530 return -EINVAL;
3531 return addr;
3532@@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
3533 if (filp || (flags & MAP_SHARED))
3534 do_color_align = 1;
3535
3536+#ifdef CONFIG_PAX_RANDMMAP
3537+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3538+#endif
3539+
3540 if (addr) {
3541 if (do_color_align)
3542 addr = COLOUR_ALIGN(addr, pgoff);
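Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated by `#endif` and a blank line from the `if (addr) {` block it is meant to guard. The control flow therefore differs between configurations in a way that is easy to miss or to break when a statement is later inserted between the two. Folding the condition into one statement reads more safely, for example setting a local flag under the `#ifdef` and writing `if (addr && !randmmap) {`. arch_get_unmapped_area starts and ends outside the hunk.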
3543@@ -153,9 +157,9 @@ unsigned long arch_get_unmapped_area(str
3544 }
3545
3546 if (len > mm->cached_hole_size) {
3547- start_addr = addr = mm->free_area_cache;
3548+ start_addr = addr = mm->free_area_cache;
3549 } else {
3550- start_addr = addr = TASK_UNMAPPED_BASE;
3551+ start_addr = addr = mm->mmap_base;
3552 mm->cached_hole_size = 0;
3553 }
3554
3555@@ -175,8 +179,8 @@ full_search:
3556 vma = find_vma(mm, VA_EXCLUDE_END);
3557 }
3558 if (unlikely(task_size < addr)) {
3559- if (start_addr != TASK_UNMAPPED_BASE) {
3560- start_addr = addr = TASK_UNMAPPED_BASE;
3561+ if (start_addr != mm->mmap_base) {
3562+ start_addr = addr = mm->mmap_base;
3563 mm->cached_hole_size = 0;
3564 goto full_search;
3565 }
3566@@ -216,7 +220,7 @@ arch_get_unmapped_area_topdown(struct fi
3567 /* We do not accept a shared mapping if it would violate
3568 * cache aliasing constraints.
3569 */
3570- if ((flags & MAP_SHARED) &&
3571+ if ((filp || (flags & MAP_SHARED)) &&
3572 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3573 return -EINVAL;
3574 return addr;
3575@@ -384,6 +388,12 @@ void arch_pick_mmap_layout(struct mm_str
3576 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
3577 sysctl_legacy_va_layout) {
3578 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3579+
3580+#ifdef CONFIG_PAX_RANDMMAP
3581+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3582+ mm->mmap_base += mm->delta_mmap;
3583+#endif
3584+
3585 mm->get_unmapped_area = arch_get_unmapped_area;
3586 mm->unmap_area = arch_unmap_area;
3587 } else {
3588@@ -398,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3589 gap = (task_size / 6 * 5);
3590
3591 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3592+
3593+#ifdef CONFIG_PAX_RANDMMAP
3594+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3595+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3596+#endif
3597+
3598 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3599 mm->unmap_area = arch_unmap_area_topdown;
3600 }
3601diff -urNp linux-2.6.32.9/arch/sparc/kernel/traps_64.c linux-2.6.32.9/arch/sparc/kernel/traps_64.c
3602--- linux-2.6.32.9/arch/sparc/kernel/traps_64.c 2010-02-09 07:57:19.000000000 -0500
3603+++ linux-2.6.32.9/arch/sparc/kernel/traps_64.c 2010-02-23 17:09:53.091669311 -0500
3604@@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
3605
3606 lvl -= 0x100;
3607 if (regs->tstate & TSTATE_PRIV) {
3608+
3609+#ifdef CONFIG_PAX_REFCOUNT
3610+ if (lvl == 6)
3611+ pax_report_refcount_overflow(regs);
3612+#endif
3613+
3614 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3615 die_if_kernel(buffer, regs);
3616 }
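Review bot: The literal `6` in `if (lvl == 6)` has to stay in step with the `tvs %icc, 6` / `tvs %xcc, 6` instructions this patch adds to the sparc atomic, rwsem and spinlock code, and nothing at the check says so. A named constant or a comment such as `/* software trap 6: raised by tvs on refcount overflow */` would make the coupling visible. Here the comparison runs after `lvl -= 0x100`, while the same check in the bad_trap_tl1 hunk below is made on lvl as passed in, so it is worth confirming that both see the same trap numbering. bad_trap starts outside the hunk.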
3617@@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
3618 void bad_trap_tl1(struct pt_regs *regs, long lvl)
3619 {
3620 char buffer[32];
3621-
3622+
3623 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3624 0, lvl, SIGTRAP) == NOTIFY_STOP)
3625 return;
3626
3627+#ifdef CONFIG_PAX_REFCOUNT
3628+ if (lvl == 6)
3629+ pax_report_refcount_overflow(regs);
3630+#endif
3631+
3632 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3633
3634 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3635diff -urNp linux-2.6.32.9/arch/sparc/kernel/tsb.S linux-2.6.32.9/arch/sparc/kernel/tsb.S
3636--- linux-2.6.32.9/arch/sparc/kernel/tsb.S 2010-02-09 07:57:19.000000000 -0500
3637+++ linux-2.6.32.9/arch/sparc/kernel/tsb.S 2010-02-23 17:09:53.091669311 -0500
3638@@ -191,10 +191,12 @@ tsb_dtlb_load:
3639
3640 tsb_itlb_load:
3641 /* Executable bit must be set. */
3642-661: andcc %g5, _PAGE_EXEC_4U, %g0
3643- .section .sun4v_1insn_patch, "ax"
3644+661: sethi %hi(_PAGE_EXEC_4U), %g4
3645+ andcc %g5, %g4, %g0
3646+ .section .sun4v_2insn_patch, "ax"
3647 .word 661b
3648 andcc %g5, _PAGE_EXEC_4V, %g0
3649+ nop
3650 .previous
3651
3652 be,pn %xcc, tsb_do_fault
3653diff -urNp linux-2.6.32.9/arch/sparc/lib/atomic_64.S linux-2.6.32.9/arch/sparc/lib/atomic_64.S
3654--- linux-2.6.32.9/arch/sparc/lib/atomic_64.S 2010-02-09 07:57:19.000000000 -0500
3655+++ linux-2.6.32.9/arch/sparc/lib/atomic_64.S 2010-02-23 17:09:53.091669311 -0500
3656@@ -18,7 +18,12 @@
3657 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3658 BACKOFF_SETUP(%o2)
3659 1: lduw [%o1], %g1
3660- add %g1, %o0, %g7
3661+ addcc %g1, %o0, %g7
3662+
3663+#ifdef CONFIG_PAX_REFCOUNT
3664+ tvs %icc, 6
3665+#endif
3666+
3667 cas [%o1], %g1, %g7
3668 cmp %g1, %g7
3669 bne,pn %icc, 2f
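Review bot: The `#ifdef CONFIG_PAX_REFCOUNT` / `tvs %icc, 6` / `#endif` group added to atomic_add is pasted into every checked routine in this file and again in rwsem_64.S and spinlock_64.h, with the trap number written out each time. Defining it once as an assembler macro that takes the condition-code register (`%icc` or `%xcc`) would keep the trap number in a single place and make a missed or mismatched site easier to spot in review. The routine continues outside the hunk.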
3670@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3671 2: BACKOFF_SPIN(%o2, %o3, 1b)
3672 .size atomic_add, .-atomic_add
3673
3674+ .globl atomic_add_unchecked
3675+ .type atomic_add_unchecked,#function
3676+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3677+ BACKOFF_SETUP(%o2)
3678+1: lduw [%o1], %g1
3679+ add %g1, %o0, %g7
3680+ cas [%o1], %g1, %g7
3681+ cmp %g1, %g7
3682+ bne,pn %icc, 2f
3683+ nop
3684+ retl
3685+ nop
3686+2: BACKOFF_SPIN(%o2, %o3, 1b)
3687+ .size atomic_add_unchecked, .-atomic_add_unchecked
3688+
3689 .globl atomic_sub
3690 .type atomic_sub,#function
3691 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3692 BACKOFF_SETUP(%o2)
3693 1: lduw [%o1], %g1
3694- sub %g1, %o0, %g7
3695+ subcc %g1, %o0, %g7
3696+
3697+#ifdef CONFIG_PAX_REFCOUNT
3698+ tvs %icc, 6
3699+#endif
3700+
3701 cas [%o1], %g1, %g7
3702 cmp %g1, %g7
3703 bne,pn %icc, 2f
3704@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3705 2: BACKOFF_SPIN(%o2, %o3, 1b)
3706 .size atomic_sub, .-atomic_sub
3707
3708+ .globl atomic_sub_unchecked
3709+ .type atomic_sub_unchecked,#function
3710+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3711+ BACKOFF_SETUP(%o2)
3712+1: lduw [%o1], %g1
3713+ sub %g1, %o0, %g7
3714+ cas [%o1], %g1, %g7
3715+ cmp %g1, %g7
3716+ bne,pn %icc, 2f
3717+ nop
3718+ retl
3719+ nop
3720+2: BACKOFF_SPIN(%o2, %o3, 1b)
3721+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
3722+
3723 .globl atomic_add_ret
3724 .type atomic_add_ret,#function
3725 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3726 BACKOFF_SETUP(%o2)
3727 1: lduw [%o1], %g1
3728- add %g1, %o0, %g7
3729+ addcc %g1, %o0, %g7
3730+
3731+#ifdef CONFIG_PAX_REFCOUNT
3732+ tvs %icc, 6
3733+#endif
3734+
3735 cas [%o1], %g1, %g7
3736 cmp %g1, %g7
3737 bne,pn %icc, 2f
3738@@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1
3739 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3740 BACKOFF_SETUP(%o2)
3741 1: lduw [%o1], %g1
3742- sub %g1, %o0, %g7
3743+ subcc %g1, %o0, %g7
3744+
3745+#ifdef CONFIG_PAX_REFCOUNT
3746+ tvs %icc, 6
3747+#endif
3748+
3749 cas [%o1], %g1, %g7
3750 cmp %g1, %g7
3751 bne,pn %icc, 2f
3752@@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
3753 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3754 BACKOFF_SETUP(%o2)
3755 1: ldx [%o1], %g1
3756- add %g1, %o0, %g7
3757+ addcc %g1, %o0, %g7
3758+
3759+#ifdef CONFIG_PAX_REFCOUNT
3760+ tvs %xcc, 6
3761+#endif
3762+
3763 casx [%o1], %g1, %g7
3764 cmp %g1, %g7
3765 bne,pn %xcc, 2f
3766@@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 =
3767 2: BACKOFF_SPIN(%o2, %o3, 1b)
3768 .size atomic64_add, .-atomic64_add
3769
3770+ .globl atomic64_add_unchecked
3771+ .type atomic64_add_unchecked,#function
3772+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3773+ BACKOFF_SETUP(%o2)
3774+1: ldx [%o1], %g1
3775+ addcc %g1, %o0, %g7
3776+ casx [%o1], %g1, %g7
3777+ cmp %g1, %g7
3778+ bne,pn %xcc, 2f
3779+ nop
3780+ retl
3781+ nop
3782+2: BACKOFF_SPIN(%o2, %o3, 1b)
3783+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
3784+
3785 .globl atomic64_sub
3786 .type atomic64_sub,#function
3787 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3788 BACKOFF_SETUP(%o2)
3789 1: ldx [%o1], %g1
3790- sub %g1, %o0, %g7
3791+ subcc %g1, %o0, %g7
3792+
3793+#ifdef CONFIG_PAX_REFCOUNT
3794+ tvs %xcc, 6
3795+#endif
3796+
3797 casx [%o1], %g1, %g7
3798 cmp %g1, %g7
3799 bne,pn %xcc, 2f
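Review bot: atomic64_add_unchecked uses `addcc %g1, %o0, %g7` although no `tvs` follows it, whereas the 32-bit atomic_add_unchecked and atomic_sub_unchecked added earlier in this file use plain `add`/`sub`; atomic64_add_ret_unchecked further down does the same. The following `cmp` overwrites the flags, so behaviour is unaffected, but `add %g1, %o0, %g7` would match the other unchecked variants and make it plain that no overflow test is intended. The set of unchecked routines is also uneven: this file adds no atomic64_sub_unchecked and no 32-bit `_ret_unchecked` variants.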
3800@@ -110,7 +185,12 @@ atomic64_sub: /* %o0 = decrement, %o1 =
3801 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3802 BACKOFF_SETUP(%o2)
3803 1: ldx [%o1], %g1
3804- add %g1, %o0, %g7
3805+ addcc %g1, %o0, %g7
3806+
3807+#ifdef CONFIG_PAX_REFCOUNT
3808+ tvs %xcc, 6
3809+#endif
3810+
3811 casx [%o1], %g1, %g7
3812 cmp %g1, %g7
3813 bne,pn %xcc, 2f
3814@@ -121,12 +201,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3815 2: BACKOFF_SPIN(%o2, %o3, 1b)
3816 .size atomic64_add_ret, .-atomic64_add_ret
3817
3818+ .globl atomic64_add_ret_unchecked
3819+ .type atomic64_add_ret_unchecked,#function
3820+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3821+ BACKOFF_SETUP(%o2)
3822+1: ldx [%o1], %g1
3823+ addcc %g1, %o0, %g7
3824+ casx [%o1], %g1, %g7
3825+ cmp %g1, %g7
3826+ bne,pn %xcc, 2f
3827+ add %g7, %o0, %g7
3828+ mov %g7, %o0
3829+ retl
3830+ nop
3831+2: BACKOFF_SPIN(%o2, %o3, 1b)
3832+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
3833+
3834 .globl atomic64_sub_ret
3835 .type atomic64_sub_ret,#function
3836 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3837 BACKOFF_SETUP(%o2)
3838 1: ldx [%o1], %g1
3839- sub %g1, %o0, %g7
3840+ subcc %g1, %o0, %g7
3841+
3842+#ifdef CONFIG_PAX_REFCOUNT
3843+ tvs %xcc, 6
3844+#endif
3845+
3846 casx [%o1], %g1, %g7
3847 cmp %g1, %g7
3848 bne,pn %xcc, 2f
3849diff -urNp linux-2.6.32.9/arch/sparc/lib/ksyms.c linux-2.6.32.9/arch/sparc/lib/ksyms.c
3850--- linux-2.6.32.9/arch/sparc/lib/ksyms.c 2010-02-09 07:57:19.000000000 -0500
3851+++ linux-2.6.32.9/arch/sparc/lib/ksyms.c 2010-02-23 17:09:53.091669311 -0500
3852@@ -144,8 +144,10 @@ EXPORT_SYMBOL(__downgrade_write);
3853
3854 /* Atomic counter implementation. */
3855 EXPORT_SYMBOL(atomic_add);
3856+EXPORT_SYMBOL(atomic_add_unchecked);
3857 EXPORT_SYMBOL(atomic_add_ret);
3858 EXPORT_SYMBOL(atomic_sub);
3859+EXPORT_SYMBOL(atomic_sub_unchecked);
3860 EXPORT_SYMBOL(atomic_sub_ret);
3861 EXPORT_SYMBOL(atomic64_add);
3862 EXPORT_SYMBOL(atomic64_add_ret);
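Review bot: Only `atomic_add_unchecked` and `atomic_sub_unchecked` are exported here, while atomic_64.S in this patch also adds the global routines atomic64_add_unchecked and atomic64_add_ret_unchecked. Modular code converted to the 64-bit unchecked variants would not be able to resolve them. Adding `EXPORT_SYMBOL(atomic64_add_unchecked);` and `EXPORT_SYMBOL(atomic64_add_ret_unchecked);` next to the existing atomic64 exports would close the gap. Whether such module users exist is not visible in this part of the patch.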
3863diff -urNp linux-2.6.32.9/arch/sparc/lib/rwsem_64.S linux-2.6.32.9/arch/sparc/lib/rwsem_64.S
3864--- linux-2.6.32.9/arch/sparc/lib/rwsem_64.S 2010-02-09 07:57:19.000000000 -0500
3865+++ linux-2.6.32.9/arch/sparc/lib/rwsem_64.S 2010-02-23 17:09:53.091669311 -0500
3866@@ -11,7 +11,12 @@
3867 .globl __down_read
3868 __down_read:
3869 1: lduw [%o0], %g1
3870- add %g1, 1, %g7
3871+ addcc %g1, 1, %g7
3872+
3873+#ifdef CONFIG_PAX_REFCOUNT
3874+ tvs %icc, 6
3875+#endif
3876+
3877 cas [%o0], %g1, %g7
3878 cmp %g1, %g7
3879 bne,pn %icc, 1b
3880@@ -33,7 +38,12 @@ __down_read:
3881 .globl __down_read_trylock
3882 __down_read_trylock:
3883 1: lduw [%o0], %g1
3884- add %g1, 1, %g7
3885+ addcc %g1, 1, %g7
3886+
3887+#ifdef CONFIG_PAX_REFCOUNT
3888+ tvs %icc, 6
3889+#endif
3890+
3891 cmp %g7, 0
3892 bl,pn %icc, 2f
3893 mov 0, %o1
3894@@ -51,7 +61,12 @@ __down_write:
3895 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3896 1:
3897 lduw [%o0], %g3
3898- add %g3, %g1, %g7
3899+ addcc %g3, %g1, %g7
3900+
3901+#ifdef CONFIG_PAX_REFCOUNT
3902+ tvs %icc, 6
3903+#endif
3904+
3905 cas [%o0], %g3, %g7
3906 cmp %g3, %g7
3907 bne,pn %icc, 1b
3908@@ -77,7 +92,12 @@ __down_write_trylock:
3909 cmp %g3, 0
3910 bne,pn %icc, 2f
3911 mov 0, %o1
3912- add %g3, %g1, %g7
3913+ addcc %g3, %g1, %g7
3914+
3915+#ifdef CONFIG_PAX_REFCOUNT
3916+ tvs %icc, 6
3917+#endif
3918+
3919 cas [%o0], %g3, %g7
3920 cmp %g3, %g7
3921 bne,pn %icc, 1b
3922@@ -90,7 +110,12 @@ __down_write_trylock:
3923 __up_read:
3924 1:
3925 lduw [%o0], %g1
3926- sub %g1, 1, %g7
3927+ subcc %g1, 1, %g7
3928+
3929+#ifdef CONFIG_PAX_REFCOUNT
3930+ tvs %icc, 6
3931+#endif
3932+
3933 cas [%o0], %g1, %g7
3934 cmp %g1, %g7
3935 bne,pn %icc, 1b
3936@@ -118,7 +143,12 @@ __up_write:
3937 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3938 1:
3939 lduw [%o0], %g3
3940- sub %g3, %g1, %g7
3941+ subcc %g3, %g1, %g7
3942+
3943+#ifdef CONFIG_PAX_REFCOUNT
3944+ tvs %icc, 6
3945+#endif
3946+
3947 cas [%o0], %g3, %g7
3948 cmp %g3, %g7
3949 bne,pn %icc, 1b
3950@@ -143,7 +173,12 @@ __downgrade_write:
3951 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
3952 1:
3953 lduw [%o0], %g3
3954- sub %g3, %g1, %g7
3955+ subcc %g3, %g1, %g7
3956+
3957+#ifdef CONFIG_PAX_REFCOUNT
3958+ tvs %icc, 6
3959+#endif
3960+
3961 cas [%o0], %g3, %g7
3962 cmp %g3, %g7
3963 bne,pn %icc, 1b
3964diff -urNp linux-2.6.32.9/arch/sparc/Makefile linux-2.6.32.9/arch/sparc/Makefile
3965--- linux-2.6.32.9/arch/sparc/Makefile 2010-02-09 07:57:19.000000000 -0500
3966+++ linux-2.6.32.9/arch/sparc/Makefile 2010-02-23 17:09:53.091669311 -0500
3967@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
3968 # Export what is needed by arch/sparc/boot/Makefile
3969 export VMLINUX_INIT VMLINUX_MAIN
3970 VMLINUX_INIT := $(head-y) $(init-y)
3971-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
3972+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
3973 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
3974 VMLINUX_MAIN += $(drivers-y) $(net-y)
3975
3976diff -urNp linux-2.6.32.9/arch/sparc/mm/fault_32.c linux-2.6.32.9/arch/sparc/mm/fault_32.c
3977--- linux-2.6.32.9/arch/sparc/mm/fault_32.c 2010-02-09 07:57:19.000000000 -0500
3978+++ linux-2.6.32.9/arch/sparc/mm/fault_32.c 2010-02-23 17:09:53.091669311 -0500
3979@@ -21,6 +21,9 @@
3980 #include <linux/interrupt.h>
3981 #include <linux/module.h>
3982 #include <linux/kdebug.h>
3983+#include <linux/slab.h>
3984+#include <linux/pagemap.h>
3985+#include <linux/compiler.h>
3986
3987 #include <asm/system.h>
3988 #include <asm/page.h>
3989@@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
3990 return safe_compute_effective_address(regs, insn);
3991 }
3992
3993+#ifdef CONFIG_PAX_PAGEEXEC
3994+#ifdef CONFIG_PAX_DLRESOLVE
3995+static void pax_emuplt_close(struct vm_area_struct *vma)
3996+{
3997+ vma->vm_mm->call_dl_resolve = 0UL;
3998+}
3999+
4000+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4001+{
4002+ unsigned int *kaddr;
4003+
4004+ vmf->page = alloc_page(GFP_HIGHUSER);
4005+ if (!vmf->page)
4006+ return VM_FAULT_OOM;
4007+
4008+ kaddr = kmap(vmf->page);
4009+ memset(kaddr, 0, PAGE_SIZE);
4010+ kaddr[0] = 0x9DE3BFA8U; /* save */
4011+ flush_dcache_page(vmf->page);
4012+ kunmap(vmf->page);
4013+ return VM_FAULT_MAJOR;
4014+}
4015+
4016+static const struct vm_operations_struct pax_vm_ops = {
4017+ .close = pax_emuplt_close,
4018+ .fault = pax_emuplt_fault
4019+};
4020+
4021+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4022+{
4023+ int ret;
4024+
4025+ vma->vm_mm = current->mm;
4026+ vma->vm_start = addr;
4027+ vma->vm_end = addr + PAGE_SIZE;
4028+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4029+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4030+ vma->vm_ops = &pax_vm_ops;
4031+
4032+ ret = insert_vm_struct(current->mm, vma);
4033+ if (ret)
4034+ return ret;
4035+
4036+ ++current->mm->total_vm;
4037+ return 0;
4038+}
4039+#endif
4040+
4041+/*
4042+ * PaX: decide what to do with offenders (regs->pc = fault address)
4043+ *
4044+ * returns 1 when task should be killed
4045+ * 2 when patched PLT trampoline was detected
4046+ * 3 when unpatched PLT trampoline was detected
4047+ */
4048+static int pax_handle_fetch_fault(struct pt_regs *regs)
4049+{
4050+
4051+#ifdef CONFIG_PAX_EMUPLT
4052+ int err;
4053+
4054+ do { /* PaX: patched PLT emulation #1 */
4055+ unsigned int sethi1, sethi2, jmpl;
4056+
4057+ err = get_user(sethi1, (unsigned int *)regs->pc);
4058+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4059+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4060+
4061+ if (err)
4062+ break;
4063+
4064+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4065+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4066+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4067+ {
4068+ unsigned int addr;
4069+
4070+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4071+ addr = regs->u_regs[UREG_G1];
4072+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4073+ regs->pc = addr;
4074+ regs->npc = addr+4;
4075+ return 2;
4076+ }
4077+ } while (0);
4078+
4079+ { /* PaX: patched PLT emulation #2 */
4080+ unsigned int ba;
4081+
4082+ err = get_user(ba, (unsigned int *)regs->pc);
4083+
4084+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4085+ unsigned int addr;
4086+
4087+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4088+ regs->pc = addr;
4089+ regs->npc = addr+4;
4090+ return 2;
4091+ }
4092+ }
4093+
4094+ do { /* PaX: patched PLT emulation #3 */
4095+ unsigned int sethi, jmpl, nop;
4096+
4097+ err = get_user(sethi, (unsigned int *)regs->pc);
4098+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4099+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4100+
4101+ if (err)
4102+ break;
4103+
4104+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4105+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4106+ nop == 0x01000000U)
4107+ {
4108+ unsigned int addr;
4109+
4110+ addr = (sethi & 0x003FFFFFU) << 10;
4111+ regs->u_regs[UREG_G1] = addr;
4112+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4113+ regs->pc = addr;
4114+ regs->npc = addr+4;
4115+ return 2;
4116+ }
4117+ } while (0);
4118+
4119+ do { /* PaX: unpatched PLT emulation step 1 */
4120+ unsigned int sethi, ba, nop;
4121+
4122+ err = get_user(sethi, (unsigned int *)regs->pc);
4123+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
4124+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4125+
4126+ if (err)
4127+ break;
4128+
4129+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4130+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4131+ nop == 0x01000000U)
4132+ {
4133+ unsigned int addr, save, call;
4134+
4135+ if ((ba & 0xFFC00000U) == 0x30800000U)
4136+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4137+ else
4138+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4139+
4140+ err = get_user(save, (unsigned int *)addr);
4141+ err |= get_user(call, (unsigned int *)(addr+4));
4142+ err |= get_user(nop, (unsigned int *)(addr+8));
4143+ if (err)
4144+ break;
4145+
4146+#ifdef CONFIG_PAX_DLRESOLVE
4147+ if (save == 0x9DE3BFA8U &&
4148+ (call & 0xC0000000U) == 0x40000000U &&
4149+ nop == 0x01000000U)
4150+ {
4151+ struct vm_area_struct *vma;
4152+ unsigned long call_dl_resolve;
4153+
4154+ down_read(&current->mm->mmap_sem);
4155+ call_dl_resolve = current->mm->call_dl_resolve;
4156+ up_read(&current->mm->mmap_sem);
4157+ if (likely(call_dl_resolve))
4158+ goto emulate;
4159+
4160+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4161+
4162+ down_write(&current->mm->mmap_sem);
4163+ if (current->mm->call_dl_resolve) {
4164+ call_dl_resolve = current->mm->call_dl_resolve;
4165+ up_write(&current->mm->mmap_sem);
4166+ if (vma)
4167+ kmem_cache_free(vm_area_cachep, vma);
4168+ goto emulate;
4169+ }
4170+
4171+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4172+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4173+ up_write(&current->mm->mmap_sem);
4174+ if (vma)
4175+ kmem_cache_free(vm_area_cachep, vma);
4176+ return 1;
4177+ }
4178+
4179+ if (pax_insert_vma(vma, call_dl_resolve)) {
4180+ up_write(&current->mm->mmap_sem);
4181+ kmem_cache_free(vm_area_cachep, vma);
4182+ return 1;
4183+ }
4184+
4185+ current->mm->call_dl_resolve = call_dl_resolve;
4186+ up_write(&current->mm->mmap_sem);
4187+
4188+emulate:
4189+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4190+ regs->pc = call_dl_resolve;
4191+ regs->npc = addr+4;
4192+ return 3;
4193+ }
4194+#endif
4195+
4196+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4197+ if ((save & 0xFFC00000U) == 0x05000000U &&
4198+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4199+ nop == 0x01000000U)
4200+ {
4201+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4202+ regs->u_regs[UREG_G2] = addr + 4;
4203+ addr = (save & 0x003FFFFFU) << 10;
4204+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4205+ regs->pc = addr;
4206+ regs->npc = addr+4;
4207+ return 3;
4208+ }
4209+ }
4210+ } while (0);
4211+
4212+ do { /* PaX: unpatched PLT emulation step 2 */
4213+ unsigned int save, call, nop;
4214+
4215+ err = get_user(save, (unsigned int *)(regs->pc-4));
4216+ err |= get_user(call, (unsigned int *)regs->pc);
4217+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
4218+ if (err)
4219+ break;
4220+
4221+ if (save == 0x9DE3BFA8U &&
4222+ (call & 0xC0000000U) == 0x40000000U &&
4223+ nop == 0x01000000U)
4224+ {
4225+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4226+
4227+ regs->u_regs[UREG_RETPC] = regs->pc;
4228+ regs->pc = dl_resolve;
4229+ regs->npc = dl_resolve+4;
4230+ return 3;
4231+ }
4232+ } while (0);
4233+#endif
4234+
4235+ return 1;
4236+}
4237+
4238+void pax_report_insns(void *pc, void *sp)
4239+{
4240+ unsigned long i;
4241+
4242+ printk(KERN_ERR "PAX: bytes at PC: ");
4243+ for (i = 0; i < 8; i++) {
4244+ unsigned int c;
4245+ if (get_user(c, (unsigned int *)pc+i))
4246+ printk(KERN_CONT "???????? ");
4247+ else
4248+ printk(KERN_CONT "%08x ", c);
4249+ }
4250+ printk("\n");
4251+}
4252+#endif
4253+
4254 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
4255 unsigned long address)
4256 {
4257@@ -231,6 +495,24 @@ good_area:
4258 if(!(vma->vm_flags & VM_WRITE))
4259 goto bad_area;
4260 } else {
4261+
4262+#ifdef CONFIG_PAX_PAGEEXEC
4263+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4264+ up_read(&mm->mmap_sem);
4265+ switch (pax_handle_fetch_fault(regs)) {
4266+
4267+#ifdef CONFIG_PAX_EMUPLT
4268+ case 2:
4269+ case 3:
4270+ return;
4271+#endif
4272+
4273+ }
4274+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4275+ do_group_exit(SIGKILL);
4276+ }
4277+#endif
4278+
4279 /* Allow reads even for write-only mappings */
4280 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4281 goto bad_area;
4282diff -urNp linux-2.6.32.9/arch/sparc/mm/fault_64.c linux-2.6.32.9/arch/sparc/mm/fault_64.c
4283--- linux-2.6.32.9/arch/sparc/mm/fault_64.c 2010-02-09 07:57:19.000000000 -0500
4284+++ linux-2.6.32.9/arch/sparc/mm/fault_64.c 2010-02-23 17:11:24.403715775 -0500
4285@@ -20,6 +20,9 @@
4286 #include <linux/kprobes.h>
4287 #include <linux/kdebug.h>
4288 #include <linux/percpu.h>
4289+#include <linux/slab.h>
4290+#include <linux/pagemap.h>
4291+#include <linux/compiler.h>
4292
4293 #include <asm/page.h>
4294 #include <asm/pgtable.h>
4295@@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
4296 show_regs(regs);
4297 }
4298
4299+#ifdef CONFIG_PAX_PAGEEXEC
4300+#ifdef CONFIG_PAX_DLRESOLVE
4301+static void pax_emuplt_close(struct vm_area_struct *vma)
4302+{
4303+ vma->vm_mm->call_dl_resolve = 0UL;
4304+}
4305+
4306+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4307+{
4308+ unsigned int *kaddr;
4309+
4310+ vmf->page = alloc_page(GFP_HIGHUSER);
4311+ if (!vmf->page)
4312+ return VM_FAULT_OOM;
4313+
4314+ kaddr = kmap(vmf->page);
4315+ memset(kaddr, 0, PAGE_SIZE);
4316+ kaddr[0] = 0x9DE3BFA8U; /* save */
4317+ flush_dcache_page(vmf->page);
4318+ kunmap(vmf->page);
4319+ return VM_FAULT_MAJOR;
4320+}
4321+
4322+static const struct vm_operations_struct pax_vm_ops = {
4323+ .close = pax_emuplt_close,
4324+ .fault = pax_emuplt_fault
4325+};
4326+
4327+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4328+{
4329+ int ret;
4330+
4331+ vma->vm_mm = current->mm;
4332+ vma->vm_start = addr;
4333+ vma->vm_end = addr + PAGE_SIZE;
4334+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4335+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4336+ vma->vm_ops = &pax_vm_ops;
4337+
4338+ ret = insert_vm_struct(current->mm, vma);
4339+ if (ret)
4340+ return ret;
4341+
4342+ ++current->mm->total_vm;
4343+ return 0;
4344+}
4345+#endif
4346+
4347+/*
4348+ * PaX: decide what to do with offenders (regs->tpc = fault address)
4349+ *
4350+ * returns 1 when task should be killed
4351+ * 2 when patched PLT trampoline was detected
4352+ * 3 when unpatched PLT trampoline was detected
4353+ */
4354+static int pax_handle_fetch_fault(struct pt_regs *regs)
4355+{
4356+
4357+#ifdef CONFIG_PAX_EMUPLT
4358+ int err;
4359+
4360+ do { /* PaX: patched PLT emulation #1 */
4361+ unsigned int sethi1, sethi2, jmpl;
4362+
4363+ err = get_user(sethi1, (unsigned int *)regs->tpc);
4364+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4365+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4366+
4367+ if (err)
4368+ break;
4369+
4370+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4371+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4372+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4373+ {
4374+ unsigned long addr;
4375+
4376+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4377+ addr = regs->u_regs[UREG_G1];
4378+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4379+
4380+ if (test_thread_flag(TIF_32BIT))
4381+ addr &= 0xFFFFFFFFUL;
4382+
4383+ regs->tpc = addr;
4384+ regs->tnpc = addr+4;
4385+ return 2;
4386+ }
4387+ } while (0);
4388+
4389+ { /* PaX: patched PLT emulation #2 */
4390+ unsigned int ba;
4391+
4392+ err = get_user(ba, (unsigned int *)regs->tpc);
4393+
4394+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4395+ unsigned long addr;
4396+
4397+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4398+
4399+ if (test_thread_flag(TIF_32BIT))
4400+ addr &= 0xFFFFFFFFUL;
4401+
4402+ regs->tpc = addr;
4403+ regs->tnpc = addr+4;
4404+ return 2;
4405+ }
4406+ }
4407+
4408+ do { /* PaX: patched PLT emulation #3 */
4409+ unsigned int sethi, jmpl, nop;
4410+
4411+ err = get_user(sethi, (unsigned int *)regs->tpc);
4412+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4413+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4414+
4415+ if (err)
4416+ break;
4417+
4418+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4419+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4420+ nop == 0x01000000U)
4421+ {
4422+ unsigned long addr;
4423+
4424+ addr = (sethi & 0x003FFFFFU) << 10;
4425+ regs->u_regs[UREG_G1] = addr;
4426+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4427+
4428+ if (test_thread_flag(TIF_32BIT))
4429+ addr &= 0xFFFFFFFFUL;
4430+
4431+ regs->tpc = addr;
4432+ regs->tnpc = addr+4;
4433+ return 2;
4434+ }
4435+ } while (0);
4436+
4437+ do { /* PaX: patched PLT emulation #4 */
4438+ unsigned int sethi, mov1, call, mov2;
4439+
4440+ err = get_user(sethi, (unsigned int *)regs->tpc);
4441+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4442+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
4443+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4444+
4445+ if (err)
4446+ break;
4447+
4448+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4449+ mov1 == 0x8210000FU &&
4450+ (call & 0xC0000000U) == 0x40000000U &&
4451+ mov2 == 0x9E100001U)
4452+ {
4453+ unsigned long addr;
4454+
4455+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4456+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4457+
4458+ if (test_thread_flag(TIF_32BIT))
4459+ addr &= 0xFFFFFFFFUL;
4460+
4461+ regs->tpc = addr;
4462+ regs->tnpc = addr+4;
4463+ return 2;
4464+ }
4465+ } while (0);
4466+
4467+ do { /* PaX: patched PLT emulation #5 */
4468+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4469+
4470+ err = get_user(sethi, (unsigned int *)regs->tpc);
4471+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4472+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4473+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4474+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4475+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4476+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4477+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4478+
4479+ if (err)
4480+ break;
4481+
4482+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4483+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4484+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4485+ (or1 & 0xFFFFE000U) == 0x82106000U &&
4486+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4487+ sllx == 0x83287020U &&
4488+ jmpl == 0x81C04005U &&
4489+ nop == 0x01000000U)
4490+ {
4491+ unsigned long addr;
4492+
4493+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4494+ regs->u_regs[UREG_G1] <<= 32;
4495+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4496+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4497+ regs->tpc = addr;
4498+ regs->tnpc = addr+4;
4499+ return 2;
4500+ }
4501+ } while (0);
4502+
4503+ do { /* PaX: patched PLT emulation #6 */
4504+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
4505+
4506+ err = get_user(sethi, (unsigned int *)regs->tpc);
4507+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4508+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4509+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4510+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
4511+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4512+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4513+
4514+ if (err)
4515+ break;
4516+
4517+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4518+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4519+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4520+ sllx == 0x83287020U &&
4521+ (or & 0xFFFFE000U) == 0x8A116000U &&
4522+ jmpl == 0x81C04005U &&
4523+ nop == 0x01000000U)
4524+ {
4525+ unsigned long addr;
4526+
4527+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4528+ regs->u_regs[UREG_G1] <<= 32;
4529+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4530+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4531+ regs->tpc = addr;
4532+ regs->tnpc = addr+4;
4533+ return 2;
4534+ }
4535+ } while (0);
4536+
4537+ do { /* PaX: unpatched PLT emulation step 1 */
4538+ unsigned int sethi, ba, nop;
4539+
4540+ err = get_user(sethi, (unsigned int *)regs->tpc);
4541+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4542+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4543+
4544+ if (err)
4545+ break;
4546+
4547+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4548+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4549+ nop == 0x01000000U)
4550+ {
4551+ unsigned long addr;
4552+ unsigned int save, call;
4553+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4554+
4555+ if ((ba & 0xFFC00000U) == 0x30800000U)
4556+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4557+ else
4558+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4559+
4560+ if (test_thread_flag(TIF_32BIT))
4561+ addr &= 0xFFFFFFFFUL;
4562+
4563+ err = get_user(save, (unsigned int *)addr);
4564+ err |= get_user(call, (unsigned int *)(addr+4));
4565+ err |= get_user(nop, (unsigned int *)(addr+8));
4566+ if (err)
4567+ break;
4568+
4569+#ifdef CONFIG_PAX_DLRESOLVE
4570+ if (save == 0x9DE3BFA8U &&
4571+ (call & 0xC0000000U) == 0x40000000U &&
4572+ nop == 0x01000000U)
4573+ {
4574+ struct vm_area_struct *vma;
4575+ unsigned long call_dl_resolve;
4576+
4577+ down_read(&current->mm->mmap_sem);
4578+ call_dl_resolve = current->mm->call_dl_resolve;
4579+ up_read(&current->mm->mmap_sem);
4580+ if (likely(call_dl_resolve))
4581+ goto emulate;
4582+
4583+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4584+
4585+ down_write(&current->mm->mmap_sem);
4586+ if (current->mm->call_dl_resolve) {
4587+ call_dl_resolve = current->mm->call_dl_resolve;
4588+ up_write(&current->mm->mmap_sem);
4589+ if (vma)
4590+ kmem_cache_free(vm_area_cachep, vma);
4591+ goto emulate;
4592+ }
4593+
4594+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4595+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4596+ up_write(&current->mm->mmap_sem);
4597+ if (vma)
4598+ kmem_cache_free(vm_area_cachep, vma);
4599+ return 1;
4600+ }
4601+
4602+ if (pax_insert_vma(vma, call_dl_resolve)) {
4603+ up_write(&current->mm->mmap_sem);
4604+ kmem_cache_free(vm_area_cachep, vma);
4605+ return 1;
4606+ }
4607+
4608+ current->mm->call_dl_resolve = call_dl_resolve;
4609+ up_write(&current->mm->mmap_sem);
4610+
4611+emulate:
4612+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4613+ regs->tpc = call_dl_resolve;
4614+ regs->tnpc = addr+4;
4615+ return 3;
4616+ }
4617+#endif
4618+
4619+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4620+ if ((save & 0xFFC00000U) == 0x05000000U &&
4621+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4622+ nop == 0x01000000U)
4623+ {
4624+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4625+ regs->u_regs[UREG_G2] = addr + 4;
4626+ addr = (save & 0x003FFFFFU) << 10;
4627+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4628+
4629+ if (test_thread_flag(TIF_32BIT))
4630+ addr &= 0xFFFFFFFFUL;
4631+
4632+ regs->tpc = addr;
4633+ regs->tnpc = addr+4;
4634+ return 3;
4635+ }
4636+
4637+ /* PaX: 64-bit PLT stub */
4638+ err = get_user(sethi1, (unsigned int *)addr);
4639+ err |= get_user(sethi2, (unsigned int *)(addr+4));
4640+ err |= get_user(or1, (unsigned int *)(addr+8));
4641+ err |= get_user(or2, (unsigned int *)(addr+12));
4642+ err |= get_user(sllx, (unsigned int *)(addr+16));
4643+ err |= get_user(add, (unsigned int *)(addr+20));
4644+ err |= get_user(jmpl, (unsigned int *)(addr+24));
4645+ err |= get_user(nop, (unsigned int *)(addr+28));
4646+ if (err)
4647+ break;
4648+
4649+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4650+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4651+ (or1 & 0xFFFFE000U) == 0x88112000U &&
4652+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4653+ sllx == 0x89293020U &&
4654+ add == 0x8A010005U &&
4655+ jmpl == 0x89C14000U &&
4656+ nop == 0x01000000U)
4657+ {
4658+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4659+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4660+ regs->u_regs[UREG_G4] <<= 32;
4661+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4662+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4663+ regs->u_regs[UREG_G4] = addr + 24;
4664+ addr = regs->u_regs[UREG_G5];
4665+ regs->tpc = addr;
4666+ regs->tnpc = addr+4;
4667+ return 3;
4668+ }
4669+ }
4670+ } while (0);
4671+
4672+#ifdef CONFIG_PAX_DLRESOLVE
4673+ do { /* PaX: unpatched PLT emulation step 2 */
4674+ unsigned int save, call, nop;
4675+
4676+ err = get_user(save, (unsigned int *)(regs->tpc-4));
4677+ err |= get_user(call, (unsigned int *)regs->tpc);
4678+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4679+ if (err)
4680+ break;
4681+
4682+ if (save == 0x9DE3BFA8U &&
4683+ (call & 0xC0000000U) == 0x40000000U &&
4684+ nop == 0x01000000U)
4685+ {
4686+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4687+
4688+ if (test_thread_flag(TIF_32BIT))
4689+ dl_resolve &= 0xFFFFFFFFUL;
4690+
4691+ regs->u_regs[UREG_RETPC] = regs->tpc;
4692+ regs->tpc = dl_resolve;
4693+ regs->tnpc = dl_resolve+4;
4694+ return 3;
4695+ }
4696+ } while (0);
4697+#endif
4698+
4699+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4700+ unsigned int sethi, ba, nop;
4701+
4702+ err = get_user(sethi, (unsigned int *)regs->tpc);
4703+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4704+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4705+
4706+ if (err)
4707+ break;
4708+
4709+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4710+ (ba & 0xFFF00000U) == 0x30600000U &&
4711+ nop == 0x01000000U)
4712+ {
4713+ unsigned long addr;
4714+
4715+ addr = (sethi & 0x003FFFFFU) << 10;
4716+ regs->u_regs[UREG_G1] = addr;
4717+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4718+
4719+ if (test_thread_flag(TIF_32BIT))
4720+ addr &= 0xFFFFFFFFUL;
4721+
4722+ regs->tpc = addr;
4723+ regs->tnpc = addr+4;
4724+ return 2;
4725+ }
4726+ } while (0);
4727+
4728+#endif
4729+
4730+ return 1;
4731+}
4732+
4733+void pax_report_insns(void *pc, void *sp)
4734+{
4735+ unsigned long i;
4736+
4737+ printk(KERN_ERR "PAX: bytes at PC: ");
4738+ for (i = 0; i < 8; i++) {
4739+ unsigned int c;
4740+ if (get_user(c, (unsigned int *)pc+i))
4741+ printk(KERN_CONT "???????? ");
4742+ else
4743+ printk(KERN_CONT "%08x ", c);
4744+ }
4745+ printk("\n");
4746+}
4747+#endif
4748+
4749 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4750 {
4751 struct mm_struct *mm = current->mm;
4752@@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
4753 if (!vma)
4754 goto bad_area;
4755
4756+#ifdef CONFIG_PAX_PAGEEXEC
4757+ /* PaX: detect ITLB misses on non-exec pages */
4758+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4759+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4760+ {
4761+ if (address != regs->tpc)
4762+ goto good_area;
4763+
4764+ up_read(&mm->mmap_sem);
4765+ switch (pax_handle_fetch_fault(regs)) {
4766+
4767+#ifdef CONFIG_PAX_EMUPLT
4768+ case 2:
4769+ case 3:
4770+ return;
4771+#endif
4772+
4773+ }
4774+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4775+ do_group_exit(SIGKILL);
4776+ }
4777+#endif
4778+
4779 /* Pure DTLB misses do not tell us whether the fault causing
4780 * load/store/atomic was a write or not, it only says that there
4781 * was no match. So in such a case we (carefully) read the
4782diff -urNp linux-2.6.32.9/arch/sparc/mm/init_32.c linux-2.6.32.9/arch/sparc/mm/init_32.c
4783--- linux-2.6.32.9/arch/sparc/mm/init_32.c 2010-02-09 07:57:19.000000000 -0500
4784+++ linux-2.6.32.9/arch/sparc/mm/init_32.c 2010-02-23 17:09:53.095660904 -0500
4785@@ -317,6 +317,9 @@ extern void device_scan(void);
4786 pgprot_t PAGE_SHARED __read_mostly;
4787 EXPORT_SYMBOL(PAGE_SHARED);
4788
4789+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4790+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4791+
4792 void __init paging_init(void)
4793 {
4794 switch(sparc_cpu_model) {
4795@@ -345,17 +348,17 @@ void __init paging_init(void)
4796
4797 /* Initialize the protection map with non-constant, MMU dependent values. */
4798 protection_map[0] = PAGE_NONE;
4799- protection_map[1] = PAGE_READONLY;
4800- protection_map[2] = PAGE_COPY;
4801- protection_map[3] = PAGE_COPY;
4802+ protection_map[1] = PAGE_READONLY_NOEXEC;
4803+ protection_map[2] = PAGE_COPY_NOEXEC;
4804+ protection_map[3] = PAGE_COPY_NOEXEC;
4805 protection_map[4] = PAGE_READONLY;
4806 protection_map[5] = PAGE_READONLY;
4807 protection_map[6] = PAGE_COPY;
4808 protection_map[7] = PAGE_COPY;
4809 protection_map[8] = PAGE_NONE;
4810- protection_map[9] = PAGE_READONLY;
4811- protection_map[10] = PAGE_SHARED;
4812- protection_map[11] = PAGE_SHARED;
4813+ protection_map[9] = PAGE_READONLY_NOEXEC;
4814+ protection_map[10] = PAGE_SHARED_NOEXEC;
4815+ protection_map[11] = PAGE_SHARED_NOEXEC;
4816 protection_map[12] = PAGE_READONLY;
4817 protection_map[13] = PAGE_READONLY;
4818 protection_map[14] = PAGE_SHARED;
4819diff -urNp linux-2.6.32.9/arch/sparc/mm/Makefile linux-2.6.32.9/arch/sparc/mm/Makefile
4820--- linux-2.6.32.9/arch/sparc/mm/Makefile 2010-02-09 07:57:19.000000000 -0500
4821+++ linux-2.6.32.9/arch/sparc/mm/Makefile 2010-02-23 17:09:53.095660904 -0500
4822@@ -2,7 +2,7 @@
4823 #
4824
4825 asflags-y := -ansi
4826-ccflags-y := -Werror
4827+#ccflags-y := -Werror
4828
4829 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4830 obj-y += fault_$(BITS).o
4831diff -urNp linux-2.6.32.9/arch/sparc/mm/srmmu.c linux-2.6.32.9/arch/sparc/mm/srmmu.c
4832--- linux-2.6.32.9/arch/sparc/mm/srmmu.c 2010-02-09 07:57:19.000000000 -0500
4833+++ linux-2.6.32.9/arch/sparc/mm/srmmu.c 2010-02-23 17:09:53.095660904 -0500
4834@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
4835 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4836 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4837 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4838+
4839+#ifdef CONFIG_PAX_PAGEEXEC
4840+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
4841+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
4842+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
4843+#endif
4844+
4845 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
4846 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
4847
4848diff -urNp linux-2.6.32.9/arch/um/include/asm/kmap_types.h linux-2.6.32.9/arch/um/include/asm/kmap_types.h
4849--- linux-2.6.32.9/arch/um/include/asm/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
4850+++ linux-2.6.32.9/arch/um/include/asm/kmap_types.h 2010-02-23 17:09:53.095660904 -0500
4851@@ -23,6 +23,7 @@ enum km_type {
4852 KM_IRQ1,
4853 KM_SOFTIRQ0,
4854 KM_SOFTIRQ1,
4855+ KM_CLEARPAGE,
4856 KM_TYPE_NR
4857 };
4858
4859diff -urNp linux-2.6.32.9/arch/um/include/asm/page.h linux-2.6.32.9/arch/um/include/asm/page.h
4860--- linux-2.6.32.9/arch/um/include/asm/page.h 2010-02-09 07:57:19.000000000 -0500
4861+++ linux-2.6.32.9/arch/um/include/asm/page.h 2010-02-23 17:09:53.095660904 -0500
4862@@ -14,6 +14,9 @@
4863 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
4864 #define PAGE_MASK (~(PAGE_SIZE-1))
4865
4866+#define ktla_ktva(addr) (addr)
4867+#define ktva_ktla(addr) (addr)
4868+
4869 #ifndef __ASSEMBLY__
4870
4871 struct page;
4872diff -urNp linux-2.6.32.9/arch/um/sys-i386/syscalls.c linux-2.6.32.9/arch/um/sys-i386/syscalls.c
4873--- linux-2.6.32.9/arch/um/sys-i386/syscalls.c 2010-02-09 07:57:19.000000000 -0500
4874+++ linux-2.6.32.9/arch/um/sys-i386/syscalls.c 2010-02-23 17:09:53.095660904 -0500
4875@@ -11,6 +11,21 @@
4876 #include "asm/uaccess.h"
4877 #include "asm/unistd.h"
4878
4879+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
4880+{
4881+ unsigned long pax_task_size = TASK_SIZE;
4882+
4883+#ifdef CONFIG_PAX_SEGMEXEC
4884+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
4885+ pax_task_size = SEGMEXEC_TASK_SIZE;
4886+#endif
4887+
4888+ if (len > pax_task_size || addr > pax_task_size - len)
4889+ return -EINVAL;
4890+
4891+ return 0;
4892+}
4893+
4894 /*
4895 * Perform the select(nd, in, out, ex, tv) and mmap() system
4896 * calls. Linux/i386 didn't use to be able to handle more than
4897diff -urNp linux-2.6.32.9/arch/x86/boot/bitops.h linux-2.6.32.9/arch/x86/boot/bitops.h
4898--- linux-2.6.32.9/arch/x86/boot/bitops.h 2010-02-09 07:57:19.000000000 -0500
4899+++ linux-2.6.32.9/arch/x86/boot/bitops.h 2010-02-23 17:09:53.095660904 -0500
4900@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
4901 u8 v;
4902 const u32 *p = (const u32 *)addr;
4903
4904- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4905+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4906 return v;
4907 }
4908
4909@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
4910
4911 static inline void set_bit(int nr, void *addr)
4912 {
4913- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4914+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4915 }
4916
4917 #endif /* BOOT_BITOPS_H */
4918diff -urNp linux-2.6.32.9/arch/x86/boot/boot.h linux-2.6.32.9/arch/x86/boot/boot.h
4919--- linux-2.6.32.9/arch/x86/boot/boot.h 2010-02-09 07:57:19.000000000 -0500
4920+++ linux-2.6.32.9/arch/x86/boot/boot.h 2010-02-23 17:09:53.095660904 -0500
4921@@ -82,7 +82,7 @@ static inline void io_delay(void)
4922 static inline u16 ds(void)
4923 {
4924 u16 seg;
4925- asm("movw %%ds,%0" : "=rm" (seg));
4926+ asm volatile("movw %%ds,%0" : "=rm" (seg));
4927 return seg;
4928 }
4929
4930@@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
4931 static inline int memcmp(const void *s1, const void *s2, size_t len)
4932 {
4933 u8 diff;
4934- asm("repe; cmpsb; setnz %0"
4935+ asm volatile("repe; cmpsb; setnz %0"
4936 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
4937 return diff;
4938 }
4939diff -urNp linux-2.6.32.9/arch/x86/boot/compressed/head_32.S linux-2.6.32.9/arch/x86/boot/compressed/head_32.S
4940--- linux-2.6.32.9/arch/x86/boot/compressed/head_32.S 2010-02-09 07:57:19.000000000 -0500
4941+++ linux-2.6.32.9/arch/x86/boot/compressed/head_32.S 2010-02-23 17:09:53.095660904 -0500
4942@@ -76,7 +76,7 @@ ENTRY(startup_32)
4943 notl %eax
4944 andl %eax, %ebx
4945 #else
4946- movl $LOAD_PHYSICAL_ADDR, %ebx
4947+ movl $____LOAD_PHYSICAL_ADDR, %ebx
4948 #endif
4949
4950 /* Target address to relocate to for decompression */
4951@@ -149,7 +149,7 @@ relocated:
4952 * and where it was actually loaded.
4953 */
4954 movl %ebp, %ebx
4955- subl $LOAD_PHYSICAL_ADDR, %ebx
4956+ subl $____LOAD_PHYSICAL_ADDR, %ebx
4957 jz 2f /* Nothing to be done if loaded at compiled addr. */
4958 /*
4959 * Process relocations.
4960@@ -157,8 +157,7 @@ relocated:
4961
4962 1: subl $4, %edi
4963 movl (%edi), %ecx
4964- testl %ecx, %ecx
4965- jz 2f
4966+ jecxz 2f
4967 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
4968 jmp 1b
4969 2:
4970diff -urNp linux-2.6.32.9/arch/x86/boot/compressed/head_64.S linux-2.6.32.9/arch/x86/boot/compressed/head_64.S
4971--- linux-2.6.32.9/arch/x86/boot/compressed/head_64.S 2010-02-09 07:57:19.000000000 -0500
4972+++ linux-2.6.32.9/arch/x86/boot/compressed/head_64.S 2010-02-23 17:09:53.095660904 -0500
4973@@ -91,7 +91,7 @@ ENTRY(startup_32)
4974 notl %eax
4975 andl %eax, %ebx
4976 #else
4977- movl $LOAD_PHYSICAL_ADDR, %ebx
4978+ movl $____LOAD_PHYSICAL_ADDR, %ebx
4979 #endif
4980
4981 /* Target address to relocate to for decompression */
4982@@ -234,7 +234,7 @@ ENTRY(startup_64)
4983 notq %rax
4984 andq %rax, %rbp
4985 #else
4986- movq $LOAD_PHYSICAL_ADDR, %rbp
4987+ movq $____LOAD_PHYSICAL_ADDR, %rbp
4988 #endif
4989
4990 /* Target address to relocate to for decompression */
4991diff -urNp linux-2.6.32.9/arch/x86/boot/compressed/misc.c linux-2.6.32.9/arch/x86/boot/compressed/misc.c
4992--- linux-2.6.32.9/arch/x86/boot/compressed/misc.c 2010-02-09 07:57:19.000000000 -0500
4993+++ linux-2.6.32.9/arch/x86/boot/compressed/misc.c 2010-02-23 17:09:53.095660904 -0500
4994@@ -288,7 +288,7 @@ static void parse_elf(void *output)
4995 case PT_LOAD:
4996 #ifdef CONFIG_RELOCATABLE
4997 dest = output;
4998- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
4999+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5000 #else
5001 dest = (void *)(phdr->p_paddr);
5002 #endif
5003@@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
5004 error("Destination address too large");
5005 #endif
5006 #ifndef CONFIG_RELOCATABLE
5007- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5008+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5009 error("Wrong destination address");
5010 #endif
5011
5012diff -urNp linux-2.6.32.9/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.9/arch/x86/boot/compressed/mkpiggy.c
5013--- linux-2.6.32.9/arch/x86/boot/compressed/mkpiggy.c 2010-02-09 07:57:19.000000000 -0500
5014+++ linux-2.6.32.9/arch/x86/boot/compressed/mkpiggy.c 2010-02-23 17:09:53.095660904 -0500
5015@@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5016
5017 offs = (olen > ilen) ? olen - ilen : 0;
5018 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5019- offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5020+ offs += 64*1024; /* Add 64K bytes slack */
5021 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5022
5023 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
5024diff -urNp linux-2.6.32.9/arch/x86/boot/compressed/relocs.c linux-2.6.32.9/arch/x86/boot/compressed/relocs.c
5025--- linux-2.6.32.9/arch/x86/boot/compressed/relocs.c 2010-02-09 07:57:19.000000000 -0500
5026+++ linux-2.6.32.9/arch/x86/boot/compressed/relocs.c 2010-02-23 17:09:53.095660904 -0500
5027@@ -10,8 +10,11 @@
5028 #define USE_BSD
5029 #include <endian.h>
5030
5031+#include "../../../../include/linux/autoconf.h"
5032+
5033 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5034 static Elf32_Ehdr ehdr;
5035+static Elf32_Phdr *phdr;
5036 static unsigned long reloc_count, reloc_idx;
5037 static unsigned long *relocs;
5038
5039@@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
5040
5041 static int is_safe_abs_reloc(const char* sym_name)
5042 {
5043- int i;
5044+ unsigned int i;
5045
5046 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
5047 if (!strcmp(sym_name, safe_abs_relocs[i]))
5048@@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
5049 }
5050 }
5051
5052+static void read_phdrs(FILE *fp)
5053+{
5054+ unsigned int i;
5055+
5056+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5057+ if (!phdr) {
5058+ die("Unable to allocate %d program headers\n",
5059+ ehdr.e_phnum);
5060+ }
5061+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5062+ die("Seek to %d failed: %s\n",
5063+ ehdr.e_phoff, strerror(errno));
5064+ }
5065+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5066+ die("Cannot read ELF program headers: %s\n",
5067+ strerror(errno));
5068+ }
5069+ for(i = 0; i < ehdr.e_phnum; i++) {
5070+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5071+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5072+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5073+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5074+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5075+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5076+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5077+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5078+ }
5079+
5080+}
5081+
5082 static void read_shdrs(FILE *fp)
5083 {
5084- int i;
5085+ unsigned int i;
5086 Elf32_Shdr shdr;
5087
5088 secs = calloc(ehdr.e_shnum, sizeof(struct section));
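Review bot: read_phdrs() reads `ehdr.e_phnum` entries of `sizeof(Elf32_Phdr)` bytes without checking `ehdr.e_phentsize`, so a file whose program header entries have a different size would be parsed at the wrong stride. Unless read_ehdr (outside this hunk) already checks it, add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry\n");` before the calloc. The fread failure branch prints `strerror(errno)`, which a short read on a truncated file does not set, so the message can name an unrelated error. The new function also has no comment; one line saying that it loads the program headers into the global `phdr` array and passes every field through elf32_to_cpu() would help.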
5089@@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
5090
5091 static void read_strtabs(FILE *fp)
5092 {
5093- int i;
5094+ unsigned int i;
5095 for (i = 0; i < ehdr.e_shnum; i++) {
5096 struct section *sec = &secs[i];
5097 if (sec->shdr.sh_type != SHT_STRTAB) {
5098@@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
5099
5100 static void read_symtabs(FILE *fp)
5101 {
5102- int i,j;
5103+ unsigned int i,j;
5104 for (i = 0; i < ehdr.e_shnum; i++) {
5105 struct section *sec = &secs[i];
5106 if (sec->shdr.sh_type != SHT_SYMTAB) {
5107@@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
5108
5109 static void read_relocs(FILE *fp)
5110 {
5111- int i,j;
5112+ unsigned int i,j;
5113+ uint32_t base;
5114+
5115 for (i = 0; i < ehdr.e_shnum; i++) {
5116 struct section *sec = &secs[i];
5117 if (sec->shdr.sh_type != SHT_REL) {
5118@@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
5119 die("Cannot read symbol table: %s\n",
5120 strerror(errno));
5121 }
5122+ base = 0;
5123+ for (j = 0; j < ehdr.e_phnum; j++) {
5124+ if (phdr[j].p_type != PT_LOAD )
5125+ continue;
5126+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5127+ continue;
5128+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5129+ break;
5130+ }
5131 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5132 Elf32_Rel *rel = &sec->reltab[j];
5133- rel->r_offset = elf32_to_cpu(rel->r_offset);
5134+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5135 rel->r_info = elf32_to_cpu(rel->r_info);
5136 }
5137 }
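Review bot: The added segment lookup indexes `secs[sec->shdr.sh_info]` with a value taken straight from the section header, and nothing visible in this hunk bounds it by `ehdr.e_shnum`, so a malformed input would make this host tool read outside `secs`. A guard before the loop, such as `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info %u\n", sec->shdr.sh_info);`, would close that. The range test `phdr[j].p_offset + phdr[j].p_filesz` is a 32-bit sum and can wrap for inconsistent headers. When no PT_LOAD segment contains the section, `base` silently stays 0; a comment stating that this is intended would help. read_relocs starts before this hunk and continues after it.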
5138@@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
5139
5140 static void print_absolute_symbols(void)
5141 {
5142- int i;
5143+ unsigned int i;
5144 printf("Absolute symbols\n");
5145 printf(" Num: Value Size Type Bind Visibility Name\n");
5146 for (i = 0; i < ehdr.e_shnum; i++) {
5147 struct section *sec = &secs[i];
5148 char *sym_strtab;
5149 Elf32_Sym *sh_symtab;
5150- int j;
5151+ unsigned int j;
5152
5153 if (sec->shdr.sh_type != SHT_SYMTAB) {
5154 continue;
5155@@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
5156
5157 static void print_absolute_relocs(void)
5158 {
5159- int i, printed = 0;
5160+ unsigned int i, printed = 0;
5161
5162 for (i = 0; i < ehdr.e_shnum; i++) {
5163 struct section *sec = &secs[i];
5164 struct section *sec_applies, *sec_symtab;
5165 char *sym_strtab;
5166 Elf32_Sym *sh_symtab;
5167- int j;
5168+ unsigned int j;
5169 if (sec->shdr.sh_type != SHT_REL) {
5170 continue;
5171 }
5172@@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
5173
5174 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5175 {
5176- int i;
5177+ unsigned int i;
5178 /* Walk through the relocations */
5179 for (i = 0; i < ehdr.e_shnum; i++) {
5180 char *sym_strtab;
5181 Elf32_Sym *sh_symtab;
5182 struct section *sec_applies, *sec_symtab;
5183- int j;
5184+ unsigned int j;
5185 struct section *sec = &secs[i];
5186
5187 if (sec->shdr.sh_type != SHT_REL) {
5188@@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
5189 if (sym->st_shndx == SHN_ABS) {
5190 continue;
5191 }
5192+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5193+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5194+ continue;
5195+
5196+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5197+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5198+ if (!strcmp(sec_name(sym->st_shndx), ".data") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5199+ continue;
5200+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5201+ continue;
5202+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5203+ continue;
5204+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5205+ continue;
5206+#endif
5207 if (r_type == R_386_NONE || r_type == R_386_PC32) {
5208 /*
5209 * NONE can be ignored and and PC relative
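Review bot: The new filters call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times for every relocation; fetching them once, e.g. `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, would make the conditions shorter and easier to audit. The skips are keyed on literal section names (`.data.percpu`, `.init.text`, `.exit.text`, `.text`), so if those names change the affected symbols would presumably be relocated again without any build error. A comment pointing at the linker script that defines these names would make that dependency explicit. walk_relocs begins before this hunk and continues after it.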
5210@@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
5211
5212 static void emit_relocs(int as_text)
5213 {
5214- int i;
5215+ unsigned int i;
5216 /* Count how many relocations I have and allocate space for them. */
5217 reloc_count = 0;
5218 walk_relocs(count_reloc);
5219@@ -634,6 +693,7 @@ int main(int argc, char **argv)
5220 fname, strerror(errno));
5221 }
5222 read_ehdr(fp);
5223+ read_phdrs(fp);
5224 read_shdrs(fp);
5225 read_strtabs(fp);
5226 read_symtabs(fp);
5227diff -urNp linux-2.6.32.9/arch/x86/boot/cpucheck.c linux-2.6.32.9/arch/x86/boot/cpucheck.c
5228--- linux-2.6.32.9/arch/x86/boot/cpucheck.c 2010-02-09 07:57:19.000000000 -0500
5229+++ linux-2.6.32.9/arch/x86/boot/cpucheck.c 2010-02-23 17:09:53.095660904 -0500
5230@@ -74,7 +74,7 @@ static int has_fpu(void)
5231 u16 fcw = -1, fsw = -1;
5232 u32 cr0;
5233
5234- asm("movl %%cr0,%0" : "=r" (cr0));
5235+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
5236 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5237 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5238 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5239@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5240 {
5241 u32 f0, f1;
5242
5243- asm("pushfl ; "
5244+ asm volatile("pushfl ; "
5245 "pushfl ; "
5246 "popl %0 ; "
5247 "movl %0,%1 ; "
5248@@ -115,7 +115,7 @@ static void get_flags(void)
5249 set_bit(X86_FEATURE_FPU, cpu.flags);
5250
5251 if (has_eflag(X86_EFLAGS_ID)) {
5252- asm("cpuid"
5253+ asm volatile("cpuid"
5254 : "=a" (max_intel_level),
5255 "=b" (cpu_vendor[0]),
5256 "=d" (cpu_vendor[1]),
5257@@ -124,7 +124,7 @@ static void get_flags(void)
5258
5259 if (max_intel_level >= 0x00000001 &&
5260 max_intel_level <= 0x0000ffff) {
5261- asm("cpuid"
5262+ asm volatile("cpuid"
5263 : "=a" (tfms),
5264 "=c" (cpu.flags[4]),
5265 "=d" (cpu.flags[0])
5266@@ -136,7 +136,7 @@ static void get_flags(void)
5267 cpu.model += ((tfms >> 16) & 0xf) << 4;
5268 }
5269
5270- asm("cpuid"
5271+ asm volatile("cpuid"
5272 : "=a" (max_amd_level)
5273 : "a" (0x80000000)
5274 : "ebx", "ecx", "edx");
5275@@ -144,7 +144,7 @@ static void get_flags(void)
5276 if (max_amd_level >= 0x80000001 &&
5277 max_amd_level <= 0x8000ffff) {
5278 u32 eax = 0x80000001;
5279- asm("cpuid"
5280+ asm volatile("cpuid"
5281 : "+a" (eax),
5282 "=c" (cpu.flags[6]),
5283 "=d" (cpu.flags[1])
5284@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5285 u32 ecx = MSR_K7_HWCR;
5286 u32 eax, edx;
5287
5288- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5289+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5290 eax &= ~(1 << 15);
5291- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5292+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5293
5294 get_flags(); /* Make sure it really did something */
5295 err = check_flags();
5296@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5297 u32 ecx = MSR_VIA_FCR;
5298 u32 eax, edx;
5299
5300- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5301+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5302 eax |= (1<<1)|(1<<7);
5303- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5304+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5305
5306 set_bit(X86_FEATURE_CX8, cpu.flags);
5307 err = check_flags();
5308@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5309 u32 eax, edx;
5310 u32 level = 1;
5311
5312- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5313- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5314- asm("cpuid"
5315+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5316+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5317+ asm volatile("cpuid"
5318 : "+a" (level), "=d" (cpu.flags[0])
5319 : : "ecx", "ebx");
5320- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5321+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5322
5323 err = check_flags();
5324 }
5325diff -urNp linux-2.6.32.9/arch/x86/boot/header.S linux-2.6.32.9/arch/x86/boot/header.S
5326--- linux-2.6.32.9/arch/x86/boot/header.S 2010-02-09 07:57:19.000000000 -0500
5327+++ linux-2.6.32.9/arch/x86/boot/header.S 2010-02-23 17:09:53.095660904 -0500
5328@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5329 # single linked list of
5330 # struct setup_data
5331
5332-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5333+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5334
5335 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5336 #define VO_INIT_SIZE (VO__end - VO__text)
5337diff -urNp linux-2.6.32.9/arch/x86/boot/video-vesa.c linux-2.6.32.9/arch/x86/boot/video-vesa.c
5338--- linux-2.6.32.9/arch/x86/boot/video-vesa.c 2010-02-09 07:57:19.000000000 -0500
5339+++ linux-2.6.32.9/arch/x86/boot/video-vesa.c 2010-02-23 17:09:53.095660904 -0500
5340@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5341
5342 boot_params.screen_info.vesapm_seg = oreg.es;
5343 boot_params.screen_info.vesapm_off = oreg.di;
5344+ boot_params.screen_info.vesapm_size = oreg.cx;
5345 }
5346
5347 /*
5348diff -urNp linux-2.6.32.9/arch/x86/ia32/ia32_signal.c linux-2.6.32.9/arch/x86/ia32/ia32_signal.c
5349--- linux-2.6.32.9/arch/x86/ia32/ia32_signal.c 2010-02-09 07:57:19.000000000 -0500
5350+++ linux-2.6.32.9/arch/x86/ia32/ia32_signal.c 2010-02-23 17:09:53.095660904 -0500
5351@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
5352 sp -= frame_size;
5353 /* Align the stack pointer according to the i386 ABI,
5354 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5355- sp = ((sp + 4) & -16ul) - 4;
5356+ sp = ((sp - 12) & -16ul) - 4;
5357 return (void __user *) sp;
5358 }
5359
5360@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
5361 0xb8,
5362 __NR_ia32_rt_sigreturn,
5363 0x80cd,
5364- 0,
5365+ 0
5366 };
5367
5368 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5369diff -urNp linux-2.6.32.9/arch/x86/include/asm/alternative.h linux-2.6.32.9/arch/x86/include/asm/alternative.h
5370--- linux-2.6.32.9/arch/x86/include/asm/alternative.h 2010-02-09 07:57:19.000000000 -0500
5371+++ linux-2.6.32.9/arch/x86/include/asm/alternative.h 2010-02-23 17:09:53.095660904 -0500
5372@@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
5373 " .byte 662b-661b\n" /* sourcelen */ \
5374 " .byte 664f-663f\n" /* replacementlen */ \
5375 ".previous\n" \
5376- ".section .altinstr_replacement, \"ax\"\n" \
5377+ ".section .altinstr_replacement, \"a\"\n" \
5378 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
5379 ".previous"
5380
5381diff -urNp linux-2.6.32.9/arch/x86/include/asm/apm.h linux-2.6.32.9/arch/x86/include/asm/apm.h
5382--- linux-2.6.32.9/arch/x86/include/asm/apm.h 2010-02-09 07:57:19.000000000 -0500
5383+++ linux-2.6.32.9/arch/x86/include/asm/apm.h 2010-02-23 17:09:53.095660904 -0500
5384@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
5385 __asm__ __volatile__(APM_DO_ZERO_SEGS
5386 "pushl %%edi\n\t"
5387 "pushl %%ebp\n\t"
5388- "lcall *%%cs:apm_bios_entry\n\t"
5389+ "lcall *%%ss:apm_bios_entry\n\t"
5390 "setc %%al\n\t"
5391 "popl %%ebp\n\t"
5392 "popl %%edi\n\t"
5393@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
5394 __asm__ __volatile__(APM_DO_ZERO_SEGS
5395 "pushl %%edi\n\t"
5396 "pushl %%ebp\n\t"
5397- "lcall *%%cs:apm_bios_entry\n\t"
5398+ "lcall *%%ss:apm_bios_entry\n\t"
5399 "setc %%bl\n\t"
5400 "popl %%ebp\n\t"
5401 "popl %%edi\n\t"
5402diff -urNp linux-2.6.32.9/arch/x86/include/asm/atomic_32.h linux-2.6.32.9/arch/x86/include/asm/atomic_32.h
5403--- linux-2.6.32.9/arch/x86/include/asm/atomic_32.h 2010-02-09 07:57:19.000000000 -0500
5404+++ linux-2.6.32.9/arch/x86/include/asm/atomic_32.h 2010-02-23 17:09:53.095660904 -0500
5405@@ -25,6 +25,17 @@ static inline int atomic_read(const atom
5406 }
5407
5408 /**
5409+ * atomic_read_unchecked - read atomic variable
5410+ * @v: pointer of type atomic_unchecked_t
5411+ *
5412+ * Atomically reads the value of @v.
5413+ */
5414+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5415+{
5416+ return v->counter;
5417+}
5418+
5419+/**
5420 * atomic_set - set atomic variable
5421 * @v: pointer of type atomic_t
5422 * @i: required value
5423@@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
5424 }
5425
5426 /**
5427+ * atomic_set_unchecked - set atomic variable
5428+ * @v: pointer of type atomic_unchecked_t
5429+ * @i: required value
5430+ *
5431+ * Atomically sets the value of @v to @i.
5432+ */
5433+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5434+{
5435+ v->counter = i;
5436+}
5437+
5438+/**
5439 * atomic_add - add integer to atomic variable
5440 * @i: integer value to add
5441 * @v: pointer of type atomic_t
5442@@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
5443 */
5444 static inline void atomic_add(int i, atomic_t *v)
5445 {
5446- asm volatile(LOCK_PREFIX "addl %1,%0"
5447+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5448+
5449+#ifdef CONFIG_PAX_REFCOUNT
5450+ "jno 0f\n"
5451+ LOCK_PREFIX "subl %1,%0\n"
5452+ "into\n0:\n"
5453+ _ASM_EXTABLE(0b, 0b)
5454+#endif
5455+
5456+ : "+m" (v->counter)
5457+ : "ir" (i));
5458+}
5459+
5460+/**
5461+ * atomic_add_unchecked - add integer to atomic variable
5462+ * @i: integer value to add
5463+ * @v: pointer of type atomic_unchecked_t
5464+ *
5465+ * Atomically adds @i to @v.
5466+ */
5467+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5468+{
5469+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5470 : "+m" (v->counter)
5471 : "ir" (i));
5472 }
5473@@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
5474 */
5475 static inline void atomic_sub(int i, atomic_t *v)
5476 {
5477- asm volatile(LOCK_PREFIX "subl %1,%0"
5478+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5479+
5480+#ifdef CONFIG_PAX_REFCOUNT
5481+ "jno 0f\n"
5482+ LOCK_PREFIX "addl %1,%0\n"
5483+ "into\n0:\n"
5484+ _ASM_EXTABLE(0b, 0b)
5485+#endif
5486+
5487+ : "+m" (v->counter)
5488+ : "ir" (i));
5489+}
5490+
5491+/**
5492+ * atomic_sub_unchecked - subtract integer from atomic variable
5493+ * @i: integer value to subtract
5494+ * @v: pointer of type atomic_t
5495+ *
5496+ * Atomically subtracts @i from @v.
5497+ */
5498+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5499+{
5500+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5501 : "+m" (v->counter)
5502 : "ir" (i));
5503 }
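Review bot: The kernel-doc added for atomic_sub_unchecked() says `@v: pointer of type atomic_t`, but the function takes `atomic_unchecked_t *v`; the line should read ` * @v: pointer of type atomic_unchecked_t`, as the other _unchecked helpers in this file do. The _unchecked comments would also be more useful if they said what distinguishes the variant: unlike atomic_sub(), it carries no CONFIG_PAX_REFCOUNT overflow check and wraps silently.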
5504@@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
5505 {
5506 unsigned char c;
5507
5508- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5509+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
5510+
5511+#ifdef CONFIG_PAX_REFCOUNT
5512+ "jno 0f\n"
5513+ LOCK_PREFIX "addl %2,%0\n"
5514+ "into\n0:\n"
5515+ _ASM_EXTABLE(0b, 0b)
5516+#endif
5517+
5518+ "sete %1\n"
5519 : "+m" (v->counter), "=qm" (c)
5520 : "ir" (i) : "memory");
5521 return c;
5522@@ -91,7 +167,30 @@ static inline int atomic_sub_and_test(in
5523 */
5524 static inline void atomic_inc(atomic_t *v)
5525 {
5526- asm volatile(LOCK_PREFIX "incl %0"
5527+ asm volatile(LOCK_PREFIX "incl %0\n"
5528+
5529+#ifdef CONFIG_PAX_REFCOUNT
5530+ "into\n0:\n"
5531+ ".pushsection .fixup,\"ax\"\n"
5532+ "1:\n"
5533+ LOCK_PREFIX "decl %0\n"
5534+ "jmp 0b\n"
5535+ ".popsection\n"
5536+ _ASM_EXTABLE(0b, 1b)
5537+#endif
5538+
5539+ : "+m" (v->counter));
5540+}
5541+
5542+/**
5543+ * atomic_inc_unchecked - increment atomic variable
5544+ * @v: pointer of type atomic_unchecked_t
5545+ *
5546+ * Atomically increments @v by 1.
5547+ */
5548+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5549+{
5550+ asm volatile(LOCK_PREFIX "incl %0\n"
5551 : "+m" (v->counter));
5552 }
5553
5554@@ -103,7 +202,18 @@ static inline void atomic_inc(atomic_t *
5555 */
5556 static inline void atomic_dec(atomic_t *v)
5557 {
5558- asm volatile(LOCK_PREFIX "decl %0"
5559+ asm volatile(LOCK_PREFIX "decl %0\n"
5560+
5561+#ifdef CONFIG_PAX_REFCOUNT
5562+ "into\n0:\n"
5563+ ".pushsection .fixup,\"ax\"\n"
5564+ "1: \n"
5565+ LOCK_PREFIX "incl %0\n"
5566+ "jmp 0b\n"
5567+ ".popsection\n"
5568+ _ASM_EXTABLE(0b, 1b)
5569+#endif
5570+
5571 : "+m" (v->counter));
5572 }
5573
5574@@ -119,7 +229,19 @@ static inline int atomic_dec_and_test(at
5575 {
5576 unsigned char c;
5577
5578- asm volatile(LOCK_PREFIX "decl %0; sete %1"
5579+ asm volatile(LOCK_PREFIX "decl %0\n"
5580+
5581+#ifdef CONFIG_PAX_REFCOUNT
5582+ "into\n0:\n"
5583+ ".pushsection .fixup,\"ax\"\n"
5584+ "1: \n"
5585+ LOCK_PREFIX "incl %0\n"
5586+ "jmp 0b\n"
5587+ ".popsection\n"
5588+ _ASM_EXTABLE(0b, 1b)
5589+#endif
5590+
5591+ "sete %1\n"
5592 : "+m" (v->counter), "=qm" (c)
5593 : : "memory");
5594 return c != 0;
5595@@ -137,7 +259,19 @@ static inline int atomic_inc_and_test(at
5596 {
5597 unsigned char c;
5598
5599- asm volatile(LOCK_PREFIX "incl %0; sete %1"
5600+ asm volatile(LOCK_PREFIX "incl %0\n"
5601+
5602+#ifdef CONFIG_PAX_REFCOUNT
5603+ "into\n0:\n"
5604+ ".pushsection .fixup,\"ax\"\n"
5605+ "1: \n"
5606+ LOCK_PREFIX "decl %0\n"
5607+ "jmp 0b\n"
5608+ ".popsection\n"
5609+ _ASM_EXTABLE(0b, 1b)
5610+#endif
5611+
5612+ "sete %1\n"
5613 : "+m" (v->counter), "=qm" (c)
5614 : : "memory");
5615 return c != 0;
5616@@ -156,7 +290,16 @@ static inline int atomic_add_negative(in
5617 {
5618 unsigned char c;
5619
5620- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5621+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
5622+
5623+#ifdef CONFIG_PAX_REFCOUNT
5624+ "jno 0f\n"
5625+ LOCK_PREFIX "subl %2,%0\n"
5626+ "into\n0:\n"
5627+ _ASM_EXTABLE(0b, 0b)
5628+#endif
5629+
5630+ "sets %1\n"
5631 : "+m" (v->counter), "=qm" (c)
5632 : "ir" (i) : "memory");
5633 return c;
5634@@ -179,6 +322,46 @@ static inline int atomic_add_return(int
5635 #endif
5636 /* Modern 486+ processor */
5637 __i = i;
5638+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5639+
5640+#ifdef CONFIG_PAX_REFCOUNT
5641+ "jno 0f\n"
5642+ "movl %0, %1\n"
5643+ "into\n0:\n"
5644+ _ASM_EXTABLE(0b, 0b)
5645+#endif
5646+
5647+ : "+r" (i), "+m" (v->counter)
5648+ : : "memory");
5649+ return i + __i;
5650+
5651+#ifdef CONFIG_M386
5652+no_xadd: /* Legacy 386 processor */
5653+ local_irq_save(flags);
5654+ __i = atomic_read(v);
5655+ atomic_set(v, i + __i);
5656+ local_irq_restore(flags);
5657+ return i + __i;
5658+#endif
5659+}
5660+
5661+/**
5662+ * atomic_add_return_unchecked - add integer and return
5663+ * @v: pointer of type atomic_unchecked_t
5664+ * @i: integer value to add
5665+ *
5666+ * Atomically adds @i to @v and returns @i + @v
5667+ */
5668+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5669+{
5670+ int __i;
5671+#ifdef CONFIG_M386
5672+ unsigned long flags;
5673+ if (unlikely(boot_cpu_data.x86 <= 3))
5674+ goto no_xadd;
5675+#endif
5676+ /* Modern 486+ processor */
5677+ __i = i;
5678 asm volatile(LOCK_PREFIX "xaddl %0, %1"
5679 : "+r" (i), "+m" (v->counter)
5680 : : "memory");
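Review bot: On overflow the checked path undoes the add with a plain `movl %0, %1`, which writes the pre-add value back as an ordinary store, whereas atomic_add() and atomic_sub() roll back with a locked `subl`/`addl`; an update made by another CPU between the `xaddl` and the `movl` would be overwritten. If that window is accepted because the overflow is about to trap, a comment should say so, e.g. `/* overflow: restore the old value (not atomic with the xadd), then trap */`. The CONFIG_M386 `no_xadd` fallback in the same function still uses atomic_read()/atomic_set() and has no overflow check at all. The same `movl`/`movq` rollback appears in the atomic_add_return and atomic64_add_return hunks of atomic_64.h. atomic_add_return starts before this hunk and atomic_add_return_unchecked continues after it.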
5681@@ -227,22 +410,34 @@ static inline int atomic_xchg(atomic_t *
5682 */
5683 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5684 {
5685- int c, old;
5686+ int c, old, new;
5687 c = atomic_read(v);
5688 for (;;) {
5689- if (unlikely(c == (u)))
5690+ if (unlikely(c == u))
5691 break;
5692- old = atomic_cmpxchg((v), c, c + (a));
5693+
5694+ asm volatile("addl %2,%0\n"
5695+
5696+#ifdef CONFIG_PAX_REFCOUNT
5697+ "into\n0:\n"
5698+ _ASM_EXTABLE(0b, 0b)
5699+#endif
5700+
5701+ : "=r" (new)
5702+ : "0" (c), "ir" (a));
5703+
5704+ old = atomic_cmpxchg(v, c, new);
5705 if (likely(old == c))
5706 break;
5707 c = old;
5708 }
5709- return c != (u);
5710+ return c != u;
5711 }
5712
5713 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
5714
5715 #define atomic_inc_return(v) (atomic_add_return(1, v))
5716+#define atomic_inc_return_unchecked(v) (atomic_add_return_unchecked(1, v))
5717 #define atomic_dec_return(v) (atomic_sub_return(1, v))
5718
5719 /* These are x86-specific, used by some header files */
5720@@ -266,6 +461,14 @@ typedef struct {
5721 u64 __aligned(8) counter;
5722 } atomic64_t;
5723
5724+#ifdef CONFIG_PAX_REFCOUNT
5725+typedef struct {
5726+ u64 __aligned(8) counter;
5727+} atomic64_unchecked_t;
5728+#else
5729+typedef atomic64_t atomic64_unchecked_t;
5730+#endif
5731+
5732 #define ATOMIC64_INIT(val) { (val) }
5733
5734 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
5735diff -urNp linux-2.6.32.9/arch/x86/include/asm/atomic_64.h linux-2.6.32.9/arch/x86/include/asm/atomic_64.h
5736--- linux-2.6.32.9/arch/x86/include/asm/atomic_64.h 2010-02-09 07:57:19.000000000 -0500
5737+++ linux-2.6.32.9/arch/x86/include/asm/atomic_64.h 2010-02-23 17:09:53.099748973 -0500
5738@@ -24,6 +24,17 @@ static inline int atomic_read(const atom
5739 }
5740
5741 /**
5742+ * atomic_read_unchecked - read atomic variable
5743+ * @v: pointer of type atomic_unchecked_t
5744+ *
5745+ * Atomically reads the value of @v.
5746+ */
5747+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5748+{
5749+ return v->counter;
5750+}
5751+
5752+/**
5753 * atomic_set - set atomic variable
5754 * @v: pointer of type atomic_t
5755 * @i: required value
5756@@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
5757 }
5758
5759 /**
5760+ * atomic_set_unchecked - set atomic variable
5761+ * @v: pointer of type atomic_unchecked_t
5762+ * @i: required value
5763+ *
5764+ * Atomically sets the value of @v to @i.
5765+ */
5766+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5767+{
5768+ v->counter = i;
5769+}
5770+
5771+/**
5772 * atomic_add - add integer to atomic variable
5773 * @i: integer value to add
5774 * @v: pointer of type atomic_t
5775@@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
5776 */
5777 static inline void atomic_add(int i, atomic_t *v)
5778 {
5779- asm volatile(LOCK_PREFIX "addl %1,%0"
5780+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5781+
5782+#ifdef CONFIG_PAX_REFCOUNT
5783+ "jno 0f\n"
5784+ LOCK_PREFIX "subl %1,%0\n"
5785+ "int $4\n0:\n"
5786+ _ASM_EXTABLE(0b, 0b)
5787+#endif
5788+
5789+ : "=m" (v->counter)
5790+ : "ir" (i), "m" (v->counter));
5791+}
5792+
5793+/**
5794+ * atomic_add_unchecked - add integer to atomic variable
5795+ * @i: integer value to add
5796+ * @v: pointer of type atomic_unchecked_t
5797+ *
5798+ * Atomically adds @i to @v.
5799+ */
5800+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5801+{
5802+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5803 : "=m" (v->counter)
5804 : "ir" (i), "m" (v->counter));
5805 }
5806@@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
5807 */
5808 static inline void atomic_sub(int i, atomic_t *v)
5809 {
5810- asm volatile(LOCK_PREFIX "subl %1,%0"
5811+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5812+
5813+#ifdef CONFIG_PAX_REFCOUNT
5814+ "jno 0f\n"
5815+ LOCK_PREFIX "addl %1,%0\n"
5816+ "int $4\n0:\n"
5817+ _ASM_EXTABLE(0b, 0b)
5818+#endif
5819+
5820+ : "=m" (v->counter)
5821+ : "ir" (i), "m" (v->counter));
5822+}
5823+
5824+/**
5825+ * atomic_sub_unchecked - subtract the atomic variable
5826+ * @i: integer value to subtract
5827+ * @v: pointer of type atomic_unchecked_t
5828+ *
5829+ * Atomically subtracts @i from @v.
5830+ */
5831+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5832+{
5833+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5834 : "=m" (v->counter)
5835 : "ir" (i), "m" (v->counter));
5836 }
5837@@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
5838 {
5839 unsigned char c;
5840
5841- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5842+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
5843+
5844+#ifdef CONFIG_PAX_REFCOUNT
5845+ "jno 0f\n"
5846+ LOCK_PREFIX "addl %2,%0\n"
5847+ "int $4\n0:\n"
5848+ _ASM_EXTABLE(0b, 0b)
5849+#endif
5850+
5851+ "sete %1\n"
5852 : "=m" (v->counter), "=qm" (c)
5853 : "ir" (i), "m" (v->counter) : "memory");
5854 return c;
5855@@ -90,7 +166,32 @@ static inline int atomic_sub_and_test(in
5856 */
5857 static inline void atomic_inc(atomic_t *v)
5858 {
5859- asm volatile(LOCK_PREFIX "incl %0"
5860+ asm volatile(LOCK_PREFIX "incl %0\n"
5861+
5862+#ifdef CONFIG_PAX_REFCOUNT
5863+ "jno 0f\n"
5864+ "int $4\n0:\n"
5865+ ".pushsection .fixup,\"ax\"\n"
5866+ "1:\n"
5867+ LOCK_PREFIX "decl %0\n"
5868+ "jmp 0b\n"
5869+ ".popsection\n"
5870+ _ASM_EXTABLE(0b, 1b)
5871+#endif
5872+
5873+ : "=m" (v->counter)
5874+ : "m" (v->counter));
5875+}
5876+
5877+/**
5878+ * atomic_inc_unchecked - increment atomic variable
5879+ * @v: pointer of type atomic_unchecked_t
5880+ *
5881+ * Atomically increments @v by 1.
5882+ */
5883+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5884+{
5885+ asm volatile(LOCK_PREFIX "incl %0\n"
5886 : "=m" (v->counter)
5887 : "m" (v->counter));
5888 }
5889@@ -103,7 +204,19 @@ static inline void atomic_inc(atomic_t *
5890 */
5891 static inline void atomic_dec(atomic_t *v)
5892 {
5893- asm volatile(LOCK_PREFIX "decl %0"
5894+ asm volatile(LOCK_PREFIX "decl %0\n"
5895+
5896+#ifdef CONFIG_PAX_REFCOUNT
5897+ "jno 0f\n"
5898+ "int $4\n0:\n"
5899+ ".pushsection .fixup,\"ax\"\n"
5900+ "1: \n"
5901+ LOCK_PREFIX "incl %0\n"
5902+ "jmp 0b\n"
5903+ ".popsection\n"
5904+ _ASM_EXTABLE(0b, 1b)
5905+#endif
5906+
5907 : "=m" (v->counter)
5908 : "m" (v->counter));
5909 }
5910@@ -120,7 +233,20 @@ static inline int atomic_dec_and_test(at
5911 {
5912 unsigned char c;
5913
5914- asm volatile(LOCK_PREFIX "decl %0; sete %1"
5915+ asm volatile(LOCK_PREFIX "decl %0\n"
5916+
5917+#ifdef CONFIG_PAX_REFCOUNT
5918+ "jno 0f\n"
5919+ "int $4\n0:\n"
5920+ ".pushsection .fixup,\"ax\"\n"
5921+ "1: \n"
5922+ LOCK_PREFIX "incl %0\n"
5923+ "jmp 0b\n"
5924+ ".popsection\n"
5925+ _ASM_EXTABLE(0b, 1b)
5926+#endif
5927+
5928+ "sete %1\n"
5929 : "=m" (v->counter), "=qm" (c)
5930 : "m" (v->counter) : "memory");
5931 return c != 0;
5932@@ -138,7 +264,20 @@ static inline int atomic_inc_and_test(at
5933 {
5934 unsigned char c;
5935
5936- asm volatile(LOCK_PREFIX "incl %0; sete %1"
5937+ asm volatile(LOCK_PREFIX "incl %0\n"
5938+
5939+#ifdef CONFIG_PAX_REFCOUNT
5940+ "jno 0f\n"
5941+ "int $4\n0:\n"
5942+ ".pushsection .fixup,\"ax\"\n"
5943+ "1: \n"
5944+ LOCK_PREFIX "decl %0\n"
5945+ "jmp 0b\n"
5946+ ".popsection\n"
5947+ _ASM_EXTABLE(0b, 1b)
5948+#endif
5949+
5950+ "sete %1\n"
5951 : "=m" (v->counter), "=qm" (c)
5952 : "m" (v->counter) : "memory");
5953 return c != 0;
5954@@ -157,7 +296,16 @@ static inline int atomic_add_negative(in
5955 {
5956 unsigned char c;
5957
5958- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5959+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
5960+
5961+#ifdef CONFIG_PAX_REFCOUNT
5962+ "jno 0f\n"
5963+ LOCK_PREFIX "subl %2,%0\n"
5964+ "int $4\n0:\n"
5965+ _ASM_EXTABLE(0b, 0b)
5966+#endif
5967+
5968+ "sets %1\n"
5969 : "=m" (v->counter), "=qm" (c)
5970 : "ir" (i), "m" (v->counter) : "memory");
5971 return c;
5972@@ -173,7 +321,15 @@ static inline int atomic_add_negative(in
5973 static inline int atomic_add_return(int i, atomic_t *v)
5974 {
5975 int __i = i;
5976- asm volatile(LOCK_PREFIX "xaddl %0, %1"
5977+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5978+
5979+#ifdef CONFIG_PAX_REFCOUNT
5980+ "jno 0f\n"
5981+ "movl %0, %1\n"
5982+ "int $4\n0:\n"
5983+ _ASM_EXTABLE(0b, 0b)
5984+#endif
5985+
5986 : "+r" (i), "+m" (v->counter)
5987 : : "memory");
5988 return i + __i;
5989@@ -204,6 +360,18 @@ static inline long atomic64_read(const a
5990 }
5991
5992 /**
5993+ * atomic64_read_unchecked - read atomic64 variable
5994+ * @v: pointer of type atomic64_unchecked_t
5995+ *
5996+ * Atomically reads the value of @v.
5997+ * Doesn't imply a read memory barrier.
5998+ */
5999+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6000+{
6001+ return v->counter;
6002+}
6003+
6004+/**
6005 * atomic64_set - set atomic64 variable
6006 * @v: pointer to type atomic64_t
6007 * @i: required value
6008@@ -216,6 +384,18 @@ static inline void atomic64_set(atomic64
6009 }
6010
6011 /**
6012+ * atomic64_set_unchecked - set atomic64 variable
6013+ * @v: pointer to type atomic64_unchecked_t
6014+ * @i: required value
6015+ *
6016+ * Atomically sets the value of @v to @i.
6017+ */
6018+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6019+{
6020+ v->counter = i;
6021+}
6022+
6023+/**
6024 * atomic64_add - add integer to atomic64 variable
6025 * @i: integer value to add
6026 * @v: pointer to type atomic64_t
6027@@ -224,6 +404,28 @@ static inline void atomic64_set(atomic64
6028 */
6029 static inline void atomic64_add(long i, atomic64_t *v)
6030 {
6031+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
6032+
6033+#ifdef CONFIG_PAX_REFCOUNT
6034+ "jno 0f\n"
6035+ LOCK_PREFIX "subq %1,%0\n"
6036+ "int $4\n0:\n"
6037+ _ASM_EXTABLE(0b, 0b)
6038+#endif
6039+
6040+ : "=m" (v->counter)
6041+ : "er" (i), "m" (v->counter));
6042+}
6043+
6044+/**
6045+ * atomic64_add_unchecked - add integer to atomic64 variable
6046+ * @i: integer value to add
6047+ * @v: pointer to type atomic64_unchecked_t
6048+ *
6049+ * Atomically adds @i to @v.
6050+ */
6051+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6052+{
6053 asm volatile(LOCK_PREFIX "addq %1,%0"
6054 : "=m" (v->counter)
6055 : "er" (i), "m" (v->counter));
6056@@ -238,7 +440,15 @@ static inline void atomic64_add(long i,
6057 */
6058 static inline void atomic64_sub(long i, atomic64_t *v)
6059 {
6060- asm volatile(LOCK_PREFIX "subq %1,%0"
6061+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
6062+
6063+#ifdef CONFIG_PAX_REFCOUNT
6064+ "jno 0f\n"
6065+ LOCK_PREFIX "addq %1,%0\n"
6066+ "int $4\n0:\n"
6067+ _ASM_EXTABLE(0b, 0b)
6068+#endif
6069+
6070 : "=m" (v->counter)
6071 : "er" (i), "m" (v->counter));
6072 }
6073@@ -256,7 +466,16 @@ static inline int atomic64_sub_and_test(
6074 {
6075 unsigned char c;
6076
6077- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6078+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
6079+
6080+#ifdef CONFIG_PAX_REFCOUNT
6081+ "jno 0f\n"
6082+ LOCK_PREFIX "addq %2,%0\n"
6083+ "int $4\n0:\n"
6084+ _ASM_EXTABLE(0b, 0b)
6085+#endif
6086+
6087+ "sete %1\n"
6088 : "=m" (v->counter), "=qm" (c)
6089 : "er" (i), "m" (v->counter) : "memory");
6090 return c;
6091@@ -270,6 +489,31 @@ static inline int atomic64_sub_and_test(
6092 */
6093 static inline void atomic64_inc(atomic64_t *v)
6094 {
6095+ asm volatile(LOCK_PREFIX "incq %0\n"
6096+
6097+#ifdef CONFIG_PAX_REFCOUNT
6098+ "jno 0f\n"
6099+ "int $4\n0:\n"
6100+ ".pushsection .fixup,\"ax\"\n"
6101+ "1:\n"
6102+ LOCK_PREFIX "decq %0\n"
6103+ "jmp 0b\n"
6104+ ".popsection\n"
6105+ _ASM_EXTABLE(0b, 1b)
6106+#endif
6107+
6108+ : "=m" (v->counter)
6109+ : "m" (v->counter));
6110+}
6111+
6112+/**
6113+ * atomic64_inc_unchecked - increment atomic64 variable
6114+ * @v: pointer to type atomic64_unchecked_t
6115+ *
6116+ * Atomically increments @v by 1.
6117+ */
6118+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6119+{
6120 asm volatile(LOCK_PREFIX "incq %0"
6121 : "=m" (v->counter)
6122 : "m" (v->counter));
6123@@ -283,7 +527,19 @@ static inline void atomic64_inc(atomic64
6124 */
6125 static inline void atomic64_dec(atomic64_t *v)
6126 {
6127- asm volatile(LOCK_PREFIX "decq %0"
6128+ asm volatile(LOCK_PREFIX "decq %0\n"
6129+
6130+#ifdef CONFIG_PAX_REFCOUNT
6131+ "jno 0f\n"
6132+ "int $4\n0:\n"
6133+ ".pushsection .fixup,\"ax\"\n"
6134+ "1: \n"
6135+ LOCK_PREFIX "incq %0\n"
6136+ "jmp 0b\n"
6137+ ".popsection\n"
6138+ _ASM_EXTABLE(0b, 1b)
6139+#endif
6140+
6141 : "=m" (v->counter)
6142 : "m" (v->counter));
6143 }
6144@@ -300,7 +556,20 @@ static inline int atomic64_dec_and_test(
6145 {
6146 unsigned char c;
6147
6148- asm volatile(LOCK_PREFIX "decq %0; sete %1"
6149+ asm volatile(LOCK_PREFIX "decq %0\n"
6150+
6151+#ifdef CONFIG_PAX_REFCOUNT
6152+ "jno 0f\n"
6153+ "int $4\n0:\n"
6154+ ".pushsection .fixup,\"ax\"\n"
6155+ "1: \n"
6156+ LOCK_PREFIX "incq %0\n"
6157+ "jmp 0b\n"
6158+ ".popsection\n"
6159+ _ASM_EXTABLE(0b, 1b)
6160+#endif
6161+
6162+ "sete %1\n"
6163 : "=m" (v->counter), "=qm" (c)
6164 : "m" (v->counter) : "memory");
6165 return c != 0;
6166@@ -318,7 +587,20 @@ static inline int atomic64_inc_and_test(
6167 {
6168 unsigned char c;
6169
6170- asm volatile(LOCK_PREFIX "incq %0; sete %1"
6171+ asm volatile(LOCK_PREFIX "incq %0\n"
6172+
6173+#ifdef CONFIG_PAX_REFCOUNT
6174+ "jno 0f\n"
6175+ "int $4\n0:\n"
6176+ ".pushsection .fixup,\"ax\"\n"
6177+ "1: \n"
6178+ LOCK_PREFIX "decq %0\n"
6179+ "jmp 0b\n"
6180+ ".popsection\n"
6181+ _ASM_EXTABLE(0b, 1b)
6182+#endif
6183+
6184+ "sete %1\n"
6185 : "=m" (v->counter), "=qm" (c)
6186 : "m" (v->counter) : "memory");
6187 return c != 0;
6188@@ -337,7 +619,16 @@ static inline int atomic64_add_negative(
6189 {
6190 unsigned char c;
6191
6192- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6193+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
6194+
6195+#ifdef CONFIG_PAX_REFCOUNT
6196+ "jno 0f\n"
6197+ LOCK_PREFIX "subq %2,%0\n"
6198+ "int $4\n0:\n"
6199+ _ASM_EXTABLE(0b, 0b)
6200+#endif
6201+
6202+ "sets %1\n"
6203 : "=m" (v->counter), "=qm" (c)
6204 : "er" (i), "m" (v->counter) : "memory");
6205 return c;
6206@@ -353,7 +644,31 @@ static inline int atomic64_add_negative(
6207 static inline long atomic64_add_return(long i, atomic64_t *v)
6208 {
6209 long __i = i;
6210- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6211+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6212+
6213+#ifdef CONFIG_PAX_REFCOUNT
6214+ "jno 0f\n"
6215+ "movq %0, %1\n"
6216+ "int $4\n0:\n"
6217+ _ASM_EXTABLE(0b, 0b)
6218+#endif
6219+
6220+ : "+r" (i), "+m" (v->counter)
6221+ : : "memory");
6222+ return i + __i;
6223+}
6224+
6225+/**
6226+ * atomic64_add_return_unchecked - add and return
6227+ * @i: integer value to add
6228+ * @v: pointer to type atomic64_unchecked_t
6229+ *
6230+ * Atomically adds @i to @v and returns @i + @v
6231+ */
6232+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6233+{
6234+ long __i = i;
6235+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
6236 : "+r" (i), "+m" (v->counter)
6237 : : "memory");
6238 return i + __i;
6239@@ -365,6 +680,7 @@ static inline long atomic64_sub_return(l
6240 }
6241
6242 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6243+#define atomic64_inc_return_unchecked(v) (atomic64_add_return_unchecked(1, (v)))
6244 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6245
6246 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6247@@ -398,17 +714,29 @@ static inline long atomic_xchg(atomic_t
6248 */
6249 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6250 {
6251- int c, old;
6252+ int c, old, new;
6253 c = atomic_read(v);
6254 for (;;) {
6255- if (unlikely(c == (u)))
6256+ if (unlikely(c == u))
6257 break;
6258- old = atomic_cmpxchg((v), c, c + (a));
6259+
6260+ asm volatile("addl %2,%0\n"
6261+
6262+#ifdef CONFIG_PAX_REFCOUNT
6263+ "jno 0f\n"
6264+ "int $4\n0:\n"
6265+ _ASM_EXTABLE(0b, 0b)
6266+#endif
6267+
6268+ : "=r" (new)
6269+ : "0" (c), "ir" (a));
6270+
6271+ old = atomic_cmpxchg(v, c, new);
6272 if (likely(old == c))
6273 break;
6274 c = old;
6275 }
6276- return c != (u);
6277+ return c != u;
6278 }
6279
6280 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6281@@ -424,17 +752,29 @@ static inline int atomic_add_unless(atom
6282 */
6283 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6284 {
6285- long c, old;
6286+ long c, old, new;
6287 c = atomic64_read(v);
6288 for (;;) {
6289- if (unlikely(c == (u)))
6290+ if (unlikely(c == u))
6291 break;
6292- old = atomic64_cmpxchg((v), c, c + (a));
6293+
6294+ asm volatile("addq %2,%0\n"
6295+
6296+#ifdef CONFIG_PAX_REFCOUNT
6297+ "jno 0f\n"
6298+ "int $4\n0:\n"
6299+ _ASM_EXTABLE(0b, 0b)
6300+#endif
6301+
6302+ : "=r" (new)
6303+ : "0" (c), "er" (a));
6304+
6305+ old = atomic64_cmpxchg((v), c, new);
6306 if (likely(old == c))
6307 break;
6308 c = old;
6309 }
6310- return c != (u);
6311+ return c != u;
6312 }
6313
6314 /**
6315diff -urNp linux-2.6.32.9/arch/x86/include/asm/boot.h linux-2.6.32.9/arch/x86/include/asm/boot.h
6316--- linux-2.6.32.9/arch/x86/include/asm/boot.h 2010-02-09 07:57:19.000000000 -0500
6317+++ linux-2.6.32.9/arch/x86/include/asm/boot.h 2010-02-23 17:09:53.099748973 -0500
6318@@ -11,10 +11,15 @@
6319 #include <asm/pgtable_types.h>
6320
6321 /* Physical address where kernel should be loaded. */
6322-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6323+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6324 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6325 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6326
6327+#ifndef __ASSEMBLY__
6328+extern unsigned char __LOAD_PHYSICAL_ADDR[];
6329+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6330+#endif
6331+
6332 /* Minimum kernel alignment, as a power of two */
6333 #ifdef CONFIG_X86_64
6334 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
6335diff -urNp linux-2.6.32.9/arch/x86/include/asm/cache.h linux-2.6.32.9/arch/x86/include/asm/cache.h
6336--- linux-2.6.32.9/arch/x86/include/asm/cache.h 2010-02-09 07:57:19.000000000 -0500
6337+++ linux-2.6.32.9/arch/x86/include/asm/cache.h 2010-02-23 17:09:53.099748973 -0500
6338@@ -8,6 +8,7 @@
6339 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6340
6341 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
6342+#define __read_only __attribute__((__section__(".data.read_only")))
6343
6344 #ifdef CONFIG_X86_VSMP
6345 /* vSMP Internode cacheline shift */
6346diff -urNp linux-2.6.32.9/arch/x86/include/asm/checksum_32.h linux-2.6.32.9/arch/x86/include/asm/checksum_32.h
6347--- linux-2.6.32.9/arch/x86/include/asm/checksum_32.h 2010-02-09 07:57:19.000000000 -0500
6348+++ linux-2.6.32.9/arch/x86/include/asm/checksum_32.h 2010-02-23 17:09:53.099748973 -0500
6349@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6350 int len, __wsum sum,
6351 int *src_err_ptr, int *dst_err_ptr);
6352
6353+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6354+ int len, __wsum sum,
6355+ int *src_err_ptr, int *dst_err_ptr);
6356+
6357+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6358+ int len, __wsum sum,
6359+ int *src_err_ptr, int *dst_err_ptr);
6360+
6361 /*
6362 * Note: when you get a NULL pointer exception here this means someone
6363 * passed in an incorrect kernel address to one of these functions.
6364@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6365 int *err_ptr)
6366 {
6367 might_sleep();
6368- return csum_partial_copy_generic((__force void *)src, dst,
6369+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
6370 len, sum, err_ptr, NULL);
6371 }
6372
6373@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6374 {
6375 might_sleep();
6376 if (access_ok(VERIFY_WRITE, dst, len))
6377- return csum_partial_copy_generic(src, (__force void *)dst,
6378+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6379 len, sum, NULL, err_ptr);
6380
6381 if (len)
6382diff -urNp linux-2.6.32.9/arch/x86/include/asm/desc.h linux-2.6.32.9/arch/x86/include/asm/desc.h
6383--- linux-2.6.32.9/arch/x86/include/asm/desc.h 2010-02-09 07:57:19.000000000 -0500
6384+++ linux-2.6.32.9/arch/x86/include/asm/desc.h 2010-02-23 17:09:53.099748973 -0500
6385@@ -4,6 +4,7 @@
6386 #include <asm/desc_defs.h>
6387 #include <asm/ldt.h>
6388 #include <asm/mmu.h>
6389+#include <asm/pgtable.h>
6390 #include <linux/smp.h>
6391
6392 static inline void fill_ldt(struct desc_struct *desc,
6393@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6394 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6395 desc->type = (info->read_exec_only ^ 1) << 1;
6396 desc->type |= info->contents << 2;
6397+ desc->type |= info->seg_not_present ^ 1;
6398 desc->s = 1;
6399 desc->dpl = 0x3;
6400 desc->p = info->seg_not_present ^ 1;
6401@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6402 }
6403
6404 extern struct desc_ptr idt_descr;
6405-extern gate_desc idt_table[];
6406-
6407-struct gdt_page {
6408- struct desc_struct gdt[GDT_ENTRIES];
6409-} __attribute__((aligned(PAGE_SIZE)));
6410-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6411+extern gate_desc idt_table[256];
6412
6413+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6414 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6415 {
6416- return per_cpu(gdt_page, cpu).gdt;
6417+ return cpu_gdt_table[cpu];
6418 }
6419
6420 #ifdef CONFIG_X86_64
6421@@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6422 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6423 const gate_desc *gate)
6424 {
6425+ pax_open_kernel();
6426 memcpy(&idt[entry], gate, sizeof(*gate));
6427+ pax_close_kernel();
6428 }
6429
6430 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6431 const void *desc)
6432 {
6433+ pax_open_kernel();
6434 memcpy(&ldt[entry], desc, 8);
6435+ pax_close_kernel();
6436 }
6437
6438 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6439 const void *desc, int type)
6440 {
6441 unsigned int size;
6442+
6443 switch (type) {
6444 case DESC_TSS:
6445 size = sizeof(tss_desc);
6446@@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6447 size = sizeof(struct desc_struct);
6448 break;
6449 }
6450+
6451+ pax_open_kernel();
6452 memcpy(&gdt[entry], desc, size);
6453+ pax_close_kernel();
6454 }
6455
6456 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6457@@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6458
6459 static inline void native_load_tr_desc(void)
6460 {
6461+ pax_open_kernel();
6462 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6463+ pax_close_kernel();
6464 }
6465
6466 static inline void native_load_gdt(const struct desc_ptr *dtr)
6467@@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6468 unsigned int i;
6469 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6470
6471+ pax_open_kernel();
6472 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6473 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6474+ pax_close_kernel();
6475 }
6476
6477 #define _LDT_empty(info) \
6478@@ -392,4 +402,16 @@ static inline void set_system_intr_gate_
6479 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
6480 }
6481
6482+#ifdef CONFIG_X86_32
6483+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
6484+{
6485+ struct desc_struct d;
6486+
6487+ if (likely(limit))
6488+ limit = (limit - 1UL) >> PAGE_SHIFT;
6489+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
6490+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
6491+}
6492+#endif
6493+
6494 #endif /* _ASM_X86_DESC_H */
6495diff -urNp linux-2.6.32.9/arch/x86/include/asm/device.h linux-2.6.32.9/arch/x86/include/asm/device.h
6496--- linux-2.6.32.9/arch/x86/include/asm/device.h 2010-02-09 07:57:19.000000000 -0500
6497+++ linux-2.6.32.9/arch/x86/include/asm/device.h 2010-02-23 17:09:53.099748973 -0500
6498@@ -6,7 +6,7 @@ struct dev_archdata {
6499 void *acpi_handle;
6500 #endif
6501 #ifdef CONFIG_X86_64
6502-struct dma_map_ops *dma_ops;
6503+ const struct dma_map_ops *dma_ops;
6504 #endif
6505 #ifdef CONFIG_DMAR
6506 void *iommu; /* hook for IOMMU specific extension */
6507diff -urNp linux-2.6.32.9/arch/x86/include/asm/dma-mapping.h linux-2.6.32.9/arch/x86/include/asm/dma-mapping.h
6508--- linux-2.6.32.9/arch/x86/include/asm/dma-mapping.h 2010-02-09 07:57:19.000000000 -0500
6509+++ linux-2.6.32.9/arch/x86/include/asm/dma-mapping.h 2010-02-23 17:09:53.099748973 -0500
6510@@ -25,9 +25,9 @@ extern int iommu_merge;
6511 extern struct device x86_dma_fallback_dev;
6512 extern int panic_on_overflow;
6513
6514-extern struct dma_map_ops *dma_ops;
6515+extern const struct dma_map_ops *dma_ops;
6516
6517-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
6518+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
6519 {
6520 #ifdef CONFIG_X86_32
6521 return dma_ops;
6522@@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
6523 /* Make sure we keep the same behaviour */
6524 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
6525 {
6526- struct dma_map_ops *ops = get_dma_ops(dev);
6527+ const struct dma_map_ops *ops = get_dma_ops(dev);
6528 if (ops->mapping_error)
6529 return ops->mapping_error(dev, dma_addr);
6530
6531@@ -122,7 +122,7 @@ static inline void *
6532 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
6533 gfp_t gfp)
6534 {
6535- struct dma_map_ops *ops = get_dma_ops(dev);
6536+ const struct dma_map_ops *ops = get_dma_ops(dev);
6537 void *memory;
6538
6539 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
6540@@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
6541 static inline void dma_free_coherent(struct device *dev, size_t size,
6542 void *vaddr, dma_addr_t bus)
6543 {
6544- struct dma_map_ops *ops = get_dma_ops(dev);
6545+ const struct dma_map_ops *ops = get_dma_ops(dev);
6546
6547 WARN_ON(irqs_disabled()); /* for portability */
6548
6549diff -urNp linux-2.6.32.9/arch/x86/include/asm/e820.h linux-2.6.32.9/arch/x86/include/asm/e820.h
6550--- linux-2.6.32.9/arch/x86/include/asm/e820.h 2010-02-09 07:57:19.000000000 -0500
6551+++ linux-2.6.32.9/arch/x86/include/asm/e820.h 2010-02-23 17:09:53.099748973 -0500
6552@@ -133,7 +133,7 @@ extern char *default_machine_specific_me
6553 #define ISA_END_ADDRESS 0x100000
6554 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
6555
6556-#define BIOS_BEGIN 0x000a0000
6557+#define BIOS_BEGIN 0x000c0000
6558 #define BIOS_END 0x00100000
6559
6560 #ifdef __KERNEL__
6561diff -urNp linux-2.6.32.9/arch/x86/include/asm/elf.h linux-2.6.32.9/arch/x86/include/asm/elf.h
6562--- linux-2.6.32.9/arch/x86/include/asm/elf.h 2010-02-09 07:57:19.000000000 -0500
6563+++ linux-2.6.32.9/arch/x86/include/asm/elf.h 2010-02-23 17:09:53.099748973 -0500
6564@@ -257,7 +257,25 @@ extern int force_personality32;
6565 the loader. We need to make sure that it is out of the way of the program
6566 that it will "exec", and that there is sufficient room for the brk. */
6567
6568+#ifdef CONFIG_PAX_SEGMEXEC
6569+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
6570+#else
6571 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6572+#endif
6573+
6574+#ifdef CONFIG_PAX_ASLR
6575+#ifdef CONFIG_X86_32
6576+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
6577+
6578+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6579+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6580+#else
6581+#define PAX_ELF_ET_DYN_BASE 0x400000UL
6582+
6583+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6584+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6585+#endif
6586+#endif
6587
6588 /* This yields a mask that user programs can use to figure out what
6589 instruction set this CPU supports. This could be done in user space,
6590@@ -311,8 +329,7 @@ do { \
6591 #define ARCH_DLINFO \
6592 do { \
6593 if (vdso_enabled) \
6594- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
6595- (unsigned long)current->mm->context.vdso); \
6596+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
6597 } while (0)
6598
6599 #define AT_SYSINFO 32
6600@@ -323,7 +340,7 @@ do { \
6601
6602 #endif /* !CONFIG_X86_32 */
6603
6604-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
6605+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
6606
6607 #define VDSO_ENTRY \
6608 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
6609@@ -337,7 +354,4 @@ extern int arch_setup_additional_pages(s
6610 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
6611 #define compat_arch_setup_additional_pages syscall32_setup_pages
6612
6613-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
6614-#define arch_randomize_brk arch_randomize_brk
6615-
6616 #endif /* _ASM_X86_ELF_H */
6617diff -urNp linux-2.6.32.9/arch/x86/include/asm/futex.h linux-2.6.32.9/arch/x86/include/asm/futex.h
6618--- linux-2.6.32.9/arch/x86/include/asm/futex.h 2010-02-09 07:57:19.000000000 -0500
6619+++ linux-2.6.32.9/arch/x86/include/asm/futex.h 2010-02-23 17:09:53.099748973 -0500
6620@@ -11,6 +11,40 @@
6621 #include <asm/processor.h>
6622 #include <asm/system.h>
6623
6624+#ifdef CONFIG_X86_32
6625+#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6626+ asm volatile( \
6627+ "movw\t%w6, %%ds\n" \
6628+ "1:\t" insn "\n" \
6629+ "2:\tpushl\t%%ss\n" \
6630+ "\tpopl\t%%ds\n" \
6631+ "\t.section .fixup,\"ax\"\n" \
6632+ "3:\tmov\t%3, %1\n" \
6633+ "\tjmp\t2b\n" \
6634+ "\t.previous\n" \
6635+ _ASM_EXTABLE(1b, 3b) \
6636+ : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
6637+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
6638+
6639+#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
6640+ asm volatile("movw\t%w7, %%es\n" \
6641+ "1:\tmovl\t%%es:%2, %0\n" \
6642+ "\tmovl\t%0, %3\n" \
6643+ "\t" insn "\n" \
6644+ "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
6645+ "\tjnz\t1b\n" \
6646+ "3:\tpushl\t%%ss\n" \
6647+ "\tpopl\t%%es\n" \
6648+ "\t.section .fixup,\"ax\"\n" \
6649+ "4:\tmov\t%5, %1\n" \
6650+ "\tjmp\t3b\n" \
6651+ "\t.previous\n" \
6652+ _ASM_EXTABLE(1b, 4b) \
6653+ _ASM_EXTABLE(2b, 4b) \
6654+ : "=&a" (oldval), "=&r" (ret), \
6655+ "+m" (*uaddr), "=&r" (tem) \
6656+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
6657+#else
6658 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6659 asm volatile("1:\t" insn "\n" \
6660 "2:\t.section .fixup,\"ax\"\n" \
6661@@ -36,8 +70,9 @@
6662 : "=&a" (oldval), "=&r" (ret), \
6663 "+m" (*uaddr), "=&r" (tem) \
6664 : "r" (oparg), "i" (-EFAULT), "1" (0))
6665+#endif
6666
6667-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
6668+static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
6669 {
6670 int op = (encoded_op >> 28) & 7;
6671 int cmp = (encoded_op >> 24) & 15;
6672@@ -61,11 +96,20 @@ static inline int futex_atomic_op_inuser
6673
6674 switch (op) {
6675 case FUTEX_OP_SET:
6676+#ifdef CONFIG_X86_32
6677+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
6678+#else
6679 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
6680+#endif
6681 break;
6682 case FUTEX_OP_ADD:
6683+#ifdef CONFIG_X86_32
6684+ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
6685+ uaddr, oparg);
6686+#else
6687 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
6688 uaddr, oparg);
6689+#endif
6690 break;
6691 case FUTEX_OP_OR:
6692 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
6693@@ -109,7 +153,7 @@ static inline int futex_atomic_op_inuser
6694 return ret;
6695 }
6696
6697-static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
6698+static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
6699 int newval)
6700 {
6701
6702@@ -122,14 +166,27 @@ static inline int futex_atomic_cmpxchg_i
6703 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
6704 return -EFAULT;
6705
6706- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6707+ asm volatile(
6708+#ifdef CONFIG_X86_32
6709+ "\tmovw %w5, %%ds\n"
6710+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6711+ "2:\tpushl %%ss\n"
6712+ "\tpopl %%ds\n"
6713+ "\t.section .fixup, \"ax\"\n"
6714+#else
6715+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6716 "2:\t.section .fixup, \"ax\"\n"
6717+#endif
6718 "3:\tmov %2, %0\n"
6719 "\tjmp 2b\n"
6720 "\t.previous\n"
6721 _ASM_EXTABLE(1b, 3b)
6722 : "=a" (oldval), "+m" (*uaddr)
6723+#ifdef CONFIG_X86_32
6724+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
6725+#else
6726 : "i" (-EFAULT), "r" (newval), "0" (oldval)
6727+#endif
6728 : "memory"
6729 );
6730
6731diff -urNp linux-2.6.32.9/arch/x86/include/asm/i387.h linux-2.6.32.9/arch/x86/include/asm/i387.h
6732--- linux-2.6.32.9/arch/x86/include/asm/i387.h 2010-02-09 07:57:19.000000000 -0500
6733+++ linux-2.6.32.9/arch/x86/include/asm/i387.h 2010-02-23 17:09:53.099748973 -0500
6734@@ -195,13 +195,8 @@ static inline int fxrstor_checking(struc
6735 }
6736
6737 /* We need a safe address that is cheap to find and that is already
6738- in L1 during context switch. The best choices are unfortunately
6739- different for UP and SMP */
6740-#ifdef CONFIG_SMP
6741-#define safe_address (__per_cpu_offset[0])
6742-#else
6743-#define safe_address (kstat_cpu(0).cpustat.user)
6744-#endif
6745+ in L1 during context switch. */
6746+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
6747
6748 /*
6749 * These must be called with preempt disabled
6750diff -urNp linux-2.6.32.9/arch/x86/include/asm/io_64.h linux-2.6.32.9/arch/x86/include/asm/io_64.h
6751--- linux-2.6.32.9/arch/x86/include/asm/io_64.h 2010-02-09 07:57:19.000000000 -0500
6752+++ linux-2.6.32.9/arch/x86/include/asm/io_64.h 2010-02-23 17:09:53.099748973 -0500
6753@@ -140,6 +140,17 @@ __OUTS(l)
6754
6755 #include <linux/vmalloc.h>
6756
6757+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
6758+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
6759+{
6760+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6761+}
6762+
6763+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
6764+{
6765+ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6766+}
6767+
6768 #include <asm-generic/iomap.h>
6769
6770 void __memcpy_fromio(void *, unsigned long, unsigned);
6771diff -urNp linux-2.6.32.9/arch/x86/include/asm/iommu.h linux-2.6.32.9/arch/x86/include/asm/iommu.h
6772--- linux-2.6.32.9/arch/x86/include/asm/iommu.h 2010-02-09 07:57:19.000000000 -0500
6773+++ linux-2.6.32.9/arch/x86/include/asm/iommu.h 2010-02-23 17:09:53.099748973 -0500
6774@@ -3,7 +3,7 @@
6775
6776 extern void pci_iommu_shutdown(void);
6777 extern void no_iommu_init(void);
6778-extern struct dma_map_ops nommu_dma_ops;
6779+extern const struct dma_map_ops nommu_dma_ops;
6780 extern int force_iommu, no_iommu;
6781 extern int iommu_detected;
6782 extern int iommu_pass_through;
6783diff -urNp linux-2.6.32.9/arch/x86/include/asm/irqflags.h linux-2.6.32.9/arch/x86/include/asm/irqflags.h
6784--- linux-2.6.32.9/arch/x86/include/asm/irqflags.h 2010-02-09 07:57:19.000000000 -0500
6785+++ linux-2.6.32.9/arch/x86/include/asm/irqflags.h 2010-02-23 17:09:53.099748973 -0500
6786@@ -146,6 +146,28 @@ static inline unsigned long __raw_local_
6787 #define INTERRUPT_RETURN iret
6788 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
6789 #define GET_CR0_INTO_EAX movl %cr0, %eax
6790+
6791+/* PaX: special register usage in entry_32.S, beware */
6792+#ifdef CONFIG_PAX_KERNEXEC
6793+#define PAX_EXIT_KERNEL \
6794+ cmpw $__KERNEXEC_KERNEL_CS, PT_CS(%esp);\
6795+ jnz 1f; \
6796+ movl %cr0, %esi; \
6797+ btc $16, %esi; \
6798+ movl %esi, %cr0; \
6799+1:
6800+
6801+#define PAX_ENTER_KERNEL \
6802+ movl %cr0, %esi; \
6803+ bts $16, %esi; \
6804+ jc 1f; \
6805+ movl %esi, %cr0; \
6806+1:
6807+#else
6808+#define PAX_EXIT_KERNEL
6809+#define PAX_ENTER_KERNEL
6810+#endif
6811+
6812 #endif
6813
6814
6815diff -urNp linux-2.6.32.9/arch/x86/include/asm/kvm_host.h linux-2.6.32.9/arch/x86/include/asm/kvm_host.h
6816--- linux-2.6.32.9/arch/x86/include/asm/kvm_host.h 2010-02-09 07:57:19.000000000 -0500
6817+++ linux-2.6.32.9/arch/x86/include/asm/kvm_host.h 2010-02-23 17:09:53.099748973 -0500
6818@@ -531,7 +531,7 @@ struct kvm_x86_ops {
6819 const struct trace_print_flags *exit_reasons_str;
6820 };
6821
6822-extern struct kvm_x86_ops *kvm_x86_ops;
6823+extern const struct kvm_x86_ops *kvm_x86_ops;
6824
6825 int kvm_mmu_module_init(void);
6826 void kvm_mmu_module_exit(void);
6827diff -urNp linux-2.6.32.9/arch/x86/include/asm/local.h linux-2.6.32.9/arch/x86/include/asm/local.h
6828--- linux-2.6.32.9/arch/x86/include/asm/local.h 2010-02-09 07:57:19.000000000 -0500
6829+++ linux-2.6.32.9/arch/x86/include/asm/local.h 2010-02-23 17:09:53.099748973 -0500
6830@@ -18,26 +18,90 @@ typedef struct {
6831
6832 static inline void local_inc(local_t *l)
6833 {
6834- asm volatile(_ASM_INC "%0"
6835+ asm volatile(_ASM_INC "%0\n"
6836+
6837+#ifdef CONFIG_PAX_REFCOUNT
6838+#ifdef CONFIG_X86_32
6839+ "into\n0:\n"
6840+#else
6841+ "jno 0f\n"
6842+ "int $4\n0:\n"
6843+#endif
6844+ ".pushsection .fixup,\"ax\"\n"
6845+ "1:\n"
6846+ _ASM_DEC "%0\n"
6847+ "jmp 0b\n"
6848+ ".popsection\n"
6849+ _ASM_EXTABLE(0b, 1b)
6850+#endif
6851+
6852 : "+m" (l->a.counter));
6853 }
6854
6855 static inline void local_dec(local_t *l)
6856 {
6857- asm volatile(_ASM_DEC "%0"
6858+ asm volatile(_ASM_DEC "%0\n"
6859+
6860+#ifdef CONFIG_PAX_REFCOUNT
6861+#ifdef CONFIG_X86_32
6862+ "into\n0:\n"
6863+#else
6864+ "jno 0f\n"
6865+ "int $4\n0:\n"
6866+#endif
6867+ ".pushsection .fixup,\"ax\"\n"
6868+ "1:\n"
6869+ _ASM_INC "%0\n"
6870+ "jmp 0b\n"
6871+ ".popsection\n"
6872+ _ASM_EXTABLE(0b, 1b)
6873+#endif
6874+
6875 : "+m" (l->a.counter));
6876 }
6877
6878 static inline void local_add(long i, local_t *l)
6879 {
6880- asm volatile(_ASM_ADD "%1,%0"
6881+ asm volatile(_ASM_ADD "%1,%0\n"
6882+
6883+#ifdef CONFIG_PAX_REFCOUNT
6884+#ifdef CONFIG_X86_32
6885+ "into\n0:\n"
6886+#else
6887+ "jno 0f\n"
6888+ "int $4\n0:\n"
6889+#endif
6890+ ".pushsection .fixup,\"ax\"\n"
6891+ "1:\n"
6892+ _ASM_SUB "%1,%0\n"
6893+ "jmp 0b\n"
6894+ ".popsection\n"
6895+ _ASM_EXTABLE(0b, 1b)
6896+#endif
6897+
6898 : "+m" (l->a.counter)
6899 : "ir" (i));
6900 }
6901
6902 static inline void local_sub(long i, local_t *l)
6903 {
6904- asm volatile(_ASM_SUB "%1,%0"
6905+ asm volatile(_ASM_SUB "%1,%0\n"
6906+
6907+#ifdef CONFIG_PAX_REFCOUNT
6908+#ifdef CONFIG_X86_32
6909+ "into\n0:\n"
6910+#else
6911+ "jno 0f\n"
6912+ "int $4\n0:\n"
6913+#endif
6914+ ".pushsection .fixup,\"ax\"\n"
6915+ "1:\n"
6916+ _ASM_ADD "%1,%0\n"
6917+ "jmp 0b\n"
6918+ ".popsection\n"
6919+ _ASM_EXTABLE(0b, 1b)
6920+#endif
6921+
6922 : "+m" (l->a.counter)
6923 : "ir" (i));
6924 }
6925@@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
6926 {
6927 unsigned char c;
6928
6929- asm volatile(_ASM_SUB "%2,%0; sete %1"
6930+ asm volatile(_ASM_SUB "%2,%0\n"
6931+
6932+#ifdef CONFIG_PAX_REFCOUNT
6933+#ifdef CONFIG_X86_32
6934+ "into\n0:\n"
6935+#else
6936+ "jno 0f\n"
6937+ "int $4\n0:\n"
6938+#endif
6939+ ".pushsection .fixup,\"ax\"\n"
6940+ "1:\n"
6941+ _ASM_ADD "%2,%0\n"
6942+ "jmp 0b\n"
6943+ ".popsection\n"
6944+ _ASM_EXTABLE(0b, 1b)
6945+#endif
6946+
6947+ "sete %1\n"
6948 : "+m" (l->a.counter), "=qm" (c)
6949 : "ir" (i) : "memory");
6950 return c;
6951@@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
6952 {
6953 unsigned char c;
6954
6955- asm volatile(_ASM_DEC "%0; sete %1"
6956+ asm volatile(_ASM_DEC "%0\n"
6957+
6958+#ifdef CONFIG_PAX_REFCOUNT
6959+#ifdef CONFIG_X86_32
6960+ "into\n0:\n"
6961+#else
6962+ "jno 0f\n"
6963+ "int $4\n0:\n"
6964+#endif
6965+ ".pushsection .fixup,\"ax\"\n"
6966+ "1:\n"
6967+ _ASM_INC "%0\n"
6968+ "jmp 0b\n"
6969+ ".popsection\n"
6970+ _ASM_EXTABLE(0b, 1b)
6971+#endif
6972+
6973+ "sete %1\n"
6974 : "+m" (l->a.counter), "=qm" (c)
6975 : : "memory");
6976 return c != 0;
6977@@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
6978 {
6979 unsigned char c;
6980
6981- asm volatile(_ASM_INC "%0; sete %1"
6982+ asm volatile(_ASM_INC "%0\n"
6983+
6984+#ifdef CONFIG_PAX_REFCOUNT
6985+#ifdef CONFIG_X86_32
6986+ "into\n0:\n"
6987+#else
6988+ "jno 0f\n"
6989+ "int $4\n0:\n"
6990+#endif
6991+ ".pushsection .fixup,\"ax\"\n"
6992+ "1:\n"
6993+ _ASM_DEC "%0\n"
6994+ "jmp 0b\n"
6995+ ".popsection\n"
6996+ _ASM_EXTABLE(0b, 1b)
6997+#endif
6998+
6999+ "sete %1\n"
7000 : "+m" (l->a.counter), "=qm" (c)
7001 : : "memory");
7002 return c != 0;
7003@@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7004 {
7005 unsigned char c;
7006
7007- asm volatile(_ASM_ADD "%2,%0; sets %1"
7008+ asm volatile(_ASM_ADD "%2,%0\n"
7009+
7010+#ifdef CONFIG_PAX_REFCOUNT
7011+#ifdef CONFIG_X86_32
7012+ "into\n0:\n"
7013+#else
7014+ "jno 0f\n"
7015+ "int $4\n0:\n"
7016+#endif
7017+ ".pushsection .fixup,\"ax\"\n"
7018+ "1:\n"
7019+ _ASM_SUB "%2,%0\n"
7020+ "jmp 0b\n"
7021+ ".popsection\n"
7022+ _ASM_EXTABLE(0b, 1b)
7023+#endif
7024+
7025+ "sets %1\n"
7026 : "+m" (l->a.counter), "=qm" (c)
7027 : "ir" (i) : "memory");
7028 return c;
7029@@ -133,7 +265,23 @@ static inline long local_add_return(long
7030 #endif
7031 /* Modern 486+ processor */
7032 __i = i;
7033- asm volatile(_ASM_XADD "%0, %1;"
7034+ asm volatile(_ASM_XADD "%0, %1\n"
7035+
7036+#ifdef CONFIG_PAX_REFCOUNT
7037+#ifdef CONFIG_X86_32
7038+ "into\n0:\n"
7039+#else
7040+ "jno 0f\n"
7041+ "int $4\n0:\n"
7042+#endif
7043+ ".pushsection .fixup,\"ax\"\n"
7044+ "1:\n"
7045+ _ASM_MOV "%0,%1\n"
7046+ "jmp 0b\n"
7047+ ".popsection\n"
7048+ _ASM_EXTABLE(0b, 1b)
7049+#endif
7050+
7051 : "+r" (i), "+m" (l->a.counter)
7052 : : "memory");
7053 return i + __i;
7054diff -urNp linux-2.6.32.9/arch/x86/include/asm/microcode.h linux-2.6.32.9/arch/x86/include/asm/microcode.h
7055--- linux-2.6.32.9/arch/x86/include/asm/microcode.h 2010-02-09 07:57:19.000000000 -0500
7056+++ linux-2.6.32.9/arch/x86/include/asm/microcode.h 2010-02-23 17:09:53.099748973 -0500
7057@@ -12,13 +12,13 @@ struct device;
7058 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7059
7060 struct microcode_ops {
7061- enum ucode_state (*request_microcode_user) (int cpu,
7062+ enum ucode_state (* const request_microcode_user) (int cpu,
7063 const void __user *buf, size_t size);
7064
7065- enum ucode_state (*request_microcode_fw) (int cpu,
7066+ enum ucode_state (* const request_microcode_fw) (int cpu,
7067 struct device *device);
7068
7069- void (*microcode_fini_cpu) (int cpu);
7070+ void (* const microcode_fini_cpu) (int cpu);
7071
7072 /*
7073 * The generic 'microcode_core' part guarantees that
7074@@ -38,18 +38,18 @@ struct ucode_cpu_info {
7075 extern struct ucode_cpu_info ucode_cpu_info[];
7076
7077 #ifdef CONFIG_MICROCODE_INTEL
7078-extern struct microcode_ops * __init init_intel_microcode(void);
7079+extern const struct microcode_ops * __init init_intel_microcode(void);
7080 #else
7081-static inline struct microcode_ops * __init init_intel_microcode(void)
7082+static inline const struct microcode_ops * __init init_intel_microcode(void)
7083 {
7084 return NULL;
7085 }
7086 #endif /* CONFIG_MICROCODE_INTEL */
7087
7088 #ifdef CONFIG_MICROCODE_AMD
7089-extern struct microcode_ops * __init init_amd_microcode(void);
7090+extern const struct microcode_ops * __init init_amd_microcode(void);
7091 #else
7092-static inline struct microcode_ops * __init init_amd_microcode(void)
7093+static inline const struct microcode_ops * __init init_amd_microcode(void)
7094 {
7095 return NULL;
7096 }
7097diff -urNp linux-2.6.32.9/arch/x86/include/asm/mman.h linux-2.6.32.9/arch/x86/include/asm/mman.h
7098--- linux-2.6.32.9/arch/x86/include/asm/mman.h 2010-02-09 07:57:19.000000000 -0500
7099+++ linux-2.6.32.9/arch/x86/include/asm/mman.h 2010-02-23 17:09:53.099748973 -0500
7100@@ -5,4 +5,14 @@
7101
7102 #include <asm-generic/mman.h>
7103
7104+#ifdef __KERNEL__
7105+#ifndef __ASSEMBLY__
7106+#ifdef CONFIG_X86_32
7107+#define arch_mmap_check i386_mmap_check
7108+int i386_mmap_check(unsigned long addr, unsigned long len,
7109+ unsigned long flags);
7110+#endif
7111+#endif
7112+#endif
7113+
7114 #endif /* _ASM_X86_MMAN_H */
7115diff -urNp linux-2.6.32.9/arch/x86/include/asm/mmu_context.h linux-2.6.32.9/arch/x86/include/asm/mmu_context.h
7116--- linux-2.6.32.9/arch/x86/include/asm/mmu_context.h 2010-02-09 07:57:19.000000000 -0500
7117+++ linux-2.6.32.9/arch/x86/include/asm/mmu_context.h 2010-02-23 17:09:53.099748973 -0500
7118@@ -34,11 +34,17 @@ static inline void switch_mm(struct mm_s
7119 struct task_struct *tsk)
7120 {
7121 unsigned cpu = smp_processor_id();
7122+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7123+ int tlbstate = TLBSTATE_OK;
7124+#endif
7125
7126 if (likely(prev != next)) {
7127 /* stop flush ipis for the previous mm */
7128 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7129 #ifdef CONFIG_SMP
7130+#ifdef CONFIG_X86_32
7131+ tlbstate = percpu_read(cpu_tlbstate.state);
7132+#endif
7133 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7134 percpu_write(cpu_tlbstate.active_mm, next);
7135 #endif
7136@@ -52,6 +58,26 @@ static inline void switch_mm(struct mm_s
7137 */
7138 if (unlikely(prev->context.ldt != next->context.ldt))
7139 load_LDT_nolock(&next->context);
7140+
7141+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7142+ if (!nx_enabled) {
7143+ smp_mb__before_clear_bit();
7144+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7145+ smp_mb__after_clear_bit();
7146+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7147+ }
7148+#endif
7149+
7150+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7151+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7152+ prev->context.user_cs_limit != next->context.user_cs_limit))
7153+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7154+#ifdef CONFIG_SMP
7155+ else if (unlikely(tlbstate != TLBSTATE_OK))
7156+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7157+#endif
7158+#endif
7159+
7160 }
7161 #ifdef CONFIG_SMP
7162 else {
7163@@ -65,6 +91,19 @@ static inline void switch_mm(struct mm_s
7164 */
7165 load_cr3(next->pgd);
7166 load_LDT_nolock(&next->context);
7167+
7168+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7169+ if (!nx_enabled)
7170+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7171+#endif
7172+
7173+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7174+#ifdef CONFIG_PAX_PAGEEXEC
7175+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
7176+#endif
7177+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7178+#endif
7179+
7180 }
7181 }
7182 #endif
7183diff -urNp linux-2.6.32.9/arch/x86/include/asm/mmu.h linux-2.6.32.9/arch/x86/include/asm/mmu.h
7184--- linux-2.6.32.9/arch/x86/include/asm/mmu.h 2010-02-09 07:57:19.000000000 -0500
7185+++ linux-2.6.32.9/arch/x86/include/asm/mmu.h 2010-02-23 17:09:53.099748973 -0500
7186@@ -9,10 +9,23 @@
7187 * we put the segment information here.
7188 */
7189 typedef struct {
7190- void *ldt;
7191+ struct desc_struct *ldt;
7192 int size;
7193 struct mutex lock;
7194- void *vdso;
7195+ unsigned long vdso;
7196+
7197+#ifdef CONFIG_X86_32
7198+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7199+ unsigned long user_cs_base;
7200+ unsigned long user_cs_limit;
7201+
7202+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7203+ cpumask_t cpu_user_cs_mask;
7204+#endif
7205+
7206+#endif
7207+#endif
7208+
7209 } mm_context_t;
7210
7211 #ifdef CONFIG_SMP
7212diff -urNp linux-2.6.32.9/arch/x86/include/asm/module.h linux-2.6.32.9/arch/x86/include/asm/module.h
7213--- linux-2.6.32.9/arch/x86/include/asm/module.h 2010-02-09 07:57:19.000000000 -0500
7214+++ linux-2.6.32.9/arch/x86/include/asm/module.h 2010-02-23 17:09:53.099748973 -0500
7215@@ -65,7 +65,12 @@
7216 # else
7217 # define MODULE_STACKSIZE ""
7218 # endif
7219-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7220+# ifdef CONFIG_GRKERNSEC
7221+# define MODULE_GRSEC "GRSECURITY "
7222+# else
7223+# define MODULE_GRSEC ""
7224+# endif
7225+# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
7226 #endif
7227
7228 #endif /* _ASM_X86_MODULE_H */
7229diff -urNp linux-2.6.32.9/arch/x86/include/asm/page_32_types.h linux-2.6.32.9/arch/x86/include/asm/page_32_types.h
7230--- linux-2.6.32.9/arch/x86/include/asm/page_32_types.h 2010-02-09 07:57:19.000000000 -0500
7231+++ linux-2.6.32.9/arch/x86/include/asm/page_32_types.h 2010-02-23 17:09:53.099748973 -0500
7232@@ -15,6 +15,10 @@
7233 */
7234 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7235
7236+#ifdef CONFIG_PAX_PAGEEXEC
7237+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7238+#endif
7239+
7240 #ifdef CONFIG_4KSTACKS
7241 #define THREAD_ORDER 0
7242 #else
7243diff -urNp linux-2.6.32.9/arch/x86/include/asm/page_64_types.h linux-2.6.32.9/arch/x86/include/asm/page_64_types.h
7244--- linux-2.6.32.9/arch/x86/include/asm/page_64_types.h 2010-02-09 07:57:19.000000000 -0500
7245+++ linux-2.6.32.9/arch/x86/include/asm/page_64_types.h 2010-02-23 17:09:53.099748973 -0500
7246@@ -39,6 +39,9 @@
7247 #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START)
7248 #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
7249
7250+#define ktla_ktva(addr) (addr)
7251+#define ktva_ktla(addr) (addr)
7252+
7253 /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
7254 #define __PHYSICAL_MASK_SHIFT 46
7255 #define __VIRTUAL_MASK_SHIFT 47
7256diff -urNp linux-2.6.32.9/arch/x86/include/asm/paravirt.h linux-2.6.32.9/arch/x86/include/asm/paravirt.h
7257--- linux-2.6.32.9/arch/x86/include/asm/paravirt.h 2010-02-09 07:57:19.000000000 -0500
7258+++ linux-2.6.32.9/arch/x86/include/asm/paravirt.h 2010-02-23 17:09:53.103663728 -0500
7259@@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
7260 pv_mmu_ops.set_fixmap(idx, phys, flags);
7261 }
7262
7263+#ifdef CONFIG_PAX_KERNEXEC
7264+static inline unsigned long pax_open_kernel(void)
7265+{
7266+ return pv_mmu_ops.pax_open_kernel();
7267+}
7268+
7269+static inline unsigned long pax_close_kernel(void)
7270+{
7271+ return pv_mmu_ops.pax_close_kernel();
7272+}
7273+#else
7274+static inline unsigned long pax_open_kernel(void) { return 0; }
7275+static inline unsigned long pax_close_kernel(void) { return 0; }
7276+#endif
7277+
7278 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7279
7280 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
7281@@ -845,7 +860,7 @@ static inline unsigned long __raw_local_
7282
7283 static inline void raw_local_irq_restore(unsigned long f)
7284 {
7285- PVOP_VCALLEE1(pv_irq_ops.restore_fl, f);
7286+ return PVOP_VCALLEE1(pv_irq_ops.restore_fl, f);
7287 }
7288
7289 static inline void raw_local_irq_disable(void)
7290@@ -945,7 +960,7 @@ extern void default_banner(void);
7291
7292 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7293 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7294-#define PARA_INDIRECT(addr) *%cs:addr
7295+#define PARA_INDIRECT(addr) *%ss:addr
7296 #endif
7297
7298 #define INTERRUPT_RETURN \
7299@@ -970,6 +985,31 @@ extern void default_banner(void);
7300 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret32))
7301
7302 #ifdef CONFIG_X86_32
7303+
7304+#ifdef CONFIG_PAX_KERNEXEC
7305+#define PAX_EXIT_KERNEL \
7306+ cmpw $__KERNEXEC_KERNEL_CS, PT_CS(%esp); \
7307+ jnz 1f; \
7308+ push %eax; push %ecx; \
7309+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7310+ btc $16, %eax; \
7311+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7312+ pop %ecx; pop %eax; \
7313+1:
7314+
7315+#define PAX_ENTER_KERNEL \
7316+ push %eax; push %ecx; \
7317+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7318+ bts $16, %eax; \
7319+ jc 1f; \
7320+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7321+1: \
7322+ pop %ecx; pop %eax;
7323+#else
7324+#define PAX_EXIT_KERNEL
7325+#define PAX_ENTER_KERNEL
7326+#endif
7327+
7328 #define GET_CR0_INTO_EAX \
7329 push %ecx; push %edx; \
7330 call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7331diff -urNp linux-2.6.32.9/arch/x86/include/asm/paravirt_types.h linux-2.6.32.9/arch/x86/include/asm/paravirt_types.h
7332--- linux-2.6.32.9/arch/x86/include/asm/paravirt_types.h 2010-02-09 07:57:19.000000000 -0500
7333+++ linux-2.6.32.9/arch/x86/include/asm/paravirt_types.h 2010-02-23 17:09:53.103663728 -0500
7334@@ -316,6 +316,12 @@ struct pv_mmu_ops {
7335 an mfn. We can tell which is which from the index. */
7336 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7337 phys_addr_t phys, pgprot_t flags);
7338+
7339+#ifdef CONFIG_PAX_KERNEXEC
7340+ unsigned long (*pax_open_kernel)(void);
7341+ unsigned long (*pax_close_kernel)(void);
7342+#endif
7343+
7344 };
7345
7346 struct raw_spinlock;
7347diff -urNp linux-2.6.32.9/arch/x86/include/asm/pci_x86.h linux-2.6.32.9/arch/x86/include/asm/pci_x86.h
7348--- linux-2.6.32.9/arch/x86/include/asm/pci_x86.h 2010-02-09 07:57:19.000000000 -0500
7349+++ linux-2.6.32.9/arch/x86/include/asm/pci_x86.h 2010-02-23 17:09:53.103663728 -0500
7350@@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
7351 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7352
7353 struct pci_raw_ops {
7354- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7355+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7356 int reg, int len, u32 *val);
7357- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7358+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7359 int reg, int len, u32 val);
7360 };
7361
7362-extern struct pci_raw_ops *raw_pci_ops;
7363-extern struct pci_raw_ops *raw_pci_ext_ops;
7364+extern const struct pci_raw_ops *raw_pci_ops;
7365+extern const struct pci_raw_ops *raw_pci_ext_ops;
7366
7367-extern struct pci_raw_ops pci_direct_conf1;
7368+extern const struct pci_raw_ops pci_direct_conf1;
7369 extern bool port_cf9_safe;
7370
7371 /* arch_initcall level */
7372diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgalloc.h linux-2.6.32.9/arch/x86/include/asm/pgalloc.h
7373--- linux-2.6.32.9/arch/x86/include/asm/pgalloc.h 2010-02-09 07:57:19.000000000 -0500
7374+++ linux-2.6.32.9/arch/x86/include/asm/pgalloc.h 2010-02-23 17:09:53.103663728 -0500
7375@@ -58,6 +58,13 @@ static inline void pmd_populate_kernel(s
7376 pmd_t *pmd, pte_t *pte)
7377 {
7378 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7379+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
7380+}
7381+
7382+static inline void pmd_populate_user(struct mm_struct *mm,
7383+ pmd_t *pmd, pte_t *pte)
7384+{
7385+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7386 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
7387 }
7388
7389diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.9/arch/x86/include/asm/pgtable-2level.h
7390--- linux-2.6.32.9/arch/x86/include/asm/pgtable-2level.h 2010-02-09 07:57:19.000000000 -0500
7391+++ linux-2.6.32.9/arch/x86/include/asm/pgtable-2level.h 2010-02-23 17:09:53.103663728 -0500
7392@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
7393
7394 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7395 {
7396+ pax_open_kernel();
7397 *pmdp = pmd;
7398+ pax_close_kernel();
7399 }
7400
7401 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
7402diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable_32.h linux-2.6.32.9/arch/x86/include/asm/pgtable_32.h
7403--- linux-2.6.32.9/arch/x86/include/asm/pgtable_32.h 2010-02-09 07:57:19.000000000 -0500
7404+++ linux-2.6.32.9/arch/x86/include/asm/pgtable_32.h 2010-02-23 17:09:53.103663728 -0500
7405@@ -26,8 +26,6 @@
7406 struct mm_struct;
7407 struct vm_area_struct;
7408
7409-extern pgd_t swapper_pg_dir[1024];
7410-
7411 static inline void pgtable_cache_init(void) { }
7412 static inline void check_pgt_cache(void) { }
7413 void paging_init(void);
7414@@ -48,6 +46,11 @@ extern void set_pmd_pfn(unsigned long, u
7415 # include <asm/pgtable-2level.h>
7416 #endif
7417
7418+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
7419+#ifdef CONFIG_X86_PAE
7420+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
7421+#endif
7422+
7423 #if defined(CONFIG_HIGHPTE)
7424 #define __KM_PTE \
7425 (in_nmi() ? KM_NMI_PTE : \
7426@@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
7427 /* Clear a kernel PTE and flush it from the TLB */
7428 #define kpte_clear_flush(ptep, vaddr) \
7429 do { \
7430+ pax_open_kernel(); \
7431 pte_clear(&init_mm, (vaddr), (ptep)); \
7432+ pax_close_kernel(); \
7433 __flush_tlb_one((vaddr)); \
7434 } while (0)
7435
7436@@ -84,6 +89,9 @@ do { \
7437
7438 #endif /* !__ASSEMBLY__ */
7439
7440+#define HAVE_ARCH_UNMAPPED_AREA
7441+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
7442+
7443 /*
7444 * kern_addr_valid() is (1) for FLATMEM and (0) for
7445 * SPARSEMEM and DISCONTIGMEM
7446diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.9/arch/x86/include/asm/pgtable_32_types.h
7447--- linux-2.6.32.9/arch/x86/include/asm/pgtable_32_types.h 2010-02-09 07:57:19.000000000 -0500
7448+++ linux-2.6.32.9/arch/x86/include/asm/pgtable_32_types.h 2010-02-23 17:09:53.103663728 -0500
7449@@ -8,7 +8,7 @@
7450 */
7451 #ifdef CONFIG_X86_PAE
7452 # include <asm/pgtable-3level_types.h>
7453-# define PMD_SIZE (1UL << PMD_SHIFT)
7454+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
7455 # define PMD_MASK (~(PMD_SIZE - 1))
7456 #else
7457 # include <asm/pgtable-2level_types.h>
7458@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
7459 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
7460 #endif
7461
7462+#ifdef CONFIG_PAX_KERNEXEC
7463+#ifndef __ASSEMBLY__
7464+extern unsigned char MODULES_EXEC_VADDR[];
7465+extern unsigned char MODULES_EXEC_END[];
7466+#endif
7467+#include <asm/boot.h>
7468+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
7469+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
7470+#else
7471+#define ktla_ktva(addr) (addr)
7472+#define ktva_ktla(addr) (addr)
7473+#endif
7474+
7475 #define MODULES_VADDR VMALLOC_START
7476 #define MODULES_END VMALLOC_END
7477 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
7478diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.9/arch/x86/include/asm/pgtable-3level.h
7479--- linux-2.6.32.9/arch/x86/include/asm/pgtable-3level.h 2010-02-09 07:57:19.000000000 -0500
7480+++ linux-2.6.32.9/arch/x86/include/asm/pgtable-3level.h 2010-02-23 17:09:53.103663728 -0500
7481@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
7482
7483 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7484 {
7485+ pax_open_kernel();
7486 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
7487+ pax_close_kernel();
7488 }
7489
7490 static inline void native_set_pud(pud_t *pudp, pud_t pud)
7491 {
7492+ pax_open_kernel();
7493 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
7494+ pax_close_kernel();
7495 }
7496
7497 /*
7498diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable_64.h linux-2.6.32.9/arch/x86/include/asm/pgtable_64.h
7499--- linux-2.6.32.9/arch/x86/include/asm/pgtable_64.h 2010-02-09 07:57:19.000000000 -0500
7500+++ linux-2.6.32.9/arch/x86/include/asm/pgtable_64.h 2010-02-23 17:09:53.103663728 -0500
7501@@ -16,9 +16,12 @@
7502
7503 extern pud_t level3_kernel_pgt[512];
7504 extern pud_t level3_ident_pgt[512];
7505+extern pud_t level3_vmalloc_pgt[512];
7506+extern pud_t level3_vmemmap_pgt[512];
7507+extern pud_t level2_vmemmap_pgt[512];
7508 extern pmd_t level2_kernel_pgt[512];
7509 extern pmd_t level2_fixmap_pgt[512];
7510-extern pmd_t level2_ident_pgt[512];
7511+extern pmd_t level2_ident_pgt[512*2];
7512 extern pgd_t init_level4_pgt[];
7513
7514 #define swapper_pg_dir init_level4_pgt
7515@@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
7516
7517 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7518 {
7519+ pax_open_kernel();
7520 *pmdp = pmd;
7521+ pax_close_kernel();
7522 }
7523
7524 static inline void native_pmd_clear(pmd_t *pmd)
7525@@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
7526
7527 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
7528 {
7529+ pax_open_kernel();
7530 *pgdp = pgd;
7531+ pax_close_kernel();
7532 }
7533
7534 static inline void native_pgd_clear(pgd_t *pgd)
7535diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable.h linux-2.6.32.9/arch/x86/include/asm/pgtable.h
7536--- linux-2.6.32.9/arch/x86/include/asm/pgtable.h 2010-02-09 07:57:19.000000000 -0500
7537+++ linux-2.6.32.9/arch/x86/include/asm/pgtable.h 2010-02-23 17:09:53.103663728 -0500
7538@@ -74,12 +74,61 @@ extern struct list_head pgd_list;
7539
7540 #define arch_end_context_switch(prev) do {} while(0)
7541
7542+#define pax_open_kernel() native_pax_open_kernel()
7543+#define pax_close_kernel() native_pax_close_kernel()
7544 #endif /* CONFIG_PARAVIRT */
7545
7546+#define __HAVE_ARCH_PAX_OPEN_KERNEL
7547+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
7548+
7549+#ifdef CONFIG_PAX_KERNEXEC
7550+static inline unsigned long native_pax_open_kernel(void)
7551+{
7552+ unsigned long cr0;
7553+
7554+ preempt_disable();
7555+ barrier();
7556+ cr0 = read_cr0();
7557+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
7558+
7559+#ifdef CONFIG_X86_32
7560+ asm volatile("ljmp %0,$1f; 1:\n\t" : : "i"(__KERNEXEC_KERNEL_CS), "m"(__force_order));
7561+#endif
7562+
7563+ write_cr0(cr0 & ~X86_CR0_WP);
7564+ return cr0;
7565+}
7566+
7567+static inline unsigned long native_pax_close_kernel(void)
7568+{
7569+ unsigned long cr0;
7570+
7571+ cr0 = read_cr0();
7572+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
7573+
7574+#ifdef CONFIG_X86_32
7575+ asm volatile("ljmp %0,$1f; 1:\n\t" : : "i"(__KERNEL_CS), "m"(__force_order));
7576+#endif
7577+
7578+ write_cr0(cr0 | X86_CR0_WP);
7579+ barrier();
7580+ preempt_enable_no_resched();
7581+ return cr0;
7582+}
7583+#else
7584+static inline unsigned long native_pax_open_kernel(void) { return 0; }
7585+static inline unsigned long native_pax_close_kernel(void) { return 0; }
7586+#endif
7587+
7588 /*
7589 * The following only work if pte_present() is true.
7590 * Undefined behaviour if not..
7591 */
7592+static inline int pte_user(pte_t pte)
7593+{
7594+ return pte_val(pte) & _PAGE_USER;
7595+}
7596+
7597 static inline int pte_dirty(pte_t pte)
7598 {
7599 return pte_flags(pte) & _PAGE_DIRTY;
7600@@ -167,9 +216,29 @@ static inline pte_t pte_wrprotect(pte_t
7601 return pte_clear_flags(pte, _PAGE_RW);
7602 }
7603
7604+static inline pte_t pte_mkread(pte_t pte)
7605+{
7606+ return __pte(pte_val(pte) | _PAGE_USER);
7607+}
7608+
7609 static inline pte_t pte_mkexec(pte_t pte)
7610 {
7611- return pte_clear_flags(pte, _PAGE_NX);
7612+#ifdef CONFIG_X86_PAE
7613+ if (__supported_pte_mask & _PAGE_NX)
7614+ return pte_clear_flags(pte, _PAGE_NX);
7615+ else
7616+#endif
7617+ return pte_set_flags(pte, _PAGE_USER);
7618+}
7619+
7620+static inline pte_t pte_exprotect(pte_t pte)
7621+{
7622+#ifdef CONFIG_X86_PAE
7623+ if (__supported_pte_mask & _PAGE_NX)
7624+ return pte_set_flags(pte, _PAGE_NX);
7625+ else
7626+#endif
7627+ return pte_clear_flags(pte, _PAGE_USER);
7628 }
7629
7630 static inline pte_t pte_mkdirty(pte_t pte)
7631@@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
7632
7633 static inline int pgd_bad(pgd_t pgd)
7634 {
7635- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
7636+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
7637 }
7638
7639 static inline int pgd_none(pgd_t pgd)
7640@@ -611,9 +680,12 @@ static inline void ptep_set_wrprotect(st
7641 * dst and src can be on the same page, but the range must not overlap,
7642 * and must not cross a page boundary.
7643 */
7644-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
7645+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
7646 {
7647- memcpy(dst, src, count * sizeof(pgd_t));
7648+ pax_open_kernel();
7649+ while (count--)
7650+ *dst++ = *src++;
7651+ pax_close_kernel();
7652 }
7653
7654
7655diff -urNp linux-2.6.32.9/arch/x86/include/asm/pgtable_types.h linux-2.6.32.9/arch/x86/include/asm/pgtable_types.h
7656--- linux-2.6.32.9/arch/x86/include/asm/pgtable_types.h 2010-02-09 07:57:19.000000000 -0500
7657+++ linux-2.6.32.9/arch/x86/include/asm/pgtable_types.h 2010-02-23 17:09:53.103663728 -0500
7658@@ -16,12 +16,11 @@
7659 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
7660 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
7661 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
7662-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
7663+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
7664 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
7665 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
7666 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
7667-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
7668-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
7669+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
7670 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
7671
7672 /* If _PAGE_BIT_PRESENT is clear, we use these: */
7673@@ -39,7 +38,6 @@
7674 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
7675 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
7676 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
7677-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
7678 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
7679 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
7680 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
7681@@ -55,8 +53,10 @@
7682
7683 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
7684 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
7685-#else
7686+#elif defined(CONFIG_KMEMCHECK)
7687 #define _PAGE_NX (_AT(pteval_t, 0))
7688+#else
7689+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
7690 #endif
7691
7692 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
7693@@ -93,6 +93,9 @@
7694 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
7695 _PAGE_ACCESSED)
7696
7697+#define PAGE_READONLY_NOEXEC PAGE_READONLY
7698+#define PAGE_SHARED_NOEXEC PAGE_SHARED
7699+
7700 #define __PAGE_KERNEL_EXEC \
7701 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
7702 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
7703@@ -103,8 +106,8 @@
7704 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
7705 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
7706 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
7707-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
7708-#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
7709+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
7710+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
7711 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
7712 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
7713 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
7714@@ -163,8 +166,8 @@
7715 * bits are combined, this will alow user to access the high address mapped
7716 * VDSO in the presence of CONFIG_COMPAT_VDSO
7717 */
7718-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
7719-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
7720+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7721+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7722 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
7723 #endif
7724
7725@@ -278,7 +281,16 @@ typedef struct page *pgtable_t;
7726
7727 extern pteval_t __supported_pte_mask;
7728 extern void set_nx(void);
7729+
7730+#ifdef CONFIG_X86_32
7731+#ifdef CONFIG_X86_PAE
7732 extern int nx_enabled;
7733+#else
7734+#define nx_enabled (0)
7735+#endif
7736+#else
7737+#define nx_enabled (1)
7738+#endif
7739
7740 #define pgprot_writecombine pgprot_writecombine
7741 extern pgprot_t pgprot_writecombine(pgprot_t prot);
7742diff -urNp linux-2.6.32.9/arch/x86/include/asm/processor.h linux-2.6.32.9/arch/x86/include/asm/processor.h
7743--- linux-2.6.32.9/arch/x86/include/asm/processor.h 2010-02-09 07:57:19.000000000 -0500
7744+++ linux-2.6.32.9/arch/x86/include/asm/processor.h 2010-02-23 17:09:53.103663728 -0500
7745@@ -272,7 +272,7 @@ struct tss_struct {
7746
7747 } ____cacheline_aligned;
7748
7749-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
7750+extern struct tss_struct init_tss[NR_CPUS];
7751
7752 /*
7753 * Save the original ist values for checking stack pointers during debugging
7754@@ -911,8 +911,17 @@ static inline void spin_lock_prefetch(co
7755 */
7756 #define TASK_SIZE PAGE_OFFSET
7757 #define TASK_SIZE_MAX TASK_SIZE
7758+
7759+#ifdef CONFIG_PAX_SEGMEXEC
7760+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
7761+#endif
7762+
7763+#ifdef CONFIG_PAX_SEGMEXEC
7764+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
7765+#else
7766 #define STACK_TOP TASK_SIZE
7767-#define STACK_TOP_MAX STACK_TOP
7768+#endif
7769+#define STACK_TOP_MAX TASK_SIZE
7770
7771 #define INIT_THREAD { \
7772 .sp0 = sizeof(init_stack) + (long)&init_stack, \
7773@@ -929,7 +938,7 @@ static inline void spin_lock_prefetch(co
7774 */
7775 #define INIT_TSS { \
7776 .x86_tss = { \
7777- .sp0 = sizeof(init_stack) + (long)&init_stack, \
7778+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
7779 .ss0 = __KERNEL_DS, \
7780 .ss1 = __KERNEL_CS, \
7781 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
7782@@ -940,11 +949,7 @@ static inline void spin_lock_prefetch(co
7783 extern unsigned long thread_saved_pc(struct task_struct *tsk);
7784
7785 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
7786-#define KSTK_TOP(info) \
7787-({ \
7788- unsigned long *__ptr = (unsigned long *)(info); \
7789- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
7790-})
7791+#define KSTK_TOP(info) ((info)->task.thread.sp0)
7792
7793 /*
7794 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
7795@@ -959,7 +964,7 @@ extern unsigned long thread_saved_pc(str
7796 #define task_pt_regs(task) \
7797 ({ \
7798 struct pt_regs *__regs__; \
7799- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
7800+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
7801 __regs__ - 1; \
7802 })
7803
7804@@ -975,7 +980,7 @@ extern unsigned long thread_saved_pc(str
7805 * space during mmap's.
7806 */
7807 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
7808- 0xc0000000 : 0xFFFFe000)
7809+ 0xc0000000 : 0xFFFFf000)
7810
7811 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
7812 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
7813@@ -1012,6 +1017,10 @@ extern void start_thread(struct pt_regs
7814 */
7815 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
7816
7817+#ifdef CONFIG_PAX_SEGMEXEC
7818+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
7819+#endif
7820+
7821 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
7822
7823 /* Get/set a process' ability to use the timestamp counter instruction */
7824diff -urNp linux-2.6.32.9/arch/x86/include/asm/ptrace.h linux-2.6.32.9/arch/x86/include/asm/ptrace.h
7825--- linux-2.6.32.9/arch/x86/include/asm/ptrace.h 2010-02-09 07:57:19.000000000 -0500
7826+++ linux-2.6.32.9/arch/x86/include/asm/ptrace.h 2010-02-23 17:09:53.103663728 -0500
7827@@ -151,28 +151,29 @@ static inline unsigned long regs_return_
7828 }
7829
7830 /*
7831- * user_mode_vm(regs) determines whether a register set came from user mode.
7832+ * user_mode(regs) determines whether a register set came from user mode.
7833 * This is true if V8086 mode was enabled OR if the register set was from
7834 * protected mode with RPL-3 CS value. This tricky test checks that with
7835 * one comparison. Many places in the kernel can bypass this full check
7836- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
7837+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
7838+ * be used.
7839 */
7840-static inline int user_mode(struct pt_regs *regs)
7841+static inline int user_mode_novm(struct pt_regs *regs)
7842 {
7843 #ifdef CONFIG_X86_32
7844 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
7845 #else
7846- return !!(regs->cs & 3);
7847+ return !!(regs->cs & SEGMENT_RPL_MASK);
7848 #endif
7849 }
7850
7851-static inline int user_mode_vm(struct pt_regs *regs)
7852+static inline int user_mode(struct pt_regs *regs)
7853 {
7854 #ifdef CONFIG_X86_32
7855 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
7856 USER_RPL;
7857 #else
7858- return user_mode(regs);
7859+ return user_mode_novm(regs);
7860 #endif
7861 }
7862
7863diff -urNp linux-2.6.32.9/arch/x86/include/asm/reboot.h linux-2.6.32.9/arch/x86/include/asm/reboot.h
7864--- linux-2.6.32.9/arch/x86/include/asm/reboot.h 2010-02-09 07:57:19.000000000 -0500
7865+++ linux-2.6.32.9/arch/x86/include/asm/reboot.h 2010-02-23 17:09:53.103663728 -0500
7866@@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
7867
7868 void native_machine_crash_shutdown(struct pt_regs *regs);
7869 void native_machine_shutdown(void);
7870-void machine_real_restart(const unsigned char *code, int length);
7871+void machine_real_restart(const unsigned char *code, unsigned int length);
7872
7873 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
7874 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
7875diff -urNp linux-2.6.32.9/arch/x86/include/asm/rwsem.h linux-2.6.32.9/arch/x86/include/asm/rwsem.h
7876--- linux-2.6.32.9/arch/x86/include/asm/rwsem.h 2010-02-09 07:57:19.000000000 -0500
7877+++ linux-2.6.32.9/arch/x86/include/asm/rwsem.h 2010-02-23 17:09:53.103663728 -0500
7878@@ -106,10 +106,26 @@ static inline void __down_read(struct rw
7879 {
7880 asm volatile("# beginning down_read\n\t"
7881 LOCK_PREFIX " incl (%%eax)\n\t"
7882+
7883+#ifdef CONFIG_PAX_REFCOUNT
7884+#ifdef CONFIG_X86_32
7885+ "into\n0:\n"
7886+#else
7887+ "jno 0f\n"
7888+ "int $4\n0:\n"
7889+#endif
7890+ ".pushsection .fixup,\"ax\"\n"
7891+ "1:\n"
7892+ LOCK_PREFIX "decl (%%eax)\n"
7893+ "jmp 0b\n"
7894+ ".popsection\n"
7895+ _ASM_EXTABLE(0b, 1b)
7896+#endif
7897+
7898 /* adds 0x00000001, returns the old value */
7899- " jns 1f\n"
7900+ " jns 2f\n"
7901 " call call_rwsem_down_read_failed\n"
7902- "1:\n\t"
7903+ "2:\n\t"
7904 "# ending down_read\n\t"
7905 : "+m" (sem->count)
7906 : "a" (sem)
7907@@ -124,13 +140,29 @@ static inline int __down_read_trylock(st
7908 __s32 result, tmp;
7909 asm volatile("# beginning __down_read_trylock\n\t"
7910 " movl %0,%1\n\t"
7911- "1:\n\t"
7912+ "2:\n\t"
7913 " movl %1,%2\n\t"
7914 " addl %3,%2\n\t"
7915- " jle 2f\n\t"
7916+
7917+#ifdef CONFIG_PAX_REFCOUNT
7918+#ifdef CONFIG_X86_32
7919+ "into\n0:\n"
7920+#else
7921+ "jno 0f\n"
7922+ "int $4\n0:\n"
7923+#endif
7924+ ".pushsection .fixup,\"ax\"\n"
7925+ "1:\n"
7926+ "subl %3,%2\n"
7927+ "jmp 0b\n"
7928+ ".popsection\n"
7929+ _ASM_EXTABLE(0b, 1b)
7930+#endif
7931+
7932+ " jle 3f\n\t"
7933 LOCK_PREFIX " cmpxchgl %2,%0\n\t"
7934- " jnz 1b\n\t"
7935- "2:\n\t"
7936+ " jnz 2b\n\t"
7937+ "3:\n\t"
7938 "# ending __down_read_trylock\n\t"
7939 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
7940 : "i" (RWSEM_ACTIVE_READ_BIAS)
7941@@ -148,12 +180,28 @@ static inline void __down_write_nested(s
7942 tmp = RWSEM_ACTIVE_WRITE_BIAS;
7943 asm volatile("# beginning down_write\n\t"
7944 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
7945+
7946+#ifdef CONFIG_PAX_REFCOUNT
7947+#ifdef CONFIG_X86_32
7948+ "into\n0:\n"
7949+#else
7950+ "jno 0f\n"
7951+ "int $4\n0:\n"
7952+#endif
7953+ ".pushsection .fixup,\"ax\"\n"
7954+ "1:\n"
7955+ "movl %%edx,(%%eax)\n"
7956+ "jmp 0b\n"
7957+ ".popsection\n"
7958+ _ASM_EXTABLE(0b, 1b)
7959+#endif
7960+
7961 /* subtract 0x0000ffff, returns the old value */
7962 " testl %%edx,%%edx\n\t"
7963 /* was the count 0 before? */
7964- " jz 1f\n"
7965+ " jz 2f\n"
7966 " call call_rwsem_down_write_failed\n"
7967- "1:\n"
7968+ "2:\n"
7969 "# ending down_write"
7970 : "+m" (sem->count), "=d" (tmp)
7971 : "a" (sem), "1" (tmp)
7972@@ -186,10 +234,26 @@ static inline void __up_read(struct rw_s
7973 __s32 tmp = -RWSEM_ACTIVE_READ_BIAS;
7974 asm volatile("# beginning __up_read\n\t"
7975 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
7976+
7977+#ifdef CONFIG_PAX_REFCOUNT
7978+#ifdef CONFIG_X86_32
7979+ "into\n0:\n"
7980+#else
7981+ "jno 0f\n"
7982+ "int $4\n0:\n"
7983+#endif
7984+ ".pushsection .fixup,\"ax\"\n"
7985+ "1:\n"
7986+ "movl %%edx,(%%eax)\n"
7987+ "jmp 0b\n"
7988+ ".popsection\n"
7989+ _ASM_EXTABLE(0b, 1b)
7990+#endif
7991+
7992 /* subtracts 1, returns the old value */
7993- " jns 1f\n\t"
7994+ " jns 2f\n\t"
7995 " call call_rwsem_wake\n"
7996- "1:\n"
7997+ "2:\n"
7998 "# ending __up_read\n"
7999 : "+m" (sem->count), "=d" (tmp)
8000 : "a" (sem), "1" (tmp)
8001@@ -204,11 +268,27 @@ static inline void __up_write(struct rw_
8002 asm volatile("# beginning __up_write\n\t"
8003 " movl %2,%%edx\n\t"
8004 LOCK_PREFIX " xaddl %%edx,(%%eax)\n\t"
8005+
8006+#ifdef CONFIG_PAX_REFCOUNT
8007+#ifdef CONFIG_X86_32
8008+ "into\n0:\n"
8009+#else
8010+ "jno 0f\n"
8011+ "int $4\n0:\n"
8012+#endif
8013+ ".pushsection .fixup,\"ax\"\n"
8014+ "1:\n"
8015+ "movl %%edx,(%%eax)\n"
8016+ "jmp 0b\n"
8017+ ".popsection\n"
8018+ _ASM_EXTABLE(0b, 1b)
8019+#endif
8020+
8021 /* tries to transition
8022 0xffff0001 -> 0x00000000 */
8023- " jz 1f\n"
8024+ " jz 2f\n"
8025 " call call_rwsem_wake\n"
8026- "1:\n\t"
8027+ "2:\n\t"
8028 "# ending __up_write\n"
8029 : "+m" (sem->count)
8030 : "a" (sem), "i" (-RWSEM_ACTIVE_WRITE_BIAS)
8031@@ -222,10 +302,26 @@ static inline void __downgrade_write(str
8032 {
8033 asm volatile("# beginning __downgrade_write\n\t"
8034 LOCK_PREFIX " addl %2,(%%eax)\n\t"
8035+
8036+#ifdef CONFIG_PAX_REFCOUNT
8037+#ifdef CONFIG_X86_32
8038+ "into\n0:\n"
8039+#else
8040+ "jno 0f\n"
8041+ "int $4\n0:\n"
8042+#endif
8043+ ".pushsection .fixup,\"ax\"\n"
8044+ "1:\n"
8045+ LOCK_PREFIX "subl %2,(%%eax)\n"
8046+ "jmp 0b\n"
8047+ ".popsection\n"
8048+ _ASM_EXTABLE(0b, 1b)
8049+#endif
8050+
8051 /* transitions 0xZZZZ0001 -> 0xYYYY0001 */
8052- " jns 1f\n\t"
8053+ " jns 2f\n\t"
8054 " call call_rwsem_downgrade_wake\n"
8055- "1:\n\t"
8056+ "2:\n\t"
8057 "# ending __downgrade_write\n"
8058 : "+m" (sem->count)
8059 : "a" (sem), "i" (-RWSEM_WAITING_BIAS)
8060@@ -237,7 +333,23 @@ static inline void __downgrade_write(str
8061 */
8062 static inline void rwsem_atomic_add(int delta, struct rw_semaphore *sem)
8063 {
8064- asm volatile(LOCK_PREFIX "addl %1,%0"
8065+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8066+
8067+#ifdef CONFIG_PAX_REFCOUNT
8068+#ifdef CONFIG_X86_32
8069+ "into\n0:\n"
8070+#else
8071+ "jno 0f\n"
8072+ "int $4\n0:\n"
8073+#endif
8074+ ".pushsection .fixup,\"ax\"\n"
8075+ "1:\n"
8076+ LOCK_PREFIX "subl %1,%0\n"
8077+ "jmp 0b\n"
8078+ ".popsection\n"
8079+ _ASM_EXTABLE(0b, 1b)
8080+#endif
8081+
8082 : "+m" (sem->count)
8083 : "ir" (delta));
8084 }
8085@@ -249,7 +361,23 @@ static inline int rwsem_atomic_update(in
8086 {
8087 int tmp = delta;
8088
8089- asm volatile(LOCK_PREFIX "xadd %0,%1"
8090+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8091+
8092+#ifdef CONFIG_PAX_REFCOUNT
8093+#ifdef CONFIG_X86_32
8094+ "into\n0:\n"
8095+#else
8096+ "jno 0f\n"
8097+ "int $4\n0:\n"
8098+#endif
8099+ ".pushsection .fixup,\"ax\"\n"
8100+ "1:\n"
8101+ "movl %0,%1\n"
8102+ "jmp 0b\n"
8103+ ".popsection\n"
8104+ _ASM_EXTABLE(0b, 1b)
8105+#endif
8106+
8107 : "+r" (tmp), "+m" (sem->count)
8108 : : "memory");
8109
8110diff -urNp linux-2.6.32.9/arch/x86/include/asm/segment.h linux-2.6.32.9/arch/x86/include/asm/segment.h
8111--- linux-2.6.32.9/arch/x86/include/asm/segment.h 2010-02-09 07:57:19.000000000 -0500
8112+++ linux-2.6.32.9/arch/x86/include/asm/segment.h 2010-02-23 17:09:53.103663728 -0500
8113@@ -62,8 +62,8 @@
8114 * 26 - ESPFIX small SS
8115 * 27 - per-cpu [ offset to per-cpu data area ]
8116 * 28 - stack_canary-20 [ for stack protector ]
8117- * 29 - unused
8118- * 30 - unused
8119+ * 29 - PCI BIOS CS
8120+ * 30 - PCI BIOS DS
8121 * 31 - TSS for double fault handler
8122 */
8123 #define GDT_ENTRY_TLS_MIN 6
8124@@ -77,6 +77,8 @@
8125
8126 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8127
8128+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8129+
8130 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8131
8132 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8133@@ -88,7 +90,7 @@
8134 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8135 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8136
8137-#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8138+#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8139 #ifdef CONFIG_SMP
8140 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8141 #else
8142@@ -102,6 +104,12 @@
8143 #define __KERNEL_STACK_CANARY 0
8144 #endif
8145
8146+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8147+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8148+
8149+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8150+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8151+
8152 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8153
8154 /*
8155@@ -139,12 +147,13 @@
8156 */
8157
8158 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8159-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8160+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8161
8162
8163 #else
8164 #include <asm/cache.h>
8165
8166+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 0
8167 #define GDT_ENTRY_KERNEL32_CS 1
8168 #define GDT_ENTRY_KERNEL_CS 2
8169 #define GDT_ENTRY_KERNEL_DS 3
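Review bot: The comment above `SEGMENT_IS_PNP_CODE` still says the two selectors "must be consecutive", but the rewritten macro compares against `PNP_CS32` and `PNP_CS16` separately, so that constraint no longer comes from this test. I would update it to something like `/* Matches PNP_CS32 and PNP_CS16, ignoring the RPL bits */`. The new form also evaluates `x` twice, which is worth a word in the comment in case a caller passes an expression with side effects (callers are not visible here).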
8170@@ -183,6 +192,7 @@
8171 #endif
8172
8173 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8174+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8175 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8176 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8177 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8178diff -urNp linux-2.6.32.9/arch/x86/include/asm/spinlock.h linux-2.6.32.9/arch/x86/include/asm/spinlock.h
8179--- linux-2.6.32.9/arch/x86/include/asm/spinlock.h 2010-02-09 07:57:19.000000000 -0500
8180+++ linux-2.6.32.9/arch/x86/include/asm/spinlock.h 2010-02-23 17:09:53.103663728 -0500
8181@@ -249,18 +249,50 @@ static inline int __raw_write_can_lock(r
8182 static inline void __raw_read_lock(raw_rwlock_t *rw)
8183 {
8184 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8185- "jns 1f\n"
8186- "call __read_lock_failed\n\t"
8187+
8188+#ifdef CONFIG_PAX_REFCOUNT
8189+#ifdef CONFIG_X86_32
8190+ "into\n0:\n"
8191+#else
8192+ "jno 0f\n"
8193+ "int $4\n0:\n"
8194+#endif
8195+ ".pushsection .fixup,\"ax\"\n"
8196 "1:\n"
8197+ LOCK_PREFIX " addl $1,(%0)\n"
8198+ "jmp 0b\n"
8199+ ".popsection\n"
8200+ _ASM_EXTABLE(0b, 1b)
8201+#endif
8202+
8203+ "jns 2f\n"
8204+ "call __read_lock_failed\n\t"
8205+ "2:\n"
8206 ::LOCK_PTR_REG (rw) : "memory");
8207 }
8208
8209 static inline void __raw_write_lock(raw_rwlock_t *rw)
8210 {
8211 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8212- "jz 1f\n"
8213- "call __write_lock_failed\n\t"
8214+
8215+#ifdef CONFIG_PAX_REFCOUNT
8216+#ifdef CONFIG_X86_32
8217+ "into\n0:\n"
8218+#else
8219+ "jno 0f\n"
8220+ "int $4\n0:\n"
8221+#endif
8222+ ".pushsection .fixup,\"ax\"\n"
8223 "1:\n"
8224+ LOCK_PREFIX " addl %1,(%0)\n"
8225+ "jmp 0b\n"
8226+ ".popsection\n"
8227+ _ASM_EXTABLE(0b, 1b)
8228+#endif
8229+
8230+ "jz 2f\n"
8231+ "call __write_lock_failed\n\t"
8232+ "2:\n"
8233 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8234 }
8235
8236@@ -286,12 +318,45 @@ static inline int __raw_write_trylock(ra
8237
8238 static inline void __raw_read_unlock(raw_rwlock_t *rw)
8239 {
8240- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8241+ asm volatile(LOCK_PREFIX "incl %0\n"
8242+
8243+#ifdef CONFIG_PAX_REFCOUNT
8244+#ifdef CONFIG_X86_32
8245+ "into\n0:\n"
8246+#else
8247+ "jno 0f\n"
8248+ "int $4\n0:\n"
8249+#endif
8250+ ".pushsection .fixup,\"ax\"\n"
8251+ "1:\n"
8252+ LOCK_PREFIX "decl %0\n"
8253+ "jmp 0b\n"
8254+ ".popsection\n"
8255+ _ASM_EXTABLE(0b, 1b)
8256+#endif
8257+
8258+ :"+m" (rw->lock) : : "memory");
8259 }
8260
8261 static inline void __raw_write_unlock(raw_rwlock_t *rw)
8262 {
8263- asm volatile(LOCK_PREFIX "addl %1, %0"
8264+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
8265+
8266+#ifdef CONFIG_PAX_REFCOUNT
8267+#ifdef CONFIG_X86_32
8268+ "into\n0:\n"
8269+#else
8270+ "jno 0f\n"
8271+ "int $4\n0:\n"
8272+#endif
8273+ ".pushsection .fixup,\"ax\"\n"
8274+ "1:\n"
8275+ LOCK_PREFIX "subl %1,%0\n"
8276+ "jmp 0b\n"
8277+ ".popsection\n"
8278+ _ASM_EXTABLE(0b, 1b)
8279+#endif
8280+
8281 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
8282 }
8283
8284diff -urNp linux-2.6.32.9/arch/x86/include/asm/system.h linux-2.6.32.9/arch/x86/include/asm/system.h
8285--- linux-2.6.32.9/arch/x86/include/asm/system.h 2010-02-09 07:57:19.000000000 -0500
8286+++ linux-2.6.32.9/arch/x86/include/asm/system.h 2010-02-23 17:09:53.103663728 -0500
8287@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
8288 {
8289 unsigned long __limit;
8290 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
8291- return __limit + 1;
8292+ return __limit;
8293 }
8294
8295 static inline void native_clts(void)
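Review bot: `get_limit()` now returns the raw value from `lsll` instead of `__limit + 1`, which changes its meaning from a size to the highest valid offset, and nothing in the hunk records that. Callers are outside this hunk, so every user that treated the result as a length needs to be checked against the new meaning. A one-line comment above the return would make the contract explicit, e.g. `/* returns the segment limit itself (last valid offset), not limit + 1 */`. The function's signature is outside the hunk.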
8296@@ -340,7 +340,7 @@ void enable_hlt(void);
8297
8298 void cpu_idle_wait(void);
8299
8300-extern unsigned long arch_align_stack(unsigned long sp);
8301+#define arch_align_stack(x) ((x) & ~0xfUL)
8302 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
8303
8304 void default_idle(void);
8305diff -urNp linux-2.6.32.9/arch/x86/include/asm/uaccess_32.h linux-2.6.32.9/arch/x86/include/asm/uaccess_32.h
8306--- linux-2.6.32.9/arch/x86/include/asm/uaccess_32.h 2010-02-09 07:57:19.000000000 -0500
8307+++ linux-2.6.32.9/arch/x86/include/asm/uaccess_32.h 2010-02-23 17:09:53.103663728 -0500
8308@@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
8309 static __always_inline unsigned long __must_check
8310 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
8311 {
8312+ if ((long)n < 0)
8313+ return n;
8314+
8315 if (__builtin_constant_p(n)) {
8316 unsigned long ret;
8317
8318@@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
8319 return ret;
8320 }
8321 }
8322+ if (!__builtin_constant_p(n))
8323+ check_object_size(from, n, true);
8324 return __copy_to_user_ll(to, from, n);
8325 }
8326
8327@@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
8328 static __always_inline unsigned long
8329 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
8330 {
8331+ if ((long)n < 0)
8332+ return n;
8333+
8334 /* Avoid zeroing the tail if the copy fails..
8335 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
8336 * but as the zeroing behaviour is only significant when n is not
8337@@ -138,6 +146,10 @@ static __always_inline unsigned long
8338 __copy_from_user(void *to, const void __user *from, unsigned long n)
8339 {
8340 might_fault();
8341+
8342+ if ((long)n < 0)
8343+ return n;
8344+
8345 if (__builtin_constant_p(n)) {
8346 unsigned long ret;
8347
8348@@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
8349 return ret;
8350 }
8351 }
8352+ if (!__builtin_constant_p(n))
8353+ check_object_size(to, n, false);
8354 return __copy_from_user_ll(to, from, n);
8355 }
8356
8357@@ -160,6 +174,10 @@ static __always_inline unsigned long __c
8358 const void __user *from, unsigned long n)
8359 {
8360 might_fault();
8361+
8362+ if ((long)n < 0)
8363+ return n;
8364+
8365 if (__builtin_constant_p(n)) {
8366 unsigned long ret;
8367
8368@@ -182,14 +200,62 @@ static __always_inline unsigned long
8369 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
8370 unsigned long n)
8371 {
8372- return __copy_from_user_ll_nocache_nozero(to, from, n);
8373+ if ((long)n < 0)
8374+ return n;
8375+
8376+ return __copy_from_user_ll_nocache_nozero(to, from, n);
8377+}
8378+
8379+/**
8380+ * copy_to_user: - Copy a block of data into user space.
8381+ * @to: Destination address, in user space.
8382+ * @from: Source address, in kernel space.
8383+ * @n: Number of bytes to copy.
8384+ *
8385+ * Context: User context only. This function may sleep.
8386+ *
8387+ * Copy data from kernel space to user space.
8388+ *
8389+ * Returns number of bytes that could not be copied.
8390+ * On success, this will be zero.
8391+ */
8392+static __always_inline unsigned long __must_check
8393+copy_to_user(void __user *to, const void *from, unsigned long n)
8394+{
8395+ if (access_ok(VERIFY_WRITE, to, n))
8396+ n = __copy_to_user(to, from, n);
8397+ return n;
8398+}
8399+
8400+/**
8401+ * copy_from_user: - Copy a block of data from user space.
8402+ * @to: Destination address, in kernel space.
8403+ * @from: Source address, in user space.
8404+ * @n: Number of bytes to copy.
8405+ *
8406+ * Context: User context only. This function may sleep.
8407+ *
8408+ * Copy data from user space to kernel space.
8409+ *
8410+ * Returns number of bytes that could not be copied.
8411+ * On success, this will be zero.
8412+ *
8413+ * If some data could not be copied, this function will pad the copied
8414+ * data to the requested size using zero bytes.
8415+ */
8416+static __always_inline unsigned long __must_check
8417+copy_from_user(void *to, const void __user *from, unsigned long n)
8418+{
8419+ if (access_ok(VERIFY_READ, from, n))
8420+ n = __copy_from_user(to, from, n);
8421+ else if ((long)n > 0) {
8422+ if (!__builtin_constant_p(n))
8423+ check_object_size(to, n, false);
8424+ memset(to, 0, n);
8425+ }
8426+ return n;
8427 }
8428
8429-unsigned long __must_check copy_to_user(void __user *to,
8430- const void *from, unsigned long n);
8431-unsigned long __must_check copy_from_user(void *to,
8432- const void __user *from,
8433- unsigned long n);
8434 long __must_check strncpy_from_user(char *dst, const char __user *src,
8435 long count);
8436 long __must_check __strncpy_from_user(char *dst,
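Review bot: The kernel-doc added for `copy_from_user()` promises zero padding whenever data could not be copied, but the `else if ((long)n > 0)` branch skips the `memset` for a length with the top bit set, so that case returns `n` with the destination untouched. That looks deliberate, yet it is not documented, and this 32-bit version only reaches a sign check after `access_ok()`, while the 64-bit `copy_from_user()` in uaccess_64.h opens with an explicit guard. I would add `if ((long)n < 0) return n;` as the first statement here for symmetry and extend the comment with a sentence such as "A length that is negative when viewed as signed is rejected and the destination is left unmodified."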
8437diff -urNp linux-2.6.32.9/arch/x86/include/asm/uaccess_64.h linux-2.6.32.9/arch/x86/include/asm/uaccess_64.h
8438--- linux-2.6.32.9/arch/x86/include/asm/uaccess_64.h 2010-02-09 07:57:19.000000000 -0500
8439+++ linux-2.6.32.9/arch/x86/include/asm/uaccess_64.h 2010-02-23 17:09:53.103663728 -0500
8440@@ -10,6 +10,8 @@
8441 #include <linux/lockdep.h>
8442 #include <asm/page.h>
8443
8444+#define set_fs(x) (current_thread_info()->addr_limit = (x))
8445+
8446 /*
8447 * Copy To/From Userspace
8448 */
8449@@ -19,20 +21,22 @@ __must_check unsigned long
8450 copy_user_generic(void *to, const void *from, unsigned len);
8451
8452 __must_check unsigned long
8453-copy_to_user(void __user *to, const void *from, unsigned len);
8454-__must_check unsigned long
8455-copy_from_user(void *to, const void __user *from, unsigned len);
8456-__must_check unsigned long
8457 copy_in_user(void __user *to, const void __user *from, unsigned len);
8458
8459 static __always_inline __must_check
8460-int __copy_from_user(void *dst, const void __user *src, unsigned size)
8461+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
8462 {
8463- int ret = 0;
8464+ unsigned ret = 0;
8465
8466 might_fault();
8467- if (!__builtin_constant_p(size))
8468+
8469+ if ((int)size < 0)
8470+ return size;
8471+
8472+ if (!__builtin_constant_p(size)) {
8473+ check_object_size(dst, size, false);
8474 return copy_user_generic(dst, (__force void *)src, size);
8475+ }
8476 switch (size) {
8477 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
8478 ret, "b", "b", "=q", 1);
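Review bot: The new `(int)size < 0` guard in `__copy_from_user()` only sees 32 bits, because the parameter is declared `unsigned`; on a 64-bit build a caller that passes a wider length has it truncated before the check runs, so the guard cannot reject it. The same holds for the other helpers in this file that take `unsigned size` or `unsigned len` (`__copy_to_user`, `copy_to_user`, `copy_from_user`, `__copy_in_user`, the `_nocache` variants). Widening the parameters is an interface change beyond this hunk, so at minimum I would record the limitation, e.g. `/* size is 32-bit: the sign check cannot see bits truncated at the call site */`. The function body continues past the end of the hunk.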
8479@@ -70,13 +74,19 @@ int __copy_from_user(void *dst, const vo
8480 }
8481
8482 static __always_inline __must_check
8483-int __copy_to_user(void __user *dst, const void *src, unsigned size)
8484+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
8485 {
8486- int ret = 0;
8487+ unsigned ret = 0;
8488
8489 might_fault();
8490- if (!__builtin_constant_p(size))
8491+
8492+ if ((int)size < 0)
8493+ return size;
8494+
8495+ if (!__builtin_constant_p(size)) {
8496+ check_object_size(src, size, true);
8497 return copy_user_generic((__force void *)dst, src, size);
8498+ }
8499 switch (size) {
8500 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
8501 ret, "b", "b", "iq", 1);
8502@@ -114,11 +124,39 @@ int __copy_to_user(void __user *dst, con
8503 }
8504
8505 static __always_inline __must_check
8506-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8507+unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
8508 {
8509- int ret = 0;
8510+ if (access_ok(VERIFY_WRITE, to, len))
8511+ len = __copy_to_user(to, from, len);
8512+ return len;
8513+}
8514+
8515+static __always_inline __must_check
8516+unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
8517+{
8518+ if ((int)len < 0)
8519+ return len;
8520+
8521+ if (access_ok(VERIFY_READ, from, len))
8522+ len = __copy_from_user(to, from, len);
8523+ else if ((int)len > 0) {
8524+ if (!__builtin_constant_p(len))
8525+ check_object_size(to, len, false);
8526+ memset(to, 0, len);
8527+ }
8528+ return len;
8529+}
8530+
8531+static __always_inline __must_check
8532+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8533+{
8534+ unsigned ret = 0;
8535
8536 might_fault();
8537+
8538+ if ((int)size < 0)
8539+ return size;
8540+
8541 if (!__builtin_constant_p(size))
8542 return copy_user_generic((__force void *)dst,
8543 (__force void *)src, size);
8544@@ -179,30 +217,38 @@ __must_check unsigned long __clear_user(
8545 __must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
8546 unsigned size);
8547
8548-static __must_check __always_inline int
8549+static __must_check __always_inline unsigned long
8550 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
8551 {
8552+ if ((int)size < 0)
8553+ return size;
8554+
8555 return copy_user_generic((__force void *)dst, src, size);
8556 }
8557
8558-extern long __copy_user_nocache(void *dst, const void __user *src,
8559+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
8560 unsigned size, int zerorest);
8561
8562-static inline int
8563-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8564+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8565 {
8566 might_sleep();
8567+
8568+ if ((int)size < 0)
8569+ return size;
8570+
8571 return __copy_user_nocache(dst, src, size, 1);
8572 }
8573
8574-static inline int
8575-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8576+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8577 unsigned size)
8578 {
8579+ if ((int)size < 0)
8580+ return size;
8581+
8582 return __copy_user_nocache(dst, src, size, 0);
8583 }
8584
8585-unsigned long
8586+extern unsigned long
8587 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
8588
8589 #endif /* _ASM_X86_UACCESS_64_H */
8590diff -urNp linux-2.6.32.9/arch/x86/include/asm/uaccess.h linux-2.6.32.9/arch/x86/include/asm/uaccess.h
8591--- linux-2.6.32.9/arch/x86/include/asm/uaccess.h 2010-02-09 07:57:19.000000000 -0500
8592+++ linux-2.6.32.9/arch/x86/include/asm/uaccess.h 2010-02-23 17:09:53.103663728 -0500
8593@@ -8,8 +8,11 @@
8594 #include <linux/thread_info.h>
8595 #include <linux/prefetch.h>
8596 #include <linux/string.h>
8597+#include <linux/sched.h>
8598+#include <linux/slab.h>
8599 #include <asm/asm.h>
8600 #include <asm/page.h>
8601+#include <asm/segment.h>
8602
8603 #define VERIFY_READ 0
8604 #define VERIFY_WRITE 1
8605@@ -29,7 +32,12 @@
8606
8607 #define get_ds() (KERNEL_DS)
8608 #define get_fs() (current_thread_info()->addr_limit)
8609+#ifdef CONFIG_X86_32
8610+void __set_fs(mm_segment_t x, int cpu);
8611+void set_fs(mm_segment_t x);
8612+#else
8613 #define set_fs(x) (current_thread_info()->addr_limit = (x))
8614+#endif
8615
8616 #define segment_eq(a, b) ((a).seg == (b).seg)
8617
8618@@ -77,7 +85,29 @@
8619 * checks that the pointer is in the user space range - after calling
8620 * this function, memory access functions may still return -EFAULT.
8621 */
8622-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8623+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8624+#define access_ok(type, addr, size) \
8625+({ \
8626+ long __size = size; \
8627+ unsigned long __addr = (unsigned long)addr; \
8628+ unsigned long __addr_ao = __addr & PAGE_MASK; \
8629+ unsigned long __end_ao = __addr + __size - 1; \
8630+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
8631+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
8632+ for (; __addr_ao <= __end_ao; __addr_ao += PAGE_SIZE) { \
8633+ char __c_ao; \
8634+ if (__size > PAGE_SIZE) \
8635+ cond_resched(); \
8636+ if (__get_user(__c_ao, (char __user *)__addr_ao))\
8637+ break; \
8638+ if (type != VERIFY_WRITE) \
8639+ continue; \
8640+ if (__put_user(__c_ao, (char __user *)__addr_ao))\
8641+ break; \
8642+ } \
8643+ } \
8644+ __ret_ao; \
8645+})
8646
8647 /*
8648 * The exception table consists of pairs of addresses: the first is the
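Review bot: The rewritten `access_ok()` uses its arguments unparenthesised: `(unsigned long)addr` applies the cast before any operator in the argument, so a pointer expression such as `p + i` would be converted first and then offset in bytes rather than elements. Writing `long __size = (size);` and `unsigned long __addr = (unsigned long)(addr);` (and `(type) != VERIFY_WRITE`) avoids that. The macro also now touches user pages with `__get_user`/`__put_user` and may call `cond_resched()`, while the outcome of that probing never changes `__ret_ao`. The comment above it still describes a pure range check and should say that the macro may access user memory and reschedule.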
8649@@ -183,13 +213,21 @@ extern int __get_user_bad(void);
8650 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
8651 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
8652
8653-
8654+#ifdef CONFIG_X86_32
8655+#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
8656+#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
8657+#else
8658+#define _ASM_LOAD_USER_DS(ds)
8659+#define _ASM_LOAD_KERNEL_DS
8660+#endif
8661
8662 #ifdef CONFIG_X86_32
8663 #define __put_user_asm_u64(x, addr, err, errret) \
8664- asm volatile("1: movl %%eax,0(%2)\n" \
8665- "2: movl %%edx,4(%2)\n" \
8666+ asm volatile(_ASM_LOAD_USER_DS(5) \
8667+ "1: movl %%eax,%%ds:0(%2)\n" \
8668+ "2: movl %%edx,%%ds:4(%2)\n" \
8669 "3:\n" \
8670+ _ASM_LOAD_KERNEL_DS \
8671 ".section .fixup,\"ax\"\n" \
8672 "4: movl %3,%0\n" \
8673 " jmp 3b\n" \
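Review bot: `_ASM_LOAD_USER_DS(5)` hard-codes the position of the `"r"(__USER_DS)` input, which for `__put_user_asm_u64` is only added in the next hunk, so inserting or removing any operand later silently makes the `movw` load a different register into `%ds`. Because the macro stringifies its argument, a named operand works without changing its definition: `_ASM_LOAD_USER_DS([uds])` together with `[uds] "r"(__USER_DS)`. The same applies to the `(2)` and `(5)` uses in `__put_user_asm_ex_u64`, `__get_user_asm`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex`.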
8674@@ -197,15 +235,18 @@ extern int __get_user_bad(void);
8675 _ASM_EXTABLE(1b, 4b) \
8676 _ASM_EXTABLE(2b, 4b) \
8677 : "=r" (err) \
8678- : "A" (x), "r" (addr), "i" (errret), "0" (err))
8679+ : "A" (x), "r" (addr), "i" (errret), "0" (err), \
8680+ "r"(__USER_DS))
8681
8682 #define __put_user_asm_ex_u64(x, addr) \
8683- asm volatile("1: movl %%eax,0(%1)\n" \
8684- "2: movl %%edx,4(%1)\n" \
8685+ asm volatile(_ASM_LOAD_USER_DS(2) \
8686+ "1: movl %%eax,%%ds:0(%1)\n" \
8687+ "2: movl %%edx,%%ds:4(%1)\n" \
8688 "3:\n" \
8689+ _ASM_LOAD_KERNEL_DS \
8690 _ASM_EXTABLE(1b, 2b - 1b) \
8691 _ASM_EXTABLE(2b, 3b - 2b) \
8692- : : "A" (x), "r" (addr))
8693+ : : "A" (x), "r" (addr), "r"(__USER_DS))
8694
8695 #define __put_user_x8(x, ptr, __ret_pu) \
8696 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
8697@@ -374,16 +415,18 @@ do { \
8698 } while (0)
8699
8700 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8701- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
8702+ asm volatile(_ASM_LOAD_USER_DS(5) \
8703+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
8704 "2:\n" \
8705+ _ASM_LOAD_KERNEL_DS \
8706 ".section .fixup,\"ax\"\n" \
8707 "3: mov %3,%0\n" \
8708 " xor"itype" %"rtype"1,%"rtype"1\n" \
8709 " jmp 2b\n" \
8710 ".previous\n" \
8711 _ASM_EXTABLE(1b, 3b) \
8712- : "=r" (err), ltype(x) \
8713- : "m" (__m(addr)), "i" (errret), "0" (err))
8714+ : "=r" (err), ltype (x) \
8715+ : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
8716
8717 #define __get_user_size_ex(x, ptr, size) \
8718 do { \
8719@@ -407,10 +450,12 @@ do { \
8720 } while (0)
8721
8722 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
8723- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
8724+ asm volatile(_ASM_LOAD_USER_DS(2) \
8725+ "1: mov"itype" %%ds:%1,%"rtype"0\n" \
8726 "2:\n" \
8727+ _ASM_LOAD_KERNEL_DS \
8728 _ASM_EXTABLE(1b, 2b - 1b) \
8729- : ltype(x) : "m" (__m(addr)))
8730+ : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
8731
8732 #define __put_user_nocheck(x, ptr, size) \
8733 ({ \
8734@@ -424,7 +469,7 @@ do { \
8735 int __gu_err; \
8736 unsigned long __gu_val; \
8737 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
8738- (x) = (__force __typeof__(*(ptr)))__gu_val; \
8739+ (x) = (__typeof__(*(ptr)))__gu_val; \
8740 __gu_err; \
8741 })
8742
8743@@ -438,21 +483,26 @@ struct __large_struct { unsigned long bu
8744 * aliasing issues.
8745 */
8746 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8747- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
8748+ asm volatile(_ASM_LOAD_USER_DS(5) \
8749+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
8750 "2:\n" \
8751+ _ASM_LOAD_KERNEL_DS \
8752 ".section .fixup,\"ax\"\n" \
8753 "3: mov %3,%0\n" \
8754 " jmp 2b\n" \
8755 ".previous\n" \
8756 _ASM_EXTABLE(1b, 3b) \
8757 : "=r"(err) \
8758- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
8759+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
8760+ "r"(__USER_DS))
8761
8762 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
8763- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
8764+ asm volatile(_ASM_LOAD_USER_DS(2) \
8765+ "1: mov"itype" %"rtype"0,%%ds:%1\n" \
8766 "2:\n" \
8767+ _ASM_LOAD_KERNEL_DS \
8768 _ASM_EXTABLE(1b, 2b - 1b) \
8769- : : ltype(x), "m" (__m(addr)))
8770+ : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
8771
8772 /*
8773 * uaccess_try and catch
8774@@ -530,7 +580,7 @@ struct __large_struct { unsigned long bu
8775 #define get_user_ex(x, ptr) do { \
8776 unsigned long __gue_val; \
8777 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
8778- (x) = (__force __typeof__(*(ptr)))__gue_val; \
8779+ (x) = (__typeof__(*(ptr)))__gue_val; \
8780 } while (0)
8781
8782 #ifdef CONFIG_X86_WP_WORKS_OK
8783@@ -567,6 +617,7 @@ extern struct movsl_mask {
8784
8785 #define ARCH_HAS_NOCACHE_UACCESS 1
8786
8787+#define ARCH_HAS_SORT_EXTABLE
8788 #ifdef CONFIG_X86_32
8789 # include "uaccess_32.h"
8790 #else
8791diff -urNp linux-2.6.32.9/arch/x86/include/asm/vgtod.h linux-2.6.32.9/arch/x86/include/asm/vgtod.h
8792--- linux-2.6.32.9/arch/x86/include/asm/vgtod.h 2010-02-09 07:57:19.000000000 -0500
8793+++ linux-2.6.32.9/arch/x86/include/asm/vgtod.h 2010-02-23 17:09:53.108051644 -0500
8794@@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
8795 int sysctl_enabled;
8796 struct timezone sys_tz;
8797 struct { /* extract of a clocksource struct */
8798+ char name[8];
8799 cycle_t (*vread)(void);
8800 cycle_t cycle_last;
8801 cycle_t mask;
8802diff -urNp linux-2.6.32.9/arch/x86/include/asm/vmi.h linux-2.6.32.9/arch/x86/include/asm/vmi.h
8803--- linux-2.6.32.9/arch/x86/include/asm/vmi.h 2010-02-09 07:57:19.000000000 -0500
8804+++ linux-2.6.32.9/arch/x86/include/asm/vmi.h 2010-02-23 17:09:53.108051644 -0500
8805@@ -191,6 +191,7 @@ struct vrom_header {
8806 u8 reserved[96]; /* Reserved for headers */
8807 char vmi_init[8]; /* VMI_Init jump point */
8808 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
8809+ char rom_data[8048]; /* rest of the option ROM */
8810 } __attribute__((packed));
8811
8812 struct pnp_header {
8813diff -urNp linux-2.6.32.9/arch/x86/include/asm/vsyscall.h linux-2.6.32.9/arch/x86/include/asm/vsyscall.h
8814--- linux-2.6.32.9/arch/x86/include/asm/vsyscall.h 2010-02-09 07:57:19.000000000 -0500
8815+++ linux-2.6.32.9/arch/x86/include/asm/vsyscall.h 2010-02-23 17:09:53.108051644 -0500
8816@@ -15,9 +15,10 @@ enum vsyscall_num {
8817
8818 #ifdef __KERNEL__
8819 #include <linux/seqlock.h>
8820+#include <linux/getcpu.h>
8821+#include <linux/time.h>
8822
8823 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
8824-#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
8825
8826 /* Definitions for CONFIG_GENERIC_TIME definitions */
8827 #define __section_vsyscall_gtod_data __attribute__ \
8828@@ -31,7 +32,6 @@ enum vsyscall_num {
8829 #define VGETCPU_LSL 2
8830
8831 extern int __vgetcpu_mode;
8832-extern volatile unsigned long __jiffies;
8833
8834 /* kernel space (writeable) */
8835 extern int vgetcpu_mode;
8836@@ -39,6 +39,9 @@ extern struct timezone sys_tz;
8837
8838 extern void map_vsyscall(void);
8839
8840+extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
8841+extern time_t vtime(time_t *t);
8842+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
8843 #endif /* __KERNEL__ */
8844
8845 #endif /* _ASM_X86_VSYSCALL_H */
8846diff -urNp linux-2.6.32.9/arch/x86/Kconfig linux-2.6.32.9/arch/x86/Kconfig
8847--- linux-2.6.32.9/arch/x86/Kconfig 2010-02-09 07:57:19.000000000 -0500
8848+++ linux-2.6.32.9/arch/x86/Kconfig 2010-02-23 17:09:53.108051644 -0500
8849@@ -1083,7 +1083,7 @@ config PAGE_OFFSET
8850 hex
8851 default 0xB0000000 if VMSPLIT_3G_OPT
8852 default 0x80000000 if VMSPLIT_2G
8853- default 0x78000000 if VMSPLIT_2G_OPT
8854+ default 0x70000000 if VMSPLIT_2G_OPT
8855 default 0x40000000 if VMSPLIT_1G
8856 default 0xC0000000
8857 depends on X86_32
8858@@ -1409,7 +1409,7 @@ config ARCH_USES_PG_UNCACHED
8859
8860 config EFI
8861 bool "EFI runtime service support"
8862- depends on ACPI
8863+ depends on ACPI && !PAX_KERNEXEC
8864 ---help---
8865 This enables the kernel to use EFI runtime services that are
8866 available (such as the EFI variable services).
8867@@ -1496,6 +1496,7 @@ config KEXEC_JUMP
8868 config PHYSICAL_START
8869 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
8870 default "0x1000000"
8871+ range 0x400000 0x40000000
8872 ---help---
8873 This gives the physical address where the kernel is loaded.
8874
8875@@ -1560,6 +1561,7 @@ config PHYSICAL_ALIGN
8876 hex
8877 prompt "Alignment value to which kernel should be aligned" if X86_32
8878 default "0x1000000"
8879+ range 0x400000 0x1000000 if PAX_KERNEXEC
8880 range 0x2000 0x1000000
8881 ---help---
8882 This value puts the alignment restrictions on physical address
8883@@ -1591,9 +1593,10 @@ config HOTPLUG_CPU
8884 Say N if you want to disable CPU hotplug.
8885
8886 config COMPAT_VDSO
8887- def_bool y
8888+ def_bool n
8889 prompt "Compat VDSO support"
8890 depends on X86_32 || IA32_EMULATION
8891+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
8892 ---help---
8893 Map the 32-bit VDSO to the predictable old-style address too.
8894 ---help---
8895diff -urNp linux-2.6.32.9/arch/x86/Kconfig.cpu linux-2.6.32.9/arch/x86/Kconfig.cpu
8896--- linux-2.6.32.9/arch/x86/Kconfig.cpu 2010-02-09 07:57:19.000000000 -0500
8897+++ linux-2.6.32.9/arch/x86/Kconfig.cpu 2010-02-23 17:09:53.108051644 -0500
8898@@ -340,7 +340,7 @@ config X86_PPRO_FENCE
8899
8900 config X86_F00F_BUG
8901 def_bool y
8902- depends on M586MMX || M586TSC || M586 || M486 || M386
8903+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
8904
8905 config X86_WP_WORKS_OK
8906 def_bool y
8907@@ -360,7 +360,7 @@ config X86_POPAD_OK
8908
8909 config X86_ALIGNMENT_16
8910 def_bool y
8911- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
8912+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
8913
8914 config X86_INTEL_USERCOPY
8915 def_bool y
8916@@ -406,7 +406,7 @@ config X86_CMPXCHG64
8917 # generates cmov.
8918 config X86_CMOV
8919 def_bool y
8920- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
8921+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
8922
8923 config X86_MINIMUM_CPU_FAMILY
8924 int
8925diff -urNp linux-2.6.32.9/arch/x86/Kconfig.debug linux-2.6.32.9/arch/x86/Kconfig.debug
8926--- linux-2.6.32.9/arch/x86/Kconfig.debug 2010-02-09 07:57:19.000000000 -0500
8927+++ linux-2.6.32.9/arch/x86/Kconfig.debug 2010-02-23 17:09:53.108051644 -0500
8928@@ -99,7 +99,7 @@ config X86_PTDUMP
8929 config DEBUG_RODATA
8930 bool "Write protect kernel read-only data structures"
8931 default y
8932- depends on DEBUG_KERNEL
8933+ depends on DEBUG_KERNEL && BROKEN
8934 ---help---
8935 Mark the kernel read-only data as write-protected in the pagetables,
8936 in order to catch accidental (and incorrect) writes to such const
8937diff -urNp linux-2.6.32.9/arch/x86/kernel/acpi/boot.c linux-2.6.32.9/arch/x86/kernel/acpi/boot.c
8938--- linux-2.6.32.9/arch/x86/kernel/acpi/boot.c 2010-02-09 07:57:19.000000000 -0500
8939+++ linux-2.6.32.9/arch/x86/kernel/acpi/boot.c 2010-02-23 17:09:53.108051644 -0500
8940@@ -1508,7 +1508,7 @@ static struct dmi_system_id __initdata a
8941 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
8942 },
8943 },
8944- {}
8945+ { NULL, NULL, {{0, {0}}}, NULL}
8946 };
8947
8948 /*
8949diff -urNp linux-2.6.32.9/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.9/arch/x86/kernel/acpi/realmode/wakeup.S
8950--- linux-2.6.32.9/arch/x86/kernel/acpi/realmode/wakeup.S 2010-02-09 07:57:19.000000000 -0500
8951+++ linux-2.6.32.9/arch/x86/kernel/acpi/realmode/wakeup.S 2010-02-23 17:09:53.108051644 -0500
8952@@ -104,7 +104,7 @@ _start:
8953 movl %eax, %ecx
8954 orl %edx, %ecx
8955 jz 1f
8956- movl $0xc0000080, %ecx
8957+ mov $MSR_EFER, %ecx
8958 wrmsr
8959 1:
8960
8961diff -urNp linux-2.6.32.9/arch/x86/kernel/acpi/sleep.c linux-2.6.32.9/arch/x86/kernel/acpi/sleep.c
8962--- linux-2.6.32.9/arch/x86/kernel/acpi/sleep.c 2010-02-09 07:57:19.000000000 -0500
8963+++ linux-2.6.32.9/arch/x86/kernel/acpi/sleep.c 2010-02-23 17:09:53.108051644 -0500
8964@@ -11,11 +11,12 @@
8965 #include <linux/cpumask.h>
8966 #include <asm/segment.h>
8967 #include <asm/desc.h>
8968+#include <asm/e820.h>
8969
8970 #include "realmode/wakeup.h"
8971 #include "sleep.h"
8972
8973-unsigned long acpi_wakeup_address;
8974+unsigned long acpi_wakeup_address = 0x2000;
8975 unsigned long acpi_realmode_flags;
8976
8977 /* address in low memory of the wakeup routine. */
8978@@ -99,8 +100,12 @@ int acpi_save_state_mem(void)
8979 header->trampoline_segment = setup_trampoline() >> 4;
8980 #ifdef CONFIG_SMP
8981 stack_start.sp = temp_stack + sizeof(temp_stack);
8982+
8983+ pax_open_kernel();
8984 early_gdt_descr.address =
8985 (unsigned long)get_cpu_gdt_table(smp_processor_id());
8986+ pax_close_kernel();
8987+
8988 initial_gs = per_cpu_offset(smp_processor_id());
8989 #endif
8990 initial_code = (unsigned long)wakeup_long64;
8991@@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
8992 return;
8993 }
8994
8995- acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
8996-
8997- if (!acpi_realmode) {
8998- printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
8999- return;
9000- }
9001-
9002- acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
9003+ reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
9004+ acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
9005 }
9006
9007
9008diff -urNp linux-2.6.32.9/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.9/arch/x86/kernel/acpi/wakeup_32.S
9009--- linux-2.6.32.9/arch/x86/kernel/acpi/wakeup_32.S 2010-02-09 07:57:19.000000000 -0500
9010+++ linux-2.6.32.9/arch/x86/kernel/acpi/wakeup_32.S 2010-02-23 17:09:53.108051644 -0500
9011@@ -30,13 +30,11 @@ wakeup_pmode_return:
9012 # and restore the stack ... but you need gdt for this to work
9013 movl saved_context_esp, %esp
9014
9015- movl %cs:saved_magic, %eax
9016- cmpl $0x12345678, %eax
9017+ cmpl $0x12345678, saved_magic
9018 jne bogus_magic
9019
9020 # jump to place where we left off
9021- movl saved_eip, %eax
9022- jmp *%eax
9023+ jmp *(saved_eip)
9024
9025 bogus_magic:
9026 jmp bogus_magic
9027diff -urNp linux-2.6.32.9/arch/x86/kernel/alternative.c linux-2.6.32.9/arch/x86/kernel/alternative.c
9028--- linux-2.6.32.9/arch/x86/kernel/alternative.c 2010-02-09 07:57:19.000000000 -0500
9029+++ linux-2.6.32.9/arch/x86/kernel/alternative.c 2010-02-23 17:09:53.108051644 -0500
9030@@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
9031
9032 BUG_ON(p->len > MAX_PATCH_LEN);
9033 /* prep the buffer with the original instructions */
9034- memcpy(insnbuf, p->instr, p->len);
9035+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9036 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9037 (unsigned long)p->instr, p->len);
9038
9039@@ -492,12 +492,16 @@ void __init alternative_instructions(voi
9040 * instructions. And on the local CPU you need to be protected again NMI or MCE
9041 * handlers seeing an inconsistent instruction while you patch.
9042 */
9043-static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9044+static void *__kprobes text_poke_early(void *addr, const void *opcode,
9045 size_t len)
9046 {
9047 unsigned long flags;
9048 local_irq_save(flags);
9049- memcpy(addr, opcode, len);
9050+
9051+ pax_open_kernel();
9052+ memcpy(ktla_ktva(addr), opcode, len);
9053+ pax_close_kernel();
9054+
9055 sync_core();
9056 local_irq_restore(flags);
9057 /* Could also do a CLFLUSH here to speed up CPU recovery; but
9058@@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
9059 */
9060 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9061 {
9062- unsigned long flags;
9063- char *vaddr;
9064+ unsigned char *vaddr = ktla_ktva(addr);
9065 struct page *pages[2];
9066- int i;
9067+ size_t i;
9068
9069 if (!core_kernel_text((unsigned long)addr)) {
9070- pages[0] = vmalloc_to_page(addr);
9071- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
9072+ pages[0] = vmalloc_to_page(vaddr);
9073+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
9074 } else {
9075- pages[0] = virt_to_page(addr);
9076+ pages[0] = virt_to_page(vaddr);
9077 WARN_ON(!PageReserved(pages[0]));
9078- pages[1] = virt_to_page(addr + PAGE_SIZE);
9079+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
9080 }
9081 BUG_ON(!pages[0]);
9082- local_irq_save(flags);
9083- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
9084- if (pages[1])
9085- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
9086- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
9087- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
9088- clear_fixmap(FIX_TEXT_POKE0);
9089- if (pages[1])
9090- clear_fixmap(FIX_TEXT_POKE1);
9091- local_flush_tlb();
9092- sync_core();
9093- /* Could also do a CLFLUSH here to speed up CPU recovery; but
9094- that causes hangs on some VIA CPUs. */
9095+ text_poke_early(addr, opcode, len);
9096 for (i = 0; i < len; i++)
9097- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
9098- local_irq_restore(flags);
9099+ BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
9100 return addr;
9101 }
9102diff -urNp linux-2.6.32.9/arch/x86/kernel/amd_iommu.c linux-2.6.32.9/arch/x86/kernel/amd_iommu.c
9103--- linux-2.6.32.9/arch/x86/kernel/amd_iommu.c 2010-02-23 17:04:11.759589893 -0500
9104+++ linux-2.6.32.9/arch/x86/kernel/amd_iommu.c 2010-02-23 17:09:53.108051644 -0500
9105@@ -2074,7 +2074,7 @@ static void prealloc_protection_domains(
9106 }
9107 }
9108
9109-static struct dma_map_ops amd_iommu_dma_ops = {
9110+static const struct dma_map_ops amd_iommu_dma_ops = {
9111 .alloc_coherent = alloc_coherent,
9112 .free_coherent = free_coherent,
9113 .map_page = map_page,
9114diff -urNp linux-2.6.32.9/arch/x86/kernel/apic/io_apic.c linux-2.6.32.9/arch/x86/kernel/apic/io_apic.c
9115--- linux-2.6.32.9/arch/x86/kernel/apic/io_apic.c 2010-02-23 17:04:11.805135472 -0500
9116+++ linux-2.6.32.9/arch/x86/kernel/apic/io_apic.c 2010-02-23 17:09:53.108051644 -0500
9117@@ -711,7 +711,7 @@ struct IO_APIC_route_entry **alloc_ioapi
9118 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
9119 GFP_ATOMIC);
9120 if (!ioapic_entries)
9121- return 0;
9122+ return NULL;
9123
9124 for (apic = 0; apic < nr_ioapics; apic++) {
9125 ioapic_entries[apic] =
9126@@ -728,7 +728,7 @@ nomem:
9127 kfree(ioapic_entries[apic]);
9128 kfree(ioapic_entries);
9129
9130- return 0;
9131+ return NULL;
9132 }
9133
9134 /*
9135@@ -1145,7 +1145,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
9136 }
9137 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
9138
9139-void lock_vector_lock(void)
9140+void lock_vector_lock(void) __acquires(vector_lock)
9141 {
9142 /* Used to the online set of cpus does not change
9143 * during assign_irq_vector.
9144@@ -1153,7 +1153,7 @@ void lock_vector_lock(void)
9145 spin_lock(&vector_lock);
9146 }
9147
9148-void unlock_vector_lock(void)
9149+void unlock_vector_lock(void) __releases(vector_lock)
9150 {
9151 spin_unlock(&vector_lock);
9152 }
9153diff -urNp linux-2.6.32.9/arch/x86/kernel/apm_32.c linux-2.6.32.9/arch/x86/kernel/apm_32.c
9154--- linux-2.6.32.9/arch/x86/kernel/apm_32.c 2010-02-09 07:57:19.000000000 -0500
9155+++ linux-2.6.32.9/arch/x86/kernel/apm_32.c 2010-02-23 17:09:53.108051644 -0500
9156@@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
9157 * This is for buggy BIOS's that refer to (real mode) segment 0x40
9158 * even though they are called in protected mode.
9159 */
9160-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
9161+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
9162 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
9163
9164 static const char driver_version[] = "1.16ac"; /* no spaces */
9165@@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
9166 BUG_ON(cpu != 0);
9167 gdt = get_cpu_gdt_table(cpu);
9168 save_desc_40 = gdt[0x40 / 8];
9169+
9170+ pax_open_kernel();
9171 gdt[0x40 / 8] = bad_bios_desc;
9172+ pax_close_kernel();
9173
9174 apm_irq_save(flags);
9175 APM_DO_SAVE_SEGS;
9176@@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
9177 &call->esi);
9178 APM_DO_RESTORE_SEGS;
9179 apm_irq_restore(flags);
9180+
9181+ pax_open_kernel();
9182 gdt[0x40 / 8] = save_desc_40;
9183+ pax_close_kernel();
9184+
9185 put_cpu();
9186
9187 return call->eax & 0xff;
9188@@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
9189 BUG_ON(cpu != 0);
9190 gdt = get_cpu_gdt_table(cpu);
9191 save_desc_40 = gdt[0x40 / 8];
9192+
9193+ pax_open_kernel();
9194 gdt[0x40 / 8] = bad_bios_desc;
9195+ pax_close_kernel();
9196
9197 apm_irq_save(flags);
9198 APM_DO_SAVE_SEGS;
9199@@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
9200 &call->eax);
9201 APM_DO_RESTORE_SEGS;
9202 apm_irq_restore(flags);
9203+
9204+ pax_open_kernel();
9205 gdt[0x40 / 8] = save_desc_40;
9206+ pax_close_kernel();
9207+
9208 put_cpu();
9209 return error;
9210 }
9211@@ -975,7 +989,7 @@ recalc:
9212
9213 static void apm_power_off(void)
9214 {
9215- unsigned char po_bios_call[] = {
9216+ const unsigned char po_bios_call[] = {
9217 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
9218 0x8e, 0xd0, /* movw ax,ss */
9219 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
9220@@ -1933,7 +1947,10 @@ static const struct file_operations apm_
9221 static struct miscdevice apm_device = {
9222 APM_MINOR_DEV,
9223 "apm_bios",
9224- &apm_bios_fops
9225+ &apm_bios_fops,
9226+ {NULL, NULL},
9227+ NULL,
9228+ NULL
9229 };
9230
9231
9232@@ -2254,7 +2271,7 @@ static struct dmi_system_id __initdata a
9233 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
9234 },
9235
9236- { }
9237+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
9238 };
9239
9240 /*
9241@@ -2357,12 +2374,15 @@ static int __init apm_init(void)
9242 * code to that CPU.
9243 */
9244 gdt = get_cpu_gdt_table(0);
9245+
9246+ pax_open_kernel();
9247 set_desc_base(&gdt[APM_CS >> 3],
9248 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
9249 set_desc_base(&gdt[APM_CS_16 >> 3],
9250 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
9251 set_desc_base(&gdt[APM_DS >> 3],
9252 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
9253+ pax_close_kernel();
9254
9255 proc_create("apm", 0, NULL, &apm_file_ops);
9256
9257diff -urNp linux-2.6.32.9/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.9/arch/x86/kernel/asm-offsets_32.c
9258--- linux-2.6.32.9/arch/x86/kernel/asm-offsets_32.c 2010-02-09 07:57:19.000000000 -0500
9259+++ linux-2.6.32.9/arch/x86/kernel/asm-offsets_32.c 2010-02-23 17:09:53.112027314 -0500
9260@@ -115,6 +115,11 @@ void foo(void)
9261 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
9262 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9263 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9264+
9265+#ifdef CONFIG_PAX_KERNEXEC
9266+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9267+#endif
9268+
9269 #endif
9270
9271 #ifdef CONFIG_XEN
9272diff -urNp linux-2.6.32.9/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.9/arch/x86/kernel/asm-offsets_64.c
9273--- linux-2.6.32.9/arch/x86/kernel/asm-offsets_64.c 2010-02-09 07:57:19.000000000 -0500
9274+++ linux-2.6.32.9/arch/x86/kernel/asm-offsets_64.c 2010-02-23 17:09:53.112027314 -0500
9275@@ -115,6 +115,7 @@ int main(void)
9276 ENTRY(cr8);
9277 BLANK();
9278 #undef ENTRY
9279+ DEFINE(TSS_size, sizeof(struct tss_struct));
9280 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
9281 BLANK();
9282 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
9283diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/common.c linux-2.6.32.9/arch/x86/kernel/cpu/common.c
9284--- linux-2.6.32.9/arch/x86/kernel/cpu/common.c 2010-02-09 07:57:19.000000000 -0500
9285+++ linux-2.6.32.9/arch/x86/kernel/cpu/common.c 2010-02-23 17:09:53.112027314 -0500
9286@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
9287
9288 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
9289
9290-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
9291-#ifdef CONFIG_X86_64
9292- /*
9293- * We need valid kernel segments for data and code in long mode too
9294- * IRET will check the segment types kkeil 2000/10/28
9295- * Also sysret mandates a special GDT layout
9296- *
9297- * TLS descriptors are currently at a different place compared to i386.
9298- * Hopefully nobody expects them at a fixed place (Wine?)
9299- */
9300- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
9301- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
9302- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
9303- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
9304- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
9305- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
9306-#else
9307- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
9308- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9309- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
9310- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
9311- /*
9312- * Segments used for calling PnP BIOS have byte granularity.
9313- * They code segments and data segments have fixed 64k limits,
9314- * the transfer segment sizes are set at run time.
9315- */
9316- /* 32-bit code */
9317- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9318- /* 16-bit code */
9319- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9320- /* 16-bit data */
9321- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
9322- /* 16-bit data */
9323- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
9324- /* 16-bit data */
9325- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
9326- /*
9327- * The APM segments have byte granularity and their bases
9328- * are set at run time. All have 64k limits.
9329- */
9330- /* 32-bit code */
9331- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9332- /* 16-bit code */
9333- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9334- /* data */
9335- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
9336-
9337- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9338- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9339- GDT_STACK_CANARY_INIT
9340-#endif
9341-} };
9342-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
9343-
9344 static int __init x86_xsave_setup(char *s)
9345 {
9346 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
9347@@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
9348 {
9349 struct desc_ptr gdt_descr;
9350
9351- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
9352+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
9353 gdt_descr.size = GDT_SIZE - 1;
9354 load_gdt(&gdt_descr);
9355 /* Reload the per-cpu base */
9356@@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
9357 /* Filter out anything that depends on CPUID levels we don't have */
9358 filter_cpuid_features(c, true);
9359
9360+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
9361+ setup_clear_cpu_cap(X86_FEATURE_SEP);
9362+#endif
9363+
9364 /* If the model name is still unset, do table lookup. */
9365 if (!c->x86_model_id[0]) {
9366 const char *p;
9367@@ -1101,7 +1051,7 @@ void __cpuinit cpu_init(void)
9368 int i;
9369
9370 cpu = stack_smp_processor_id();
9371- t = &per_cpu(init_tss, cpu);
9372+ t = init_tss + cpu;
9373 orig_ist = &per_cpu(orig_ist, cpu);
9374
9375 #ifdef CONFIG_NUMA
9376@@ -1199,7 +1149,7 @@ void __cpuinit cpu_init(void)
9377 {
9378 int cpu = smp_processor_id();
9379 struct task_struct *curr = current;
9380- struct tss_struct *t = &per_cpu(init_tss, cpu);
9381+ struct tss_struct *t = init_tss + cpu;
9382 struct thread_struct *thread = &curr->thread;
9383
9384 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
9385diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
9386--- linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-02-09 07:57:19.000000000 -0500
9387+++ linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-02-23 17:09:53.112027314 -0500
9388@@ -521,7 +521,7 @@ static const struct dmi_system_id sw_any
9389 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
9390 },
9391 },
9392- { }
9393+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
9394 };
9395
9396 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
9397diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
9398--- linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-02-09 07:57:19.000000000 -0500
9399+++ linux-2.6.32.9/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-02-23 17:09:53.112027314 -0500
9400@@ -225,7 +225,7 @@ static struct cpu_model models[] =
9401 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
9402 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
9403
9404- { NULL, }
9405+ { NULL, NULL, 0, NULL}
9406 };
9407 #undef _BANIAS
9408 #undef BANIAS
9409diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/intel.c linux-2.6.32.9/arch/x86/kernel/cpu/intel.c
9410--- linux-2.6.32.9/arch/x86/kernel/cpu/intel.c 2010-02-09 07:57:19.000000000 -0500
9411+++ linux-2.6.32.9/arch/x86/kernel/cpu/intel.c 2010-02-23 17:09:53.112027314 -0500
9412@@ -139,7 +139,7 @@ static void __cpuinit trap_init_f00f_bug
9413 * Update the IDT descriptor and reload the IDT so that
9414 * it uses the read-only mapped virtual address.
9415 */
9416- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
9417+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
9418 load_idt(&idt_descr);
9419 }
9420 #endif
9421diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.9/arch/x86/kernel/cpu/intel_cacheinfo.c
9422--- linux-2.6.32.9/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-02-09 07:57:19.000000000 -0500
9423+++ linux-2.6.32.9/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-02-23 17:09:53.112027314 -0500
9424@@ -863,7 +863,7 @@ static ssize_t store(struct kobject *kob
9425 return ret;
9426 }
9427
9428-static struct sysfs_ops sysfs_ops = {
9429+static const struct sysfs_ops sysfs_ops = {
9430 .show = show,
9431 .store = store,
9432 };
9433diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/Makefile linux-2.6.32.9/arch/x86/kernel/cpu/Makefile
9434--- linux-2.6.32.9/arch/x86/kernel/cpu/Makefile 2010-02-09 07:57:19.000000000 -0500
9435+++ linux-2.6.32.9/arch/x86/kernel/cpu/Makefile 2010-02-23 17:09:53.112027314 -0500
9436@@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
9437 CFLAGS_REMOVE_common.o = -pg
9438 endif
9439
9440-# Make sure load_percpu_segment has no stackprotector
9441-nostackp := $(call cc-option, -fno-stack-protector)
9442-CFLAGS_common.o := $(nostackp)
9443-
9444 obj-y := intel_cacheinfo.o addon_cpuid_features.o
9445 obj-y += proc.o capflags.o powerflags.o common.o
9446 obj-y += vmware.o hypervisor.o sched.o
9447diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce_amd.c
9448--- linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-02-09 07:57:19.000000000 -0500
9449+++ linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-02-23 17:09:53.112027314 -0500
9450@@ -388,7 +388,7 @@ static ssize_t store(struct kobject *kob
9451 return ret;
9452 }
9453
9454-static struct sysfs_ops threshold_ops = {
9455+static const struct sysfs_ops threshold_ops = {
9456 .show = show,
9457 .store = store,
9458 };
9459diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce.c
9460--- linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce.c 2010-02-09 07:57:19.000000000 -0500
9461+++ linux-2.6.32.9/arch/x86/kernel/cpu/mcheck/mce.c 2010-02-23 17:09:53.112027314 -0500
9462@@ -187,7 +187,7 @@ static void print_mce(struct mce *m)
9463 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
9464 m->cs, m->ip);
9465
9466- if (m->cs == __KERNEL_CS)
9467+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
9468 print_symbol("{%s}", m->ip);
9469 pr_cont("\n");
9470 }
9471@@ -1429,14 +1429,14 @@ void __cpuinit mcheck_init(struct cpuinf
9472 */
9473
9474 static DEFINE_SPINLOCK(mce_state_lock);
9475-static int open_count; /* #times opened */
9476+static atomic_t open_count; /* #times opened */
9477 static int open_exclu; /* already open exclusive? */
9478
9479 static int mce_open(struct inode *inode, struct file *file)
9480 {
9481 spin_lock(&mce_state_lock);
9482
9483- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
9484+ if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
9485 spin_unlock(&mce_state_lock);
9486
9487 return -EBUSY;
9488@@ -1444,7 +1444,7 @@ static int mce_open(struct inode *inode,
9489
9490 if (file->f_flags & O_EXCL)
9491 open_exclu = 1;
9492- open_count++;
9493+ atomic_inc(&open_count);
9494
9495 spin_unlock(&mce_state_lock);
9496
9497@@ -1455,7 +1455,7 @@ static int mce_release(struct inode *ino
9498 {
9499 spin_lock(&mce_state_lock);
9500
9501- open_count--;
9502+ atomic_dec(&open_count);
9503 open_exclu = 0;
9504
9505 spin_unlock(&mce_state_lock);
9506@@ -1595,6 +1595,7 @@ static struct miscdevice mce_log_device
9507 MISC_MCELOG_MINOR,
9508 "mcelog",
9509 &mce_chrdev_ops,
9510+ {NULL, NULL}, NULL, NULL
9511 };
9512
9513 /*
9514diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/amd.c
9515--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/amd.c 2010-02-09 07:57:19.000000000 -0500
9516+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/amd.c 2010-02-23 17:09:53.112027314 -0500
9517@@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
9518 return 0;
9519 }
9520
9521-static struct mtrr_ops amd_mtrr_ops = {
9522+static const struct mtrr_ops amd_mtrr_ops = {
9523 .vendor = X86_VENDOR_AMD,
9524 .set = amd_set_mtrr,
9525 .get = amd_get_mtrr,
9526diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/centaur.c
9527--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/centaur.c 2010-02-09 07:57:19.000000000 -0500
9528+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/centaur.c 2010-02-23 17:09:53.112027314 -0500
9529@@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
9530 return 0;
9531 }
9532
9533-static struct mtrr_ops centaur_mtrr_ops = {
9534+static const struct mtrr_ops centaur_mtrr_ops = {
9535 .vendor = X86_VENDOR_CENTAUR,
9536 .set = centaur_set_mcr,
9537 .get = centaur_get_mcr,
9538diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/cyrix.c
9539--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-02-09 07:57:19.000000000 -0500
9540+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-02-23 17:09:53.112027314 -0500
9541@@ -265,7 +265,7 @@ static void cyrix_set_all(void)
9542 post_set();
9543 }
9544
9545-static struct mtrr_ops cyrix_mtrr_ops = {
9546+static const struct mtrr_ops cyrix_mtrr_ops = {
9547 .vendor = X86_VENDOR_CYRIX,
9548 .set_all = cyrix_set_all,
9549 .set = cyrix_set_arr,
9550diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/generic.c
9551--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/generic.c 2010-02-09 07:57:19.000000000 -0500
9552+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/generic.c 2010-02-23 17:09:53.112027314 -0500
9553@@ -29,7 +29,7 @@ static struct fixed_range_block fixed_ra
9554 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
9555 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
9556 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
9557- {}
9558+ { 0, 0 }
9559 };
9560
9561 static unsigned long smp_changes_mask;
9562@@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
9563 /*
9564 * Generic structure...
9565 */
9566-struct mtrr_ops generic_mtrr_ops = {
9567+const struct mtrr_ops generic_mtrr_ops = {
9568 .use_intel_if = 1,
9569 .set_all = generic_set_all,
9570 .get = generic_get_mtrr,
9571diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/main.c
9572--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/main.c 2010-02-09 07:57:19.000000000 -0500
9573+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/main.c 2010-02-23 17:09:53.112027314 -0500
9574@@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
9575 u64 size_or_mask, size_and_mask;
9576 static bool mtrr_aps_delayed_init;
9577
9578-static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
9579+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
9580
9581-struct mtrr_ops *mtrr_if;
9582+const struct mtrr_ops *mtrr_if;
9583
9584 static void set_mtrr(unsigned int reg, unsigned long base,
9585 unsigned long size, mtrr_type type);
9586
9587-void set_mtrr_ops(struct mtrr_ops *ops)
9588+void set_mtrr_ops(const struct mtrr_ops *ops)
9589 {
9590 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
9591 mtrr_ops[ops->vendor] = ops;
9592diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/mtrr.h
9593--- linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-02-09 07:57:19.000000000 -0500
9594+++ linux-2.6.32.9/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-02-23 17:09:53.115579436 -0500
9595@@ -12,19 +12,19 @@
9596 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
9597
9598 struct mtrr_ops {
9599- u32 vendor;
9600- u32 use_intel_if;
9601- void (*set)(unsigned int reg, unsigned long base,
9602+ const u32 vendor;
9603+ const u32 use_intel_if;
9604+ void (* const set)(unsigned int reg, unsigned long base,
9605 unsigned long size, mtrr_type type);
9606- void (*set_all)(void);
9607+ void (* const set_all)(void);
9608
9609- void (*get)(unsigned int reg, unsigned long *base,
9610+ void (* const get)(unsigned int reg, unsigned long *base,
9611 unsigned long *size, mtrr_type *type);
9612- int (*get_free_region)(unsigned long base, unsigned long size,
9613+ int (* const get_free_region)(unsigned long base, unsigned long size,
9614 int replace_reg);
9615- int (*validate_add_page)(unsigned long base, unsigned long size,
9616+ int (* const validate_add_page)(unsigned long base, unsigned long size,
9617 unsigned int type);
9618- int (*have_wrcomb)(void);
9619+ int (* const have_wrcomb)(void);
9620 };
9621
9622 extern int generic_get_free_region(unsigned long base, unsigned long size,
9623@@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
9624 extern int generic_validate_add_page(unsigned long base, unsigned long size,
9625 unsigned int type);
9626
9627-extern struct mtrr_ops generic_mtrr_ops;
9628+extern const struct mtrr_ops generic_mtrr_ops;
9629
9630 extern int positive_have_wrcomb(void);
9631
9632@@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
9633 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
9634 void get_mtrr_state(void);
9635
9636-extern void set_mtrr_ops(struct mtrr_ops *ops);
9637+extern void set_mtrr_ops(const struct mtrr_ops *ops);
9638
9639 extern u64 size_or_mask, size_and_mask;
9640-extern struct mtrr_ops *mtrr_if;
9641+extern const struct mtrr_ops *mtrr_if;
9642
9643 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
9644 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
9645diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.9/arch/x86/kernel/cpu/perfctr-watchdog.c
9646--- linux-2.6.32.9/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-02-09 07:57:19.000000000 -0500
9647+++ linux-2.6.32.9/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-02-23 17:09:53.115579436 -0500
9648@@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
9649
9650 /* Interface defining a CPU specific perfctr watchdog */
9651 struct wd_ops {
9652- int (*reserve)(void);
9653- void (*unreserve)(void);
9654- int (*setup)(unsigned nmi_hz);
9655- void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9656- void (*stop)(void);
9657+ int (* const reserve)(void);
9658+ void (* const unreserve)(void);
9659+ int (* const setup)(unsigned nmi_hz);
9660+ void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9661+ void (* const stop)(void);
9662 unsigned perfctr;
9663 unsigned evntsel;
9664 u64 checkbit;
9665@@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
9666 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
9667 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
9668
9669+/* cannot be const */
9670 static struct wd_ops intel_arch_wd_ops;
9671
9672 static int setup_intel_arch_watchdog(unsigned nmi_hz)
9673@@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
9674 return 1;
9675 }
9676
9677+/* cannot be const */
9678 static struct wd_ops intel_arch_wd_ops __read_mostly = {
9679 .reserve = single_msr_reserve,
9680 .unreserve = single_msr_unreserve,
9681diff -urNp linux-2.6.32.9/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.9/arch/x86/kernel/cpu/perf_event.c
9682--- linux-2.6.32.9/arch/x86/kernel/cpu/perf_event.c 2010-02-09 07:57:19.000000000 -0500
9683+++ linux-2.6.32.9/arch/x86/kernel/cpu/perf_event.c 2010-02-23 17:09:53.115579436 -0500
9684@@ -2252,7 +2252,7 @@ perf_callchain_user(struct pt_regs *regs
9685 break;
9686
9687 callchain_store(entry, frame.return_address);
9688- fp = frame.next_frame;
9689+ fp = (__force const void __user *)frame.next_frame;
9690 }
9691 }
9692
9693diff -urNp linux-2.6.32.9/arch/x86/kernel/crash.c linux-2.6.32.9/arch/x86/kernel/crash.c
9694--- linux-2.6.32.9/arch/x86/kernel/crash.c 2010-02-09 07:57:19.000000000 -0500
9695+++ linux-2.6.32.9/arch/x86/kernel/crash.c 2010-02-23 17:09:53.115579436 -0500
9696@@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
9697 regs = args->regs;
9698
9699 #ifdef CONFIG_X86_32
9700- if (!user_mode_vm(regs)) {
9701+ if (!user_mode(regs)) {
9702 crash_fixup_ss_esp(&fixed_regs, regs);
9703 regs = &fixed_regs;
9704 }
9705diff -urNp linux-2.6.32.9/arch/x86/kernel/doublefault_32.c linux-2.6.32.9/arch/x86/kernel/doublefault_32.c
9706--- linux-2.6.32.9/arch/x86/kernel/doublefault_32.c 2010-02-09 07:57:19.000000000 -0500
9707+++ linux-2.6.32.9/arch/x86/kernel/doublefault_32.c 2010-02-23 17:09:53.115579436 -0500
9708@@ -11,7 +11,7 @@
9709
9710 #define DOUBLEFAULT_STACKSIZE (1024)
9711 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
9712-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
9713+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
9714
9715 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
9716
9717@@ -21,7 +21,7 @@ static void doublefault_fn(void)
9718 unsigned long gdt, tss;
9719
9720 store_gdt(&gdt_desc);
9721- gdt = gdt_desc.address;
9722+ gdt = (unsigned long)gdt_desc.address;
9723
9724 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
9725
9726@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
9727 /* 0x2 bit is always set */
9728 .flags = X86_EFLAGS_SF | 0x2,
9729 .sp = STACK_START,
9730- .es = __USER_DS,
9731+ .es = __KERNEL_DS,
9732 .cs = __KERNEL_CS,
9733 .ss = __KERNEL_DS,
9734- .ds = __USER_DS,
9735+ .ds = __KERNEL_DS,
9736 .fs = __KERNEL_PERCPU,
9737
9738 .__cr3 = __pa_nodebug(swapper_pg_dir),
9739diff -urNp linux-2.6.32.9/arch/x86/kernel/dumpstack_32.c linux-2.6.32.9/arch/x86/kernel/dumpstack_32.c
9740--- linux-2.6.32.9/arch/x86/kernel/dumpstack_32.c 2010-02-09 07:57:19.000000000 -0500
9741+++ linux-2.6.32.9/arch/x86/kernel/dumpstack_32.c 2010-02-23 17:09:53.115579436 -0500
9742@@ -112,11 +112,12 @@ void show_registers(struct pt_regs *regs
9743 * When in-kernel, we also print out the stack and code at the
9744 * time of the fault..
9745 */
9746- if (!user_mode_vm(regs)) {
9747+ if (!user_mode(regs)) {
9748 unsigned int code_prologue = code_bytes * 43 / 64;
9749 unsigned int code_len = code_bytes;
9750 unsigned char c;
9751 u8 *ip;
9752+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
9753
9754 printk(KERN_EMERG "Stack:\n");
9755 show_stack_log_lvl(NULL, regs, &regs->sp,
9756@@ -124,10 +125,10 @@ void show_registers(struct pt_regs *regs
9757
9758 printk(KERN_EMERG "Code: ");
9759
9760- ip = (u8 *)regs->ip - code_prologue;
9761+ ip = (u8 *)regs->ip - code_prologue + cs_base;
9762 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
9763 /* try starting at IP */
9764- ip = (u8 *)regs->ip;
9765+ ip = (u8 *)regs->ip + cs_base;
9766 code_len = code_len - code_prologue + 1;
9767 }
9768 for (i = 0; i < code_len; i++, ip++) {
9769@@ -136,7 +137,7 @@ void show_registers(struct pt_regs *regs
9770 printk(" Bad EIP value.");
9771 break;
9772 }
9773- if (ip == (u8 *)regs->ip)
9774+ if (ip == (u8 *)regs->ip + cs_base)
9775 printk("<%02x> ", c);
9776 else
9777 printk("%02x ", c);
9778@@ -149,6 +150,7 @@ int is_valid_bugaddr(unsigned long ip)
9779 {
9780 unsigned short ud2;
9781
9782+ ip = ktla_ktva(ip);
9783 if (ip < PAGE_OFFSET)
9784 return 0;
9785 if (probe_kernel_address((unsigned short *)ip, ud2))
9786diff -urNp linux-2.6.32.9/arch/x86/kernel/dumpstack.c linux-2.6.32.9/arch/x86/kernel/dumpstack.c
9787--- linux-2.6.32.9/arch/x86/kernel/dumpstack.c 2010-02-09 07:57:19.000000000 -0500
9788+++ linux-2.6.32.9/arch/x86/kernel/dumpstack.c 2010-02-23 17:09:53.115579436 -0500
9789@@ -180,7 +180,7 @@ void dump_stack(void)
9790 #endif
9791
9792 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
9793- current->pid, current->comm, print_tainted(),
9794+ task_pid_nr(current), current->comm, print_tainted(),
9795 init_utsname()->release,
9796 (int)strcspn(init_utsname()->version, " "),
9797 init_utsname()->version);
9798@@ -241,7 +241,7 @@ void __kprobes oops_end(unsigned long fl
9799 panic("Fatal exception in interrupt");
9800 if (panic_on_oops)
9801 panic("Fatal exception");
9802- do_exit(signr);
9803+ do_group_exit(signr);
9804 }
9805
9806 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
9807@@ -295,7 +295,7 @@ void die(const char *str, struct pt_regs
9808 unsigned long flags = oops_begin();
9809 int sig = SIGSEGV;
9810
9811- if (!user_mode_vm(regs))
9812+ if (!user_mode(regs))
9813 report_bug(regs->ip, regs);
9814
9815 if (__die(str, regs, err))
9816diff -urNp linux-2.6.32.9/arch/x86/kernel/e820.c linux-2.6.32.9/arch/x86/kernel/e820.c
9817--- linux-2.6.32.9/arch/x86/kernel/e820.c 2010-02-09 07:57:19.000000000 -0500
9818+++ linux-2.6.32.9/arch/x86/kernel/e820.c 2010-02-23 17:09:53.115579436 -0500
9819@@ -733,7 +733,10 @@ struct early_res {
9820 };
9821 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
9822 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
9823- {}
9824+#ifdef CONFIG_VM86
9825+ { PAGE_SIZE, ISA_START_ADDRESS, "V86 mode memory", 1 },
9826+#endif
9827+ { 0, 0, {0}, 0 }
9828 };
9829
9830 static int __init find_overlapped_early(u64 start, u64 end)
9831diff -urNp linux-2.6.32.9/arch/x86/kernel/efi_32.c linux-2.6.32.9/arch/x86/kernel/efi_32.c
9832--- linux-2.6.32.9/arch/x86/kernel/efi_32.c 2010-02-09 07:57:19.000000000 -0500
9833+++ linux-2.6.32.9/arch/x86/kernel/efi_32.c 2010-02-23 17:09:53.115579436 -0500
9834@@ -38,70 +38,38 @@
9835 */
9836
9837 static unsigned long efi_rt_eflags;
9838-static pgd_t efi_bak_pg_dir_pointer[2];
9839+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
9840
9841-void efi_call_phys_prelog(void)
9842+void __init efi_call_phys_prelog(void)
9843 {
9844- unsigned long cr4;
9845- unsigned long temp;
9846 struct desc_ptr gdt_descr;
9847
9848 local_irq_save(efi_rt_eflags);
9849
9850- /*
9851- * If I don't have PAE, I should just duplicate two entries in page
9852- * directory. If I have PAE, I just need to duplicate one entry in
9853- * page directory.
9854- */
9855- cr4 = read_cr4_safe();
9856
9857- if (cr4 & X86_CR4_PAE) {
9858- efi_bak_pg_dir_pointer[0].pgd =
9859- swapper_pg_dir[pgd_index(0)].pgd;
9860- swapper_pg_dir[0].pgd =
9861- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
9862- } else {
9863- efi_bak_pg_dir_pointer[0].pgd =
9864- swapper_pg_dir[pgd_index(0)].pgd;
9865- efi_bak_pg_dir_pointer[1].pgd =
9866- swapper_pg_dir[pgd_index(0x400000)].pgd;
9867- swapper_pg_dir[pgd_index(0)].pgd =
9868- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
9869- temp = PAGE_OFFSET + 0x400000;
9870- swapper_pg_dir[pgd_index(0x400000)].pgd =
9871- swapper_pg_dir[pgd_index(temp)].pgd;
9872- }
9873+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
9874+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
9875+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
9876
9877 /*
9878 * After the lock is released, the original page table is restored.
9879 */
9880 __flush_tlb_all();
9881
9882- gdt_descr.address = __pa(get_cpu_gdt_table(0));
9883+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
9884 gdt_descr.size = GDT_SIZE - 1;
9885 load_gdt(&gdt_descr);
9886 }
9887
9888-void efi_call_phys_epilog(void)
9889+void __init efi_call_phys_epilog(void)
9890 {
9891- unsigned long cr4;
9892 struct desc_ptr gdt_descr;
9893
9894- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
9895+ gdt_descr.address = get_cpu_gdt_table(0);
9896 gdt_descr.size = GDT_SIZE - 1;
9897 load_gdt(&gdt_descr);
9898
9899- cr4 = read_cr4_safe();
9900-
9901- if (cr4 & X86_CR4_PAE) {
9902- swapper_pg_dir[pgd_index(0)].pgd =
9903- efi_bak_pg_dir_pointer[0].pgd;
9904- } else {
9905- swapper_pg_dir[pgd_index(0)].pgd =
9906- efi_bak_pg_dir_pointer[0].pgd;
9907- swapper_pg_dir[pgd_index(0x400000)].pgd =
9908- efi_bak_pg_dir_pointer[1].pgd;
9909- }
9910+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
9911
9912 /*
9913 * After the lock is released, the original page table is restored.
9914diff -urNp linux-2.6.32.9/arch/x86/kernel/efi_stub_32.S linux-2.6.32.9/arch/x86/kernel/efi_stub_32.S
9915--- linux-2.6.32.9/arch/x86/kernel/efi_stub_32.S 2010-02-09 07:57:19.000000000 -0500
9916+++ linux-2.6.32.9/arch/x86/kernel/efi_stub_32.S 2010-02-23 17:09:53.115579436 -0500
9917@@ -6,6 +6,7 @@
9918 */
9919
9920 #include <linux/linkage.h>
9921+#include <linux/init.h>
9922 #include <asm/page_types.h>
9923
9924 /*
9925@@ -20,7 +21,7 @@
9926 * service functions will comply with gcc calling convention, too.
9927 */
9928
9929-.text
9930+__INIT
9931 ENTRY(efi_call_phys)
9932 /*
9933 * 0. The function can only be called in Linux kernel. So CS has been
9934@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
9935 * The mapping of lower virtual memory has been created in prelog and
9936 * epilog.
9937 */
9938- movl $1f, %edx
9939- subl $__PAGE_OFFSET, %edx
9940- jmp *%edx
9941+ jmp 1f-__PAGE_OFFSET
9942 1:
9943
9944 /*
9945@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
9946 * parameter 2, ..., param n. To make things easy, we save the return
9947 * address of efi_call_phys in a global variable.
9948 */
9949- popl %edx
9950- movl %edx, saved_return_addr
9951- /* get the function pointer into ECX*/
9952- popl %ecx
9953- movl %ecx, efi_rt_function_ptr
9954- movl $2f, %edx
9955- subl $__PAGE_OFFSET, %edx
9956- pushl %edx
9957+ popl (saved_return_addr)
9958+ popl (efi_rt_function_ptr)
9959
9960 /*
9961 * 3. Clear PG bit in %CR0.
9962@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
9963 /*
9964 * 5. Call the physical function.
9965 */
9966- jmp *%ecx
9967+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
9968
9969-2:
9970 /*
9971 * 6. After EFI runtime service returns, control will return to
9972 * following instruction. We'd better readjust stack pointer first.
9973@@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
9974 movl %cr0, %edx
9975 orl $0x80000000, %edx
9976 movl %edx, %cr0
9977- jmp 1f
9978-1:
9979+
9980 /*
9981 * 8. Now restore the virtual mode from flat mode by
9982 * adding EIP with PAGE_OFFSET.
9983 */
9984- movl $1f, %edx
9985- jmp *%edx
9986+ jmp 1f+__PAGE_OFFSET
9987 1:
9988
9989 /*
9990 * 9. Balance the stack. And because EAX contain the return value,
9991 * we'd better not clobber it.
9992 */
9993- leal efi_rt_function_ptr, %edx
9994- movl (%edx), %ecx
9995- pushl %ecx
9996+ pushl (efi_rt_function_ptr)
9997
9998 /*
9999- * 10. Push the saved return address onto the stack and return.
10000+ * 10. Return to the saved return address.
10001 */
10002- leal saved_return_addr, %edx
10003- movl (%edx), %ecx
10004- pushl %ecx
10005- ret
10006+ jmpl *(saved_return_addr)
10007 ENDPROC(efi_call_phys)
10008 .previous
10009
10010-.data
10011+__INITDATA
10012 saved_return_addr:
10013 .long 0
10014 efi_rt_function_ptr:
10015diff -urNp linux-2.6.32.9/arch/x86/kernel/entry_32.S linux-2.6.32.9/arch/x86/kernel/entry_32.S
10016--- linux-2.6.32.9/arch/x86/kernel/entry_32.S 2010-02-09 07:57:19.000000000 -0500
10017+++ linux-2.6.32.9/arch/x86/kernel/entry_32.S 2010-02-23 17:09:53.115579436 -0500
10018@@ -191,7 +191,7 @@
10019
10020 #endif /* CONFIG_X86_32_LAZY_GS */
10021
10022-.macro SAVE_ALL
10023+.macro __SAVE_ALL _DS
10024 cld
10025 PUSH_GS
10026 pushl %fs
10027@@ -224,7 +224,7 @@
10028 pushl %ebx
10029 CFI_ADJUST_CFA_OFFSET 4
10030 CFI_REL_OFFSET ebx, 0
10031- movl $(__USER_DS), %edx
10032+ movl $\_DS, %edx
10033 movl %edx, %ds
10034 movl %edx, %es
10035 movl $(__KERNEL_PERCPU), %edx
10036@@ -232,6 +232,15 @@
10037 SET_KERNEL_GS %edx
10038 .endm
10039
10040+.macro SAVE_ALL
10041+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10042+ __SAVE_ALL __KERNEL_DS
10043+ PAX_ENTER_KERNEL
10044+#else
10045+ __SAVE_ALL __USER_DS
10046+#endif
10047+.endm
10048+
10049 .macro RESTORE_INT_REGS
10050 popl %ebx
10051 CFI_ADJUST_CFA_OFFSET -4
10052@@ -352,7 +361,15 @@ check_userspace:
10053 movb PT_CS(%esp), %al
10054 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10055 cmpl $USER_RPL, %eax
10056+
10057+#ifdef CONFIG_PAX_KERNEXEC
10058+ jae resume_userspace
10059+
10060+ PAX_EXIT_KERNEL
10061+ jmp resume_kernel
10062+#else
10063 jb resume_kernel # not returning to v8086 or userspace
10064+#endif
10065
10066 ENTRY(resume_userspace)
10067 LOCKDEP_SYS_EXIT
10068@@ -414,10 +431,9 @@ sysenter_past_esp:
10069 /*CFI_REL_OFFSET cs, 0*/
10070 /*
10071 * Push current_thread_info()->sysenter_return to the stack.
10072- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10073- * pushed above; +8 corresponds to copy_thread's esp0 setting.
10074 */
10075- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10076+ GET_THREAD_INFO(%ebp)
10077+ pushl TI_sysenter_return(%ebp)
10078 CFI_ADJUST_CFA_OFFSET 4
10079 CFI_REL_OFFSET eip, 0
10080
10081@@ -430,9 +446,19 @@ sysenter_past_esp:
10082 * Load the potential sixth argument from user stack.
10083 * Careful about security.
10084 */
10085+ movl PT_OLDESP(%esp),%ebp
10086+
10087+#ifdef CONFIG_PAX_MEMORY_UDEREF
10088+ mov PT_OLDSS(%esp),%ds
10089+1: movl %ds:(%ebp),%ebp
10090+ push %ss
10091+ pop %ds
10092+#else
10093 cmpl $__PAGE_OFFSET-3,%ebp
10094 jae syscall_fault
10095 1: movl (%ebp),%ebp
10096+#endif
10097+
10098 movl %ebp,PT_EBP(%esp)
10099 .section __ex_table,"a"
10100 .align 4
10101@@ -455,12 +481,23 @@ sysenter_do_call:
10102 testl $_TIF_ALLWORK_MASK, %ecx
10103 jne sysexit_audit
10104 sysenter_exit:
10105+
10106+#ifdef CONFIG_PAX_RANDKSTACK
10107+ pushl %eax
10108+ CFI_ADJUST_CFA_OFFSET 4
10109+ call pax_randomize_kstack
10110+ popl %eax
10111+ CFI_ADJUST_CFA_OFFSET -4
10112+#endif
10113+
10114 /* if something modifies registers it must also disable sysexit */
10115 movl PT_EIP(%esp), %edx
10116 movl PT_OLDESP(%esp), %ecx
10117 xorl %ebp,%ebp
10118 TRACE_IRQS_ON
10119 1: mov PT_FS(%esp), %fs
10120+2: mov PT_DS(%esp), %ds
10121+3: mov PT_ES(%esp), %es
10122 PTGS_TO_GS
10123 ENABLE_INTERRUPTS_SYSEXIT
10124
10125@@ -504,11 +541,17 @@ sysexit_audit:
10126
10127 CFI_ENDPROC
10128 .pushsection .fixup,"ax"
10129-2: movl $0,PT_FS(%esp)
10130+4: movl $0,PT_FS(%esp)
10131+ jmp 1b
10132+5: movl $0,PT_DS(%esp)
10133+ jmp 1b
10134+6: movl $0,PT_ES(%esp)
10135 jmp 1b
10136 .section __ex_table,"a"
10137 .align 4
10138- .long 1b,2b
10139+ .long 1b,4b
10140+ .long 2b,5b
10141+ .long 3b,6b
10142 .popsection
10143 PTGS_TO_GS_EX
10144 ENDPROC(ia32_sysenter_target)
10145@@ -538,6 +581,10 @@ syscall_exit:
10146 testl $_TIF_ALLWORK_MASK, %ecx # current->work
10147 jne syscall_exit_work
10148
10149+#ifdef CONFIG_PAX_RANDKSTACK
10150+ call pax_randomize_kstack
10151+#endif
10152+
10153 restore_all:
10154 TRACE_IRQS_IRET
10155 restore_all_notrace:
10156@@ -602,7 +649,13 @@ ldt_ss:
10157 mov PT_OLDESP(%esp), %eax /* load userspace esp */
10158 mov %dx, %ax /* eax: new kernel esp */
10159 sub %eax, %edx /* offset (low word is 0) */
10160- PER_CPU(gdt_page, %ebx)
10161+#ifdef CONFIG_SMP
10162+ movl PER_CPU_VAR(cpu_number), %ebx
10163+ shll $PAGE_SHIFT_asm, %ebx
10164+ addl $cpu_gdt_table, %ebx
10165+#else
10166+ movl $cpu_gdt_table, %ebx
10167+#endif
10168 shr $16, %edx
10169 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
10170 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
10171@@ -642,25 +695,19 @@ work_resched:
10172
10173 work_notifysig: # deal with pending signals and
10174 # notify-resume requests
10175+ movl %esp, %eax
10176 #ifdef CONFIG_VM86
10177 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
10178- movl %esp, %eax
10179- jne work_notifysig_v86 # returning to kernel-space or
10180+ jz 1f # returning to kernel-space or
10181 # vm86-space
10182- xorl %edx, %edx
10183- call do_notify_resume
10184- jmp resume_userspace_sig
10185
10186- ALIGN
10187-work_notifysig_v86:
10188 pushl %ecx # save ti_flags for do_notify_resume
10189 CFI_ADJUST_CFA_OFFSET 4
10190 call save_v86_state # %eax contains pt_regs pointer
10191 popl %ecx
10192 CFI_ADJUST_CFA_OFFSET -4
10193 movl %eax, %esp
10194-#else
10195- movl %esp, %eax
10196+1:
10197 #endif
10198 xorl %edx, %edx
10199 call do_notify_resume
10200@@ -695,6 +742,10 @@ END(syscall_exit_work)
10201
10202 RING0_INT_FRAME # can't unwind into user space anyway
10203 syscall_fault:
10204+#ifdef CONFIG_PAX_MEMORY_UDEREF
10205+ push %ss
10206+ pop %ds
10207+#endif
10208 GET_THREAD_INFO(%ebp)
10209 movl $-EFAULT,PT_EAX(%esp)
10210 jmp resume_userspace
10211@@ -735,7 +786,13 @@ PTREGSCALL(vm86old)
10212 * normal stack and adjusts ESP with the matching offset.
10213 */
10214 /* fixup the stack */
10215- PER_CPU(gdt_page, %ebx)
10216+#ifdef CONFIG_SMP
10217+ movl PER_CPU_VAR(cpu_number), %ebx
10218+ shll $PAGE_SHIFT_asm, %ebx
10219+ addl $cpu_gdt_table, %ebx
10220+#else
10221+ movl $cpu_gdt_table, %ebx
10222+#endif
10223 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
10224 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
10225 shl $16, %eax
10226@@ -1198,7 +1255,6 @@ return_to_handler:
10227 ret
10228 #endif
10229
10230-.section .rodata,"a"
10231 #include "syscall_table_32.S"
10232
10233 syscall_table_size=(.-sys_call_table)
10234@@ -1250,12 +1306,15 @@ error_code:
10235 movl %ecx, %fs
10236 UNWIND_ESPFIX_STACK
10237 GS_TO_REG %ecx
10238+
10239+ PAX_ENTER_KERNEL
10240+
10241 movl PT_GS(%esp), %edi # get the function address
10242 movl PT_ORIG_EAX(%esp), %edx # get the error code
10243 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
10244 REG_TO_PTGS %ecx
10245 SET_KERNEL_GS %ecx
10246- movl $(__USER_DS), %ecx
10247+ movl $(__KERNEL_DS), %ecx
10248 movl %ecx, %ds
10249 movl %ecx, %es
10250 TRACE_IRQS_OFF
10251@@ -1351,6 +1410,9 @@ nmi_stack_correct:
10252 xorl %edx,%edx # zero error code
10253 movl %esp,%eax # pt_regs pointer
10254 call do_nmi
10255+
10256+ PAX_EXIT_KERNEL
10257+
10258 jmp restore_all_notrace
10259 CFI_ENDPROC
10260
10261@@ -1391,6 +1453,9 @@ nmi_espfix_stack:
10262 FIXUP_ESPFIX_STACK # %eax == %esp
10263 xorl %edx,%edx # zero error code
10264 call do_nmi
10265+
10266+ PAX_EXIT_KERNEL
10267+
10268 RESTORE_REGS
10269 lss 12+4(%esp), %esp # back to espfix stack
10270 CFI_ADJUST_CFA_OFFSET -24
10271diff -urNp linux-2.6.32.9/arch/x86/kernel/entry_64.S linux-2.6.32.9/arch/x86/kernel/entry_64.S
10272--- linux-2.6.32.9/arch/x86/kernel/entry_64.S 2010-02-09 07:57:19.000000000 -0500
10273+++ linux-2.6.32.9/arch/x86/kernel/entry_64.S 2010-02-23 17:09:53.115579436 -0500
10274@@ -1068,7 +1068,12 @@ ENTRY(\sym)
10275 TRACE_IRQS_OFF
10276 movq %rsp,%rdi /* pt_regs pointer */
10277 xorl %esi,%esi /* no error code */
10278- PER_CPU(init_tss, %rbp)
10279+#ifdef CONFIG_SMP
10280+ imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
10281+ lea init_tss(%rbp), %rbp
10282+#else
10283+ lea init_tss(%rip), %rbp
10284+#endif
10285 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
10286 call \do_sym
10287 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
10288diff -urNp linux-2.6.32.9/arch/x86/kernel/ftrace.c linux-2.6.32.9/arch/x86/kernel/ftrace.c
10289--- linux-2.6.32.9/arch/x86/kernel/ftrace.c 2010-02-09 07:57:19.000000000 -0500
10290+++ linux-2.6.32.9/arch/x86/kernel/ftrace.c 2010-02-23 17:09:53.115579436 -0500
10291@@ -149,7 +149,9 @@ void ftrace_nmi_enter(void)
10292 {
10293 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
10294 smp_rmb();
10295+ pax_open_kernel();
10296 ftrace_mod_code();
10297+ pax_close_kernel();
10298 atomic_inc(&nmi_update_count);
10299 }
10300 /* Must have previous changes seen before executions */
10301@@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
10302
10303
10304
10305-static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
10306+static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
10307
10308 static unsigned char *ftrace_nop_replace(void)
10309 {
10310@@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
10311 {
10312 unsigned char replaced[MCOUNT_INSN_SIZE];
10313
10314+ ip = ktla_ktva(ip);
10315+
10316 /*
10317 * Note: Due to modules and __init, code can
10318 * disappear and change, we need to protect against faulting
10319@@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
10320 unsigned char old[MCOUNT_INSN_SIZE], *new;
10321 int ret;
10322
10323- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
10324+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
10325 new = ftrace_call_replace(ip, (unsigned long)func);
10326 ret = ftrace_modify_code(ip, old, new);
10327
10328@@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
10329 switch (faulted) {
10330 case 0:
10331 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
10332- memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
10333+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
10334 break;
10335 case 1:
10336 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
10337- memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
10338+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
10339 break;
10340 case 2:
10341 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
10342- memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
10343+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
10344 break;
10345 }
10346
10347@@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
10348 {
10349 unsigned char code[MCOUNT_INSN_SIZE];
10350
10351+ ip = ktla_ktva(ip);
10352+
10353 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
10354 return -EFAULT;
10355
10356diff -urNp linux-2.6.32.9/arch/x86/kernel/head32.c linux-2.6.32.9/arch/x86/kernel/head32.c
10357--- linux-2.6.32.9/arch/x86/kernel/head32.c 2010-02-09 07:57:19.000000000 -0500
10358+++ linux-2.6.32.9/arch/x86/kernel/head32.c 2010-02-23 17:09:53.115579436 -0500
10359@@ -16,6 +16,7 @@
10360 #include <asm/apic.h>
10361 #include <asm/io_apic.h>
10362 #include <asm/bios_ebda.h>
10363+#include <asm/boot.h>
10364
10365 static void __init i386_default_early_setup(void)
10366 {
10367@@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
10368 {
10369 reserve_trampoline_memory();
10370
10371- reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10372+ reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10373
10374 #ifdef CONFIG_BLK_DEV_INITRD
10375 /* Reserve INITRD */
10376diff -urNp linux-2.6.32.9/arch/x86/kernel/head_32.S linux-2.6.32.9/arch/x86/kernel/head_32.S
10377--- linux-2.6.32.9/arch/x86/kernel/head_32.S 2010-02-09 07:57:19.000000000 -0500
10378+++ linux-2.6.32.9/arch/x86/kernel/head_32.S 2010-02-23 17:09:53.115579436 -0500
10379@@ -19,10 +19,17 @@
10380 #include <asm/setup.h>
10381 #include <asm/processor-flags.h>
10382 #include <asm/percpu.h>
10383+#include <asm/msr-index.h>
10384
10385 /* Physical address */
10386 #define pa(X) ((X) - __PAGE_OFFSET)
10387
10388+#ifdef CONFIG_PAX_KERNEXEC
10389+#define ta(X) (X)
10390+#else
10391+#define ta(X) ((X) - __PAGE_OFFSET)
10392+#endif
10393+
10394 /*
10395 * References to members of the new_cpu_data structure.
10396 */
10397@@ -52,11 +59,7 @@
10398 * and small than max_low_pfn, otherwise will waste some page table entries
10399 */
10400
10401-#if PTRS_PER_PMD > 1
10402-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
10403-#else
10404-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
10405-#endif
10406+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
10407
10408 /* Enough space to fit pagetables for the low memory linear map */
10409 MAPPING_BEYOND_END = \
10410@@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
10411 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10412
10413 /*
10414+ * Real beginning of normal "text" segment
10415+ */
10416+ENTRY(stext)
10417+ENTRY(_stext)
10418+
10419+/*
10420 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
10421 * %esi points to the real-mode code as a 32-bit pointer.
10422 * CS and DS must be 4 GB flat segments, but we don't depend on
10423@@ -80,6 +89,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10424 * can.
10425 */
10426 __HEAD
10427+
10428+#ifdef CONFIG_PAX_KERNEXEC
10429+ jmp startup_32
10430+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
10431+.fill PAGE_SIZE-5,1,0xcc
10432+#endif
10433+
10434 ENTRY(startup_32)
10435 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
10436 us to not reload segments */
10437@@ -97,6 +113,55 @@ ENTRY(startup_32)
10438 movl %eax,%gs
10439 2:
10440
10441+#ifdef CONFIG_SMP
10442+ movl $pa(cpu_gdt_table),%edi
10443+ movl $__per_cpu_load,%eax
10444+ movw %ax,__KERNEL_PERCPU + 2(%edi)
10445+ rorl $16,%eax
10446+ movb %al,__KERNEL_PERCPU + 4(%edi)
10447+ movb %ah,__KERNEL_PERCPU + 7(%edi)
10448+ movl $__per_cpu_end - 1,%eax
10449+ subl $__per_cpu_start,%eax
10450+ movw %ax,__KERNEL_PERCPU + 0(%edi)
10451+#endif
10452+
10453+#ifdef CONFIG_PAX_MEMORY_UDEREF
10454+ movl $NR_CPUS,%ecx
10455+ movl $pa(cpu_gdt_table),%edi
10456+1:
10457+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
10458+ addl $PAGE_SIZE_asm,%edi
10459+ loop 1b
10460+#endif
10461+
10462+#ifdef CONFIG_PAX_KERNEXEC
10463+ movl $pa(boot_gdt),%edi
10464+ movl $__LOAD_PHYSICAL_ADDR,%eax
10465+ movw %ax,__BOOT_CS + 2(%edi)
10466+ rorl $16,%eax
10467+ movb %al,__BOOT_CS + 4(%edi)
10468+ movb %ah,__BOOT_CS + 7(%edi)
10469+ rorl $16,%eax
10470+
10471+ ljmp $(__BOOT_CS),$1f
10472+1:
10473+
10474+ movl $NR_CPUS,%ecx
10475+ movl $pa(cpu_gdt_table),%edi
10476+ addl $__PAGE_OFFSET,%eax
10477+1:
10478+ movw %ax,__KERNEL_CS + 2(%edi)
10479+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
10480+ rorl $16,%eax
10481+ movb %al,__KERNEL_CS + 4(%edi)
10482+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
10483+ movb %ah,__KERNEL_CS + 7(%edi)
10484+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
10485+ rorl $16,%eax
10486+ addl $PAGE_SIZE_asm,%edi
10487+ loop 1b
10488+#endif
10489+
10490 /*
10491 * Clear BSS first so that there are no surprises...
10492 */
10493@@ -140,9 +205,7 @@ ENTRY(startup_32)
10494 cmpl $num_subarch_entries, %eax
10495 jae bad_subarch
10496
10497- movl pa(subarch_entries)(,%eax,4), %eax
10498- subl $__PAGE_OFFSET, %eax
10499- jmp *%eax
10500+ jmp *pa(subarch_entries)(,%eax,4)
10501
10502 bad_subarch:
10503 WEAK(lguest_entry)
10504@@ -154,10 +217,10 @@ WEAK(xen_entry)
10505 __INITDATA
10506
10507 subarch_entries:
10508- .long default_entry /* normal x86/PC */
10509- .long lguest_entry /* lguest hypervisor */
10510- .long xen_entry /* Xen hypervisor */
10511- .long default_entry /* Moorestown MID */
10512+ .long ta(default_entry) /* normal x86/PC */
10513+ .long ta(lguest_entry) /* lguest hypervisor */
10514+ .long ta(xen_entry) /* Xen hypervisor */
10515+ .long ta(default_entry) /* Moorestown MID */
10516 num_subarch_entries = (. - subarch_entries) / 4
10517 .previous
10518 #endif /* CONFIG_PARAVIRT */
10519@@ -218,8 +281,11 @@ default_entry:
10520 movl %eax, pa(max_pfn_mapped)
10521
10522 /* Do early initialization of the fixmap area */
10523- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10524- movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10525+#ifdef CONFIG_COMPAT_VDSO
10526+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10527+#else
10528+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10529+#endif
10530 #else /* Not PAE */
10531
10532 page_pde_offset = (__PAGE_OFFSET >> 20);
10533@@ -249,8 +315,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
10534 movl %eax, pa(max_pfn_mapped)
10535
10536 /* Do early initialization of the fixmap area */
10537- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10538- movl %eax,pa(swapper_pg_dir+0xffc)
10539+#ifdef CONFIG_COMPAT_VDSO
10540+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
10541+#else
10542+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
10543+#endif
10544 #endif
10545 jmp 3f
10546 /*
10547@@ -297,6 +366,7 @@ ENTRY(startup_32_smp)
10548 orl %edx,%eax
10549 movl %eax,%cr4
10550
10551+#ifdef CONFIG_X86_PAE
10552 btl $5, %eax # check if PAE is enabled
10553 jnc 6f
10554
10555@@ -312,13 +382,17 @@ ENTRY(startup_32_smp)
10556 jnc 6f
10557
10558 /* Setup EFER (Extended Feature Enable Register) */
10559- movl $0xc0000080, %ecx
10560+ movl $MSR_EFER, %ecx
10561 rdmsr
10562
10563 btsl $11, %eax
10564 /* Make changes effective */
10565 wrmsr
10566
10567+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
10568+ movl $1,pa(nx_enabled)
10569+#endif
10570+
10571 6:
10572
10573 /*
10574@@ -344,9 +418,7 @@ ENTRY(startup_32_smp)
10575
10576 #ifdef CONFIG_SMP
10577 cmpb $0, ready
10578- jz 1f /* Initial CPU cleans BSS */
10579- jmp checkCPUtype
10580-1:
10581+ jnz checkCPUtype /* Initial CPU cleans BSS */
10582 #endif /* CONFIG_SMP */
10583
10584 /*
10585@@ -424,7 +496,7 @@ is386: movl $2,%ecx # set MP
10586 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
10587 movl %eax,%ss # after changing gdt.
10588
10589- movl $(__USER_DS),%eax # DS/ES contains default USER segment
10590+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
10591 movl %eax,%ds
10592 movl %eax,%es
10593
10594@@ -438,8 +510,11 @@ is386: movl $2,%ecx # set MP
10595 */
10596 cmpb $0,ready
10597 jne 1f
10598- movl $per_cpu__gdt_page,%eax
10599+ movl $cpu_gdt_table,%eax
10600 movl $per_cpu__stack_canary,%ecx
10601+#ifdef CONFIG_SMP
10602+ addl $__per_cpu_load,%ecx
10603+#endif
10604 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
10605 shrl $16, %ecx
10606 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
10607@@ -457,10 +532,6 @@ is386: movl $2,%ecx # set MP
10608 #ifdef CONFIG_SMP
10609 movb ready, %cl
10610 movb $1, ready
10611- cmpb $0,%cl # the first CPU calls start_kernel
10612- je 1f
10613- movl (stack_start), %esp
10614-1:
10615 #endif /* CONFIG_SMP */
10616 jmp *(initial_code)
10617
10618@@ -546,22 +617,22 @@ early_page_fault:
10619 jmp early_fault
10620
10621 early_fault:
10622- cld
10623 #ifdef CONFIG_PRINTK
10624+ cmpl $1,%ss:early_recursion_flag
10625+ je hlt_loop
10626+ incl %ss:early_recursion_flag
10627+ cld
10628 pusha
10629 movl $(__KERNEL_DS),%eax
10630 movl %eax,%ds
10631 movl %eax,%es
10632- cmpl $2,early_recursion_flag
10633- je hlt_loop
10634- incl early_recursion_flag
10635 movl %cr2,%eax
10636 pushl %eax
10637 pushl %edx /* trapno */
10638 pushl $fault_msg
10639 call printk
10640+; call dump_stack
10641 #endif
10642- call dump_stack
10643 hlt_loop:
10644 hlt
10645 jmp hlt_loop
10646@@ -569,8 +640,11 @@ hlt_loop:
10647 /* This is the default interrupt "handler" :-) */
10648 ALIGN
10649 ignore_int:
10650- cld
10651 #ifdef CONFIG_PRINTK
10652+ cmpl $2,%ss:early_recursion_flag
10653+ je hlt_loop
10654+ incl %ss:early_recursion_flag
10655+ cld
10656 pushl %eax
10657 pushl %ecx
10658 pushl %edx
10659@@ -579,9 +653,6 @@ ignore_int:
10660 movl $(__KERNEL_DS),%eax
10661 movl %eax,%ds
10662 movl %eax,%es
10663- cmpl $2,early_recursion_flag
10664- je hlt_loop
10665- incl early_recursion_flag
10666 pushl 16(%esp)
10667 pushl 24(%esp)
10668 pushl 32(%esp)
10669@@ -608,27 +679,37 @@ ENTRY(initial_code)
10670 /*
10671 * BSS section
10672 */
10673-__PAGE_ALIGNED_BSS
10674- .align PAGE_SIZE_asm
10675 #ifdef CONFIG_X86_PAE
10676+.section .swapper_pg_pmd,"a",@progbits
10677 swapper_pg_pmd:
10678 .fill 1024*KPMDS,4,0
10679 #else
10680+.section .swapper_pg_dir,"a",@progbits
10681 ENTRY(swapper_pg_dir)
10682 .fill 1024,4,0
10683 #endif
10684+
10685 swapper_pg_fixmap:
10686 .fill 1024,4,0
10687+
10688+.section .empty_zero_page,"a",@progbits
10689 ENTRY(empty_zero_page)
10690 .fill 4096,1,0
10691
10692 /*
10693+ * The IDT has to be page-aligned to simplify the Pentium
10694+ * F0 0F bug workaround.. We have a special link segment
10695+ * for this.
10696+ */
10697+.section .idt,"a",@progbits
10698+ENTRY(idt_table)
10699+ .fill 256,8,0
10700+
10701+/*
10702 * This starts the data section.
10703 */
10704 #ifdef CONFIG_X86_PAE
10705-__PAGE_ALIGNED_DATA
10706- /* Page-aligned for the benefit of paravirt? */
10707- .align PAGE_SIZE_asm
10708+.section .swapper_pg_dir,"a",@progbits
10709 ENTRY(swapper_pg_dir)
10710 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
10711 # if KPMDS == 3
10712@@ -651,11 +732,12 @@ ENTRY(swapper_pg_dir)
10713
10714 .data
10715 ENTRY(stack_start)
10716- .long init_thread_union+THREAD_SIZE
10717+ .long init_thread_union+THREAD_SIZE-8
10718 .long __BOOT_DS
10719
10720 ready: .byte 0
10721
10722+.section .rodata,"a",@progbits
10723 early_recursion_flag:
10724 .long 0
10725
10726@@ -691,7 +773,7 @@ fault_msg:
10727 .word 0 # 32 bit align gdt_desc.address
10728 boot_gdt_descr:
10729 .word __BOOT_DS+7
10730- .long boot_gdt - __PAGE_OFFSET
10731+ .long pa(boot_gdt)
10732
10733 .word 0 # 32-bit align idt_desc.address
10734 idt_descr:
10735@@ -702,7 +784,7 @@ idt_descr:
10736 .word 0 # 32 bit align gdt_desc.address
10737 ENTRY(early_gdt_descr)
10738 .word GDT_ENTRIES*8-1
10739- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
10740+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
10741
10742 /*
10743 * The boot_gdt must mirror the equivalent in setup.S and is
10744@@ -711,5 +793,65 @@ ENTRY(early_gdt_descr)
10745 .align L1_CACHE_BYTES
10746 ENTRY(boot_gdt)
10747 .fill GDT_ENTRY_BOOT_CS,8,0
10748- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
10749- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
10750+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
10751+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
10752+
10753+ .align PAGE_SIZE_asm
10754+ENTRY(cpu_gdt_table)
10755+ .rept NR_CPUS
10756+ .quad 0x0000000000000000 /* NULL descriptor */
10757+ .quad 0x0000000000000000 /* 0x0b reserved */
10758+ .quad 0x0000000000000000 /* 0x13 reserved */
10759+ .quad 0x0000000000000000 /* 0x1b reserved */
10760+
10761+#ifdef CONFIG_PAX_KERNEXEC
10762+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
10763+#else
10764+ .quad 0x0000000000000000 /* 0x20 unused */
10765+#endif
10766+
10767+ .quad 0x0000000000000000 /* 0x28 unused */
10768+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
10769+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
10770+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
10771+ .quad 0x0000000000000000 /* 0x4b reserved */
10772+ .quad 0x0000000000000000 /* 0x53 reserved */
10773+ .quad 0x0000000000000000 /* 0x5b reserved */
10774+
10775+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
10776+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
10777+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
10778+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
10779+
10780+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
10781+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
10782+
10783+ /*
10784+ * Segments used for calling PnP BIOS have byte granularity.
10785+ * The code segments and data segments have fixed 64k limits,
10786+ * the transfer segment sizes are set at run time.
10787+ */
10788+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
10789+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
10790+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
10791+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
10792+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
10793+
10794+ /*
10795+ * The APM segments have byte granularity and their bases
10796+ * are set at run time. All have 64k limits.
10797+ */
10798+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
10799+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
10800+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
10801+
10802+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
10803+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
10804+ .quad 0x0040930000000018 /* 0xe0 - STACK_CANARY */
10805+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
10806+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
10807+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
10808+
10809+ /* Be sure this is zeroed to avoid false validations in Xen */
10810+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
10811+ .endr
10812diff -urNp linux-2.6.32.9/arch/x86/kernel/head_64.S linux-2.6.32.9/arch/x86/kernel/head_64.S
10813--- linux-2.6.32.9/arch/x86/kernel/head_64.S 2010-02-09 07:57:19.000000000 -0500
10814+++ linux-2.6.32.9/arch/x86/kernel/head_64.S 2010-02-23 17:09:53.115579436 -0500
10815@@ -38,6 +38,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
10816 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
10817 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
10818 L3_START_KERNEL = pud_index(__START_KERNEL_map)
10819+L4_VMALLOC_START = pgd_index(VMALLOC_START)
10820+L3_VMALLOC_START = pud_index(VMALLOC_START)
10821+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
10822+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
10823
10824 .text
10825 __HEAD
10826@@ -85,35 +89,22 @@ startup_64:
10827 */
10828 addq %rbp, init_level4_pgt + 0(%rip)
10829 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
10830+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
10831+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
10832 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
10833
10834 addq %rbp, level3_ident_pgt + 0(%rip)
10835+#ifndef CONFIG_XEN
10836+ addq %rbp, level3_ident_pgt + 8(%rip)
10837+#endif
10838
10839- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
10840- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
10841+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
10842
10843- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
10844+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
10845+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
10846
10847- /* Add an Identity mapping if I am above 1G */
10848- leaq _text(%rip), %rdi
10849- andq $PMD_PAGE_MASK, %rdi
10850-
10851- movq %rdi, %rax
10852- shrq $PUD_SHIFT, %rax
10853- andq $(PTRS_PER_PUD - 1), %rax
10854- jz ident_complete
10855-
10856- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
10857- leaq level3_ident_pgt(%rip), %rbx
10858- movq %rdx, 0(%rbx, %rax, 8)
10859-
10860- movq %rdi, %rax
10861- shrq $PMD_SHIFT, %rax
10862- andq $(PTRS_PER_PMD - 1), %rax
10863- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
10864- leaq level2_spare_pgt(%rip), %rbx
10865- movq %rdx, 0(%rbx, %rax, 8)
10866-ident_complete:
10867+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
10868+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
10869
10870 /*
10871 * Fixup the kernel text+data virtual addresses. Note that
10872@@ -187,6 +178,10 @@ ENTRY(secondary_startup_64)
10873 btl $20,%edi /* No Execute supported? */
10874 jnc 1f
10875 btsl $_EFER_NX, %eax
10876+ leaq init_level4_pgt(%rip), %rdi
10877+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
10878+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
10879+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
10880 1: wrmsr /* Make changes effective */
10881
10882 /* Setup cr0 */
10883@@ -262,16 +257,16 @@ ENTRY(secondary_startup_64)
10884 .quad x86_64_start_kernel
10885 ENTRY(initial_gs)
10886 .quad INIT_PER_CPU_VAR(irq_stack_union)
10887- __FINITDATA
10888
10889 ENTRY(stack_start)
10890 .quad init_thread_union+THREAD_SIZE-8
10891 .word 0
10892+ __FINITDATA
10893
10894 bad_address:
10895 jmp bad_address
10896
10897- .section ".init.text","ax"
10898+ __INIT
10899 #ifdef CONFIG_EARLY_PRINTK
10900 .globl early_idt_handlers
10901 early_idt_handlers:
10902@@ -316,18 +311,23 @@ ENTRY(early_idt_handler)
10903 #endif /* EARLY_PRINTK */
10904 1: hlt
10905 jmp 1b
10906+ .previous
10907
10908 #ifdef CONFIG_EARLY_PRINTK
10909+ __INITDATA
10910 early_recursion_flag:
10911 .long 0
10912+ .previous
10913
10914+ .section .rodata,"a",@progbits
10915 early_idt_msg:
10916 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
10917 early_idt_ripmsg:
10918 .asciz "RIP %s\n"
10919-#endif /* CONFIG_EARLY_PRINTK */
10920 .previous
10921+#endif /* CONFIG_EARLY_PRINTK */
10922
10923+ .section .rodata,"a",@progbits
10924 #define NEXT_PAGE(name) \
10925 .balign PAGE_SIZE; \
10926 ENTRY(name)
10927@@ -350,13 +350,29 @@ NEXT_PAGE(init_level4_pgt)
10928 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
10929 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
10930 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
10931+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
10932+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
10933+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
10934+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
10935 .org init_level4_pgt + L4_START_KERNEL*8, 0
10936 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
10937 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
10938
10939 NEXT_PAGE(level3_ident_pgt)
10940 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
10941+#ifdef CONFIG_XEN
10942 .fill 511,8,0
10943+#else
10944+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
10945+ .fill 510,8,0
10946+#endif
10947+
10948+NEXT_PAGE(level3_vmalloc_pgt)
10949+ .fill 512,8,0
10950+
10951+NEXT_PAGE(level3_vmemmap_pgt)
10952+ .fill L3_VMEMMAP_START,8,0
10953+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
10954
10955 NEXT_PAGE(level3_kernel_pgt)
10956 .fill L3_START_KERNEL,8,0
10957@@ -364,20 +380,23 @@ NEXT_PAGE(level3_kernel_pgt)
10958 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
10959 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
10960
10961+NEXT_PAGE(level2_vmemmap_pgt)
10962+ .fill 512,8,0
10963+
10964 NEXT_PAGE(level2_fixmap_pgt)
10965- .fill 506,8,0
10966- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
10967- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
10968- .fill 5,8,0
10969+ .fill 507,8,0
10970+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
10971+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
10972+ .fill 4,8,0
10973
10974-NEXT_PAGE(level1_fixmap_pgt)
10975+NEXT_PAGE(level1_vsyscall_pgt)
10976 .fill 512,8,0
10977
10978-NEXT_PAGE(level2_ident_pgt)
10979- /* Since I easily can, map the first 1G.
10980+ /* Since I easily can, map the first 2G.
10981 * Don't set NX because code runs from these pages.
10982 */
10983- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
10984+NEXT_PAGE(level2_ident_pgt)
10985+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
10986
10987 NEXT_PAGE(level2_kernel_pgt)
10988 /*
10989@@ -390,33 +409,49 @@ NEXT_PAGE(level2_kernel_pgt)
10990 * If you want to increase this then increase MODULES_VADDR
10991 * too.)
10992 */
10993- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
10994- KERNEL_IMAGE_SIZE/PMD_SIZE)
10995-
10996-NEXT_PAGE(level2_spare_pgt)
10997- .fill 512, 8, 0
10998+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
10999
11000 #undef PMDS
11001 #undef NEXT_PAGE
11002
11003- .data
11004+ .align PAGE_SIZE
11005+ENTRY(cpu_gdt_table)
11006+ .rept NR_CPUS
11007+ .quad 0x0000000000000000 /* NULL descriptor */
11008+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
11009+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
11010+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
11011+ .quad 0x00cffb000000ffff /* __USER32_CS */
11012+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
11013+ .quad 0x00affb000000ffff /* __USER_CS */
11014+ .quad 0x0 /* unused */
11015+ .quad 0,0 /* TSS */
11016+ .quad 0,0 /* LDT */
11017+ .quad 0,0,0 /* three TLS descriptors */
11018+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
11019+ /* asm/segment.h:GDT_ENTRIES must match this */
11020+
11021+ /* zero the remaining page */
11022+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
11023+ .endr
11024+
11025 .align 16
11026 .globl early_gdt_descr
11027 early_gdt_descr:
11028 .word GDT_ENTRIES*8-1
11029 early_gdt_descr_base:
11030- .quad INIT_PER_CPU_VAR(gdt_page)
11031+ .quad cpu_gdt_table
11032
11033 ENTRY(phys_base)
11034 /* This must match the first entry in level2_kernel_pgt */
11035 .quad 0x0000000000000000
11036
11037 #include "../../x86/xen/xen-head.S"
11038-
11039- .section .bss, "aw", @nobits
11040+
11041+ .section .rodata,"a",@progbits
11042 .align L1_CACHE_BYTES
11043 ENTRY(idt_table)
11044- .skip IDT_ENTRIES * 16
11045+ .fill 512,8,0
11046
11047 __PAGE_ALIGNED_BSS
11048 .align PAGE_SIZE
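Review bot: `.fill 512,8,0` replaces the symbolic `.skip IDT_ENTRIES * 16` with a bare count, so the size of `idt_table` no longer follows `IDT_ENTRIES` if that constant changes. Keeping the symbol, for example `.fill IDT_ENTRIES * 16,1,0`, preserves the intent while still emitting initialised data for the new `.rodata` placement. The same hunk depends on the comment `asm/segment.h:GDT_ENTRIES must match this` to keep the `cpu_gdt_table` entries and the `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` padding in step, and that coupling is only checked by eye.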
11049diff -urNp linux-2.6.32.9/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.9/arch/x86/kernel/i386_ksyms_32.c
11050--- linux-2.6.32.9/arch/x86/kernel/i386_ksyms_32.c 2010-02-09 07:57:19.000000000 -0500
11051+++ linux-2.6.32.9/arch/x86/kernel/i386_ksyms_32.c 2010-02-23 17:09:53.115579436 -0500
11052@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
11053 EXPORT_SYMBOL(cmpxchg8b_emu);
11054 #endif
11055
11056+EXPORT_SYMBOL_GPL(cpu_gdt_table);
11057+
11058 /* Networking helper routines. */
11059 EXPORT_SYMBOL(csum_partial_copy_generic);
11060+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
11061+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
11062
11063 EXPORT_SYMBOL(__get_user_1);
11064 EXPORT_SYMBOL(__get_user_2);
11065@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
11066
11067 EXPORT_SYMBOL(csum_partial);
11068 EXPORT_SYMBOL(empty_zero_page);
11069+
11070+#ifdef CONFIG_PAX_KERNEXEC
11071+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
11072+#endif
11073diff -urNp linux-2.6.32.9/arch/x86/kernel/init_task.c linux-2.6.32.9/arch/x86/kernel/init_task.c
11074--- linux-2.6.32.9/arch/x86/kernel/init_task.c 2010-02-09 07:57:19.000000000 -0500
11075+++ linux-2.6.32.9/arch/x86/kernel/init_task.c 2010-02-23 17:09:53.115579436 -0500
11076@@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
11077 * section. Since TSS's are completely CPU-local, we want them
11078 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
11079 */
11080-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
11081-
11082+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
11083+EXPORT_SYMBOL(init_tss);
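Review bot: The comment above still promises that each TSS sits on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns only the start of the array. Per-element alignment now depends on `struct tss_struct` itself carrying an alignment attribute, which is not visible here, so this should be confirmed and the comment updated to say where the guarantee comes from. `EXPORT_SYMBOL(init_tss)` also makes every CPU's TSS reachable from any loadable module; consider `EXPORT_SYMBOL_GPL`, as used for `cpu_gdt_table` in i386_ksyms_32.c, or no export at all if no module needs it.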
11084diff -urNp linux-2.6.32.9/arch/x86/kernel/ioport.c linux-2.6.32.9/arch/x86/kernel/ioport.c
11085--- linux-2.6.32.9/arch/x86/kernel/ioport.c 2010-02-09 07:57:19.000000000 -0500
11086+++ linux-2.6.32.9/arch/x86/kernel/ioport.c 2010-02-23 17:09:53.120037276 -0500
11087@@ -6,6 +6,7 @@
11088 #include <linux/sched.h>
11089 #include <linux/kernel.h>
11090 #include <linux/capability.h>
11091+#include <linux/security.h>
11092 #include <linux/errno.h>
11093 #include <linux/types.h>
11094 #include <linux/ioport.h>
11095@@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
11096
11097 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
11098 return -EINVAL;
11099+#ifdef CONFIG_GRKERNSEC_IO
11100+ if (turn_on) {
11101+ gr_handle_ioperm();
11102+ return -EPERM;
11103+ }
11104+#endif
11105 if (turn_on && !capable(CAP_SYS_RAWIO))
11106 return -EPERM;
11107
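Review bot: With `CONFIG_GRKERNSEC_IO` set, the added block returns `-EPERM` for every `turn_on` request, which leaves the following `if (turn_on && !capable(CAP_SYS_RAWIO))` unreachable in that configuration. The `do_iopl` hunk later in this file expresses the same policy with `#ifdef … #else … #endif`; using that shape here would make it clear that the capability check is replaced rather than supplemented. A comment such as `/* GRKERNSEC_IO: refuse port access even to CAP_SYS_RAWIO holders */` would record that the denial is unconditional. The body of `sys_ioperm` continues outside the hunk.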
11108@@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
11109 * because the ->io_bitmap_max value must match the bitmap
11110 * contents:
11111 */
11112- tss = &per_cpu(init_tss, get_cpu());
11113+ tss = init_tss + get_cpu();
11114
11115 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
11116
11117@@ -111,8 +118,13 @@ static int do_iopl(unsigned int level, s
11118 return -EINVAL;
11119 /* Trying to gain more privileges? */
11120 if (level > old) {
11121+#ifdef CONFIG_GRKERNSEC_IO
11122+ gr_handle_iopl();
11123+ return -EPERM;
11124+#else
11125 if (!capable(CAP_SYS_RAWIO))
11126 return -EPERM;
11127+#endif
11128 }
11129 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
11130
11131diff -urNp linux-2.6.32.9/arch/x86/kernel/irq_32.c linux-2.6.32.9/arch/x86/kernel/irq_32.c
11132--- linux-2.6.32.9/arch/x86/kernel/irq_32.c 2010-02-09 07:57:19.000000000 -0500
11133+++ linux-2.6.32.9/arch/x86/kernel/irq_32.c 2010-02-23 17:09:53.120037276 -0500
11134@@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
11135 return 0;
11136
11137 /* build the stack frame on the IRQ stack */
11138- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11139+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11140 irqctx->tinfo.task = curctx->tinfo.task;
11141 irqctx->tinfo.previous_esp = current_stack_pointer;
11142
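Review bot: The `- 8` subtracted from the top of the IRQ stack is a bare constant with no explanation, and the same adjustment appears in the `do_softirq` hunk below and in `stack_start` in head_32.S. A named constant, or a short comment stating why the top eight bytes are left unused, would keep the three sites from drifting apart. Both functions start and end outside their hunks.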
11143@@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
11144 irqctx->tinfo.previous_esp = current_stack_pointer;
11145
11146 /* build the stack frame on the softirq stack */
11147- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11148+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11149
11150 call_on_stack(__do_softirq, isp);
11151 /*
11152diff -urNp linux-2.6.32.9/arch/x86/kernel/kgdb.c linux-2.6.32.9/arch/x86/kernel/kgdb.c
11153--- linux-2.6.32.9/arch/x86/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
11154+++ linux-2.6.32.9/arch/x86/kernel/kgdb.c 2010-02-23 17:09:53.120037276 -0500
11155@@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
11156 return instruction_pointer(regs);
11157 }
11158
11159-struct kgdb_arch arch_kgdb_ops = {
11160+const struct kgdb_arch arch_kgdb_ops = {
11161 /* Breakpoint instruction: */
11162 .gdb_bpt_instr = { 0xcc },
11163 .flags = KGDB_HW_BREAKPOINT,
11164diff -urNp linux-2.6.32.9/arch/x86/kernel/kprobes.c linux-2.6.32.9/arch/x86/kernel/kprobes.c
11165--- linux-2.6.32.9/arch/x86/kernel/kprobes.c 2010-02-09 07:57:19.000000000 -0500
11166+++ linux-2.6.32.9/arch/x86/kernel/kprobes.c 2010-02-23 17:09:53.120037276 -0500
11167@@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
11168 char op;
11169 s32 raddr;
11170 } __attribute__((packed)) * jop;
11171- jop = (struct __arch_jmp_op *)from;
11172+
11173+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
11174+
11175+ pax_open_kernel();
11176 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
11177 jop->op = RELATIVEJUMP_INSTRUCTION;
11178+ pax_close_kernel();
11179 }
11180
11181 /*
11182@@ -345,16 +349,18 @@ static void __kprobes fix_riprel(struct
11183
11184 static void __kprobes arch_copy_kprobe(struct kprobe *p)
11185 {
11186- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11187+ pax_open_kernel();
11188+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11189+ pax_close_kernel();
11190
11191 fix_riprel(p);
11192
11193- if (can_boost(p->addr))
11194+ if (can_boost(ktla_ktva(p->addr)))
11195 p->ainsn.boostable = 0;
11196 else
11197 p->ainsn.boostable = -1;
11198
11199- p->opcode = *p->addr;
11200+ p->opcode = *(ktla_ktva(p->addr));
11201 }
11202
11203 int __kprobes arch_prepare_kprobe(struct kprobe *p)
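Review bot: `ktla_ktva(p->addr)` is evaluated three times in `arch_copy_kprobe`, for the `memcpy` source, for `can_boost` and for the opcode read. A local such as `kprobe_opcode_t *src = ktla_ktva(p->addr);` would make it obvious that all three use the same alias. It would also help to comment that the `pax_open_kernel()`/`pax_close_kernel()` pair is presumably there for the write into `p->ainsn.insn`, since the source of the copy is only read.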
11204@@ -432,7 +438,7 @@ static void __kprobes prepare_singlestep
11205 if (p->opcode == BREAKPOINT_INSTRUCTION)
11206 regs->ip = (unsigned long)p->addr;
11207 else
11208- regs->ip = (unsigned long)p->ainsn.insn;
11209+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11210 }
11211
11212 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
11213@@ -453,7 +459,7 @@ static void __kprobes setup_singlestep(s
11214 if (p->ainsn.boostable == 1 && !p->post_handler) {
11215 /* Boost up -- we can execute copied instructions directly */
11216 reset_current_kprobe();
11217- regs->ip = (unsigned long)p->ainsn.insn;
11218+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11219 preempt_enable_no_resched();
11220 return;
11221 }
11222@@ -523,7 +529,7 @@ static int __kprobes kprobe_handler(stru
11223 struct kprobe_ctlblk *kcb;
11224
11225 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
11226- if (*addr != BREAKPOINT_INSTRUCTION) {
11227+ if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
11228 /*
11229 * The breakpoint instruction was removed right
11230 * after we hit it. Another cpu has removed
11231@@ -775,7 +781,7 @@ static void __kprobes resume_execution(s
11232 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
11233 {
11234 unsigned long *tos = stack_addr(regs);
11235- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
11236+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
11237 unsigned long orig_ip = (unsigned long)p->addr;
11238 kprobe_opcode_t *insn = p->ainsn.insn;
11239
11240@@ -958,7 +964,7 @@ int __kprobes kprobe_exceptions_notify(s
11241 struct die_args *args = data;
11242 int ret = NOTIFY_DONE;
11243
11244- if (args->regs && user_mode_vm(args->regs))
11245+ if (args->regs && user_mode(args->regs))
11246 return ret;
11247
11248 switch (val) {
11249diff -urNp linux-2.6.32.9/arch/x86/kernel/ldt.c linux-2.6.32.9/arch/x86/kernel/ldt.c
11250--- linux-2.6.32.9/arch/x86/kernel/ldt.c 2010-02-09 07:57:19.000000000 -0500
11251+++ linux-2.6.32.9/arch/x86/kernel/ldt.c 2010-02-23 17:09:53.120037276 -0500
11252@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
11253 if (reload) {
11254 #ifdef CONFIG_SMP
11255 preempt_disable();
11256- load_LDT(pc);
11257+ load_LDT_nolock(pc);
11258 if (!cpumask_equal(mm_cpumask(current->mm),
11259 cpumask_of(smp_processor_id())))
11260 smp_call_function(flush_ldt, current->mm, 1);
11261 preempt_enable();
11262 #else
11263- load_LDT(pc);
11264+ load_LDT_nolock(pc);
11265 #endif
11266 }
11267 if (oldsize) {
11268@@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
11269 return err;
11270
11271 for (i = 0; i < old->size; i++)
11272- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
11273+ write_ldt_entry(new->ldt, i, old->ldt + i);
11274 return 0;
11275 }
11276
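Review bot: `old->ldt + i` is equivalent to the removed `old->ldt + i * LDT_ENTRY_SIZE` only if the `ldt` member has been retyped from a byte-granular pointer to a descriptor pointer, and that change is not part of this hunk. If the member were still `void *`, each iteration would advance by one byte instead of one entry, so the type change and this line must land together. A one-line comment naming the dependency, e.g. `/* ldt is a descriptor pointer: + i steps one entry */`, would make that explicit.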
11277@@ -115,6 +115,24 @@ int init_new_context(struct task_struct
11278 retval = copy_ldt(&mm->context, &old_mm->context);
11279 mutex_unlock(&old_mm->context.lock);
11280 }
11281+
11282+ if (tsk == current) {
11283+ mm->context.vdso = ~0UL;
11284+
11285+#ifdef CONFIG_X86_32
11286+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
11287+ mm->context.user_cs_base = 0UL;
11288+ mm->context.user_cs_limit = ~0UL;
11289+
11290+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
11291+ cpus_clear(mm->context.cpu_user_cs_mask);
11292+#endif
11293+
11294+#endif
11295+#endif
11296+
11297+ }
11298+
11299 return retval;
11300 }
11301
11302@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
11303 }
11304 }
11305
11306+#ifdef CONFIG_PAX_SEGMEXEC
11307+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
11308+ error = -EINVAL;
11309+ goto out_unlock;
11310+ }
11311+#endif
11312+
11313 fill_ldt(&ldt, &ldt_info);
11314 if (oldmode)
11315 ldt.avl = 0;
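Review bot: The new SEGMEXEC check rejects code descriptors with `-EINVAL` but carries no comment explaining why a task with `MF_PAX_SEGMEXEC` must not install its own code segments. The `init_new_context` hunk above sets `user_cs_base` and `user_cs_limit`, which suggests the feature depends on a kernel-controlled code segment; a comment along the lines of `/* SEGMEXEC: user-defined code segments would sidestep the enforced CS limit */`, confirmed by the author, would document the intent. The enclosing `write_ldt` starts and ends outside the hunk.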
11316diff -urNp linux-2.6.32.9/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.9/arch/x86/kernel/machine_kexec_32.c
11317--- linux-2.6.32.9/arch/x86/kernel/machine_kexec_32.c 2010-02-09 07:57:19.000000000 -0500
11318+++ linux-2.6.32.9/arch/x86/kernel/machine_kexec_32.c 2010-02-23 17:09:53.120037276 -0500
11319@@ -26,7 +26,7 @@
11320 #include <asm/system.h>
11321 #include <asm/cacheflush.h>
11322
11323-static void set_idt(void *newidt, __u16 limit)
11324+static void set_idt(struct desc_struct *newidt, __u16 limit)
11325 {
11326 struct desc_ptr curidt;
11327
11328@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
11329 }
11330
11331
11332-static void set_gdt(void *newgdt, __u16 limit)
11333+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
11334 {
11335 struct desc_ptr curgdt;
11336
11337@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
11338 }
11339
11340 control_page = page_address(image->control_code_page);
11341- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
11342+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
11343
11344 relocate_kernel_ptr = control_page;
11345 page_list[PA_CONTROL_PAGE] = __pa(control_page);
11346diff -urNp linux-2.6.32.9/arch/x86/kernel/microcode_amd.c linux-2.6.32.9/arch/x86/kernel/microcode_amd.c
11347--- linux-2.6.32.9/arch/x86/kernel/microcode_amd.c 2010-02-09 07:57:19.000000000 -0500
11348+++ linux-2.6.32.9/arch/x86/kernel/microcode_amd.c 2010-02-23 17:09:53.120037276 -0500
11349@@ -346,7 +346,7 @@ static void microcode_fini_cpu_amd(int c
11350 uci->mc = NULL;
11351 }
11352
11353-static struct microcode_ops microcode_amd_ops = {
11354+static const struct microcode_ops microcode_amd_ops = {
11355 .request_microcode_user = request_microcode_user,
11356 .request_microcode_fw = request_microcode_fw,
11357 .collect_cpu_info = collect_cpu_info_amd,
11358@@ -354,7 +354,7 @@ static struct microcode_ops microcode_am
11359 .microcode_fini_cpu = microcode_fini_cpu_amd,
11360 };
11361
11362-struct microcode_ops * __init init_amd_microcode(void)
11363+const struct microcode_ops * __init init_amd_microcode(void)
11364 {
11365 return &microcode_amd_ops;
11366 }
11367diff -urNp linux-2.6.32.9/arch/x86/kernel/microcode_core.c linux-2.6.32.9/arch/x86/kernel/microcode_core.c
11368--- linux-2.6.32.9/arch/x86/kernel/microcode_core.c 2010-02-09 07:57:19.000000000 -0500
11369+++ linux-2.6.32.9/arch/x86/kernel/microcode_core.c 2010-02-23 17:09:53.120037276 -0500
11370@@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
11371
11372 #define MICROCODE_VERSION "2.00"
11373
11374-static struct microcode_ops *microcode_ops;
11375+static const struct microcode_ops *microcode_ops;
11376
11377 /*
11378 * Synchronization.
11379diff -urNp linux-2.6.32.9/arch/x86/kernel/microcode_intel.c linux-2.6.32.9/arch/x86/kernel/microcode_intel.c
11380--- linux-2.6.32.9/arch/x86/kernel/microcode_intel.c 2010-02-09 07:57:19.000000000 -0500
11381+++ linux-2.6.32.9/arch/x86/kernel/microcode_intel.c 2010-02-23 17:09:53.120037276 -0500
11382@@ -443,13 +443,13 @@ static enum ucode_state request_microcod
11383
11384 static int get_ucode_user(void *to, const void *from, size_t n)
11385 {
11386- return copy_from_user(to, from, n);
11387+ return copy_from_user(to, (__force const void __user *)from, n);
11388 }
11389
11390 static enum ucode_state
11391 request_microcode_user(int cpu, const void __user *buf, size_t size)
11392 {
11393- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
11394+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
11395 }
11396
11397 static void microcode_fini_cpu(int cpu)
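Review bot: The two `__force` casts silence the address-space checker rather than resolve the mismatch. `request_microcode_user` strips `__user` from `buf` and `get_ucode_user` adds it back on `from`, so nothing verifies statically that the user pointer is only ever handed to the user-copy callback. If `generic_load_microcode` (outside this hunk) cannot be given a signature that carries the annotation, add a comment at both casts naming the pairing, e.g. `/* buf is a user pointer; only get_ucode_user may dereference it */`.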
11398@@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
11399 uci->mc = NULL;
11400 }
11401
11402-static struct microcode_ops microcode_intel_ops = {
11403+static const struct microcode_ops microcode_intel_ops = {
11404 .request_microcode_user = request_microcode_user,
11405 .request_microcode_fw = request_microcode_fw,
11406 .collect_cpu_info = collect_cpu_info,
11407@@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
11408 .microcode_fini_cpu = microcode_fini_cpu,
11409 };
11410
11411-struct microcode_ops * __init init_intel_microcode(void)
11412+const struct microcode_ops * __init init_intel_microcode(void)
11413 {
11414 return &microcode_intel_ops;
11415 }
11416diff -urNp linux-2.6.32.9/arch/x86/kernel/module.c linux-2.6.32.9/arch/x86/kernel/module.c
11417--- linux-2.6.32.9/arch/x86/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
11418+++ linux-2.6.32.9/arch/x86/kernel/module.c 2010-02-23 17:09:53.120037276 -0500
11419@@ -34,7 +34,7 @@
11420 #define DEBUGP(fmt...)
11421 #endif
11422
11423-void *module_alloc(unsigned long size)
11424+static void *__module_alloc(unsigned long size, pgprot_t prot)
11425 {
11426 struct vm_struct *area;
11427
11428@@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
11429 if (!area)
11430 return NULL;
11431
11432- return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
11433- PAGE_KERNEL_EXEC);
11434+ return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
11435+}
11436+
11437+void *module_alloc(unsigned long size)
11438+{
11439+
11440+#ifdef CONFIG_PAX_KERNEXEC
11441+ return __module_alloc(size, PAGE_KERNEL);
11442+#else
11443+ return __module_alloc(size, PAGE_KERNEL_EXEC);
11444+#endif
11445+
11446 }
11447
11448 /* Free memory returned from module_alloc */
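Review bot: The switch to zeroed allocations is undocumented: `__GFP_ZERO` is added to the `__vmalloc_area` call in `__module_alloc` for every configuration, not only under `CONFIG_PAX_KERNEXEC`. A short comment such as `/* zero module memory so no stale kernel data is left in it */` (reason to be confirmed by the author) would record the behaviour change. The empty lines inside the new `module_alloc` body around the `#ifdef` can be dropped. `__module_alloc` starts outside this hunk.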
11449@@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
11450 vfree(module_region);
11451 }
11452
11453+#ifdef CONFIG_PAX_KERNEXEC
11454+#ifdef CONFIG_X86_32
11455+void *module_alloc_exec(unsigned long size)
11456+{
11457+ struct vm_struct *area;
11458+
11459+ if (size == 0)
11460+ return NULL;
11461+
11462+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
11463+ return area ? area->addr : NULL;
11464+}
11465+EXPORT_SYMBOL(module_alloc_exec);
11466+
11467+void module_free_exec(struct module *mod, void *module_region)
11468+{
11469+ vunmap(module_region);
11470+}
11471+EXPORT_SYMBOL(module_free_exec);
11472+#else
11473+void module_free_exec(struct module *mod, void *module_region)
11474+{
11475+ module_free(mod, module_region);
11476+}
11477+EXPORT_SYMBOL(module_free_exec);
11478+
11479+void *module_alloc_exec(unsigned long size)
11480+{
11481+ return __module_alloc(size, PAGE_KERNEL_RX);
11482+}
11483+EXPORT_SYMBOL(module_alloc_exec);
11484+#endif
11485+#endif
11486+
11487 /* We don't need anything special. */
11488 int module_frob_arch_sections(Elf_Ehdr *hdr,
11489 Elf_Shdr *sechdrs,
11490@@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11491 unsigned int i;
11492 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
11493 Elf32_Sym *sym;
11494- uint32_t *location;
11495+ uint32_t *plocation, location;
11496
11497 DEBUGP("Applying relocate section %u to %u\n", relsec,
11498 sechdrs[relsec].sh_info);
11499 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
11500 /* This is where to make the change */
11501- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
11502- + rel[i].r_offset;
11503+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
11504+ location = (uint32_t)plocation;
11505+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
11506+ plocation = ktla_ktva((void *)plocation);
11507 /* This is the symbol it is referring to. Note that all
11508 undefined symbols have been resolved. */
11509 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
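Review bot: The names `location` and `plocation` do not convey their new roles: `location` is now an integer holding the address the relocated word is taken to have, while `plocation` is the pointer actually written through and may be the `ktla_ktva` alias. A comment at the declaration, e.g. `/* plocation: where we store; location: address used for PC-relative math */`, would stop someone from later simplifying `R_386_PC32` in the next hunk back to `(uint32_t)plocation`. The next hunk also opens and closes the kernel write window once per relocation and for every section type; whether that is needed for non-executable sections is not visible here.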
11510@@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11511 switch (ELF32_R_TYPE(rel[i].r_info)) {
11512 case R_386_32:
11513 /* We add the value into the location given */
11514- *location += sym->st_value;
11515+ pax_open_kernel();
11516+ *plocation += sym->st_value;
11517+ pax_close_kernel();
11518 break;
11519 case R_386_PC32:
11520 /* Add the value, subtract its postition */
11521- *location += sym->st_value - (uint32_t)location;
11522+ pax_open_kernel();
11523+ *plocation += sym->st_value - location;
11524+ pax_close_kernel();
11525 break;
11526 default:
11527 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
11528@@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
11529 case R_X86_64_NONE:
11530 break;
11531 case R_X86_64_64:
11532+ pax_open_kernel();
11533 *(u64 *)loc = val;
11534+ pax_close_kernel();
11535 break;
11536 case R_X86_64_32:
11537+ pax_open_kernel();
11538 *(u32 *)loc = val;
11539+ pax_close_kernel();
11540 if (val != *(u32 *)loc)
11541 goto overflow;
11542 break;
11543 case R_X86_64_32S:
11544+ pax_open_kernel();
11545 *(s32 *)loc = val;
11546+ pax_close_kernel();
11547 if ((s64)val != *(s32 *)loc)
11548 goto overflow;
11549 break;
11550 case R_X86_64_PC32:
11551 val -= (u64)loc;
11552+ pax_open_kernel();
11553 *(u32 *)loc = val;
11554+ pax_close_kernel();
11555+
11556 #if 0
11557 if ((s64)val != *(s32 *)loc)
11558 goto overflow;
11559diff -urNp linux-2.6.32.9/arch/x86/kernel/paravirt.c linux-2.6.32.9/arch/x86/kernel/paravirt.c
11560--- linux-2.6.32.9/arch/x86/kernel/paravirt.c 2010-02-09 07:57:19.000000000 -0500
11561+++ linux-2.6.32.9/arch/x86/kernel/paravirt.c 2010-02-23 17:09:53.120037276 -0500
11562@@ -120,9 +120,9 @@ unsigned paravirt_patch_jmp(void *insnbu
11563
11564 /* Neat trick to map patch type back to the call within the
11565 * corresponding structure. */
11566-static void *get_call_destination(u8 type)
11567+static const void *get_call_destination(u8 type)
11568 {
11569- struct paravirt_patch_template tmpl = {
11570+ const struct paravirt_patch_template tmpl = {
11571 .pv_init_ops = pv_init_ops,
11572 .pv_time_ops = pv_time_ops,
11573 .pv_cpu_ops = pv_cpu_ops,
11574@@ -133,13 +133,13 @@ static void *get_call_destination(u8 typ
11575 .pv_lock_ops = pv_lock_ops,
11576 #endif
11577 };
11578- return *((void **)&tmpl + type);
11579+ return *((const void **)&tmpl + type);
11580 }
11581
11582 unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
11583 unsigned long addr, unsigned len)
11584 {
11585- void *opfunc = get_call_destination(type);
11586+ const void *opfunc = get_call_destination(type);
11587 unsigned ret;
11588
11589 if (opfunc == NULL)
11590@@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
11591 if (insn_len > len || start == NULL)
11592 insn_len = len;
11593 else
11594- memcpy(insnbuf, start, insn_len);
11595+ memcpy(insnbuf, ktla_ktva(start), insn_len);
11596
11597 return insn_len;
11598 }
11599@@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
11600 preempt_enable();
11601 }
11602
11603-struct pv_info pv_info = {
11604+struct pv_info pv_info __read_only = {
11605 .name = "bare hardware",
11606 .paravirt_enabled = 0,
11607 .kernel_rpl = 0,
11608 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
11609 };
11610
11611-struct pv_init_ops pv_init_ops = {
11612+struct pv_init_ops pv_init_ops __read_only = {
11613 .patch = native_patch,
11614 };
11615
11616-struct pv_time_ops pv_time_ops = {
11617+struct pv_time_ops pv_time_ops __read_only = {
11618 .sched_clock = native_sched_clock,
11619 };
11620
11621-struct pv_irq_ops pv_irq_ops = {
11622+struct pv_irq_ops pv_irq_ops __read_only = {
11623 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
11624 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
11625 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
11626@@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
11627 #endif
11628 };
11629
11630-struct pv_cpu_ops pv_cpu_ops = {
11631+struct pv_cpu_ops pv_cpu_ops __read_only = {
11632 .cpuid = native_cpuid,
11633 .get_debugreg = native_get_debugreg,
11634 .set_debugreg = native_set_debugreg,
11635@@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
11636 .end_context_switch = paravirt_nop,
11637 };
11638
11639-struct pv_apic_ops pv_apic_ops = {
11640+struct pv_apic_ops pv_apic_ops __read_only = {
11641 #ifdef CONFIG_X86_LOCAL_APIC
11642 .startup_ipi_hook = paravirt_nop,
11643 #endif
11644@@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
11645 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
11646 #endif
11647
11648-struct pv_mmu_ops pv_mmu_ops = {
11649+struct pv_mmu_ops pv_mmu_ops __read_only = {
11650
11651 .read_cr2 = native_read_cr2,
11652 .write_cr2 = native_write_cr2,
11653@@ -467,6 +467,12 @@ struct pv_mmu_ops pv_mmu_ops = {
11654 },
11655
11656 .set_fixmap = native_set_fixmap,
11657+
11658+#ifdef CONFIG_PAX_KERNEXEC
11659+ .pax_open_kernel = native_pax_open_kernel,
11660+ .pax_close_kernel = native_pax_close_kernel,
11661+#endif
11662+
11663 };
11664
11665 EXPORT_SYMBOL_GPL(pv_time_ops);
11666diff -urNp linux-2.6.32.9/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.9/arch/x86/kernel/paravirt-spinlocks.c
11667--- linux-2.6.32.9/arch/x86/kernel/paravirt-spinlocks.c 2010-02-09 07:57:19.000000000 -0500
11668+++ linux-2.6.32.9/arch/x86/kernel/paravirt-spinlocks.c 2010-02-23 17:09:53.120037276 -0500
11669@@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
11670 __raw_spin_lock(lock);
11671 }
11672
11673-struct pv_lock_ops pv_lock_ops = {
11674+struct pv_lock_ops pv_lock_ops __read_only = {
11675 #ifdef CONFIG_SMP
11676 .spin_is_locked = __ticket_spin_is_locked,
11677 .spin_is_contended = __ticket_spin_is_contended,
11678diff -urNp linux-2.6.32.9/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.9/arch/x86/kernel/pci-calgary_64.c
11679--- linux-2.6.32.9/arch/x86/kernel/pci-calgary_64.c 2010-02-09 07:57:19.000000000 -0500
11680+++ linux-2.6.32.9/arch/x86/kernel/pci-calgary_64.c 2010-02-23 17:09:53.120037276 -0500
11681@@ -472,7 +472,7 @@ static void calgary_free_coherent(struct
11682 free_pages((unsigned long)vaddr, get_order(size));
11683 }
11684
11685-static struct dma_map_ops calgary_dma_ops = {
11686+static const struct dma_map_ops calgary_dma_ops = {
11687 .alloc_coherent = calgary_alloc_coherent,
11688 .free_coherent = calgary_free_coherent,
11689 .map_sg = calgary_map_sg,
11690diff -urNp linux-2.6.32.9/arch/x86/kernel/pci-dma.c linux-2.6.32.9/arch/x86/kernel/pci-dma.c
11691--- linux-2.6.32.9/arch/x86/kernel/pci-dma.c 2010-02-09 07:57:19.000000000 -0500
11692+++ linux-2.6.32.9/arch/x86/kernel/pci-dma.c 2010-02-23 17:09:53.120037276 -0500
11693@@ -14,7 +14,7 @@
11694
11695 static int forbid_dac __read_mostly;
11696
11697-struct dma_map_ops *dma_ops;
11698+const struct dma_map_ops *dma_ops;
11699 EXPORT_SYMBOL(dma_ops);
11700
11701 static int iommu_sac_force __read_mostly;
11702@@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
11703
11704 int dma_supported(struct device *dev, u64 mask)
11705 {
11706- struct dma_map_ops *ops = get_dma_ops(dev);
11707+ const struct dma_map_ops *ops = get_dma_ops(dev);
11708
11709 #ifdef CONFIG_PCI
11710 if (mask > 0xffffffff && forbid_dac > 0) {
11711diff -urNp linux-2.6.32.9/arch/x86/kernel/pci-gart_64.c linux-2.6.32.9/arch/x86/kernel/pci-gart_64.c
11712--- linux-2.6.32.9/arch/x86/kernel/pci-gart_64.c 2010-02-09 07:57:19.000000000 -0500
11713+++ linux-2.6.32.9/arch/x86/kernel/pci-gart_64.c 2010-02-23 17:09:53.120037276 -0500
11714@@ -679,7 +679,7 @@ static __init int init_k8_gatt(struct ag
11715 return -1;
11716 }
11717
11718-static struct dma_map_ops gart_dma_ops = {
11719+static const struct dma_map_ops gart_dma_ops = {
11720 .map_sg = gart_map_sg,
11721 .unmap_sg = gart_unmap_sg,
11722 .map_page = gart_map_page,
11723diff -urNp linux-2.6.32.9/arch/x86/kernel/pci-nommu.c linux-2.6.32.9/arch/x86/kernel/pci-nommu.c
11724--- linux-2.6.32.9/arch/x86/kernel/pci-nommu.c 2010-02-09 07:57:19.000000000 -0500
11725+++ linux-2.6.32.9/arch/x86/kernel/pci-nommu.c 2010-02-23 17:09:53.120037276 -0500
11726@@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
11727 flush_write_buffers();
11728 }
11729
11730-struct dma_map_ops nommu_dma_ops = {
11731+const struct dma_map_ops nommu_dma_ops = {
11732 .alloc_coherent = dma_generic_alloc_coherent,
11733 .free_coherent = nommu_free_coherent,
11734 .map_sg = nommu_map_sg,
11735diff -urNp linux-2.6.32.9/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.9/arch/x86/kernel/pci-swiotlb.c
11736--- linux-2.6.32.9/arch/x86/kernel/pci-swiotlb.c 2010-02-09 07:57:19.000000000 -0500
11737+++ linux-2.6.32.9/arch/x86/kernel/pci-swiotlb.c 2010-02-23 17:09:53.120037276 -0500
11738@@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
11739 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
11740 }
11741
11742-static struct dma_map_ops swiotlb_dma_ops = {
11743+static const struct dma_map_ops swiotlb_dma_ops = {
11744 .mapping_error = swiotlb_dma_mapping_error,
11745 .alloc_coherent = x86_swiotlb_alloc_coherent,
11746 .free_coherent = swiotlb_free_coherent,
11747diff -urNp linux-2.6.32.9/arch/x86/kernel/process_32.c linux-2.6.32.9/arch/x86/kernel/process_32.c
11748--- linux-2.6.32.9/arch/x86/kernel/process_32.c 2010-02-09 07:57:19.000000000 -0500
11749+++ linux-2.6.32.9/arch/x86/kernel/process_32.c 2010-02-23 17:09:53.120037276 -0500
11750@@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
11751 unsigned long thread_saved_pc(struct task_struct *tsk)
11752 {
11753 return ((unsigned long *)tsk->thread.sp)[3];
11754+//XXX return tsk->thread.eip;
11755 }
11756
11757 #ifndef CONFIG_SMP
11758@@ -129,7 +130,7 @@ void __show_regs(struct pt_regs *regs, i
11759 unsigned short ss, gs;
11760 const char *board;
11761
11762- if (user_mode_vm(regs)) {
11763+ if (user_mode(regs)) {
11764 sp = regs->sp;
11765 ss = regs->ss & 0xffff;
11766 gs = get_user_gs(regs);
11767@@ -210,8 +211,8 @@ int kernel_thread(int (*fn)(void *), voi
11768 regs.bx = (unsigned long) fn;
11769 regs.dx = (unsigned long) arg;
11770
11771- regs.ds = __USER_DS;
11772- regs.es = __USER_DS;
11773+ regs.ds = __KERNEL_DS;
11774+ regs.es = __KERNEL_DS;
11775 regs.fs = __KERNEL_PERCPU;
11776 regs.gs = __KERNEL_STACK_CANARY;
11777 regs.orig_ax = -1;
11778@@ -247,7 +248,7 @@ int copy_thread(unsigned long clone_flag
11779 struct task_struct *tsk;
11780 int err;
11781
11782- childregs = task_pt_regs(p);
11783+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
11784 *childregs = *regs;
11785 childregs->ax = 0;
11786 childregs->sp = sp;
11787@@ -276,6 +277,7 @@ int copy_thread(unsigned long clone_flag
11788 * Set a new TLS for the child thread?
11789 */
11790 if (clone_flags & CLONE_SETTLS)
11791+//XXX needs set_fs()?
11792 err = do_set_thread_area(p, -1,
11793 (struct user_desc __user *)childregs->si, 0);
11794
11795@@ -346,7 +348,7 @@ __switch_to(struct task_struct *prev_p,
11796 struct thread_struct *prev = &prev_p->thread,
11797 *next = &next_p->thread;
11798 int cpu = smp_processor_id();
11799- struct tss_struct *tss = &per_cpu(init_tss, cpu);
11800+ struct tss_struct *tss = init_tss + cpu;
11801 bool preload_fpu;
11802
11803 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
11804@@ -381,6 +383,11 @@ __switch_to(struct task_struct *prev_p,
11805 */
11806 lazy_save_gs(prev->gs);
11807
11808+#ifdef CONFIG_PAX_MEMORY_UDEREF
11809+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
11810+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
11811+#endif
11812+
11813 /*
11814 * Load the per-thread Thread-Local Storage descriptor.
11815 */
11816@@ -497,3 +504,27 @@ unsigned long get_wchan(struct task_stru
11817 return 0;
11818 }
11819
11820+#ifdef CONFIG_PAX_RANDKSTACK
11821+asmlinkage void pax_randomize_kstack(void)
11822+{
11823+ struct thread_struct *thread = &current->thread;
11824+ unsigned long time;
11825+
11826+ if (!randomize_va_space)
11827+ return;
11828+
11829+ rdtscl(time);
11830+
11831+ /* P4 seems to return a 0 LSB, ignore it */
11832+#ifdef CONFIG_MPENTIUM4
11833+ time &= 0x1EUL;
11834+ time <<= 2;
11835+#else
11836+ time &= 0xFUL;
11837+ time <<= 3;
11838+#endif
11839+
11840+ thread->sp0 ^= time;
11841+ load_sp0(init_tss + smp_processor_id(), thread);
11842+}
11843+#endif
11844diff -urNp linux-2.6.32.9/arch/x86/kernel/process_64.c linux-2.6.32.9/arch/x86/kernel/process_64.c
11845--- linux-2.6.32.9/arch/x86/kernel/process_64.c 2010-02-09 07:57:19.000000000 -0500
11846+++ linux-2.6.32.9/arch/x86/kernel/process_64.c 2010-02-23 17:09:53.120037276 -0500
11847@@ -91,7 +91,7 @@ static void __exit_idle(void)
11848 void exit_idle(void)
11849 {
11850 /* idle loop has pid 0 */
11851- if (current->pid)
11852+ if (task_pid_nr(current))
11853 return;
11854 __exit_idle();
11855 }
11856@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
11857 if (!board)
11858 board = "";
11859 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
11860- current->pid, current->comm, print_tainted(),
11861+ task_pid_nr(current), current->comm, print_tainted(),
11862 init_utsname()->release,
11863 (int)strcspn(init_utsname()->version, " "),
11864 init_utsname()->version, board);
11865@@ -381,7 +381,7 @@ __switch_to(struct task_struct *prev_p,
11866 struct thread_struct *prev = &prev_p->thread;
11867 struct thread_struct *next = &next_p->thread;
11868 int cpu = smp_processor_id();
11869- struct tss_struct *tss = &per_cpu(init_tss, cpu);
11870+ struct tss_struct *tss = init_tss + cpu;
11871 unsigned fsindex, gsindex;
11872 bool preload_fpu;
11873
11874@@ -560,12 +560,11 @@ unsigned long get_wchan(struct task_stru
11875 if (!p || p == current || p->state == TASK_RUNNING)
11876 return 0;
11877 stack = (unsigned long)task_stack_page(p);
11878- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
11879+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
11880 return 0;
11881 fp = *(u64 *)(p->thread.sp);
11882 do {
11883- if (fp < (unsigned long)stack ||
11884- fp >= (unsigned long)stack+THREAD_SIZE)
11885+ if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
11886 return 0;
11887 ip = *(u64 *)(fp+8);
11888 if (!in_sched_functions(ip))
11889diff -urNp linux-2.6.32.9/arch/x86/kernel/process.c linux-2.6.32.9/arch/x86/kernel/process.c
11890--- linux-2.6.32.9/arch/x86/kernel/process.c 2010-02-09 07:57:19.000000000 -0500
11891+++ linux-2.6.32.9/arch/x86/kernel/process.c 2010-02-23 17:09:53.123619300 -0500
11892@@ -73,7 +73,7 @@ void exit_thread(void)
11893 unsigned long *bp = t->io_bitmap_ptr;
11894
11895 if (bp) {
11896- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
11897+ struct tss_struct *tss = init_tss + get_cpu();
11898
11899 t->io_bitmap_ptr = NULL;
11900 clear_thread_flag(TIF_IO_BITMAP);
11901@@ -93,6 +93,9 @@ void flush_thread(void)
11902
11903 clear_tsk_thread_flag(tsk, TIF_DEBUG);
11904
11905+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
11906+ loadsegment(gs, 0);
11907+#endif
11908 tsk->thread.debugreg0 = 0;
11909 tsk->thread.debugreg1 = 0;
11910 tsk->thread.debugreg2 = 0;
11911@@ -584,17 +587,3 @@ static int __init idle_setup(char *str)
11912 return 0;
11913 }
11914 early_param("idle", idle_setup);
11915-
11916-unsigned long arch_align_stack(unsigned long sp)
11917-{
11918- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
11919- sp -= get_random_int() % 8192;
11920- return sp & ~0xf;
11921-}
11922-
11923-unsigned long arch_randomize_brk(struct mm_struct *mm)
11924-{
11925- unsigned long range_end = mm->brk + 0x02000000;
11926- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
11927-}
11928-
11929diff -urNp linux-2.6.32.9/arch/x86/kernel/ptrace.c linux-2.6.32.9/arch/x86/kernel/ptrace.c
11930--- linux-2.6.32.9/arch/x86/kernel/ptrace.c 2010-02-09 07:57:19.000000000 -0500
11931+++ linux-2.6.32.9/arch/x86/kernel/ptrace.c 2010-02-23 17:09:53.123619300 -0500
11932@@ -925,7 +925,7 @@ static const struct user_regset_view use
11933 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
11934 {
11935 int ret;
11936- unsigned long __user *datap = (unsigned long __user *)data;
11937+ unsigned long __user *datap = (__force unsigned long __user *)data;
11938
11939 switch (request) {
11940 /* read the word at location addr in the USER area. */
11941@@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
11942 if (addr < 0)
11943 return -EIO;
11944 ret = do_get_thread_area(child, addr,
11945- (struct user_desc __user *) data);
11946+ (__force struct user_desc __user *) data);
11947 break;
11948
11949 case PTRACE_SET_THREAD_AREA:
11950 if (addr < 0)
11951 return -EIO;
11952 ret = do_set_thread_area(child, addr,
11953- (struct user_desc __user *) data, 0);
11954+ (__force struct user_desc __user *) data, 0);
11955 break;
11956 #endif
11957
11958@@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
11959 #ifdef CONFIG_X86_PTRACE_BTS
11960 case PTRACE_BTS_CONFIG:
11961 ret = ptrace_bts_config
11962- (child, data, (struct ptrace_bts_config __user *)addr);
11963+ (child, data, (__force struct ptrace_bts_config __user *)addr);
11964 break;
11965
11966 case PTRACE_BTS_STATUS:
11967 ret = ptrace_bts_status
11968- (child, data, (struct ptrace_bts_config __user *)addr);
11969+ (child, data, (__force struct ptrace_bts_config __user *)addr);
11970 break;
11971
11972 case PTRACE_BTS_SIZE:
11973@@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
11974
11975 case PTRACE_BTS_GET:
11976 ret = ptrace_bts_read_record
11977- (child, data, (struct bts_struct __user *) addr);
11978+ (child, data, (__force struct bts_struct __user *) addr);
11979 break;
11980
11981 case PTRACE_BTS_CLEAR:
11982@@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
11983
11984 case PTRACE_BTS_DRAIN:
11985 ret = ptrace_bts_drain
11986- (child, data, (struct bts_struct __user *) addr);
11987+ (child, data, (__force struct bts_struct __user *) addr);
11988 break;
11989 #endif /* CONFIG_X86_PTRACE_BTS */
11990
11991@@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
11992 info.si_code = si_code;
11993
11994 /* User-mode ip? */
11995- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
11996+ info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
11997
11998 /* Send us the fake SIGTRAP */
11999 force_sig_info(SIGTRAP, &info, tsk);
12000diff -urNp linux-2.6.32.9/arch/x86/kernel/reboot.c linux-2.6.32.9/arch/x86/kernel/reboot.c
12001--- linux-2.6.32.9/arch/x86/kernel/reboot.c 2010-02-09 07:57:19.000000000 -0500
12002+++ linux-2.6.32.9/arch/x86/kernel/reboot.c 2010-02-23 17:09:53.123619300 -0500
12003@@ -33,7 +33,7 @@ void (*pm_power_off)(void);
12004 EXPORT_SYMBOL(pm_power_off);
12005
12006 static const struct desc_ptr no_idt = {};
12007-static int reboot_mode;
12008+static unsigned short reboot_mode;
12009 enum reboot_type reboot_type = BOOT_KBD;
12010 int reboot_force;
12011
12012@@ -276,7 +276,7 @@ static struct dmi_system_id __initdata r
12013 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
12014 },
12015 },
12016- { }
12017+ { NULL, NULL, {{0, {0}}}, NULL}
12018 };
12019
12020 static int __init reboot_init(void)
12021@@ -292,12 +292,12 @@ core_initcall(reboot_init);
12022 controller to pulse the CPU reset line, which is more thorough, but
12023 doesn't work with at least one type of 486 motherboard. It is easy
12024 to stop this code working; hence the copious comments. */
12025-static const unsigned long long
12026-real_mode_gdt_entries [3] =
12027+static struct desc_struct
12028+real_mode_gdt_entries [3] __read_only =
12029 {
12030- 0x0000000000000000ULL, /* Null descriptor */
12031- 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
12032- 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
12033+ GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
12034+ GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
12035+ GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
12036 };
12037
12038 static const struct desc_ptr
12039@@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
12040 * specified by the code and length parameters.
12041 * We assume that length will aways be less that 100!
12042 */
12043-void machine_real_restart(const unsigned char *code, int length)
12044+void machine_real_restart(const unsigned char *code, unsigned int length)
12045 {
12046 local_irq_disable();
12047
12048@@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
12049 /* Remap the kernel at virtual address zero, as well as offset zero
12050 from the kernel segment. This assumes the kernel segment starts at
12051 virtual address PAGE_OFFSET. */
12052- memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12053- sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
12054+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12055+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12056
12057 /*
12058 * Use `swapper_pg_dir' as our page directory.
12059@@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
12060 boot)". This seems like a fairly standard thing that gets set by
12061 REBOOT.COM programs, and the previous reset routine did this
12062 too. */
12063- *((unsigned short *)0x472) = reboot_mode;
12064+ *(unsigned short *)(__va(0x472)) = reboot_mode;
12065
12066 /* For the switch to real mode, copy some code to low memory. It has
12067 to be in the first 64k because it is running in 16-bit mode, and it
12068 has to have the same physical and virtual address, because it turns
12069 off paging. Copy it near the end of the first page, out of the way
12070 of BIOS variables. */
12071- memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
12072- real_mode_switch, sizeof (real_mode_switch));
12073- memcpy((void *)(0x1000 - 100), code, length);
12074+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
12075+ memcpy(__va(0x1000 - 100), code, length);
12076
12077 /* Set up the IDT for real mode. */
12078 load_idt(&real_mode_idt);
12079diff -urNp linux-2.6.32.9/arch/x86/kernel/setup.c linux-2.6.32.9/arch/x86/kernel/setup.c
12080--- linux-2.6.32.9/arch/x86/kernel/setup.c 2010-02-09 07:57:19.000000000 -0500
12081+++ linux-2.6.32.9/arch/x86/kernel/setup.c 2010-02-23 17:09:53.123619300 -0500
12082@@ -771,14 +771,14 @@ void __init setup_arch(char **cmdline_p)
12083
12084 if (!boot_params.hdr.root_flags)
12085 root_mountflags &= ~MS_RDONLY;
12086- init_mm.start_code = (unsigned long) _text;
12087- init_mm.end_code = (unsigned long) _etext;
12088+ init_mm.start_code = ktla_ktva((unsigned long) _text);
12089+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
12090 init_mm.end_data = (unsigned long) _edata;
12091 init_mm.brk = _brk_end;
12092
12093- code_resource.start = virt_to_phys(_text);
12094- code_resource.end = virt_to_phys(_etext)-1;
12095- data_resource.start = virt_to_phys(_etext);
12096+ code_resource.start = virt_to_phys(ktla_ktva(_text));
12097+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
12098+ data_resource.start = virt_to_phys(_sdata);
12099 data_resource.end = virt_to_phys(_edata)-1;
12100 bss_resource.start = virt_to_phys(&__bss_start);
12101 bss_resource.end = virt_to_phys(&__bss_stop)-1;
12102diff -urNp linux-2.6.32.9/arch/x86/kernel/setup_percpu.c linux-2.6.32.9/arch/x86/kernel/setup_percpu.c
12103--- linux-2.6.32.9/arch/x86/kernel/setup_percpu.c 2010-02-09 07:57:19.000000000 -0500
12104+++ linux-2.6.32.9/arch/x86/kernel/setup_percpu.c 2010-02-23 17:09:53.123619300 -0500
12105@@ -25,19 +25,17 @@
12106 # define DBG(x...)
12107 #endif
12108
12109+#ifdef CONFIG_SMP
12110 DEFINE_PER_CPU(int, cpu_number);
12111 EXPORT_PER_CPU_SYMBOL(cpu_number);
12112+#endif
12113
12114-#ifdef CONFIG_X86_64
12115 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
12116-#else
12117-#define BOOT_PERCPU_OFFSET 0
12118-#endif
12119
12120 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
12121 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
12122
12123-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
12124+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
12125 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
12126 };
12127 EXPORT_SYMBOL(__per_cpu_offset);
12128@@ -158,13 +156,15 @@ static void __init pcpup_populate_pte(un
12129 static inline void setup_percpu_segment(int cpu)
12130 {
12131 #ifdef CONFIG_X86_32
12132- struct desc_struct gdt;
12133+ struct desc_struct d, *gdt = get_cpu_gdt_table(cpu);
12134+ unsigned long base = per_cpu_offset(cpu);
12135+ const unsigned long limit = VMALLOC_END - base - 1;
12136
12137- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
12138- 0x2 | DESCTYPE_S, 0x8);
12139- gdt.s = 1;
12140- write_gdt_entry(get_cpu_gdt_table(cpu),
12141- GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
12142+ if (limit < 64*1024)
12143+ pack_descriptor(&d, base, limit, 0x80 | DESCTYPE_S | 0x3, 0x4);
12144+ else
12145+ pack_descriptor(&d, base, limit >> PAGE_SHIFT, 0x80 | DESCTYPE_S | 0x3, 0xC);
12146+ write_gdt_entry(gdt, GDT_ENTRY_PERCPU, &d, DESCTYPE_S);
12147 #endif
12148 }
12149
12150@@ -212,6 +212,11 @@ void __init setup_per_cpu_areas(void)
12151 /* alrighty, percpu areas up and running */
12152 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
12153 for_each_possible_cpu(cpu) {
12154+#ifdef CONFIG_CC_STACKPROTECTOR
12155+#ifdef CONFIG_x86_32
12156+ unsigned long canary = per_cpu(stack_canary, cpu);
12157+#endif
12158+#endif
12159 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
12160 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
12161 per_cpu(cpu_number, cpu) = cpu;
12162@@ -239,6 +244,12 @@ void __init setup_per_cpu_areas(void)
12163 early_per_cpu_map(x86_cpu_to_node_map, cpu);
12164 #endif
12165 #endif
12166+#ifdef CONFIG_CC_STACKPROTECTOR
12167+#ifdef CONFIG_x86_32
12168+ if (cpu == boot_cpu_id)
12169+ per_cpu(stack_canary, cpu) = canary;
12170+#endif
12171+#endif
12172 /*
12173 * Up to this point, the boot CPU has been using .data.init
12174 * area. Reload any changed state for the boot CPU.
12175diff -urNp linux-2.6.32.9/arch/x86/kernel/signal.c linux-2.6.32.9/arch/x86/kernel/signal.c
12176--- linux-2.6.32.9/arch/x86/kernel/signal.c 2010-02-09 07:57:19.000000000 -0500
12177+++ linux-2.6.32.9/arch/x86/kernel/signal.c 2010-02-23 17:09:53.123619300 -0500
12178@@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
12179 * Align the stack pointer according to the i386 ABI,
12180 * i.e. so that on function entry ((sp + 4) & 15) == 0.
12181 */
12182- sp = ((sp + 4) & -16ul) - 4;
12183+ sp = ((sp - 12) & -16ul) - 4;
12184 #else /* !CONFIG_X86_32 */
12185 sp = round_down(sp, 16) - 8;
12186 #endif
12187@@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
12188 * Return an always-bogus address instead so we will die with SIGSEGV.
12189 */
12190 if (onsigstack && !likely(on_sig_stack(sp)))
12191- return (void __user *)-1L;
12192+ return (__force void __user *)-1L;
12193
12194 /* save i387 state */
12195 if (used_math() && save_i387_xstate(*fpstate) < 0)
12196- return (void __user *)-1L;
12197+ return (__force void __user *)-1L;
12198
12199 return (void __user *)sp;
12200 }
12201@@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
12202 }
12203
12204 if (current->mm->context.vdso)
12205- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12206+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12207 else
12208- restorer = &frame->retcode;
12209+ restorer = (void __user *)&frame->retcode;
12210 if (ka->sa.sa_flags & SA_RESTORER)
12211 restorer = ka->sa.sa_restorer;
12212
12213@@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
12214 * reasons and because gdb uses it as a signature to notice
12215 * signal handler stack frames.
12216 */
12217- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
12218+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
12219
12220 if (err)
12221 return -EFAULT;
12222@@ -377,7 +377,7 @@ static int __setup_rt_frame(int sig, str
12223 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
12224
12225 /* Set up to return from userspace. */
12226- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12227+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12228 if (ka->sa.sa_flags & SA_RESTORER)
12229 restorer = ka->sa.sa_restorer;
12230 put_user_ex(restorer, &frame->pretcode);
12231@@ -389,7 +389,7 @@ static int __setup_rt_frame(int sig, str
12232 * reasons and because gdb uses it as a signature to notice
12233 * signal handler stack frames.
12234 */
12235- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
12236+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
12237 } put_user_catch(err);
12238
12239 if (err)
12240@@ -789,7 +789,7 @@ static void do_signal(struct pt_regs *re
12241 * X86_32: vm86 regs switched out by assembly code before reaching
12242 * here, so testing against kernel CS suffices.
12243 */
12244- if (!user_mode(regs))
12245+ if (!user_mode_novm(regs))
12246 return;
12247
12248 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
12249diff -urNp linux-2.6.32.9/arch/x86/kernel/smpboot.c linux-2.6.32.9/arch/x86/kernel/smpboot.c
12250--- linux-2.6.32.9/arch/x86/kernel/smpboot.c 2010-02-09 07:57:19.000000000 -0500
12251+++ linux-2.6.32.9/arch/x86/kernel/smpboot.c 2010-02-23 17:09:53.123619300 -0500
12252@@ -729,7 +729,11 @@ do_rest:
12253 (unsigned long)task_stack_page(c_idle.idle) -
12254 KERNEL_STACK_OFFSET + THREAD_SIZE;
12255 #endif
12256+
12257+ pax_open_kernel();
12258 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12259+ pax_close_kernel();
12260+
12261 initial_code = (unsigned long)start_secondary;
12262 stack_start.sp = (void *) c_idle.idle->thread.sp;
12263
12264diff -urNp linux-2.6.32.9/arch/x86/kernel/step.c linux-2.6.32.9/arch/x86/kernel/step.c
12265--- linux-2.6.32.9/arch/x86/kernel/step.c 2010-02-09 07:57:19.000000000 -0500
12266+++ linux-2.6.32.9/arch/x86/kernel/step.c 2010-02-23 17:09:53.123619300 -0500
12267@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
12268 struct desc_struct *desc;
12269 unsigned long base;
12270
12271- seg &= ~7UL;
12272+ seg >>= 3;
12273
12274 mutex_lock(&child->mm->context.lock);
12275- if (unlikely((seg >> 3) >= child->mm->context.size))
12276+ if (unlikely(seg >= child->mm->context.size))
12277 addr = -1L; /* bogus selector, access would fault */
12278 else {
12279 desc = child->mm->context.ldt + seg;
12280@@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
12281 unsigned char opcode[15];
12282 unsigned long addr = convert_ip_to_linear(child, regs);
12283
12284+ if (addr == -EINVAL)
12285+ return 0;
12286+
12287 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
12288 for (i = 0; i < copied; i++) {
12289 switch (opcode[i]) {
12290@@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
12291
12292 #ifdef CONFIG_X86_64
12293 case 0x40 ... 0x4f:
12294- if (regs->cs != __USER_CS)
12295+ if ((regs->cs & 0xffff) != __USER_CS)
12296 /* 32-bit mode: register increment */
12297 return 0;
12298 /* 64-bit mode: REX prefix */
12299diff -urNp linux-2.6.32.9/arch/x86/kernel/syscall_table_32.S linux-2.6.32.9/arch/x86/kernel/syscall_table_32.S
12300--- linux-2.6.32.9/arch/x86/kernel/syscall_table_32.S 2010-02-09 07:57:19.000000000 -0500
12301+++ linux-2.6.32.9/arch/x86/kernel/syscall_table_32.S 2010-02-23 17:09:53.123619300 -0500
12302@@ -1,3 +1,4 @@
12303+.section .rodata,"a",@progbits
12304 ENTRY(sys_call_table)
12305 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
12306 .long sys_exit
12307diff -urNp linux-2.6.32.9/arch/x86/kernel/sys_i386_32.c linux-2.6.32.9/arch/x86/kernel/sys_i386_32.c
12308--- linux-2.6.32.9/arch/x86/kernel/sys_i386_32.c 2010-02-09 07:57:19.000000000 -0500
12309+++ linux-2.6.32.9/arch/x86/kernel/sys_i386_32.c 2010-02-23 17:09:53.123619300 -0500
12310@@ -24,6 +24,21 @@
12311
12312 #include <asm/syscalls.h>
12313
12314+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
12315+{
12316+ unsigned long pax_task_size = TASK_SIZE;
12317+
12318+#ifdef CONFIG_PAX_SEGMEXEC
12319+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
12320+ pax_task_size = SEGMEXEC_TASK_SIZE;
12321+#endif
12322+
12323+ if (len > pax_task_size || addr > pax_task_size - len)
12324+ return -EINVAL;
12325+
12326+ return 0;
12327+}
12328+
12329 /*
12330 * Perform the select(nd, in, out, ex, tv) and mmap() system
12331 * calls. Linux/i386 didn't use to be able to handle more than
12332@@ -58,6 +73,205 @@ out:
12333 return err;
12334 }
12335
12336+unsigned long
12337+arch_get_unmapped_area(struct file *filp, unsigned long addr,
12338+ unsigned long len, unsigned long pgoff, unsigned long flags)
12339+{
12340+ struct mm_struct *mm = current->mm;
12341+ struct vm_area_struct *vma;
12342+ unsigned long start_addr, pax_task_size = TASK_SIZE;
12343+
12344+#ifdef CONFIG_PAX_SEGMEXEC
12345+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12346+ pax_task_size = SEGMEXEC_TASK_SIZE;
12347+#endif
12348+
12349+ if (len > pax_task_size)
12350+ return -ENOMEM;
12351+
12352+ if (flags & MAP_FIXED)
12353+ return addr;
12354+
12355+#ifdef CONFIG_PAX_RANDMMAP
12356+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12357+#endif
12358+
12359+ if (addr) {
12360+ addr = PAGE_ALIGN(addr);
12361+ vma = find_vma(mm, addr);
12362+ if (pax_task_size - len >= addr &&
12363+ (!vma || addr + len <= vma->vm_start))
12364+ return addr;
12365+ }
12366+ if (len > mm->cached_hole_size) {
12367+ start_addr = addr = mm->free_area_cache;
12368+ } else {
12369+ start_addr = addr = mm->mmap_base;
12370+ mm->cached_hole_size = 0;
12371+ }
12372+
12373+#ifdef CONFIG_PAX_PAGEEXEC
12374+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
12375+ start_addr = 0x00110000UL;
12376+
12377+#ifdef CONFIG_PAX_RANDMMAP
12378+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12379+ start_addr += mm->delta_mmap & 0x03FFF000UL;
12380+#endif
12381+
12382+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
12383+ start_addr = addr = mm->mmap_base;
12384+ else
12385+ addr = start_addr;
12386+ }
12387+#endif
12388+
12389+full_search:
12390+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
12391+ /* At this point: (!vma || addr < vma->vm_end). */
12392+ if (pax_task_size - len < addr) {
12393+ /*
12394+ * Start a new search - just in case we missed
12395+ * some holes.
12396+ */
12397+ if (start_addr != mm->mmap_base) {
12398+ start_addr = addr = mm->mmap_base;
12399+ mm->cached_hole_size = 0;
12400+ goto full_search;
12401+ }
12402+ return -ENOMEM;
12403+ }
12404+ if (!vma || addr + len <= vma->vm_start) {
12405+ /*
12406+ * Remember the place where we stopped the search:
12407+ */
12408+ mm->free_area_cache = addr + len;
12409+ return addr;
12410+ }
12411+ if (addr + mm->cached_hole_size < vma->vm_start)
12412+ mm->cached_hole_size = vma->vm_start - addr;
12413+ addr = vma->vm_end;
12414+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
12415+ start_addr = addr = mm->mmap_base;
12416+ mm->cached_hole_size = 0;
12417+ goto full_search;
12418+ }
12419+ }
12420+}
12421+
12422+unsigned long
12423+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12424+ const unsigned long len, const unsigned long pgoff,
12425+ const unsigned long flags)
12426+{
12427+ struct vm_area_struct *vma;
12428+ struct mm_struct *mm = current->mm;
12429+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
12430+
12431+#ifdef CONFIG_PAX_SEGMEXEC
12432+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12433+ pax_task_size = SEGMEXEC_TASK_SIZE;
12434+#endif
12435+
12436+ /* requested length too big for entire address space */
12437+ if (len > pax_task_size)
12438+ return -ENOMEM;
12439+
12440+ if (flags & MAP_FIXED)
12441+ return addr;
12442+
12443+#ifdef CONFIG_PAX_PAGEEXEC
12444+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
12445+ goto bottomup;
12446+#endif
12447+
12448+#ifdef CONFIG_PAX_RANDMMAP
12449+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12450+#endif
12451+
12452+ /* requesting a specific address */
12453+ if (addr) {
12454+ addr = PAGE_ALIGN(addr);
12455+ vma = find_vma(mm, addr);
12456+ if (pax_task_size - len >= addr &&
12457+ (!vma || addr + len <= vma->vm_start))
12458+ return addr;
12459+ }
12460+
12461+ /* check if free_area_cache is useful for us */
12462+ if (len <= mm->cached_hole_size) {
12463+ mm->cached_hole_size = 0;
12464+ mm->free_area_cache = mm->mmap_base;
12465+ }
12466+
12467+ /* either no address requested or can't fit in requested address hole */
12468+ addr = mm->free_area_cache;
12469+
12470+ /* make sure it can fit in the remaining address space */
12471+ if (addr > len) {
12472+ vma = find_vma(mm, addr-len);
12473+ if (!vma || addr <= vma->vm_start)
12474+ /* remember the address as a hint for next time */
12475+ return (mm->free_area_cache = addr-len);
12476+ }
12477+
12478+ if (mm->mmap_base < len)
12479+ goto bottomup;
12480+
12481+ addr = mm->mmap_base-len;
12482+
12483+ do {
12484+ /*
12485+ * Lookup failure means no vma is above this address,
12486+ * else if new region fits below vma->vm_start,
12487+ * return with success:
12488+ */
12489+ vma = find_vma(mm, addr);
12490+ if (!vma || addr+len <= vma->vm_start)
12491+ /* remember the address as a hint for next time */
12492+ return (mm->free_area_cache = addr);
12493+
12494+ /* remember the largest hole we saw so far */
12495+ if (addr + mm->cached_hole_size < vma->vm_start)
12496+ mm->cached_hole_size = vma->vm_start - addr;
12497+
12498+ /* try just below the current vma->vm_start */
12499+ addr = vma->vm_start-len;
12500+ } while (len < vma->vm_start);
12501+
12502+bottomup:
12503+ /*
12504+ * A failed mmap() very likely causes application failure,
12505+ * so fall back to the bottom-up function here. This scenario
12506+ * can happen with large stack limits and large mmap()
12507+ * allocations.
12508+ */
12509+
12510+#ifdef CONFIG_PAX_SEGMEXEC
12511+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12512+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
12513+ else
12514+#endif
12515+
12516+ mm->mmap_base = TASK_UNMAPPED_BASE;
12517+
12518+#ifdef CONFIG_PAX_RANDMMAP
12519+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12520+ mm->mmap_base += mm->delta_mmap;
12521+#endif
12522+
12523+ mm->free_area_cache = mm->mmap_base;
12524+ mm->cached_hole_size = ~0UL;
12525+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12526+ /*
12527+ * Restore the topdown base:
12528+ */
12529+ mm->mmap_base = base;
12530+ mm->free_area_cache = base;
12531+ mm->cached_hole_size = ~0UL;
12532+
12533+ return addr;
12534+}
12535
12536 struct sel_arg_struct {
12537 unsigned long n;
12538@@ -93,7 +307,7 @@ asmlinkage int sys_ipc(uint call, int fi
12539 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
12540 case SEMTIMEDOP:
12541 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
12542- (const struct timespec __user *)fifth);
12543+ (__force const struct timespec __user *)fifth);
12544
12545 case SEMGET:
12546 return sys_semget(first, second, third);
12547@@ -140,7 +354,7 @@ asmlinkage int sys_ipc(uint call, int fi
12548 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
12549 if (ret)
12550 return ret;
12551- return put_user(raddr, (ulong __user *) third);
12552+ return put_user(raddr, (__force ulong __user *) third);
12553 }
12554 case 1: /* iBCS2 emulator entry point */
12555 if (!segment_eq(get_fs(), get_ds()))
12556diff -urNp linux-2.6.32.9/arch/x86/kernel/sys_x86_64.c linux-2.6.32.9/arch/x86/kernel/sys_x86_64.c
12557--- linux-2.6.32.9/arch/x86/kernel/sys_x86_64.c 2010-02-09 07:57:19.000000000 -0500
12558+++ linux-2.6.32.9/arch/x86/kernel/sys_x86_64.c 2010-02-23 17:09:53.123619300 -0500
12559@@ -32,8 +32,8 @@ out:
12560 return error;
12561 }
12562
12563-static void find_start_end(unsigned long flags, unsigned long *begin,
12564- unsigned long *end)
12565+static void find_start_end(struct mm_struct *mm, unsigned long flags,
12566+ unsigned long *begin, unsigned long *end)
12567 {
12568 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
12569 unsigned long new_begin;
12570@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
12571 *begin = new_begin;
12572 }
12573 } else {
12574- *begin = TASK_UNMAPPED_BASE;
12575+ *begin = mm->mmap_base;
12576 *end = TASK_SIZE;
12577 }
12578 }
12579@@ -69,11 +69,15 @@ arch_get_unmapped_area(struct file *filp
12580 if (flags & MAP_FIXED)
12581 return addr;
12582
12583- find_start_end(flags, &begin, &end);
12584+ find_start_end(mm, flags, &begin, &end);
12585
12586 if (len > end)
12587 return -ENOMEM;
12588
12589+#ifdef CONFIG_PAX_RANDMMAP
12590+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12591+#endif
12592+
12593 if (addr) {
12594 addr = PAGE_ALIGN(addr);
12595 vma = find_vma(mm, addr);
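Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it guards the following `if (addr) {` block across the `#endif` and a blank line, so a statement later inserted between them would silently become the guarded one. At minimum, add a comment on the guard such as `/* guards the if (addr) block below: the address hint is ignored under RANDMMAP */`; folding the test into the block's own condition would make the pairing explicit. The same construct is added in the `-141,6 +145,10` hunk of arch_get_unmapped_area_topdown further down this file. arch_get_unmapped_area's body continues outside this hunk.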
12596@@ -128,7 +132,7 @@ arch_get_unmapped_area_topdown(struct fi
12597 {
12598 struct vm_area_struct *vma;
12599 struct mm_struct *mm = current->mm;
12600- unsigned long addr = addr0;
12601+ unsigned long base = mm->mmap_base, addr = addr0;
12602
12603 /* requested length too big for entire address space */
12604 if (len > TASK_SIZE)
12605@@ -141,6 +145,10 @@ arch_get_unmapped_area_topdown(struct fi
12606 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
12607 goto bottomup;
12608
12609+#ifdef CONFIG_PAX_RANDMMAP
12610+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12611+#endif
12612+
12613 /* requesting a specific address */
12614 if (addr) {
12615 addr = PAGE_ALIGN(addr);
12616@@ -198,13 +206,21 @@ bottomup:
12617 * can happen with large stack limits and large mmap()
12618 * allocations.
12619 */
12620+ mm->mmap_base = TASK_UNMAPPED_BASE;
12621+
12622+#ifdef CONFIG_PAX_RANDMMAP
12623+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12624+ mm->mmap_base += mm->delta_mmap;
12625+#endif
12626+
12627+ mm->free_area_cache = mm->mmap_base;
12628 mm->cached_hole_size = ~0UL;
12629- mm->free_area_cache = TASK_UNMAPPED_BASE;
12630 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12631 /*
12632 * Restore the topdown base:
12633 */
12634- mm->free_area_cache = mm->mmap_base;
12635+ mm->mmap_base = base;
12636+ mm->free_area_cache = base;
12637 mm->cached_hole_size = ~0UL;
12638
12639 return addr;
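Review bot: The fallback now overwrites `mm->mmap_base` before calling arch_get_unmapped_area() and restores it from `base` afterwards, but nothing says why, or what keeps other readers of `mm->mmap_base` from seeing the temporary value. Earlier hunks in this file make find_start_end() read `mm->mmap_base`, which is presumably the reason. A comment above the first assignment would record that, for example `/* find_start_end() starts at mm->mmap_base, so switch to the bottom-up base for this call; assumes the caller serialises access to mm */`, with the locking assumption confirmed against the callers. The enclosing function starts outside this hunk.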
12640diff -urNp linux-2.6.32.9/arch/x86/kernel/time.c linux-2.6.32.9/arch/x86/kernel/time.c
12641--- linux-2.6.32.9/arch/x86/kernel/time.c 2010-02-09 07:57:19.000000000 -0500
12642+++ linux-2.6.32.9/arch/x86/kernel/time.c 2010-02-23 17:09:53.123619300 -0500
12643@@ -26,17 +26,13 @@
12644 int timer_ack;
12645 #endif
12646
12647-#ifdef CONFIG_X86_64
12648-volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
12649-#endif
12650-
12651 unsigned long profile_pc(struct pt_regs *regs)
12652 {
12653 unsigned long pc = instruction_pointer(regs);
12654
12655- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
12656+ if (!user_mode(regs) && in_lock_functions(pc)) {
12657 #ifdef CONFIG_FRAME_POINTER
12658- return *(unsigned long *)(regs->bp + sizeof(long));
12659+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
12660 #else
12661 unsigned long *sp =
12662 (unsigned long *)kernel_stack_pointer(regs);
12663@@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
12664 * or above a saved flags. Eflags has bits 22-31 zero,
12665 * kernel addresses don't.
12666 */
12667+
12668+#ifdef CONFIG_PAX_KERNEXEC
12669+ return ktla_ktva(sp[0]);
12670+#else
12671 if (sp[0] >> 22)
12672 return sp[0];
12673 if (sp[1] >> 22)
12674 return sp[1];
12675 #endif
12676+
12677+#endif
12678 }
12679 return pc;
12680 }
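Review bot: With CONFIG_PAX_KERNEXEC the non-frame-pointer path returns `ktla_ktva(sp[0])` unconditionally and skips the `>> 22` test, so the case the existing comment describes, a saved flags word at `sp[0]` with the return address above it, is reported as a pc. If that is deliberate (presumably the bit test cannot tell flags from text addresses under KERNEXEC), say so in a comment next to the new branch; as far as this hunk shows it only affects profiling accuracy. The two consecutive `#endif` lines would also read better tagged `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_FRAME_POINTER */`. profile_pc begins in the previous hunk.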
12681diff -urNp linux-2.6.32.9/arch/x86/kernel/tls.c linux-2.6.32.9/arch/x86/kernel/tls.c
12682--- linux-2.6.32.9/arch/x86/kernel/tls.c 2010-02-09 07:57:19.000000000 -0500
12683+++ linux-2.6.32.9/arch/x86/kernel/tls.c 2010-02-23 17:09:53.123619300 -0500
12684@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
12685 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
12686 return -EINVAL;
12687
12688+#ifdef CONFIG_PAX_SEGMEXEC
12689+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
12690+ return -EINVAL;
12691+#endif
12692+
12693 set_tls_desc(p, idx, &info, 1);
12694
12695 return 0;
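Review bot: The new SEGMEXEC check dereferences `p->mm` without testing it, whereas the PAGEEXEC block this patch adds to do_general_protection in traps.c guards with `tsk->mm &&`. If do_set_thread_area can be reached for a task that has no mm (not determinable from this hunk), that is a NULL dereference in kernel context. Writing the test as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` costs nothing and matches the other site. A short comment that code-type TLS descriptors are refused under SEGMEXEC would also explain the `-EINVAL`. The function's body starts outside the hunk.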
12696diff -urNp linux-2.6.32.9/arch/x86/kernel/trampoline_32.S linux-2.6.32.9/arch/x86/kernel/trampoline_32.S
12697--- linux-2.6.32.9/arch/x86/kernel/trampoline_32.S 2010-02-09 07:57:19.000000000 -0500
12698+++ linux-2.6.32.9/arch/x86/kernel/trampoline_32.S 2010-02-23 17:09:53.123619300 -0500
12699@@ -32,6 +32,12 @@
12700 #include <asm/segment.h>
12701 #include <asm/page_types.h>
12702
12703+#ifdef CONFIG_PAX_KERNEXEC
12704+#define ta(X) (X)
12705+#else
12706+#define ta(X) ((X) - __PAGE_OFFSET)
12707+#endif
12708+
12709 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
12710 __CPUINITRODATA
12711 .code16
12712@@ -60,7 +66,7 @@ r_base = .
12713 inc %ax # protected mode (PE) bit
12714 lmsw %ax # into protected mode
12715 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
12716- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
12717+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
12718
12719 # These need to be in the same 64K segment as the above;
12720 # hence we don't use the boot_gdt_descr defined in head.S
12721diff -urNp linux-2.6.32.9/arch/x86/kernel/traps.c linux-2.6.32.9/arch/x86/kernel/traps.c
12722--- linux-2.6.32.9/arch/x86/kernel/traps.c 2010-02-09 07:57:19.000000000 -0500
12723+++ linux-2.6.32.9/arch/x86/kernel/traps.c 2010-02-23 17:09:53.123619300 -0500
12724@@ -69,12 +69,6 @@ asmlinkage int system_call(void);
12725
12726 /* Do we ignore FPU interrupts ? */
12727 char ignore_fpu_irq;
12728-
12729-/*
12730- * The IDT has to be page-aligned to simplify the Pentium
12731- * F0 0F bug workaround.
12732- */
12733-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
12734 #endif
12735
12736 DECLARE_BITMAP(used_vectors, NR_VECTORS);
12737@@ -112,19 +106,19 @@ static inline void preempt_conditional_c
12738 static inline void
12739 die_if_kernel(const char *str, struct pt_regs *regs, long err)
12740 {
12741- if (!user_mode_vm(regs))
12742+ if (!user_mode(regs))
12743 die(str, regs, err);
12744 }
12745 #endif
12746
12747 static void __kprobes
12748-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
12749+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
12750 long error_code, siginfo_t *info)
12751 {
12752 struct task_struct *tsk = current;
12753
12754 #ifdef CONFIG_X86_32
12755- if (regs->flags & X86_VM_MASK) {
12756+ if (v8086_mode(regs)) {
12757 /*
12758 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
12759 * On nmi (interrupt 2), do_trap should not be called.
12760@@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
12761 }
12762 #endif
12763
12764- if (!user_mode(regs))
12765+ if (!user_mode_novm(regs))
12766 goto kernel_trap;
12767
12768 #ifdef CONFIG_X86_32
12769@@ -158,7 +152,7 @@ trap_signal:
12770 printk_ratelimit()) {
12771 printk(KERN_INFO
12772 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
12773- tsk->comm, tsk->pid, str,
12774+ tsk->comm, task_pid_nr(tsk), str,
12775 regs->ip, regs->sp, error_code);
12776 print_vma_addr(" in ", regs->ip);
12777 printk("\n");
12778@@ -175,8 +169,20 @@ kernel_trap:
12779 if (!fixup_exception(regs)) {
12780 tsk->thread.error_code = error_code;
12781 tsk->thread.trap_no = trapnr;
12782+
12783+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
12784+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
12785+ str = "PAX: suspicious stack segment fault";
12786+#endif
12787+
12788 die(str, regs, error_code);
12789 }
12790+
12791+#ifdef CONFIG_PAX_REFCOUNT
12792+ if (trapnr == 4)
12793+ pax_report_refcount_overflow(regs);
12794+#endif
12795+
12796 return;
12797
12798 #ifdef CONFIG_X86_32
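Review bot: The two added blocks test bare vector numbers, `trapnr == 12` and `trapnr == 4`, which the reader has to decode from the message string and the callee name. A trailing comment on each, `/* 12: stack segment fault */` and `/* 4: overflow trap, used to report refcount overflows */`, would make the intent checkable; the second description is inferred from `pax_report_refcount_overflow` and should be confirmed. The refcount report sits after the `fixup_exception()` block, so it runs on both the fixed-up path and the `die()` path; the comment should say whether that is intended. do_trap starts in an earlier hunk.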
12799@@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
12800 conditional_sti(regs);
12801
12802 #ifdef CONFIG_X86_32
12803- if (regs->flags & X86_VM_MASK)
12804+ if (v8086_mode(regs))
12805 goto gp_in_vm86;
12806 #endif
12807
12808 tsk = current;
12809- if (!user_mode(regs))
12810+ if (!user_mode_novm(regs))
12811 goto gp_in_kernel;
12812
12813+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
12814+ if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
12815+ struct mm_struct *mm = tsk->mm;
12816+ unsigned long limit;
12817+
12818+ down_write(&mm->mmap_sem);
12819+ limit = mm->context.user_cs_limit;
12820+ if (limit < TASK_SIZE) {
12821+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
12822+ up_write(&mm->mmap_sem);
12823+ return;
12824+ }
12825+ up_write(&mm->mmap_sem);
12826+ }
12827+#endif
12828+
12829 tsk->thread.error_code = error_code;
12830 tsk->thread.trap_no = 13;
12831
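Review bot: The added PAGEEXEC block returns from the general protection handler without setting `error_code`/`trap_no` or raising a signal whenever `user_cs_limit` is below TASK_SIZE, and nothing in the hunk explains why such a fault is treated as recoverable. A comment before `down_write()` describing the mechanism would help, roughly `/* no NX: exec is bounded by the user CS limit; widen the tracked limit and let the instruction retry */`, with the wording checked against track_exec_limit(), which is not shown here. It is also worth stating why the retry terminates, presumably because the second fault no longer finds the limit below TASK_SIZE. The function starts and ends outside the hunk.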
12832@@ -305,6 +327,13 @@ gp_in_kernel:
12833 if (notify_die(DIE_GPF, "general protection fault", regs,
12834 error_code, 13, SIGSEGV) == NOTIFY_STOP)
12835 return;
12836+
12837+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
12838+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
12839+ die("PAX: suspicious general protection fault", regs, error_code);
12840+ else
12841+#endif
12842+
12843 die("general protection fault", regs, error_code);
12844 }
12845
12846@@ -558,7 +587,7 @@ dotraplinkage void __kprobes do_debug(st
12847 }
12848
12849 #ifdef CONFIG_X86_32
12850- if (regs->flags & X86_VM_MASK)
12851+ if (v8086_mode(regs))
12852 goto debug_vm86;
12853 #endif
12854
12855@@ -570,7 +599,7 @@ dotraplinkage void __kprobes do_debug(st
12856 * kernel space (but re-enable TF when returning to user mode).
12857 */
12858 if (condition & DR_STEP) {
12859- if (!user_mode(regs))
12860+ if (!user_mode_novm(regs))
12861 goto clear_TF_reenable;
12862 }
12863
12864@@ -757,7 +786,7 @@ do_simd_coprocessor_error(struct pt_regs
12865 * Handle strange cache flush from user space exception
12866 * in all other cases. This is undocumented behaviour.
12867 */
12868- if (regs->flags & X86_VM_MASK) {
12869+ if (v8086_mode(regs)) {
12870 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
12871 return;
12872 }
12873diff -urNp linux-2.6.32.9/arch/x86/kernel/tsc.c linux-2.6.32.9/arch/x86/kernel/tsc.c
12874--- linux-2.6.32.9/arch/x86/kernel/tsc.c 2010-02-09 07:57:19.000000000 -0500
12875+++ linux-2.6.32.9/arch/x86/kernel/tsc.c 2010-02-23 17:09:53.123619300 -0500
12876@@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
12877 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
12878 },
12879 },
12880- {}
12881+ { NULL, NULL, {{0, {0}}}, NULL}
12882 };
12883
12884 static void __init check_system_tsc_reliable(void)
12885diff -urNp linux-2.6.32.9/arch/x86/kernel/vm86_32.c linux-2.6.32.9/arch/x86/kernel/vm86_32.c
12886--- linux-2.6.32.9/arch/x86/kernel/vm86_32.c 2010-02-09 07:57:19.000000000 -0500
12887+++ linux-2.6.32.9/arch/x86/kernel/vm86_32.c 2010-02-23 17:09:53.123619300 -0500
12888@@ -41,6 +41,7 @@
12889 #include <linux/ptrace.h>
12890 #include <linux/audit.h>
12891 #include <linux/stddef.h>
12892+#include <linux/grsecurity.h>
12893
12894 #include <asm/uaccess.h>
12895 #include <asm/io.h>
12896@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
12897 do_exit(SIGSEGV);
12898 }
12899
12900- tss = &per_cpu(init_tss, get_cpu());
12901+ tss = init_tss + get_cpu();
12902 current->thread.sp0 = current->thread.saved_sp0;
12903 current->thread.sysenter_cs = __KERNEL_CS;
12904 load_sp0(tss, &current->thread);
12905@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
12906 struct task_struct *tsk;
12907 int tmp, ret = -EPERM;
12908
12909+#ifdef CONFIG_GRKERNSEC_VM86
12910+ if (!capable(CAP_SYS_RAWIO)) {
12911+ gr_handle_vm86();
12912+ goto out;
12913+ }
12914+#endif
12915+
12916 tsk = current;
12917 if (tsk->thread.saved_sp0)
12918 goto out;
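Review bot: The denial path in sys_vm86old relies on `ret` having been initialised to `-EPERM` in the declaration above, while the equivalent block added to sys_vm86 in the next hunk sets `ret = -EPERM;` explicitly before `goto out`. Adding `ret = -EPERM;` after `gr_handle_vm86();` here makes the two identical and keeps the refusal from changing silently if the initialiser is ever edited. A one-line comment above the `#ifdef`, such as `/* vm86 mode is restricted to CAP_SYS_RAWIO when GRKERNSEC_VM86 is set */`, would document the policy. Both functions continue outside their hunks.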
12919@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
12920 int tmp, ret;
12921 struct vm86plus_struct __user *v86;
12922
12923+#ifdef CONFIG_GRKERNSEC_VM86
12924+ if (!capable(CAP_SYS_RAWIO)) {
12925+ gr_handle_vm86();
12926+ ret = -EPERM;
12927+ goto out;
12928+ }
12929+#endif
12930+
12931 tsk = current;
12932 switch (regs->bx) {
12933 case VM86_REQUEST_IRQ:
12934@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
12935 tsk->thread.saved_fs = info->regs32->fs;
12936 tsk->thread.saved_gs = get_user_gs(info->regs32);
12937
12938- tss = &per_cpu(init_tss, get_cpu());
12939+ tss = init_tss + get_cpu();
12940 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
12941 if (cpu_has_sep)
12942 tsk->thread.sysenter_cs = 0;
12943@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
12944 goto cannot_handle;
12945 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
12946 goto cannot_handle;
12947- intr_ptr = (unsigned long __user *) (i << 2);
12948+ intr_ptr = (__force unsigned long __user *) (i << 2);
12949 if (get_user(segoffs, intr_ptr))
12950 goto cannot_handle;
12951 if ((segoffs >> 16) == BIOSSEG)
12952diff -urNp linux-2.6.32.9/arch/x86/kernel/vmi_32.c linux-2.6.32.9/arch/x86/kernel/vmi_32.c
12953--- linux-2.6.32.9/arch/x86/kernel/vmi_32.c 2010-02-09 07:57:19.000000000 -0500
12954+++ linux-2.6.32.9/arch/x86/kernel/vmi_32.c 2010-02-23 17:09:53.123619300 -0500
12955@@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
12956 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
12957
12958 #define call_vrom_func(rom,func) \
12959- (((VROMFUNC *)(rom->func))())
12960+ (((VROMFUNC *)(ktva_ktla(rom.func)))())
12961
12962 #define call_vrom_long_func(rom,func,arg) \
12963- (((VROMLONGFUNC *)(rom->func)) (arg))
12964+({\
12965+ u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
12966+ struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
12967+ __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
12968+ __reloc;\
12969+})
12970
12971-static struct vrom_header *vmi_rom;
12972+static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
12973 static int disable_pge;
12974 static int disable_pse;
12975 static int disable_sep;
12976@@ -76,10 +81,10 @@ static struct {
12977 void (*set_initial_ap_state)(int, int);
12978 void (*halt)(void);
12979 void (*set_lazy_mode)(int mode);
12980-} vmi_ops;
12981+} vmi_ops __read_only;
12982
12983 /* Cached VMI operations */
12984-struct vmi_timer_ops vmi_timer_ops;
12985+struct vmi_timer_ops vmi_timer_ops __read_only;
12986
12987 /*
12988 * VMI patching routines.
12989@@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
12990 static inline void patch_offset(void *insnbuf,
12991 unsigned long ip, unsigned long dest)
12992 {
12993- *(unsigned long *)(insnbuf+1) = dest-ip-5;
12994+ *(unsigned long *)(insnbuf+1) = dest-ip-5;
12995 }
12996
12997 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
12998@@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
12999 {
13000 u64 reloc;
13001 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
13002+
13003 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
13004 switch(rel->type) {
13005 case VMI_RELOCATION_CALL_REL:
13006@@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
13007
13008 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
13009 {
13010- const pte_t pte = { .pte = 0 };
13011+ const pte_t pte = __pte(0ULL);
13012 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
13013 }
13014
13015 static void vmi_pmd_clear(pmd_t *pmd)
13016 {
13017- const pte_t pte = { .pte = 0 };
13018+ const pte_t pte = __pte(0ULL);
13019 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
13020 }
13021 #endif
13022@@ -438,8 +444,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
13023 ap.ss = __KERNEL_DS;
13024 ap.esp = (unsigned long) start_esp;
13025
13026- ap.ds = __USER_DS;
13027- ap.es = __USER_DS;
13028+ ap.ds = __KERNEL_DS;
13029+ ap.es = __KERNEL_DS;
13030 ap.fs = __KERNEL_PERCPU;
13031 ap.gs = __KERNEL_STACK_CANARY;
13032
13033@@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
13034 paravirt_leave_lazy_mmu();
13035 }
13036
13037+#ifdef CONFIG_PAX_KERNEXEC
13038+static unsigned long vmi_pax_open_kernel(void)
13039+{
13040+ return 0;
13041+}
13042+
13043+static unsigned long vmi_pax_close_kernel(void)
13044+{
13045+ return 0;
13046+}
13047+#endif
13048+
13049 static inline int __init check_vmi_rom(struct vrom_header *rom)
13050 {
13051 struct pci_header *pci;
13052@@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
13053 return 0;
13054 if (rom->vrom_signature != VMI_SIGNATURE)
13055 return 0;
13056+ if (rom->rom_length * 512 > sizeof(*rom)) {
13057+ printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
13058+ return 0;
13059+ }
13060 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
13061 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
13062 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
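Review bot: The new size check uses the bare factor `512` twice and does not say why a ROM larger than `sizeof(*rom)` must be rejected. The probe_vmi_rom hunk below now copies the header by value (`vmi_rom = *romstart;`), so presumably anything beyond the struct would not be captured. A comment would record that, for example `/* the ROM is copied into the static vmi_rom, so it must fit in struct vrom_header; rom_length is in 512-byte units (confirm) */`. Computing the length once into a local, e.g. `unsigned int rom_bytes = rom->rom_length * 512;`, also keeps the test and the message in step. check_vmi_rom starts outside the hunk.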
13063@@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
13064 struct vrom_header *romstart;
13065 romstart = (struct vrom_header *)isa_bus_to_virt(base);
13066 if (check_vmi_rom(romstart)) {
13067- vmi_rom = romstart;
13068+ vmi_rom = *romstart;
13069 return 1;
13070 }
13071 }
13072@@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
13073
13074 para_fill(pv_irq_ops.safe_halt, Halt);
13075
13076+#ifdef CONFIG_PAX_KERNEXEC
13077+ pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
13078+ pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
13079+#endif
13080+
13081 /*
13082 * Alternative instruction rewriting doesn't happen soon enough
13083 * to convert VMI_IRET to a call instead of a jump; so we have
13084@@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
13085
13086 void __init vmi_init(void)
13087 {
13088- if (!vmi_rom)
13089+ if (!vmi_rom.rom_signature)
13090 probe_vmi_rom();
13091 else
13092- check_vmi_rom(vmi_rom);
13093+ check_vmi_rom(&vmi_rom);
13094
13095 /* In case probing for or validating the ROM failed, basil */
13096- if (!vmi_rom)
13097+ if (!vmi_rom.rom_signature)
13098 return;
13099
13100- reserve_top_address(-vmi_rom->virtual_top);
13101+ reserve_top_address(-vmi_rom.virtual_top);
13102
13103 #ifdef CONFIG_X86_IO_APIC
13104 /* This is virtual hardware; timer routing is wired correctly */
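Review bot: In the `else` branch the result of `check_vmi_rom(&vmi_rom)` is discarded, so a ROM image that fails validation still passes the following `if (!vmi_rom.rom_signature)` test and reaches `reserve_top_address()`, although the comment says the early return covers a failed validation. check_vmi_rom returns 0 on rejection (see its hunk above), so `else if (!check_vmi_rom(&vmi_rom)) return;` would make the code match the comment. The replaced pointer version ignored the result in the same way, so this gap is carried over rather than newly introduced. vmi_init continues outside the hunk.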
13105@@ -874,7 +901,7 @@ void __init vmi_activate(void)
13106 {
13107 unsigned long flags;
13108
13109- if (!vmi_rom)
13110+ if (!vmi_rom.rom_signature)
13111 return;
13112
13113 local_irq_save(flags);
13114diff -urNp linux-2.6.32.9/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.9/arch/x86/kernel/vmlinux.lds.S
13115--- linux-2.6.32.9/arch/x86/kernel/vmlinux.lds.S 2010-02-09 07:57:19.000000000 -0500
13116+++ linux-2.6.32.9/arch/x86/kernel/vmlinux.lds.S 2010-02-23 17:09:53.127681323 -0500
13117@@ -26,6 +26,22 @@
13118 #include <asm/page_types.h>
13119 #include <asm/cache.h>
13120 #include <asm/boot.h>
13121+#include <asm/segment.h>
13122+
13123+#undef PMD_SIZE
13124+#undef PMD_SHIFT
13125+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
13126+#define PMD_SHIFT 21
13127+#else
13128+#define PMD_SHIFT 22
13129+#endif
13130+#define PMD_SIZE (1 << PMD_SHIFT)
13131+
13132+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13133+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
13134+#else
13135+#define __KERNEL_TEXT_OFFSET 0
13136+#endif
13137
13138 #undef i386 /* in case the preprocessor is a 32bit one */
13139
13140@@ -34,40 +50,55 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
13141 #ifdef CONFIG_X86_32
13142 OUTPUT_ARCH(i386)
13143 ENTRY(phys_startup_32)
13144-jiffies = jiffies_64;
13145 #else
13146 OUTPUT_ARCH(i386:x86-64)
13147 ENTRY(phys_startup_64)
13148-jiffies_64 = jiffies;
13149 #endif
13150
13151+jiffies = jiffies_64;
13152+
13153 PHDRS {
13154 text PT_LOAD FLAGS(5); /* R_E */
13155- data PT_LOAD FLAGS(7); /* RWE */
13156+#ifdef CONFIG_XEN
13157+ rodata PT_LOAD FLAGS(5); /* R_E */
13158+#else
13159+ rodata PT_LOAD FLAGS(4); /* R__ */
13160+#endif
13161+#ifdef CONFIG_X86_32
13162+ module PT_LOAD FLAGS(5); /* R_E */
13163+#endif
13164+ data PT_LOAD FLAGS(6); /* RW_ */
13165 #ifdef CONFIG_X86_64
13166 user PT_LOAD FLAGS(5); /* R_E */
13167+#endif
13168+ init.begin PT_LOAD FLAGS(6); /* RW_ */
13169 #ifdef CONFIG_SMP
13170 percpu PT_LOAD FLAGS(6); /* RW_ */
13171 #endif
13172+ text.init PT_LOAD FLAGS(5); /* R_E */
13173+ text.exit PT_LOAD FLAGS(5); /* R_E */
13174 init PT_LOAD FLAGS(7); /* RWE */
13175-#endif
13176 note PT_NOTE FLAGS(0); /* ___ */
13177 }
13178
13179 SECTIONS
13180 {
13181 #ifdef CONFIG_X86_32
13182- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
13183- phys_startup_32 = startup_32 - LOAD_OFFSET;
13184+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
13185 #else
13186- . = __START_KERNEL;
13187- phys_startup_64 = startup_64 - LOAD_OFFSET;
13188+ . = __START_KERNEL;
13189 #endif
13190
13191 /* Text and read-only data */
13192- .text : AT(ADDR(.text) - LOAD_OFFSET) {
13193- _text = .;
13194+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
13195 /* bootstrapping code */
13196+#ifdef CONFIG_X86_32
13197+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13198+#else
13199+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13200+#endif
13201+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13202+ _text = .;
13203 HEAD_TEXT
13204 #ifdef CONFIG_X86_32
13205 . = ALIGN(PAGE_SIZE);
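Review bot: After this change `init` is the only program header still marked `FLAGS(7)` (RWE), even though init and exit text get their own R_E headers, `text.init` and `text.exit`, in the same list. If what remains in `init` is data only, `FLAGS(6)` would keep the write-xor-execute split consistent with `data`; otherwise a comment naming what still has to be both writable and executable would help. The `CONFIG_XEN` case, where `rodata` is R_E rather than R__, deserves the same one-line explanation. The SECTIONS block continues outside the hunk.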
13206@@ -82,28 +113,64 @@ SECTIONS
13207 IRQENTRY_TEXT
13208 *(.fixup)
13209 *(.gnu.warning)
13210- /* End of text section */
13211- _etext = .;
13212 } :text = 0x9090
13213
13214- NOTES :text :note
13215+ . += __KERNEL_TEXT_OFFSET;
13216+
13217+ . = ALIGN(PAGE_SIZE);
13218+ NOTES :rodata :note
13219
13220- EXCEPTION_TABLE(16) :text = 0x9090
13221+ EXCEPTION_TABLE(16) :rodata
13222
13223 RO_DATA(PAGE_SIZE)
13224
13225+#ifdef CONFIG_X86_32
13226+ . = ALIGN(PAGE_SIZE);
13227+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
13228+ *(.idt)
13229+ . = ALIGN(PAGE_SIZE);
13230+ *(.empty_zero_page)
13231+ *(.swapper_pg_pmd)
13232+ *(.swapper_pg_dir)
13233+ }
13234+
13235+ . = ALIGN(PAGE_SIZE);
13236+ .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
13237+ *(.vmi.rom)
13238+ } :module
13239+
13240+ . = ALIGN(PAGE_SIZE);
13241+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
13242+
13243+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
13244+ MODULES_EXEC_VADDR = .;
13245+ BYTE(0)
13246+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
13247+ . = ALIGN(PMD_SIZE);
13248+ MODULES_EXEC_END = . - 1;
13249+#endif
13250+
13251+ } :module
13252+#endif
13253+
13254 /* Data */
13255 .data : AT(ADDR(.data) - LOAD_OFFSET) {
13256+ /* End of text section */
13257+ _etext = . - __KERNEL_TEXT_OFFSET;
13258+
13259+#ifdef CONFIG_PAX_KERNEXEC
13260+ . = ALIGN(PMD_SIZE);
13261+#else
13262+ . = ALIGN(PAGE_SIZE);
13263+#endif
13264+
13265 /* Start of data section */
13266 _sdata = .;
13267
13268 /* init_task */
13269 INIT_TASK_DATA(THREAD_SIZE)
13270
13271-#ifdef CONFIG_X86_32
13272- /* 32 bit has nosave before _edata */
13273 NOSAVE_DATA
13274-#endif
13275
13276 PAGE_ALIGNED_DATA(PAGE_SIZE)
13277
13278@@ -166,12 +233,6 @@ SECTIONS
13279 }
13280 vgetcpu_mode = VVIRT(.vgetcpu_mode);
13281
13282- . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
13283- .jiffies : AT(VLOAD(.jiffies)) {
13284- *(.jiffies)
13285- }
13286- jiffies = VVIRT(.jiffies);
13287-
13288 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
13289 *(.vsyscall_3)
13290 }
13291@@ -187,12 +248,19 @@ SECTIONS
13292 #endif /* CONFIG_X86_64 */
13293
13294 /* Init code and data - will be freed after init */
13295- . = ALIGN(PAGE_SIZE);
13296 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
13297+ BYTE(0)
13298+
13299+#ifdef CONFIG_PAX_KERNEXEC
13300+ . = ALIGN(PMD_SIZE);
13301+#else
13302+ . = ALIGN(PAGE_SIZE);
13303+#endif
13304+
13305 __init_begin = .; /* paired with __init_end */
13306- }
13307+ } :init.begin
13308
13309-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
13310+#ifdef CONFIG_SMP
13311 /*
13312 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
13313 * output PHDR, so the next output section - .init.text - should
13314@@ -201,12 +269,27 @@ SECTIONS
13315 PERCPU_VADDR(0, :percpu)
13316 #endif
13317
13318- INIT_TEXT_SECTION(PAGE_SIZE)
13319-#ifdef CONFIG_X86_64
13320- :init
13321-#endif
13322+ . = ALIGN(PAGE_SIZE);
13323+ init_begin = .;
13324+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
13325+ VMLINUX_SYMBOL(_sinittext) = .;
13326+ INIT_TEXT
13327+ VMLINUX_SYMBOL(_einittext) = .;
13328+ . = ALIGN(PAGE_SIZE);
13329+ } :text.init
13330+
13331+ /*
13332+ * .exit.text is discard at runtime, not link time, to deal with
13333+ * references from .altinstructions and .eh_frame
13334+ */
13335+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13336+ EXIT_TEXT
13337+ . = ALIGN(16);
13338+ } :text.exit
13339+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
13340
13341- INIT_DATA_SECTION(16)
13342+ . = ALIGN(PAGE_SIZE);
13343+ INIT_DATA_SECTION(16) :init
13344
13345 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
13346 __x86_cpu_dev_start = .;
13347@@ -232,19 +315,11 @@ SECTIONS
13348 *(.altinstr_replacement)
13349 }
13350
13351- /*
13352- * .exit.text is discard at runtime, not link time, to deal with
13353- * references from .altinstructions and .eh_frame
13354- */
13355- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13356- EXIT_TEXT
13357- }
13358-
13359 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
13360 EXIT_DATA
13361 }
13362
13363-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
13364+#ifndef CONFIG_SMP
13365 PERCPU(PAGE_SIZE)
13366 #endif
13367
13368@@ -267,12 +342,6 @@ SECTIONS
13369 . = ALIGN(PAGE_SIZE);
13370 }
13371
13372-#ifdef CONFIG_X86_64
13373- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
13374- NOSAVE_DATA
13375- }
13376-#endif
13377-
13378 /* BSS */
13379 . = ALIGN(PAGE_SIZE);
13380 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
13381@@ -288,6 +357,7 @@ SECTIONS
13382 __brk_base = .;
13383 . += 64 * 1024; /* 64k alignment slop space */
13384 *(.brk_reservation) /* areas brk users have reserved */
13385+ . = ALIGN(PMD_SIZE);
13386 __brk_limit = .;
13387 }
13388
13389@@ -316,13 +386,12 @@ SECTIONS
13390 * for the boot processor.
13391 */
13392 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
13393-INIT_PER_CPU(gdt_page);
13394 INIT_PER_CPU(irq_stack_union);
13395
13396 /*
13397 * Build-time check on the image size:
13398 */
13399-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
13400+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
13401 "kernel image bigger than KERNEL_IMAGE_SIZE");
13402
13403 #ifdef CONFIG_SMP
13404diff -urNp linux-2.6.32.9/arch/x86/kernel/vsyscall_64.c linux-2.6.32.9/arch/x86/kernel/vsyscall_64.c
13405--- linux-2.6.32.9/arch/x86/kernel/vsyscall_64.c 2010-02-09 07:57:19.000000000 -0500
13406+++ linux-2.6.32.9/arch/x86/kernel/vsyscall_64.c 2010-02-23 17:09:53.127681323 -0500
13407@@ -79,6 +79,7 @@ void update_vsyscall(struct timespec *wa
13408
13409 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
13410 /* copy vsyscall data */
13411+ strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
13412 vsyscall_gtod_data.clock.vread = clock->vread;
13413 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
13414 vsyscall_gtod_data.clock.mask = clock->mask;
13415@@ -202,7 +203,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
13416 We do this here because otherwise user space would do it on
13417 its own in a likely inferior way (no access to jiffies).
13418 If you don't like it pass NULL. */
13419- if (tcache && tcache->blob[0] == (j = __jiffies)) {
13420+ if (tcache && tcache->blob[0] == (j = jiffies)) {
13421 p = tcache->blob[1];
13422 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
13423 /* Load per CPU data from RDTSCP */
13424@@ -233,13 +234,13 @@ static ctl_table kernel_table2[] = {
13425 .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
13426 .mode = 0644,
13427 .proc_handler = proc_dointvec },
13428- {}
13429+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
13430 };
13431
13432 static ctl_table kernel_root_table2[] = {
13433 { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
13434 .child = kernel_table2 },
13435- {}
13436+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
13437 };
13438 #endif
13439
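Review bot: The table terminators in kernel_table2 and kernel_root_table2 are now spelled positionally as `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }`, which ties them to the exact number and order of ctl_table fields, while the other entries in these tables use designated initializers. If the aim is to quiet a missing-initializer warning (the patch does not say), `{ .ctl_name = 0 }` should do that without depending on the struct layout. The debugfs_entries change in x86.c follows the same positional pattern, with each entry gaining a trailing `NULL`.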
13440diff -urNp linux-2.6.32.9/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.9/arch/x86/kernel/x8664_ksyms_64.c
13441--- linux-2.6.32.9/arch/x86/kernel/x8664_ksyms_64.c 2010-02-09 07:57:19.000000000 -0500
13442+++ linux-2.6.32.9/arch/x86/kernel/x8664_ksyms_64.c 2010-02-23 17:09:53.127681323 -0500
13443@@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
13444
13445 EXPORT_SYMBOL(copy_user_generic);
13446 EXPORT_SYMBOL(__copy_user_nocache);
13447-EXPORT_SYMBOL(copy_from_user);
13448-EXPORT_SYMBOL(copy_to_user);
13449 EXPORT_SYMBOL(__copy_from_user_inatomic);
13450
13451 EXPORT_SYMBOL(copy_page);
13452diff -urNp linux-2.6.32.9/arch/x86/kernel/xsave.c linux-2.6.32.9/arch/x86/kernel/xsave.c
13453--- linux-2.6.32.9/arch/x86/kernel/xsave.c 2010-02-09 07:57:19.000000000 -0500
13454+++ linux-2.6.32.9/arch/x86/kernel/xsave.c 2010-02-23 17:09:53.127681323 -0500
13455@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
13456 fx_sw_user->xstate_size > fx_sw_user->extended_size)
13457 return -1;
13458
13459- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
13460+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
13461 fx_sw_user->extended_size -
13462 FP_XSTATE_MAGIC2_SIZE));
13463 /*
13464@@ -196,7 +196,7 @@ fx_only:
13465 * the other extended state.
13466 */
13467 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
13468- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
13469+ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
13470 }
13471
13472 /*
13473@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
13474 if (task_thread_info(tsk)->status & TS_XSAVE)
13475 err = restore_user_xstate(buf);
13476 else
13477- err = fxrstor_checking((__force struct i387_fxsave_struct *)
13478+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
13479 buf);
13480 if (unlikely(err)) {
13481 /*
13482diff -urNp linux-2.6.32.9/arch/x86/kvm/emulate.c linux-2.6.32.9/arch/x86/kvm/emulate.c
13483--- linux-2.6.32.9/arch/x86/kvm/emulate.c 2010-02-09 07:57:19.000000000 -0500
13484+++ linux-2.6.32.9/arch/x86/kvm/emulate.c 2010-02-23 17:09:53.127681323 -0500
13485@@ -389,6 +389,7 @@ static u32 group2_table[] = {
13486
13487 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
13488 do { \
13489+ unsigned long _tmp; \
13490 __asm__ __volatile__ ( \
13491 _PRE_EFLAGS("0", "4", "2") \
13492 _op _suffix " %"_x"3,%1; " \
13493@@ -402,8 +403,6 @@ static u32 group2_table[] = {
13494 /* Raw emulation: instruction has two explicit operands. */
13495 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
13496 do { \
13497- unsigned long _tmp; \
13498- \
13499 switch ((_dst).bytes) { \
13500 case 2: \
13501 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
13502@@ -419,7 +418,6 @@ static u32 group2_table[] = {
13503
13504 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
13505 do { \
13506- unsigned long _tmp; \
13507 switch ((_dst).bytes) { \
13508 case 1: \
13509 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
13510diff -urNp linux-2.6.32.9/arch/x86/kvm/svm.c linux-2.6.32.9/arch/x86/kvm/svm.c
13511--- linux-2.6.32.9/arch/x86/kvm/svm.c 2010-02-09 07:57:19.000000000 -0500
13512+++ linux-2.6.32.9/arch/x86/kvm/svm.c 2010-02-23 17:09:53.127681323 -0500
13513@@ -2389,9 +2389,12 @@ static int handle_exit(struct kvm_run *k
13514 static void reload_tss(struct kvm_vcpu *vcpu)
13515 {
13516 int cpu = raw_smp_processor_id();
13517-
13518 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
13519+
13520+ pax_open_kernel();
13521 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
13522+ pax_close_kernel();
13523+
13524 load_TR_desc();
13525 }
13526
13527@@ -2839,7 +2842,7 @@ static bool svm_gb_page_enable(void)
13528 return true;
13529 }
13530
13531-static struct kvm_x86_ops svm_x86_ops = {
13532+static const struct kvm_x86_ops svm_x86_ops = {
13533 .cpu_has_kvm_support = has_svm,
13534 .disabled_by_bios = is_disabled,
13535 .hardware_setup = svm_hardware_setup,
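Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around `svm_data->tss_desc->type = 9;` in reload_tss has no comment saying why a plain descriptor store now needs it or what context it must run in. The helpers are defined outside this page; the mmx_32.c hunks of the same patch lift write protection by clearing bit 16 of CR0 by hand, and if the helpers work the same way the window is per-CPU state that must not be split by preemption or migration. I would add above the pair something like `/* descriptor table is read-only under KERNEXEC; caller runs with preemption disabled */`, after confirming both halves of that statement. The same applies to the pair added to reload_tss in vmx.c.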
13536diff -urNp linux-2.6.32.9/arch/x86/kvm/vmx.c linux-2.6.32.9/arch/x86/kvm/vmx.c
13537--- linux-2.6.32.9/arch/x86/kvm/vmx.c 2010-02-09 07:57:19.000000000 -0500
13538+++ linux-2.6.32.9/arch/x86/kvm/vmx.c 2010-02-23 17:09:53.127681323 -0500
13539@@ -566,7 +566,11 @@ static void reload_tss(void)
13540
13541 kvm_get_gdt(&gdt);
13542 descs = (void *)gdt.base;
13543+
13544+ pax_open_kernel();
13545 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
13546+ pax_close_kernel();
13547+
13548 load_TR_desc();
13549 }
13550
13551@@ -1388,8 +1392,11 @@ static __init int hardware_setup(void)
13552 if (!cpu_has_vmx_flexpriority())
13553 flexpriority_enabled = 0;
13554
13555- if (!cpu_has_vmx_tpr_shadow())
13556- kvm_x86_ops->update_cr8_intercept = NULL;
13557+ if (!cpu_has_vmx_tpr_shadow()) {
13558+ pax_open_kernel();
13559+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
13560+ pax_close_kernel();
13561+ }
13562
13563 if (enable_ept && !cpu_has_vmx_ept_2m_page())
13564 kvm_disable_largepages();
13565@@ -2339,7 +2346,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
13566 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
13567
13568 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
13569- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
13570+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
13571 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
13572 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
13573 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
13574@@ -3682,6 +3689,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
13575 "jmp .Lkvm_vmx_return \n\t"
13576 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
13577 ".Lkvm_vmx_return: "
13578+
13579+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13580+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
13581+ ".Lkvm_vmx_return2: "
13582+#endif
13583+
13584 /* Save guest registers, load host registers, keep flags */
13585 "xchg %0, (%%"R"sp) \n\t"
13586 "mov %%"R"ax, %c[rax](%0) \n\t"
13587@@ -3728,6 +3741,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
13588 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
13589 #endif
13590 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
13591+
13592+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13593+ ,[cs]"i"(__KERNEL_CS)
13594+#endif
13595+
13596 : "cc", "memory"
13597 , R"bx", R"di", R"si"
13598 #ifdef CONFIG_X86_64
13599@@ -3746,7 +3764,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
13600 if (vmx->rmode.irq.pending)
13601 fixup_rmode_irq(vmx);
13602
13603- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13604+ asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13605 vmx->launched = 1;
13606
13607 vmx_complete_interrupts(vmx);
13608@@ -3921,7 +3939,7 @@ static bool vmx_gb_page_enable(void)
13609 return false;
13610 }
13611
13612-static struct kvm_x86_ops vmx_x86_ops = {
13613+static const struct kvm_x86_ops vmx_x86_ops = {
13614 .cpu_has_kvm_support = cpu_has_kvm_support,
13615 .disabled_by_bios = vmx_disabled_by_bios,
13616 .hardware_setup = hardware_setup,
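Review bot: In hardware_setup the new `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` stores through a cast into a table that this same file section now declares as `static const struct kvm_x86_ops vmx_x86_ops`. Modifying an object defined const is undefined in ISO C, and the compiler is entitled to assume the field never changes. The surrounding pax_open_kernel()/pax_close_kernel() pair (defined outside this page) presumably makes the store possible at run time but does not remove that assumption. An alternative that leaves the table untouched is an early `if (!cpu_has_vmx_tpr_shadow()) return;` in the VMX function the field points to. That function and the callers that may test the pointer for NULL are outside these hunks, so it would need checking there.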
13617diff -urNp linux-2.6.32.9/arch/x86/kvm/x86.c linux-2.6.32.9/arch/x86/kvm/x86.c
13618--- linux-2.6.32.9/arch/x86/kvm/x86.c 2010-02-23 17:04:11.867584476 -0500
13619+++ linux-2.6.32.9/arch/x86/kvm/x86.c 2010-02-23 17:09:53.127681323 -0500
13620@@ -81,45 +81,45 @@ static void update_cr8_intercept(struct
13621 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
13622 struct kvm_cpuid_entry2 __user *entries);
13623
13624-struct kvm_x86_ops *kvm_x86_ops;
13625+const struct kvm_x86_ops *kvm_x86_ops;
13626 EXPORT_SYMBOL_GPL(kvm_x86_ops);
13627
13628 int ignore_msrs = 0;
13629 module_param_named(ignore_msrs, ignore_msrs, bool, S_IRUGO | S_IWUSR);
13630
13631 struct kvm_stats_debugfs_item debugfs_entries[] = {
13632- { "pf_fixed", VCPU_STAT(pf_fixed) },
13633- { "pf_guest", VCPU_STAT(pf_guest) },
13634- { "tlb_flush", VCPU_STAT(tlb_flush) },
13635- { "invlpg", VCPU_STAT(invlpg) },
13636- { "exits", VCPU_STAT(exits) },
13637- { "io_exits", VCPU_STAT(io_exits) },
13638- { "mmio_exits", VCPU_STAT(mmio_exits) },
13639- { "signal_exits", VCPU_STAT(signal_exits) },
13640- { "irq_window", VCPU_STAT(irq_window_exits) },
13641- { "nmi_window", VCPU_STAT(nmi_window_exits) },
13642- { "halt_exits", VCPU_STAT(halt_exits) },
13643- { "halt_wakeup", VCPU_STAT(halt_wakeup) },
13644- { "hypercalls", VCPU_STAT(hypercalls) },
13645- { "request_irq", VCPU_STAT(request_irq_exits) },
13646- { "irq_exits", VCPU_STAT(irq_exits) },
13647- { "host_state_reload", VCPU_STAT(host_state_reload) },
13648- { "efer_reload", VCPU_STAT(efer_reload) },
13649- { "fpu_reload", VCPU_STAT(fpu_reload) },
13650- { "insn_emulation", VCPU_STAT(insn_emulation) },
13651- { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
13652- { "irq_injections", VCPU_STAT(irq_injections) },
13653- { "nmi_injections", VCPU_STAT(nmi_injections) },
13654- { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
13655- { "mmu_pte_write", VM_STAT(mmu_pte_write) },
13656- { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
13657- { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
13658- { "mmu_flooded", VM_STAT(mmu_flooded) },
13659- { "mmu_recycled", VM_STAT(mmu_recycled) },
13660- { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
13661- { "mmu_unsync", VM_STAT(mmu_unsync) },
13662- { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
13663- { "largepages", VM_STAT(lpages) },
13664+ { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
13665+ { "pf_guest", VCPU_STAT(pf_guest), NULL },
13666+ { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
13667+ { "invlpg", VCPU_STAT(invlpg), NULL },
13668+ { "exits", VCPU_STAT(exits), NULL },
13669+ { "io_exits", VCPU_STAT(io_exits), NULL },
13670+ { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
13671+ { "signal_exits", VCPU_STAT(signal_exits), NULL },
13672+ { "irq_window", VCPU_STAT(irq_window_exits), NULL },
13673+ { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
13674+ { "halt_exits", VCPU_STAT(halt_exits), NULL },
13675+ { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
13676+ { "hypercalls", VCPU_STAT(hypercalls), NULL },
13677+ { "request_irq", VCPU_STAT(request_irq_exits), NULL },
13678+ { "irq_exits", VCPU_STAT(irq_exits), NULL },
13679+ { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
13680+ { "efer_reload", VCPU_STAT(efer_reload), NULL },
13681+ { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
13682+ { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
13683+ { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
13684+ { "irq_injections", VCPU_STAT(irq_injections), NULL },
13685+ { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
13686+ { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
13687+ { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
13688+ { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
13689+ { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
13690+ { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
13691+ { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
13692+ { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
13693+ { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
13694+ { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
13695+ { "largepages", VM_STAT(lpages), NULL },
13696 { NULL }
13697 };
13698
13699@@ -1658,7 +1658,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
13700 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13701 struct kvm_interrupt *irq)
13702 {
13703- if (irq->irq < 0 || irq->irq >= 256)
13704+ if (irq->irq >= 256)
13705 return -EINVAL;
13706 if (irqchip_in_kernel(vcpu->kvm))
13707 return -ENXIO;
13708@@ -3170,10 +3170,10 @@ static struct notifier_block kvmclock_cp
13709 .notifier_call = kvmclock_cpufreq_notifier
13710 };
13711
13712-int kvm_arch_init(void *opaque)
13713+int kvm_arch_init(const void *opaque)
13714 {
13715 int r, cpu;
13716- struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
13717+ const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
13718
13719 if (kvm_x86_ops) {
13720 printk(KERN_ERR "kvm: already loaded the other module\n");
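Review bot: In kvm_vcpu_ioctl_interrupt the lower bound `irq->irq < 0` is dropped, which is only safe if the `irq` field of struct kvm_interrupt is an unsigned type; its declaration is not in this hunk. Judging by the function name the value arrives from an ioctl caller, so the range check should not rely on the reader knowing the field's type. `if ((unsigned int)irq->irq >= 256)` keeps a single comparison and rejects negative values whatever the declared type, and the 256 would read better as a named constant. The function body continues past the hunk.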
13721diff -urNp linux-2.6.32.9/arch/x86/lib/checksum_32.S linux-2.6.32.9/arch/x86/lib/checksum_32.S
13722--- linux-2.6.32.9/arch/x86/lib/checksum_32.S 2010-02-09 07:57:19.000000000 -0500
13723+++ linux-2.6.32.9/arch/x86/lib/checksum_32.S 2010-02-23 17:09:53.127681323 -0500
13724@@ -28,7 +28,8 @@
13725 #include <linux/linkage.h>
13726 #include <asm/dwarf2.h>
13727 #include <asm/errno.h>
13728-
13729+#include <asm/segment.h>
13730+
13731 /*
13732 * computes a partial checksum, e.g. for TCP/UDP fragments
13733 */
13734@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
13735
13736 #define ARGBASE 16
13737 #define FP 12
13738-
13739-ENTRY(csum_partial_copy_generic)
13740+
13741+ENTRY(csum_partial_copy_generic_to_user)
13742 CFI_STARTPROC
13743+ pushl $(__USER_DS)
13744+ CFI_ADJUST_CFA_OFFSET 4
13745+ popl %es
13746+ CFI_ADJUST_CFA_OFFSET -4
13747+ jmp csum_partial_copy_generic
13748+
13749+ENTRY(csum_partial_copy_generic_from_user)
13750+ pushl $(__USER_DS)
13751+ CFI_ADJUST_CFA_OFFSET 4
13752+ popl %ds
13753+ CFI_ADJUST_CFA_OFFSET -4
13754+
13755+ENTRY(csum_partial_copy_generic)
13756 subl $4,%esp
13757 CFI_ADJUST_CFA_OFFSET 4
13758 pushl %edi
13759@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
13760 jmp 4f
13761 SRC(1: movw (%esi), %bx )
13762 addl $2, %esi
13763-DST( movw %bx, (%edi) )
13764+DST( movw %bx, %es:(%edi) )
13765 addl $2, %edi
13766 addw %bx, %ax
13767 adcl $0, %eax
13768@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
13769 SRC(1: movl (%esi), %ebx )
13770 SRC( movl 4(%esi), %edx )
13771 adcl %ebx, %eax
13772-DST( movl %ebx, (%edi) )
13773+DST( movl %ebx, %es:(%edi) )
13774 adcl %edx, %eax
13775-DST( movl %edx, 4(%edi) )
13776+DST( movl %edx, %es:4(%edi) )
13777
13778 SRC( movl 8(%esi), %ebx )
13779 SRC( movl 12(%esi), %edx )
13780 adcl %ebx, %eax
13781-DST( movl %ebx, 8(%edi) )
13782+DST( movl %ebx, %es:8(%edi) )
13783 adcl %edx, %eax
13784-DST( movl %edx, 12(%edi) )
13785+DST( movl %edx, %es:12(%edi) )
13786
13787 SRC( movl 16(%esi), %ebx )
13788 SRC( movl 20(%esi), %edx )
13789 adcl %ebx, %eax
13790-DST( movl %ebx, 16(%edi) )
13791+DST( movl %ebx, %es:16(%edi) )
13792 adcl %edx, %eax
13793-DST( movl %edx, 20(%edi) )
13794+DST( movl %edx, %es:20(%edi) )
13795
13796 SRC( movl 24(%esi), %ebx )
13797 SRC( movl 28(%esi), %edx )
13798 adcl %ebx, %eax
13799-DST( movl %ebx, 24(%edi) )
13800+DST( movl %ebx, %es:24(%edi) )
13801 adcl %edx, %eax
13802-DST( movl %edx, 28(%edi) )
13803+DST( movl %edx, %es:28(%edi) )
13804
13805 lea 32(%esi), %esi
13806 lea 32(%edi), %edi
13807@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
13808 shrl $2, %edx # This clears CF
13809 SRC(3: movl (%esi), %ebx )
13810 adcl %ebx, %eax
13811-DST( movl %ebx, (%edi) )
13812+DST( movl %ebx, %es:(%edi) )
13813 lea 4(%esi), %esi
13814 lea 4(%edi), %edi
13815 dec %edx
13816@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
13817 jb 5f
13818 SRC( movw (%esi), %cx )
13819 leal 2(%esi), %esi
13820-DST( movw %cx, (%edi) )
13821+DST( movw %cx, %es:(%edi) )
13822 leal 2(%edi), %edi
13823 je 6f
13824 shll $16,%ecx
13825 SRC(5: movb (%esi), %cl )
13826-DST( movb %cl, (%edi) )
13827+DST( movb %cl, %es:(%edi) )
13828 6: addl %ecx, %eax
13829 adcl $0, %eax
13830 7:
13831@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
13832
13833 6001:
13834 movl ARGBASE+20(%esp), %ebx # src_err_ptr
13835- movl $-EFAULT, (%ebx)
13836+ movl $-EFAULT, %ss:(%ebx)
13837
13838 # zero the complete destination - computing the rest
13839 # is too much work
13840@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
13841
13842 6002:
13843 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
13844- movl $-EFAULT,(%ebx)
13845+ movl $-EFAULT,%ss:(%ebx)
13846 jmp 5000b
13847
13848 .previous
13849
13850+ pushl %ss
13851+ CFI_ADJUST_CFA_OFFSET 4
13852+ popl %ds
13853+ CFI_ADJUST_CFA_OFFSET -4
13854+ pushl %ss
13855+ CFI_ADJUST_CFA_OFFSET 4
13856+ popl %es
13857+ CFI_ADJUST_CFA_OFFSET -4
13858 popl %ebx
13859 CFI_ADJUST_CFA_OFFSET -4
13860 CFI_RESTORE ebx
13861@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
13862 CFI_ADJUST_CFA_OFFSET -4
13863 ret
13864 CFI_ENDPROC
13865-ENDPROC(csum_partial_copy_generic)
13866+ENDPROC(csum_partial_copy_generic_to_user)
13867
13868 #else
13869
13870 /* Version for PentiumII/PPro */
13871
13872 #define ROUND1(x) \
13873+ nop; nop; nop; \
13874 SRC(movl x(%esi), %ebx ) ; \
13875 addl %ebx, %eax ; \
13876- DST(movl %ebx, x(%edi) ) ;
13877+ DST(movl %ebx, %es:x(%edi)) ;
13878
13879 #define ROUND(x) \
13880+ nop; nop; nop; \
13881 SRC(movl x(%esi), %ebx ) ; \
13882 adcl %ebx, %eax ; \
13883- DST(movl %ebx, x(%edi) ) ;
13884+ DST(movl %ebx, %es:x(%edi)) ;
13885
13886 #define ARGBASE 12
13887-
13888-ENTRY(csum_partial_copy_generic)
13889+
13890+ENTRY(csum_partial_copy_generic_to_user)
13891 CFI_STARTPROC
13892+ pushl $(__USER_DS)
13893+ CFI_ADJUST_CFA_OFFSET 4
13894+ popl %es
13895+ CFI_ADJUST_CFA_OFFSET -4
13896+ jmp csum_partial_copy_generic
13897+
13898+ENTRY(csum_partial_copy_generic_from_user)
13899+ pushl $(__USER_DS)
13900+ CFI_ADJUST_CFA_OFFSET 4
13901+ popl %ds
13902+ CFI_ADJUST_CFA_OFFSET -4
13903+
13904+ENTRY(csum_partial_copy_generic)
13905 pushl %ebx
13906 CFI_ADJUST_CFA_OFFSET 4
13907 CFI_REL_OFFSET ebx, 0
13908@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
13909 subl %ebx, %edi
13910 lea -1(%esi),%edx
13911 andl $-32,%edx
13912- lea 3f(%ebx,%ebx), %ebx
13913+ lea 3f(%ebx,%ebx,2), %ebx
13914 testl %esi, %esi
13915 jmp *%ebx
13916 1: addl $64,%esi
13917@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
13918 jb 5f
13919 SRC( movw (%esi), %dx )
13920 leal 2(%esi), %esi
13921-DST( movw %dx, (%edi) )
13922+DST( movw %dx, %es:(%edi) )
13923 leal 2(%edi), %edi
13924 je 6f
13925 shll $16,%edx
13926 5:
13927 SRC( movb (%esi), %dl )
13928-DST( movb %dl, (%edi) )
13929+DST( movb %dl, %es:(%edi) )
13930 6: addl %edx, %eax
13931 adcl $0, %eax
13932 7:
13933 .section .fixup, "ax"
13934 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
13935- movl $-EFAULT, (%ebx)
13936+ movl $-EFAULT, %ss:(%ebx)
13937 # zero the complete destination (computing the rest is too much work)
13938 movl ARGBASE+8(%esp),%edi # dst
13939 movl ARGBASE+12(%esp),%ecx # len
13940@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
13941 rep; stosb
13942 jmp 7b
13943 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
13944- movl $-EFAULT, (%ebx)
13945+ movl $-EFAULT, %ss:(%ebx)
13946 jmp 7b
13947 .previous
13948
13949+ pushl %ss
13950+ CFI_ADJUST_CFA_OFFSET 4
13951+ popl %ds
13952+ CFI_ADJUST_CFA_OFFSET -4
13953+ pushl %ss
13954+ CFI_ADJUST_CFA_OFFSET 4
13955+ popl %es
13956+ CFI_ADJUST_CFA_OFFSET -4
13957 popl %esi
13958 CFI_ADJUST_CFA_OFFSET -4
13959 CFI_RESTORE esi
13960@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
13961 CFI_RESTORE ebx
13962 ret
13963 CFI_ENDPROC
13964-ENDPROC(csum_partial_copy_generic)
13965+ENDPROC(csum_partial_copy_generic_to_user)
13966
13967 #undef ROUND
13968 #undef ROUND1
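Review bot: Both variants of this file now open three entry points (csum_partial_copy_generic_to_user, csum_partial_copy_generic_from_user, csum_partial_copy_generic) but close only one, `ENDPROC(csum_partial_copy_generic_to_user)`, so the other two symbols lose the type and size annotation the original ENDPROC gave them. I would add `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to it. The from_user entry reaches the shared body by falling through rather than by a jump, which deserves a `/* fall through */` comment so nobody inserts code between the two labels. In the PentiumII/PPro variant the three `nop`s added to ROUND1/ROUND and the change to `lea 3f(%ebx,%ebx,2), %ebx` look like two halves of one size adjustment for the `%es:` prefix; a comment should tie them together, since the computed jump breaks if either is edited alone.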
13969diff -urNp linux-2.6.32.9/arch/x86/lib/clear_page_64.S linux-2.6.32.9/arch/x86/lib/clear_page_64.S
13970--- linux-2.6.32.9/arch/x86/lib/clear_page_64.S 2010-02-09 07:57:19.000000000 -0500
13971+++ linux-2.6.32.9/arch/x86/lib/clear_page_64.S 2010-02-23 17:09:53.127681323 -0500
13972@@ -43,7 +43,7 @@ ENDPROC(clear_page)
13973
13974 #include <asm/cpufeature.h>
13975
13976- .section .altinstr_replacement,"ax"
13977+ .section .altinstr_replacement,"a"
13978 1: .byte 0xeb /* jmp <disp8> */
13979 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
13980 2:
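Review bot: The flag change on `.altinstr_replacement` from `"ax"` to `"a"` is made without a comment, here and in the copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S hunks of this patch. The section holds jump bytes, so a reader will expect it to be executable; it is worth stating that the bytes are a template copied over the original site, e.g. `/* never executed in place: copied by apply_alternatives(), so no "x" flag */`. Any other file that still declares the section with `"ax"` would presumably leave the merged section executable again, so the change has to be applied everywhere at once; only these five files are visible on this page.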
13981diff -urNp linux-2.6.32.9/arch/x86/lib/copy_page_64.S linux-2.6.32.9/arch/x86/lib/copy_page_64.S
13982--- linux-2.6.32.9/arch/x86/lib/copy_page_64.S 2010-02-09 07:57:19.000000000 -0500
13983+++ linux-2.6.32.9/arch/x86/lib/copy_page_64.S 2010-02-23 17:09:53.127681323 -0500
13984@@ -104,7 +104,7 @@ ENDPROC(copy_page)
13985
13986 #include <asm/cpufeature.h>
13987
13988- .section .altinstr_replacement,"ax"
13989+ .section .altinstr_replacement,"a"
13990 1: .byte 0xeb /* jmp <disp8> */
13991 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
13992 2:
13993diff -urNp linux-2.6.32.9/arch/x86/lib/copy_user_64.S linux-2.6.32.9/arch/x86/lib/copy_user_64.S
13994--- linux-2.6.32.9/arch/x86/lib/copy_user_64.S 2010-02-09 07:57:19.000000000 -0500
13995+++ linux-2.6.32.9/arch/x86/lib/copy_user_64.S 2010-02-23 17:09:53.127681323 -0500
13996@@ -21,7 +21,7 @@
13997 .byte 0xe9 /* 32bit jump */
13998 .long \orig-1f /* by default jump to orig */
13999 1:
14000- .section .altinstr_replacement,"ax"
14001+ .section .altinstr_replacement,"a"
14002 2: .byte 0xe9 /* near jump with 32bit immediate */
14003 .long \alt-1b /* offset */ /* or alternatively to alt */
14004 .previous
14005@@ -64,32 +64,6 @@
14006 #endif
14007 .endm
14008
14009-/* Standard copy_to_user with segment limit checking */
14010-ENTRY(copy_to_user)
14011- CFI_STARTPROC
14012- GET_THREAD_INFO(%rax)
14013- movq %rdi,%rcx
14014- addq %rdx,%rcx
14015- jc bad_to_user
14016- cmpq TI_addr_limit(%rax),%rcx
14017- jae bad_to_user
14018- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14019- CFI_ENDPROC
14020-ENDPROC(copy_to_user)
14021-
14022-/* Standard copy_from_user with segment limit checking */
14023-ENTRY(copy_from_user)
14024- CFI_STARTPROC
14025- GET_THREAD_INFO(%rax)
14026- movq %rsi,%rcx
14027- addq %rdx,%rcx
14028- jc bad_from_user
14029- cmpq TI_addr_limit(%rax),%rcx
14030- jae bad_from_user
14031- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14032- CFI_ENDPROC
14033-ENDPROC(copy_from_user)
14034-
14035 ENTRY(copy_user_generic)
14036 CFI_STARTPROC
14037 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14038@@ -107,6 +81,8 @@ ENDPROC(__copy_from_user_inatomic)
14039 ENTRY(bad_from_user)
14040 bad_from_user:
14041 CFI_STARTPROC
14042+ testl %edx,%edx
14043+ js bad_to_user
14044 movl %edx,%ecx
14045 xorl %eax,%eax
14046 rep
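Review bot: The `testl %edx,%edx` / `js bad_to_user` added at the top of bad_from_user carries no comment, and it tests only the low 32 bits of the length. As far as the hunk shows, the existing path copies %edx to %ecx and runs a rep store to zero the destination, so the new test appears meant to skip that zeroing when the length has its sign bit set. I would say so in a comment such as `/* length >= 2^31: do not zero the destination, just fail */`. bad_from_user continues past the hunk, and this section also removes the assembly copy_to_user/copy_from_user entry points whose replacements are not on this page, so the remaining users of this label could not be checked.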
14047diff -urNp linux-2.6.32.9/arch/x86/lib/getuser.S linux-2.6.32.9/arch/x86/lib/getuser.S
14048--- linux-2.6.32.9/arch/x86/lib/getuser.S 2010-02-09 07:57:19.000000000 -0500
14049+++ linux-2.6.32.9/arch/x86/lib/getuser.S 2010-02-23 17:09:53.127681323 -0500
14050@@ -33,14 +33,28 @@
14051 #include <asm/asm-offsets.h>
14052 #include <asm/thread_info.h>
14053 #include <asm/asm.h>
14054+#include <asm/segment.h>
14055
14056 .text
14057 ENTRY(__get_user_1)
14058 CFI_STARTPROC
14059+
14060+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14061+ pushl $(__USER_DS)
14062+ popl %ds
14063+#else
14064 GET_THREAD_INFO(%_ASM_DX)
14065 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14066 jae bad_get_user
14067+#endif
14068+
14069 1: movzb (%_ASM_AX),%edx
14070+
14071+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14072+ pushl %ss
14073+ pop %ds
14074+#endif
14075+
14076 xor %eax,%eax
14077 ret
14078 CFI_ENDPROC
14079@@ -49,11 +63,24 @@ ENDPROC(__get_user_1)
14080 ENTRY(__get_user_2)
14081 CFI_STARTPROC
14082 add $1,%_ASM_AX
14083+
14084+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14085+ pushl $(__USER_DS)
14086+ popl %ds
14087+#else
14088 jc bad_get_user
14089 GET_THREAD_INFO(%_ASM_DX)
14090 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14091 jae bad_get_user
14092+#endif
14093+
14094 2: movzwl -1(%_ASM_AX),%edx
14095+
14096+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14097+ pushl %ss
14098+ pop %ds
14099+#endif
14100+
14101 xor %eax,%eax
14102 ret
14103 CFI_ENDPROC
14104@@ -62,11 +89,24 @@ ENDPROC(__get_user_2)
14105 ENTRY(__get_user_4)
14106 CFI_STARTPROC
14107 add $3,%_ASM_AX
14108+
14109+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14110+ pushl $(__USER_DS)
14111+ popl %ds
14112+#else
14113 jc bad_get_user
14114 GET_THREAD_INFO(%_ASM_DX)
14115 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14116 jae bad_get_user
14117+#endif
14118+
14119 3: mov -3(%_ASM_AX),%edx
14120+
14121+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14122+ pushl %ss
14123+ pop %ds
14124+#endif
14125+
14126 xor %eax,%eax
14127 ret
14128 CFI_ENDPROC
14129@@ -89,6 +129,12 @@ ENDPROC(__get_user_8)
14130
14131 bad_get_user:
14132 CFI_STARTPROC
14133+
14134+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14135+ pushl %ss
14136+ pop %ds
14137+#endif
14138+
14139 xor %edx,%edx
14140 mov $(-EFAULT),%_ASM_AX
14141 ret
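Review bot: The `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `pop %ds` pairs added to __get_user_1, __get_user_2, __get_user_4 and bad_get_user sit inside CFI_STARTPROC/CFI_ENDPROC regions without `CFI_ADJUST_CFA_OFFSET`, while the checksum_32.S hunks of this same patch annotate every such push and pop. Each push should be followed by `CFI_ADJUST_CFA_OFFSET 4` and each pop by `CFI_ADJUST_CFA_OFFSET -4` so the unwind data stays correct across the segment switch. The restore also mixes `popl %ds` and `pop %ds`; one spelling would read better. In the UDEREF branch of __get_user_2 and __get_user_4 the `jc bad_get_user` wrap check is compiled out together with the addr_limit compare, so a short comment should record what rejects a wrapped address in that configuration.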
14142diff -urNp linux-2.6.32.9/arch/x86/lib/memcpy_64.S linux-2.6.32.9/arch/x86/lib/memcpy_64.S
14143--- linux-2.6.32.9/arch/x86/lib/memcpy_64.S 2010-02-09 07:57:19.000000000 -0500
14144+++ linux-2.6.32.9/arch/x86/lib/memcpy_64.S 2010-02-23 17:09:53.127681323 -0500
14145@@ -128,7 +128,7 @@ ENDPROC(__memcpy)
14146 * It is also a lot simpler. Use this when possible:
14147 */
14148
14149- .section .altinstr_replacement, "ax"
14150+ .section .altinstr_replacement, "a"
14151 1: .byte 0xeb /* jmp <disp8> */
14152 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
14153 2:
14154diff -urNp linux-2.6.32.9/arch/x86/lib/memset_64.S linux-2.6.32.9/arch/x86/lib/memset_64.S
14155--- linux-2.6.32.9/arch/x86/lib/memset_64.S 2010-02-09 07:57:19.000000000 -0500
14156+++ linux-2.6.32.9/arch/x86/lib/memset_64.S 2010-02-23 17:09:53.127681323 -0500
14157@@ -118,7 +118,7 @@ ENDPROC(__memset)
14158
14159 #include <asm/cpufeature.h>
14160
14161- .section .altinstr_replacement,"ax"
14162+ .section .altinstr_replacement,"a"
14163 1: .byte 0xeb /* jmp <disp8> */
14164 .byte (memset_c - memset) - (2f - 1b) /* offset */
14165 2:
14166diff -urNp linux-2.6.32.9/arch/x86/lib/mmx_32.c linux-2.6.32.9/arch/x86/lib/mmx_32.c
14167--- linux-2.6.32.9/arch/x86/lib/mmx_32.c 2010-02-09 07:57:19.000000000 -0500
14168+++ linux-2.6.32.9/arch/x86/lib/mmx_32.c 2010-02-23 17:09:53.127681323 -0500
14169@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
14170 {
14171 void *p;
14172 int i;
14173+ unsigned long cr0;
14174
14175 if (unlikely(in_interrupt()))
14176 return __memcpy(to, from, len);
14177@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
14178 kernel_fpu_begin();
14179
14180 __asm__ __volatile__ (
14181- "1: prefetch (%0)\n" /* This set is 28 bytes */
14182- " prefetch 64(%0)\n"
14183- " prefetch 128(%0)\n"
14184- " prefetch 192(%0)\n"
14185- " prefetch 256(%0)\n"
14186+ "1: prefetch (%1)\n" /* This set is 28 bytes */
14187+ " prefetch 64(%1)\n"
14188+ " prefetch 128(%1)\n"
14189+ " prefetch 192(%1)\n"
14190+ " prefetch 256(%1)\n"
14191 "2: \n"
14192 ".section .fixup, \"ax\"\n"
14193- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14194+ "3: \n"
14195+
14196+#ifdef CONFIG_PAX_KERNEXEC
14197+ " movl %%cr0, %0\n"
14198+ " movl %0, %%eax\n"
14199+ " andl $0xFFFEFFFF, %%eax\n"
14200+ " movl %%eax, %%cr0\n"
14201+#endif
14202+
14203+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14204+
14205+#ifdef CONFIG_PAX_KERNEXEC
14206+ " movl %0, %%cr0\n"
14207+#endif
14208+
14209 " jmp 2b\n"
14210 ".previous\n"
14211 _ASM_EXTABLE(1b, 3b)
14212- : : "r" (from));
14213+ : "=&r" (cr0) : "r" (from) : "ax");
14214
14215 for ( ; i > 5; i--) {
14216 __asm__ __volatile__ (
14217- "1: prefetch 320(%0)\n"
14218- "2: movq (%0), %%mm0\n"
14219- " movq 8(%0), %%mm1\n"
14220- " movq 16(%0), %%mm2\n"
14221- " movq 24(%0), %%mm3\n"
14222- " movq %%mm0, (%1)\n"
14223- " movq %%mm1, 8(%1)\n"
14224- " movq %%mm2, 16(%1)\n"
14225- " movq %%mm3, 24(%1)\n"
14226- " movq 32(%0), %%mm0\n"
14227- " movq 40(%0), %%mm1\n"
14228- " movq 48(%0), %%mm2\n"
14229- " movq 56(%0), %%mm3\n"
14230- " movq %%mm0, 32(%1)\n"
14231- " movq %%mm1, 40(%1)\n"
14232- " movq %%mm2, 48(%1)\n"
14233- " movq %%mm3, 56(%1)\n"
14234+ "1: prefetch 320(%1)\n"
14235+ "2: movq (%1), %%mm0\n"
14236+ " movq 8(%1), %%mm1\n"
14237+ " movq 16(%1), %%mm2\n"
14238+ " movq 24(%1), %%mm3\n"
14239+ " movq %%mm0, (%2)\n"
14240+ " movq %%mm1, 8(%2)\n"
14241+ " movq %%mm2, 16(%2)\n"
14242+ " movq %%mm3, 24(%2)\n"
14243+ " movq 32(%1), %%mm0\n"
14244+ " movq 40(%1), %%mm1\n"
14245+ " movq 48(%1), %%mm2\n"
14246+ " movq 56(%1), %%mm3\n"
14247+ " movq %%mm0, 32(%2)\n"
14248+ " movq %%mm1, 40(%2)\n"
14249+ " movq %%mm2, 48(%2)\n"
14250+ " movq %%mm3, 56(%2)\n"
14251 ".section .fixup, \"ax\"\n"
14252- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14253+ "3:\n"
14254+
14255+#ifdef CONFIG_PAX_KERNEXEC
14256+ " movl %%cr0, %0\n"
14257+ " movl %0, %%eax\n"
14258+ " andl $0xFFFEFFFF, %%eax\n"
14259+ " movl %%eax, %%cr0\n"
14260+#endif
14261+
14262+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14263+
14264+#ifdef CONFIG_PAX_KERNEXEC
14265+ " movl %0, %%cr0\n"
14266+#endif
14267+
14268 " jmp 2b\n"
14269 ".previous\n"
14270 _ASM_EXTABLE(1b, 3b)
14271- : : "r" (from), "r" (to) : "memory");
14272+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14273
14274 from += 64;
14275 to += 64;
14276@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
14277 static void fast_copy_page(void *to, void *from)
14278 {
14279 int i;
14280+ unsigned long cr0;
14281
14282 kernel_fpu_begin();
14283
14284@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
14285 * but that is for later. -AV
14286 */
14287 __asm__ __volatile__(
14288- "1: prefetch (%0)\n"
14289- " prefetch 64(%0)\n"
14290- " prefetch 128(%0)\n"
14291- " prefetch 192(%0)\n"
14292- " prefetch 256(%0)\n"
14293+ "1: prefetch (%1)\n"
14294+ " prefetch 64(%1)\n"
14295+ " prefetch 128(%1)\n"
14296+ " prefetch 192(%1)\n"
14297+ " prefetch 256(%1)\n"
14298 "2: \n"
14299 ".section .fixup, \"ax\"\n"
14300- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14301+ "3: \n"
14302+
14303+#ifdef CONFIG_PAX_KERNEXEC
14304+ " movl %%cr0, %0\n"
14305+ " movl %0, %%eax\n"
14306+ " andl $0xFFFEFFFF, %%eax\n"
14307+ " movl %%eax, %%cr0\n"
14308+#endif
14309+
14310+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14311+
14312+#ifdef CONFIG_PAX_KERNEXEC
14313+ " movl %0, %%cr0\n"
14314+#endif
14315+
14316 " jmp 2b\n"
14317 ".previous\n"
14318- _ASM_EXTABLE(1b, 3b) : : "r" (from));
14319+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14320
14321 for (i = 0; i < (4096-320)/64; i++) {
14322 __asm__ __volatile__ (
14323- "1: prefetch 320(%0)\n"
14324- "2: movq (%0), %%mm0\n"
14325- " movntq %%mm0, (%1)\n"
14326- " movq 8(%0), %%mm1\n"
14327- " movntq %%mm1, 8(%1)\n"
14328- " movq 16(%0), %%mm2\n"
14329- " movntq %%mm2, 16(%1)\n"
14330- " movq 24(%0), %%mm3\n"
14331- " movntq %%mm3, 24(%1)\n"
14332- " movq 32(%0), %%mm4\n"
14333- " movntq %%mm4, 32(%1)\n"
14334- " movq 40(%0), %%mm5\n"
14335- " movntq %%mm5, 40(%1)\n"
14336- " movq 48(%0), %%mm6\n"
14337- " movntq %%mm6, 48(%1)\n"
14338- " movq 56(%0), %%mm7\n"
14339- " movntq %%mm7, 56(%1)\n"
14340+ "1: prefetch 320(%1)\n"
14341+ "2: movq (%1), %%mm0\n"
14342+ " movntq %%mm0, (%2)\n"
14343+ " movq 8(%1), %%mm1\n"
14344+ " movntq %%mm1, 8(%2)\n"
14345+ " movq 16(%1), %%mm2\n"
14346+ " movntq %%mm2, 16(%2)\n"
14347+ " movq 24(%1), %%mm3\n"
14348+ " movntq %%mm3, 24(%2)\n"
14349+ " movq 32(%1), %%mm4\n"
14350+ " movntq %%mm4, 32(%2)\n"
14351+ " movq 40(%1), %%mm5\n"
14352+ " movntq %%mm5, 40(%2)\n"
14353+ " movq 48(%1), %%mm6\n"
14354+ " movntq %%mm6, 48(%2)\n"
14355+ " movq 56(%1), %%mm7\n"
14356+ " movntq %%mm7, 56(%2)\n"
14357 ".section .fixup, \"ax\"\n"
14358- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14359+ "3:\n"
14360+
14361+#ifdef CONFIG_PAX_KERNEXEC
14362+ " movl %%cr0, %0\n"
14363+ " movl %0, %%eax\n"
14364+ " andl $0xFFFEFFFF, %%eax\n"
14365+ " movl %%eax, %%cr0\n"
14366+#endif
14367+
14368+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14369+
14370+#ifdef CONFIG_PAX_KERNEXEC
14371+ " movl %0, %%cr0\n"
14372+#endif
14373+
14374 " jmp 2b\n"
14375 ".previous\n"
14376- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
14377+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14378
14379 from += 64;
14380 to += 64;
14381@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
14382 static void fast_copy_page(void *to, void *from)
14383 {
14384 int i;
14385+ unsigned long cr0;
14386
14387 kernel_fpu_begin();
14388
14389 __asm__ __volatile__ (
14390- "1: prefetch (%0)\n"
14391- " prefetch 64(%0)\n"
14392- " prefetch 128(%0)\n"
14393- " prefetch 192(%0)\n"
14394- " prefetch 256(%0)\n"
14395+ "1: prefetch (%1)\n"
14396+ " prefetch 64(%1)\n"
14397+ " prefetch 128(%1)\n"
14398+ " prefetch 192(%1)\n"
14399+ " prefetch 256(%1)\n"
14400 "2: \n"
14401 ".section .fixup, \"ax\"\n"
14402- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14403+ "3: \n"
14404+
14405+#ifdef CONFIG_PAX_KERNEXEC
14406+ " movl %%cr0, %0\n"
14407+ " movl %0, %%eax\n"
14408+ " andl $0xFFFEFFFF, %%eax\n"
14409+ " movl %%eax, %%cr0\n"
14410+#endif
14411+
14412+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14413+
14414+#ifdef CONFIG_PAX_KERNEXEC
14415+ " movl %0, %%cr0\n"
14416+#endif
14417+
14418 " jmp 2b\n"
14419 ".previous\n"
14420- _ASM_EXTABLE(1b, 3b) : : "r" (from));
14421+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14422
14423 for (i = 0; i < 4096/64; i++) {
14424 __asm__ __volatile__ (
14425- "1: prefetch 320(%0)\n"
14426- "2: movq (%0), %%mm0\n"
14427- " movq 8(%0), %%mm1\n"
14428- " movq 16(%0), %%mm2\n"
14429- " movq 24(%0), %%mm3\n"
14430- " movq %%mm0, (%1)\n"
14431- " movq %%mm1, 8(%1)\n"
14432- " movq %%mm2, 16(%1)\n"
14433- " movq %%mm3, 24(%1)\n"
14434- " movq 32(%0), %%mm0\n"
14435- " movq 40(%0), %%mm1\n"
14436- " movq 48(%0), %%mm2\n"
14437- " movq 56(%0), %%mm3\n"
14438- " movq %%mm0, 32(%1)\n"
14439- " movq %%mm1, 40(%1)\n"
14440- " movq %%mm2, 48(%1)\n"
14441- " movq %%mm3, 56(%1)\n"
14442+ "1: prefetch 320(%1)\n"
14443+ "2: movq (%1), %%mm0\n"
14444+ " movq 8(%1), %%mm1\n"
14445+ " movq 16(%1), %%mm2\n"
14446+ " movq 24(%1), %%mm3\n"
14447+ " movq %%mm0, (%2)\n"
14448+ " movq %%mm1, 8(%2)\n"
14449+ " movq %%mm2, 16(%2)\n"
14450+ " movq %%mm3, 24(%2)\n"
14451+ " movq 32(%1), %%mm0\n"
14452+ " movq 40(%1), %%mm1\n"
14453+ " movq 48(%1), %%mm2\n"
14454+ " movq 56(%1), %%mm3\n"
14455+ " movq %%mm0, 32(%2)\n"
14456+ " movq %%mm1, 40(%2)\n"
14457+ " movq %%mm2, 48(%2)\n"
14458+ " movq %%mm3, 56(%2)\n"
14459 ".section .fixup, \"ax\"\n"
14460- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14461+ "3:\n"
14462+
14463+#ifdef CONFIG_PAX_KERNEXEC
14464+ " movl %%cr0, %0\n"
14465+ " movl %0, %%eax\n"
14466+ " andl $0xFFFEFFFF, %%eax\n"
14467+ " movl %%eax, %%cr0\n"
14468+#endif
14469+
14470+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14471+
14472+#ifdef CONFIG_PAX_KERNEXEC
14473+ " movl %0, %%cr0\n"
14474+#endif
14475+
14476 " jmp 2b\n"
14477 ".previous\n"
14478 _ASM_EXTABLE(1b, 3b)
14479- : : "r" (from), "r" (to) : "memory");
14480+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14481
14482 from += 64;
14483 to += 64;
14484diff -urNp linux-2.6.32.9/arch/x86/lib/putuser.S linux-2.6.32.9/arch/x86/lib/putuser.S
14485--- linux-2.6.32.9/arch/x86/lib/putuser.S 2010-02-09 07:57:19.000000000 -0500
14486+++ linux-2.6.32.9/arch/x86/lib/putuser.S 2010-02-23 17:09:53.127681323 -0500
14487@@ -15,6 +15,7 @@
14488 #include <asm/thread_info.h>
14489 #include <asm/errno.h>
14490 #include <asm/asm.h>
14491+#include <asm/segment.h>
14492
14493
14494 /*
14495@@ -39,7 +40,19 @@ ENTRY(__put_user_1)
14496 ENTER
14497 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
14498 jae bad_put_user
14499+
14500+#ifdef CONFIG_X86_32
14501+ pushl $(__USER_DS)
14502+ popl %ds
14503+#endif
14504+
14505 1: movb %al,(%_ASM_CX)
14506+
14507+#ifdef CONFIG_X86_32
14508+ pushl %ss
14509+ popl %ds
14510+#endif
14511+
14512 xor %eax,%eax
14513 EXIT
14514 ENDPROC(__put_user_1)
14515@@ -50,7 +63,19 @@ ENTRY(__put_user_2)
14516 sub $1,%_ASM_BX
14517 cmp %_ASM_BX,%_ASM_CX
14518 jae bad_put_user
14519+
14520+#ifdef CONFIG_X86_32
14521+ pushl $(__USER_DS)
14522+ popl %ds
14523+#endif
14524+
14525 2: movw %ax,(%_ASM_CX)
14526+
14527+#ifdef CONFIG_X86_32
14528+ pushl %ss
14529+ popl %ds
14530+#endif
14531+
14532 xor %eax,%eax
14533 EXIT
14534 ENDPROC(__put_user_2)
14535@@ -61,7 +86,19 @@ ENTRY(__put_user_4)
14536 sub $3,%_ASM_BX
14537 cmp %_ASM_BX,%_ASM_CX
14538 jae bad_put_user
14539+
14540+#ifdef CONFIG_X86_32
14541+ pushl $(__USER_DS)
14542+ popl %ds
14543+#endif
14544+
14545 3: movl %eax,(%_ASM_CX)
14546+
14547+#ifdef CONFIG_X86_32
14548+ pushl %ss
14549+ popl %ds
14550+#endif
14551+
14552 xor %eax,%eax
14553 EXIT
14554 ENDPROC(__put_user_4)
14555@@ -72,16 +109,34 @@ ENTRY(__put_user_8)
14556 sub $7,%_ASM_BX
14557 cmp %_ASM_BX,%_ASM_CX
14558 jae bad_put_user
14559+
14560+#ifdef CONFIG_X86_32
14561+ pushl $(__USER_DS)
14562+ popl %ds
14563+#endif
14564+
14565 4: mov %_ASM_AX,(%_ASM_CX)
14566 #ifdef CONFIG_X86_32
14567 5: movl %edx,4(%_ASM_CX)
14568 #endif
14569+
14570+#ifdef CONFIG_X86_32
14571+ pushl %ss
14572+ popl %ds
14573+#endif
14574+
14575 xor %eax,%eax
14576 EXIT
14577 ENDPROC(__put_user_8)
14578
14579 bad_put_user:
14580 CFI_STARTPROC
14581+
14582+#ifdef CONFIG_X86_32
14583+ pushl %ss
14584+ popl %ds
14585+#endif
14586+
14587 movl $-EFAULT,%eax
14588 EXIT
14589 END(bad_put_user)
14590diff -urNp linux-2.6.32.9/arch/x86/lib/usercopy_32.c linux-2.6.32.9/arch/x86/lib/usercopy_32.c
14591--- linux-2.6.32.9/arch/x86/lib/usercopy_32.c 2010-02-09 07:57:19.000000000 -0500
14592+++ linux-2.6.32.9/arch/x86/lib/usercopy_32.c 2010-02-23 17:09:53.132248096 -0500
14593@@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
14594 * Copy a null terminated string from userspace.
14595 */
14596
14597-#define __do_strncpy_from_user(dst, src, count, res) \
14598-do { \
14599- int __d0, __d1, __d2; \
14600- might_fault(); \
14601- __asm__ __volatile__( \
14602- " testl %1,%1\n" \
14603- " jz 2f\n" \
14604- "0: lodsb\n" \
14605- " stosb\n" \
14606- " testb %%al,%%al\n" \
14607- " jz 1f\n" \
14608- " decl %1\n" \
14609- " jnz 0b\n" \
14610- "1: subl %1,%0\n" \
14611- "2:\n" \
14612- ".section .fixup,\"ax\"\n" \
14613- "3: movl %5,%0\n" \
14614- " jmp 2b\n" \
14615- ".previous\n" \
14616- _ASM_EXTABLE(0b,3b) \
14617- : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
14618- "=&D" (__d2) \
14619- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
14620- : "memory"); \
14621-} while (0)
14622+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
14623+{
14624+ int __d0, __d1, __d2;
14625+ long res = -EFAULT;
14626+
14627+ might_fault();
14628+ __asm__ __volatile__(
14629+ " movw %w10,%%ds\n"
14630+ " testl %1,%1\n"
14631+ " jz 2f\n"
14632+ "0: lodsb\n"
14633+ " stosb\n"
14634+ " testb %%al,%%al\n"
14635+ " jz 1f\n"
14636+ " decl %1\n"
14637+ " jnz 0b\n"
14638+ "1: subl %1,%0\n"
14639+ "2:\n"
14640+ " pushl %%ss\n"
14641+ " popl %%ds\n"
14642+ ".section .fixup,\"ax\"\n"
14643+ "3: movl %5,%0\n"
14644+ " jmp 2b\n"
14645+ ".previous\n"
14646+ _ASM_EXTABLE(0b,3b)
14647+ : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
14648+ "=&D" (__d2)
14649+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
14650+ "r"(__USER_DS)
14651+ : "memory");
14652+ return res;
14653+}
14654
14655 /**
14656 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
14657@@ -85,9 +92,7 @@ do { \
14658 long
14659 __strncpy_from_user(char *dst, const char __user *src, long count)
14660 {
14661- long res;
14662- __do_strncpy_from_user(dst, src, count, res);
14663- return res;
14664+ return __do_strncpy_from_user(dst, src, count);
14665 }
14666 EXPORT_SYMBOL(__strncpy_from_user);
14667
14668@@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
14669 {
14670 long res = -EFAULT;
14671 if (access_ok(VERIFY_READ, src, 1))
14672- __do_strncpy_from_user(dst, src, count, res);
14673+ res = __do_strncpy_from_user(dst, src, count);
14674 return res;
14675 }
14676 EXPORT_SYMBOL(strncpy_from_user);
14677@@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
14678 * Zero Userspace
14679 */
14680
14681-#define __do_clear_user(addr,size) \
14682-do { \
14683- int __d0; \
14684- might_fault(); \
14685- __asm__ __volatile__( \
14686- "0: rep; stosl\n" \
14687- " movl %2,%0\n" \
14688- "1: rep; stosb\n" \
14689- "2:\n" \
14690- ".section .fixup,\"ax\"\n" \
14691- "3: lea 0(%2,%0,4),%0\n" \
14692- " jmp 2b\n" \
14693- ".previous\n" \
14694- _ASM_EXTABLE(0b,3b) \
14695- _ASM_EXTABLE(1b,2b) \
14696- : "=&c"(size), "=&D" (__d0) \
14697- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
14698-} while (0)
14699+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
14700+{
14701+ int __d0;
14702+
14703+ might_fault();
14704+ __asm__ __volatile__(
14705+ " movw %w6,%%es\n"
14706+ "0: rep; stosl\n"
14707+ " movl %2,%0\n"
14708+ "1: rep; stosb\n"
14709+ "2:\n"
14710+ " pushl %%ss\n"
14711+ " popl %%es\n"
14712+ ".section .fixup,\"ax\"\n"
14713+ "3: lea 0(%2,%0,4),%0\n"
14714+ " jmp 2b\n"
14715+ ".previous\n"
14716+ _ASM_EXTABLE(0b,3b)
14717+ _ASM_EXTABLE(1b,2b)
14718+ : "=&c"(size), "=&D" (__d0)
14719+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
14720+ "r"(__USER_DS));
14721+ return size;
14722+}
14723
14724 /**
14725 * clear_user: - Zero a block of memory in user space.
14726@@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
14727 {
14728 might_fault();
14729 if (access_ok(VERIFY_WRITE, to, n))
14730- __do_clear_user(to, n);
14731+ n = __do_clear_user(to, n);
14732 return n;
14733 }
14734 EXPORT_SYMBOL(clear_user);
14735@@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
14736 unsigned long
14737 __clear_user(void __user *to, unsigned long n)
14738 {
14739- __do_clear_user(to, n);
14740- return n;
14741+ return __do_clear_user(to, n);
14742 }
14743 EXPORT_SYMBOL(__clear_user);
14744
14745@@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
14746 might_fault();
14747
14748 __asm__ __volatile__(
14749+ " movw %w8,%%es\n"
14750 " testl %0, %0\n"
14751 " jz 3f\n"
14752- " andl %0,%%ecx\n"
14753+ " movl %0,%%ecx\n"
14754 "0: repne; scasb\n"
14755 " setne %%al\n"
14756 " subl %%ecx,%0\n"
14757 " addl %0,%%eax\n"
14758 "1:\n"
14759+ " pushl %%ss\n"
14760+ " popl %%es\n"
14761 ".section .fixup,\"ax\"\n"
14762 "2: xorl %%eax,%%eax\n"
14763 " jmp 1b\n"
14764@@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
14765 " .long 0b,2b\n"
14766 ".previous"
14767 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
14768- :"0" (n), "1" (s), "2" (0), "3" (mask)
14769+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
14770 :"cc");
14771 return res & mask;
14772 }
14773@@ -227,10 +240,11 @@ EXPORT_SYMBOL(strnlen_user);
14774
14775 #ifdef CONFIG_X86_INTEL_USERCOPY
14776 static unsigned long
14777-__copy_user_intel(void __user *to, const void *from, unsigned long size)
14778+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
14779 {
14780 int d0, d1;
14781 __asm__ __volatile__(
14782+ " movw %w6, %%es\n"
14783 " .align 2,0x90\n"
14784 "1: movl 32(%4), %%eax\n"
14785 " cmpl $67, %0\n"
14786@@ -239,36 +253,36 @@ __copy_user_intel(void __user *to, const
14787 " .align 2,0x90\n"
14788 "3: movl 0(%4), %%eax\n"
14789 "4: movl 4(%4), %%edx\n"
14790- "5: movl %%eax, 0(%3)\n"
14791- "6: movl %%edx, 4(%3)\n"
14792+ "5: movl %%eax, %%es:0(%3)\n"
14793+ "6: movl %%edx, %%es:4(%3)\n"
14794 "7: movl 8(%4), %%eax\n"
14795 "8: movl 12(%4),%%edx\n"
14796- "9: movl %%eax, 8(%3)\n"
14797- "10: movl %%edx, 12(%3)\n"
14798+ "9: movl %%eax, %%es:8(%3)\n"
14799+ "10: movl %%edx, %%es:12(%3)\n"
14800 "11: movl 16(%4), %%eax\n"
14801 "12: movl 20(%4), %%edx\n"
14802- "13: movl %%eax, 16(%3)\n"
14803- "14: movl %%edx, 20(%3)\n"
14804+ "13: movl %%eax, %%es:16(%3)\n"
14805+ "14: movl %%edx, %%es:20(%3)\n"
14806 "15: movl 24(%4), %%eax\n"
14807 "16: movl 28(%4), %%edx\n"
14808- "17: movl %%eax, 24(%3)\n"
14809- "18: movl %%edx, 28(%3)\n"
14810+ "17: movl %%eax, %%es:24(%3)\n"
14811+ "18: movl %%edx, %%es:28(%3)\n"
14812 "19: movl 32(%4), %%eax\n"
14813 "20: movl 36(%4), %%edx\n"
14814- "21: movl %%eax, 32(%3)\n"
14815- "22: movl %%edx, 36(%3)\n"
14816+ "21: movl %%eax, %%es:32(%3)\n"
14817+ "22: movl %%edx, %%es:36(%3)\n"
14818 "23: movl 40(%4), %%eax\n"
14819 "24: movl 44(%4), %%edx\n"
14820- "25: movl %%eax, 40(%3)\n"
14821- "26: movl %%edx, 44(%3)\n"
14822+ "25: movl %%eax, %%es:40(%3)\n"
14823+ "26: movl %%edx, %%es:44(%3)\n"
14824 "27: movl 48(%4), %%eax\n"
14825 "28: movl 52(%4), %%edx\n"
14826- "29: movl %%eax, 48(%3)\n"
14827- "30: movl %%edx, 52(%3)\n"
14828+ "29: movl %%eax, %%es:48(%3)\n"
14829+ "30: movl %%edx, %%es:52(%3)\n"
14830 "31: movl 56(%4), %%eax\n"
14831 "32: movl 60(%4), %%edx\n"
14832- "33: movl %%eax, 56(%3)\n"
14833- "34: movl %%edx, 60(%3)\n"
14834+ "33: movl %%eax, %%es:56(%3)\n"
14835+ "34: movl %%edx, %%es:60(%3)\n"
14836 " addl $-64, %0\n"
14837 " addl $64, %4\n"
14838 " addl $64, %3\n"
14839@@ -282,6 +296,8 @@ __copy_user_intel(void __user *to, const
14840 "36: movl %%eax, %0\n"
14841 "37: rep; movsb\n"
14842 "100:\n"
14843+ " pushl %%ss\n"
14844+ " popl %%es\n"
14845 ".section .fixup,\"ax\"\n"
14846 "101: lea 0(%%eax,%0,4),%0\n"
14847 " jmp 100b\n"
14848@@ -328,7 +344,117 @@ __copy_user_intel(void __user *to, const
14849 " .long 99b,101b\n"
14850 ".previous"
14851 : "=&c"(size), "=&D" (d0), "=&S" (d1)
14852- : "1"(to), "2"(from), "0"(size)
14853+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
14854+ : "eax", "edx", "memory");
14855+ return size;
14856+}
14857+
14858+static unsigned long
14859+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
14860+{
14861+ int d0, d1;
14862+ __asm__ __volatile__(
14863+ " movw %w6, %%ds\n"
14864+ " .align 2,0x90\n"
14865+ "1: movl 32(%4), %%eax\n"
14866+ " cmpl $67, %0\n"
14867+ " jbe 3f\n"
14868+ "2: movl 64(%4), %%eax\n"
14869+ " .align 2,0x90\n"
14870+ "3: movl 0(%4), %%eax\n"
14871+ "4: movl 4(%4), %%edx\n"
14872+ "5: movl %%eax, %%es:0(%3)\n"
14873+ "6: movl %%edx, %%es:4(%3)\n"
14874+ "7: movl 8(%4), %%eax\n"
14875+ "8: movl 12(%4),%%edx\n"
14876+ "9: movl %%eax, %%es:8(%3)\n"
14877+ "10: movl %%edx, %%es:12(%3)\n"
14878+ "11: movl 16(%4), %%eax\n"
14879+ "12: movl 20(%4), %%edx\n"
14880+ "13: movl %%eax, %%es:16(%3)\n"
14881+ "14: movl %%edx, %%es:20(%3)\n"
14882+ "15: movl 24(%4), %%eax\n"
14883+ "16: movl 28(%4), %%edx\n"
14884+ "17: movl %%eax, %%es:24(%3)\n"
14885+ "18: movl %%edx, %%es:28(%3)\n"
14886+ "19: movl 32(%4), %%eax\n"
14887+ "20: movl 36(%4), %%edx\n"
14888+ "21: movl %%eax, %%es:32(%3)\n"
14889+ "22: movl %%edx, %%es:36(%3)\n"
14890+ "23: movl 40(%4), %%eax\n"
14891+ "24: movl 44(%4), %%edx\n"
14892+ "25: movl %%eax, %%es:40(%3)\n"
14893+ "26: movl %%edx, %%es:44(%3)\n"
14894+ "27: movl 48(%4), %%eax\n"
14895+ "28: movl 52(%4), %%edx\n"
14896+ "29: movl %%eax, %%es:48(%3)\n"
14897+ "30: movl %%edx, %%es:52(%3)\n"
14898+ "31: movl 56(%4), %%eax\n"
14899+ "32: movl 60(%4), %%edx\n"
14900+ "33: movl %%eax, %%es:56(%3)\n"
14901+ "34: movl %%edx, %%es:60(%3)\n"
14902+ " addl $-64, %0\n"
14903+ " addl $64, %4\n"
14904+ " addl $64, %3\n"
14905+ " cmpl $63, %0\n"
14906+ " ja 1b\n"
14907+ "35: movl %0, %%eax\n"
14908+ " shrl $2, %0\n"
14909+ " andl $3, %%eax\n"
14910+ " cld\n"
14911+ "99: rep; movsl\n"
14912+ "36: movl %%eax, %0\n"
14913+ "37: rep; movsb\n"
14914+ "100:\n"
14915+ " pushl %%ss\n"
14916+ " popl %%ds\n"
14917+ ".section .fixup,\"ax\"\n"
14918+ "101: lea 0(%%eax,%0,4),%0\n"
14919+ " jmp 100b\n"
14920+ ".previous\n"
14921+ ".section __ex_table,\"a\"\n"
14922+ " .align 4\n"
14923+ " .long 1b,100b\n"
14924+ " .long 2b,100b\n"
14925+ " .long 3b,100b\n"
14926+ " .long 4b,100b\n"
14927+ " .long 5b,100b\n"
14928+ " .long 6b,100b\n"
14929+ " .long 7b,100b\n"
14930+ " .long 8b,100b\n"
14931+ " .long 9b,100b\n"
14932+ " .long 10b,100b\n"
14933+ " .long 11b,100b\n"
14934+ " .long 12b,100b\n"
14935+ " .long 13b,100b\n"
14936+ " .long 14b,100b\n"
14937+ " .long 15b,100b\n"
14938+ " .long 16b,100b\n"
14939+ " .long 17b,100b\n"
14940+ " .long 18b,100b\n"
14941+ " .long 19b,100b\n"
14942+ " .long 20b,100b\n"
14943+ " .long 21b,100b\n"
14944+ " .long 22b,100b\n"
14945+ " .long 23b,100b\n"
14946+ " .long 24b,100b\n"
14947+ " .long 25b,100b\n"
14948+ " .long 26b,100b\n"
14949+ " .long 27b,100b\n"
14950+ " .long 28b,100b\n"
14951+ " .long 29b,100b\n"
14952+ " .long 30b,100b\n"
14953+ " .long 31b,100b\n"
14954+ " .long 32b,100b\n"
14955+ " .long 33b,100b\n"
14956+ " .long 34b,100b\n"
14957+ " .long 35b,100b\n"
14958+ " .long 36b,100b\n"
14959+ " .long 37b,100b\n"
14960+ " .long 99b,101b\n"
14961+ ".previous"
14962+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
14963+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
14964 : "eax", "edx", "memory");
14965 return size;
14966 }
14967@@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
14968 {
14969 int d0, d1;
14970 __asm__ __volatile__(
14971+ " movw %w6, %%ds\n"
14972 " .align 2,0x90\n"
14973 "0: movl 32(%4), %%eax\n"
14974 " cmpl $67, %0\n"
14975@@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
14976 " .align 2,0x90\n"
14977 "2: movl 0(%4), %%eax\n"
14978 "21: movl 4(%4), %%edx\n"
14979- " movl %%eax, 0(%3)\n"
14980- " movl %%edx, 4(%3)\n"
14981+ " movl %%eax, %%es:0(%3)\n"
14982+ " movl %%edx, %%es:4(%3)\n"
14983 "3: movl 8(%4), %%eax\n"
14984 "31: movl 12(%4),%%edx\n"
14985- " movl %%eax, 8(%3)\n"
14986- " movl %%edx, 12(%3)\n"
14987+ " movl %%eax, %%es:8(%3)\n"
14988+ " movl %%edx, %%es:12(%3)\n"
14989 "4: movl 16(%4), %%eax\n"
14990 "41: movl 20(%4), %%edx\n"
14991- " movl %%eax, 16(%3)\n"
14992- " movl %%edx, 20(%3)\n"
14993+ " movl %%eax, %%es:16(%3)\n"
14994+ " movl %%edx, %%es:20(%3)\n"
14995 "10: movl 24(%4), %%eax\n"
14996 "51: movl 28(%4), %%edx\n"
14997- " movl %%eax, 24(%3)\n"
14998- " movl %%edx, 28(%3)\n"
14999+ " movl %%eax, %%es:24(%3)\n"
15000+ " movl %%edx, %%es:28(%3)\n"
15001 "11: movl 32(%4), %%eax\n"
15002 "61: movl 36(%4), %%edx\n"
15003- " movl %%eax, 32(%3)\n"
15004- " movl %%edx, 36(%3)\n"
15005+ " movl %%eax, %%es:32(%3)\n"
15006+ " movl %%edx, %%es:36(%3)\n"
15007 "12: movl 40(%4), %%eax\n"
15008 "71: movl 44(%4), %%edx\n"
15009- " movl %%eax, 40(%3)\n"
15010- " movl %%edx, 44(%3)\n"
15011+ " movl %%eax, %%es:40(%3)\n"
15012+ " movl %%edx, %%es:44(%3)\n"
15013 "13: movl 48(%4), %%eax\n"
15014 "81: movl 52(%4), %%edx\n"
15015- " movl %%eax, 48(%3)\n"
15016- " movl %%edx, 52(%3)\n"
15017+ " movl %%eax, %%es:48(%3)\n"
15018+ " movl %%edx, %%es:52(%3)\n"
15019 "14: movl 56(%4), %%eax\n"
15020 "91: movl 60(%4), %%edx\n"
15021- " movl %%eax, 56(%3)\n"
15022- " movl %%edx, 60(%3)\n"
15023+ " movl %%eax, %%es:56(%3)\n"
15024+ " movl %%edx, %%es:60(%3)\n"
15025 " addl $-64, %0\n"
15026 " addl $64, %4\n"
15027 " addl $64, %3\n"
15028@@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
15029 " movl %%eax,%0\n"
15030 "7: rep; movsb\n"
15031 "8:\n"
15032+ " pushl %%ss\n"
15033+ " popl %%ds\n"
15034 ".section .fixup,\"ax\"\n"
15035 "9: lea 0(%%eax,%0,4),%0\n"
15036 "16: pushl %0\n"
15037@@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
15038 " .long 7b,16b\n"
15039 ".previous"
15040 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15041- : "1"(to), "2"(from), "0"(size)
15042+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15043 : "eax", "edx", "memory");
15044 return size;
15045 }
15046@@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
15047 int d0, d1;
15048
15049 __asm__ __volatile__(
15050+ " movw %w6, %%ds\n"
15051 " .align 2,0x90\n"
15052 "0: movl 32(%4), %%eax\n"
15053 " cmpl $67, %0\n"
15054@@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
15055 " .align 2,0x90\n"
15056 "2: movl 0(%4), %%eax\n"
15057 "21: movl 4(%4), %%edx\n"
15058- " movnti %%eax, 0(%3)\n"
15059- " movnti %%edx, 4(%3)\n"
15060+ " movnti %%eax, %%es:0(%3)\n"
15061+ " movnti %%edx, %%es:4(%3)\n"
15062 "3: movl 8(%4), %%eax\n"
15063 "31: movl 12(%4),%%edx\n"
15064- " movnti %%eax, 8(%3)\n"
15065- " movnti %%edx, 12(%3)\n"
15066+ " movnti %%eax, %%es:8(%3)\n"
15067+ " movnti %%edx, %%es:12(%3)\n"
15068 "4: movl 16(%4), %%eax\n"
15069 "41: movl 20(%4), %%edx\n"
15070- " movnti %%eax, 16(%3)\n"
15071- " movnti %%edx, 20(%3)\n"
15072+ " movnti %%eax, %%es:16(%3)\n"
15073+ " movnti %%edx, %%es:20(%3)\n"
15074 "10: movl 24(%4), %%eax\n"
15075 "51: movl 28(%4), %%edx\n"
15076- " movnti %%eax, 24(%3)\n"
15077- " movnti %%edx, 28(%3)\n"
15078+ " movnti %%eax, %%es:24(%3)\n"
15079+ " movnti %%edx, %%es:28(%3)\n"
15080 "11: movl 32(%4), %%eax\n"
15081 "61: movl 36(%4), %%edx\n"
15082- " movnti %%eax, 32(%3)\n"
15083- " movnti %%edx, 36(%3)\n"
15084+ " movnti %%eax, %%es:32(%3)\n"
15085+ " movnti %%edx, %%es:36(%3)\n"
15086 "12: movl 40(%4), %%eax\n"
15087 "71: movl 44(%4), %%edx\n"
15088- " movnti %%eax, 40(%3)\n"
15089- " movnti %%edx, 44(%3)\n"
15090+ " movnti %%eax, %%es:40(%3)\n"
15091+ " movnti %%edx, %%es:44(%3)\n"
15092 "13: movl 48(%4), %%eax\n"
15093 "81: movl 52(%4), %%edx\n"
15094- " movnti %%eax, 48(%3)\n"
15095- " movnti %%edx, 52(%3)\n"
15096+ " movnti %%eax, %%es:48(%3)\n"
15097+ " movnti %%edx, %%es:52(%3)\n"
15098 "14: movl 56(%4), %%eax\n"
15099 "91: movl 60(%4), %%edx\n"
15100- " movnti %%eax, 56(%3)\n"
15101- " movnti %%edx, 60(%3)\n"
15102+ " movnti %%eax, %%es:56(%3)\n"
15103+ " movnti %%edx, %%es:60(%3)\n"
15104 " addl $-64, %0\n"
15105 " addl $64, %4\n"
15106 " addl $64, %3\n"
15107@@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
15108 " movl %%eax,%0\n"
15109 "7: rep; movsb\n"
15110 "8:\n"
15111+ " pushl %%ss\n"
15112+ " popl %%ds\n"
15113 ".section .fixup,\"ax\"\n"
15114 "9: lea 0(%%eax,%0,4),%0\n"
15115 "16: pushl %0\n"
15116@@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
15117 " .long 7b,16b\n"
15118 ".previous"
15119 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15120- : "1"(to), "2"(from), "0"(size)
15121+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15122 : "eax", "edx", "memory");
15123 return size;
15124 }
15125@@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
15126 int d0, d1;
15127
15128 __asm__ __volatile__(
15129+ " movw %w6, %%ds\n"
15130 " .align 2,0x90\n"
15131 "0: movl 32(%4), %%eax\n"
15132 " cmpl $67, %0\n"
15133@@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
15134 " .align 2,0x90\n"
15135 "2: movl 0(%4), %%eax\n"
15136 "21: movl 4(%4), %%edx\n"
15137- " movnti %%eax, 0(%3)\n"
15138- " movnti %%edx, 4(%3)\n"
15139+ " movnti %%eax, %%es:0(%3)\n"
15140+ " movnti %%edx, %%es:4(%3)\n"
15141 "3: movl 8(%4), %%eax\n"
15142 "31: movl 12(%4),%%edx\n"
15143- " movnti %%eax, 8(%3)\n"
15144- " movnti %%edx, 12(%3)\n"
15145+ " movnti %%eax, %%es:8(%3)\n"
15146+ " movnti %%edx, %%es:12(%3)\n"
15147 "4: movl 16(%4), %%eax\n"
15148 "41: movl 20(%4), %%edx\n"
15149- " movnti %%eax, 16(%3)\n"
15150- " movnti %%edx, 20(%3)\n"
15151+ " movnti %%eax, %%es:16(%3)\n"
15152+ " movnti %%edx, %%es:20(%3)\n"
15153 "10: movl 24(%4), %%eax\n"
15154 "51: movl 28(%4), %%edx\n"
15155- " movnti %%eax, 24(%3)\n"
15156- " movnti %%edx, 28(%3)\n"
15157+ " movnti %%eax, %%es:24(%3)\n"
15158+ " movnti %%edx, %%es:28(%3)\n"
15159 "11: movl 32(%4), %%eax\n"
15160 "61: movl 36(%4), %%edx\n"
15161- " movnti %%eax, 32(%3)\n"
15162- " movnti %%edx, 36(%3)\n"
15163+ " movnti %%eax, %%es:32(%3)\n"
15164+ " movnti %%edx, %%es:36(%3)\n"
15165 "12: movl 40(%4), %%eax\n"
15166 "71: movl 44(%4), %%edx\n"
15167- " movnti %%eax, 40(%3)\n"
15168- " movnti %%edx, 44(%3)\n"
15169+ " movnti %%eax, %%es:40(%3)\n"
15170+ " movnti %%edx, %%es:44(%3)\n"
15171 "13: movl 48(%4), %%eax\n"
15172 "81: movl 52(%4), %%edx\n"
15173- " movnti %%eax, 48(%3)\n"
15174- " movnti %%edx, 52(%3)\n"
15175+ " movnti %%eax, %%es:48(%3)\n"
15176+ " movnti %%edx, %%es:52(%3)\n"
15177 "14: movl 56(%4), %%eax\n"
15178 "91: movl 60(%4), %%edx\n"
15179- " movnti %%eax, 56(%3)\n"
15180- " movnti %%edx, 60(%3)\n"
15181+ " movnti %%eax, %%es:56(%3)\n"
15182+ " movnti %%edx, %%es:60(%3)\n"
15183 " addl $-64, %0\n"
15184 " addl $64, %4\n"
15185 " addl $64, %3\n"
15186@@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
15187 " movl %%eax,%0\n"
15188 "7: rep; movsb\n"
15189 "8:\n"
15190+ " pushl %%ss\n"
15191+ " popl %%ds\n"
15192 ".section .fixup,\"ax\"\n"
15193 "9: lea 0(%%eax,%0,4),%0\n"
15194 "16: jmp 8b\n"
15195@@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
15196 " .long 7b,16b\n"
15197 ".previous"
15198 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15199- : "1"(to), "2"(from), "0"(size)
15200+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15201 : "eax", "edx", "memory");
15202 return size;
15203 }
15204@@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
15205 */
15206 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
15207 unsigned long size);
15208-unsigned long __copy_user_intel(void __user *to, const void *from,
15209+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
15210+ unsigned long size);
15211+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
15212 unsigned long size);
15213 unsigned long __copy_user_zeroing_intel_nocache(void *to,
15214 const void __user *from, unsigned long size);
15215 #endif /* CONFIG_X86_INTEL_USERCOPY */
15216
15217 /* Generic arbitrary sized copy. */
15218-#define __copy_user(to, from, size) \
15219-do { \
15220- int __d0, __d1, __d2; \
15221- __asm__ __volatile__( \
15222- " cmp $7,%0\n" \
15223- " jbe 1f\n" \
15224- " movl %1,%0\n" \
15225- " negl %0\n" \
15226- " andl $7,%0\n" \
15227- " subl %0,%3\n" \
15228- "4: rep; movsb\n" \
15229- " movl %3,%0\n" \
15230- " shrl $2,%0\n" \
15231- " andl $3,%3\n" \
15232- " .align 2,0x90\n" \
15233- "0: rep; movsl\n" \
15234- " movl %3,%0\n" \
15235- "1: rep; movsb\n" \
15236- "2:\n" \
15237- ".section .fixup,\"ax\"\n" \
15238- "5: addl %3,%0\n" \
15239- " jmp 2b\n" \
15240- "3: lea 0(%3,%0,4),%0\n" \
15241- " jmp 2b\n" \
15242- ".previous\n" \
15243- ".section __ex_table,\"a\"\n" \
15244- " .align 4\n" \
15245- " .long 4b,5b\n" \
15246- " .long 0b,3b\n" \
15247- " .long 1b,2b\n" \
15248- ".previous" \
15249- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15250- : "3"(size), "0"(size), "1"(to), "2"(from) \
15251- : "memory"); \
15252-} while (0)
15253-
15254-#define __copy_user_zeroing(to, from, size) \
15255-do { \
15256- int __d0, __d1, __d2; \
15257- __asm__ __volatile__( \
15258- " cmp $7,%0\n" \
15259- " jbe 1f\n" \
15260- " movl %1,%0\n" \
15261- " negl %0\n" \
15262- " andl $7,%0\n" \
15263- " subl %0,%3\n" \
15264- "4: rep; movsb\n" \
15265- " movl %3,%0\n" \
15266- " shrl $2,%0\n" \
15267- " andl $3,%3\n" \
15268- " .align 2,0x90\n" \
15269- "0: rep; movsl\n" \
15270- " movl %3,%0\n" \
15271- "1: rep; movsb\n" \
15272- "2:\n" \
15273- ".section .fixup,\"ax\"\n" \
15274- "5: addl %3,%0\n" \
15275- " jmp 6f\n" \
15276- "3: lea 0(%3,%0,4),%0\n" \
15277- "6: pushl %0\n" \
15278- " pushl %%eax\n" \
15279- " xorl %%eax,%%eax\n" \
15280- " rep; stosb\n" \
15281- " popl %%eax\n" \
15282- " popl %0\n" \
15283- " jmp 2b\n" \
15284- ".previous\n" \
15285- ".section __ex_table,\"a\"\n" \
15286- " .align 4\n" \
15287- " .long 4b,5b\n" \
15288- " .long 0b,3b\n" \
15289- " .long 1b,6b\n" \
15290- ".previous" \
15291- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15292- : "3"(size), "0"(size), "1"(to), "2"(from) \
15293- : "memory"); \
15294-} while (0)
15295+static unsigned long
15296+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
15297+{
15298+ int __d0, __d1, __d2;
15299+
15300+ __asm__ __volatile__(
15301+ " movw %w8,%%es\n"
15302+ " cmp $7,%0\n"
15303+ " jbe 1f\n"
15304+ " movl %1,%0\n"
15305+ " negl %0\n"
15306+ " andl $7,%0\n"
15307+ " subl %0,%3\n"
15308+ "4: rep; movsb\n"
15309+ " movl %3,%0\n"
15310+ " shrl $2,%0\n"
15311+ " andl $3,%3\n"
15312+ " .align 2,0x90\n"
15313+ "0: rep; movsl\n"
15314+ " movl %3,%0\n"
15315+ "1: rep; movsb\n"
15316+ "2:\n"
15317+ " pushl %%ss\n"
15318+ " popl %%es\n"
15319+ ".section .fixup,\"ax\"\n"
15320+ "5: addl %3,%0\n"
15321+ " jmp 2b\n"
15322+ "3: lea 0(%3,%0,4),%0\n"
15323+ " jmp 2b\n"
15324+ ".previous\n"
15325+ ".section __ex_table,\"a\"\n"
15326+ " .align 4\n"
15327+ " .long 4b,5b\n"
15328+ " .long 0b,3b\n"
15329+ " .long 1b,2b\n"
15330+ ".previous"
15331+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15332+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15333+ : "memory");
15334+ return size;
15335+}
15336+
15337+static unsigned long
15338+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
15339+{
15340+ int __d0, __d1, __d2;
15341+
15342+ __asm__ __volatile__(
15343+ " movw %w8,%%ds\n"
15344+ " cmp $7,%0\n"
15345+ " jbe 1f\n"
15346+ " movl %1,%0\n"
15347+ " negl %0\n"
15348+ " andl $7,%0\n"
15349+ " subl %0,%3\n"
15350+ "4: rep; movsb\n"
15351+ " movl %3,%0\n"
15352+ " shrl $2,%0\n"
15353+ " andl $3,%3\n"
15354+ " .align 2,0x90\n"
15355+ "0: rep; movsl\n"
15356+ " movl %3,%0\n"
15357+ "1: rep; movsb\n"
15358+ "2:\n"
15359+ " pushl %%ss\n"
15360+ " popl %%ds\n"
15361+ ".section .fixup,\"ax\"\n"
15362+ "5: addl %3,%0\n"
15363+ " jmp 2b\n"
15364+ "3: lea 0(%3,%0,4),%0\n"
15365+ " jmp 2b\n"
15366+ ".previous\n"
15367+ ".section __ex_table,\"a\"\n"
15368+ " .align 4\n"
15369+ " .long 4b,5b\n"
15370+ " .long 0b,3b\n"
15371+ " .long 1b,2b\n"
15372+ ".previous"
15373+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15374+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15375+ : "memory");
15376+ return size;
15377+}
15378+
15379+static unsigned long
15380+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
15381+{
15382+ int __d0, __d1, __d2;
15383+
15384+ __asm__ __volatile__(
15385+ " movw %w8,%%ds\n"
15386+ " cmp $7,%0\n"
15387+ " jbe 1f\n"
15388+ " movl %1,%0\n"
15389+ " negl %0\n"
15390+ " andl $7,%0\n"
15391+ " subl %0,%3\n"
15392+ "4: rep; movsb\n"
15393+ " movl %3,%0\n"
15394+ " shrl $2,%0\n"
15395+ " andl $3,%3\n"
15396+ " .align 2,0x90\n"
15397+ "0: rep; movsl\n"
15398+ " movl %3,%0\n"
15399+ "1: rep; movsb\n"
15400+ "2:\n"
15401+ " pushl %%ss\n"
15402+ " popl %%ds\n"
15403+ ".section .fixup,\"ax\"\n"
15404+ "5: addl %3,%0\n"
15405+ " jmp 6f\n"
15406+ "3: lea 0(%3,%0,4),%0\n"
15407+ "6: pushl %0\n"
15408+ " pushl %%eax\n"
15409+ " xorl %%eax,%%eax\n"
15410+ " rep; stosb\n"
15411+ " popl %%eax\n"
15412+ " popl %0\n"
15413+ " jmp 2b\n"
15414+ ".previous\n"
15415+ ".section __ex_table,\"a\"\n"
15416+ " .align 4\n"
15417+ " .long 4b,5b\n"
15418+ " .long 0b,3b\n"
15419+ " .long 1b,6b\n"
15420+ ".previous"
15421+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15422+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15423+ : "memory");
15424+ return size;
15425+}
15426
15427 unsigned long __copy_to_user_ll(void __user *to, const void *from,
15428 unsigned long n)
15429@@ -775,9 +966,9 @@ survive:
15430 }
15431 #endif
15432 if (movsl_is_ok(to, from, n))
15433- __copy_user(to, from, n);
15434+ n = __generic_copy_to_user(to, from, n);
15435 else
15436- n = __copy_user_intel(to, from, n);
15437+ n = __generic_copy_to_user_intel(to, from, n);
15438 return n;
15439 }
15440 EXPORT_SYMBOL(__copy_to_user_ll);
15441@@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
15442 unsigned long n)
15443 {
15444 if (movsl_is_ok(to, from, n))
15445- __copy_user_zeroing(to, from, n);
15446+ n = __copy_user_zeroing(to, from, n);
15447 else
15448 n = __copy_user_zeroing_intel(to, from, n);
15449 return n;
15450@@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
15451 unsigned long n)
15452 {
15453 if (movsl_is_ok(to, from, n))
15454- __copy_user(to, from, n);
15455+ n = __generic_copy_from_user(to, from, n);
15456 else
15457- n = __copy_user_intel((void __user *)to,
15458- (const void *)from, n);
15459+ n = __generic_copy_from_user_intel(to, from, n);
15460 return n;
15461 }
15462 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
15463@@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
15464 if (n > 64 && cpu_has_xmm2)
15465 n = __copy_user_zeroing_intel_nocache(to, from, n);
15466 else
15467- __copy_user_zeroing(to, from, n);
15468+ n = __copy_user_zeroing(to, from, n);
15469 #else
15470- __copy_user_zeroing(to, from, n);
15471+ n = __copy_user_zeroing(to, from, n);
15472 #endif
15473 return n;
15474 }
15475@@ -827,59 +1017,40 @@ unsigned long __copy_from_user_ll_nocach
15476 if (n > 64 && cpu_has_xmm2)
15477 n = __copy_user_intel_nocache(to, from, n);
15478 else
15479- __copy_user(to, from, n);
15480+ n = __generic_copy_from_user(to, from, n);
15481 #else
15482- __copy_user(to, from, n);
15483+ n = __generic_copy_from_user(to, from, n);
15484 #endif
15485 return n;
15486 }
15487 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
15488
15489-/**
15490- * copy_to_user: - Copy a block of data into user space.
15491- * @to: Destination address, in user space.
15492- * @from: Source address, in kernel space.
15493- * @n: Number of bytes to copy.
15494- *
15495- * Context: User context only. This function may sleep.
15496- *
15497- * Copy data from kernel space to user space.
15498- *
15499- * Returns number of bytes that could not be copied.
15500- * On success, this will be zero.
15501- */
15502-unsigned long
15503-copy_to_user(void __user *to, const void *from, unsigned long n)
15504+#ifdef CONFIG_PAX_MEMORY_UDEREF
15505+void __set_fs(mm_segment_t x, int cpu)
15506 {
15507- if (access_ok(VERIFY_WRITE, to, n))
15508- n = __copy_to_user(to, from, n);
15509- return n;
15510+ unsigned long limit = x.seg;
15511+ struct desc_struct d;
15512+
15513+ current_thread_info()->addr_limit = x;
15514+ if (unlikely(paravirt_enabled()))
15515+ return;
15516+
15517+ if (likely(limit))
15518+ limit = (limit - 1UL) >> PAGE_SHIFT;
15519+ pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
15520+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
15521 }
15522-EXPORT_SYMBOL(copy_to_user);
15523
15524-/**
15525- * copy_from_user: - Copy a block of data from user space.
15526- * @to: Destination address, in kernel space.
15527- * @from: Source address, in user space.
15528- * @n: Number of bytes to copy.
15529- *
15530- * Context: User context only. This function may sleep.
15531- *
15532- * Copy data from user space to kernel space.
15533- *
15534- * Returns number of bytes that could not be copied.
15535- * On success, this will be zero.
15536- *
15537- * If some data could not be copied, this function will pad the copied
15538- * data to the requested size using zero bytes.
15539- */
15540-unsigned long
15541-copy_from_user(void *to, const void __user *from, unsigned long n)
15542+void set_fs(mm_segment_t x)
15543 {
15544- if (access_ok(VERIFY_READ, from, n))
15545- n = __copy_from_user(to, from, n);
15546- else
15547- memset(to, 0, n);
15548- return n;
15549+ __set_fs(x, get_cpu());
15550+ put_cpu();
15551 }
15552-EXPORT_SYMBOL(copy_from_user);
15553+#else
15554+void set_fs(mm_segment_t x)
15555+{
15556+ current_thread_info()->addr_limit = x;
15557+}
15558+#endif
15559+
15560+EXPORT_SYMBOL(set_fs);
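Review bot: In `__set_fs`, the `0xF3` and `0xC` passed to `pack_descriptor()` are bare numbers, and nothing states that the function rewrites the user data segment so its limit follows `addr_limit`. I would add a comment above the call such as `/* present, DPL 3, read/write data, accessed; 4K granularity, 32-bit */`. The early `return` also needs a comment saying that under paravirt only `addr_limit` is updated and the GDT entry is left untouched. `__set_fs` writes the GDT slot of whatever `cpu` it is handed; `set_fs` brackets it with `get_cpu()`/`put_cpu()`, so a line stating that any other caller must have preemption disabled would close the gap.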
15561diff -urNp linux-2.6.32.9/arch/x86/Makefile linux-2.6.32.9/arch/x86/Makefile
15562--- linux-2.6.32.9/arch/x86/Makefile 2010-02-09 07:57:19.000000000 -0500
15563+++ linux-2.6.32.9/arch/x86/Makefile 2010-02-23 17:09:53.132248096 -0500
15564@@ -189,3 +189,12 @@ define archhelp
15565 echo ' FDARGS="..." arguments for the booted kernel'
15566 echo ' FDINITRD=file initrd for the booted kernel'
15567 endef
15568+
15569+define OLD_LD
15570+
15571+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
15572+*** Please upgrade your binutils to 2.18 or newer
15573+endef
15574+
15575+archprepare:
15576+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
15577diff -urNp linux-2.6.32.9/arch/x86/mm/extable.c linux-2.6.32.9/arch/x86/mm/extable.c
15578--- linux-2.6.32.9/arch/x86/mm/extable.c 2010-02-09 07:57:19.000000000 -0500
15579+++ linux-2.6.32.9/arch/x86/mm/extable.c 2010-02-23 17:09:53.132248096 -0500
15580@@ -1,14 +1,71 @@
15581 #include <linux/module.h>
15582 #include <linux/spinlock.h>
15583+#include <linux/sort.h>
15584 #include <asm/uaccess.h>
15585+#include <asm/pgtable.h>
15586
15587+/*
15588+ * The exception table needs to be sorted so that the binary
15589+ * search that we use to find entries in it works properly.
15590+ * This is used both for the kernel exception table and for
15591+ * the exception tables of modules that get loaded.
15592+ */
15593+static int cmp_ex(const void *a, const void *b)
15594+{
15595+ const struct exception_table_entry *x = a, *y = b;
15596+
15597+ /* avoid overflow */
15598+ if (x->insn > y->insn)
15599+ return 1;
15600+ if (x->insn < y->insn)
15601+ return -1;
15602+ return 0;
15603+}
15604+
15605+static void swap_ex(void *a, void *b, int size)
15606+{
15607+ struct exception_table_entry t, *x = a, *y = b;
15608+
15609+ t = *x;
15610+
15611+ pax_open_kernel();
15612+ *x = *y;
15613+ *y = t;
15614+ pax_close_kernel();
15615+}
15616+
15617+void sort_extable(struct exception_table_entry *start,
15618+ struct exception_table_entry *finish)
15619+{
15620+ sort(start, finish - start, sizeof(struct exception_table_entry),
15621+ cmp_ex, swap_ex);
15622+}
15623+
15624+#ifdef CONFIG_MODULES
15625+/*
15626+ * If the exception table is sorted, any referring to the module init
15627+ * will be at the beginning or the end.
15628+ */
15629+void trim_init_extable(struct module *m)
15630+{
15631+ /*trim the beginning*/
15632+ while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
15633+ m->extable++;
15634+ m->num_exentries--;
15635+ }
15636+ /*trim the end*/
15637+ while (m->num_exentries &&
15638+ within_module_init(m->extable[m->num_exentries-1].insn, m))
15639+ m->num_exentries--;
15640+}
15641+#endif /* CONFIG_MODULES */
15642
15643 int fixup_exception(struct pt_regs *regs)
15644 {
15645 const struct exception_table_entry *fixup;
15646
15647 #ifdef CONFIG_PNPBIOS
15648- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
15649+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
15650 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
15651 extern u32 pnp_bios_is_utter_crap;
15652 pnp_bios_is_utter_crap = 1;
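Review bot: `swap_ex` wraps its two stores in `pax_open_kernel()`/`pax_close_kernel()` without saying why, and it ignores its `size` argument. If the reason is that the exception table sits in memory that is read-only under KERNEXEC (my reading, not shown in this hunk), a one-line comment such as `/* extable may be mapped read-only; open a write window for the swap */` would spare the next reader the guess. The added `!v8086_mode(regs)` test in `fixup_exception` deserves the same, e.g. `/* in vm86 mode regs->cs is a real-mode segment value, not a selector */`. `fixup_exception` continues past the end of the hunk.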
15653diff -urNp linux-2.6.32.9/arch/x86/mm/fault.c linux-2.6.32.9/arch/x86/mm/fault.c
15654--- linux-2.6.32.9/arch/x86/mm/fault.c 2010-02-09 07:57:19.000000000 -0500
15655+++ linux-2.6.32.9/arch/x86/mm/fault.c 2010-02-23 17:09:53.132248096 -0500
15656@@ -11,10 +11,14 @@
15657 #include <linux/kprobes.h> /* __kprobes, ... */
15658 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
15659 #include <linux/perf_event.h> /* perf_sw_event */
15660+#include <linux/unistd.h>
15661+#include <linux/compiler.h>
15662
15663 #include <asm/traps.h> /* dotraplinkage, ... */
15664 #include <asm/pgalloc.h> /* pgd_*(), ... */
15665 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
15666+#include <asm/vsyscall.h>
15667+#include <asm/tlbflush.h>
15668
15669 /*
15670 * Page fault error code bits:
15671@@ -51,7 +55,7 @@ static inline int notify_page_fault(stru
15672 int ret = 0;
15673
15674 /* kprobe_running() needs smp_processor_id() */
15675- if (kprobes_built_in() && !user_mode_vm(regs)) {
15676+ if (kprobes_built_in() && !user_mode(regs)) {
15677 preempt_disable();
15678 if (kprobe_running() && kprobe_fault_handler(regs, 14))
15679 ret = 1;
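Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault` is only safe if this patch also redefines `user_mode()` to cover vm86 mode, and that definition is not in this hunk. In the unpatched 32-bit tree `user_mode()` looks only at the CS privilege bits, so a vm86 task could be treated as kernel mode here and handed to the kprobes fault handler. Please confirm the redefinition, or add a comment at the call pointing to it. The same substitution appears in the later `do_page_fault` hunk (`@@ -1017,7 +1220,7 @@`).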
15680@@ -172,6 +176,30 @@ force_sig_info_fault(int si_signo, int s
15681 force_sig_info(si_signo, &info, tsk);
15682 }
15683
15684+#ifdef CONFIG_PAX_EMUTRAMP
15685+static int pax_handle_fetch_fault(struct pt_regs *regs);
15686+#endif
15687+
15688+#ifdef CONFIG_PAX_PAGEEXEC
15689+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
15690+{
15691+ pgd_t *pgd;
15692+ pud_t *pud;
15693+ pmd_t *pmd;
15694+
15695+ pgd = pgd_offset(mm, address);
15696+ if (!pgd_present(*pgd))
15697+ return NULL;
15698+ pud = pud_offset(pgd, address);
15699+ if (!pud_present(*pud))
15700+ return NULL;
15701+ pmd = pmd_offset(pud, address);
15702+ if (!pmd_present(*pmd))
15703+ return NULL;
15704+ return pmd;
15705+}
15706+#endif
15707+
15708 DEFINE_SPINLOCK(pgd_lock);
15709 LIST_HEAD(pgd_list);
15710
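Review bot: `pax_get_pmd` returns any present pmd, including one that maps a large page, and says nothing about the locking it expects. Its caller in this patch, `pax_handle_pageexec_fault`, passes the result straight to `pte_offset_map_lock()`, which is only meaningful for a pmd that points to a page table. Unless large user mappings cannot reach this path (not determinable from the hunk), I would reject them here with `if (!pmd_present(*pmd) || pmd_large(*pmd)) return NULL;`. A header comment should also state that the caller is expected to hold `mm->mmap_sem`, as the visible caller appears to.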
15711@@ -535,7 +563,7 @@ static int is_errata93(struct pt_regs *r
15712 static int is_errata100(struct pt_regs *regs, unsigned long address)
15713 {
15714 #ifdef CONFIG_X86_64
15715- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
15716+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
15717 return 1;
15718 #endif
15719 return 0;
15720@@ -562,7 +590,7 @@ static int is_f00f_bug(struct pt_regs *r
15721 }
15722
15723 static const char nx_warning[] = KERN_CRIT
15724-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
15725+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
15726
15727 static void
15728 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
15729@@ -571,15 +599,26 @@ show_fault_oops(struct pt_regs *regs, un
15730 if (!oops_may_print())
15731 return;
15732
15733- if (error_code & PF_INSTR) {
15734+ if (nx_enabled && (error_code & PF_INSTR)) {
15735 unsigned int level;
15736
15737 pte_t *pte = lookup_address(address, &level);
15738
15739 if (pte && pte_present(*pte) && !pte_exec(*pte))
15740- printk(nx_warning, current_uid());
15741+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
15742 }
15743
15744+#ifdef CONFIG_PAX_KERNEXEC
15745+ if (init_mm.start_code <= address && address < init_mm.end_code) {
15746+ if (current->signal->curr_ip)
15747+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
15748+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
15749+ else
15750+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
15751+ current->comm, task_pid_nr(current), current_uid(), current_euid());
15752+ }
15753+#endif
15754+
15755 printk(KERN_ALERT "BUG: unable to handle kernel ");
15756 if (address < PAGE_SIZE)
15757 printk(KERN_CONT "NULL pointer dereference");
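Review bot: The KERNEXEC block logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. A read or instruction-fetch fault in that range would be reported as a write attempt, which misleads whoever triages the oops. If the message is meant literally, gate it on the write bit: `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`. `show_fault_oops` starts and ends outside this hunk.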
15758@@ -704,6 +743,68 @@ __bad_area_nosemaphore(struct pt_regs *r
15759 unsigned long address, int si_code)
15760 {
15761 struct task_struct *tsk = current;
15762+ struct mm_struct *mm = tsk->mm;
15763+
15764+#ifdef CONFIG_X86_64
15765+ if (mm && (error_code & PF_INSTR)) {
15766+ if (regs->ip == (unsigned long)vgettimeofday) {
15767+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
15768+ return;
15769+ } else if (regs->ip == (unsigned long)vtime) {
15770+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
15771+ return;
15772+ } else if (regs->ip == (unsigned long)vgetcpu) {
15773+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
15774+ return;
15775+ }
15776+ }
15777+#endif
15778+
15779+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15780+ if (mm && (error_code & PF_USER)) {
15781+ unsigned long ip = regs->ip;
15782+
15783+ if (v8086_mode(regs))
15784+ ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
15785+
15786+ /*
15787+ * It's possible to have interrupts off here:
15788+ */
15789+ local_irq_enable();
15790+
15791+#ifdef CONFIG_PAX_PAGEEXEC
15792+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
15793+ ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
15794+
15795+#ifdef CONFIG_PAX_EMUTRAMP
15796+ switch (pax_handle_fetch_fault(regs)) {
15797+ case 2:
15798+ return;
15799+ }
15800+#endif
15801+
15802+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
15803+ do_group_exit(SIGKILL);
15804+ }
15805+#endif
15806+
15807+#ifdef CONFIG_PAX_SEGMEXEC
15808+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
15809+
15810+#ifdef CONFIG_PAX_EMUTRAMP
15811+ switch (pax_handle_fetch_fault(regs)) {
15812+ case 2:
15813+ return;
15814+ }
15815+#endif
15816+
15817+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
15818+ do_group_exit(SIGKILL);
15819+ }
15820+#endif
15821+
15822+ }
15823+#endif
15824
15825 /* User mode accesses just cause a SIGSEGV */
15826 if (error_code & PF_USER) {
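Review bot: The local `ip` in the PAGEEXEC/SEGMEXEC block is computed, including the vm86 linear-address adjustment, and then never read: both tests below compare `regs->ip` against `address`. Either the comparisons were meant to use `ip` (`ip == address`, `ip + SEGMEXEC_TASK_SIZE == address`), in which case vm86 faults are currently compared against the wrong value, or the variable and the `v8086_mode()` branch are dead and should go. The repeated `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` would also read better as an `if` against a named constant. `__bad_area_nosemaphore` begins before and continues after the hunk.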
15827@@ -848,6 +949,106 @@ static int spurious_fault_check(unsigned
15828 return 1;
15829 }
15830
15831+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
15832+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
15833+{
15834+ pte_t *pte;
15835+ pmd_t *pmd;
15836+ spinlock_t *ptl;
15837+ unsigned char pte_mask;
15838+
15839+ if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
15840+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
15841+ return 0;
15842+
15843+ /* PaX: it's our fault, let's handle it if we can */
15844+
15845+ /* PaX: take a look at read faults before acquiring any locks */
15846+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
15847+ /* instruction fetch attempt from a protected page in user mode */
15848+ up_read(&mm->mmap_sem);
15849+
15850+#ifdef CONFIG_PAX_EMUTRAMP
15851+ switch (pax_handle_fetch_fault(regs)) {
15852+ case 2:
15853+ return 1;
15854+ }
15855+#endif
15856+
15857+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
15858+ do_group_exit(SIGKILL);
15859+ }
15860+
15861+ pmd = pax_get_pmd(mm, address);
15862+ if (unlikely(!pmd))
15863+ return 0;
15864+
15865+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
15866+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
15867+ pte_unmap_unlock(pte, ptl);
15868+ return 0;
15869+ }
15870+
15871+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
15872+ /* write attempt to a protected page in user mode */
15873+ pte_unmap_unlock(pte, ptl);
15874+ return 0;
15875+ }
15876+
15877+#ifdef CONFIG_SMP
15878+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
15879+#else
15880+ if (likely(address > get_limit(regs->cs)))
15881+#endif
15882+ {
15883+ set_pte(pte, pte_mkread(*pte));
15884+ __flush_tlb_one(address);
15885+ pte_unmap_unlock(pte, ptl);
15886+ up_read(&mm->mmap_sem);
15887+ return 1;
15888+ }
15889+
15890+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
15891+
15892+ /*
15893+ * PaX: fill DTLB with user rights and retry
15894+ */
15895+ __asm__ __volatile__ (
15896+#ifdef CONFIG_PAX_MEMORY_UDEREF
15897+ "movw %w4,%%es\n"
15898+#endif
15899+ "orb %2,(%1)\n"
15900+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
15901+/*
15902+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
15903+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
15904+ * page fault when examined during a TLB load attempt. this is true not only
15905+ * for PTEs holding a non-present entry but also present entries that will
15906+ * raise a page fault (such as those set up by PaX, or the copy-on-write
15907+ * mechanism). in effect it means that we do *not* need to flush the TLBs
15908+ * for our target pages since their PTEs are simply not in the TLBs at all.
15909+
15910+ * the best thing in omitting it is that we gain around 15-20% speed in the
15911+ * fast path of the page fault handler and can get rid of tracing since we
15912+ * can no longer flush unintended entries.
15913+ */
15914+ "invlpg (%0)\n"
15915+#endif
15916+ "testb $0,%%es:(%0)\n"
15917+ "xorb %3,(%1)\n"
15918+#ifdef CONFIG_PAX_MEMORY_UDEREF
15919+ "pushl %%ss\n"
15920+ "popl %%es\n"
15921+#endif
15922+ :
15923+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
15924+ : "memory", "cc");
15925+ pte_unmap_unlock(pte, ptl);
15926+ up_read(&mm->mmap_sem);
15927+ return 1;
15928+}
15929+#endif
15930+
15931 /*
15932 * Handle a spurious fault caused by a stale TLB entry.
15933 *
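Review bot: `pax_handle_pageexec_fault` has an undocumented locking contract: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore held for the caller. That is easy to break when editing either side, so the function needs a header comment, roughly `/* returns 1 if the fault was handled (mmap_sem released), 0 if the caller must continue (mmap_sem still held) */`. The `pte_mask` expression also depends on `PF_WRITE << (_PAGE_BIT_DIRTY-1)` landing exactly on the dirty bit; a `BUILD_BUG_ON((PF_WRITE << (_PAGE_BIT_DIRTY-1)) != _PAGE_DIRTY);` next to it would pin that assumption.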
15934@@ -914,6 +1115,9 @@ int show_unhandled_signals = 1;
15935 static inline int
15936 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
15937 {
15938+ if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
15939+ return 1;
15940+
15941 if (write) {
15942 /* write, present and write, not present: */
15943 if (unlikely(!(vma->vm_flags & VM_WRITE)))
15944@@ -947,17 +1151,16 @@ do_page_fault(struct pt_regs *regs, unsi
15945 {
15946 struct vm_area_struct *vma;
15947 struct task_struct *tsk;
15948- unsigned long address;
15949 struct mm_struct *mm;
15950 int write;
15951 int fault;
15952
15953+ /* Get the faulting address: */
15954+ const unsigned long address = read_cr2();
15955+
15956 tsk = current;
15957 mm = tsk->mm;
15958
15959- /* Get the faulting address: */
15960- address = read_cr2();
15961-
15962 /*
15963 * Detect and handle instructions that would cause a page fault for
15964 * both a tracked kernel page and a userspace page.
15965@@ -1017,7 +1220,7 @@ do_page_fault(struct pt_regs *regs, unsi
15966 * User-mode registers count as a user access even for any
15967 * potential system fault or CPU buglet:
15968 */
15969- if (user_mode_vm(regs)) {
15970+ if (user_mode(regs)) {
15971 local_irq_enable();
15972 error_code |= PF_USER;
15973 } else {
15974@@ -1071,6 +1274,11 @@ do_page_fault(struct pt_regs *regs, unsi
15975 might_sleep();
15976 }
15977
15978+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
15979+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
15980+ return;
15981+#endif
15982+
15983 vma = find_vma(mm, address);
15984 if (unlikely(!vma)) {
15985 bad_area(regs, error_code, address);
15986@@ -1082,18 +1290,24 @@ do_page_fault(struct pt_regs *regs, unsi
15987 bad_area(regs, error_code, address);
15988 return;
15989 }
15990- if (error_code & PF_USER) {
15991- /*
15992- * Accessing the stack below %sp is always a bug.
15993- * The large cushion allows instructions like enter
15994- * and pusha to work. ("enter $65535, $31" pushes
15995- * 32 pointers and then decrements %sp by 65535.)
15996- */
15997- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
15998- bad_area(regs, error_code, address);
15999- return;
16000- }
16001+ /*
16002+ * Accessing the stack below %sp is always a bug.
16003+ * The large cushion allows instructions like enter
16004+ * and pusha to work. ("enter $65535, $31" pushes
16005+ * 32 pointers and then decrements %sp by 65535.)
16006+ */
16007+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
16008+ bad_area(regs, error_code, address);
16009+ return;
16010+ }
16011+
16012+#ifdef CONFIG_PAX_SEGMEXEC
16013+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
16014+ bad_area(regs, error_code, address);
16015+ return;
16016 }
16017+#endif
16018+
16019 if (unlikely(expand_stack(vma, address))) {
16020 bad_area(regs, error_code, address);
16021 return;
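Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` only works through unsigned wraparound and has no comment. As far as I can tell it is true exactly when `address` is at or below `SEGMEXEC_TASK_SIZE` while `vma->vm_end` is above it, so it refuses to grow a stack vma across that boundary; please say so in a comment above the `if`. The same hunk drops the `error_code & PF_USER` guard, so the below-`%sp` check now also applies to kernel-mode accesses and uses `task_pt_regs(tsk)->sp`. That behaviour change should be mentioned next to the retained comment. `do_page_fault` extends beyond the hunk on both sides.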
16022@@ -1137,3 +1351,199 @@ good_area:
16023
16024 up_read(&mm->mmap_sem);
16025 }
16026+
16027+#ifdef CONFIG_PAX_EMUTRAMP
16028+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
16029+{
16030+ int err;
16031+
16032+ do { /* PaX: gcc trampoline emulation #1 */
16033+ unsigned char mov1, mov2;
16034+ unsigned short jmp;
16035+ unsigned int addr1, addr2;
16036+
16037+#ifdef CONFIG_X86_64
16038+ if ((regs->ip + 11) >> 32)
16039+ break;
16040+#endif
16041+
16042+ err = get_user(mov1, (unsigned char __user *)regs->ip);
16043+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16044+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
16045+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16046+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
16047+
16048+ if (err)
16049+ break;
16050+
16051+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
16052+ regs->cx = addr1;
16053+ regs->ax = addr2;
16054+ regs->ip = addr2;
16055+ return 2;
16056+ }
16057+ } while (0);
16058+
16059+ do { /* PaX: gcc trampoline emulation #2 */
16060+ unsigned char mov, jmp;
16061+ unsigned int addr1, addr2;
16062+
16063+#ifdef CONFIG_X86_64
16064+ if ((regs->ip + 9) >> 32)
16065+ break;
16066+#endif
16067+
16068+ err = get_user(mov, (unsigned char __user *)regs->ip);
16069+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16070+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
16071+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16072+
16073+ if (err)
16074+ break;
16075+
16076+ if (mov == 0xB9 && jmp == 0xE9) {
16077+ regs->cx = addr1;
16078+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
16079+ return 2;
16080+ }
16081+ } while (0);
16082+
16083+ return 1; /* PaX in action */
16084+}
16085+
16086+#ifdef CONFIG_X86_64
16087+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
16088+{
16089+ int err;
16090+
16091+ do { /* PaX: gcc trampoline emulation #1 */
16092+ unsigned short mov1, mov2, jmp1;
16093+ unsigned char jmp2;
16094+ unsigned int addr1;
16095+ unsigned long addr2;
16096+
16097+ err = get_user(mov1, (unsigned short __user *)regs->ip);
16098+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
16099+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
16100+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
16101+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
16102+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
16103+
16104+ if (err)
16105+ break;
16106+
16107+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16108+ regs->r11 = addr1;
16109+ regs->r10 = addr2;
16110+ regs->ip = addr1;
16111+ return 2;
16112+ }
16113+ } while (0);
16114+
16115+ do { /* PaX: gcc trampoline emulation #2 */
16116+ unsigned short mov1, mov2, jmp1;
16117+ unsigned char jmp2;
16118+ unsigned long addr1, addr2;
16119+
16120+ err = get_user(mov1, (unsigned short __user *)regs->ip);
16121+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
16122+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
16123+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
16124+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
16125+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
16126+
16127+ if (err)
16128+ break;
16129+
16130+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16131+ regs->r11 = addr1;
16132+ regs->r10 = addr2;
16133+ regs->ip = addr1;
16134+ return 2;
16135+ }
16136+ } while (0);
16137+
16138+ return 1; /* PaX in action */
16139+}
16140+#endif
16141+
16142+/*
16143+ * PaX: decide what to do with offenders (regs->ip = fault address)
16144+ *
16145+ * returns 1 when task should be killed
16146+ * 2 when gcc trampoline was detected
16147+ */
16148+static int pax_handle_fetch_fault(struct pt_regs *regs)
16149+{
16150+ if (v8086_mode(regs))
16151+ return 1;
16152+
16153+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
16154+ return 1;
16155+
16156+#ifdef CONFIG_X86_32
16157+ return pax_handle_fetch_fault_32(regs);
16158+#else
16159+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
16160+ return pax_handle_fetch_fault_32(regs);
16161+ else
16162+ return pax_handle_fetch_fault_64(regs);
16163+#endif
16164+}
16165+#endif
16166+
16167+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16168+void pax_report_insns(void *pc, void *sp)
16169+{
16170+ long i;
16171+
16172+ printk(KERN_ERR "PAX: bytes at PC: ");
16173+ for (i = 0; i < 20; i++) {
16174+ unsigned char c;
16175+ if (get_user(c, (__force unsigned char __user *)pc+i))
16176+ printk(KERN_CONT "?? ");
16177+ else
16178+ printk(KERN_CONT "%02x ", c);
16179+ }
16180+ printk("\n");
16181+
16182+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
16183+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
16184+ unsigned long c;
16185+ if (get_user(c, (__force unsigned long __user *)sp+i))
16186+#ifdef CONFIG_X86_32
16187+ printk(KERN_CONT "???????? ");
16188+#else
16189+ printk(KERN_CONT "???????????????? ");
16190+#endif
16191+ else
16192+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
16193+ }
16194+ printk("\n");
16195+}
16196+#endif
16197+
16198+/**
16199+ * probe_kernel_write(): safely attempt to write to a location
16200+ * @dst: address to write to
16201+ * @src: pointer to the data that shall be written
16202+ * @size: size of the data chunk
16203+ *
16204+ * Safely write to address @dst from the buffer at @src. If a kernel fault
16205+ * happens, handle that and return -EFAULT.
16206+ */
16207+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
16208+{
16209+ long ret;
16210+ mm_segment_t old_fs = get_fs();
16211+
16212+ set_fs(KERNEL_DS);
16213+ pagefault_disable();
16214+ pax_open_kernel();
16215+ ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
16216+ pax_close_kernel();
16217+ pagefault_enable();
16218+ set_fs(old_fs);
16219+
16220+ return ret ? -EFAULT : 0;
16221+}
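Review bot: The kernel-doc for `probe_kernel_write` describes only the fault handling, but this version also calls `pax_open_kernel()` around the copy. If that call lifts kernel write protection, as its name and its use in `swap_ex` suggest, the write goes through even when `dst` is in memory the patch otherwise keeps read-only. Validating `dst` is then entirely the caller's job, and the comment should say so, for example `Note: write protection is lifted for the duration of the copy; callers must ensure @dst is an intended target.` Separately, `pax_handle_fetch_fault` and its helpers return bare `1` and `2`; an enum would make the `case 2:` sites self-explanatory.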
16222diff -urNp linux-2.6.32.9/arch/x86/mm/gup.c linux-2.6.32.9/arch/x86/mm/gup.c
16223--- linux-2.6.32.9/arch/x86/mm/gup.c 2010-02-09 07:57:19.000000000 -0500
16224+++ linux-2.6.32.9/arch/x86/mm/gup.c 2010-02-23 17:09:53.132248096 -0500
16225@@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
16226 addr = start;
16227 len = (unsigned long) nr_pages << PAGE_SHIFT;
16228 end = start + len;
16229- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16230+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16231 (void __user *)start, len)))
16232 return 0;
16233
16234diff -urNp linux-2.6.32.9/arch/x86/mm/highmem_32.c linux-2.6.32.9/arch/x86/mm/highmem_32.c
16235--- linux-2.6.32.9/arch/x86/mm/highmem_32.c 2010-02-09 07:57:19.000000000 -0500
16236+++ linux-2.6.32.9/arch/x86/mm/highmem_32.c 2010-02-23 17:09:53.132248096 -0500
16237@@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
16238 idx = type + KM_TYPE_NR*smp_processor_id();
16239 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
16240 BUG_ON(!pte_none(*(kmap_pte-idx)));
16241+
16242+ pax_open_kernel();
16243 set_pte(kmap_pte-idx, mk_pte(page, prot));
16244+ pax_close_kernel();
16245
16246 return (void *)vaddr;
16247 }
16248diff -urNp linux-2.6.32.9/arch/x86/mm/hugetlbpage.c linux-2.6.32.9/arch/x86/mm/hugetlbpage.c
16249--- linux-2.6.32.9/arch/x86/mm/hugetlbpage.c 2010-02-09 07:57:19.000000000 -0500
16250+++ linux-2.6.32.9/arch/x86/mm/hugetlbpage.c 2010-02-23 17:09:53.132248096 -0500
16251@@ -267,13 +267,18 @@ static unsigned long hugetlb_get_unmappe
16252 struct hstate *h = hstate_file(file);
16253 struct mm_struct *mm = current->mm;
16254 struct vm_area_struct *vma;
16255- unsigned long start_addr;
16256+ unsigned long start_addr, pax_task_size = TASK_SIZE;
16257+
16258+#ifdef CONFIG_PAX_SEGMEXEC
16259+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16260+ pax_task_size = SEGMEXEC_TASK_SIZE;
16261+#endif
16262
16263 if (len > mm->cached_hole_size) {
16264- start_addr = mm->free_area_cache;
16265+ start_addr = mm->free_area_cache;
16266 } else {
16267- start_addr = TASK_UNMAPPED_BASE;
16268- mm->cached_hole_size = 0;
16269+ start_addr = mm->mmap_base;
16270+ mm->cached_hole_size = 0;
16271 }
16272
16273 full_search:
16274@@ -281,13 +286,13 @@ full_search:
16275
16276 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16277 /* At this point: (!vma || addr < vma->vm_end). */
16278- if (TASK_SIZE - len < addr) {
16279+ if (pax_task_size - len < addr) {
16280 /*
16281 * Start a new search - just in case we missed
16282 * some holes.
16283 */
16284- if (start_addr != TASK_UNMAPPED_BASE) {
16285- start_addr = TASK_UNMAPPED_BASE;
16286+ if (start_addr != mm->mmap_base) {
16287+ start_addr = mm->mmap_base;
16288 mm->cached_hole_size = 0;
16289 goto full_search;
16290 }
16291@@ -310,9 +315,8 @@ static unsigned long hugetlb_get_unmappe
16292 struct hstate *h = hstate_file(file);
16293 struct mm_struct *mm = current->mm;
16294 struct vm_area_struct *vma, *prev_vma;
16295- unsigned long base = mm->mmap_base, addr = addr0;
16296+ unsigned long base = mm->mmap_base, addr;
16297 unsigned long largest_hole = mm->cached_hole_size;
16298- int first_time = 1;
16299
16300 /* don't allow allocations above current base */
16301 if (mm->free_area_cache > base)
16302@@ -322,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
16303 largest_hole = 0;
16304 mm->free_area_cache = base;
16305 }
16306-try_again:
16307+
16308 /* make sure it can fit in the remaining address space */
16309 if (mm->free_area_cache < len)
16310 goto fail;
16311@@ -364,22 +368,26 @@ try_again:
16312
16313 fail:
16314 /*
16315- * if hint left us with no space for the requested
16316- * mapping then try again:
16317- */
16318- if (first_time) {
16319- mm->free_area_cache = base;
16320- largest_hole = 0;
16321- first_time = 0;
16322- goto try_again;
16323- }
16324- /*
16325 * A failed mmap() very likely causes application failure,
16326 * so fall back to the bottom-up function here. This scenario
16327 * can happen with large stack limits and large mmap()
16328 * allocations.
16329 */
16330- mm->free_area_cache = TASK_UNMAPPED_BASE;
16331+
16332+#ifdef CONFIG_PAX_SEGMEXEC
16333+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16334+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
16335+ else
16336+#endif
16337+
16338+ mm->mmap_base = TASK_UNMAPPED_BASE;
16339+
16340+#ifdef CONFIG_PAX_RANDMMAP
16341+ if (mm->pax_flags & MF_PAX_RANDMMAP)
16342+ mm->mmap_base += mm->delta_mmap;
16343+#endif
16344+
16345+ mm->free_area_cache = mm->mmap_base;
16346 mm->cached_hole_size = ~0UL;
16347 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
16348 len, pgoff, flags);
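Review bot: In the `fail:` path the `else` of the SEGMEXEC test is closed by `#endif` and separated by a blank line from `mm->mmap_base = TASK_UNMAPPED_BASE;`, so whether that assignment is conditional depends on the configuration. It is correct as written, but one statement inserted between them would silently change the meaning; assigning the default first and overriding it inside the `#ifdef` is sturdier. The path also overwrites `mm->mmap_base` temporarily and relies on the restore in the next hunk (`mm->mmap_base = base;`), which deserves a comment tying the two together. The function starts before this hunk.

```c
	/* … unchanged: comment about falling back to the bottom-up function … */
	mm->mmap_base = TASK_UNMAPPED_BASE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
#endif

	/* … unchanged: CONFIG_PAX_RANDMMAP adjustment, free_area_cache reset … */
```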
16349@@ -387,6 +395,7 @@ fail:
16350 /*
16351 * Restore the topdown base:
16352 */
16353+ mm->mmap_base = base;
16354 mm->free_area_cache = base;
16355 mm->cached_hole_size = ~0UL;
16356
16357@@ -400,10 +409,17 @@ hugetlb_get_unmapped_area(struct file *f
16358 struct hstate *h = hstate_file(file);
16359 struct mm_struct *mm = current->mm;
16360 struct vm_area_struct *vma;
16361+ unsigned long pax_task_size = TASK_SIZE;
16362
16363 if (len & ~huge_page_mask(h))
16364 return -EINVAL;
16365- if (len > TASK_SIZE)
16366+
16367+#ifdef CONFIG_PAX_SEGMEXEC
16368+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16369+ pax_task_size = SEGMEXEC_TASK_SIZE;
16370+#endif
16371+
16372+ if (len > pax_task_size)
16373 return -ENOMEM;
16374
16375 if (flags & MAP_FIXED) {
16376@@ -415,7 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
16377 if (addr) {
16378 addr = ALIGN(addr, huge_page_size(h));
16379 vma = find_vma(mm, addr);
16380- if (TASK_SIZE - len >= addr &&
16381+ if (pax_task_size - len >= addr &&
16382 (!vma || addr + len <= vma->vm_start))
16383 return addr;
16384 }
16385diff -urNp linux-2.6.32.9/arch/x86/mm/init_32.c linux-2.6.32.9/arch/x86/mm/init_32.c
16386--- linux-2.6.32.9/arch/x86/mm/init_32.c 2010-02-09 07:57:19.000000000 -0500
16387+++ linux-2.6.32.9/arch/x86/mm/init_32.c 2010-02-23 17:09:53.132248096 -0500
16388@@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
16389 }
16390
16391 /*
16392- * Creates a middle page table and puts a pointer to it in the
16393- * given global directory entry. This only returns the gd entry
16394- * in non-PAE compilation mode, since the middle layer is folded.
16395- */
16396-static pmd_t * __init one_md_table_init(pgd_t *pgd)
16397-{
16398- pud_t *pud;
16399- pmd_t *pmd_table;
16400-
16401-#ifdef CONFIG_X86_PAE
16402- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
16403- if (after_bootmem)
16404- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
16405- else
16406- pmd_table = (pmd_t *)alloc_low_page();
16407- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
16408- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
16409- pud = pud_offset(pgd, 0);
16410- BUG_ON(pmd_table != pmd_offset(pud, 0));
16411-
16412- return pmd_table;
16413- }
16414-#endif
16415- pud = pud_offset(pgd, 0);
16416- pmd_table = pmd_offset(pud, 0);
16417-
16418- return pmd_table;
16419-}
16420-
16421-/*
16422 * Create a page table and place a pointer to it in a middle page
16423 * directory entry:
16424 */
16425@@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
16426 page_table = (pte_t *)alloc_low_page();
16427
16428 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
16429+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16430+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
16431+#else
16432 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
16433+#endif
16434 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
16435 }
16436
16437 return pte_offset_kernel(pmd, 0);
16438 }
16439
16440+static pmd_t * __init one_md_table_init(pgd_t *pgd)
16441+{
16442+ pud_t *pud;
16443+ pmd_t *pmd_table;
16444+
16445+ pud = pud_offset(pgd, 0);
16446+ pmd_table = pmd_offset(pud, 0);
16447+
16448+ return pmd_table;
16449+}
16450+
16451 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
16452 {
16453 int pgd_idx = pgd_index(vaddr);
16454@@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
16455 int pgd_idx, pmd_idx;
16456 unsigned long vaddr;
16457 pgd_t *pgd;
16458+ pud_t *pud;
16459 pmd_t *pmd;
16460 pte_t *pte = NULL;
16461
16462@@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
16463 pgd = pgd_base + pgd_idx;
16464
16465 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
16466- pmd = one_md_table_init(pgd);
16467- pmd = pmd + pmd_index(vaddr);
16468+ pud = pud_offset(pgd, vaddr);
16469+ pmd = pmd_offset(pud, vaddr);
16470+
16471+#ifdef CONFIG_X86_PAE
16472+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16473+#endif
16474+
16475 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
16476 pmd++, pmd_idx++) {
16477 pte = page_table_kmap_check(one_page_table_init(pmd),
16478@@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
16479 }
16480 }
16481
16482-static inline int is_kernel_text(unsigned long addr)
16483+static inline int is_kernel_text(unsigned long start, unsigned long end)
16484 {
16485- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
16486- return 1;
16487- return 0;
16488+ if ((start > ktla_ktva((unsigned long)_etext) ||
16489+ end <= ktla_ktva((unsigned long)_stext)) &&
16490+ (start > ktla_ktva((unsigned long)_einittext) ||
16491+ end <= ktla_ktva((unsigned long)_sinittext)) &&
16492+
16493+#ifdef CONFIG_ACPI_SLEEP
16494+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
16495+#endif
16496+
16497+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
16498+ return 0;
16499+ return 1;
16500 }
16501
16502 /*
16503@@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
16504 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
16505 unsigned long start_pfn, end_pfn;
16506 pgd_t *pgd_base = swapper_pg_dir;
16507- int pgd_idx, pmd_idx, pte_ofs;
16508+ unsigned int pgd_idx, pmd_idx, pte_ofs;
16509 unsigned long pfn;
16510 pgd_t *pgd;
16511+ pud_t *pud;
16512 pmd_t *pmd;
16513 pte_t *pte;
16514 unsigned pages_2m, pages_4k;
16515@@ -278,8 +279,13 @@ repeat:
16516 pfn = start_pfn;
16517 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16518 pgd = pgd_base + pgd_idx;
16519- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
16520- pmd = one_md_table_init(pgd);
16521+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
16522+ pud = pud_offset(pgd, 0);
16523+ pmd = pmd_offset(pud, 0);
16524+
16525+#ifdef CONFIG_X86_PAE
16526+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16527+#endif
16528
16529 if (pfn >= end_pfn)
16530 continue;
16531@@ -291,14 +297,13 @@ repeat:
16532 #endif
16533 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
16534 pmd++, pmd_idx++) {
16535- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
16536+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
16537
16538 /*
16539 * Map with big pages if possible, otherwise
16540 * create normal page tables:
16541 */
16542 if (use_pse) {
16543- unsigned int addr2;
16544 pgprot_t prot = PAGE_KERNEL_LARGE;
16545 /*
16546 * first pass will use the same initial
16547@@ -308,11 +313,7 @@ repeat:
16548 __pgprot(PTE_IDENT_ATTR |
16549 _PAGE_PSE);
16550
16551- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
16552- PAGE_OFFSET + PAGE_SIZE-1;
16553-
16554- if (is_kernel_text(addr) ||
16555- is_kernel_text(addr2))
16556+ if (is_kernel_text(address, address + PMD_SIZE))
16557 prot = PAGE_KERNEL_LARGE_EXEC;
16558
16559 pages_2m++;
16560@@ -329,7 +330,7 @@ repeat:
16561 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16562 pte += pte_ofs;
16563 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
16564- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
16565+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
16566 pgprot_t prot = PAGE_KERNEL;
16567 /*
16568 * first pass will use the same initial
16569@@ -337,7 +338,7 @@ repeat:
16570 */
16571 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
16572
16573- if (is_kernel_text(addr))
16574+ if (is_kernel_text(address, address + PAGE_SIZE))
16575 prot = PAGE_KERNEL_EXEC;
16576
16577 pages_4k++;
16578@@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
16579
16580 pud = pud_offset(pgd, va);
16581 pmd = pmd_offset(pud, va);
16582- if (!pmd_present(*pmd))
16583+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
16584 break;
16585
16586 pte = pte_offset_kernel(pmd, va);
16587@@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
16588
16589 static void __init pagetable_init(void)
16590 {
16591- pgd_t *pgd_base = swapper_pg_dir;
16592-
16593- permanent_kmaps_init(pgd_base);
16594+ permanent_kmaps_init(swapper_pg_dir);
16595 }
16596
16597 #ifdef CONFIG_ACPI_SLEEP
16598@@ -551,12 +550,12 @@ static void __init pagetable_init(void)
16599 * ACPI suspend needs this for resume, because things like the intel-agp
16600 * driver might have split up a kernel 4MB mapping.
16601 */
16602-char swsusp_pg_dir[PAGE_SIZE]
16603+pgd_t swsusp_pg_dir[PTRS_PER_PGD]
16604 __attribute__ ((aligned(PAGE_SIZE)));
16605
16606 static inline void save_pg_dir(void)
16607 {
16608- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
16609+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
16610 }
16611 #else /* !CONFIG_ACPI_SLEEP */
16612 static inline void save_pg_dir(void)
16613@@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
16614 flush_tlb_all();
16615 }
16616
16617-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16618+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16619 EXPORT_SYMBOL_GPL(__supported_pte_mask);
16620
16621 /* user-defined highmem size */
16622@@ -881,7 +880,7 @@ void __init mem_init(void)
16623 set_highmem_pages_init();
16624
16625 codesize = (unsigned long) &_etext - (unsigned long) &_text;
16626- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
16627+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
16628 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
16629
16630 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
16631@@ -923,10 +922,10 @@ void __init mem_init(void)
16632 ((unsigned long)&__init_end -
16633 (unsigned long)&__init_begin) >> 10,
16634
16635- (unsigned long)&_etext, (unsigned long)&_edata,
16636- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
16637+ (unsigned long)&_sdata, (unsigned long)&_edata,
16638+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
16639
16640- (unsigned long)&_text, (unsigned long)&_etext,
16641+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
16642 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
16643
16644 /*
16645@@ -1007,6 +1006,7 @@ void set_kernel_text_rw(void)
16646 if (!kernel_set_to_readonly)
16647 return;
16648
16649+ start = ktla_ktva(start);
16650 pr_debug("Set kernel text: %lx - %lx for read write\n",
16651 start, start+size);
16652
16653@@ -1021,6 +1021,7 @@ void set_kernel_text_ro(void)
16654 if (!kernel_set_to_readonly)
16655 return;
16656
16657+ start = ktla_ktva(start);
16658 pr_debug("Set kernel text: %lx - %lx for read only\n",
16659 start, start+size);
16660
16661@@ -1032,6 +1033,7 @@ void mark_rodata_ro(void)
16662 unsigned long start = PFN_ALIGN(_text);
16663 unsigned long size = PFN_ALIGN(_etext) - start;
16664
16665+ start = ktla_ktva(start);
16666 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
16667 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
16668 size >> 10);
16669diff -urNp linux-2.6.32.9/arch/x86/mm/init_64.c linux-2.6.32.9/arch/x86/mm/init_64.c
16670--- linux-2.6.32.9/arch/x86/mm/init_64.c 2010-02-09 07:57:19.000000000 -0500
16671+++ linux-2.6.32.9/arch/x86/mm/init_64.c 2010-02-23 17:09:53.132248096 -0500
16672@@ -163,7 +163,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
16673 pmd = fill_pmd(pud, vaddr);
16674 pte = fill_pte(pmd, vaddr);
16675
16676+ pax_open_kernel();
16677 set_pte(pte, new_pte);
16678+ pax_close_kernel();
16679
16680 /*
16681 * It's enough to flush this one mapping.
16682@@ -222,14 +224,12 @@ static void __init __init_extra_mapping(
16683 pgd = pgd_offset_k((unsigned long)__va(phys));
16684 if (pgd_none(*pgd)) {
16685 pud = (pud_t *) spp_getpage();
16686- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
16687- _PAGE_USER));
16688+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
16689 }
16690 pud = pud_offset(pgd, (unsigned long)__va(phys));
16691 if (pud_none(*pud)) {
16692 pmd = (pmd_t *) spp_getpage();
16693- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
16694- _PAGE_USER));
16695+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
16696 }
16697 pmd = pmd_offset(pud, phys);
16698 BUG_ON(!pmd_none(*pmd));
16699@@ -842,8 +842,8 @@ int kern_addr_valid(unsigned long addr)
16700 static struct vm_area_struct gate_vma = {
16701 .vm_start = VSYSCALL_START,
16702 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
16703- .vm_page_prot = PAGE_READONLY_EXEC,
16704- .vm_flags = VM_READ | VM_EXEC
16705+ .vm_page_prot = PAGE_READONLY,
16706+ .vm_flags = VM_READ
16707 };
16708
16709 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
16710@@ -877,7 +877,7 @@ int in_gate_area_no_task(unsigned long a
16711
16712 const char *arch_vma_name(struct vm_area_struct *vma)
16713 {
16714- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
16715+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
16716 return "[vdso]";
16717 if (vma == &gate_vma)
16718 return "[vsyscall]";
16719diff -urNp linux-2.6.32.9/arch/x86/mm/init.c linux-2.6.32.9/arch/x86/mm/init.c
16720--- linux-2.6.32.9/arch/x86/mm/init.c 2010-02-09 07:57:19.000000000 -0500
16721+++ linux-2.6.32.9/arch/x86/mm/init.c 2010-02-23 17:09:53.132248096 -0500
16722@@ -331,7 +331,13 @@ unsigned long __init_refok init_memory_m
16723 */
16724 int devmem_is_allowed(unsigned long pagenr)
16725 {
16726- if (pagenr <= 256)
16727+ if (!pagenr)
16728+ return 1;
16729+#ifdef CONFIG_VM86
16730+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
16731+ return 1;
16732+#endif
16733+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
16734 return 1;
16735 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
16736 return 0;
16737@@ -379,6 +385,83 @@ void free_init_pages(char *what, unsigne
16738
16739 void free_initmem(void)
16740 {
16741+
16742+#ifdef CONFIG_PAX_KERNEXEC
16743+ pgd_t *pgd;
16744+ pud_t *pud;
16745+ pmd_t *pmd;
16746+
16747+#ifdef CONFIG_X86_32
16748+ /* PaX: limit KERNEL_CS to actual size */
16749+ unsigned long addr, limit;
16750+ struct desc_struct d;
16751+ int cpu;
16752+
16753+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
16754+ limit = (limit - 1UL) >> PAGE_SHIFT;
16755+
16756+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
16757+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
16758+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
16759+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
16760+ }
16761+
16762+ /* PaX: make KERNEL_CS read-only */
16763+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
16764+ if (!paravirt_enabled())
16765+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
16766+/*
16767+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
16768+ pgd = pgd_offset_k(addr);
16769+ pud = pud_offset(pgd, addr);
16770+ pmd = pmd_offset(pud, addr);
16771+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
16772+ }
16773+*/
16774+#ifdef CONFIG_X86_PAE
16775+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
16776+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
16777+ pgd = pgd_offset_k(addr);
16778+ pud = pud_offset(pgd, addr);
16779+ pmd = pmd_offset(pud, addr);
16780+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
16781+ }
16782+#endif
16783+
16784+#ifdef CONFIG_MODULES
16785+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
16786+#endif
16787+
16788+#else
16789+ unsigned long addr, end;
16790+
16791+ /* PaX: make kernel code/rodata read-only, rest non-executable */
16792+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
16793+ pgd = pgd_offset_k(addr);
16794+ pud = pud_offset(pgd, addr);
16795+ pmd = pmd_offset(pud, addr);
16796+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
16797+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
16798+ else
16799+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
16800+ }
16801+
16802+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
16803+ end = addr + KERNEL_IMAGE_SIZE;
16804+ for (; addr < end; addr += PMD_SIZE) {
16805+ pgd = pgd_offset_k(addr);
16806+ pud = pud_offset(pgd, addr);
16807+ pmd = pmd_offset(pud, addr);
16808+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
16809+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
16810+ else
16811+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
16812+ }
16813+#endif
16814+
16815+ flush_tlb_all();
16816+#endif
16817+
16818 free_init_pages("unused kernel memory",
16819 (unsigned long)(&__init_begin),
16820 (unsigned long)(&__init_end));
16821diff -urNp linux-2.6.32.9/arch/x86/mm/iomap_32.c linux-2.6.32.9/arch/x86/mm/iomap_32.c
16822--- linux-2.6.32.9/arch/x86/mm/iomap_32.c 2010-02-09 07:57:19.000000000 -0500
16823+++ linux-2.6.32.9/arch/x86/mm/iomap_32.c 2010-02-23 17:09:53.132248096 -0500
16824@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
16825 debug_kmap_atomic(type);
16826 idx = type + KM_TYPE_NR * smp_processor_id();
16827 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
16828+
16829+ pax_open_kernel();
16830 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
16831+ pax_close_kernel();
16832+
16833 arch_flush_lazy_mmu_mode();
16834
16835 return (void *)vaddr;
16836diff -urNp linux-2.6.32.9/arch/x86/mm/ioremap.c linux-2.6.32.9/arch/x86/mm/ioremap.c
16837--- linux-2.6.32.9/arch/x86/mm/ioremap.c 2010-02-09 07:57:19.000000000 -0500
16838+++ linux-2.6.32.9/arch/x86/mm/ioremap.c 2010-02-23 17:09:53.132248096 -0500
16839@@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
16840 * Second special case: Some BIOSen report the PC BIOS
16841 * area (640->1Mb) as ram even though it is not.
16842 */
16843- if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
16844- pagenr < (BIOS_END >> PAGE_SHIFT))
16845+ if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
16846+ pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
16847 return 0;
16848
16849 for (i = 0; i < e820.nr_map; i++) {
16850@@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
16851 /*
16852 * Don't allow anybody to remap normal RAM that we're using..
16853 */
16854- for (pfn = phys_addr >> PAGE_SHIFT;
16855- (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
16856- pfn++) {
16857-
16858+ for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
16859 int is_ram = page_is_ram(pfn);
16860
16861- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
16862+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
16863 return NULL;
16864 WARN_ON_ONCE(is_ram);
16865 }
16866@@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
16867 early_param("early_ioremap_debug", early_ioremap_debug_setup);
16868
16869 static __initdata int after_paging_init;
16870-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
16871+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
16872
16873 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
16874 {
16875@@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
16876 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
16877
16878 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
16879- memset(bm_pte, 0, sizeof(bm_pte));
16880- pmd_populate_kernel(&init_mm, pmd, bm_pte);
16881+ pmd_populate_user(&init_mm, pmd, bm_pte);
16882
16883 /*
16884 * The boot-ioremap range spans multiple pmds, for which
16885diff -urNp linux-2.6.32.9/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.9/arch/x86/mm/kmemcheck/kmemcheck.c
16886--- linux-2.6.32.9/arch/x86/mm/kmemcheck/kmemcheck.c 2010-02-09 07:57:19.000000000 -0500
16887+++ linux-2.6.32.9/arch/x86/mm/kmemcheck/kmemcheck.c 2010-02-23 17:09:53.132248096 -0500
16888@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
16889 * memory (e.g. tracked pages)? For now, we need this to avoid
16890 * invoking kmemcheck for PnP BIOS calls.
16891 */
16892- if (regs->flags & X86_VM_MASK)
16893+ if (v8086_mode(regs))
16894 return false;
16895- if (regs->cs != __KERNEL_CS)
16896+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
16897 return false;
16898
16899 pte = kmemcheck_pte_lookup(address);
16900diff -urNp linux-2.6.32.9/arch/x86/mm/mmap.c linux-2.6.32.9/arch/x86/mm/mmap.c
16901--- linux-2.6.32.9/arch/x86/mm/mmap.c 2010-02-09 07:57:19.000000000 -0500
16902+++ linux-2.6.32.9/arch/x86/mm/mmap.c 2010-02-23 17:09:53.132248096 -0500
16903@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
16904 * Leave an at least ~128 MB hole with possible stack randomization.
16905 */
16906 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
16907-#define MAX_GAP (TASK_SIZE/6*5)
16908+#define MAX_GAP (pax_task_size/6*5)
16909
16910 /*
16911 * True on X86_32 or when emulating IA32 on X86_64
16912@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
16913 return rnd << PAGE_SHIFT;
16914 }
16915
16916-static unsigned long mmap_base(void)
16917+static unsigned long mmap_base(struct mm_struct *mm)
16918 {
16919 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
16920+ unsigned long pax_task_size = TASK_SIZE;
16921+
16922+#ifdef CONFIG_PAX_SEGMEXEC
16923+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16924+ pax_task_size = SEGMEXEC_TASK_SIZE;
16925+#endif
16926
16927 if (gap < MIN_GAP)
16928 gap = MIN_GAP;
16929 else if (gap > MAX_GAP)
16930 gap = MAX_GAP;
16931
16932- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
16933+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
16934 }
16935
16936 /*
16937 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
16938 * does, but not when emulating X86_32
16939 */
16940-static unsigned long mmap_legacy_base(void)
16941+static unsigned long mmap_legacy_base(struct mm_struct *mm)
16942 {
16943- if (mmap_is_ia32())
16944+ if (mmap_is_ia32()) {
16945+
16946+#ifdef CONFIG_PAX_SEGMEXEC
16947+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16948+ return SEGMEXEC_TASK_UNMAPPED_BASE;
16949+ else
16950+#endif
16951+
16952 return TASK_UNMAPPED_BASE;
16953- else
16954+ } else
16955 return TASK_UNMAPPED_BASE + mmap_rnd();
16956 }
16957
16958@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
16959 void arch_pick_mmap_layout(struct mm_struct *mm)
16960 {
16961 if (mmap_is_legacy()) {
16962- mm->mmap_base = mmap_legacy_base();
16963+ mm->mmap_base = mmap_legacy_base(mm);
16964+
16965+#ifdef CONFIG_PAX_RANDMMAP
16966+ if (mm->pax_flags & MF_PAX_RANDMMAP)
16967+ mm->mmap_base += mm->delta_mmap;
16968+#endif
16969+
16970 mm->get_unmapped_area = arch_get_unmapped_area;
16971 mm->unmap_area = arch_unmap_area;
16972 } else {
16973- mm->mmap_base = mmap_base();
16974+ mm->mmap_base = mmap_base(mm);
16975+
16976+#ifdef CONFIG_PAX_RANDMMAP
16977+ if (mm->pax_flags & MF_PAX_RANDMMAP)
16978+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
16979+#endif
16980+
16981 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
16982 mm->unmap_area = arch_unmap_area_topdown;
16983 }
16984diff -urNp linux-2.6.32.9/arch/x86/mm/numa_32.c linux-2.6.32.9/arch/x86/mm/numa_32.c
16985--- linux-2.6.32.9/arch/x86/mm/numa_32.c 2010-02-09 07:57:19.000000000 -0500
16986+++ linux-2.6.32.9/arch/x86/mm/numa_32.c 2010-02-23 17:09:53.136027747 -0500
16987@@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
16988 }
16989 #endif
16990
16991-extern unsigned long find_max_low_pfn(void);
16992 extern unsigned long highend_pfn, highstart_pfn;
16993
16994 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
16995diff -urNp linux-2.6.32.9/arch/x86/mm/pageattr.c linux-2.6.32.9/arch/x86/mm/pageattr.c
16996--- linux-2.6.32.9/arch/x86/mm/pageattr.c 2010-02-09 07:57:19.000000000 -0500
16997+++ linux-2.6.32.9/arch/x86/mm/pageattr.c 2010-02-23 17:09:53.136027747 -0500
16998@@ -268,9 +268,10 @@ static inline pgprot_t static_protection
16999 * Does not cover __inittext since that is gone later on. On
17000 * 64bit we do not enforce !NX on the low mapping
17001 */
17002- if (within(address, (unsigned long)_text, (unsigned long)_etext))
17003+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
17004 pgprot_val(forbidden) |= _PAGE_NX;
17005
17006+#ifdef CONFIG_DEBUG_RODATA
17007 /*
17008 * The .rodata section needs to be read-only. Using the pfn
17009 * catches all aliases.
17010@@ -278,6 +279,7 @@ static inline pgprot_t static_protection
17011 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
17012 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
17013 pgprot_val(forbidden) |= _PAGE_RW;
17014+#endif
17015
17016 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
17017
17018@@ -331,7 +333,10 @@ EXPORT_SYMBOL_GPL(lookup_address);
17019 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
17020 {
17021 /* change init_mm */
17022+ pax_open_kernel();
17023 set_pte_atomic(kpte, pte);
17024+ pax_close_kernel();
17025+
17026 #ifdef CONFIG_X86_32
17027 if (!SHARED_KERNEL_PMD) {
17028 struct page *page;
17029diff -urNp linux-2.6.32.9/arch/x86/mm/pageattr-test.c linux-2.6.32.9/arch/x86/mm/pageattr-test.c
17030--- linux-2.6.32.9/arch/x86/mm/pageattr-test.c 2010-02-09 07:57:19.000000000 -0500
17031+++ linux-2.6.32.9/arch/x86/mm/pageattr-test.c 2010-02-23 17:09:53.136027747 -0500
17032@@ -36,7 +36,7 @@ enum {
17033
17034 static int pte_testbit(pte_t pte)
17035 {
17036- return pte_flags(pte) & _PAGE_UNUSED1;
17037+ return pte_flags(pte) & _PAGE_CPA_TEST;
17038 }
17039
17040 struct split_state {
17041diff -urNp linux-2.6.32.9/arch/x86/mm/pat.c linux-2.6.32.9/arch/x86/mm/pat.c
17042--- linux-2.6.32.9/arch/x86/mm/pat.c 2010-02-09 07:57:19.000000000 -0500
17043+++ linux-2.6.32.9/arch/x86/mm/pat.c 2010-02-23 17:09:53.136027747 -0500
17044@@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
17045
17046 conflict:
17047 printk(KERN_INFO "%s:%d conflicting memory types "
17048- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
17049+ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
17050 new->end, cattr_name(new->type), cattr_name(entry->type));
17051 return -EBUSY;
17052 }
17053@@ -559,7 +559,7 @@ unlock_ret:
17054
17055 if (err) {
17056 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
17057- current->comm, current->pid, start, end);
17058+ current->comm, task_pid_nr(current), start, end);
17059 }
17060
17061 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
17062@@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
17063 printk(KERN_INFO
17064 "%s:%d ioremap_change_attr failed %s "
17065 "for %Lx-%Lx\n",
17066- current->comm, current->pid,
17067+ current->comm, task_pid_nr(current),
17068 cattr_name(flags),
17069 base, (unsigned long long)(base + size));
17070 return -EINVAL;
17071@@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
17072 free_memtype(paddr, paddr + size);
17073 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
17074 " for %Lx-%Lx, got %s\n",
17075- current->comm, current->pid,
17076+ current->comm, task_pid_nr(current),
17077 cattr_name(want_flags),
17078 (unsigned long long)paddr,
17079 (unsigned long long)(paddr + size),
17080diff -urNp linux-2.6.32.9/arch/x86/mm/pgtable_32.c linux-2.6.32.9/arch/x86/mm/pgtable_32.c
17081--- linux-2.6.32.9/arch/x86/mm/pgtable_32.c 2010-02-09 07:57:19.000000000 -0500
17082+++ linux-2.6.32.9/arch/x86/mm/pgtable_32.c 2010-02-23 17:09:53.136027747 -0500
17083@@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
17084 return;
17085 }
17086 pte = pte_offset_kernel(pmd, vaddr);
17087+
17088+ pax_open_kernel();
17089 if (pte_val(pteval))
17090 set_pte_at(&init_mm, vaddr, pte, pteval);
17091 else
17092 pte_clear(&init_mm, vaddr, pte);
17093+ pax_close_kernel();
17094
17095 /*
17096 * It's enough to flush this one mapping.
17097diff -urNp linux-2.6.32.9/arch/x86/mm/setup_nx.c linux-2.6.32.9/arch/x86/mm/setup_nx.c
17098--- linux-2.6.32.9/arch/x86/mm/setup_nx.c 2010-02-09 07:57:19.000000000 -0500
17099+++ linux-2.6.32.9/arch/x86/mm/setup_nx.c 2010-02-23 17:09:53.136027747 -0500
17100@@ -4,11 +4,10 @@
17101
17102 #include <asm/pgtable.h>
17103
17104+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17105 int nx_enabled;
17106
17107-#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
17108-static int disable_nx __cpuinitdata;
17109-
17110+#ifndef CONFIG_PAX_PAGEEXEC
17111 /*
17112 * noexec = on|off
17113 *
17114@@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
17115 if (!str)
17116 return -EINVAL;
17117 if (!strncmp(str, "on", 2)) {
17118- __supported_pte_mask |= _PAGE_NX;
17119- disable_nx = 0;
17120+ nx_enabled = 1;
17121 } else if (!strncmp(str, "off", 3)) {
17122- disable_nx = 1;
17123- __supported_pte_mask &= ~_PAGE_NX;
17124+ nx_enabled = 0;
17125 }
17126 return 0;
17127 }
17128 early_param("noexec", noexec_setup);
17129 #endif
17130+#endif
17131
17132 #ifdef CONFIG_X86_PAE
17133 void __init set_nx(void)
17134 {
17135- unsigned int v[4], l, h;
17136+ if (!nx_enabled && cpu_has_nx) {
17137+ unsigned l, h;
17138
17139- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
17140- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
17141-
17142- if ((v[3] & (1 << 20)) && !disable_nx) {
17143- rdmsr(MSR_EFER, l, h);
17144- l |= EFER_NX;
17145- wrmsr(MSR_EFER, l, h);
17146- nx_enabled = 1;
17147- __supported_pte_mask |= _PAGE_NX;
17148- }
17149+ __supported_pte_mask &= ~_PAGE_NX;
17150+ rdmsr(MSR_EFER, l, h);
17151+ l &= ~EFER_NX;
17152+ wrmsr(MSR_EFER, l, h);
17153 }
17154 }
17155 #else
17156@@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
17157 unsigned long efer;
17158
17159 rdmsrl(MSR_EFER, efer);
17160- if (!(efer & EFER_NX) || disable_nx)
17161+ if (!(efer & EFER_NX) || !nx_enabled)
17162 __supported_pte_mask &= ~_PAGE_NX;
17163 }
17164 #endif
17165diff -urNp linux-2.6.32.9/arch/x86/mm/tlb.c linux-2.6.32.9/arch/x86/mm/tlb.c
17166--- linux-2.6.32.9/arch/x86/mm/tlb.c 2010-02-09 07:57:19.000000000 -0500
17167+++ linux-2.6.32.9/arch/x86/mm/tlb.c 2010-02-23 17:09:53.136027747 -0500
17168@@ -12,7 +12,7 @@
17169 #include <asm/uv/uv.h>
17170
17171 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
17172- = { &init_mm, 0, };
17173+ = { &init_mm, 0 };
17174
17175 /*
17176 * Smarter SMP flushing macros.
17177diff -urNp linux-2.6.32.9/arch/x86/oprofile/backtrace.c linux-2.6.32.9/arch/x86/oprofile/backtrace.c
17178--- linux-2.6.32.9/arch/x86/oprofile/backtrace.c 2010-02-09 07:57:19.000000000 -0500
17179+++ linux-2.6.32.9/arch/x86/oprofile/backtrace.c 2010-02-23 17:09:53.136027747 -0500
17180@@ -37,7 +37,7 @@ static void backtrace_address(void *data
17181 unsigned int *depth = data;
17182
17183 if ((*depth)--)
17184- oprofile_add_trace(addr);
17185+ oprofile_add_trace(ktla_ktva(addr));
17186 }
17187
17188 static struct stacktrace_ops backtrace_ops = {
17189@@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
17190 struct frame_head bufhead[2];
17191
17192 /* Also check accessibility of one struct frame_head beyond */
17193- if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
17194+ if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
17195 return NULL;
17196 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
17197 return NULL;
17198@@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
17199 {
17200 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
17201
17202- if (!user_mode_vm(regs)) {
17203+ if (!user_mode(regs)) {
17204 unsigned long stack = kernel_stack_pointer(regs);
17205 if (depth)
17206 dump_trace(NULL, regs, (unsigned long *)stack, 0,
17207diff -urNp linux-2.6.32.9/arch/x86/oprofile/op_model_p4.c linux-2.6.32.9/arch/x86/oprofile/op_model_p4.c
17208--- linux-2.6.32.9/arch/x86/oprofile/op_model_p4.c 2010-02-09 07:57:19.000000000 -0500
17209+++ linux-2.6.32.9/arch/x86/oprofile/op_model_p4.c 2010-02-23 17:09:53.136027747 -0500
17210@@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
17211 #endif
17212 }
17213
17214-static int inline addr_increment(void)
17215+static inline int addr_increment(void)
17216 {
17217 #ifdef CONFIG_SMP
17218 return smp_num_siblings == 2 ? 2 : 1;
17219diff -urNp linux-2.6.32.9/arch/x86/pci/common.c linux-2.6.32.9/arch/x86/pci/common.c
17220--- linux-2.6.32.9/arch/x86/pci/common.c 2010-02-09 07:57:19.000000000 -0500
17221+++ linux-2.6.32.9/arch/x86/pci/common.c 2010-02-23 17:09:53.136027747 -0500
17222@@ -31,8 +31,8 @@ int noioapicreroute = 1;
17223 int pcibios_last_bus = -1;
17224 unsigned long pirq_table_addr;
17225 struct pci_bus *pci_root_bus;
17226-struct pci_raw_ops *raw_pci_ops;
17227-struct pci_raw_ops *raw_pci_ext_ops;
17228+const struct pci_raw_ops *raw_pci_ops;
17229+const struct pci_raw_ops *raw_pci_ext_ops;
17230
17231 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
17232 int reg, int len, u32 *val)
17233@@ -370,7 +370,7 @@ static const struct dmi_system_id __devi
17234 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
17235 },
17236 },
17237- {}
17238+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
17239 };
17240
17241 void __init dmi_check_pciprobe(void)
17242diff -urNp linux-2.6.32.9/arch/x86/pci/direct.c linux-2.6.32.9/arch/x86/pci/direct.c
17243--- linux-2.6.32.9/arch/x86/pci/direct.c 2010-02-09 07:57:19.000000000 -0500
17244+++ linux-2.6.32.9/arch/x86/pci/direct.c 2010-02-23 17:09:53.136027747 -0500
17245@@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
17246
17247 #undef PCI_CONF1_ADDRESS
17248
17249-struct pci_raw_ops pci_direct_conf1 = {
17250+const struct pci_raw_ops pci_direct_conf1 = {
17251 .read = pci_conf1_read,
17252 .write = pci_conf1_write,
17253 };
17254@@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
17255
17256 #undef PCI_CONF2_ADDRESS
17257
17258-struct pci_raw_ops pci_direct_conf2 = {
17259+const struct pci_raw_ops pci_direct_conf2 = {
17260 .read = pci_conf2_read,
17261 .write = pci_conf2_write,
17262 };
17263@@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
17264 * This should be close to trivial, but it isn't, because there are buggy
17265 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
17266 */
17267-static int __init pci_sanity_check(struct pci_raw_ops *o)
17268+static int __init pci_sanity_check(const struct pci_raw_ops *o)
17269 {
17270 u32 x = 0;
17271 int year, devfn;
17272diff -urNp linux-2.6.32.9/arch/x86/pci/fixup.c linux-2.6.32.9/arch/x86/pci/fixup.c
17273--- linux-2.6.32.9/arch/x86/pci/fixup.c 2010-02-09 07:57:19.000000000 -0500
17274+++ linux-2.6.32.9/arch/x86/pci/fixup.c 2010-02-23 17:09:53.136027747 -0500
17275@@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
17276 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
17277 },
17278 },
17279- {}
17280+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17281 };
17282
17283 /*
17284@@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
17285 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
17286 },
17287 },
17288- { }
17289+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17290 };
17291
17292 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
17293diff -urNp linux-2.6.32.9/arch/x86/pci/irq.c linux-2.6.32.9/arch/x86/pci/irq.c
17294--- linux-2.6.32.9/arch/x86/pci/irq.c 2010-02-09 07:57:19.000000000 -0500
17295+++ linux-2.6.32.9/arch/x86/pci/irq.c 2010-02-23 17:09:53.136027747 -0500
17296@@ -543,7 +543,7 @@ static __init int intel_router_probe(str
17297 static struct pci_device_id __initdata pirq_440gx[] = {
17298 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
17299 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
17300- { },
17301+ { PCI_DEVICE(0, 0) }
17302 };
17303
17304 /* 440GX has a proprietary PIRQ router -- don't use it */
17305@@ -1107,7 +1107,7 @@ static struct dmi_system_id __initdata p
17306 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
17307 },
17308 },
17309- { }
17310+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17311 };
17312
17313 int __init pcibios_irq_init(void)
17314diff -urNp linux-2.6.32.9/arch/x86/pci/mmconfig_32.c linux-2.6.32.9/arch/x86/pci/mmconfig_32.c
17315--- linux-2.6.32.9/arch/x86/pci/mmconfig_32.c 2010-02-09 07:57:19.000000000 -0500
17316+++ linux-2.6.32.9/arch/x86/pci/mmconfig_32.c 2010-02-23 17:09:53.136027747 -0500
17317@@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
17318 return 0;
17319 }
17320
17321-static struct pci_raw_ops pci_mmcfg = {
17322+static const struct pci_raw_ops pci_mmcfg = {
17323 .read = pci_mmcfg_read,
17324 .write = pci_mmcfg_write,
17325 };
17326diff -urNp linux-2.6.32.9/arch/x86/pci/mmconfig_64.c linux-2.6.32.9/arch/x86/pci/mmconfig_64.c
17327--- linux-2.6.32.9/arch/x86/pci/mmconfig_64.c 2010-02-09 07:57:19.000000000 -0500
17328+++ linux-2.6.32.9/arch/x86/pci/mmconfig_64.c 2010-02-23 17:09:53.136027747 -0500
17329@@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
17330 return 0;
17331 }
17332
17333-static struct pci_raw_ops pci_mmcfg = {
17334+static const struct pci_raw_ops pci_mmcfg = {
17335 .read = pci_mmcfg_read,
17336 .write = pci_mmcfg_write,
17337 };
17338diff -urNp linux-2.6.32.9/arch/x86/pci/numaq_32.c linux-2.6.32.9/arch/x86/pci/numaq_32.c
17339--- linux-2.6.32.9/arch/x86/pci/numaq_32.c 2010-02-09 07:57:19.000000000 -0500
17340+++ linux-2.6.32.9/arch/x86/pci/numaq_32.c 2010-02-23 17:09:53.136027747 -0500
17341@@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
17342
17343 #undef PCI_CONF1_MQ_ADDRESS
17344
17345-static struct pci_raw_ops pci_direct_conf1_mq = {
17346+static const struct pci_raw_ops pci_direct_conf1_mq = {
17347 .read = pci_conf1_mq_read,
17348 .write = pci_conf1_mq_write
17349 };
17350diff -urNp linux-2.6.32.9/arch/x86/pci/olpc.c linux-2.6.32.9/arch/x86/pci/olpc.c
17351--- linux-2.6.32.9/arch/x86/pci/olpc.c 2010-02-09 07:57:19.000000000 -0500
17352+++ linux-2.6.32.9/arch/x86/pci/olpc.c 2010-02-23 17:09:53.136027747 -0500
17353@@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
17354 return 0;
17355 }
17356
17357-static struct pci_raw_ops pci_olpc_conf = {
17358+static const struct pci_raw_ops pci_olpc_conf = {
17359 .read = pci_olpc_read,
17360 .write = pci_olpc_write,
17361 };
17362diff -urNp linux-2.6.32.9/arch/x86/pci/pcbios.c linux-2.6.32.9/arch/x86/pci/pcbios.c
17363--- linux-2.6.32.9/arch/x86/pci/pcbios.c 2010-02-09 07:57:19.000000000 -0500
17364+++ linux-2.6.32.9/arch/x86/pci/pcbios.c 2010-02-23 17:09:53.136027747 -0500
17365@@ -56,50 +56,93 @@ union bios32 {
17366 static struct {
17367 unsigned long address;
17368 unsigned short segment;
17369-} bios32_indirect = { 0, __KERNEL_CS };
17370+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
17371
17372 /*
17373 * Returns the entry point for the given service, NULL on error
17374 */
17375
17376-static unsigned long bios32_service(unsigned long service)
17377+static unsigned long __devinit bios32_service(unsigned long service)
17378 {
17379 unsigned char return_code; /* %al */
17380 unsigned long address; /* %ebx */
17381 unsigned long length; /* %ecx */
17382 unsigned long entry; /* %edx */
17383 unsigned long flags;
17384+ struct desc_struct d, *gdt;
17385
17386 local_irq_save(flags);
17387- __asm__("lcall *(%%edi); cld"
17388+
17389+ gdt = get_cpu_gdt_table(smp_processor_id());
17390+
17391+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
17392+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17393+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
17394+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17395+
17396+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
17397 : "=a" (return_code),
17398 "=b" (address),
17399 "=c" (length),
17400 "=d" (entry)
17401 : "0" (service),
17402 "1" (0),
17403- "D" (&bios32_indirect));
17404+ "D" (&bios32_indirect),
17405+ "r"(__PCIBIOS_DS)
17406+ : "memory");
17407+
17408+ pax_open_kernel();
17409+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
17410+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
17411+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
17412+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
17413+ pax_close_kernel();
17414+
17415 local_irq_restore(flags);
17416
17417 switch (return_code) {
17418- case 0:
17419- return address + entry;
17420- case 0x80: /* Not present */
17421- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17422- return 0;
17423- default: /* Shouldn't happen */
17424- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17425- service, return_code);
17426+ case 0: {
17427+ int cpu;
17428+ unsigned char flags;
17429+
17430+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
17431+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
17432+ printk(KERN_WARNING "bios32_service: not valid\n");
17433 return 0;
17434+ }
17435+ address = address + PAGE_OFFSET;
17436+ length += 16UL; /* some BIOSs underreport this... */
17437+ flags = 4;
17438+ if (length >= 64*1024*1024) {
17439+ length >>= PAGE_SHIFT;
17440+ flags |= 8;
17441+ }
17442+
17443+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
17444+ gdt = get_cpu_gdt_table(cpu);
17445+ pack_descriptor(&d, address, length, 0x9b, flags);
17446+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17447+ pack_descriptor(&d, address, length, 0x93, flags);
17448+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17449+ }
17450+ return entry;
17451+ }
17452+ case 0x80: /* Not present */
17453+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17454+ return 0;
17455+ default: /* Shouldn't happen */
17456+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17457+ service, return_code);
17458+ return 0;
17459 }
17460 }
17461
17462 static struct {
17463 unsigned long address;
17464 unsigned short segment;
17465-} pci_indirect = { 0, __KERNEL_CS };
17466+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
17467
17468-static int pci_bios_present;
17469+static int pci_bios_present __read_only;
17470
17471 static int __devinit check_pcibios(void)
17472 {
17473@@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
17474 unsigned long flags, pcibios_entry;
17475
17476 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
17477- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
17478+ pci_indirect.address = pcibios_entry;
17479
17480 local_irq_save(flags);
17481- __asm__(
17482- "lcall *(%%edi); cld\n\t"
17483+ __asm__("movw %w6, %%ds\n\t"
17484+ "lcall *%%ss:(%%edi); cld\n\t"
17485+ "push %%ss\n\t"
17486+ "pop %%ds\n\t"
17487 "jc 1f\n\t"
17488 "xor %%ah, %%ah\n"
17489 "1:"
17490@@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
17491 "=b" (ebx),
17492 "=c" (ecx)
17493 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
17494- "D" (&pci_indirect)
17495+ "D" (&pci_indirect),
17496+ "r" (__PCIBIOS_DS)
17497 : "memory");
17498 local_irq_restore(flags);
17499
17500@@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
17501
17502 switch (len) {
17503 case 1:
17504- __asm__("lcall *(%%esi); cld\n\t"
17505+ __asm__("movw %w6, %%ds\n\t"
17506+ "lcall *%%ss:(%%esi); cld\n\t"
17507+ "push %%ss\n\t"
17508+ "pop %%ds\n\t"
17509 "jc 1f\n\t"
17510 "xor %%ah, %%ah\n"
17511 "1:"
17512@@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
17513 : "1" (PCIBIOS_READ_CONFIG_BYTE),
17514 "b" (bx),
17515 "D" ((long)reg),
17516- "S" (&pci_indirect));
17517+ "S" (&pci_indirect),
17518+ "r" (__PCIBIOS_DS));
17519 /*
17520 * Zero-extend the result beyond 8 bits, do not trust the
17521 * BIOS having done it:
17522@@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
17523 *value &= 0xff;
17524 break;
17525 case 2:
17526- __asm__("lcall *(%%esi); cld\n\t"
17527+ __asm__("movw %w6, %%ds\n\t"
17528+ "lcall *%%ss:(%%esi); cld\n\t"
17529+ "push %%ss\n\t"
17530+ "pop %%ds\n\t"
17531 "jc 1f\n\t"
17532 "xor %%ah, %%ah\n"
17533 "1:"
17534@@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
17535 : "1" (PCIBIOS_READ_CONFIG_WORD),
17536 "b" (bx),
17537 "D" ((long)reg),
17538- "S" (&pci_indirect));
17539+ "S" (&pci_indirect),
17540+ "r" (__PCIBIOS_DS));
17541 /*
17542 * Zero-extend the result beyond 16 bits, do not trust the
17543 * BIOS having done it:
17544@@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
17545 *value &= 0xffff;
17546 break;
17547 case 4:
17548- __asm__("lcall *(%%esi); cld\n\t"
17549+ __asm__("movw %w6, %%ds\n\t"
17550+ "lcall *%%ss:(%%esi); cld\n\t"
17551+ "push %%ss\n\t"
17552+ "pop %%ds\n\t"
17553 "jc 1f\n\t"
17554 "xor %%ah, %%ah\n"
17555 "1:"
17556@@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
17557 : "1" (PCIBIOS_READ_CONFIG_DWORD),
17558 "b" (bx),
17559 "D" ((long)reg),
17560- "S" (&pci_indirect));
17561+ "S" (&pci_indirect),
17562+ "r" (__PCIBIOS_DS));
17563 break;
17564 }
17565
17566@@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
17567
17568 switch (len) {
17569 case 1:
17570- __asm__("lcall *(%%esi); cld\n\t"
17571+ __asm__("movw %w6, %%ds\n\t"
17572+ "lcall *%%ss:(%%esi); cld\n\t"
17573+ "push %%ss\n\t"
17574+ "pop %%ds\n\t"
17575 "jc 1f\n\t"
17576 "xor %%ah, %%ah\n"
17577 "1:"
17578@@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
17579 "c" (value),
17580 "b" (bx),
17581 "D" ((long)reg),
17582- "S" (&pci_indirect));
17583+ "S" (&pci_indirect),
17584+ "r" (__PCIBIOS_DS));
17585 break;
17586 case 2:
17587- __asm__("lcall *(%%esi); cld\n\t"
17588+ __asm__("movw %w6, %%ds\n\t"
17589+ "lcall *%%ss:(%%esi); cld\n\t"
17590+ "push %%ss\n\t"
17591+ "pop %%ds\n\t"
17592 "jc 1f\n\t"
17593 "xor %%ah, %%ah\n"
17594 "1:"
17595@@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
17596 "c" (value),
17597 "b" (bx),
17598 "D" ((long)reg),
17599- "S" (&pci_indirect));
17600+ "S" (&pci_indirect),
17601+ "r" (__PCIBIOS_DS));
17602 break;
17603 case 4:
17604- __asm__("lcall *(%%esi); cld\n\t"
17605+ __asm__("movw %w6, %%ds\n\t"
17606+ "lcall *%%ss:(%%esi); cld\n\t"
17607+ "push %%ss\n\t"
17608+ "pop %%ds\n\t"
17609 "jc 1f\n\t"
17610 "xor %%ah, %%ah\n"
17611 "1:"
17612@@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
17613 "c" (value),
17614 "b" (bx),
17615 "D" ((long)reg),
17616- "S" (&pci_indirect));
17617+ "S" (&pci_indirect),
17618+ "r" (__PCIBIOS_DS));
17619 break;
17620 }
17621
17622@@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
17623 * Function table for BIOS32 access
17624 */
17625
17626-static struct pci_raw_ops pci_bios_access = {
17627+static const struct pci_raw_ops pci_bios_access = {
17628 .read = pci_bios_read,
17629 .write = pci_bios_write
17630 };
17631@@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
17632 * Try to find PCI BIOS.
17633 */
17634
17635-static struct pci_raw_ops * __devinit pci_find_bios(void)
17636+static const struct pci_raw_ops * __devinit pci_find_bios(void)
17637 {
17638 union bios32 *check;
17639 unsigned char sum;
17640@@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
17641
17642 DBG("PCI: Fetching IRQ routing table... ");
17643 __asm__("push %%es\n\t"
17644+ "movw %w8, %%ds\n\t"
17645 "push %%ds\n\t"
17646 "pop %%es\n\t"
17647- "lcall *(%%esi); cld\n\t"
17648+ "lcall *%%ss:(%%esi); cld\n\t"
17649 "pop %%es\n\t"
17650+ "push %%ss\n\t"
17651+ "pop %%ds\n"
17652 "jc 1f\n\t"
17653 "xor %%ah, %%ah\n"
17654 "1:"
17655@@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
17656 "1" (0),
17657 "D" ((long) &opt),
17658 "S" (&pci_indirect),
17659- "m" (opt)
17660+ "m" (opt),
17661+ "r" (__PCIBIOS_DS)
17662 : "memory");
17663 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
17664 if (ret & 0xff00)
17665@@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
17666 {
17667 int ret;
17668
17669- __asm__("lcall *(%%esi); cld\n\t"
17670+ __asm__("movw %w5, %%ds\n\t"
17671+ "lcall *%%ss:(%%esi); cld\n\t"
17672+ "push %%ss\n\t"
17673+ "pop %%ds\n"
17674 "jc 1f\n\t"
17675 "xor %%ah, %%ah\n"
17676 "1:"
17677@@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
17678 : "0" (PCIBIOS_SET_PCI_HW_INT),
17679 "b" ((dev->bus->number << 8) | dev->devfn),
17680 "c" ((irq << 8) | (pin + 10)),
17681- "S" (&pci_indirect));
17682+ "S" (&pci_indirect),
17683+ "r" (__PCIBIOS_DS));
17684 return !(ret & 0xff00);
17685 }
17686 EXPORT_SYMBOL(pcibios_set_irq_routing);
17687diff -urNp linux-2.6.32.9/arch/x86/power/cpu.c linux-2.6.32.9/arch/x86/power/cpu.c
17688--- linux-2.6.32.9/arch/x86/power/cpu.c 2010-02-09 07:57:19.000000000 -0500
17689+++ linux-2.6.32.9/arch/x86/power/cpu.c 2010-02-23 17:09:53.136027747 -0500
17690@@ -126,7 +126,7 @@ static void do_fpu_end(void)
17691 static void fix_processor_context(void)
17692 {
17693 int cpu = smp_processor_id();
17694- struct tss_struct *t = &per_cpu(init_tss, cpu);
17695+ struct tss_struct *t = init_tss + cpu;
17696
17697 set_tss_desc(cpu, t); /*
17698 * This just modifies memory; should not be
17699@@ -136,7 +136,9 @@ static void fix_processor_context(void)
17700 */
17701
17702 #ifdef CONFIG_X86_64
17703+ pax_open_kernel();
17704 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
17705+ pax_close_kernel();
17706
17707 syscall_init(); /* This sets MSR_*STAR and related */
17708 #endif
17709diff -urNp linux-2.6.32.9/arch/x86/vdso/Makefile linux-2.6.32.9/arch/x86/vdso/Makefile
17710--- linux-2.6.32.9/arch/x86/vdso/Makefile 2010-02-09 07:57:19.000000000 -0500
17711+++ linux-2.6.32.9/arch/x86/vdso/Makefile 2010-02-23 17:09:53.136027747 -0500
17712@@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
17713 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
17714 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
17715
17716-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
17717+VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
17718 GCOV_PROFILE := n
17719
17720 #
17721diff -urNp linux-2.6.32.9/arch/x86/vdso/vclock_gettime.c linux-2.6.32.9/arch/x86/vdso/vclock_gettime.c
17722--- linux-2.6.32.9/arch/x86/vdso/vclock_gettime.c 2010-02-09 07:57:19.000000000 -0500
17723+++ linux-2.6.32.9/arch/x86/vdso/vclock_gettime.c 2010-02-23 17:09:53.136027747 -0500
17724@@ -22,24 +22,48 @@
17725 #include <asm/hpet.h>
17726 #include <asm/unistd.h>
17727 #include <asm/io.h>
17728+#include <asm/fixmap.h>
17729 #include "vextern.h"
17730
17731 #define gtod vdso_vsyscall_gtod_data
17732
17733+notrace noinline long __vdso_fallback_time(long *t)
17734+{
17735+ long secs;
17736+ asm volatile("syscall"
17737+ : "=a" (secs)
17738+ : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
17739+ return secs;
17740+}
17741+
17742 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
17743 {
17744 long ret;
17745 asm("syscall" : "=a" (ret) :
17746- "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
17747+ "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
17748 return ret;
17749 }
17750
17751+notrace static inline cycle_t __vdso_vread_hpet(void)
17752+{
17753+ return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
17754+}
17755+
17756+notrace static inline cycle_t __vdso_vread_tsc(void)
17757+{
17758+ cycle_t ret = (cycle_t)vget_cycles();
17759+
17760+ return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
17761+}
17762+
17763 notrace static inline long vgetns(void)
17764 {
17765 long v;
17766- cycles_t (*vread)(void);
17767- vread = gtod->clock.vread;
17768- v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
17769+ if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
17770+ v = __vdso_vread_tsc();
17771+ else
17772+ v = __vdso_vread_hpet();
17773+ v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
17774 return (v * gtod->clock.mult) >> gtod->clock.shift;
17775 }
17776
17777@@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
17778
17779 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
17780 {
17781- if (likely(gtod->sysctl_enabled))
17782+ if (likely(gtod->sysctl_enabled &&
17783+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
17784+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
17785 switch (clock) {
17786 case CLOCK_REALTIME:
17787 if (likely(gtod->clock.vread))
17788@@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
17789 int clock_gettime(clockid_t, struct timespec *)
17790 __attribute__((weak, alias("__vdso_clock_gettime")));
17791
17792-notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
17793+notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
17794 {
17795 long ret;
17796- if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
17797+ asm("syscall" : "=a" (ret) :
17798+ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
17799+ return ret;
17800+}
17801+
17802+notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
17803+{
17804+ if (likely(gtod->sysctl_enabled &&
17805+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
17806+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
17807+ {
17808 if (likely(tv != NULL)) {
17809 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
17810 offsetof(struct timespec, tv_nsec) ||
17811@@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
17812 }
17813 return 0;
17814 }
17815- asm("syscall" : "=a" (ret) :
17816- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
17817- return ret;
17818+ return __vdso_fallback_gettimeofday(tv, tz);
17819 }
17820 int gettimeofday(struct timeval *, struct timezone *)
17821 __attribute__((weak, alias("__vdso_gettimeofday")));
17822diff -urNp linux-2.6.32.9/arch/x86/vdso/vdso32-setup.c linux-2.6.32.9/arch/x86/vdso/vdso32-setup.c
17823--- linux-2.6.32.9/arch/x86/vdso/vdso32-setup.c 2010-02-09 07:57:19.000000000 -0500
17824+++ linux-2.6.32.9/arch/x86/vdso/vdso32-setup.c 2010-02-23 17:09:53.136027747 -0500
17825@@ -25,6 +25,7 @@
17826 #include <asm/tlbflush.h>
17827 #include <asm/vdso.h>
17828 #include <asm/proto.h>
17829+#include <asm/mman.h>
17830
17831 enum {
17832 VDSO_DISABLED = 0,
17833@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
17834 void enable_sep_cpu(void)
17835 {
17836 int cpu = get_cpu();
17837- struct tss_struct *tss = &per_cpu(init_tss, cpu);
17838+ struct tss_struct *tss = init_tss + cpu;
17839
17840 if (!boot_cpu_has(X86_FEATURE_SEP)) {
17841 put_cpu();
17842@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
17843 gate_vma.vm_start = FIXADDR_USER_START;
17844 gate_vma.vm_end = FIXADDR_USER_END;
17845 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
17846- gate_vma.vm_page_prot = __P101;
17847+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
17848 /*
17849 * Make sure the vDSO gets into every core dump.
17850 * Dumping its contents makes post-mortem fully interpretable later
17851@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
17852 if (compat)
17853 addr = VDSO_HIGH_BASE;
17854 else {
17855- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
17856+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
17857 if (IS_ERR_VALUE(addr)) {
17858 ret = addr;
17859 goto up_fail;
17860 }
17861 }
17862
17863- current->mm->context.vdso = (void *)addr;
17864+ current->mm->context.vdso = addr;
17865
17866 if (compat_uses_vma || !compat) {
17867 /*
17868@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
17869 }
17870
17871 current_thread_info()->sysenter_return =
17872- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
17873+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
17874
17875 up_fail:
17876 if (ret)
17877- current->mm->context.vdso = NULL;
17878+ current->mm->context.vdso = 0;
17879
17880 up_write(&mm->mmap_sem);
17881
17882@@ -388,7 +389,7 @@ static ctl_table abi_table2[] = {
17883 .mode = 0644,
17884 .proc_handler = proc_dointvec
17885 },
17886- {}
17887+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
17888 };
17889
17890 static ctl_table abi_root_table2[] = {
17891@@ -398,7 +399,7 @@ static ctl_table abi_root_table2[] = {
17892 .mode = 0555,
17893 .child = abi_table2
17894 },
17895- {}
17896+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
17897 };
17898
17899 static __init int ia32_binfmt_init(void)
17900@@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
17901
17902 const char *arch_vma_name(struct vm_area_struct *vma)
17903 {
17904- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
17905+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
17906 return "[vdso]";
17907+
17908+#ifdef CONFIG_PAX_SEGMEXEC
17909+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
17910+ return "[vdso]";
17911+#endif
17912+
17913 return NULL;
17914 }
17915
17916@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
17917 struct mm_struct *mm = tsk->mm;
17918
17919 /* Check to see if this task was created in compat vdso mode */
17920- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
17921+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
17922 return &gate_vma;
17923 return NULL;
17924 }
17925diff -urNp linux-2.6.32.9/arch/x86/vdso/vdso.lds.S linux-2.6.32.9/arch/x86/vdso/vdso.lds.S
17926--- linux-2.6.32.9/arch/x86/vdso/vdso.lds.S 2010-02-09 07:57:19.000000000 -0500
17927+++ linux-2.6.32.9/arch/x86/vdso/vdso.lds.S 2010-02-23 17:09:53.136027747 -0500
17928@@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
17929 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
17930 #include "vextern.h"
17931 #undef VEXTERN
17932+
17933+#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
17934+VEXTERN(fallback_gettimeofday)
17935+VEXTERN(fallback_time)
17936+VEXTERN(getcpu)
17937+#undef VEXTERN
17938diff -urNp linux-2.6.32.9/arch/x86/vdso/vextern.h linux-2.6.32.9/arch/x86/vdso/vextern.h
17939--- linux-2.6.32.9/arch/x86/vdso/vextern.h 2010-02-09 07:57:19.000000000 -0500
17940+++ linux-2.6.32.9/arch/x86/vdso/vextern.h 2010-02-23 17:09:53.136027747 -0500
17941@@ -11,6 +11,5 @@
17942 put into vextern.h and be referenced as a pointer with vdso prefix.
17943 The main kernel later fills in the values. */
17944
17945-VEXTERN(jiffies)
17946 VEXTERN(vgetcpu_mode)
17947 VEXTERN(vsyscall_gtod_data)
17948diff -urNp linux-2.6.32.9/arch/x86/vdso/vma.c linux-2.6.32.9/arch/x86/vdso/vma.c
17949--- linux-2.6.32.9/arch/x86/vdso/vma.c 2010-02-09 07:57:19.000000000 -0500
17950+++ linux-2.6.32.9/arch/x86/vdso/vma.c 2010-02-23 17:09:53.136027747 -0500
17951@@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
17952 if (!vbase)
17953 goto oom;
17954
17955- if (memcmp(vbase, "\177ELF", 4)) {
17956+ if (memcmp(vbase, ELFMAG, SELFMAG)) {
17957 printk("VDSO: I'm broken; not ELF\n");
17958 vdso_enabled = 0;
17959 }
17960@@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
17961 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
17962 #include "vextern.h"
17963 #undef VEXTERN
17964+ vunmap(vbase);
17965 return 0;
17966
17967 oom:
17968@@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
17969 goto up_fail;
17970 }
17971
17972- current->mm->context.vdso = (void *)addr;
17973+ current->mm->context.vdso = addr;
17974
17975 ret = install_special_mapping(mm, addr, vdso_size,
17976 VM_READ|VM_EXEC|
17977@@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
17978 VM_ALWAYSDUMP,
17979 vdso_pages);
17980 if (ret) {
17981- current->mm->context.vdso = NULL;
17982+ current->mm->context.vdso = 0;
17983 goto up_fail;
17984 }
17985
17986@@ -132,10 +133,3 @@ up_fail:
17987 up_write(&mm->mmap_sem);
17988 return ret;
17989 }
17990-
17991-static __init int vdso_setup(char *s)
17992-{
17993- vdso_enabled = simple_strtoul(s, NULL, 0);
17994- return 0;
17995-}
17996-__setup("vdso=", vdso_setup);
17997diff -urNp linux-2.6.32.9/arch/x86/xen/enlighten.c linux-2.6.32.9/arch/x86/xen/enlighten.c
17998--- linux-2.6.32.9/arch/x86/xen/enlighten.c 2010-02-09 07:57:19.000000000 -0500
17999+++ linux-2.6.32.9/arch/x86/xen/enlighten.c 2010-02-23 17:09:53.140103788 -0500
18000@@ -70,8 +70,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
18001
18002 struct shared_info xen_dummy_shared_info;
18003
18004-void *xen_initial_gdt;
18005-
18006 /*
18007 * Point at some empty memory to start with. We map the real shared_info
18008 * page as soon as fixmap is up and running.
18009@@ -547,7 +545,7 @@ static void xen_write_idt_entry(gate_des
18010
18011 preempt_disable();
18012
18013- start = __get_cpu_var(idt_desc).address;
18014+ start = (unsigned long)__get_cpu_var(idt_desc).address;
18015 end = start + __get_cpu_var(idt_desc).size + 1;
18016
18017 xen_mc_flush();
18018@@ -1126,13 +1124,6 @@ asmlinkage void __init xen_start_kernel(
18019
18020 machine_ops = xen_machine_ops;
18021
18022- /*
18023- * The only reliable way to retain the initial address of the
18024- * percpu gdt_page is to remember it here, so we can go and
18025- * mark it RW later, when the initial percpu area is freed.
18026- */
18027- xen_initial_gdt = &per_cpu(gdt_page, 0);
18028-
18029 xen_smp_init();
18030
18031 pgd = (pgd_t *)xen_start_info->pt_base;
18032diff -urNp linux-2.6.32.9/arch/x86/xen/mmu.c linux-2.6.32.9/arch/x86/xen/mmu.c
18033--- linux-2.6.32.9/arch/x86/xen/mmu.c 2010-02-09 07:57:19.000000000 -0500
18034+++ linux-2.6.32.9/arch/x86/xen/mmu.c 2010-02-23 17:09:53.140103788 -0500
18035@@ -1710,6 +1710,8 @@ __init pgd_t *xen_setup_kernel_pagetable
18036 convert_pfn_mfn(init_level4_pgt);
18037 convert_pfn_mfn(level3_ident_pgt);
18038 convert_pfn_mfn(level3_kernel_pgt);
18039+ convert_pfn_mfn(level3_vmalloc_pgt);
18040+ convert_pfn_mfn(level3_vmemmap_pgt);
18041
18042 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
18043 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
18044@@ -1728,7 +1730,10 @@ __init pgd_t *xen_setup_kernel_pagetable
18045 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
18046 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
18047 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
18048+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
18049+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
18050 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
18051+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
18052 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
18053 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
18054
18055diff -urNp linux-2.6.32.9/arch/x86/xen/smp.c linux-2.6.32.9/arch/x86/xen/smp.c
18056--- linux-2.6.32.9/arch/x86/xen/smp.c 2010-02-09 07:57:19.000000000 -0500
18057+++ linux-2.6.32.9/arch/x86/xen/smp.c 2010-02-23 17:09:53.140103788 -0500
18058@@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
18059 {
18060 BUG_ON(smp_processor_id() != 0);
18061 native_smp_prepare_boot_cpu();
18062-
18063- /* We've switched to the "real" per-cpu gdt, so make sure the
18064- old memory can be recycled */
18065- make_lowmem_page_readwrite(xen_initial_gdt);
18066-
18067 xen_setup_vcpu_info_placement();
18068 }
18069
18070@@ -231,8 +226,8 @@ cpu_initialize_context(unsigned int cpu,
18071 gdt = get_cpu_gdt_table(cpu);
18072
18073 ctxt->flags = VGCF_IN_KERNEL;
18074- ctxt->user_regs.ds = __USER_DS;
18075- ctxt->user_regs.es = __USER_DS;
18076+ ctxt->user_regs.ds = __KERNEL_DS;
18077+ ctxt->user_regs.es = __KERNEL_DS;
18078 ctxt->user_regs.ss = __KERNEL_DS;
18079 #ifdef CONFIG_X86_32
18080 ctxt->user_regs.fs = __KERNEL_PERCPU;
18081diff -urNp linux-2.6.32.9/arch/x86/xen/xen-ops.h linux-2.6.32.9/arch/x86/xen/xen-ops.h
18082--- linux-2.6.32.9/arch/x86/xen/xen-ops.h 2010-02-09 07:57:19.000000000 -0500
18083+++ linux-2.6.32.9/arch/x86/xen/xen-ops.h 2010-02-23 17:09:53.140103788 -0500
18084@@ -10,8 +10,6 @@
18085 extern const char xen_hypervisor_callback[];
18086 extern const char xen_failsafe_callback[];
18087
18088-extern void *xen_initial_gdt;
18089-
18090 struct trap_info;
18091 void xen_copy_trap_info(struct trap_info *traps);
18092
18093diff -urNp linux-2.6.32.9/block/blk-integrity.c linux-2.6.32.9/block/blk-integrity.c
18094--- linux-2.6.32.9/block/blk-integrity.c 2010-02-09 07:57:19.000000000 -0500
18095+++ linux-2.6.32.9/block/blk-integrity.c 2010-02-23 17:09:53.140103788 -0500
18096@@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
18097 NULL,
18098 };
18099
18100-static struct sysfs_ops integrity_ops = {
18101+static const struct sysfs_ops integrity_ops = {
18102 .show = &integrity_attr_show,
18103 .store = &integrity_attr_store,
18104 };
18105diff -urNp linux-2.6.32.9/block/blk-iopoll.c linux-2.6.32.9/block/blk-iopoll.c
18106--- linux-2.6.32.9/block/blk-iopoll.c 2010-02-09 07:57:19.000000000 -0500
18107+++ linux-2.6.32.9/block/blk-iopoll.c 2010-02-23 17:09:53.140103788 -0500
18108@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
18109 }
18110 EXPORT_SYMBOL(blk_iopoll_complete);
18111
18112-static void blk_iopoll_softirq(struct softirq_action *h)
18113+static void blk_iopoll_softirq(void)
18114 {
18115 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
18116 int rearm = 0, budget = blk_iopoll_budget;
18117diff -urNp linux-2.6.32.9/block/blk-map.c linux-2.6.32.9/block/blk-map.c
18118--- linux-2.6.32.9/block/blk-map.c 2010-02-09 07:57:19.000000000 -0500
18119+++ linux-2.6.32.9/block/blk-map.c 2010-02-23 17:09:53.140103788 -0500
18120@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
18121 * direct dma. else, set up kernel bounce buffers
18122 */
18123 uaddr = (unsigned long) ubuf;
18124- if (blk_rq_aligned(q, ubuf, len) && !map_data)
18125+ if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
18126 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
18127 else
18128 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
18129@@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
18130 if (!len || !kbuf)
18131 return -EINVAL;
18132
18133- do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
18134+ do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
18135 if (do_copy)
18136 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
18137 else
18138diff -urNp linux-2.6.32.9/block/blk-softirq.c linux-2.6.32.9/block/blk-softirq.c
18139--- linux-2.6.32.9/block/blk-softirq.c 2010-02-09 07:57:19.000000000 -0500
18140+++ linux-2.6.32.9/block/blk-softirq.c 2010-02-23 17:09:53.140103788 -0500
18141@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
18142 * Softirq action handler - move entries to local list and loop over them
18143 * while passing them to the queue registered handler.
18144 */
18145-static void blk_done_softirq(struct softirq_action *h)
18146+static void blk_done_softirq(void)
18147 {
18148 struct list_head *cpu_list, local_list;
18149
18150diff -urNp linux-2.6.32.9/block/blk-sysfs.c linux-2.6.32.9/block/blk-sysfs.c
18151--- linux-2.6.32.9/block/blk-sysfs.c 2010-02-09 07:57:19.000000000 -0500
18152+++ linux-2.6.32.9/block/blk-sysfs.c 2010-02-23 17:09:53.140103788 -0500
18153@@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
18154 kmem_cache_free(blk_requestq_cachep, q);
18155 }
18156
18157-static struct sysfs_ops queue_sysfs_ops = {
18158+static const struct sysfs_ops queue_sysfs_ops = {
18159 .show = queue_attr_show,
18160 .store = queue_attr_store,
18161 };
18162diff -urNp linux-2.6.32.9/block/elevator.c linux-2.6.32.9/block/elevator.c
18163--- linux-2.6.32.9/block/elevator.c 2010-02-09 07:57:19.000000000 -0500
18164+++ linux-2.6.32.9/block/elevator.c 2010-02-23 17:09:53.140103788 -0500
18165@@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
18166 return error;
18167 }
18168
18169-static struct sysfs_ops elv_sysfs_ops = {
18170+static const struct sysfs_ops elv_sysfs_ops = {
18171 .show = elv_attr_show,
18172 .store = elv_attr_store,
18173 };
18174diff -urNp linux-2.6.32.9/crypto/lrw.c linux-2.6.32.9/crypto/lrw.c
18175--- linux-2.6.32.9/crypto/lrw.c 2010-02-09 07:57:19.000000000 -0500
18176+++ linux-2.6.32.9/crypto/lrw.c 2010-02-23 17:09:53.140103788 -0500
18177@@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
18178 struct priv *ctx = crypto_tfm_ctx(parent);
18179 struct crypto_cipher *child = ctx->child;
18180 int err, i;
18181- be128 tmp = { 0 };
18182+ be128 tmp = { 0, 0 };
18183 int bsize = crypto_cipher_blocksize(child);
18184
18185 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
18186diff -urNp linux-2.6.32.9/Documentation/dontdiff linux-2.6.32.9/Documentation/dontdiff
18187--- linux-2.6.32.9/Documentation/dontdiff 2010-02-09 07:57:19.000000000 -0500
18188+++ linux-2.6.32.9/Documentation/dontdiff 2010-02-23 17:09:53.140103788 -0500
18189@@ -3,6 +3,7 @@
18190 *.bin
18191 *.cpio
18192 *.csp
18193+*.dbg
18194 *.dsp
18195 *.dvi
18196 *.elf
18197@@ -40,6 +41,7 @@
18198 *.ver
18199 *.xml
18200 *_MODULES
18201+*_reg_safe.h
18202 *_vga16.c
18203 *~
18204 *.9
18205@@ -49,11 +51,16 @@
18206 53c700_d.h
18207 CVS
18208 ChangeSet
18209+GPATH
18210+GRTAGS
18211+GSYMS
18212+GTAGS
18213 Image
18214 Kerntypes
18215 Module.markers
18216 Module.symvers
18217 PENDING
18218+PERF*
18219 SCCS
18220 System.map*
18221 TAGS
18222@@ -76,7 +83,9 @@ btfixupprep
18223 build
18224 bvmlinux
18225 bzImage*
18226+capflags.c
18227 classlist.h*
18228+common-cmds.h
18229 comp*.log
18230 compile.h*
18231 conf
18232@@ -103,13 +112,14 @@ gen_crc32table
18233 gen_init_cpio
18234 genksyms
18235 *_gray256.c
18236+hash
18237 ihex2fw
18238 ikconfig.h*
18239 initramfs_data.cpio
18240+initramfs_data.cpio.bz2
18241 initramfs_data.cpio.gz
18242 initramfs_list
18243 kallsyms
18244-kconfig
18245 keywords.c
18246 ksym.c*
18247 ksym.h*
18248@@ -133,7 +143,9 @@ mkboot
18249 mkbugboot
18250 mkcpustr
18251 mkdep
18252+mkpiggy
18253 mkprep
18254+mkregtable
18255 mktables
18256 mktree
18257 modpost
18258@@ -149,6 +161,7 @@ patches*
18259 pca200e.bin
18260 pca200e_ecd.bin2
18261 piggy.gz
18262+piggy.S
18263 piggyback
18264 pnmtologo
18265 ppc_defs.h*
18266@@ -163,6 +176,7 @@ setup
18267 setup.bin
18268 setup.elf
18269 sImage
18270+slabinfo
18271 sm_tbl*
18272 split-include
18273 syscalltab.h
18274@@ -186,14 +200,20 @@ version.h*
18275 vmlinux
18276 vmlinux-*
18277 vmlinux.aout
18278+vmlinux.bin.all
18279+vmlinux.bin.bz2
18280 vmlinux.lds
18281+vmlinux.relocs
18282+voffset.h
18283 vsyscall.lds
18284 vsyscall_32.lds
18285 wanxlfw.inc
18286 uImage
18287 unifdef
18288+utsrelease.h
18289 wakeup.bin
18290 wakeup.elf
18291 wakeup.lds
18292 zImage*
18293 zconf.hash.c
18294+zoffset.h
18295diff -urNp linux-2.6.32.9/Documentation/kernel-parameters.txt linux-2.6.32.9/Documentation/kernel-parameters.txt
18296--- linux-2.6.32.9/Documentation/kernel-parameters.txt 2010-02-09 07:57:19.000000000 -0500
18297+++ linux-2.6.32.9/Documentation/kernel-parameters.txt 2010-02-23 17:09:53.140103788 -0500
18298@@ -1833,6 +1833,12 @@ and is between 256 and 4096 characters.
18299 the specified number of seconds. This is to be used if
18300 your oopses keep scrolling off the screen.
18301
18302+ pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
18303+ virtualization environments that don't cope well with the
18304+ expand down segment used by UDEREF on X86-32.
18305+
18306+ pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
18307+
18308 pcbit= [HW,ISDN]
18309
18310 pcd. [PARIDE]
18311diff -urNp linux-2.6.32.9/drivers/acpi/battery.c linux-2.6.32.9/drivers/acpi/battery.c
18312--- linux-2.6.32.9/drivers/acpi/battery.c 2010-02-09 07:57:19.000000000 -0500
18313+++ linux-2.6.32.9/drivers/acpi/battery.c 2010-02-23 17:09:53.140103788 -0500
18314@@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
18315 }
18316
18317 static struct battery_file {
18318- struct file_operations ops;
18319+ const struct file_operations ops;
18320 mode_t mode;
18321 const char *name;
18322 } acpi_battery_file[] = {
18323diff -urNp linux-2.6.32.9/drivers/acpi/blacklist.c linux-2.6.32.9/drivers/acpi/blacklist.c
18324--- linux-2.6.32.9/drivers/acpi/blacklist.c 2010-02-09 07:57:19.000000000 -0500
18325+++ linux-2.6.32.9/drivers/acpi/blacklist.c 2010-02-23 17:09:53.140103788 -0500
18326@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
18327 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
18328 "Incorrect _ADR", 1},
18329
18330- {""}
18331+ {"", "", 0, NULL, all_versions, NULL, 0}
18332 };
18333
18334 #if CONFIG_ACPI_BLACKLIST_YEAR
18335diff -urNp linux-2.6.32.9/drivers/acpi/dock.c linux-2.6.32.9/drivers/acpi/dock.c
18336--- linux-2.6.32.9/drivers/acpi/dock.c 2010-02-09 07:57:19.000000000 -0500
18337+++ linux-2.6.32.9/drivers/acpi/dock.c 2010-02-23 17:09:53.140103788 -0500
18338@@ -77,7 +77,7 @@ struct dock_dependent_device {
18339 struct list_head list;
18340 struct list_head hotplug_list;
18341 acpi_handle handle;
18342- struct acpi_dock_ops *ops;
18343+ const struct acpi_dock_ops *ops;
18344 void *context;
18345 };
18346
18347@@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
18348 * the dock driver after _DCK is executed.
18349 */
18350 int
18351-register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
18352+register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
18353 void *context)
18354 {
18355 struct dock_dependent_device *dd;
18356diff -urNp linux-2.6.32.9/drivers/acpi/osl.c linux-2.6.32.9/drivers/acpi/osl.c
18357--- linux-2.6.32.9/drivers/acpi/osl.c 2010-02-09 07:57:19.000000000 -0500
18358+++ linux-2.6.32.9/drivers/acpi/osl.c 2010-02-23 17:09:53.140103788 -0500
18359@@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
18360 void __iomem *virt_addr;
18361
18362 virt_addr = ioremap(phys_addr, width);
18363+ if (!virt_addr)
18364+ return AE_NO_MEMORY;
18365 if (!value)
18366 value = &dummy;
18367
18368@@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
18369 void __iomem *virt_addr;
18370
18371 virt_addr = ioremap(phys_addr, width);
18372+ if (!virt_addr)
18373+ return AE_NO_MEMORY;
18374
18375 switch (width) {
18376 case 8:
18377diff -urNp linux-2.6.32.9/drivers/acpi/processor_core.c linux-2.6.32.9/drivers/acpi/processor_core.c
18378--- linux-2.6.32.9/drivers/acpi/processor_core.c 2010-02-09 07:57:19.000000000 -0500
18379+++ linux-2.6.32.9/drivers/acpi/processor_core.c 2010-02-23 17:09:53.140103788 -0500
18380@@ -796,7 +796,7 @@ static int __cpuinit acpi_processor_add(
18381 return 0;
18382 }
18383
18384- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
18385+ BUG_ON(pr->id >= nr_cpu_ids);
18386
18387 /*
18388 * Buggy BIOS check
18389diff -urNp linux-2.6.32.9/drivers/acpi/processor_idle.c linux-2.6.32.9/drivers/acpi/processor_idle.c
18390--- linux-2.6.32.9/drivers/acpi/processor_idle.c 2010-02-23 17:04:11.889592859 -0500
18391+++ linux-2.6.32.9/drivers/acpi/processor_idle.c 2010-02-23 17:26:35.520309994 -0500
18392@@ -118,7 +118,7 @@ static struct dmi_system_id __cpuinitdat
18393 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
18394 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
18395 (void *)1},
18396- {},
18397+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
18398 };
18399
18400
18401diff -urNp linux-2.6.32.9/drivers/acpi/sleep.c linux-2.6.32.9/drivers/acpi/sleep.c
18402--- linux-2.6.32.9/drivers/acpi/sleep.c 2010-02-09 07:57:19.000000000 -0500
18403+++ linux-2.6.32.9/drivers/acpi/sleep.c 2010-02-23 17:09:53.140103788 -0500
18404@@ -297,7 +297,7 @@ static int acpi_suspend_state_valid(susp
18405 }
18406 }
18407
18408-static struct platform_suspend_ops acpi_suspend_ops = {
18409+static const struct platform_suspend_ops acpi_suspend_ops = {
18410 .valid = acpi_suspend_state_valid,
18411 .begin = acpi_suspend_begin,
18412 .prepare_late = acpi_pm_prepare,
18413@@ -325,7 +325,7 @@ static int acpi_suspend_begin_old(suspen
18414 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18415 * been requested.
18416 */
18417-static struct platform_suspend_ops acpi_suspend_ops_old = {
18418+static const struct platform_suspend_ops acpi_suspend_ops_old = {
18419 .valid = acpi_suspend_state_valid,
18420 .begin = acpi_suspend_begin_old,
18421 .prepare_late = acpi_pm_disable_gpes,
18422@@ -552,7 +552,7 @@ static void acpi_pm_enable_gpes(void)
18423 acpi_enable_all_runtime_gpes();
18424 }
18425
18426-static struct platform_hibernation_ops acpi_hibernation_ops = {
18427+static const struct platform_hibernation_ops acpi_hibernation_ops = {
18428 .begin = acpi_hibernation_begin,
18429 .end = acpi_pm_end,
18430 .pre_snapshot = acpi_hibernation_pre_snapshot,
18431@@ -605,7 +605,7 @@ static int acpi_hibernation_pre_snapshot
18432 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18433 * been requested.
18434 */
18435-static struct platform_hibernation_ops acpi_hibernation_ops_old = {
18436+static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
18437 .begin = acpi_hibernation_begin_old,
18438 .end = acpi_pm_end,
18439 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
18440diff -urNp linux-2.6.32.9/drivers/acpi/video.c linux-2.6.32.9/drivers/acpi/video.c
18441--- linux-2.6.32.9/drivers/acpi/video.c 2010-02-09 07:57:19.000000000 -0500
18442+++ linux-2.6.32.9/drivers/acpi/video.c 2010-02-23 17:09:53.144538224 -0500
18443@@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
18444 vd->brightness->levels[request_level]);
18445 }
18446
18447-static struct backlight_ops acpi_backlight_ops = {
18448+static const struct backlight_ops acpi_backlight_ops = {
18449 .get_brightness = acpi_video_get_brightness,
18450 .update_status = acpi_video_set_brightness,
18451 };
18452diff -urNp linux-2.6.32.9/drivers/ata/ahci.c linux-2.6.32.9/drivers/ata/ahci.c
18453--- linux-2.6.32.9/drivers/ata/ahci.c 2010-02-23 17:04:11.996660027 -0500
18454+++ linux-2.6.32.9/drivers/ata/ahci.c 2010-02-23 17:09:53.144538224 -0500
18455@@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
18456 .sdev_attrs = ahci_sdev_attrs,
18457 };
18458
18459-static struct ata_port_operations ahci_ops = {
18460+static const struct ata_port_operations ahci_ops = {
18461 .inherits = &sata_pmp_port_ops,
18462
18463 .qc_defer = sata_pmp_qc_defer_cmd_switch,
18464@@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
18465 .port_stop = ahci_port_stop,
18466 };
18467
18468-static struct ata_port_operations ahci_vt8251_ops = {
18469+static const struct ata_port_operations ahci_vt8251_ops = {
18470 .inherits = &ahci_ops,
18471 .hardreset = ahci_vt8251_hardreset,
18472 };
18473
18474-static struct ata_port_operations ahci_p5wdh_ops = {
18475+static const struct ata_port_operations ahci_p5wdh_ops = {
18476 .inherits = &ahci_ops,
18477 .hardreset = ahci_p5wdh_hardreset,
18478 };
18479
18480-static struct ata_port_operations ahci_sb600_ops = {
18481+static const struct ata_port_operations ahci_sb600_ops = {
18482 .inherits = &ahci_ops,
18483 .softreset = ahci_sb600_softreset,
18484 .pmp_softreset = ahci_sb600_softreset,
18485@@ -681,7 +681,7 @@ static const struct pci_device_id ahci_p
18486 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
18487 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
18488
18489- { } /* terminate list */
18490+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18491 };
18492
18493
18494diff -urNp linux-2.6.32.9/drivers/ata/ata_generic.c linux-2.6.32.9/drivers/ata/ata_generic.c
18495--- linux-2.6.32.9/drivers/ata/ata_generic.c 2010-02-09 07:57:19.000000000 -0500
18496+++ linux-2.6.32.9/drivers/ata/ata_generic.c 2010-02-23 17:09:53.144538224 -0500
18497@@ -95,7 +95,7 @@ static struct scsi_host_template generic
18498 ATA_BMDMA_SHT(DRV_NAME),
18499 };
18500
18501-static struct ata_port_operations generic_port_ops = {
18502+static const struct ata_port_operations generic_port_ops = {
18503 .inherits = &ata_bmdma_port_ops,
18504 .cable_detect = ata_cable_unknown,
18505 .set_mode = generic_set_mode,
18506diff -urNp linux-2.6.32.9/drivers/ata/ata_piix.c linux-2.6.32.9/drivers/ata/ata_piix.c
18507--- linux-2.6.32.9/drivers/ata/ata_piix.c 2010-02-09 07:57:19.000000000 -0500
18508+++ linux-2.6.32.9/drivers/ata/ata_piix.c 2010-02-23 17:09:53.144538224 -0500
18509@@ -291,7 +291,7 @@ static const struct pci_device_id piix_p
18510 { 0x8086, 0x3b2d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
18511 /* SATA Controller IDE (PCH) */
18512 { 0x8086, 0x3b2e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
18513- { } /* terminate list */
18514+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18515 };
18516
18517 static struct pci_driver piix_pci_driver = {
18518@@ -309,7 +309,7 @@ static struct scsi_host_template piix_sh
18519 ATA_BMDMA_SHT(DRV_NAME),
18520 };
18521
18522-static struct ata_port_operations piix_pata_ops = {
18523+static const struct ata_port_operations piix_pata_ops = {
18524 .inherits = &ata_bmdma32_port_ops,
18525 .cable_detect = ata_cable_40wire,
18526 .set_piomode = piix_set_piomode,
18527@@ -317,22 +317,22 @@ static struct ata_port_operations piix_p
18528 .prereset = piix_pata_prereset,
18529 };
18530
18531-static struct ata_port_operations piix_vmw_ops = {
18532+static const struct ata_port_operations piix_vmw_ops = {
18533 .inherits = &piix_pata_ops,
18534 .bmdma_status = piix_vmw_bmdma_status,
18535 };
18536
18537-static struct ata_port_operations ich_pata_ops = {
18538+static const struct ata_port_operations ich_pata_ops = {
18539 .inherits = &piix_pata_ops,
18540 .cable_detect = ich_pata_cable_detect,
18541 .set_dmamode = ich_set_dmamode,
18542 };
18543
18544-static struct ata_port_operations piix_sata_ops = {
18545+static const struct ata_port_operations piix_sata_ops = {
18546 .inherits = &ata_bmdma_port_ops,
18547 };
18548
18549-static struct ata_port_operations piix_sidpr_sata_ops = {
18550+static const struct ata_port_operations piix_sidpr_sata_ops = {
18551 .inherits = &piix_sata_ops,
18552 .hardreset = sata_std_hardreset,
18553 .scr_read = piix_sidpr_scr_read,
18554@@ -608,7 +608,7 @@ static const struct ich_laptop ich_lapto
18555 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
18556 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
18557 /* end marker */
18558- { 0, }
18559+ { 0, 0, 0 }
18560 };
18561
18562 /**
18563@@ -1086,7 +1086,7 @@ static int piix_broken_suspend(void)
18564 },
18565 },
18566
18567- { } /* terminate list */
18568+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
18569 };
18570 static const char *oemstrs[] = {
18571 "Tecra M3,",
18572diff -urNp linux-2.6.32.9/drivers/ata/libata-acpi.c linux-2.6.32.9/drivers/ata/libata-acpi.c
18573--- linux-2.6.32.9/drivers/ata/libata-acpi.c 2010-02-09 07:57:19.000000000 -0500
18574+++ linux-2.6.32.9/drivers/ata/libata-acpi.c 2010-02-23 17:09:53.144538224 -0500
18575@@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
18576 ata_acpi_uevent(dev->link->ap, dev, event);
18577 }
18578
18579-static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18580+static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18581 .handler = ata_acpi_dev_notify_dock,
18582 .uevent = ata_acpi_dev_uevent,
18583 };
18584
18585-static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18586+static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18587 .handler = ata_acpi_ap_notify_dock,
18588 .uevent = ata_acpi_ap_uevent,
18589 };
18590diff -urNp linux-2.6.32.9/drivers/ata/libata-core.c linux-2.6.32.9/drivers/ata/libata-core.c
18591--- linux-2.6.32.9/drivers/ata/libata-core.c 2010-02-09 07:57:19.000000000 -0500
18592+++ linux-2.6.32.9/drivers/ata/libata-core.c 2010-02-23 17:09:53.144538224 -0500
18593@@ -896,7 +896,7 @@ static const struct ata_xfer_ent {
18594 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
18595 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
18596 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
18597- { -1, },
18598+ { -1, 0, 0 }
18599 };
18600
18601 /**
18602@@ -3163,7 +3163,7 @@ static const struct ata_timing ata_timin
18603 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
18604 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
18605
18606- { 0xFF }
18607+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
18608 };
18609
18610 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
18611@@ -4385,7 +4385,7 @@ static const struct ata_blacklist_entry
18612 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
18613
18614 /* End Marker */
18615- { }
18616+ { NULL, NULL, 0 }
18617 };
18618
18619 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
18620@@ -5961,7 +5961,7 @@ static void ata_host_stop(struct device
18621 * LOCKING:
18622 * None.
18623 */
18624-static void ata_finalize_port_ops(struct ata_port_operations *ops)
18625+static void ata_finalize_port_ops(const struct ata_port_operations *ops)
18626 {
18627 static DEFINE_SPINLOCK(lock);
18628 const struct ata_port_operations *cur;
18629@@ -5973,6 +5973,7 @@ static void ata_finalize_port_ops(struct
18630 return;
18631
18632 spin_lock(&lock);
18633+ pax_open_kernel();
18634
18635 for (cur = ops->inherits; cur; cur = cur->inherits) {
18636 void **inherit = (void **)cur;
18637@@ -5986,8 +5987,9 @@ static void ata_finalize_port_ops(struct
18638 if (IS_ERR(*pp))
18639 *pp = NULL;
18640
18641- ops->inherits = NULL;
18642+ ((struct ata_port_operations *)ops)->inherits = NULL;
18643
18644+ pax_close_kernel();
18645 spin_unlock(&lock);
18646 }
18647
18648@@ -6084,7 +6086,7 @@ int ata_host_start(struct ata_host *host
18649 */
18650 /* KILLME - the only user left is ipr */
18651 void ata_host_init(struct ata_host *host, struct device *dev,
18652- unsigned long flags, struct ata_port_operations *ops)
18653+ unsigned long flags, const struct ata_port_operations *ops)
18654 {
18655 spin_lock_init(&host->lock);
18656 host->dev = dev;
18657@@ -6747,7 +6749,7 @@ static void ata_dummy_error_handler(stru
18658 /* truly dummy */
18659 }
18660
18661-struct ata_port_operations ata_dummy_port_ops = {
18662+const struct ata_port_operations ata_dummy_port_ops = {
18663 .qc_prep = ata_noop_qc_prep,
18664 .qc_issue = ata_dummy_qc_issue,
18665 .error_handler = ata_dummy_error_handler,
18666diff -urNp linux-2.6.32.9/drivers/ata/libata-eh.c linux-2.6.32.9/drivers/ata/libata-eh.c
18667--- linux-2.6.32.9/drivers/ata/libata-eh.c 2010-02-09 07:57:19.000000000 -0500
18668+++ linux-2.6.32.9/drivers/ata/libata-eh.c 2010-02-23 17:09:53.148068131 -0500
18669@@ -3581,7 +3581,7 @@ void ata_do_eh(struct ata_port *ap, ata_
18670 */
18671 void ata_std_error_handler(struct ata_port *ap)
18672 {
18673- struct ata_port_operations *ops = ap->ops;
18674+ const struct ata_port_operations *ops = ap->ops;
18675 ata_reset_fn_t hardreset = ops->hardreset;
18676
18677 /* ignore built-in hardreset if SCR access is not available */
18678diff -urNp linux-2.6.32.9/drivers/ata/libata-pmp.c linux-2.6.32.9/drivers/ata/libata-pmp.c
18679--- linux-2.6.32.9/drivers/ata/libata-pmp.c 2010-02-09 07:57:19.000000000 -0500
18680+++ linux-2.6.32.9/drivers/ata/libata-pmp.c 2010-02-23 17:09:53.148068131 -0500
18681@@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
18682 */
18683 static int sata_pmp_eh_recover(struct ata_port *ap)
18684 {
18685- struct ata_port_operations *ops = ap->ops;
18686+ const struct ata_port_operations *ops = ap->ops;
18687 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
18688 struct ata_link *pmp_link = &ap->link;
18689 struct ata_device *pmp_dev = pmp_link->device;
18690diff -urNp linux-2.6.32.9/drivers/ata/pata_acpi.c linux-2.6.32.9/drivers/ata/pata_acpi.c
18691--- linux-2.6.32.9/drivers/ata/pata_acpi.c 2010-02-09 07:57:19.000000000 -0500
18692+++ linux-2.6.32.9/drivers/ata/pata_acpi.c 2010-02-23 17:09:53.148068131 -0500
18693@@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
18694 ATA_BMDMA_SHT(DRV_NAME),
18695 };
18696
18697-static struct ata_port_operations pacpi_ops = {
18698+static const struct ata_port_operations pacpi_ops = {
18699 .inherits = &ata_bmdma_port_ops,
18700 .qc_issue = pacpi_qc_issue,
18701 .cable_detect = pacpi_cable_detect,
18702diff -urNp linux-2.6.32.9/drivers/ata/pata_ali.c linux-2.6.32.9/drivers/ata/pata_ali.c
18703--- linux-2.6.32.9/drivers/ata/pata_ali.c 2010-02-09 07:57:19.000000000 -0500
18704+++ linux-2.6.32.9/drivers/ata/pata_ali.c 2010-02-23 17:09:53.148068131 -0500
18705@@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
18706 * Port operations for PIO only ALi
18707 */
18708
18709-static struct ata_port_operations ali_early_port_ops = {
18710+static const struct ata_port_operations ali_early_port_ops = {
18711 .inherits = &ata_sff_port_ops,
18712 .cable_detect = ata_cable_40wire,
18713 .set_piomode = ali_set_piomode,
18714@@ -382,7 +382,7 @@ static const struct ata_port_operations
18715 * Port operations for DMA capable ALi without cable
18716 * detect
18717 */
18718-static struct ata_port_operations ali_20_port_ops = {
18719+static const struct ata_port_operations ali_20_port_ops = {
18720 .inherits = &ali_dma_base_ops,
18721 .cable_detect = ata_cable_40wire,
18722 .mode_filter = ali_20_filter,
18723@@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
18724 /*
18725 * Port operations for DMA capable ALi with cable detect
18726 */
18727-static struct ata_port_operations ali_c2_port_ops = {
18728+static const struct ata_port_operations ali_c2_port_ops = {
18729 .inherits = &ali_dma_base_ops,
18730 .check_atapi_dma = ali_check_atapi_dma,
18731 .cable_detect = ali_c2_cable_detect,
18732@@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
18733 /*
18734 * Port operations for DMA capable ALi with cable detect
18735 */
18736-static struct ata_port_operations ali_c4_port_ops = {
18737+static const struct ata_port_operations ali_c4_port_ops = {
18738 .inherits = &ali_dma_base_ops,
18739 .check_atapi_dma = ali_check_atapi_dma,
18740 .cable_detect = ali_c2_cable_detect,
18741@@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
18742 /*
18743 * Port operations for DMA capable ALi with cable detect and LBA48
18744 */
18745-static struct ata_port_operations ali_c5_port_ops = {
18746+static const struct ata_port_operations ali_c5_port_ops = {
18747 .inherits = &ali_dma_base_ops,
18748 .check_atapi_dma = ali_check_atapi_dma,
18749 .dev_config = ali_warn_atapi_dma,
18750diff -urNp linux-2.6.32.9/drivers/ata/pata_amd.c linux-2.6.32.9/drivers/ata/pata_amd.c
18751--- linux-2.6.32.9/drivers/ata/pata_amd.c 2010-02-09 07:57:19.000000000 -0500
18752+++ linux-2.6.32.9/drivers/ata/pata_amd.c 2010-02-23 17:09:53.148068131 -0500
18753@@ -397,28 +397,28 @@ static const struct ata_port_operations
18754 .prereset = amd_pre_reset,
18755 };
18756
18757-static struct ata_port_operations amd33_port_ops = {
18758+static const struct ata_port_operations amd33_port_ops = {
18759 .inherits = &amd_base_port_ops,
18760 .cable_detect = ata_cable_40wire,
18761 .set_piomode = amd33_set_piomode,
18762 .set_dmamode = amd33_set_dmamode,
18763 };
18764
18765-static struct ata_port_operations amd66_port_ops = {
18766+static const struct ata_port_operations amd66_port_ops = {
18767 .inherits = &amd_base_port_ops,
18768 .cable_detect = ata_cable_unknown,
18769 .set_piomode = amd66_set_piomode,
18770 .set_dmamode = amd66_set_dmamode,
18771 };
18772
18773-static struct ata_port_operations amd100_port_ops = {
18774+static const struct ata_port_operations amd100_port_ops = {
18775 .inherits = &amd_base_port_ops,
18776 .cable_detect = ata_cable_unknown,
18777 .set_piomode = amd100_set_piomode,
18778 .set_dmamode = amd100_set_dmamode,
18779 };
18780
18781-static struct ata_port_operations amd133_port_ops = {
18782+static const struct ata_port_operations amd133_port_ops = {
18783 .inherits = &amd_base_port_ops,
18784 .cable_detect = amd_cable_detect,
18785 .set_piomode = amd133_set_piomode,
18786@@ -433,13 +433,13 @@ static const struct ata_port_operations
18787 .host_stop = nv_host_stop,
18788 };
18789
18790-static struct ata_port_operations nv100_port_ops = {
18791+static const struct ata_port_operations nv100_port_ops = {
18792 .inherits = &nv_base_port_ops,
18793 .set_piomode = nv100_set_piomode,
18794 .set_dmamode = nv100_set_dmamode,
18795 };
18796
18797-static struct ata_port_operations nv133_port_ops = {
18798+static const struct ata_port_operations nv133_port_ops = {
18799 .inherits = &nv_base_port_ops,
18800 .set_piomode = nv133_set_piomode,
18801 .set_dmamode = nv133_set_dmamode,
18802diff -urNp linux-2.6.32.9/drivers/ata/pata_artop.c linux-2.6.32.9/drivers/ata/pata_artop.c
18803--- linux-2.6.32.9/drivers/ata/pata_artop.c 2010-02-09 07:57:19.000000000 -0500
18804+++ linux-2.6.32.9/drivers/ata/pata_artop.c 2010-02-23 17:09:53.148068131 -0500
18805@@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
18806 ATA_BMDMA_SHT(DRV_NAME),
18807 };
18808
18809-static struct ata_port_operations artop6210_ops = {
18810+static const struct ata_port_operations artop6210_ops = {
18811 .inherits = &ata_bmdma_port_ops,
18812 .cable_detect = ata_cable_40wire,
18813 .set_piomode = artop6210_set_piomode,
18814@@ -320,7 +320,7 @@ static struct ata_port_operations artop6
18815 .qc_defer = artop6210_qc_defer,
18816 };
18817
18818-static struct ata_port_operations artop6260_ops = {
18819+static const struct ata_port_operations artop6260_ops = {
18820 .inherits = &ata_bmdma_port_ops,
18821 .cable_detect = artop6260_cable_detect,
18822 .set_piomode = artop6260_set_piomode,
18823diff -urNp linux-2.6.32.9/drivers/ata/pata_at32.c linux-2.6.32.9/drivers/ata/pata_at32.c
18824--- linux-2.6.32.9/drivers/ata/pata_at32.c 2010-02-09 07:57:19.000000000 -0500
18825+++ linux-2.6.32.9/drivers/ata/pata_at32.c 2010-02-23 17:09:53.148068131 -0500
18826@@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
18827 ATA_PIO_SHT(DRV_NAME),
18828 };
18829
18830-static struct ata_port_operations at32_port_ops = {
18831+static const struct ata_port_operations at32_port_ops = {
18832 .inherits = &ata_sff_port_ops,
18833 .cable_detect = ata_cable_40wire,
18834 .set_piomode = pata_at32_set_piomode,
18835diff -urNp linux-2.6.32.9/drivers/ata/pata_at91.c linux-2.6.32.9/drivers/ata/pata_at91.c
18836--- linux-2.6.32.9/drivers/ata/pata_at91.c 2010-02-09 07:57:19.000000000 -0500
18837+++ linux-2.6.32.9/drivers/ata/pata_at91.c 2010-02-23 17:09:53.148068131 -0500
18838@@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
18839 ATA_PIO_SHT(DRV_NAME),
18840 };
18841
18842-static struct ata_port_operations pata_at91_port_ops = {
18843+static const struct ata_port_operations pata_at91_port_ops = {
18844 .inherits = &ata_sff_port_ops,
18845
18846 .sff_data_xfer = pata_at91_data_xfer_noirq,
18847diff -urNp linux-2.6.32.9/drivers/ata/pata_atiixp.c linux-2.6.32.9/drivers/ata/pata_atiixp.c
18848--- linux-2.6.32.9/drivers/ata/pata_atiixp.c 2010-02-09 07:57:19.000000000 -0500
18849+++ linux-2.6.32.9/drivers/ata/pata_atiixp.c 2010-02-23 17:09:53.148068131 -0500
18850@@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
18851 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
18852 };
18853
18854-static struct ata_port_operations atiixp_port_ops = {
18855+static const struct ata_port_operations atiixp_port_ops = {
18856 .inherits = &ata_bmdma_port_ops,
18857
18858 .qc_prep = ata_sff_dumb_qc_prep,
18859diff -urNp linux-2.6.32.9/drivers/ata/pata_atp867x.c linux-2.6.32.9/drivers/ata/pata_atp867x.c
18860--- linux-2.6.32.9/drivers/ata/pata_atp867x.c 2010-02-09 07:57:19.000000000 -0500
18861+++ linux-2.6.32.9/drivers/ata/pata_atp867x.c 2010-02-23 17:09:53.148068131 -0500
18862@@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
18863 ATA_BMDMA_SHT(DRV_NAME),
18864 };
18865
18866-static struct ata_port_operations atp867x_ops = {
18867+static const struct ata_port_operations atp867x_ops = {
18868 .inherits = &ata_bmdma_port_ops,
18869 .cable_detect = atp867x_cable_detect,
18870 .set_piomode = atp867x_set_piomode,
18871diff -urNp linux-2.6.32.9/drivers/ata/pata_bf54x.c linux-2.6.32.9/drivers/ata/pata_bf54x.c
18872--- linux-2.6.32.9/drivers/ata/pata_bf54x.c 2010-02-09 07:57:19.000000000 -0500
18873+++ linux-2.6.32.9/drivers/ata/pata_bf54x.c 2010-02-23 17:09:53.148068131 -0500
18874@@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
18875 .dma_boundary = ATA_DMA_BOUNDARY,
18876 };
18877
18878-static struct ata_port_operations bfin_pata_ops = {
18879+static const struct ata_port_operations bfin_pata_ops = {
18880 .inherits = &ata_sff_port_ops,
18881
18882 .set_piomode = bfin_set_piomode,
18883diff -urNp linux-2.6.32.9/drivers/ata/pata_cmd640.c linux-2.6.32.9/drivers/ata/pata_cmd640.c
18884--- linux-2.6.32.9/drivers/ata/pata_cmd640.c 2010-02-09 07:57:19.000000000 -0500
18885+++ linux-2.6.32.9/drivers/ata/pata_cmd640.c 2010-02-23 17:09:53.148068131 -0500
18886@@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
18887 ATA_BMDMA_SHT(DRV_NAME),
18888 };
18889
18890-static struct ata_port_operations cmd640_port_ops = {
18891+static const struct ata_port_operations cmd640_port_ops = {
18892 .inherits = &ata_bmdma_port_ops,
18893 /* In theory xfer_noirq is not needed once we kill the prefetcher */
18894 .sff_data_xfer = ata_sff_data_xfer_noirq,
18895diff -urNp linux-2.6.32.9/drivers/ata/pata_cmd64x.c linux-2.6.32.9/drivers/ata/pata_cmd64x.c
18896--- linux-2.6.32.9/drivers/ata/pata_cmd64x.c 2010-02-09 07:57:19.000000000 -0500
18897+++ linux-2.6.32.9/drivers/ata/pata_cmd64x.c 2010-02-23 17:09:53.148068131 -0500
18898@@ -275,18 +275,18 @@ static const struct ata_port_operations
18899 .set_dmamode = cmd64x_set_dmamode,
18900 };
18901
18902-static struct ata_port_operations cmd64x_port_ops = {
18903+static const struct ata_port_operations cmd64x_port_ops = {
18904 .inherits = &cmd64x_base_ops,
18905 .cable_detect = ata_cable_40wire,
18906 };
18907
18908-static struct ata_port_operations cmd646r1_port_ops = {
18909+static const struct ata_port_operations cmd646r1_port_ops = {
18910 .inherits = &cmd64x_base_ops,
18911 .bmdma_stop = cmd646r1_bmdma_stop,
18912 .cable_detect = ata_cable_40wire,
18913 };
18914
18915-static struct ata_port_operations cmd648_port_ops = {
18916+static const struct ata_port_operations cmd648_port_ops = {
18917 .inherits = &cmd64x_base_ops,
18918 .bmdma_stop = cmd648_bmdma_stop,
18919 .cable_detect = cmd648_cable_detect,
18920diff -urNp linux-2.6.32.9/drivers/ata/pata_cs5520.c linux-2.6.32.9/drivers/ata/pata_cs5520.c
18921--- linux-2.6.32.9/drivers/ata/pata_cs5520.c 2010-02-09 07:57:19.000000000 -0500
18922+++ linux-2.6.32.9/drivers/ata/pata_cs5520.c 2010-02-23 17:09:53.148068131 -0500
18923@@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
18924 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
18925 };
18926
18927-static struct ata_port_operations cs5520_port_ops = {
18928+static const struct ata_port_operations cs5520_port_ops = {
18929 .inherits = &ata_bmdma_port_ops,
18930 .qc_prep = ata_sff_dumb_qc_prep,
18931 .cable_detect = ata_cable_40wire,
18932diff -urNp linux-2.6.32.9/drivers/ata/pata_cs5530.c linux-2.6.32.9/drivers/ata/pata_cs5530.c
18933--- linux-2.6.32.9/drivers/ata/pata_cs5530.c 2010-02-09 07:57:19.000000000 -0500
18934+++ linux-2.6.32.9/drivers/ata/pata_cs5530.c 2010-02-23 17:09:53.148068131 -0500
18935@@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
18936 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
18937 };
18938
18939-static struct ata_port_operations cs5530_port_ops = {
18940+static const struct ata_port_operations cs5530_port_ops = {
18941 .inherits = &ata_bmdma_port_ops,
18942
18943 .qc_prep = ata_sff_dumb_qc_prep,
18944diff -urNp linux-2.6.32.9/drivers/ata/pata_cs5535.c linux-2.6.32.9/drivers/ata/pata_cs5535.c
18945--- linux-2.6.32.9/drivers/ata/pata_cs5535.c 2010-02-09 07:57:19.000000000 -0500
18946+++ linux-2.6.32.9/drivers/ata/pata_cs5535.c 2010-02-23 17:09:53.148068131 -0500
18947@@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
18948 ATA_BMDMA_SHT(DRV_NAME),
18949 };
18950
18951-static struct ata_port_operations cs5535_port_ops = {
18952+static const struct ata_port_operations cs5535_port_ops = {
18953 .inherits = &ata_bmdma_port_ops,
18954 .cable_detect = cs5535_cable_detect,
18955 .set_piomode = cs5535_set_piomode,
18956diff -urNp linux-2.6.32.9/drivers/ata/pata_cs5536.c linux-2.6.32.9/drivers/ata/pata_cs5536.c
18957--- linux-2.6.32.9/drivers/ata/pata_cs5536.c 2010-02-09 07:57:19.000000000 -0500
18958+++ linux-2.6.32.9/drivers/ata/pata_cs5536.c 2010-02-23 17:09:53.148068131 -0500
18959@@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
18960 ATA_BMDMA_SHT(DRV_NAME),
18961 };
18962
18963-static struct ata_port_operations cs5536_port_ops = {
18964+static const struct ata_port_operations cs5536_port_ops = {
18965 .inherits = &ata_bmdma_port_ops,
18966 .cable_detect = cs5536_cable_detect,
18967 .set_piomode = cs5536_set_piomode,
18968diff -urNp linux-2.6.32.9/drivers/ata/pata_cypress.c linux-2.6.32.9/drivers/ata/pata_cypress.c
18969--- linux-2.6.32.9/drivers/ata/pata_cypress.c 2010-02-09 07:57:19.000000000 -0500
18970+++ linux-2.6.32.9/drivers/ata/pata_cypress.c 2010-02-23 17:09:53.148068131 -0500
18971@@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
18972 ATA_BMDMA_SHT(DRV_NAME),
18973 };
18974
18975-static struct ata_port_operations cy82c693_port_ops = {
18976+static const struct ata_port_operations cy82c693_port_ops = {
18977 .inherits = &ata_bmdma_port_ops,
18978 .cable_detect = ata_cable_40wire,
18979 .set_piomode = cy82c693_set_piomode,
18980diff -urNp linux-2.6.32.9/drivers/ata/pata_efar.c linux-2.6.32.9/drivers/ata/pata_efar.c
18981--- linux-2.6.32.9/drivers/ata/pata_efar.c 2010-02-09 07:57:19.000000000 -0500
18982+++ linux-2.6.32.9/drivers/ata/pata_efar.c 2010-02-23 17:09:53.148068131 -0500
18983@@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
18984 ATA_BMDMA_SHT(DRV_NAME),
18985 };
18986
18987-static struct ata_port_operations efar_ops = {
18988+static const struct ata_port_operations efar_ops = {
18989 .inherits = &ata_bmdma_port_ops,
18990 .cable_detect = efar_cable_detect,
18991 .set_piomode = efar_set_piomode,
18992diff -urNp linux-2.6.32.9/drivers/ata/pata_hpt366.c linux-2.6.32.9/drivers/ata/pata_hpt366.c
18993--- linux-2.6.32.9/drivers/ata/pata_hpt366.c 2010-02-09 07:57:19.000000000 -0500
18994+++ linux-2.6.32.9/drivers/ata/pata_hpt366.c 2010-02-23 17:09:53.148068131 -0500
18995@@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
18996 * Configuration for HPT366/68
18997 */
18998
18999-static struct ata_port_operations hpt366_port_ops = {
19000+static const struct ata_port_operations hpt366_port_ops = {
19001 .inherits = &ata_bmdma_port_ops,
19002 .cable_detect = hpt36x_cable_detect,
19003 .mode_filter = hpt366_filter,
19004diff -urNp linux-2.6.32.9/drivers/ata/pata_hpt37x.c linux-2.6.32.9/drivers/ata/pata_hpt37x.c
19005--- linux-2.6.32.9/drivers/ata/pata_hpt37x.c 2010-02-09 07:57:19.000000000 -0500
19006+++ linux-2.6.32.9/drivers/ata/pata_hpt37x.c 2010-02-23 17:09:53.148068131 -0500
19007@@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
19008 * Configuration for HPT370
19009 */
19010
19011-static struct ata_port_operations hpt370_port_ops = {
19012+static const struct ata_port_operations hpt370_port_ops = {
19013 .inherits = &ata_bmdma_port_ops,
19014
19015 .bmdma_stop = hpt370_bmdma_stop,
19016@@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
19017 * Configuration for HPT370A. Close to 370 but less filters
19018 */
19019
19020-static struct ata_port_operations hpt370a_port_ops = {
19021+static const struct ata_port_operations hpt370a_port_ops = {
19022 .inherits = &hpt370_port_ops,
19023 .mode_filter = hpt370a_filter,
19024 };
19025@@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
19026 * and DMA mode setting functionality.
19027 */
19028
19029-static struct ata_port_operations hpt372_port_ops = {
19030+static const struct ata_port_operations hpt372_port_ops = {
19031 .inherits = &ata_bmdma_port_ops,
19032
19033 .bmdma_stop = hpt37x_bmdma_stop,
19034@@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
19035 * but we have a different cable detection procedure for function 1.
19036 */
19037
19038-static struct ata_port_operations hpt374_fn1_port_ops = {
19039+static const struct ata_port_operations hpt374_fn1_port_ops = {
19040 .inherits = &hpt372_port_ops,
19041 .prereset = hpt374_fn1_pre_reset,
19042 };
19043diff -urNp linux-2.6.32.9/drivers/ata/pata_hpt3x2n.c linux-2.6.32.9/drivers/ata/pata_hpt3x2n.c
19044--- linux-2.6.32.9/drivers/ata/pata_hpt3x2n.c 2010-02-09 07:57:19.000000000 -0500
19045+++ linux-2.6.32.9/drivers/ata/pata_hpt3x2n.c 2010-02-23 17:09:53.148068131 -0500
19046@@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
19047 * Configuration for HPT3x2n.
19048 */
19049
19050-static struct ata_port_operations hpt3x2n_port_ops = {
19051+static const struct ata_port_operations hpt3x2n_port_ops = {
19052 .inherits = &ata_bmdma_port_ops,
19053
19054 .bmdma_stop = hpt3x2n_bmdma_stop,
19055diff -urNp linux-2.6.32.9/drivers/ata/pata_hpt3x3.c linux-2.6.32.9/drivers/ata/pata_hpt3x3.c
19056--- linux-2.6.32.9/drivers/ata/pata_hpt3x3.c 2010-02-09 07:57:19.000000000 -0500
19057+++ linux-2.6.32.9/drivers/ata/pata_hpt3x3.c 2010-02-23 17:09:53.148068131 -0500
19058@@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
19059 ATA_BMDMA_SHT(DRV_NAME),
19060 };
19061
19062-static struct ata_port_operations hpt3x3_port_ops = {
19063+static const struct ata_port_operations hpt3x3_port_ops = {
19064 .inherits = &ata_bmdma_port_ops,
19065 .cable_detect = ata_cable_40wire,
19066 .set_piomode = hpt3x3_set_piomode,
19067diff -urNp linux-2.6.32.9/drivers/ata/pata_icside.c linux-2.6.32.9/drivers/ata/pata_icside.c
19068--- linux-2.6.32.9/drivers/ata/pata_icside.c 2010-02-09 07:57:19.000000000 -0500
19069+++ linux-2.6.32.9/drivers/ata/pata_icside.c 2010-02-23 17:09:53.148068131 -0500
19070@@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
19071 }
19072 }
19073
19074-static struct ata_port_operations pata_icside_port_ops = {
19075+static const struct ata_port_operations pata_icside_port_ops = {
19076 .inherits = &ata_sff_port_ops,
19077 /* no need to build any PRD tables for DMA */
19078 .qc_prep = ata_noop_qc_prep,
19079diff -urNp linux-2.6.32.9/drivers/ata/pata_isapnp.c linux-2.6.32.9/drivers/ata/pata_isapnp.c
19080--- linux-2.6.32.9/drivers/ata/pata_isapnp.c 2010-02-09 07:57:19.000000000 -0500
19081+++ linux-2.6.32.9/drivers/ata/pata_isapnp.c 2010-02-23 17:09:53.152210910 -0500
19082@@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
19083 ATA_PIO_SHT(DRV_NAME),
19084 };
19085
19086-static struct ata_port_operations isapnp_port_ops = {
19087+static const struct ata_port_operations isapnp_port_ops = {
19088 .inherits = &ata_sff_port_ops,
19089 .cable_detect = ata_cable_40wire,
19090 };
19091
19092-static struct ata_port_operations isapnp_noalt_port_ops = {
19093+static const struct ata_port_operations isapnp_noalt_port_ops = {
19094 .inherits = &ata_sff_port_ops,
19095 .cable_detect = ata_cable_40wire,
19096 /* No altstatus so we don't want to use the lost interrupt poll */
19097diff -urNp linux-2.6.32.9/drivers/ata/pata_it8213.c linux-2.6.32.9/drivers/ata/pata_it8213.c
19098--- linux-2.6.32.9/drivers/ata/pata_it8213.c 2010-02-09 07:57:19.000000000 -0500
19099+++ linux-2.6.32.9/drivers/ata/pata_it8213.c 2010-02-23 17:09:53.152210910 -0500
19100@@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
19101 };
19102
19103
19104-static struct ata_port_operations it8213_ops = {
19105+static const struct ata_port_operations it8213_ops = {
19106 .inherits = &ata_bmdma_port_ops,
19107 .cable_detect = it8213_cable_detect,
19108 .set_piomode = it8213_set_piomode,
19109diff -urNp linux-2.6.32.9/drivers/ata/pata_it821x.c linux-2.6.32.9/drivers/ata/pata_it821x.c
19110--- linux-2.6.32.9/drivers/ata/pata_it821x.c 2010-02-09 07:57:19.000000000 -0500
19111+++ linux-2.6.32.9/drivers/ata/pata_it821x.c 2010-02-23 17:09:53.152210910 -0500
19112@@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
19113 ATA_BMDMA_SHT(DRV_NAME),
19114 };
19115
19116-static struct ata_port_operations it821x_smart_port_ops = {
19117+static const struct ata_port_operations it821x_smart_port_ops = {
19118 .inherits = &ata_bmdma_port_ops,
19119
19120 .check_atapi_dma= it821x_check_atapi_dma,
19121@@ -814,7 +814,7 @@ static struct ata_port_operations it821x
19122 .port_start = it821x_port_start,
19123 };
19124
19125-static struct ata_port_operations it821x_passthru_port_ops = {
19126+static const struct ata_port_operations it821x_passthru_port_ops = {
19127 .inherits = &ata_bmdma_port_ops,
19128
19129 .check_atapi_dma= it821x_check_atapi_dma,
19130@@ -830,7 +830,7 @@ static struct ata_port_operations it821x
19131 .port_start = it821x_port_start,
19132 };
19133
19134-static struct ata_port_operations it821x_rdc_port_ops = {
19135+static const struct ata_port_operations it821x_rdc_port_ops = {
19136 .inherits = &ata_bmdma_port_ops,
19137
19138 .check_atapi_dma= it821x_check_atapi_dma,
19139diff -urNp linux-2.6.32.9/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.9/drivers/ata/pata_ixp4xx_cf.c
19140--- linux-2.6.32.9/drivers/ata/pata_ixp4xx_cf.c 2010-02-09 07:57:19.000000000 -0500
19141+++ linux-2.6.32.9/drivers/ata/pata_ixp4xx_cf.c 2010-02-23 17:09:53.152210910 -0500
19142@@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
19143 ATA_PIO_SHT(DRV_NAME),
19144 };
19145
19146-static struct ata_port_operations ixp4xx_port_ops = {
19147+static const struct ata_port_operations ixp4xx_port_ops = {
19148 .inherits = &ata_sff_port_ops,
19149 .sff_data_xfer = ixp4xx_mmio_data_xfer,
19150 .cable_detect = ata_cable_40wire,
19151diff -urNp linux-2.6.32.9/drivers/ata/pata_jmicron.c linux-2.6.32.9/drivers/ata/pata_jmicron.c
19152--- linux-2.6.32.9/drivers/ata/pata_jmicron.c 2010-02-09 07:57:19.000000000 -0500
19153+++ linux-2.6.32.9/drivers/ata/pata_jmicron.c 2010-02-23 17:09:53.152210910 -0500
19154@@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
19155 ATA_BMDMA_SHT(DRV_NAME),
19156 };
19157
19158-static struct ata_port_operations jmicron_ops = {
19159+static const struct ata_port_operations jmicron_ops = {
19160 .inherits = &ata_bmdma_port_ops,
19161 .prereset = jmicron_pre_reset,
19162 };
19163diff -urNp linux-2.6.32.9/drivers/ata/pata_legacy.c linux-2.6.32.9/drivers/ata/pata_legacy.c
19164--- linux-2.6.32.9/drivers/ata/pata_legacy.c 2010-02-09 07:57:19.000000000 -0500
19165+++ linux-2.6.32.9/drivers/ata/pata_legacy.c 2010-02-23 17:09:53.152210910 -0500
19166@@ -106,7 +106,7 @@ struct legacy_probe {
19167
19168 struct legacy_controller {
19169 const char *name;
19170- struct ata_port_operations *ops;
19171+ const struct ata_port_operations *ops;
19172 unsigned int pio_mask;
19173 unsigned int flags;
19174 unsigned int pflags;
19175@@ -223,12 +223,12 @@ static const struct ata_port_operations
19176 * pio_mask as well.
19177 */
19178
19179-static struct ata_port_operations simple_port_ops = {
19180+static const struct ata_port_operations simple_port_ops = {
19181 .inherits = &legacy_base_port_ops,
19182 .sff_data_xfer = ata_sff_data_xfer_noirq,
19183 };
19184
19185-static struct ata_port_operations legacy_port_ops = {
19186+static const struct ata_port_operations legacy_port_ops = {
19187 .inherits = &legacy_base_port_ops,
19188 .sff_data_xfer = ata_sff_data_xfer_noirq,
19189 .set_mode = legacy_set_mode,
19190@@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
19191 return buflen;
19192 }
19193
19194-static struct ata_port_operations pdc20230_port_ops = {
19195+static const struct ata_port_operations pdc20230_port_ops = {
19196 .inherits = &legacy_base_port_ops,
19197 .set_piomode = pdc20230_set_piomode,
19198 .sff_data_xfer = pdc_data_xfer_vlb,
19199@@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
19200 ioread8(ap->ioaddr.status_addr);
19201 }
19202
19203-static struct ata_port_operations ht6560a_port_ops = {
19204+static const struct ata_port_operations ht6560a_port_ops = {
19205 .inherits = &legacy_base_port_ops,
19206 .set_piomode = ht6560a_set_piomode,
19207 };
19208@@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
19209 ioread8(ap->ioaddr.status_addr);
19210 }
19211
19212-static struct ata_port_operations ht6560b_port_ops = {
19213+static const struct ata_port_operations ht6560b_port_ops = {
19214 .inherits = &legacy_base_port_ops,
19215 .set_piomode = ht6560b_set_piomode,
19216 };
19217@@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
19218 }
19219
19220
19221-static struct ata_port_operations opti82c611a_port_ops = {
19222+static const struct ata_port_operations opti82c611a_port_ops = {
19223 .inherits = &legacy_base_port_ops,
19224 .set_piomode = opti82c611a_set_piomode,
19225 };
19226@@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
19227 return ata_sff_qc_issue(qc);
19228 }
19229
19230-static struct ata_port_operations opti82c46x_port_ops = {
19231+static const struct ata_port_operations opti82c46x_port_ops = {
19232 .inherits = &legacy_base_port_ops,
19233 .set_piomode = opti82c46x_set_piomode,
19234 .qc_issue = opti82c46x_qc_issue,
19235@@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
19236 return 0;
19237 }
19238
19239-static struct ata_port_operations qdi6500_port_ops = {
19240+static const struct ata_port_operations qdi6500_port_ops = {
19241 .inherits = &legacy_base_port_ops,
19242 .set_piomode = qdi6500_set_piomode,
19243 .qc_issue = qdi_qc_issue,
19244 .sff_data_xfer = vlb32_data_xfer,
19245 };
19246
19247-static struct ata_port_operations qdi6580_port_ops = {
19248+static const struct ata_port_operations qdi6580_port_ops = {
19249 .inherits = &legacy_base_port_ops,
19250 .set_piomode = qdi6580_set_piomode,
19251 .sff_data_xfer = vlb32_data_xfer,
19252 };
19253
19254-static struct ata_port_operations qdi6580dp_port_ops = {
19255+static const struct ata_port_operations qdi6580dp_port_ops = {
19256 .inherits = &legacy_base_port_ops,
19257 .set_piomode = qdi6580dp_set_piomode,
19258 .sff_data_xfer = vlb32_data_xfer,
19259@@ -855,7 +855,7 @@ static int winbond_port(struct platform_
19260 return 0;
19261 }
19262
19263-static struct ata_port_operations winbond_port_ops = {
19264+static const struct ata_port_operations winbond_port_ops = {
19265 .inherits = &legacy_base_port_ops,
19266 .set_piomode = winbond_set_piomode,
19267 .sff_data_xfer = vlb32_data_xfer,
19268@@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
19269 int pio_modes = controller->pio_mask;
19270 unsigned long io = probe->port;
19271 u32 mask = (1 << probe->slot);
19272- struct ata_port_operations *ops = controller->ops;
19273+ const struct ata_port_operations *ops = controller->ops;
19274 struct legacy_data *ld = &legacy_data[probe->slot];
19275 struct ata_host *host = NULL;
19276 struct ata_port *ap;
19277diff -urNp linux-2.6.32.9/drivers/ata/pata_marvell.c linux-2.6.32.9/drivers/ata/pata_marvell.c
19278--- linux-2.6.32.9/drivers/ata/pata_marvell.c 2010-02-09 07:57:19.000000000 -0500
19279+++ linux-2.6.32.9/drivers/ata/pata_marvell.c 2010-02-23 17:09:53.152210910 -0500
19280@@ -100,7 +100,7 @@ static struct scsi_host_template marvell
19281 ATA_BMDMA_SHT(DRV_NAME),
19282 };
19283
19284-static struct ata_port_operations marvell_ops = {
19285+static const struct ata_port_operations marvell_ops = {
19286 .inherits = &ata_bmdma_port_ops,
19287 .cable_detect = marvell_cable_detect,
19288 .prereset = marvell_pre_reset,
19289diff -urNp linux-2.6.32.9/drivers/ata/pata_mpc52xx.c linux-2.6.32.9/drivers/ata/pata_mpc52xx.c
19290--- linux-2.6.32.9/drivers/ata/pata_mpc52xx.c 2010-02-09 07:57:19.000000000 -0500
19291+++ linux-2.6.32.9/drivers/ata/pata_mpc52xx.c 2010-02-23 17:09:53.152210910 -0500
19292@@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
19293 ATA_PIO_SHT(DRV_NAME),
19294 };
19295
19296-static struct ata_port_operations mpc52xx_ata_port_ops = {
19297+static const struct ata_port_operations mpc52xx_ata_port_ops = {
19298 .inherits = &ata_sff_port_ops,
19299 .sff_dev_select = mpc52xx_ata_dev_select,
19300 .set_piomode = mpc52xx_ata_set_piomode,
19301diff -urNp linux-2.6.32.9/drivers/ata/pata_mpiix.c linux-2.6.32.9/drivers/ata/pata_mpiix.c
19302--- linux-2.6.32.9/drivers/ata/pata_mpiix.c 2010-02-09 07:57:19.000000000 -0500
19303+++ linux-2.6.32.9/drivers/ata/pata_mpiix.c 2010-02-23 17:09:53.152210910 -0500
19304@@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
19305 ATA_PIO_SHT(DRV_NAME),
19306 };
19307
19308-static struct ata_port_operations mpiix_port_ops = {
19309+static const struct ata_port_operations mpiix_port_ops = {
19310 .inherits = &ata_sff_port_ops,
19311 .qc_issue = mpiix_qc_issue,
19312 .cable_detect = ata_cable_40wire,
19313diff -urNp linux-2.6.32.9/drivers/ata/pata_netcell.c linux-2.6.32.9/drivers/ata/pata_netcell.c
19314--- linux-2.6.32.9/drivers/ata/pata_netcell.c 2010-02-09 07:57:19.000000000 -0500
19315+++ linux-2.6.32.9/drivers/ata/pata_netcell.c 2010-02-23 17:09:53.152210910 -0500
19316@@ -34,7 +34,7 @@ static struct scsi_host_template netcell
19317 ATA_BMDMA_SHT(DRV_NAME),
19318 };
19319
19320-static struct ata_port_operations netcell_ops = {
19321+static const struct ata_port_operations netcell_ops = {
19322 .inherits = &ata_bmdma_port_ops,
19323 .cable_detect = ata_cable_80wire,
19324 .read_id = netcell_read_id,
19325diff -urNp linux-2.6.32.9/drivers/ata/pata_ninja32.c linux-2.6.32.9/drivers/ata/pata_ninja32.c
19326--- linux-2.6.32.9/drivers/ata/pata_ninja32.c 2010-02-09 07:57:19.000000000 -0500
19327+++ linux-2.6.32.9/drivers/ata/pata_ninja32.c 2010-02-23 17:09:53.152210910 -0500
19328@@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
19329 ATA_BMDMA_SHT(DRV_NAME),
19330 };
19331
19332-static struct ata_port_operations ninja32_port_ops = {
19333+static const struct ata_port_operations ninja32_port_ops = {
19334 .inherits = &ata_bmdma_port_ops,
19335 .sff_dev_select = ninja32_dev_select,
19336 .cable_detect = ata_cable_40wire,
19337diff -urNp linux-2.6.32.9/drivers/ata/pata_ns87410.c linux-2.6.32.9/drivers/ata/pata_ns87410.c
19338--- linux-2.6.32.9/drivers/ata/pata_ns87410.c 2010-02-09 07:57:19.000000000 -0500
19339+++ linux-2.6.32.9/drivers/ata/pata_ns87410.c 2010-02-23 17:09:53.152210910 -0500
19340@@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
19341 ATA_PIO_SHT(DRV_NAME),
19342 };
19343
19344-static struct ata_port_operations ns87410_port_ops = {
19345+static const struct ata_port_operations ns87410_port_ops = {
19346 .inherits = &ata_sff_port_ops,
19347 .qc_issue = ns87410_qc_issue,
19348 .cable_detect = ata_cable_40wire,
19349diff -urNp linux-2.6.32.9/drivers/ata/pata_ns87415.c linux-2.6.32.9/drivers/ata/pata_ns87415.c
19350--- linux-2.6.32.9/drivers/ata/pata_ns87415.c 2010-02-09 07:57:19.000000000 -0500
19351+++ linux-2.6.32.9/drivers/ata/pata_ns87415.c 2010-02-23 17:09:53.152210910 -0500
19352@@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
19353 }
19354 #endif /* 87560 SuperIO Support */
19355
19356-static struct ata_port_operations ns87415_pata_ops = {
19357+static const struct ata_port_operations ns87415_pata_ops = {
19358 .inherits = &ata_bmdma_port_ops,
19359
19360 .check_atapi_dma = ns87415_check_atapi_dma,
19361@@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
19362 };
19363
19364 #if defined(CONFIG_SUPERIO)
19365-static struct ata_port_operations ns87560_pata_ops = {
19366+static const struct ata_port_operations ns87560_pata_ops = {
19367 .inherits = &ns87415_pata_ops,
19368 .sff_tf_read = ns87560_tf_read,
19369 .sff_check_status = ns87560_check_status,
19370diff -urNp linux-2.6.32.9/drivers/ata/pata_octeon_cf.c linux-2.6.32.9/drivers/ata/pata_octeon_cf.c
19371--- linux-2.6.32.9/drivers/ata/pata_octeon_cf.c 2010-02-09 07:57:19.000000000 -0500
19372+++ linux-2.6.32.9/drivers/ata/pata_octeon_cf.c 2010-02-23 17:09:53.152210910 -0500
19373@@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
19374 return 0;
19375 }
19376
19377+/* cannot be const */
19378 static struct ata_port_operations octeon_cf_ops = {
19379 .inherits = &ata_sff_port_ops,
19380 .check_atapi_dma = octeon_cf_check_atapi_dma,
19381diff -urNp linux-2.6.32.9/drivers/ata/pata_oldpiix.c linux-2.6.32.9/drivers/ata/pata_oldpiix.c
19382--- linux-2.6.32.9/drivers/ata/pata_oldpiix.c 2010-02-09 07:57:19.000000000 -0500
19383+++ linux-2.6.32.9/drivers/ata/pata_oldpiix.c 2010-02-23 17:09:53.152210910 -0500
19384@@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
19385 ATA_BMDMA_SHT(DRV_NAME),
19386 };
19387
19388-static struct ata_port_operations oldpiix_pata_ops = {
19389+static const struct ata_port_operations oldpiix_pata_ops = {
19390 .inherits = &ata_bmdma_port_ops,
19391 .qc_issue = oldpiix_qc_issue,
19392 .cable_detect = ata_cable_40wire,
19393diff -urNp linux-2.6.32.9/drivers/ata/pata_opti.c linux-2.6.32.9/drivers/ata/pata_opti.c
19394--- linux-2.6.32.9/drivers/ata/pata_opti.c 2010-02-09 07:57:19.000000000 -0500
19395+++ linux-2.6.32.9/drivers/ata/pata_opti.c 2010-02-23 17:09:53.152210910 -0500
19396@@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
19397 ATA_PIO_SHT(DRV_NAME),
19398 };
19399
19400-static struct ata_port_operations opti_port_ops = {
19401+static const struct ata_port_operations opti_port_ops = {
19402 .inherits = &ata_sff_port_ops,
19403 .cable_detect = ata_cable_40wire,
19404 .set_piomode = opti_set_piomode,
19405diff -urNp linux-2.6.32.9/drivers/ata/pata_optidma.c linux-2.6.32.9/drivers/ata/pata_optidma.c
19406--- linux-2.6.32.9/drivers/ata/pata_optidma.c 2010-02-09 07:57:19.000000000 -0500
19407+++ linux-2.6.32.9/drivers/ata/pata_optidma.c 2010-02-23 17:09:53.152210910 -0500
19408@@ -337,7 +337,7 @@ static struct scsi_host_template optidma
19409 ATA_BMDMA_SHT(DRV_NAME),
19410 };
19411
19412-static struct ata_port_operations optidma_port_ops = {
19413+static const struct ata_port_operations optidma_port_ops = {
19414 .inherits = &ata_bmdma_port_ops,
19415 .cable_detect = ata_cable_40wire,
19416 .set_piomode = optidma_set_pio_mode,
19417@@ -346,7 +346,7 @@ static struct ata_port_operations optidm
19418 .prereset = optidma_pre_reset,
19419 };
19420
19421-static struct ata_port_operations optiplus_port_ops = {
19422+static const struct ata_port_operations optiplus_port_ops = {
19423 .inherits = &optidma_port_ops,
19424 .set_piomode = optiplus_set_pio_mode,
19425 .set_dmamode = optiplus_set_dma_mode,
19426diff -urNp linux-2.6.32.9/drivers/ata/pata_palmld.c linux-2.6.32.9/drivers/ata/pata_palmld.c
19427--- linux-2.6.32.9/drivers/ata/pata_palmld.c 2010-02-09 07:57:19.000000000 -0500
19428+++ linux-2.6.32.9/drivers/ata/pata_palmld.c 2010-02-23 17:09:53.152210910 -0500
19429@@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
19430 ATA_PIO_SHT(DRV_NAME),
19431 };
19432
19433-static struct ata_port_operations palmld_port_ops = {
19434+static const struct ata_port_operations palmld_port_ops = {
19435 .inherits = &ata_sff_port_ops,
19436 .sff_data_xfer = ata_sff_data_xfer_noirq,
19437 .cable_detect = ata_cable_40wire,
19438diff -urNp linux-2.6.32.9/drivers/ata/pata_pcmcia.c linux-2.6.32.9/drivers/ata/pata_pcmcia.c
19439--- linux-2.6.32.9/drivers/ata/pata_pcmcia.c 2010-02-09 07:57:19.000000000 -0500
19440+++ linux-2.6.32.9/drivers/ata/pata_pcmcia.c 2010-02-23 17:09:53.152210910 -0500
19441@@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
19442 ATA_PIO_SHT(DRV_NAME),
19443 };
19444
19445-static struct ata_port_operations pcmcia_port_ops = {
19446+static const struct ata_port_operations pcmcia_port_ops = {
19447 .inherits = &ata_sff_port_ops,
19448 .sff_data_xfer = ata_sff_data_xfer_noirq,
19449 .cable_detect = ata_cable_40wire,
19450 .set_mode = pcmcia_set_mode,
19451 };
19452
19453-static struct ata_port_operations pcmcia_8bit_port_ops = {
19454+static const struct ata_port_operations pcmcia_8bit_port_ops = {
19455 .inherits = &ata_sff_port_ops,
19456 .sff_data_xfer = ata_data_xfer_8bit,
19457 .cable_detect = ata_cable_40wire,
19458@@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
19459 unsigned long io_base, ctl_base;
19460 void __iomem *io_addr, *ctl_addr;
19461 int n_ports = 1;
19462- struct ata_port_operations *ops = &pcmcia_port_ops;
19463+ const struct ata_port_operations *ops = &pcmcia_port_ops;
19464
19465 info = kzalloc(sizeof(*info), GFP_KERNEL);
19466 if (info == NULL)
19467diff -urNp linux-2.6.32.9/drivers/ata/pata_pdc2027x.c linux-2.6.32.9/drivers/ata/pata_pdc2027x.c
19468--- linux-2.6.32.9/drivers/ata/pata_pdc2027x.c 2010-02-09 07:57:19.000000000 -0500
19469+++ linux-2.6.32.9/drivers/ata/pata_pdc2027x.c 2010-02-23 17:09:53.152210910 -0500
19470@@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
19471 ATA_BMDMA_SHT(DRV_NAME),
19472 };
19473
19474-static struct ata_port_operations pdc2027x_pata100_ops = {
19475+static const struct ata_port_operations pdc2027x_pata100_ops = {
19476 .inherits = &ata_bmdma_port_ops,
19477 .check_atapi_dma = pdc2027x_check_atapi_dma,
19478 .cable_detect = pdc2027x_cable_detect,
19479 .prereset = pdc2027x_prereset,
19480 };
19481
19482-static struct ata_port_operations pdc2027x_pata133_ops = {
19483+static const struct ata_port_operations pdc2027x_pata133_ops = {
19484 .inherits = &pdc2027x_pata100_ops,
19485 .mode_filter = pdc2027x_mode_filter,
19486 .set_piomode = pdc2027x_set_piomode,
19487diff -urNp linux-2.6.32.9/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.9/drivers/ata/pata_pdc202xx_old.c
19488--- linux-2.6.32.9/drivers/ata/pata_pdc202xx_old.c 2010-02-09 07:57:19.000000000 -0500
19489+++ linux-2.6.32.9/drivers/ata/pata_pdc202xx_old.c 2010-02-23 17:09:53.152210910 -0500
19490@@ -265,7 +265,7 @@ static struct scsi_host_template pdc202x
19491 ATA_BMDMA_SHT(DRV_NAME),
19492 };
19493
19494-static struct ata_port_operations pdc2024x_port_ops = {
19495+static const struct ata_port_operations pdc2024x_port_ops = {
19496 .inherits = &ata_bmdma_port_ops,
19497
19498 .cable_detect = ata_cable_40wire,
19499@@ -273,7 +273,7 @@ static struct ata_port_operations pdc202
19500 .set_dmamode = pdc202xx_set_dmamode,
19501 };
19502
19503-static struct ata_port_operations pdc2026x_port_ops = {
19504+static const struct ata_port_operations pdc2026x_port_ops = {
19505 .inherits = &pdc2024x_port_ops,
19506
19507 .check_atapi_dma = pdc2026x_check_atapi_dma,
19508diff -urNp linux-2.6.32.9/drivers/ata/pata_platform.c linux-2.6.32.9/drivers/ata/pata_platform.c
19509--- linux-2.6.32.9/drivers/ata/pata_platform.c 2010-02-09 07:57:19.000000000 -0500
19510+++ linux-2.6.32.9/drivers/ata/pata_platform.c 2010-02-23 17:09:53.152210910 -0500
19511@@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
19512 ATA_PIO_SHT(DRV_NAME),
19513 };
19514
19515-static struct ata_port_operations pata_platform_port_ops = {
19516+static const struct ata_port_operations pata_platform_port_ops = {
19517 .inherits = &ata_sff_port_ops,
19518 .sff_data_xfer = ata_sff_data_xfer_noirq,
19519 .cable_detect = ata_cable_unknown,
19520diff -urNp linux-2.6.32.9/drivers/ata/pata_qdi.c linux-2.6.32.9/drivers/ata/pata_qdi.c
19521--- linux-2.6.32.9/drivers/ata/pata_qdi.c 2010-02-09 07:57:19.000000000 -0500
19522+++ linux-2.6.32.9/drivers/ata/pata_qdi.c 2010-02-23 17:09:53.152210910 -0500
19523@@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
19524 ATA_PIO_SHT(DRV_NAME),
19525 };
19526
19527-static struct ata_port_operations qdi6500_port_ops = {
19528+static const struct ata_port_operations qdi6500_port_ops = {
19529 .inherits = &ata_sff_port_ops,
19530 .qc_issue = qdi_qc_issue,
19531 .sff_data_xfer = qdi_data_xfer,
19532@@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
19533 .set_piomode = qdi6500_set_piomode,
19534 };
19535
19536-static struct ata_port_operations qdi6580_port_ops = {
19537+static const struct ata_port_operations qdi6580_port_ops = {
19538 .inherits = &qdi6500_port_ops,
19539 .set_piomode = qdi6580_set_piomode,
19540 };
19541diff -urNp linux-2.6.32.9/drivers/ata/pata_radisys.c linux-2.6.32.9/drivers/ata/pata_radisys.c
19542--- linux-2.6.32.9/drivers/ata/pata_radisys.c 2010-02-09 07:57:19.000000000 -0500
19543+++ linux-2.6.32.9/drivers/ata/pata_radisys.c 2010-02-23 17:09:53.152210910 -0500
19544@@ -187,7 +187,7 @@ static struct scsi_host_template radisys
19545 ATA_BMDMA_SHT(DRV_NAME),
19546 };
19547
19548-static struct ata_port_operations radisys_pata_ops = {
19549+static const struct ata_port_operations radisys_pata_ops = {
19550 .inherits = &ata_bmdma_port_ops,
19551 .qc_issue = radisys_qc_issue,
19552 .cable_detect = ata_cable_unknown,
19553diff -urNp linux-2.6.32.9/drivers/ata/pata_rb532_cf.c linux-2.6.32.9/drivers/ata/pata_rb532_cf.c
19554--- linux-2.6.32.9/drivers/ata/pata_rb532_cf.c 2010-02-09 07:57:19.000000000 -0500
19555+++ linux-2.6.32.9/drivers/ata/pata_rb532_cf.c 2010-02-23 17:09:53.152210910 -0500
19556@@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
19557 return IRQ_HANDLED;
19558 }
19559
19560-static struct ata_port_operations rb532_pata_port_ops = {
19561+static const struct ata_port_operations rb532_pata_port_ops = {
19562 .inherits = &ata_sff_port_ops,
19563 .sff_data_xfer = ata_sff_data_xfer32,
19564 };
19565diff -urNp linux-2.6.32.9/drivers/ata/pata_rdc.c linux-2.6.32.9/drivers/ata/pata_rdc.c
19566--- linux-2.6.32.9/drivers/ata/pata_rdc.c 2010-02-09 07:57:19.000000000 -0500
19567+++ linux-2.6.32.9/drivers/ata/pata_rdc.c 2010-02-23 17:09:53.156212249 -0500
19568@@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
19569 pci_write_config_byte(dev, 0x48, udma_enable);
19570 }
19571
19572-static struct ata_port_operations rdc_pata_ops = {
19573+static const struct ata_port_operations rdc_pata_ops = {
19574 .inherits = &ata_bmdma32_port_ops,
19575 .cable_detect = rdc_pata_cable_detect,
19576 .set_piomode = rdc_set_piomode,
19577diff -urNp linux-2.6.32.9/drivers/ata/pata_rz1000.c linux-2.6.32.9/drivers/ata/pata_rz1000.c
19578--- linux-2.6.32.9/drivers/ata/pata_rz1000.c 2010-02-09 07:57:19.000000000 -0500
19579+++ linux-2.6.32.9/drivers/ata/pata_rz1000.c 2010-02-23 17:09:53.156212249 -0500
19580@@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
19581 ATA_PIO_SHT(DRV_NAME),
19582 };
19583
19584-static struct ata_port_operations rz1000_port_ops = {
19585+static const struct ata_port_operations rz1000_port_ops = {
19586 .inherits = &ata_sff_port_ops,
19587 .cable_detect = ata_cable_40wire,
19588 .set_mode = rz1000_set_mode,
19589diff -urNp linux-2.6.32.9/drivers/ata/pata_sc1200.c linux-2.6.32.9/drivers/ata/pata_sc1200.c
19590--- linux-2.6.32.9/drivers/ata/pata_sc1200.c 2010-02-09 07:57:19.000000000 -0500
19591+++ linux-2.6.32.9/drivers/ata/pata_sc1200.c 2010-02-23 17:09:53.156212249 -0500
19592@@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
19593 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19594 };
19595
19596-static struct ata_port_operations sc1200_port_ops = {
19597+static const struct ata_port_operations sc1200_port_ops = {
19598 .inherits = &ata_bmdma_port_ops,
19599 .qc_prep = ata_sff_dumb_qc_prep,
19600 .qc_issue = sc1200_qc_issue,
19601diff -urNp linux-2.6.32.9/drivers/ata/pata_scc.c linux-2.6.32.9/drivers/ata/pata_scc.c
19602--- linux-2.6.32.9/drivers/ata/pata_scc.c 2010-02-09 07:57:19.000000000 -0500
19603+++ linux-2.6.32.9/drivers/ata/pata_scc.c 2010-02-23 17:09:53.156212249 -0500
19604@@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
19605 ATA_BMDMA_SHT(DRV_NAME),
19606 };
19607
19608-static struct ata_port_operations scc_pata_ops = {
19609+static const struct ata_port_operations scc_pata_ops = {
19610 .inherits = &ata_bmdma_port_ops,
19611
19612 .set_piomode = scc_set_piomode,
19613diff -urNp linux-2.6.32.9/drivers/ata/pata_sch.c linux-2.6.32.9/drivers/ata/pata_sch.c
19614--- linux-2.6.32.9/drivers/ata/pata_sch.c 2010-02-09 07:57:19.000000000 -0500
19615+++ linux-2.6.32.9/drivers/ata/pata_sch.c 2010-02-23 17:09:53.156212249 -0500
19616@@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
19617 ATA_BMDMA_SHT(DRV_NAME),
19618 };
19619
19620-static struct ata_port_operations sch_pata_ops = {
19621+static const struct ata_port_operations sch_pata_ops = {
19622 .inherits = &ata_bmdma_port_ops,
19623 .cable_detect = ata_cable_unknown,
19624 .set_piomode = sch_set_piomode,
19625diff -urNp linux-2.6.32.9/drivers/ata/pata_serverworks.c linux-2.6.32.9/drivers/ata/pata_serverworks.c
19626--- linux-2.6.32.9/drivers/ata/pata_serverworks.c 2010-02-09 07:57:19.000000000 -0500
19627+++ linux-2.6.32.9/drivers/ata/pata_serverworks.c 2010-02-23 17:09:53.156212249 -0500
19628@@ -299,7 +299,7 @@ static struct scsi_host_template serverw
19629 ATA_BMDMA_SHT(DRV_NAME),
19630 };
19631
19632-static struct ata_port_operations serverworks_osb4_port_ops = {
19633+static const struct ata_port_operations serverworks_osb4_port_ops = {
19634 .inherits = &ata_bmdma_port_ops,
19635 .cable_detect = serverworks_cable_detect,
19636 .mode_filter = serverworks_osb4_filter,
19637@@ -307,7 +307,7 @@ static struct ata_port_operations server
19638 .set_dmamode = serverworks_set_dmamode,
19639 };
19640
19641-static struct ata_port_operations serverworks_csb_port_ops = {
19642+static const struct ata_port_operations serverworks_csb_port_ops = {
19643 .inherits = &serverworks_osb4_port_ops,
19644 .mode_filter = serverworks_csb_filter,
19645 };
19646diff -urNp linux-2.6.32.9/drivers/ata/pata_sil680.c linux-2.6.32.9/drivers/ata/pata_sil680.c
19647--- linux-2.6.32.9/drivers/ata/pata_sil680.c 2010-02-09 07:57:19.000000000 -0500
19648+++ linux-2.6.32.9/drivers/ata/pata_sil680.c 2010-02-23 17:09:53.156212249 -0500
19649@@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
19650 ATA_BMDMA_SHT(DRV_NAME),
19651 };
19652
19653-static struct ata_port_operations sil680_port_ops = {
19654+static const struct ata_port_operations sil680_port_ops = {
19655 .inherits = &ata_bmdma32_port_ops,
19656 .cable_detect = sil680_cable_detect,
19657 .set_piomode = sil680_set_piomode,
19658diff -urNp linux-2.6.32.9/drivers/ata/pata_sis.c linux-2.6.32.9/drivers/ata/pata_sis.c
19659--- linux-2.6.32.9/drivers/ata/pata_sis.c 2010-02-09 07:57:19.000000000 -0500
19660+++ linux-2.6.32.9/drivers/ata/pata_sis.c 2010-02-23 17:09:53.156212249 -0500
19661@@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
19662 ATA_BMDMA_SHT(DRV_NAME),
19663 };
19664
19665-static struct ata_port_operations sis_133_for_sata_ops = {
19666+static const struct ata_port_operations sis_133_for_sata_ops = {
19667 .inherits = &ata_bmdma_port_ops,
19668 .set_piomode = sis_133_set_piomode,
19669 .set_dmamode = sis_133_set_dmamode,
19670 .cable_detect = sis_133_cable_detect,
19671 };
19672
19673-static struct ata_port_operations sis_base_ops = {
19674+static const struct ata_port_operations sis_base_ops = {
19675 .inherits = &ata_bmdma_port_ops,
19676 .prereset = sis_pre_reset,
19677 };
19678
19679-static struct ata_port_operations sis_133_ops = {
19680+static const struct ata_port_operations sis_133_ops = {
19681 .inherits = &sis_base_ops,
19682 .set_piomode = sis_133_set_piomode,
19683 .set_dmamode = sis_133_set_dmamode,
19684 .cable_detect = sis_133_cable_detect,
19685 };
19686
19687-static struct ata_port_operations sis_133_early_ops = {
19688+static const struct ata_port_operations sis_133_early_ops = {
19689 .inherits = &sis_base_ops,
19690 .set_piomode = sis_100_set_piomode,
19691 .set_dmamode = sis_133_early_set_dmamode,
19692 .cable_detect = sis_66_cable_detect,
19693 };
19694
19695-static struct ata_port_operations sis_100_ops = {
19696+static const struct ata_port_operations sis_100_ops = {
19697 .inherits = &sis_base_ops,
19698 .set_piomode = sis_100_set_piomode,
19699 .set_dmamode = sis_100_set_dmamode,
19700 .cable_detect = sis_66_cable_detect,
19701 };
19702
19703-static struct ata_port_operations sis_66_ops = {
19704+static const struct ata_port_operations sis_66_ops = {
19705 .inherits = &sis_base_ops,
19706 .set_piomode = sis_old_set_piomode,
19707 .set_dmamode = sis_66_set_dmamode,
19708 .cable_detect = sis_66_cable_detect,
19709 };
19710
19711-static struct ata_port_operations sis_old_ops = {
19712+static const struct ata_port_operations sis_old_ops = {
19713 .inherits = &sis_base_ops,
19714 .set_piomode = sis_old_set_piomode,
19715 .set_dmamode = sis_old_set_dmamode,
19716diff -urNp linux-2.6.32.9/drivers/ata/pata_sl82c105.c linux-2.6.32.9/drivers/ata/pata_sl82c105.c
19717--- linux-2.6.32.9/drivers/ata/pata_sl82c105.c 2010-02-09 07:57:19.000000000 -0500
19718+++ linux-2.6.32.9/drivers/ata/pata_sl82c105.c 2010-02-23 17:09:53.156212249 -0500
19719@@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
19720 ATA_BMDMA_SHT(DRV_NAME),
19721 };
19722
19723-static struct ata_port_operations sl82c105_port_ops = {
19724+static const struct ata_port_operations sl82c105_port_ops = {
19725 .inherits = &ata_bmdma_port_ops,
19726 .qc_defer = sl82c105_qc_defer,
19727 .bmdma_start = sl82c105_bmdma_start,
19728diff -urNp linux-2.6.32.9/drivers/ata/pata_triflex.c linux-2.6.32.9/drivers/ata/pata_triflex.c
19729--- linux-2.6.32.9/drivers/ata/pata_triflex.c 2010-02-09 07:57:19.000000000 -0500
19730+++ linux-2.6.32.9/drivers/ata/pata_triflex.c 2010-02-23 17:09:53.156212249 -0500
19731@@ -178,7 +178,7 @@ static struct scsi_host_template triflex
19732 ATA_BMDMA_SHT(DRV_NAME),
19733 };
19734
19735-static struct ata_port_operations triflex_port_ops = {
19736+static const struct ata_port_operations triflex_port_ops = {
19737 .inherits = &ata_bmdma_port_ops,
19738 .bmdma_start = triflex_bmdma_start,
19739 .bmdma_stop = triflex_bmdma_stop,
19740diff -urNp linux-2.6.32.9/drivers/ata/pata_via.c linux-2.6.32.9/drivers/ata/pata_via.c
19741--- linux-2.6.32.9/drivers/ata/pata_via.c 2010-02-09 07:57:19.000000000 -0500
19742+++ linux-2.6.32.9/drivers/ata/pata_via.c 2010-02-23 17:09:53.156212249 -0500
19743@@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
19744 ATA_BMDMA_SHT(DRV_NAME),
19745 };
19746
19747-static struct ata_port_operations via_port_ops = {
19748+static const struct ata_port_operations via_port_ops = {
19749 .inherits = &ata_bmdma_port_ops,
19750 .cable_detect = via_cable_detect,
19751 .set_piomode = via_set_piomode,
19752@@ -429,7 +429,7 @@ static struct ata_port_operations via_po
19753 .port_start = via_port_start,
19754 };
19755
19756-static struct ata_port_operations via_port_ops_noirq = {
19757+static const struct ata_port_operations via_port_ops_noirq = {
19758 .inherits = &via_port_ops,
19759 .sff_data_xfer = ata_sff_data_xfer_noirq,
19760 };
19761diff -urNp linux-2.6.32.9/drivers/ata/pata_winbond.c linux-2.6.32.9/drivers/ata/pata_winbond.c
19762--- linux-2.6.32.9/drivers/ata/pata_winbond.c 2010-02-09 07:57:19.000000000 -0500
19763+++ linux-2.6.32.9/drivers/ata/pata_winbond.c 2010-02-23 17:09:53.156212249 -0500
19764@@ -125,7 +125,7 @@ static struct scsi_host_template winbond
19765 ATA_PIO_SHT(DRV_NAME),
19766 };
19767
19768-static struct ata_port_operations winbond_port_ops = {
19769+static const struct ata_port_operations winbond_port_ops = {
19770 .inherits = &ata_sff_port_ops,
19771 .sff_data_xfer = winbond_data_xfer,
19772 .cable_detect = ata_cable_40wire,
19773diff -urNp linux-2.6.32.9/drivers/ata/pdc_adma.c linux-2.6.32.9/drivers/ata/pdc_adma.c
19774--- linux-2.6.32.9/drivers/ata/pdc_adma.c 2010-02-09 07:57:19.000000000 -0500
19775+++ linux-2.6.32.9/drivers/ata/pdc_adma.c 2010-02-23 17:09:53.156212249 -0500
19776@@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
19777 .dma_boundary = ADMA_DMA_BOUNDARY,
19778 };
19779
19780-static struct ata_port_operations adma_ata_ops = {
19781+static const struct ata_port_operations adma_ata_ops = {
19782 .inherits = &ata_sff_port_ops,
19783
19784 .lost_interrupt = ATA_OP_NULL,
19785diff -urNp linux-2.6.32.9/drivers/ata/sata_fsl.c linux-2.6.32.9/drivers/ata/sata_fsl.c
19786--- linux-2.6.32.9/drivers/ata/sata_fsl.c 2010-02-09 07:57:19.000000000 -0500
19787+++ linux-2.6.32.9/drivers/ata/sata_fsl.c 2010-02-23 17:09:53.156212249 -0500
19788@@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
19789 .dma_boundary = ATA_DMA_BOUNDARY,
19790 };
19791
19792-static struct ata_port_operations sata_fsl_ops = {
19793+static const struct ata_port_operations sata_fsl_ops = {
19794 .inherits = &sata_pmp_port_ops,
19795
19796 .qc_defer = ata_std_qc_defer,
19797diff -urNp linux-2.6.32.9/drivers/ata/sata_inic162x.c linux-2.6.32.9/drivers/ata/sata_inic162x.c
19798--- linux-2.6.32.9/drivers/ata/sata_inic162x.c 2010-02-09 07:57:19.000000000 -0500
19799+++ linux-2.6.32.9/drivers/ata/sata_inic162x.c 2010-02-23 17:09:53.156212249 -0500
19800@@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
19801 return 0;
19802 }
19803
19804-static struct ata_port_operations inic_port_ops = {
19805+static const struct ata_port_operations inic_port_ops = {
19806 .inherits = &sata_port_ops,
19807
19808 .check_atapi_dma = inic_check_atapi_dma,
19809diff -urNp linux-2.6.32.9/drivers/ata/sata_mv.c linux-2.6.32.9/drivers/ata/sata_mv.c
19810--- linux-2.6.32.9/drivers/ata/sata_mv.c 2010-02-09 07:57:19.000000000 -0500
19811+++ linux-2.6.32.9/drivers/ata/sata_mv.c 2010-02-23 17:09:53.156212249 -0500
19812@@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
19813 .dma_boundary = MV_DMA_BOUNDARY,
19814 };
19815
19816-static struct ata_port_operations mv5_ops = {
19817+static const struct ata_port_operations mv5_ops = {
19818 .inherits = &ata_sff_port_ops,
19819
19820 .lost_interrupt = ATA_OP_NULL,
19821@@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
19822 .port_stop = mv_port_stop,
19823 };
19824
19825-static struct ata_port_operations mv6_ops = {
19826+static const struct ata_port_operations mv6_ops = {
19827 .inherits = &mv5_ops,
19828 .dev_config = mv6_dev_config,
19829 .scr_read = mv_scr_read,
19830@@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
19831 .bmdma_status = mv_bmdma_status,
19832 };
19833
19834-static struct ata_port_operations mv_iie_ops = {
19835+static const struct ata_port_operations mv_iie_ops = {
19836 .inherits = &mv6_ops,
19837 .dev_config = ATA_OP_NULL,
19838 .qc_prep = mv_qc_prep_iie,
19839diff -urNp linux-2.6.32.9/drivers/ata/sata_nv.c linux-2.6.32.9/drivers/ata/sata_nv.c
19840--- linux-2.6.32.9/drivers/ata/sata_nv.c 2010-02-09 07:57:19.000000000 -0500
19841+++ linux-2.6.32.9/drivers/ata/sata_nv.c 2010-02-23 17:09:53.156212249 -0500
19842@@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
19843 * cases. Define nv_hardreset() which only kicks in for post-boot
19844 * probing and use it for all variants.
19845 */
19846-static struct ata_port_operations nv_generic_ops = {
19847+static const struct ata_port_operations nv_generic_ops = {
19848 .inherits = &ata_bmdma_port_ops,
19849 .lost_interrupt = ATA_OP_NULL,
19850 .scr_read = nv_scr_read,
19851@@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
19852 .hardreset = nv_hardreset,
19853 };
19854
19855-static struct ata_port_operations nv_nf2_ops = {
19856+static const struct ata_port_operations nv_nf2_ops = {
19857 .inherits = &nv_generic_ops,
19858 .freeze = nv_nf2_freeze,
19859 .thaw = nv_nf2_thaw,
19860 };
19861
19862-static struct ata_port_operations nv_ck804_ops = {
19863+static const struct ata_port_operations nv_ck804_ops = {
19864 .inherits = &nv_generic_ops,
19865 .freeze = nv_ck804_freeze,
19866 .thaw = nv_ck804_thaw,
19867 .host_stop = nv_ck804_host_stop,
19868 };
19869
19870-static struct ata_port_operations nv_adma_ops = {
19871+static const struct ata_port_operations nv_adma_ops = {
19872 .inherits = &nv_ck804_ops,
19873
19874 .check_atapi_dma = nv_adma_check_atapi_dma,
19875@@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
19876 .host_stop = nv_adma_host_stop,
19877 };
19878
19879-static struct ata_port_operations nv_swncq_ops = {
19880+static const struct ata_port_operations nv_swncq_ops = {
19881 .inherits = &nv_generic_ops,
19882
19883 .qc_defer = ata_std_qc_defer,
19884diff -urNp linux-2.6.32.9/drivers/ata/sata_promise.c linux-2.6.32.9/drivers/ata/sata_promise.c
19885--- linux-2.6.32.9/drivers/ata/sata_promise.c 2010-02-09 07:57:19.000000000 -0500
19886+++ linux-2.6.32.9/drivers/ata/sata_promise.c 2010-02-23 17:09:53.156212249 -0500
19887@@ -195,7 +195,7 @@ static const struct ata_port_operations
19888 .error_handler = pdc_error_handler,
19889 };
19890
19891-static struct ata_port_operations pdc_sata_ops = {
19892+static const struct ata_port_operations pdc_sata_ops = {
19893 .inherits = &pdc_common_ops,
19894 .cable_detect = pdc_sata_cable_detect,
19895 .freeze = pdc_sata_freeze,
19896@@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
19897
19898 /* First-generation chips need a more restrictive ->check_atapi_dma op,
19899 and ->freeze/thaw that ignore the hotplug controls. */
19900-static struct ata_port_operations pdc_old_sata_ops = {
19901+static const struct ata_port_operations pdc_old_sata_ops = {
19902 .inherits = &pdc_sata_ops,
19903 .freeze = pdc_freeze,
19904 .thaw = pdc_thaw,
19905 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
19906 };
19907
19908-static struct ata_port_operations pdc_pata_ops = {
19909+static const struct ata_port_operations pdc_pata_ops = {
19910 .inherits = &pdc_common_ops,
19911 .cable_detect = pdc_pata_cable_detect,
19912 .freeze = pdc_freeze,
19913diff -urNp linux-2.6.32.9/drivers/ata/sata_qstor.c linux-2.6.32.9/drivers/ata/sata_qstor.c
19914--- linux-2.6.32.9/drivers/ata/sata_qstor.c 2010-02-09 07:57:19.000000000 -0500
19915+++ linux-2.6.32.9/drivers/ata/sata_qstor.c 2010-02-23 17:09:53.156212249 -0500
19916@@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
19917 .dma_boundary = QS_DMA_BOUNDARY,
19918 };
19919
19920-static struct ata_port_operations qs_ata_ops = {
19921+static const struct ata_port_operations qs_ata_ops = {
19922 .inherits = &ata_sff_port_ops,
19923
19924 .check_atapi_dma = qs_check_atapi_dma,
19925diff -urNp linux-2.6.32.9/drivers/ata/sata_sil24.c linux-2.6.32.9/drivers/ata/sata_sil24.c
19926--- linux-2.6.32.9/drivers/ata/sata_sil24.c 2010-02-09 07:57:19.000000000 -0500
19927+++ linux-2.6.32.9/drivers/ata/sata_sil24.c 2010-02-23 17:09:53.160339709 -0500
19928@@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
19929 .dma_boundary = ATA_DMA_BOUNDARY,
19930 };
19931
19932-static struct ata_port_operations sil24_ops = {
19933+static const struct ata_port_operations sil24_ops = {
19934 .inherits = &sata_pmp_port_ops,
19935
19936 .qc_defer = sil24_qc_defer,
19937diff -urNp linux-2.6.32.9/drivers/ata/sata_sil.c linux-2.6.32.9/drivers/ata/sata_sil.c
19938--- linux-2.6.32.9/drivers/ata/sata_sil.c 2010-02-09 07:57:19.000000000 -0500
19939+++ linux-2.6.32.9/drivers/ata/sata_sil.c 2010-02-23 17:09:53.160339709 -0500
19940@@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
19941 .sg_tablesize = ATA_MAX_PRD
19942 };
19943
19944-static struct ata_port_operations sil_ops = {
19945+static const struct ata_port_operations sil_ops = {
19946 .inherits = &ata_bmdma32_port_ops,
19947 .dev_config = sil_dev_config,
19948 .set_mode = sil_set_mode,
19949diff -urNp linux-2.6.32.9/drivers/ata/sata_sis.c linux-2.6.32.9/drivers/ata/sata_sis.c
19950--- linux-2.6.32.9/drivers/ata/sata_sis.c 2010-02-09 07:57:19.000000000 -0500
19951+++ linux-2.6.32.9/drivers/ata/sata_sis.c 2010-02-23 17:09:53.160339709 -0500
19952@@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
19953 ATA_BMDMA_SHT(DRV_NAME),
19954 };
19955
19956-static struct ata_port_operations sis_ops = {
19957+static const struct ata_port_operations sis_ops = {
19958 .inherits = &ata_bmdma_port_ops,
19959 .scr_read = sis_scr_read,
19960 .scr_write = sis_scr_write,
19961diff -urNp linux-2.6.32.9/drivers/ata/sata_svw.c linux-2.6.32.9/drivers/ata/sata_svw.c
19962--- linux-2.6.32.9/drivers/ata/sata_svw.c 2010-02-09 07:57:19.000000000 -0500
19963+++ linux-2.6.32.9/drivers/ata/sata_svw.c 2010-02-23 17:09:53.160339709 -0500
19964@@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
19965 };
19966
19967
19968-static struct ata_port_operations k2_sata_ops = {
19969+static const struct ata_port_operations k2_sata_ops = {
19970 .inherits = &ata_bmdma_port_ops,
19971 .sff_tf_load = k2_sata_tf_load,
19972 .sff_tf_read = k2_sata_tf_read,
19973diff -urNp linux-2.6.32.9/drivers/ata/sata_sx4.c linux-2.6.32.9/drivers/ata/sata_sx4.c
19974--- linux-2.6.32.9/drivers/ata/sata_sx4.c 2010-02-09 07:57:19.000000000 -0500
19975+++ linux-2.6.32.9/drivers/ata/sata_sx4.c 2010-02-23 17:09:53.160339709 -0500
19976@@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
19977 };
19978
19979 /* TODO: inherit from base port_ops after converting to new EH */
19980-static struct ata_port_operations pdc_20621_ops = {
19981+static const struct ata_port_operations pdc_20621_ops = {
19982 .inherits = &ata_sff_port_ops,
19983
19984 .check_atapi_dma = pdc_check_atapi_dma,
19985diff -urNp linux-2.6.32.9/drivers/ata/sata_uli.c linux-2.6.32.9/drivers/ata/sata_uli.c
19986--- linux-2.6.32.9/drivers/ata/sata_uli.c 2010-02-09 07:57:19.000000000 -0500
19987+++ linux-2.6.32.9/drivers/ata/sata_uli.c 2010-02-23 17:09:53.160339709 -0500
19988@@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
19989 ATA_BMDMA_SHT(DRV_NAME),
19990 };
19991
19992-static struct ata_port_operations uli_ops = {
19993+static const struct ata_port_operations uli_ops = {
19994 .inherits = &ata_bmdma_port_ops,
19995 .scr_read = uli_scr_read,
19996 .scr_write = uli_scr_write,
19997diff -urNp linux-2.6.32.9/drivers/ata/sata_via.c linux-2.6.32.9/drivers/ata/sata_via.c
19998--- linux-2.6.32.9/drivers/ata/sata_via.c 2010-02-09 07:57:19.000000000 -0500
19999+++ linux-2.6.32.9/drivers/ata/sata_via.c 2010-02-23 17:09:53.160339709 -0500
20000@@ -112,31 +112,31 @@ static struct scsi_host_template svia_sh
20001 ATA_BMDMA_SHT(DRV_NAME),
20002 };
20003
20004-static struct ata_port_operations svia_base_ops = {
20005+static const struct ata_port_operations svia_base_ops = {
20006 .inherits = &ata_bmdma_port_ops,
20007 .sff_tf_load = svia_tf_load,
20008 };
20009
20010-static struct ata_port_operations vt6420_sata_ops = {
20011+static const struct ata_port_operations vt6420_sata_ops = {
20012 .inherits = &svia_base_ops,
20013 .freeze = svia_noop_freeze,
20014 .prereset = vt6420_prereset,
20015 };
20016
20017-static struct ata_port_operations vt6421_pata_ops = {
20018+static const struct ata_port_operations vt6421_pata_ops = {
20019 .inherits = &svia_base_ops,
20020 .cable_detect = vt6421_pata_cable_detect,
20021 .set_piomode = vt6421_set_pio_mode,
20022 .set_dmamode = vt6421_set_dma_mode,
20023 };
20024
20025-static struct ata_port_operations vt6421_sata_ops = {
20026+static const struct ata_port_operations vt6421_sata_ops = {
20027 .inherits = &svia_base_ops,
20028 .scr_read = svia_scr_read,
20029 .scr_write = svia_scr_write,
20030 };
20031
20032-static struct ata_port_operations vt8251_ops = {
20033+static const struct ata_port_operations vt8251_ops = {
20034 .inherits = &svia_base_ops,
20035 .hardreset = sata_std_hardreset,
20036 .scr_read = vt8251_scr_read,
20037diff -urNp linux-2.6.32.9/drivers/ata/sata_vsc.c linux-2.6.32.9/drivers/ata/sata_vsc.c
20038--- linux-2.6.32.9/drivers/ata/sata_vsc.c 2010-02-09 07:57:19.000000000 -0500
20039+++ linux-2.6.32.9/drivers/ata/sata_vsc.c 2010-02-23 17:09:53.160339709 -0500
20040@@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
20041 };
20042
20043
20044-static struct ata_port_operations vsc_sata_ops = {
20045+static const struct ata_port_operations vsc_sata_ops = {
20046 .inherits = &ata_bmdma_port_ops,
20047 /* The IRQ handling is not quite standard SFF behaviour so we
20048 cannot use the default lost interrupt handler */
20049diff -urNp linux-2.6.32.9/drivers/atm/adummy.c linux-2.6.32.9/drivers/atm/adummy.c
20050--- linux-2.6.32.9/drivers/atm/adummy.c 2010-02-09 07:57:19.000000000 -0500
20051+++ linux-2.6.32.9/drivers/atm/adummy.c 2010-02-23 17:09:53.160339709 -0500
20052@@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
20053 vcc->pop(vcc, skb);
20054 else
20055 dev_kfree_skb_any(skb);
20056- atomic_inc(&vcc->stats->tx);
20057+ atomic_inc_unchecked(&vcc->stats->tx);
20058
20059 return 0;
20060 }
20061diff -urNp linux-2.6.32.9/drivers/atm/ambassador.c linux-2.6.32.9/drivers/atm/ambassador.c
20062--- linux-2.6.32.9/drivers/atm/ambassador.c 2010-02-09 07:57:19.000000000 -0500
20063+++ linux-2.6.32.9/drivers/atm/ambassador.c 2010-02-23 17:09:53.160339709 -0500
20064@@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
20065 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
20066
20067 // VC layer stats
20068- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20069+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20070
20071 // free the descriptor
20072 kfree (tx_descr);
20073@@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
20074 dump_skb ("<<<", vc, skb);
20075
20076 // VC layer stats
20077- atomic_inc(&atm_vcc->stats->rx);
20078+ atomic_inc_unchecked(&atm_vcc->stats->rx);
20079 __net_timestamp(skb);
20080 // end of our responsability
20081 atm_vcc->push (atm_vcc, skb);
20082@@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
20083 } else {
20084 PRINTK (KERN_INFO, "dropped over-size frame");
20085 // should we count this?
20086- atomic_inc(&atm_vcc->stats->rx_drop);
20087+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20088 }
20089
20090 } else {
20091@@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
20092 }
20093
20094 if (check_area (skb->data, skb->len)) {
20095- atomic_inc(&atm_vcc->stats->tx_err);
20096+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
20097 return -ENOMEM; // ?
20098 }
20099
20100diff -urNp linux-2.6.32.9/drivers/atm/atmtcp.c linux-2.6.32.9/drivers/atm/atmtcp.c
20101--- linux-2.6.32.9/drivers/atm/atmtcp.c 2010-02-09 07:57:19.000000000 -0500
20102+++ linux-2.6.32.9/drivers/atm/atmtcp.c 2010-02-23 17:09:53.160339709 -0500
20103@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
20104 if (vcc->pop) vcc->pop(vcc,skb);
20105 else dev_kfree_skb(skb);
20106 if (dev_data) return 0;
20107- atomic_inc(&vcc->stats->tx_err);
20108+ atomic_inc_unchecked(&vcc->stats->tx_err);
20109 return -ENOLINK;
20110 }
20111 size = skb->len+sizeof(struct atmtcp_hdr);
20112@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
20113 if (!new_skb) {
20114 if (vcc->pop) vcc->pop(vcc,skb);
20115 else dev_kfree_skb(skb);
20116- atomic_inc(&vcc->stats->tx_err);
20117+ atomic_inc_unchecked(&vcc->stats->tx_err);
20118 return -ENOBUFS;
20119 }
20120 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
20121@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
20122 if (vcc->pop) vcc->pop(vcc,skb);
20123 else dev_kfree_skb(skb);
20124 out_vcc->push(out_vcc,new_skb);
20125- atomic_inc(&vcc->stats->tx);
20126- atomic_inc(&out_vcc->stats->rx);
20127+ atomic_inc_unchecked(&vcc->stats->tx);
20128+ atomic_inc_unchecked(&out_vcc->stats->rx);
20129 return 0;
20130 }
20131
20132@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
20133 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
20134 read_unlock(&vcc_sklist_lock);
20135 if (!out_vcc) {
20136- atomic_inc(&vcc->stats->tx_err);
20137+ atomic_inc_unchecked(&vcc->stats->tx_err);
20138 goto done;
20139 }
20140 skb_pull(skb,sizeof(struct atmtcp_hdr));
20141@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
20142 __net_timestamp(new_skb);
20143 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
20144 out_vcc->push(out_vcc,new_skb);
20145- atomic_inc(&vcc->stats->tx);
20146- atomic_inc(&out_vcc->stats->rx);
20147+ atomic_inc_unchecked(&vcc->stats->tx);
20148+ atomic_inc_unchecked(&out_vcc->stats->rx);
20149 done:
20150 if (vcc->pop) vcc->pop(vcc,skb);
20151 else dev_kfree_skb(skb);
20152diff -urNp linux-2.6.32.9/drivers/atm/eni.c linux-2.6.32.9/drivers/atm/eni.c
20153--- linux-2.6.32.9/drivers/atm/eni.c 2010-02-09 07:57:19.000000000 -0500
20154+++ linux-2.6.32.9/drivers/atm/eni.c 2010-02-23 17:09:53.160339709 -0500
20155@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
20156 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
20157 vcc->dev->number);
20158 length = 0;
20159- atomic_inc(&vcc->stats->rx_err);
20160+ atomic_inc_unchecked(&vcc->stats->rx_err);
20161 }
20162 else {
20163 length = ATM_CELL_SIZE-1; /* no HEC */
20164@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20165 size);
20166 }
20167 eff = length = 0;
20168- atomic_inc(&vcc->stats->rx_err);
20169+ atomic_inc_unchecked(&vcc->stats->rx_err);
20170 }
20171 else {
20172 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
20173@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20174 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
20175 vcc->dev->number,vcc->vci,length,size << 2,descr);
20176 length = eff = 0;
20177- atomic_inc(&vcc->stats->rx_err);
20178+ atomic_inc_unchecked(&vcc->stats->rx_err);
20179 }
20180 }
20181 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
20182@@ -770,7 +770,7 @@ rx_dequeued++;
20183 vcc->push(vcc,skb);
20184 pushed++;
20185 }
20186- atomic_inc(&vcc->stats->rx);
20187+ atomic_inc_unchecked(&vcc->stats->rx);
20188 }
20189 wake_up(&eni_dev->rx_wait);
20190 }
20191@@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
20192 PCI_DMA_TODEVICE);
20193 if (vcc->pop) vcc->pop(vcc,skb);
20194 else dev_kfree_skb_irq(skb);
20195- atomic_inc(&vcc->stats->tx);
20196+ atomic_inc_unchecked(&vcc->stats->tx);
20197 wake_up(&eni_dev->tx_wait);
20198 dma_complete++;
20199 }
20200diff -urNp linux-2.6.32.9/drivers/atm/firestream.c linux-2.6.32.9/drivers/atm/firestream.c
20201--- linux-2.6.32.9/drivers/atm/firestream.c 2010-02-09 07:57:19.000000000 -0500
20202+++ linux-2.6.32.9/drivers/atm/firestream.c 2010-02-23 17:09:53.160339709 -0500
20203@@ -748,7 +748,7 @@ static void process_txdone_queue (struct
20204 }
20205 }
20206
20207- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20208+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20209
20210 fs_dprintk (FS_DEBUG_TXMEM, "i");
20211 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
20212@@ -815,7 +815,7 @@ static void process_incoming (struct fs_
20213 #endif
20214 skb_put (skb, qe->p1 & 0xffff);
20215 ATM_SKB(skb)->vcc = atm_vcc;
20216- atomic_inc(&atm_vcc->stats->rx);
20217+ atomic_inc_unchecked(&atm_vcc->stats->rx);
20218 __net_timestamp(skb);
20219 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
20220 atm_vcc->push (atm_vcc, skb);
20221@@ -836,12 +836,12 @@ static void process_incoming (struct fs_
20222 kfree (pe);
20223 }
20224 if (atm_vcc)
20225- atomic_inc(&atm_vcc->stats->rx_drop);
20226+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20227 break;
20228 case 0x1f: /* Reassembly abort: no buffers. */
20229 /* Silently increment error counter. */
20230 if (atm_vcc)
20231- atomic_inc(&atm_vcc->stats->rx_drop);
20232+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20233 break;
20234 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
20235 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
20236diff -urNp linux-2.6.32.9/drivers/atm/fore200e.c linux-2.6.32.9/drivers/atm/fore200e.c
20237--- linux-2.6.32.9/drivers/atm/fore200e.c 2010-02-09 07:57:19.000000000 -0500
20238+++ linux-2.6.32.9/drivers/atm/fore200e.c 2010-02-23 17:09:53.160339709 -0500
20239@@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
20240 #endif
20241 /* check error condition */
20242 if (*entry->status & STATUS_ERROR)
20243- atomic_inc(&vcc->stats->tx_err);
20244+ atomic_inc_unchecked(&vcc->stats->tx_err);
20245 else
20246- atomic_inc(&vcc->stats->tx);
20247+ atomic_inc_unchecked(&vcc->stats->tx);
20248 }
20249 }
20250
20251@@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
20252 if (skb == NULL) {
20253 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
20254
20255- atomic_inc(&vcc->stats->rx_drop);
20256+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20257 return -ENOMEM;
20258 }
20259
20260@@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
20261
20262 dev_kfree_skb_any(skb);
20263
20264- atomic_inc(&vcc->stats->rx_drop);
20265+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20266 return -ENOMEM;
20267 }
20268
20269 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20270
20271 vcc->push(vcc, skb);
20272- atomic_inc(&vcc->stats->rx);
20273+ atomic_inc_unchecked(&vcc->stats->rx);
20274
20275 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20276
20277@@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
20278 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
20279 fore200e->atm_dev->number,
20280 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
20281- atomic_inc(&vcc->stats->rx_err);
20282+ atomic_inc_unchecked(&vcc->stats->rx_err);
20283 }
20284 }
20285
20286@@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
20287 goto retry_here;
20288 }
20289
20290- atomic_inc(&vcc->stats->tx_err);
20291+ atomic_inc_unchecked(&vcc->stats->tx_err);
20292
20293 fore200e->tx_sat++;
20294 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
20295diff -urNp linux-2.6.32.9/drivers/atm/he.c linux-2.6.32.9/drivers/atm/he.c
20296--- linux-2.6.32.9/drivers/atm/he.c 2010-02-09 07:57:19.000000000 -0500
20297+++ linux-2.6.32.9/drivers/atm/he.c 2010-02-23 17:09:53.164177137 -0500
20298@@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20299
20300 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
20301 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
20302- atomic_inc(&vcc->stats->rx_drop);
20303+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20304 goto return_host_buffers;
20305 }
20306
20307@@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20308 RBRQ_LEN_ERR(he_dev->rbrq_head)
20309 ? "LEN_ERR" : "",
20310 vcc->vpi, vcc->vci);
20311- atomic_inc(&vcc->stats->rx_err);
20312+ atomic_inc_unchecked(&vcc->stats->rx_err);
20313 goto return_host_buffers;
20314 }
20315
20316@@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20317 vcc->push(vcc, skb);
20318 spin_lock(&he_dev->global_lock);
20319
20320- atomic_inc(&vcc->stats->rx);
20321+ atomic_inc_unchecked(&vcc->stats->rx);
20322
20323 return_host_buffers:
20324 ++pdus_assembled;
20325@@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
20326 tpd->vcc->pop(tpd->vcc, tpd->skb);
20327 else
20328 dev_kfree_skb_any(tpd->skb);
20329- atomic_inc(&tpd->vcc->stats->tx_err);
20330+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
20331 }
20332 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
20333 return;
20334@@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20335 vcc->pop(vcc, skb);
20336 else
20337 dev_kfree_skb_any(skb);
20338- atomic_inc(&vcc->stats->tx_err);
20339+ atomic_inc_unchecked(&vcc->stats->tx_err);
20340 return -EINVAL;
20341 }
20342
20343@@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20344 vcc->pop(vcc, skb);
20345 else
20346 dev_kfree_skb_any(skb);
20347- atomic_inc(&vcc->stats->tx_err);
20348+ atomic_inc_unchecked(&vcc->stats->tx_err);
20349 return -EINVAL;
20350 }
20351 #endif
20352@@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20353 vcc->pop(vcc, skb);
20354 else
20355 dev_kfree_skb_any(skb);
20356- atomic_inc(&vcc->stats->tx_err);
20357+ atomic_inc_unchecked(&vcc->stats->tx_err);
20358 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20359 return -ENOMEM;
20360 }
20361@@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20362 vcc->pop(vcc, skb);
20363 else
20364 dev_kfree_skb_any(skb);
20365- atomic_inc(&vcc->stats->tx_err);
20366+ atomic_inc_unchecked(&vcc->stats->tx_err);
20367 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20368 return -ENOMEM;
20369 }
20370@@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20371 __enqueue_tpd(he_dev, tpd, cid);
20372 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20373
20374- atomic_inc(&vcc->stats->tx);
20375+ atomic_inc_unchecked(&vcc->stats->tx);
20376
20377 return 0;
20378 }
20379diff -urNp linux-2.6.32.9/drivers/atm/horizon.c linux-2.6.32.9/drivers/atm/horizon.c
20380--- linux-2.6.32.9/drivers/atm/horizon.c 2010-02-09 07:57:19.000000000 -0500
20381+++ linux-2.6.32.9/drivers/atm/horizon.c 2010-02-23 17:09:53.164177137 -0500
20382@@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
20383 {
20384 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
20385 // VC layer stats
20386- atomic_inc(&vcc->stats->rx);
20387+ atomic_inc_unchecked(&vcc->stats->rx);
20388 __net_timestamp(skb);
20389 // end of our responsability
20390 vcc->push (vcc, skb);
20391@@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
20392 dev->tx_iovec = NULL;
20393
20394 // VC layer stats
20395- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20396+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20397
20398 // free the skb
20399 hrz_kfree_skb (skb);
20400diff -urNp linux-2.6.32.9/drivers/atm/idt77252.c linux-2.6.32.9/drivers/atm/idt77252.c
20401--- linux-2.6.32.9/drivers/atm/idt77252.c 2010-02-09 07:57:19.000000000 -0500
20402+++ linux-2.6.32.9/drivers/atm/idt77252.c 2010-02-23 17:09:53.164177137 -0500
20403@@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
20404 else
20405 dev_kfree_skb(skb);
20406
20407- atomic_inc(&vcc->stats->tx);
20408+ atomic_inc_unchecked(&vcc->stats->tx);
20409 }
20410
20411 atomic_dec(&scq->used);
20412@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
20413 if ((sb = dev_alloc_skb(64)) == NULL) {
20414 printk("%s: Can't allocate buffers for aal0.\n",
20415 card->name);
20416- atomic_add(i, &vcc->stats->rx_drop);
20417+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
20418 break;
20419 }
20420 if (!atm_charge(vcc, sb->truesize)) {
20421 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
20422 card->name);
20423- atomic_add(i - 1, &vcc->stats->rx_drop);
20424+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
20425 dev_kfree_skb(sb);
20426 break;
20427 }
20428@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
20429 ATM_SKB(sb)->vcc = vcc;
20430 __net_timestamp(sb);
20431 vcc->push(vcc, sb);
20432- atomic_inc(&vcc->stats->rx);
20433+ atomic_inc_unchecked(&vcc->stats->rx);
20434
20435 cell += ATM_CELL_PAYLOAD;
20436 }
20437@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
20438 "(CDC: %08x)\n",
20439 card->name, len, rpp->len, readl(SAR_REG_CDC));
20440 recycle_rx_pool_skb(card, rpp);
20441- atomic_inc(&vcc->stats->rx_err);
20442+ atomic_inc_unchecked(&vcc->stats->rx_err);
20443 return;
20444 }
20445 if (stat & SAR_RSQE_CRC) {
20446 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
20447 recycle_rx_pool_skb(card, rpp);
20448- atomic_inc(&vcc->stats->rx_err);
20449+ atomic_inc_unchecked(&vcc->stats->rx_err);
20450 return;
20451 }
20452 if (skb_queue_len(&rpp->queue) > 1) {
20453@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
20454 RXPRINTK("%s: Can't alloc RX skb.\n",
20455 card->name);
20456 recycle_rx_pool_skb(card, rpp);
20457- atomic_inc(&vcc->stats->rx_err);
20458+ atomic_inc_unchecked(&vcc->stats->rx_err);
20459 return;
20460 }
20461 if (!atm_charge(vcc, skb->truesize)) {
20462@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
20463 __net_timestamp(skb);
20464
20465 vcc->push(vcc, skb);
20466- atomic_inc(&vcc->stats->rx);
20467+ atomic_inc_unchecked(&vcc->stats->rx);
20468
20469 return;
20470 }
20471@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
20472 __net_timestamp(skb);
20473
20474 vcc->push(vcc, skb);
20475- atomic_inc(&vcc->stats->rx);
20476+ atomic_inc_unchecked(&vcc->stats->rx);
20477
20478 if (skb->truesize > SAR_FB_SIZE_3)
20479 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
20480@@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
20481 if (vcc->qos.aal != ATM_AAL0) {
20482 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
20483 card->name, vpi, vci);
20484- atomic_inc(&vcc->stats->rx_drop);
20485+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20486 goto drop;
20487 }
20488
20489 if ((sb = dev_alloc_skb(64)) == NULL) {
20490 printk("%s: Can't allocate buffers for AAL0.\n",
20491 card->name);
20492- atomic_inc(&vcc->stats->rx_err);
20493+ atomic_inc_unchecked(&vcc->stats->rx_err);
20494 goto drop;
20495 }
20496
20497@@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
20498 ATM_SKB(sb)->vcc = vcc;
20499 __net_timestamp(sb);
20500 vcc->push(vcc, sb);
20501- atomic_inc(&vcc->stats->rx);
20502+ atomic_inc_unchecked(&vcc->stats->rx);
20503
20504 drop:
20505 skb_pull(queue, 64);
20506@@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20507
20508 if (vc == NULL) {
20509 printk("%s: NULL connection in send().\n", card->name);
20510- atomic_inc(&vcc->stats->tx_err);
20511+ atomic_inc_unchecked(&vcc->stats->tx_err);
20512 dev_kfree_skb(skb);
20513 return -EINVAL;
20514 }
20515 if (!test_bit(VCF_TX, &vc->flags)) {
20516 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
20517- atomic_inc(&vcc->stats->tx_err);
20518+ atomic_inc_unchecked(&vcc->stats->tx_err);
20519 dev_kfree_skb(skb);
20520 return -EINVAL;
20521 }
20522@@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20523 break;
20524 default:
20525 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
20526- atomic_inc(&vcc->stats->tx_err);
20527+ atomic_inc_unchecked(&vcc->stats->tx_err);
20528 dev_kfree_skb(skb);
20529 return -EINVAL;
20530 }
20531
20532 if (skb_shinfo(skb)->nr_frags != 0) {
20533 printk("%s: No scatter-gather yet.\n", card->name);
20534- atomic_inc(&vcc->stats->tx_err);
20535+ atomic_inc_unchecked(&vcc->stats->tx_err);
20536 dev_kfree_skb(skb);
20537 return -EINVAL;
20538 }
20539@@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20540
20541 err = queue_skb(card, vc, skb, oam);
20542 if (err) {
20543- atomic_inc(&vcc->stats->tx_err);
20544+ atomic_inc_unchecked(&vcc->stats->tx_err);
20545 dev_kfree_skb(skb);
20546 return err;
20547 }
20548@@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
20549 skb = dev_alloc_skb(64);
20550 if (!skb) {
20551 printk("%s: Out of memory in send_oam().\n", card->name);
20552- atomic_inc(&vcc->stats->tx_err);
20553+ atomic_inc_unchecked(&vcc->stats->tx_err);
20554 return -ENOMEM;
20555 }
20556 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
20557diff -urNp linux-2.6.32.9/drivers/atm/iphase.c linux-2.6.32.9/drivers/atm/iphase.c
20558--- linux-2.6.32.9/drivers/atm/iphase.c 2010-02-09 07:57:19.000000000 -0500
20559+++ linux-2.6.32.9/drivers/atm/iphase.c 2010-02-23 17:09:53.164177137 -0500
20560@@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
20561 status = (u_short) (buf_desc_ptr->desc_mode);
20562 if (status & (RX_CER | RX_PTE | RX_OFL))
20563 {
20564- atomic_inc(&vcc->stats->rx_err);
20565+ atomic_inc_unchecked(&vcc->stats->rx_err);
20566 IF_ERR(printk("IA: bad packet, dropping it");)
20567 if (status & RX_CER) {
20568 IF_ERR(printk(" cause: packet CRC error\n");)
20569@@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
20570 len = dma_addr - buf_addr;
20571 if (len > iadev->rx_buf_sz) {
20572 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
20573- atomic_inc(&vcc->stats->rx_err);
20574+ atomic_inc_unchecked(&vcc->stats->rx_err);
20575 goto out_free_desc;
20576 }
20577
20578@@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
20579 ia_vcc = INPH_IA_VCC(vcc);
20580 if (ia_vcc == NULL)
20581 {
20582- atomic_inc(&vcc->stats->rx_err);
20583+ atomic_inc_unchecked(&vcc->stats->rx_err);
20584 dev_kfree_skb_any(skb);
20585 atm_return(vcc, atm_guess_pdu2truesize(len));
20586 goto INCR_DLE;
20587@@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
20588 if ((length > iadev->rx_buf_sz) || (length >
20589 (skb->len - sizeof(struct cpcs_trailer))))
20590 {
20591- atomic_inc(&vcc->stats->rx_err);
20592+ atomic_inc_unchecked(&vcc->stats->rx_err);
20593 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
20594 length, skb->len);)
20595 dev_kfree_skb_any(skb);
20596@@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
20597
20598 IF_RX(printk("rx_dle_intr: skb push");)
20599 vcc->push(vcc,skb);
20600- atomic_inc(&vcc->stats->rx);
20601+ atomic_inc_unchecked(&vcc->stats->rx);
20602 iadev->rx_pkt_cnt++;
20603 }
20604 INCR_DLE:
20605@@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
20606 {
20607 struct k_sonet_stats *stats;
20608 stats = &PRIV(_ia_dev[board])->sonet_stats;
20609- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
20610- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
20611- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
20612- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
20613- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
20614- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
20615- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
20616- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
20617- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
20618+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
20619+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
20620+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
20621+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
20622+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
20623+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
20624+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
20625+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
20626+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
20627 }
20628 ia_cmds.status = 0;
20629 break;
20630@@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
20631 if ((desc == 0) || (desc > iadev->num_tx_desc))
20632 {
20633 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
20634- atomic_inc(&vcc->stats->tx);
20635+ atomic_inc_unchecked(&vcc->stats->tx);
20636 if (vcc->pop)
20637 vcc->pop(vcc, skb);
20638 else
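Review bot: The invalid-descriptor branch in ia_pkt_tx bumps `vcc->stats->tx`, so a send that is rejected with the "invalid desc for send" message is counted as a transmitted PDU. The send paths of the other drivers in this patch (he_send, idt77252_send_skb, ns_send) count rejected sends in `tx_err`, and this line should probably read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The rest of the branch lies outside the hunk, so confirm that no later line there already accounts for the error.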
20639@@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
20640 ATM_DESC(skb) = vcc->vci;
20641 skb_queue_tail(&iadev->tx_dma_q, skb);
20642
20643- atomic_inc(&vcc->stats->tx);
20644+ atomic_inc_unchecked(&vcc->stats->tx);
20645 iadev->tx_pkt_cnt++;
20646 /* Increment transaction counter */
20647 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
20648
20649 #if 0
20650 /* add flow control logic */
20651- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
20652+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
20653 if (iavcc->vc_desc_cnt > 10) {
20654 vcc->tx_quota = vcc->tx_quota * 3 / 4;
20655 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
20656diff -urNp linux-2.6.32.9/drivers/atm/lanai.c linux-2.6.32.9/drivers/atm/lanai.c
20657--- linux-2.6.32.9/drivers/atm/lanai.c 2010-02-09 07:57:19.000000000 -0500
20658+++ linux-2.6.32.9/drivers/atm/lanai.c 2010-02-23 17:09:53.164177137 -0500
20659@@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
20660 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
20661 lanai_endtx(lanai, lvcc);
20662 lanai_free_skb(lvcc->tx.atmvcc, skb);
20663- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
20664+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
20665 }
20666
20667 /* Try to fill the buffer - don't call unless there is backlog */
20668@@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
20669 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
20670 __net_timestamp(skb);
20671 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
20672- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
20673+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
20674 out:
20675 lvcc->rx.buf.ptr = end;
20676 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
20677@@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
20678 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
20679 "vcc %d\n", lanai->number, (unsigned int) s, vci);
20680 lanai->stats.service_rxnotaal5++;
20681- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20682+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20683 return 0;
20684 }
20685 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
20686@@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
20687 int bytes;
20688 read_unlock(&vcc_sklist_lock);
20689 DPRINTK("got trashed rx pdu on vci %d\n", vci);
20690- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20691+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20692 lvcc->stats.x.aal5.service_trash++;
20693 bytes = (SERVICE_GET_END(s) * 16) -
20694 (((unsigned long) lvcc->rx.buf.ptr) -
20695@@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
20696 }
20697 if (s & SERVICE_STREAM) {
20698 read_unlock(&vcc_sklist_lock);
20699- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20700+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20701 lvcc->stats.x.aal5.service_stream++;
20702 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
20703 "PDU on VCI %d!\n", lanai->number, vci);
20704@@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
20705 return 0;
20706 }
20707 DPRINTK("got rx crc error on vci %d\n", vci);
20708- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20709+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20710 lvcc->stats.x.aal5.service_rxcrc++;
20711 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
20712 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
20713diff -urNp linux-2.6.32.9/drivers/atm/nicstar.c linux-2.6.32.9/drivers/atm/nicstar.c
20714--- linux-2.6.32.9/drivers/atm/nicstar.c 2010-02-09 07:57:19.000000000 -0500
20715+++ linux-2.6.32.9/drivers/atm/nicstar.c 2010-02-23 17:09:53.164177137 -0500
20716@@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
20717 if ((vc = (vc_map *) vcc->dev_data) == NULL)
20718 {
20719 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
20720- atomic_inc(&vcc->stats->tx_err);
20721+ atomic_inc_unchecked(&vcc->stats->tx_err);
20722 dev_kfree_skb_any(skb);
20723 return -EINVAL;
20724 }
20725@@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
20726 if (!vc->tx)
20727 {
20728 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
20729- atomic_inc(&vcc->stats->tx_err);
20730+ atomic_inc_unchecked(&vcc->stats->tx_err);
20731 dev_kfree_skb_any(skb);
20732 return -EINVAL;
20733 }
20734@@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
20735 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
20736 {
20737 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
20738- atomic_inc(&vcc->stats->tx_err);
20739+ atomic_inc_unchecked(&vcc->stats->tx_err);
20740 dev_kfree_skb_any(skb);
20741 return -EINVAL;
20742 }
20743@@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
20744 if (skb_shinfo(skb)->nr_frags != 0)
20745 {
20746 printk("nicstar%d: No scatter-gather yet.\n", card->index);
20747- atomic_inc(&vcc->stats->tx_err);
20748+ atomic_inc_unchecked(&vcc->stats->tx_err);
20749 dev_kfree_skb_any(skb);
20750 return -EINVAL;
20751 }
20752@@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
20753
20754 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
20755 {
20756- atomic_inc(&vcc->stats->tx_err);
20757+ atomic_inc_unchecked(&vcc->stats->tx_err);
20758 dev_kfree_skb_any(skb);
20759 return -EIO;
20760 }
20761- atomic_inc(&vcc->stats->tx);
20762+ atomic_inc_unchecked(&vcc->stats->tx);
20763
20764 return 0;
20765 }
20766@@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
20767 {
20768 printk("nicstar%d: Can't allocate buffers for aal0.\n",
20769 card->index);
20770- atomic_add(i,&vcc->stats->rx_drop);
20771+ atomic_add_unchecked(i,&vcc->stats->rx_drop);
20772 break;
20773 }
20774 if (!atm_charge(vcc, sb->truesize))
20775 {
20776 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
20777 card->index);
20778- atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
20779+ atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
20780 dev_kfree_skb_any(sb);
20781 break;
20782 }
20783@@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
20784 ATM_SKB(sb)->vcc = vcc;
20785 __net_timestamp(sb);
20786 vcc->push(vcc, sb);
20787- atomic_inc(&vcc->stats->rx);
20788+ atomic_inc_unchecked(&vcc->stats->rx);
20789 cell += ATM_CELL_PAYLOAD;
20790 }
20791
20792@@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
20793 if (iovb == NULL)
20794 {
20795 printk("nicstar%d: Out of iovec buffers.\n", card->index);
20796- atomic_inc(&vcc->stats->rx_drop);
20797+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20798 recycle_rx_buf(card, skb);
20799 return;
20800 }
20801@@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
20802 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
20803 {
20804 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
20805- atomic_inc(&vcc->stats->rx_err);
20806+ atomic_inc_unchecked(&vcc->stats->rx_err);
20807 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
20808 NS_SKB(iovb)->iovcnt = 0;
20809 iovb->len = 0;
20810@@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
20811 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
20812 card->index);
20813 which_list(card, skb);
20814- atomic_inc(&vcc->stats->rx_err);
20815+ atomic_inc_unchecked(&vcc->stats->rx_err);
20816 recycle_rx_buf(card, skb);
20817 vc->rx_iov = NULL;
20818 recycle_iov_buf(card, iovb);
20819@@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
20820 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
20821 card->index);
20822 which_list(card, skb);
20823- atomic_inc(&vcc->stats->rx_err);
20824+ atomic_inc_unchecked(&vcc->stats->rx_err);
20825 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
20826 NS_SKB(iovb)->iovcnt);
20827 vc->rx_iov = NULL;
20828@@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
20829 printk(" - PDU size mismatch.\n");
20830 else
20831 printk(".\n");
20832- atomic_inc(&vcc->stats->rx_err);
20833+ atomic_inc_unchecked(&vcc->stats->rx_err);
20834 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
20835 NS_SKB(iovb)->iovcnt);
20836 vc->rx_iov = NULL;
20837@@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
20838 if (!atm_charge(vcc, skb->truesize))
20839 {
20840 push_rxbufs(card, skb);
20841- atomic_inc(&vcc->stats->rx_drop);
20842+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20843 }
20844 else
20845 {
20846@@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
20847 ATM_SKB(skb)->vcc = vcc;
20848 __net_timestamp(skb);
20849 vcc->push(vcc, skb);
20850- atomic_inc(&vcc->stats->rx);
20851+ atomic_inc_unchecked(&vcc->stats->rx);
20852 }
20853 }
20854 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
20855@@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
20856 if (!atm_charge(vcc, sb->truesize))
20857 {
20858 push_rxbufs(card, sb);
20859- atomic_inc(&vcc->stats->rx_drop);
20860+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20861 }
20862 else
20863 {
20864@@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
20865 ATM_SKB(sb)->vcc = vcc;
20866 __net_timestamp(sb);
20867 vcc->push(vcc, sb);
20868- atomic_inc(&vcc->stats->rx);
20869+ atomic_inc_unchecked(&vcc->stats->rx);
20870 }
20871
20872 push_rxbufs(card, skb);
20873@@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
20874 if (!atm_charge(vcc, skb->truesize))
20875 {
20876 push_rxbufs(card, skb);
20877- atomic_inc(&vcc->stats->rx_drop);
20878+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20879 }
20880 else
20881 {
20882@@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
20883 ATM_SKB(skb)->vcc = vcc;
20884 __net_timestamp(skb);
20885 vcc->push(vcc, skb);
20886- atomic_inc(&vcc->stats->rx);
20887+ atomic_inc_unchecked(&vcc->stats->rx);
20888 }
20889
20890 push_rxbufs(card, sb);
20891@@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
20892 if (hb == NULL)
20893 {
20894 printk("nicstar%d: Out of huge buffers.\n", card->index);
20895- atomic_inc(&vcc->stats->rx_drop);
20896+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20897 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
20898 NS_SKB(iovb)->iovcnt);
20899 vc->rx_iov = NULL;
20900@@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
20901 }
20902 else
20903 dev_kfree_skb_any(hb);
20904- atomic_inc(&vcc->stats->rx_drop);
20905+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20906 }
20907 else
20908 {
20909@@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
20910 #endif /* NS_USE_DESTRUCTORS */
20911 __net_timestamp(hb);
20912 vcc->push(vcc, hb);
20913- atomic_inc(&vcc->stats->rx);
20914+ atomic_inc_unchecked(&vcc->stats->rx);
20915 }
20916 }
20917
20918diff -urNp linux-2.6.32.9/drivers/atm/solos-pci.c linux-2.6.32.9/drivers/atm/solos-pci.c
20919--- linux-2.6.32.9/drivers/atm/solos-pci.c 2010-02-09 07:57:19.000000000 -0500
20920+++ linux-2.6.32.9/drivers/atm/solos-pci.c 2010-02-23 17:09:53.164177137 -0500
20921@@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
20922 }
20923 atm_charge(vcc, skb->truesize);
20924 vcc->push(vcc, skb);
20925- atomic_inc(&vcc->stats->rx);
20926+ atomic_inc_unchecked(&vcc->stats->rx);
20927 break;
20928
20929 case PKT_STATUS:
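Review bot: The return value of `atm_charge(vcc, skb->truesize)` is ignored before `vcc->push(vcc, skb)` in solos_bh, while the idt77252 and nicstar receive paths in this same patch treat a zero return as "drop the buffer". If atm_charge refuses the charge here, the skb is still pushed and counted in `stats->rx`, which sidesteps whatever receive limit the call enforces. A guarded form such as `if (!atm_charge(vcc, skb->truesize)) { dev_kfree_skb_any(skb); break; }` would match the other drivers. solos_bh starts and ends outside the hunk, so the right cleanup call needs checking against the full function.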
20930@@ -1011,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
20931 vcc = SKB_CB(oldskb)->vcc;
20932
20933 if (vcc) {
20934- atomic_inc(&vcc->stats->tx);
20935+ atomic_inc_unchecked(&vcc->stats->tx);
20936 solos_pop(vcc, oldskb);
20937 } else
20938 dev_kfree_skb_irq(oldskb);
20939diff -urNp linux-2.6.32.9/drivers/atm/suni.c linux-2.6.32.9/drivers/atm/suni.c
20940--- linux-2.6.32.9/drivers/atm/suni.c 2010-02-09 07:57:19.000000000 -0500
20941+++ linux-2.6.32.9/drivers/atm/suni.c 2010-02-23 17:09:53.168233068 -0500
20942@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
20943
20944
20945 #define ADD_LIMITED(s,v) \
20946- atomic_add((v),&stats->s); \
20947- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
20948+ atomic_add_unchecked((v),&stats->s); \
20949+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
20950
20951
20952 static void suni_hz(unsigned long from_timer)
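Review bot: ADD_LIMITED expands to two bare statements, so `if (x) ADD_LIMITED(s, v);` would run the saturation check unconditionally; wrapping the body as `do { ... } while (0)` removes that hazard. The uPD98402.c version of the macro uses plain braces instead, which breaks when followed by `;` and `else`. The macro also deserves a comment such as `/* saturate at INT_MAX: relies on the counter wrapping negative, hence the _unchecked ops */`, because the clamp only works if the add is allowed to overflow. The add/read/set sequence is not atomic as a whole, and the callers are outside the hunk, so whether they serialise it cannot be confirmed from here.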
20953diff -urNp linux-2.6.32.9/drivers/atm/uPD98402.c linux-2.6.32.9/drivers/atm/uPD98402.c
20954--- linux-2.6.32.9/drivers/atm/uPD98402.c 2010-02-09 07:57:19.000000000 -0500
20955+++ linux-2.6.32.9/drivers/atm/uPD98402.c 2010-02-23 17:09:53.168233068 -0500
20956@@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
20957 struct sonet_stats tmp;
20958 int error = 0;
20959
20960- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
20961+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
20962 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
20963 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
20964 if (zero && !error) {
20965@@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
20966
20967
20968 #define ADD_LIMITED(s,v) \
20969- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
20970- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
20971- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
20972+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
20973+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
20974+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
20975
20976
20977 static void stat_event(struct atm_dev *dev)
20978@@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
20979 if (reason & uPD98402_INT_PFM) stat_event(dev);
20980 if (reason & uPD98402_INT_PCO) {
20981 (void) GET(PCOCR); /* clear interrupt cause */
20982- atomic_add(GET(HECCT),
20983+ atomic_add_unchecked(GET(HECCT),
20984 &PRIV(dev)->sonet_stats.uncorr_hcs);
20985 }
20986 if ((reason & uPD98402_INT_RFO) &&
20987@@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
20988 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
20989 uPD98402_INT_LOS),PIMR); /* enable them */
20990 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
20991- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
20992- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
20993- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
20994+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
20995+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
20996+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
20997 return 0;
20998 }
20999
21000diff -urNp linux-2.6.32.9/drivers/atm/zatm.c linux-2.6.32.9/drivers/atm/zatm.c
21001--- linux-2.6.32.9/drivers/atm/zatm.c 2010-02-09 07:57:19.000000000 -0500
21002+++ linux-2.6.32.9/drivers/atm/zatm.c 2010-02-23 17:09:53.168233068 -0500
21003@@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21004 }
21005 if (!size) {
21006 dev_kfree_skb_irq(skb);
21007- if (vcc) atomic_inc(&vcc->stats->rx_err);
21008+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
21009 continue;
21010 }
21011 if (!atm_charge(vcc,skb->truesize)) {
21012@@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21013 skb->len = size;
21014 ATM_SKB(skb)->vcc = vcc;
21015 vcc->push(vcc,skb);
21016- atomic_inc(&vcc->stats->rx);
21017+ atomic_inc_unchecked(&vcc->stats->rx);
21018 }
21019 zout(pos & 0xffff,MTA(mbx));
21020 #if 0 /* probably a stupid idea */
21021@@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
21022 skb_queue_head(&zatm_vcc->backlog,skb);
21023 break;
21024 }
21025- atomic_inc(&vcc->stats->tx);
21026+ atomic_inc_unchecked(&vcc->stats->tx);
21027 wake_up(&zatm_vcc->tx_wait);
21028 }
21029
21030diff -urNp linux-2.6.32.9/drivers/base/bus.c linux-2.6.32.9/drivers/base/bus.c
21031--- linux-2.6.32.9/drivers/base/bus.c 2010-02-09 07:57:19.000000000 -0500
21032+++ linux-2.6.32.9/drivers/base/bus.c 2010-02-23 17:09:53.168233068 -0500
21033@@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
21034 return ret;
21035 }
21036
21037-static struct sysfs_ops driver_sysfs_ops = {
21038+static const struct sysfs_ops driver_sysfs_ops = {
21039 .show = drv_attr_show,
21040 .store = drv_attr_store,
21041 };
21042@@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
21043 return ret;
21044 }
21045
21046-static struct sysfs_ops bus_sysfs_ops = {
21047+static const struct sysfs_ops bus_sysfs_ops = {
21048 .show = bus_attr_show,
21049 .store = bus_attr_store,
21050 };
21051@@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
21052 return 0;
21053 }
21054
21055-static struct kset_uevent_ops bus_uevent_ops = {
21056+static const struct kset_uevent_ops bus_uevent_ops = {
21057 .filter = bus_uevent_filter,
21058 };
21059
21060diff -urNp linux-2.6.32.9/drivers/base/class.c linux-2.6.32.9/drivers/base/class.c
21061--- linux-2.6.32.9/drivers/base/class.c 2010-02-23 17:04:12.007594284 -0500
21062+++ linux-2.6.32.9/drivers/base/class.c 2010-02-23 17:25:23.631619477 -0500
21063@@ -63,7 +63,7 @@ static void class_release(struct kobject
21064 kfree(cp);
21065 }
21066
21067-static struct sysfs_ops class_sysfs_ops = {
21068+static const struct sysfs_ops class_sysfs_ops = {
21069 .show = class_attr_show,
21070 .store = class_attr_store,
21071 };
21072diff -urNp linux-2.6.32.9/drivers/base/core.c linux-2.6.32.9/drivers/base/core.c
21073--- linux-2.6.32.9/drivers/base/core.c 2010-02-09 07:57:19.000000000 -0500
21074+++ linux-2.6.32.9/drivers/base/core.c 2010-02-23 17:09:53.168233068 -0500
21075@@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
21076 return ret;
21077 }
21078
21079-static struct sysfs_ops dev_sysfs_ops = {
21080+static const struct sysfs_ops dev_sysfs_ops = {
21081 .show = dev_attr_show,
21082 .store = dev_attr_store,
21083 };
21084@@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
21085 return retval;
21086 }
21087
21088-static struct kset_uevent_ops device_uevent_ops = {
21089+static const struct kset_uevent_ops device_uevent_ops = {
21090 .filter = dev_uevent_filter,
21091 .name = dev_uevent_name,
21092 .uevent = dev_uevent,
21093diff -urNp linux-2.6.32.9/drivers/base/memory.c linux-2.6.32.9/drivers/base/memory.c
21094--- linux-2.6.32.9/drivers/base/memory.c 2010-02-09 07:57:19.000000000 -0500
21095+++ linux-2.6.32.9/drivers/base/memory.c 2010-02-23 17:09:53.168233068 -0500
21096@@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
21097 return retval;
21098 }
21099
21100-static struct kset_uevent_ops memory_uevent_ops = {
21101+static const struct kset_uevent_ops memory_uevent_ops = {
21102 .name = memory_uevent_name,
21103 .uevent = memory_uevent,
21104 };
21105diff -urNp linux-2.6.32.9/drivers/base/sys.c linux-2.6.32.9/drivers/base/sys.c
21106--- linux-2.6.32.9/drivers/base/sys.c 2010-02-09 07:57:19.000000000 -0500
21107+++ linux-2.6.32.9/drivers/base/sys.c 2010-02-23 17:09:53.168233068 -0500
21108@@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
21109 return -EIO;
21110 }
21111
21112-static struct sysfs_ops sysfs_ops = {
21113+static const struct sysfs_ops sysfs_ops = {
21114 .show = sysdev_show,
21115 .store = sysdev_store,
21116 };
21117@@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
21118 return -EIO;
21119 }
21120
21121-static struct sysfs_ops sysfs_class_ops = {
21122+static const struct sysfs_ops sysfs_class_ops = {
21123 .show = sysdev_class_show,
21124 .store = sysdev_class_store,
21125 };
21126diff -urNp linux-2.6.32.9/drivers/block/pktcdvd.c linux-2.6.32.9/drivers/block/pktcdvd.c
21127--- linux-2.6.32.9/drivers/block/pktcdvd.c 2010-02-09 07:57:19.000000000 -0500
21128+++ linux-2.6.32.9/drivers/block/pktcdvd.c 2010-02-23 17:09:53.168233068 -0500
21129@@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
21130 return len;
21131 }
21132
21133-static struct sysfs_ops kobj_pkt_ops = {
21134+static const struct sysfs_ops kobj_pkt_ops = {
21135 .show = kobj_pkt_show,
21136 .store = kobj_pkt_store
21137 };
21138diff -urNp linux-2.6.32.9/drivers/char/agp/frontend.c linux-2.6.32.9/drivers/char/agp/frontend.c
21139--- linux-2.6.32.9/drivers/char/agp/frontend.c 2010-02-09 07:57:19.000000000 -0500
21140+++ linux-2.6.32.9/drivers/char/agp/frontend.c 2010-02-23 17:09:53.168233068 -0500
21141@@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
21142 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
21143 return -EFAULT;
21144
21145- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
21146+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
21147 return -EFAULT;
21148
21149 client = agp_find_client_by_pid(reserve.pid);
21150diff -urNp linux-2.6.32.9/drivers/char/agp/intel-agp.c linux-2.6.32.9/drivers/char/agp/intel-agp.c
21151--- linux-2.6.32.9/drivers/char/agp/intel-agp.c 2010-02-09 07:57:19.000000000 -0500
21152+++ linux-2.6.32.9/drivers/char/agp/intel-agp.c 2010-02-23 17:09:53.168233068 -0500
21153@@ -2571,7 +2571,7 @@ static struct pci_device_id agp_intel_pc
21154 ID(PCI_DEVICE_ID_INTEL_IGDNG_M_HB),
21155 ID(PCI_DEVICE_ID_INTEL_IGDNG_MA_HB),
21156 ID(PCI_DEVICE_ID_INTEL_IGDNG_MC2_HB),
21157- { }
21158+ { 0, 0, 0, 0, 0, 0, 0 }
21159 };
21160
21161 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
21162diff -urNp linux-2.6.32.9/drivers/char/hpet.c linux-2.6.32.9/drivers/char/hpet.c
21163--- linux-2.6.32.9/drivers/char/hpet.c 2010-02-09 07:57:19.000000000 -0500
21164+++ linux-2.6.32.9/drivers/char/hpet.c 2010-02-23 17:09:53.168233068 -0500
21165@@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
21166 },
21167 };
21168
21169-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
21170+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
21171
21172 static int __init hpet_init(void)
21173 {
21174diff -urNp linux-2.6.32.9/drivers/char/hvc_beat.c linux-2.6.32.9/drivers/char/hvc_beat.c
21175--- linux-2.6.32.9/drivers/char/hvc_beat.c 2010-02-09 07:57:19.000000000 -0500
21176+++ linux-2.6.32.9/drivers/char/hvc_beat.c 2010-02-23 17:09:53.168233068 -0500
21177@@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
21178 return cnt;
21179 }
21180
21181-static struct hv_ops hvc_beat_get_put_ops = {
21182+static const struct hv_ops hvc_beat_get_put_ops = {
21183 .get_chars = hvc_beat_get_chars,
21184 .put_chars = hvc_beat_put_chars,
21185 };
21186diff -urNp linux-2.6.32.9/drivers/char/hvc_console.c linux-2.6.32.9/drivers/char/hvc_console.c
21187--- linux-2.6.32.9/drivers/char/hvc_console.c 2010-02-09 07:57:19.000000000 -0500
21188+++ linux-2.6.32.9/drivers/char/hvc_console.c 2010-02-23 17:09:53.168233068 -0500
21189@@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
21190 * console interfaces but can still be used as a tty device. This has to be
21191 * static because kmalloc will not work during early console init.
21192 */
21193-static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21194+static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21195 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
21196 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
21197
21198@@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
21199 * vty adapters do NOT get an hvc_instantiate() callback since they
21200 * appear after early console init.
21201 */
21202-int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
21203+int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
21204 {
21205 struct hvc_struct *hp;
21206
21207@@ -749,7 +749,7 @@ static const struct tty_operations hvc_o
21208 };
21209
21210 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
21211- struct hv_ops *ops, int outbuf_size)
21212+ const struct hv_ops *ops, int outbuf_size)
21213 {
21214 struct hvc_struct *hp;
21215 int i;
21216diff -urNp linux-2.6.32.9/drivers/char/hvc_console.h linux-2.6.32.9/drivers/char/hvc_console.h
21217--- linux-2.6.32.9/drivers/char/hvc_console.h 2010-02-09 07:57:19.000000000 -0500
21218+++ linux-2.6.32.9/drivers/char/hvc_console.h 2010-02-23 17:09:53.168233068 -0500
21219@@ -55,7 +55,7 @@ struct hvc_struct {
21220 int outbuf_size;
21221 int n_outbuf;
21222 uint32_t vtermno;
21223- struct hv_ops *ops;
21224+ const struct hv_ops *ops;
21225 int irq_requested;
21226 int data;
21227 struct winsize ws;
21228@@ -76,11 +76,11 @@ struct hv_ops {
21229 };
21230
21231 /* Register a vterm and a slot index for use as a console (console_init) */
21232-extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
21233+extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
21234
21235 /* register a vterm for hvc tty operation (module_init or hotplug add) */
21236 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
21237- struct hv_ops *ops, int outbuf_size);
21238+ const struct hv_ops *ops, int outbuf_size);
21239 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
21240 extern int hvc_remove(struct hvc_struct *hp);
21241
21242diff -urNp linux-2.6.32.9/drivers/char/hvc_iseries.c linux-2.6.32.9/drivers/char/hvc_iseries.c
21243--- linux-2.6.32.9/drivers/char/hvc_iseries.c 2010-02-09 07:57:19.000000000 -0500
21244+++ linux-2.6.32.9/drivers/char/hvc_iseries.c 2010-02-23 17:09:53.168233068 -0500
21245@@ -197,7 +197,7 @@ done:
21246 return sent;
21247 }
21248
21249-static struct hv_ops hvc_get_put_ops = {
21250+static const struct hv_ops hvc_get_put_ops = {
21251 .get_chars = get_chars,
21252 .put_chars = put_chars,
21253 .notifier_add = notifier_add_irq,
21254diff -urNp linux-2.6.32.9/drivers/char/hvc_iucv.c linux-2.6.32.9/drivers/char/hvc_iucv.c
21255--- linux-2.6.32.9/drivers/char/hvc_iucv.c 2010-02-09 07:57:19.000000000 -0500
21256+++ linux-2.6.32.9/drivers/char/hvc_iucv.c 2010-02-23 17:09:53.172065136 -0500
21257@@ -922,7 +922,7 @@ static int hvc_iucv_pm_restore_thaw(stru
21258
21259
21260 /* HVC operations */
21261-static struct hv_ops hvc_iucv_ops = {
21262+static const struct hv_ops hvc_iucv_ops = {
21263 .get_chars = hvc_iucv_get_chars,
21264 .put_chars = hvc_iucv_put_chars,
21265 .notifier_add = hvc_iucv_notifier_add,
21266diff -urNp linux-2.6.32.9/drivers/char/hvc_rtas.c linux-2.6.32.9/drivers/char/hvc_rtas.c
21267--- linux-2.6.32.9/drivers/char/hvc_rtas.c 2010-02-09 07:57:19.000000000 -0500
21268+++ linux-2.6.32.9/drivers/char/hvc_rtas.c 2010-02-23 17:09:53.172065136 -0500
21269@@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
21270 return i;
21271 }
21272
21273-static struct hv_ops hvc_rtas_get_put_ops = {
21274+static const struct hv_ops hvc_rtas_get_put_ops = {
21275 .get_chars = hvc_rtas_read_console,
21276 .put_chars = hvc_rtas_write_console,
21277 };
21278diff -urNp linux-2.6.32.9/drivers/char/hvcs.c linux-2.6.32.9/drivers/char/hvcs.c
21279--- linux-2.6.32.9/drivers/char/hvcs.c 2010-02-09 07:57:19.000000000 -0500
21280+++ linux-2.6.32.9/drivers/char/hvcs.c 2010-02-23 17:09:53.172065136 -0500
21281@@ -269,7 +269,7 @@ struct hvcs_struct {
21282 unsigned int index;
21283
21284 struct tty_struct *tty;
21285- int open_count;
21286+ atomic_t open_count;
21287
21288 /*
21289 * Used to tell the driver kernel_thread what operations need to take
21290@@ -419,7 +419,7 @@ static ssize_t hvcs_vterm_state_store(st
21291
21292 spin_lock_irqsave(&hvcsd->lock, flags);
21293
21294- if (hvcsd->open_count > 0) {
21295+ if (atomic_read(&hvcsd->open_count) > 0) {
21296 spin_unlock_irqrestore(&hvcsd->lock, flags);
21297 printk(KERN_INFO "HVCS: vterm state unchanged. "
21298 "The hvcs device node is still in use.\n");
21299@@ -1135,7 +1135,7 @@ static int hvcs_open(struct tty_struct *
21300 if ((retval = hvcs_partner_connect(hvcsd)))
21301 goto error_release;
21302
21303- hvcsd->open_count = 1;
21304+ atomic_set(&hvcsd->open_count, 1);
21305 hvcsd->tty = tty;
21306 tty->driver_data = hvcsd;
21307
21308@@ -1169,7 +1169,7 @@ fast_open:
21309
21310 spin_lock_irqsave(&hvcsd->lock, flags);
21311 kref_get(&hvcsd->kref);
21312- hvcsd->open_count++;
21313+ atomic_inc(&hvcsd->open_count);
21314 hvcsd->todo_mask |= HVCS_SCHED_READ;
21315 spin_unlock_irqrestore(&hvcsd->lock, flags);
21316
21317@@ -1213,7 +1213,7 @@ static void hvcs_close(struct tty_struct
21318 hvcsd = tty->driver_data;
21319
21320 spin_lock_irqsave(&hvcsd->lock, flags);
21321- if (--hvcsd->open_count == 0) {
21322+ if (atomic_dec_and_test(&hvcsd->open_count)) {
21323
21324 vio_disable_interrupts(hvcsd->vdev);
21325
21326@@ -1239,10 +1239,10 @@ static void hvcs_close(struct tty_struct
21327 free_irq(irq, hvcsd);
21328 kref_put(&hvcsd->kref, destroy_hvcs_struct);
21329 return;
21330- } else if (hvcsd->open_count < 0) {
21331+ } else if (atomic_read(&hvcsd->open_count) < 0) {
21332 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
21333 " is missmanaged.\n",
21334- hvcsd->vdev->unit_address, hvcsd->open_count);
21335+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
21336 }
21337
21338 spin_unlock_irqrestore(&hvcsd->lock, flags);
21339@@ -1258,7 +1258,7 @@ static void hvcs_hangup(struct tty_struc
21340
21341 spin_lock_irqsave(&hvcsd->lock, flags);
21342 /* Preserve this so that we know how many kref refs to put */
21343- temp_open_count = hvcsd->open_count;
21344+ temp_open_count = atomic_read(&hvcsd->open_count);
21345
21346 /*
21347 * Don't kref put inside the spinlock because the destruction
21348@@ -1273,7 +1273,7 @@ static void hvcs_hangup(struct tty_struc
21349 hvcsd->tty->driver_data = NULL;
21350 hvcsd->tty = NULL;
21351
21352- hvcsd->open_count = 0;
21353+ atomic_set(&hvcsd->open_count, 0);
21354
21355 /* This will drop any buffered data on the floor which is OK in a hangup
21356 * scenario. */
21357@@ -1344,7 +1344,7 @@ static int hvcs_write(struct tty_struct
21358 * the middle of a write operation? This is a crummy place to do this
21359 * but we want to keep it all in the spinlock.
21360 */
21361- if (hvcsd->open_count <= 0) {
21362+ if (atomic_read(&hvcsd->open_count) <= 0) {
21363 spin_unlock_irqrestore(&hvcsd->lock, flags);
21364 return -ENODEV;
21365 }
21366@@ -1418,7 +1418,7 @@ static int hvcs_write_room(struct tty_st
21367 {
21368 struct hvcs_struct *hvcsd = tty->driver_data;
21369
21370- if (!hvcsd || hvcsd->open_count <= 0)
21371+ if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
21372 return 0;
21373
21374 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
21375diff -urNp linux-2.6.32.9/drivers/char/hvc_udbg.c linux-2.6.32.9/drivers/char/hvc_udbg.c
21376--- linux-2.6.32.9/drivers/char/hvc_udbg.c 2010-02-09 07:57:19.000000000 -0500
21377+++ linux-2.6.32.9/drivers/char/hvc_udbg.c 2010-02-23 17:09:53.172065136 -0500
21378@@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
21379 return i;
21380 }
21381
21382-static struct hv_ops hvc_udbg_ops = {
21383+static const struct hv_ops hvc_udbg_ops = {
21384 .get_chars = hvc_udbg_get,
21385 .put_chars = hvc_udbg_put,
21386 };
21387diff -urNp linux-2.6.32.9/drivers/char/hvc_vio.c linux-2.6.32.9/drivers/char/hvc_vio.c
21388--- linux-2.6.32.9/drivers/char/hvc_vio.c 2010-02-09 07:57:19.000000000 -0500
21389+++ linux-2.6.32.9/drivers/char/hvc_vio.c 2010-02-23 17:09:53.172065136 -0500
21390@@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
21391 return got;
21392 }
21393
21394-static struct hv_ops hvc_get_put_ops = {
21395+static const struct hv_ops hvc_get_put_ops = {
21396 .get_chars = filtered_get_chars,
21397 .put_chars = hvc_put_chars,
21398 .notifier_add = notifier_add_irq,
21399diff -urNp linux-2.6.32.9/drivers/char/hvc_xen.c linux-2.6.32.9/drivers/char/hvc_xen.c
21400--- linux-2.6.32.9/drivers/char/hvc_xen.c 2010-02-09 07:57:19.000000000 -0500
21401+++ linux-2.6.32.9/drivers/char/hvc_xen.c 2010-02-23 17:09:53.172065136 -0500
21402@@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
21403 return recv;
21404 }
21405
21406-static struct hv_ops hvc_ops = {
21407+static const struct hv_ops hvc_ops = {
21408 .get_chars = read_console,
21409 .put_chars = write_console,
21410 .notifier_add = notifier_add_irq,
21411diff -urNp linux-2.6.32.9/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.9/drivers/char/ipmi/ipmi_msghandler.c
21412--- linux-2.6.32.9/drivers/char/ipmi/ipmi_msghandler.c 2010-02-09 07:57:19.000000000 -0500
21413+++ linux-2.6.32.9/drivers/char/ipmi/ipmi_msghandler.c 2010-02-23 17:09:53.172065136 -0500
21414@@ -414,7 +414,7 @@ struct ipmi_smi {
21415 struct proc_dir_entry *proc_dir;
21416 char proc_dir_name[10];
21417
21418- atomic_t stats[IPMI_NUM_STATS];
21419+ atomic_unchecked_t stats[IPMI_NUM_STATS];
21420
21421 /*
21422 * run_to_completion duplicate of smb_info, smi_info
21423@@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
21424
21425
21426 #define ipmi_inc_stat(intf, stat) \
21427- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
21428+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
21429 #define ipmi_get_stat(intf, stat) \
21430- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
21431+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
21432
21433 static int is_lan_addr(struct ipmi_addr *addr)
21434 {
21435@@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
21436 INIT_LIST_HEAD(&intf->cmd_rcvrs);
21437 init_waitqueue_head(&intf->waitq);
21438 for (i = 0; i < IPMI_NUM_STATS; i++)
21439- atomic_set(&intf->stats[i], 0);
21440+ atomic_set_unchecked(&intf->stats[i], 0);
21441
21442 intf->proc_dir = NULL;
21443
21444diff -urNp linux-2.6.32.9/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.9/drivers/char/ipmi/ipmi_si_intf.c
21445--- linux-2.6.32.9/drivers/char/ipmi/ipmi_si_intf.c 2010-02-09 07:57:19.000000000 -0500
21446+++ linux-2.6.32.9/drivers/char/ipmi/ipmi_si_intf.c 2010-02-23 17:09:53.172065136 -0500
21447@@ -277,7 +277,7 @@ struct smi_info {
21448 unsigned char slave_addr;
21449
21450 /* Counters and things for the proc filesystem. */
21451- atomic_t stats[SI_NUM_STATS];
21452+ atomic_unchecked_t stats[SI_NUM_STATS];
21453
21454 struct task_struct *thread;
21455
21456@@ -285,9 +285,9 @@ struct smi_info {
21457 };
21458
21459 #define smi_inc_stat(smi, stat) \
21460- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
21461+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
21462 #define smi_get_stat(smi, stat) \
21463- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
21464+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
21465
21466 #define SI_MAX_PARMS 4
21467
21468@@ -2926,7 +2926,7 @@ static int try_smi_init(struct smi_info
21469 atomic_set(&new_smi->req_events, 0);
21470 new_smi->run_to_completion = 0;
21471 for (i = 0; i < SI_NUM_STATS; i++)
21472- atomic_set(&new_smi->stats[i], 0);
21473+ atomic_set_unchecked(&new_smi->stats[i], 0);
21474
21475 new_smi->interrupt_disabled = 0;
21476 atomic_set(&new_smi->stop_operation, 0);
21477diff -urNp linux-2.6.32.9/drivers/char/keyboard.c linux-2.6.32.9/drivers/char/keyboard.c
21478--- linux-2.6.32.9/drivers/char/keyboard.c 2010-02-09 07:57:19.000000000 -0500
21479+++ linux-2.6.32.9/drivers/char/keyboard.c 2010-02-23 17:09:53.172065136 -0500
21480@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
21481 kbd->kbdmode == VC_MEDIUMRAW) &&
21482 value != KVAL(K_SAK))
21483 return; /* SAK is allowed even in raw mode */
21484+
21485+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
21486+ {
21487+ void *func = fn_handler[value];
21488+ if (func == fn_show_state || func == fn_show_ptregs ||
21489+ func == fn_show_mem)
21490+ return;
21491+ }
21492+#endif
21493+
21494 fn_handler[value](vc);
21495 }
21496
21497@@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
21498 .evbit = { BIT_MASK(EV_SND) },
21499 },
21500
21501- { }, /* Terminating entry */
21502+ { 0 }, /* Terminating entry */
21503 };
21504
21505 MODULE_DEVICE_TABLE(input, kbd_ids);
21506diff -urNp linux-2.6.32.9/drivers/char/mem.c linux-2.6.32.9/drivers/char/mem.c
21507--- linux-2.6.32.9/drivers/char/mem.c 2010-02-23 17:04:12.039606376 -0500
21508+++ linux-2.6.32.9/drivers/char/mem.c 2010-02-23 17:28:21.287708349 -0500
21509@@ -18,6 +18,7 @@
21510 #include <linux/raw.h>
21511 #include <linux/tty.h>
21512 #include <linux/capability.h>
21513+#include <linux/security.h>
21514 #include <linux/ptrace.h>
21515 #include <linux/device.h>
21516 #include <linux/highmem.h>
21517@@ -35,6 +36,10 @@
21518 # include <linux/efi.h>
21519 #endif
21520
21521+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21522+extern struct file_operations grsec_fops;
21523+#endif
21524+
21525 static inline unsigned long size_inside_page(unsigned long start,
21526 unsigned long size)
21527 {
21528@@ -205,6 +210,11 @@ static ssize_t write_mem(struct file * f
21529 if (!valid_phys_addr_range(p, count))
21530 return -EFAULT;
21531
21532+#ifdef CONFIG_GRKERNSEC_KMEM
21533+ gr_handle_mem_write();
21534+ return -EPERM;
21535+#endif
21536+
21537 written = 0;
21538
21539 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
21540@@ -337,6 +347,11 @@ static int mmap_mem(struct file * file,
21541 &vma->vm_page_prot))
21542 return -EINVAL;
21543
21544+#ifdef CONFIG_GRKERNSEC_KMEM
21545+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
21546+ return -EPERM;
21547+#endif
21548+
21549 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
21550 size,
21551 vma->vm_page_prot);
21552@@ -560,6 +575,11 @@ static ssize_t write_kmem(struct file *
21553 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
21554 int err = 0;
21555
21556+#ifdef CONFIG_GRKERNSEC_KMEM
21557+ gr_handle_kmem_write();
21558+ return -EPERM;
21559+#endif
21560+
21561 if (p < (unsigned long) high_memory) {
21562
21563 wrote = count;
21564@@ -765,6 +785,16 @@ static loff_t memory_lseek(struct file *
21565
21566 static int open_port(struct inode * inode, struct file * filp)
21567 {
21568+#ifdef CONFIG_GRKERNSEC_KMEM
21569+ gr_handle_open_port();
21570+ return -EPERM;
21571+#endif
21572+
21573+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21574+}
21575+
21576+static int open_mem(struct inode * inode, struct file * filp)
21577+{
21578 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21579 }
21580
21581@@ -772,7 +802,6 @@ static int open_port(struct inode * inod
21582 #define full_lseek null_lseek
21583 #define write_zero write_null
21584 #define read_full read_zero
21585-#define open_mem open_port
21586 #define open_kmem open_mem
21587 #define open_oldmem open_mem
21588
21589@@ -888,6 +917,9 @@ static const struct memdev {
21590 #ifdef CONFIG_CRASH_DUMP
21591 [12] = { "oldmem", 0, &oldmem_fops, NULL },
21592 #endif
21593+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21594+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
21595+#endif
21596 };
21597
21598 static int memory_open(struct inode *inode, struct file *filp)
21599diff -urNp linux-2.6.32.9/drivers/char/nvram.c linux-2.6.32.9/drivers/char/nvram.c
21600--- linux-2.6.32.9/drivers/char/nvram.c 2010-02-09 07:57:19.000000000 -0500
21601+++ linux-2.6.32.9/drivers/char/nvram.c 2010-02-23 17:09:53.172065136 -0500
21602@@ -429,7 +429,10 @@ static const struct file_operations nvra
21603 static struct miscdevice nvram_dev = {
21604 NVRAM_MINOR,
21605 "nvram",
21606- &nvram_fops
21607+ &nvram_fops,
21608+ {NULL, NULL},
21609+ NULL,
21610+ NULL
21611 };
21612
21613 static int __init nvram_init(void)
21614diff -urNp linux-2.6.32.9/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.9/drivers/char/pcmcia/ipwireless/tty.c
21615--- linux-2.6.32.9/drivers/char/pcmcia/ipwireless/tty.c 2010-02-09 07:57:19.000000000 -0500
21616+++ linux-2.6.32.9/drivers/char/pcmcia/ipwireless/tty.c 2010-02-23 17:09:53.172065136 -0500
21617@@ -51,7 +51,7 @@ struct ipw_tty {
21618 int tty_type;
21619 struct ipw_network *network;
21620 struct tty_struct *linux_tty;
21621- int open_count;
21622+ atomic_t open_count;
21623 unsigned int control_lines;
21624 struct mutex ipw_tty_mutex;
21625 int tx_bytes_queued;
21626@@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
21627 mutex_unlock(&tty->ipw_tty_mutex);
21628 return -ENODEV;
21629 }
21630- if (tty->open_count == 0)
21631+ if (atomic_read(&tty->open_count) == 0)
21632 tty->tx_bytes_queued = 0;
21633
21634- tty->open_count++;
21635+ atomic_inc(&tty->open_count);
21636
21637 tty->linux_tty = linux_tty;
21638 linux_tty->driver_data = tty;
21639@@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
21640
21641 static void do_ipw_close(struct ipw_tty *tty)
21642 {
21643- tty->open_count--;
21644-
21645- if (tty->open_count == 0) {
21646+ if (atomic_dec_return(&tty->open_count) == 0) {
21647 struct tty_struct *linux_tty = tty->linux_tty;
21648
21649 if (linux_tty != NULL) {
21650@@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
21651 return;
21652
21653 mutex_lock(&tty->ipw_tty_mutex);
21654- if (tty->open_count == 0) {
21655+ if (atomic_read(&tty->open_count) == 0) {
21656 mutex_unlock(&tty->ipw_tty_mutex);
21657 return;
21658 }
21659@@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
21660 return;
21661 }
21662
21663- if (!tty->open_count) {
21664+ if (!atomic_read(&tty->open_count)) {
21665 mutex_unlock(&tty->ipw_tty_mutex);
21666 return;
21667 }
21668@@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
21669 return -ENODEV;
21670
21671 mutex_lock(&tty->ipw_tty_mutex);
21672- if (!tty->open_count) {
21673+ if (!atomic_read(&tty->open_count)) {
21674 mutex_unlock(&tty->ipw_tty_mutex);
21675 return -EINVAL;
21676 }
21677@@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
21678 if (!tty)
21679 return -ENODEV;
21680
21681- if (!tty->open_count)
21682+ if (!atomic_read(&tty->open_count))
21683 return -EINVAL;
21684
21685 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
21686@@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
21687 if (!tty)
21688 return 0;
21689
21690- if (!tty->open_count)
21691+ if (!atomic_read(&tty->open_count))
21692 return 0;
21693
21694 return tty->tx_bytes_queued;
21695@@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
21696 if (!tty)
21697 return -ENODEV;
21698
21699- if (!tty->open_count)
21700+ if (!atomic_read(&tty->open_count))
21701 return -EINVAL;
21702
21703 return get_control_lines(tty);
21704@@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
21705 if (!tty)
21706 return -ENODEV;
21707
21708- if (!tty->open_count)
21709+ if (!atomic_read(&tty->open_count))
21710 return -EINVAL;
21711
21712 return set_control_lines(tty, set, clear);
21713@@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
21714 if (!tty)
21715 return -ENODEV;
21716
21717- if (!tty->open_count)
21718+ if (!atomic_read(&tty->open_count))
21719 return -EINVAL;
21720
21721 /* FIXME: Exactly how is the tty object locked here .. */
21722@@ -591,7 +589,7 @@ void ipwireless_tty_free(struct ipw_tty
21723 against a parallel ioctl etc */
21724 mutex_lock(&ttyj->ipw_tty_mutex);
21725 }
21726- while (ttyj->open_count)
21727+ while (atomic_read(&ttyj->open_count))
21728 do_ipw_close(ttyj);
21729 ipwireless_disassociate_network_ttys(network,
21730 ttyj->channel_idx);
21731diff -urNp linux-2.6.32.9/drivers/char/pty.c linux-2.6.32.9/drivers/char/pty.c
21732--- linux-2.6.32.9/drivers/char/pty.c 2010-02-09 07:57:19.000000000 -0500
21733+++ linux-2.6.32.9/drivers/char/pty.c 2010-02-23 17:09:53.176362503 -0500
21734@@ -682,7 +682,18 @@ static int ptmx_open(struct inode *inode
21735 return ret;
21736 }
21737
21738-static struct file_operations ptmx_fops;
21739+static const struct file_operations ptmx_fops = {
21740+ .llseek = no_llseek,
21741+ .read = tty_read,
21742+ .write = tty_write,
21743+ .poll = tty_poll,
21744+ .unlocked_ioctl = tty_ioctl,
21745+ .compat_ioctl = tty_compat_ioctl,
21746+ .open = ptmx_open,
21747+ .release = tty_release,
21748+ .fasync = tty_fasync,
21749+};
21750+
21751
21752 static void __init unix98_pty_init(void)
21753 {
21754@@ -736,9 +747,6 @@ static void __init unix98_pty_init(void)
21755 register_sysctl_table(pty_root_table);
21756
21757 /* Now create the /dev/ptmx special device */
21758- tty_default_fops(&ptmx_fops);
21759- ptmx_fops.open = ptmx_open;
21760-
21761 cdev_init(&ptmx_cdev, &ptmx_fops);
21762 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
21763 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
21764diff -urNp linux-2.6.32.9/drivers/char/random.c linux-2.6.32.9/drivers/char/random.c
21765--- linux-2.6.32.9/drivers/char/random.c 2010-02-09 07:57:19.000000000 -0500
21766+++ linux-2.6.32.9/drivers/char/random.c 2010-02-23 17:09:53.176362503 -0500
21767@@ -254,8 +254,13 @@
21768 /*
21769 * Configuration information
21770 */
21771+#ifdef CONFIG_GRKERNSEC_RANDNET
21772+#define INPUT_POOL_WORDS 512
21773+#define OUTPUT_POOL_WORDS 128
21774+#else
21775 #define INPUT_POOL_WORDS 128
21776 #define OUTPUT_POOL_WORDS 32
21777+#endif
21778 #define SEC_XFER_SIZE 512
21779
21780 /*
21781@@ -292,10 +297,17 @@ static struct poolinfo {
21782 int poolwords;
21783 int tap1, tap2, tap3, tap4, tap5;
21784 } poolinfo_table[] = {
21785+#ifdef CONFIG_GRKERNSEC_RANDNET
21786+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
21787+ { 512, 411, 308, 208, 104, 1 },
21788+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
21789+ { 128, 103, 76, 51, 25, 1 },
21790+#else
21791 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
21792 { 128, 103, 76, 51, 25, 1 },
21793 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
21794 { 32, 26, 20, 14, 7, 1 },
21795+#endif
21796 #if 0
21797 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
21798 { 2048, 1638, 1231, 819, 411, 1 },
21799@@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
21800 #include <linux/sysctl.h>
21801
21802 static int min_read_thresh = 8, min_write_thresh;
21803-static int max_read_thresh = INPUT_POOL_WORDS * 32;
21804+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
21805 static int max_write_thresh = INPUT_POOL_WORDS * 32;
21806 static char sysctl_bootid[16];
21807
21808diff -urNp linux-2.6.32.9/drivers/char/sonypi.c linux-2.6.32.9/drivers/char/sonypi.c
21809--- linux-2.6.32.9/drivers/char/sonypi.c 2010-02-09 07:57:19.000000000 -0500
21810+++ linux-2.6.32.9/drivers/char/sonypi.c 2010-02-23 17:09:53.176362503 -0500
21811@@ -491,7 +491,7 @@ static struct sonypi_device {
21812 spinlock_t fifo_lock;
21813 wait_queue_head_t fifo_proc_list;
21814 struct fasync_struct *fifo_async;
21815- int open_count;
21816+ atomic_t open_count;
21817 int model;
21818 struct input_dev *input_jog_dev;
21819 struct input_dev *input_key_dev;
21820@@ -895,7 +895,7 @@ static int sonypi_misc_fasync(int fd, st
21821 static int sonypi_misc_release(struct inode *inode, struct file *file)
21822 {
21823 mutex_lock(&sonypi_device.lock);
21824- sonypi_device.open_count--;
21825+ atomic_dec(&sonypi_device.open_count);
21826 mutex_unlock(&sonypi_device.lock);
21827 return 0;
21828 }
21829@@ -905,9 +905,9 @@ static int sonypi_misc_open(struct inode
21830 lock_kernel();
21831 mutex_lock(&sonypi_device.lock);
21832 /* Flush input queue on first open */
21833- if (!sonypi_device.open_count)
21834+ if (!atomic_read(&sonypi_device.open_count))
21835 kfifo_reset(sonypi_device.fifo);
21836- sonypi_device.open_count++;
21837+ atomic_inc(&sonypi_device.open_count);
21838 mutex_unlock(&sonypi_device.lock);
21839 unlock_kernel();
21840 return 0;
21841diff -urNp linux-2.6.32.9/drivers/char/tpm/tpm_bios.c linux-2.6.32.9/drivers/char/tpm/tpm_bios.c
21842--- linux-2.6.32.9/drivers/char/tpm/tpm_bios.c 2010-02-09 07:57:19.000000000 -0500
21843+++ linux-2.6.32.9/drivers/char/tpm/tpm_bios.c 2010-02-23 17:09:53.176362503 -0500
21844@@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
21845 event = addr;
21846
21847 if ((event->event_type == 0 && event->event_size == 0) ||
21848- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
21849+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
21850 return NULL;
21851
21852 return addr;
21853@@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
21854 return NULL;
21855
21856 if ((event->event_type == 0 && event->event_size == 0) ||
21857- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
21858+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
21859 return NULL;
21860
21861 (*pos)++;
21862@@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
21863 int i;
21864
21865 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
21866- seq_putc(m, data[i]);
21867+ if (!seq_putc(m, data[i]))
21868+ return -EFAULT;
21869
21870 return 0;
21871 }
21872@@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
21873 log->bios_event_log_end = log->bios_event_log + len;
21874
21875 virt = acpi_os_map_memory(start, len);
21876+ if (!virt) {
21877+ kfree(log->bios_event_log);
21878+ log->bios_event_log = NULL;
21879+ return -EFAULT;
21880+ }
21881
21882 memcpy(log->bios_event_log, virt, len);
21883
21884diff -urNp linux-2.6.32.9/drivers/char/tty_io.c linux-2.6.32.9/drivers/char/tty_io.c
21885--- linux-2.6.32.9/drivers/char/tty_io.c 2010-02-23 17:04:12.063589634 -0500
21886+++ linux-2.6.32.9/drivers/char/tty_io.c 2010-02-23 17:09:53.176362503 -0500
21887@@ -136,21 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
21888 DEFINE_MUTEX(tty_mutex);
21889 EXPORT_SYMBOL(tty_mutex);
21890
21891-static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
21892-static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
21893 ssize_t redirected_tty_write(struct file *, const char __user *,
21894 size_t, loff_t *);
21895-static unsigned int tty_poll(struct file *, poll_table *);
21896 static int tty_open(struct inode *, struct file *);
21897-static int tty_release(struct inode *, struct file *);
21898 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
21899-#ifdef CONFIG_COMPAT
21900-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
21901- unsigned long arg);
21902-#else
21903-#define tty_compat_ioctl NULL
21904-#endif
21905-static int tty_fasync(int fd, struct file *filp, int on);
21906 static void release_tty(struct tty_struct *tty, int idx);
21907 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
21908 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
21909@@ -870,7 +859,7 @@ EXPORT_SYMBOL(start_tty);
21910 * read calls may be outstanding in parallel.
21911 */
21912
21913-static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
21914+ssize_t tty_read(struct file *file, char __user *buf, size_t count,
21915 loff_t *ppos)
21916 {
21917 int i;
21918@@ -898,6 +887,8 @@ static ssize_t tty_read(struct file *fil
21919 return i;
21920 }
21921
21922+EXPORT_SYMBOL(tty_read);
21923+
21924 void tty_write_unlock(struct tty_struct *tty)
21925 {
21926 mutex_unlock(&tty->atomic_write_lock);
21927@@ -1045,7 +1036,7 @@ void tty_write_message(struct tty_struct
21928 * write method will not be invoked in parallel for each device.
21929 */
21930
21931-static ssize_t tty_write(struct file *file, const char __user *buf,
21932+ssize_t tty_write(struct file *file, const char __user *buf,
21933 size_t count, loff_t *ppos)
21934 {
21935 struct tty_struct *tty;
21936@@ -1072,6 +1063,8 @@ static ssize_t tty_write(struct file *fi
21937 return ret;
21938 }
21939
21940+EXPORT_SYMBOL(tty_write);
21941+
21942 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
21943 size_t count, loff_t *ppos)
21944 {
21945@@ -1865,7 +1858,7 @@ static int tty_open(struct inode *inode,
21946 * Takes bkl. See tty_release_dev
21947 */
21948
21949-static int tty_release(struct inode *inode, struct file *filp)
21950+int tty_release(struct inode *inode, struct file *filp)
21951 {
21952 lock_kernel();
21953 tty_release_dev(filp);
21954@@ -1873,6 +1866,8 @@ static int tty_release(struct inode *ino
21955 return 0;
21956 }
21957
21958+EXPORT_SYMBOL(tty_release);
21959+
21960 /**
21961 * tty_poll - check tty status
21962 * @filp: file being polled
21963@@ -1885,7 +1880,7 @@ static int tty_release(struct inode *ino
21964 * may be re-entered freely by other callers.
21965 */
21966
21967-static unsigned int tty_poll(struct file *filp, poll_table *wait)
21968+unsigned int tty_poll(struct file *filp, poll_table *wait)
21969 {
21970 struct tty_struct *tty;
21971 struct tty_ldisc *ld;
21972@@ -1902,7 +1897,9 @@ static unsigned int tty_poll(struct file
21973 return ret;
21974 }
21975
21976-static int tty_fasync(int fd, struct file *filp, int on)
21977+EXPORT_SYMBOL(tty_poll);
21978+
21979+int tty_fasync(int fd, struct file *filp, int on)
21980 {
21981 struct tty_struct *tty;
21982 unsigned long flags;
21983@@ -1946,6 +1943,8 @@ out:
21984 return retval;
21985 }
21986
21987+EXPORT_SYMBOL(tty_fasync);
21988+
21989 /**
21990 * tiocsti - fake input character
21991 * @tty: tty to fake input into
21992@@ -2580,8 +2579,10 @@ long tty_ioctl(struct file *file, unsign
21993 return retval;
21994 }
21995
21996+EXPORT_SYMBOL(tty_ioctl);
21997+
21998 #ifdef CONFIG_COMPAT
21999-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22000+long tty_compat_ioctl(struct file *file, unsigned int cmd,
22001 unsigned long arg)
22002 {
22003 struct inode *inode = file->f_dentry->d_inode;
22004@@ -2605,6 +2606,8 @@ static long tty_compat_ioctl(struct file
22005
22006 return retval;
22007 }
22008+
22009+EXPORT_SYMBOL(tty_compat_ioctl);
22010 #endif
22011
22012 /*
22013@@ -3048,11 +3051,6 @@ struct tty_struct *get_current_tty(void)
22014 }
22015 EXPORT_SYMBOL_GPL(get_current_tty);
22016
22017-void tty_default_fops(struct file_operations *fops)
22018-{
22019- *fops = tty_fops;
22020-}
22021-
22022 /*
22023 * Initialize the console device. This is called *early*, so
22024 * we can't necessarily depend on lots of kernel help here.
22025diff -urNp linux-2.6.32.9/drivers/char/tty_ldisc.c linux-2.6.32.9/drivers/char/tty_ldisc.c
22026--- linux-2.6.32.9/drivers/char/tty_ldisc.c 2010-02-09 07:57:19.000000000 -0500
22027+++ linux-2.6.32.9/drivers/char/tty_ldisc.c 2010-02-23 17:09:53.176362503 -0500
22028@@ -73,7 +73,7 @@ static void put_ldisc(struct tty_ldisc *
22029 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
22030 struct tty_ldisc_ops *ldo = ld->ops;
22031
22032- ldo->refcount--;
22033+ atomic_dec(&ldo->refcount);
22034 module_put(ldo->owner);
22035 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22036
22037@@ -107,7 +107,7 @@ int tty_register_ldisc(int disc, struct
22038 spin_lock_irqsave(&tty_ldisc_lock, flags);
22039 tty_ldiscs[disc] = new_ldisc;
22040 new_ldisc->num = disc;
22041- new_ldisc->refcount = 0;
22042+ atomic_set(&new_ldisc->refcount, 0);
22043 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22044
22045 return ret;
22046@@ -135,7 +135,7 @@ int tty_unregister_ldisc(int disc)
22047 return -EINVAL;
22048
22049 spin_lock_irqsave(&tty_ldisc_lock, flags);
22050- if (tty_ldiscs[disc]->refcount)
22051+ if (atomic_read(&tty_ldiscs[disc]->refcount))
22052 ret = -EBUSY;
22053 else
22054 tty_ldiscs[disc] = NULL;
22055@@ -156,7 +156,7 @@ static struct tty_ldisc_ops *get_ldops(i
22056 if (ldops) {
22057 ret = ERR_PTR(-EAGAIN);
22058 if (try_module_get(ldops->owner)) {
22059- ldops->refcount++;
22060+ atomic_inc(&ldops->refcount);
22061 ret = ldops;
22062 }
22063 }
22064@@ -169,7 +169,7 @@ static void put_ldops(struct tty_ldisc_o
22065 unsigned long flags;
22066
22067 spin_lock_irqsave(&tty_ldisc_lock, flags);
22068- ldops->refcount--;
22069+ atomic_dec(&ldops->refcount);
22070 module_put(ldops->owner);
22071 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22072 }
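Review bot: Nothing in these hunks says why `refcount` becomes an `atomic_t`, and the updates shown in `put_ldisc`, `tty_register_ldisc`, `tty_unregister_ldisc` and `put_ldops` already run with `tty_ldisc_lock` held, so atomicity is not the reason. If the aim is overflow checking on the increment, which is presumably why the DRM statistics counters elsewhere in this patch use the `_unchecked` variants, a comment at the field should say so, e.g. `/* atomic_t so that overflow is caught; still serialised by tty_ldisc_lock */`. The field declaration and the locking in `get_ldops` are outside these hunks and should be confirmed there. The same conversion in `ttm_global.c`, where the ref and unref paths sit under `item->mutex`, would benefit from the same comment.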
22073diff -urNp linux-2.6.32.9/drivers/char/virtio_console.c linux-2.6.32.9/drivers/char/virtio_console.c
22074--- linux-2.6.32.9/drivers/char/virtio_console.c 2010-02-09 07:57:19.000000000 -0500
22075+++ linux-2.6.32.9/drivers/char/virtio_console.c 2010-02-23 17:09:53.176362503 -0500
22076@@ -44,6 +44,7 @@ static unsigned int in_len;
22077 static char *in, *inbuf;
22078
22079 /* The operations for our console. */
22080+/* cannot be const */
22081 static struct hv_ops virtio_cons;
22082
22083 /* The hvc device */
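Review bot: The added comment `/* cannot be const */` states the constraint on `virtio_cons` but not the reason, so a later constification pass has nothing to check it against. Presumably the members are assigned at run time in code outside this hunk; if so, a comment such as `/* cannot be const: members are assigned at run time */` would make that explicit.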
22084diff -urNp linux-2.6.32.9/drivers/char/vt_ioctl.c linux-2.6.32.9/drivers/char/vt_ioctl.c
22085--- linux-2.6.32.9/drivers/char/vt_ioctl.c 2010-02-09 07:57:19.000000000 -0500
22086+++ linux-2.6.32.9/drivers/char/vt_ioctl.c 2010-02-23 17:09:53.176362503 -0500
22087@@ -226,6 +226,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
22088 case KDSKBENT:
22089 if (!perm)
22090 return -EPERM;
22091+
22092+#ifdef CONFIG_GRKERNSEC
22093+ if (!capable(CAP_SYS_TTY_CONFIG))
22094+ return -EPERM;
22095+#endif
22096+
22097 if (!i && v == K_NOSUCHMAP) {
22098 /* deallocate map */
22099 key_map = key_maps[s];
22100@@ -366,6 +372,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
22101 goto reterr;
22102 }
22103
22104+#ifdef CONFIG_GRKERNSEC
22105+ if (!capable(CAP_SYS_TTY_CONFIG)) {
22106+ ret = -EPERM;
22107+ goto reterr;
22108+ }
22109+#endif
22110+
22111 q = func_table[i];
22112 first_free = funcbufptr + (funcbufsize - funcbufleft);
22113 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
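Review bot: The two added `capable(CAP_SYS_TTY_CONFIG)` tests sit directly after the existing `perm` tests, in the `KDSKBENT` case and in `do_kdgkb_ioctl`, but carry no comment saying why `perm` alone is no longer enough. How `perm` is computed is outside these hunks; presumably it also admits the owner of the terminal, which would be the case this closes, since a changed key map or function-key string stays in effect for whoever uses the console next. A one-line comment above each block, such as `/* key maps outlive the session: require the capability even when perm is set */`, would keep the check from being mistaken for a duplicate and removed. Both functions continue outside the hunks.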
22114diff -urNp linux-2.6.32.9/drivers/cpufreq/cpufreq.c linux-2.6.32.9/drivers/cpufreq/cpufreq.c
22115--- linux-2.6.32.9/drivers/cpufreq/cpufreq.c 2010-02-09 07:57:19.000000000 -0500
22116+++ linux-2.6.32.9/drivers/cpufreq/cpufreq.c 2010-02-23 17:09:53.176362503 -0500
22117@@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
22118 complete(&policy->kobj_unregister);
22119 }
22120
22121-static struct sysfs_ops sysfs_ops = {
22122+static const struct sysfs_ops sysfs_ops = {
22123 .show = show,
22124 .store = store,
22125 };
22126diff -urNp linux-2.6.32.9/drivers/cpuidle/sysfs.c linux-2.6.32.9/drivers/cpuidle/sysfs.c
22127--- linux-2.6.32.9/drivers/cpuidle/sysfs.c 2010-02-09 07:57:19.000000000 -0500
22128+++ linux-2.6.32.9/drivers/cpuidle/sysfs.c 2010-02-23 17:09:53.176362503 -0500
22129@@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
22130 return ret;
22131 }
22132
22133-static struct sysfs_ops cpuidle_sysfs_ops = {
22134+static const struct sysfs_ops cpuidle_sysfs_ops = {
22135 .show = cpuidle_show,
22136 .store = cpuidle_store,
22137 };
22138@@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
22139 return ret;
22140 }
22141
22142-static struct sysfs_ops cpuidle_state_sysfs_ops = {
22143+static const struct sysfs_ops cpuidle_state_sysfs_ops = {
22144 .show = cpuidle_state_show,
22145 };
22146
22147diff -urNp linux-2.6.32.9/drivers/dma/ioat/dma.c linux-2.6.32.9/drivers/dma/ioat/dma.c
22148--- linux-2.6.32.9/drivers/dma/ioat/dma.c 2010-02-09 07:57:19.000000000 -0500
22149+++ linux-2.6.32.9/drivers/dma/ioat/dma.c 2010-02-23 17:09:53.176362503 -0500
22150@@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
22151 return entry->show(&chan->common, page);
22152 }
22153
22154-struct sysfs_ops ioat_sysfs_ops = {
22155+const struct sysfs_ops ioat_sysfs_ops = {
22156 .show = ioat_attr_show,
22157 };
22158
22159diff -urNp linux-2.6.32.9/drivers/dma/ioat/dma.h linux-2.6.32.9/drivers/dma/ioat/dma.h
22160--- linux-2.6.32.9/drivers/dma/ioat/dma.h 2010-02-09 07:57:19.000000000 -0500
22161+++ linux-2.6.32.9/drivers/dma/ioat/dma.h 2010-02-23 17:09:53.176362503 -0500
22162@@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
22163 unsigned long *phys_complete);
22164 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
22165 void ioat_kobject_del(struct ioatdma_device *device);
22166-extern struct sysfs_ops ioat_sysfs_ops;
22167+extern const struct sysfs_ops ioat_sysfs_ops;
22168 extern struct ioat_sysfs_entry ioat_version_attr;
22169 extern struct ioat_sysfs_entry ioat_cap_attr;
22170 #endif /* IOATDMA_H */
22171diff -urNp linux-2.6.32.9/drivers/edac/edac_core.h linux-2.6.32.9/drivers/edac/edac_core.h
22172--- linux-2.6.32.9/drivers/edac/edac_core.h 2010-02-09 07:57:19.000000000 -0500
22173+++ linux-2.6.32.9/drivers/edac/edac_core.h 2010-02-23 17:09:53.176362503 -0500
22174@@ -99,11 +99,11 @@ extern int edac_debug_level;
22175
22176 #else /* !CONFIG_EDAC_DEBUG */
22177
22178-#define debugf0( ... )
22179-#define debugf1( ... )
22180-#define debugf2( ... )
22181-#define debugf3( ... )
22182-#define debugf4( ... )
22183+#define debugf0( ... ) do {} while (0)
22184+#define debugf1( ... ) do {} while (0)
22185+#define debugf2( ... ) do {} while (0)
22186+#define debugf3( ... ) do {} while (0)
22187+#define debugf4( ... ) do {} while (0)
22188
22189 #endif /* !CONFIG_EDAC_DEBUG */
22190
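Review bot: The replacement stubs `do {} while (0)` still throw their arguments away, so in a build without `CONFIG_EDAC_DEBUG` a `debugfN()` call with a mismatched format string or a stale variable name is never checked by the compiler. Assuming every call passes a format string first, keeping the arguments behind a dead branch, `#define debugf0(...) do { if (0) printk(__VA_ARGS__); } while (0)` and likewise for `debugf1` to `debugf4`, costs nothing at run time and keeps those calls checked. A one-line comment saying that the stubs expand to a statement so that `if (x) debugf0(...);` keeps a body would also explain the change.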
22191diff -urNp linux-2.6.32.9/drivers/edac/edac_device_sysfs.c linux-2.6.32.9/drivers/edac/edac_device_sysfs.c
22192--- linux-2.6.32.9/drivers/edac/edac_device_sysfs.c 2010-02-09 07:57:19.000000000 -0500
22193+++ linux-2.6.32.9/drivers/edac/edac_device_sysfs.c 2010-02-23 17:09:53.176362503 -0500
22194@@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
22195 }
22196
22197 /* edac_dev file operations for an 'ctl_info' */
22198-static struct sysfs_ops device_ctl_info_ops = {
22199+static const struct sysfs_ops device_ctl_info_ops = {
22200 .show = edac_dev_ctl_info_show,
22201 .store = edac_dev_ctl_info_store
22202 };
22203@@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
22204 }
22205
22206 /* edac_dev file operations for an 'instance' */
22207-static struct sysfs_ops device_instance_ops = {
22208+static const struct sysfs_ops device_instance_ops = {
22209 .show = edac_dev_instance_show,
22210 .store = edac_dev_instance_store
22211 };
22212@@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
22213 }
22214
22215 /* edac_dev file operations for a 'block' */
22216-static struct sysfs_ops device_block_ops = {
22217+static const struct sysfs_ops device_block_ops = {
22218 .show = edac_dev_block_show,
22219 .store = edac_dev_block_store
22220 };
22221diff -urNp linux-2.6.32.9/drivers/edac/edac_mc_sysfs.c linux-2.6.32.9/drivers/edac/edac_mc_sysfs.c
22222--- linux-2.6.32.9/drivers/edac/edac_mc_sysfs.c 2010-02-09 07:57:19.000000000 -0500
22223+++ linux-2.6.32.9/drivers/edac/edac_mc_sysfs.c 2010-02-23 17:09:53.176362503 -0500
22224@@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
22225 return -EIO;
22226 }
22227
22228-static struct sysfs_ops csrowfs_ops = {
22229+static const struct sysfs_ops csrowfs_ops = {
22230 .show = csrowdev_show,
22231 .store = csrowdev_store
22232 };
22233@@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
22234 }
22235
22236 /* Intermediate show/store table */
22237-static struct sysfs_ops mci_ops = {
22238+static const struct sysfs_ops mci_ops = {
22239 .show = mcidev_show,
22240 .store = mcidev_store
22241 };
22242diff -urNp linux-2.6.32.9/drivers/edac/edac_pci_sysfs.c linux-2.6.32.9/drivers/edac/edac_pci_sysfs.c
22243--- linux-2.6.32.9/drivers/edac/edac_pci_sysfs.c 2010-02-09 07:57:19.000000000 -0500
22244+++ linux-2.6.32.9/drivers/edac/edac_pci_sysfs.c 2010-02-23 17:09:53.180370058 -0500
22245@@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
22246 }
22247
22248 /* fs_ops table */
22249-static struct sysfs_ops pci_instance_ops = {
22250+static const struct sysfs_ops pci_instance_ops = {
22251 .show = edac_pci_instance_show,
22252 .store = edac_pci_instance_store
22253 };
22254@@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
22255 return -EIO;
22256 }
22257
22258-static struct sysfs_ops edac_pci_sysfs_ops = {
22259+static const struct sysfs_ops edac_pci_sysfs_ops = {
22260 .show = edac_pci_dev_show,
22261 .store = edac_pci_dev_store
22262 };
22263diff -urNp linux-2.6.32.9/drivers/firmware/dmi_scan.c linux-2.6.32.9/drivers/firmware/dmi_scan.c
22264--- linux-2.6.32.9/drivers/firmware/dmi_scan.c 2010-02-09 07:57:19.000000000 -0500
22265+++ linux-2.6.32.9/drivers/firmware/dmi_scan.c 2010-02-23 17:09:53.180370058 -0500
22266@@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
22267 }
22268 }
22269 else {
22270- /*
22271- * no iounmap() for that ioremap(); it would be a no-op, but
22272- * it's so early in setup that sucker gets confused into doing
22273- * what it shouldn't if we actually call it.
22274- */
22275 p = dmi_ioremap(0xF0000, 0x10000);
22276 if (p == NULL)
22277 goto error;
22278diff -urNp linux-2.6.32.9/drivers/firmware/edd.c linux-2.6.32.9/drivers/firmware/edd.c
22279--- linux-2.6.32.9/drivers/firmware/edd.c 2010-02-09 07:57:19.000000000 -0500
22280+++ linux-2.6.32.9/drivers/firmware/edd.c 2010-02-23 17:09:53.180370058 -0500
22281@@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
22282 return ret;
22283 }
22284
22285-static struct sysfs_ops edd_attr_ops = {
22286+static const struct sysfs_ops edd_attr_ops = {
22287 .show = edd_attr_show,
22288 };
22289
22290diff -urNp linux-2.6.32.9/drivers/firmware/efivars.c linux-2.6.32.9/drivers/firmware/efivars.c
22291--- linux-2.6.32.9/drivers/firmware/efivars.c 2010-02-09 07:57:19.000000000 -0500
22292+++ linux-2.6.32.9/drivers/firmware/efivars.c 2010-02-23 17:09:53.180370058 -0500
22293@@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
22294 return ret;
22295 }
22296
22297-static struct sysfs_ops efivar_attr_ops = {
22298+static const struct sysfs_ops efivar_attr_ops = {
22299 .show = efivar_attr_show,
22300 .store = efivar_attr_store,
22301 };
22302diff -urNp linux-2.6.32.9/drivers/firmware/iscsi_ibft.c linux-2.6.32.9/drivers/firmware/iscsi_ibft.c
22303--- linux-2.6.32.9/drivers/firmware/iscsi_ibft.c 2010-02-09 07:57:19.000000000 -0500
22304+++ linux-2.6.32.9/drivers/firmware/iscsi_ibft.c 2010-02-23 17:09:53.180370058 -0500
22305@@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
22306 return ret;
22307 }
22308
22309-static struct sysfs_ops ibft_attr_ops = {
22310+static const struct sysfs_ops ibft_attr_ops = {
22311 .show = ibft_show_attribute,
22312 };
22313
22314diff -urNp linux-2.6.32.9/drivers/firmware/memmap.c linux-2.6.32.9/drivers/firmware/memmap.c
22315--- linux-2.6.32.9/drivers/firmware/memmap.c 2010-02-09 07:57:19.000000000 -0500
22316+++ linux-2.6.32.9/drivers/firmware/memmap.c 2010-02-23 17:09:53.180370058 -0500
22317@@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
22318 NULL
22319 };
22320
22321-static struct sysfs_ops memmap_attr_ops = {
22322+static const struct sysfs_ops memmap_attr_ops = {
22323 .show = memmap_attr_show,
22324 };
22325
22326diff -urNp linux-2.6.32.9/drivers/gpu/drm/drm_drv.c linux-2.6.32.9/drivers/gpu/drm/drm_drv.c
22327--- linux-2.6.32.9/drivers/gpu/drm/drm_drv.c 2010-02-09 07:57:19.000000000 -0500
22328+++ linux-2.6.32.9/drivers/gpu/drm/drm_drv.c 2010-02-23 17:09:53.180370058 -0500
22329@@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
22330 char *kdata = NULL;
22331
22332 atomic_inc(&dev->ioctl_count);
22333- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
22334+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
22335 ++file_priv->ioctl_count;
22336
22337 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
22338diff -urNp linux-2.6.32.9/drivers/gpu/drm/drm_fops.c linux-2.6.32.9/drivers/gpu/drm/drm_fops.c
22339--- linux-2.6.32.9/drivers/gpu/drm/drm_fops.c 2010-02-09 07:57:19.000000000 -0500
22340+++ linux-2.6.32.9/drivers/gpu/drm/drm_fops.c 2010-02-23 17:09:53.180370058 -0500
22341@@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
22342 }
22343
22344 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
22345- atomic_set(&dev->counts[i], 0);
22346+ atomic_set_unchecked(&dev->counts[i], 0);
22347
22348 dev->sigdata.lock = NULL;
22349
22350@@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
22351
22352 retcode = drm_open_helper(inode, filp, dev);
22353 if (!retcode) {
22354- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
22355+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
22356 spin_lock(&dev->count_lock);
22357- if (!dev->open_count++) {
22358+ if (atomic_inc_return(&dev->open_count) == 1) {
22359 spin_unlock(&dev->count_lock);
22360 retcode = drm_setup(dev);
22361 goto out;
22362@@ -433,7 +433,7 @@ int drm_release(struct inode *inode, str
22363
22364 lock_kernel();
22365
22366- DRM_DEBUG("open_count = %d\n", dev->open_count);
22367+ DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
22368
22369 if (dev->driver->preclose)
22370 dev->driver->preclose(dev, file_priv);
22371@@ -445,7 +445,7 @@ int drm_release(struct inode *inode, str
22372 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
22373 task_pid_nr(current),
22374 (long)old_encode_dev(file_priv->minor->device),
22375- dev->open_count);
22376+ atomic_read(&dev->open_count));
22377
22378 /* if the master has gone away we can't do anything with the lock */
22379 if (file_priv->minor->master)
22380@@ -522,9 +522,9 @@ int drm_release(struct inode *inode, str
22381 * End inline drm_release
22382 */
22383
22384- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
22385+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
22386 spin_lock(&dev->count_lock);
22387- if (!--dev->open_count) {
22388+ if (atomic_dec_and_test(&dev->open_count)) {
22389 if (atomic_read(&dev->ioctl_count)) {
22390 DRM_ERROR("Device busy: %d\n",
22391 atomic_read(&dev->ioctl_count));
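Review bot: `open_count` is converted to the checked atomic operations while the `counts[]` statistics beside it go to the `_unchecked` variants, and the patch leaves the reason for the split unstated. From the code shown, `open_count` decides when `drm_setup` runs and when the last-close branch is taken, so a wrapped value would matter. The statistics are only reported (see `drm_getstats`) and may wrap harmlessly, and a short comment at the two fields saying so would help whoever adds the next counter pick the right variant. Both `open_count` updates still happen under `dev->count_lock`, so the lock, not the atomic type, provides the ordering. Any other user of `dev->open_count` outside these hunks needs the atomic accessors as well.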
22392diff -urNp linux-2.6.32.9/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.9/drivers/gpu/drm/drm_ioctl.c
22393--- linux-2.6.32.9/drivers/gpu/drm/drm_ioctl.c 2010-02-09 07:57:19.000000000 -0500
22394+++ linux-2.6.32.9/drivers/gpu/drm/drm_ioctl.c 2010-02-23 17:09:53.180370058 -0500
22395@@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
22396 stats->data[i].value =
22397 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
22398 else
22399- stats->data[i].value = atomic_read(&dev->counts[i]);
22400+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
22401 stats->data[i].type = dev->types[i];
22402 }
22403
22404diff -urNp linux-2.6.32.9/drivers/gpu/drm/drm_lock.c linux-2.6.32.9/drivers/gpu/drm/drm_lock.c
22405--- linux-2.6.32.9/drivers/gpu/drm/drm_lock.c 2010-02-09 07:57:19.000000000 -0500
22406+++ linux-2.6.32.9/drivers/gpu/drm/drm_lock.c 2010-02-23 17:09:53.180370058 -0500
22407@@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
22408 if (drm_lock_take(&master->lock, lock->context)) {
22409 master->lock.file_priv = file_priv;
22410 master->lock.lock_time = jiffies;
22411- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
22412+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
22413 break; /* Got lock */
22414 }
22415
22416@@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
22417 return -EINVAL;
22418 }
22419
22420- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
22421+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
22422
22423 /* kernel_context_switch isn't used by any of the x86 drm
22424 * modules but is required by the Sparc driver.
22425diff -urNp linux-2.6.32.9/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.9/drivers/gpu/drm/i810/i810_dma.c
22426--- linux-2.6.32.9/drivers/gpu/drm/i810/i810_dma.c 2010-02-09 07:57:19.000000000 -0500
22427+++ linux-2.6.32.9/drivers/gpu/drm/i810/i810_dma.c 2010-02-23 17:09:53.180370058 -0500
22428@@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
22429 dma->buflist[vertex->idx],
22430 vertex->discard, vertex->used);
22431
22432- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22433- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22434+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22435+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22436 sarea_priv->last_enqueue = dev_priv->counter - 1;
22437 sarea_priv->last_dispatch = (int)hw_status[5];
22438
22439@@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
22440 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
22441 mc->last_render);
22442
22443- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22444- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22445+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22446+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22447 sarea_priv->last_enqueue = dev_priv->counter - 1;
22448 sarea_priv->last_dispatch = (int)hw_status[5];
22449
22450diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7017.c
22451--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7017.c 2010-02-09 07:57:19.000000000 -0500
22452+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7017.c 2010-02-23 17:09:53.180370058 -0500
22453@@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
22454 }
22455 }
22456
22457-struct intel_dvo_dev_ops ch7017_ops = {
22458+const struct intel_dvo_dev_ops ch7017_ops = {
22459 .init = ch7017_init,
22460 .detect = ch7017_detect,
22461 .mode_valid = ch7017_mode_valid,
22462diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7xxx.c
22463--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-02-09 07:57:19.000000000 -0500
22464+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-02-23 17:09:53.180370058 -0500
22465@@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
22466 }
22467 }
22468
22469-struct intel_dvo_dev_ops ch7xxx_ops = {
22470+const struct intel_dvo_dev_ops ch7xxx_ops = {
22471 .init = ch7xxx_init,
22472 .detect = ch7xxx_detect,
22473 .mode_valid = ch7xxx_mode_valid,
22474diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo.h linux-2.6.32.9/drivers/gpu/drm/i915/dvo.h
22475--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo.h 2010-02-09 07:57:19.000000000 -0500
22476+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo.h 2010-02-23 17:09:53.180370058 -0500
22477@@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
22478 *
22479 * \return singly-linked list of modes or NULL if no modes found.
22480 */
22481- struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
22482+ struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
22483
22484 /**
22485 * Clean up driver-specific bits of the output
22486 */
22487- void (*destroy) (struct intel_dvo_device *dvo);
22488+ void (* const destroy) (struct intel_dvo_device *dvo);
22489
22490 /**
22491 * Debugging hook to dump device registers to log file
22492 */
22493- void (*dump_regs)(struct intel_dvo_device *dvo);
22494+ void (* const dump_regs)(struct intel_dvo_device *dvo);
22495 };
22496
22497-extern struct intel_dvo_dev_ops sil164_ops;
22498-extern struct intel_dvo_dev_ops ch7xxx_ops;
22499-extern struct intel_dvo_dev_ops ivch_ops;
22500-extern struct intel_dvo_dev_ops tfp410_ops;
22501-extern struct intel_dvo_dev_ops ch7017_ops;
22502+extern const struct intel_dvo_dev_ops sil164_ops;
22503+extern const struct intel_dvo_dev_ops ch7xxx_ops;
22504+extern const struct intel_dvo_dev_ops ivch_ops;
22505+extern const struct intel_dvo_dev_ops tfp410_ops;
22506+extern const struct intel_dvo_dev_ops ch7017_ops;
22507
22508 #endif /* _INTEL_DVO_H */
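Review bot: Only `get_modes`, `destroy` and `dump_regs` gain a `* const` qualifier in this hunk. The hunk starts inside `struct intel_dvo_dev_ops`, so whether the earlier members such as `init` and `detect` are qualified too cannot be seen here, and if they are not the struct is inconsistent. Since every instance declared below is now `const struct intel_dvo_dev_ops`, the per-member qualifier adds no protection for those objects. I would either qualify every member or drop the member-level `const` and rely on the `extern const` declarations.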
22509diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ivch.c
22510--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ivch.c 2010-02-09 07:57:19.000000000 -0500
22511+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo_ivch.c 2010-02-23 17:09:53.180370058 -0500
22512@@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
22513 }
22514 }
22515
22516-struct intel_dvo_dev_ops ivch_ops= {
22517+const struct intel_dvo_dev_ops ivch_ops= {
22518 .init = ivch_init,
22519 .dpms = ivch_dpms,
22520 .save = ivch_save,
22521diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.9/drivers/gpu/drm/i915/dvo_sil164.c
22522--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo_sil164.c 2010-02-09 07:57:19.000000000 -0500
22523+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo_sil164.c 2010-02-23 17:09:53.180370058 -0500
22524@@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
22525 }
22526 }
22527
22528-struct intel_dvo_dev_ops sil164_ops = {
22529+const struct intel_dvo_dev_ops sil164_ops = {
22530 .init = sil164_init,
22531 .detect = sil164_detect,
22532 .mode_valid = sil164_mode_valid,
22533diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.9/drivers/gpu/drm/i915/dvo_tfp410.c
22534--- linux-2.6.32.9/drivers/gpu/drm/i915/dvo_tfp410.c 2010-02-09 07:57:19.000000000 -0500
22535+++ linux-2.6.32.9/drivers/gpu/drm/i915/dvo_tfp410.c 2010-02-23 17:09:53.180370058 -0500
22536@@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
22537 }
22538 }
22539
22540-struct intel_dvo_dev_ops tfp410_ops = {
22541+const struct intel_dvo_dev_ops tfp410_ops = {
22542 .init = tfp410_init,
22543 .detect = tfp410_detect,
22544 .mode_valid = tfp410_mode_valid,
22545diff -urNp linux-2.6.32.9/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.9/drivers/gpu/drm/i915/i915_drv.c
22546--- linux-2.6.32.9/drivers/gpu/drm/i915/i915_drv.c 2010-02-09 07:57:19.000000000 -0500
22547+++ linux-2.6.32.9/drivers/gpu/drm/i915/i915_drv.c 2010-02-23 17:09:53.180370058 -0500
22548@@ -284,7 +284,7 @@ i915_pci_resume(struct pci_dev *pdev)
22549 return i915_resume(dev);
22550 }
22551
22552-static struct vm_operations_struct i915_gem_vm_ops = {
22553+static const struct vm_operations_struct i915_gem_vm_ops = {
22554 .fault = i915_gem_fault,
22555 .open = drm_gem_vm_open,
22556 .close = drm_gem_vm_close,
22557diff -urNp linux-2.6.32.9/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.9/drivers/gpu/drm/radeon/mkregtable.c
22558--- linux-2.6.32.9/drivers/gpu/drm/radeon/mkregtable.c 2010-02-09 07:57:19.000000000 -0500
22559+++ linux-2.6.32.9/drivers/gpu/drm/radeon/mkregtable.c 2010-02-23 17:09:53.180370058 -0500
22560@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
22561 regex_t mask_rex;
22562 regmatch_t match[4];
22563 char buf[1024];
22564- size_t end;
22565+ long end;
22566 int len;
22567 int done = 0;
22568 int r;
22569 unsigned o;
22570 struct offset *offset;
22571 char last_reg_s[10];
22572- int last_reg;
22573+ unsigned long last_reg;
22574
22575 if (regcomp
22576 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
22577diff -urNp linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_atombios.c
22578--- linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_atombios.c 2010-02-09 07:57:19.000000000 -0500
22579+++ linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_atombios.c 2010-02-23 17:09:53.184132288 -0500
22580@@ -504,13 +504,13 @@ static uint16_t atombios_get_connector_o
22581 }
22582 }
22583
22584-struct bios_connector {
22585+static struct bios_connector {
22586 bool valid;
22587 uint16_t line_mux;
22588 uint16_t devices;
22589 int connector_type;
22590 struct radeon_i2c_bus_rec ddc_bus;
22591-};
22592+} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22593
22594 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
22595 drm_device
22596@@ -526,7 +526,6 @@ bool radeon_get_atom_connector_info_from
22597 uint8_t dac;
22598 union atom_supported_devices *supported_devices;
22599 int i, j;
22600- struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22601
22602 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
22603
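Review bot: Moving `bios_connectors[]` from the stack to a file-scope `static` array makes it state shared by every call of `radeon_get_atom_connector_info_from_supported_devices_table`, so entries written for one device are still there on the next call and two devices probed at the same time would write the same array. The function body is outside the hunk, so whether each entry's `valid` is reset before it is read cannot be confirmed from here. If the move is meant to save kernel stack, clearing the array on entry with `memset(bios_connectors, 0, sizeof(bios_connectors));` removes the stale entries, and allocating it with `kcalloc()` and freeing it on exit also removes the sharing; the static version would otherwise need a lock.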
22604diff -urNp linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_state.c
22605--- linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_state.c 2010-02-09 07:57:19.000000000 -0500
22606+++ linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_state.c 2010-02-23 17:09:53.184132288 -0500
22607@@ -3014,7 +3014,7 @@ static int radeon_cp_getparam(struct drm
22608 {
22609 drm_radeon_private_t *dev_priv = dev->dev_private;
22610 drm_radeon_getparam_t *param = data;
22611- int value;
22612+ int value = 0;
22613
22614 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
22615
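Review bot: `int value = 0;` guarantees that no uninitialised stack word can be reported, presumably to the caller of the ioctl, but it also means a parameter whose case forgets to assign `value` now yields 0 instead of being caught by the compiler's uninitialised-variable warning. The rest of `radeon_cp_getparam` is outside the hunk, so it should be checked that each case either sets `value` or returns an error. A comment on the initialiser, e.g. `/* never return stack contents if a case leaves value unset */`, would record why it is there.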
22616diff -urNp linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_ttm.c
22617--- linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_ttm.c 2010-02-09 07:57:19.000000000 -0500
22618+++ linux-2.6.32.9/drivers/gpu/drm/radeon/radeon_ttm.c 2010-02-23 17:09:53.184132288 -0500
22619@@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
22620 DRM_INFO("radeon: ttm finalized\n");
22621 }
22622
22623-static struct vm_operations_struct radeon_ttm_vm_ops;
22624-static const struct vm_operations_struct *ttm_vm_ops = NULL;
22625-
22626-static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
22627-{
22628- struct ttm_buffer_object *bo;
22629- int r;
22630-
22631- bo = (struct ttm_buffer_object *)vma->vm_private_data;
22632- if (bo == NULL) {
22633- return VM_FAULT_NOPAGE;
22634- }
22635- r = ttm_vm_ops->fault(vma, vmf);
22636- return r;
22637-}
22638-
22639 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
22640 {
22641 struct drm_file *file_priv;
22642 struct radeon_device *rdev;
22643- int r;
22644
22645 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
22646 return drm_mmap(filp, vma);
22647@@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
22648
22649 file_priv = (struct drm_file *)filp->private_data;
22650 rdev = file_priv->minor->dev->dev_private;
22651- if (rdev == NULL) {
22652+ if (!rdev)
22653 return -EINVAL;
22654- }
22655- r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
22656- if (unlikely(r != 0)) {
22657- return r;
22658- }
22659- if (unlikely(ttm_vm_ops == NULL)) {
22660- ttm_vm_ops = vma->vm_ops;
22661- radeon_ttm_vm_ops = *ttm_vm_ops;
22662- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
22663- }
22664- vma->vm_ops = &radeon_ttm_vm_ops;
22665- return 0;
22666+ return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
22667 }
22668
22669
22670diff -urNp linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo.c
22671--- linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo.c 2010-02-09 07:57:19.000000000 -0500
22672+++ linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo.c 2010-02-23 17:09:53.184132288 -0500
22673@@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
22674 NULL
22675 };
22676
22677-static struct sysfs_ops ttm_bo_global_ops = {
22678+static const struct sysfs_ops ttm_bo_global_ops = {
22679 .show = &ttm_bo_global_show
22680 };
22681
22682diff -urNp linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo_vm.c
22683--- linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-02-09 07:57:19.000000000 -0500
22684+++ linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-02-23 17:09:53.184132288 -0500
22685@@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
22686 {
22687 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
22688 vma->vm_private_data;
22689- struct ttm_bo_device *bdev = bo->bdev;
22690+ struct ttm_bo_device *bdev;
22691 unsigned long bus_base;
22692 unsigned long bus_offset;
22693 unsigned long bus_size;
22694@@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
22695 unsigned long address = (unsigned long)vmf->virtual_address;
22696 int retval = VM_FAULT_NOPAGE;
22697
22698+ if (!bo)
22699+ return VM_FAULT_NOPAGE;
22700+ bdev = bo->bdev;
22701+
22702 /*
22703 * Work around locking order reversal in fault / nopfn
22704 * between mmap_sem and bo_reserve: Perform a trylock operation
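Review bot: Returning `VM_FAULT_NOPAGE` when `vma->vm_private_data` is NULL tells the fault core that the handler dealt with the fault although no page was mapped, so the faulting access would presumably be retried and fault again. `return VM_FAULT_SIGBUS;` would fail it definitively. The value is carried over from the `radeon_ttm_fault` wrapper that this patch removes from `radeon_ttm.c`, and moving the check here applies it to every TTM driver, which is worth a comment at the check. `ttm_bo_vm_fault` continues outside the hunk.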
22705diff -urNp linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_global.c
22706--- linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_global.c 2010-02-09 07:57:19.000000000 -0500
22707+++ linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_global.c 2010-02-23 17:09:53.184132288 -0500
22708@@ -36,7 +36,7 @@
22709 struct ttm_global_item {
22710 struct mutex mutex;
22711 void *object;
22712- int refcount;
22713+ atomic_t refcount;
22714 };
22715
22716 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
22717@@ -49,7 +49,7 @@ void ttm_global_init(void)
22718 struct ttm_global_item *item = &glob[i];
22719 mutex_init(&item->mutex);
22720 item->object = NULL;
22721- item->refcount = 0;
22722+ atomic_set(&item->refcount, 0);
22723 }
22724 }
22725
22726@@ -59,7 +59,7 @@ void ttm_global_release(void)
22727 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
22728 struct ttm_global_item *item = &glob[i];
22729 BUG_ON(item->object != NULL);
22730- BUG_ON(item->refcount != 0);
22731+ BUG_ON(atomic_read(&item->refcount) != 0);
22732 }
22733 }
22734
22735@@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
22736 void *object;
22737
22738 mutex_lock(&item->mutex);
22739- if (item->refcount == 0) {
22740+ if (atomic_read(&item->refcount) == 0) {
22741 item->object = kzalloc(ref->size, GFP_KERNEL);
22742 if (unlikely(item->object == NULL)) {
22743 ret = -ENOMEM;
22744@@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
22745 goto out_err;
22746
22747 }
22748- ++item->refcount;
22749+ atomic_inc(&item->refcount);
22750 ref->object = item->object;
22751 object = item->object;
22752 mutex_unlock(&item->mutex);
22753@@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
22754 struct ttm_global_item *item = &glob[ref->global_type];
22755
22756 mutex_lock(&item->mutex);
22757- BUG_ON(item->refcount == 0);
22758+ BUG_ON(atomic_read(&item->refcount) == 0);
22759 BUG_ON(ref->object != item->object);
22760- if (--item->refcount == 0) {
22761+ if (atomic_dec_and_test(&item->refcount)) {
22762 ref->release(ref);
22763 item->object = NULL;
22764 }
22765diff -urNp linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_memory.c
22766--- linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_memory.c 2010-02-09 07:57:19.000000000 -0500
22767+++ linux-2.6.32.9/drivers/gpu/drm/ttm/ttm_memory.c 2010-02-23 17:09:53.184132288 -0500
22768@@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
22769 NULL
22770 };
22771
22772-static struct sysfs_ops ttm_mem_zone_ops = {
22773+static const struct sysfs_ops ttm_mem_zone_ops = {
22774 .show = &ttm_mem_zone_show,
22775 .store = &ttm_mem_zone_store
22776 };
22777diff -urNp linux-2.6.32.9/drivers/gpu/vga/vgaarb.c linux-2.6.32.9/drivers/gpu/vga/vgaarb.c
22778--- linux-2.6.32.9/drivers/gpu/vga/vgaarb.c 2010-02-09 07:57:19.000000000 -0500
22779+++ linux-2.6.32.9/drivers/gpu/vga/vgaarb.c 2010-02-23 17:09:53.184132288 -0500
22780@@ -961,7 +961,7 @@ static ssize_t vga_arb_write(struct file
22781 remaining -= 7;
22782 pr_devel("client 0x%p called 'target'\n", priv);
22783 /* if target is default */
22784- if (!strncmp(buf, "default", 7))
22785+ if (!strncmp(curr_pos, "default", 7))
22786 pdev = pci_dev_get(vga_default_device());
22787 else {
22788 if (!vga_pci_str_to_vars(curr_pos, remaining,
22789diff -urNp linux-2.6.32.9/drivers/hwmon/k8temp.c linux-2.6.32.9/drivers/hwmon/k8temp.c
22790--- linux-2.6.32.9/drivers/hwmon/k8temp.c 2010-02-09 07:57:19.000000000 -0500
22791+++ linux-2.6.32.9/drivers/hwmon/k8temp.c 2010-02-23 17:09:53.184132288 -0500
22792@@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
22793
22794 static struct pci_device_id k8temp_ids[] = {
22795 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
22796- { 0 },
22797+ { 0, 0, 0, 0, 0, 0, 0 },
22798 };
22799
22800 MODULE_DEVICE_TABLE(pci, k8temp_ids);
22801diff -urNp linux-2.6.32.9/drivers/hwmon/sis5595.c linux-2.6.32.9/drivers/hwmon/sis5595.c
22802--- linux-2.6.32.9/drivers/hwmon/sis5595.c 2010-02-09 07:57:19.000000000 -0500
22803+++ linux-2.6.32.9/drivers/hwmon/sis5595.c 2010-02-23 17:09:53.184132288 -0500
22804@@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
22805
22806 static struct pci_device_id sis5595_pci_ids[] = {
22807 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
22808- { 0, }
22809+ { 0, 0, 0, 0, 0, 0, 0 }
22810 };
22811
22812 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
22813diff -urNp linux-2.6.32.9/drivers/hwmon/via686a.c linux-2.6.32.9/drivers/hwmon/via686a.c
22814--- linux-2.6.32.9/drivers/hwmon/via686a.c 2010-02-09 07:57:19.000000000 -0500
22815+++ linux-2.6.32.9/drivers/hwmon/via686a.c 2010-02-23 17:09:53.184132288 -0500
22816@@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
22817
22818 static struct pci_device_id via686a_pci_ids[] = {
22819 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
22820- { 0, }
22821+ { 0, 0, 0, 0, 0, 0, 0 }
22822 };
22823
22824 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
22825diff -urNp linux-2.6.32.9/drivers/hwmon/vt8231.c linux-2.6.32.9/drivers/hwmon/vt8231.c
22826--- linux-2.6.32.9/drivers/hwmon/vt8231.c 2010-02-09 07:57:19.000000000 -0500
22827+++ linux-2.6.32.9/drivers/hwmon/vt8231.c 2010-02-23 17:09:53.184132288 -0500
22828@@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
22829
22830 static struct pci_device_id vt8231_pci_ids[] = {
22831 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
22832- { 0, }
22833+ { 0, 0, 0, 0, 0, 0, 0 }
22834 };
22835
22836 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
22837diff -urNp linux-2.6.32.9/drivers/hwmon/w83791d.c linux-2.6.32.9/drivers/hwmon/w83791d.c
22838--- linux-2.6.32.9/drivers/hwmon/w83791d.c 2010-02-09 07:57:19.000000000 -0500
22839+++ linux-2.6.32.9/drivers/hwmon/w83791d.c 2010-02-23 17:09:53.184132288 -0500
22840@@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
22841 struct i2c_board_info *info);
22842 static int w83791d_remove(struct i2c_client *client);
22843
22844-static int w83791d_read(struct i2c_client *client, u8 register);
22845-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
22846+static int w83791d_read(struct i2c_client *client, u8 reg);
22847+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
22848 static struct w83791d_data *w83791d_update_device(struct device *dev);
22849
22850 #ifdef DEBUG
22851diff -urNp linux-2.6.32.9/drivers/i2c/busses/i2c-i801.c linux-2.6.32.9/drivers/i2c/busses/i2c-i801.c
22852--- linux-2.6.32.9/drivers/i2c/busses/i2c-i801.c 2010-02-09 07:57:19.000000000 -0500
22853+++ linux-2.6.32.9/drivers/i2c/busses/i2c-i801.c 2010-02-23 17:09:53.188075376 -0500
22854@@ -578,7 +578,7 @@ static struct pci_device_id i801_ids[] =
22855 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_4) },
22856 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
22857 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
22858- { 0, }
22859+ { 0, 0, 0, 0, 0, 0, 0 }
22860 };
22861
22862 MODULE_DEVICE_TABLE (pci, i801_ids);
22863diff -urNp linux-2.6.32.9/drivers/i2c/busses/i2c-piix4.c linux-2.6.32.9/drivers/i2c/busses/i2c-piix4.c
22864--- linux-2.6.32.9/drivers/i2c/busses/i2c-piix4.c 2010-02-09 07:57:19.000000000 -0500
22865+++ linux-2.6.32.9/drivers/i2c/busses/i2c-piix4.c 2010-02-23 17:09:53.188075376 -0500
22866@@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
22867 .ident = "IBM",
22868 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
22869 },
22870- { },
22871+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
22872 };
22873
22874 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
22875@@ -491,7 +491,7 @@ static struct pci_device_id piix4_ids[]
22876 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
22877 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
22878 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
22879- { 0, }
22880+ { 0, 0, 0, 0, 0, 0, 0 }
22881 };
22882
22883 MODULE_DEVICE_TABLE (pci, piix4_ids);
22884diff -urNp linux-2.6.32.9/drivers/i2c/busses/i2c-sis630.c linux-2.6.32.9/drivers/i2c/busses/i2c-sis630.c
22885--- linux-2.6.32.9/drivers/i2c/busses/i2c-sis630.c 2010-02-09 07:57:19.000000000 -0500
22886+++ linux-2.6.32.9/drivers/i2c/busses/i2c-sis630.c 2010-02-23 17:09:53.188075376 -0500
22887@@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
22888 static struct pci_device_id sis630_ids[] __devinitdata = {
22889 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
22890 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
22891- { 0, }
22892+ { 0, 0, 0, 0, 0, 0, 0 }
22893 };
22894
22895 MODULE_DEVICE_TABLE (pci, sis630_ids);
22896diff -urNp linux-2.6.32.9/drivers/i2c/busses/i2c-sis96x.c linux-2.6.32.9/drivers/i2c/busses/i2c-sis96x.c
22897--- linux-2.6.32.9/drivers/i2c/busses/i2c-sis96x.c 2010-02-09 07:57:19.000000000 -0500
22898+++ linux-2.6.32.9/drivers/i2c/busses/i2c-sis96x.c 2010-02-23 17:09:53.188075376 -0500
22899@@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
22900
22901 static struct pci_device_id sis96x_ids[] = {
22902 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
22903- { 0, }
22904+ { 0, 0, 0, 0, 0, 0, 0 }
22905 };
22906
22907 MODULE_DEVICE_TABLE (pci, sis96x_ids);
22908diff -urNp linux-2.6.32.9/drivers/ide/ide-cd.c linux-2.6.32.9/drivers/ide/ide-cd.c
22909--- linux-2.6.32.9/drivers/ide/ide-cd.c 2010-02-09 07:57:19.000000000 -0500
22910+++ linux-2.6.32.9/drivers/ide/ide-cd.c 2010-02-23 17:09:53.188075376 -0500
22911@@ -766,7 +766,7 @@ static void cdrom_do_block_pc(ide_drive_
22912 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
22913 if ((unsigned long)buf & alignment
22914 || blk_rq_bytes(rq) & q->dma_pad_mask
22915- || object_is_on_stack(buf))
22916+ || object_starts_on_stack(buf))
22917 drive->dma = 0;
22918 }
22919 }
22920diff -urNp linux-2.6.32.9/drivers/ieee1394/dv1394.c linux-2.6.32.9/drivers/ieee1394/dv1394.c
22921--- linux-2.6.32.9/drivers/ieee1394/dv1394.c 2010-02-09 07:57:19.000000000 -0500
22922+++ linux-2.6.32.9/drivers/ieee1394/dv1394.c 2010-02-23 17:09:53.188075376 -0500
22923@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
22924 based upon DIF section and sequence
22925 */
22926
22927-static void inline
22928+static inline void
22929 frame_put_packet (struct frame *f, struct packet *p)
22930 {
22931 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
22932@@ -2178,7 +2178,7 @@ static const struct ieee1394_device_id d
22933 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
22934 .version = AVC_SW_VERSION_ENTRY & 0xffffff
22935 },
22936- { }
22937+ { 0, 0, 0, 0, 0, 0 }
22938 };
22939
22940 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
22941diff -urNp linux-2.6.32.9/drivers/ieee1394/eth1394.c linux-2.6.32.9/drivers/ieee1394/eth1394.c
22942--- linux-2.6.32.9/drivers/ieee1394/eth1394.c 2010-02-09 07:57:19.000000000 -0500
22943+++ linux-2.6.32.9/drivers/ieee1394/eth1394.c 2010-02-23 17:09:53.188075376 -0500
22944@@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
22945 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
22946 .version = ETHER1394_GASP_VERSION,
22947 },
22948- {}
22949+ { 0, 0, 0, 0, 0, 0 }
22950 };
22951
22952 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
22953diff -urNp linux-2.6.32.9/drivers/ieee1394/hosts.c linux-2.6.32.9/drivers/ieee1394/hosts.c
22954--- linux-2.6.32.9/drivers/ieee1394/hosts.c 2010-02-09 07:57:19.000000000 -0500
22955+++ linux-2.6.32.9/drivers/ieee1394/hosts.c 2010-02-23 17:09:53.188075376 -0500
22956@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
22957 }
22958
22959 static struct hpsb_host_driver dummy_driver = {
22960+ .name = "dummy",
22961 .transmit_packet = dummy_transmit_packet,
22962 .devctl = dummy_devctl,
22963 .isoctl = dummy_isoctl
22964diff -urNp linux-2.6.32.9/drivers/ieee1394/ohci1394.c linux-2.6.32.9/drivers/ieee1394/ohci1394.c
22965--- linux-2.6.32.9/drivers/ieee1394/ohci1394.c 2010-02-09 07:57:19.000000000 -0500
22966+++ linux-2.6.32.9/drivers/ieee1394/ohci1394.c 2010-02-23 17:09:53.188075376 -0500
22967@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
22968 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
22969
22970 /* Module Parameters */
22971-static int phys_dma = 1;
22972+static int phys_dma;
22973 module_param(phys_dma, int, 0444);
22974-MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
22975+MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
22976
22977 static void dma_trm_tasklet(unsigned long data);
22978 static void dma_trm_reset(struct dma_trm_ctx *d);
22979@@ -3449,7 +3449,7 @@ static struct pci_device_id ohci1394_pci
22980 .subvendor = PCI_ANY_ID,
22981 .subdevice = PCI_ANY_ID,
22982 },
22983- { 0, },
22984+ { 0, 0, 0, 0, 0, 0, 0 },
22985 };
22986
22987 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
22988diff -urNp linux-2.6.32.9/drivers/ieee1394/raw1394.c linux-2.6.32.9/drivers/ieee1394/raw1394.c
22989--- linux-2.6.32.9/drivers/ieee1394/raw1394.c 2010-02-09 07:57:19.000000000 -0500
22990+++ linux-2.6.32.9/drivers/ieee1394/raw1394.c 2010-02-23 17:09:53.188075376 -0500
22991@@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
22992 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
22993 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
22994 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
22995- {}
22996+ { 0, 0, 0, 0, 0, 0 }
22997 };
22998
22999 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
23000diff -urNp linux-2.6.32.9/drivers/ieee1394/sbp2.c linux-2.6.32.9/drivers/ieee1394/sbp2.c
23001--- linux-2.6.32.9/drivers/ieee1394/sbp2.c 2010-02-09 07:57:19.000000000 -0500
23002+++ linux-2.6.32.9/drivers/ieee1394/sbp2.c 2010-02-23 17:09:53.192542032 -0500
23003@@ -290,7 +290,7 @@ static const struct ieee1394_device_id s
23004 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23005 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
23006 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
23007- {}
23008+ { 0, 0, 0, 0, 0, 0 }
23009 };
23010 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
23011
23012@@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
23013 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
23014 MODULE_LICENSE("GPL");
23015
23016-static int sbp2_module_init(void)
23017+static int __init sbp2_module_init(void)
23018 {
23019 int ret;
23020
23021diff -urNp linux-2.6.32.9/drivers/ieee1394/video1394.c linux-2.6.32.9/drivers/ieee1394/video1394.c
23022--- linux-2.6.32.9/drivers/ieee1394/video1394.c 2010-02-09 07:57:19.000000000 -0500
23023+++ linux-2.6.32.9/drivers/ieee1394/video1394.c 2010-02-23 17:09:53.192542032 -0500
23024@@ -1311,7 +1311,7 @@ static const struct ieee1394_device_id v
23025 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23026 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
23027 },
23028- { }
23029+ { 0, 0, 0, 0, 0, 0 }
23030 };
23031
23032 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
23033diff -urNp linux-2.6.32.9/drivers/infiniband/core/cm.c linux-2.6.32.9/drivers/infiniband/core/cm.c
23034--- linux-2.6.32.9/drivers/infiniband/core/cm.c 2010-02-09 07:57:19.000000000 -0500
23035+++ linux-2.6.32.9/drivers/infiniband/core/cm.c 2010-02-23 17:09:53.192542032 -0500
23036@@ -112,7 +112,7 @@ static char const counter_group_names[CM
23037
23038 struct cm_counter_group {
23039 struct kobject obj;
23040- atomic_long_t counter[CM_ATTR_COUNT];
23041+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
23042 };
23043
23044 struct cm_counter_attribute {
23045@@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
23046 struct ib_mad_send_buf *msg = NULL;
23047 int ret;
23048
23049- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23050+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23051 counter[CM_REQ_COUNTER]);
23052
23053 /* Quick state check to discard duplicate REQs. */
23054@@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
23055 if (!cm_id_priv)
23056 return;
23057
23058- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23059+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23060 counter[CM_REP_COUNTER]);
23061 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
23062 if (ret)
23063@@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
23064 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
23065 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
23066 spin_unlock_irq(&cm_id_priv->lock);
23067- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23068+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23069 counter[CM_RTU_COUNTER]);
23070 goto out;
23071 }
23072@@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
23073 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
23074 dreq_msg->local_comm_id);
23075 if (!cm_id_priv) {
23076- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23077+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23078 counter[CM_DREQ_COUNTER]);
23079 cm_issue_drep(work->port, work->mad_recv_wc);
23080 return -EINVAL;
23081@@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
23082 case IB_CM_MRA_REP_RCVD:
23083 break;
23084 case IB_CM_TIMEWAIT:
23085- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23086+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23087 counter[CM_DREQ_COUNTER]);
23088 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23089 goto unlock;
23090@@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
23091 cm_free_msg(msg);
23092 goto deref;
23093 case IB_CM_DREQ_RCVD:
23094- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23095+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23096 counter[CM_DREQ_COUNTER]);
23097 goto unlock;
23098 default:
23099@@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
23100 ib_modify_mad(cm_id_priv->av.port->mad_agent,
23101 cm_id_priv->msg, timeout)) {
23102 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
23103- atomic_long_inc(&work->port->
23104+ atomic_long_inc_unchecked(&work->port->
23105 counter_group[CM_RECV_DUPLICATES].
23106 counter[CM_MRA_COUNTER]);
23107 goto out;
23108@@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
23109 break;
23110 case IB_CM_MRA_REQ_RCVD:
23111 case IB_CM_MRA_REP_RCVD:
23112- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23113+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23114 counter[CM_MRA_COUNTER]);
23115 /* fall through */
23116 default:
23117@@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
23118 case IB_CM_LAP_IDLE:
23119 break;
23120 case IB_CM_MRA_LAP_SENT:
23121- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23122+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23123 counter[CM_LAP_COUNTER]);
23124 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23125 goto unlock;
23126@@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
23127 cm_free_msg(msg);
23128 goto deref;
23129 case IB_CM_LAP_RCVD:
23130- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23131+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23132 counter[CM_LAP_COUNTER]);
23133 goto unlock;
23134 default:
23135@@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
23136 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
23137 if (cur_cm_id_priv) {
23138 spin_unlock_irq(&cm.lock);
23139- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23140+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23141 counter[CM_SIDR_REQ_COUNTER]);
23142 goto out; /* Duplicate message. */
23143 }
23144@@ -3183,10 +3183,10 @@ static void cm_send_handler(struct ib_ma
23145 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
23146 msg->retries = 1;
23147
23148- atomic_long_add(1 + msg->retries,
23149+ atomic_long_add_unchecked(1 + msg->retries,
23150 &port->counter_group[CM_XMIT].counter[attr_index]);
23151 if (msg->retries)
23152- atomic_long_add(msg->retries,
23153+ atomic_long_add_unchecked(msg->retries,
23154 &port->counter_group[CM_XMIT_RETRIES].
23155 counter[attr_index]);
23156
23157@@ -3396,7 +3396,7 @@ static void cm_recv_handler(struct ib_ma
23158 }
23159
23160 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
23161- atomic_long_inc(&port->counter_group[CM_RECV].
23162+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
23163 counter[attr_id - CM_ATTR_ID_OFFSET]);
23164
23165 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
23166@@ -3594,10 +3594,10 @@ static ssize_t cm_show_counter(struct ko
23167 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
23168
23169 return sprintf(buf, "%ld\n",
23170- atomic_long_read(&group->counter[cm_attr->index]));
23171+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
23172 }
23173
23174-static struct sysfs_ops cm_counter_ops = {
23175+static const struct sysfs_ops cm_counter_ops = {
23176 .show = cm_show_counter
23177 };
23178
23179diff -urNp linux-2.6.32.9/drivers/infiniband/core/sysfs.c linux-2.6.32.9/drivers/infiniband/core/sysfs.c
23180--- linux-2.6.32.9/drivers/infiniband/core/sysfs.c 2010-02-09 07:57:19.000000000 -0500
23181+++ linux-2.6.32.9/drivers/infiniband/core/sysfs.c 2010-02-23 17:09:53.192542032 -0500
23182@@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
23183 return port_attr->show(p, port_attr, buf);
23184 }
23185
23186-static struct sysfs_ops port_sysfs_ops = {
23187+static const struct sysfs_ops port_sysfs_ops = {
23188 .show = port_attr_show
23189 };
23190
23191diff -urNp linux-2.6.32.9/drivers/input/keyboard/atkbd.c linux-2.6.32.9/drivers/input/keyboard/atkbd.c
23192--- linux-2.6.32.9/drivers/input/keyboard/atkbd.c 2010-02-09 07:57:19.000000000 -0500
23193+++ linux-2.6.32.9/drivers/input/keyboard/atkbd.c 2010-02-23 17:09:53.192542032 -0500
23194@@ -1212,7 +1212,7 @@ static struct serio_device_id atkbd_seri
23195 .id = SERIO_ANY,
23196 .extra = SERIO_ANY,
23197 },
23198- { 0 }
23199+ { 0, 0, 0, 0 }
23200 };
23201
23202 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
23203diff -urNp linux-2.6.32.9/drivers/input/mouse/lifebook.c linux-2.6.32.9/drivers/input/mouse/lifebook.c
23204--- linux-2.6.32.9/drivers/input/mouse/lifebook.c 2010-02-09 07:57:19.000000000 -0500
23205+++ linux-2.6.32.9/drivers/input/mouse/lifebook.c 2010-02-23 17:09:53.192542032 -0500
23206@@ -115,7 +115,7 @@ static const struct dmi_system_id lifebo
23207 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
23208 },
23209 },
23210- { }
23211+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
23212 };
23213
23214 static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
23215diff -urNp linux-2.6.32.9/drivers/input/mouse/psmouse-base.c linux-2.6.32.9/drivers/input/mouse/psmouse-base.c
23216--- linux-2.6.32.9/drivers/input/mouse/psmouse-base.c 2010-02-09 07:57:19.000000000 -0500
23217+++ linux-2.6.32.9/drivers/input/mouse/psmouse-base.c 2010-02-23 17:09:53.192542032 -0500
23218@@ -1409,7 +1409,7 @@ static struct serio_device_id psmouse_se
23219 .id = SERIO_ANY,
23220 .extra = SERIO_ANY,
23221 },
23222- { 0 }
23223+ { 0, 0, 0, 0 }
23224 };
23225
23226 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
23227diff -urNp linux-2.6.32.9/drivers/input/mouse/synaptics.c linux-2.6.32.9/drivers/input/mouse/synaptics.c
23228--- linux-2.6.32.9/drivers/input/mouse/synaptics.c 2010-02-09 07:57:19.000000000 -0500
23229+++ linux-2.6.32.9/drivers/input/mouse/synaptics.c 2010-02-23 17:09:53.192542032 -0500
23230@@ -437,7 +437,7 @@ static void synaptics_process_packet(str
23231 break;
23232 case 2:
23233 if (SYN_MODEL_PEN(priv->model_id))
23234- ; /* Nothing, treat a pen as a single finger */
23235+ break; /* Nothing, treat a pen as a single finger */
23236 break;
23237 case 4 ... 15:
23238 if (SYN_CAP_PALMDETECT(priv->capabilities))
23239@@ -652,7 +652,6 @@ static const struct dmi_system_id toshib
23240 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
23241 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
23242 },
23243-
23244 },
23245 {
23246 .ident = "Toshiba Portege M300",
23247@@ -661,9 +660,8 @@ static const struct dmi_system_id toshib
23248 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
23249 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
23250 },
23251-
23252 },
23253- { }
23254+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23255 };
23256 #endif
23257
23258diff -urNp linux-2.6.32.9/drivers/input/mousedev.c linux-2.6.32.9/drivers/input/mousedev.c
23259--- linux-2.6.32.9/drivers/input/mousedev.c 2010-02-09 07:57:19.000000000 -0500
23260+++ linux-2.6.32.9/drivers/input/mousedev.c 2010-02-23 17:09:53.192542032 -0500
23261@@ -1057,7 +1057,7 @@ static struct input_handler mousedev_han
23262
23263 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
23264 static struct miscdevice psaux_mouse = {
23265- PSMOUSE_MINOR, "psaux", &mousedev_fops
23266+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
23267 };
23268 static int psaux_registered;
23269 #endif
23270diff -urNp linux-2.6.32.9/drivers/input/serio/i8042-x86ia64io.h linux-2.6.32.9/drivers/input/serio/i8042-x86ia64io.h
23271--- linux-2.6.32.9/drivers/input/serio/i8042-x86ia64io.h 2010-02-09 07:57:19.000000000 -0500
23272+++ linux-2.6.32.9/drivers/input/serio/i8042-x86ia64io.h 2010-02-23 17:09:53.192542032 -0500
23273@@ -172,7 +172,7 @@ static const struct dmi_system_id __init
23274 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
23275 },
23276 },
23277- { }
23278+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23279 };
23280
23281 /*
23282@@ -402,7 +402,7 @@ static const struct dmi_system_id __init
23283 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
23284 },
23285 },
23286- { }
23287+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23288 };
23289
23290 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
23291@@ -469,7 +469,7 @@ static const struct dmi_system_id __init
23292 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
23293 },
23294 },
23295- { }
23296+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23297 };
23298
23299 #ifdef CONFIG_PNP
23300@@ -488,7 +488,7 @@ static const struct dmi_system_id __init
23301 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
23302 },
23303 },
23304- { }
23305+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23306 };
23307
23308 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
23309@@ -512,7 +512,7 @@ static const struct dmi_system_id __init
23310 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
23311 },
23312 },
23313- { }
23314+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23315 };
23316 #endif
23317
23318@@ -586,7 +586,7 @@ static const struct dmi_system_id __init
23319 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
23320 },
23321 },
23322- { }
23323+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23324 };
23325
23326 #endif /* CONFIG_X86 */
23327diff -urNp linux-2.6.32.9/drivers/input/serio/serio_raw.c linux-2.6.32.9/drivers/input/serio/serio_raw.c
23328--- linux-2.6.32.9/drivers/input/serio/serio_raw.c 2010-02-09 07:57:19.000000000 -0500
23329+++ linux-2.6.32.9/drivers/input/serio/serio_raw.c 2010-02-23 17:09:53.192542032 -0500
23330@@ -377,7 +377,7 @@ static struct serio_device_id serio_raw_
23331 .id = SERIO_ANY,
23332 .extra = SERIO_ANY,
23333 },
23334- { 0 }
23335+ { 0, 0, 0, 0 }
23336 };
23337
23338 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
23339diff -urNp linux-2.6.32.9/drivers/isdn/gigaset/common.c linux-2.6.32.9/drivers/isdn/gigaset/common.c
23340--- linux-2.6.32.9/drivers/isdn/gigaset/common.c 2010-02-09 07:57:19.000000000 -0500
23341+++ linux-2.6.32.9/drivers/isdn/gigaset/common.c 2010-02-23 17:09:53.192542032 -0500
23342@@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
23343 cs->commands_pending = 0;
23344 cs->cur_at_seq = 0;
23345 cs->gotfwver = -1;
23346- cs->open_count = 0;
23347+ atomic_set(&cs->open_count, 0);
23348 cs->dev = NULL;
23349 cs->tty = NULL;
23350 cs->tty_dev = NULL;
23351diff -urNp linux-2.6.32.9/drivers/isdn/gigaset/gigaset.h linux-2.6.32.9/drivers/isdn/gigaset/gigaset.h
23352--- linux-2.6.32.9/drivers/isdn/gigaset/gigaset.h 2010-02-09 07:57:19.000000000 -0500
23353+++ linux-2.6.32.9/drivers/isdn/gigaset/gigaset.h 2010-02-23 17:09:53.192542032 -0500
23354@@ -446,7 +446,7 @@ struct cardstate {
23355 spinlock_t cmdlock;
23356 unsigned curlen, cmdbytes;
23357
23358- unsigned open_count;
23359+ atomic_t open_count;
23360 struct tty_struct *tty;
23361 struct tasklet_struct if_wake_tasklet;
23362 unsigned control_state;
23363diff -urNp linux-2.6.32.9/drivers/isdn/gigaset/interface.c linux-2.6.32.9/drivers/isdn/gigaset/interface.c
23364--- linux-2.6.32.9/drivers/isdn/gigaset/interface.c 2010-02-09 07:57:19.000000000 -0500
23365+++ linux-2.6.32.9/drivers/isdn/gigaset/interface.c 2010-02-23 17:09:53.196332354 -0500
23366@@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
23367 return -ERESTARTSYS; // FIXME -EINTR?
23368 tty->driver_data = cs;
23369
23370- ++cs->open_count;
23371-
23372- if (cs->open_count == 1) {
23373+ if (atomic_inc_return(&cs->open_count) == 1) {
23374 spin_lock_irqsave(&cs->lock, flags);
23375 cs->tty = tty;
23376 spin_unlock_irqrestore(&cs->lock, flags);
23377@@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
23378
23379 if (!cs->connected)
23380 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23381- else if (!cs->open_count)
23382+ else if (!atomic_read(&cs->open_count))
23383 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23384 else {
23385- if (!--cs->open_count) {
23386+ if (!atomic_dec_return(&cs->open_count)) {
23387 spin_lock_irqsave(&cs->lock, flags);
23388 cs->tty = NULL;
23389 spin_unlock_irqrestore(&cs->lock, flags);
23390@@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
23391 if (!cs->connected) {
23392 gig_dbg(DEBUG_IF, "not connected");
23393 retval = -ENODEV;
23394- } else if (!cs->open_count)
23395+ } else if (!atomic_read(&cs->open_count))
23396 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23397 else {
23398 retval = 0;
23399@@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
23400 if (!cs->connected) {
23401 gig_dbg(DEBUG_IF, "not connected");
23402 retval = -ENODEV;
23403- } else if (!cs->open_count)
23404+ } else if (!atomic_read(&cs->open_count))
23405 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23406 else if (cs->mstate != MS_LOCKED) {
23407 dev_warn(cs->dev, "can't write to unlocked device\n");
23408@@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
23409 if (!cs->connected) {
23410 gig_dbg(DEBUG_IF, "not connected");
23411 retval = -ENODEV;
23412- } else if (!cs->open_count)
23413+ } else if (!atomic_read(&cs->open_count))
23414 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23415 else if (cs->mstate != MS_LOCKED) {
23416 dev_warn(cs->dev, "can't write to unlocked device\n");
23417@@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
23418
23419 if (!cs->connected)
23420 gig_dbg(DEBUG_IF, "not connected");
23421- else if (!cs->open_count)
23422+ else if (!atomic_read(&cs->open_count))
23423 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23424 else if (cs->mstate != MS_LOCKED)
23425 dev_warn(cs->dev, "can't write to unlocked device\n");
23426@@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
23427
23428 if (!cs->connected)
23429 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23430- else if (!cs->open_count)
23431+ else if (!atomic_read(&cs->open_count))
23432 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23433 else {
23434 //FIXME
23435@@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
23436
23437 if (!cs->connected)
23438 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23439- else if (!cs->open_count)
23440+ else if (!atomic_read(&cs->open_count))
23441 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23442 else {
23443 //FIXME
23444@@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
23445 goto out;
23446 }
23447
23448- if (!cs->open_count) {
23449+ if (!atomic_read(&cs->open_count)) {
23450 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23451 goto out;
23452 }
23453diff -urNp linux-2.6.32.9/drivers/lguest/core.c linux-2.6.32.9/drivers/lguest/core.c
23454--- linux-2.6.32.9/drivers/lguest/core.c 2010-02-09 07:57:19.000000000 -0500
23455+++ linux-2.6.32.9/drivers/lguest/core.c 2010-02-23 17:09:53.196332354 -0500
23456@@ -91,9 +91,17 @@ static __init int map_switcher(void)
23457 * it's worked so far. The end address needs +1 because __get_vm_area
23458 * allocates an extra guard page, so we need space for that.
23459 */
23460+
23461+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23462+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23463+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
23464+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23465+#else
23466 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23467 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
23468 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23469+#endif
23470+
23471 if (!switcher_vma) {
23472 err = -ENOMEM;
23473 printk("lguest: could not map switcher pages high\n");
23474diff -urNp linux-2.6.32.9/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.9/drivers/macintosh/via-pmu-backlight.c
23475--- linux-2.6.32.9/drivers/macintosh/via-pmu-backlight.c 2010-02-09 07:57:19.000000000 -0500
23476+++ linux-2.6.32.9/drivers/macintosh/via-pmu-backlight.c 2010-02-23 17:09:53.196332354 -0500
23477@@ -15,7 +15,7 @@
23478
23479 #define MAX_PMU_LEVEL 0xFF
23480
23481-static struct backlight_ops pmu_backlight_data;
23482+static const struct backlight_ops pmu_backlight_data;
23483 static DEFINE_SPINLOCK(pmu_backlight_lock);
23484 static int sleeping, uses_pmu_bl;
23485 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
23486@@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
23487 return bd->props.brightness;
23488 }
23489
23490-static struct backlight_ops pmu_backlight_data = {
23491+static const struct backlight_ops pmu_backlight_data = {
23492 .get_brightness = pmu_backlight_get_brightness,
23493 .update_status = pmu_backlight_update_status,
23494
23495diff -urNp linux-2.6.32.9/drivers/macintosh/via-pmu.c linux-2.6.32.9/drivers/macintosh/via-pmu.c
23496--- linux-2.6.32.9/drivers/macintosh/via-pmu.c 2010-02-09 07:57:19.000000000 -0500
23497+++ linux-2.6.32.9/drivers/macintosh/via-pmu.c 2010-02-23 17:09:53.196332354 -0500
23498@@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
23499 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
23500 }
23501
23502-static struct platform_suspend_ops pmu_pm_ops = {
23503+static const struct platform_suspend_ops pmu_pm_ops = {
23504 .enter = powerbook_sleep,
23505 .valid = pmu_sleep_valid,
23506 };
23507diff -urNp linux-2.6.32.9/drivers/md/bitmap.c linux-2.6.32.9/drivers/md/bitmap.c
23508--- linux-2.6.32.9/drivers/md/bitmap.c 2010-02-09 07:57:19.000000000 -0500
23509+++ linux-2.6.32.9/drivers/md/bitmap.c 2010-02-23 17:09:53.196332354 -0500
23510@@ -58,7 +58,7 @@
23511 # if DEBUG > 0
23512 # define PRINTK(x...) printk(KERN_DEBUG x)
23513 # else
23514-# define PRINTK(x...)
23515+# define PRINTK(x...) do {} while (0)
23516 # endif
23517 #endif
23518
23519diff -urNp linux-2.6.32.9/drivers/md/dm-sysfs.c linux-2.6.32.9/drivers/md/dm-sysfs.c
23520--- linux-2.6.32.9/drivers/md/dm-sysfs.c 2010-02-09 07:57:19.000000000 -0500
23521+++ linux-2.6.32.9/drivers/md/dm-sysfs.c 2010-02-23 17:09:53.196332354 -0500
23522@@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
23523 NULL,
23524 };
23525
23526-static struct sysfs_ops dm_sysfs_ops = {
23527+static const struct sysfs_ops dm_sysfs_ops = {
23528 .show = dm_attr_show,
23529 };
23530
23531diff -urNp linux-2.6.32.9/drivers/md/dm-table.c linux-2.6.32.9/drivers/md/dm-table.c
23532--- linux-2.6.32.9/drivers/md/dm-table.c 2010-02-09 07:57:19.000000000 -0500
23533+++ linux-2.6.32.9/drivers/md/dm-table.c 2010-02-23 17:09:53.196332354 -0500
23534@@ -359,7 +359,7 @@ static int device_area_is_invalid(struct
23535 if (!dev_size)
23536 return 0;
23537
23538- if ((start >= dev_size) || (start + len > dev_size)) {
23539+ if ((start >= dev_size) || (len > dev_size - start)) {
23540 DMWARN("%s: %s too small for target: "
23541 "start=%llu, len=%llu, dev_size=%llu",
23542 dm_device_name(ti->table->md), bdevname(bdev, b),
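Review bot: The new bound `len > dev_size - start` is safe only because the first disjunct `start >= dev_size` has already been ruled out by the time it is evaluated; if the two tests are ever reordered or split, the subtraction underflows. Nothing on the line records that dependency or why `start + len` was replaced. A comment above the `if` would protect the fix, for example `/* start < dev_size here, so dev_size - start cannot underflow; start + len could wrap */`. device_area_is_invalid() begins and ends outside the hunk.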
23543diff -urNp linux-2.6.32.9/drivers/md/md.c linux-2.6.32.9/drivers/md/md.c
23544--- linux-2.6.32.9/drivers/md/md.c 2010-02-09 07:57:19.000000000 -0500
23545+++ linux-2.6.32.9/drivers/md/md.c 2010-02-23 17:09:53.196332354 -0500
23546@@ -2508,7 +2508,7 @@ static void rdev_free(struct kobject *ko
23547 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
23548 kfree(rdev);
23549 }
23550-static struct sysfs_ops rdev_sysfs_ops = {
23551+static const struct sysfs_ops rdev_sysfs_ops = {
23552 .show = rdev_attr_show,
23553 .store = rdev_attr_store,
23554 };
23555@@ -3878,7 +3878,7 @@ static void md_free(struct kobject *ko)
23556 kfree(mddev);
23557 }
23558
23559-static struct sysfs_ops md_sysfs_ops = {
23560+static const struct sysfs_ops md_sysfs_ops = {
23561 .show = md_attr_show,
23562 .store = md_attr_store,
23563 };
23564@@ -6004,7 +6004,7 @@ static int md_seq_show(struct seq_file *
23565 chunk_kb ? "KB" : "B");
23566 if (bitmap->file) {
23567 seq_printf(seq, ", file: ");
23568- seq_path(seq, &bitmap->file->f_path, " \t\n");
23569+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
23570 }
23571
23572 seq_printf(seq, "\n");
23573@@ -6098,7 +6098,7 @@ static int is_mddev_idle(mddev_t *mddev,
23574 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
23575 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
23576 (int)part_stat_read(&disk->part0, sectors[1]) -
23577- atomic_read(&disk->sync_io);
23578+ atomic_read_unchecked(&disk->sync_io);
23579 /* sync IO will cause sync_io to increase before the disk_stats
23580 * as sync_io is counted when a request starts, and
23581 * disk_stats is counted when it completes.
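Review bot: The switch to `atomic_read_unchecked(&disk->sync_io)` in is_mddev_idle() carries no comment saying why this counter is exempt from the checked atomic operations. Presumably `sync_io` is a statistic that may wrap harmlessly rather than a reference count, but that is not visible here, so a reader cannot tell an intended exemption from an oversight. A one-line comment at the read, such as `/* sync_io is an I/O statistic, wraparound is harmless */`, would settle it. The same applies to `atomic_add_unchecked()` in md_sync_acct() in md.h and to the `atomic_long_*_unchecked` conversions in the sgi-gru hunks. is_mddev_idle() extends beyond this hunk.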
23582diff -urNp linux-2.6.32.9/drivers/md/md.h linux-2.6.32.9/drivers/md/md.h
23583--- linux-2.6.32.9/drivers/md/md.h 2010-02-09 07:57:19.000000000 -0500
23584+++ linux-2.6.32.9/drivers/md/md.h 2010-02-23 17:09:53.196332354 -0500
23585@@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
23586
23587 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
23588 {
23589- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23590+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23591 }
23592
23593 struct mdk_personality
23594diff -urNp linux-2.6.32.9/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.9/drivers/media/dvb/dvb-core/dvbdev.c
23595--- linux-2.6.32.9/drivers/media/dvb/dvb-core/dvbdev.c 2010-02-09 07:57:19.000000000 -0500
23596+++ linux-2.6.32.9/drivers/media/dvb/dvb-core/dvbdev.c 2010-02-23 17:09:53.196332354 -0500
23597@@ -191,6 +191,7 @@ int dvb_register_device(struct dvb_adapt
23598 const struct dvb_device *template, void *priv, int type)
23599 {
23600 struct dvb_device *dvbdev;
23601+ /* cannot be const */
23602 struct file_operations *dvbdevfops;
23603 struct device *clsdev;
23604 int minor;
23605diff -urNp linux-2.6.32.9/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.9/drivers/media/video/usbvideo/konicawc.c
23606--- linux-2.6.32.9/drivers/media/video/usbvideo/konicawc.c 2010-02-09 07:57:19.000000000 -0500
23607+++ linux-2.6.32.9/drivers/media/video/usbvideo/konicawc.c 2010-02-23 17:09:53.196332354 -0500
23608@@ -225,7 +225,7 @@ static void konicawc_register_input(stru
23609 int error;
23610
23611 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
23612- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
23613+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
23614
23615 cam->input = input_dev = input_allocate_device();
23616 if (!input_dev) {
23617diff -urNp linux-2.6.32.9/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.9/drivers/media/video/usbvideo/quickcam_messenger.c
23618--- linux-2.6.32.9/drivers/media/video/usbvideo/quickcam_messenger.c 2010-02-09 07:57:19.000000000 -0500
23619+++ linux-2.6.32.9/drivers/media/video/usbvideo/quickcam_messenger.c 2010-02-23 17:09:53.196332354 -0500
23620@@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
23621 int error;
23622
23623 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
23624- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
23625+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
23626
23627 cam->input = input_dev = input_allocate_device();
23628 if (!input_dev) {
23629diff -urNp linux-2.6.32.9/drivers/message/i2o/i2o_proc.c linux-2.6.32.9/drivers/message/i2o/i2o_proc.c
23630--- linux-2.6.32.9/drivers/message/i2o/i2o_proc.c 2010-02-09 07:57:19.000000000 -0500
23631+++ linux-2.6.32.9/drivers/message/i2o/i2o_proc.c 2010-02-23 17:09:53.200463728 -0500
23632@@ -259,13 +259,6 @@ static char *scsi_devices[] = {
23633 "Array Controller Device"
23634 };
23635
23636-static char *chtostr(u8 * chars, int n)
23637-{
23638- char tmp[256];
23639- tmp[0] = 0;
23640- return strncat(tmp, (char *)chars, n);
23641-}
23642-
23643 static int i2o_report_query_status(struct seq_file *seq, int block_status,
23644 char *group)
23645 {
23646@@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
23647
23648 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
23649 seq_printf(seq, "%-#8x", ddm_table.module_id);
23650- seq_printf(seq, "%-29s",
23651- chtostr(ddm_table.module_name_version, 28));
23652+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
23653 seq_printf(seq, "%9d ", ddm_table.data_size);
23654 seq_printf(seq, "%8d", ddm_table.code_size);
23655
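Review bot: The replacement format `%-.28s` in i2o_seq_show_ddm_table() bounds the read to 28 bytes but drops the field width of the old `%-29s`. The name is therefore no longer padded, the `-` flag has nothing to act on, and the columns printed after it shift with the name length. Keeping both width and precision preserves the table layout: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The next hunk has the same problem in i2o_seq_show_drivers_stored(), where `%-.28s` and `%-.8s` should be `%-29.28s` and `%-9.8s`. Both functions continue outside their hunks.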
23656@@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
23657
23658 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
23659 seq_printf(seq, "%-#8x", dst->module_id);
23660- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
23661- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
23662+ seq_printf(seq, "%-.28s", dst->module_name_version);
23663+ seq_printf(seq, "%-.8s", dst->date);
23664 seq_printf(seq, "%8d ", dst->module_size);
23665 seq_printf(seq, "%8d ", dst->mpb_size);
23666 seq_printf(seq, "0x%04x", dst->module_flags);
23667@@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
23668 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
23669 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
23670 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
23671- seq_printf(seq, "Vendor info : %s\n",
23672- chtostr((u8 *) (work32 + 2), 16));
23673- seq_printf(seq, "Product info : %s\n",
23674- chtostr((u8 *) (work32 + 6), 16));
23675- seq_printf(seq, "Description : %s\n",
23676- chtostr((u8 *) (work32 + 10), 16));
23677- seq_printf(seq, "Product rev. : %s\n",
23678- chtostr((u8 *) (work32 + 14), 8));
23679+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
23680+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
23681+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
23682+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
23683
23684 seq_printf(seq, "Serial number : ");
23685 print_serial_number(seq, (u8 *) (work32 + 16),
23686@@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
23687 }
23688
23689 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
23690- seq_printf(seq, "Module name : %s\n",
23691- chtostr(result.module_name, 24));
23692- seq_printf(seq, "Module revision : %s\n",
23693- chtostr(result.module_rev, 8));
23694+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
23695+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
23696
23697 seq_printf(seq, "Serial number : ");
23698 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
23699@@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
23700 return 0;
23701 }
23702
23703- seq_printf(seq, "Device name : %s\n",
23704- chtostr(result.device_name, 64));
23705- seq_printf(seq, "Service name : %s\n",
23706- chtostr(result.service_name, 64));
23707- seq_printf(seq, "Physical name : %s\n",
23708- chtostr(result.physical_location, 64));
23709- seq_printf(seq, "Instance number : %s\n",
23710- chtostr(result.instance_number, 4));
23711+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
23712+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
23713+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
23714+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
23715
23716 return 0;
23717 }
23718diff -urNp linux-2.6.32.9/drivers/misc/kgdbts.c linux-2.6.32.9/drivers/misc/kgdbts.c
23719--- linux-2.6.32.9/drivers/misc/kgdbts.c 2010-02-09 07:57:19.000000000 -0500
23720+++ linux-2.6.32.9/drivers/misc/kgdbts.c 2010-02-23 17:09:53.200463728 -0500
23721@@ -118,7 +118,7 @@
23722 } while (0)
23723 #define MAX_CONFIG_LEN 40
23724
23725-static struct kgdb_io kgdbts_io_ops;
23726+static const struct kgdb_io kgdbts_io_ops;
23727 static char get_buf[BUFMAX];
23728 static int get_buf_cnt;
23729 static char put_buf[BUFMAX];
23730@@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
23731 module_put(THIS_MODULE);
23732 }
23733
23734-static struct kgdb_io kgdbts_io_ops = {
23735+static const struct kgdb_io kgdbts_io_ops = {
23736 .name = "kgdbts",
23737 .read_char = kgdbts_get_char,
23738 .write_char = kgdbts_put_char,
23739diff -urNp linux-2.6.32.9/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.9/drivers/misc/sgi-gru/gruhandles.c
23740--- linux-2.6.32.9/drivers/misc/sgi-gru/gruhandles.c 2010-02-09 07:57:19.000000000 -0500
23741+++ linux-2.6.32.9/drivers/misc/sgi-gru/gruhandles.c 2010-02-23 17:09:53.200463728 -0500
23742@@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
23743
23744 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
23745 {
23746- atomic_long_inc(&mcs_op_statistics[op].count);
23747- atomic_long_add(clks, &mcs_op_statistics[op].total);
23748+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
23749+ atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
23750 if (mcs_op_statistics[op].max < clks)
23751 mcs_op_statistics[op].max = clks;
23752 }
23753diff -urNp linux-2.6.32.9/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.9/drivers/misc/sgi-gru/gruprocfs.c
23754--- linux-2.6.32.9/drivers/misc/sgi-gru/gruprocfs.c 2010-02-09 07:57:19.000000000 -0500
23755+++ linux-2.6.32.9/drivers/misc/sgi-gru/gruprocfs.c 2010-02-23 17:09:53.200463728 -0500
23756@@ -32,9 +32,9 @@
23757
23758 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
23759
23760-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
23761+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
23762 {
23763- unsigned long val = atomic_long_read(v);
23764+ unsigned long val = atomic_long_read_unchecked(v);
23765
23766 if (val)
23767 seq_printf(s, "%16lu %s\n", val, id);
23768@@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
23769 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
23770
23771 for (op = 0; op < mcsop_last; op++) {
23772- count = atomic_long_read(&mcs_op_statistics[op].count);
23773- total = atomic_long_read(&mcs_op_statistics[op].total);
23774+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
23775+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
23776 max = mcs_op_statistics[op].max;
23777 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
23778 count ? total / count : 0, max);
23779diff -urNp linux-2.6.32.9/drivers/misc/sgi-gru/grutables.h linux-2.6.32.9/drivers/misc/sgi-gru/grutables.h
23780--- linux-2.6.32.9/drivers/misc/sgi-gru/grutables.h 2010-02-09 07:57:19.000000000 -0500
23781+++ linux-2.6.32.9/drivers/misc/sgi-gru/grutables.h 2010-02-23 17:09:53.200463728 -0500
23782@@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
23783 * GRU statistics.
23784 */
23785 struct gru_stats_s {
23786- atomic_long_t vdata_alloc;
23787- atomic_long_t vdata_free;
23788- atomic_long_t gts_alloc;
23789- atomic_long_t gts_free;
23790- atomic_long_t vdata_double_alloc;
23791- atomic_long_t gts_double_allocate;
23792- atomic_long_t assign_context;
23793- atomic_long_t assign_context_failed;
23794- atomic_long_t free_context;
23795- atomic_long_t load_user_context;
23796- atomic_long_t load_kernel_context;
23797- atomic_long_t lock_kernel_context;
23798- atomic_long_t unlock_kernel_context;
23799- atomic_long_t steal_user_context;
23800- atomic_long_t steal_kernel_context;
23801- atomic_long_t steal_context_failed;
23802- atomic_long_t nopfn;
23803- atomic_long_t break_cow;
23804- atomic_long_t asid_new;
23805- atomic_long_t asid_next;
23806- atomic_long_t asid_wrap;
23807- atomic_long_t asid_reuse;
23808- atomic_long_t intr;
23809- atomic_long_t intr_mm_lock_failed;
23810- atomic_long_t call_os;
23811- atomic_long_t call_os_offnode_reference;
23812- atomic_long_t call_os_check_for_bug;
23813- atomic_long_t call_os_wait_queue;
23814- atomic_long_t user_flush_tlb;
23815- atomic_long_t user_unload_context;
23816- atomic_long_t user_exception;
23817- atomic_long_t set_context_option;
23818- atomic_long_t migrate_check;
23819- atomic_long_t migrated_retarget;
23820- atomic_long_t migrated_unload;
23821- atomic_long_t migrated_unload_delay;
23822- atomic_long_t migrated_nopfn_retarget;
23823- atomic_long_t migrated_nopfn_unload;
23824- atomic_long_t tlb_dropin;
23825- atomic_long_t tlb_dropin_fail_no_asid;
23826- atomic_long_t tlb_dropin_fail_upm;
23827- atomic_long_t tlb_dropin_fail_invalid;
23828- atomic_long_t tlb_dropin_fail_range_active;
23829- atomic_long_t tlb_dropin_fail_idle;
23830- atomic_long_t tlb_dropin_fail_fmm;
23831- atomic_long_t tlb_dropin_fail_no_exception;
23832- atomic_long_t tlb_dropin_fail_no_exception_war;
23833- atomic_long_t tfh_stale_on_fault;
23834- atomic_long_t mmu_invalidate_range;
23835- atomic_long_t mmu_invalidate_page;
23836- atomic_long_t mmu_clear_flush_young;
23837- atomic_long_t flush_tlb;
23838- atomic_long_t flush_tlb_gru;
23839- atomic_long_t flush_tlb_gru_tgh;
23840- atomic_long_t flush_tlb_gru_zero_asid;
23841-
23842- atomic_long_t copy_gpa;
23843-
23844- atomic_long_t mesq_receive;
23845- atomic_long_t mesq_receive_none;
23846- atomic_long_t mesq_send;
23847- atomic_long_t mesq_send_failed;
23848- atomic_long_t mesq_noop;
23849- atomic_long_t mesq_send_unexpected_error;
23850- atomic_long_t mesq_send_lb_overflow;
23851- atomic_long_t mesq_send_qlimit_reached;
23852- atomic_long_t mesq_send_amo_nacked;
23853- atomic_long_t mesq_send_put_nacked;
23854- atomic_long_t mesq_qf_not_full;
23855- atomic_long_t mesq_qf_locked;
23856- atomic_long_t mesq_qf_noop_not_full;
23857- atomic_long_t mesq_qf_switch_head_failed;
23858- atomic_long_t mesq_qf_unexpected_error;
23859- atomic_long_t mesq_noop_unexpected_error;
23860- atomic_long_t mesq_noop_lb_overflow;
23861- atomic_long_t mesq_noop_qlimit_reached;
23862- atomic_long_t mesq_noop_amo_nacked;
23863- atomic_long_t mesq_noop_put_nacked;
23864+ atomic_long_unchecked_t vdata_alloc;
23865+ atomic_long_unchecked_t vdata_free;
23866+ atomic_long_unchecked_t gts_alloc;
23867+ atomic_long_unchecked_t gts_free;
23868+ atomic_long_unchecked_t vdata_double_alloc;
23869+ atomic_long_unchecked_t gts_double_allocate;
23870+ atomic_long_unchecked_t assign_context;
23871+ atomic_long_unchecked_t assign_context_failed;
23872+ atomic_long_unchecked_t free_context;
23873+ atomic_long_unchecked_t load_user_context;
23874+ atomic_long_unchecked_t load_kernel_context;
23875+ atomic_long_unchecked_t lock_kernel_context;
23876+ atomic_long_unchecked_t unlock_kernel_context;
23877+ atomic_long_unchecked_t steal_user_context;
23878+ atomic_long_unchecked_t steal_kernel_context;
23879+ atomic_long_unchecked_t steal_context_failed;
23880+ atomic_long_unchecked_t nopfn;
23881+ atomic_long_unchecked_t break_cow;
23882+ atomic_long_unchecked_t asid_new;
23883+ atomic_long_unchecked_t asid_next;
23884+ atomic_long_unchecked_t asid_wrap;
23885+ atomic_long_unchecked_t asid_reuse;
23886+ atomic_long_unchecked_t intr;
23887+ atomic_long_unchecked_t intr_mm_lock_failed;
23888+ atomic_long_unchecked_t call_os;
23889+ atomic_long_unchecked_t call_os_offnode_reference;
23890+ atomic_long_unchecked_t call_os_check_for_bug;
23891+ atomic_long_unchecked_t call_os_wait_queue;
23892+ atomic_long_unchecked_t user_flush_tlb;
23893+ atomic_long_unchecked_t user_unload_context;
23894+ atomic_long_unchecked_t user_exception;
23895+ atomic_long_unchecked_t set_context_option;
23896+ atomic_long_unchecked_t migrate_check;
23897+ atomic_long_unchecked_t migrated_retarget;
23898+ atomic_long_unchecked_t migrated_unload;
23899+ atomic_long_unchecked_t migrated_unload_delay;
23900+ atomic_long_unchecked_t migrated_nopfn_retarget;
23901+ atomic_long_unchecked_t migrated_nopfn_unload;
23902+ atomic_long_unchecked_t tlb_dropin;
23903+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
23904+ atomic_long_unchecked_t tlb_dropin_fail_upm;
23905+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
23906+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
23907+ atomic_long_unchecked_t tlb_dropin_fail_idle;
23908+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
23909+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
23910+ atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
23911+ atomic_long_unchecked_t tfh_stale_on_fault;
23912+ atomic_long_unchecked_t mmu_invalidate_range;
23913+ atomic_long_unchecked_t mmu_invalidate_page;
23914+ atomic_long_unchecked_t mmu_clear_flush_young;
23915+ atomic_long_unchecked_t flush_tlb;
23916+ atomic_long_unchecked_t flush_tlb_gru;
23917+ atomic_long_unchecked_t flush_tlb_gru_tgh;
23918+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
23919+
23920+ atomic_long_unchecked_t copy_gpa;
23921+
23922+ atomic_long_unchecked_t mesq_receive;
23923+ atomic_long_unchecked_t mesq_receive_none;
23924+ atomic_long_unchecked_t mesq_send;
23925+ atomic_long_unchecked_t mesq_send_failed;
23926+ atomic_long_unchecked_t mesq_noop;
23927+ atomic_long_unchecked_t mesq_send_unexpected_error;
23928+ atomic_long_unchecked_t mesq_send_lb_overflow;
23929+ atomic_long_unchecked_t mesq_send_qlimit_reached;
23930+ atomic_long_unchecked_t mesq_send_amo_nacked;
23931+ atomic_long_unchecked_t mesq_send_put_nacked;
23932+ atomic_long_unchecked_t mesq_qf_not_full;
23933+ atomic_long_unchecked_t mesq_qf_locked;
23934+ atomic_long_unchecked_t mesq_qf_noop_not_full;
23935+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
23936+ atomic_long_unchecked_t mesq_qf_unexpected_error;
23937+ atomic_long_unchecked_t mesq_noop_unexpected_error;
23938+ atomic_long_unchecked_t mesq_noop_lb_overflow;
23939+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
23940+ atomic_long_unchecked_t mesq_noop_amo_nacked;
23941+ atomic_long_unchecked_t mesq_noop_put_nacked;
23942
23943 };
23944
23945@@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
23946 cchop_deallocate, tghop_invalidate, mcsop_last};
23947
23948 struct mcs_op_statistic {
23949- atomic_long_t count;
23950- atomic_long_t total;
23951+ atomic_long_unchecked_t count;
23952+ atomic_long_unchecked_t total;
23953 unsigned long max;
23954 };
23955
23956@@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
23957
23958 #define STAT(id) do { \
23959 if (gru_options & OPT_STATS) \
23960- atomic_long_inc(&gru_stats.id); \
23961+ atomic_long_inc_unchecked(&gru_stats.id); \
23962 } while (0)
23963
23964 #ifdef CONFIG_SGI_GRU_DEBUG
23965diff -urNp linux-2.6.32.9/drivers/mtd/devices/doc2000.c linux-2.6.32.9/drivers/mtd/devices/doc2000.c
23966--- linux-2.6.32.9/drivers/mtd/devices/doc2000.c 2010-02-09 07:57:19.000000000 -0500
23967+++ linux-2.6.32.9/drivers/mtd/devices/doc2000.c 2010-02-23 17:09:53.200463728 -0500
23968@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
23969
23970 /* The ECC will not be calculated correctly if less than 512 is written */
23971 /* DBB-
23972- if (len != 0x200 && eccbuf)
23973+ if (len != 0x200)
23974 printk(KERN_WARNING
23975 "ECC needs a full sector write (adr: %lx size %lx)\n",
23976 (long) to, (long) len);
23977diff -urNp linux-2.6.32.9/drivers/mtd/devices/doc2001.c linux-2.6.32.9/drivers/mtd/devices/doc2001.c
23978--- linux-2.6.32.9/drivers/mtd/devices/doc2001.c 2010-02-09 07:57:19.000000000 -0500
23979+++ linux-2.6.32.9/drivers/mtd/devices/doc2001.c 2010-02-23 17:09:53.200463728 -0500
23980@@ -395,6 +395,8 @@ static int doc_read (struct mtd_info *mt
23981 /* Don't allow read past end of device */
23982 if (from >= this->totlen)
23983 return -EINVAL;
23984+ if (!len)
23985+ return -EINVAL;
23986
23987 /* Don't allow a single read to cross a 512-byte block boundary */
23988 if (from + len > ((from | 0x1ff) + 1))
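Review bot: The added `if (!len) return -EINVAL;` in doc_read() is the only check in this run without a comment, and it is caller-visible: a zero-length read now fails outright. If the intent is to protect length arithmetic further down the function (not visible in this hunk), say so in the style of the neighbouring comments, e.g. `/* Reject zero-length reads: the length arithmetic below assumes len > 0 */`. doc_read() starts and ends outside the hunk.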
23989diff -urNp linux-2.6.32.9/drivers/mtd/ubi/build.c linux-2.6.32.9/drivers/mtd/ubi/build.c
23990--- linux-2.6.32.9/drivers/mtd/ubi/build.c 2010-02-09 07:57:19.000000000 -0500
23991+++ linux-2.6.32.9/drivers/mtd/ubi/build.c 2010-02-23 17:09:53.200463728 -0500
23992@@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
23993 static int __init bytes_str_to_int(const char *str)
23994 {
23995 char *endp;
23996- unsigned long result;
23997+ unsigned long result, scale = 1;
23998
23999 result = simple_strtoul(str, &endp, 0);
24000 if (str == endp || result >= INT_MAX) {
24001@@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
24002
24003 switch (*endp) {
24004 case 'G':
24005- result *= 1024;
24006+ scale *= 1024;
24007 case 'M':
24008- result *= 1024;
24009+ scale *= 1024;
24010 case 'K':
24011- result *= 1024;
24012+ scale *= 1024;
24013 if (endp[1] == 'i' && endp[2] == 'B')
24014 endp += 2;
24015 case '\0':
24016@@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
24017 return -EINVAL;
24018 }
24019
24020- return result;
24021+ if ((intoverflow_t)result*scale >= INT_MAX) {
24022+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
24023+ str);
24024+ return -EINVAL;
24025+ }
24026+
24027+ return result*scale;
24028 }
24029
24030 /**
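Review bot: The overflow test `(intoverflow_t)result*scale >= INT_MAX` works only if `intoverflow_t` is wide enough to hold `result * scale`, which is a value below INT_MAX multiplied by up to 1024 three times. The type is defined outside this hunk, so that cannot be checked here. A comment at the test would make the assumption reviewable, e.g. `/* intoverflow_t must hold result * scale without wrapping */`. The `case 'G':` and `case 'M':` labels in the previous hunk rely on falling through to accumulate `scale`, and a `/* fall through */` marker on each would make that explicit.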
24031diff -urNp linux-2.6.32.9/drivers/net/e1000e/82571.c linux-2.6.32.9/drivers/net/e1000e/82571.c
24032--- linux-2.6.32.9/drivers/net/e1000e/82571.c 2010-02-09 07:57:19.000000000 -0500
24033+++ linux-2.6.32.9/drivers/net/e1000e/82571.c 2010-02-23 17:09:53.200463728 -0500
24034@@ -212,6 +212,7 @@ static s32 e1000_init_mac_params_82571(s
24035 {
24036 struct e1000_hw *hw = &adapter->hw;
24037 struct e1000_mac_info *mac = &hw->mac;
24038+ /* cannot be const */
24039 struct e1000_mac_operations *func = &mac->ops;
24040 u32 swsm = 0;
24041 u32 swsm2 = 0;
24042@@ -1656,7 +1657,7 @@ static void e1000_clear_hw_cntrs_82571(s
24043 temp = er32(ICRXDMTC);
24044 }
24045
24046-static struct e1000_mac_operations e82571_mac_ops = {
24047+static const struct e1000_mac_operations e82571_mac_ops = {
24048 /* .check_mng_mode: mac type dependent */
24049 /* .check_for_link: media type dependent */
24050 .id_led_init = e1000e_id_led_init,
24051@@ -1674,7 +1675,7 @@ static struct e1000_mac_operations e8257
24052 .setup_led = e1000e_setup_led_generic,
24053 };
24054
24055-static struct e1000_phy_operations e82_phy_ops_igp = {
24056+static const struct e1000_phy_operations e82_phy_ops_igp = {
24057 .acquire_phy = e1000_get_hw_semaphore_82571,
24058 .check_reset_block = e1000e_check_reset_block_generic,
24059 .commit_phy = NULL,
24060@@ -1691,7 +1692,7 @@ static struct e1000_phy_operations e82_p
24061 .cfg_on_link_up = NULL,
24062 };
24063
24064-static struct e1000_phy_operations e82_phy_ops_m88 = {
24065+static const struct e1000_phy_operations e82_phy_ops_m88 = {
24066 .acquire_phy = e1000_get_hw_semaphore_82571,
24067 .check_reset_block = e1000e_check_reset_block_generic,
24068 .commit_phy = e1000e_phy_sw_reset,
24069@@ -1708,7 +1709,7 @@ static struct e1000_phy_operations e82_p
24070 .cfg_on_link_up = NULL,
24071 };
24072
24073-static struct e1000_phy_operations e82_phy_ops_bm = {
24074+static const struct e1000_phy_operations e82_phy_ops_bm = {
24075 .acquire_phy = e1000_get_hw_semaphore_82571,
24076 .check_reset_block = e1000e_check_reset_block_generic,
24077 .commit_phy = e1000e_phy_sw_reset,
24078@@ -1725,7 +1726,7 @@ static struct e1000_phy_operations e82_p
24079 .cfg_on_link_up = NULL,
24080 };
24081
24082-static struct e1000_nvm_operations e82571_nvm_ops = {
24083+static const struct e1000_nvm_operations e82571_nvm_ops = {
24084 .acquire_nvm = e1000_acquire_nvm_82571,
24085 .read_nvm = e1000e_read_nvm_eerd,
24086 .release_nvm = e1000_release_nvm_82571,
24087diff -urNp linux-2.6.32.9/drivers/net/e1000e/e1000.h linux-2.6.32.9/drivers/net/e1000e/e1000.h
24088--- linux-2.6.32.9/drivers/net/e1000e/e1000.h 2010-02-09 07:57:19.000000000 -0500
24089+++ linux-2.6.32.9/drivers/net/e1000e/e1000.h 2010-02-23 17:09:53.200463728 -0500
24090@@ -375,9 +375,9 @@ struct e1000_info {
24091 u32 pba;
24092 u32 max_hw_frame_size;
24093 s32 (*get_variants)(struct e1000_adapter *);
24094- struct e1000_mac_operations *mac_ops;
24095- struct e1000_phy_operations *phy_ops;
24096- struct e1000_nvm_operations *nvm_ops;
24097+ const struct e1000_mac_operations *mac_ops;
24098+ const struct e1000_phy_operations *phy_ops;
24099+ const struct e1000_nvm_operations *nvm_ops;
24100 };
24101
24102 /* hardware capability, feature, and workaround flags */
24103diff -urNp linux-2.6.32.9/drivers/net/e1000e/es2lan.c linux-2.6.32.9/drivers/net/e1000e/es2lan.c
24104--- linux-2.6.32.9/drivers/net/e1000e/es2lan.c 2010-02-09 07:57:19.000000000 -0500
24105+++ linux-2.6.32.9/drivers/net/e1000e/es2lan.c 2010-02-23 17:09:53.200463728 -0500
24106@@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_80003es
24107 {
24108 struct e1000_hw *hw = &adapter->hw;
24109 struct e1000_mac_info *mac = &hw->mac;
24110+ /* cannot be const */
24111 struct e1000_mac_operations *func = &mac->ops;
24112
24113 /* Set media type */
24114@@ -1365,7 +1366,7 @@ static void e1000_clear_hw_cntrs_80003es
24115 temp = er32(ICRXDMTC);
24116 }
24117
24118-static struct e1000_mac_operations es2_mac_ops = {
24119+static const struct e1000_mac_operations es2_mac_ops = {
24120 .id_led_init = e1000e_id_led_init,
24121 .check_mng_mode = e1000e_check_mng_mode_generic,
24122 /* check_for_link dependent on media type */
24123@@ -1383,7 +1384,7 @@ static struct e1000_mac_operations es2_m
24124 .setup_led = e1000e_setup_led_generic,
24125 };
24126
24127-static struct e1000_phy_operations es2_phy_ops = {
24128+static const struct e1000_phy_operations es2_phy_ops = {
24129 .acquire_phy = e1000_acquire_phy_80003es2lan,
24130 .check_reset_block = e1000e_check_reset_block_generic,
24131 .commit_phy = e1000e_phy_sw_reset,
24132@@ -1400,7 +1401,7 @@ static struct e1000_phy_operations es2_p
24133 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
24134 };
24135
24136-static struct e1000_nvm_operations es2_nvm_ops = {
24137+static const struct e1000_nvm_operations es2_nvm_ops = {
24138 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
24139 .read_nvm = e1000e_read_nvm_eerd,
24140 .release_nvm = e1000_release_nvm_80003es2lan,
24141diff -urNp linux-2.6.32.9/drivers/net/e1000e/hw.h linux-2.6.32.9/drivers/net/e1000e/hw.h
24142--- linux-2.6.32.9/drivers/net/e1000e/hw.h 2010-02-09 07:57:19.000000000 -0500
24143+++ linux-2.6.32.9/drivers/net/e1000e/hw.h 2010-02-23 17:09:53.200463728 -0500
24144@@ -755,34 +755,34 @@ struct e1000_mac_operations {
24145
24146 /* Function pointers for the PHY. */
24147 struct e1000_phy_operations {
24148- s32 (*acquire_phy)(struct e1000_hw *);
24149- s32 (*check_polarity)(struct e1000_hw *);
24150- s32 (*check_reset_block)(struct e1000_hw *);
24151- s32 (*commit_phy)(struct e1000_hw *);
24152- s32 (*force_speed_duplex)(struct e1000_hw *);
24153- s32 (*get_cfg_done)(struct e1000_hw *hw);
24154- s32 (*get_cable_length)(struct e1000_hw *);
24155- s32 (*get_phy_info)(struct e1000_hw *);
24156- s32 (*read_phy_reg)(struct e1000_hw *, u32, u16 *);
24157- s32 (*read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
24158- void (*release_phy)(struct e1000_hw *);
24159- s32 (*reset_phy)(struct e1000_hw *);
24160- s32 (*set_d0_lplu_state)(struct e1000_hw *, bool);
24161- s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
24162- s32 (*write_phy_reg)(struct e1000_hw *, u32, u16);
24163- s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
24164- s32 (*cfg_on_link_up)(struct e1000_hw *);
24165+ s32 (* acquire_phy)(struct e1000_hw *);
24166+ s32 (* check_polarity)(struct e1000_hw *);
24167+ s32 (* check_reset_block)(struct e1000_hw *);
24168+ s32 (* commit_phy)(struct e1000_hw *);
24169+ s32 (* force_speed_duplex)(struct e1000_hw *);
24170+ s32 (* get_cfg_done)(struct e1000_hw *hw);
24171+ s32 (* get_cable_length)(struct e1000_hw *);
24172+ s32 (* get_phy_info)(struct e1000_hw *);
24173+ s32 (* read_phy_reg)(struct e1000_hw *, u32, u16 *);
24174+ s32 (* read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
24175+ void (* release_phy)(struct e1000_hw *);
24176+ s32 (* reset_phy)(struct e1000_hw *);
24177+ s32 (* set_d0_lplu_state)(struct e1000_hw *, bool);
24178+ s32 (* set_d3_lplu_state)(struct e1000_hw *, bool);
24179+ s32 (* write_phy_reg)(struct e1000_hw *, u32, u16);
24180+ s32 (* write_phy_reg_locked)(struct e1000_hw *, u32, u16);
24181+ s32 (* cfg_on_link_up)(struct e1000_hw *);
24182 };
24183
24184 /* Function pointers for the NVM. */
24185 struct e1000_nvm_operations {
24186- s32 (*acquire_nvm)(struct e1000_hw *);
24187- s32 (*read_nvm)(struct e1000_hw *, u16, u16, u16 *);
24188- void (*release_nvm)(struct e1000_hw *);
24189- s32 (*update_nvm)(struct e1000_hw *);
24190- s32 (*valid_led_default)(struct e1000_hw *, u16 *);
24191- s32 (*validate_nvm)(struct e1000_hw *);
24192- s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
24193+ s32 (* const acquire_nvm)(struct e1000_hw *);
24194+ s32 (* const read_nvm)(struct e1000_hw *, u16, u16, u16 *);
24195+ void (* const release_nvm)(struct e1000_hw *);
24196+ s32 (* const update_nvm)(struct e1000_hw *);
24197+ s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
24198+ s32 (* const validate_nvm)(struct e1000_hw *);
24199+ s32 (* const write_nvm)(struct e1000_hw *, u16, u16, u16 *);
24200 };
24201
24202 struct e1000_mac_info {
24203diff -urNp linux-2.6.32.9/drivers/net/e1000e/ich8lan.c linux-2.6.32.9/drivers/net/e1000e/ich8lan.c
24204--- linux-2.6.32.9/drivers/net/e1000e/ich8lan.c 2010-02-09 07:57:19.000000000 -0500
24205+++ linux-2.6.32.9/drivers/net/e1000e/ich8lan.c 2010-02-23 17:09:53.200463728 -0500
24206@@ -3451,7 +3451,7 @@ static void e1000_clear_hw_cntrs_ich8lan
24207 }
24208 }
24209
24210-static struct e1000_mac_operations ich8_mac_ops = {
24211+static const struct e1000_mac_operations ich8_mac_ops = {
24212 .id_led_init = e1000e_id_led_init,
24213 .check_mng_mode = e1000_check_mng_mode_ich8lan,
24214 .check_for_link = e1000_check_for_copper_link_ich8lan,
24215@@ -3469,7 +3469,7 @@ static struct e1000_mac_operations ich8_
24216 /* id_led_init dependent on mac type */
24217 };
24218
24219-static struct e1000_phy_operations ich8_phy_ops = {
24220+static const struct e1000_phy_operations ich8_phy_ops = {
24221 .acquire_phy = e1000_acquire_swflag_ich8lan,
24222 .check_reset_block = e1000_check_reset_block_ich8lan,
24223 .commit_phy = NULL,
24224@@ -3485,7 +3485,7 @@ static struct e1000_phy_operations ich8_
24225 .write_phy_reg = e1000e_write_phy_reg_igp,
24226 };
24227
24228-static struct e1000_nvm_operations ich8_nvm_ops = {
24229+static const struct e1000_nvm_operations ich8_nvm_ops = {
24230 .acquire_nvm = e1000_acquire_nvm_ich8lan,
24231 .read_nvm = e1000_read_nvm_ich8lan,
24232 .release_nvm = e1000_release_nvm_ich8lan,
24233diff -urNp linux-2.6.32.9/drivers/net/ibmveth.c linux-2.6.32.9/drivers/net/ibmveth.c
24234--- linux-2.6.32.9/drivers/net/ibmveth.c 2010-02-09 07:57:19.000000000 -0500
24235+++ linux-2.6.32.9/drivers/net/ibmveth.c 2010-02-23 17:09:53.200463728 -0500
24236@@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
24237 NULL,
24238 };
24239
24240-static struct sysfs_ops veth_pool_ops = {
24241+static const struct sysfs_ops veth_pool_ops = {
24242 .show = veth_pool_show,
24243 .store = veth_pool_store,
24244 };
24245diff -urNp linux-2.6.32.9/drivers/net/igb/e1000_82575.c linux-2.6.32.9/drivers/net/igb/e1000_82575.c
24246--- linux-2.6.32.9/drivers/net/igb/e1000_82575.c 2010-02-09 07:57:19.000000000 -0500
24247+++ linux-2.6.32.9/drivers/net/igb/e1000_82575.c 2010-02-23 17:09:53.200463728 -0500
24248@@ -1400,7 +1400,7 @@ void igb_vmdq_set_replication_pf(struct
24249 wr32(E1000_VT_CTL, vt_ctl);
24250 }
24251
24252-static struct e1000_mac_operations e1000_mac_ops_82575 = {
24253+static const struct e1000_mac_operations e1000_mac_ops_82575 = {
24254 .reset_hw = igb_reset_hw_82575,
24255 .init_hw = igb_init_hw_82575,
24256 .check_for_link = igb_check_for_link_82575,
24257@@ -1409,13 +1409,13 @@ static struct e1000_mac_operations e1000
24258 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
24259 };
24260
24261-static struct e1000_phy_operations e1000_phy_ops_82575 = {
24262+static const struct e1000_phy_operations e1000_phy_ops_82575 = {
24263 .acquire = igb_acquire_phy_82575,
24264 .get_cfg_done = igb_get_cfg_done_82575,
24265 .release = igb_release_phy_82575,
24266 };
24267
24268-static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24269+static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24270 .acquire = igb_acquire_nvm_82575,
24271 .read = igb_read_nvm_eerd,
24272 .release = igb_release_nvm_82575,
24273diff -urNp linux-2.6.32.9/drivers/net/igb/e1000_hw.h linux-2.6.32.9/drivers/net/igb/e1000_hw.h
24274--- linux-2.6.32.9/drivers/net/igb/e1000_hw.h 2010-02-09 07:57:19.000000000 -0500
24275+++ linux-2.6.32.9/drivers/net/igb/e1000_hw.h 2010-02-23 17:09:53.204540597 -0500
24276@@ -302,17 +302,17 @@ struct e1000_phy_operations {
24277 };
24278
24279 struct e1000_nvm_operations {
24280- s32 (*acquire)(struct e1000_hw *);
24281- s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24282- void (*release)(struct e1000_hw *);
24283- s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24284+ s32 (* const acquire)(struct e1000_hw *);
24285+ s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24286+ void (* const release)(struct e1000_hw *);
24287+ s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24288 };
24289
24290 struct e1000_info {
24291 s32 (*get_invariants)(struct e1000_hw *);
24292- struct e1000_mac_operations *mac_ops;
24293- struct e1000_phy_operations *phy_ops;
24294- struct e1000_nvm_operations *nvm_ops;
24295+ const struct e1000_mac_operations *mac_ops;
24296+ const struct e1000_phy_operations *phy_ops;
24297+ const struct e1000_nvm_operations *nvm_ops;
24298 };
24299
24300 extern const struct e1000_info e1000_82575_info;
24301diff -urNp linux-2.6.32.9/drivers/net/irda/vlsi_ir.c linux-2.6.32.9/drivers/net/irda/vlsi_ir.c
24302--- linux-2.6.32.9/drivers/net/irda/vlsi_ir.c 2010-02-09 07:57:19.000000000 -0500
24303+++ linux-2.6.32.9/drivers/net/irda/vlsi_ir.c 2010-02-23 17:09:53.204540597 -0500
24304@@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
24305 /* no race - tx-ring already empty */
24306 vlsi_set_baud(idev, iobase);
24307 netif_wake_queue(ndev);
24308- }
24309- else
24310- ;
24311+ } else {
24312 /* keep the speed change pending like it would
24313 * for any len>0 packet. tx completion interrupt
24314 * will apply it when the tx ring becomes empty.
24315 */
24316+ }
24317 spin_unlock_irqrestore(&idev->lock, flags);
24318 dev_kfree_skb_any(skb);
24319 return NETDEV_TX_OK;
24320diff -urNp linux-2.6.32.9/drivers/net/iseries_veth.c linux-2.6.32.9/drivers/net/iseries_veth.c
24321--- linux-2.6.32.9/drivers/net/iseries_veth.c 2010-02-09 07:57:19.000000000 -0500
24322+++ linux-2.6.32.9/drivers/net/iseries_veth.c 2010-02-23 17:09:53.204540597 -0500
24323@@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
24324 NULL
24325 };
24326
24327-static struct sysfs_ops veth_cnx_sysfs_ops = {
24328+static const struct sysfs_ops veth_cnx_sysfs_ops = {
24329 .show = veth_cnx_attribute_show
24330 };
24331
24332@@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
24333 NULL
24334 };
24335
24336-static struct sysfs_ops veth_port_sysfs_ops = {
24337+static const struct sysfs_ops veth_port_sysfs_ops = {
24338 .show = veth_port_attribute_show
24339 };
24340
24341diff -urNp linux-2.6.32.9/drivers/net/pcnet32.c linux-2.6.32.9/drivers/net/pcnet32.c
24342--- linux-2.6.32.9/drivers/net/pcnet32.c 2010-02-09 07:57:19.000000000 -0500
24343+++ linux-2.6.32.9/drivers/net/pcnet32.c 2010-02-23 17:09:53.204540597 -0500
24344@@ -79,7 +79,7 @@ static int cards_found;
24345 /*
24346 * VLB I/O addresses
24347 */
24348-static unsigned int pcnet32_portlist[] __initdata =
24349+static unsigned int pcnet32_portlist[] __devinitdata =
24350 { 0x300, 0x320, 0x340, 0x360, 0 };
24351
24352 static int pcnet32_debug = 0;
24353diff -urNp linux-2.6.32.9/drivers/net/tg3.h linux-2.6.32.9/drivers/net/tg3.h
24354--- linux-2.6.32.9/drivers/net/tg3.h 2010-02-09 07:57:19.000000000 -0500
24355+++ linux-2.6.32.9/drivers/net/tg3.h 2010-02-23 17:09:53.204540597 -0500
24356@@ -95,6 +95,7 @@
24357 #define CHIPREV_ID_5750_A0 0x4000
24358 #define CHIPREV_ID_5750_A1 0x4001
24359 #define CHIPREV_ID_5750_A3 0x4003
24360+#define CHIPREV_ID_5750_C1 0x4201
24361 #define CHIPREV_ID_5750_C2 0x4202
24362 #define CHIPREV_ID_5752_A0_HW 0x5000
24363 #define CHIPREV_ID_5752_A0 0x6000
24364diff -urNp linux-2.6.32.9/drivers/net/usb/hso.c linux-2.6.32.9/drivers/net/usb/hso.c
24365--- linux-2.6.32.9/drivers/net/usb/hso.c 2010-02-09 07:57:19.000000000 -0500
24366+++ linux-2.6.32.9/drivers/net/usb/hso.c 2010-02-23 17:09:53.204540597 -0500
24367@@ -258,7 +258,7 @@ struct hso_serial {
24368
24369 /* from usb_serial_port */
24370 struct tty_struct *tty;
24371- int open_count;
24372+ atomic_t open_count;
24373 spinlock_t serial_lock;
24374
24375 int (*write_data) (struct hso_serial *serial);
24376@@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
24377 struct urb *urb;
24378
24379 urb = serial->rx_urb[0];
24380- if (serial->open_count > 0) {
24381+ if (atomic_read(&serial->open_count) > 0) {
24382 count = put_rxbuf_data(urb, serial);
24383 if (count == -1)
24384 return;
24385@@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
24386 DUMP1(urb->transfer_buffer, urb->actual_length);
24387
24388 /* Anyone listening? */
24389- if (serial->open_count == 0)
24390+ if (atomic_read(&serial->open_count) == 0)
24391 return;
24392
24393 if (status == 0) {
24394@@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
24395 spin_unlock_irq(&serial->serial_lock);
24396
24397 /* check for port already opened, if not set the termios */
24398- serial->open_count++;
24399- if (serial->open_count == 1) {
24400+ if (atomic_inc_return(&serial->open_count) == 1) {
24401 tty->low_latency = 1;
24402 serial->rx_state = RX_IDLE;
24403 /* Force default termio settings */
24404@@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
24405 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
24406 if (result) {
24407 hso_stop_serial_device(serial->parent);
24408- serial->open_count--;
24409+ atomic_dec(&serial->open_count);
24410 kref_put(&serial->parent->ref, hso_serial_ref_free);
24411 }
24412 } else {
24413@@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
24414
24415 /* reset the rts and dtr */
24416 /* do the actual close */
24417- serial->open_count--;
24418+ atomic_dec(&serial->open_count);
24419
24420- if (serial->open_count <= 0) {
24421- serial->open_count = 0;
24422+ if (atomic_read(&serial->open_count) <= 0) {
24423+ atomic_set(&serial->open_count, 0);
24424 spin_lock_irq(&serial->serial_lock);
24425 if (serial->tty == tty) {
24426 serial->tty->driver_data = NULL;
24427@@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
24428
24429 /* the actual setup */
24430 spin_lock_irqsave(&serial->serial_lock, flags);
24431- if (serial->open_count)
24432+ if (atomic_read(&serial->open_count))
24433 _hso_serial_set_termios(tty, old);
24434 else
24435 tty->termios = old;
24436@@ -3095,7 +3094,7 @@ static int hso_resume(struct usb_interfa
24437 /* Start all serial ports */
24438 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
24439 if (serial_table[i] && (serial_table[i]->interface == iface)) {
24440- if (dev2ser(serial_table[i])->open_count) {
24441+ if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
24442 result =
24443 hso_start_serial_device(serial_table[i], GFP_NOIO);
24444 hso_kick_transmit(dev2ser(serial_table[i]));
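Review bot: In the hso_serial_close hunk the decrement, the `<= 0` test and the reset to zero are three separate atomic operations, so converting `open_count` to `atomic_t` does not make the close path atomic as a whole. An open that increments the counter between `atomic_dec` and `atomic_set(&serial->open_count, 0)` would have its reference overwritten. The open hunk in this same file already uses `atomic_inc_return`, and close could mirror it with `if (atomic_dec_return(&serial->open_count) <= 0) {`. Whether another lock already serialises open and close cannot be seen here, because both functions continue outside their hunks.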
24445diff -urNp linux-2.6.32.9/drivers/net/wireless/b43/debugfs.c linux-2.6.32.9/drivers/net/wireless/b43/debugfs.c
24446--- linux-2.6.32.9/drivers/net/wireless/b43/debugfs.c 2010-02-09 07:57:19.000000000 -0500
24447+++ linux-2.6.32.9/drivers/net/wireless/b43/debugfs.c 2010-02-23 17:09:53.204540597 -0500
24448@@ -43,7 +43,7 @@ static struct dentry *rootdir;
24449 struct b43_debugfs_fops {
24450 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
24451 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
24452- struct file_operations fops;
24453+ const struct file_operations fops;
24454 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
24455 size_t file_struct_offset;
24456 };
24457diff -urNp linux-2.6.32.9/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.9/drivers/net/wireless/b43legacy/debugfs.c
24458--- linux-2.6.32.9/drivers/net/wireless/b43legacy/debugfs.c 2010-02-09 07:57:19.000000000 -0500
24459+++ linux-2.6.32.9/drivers/net/wireless/b43legacy/debugfs.c 2010-02-23 17:09:53.204540597 -0500
24460@@ -44,7 +44,7 @@ static struct dentry *rootdir;
24461 struct b43legacy_debugfs_fops {
24462 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
24463 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
24464- struct file_operations fops;
24465+ const struct file_operations fops;
24466 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
24467 size_t file_struct_offset;
24468 /* Take wl->irq_lock before calling read/write? */
24469diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-1000.c
24470--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-02-09 07:57:19.000000000 -0500
24471+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-02-23 17:09:53.204540597 -0500
24472@@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
24473 },
24474 };
24475
24476-static struct iwl_ops iwl1000_ops = {
24477+static const struct iwl_ops iwl1000_ops = {
24478 .ucode = &iwl5000_ucode,
24479 .lib = &iwl1000_lib,
24480 .hcmd = &iwl5000_hcmd,
24481diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-3945.c
24482--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-02-09 07:57:19.000000000 -0500
24483+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-02-23 17:09:53.204540597 -0500
24484@@ -2876,7 +2876,7 @@ static struct iwl_hcmd_utils_ops iwl3945
24485 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
24486 };
24487
24488-static struct iwl_ops iwl3945_ops = {
24489+static const struct iwl_ops iwl3945_ops = {
24490 .ucode = &iwl3945_ucode,
24491 .lib = &iwl3945_lib,
24492 .hcmd = &iwl3945_hcmd,
24493diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-4965.c
24494--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-02-09 07:57:19.000000000 -0500
24495+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-02-23 17:09:53.204540597 -0500
24496@@ -2335,7 +2335,7 @@ static struct iwl_lib_ops iwl4965_lib =
24497 },
24498 };
24499
24500-static struct iwl_ops iwl4965_ops = {
24501+static const struct iwl_ops iwl4965_ops = {
24502 .ucode = &iwl4965_ucode,
24503 .lib = &iwl4965_lib,
24504 .hcmd = &iwl4965_hcmd,
24505diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-5000.c
24506--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-02-09 07:57:19.000000000 -0500
24507+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-02-23 17:09:53.204540597 -0500
24508@@ -1628,14 +1628,14 @@ static struct iwl_lib_ops iwl5150_lib =
24509 },
24510 };
24511
24512-struct iwl_ops iwl5000_ops = {
24513+const struct iwl_ops iwl5000_ops = {
24514 .ucode = &iwl5000_ucode,
24515 .lib = &iwl5000_lib,
24516 .hcmd = &iwl5000_hcmd,
24517 .utils = &iwl5000_hcmd_utils,
24518 };
24519
24520-static struct iwl_ops iwl5150_ops = {
24521+static const struct iwl_ops iwl5150_ops = {
24522 .ucode = &iwl5000_ucode,
24523 .lib = &iwl5150_lib,
24524 .hcmd = &iwl5000_hcmd,
24525diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-6000.c
24526--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-02-09 07:57:19.000000000 -0500
24527+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-02-23 17:09:53.208535454 -0500
24528@@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
24529 .calc_rssi = iwl5000_calc_rssi,
24530 };
24531
24532-static struct iwl_ops iwl6000_ops = {
24533+static const struct iwl_ops iwl6000_ops = {
24534 .ucode = &iwl5000_ucode,
24535 .lib = &iwl6000_lib,
24536 .hcmd = &iwl5000_hcmd,
24537diff -urNp linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-dev.h
24538--- linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-dev.h 2010-02-09 07:57:19.000000000 -0500
24539+++ linux-2.6.32.9/drivers/net/wireless/iwlwifi/iwl-dev.h 2010-02-23 17:09:53.208535454 -0500
24540@@ -67,7 +67,7 @@ struct iwl_tx_queue;
24541
24542 /* shared structures from iwl-5000.c */
24543 extern struct iwl_mod_params iwl50_mod_params;
24544-extern struct iwl_ops iwl5000_ops;
24545+extern const struct iwl_ops iwl5000_ops;
24546 extern struct iwl_ucode_ops iwl5000_ucode;
24547 extern struct iwl_lib_ops iwl5000_lib;
24548 extern struct iwl_hcmd_ops iwl5000_hcmd;
24549diff -urNp linux-2.6.32.9/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.9/drivers/net/wireless/libertas/debugfs.c
24550--- linux-2.6.32.9/drivers/net/wireless/libertas/debugfs.c 2010-02-09 07:57:19.000000000 -0500
24551+++ linux-2.6.32.9/drivers/net/wireless/libertas/debugfs.c 2010-02-23 17:09:53.208535454 -0500
24552@@ -708,7 +708,7 @@ out_unlock:
24553 struct lbs_debugfs_files {
24554 const char *name;
24555 int perm;
24556- struct file_operations fops;
24557+ const struct file_operations fops;
24558 };
24559
24560 static const struct lbs_debugfs_files debugfs_files[] = {
24561diff -urNp linux-2.6.32.9/drivers/oprofile/buffer_sync.c linux-2.6.32.9/drivers/oprofile/buffer_sync.c
24562--- linux-2.6.32.9/drivers/oprofile/buffer_sync.c 2010-02-09 07:57:19.000000000 -0500
24563+++ linux-2.6.32.9/drivers/oprofile/buffer_sync.c 2010-02-23 17:09:53.208535454 -0500
24564@@ -340,7 +340,7 @@ static void add_data(struct op_entry *en
24565 if (cookie == NO_COOKIE)
24566 offset = pc;
24567 if (cookie == INVALID_COOKIE) {
24568- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24569+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24570 offset = pc;
24571 }
24572 if (cookie != last_cookie) {
24573@@ -384,14 +384,14 @@ add_sample(struct mm_struct *mm, struct
24574 /* add userspace sample */
24575
24576 if (!mm) {
24577- atomic_inc(&oprofile_stats.sample_lost_no_mm);
24578+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
24579 return 0;
24580 }
24581
24582 cookie = lookup_dcookie(mm, s->eip, &offset);
24583
24584 if (cookie == INVALID_COOKIE) {
24585- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24586+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24587 return 0;
24588 }
24589
24590@@ -560,7 +560,7 @@ void sync_buffer(int cpu)
24591 /* ignore backtraces if failed to add a sample */
24592 if (state == sb_bt_start) {
24593 state = sb_bt_ignore;
24594- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
24595+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
24596 }
24597 }
24598 release_mm(mm);
24599diff -urNp linux-2.6.32.9/drivers/oprofile/event_buffer.c linux-2.6.32.9/drivers/oprofile/event_buffer.c
24600--- linux-2.6.32.9/drivers/oprofile/event_buffer.c 2010-02-09 07:57:19.000000000 -0500
24601+++ linux-2.6.32.9/drivers/oprofile/event_buffer.c 2010-02-23 17:09:53.208535454 -0500
24602@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
24603 }
24604
24605 if (buffer_pos == buffer_size) {
24606- atomic_inc(&oprofile_stats.event_lost_overflow);
24607+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
24608 return;
24609 }
24610
24611diff -urNp linux-2.6.32.9/drivers/oprofile/oprof.c linux-2.6.32.9/drivers/oprofile/oprof.c
24612--- linux-2.6.32.9/drivers/oprofile/oprof.c 2010-02-09 07:57:19.000000000 -0500
24613+++ linux-2.6.32.9/drivers/oprofile/oprof.c 2010-02-23 17:09:53.208535454 -0500
24614@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
24615 if (oprofile_ops.switch_events())
24616 return;
24617
24618- atomic_inc(&oprofile_stats.multiplex_counter);
24619+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
24620 start_switch_worker();
24621 }
24622
24623diff -urNp linux-2.6.32.9/drivers/oprofile/oprofilefs.c linux-2.6.32.9/drivers/oprofile/oprofilefs.c
24624--- linux-2.6.32.9/drivers/oprofile/oprofilefs.c 2010-02-09 07:57:19.000000000 -0500
24625+++ linux-2.6.32.9/drivers/oprofile/oprofilefs.c 2010-02-23 17:09:53.208535454 -0500
24626@@ -187,7 +187,7 @@ static const struct file_operations atom
24627
24628
24629 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
24630- char const *name, atomic_t *val)
24631+ char const *name, atomic_unchecked_t *val)
24632 {
24633 struct dentry *d = __oprofilefs_create_file(sb, root, name,
24634 &atomic_ro_fops, 0444);
24635diff -urNp linux-2.6.32.9/drivers/oprofile/oprofile_stats.c linux-2.6.32.9/drivers/oprofile/oprofile_stats.c
24636--- linux-2.6.32.9/drivers/oprofile/oprofile_stats.c 2010-02-09 07:57:19.000000000 -0500
24637+++ linux-2.6.32.9/drivers/oprofile/oprofile_stats.c 2010-02-23 17:09:53.208535454 -0500
24638@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
24639 cpu_buf->sample_invalid_eip = 0;
24640 }
24641
24642- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
24643- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
24644- atomic_set(&oprofile_stats.event_lost_overflow, 0);
24645- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
24646- atomic_set(&oprofile_stats.multiplex_counter, 0);
24647+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
24648+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
24649+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
24650+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
24651+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
24652 }
24653
24654
24655diff -urNp linux-2.6.32.9/drivers/oprofile/oprofile_stats.h linux-2.6.32.9/drivers/oprofile/oprofile_stats.h
24656--- linux-2.6.32.9/drivers/oprofile/oprofile_stats.h 2010-02-09 07:57:19.000000000 -0500
24657+++ linux-2.6.32.9/drivers/oprofile/oprofile_stats.h 2010-02-23 17:09:53.208535454 -0500
24658@@ -13,11 +13,11 @@
24659 #include <asm/atomic.h>
24660
24661 struct oprofile_stat_struct {
24662- atomic_t sample_lost_no_mm;
24663- atomic_t sample_lost_no_mapping;
24664- atomic_t bt_lost_no_mapping;
24665- atomic_t event_lost_overflow;
24666- atomic_t multiplex_counter;
24667+ atomic_unchecked_t sample_lost_no_mm;
24668+ atomic_unchecked_t sample_lost_no_mapping;
24669+ atomic_unchecked_t bt_lost_no_mapping;
24670+ atomic_unchecked_t event_lost_overflow;
24671+ atomic_unchecked_t multiplex_counter;
24672 };
24673
24674 extern struct oprofile_stat_struct oprofile_stats;
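Review bot: The switch of every field in `struct oprofile_stat_struct` to `atomic_unchecked_t` has no comment saying why these counters opt out of the checked atomic type. They look like pure statistics, where wrap-around is harmless and an overflow trap would only be a nuisance, but that reasoning is inferred rather than stated. A line above the struct such as `/* statistics only, never a reference count: wrap-around is harmless, so overflow checking is skipped */` would stop a later reader from copying the unchecked type onto a counter that guards an object lifetime.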
24675diff -urNp linux-2.6.32.9/drivers/parisc/pdc_stable.c linux-2.6.32.9/drivers/parisc/pdc_stable.c
24676--- linux-2.6.32.9/drivers/parisc/pdc_stable.c 2010-02-09 07:57:19.000000000 -0500
24677+++ linux-2.6.32.9/drivers/parisc/pdc_stable.c 2010-02-23 17:09:53.208535454 -0500
24678@@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
24679 return ret;
24680 }
24681
24682-static struct sysfs_ops pdcspath_attr_ops = {
24683+static const struct sysfs_ops pdcspath_attr_ops = {
24684 .show = pdcspath_attr_show,
24685 .store = pdcspath_attr_store,
24686 };
24687diff -urNp linux-2.6.32.9/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.9/drivers/pci/hotplug/acpiphp_glue.c
24688--- linux-2.6.32.9/drivers/pci/hotplug/acpiphp_glue.c 2010-02-09 07:57:19.000000000 -0500
24689+++ linux-2.6.32.9/drivers/pci/hotplug/acpiphp_glue.c 2010-02-23 17:09:53.208535454 -0500
24690@@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
24691 }
24692
24693
24694-static struct acpi_dock_ops acpiphp_dock_ops = {
24695+static const struct acpi_dock_ops acpiphp_dock_ops = {
24696 .handler = handle_hotplug_event_func,
24697 };
24698
24699diff -urNp linux-2.6.32.9/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.9/drivers/pci/hotplug/cpqphp_nvram.c
24700--- linux-2.6.32.9/drivers/pci/hotplug/cpqphp_nvram.c 2010-02-09 07:57:19.000000000 -0500
24701+++ linux-2.6.32.9/drivers/pci/hotplug/cpqphp_nvram.c 2010-02-23 17:09:53.208535454 -0500
24702@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
24703
24704 void compaq_nvram_init (void __iomem *rom_start)
24705 {
24706+
24707+#ifndef CONFIG_PAX_KERNEXEC
24708 if (rom_start) {
24709 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
24710 }
24711+#endif
24712+
24713 dbg("int15 entry = %p\n", compaq_int15_entry_point);
24714
24715 /* initialize our int15 lock */
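Review bot: The `#ifndef CONFIG_PAX_KERNEXEC` guard in compaq_nvram_init has no comment explaining why the ROM entry point must not be recorded on KERNEXEC kernels. With the guard active, `compaq_int15_entry_point` keeps its initial value while the `dbg()` line and the rest of the function still run. A comment above the guard, for example `/* KERNEXEC: the ROM int15 entry point is never recorded; callers must handle it being unset */`, would record the intent, presumably that the ROM mapping is not executable there. The code that uses the entry point is outside this hunk, so it is worth confirming that it tolerates the unset pointer.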
24716diff -urNp linux-2.6.32.9/drivers/pci/hotplug/fakephp.c linux-2.6.32.9/drivers/pci/hotplug/fakephp.c
24717--- linux-2.6.32.9/drivers/pci/hotplug/fakephp.c 2010-02-09 07:57:19.000000000 -0500
24718+++ linux-2.6.32.9/drivers/pci/hotplug/fakephp.c 2010-02-23 17:09:53.208535454 -0500
24719@@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
24720 }
24721
24722 static struct kobj_type legacy_ktype = {
24723- .sysfs_ops = &(struct sysfs_ops){
24724+ .sysfs_ops = &(const struct sysfs_ops){
24725 .store = legacy_store, .show = legacy_show
24726 },
24727 .release = &legacy_release,
24728diff -urNp linux-2.6.32.9/drivers/pci/intel-iommu.c linux-2.6.32.9/drivers/pci/intel-iommu.c
24729--- linux-2.6.32.9/drivers/pci/intel-iommu.c 2010-02-09 07:57:19.000000000 -0500
24730+++ linux-2.6.32.9/drivers/pci/intel-iommu.c 2010-02-23 17:09:53.208535454 -0500
24731@@ -2950,7 +2950,7 @@ static int intel_mapping_error(struct de
24732 return !dma_addr;
24733 }
24734
24735-struct dma_map_ops intel_dma_ops = {
24736+const struct dma_map_ops intel_dma_ops = {
24737 .alloc_coherent = intel_alloc_coherent,
24738 .free_coherent = intel_free_coherent,
24739 .map_sg = intel_map_sg,
24740diff -urNp linux-2.6.32.9/drivers/pci/pcie/portdrv_pci.c linux-2.6.32.9/drivers/pci/pcie/portdrv_pci.c
24741--- linux-2.6.32.9/drivers/pci/pcie/portdrv_pci.c 2010-02-09 07:57:19.000000000 -0500
24742+++ linux-2.6.32.9/drivers/pci/pcie/portdrv_pci.c 2010-02-23 17:09:53.208535454 -0500
24743@@ -249,7 +249,7 @@ static void pcie_portdrv_err_resume(stru
24744 static const struct pci_device_id port_pci_ids[] = { {
24745 /* handle any PCI-Express port */
24746 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
24747- }, { /* end: all zeroes */ }
24748+ }, { 0, 0, 0, 0, 0, 0, 0 }
24749 };
24750 MODULE_DEVICE_TABLE(pci, port_pci_ids);
24751
24752diff -urNp linux-2.6.32.9/drivers/pci/proc.c linux-2.6.32.9/drivers/pci/proc.c
24753--- linux-2.6.32.9/drivers/pci/proc.c 2010-02-09 07:57:19.000000000 -0500
24754+++ linux-2.6.32.9/drivers/pci/proc.c 2010-02-23 17:09:53.208535454 -0500
24755@@ -480,7 +480,16 @@ static const struct file_operations proc
24756 static int __init pci_proc_init(void)
24757 {
24758 struct pci_dev *dev = NULL;
24759+
24760+#ifdef CONFIG_GRKERNSEC_PROC_ADD
24761+#ifdef CONFIG_GRKERNSEC_PROC_USER
24762+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
24763+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
24764+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
24765+#endif
24766+#else
24767 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
24768+#endif
24769 proc_create("devices", 0, proc_bus_pci_dir,
24770 &proc_bus_pci_dev_operations);
24771 proc_initialized = 1;
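Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, no branch of the added preprocessor chain assigns `proc_bus_pci_dir`. The `proc_create("devices", 0, proc_bus_pci_dir, ...)` call that follows then runs with whatever the variable held before. A Kconfig dependency may rule that combination out, but the hunk does not show it. Ending the inner chain with `#else` and `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before its `#endif` would make the assumption fail at build time rather than silently. pci_proc_init continues past the end of the hunk.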
24772diff -urNp linux-2.6.32.9/drivers/pci/slot.c linux-2.6.32.9/drivers/pci/slot.c
24773--- linux-2.6.32.9/drivers/pci/slot.c 2010-02-09 07:57:19.000000000 -0500
24774+++ linux-2.6.32.9/drivers/pci/slot.c 2010-02-23 17:09:53.208535454 -0500
24775@@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
24776 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
24777 }
24778
24779-static struct sysfs_ops pci_slot_sysfs_ops = {
24780+static const struct sysfs_ops pci_slot_sysfs_ops = {
24781 .show = pci_slot_attr_show,
24782 .store = pci_slot_attr_store,
24783 };
24784diff -urNp linux-2.6.32.9/drivers/pcmcia/ti113x.h linux-2.6.32.9/drivers/pcmcia/ti113x.h
24785--- linux-2.6.32.9/drivers/pcmcia/ti113x.h 2010-02-09 07:57:19.000000000 -0500
24786+++ linux-2.6.32.9/drivers/pcmcia/ti113x.h 2010-02-23 17:09:53.208535454 -0500
24787@@ -903,7 +903,7 @@ static struct pci_device_id ene_tune_tbl
24788 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
24789 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
24790
24791- {}
24792+ { 0, 0, 0, 0, 0, 0, 0 }
24793 };
24794
24795 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
24796diff -urNp linux-2.6.32.9/drivers/pcmcia/yenta_socket.c linux-2.6.32.9/drivers/pcmcia/yenta_socket.c
24797--- linux-2.6.32.9/drivers/pcmcia/yenta_socket.c 2010-02-09 07:57:19.000000000 -0500
24798+++ linux-2.6.32.9/drivers/pcmcia/yenta_socket.c 2010-02-23 17:09:53.208535454 -0500
24799@@ -1387,7 +1387,7 @@ static struct pci_device_id yenta_table
24800
24801 /* match any cardbus bridge */
24802 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
24803- { /* all zeroes */ }
24804+ { 0, 0, 0, 0, 0, 0, 0 }
24805 };
24806 MODULE_DEVICE_TABLE(pci, yenta_table);
24807
24808diff -urNp linux-2.6.32.9/drivers/platform/x86/acer-wmi.c linux-2.6.32.9/drivers/platform/x86/acer-wmi.c
24809--- linux-2.6.32.9/drivers/platform/x86/acer-wmi.c 2010-02-09 07:57:19.000000000 -0500
24810+++ linux-2.6.32.9/drivers/platform/x86/acer-wmi.c 2010-02-23 17:09:53.208535454 -0500
24811@@ -918,7 +918,7 @@ static int update_bl_status(struct backl
24812 return 0;
24813 }
24814
24815-static struct backlight_ops acer_bl_ops = {
24816+static const struct backlight_ops acer_bl_ops = {
24817 .get_brightness = read_brightness,
24818 .update_status = update_bl_status,
24819 };
24820diff -urNp linux-2.6.32.9/drivers/platform/x86/asus_acpi.c linux-2.6.32.9/drivers/platform/x86/asus_acpi.c
24821--- linux-2.6.32.9/drivers/platform/x86/asus_acpi.c 2010-02-09 07:57:19.000000000 -0500
24822+++ linux-2.6.32.9/drivers/platform/x86/asus_acpi.c 2010-02-23 17:09:53.212539101 -0500
24823@@ -1402,7 +1402,7 @@ static int asus_hotk_remove(struct acpi_
24824 return 0;
24825 }
24826
24827-static struct backlight_ops asus_backlight_data = {
24828+static const struct backlight_ops asus_backlight_data = {
24829 .get_brightness = read_brightness,
24830 .update_status = set_brightness_status,
24831 };
24832diff -urNp linux-2.6.32.9/drivers/platform/x86/asus-laptop.c linux-2.6.32.9/drivers/platform/x86/asus-laptop.c
24833--- linux-2.6.32.9/drivers/platform/x86/asus-laptop.c 2010-02-09 07:57:19.000000000 -0500
24834+++ linux-2.6.32.9/drivers/platform/x86/asus-laptop.c 2010-02-23 17:09:53.212539101 -0500
24835@@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
24836 */
24837 static int read_brightness(struct backlight_device *bd);
24838 static int update_bl_status(struct backlight_device *bd);
24839-static struct backlight_ops asusbl_ops = {
24840+static const struct backlight_ops asusbl_ops = {
24841 .get_brightness = read_brightness,
24842 .update_status = update_bl_status,
24843 };
24844diff -urNp linux-2.6.32.9/drivers/platform/x86/compal-laptop.c linux-2.6.32.9/drivers/platform/x86/compal-laptop.c
24845--- linux-2.6.32.9/drivers/platform/x86/compal-laptop.c 2010-02-09 07:57:19.000000000 -0500
24846+++ linux-2.6.32.9/drivers/platform/x86/compal-laptop.c 2010-02-23 17:09:53.212539101 -0500
24847@@ -163,7 +163,7 @@ static int bl_update_status(struct backl
24848 return set_lcd_level(b->props.brightness);
24849 }
24850
24851-static struct backlight_ops compalbl_ops = {
24852+static const struct backlight_ops compalbl_ops = {
24853 .get_brightness = bl_get_brightness,
24854 .update_status = bl_update_status,
24855 };
24856diff -urNp linux-2.6.32.9/drivers/platform/x86/dell-laptop.c linux-2.6.32.9/drivers/platform/x86/dell-laptop.c
24857--- linux-2.6.32.9/drivers/platform/x86/dell-laptop.c 2010-02-09 07:57:19.000000000 -0500
24858+++ linux-2.6.32.9/drivers/platform/x86/dell-laptop.c 2010-02-23 17:09:53.212539101 -0500
24859@@ -305,7 +305,7 @@ static int dell_get_intensity(struct bac
24860 return buffer.output[1];
24861 }
24862
24863-static struct backlight_ops dell_ops = {
24864+static const struct backlight_ops dell_ops = {
24865 .get_brightness = dell_get_intensity,
24866 .update_status = dell_send_intensity,
24867 };
24868diff -urNp linux-2.6.32.9/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.9/drivers/platform/x86/eeepc-laptop.c
24869--- linux-2.6.32.9/drivers/platform/x86/eeepc-laptop.c 2010-02-09 07:57:19.000000000 -0500
24870+++ linux-2.6.32.9/drivers/platform/x86/eeepc-laptop.c 2010-02-23 17:09:53.212539101 -0500
24871@@ -242,7 +242,7 @@ static struct device *eeepc_hwmon_device
24872 */
24873 static int read_brightness(struct backlight_device *bd);
24874 static int update_bl_status(struct backlight_device *bd);
24875-static struct backlight_ops eeepcbl_ops = {
24876+static const struct backlight_ops eeepcbl_ops = {
24877 .get_brightness = read_brightness,
24878 .update_status = update_bl_status,
24879 };
24880diff -urNp linux-2.6.32.9/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.9/drivers/platform/x86/fujitsu-laptop.c
24881--- linux-2.6.32.9/drivers/platform/x86/fujitsu-laptop.c 2010-02-09 07:57:19.000000000 -0500
24882+++ linux-2.6.32.9/drivers/platform/x86/fujitsu-laptop.c 2010-02-23 17:09:53.212539101 -0500
24883@@ -436,7 +436,7 @@ static int bl_update_status(struct backl
24884 return ret;
24885 }
24886
24887-static struct backlight_ops fujitsubl_ops = {
24888+static const struct backlight_ops fujitsubl_ops = {
24889 .get_brightness = bl_get_brightness,
24890 .update_status = bl_update_status,
24891 };
24892diff -urNp linux-2.6.32.9/drivers/platform/x86/msi-laptop.c linux-2.6.32.9/drivers/platform/x86/msi-laptop.c
24893--- linux-2.6.32.9/drivers/platform/x86/msi-laptop.c 2010-02-09 07:57:19.000000000 -0500
24894+++ linux-2.6.32.9/drivers/platform/x86/msi-laptop.c 2010-02-23 17:09:53.212539101 -0500
24895@@ -161,7 +161,7 @@ static int bl_update_status(struct backl
24896 return set_lcd_level(b->props.brightness);
24897 }
24898
24899-static struct backlight_ops msibl_ops = {
24900+static const struct backlight_ops msibl_ops = {
24901 .get_brightness = bl_get_brightness,
24902 .update_status = bl_update_status,
24903 };
24904diff -urNp linux-2.6.32.9/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.9/drivers/platform/x86/panasonic-laptop.c
24905--- linux-2.6.32.9/drivers/platform/x86/panasonic-laptop.c 2010-02-09 07:57:19.000000000 -0500
24906+++ linux-2.6.32.9/drivers/platform/x86/panasonic-laptop.c 2010-02-23 17:09:53.212539101 -0500
24907@@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
24908 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
24909 }
24910
24911-static struct backlight_ops pcc_backlight_ops = {
24912+static const struct backlight_ops pcc_backlight_ops = {
24913 .get_brightness = bl_get,
24914 .update_status = bl_set_status,
24915 };
24916diff -urNp linux-2.6.32.9/drivers/platform/x86/sony-laptop.c linux-2.6.32.9/drivers/platform/x86/sony-laptop.c
24917--- linux-2.6.32.9/drivers/platform/x86/sony-laptop.c 2010-02-09 07:57:19.000000000 -0500
24918+++ linux-2.6.32.9/drivers/platform/x86/sony-laptop.c 2010-02-23 17:09:53.212539101 -0500
24919@@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
24920 }
24921
24922 static struct backlight_device *sony_backlight_device;
24923-static struct backlight_ops sony_backlight_ops = {
24924+static const struct backlight_ops sony_backlight_ops = {
24925 .update_status = sony_backlight_update_status,
24926 .get_brightness = sony_backlight_get_brightness,
24927 };
24928diff -urNp linux-2.6.32.9/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.9/drivers/platform/x86/thinkpad_acpi.c
24929--- linux-2.6.32.9/drivers/platform/x86/thinkpad_acpi.c 2010-02-09 07:57:19.000000000 -0500
24930+++ linux-2.6.32.9/drivers/platform/x86/thinkpad_acpi.c 2010-02-23 17:09:53.212539101 -0500
24931@@ -6073,7 +6073,7 @@ static int brightness_get(struct backlig
24932 return status & TP_EC_BACKLIGHT_LVLMSK;
24933 }
24934
24935-static struct backlight_ops ibm_backlight_data = {
24936+static const struct backlight_ops ibm_backlight_data = {
24937 .get_brightness = brightness_get,
24938 .update_status = brightness_update_status,
24939 };
24940diff -urNp linux-2.6.32.9/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.9/drivers/platform/x86/toshiba_acpi.c
24941--- linux-2.6.32.9/drivers/platform/x86/toshiba_acpi.c 2010-02-09 07:57:19.000000000 -0500
24942+++ linux-2.6.32.9/drivers/platform/x86/toshiba_acpi.c 2010-02-23 17:09:53.212539101 -0500
24943@@ -671,7 +671,7 @@ static acpi_status remove_device(void)
24944 return AE_OK;
24945 }
24946
24947-static struct backlight_ops toshiba_backlight_data = {
24948+static const struct backlight_ops toshiba_backlight_data = {
24949 .get_brightness = get_lcd,
24950 .update_status = set_lcd_status,
24951 };
24952diff -urNp linux-2.6.32.9/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.9/drivers/pnp/pnpbios/bioscalls.c
24953--- linux-2.6.32.9/drivers/pnp/pnpbios/bioscalls.c 2010-02-09 07:57:19.000000000 -0500
24954+++ linux-2.6.32.9/drivers/pnp/pnpbios/bioscalls.c 2010-02-23 17:09:53.212539101 -0500
24955@@ -60,7 +60,7 @@ do { \
24956 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
24957 } while(0)
24958
24959-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
24960+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
24961 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
24962
24963 /*
24964@@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
24965
24966 cpu = get_cpu();
24967 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
24968+
24969+ pax_open_kernel();
24970 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
24971+ pax_close_kernel();
24972
24973 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
24974 spin_lock_irqsave(&pnp_bios_lock, flags);
24975@@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
24976 :"memory");
24977 spin_unlock_irqrestore(&pnp_bios_lock, flags);
24978
24979+ pax_open_kernel();
24980 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
24981+ pax_close_kernel();
24982+
24983 put_cpu();
24984
24985 /* If we get here and this is set then the PnP BIOS faulted on us. */
24986@@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
24987 return status;
24988 }
24989
24990-void pnpbios_calls_init(union pnp_bios_install_struct *header)
24991+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
24992 {
24993 int i;
24994
24995@@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
24996 pnp_bios_callpoint.offset = header->fields.pm16offset;
24997 pnp_bios_callpoint.segment = PNP_CS16;
24998
24999+ pax_open_kernel();
25000+
25001 for_each_possible_cpu(i) {
25002 struct desc_struct *gdt = get_cpu_gdt_table(i);
25003 if (!gdt)
25004@@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
25005 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
25006 (unsigned long)__va(header->fields.pm16dseg));
25007 }
25008+
25009+ pax_close_kernel();
25010 }
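Review bot: The descriptor flags in the first hunk change from `0x4092` to `0x4093` without a comment, and the only difference is bit 0 of the type field, the accessed bit. The later hunks wrap every GDT store in `pax_open_kernel()`/`pax_close_kernel()`, so the likely reason is that the GDT is otherwise not writable and a descriptor not pre-marked accessed would make the CPU attempt a write on segment load; this is inferred, not stated in the patch. A one-line comment above `bad_bios_desc`, such as `/* accessed bit preset: the CPU must not write to the GDT on segment load */`, would keep a later cleanup from reverting the constant. `call_pnp_bios` and `pnpbios_calls_init` continue outside the hunks.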
25011diff -urNp linux-2.6.32.9/drivers/pnp/quirks.c linux-2.6.32.9/drivers/pnp/quirks.c
25012--- linux-2.6.32.9/drivers/pnp/quirks.c 2010-02-09 07:57:19.000000000 -0500
25013+++ linux-2.6.32.9/drivers/pnp/quirks.c 2010-02-23 17:09:53.212539101 -0500
25014@@ -327,7 +327,7 @@ static struct pnp_fixup pnp_fixups[] = {
25015 /* PnP resources that might overlap PCI BARs */
25016 {"PNP0c01", quirk_system_pci_resources},
25017 {"PNP0c02", quirk_system_pci_resources},
25018- {""}
25019+ {"", NULL}
25020 };
25021
25022 void pnp_fixup_device(struct pnp_dev *dev)
25023diff -urNp linux-2.6.32.9/drivers/pnp/resource.c linux-2.6.32.9/drivers/pnp/resource.c
25024--- linux-2.6.32.9/drivers/pnp/resource.c 2010-02-09 07:57:19.000000000 -0500
25025+++ linux-2.6.32.9/drivers/pnp/resource.c 2010-02-23 17:09:53.212539101 -0500
25026@@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
25027 return 1;
25028
25029 /* check if the resource is valid */
25030- if (*irq < 0 || *irq > 15)
25031+ if (*irq > 15)
25032 return 0;
25033
25034 /* check if the resource is reserved */
25035@@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
25036 return 1;
25037
25038 /* check if the resource is valid */
25039- if (*dma < 0 || *dma == 4 || *dma > 7)
25040+ if (*dma == 4 || *dma > 7)
25041 return 0;
25042
25043 /* check if the resource is reserved */
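Review bot: Dropping `*irq < 0` in the first hunk and `*dma < 0` in the second is behaviour-preserving only if both pointers refer to an unsigned type, and the declarations of `irq` and `dma` are outside the hunks. If they are unsigned, the old comparisons were always false and the remaining upper-bound tests still reject wrapped values. If either is signed, a negative value now passes the validity check. It is worth confirming this against the declarations and recording it next to the test, e.g. `/* irq is unsigned: only the upper bound needs testing */`. `pnp_check_irq` and `pnp_check_dma` continue outside the hunks.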
25044diff -urNp linux-2.6.32.9/drivers/s390/cio/qdio_perf.c linux-2.6.32.9/drivers/s390/cio/qdio_perf.c
25045--- linux-2.6.32.9/drivers/s390/cio/qdio_perf.c 2010-02-09 07:57:19.000000000 -0500
25046+++ linux-2.6.32.9/drivers/s390/cio/qdio_perf.c 2010-02-23 17:09:53.216464462 -0500
25047@@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
25048 static int qdio_perf_proc_show(struct seq_file *m, void *v)
25049 {
25050 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
25051- (long)atomic_long_read(&perf_stats.qdio_int));
25052+ (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
25053 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
25054- (long)atomic_long_read(&perf_stats.pci_int));
25055+ (long)atomic_long_read_unchecked(&perf_stats.pci_int));
25056 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
25057- (long)atomic_long_read(&perf_stats.thin_int));
25058+ (long)atomic_long_read_unchecked(&perf_stats.thin_int));
25059 seq_printf(m, "\n");
25060 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
25061- (long)atomic_long_read(&perf_stats.tasklet_inbound));
25062+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
25063 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
25064- (long)atomic_long_read(&perf_stats.tasklet_outbound));
25065+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
25066 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
25067- (long)atomic_long_read(&perf_stats.tasklet_thinint),
25068- (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
25069+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
25070+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
25071 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
25072- (long)atomic_long_read(&perf_stats.thinint_inbound),
25073- (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
25074+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
25075+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
25076 seq_printf(m, "\n");
25077 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
25078- (long)atomic_long_read(&perf_stats.siga_in));
25079+ (long)atomic_long_read_unchecked(&perf_stats.siga_in));
25080 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
25081- (long)atomic_long_read(&perf_stats.siga_out));
25082+ (long)atomic_long_read_unchecked(&perf_stats.siga_out));
25083 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
25084- (long)atomic_long_read(&perf_stats.siga_sync));
25085+ (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
25086 seq_printf(m, "\n");
25087 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
25088- (long)atomic_long_read(&perf_stats.inbound_handler));
25089+ (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
25090 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
25091- (long)atomic_long_read(&perf_stats.outbound_handler));
25092+ (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
25093 seq_printf(m, "\n");
25094 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
25095- (long)atomic_long_read(&perf_stats.fast_requeue));
25096+ (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
25097 seq_printf(m, "Number of outbound target full condition\t: %li\n",
25098- (long)atomic_long_read(&perf_stats.outbound_target_full));
25099+ (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
25100 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
25101- (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
25102+ (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
25103 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
25104- (long)atomic_long_read(&perf_stats.debug_stop_polling));
25105+ (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
25106 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
25107- (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
25108+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
25109 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
25110- (long)atomic_long_read(&perf_stats.debug_eqbs_all),
25111- (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
25112+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
25113+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
25114 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
25115- (long)atomic_long_read(&perf_stats.debug_sqbs_all),
25116- (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
25117+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
25118+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
25119 seq_printf(m, "\n");
25120 return 0;
25121 }
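Review bot: The switch to `atomic_long_read_unchecked()` here, to `atomic_long_unchecked_t` in qdio_perf.h and to `atomic_unchecked_t` in libfc/fc_exch.c comes with no comment saying why these counters are exempt. Judging by the names, the `_unchecked` variants opt out of the overflow detection the patch applies to ordinary atomics, which is reasonable for statistics: every use visible in these hunks is an increment or a `seq_printf`. That holds only while no such counter is used as a reference count or in a limit check. A comment on each stats struct, e.g. `/* statistics only, may wrap: never use for lifetime or bounds decisions */`, would record the condition.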
25122diff -urNp linux-2.6.32.9/drivers/s390/cio/qdio_perf.h linux-2.6.32.9/drivers/s390/cio/qdio_perf.h
25123--- linux-2.6.32.9/drivers/s390/cio/qdio_perf.h 2010-02-09 07:57:19.000000000 -0500
25124+++ linux-2.6.32.9/drivers/s390/cio/qdio_perf.h 2010-02-23 17:09:53.216464462 -0500
25125@@ -13,46 +13,46 @@
25126
25127 struct qdio_perf_stats {
25128 /* interrupt handler calls */
25129- atomic_long_t qdio_int;
25130- atomic_long_t pci_int;
25131- atomic_long_t thin_int;
25132+ atomic_long_unchecked_t qdio_int;
25133+ atomic_long_unchecked_t pci_int;
25134+ atomic_long_unchecked_t thin_int;
25135
25136 /* tasklet runs */
25137- atomic_long_t tasklet_inbound;
25138- atomic_long_t tasklet_outbound;
25139- atomic_long_t tasklet_thinint;
25140- atomic_long_t tasklet_thinint_loop;
25141- atomic_long_t thinint_inbound;
25142- atomic_long_t thinint_inbound_loop;
25143- atomic_long_t thinint_inbound_loop2;
25144+ atomic_long_unchecked_t tasklet_inbound;
25145+ atomic_long_unchecked_t tasklet_outbound;
25146+ atomic_long_unchecked_t tasklet_thinint;
25147+ atomic_long_unchecked_t tasklet_thinint_loop;
25148+ atomic_long_unchecked_t thinint_inbound;
25149+ atomic_long_unchecked_t thinint_inbound_loop;
25150+ atomic_long_unchecked_t thinint_inbound_loop2;
25151
25152 /* signal adapter calls */
25153- atomic_long_t siga_out;
25154- atomic_long_t siga_in;
25155- atomic_long_t siga_sync;
25156+ atomic_long_unchecked_t siga_out;
25157+ atomic_long_unchecked_t siga_in;
25158+ atomic_long_unchecked_t siga_sync;
25159
25160 /* misc */
25161- atomic_long_t inbound_handler;
25162- atomic_long_t outbound_handler;
25163- atomic_long_t fast_requeue;
25164- atomic_long_t outbound_target_full;
25165+ atomic_long_unchecked_t inbound_handler;
25166+ atomic_long_unchecked_t outbound_handler;
25167+ atomic_long_unchecked_t fast_requeue;
25168+ atomic_long_unchecked_t outbound_target_full;
25169
25170 /* for debugging */
25171- atomic_long_t debug_tl_out_timer;
25172- atomic_long_t debug_stop_polling;
25173- atomic_long_t debug_eqbs_all;
25174- atomic_long_t debug_eqbs_incomplete;
25175- atomic_long_t debug_sqbs_all;
25176- atomic_long_t debug_sqbs_incomplete;
25177+ atomic_long_unchecked_t debug_tl_out_timer;
25178+ atomic_long_unchecked_t debug_stop_polling;
25179+ atomic_long_unchecked_t debug_eqbs_all;
25180+ atomic_long_unchecked_t debug_eqbs_incomplete;
25181+ atomic_long_unchecked_t debug_sqbs_all;
25182+ atomic_long_unchecked_t debug_sqbs_incomplete;
25183 };
25184
25185 extern struct qdio_perf_stats perf_stats;
25186 extern int qdio_performance_stats;
25187
25188-static inline void qdio_perf_stat_inc(atomic_long_t *count)
25189+static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
25190 {
25191 if (qdio_performance_stats)
25192- atomic_long_inc(count);
25193+ atomic_long_inc_unchecked(count);
25194 }
25195
25196 int qdio_setup_perf_stats(void);
25197diff -urNp linux-2.6.32.9/drivers/scsi/ipr.c linux-2.6.32.9/drivers/scsi/ipr.c
25198--- linux-2.6.32.9/drivers/scsi/ipr.c 2010-02-09 07:57:19.000000000 -0500
25199+++ linux-2.6.32.9/drivers/scsi/ipr.c 2010-02-23 17:09:53.216464462 -0500
25200@@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
25201 return true;
25202 }
25203
25204-static struct ata_port_operations ipr_sata_ops = {
25205+static const struct ata_port_operations ipr_sata_ops = {
25206 .phy_reset = ipr_ata_phy_reset,
25207 .hardreset = ipr_sata_reset,
25208 .post_internal_cmd = ipr_ata_post_internal,
25209diff -urNp linux-2.6.32.9/drivers/scsi/libfc/fc_exch.c linux-2.6.32.9/drivers/scsi/libfc/fc_exch.c
25210--- linux-2.6.32.9/drivers/scsi/libfc/fc_exch.c 2010-02-09 07:57:19.000000000 -0500
25211+++ linux-2.6.32.9/drivers/scsi/libfc/fc_exch.c 2010-02-23 17:09:53.216464462 -0500
25212@@ -86,12 +86,12 @@ struct fc_exch_mgr {
25213 * all together if not used XXX
25214 */
25215 struct {
25216- atomic_t no_free_exch;
25217- atomic_t no_free_exch_xid;
25218- atomic_t xid_not_found;
25219- atomic_t xid_busy;
25220- atomic_t seq_not_found;
25221- atomic_t non_bls_resp;
25222+ atomic_unchecked_t no_free_exch;
25223+ atomic_unchecked_t no_free_exch_xid;
25224+ atomic_unchecked_t xid_not_found;
25225+ atomic_unchecked_t xid_busy;
25226+ atomic_unchecked_t seq_not_found;
25227+ atomic_unchecked_t non_bls_resp;
25228 } stats;
25229 };
25230 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
25231@@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
25232 /* allocate memory for exchange */
25233 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
25234 if (!ep) {
25235- atomic_inc(&mp->stats.no_free_exch);
25236+ atomic_inc_unchecked(&mp->stats.no_free_exch);
25237 goto out;
25238 }
25239 memset(ep, 0, sizeof(*ep));
25240@@ -557,7 +557,7 @@ out:
25241 return ep;
25242 err:
25243 spin_unlock_bh(&pool->lock);
25244- atomic_inc(&mp->stats.no_free_exch_xid);
25245+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
25246 mempool_free(ep, mp->ep_pool);
25247 return NULL;
25248 }
25249@@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25250 xid = ntohs(fh->fh_ox_id); /* we originated exch */
25251 ep = fc_exch_find(mp, xid);
25252 if (!ep) {
25253- atomic_inc(&mp->stats.xid_not_found);
25254+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25255 reject = FC_RJT_OX_ID;
25256 goto out;
25257 }
25258@@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25259 ep = fc_exch_find(mp, xid);
25260 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
25261 if (ep) {
25262- atomic_inc(&mp->stats.xid_busy);
25263+ atomic_inc_unchecked(&mp->stats.xid_busy);
25264 reject = FC_RJT_RX_ID;
25265 goto rel;
25266 }
25267@@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25268 }
25269 xid = ep->xid; /* get our XID */
25270 } else if (!ep) {
25271- atomic_inc(&mp->stats.xid_not_found);
25272+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25273 reject = FC_RJT_RX_ID; /* XID not found */
25274 goto out;
25275 }
25276@@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25277 } else {
25278 sp = &ep->seq;
25279 if (sp->id != fh->fh_seq_id) {
25280- atomic_inc(&mp->stats.seq_not_found);
25281+ atomic_inc_unchecked(&mp->stats.seq_not_found);
25282 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
25283 goto rel;
25284 }
25285@@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
25286
25287 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
25288 if (!ep) {
25289- atomic_inc(&mp->stats.xid_not_found);
25290+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25291 goto out;
25292 }
25293 if (ep->esb_stat & ESB_ST_COMPLETE) {
25294- atomic_inc(&mp->stats.xid_not_found);
25295+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25296 goto out;
25297 }
25298 if (ep->rxid == FC_XID_UNKNOWN)
25299 ep->rxid = ntohs(fh->fh_rx_id);
25300 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
25301- atomic_inc(&mp->stats.xid_not_found);
25302+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25303 goto rel;
25304 }
25305 if (ep->did != ntoh24(fh->fh_s_id) &&
25306 ep->did != FC_FID_FLOGI) {
25307- atomic_inc(&mp->stats.xid_not_found);
25308+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25309 goto rel;
25310 }
25311 sof = fr_sof(fp);
25312@@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
25313 } else {
25314 sp = &ep->seq;
25315 if (sp->id != fh->fh_seq_id) {
25316- atomic_inc(&mp->stats.seq_not_found);
25317+ atomic_inc_unchecked(&mp->stats.seq_not_found);
25318 goto rel;
25319 }
25320 }
25321@@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
25322 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
25323
25324 if (!sp)
25325- atomic_inc(&mp->stats.xid_not_found);
25326+ atomic_inc_unchecked(&mp->stats.xid_not_found);
25327 else
25328- atomic_inc(&mp->stats.non_bls_resp);
25329+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
25330
25331 fc_frame_free(fp);
25332 }
25333diff -urNp linux-2.6.32.9/drivers/scsi/libsas/sas_ata.c linux-2.6.32.9/drivers/scsi/libsas/sas_ata.c
25334--- linux-2.6.32.9/drivers/scsi/libsas/sas_ata.c 2010-02-09 07:57:19.000000000 -0500
25335+++ linux-2.6.32.9/drivers/scsi/libsas/sas_ata.c 2010-02-23 17:09:53.216464462 -0500
25336@@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
25337 }
25338 }
25339
25340-static struct ata_port_operations sas_sata_ops = {
25341+static const struct ata_port_operations sas_sata_ops = {
25342 .phy_reset = sas_ata_phy_reset,
25343 .post_internal_cmd = sas_ata_post_internal,
25344 .qc_prep = ata_noop_qc_prep,
25345diff -urNp linux-2.6.32.9/drivers/scsi/scsi_logging.h linux-2.6.32.9/drivers/scsi/scsi_logging.h
25346--- linux-2.6.32.9/drivers/scsi/scsi_logging.h 2010-02-09 07:57:19.000000000 -0500
25347+++ linux-2.6.32.9/drivers/scsi/scsi_logging.h 2010-02-23 17:09:53.216464462 -0500
25348@@ -51,7 +51,7 @@ do { \
25349 } while (0); \
25350 } while (0)
25351 #else
25352-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
25353+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
25354 #endif /* CONFIG_SCSI_LOGGING */
25355
25356 /*
25357diff -urNp linux-2.6.32.9/drivers/scsi/sg.c linux-2.6.32.9/drivers/scsi/sg.c
25358--- linux-2.6.32.9/drivers/scsi/sg.c 2010-02-09 07:57:19.000000000 -0500
25359+++ linux-2.6.32.9/drivers/scsi/sg.c 2010-02-23 17:09:53.216464462 -0500
25360@@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
25361 const struct file_operations * fops;
25362 };
25363
25364-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
25365+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
25366 {"allow_dio", &adio_fops},
25367 {"debug", &debug_fops},
25368 {"def_reserved_size", &dressz_fops},
25369@@ -2307,7 +2307,7 @@ sg_proc_init(void)
25370 {
25371 int k, mask;
25372 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
25373- struct sg_proc_leaf * leaf;
25374+ const struct sg_proc_leaf * leaf;
25375
25376 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
25377 if (!sg_proc_sgp)
25378diff -urNp linux-2.6.32.9/drivers/serial/8250_pci.c linux-2.6.32.9/drivers/serial/8250_pci.c
25379--- linux-2.6.32.9/drivers/serial/8250_pci.c 2010-02-09 07:57:19.000000000 -0500
25380+++ linux-2.6.32.9/drivers/serial/8250_pci.c 2010-02-23 17:09:53.216464462 -0500
25381@@ -3664,7 +3664,7 @@ static struct pci_device_id serial_pci_t
25382 PCI_ANY_ID, PCI_ANY_ID,
25383 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
25384 0xffff00, pbn_default },
25385- { 0, }
25386+ { 0, 0, 0, 0, 0, 0, 0 }
25387 };
25388
25389 static struct pci_driver serial_pci_driver = {
25390diff -urNp linux-2.6.32.9/drivers/serial/kgdboc.c linux-2.6.32.9/drivers/serial/kgdboc.c
25391--- linux-2.6.32.9/drivers/serial/kgdboc.c 2010-02-09 07:57:19.000000000 -0500
25392+++ linux-2.6.32.9/drivers/serial/kgdboc.c 2010-02-23 17:09:53.216464462 -0500
25393@@ -18,7 +18,7 @@
25394
25395 #define MAX_CONFIG_LEN 40
25396
25397-static struct kgdb_io kgdboc_io_ops;
25398+static const struct kgdb_io kgdboc_io_ops;
25399
25400 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
25401 static int configured = -1;
25402@@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
25403 module_put(THIS_MODULE);
25404 }
25405
25406-static struct kgdb_io kgdboc_io_ops = {
25407+static const struct kgdb_io kgdboc_io_ops = {
25408 .name = "kgdboc",
25409 .read_char = kgdboc_get_char,
25410 .write_char = kgdboc_put_char,
25411diff -urNp linux-2.6.32.9/drivers/staging/android/binder.c linux-2.6.32.9/drivers/staging/android/binder.c
25412--- linux-2.6.32.9/drivers/staging/android/binder.c 2010-02-09 07:57:19.000000000 -0500
25413+++ linux-2.6.32.9/drivers/staging/android/binder.c 2010-02-23 17:09:53.216464462 -0500
25414@@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
25415 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
25416 }
25417
25418-static struct vm_operations_struct binder_vm_ops = {
25419+static const struct vm_operations_struct binder_vm_ops = {
25420 .open = binder_vma_open,
25421 .close = binder_vma_close,
25422 };
25423diff -urNp linux-2.6.32.9/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.9/drivers/staging/b3dfg/b3dfg.c
25424--- linux-2.6.32.9/drivers/staging/b3dfg/b3dfg.c 2010-02-09 07:57:19.000000000 -0500
25425+++ linux-2.6.32.9/drivers/staging/b3dfg/b3dfg.c 2010-02-23 17:09:53.220509464 -0500
25426@@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
25427 return VM_FAULT_NOPAGE;
25428 }
25429
25430-static struct vm_operations_struct b3dfg_vm_ops = {
25431+static const struct vm_operations_struct b3dfg_vm_ops = {
25432 .fault = b3dfg_vma_fault,
25433 };
25434
25435@@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
25436 return r;
25437 }
25438
25439-static struct file_operations b3dfg_fops = {
25440+static const struct file_operations b3dfg_fops = {
25441 .owner = THIS_MODULE,
25442 .open = b3dfg_open,
25443 .release = b3dfg_release,
25444diff -urNp linux-2.6.32.9/drivers/staging/comedi/comedi_fops.c linux-2.6.32.9/drivers/staging/comedi/comedi_fops.c
25445--- linux-2.6.32.9/drivers/staging/comedi/comedi_fops.c 2010-02-09 07:57:19.000000000 -0500
25446+++ linux-2.6.32.9/drivers/staging/comedi/comedi_fops.c 2010-02-23 17:09:53.220509464 -0500
25447@@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
25448 mutex_unlock(&dev->mutex);
25449 }
25450
25451-static struct vm_operations_struct comedi_vm_ops = {
25452+static const struct vm_operations_struct comedi_vm_ops = {
25453 .close = comedi_unmap,
25454 };
25455
25456diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.9/drivers/staging/dream/qdsp5/adsp_driver.c
25457--- linux-2.6.32.9/drivers/staging/dream/qdsp5/adsp_driver.c 2010-02-09 07:57:19.000000000 -0500
25458+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/adsp_driver.c 2010-02-23 17:09:53.220509464 -0500
25459@@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
25460 static dev_t adsp_devno;
25461 static struct class *adsp_class;
25462
25463-static struct file_operations adsp_fops = {
25464+static const struct file_operations adsp_fops = {
25465 .owner = THIS_MODULE,
25466 .open = adsp_open,
25467 .unlocked_ioctl = adsp_ioctl,
25468diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_aac.c
25469--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_aac.c 2010-02-09 07:57:19.000000000 -0500
25470+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_aac.c 2010-02-23 17:09:53.220509464 -0500
25471@@ -1022,7 +1022,7 @@ done:
25472 return rc;
25473 }
25474
25475-static struct file_operations audio_aac_fops = {
25476+static const struct file_operations audio_aac_fops = {
25477 .owner = THIS_MODULE,
25478 .open = audio_open,
25479 .release = audio_release,
25480diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_amrnb.c
25481--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-02-09 07:57:19.000000000 -0500
25482+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-02-23 17:09:53.220509464 -0500
25483@@ -833,7 +833,7 @@ done:
25484 return rc;
25485 }
25486
25487-static struct file_operations audio_amrnb_fops = {
25488+static const struct file_operations audio_amrnb_fops = {
25489 .owner = THIS_MODULE,
25490 .open = audamrnb_open,
25491 .release = audamrnb_release,
25492diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_evrc.c
25493--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_evrc.c 2010-02-09 07:57:19.000000000 -0500
25494+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_evrc.c 2010-02-23 17:09:53.220509464 -0500
25495@@ -805,7 +805,7 @@ dma_fail:
25496 return rc;
25497 }
25498
25499-static struct file_operations audio_evrc_fops = {
25500+static const struct file_operations audio_evrc_fops = {
25501 .owner = THIS_MODULE,
25502 .open = audevrc_open,
25503 .release = audevrc_release,
25504diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_in.c
25505--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_in.c 2010-02-09 07:57:19.000000000 -0500
25506+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_in.c 2010-02-23 17:09:53.220509464 -0500
25507@@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
25508 return 0;
25509 }
25510
25511-static struct file_operations audio_fops = {
25512+static const struct file_operations audio_fops = {
25513 .owner = THIS_MODULE,
25514 .open = audio_in_open,
25515 .release = audio_in_release,
25516@@ -922,7 +922,7 @@ static struct file_operations audio_fops
25517 .unlocked_ioctl = audio_in_ioctl,
25518 };
25519
25520-static struct file_operations audpre_fops = {
25521+static const struct file_operations audpre_fops = {
25522 .owner = THIS_MODULE,
25523 .open = audpre_open,
25524 .unlocked_ioctl = audpre_ioctl,
25525diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_mp3.c
25526--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_mp3.c 2010-02-09 07:57:19.000000000 -0500
25527+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_mp3.c 2010-02-23 17:09:53.220509464 -0500
25528@@ -941,7 +941,7 @@ done:
25529 return rc;
25530 }
25531
25532-static struct file_operations audio_mp3_fops = {
25533+static const struct file_operations audio_mp3_fops = {
25534 .owner = THIS_MODULE,
25535 .open = audio_open,
25536 .release = audio_release,
25537diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_out.c
25538--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_out.c 2010-02-09 07:57:19.000000000 -0500
25539+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_out.c 2010-02-23 17:09:53.220509464 -0500
25540@@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
25541 return 0;
25542 }
25543
25544-static struct file_operations audio_fops = {
25545+static const struct file_operations audio_fops = {
25546 .owner = THIS_MODULE,
25547 .open = audio_open,
25548 .release = audio_release,
25549@@ -819,7 +819,7 @@ static struct file_operations audio_fops
25550 .unlocked_ioctl = audio_ioctl,
25551 };
25552
25553-static struct file_operations audpp_fops = {
25554+static const struct file_operations audpp_fops = {
25555 .owner = THIS_MODULE,
25556 .open = audpp_open,
25557 .unlocked_ioctl = audpp_ioctl,
25558diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_qcelp.c
25559--- linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-02-09 07:57:19.000000000 -0500
25560+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-02-23 17:09:53.220509464 -0500
25561@@ -816,7 +816,7 @@ err:
25562 return rc;
25563 }
25564
25565-static struct file_operations audio_qcelp_fops = {
25566+static const struct file_operations audio_qcelp_fops = {
25567 .owner = THIS_MODULE,
25568 .open = audqcelp_open,
25569 .release = audqcelp_release,
25570diff -urNp linux-2.6.32.9/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.9/drivers/staging/dream/qdsp5/snd.c
25571--- linux-2.6.32.9/drivers/staging/dream/qdsp5/snd.c 2010-02-09 07:57:19.000000000 -0500
25572+++ linux-2.6.32.9/drivers/staging/dream/qdsp5/snd.c 2010-02-23 17:09:53.220509464 -0500
25573@@ -242,7 +242,7 @@ err:
25574 return rc;
25575 }
25576
25577-static struct file_operations snd_fops = {
25578+static const struct file_operations snd_fops = {
25579 .owner = THIS_MODULE,
25580 .open = snd_open,
25581 .release = snd_release,
25582diff -urNp linux-2.6.32.9/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.9/drivers/staging/dream/smd/smd_qmi.c
25583--- linux-2.6.32.9/drivers/staging/dream/smd/smd_qmi.c 2010-02-09 07:57:19.000000000 -0500
25584+++ linux-2.6.32.9/drivers/staging/dream/smd/smd_qmi.c 2010-02-23 17:09:53.220509464 -0500
25585@@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
25586 return 0;
25587 }
25588
25589-static struct file_operations qmi_fops = {
25590+static const struct file_operations qmi_fops = {
25591 .owner = THIS_MODULE,
25592 .read = qmi_read,
25593 .write = qmi_write,
25594diff -urNp linux-2.6.32.9/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.9/drivers/staging/dream/smd/smd_rpcrouter_device.c
25595--- linux-2.6.32.9/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-02-09 07:57:19.000000000 -0500
25596+++ linux-2.6.32.9/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-02-23 17:09:53.220509464 -0500
25597@@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
25598 return rc;
25599 }
25600
25601-static struct file_operations rpcrouter_server_fops = {
25602+static const struct file_operations rpcrouter_server_fops = {
25603 .owner = THIS_MODULE,
25604 .open = rpcrouter_open,
25605 .release = rpcrouter_release,
25606@@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
25607 .unlocked_ioctl = rpcrouter_ioctl,
25608 };
25609
25610-static struct file_operations rpcrouter_router_fops = {
25611+static const struct file_operations rpcrouter_router_fops = {
25612 .owner = THIS_MODULE,
25613 .open = rpcrouter_open,
25614 .release = rpcrouter_release,
25615diff -urNp linux-2.6.32.9/drivers/staging/dst/dcore.c linux-2.6.32.9/drivers/staging/dst/dcore.c
25616--- linux-2.6.32.9/drivers/staging/dst/dcore.c 2010-02-09 07:57:19.000000000 -0500
25617+++ linux-2.6.32.9/drivers/staging/dst/dcore.c 2010-02-23 17:09:53.220509464 -0500
25618@@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
25619 return 0;
25620 }
25621
25622-static struct block_device_operations dst_blk_ops = {
25623+static const struct block_device_operations dst_blk_ops = {
25624 .open = dst_bdev_open,
25625 .release = dst_bdev_release,
25626 .owner = THIS_MODULE,
25627@@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
25628 n->size = ctl->size;
25629
25630 atomic_set(&n->refcnt, 1);
25631- atomic_long_set(&n->gen, 0);
25632+ atomic_long_set_unchecked(&n->gen, 0);
25633 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
25634
25635 err = dst_node_sysfs_init(n);
25636diff -urNp linux-2.6.32.9/drivers/staging/dst/trans.c linux-2.6.32.9/drivers/staging/dst/trans.c
25637--- linux-2.6.32.9/drivers/staging/dst/trans.c 2010-02-09 07:57:19.000000000 -0500
25638+++ linux-2.6.32.9/drivers/staging/dst/trans.c 2010-02-23 17:09:53.220509464 -0500
25639@@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
25640 t->error = 0;
25641 t->retries = 0;
25642 atomic_set(&t->refcnt, 1);
25643- t->gen = atomic_long_inc_return(&n->gen);
25644+ t->gen = atomic_long_inc_return_unchecked(&n->gen);
25645
25646 t->enc = bio_data_dir(bio);
25647 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
25648diff -urNp linux-2.6.32.9/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.9/drivers/staging/go7007/go7007-v4l2.c
25649--- linux-2.6.32.9/drivers/staging/go7007/go7007-v4l2.c 2010-02-09 07:57:19.000000000 -0500
25650+++ linux-2.6.32.9/drivers/staging/go7007/go7007-v4l2.c 2010-02-23 17:09:53.220509464 -0500
25651@@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
25652 return 0;
25653 }
25654
25655-static struct vm_operations_struct go7007_vm_ops = {
25656+static const struct vm_operations_struct go7007_vm_ops = {
25657 .open = go7007_vm_open,
25658 .close = go7007_vm_close,
25659 .fault = go7007_vm_fault,
25660diff -urNp linux-2.6.32.9/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.9/drivers/staging/hv/blkvsc_drv.c
25661--- linux-2.6.32.9/drivers/staging/hv/blkvsc_drv.c 2010-02-09 07:57:19.000000000 -0500
25662+++ linux-2.6.32.9/drivers/staging/hv/blkvsc_drv.c 2010-02-23 17:09:53.220509464 -0500
25663@@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
25664 /* The one and only one */
25665 static struct blkvsc_driver_context g_blkvsc_drv;
25666
25667-static struct block_device_operations block_ops = {
25668+static const struct block_device_operations block_ops = {
25669 .owner = THIS_MODULE,
25670 .open = blkvsc_open,
25671 .release = blkvsc_release,
25672diff -urNp linux-2.6.32.9/drivers/staging/panel/panel.c linux-2.6.32.9/drivers/staging/panel/panel.c
25673--- linux-2.6.32.9/drivers/staging/panel/panel.c 2010-02-09 07:57:19.000000000 -0500
25674+++ linux-2.6.32.9/drivers/staging/panel/panel.c 2010-02-23 17:09:53.224545810 -0500
25675@@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
25676 return 0;
25677 }
25678
25679-static struct file_operations lcd_fops = {
25680+static const struct file_operations lcd_fops = {
25681 .write = lcd_write,
25682 .open = lcd_open,
25683 .release = lcd_release,
25684@@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
25685 return 0;
25686 }
25687
25688-static struct file_operations keypad_fops = {
25689+static const struct file_operations keypad_fops = {
25690 .read = keypad_read, /* read */
25691 .open = keypad_open, /* open */
25692 .release = keypad_release, /* close */
25693diff -urNp linux-2.6.32.9/drivers/staging/phison/phison.c linux-2.6.32.9/drivers/staging/phison/phison.c
25694--- linux-2.6.32.9/drivers/staging/phison/phison.c 2010-02-09 07:57:19.000000000 -0500
25695+++ linux-2.6.32.9/drivers/staging/phison/phison.c 2010-02-23 17:09:53.224545810 -0500
25696@@ -43,7 +43,7 @@ static struct scsi_host_template phison_
25697 ATA_BMDMA_SHT(DRV_NAME),
25698 };
25699
25700-static struct ata_port_operations phison_ops = {
25701+static const struct ata_port_operations phison_ops = {
25702 .inherits = &ata_bmdma_port_ops,
25703 .prereset = phison_pre_reset,
25704 };
25705diff -urNp linux-2.6.32.9/drivers/staging/poch/poch.c linux-2.6.32.9/drivers/staging/poch/poch.c
25706--- linux-2.6.32.9/drivers/staging/poch/poch.c 2010-02-09 07:57:19.000000000 -0500
25707+++ linux-2.6.32.9/drivers/staging/poch/poch.c 2010-02-23 17:09:53.224545810 -0500
25708@@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
25709 return 0;
25710 }
25711
25712-static struct file_operations poch_fops = {
25713+static const struct file_operations poch_fops = {
25714 .owner = THIS_MODULE,
25715 .open = poch_open,
25716 .release = poch_release,
25717diff -urNp linux-2.6.32.9/drivers/staging/pohmelfs/inode.c linux-2.6.32.9/drivers/staging/pohmelfs/inode.c
25718--- linux-2.6.32.9/drivers/staging/pohmelfs/inode.c 2010-02-09 07:57:19.000000000 -0500
25719+++ linux-2.6.32.9/drivers/staging/pohmelfs/inode.c 2010-02-23 17:09:53.224545810 -0500
25720@@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
25721 mutex_init(&psb->mcache_lock);
25722 psb->mcache_root = RB_ROOT;
25723 psb->mcache_timeout = msecs_to_jiffies(5000);
25724- atomic_long_set(&psb->mcache_gen, 0);
25725+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
25726
25727 psb->trans_max_pages = 100;
25728
25729diff -urNp linux-2.6.32.9/drivers/staging/pohmelfs/mcache.c linux-2.6.32.9/drivers/staging/pohmelfs/mcache.c
25730--- linux-2.6.32.9/drivers/staging/pohmelfs/mcache.c 2010-02-09 07:57:19.000000000 -0500
25731+++ linux-2.6.32.9/drivers/staging/pohmelfs/mcache.c 2010-02-23 17:09:53.224545810 -0500
25732@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
25733 m->data = data;
25734 m->start = start;
25735 m->size = size;
25736- m->gen = atomic_long_inc_return(&psb->mcache_gen);
25737+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
25738
25739 mutex_lock(&psb->mcache_lock);
25740 err = pohmelfs_mcache_insert(psb, m);
25741diff -urNp linux-2.6.32.9/drivers/staging/pohmelfs/netfs.h linux-2.6.32.9/drivers/staging/pohmelfs/netfs.h
25742--- linux-2.6.32.9/drivers/staging/pohmelfs/netfs.h 2010-02-09 07:57:19.000000000 -0500
25743+++ linux-2.6.32.9/drivers/staging/pohmelfs/netfs.h 2010-02-23 17:09:53.224545810 -0500
25744@@ -570,7 +570,7 @@ struct pohmelfs_config;
25745 struct pohmelfs_sb {
25746 struct rb_root mcache_root;
25747 struct mutex mcache_lock;
25748- atomic_long_t mcache_gen;
25749+ atomic_long_unchecked_t mcache_gen;
25750 unsigned long mcache_timeout;
25751
25752 unsigned int idx;
25753diff -urNp linux-2.6.32.9/drivers/staging/sep/sep_driver.c linux-2.6.32.9/drivers/staging/sep/sep_driver.c
25754--- linux-2.6.32.9/drivers/staging/sep/sep_driver.c 2010-02-09 07:57:19.000000000 -0500
25755+++ linux-2.6.32.9/drivers/staging/sep/sep_driver.c 2010-02-23 17:09:53.224545810 -0500
25756@@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
25757 static dev_t sep_devno;
25758
25759 /* the files operations structure of the driver */
25760-static struct file_operations sep_file_operations = {
25761+static const struct file_operations sep_file_operations = {
25762 .owner = THIS_MODULE,
25763 .ioctl = sep_ioctl,
25764 .poll = sep_poll,
25765diff -urNp linux-2.6.32.9/drivers/staging/vme/devices/vme_user.c linux-2.6.32.9/drivers/staging/vme/devices/vme_user.c
25766--- linux-2.6.32.9/drivers/staging/vme/devices/vme_user.c 2010-02-09 07:57:19.000000000 -0500
25767+++ linux-2.6.32.9/drivers/staging/vme/devices/vme_user.c 2010-02-23 17:09:53.224545810 -0500
25768@@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
25769 static int __init vme_user_probe(struct device *, int, int);
25770 static int __exit vme_user_remove(struct device *, int, int);
25771
25772-static struct file_operations vme_user_fops = {
25773+static const struct file_operations vme_user_fops = {
25774 .open = vme_user_open,
25775 .release = vme_user_release,
25776 .read = vme_user_read,
25777diff -urNp linux-2.6.32.9/drivers/uio/uio.c linux-2.6.32.9/drivers/uio/uio.c
25778--- linux-2.6.32.9/drivers/uio/uio.c 2010-02-09 07:57:19.000000000 -0500
25779+++ linux-2.6.32.9/drivers/uio/uio.c 2010-02-23 17:09:53.224545810 -0500
25780@@ -129,7 +129,7 @@ static ssize_t map_type_show(struct kobj
25781 return entry->show(mem, buf);
25782 }
25783
25784-static struct sysfs_ops map_sysfs_ops = {
25785+static const struct sysfs_ops map_sysfs_ops = {
25786 .show = map_type_show,
25787 };
25788
25789@@ -217,7 +217,7 @@ static ssize_t portio_type_show(struct k
25790 return entry->show(port, buf);
25791 }
25792
25793-static struct sysfs_ops portio_sysfs_ops = {
25794+static const struct sysfs_ops portio_sysfs_ops = {
25795 .show = portio_type_show,
25796 };
25797
25798diff -urNp linux-2.6.32.9/drivers/usb/atm/usbatm.c linux-2.6.32.9/drivers/usb/atm/usbatm.c
25799--- linux-2.6.32.9/drivers/usb/atm/usbatm.c 2010-02-09 07:57:19.000000000 -0500
25800+++ linux-2.6.32.9/drivers/usb/atm/usbatm.c 2010-02-23 17:09:53.258048533 -0500
25801@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
25802 if (printk_ratelimit())
25803 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
25804 __func__, vpi, vci);
25805- atomic_inc(&vcc->stats->rx_err);
25806+ atomic_inc_unchecked(&vcc->stats->rx_err);
25807 return;
25808 }
25809
25810@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
25811 if (length > ATM_MAX_AAL5_PDU) {
25812 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
25813 __func__, length, vcc);
25814- atomic_inc(&vcc->stats->rx_err);
25815+ atomic_inc_unchecked(&vcc->stats->rx_err);
25816 goto out;
25817 }
25818
25819@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
25820 if (sarb->len < pdu_length) {
25821 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
25822 __func__, pdu_length, sarb->len, vcc);
25823- atomic_inc(&vcc->stats->rx_err);
25824+ atomic_inc_unchecked(&vcc->stats->rx_err);
25825 goto out;
25826 }
25827
25828 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
25829 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
25830 __func__, vcc);
25831- atomic_inc(&vcc->stats->rx_err);
25832+ atomic_inc_unchecked(&vcc->stats->rx_err);
25833 goto out;
25834 }
25835
25836@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
25837 if (printk_ratelimit())
25838 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
25839 __func__, length);
25840- atomic_inc(&vcc->stats->rx_drop);
25841+ atomic_inc_unchecked(&vcc->stats->rx_drop);
25842 goto out;
25843 }
25844
25845@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
25846
25847 vcc->push(vcc, skb);
25848
25849- atomic_inc(&vcc->stats->rx);
25850+ atomic_inc_unchecked(&vcc->stats->rx);
25851 out:
25852 skb_trim(sarb, 0);
25853 }
25854@@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
25855 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
25856
25857 usbatm_pop(vcc, skb);
25858- atomic_inc(&vcc->stats->tx);
25859+ atomic_inc_unchecked(&vcc->stats->tx);
25860
25861 skb = skb_dequeue(&instance->sndqueue);
25862 }
25863@@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
25864 if (!left--)
25865 return sprintf(page,
25866 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
25867- atomic_read(&atm_dev->stats.aal5.tx),
25868- atomic_read(&atm_dev->stats.aal5.tx_err),
25869- atomic_read(&atm_dev->stats.aal5.rx),
25870- atomic_read(&atm_dev->stats.aal5.rx_err),
25871- atomic_read(&atm_dev->stats.aal5.rx_drop));
25872+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
25873+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
25874+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
25875+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
25876+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
25877
25878 if (!left--) {
25879 if (instance->disconnected)
25880diff -urNp linux-2.6.32.9/drivers/usb/class/cdc-acm.c linux-2.6.32.9/drivers/usb/class/cdc-acm.c
25881--- linux-2.6.32.9/drivers/usb/class/cdc-acm.c 2010-02-09 07:57:19.000000000 -0500
25882+++ linux-2.6.32.9/drivers/usb/class/cdc-acm.c 2010-02-23 17:09:53.258048533 -0500
25883@@ -1534,7 +1534,7 @@ static struct usb_device_id acm_ids[] =
25884 USB_CDC_ACM_PROTO_AT_CDMA) },
25885
25886 /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
25887- { }
25888+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
25889 };
25890
25891 MODULE_DEVICE_TABLE(usb, acm_ids);
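Review bot: The positional terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` in `acm_ids[]` hard-codes the member count of `struct usb_device_id`, so any later change to that struct means editing every such table again, and the count cannot be checked by eye. A designated form such as `{ .match_flags = 0 }` is independent of the layout and, as far as I know, also avoids GCC's missing-field-initializer warning, which is presumably what the explicit zeros are for. The same pattern appears in the terminators of usblp.c, hub.c, ehci-pci.c, uhci-hcd.c, storage/usb.c and usual-tables.c; the ehci-pci.c and uhci-hcd.c hunks also lose the `/* end: all zeroes */` comment, which should be kept. The `acm_ids[]` array starts outside this hunk.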
25892diff -urNp linux-2.6.32.9/drivers/usb/class/usblp.c linux-2.6.32.9/drivers/usb/class/usblp.c
25893--- linux-2.6.32.9/drivers/usb/class/usblp.c 2010-02-09 07:57:19.000000000 -0500
25894+++ linux-2.6.32.9/drivers/usb/class/usblp.c 2010-02-23 17:09:53.258048533 -0500
25895@@ -228,7 +228,7 @@ static const struct quirk_printer_struct
25896 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
25897 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
25898 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
25899- { 0, 0 }
25900+ { 0, 0, 0 }
25901 };
25902
25903 static int usblp_wwait(struct usblp *usblp, int nonblock);
25904@@ -1412,7 +1412,7 @@ static struct usb_device_id usblp_ids []
25905 { USB_INTERFACE_INFO(7, 1, 2) },
25906 { USB_INTERFACE_INFO(7, 1, 3) },
25907 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
25908- { } /* Terminating entry */
25909+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
25910 };
25911
25912 MODULE_DEVICE_TABLE (usb, usblp_ids);
25913diff -urNp linux-2.6.32.9/drivers/usb/core/hcd.c linux-2.6.32.9/drivers/usb/core/hcd.c
25914--- linux-2.6.32.9/drivers/usb/core/hcd.c 2010-02-09 07:57:19.000000000 -0500
25915+++ linux-2.6.32.9/drivers/usb/core/hcd.c 2010-02-23 17:09:53.258048533 -0500
25916@@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
25917
25918 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
25919
25920-struct usb_mon_operations *mon_ops;
25921+const struct usb_mon_operations *mon_ops;
25922
25923 /*
25924 * The registration is unlocked.
25925@@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
25926 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
25927 */
25928
25929-int usb_mon_register (struct usb_mon_operations *ops)
25930+int usb_mon_register (const struct usb_mon_operations *ops)
25931 {
25932
25933 if (mon_ops)
25934diff -urNp linux-2.6.32.9/drivers/usb/core/hcd.h linux-2.6.32.9/drivers/usb/core/hcd.h
25935--- linux-2.6.32.9/drivers/usb/core/hcd.h 2010-02-09 07:57:19.000000000 -0500
25936+++ linux-2.6.32.9/drivers/usb/core/hcd.h 2010-02-23 17:09:53.258048533 -0500
25937@@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
25938 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
25939
25940 struct usb_mon_operations {
25941- void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
25942- void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
25943- void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
25944+ void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
25945+ void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
25946+ void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
25947 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
25948 };
25949
25950-extern struct usb_mon_operations *mon_ops;
25951+extern const struct usb_mon_operations *mon_ops;
25952
25953 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
25954 {
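Review bot: `mon_ops` is now a pointer to a const table, but the pointer itself stays writable, and nothing in the hunk says so. The `* const` members and the `const struct usb_mon_operations *` declaration make the table contents read-only, while registration still has to assign the pointer at run time. I would add a comment above the extern, `/* points to a read-only table; the pointer itself is assigned by usb_mon_register() and usb_mon_deregister() */`, so a reader does not take the global for fully constified. That both functions write it is inferred, since their bodies are outside the visible hunks. `usbmon_urb_submit()` begins at the end of this hunk and continues outside it.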
25955@@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
25956 (*mon_ops->urb_complete)(bus, urb, status);
25957 }
25958
25959-int usb_mon_register(struct usb_mon_operations *ops);
25960+int usb_mon_register(const struct usb_mon_operations *ops);
25961 void usb_mon_deregister(void);
25962
25963 #else
25964diff -urNp linux-2.6.32.9/drivers/usb/core/hub.c linux-2.6.32.9/drivers/usb/core/hub.c
25965--- linux-2.6.32.9/drivers/usb/core/hub.c 2010-02-09 07:57:19.000000000 -0500
25966+++ linux-2.6.32.9/drivers/usb/core/hub.c 2010-02-23 17:09:53.260755480 -0500
25967@@ -3385,7 +3385,7 @@ static struct usb_device_id hub_id_table
25968 .bDeviceClass = USB_CLASS_HUB},
25969 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
25970 .bInterfaceClass = USB_CLASS_HUB},
25971- { } /* Terminating entry */
25972+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
25973 };
25974
25975 MODULE_DEVICE_TABLE (usb, hub_id_table);
25976diff -urNp linux-2.6.32.9/drivers/usb/core/message.c linux-2.6.32.9/drivers/usb/core/message.c
25977--- linux-2.6.32.9/drivers/usb/core/message.c 2010-02-09 07:57:19.000000000 -0500
25978+++ linux-2.6.32.9/drivers/usb/core/message.c 2010-02-23 17:09:53.260755480 -0500
25979@@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
25980 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
25981 if (buf) {
25982 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
25983- if (len > 0) {
25984- smallbuf = kmalloc(++len, GFP_NOIO);
25985+ if (len++ > 0) {
25986+ smallbuf = kmalloc(len, GFP_NOIO);
25987 if (!smallbuf)
25988 return buf;
25989 memcpy(smallbuf, buf, len);
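Review bot: The rewritten test `if (len++ > 0)` hides the increment in the condition, so `len` is now also bumped when the result of `usb_string()` is zero or negative, and the reader has to work out that the allocation and the `memcpy()` below rely on the post-increment value. Keeping the test pure and incrementing inside the branch reads more plainly and still passes a side-effect-free argument to `kmalloc()`: `if (len > 0) {` then `len++;` then `smallbuf = kmalloc(len, GFP_NOIO);`. Whether `len` is read again after the branch cannot be seen here, because `usb_cache_string()` starts and ends outside the hunk.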
25990diff -urNp linux-2.6.32.9/drivers/usb/host/ehci-pci.c linux-2.6.32.9/drivers/usb/host/ehci-pci.c
25991--- linux-2.6.32.9/drivers/usb/host/ehci-pci.c 2010-02-09 07:57:19.000000000 -0500
25992+++ linux-2.6.32.9/drivers/usb/host/ehci-pci.c 2010-02-23 17:09:53.260755480 -0500
25993@@ -422,7 +422,7 @@ static const struct pci_device_id pci_id
25994 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
25995 .driver_data = (unsigned long) &ehci_pci_hc_driver,
25996 },
25997- { /* end: all zeroes */ }
25998+ { 0, 0, 0, 0, 0, 0, 0 }
25999 };
26000 MODULE_DEVICE_TABLE(pci, pci_ids);
26001
26002diff -urNp linux-2.6.32.9/drivers/usb/host/uhci-hcd.c linux-2.6.32.9/drivers/usb/host/uhci-hcd.c
26003--- linux-2.6.32.9/drivers/usb/host/uhci-hcd.c 2010-02-09 07:57:19.000000000 -0500
26004+++ linux-2.6.32.9/drivers/usb/host/uhci-hcd.c 2010-02-23 17:09:53.260755480 -0500
26005@@ -940,7 +940,7 @@ static const struct pci_device_id uhci_p
26006 /* handle any USB UHCI controller */
26007 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
26008 .driver_data = (unsigned long) &uhci_driver,
26009- }, { /* end: all zeroes */ }
26010+ }, { 0, 0, 0, 0, 0, 0, 0 }
26011 };
26012
26013 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
26014diff -urNp linux-2.6.32.9/drivers/usb/misc/appledisplay.c linux-2.6.32.9/drivers/usb/misc/appledisplay.c
26015--- linux-2.6.32.9/drivers/usb/misc/appledisplay.c 2010-02-09 07:57:19.000000000 -0500
26016+++ linux-2.6.32.9/drivers/usb/misc/appledisplay.c 2010-02-23 17:09:53.260755480 -0500
26017@@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
26018 return pdata->msgdata[1];
26019 }
26020
26021-static struct backlight_ops appledisplay_bl_data = {
26022+static const struct backlight_ops appledisplay_bl_data = {
26023 .get_brightness = appledisplay_bl_get_brightness,
26024 .update_status = appledisplay_bl_update_status,
26025 };
26026diff -urNp linux-2.6.32.9/drivers/usb/mon/mon_main.c linux-2.6.32.9/drivers/usb/mon/mon_main.c
26027--- linux-2.6.32.9/drivers/usb/mon/mon_main.c 2010-02-09 07:57:19.000000000 -0500
26028+++ linux-2.6.32.9/drivers/usb/mon/mon_main.c 2010-02-23 17:09:53.260755480 -0500
26029@@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
26030 /*
26031 * Ops
26032 */
26033-static struct usb_mon_operations mon_ops_0 = {
26034+static const struct usb_mon_operations mon_ops_0 = {
26035 .urb_submit = mon_submit,
26036 .urb_submit_error = mon_submit_error,
26037 .urb_complete = mon_complete,
26038diff -urNp linux-2.6.32.9/drivers/usb/storage/debug.h linux-2.6.32.9/drivers/usb/storage/debug.h
26039--- linux-2.6.32.9/drivers/usb/storage/debug.h 2010-02-09 07:57:19.000000000 -0500
26040+++ linux-2.6.32.9/drivers/usb/storage/debug.h 2010-02-23 17:09:53.260755480 -0500
26041@@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
26042 #define US_DEBUGPX(x...) printk( x )
26043 #define US_DEBUG(x) x
26044 #else
26045-#define US_DEBUGP(x...)
26046-#define US_DEBUGPX(x...)
26047-#define US_DEBUG(x)
26048+#define US_DEBUGP(x...) do {} while (0)
26049+#define US_DEBUGPX(x...) do {} while (0)
26050+#define US_DEBUG(x) do {} while (0)
26051 #endif
26052
26053 #endif
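Review bot: The non-debug `US_DEBUGP`, `US_DEBUGPX` and `US_DEBUG` now expand to `do {} while (0)`, which makes them usable only as statements, while the debug variants visible above still expand to `printk( x )` and to `x` itself; that contract is not written down anywhere in the hunk. A one-line comment in the `#else` branch would do, for example `/* statement-only stubs: keep a real body for "if (c) US_DEBUGP(...);" when debugging is off */`. A use of `US_DEBUG(x)` inside an expression would build with debugging on and fail with it off, so the comment should say that too.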
26054diff -urNp linux-2.6.32.9/drivers/usb/storage/usb.c linux-2.6.32.9/drivers/usb/storage/usb.c
26055--- linux-2.6.32.9/drivers/usb/storage/usb.c 2010-02-09 07:57:19.000000000 -0500
26056+++ linux-2.6.32.9/drivers/usb/storage/usb.c 2010-02-23 17:09:53.260755480 -0500
26057@@ -118,7 +118,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
26058
26059 static struct us_unusual_dev us_unusual_dev_list[] = {
26060 # include "unusual_devs.h"
26061- { } /* Terminating entry */
26062+ { NULL, NULL, 0, 0, NULL } /* Terminating entry */
26063 };
26064
26065 #undef UNUSUAL_DEV
26066diff -urNp linux-2.6.32.9/drivers/usb/storage/usual-tables.c linux-2.6.32.9/drivers/usb/storage/usual-tables.c
26067--- linux-2.6.32.9/drivers/usb/storage/usual-tables.c 2010-02-09 07:57:19.000000000 -0500
26068+++ linux-2.6.32.9/drivers/usb/storage/usual-tables.c 2010-02-23 17:09:53.260755480 -0500
26069@@ -48,7 +48,7 @@
26070
26071 struct usb_device_id usb_storage_usb_ids[] = {
26072 # include "unusual_devs.h"
26073- { } /* Terminating entry */
26074+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26075 };
26076 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
26077
26078diff -urNp linux-2.6.32.9/drivers/uwb/wlp/messages.c linux-2.6.32.9/drivers/uwb/wlp/messages.c
26079--- linux-2.6.32.9/drivers/uwb/wlp/messages.c 2010-02-09 07:57:19.000000000 -0500
26080+++ linux-2.6.32.9/drivers/uwb/wlp/messages.c 2010-02-23 17:09:53.260755480 -0500
26081@@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
26082 size_t len = skb->len;
26083 size_t used;
26084 ssize_t result;
26085- struct wlp_nonce enonce, rnonce;
26086+ struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
26087 enum wlp_assc_error assc_err;
26088 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
26089 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
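Review bot: The new initialisers `enonce = {{0}}, rnonce = {{0}}` carry no comment, and the hunk does not show which path could read the two nonces before they are filled in. If the intent is that no stale stack bytes reach the code that formats them into `enonce_buf` and `rnonce_buf` (an assumption, since the uses are outside the hunk), say so next to the declaration, e.g. `/* zeroed so a failed parse never formats uninitialised stack data */`. `wlp_parse_f0()` starts and ends outside the hunk.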
26090diff -urNp linux-2.6.32.9/drivers/uwb/wlp/sysfs.c linux-2.6.32.9/drivers/uwb/wlp/sysfs.c
26091--- linux-2.6.32.9/drivers/uwb/wlp/sysfs.c 2010-02-09 07:57:19.000000000 -0500
26092+++ linux-2.6.32.9/drivers/uwb/wlp/sysfs.c 2010-02-23 17:09:53.263724942 -0500
26093@@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
26094 return ret;
26095 }
26096
26097-static
26098-struct sysfs_ops wss_sysfs_ops = {
26099+static const struct sysfs_ops wss_sysfs_ops = {
26100 .show = wlp_wss_attr_show,
26101 .store = wlp_wss_attr_store,
26102 };
26103diff -urNp linux-2.6.32.9/drivers/video/atmel_lcdfb.c linux-2.6.32.9/drivers/video/atmel_lcdfb.c
26104--- linux-2.6.32.9/drivers/video/atmel_lcdfb.c 2010-02-09 07:57:19.000000000 -0500
26105+++ linux-2.6.32.9/drivers/video/atmel_lcdfb.c 2010-02-23 17:09:53.263724942 -0500
26106@@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
26107 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
26108 }
26109
26110-static struct backlight_ops atmel_lcdc_bl_ops = {
26111+static const struct backlight_ops atmel_lcdc_bl_ops = {
26112 .update_status = atmel_bl_update_status,
26113 .get_brightness = atmel_bl_get_brightness,
26114 };
26115diff -urNp linux-2.6.32.9/drivers/video/aty/aty128fb.c linux-2.6.32.9/drivers/video/aty/aty128fb.c
26116--- linux-2.6.32.9/drivers/video/aty/aty128fb.c 2010-02-09 07:57:19.000000000 -0500
26117+++ linux-2.6.32.9/drivers/video/aty/aty128fb.c 2010-02-23 17:09:53.263724942 -0500
26118@@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
26119 return bd->props.brightness;
26120 }
26121
26122-static struct backlight_ops aty128_bl_data = {
26123+static const struct backlight_ops aty128_bl_data = {
26124 .get_brightness = aty128_bl_get_brightness,
26125 .update_status = aty128_bl_update_status,
26126 };
26127diff -urNp linux-2.6.32.9/drivers/video/aty/atyfb_base.c linux-2.6.32.9/drivers/video/aty/atyfb_base.c
26128--- linux-2.6.32.9/drivers/video/aty/atyfb_base.c 2010-02-09 07:57:19.000000000 -0500
26129+++ linux-2.6.32.9/drivers/video/aty/atyfb_base.c 2010-02-23 17:09:53.263724942 -0500
26130@@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
26131 return bd->props.brightness;
26132 }
26133
26134-static struct backlight_ops aty_bl_data = {
26135+static const struct backlight_ops aty_bl_data = {
26136 .get_brightness = aty_bl_get_brightness,
26137 .update_status = aty_bl_update_status,
26138 };
26139diff -urNp linux-2.6.32.9/drivers/video/aty/radeon_backlight.c linux-2.6.32.9/drivers/video/aty/radeon_backlight.c
26140--- linux-2.6.32.9/drivers/video/aty/radeon_backlight.c 2010-02-09 07:57:19.000000000 -0500
26141+++ linux-2.6.32.9/drivers/video/aty/radeon_backlight.c 2010-02-23 17:09:53.263724942 -0500
26142@@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
26143 return bd->props.brightness;
26144 }
26145
26146-static struct backlight_ops radeon_bl_data = {
26147+static const struct backlight_ops radeon_bl_data = {
26148 .get_brightness = radeon_bl_get_brightness,
26149 .update_status = radeon_bl_update_status,
26150 };
26151diff -urNp linux-2.6.32.9/drivers/video/backlight/adp5520_bl.c linux-2.6.32.9/drivers/video/backlight/adp5520_bl.c
26152--- linux-2.6.32.9/drivers/video/backlight/adp5520_bl.c 2010-02-09 07:57:19.000000000 -0500
26153+++ linux-2.6.32.9/drivers/video/backlight/adp5520_bl.c 2010-02-23 17:09:53.263724942 -0500
26154@@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
26155 return error ? data->current_brightness : reg_val;
26156 }
26157
26158-static struct backlight_ops adp5520_bl_ops = {
26159+static const struct backlight_ops adp5520_bl_ops = {
26160 .update_status = adp5520_bl_update_status,
26161 .get_brightness = adp5520_bl_get_brightness,
26162 };
26163diff -urNp linux-2.6.32.9/drivers/video/backlight/adx_bl.c linux-2.6.32.9/drivers/video/backlight/adx_bl.c
26164--- linux-2.6.32.9/drivers/video/backlight/adx_bl.c 2010-02-09 07:57:19.000000000 -0500
26165+++ linux-2.6.32.9/drivers/video/backlight/adx_bl.c 2010-02-23 17:09:53.263724942 -0500
26166@@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
26167 return 1;
26168 }
26169
26170-static struct backlight_ops adx_backlight_ops = {
26171+static const struct backlight_ops adx_backlight_ops = {
26172 .options = 0,
26173 .update_status = adx_backlight_update_status,
26174 .get_brightness = adx_backlight_get_brightness,
26175diff -urNp linux-2.6.32.9/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.9/drivers/video/backlight/atmel-pwm-bl.c
26176--- linux-2.6.32.9/drivers/video/backlight/atmel-pwm-bl.c 2010-02-09 07:57:19.000000000 -0500
26177+++ linux-2.6.32.9/drivers/video/backlight/atmel-pwm-bl.c 2010-02-23 17:09:53.263724942 -0500
26178@@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
26179 return pwm_channel_enable(&pwmbl->pwmc);
26180 }
26181
26182-static struct backlight_ops atmel_pwm_bl_ops = {
26183+static const struct backlight_ops atmel_pwm_bl_ops = {
26184 .get_brightness = atmel_pwm_bl_get_intensity,
26185 .update_status = atmel_pwm_bl_set_intensity,
26186 };
26187diff -urNp linux-2.6.32.9/drivers/video/backlight/backlight.c linux-2.6.32.9/drivers/video/backlight/backlight.c
26188--- linux-2.6.32.9/drivers/video/backlight/backlight.c 2010-02-09 07:57:19.000000000 -0500
26189+++ linux-2.6.32.9/drivers/video/backlight/backlight.c 2010-02-23 17:09:53.263724942 -0500
26190@@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
26191 * ERR_PTR() or a pointer to the newly allocated device.
26192 */
26193 struct backlight_device *backlight_device_register(const char *name,
26194- struct device *parent, void *devdata, struct backlight_ops *ops)
26195+ struct device *parent, void *devdata, const struct backlight_ops *ops)
26196 {
26197 struct backlight_device *new_bd;
26198 int rc;
26199diff -urNp linux-2.6.32.9/drivers/video/backlight/corgi_lcd.c linux-2.6.32.9/drivers/video/backlight/corgi_lcd.c
26200--- linux-2.6.32.9/drivers/video/backlight/corgi_lcd.c 2010-02-09 07:57:19.000000000 -0500
26201+++ linux-2.6.32.9/drivers/video/backlight/corgi_lcd.c 2010-02-23 17:09:53.263724942 -0500
26202@@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
26203 }
26204 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
26205
26206-static struct backlight_ops corgi_bl_ops = {
26207+static const struct backlight_ops corgi_bl_ops = {
26208 .get_brightness = corgi_bl_get_intensity,
26209 .update_status = corgi_bl_update_status,
26210 };
26211diff -urNp linux-2.6.32.9/drivers/video/backlight/cr_bllcd.c linux-2.6.32.9/drivers/video/backlight/cr_bllcd.c
26212--- linux-2.6.32.9/drivers/video/backlight/cr_bllcd.c 2010-02-09 07:57:19.000000000 -0500
26213+++ linux-2.6.32.9/drivers/video/backlight/cr_bllcd.c 2010-02-23 17:09:53.263724942 -0500
26214@@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
26215 return intensity;
26216 }
26217
26218-static struct backlight_ops cr_backlight_ops = {
26219+static const struct backlight_ops cr_backlight_ops = {
26220 .get_brightness = cr_backlight_get_intensity,
26221 .update_status = cr_backlight_set_intensity,
26222 };
26223diff -urNp linux-2.6.32.9/drivers/video/backlight/da903x_bl.c linux-2.6.32.9/drivers/video/backlight/da903x_bl.c
26224--- linux-2.6.32.9/drivers/video/backlight/da903x_bl.c 2010-02-09 07:57:19.000000000 -0500
26225+++ linux-2.6.32.9/drivers/video/backlight/da903x_bl.c 2010-02-23 17:09:53.263724942 -0500
26226@@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
26227 return data->current_brightness;
26228 }
26229
26230-static struct backlight_ops da903x_backlight_ops = {
26231+static const struct backlight_ops da903x_backlight_ops = {
26232 .update_status = da903x_backlight_update_status,
26233 .get_brightness = da903x_backlight_get_brightness,
26234 };
26235diff -urNp linux-2.6.32.9/drivers/video/backlight/generic_bl.c linux-2.6.32.9/drivers/video/backlight/generic_bl.c
26236--- linux-2.6.32.9/drivers/video/backlight/generic_bl.c 2010-02-09 07:57:19.000000000 -0500
26237+++ linux-2.6.32.9/drivers/video/backlight/generic_bl.c 2010-02-23 17:09:53.263724942 -0500
26238@@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
26239 }
26240 EXPORT_SYMBOL(corgibl_limit_intensity);
26241
26242-static struct backlight_ops genericbl_ops = {
26243+static const struct backlight_ops genericbl_ops = {
26244 .options = BL_CORE_SUSPENDRESUME,
26245 .get_brightness = genericbl_get_intensity,
26246 .update_status = genericbl_send_intensity,
26247diff -urNp linux-2.6.32.9/drivers/video/backlight/hp680_bl.c linux-2.6.32.9/drivers/video/backlight/hp680_bl.c
26248--- linux-2.6.32.9/drivers/video/backlight/hp680_bl.c 2010-02-09 07:57:19.000000000 -0500
26249+++ linux-2.6.32.9/drivers/video/backlight/hp680_bl.c 2010-02-23 17:09:53.263724942 -0500
26250@@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
26251 return current_intensity;
26252 }
26253
26254-static struct backlight_ops hp680bl_ops = {
26255+static const struct backlight_ops hp680bl_ops = {
26256 .get_brightness = hp680bl_get_intensity,
26257 .update_status = hp680bl_set_intensity,
26258 };
26259diff -urNp linux-2.6.32.9/drivers/video/backlight/jornada720_bl.c linux-2.6.32.9/drivers/video/backlight/jornada720_bl.c
26260--- linux-2.6.32.9/drivers/video/backlight/jornada720_bl.c 2010-02-09 07:57:19.000000000 -0500
26261+++ linux-2.6.32.9/drivers/video/backlight/jornada720_bl.c 2010-02-23 17:09:53.263724942 -0500
26262@@ -93,7 +93,7 @@ out:
26263 return ret;
26264 }
26265
26266-static struct backlight_ops jornada_bl_ops = {
26267+static const struct backlight_ops jornada_bl_ops = {
26268 .get_brightness = jornada_bl_get_brightness,
26269 .update_status = jornada_bl_update_status,
26270 .options = BL_CORE_SUSPENDRESUME,
26271diff -urNp linux-2.6.32.9/drivers/video/backlight/kb3886_bl.c linux-2.6.32.9/drivers/video/backlight/kb3886_bl.c
26272--- linux-2.6.32.9/drivers/video/backlight/kb3886_bl.c 2010-02-09 07:57:19.000000000 -0500
26273+++ linux-2.6.32.9/drivers/video/backlight/kb3886_bl.c 2010-02-23 17:09:53.263724942 -0500
26274@@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
26275 return kb3886bl_intensity;
26276 }
26277
26278-static struct backlight_ops kb3886bl_ops = {
26279+static const struct backlight_ops kb3886bl_ops = {
26280 .get_brightness = kb3886bl_get_intensity,
26281 .update_status = kb3886bl_send_intensity,
26282 };
26283diff -urNp linux-2.6.32.9/drivers/video/backlight/locomolcd.c linux-2.6.32.9/drivers/video/backlight/locomolcd.c
26284--- linux-2.6.32.9/drivers/video/backlight/locomolcd.c 2010-02-09 07:57:19.000000000 -0500
26285+++ linux-2.6.32.9/drivers/video/backlight/locomolcd.c 2010-02-23 17:09:53.263724942 -0500
26286@@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
26287 return current_intensity;
26288 }
26289
26290-static struct backlight_ops locomobl_data = {
26291+static const struct backlight_ops locomobl_data = {
26292 .get_brightness = locomolcd_get_intensity,
26293 .update_status = locomolcd_set_intensity,
26294 };
26295diff -urNp linux-2.6.32.9/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.9/drivers/video/backlight/mbp_nvidia_bl.c
26296--- linux-2.6.32.9/drivers/video/backlight/mbp_nvidia_bl.c 2010-02-09 07:57:19.000000000 -0500
26297+++ linux-2.6.32.9/drivers/video/backlight/mbp_nvidia_bl.c 2010-02-23 17:09:53.263724942 -0500
26298@@ -33,7 +33,7 @@ struct dmi_match_data {
26299 unsigned long iostart;
26300 unsigned long iolen;
26301 /* Backlight operations structure. */
26302- struct backlight_ops backlight_ops;
26303+ const struct backlight_ops backlight_ops;
26304 };
26305
26306 /* Module parameters. */
26307diff -urNp linux-2.6.32.9/drivers/video/backlight/omap1_bl.c linux-2.6.32.9/drivers/video/backlight/omap1_bl.c
26308--- linux-2.6.32.9/drivers/video/backlight/omap1_bl.c 2010-02-09 07:57:19.000000000 -0500
26309+++ linux-2.6.32.9/drivers/video/backlight/omap1_bl.c 2010-02-23 17:09:53.263724942 -0500
26310@@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
26311 return bl->current_intensity;
26312 }
26313
26314-static struct backlight_ops omapbl_ops = {
26315+static const struct backlight_ops omapbl_ops = {
26316 .get_brightness = omapbl_get_intensity,
26317 .update_status = omapbl_update_status,
26318 };
26319diff -urNp linux-2.6.32.9/drivers/video/backlight/progear_bl.c linux-2.6.32.9/drivers/video/backlight/progear_bl.c
26320--- linux-2.6.32.9/drivers/video/backlight/progear_bl.c 2010-02-09 07:57:19.000000000 -0500
26321+++ linux-2.6.32.9/drivers/video/backlight/progear_bl.c 2010-02-23 17:09:53.263724942 -0500
26322@@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
26323 return intensity - HW_LEVEL_MIN;
26324 }
26325
26326-static struct backlight_ops progearbl_ops = {
26327+static const struct backlight_ops progearbl_ops = {
26328 .get_brightness = progearbl_get_intensity,
26329 .update_status = progearbl_set_intensity,
26330 };
26331diff -urNp linux-2.6.32.9/drivers/video/backlight/pwm_bl.c linux-2.6.32.9/drivers/video/backlight/pwm_bl.c
26332--- linux-2.6.32.9/drivers/video/backlight/pwm_bl.c 2010-02-09 07:57:19.000000000 -0500
26333+++ linux-2.6.32.9/drivers/video/backlight/pwm_bl.c 2010-02-23 17:09:53.263724942 -0500
26334@@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
26335 return bl->props.brightness;
26336 }
26337
26338-static struct backlight_ops pwm_backlight_ops = {
26339+static const struct backlight_ops pwm_backlight_ops = {
26340 .update_status = pwm_backlight_update_status,
26341 .get_brightness = pwm_backlight_get_brightness,
26342 };
26343diff -urNp linux-2.6.32.9/drivers/video/backlight/tosa_bl.c linux-2.6.32.9/drivers/video/backlight/tosa_bl.c
26344--- linux-2.6.32.9/drivers/video/backlight/tosa_bl.c 2010-02-09 07:57:19.000000000 -0500
26345+++ linux-2.6.32.9/drivers/video/backlight/tosa_bl.c 2010-02-23 17:09:53.268343828 -0500
26346@@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
26347 return props->brightness;
26348 }
26349
26350-static struct backlight_ops bl_ops = {
26351+static const struct backlight_ops bl_ops = {
26352 .get_brightness = tosa_bl_get_brightness,
26353 .update_status = tosa_bl_update_status,
26354 };
26355diff -urNp linux-2.6.32.9/drivers/video/backlight/wm831x_bl.c linux-2.6.32.9/drivers/video/backlight/wm831x_bl.c
26356--- linux-2.6.32.9/drivers/video/backlight/wm831x_bl.c 2010-02-09 07:57:19.000000000 -0500
26357+++ linux-2.6.32.9/drivers/video/backlight/wm831x_bl.c 2010-02-23 17:09:53.268343828 -0500
26358@@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
26359 return data->current_brightness;
26360 }
26361
26362-static struct backlight_ops wm831x_backlight_ops = {
26363+static const struct backlight_ops wm831x_backlight_ops = {
26364 .options = BL_CORE_SUSPENDRESUME,
26365 .update_status = wm831x_backlight_update_status,
26366 .get_brightness = wm831x_backlight_get_brightness,
26367diff -urNp linux-2.6.32.9/drivers/video/bf54x-lq043fb.c linux-2.6.32.9/drivers/video/bf54x-lq043fb.c
26368--- linux-2.6.32.9/drivers/video/bf54x-lq043fb.c 2010-02-09 07:57:19.000000000 -0500
26369+++ linux-2.6.32.9/drivers/video/bf54x-lq043fb.c 2010-02-23 17:09:53.268343828 -0500
26370@@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
26371 return 0;
26372 }
26373
26374-static struct backlight_ops bfin_lq043fb_bl_ops = {
26375+static const struct backlight_ops bfin_lq043fb_bl_ops = {
26376 .get_brightness = bl_get_brightness,
26377 };
26378
26379diff -urNp linux-2.6.32.9/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.9/drivers/video/bfin-t350mcqb-fb.c
26380--- linux-2.6.32.9/drivers/video/bfin-t350mcqb-fb.c 2010-02-09 07:57:19.000000000 -0500
26381+++ linux-2.6.32.9/drivers/video/bfin-t350mcqb-fb.c 2010-02-23 17:09:53.268343828 -0500
26382@@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
26383 return 0;
26384 }
26385
26386-static struct backlight_ops bfin_lq043fb_bl_ops = {
26387+static const struct backlight_ops bfin_lq043fb_bl_ops = {
26388 .get_brightness = bl_get_brightness,
26389 };
26390
26391diff -urNp linux-2.6.32.9/drivers/video/fbmem.c linux-2.6.32.9/drivers/video/fbmem.c
26392--- linux-2.6.32.9/drivers/video/fbmem.c 2010-02-09 07:57:19.000000000 -0500
26393+++ linux-2.6.32.9/drivers/video/fbmem.c 2010-02-23 17:09:53.268343828 -0500
26394@@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
26395 image->dx += image->width + 8;
26396 }
26397 } else if (rotate == FB_ROTATE_UD) {
26398- for (x = 0; x < num && image->dx >= 0; x++) {
26399+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
26400 info->fbops->fb_imageblit(info, image);
26401 image->dx -= image->width + 8;
26402 }
26403@@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
26404 image->dy += image->height + 8;
26405 }
26406 } else if (rotate == FB_ROTATE_CCW) {
26407- for (x = 0; x < num && image->dy >= 0; x++) {
26408+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
26409 info->fbops->fb_imageblit(info, image);
26410 image->dy -= image->height + 8;
26411 }
26412@@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
26413 return -EFAULT;
26414 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
26415 return -EINVAL;
26416- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
26417+ if (con2fb.framebuffer >= FB_MAX)
26418 return -EINVAL;
26419 if (!registered_fb[con2fb.framebuffer])
26420 request_module("fb%d", con2fb.framebuffer);
26421diff -urNp linux-2.6.32.9/drivers/video/fbmon.c linux-2.6.32.9/drivers/video/fbmon.c
26422--- linux-2.6.32.9/drivers/video/fbmon.c 2010-02-09 07:57:19.000000000 -0500
26423+++ linux-2.6.32.9/drivers/video/fbmon.c 2010-02-23 17:09:53.268343828 -0500
26424@@ -45,7 +45,7 @@
26425 #ifdef DEBUG
26426 #define DPRINTK(fmt, args...) printk(fmt,## args)
26427 #else
26428-#define DPRINTK(fmt, args...)
26429+#define DPRINTK(fmt, args...) do {} while (0)
26430 #endif
26431
26432 #define FBMON_FIX_HEADER 1
26433diff -urNp linux-2.6.32.9/drivers/video/i810/i810_accel.c linux-2.6.32.9/drivers/video/i810/i810_accel.c
26434--- linux-2.6.32.9/drivers/video/i810/i810_accel.c 2010-02-09 07:57:19.000000000 -0500
26435+++ linux-2.6.32.9/drivers/video/i810/i810_accel.c 2010-02-23 17:09:53.268343828 -0500
26436@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
26437 }
26438 }
26439 printk("ringbuffer lockup!!!\n");
26440+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
26441 i810_report_error(mmio);
26442 par->dev_flags |= LOCKUP;
26443 info->pixmap.scan_align = 1;
26444diff -urNp linux-2.6.32.9/drivers/video/i810/i810_main.c linux-2.6.32.9/drivers/video/i810/i810_main.c
26445--- linux-2.6.32.9/drivers/video/i810/i810_main.c 2010-02-09 07:57:19.000000000 -0500
26446+++ linux-2.6.32.9/drivers/video/i810/i810_main.c 2010-02-23 17:09:53.268343828 -0500
26447@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
26448 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
26449 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
26450 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
26451- { 0 },
26452+ { 0, 0, 0, 0, 0, 0, 0 },
26453 };
26454
26455 static struct pci_driver i810fb_driver = {
26456diff -urNp linux-2.6.32.9/drivers/video/modedb.c linux-2.6.32.9/drivers/video/modedb.c
26457--- linux-2.6.32.9/drivers/video/modedb.c 2010-02-09 07:57:19.000000000 -0500
26458+++ linux-2.6.32.9/drivers/video/modedb.c 2010-02-23 17:09:53.268343828 -0500
26459@@ -38,240 +38,240 @@ static const struct fb_videomode modedb[
26460 {
26461 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
26462 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
26463- 0, FB_VMODE_NONINTERLACED
26464+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26465 }, {
26466 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
26467 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
26468- 0, FB_VMODE_NONINTERLACED
26469+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26470 }, {
26471 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
26472 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
26473- 0, FB_VMODE_NONINTERLACED
26474+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26475 }, {
26476 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
26477 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
26478- 0, FB_VMODE_INTERLACED
26479+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26480 }, {
26481 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
26482 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
26483- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26484+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26485 }, {
26486 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
26487 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
26488- 0, FB_VMODE_NONINTERLACED
26489+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26490 }, {
26491 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
26492 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
26493- 0, FB_VMODE_NONINTERLACED
26494+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26495 }, {
26496 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
26497 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
26498- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26499+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26500 }, {
26501 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
26502 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
26503- 0, FB_VMODE_NONINTERLACED
26504+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26505 }, {
26506 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
26507 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
26508- 0, FB_VMODE_INTERLACED
26509+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26510 }, {
26511 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
26512 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
26513- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26514+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26515 }, {
26516 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
26517 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
26518- 0, FB_VMODE_NONINTERLACED
26519+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26520 }, {
26521 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
26522 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
26523- 0, FB_VMODE_NONINTERLACED
26524+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26525 }, {
26526 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
26527 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
26528- 0, FB_VMODE_NONINTERLACED
26529+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26530 }, {
26531 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
26532 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
26533- 0, FB_VMODE_NONINTERLACED
26534+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26535 }, {
26536 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
26537 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
26538- 0, FB_VMODE_NONINTERLACED
26539+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26540 }, {
26541 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
26542 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
26543- 0, FB_VMODE_INTERLACED
26544+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26545 }, {
26546 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
26547 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
26548- 0, FB_VMODE_NONINTERLACED
26549+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26550 }, {
26551 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
26552 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
26553- 0, FB_VMODE_NONINTERLACED
26554+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26555 }, {
26556 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
26557 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
26558- 0, FB_VMODE_NONINTERLACED
26559+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26560 }, {
26561 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
26562 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
26563- 0, FB_VMODE_NONINTERLACED
26564+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26565 }, {
26566 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
26567 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
26568- 0, FB_VMODE_NONINTERLACED
26569+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26570 }, {
26571 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
26572 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
26573- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26574+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26575 }, {
26576 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
26577 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
26578- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26579+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26580 }, {
26581 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
26582 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
26583- 0, FB_VMODE_NONINTERLACED
26584+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26585 }, {
26586 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
26587 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
26588- 0, FB_VMODE_NONINTERLACED
26589+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26590 }, {
26591 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
26592 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
26593- 0, FB_VMODE_NONINTERLACED
26594+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26595 }, {
26596 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
26597 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
26598- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26599+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26600 }, {
26601 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
26602 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
26603- 0, FB_VMODE_NONINTERLACED
26604+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26605 }, {
26606 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
26607 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
26608- 0, FB_VMODE_NONINTERLACED
26609+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26610 }, {
26611 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
26612 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
26613- 0, FB_VMODE_NONINTERLACED
26614+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26615 }, {
26616 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
26617 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
26618- 0, FB_VMODE_NONINTERLACED
26619+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26620 }, {
26621 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
26622 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
26623- 0, FB_VMODE_NONINTERLACED
26624+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26625 }, {
26626 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
26627 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
26628- 0, FB_VMODE_NONINTERLACED
26629+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26630 }, {
26631 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
26632 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
26633- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26634+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26635 }, {
26636 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
26637 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
26638- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26639+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26640 }, {
26641 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
26642 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
26643- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26644+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26645 }, {
26646 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
26647 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
26648- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26649+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26650 }, {
26651 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
26652 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
26653- 0, FB_VMODE_NONINTERLACED
26654+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26655 }, {
26656 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
26657 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
26658- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26659+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26660 }, {
26661 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
26662 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
26663- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26664+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26665 }, {
26666 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
26667 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
26668- 0, FB_VMODE_NONINTERLACED
26669+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26670 }, {
26671 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
26672 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
26673- 0, FB_VMODE_NONINTERLACED
26674+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26675 }, {
26676 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
26677 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
26678- 0, FB_VMODE_DOUBLE
26679+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26680 }, {
26681 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
26682 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
26683- 0, FB_VMODE_DOUBLE
26684+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26685 }, {
26686 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
26687 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
26688- 0, FB_VMODE_DOUBLE
26689+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26690 }, {
26691 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
26692 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
26693- 0, FB_VMODE_DOUBLE
26694+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26695 }, {
26696 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
26697 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
26698- 0, FB_VMODE_DOUBLE
26699+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26700 }, {
26701 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
26702 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
26703- 0, FB_VMODE_DOUBLE
26704+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26705 }, {
26706 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
26707 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
26708- 0, FB_VMODE_DOUBLE
26709+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26710 }, {
26711 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
26712 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
26713- 0, FB_VMODE_DOUBLE
26714+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26715 }, {
26716 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
26717 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
26718- 0, FB_VMODE_DOUBLE
26719+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26720 }, {
26721 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
26722 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
26723- 0, FB_VMODE_DOUBLE
26724+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26725 }, {
26726 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
26727 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
26728 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
26729- FB_VMODE_NONINTERLACED
26730+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26731 }, {
26732 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
26733 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
26734- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26735+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26736 }, {
26737 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
26738 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
26739- 0, FB_VMODE_NONINTERLACED
26740+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26741 }, {
26742 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
26743 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
26744- 0, FB_VMODE_NONINTERLACED
26745+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26746 }, {
26747 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26748 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
26749- 0, FB_VMODE_INTERLACED
26750+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26751 }, {
26752 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26753 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
26754- 0, FB_VMODE_INTERLACED
26755+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26756 },
26757 };
26758
26759diff -urNp linux-2.6.32.9/drivers/video/nvidia/nv_backlight.c linux-2.6.32.9/drivers/video/nvidia/nv_backlight.c
26760--- linux-2.6.32.9/drivers/video/nvidia/nv_backlight.c 2010-02-09 07:57:19.000000000 -0500
26761+++ linux-2.6.32.9/drivers/video/nvidia/nv_backlight.c 2010-02-23 17:09:53.268343828 -0500
26762@@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
26763 return bd->props.brightness;
26764 }
26765
26766-static struct backlight_ops nvidia_bl_ops = {
26767+static const struct backlight_ops nvidia_bl_ops = {
26768 .get_brightness = nvidia_bl_get_brightness,
26769 .update_status = nvidia_bl_update_status,
26770 };
26771diff -urNp linux-2.6.32.9/drivers/video/riva/fbdev.c linux-2.6.32.9/drivers/video/riva/fbdev.c
26772--- linux-2.6.32.9/drivers/video/riva/fbdev.c 2010-02-09 07:57:19.000000000 -0500
26773+++ linux-2.6.32.9/drivers/video/riva/fbdev.c 2010-02-23 17:09:53.268343828 -0500
26774@@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
26775 return bd->props.brightness;
26776 }
26777
26778-static struct backlight_ops riva_bl_ops = {
26779+static const struct backlight_ops riva_bl_ops = {
26780 .get_brightness = riva_bl_get_brightness,
26781 .update_status = riva_bl_update_status,
26782 };
26783diff -urNp linux-2.6.32.9/drivers/video/uvesafb.c linux-2.6.32.9/drivers/video/uvesafb.c
26784--- linux-2.6.32.9/drivers/video/uvesafb.c 2010-02-09 07:57:19.000000000 -0500
26785+++ linux-2.6.32.9/drivers/video/uvesafb.c 2010-02-23 17:09:53.268343828 -0500
26786@@ -18,6 +18,7 @@
26787 #include <linux/fb.h>
26788 #include <linux/io.h>
26789 #include <linux/mutex.h>
26790+#include <linux/moduleloader.h>
26791 #include <video/edid.h>
26792 #include <video/uvesafb.h>
26793 #ifdef CONFIG_X86
26794@@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
26795 NULL,
26796 };
26797
26798- return call_usermodehelper(v86d_path, argv, envp, 1);
26799+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
26800 }
26801
26802 /*
26803@@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
26804 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
26805 par->pmi_setpal = par->ypan = 0;
26806 } else {
26807+
26808+#ifdef CONFIG_PAX_KERNEXEC
26809+#ifdef CONFIG_MODULES
26810+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
26811+#endif
26812+ if (!par->pmi_code) {
26813+ par->pmi_setpal = par->ypan = 0;
26814+ return 0;
26815+ }
26816+#endif
26817+
26818 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
26819 + task->t.regs.edi);
26820+
26821+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26822+ pax_open_kernel();
26823+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
26824+ pax_close_kernel();
26825+
26826+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
26827+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
26828+#else
26829 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
26830 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
26831+#endif
26832+
26833 printk(KERN_INFO "uvesafb: protected mode interface info at "
26834 "%04x:%04x\n",
26835 (u16)task->t.regs.es, (u16)task->t.regs.edi);
26836@@ -1799,6 +1822,11 @@ out:
26837 if (par->vbe_modes)
26838 kfree(par->vbe_modes);
26839
26840+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26841+ if (par->pmi_code)
26842+ module_free_exec(NULL, par->pmi_code);
26843+#endif
26844+
26845 framebuffer_release(info);
26846 return err;
26847 }
26848@@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
26849 kfree(par->vbe_state_orig);
26850 if (par->vbe_state_saved)
26851 kfree(par->vbe_state_saved);
26852+
26853+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26854+ if (par->pmi_code)
26855+ module_free_exec(NULL, par->pmi_code);
26856+#endif
26857+
26858 }
26859
26860 framebuffer_release(info);
26861diff -urNp linux-2.6.32.9/drivers/video/vesafb.c linux-2.6.32.9/drivers/video/vesafb.c
26862--- linux-2.6.32.9/drivers/video/vesafb.c 2010-02-09 07:57:19.000000000 -0500
26863+++ linux-2.6.32.9/drivers/video/vesafb.c 2010-02-23 17:09:53.268343828 -0500
26864@@ -9,6 +9,7 @@
26865 */
26866
26867 #include <linux/module.h>
26868+#include <linux/moduleloader.h>
26869 #include <linux/kernel.h>
26870 #include <linux/errno.h>
26871 #include <linux/string.h>
26872@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
26873 static int vram_total __initdata; /* Set total amount of memory */
26874 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
26875 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
26876-static void (*pmi_start)(void) __read_mostly;
26877-static void (*pmi_pal) (void) __read_mostly;
26878+static void (*pmi_start)(void) __read_only;
26879+static void (*pmi_pal) (void) __read_only;
26880 static int depth __read_mostly;
26881 static int vga_compat __read_mostly;
26882 /* --------------------------------------------------------------------- */
26883@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
26884 unsigned int size_vmode;
26885 unsigned int size_remap;
26886 unsigned int size_total;
26887+ void *pmi_code = NULL;
26888
26889 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
26890 return -ENODEV;
26891@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
26892 size_remap = size_total;
26893 vesafb_fix.smem_len = size_remap;
26894
26895-#ifndef __i386__
26896- screen_info.vesapm_seg = 0;
26897-#endif
26898-
26899 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
26900 printk(KERN_WARNING
26901 "vesafb: cannot reserve video memory at 0x%lx\n",
26902@@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
26903 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
26904 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
26905
26906+#ifdef __i386__
26907+
26908+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26909+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
26910+ if (!pmi_code)
26911+#elif !defined(CONFIG_PAX_KERNEXEC)
26912+ if (0)
26913+#endif
26914+
26915+#endif
26916+ screen_info.vesapm_seg = 0;
26917+
26918 if (screen_info.vesapm_seg) {
26919- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
26920- screen_info.vesapm_seg,screen_info.vesapm_off);
26921+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
26922+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
26923 }
26924
26925 if (screen_info.vesapm_seg < 0xc000)
26926@@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
26927
26928 if (ypan || pmi_setpal) {
26929 unsigned short *pmi_base;
26930- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
26931- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
26932- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
26933+
26934+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
26935+
26936+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26937+ pax_open_kernel();
26938+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
26939+#else
26940+ pmi_code = pmi_base;
26941+#endif
26942+
26943+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
26944+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
26945+
26946+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26947+ pmi_start = ktva_ktla(pmi_start);
26948+ pmi_pal = ktva_ktla(pmi_pal);
26949+ pax_close_kernel();
26950+#endif
26951+
26952 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
26953 if (pmi_base[3]) {
26954 printk(KERN_INFO "vesafb: pmi: ports = ");
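Review bot: `pmi_base[1]` and `pmi_base[2]` are used as offsets into `pmi_code` without being compared with `screen_info.vesapm_size`, which is the number of bytes the added `memcpy()` copies. With the KERNEXEC copy in place, an offset at or beyond that size makes `pmi_start` or `pmi_pal` point outside the copied table. The block should test `pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size` before `pax_open_kernel()` and, when it is true, clear `ypan` and `pmi_setpal` and skip the rest of the PMI setup. The table is presumably supplied by the video BIOS, which is why it deserves a range check; the `if (ypan || pmi_setpal)` block continues past the end of the hunk.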
26955@@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
26956 info->node, info->fix.id);
26957 return 0;
26958 err:
26959+
26960+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26961+ module_free_exec(NULL, pmi_code);
26962+#endif
26963+
26964 if (info->screen_base)
26965 iounmap(info->screen_base);
26966 framebuffer_release(info);
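Review bot: `module_free_exec(NULL, pmi_code)` on the `err:` path can run with `pmi_code` still NULL, because the earlier hunk lets the probe continue after a failed `module_alloc_exec()`. Whether `module_free_exec()` accepts a NULL region is not visible on this page, so either confirm that or guard the call with `if (pmi_code)`. The buffer is also released only on this error path; when the probe succeeds with `ypan` and `pmi_setpal` both off, the copy appears to stay allocated and unused.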
26967diff -urNp linux-2.6.32.9/drivers/xen/sys-hypervisor.c linux-2.6.32.9/drivers/xen/sys-hypervisor.c
26968--- linux-2.6.32.9/drivers/xen/sys-hypervisor.c 2010-02-09 07:57:19.000000000 -0500
26969+++ linux-2.6.32.9/drivers/xen/sys-hypervisor.c 2010-02-23 17:09:53.268343828 -0500
26970@@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
26971 return 0;
26972 }
26973
26974-static struct sysfs_ops hyp_sysfs_ops = {
26975+static const struct sysfs_ops hyp_sysfs_ops = {
26976 .show = hyp_sysfs_show,
26977 .store = hyp_sysfs_store,
26978 };
26979diff -urNp linux-2.6.32.9/fs/9p/vfs_inode.c linux-2.6.32.9/fs/9p/vfs_inode.c
26980--- linux-2.6.32.9/fs/9p/vfs_inode.c 2010-02-09 07:57:19.000000000 -0500
26981+++ linux-2.6.32.9/fs/9p/vfs_inode.c 2010-02-23 17:09:53.272463050 -0500
26982@@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
26983 static void
26984 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
26985 {
26986- char *s = nd_get_link(nd);
26987+ const char *s = nd_get_link(nd);
26988
26989 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
26990 IS_ERR(s) ? "<error>" : s);
26991diff -urNp linux-2.6.32.9/fs/aio.c linux-2.6.32.9/fs/aio.c
26992--- linux-2.6.32.9/fs/aio.c 2010-02-09 07:57:19.000000000 -0500
26993+++ linux-2.6.32.9/fs/aio.c 2010-02-23 17:09:53.272463050 -0500
26994@@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
26995 size += sizeof(struct io_event) * nr_events;
26996 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
26997
26998- if (nr_pages < 0)
26999+ if (nr_pages <= 0)
27000 return -EINVAL;
27001
27002 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
27003diff -urNp linux-2.6.32.9/fs/attr.c linux-2.6.32.9/fs/attr.c
27004--- linux-2.6.32.9/fs/attr.c 2010-02-09 07:57:19.000000000 -0500
27005+++ linux-2.6.32.9/fs/attr.c 2010-02-23 17:09:53.272463050 -0500
27006@@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
27007 unsigned long limit;
27008
27009 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
27010+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
27011 if (limit != RLIM_INFINITY && offset > limit)
27012 goto out_sig;
27013 if (offset > inode->i_sb->s_maxbytes)
27014diff -urNp linux-2.6.32.9/fs/autofs/root.c linux-2.6.32.9/fs/autofs/root.c
27015--- linux-2.6.32.9/fs/autofs/root.c 2010-02-09 07:57:19.000000000 -0500
27016+++ linux-2.6.32.9/fs/autofs/root.c 2010-02-23 17:09:53.272463050 -0500
27017@@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
27018 set_bit(n,sbi->symlink_bitmap);
27019 sl = &sbi->symlink[n];
27020 sl->len = strlen(symname);
27021- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27022+ slsize = sl->len+1;
27023+ sl->data = kmalloc(slsize, GFP_KERNEL);
27024 if (!sl->data) {
27025 clear_bit(n,sbi->symlink_bitmap);
27026 unlock_kernel();
27027diff -urNp linux-2.6.32.9/fs/autofs4/symlink.c linux-2.6.32.9/fs/autofs4/symlink.c
27028--- linux-2.6.32.9/fs/autofs4/symlink.c 2010-02-09 07:57:19.000000000 -0500
27029+++ linux-2.6.32.9/fs/autofs4/symlink.c 2010-02-23 17:09:53.272463050 -0500
27030@@ -15,7 +15,7 @@
27031 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
27032 {
27033 struct autofs_info *ino = autofs4_dentry_ino(dentry);
27034- nd_set_link(nd, (char *)ino->u.symlink);
27035+ nd_set_link(nd, ino->u.symlink);
27036 return NULL;
27037 }
27038
27039diff -urNp linux-2.6.32.9/fs/befs/linuxvfs.c linux-2.6.32.9/fs/befs/linuxvfs.c
27040--- linux-2.6.32.9/fs/befs/linuxvfs.c 2010-02-23 17:04:12.513858925 -0500
27041+++ linux-2.6.32.9/fs/befs/linuxvfs.c 2010-02-23 17:09:53.272463050 -0500
27042@@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
27043 {
27044 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
27045 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
27046- char *link = nd_get_link(nd);
27047+ const char *link = nd_get_link(nd);
27048 if (!IS_ERR(link))
27049 kfree(link);
27050 }
27051diff -urNp linux-2.6.32.9/fs/binfmt_aout.c linux-2.6.32.9/fs/binfmt_aout.c
27052--- linux-2.6.32.9/fs/binfmt_aout.c 2010-02-09 07:57:19.000000000 -0500
27053+++ linux-2.6.32.9/fs/binfmt_aout.c 2010-02-23 17:09:53.272463050 -0500
27054@@ -16,6 +16,7 @@
27055 #include <linux/string.h>
27056 #include <linux/fs.h>
27057 #include <linux/file.h>
27058+#include <linux/security.h>
27059 #include <linux/stat.h>
27060 #include <linux/fcntl.h>
27061 #include <linux/ptrace.h>
27062@@ -113,10 +114,12 @@ static int aout_core_dump(long signr, st
27063
27064 /* If the size of the dump file exceeds the rlimit, then see what would happen
27065 if we wrote the stack, but not the data area. */
27066+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
27067 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
27068 dump.u_dsize = 0;
27069
27070 /* Make sure we have enough room to write the stack and data areas. */
27071+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
27072 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
27073 dump.u_ssize = 0;
27074
27075@@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
27076 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
27077 if (rlim >= RLIM_INFINITY)
27078 rlim = ~0;
27079+
27080+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
27081 if (ex.a_data + ex.a_bss > rlim)
27082 return -ENOMEM;
27083
27084@@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
27085 install_exec_creds(bprm);
27086 current->flags &= ~PF_FORKNOEXEC;
27087
27088+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27089+ current->mm->pax_flags = 0UL;
27090+#endif
27091+
27092+#ifdef CONFIG_PAX_PAGEEXEC
27093+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
27094+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
27095+
27096+#ifdef CONFIG_PAX_EMUTRAMP
27097+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
27098+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
27099+#endif
27100+
27101+#ifdef CONFIG_PAX_MPROTECT
27102+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
27103+ current->mm->pax_flags |= MF_PAX_MPROTECT;
27104+#endif
27105+
27106+ }
27107+#endif
27108+
27109 if (N_MAGIC(ex) == OMAGIC) {
27110 unsigned long text_addr, map_size;
27111 loff_t pos;
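Review bot: The three flag tests added to load_aout_binary use opposite polarities and nothing says so: `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` switch a protection off when set, while `F_PAX_EMUTRAMP` switches one on when set. Because `N_FLAGS(ex)` comes from the header of the file being executed, a reader auditing which binaries can opt out needs that stated. I would add above the block `/* a.out header flags: PAGEEXEC and MPROTECT are opt-out bits, EMUTRAMP is opt-in; MPROTECT and EMUTRAMP only apply while PAGEEXEC stays enabled */`. The function starts and ends outside this hunk.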
27112@@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
27113
27114 down_write(&current->mm->mmap_sem);
27115 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
27116- PROT_READ | PROT_WRITE | PROT_EXEC,
27117+ PROT_READ | PROT_WRITE,
27118 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
27119 fd_offset + ex.a_text);
27120 up_write(&current->mm->mmap_sem);
27121diff -urNp linux-2.6.32.9/fs/binfmt_elf.c linux-2.6.32.9/fs/binfmt_elf.c
27122--- linux-2.6.32.9/fs/binfmt_elf.c 2010-02-09 07:57:19.000000000 -0500
27123+++ linux-2.6.32.9/fs/binfmt_elf.c 2010-02-23 17:09:53.272463050 -0500
27124@@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
27125 #define elf_core_dump NULL
27126 #endif
27127
27128+#ifdef CONFIG_PAX_MPROTECT
27129+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
27130+#endif
27131+
27132 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
27133 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
27134 #else
27135@@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
27136 .load_binary = load_elf_binary,
27137 .load_shlib = load_elf_library,
27138 .core_dump = elf_core_dump,
27139+
27140+#ifdef CONFIG_PAX_MPROTECT
27141+ .handle_mprotect= elf_handle_mprotect,
27142+#endif
27143+
27144 .min_coredump = ELF_EXEC_PAGESIZE,
27145 .hasvdso = 1
27146 };
27147@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
27148
27149 static int set_brk(unsigned long start, unsigned long end)
27150 {
27151+ unsigned long e = end;
27152+
27153 start = ELF_PAGEALIGN(start);
27154 end = ELF_PAGEALIGN(end);
27155 if (end > start) {
27156@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
27157 if (BAD_ADDR(addr))
27158 return addr;
27159 }
27160- current->mm->start_brk = current->mm->brk = end;
27161+ current->mm->start_brk = current->mm->brk = e;
27162 return 0;
27163 }
27164
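Review bot: The new local `e` in set_brk needs a descriptive name and a comment, because the change it carries is easy to miss: `start_brk` and `brk` are now set to the caller's original `end` rather than to the `ELF_PAGEALIGN`ed value. Presumably this preserves the sub-page offset that a later hunk adds to `elf_brk` under CONFIG_PAX_RANDMMAP, but nothing in the function says so. Something like `unsigned long unaligned_end = end; /* brk keeps the caller's unaligned end; only the mapping is page-aligned */` would make that explicit. The declaration is in the previous hunk of the same function.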
27165@@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
27166 elf_addr_t __user *u_rand_bytes;
27167 const char *k_platform = ELF_PLATFORM;
27168 const char *k_base_platform = ELF_BASE_PLATFORM;
27169- unsigned char k_rand_bytes[16];
27170+ u32 k_rand_bytes[4];
27171 int items;
27172 elf_addr_t *elf_info;
27173 int ei_index = 0;
27174@@ -195,6 +206,10 @@ create_elf_tables(struct linux_binprm *b
27175 * Generate 16 random bytes for userspace PRNG seeding.
27176 */
27177 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
27178+ srandom32(k_rand_bytes[0] ^ random32());
27179+ srandom32(k_rand_bytes[1] ^ random32());
27180+ srandom32(k_rand_bytes[2] ^ random32());
27181+ srandom32(k_rand_bytes[3] ^ random32());
27182 u_rand_bytes = (elf_addr_t __user *)
27183 STACK_ALLOC(p, sizeof(k_rand_bytes));
27184 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
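Review bot: The four `srandom32()` calls sit under a comment that only describes generating 16 random bytes for userspace, so the reseeding of the kernel's `random32()` generator is undocumented. The words mixed into the seed are the same ones copied to the user stack by the `__copy_to_user()` below, each combined with a `random32()` output; whether exposing that material to the new process is acceptable for the generator's other users should be stated or confirmed. A comment such as `/* also stir the random32() state on every exec; the seed words are later visible to the new process */` would record the intent. create_elf_tables extends beyond the hunk.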
27185@@ -385,10 +400,10 @@ static unsigned long load_elf_interp(str
27186 {
27187 struct elf_phdr *elf_phdata;
27188 struct elf_phdr *eppnt;
27189- unsigned long load_addr = 0;
27190+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
27191 int load_addr_set = 0;
27192 unsigned long last_bss = 0, elf_bss = 0;
27193- unsigned long error = ~0UL;
27194+ unsigned long error = -EINVAL;
27195 unsigned long total_size;
27196 int retval, i, size;
27197
27198@@ -434,6 +449,11 @@ static unsigned long load_elf_interp(str
27199 goto out_close;
27200 }
27201
27202+#ifdef CONFIG_PAX_SEGMEXEC
27203+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
27204+ pax_task_size = SEGMEXEC_TASK_SIZE;
27205+#endif
27206+
27207 eppnt = elf_phdata;
27208 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
27209 if (eppnt->p_type == PT_LOAD) {
27210@@ -477,8 +497,8 @@ static unsigned long load_elf_interp(str
27211 k = load_addr + eppnt->p_vaddr;
27212 if (BAD_ADDR(k) ||
27213 eppnt->p_filesz > eppnt->p_memsz ||
27214- eppnt->p_memsz > TASK_SIZE ||
27215- TASK_SIZE - eppnt->p_memsz < k) {
27216+ eppnt->p_memsz > pax_task_size ||
27217+ pax_task_size - eppnt->p_memsz < k) {
27218 error = -ENOMEM;
27219 goto out_close;
27220 }
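Review bot: The range check in load_elf_interp still calls `BAD_ADDR(k)` while the two comparisons next to it were switched to `pax_task_size`. The matching check in load_elf_binary, in a later hunk of this file, replaces `BAD_ADDR(k)` with `k >= pax_task_size`, so the two loaders now test the segment address against different limits when SEGMEXEC lowers `pax_task_size` (assuming `BAD_ADDR` compares against `TASK_SIZE`, which is not shown here). For consistency this line should read `if (k >= pax_task_size ||`. The enclosing loop begins in an earlier hunk.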
27221@@ -532,6 +552,177 @@ out:
27222 return error;
27223 }
27224
27225+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
27226+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
27227+{
27228+ unsigned long pax_flags = 0UL;
27229+
27230+#ifdef CONFIG_PAX_PAGEEXEC
27231+ if (elf_phdata->p_flags & PF_PAGEEXEC)
27232+ pax_flags |= MF_PAX_PAGEEXEC;
27233+#endif
27234+
27235+#ifdef CONFIG_PAX_SEGMEXEC
27236+ if (elf_phdata->p_flags & PF_SEGMEXEC)
27237+ pax_flags |= MF_PAX_SEGMEXEC;
27238+#endif
27239+
27240+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27241+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27242+ if (nx_enabled)
27243+ pax_flags &= ~MF_PAX_SEGMEXEC;
27244+ else
27245+ pax_flags &= ~MF_PAX_PAGEEXEC;
27246+ }
27247+#endif
27248+
27249+#ifdef CONFIG_PAX_EMUTRAMP
27250+ if (elf_phdata->p_flags & PF_EMUTRAMP)
27251+ pax_flags |= MF_PAX_EMUTRAMP;
27252+#endif
27253+
27254+#ifdef CONFIG_PAX_MPROTECT
27255+ if (elf_phdata->p_flags & PF_MPROTECT)
27256+ pax_flags |= MF_PAX_MPROTECT;
27257+#endif
27258+
27259+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27260+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
27261+ pax_flags |= MF_PAX_RANDMMAP;
27262+#endif
27263+
27264+ return pax_flags;
27265+}
27266+#endif
27267+
27268+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27269+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
27270+{
27271+ unsigned long pax_flags = 0UL;
27272+
27273+#ifdef CONFIG_PAX_PAGEEXEC
27274+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
27275+ pax_flags |= MF_PAX_PAGEEXEC;
27276+#endif
27277+
27278+#ifdef CONFIG_PAX_SEGMEXEC
27279+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
27280+ pax_flags |= MF_PAX_SEGMEXEC;
27281+#endif
27282+
27283+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27284+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27285+ if (nx_enabled)
27286+ pax_flags &= ~MF_PAX_SEGMEXEC;
27287+ else
27288+ pax_flags &= ~MF_PAX_PAGEEXEC;
27289+ }
27290+#endif
27291+
27292+#ifdef CONFIG_PAX_EMUTRAMP
27293+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
27294+ pax_flags |= MF_PAX_EMUTRAMP;
27295+#endif
27296+
27297+#ifdef CONFIG_PAX_MPROTECT
27298+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
27299+ pax_flags |= MF_PAX_MPROTECT;
27300+#endif
27301+
27302+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27303+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
27304+ pax_flags |= MF_PAX_RANDMMAP;
27305+#endif
27306+
27307+ return pax_flags;
27308+}
27309+#endif
27310+
27311+#ifdef CONFIG_PAX_EI_PAX
27312+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
27313+{
27314+ unsigned long pax_flags = 0UL;
27315+
27316+#ifdef CONFIG_PAX_PAGEEXEC
27317+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
27318+ pax_flags |= MF_PAX_PAGEEXEC;
27319+#endif
27320+
27321+#ifdef CONFIG_PAX_SEGMEXEC
27322+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
27323+ pax_flags |= MF_PAX_SEGMEXEC;
27324+#endif
27325+
27326+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27327+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27328+ if (nx_enabled)
27329+ pax_flags &= ~MF_PAX_SEGMEXEC;
27330+ else
27331+ pax_flags &= ~MF_PAX_PAGEEXEC;
27332+ }
27333+#endif
27334+
27335+#ifdef CONFIG_PAX_EMUTRAMP
27336+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
27337+ pax_flags |= MF_PAX_EMUTRAMP;
27338+#endif
27339+
27340+#ifdef CONFIG_PAX_MPROTECT
27341+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
27342+ pax_flags |= MF_PAX_MPROTECT;
27343+#endif
27344+
27345+#ifdef CONFIG_PAX_ASLR
27346+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
27347+ pax_flags |= MF_PAX_RANDMMAP;
27348+#endif
27349+
27350+ return pax_flags;
27351+}
27352+#endif
27353+
27354+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27355+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
27356+{
27357+ unsigned long pax_flags = 0UL;
27358+
27359+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27360+ unsigned long i;
27361+#endif
27362+
27363+#ifdef CONFIG_PAX_EI_PAX
27364+ pax_flags = pax_parse_ei_pax(elf_ex);
27365+#endif
27366+
27367+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27368+ for (i = 0UL; i < elf_ex->e_phnum; i++)
27369+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
27370+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
27371+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
27372+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
27373+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
27374+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
27375+ return -EINVAL;
27376+
27377+#ifdef CONFIG_PAX_SOFTMODE
27378+ if (pax_softmode)
27379+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
27380+ else
27381+#endif
27382+
27383+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
27384+ break;
27385+ }
27386+#endif
27387+
27388+ if (0 > pax_check_flags(&pax_flags))
27389+ return -EINVAL;
27390+
27391+ current->mm->pax_flags = pax_flags;
27392+ return 0;
27393+}
27394+#endif
27395+
27396 /*
27397 * These are the functions used to load ELF style executables and shared
27398 * libraries. There is no binary dependent code anywhere else.
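Review bot: The block that resolves a request for both PAGEEXEC and SEGMEXEC is copied verbatim into pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax, so a future change to that policy has to be made in three places. I would move it into one static helper and call it from each parser inside the existing `#if`, as sketched below. Separately, pax_parse_elf_flags stops at the first `PT_PAX_FLAGS` header and lets it replace the `EI_PAX` result entirely; that precedence deserves a comment above the loop, and the brace-less `for` whose `else` is split by `#ifdef CONFIG_PAX_SOFTMODE` would be safer with braces.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* When both are requested keep PAGEEXEC if nx_enabled, SEGMEXEC otherwise. */
static unsigned long pax_pick_exec_mode(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	return pax_flags & ~(nx_enabled ? MF_PAX_SEGMEXEC : MF_PAX_PAGEEXEC);
}
#endif

/* ... unchanged: PAGEEXEC and SEGMEXEC tests at the top of each parser ... */
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	pax_flags = pax_pick_exec_mode(pax_flags);
#endif
/* ... unchanged: EMUTRAMP, MPROTECT and RANDMMAP tests ... */
```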
27399@@ -548,6 +739,11 @@ static unsigned long randomize_stack_top
27400 {
27401 unsigned int random_variable = 0;
27402
27403+#ifdef CONFIG_PAX_RANDUSTACK
27404+ if (randomize_va_space)
27405+ return stack_top - current->mm->delta_stack;
27406+#endif
27407+
27408 if ((current->flags & PF_RANDOMIZE) &&
27409 !(current->personality & ADDR_NO_RANDOMIZE)) {
27410 random_variable = get_random_int() & STACK_RND_MASK;
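Review bot: The early return added under CONFIG_PAX_RANDUSTACK skips the `PF_RANDOMIZE` and `ADDR_NO_RANDOMIZE` tests that follow it and depends only on `randomize_va_space`. `delta_stack` is reset to zero in load_elf_binary and set only when `MF_PAX_RANDMMAP` is enabled, so for a binary without that flag this path returns `stack_top` unchanged and the stock randomization below is never reached. If that is intended it should be stated, e.g. `/* PaX: delta_stack is the only stack randomization; it is 0 when RANDMMAP is off for this binary */`; otherwise the condition should also test `current->mm->pax_flags & MF_PAX_RANDMMAP`. The rest of the function is outside the hunk.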
27411@@ -566,7 +762,7 @@ static int load_elf_binary(struct linux_
27412 unsigned long load_addr = 0, load_bias = 0;
27413 int load_addr_set = 0;
27414 char * elf_interpreter = NULL;
27415- unsigned long error;
27416+ unsigned long error = 0;
27417 struct elf_phdr *elf_ppnt, *elf_phdata;
27418 unsigned long elf_bss, elf_brk;
27419 int retval, i;
27420@@ -576,11 +772,11 @@ static int load_elf_binary(struct linux_
27421 unsigned long start_code, end_code, start_data, end_data;
27422 unsigned long reloc_func_desc = 0;
27423 int executable_stack = EXSTACK_DEFAULT;
27424- unsigned long def_flags = 0;
27425 struct {
27426 struct elfhdr elf_ex;
27427 struct elfhdr interp_elf_ex;
27428 } *loc;
27429+ unsigned long pax_task_size = TASK_SIZE;
27430
27431 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
27432 if (!loc) {
27433@@ -718,11 +914,80 @@ static int load_elf_binary(struct linux_
27434
27435 /* OK, This is the point of no return */
27436 current->flags &= ~PF_FORKNOEXEC;
27437- current->mm->def_flags = def_flags;
27438+
27439+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27440+ current->mm->pax_flags = 0UL;
27441+#endif
27442+
27443+#ifdef CONFIG_PAX_DLRESOLVE
27444+ current->mm->call_dl_resolve = 0UL;
27445+#endif
27446+
27447+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
27448+ current->mm->call_syscall = 0UL;
27449+#endif
27450+
27451+#ifdef CONFIG_PAX_ASLR
27452+ current->mm->delta_mmap = 0UL;
27453+ current->mm->delta_stack = 0UL;
27454+#endif
27455+
27456+ current->mm->def_flags = 0;
27457+
27458+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27459+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
27460+ send_sig(SIGKILL, current, 0);
27461+ goto out_free_dentry;
27462+ }
27463+#endif
27464+
27465+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
27466+ pax_set_initial_flags(bprm);
27467+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
27468+ if (pax_set_initial_flags_func)
27469+ (pax_set_initial_flags_func)(bprm);
27470+#endif
27471+
27472+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
27473+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
27474+ current->mm->context.user_cs_limit = PAGE_SIZE;
27475+ current->mm->def_flags |= VM_PAGEEXEC;
27476+ }
27477+#endif
27478+
27479+#ifdef CONFIG_PAX_SEGMEXEC
27480+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
27481+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
27482+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
27483+ pax_task_size = SEGMEXEC_TASK_SIZE;
27484+ }
27485+#endif
27486+
27487+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
27488+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27489+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
27490+ put_cpu();
27491+ }
27492+#endif
27493
27494 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
27495 may depend on the personality. */
27496 SET_PERSONALITY(loc->elf_ex);
27497+
27498+#ifdef CONFIG_PAX_ASLR
27499+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
27500+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
27501+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
27502+ }
27503+#endif
27504+
27505+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27506+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27507+ executable_stack = EXSTACK_DISABLE_X;
27508+ current->personality &= ~READ_IMPLIES_EXEC;
27509+ } else
27510+#endif
27511+
27512 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
27513 current->personality |= READ_IMPLIES_EXEC;
27514
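Review bot: When `pax_parse_elf_flags()` fails, the added code sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. The overflow check in a later hunk of this function sets `retval = -EINVAL;` before the same kind of exit, so this path returns whatever `retval` held from the preceding call, which is likely 0. Add `retval = -EINVAL;` before the `goto`. load_elf_binary starts and ends outside this hunk, so the value of `retval` at this point could not be confirmed from the page.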
27515@@ -804,6 +1069,20 @@ static int load_elf_binary(struct linux_
27516 #else
27517 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
27518 #endif
27519+
27520+#ifdef CONFIG_PAX_RANDMMAP
27521+ /* PaX: randomize base address at the default exe base if requested */
27522+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
27523+#ifdef CONFIG_SPARC64
27524+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
27525+#else
27526+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
27527+#endif
27528+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
27529+ elf_flags |= MAP_FIXED;
27530+ }
27531+#endif
27532+
27533 }
27534
27535 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
27536@@ -836,9 +1115,9 @@ static int load_elf_binary(struct linux_
27537 * allowed task size. Note that p_filesz must always be
27538 * <= p_memsz so it is only necessary to check p_memsz.
27539 */
27540- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27541- elf_ppnt->p_memsz > TASK_SIZE ||
27542- TASK_SIZE - elf_ppnt->p_memsz < k) {
27543+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27544+ elf_ppnt->p_memsz > pax_task_size ||
27545+ pax_task_size - elf_ppnt->p_memsz < k) {
27546 /* set_brk can never work. Avoid overflows. */
27547 send_sig(SIGKILL, current, 0);
27548 retval = -EINVAL;
27549@@ -866,6 +1145,11 @@ static int load_elf_binary(struct linux_
27550 start_data += load_bias;
27551 end_data += load_bias;
27552
27553+#ifdef CONFIG_PAX_RANDMMAP
27554+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
27555+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
27556+#endif
27557+
27558 /* Calling set_brk effectively mmaps the pages that we need
27559 * for the bss and break sections. We must do this before
27560 * mapping in the interpreter, to make sure it doesn't wind
27561@@ -877,9 +1161,11 @@ static int load_elf_binary(struct linux_
27562 goto out_free_dentry;
27563 }
27564 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
27565- send_sig(SIGSEGV, current, 0);
27566- retval = -EFAULT; /* Nobody gets to see this, but.. */
27567- goto out_free_dentry;
27568+ /*
27569+ * This bss-zeroing can fail if the ELF
27570+ * file specifies odd protections. So
27571+ * we don't check the return value
27572+ */
27573 }
27574
27575 if (elf_interpreter) {
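Review bot: After this change the `if` around `padzero(elf_bss)` has a body that holds only a comment, so the call is made purely for its side effect inside a condition. That reads like a forgotten error path; the statement would be clearer as `if (likely(elf_bss != elf_brk)) padzero(elf_bss);` with the comment placed above it. The comment should also say what state the tail of the last bss page is expected to be in when the clear fails, since the loader no longer stops in that case.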
27576@@ -1112,8 +1398,10 @@ static int dump_seek(struct file *file,
27577 unsigned long n = off;
27578 if (n > PAGE_SIZE)
27579 n = PAGE_SIZE;
27580- if (!dump_write(file, buf, n))
27581+ if (!dump_write(file, buf, n)) {
27582+ free_page((unsigned long)buf);
27583 return 0;
27584+ }
27585 off -= n;
27586 }
27587 free_page((unsigned long)buf);
27588@@ -1125,7 +1413,7 @@ static int dump_seek(struct file *file,
27589 * Decide what to dump of a segment, part, all or none.
27590 */
27591 static unsigned long vma_dump_size(struct vm_area_struct *vma,
27592- unsigned long mm_flags)
27593+ unsigned long mm_flags, long signr)
27594 {
27595 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
27596
27597@@ -1159,7 +1447,7 @@ static unsigned long vma_dump_size(struc
27598 if (vma->vm_file == NULL)
27599 return 0;
27600
27601- if (FILTER(MAPPED_PRIVATE))
27602+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
27603 goto whole;
27604
27605 /*
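Review bot: The new `signr == SIGKILL` test sends every file-backed mapping that reaches it to `whole`, regardless of the `MAPPED_PRIVATE` bit in `mm_flags`, and neither the condition nor the new `signr` parameter is explained. Since this widens what ends up in a core file beyond what the dump filter asked for, the reason should be recorded next to the test, for example `/* TODO(review): state why dumps triggered by SIGKILL ignore the filter for file-backed mappings */`. The parameter is added in the previous hunk and the function continues past this one.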
27606@@ -1255,8 +1543,11 @@ static int writenote(struct memelfnote *
27607 #undef DUMP_WRITE
27608
27609 #define DUMP_WRITE(addr, nr) \
27610+ do { \
27611+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
27612 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
27613- goto end_coredump;
27614+ goto end_coredump; \
27615+ } while (0);
27616
27617 static void fill_elf_header(struct elfhdr *elf, int segs,
27618 u16 machine, u32 flags, u8 osabi)
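Review bot: The rewritten `DUMP_WRITE` ends in `} while (0);`, and that trailing semicolon defeats the purpose of the `do { } while (0)` wrapper: `DUMP_WRITE(a, n);` now expands to two statements and breaks an unbraced `if`/`else` around it. The last line of the macro should be `} while (0)`. The macro also evaluates `nr` three times now, so arguments with side effects must be avoided or `nr` copied into a local first.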
27619@@ -1385,9 +1676,9 @@ static void fill_auxv_note(struct memelf
27620 {
27621 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
27622 int i = 0;
27623- do
27624+ do {
27625 i += 2;
27626- while (auxv[i - 2] != AT_NULL);
27627+ } while (auxv[i - 2] != AT_NULL);
27628 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
27629 }
27630
27631@@ -1973,7 +2264,7 @@ static int elf_core_dump(long signr, str
27632 phdr.p_offset = offset;
27633 phdr.p_vaddr = vma->vm_start;
27634 phdr.p_paddr = 0;
27635- phdr.p_filesz = vma_dump_size(vma, mm_flags);
27636+ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
27637 phdr.p_memsz = vma->vm_end - vma->vm_start;
27638 offset += phdr.p_filesz;
27639 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
27640@@ -2006,7 +2297,7 @@ static int elf_core_dump(long signr, str
27641 unsigned long addr;
27642 unsigned long end;
27643
27644- end = vma->vm_start + vma_dump_size(vma, mm_flags);
27645+ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
27646
27647 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
27648 struct page *page;
27649@@ -2015,6 +2306,7 @@ static int elf_core_dump(long signr, str
27650 page = get_dump_page(addr);
27651 if (page) {
27652 void *kaddr = kmap(page);
27653+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
27654 stop = ((size += PAGE_SIZE) > limit) ||
27655 !dump_write(file, kaddr, PAGE_SIZE);
27656 kunmap(page);
27657@@ -2042,6 +2334,97 @@ out:
27658
27659 #endif /* USE_ELF_CORE_DUMP */
27660
27661+#ifdef CONFIG_PAX_MPROTECT
27662+/* PaX: non-PIC ELF libraries need relocations on their executable segments
27663+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
27664+ * we'll remove VM_MAYWRITE for good on RELRO segments.
27665+ *
27666+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
27667+ * basis because we want to allow the common case and not the special ones.
27668+ */
27669+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
27670+{
27671+ struct elfhdr elf_h;
27672+ struct elf_phdr elf_p;
27673+ unsigned long i;
27674+ unsigned long oldflags;
27675+ bool is_textrel_rw, is_textrel_rx, is_relro;
27676+
27677+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
27678+ return;
27679+
27680+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
27681+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
27682+
27683+#ifdef CONFIG_PAX_NOELFRELOCS
27684+ is_textrel_rw = false;
27685+ is_textrel_rx = false;
27686+#else
27687+ /* possible TEXTREL */
27688+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
27689+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
27690+#endif
27691+
27692+ /* possible RELRO */
27693+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
27694+
27695+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
27696+ return;
27697+
27698+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
27699+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
27700+
27701+#ifdef CONFIG_PAX_ETEXECRELOCS
27702+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27703+#else
27704+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
27705+#endif
27706+
27707+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27708+ !elf_check_arch(&elf_h) ||
27709+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
27710+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
27711+ return;
27712+
27713+ for (i = 0UL; i < elf_h.e_phnum; i++) {
27714+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
27715+ return;
27716+ switch (elf_p.p_type) {
27717+ case PT_DYNAMIC:
27718+ if (!is_textrel_rw && !is_textrel_rx)
27719+ continue;
27720+ i = 0UL;
27721+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
27722+ elf_dyn dyn;
27723+
27724+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
27725+ return;
27726+ if (dyn.d_tag == DT_NULL)
27727+ return;
27728+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
27729+ gr_log_textrel(vma);
27730+ if (is_textrel_rw)
27731+ vma->vm_flags |= VM_MAYWRITE;
27732+ else
27733+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
27734+ vma->vm_flags &= ~VM_MAYWRITE;
27735+ return;
27736+ }
27737+ i++;
27738+ }
27739+ return;
27740+
27741+ case PT_GNU_RELRO:
27742+ if (!is_relro)
27743+ continue;
27744+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
27745+ vma->vm_flags &= ~VM_MAYWRITE;
27746+ return;
27747+ }
27748+ }
27749+}
27750+#endif
27751+
27752 static int __init init_elf_binfmt(void)
27753 {
27754 return register_binfmt(&elf_format);
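Review bot: In elf_handle_mprotect the `PT_DYNAMIC` case resets `i = 0UL` and reuses it to walk the dynamic entries while it is still the index of the enclosing program-header loop. This works only because every path out of the inner `while` returns; a later edit that falls through to the next header would restart or skip entries silently. Use a separate index, `unsigned long j;` and `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`. The offsets `elf_h.e_phoff + i*sizeof(elf_p)` and `elf_p.p_offset + i*sizeof(dyn)` are taken from the mapped file and are not checked for wrap-around before `kernel_read()`, which is worth a guard or at least a comment.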
27755diff -urNp linux-2.6.32.9/fs/binfmt_flat.c linux-2.6.32.9/fs/binfmt_flat.c
27756--- linux-2.6.32.9/fs/binfmt_flat.c 2010-02-09 07:57:19.000000000 -0500
27757+++ linux-2.6.32.9/fs/binfmt_flat.c 2010-02-23 17:09:53.272463050 -0500
27758@@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
27759 realdatastart = (unsigned long) -ENOMEM;
27760 printk("Unable to allocate RAM for process data, errno %d\n",
27761 (int)-realdatastart);
27762+ down_write(&current->mm->mmap_sem);
27763 do_munmap(current->mm, textpos, text_len);
27764+ up_write(&current->mm->mmap_sem);
27765 ret = realdatastart;
27766 goto err;
27767 }
27768@@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
27769 }
27770 if (IS_ERR_VALUE(result)) {
27771 printk("Unable to read data+bss, errno %d\n", (int)-result);
27772+ down_write(&current->mm->mmap_sem);
27773 do_munmap(current->mm, textpos, text_len);
27774 do_munmap(current->mm, realdatastart, data_len + extra);
27775+ up_write(&current->mm->mmap_sem);
27776 ret = result;
27777 goto err;
27778 }
27779@@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
27780 }
27781 if (IS_ERR_VALUE(result)) {
27782 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
27783+ down_write(&current->mm->mmap_sem);
27784 do_munmap(current->mm, textpos, text_len + data_len + extra +
27785 MAX_SHARED_LIBS * sizeof(unsigned long));
27786+ up_write(&current->mm->mmap_sem);
27787 ret = result;
27788 goto err;
27789 }
27790diff -urNp linux-2.6.32.9/fs/binfmt_misc.c linux-2.6.32.9/fs/binfmt_misc.c
27791--- linux-2.6.32.9/fs/binfmt_misc.c 2010-02-09 07:57:19.000000000 -0500
27792+++ linux-2.6.32.9/fs/binfmt_misc.c 2010-02-23 17:09:53.272463050 -0500
27793@@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
27794 static struct tree_descr bm_files[] = {
27795 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
27796 [3] = {"register", &bm_register_operations, S_IWUSR},
27797- /* last one */ {""}
27798+ /* last one */ {"", NULL, 0}
27799 };
27800 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
27801 if (!err)
27802diff -urNp linux-2.6.32.9/fs/bio.c linux-2.6.32.9/fs/bio.c
27803--- linux-2.6.32.9/fs/bio.c 2010-02-09 07:57:19.000000000 -0500
27804+++ linux-2.6.32.9/fs/bio.c 2010-02-23 17:09:53.272463050 -0500
27805@@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
27806
27807 i = 0;
27808 while (i < bio_slab_nr) {
27809- struct bio_slab *bslab = &bio_slabs[i];
27810+ bslab = &bio_slabs[i];
27811
27812 if (!bslab->slab && entry == -1)
27813 entry = i;
27814@@ -1217,7 +1217,7 @@ static void bio_copy_kern_endio(struct b
27815 const int read = bio_data_dir(bio) == READ;
27816 struct bio_map_data *bmd = bio->bi_private;
27817 int i;
27818- char *p = bmd->sgvecs[0].iov_base;
27819+ char *p = (__force char *)bmd->sgvecs[0].iov_base;
27820
27821 __bio_for_each_segment(bvec, bio, i, 0) {
27822 char *addr = page_address(bvec->bv_page);
27823diff -urNp linux-2.6.32.9/fs/btrfs/ctree.c linux-2.6.32.9/fs/btrfs/ctree.c
27824--- linux-2.6.32.9/fs/btrfs/ctree.c 2010-02-09 07:57:19.000000000 -0500
27825+++ linux-2.6.32.9/fs/btrfs/ctree.c 2010-02-23 17:09:53.272463050 -0500
27826@@ -3568,7 +3568,6 @@ setup_items_for_insert(struct btrfs_tran
27827
27828 ret = 0;
27829 if (slot == 0) {
27830- struct btrfs_disk_key disk_key;
27831 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
27832 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
27833 }
27834diff -urNp linux-2.6.32.9/fs/btrfs/disk-io.c linux-2.6.32.9/fs/btrfs/disk-io.c
27835--- linux-2.6.32.9/fs/btrfs/disk-io.c 2010-02-09 07:57:19.000000000 -0500
27836+++ linux-2.6.32.9/fs/btrfs/disk-io.c 2010-02-23 17:09:53.276137164 -0500
27837@@ -39,7 +39,7 @@
27838 #include "tree-log.h"
27839 #include "free-space-cache.h"
27840
27841-static struct extent_io_ops btree_extent_io_ops;
27842+static const struct extent_io_ops btree_extent_io_ops;
27843 static void end_workqueue_fn(struct btrfs_work *work);
27844 static void free_fs_root(struct btrfs_root *root);
27845
27846@@ -2585,7 +2585,7 @@ out:
27847 return 0;
27848 }
27849
27850-static struct extent_io_ops btree_extent_io_ops = {
27851+static const struct extent_io_ops btree_extent_io_ops = {
27852 .write_cache_pages_lock_hook = btree_lock_page_hook,
27853 .readpage_end_io_hook = btree_readpage_end_io_hook,
27854 .submit_bio_hook = btree_submit_bio_hook,
27855diff -urNp linux-2.6.32.9/fs/btrfs/extent_io.h linux-2.6.32.9/fs/btrfs/extent_io.h
27856--- linux-2.6.32.9/fs/btrfs/extent_io.h 2010-02-09 07:57:19.000000000 -0500
27857+++ linux-2.6.32.9/fs/btrfs/extent_io.h 2010-02-23 17:09:53.276137164 -0500
27858@@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
27859 struct bio *bio, int mirror_num,
27860 unsigned long bio_flags);
27861 struct extent_io_ops {
27862- int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
27863+ int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
27864 u64 start, u64 end, int *page_started,
27865 unsigned long *nr_written);
27866- int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
27867- int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
27868+ int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
27869+ int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
27870 extent_submit_bio_hook_t *submit_bio_hook;
27871- int (*merge_bio_hook)(struct page *page, unsigned long offset,
27872+ int (* const merge_bio_hook)(struct page *page, unsigned long offset,
27873 size_t size, struct bio *bio,
27874 unsigned long bio_flags);
27875- int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
27876- int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
27877+ int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
27878+ int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
27879 u64 start, u64 end,
27880 struct extent_state *state);
27881- int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
27882+ int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
27883 u64 start, u64 end,
27884 struct extent_state *state);
27885- int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
27886+ int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
27887 struct extent_state *state);
27888- int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
27889+ int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
27890 struct extent_state *state, int uptodate);
27891- int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
27892+ int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
27893 unsigned long old, unsigned long bits);
27894- int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
27895+ int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
27896 unsigned long bits);
27897- int (*merge_extent_hook)(struct inode *inode,
27898+ int (* const merge_extent_hook)(struct inode *inode,
27899 struct extent_state *new,
27900 struct extent_state *other);
27901- int (*split_extent_hook)(struct inode *inode,
27902+ int (* const split_extent_hook)(struct inode *inode,
27903 struct extent_state *orig, u64 split);
27904- int (*write_cache_pages_lock_hook)(struct page *page);
27905+ int (* const write_cache_pages_lock_hook)(struct page *page);
27906 };
27907
27908 struct extent_io_tree {
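Review bot: `submit_bio_hook` is the one member of struct extent_io_ops left without the `const` qualifier: every other hook becomes `int (* const name)(...)`, while the context line `extent_submit_bio_hook_t *submit_bio_hook;` is unchanged. The tables are declared `static const struct extent_io_ops` elsewhere in this patch, so the object is presumably still read-only as a whole. For consistency the member should read `extent_submit_bio_hook_t * const submit_bio_hook;`. If the omission is deliberate, a comment on that line should say so.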
27909@@ -88,7 +88,7 @@ struct extent_io_tree {
27910 u64 dirty_bytes;
27911 spinlock_t lock;
27912 spinlock_t buffer_lock;
27913- struct extent_io_ops *ops;
27914+ const struct extent_io_ops *ops;
27915 };
27916
27917 struct extent_state {
27918diff -urNp linux-2.6.32.9/fs/btrfs/free-space-cache.c linux-2.6.32.9/fs/btrfs/free-space-cache.c
27919--- linux-2.6.32.9/fs/btrfs/free-space-cache.c 2010-02-09 07:57:19.000000000 -0500
27920+++ linux-2.6.32.9/fs/btrfs/free-space-cache.c 2010-02-23 17:09:53.276137164 -0500
27921@@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
27922
27923 while(1) {
27924 if (entry->bytes < bytes || entry->offset < min_start) {
27925- struct rb_node *node;
27926-
27927 node = rb_next(&entry->offset_index);
27928 if (!node)
27929 break;
27930@@ -1226,7 +1224,7 @@ again:
27931 */
27932 while (entry->bitmap || found_bitmap ||
27933 (!entry->bitmap && entry->bytes < min_bytes)) {
27934- struct rb_node *node = rb_next(&entry->offset_index);
27935+ node = rb_next(&entry->offset_index);
27936
27937 if (entry->bitmap && entry->bytes > bytes + empty_size) {
27938 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
27939diff -urNp linux-2.6.32.9/fs/btrfs/inode.c linux-2.6.32.9/fs/btrfs/inode.c
27940--- linux-2.6.32.9/fs/btrfs/inode.c 2010-02-09 07:57:19.000000000 -0500
27941+++ linux-2.6.32.9/fs/btrfs/inode.c 2010-02-23 17:09:53.276137164 -0500
27942@@ -63,7 +63,7 @@ static const struct inode_operations btr
27943 static const struct address_space_operations btrfs_aops;
27944 static const struct address_space_operations btrfs_symlink_aops;
27945 static const struct file_operations btrfs_dir_file_operations;
27946-static struct extent_io_ops btrfs_extent_io_ops;
27947+static const struct extent_io_ops btrfs_extent_io_ops;
27948
27949 static struct kmem_cache *btrfs_inode_cachep;
27950 struct kmem_cache *btrfs_trans_handle_cachep;
27951@@ -5854,7 +5854,7 @@ static const struct file_operations btrf
27952 .fsync = btrfs_sync_file,
27953 };
27954
27955-static struct extent_io_ops btrfs_extent_io_ops = {
27956+static const struct extent_io_ops btrfs_extent_io_ops = {
27957 .fill_delalloc = run_delalloc_range,
27958 .submit_bio_hook = btrfs_submit_bio_hook,
27959 .merge_bio_hook = btrfs_merge_bio_hook,
27960diff -urNp linux-2.6.32.9/fs/btrfs/sysfs.c linux-2.6.32.9/fs/btrfs/sysfs.c
27961--- linux-2.6.32.9/fs/btrfs/sysfs.c 2010-02-09 07:57:19.000000000 -0500
27962+++ linux-2.6.32.9/fs/btrfs/sysfs.c 2010-02-23 17:09:53.276137164 -0500
27963@@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
27964 complete(&root->kobj_unregister);
27965 }
27966
27967-static struct sysfs_ops btrfs_super_attr_ops = {
27968+static const struct sysfs_ops btrfs_super_attr_ops = {
27969 .show = btrfs_super_attr_show,
27970 .store = btrfs_super_attr_store,
27971 };
27972
27973-static struct sysfs_ops btrfs_root_attr_ops = {
27974+static const struct sysfs_ops btrfs_root_attr_ops = {
27975 .show = btrfs_root_attr_show,
27976 .store = btrfs_root_attr_store,
27977 };
27978diff -urNp linux-2.6.32.9/fs/buffer.c linux-2.6.32.9/fs/buffer.c
27979--- linux-2.6.32.9/fs/buffer.c 2010-02-09 07:57:19.000000000 -0500
27980+++ linux-2.6.32.9/fs/buffer.c 2010-02-23 17:09:53.276137164 -0500
27981@@ -25,6 +25,7 @@
27982 #include <linux/percpu.h>
27983 #include <linux/slab.h>
27984 #include <linux/capability.h>
27985+#include <linux/security.h>
27986 #include <linux/blkdev.h>
27987 #include <linux/file.h>
27988 #include <linux/quotaops.h>
27989diff -urNp linux-2.6.32.9/fs/cachefiles/rdwr.c linux-2.6.32.9/fs/cachefiles/rdwr.c
27990--- linux-2.6.32.9/fs/cachefiles/rdwr.c 2010-02-09 07:57:19.000000000 -0500
27991+++ linux-2.6.32.9/fs/cachefiles/rdwr.c 2010-02-23 17:09:53.276137164 -0500
27992@@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
27993 old_fs = get_fs();
27994 set_fs(KERNEL_DS);
27995 ret = file->f_op->write(
27996- file, (const void __user *) data, len, &pos);
27997+ file, (__force const void __user *) data, len, &pos);
27998 set_fs(old_fs);
27999 kunmap(page);
28000 if (ret != len)
28001diff -urNp linux-2.6.32.9/fs/cifs/cifs_uniupr.h linux-2.6.32.9/fs/cifs/cifs_uniupr.h
28002--- linux-2.6.32.9/fs/cifs/cifs_uniupr.h 2010-02-09 07:57:19.000000000 -0500
28003+++ linux-2.6.32.9/fs/cifs/cifs_uniupr.h 2010-02-23 17:09:53.276137164 -0500
28004@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
28005 {0x0490, 0x04cc, UniCaseRangeU0490},
28006 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
28007 {0xff40, 0xff5a, UniCaseRangeUff40},
28008- {0}
28009+ {0, 0, NULL}
28010 };
28011 #endif
28012
28013diff -urNp linux-2.6.32.9/fs/cifs/link.c linux-2.6.32.9/fs/cifs/link.c
28014--- linux-2.6.32.9/fs/cifs/link.c 2010-02-09 07:57:19.000000000 -0500
28015+++ linux-2.6.32.9/fs/cifs/link.c 2010-02-23 17:09:53.276137164 -0500
28016@@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
28017
28018 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
28019 {
28020- char *p = nd_get_link(nd);
28021+ const char *p = nd_get_link(nd);
28022 if (!IS_ERR(p))
28023 kfree(p);
28024 }
28025diff -urNp linux-2.6.32.9/fs/compat_binfmt_elf.c linux-2.6.32.9/fs/compat_binfmt_elf.c
28026--- linux-2.6.32.9/fs/compat_binfmt_elf.c 2010-02-09 07:57:19.000000000 -0500
28027+++ linux-2.6.32.9/fs/compat_binfmt_elf.c 2010-02-23 17:09:53.276137164 -0500
28028@@ -29,10 +29,12 @@
28029 #undef elfhdr
28030 #undef elf_phdr
28031 #undef elf_note
28032+#undef elf_dyn
28033 #undef elf_addr_t
28034 #define elfhdr elf32_hdr
28035 #define elf_phdr elf32_phdr
28036 #define elf_note elf32_note
28037+#define elf_dyn Elf32_Dyn
28038 #define elf_addr_t Elf32_Addr
28039
28040 /*
28041diff -urNp linux-2.6.32.9/fs/compat.c linux-2.6.32.9/fs/compat.c
28042--- linux-2.6.32.9/fs/compat.c 2010-02-09 07:57:19.000000000 -0500
28043+++ linux-2.6.32.9/fs/compat.c 2010-02-23 17:09:53.276137164 -0500
28044@@ -1410,14 +1410,12 @@ static int compat_copy_strings(int argc,
28045 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
28046 struct page *page;
28047
28048-#ifdef CONFIG_STACK_GROWSUP
28049 ret = expand_stack_downwards(bprm->vma, pos);
28050 if (ret < 0) {
28051 /* We've exceed the stack rlimit. */
28052 ret = -E2BIG;
28053 goto out;
28054 }
28055-#endif
28056 ret = get_user_pages(current, bprm->mm, pos,
28057 1, 1, 1, &page, NULL);
28058 if (ret <= 0) {
28059@@ -1463,6 +1461,11 @@ int compat_do_execve(char * filename,
28060 compat_uptr_t __user *envp,
28061 struct pt_regs * regs)
28062 {
28063+#ifdef CONFIG_GRKERNSEC
28064+ struct file *old_exec_file;
28065+ struct acl_subject_label *old_acl;
28066+ struct rlimit old_rlim[RLIM_NLIMITS];
28067+#endif
28068 struct linux_binprm *bprm;
28069 struct file *file;
28070 struct files_struct *displaced;
28071@@ -1499,6 +1502,14 @@ int compat_do_execve(char * filename,
28072 bprm->filename = filename;
28073 bprm->interp = filename;
28074
28075+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
28076+ retval = -EAGAIN;
28077+ if (gr_handle_nproc())
28078+ goto out_file;
28079+ retval = -EACCES;
28080+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
28081+ goto out_file;
28082+
28083 retval = bprm_mm_init(bprm);
28084 if (retval)
28085 goto out_file;
28086@@ -1528,9 +1539,40 @@ int compat_do_execve(char * filename,
28087 if (retval < 0)
28088 goto out;
28089
28090+ if (!gr_tpe_allow(file)) {
28091+ retval = -EACCES;
28092+ goto out;
28093+ }
28094+
28095+ if (gr_check_crash_exec(file)) {
28096+ retval = -EACCES;
28097+ goto out;
28098+ }
28099+
28100+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28101+
28102+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
28103+
28104+#ifdef CONFIG_GRKERNSEC
28105+ old_acl = current->acl;
28106+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28107+ old_exec_file = current->exec_file;
28108+ get_file(file);
28109+ current->exec_file = file;
28110+#endif
28111+
28112+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28113+ bprm->unsafe & LSM_UNSAFE_SHARE);
28114+ if (retval < 0)
28115+ goto out_fail;
28116+
28117 retval = search_binary_handler(bprm, regs);
28118 if (retval < 0)
28119- goto out;
28120+ goto out_fail;
28121+#ifdef CONFIG_GRKERNSEC
28122+ if (old_exec_file)
28123+ fput(old_exec_file);
28124+#endif
28125
28126 current->stack_start = current->mm->start_stack;
28127
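Review bot: The rlimit snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and its restore under `out_fail:` are done with no lock visible in these hunks, although current->signal is shared by every thread of the process. If a sibling thread changes a limit between the save and a failed exec, the restore would silently overwrite it. Holding the lock that the setrlimit path presumably takes around both copies would close that window: `task_lock(current->group_leader); memcpy(...); task_unlock(current->group_leader);`. The same save/restore sequence is added to do_execve in fs/exec.c, so the two copies would be better kept in one shared helper. compat_do_execve starts and ends outside this hunk.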
28128@@ -1543,6 +1585,14 @@ int compat_do_execve(char * filename,
28129 put_files_struct(displaced);
28130 return retval;
28131
28132+out_fail:
28133+#ifdef CONFIG_GRKERNSEC
28134+ current->acl = old_acl;
28135+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28136+ fput(current->exec_file);
28137+ current->exec_file = old_exec_file;
28138+#endif
28139+
28140 out:
28141 if (bprm->mm)
28142 mmput(bprm->mm);
28143diff -urNp linux-2.6.32.9/fs/compat_ioctl.c linux-2.6.32.9/fs/compat_ioctl.c
28144--- linux-2.6.32.9/fs/compat_ioctl.c 2010-02-09 07:57:19.000000000 -0500
28145+++ linux-2.6.32.9/fs/compat_ioctl.c 2010-02-23 17:09:53.276137164 -0500
28146@@ -1827,15 +1827,15 @@ struct ioctl_trans {
28147 };
28148
28149 #define HANDLE_IOCTL(cmd,handler) \
28150- { (cmd), (ioctl_trans_handler_t)(handler) },
28151+ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
28152
28153 /* pointer to compatible structure or no argument */
28154 #define COMPATIBLE_IOCTL(cmd) \
28155- { (cmd), do_ioctl32_pointer },
28156+ { (cmd), do_ioctl32_pointer, NULL },
28157
28158 /* argument is an unsigned long integer, not a pointer */
28159 #define ULONG_IOCTL(cmd) \
28160- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
28161+ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
28162
28163 /* ioctl should not be warned about even if it's not implemented.
28164 Valid reasons to use this:
28165diff -urNp linux-2.6.32.9/fs/debugfs/inode.c linux-2.6.32.9/fs/debugfs/inode.c
28166--- linux-2.6.32.9/fs/debugfs/inode.c 2010-02-09 07:57:19.000000000 -0500
28167+++ linux-2.6.32.9/fs/debugfs/inode.c 2010-02-23 17:09:53.276137164 -0500
28168@@ -128,7 +128,7 @@ static inline int debugfs_positive(struc
28169
28170 static int debug_fill_super(struct super_block *sb, void *data, int silent)
28171 {
28172- static struct tree_descr debug_files[] = {{""}};
28173+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
28174
28175 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
28176 }
28177diff -urNp linux-2.6.32.9/fs/dlm/lockspace.c linux-2.6.32.9/fs/dlm/lockspace.c
28178--- linux-2.6.32.9/fs/dlm/lockspace.c 2010-02-09 07:57:19.000000000 -0500
28179+++ linux-2.6.32.9/fs/dlm/lockspace.c 2010-02-23 17:09:53.280435608 -0500
28180@@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
28181 kfree(ls);
28182 }
28183
28184-static struct sysfs_ops dlm_attr_ops = {
28185+static const struct sysfs_ops dlm_attr_ops = {
28186 .show = dlm_attr_show,
28187 .store = dlm_attr_store,
28188 };
28189diff -urNp linux-2.6.32.9/fs/ecryptfs/inode.c linux-2.6.32.9/fs/ecryptfs/inode.c
28190--- linux-2.6.32.9/fs/ecryptfs/inode.c 2010-02-23 17:04:12.533572395 -0500
28191+++ linux-2.6.32.9/fs/ecryptfs/inode.c 2010-02-23 17:09:53.280435608 -0500
28192@@ -676,7 +676,7 @@ ecryptfs_readlink(struct dentry *dentry,
28193 old_fs = get_fs();
28194 set_fs(get_ds());
28195 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
28196- (char __user *)lower_buf,
28197+ (__force char __user *)lower_buf,
28198 lower_bufsiz);
28199 set_fs(old_fs);
28200 if (rc >= 0) {
28201@@ -720,7 +720,7 @@ static void *ecryptfs_follow_link(struct
28202 }
28203 old_fs = get_fs();
28204 set_fs(get_ds());
28205- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
28206+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
28207 set_fs(old_fs);
28208 if (rc < 0)
28209 goto out_free;
28210diff -urNp linux-2.6.32.9/fs/exec.c linux-2.6.32.9/fs/exec.c
28211--- linux-2.6.32.9/fs/exec.c 2010-02-23 17:04:12.533572395 -0500
28212+++ linux-2.6.32.9/fs/exec.c 2010-02-23 17:24:19.199824476 -0500
28213@@ -56,12 +56,24 @@
28214 #include <linux/fsnotify.h>
28215 #include <linux/fs_struct.h>
28216 #include <linux/pipe_fs_i.h>
28217+#include <linux/random.h>
28218+#include <linux/seq_file.h>
28219+
28220+#ifdef CONFIG_PAX_REFCOUNT
28221+#include <linux/kallsyms.h>
28222+#include <linux/kdebug.h>
28223+#endif
28224
28225 #include <asm/uaccess.h>
28226 #include <asm/mmu_context.h>
28227 #include <asm/tlb.h>
28228 #include "internal.h"
28229
28230+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
28231+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
28232+EXPORT_SYMBOL(pax_set_initial_flags_func);
28233+#endif
28234+
28235 int core_uses_pid;
28236 char core_pattern[CORENAME_MAX_SIZE] = "core";
28237 unsigned int core_pipe_limit;
28238@@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
28239 goto out;
28240
28241 file = do_filp_open(AT_FDCWD, tmp,
28242- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28243+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28244 MAY_READ | MAY_EXEC | MAY_OPEN);
28245 putname(tmp);
28246 error = PTR_ERR(file);
28247@@ -163,18 +175,10 @@ static struct page *get_arg_page(struct
28248 int write)
28249 {
28250 struct page *page;
28251- int ret;
28252
28253-#ifdef CONFIG_STACK_GROWSUP
28254- if (write) {
28255- ret = expand_stack_downwards(bprm->vma, pos);
28256- if (ret < 0)
28257- return NULL;
28258- }
28259-#endif
28260- ret = get_user_pages(current, bprm->mm, pos,
28261- 1, write, 1, &page, NULL);
28262- if (ret <= 0)
28263+ if (0 > expand_stack_downwards(bprm->vma, pos))
28264+ return NULL;
28265+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
28266 return NULL;
28267
28268 if (write) {
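Review bot: The rewritten checks in get_arg_page put the constant first (`if (0 > expand_stack_downwards(...))`, `if (0 >= get_user_pages(...))`), which is harder to read than the removed form that named the result `ret`. The rewrite also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` test, so the stack vma is expanded on read lookups too; that is a behaviour change with no comment, and compat_copy_strings in fs/compat.c loses its guard the same way. Suggested form: `if (expand_stack_downwards(bprm->vma, pos) < 0) return NULL;`, preceded by `/* always grow the stack vma to cover pos, also for reads */`. The function body continues outside the hunk.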
28269@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
28270 vma->vm_end = STACK_TOP_MAX;
28271 vma->vm_start = vma->vm_end - PAGE_SIZE;
28272 vma->vm_flags = VM_STACK_FLAGS;
28273+
28274+#ifdef CONFIG_PAX_SEGMEXEC
28275+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
28276+#endif
28277+
28278 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
28279 err = insert_vm_struct(mm, vma);
28280 if (err)
28281@@ -254,6 +263,12 @@ static int __bprm_mm_init(struct linux_b
28282 mm->stack_vm = mm->total_vm = 1;
28283 up_write(&mm->mmap_sem);
28284 bprm->p = vma->vm_end - sizeof(void *);
28285+
28286+#ifdef CONFIG_PAX_RANDUSTACK
28287+ if (randomize_va_space)
28288+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
28289+#endif
28290+
28291 return 0;
28292 err:
28293 up_write(&mm->mmap_sem);
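Review bot: The mask in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is not explained. As written it flips only bits 4 up to PAGE_SHIFT-1 of the initial stack pointer, so the offset stays inside the single stack page set up above and the low four bits are untouched; with 4 KiB pages that is 8 bits of randomness at this stage. A comment such as `/* randomise the in-page offset of the initial sp, low 4 bits kept */` would record that and make clear that any further stack randomisation has to come from elsewhere. __bprm_mm_init starts outside the hunk.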
28294@@ -475,7 +490,7 @@ int copy_strings_kernel(int argc,char **
28295 int r;
28296 mm_segment_t oldfs = get_fs();
28297 set_fs(KERNEL_DS);
28298- r = copy_strings(argc, (char __user * __user *)argv, bprm);
28299+ r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
28300 set_fs(oldfs);
28301 return r;
28302 }
28303@@ -505,7 +520,8 @@ static int shift_arg_pages(struct vm_are
28304 unsigned long new_end = old_end - shift;
28305 struct mmu_gather *tlb;
28306
28307- BUG_ON(new_start > new_end);
28308+ if (new_start >= new_end || new_start < mmap_min_addr)
28309+ return -EFAULT;
28310
28311 /*
28312 * ensure there are no vmas between where we want to go
28313@@ -514,6 +530,10 @@ static int shift_arg_pages(struct vm_are
28314 if (vma != find_vma(mm, new_start))
28315 return -EFAULT;
28316
28317+#ifdef CONFIG_PAX_SEGMEXEC
28318+ BUG_ON(pax_find_mirror_vma(vma));
28319+#endif
28320+
28321 /*
28322 * cover the whole range: [new_start, old_end)
28323 */
28324@@ -605,6 +625,14 @@ int setup_arg_pages(struct linux_binprm
28325 bprm->exec -= stack_shift;
28326
28327 down_write(&mm->mmap_sem);
28328+
28329+ /* Move stack pages down in memory. */
28330+ if (stack_shift) {
28331+ ret = shift_arg_pages(vma, stack_shift);
28332+ if (ret)
28333+ goto out_unlock;
28334+ }
28335+
28336 vm_flags = VM_STACK_FLAGS;
28337
28338 /*
28339@@ -618,19 +646,24 @@ int setup_arg_pages(struct linux_binprm
28340 vm_flags &= ~VM_EXEC;
28341 vm_flags |= mm->def_flags;
28342
28343+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28344+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
28345+ vm_flags &= ~VM_EXEC;
28346+
28347+#ifdef CONFIG_PAX_MPROTECT
28348+ if (mm->pax_flags & MF_PAX_MPROTECT)
28349+ vm_flags &= ~VM_MAYEXEC;
28350+#endif
28351+
28352+ }
28353+#endif
28354+
28355 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
28356 vm_flags);
28357 if (ret)
28358 goto out_unlock;
28359 BUG_ON(prev != vma);
28360
28361- /* Move stack pages down in memory. */
28362- if (stack_shift) {
28363- ret = shift_arg_pages(vma, stack_shift);
28364- if (ret)
28365- goto out_unlock;
28366- }
28367-
28368 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
28369 stack_size = vma->vm_end - vma->vm_start;
28370 /*
28371@@ -638,7 +671,6 @@ int setup_arg_pages(struct linux_binprm
28372 * will align it up.
28373 */
28374 rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
28375- rlim_stack = min(rlim_stack, stack_size);
28376 #ifdef CONFIG_STACK_GROWSUP
28377 if (stack_size + stack_expand > rlim_stack)
28378 stack_base = vma->vm_start + rlim_stack;
28379@@ -668,7 +700,7 @@ struct file *open_exec(const char *name)
28380 int err;
28381
28382 file = do_filp_open(AT_FDCWD, name,
28383- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28384+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28385 MAY_EXEC | MAY_OPEN);
28386 if (IS_ERR(file))
28387 goto out;
28388@@ -705,7 +737,7 @@ int kernel_read(struct file *file, loff_
28389 old_fs = get_fs();
28390 set_fs(get_ds());
28391 /* The cast to a user pointer is valid due to the set_fs() */
28392- result = vfs_read(file, (void __user *)addr, count, &pos);
28393+ result = vfs_read(file, (__force void __user *)addr, count, &pos);
28394 set_fs(old_fs);
28395 return result;
28396 }
28397@@ -1111,7 +1143,7 @@ int check_unsafe_exec(struct linux_binpr
28398 }
28399 rcu_read_unlock();
28400
28401- if (p->fs->users > n_fs) {
28402+ if (atomic_read(&p->fs->users) > n_fs) {
28403 bprm->unsafe |= LSM_UNSAFE_SHARE;
28404 } else {
28405 res = -EAGAIN;
28406@@ -1310,6 +1342,11 @@ int do_execve(char * filename,
28407 char __user *__user *envp,
28408 struct pt_regs * regs)
28409 {
28410+#ifdef CONFIG_GRKERNSEC
28411+ struct file *old_exec_file;
28412+ struct acl_subject_label *old_acl;
28413+ struct rlimit old_rlim[RLIM_NLIMITS];
28414+#endif
28415 struct linux_binprm *bprm;
28416 struct file *file;
28417 struct files_struct *displaced;
28418@@ -1346,6 +1383,18 @@ int do_execve(char * filename,
28419 bprm->filename = filename;
28420 bprm->interp = filename;
28421
28422+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
28423+
28424+ if (gr_handle_nproc()) {
28425+ retval = -EAGAIN;
28426+ goto out_file;
28427+ }
28428+
28429+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
28430+ retval = -EACCES;
28431+ goto out_file;
28432+ }
28433+
28434 retval = bprm_mm_init(bprm);
28435 if (retval)
28436 goto out_file;
28437@@ -1375,10 +1424,41 @@ int do_execve(char * filename,
28438 if (retval < 0)
28439 goto out;
28440
28441+ if (!gr_tpe_allow(file)) {
28442+ retval = -EACCES;
28443+ goto out;
28444+ }
28445+
28446+ if (gr_check_crash_exec(file)) {
28447+ retval = -EACCES;
28448+ goto out;
28449+ }
28450+
28451+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28452+
28453+ gr_handle_exec_args(bprm, argv);
28454+
28455+#ifdef CONFIG_GRKERNSEC
28456+ old_acl = current->acl;
28457+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28458+ old_exec_file = current->exec_file;
28459+ get_file(file);
28460+ current->exec_file = file;
28461+#endif
28462+
28463+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28464+ bprm->unsafe & LSM_UNSAFE_SHARE);
28465+ if (retval < 0)
28466+ goto out_fail;
28467+
28468 current->flags &= ~PF_KTHREAD;
28469 retval = search_binary_handler(bprm,regs);
28470 if (retval < 0)
28471- goto out;
28472+ goto out_fail;
28473+#ifdef CONFIG_GRKERNSEC
28474+ if (old_exec_file)
28475+ fput(old_exec_file);
28476+#endif
28477
28478 current->stack_start = current->mm->start_stack;
28479
28480@@ -1391,6 +1471,14 @@ int do_execve(char * filename,
28481 put_files_struct(displaced);
28482 return retval;
28483
28484+out_fail:
28485+#ifdef CONFIG_GRKERNSEC
28486+ current->acl = old_acl;
28487+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28488+ fput(current->exec_file);
28489+ current->exec_file = old_exec_file;
28490+#endif
28491+
28492 out:
28493 if (bprm->mm)
28494 mmput (bprm->mm);
28495@@ -1554,6 +1642,169 @@ out:
28496 return ispipe;
28497 }
28498
28499+int pax_check_flags(unsigned long *flags)
28500+{
28501+ int retval = 0;
28502+
28503+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
28504+ if (*flags & MF_PAX_SEGMEXEC)
28505+ {
28506+ *flags &= ~MF_PAX_SEGMEXEC;
28507+ retval = -EINVAL;
28508+ }
28509+#endif
28510+
28511+ if ((*flags & MF_PAX_PAGEEXEC)
28512+
28513+#ifdef CONFIG_PAX_PAGEEXEC
28514+ && (*flags & MF_PAX_SEGMEXEC)
28515+#endif
28516+
28517+ )
28518+ {
28519+ *flags &= ~MF_PAX_PAGEEXEC;
28520+ retval = -EINVAL;
28521+ }
28522+
28523+ if ((*flags & MF_PAX_MPROTECT)
28524+
28525+#ifdef CONFIG_PAX_MPROTECT
28526+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28527+#endif
28528+
28529+ )
28530+ {
28531+ *flags &= ~MF_PAX_MPROTECT;
28532+ retval = -EINVAL;
28533+ }
28534+
28535+ if ((*flags & MF_PAX_EMUTRAMP)
28536+
28537+#ifdef CONFIG_PAX_EMUTRAMP
28538+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28539+#endif
28540+
28541+ )
28542+ {
28543+ *flags &= ~MF_PAX_EMUTRAMP;
28544+ retval = -EINVAL;
28545+ }
28546+
28547+ return retval;
28548+}
28549+
28550+EXPORT_SYMBOL(pax_check_flags);
28551+
28552+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28553+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
28554+{
28555+ struct task_struct *tsk = current;
28556+ struct mm_struct *mm = current->mm;
28557+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
28558+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
28559+ char *path_exec = NULL;
28560+ char *path_fault = NULL;
28561+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
28562+
28563+ if (buffer_exec && buffer_fault) {
28564+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
28565+
28566+ down_read(&mm->mmap_sem);
28567+ vma = mm->mmap;
28568+ while (vma && (!vma_exec || !vma_fault)) {
28569+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
28570+ vma_exec = vma;
28571+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
28572+ vma_fault = vma;
28573+ vma = vma->vm_next;
28574+ }
28575+ if (vma_exec) {
28576+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
28577+ if (IS_ERR(path_exec))
28578+ path_exec = "<path too long>";
28579+ else {
28580+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
28581+ if (path_exec) {
28582+ *path_exec = 0;
28583+ path_exec = buffer_exec;
28584+ } else
28585+ path_exec = "<path too long>";
28586+ }
28587+ }
28588+ if (vma_fault) {
28589+ start = vma_fault->vm_start;
28590+ end = vma_fault->vm_end;
28591+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
28592+ if (vma_fault->vm_file) {
28593+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
28594+ if (IS_ERR(path_fault))
28595+ path_fault = "<path too long>";
28596+ else {
28597+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
28598+ if (path_fault) {
28599+ *path_fault = 0;
28600+ path_fault = buffer_fault;
28601+ } else
28602+ path_fault = "<path too long>";
28603+ }
28604+ } else
28605+ path_fault = "<anonymous mapping>";
28606+ }
28607+ up_read(&mm->mmap_sem);
28608+ }
28609+ if (tsk->signal->curr_ip)
28610+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
28611+ else
28612+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
28613+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
28614+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
28615+ task_uid(tsk), task_euid(tsk), pc, sp);
28616+ free_page((unsigned long)buffer_exec);
28617+ free_page((unsigned long)buffer_fault);
28618+ pax_report_insns(pc, sp);
28619+ do_coredump(SIGKILL, SIGKILL, regs);
28620+}
28621+#endif
28622+
28623+#ifdef CONFIG_PAX_REFCOUNT
28624+void pax_report_refcount_overflow(struct pt_regs *regs)
28625+{
28626+ if (current->signal->curr_ip)
28627+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28628+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
28629+ else
28630+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28631+ current->comm, task_pid_nr(current), current_uid(), current_euid());
28632+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
28633+ show_regs(regs);
28634+ force_sig_specific(SIGKILL, current);
28635+}
28636+#endif
28637+
28638+#ifdef CONFIG_PAX_USERCOPY
28639+void pax_report_leak_to_user(const void *ptr, unsigned long len)
28640+{
28641+ if (current->signal->curr_ip)
28642+ printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
28643+ &current->signal->curr_ip, ptr, len);
28644+ else
28645+ printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
28646+ dump_stack();
28647+ do_group_exit(SIGKILL);
28648+}
28649+
28650+void pax_report_overflow_from_user(const void *ptr, unsigned long len)
28651+{
28652+ if (current->signal->curr_ip)
28653+ printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
28654+ &current->signal->curr_ip, ptr, len);
28655+ else
28656+ printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
28657+ dump_stack();
28658+ do_group_exit(SIGKILL);
28659+}
28660+#endif
28661+
28662 static int zap_process(struct task_struct *start)
28663 {
28664 struct task_struct *t;
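Review bot: pax_report_fault escapes the two file paths with `mangle_path(..., "\t\n\\")` before logging them, but `tsk->comm` is printed with a bare `%s` in the same message, and pax_report_refcount_overflow does the same with `current->comm`. The task name is set by the process itself and may contain newlines, so the audit line can be split or followed by forged text, which undermines the log these reports exist to provide. The name should be escaped the same way as the paths before it is printed, or the limitation documented next to the printk calls. Separately, `path_exec` and `path_fault` stay NULL when either page allocation fails, and "occured" in the refcount message is misspelled.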
28665@@ -1756,17 +2007,17 @@ static void wait_for_dump_helpers(struct
28666 pipe = file->f_path.dentry->d_inode->i_pipe;
28667
28668 pipe_lock(pipe);
28669- pipe->readers++;
28670- pipe->writers--;
28671+ atomic_inc(&pipe->readers);
28672+ atomic_dec(&pipe->writers);
28673
28674- while ((pipe->readers > 1) && (!signal_pending(current))) {
28675+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
28676 wake_up_interruptible_sync(&pipe->wait);
28677 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
28678 pipe_wait(pipe);
28679 }
28680
28681- pipe->readers--;
28682- pipe->writers++;
28683+ atomic_dec(&pipe->readers);
28684+ atomic_inc(&pipe->writers);
28685 pipe_unlock(pipe);
28686
28687 }
28688@@ -1837,6 +2088,10 @@ void do_coredump(long signr, int exit_co
28689 */
28690 clear_thread_flag(TIF_SIGPENDING);
28691
28692+ if (signr == SIGKILL || signr == SIGILL)
28693+ gr_handle_brute_attach(current);
28694+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
28695+
28696 /*
28697 * lock_kernel() because format_corename() is controlled by sysctl, which
28698 * uses lock_kernel()
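Review bot: The added `if (signr == SIGKILL || signr == SIGILL)` has no braces and is immediately followed by `gr_learn_resource(...)`, which runs unconditionally; braces around the `gr_handle_brute_attach(current);` call and a blank line before `gr_learn_resource` would make that unmistakable. The new call also dereferences `binfmt->min_coredump`, so it relies on `binfmt` having been checked for NULL earlier in do_coredump. That check is outside the hunk and should be confirmed. A short comment saying why only these two signals count as brute-force indicators would help, since the usual crash signal for a failed memory-corruption attempt is not in the list.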
28699diff -urNp linux-2.6.32.9/fs/ext2/balloc.c linux-2.6.32.9/fs/ext2/balloc.c
28700--- linux-2.6.32.9/fs/ext2/balloc.c 2010-02-09 07:57:19.000000000 -0500
28701+++ linux-2.6.32.9/fs/ext2/balloc.c 2010-02-23 17:09:53.280435608 -0500
28702@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
28703
28704 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28705 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28706- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28707+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28708 sbi->s_resuid != current_fsuid() &&
28709 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28710 return 0;
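Review bot: `capable_nolog(CAP_SYS_RESOURCE)` replaces `capable()` in the reserved-block test without a comment on why a denial here should go unlogged. The reason is presumably that this check runs on ordinary allocations, where a missing capability is routine rather than an event worth auditing, but the hunk does not say. I would add `/* capable_nolog: routine check on the allocation path, a denial here is not a security event */` above the condition. The ext3 and ext4 balloc.c hunks make the identical substitution and need the same note.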
28711diff -urNp linux-2.6.32.9/fs/ext3/balloc.c linux-2.6.32.9/fs/ext3/balloc.c
28712--- linux-2.6.32.9/fs/ext3/balloc.c 2010-02-09 07:57:19.000000000 -0500
28713+++ linux-2.6.32.9/fs/ext3/balloc.c 2010-02-23 17:09:53.280435608 -0500
28714@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
28715
28716 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28717 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28718- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28719+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28720 sbi->s_resuid != current_fsuid() &&
28721 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28722 return 0;
28723diff -urNp linux-2.6.32.9/fs/ext3/namei.c linux-2.6.32.9/fs/ext3/namei.c
28724--- linux-2.6.32.9/fs/ext3/namei.c 2010-02-09 07:57:19.000000000 -0500
28725+++ linux-2.6.32.9/fs/ext3/namei.c 2010-02-23 17:09:53.280435608 -0500
28726@@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
28727 char *data1 = (*bh)->b_data, *data2;
28728 unsigned split, move, size;
28729 struct ext3_dir_entry_2 *de = NULL, *de2;
28730- int err = 0, i;
28731+ int i, err = 0;
28732
28733 bh2 = ext3_append (handle, dir, &newblock, &err);
28734 if (!(bh2)) {
28735diff -urNp linux-2.6.32.9/fs/ext3/xattr.c linux-2.6.32.9/fs/ext3/xattr.c
28736--- linux-2.6.32.9/fs/ext3/xattr.c 2010-02-09 07:57:19.000000000 -0500
28737+++ linux-2.6.32.9/fs/ext3/xattr.c 2010-02-23 17:09:53.280435608 -0500
28738@@ -89,8 +89,8 @@
28739 printk("\n"); \
28740 } while (0)
28741 #else
28742-# define ea_idebug(f...)
28743-# define ea_bdebug(f...)
28744+# define ea_idebug(f...) do {} while (0)
28745+# define ea_bdebug(f...) do {} while (0)
28746 #endif
28747
28748 static void ext3_xattr_cache_insert(struct buffer_head *);
28749diff -urNp linux-2.6.32.9/fs/ext4/balloc.c linux-2.6.32.9/fs/ext4/balloc.c
28750--- linux-2.6.32.9/fs/ext4/balloc.c 2010-02-09 07:57:19.000000000 -0500
28751+++ linux-2.6.32.9/fs/ext4/balloc.c 2010-02-23 17:09:53.280435608 -0500
28752@@ -573,7 +573,7 @@ int ext4_has_free_blocks(struct ext4_sb_
28753 /* Hm, nope. Are (enough) root reserved blocks available? */
28754 if (sbi->s_resuid == current_fsuid() ||
28755 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
28756- capable(CAP_SYS_RESOURCE)) {
28757+ capable_nolog(CAP_SYS_RESOURCE)) {
28758 if (free_blocks >= (nblocks + dirty_blocks))
28759 return 1;
28760 }
28761diff -urNp linux-2.6.32.9/fs/ext4/ioctl.c linux-2.6.32.9/fs/ext4/ioctl.c
28762--- linux-2.6.32.9/fs/ext4/ioctl.c 2010-02-09 07:57:19.000000000 -0500
28763+++ linux-2.6.32.9/fs/ext4/ioctl.c 2010-02-23 17:09:53.280435608 -0500
28764@@ -221,6 +221,9 @@ setversion_out:
28765 struct file *donor_filp;
28766 int err;
28767
28768+ /* temporary workaround for bugs in here */
28769+ return -EOPNOTSUPP;
28770+
28771 if (!(filp->f_mode & FMODE_READ) ||
28772 !(filp->f_mode & FMODE_WRITE))
28773 return -EBADF;
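Review bot: The unconditional `return -EOPNOTSUPP;` makes the rest of this ioctl case unreachable, and the comment `/* temporary workaround for bugs in here */` names neither the bugs nor the condition for removing it. Disabling a code path with known defects is a reasonable hardening step, but the next maintainer cannot tell whether it is still needed. The comment should carry that information, e.g. `/* disabled: <bug reference>; re-enable once fixed upstream */`. The case label is outside the hunk, so which ioctl is being turned off should be stated in the comment as well.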
28774diff -urNp linux-2.6.32.9/fs/ext4/namei.c linux-2.6.32.9/fs/ext4/namei.c
28775--- linux-2.6.32.9/fs/ext4/namei.c 2010-02-09 07:57:19.000000000 -0500
28776+++ linux-2.6.32.9/fs/ext4/namei.c 2010-02-23 17:09:53.280435608 -0500
28777@@ -1203,7 +1203,7 @@ static struct ext4_dir_entry_2 *do_split
28778 char *data1 = (*bh)->b_data, *data2;
28779 unsigned split, move, size;
28780 struct ext4_dir_entry_2 *de = NULL, *de2;
28781- int err = 0, i;
28782+ int i, err = 0;
28783
28784 bh2 = ext4_append (handle, dir, &newblock, &err);
28785 if (!(bh2)) {
28786diff -urNp linux-2.6.32.9/fs/ext4/super.c linux-2.6.32.9/fs/ext4/super.c
28787--- linux-2.6.32.9/fs/ext4/super.c 2010-02-09 07:57:19.000000000 -0500
28788+++ linux-2.6.32.9/fs/ext4/super.c 2010-02-23 17:09:53.284244949 -0500
28789@@ -2276,7 +2276,7 @@ static void ext4_sb_release(struct kobje
28790 }
28791
28792
28793-static struct sysfs_ops ext4_attr_ops = {
28794+static const struct sysfs_ops ext4_attr_ops = {
28795 .show = ext4_attr_show,
28796 .store = ext4_attr_store,
28797 };
28798diff -urNp linux-2.6.32.9/fs/fcntl.c linux-2.6.32.9/fs/fcntl.c
28799--- linux-2.6.32.9/fs/fcntl.c 2010-02-23 17:04:12.533572395 -0500
28800+++ linux-2.6.32.9/fs/fcntl.c 2010-02-23 17:09:53.284244949 -0500
28801@@ -344,6 +344,7 @@ static long do_fcntl(int fd, unsigned in
28802 switch (cmd) {
28803 case F_DUPFD:
28804 case F_DUPFD_CLOEXEC:
28805+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
28806 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28807 break;
28808 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
28809@@ -500,7 +501,8 @@ static inline int sigio_perm(struct task
28810 ret = ((fown->euid == 0 ||
28811 fown->euid == cred->suid || fown->euid == cred->uid ||
28812 fown->uid == cred->suid || fown->uid == cred->uid) &&
28813- !security_file_send_sigiotask(p, fown, sig));
28814+ !security_file_send_sigiotask(p, fown, sig) &&
28815+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
28816 rcu_read_unlock();
28817 return ret;
28818 }
28819diff -urNp linux-2.6.32.9/fs/fifo.c linux-2.6.32.9/fs/fifo.c
28820--- linux-2.6.32.9/fs/fifo.c 2010-02-09 07:57:19.000000000 -0500
28821+++ linux-2.6.32.9/fs/fifo.c 2010-02-23 17:09:53.284244949 -0500
28822@@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
28823 */
28824 filp->f_op = &read_pipefifo_fops;
28825 pipe->r_counter++;
28826- if (pipe->readers++ == 0)
28827+ if (atomic_inc_return(&pipe->readers) == 1)
28828 wake_up_partner(inode);
28829
28830- if (!pipe->writers) {
28831+ if (!atomic_read(&pipe->writers)) {
28832 if ((filp->f_flags & O_NONBLOCK)) {
28833 /* suppress POLLHUP until we have
28834 * seen a writer */
28835@@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
28836 * errno=ENXIO when there is no process reading the FIFO.
28837 */
28838 ret = -ENXIO;
28839- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
28840+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
28841 goto err;
28842
28843 filp->f_op = &write_pipefifo_fops;
28844 pipe->w_counter++;
28845- if (!pipe->writers++)
28846+ if (atomic_inc_return(&pipe->writers) == 1)
28847 wake_up_partner(inode);
28848
28849- if (!pipe->readers) {
28850+ if (!atomic_read(&pipe->readers)) {
28851 wait_for_partner(inode, &pipe->r_counter);
28852 if (signal_pending(current))
28853 goto err_wr;
28854@@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
28855 */
28856 filp->f_op = &rdwr_pipefifo_fops;
28857
28858- pipe->readers++;
28859- pipe->writers++;
28860+ atomic_inc(&pipe->readers);
28861+ atomic_inc(&pipe->writers);
28862 pipe->r_counter++;
28863 pipe->w_counter++;
28864- if (pipe->readers == 1 || pipe->writers == 1)
28865+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
28866 wake_up_partner(inode);
28867 break;
28868
28869@@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
28870 return 0;
28871
28872 err_rd:
28873- if (!--pipe->readers)
28874+ if (atomic_dec_and_test(&pipe->readers))
28875 wake_up_interruptible(&pipe->wait);
28876 ret = -ERESTARTSYS;
28877 goto err;
28878
28879 err_wr:
28880- if (!--pipe->writers)
28881+ if (atomic_dec_and_test(&pipe->writers))
28882 wake_up_interruptible(&pipe->wait);
28883 ret = -ERESTARTSYS;
28884 goto err;
28885
28886 err:
28887- if (!pipe->readers && !pipe->writers)
28888+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
28889 free_pipe_info(inode);
28890
28891 err_nocleanup:
28892diff -urNp linux-2.6.32.9/fs/file.c linux-2.6.32.9/fs/file.c
28893--- linux-2.6.32.9/fs/file.c 2010-02-09 07:57:19.000000000 -0500
28894+++ linux-2.6.32.9/fs/file.c 2010-02-23 17:09:53.284244949 -0500
28895@@ -14,6 +14,7 @@
28896 #include <linux/slab.h>
28897 #include <linux/vmalloc.h>
28898 #include <linux/file.h>
28899+#include <linux/security.h>
28900 #include <linux/fdtable.h>
28901 #include <linux/bitops.h>
28902 #include <linux/interrupt.h>
28903@@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
28904 * N.B. For clone tasks sharing a files structure, this test
28905 * will limit the total number of files that can be opened.
28906 */
28907+
28908+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
28909 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28910 return -EMFILE;
28911
28912diff -urNp linux-2.6.32.9/fs/fs_struct.c linux-2.6.32.9/fs/fs_struct.c
28913--- linux-2.6.32.9/fs/fs_struct.c 2010-02-09 07:57:19.000000000 -0500
28914+++ linux-2.6.32.9/fs/fs_struct.c 2010-02-23 17:09:53.284244949 -0500
28915@@ -45,10 +45,12 @@ void chroot_fs_refs(struct path *old_roo
28916 struct task_struct *g, *p;
28917 struct fs_struct *fs;
28918 int count = 0;
28919+ unsigned long flags;
28920
28921 read_lock(&tasklist_lock);
28922 do_each_thread(g, p) {
28923 task_lock(p);
28924+ gr_fs_write_lock_irqsave(p, flags);
28925 fs = p->fs;
28926 if (fs) {
28927 write_lock(&fs->lock);
28928@@ -66,6 +68,7 @@ void chroot_fs_refs(struct path *old_roo
28929 }
28930 write_unlock(&fs->lock);
28931 }
28932+ gr_fs_write_unlock_irqrestore(p, flags);
28933 task_unlock(p);
28934 } while_each_thread(g, p);
28935 read_unlock(&tasklist_lock);
28936@@ -83,14 +86,17 @@ void free_fs_struct(struct fs_struct *fs
28937 void exit_fs(struct task_struct *tsk)
28938 {
28939 struct fs_struct *fs = tsk->fs;
28940+ unsigned long flags;
28941
28942 if (fs) {
28943 int kill;
28944 task_lock(tsk);
28945+ gr_fs_write_lock_irqsave(tsk, flags);
28946 write_lock(&fs->lock);
28947 tsk->fs = NULL;
28948- kill = !--fs->users;
28949+ kill = !atomic_dec_return(&fs->users);
28950 write_unlock(&fs->lock);
28951+ gr_fs_write_unlock_irqrestore(tsk, flags);
28952 task_unlock(tsk);
28953 if (kill)
28954 free_fs_struct(fs);
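Review bot: `kill = !atomic_dec_return(&fs->users);` in exit_fs is written differently from the same patch's fs/fifo.c conversion, which uses `atomic_dec_and_test()` for the identical "did this drop to zero" question. `kill = atomic_dec_and_test(&fs->users);` reads more directly and matches that usage. The same line appears in the unshare_fs_struct and daemonize_fs_struct hunks below. The new `gr_fs_write_lock_irqsave`/`gr_fs_write_unlock_irqrestore` pair is also undocumented here; a comment on what it protects beyond `fs->lock` would help, since its definition is not in this file.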
28955@@ -102,7 +108,7 @@ struct fs_struct *copy_fs_struct(struct
28956 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
28957 /* We don't need to lock fs - think why ;-) */
28958 if (fs) {
28959- fs->users = 1;
28960+ atomic_set(&fs->users, 1);
28961 fs->in_exec = 0;
28962 rwlock_init(&fs->lock);
28963 fs->umask = old->umask;
28964@@ -121,15 +127,18 @@ int unshare_fs_struct(void)
28965 struct fs_struct *fs = current->fs;
28966 struct fs_struct *new_fs = copy_fs_struct(fs);
28967 int kill;
28968+ unsigned long flags;
28969
28970 if (!new_fs)
28971 return -ENOMEM;
28972
28973 task_lock(current);
28974+ gr_fs_write_lock_irqsave(current, flags);
28975 write_lock(&fs->lock);
28976- kill = !--fs->users;
28977+ kill = !atomic_dec_return(&fs->users);
28978 current->fs = new_fs;
28979 write_unlock(&fs->lock);
28980+ gr_fs_write_unlock_irqrestore(current, flags);
28981 task_unlock(current);
28982
28983 if (kill)
28984@@ -147,7 +156,7 @@ EXPORT_SYMBOL(current_umask);
28985
28986 /* to be mentioned only in INIT_TASK */
28987 struct fs_struct init_fs = {
28988- .users = 1,
28989+ .users = ATOMIC_INIT(1),
28990 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
28991 .umask = 0022,
28992 };
28993@@ -155,6 +164,7 @@ struct fs_struct init_fs = {
28994 void daemonize_fs_struct(void)
28995 {
28996 struct fs_struct *fs = current->fs;
28997+ unsigned long flags;
28998
28999 if (fs) {
29000 int kill;
29001@@ -162,13 +172,15 @@ void daemonize_fs_struct(void)
29002 task_lock(current);
29003
29004 write_lock(&init_fs.lock);
29005- init_fs.users++;
29006+ atomic_inc(&init_fs.users);
29007 write_unlock(&init_fs.lock);
29008
29009+ gr_fs_write_lock_irqsave(current, flags);
29010 write_lock(&fs->lock);
29011 current->fs = &init_fs;
29012- kill = !--fs->users;
29013+ kill = !atomic_dec_return(&fs->users);
29014 write_unlock(&fs->lock);
29015+ gr_fs_write_unlock_irqrestore(current, flags);
29016
29017 task_unlock(current);
29018 if (kill)
29019diff -urNp linux-2.6.32.9/fs/fuse/control.c linux-2.6.32.9/fs/fuse/control.c
29020--- linux-2.6.32.9/fs/fuse/control.c 2010-02-09 07:57:19.000000000 -0500
29021+++ linux-2.6.32.9/fs/fuse/control.c 2010-02-23 17:09:53.284244949 -0500
29022@@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
29023
29024 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
29025 {
29026- struct tree_descr empty_descr = {""};
29027+ struct tree_descr empty_descr = {"", NULL, 0};
29028 struct fuse_conn *fc;
29029 int err;
29030
29031diff -urNp linux-2.6.32.9/fs/fuse/cuse.c linux-2.6.32.9/fs/fuse/cuse.c
29032--- linux-2.6.32.9/fs/fuse/cuse.c 2010-02-09 07:57:19.000000000 -0500
29033+++ linux-2.6.32.9/fs/fuse/cuse.c 2010-02-23 17:09:53.284244949 -0500
29034@@ -528,8 +528,18 @@ static int cuse_channel_release(struct i
29035 return rc;
29036 }
29037
29038-static struct file_operations cuse_channel_fops; /* initialized during init */
29039-
29040+static const struct file_operations cuse_channel_fops = { /* initialized during init */
29041+ .owner = THIS_MODULE,
29042+ .llseek = no_llseek,
29043+ .read = do_sync_read,
29044+ .aio_read = fuse_dev_read,
29045+ .write = do_sync_write,
29046+ .aio_write = fuse_dev_write,
29047+ .poll = fuse_dev_poll,
29048+ .open = cuse_channel_open,
29049+ .release = cuse_channel_release,
29050+ .fasync = fuse_dev_fasync,
29051+};
29052
29053 /**************************************************************************
29054 * Misc stuff and module initializatiion
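Review bot: The comment `/* initialized during init */` on cuse_channel_fops is stale, because the table is now a const static initializer and the runtime assignment in cuse_init is removed. The table is also no longer copied from `fuse_dev_operations`, so a handler added there later will silently not reach the CUSE channel. Whether the ten members listed here cover everything currently in `fuse_dev_operations` cannot be checked from this hunk. I would replace the comment with `/* copy of fuse_dev_operations with owner/open/release overridden; keep the two in sync */`.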
29055@@ -575,12 +585,6 @@ static int __init cuse_init(void)
29056 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
29057 INIT_LIST_HEAD(&cuse_conntbl[i]);
29058
29059- /* inherit and extend fuse_dev_operations */
29060- cuse_channel_fops = fuse_dev_operations;
29061- cuse_channel_fops.owner = THIS_MODULE;
29062- cuse_channel_fops.open = cuse_channel_open;
29063- cuse_channel_fops.release = cuse_channel_release;
29064-
29065 cuse_class = class_create(THIS_MODULE, "cuse");
29066 if (IS_ERR(cuse_class))
29067 return PTR_ERR(cuse_class);
29068diff -urNp linux-2.6.32.9/fs/fuse/dev.c linux-2.6.32.9/fs/fuse/dev.c
29069--- linux-2.6.32.9/fs/fuse/dev.c 2010-02-09 07:57:19.000000000 -0500
29070+++ linux-2.6.32.9/fs/fuse/dev.c 2010-02-23 17:09:53.284244949 -0500
29071@@ -745,7 +745,7 @@ __releases(&fc->lock)
29072 * request_end(). Otherwise add it to the processing list, and set
29073 * the 'sent' flag.
29074 */
29075-static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29076+ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29077 unsigned long nr_segs, loff_t pos)
29078 {
29079 int err;
29080@@ -827,6 +827,7 @@ static ssize_t fuse_dev_read(struct kioc
29081 spin_unlock(&fc->lock);
29082 return err;
29083 }
29084+EXPORT_SYMBOL_GPL(fuse_dev_read);
29085
29086 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
29087 struct fuse_copy_state *cs)
29088@@ -885,7 +886,7 @@ static int fuse_notify_inval_entry(struc
29089 {
29090 struct fuse_notify_inval_entry_out outarg;
29091 int err = -EINVAL;
29092- char buf[FUSE_NAME_MAX+1];
29093+ char *buf = NULL;
29094 struct qstr name;
29095
29096 if (size < sizeof(outarg))
29097@@ -899,6 +900,11 @@ static int fuse_notify_inval_entry(struc
29098 if (outarg.namelen > FUSE_NAME_MAX)
29099 goto err;
29100
29101+ err = -ENOMEM;
29102+ buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
29103+ if (!buf)
29104+ goto err;
29105+
29106 name.name = buf;
29107 name.len = outarg.namelen;
29108 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
29109@@ -910,17 +916,15 @@ static int fuse_notify_inval_entry(struc
29110
29111 down_read(&fc->killsb);
29112 err = -ENOENT;
29113- if (!fc->sb)
29114- goto err_unlock;
29115-
29116- err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29117-
29118-err_unlock:
29119+ if (fc->sb)
29120+ err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29121 up_read(&fc->killsb);
29122+ kfree(buf);
29123 return err;
29124
29125 err:
29126 fuse_copy_finish(cs);
29127+ kfree(buf);
29128 return err;
29129 }
29130
29131@@ -987,7 +991,7 @@ static int copy_out_args(struct fuse_cop
29132 * it from the list and copy the rest of the buffer to the request.
29133 * The request is finished by calling request_end()
29134 */
29135-static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29136+ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29137 unsigned long nr_segs, loff_t pos)
29138 {
29139 int err;
29140@@ -1083,8 +1087,9 @@ static ssize_t fuse_dev_write(struct kio
29141 fuse_copy_finish(&cs);
29142 return err;
29143 }
29144+EXPORT_SYMBOL_GPL(fuse_dev_write);
29145
29146-static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29147+unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29148 {
29149 unsigned mask = POLLOUT | POLLWRNORM;
29150 struct fuse_conn *fc = fuse_get_conn(file);
29151@@ -1102,6 +1107,7 @@ static unsigned fuse_dev_poll(struct fil
29152
29153 return mask;
29154 }
29155+EXPORT_SYMBOL_GPL(fuse_dev_poll);
29156
29157 /*
29158 * Abort all requests on the given list (pending or processing)
29159@@ -1210,7 +1216,7 @@ int fuse_dev_release(struct inode *inode
29160 }
29161 EXPORT_SYMBOL_GPL(fuse_dev_release);
29162
29163-static int fuse_dev_fasync(int fd, struct file *file, int on)
29164+int fuse_dev_fasync(int fd, struct file *file, int on)
29165 {
29166 struct fuse_conn *fc = fuse_get_conn(file);
29167 if (!fc)
29168@@ -1219,6 +1225,7 @@ static int fuse_dev_fasync(int fd, struc
29169 /* No locking - fasync_helper does its own locking */
29170 return fasync_helper(fd, file, on, &fc->fasync);
29171 }
29172+EXPORT_SYMBOL_GPL(fuse_dev_fasync);
29173
29174 const struct file_operations fuse_dev_operations = {
29175 .owner = THIS_MODULE,
29176diff -urNp linux-2.6.32.9/fs/fuse/dir.c linux-2.6.32.9/fs/fuse/dir.c
29177--- linux-2.6.32.9/fs/fuse/dir.c 2010-02-09 07:57:19.000000000 -0500
29178+++ linux-2.6.32.9/fs/fuse/dir.c 2010-02-23 17:09:53.284244949 -0500
29179@@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
29180 return link;
29181 }
29182
29183-static void free_link(char *link)
29184+static void free_link(const char *link)
29185 {
29186 if (!IS_ERR(link))
29187 free_page((unsigned long) link);
29188diff -urNp linux-2.6.32.9/fs/fuse/fuse_i.h linux-2.6.32.9/fs/fuse/fuse_i.h
29189--- linux-2.6.32.9/fs/fuse/fuse_i.h 2010-02-09 07:57:19.000000000 -0500
29190+++ linux-2.6.32.9/fs/fuse/fuse_i.h 2010-02-23 17:09:53.284244949 -0500
29191@@ -521,6 +521,16 @@ extern const struct file_operations fuse
29192
29193 extern const struct dentry_operations fuse_dentry_operations;
29194
29195+extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29196+ unsigned long nr_segs, loff_t pos);
29197+
29198+extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29199+ unsigned long nr_segs, loff_t pos);
29200+
29201+extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
29202+
29203+extern int fuse_dev_fasync(int fd, struct file *file, int on);
29204+
29205 /**
29206 * Inode to nodeid comparison.
29207 */
29208diff -urNp linux-2.6.32.9/fs/gfs2/sys.c linux-2.6.32.9/fs/gfs2/sys.c
29209--- linux-2.6.32.9/fs/gfs2/sys.c 2010-02-09 07:57:19.000000000 -0500
29210+++ linux-2.6.32.9/fs/gfs2/sys.c 2010-02-23 17:09:53.284244949 -0500
29211@@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
29212 return a->store ? a->store(sdp, buf, len) : len;
29213 }
29214
29215-static struct sysfs_ops gfs2_attr_ops = {
29216+static const struct sysfs_ops gfs2_attr_ops = {
29217 .show = gfs2_attr_show,
29218 .store = gfs2_attr_store,
29219 };
29220@@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
29221 return 0;
29222 }
29223
29224-static struct kset_uevent_ops gfs2_uevent_ops = {
29225+static const struct kset_uevent_ops gfs2_uevent_ops = {
29226 .uevent = gfs2_uevent,
29227 };
29228
29229diff -urNp linux-2.6.32.9/fs/hfs/inode.c linux-2.6.32.9/fs/hfs/inode.c
29230--- linux-2.6.32.9/fs/hfs/inode.c 2010-02-09 07:57:19.000000000 -0500
29231+++ linux-2.6.32.9/fs/hfs/inode.c 2010-02-23 17:09:53.284244949 -0500
29232@@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
29233
29234 if (S_ISDIR(main_inode->i_mode)) {
29235 if (fd.entrylength < sizeof(struct hfs_cat_dir))
29236- /* panic? */;
29237+ {/* panic? */}
29238 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29239 sizeof(struct hfs_cat_dir));
29240 if (rec.type != HFS_CDR_DIR ||
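Review bot: The short-record test `if (fd.entrylength < sizeof(struct hfs_cat_dir))` still has an empty body after this change, so `hfs_bnode_read()` on the next line copies a full `struct hfs_cat_dir` even when the on-disk entry is shorter. Turning `/* panic? */;` into `{/* panic? */}` only silences the empty-statement warning. The body should fail the operation through the function's cleanup path, which is outside the hunk. If that is deferred, the comment should at least state the gap, e.g. `{ /* FIXME: short entry is still read at full struct size */ }`. The second hunk in this file and the four fs/hfsplus/inode.c hunks have the same empty check.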
29241@@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
29242 sizeof(struct hfs_cat_file));
29243 } else {
29244 if (fd.entrylength < sizeof(struct hfs_cat_file))
29245- /* panic? */;
29246+ {/* panic? */}
29247 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29248 sizeof(struct hfs_cat_file));
29249 if (rec.type != HFS_CDR_FIL ||
29250diff -urNp linux-2.6.32.9/fs/hfsplus/inode.c linux-2.6.32.9/fs/hfsplus/inode.c
29251--- linux-2.6.32.9/fs/hfsplus/inode.c 2010-02-09 07:57:19.000000000 -0500
29252+++ linux-2.6.32.9/fs/hfsplus/inode.c 2010-02-23 17:09:53.284244949 -0500
29253@@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
29254 struct hfsplus_cat_folder *folder = &entry.folder;
29255
29256 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
29257- /* panic? */;
29258+ {/* panic? */}
29259 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29260 sizeof(struct hfsplus_cat_folder));
29261 hfsplus_get_perms(inode, &folder->permissions, 1);
29262@@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
29263 struct hfsplus_cat_file *file = &entry.file;
29264
29265 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
29266- /* panic? */;
29267+ {/* panic? */}
29268 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29269 sizeof(struct hfsplus_cat_file));
29270
29271@@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
29272 struct hfsplus_cat_folder *folder = &entry.folder;
29273
29274 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
29275- /* panic? */;
29276+ {/* panic? */}
29277 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29278 sizeof(struct hfsplus_cat_folder));
29279 /* simple node checks? */
29280@@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
29281 struct hfsplus_cat_file *file = &entry.file;
29282
29283 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
29284- /* panic? */;
29285+ {/* panic? */}
29286 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29287 sizeof(struct hfsplus_cat_file));
29288 hfsplus_inode_write_fork(inode, &file->data_fork);
29289diff -urNp linux-2.6.32.9/fs/ioctl.c linux-2.6.32.9/fs/ioctl.c
29290--- linux-2.6.32.9/fs/ioctl.c 2010-02-09 07:57:19.000000000 -0500
29291+++ linux-2.6.32.9/fs/ioctl.c 2010-02-23 17:09:53.284244949 -0500
29292@@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
29293 u64 phys, u64 len, u32 flags)
29294 {
29295 struct fiemap_extent extent;
29296- struct fiemap_extent *dest = fieinfo->fi_extents_start;
29297+ struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
29298
29299 /* only count the extents */
29300 if (fieinfo->fi_extents_max == 0) {
29301@@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
29302
29303 fieinfo.fi_flags = fiemap.fm_flags;
29304 fieinfo.fi_extents_max = fiemap.fm_extent_count;
29305- fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
29306+ fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
29307
29308 if (fiemap.fm_extent_count != 0 &&
29309 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
29310@@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
29311 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
29312 fiemap.fm_flags = fieinfo.fi_flags;
29313 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
29314- if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
29315+ if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
29316 error = -EFAULT;
29317
29318 return error;
29319diff -urNp linux-2.6.32.9/fs/jffs2/debug.h linux-2.6.32.9/fs/jffs2/debug.h
29320--- linux-2.6.32.9/fs/jffs2/debug.h 2010-02-09 07:57:19.000000000 -0500
29321+++ linux-2.6.32.9/fs/jffs2/debug.h 2010-02-23 17:09:53.284244949 -0500
29322@@ -52,13 +52,13 @@
29323 #if CONFIG_JFFS2_FS_DEBUG > 0
29324 #define D1(x) x
29325 #else
29326-#define D1(x)
29327+#define D1(x) do {} while (0);
29328 #endif
29329
29330 #if CONFIG_JFFS2_FS_DEBUG > 1
29331 #define D2(x) x
29332 #else
29333-#define D2(x)
29334+#define D2(x) do {} while (0);
29335 #endif
29336
29337 /* The prefixes of JFFS2 messages */
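Review bot: The new empty definitions of `D1` and `D2` end in a semicolon (`do {} while (0);`), unlike every other macro converted in this patch. With that trailing semicolon, a call written as `D1(...);` expands to two statements, so an unbraced `if (x) D1(...); else ...` no longer compiles, which is the problem the `do {} while (0)` form is meant to prevent. Both lines should drop it: `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.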
29338@@ -114,73 +114,73 @@
29339 #ifdef JFFS2_DBG_READINODE_MESSAGES
29340 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29341 #else
29342-#define dbg_readinode(fmt, ...)
29343+#define dbg_readinode(fmt, ...) do {} while (0)
29344 #endif
29345 #ifdef JFFS2_DBG_READINODE2_MESSAGES
29346 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29347 #else
29348-#define dbg_readinode2(fmt, ...)
29349+#define dbg_readinode2(fmt, ...) do {} while (0)
29350 #endif
29351
29352 /* Fragtree build debugging messages */
29353 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
29354 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29355 #else
29356-#define dbg_fragtree(fmt, ...)
29357+#define dbg_fragtree(fmt, ...) do {} while (0)
29358 #endif
29359 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
29360 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29361 #else
29362-#define dbg_fragtree2(fmt, ...)
29363+#define dbg_fragtree2(fmt, ...) do {} while (0)
29364 #endif
29365
29366 /* Directory entry list manilulation debugging messages */
29367 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
29368 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29369 #else
29370-#define dbg_dentlist(fmt, ...)
29371+#define dbg_dentlist(fmt, ...) do {} while (0)
29372 #endif
29373
29374 /* Print the messages about manipulating node_refs */
29375 #ifdef JFFS2_DBG_NODEREF_MESSAGES
29376 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29377 #else
29378-#define dbg_noderef(fmt, ...)
29379+#define dbg_noderef(fmt, ...) do {} while (0)
29380 #endif
29381
29382 /* Manipulations with the list of inodes (JFFS2 inocache) */
29383 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
29384 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29385 #else
29386-#define dbg_inocache(fmt, ...)
29387+#define dbg_inocache(fmt, ...) do {} while (0)
29388 #endif
29389
29390 /* Summary debugging messages */
29391 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
29392 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29393 #else
29394-#define dbg_summary(fmt, ...)
29395+#define dbg_summary(fmt, ...) do {} while (0)
29396 #endif
29397
29398 /* File system build messages */
29399 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
29400 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29401 #else
29402-#define dbg_fsbuild(fmt, ...)
29403+#define dbg_fsbuild(fmt, ...) do {} while (0)
29404 #endif
29405
29406 /* Watch the object allocations */
29407 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
29408 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29409 #else
29410-#define dbg_memalloc(fmt, ...)
29411+#define dbg_memalloc(fmt, ...) do {} while (0)
29412 #endif
29413
29414 /* Watch the XATTR subsystem */
29415 #ifdef JFFS2_DBG_XATTR_MESSAGES
29416 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29417 #else
29418-#define dbg_xattr(fmt, ...)
29419+#define dbg_xattr(fmt, ...) do {} while (0)
29420 #endif
29421
29422 /* "Sanity" checks */
29423diff -urNp linux-2.6.32.9/fs/jffs2/erase.c linux-2.6.32.9/fs/jffs2/erase.c
29424--- linux-2.6.32.9/fs/jffs2/erase.c 2010-02-09 07:57:19.000000000 -0500
29425+++ linux-2.6.32.9/fs/jffs2/erase.c 2010-02-23 17:09:53.284244949 -0500
29426@@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
29427 struct jffs2_unknown_node marker = {
29428 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
29429 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29430- .totlen = cpu_to_je32(c->cleanmarker_size)
29431+ .totlen = cpu_to_je32(c->cleanmarker_size),
29432+ .hdr_crc = cpu_to_je32(0)
29433 };
29434
29435 jffs2_prealloc_raw_node_refs(c, jeb, 1);
29436diff -urNp linux-2.6.32.9/fs/jffs2/summary.h linux-2.6.32.9/fs/jffs2/summary.h
29437--- linux-2.6.32.9/fs/jffs2/summary.h 2010-02-09 07:57:19.000000000 -0500
29438+++ linux-2.6.32.9/fs/jffs2/summary.h 2010-02-23 17:09:53.284244949 -0500
29439@@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
29440
29441 #define jffs2_sum_active() (0)
29442 #define jffs2_sum_init(a) (0)
29443-#define jffs2_sum_exit(a)
29444-#define jffs2_sum_disable_collecting(a)
29445+#define jffs2_sum_exit(a) do {} while (0)
29446+#define jffs2_sum_disable_collecting(a) do {} while (0)
29447 #define jffs2_sum_is_disabled(a) (0)
29448-#define jffs2_sum_reset_collected(a)
29449+#define jffs2_sum_reset_collected(a) do {} while (0)
29450 #define jffs2_sum_add_kvec(a,b,c,d) (0)
29451-#define jffs2_sum_move_collected(a,b)
29452+#define jffs2_sum_move_collected(a,b) do {} while (0)
29453 #define jffs2_sum_write_sumnode(a) (0)
29454-#define jffs2_sum_add_padding_mem(a,b)
29455-#define jffs2_sum_add_inode_mem(a,b,c)
29456-#define jffs2_sum_add_dirent_mem(a,b,c)
29457-#define jffs2_sum_add_xattr_mem(a,b,c)
29458-#define jffs2_sum_add_xref_mem(a,b,c)
29459+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
29460+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
29461+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
29462+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
29463+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
29464 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
29465
29466 #endif /* CONFIG_JFFS2_SUMMARY */
29467diff -urNp linux-2.6.32.9/fs/jffs2/wbuf.c linux-2.6.32.9/fs/jffs2/wbuf.c
29468--- linux-2.6.32.9/fs/jffs2/wbuf.c 2010-02-09 07:57:19.000000000 -0500
29469+++ linux-2.6.32.9/fs/jffs2/wbuf.c 2010-02-23 17:09:53.284244949 -0500
29470@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
29471 {
29472 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
29473 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29474- .totlen = constant_cpu_to_je32(8)
29475+ .totlen = constant_cpu_to_je32(8),
29476+ .hdr_crc = constant_cpu_to_je32(0)
29477 };
29478
29479 /*
29480diff -urNp linux-2.6.32.9/fs/lockd/svc.c linux-2.6.32.9/fs/lockd/svc.c
29481--- linux-2.6.32.9/fs/lockd/svc.c 2010-02-09 07:57:19.000000000 -0500
29482+++ linux-2.6.32.9/fs/lockd/svc.c 2010-02-23 17:09:53.288151568 -0500
29483@@ -43,7 +43,7 @@
29484
29485 static struct svc_program nlmsvc_program;
29486
29487-struct nlmsvc_binding * nlmsvc_ops;
29488+const struct nlmsvc_binding * nlmsvc_ops;
29489 EXPORT_SYMBOL_GPL(nlmsvc_ops);
29490
29491 static DEFINE_MUTEX(nlmsvc_mutex);
29492diff -urNp linux-2.6.32.9/fs/locks.c linux-2.6.32.9/fs/locks.c
29493--- linux-2.6.32.9/fs/locks.c 2010-02-09 07:57:19.000000000 -0500
29494+++ linux-2.6.32.9/fs/locks.c 2010-02-23 17:09:53.288151568 -0500
29495@@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
29496 return;
29497
29498 if (filp->f_op && filp->f_op->flock) {
29499- struct file_lock fl = {
29500+ struct file_lock flock = {
29501 .fl_pid = current->tgid,
29502 .fl_file = filp,
29503 .fl_flags = FL_FLOCK,
29504 .fl_type = F_UNLCK,
29505 .fl_end = OFFSET_MAX,
29506 };
29507- filp->f_op->flock(filp, F_SETLKW, &fl);
29508- if (fl.fl_ops && fl.fl_ops->fl_release_private)
29509- fl.fl_ops->fl_release_private(&fl);
29510+ filp->f_op->flock(filp, F_SETLKW, &flock);
29511+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
29512+ flock.fl_ops->fl_release_private(&flock);
29513 }
29514
29515 lock_kernel();
29516diff -urNp linux-2.6.32.9/fs/namei.c linux-2.6.32.9/fs/namei.c
29517--- linux-2.6.32.9/fs/namei.c 2010-02-09 07:57:19.000000000 -0500
29518+++ linux-2.6.32.9/fs/namei.c 2010-02-23 17:09:53.288151568 -0500
29519@@ -638,7 +638,7 @@ static __always_inline int __do_follow_l
29520 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
29521 error = PTR_ERR(cookie);
29522 if (!IS_ERR(cookie)) {
29523- char *s = nd_get_link(nd);
29524+ const char *s = nd_get_link(nd);
29525 error = 0;
29526 if (s)
29527 error = __vfs_follow_link(nd, s);
29528@@ -669,6 +669,13 @@ static inline int do_follow_link(struct
29529 err = security_inode_follow_link(path->dentry, nd);
29530 if (err)
29531 goto loop;
29532+
29533+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
29534+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
29535+ err = -EACCES;
29536+ goto loop;
29537+ }
29538+
29539 current->link_count++;
29540 current->total_link_count++;
29541 nd->depth++;
29542@@ -1006,11 +1013,18 @@ return_reval:
29543 break;
29544 }
29545 return_base:
29546+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
29547+ path_put(&nd->path);
29548+ return -ENOENT;
29549+ }
29550 return 0;
29551 out_dput:
29552 path_put_conditional(&next, nd);
29553 break;
29554 }
29555+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
29556+ err = -ENOENT;
29557+
29558 path_put(&nd->path);
29559 return_err:
29560 return err;
29561@@ -1611,12 +1625,19 @@ static int __open_namei_create(struct na
29562 int error;
29563 struct dentry *dir = nd->path.dentry;
29564
29565+ if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
29566+ error = -EACCES;
29567+ goto out_unlock;
29568+ }
29569+
29570 if (!IS_POSIXACL(dir->d_inode))
29571 mode &= ~current_umask();
29572 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
29573 if (error)
29574 goto out_unlock;
29575 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
29576+ if (!error)
29577+ gr_handle_create(path->dentry, nd->path.mnt);
29578 out_unlock:
29579 mutex_unlock(&dir->d_inode->i_mutex);
29580 dput(nd->path.dentry);
29581@@ -1699,6 +1720,22 @@ struct file *do_filp_open(int dfd, const
29582 &nd, flag);
29583 if (error)
29584 return ERR_PTR(error);
29585+
29586+ if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
29587+ error = -EPERM;
29588+ goto exit;
29589+ }
29590+
29591+ if (gr_handle_rawio(nd.path.dentry->d_inode)) {
29592+ error = -EPERM;
29593+ goto exit;
29594+ }
29595+
29596+ if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
29597+ error = -EACCES;
29598+ goto exit;
29599+ }
29600+
29601 goto ok;
29602 }
29603
29604@@ -1785,6 +1822,24 @@ do_last:
29605 /*
29606 * It already exists.
29607 */
29608+
29609+ if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) {
29610+ error = -EPERM;
29611+ goto exit_mutex_unlock;
29612+ }
29613+ if (gr_handle_rawio(path.dentry->d_inode)) {
29614+ error = -EPERM;
29615+ goto exit_mutex_unlock;
29616+ }
29617+ if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
29618+ error = -EACCES;
29619+ goto exit_mutex_unlock;
29620+ }
29621+ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
29622+ error = -EACCES;
29623+ goto exit_mutex_unlock;
29624+ }
29625+
29626 mutex_unlock(&dir->d_inode->i_mutex);
29627 audit_inode(pathname, path.dentry);
29628
29629@@ -1877,6 +1932,13 @@ do_link:
29630 error = security_inode_follow_link(path.dentry, &nd);
29631 if (error)
29632 goto exit_dput;
29633+
29634+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
29635+ path.dentry, nd.path.mnt)) {
29636+ error = -EACCES;
29637+ goto exit_dput;
29638+ }
29639+
29640 error = __do_follow_link(&path, &nd);
29641 if (error) {
29642 /* Does someone understand code flow here? Or it is only
29643@@ -2051,6 +2113,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29644 error = may_mknod(mode);
29645 if (error)
29646 goto out_dput;
29647+
29648+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
29649+ error = -EPERM;
29650+ goto out_dput;
29651+ }
29652+
29653+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
29654+ error = -EACCES;
29655+ goto out_dput;
29656+ }
29657+
29658 error = mnt_want_write(nd.path.mnt);
29659 if (error)
29660 goto out_dput;
29661@@ -2071,6 +2144,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29662 }
29663 out_drop_write:
29664 mnt_drop_write(nd.path.mnt);
29665+
29666+ if (!error)
29667+ gr_handle_create(dentry, nd.path.mnt);
29668 out_dput:
29669 dput(dentry);
29670 out_unlock:
29671@@ -2124,6 +2200,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29672 if (IS_ERR(dentry))
29673 goto out_unlock;
29674
29675+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
29676+ error = -EACCES;
29677+ goto out_dput;
29678+ }
29679+
29680 if (!IS_POSIXACL(nd.path.dentry->d_inode))
29681 mode &= ~current_umask();
29682 error = mnt_want_write(nd.path.mnt);
29683@@ -2135,6 +2216,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29684 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
29685 out_drop_write:
29686 mnt_drop_write(nd.path.mnt);
29687+
29688+ if (!error)
29689+ gr_handle_create(dentry, nd.path.mnt);
29690+
29691 out_dput:
29692 dput(dentry);
29693 out_unlock:
29694@@ -2216,6 +2301,8 @@ static long do_rmdir(int dfd, const char
29695 char * name;
29696 struct dentry *dentry;
29697 struct nameidata nd;
29698+ ino_t saved_ino = 0;
29699+ dev_t saved_dev = 0;
29700
29701 error = user_path_parent(dfd, pathname, &nd, &name);
29702 if (error)
29703@@ -2240,6 +2327,19 @@ static long do_rmdir(int dfd, const char
29704 error = PTR_ERR(dentry);
29705 if (IS_ERR(dentry))
29706 goto exit2;
29707+
29708+ if (dentry->d_inode != NULL) {
29709+ if (dentry->d_inode->i_nlink <= 1) {
29710+ saved_ino = dentry->d_inode->i_ino;
29711+ saved_dev = dentry->d_inode->i_sb->s_dev;
29712+ }
29713+
29714+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
29715+ error = -EACCES;
29716+ goto exit3;
29717+ }
29718+ }
29719+
29720 error = mnt_want_write(nd.path.mnt);
29721 if (error)
29722 goto exit3;
29723@@ -2247,6 +2347,8 @@ static long do_rmdir(int dfd, const char
29724 if (error)
29725 goto exit4;
29726 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
29727+ if (!error && (saved_dev || saved_ino))
29728+ gr_handle_delete(saved_ino, saved_dev);
29729 exit4:
29730 mnt_drop_write(nd.path.mnt);
29731 exit3:
29732@@ -2308,6 +2410,8 @@ static long do_unlinkat(int dfd, const c
29733 struct dentry *dentry;
29734 struct nameidata nd;
29735 struct inode *inode = NULL;
29736+ ino_t saved_ino = 0;
29737+ dev_t saved_dev = 0;
29738
29739 error = user_path_parent(dfd, pathname, &nd, &name);
29740 if (error)
29741@@ -2327,8 +2431,19 @@ static long do_unlinkat(int dfd, const c
29742 if (nd.last.name[nd.last.len])
29743 goto slashes;
29744 inode = dentry->d_inode;
29745- if (inode)
29746+ if (inode) {
29747+ if (inode->i_nlink <= 1) {
29748+ saved_ino = inode->i_ino;
29749+ saved_dev = inode->i_sb->s_dev;
29750+ }
29751+
29752 atomic_inc(&inode->i_count);
29753+
29754+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
29755+ error = -EACCES;
29756+ goto exit2;
29757+ }
29758+ }
29759 error = mnt_want_write(nd.path.mnt);
29760 if (error)
29761 goto exit2;
29762@@ -2336,6 +2451,8 @@ static long do_unlinkat(int dfd, const c
29763 if (error)
29764 goto exit3;
29765 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
29766+ if (!error && (saved_ino || saved_dev))
29767+ gr_handle_delete(saved_ino, saved_dev);
29768 exit3:
29769 mnt_drop_write(nd.path.mnt);
29770 exit2:
29771@@ -2414,6 +2531,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
29772 if (IS_ERR(dentry))
29773 goto out_unlock;
29774
29775+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
29776+ error = -EACCES;
29777+ goto out_dput;
29778+ }
29779+
29780 error = mnt_want_write(nd.path.mnt);
29781 if (error)
29782 goto out_dput;
29783@@ -2421,6 +2543,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
29784 if (error)
29785 goto out_drop_write;
29786 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
29787+ if (!error)
29788+ gr_handle_create(dentry, nd.path.mnt);
29789 out_drop_write:
29790 mnt_drop_write(nd.path.mnt);
29791 out_dput:
29792@@ -2514,6 +2638,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29793 error = PTR_ERR(new_dentry);
29794 if (IS_ERR(new_dentry))
29795 goto out_unlock;
29796+
29797+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
29798+ old_path.dentry->d_inode,
29799+ old_path.dentry->d_inode->i_mode, to)) {
29800+ error = -EACCES;
29801+ goto out_dput;
29802+ }
29803+
29804+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
29805+ old_path.dentry, old_path.mnt, to)) {
29806+ error = -EACCES;
29807+ goto out_dput;
29808+ }
29809+
29810 error = mnt_want_write(nd.path.mnt);
29811 if (error)
29812 goto out_dput;
29813@@ -2521,6 +2659,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29814 if (error)
29815 goto out_drop_write;
29816 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
29817+ if (!error)
29818+ gr_handle_create(new_dentry, nd.path.mnt);
29819 out_drop_write:
29820 mnt_drop_write(nd.path.mnt);
29821 out_dput:
29822@@ -2754,6 +2894,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29823 if (new_dentry == trap)
29824 goto exit5;
29825
29826+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
29827+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
29828+ to);
29829+ if (error)
29830+ goto exit5;
29831+
29832 error = mnt_want_write(oldnd.path.mnt);
29833 if (error)
29834 goto exit5;
29835@@ -2763,6 +2909,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29836 goto exit6;
29837 error = vfs_rename(old_dir->d_inode, old_dentry,
29838 new_dir->d_inode, new_dentry);
29839+ if (!error)
29840+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
29841+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
29842 exit6:
29843 mnt_drop_write(oldnd.path.mnt);
29844 exit5:
29845diff -urNp linux-2.6.32.9/fs/namespace.c linux-2.6.32.9/fs/namespace.c
29846--- linux-2.6.32.9/fs/namespace.c 2010-02-09 07:57:19.000000000 -0500
29847+++ linux-2.6.32.9/fs/namespace.c 2010-02-23 17:09:53.288151568 -0500
29848@@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
29849 if (!(sb->s_flags & MS_RDONLY))
29850 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
29851 up_write(&sb->s_umount);
29852+
29853+ gr_log_remount(mnt->mnt_devname, retval);
29854+
29855 return retval;
29856 }
29857
29858@@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
29859 security_sb_umount_busy(mnt);
29860 up_write(&namespace_sem);
29861 release_mounts(&umount_list);
29862+
29863+ gr_log_unmount(mnt->mnt_devname, retval);
29864+
29865 return retval;
29866 }
29867
29868@@ -1955,6 +1961,16 @@ long do_mount(char *dev_name, char *dir_
29869 if (retval)
29870 goto dput_out;
29871
29872+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
29873+ retval = -EPERM;
29874+ goto dput_out;
29875+ }
29876+
29877+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
29878+ retval = -EPERM;
29879+ goto dput_out;
29880+ }
29881+
29882 if (flags & MS_REMOUNT)
29883 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
29884 data_page);
29885@@ -1969,6 +1985,9 @@ long do_mount(char *dev_name, char *dir_
29886 dev_name, data_page);
29887 dput_out:
29888 path_put(&path);
29889+
29890+ gr_log_mount(dev_name, dir_name, retval);
29891+
29892 return retval;
29893 }
29894
29895@@ -2175,6 +2194,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
29896 goto out1;
29897 }
29898
29899+ if (gr_handle_chroot_pivot()) {
29900+ error = -EPERM;
29901+ path_put(&old);
29902+ goto out1;
29903+ }
29904+
29905 read_lock(&current->fs->lock);
29906 root = current->fs->root;
29907 path_get(&current->fs->root);
29908diff -urNp linux-2.6.32.9/fs/nfs/inode.c linux-2.6.32.9/fs/nfs/inode.c
29909--- linux-2.6.32.9/fs/nfs/inode.c 2010-02-09 07:57:19.000000000 -0500
29910+++ linux-2.6.32.9/fs/nfs/inode.c 2010-02-23 17:09:53.288151568 -0500
29911@@ -965,16 +965,16 @@ static int nfs_size_need_update(const st
29912 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
29913 }
29914
29915-static atomic_long_t nfs_attr_generation_counter;
29916+static atomic_long_unchecked_t nfs_attr_generation_counter;
29917
29918 static unsigned long nfs_read_attr_generation_counter(void)
29919 {
29920- return atomic_long_read(&nfs_attr_generation_counter);
29921+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
29922 }
29923
29924 unsigned long nfs_inc_attr_generation_counter(void)
29925 {
29926- return atomic_long_inc_return(&nfs_attr_generation_counter);
29927+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
29928 }
29929
29930 void nfs_fattr_init(struct nfs_fattr *fattr)
29931diff -urNp linux-2.6.32.9/fs/nfs/nfs4proc.c linux-2.6.32.9/fs/nfs/nfs4proc.c
29932--- linux-2.6.32.9/fs/nfs/nfs4proc.c 2010-02-23 17:04:12.571669129 -0500
29933+++ linux-2.6.32.9/fs/nfs/nfs4proc.c 2010-02-23 17:09:53.288151568 -0500
29934@@ -1131,7 +1131,7 @@ static int _nfs4_do_open_reclaim(struct
29935 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
29936 {
29937 struct nfs_server *server = NFS_SERVER(state->inode);
29938- struct nfs4_exception exception = { };
29939+ struct nfs4_exception exception = {0, 0};
29940 int err;
29941 do {
29942 err = _nfs4_do_open_reclaim(ctx, state);
29943@@ -1173,7 +1173,7 @@ static int _nfs4_open_delegation_recall(
29944
29945 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
29946 {
29947- struct nfs4_exception exception = { };
29948+ struct nfs4_exception exception = {0, 0};
29949 struct nfs_server *server = NFS_SERVER(state->inode);
29950 int err;
29951 do {
29952@@ -1491,7 +1491,7 @@ static int _nfs4_open_expired(struct nfs
29953 static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
29954 {
29955 struct nfs_server *server = NFS_SERVER(state->inode);
29956- struct nfs4_exception exception = { };
29957+ struct nfs4_exception exception = {0, 0};
29958 int err;
29959
29960 do {
29961@@ -1591,7 +1591,7 @@ out_err:
29962
29963 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
29964 {
29965- struct nfs4_exception exception = { };
29966+ struct nfs4_exception exception = {0, 0};
29967 struct nfs4_state *res;
29968 int status;
29969
29970@@ -1682,7 +1682,7 @@ static int nfs4_do_setattr(struct inode
29971 struct nfs4_state *state)
29972 {
29973 struct nfs_server *server = NFS_SERVER(inode);
29974- struct nfs4_exception exception = { };
29975+ struct nfs4_exception exception = {0, 0};
29976 int err;
29977 do {
29978 err = nfs4_handle_exception(server,
29979@@ -2048,7 +2048,7 @@ static int _nfs4_server_capabilities(str
29980
29981 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
29982 {
29983- struct nfs4_exception exception = { };
29984+ struct nfs4_exception exception = {0, 0};
29985 int err;
29986 do {
29987 err = nfs4_handle_exception(server,
29988@@ -2082,7 +2082,7 @@ static int _nfs4_lookup_root(struct nfs_
29989 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
29990 struct nfs_fsinfo *info)
29991 {
29992- struct nfs4_exception exception = { };
29993+ struct nfs4_exception exception = {0, 0};
29994 int err;
29995 do {
29996 err = nfs4_handle_exception(server,
29997@@ -2171,7 +2171,7 @@ static int _nfs4_proc_getattr(struct nfs
29998
29999 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30000 {
30001- struct nfs4_exception exception = { };
30002+ struct nfs4_exception exception = {0, 0};
30003 int err;
30004 do {
30005 err = nfs4_handle_exception(server,
30006@@ -2259,7 +2259,7 @@ static int nfs4_proc_lookupfh(struct nfs
30007 struct qstr *name, struct nfs_fh *fhandle,
30008 struct nfs_fattr *fattr)
30009 {
30010- struct nfs4_exception exception = { };
30011+ struct nfs4_exception exception = {0, 0};
30012 int err;
30013 do {
30014 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
30015@@ -2288,7 +2288,7 @@ static int _nfs4_proc_lookup(struct inod
30016
30017 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30018 {
30019- struct nfs4_exception exception = { };
30020+ struct nfs4_exception exception = {0, 0};
30021 int err;
30022 do {
30023 err = nfs4_handle_exception(NFS_SERVER(dir),
30024@@ -2352,7 +2352,7 @@ static int _nfs4_proc_access(struct inod
30025
30026 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
30027 {
30028- struct nfs4_exception exception = { };
30029+ struct nfs4_exception exception = {0, 0};
30030 int err;
30031 do {
30032 err = nfs4_handle_exception(NFS_SERVER(inode),
30033@@ -2408,7 +2408,7 @@ static int _nfs4_proc_readlink(struct in
30034 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
30035 unsigned int pgbase, unsigned int pglen)
30036 {
30037- struct nfs4_exception exception = { };
30038+ struct nfs4_exception exception = {0, 0};
30039 int err;
30040 do {
30041 err = nfs4_handle_exception(NFS_SERVER(inode),
30042@@ -2506,7 +2506,7 @@ static int _nfs4_proc_remove(struct inod
30043
30044 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
30045 {
30046- struct nfs4_exception exception = { };
30047+ struct nfs4_exception exception = {0, 0};
30048 int err;
30049 do {
30050 err = nfs4_handle_exception(NFS_SERVER(dir),
30051@@ -2580,7 +2580,7 @@ static int _nfs4_proc_rename(struct inod
30052 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
30053 struct inode *new_dir, struct qstr *new_name)
30054 {
30055- struct nfs4_exception exception = { };
30056+ struct nfs4_exception exception = {0, 0};
30057 int err;
30058 do {
30059 err = nfs4_handle_exception(NFS_SERVER(old_dir),
30060@@ -2627,7 +2627,7 @@ static int _nfs4_proc_link(struct inode
30061
30062 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
30063 {
30064- struct nfs4_exception exception = { };
30065+ struct nfs4_exception exception = {0, 0};
30066 int err;
30067 do {
30068 err = nfs4_handle_exception(NFS_SERVER(inode),
30069@@ -2719,7 +2719,7 @@ out:
30070 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
30071 struct page *page, unsigned int len, struct iattr *sattr)
30072 {
30073- struct nfs4_exception exception = { };
30074+ struct nfs4_exception exception = {0, 0};
30075 int err;
30076 do {
30077 err = nfs4_handle_exception(NFS_SERVER(dir),
30078@@ -2750,7 +2750,7 @@ out:
30079 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
30080 struct iattr *sattr)
30081 {
30082- struct nfs4_exception exception = { };
30083+ struct nfs4_exception exception = {0, 0};
30084 int err;
30085 do {
30086 err = nfs4_handle_exception(NFS_SERVER(dir),
30087@@ -2799,7 +2799,7 @@ static int _nfs4_proc_readdir(struct den
30088 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
30089 u64 cookie, struct page *page, unsigned int count, int plus)
30090 {
30091- struct nfs4_exception exception = { };
30092+ struct nfs4_exception exception = {0, 0};
30093 int err;
30094 do {
30095 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
30096@@ -2847,7 +2847,7 @@ out:
30097 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
30098 struct iattr *sattr, dev_t rdev)
30099 {
30100- struct nfs4_exception exception = { };
30101+ struct nfs4_exception exception = {0, 0};
30102 int err;
30103 do {
30104 err = nfs4_handle_exception(NFS_SERVER(dir),
30105@@ -2879,7 +2879,7 @@ static int _nfs4_proc_statfs(struct nfs_
30106
30107 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
30108 {
30109- struct nfs4_exception exception = { };
30110+ struct nfs4_exception exception = {0, 0};
30111 int err;
30112 do {
30113 err = nfs4_handle_exception(server,
30114@@ -2910,7 +2910,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
30115
30116 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
30117 {
30118- struct nfs4_exception exception = { };
30119+ struct nfs4_exception exception = {0, 0};
30120 int err;
30121
30122 do {
30123@@ -2956,7 +2956,7 @@ static int _nfs4_proc_pathconf(struct nf
30124 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
30125 struct nfs_pathconf *pathconf)
30126 {
30127- struct nfs4_exception exception = { };
30128+ struct nfs4_exception exception = {0, 0};
30129 int err;
30130
30131 do {
30132@@ -3255,7 +3255,7 @@ out_free:
30133
30134 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
30135 {
30136- struct nfs4_exception exception = { };
30137+ struct nfs4_exception exception = {0, 0};
30138 ssize_t ret;
30139 do {
30140 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
30141@@ -3311,7 +3311,7 @@ static int __nfs4_proc_set_acl(struct in
30142
30143 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
30144 {
30145- struct nfs4_exception exception = { };
30146+ struct nfs4_exception exception = {0, 0};
30147 int err;
30148 do {
30149 err = nfs4_handle_exception(NFS_SERVER(inode),
30150@@ -3576,7 +3576,7 @@ out:
30151 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
30152 {
30153 struct nfs_server *server = NFS_SERVER(inode);
30154- struct nfs4_exception exception = { };
30155+ struct nfs4_exception exception = {0, 0};
30156 int err;
30157 do {
30158 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
30159@@ -3649,7 +3649,7 @@ out:
30160
30161 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30162 {
30163- struct nfs4_exception exception = { };
30164+ struct nfs4_exception exception = {0, 0};
30165 int err;
30166
30167 do {
30168@@ -4042,7 +4042,7 @@ static int _nfs4_do_setlk(struct nfs4_st
30169 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
30170 {
30171 struct nfs_server *server = NFS_SERVER(state->inode);
30172- struct nfs4_exception exception = { };
30173+ struct nfs4_exception exception = {0, 0};
30174 int err;
30175
30176 do {
30177@@ -4060,7 +4060,7 @@ static int nfs4_lock_reclaim(struct nfs4
30178 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
30179 {
30180 struct nfs_server *server = NFS_SERVER(state->inode);
30181- struct nfs4_exception exception = { };
30182+ struct nfs4_exception exception = {0, 0};
30183 int err;
30184
30185 err = nfs4_set_lock_state(state, request);
30186@@ -4118,7 +4118,7 @@ out:
30187
30188 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30189 {
30190- struct nfs4_exception exception = { };
30191+ struct nfs4_exception exception = {0, 0};
30192 int err;
30193
30194 do {
30195@@ -4178,7 +4178,7 @@ nfs4_proc_lock(struct file *filp, int cm
30196 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
30197 {
30198 struct nfs_server *server = NFS_SERVER(state->inode);
30199- struct nfs4_exception exception = { };
30200+ struct nfs4_exception exception = {0, 0};
30201 int err;
30202
30203 err = nfs4_set_lock_state(state, fl);
30204diff -urNp linux-2.6.32.9/fs/nfsd/lockd.c linux-2.6.32.9/fs/nfsd/lockd.c
30205--- linux-2.6.32.9/fs/nfsd/lockd.c 2010-02-09 07:57:19.000000000 -0500
30206+++ linux-2.6.32.9/fs/nfsd/lockd.c 2010-02-23 17:09:53.288151568 -0500
30207@@ -67,7 +67,7 @@ nlm_fclose(struct file *filp)
30208 fput(filp);
30209 }
30210
30211-static struct nlmsvc_binding nfsd_nlm_ops = {
30212+static const struct nlmsvc_binding nfsd_nlm_ops = {
30213 .fopen = nlm_fopen, /* open file for locking */
30214 .fclose = nlm_fclose, /* close file */
30215 };
30216diff -urNp linux-2.6.32.9/fs/nfsd/vfs.c linux-2.6.32.9/fs/nfsd/vfs.c
30217--- linux-2.6.32.9/fs/nfsd/vfs.c 2010-02-09 07:57:19.000000000 -0500
30218+++ linux-2.6.32.9/fs/nfsd/vfs.c 2010-02-23 17:09:53.288151568 -0500
30219@@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
30220 } else {
30221 oldfs = get_fs();
30222 set_fs(KERNEL_DS);
30223- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
30224+ host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
30225 set_fs(oldfs);
30226 }
30227
30228@@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
30229
30230 /* Write the data. */
30231 oldfs = get_fs(); set_fs(KERNEL_DS);
30232- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
30233+ host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
30234 set_fs(oldfs);
30235 if (host_err < 0)
30236 goto out_nfserr;
30237@@ -1535,7 +1535,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
30238 */
30239
30240 oldfs = get_fs(); set_fs(KERNEL_DS);
30241- host_err = inode->i_op->readlink(dentry, buf, *lenp);
30242+ host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
30243 set_fs(oldfs);
30244
30245 if (host_err < 0)
30246diff -urNp linux-2.6.32.9/fs/nls/nls_base.c linux-2.6.32.9/fs/nls/nls_base.c
30247--- linux-2.6.32.9/fs/nls/nls_base.c 2010-02-09 07:57:19.000000000 -0500
30248+++ linux-2.6.32.9/fs/nls/nls_base.c 2010-02-23 17:09:53.288151568 -0500
30249@@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
30250 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
30251 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
30252 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
30253- {0, /* end of table */}
30254+ {0, 0, 0, 0, 0, /* end of table */}
30255 };
30256
30257 #define UNICODE_MAX 0x0010ffff
30258diff -urNp linux-2.6.32.9/fs/ntfs/file.c linux-2.6.32.9/fs/ntfs/file.c
30259--- linux-2.6.32.9/fs/ntfs/file.c 2010-02-09 07:57:19.000000000 -0500
30260+++ linux-2.6.32.9/fs/ntfs/file.c 2010-02-23 17:09:53.288151568 -0500
30261@@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
30262 #endif /* NTFS_RW */
30263 };
30264
30265-const struct file_operations ntfs_empty_file_ops = {};
30266+const struct file_operations ntfs_empty_file_ops __read_only;
30267
30268-const struct inode_operations ntfs_empty_inode_ops = {};
30269+const struct inode_operations ntfs_empty_inode_ops __read_only;
30270diff -urNp linux-2.6.32.9/fs/ocfs2/cluster/masklog.c linux-2.6.32.9/fs/ocfs2/cluster/masklog.c
30271--- linux-2.6.32.9/fs/ocfs2/cluster/masklog.c 2010-02-09 07:57:19.000000000 -0500
30272+++ linux-2.6.32.9/fs/ocfs2/cluster/masklog.c 2010-02-23 17:09:53.288151568 -0500
30273@@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
30274 return mlog_mask_store(mlog_attr->mask, buf, count);
30275 }
30276
30277-static struct sysfs_ops mlog_attr_ops = {
30278+static const struct sysfs_ops mlog_attr_ops = {
30279 .show = mlog_show,
30280 .store = mlog_store,
30281 };
30282diff -urNp linux-2.6.32.9/fs/ocfs2/localalloc.c linux-2.6.32.9/fs/ocfs2/localalloc.c
30283--- linux-2.6.32.9/fs/ocfs2/localalloc.c 2010-02-09 07:57:19.000000000 -0500
30284+++ linux-2.6.32.9/fs/ocfs2/localalloc.c 2010-02-23 17:09:53.292465795 -0500
30285@@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
30286 goto bail;
30287 }
30288
30289- atomic_inc(&osb->alloc_stats.moves);
30290+ atomic_inc_unchecked(&osb->alloc_stats.moves);
30291
30292 status = 0;
30293 bail:
30294diff -urNp linux-2.6.32.9/fs/ocfs2/ocfs2.h linux-2.6.32.9/fs/ocfs2/ocfs2.h
30295--- linux-2.6.32.9/fs/ocfs2/ocfs2.h 2010-02-09 07:57:19.000000000 -0500
30296+++ linux-2.6.32.9/fs/ocfs2/ocfs2.h 2010-02-23 17:09:53.292465795 -0500
30297@@ -217,11 +217,11 @@ enum ocfs2_vol_state
30298
30299 struct ocfs2_alloc_stats
30300 {
30301- atomic_t moves;
30302- atomic_t local_data;
30303- atomic_t bitmap_data;
30304- atomic_t bg_allocs;
30305- atomic_t bg_extends;
30306+ atomic_unchecked_t moves;
30307+ atomic_unchecked_t local_data;
30308+ atomic_unchecked_t bitmap_data;
30309+ atomic_unchecked_t bg_allocs;
30310+ atomic_unchecked_t bg_extends;
30311 };
30312
30313 enum ocfs2_local_alloc_state
30314diff -urNp linux-2.6.32.9/fs/ocfs2/suballoc.c linux-2.6.32.9/fs/ocfs2/suballoc.c
30315--- linux-2.6.32.9/fs/ocfs2/suballoc.c 2010-02-09 07:57:19.000000000 -0500
30316+++ linux-2.6.32.9/fs/ocfs2/suballoc.c 2010-02-23 17:09:53.292465795 -0500
30317@@ -620,7 +620,7 @@ static int ocfs2_reserve_suballoc_bits(s
30318 mlog_errno(status);
30319 goto bail;
30320 }
30321- atomic_inc(&osb->alloc_stats.bg_extends);
30322+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
30323
30324 /* You should never ask for this much metadata */
30325 BUG_ON(bits_wanted >
30326@@ -1651,7 +1651,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
30327 mlog_errno(status);
30328 goto bail;
30329 }
30330- atomic_inc(&osb->alloc_stats.bg_allocs);
30331+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30332
30333 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
30334 ac->ac_bits_given += (*num_bits);
30335@@ -1725,7 +1725,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
30336 mlog_errno(status);
30337 goto bail;
30338 }
30339- atomic_inc(&osb->alloc_stats.bg_allocs);
30340+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30341
30342 BUG_ON(num_bits != 1);
30343
30344@@ -1827,7 +1827,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30345 cluster_start,
30346 num_clusters);
30347 if (!status)
30348- atomic_inc(&osb->alloc_stats.local_data);
30349+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
30350 } else {
30351 if (min_clusters > (osb->bitmap_cpg - 1)) {
30352 /* The only paths asking for contiguousness
30353@@ -1855,7 +1855,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30354 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
30355 bg_blkno,
30356 bg_bit_off);
30357- atomic_inc(&osb->alloc_stats.bitmap_data);
30358+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
30359 }
30360 }
30361 if (status < 0) {
30362diff -urNp linux-2.6.32.9/fs/ocfs2/super.c linux-2.6.32.9/fs/ocfs2/super.c
30363--- linux-2.6.32.9/fs/ocfs2/super.c 2010-02-09 07:57:19.000000000 -0500
30364+++ linux-2.6.32.9/fs/ocfs2/super.c 2010-02-23 17:09:53.292465795 -0500
30365@@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
30366 "%10s => GlobalAllocs: %d LocalAllocs: %d "
30367 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
30368 "Stats",
30369- atomic_read(&osb->alloc_stats.bitmap_data),
30370- atomic_read(&osb->alloc_stats.local_data),
30371- atomic_read(&osb->alloc_stats.bg_allocs),
30372- atomic_read(&osb->alloc_stats.moves),
30373- atomic_read(&osb->alloc_stats.bg_extends));
30374+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
30375+ atomic_read_unchecked(&osb->alloc_stats.local_data),
30376+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
30377+ atomic_read_unchecked(&osb->alloc_stats.moves),
30378+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
30379
30380 out += snprintf(buf + out, len - out,
30381 "%10s => State: %u Descriptor: %llu Size: %u bits "
30382@@ -1998,11 +1998,11 @@ static int ocfs2_initialize_super(struct
30383 spin_lock_init(&osb->osb_xattr_lock);
30384 ocfs2_init_inode_steal_slot(osb);
30385
30386- atomic_set(&osb->alloc_stats.moves, 0);
30387- atomic_set(&osb->alloc_stats.local_data, 0);
30388- atomic_set(&osb->alloc_stats.bitmap_data, 0);
30389- atomic_set(&osb->alloc_stats.bg_allocs, 0);
30390- atomic_set(&osb->alloc_stats.bg_extends, 0);
30391+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
30392+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
30393+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
30394+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
30395+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
30396
30397 /* Copy the blockcheck stats from the superblock probe */
30398 osb->osb_ecc_stats = *stats;
30399diff -urNp linux-2.6.32.9/fs/open.c linux-2.6.32.9/fs/open.c
30400--- linux-2.6.32.9/fs/open.c 2010-02-09 07:57:19.000000000 -0500
30401+++ linux-2.6.32.9/fs/open.c 2010-02-23 17:09:53.292465795 -0500
30402@@ -206,6 +206,9 @@ int do_truncate(struct dentry *dentry, l
30403 if (length < 0)
30404 return -EINVAL;
30405
30406+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
30407+ return -EACCES;
30408+
30409 newattrs.ia_size = length;
30410 newattrs.ia_valid = ATTR_SIZE | time_attrs;
30411 if (filp) {
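Review bot: The added `gr_acl_handle_truncate()` check in do_truncate runs only when `filp` is non-NULL, so a caller that passes a NULL `filp` is not covered by this hunk. If those callers are checked on their own path elsewhere in the patch, a comment here should say so, for example `/* fd-based truncate only; path-based callers perform the ACL check themselves */`. The rest of do_truncate and its callers lie outside the hunk, so the other check cannot be confirmed from here.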
30412@@ -511,6 +514,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
30413 if (__mnt_is_readonly(path.mnt))
30414 res = -EROFS;
30415
30416+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
30417+ res = -EACCES;
30418+
30419 out_path_release:
30420 path_put(&path);
30421 out:
30422@@ -537,6 +543,8 @@ SYSCALL_DEFINE1(chdir, const char __user
30423 if (error)
30424 goto dput_and_out;
30425
30426+ gr_log_chdir(path.dentry, path.mnt);
30427+
30428 set_fs_pwd(current->fs, &path);
30429
30430 dput_and_out:
30431@@ -563,6 +571,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
30432 goto out_putf;
30433
30434 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
30435+
30436+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
30437+ error = -EPERM;
30438+
30439+ if (!error)
30440+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
30441+
30442 if (!error)
30443 set_fs_pwd(current->fs, &file->f_path);
30444 out_putf:
30445@@ -588,7 +603,18 @@ SYSCALL_DEFINE1(chroot, const char __use
30446 if (!capable(CAP_SYS_CHROOT))
30447 goto dput_and_out;
30448
30449+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
30450+ goto dput_and_out;
30451+
30452+ if (gr_handle_chroot_caps(&path)) {
30453+ error = -ENOMEM;
30454+ goto dput_and_out;
30455+ }
30456+
30457 set_fs_root(current->fs, &path);
30458+
30459+ gr_handle_chroot_chdir(&path);
30460+
30461 error = 0;
30462 dput_and_out:
30463 path_put(&path);
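Review bot: The two new denial paths in the chroot syscall report their errors differently and neither is documented. A refusal from `gr_handle_chroot_chroot()` jumps to `dput_and_out` with whatever `error` was assigned before the hunk, while a failure of `gr_handle_chroot_caps()` is turned into `-ENOMEM`. A short comment on each would make the intent reviewable, e.g. `/* error keeps the value set before the capable() check */` on the first, and a line on the second stating which failure `-ENOMEM` stands for. The start of the syscall body, where `error` is initialised, is outside the hunk.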
30464@@ -616,13 +642,28 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
30465 err = mnt_want_write_file(file);
30466 if (err)
30467 goto out_putf;
30468+
30469+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
30470+ err = -EACCES;
30471+ goto out_drop_write;
30472+ }
30473+
30474 mutex_lock(&inode->i_mutex);
30475 if (mode == (mode_t) -1)
30476 mode = inode->i_mode;
30477+
30478+ if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
30479+ err = -EPERM;
30480+ mutex_unlock(&inode->i_mutex);
30481+ goto out_drop_write;
30482+ }
30483+
30484 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
30485 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
30486 err = notify_change(dentry, &newattrs);
30487 mutex_unlock(&inode->i_mutex);
30488+
30489+out_drop_write:
30490 mnt_drop_write(file->f_path.mnt);
30491 out_putf:
30492 fput(file);
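Review bot: A refusal from `gr_handle_chroot_chmod()` is reported as `-EPERM` in this fchmod hunk but as `-EACCES` in the fchmodat hunk that follows, so the same policy denial produces a different errno depending on which syscall was used. Unless the difference is intended, make the two paths agree, for example `error = -EPERM;` in fchmodat. If it is intended, a one-line comment at each site should say why. Both functions start outside their hunks.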
30493@@ -645,13 +686,28 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
30494 error = mnt_want_write(path.mnt);
30495 if (error)
30496 goto dput_and_out;
30497+
30498+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
30499+ error = -EACCES;
30500+ goto out_drop_write;
30501+ }
30502+
30503 mutex_lock(&inode->i_mutex);
30504 if (mode == (mode_t) -1)
30505 mode = inode->i_mode;
30506+
30507+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
30508+ error = -EACCES;
30509+ mutex_unlock(&inode->i_mutex);
30510+ goto out_drop_write;
30511+ }
30512+
30513 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
30514 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
30515 error = notify_change(path.dentry, &newattrs);
30516 mutex_unlock(&inode->i_mutex);
30517+
30518+out_drop_write:
30519 mnt_drop_write(path.mnt);
30520 dput_and_out:
30521 path_put(&path);
30522@@ -664,12 +720,15 @@ SYSCALL_DEFINE2(chmod, const char __user
30523 return sys_fchmodat(AT_FDCWD, filename, mode);
30524 }
30525
30526-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
30527+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
30528 {
30529 struct inode *inode = dentry->d_inode;
30530 int error;
30531 struct iattr newattrs;
30532
30533+ if (!gr_acl_handle_chown(dentry, mnt))
30534+ return -EACCES;
30535+
30536 newattrs.ia_valid = ATTR_CTIME;
30537 if (user != (uid_t) -1) {
30538 newattrs.ia_valid |= ATTR_UID;
30539@@ -700,7 +759,7 @@ SYSCALL_DEFINE3(chown, const char __user
30540 error = mnt_want_write(path.mnt);
30541 if (error)
30542 goto out_release;
30543- error = chown_common(path.dentry, user, group);
30544+ error = chown_common(path.dentry, user, group, path.mnt);
30545 mnt_drop_write(path.mnt);
30546 out_release:
30547 path_put(&path);
30548@@ -725,7 +784,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
30549 error = mnt_want_write(path.mnt);
30550 if (error)
30551 goto out_release;
30552- error = chown_common(path.dentry, user, group);
30553+ error = chown_common(path.dentry, user, group, path.mnt);
30554 mnt_drop_write(path.mnt);
30555 out_release:
30556 path_put(&path);
30557@@ -744,7 +803,7 @@ SYSCALL_DEFINE3(lchown, const char __use
30558 error = mnt_want_write(path.mnt);
30559 if (error)
30560 goto out_release;
30561- error = chown_common(path.dentry, user, group);
30562+ error = chown_common(path.dentry, user, group, path.mnt);
30563 mnt_drop_write(path.mnt);
30564 out_release:
30565 path_put(&path);
30566@@ -767,7 +826,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
30567 goto out_fput;
30568 dentry = file->f_path.dentry;
30569 audit_inode(NULL, dentry);
30570- error = chown_common(dentry, user, group);
30571+ error = chown_common(dentry, user, group, file->f_path.mnt);
30572 mnt_drop_write(file->f_path.mnt);
30573 out_fput:
30574 fput(file);
30575diff -urNp linux-2.6.32.9/fs/pipe.c linux-2.6.32.9/fs/pipe.c
30576--- linux-2.6.32.9/fs/pipe.c 2010-02-09 07:57:19.000000000 -0500
30577+++ linux-2.6.32.9/fs/pipe.c 2010-02-23 17:09:53.292465795 -0500
30578@@ -401,9 +401,9 @@ redo:
30579 }
30580 if (bufs) /* More to do? */
30581 continue;
30582- if (!pipe->writers)
30583+ if (!atomic_read(&pipe->writers))
30584 break;
30585- if (!pipe->waiting_writers) {
30586+ if (!atomic_read(&pipe->waiting_writers)) {
30587 /* syscall merging: Usually we must not sleep
30588 * if O_NONBLOCK is set, or if we got some data.
30589 * But if a writer sleeps in kernel space, then
30590@@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
30591 mutex_lock(&inode->i_mutex);
30592 pipe = inode->i_pipe;
30593
30594- if (!pipe->readers) {
30595+ if (!atomic_read(&pipe->readers)) {
30596 send_sig(SIGPIPE, current, 0);
30597 ret = -EPIPE;
30598 goto out;
30599@@ -511,7 +511,7 @@ redo1:
30600 for (;;) {
30601 int bufs;
30602
30603- if (!pipe->readers) {
30604+ if (!atomic_read(&pipe->readers)) {
30605 send_sig(SIGPIPE, current, 0);
30606 if (!ret)
30607 ret = -EPIPE;
30608@@ -597,9 +597,9 @@ redo2:
30609 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30610 do_wakeup = 0;
30611 }
30612- pipe->waiting_writers++;
30613+ atomic_inc(&pipe->waiting_writers);
30614 pipe_wait(pipe);
30615- pipe->waiting_writers--;
30616+ atomic_dec(&pipe->waiting_writers);
30617 }
30618 out:
30619 mutex_unlock(&inode->i_mutex);
30620@@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
30621 mask = 0;
30622 if (filp->f_mode & FMODE_READ) {
30623 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
30624- if (!pipe->writers && filp->f_version != pipe->w_counter)
30625+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
30626 mask |= POLLHUP;
30627 }
30628
30629@@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
30630 * Most Unices do not set POLLERR for FIFOs but on Linux they
30631 * behave exactly like pipes for poll().
30632 */
30633- if (!pipe->readers)
30634+ if (!atomic_read(&pipe->readers))
30635 mask |= POLLERR;
30636 }
30637
30638@@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
30639
30640 mutex_lock(&inode->i_mutex);
30641 pipe = inode->i_pipe;
30642- pipe->readers -= decr;
30643- pipe->writers -= decw;
30644+ atomic_sub(decr, &pipe->readers);
30645+ atomic_sub(decw, &pipe->writers);
30646
30647- if (!pipe->readers && !pipe->writers) {
30648+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
30649 free_pipe_info(inode);
30650 } else {
30651 wake_up_interruptible_sync(&pipe->wait);
30652@@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
30653
30654 if (inode->i_pipe) {
30655 ret = 0;
30656- inode->i_pipe->readers++;
30657+ atomic_inc(&inode->i_pipe->readers);
30658 }
30659
30660 mutex_unlock(&inode->i_mutex);
30661@@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
30662
30663 if (inode->i_pipe) {
30664 ret = 0;
30665- inode->i_pipe->writers++;
30666+ atomic_inc(&inode->i_pipe->writers);
30667 }
30668
30669 mutex_unlock(&inode->i_mutex);
30670@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
30671 if (inode->i_pipe) {
30672 ret = 0;
30673 if (filp->f_mode & FMODE_READ)
30674- inode->i_pipe->readers++;
30675+ atomic_inc(&inode->i_pipe->readers);
30676 if (filp->f_mode & FMODE_WRITE)
30677- inode->i_pipe->writers++;
30678+ atomic_inc(&inode->i_pipe->writers);
30679 }
30680
30681 mutex_unlock(&inode->i_mutex);
30682@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
30683 inode->i_pipe = NULL;
30684 }
30685
30686-static struct vfsmount *pipe_mnt __read_mostly;
30687+struct vfsmount *pipe_mnt __read_mostly;
30688 static int pipefs_delete_dentry(struct dentry *dentry)
30689 {
30690 /*
30691@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
30692 goto fail_iput;
30693 inode->i_pipe = pipe;
30694
30695- pipe->readers = pipe->writers = 1;
30696+ atomic_set(&pipe->readers, 1);
30697+ atomic_set(&pipe->writers, 1);
30698 inode->i_fop = &rdwr_pipefifo_fops;
30699
30700 /*
30701diff -urNp linux-2.6.32.9/fs/proc/array.c linux-2.6.32.9/fs/proc/array.c
30702--- linux-2.6.32.9/fs/proc/array.c 2010-02-09 07:57:19.000000000 -0500
30703+++ linux-2.6.32.9/fs/proc/array.c 2010-02-23 17:09:53.292465795 -0500
30704@@ -410,6 +410,21 @@ static void task_show_stack_usage(struct
30705 }
30706 #endif /* CONFIG_MMU */
30707
30708+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30709+static inline void task_pax(struct seq_file *m, struct task_struct *p)
30710+{
30711+ if (p->mm)
30712+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
30713+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
30714+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
30715+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
30716+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
30717+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
30718+ else
30719+ seq_printf(m, "PaX:\t-----\n");
30720+}
30721+#endif
30722+
30723 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
30724 struct pid *pid, struct task_struct *task)
30725 {
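Review bot: `task_pax()` tests `p->mm` and then dereferences `p->mm->pax_flags` five more times without anything in the hunk pinning the mm, so a task that exits between the test and the reads could leave the pointer stale. Taking a reference with `get_task_mm()` and releasing it with `mmput()` would make the read safe regardless of what the caller holds. If proc_pid_status already guarantees the mm's lifetime here, a comment saying so would do instead; that function's body is only partly visible.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```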
30726@@ -430,9 +445,20 @@ int proc_pid_status(struct seq_file *m,
30727 #endif
30728 task_context_switch_counts(m, task);
30729 task_show_stack_usage(m, task);
30730+
30731+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30732+ task_pax(m, task);
30733+#endif
30734+
30735 return 0;
30736 }
30737
30738+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30739+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30740+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
30741+ _mm->pax_flags & MF_PAX_SEGMEXEC))
30742+#endif
30743+
30744 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
30745 struct pid *pid, struct task_struct *task, int whole)
30746 {
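Review bot: `PAX_RAND_FLAGS` uses its parameter unparenthesized and evaluates it four times, and the same definition is added a second time in fs/proc/base.c later in this patch. Parenthesize the parameter, starting with `((_mm) != NULL && (_mm) != current->mm && \`, and keep a single definition in a shared header such as fs/proc/internal.h so the two copies cannot drift apart. A comment stating what the macro decides (whether address information of another task's randomized mm is withheld) would also help readers of do_task_stat.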
30747@@ -529,6 +555,19 @@ static int do_task_stat(struct seq_file
30748 gtime = task_gtime(task);
30749 }
30750
30751+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30752+ if (PAX_RAND_FLAGS(mm)) {
30753+ eip = 0;
30754+ esp = 0;
30755+ wchan = 0;
30756+ }
30757+#endif
30758+#ifdef CONFIG_GRKERNSEC_HIDESYM
30759+ wchan = 0;
30760+ eip =0;
30761+ esp =0;
30762+#endif
30763+
30764 /* scale priority and nice values from timeslices to -20..20 */
30765 /* to make it look like a "normal" Unix priority/nice value */
30766 priority = task_prio(task);
30767@@ -569,9 +608,15 @@ static int do_task_stat(struct seq_file
30768 vsize,
30769 mm ? get_mm_rss(mm) : 0,
30770 rsslim,
30771+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30772+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
30773+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
30774+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? task->stack_start : 0),
30775+#else
30776 mm ? mm->start_code : 0,
30777 mm ? mm->end_code : 0,
30778 (permitted && mm) ? task->stack_start : 0,
30779+#endif
30780 esp,
30781 eip,
30782 /* The signal information here is obsolete.
30783@@ -624,3 +669,10 @@ int proc_pid_statm(struct seq_file *m, s
30784
30785 return 0;
30786 }
30787+
30788+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
30789+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
30790+{
30791+ return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
30792+}
30793+#endif
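Review bot: `proc_pid_ipaddr()` dereferences `task->signal` with no lock or NULL check, and nothing in the hunk shows that the signal structure is guaranteed to outlive the read. If `signal` can be cleared while the task is still reachable through /proc, this is a NULL dereference in the kernel. Taking the sighand lock around the read, as sketched below, avoids depending on that; please confirm against how the other /proc handlers in this tree access `task->signal`.

```c
int proc_pid_ipaddr(struct task_struct *task, char *buffer)
{
	unsigned long flags;
	int len = 0;

	/* signal is only stable while the sighand lock is held */
	if (lock_task_sighand(task, &flags)) {
		len = sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
		unlock_task_sighand(task, &flags);
	}
	return len;
}
```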
30794diff -urNp linux-2.6.32.9/fs/proc/base.c linux-2.6.32.9/fs/proc/base.c
30795--- linux-2.6.32.9/fs/proc/base.c 2010-02-09 07:57:19.000000000 -0500
30796+++ linux-2.6.32.9/fs/proc/base.c 2010-02-23 17:09:53.292465795 -0500
30797@@ -102,6 +102,22 @@ struct pid_entry {
30798 union proc_op op;
30799 };
30800
30801+struct getdents_callback {
30802+ struct linux_dirent __user * current_dir;
30803+ struct linux_dirent __user * previous;
30804+ struct file * file;
30805+ int count;
30806+ int error;
30807+};
30808+
30809+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
30810+ loff_t offset, u64 ino, unsigned int d_type)
30811+{
30812+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
30813+ buf->error = -EINVAL;
30814+ return 0;
30815+}
30816+
30817 #define NOD(NAME, MODE, IOP, FOP, OP) { \
30818 .name = (NAME), \
30819 .len = sizeof(NAME) - 1, \
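Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a private copy of `struct getdents_callback` declared in this file, so it is only correct if every directory-read path that reaches proc_pid_readdir passes a buffer with exactly this layout. Nothing here keeps the copy in sync with the definition it mirrors, and a write to `buf->error` through a mismatched layout would land in some other field of the caller's object. Share the structure through a header instead of redeclaring it, or at least add a comment naming the definition this must match and the callers it assumes.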
30820@@ -213,6 +229,9 @@ static int check_mem_permission(struct t
30821 if (task == current)
30822 return 0;
30823
30824+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
30825+ return -EPERM;
30826+
30827 /*
30828 * If current is actively ptrace'ing, and would also be
30829 * permitted to freshly attach with ptrace now, permit it.
30830@@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
30831 if (!mm->arg_end)
30832 goto out_mm; /* Shh! No looking before we're done */
30833
30834+ if (gr_acl_handle_procpidmem(task))
30835+ goto out_mm;
30836+
30837 len = mm->arg_end - mm->arg_start;
30838
30839 if (len > PAGE_SIZE)
30840@@ -287,12 +309,26 @@ out:
30841 return res;
30842 }
30843
30844+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30845+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30846+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
30847+ _mm->pax_flags & MF_PAX_SEGMEXEC))
30848+#endif
30849+
30850 static int proc_pid_auxv(struct task_struct *task, char *buffer)
30851 {
30852 int res = 0;
30853 struct mm_struct *mm = get_task_mm(task);
30854 if (mm) {
30855 unsigned int nwords = 0;
30856+
30857+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30858+ if (PAX_RAND_FLAGS(mm)) {
30859+ mmput(mm);
30860+ return res;
30861+ }
30862+#endif
30863+
30864 do {
30865 nwords += 2;
30866 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
30867@@ -328,7 +364,7 @@ static int proc_pid_wchan(struct task_st
30868 }
30869 #endif /* CONFIG_KALLSYMS */
30870
30871-#ifdef CONFIG_STACKTRACE
30872+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
30873
30874 #define MAX_STACK_TRACE_DEPTH 64
30875
30876@@ -521,7 +557,7 @@ static int proc_pid_limits(struct task_s
30877 return count;
30878 }
30879
30880-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
30881+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
30882 static int proc_pid_syscall(struct task_struct *task, char *buffer)
30883 {
30884 long nr;
30885@@ -935,6 +971,9 @@ static ssize_t environ_read(struct file
30886 if (!task)
30887 goto out_no_task;
30888
30889+ if (gr_acl_handle_procpidmem(task))
30890+ goto out;
30891+
30892 if (!ptrace_may_access(task, PTRACE_MODE_READ))
30893 goto out;
30894
30895@@ -1455,7 +1494,11 @@ static struct inode *proc_pid_make_inode
30896 rcu_read_lock();
30897 cred = __task_cred(task);
30898 inode->i_uid = cred->euid;
30899+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30900+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
30901+#else
30902 inode->i_gid = cred->egid;
30903+#endif
30904 rcu_read_unlock();
30905 }
30906 security_task_to_inode(task, inode);
30907@@ -1473,6 +1516,9 @@ static int pid_getattr(struct vfsmount *
30908 struct inode *inode = dentry->d_inode;
30909 struct task_struct *task;
30910 const struct cred *cred;
30911+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30912+ const struct cred *tmpcred = current_cred();
30913+#endif
30914
30915 generic_fillattr(inode, stat);
30916
30917@@ -1480,12 +1526,34 @@ static int pid_getattr(struct vfsmount *
30918 stat->uid = 0;
30919 stat->gid = 0;
30920 task = pid_task(proc_pid(inode), PIDTYPE_PID);
30921+
30922+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
30923+ rcu_read_unlock();
30924+ return -ENOENT;
30925+ }
30926+
30927 if (task) {
30928+ cred = __task_cred(task);
30929+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30930+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
30931+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30932+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
30933+#endif
30934+ )
30935+#endif
30936 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
30937+#ifdef CONFIG_GRKERNSEC_PROC_USER
30938+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
30939+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30940+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
30941+#endif
30942 task_dumpable(task)) {
30943- cred = __task_cred(task);
30944 stat->uid = cred->euid;
30945+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30946+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
30947+#else
30948 stat->gid = cred->egid;
30949+#endif
30950 }
30951 }
30952 rcu_read_unlock();
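Review bot: The ownership test added to pid_getattr is a brace-less `if (...)` whose body is the following `if (...) {` statement, and its condition is itself interrupted by a nested `#ifdef`. Whether the inner `if` is guarded or unconditional therefore depends on the configuration, and the closing `)` on a line of its own is easy to misread or break in a later edit. Computing the result into a local under the `#if` (defaulting to true) and then testing that local together with the mode and dumpable condition in a single `if` would keep the control flow identical and readable in every configuration. The function begins outside the hunk.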
30953@@ -1517,11 +1585,20 @@ static int pid_revalidate(struct dentry
30954
30955 if (task) {
30956 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
30957+#ifdef CONFIG_GRKERNSEC_PROC_USER
30958+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
30959+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30960+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
30961+#endif
30962 task_dumpable(task)) {
30963 rcu_read_lock();
30964 cred = __task_cred(task);
30965 inode->i_uid = cred->euid;
30966+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30967+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
30968+#else
30969 inode->i_gid = cred->egid;
30970+#endif
30971 rcu_read_unlock();
30972 } else {
30973 inode->i_uid = 0;
30974@@ -1642,7 +1719,8 @@ static int proc_fd_info(struct inode *in
30975 int fd = proc_fd(inode);
30976
30977 if (task) {
30978- files = get_files_struct(task);
30979+ if (!gr_acl_handle_procpidmem(task))
30980+ files = get_files_struct(task);
30981 put_task_struct(task);
30982 }
30983 if (files) {
30984@@ -1894,12 +1972,22 @@ static const struct file_operations proc
30985 static int proc_fd_permission(struct inode *inode, int mask)
30986 {
30987 int rv;
30988+ struct task_struct *task;
30989
30990 rv = generic_permission(inode, mask, NULL);
30991- if (rv == 0)
30992- return 0;
30993+
30994 if (task_pid(current) == proc_pid(inode))
30995 rv = 0;
30996+
30997+ task = get_proc_task(inode);
30998+ if (task == NULL)
30999+ return rv;
31000+
31001+ if (gr_acl_handle_procpidmem(task))
31002+ rv = -EACCES;
31003+
31004+ put_task_struct(task);
31005+
31006 return rv;
31007 }
31008
31009@@ -2008,6 +2096,9 @@ static struct dentry *proc_pident_lookup
31010 if (!task)
31011 goto out_no_task;
31012
31013+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31014+ goto out;
31015+
31016 /*
31017 * Yes, it does not scale. And it should not. Don't add
31018 * new entries into /proc/<tgid>/ without very good reasons.
31019@@ -2052,6 +2143,9 @@ static int proc_pident_readdir(struct fi
31020 if (!task)
31021 goto out_no_task;
31022
31023+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31024+ goto out;
31025+
31026 ret = 0;
31027 i = filp->f_pos;
31028 switch (i) {
31029@@ -2418,6 +2512,9 @@ static struct dentry *proc_base_lookup(s
31030 if (p > last)
31031 goto out;
31032
31033+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31034+ goto out;
31035+
31036 error = proc_base_instantiate(dir, dentry, task, p);
31037
31038 out:
31039@@ -2504,7 +2601,7 @@ static const struct pid_entry tgid_base_
31040 #ifdef CONFIG_SCHED_DEBUG
31041 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31042 #endif
31043-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31044+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31045 INF("syscall", S_IRUSR, proc_pid_syscall),
31046 #endif
31047 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31048@@ -2532,7 +2629,7 @@ static const struct pid_entry tgid_base_
31049 #ifdef CONFIG_KALLSYMS
31050 INF("wchan", S_IRUGO, proc_pid_wchan),
31051 #endif
31052-#ifdef CONFIG_STACKTRACE
31053+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31054 ONE("stack", S_IRUSR, proc_pid_stack),
31055 #endif
31056 #ifdef CONFIG_SCHEDSTATS
31057@@ -2562,6 +2659,9 @@ static const struct pid_entry tgid_base_
31058 #ifdef CONFIG_TASK_IO_ACCOUNTING
31059 INF("io", S_IRUGO, proc_tgid_io_accounting),
31060 #endif
31061+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31062+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
31063+#endif
31064 };
31065
31066 static int proc_tgid_base_readdir(struct file * filp,
31067@@ -2686,7 +2786,14 @@ static struct dentry *proc_pid_instantia
31068 if (!inode)
31069 goto out;
31070
31071+#ifdef CONFIG_GRKERNSEC_PROC_USER
31072+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
31073+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31074+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31075+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
31076+#else
31077 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
31078+#endif
31079 inode->i_op = &proc_tgid_base_inode_operations;
31080 inode->i_fop = &proc_tgid_base_operations;
31081 inode->i_flags|=S_IMMUTABLE;
31082@@ -2728,7 +2835,11 @@ struct dentry *proc_pid_lookup(struct in
31083 if (!task)
31084 goto out;
31085
31086+ if (gr_check_hidden_task(task))
31087+ goto out_put_task;
31088+
31089 result = proc_pid_instantiate(dir, dentry, task, NULL);
31090+out_put_task:
31091 put_task_struct(task);
31092 out:
31093 return result;
31094@@ -2793,6 +2904,11 @@ int proc_pid_readdir(struct file * filp,
31095 {
31096 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
31097 struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
31098+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31099+ const struct cred *tmpcred = current_cred();
31100+ const struct cred *itercred;
31101+#endif
31102+ filldir_t __filldir = filldir;
31103 struct tgid_iter iter;
31104 struct pid_namespace *ns;
31105
31106@@ -2811,8 +2927,27 @@ int proc_pid_readdir(struct file * filp,
31107 for (iter = next_tgid(ns, iter);
31108 iter.task;
31109 iter.tgid += 1, iter = next_tgid(ns, iter)) {
31110+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31111+ rcu_read_lock();
31112+ itercred = __task_cred(iter.task);
31113+#endif
31114+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
31115+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31116+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
31117+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31118+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31119+#endif
31120+ )
31121+#endif
31122+ )
31123+ __filldir = &gr_fake_filldir;
31124+ else
31125+ __filldir = filldir;
31126+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31127+ rcu_read_unlock();
31128+#endif
31129 filp->f_pos = iter.tgid + TGID_OFFSET;
31130- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
31131+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
31132 put_task_struct(iter.task);
31133 goto out;
31134 }
31135@@ -2838,7 +2973,7 @@ static const struct pid_entry tid_base_s
31136 #ifdef CONFIG_SCHED_DEBUG
31137 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31138 #endif
31139-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31140+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31141 INF("syscall", S_IRUSR, proc_pid_syscall),
31142 #endif
31143 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31144@@ -2865,7 +3000,7 @@ static const struct pid_entry tid_base_s
31145 #ifdef CONFIG_KALLSYMS
31146 INF("wchan", S_IRUGO, proc_pid_wchan),
31147 #endif
31148-#ifdef CONFIG_STACKTRACE
31149+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31150 ONE("stack", S_IRUSR, proc_pid_stack),
31151 #endif
31152 #ifdef CONFIG_SCHEDSTATS
31153diff -urNp linux-2.6.32.9/fs/proc/cmdline.c linux-2.6.32.9/fs/proc/cmdline.c
31154--- linux-2.6.32.9/fs/proc/cmdline.c 2010-02-09 07:57:19.000000000 -0500
31155+++ linux-2.6.32.9/fs/proc/cmdline.c 2010-02-23 17:09:53.292465795 -0500
31156@@ -23,7 +23,11 @@ static const struct file_operations cmdl
31157
31158 static int __init proc_cmdline_init(void)
31159 {
31160+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31161+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
31162+#else
31163 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
31164+#endif
31165 return 0;
31166 }
31167 module_init(proc_cmdline_init);
31168diff -urNp linux-2.6.32.9/fs/proc/devices.c linux-2.6.32.9/fs/proc/devices.c
31169--- linux-2.6.32.9/fs/proc/devices.c 2010-02-09 07:57:19.000000000 -0500
31170+++ linux-2.6.32.9/fs/proc/devices.c 2010-02-23 17:09:53.292465795 -0500
31171@@ -64,7 +64,11 @@ static const struct file_operations proc
31172
31173 static int __init proc_devices_init(void)
31174 {
31175+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31176+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
31177+#else
31178 proc_create("devices", 0, NULL, &proc_devinfo_operations);
31179+#endif
31180 return 0;
31181 }
31182 module_init(proc_devices_init);
31183diff -urNp linux-2.6.32.9/fs/proc/inode.c linux-2.6.32.9/fs/proc/inode.c
31184--- linux-2.6.32.9/fs/proc/inode.c 2010-02-09 07:57:19.000000000 -0500
31185+++ linux-2.6.32.9/fs/proc/inode.c 2010-02-23 17:09:53.292465795 -0500
31186@@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
31187 if (de->mode) {
31188 inode->i_mode = de->mode;
31189 inode->i_uid = de->uid;
31190+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31191+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31192+#else
31193 inode->i_gid = de->gid;
31194+#endif
31195 }
31196 if (de->size)
31197 inode->i_size = de->size;
31198diff -urNp linux-2.6.32.9/fs/proc/internal.h linux-2.6.32.9/fs/proc/internal.h
31199--- linux-2.6.32.9/fs/proc/internal.h 2010-02-09 07:57:19.000000000 -0500
31200+++ linux-2.6.32.9/fs/proc/internal.h 2010-02-23 17:09:53.292465795 -0500
31201@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
31202 struct pid *pid, struct task_struct *task);
31203 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
31204 struct pid *pid, struct task_struct *task);
31205+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31206+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
31207+#endif
31208 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
31209
31210 extern const struct file_operations proc_maps_operations;
31211diff -urNp linux-2.6.32.9/fs/proc/Kconfig linux-2.6.32.9/fs/proc/Kconfig
31212--- linux-2.6.32.9/fs/proc/Kconfig 2010-02-09 07:57:19.000000000 -0500
31213+++ linux-2.6.32.9/fs/proc/Kconfig 2010-02-23 17:09:53.296048133 -0500
31214@@ -30,12 +30,12 @@ config PROC_FS
31215
31216 config PROC_KCORE
31217 bool "/proc/kcore support" if !ARM
31218- depends on PROC_FS && MMU
31219+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
31220
31221 config PROC_VMCORE
31222 bool "/proc/vmcore support (EXPERIMENTAL)"
31223- depends on PROC_FS && CRASH_DUMP
31224- default y
31225+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
31226+ default n
31227 help
31228 Exports the dump image of crashed kernel in ELF format.
31229
31230@@ -59,8 +59,8 @@ config PROC_SYSCTL
31231 limited in memory.
31232
31233 config PROC_PAGE_MONITOR
31234- default y
31235- depends on PROC_FS && MMU
31236+ default n
31237+ depends on PROC_FS && MMU && !GRKERNSEC
31238 bool "Enable /proc page monitoring" if EMBEDDED
31239 help
31240 Various /proc files exist to monitor process memory utilization:
31241diff -urNp linux-2.6.32.9/fs/proc/kcore.c linux-2.6.32.9/fs/proc/kcore.c
31242--- linux-2.6.32.9/fs/proc/kcore.c 2010-02-09 07:57:19.000000000 -0500
31243+++ linux-2.6.32.9/fs/proc/kcore.c 2010-02-23 17:09:53.296048133 -0500
31244@@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
31245
31246 static int open_kcore(struct inode *inode, struct file *filp)
31247 {
31248+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
31249+ return -EPERM;
31250+#endif
31251 if (!capable(CAP_SYS_RAWIO))
31252 return -EPERM;
31253 if (kcore_need_update)
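Review bot: With either option enabled, the unconditional `return -EPERM;` leaves the `capable(CAP_SYS_RAWIO)` check and the rest of open_kcore as unreachable code. That hides from the reader that the file can never be opened in these configurations. Put the original body under `#else` so only one variant is compiled, and add a comment such as `/* /proc/kcore is never openable in this configuration, regardless of capabilities */`. The function continues past the end of the hunk.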
31254diff -urNp linux-2.6.32.9/fs/proc/meminfo.c linux-2.6.32.9/fs/proc/meminfo.c
31255--- linux-2.6.32.9/fs/proc/meminfo.c 2010-02-09 07:57:19.000000000 -0500
31256+++ linux-2.6.32.9/fs/proc/meminfo.c 2010-02-23 17:09:53.296048133 -0500
31257@@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
31258 vmi.used >> 10,
31259 vmi.largest_chunk >> 10
31260 #ifdef CONFIG_MEMORY_FAILURE
31261- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
31262+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
31263 #endif
31264 );
31265
31266diff -urNp linux-2.6.32.9/fs/proc/nommu.c linux-2.6.32.9/fs/proc/nommu.c
31267--- linux-2.6.32.9/fs/proc/nommu.c 2010-02-09 07:57:19.000000000 -0500
31268+++ linux-2.6.32.9/fs/proc/nommu.c 2010-02-23 17:09:53.296048133 -0500
31269@@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
31270 if (len < 1)
31271 len = 1;
31272 seq_printf(m, "%*c", len, ' ');
31273- seq_path(m, &file->f_path, "");
31274+ seq_path(m, &file->f_path, "\n\\");
31275 }
31276
31277 seq_putc(m, '\n');
31278diff -urNp linux-2.6.32.9/fs/proc/proc_net.c linux-2.6.32.9/fs/proc/proc_net.c
31279--- linux-2.6.32.9/fs/proc/proc_net.c 2010-02-09 07:57:19.000000000 -0500
31280+++ linux-2.6.32.9/fs/proc/proc_net.c 2010-02-23 17:09:53.296048133 -0500
31281@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
31282 struct task_struct *task;
31283 struct nsproxy *ns;
31284 struct net *net = NULL;
31285+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31286+ const struct cred *cred = current_cred();
31287+#endif
31288+
31289+#ifdef CONFIG_GRKERNSEC_PROC_USER
31290+ if (cred->fsuid)
31291+ return net;
31292+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31293+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
31294+ return net;
31295+#endif
31296
31297 rcu_read_lock();
31298 task = pid_task(proc_pid(dir), PIDTYPE_PID);
31299diff -urNp linux-2.6.32.9/fs/proc/proc_sysctl.c linux-2.6.32.9/fs/proc/proc_sysctl.c
31300--- linux-2.6.32.9/fs/proc/proc_sysctl.c 2010-02-09 07:57:19.000000000 -0500
31301+++ linux-2.6.32.9/fs/proc/proc_sysctl.c 2010-02-23 17:09:53.296048133 -0500
31302@@ -7,6 +7,8 @@
31303 #include <linux/security.h>
31304 #include "internal.h"
31305
31306+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
31307+
31308 static const struct dentry_operations proc_sys_dentry_operations;
31309 static const struct file_operations proc_sys_file_operations;
31310 static const struct inode_operations proc_sys_inode_operations;
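Review bot: `gr_handle_sysctl()` is declared with a bare `extern` inside proc_sysctl.c rather than through a header, so a later change to its signature would not be caught by the compiler at these call sites. Declare it once in a header included by both the definition and this file, and drop the local `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);`. The later hunks in this file pass `MAY_EXEC` from lookup and getattr but `0` from scan; a comment stating what `op == 0` means would make that difference reviewable.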
31311@@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
31312 if (!p)
31313 goto out;
31314
31315+ if (gr_handle_sysctl(p, MAY_EXEC))
31316+ goto out;
31317+
31318 err = ERR_PTR(-ENOMEM);
31319 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
31320 if (h)
31321@@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
31322 if (*pos < file->f_pos)
31323 continue;
31324
31325+ if (gr_handle_sysctl(table, 0))
31326+ continue;
31327+
31328 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
31329 if (res)
31330 return res;
31331@@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
31332 if (IS_ERR(head))
31333 return PTR_ERR(head);
31334
31335+ if (table && gr_handle_sysctl(table, MAY_EXEC))
31336+ return -ENOENT;
31337+
31338 generic_fillattr(inode, stat);
31339 if (table)
31340 stat->mode = (stat->mode & S_IFMT) | table->mode;
31341diff -urNp linux-2.6.32.9/fs/proc/root.c linux-2.6.32.9/fs/proc/root.c
31342--- linux-2.6.32.9/fs/proc/root.c 2010-02-09 07:57:19.000000000 -0500
31343+++ linux-2.6.32.9/fs/proc/root.c 2010-02-23 17:09:53.296048133 -0500
31344@@ -134,7 +134,15 @@ void __init proc_root_init(void)
31345 #ifdef CONFIG_PROC_DEVICETREE
31346 proc_device_tree_init();
31347 #endif
31348+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31349+#ifdef CONFIG_GRKERNSEC_PROC_USER
31350+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
31351+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31352+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
31353+#endif
31354+#else
31355 proc_mkdir("bus", NULL);
31356+#endif
31357 proc_sys_init();
31358 }
31359
31360diff -urNp linux-2.6.32.9/fs/proc/task_mmu.c linux-2.6.32.9/fs/proc/task_mmu.c
31361--- linux-2.6.32.9/fs/proc/task_mmu.c 2010-02-09 07:57:19.000000000 -0500
31362+++ linux-2.6.32.9/fs/proc/task_mmu.c 2010-02-23 17:09:53.296048133 -0500
31363@@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
31364 "VmStk:\t%8lu kB\n"
31365 "VmExe:\t%8lu kB\n"
31366 "VmLib:\t%8lu kB\n"
31367- "VmPTE:\t%8lu kB\n",
31368- hiwater_vm << (PAGE_SHIFT-10),
31369+ "VmPTE:\t%8lu kB\n"
31370+
31371+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31372+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
31373+#endif
31374+
31375+ ,hiwater_vm << (PAGE_SHIFT-10),
31376 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
31377 mm->locked_vm << (PAGE_SHIFT-10),
31378 hiwater_rss << (PAGE_SHIFT-10),
31379 total_rss << (PAGE_SHIFT-10),
31380 data << (PAGE_SHIFT-10),
31381 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
31382- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
31383+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
31384+
31385+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31386+ , mm->context.user_cs_base, mm->context.user_cs_limit
31387+#endif
31388+
31389+ );
31390 }
31391
31392 unsigned long task_vsize(struct mm_struct *mm)
31393@@ -199,6 +210,12 @@ static int do_maps_open(struct inode *in
31394 return ret;
31395 }
31396
31397+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31398+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
31399+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
31400+ _mm->pax_flags & MF_PAX_SEGMEXEC))
31401+#endif
31402+
31403 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
31404 {
31405 struct mm_struct *mm = vma->vm_mm;
31406@@ -217,13 +234,22 @@ static void show_map_vma(struct seq_file
31407 }
31408
31409 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
31410+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31411+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
31412+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
31413+#else
31414 vma->vm_start,
31415 vma->vm_end,
31416+#endif
31417 flags & VM_READ ? 'r' : '-',
31418 flags & VM_WRITE ? 'w' : '-',
31419 flags & VM_EXEC ? 'x' : '-',
31420 flags & VM_MAYSHARE ? 's' : 'p',
31421+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31422+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
31423+#else
31424 pgoff,
31425+#endif
31426 MAJOR(dev), MINOR(dev), ino, &len);
31427
31428 /*
31429@@ -232,16 +258,16 @@ static void show_map_vma(struct seq_file
31430 */
31431 if (file) {
31432 pad_len_spaces(m, len);
31433- seq_path(m, &file->f_path, "\n");
31434+ seq_path(m, &file->f_path, "\n\\");
31435 } else {
31436 const char *name = arch_vma_name(vma);
31437 if (!name) {
31438 if (mm) {
31439- if (vma->vm_start <= mm->start_brk &&
31440- vma->vm_end >= mm->brk) {
31441+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
31442 name = "[heap]";
31443- } else if (vma->vm_start <= mm->start_stack &&
31444- vma->vm_end >= mm->start_stack) {
31445+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
31446+ (vma->vm_start <= mm->start_stack &&
31447+ vma->vm_end >= mm->start_stack)) {
31448 name = "[stack]";
31449 } else {
31450 unsigned long stack_start;
31451@@ -403,9 +429,16 @@ static int show_smap(struct seq_file *m,
31452 };
31453
31454 memset(&mss, 0, sizeof mss);
31455- mss.vma = vma;
31456- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31457- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31458+
31459+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31460+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
31461+#endif
31462+ mss.vma = vma;
31463+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31464+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31465+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31466+ }
31467+#endif
31468
31469 show_map_vma(m, vma);
31470
31471@@ -421,7 +454,11 @@ static int show_smap(struct seq_file *m,
31472 "Swap: %8lu kB\n"
31473 "KernelPageSize: %8lu kB\n"
31474 "MMUPageSize: %8lu kB\n",
31475+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31476+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
31477+#else
31478 (vma->vm_end - vma->vm_start) >> 10,
31479+#endif
31480 mss.resident >> 10,
31481 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
31482 mss.shared_clean >> 10,
31483diff -urNp linux-2.6.32.9/fs/proc/task_nommu.c linux-2.6.32.9/fs/proc/task_nommu.c
31484--- linux-2.6.32.9/fs/proc/task_nommu.c 2010-02-09 07:57:19.000000000 -0500
31485+++ linux-2.6.32.9/fs/proc/task_nommu.c 2010-02-23 17:09:53.296048133 -0500
31486@@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
31487 else
31488 bytes += kobjsize(mm);
31489
31490- if (current->fs && current->fs->users > 1)
31491+ if (current->fs && atomic_read(&current->fs->users) > 1)
31492 sbytes += kobjsize(current->fs);
31493 else
31494 bytes += kobjsize(current->fs);
31495@@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
31496 if (len < 1)
31497 len = 1;
31498 seq_printf(m, "%*c", len, ' ');
31499- seq_path(m, &file->f_path, "");
31500+ seq_path(m, &file->f_path, "\n\\");
31501 }
31502
31503 seq_putc(m, '\n');
31504diff -urNp linux-2.6.32.9/fs/readdir.c linux-2.6.32.9/fs/readdir.c
31505--- linux-2.6.32.9/fs/readdir.c 2010-02-09 07:57:19.000000000 -0500
31506+++ linux-2.6.32.9/fs/readdir.c 2010-02-23 17:09:53.296048133 -0500
31507@@ -16,6 +16,7 @@
31508 #include <linux/security.h>
31509 #include <linux/syscalls.h>
31510 #include <linux/unistd.h>
31511+#include <linux/namei.h>
31512
31513 #include <asm/uaccess.h>
31514
31515@@ -67,6 +68,7 @@ struct old_linux_dirent {
31516
31517 struct readdir_callback {
31518 struct old_linux_dirent __user * dirent;
31519+ struct file * file;
31520 int result;
31521 };
31522
31523@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
31524 buf->result = -EOVERFLOW;
31525 return -EOVERFLOW;
31526 }
31527+
31528+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31529+ return 0;
31530+
31531 buf->result++;
31532 dirent = buf->dirent;
31533 if (!access_ok(VERIFY_WRITE, dirent,
31534@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
31535
31536 buf.result = 0;
31537 buf.dirent = dirent;
31538+ buf.file = file;
31539
31540 error = vfs_readdir(file, fillonedir, &buf);
31541 if (buf.result)
31542@@ -142,6 +149,7 @@ struct linux_dirent {
31543 struct getdents_callback {
31544 struct linux_dirent __user * current_dir;
31545 struct linux_dirent __user * previous;
31546+ struct file * file;
31547 int count;
31548 int error;
31549 };
31550@@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
31551 buf->error = -EOVERFLOW;
31552 return -EOVERFLOW;
31553 }
31554+
31555+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31556+ return 0;
31557+
31558 dirent = buf->previous;
31559 if (dirent) {
31560 if (__put_user(offset, &dirent->d_off))
31561@@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
31562 buf.previous = NULL;
31563 buf.count = count;
31564 buf.error = 0;
31565+ buf.file = file;
31566
31567 error = vfs_readdir(file, filldir, &buf);
31568 if (error >= 0)
31569@@ -228,6 +241,7 @@ out:
31570 struct getdents_callback64 {
31571 struct linux_dirent64 __user * current_dir;
31572 struct linux_dirent64 __user * previous;
31573+ struct file *file;
31574 int count;
31575 int error;
31576 };
31577@@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
31578 buf->error = -EINVAL; /* only used if we fail.. */
31579 if (reclen > buf->count)
31580 return -EINVAL;
31581+
31582+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31583+ return 0;
31584+
31585 dirent = buf->previous;
31586 if (dirent) {
31587 if (__put_user(offset, &dirent->d_off))
31588@@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
31589
31590 buf.current_dir = dirent;
31591 buf.previous = NULL;
31592+ buf.file = file;
31593 buf.count = count;
31594 buf.error = 0;
31595
31596diff -urNp linux-2.6.32.9/fs/reiserfs/do_balan.c linux-2.6.32.9/fs/reiserfs/do_balan.c
31597--- linux-2.6.32.9/fs/reiserfs/do_balan.c 2010-02-09 07:57:19.000000000 -0500
31598+++ linux-2.6.32.9/fs/reiserfs/do_balan.c 2010-02-23 17:09:53.296048133 -0500
31599@@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
31600 return;
31601 }
31602
31603- atomic_inc(&(fs_generation(tb->tb_sb)));
31604+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
31605 do_balance_starts(tb);
31606
31607 /* balance leaf returns 0 except if combining L R and S into
31608diff -urNp linux-2.6.32.9/fs/reiserfs/item_ops.c linux-2.6.32.9/fs/reiserfs/item_ops.c
31609--- linux-2.6.32.9/fs/reiserfs/item_ops.c 2010-02-09 07:57:19.000000000 -0500
31610+++ linux-2.6.32.9/fs/reiserfs/item_ops.c 2010-02-23 17:09:53.296048133 -0500
31611@@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
31612 vi->vi_index, vi->vi_type, vi->vi_ih);
31613 }
31614
31615-static struct item_operations stat_data_ops = {
31616+static const struct item_operations stat_data_ops = {
31617 .bytes_number = sd_bytes_number,
31618 .decrement_key = sd_decrement_key,
31619 .is_left_mergeable = sd_is_left_mergeable,
31620@@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
31621 vi->vi_index, vi->vi_type, vi->vi_ih);
31622 }
31623
31624-static struct item_operations direct_ops = {
31625+static const struct item_operations direct_ops = {
31626 .bytes_number = direct_bytes_number,
31627 .decrement_key = direct_decrement_key,
31628 .is_left_mergeable = direct_is_left_mergeable,
31629@@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
31630 vi->vi_index, vi->vi_type, vi->vi_ih);
31631 }
31632
31633-static struct item_operations indirect_ops = {
31634+static const struct item_operations indirect_ops = {
31635 .bytes_number = indirect_bytes_number,
31636 .decrement_key = indirect_decrement_key,
31637 .is_left_mergeable = indirect_is_left_mergeable,
31638@@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
31639 printk("\n");
31640 }
31641
31642-static struct item_operations direntry_ops = {
31643+static const struct item_operations direntry_ops = {
31644 .bytes_number = direntry_bytes_number,
31645 .decrement_key = direntry_decrement_key,
31646 .is_left_mergeable = direntry_is_left_mergeable,
31647@@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
31648 "Invalid item type observed, run fsck ASAP");
31649 }
31650
31651-static struct item_operations errcatch_ops = {
31652+static const struct item_operations errcatch_ops = {
31653 errcatch_bytes_number,
31654 errcatch_decrement_key,
31655 errcatch_is_left_mergeable,
31656@@ -746,7 +746,7 @@ static struct item_operations errcatch_o
31657 #error Item types must use disk-format assigned values.
31658 #endif
31659
31660-struct item_operations *item_ops[TYPE_ANY + 1] = {
31661+const struct item_operations * const item_ops[TYPE_ANY + 1] = {
31662 &stat_data_ops,
31663 &indirect_ops,
31664 &direct_ops,
31665diff -urNp linux-2.6.32.9/fs/reiserfs/procfs.c linux-2.6.32.9/fs/reiserfs/procfs.c
31666--- linux-2.6.32.9/fs/reiserfs/procfs.c 2010-02-09 07:57:19.000000000 -0500
31667+++ linux-2.6.32.9/fs/reiserfs/procfs.c 2010-02-23 17:09:53.296048133 -0500
31668@@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
31669 "SMALL_TAILS " : "NO_TAILS ",
31670 replay_only(sb) ? "REPLAY_ONLY " : "",
31671 convert_reiserfs(sb) ? "CONV " : "",
31672- atomic_read(&r->s_generation_counter),
31673+ atomic_read_unchecked(&r->s_generation_counter),
31674 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
31675 SF(s_do_balance), SF(s_unneeded_left_neighbor),
31676 SF(s_good_search_by_key_reada), SF(s_bmaps),
31677diff -urNp linux-2.6.32.9/fs/select.c linux-2.6.32.9/fs/select.c
31678--- linux-2.6.32.9/fs/select.c 2010-02-09 07:57:19.000000000 -0500
31679+++ linux-2.6.32.9/fs/select.c 2010-02-23 17:09:53.296048133 -0500
31680@@ -20,6 +20,7 @@
31681 #include <linux/module.h>
31682 #include <linux/slab.h>
31683 #include <linux/poll.h>
31684+#include <linux/security.h>
31685 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
31686 #include <linux/file.h>
31687 #include <linux/fdtable.h>
31688@@ -821,6 +822,7 @@ int do_sys_poll(struct pollfd __user *uf
31689 struct poll_list *walk = head;
31690 unsigned long todo = nfds;
31691
31692+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
31693 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
31694 return -EINVAL;
31695
31696diff -urNp linux-2.6.32.9/fs/seq_file.c linux-2.6.32.9/fs/seq_file.c
31697--- linux-2.6.32.9/fs/seq_file.c 2010-02-09 07:57:19.000000000 -0500
31698+++ linux-2.6.32.9/fs/seq_file.c 2010-02-23 17:09:53.296048133 -0500
31699@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
31700 return 0;
31701 }
31702 if (!m->buf) {
31703- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31704+ m->size = PAGE_SIZE;
31705+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31706 if (!m->buf)
31707 return -ENOMEM;
31708 }
31709@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
31710 Eoverflow:
31711 m->op->stop(m, p);
31712 kfree(m->buf);
31713- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31714+ m->size <<= 1;
31715+ m->buf = kmalloc(m->size, GFP_KERNEL);
31716 return !m->buf ? -ENOMEM : -EAGAIN;
31717 }
31718
31719@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
31720 m->version = file->f_version;
31721 /* grab buffer if we didn't have one */
31722 if (!m->buf) {
31723- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31724+ m->size = PAGE_SIZE;
31725+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31726 if (!m->buf)
31727 goto Enomem;
31728 }
31729@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
31730 goto Fill;
31731 m->op->stop(m, p);
31732 kfree(m->buf);
31733- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31734+ m->size <<= 1;
31735+ m->buf = kmalloc(m->size, GFP_KERNEL);
31736 if (!m->buf)
31737 goto Enomem;
31738 m->count = 0;
31739diff -urNp linux-2.6.32.9/fs/smbfs/symlink.c linux-2.6.32.9/fs/smbfs/symlink.c
31740--- linux-2.6.32.9/fs/smbfs/symlink.c 2010-02-09 07:57:19.000000000 -0500
31741+++ linux-2.6.32.9/fs/smbfs/symlink.c 2010-02-23 17:09:53.296048133 -0500
31742@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
31743
31744 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
31745 {
31746- char *s = nd_get_link(nd);
31747+ const char *s = nd_get_link(nd);
31748 if (!IS_ERR(s))
31749 __putname(s);
31750 }
31751diff -urNp linux-2.6.32.9/fs/splice.c linux-2.6.32.9/fs/splice.c
31752--- linux-2.6.32.9/fs/splice.c 2010-02-09 07:57:19.000000000 -0500
31753+++ linux-2.6.32.9/fs/splice.c 2010-02-23 17:09:53.300060401 -0500
31754@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
31755 pipe_lock(pipe);
31756
31757 for (;;) {
31758- if (!pipe->readers) {
31759+ if (!atomic_read(&pipe->readers)) {
31760 send_sig(SIGPIPE, current, 0);
31761 if (!ret)
31762 ret = -EPIPE;
31763@@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
31764 do_wakeup = 0;
31765 }
31766
31767- pipe->waiting_writers++;
31768+ atomic_inc(&pipe->waiting_writers);
31769 pipe_wait(pipe);
31770- pipe->waiting_writers--;
31771+ atomic_dec(&pipe->waiting_writers);
31772 }
31773
31774 pipe_unlock(pipe);
31775@@ -531,7 +531,7 @@ static ssize_t kernel_readv(struct file
31776 old_fs = get_fs();
31777 set_fs(get_ds());
31778 /* The cast to a user pointer is valid due to the set_fs() */
31779- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
31780+ res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
31781 set_fs(old_fs);
31782
31783 return res;
31784@@ -546,7 +546,7 @@ static ssize_t kernel_write(struct file
31785 old_fs = get_fs();
31786 set_fs(get_ds());
31787 /* The cast to a user pointer is valid due to the set_fs() */
31788- res = vfs_write(file, (const char __user *)buf, count, &pos);
31789+ res = vfs_write(file, (__force const char __user *)buf, count, &pos);
31790 set_fs(old_fs);
31791
31792 return res;
31793@@ -588,7 +588,7 @@ ssize_t default_file_splice_read(struct
31794 goto err;
31795
31796 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
31797- vec[i].iov_base = (void __user *) page_address(page);
31798+ vec[i].iov_base = (__force void __user *) page_address(page);
31799 vec[i].iov_len = this_len;
31800 pages[i] = page;
31801 spd.nr_pages++;
31802@@ -808,10 +808,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
31803 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
31804 {
31805 while (!pipe->nrbufs) {
31806- if (!pipe->writers)
31807+ if (!atomic_read(&pipe->writers))
31808 return 0;
31809
31810- if (!pipe->waiting_writers && sd->num_spliced)
31811+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
31812 return 0;
31813
31814 if (sd->flags & SPLICE_F_NONBLOCK)
31815@@ -1146,7 +1146,7 @@ ssize_t splice_direct_to_actor(struct fi
31816 * out of the pipe right after the splice_to_pipe(). So set
31817 * PIPE_READERS appropriately.
31818 */
31819- pipe->readers = 1;
31820+ atomic_set(&pipe->readers, 1);
31821
31822 current->splice_pipe = pipe;
31823 }
31824@@ -1704,9 +1704,9 @@ static int ipipe_prep(struct pipe_inode_
31825 ret = -ERESTARTSYS;
31826 break;
31827 }
31828- if (!pipe->writers)
31829+ if (!atomic_read(&pipe->writers))
31830 break;
31831- if (!pipe->waiting_writers) {
31832+ if (!atomic_read(&pipe->waiting_writers)) {
31833 if (flags & SPLICE_F_NONBLOCK) {
31834 ret = -EAGAIN;
31835 break;
31836@@ -1738,7 +1738,7 @@ static int opipe_prep(struct pipe_inode_
31837 pipe_lock(pipe);
31838
31839 while (pipe->nrbufs >= PIPE_BUFFERS) {
31840- if (!pipe->readers) {
31841+ if (!atomic_read(&pipe->readers)) {
31842 send_sig(SIGPIPE, current, 0);
31843 ret = -EPIPE;
31844 break;
31845@@ -1751,9 +1751,9 @@ static int opipe_prep(struct pipe_inode_
31846 ret = -ERESTARTSYS;
31847 break;
31848 }
31849- pipe->waiting_writers++;
31850+ atomic_inc(&pipe->waiting_writers);
31851 pipe_wait(pipe);
31852- pipe->waiting_writers--;
31853+ atomic_dec(&pipe->waiting_writers);
31854 }
31855
31856 pipe_unlock(pipe);
31857@@ -1789,14 +1789,14 @@ retry:
31858 pipe_double_lock(ipipe, opipe);
31859
31860 do {
31861- if (!opipe->readers) {
31862+ if (!atomic_read(&opipe->readers)) {
31863 send_sig(SIGPIPE, current, 0);
31864 if (!ret)
31865 ret = -EPIPE;
31866 break;
31867 }
31868
31869- if (!ipipe->nrbufs && !ipipe->writers)
31870+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
31871 break;
31872
31873 /*
31874@@ -1896,7 +1896,7 @@ static int link_pipe(struct pipe_inode_i
31875 pipe_double_lock(ipipe, opipe);
31876
31877 do {
31878- if (!opipe->readers) {
31879+ if (!atomic_read(&opipe->readers)) {
31880 send_sig(SIGPIPE, current, 0);
31881 if (!ret)
31882 ret = -EPIPE;
31883@@ -1941,7 +1941,7 @@ static int link_pipe(struct pipe_inode_i
31884 * return EAGAIN if we have the potential of some data in the
31885 * future, otherwise just return 0
31886 */
31887- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
31888+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
31889 ret = -EAGAIN;
31890
31891 pipe_unlock(ipipe);
31892diff -urNp linux-2.6.32.9/fs/sysfs/file.c linux-2.6.32.9/fs/sysfs/file.c
31893--- linux-2.6.32.9/fs/sysfs/file.c 2010-02-09 07:57:19.000000000 -0500
31894+++ linux-2.6.32.9/fs/sysfs/file.c 2010-02-23 17:09:53.300060401 -0500
31895@@ -53,7 +53,7 @@ struct sysfs_buffer {
31896 size_t count;
31897 loff_t pos;
31898 char * page;
31899- struct sysfs_ops * ops;
31900+ const struct sysfs_ops * ops;
31901 struct mutex mutex;
31902 int needs_read_fill;
31903 int event;
31904@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
31905 {
31906 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
31907 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31908- struct sysfs_ops * ops = buffer->ops;
31909+ const struct sysfs_ops * ops = buffer->ops;
31910 int ret = 0;
31911 ssize_t count;
31912
31913@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
31914 {
31915 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
31916 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31917- struct sysfs_ops * ops = buffer->ops;
31918+ const struct sysfs_ops * ops = buffer->ops;
31919 int rc;
31920
31921 /* need attr_sd for attr and ops, its parent for kobj */
31922@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
31923 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
31924 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31925 struct sysfs_buffer *buffer;
31926- struct sysfs_ops *ops;
31927+ const struct sysfs_ops *ops;
31928 int error = -EACCES;
31929 char *p;
31930
31931diff -urNp linux-2.6.32.9/fs/sysfs/symlink.c linux-2.6.32.9/fs/sysfs/symlink.c
31932--- linux-2.6.32.9/fs/sysfs/symlink.c 2010-02-09 07:57:19.000000000 -0500
31933+++ linux-2.6.32.9/fs/sysfs/symlink.c 2010-02-23 17:09:53.300060401 -0500
31934@@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
31935
31936 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
31937 {
31938- char *page = nd_get_link(nd);
31939+ const char *page = nd_get_link(nd);
31940 if (!IS_ERR(page))
31941 free_page((unsigned long)page);
31942 }
31943diff -urNp linux-2.6.32.9/fs/udf/balloc.c linux-2.6.32.9/fs/udf/balloc.c
31944--- linux-2.6.32.9/fs/udf/balloc.c 2010-02-09 07:57:19.000000000 -0500
31945+++ linux-2.6.32.9/fs/udf/balloc.c 2010-02-23 17:09:53.300060401 -0500
31946@@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
31947
31948 mutex_lock(&sbi->s_alloc_mutex);
31949 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
31950- if (bloc->logicalBlockNum < 0 ||
31951- (bloc->logicalBlockNum + count) >
31952- partmap->s_partition_len) {
31953+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
31954 udf_debug("%d < %d || %d + %d > %d\n",
31955 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
31956 count, partmap->s_partition_len);
31957@@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
31958
31959 mutex_lock(&sbi->s_alloc_mutex);
31960 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
31961- if (bloc->logicalBlockNum < 0 ||
31962- (bloc->logicalBlockNum + count) >
31963- partmap->s_partition_len) {
31964+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
31965 udf_debug("%d < %d || %d + %d > %d\n",
31966 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
31967 partmap->s_partition_len);
31968diff -urNp linux-2.6.32.9/fs/utimes.c linux-2.6.32.9/fs/utimes.c
31969--- linux-2.6.32.9/fs/utimes.c 2010-02-09 07:57:19.000000000 -0500
31970+++ linux-2.6.32.9/fs/utimes.c 2010-02-23 17:09:53.300060401 -0500
31971@@ -1,6 +1,7 @@
31972 #include <linux/compiler.h>
31973 #include <linux/file.h>
31974 #include <linux/fs.h>
31975+#include <linux/security.h>
31976 #include <linux/linkage.h>
31977 #include <linux/mount.h>
31978 #include <linux/namei.h>
31979@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
31980 goto mnt_drop_write_and_out;
31981 }
31982 }
31983+
31984+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
31985+ error = -EACCES;
31986+ goto mnt_drop_write_and_out;
31987+ }
31988+
31989 mutex_lock(&inode->i_mutex);
31990 error = notify_change(path->dentry, &newattrs);
31991 mutex_unlock(&inode->i_mutex);
31992diff -urNp linux-2.6.32.9/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.9/fs/xfs/linux-2.6/xfs_iops.c
31993--- linux-2.6.32.9/fs/xfs/linux-2.6/xfs_iops.c 2010-02-09 07:57:19.000000000 -0500
31994+++ linux-2.6.32.9/fs/xfs/linux-2.6/xfs_iops.c 2010-02-23 17:09:53.300060401 -0500
31995@@ -468,7 +468,7 @@ xfs_vn_put_link(
31996 struct nameidata *nd,
31997 void *p)
31998 {
31999- char *s = nd_get_link(nd);
32000+ const char *s = nd_get_link(nd);
32001
32002 if (!IS_ERR(s))
32003 kfree(s);
32004diff -urNp linux-2.6.32.9/fs/xfs/xfs_bmap.c linux-2.6.32.9/fs/xfs/xfs_bmap.c
32005--- linux-2.6.32.9/fs/xfs/xfs_bmap.c 2010-02-09 07:57:19.000000000 -0500
32006+++ linux-2.6.32.9/fs/xfs/xfs_bmap.c 2010-02-23 17:09:53.300060401 -0500
32007@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
32008 int nmap,
32009 int ret_nmap);
32010 #else
32011-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
32012+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
32013 #endif /* DEBUG */
32014
32015 #if defined(XFS_RW_TRACE)
32016diff -urNp linux-2.6.32.9/grsecurity/gracl_alloc.c linux-2.6.32.9/grsecurity/gracl_alloc.c
32017--- linux-2.6.32.9/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
32018+++ linux-2.6.32.9/grsecurity/gracl_alloc.c 2010-02-23 17:09:53.300060401 -0500
32019@@ -0,0 +1,105 @@
32020+#include <linux/kernel.h>
32021+#include <linux/mm.h>
32022+#include <linux/slab.h>
32023+#include <linux/vmalloc.h>
32024+#include <linux/gracl.h>
32025+#include <linux/grsecurity.h>
32026+
32027+static unsigned long alloc_stack_next = 1;
32028+static unsigned long alloc_stack_size = 1;
32029+static void **alloc_stack;
32030+
32031+static __inline__ int
32032+alloc_pop(void)
32033+{
32034+ if (alloc_stack_next == 1)
32035+ return 0;
32036+
32037+ kfree(alloc_stack[alloc_stack_next - 2]);
32038+
32039+ alloc_stack_next--;
32040+
32041+ return 1;
32042+}
32043+
32044+static __inline__ int
32045+alloc_push(void *buf)
32046+{
32047+ if (alloc_stack_next >= alloc_stack_size)
32048+ return 1;
32049+
32050+ alloc_stack[alloc_stack_next - 1] = buf;
32051+
32052+ alloc_stack_next++;
32053+
32054+ return 0;
32055+}
32056+
32057+void *
32058+acl_alloc(unsigned long len)
32059+{
32060+ void *ret = NULL;
32061+
32062+ if (!len || len > PAGE_SIZE)
32063+ goto out;
32064+
32065+ ret = kmalloc(len, GFP_KERNEL);
32066+
32067+ if (ret) {
32068+ if (alloc_push(ret)) {
32069+ kfree(ret);
32070+ ret = NULL;
32071+ }
32072+ }
32073+
32074+out:
32075+ return ret;
32076+}
32077+
32078+void *
32079+acl_alloc_num(unsigned long num, unsigned long len)
32080+{
32081+ if (!len || (num > (PAGE_SIZE / len)))
32082+ return NULL;
32083+
32084+ return acl_alloc(num * len);
32085+}
32086+
32087+void
32088+acl_free_all(void)
32089+{
32090+ if (gr_acl_is_enabled() || !alloc_stack)
32091+ return;
32092+
32093+ while (alloc_pop()) ;
32094+
32095+ if (alloc_stack) {
32096+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
32097+ kfree(alloc_stack);
32098+ else
32099+ vfree(alloc_stack);
32100+ }
32101+
32102+ alloc_stack = NULL;
32103+ alloc_stack_size = 1;
32104+ alloc_stack_next = 1;
32105+
32106+ return;
32107+}
32108+
32109+int
32110+acl_alloc_stack_init(unsigned long size)
32111+{
32112+ if ((size * sizeof (void *)) <= PAGE_SIZE)
32113+ alloc_stack =
32114+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
32115+ else
32116+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
32117+
32118+ alloc_stack_size = size;
32119+
32120+ if (!alloc_stack)
32121+ return 0;
32122+ else
32123+ return 1;
32124+}
32125diff -urNp linux-2.6.32.9/grsecurity/gracl.c linux-2.6.32.9/grsecurity/gracl.c
32126--- linux-2.6.32.9/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
32127+++ linux-2.6.32.9/grsecurity/gracl.c 2010-02-23 17:09:53.304046495 -0500
32128@@ -0,0 +1,3918 @@
32129+#include <linux/kernel.h>
32130+#include <linux/module.h>
32131+#include <linux/sched.h>
32132+#include <linux/mm.h>
32133+#include <linux/file.h>
32134+#include <linux/fs.h>
32135+#include <linux/namei.h>
32136+#include <linux/mount.h>
32137+#include <linux/tty.h>
32138+#include <linux/proc_fs.h>
32139+#include <linux/smp_lock.h>
32140+#include <linux/slab.h>
32141+#include <linux/vmalloc.h>
32142+#include <linux/types.h>
32143+#include <linux/sysctl.h>
32144+#include <linux/netdevice.h>
32145+#include <linux/ptrace.h>
32146+#include <linux/gracl.h>
32147+#include <linux/gralloc.h>
32148+#include <linux/grsecurity.h>
32149+#include <linux/grinternal.h>
32150+#include <linux/pid_namespace.h>
32151+#include <linux/fdtable.h>
32152+#include <linux/percpu.h>
32153+
32154+#include <asm/uaccess.h>
32155+#include <asm/errno.h>
32156+#include <asm/mman.h>
32157+
32158+static struct acl_role_db acl_role_set;
32159+static struct name_db name_set;
32160+static struct inodev_db inodev_set;
32161+
32162+/* for keeping track of userspace pointers used for subjects, so we
32163+ can share references in the kernel as well
32164+*/
32165+
32166+static struct dentry *real_root;
32167+static struct vfsmount *real_root_mnt;
32168+
32169+static struct acl_subj_map_db subj_map_set;
32170+
32171+static struct acl_role_label *default_role;
32172+
32173+static struct acl_role_label *role_list;
32174+
32175+static u16 acl_sp_role_value;
32176+
32177+extern char *gr_shared_page[4];
32178+static DECLARE_MUTEX(gr_dev_sem);
32179+DEFINE_RWLOCK(gr_inode_lock);
32180+
32181+struct gr_arg *gr_usermode;
32182+
32183+static unsigned int gr_status __read_only = GR_STATUS_INIT;
32184+
32185+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
32186+extern void gr_clear_learn_entries(void);
32187+
32188+#ifdef CONFIG_GRKERNSEC_RESLOG
32189+extern void gr_log_resource(const struct task_struct *task,
32190+ const int res, const unsigned long wanted, const int gt);
32191+#endif
32192+
32193+unsigned char *gr_system_salt;
32194+unsigned char *gr_system_sum;
32195+
32196+static struct sprole_pw **acl_special_roles = NULL;
32197+static __u16 num_sprole_pws = 0;
32198+
32199+static struct acl_role_label *kernel_role = NULL;
32200+
32201+static unsigned int gr_auth_attempts = 0;
32202+static unsigned long gr_auth_expires = 0UL;
32203+
32204+extern struct vfsmount *sock_mnt;
32205+extern struct vfsmount *pipe_mnt;
32206+extern struct vfsmount *shm_mnt;
32207+static struct acl_object_label *fakefs_obj;
32208+
32209+extern int gr_init_uidset(void);
32210+extern void gr_free_uidset(void);
32211+extern void gr_remove_uid(uid_t uid);
32212+extern int gr_find_uid(uid_t uid);
32213+
32214+__inline__ int
32215+gr_acl_is_enabled(void)
32216+{
32217+ return (gr_status & GR_READY);
32218+}
32219+
32220+char gr_roletype_to_char(void)
32221+{
32222+ switch (current->role->roletype &
32223+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
32224+ GR_ROLE_SPECIAL)) {
32225+ case GR_ROLE_DEFAULT:
32226+ return 'D';
32227+ case GR_ROLE_USER:
32228+ return 'U';
32229+ case GR_ROLE_GROUP:
32230+ return 'G';
32231+ case GR_ROLE_SPECIAL:
32232+ return 'S';
32233+ }
32234+
32235+ return 'X';
32236+}
32237+
32238+__inline__ int
32239+gr_acl_tpe_check(void)
32240+{
32241+ if (unlikely(!(gr_status & GR_READY)))
32242+ return 0;
32243+ if (current->role->roletype & GR_ROLE_TPE)
32244+ return 1;
32245+ else
32246+ return 0;
32247+}
32248+
32249+int
32250+gr_handle_rawio(const struct inode *inode)
32251+{
32252+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32253+ if (inode && S_ISBLK(inode->i_mode) &&
32254+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
32255+ !capable(CAP_SYS_RAWIO))
32256+ return 1;
32257+#endif
32258+ return 0;
32259+}
32260+
32261+static int
32262+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
32263+{
32264+ int i;
32265+ unsigned long *l1;
32266+ unsigned long *l2;
32267+ unsigned char *c1;
32268+ unsigned char *c2;
32269+ int num_longs;
32270+
32271+ if (likely(lena != lenb))
32272+ return 0;
32273+
32274+ l1 = (unsigned long *)a;
32275+ l2 = (unsigned long *)b;
32276+
32277+ num_longs = lena / sizeof(unsigned long);
32278+
32279+ for (i = num_longs; i--; l1++, l2++) {
32280+ if (unlikely(*l1 != *l2))
32281+ return 0;
32282+ }
32283+
32284+ c1 = (unsigned char *) l1;
32285+ c2 = (unsigned char *) l2;
32286+
32287+ i = lena - (num_longs * sizeof(unsigned long));
32288+
32289+ for (; i--; c1++, c2++) {
32290+ if (unlikely(*c1 != *c2))
32291+ return 0;
32292+ }
32293+
32294+ return 1;
32295+}
32296+
32297+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32298+ struct dentry *root, struct vfsmount *rootmnt,
32299+ char *buffer, int buflen)
32300+{
32301+ char * end = buffer+buflen;
32302+ char * retval;
32303+ int namelen;
32304+
32305+ *--end = '\0';
32306+ buflen--;
32307+
32308+ if (buflen < 1)
32309+ goto Elong;
32310+ /* Get '/' right */
32311+ retval = end-1;
32312+ *retval = '/';
32313+
32314+ for (;;) {
32315+ struct dentry * parent;
32316+
32317+ if (dentry == root && vfsmnt == rootmnt)
32318+ break;
32319+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
32320+ /* Global root? */
32321+ spin_lock(&vfsmount_lock);
32322+ if (vfsmnt->mnt_parent == vfsmnt) {
32323+ spin_unlock(&vfsmount_lock);
32324+ goto global_root;
32325+ }
32326+ dentry = vfsmnt->mnt_mountpoint;
32327+ vfsmnt = vfsmnt->mnt_parent;
32328+ spin_unlock(&vfsmount_lock);
32329+ continue;
32330+ }
32331+ parent = dentry->d_parent;
32332+ prefetch(parent);
32333+ namelen = dentry->d_name.len;
32334+ buflen -= namelen + 1;
32335+ if (buflen < 0)
32336+ goto Elong;
32337+ end -= namelen;
32338+ memcpy(end, dentry->d_name.name, namelen);
32339+ *--end = '/';
32340+ retval = end;
32341+ dentry = parent;
32342+ }
32343+
32344+ return retval;
32345+
32346+global_root:
32347+ namelen = dentry->d_name.len;
32348+ buflen -= namelen;
32349+ if (buflen < 0)
32350+ goto Elong;
32351+ retval -= namelen-1; /* hit the slash */
32352+ memcpy(retval, dentry->d_name.name, namelen);
32353+ return retval;
32354+Elong:
32355+ return ERR_PTR(-ENAMETOOLONG);
32356+}
32357+
32358+static char *
32359+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32360+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
32361+{
32362+ char *retval;
32363+
32364+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
32365+ if (unlikely(IS_ERR(retval)))
32366+ retval = strcpy(buf, "<path too long>");
32367+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
32368+ retval[1] = '\0';
32369+
32370+ return retval;
32371+}
32372+
32373+static char *
32374+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32375+ char *buf, int buflen)
32376+{
32377+ char *res;
32378+
32379+ /* we can use real_root, real_root_mnt, because this is only called
32380+ by the RBAC system */
32381+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
32382+
32383+ return res;
32384+}
32385+
32386+static char *
32387+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32388+ char *buf, int buflen)
32389+{
32390+ char *res;
32391+ struct dentry *root;
32392+ struct vfsmount *rootmnt;
32393+ struct task_struct *reaper = &init_task;
32394+
32395+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
32396+ read_lock(&reaper->fs->lock);
32397+ root = dget(reaper->fs->root.dentry);
32398+ rootmnt = mntget(reaper->fs->root.mnt);
32399+ read_unlock(&reaper->fs->lock);
32400+
32401+ spin_lock(&dcache_lock);
32402+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
32403+ spin_unlock(&dcache_lock);
32404+
32405+ dput(root);
32406+ mntput(rootmnt);
32407+ return res;
32408+}
32409+
32410+static char *
32411+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
32412+{
32413+ char *ret;
32414+ spin_lock(&dcache_lock);
32415+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32416+ PAGE_SIZE);
32417+ spin_unlock(&dcache_lock);
32418+ return ret;
32419+}
32420+
32421+char *
32422+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
32423+{
32424+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32425+ PAGE_SIZE);
32426+}
32427+
32428+char *
32429+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
32430+{
32431+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
32432+ PAGE_SIZE);
32433+}
32434+
32435+char *
32436+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
32437+{
32438+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
32439+ PAGE_SIZE);
32440+}
32441+
32442+char *
32443+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
32444+{
32445+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
32446+ PAGE_SIZE);
32447+}
32448+
32449+char *
32450+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
32451+{
32452+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
32453+ PAGE_SIZE);
32454+}
32455+
32456+__inline__ __u32
32457+to_gr_audit(const __u32 reqmode)
32458+{
32459+ /* masks off auditable permission flags, then shifts them to create
32460+ auditing flags, and adds the special case of append auditing if
32461+ we're requesting write */
32462+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
32463+}
32464+
32465+struct acl_subject_label *
32466+lookup_subject_map(const struct acl_subject_label *userp)
32467+{
32468+ unsigned int index = shash(userp, subj_map_set.s_size);
32469+ struct subject_map *match;
32470+
32471+ match = subj_map_set.s_hash[index];
32472+
32473+ while (match && match->user != userp)
32474+ match = match->next;
32475+
32476+ if (match != NULL)
32477+ return match->kernel;
32478+ else
32479+ return NULL;
32480+}
32481+
32482+static void
32483+insert_subj_map_entry(struct subject_map *subjmap)
32484+{
32485+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
32486+ struct subject_map **curr;
32487+
32488+ subjmap->prev = NULL;
32489+
32490+ curr = &subj_map_set.s_hash[index];
32491+ if (*curr != NULL)
32492+ (*curr)->prev = subjmap;
32493+
32494+ subjmap->next = *curr;
32495+ *curr = subjmap;
32496+
32497+ return;
32498+}
32499+
32500+static struct acl_role_label *
32501+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
32502+ const gid_t gid)
32503+{
32504+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
32505+ struct acl_role_label *match;
32506+ struct role_allowed_ip *ipp;
32507+ unsigned int x;
32508+
32509+ match = acl_role_set.r_hash[index];
32510+
32511+ while (match) {
32512+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
32513+ for (x = 0; x < match->domain_child_num; x++) {
32514+ if (match->domain_children[x] == uid)
32515+ goto found;
32516+ }
32517+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
32518+ break;
32519+ match = match->next;
32520+ }
32521+found:
32522+ if (match == NULL) {
32523+ try_group:
32524+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
32525+ match = acl_role_set.r_hash[index];
32526+
32527+ while (match) {
32528+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
32529+ for (x = 0; x < match->domain_child_num; x++) {
32530+ if (match->domain_children[x] == gid)
32531+ goto found2;
32532+ }
32533+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
32534+ break;
32535+ match = match->next;
32536+ }
32537+found2:
32538+ if (match == NULL)
32539+ match = default_role;
32540+ if (match->allowed_ips == NULL)
32541+ return match;
32542+ else {
32543+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32544+ if (likely
32545+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32546+ (ntohl(ipp->addr) & ipp->netmask)))
32547+ return match;
32548+ }
32549+ match = default_role;
32550+ }
32551+ } else if (match->allowed_ips == NULL) {
32552+ return match;
32553+ } else {
32554+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32555+ if (likely
32556+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32557+ (ntohl(ipp->addr) & ipp->netmask)))
32558+ return match;
32559+ }
32560+ goto try_group;
32561+ }
32562+
32563+ return match;
32564+}
32565+
32566+struct acl_subject_label *
32567+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
32568+ const struct acl_role_label *role)
32569+{
32570+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
32571+ struct acl_subject_label *match;
32572+
32573+ match = role->subj_hash[index];
32574+
32575+ while (match && (match->inode != ino || match->device != dev ||
32576+ (match->mode & GR_DELETED))) {
32577+ match = match->next;
32578+ }
32579+
32580+ if (match && !(match->mode & GR_DELETED))
32581+ return match;
32582+ else
32583+ return NULL;
32584+}
32585+
32586+struct acl_subject_label *
32587+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
32588+ const struct acl_role_label *role)
32589+{
32590+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
32591+ struct acl_subject_label *match;
32592+
32593+ match = role->subj_hash[index];
32594+
32595+ while (match && (match->inode != ino || match->device != dev ||
32596+ !(match->mode & GR_DELETED))) {
32597+ match = match->next;
32598+ }
32599+
32600+ if (match && (match->mode & GR_DELETED))
32601+ return match;
32602+ else
32603+ return NULL;
32604+}
32605+
32606+static struct acl_object_label *
32607+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
32608+ const struct acl_subject_label *subj)
32609+{
32610+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32611+ struct acl_object_label *match;
32612+
32613+ match = subj->obj_hash[index];
32614+
32615+ while (match && (match->inode != ino || match->device != dev ||
32616+ (match->mode & GR_DELETED))) {
32617+ match = match->next;
32618+ }
32619+
32620+ if (match && !(match->mode & GR_DELETED))
32621+ return match;
32622+ else
32623+ return NULL;
32624+}
32625+
32626+static struct acl_object_label *
32627+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
32628+ const struct acl_subject_label *subj)
32629+{
32630+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32631+ struct acl_object_label *match;
32632+
32633+ match = subj->obj_hash[index];
32634+
32635+ while (match && (match->inode != ino || match->device != dev ||
32636+ !(match->mode & GR_DELETED))) {
32637+ match = match->next;
32638+ }
32639+
32640+ if (match && (match->mode & GR_DELETED))
32641+ return match;
32642+
32643+ match = subj->obj_hash[index];
32644+
32645+ while (match && (match->inode != ino || match->device != dev ||
32646+ (match->mode & GR_DELETED))) {
32647+ match = match->next;
32648+ }
32649+
32650+ if (match && !(match->mode & GR_DELETED))
32651+ return match;
32652+ else
32653+ return NULL;
32654+}
32655+
32656+static struct name_entry *
32657+lookup_name_entry(const char *name)
32658+{
32659+ unsigned int len = strlen(name);
32660+ unsigned int key = full_name_hash(name, len);
32661+ unsigned int index = key % name_set.n_size;
32662+ struct name_entry *match;
32663+
32664+ match = name_set.n_hash[index];
32665+
32666+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
32667+ match = match->next;
32668+
32669+ return match;
32670+}
32671+
32672+static struct name_entry *
32673+lookup_name_entry_create(const char *name)
32674+{
32675+ unsigned int len = strlen(name);
32676+ unsigned int key = full_name_hash(name, len);
32677+ unsigned int index = key % name_set.n_size;
32678+ struct name_entry *match;
32679+
32680+ match = name_set.n_hash[index];
32681+
32682+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32683+ !match->deleted))
32684+ match = match->next;
32685+
32686+ if (match && match->deleted)
32687+ return match;
32688+
32689+ match = name_set.n_hash[index];
32690+
32691+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32692+ match->deleted))
32693+ match = match->next;
32694+
32695+ if (match && !match->deleted)
32696+ return match;
32697+ else
32698+ return NULL;
32699+}
32700+
32701+static struct inodev_entry *
32702+lookup_inodev_entry(const ino_t ino, const dev_t dev)
32703+{
32704+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
32705+ struct inodev_entry *match;
32706+
32707+ match = inodev_set.i_hash[index];
32708+
32709+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
32710+ match = match->next;
32711+
32712+ return match;
32713+}
32714+
32715+static void
32716+insert_inodev_entry(struct inodev_entry *entry)
32717+{
32718+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
32719+ inodev_set.i_size);
32720+ struct inodev_entry **curr;
32721+
32722+ entry->prev = NULL;
32723+
32724+ curr = &inodev_set.i_hash[index];
32725+ if (*curr != NULL)
32726+ (*curr)->prev = entry;
32727+
32728+ entry->next = *curr;
32729+ *curr = entry;
32730+
32731+ return;
32732+}
32733+
32734+static void
32735+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
32736+{
32737+ unsigned int index =
32738+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
32739+ struct acl_role_label **curr;
32740+ struct acl_role_label *tmp;
32741+
32742+ curr = &acl_role_set.r_hash[index];
32743+
32744+ /* if role was already inserted due to domains and already has
32745+ a role in the same bucket as it attached, then we need to
32746+ combine these two buckets
32747+ */
32748+ if (role->next) {
32749+ tmp = role->next;
32750+ while (tmp->next)
32751+ tmp = tmp->next;
32752+ tmp->next = *curr;
32753+ } else
32754+ role->next = *curr;
32755+ *curr = role;
32756+
32757+ return;
32758+}
32759+
32760+static void
32761+insert_acl_role_label(struct acl_role_label *role)
32762+{
32763+ int i;
32764+
32765+ if (role_list == NULL) {
32766+ role_list = role;
32767+ role->prev = NULL;
32768+ } else {
32769+ role->prev = role_list;
32770+ role_list = role;
32771+ }
32772+
32773+ /* used for hash chains */
32774+ role->next = NULL;
32775+
32776+ if (role->roletype & GR_ROLE_DOMAIN) {
32777+ for (i = 0; i < role->domain_child_num; i++)
32778+ __insert_acl_role_label(role, role->domain_children[i]);
32779+ } else
32780+ __insert_acl_role_label(role, role->uidgid);
32781+}
32782+
32783+static int
32784+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
32785+{
32786+ struct name_entry **curr, *nentry;
32787+ struct inodev_entry *ientry;
32788+ unsigned int len = strlen(name);
32789+ unsigned int key = full_name_hash(name, len);
32790+ unsigned int index = key % name_set.n_size;
32791+
32792+ curr = &name_set.n_hash[index];
32793+
32794+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
32795+ curr = &((*curr)->next);
32796+
32797+ if (*curr != NULL)
32798+ return 1;
32799+
32800+ nentry = acl_alloc(sizeof (struct name_entry));
32801+ if (nentry == NULL)
32802+ return 0;
32803+ ientry = acl_alloc(sizeof (struct inodev_entry));
32804+ if (ientry == NULL)
32805+ return 0;
32806+ ientry->nentry = nentry;
32807+
32808+ nentry->key = key;
32809+ nentry->name = name;
32810+ nentry->inode = inode;
32811+ nentry->device = device;
32812+ nentry->len = len;
32813+ nentry->deleted = deleted;
32814+
32815+ nentry->prev = NULL;
32816+ curr = &name_set.n_hash[index];
32817+ if (*curr != NULL)
32818+ (*curr)->prev = nentry;
32819+ nentry->next = *curr;
32820+ *curr = nentry;
32821+
32822+ /* insert us into the table searchable by inode/dev */
32823+ insert_inodev_entry(ientry);
32824+
32825+ return 1;
32826+}
32827+
32828+static void
32829+insert_acl_obj_label(struct acl_object_label *obj,
32830+ struct acl_subject_label *subj)
32831+{
32832+ unsigned int index =
32833+ fhash(obj->inode, obj->device, subj->obj_hash_size);
32834+ struct acl_object_label **curr;
32835+
32836+
32837+ obj->prev = NULL;
32838+
32839+ curr = &subj->obj_hash[index];
32840+ if (*curr != NULL)
32841+ (*curr)->prev = obj;
32842+
32843+ obj->next = *curr;
32844+ *curr = obj;
32845+
32846+ return;
32847+}
32848+
32849+static void
32850+insert_acl_subj_label(struct acl_subject_label *obj,
32851+ struct acl_role_label *role)
32852+{
32853+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
32854+ struct acl_subject_label **curr;
32855+
32856+ obj->prev = NULL;
32857+
32858+ curr = &role->subj_hash[index];
32859+ if (*curr != NULL)
32860+ (*curr)->prev = obj;
32861+
32862+ obj->next = *curr;
32863+ *curr = obj;
32864+
32865+ return;
32866+}
32867+
32868+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
32869+
32870+static void *
32871+create_table(__u32 * len, int elementsize)
32872+{
32873+ unsigned int table_sizes[] = {
32874+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
32875+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
32876+ 4194301, 8388593, 16777213, 33554393, 67108859
32877+ };
32878+ void *newtable = NULL;
32879+ unsigned int pwr = 0;
32880+
32881+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
32882+ table_sizes[pwr] <= *len)
32883+ pwr++;
32884+
32885+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
32886+ return newtable;
32887+
32888+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
32889+ newtable =
32890+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
32891+ else
32892+ newtable = vmalloc(table_sizes[pwr] * elementsize);
32893+
32894+ *len = table_sizes[pwr];
32895+
32896+ return newtable;
32897+}
32898+
32899+static int
32900+init_variables(const struct gr_arg *arg)
32901+{
32902+ struct task_struct *reaper = &init_task;
32903+ unsigned int stacksize;
32904+
32905+ subj_map_set.s_size = arg->role_db.num_subjects;
32906+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
32907+ name_set.n_size = arg->role_db.num_objects;
32908+ inodev_set.i_size = arg->role_db.num_objects;
32909+
32910+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
32911+ !name_set.n_size || !inodev_set.i_size)
32912+ return 1;
32913+
32914+ if (!gr_init_uidset())
32915+ return 1;
32916+
32917+ /* set up the stack that holds allocation info */
32918+
32919+ stacksize = arg->role_db.num_pointers + 5;
32920+
32921+ if (!acl_alloc_stack_init(stacksize))
32922+ return 1;
32923+
32924+ /* grab reference for the real root dentry and vfsmount */
32925+ read_lock(&reaper->fs->lock);
32926+ real_root_mnt = mntget(reaper->fs->root.mnt);
32927+ real_root = dget(reaper->fs->root.dentry);
32928+ read_unlock(&reaper->fs->lock);
32929+
32930+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
32931+ if (fakefs_obj == NULL)
32932+ return 1;
32933+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
32934+
32935+ subj_map_set.s_hash =
32936+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
32937+ acl_role_set.r_hash =
32938+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
32939+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
32940+ inodev_set.i_hash =
32941+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
32942+
32943+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
32944+ !name_set.n_hash || !inodev_set.i_hash)
32945+ return 1;
32946+
32947+ memset(subj_map_set.s_hash, 0,
32948+ sizeof(struct subject_map *) * subj_map_set.s_size);
32949+ memset(acl_role_set.r_hash, 0,
32950+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
32951+ memset(name_set.n_hash, 0,
32952+ sizeof (struct name_entry *) * name_set.n_size);
32953+ memset(inodev_set.i_hash, 0,
32954+ sizeof (struct inodev_entry *) * inodev_set.i_size);
32955+
32956+ return 0;
32957+}
32958+
32959+/* free information not needed after startup
32960+ currently contains user->kernel pointer mappings for subjects
32961+*/
32962+
32963+static void
32964+free_init_variables(void)
32965+{
32966+ __u32 i;
32967+
32968+ if (subj_map_set.s_hash) {
32969+ for (i = 0; i < subj_map_set.s_size; i++) {
32970+ if (subj_map_set.s_hash[i]) {
32971+ kfree(subj_map_set.s_hash[i]);
32972+ subj_map_set.s_hash[i] = NULL;
32973+ }
32974+ }
32975+
32976+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
32977+ PAGE_SIZE)
32978+ kfree(subj_map_set.s_hash);
32979+ else
32980+ vfree(subj_map_set.s_hash);
32981+ }
32982+
32983+ return;
32984+}
32985+
32986+static void
32987+free_variables(void)
32988+{
32989+ struct acl_subject_label *s;
32990+ struct acl_role_label *r;
32991+ struct task_struct *task, *task2;
32992+ unsigned int x;
32993+
32994+ gr_clear_learn_entries();
32995+
32996+ read_lock(&tasklist_lock);
32997+ do_each_thread(task2, task) {
32998+ task->acl_sp_role = 0;
32999+ task->acl_role_id = 0;
33000+ task->acl = NULL;
33001+ task->role = NULL;
33002+ } while_each_thread(task2, task);
33003+ read_unlock(&tasklist_lock);
33004+
33005+ /* release the reference to the real root dentry and vfsmount */
33006+ if (real_root)
33007+ dput(real_root);
33008+ real_root = NULL;
33009+ if (real_root_mnt)
33010+ mntput(real_root_mnt);
33011+ real_root_mnt = NULL;
33012+
33013+ /* free all object hash tables */
33014+
33015+ FOR_EACH_ROLE_START(r)
33016+ if (r->subj_hash == NULL)
33017+ goto next_role;
33018+ FOR_EACH_SUBJECT_START(r, s, x)
33019+ if (s->obj_hash == NULL)
33020+ break;
33021+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33022+ kfree(s->obj_hash);
33023+ else
33024+ vfree(s->obj_hash);
33025+ FOR_EACH_SUBJECT_END(s, x)
33026+ FOR_EACH_NESTED_SUBJECT_START(r, s)
33027+ if (s->obj_hash == NULL)
33028+ break;
33029+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33030+ kfree(s->obj_hash);
33031+ else
33032+ vfree(s->obj_hash);
33033+ FOR_EACH_NESTED_SUBJECT_END(s)
33034+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
33035+ kfree(r->subj_hash);
33036+ else
33037+ vfree(r->subj_hash);
33038+ r->subj_hash = NULL;
33039+next_role:
33040+ FOR_EACH_ROLE_END(r)
33041+
33042+ acl_free_all();
33043+
33044+ if (acl_role_set.r_hash) {
33045+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
33046+ PAGE_SIZE)
33047+ kfree(acl_role_set.r_hash);
33048+ else
33049+ vfree(acl_role_set.r_hash);
33050+ }
33051+ if (name_set.n_hash) {
33052+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
33053+ PAGE_SIZE)
33054+ kfree(name_set.n_hash);
33055+ else
33056+ vfree(name_set.n_hash);
33057+ }
33058+
33059+ if (inodev_set.i_hash) {
33060+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
33061+ PAGE_SIZE)
33062+ kfree(inodev_set.i_hash);
33063+ else
33064+ vfree(inodev_set.i_hash);
33065+ }
33066+
33067+ gr_free_uidset();
33068+
33069+ memset(&name_set, 0, sizeof (struct name_db));
33070+ memset(&inodev_set, 0, sizeof (struct inodev_db));
33071+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
33072+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
33073+
33074+ default_role = NULL;
33075+ role_list = NULL;
33076+
33077+ return;
33078+}
33079+
33080+static __u32
33081+count_user_objs(struct acl_object_label *userp)
33082+{
33083+ struct acl_object_label o_tmp;
33084+ __u32 num = 0;
33085+
33086+ while (userp) {
33087+ if (copy_from_user(&o_tmp, userp,
33088+ sizeof (struct acl_object_label)))
33089+ break;
33090+
33091+ userp = o_tmp.prev;
33092+ num++;
33093+ }
33094+
33095+ return num;
33096+}
33097+
33098+static struct acl_subject_label *
33099+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
33100+
33101+static int
33102+copy_user_glob(struct acl_object_label *obj)
33103+{
33104+ struct acl_object_label *g_tmp, **guser;
33105+ unsigned int len;
33106+ char *tmp;
33107+
33108+ if (obj->globbed == NULL)
33109+ return 0;
33110+
33111+ guser = &obj->globbed;
33112+ while (*guser) {
33113+ g_tmp = (struct acl_object_label *)
33114+ acl_alloc(sizeof (struct acl_object_label));
33115+ if (g_tmp == NULL)
33116+ return -ENOMEM;
33117+
33118+ if (copy_from_user(g_tmp, *guser,
33119+ sizeof (struct acl_object_label)))
33120+ return -EFAULT;
33121+
33122+ len = strnlen_user(g_tmp->filename, PATH_MAX);
33123+
33124+ if (!len || len >= PATH_MAX)
33125+ return -EINVAL;
33126+
33127+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33128+ return -ENOMEM;
33129+
33130+ if (copy_from_user(tmp, g_tmp->filename, len))
33131+ return -EFAULT;
33132+ tmp[len-1] = '\0';
33133+ g_tmp->filename = tmp;
33134+
33135+ *guser = g_tmp;
33136+ guser = &(g_tmp->next);
33137+ }
33138+
33139+ return 0;
33140+}
33141+
33142+static int
33143+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
33144+ struct acl_role_label *role)
33145+{
33146+ struct acl_object_label *o_tmp;
33147+ unsigned int len;
33148+ int ret;
33149+ char *tmp;
33150+
33151+ while (userp) {
33152+ if ((o_tmp = (struct acl_object_label *)
33153+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
33154+ return -ENOMEM;
33155+
33156+ if (copy_from_user(o_tmp, userp,
33157+ sizeof (struct acl_object_label)))
33158+ return -EFAULT;
33159+
33160+ userp = o_tmp->prev;
33161+
33162+ len = strnlen_user(o_tmp->filename, PATH_MAX);
33163+
33164+ if (!len || len >= PATH_MAX)
33165+ return -EINVAL;
33166+
33167+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33168+ return -ENOMEM;
33169+
33170+ if (copy_from_user(tmp, o_tmp->filename, len))
33171+ return -EFAULT;
33172+ tmp[len-1] = '\0';
33173+ o_tmp->filename = tmp;
33174+
33175+ insert_acl_obj_label(o_tmp, subj);
33176+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
33177+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
33178+ return -ENOMEM;
33179+
33180+ ret = copy_user_glob(o_tmp);
33181+ if (ret)
33182+ return ret;
33183+
33184+ if (o_tmp->nested) {
33185+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
33186+ if (IS_ERR(o_tmp->nested))
33187+ return PTR_ERR(o_tmp->nested);
33188+
33189+ /* insert into nested subject list */
33190+ o_tmp->nested->next = role->hash->first;
33191+ role->hash->first = o_tmp->nested;
33192+ }
33193+ }
33194+
33195+ return 0;
33196+}
33197+
33198+static __u32
33199+count_user_subjs(struct acl_subject_label *userp)
33200+{
33201+ struct acl_subject_label s_tmp;
33202+ __u32 num = 0;
33203+
33204+ while (userp) {
33205+ if (copy_from_user(&s_tmp, userp,
33206+ sizeof (struct acl_subject_label)))
33207+ break;
33208+
33209+ userp = s_tmp.prev;
33210+ /* do not count nested subjects against this count, since
33211+ they are not included in the hash table, but are
33212+ attached to objects. We have already counted
33213+ the subjects in userspace for the allocation
33214+ stack
33215+ */
33216+ if (!(s_tmp.mode & GR_NESTED))
33217+ num++;
33218+ }
33219+
33220+ return num;
33221+}
33222+
33223+static int
33224+copy_user_allowedips(struct acl_role_label *rolep)
33225+{
33226+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
33227+
33228+ ruserip = rolep->allowed_ips;
33229+
33230+ while (ruserip) {
33231+ rlast = rtmp;
33232+
33233+ if ((rtmp = (struct role_allowed_ip *)
33234+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
33235+ return -ENOMEM;
33236+
33237+ if (copy_from_user(rtmp, ruserip,
33238+ sizeof (struct role_allowed_ip)))
33239+ return -EFAULT;
33240+
33241+ ruserip = rtmp->prev;
33242+
33243+ if (!rlast) {
33244+ rtmp->prev = NULL;
33245+ rolep->allowed_ips = rtmp;
33246+ } else {
33247+ rlast->next = rtmp;
33248+ rtmp->prev = rlast;
33249+ }
33250+
33251+ if (!ruserip)
33252+ rtmp->next = NULL;
33253+ }
33254+
33255+ return 0;
33256+}
33257+
33258+static int
33259+copy_user_transitions(struct acl_role_label *rolep)
33260+{
33261+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
33262+
33263+ unsigned int len;
33264+ char *tmp;
33265+
33266+ rusertp = rolep->transitions;
33267+
33268+ while (rusertp) {
33269+ rlast = rtmp;
33270+
33271+ if ((rtmp = (struct role_transition *)
33272+ acl_alloc(sizeof (struct role_transition))) == NULL)
33273+ return -ENOMEM;
33274+
33275+ if (copy_from_user(rtmp, rusertp,
33276+ sizeof (struct role_transition)))
33277+ return -EFAULT;
33278+
33279+ rusertp = rtmp->prev;
33280+
33281+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
33282+
33283+ if (!len || len >= GR_SPROLE_LEN)
33284+ return -EINVAL;
33285+
33286+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33287+ return -ENOMEM;
33288+
33289+ if (copy_from_user(tmp, rtmp->rolename, len))
33290+ return -EFAULT;
33291+ tmp[len-1] = '\0';
33292+ rtmp->rolename = tmp;
33293+
33294+ if (!rlast) {
33295+ rtmp->prev = NULL;
33296+ rolep->transitions = rtmp;
33297+ } else {
33298+ rlast->next = rtmp;
33299+ rtmp->prev = rlast;
33300+ }
33301+
33302+ if (!rusertp)
33303+ rtmp->next = NULL;
33304+ }
33305+
33306+ return 0;
33307+}
33308+
33309+static struct acl_subject_label *
33310+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
33311+{
33312+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
33313+ unsigned int len;
33314+ char *tmp;
33315+ __u32 num_objs;
33316+ struct acl_ip_label **i_tmp, *i_utmp2;
33317+ struct gr_hash_struct ghash;
33318+ struct subject_map *subjmap;
33319+ unsigned int i_num;
33320+ int err;
33321+
33322+ s_tmp = lookup_subject_map(userp);
33323+
33324+ /* we've already copied this subject into the kernel, just return
33325+ the reference to it, and don't copy it over again
33326+ */
33327+ if (s_tmp)
33328+ return(s_tmp);
33329+
33330+ if ((s_tmp = (struct acl_subject_label *)
33331+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
33332+ return ERR_PTR(-ENOMEM);
33333+
33334+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
33335+ if (subjmap == NULL)
33336+ return ERR_PTR(-ENOMEM);
33337+
33338+ subjmap->user = userp;
33339+ subjmap->kernel = s_tmp;
33340+ insert_subj_map_entry(subjmap);
33341+
33342+ if (copy_from_user(s_tmp, userp,
33343+ sizeof (struct acl_subject_label)))
33344+ return ERR_PTR(-EFAULT);
33345+
33346+ len = strnlen_user(s_tmp->filename, PATH_MAX);
33347+
33348+ if (!len || len >= PATH_MAX)
33349+ return ERR_PTR(-EINVAL);
33350+
33351+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33352+ return ERR_PTR(-ENOMEM);
33353+
33354+ if (copy_from_user(tmp, s_tmp->filename, len))
33355+ return ERR_PTR(-EFAULT);
33356+ tmp[len-1] = '\0';
33357+ s_tmp->filename = tmp;
33358+
33359+ if (!strcmp(s_tmp->filename, "/"))
33360+ role->root_label = s_tmp;
33361+
33362+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
33363+ return ERR_PTR(-EFAULT);
33364+
33365+ /* copy user and group transition tables */
33366+
33367+ if (s_tmp->user_trans_num) {
33368+ uid_t *uidlist;
33369+
33370+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
33371+ if (uidlist == NULL)
33372+ return ERR_PTR(-ENOMEM);
33373+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
33374+ return ERR_PTR(-EFAULT);
33375+
33376+ s_tmp->user_transitions = uidlist;
33377+ }
33378+
33379+ if (s_tmp->group_trans_num) {
33380+ gid_t *gidlist;
33381+
33382+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
33383+ if (gidlist == NULL)
33384+ return ERR_PTR(-ENOMEM);
33385+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
33386+ return ERR_PTR(-EFAULT);
33387+
33388+ s_tmp->group_transitions = gidlist;
33389+ }
33390+
33391+ /* set up object hash table */
33392+ num_objs = count_user_objs(ghash.first);
33393+
33394+ s_tmp->obj_hash_size = num_objs;
33395+ s_tmp->obj_hash =
33396+ (struct acl_object_label **)
33397+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
33398+
33399+ if (!s_tmp->obj_hash)
33400+ return ERR_PTR(-ENOMEM);
33401+
33402+ memset(s_tmp->obj_hash, 0,
33403+ s_tmp->obj_hash_size *
33404+ sizeof (struct acl_object_label *));
33405+
33406+ /* add in objects */
33407+ err = copy_user_objs(ghash.first, s_tmp, role);
33408+
33409+ if (err)
33410+ return ERR_PTR(err);
33411+
33412+ /* set pointer for parent subject */
33413+ if (s_tmp->parent_subject) {
33414+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
33415+
33416+ if (IS_ERR(s_tmp2))
33417+ return s_tmp2;
33418+
33419+ s_tmp->parent_subject = s_tmp2;
33420+ }
33421+
33422+ /* add in ip acls */
33423+
33424+ if (!s_tmp->ip_num) {
33425+ s_tmp->ips = NULL;
33426+ goto insert;
33427+ }
33428+
33429+ i_tmp =
33430+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
33431+ sizeof (struct acl_ip_label *));
33432+
33433+ if (!i_tmp)
33434+ return ERR_PTR(-ENOMEM);
33435+
33436+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
33437+ *(i_tmp + i_num) =
33438+ (struct acl_ip_label *)
33439+ acl_alloc(sizeof (struct acl_ip_label));
33440+ if (!*(i_tmp + i_num))
33441+ return ERR_PTR(-ENOMEM);
33442+
33443+ if (copy_from_user
33444+ (&i_utmp2, s_tmp->ips + i_num,
33445+ sizeof (struct acl_ip_label *)))
33446+ return ERR_PTR(-EFAULT);
33447+
33448+ if (copy_from_user
33449+ (*(i_tmp + i_num), i_utmp2,
33450+ sizeof (struct acl_ip_label)))
33451+ return ERR_PTR(-EFAULT);
33452+
33453+ if ((*(i_tmp + i_num))->iface == NULL)
33454+ continue;
33455+
33456+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
33457+ if (!len || len >= IFNAMSIZ)
33458+ return ERR_PTR(-EINVAL);
33459+ tmp = acl_alloc(len);
33460+ if (tmp == NULL)
33461+ return ERR_PTR(-ENOMEM);
33462+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
33463+ return ERR_PTR(-EFAULT);
33464+ (*(i_tmp + i_num))->iface = tmp;
33465+ }
33466+
33467+ s_tmp->ips = i_tmp;
33468+
33469+insert:
33470+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
33471+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
33472+ return ERR_PTR(-ENOMEM);
33473+
33474+ return s_tmp;
33475+}
33476+
33477+static int
33478+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
33479+{
33480+ struct acl_subject_label s_pre;
33481+ struct acl_subject_label * ret;
33482+ int err;
33483+
33484+ while (userp) {
33485+ if (copy_from_user(&s_pre, userp,
33486+ sizeof (struct acl_subject_label)))
33487+ return -EFAULT;
33488+
33489+ /* do not add nested subjects here, add
33490+ while parsing objects
33491+ */
33492+
33493+ if (s_pre.mode & GR_NESTED) {
33494+ userp = s_pre.prev;
33495+ continue;
33496+ }
33497+
33498+ ret = do_copy_user_subj(userp, role);
33499+
33500+ err = PTR_ERR(ret);
33501+ if (IS_ERR(ret))
33502+ return err;
33503+
33504+ insert_acl_subj_label(ret, role);
33505+
33506+ userp = s_pre.prev;
33507+ }
33508+
33509+ return 0;
33510+}
33511+
33512+static int
33513+copy_user_acl(struct gr_arg *arg)
33514+{
33515+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
33516+ struct sprole_pw *sptmp;
33517+ struct gr_hash_struct *ghash;
33518+ uid_t *domainlist;
33519+ unsigned int r_num;
33520+ unsigned int len;
33521+ char *tmp;
33522+ int err = 0;
33523+ __u16 i;
33524+ __u32 num_subjs;
33525+
33526+ /* we need a default and kernel role */
33527+ if (arg->role_db.num_roles < 2)
33528+ return -EINVAL;
33529+
33530+ /* copy special role authentication info from userspace */
33531+
33532+ num_sprole_pws = arg->num_sprole_pws;
33533+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
33534+
33535+ if (!acl_special_roles) {
33536+ err = -ENOMEM;
33537+ goto cleanup;
33538+ }
33539+
33540+ for (i = 0; i < num_sprole_pws; i++) {
33541+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
33542+ if (!sptmp) {
33543+ err = -ENOMEM;
33544+ goto cleanup;
33545+ }
33546+ if (copy_from_user(sptmp, arg->sprole_pws + i,
33547+ sizeof (struct sprole_pw))) {
33548+ err = -EFAULT;
33549+ goto cleanup;
33550+ }
33551+
33552+ len =
33553+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
33554+
33555+ if (!len || len >= GR_SPROLE_LEN) {
33556+ err = -EINVAL;
33557+ goto cleanup;
33558+ }
33559+
33560+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
33561+ err = -ENOMEM;
33562+ goto cleanup;
33563+ }
33564+
33565+ if (copy_from_user(tmp, sptmp->rolename, len)) {
33566+ err = -EFAULT;
33567+ goto cleanup;
33568+ }
33569+ tmp[len-1] = '\0';
33570+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
33571+ printk(KERN_ALERT "Copying special role %s\n", tmp);
33572+#endif
33573+ sptmp->rolename = tmp;
33574+ acl_special_roles[i] = sptmp;
33575+ }
33576+
33577+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
33578+
33579+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
33580+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
33581+
33582+ if (!r_tmp) {
33583+ err = -ENOMEM;
33584+ goto cleanup;
33585+ }
33586+
33587+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
33588+ sizeof (struct acl_role_label *))) {
33589+ err = -EFAULT;
33590+ goto cleanup;
33591+ }
33592+
33593+ if (copy_from_user(r_tmp, r_utmp2,
33594+ sizeof (struct acl_role_label))) {
33595+ err = -EFAULT;
33596+ goto cleanup;
33597+ }
33598+
33599+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
33600+
33601+ if (!len || len >= PATH_MAX) {
33602+ err = -EINVAL;
33603+ goto cleanup;
33604+ }
33605+
33606+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
33607+ err = -ENOMEM;
33608+ goto cleanup;
33609+ }
33610+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
33611+ err = -EFAULT;
33612+ goto cleanup;
33613+ }
33614+ tmp[len-1] = '\0';
33615+ r_tmp->rolename = tmp;
33616+
33617+ if (!strcmp(r_tmp->rolename, "default")
33618+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
33619+ default_role = r_tmp;
33620+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
33621+ kernel_role = r_tmp;
33622+ }
33623+
33624+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
33625+ err = -ENOMEM;
33626+ goto cleanup;
33627+ }
33628+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
33629+ err = -EFAULT;
33630+ goto cleanup;
33631+ }
33632+
33633+ r_tmp->hash = ghash;
33634+
33635+ num_subjs = count_user_subjs(r_tmp->hash->first);
33636+
33637+ r_tmp->subj_hash_size = num_subjs;
33638+ r_tmp->subj_hash =
33639+ (struct acl_subject_label **)
33640+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
33641+
33642+ if (!r_tmp->subj_hash) {
33643+ err = -ENOMEM;
33644+ goto cleanup;
33645+ }
33646+
33647+ err = copy_user_allowedips(r_tmp);
33648+ if (err)
33649+ goto cleanup;
33650+
33651+ /* copy domain info */
33652+ if (r_tmp->domain_children != NULL) {
33653+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
33654+ if (domainlist == NULL) {
33655+ err = -ENOMEM;
33656+ goto cleanup;
33657+ }
33658+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
33659+ err = -EFAULT;
33660+ goto cleanup;
33661+ }
33662+ r_tmp->domain_children = domainlist;
33663+ }
33664+
33665+ err = copy_user_transitions(r_tmp);
33666+ if (err)
33667+ goto cleanup;
33668+
33669+ memset(r_tmp->subj_hash, 0,
33670+ r_tmp->subj_hash_size *
33671+ sizeof (struct acl_subject_label *));
33672+
33673+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
33674+
33675+ if (err)
33676+ goto cleanup;
33677+
33678+ /* set nested subject list to null */
33679+ r_tmp->hash->first = NULL;
33680+
33681+ insert_acl_role_label(r_tmp);
33682+ }
33683+
33684+ goto return_err;
33685+ cleanup:
33686+ free_variables();
33687+ return_err:
33688+ return err;
33689+
33690+}
33691+
33692+static int
33693+gracl_init(struct gr_arg *args)
33694+{
33695+ int error = 0;
33696+
33697+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
33698+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
33699+
33700+ if (init_variables(args)) {
33701+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
33702+ error = -ENOMEM;
33703+ free_variables();
33704+ goto out;
33705+ }
33706+
33707+ error = copy_user_acl(args);
33708+ free_init_variables();
33709+ if (error) {
33710+ free_variables();
33711+ goto out;
33712+ }
33713+
33714+ if ((error = gr_set_acls(0))) {
33715+ free_variables();
33716+ goto out;
33717+ }
33718+
33719+ pax_open_kernel();
33720+ gr_status |= GR_READY;
33721+ pax_close_kernel();
33722+
33723+ out:
33724+ return error;
33725+}
33726+
33727+/* derived from glibc fnmatch() 0: match, 1: no match*/
33728+
33729+static int
33730+glob_match(const char *p, const char *n)
33731+{
33732+ char c;
33733+
33734+ while ((c = *p++) != '\0') {
33735+ switch (c) {
33736+ case '?':
33737+ if (*n == '\0')
33738+ return 1;
33739+ else if (*n == '/')
33740+ return 1;
33741+ break;
33742+ case '\\':
33743+ if (*n != c)
33744+ return 1;
33745+ break;
33746+ case '*':
33747+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
33748+ if (*n == '/')
33749+ return 1;
33750+ else if (c == '?') {
33751+ if (*n == '\0')
33752+ return 1;
33753+ else
33754+ ++n;
33755+ }
33756+ }
33757+ if (c == '\0') {
33758+ return 0;
33759+ } else {
33760+ const char *endp;
33761+
33762+ if ((endp = strchr(n, '/')) == NULL)
33763+ endp = n + strlen(n);
33764+
33765+ if (c == '[') {
33766+ for (--p; n < endp; ++n)
33767+ if (!glob_match(p, n))
33768+ return 0;
33769+ } else if (c == '/') {
33770+ while (*n != '\0' && *n != '/')
33771+ ++n;
33772+ if (*n == '/' && !glob_match(p, n + 1))
33773+ return 0;
33774+ } else {
33775+ for (--p; n < endp; ++n)
33776+ if (*n == c && !glob_match(p, n))
33777+ return 0;
33778+ }
33779+
33780+ return 1;
33781+ }
33782+ case '[':
33783+ {
33784+ int not;
33785+ char cold;
33786+
33787+ if (*n == '\0' || *n == '/')
33788+ return 1;
33789+
33790+ not = (*p == '!' || *p == '^');
33791+ if (not)
33792+ ++p;
33793+
33794+ c = *p++;
33795+ for (;;) {
33796+ unsigned char fn = (unsigned char)*n;
33797+
33798+ if (c == '\0')
33799+ return 1;
33800+ else {
33801+ if (c == fn)
33802+ goto matched;
33803+ cold = c;
33804+ c = *p++;
33805+
33806+ if (c == '-' && *p != ']') {
33807+ unsigned char cend = *p++;
33808+
33809+ if (cend == '\0')
33810+ return 1;
33811+
33812+ if (cold <= fn && fn <= cend)
33813+ goto matched;
33814+
33815+ c = *p++;
33816+ }
33817+ }
33818+
33819+ if (c == ']')
33820+ break;
33821+ }
33822+ if (!not)
33823+ return 1;
33824+ break;
33825+ matched:
33826+ while (c != ']') {
33827+ if (c == '\0')
33828+ return 1;
33829+
33830+ c = *p++;
33831+ }
33832+ if (not)
33833+ return 1;
33834+ }
33835+ break;
33836+ default:
33837+ if (c != *n)
33838+ return 1;
33839+ }
33840+
33841+ ++n;
33842+ }
33843+
33844+ if (*n == '\0')
33845+ return 0;
33846+
33847+ if (*n == '/')
33848+ return 0;
33849+
33850+ return 1;
33851+}
33852+
33853+static struct acl_object_label *
33854+chk_glob_label(struct acl_object_label *globbed,
33855+ struct dentry *dentry, struct vfsmount *mnt, char **path)
33856+{
33857+ struct acl_object_label *tmp;
33858+
33859+ if (*path == NULL)
33860+ *path = gr_to_filename_nolock(dentry, mnt);
33861+
33862+ tmp = globbed;
33863+
33864+ while (tmp) {
33865+ if (!glob_match(tmp->filename, *path))
33866+ return tmp;
33867+ tmp = tmp->next;
33868+ }
33869+
33870+ return NULL;
33871+}
33872+
33873+static struct acl_object_label *
33874+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33875+ const ino_t curr_ino, const dev_t curr_dev,
33876+ const struct acl_subject_label *subj, char **path, const int checkglob)
33877+{
33878+ struct acl_subject_label *tmpsubj;
33879+ struct acl_object_label *retval;
33880+ struct acl_object_label *retval2;
33881+
33882+ tmpsubj = (struct acl_subject_label *) subj;
33883+ read_lock(&gr_inode_lock);
33884+ do {
33885+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
33886+ if (retval) {
33887+ if (checkglob && retval->globbed) {
33888+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
33889+ (struct vfsmount *)orig_mnt, path);
33890+ if (retval2)
33891+ retval = retval2;
33892+ }
33893+ break;
33894+ }
33895+ } while ((tmpsubj = tmpsubj->parent_subject));
33896+ read_unlock(&gr_inode_lock);
33897+
33898+ return retval;
33899+}
33900+
33901+static __inline__ struct acl_object_label *
33902+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33903+ const struct dentry *curr_dentry,
33904+ const struct acl_subject_label *subj, char **path, const int checkglob)
33905+{
33906+ return __full_lookup(orig_dentry, orig_mnt,
33907+ curr_dentry->d_inode->i_ino,
33908+ curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
33909+}
33910+
33911+static struct acl_object_label *
33912+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33913+ const struct acl_subject_label *subj, char *path, const int checkglob)
33914+{
33915+ struct dentry *dentry = (struct dentry *) l_dentry;
33916+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
33917+ struct acl_object_label *retval;
33918+
33919+ spin_lock(&dcache_lock);
33920+
33921+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
33922+ /* ignore Eric Biederman */
33923+ IS_PRIVATE(l_dentry->d_inode))) {
33924+ retval = fakefs_obj;
33925+ goto out;
33926+ }
33927+
33928+ for (;;) {
33929+ if (dentry == real_root && mnt == real_root_mnt)
33930+ break;
33931+
33932+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
33933+ if (mnt->mnt_parent == mnt)
33934+ break;
33935+
33936+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
33937+ if (retval != NULL)
33938+ goto out;
33939+
33940+ dentry = mnt->mnt_mountpoint;
33941+ mnt = mnt->mnt_parent;
33942+ continue;
33943+ }
33944+
33945+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
33946+ if (retval != NULL)
33947+ goto out;
33948+
33949+ dentry = dentry->d_parent;
33950+ }
33951+
33952+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
33953+
33954+ if (retval == NULL)
33955+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
33956+out:
33957+ spin_unlock(&dcache_lock);
33958+ return retval;
33959+}
33960+
33961+static __inline__ struct acl_object_label *
33962+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33963+ const struct acl_subject_label *subj)
33964+{
33965+ char *path = NULL;
33966+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
33967+}
33968+
33969+static __inline__ struct acl_object_label *
33970+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33971+ const struct acl_subject_label *subj)
33972+{
33973+ char *path = NULL;
33974+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
33975+}
33976+
33977+static __inline__ struct acl_object_label *
33978+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33979+ const struct acl_subject_label *subj, char *path)
33980+{
33981+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
33982+}
33983+
33984+static struct acl_subject_label *
33985+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33986+ const struct acl_role_label *role)
33987+{
33988+ struct dentry *dentry = (struct dentry *) l_dentry;
33989+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
33990+ struct acl_subject_label *retval;
33991+
33992+ spin_lock(&dcache_lock);
33993+
33994+ for (;;) {
33995+ if (dentry == real_root && mnt == real_root_mnt)
33996+ break;
33997+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
33998+ if (mnt->mnt_parent == mnt)
33999+ break;
34000+
34001+ read_lock(&gr_inode_lock);
34002+ retval =
34003+ lookup_acl_subj_label(dentry->d_inode->i_ino,
34004+ dentry->d_inode->i_sb->s_dev, role);
34005+ read_unlock(&gr_inode_lock);
34006+ if (retval != NULL)
34007+ goto out;
34008+
34009+ dentry = mnt->mnt_mountpoint;
34010+ mnt = mnt->mnt_parent;
34011+ continue;
34012+ }
34013+
34014+ read_lock(&gr_inode_lock);
34015+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34016+ dentry->d_inode->i_sb->s_dev, role);
34017+ read_unlock(&gr_inode_lock);
34018+ if (retval != NULL)
34019+ goto out;
34020+
34021+ dentry = dentry->d_parent;
34022+ }
34023+
34024+ read_lock(&gr_inode_lock);
34025+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34026+ dentry->d_inode->i_sb->s_dev, role);
34027+ read_unlock(&gr_inode_lock);
34028+
34029+ if (unlikely(retval == NULL)) {
34030+ read_lock(&gr_inode_lock);
34031+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
34032+ real_root->d_inode->i_sb->s_dev, role);
34033+ read_unlock(&gr_inode_lock);
34034+ }
34035+out:
34036+ spin_unlock(&dcache_lock);
34037+
34038+ return retval;
34039+}
34040+
34041+static void
34042+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
34043+{
34044+ struct task_struct *task = current;
34045+ const struct cred *cred = current_cred();
34046+
34047+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34048+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34049+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34050+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
34051+
34052+ return;
34053+}
34054+
34055+static void
34056+gr_log_learn_sysctl(const char *path, const __u32 mode)
34057+{
34058+ struct task_struct *task = current;
34059+ const struct cred *cred = current_cred();
34060+
34061+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34062+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34063+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34064+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
34065+
34066+ return;
34067+}
34068+
34069+static void
34070+gr_log_learn_id_change(const char type, const unsigned int real,
34071+ const unsigned int effective, const unsigned int fs)
34072+{
34073+ struct task_struct *task = current;
34074+ const struct cred *cred = current_cred();
34075+
34076+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
34077+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34078+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34079+ type, real, effective, fs, &task->signal->curr_ip);
34080+
34081+ return;
34082+}
34083+
34084+__u32
34085+gr_check_link(const struct dentry * new_dentry,
34086+ const struct dentry * parent_dentry,
34087+ const struct vfsmount * parent_mnt,
34088+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
34089+{
34090+ struct acl_object_label *obj;
34091+ __u32 oldmode, newmode;
34092+ __u32 needmode;
34093+
34094+ if (unlikely(!(gr_status & GR_READY)))
34095+ return (GR_CREATE | GR_LINK);
34096+
34097+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
34098+ oldmode = obj->mode;
34099+
34100+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34101+ oldmode |= (GR_CREATE | GR_LINK);
34102+
34103+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
34104+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34105+ needmode |= GR_SETID | GR_AUDIT_SETID;
34106+
34107+ newmode =
34108+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
34109+ oldmode | needmode);
34110+
34111+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
34112+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
34113+ GR_INHERIT | GR_AUDIT_INHERIT);
34114+
34115+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
34116+ goto bad;
34117+
34118+ if ((oldmode & needmode) != needmode)
34119+ goto bad;
34120+
34121+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
34122+ if ((newmode & needmode) != needmode)
34123+ goto bad;
34124+
34125+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
34126+ return newmode;
34127+bad:
34128+ needmode = oldmode;
34129+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34130+ needmode |= GR_SETID;
34131+
34132+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34133+ gr_log_learn(old_dentry, old_mnt, needmode);
34134+ return (GR_CREATE | GR_LINK);
34135+ } else if (newmode & GR_SUPPRESS)
34136+ return GR_SUPPRESS;
34137+ else
34138+ return 0;
34139+}
34140+
34141+__u32
34142+gr_search_file(const struct dentry * dentry, const __u32 mode,
34143+ const struct vfsmount * mnt)
34144+{
34145+ __u32 retval = mode;
34146+ struct acl_subject_label *curracl;
34147+ struct acl_object_label *currobj;
34148+
34149+ if (unlikely(!(gr_status & GR_READY)))
34150+ return (mode & ~GR_AUDITS);
34151+
34152+ curracl = current->acl;
34153+
34154+ currobj = chk_obj_label(dentry, mnt, curracl);
34155+ retval = currobj->mode & mode;
34156+
34157+ if (unlikely
34158+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
34159+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
34160+ __u32 new_mode = mode;
34161+
34162+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34163+
34164+ retval = new_mode;
34165+
34166+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
34167+ new_mode |= GR_INHERIT;
34168+
34169+ if (!(mode & GR_NOLEARN))
34170+ gr_log_learn(dentry, mnt, new_mode);
34171+ }
34172+
34173+ return retval;
34174+}
34175+
34176+__u32
34177+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
34178+ const struct vfsmount * mnt, const __u32 mode)
34179+{
34180+ struct name_entry *match;
34181+ struct acl_object_label *matchpo;
34182+ struct acl_subject_label *curracl;
34183+ char *path;
34184+ __u32 retval;
34185+
34186+ if (unlikely(!(gr_status & GR_READY)))
34187+ return (mode & ~GR_AUDITS);
34188+
34189+ preempt_disable();
34190+ path = gr_to_filename_rbac(new_dentry, mnt);
34191+ match = lookup_name_entry_create(path);
34192+
34193+ if (!match)
34194+ goto check_parent;
34195+
34196+ curracl = current->acl;
34197+
34198+ read_lock(&gr_inode_lock);
34199+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
34200+ read_unlock(&gr_inode_lock);
34201+
34202+ if (matchpo) {
34203+ if ((matchpo->mode & mode) !=
34204+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
34205+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34206+ __u32 new_mode = mode;
34207+
34208+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34209+
34210+ gr_log_learn(new_dentry, mnt, new_mode);
34211+
34212+ preempt_enable();
34213+ return new_mode;
34214+ }
34215+ preempt_enable();
34216+ return (matchpo->mode & mode);
34217+ }
34218+
34219+ check_parent:
34220+ curracl = current->acl;
34221+
34222+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
34223+ retval = matchpo->mode & mode;
34224+
34225+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
34226+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
34227+ __u32 new_mode = mode;
34228+
34229+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34230+
34231+ gr_log_learn(new_dentry, mnt, new_mode);
34232+ preempt_enable();
34233+ return new_mode;
34234+ }
34235+
34236+ preempt_enable();
34237+ return retval;
34238+}
34239+
34240+int
34241+gr_check_hidden_task(const struct task_struct *task)
34242+{
34243+ if (unlikely(!(gr_status & GR_READY)))
34244+ return 0;
34245+
34246+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
34247+ return 1;
34248+
34249+ return 0;
34250+}
34251+
34252+int
34253+gr_check_protected_task(const struct task_struct *task)
34254+{
34255+ if (unlikely(!(gr_status & GR_READY) || !task))
34256+ return 0;
34257+
34258+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
34259+ task->acl != current->acl)
34260+ return 1;
34261+
34262+ return 0;
34263+}
34264+
34265+void
34266+gr_copy_label(struct task_struct *tsk)
34267+{
34268+ tsk->signal->used_accept = 0;
34269+ tsk->acl_sp_role = 0;
34270+ tsk->acl_role_id = current->acl_role_id;
34271+ tsk->acl = current->acl;
34272+ tsk->role = current->role;
34273+ tsk->signal->curr_ip = current->signal->curr_ip;
34274+ if (current->exec_file)
34275+ get_file(current->exec_file);
34276+ tsk->exec_file = current->exec_file;
34277+ tsk->is_writable = current->is_writable;
34278+ if (unlikely(current->signal->used_accept))
34279+ current->signal->curr_ip = 0;
34280+
34281+ return;
34282+}
34283+
34284+static void
34285+gr_set_proc_res(struct task_struct *task)
34286+{
34287+ struct acl_subject_label *proc;
34288+ unsigned short i;
34289+
34290+ proc = task->acl;
34291+
34292+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
34293+ return;
34294+
34295+ for (i = 0; i < RLIM_NLIMITS; i++) {
34296+ if (!(proc->resmask & (1 << i)))
34297+ continue;
34298+
34299+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
34300+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
34301+ }
34302+
34303+ return;
34304+}
34305+
34306+int
34307+gr_check_user_change(int real, int effective, int fs)
34308+{
34309+ unsigned int i;
34310+ __u16 num;
34311+ uid_t *uidlist;
34312+ int curuid;
34313+ int realok = 0;
34314+ int effectiveok = 0;
34315+ int fsok = 0;
34316+
34317+ if (unlikely(!(gr_status & GR_READY)))
34318+ return 0;
34319+
34320+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34321+ gr_log_learn_id_change('u', real, effective, fs);
34322+
34323+ num = current->acl->user_trans_num;
34324+ uidlist = current->acl->user_transitions;
34325+
34326+ if (uidlist == NULL)
34327+ return 0;
34328+
34329+ if (real == -1)
34330+ realok = 1;
34331+ if (effective == -1)
34332+ effectiveok = 1;
34333+ if (fs == -1)
34334+ fsok = 1;
34335+
34336+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
34337+ for (i = 0; i < num; i++) {
34338+ curuid = (int)uidlist[i];
34339+ if (real == curuid)
34340+ realok = 1;
34341+ if (effective == curuid)
34342+ effectiveok = 1;
34343+ if (fs == curuid)
34344+ fsok = 1;
34345+ }
34346+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
34347+ for (i = 0; i < num; i++) {
34348+ curuid = (int)uidlist[i];
34349+ if (real == curuid)
34350+ break;
34351+ if (effective == curuid)
34352+ break;
34353+ if (fs == curuid)
34354+ break;
34355+ }
34356+ /* not in deny list */
34357+ if (i == num) {
34358+ realok = 1;
34359+ effectiveok = 1;
34360+ fsok = 1;
34361+ }
34362+ }
34363+
34364+ if (realok && effectiveok && fsok)
34365+ return 0;
34366+ else {
34367+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34368+ return 1;
34369+ }
34370+}
34371+
34372+int
34373+gr_check_group_change(int real, int effective, int fs)
34374+{
34375+ unsigned int i;
34376+ __u16 num;
34377+ gid_t *gidlist;
34378+ int curgid;
34379+ int realok = 0;
34380+ int effectiveok = 0;
34381+ int fsok = 0;
34382+
34383+ if (unlikely(!(gr_status & GR_READY)))
34384+ return 0;
34385+
34386+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34387+ gr_log_learn_id_change('g', real, effective, fs);
34388+
34389+ num = current->acl->group_trans_num;
34390+ gidlist = current->acl->group_transitions;
34391+
34392+ if (gidlist == NULL)
34393+ return 0;
34394+
34395+ if (real == -1)
34396+ realok = 1;
34397+ if (effective == -1)
34398+ effectiveok = 1;
34399+ if (fs == -1)
34400+ fsok = 1;
34401+
34402+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
34403+ for (i = 0; i < num; i++) {
34404+ curgid = (int)gidlist[i];
34405+ if (real == curgid)
34406+ realok = 1;
34407+ if (effective == curgid)
34408+ effectiveok = 1;
34409+ if (fs == curgid)
34410+ fsok = 1;
34411+ }
34412+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
34413+ for (i = 0; i < num; i++) {
34414+ curgid = (int)gidlist[i];
34415+ if (real == curgid)
34416+ break;
34417+ if (effective == curgid)
34418+ break;
34419+ if (fs == curgid)
34420+ break;
34421+ }
34422+ /* not in deny list */
34423+ if (i == num) {
34424+ realok = 1;
34425+ effectiveok = 1;
34426+ fsok = 1;
34427+ }
34428+ }
34429+
34430+ if (realok && effectiveok && fsok)
34431+ return 0;
34432+ else {
34433+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34434+ return 1;
34435+ }
34436+}
34437+
34438+void
34439+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
34440+{
34441+ struct acl_role_label *role = task->role;
34442+ struct acl_subject_label *subj = NULL;
34443+ struct acl_object_label *obj;
34444+ struct file *filp;
34445+
34446+ if (unlikely(!(gr_status & GR_READY)))
34447+ return;
34448+
34449+ filp = task->exec_file;
34450+
34451+ /* kernel process, we'll give them the kernel role */
34452+ if (unlikely(!filp)) {
34453+ task->role = kernel_role;
34454+ task->acl = kernel_role->root_label;
34455+ return;
34456+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
34457+ role = lookup_acl_role_label(task, uid, gid);
34458+
34459+ /* perform subject lookup in possibly new role
34460+ we can use this result below in the case where role == task->role
34461+ */
34462+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
34463+
34464+ /* if we changed uid/gid, but result in the same role
34465+ and are using inheritance, don't lose the inherited subject
34466+ if current subject is other than what normal lookup
34467+ would result in, we arrived via inheritance, don't
34468+ lose subject
34469+ */
34470+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
34471+ (subj == task->acl)))
34472+ task->acl = subj;
34473+
34474+ task->role = role;
34475+
34476+ task->is_writable = 0;
34477+
34478+ /* ignore additional mmap checks for processes that are writable
34479+ by the default ACL */
34480+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34481+ if (unlikely(obj->mode & GR_WRITE))
34482+ task->is_writable = 1;
34483+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
34484+ if (unlikely(obj->mode & GR_WRITE))
34485+ task->is_writable = 1;
34486+
34487+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34488+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34489+#endif
34490+
34491+ gr_set_proc_res(task);
34492+
34493+ return;
34494+}
34495+
34496+int
34497+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
34498+ const int unsafe_share)
34499+{
34500+ struct task_struct *task = current;
34501+ struct acl_subject_label *newacl;
34502+ struct acl_object_label *obj;
34503+ __u32 retmode;
34504+
34505+ if (unlikely(!(gr_status & GR_READY)))
34506+ return 0;
34507+
34508+ newacl = chk_subj_label(dentry, mnt, task->role);
34509+
34510+ task_lock(task);
34511+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
34512+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
34513+ !(task->role->roletype & GR_ROLE_GOD) &&
34514+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
34515+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
34516+ task_unlock(task);
34517+ if (unsafe_share)
34518+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
34519+ else
34520+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
34521+ return -EACCES;
34522+ }
34523+ task_unlock(task);
34524+
34525+ obj = chk_obj_label(dentry, mnt, task->acl);
34526+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
34527+
34528+ if (!(task->acl->mode & GR_INHERITLEARN) &&
34529+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
34530+ if (obj->nested)
34531+ task->acl = obj->nested;
34532+ else
34533+ task->acl = newacl;
34534+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
34535+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
34536+
34537+ task->is_writable = 0;
34538+
34539+ /* ignore additional mmap checks for processes that are writable
34540+ by the default ACL */
34541+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
34542+ if (unlikely(obj->mode & GR_WRITE))
34543+ task->is_writable = 1;
34544+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
34545+ if (unlikely(obj->mode & GR_WRITE))
34546+ task->is_writable = 1;
34547+
34548+ gr_set_proc_res(task);
34549+
34550+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34551+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34552+#endif
34553+ return 0;
34554+}
34555+
34556+/* always called with valid inodev ptr */
34557+static void
34558+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
34559+{
34560+ struct acl_object_label *matchpo;
34561+ struct acl_subject_label *matchps;
34562+ struct acl_subject_label *subj;
34563+ struct acl_role_label *role;
34564+ unsigned int x;
34565+
34566+ FOR_EACH_ROLE_START(role)
34567+ FOR_EACH_SUBJECT_START(role, subj, x)
34568+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
34569+ matchpo->mode |= GR_DELETED;
34570+ FOR_EACH_SUBJECT_END(subj,x)
34571+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
34572+ if (subj->inode == ino && subj->device == dev)
34573+ subj->mode |= GR_DELETED;
34574+ FOR_EACH_NESTED_SUBJECT_END(subj)
34575+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
34576+ matchps->mode |= GR_DELETED;
34577+ FOR_EACH_ROLE_END(role)
34578+
34579+ inodev->nentry->deleted = 1;
34580+
34581+ return;
34582+}
34583+
34584+void
34585+gr_handle_delete(const ino_t ino, const dev_t dev)
34586+{
34587+ struct inodev_entry *inodev;
34588+
34589+ if (unlikely(!(gr_status & GR_READY)))
34590+ return;
34591+
34592+ write_lock(&gr_inode_lock);
34593+ inodev = lookup_inodev_entry(ino, dev);
34594+ if (inodev != NULL)
34595+ do_handle_delete(inodev, ino, dev);
34596+ write_unlock(&gr_inode_lock);
34597+
34598+ return;
34599+}
34600+
34601+static void
34602+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
34603+ const ino_t newinode, const dev_t newdevice,
34604+ struct acl_subject_label *subj)
34605+{
34606+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
34607+ struct acl_object_label *match;
34608+
34609+ match = subj->obj_hash[index];
34610+
34611+ while (match && (match->inode != oldinode ||
34612+ match->device != olddevice ||
34613+ !(match->mode & GR_DELETED)))
34614+ match = match->next;
34615+
34616+ if (match && (match->inode == oldinode)
34617+ && (match->device == olddevice)
34618+ && (match->mode & GR_DELETED)) {
34619+ if (match->prev == NULL) {
34620+ subj->obj_hash[index] = match->next;
34621+ if (match->next != NULL)
34622+ match->next->prev = NULL;
34623+ } else {
34624+ match->prev->next = match->next;
34625+ if (match->next != NULL)
34626+ match->next->prev = match->prev;
34627+ }
34628+ match->prev = NULL;
34629+ match->next = NULL;
34630+ match->inode = newinode;
34631+ match->device = newdevice;
34632+ match->mode &= ~GR_DELETED;
34633+
34634+ insert_acl_obj_label(match, subj);
34635+ }
34636+
34637+ return;
34638+}
34639+
34640+static void
34641+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
34642+ const ino_t newinode, const dev_t newdevice,
34643+ struct acl_role_label *role)
34644+{
34645+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
34646+ struct acl_subject_label *match;
34647+
34648+ match = role->subj_hash[index];
34649+
34650+ while (match && (match->inode != oldinode ||
34651+ match->device != olddevice ||
34652+ !(match->mode & GR_DELETED)))
34653+ match = match->next;
34654+
34655+ if (match && (match->inode == oldinode)
34656+ && (match->device == olddevice)
34657+ && (match->mode & GR_DELETED)) {
34658+ if (match->prev == NULL) {
34659+ role->subj_hash[index] = match->next;
34660+ if (match->next != NULL)
34661+ match->next->prev = NULL;
34662+ } else {
34663+ match->prev->next = match->next;
34664+ if (match->next != NULL)
34665+ match->next->prev = match->prev;
34666+ }
34667+ match->prev = NULL;
34668+ match->next = NULL;
34669+ match->inode = newinode;
34670+ match->device = newdevice;
34671+ match->mode &= ~GR_DELETED;
34672+
34673+ insert_acl_subj_label(match, role);
34674+ }
34675+
34676+ return;
34677+}
34678+
34679+static void
34680+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
34681+ const ino_t newinode, const dev_t newdevice)
34682+{
34683+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
34684+ struct inodev_entry *match;
34685+
34686+ match = inodev_set.i_hash[index];
34687+
34688+ while (match && (match->nentry->inode != oldinode ||
34689+ match->nentry->device != olddevice || !match->nentry->deleted))
34690+ match = match->next;
34691+
34692+ if (match && (match->nentry->inode == oldinode)
34693+ && (match->nentry->device == olddevice) &&
34694+ match->nentry->deleted) {
34695+ if (match->prev == NULL) {
34696+ inodev_set.i_hash[index] = match->next;
34697+ if (match->next != NULL)
34698+ match->next->prev = NULL;
34699+ } else {
34700+ match->prev->next = match->next;
34701+ if (match->next != NULL)
34702+ match->next->prev = match->prev;
34703+ }
34704+ match->prev = NULL;
34705+ match->next = NULL;
34706+ match->nentry->inode = newinode;
34707+ match->nentry->device = newdevice;
34708+ match->nentry->deleted = 0;
34709+
34710+ insert_inodev_entry(match);
34711+ }
34712+
34713+ return;
34714+}
34715+
34716+static void
34717+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
34718+ const struct vfsmount *mnt)
34719+{
34720+ struct acl_subject_label *subj;
34721+ struct acl_role_label *role;
34722+ unsigned int x;
34723+
34724+ FOR_EACH_ROLE_START(role)
34725+ update_acl_subj_label(matchn->inode, matchn->device,
34726+ dentry->d_inode->i_ino,
34727+ dentry->d_inode->i_sb->s_dev, role);
34728+
34729+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
34730+ if ((subj->inode == dentry->d_inode->i_ino) &&
34731+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
34732+ subj->inode = dentry->d_inode->i_ino;
34733+ subj->device = dentry->d_inode->i_sb->s_dev;
34734+ }
34735+ FOR_EACH_NESTED_SUBJECT_END(subj)
34736+ FOR_EACH_SUBJECT_START(role, subj, x)
34737+ update_acl_obj_label(matchn->inode, matchn->device,
34738+ dentry->d_inode->i_ino,
34739+ dentry->d_inode->i_sb->s_dev, subj);
34740+ FOR_EACH_SUBJECT_END(subj,x)
34741+ FOR_EACH_ROLE_END(role)
34742+
34743+ update_inodev_entry(matchn->inode, matchn->device,
34744+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
34745+
34746+ return;
34747+}
34748+
34749+void
34750+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
34751+{
34752+ struct name_entry *matchn;
34753+
34754+ if (unlikely(!(gr_status & GR_READY)))
34755+ return;
34756+
34757+ preempt_disable();
34758+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
34759+
34760+ if (unlikely((unsigned long)matchn)) {
34761+ write_lock(&gr_inode_lock);
34762+ do_handle_create(matchn, dentry, mnt);
34763+ write_unlock(&gr_inode_lock);
34764+ }
34765+ preempt_enable();
34766+
34767+ return;
34768+}
34769+
34770+void
34771+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
34772+ struct dentry *old_dentry,
34773+ struct dentry *new_dentry,
34774+ struct vfsmount *mnt, const __u8 replace)
34775+{
34776+ struct name_entry *matchn;
34777+ struct inodev_entry *inodev;
34778+
34779+ /* vfs_rename swaps the name and parent link for old_dentry and
34780+ new_dentry
34781+ at this point, old_dentry has the new name, parent link, and inode
34782+ for the renamed file
34783+ if a file is being replaced by a rename, new_dentry has the inode
34784+ and name for the replaced file
34785+ */
34786+
34787+ if (unlikely(!(gr_status & GR_READY)))
34788+ return;
34789+
34790+ preempt_disable();
34791+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
34792+
34793+ /* we wouldn't have to check d_inode if it weren't for
34794+ NFS silly-renaming
34795+ */
34796+
34797+ write_lock(&gr_inode_lock);
34798+ if (unlikely(replace && new_dentry->d_inode)) {
34799+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
34800+ new_dentry->d_inode->i_sb->s_dev);
34801+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
34802+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
34803+ new_dentry->d_inode->i_sb->s_dev);
34804+ }
34805+
34806+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
34807+ old_dentry->d_inode->i_sb->s_dev);
34808+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
34809+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
34810+ old_dentry->d_inode->i_sb->s_dev);
34811+
34812+ if (unlikely((unsigned long)matchn))
34813+ do_handle_create(matchn, old_dentry, mnt);
34814+
34815+ write_unlock(&gr_inode_lock);
34816+ preempt_enable();
34817+
34818+ return;
34819+}
34820+
34821+static int
34822+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
34823+ unsigned char **sum)
34824+{
34825+ struct acl_role_label *r;
34826+ struct role_allowed_ip *ipp;
34827+ struct role_transition *trans;
34828+ unsigned int i;
34829+ int found = 0;
34830+
34831+ /* check transition table */
34832+
34833+ for (trans = current->role->transitions; trans; trans = trans->next) {
34834+ if (!strcmp(rolename, trans->rolename)) {
34835+ found = 1;
34836+ break;
34837+ }
34838+ }
34839+
34840+ if (!found)
34841+ return 0;
34842+
34843+ /* handle special roles that do not require authentication
34844+ and check ip */
34845+
34846+ FOR_EACH_ROLE_START(r)
34847+ if (!strcmp(rolename, r->rolename) &&
34848+ (r->roletype & GR_ROLE_SPECIAL)) {
34849+ found = 0;
34850+ if (r->allowed_ips != NULL) {
34851+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
34852+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
34853+ (ntohl(ipp->addr) & ipp->netmask))
34854+ found = 1;
34855+ }
34856+ } else
34857+ found = 2;
34858+ if (!found)
34859+ return 0;
34860+
34861+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
34862+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
34863+ *salt = NULL;
34864+ *sum = NULL;
34865+ return 1;
34866+ }
34867+ }
34868+ FOR_EACH_ROLE_END(r)
34869+
34870+ for (i = 0; i < num_sprole_pws; i++) {
34871+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
34872+ *salt = acl_special_roles[i]->salt;
34873+ *sum = acl_special_roles[i]->sum;
34874+ return 1;
34875+ }
34876+ }
34877+
34878+ return 0;
34879+}
34880+
34881+static void
34882+assign_special_role(char *rolename)
34883+{
34884+ struct acl_object_label *obj;
34885+ struct acl_role_label *r;
34886+ struct acl_role_label *assigned = NULL;
34887+ struct task_struct *tsk;
34888+ struct file *filp;
34889+
34890+ FOR_EACH_ROLE_START(r)
34891+ if (!strcmp(rolename, r->rolename) &&
34892+ (r->roletype & GR_ROLE_SPECIAL)) {
34893+ assigned = r;
34894+ break;
34895+ }
34896+ FOR_EACH_ROLE_END(r)
34897+
34898+ if (!assigned)
34899+ return;
34900+
34901+ read_lock(&tasklist_lock);
34902+ read_lock(&grsec_exec_file_lock);
34903+
34904+ tsk = current->parent;
34905+ if (tsk == NULL)
34906+ goto out_unlock;
34907+
34908+ filp = tsk->exec_file;
34909+ if (filp == NULL)
34910+ goto out_unlock;
34911+
34912+ tsk->is_writable = 0;
34913+
34914+ tsk->acl_sp_role = 1;
34915+ tsk->acl_role_id = ++acl_sp_role_value;
34916+ tsk->role = assigned;
34917+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
34918+
34919+ /* ignore additional mmap checks for processes that are writable
34920+ by the default ACL */
34921+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34922+ if (unlikely(obj->mode & GR_WRITE))
34923+ tsk->is_writable = 1;
34924+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
34925+ if (unlikely(obj->mode & GR_WRITE))
34926+ tsk->is_writable = 1;
34927+
34928+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34929+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
34930+#endif
34931+
34932+out_unlock:
34933+ read_unlock(&grsec_exec_file_lock);
34934+ read_unlock(&tasklist_lock);
34935+ return;
34936+}
34937+
34938+int gr_check_secure_terminal(struct task_struct *task)
34939+{
34940+ struct task_struct *p, *p2, *p3;
34941+ struct files_struct *files;
34942+ struct fdtable *fdt;
34943+ struct file *our_file = NULL, *file;
34944+ int i;
34945+
34946+ if (task->signal->tty == NULL)
34947+ return 1;
34948+
34949+ files = get_files_struct(task);
34950+ if (files != NULL) {
34951+ rcu_read_lock();
34952+ fdt = files_fdtable(files);
34953+ for (i=0; i < fdt->max_fds; i++) {
34954+ file = fcheck_files(files, i);
34955+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
34956+ get_file(file);
34957+ our_file = file;
34958+ }
34959+ }
34960+ rcu_read_unlock();
34961+ put_files_struct(files);
34962+ }
34963+
34964+ if (our_file == NULL)
34965+ return 1;
34966+
34967+ read_lock(&tasklist_lock);
34968+ do_each_thread(p2, p) {
34969+ files = get_files_struct(p);
34970+ if (files == NULL ||
34971+ (p->signal && p->signal->tty == task->signal->tty)) {
34972+ if (files != NULL)
34973+ put_files_struct(files);
34974+ continue;
34975+ }
34976+ rcu_read_lock();
34977+ fdt = files_fdtable(files);
34978+ for (i=0; i < fdt->max_fds; i++) {
34979+ file = fcheck_files(files, i);
34980+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
34981+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
34982+ p3 = task;
34983+ while (p3->pid > 0) {
34984+ if (p3 == p)
34985+ break;
34986+ p3 = p3->parent;
34987+ }
34988+ if (p3 == p)
34989+ break;
34990+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
34991+ gr_handle_alertkill(p);
34992+ rcu_read_unlock();
34993+ put_files_struct(files);
34994+ read_unlock(&tasklist_lock);
34995+ fput(our_file);
34996+ return 0;
34997+ }
34998+ }
34999+ rcu_read_unlock();
35000+ put_files_struct(files);
35001+ } while_each_thread(p2, p);
35002+ read_unlock(&tasklist_lock);
35003+
35004+ fput(our_file);
35005+ return 1;
35006+}
35007+
35008+ssize_t
35009+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
35010+{
35011+ struct gr_arg_wrapper uwrap;
35012+ unsigned char *sprole_salt = NULL;
35013+ unsigned char *sprole_sum = NULL;
35014+ int error = sizeof (struct gr_arg_wrapper);
35015+ int error2 = 0;
35016+
35017+ down(&gr_dev_sem);
35018+
35019+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
35020+ error = -EPERM;
35021+ goto out;
35022+ }
35023+
35024+ if (count != sizeof (struct gr_arg_wrapper)) {
35025+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
35026+ error = -EINVAL;
35027+ goto out;
35028+ }
35029+
35030+
35031+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
35032+ gr_auth_expires = 0;
35033+ gr_auth_attempts = 0;
35034+ }
35035+
35036+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
35037+ error = -EFAULT;
35038+ goto out;
35039+ }
35040+
35041+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
35042+ error = -EINVAL;
35043+ goto out;
35044+ }
35045+
35046+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
35047+ error = -EFAULT;
35048+ goto out;
35049+ }
35050+
35051+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35052+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35053+ time_after(gr_auth_expires, get_seconds())) {
35054+ error = -EBUSY;
35055+ goto out;
35056+ }
35057+
35058+ /* if non-root trying to do anything other than use a special role,
35059+ do not attempt authentication, do not count towards authentication
35060+ locking
35061+ */
35062+
35063+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
35064+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35065+ current_uid()) {
35066+ error = -EPERM;
35067+ goto out;
35068+ }
35069+
35070+ /* ensure pw and special role name are null terminated */
35071+
35072+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
35073+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
35074+
35075+ /* Okay.
35076+ * We have our enough of the argument structure..(we have yet
35077+ * to copy_from_user the tables themselves) . Copy the tables
35078+ * only if we need them, i.e. for loading operations. */
35079+
35080+ switch (gr_usermode->mode) {
35081+ case GR_STATUS:
35082+ if (gr_status & GR_READY) {
35083+ error = 1;
35084+ if (!gr_check_secure_terminal(current))
35085+ error = 3;
35086+ } else
35087+ error = 2;
35088+ goto out;
35089+ case GR_SHUTDOWN:
35090+ if ((gr_status & GR_READY)
35091+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35092+ pax_open_kernel();
35093+ gr_status &= ~GR_READY;
35094+ pax_close_kernel();
35095+
35096+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
35097+ free_variables();
35098+ memset(gr_usermode, 0, sizeof (struct gr_arg));
35099+ memset(gr_system_salt, 0, GR_SALT_LEN);
35100+ memset(gr_system_sum, 0, GR_SHA_LEN);
35101+ } else if (gr_status & GR_READY) {
35102+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
35103+ error = -EPERM;
35104+ } else {
35105+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
35106+ error = -EAGAIN;
35107+ }
35108+ break;
35109+ case GR_ENABLE:
35110+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
35111+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
35112+ else {
35113+ if (gr_status & GR_READY)
35114+ error = -EAGAIN;
35115+ else
35116+ error = error2;
35117+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
35118+ }
35119+ break;
35120+ case GR_RELOAD:
35121+ if (!(gr_status & GR_READY)) {
35122+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
35123+ error = -EAGAIN;
35124+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35125+ lock_kernel();
35126+
35127+ pax_open_kernel();
35128+ gr_status &= ~GR_READY;
35129+ pax_close_kernel();
35130+
35131+ free_variables();
35132+ if (!(error2 = gracl_init(gr_usermode))) {
35133+ unlock_kernel();
35134+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
35135+ } else {
35136+ unlock_kernel();
35137+ error = error2;
35138+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35139+ }
35140+ } else {
35141+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35142+ error = -EPERM;
35143+ }
35144+ break;
35145+ case GR_SEGVMOD:
35146+ if (unlikely(!(gr_status & GR_READY))) {
35147+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
35148+ error = -EAGAIN;
35149+ break;
35150+ }
35151+
35152+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35153+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
35154+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
35155+ struct acl_subject_label *segvacl;
35156+ segvacl =
35157+ lookup_acl_subj_label(gr_usermode->segv_inode,
35158+ gr_usermode->segv_device,
35159+ current->role);
35160+ if (segvacl) {
35161+ segvacl->crashes = 0;
35162+ segvacl->expires = 0;
35163+ }
35164+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
35165+ gr_remove_uid(gr_usermode->segv_uid);
35166+ }
35167+ } else {
35168+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
35169+ error = -EPERM;
35170+ }
35171+ break;
35172+ case GR_SPROLE:
35173+ case GR_SPROLEPAM:
35174+ if (unlikely(!(gr_status & GR_READY))) {
35175+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
35176+ error = -EAGAIN;
35177+ break;
35178+ }
35179+
35180+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
35181+ current->role->expires = 0;
35182+ current->role->auth_attempts = 0;
35183+ }
35184+
35185+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35186+ time_after(current->role->expires, get_seconds())) {
35187+ error = -EBUSY;
35188+ goto out;
35189+ }
35190+
35191+ if (lookup_special_role_auth
35192+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
35193+ && ((!sprole_salt && !sprole_sum)
35194+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
35195+ char *p = "";
35196+ assign_special_role(gr_usermode->sp_role);
35197+ read_lock(&tasklist_lock);
35198+ if (current->parent)
35199+ p = current->parent->role->rolename;
35200+ read_unlock(&tasklist_lock);
35201+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
35202+ p, acl_sp_role_value);
35203+ } else {
35204+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
35205+ error = -EPERM;
35206+ if(!(current->role->auth_attempts++))
35207+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35208+
35209+ goto out;
35210+ }
35211+ break;
35212+ case GR_UNSPROLE:
35213+ if (unlikely(!(gr_status & GR_READY))) {
35214+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
35215+ error = -EAGAIN;
35216+ break;
35217+ }
35218+
35219+ if (current->role->roletype & GR_ROLE_SPECIAL) {
35220+ char *p = "";
35221+ int i = 0;
35222+
35223+ read_lock(&tasklist_lock);
35224+ if (current->parent) {
35225+ p = current->parent->role->rolename;
35226+ i = current->parent->acl_role_id;
35227+ }
35228+ read_unlock(&tasklist_lock);
35229+
35230+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
35231+ gr_set_acls(1);
35232+ } else {
35233+ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
35234+ error = -EPERM;
35235+ goto out;
35236+ }
35237+ break;
35238+ default:
35239+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
35240+ error = -EINVAL;
35241+ break;
35242+ }
35243+
35244+ if (error != -EPERM)
35245+ goto out;
35246+
35247+ if(!(gr_auth_attempts++))
35248+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35249+
35250+ out:
35251+ up(&gr_dev_sem);
35252+ return error;
35253+}
35254+
35255+int
35256+gr_set_acls(const int type)
35257+{
35258+ struct acl_object_label *obj;
35259+ struct task_struct *task, *task2;
35260+ struct file *filp;
35261+ struct acl_role_label *role = current->role;
35262+ __u16 acl_role_id = current->acl_role_id;
35263+ const struct cred *cred;
35264+ char *tmpname;
35265+ struct name_entry *nmatch;
35266+ struct acl_subject_label *tmpsubj;
35267+
35268+ rcu_read_lock();
35269+ read_lock(&tasklist_lock);
35270+ read_lock(&grsec_exec_file_lock);
35271+ do_each_thread(task2, task) {
35272+ /* check to see if we're called from the exit handler,
35273+ if so, only replace ACLs that have inherited the admin
35274+ ACL */
35275+
35276+ if (type && (task->role != role ||
35277+ task->acl_role_id != acl_role_id))
35278+ continue;
35279+
35280+ task->acl_role_id = 0;
35281+ task->acl_sp_role = 0;
35282+
35283+ if ((filp = task->exec_file)) {
35284+ cred = __task_cred(task);
35285+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
35286+
35287+ /* the following is to apply the correct subject
35288+ on binaries running when the RBAC system
35289+ is enabled, when the binaries have been
35290+ replaced or deleted since their execution
35291+ -----
35292+ when the RBAC system starts, the inode/dev
35293+ from exec_file will be one the RBAC system
35294+ is unaware of. It only knows the inode/dev
35295+ of the present file on disk, or the absence
35296+ of it.
35297+ */
35298+ preempt_disable();
35299+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
35300+
35301+ nmatch = lookup_name_entry(tmpname);
35302+ preempt_enable();
35303+ tmpsubj = NULL;
35304+ if (nmatch) {
35305+ if (nmatch->deleted)
35306+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
35307+ else
35308+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
35309+ if (tmpsubj != NULL)
35310+ task->acl = tmpsubj;
35311+ }
35312+ if (tmpsubj == NULL)
35313+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
35314+ task->role);
35315+ if (task->acl) {
35316+ struct acl_subject_label *curr;
35317+ curr = task->acl;
35318+
35319+ task->is_writable = 0;
35320+ /* ignore additional mmap checks for processes that are writable
35321+ by the default ACL */
35322+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35323+ if (unlikely(obj->mode & GR_WRITE))
35324+ task->is_writable = 1;
35325+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
35326+ if (unlikely(obj->mode & GR_WRITE))
35327+ task->is_writable = 1;
35328+
35329+ gr_set_proc_res(task);
35330+
35331+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35332+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
35333+#endif
35334+ } else {
35335+ read_unlock(&grsec_exec_file_lock);
35336+ read_unlock(&tasklist_lock);
35337+ rcu_read_unlock();
35338+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
35339+ return 1;
35340+ }
35341+ } else {
35342+ // it's a kernel process
35343+ task->role = kernel_role;
35344+ task->acl = kernel_role->root_label;
35345+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
35346+ task->acl->mode &= ~GR_PROCFIND;
35347+#endif
35348+ }
35349+ } while_each_thread(task2, task);
35350+ read_unlock(&grsec_exec_file_lock);
35351+ read_unlock(&tasklist_lock);
35352+ rcu_read_unlock();
35353+
35354+ return 0;
35355+}
35356+
35357+void
35358+gr_learn_resource(const struct task_struct *task,
35359+ const int res, const unsigned long wanted, const int gt)
35360+{
35361+ struct acl_subject_label *acl;
35362+ const struct cred *cred;
35363+
35364+ if (unlikely((gr_status & GR_READY) &&
35365+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
35366+ goto skip_reslog;
35367+
35368+#ifdef CONFIG_GRKERNSEC_RESLOG
35369+ gr_log_resource(task, res, wanted, gt);
35370+#endif
35371+ skip_reslog:
35372+
35373+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
35374+ return;
35375+
35376+ acl = task->acl;
35377+
35378+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
35379+ !(acl->resmask & (1 << (unsigned short) res))))
35380+ return;
35381+
35382+ if (wanted >= acl->res[res].rlim_cur) {
35383+ unsigned long res_add;
35384+
35385+ res_add = wanted;
35386+ switch (res) {
35387+ case RLIMIT_CPU:
35388+ res_add += GR_RLIM_CPU_BUMP;
35389+ break;
35390+ case RLIMIT_FSIZE:
35391+ res_add += GR_RLIM_FSIZE_BUMP;
35392+ break;
35393+ case RLIMIT_DATA:
35394+ res_add += GR_RLIM_DATA_BUMP;
35395+ break;
35396+ case RLIMIT_STACK:
35397+ res_add += GR_RLIM_STACK_BUMP;
35398+ break;
35399+ case RLIMIT_CORE:
35400+ res_add += GR_RLIM_CORE_BUMP;
35401+ break;
35402+ case RLIMIT_RSS:
35403+ res_add += GR_RLIM_RSS_BUMP;
35404+ break;
35405+ case RLIMIT_NPROC:
35406+ res_add += GR_RLIM_NPROC_BUMP;
35407+ break;
35408+ case RLIMIT_NOFILE:
35409+ res_add += GR_RLIM_NOFILE_BUMP;
35410+ break;
35411+ case RLIMIT_MEMLOCK:
35412+ res_add += GR_RLIM_MEMLOCK_BUMP;
35413+ break;
35414+ case RLIMIT_AS:
35415+ res_add += GR_RLIM_AS_BUMP;
35416+ break;
35417+ case RLIMIT_LOCKS:
35418+ res_add += GR_RLIM_LOCKS_BUMP;
35419+ break;
35420+ case RLIMIT_SIGPENDING:
35421+ res_add += GR_RLIM_SIGPENDING_BUMP;
35422+ break;
35423+ case RLIMIT_MSGQUEUE:
35424+ res_add += GR_RLIM_MSGQUEUE_BUMP;
35425+ break;
35426+ case RLIMIT_NICE:
35427+ res_add += GR_RLIM_NICE_BUMP;
35428+ break;
35429+ case RLIMIT_RTPRIO:
35430+ res_add += GR_RLIM_RTPRIO_BUMP;
35431+ break;
35432+ case RLIMIT_RTTIME:
35433+ res_add += GR_RLIM_RTTIME_BUMP;
35434+ break;
35435+ }
35436+
35437+ acl->res[res].rlim_cur = res_add;
35438+
35439+ if (wanted > acl->res[res].rlim_max)
35440+ acl->res[res].rlim_max = res_add;
35441+
35442+ /* only log the subject filename, since resource logging is supported for
35443+ single-subject learning only */
35444+ rcu_read_lock();
35445+ cred = __task_cred(task);
35446+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
35447+ task->role->roletype, cred->uid, cred->gid, acl->filename,
35448+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
35449+ "", (unsigned long) res, &task->signal->curr_ip);
35450+ rcu_read_unlock();
35451+ }
35452+
35453+ return;
35454+}
35455+
35456+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
35457+void
35458+pax_set_initial_flags(struct linux_binprm *bprm)
35459+{
35460+ struct task_struct *task = current;
35461+ struct acl_subject_label *proc;
35462+ unsigned long flags;
35463+
35464+ if (unlikely(!(gr_status & GR_READY)))
35465+ return;
35466+
35467+ flags = pax_get_flags(task);
35468+
35469+ proc = task->acl;
35470+
35471+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
35472+ flags &= ~MF_PAX_PAGEEXEC;
35473+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
35474+ flags &= ~MF_PAX_SEGMEXEC;
35475+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
35476+ flags &= ~MF_PAX_RANDMMAP;
35477+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
35478+ flags &= ~MF_PAX_EMUTRAMP;
35479+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
35480+ flags &= ~MF_PAX_MPROTECT;
35481+
35482+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
35483+ flags |= MF_PAX_PAGEEXEC;
35484+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
35485+ flags |= MF_PAX_SEGMEXEC;
35486+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
35487+ flags |= MF_PAX_RANDMMAP;
35488+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
35489+ flags |= MF_PAX_EMUTRAMP;
35490+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
35491+ flags |= MF_PAX_MPROTECT;
35492+
35493+ pax_set_flags(task, flags);
35494+
35495+ return;
35496+}
35497+#endif
35498+
35499+#ifdef CONFIG_SYSCTL
35500+/* Eric Biederman likes breaking userland ABI and every inode-based security
35501+ system to save 35kb of memory */
35502+
35503+/* we modify the passed in filename, but adjust it back before returning */
35504+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
35505+{
35506+ struct name_entry *nmatch;
35507+ char *p, *lastp = NULL;
35508+ struct acl_object_label *obj = NULL, *tmp;
35509+ struct acl_subject_label *tmpsubj;
35510+ char c = '\0';
35511+
35512+ read_lock(&gr_inode_lock);
35513+
35514+ p = name + len - 1;
35515+ do {
35516+ nmatch = lookup_name_entry(name);
35517+ if (lastp != NULL)
35518+ *lastp = c;
35519+
35520+ if (nmatch == NULL)
35521+ goto next_component;
35522+ tmpsubj = current->acl;
35523+ do {
35524+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
35525+ if (obj != NULL) {
35526+ tmp = obj->globbed;
35527+ while (tmp) {
35528+ if (!glob_match(tmp->filename, name)) {
35529+ obj = tmp;
35530+ goto found_obj;
35531+ }
35532+ tmp = tmp->next;
35533+ }
35534+ goto found_obj;
35535+ }
35536+ } while ((tmpsubj = tmpsubj->parent_subject));
35537+next_component:
35538+ /* end case */
35539+ if (p == name)
35540+ break;
35541+
35542+ while (*p != '/')
35543+ p--;
35544+ if (p == name)
35545+ lastp = p + 1;
35546+ else {
35547+ lastp = p;
35548+ p--;
35549+ }
35550+ c = *lastp;
35551+ *lastp = '\0';
35552+ } while (1);
35553+found_obj:
35554+ read_unlock(&gr_inode_lock);
35555+ /* obj returned will always be non-null */
35556+ return obj;
35557+}
35558+
35559+/* returns 0 when allowing, non-zero on error
35560+ op of 0 is used for readdir, so we don't log the names of hidden files
35561+*/
35562+__u32
35563+gr_handle_sysctl(const struct ctl_table *table, const int op)
35564+{
35565+ ctl_table *tmp;
35566+ const char *proc_sys = "/proc/sys";
35567+ char *path;
35568+ struct acl_object_label *obj;
35569+ unsigned short len = 0, pos = 0, depth = 0, i;
35570+ __u32 err = 0;
35571+ __u32 mode = 0;
35572+
35573+ if (unlikely(!(gr_status & GR_READY)))
35574+ return 0;
35575+
35576+ /* for now, ignore operations on non-sysctl entries if it's not a
35577+ readdir*/
35578+ if (table->child != NULL && op != 0)
35579+ return 0;
35580+
35581+ mode |= GR_FIND;
35582+ /* it's only a read if it's an entry, read on dirs is for readdir */
35583+ if (op & MAY_READ)
35584+ mode |= GR_READ;
35585+ if (op & MAY_WRITE)
35586+ mode |= GR_WRITE;
35587+
35588+ preempt_disable();
35589+
35590+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
35591+
35592+ /* it's only a read/write if it's an actual entry, not a dir
35593+ (which are opened for readdir)
35594+ */
35595+
35596+ /* convert the requested sysctl entry into a pathname */
35597+
35598+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35599+ len += strlen(tmp->procname);
35600+ len++;
35601+ depth++;
35602+ }
35603+
35604+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
35605+ /* deny */
35606+ goto out;
35607+ }
35608+
35609+ memset(path, 0, PAGE_SIZE);
35610+
35611+ memcpy(path, proc_sys, strlen(proc_sys));
35612+
35613+ pos += strlen(proc_sys);
35614+
35615+ for (; depth > 0; depth--) {
35616+ path[pos] = '/';
35617+ pos++;
35618+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35619+ if (depth == i) {
35620+ memcpy(path + pos, tmp->procname,
35621+ strlen(tmp->procname));
35622+ pos += strlen(tmp->procname);
35623+ }
35624+ i++;
35625+ }
35626+ }
35627+
35628+ obj = gr_lookup_by_name(path, pos);
35629+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
35630+
35631+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
35632+ ((err & mode) != mode))) {
35633+ __u32 new_mode = mode;
35634+
35635+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
35636+
35637+ err = 0;
35638+ gr_log_learn_sysctl(path, new_mode);
35639+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
35640+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
35641+ err = -ENOENT;
35642+ } else if (!(err & GR_FIND)) {
35643+ err = -ENOENT;
35644+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
35645+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
35646+ path, (mode & GR_READ) ? " reading" : "",
35647+ (mode & GR_WRITE) ? " writing" : "");
35648+ err = -EACCES;
35649+ } else if ((err & mode) != mode) {
35650+ err = -EACCES;
35651+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
35652+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
35653+ path, (mode & GR_READ) ? " reading" : "",
35654+ (mode & GR_WRITE) ? " writing" : "");
35655+ err = 0;
35656+ } else
35657+ err = 0;
35658+
35659+ out:
35660+ preempt_enable();
35661+
35662+ return err;
35663+}
35664+#endif
35665+
35666+int
35667+gr_handle_proc_ptrace(struct task_struct *task)
35668+{
35669+ struct file *filp;
35670+ struct task_struct *tmp = task;
35671+ struct task_struct *curtemp = current;
35672+ __u32 retmode;
35673+
35674+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35675+ if (unlikely(!(gr_status & GR_READY)))
35676+ return 0;
35677+#endif
35678+
35679+ read_lock(&tasklist_lock);
35680+ read_lock(&grsec_exec_file_lock);
35681+ filp = task->exec_file;
35682+
35683+ while (tmp->pid > 0) {
35684+ if (tmp == curtemp)
35685+ break;
35686+ tmp = tmp->parent;
35687+ }
35688+
35689+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35690+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
35691+ read_unlock(&grsec_exec_file_lock);
35692+ read_unlock(&tasklist_lock);
35693+ return 1;
35694+ }
35695+
35696+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35697+ if (!(gr_status & GR_READY)) {
35698+ read_unlock(&grsec_exec_file_lock);
35699+ read_unlock(&tasklist_lock);
35700+ return 0;
35701+ }
35702+#endif
35703+
35704+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
35705+ read_unlock(&grsec_exec_file_lock);
35706+ read_unlock(&tasklist_lock);
35707+
35708+ if (retmode & GR_NOPTRACE)
35709+ return 1;
35710+
35711+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
35712+ && (current->acl != task->acl || (current->acl != current->role->root_label
35713+ && current->pid != task->pid)))
35714+ return 1;
35715+
35716+ return 0;
35717+}
35718+
35719+int
35720+gr_handle_ptrace(struct task_struct *task, const long request)
35721+{
35722+ struct task_struct *tmp = task;
35723+ struct task_struct *curtemp = current;
35724+ __u32 retmode;
35725+
35726+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35727+ if (unlikely(!(gr_status & GR_READY)))
35728+ return 0;
35729+#endif
35730+
35731+ read_lock(&tasklist_lock);
35732+ while (tmp->pid > 0) {
35733+ if (tmp == curtemp)
35734+ break;
35735+ tmp = tmp->parent;
35736+ }
35737+
35738+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35739+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
35740+ read_unlock(&tasklist_lock);
35741+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35742+ return 1;
35743+ }
35744+ read_unlock(&tasklist_lock);
35745+
35746+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35747+ if (!(gr_status & GR_READY))
35748+ return 0;
35749+#endif
35750+
35751+ read_lock(&grsec_exec_file_lock);
35752+ if (unlikely(!task->exec_file)) {
35753+ read_unlock(&grsec_exec_file_lock);
35754+ return 0;
35755+ }
35756+
35757+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
35758+ read_unlock(&grsec_exec_file_lock);
35759+
35760+ if (retmode & GR_NOPTRACE) {
35761+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35762+ return 1;
35763+ }
35764+
35765+ if (retmode & GR_PTRACERD) {
35766+ switch (request) {
35767+ case PTRACE_POKETEXT:
35768+ case PTRACE_POKEDATA:
35769+ case PTRACE_POKEUSR:
35770+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
35771+ case PTRACE_SETREGS:
35772+ case PTRACE_SETFPREGS:
35773+#endif
35774+#ifdef CONFIG_X86
35775+ case PTRACE_SETFPXREGS:
35776+#endif
35777+#ifdef CONFIG_ALTIVEC
35778+ case PTRACE_SETVRREGS:
35779+#endif
35780+ return 1;
35781+ default:
35782+ return 0;
35783+ }
35784+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
35785+ !(current->role->roletype & GR_ROLE_GOD) &&
35786+ (current->acl != task->acl)) {
35787+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35788+ return 1;
35789+ }
35790+
35791+ return 0;
35792+}
35793+
35794+static int is_writable_mmap(const struct file *filp)
35795+{
35796+ struct task_struct *task = current;
35797+ struct acl_object_label *obj, *obj2;
35798+
35799+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
35800+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {
35801+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35802+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
35803+ task->role->root_label);
35804+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
35805+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
35806+ return 1;
35807+ }
35808+ }
35809+ return 0;
35810+}
35811+
35812+int
35813+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
35814+{
35815+ __u32 mode;
35816+
35817+ if (unlikely(!file || !(prot & PROT_EXEC)))
35818+ return 1;
35819+
35820+ if (is_writable_mmap(file))
35821+ return 0;
35822+
35823+ mode =
35824+ gr_search_file(file->f_path.dentry,
35825+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35826+ file->f_path.mnt);
35827+
35828+ if (!gr_tpe_allow(file))
35829+ return 0;
35830+
35831+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35832+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35833+ return 0;
35834+ } else if (unlikely(!(mode & GR_EXEC))) {
35835+ return 0;
35836+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35837+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35838+ return 1;
35839+ }
35840+
35841+ return 1;
35842+}
35843+
35844+int
35845+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
35846+{
35847+ __u32 mode;
35848+
35849+ if (unlikely(!file || !(prot & PROT_EXEC)))
35850+ return 1;
35851+
35852+ if (is_writable_mmap(file))
35853+ return 0;
35854+
35855+ mode =
35856+ gr_search_file(file->f_path.dentry,
35857+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35858+ file->f_path.mnt);
35859+
35860+ if (!gr_tpe_allow(file))
35861+ return 0;
35862+
35863+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35864+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35865+ return 0;
35866+ } else if (unlikely(!(mode & GR_EXEC))) {
35867+ return 0;
35868+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35869+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35870+ return 1;
35871+ }
35872+
35873+ return 1;
35874+}
35875+
35876+void
35877+gr_acl_handle_psacct(struct task_struct *task, const long code)
35878+{
35879+ unsigned long runtime;
35880+ unsigned long cputime;
35881+ unsigned int wday, cday;
35882+ __u8 whr, chr;
35883+ __u8 wmin, cmin;
35884+ __u8 wsec, csec;
35885+ struct timespec timeval;
35886+
35887+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
35888+ !(task->acl->mode & GR_PROCACCT)))
35889+ return;
35890+
35891+ do_posix_clock_monotonic_gettime(&timeval);
35892+ runtime = timeval.tv_sec - task->start_time.tv_sec;
35893+ wday = runtime / (3600 * 24);
35894+ runtime -= wday * (3600 * 24);
35895+ whr = runtime / 3600;
35896+ runtime -= whr * 3600;
35897+ wmin = runtime / 60;
35898+ runtime -= wmin * 60;
35899+ wsec = runtime;
35900+
35901+ cputime = (task->utime + task->stime) / HZ;
35902+ cday = cputime / (3600 * 24);
35903+ cputime -= cday * (3600 * 24);
35904+ chr = cputime / 3600;
35905+ cputime -= chr * 3600;
35906+ cmin = cputime / 60;
35907+ cputime -= cmin * 60;
35908+ csec = cputime;
35909+
35910+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
35911+
35912+ return;
35913+}
35914+
35915+void gr_set_kernel_label(struct task_struct *task)
35916+{
35917+ if (gr_status & GR_READY) {
35918+ task->role = kernel_role;
35919+ task->acl = kernel_role->root_label;
35920+ }
35921+ return;
35922+}
35923+
35924+#ifdef CONFIG_TASKSTATS
35925+int gr_is_taskstats_denied(int pid)
35926+{
35927+ struct task_struct *task;
35928+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35929+ const struct cred *cred;
35930+#endif
35931+ int ret = 0;
35932+
35933+ /* restrict taskstats viewing to un-chrooted root users
35934+ who have the 'view' subject flag if the RBAC system is enabled
35935+ */
35936+
35937+ read_lock(&tasklist_lock);
35938+ task = find_task_by_vpid(pid);
35939+ if (task) {
35940+ gr_fs_read_lock(task);
35941+#ifdef CONFIG_GRKERNSEC_CHROOT
35942+ if (proc_is_chrooted(task))
35943+ ret = -EACCES;
35944+#endif
35945+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35946+ cred = __task_cred(task);
35947+#ifdef CONFIG_GRKERNSEC_PROC_USER
35948+ if (cred->uid != 0)
35949+ ret = -EACCES;
35950+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35951+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
35952+ ret = -EACCES;
35953+#endif
35954+#endif
35955+ if (gr_status & GR_READY) {
35956+ if (!(task->acl->mode & GR_VIEW))
35957+ ret = -EACCES;
35958+ }
35959+
35960+ gr_fs_read_unlock(task);
35961+ } else
35962+ ret = -ENOENT;
35963+
35964+ read_unlock(&tasklist_lock);
35965+
35966+ return ret;
35967+}
35968+#endif
35969+
35970+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
35971+{
35972+ struct task_struct *task = current;
35973+ struct dentry *dentry = file->f_path.dentry;
35974+ struct vfsmount *mnt = file->f_path.mnt;
35975+ struct acl_object_label *obj, *tmp;
35976+ struct acl_subject_label *subj;
35977+ unsigned int bufsize;
35978+ int is_not_root;
35979+ char *path;
35980+
35981+ if (unlikely(!(gr_status & GR_READY)))
35982+ return 1;
35983+
35984+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
35985+ return 1;
35986+
35987+ /* ignore Eric Biederman */
35988+ if (IS_PRIVATE(dentry->d_inode))
35989+ return 1;
35990+
35991+ subj = task->acl;
35992+ do {
35993+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
35994+ if (obj != NULL)
35995+ return (obj->mode & GR_FIND) ? 1 : 0;
35996+ } while ((subj = subj->parent_subject));
35997+
35998+ /* this is purely an optimization since we're looking for an object
35999+ for the directory we're doing a readdir on
36000+ if it's possible for any globbed object to match the entry we're
36001+ filling into the directory, then the object we find here will be
36002+ an anchor point with attached globbed objects
36003+ */
36004+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
36005+ if (obj->globbed == NULL)
36006+ return (obj->mode & GR_FIND) ? 1 : 0;
36007+
36008+ is_not_root = ((obj->filename[0] == '/') &&
36009+ (obj->filename[1] == '\0')) ? 0 : 1;
36010+ bufsize = PAGE_SIZE - namelen - is_not_root;
36011+
36012+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
36013+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
36014+ return 1;
36015+
36016+ preempt_disable();
36017+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36018+ bufsize);
36019+
36020+ bufsize = strlen(path);
36021+
36022+ /* if base is "/", don't append an additional slash */
36023+ if (is_not_root)
36024+ *(path + bufsize) = '/';
36025+ memcpy(path + bufsize + is_not_root, name, namelen);
36026+ *(path + bufsize + namelen + is_not_root) = '\0';
36027+
36028+ tmp = obj->globbed;
36029+ while (tmp) {
36030+ if (!glob_match(tmp->filename, path)) {
36031+ preempt_enable();
36032+ return (tmp->mode & GR_FIND) ? 1 : 0;
36033+ }
36034+ tmp = tmp->next;
36035+ }
36036+ preempt_enable();
36037+ return (obj->mode & GR_FIND) ? 1 : 0;
36038+}
36039+
36040+EXPORT_SYMBOL(gr_learn_resource);
36041+EXPORT_SYMBOL(gr_set_kernel_label);
36042+#ifdef CONFIG_SECURITY
36043+EXPORT_SYMBOL(gr_check_user_change);
36044+EXPORT_SYMBOL(gr_check_group_change);
36045+#endif
36046+
36047diff -urNp linux-2.6.32.9/grsecurity/gracl_cap.c linux-2.6.32.9/grsecurity/gracl_cap.c
36048--- linux-2.6.32.9/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
36049+++ linux-2.6.32.9/grsecurity/gracl_cap.c 2010-02-23 17:09:53.304046495 -0500
36050@@ -0,0 +1,131 @@
36051+#include <linux/kernel.h>
36052+#include <linux/module.h>
36053+#include <linux/sched.h>
36054+#include <linux/gracl.h>
36055+#include <linux/grsecurity.h>
36056+#include <linux/grinternal.h>
36057+
36058+static const char *captab_log[] = {
36059+ "CAP_CHOWN",
36060+ "CAP_DAC_OVERRIDE",
36061+ "CAP_DAC_READ_SEARCH",
36062+ "CAP_FOWNER",
36063+ "CAP_FSETID",
36064+ "CAP_KILL",
36065+ "CAP_SETGID",
36066+ "CAP_SETUID",
36067+ "CAP_SETPCAP",
36068+ "CAP_LINUX_IMMUTABLE",
36069+ "CAP_NET_BIND_SERVICE",
36070+ "CAP_NET_BROADCAST",
36071+ "CAP_NET_ADMIN",
36072+ "CAP_NET_RAW",
36073+ "CAP_IPC_LOCK",
36074+ "CAP_IPC_OWNER",
36075+ "CAP_SYS_MODULE",
36076+ "CAP_SYS_RAWIO",
36077+ "CAP_SYS_CHROOT",
36078+ "CAP_SYS_PTRACE",
36079+ "CAP_SYS_PACCT",
36080+ "CAP_SYS_ADMIN",
36081+ "CAP_SYS_BOOT",
36082+ "CAP_SYS_NICE",
36083+ "CAP_SYS_RESOURCE",
36084+ "CAP_SYS_TIME",
36085+ "CAP_SYS_TTY_CONFIG",
36086+ "CAP_MKNOD",
36087+ "CAP_LEASE",
36088+ "CAP_AUDIT_WRITE",
36089+ "CAP_AUDIT_CONTROL",
36090+ "CAP_SETFCAP",
36091+ "CAP_MAC_OVERRIDE",
36092+ "CAP_MAC_ADMIN"
36093+};
36094+
36095+EXPORT_SYMBOL(gr_is_capable);
36096+EXPORT_SYMBOL(gr_is_capable_nolog);
36097+
36098+int
36099+gr_is_capable(const int cap)
36100+{
36101+ struct task_struct *task = current;
36102+ const struct cred *cred = current_cred();
36103+ struct acl_subject_label *curracl;
36104+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36105+
36106+ if (!gr_acl_is_enabled())
36107+ return 1;
36108+
36109+ curracl = task->acl;
36110+
36111+ cap_drop = curracl->cap_lower;
36112+ cap_mask = curracl->cap_mask;
36113+
36114+ while ((curracl = curracl->parent_subject)) {
36115+ /* if the cap isn't specified in the current computed mask but is specified in the
36116+ current level subject, and is lowered in the current level subject, then add
36117+ it to the set of dropped capabilities
36118+ otherwise, add the current level subject's mask to the current computed mask
36119+ */
36120+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36121+ cap_raise(cap_mask, cap);
36122+ if (cap_raised(curracl->cap_lower, cap))
36123+ cap_raise(cap_drop, cap);
36124+ }
36125+ }
36126+
36127+ if (!cap_raised(cap_drop, cap))
36128+ return 1;
36129+
36130+ curracl = task->acl;
36131+
36132+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
36133+ && cap_raised(cred->cap_effective, cap)) {
36134+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
36135+ task->role->roletype, cred->uid,
36136+ cred->gid, task->exec_file ?
36137+ gr_to_filename(task->exec_file->f_path.dentry,
36138+ task->exec_file->f_path.mnt) : curracl->filename,
36139+ curracl->filename, 0UL,
36140+ 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
36141+ return 1;
36142+ }
36143+
36144+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
36145+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
36146+ return 0;
36147+}
36148+
36149+int
36150+gr_is_capable_nolog(const int cap)
36151+{
36152+ struct acl_subject_label *curracl;
36153+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36154+
36155+ if (!gr_acl_is_enabled())
36156+ return 1;
36157+
36158+ curracl = current->acl;
36159+
36160+ cap_drop = curracl->cap_lower;
36161+ cap_mask = curracl->cap_mask;
36162+
36163+ while ((curracl = curracl->parent_subject)) {
36164+ /* if the cap isn't specified in the current computed mask but is specified in the
36165+ current level subject, and is lowered in the current level subject, then add
36166+ it to the set of dropped capabilities
36167+ otherwise, add the current level subject's mask to the current computed mask
36168+ */
36169+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36170+ cap_raise(cap_mask, cap);
36171+ if (cap_raised(curracl->cap_lower, cap))
36172+ cap_raise(cap_drop, cap);
36173+ }
36174+ }
36175+
36176+ if (!cap_raised(cap_drop, cap))
36177+ return 1;
36178+
36179+ return 0;
36180+}
36181+
36182diff -urNp linux-2.6.32.9/grsecurity/gracl_fs.c linux-2.6.32.9/grsecurity/gracl_fs.c
36183--- linux-2.6.32.9/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
36184+++ linux-2.6.32.9/grsecurity/gracl_fs.c 2010-02-23 17:09:53.304046495 -0500
36185@@ -0,0 +1,424 @@
36186+#include <linux/kernel.h>
36187+#include <linux/sched.h>
36188+#include <linux/types.h>
36189+#include <linux/fs.h>
36190+#include <linux/file.h>
36191+#include <linux/stat.h>
36192+#include <linux/grsecurity.h>
36193+#include <linux/grinternal.h>
36194+#include <linux/gracl.h>
36195+
36196+__u32
36197+gr_acl_handle_hidden_file(const struct dentry * dentry,
36198+ const struct vfsmount * mnt)
36199+{
36200+ __u32 mode;
36201+
36202+ if (unlikely(!dentry->d_inode))
36203+ return GR_FIND;
36204+
36205+ mode =
36206+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
36207+
36208+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
36209+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36210+ return mode;
36211+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
36212+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36213+ return 0;
36214+ } else if (unlikely(!(mode & GR_FIND)))
36215+ return 0;
36216+
36217+ return GR_FIND;
36218+}
36219+
36220+__u32
36221+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
36222+ const int fmode)
36223+{
36224+ __u32 reqmode = GR_FIND;
36225+ __u32 mode;
36226+
36227+ if (unlikely(!dentry->d_inode))
36228+ return reqmode;
36229+
36230+ if (unlikely(fmode & O_APPEND))
36231+ reqmode |= GR_APPEND;
36232+ else if (unlikely(fmode & FMODE_WRITE))
36233+ reqmode |= GR_WRITE;
36234+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36235+ reqmode |= GR_READ;
36236+ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
36237+ reqmode &= ~GR_READ;
36238+ mode =
36239+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36240+ mnt);
36241+
36242+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36243+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36244+ reqmode & GR_READ ? " reading" : "",
36245+ reqmode & GR_WRITE ? " writing" : reqmode &
36246+ GR_APPEND ? " appending" : "");
36247+ return reqmode;
36248+ } else
36249+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36250+ {
36251+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36252+ reqmode & GR_READ ? " reading" : "",
36253+ reqmode & GR_WRITE ? " writing" : reqmode &
36254+ GR_APPEND ? " appending" : "");
36255+ return 0;
36256+ } else if (unlikely((mode & reqmode) != reqmode))
36257+ return 0;
36258+
36259+ return reqmode;
36260+}
36261+
36262+__u32
36263+gr_acl_handle_creat(const struct dentry * dentry,
36264+ const struct dentry * p_dentry,
36265+ const struct vfsmount * p_mnt, const int fmode,
36266+ const int imode)
36267+{
36268+ __u32 reqmode = GR_WRITE | GR_CREATE;
36269+ __u32 mode;
36270+
36271+ if (unlikely(fmode & O_APPEND))
36272+ reqmode |= GR_APPEND;
36273+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36274+ reqmode |= GR_READ;
36275+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
36276+ reqmode |= GR_SETID;
36277+
36278+ mode =
36279+ gr_check_create(dentry, p_dentry, p_mnt,
36280+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36281+
36282+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36283+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36284+ reqmode & GR_READ ? " reading" : "",
36285+ reqmode & GR_WRITE ? " writing" : reqmode &
36286+ GR_APPEND ? " appending" : "");
36287+ return reqmode;
36288+ } else
36289+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36290+ {
36291+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36292+ reqmode & GR_READ ? " reading" : "",
36293+ reqmode & GR_WRITE ? " writing" : reqmode &
36294+ GR_APPEND ? " appending" : "");
36295+ return 0;
36296+ } else if (unlikely((mode & reqmode) != reqmode))
36297+ return 0;
36298+
36299+ return reqmode;
36300+}
36301+
36302+__u32
36303+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
36304+ const int fmode)
36305+{
36306+ __u32 mode, reqmode = GR_FIND;
36307+
36308+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
36309+ reqmode |= GR_EXEC;
36310+ if (fmode & S_IWOTH)
36311+ reqmode |= GR_WRITE;
36312+ if (fmode & S_IROTH)
36313+ reqmode |= GR_READ;
36314+
36315+ mode =
36316+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36317+ mnt);
36318+
36319+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36320+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36321+ reqmode & GR_READ ? " reading" : "",
36322+ reqmode & GR_WRITE ? " writing" : "",
36323+ reqmode & GR_EXEC ? " executing" : "");
36324+ return reqmode;
36325+ } else
36326+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36327+ {
36328+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36329+ reqmode & GR_READ ? " reading" : "",
36330+ reqmode & GR_WRITE ? " writing" : "",
36331+ reqmode & GR_EXEC ? " executing" : "");
36332+ return 0;
36333+ } else if (unlikely((mode & reqmode) != reqmode))
36334+ return 0;
36335+
36336+ return reqmode;
36337+}
36338+
36339+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
36340+{
36341+ __u32 mode;
36342+
36343+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
36344+
36345+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36346+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
36347+ return mode;
36348+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36349+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
36350+ return 0;
36351+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
36352+ return 0;
36353+
36354+ return (reqmode);
36355+}
36356+
36357+__u32
36358+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
36359+{
36360+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
36361+}
36362+
36363+__u32
36364+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
36365+{
36366+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
36367+}
36368+
36369+__u32
36370+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
36371+{
36372+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
36373+}
36374+
36375+__u32
36376+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
36377+{
36378+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
36379+}
36380+
36381+__u32
36382+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
36383+ mode_t mode)
36384+{
36385+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
36386+ return 1;
36387+
36388+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36389+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36390+ GR_FCHMOD_ACL_MSG);
36391+ } else {
36392+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
36393+ }
36394+}
36395+
36396+__u32
36397+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
36398+ mode_t mode)
36399+{
36400+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36401+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36402+ GR_CHMOD_ACL_MSG);
36403+ } else {
36404+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
36405+ }
36406+}
36407+
36408+__u32
36409+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
36410+{
36411+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
36412+}
36413+
36414+__u32
36415+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
36416+{
36417+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
36418+}
36419+
36420+__u32
36421+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
36422+{
36423+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
36424+ GR_UNIXCONNECT_ACL_MSG);
36425+}
36426+
36427+/* hardlinks require at minimum create permission,
36428+ any additional privilege required is based on the
36429+ privilege of the file being linked to
36430+*/
36431+__u32
36432+gr_acl_handle_link(const struct dentry * new_dentry,
36433+ const struct dentry * parent_dentry,
36434+ const struct vfsmount * parent_mnt,
36435+ const struct dentry * old_dentry,
36436+ const struct vfsmount * old_mnt, const char *to)
36437+{
36438+ __u32 mode;
36439+ __u32 needmode = GR_CREATE | GR_LINK;
36440+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
36441+
36442+ mode =
36443+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
36444+ old_mnt);
36445+
36446+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
36447+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36448+ return mode;
36449+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36450+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36451+ return 0;
36452+ } else if (unlikely((mode & needmode) != needmode))
36453+ return 0;
36454+
36455+ return 1;
36456+}
36457+
36458+__u32
36459+gr_acl_handle_symlink(const struct dentry * new_dentry,
36460+ const struct dentry * parent_dentry,
36461+ const struct vfsmount * parent_mnt, const char *from)
36462+{
36463+ __u32 needmode = GR_WRITE | GR_CREATE;
36464+ __u32 mode;
36465+
36466+ mode =
36467+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
36468+ GR_CREATE | GR_AUDIT_CREATE |
36469+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
36470+
36471+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
36472+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36473+ return mode;
36474+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36475+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36476+ return 0;
36477+ } else if (unlikely((mode & needmode) != needmode))
36478+ return 0;
36479+
36480+ return (GR_WRITE | GR_CREATE);
36481+}
36482+
36483+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
36484+{
36485+ __u32 mode;
36486+
36487+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36488+
36489+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36490+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
36491+ return mode;
36492+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36493+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
36494+ return 0;
36495+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
36496+ return 0;
36497+
36498+ return (reqmode);
36499+}
36500+
36501+__u32
36502+gr_acl_handle_mknod(const struct dentry * new_dentry,
36503+ const struct dentry * parent_dentry,
36504+ const struct vfsmount * parent_mnt,
36505+ const int mode)
36506+{
36507+ __u32 reqmode = GR_WRITE | GR_CREATE;
36508+ if (unlikely(mode & (S_ISUID | S_ISGID)))
36509+ reqmode |= GR_SETID;
36510+
36511+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36512+ reqmode, GR_MKNOD_ACL_MSG);
36513+}
36514+
36515+__u32
36516+gr_acl_handle_mkdir(const struct dentry *new_dentry,
36517+ const struct dentry *parent_dentry,
36518+ const struct vfsmount *parent_mnt)
36519+{
36520+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36521+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
36522+}
36523+
36524+#define RENAME_CHECK_SUCCESS(old, new) \
36525+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
36526+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
36527+
36528+int
36529+gr_acl_handle_rename(struct dentry *new_dentry,
36530+ struct dentry *parent_dentry,
36531+ const struct vfsmount *parent_mnt,
36532+ struct dentry *old_dentry,
36533+ struct inode *old_parent_inode,
36534+ struct vfsmount *old_mnt, const char *newname)
36535+{
36536+ __u32 comp1, comp2;
36537+ int error = 0;
36538+
36539+ if (unlikely(!gr_acl_is_enabled()))
36540+ return 0;
36541+
36542+ if (!new_dentry->d_inode) {
36543+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
36544+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
36545+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
36546+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
36547+ GR_DELETE | GR_AUDIT_DELETE |
36548+ GR_AUDIT_READ | GR_AUDIT_WRITE |
36549+ GR_SUPPRESS, old_mnt);
36550+ } else {
36551+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
36552+ GR_CREATE | GR_DELETE |
36553+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
36554+ GR_AUDIT_READ | GR_AUDIT_WRITE |
36555+ GR_SUPPRESS, parent_mnt);
36556+ comp2 =
36557+ gr_search_file(old_dentry,
36558+ GR_READ | GR_WRITE | GR_AUDIT_READ |
36559+ GR_DELETE | GR_AUDIT_DELETE |
36560+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
36561+ }
36562+
36563+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
36564+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
36565+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36566+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
36567+ && !(comp2 & GR_SUPPRESS)) {
36568+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36569+ error = -EACCES;
36570+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
36571+ error = -EACCES;
36572+
36573+ return error;
36574+}
36575+
36576+void
36577+gr_acl_handle_exit(void)
36578+{
36579+ u16 id;
36580+ char *rolename;
36581+ struct file *exec_file;
36582+
36583+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
36584+ id = current->acl_role_id;
36585+ rolename = current->role->rolename;
36586+ gr_set_acls(1);
36587+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
36588+ }
36589+
36590+ write_lock(&grsec_exec_file_lock);
36591+ exec_file = current->exec_file;
36592+ current->exec_file = NULL;
36593+ write_unlock(&grsec_exec_file_lock);
36594+
36595+ if (exec_file)
36596+ fput(exec_file);
36597+}
36598+
36599+int
36600+gr_acl_handle_procpidmem(const struct task_struct *task)
36601+{
36602+ if (unlikely(!gr_acl_is_enabled()))
36603+ return 0;
36604+
36605+ if (task != current && task->acl->mode & GR_PROTPROCFD)
36606+ return -EACCES;
36607+
36608+ return 0;
36609+}
36610diff -urNp linux-2.6.32.9/grsecurity/gracl_ip.c linux-2.6.32.9/grsecurity/gracl_ip.c
36611--- linux-2.6.32.9/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
36612+++ linux-2.6.32.9/grsecurity/gracl_ip.c 2010-02-23 17:09:53.304046495 -0500
36613@@ -0,0 +1,339 @@
36614+#include <linux/kernel.h>
36615+#include <asm/uaccess.h>
36616+#include <asm/errno.h>
36617+#include <net/sock.h>
36618+#include <linux/file.h>
36619+#include <linux/fs.h>
36620+#include <linux/net.h>
36621+#include <linux/in.h>
36622+#include <linux/skbuff.h>
36623+#include <linux/ip.h>
36624+#include <linux/udp.h>
36625+#include <linux/smp_lock.h>
36626+#include <linux/types.h>
36627+#include <linux/sched.h>
36628+#include <linux/netdevice.h>
36629+#include <linux/inetdevice.h>
36630+#include <linux/gracl.h>
36631+#include <linux/grsecurity.h>
36632+#include <linux/grinternal.h>
36633+
36634+#define GR_BIND 0x01
36635+#define GR_CONNECT 0x02
36636+#define GR_INVERT 0x04
36637+#define GR_BINDOVERRIDE 0x08
36638+#define GR_CONNECTOVERRIDE 0x10
36639+
36640+static const char * gr_protocols[256] = {
36641+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
36642+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
36643+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
36644+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
36645+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
36646+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
36647+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
36648+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
36649+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
36650+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
36651+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
36652+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
36653+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
36654+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
36655+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
36656+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
36657+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
36658+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
36659+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
36660+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
36661+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
36662+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
36663+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
36664+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
36665+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
36666+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
36667+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
36668+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
36669+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
36670+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
36671+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
36672+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
36673+ };
36674+
36675+static const char * gr_socktypes[11] = {
36676+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
36677+ "unknown:7", "unknown:8", "unknown:9", "packet"
36678+ };
36679+
36680+const char *
36681+gr_proto_to_name(unsigned char proto)
36682+{
36683+ return gr_protocols[proto];
36684+}
36685+
36686+const char *
36687+gr_socktype_to_name(unsigned char type)
36688+{
36689+ return gr_socktypes[type];
36690+}
36691+
36692+int
36693+gr_search_socket(const int domain, const int type, const int protocol)
36694+{
36695+ struct acl_subject_label *curr;
36696+ const struct cred *cred = current_cred();
36697+
36698+ if (unlikely(!gr_acl_is_enabled()))
36699+ goto exit;
36700+
36701+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
36702+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
36703+ goto exit; // let the kernel handle it
36704+
36705+ curr = current->acl;
36706+
36707+ if (!curr->ips)
36708+ goto exit;
36709+
36710+ if ((curr->ip_type & (1 << type)) &&
36711+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
36712+ goto exit;
36713+
36714+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36715+ /* we don't place acls on raw sockets , and sometimes
36716+ dgram/ip sockets are opened for ioctl and not
36717+ bind/connect, so we'll fake a bind learn log */
36718+ if (type == SOCK_RAW || type == SOCK_PACKET) {
36719+ __u32 fakeip = 0;
36720+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36721+ current->role->roletype, cred->uid,
36722+ cred->gid, current->exec_file ?
36723+ gr_to_filename(current->exec_file->f_path.dentry,
36724+ current->exec_file->f_path.mnt) :
36725+ curr->filename, curr->filename,
36726+ &fakeip, 0, type,
36727+ protocol, GR_CONNECT, &current->signal->curr_ip);
36728+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
36729+ __u32 fakeip = 0;
36730+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36731+ current->role->roletype, cred->uid,
36732+ cred->gid, current->exec_file ?
36733+ gr_to_filename(current->exec_file->f_path.dentry,
36734+ current->exec_file->f_path.mnt) :
36735+ curr->filename, curr->filename,
36736+ &fakeip, 0, type,
36737+ protocol, GR_BIND, &current->signal->curr_ip);
36738+ }
36739+ /* we'll log when they use connect or bind */
36740+ goto exit;
36741+ }
36742+
36743+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
36744+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
36745+
36746+ return 0;
36747+ exit:
36748+ return 1;
36749+}
36750+
36751+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
36752+{
36753+ if ((ip->mode & mode) &&
36754+ (ip_port >= ip->low) &&
36755+ (ip_port <= ip->high) &&
36756+ ((ntohl(ip_addr) & our_netmask) ==
36757+ (ntohl(our_addr) & our_netmask))
36758+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
36759+ && (ip->type & (1 << type))) {
36760+ if (ip->mode & GR_INVERT)
36761+ return 2; // specifically denied
36762+ else
36763+ return 1; // allowed
36764+ }
36765+
36766+ return 0; // not specifically allowed, may continue parsing
36767+}
36768+
36769+static int
36770+gr_search_connectbind(const int full_mode, struct sock *sk,
36771+ struct sockaddr_in *addr, const int type)
36772+{
36773+ char iface[IFNAMSIZ] = {0};
36774+ struct acl_subject_label *curr;
36775+ struct acl_ip_label *ip;
36776+ struct inet_sock *isk;
36777+ struct net_device *dev;
36778+ struct in_device *idev;
36779+ unsigned long i;
36780+ int ret;
36781+ int mode = full_mode & (GR_BIND | GR_CONNECT);
36782+ __u32 ip_addr = 0;
36783+ __u32 our_addr;
36784+ __u32 our_netmask;
36785+ char *p;
36786+ __u16 ip_port = 0;
36787+ const struct cred *cred = current_cred();
36788+
36789+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
36790+ return 0;
36791+
36792+ curr = current->acl;
36793+ isk = inet_sk(sk);
36794+
36795+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
36796+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
36797+ addr->sin_addr.s_addr = curr->inaddr_any_override;
36798+ if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
36799+ struct sockaddr_in saddr;
36800+ int err;
36801+
36802+ saddr.sin_family = AF_INET;
36803+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
36804+ saddr.sin_port = isk->sport;
36805+
36806+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36807+ if (err)
36808+ return err;
36809+
36810+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36811+ if (err)
36812+ return err;
36813+ }
36814+
36815+ if (!curr->ips)
36816+ return 0;
36817+
36818+ ip_addr = addr->sin_addr.s_addr;
36819+ ip_port = ntohs(addr->sin_port);
36820+
36821+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36822+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36823+ current->role->roletype, cred->uid,
36824+ cred->gid, current->exec_file ?
36825+ gr_to_filename(current->exec_file->f_path.dentry,
36826+ current->exec_file->f_path.mnt) :
36827+ curr->filename, curr->filename,
36828+ &ip_addr, ip_port, type,
36829+ sk->sk_protocol, mode, &current->signal->curr_ip);
36830+ return 0;
36831+ }
36832+
36833+ for (i = 0; i < curr->ip_num; i++) {
36834+ ip = *(curr->ips + i);
36835+ if (ip->iface != NULL) {
36836+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
36837+ p = strchr(iface, ':');
36838+ if (p != NULL)
36839+ *p = '\0';
36840+ dev = dev_get_by_name(sock_net(sk), iface);
36841+ if (dev == NULL)
36842+ continue;
36843+ idev = in_dev_get(dev);
36844+ if (idev == NULL) {
36845+ dev_put(dev);
36846+ continue;
36847+ }
36848+ rcu_read_lock();
36849+ for_ifa(idev) {
36850+ if (!strcmp(ip->iface, ifa->ifa_label)) {
36851+ our_addr = ifa->ifa_address;
36852+ our_netmask = 0xffffffff;
36853+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36854+ if (ret == 1) {
36855+ rcu_read_unlock();
36856+ in_dev_put(idev);
36857+ dev_put(dev);
36858+ return 0;
36859+ } else if (ret == 2) {
36860+ rcu_read_unlock();
36861+ in_dev_put(idev);
36862+ dev_put(dev);
36863+ goto denied;
36864+ }
36865+ }
36866+ } endfor_ifa(idev);
36867+ rcu_read_unlock();
36868+ in_dev_put(idev);
36869+ dev_put(dev);
36870+ } else {
36871+ our_addr = ip->addr;
36872+ our_netmask = ip->netmask;
36873+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36874+ if (ret == 1)
36875+ return 0;
36876+ else if (ret == 2)
36877+ goto denied;
36878+ }
36879+ }
36880+
36881+denied:
36882+ if (mode == GR_BIND)
36883+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
36884+ else if (mode == GR_CONNECT)
36885+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
36886+
36887+ return -EACCES;
36888+}
36889+
36890+int
36891+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
36892+{
36893+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
36894+}
36895+
36896+int
36897+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
36898+{
36899+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
36900+}
36901+
36902+int gr_search_listen(struct socket *sock)
36903+{
36904+ struct sock *sk = sock->sk;
36905+ struct sockaddr_in addr;
36906+
36907+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
36908+ addr.sin_port = inet_sk(sk)->sport;
36909+
36910+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
36911+}
36912+
36913+int gr_search_accept(struct socket *sock)
36914+{
36915+ struct sock *sk = sock->sk;
36916+ struct sockaddr_in addr;
36917+
36918+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
36919+ addr.sin_port = inet_sk(sk)->sport;
36920+
36921+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
36922+}
36923+
36924+int
36925+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
36926+{
36927+ if (addr)
36928+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
36929+ else {
36930+ struct sockaddr_in sin;
36931+ const struct inet_sock *inet = inet_sk(sk);
36932+
36933+ sin.sin_addr.s_addr = inet->daddr;
36934+ sin.sin_port = inet->dport;
36935+
36936+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
36937+ }
36938+}
36939+
36940+int
36941+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
36942+{
36943+ struct sockaddr_in sin;
36944+
36945+ if (unlikely(skb->len < sizeof (struct udphdr)))
36946+ return 0; // skip this packet
36947+
36948+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
36949+ sin.sin_port = udp_hdr(skb)->source;
36950+
36951+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
36952+}
36953diff -urNp linux-2.6.32.9/grsecurity/gracl_learn.c linux-2.6.32.9/grsecurity/gracl_learn.c
36954--- linux-2.6.32.9/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
36955+++ linux-2.6.32.9/grsecurity/gracl_learn.c 2010-02-23 17:09:53.304046495 -0500
36956@@ -0,0 +1,211 @@
36957+#include <linux/kernel.h>
36958+#include <linux/mm.h>
36959+#include <linux/sched.h>
36960+#include <linux/poll.h>
36961+#include <linux/smp_lock.h>
36962+#include <linux/string.h>
36963+#include <linux/file.h>
36964+#include <linux/types.h>
36965+#include <linux/vmalloc.h>
36966+#include <linux/grinternal.h>
36967+
36968+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
36969+ size_t count, loff_t *ppos);
36970+extern int gr_acl_is_enabled(void);
36971+
36972+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
36973+static int gr_learn_attached;
36974+
36975+/* use a 512k buffer */
36976+#define LEARN_BUFFER_SIZE (512 * 1024)
36977+
36978+static DEFINE_SPINLOCK(gr_learn_lock);
36979+static DECLARE_MUTEX(gr_learn_user_sem);
36980+
36981+/* we need to maintain two buffers, so that the kernel context of grlearn
36982+ uses a semaphore around the userspace copying, and the other kernel contexts
36983+ use a spinlock when copying into the buffer, since they cannot sleep
36984+*/
36985+static char *learn_buffer;
36986+static char *learn_buffer_user;
36987+static int learn_buffer_len;
36988+static int learn_buffer_user_len;
36989+
36990+static ssize_t
36991+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
36992+{
36993+ DECLARE_WAITQUEUE(wait, current);
36994+ ssize_t retval = 0;
36995+
36996+ add_wait_queue(&learn_wait, &wait);
36997+ set_current_state(TASK_INTERRUPTIBLE);
36998+ do {
36999+ down(&gr_learn_user_sem);
37000+ spin_lock(&gr_learn_lock);
37001+ if (learn_buffer_len)
37002+ break;
37003+ spin_unlock(&gr_learn_lock);
37004+ up(&gr_learn_user_sem);
37005+ if (file->f_flags & O_NONBLOCK) {
37006+ retval = -EAGAIN;
37007+ goto out;
37008+ }
37009+ if (signal_pending(current)) {
37010+ retval = -ERESTARTSYS;
37011+ goto out;
37012+ }
37013+
37014+ schedule();
37015+ } while (1);
37016+
37017+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
37018+ learn_buffer_user_len = learn_buffer_len;
37019+ retval = learn_buffer_len;
37020+ learn_buffer_len = 0;
37021+
37022+ spin_unlock(&gr_learn_lock);
37023+
37024+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
37025+ retval = -EFAULT;
37026+
37027+ up(&gr_learn_user_sem);
37028+out:
37029+ set_current_state(TASK_RUNNING);
37030+ remove_wait_queue(&learn_wait, &wait);
37031+ return retval;
37032+}
37033+
37034+static unsigned int
37035+poll_learn(struct file * file, poll_table * wait)
37036+{
37037+ poll_wait(file, &learn_wait, wait);
37038+
37039+ if (learn_buffer_len)
37040+ return (POLLIN | POLLRDNORM);
37041+
37042+ return 0;
37043+}
37044+
37045+void
37046+gr_clear_learn_entries(void)
37047+{
37048+ char *tmp;
37049+
37050+ down(&gr_learn_user_sem);
37051+ if (learn_buffer != NULL) {
37052+ spin_lock(&gr_learn_lock);
37053+ tmp = learn_buffer;
37054+ learn_buffer = NULL;
37055+ spin_unlock(&gr_learn_lock);
37056+ vfree(learn_buffer);
37057+ }
37058+ if (learn_buffer_user != NULL) {
37059+ vfree(learn_buffer_user);
37060+ learn_buffer_user = NULL;
37061+ }
37062+ learn_buffer_len = 0;
37063+ up(&gr_learn_user_sem);
37064+
37065+ return;
37066+}
37067+
37068+void
37069+gr_add_learn_entry(const char *fmt, ...)
37070+{
37071+ va_list args;
37072+ unsigned int len;
37073+
37074+ if (!gr_learn_attached)
37075+ return;
37076+
37077+ spin_lock(&gr_learn_lock);
37078+
37079+ /* leave a gap at the end so we know when it's "full" but don't have to
37080+ compute the exact length of the string we're trying to append
37081+ */
37082+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
37083+ spin_unlock(&gr_learn_lock);
37084+ wake_up_interruptible(&learn_wait);
37085+ return;
37086+ }
37087+ if (learn_buffer == NULL) {
37088+ spin_unlock(&gr_learn_lock);
37089+ return;
37090+ }
37091+
37092+ va_start(args, fmt);
37093+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
37094+ va_end(args);
37095+
37096+ learn_buffer_len += len + 1;
37097+
37098+ spin_unlock(&gr_learn_lock);
37099+ wake_up_interruptible(&learn_wait);
37100+
37101+ return;
37102+}
37103+
37104+static int
37105+open_learn(struct inode *inode, struct file *file)
37106+{
37107+ if (file->f_mode & FMODE_READ && gr_learn_attached)
37108+ return -EBUSY;
37109+ if (file->f_mode & FMODE_READ) {
37110+ int retval = 0;
37111+ down(&gr_learn_user_sem);
37112+ if (learn_buffer == NULL)
37113+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
37114+ if (learn_buffer_user == NULL)
37115+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
37116+ if (learn_buffer == NULL) {
37117+ retval = -ENOMEM;
37118+ goto out_error;
37119+ }
37120+ if (learn_buffer_user == NULL) {
37121+ retval = -ENOMEM;
37122+ goto out_error;
37123+ }
37124+ learn_buffer_len = 0;
37125+ learn_buffer_user_len = 0;
37126+ gr_learn_attached = 1;
37127+out_error:
37128+ up(&gr_learn_user_sem);
37129+ return retval;
37130+ }
37131+ return 0;
37132+}
37133+
37134+static int
37135+close_learn(struct inode *inode, struct file *file)
37136+{
37137+ char *tmp;
37138+
37139+ if (file->f_mode & FMODE_READ) {
37140+ down(&gr_learn_user_sem);
37141+ if (learn_buffer != NULL) {
37142+ spin_lock(&gr_learn_lock);
37143+ tmp = learn_buffer;
37144+ learn_buffer = NULL;
37145+ spin_unlock(&gr_learn_lock);
37146+ vfree(tmp);
37147+ }
37148+ if (learn_buffer_user != NULL) {
37149+ vfree(learn_buffer_user);
37150+ learn_buffer_user = NULL;
37151+ }
37152+ learn_buffer_len = 0;
37153+ learn_buffer_user_len = 0;
37154+ gr_learn_attached = 0;
37155+ up(&gr_learn_user_sem);
37156+ }
37157+
37158+ return 0;
37159+}
37160+
37161+const struct file_operations grsec_fops = {
37162+ .read = read_learn,
37163+ .write = write_grsec_handler,
37164+ .open = open_learn,
37165+ .release = close_learn,
37166+ .poll = poll_learn,
37167+};
37168diff -urNp linux-2.6.32.9/grsecurity/gracl_res.c linux-2.6.32.9/grsecurity/gracl_res.c
37169--- linux-2.6.32.9/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
37170+++ linux-2.6.32.9/grsecurity/gracl_res.c 2010-02-23 17:09:53.304046495 -0500
37171@@ -0,0 +1,65 @@
37172+#include <linux/kernel.h>
37173+#include <linux/sched.h>
37174+#include <linux/gracl.h>
37175+#include <linux/grinternal.h>
37176+
37177+static const char *restab_log[] = {
37178+ [RLIMIT_CPU] = "RLIMIT_CPU",
37179+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
37180+ [RLIMIT_DATA] = "RLIMIT_DATA",
37181+ [RLIMIT_STACK] = "RLIMIT_STACK",
37182+ [RLIMIT_CORE] = "RLIMIT_CORE",
37183+ [RLIMIT_RSS] = "RLIMIT_RSS",
37184+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
37185+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
37186+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
37187+ [RLIMIT_AS] = "RLIMIT_AS",
37188+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
37189+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
37190+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
37191+ [RLIMIT_NICE] = "RLIMIT_NICE",
37192+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
37193+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
37194+ [GR_CRASH_RES] = "RLIMIT_CRASH"
37195+};
37196+
37197+void
37198+gr_log_resource(const struct task_struct *task,
37199+ const int res, const unsigned long wanted, const int gt)
37200+{
37201+ const struct cred *cred;
37202+
37203+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
37204+ return;
37205+
37206+ // not yet supported resource
37207+ if (!restab_log[res])
37208+ return;
37209+
37210+ rcu_read_lock();
37211+ cred = __task_cred(task);
37212+
37213+ if (res == RLIMIT_NPROC &&
37214+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
37215+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
37216+ goto out_rcu_unlock;
37217+ else if (res == RLIMIT_MEMLOCK &&
37218+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
37219+ goto out_rcu_unlock;
37220+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
37221+ goto out_rcu_unlock;
37222+ rcu_read_unlock();
37223+
37224+ preempt_disable();
37225+
37226+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
37227+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
37228+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
37229+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
37230+ preempt_enable_no_resched();
37231+
37232+ return;
37233+out_rcu_unlock:
37234+ rcu_read_unlock();
37235+ return;
37236+}
37237diff -urNp linux-2.6.32.9/grsecurity/gracl_segv.c linux-2.6.32.9/grsecurity/gracl_segv.c
37238--- linux-2.6.32.9/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
37239+++ linux-2.6.32.9/grsecurity/gracl_segv.c 2010-02-23 17:09:53.304046495 -0500
37240@@ -0,0 +1,310 @@
37241+#include <linux/kernel.h>
37242+#include <linux/mm.h>
37243+#include <asm/uaccess.h>
37244+#include <asm/errno.h>
37245+#include <asm/mman.h>
37246+#include <net/sock.h>
37247+#include <linux/file.h>
37248+#include <linux/fs.h>
37249+#include <linux/net.h>
37250+#include <linux/in.h>
37251+#include <linux/smp_lock.h>
37252+#include <linux/slab.h>
37253+#include <linux/types.h>
37254+#include <linux/sched.h>
37255+#include <linux/timer.h>
37256+#include <linux/gracl.h>
37257+#include <linux/grsecurity.h>
37258+#include <linux/grinternal.h>
37259+
37260+static struct crash_uid *uid_set;
37261+static unsigned short uid_used;
37262+static DEFINE_SPINLOCK(gr_uid_lock);
37263+extern rwlock_t gr_inode_lock;
37264+extern struct acl_subject_label *
37265+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
37266+ struct acl_role_label *role);
37267+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
37268+
37269+int
37270+gr_init_uidset(void)
37271+{
37272+ uid_set =
37273+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
37274+ uid_used = 0;
37275+
37276+ return uid_set ? 1 : 0;
37277+}
37278+
37279+void
37280+gr_free_uidset(void)
37281+{
37282+ if (uid_set)
37283+ kfree(uid_set);
37284+
37285+ return;
37286+}
37287+
37288+int
37289+gr_find_uid(const uid_t uid)
37290+{
37291+ struct crash_uid *tmp = uid_set;
37292+ uid_t buid;
37293+ int low = 0, high = uid_used - 1, mid;
37294+
37295+ while (high >= low) {
37296+ mid = (low + high) >> 1;
37297+ buid = tmp[mid].uid;
37298+ if (buid == uid)
37299+ return mid;
37300+ if (buid > uid)
37301+ high = mid - 1;
37302+ if (buid < uid)
37303+ low = mid + 1;
37304+ }
37305+
37306+ return -1;
37307+}
37308+
37309+static __inline__ void
37310+gr_insertsort(void)
37311+{
37312+ unsigned short i, j;
37313+ struct crash_uid index;
37314+
37315+ for (i = 1; i < uid_used; i++) {
37316+ index = uid_set[i];
37317+ j = i;
37318+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
37319+ uid_set[j] = uid_set[j - 1];
37320+ j--;
37321+ }
37322+ uid_set[j] = index;
37323+ }
37324+
37325+ return;
37326+}
37327+
37328+static __inline__ void
37329+gr_insert_uid(const uid_t uid, const unsigned long expires)
37330+{
37331+ int loc;
37332+
37333+ if (uid_used == GR_UIDTABLE_MAX)
37334+ return;
37335+
37336+ loc = gr_find_uid(uid);
37337+
37338+ if (loc >= 0) {
37339+ uid_set[loc].expires = expires;
37340+ return;
37341+ }
37342+
37343+ uid_set[uid_used].uid = uid;
37344+ uid_set[uid_used].expires = expires;
37345+ uid_used++;
37346+
37347+ gr_insertsort();
37348+
37349+ return;
37350+}
37351+
37352+void
37353+gr_remove_uid(const unsigned short loc)
37354+{
37355+ unsigned short i;
37356+
37357+ for (i = loc + 1; i < uid_used; i++)
37358+ uid_set[i - 1] = uid_set[i];
37359+
37360+ uid_used--;
37361+
37362+ return;
37363+}
37364+
37365+int
37366+gr_check_crash_uid(const uid_t uid)
37367+{
37368+ int loc;
37369+ int ret = 0;
37370+
37371+ if (unlikely(!gr_acl_is_enabled()))
37372+ return 0;
37373+
37374+ spin_lock(&gr_uid_lock);
37375+ loc = gr_find_uid(uid);
37376+
37377+ if (loc < 0)
37378+ goto out_unlock;
37379+
37380+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
37381+ gr_remove_uid(loc);
37382+ else
37383+ ret = 1;
37384+
37385+out_unlock:
37386+ spin_unlock(&gr_uid_lock);
37387+ return ret;
37388+}
37389+
37390+static __inline__ int
37391+proc_is_setxid(const struct cred *cred)
37392+{
37393+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
37394+ cred->uid != cred->fsuid)
37395+ return 1;
37396+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
37397+ cred->gid != cred->fsgid)
37398+ return 1;
37399+
37400+ return 0;
37401+}
37402+static __inline__ int
37403+gr_fake_force_sig(int sig, struct task_struct *t)
37404+{
37405+ unsigned long int flags;
37406+ int ret, blocked, ignored;
37407+ struct k_sigaction *action;
37408+
37409+ spin_lock_irqsave(&t->sighand->siglock, flags);
37410+ action = &t->sighand->action[sig-1];
37411+ ignored = action->sa.sa_handler == SIG_IGN;
37412+ blocked = sigismember(&t->blocked, sig);
37413+ if (blocked || ignored) {
37414+ action->sa.sa_handler = SIG_DFL;
37415+ if (blocked) {
37416+ sigdelset(&t->blocked, sig);
37417+ recalc_sigpending_and_wake(t);
37418+ }
37419+ }
37420+ if (action->sa.sa_handler == SIG_DFL)
37421+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
37422+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
37423+
37424+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
37425+
37426+ return ret;
37427+}
37428+
37429+void
37430+gr_handle_crash(struct task_struct *task, const int sig)
37431+{
37432+ struct acl_subject_label *curr;
37433+ struct acl_subject_label *curr2;
37434+ struct task_struct *tsk, *tsk2;
37435+ const struct cred *cred;
37436+ const struct cred *cred2;
37437+
37438+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
37439+ return;
37440+
37441+ if (unlikely(!gr_acl_is_enabled()))
37442+ return;
37443+
37444+ curr = task->acl;
37445+
37446+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
37447+ return;
37448+
37449+ if (time_before_eq(curr->expires, get_seconds())) {
37450+ curr->expires = 0;
37451+ curr->crashes = 0;
37452+ }
37453+
37454+ curr->crashes++;
37455+
37456+ if (!curr->expires)
37457+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
37458+
37459+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37460+ time_after(curr->expires, get_seconds())) {
37461+ rcu_read_lock();
37462+ cred = __task_cred(task);
37463+ if (cred->uid && proc_is_setxid(cred)) {
37464+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37465+ spin_lock(&gr_uid_lock);
37466+ gr_insert_uid(cred->uid, curr->expires);
37467+ spin_unlock(&gr_uid_lock);
37468+ curr->expires = 0;
37469+ curr->crashes = 0;
37470+ read_lock(&tasklist_lock);
37471+ do_each_thread(tsk2, tsk) {
37472+ cred2 = __task_cred(tsk);
37473+ if (tsk != task && cred2->uid == cred->uid)
37474+ gr_fake_force_sig(SIGKILL, tsk);
37475+ } while_each_thread(tsk2, tsk);
37476+ read_unlock(&tasklist_lock);
37477+ } else {
37478+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37479+ read_lock(&tasklist_lock);
37480+ do_each_thread(tsk2, tsk) {
37481+ if (likely(tsk != task)) {
37482+ curr2 = tsk->acl;
37483+
37484+ if (curr2->device == curr->device &&
37485+ curr2->inode == curr->inode)
37486+ gr_fake_force_sig(SIGKILL, tsk);
37487+ }
37488+ } while_each_thread(tsk2, tsk);
37489+ read_unlock(&tasklist_lock);
37490+ }
37491+ rcu_read_unlock();
37492+ }
37493+
37494+ return;
37495+}
37496+
37497+int
37498+gr_check_crash_exec(const struct file *filp)
37499+{
37500+ struct acl_subject_label *curr;
37501+
37502+ if (unlikely(!gr_acl_is_enabled()))
37503+ return 0;
37504+
37505+ read_lock(&gr_inode_lock);
37506+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
37507+ filp->f_path.dentry->d_inode->i_sb->s_dev,
37508+ current->role);
37509+ read_unlock(&gr_inode_lock);
37510+
37511+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
37512+ (!curr->crashes && !curr->expires))
37513+ return 0;
37514+
37515+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37516+ time_after(curr->expires, get_seconds()))
37517+ return 1;
37518+ else if (time_before_eq(curr->expires, get_seconds())) {
37519+ curr->crashes = 0;
37520+ curr->expires = 0;
37521+ }
37522+
37523+ return 0;
37524+}
37525+
37526+void
37527+gr_handle_alertkill(struct task_struct *task)
37528+{
37529+ struct acl_subject_label *curracl;
37530+ __u32 curr_ip;
37531+ struct task_struct *p, *p2;
37532+
37533+ if (unlikely(!gr_acl_is_enabled()))
37534+ return;
37535+
37536+ curracl = task->acl;
37537+ curr_ip = task->signal->curr_ip;
37538+
37539+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
37540+ read_lock(&tasklist_lock);
37541+ do_each_thread(p2, p) {
37542+ if (p->signal->curr_ip == curr_ip)
37543+ gr_fake_force_sig(SIGKILL, p);
37544+ } while_each_thread(p2, p);
37545+ read_unlock(&tasklist_lock);
37546+ } else if (curracl->mode & GR_KILLPROC)
37547+ gr_fake_force_sig(SIGKILL, task);
37548+
37549+ return;
37550+}
37551diff -urNp linux-2.6.32.9/grsecurity/gracl_shm.c linux-2.6.32.9/grsecurity/gracl_shm.c
37552--- linux-2.6.32.9/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
37553+++ linux-2.6.32.9/grsecurity/gracl_shm.c 2010-02-23 17:09:53.304046495 -0500
37554@@ -0,0 +1,37 @@
37555+#include <linux/kernel.h>
37556+#include <linux/mm.h>
37557+#include <linux/sched.h>
37558+#include <linux/file.h>
37559+#include <linux/ipc.h>
37560+#include <linux/gracl.h>
37561+#include <linux/grsecurity.h>
37562+#include <linux/grinternal.h>
37563+
37564+int
37565+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37566+ const time_t shm_createtime, const uid_t cuid, const int shmid)
37567+{
37568+ struct task_struct *task;
37569+
37570+ if (!gr_acl_is_enabled())
37571+ return 1;
37572+
37573+ read_lock(&tasklist_lock);
37574+
37575+ task = find_task_by_vpid(shm_cprid);
37576+
37577+ if (unlikely(!task))
37578+ task = find_task_by_vpid(shm_lapid);
37579+
37580+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
37581+ (task->pid == shm_lapid)) &&
37582+ (task->acl->mode & GR_PROTSHM) &&
37583+ (task->acl != current->acl))) {
37584+ read_unlock(&tasklist_lock);
37585+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
37586+ return 0;
37587+ }
37588+ read_unlock(&tasklist_lock);
37589+
37590+ return 1;
37591+}
37592diff -urNp linux-2.6.32.9/grsecurity/grsec_chdir.c linux-2.6.32.9/grsecurity/grsec_chdir.c
37593--- linux-2.6.32.9/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
37594+++ linux-2.6.32.9/grsecurity/grsec_chdir.c 2010-02-23 17:09:53.304046495 -0500
37595@@ -0,0 +1,19 @@
37596+#include <linux/kernel.h>
37597+#include <linux/sched.h>
37598+#include <linux/fs.h>
37599+#include <linux/file.h>
37600+#include <linux/grsecurity.h>
37601+#include <linux/grinternal.h>
37602+
37603+void
37604+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
37605+{
37606+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
37607+ if ((grsec_enable_chdir && grsec_enable_group &&
37608+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
37609+ !grsec_enable_group)) {
37610+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
37611+ }
37612+#endif
37613+ return;
37614+}
37615diff -urNp linux-2.6.32.9/grsecurity/grsec_chroot.c linux-2.6.32.9/grsecurity/grsec_chroot.c
37616--- linux-2.6.32.9/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
37617+++ linux-2.6.32.9/grsecurity/grsec_chroot.c 2010-02-23 17:09:53.304046495 -0500
37618@@ -0,0 +1,348 @@
37619+#include <linux/kernel.h>
37620+#include <linux/module.h>
37621+#include <linux/sched.h>
37622+#include <linux/file.h>
37623+#include <linux/fs.h>
37624+#include <linux/mount.h>
37625+#include <linux/types.h>
37626+#include <linux/pid_namespace.h>
37627+#include <linux/grsecurity.h>
37628+#include <linux/grinternal.h>
37629+
37630+int
37631+gr_handle_chroot_unix(const pid_t pid)
37632+{
37633+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
37634+ struct pid *spid = NULL;
37635+
37636+ if (unlikely(!grsec_enable_chroot_unix))
37637+ return 1;
37638+
37639+ if (likely(!proc_is_chrooted(current)))
37640+ return 1;
37641+
37642+ read_lock(&tasklist_lock);
37643+
37644+ spid = find_vpid(pid);
37645+ if (spid) {
37646+ struct task_struct *p;
37647+ p = pid_task(spid, PIDTYPE_PID);
37648+ gr_fs_read_lock(p);
37649+ if (unlikely(!have_same_root(current, p))) {
37650+ gr_fs_read_unlock(p);
37651+ read_unlock(&tasklist_lock);
37652+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
37653+ return 0;
37654+ }
37655+ gr_fs_read_unlock(p);
37656+ }
37657+ read_unlock(&tasklist_lock);
37658+#endif
37659+ return 1;
37660+}
37661+
37662+int
37663+gr_handle_chroot_nice(void)
37664+{
37665+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37666+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
37667+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
37668+ return -EPERM;
37669+ }
37670+#endif
37671+ return 0;
37672+}
37673+
37674+int
37675+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
37676+{
37677+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37678+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
37679+ && proc_is_chrooted(current)) {
37680+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
37681+ return -EACCES;
37682+ }
37683+#endif
37684+ return 0;
37685+}
37686+
37687+int
37688+gr_handle_chroot_rawio(const struct inode *inode)
37689+{
37690+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37691+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
37692+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
37693+ return 1;
37694+#endif
37695+ return 0;
37696+}
37697+
37698+int
37699+gr_pid_is_chrooted(struct task_struct *p)
37700+{
37701+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
37702+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
37703+ return 0;
37704+
37705+ gr_fs_read_lock(p);
37706+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
37707+ !have_same_root(current, p)) {
37708+ gr_fs_read_unlock(p);
37709+ return 1;
37710+ }
37711+ gr_fs_read_unlock(p);
37712+#endif
37713+ return 0;
37714+}
37715+
37716+EXPORT_SYMBOL(gr_pid_is_chrooted);
37717+
37718+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
37719+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
37720+{
37721+ struct dentry *dentry = (struct dentry *)u_dentry;
37722+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
37723+ struct dentry *realroot;
37724+ struct vfsmount *realrootmnt;
37725+ struct dentry *currentroot;
37726+ struct vfsmount *currentmnt;
37727+ struct task_struct *reaper = &init_task;
37728+ int ret = 1;
37729+
37730+ read_lock(&reaper->fs->lock);
37731+ realrootmnt = mntget(reaper->fs->root.mnt);
37732+ realroot = dget(reaper->fs->root.dentry);
37733+ read_unlock(&reaper->fs->lock);
37734+
37735+ read_lock(&current->fs->lock);
37736+ currentmnt = mntget(current->fs->root.mnt);
37737+ currentroot = dget(current->fs->root.dentry);
37738+ read_unlock(&current->fs->lock);
37739+
37740+ spin_lock(&dcache_lock);
37741+ for (;;) {
37742+ if (unlikely((dentry == realroot && mnt == realrootmnt)
37743+ || (dentry == currentroot && mnt == currentmnt)))
37744+ break;
37745+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
37746+ if (mnt->mnt_parent == mnt)
37747+ break;
37748+ dentry = mnt->mnt_mountpoint;
37749+ mnt = mnt->mnt_parent;
37750+ continue;
37751+ }
37752+ dentry = dentry->d_parent;
37753+ }
37754+ spin_unlock(&dcache_lock);
37755+
37756+ dput(currentroot);
37757+ mntput(currentmnt);
37758+
37759+ /* access is outside of chroot */
37760+ if (dentry == realroot && mnt == realrootmnt)
37761+ ret = 0;
37762+
37763+ dput(realroot);
37764+ mntput(realrootmnt);
37765+ return ret;
37766+}
37767+#endif
37768+
37769+int
37770+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
37771+{
37772+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
37773+ if (!grsec_enable_chroot_fchdir)
37774+ return 1;
37775+
37776+ if (!proc_is_chrooted(current))
37777+ return 1;
37778+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
37779+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
37780+ return 0;
37781+ }
37782+#endif
37783+ return 1;
37784+}
37785+
37786+int
37787+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37788+ const time_t shm_createtime)
37789+{
37790+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
37791+ struct pid *pid = NULL;
37792+ time_t starttime;
37793+
37794+ if (unlikely(!grsec_enable_chroot_shmat))
37795+ return 1;
37796+
37797+ if (likely(!proc_is_chrooted(current)))
37798+ return 1;
37799+
37800+ read_lock(&tasklist_lock);
37801+
37802+ pid = find_vpid(shm_cprid);
37803+ if (pid) {
37804+ struct task_struct *p;
37805+ p = pid_task(pid, PIDTYPE_PID);
37806+ gr_fs_read_lock(p);
37807+ starttime = p->start_time.tv_sec;
37808+ if (unlikely(!have_same_root(current, p) &&
37809+ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
37810+ gr_fs_read_unlock(p);
37811+ read_unlock(&tasklist_lock);
37812+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37813+ return 0;
37814+ }
37815+ gr_fs_read_unlock(p);
37816+ } else {
37817+ pid = find_vpid(shm_lapid);
37818+ if (pid) {
37819+ struct task_struct *p;
37820+ p = pid_task(pid, PIDTYPE_PID);
37821+ gr_fs_read_lock(p);
37822+ if (unlikely(!have_same_root(current, p))) {
37823+ gr_fs_read_unlock(p);
37824+ read_unlock(&tasklist_lock);
37825+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37826+ return 0;
37827+ }
37828+ gr_fs_read_unlock(p);
37829+ }
37830+ }
37831+
37832+ read_unlock(&tasklist_lock);
37833+#endif
37834+ return 1;
37835+}
37836+
37837+void
37838+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
37839+{
37840+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
37841+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
37842+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
37843+#endif
37844+ return;
37845+}
37846+
37847+int
37848+gr_handle_chroot_mknod(const struct dentry *dentry,
37849+ const struct vfsmount *mnt, const int mode)
37850+{
37851+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
37852+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
37853+ proc_is_chrooted(current)) {
37854+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
37855+ return -EPERM;
37856+ }
37857+#endif
37858+ return 0;
37859+}
37860+
37861+int
37862+gr_handle_chroot_mount(const struct dentry *dentry,
37863+ const struct vfsmount *mnt, const char *dev_name)
37864+{
37865+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
37866+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
37867+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
37868+ return -EPERM;
37869+ }
37870+#endif
37871+ return 0;
37872+}
37873+
37874+int
37875+gr_handle_chroot_pivot(void)
37876+{
37877+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
37878+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
37879+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
37880+ return -EPERM;
37881+ }
37882+#endif
37883+ return 0;
37884+}
37885+
37886+int
37887+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
37888+{
37889+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
37890+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
37891+ !gr_is_outside_chroot(dentry, mnt)) {
37892+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
37893+ return -EPERM;
37894+ }
37895+#endif
37896+ return 0;
37897+}
37898+
37899+int
37900+gr_handle_chroot_caps(struct path *path)
37901+{
37902+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37903+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
37904+ (init_task.fs->root.dentry != path->dentry) &&
37905+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
37906+
37907+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
37908+ const struct cred *old = current_cred();
37909+ struct cred *new = prepare_creds();
37910+ if (new == NULL)
37911+ return 1;
37912+
37913+ new->cap_permitted = cap_drop(old->cap_permitted,
37914+ chroot_caps);
37915+ new->cap_inheritable = cap_drop(old->cap_inheritable,
37916+ chroot_caps);
37917+ new->cap_effective = cap_drop(old->cap_effective,
37918+ chroot_caps);
37919+
37920+ commit_creds(new);
37921+
37922+ return 0;
37923+ }
37924+#endif
37925+ return 0;
37926+}
37927+
37928+int
37929+gr_handle_chroot_sysctl(const int op)
37930+{
37931+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
37932+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
37933+ && (op & MAY_WRITE))
37934+ return -EACCES;
37935+#endif
37936+ return 0;
37937+}
37938+
37939+void
37940+gr_handle_chroot_chdir(struct path *path)
37941+{
37942+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
37943+ if (grsec_enable_chroot_chdir)
37944+ set_fs_pwd(current->fs, path);
37945+#endif
37946+ return;
37947+}
37948+
37949+int
37950+gr_handle_chroot_chmod(const struct dentry *dentry,
37951+ const struct vfsmount *mnt, const int mode)
37952+{
37953+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
37954+ if (grsec_enable_chroot_chmod &&
37955+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
37956+ proc_is_chrooted(current)) {
37957+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
37958+ return -EPERM;
37959+ }
37960+#endif
37961+ return 0;
37962+}
37963+
37964+#ifdef CONFIG_SECURITY
37965+EXPORT_SYMBOL(gr_handle_chroot_caps);
37966+#endif
37967diff -urNp linux-2.6.32.9/grsecurity/grsec_disabled.c linux-2.6.32.9/grsecurity/grsec_disabled.c
37968--- linux-2.6.32.9/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
37969+++ linux-2.6.32.9/grsecurity/grsec_disabled.c 2010-02-23 17:09:53.304046495 -0500
37970@@ -0,0 +1,426 @@
37971+#include <linux/kernel.h>
37972+#include <linux/module.h>
37973+#include <linux/sched.h>
37974+#include <linux/file.h>
37975+#include <linux/fs.h>
37976+#include <linux/kdev_t.h>
37977+#include <linux/net.h>
37978+#include <linux/in.h>
37979+#include <linux/ip.h>
37980+#include <linux/skbuff.h>
37981+#include <linux/sysctl.h>
37982+
37983+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
37984+void
37985+pax_set_initial_flags(struct linux_binprm *bprm)
37986+{
37987+ return;
37988+}
37989+#endif
37990+
37991+#ifdef CONFIG_SYSCTL
37992+__u32
37993+gr_handle_sysctl(const struct ctl_table * table, const int op)
37994+{
37995+ return 0;
37996+}
37997+#endif
37998+
37999+#ifdef CONFIG_TASKSTATS
38000+int gr_is_taskstats_denied(int pid)
38001+{
38002+ return 0;
38003+}
38004+#endif
38005+
38006+int
38007+gr_acl_is_enabled(void)
38008+{
38009+ return 0;
38010+}
38011+
38012+int
38013+gr_handle_rawio(const struct inode *inode)
38014+{
38015+ return 0;
38016+}
38017+
38018+void
38019+gr_acl_handle_psacct(struct task_struct *task, const long code)
38020+{
38021+ return;
38022+}
38023+
38024+int
38025+gr_handle_ptrace(struct task_struct *task, const long request)
38026+{
38027+ return 0;
38028+}
38029+
38030+int
38031+gr_handle_proc_ptrace(struct task_struct *task)
38032+{
38033+ return 0;
38034+}
38035+
38036+void
38037+gr_learn_resource(const struct task_struct *task,
38038+ const int res, const unsigned long wanted, const int gt)
38039+{
38040+ return;
38041+}
38042+
38043+int
38044+gr_set_acls(const int type)
38045+{
38046+ return 0;
38047+}
38048+
38049+int
38050+gr_check_hidden_task(const struct task_struct *tsk)
38051+{
38052+ return 0;
38053+}
38054+
38055+int
38056+gr_check_protected_task(const struct task_struct *task)
38057+{
38058+ return 0;
38059+}
38060+
38061+void
38062+gr_copy_label(struct task_struct *tsk)
38063+{
38064+ return;
38065+}
38066+
38067+void
38068+gr_set_pax_flags(struct task_struct *task)
38069+{
38070+ return;
38071+}
38072+
38073+int
38074+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38075+ const int unsafe_share)
38076+{
38077+ return 0;
38078+}
38079+
38080+void
38081+gr_handle_delete(const ino_t ino, const dev_t dev)
38082+{
38083+ return;
38084+}
38085+
38086+void
38087+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38088+{
38089+ return;
38090+}
38091+
38092+void
38093+gr_handle_crash(struct task_struct *task, const int sig)
38094+{
38095+ return;
38096+}
38097+
38098+int
38099+gr_check_crash_exec(const struct file *filp)
38100+{
38101+ return 0;
38102+}
38103+
38104+int
38105+gr_check_crash_uid(const uid_t uid)
38106+{
38107+ return 0;
38108+}
38109+
38110+void
38111+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38112+ struct dentry *old_dentry,
38113+ struct dentry *new_dentry,
38114+ struct vfsmount *mnt, const __u8 replace)
38115+{
38116+ return;
38117+}
38118+
38119+int
38120+gr_search_socket(const int family, const int type, const int protocol)
38121+{
38122+ return 1;
38123+}
38124+
38125+int
38126+gr_search_connectbind(const int mode, const struct socket *sock,
38127+ const struct sockaddr_in *addr)
38128+{
38129+ return 0;
38130+}
38131+
38132+int
38133+gr_is_capable(const int cap)
38134+{
38135+ return 1;
38136+}
38137+
38138+int
38139+gr_is_capable_nolog(const int cap)
38140+{
38141+ return 1;
38142+}
38143+
38144+void
38145+gr_handle_alertkill(struct task_struct *task)
38146+{
38147+ return;
38148+}
38149+
38150+__u32
38151+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
38152+{
38153+ return 1;
38154+}
38155+
38156+__u32
38157+gr_acl_handle_hidden_file(const struct dentry * dentry,
38158+ const struct vfsmount * mnt)
38159+{
38160+ return 1;
38161+}
38162+
38163+__u32
38164+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38165+ const int fmode)
38166+{
38167+ return 1;
38168+}
38169+
38170+__u32
38171+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38172+{
38173+ return 1;
38174+}
38175+
38176+__u32
38177+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
38178+{
38179+ return 1;
38180+}
38181+
38182+int
38183+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
38184+ unsigned int *vm_flags)
38185+{
38186+ return 1;
38187+}
38188+
38189+__u32
38190+gr_acl_handle_truncate(const struct dentry * dentry,
38191+ const struct vfsmount * mnt)
38192+{
38193+ return 1;
38194+}
38195+
38196+__u32
38197+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
38198+{
38199+ return 1;
38200+}
38201+
38202+__u32
38203+gr_acl_handle_access(const struct dentry * dentry,
38204+ const struct vfsmount * mnt, const int fmode)
38205+{
38206+ return 1;
38207+}
38208+
38209+__u32
38210+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
38211+ mode_t mode)
38212+{
38213+ return 1;
38214+}
38215+
38216+__u32
38217+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
38218+ mode_t mode)
38219+{
38220+ return 1;
38221+}
38222+
38223+__u32
38224+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
38225+{
38226+ return 1;
38227+}
38228+
38229+void
38230+grsecurity_init(void)
38231+{
38232+ return;
38233+}
38234+
38235+__u32
38236+gr_acl_handle_mknod(const struct dentry * new_dentry,
38237+ const struct dentry * parent_dentry,
38238+ const struct vfsmount * parent_mnt,
38239+ const int mode)
38240+{
38241+ return 1;
38242+}
38243+
38244+__u32
38245+gr_acl_handle_mkdir(const struct dentry * new_dentry,
38246+ const struct dentry * parent_dentry,
38247+ const struct vfsmount * parent_mnt)
38248+{
38249+ return 1;
38250+}
38251+
38252+__u32
38253+gr_acl_handle_symlink(const struct dentry * new_dentry,
38254+ const struct dentry * parent_dentry,
38255+ const struct vfsmount * parent_mnt, const char *from)
38256+{
38257+ return 1;
38258+}
38259+
38260+__u32
38261+gr_acl_handle_link(const struct dentry * new_dentry,
38262+ const struct dentry * parent_dentry,
38263+ const struct vfsmount * parent_mnt,
38264+ const struct dentry * old_dentry,
38265+ const struct vfsmount * old_mnt, const char *to)
38266+{
38267+ return 1;
38268+}
38269+
38270+int
38271+gr_acl_handle_rename(const struct dentry *new_dentry,
38272+ const struct dentry *parent_dentry,
38273+ const struct vfsmount *parent_mnt,
38274+ const struct dentry *old_dentry,
38275+ const struct inode *old_parent_inode,
38276+ const struct vfsmount *old_mnt, const char *newname)
38277+{
38278+ return 0;
38279+}
38280+
38281+int
38282+gr_acl_handle_filldir(const struct file *file, const char *name,
38283+ const int namelen, const ino_t ino)
38284+{
38285+ return 1;
38286+}
38287+
38288+int
38289+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
38290+ const time_t shm_createtime, const uid_t cuid, const int shmid)
38291+{
38292+ return 1;
38293+}
38294+
38295+int
38296+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
38297+{
38298+ return 0;
38299+}
38300+
38301+int
38302+gr_search_accept(const struct socket *sock)
38303+{
38304+ return 0;
38305+}
38306+
38307+int
38308+gr_search_listen(const struct socket *sock)
38309+{
38310+ return 0;
38311+}
38312+
38313+int
38314+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
38315+{
38316+ return 0;
38317+}
38318+
38319+__u32
38320+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
38321+{
38322+ return 1;
38323+}
38324+
38325+__u32
38326+gr_acl_handle_creat(const struct dentry * dentry,
38327+ const struct dentry * p_dentry,
38328+ const struct vfsmount * p_mnt, const int fmode,
38329+ const int imode)
38330+{
38331+ return 1;
38332+}
38333+
38334+void
38335+gr_acl_handle_exit(void)
38336+{
38337+ return;
38338+}
38339+
38340+int
38341+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38342+{
38343+ return 1;
38344+}
38345+
38346+void
38347+gr_set_role_label(const uid_t uid, const gid_t gid)
38348+{
38349+ return;
38350+}
38351+
38352+int
38353+gr_acl_handle_procpidmem(const struct task_struct *task)
38354+{
38355+ return 0;
38356+}
38357+
38358+int
38359+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
38360+{
38361+ return 0;
38362+}
38363+
38364+int
38365+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
38366+{
38367+ return 0;
38368+}
38369+
38370+void
38371+gr_set_kernel_label(struct task_struct *task)
38372+{
38373+ return;
38374+}
38375+
38376+int
38377+gr_check_user_change(int real, int effective, int fs)
38378+{
38379+ return 0;
38380+}
38381+
38382+int
38383+gr_check_group_change(int real, int effective, int fs)
38384+{
38385+ return 0;
38386+}
38387+
38388+
38389+EXPORT_SYMBOL(gr_is_capable);
38390+EXPORT_SYMBOL(gr_is_capable_nolog);
38391+EXPORT_SYMBOL(gr_learn_resource);
38392+EXPORT_SYMBOL(gr_set_kernel_label);
38393+#ifdef CONFIG_SECURITY
38394+EXPORT_SYMBOL(gr_check_user_change);
38395+EXPORT_SYMBOL(gr_check_group_change);
38396+#endif
38397diff -urNp linux-2.6.32.9/grsecurity/grsec_exec.c linux-2.6.32.9/grsecurity/grsec_exec.c
38398--- linux-2.6.32.9/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
38399+++ linux-2.6.32.9/grsecurity/grsec_exec.c 2010-02-23 17:09:53.304046495 -0500
38400@@ -0,0 +1,89 @@
38401+#include <linux/kernel.h>
38402+#include <linux/sched.h>
38403+#include <linux/file.h>
38404+#include <linux/binfmts.h>
38405+#include <linux/smp_lock.h>
38406+#include <linux/fs.h>
38407+#include <linux/types.h>
38408+#include <linux/grdefs.h>
38409+#include <linux/grinternal.h>
38410+#include <linux/capability.h>
38411+
38412+#include <asm/uaccess.h>
38413+
38414+#ifdef CONFIG_GRKERNSEC_EXECLOG
38415+static char gr_exec_arg_buf[132];
38416+static DECLARE_MUTEX(gr_exec_arg_sem);
38417+#endif
38418+
38419+int
38420+gr_handle_nproc(void)
38421+{
38422+#ifdef CONFIG_GRKERNSEC_EXECVE
38423+ const struct cred *cred = current_cred();
38424+ if (grsec_enable_execve && cred->user &&
38425+ (atomic_read(&cred->user->processes) >
38426+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
38427+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
38428+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
38429+ return -EAGAIN;
38430+ }
38431+#endif
38432+ return 0;
38433+}
38434+
38435+void
38436+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
38437+{
38438+#ifdef CONFIG_GRKERNSEC_EXECLOG
38439+ char *grarg = gr_exec_arg_buf;
38440+ unsigned int i, x, execlen = 0;
38441+ char c;
38442+
38443+ if (!((grsec_enable_execlog && grsec_enable_group &&
38444+ in_group_p(grsec_audit_gid))
38445+ || (grsec_enable_execlog && !grsec_enable_group)))
38446+ return;
38447+
38448+ down(&gr_exec_arg_sem);
38449+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
38450+
38451+ if (unlikely(argv == NULL))
38452+ goto log;
38453+
38454+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
38455+ const char __user *p;
38456+ unsigned int len;
38457+
38458+ if (copy_from_user(&p, argv + i, sizeof(p)))
38459+ goto log;
38460+ if (!p)
38461+ goto log;
38462+ len = strnlen_user(p, 128 - execlen);
38463+ if (len > 128 - execlen)
38464+ len = 128 - execlen;
38465+ else if (len > 0)
38466+ len--;
38467+ if (copy_from_user(grarg + execlen, p, len))
38468+ goto log;
38469+
38470+ /* rewrite unprintable characters */
38471+ for (x = 0; x < len; x++) {
38472+ c = *(grarg + execlen + x);
38473+ if (c < 32 || c > 126)
38474+ *(grarg + execlen + x) = ' ';
38475+ }
38476+
38477+ execlen += len;
38478+ *(grarg + execlen) = ' ';
38479+ *(grarg + execlen + 1) = '\0';
38480+ execlen++;
38481+ }
38482+
38483+ log:
38484+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
38485+ bprm->file->f_path.mnt, grarg);
38486+ up(&gr_exec_arg_sem);
38487+#endif
38488+ return;
38489+}
38490diff -urNp linux-2.6.32.9/grsecurity/grsec_fifo.c linux-2.6.32.9/grsecurity/grsec_fifo.c
38491--- linux-2.6.32.9/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
38492+++ linux-2.6.32.9/grsecurity/grsec_fifo.c 2010-02-23 17:09:53.304046495 -0500
38493@@ -0,0 +1,24 @@
38494+#include <linux/kernel.h>
38495+#include <linux/sched.h>
38496+#include <linux/fs.h>
38497+#include <linux/file.h>
38498+#include <linux/grinternal.h>
38499+
38500+int
38501+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
38502+ const struct dentry *dir, const int flag, const int acc_mode)
38503+{
38504+#ifdef CONFIG_GRKERNSEC_FIFO
38505+ const struct cred *cred = current_cred();
38506+
38507+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
38508+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
38509+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
38510+ (cred->fsuid != dentry->d_inode->i_uid)) {
38511+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
38512+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
38513+ return -EACCES;
38514+ }
38515+#endif
38516+ return 0;
38517+}
38518diff -urNp linux-2.6.32.9/grsecurity/grsec_fork.c linux-2.6.32.9/grsecurity/grsec_fork.c
38519--- linux-2.6.32.9/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
38520+++ linux-2.6.32.9/grsecurity/grsec_fork.c 2010-02-23 17:09:53.304046495 -0500
38521@@ -0,0 +1,15 @@
38522+#include <linux/kernel.h>
38523+#include <linux/sched.h>
38524+#include <linux/grsecurity.h>
38525+#include <linux/grinternal.h>
38526+#include <linux/errno.h>
38527+
38528+void
38529+gr_log_forkfail(const int retval)
38530+{
38531+#ifdef CONFIG_GRKERNSEC_FORKFAIL
38532+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
38533+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
38534+#endif
38535+ return;
38536+}
38537diff -urNp linux-2.6.32.9/grsecurity/grsec_init.c linux-2.6.32.9/grsecurity/grsec_init.c
38538--- linux-2.6.32.9/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
38539+++ linux-2.6.32.9/grsecurity/grsec_init.c 2010-02-23 17:09:53.304046495 -0500
38540@@ -0,0 +1,231 @@
38541+#include <linux/kernel.h>
38542+#include <linux/sched.h>
38543+#include <linux/mm.h>
38544+#include <linux/smp_lock.h>
38545+#include <linux/gracl.h>
38546+#include <linux/slab.h>
38547+#include <linux/vmalloc.h>
38548+#include <linux/percpu.h>
38549+
38550+int grsec_enable_link;
38551+int grsec_enable_dmesg;
38552+int grsec_enable_harden_ptrace;
38553+int grsec_enable_fifo;
38554+int grsec_enable_execve;
38555+int grsec_enable_execlog;
38556+int grsec_enable_signal;
38557+int grsec_enable_forkfail;
38558+int grsec_enable_time;
38559+int grsec_enable_audit_textrel;
38560+int grsec_enable_group;
38561+int grsec_audit_gid;
38562+int grsec_enable_chdir;
38563+int grsec_enable_mount;
38564+int grsec_enable_rofs;
38565+int grsec_enable_chroot_findtask;
38566+int grsec_enable_chroot_mount;
38567+int grsec_enable_chroot_shmat;
38568+int grsec_enable_chroot_fchdir;
38569+int grsec_enable_chroot_double;
38570+int grsec_enable_chroot_pivot;
38571+int grsec_enable_chroot_chdir;
38572+int grsec_enable_chroot_chmod;
38573+int grsec_enable_chroot_mknod;
38574+int grsec_enable_chroot_nice;
38575+int grsec_enable_chroot_execlog;
38576+int grsec_enable_chroot_caps;
38577+int grsec_enable_chroot_sysctl;
38578+int grsec_enable_chroot_unix;
38579+int grsec_enable_tpe;
38580+int grsec_tpe_gid;
38581+int grsec_enable_tpe_all;
38582+int grsec_enable_socket_all;
38583+int grsec_socket_all_gid;
38584+int grsec_enable_socket_client;
38585+int grsec_socket_client_gid;
38586+int grsec_enable_socket_server;
38587+int grsec_socket_server_gid;
38588+int grsec_resource_logging;
38589+int grsec_lock;
38590+
38591+DEFINE_SPINLOCK(grsec_alert_lock);
38592+unsigned long grsec_alert_wtime = 0;
38593+unsigned long grsec_alert_fyet = 0;
38594+
38595+DEFINE_SPINLOCK(grsec_audit_lock);
38596+
38597+DEFINE_RWLOCK(grsec_exec_file_lock);
38598+
38599+char *gr_shared_page[4];
38600+
38601+char *gr_alert_log_fmt;
38602+char *gr_audit_log_fmt;
38603+char *gr_alert_log_buf;
38604+char *gr_audit_log_buf;
38605+
38606+extern struct gr_arg *gr_usermode;
38607+extern unsigned char *gr_system_salt;
38608+extern unsigned char *gr_system_sum;
38609+
38610+void __init
38611+grsecurity_init(void)
38612+{
38613+ int j;
38614+ /* create the per-cpu shared pages */
38615+
38616+#ifdef CONFIG_X86
38617+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
38618+#endif
38619+
38620+ for (j = 0; j < 4; j++) {
38621+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
38622+ if (gr_shared_page[j] == NULL) {
38623+ panic("Unable to allocate grsecurity shared page");
38624+ return;
38625+ }
38626+ }
38627+
38628+ /* allocate log buffers */
38629+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
38630+ if (!gr_alert_log_fmt) {
38631+ panic("Unable to allocate grsecurity alert log format buffer");
38632+ return;
38633+ }
38634+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
38635+ if (!gr_audit_log_fmt) {
38636+ panic("Unable to allocate grsecurity audit log format buffer");
38637+ return;
38638+ }
38639+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38640+ if (!gr_alert_log_buf) {
38641+ panic("Unable to allocate grsecurity alert log buffer");
38642+ return;
38643+ }
38644+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38645+ if (!gr_audit_log_buf) {
38646+ panic("Unable to allocate grsecurity audit log buffer");
38647+ return;
38648+ }
38649+
38650+ /* allocate memory for authentication structure */
38651+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
38652+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
38653+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
38654+
38655+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
38656+ panic("Unable to allocate grsecurity authentication structure");
38657+ return;
38658+ }
38659+
38660+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
38661+#ifndef CONFIG_GRKERNSEC_SYSCTL
38662+ grsec_lock = 1;
38663+#endif
38664+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
38665+ grsec_enable_audit_textrel = 1;
38666+#endif
38667+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
38668+ grsec_enable_group = 1;
38669+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
38670+#endif
38671+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
38672+ grsec_enable_chdir = 1;
38673+#endif
38674+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38675+ grsec_enable_harden_ptrace = 1;
38676+#endif
38677+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
38678+ grsec_enable_mount = 1;
38679+#endif
38680+#ifdef CONFIG_GRKERNSEC_LINK
38681+ grsec_enable_link = 1;
38682+#endif
38683+#ifdef CONFIG_GRKERNSEC_DMESG
38684+ grsec_enable_dmesg = 1;
38685+#endif
38686+#ifdef CONFIG_GRKERNSEC_FIFO
38687+ grsec_enable_fifo = 1;
38688+#endif
38689+#ifdef CONFIG_GRKERNSEC_EXECVE
38690+ grsec_enable_execve = 1;
38691+#endif
38692+#ifdef CONFIG_GRKERNSEC_EXECLOG
38693+ grsec_enable_execlog = 1;
38694+#endif
38695+#ifdef CONFIG_GRKERNSEC_SIGNAL
38696+ grsec_enable_signal = 1;
38697+#endif
38698+#ifdef CONFIG_GRKERNSEC_FORKFAIL
38699+ grsec_enable_forkfail = 1;
38700+#endif
38701+#ifdef CONFIG_GRKERNSEC_TIME
38702+ grsec_enable_time = 1;
38703+#endif
38704+#ifdef CONFIG_GRKERNSEC_RESLOG
38705+ grsec_resource_logging = 1;
38706+#endif
38707+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
38708+ grsec_enable_chroot_findtask = 1;
38709+#endif
38710+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
38711+ grsec_enable_chroot_unix = 1;
38712+#endif
38713+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
38714+ grsec_enable_chroot_mount = 1;
38715+#endif
38716+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
38717+ grsec_enable_chroot_fchdir = 1;
38718+#endif
38719+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
38720+ grsec_enable_chroot_shmat = 1;
38721+#endif
38722+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38723+ grsec_enable_chroot_double = 1;
38724+#endif
38725+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
38726+ grsec_enable_chroot_pivot = 1;
38727+#endif
38728+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38729+ grsec_enable_chroot_chdir = 1;
38730+#endif
38731+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38732+ grsec_enable_chroot_chmod = 1;
38733+#endif
38734+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
38735+ grsec_enable_chroot_mknod = 1;
38736+#endif
38737+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
38738+ grsec_enable_chroot_nice = 1;
38739+#endif
38740+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
38741+ grsec_enable_chroot_execlog = 1;
38742+#endif
38743+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38744+ grsec_enable_chroot_caps = 1;
38745+#endif
38746+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38747+ grsec_enable_chroot_sysctl = 1;
38748+#endif
38749+#ifdef CONFIG_GRKERNSEC_TPE
38750+ grsec_enable_tpe = 1;
38751+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
38752+#ifdef CONFIG_GRKERNSEC_TPE_ALL
38753+ grsec_enable_tpe_all = 1;
38754+#endif
38755+#endif
38756+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
38757+ grsec_enable_socket_all = 1;
38758+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
38759+#endif
38760+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
38761+ grsec_enable_socket_client = 1;
38762+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
38763+#endif
38764+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
38765+ grsec_enable_socket_server = 1;
38766+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
38767+#endif
38768+#endif
38769+
38770+ return;
38771+}
38772diff -urNp linux-2.6.32.9/grsecurity/grsec_link.c linux-2.6.32.9/grsecurity/grsec_link.c
38773--- linux-2.6.32.9/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
38774+++ linux-2.6.32.9/grsecurity/grsec_link.c 2010-02-23 17:09:53.304046495 -0500
38775@@ -0,0 +1,43 @@
38776+#include <linux/kernel.h>
38777+#include <linux/sched.h>
38778+#include <linux/fs.h>
38779+#include <linux/file.h>
38780+#include <linux/grinternal.h>
38781+
38782+int
38783+gr_handle_follow_link(const struct inode *parent,
38784+ const struct inode *inode,
38785+ const struct dentry *dentry, const struct vfsmount *mnt)
38786+{
38787+#ifdef CONFIG_GRKERNSEC_LINK
38788+ const struct cred *cred = current_cred();
38789+
38790+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
38791+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
38792+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
38793+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
38794+ return -EACCES;
38795+ }
38796+#endif
38797+ return 0;
38798+}
38799+
38800+int
38801+gr_handle_hardlink(const struct dentry *dentry,
38802+ const struct vfsmount *mnt,
38803+ struct inode *inode, const int mode, const char *to)
38804+{
38805+#ifdef CONFIG_GRKERNSEC_LINK
38806+ const struct cred *cred = current_cred();
38807+
38808+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
38809+ (!S_ISREG(mode) || (mode & S_ISUID) ||
38810+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
38811+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
38812+ !capable(CAP_FOWNER) && cred->uid) {
38813+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
38814+ return -EPERM;
38815+ }
38816+#endif
38817+ return 0;
38818+}
38819diff -urNp linux-2.6.32.9/grsecurity/grsec_log.c linux-2.6.32.9/grsecurity/grsec_log.c
38820--- linux-2.6.32.9/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
38821+++ linux-2.6.32.9/grsecurity/grsec_log.c 2010-02-23 17:09:53.304046495 -0500
38822@@ -0,0 +1,296 @@
38823+#include <linux/kernel.h>
38824+#include <linux/sched.h>
38825+#include <linux/file.h>
38826+#include <linux/tty.h>
38827+#include <linux/fs.h>
38828+#include <linux/grinternal.h>
38829+
38830+#define BEGIN_LOCKS(x) \
38831+ rcu_read_lock(); \
38832+ read_lock(&tasklist_lock); \
38833+ read_lock(&grsec_exec_file_lock); \
38834+ if (x != GR_DO_AUDIT) \
38835+ spin_lock(&grsec_alert_lock); \
38836+ else \
38837+ spin_lock(&grsec_audit_lock)
38838+
38839+#define END_LOCKS(x) \
38840+ if (x != GR_DO_AUDIT) \
38841+ spin_unlock(&grsec_alert_lock); \
38842+ else \
38843+ spin_unlock(&grsec_audit_lock); \
38844+ read_unlock(&grsec_exec_file_lock); \
38845+ read_unlock(&tasklist_lock); \
38846+ rcu_read_unlock(); \
38847+ if (x == GR_DONT_AUDIT) \
38848+ gr_handle_alertkill(current)
38849+
38850+enum {
38851+ FLOODING,
38852+ NO_FLOODING
38853+};
38854+
38855+extern char *gr_alert_log_fmt;
38856+extern char *gr_audit_log_fmt;
38857+extern char *gr_alert_log_buf;
38858+extern char *gr_audit_log_buf;
38859+
38860+static int gr_log_start(int audit)
38861+{
38862+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
38863+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
38864+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38865+
38866+ if (audit == GR_DO_AUDIT)
38867+ goto set_fmt;
38868+
38869+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
38870+ grsec_alert_wtime = jiffies;
38871+ grsec_alert_fyet = 0;
38872+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
38873+ grsec_alert_fyet++;
38874+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
38875+ grsec_alert_wtime = jiffies;
38876+ grsec_alert_fyet++;
38877+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
38878+ return FLOODING;
38879+ } else return FLOODING;
38880+
38881+set_fmt:
38882+ memset(buf, 0, PAGE_SIZE);
38883+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
38884+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
38885+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
38886+ } else if (current->signal->curr_ip) {
38887+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
38888+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
38889+ } else if (gr_acl_is_enabled()) {
38890+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
38891+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
38892+ } else {
38893+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
38894+ strcpy(buf, fmt);
38895+ }
38896+
38897+ return NO_FLOODING;
38898+}
38899+
38900+static void gr_log_middle(int audit, const char *msg, va_list ap)
38901+ __attribute__ ((format (printf, 2, 0)));
38902+
38903+static void gr_log_middle(int audit, const char *msg, va_list ap)
38904+{
38905+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38906+ unsigned int len = strlen(buf);
38907+
38908+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
38909+
38910+ return;
38911+}
38912+
38913+static void gr_log_middle_varargs(int audit, const char *msg, ...)
38914+ __attribute__ ((format (printf, 2, 3)));
38915+
38916+static void gr_log_middle_varargs(int audit, const char *msg, ...)
38917+{
38918+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38919+ unsigned int len = strlen(buf);
38920+ va_list ap;
38921+
38922+ va_start(ap, msg);
38923+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
38924+ va_end(ap);
38925+
38926+ return;
38927+}
38928+
38929+static void gr_log_end(int audit)
38930+{
38931+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38932+ unsigned int len = strlen(buf);
38933+
38934+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
38935+ printk("%s\n", buf);
38936+
38937+ return;
38938+}
38939+
38940+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
38941+{
38942+ int logtype;
38943+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
38944+ char *str1, *str2, *str3;
38945+ void *voidptr;
38946+ int num1, num2;
38947+ unsigned long ulong1, ulong2;
38948+ struct dentry *dentry;
38949+ struct vfsmount *mnt;
38950+ struct file *file;
38951+ struct task_struct *task;
38952+ const struct cred *cred, *pcred;
38953+ va_list ap;
38954+
38955+ BEGIN_LOCKS(audit);
38956+ logtype = gr_log_start(audit);
38957+ if (logtype == FLOODING) {
38958+ END_LOCKS(audit);
38959+ return;
38960+ }
38961+ va_start(ap, argtypes);
38962+ switch (argtypes) {
38963+ case GR_TTYSNIFF:
38964+ task = va_arg(ap, struct task_struct *);
38965+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
38966+ break;
38967+ case GR_SYSCTL_HIDDEN:
38968+ str1 = va_arg(ap, char *);
38969+ gr_log_middle_varargs(audit, msg, result, str1);
38970+ break;
38971+ case GR_RBAC:
38972+ dentry = va_arg(ap, struct dentry *);
38973+ mnt = va_arg(ap, struct vfsmount *);
38974+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
38975+ break;
38976+ case GR_RBAC_STR:
38977+ dentry = va_arg(ap, struct dentry *);
38978+ mnt = va_arg(ap, struct vfsmount *);
38979+ str1 = va_arg(ap, char *);
38980+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
38981+ break;
38982+ case GR_STR_RBAC:
38983+ str1 = va_arg(ap, char *);
38984+ dentry = va_arg(ap, struct dentry *);
38985+ mnt = va_arg(ap, struct vfsmount *);
38986+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
38987+ break;
38988+ case GR_RBAC_MODE2:
38989+ dentry = va_arg(ap, struct dentry *);
38990+ mnt = va_arg(ap, struct vfsmount *);
38991+ str1 = va_arg(ap, char *);
38992+ str2 = va_arg(ap, char *);
38993+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
38994+ break;
38995+ case GR_RBAC_MODE3:
38996+ dentry = va_arg(ap, struct dentry *);
38997+ mnt = va_arg(ap, struct vfsmount *);
38998+ str1 = va_arg(ap, char *);
38999+ str2 = va_arg(ap, char *);
39000+ str3 = va_arg(ap, char *);
39001+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
39002+ break;
39003+ case GR_FILENAME:
39004+ dentry = va_arg(ap, struct dentry *);
39005+ mnt = va_arg(ap, struct vfsmount *);
39006+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
39007+ break;
39008+ case GR_STR_FILENAME:
39009+ str1 = va_arg(ap, char *);
39010+ dentry = va_arg(ap, struct dentry *);
39011+ mnt = va_arg(ap, struct vfsmount *);
39012+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
39013+ break;
39014+ case GR_FILENAME_STR:
39015+ dentry = va_arg(ap, struct dentry *);
39016+ mnt = va_arg(ap, struct vfsmount *);
39017+ str1 = va_arg(ap, char *);
39018+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
39019+ break;
39020+ case GR_FILENAME_TWO_INT:
39021+ dentry = va_arg(ap, struct dentry *);
39022+ mnt = va_arg(ap, struct vfsmount *);
39023+ num1 = va_arg(ap, int);
39024+ num2 = va_arg(ap, int);
39025+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
39026+ break;
39027+ case GR_FILENAME_TWO_INT_STR:
39028+ dentry = va_arg(ap, struct dentry *);
39029+ mnt = va_arg(ap, struct vfsmount *);
39030+ num1 = va_arg(ap, int);
39031+ num2 = va_arg(ap, int);
39032+ str1 = va_arg(ap, char *);
39033+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
39034+ break;
39035+ case GR_TEXTREL:
39036+ file = va_arg(ap, struct file *);
39037+ ulong1 = va_arg(ap, unsigned long);
39038+ ulong2 = va_arg(ap, unsigned long);
39039+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
39040+ break;
39041+ case GR_PTRACE:
39042+ task = va_arg(ap, struct task_struct *);
39043+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
39044+ break;
39045+ case GR_RESOURCE:
39046+ task = va_arg(ap, struct task_struct *);
39047+ cred = __task_cred(task);
39048+ pcred = __task_cred(task->parent);
39049+ ulong1 = va_arg(ap, unsigned long);
39050+ str1 = va_arg(ap, char *);
39051+ ulong2 = va_arg(ap, unsigned long);
39052+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39053+ break;
39054+ case GR_CAP:
39055+ task = va_arg(ap, struct task_struct *);
39056+ cred = __task_cred(task);
39057+ pcred = __task_cred(task->parent);
39058+ str1 = va_arg(ap, char *);
39059+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39060+ break;
39061+ case GR_SIG:
39062+ str1 = va_arg(ap, char *);
39063+ voidptr = va_arg(ap, void *);
39064+ gr_log_middle_varargs(audit, msg, str1, voidptr);
39065+ break;
39066+ case GR_SIG2:
39067+ task = va_arg(ap, struct task_struct *);
39068+ cred = __task_cred(task);
39069+ pcred = __task_cred(task->parent);
39070+ num1 = va_arg(ap, int);
39071+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39072+ break;
39073+ case GR_CRASH1:
39074+ task = va_arg(ap, struct task_struct *);
39075+ cred = __task_cred(task);
39076+ pcred = __task_cred(task->parent);
39077+ ulong1 = va_arg(ap, unsigned long);
39078+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
39079+ break;
39080+ case GR_CRASH2:
39081+ task = va_arg(ap, struct task_struct *);
39082+ cred = __task_cred(task);
39083+ pcred = __task_cred(task->parent);
39084+ ulong1 = va_arg(ap, unsigned long);
39085+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
39086+ break;
39087+ case GR_PSACCT:
39088+ {
39089+ unsigned int wday, cday;
39090+ __u8 whr, chr;
39091+ __u8 wmin, cmin;
39092+ __u8 wsec, csec;
39093+ char cur_tty[64] = { 0 };
39094+ char parent_tty[64] = { 0 };
39095+
39096+ task = va_arg(ap, struct task_struct *);
39097+ wday = va_arg(ap, unsigned int);
39098+ cday = va_arg(ap, unsigned int);
39099+ whr = va_arg(ap, int);
39100+ chr = va_arg(ap, int);
39101+ wmin = va_arg(ap, int);
39102+ cmin = va_arg(ap, int);
39103+ wsec = va_arg(ap, int);
39104+ csec = va_arg(ap, int);
39105+ ulong1 = va_arg(ap, unsigned long);
39106+ cred = __task_cred(task);
39107+ pcred = __task_cred(task->parent);
39108+
39109+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39110+ }
39111+ break;
39112+ default:
39113+ gr_log_middle(audit, msg, ap);
39114+ }
39115+ va_end(ap);
39116+ gr_log_end(audit);
39117+ END_LOCKS(audit);
39118+}
39119diff -urNp linux-2.6.32.9/grsecurity/grsec_mem.c linux-2.6.32.9/grsecurity/grsec_mem.c
39120--- linux-2.6.32.9/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
39121+++ linux-2.6.32.9/grsecurity/grsec_mem.c 2010-02-23 17:09:53.304046495 -0500
39122@@ -0,0 +1,85 @@
39123+#include <linux/kernel.h>
39124+#include <linux/sched.h>
39125+#include <linux/mm.h>
39126+#include <linux/mman.h>
39127+#include <linux/grinternal.h>
39128+
39129+void
39130+gr_handle_ioperm(void)
39131+{
39132+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
39133+ return;
39134+}
39135+
39136+void
39137+gr_handle_iopl(void)
39138+{
39139+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
39140+ return;
39141+}
39142+
39143+void
39144+gr_handle_mem_write(void)
39145+{
39146+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
39147+ return;
39148+}
39149+
39150+void
39151+gr_handle_kmem_write(void)
39152+{
39153+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
39154+ return;
39155+}
39156+
39157+void
39158+gr_handle_open_port(void)
39159+{
39160+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
39161+ return;
39162+}
39163+
39164+int
39165+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
39166+{
39167+ unsigned long start, end;
39168+
39169+ start = offset;
39170+ end = start + vma->vm_end - vma->vm_start;
39171+
39172+ if (start > end) {
39173+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39174+ return -EPERM;
39175+ }
39176+
39177+ /* allowed ranges : ISA I/O BIOS */
39178+ if ((start >= __pa(high_memory))
39179+#if defined(CONFIG_X86) || defined(CONFIG_PPC)
39180+ || (start >= 0x000a0000 && end <= 0x00100000)
39181+ || (start >= 0x00000000 && end <= 0x00001000)
39182+#endif
39183+ )
39184+ return 0;
39185+
39186+ if (vma->vm_flags & VM_WRITE) {
39187+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39188+ return -EPERM;
39189+ } else
39190+ vma->vm_flags &= ~VM_MAYWRITE;
39191+
39192+ return 0;
39193+}
39194+
39195+void
39196+gr_log_nonroot_mod_load(const char *modname)
39197+{
39198+ gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
39199+ return;
39200+}
39201+
39202+void
39203+gr_handle_vm86(void)
39204+{
39205+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
39206+ return;
39207+}
39208diff -urNp linux-2.6.32.9/grsecurity/grsec_mount.c linux-2.6.32.9/grsecurity/grsec_mount.c
39209--- linux-2.6.32.9/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
39210+++ linux-2.6.32.9/grsecurity/grsec_mount.c 2010-02-23 17:09:53.304046495 -0500
39211@@ -0,0 +1,62 @@
39212+#include <linux/kernel.h>
39213+#include <linux/sched.h>
39214+#include <linux/mount.h>
39215+#include <linux/grsecurity.h>
39216+#include <linux/grinternal.h>
39217+
39218+void
39219+gr_log_remount(const char *devname, const int retval)
39220+{
39221+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39222+ if (grsec_enable_mount && (retval >= 0))
39223+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
39224+#endif
39225+ return;
39226+}
39227+
39228+void
39229+gr_log_unmount(const char *devname, const int retval)
39230+{
39231+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39232+ if (grsec_enable_mount && (retval >= 0))
39233+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
39234+#endif
39235+ return;
39236+}
39237+
39238+void
39239+gr_log_mount(const char *from, const char *to, const int retval)
39240+{
39241+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39242+ if (grsec_enable_mount && (retval >= 0))
39243+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
39244+#endif
39245+ return;
39246+}
39247+
39248+int
39249+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
39250+{
39251+#ifdef CONFIG_GRKERNSEC_ROFS
39252+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
39253+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
39254+ return -EPERM;
39255+ } else
39256+ return 0;
39257+#endif
39258+ return 0;
39259+}
39260+
39261+int
39262+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
39263+{
39264+#ifdef CONFIG_GRKERNSEC_ROFS
39265+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
39266+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
39267+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
39268+ return -EPERM;
39269+ } else
39270+ return 0;
39271+#endif
39272+ return 0;
39273+}
39274diff -urNp linux-2.6.32.9/grsecurity/grsec_sig.c linux-2.6.32.9/grsecurity/grsec_sig.c
39275--- linux-2.6.32.9/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
39276+++ linux-2.6.32.9/grsecurity/grsec_sig.c 2010-02-23 17:09:53.304046495 -0500
39277@@ -0,0 +1,65 @@
39278+#include <linux/kernel.h>
39279+#include <linux/sched.h>
39280+#include <linux/delay.h>
39281+#include <linux/grsecurity.h>
39282+#include <linux/grinternal.h>
39283+
39284+char *signames[] = {
39285+ [SIGSEGV] = "Segmentation fault",
39286+ [SIGILL] = "Illegal instruction",
39287+ [SIGABRT] = "Abort",
39288+ [SIGBUS] = "Invalid alignment/Bus error"
39289+};
39290+
39291+void
39292+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
39293+{
39294+#ifdef CONFIG_GRKERNSEC_SIGNAL
39295+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
39296+ (sig == SIGABRT) || (sig == SIGBUS))) {
39297+ if (t->pid == current->pid) {
39298+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
39299+ } else {
39300+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
39301+ }
39302+ }
39303+#endif
39304+ return;
39305+}
39306+
39307+int
39308+gr_handle_signal(const struct task_struct *p, const int sig)
39309+{
39310+#ifdef CONFIG_GRKERNSEC
39311+ if (current->pid > 1 && gr_check_protected_task(p)) {
39312+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
39313+ return -EPERM;
39314+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
39315+ return -EPERM;
39316+ }
39317+#endif
39318+ return 0;
39319+}
39320+
39321+void gr_handle_brute_attach(struct task_struct *p)
39322+{
39323+#ifdef CONFIG_GRKERNSEC_BRUTE
39324+ read_lock(&tasklist_lock);
39325+ read_lock(&grsec_exec_file_lock);
39326+ if (p->parent && p->parent->exec_file == p->exec_file)
39327+ p->parent->brute = 1;
39328+ read_unlock(&grsec_exec_file_lock);
39329+ read_unlock(&tasklist_lock);
39330+#endif
39331+ return;
39332+}
39333+
39334+void gr_handle_brute_check(void)
39335+{
39336+#ifdef CONFIG_GRKERNSEC_BRUTE
39337+ if (current->brute)
39338+ msleep(30 * 1000);
39339+#endif
39340+ return;
39341+}
39342+
39343diff -urNp linux-2.6.32.9/grsecurity/grsec_sock.c linux-2.6.32.9/grsecurity/grsec_sock.c
39344--- linux-2.6.32.9/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
39345+++ linux-2.6.32.9/grsecurity/grsec_sock.c 2010-02-23 17:09:53.304046495 -0500
39346@@ -0,0 +1,271 @@
39347+#include <linux/kernel.h>
39348+#include <linux/module.h>
39349+#include <linux/sched.h>
39350+#include <linux/file.h>
39351+#include <linux/net.h>
39352+#include <linux/in.h>
39353+#include <linux/ip.h>
39354+#include <net/sock.h>
39355+#include <net/inet_sock.h>
39356+#include <linux/grsecurity.h>
39357+#include <linux/grinternal.h>
39358+#include <linux/gracl.h>
39359+
39360+kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
39361+EXPORT_SYMBOL(gr_cap_rtnetlink);
39362+
39363+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
39364+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
39365+
39366+EXPORT_SYMBOL(gr_search_udp_recvmsg);
39367+EXPORT_SYMBOL(gr_search_udp_sendmsg);
39368+
39369+#ifdef CONFIG_UNIX_MODULE
39370+EXPORT_SYMBOL(gr_acl_handle_unix);
39371+EXPORT_SYMBOL(gr_acl_handle_mknod);
39372+EXPORT_SYMBOL(gr_handle_chroot_unix);
39373+EXPORT_SYMBOL(gr_handle_create);
39374+#endif
39375+
39376+#ifdef CONFIG_GRKERNSEC
39377+#define gr_conn_table_size 32749
39378+struct conn_table_entry {
39379+ struct conn_table_entry *next;
39380+ struct signal_struct *sig;
39381+};
39382+
39383+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
39384+DEFINE_SPINLOCK(gr_conn_table_lock);
39385+
39386+extern const char * gr_socktype_to_name(unsigned char type);
39387+extern const char * gr_proto_to_name(unsigned char proto);
39388+
39389+static __inline__ int
39390+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
39391+{
39392+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
39393+}
39394+
39395+static __inline__ int
39396+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
39397+ __u16 sport, __u16 dport)
39398+{
39399+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
39400+ sig->gr_sport == sport && sig->gr_dport == dport))
39401+ return 1;
39402+ else
39403+ return 0;
39404+}
39405+
39406+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
39407+{
39408+ struct conn_table_entry **match;
39409+ unsigned int index;
39410+
39411+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39412+ sig->gr_sport, sig->gr_dport,
39413+ gr_conn_table_size);
39414+
39415+ newent->sig = sig;
39416+
39417+ match = &gr_conn_table[index];
39418+ newent->next = *match;
39419+ *match = newent;
39420+
39421+ return;
39422+}
39423+
39424+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
39425+{
39426+ struct conn_table_entry *match, *last = NULL;
39427+ unsigned int index;
39428+
39429+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39430+ sig->gr_sport, sig->gr_dport,
39431+ gr_conn_table_size);
39432+
39433+ match = gr_conn_table[index];
39434+ while (match && !conn_match(match->sig,
39435+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
39436+ sig->gr_dport)) {
39437+ last = match;
39438+ match = match->next;
39439+ }
39440+
39441+ if (match) {
39442+ if (last)
39443+ last->next = match->next;
39444+ else
39445+ gr_conn_table[index] = NULL;
39446+ kfree(match);
39447+ }
39448+
39449+ return;
39450+}
39451+
39452+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
39453+ __u16 sport, __u16 dport)
39454+{
39455+ struct conn_table_entry *match;
39456+ unsigned int index;
39457+
39458+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
39459+
39460+ match = gr_conn_table[index];
39461+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
39462+ match = match->next;
39463+
39464+ if (match)
39465+ return match->sig;
39466+ else
39467+ return NULL;
39468+}
39469+
39470+#endif
39471+
39472+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
39473+{
39474+#ifdef CONFIG_GRKERNSEC
39475+ struct signal_struct *sig = task->signal;
39476+ struct conn_table_entry *newent;
39477+
39478+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
39479+ if (newent == NULL)
39480+ return;
39481+ /* no bh lock needed since we are called with bh disabled */
39482+ spin_lock(&gr_conn_table_lock);
39483+ gr_del_task_from_ip_table_nolock(sig);
39484+ sig->gr_saddr = inet->rcv_saddr;
39485+ sig->gr_daddr = inet->daddr;
39486+ sig->gr_sport = inet->sport;
39487+ sig->gr_dport = inet->dport;
39488+ gr_add_to_task_ip_table_nolock(sig, newent);
39489+ spin_unlock(&gr_conn_table_lock);
39490+#endif
39491+ return;
39492+}
39493+
39494+void gr_del_task_from_ip_table(struct task_struct *task)
39495+{
39496+#ifdef CONFIG_GRKERNSEC
39497+ spin_lock_bh(&gr_conn_table_lock);
39498+ gr_del_task_from_ip_table_nolock(task->signal);
39499+ spin_unlock_bh(&gr_conn_table_lock);
39500+#endif
39501+ return;
39502+}
39503+
39504+void
39505+gr_attach_curr_ip(const struct sock *sk)
39506+{
39507+#ifdef CONFIG_GRKERNSEC
39508+ struct signal_struct *p, *set;
39509+ const struct inet_sock *inet = inet_sk(sk);
39510+
39511+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
39512+ return;
39513+
39514+ set = current->signal;
39515+
39516+ spin_lock_bh(&gr_conn_table_lock);
39517+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
39518+ inet->dport, inet->sport);
39519+ if (unlikely(p != NULL)) {
39520+ set->curr_ip = p->curr_ip;
39521+ set->used_accept = 1;
39522+ gr_del_task_from_ip_table_nolock(p);
39523+ spin_unlock_bh(&gr_conn_table_lock);
39524+ return;
39525+ }
39526+ spin_unlock_bh(&gr_conn_table_lock);
39527+
39528+ set->curr_ip = inet->daddr;
39529+ set->used_accept = 1;
39530+#endif
39531+ return;
39532+}
39533+
39534+int
39535+gr_handle_sock_all(const int family, const int type, const int protocol)
39536+{
39537+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39538+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
39539+ (family != AF_UNIX) && (family != AF_LOCAL)) {
39540+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
39541+ return -EACCES;
39542+ }
39543+#endif
39544+ return 0;
39545+}
39546+
39547+int
39548+gr_handle_sock_server(const struct sockaddr *sck)
39549+{
39550+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39551+ if (grsec_enable_socket_server &&
39552+ in_group_p(grsec_socket_server_gid) &&
39553+ sck && (sck->sa_family != AF_UNIX) &&
39554+ (sck->sa_family != AF_LOCAL)) {
39555+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39556+ return -EACCES;
39557+ }
39558+#endif
39559+ return 0;
39560+}
39561+
39562+int
39563+gr_handle_sock_server_other(const struct sock *sck)
39564+{
39565+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39566+ if (grsec_enable_socket_server &&
39567+ in_group_p(grsec_socket_server_gid) &&
39568+ sck && (sck->sk_family != AF_UNIX) &&
39569+ (sck->sk_family != AF_LOCAL)) {
39570+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39571+ return -EACCES;
39572+ }
39573+#endif
39574+ return 0;
39575+}
39576+
39577+int
39578+gr_handle_sock_client(const struct sockaddr *sck)
39579+{
39580+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39581+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
39582+ sck && (sck->sa_family != AF_UNIX) &&
39583+ (sck->sa_family != AF_LOCAL)) {
39584+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
39585+ return -EACCES;
39586+ }
39587+#endif
39588+ return 0;
39589+}
39590+
39591+kernel_cap_t
39592+gr_cap_rtnetlink(struct sock *sock)
39593+{
39594+#ifdef CONFIG_GRKERNSEC
39595+ if (!gr_acl_is_enabled())
39596+ return current_cap();
39597+ else if (sock->sk_protocol == NETLINK_ISCSI &&
39598+ cap_raised(current_cap(), CAP_SYS_ADMIN) &&
39599+ gr_is_capable(CAP_SYS_ADMIN))
39600+ return current_cap();
39601+ else if (sock->sk_protocol == NETLINK_AUDIT &&
39602+ cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
39603+ gr_is_capable(CAP_AUDIT_WRITE) &&
39604+ cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
39605+ gr_is_capable(CAP_AUDIT_CONTROL))
39606+ return current_cap();
39607+ else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
39608+ ((sock->sk_protocol == NETLINK_ROUTE) ?
39609+ gr_is_capable_nolog(CAP_NET_ADMIN) :
39610+ gr_is_capable(CAP_NET_ADMIN)))
39611+ return current_cap();
39612+ else
39613+ return __cap_empty_set;
39614+#else
39615+ return current_cap();
39616+#endif
39617+}
39618diff -urNp linux-2.6.32.9/grsecurity/grsec_sysctl.c linux-2.6.32.9/grsecurity/grsec_sysctl.c
39619--- linux-2.6.32.9/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
39620+++ linux-2.6.32.9/grsecurity/grsec_sysctl.c 2010-02-23 17:09:53.304046495 -0500
39621@@ -0,0 +1,419 @@
39622+#include <linux/kernel.h>
39623+#include <linux/sched.h>
39624+#include <linux/sysctl.h>
39625+#include <linux/grsecurity.h>
39626+#include <linux/grinternal.h>
39627+
39628+int
39629+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
39630+{
39631+#ifdef CONFIG_GRKERNSEC_SYSCTL
39632+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
39633+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
39634+ return -EACCES;
39635+ }
39636+#endif
39637+ return 0;
39638+}
39639+
39640+#ifdef CONFIG_GRKERNSEC_ROFS
39641+static int __maybe_unused one = 1;
39642+#endif
39643+
39644+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
39645+ctl_table grsecurity_table[] = {
39646+#ifdef CONFIG_GRKERNSEC_SYSCTL
39647+#ifdef CONFIG_GRKERNSEC_LINK
39648+ {
39649+ .ctl_name = CTL_UNNUMBERED,
39650+ .procname = "linking_restrictions",
39651+ .data = &grsec_enable_link,
39652+ .maxlen = sizeof(int),
39653+ .mode = 0600,
39654+ .proc_handler = &proc_dointvec,
39655+ },
39656+#endif
39657+#ifdef CONFIG_GRKERNSEC_FIFO
39658+ {
39659+ .ctl_name = CTL_UNNUMBERED,
39660+ .procname = "fifo_restrictions",
39661+ .data = &grsec_enable_fifo,
39662+ .maxlen = sizeof(int),
39663+ .mode = 0600,
39664+ .proc_handler = &proc_dointvec,
39665+ },
39666+#endif
39667+#ifdef CONFIG_GRKERNSEC_EXECVE
39668+ {
39669+ .ctl_name = CTL_UNNUMBERED,
39670+ .procname = "execve_limiting",
39671+ .data = &grsec_enable_execve,
39672+ .maxlen = sizeof(int),
39673+ .mode = 0600,
39674+ .proc_handler = &proc_dointvec,
39675+ },
39676+#endif
39677+#ifdef CONFIG_GRKERNSEC_EXECLOG
39678+ {
39679+ .ctl_name = CTL_UNNUMBERED,
39680+ .procname = "exec_logging",
39681+ .data = &grsec_enable_execlog,
39682+ .maxlen = sizeof(int),
39683+ .mode = 0600,
39684+ .proc_handler = &proc_dointvec,
39685+ },
39686+#endif
39687+#ifdef CONFIG_GRKERNSEC_SIGNAL
39688+ {
39689+ .ctl_name = CTL_UNNUMBERED,
39690+ .procname = "signal_logging",
39691+ .data = &grsec_enable_signal,
39692+ .maxlen = sizeof(int),
39693+ .mode = 0600,
39694+ .proc_handler = &proc_dointvec,
39695+ },
39696+#endif
39697+#ifdef CONFIG_GRKERNSEC_FORKFAIL
39698+ {
39699+ .ctl_name = CTL_UNNUMBERED,
39700+ .procname = "forkfail_logging",
39701+ .data = &grsec_enable_forkfail,
39702+ .maxlen = sizeof(int),
39703+ .mode = 0600,
39704+ .proc_handler = &proc_dointvec,
39705+ },
39706+#endif
39707+#ifdef CONFIG_GRKERNSEC_TIME
39708+ {
39709+ .ctl_name = CTL_UNNUMBERED,
39710+ .procname = "timechange_logging",
39711+ .data = &grsec_enable_time,
39712+ .maxlen = sizeof(int),
39713+ .mode = 0600,
39714+ .proc_handler = &proc_dointvec,
39715+ },
39716+#endif
39717+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39718+ {
39719+ .ctl_name = CTL_UNNUMBERED,
39720+ .procname = "chroot_deny_shmat",
39721+ .data = &grsec_enable_chroot_shmat,
39722+ .maxlen = sizeof(int),
39723+ .mode = 0600,
39724+ .proc_handler = &proc_dointvec,
39725+ },
39726+#endif
39727+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39728+ {
39729+ .ctl_name = CTL_UNNUMBERED,
39730+ .procname = "chroot_deny_unix",
39731+ .data = &grsec_enable_chroot_unix,
39732+ .maxlen = sizeof(int),
39733+ .mode = 0600,
39734+ .proc_handler = &proc_dointvec,
39735+ },
39736+#endif
39737+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39738+ {
39739+ .ctl_name = CTL_UNNUMBERED,
39740+ .procname = "chroot_deny_mount",
39741+ .data = &grsec_enable_chroot_mount,
39742+ .maxlen = sizeof(int),
39743+ .mode = 0600,
39744+ .proc_handler = &proc_dointvec,
39745+ },
39746+#endif
39747+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39748+ {
39749+ .ctl_name = CTL_UNNUMBERED,
39750+ .procname = "chroot_deny_fchdir",
39751+ .data = &grsec_enable_chroot_fchdir,
39752+ .maxlen = sizeof(int),
39753+ .mode = 0600,
39754+ .proc_handler = &proc_dointvec,
39755+ },
39756+#endif
39757+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39758+ {
39759+ .ctl_name = CTL_UNNUMBERED,
39760+ .procname = "chroot_deny_chroot",
39761+ .data = &grsec_enable_chroot_double,
39762+ .maxlen = sizeof(int),
39763+ .mode = 0600,
39764+ .proc_handler = &proc_dointvec,
39765+ },
39766+#endif
39767+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39768+ {
39769+ .ctl_name = CTL_UNNUMBERED,
39770+ .procname = "chroot_deny_pivot",
39771+ .data = &grsec_enable_chroot_pivot,
39772+ .maxlen = sizeof(int),
39773+ .mode = 0600,
39774+ .proc_handler = &proc_dointvec,
39775+ },
39776+#endif
39777+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39778+ {
39779+ .ctl_name = CTL_UNNUMBERED,
39780+ .procname = "chroot_enforce_chdir",
39781+ .data = &grsec_enable_chroot_chdir,
39782+ .maxlen = sizeof(int),
39783+ .mode = 0600,
39784+ .proc_handler = &proc_dointvec,
39785+ },
39786+#endif
39787+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
39788+ {
39789+ .ctl_name = CTL_UNNUMBERED,
39790+ .procname = "chroot_deny_chmod",
39791+ .data = &grsec_enable_chroot_chmod,
39792+ .maxlen = sizeof(int),
39793+ .mode = 0600,
39794+ .proc_handler = &proc_dointvec,
39795+ },
39796+#endif
39797+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39798+ {
39799+ .ctl_name = CTL_UNNUMBERED,
39800+ .procname = "chroot_deny_mknod",
39801+ .data = &grsec_enable_chroot_mknod,
39802+ .maxlen = sizeof(int),
39803+ .mode = 0600,
39804+ .proc_handler = &proc_dointvec,
39805+ },
39806+#endif
39807+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39808+ {
39809+ .ctl_name = CTL_UNNUMBERED,
39810+ .procname = "chroot_restrict_nice",
39811+ .data = &grsec_enable_chroot_nice,
39812+ .maxlen = sizeof(int),
39813+ .mode = 0600,
39814+ .proc_handler = &proc_dointvec,
39815+ },
39816+#endif
39817+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39818+ {
39819+ .ctl_name = CTL_UNNUMBERED,
39820+ .procname = "chroot_execlog",
39821+ .data = &grsec_enable_chroot_execlog,
39822+ .maxlen = sizeof(int),
39823+ .mode = 0600,
39824+ .proc_handler = &proc_dointvec,
39825+ },
39826+#endif
39827+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39828+ {
39829+ .ctl_name = CTL_UNNUMBERED,
39830+ .procname = "chroot_caps",
39831+ .data = &grsec_enable_chroot_caps,
39832+ .maxlen = sizeof(int),
39833+ .mode = 0600,
39834+ .proc_handler = &proc_dointvec,
39835+ },
39836+#endif
39837+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39838+ {
39839+ .ctl_name = CTL_UNNUMBERED,
39840+ .procname = "chroot_deny_sysctl",
39841+ .data = &grsec_enable_chroot_sysctl,
39842+ .maxlen = sizeof(int),
39843+ .mode = 0600,
39844+ .proc_handler = &proc_dointvec,
39845+ },
39846+#endif
39847+#ifdef CONFIG_GRKERNSEC_TPE
39848+ {
39849+ .ctl_name = CTL_UNNUMBERED,
39850+ .procname = "tpe",
39851+ .data = &grsec_enable_tpe,
39852+ .maxlen = sizeof(int),
39853+ .mode = 0600,
39854+ .proc_handler = &proc_dointvec,
39855+ },
39856+ {
39857+ .ctl_name = CTL_UNNUMBERED,
39858+ .procname = "tpe_gid",
39859+ .data = &grsec_tpe_gid,
39860+ .maxlen = sizeof(int),
39861+ .mode = 0600,
39862+ .proc_handler = &proc_dointvec,
39863+ },
39864+#endif
39865+#ifdef CONFIG_GRKERNSEC_TPE_ALL
39866+ {
39867+ .ctl_name = CTL_UNNUMBERED,
39868+ .procname = "tpe_restrict_all",
39869+ .data = &grsec_enable_tpe_all,
39870+ .maxlen = sizeof(int),
39871+ .mode = 0600,
39872+ .proc_handler = &proc_dointvec,
39873+ },
39874+#endif
39875+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39876+ {
39877+ .ctl_name = CTL_UNNUMBERED,
39878+ .procname = "socket_all",
39879+ .data = &grsec_enable_socket_all,
39880+ .maxlen = sizeof(int),
39881+ .mode = 0600,
39882+ .proc_handler = &proc_dointvec,
39883+ },
39884+ {
39885+ .ctl_name = CTL_UNNUMBERED,
39886+ .procname = "socket_all_gid",
39887+ .data = &grsec_socket_all_gid,
39888+ .maxlen = sizeof(int),
39889+ .mode = 0600,
39890+ .proc_handler = &proc_dointvec,
39891+ },
39892+#endif
39893+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39894+ {
39895+ .ctl_name = CTL_UNNUMBERED,
39896+ .procname = "socket_client",
39897+ .data = &grsec_enable_socket_client,
39898+ .maxlen = sizeof(int),
39899+ .mode = 0600,
39900+ .proc_handler = &proc_dointvec,
39901+ },
39902+ {
39903+ .ctl_name = CTL_UNNUMBERED,
39904+ .procname = "socket_client_gid",
39905+ .data = &grsec_socket_client_gid,
39906+ .maxlen = sizeof(int),
39907+ .mode = 0600,
39908+ .proc_handler = &proc_dointvec,
39909+ },
39910+#endif
39911+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39912+ {
39913+ .ctl_name = CTL_UNNUMBERED,
39914+ .procname = "socket_server",
39915+ .data = &grsec_enable_socket_server,
39916+ .maxlen = sizeof(int),
39917+ .mode = 0600,
39918+ .proc_handler = &proc_dointvec,
39919+ },
39920+ {
39921+ .ctl_name = CTL_UNNUMBERED,
39922+ .procname = "socket_server_gid",
39923+ .data = &grsec_socket_server_gid,
39924+ .maxlen = sizeof(int),
39925+ .mode = 0600,
39926+ .proc_handler = &proc_dointvec,
39927+ },
39928+#endif
39929+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
39930+ {
39931+ .ctl_name = CTL_UNNUMBERED,
39932+ .procname = "audit_group",
39933+ .data = &grsec_enable_group,
39934+ .maxlen = sizeof(int),
39935+ .mode = 0600,
39936+ .proc_handler = &proc_dointvec,
39937+ },
39938+ {
39939+ .ctl_name = CTL_UNNUMBERED,
39940+ .procname = "audit_gid",
39941+ .data = &grsec_audit_gid,
39942+ .maxlen = sizeof(int),
39943+ .mode = 0600,
39944+ .proc_handler = &proc_dointvec,
39945+ },
39946+#endif
39947+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39948+ {
39949+ .ctl_name = CTL_UNNUMBERED,
39950+ .procname = "audit_chdir",
39951+ .data = &grsec_enable_chdir,
39952+ .maxlen = sizeof(int),
39953+ .mode = 0600,
39954+ .proc_handler = &proc_dointvec,
39955+ },
39956+#endif
39957+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39958+ {
39959+ .ctl_name = CTL_UNNUMBERED,
39960+ .procname = "audit_mount",
39961+ .data = &grsec_enable_mount,
39962+ .maxlen = sizeof(int),
39963+ .mode = 0600,
39964+ .proc_handler = &proc_dointvec,
39965+ },
39966+#endif
39967+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
39968+ {
39969+ .ctl_name = CTL_UNNUMBERED,
39970+ .procname = "audit_textrel",
39971+ .data = &grsec_enable_audit_textrel,
39972+ .maxlen = sizeof(int),
39973+ .mode = 0600,
39974+ .proc_handler = &proc_dointvec,
39975+ },
39976+#endif
39977+#ifdef CONFIG_GRKERNSEC_DMESG
39978+ {
39979+ .ctl_name = CTL_UNNUMBERED,
39980+ .procname = "dmesg",
39981+ .data = &grsec_enable_dmesg,
39982+ .maxlen = sizeof(int),
39983+ .mode = 0600,
39984+ .proc_handler = &proc_dointvec,
39985+ },
39986+#endif
39987+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39988+ {
39989+ .ctl_name = CTL_UNNUMBERED,
39990+ .procname = "chroot_findtask",
39991+ .data = &grsec_enable_chroot_findtask,
39992+ .maxlen = sizeof(int),
39993+ .mode = 0600,
39994+ .proc_handler = &proc_dointvec,
39995+ },
39996+#endif
39997+#ifdef CONFIG_GRKERNSEC_RESLOG
39998+ {
39999+ .ctl_name = CTL_UNNUMBERED,
40000+ .procname = "resource_logging",
40001+ .data = &grsec_resource_logging,
40002+ .maxlen = sizeof(int),
40003+ .mode = 0600,
40004+ .proc_handler = &proc_dointvec,
40005+ },
40006+#endif
40007+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40008+ {
40009+ .ctl_name = CTL_UNNUMBERED,
40010+ .procname = "harden_ptrace",
40011+ .data = &grsec_enable_harden_ptrace,
40012+ .maxlen = sizeof(int),
40013+ .mode = 0600,
40014+ .proc_handler = &proc_dointvec,
40015+ },
40016+#endif
40017+ {
40018+ .ctl_name = CTL_UNNUMBERED,
40019+ .procname = "grsec_lock",
40020+ .data = &grsec_lock,
40021+ .maxlen = sizeof(int),
40022+ .mode = 0600,
40023+ .proc_handler = &proc_dointvec,
40024+ },
40025+#endif
40026+#ifdef CONFIG_GRKERNSEC_ROFS
40027+ {
40028+ .ctl_name = CTL_UNNUMBERED,
40029+ .procname = "romount_protect",
40030+ .data = &grsec_enable_rofs,
40031+ .maxlen = sizeof(int),
40032+ .mode = 0600,
40033+ .proc_handler = &proc_dointvec_minmax,
40034+ .extra1 = &one,
40035+ .extra2 = &one,
40036+ },
40037+#endif
40038+ { .ctl_name = 0 }
40039+};
40040+#endif
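Review bot: The `grsec_lock` entry near the end of `grsecurity_table` has no comment saying that it is what makes the whole directory one-way; taken alone, the entry would accept a write of 0 like any other `proc_dointvec` value. The lock holds only because `gr_handle_sysctl_mod()` at the top of this file returns -EACCES for any `MAY_WRITE` under `"grsecurity"` once `grsec_lock` is non-zero, presumably called from the sysctl permission path, which this hunk does not show. I would add `/* one-way: once set, gr_handle_sysctl_mod() refuses every write in this directory, this entry included */` above the entry. Separately, the on/off toggles and the `*_gid` entries accept any int through `proc_dointvec`, whereas `romount_protect` is already clamped with `proc_dointvec_minmax`; the same clamp on the toggles would reject stray values.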
40041diff -urNp linux-2.6.32.9/grsecurity/grsec_textrel.c linux-2.6.32.9/grsecurity/grsec_textrel.c
40042--- linux-2.6.32.9/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
40043+++ linux-2.6.32.9/grsecurity/grsec_textrel.c 2010-02-23 17:09:53.304046495 -0500
40044@@ -0,0 +1,16 @@
40045+#include <linux/kernel.h>
40046+#include <linux/sched.h>
40047+#include <linux/mm.h>
40048+#include <linux/file.h>
40049+#include <linux/grinternal.h>
40050+#include <linux/grsecurity.h>
40051+
40052+void
40053+gr_log_textrel(struct vm_area_struct * vma)
40054+{
40055+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40056+ if (grsec_enable_audit_textrel)
40057+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
40058+#endif
40059+ return;
40060+}
40061diff -urNp linux-2.6.32.9/grsecurity/grsec_time.c linux-2.6.32.9/grsecurity/grsec_time.c
40062--- linux-2.6.32.9/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
40063+++ linux-2.6.32.9/grsecurity/grsec_time.c 2010-02-23 17:09:53.304046495 -0500
40064@@ -0,0 +1,13 @@
40065+#include <linux/kernel.h>
40066+#include <linux/sched.h>
40067+#include <linux/grinternal.h>
40068+
40069+void
40070+gr_log_timechange(void)
40071+{
40072+#ifdef CONFIG_GRKERNSEC_TIME
40073+ if (grsec_enable_time)
40074+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
40075+#endif
40076+ return;
40077+}
40078diff -urNp linux-2.6.32.9/grsecurity/grsec_tpe.c linux-2.6.32.9/grsecurity/grsec_tpe.c
40079--- linux-2.6.32.9/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
40080+++ linux-2.6.32.9/grsecurity/grsec_tpe.c 2010-02-23 17:09:53.304046495 -0500
40081@@ -0,0 +1,38 @@
40082+#include <linux/kernel.h>
40083+#include <linux/sched.h>
40084+#include <linux/file.h>
40085+#include <linux/fs.h>
40086+#include <linux/grinternal.h>
40087+
40088+extern int gr_acl_tpe_check(void);
40089+
40090+int
40091+gr_tpe_allow(const struct file *file)
40092+{
40093+#ifdef CONFIG_GRKERNSEC
40094+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
40095+ const struct cred *cred = current_cred();
40096+
40097+ if (cred->uid && ((grsec_enable_tpe &&
40098+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40099+ !in_group_p(grsec_tpe_gid)
40100+#else
40101+ in_group_p(grsec_tpe_gid)
40102+#endif
40103+ ) || gr_acl_tpe_check()) &&
40104+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
40105+ (inode->i_mode & S_IWOTH))))) {
40106+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
40107+ return 0;
40108+ }
40109+#ifdef CONFIG_GRKERNSEC_TPE_ALL
40110+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
40111+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
40112+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
40113+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
40114+ return 0;
40115+ }
40116+#endif
40117+#endif
40118+ return 1;
40119+}
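Review bot: `gr_tpe_allow()` returns 1 to permit and 0 to deny, the opposite sense of the `gr_handle_sock_*` helpers earlier in this patch, which return 0 to permit and -EACCES to deny, and nothing in the file says so. A header comment such as `/* returns 1 if exec is allowed, 0 if TPE denies it; only the owner and the group/other write bits of the file's immediate parent directory are examined */` would keep a caller from testing it the wrong way round. In the first condition, `(inode->i_uid || (!inode->i_uid && (...)))` contains a redundant `!inode->i_uid` term and reads more clearly as `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`. The parent inode is reached through a bare `d_parent` dereference with no reference taken in the visible code, so it is worth confirming against the caller whether a concurrent rename can change the directory being judged.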
40120diff -urNp linux-2.6.32.9/grsecurity/grsum.c linux-2.6.32.9/grsecurity/grsum.c
40121--- linux-2.6.32.9/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
40122+++ linux-2.6.32.9/grsecurity/grsum.c 2010-02-23 17:09:53.304046495 -0500
40123@@ -0,0 +1,59 @@
40124+#include <linux/err.h>
40125+#include <linux/kernel.h>
40126+#include <linux/sched.h>
40127+#include <linux/mm.h>
40128+#include <linux/scatterlist.h>
40129+#include <linux/crypto.h>
40130+#include <linux/gracl.h>
40131+
40132+
40133+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
40134+#error "crypto and sha256 must be built into the kernel"
40135+#endif
40136+
40137+int
40138+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
40139+{
40140+ char *p;
40141+ struct crypto_hash *tfm;
40142+ struct hash_desc desc;
40143+ struct scatterlist sg;
40144+ unsigned char temp_sum[GR_SHA_LEN];
40145+ volatile int retval = 0;
40146+ volatile int dummy = 0;
40147+ unsigned int i;
40148+
40149+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
40150+ if (IS_ERR(tfm)) {
40151+ /* should never happen, since sha256 should be built in */
40152+ return 1;
40153+ }
40154+
40155+ desc.tfm = tfm;
40156+ desc.flags = 0;
40157+
40158+ crypto_hash_init(&desc);
40159+
40160+ p = salt;
40161+ sg_set_buf(&sg, p, GR_SALT_LEN);
40162+ crypto_hash_update(&desc, &sg, sg.length);
40163+
40164+ p = entry->pw;
40165+ sg_set_buf(&sg, p, strlen(p));
40166+
40167+ crypto_hash_update(&desc, &sg, sg.length);
40168+
40169+ crypto_hash_final(&desc, temp_sum);
40170+
40171+ memset(entry->pw, 0, GR_PW_LEN);
40172+
40173+ for (i = 0; i < GR_SHA_LEN; i++)
40174+ if (sum[i] != temp_sum[i])
40175+ retval = 1;
40176+ else
40177+ dummy = 1; // waste a cycle
40178+
40179+ crypto_free_hash(tfm);
40180+
40181+ return retval;
40182+}
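Review bot: `chkpw()` ignores the return values of `crypto_hash_init()`, `crypto_hash_update()` and `crypto_hash_final()`, so if any of them fails the comparison loop runs against an uninitialised `temp_sum` and the verdict depends on whatever the stack held. The early `IS_ERR(tfm)` return also leaves `entry->pw` un-wiped, unlike the normal path. The version below checks each step, rejects on any failure and clears the password on every exit, leaving the comparison loop as it is. `strlen(entry->pw)` assumes the caller has NUL-terminated the buffer within `GR_PW_LEN`, which is not visible in this hunk.

```c
	tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm)) {
		/* wipe the password on this exit too, then reject */
		memset(entry->pw, 0, GR_PW_LEN);
		return 1;
	}
	/* ... unchanged: desc.tfm / desc.flags setup ... */
	if (crypto_hash_init(&desc))
		goto fail;
	/* ... unchanged: sg_set_buf() over the salt ... */
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto fail;
	/* ... unchanged: sg_set_buf() over entry->pw ... */
	if (crypto_hash_update(&desc, &sg, sg.length) ||
	    crypto_hash_final(&desc, temp_sum))
		goto fail;
	/* ... unchanged: password wipe and comparison loop ... */
	goto out;
fail:
	/* no valid digest was produced: clear the password and fail closed */
	memset(entry->pw, 0, GR_PW_LEN);
	retval = 1;
out:
	crypto_free_hash(tfm);
	return retval;
```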
40183diff -urNp linux-2.6.32.9/grsecurity/Kconfig linux-2.6.32.9/grsecurity/Kconfig
40184--- linux-2.6.32.9/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
40185+++ linux-2.6.32.9/grsecurity/Kconfig 2010-02-23 17:09:53.308131663 -0500
40186@@ -0,0 +1,937 @@
40187+#
40188+# grecurity configuration
40189+#
40190+
40191+menu "Grsecurity"
40192+
40193+config GRKERNSEC
40194+ bool "Grsecurity"
40195+ select CRYPTO
40196+ select CRYPTO_SHA256
40197+ help
40198+ If you say Y here, you will be able to configure many features
40199+ that will enhance the security of your system. It is highly
40200+ recommended that you say Y here and read through the help
40201+ for each option so that you fully understand the features and
40202+ can evaluate their usefulness for your machine.
40203+
40204+choice
40205+ prompt "Security Level"
40206+ depends on GRKERNSEC
40207+ default GRKERNSEC_CUSTOM
40208+
40209+config GRKERNSEC_LOW
40210+ bool "Low"
40211+ select GRKERNSEC_LINK
40212+ select GRKERNSEC_FIFO
40213+ select GRKERNSEC_EXECVE
40214+ select GRKERNSEC_RANDNET
40215+ select GRKERNSEC_DMESG
40216+ select GRKERNSEC_CHROOT
40217+ select GRKERNSEC_CHROOT_CHDIR
40218+
40219+ help
40220+ If you choose this option, several of the grsecurity options will
40221+ be enabled that will give you greater protection against a number
40222+ of attacks, while assuring that none of your software will have any
40223+ conflicts with the additional security measures. If you run a lot
40224+ of unusual software, or you are having problems with the higher
40225+ security levels, you should say Y here. With this option, the
40226+ following features are enabled:
40227+
40228+ - Linking restrictions
40229+ - FIFO restrictions
40230+ - Enforcing RLIMIT_NPROC on execve
40231+ - Restricted dmesg
40232+ - Enforced chdir("/") on chroot
40233+ - Runtime module disabling
40234+
40235+config GRKERNSEC_MEDIUM
40236+ bool "Medium"
40237+ select PAX
40238+ select PAX_EI_PAX
40239+ select PAX_PT_PAX_FLAGS
40240+ select PAX_HAVE_ACL_FLAGS
40241+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40242+ select GRKERNSEC_CHROOT
40243+ select GRKERNSEC_CHROOT_SYSCTL
40244+ select GRKERNSEC_LINK
40245+ select GRKERNSEC_FIFO
40246+ select GRKERNSEC_EXECVE
40247+ select GRKERNSEC_DMESG
40248+ select GRKERNSEC_RANDNET
40249+ select GRKERNSEC_FORKFAIL
40250+ select GRKERNSEC_TIME
40251+ select GRKERNSEC_SIGNAL
40252+ select GRKERNSEC_CHROOT
40253+ select GRKERNSEC_CHROOT_UNIX
40254+ select GRKERNSEC_CHROOT_MOUNT
40255+ select GRKERNSEC_CHROOT_PIVOT
40256+ select GRKERNSEC_CHROOT_DOUBLE
40257+ select GRKERNSEC_CHROOT_CHDIR
40258+ select GRKERNSEC_CHROOT_MKNOD
40259+ select GRKERNSEC_PROC
40260+ select GRKERNSEC_PROC_USERGROUP
40261+ select PAX_RANDUSTACK
40262+ select PAX_ASLR
40263+ select PAX_RANDMMAP
40264+ select PAX_REFCOUNT if (X86 || SPARC64)
40265+ select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC32 || PPC64) && (SLAB || SLUB || SLOB))
40266+
40267+ help
40268+ If you say Y here, several features in addition to those included
40269+ in the low additional security level will be enabled. These
40270+ features provide even more security to your system, though in rare
40271+ cases they may be incompatible with very old or poorly written
40272+ software. If you enable this option, make sure that your auth
40273+ service (identd) is running as gid 1001. With this option,
40274+ the following features (in addition to those provided in the
40275+ low additional security level) will be enabled:
40276+
40277+ - Failed fork logging
40278+ - Time change logging
40279+ - Signal logging
40280+ - Deny mounts in chroot
40281+ - Deny double chrooting
40282+ - Deny sysctl writes in chroot
40283+ - Deny mknod in chroot
40284+ - Deny access to abstract AF_UNIX sockets out of chroot
40285+ - Deny pivot_root in chroot
40286+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
40287+ - /proc restrictions with special GID set to 10 (usually wheel)
40288+ - Address Space Layout Randomization (ASLR)
40289+ - Prevent exploitation of most refcount overflows
40290+ - Bounds checking of copying between the kernel and userland
40291+
40292+config GRKERNSEC_HIGH
40293+ bool "High"
40294+ select GRKERNSEC_LINK
40295+ select GRKERNSEC_FIFO
40296+ select GRKERNSEC_EXECVE
40297+ select GRKERNSEC_DMESG
40298+ select GRKERNSEC_FORKFAIL
40299+ select GRKERNSEC_TIME
40300+ select GRKERNSEC_SIGNAL
40301+ select GRKERNSEC_CHROOT
40302+ select GRKERNSEC_CHROOT_SHMAT
40303+ select GRKERNSEC_CHROOT_UNIX
40304+ select GRKERNSEC_CHROOT_MOUNT
40305+ select GRKERNSEC_CHROOT_FCHDIR
40306+ select GRKERNSEC_CHROOT_PIVOT
40307+ select GRKERNSEC_CHROOT_DOUBLE
40308+ select GRKERNSEC_CHROOT_CHDIR
40309+ select GRKERNSEC_CHROOT_MKNOD
40310+ select GRKERNSEC_CHROOT_CAPS
40311+ select GRKERNSEC_CHROOT_SYSCTL
40312+ select GRKERNSEC_CHROOT_FINDTASK
40313+ select GRKERNSEC_PROC
40314+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40315+ select GRKERNSEC_HIDESYM
40316+ select GRKERNSEC_BRUTE
40317+ select GRKERNSEC_PROC_USERGROUP
40318+ select GRKERNSEC_KMEM
40319+ select GRKERNSEC_RESLOG
40320+ select GRKERNSEC_RANDNET
40321+ select GRKERNSEC_PROC_ADD
40322+ select GRKERNSEC_CHROOT_CHMOD
40323+ select GRKERNSEC_CHROOT_NICE
40324+ select GRKERNSEC_AUDIT_MOUNT
40325+ select GRKERNSEC_MODHARDEN if (MODULES)
40326+ select GRKERNSEC_HARDEN_PTRACE
40327+ select GRKERNSEC_VM86 if (X86_32)
40328+ select PAX
40329+ select PAX_RANDUSTACK
40330+ select PAX_ASLR
40331+ select PAX_RANDMMAP
40332+ select PAX_NOEXEC
40333+ select PAX_MPROTECT
40334+ select PAX_EI_PAX
40335+ select PAX_PT_PAX_FLAGS
40336+ select PAX_HAVE_ACL_FLAGS
40337+ select PAX_KERNEXEC if ((PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
40338+ select PAX_MEMORY_UDEREF if (X86_32 && !XEN)
40339+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
40340+ select PAX_SEGMEXEC if (X86_32)
40341+ select PAX_PAGEEXEC
40342+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
40343+ select PAX_EMUTRAMP if (PARISC)
40344+ select PAX_EMUSIGRT if (PARISC)
40345+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
40346+ select PAX_REFCOUNT if (X86 || SPARC64)
40347+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
40348+ help
40349+ If you say Y here, many of the features of grsecurity will be
40350+ enabled, which will protect you against many kinds of attacks
40351+ against your system. The heightened security comes at a cost
40352+ of an increased chance of incompatibilities with rare software
40353+ on your machine. Since this security level enables PaX, you should
40354+ view <http://pax.grsecurity.net> and read about the PaX
40355+ project. While you are there, download chpax and run it on
40356+ binaries that cause problems with PaX. Also remember that
40357+ since the /proc restrictions are enabled, you must run your
40358+ identd as gid 1001. This security level enables the following
40359+ features in addition to those listed in the low and medium
40360+ security levels:
40361+
40362+ - Additional /proc restrictions
40363+ - Chmod restrictions in chroot
40364+ - No signals, ptrace, or viewing of processes outside of chroot
40365+ - Capability restrictions in chroot
40366+ - Deny fchdir out of chroot
40367+ - Priority restrictions in chroot
40368+ - Segmentation-based implementation of PaX
40369+ - Mprotect restrictions
40370+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
40371+ - Kernel stack randomization
40372+ - Mount/unmount/remount logging
40373+ - Kernel symbol hiding
40374+ - Prevention of memory exhaustion-based exploits
40375+ - Hardening of module auto-loading
40376+ - Ptrace restrictions
40377+ - Restricted vm86 mode
40378+
40379+config GRKERNSEC_CUSTOM
40380+ bool "Custom"
40381+ help
40382+ If you say Y here, you will be able to configure every grsecurity
40383+ option, which allows you to enable many more features that aren't
40384+ covered in the basic security levels. These additional features
40385+ include TPE, socket restrictions, and the sysctl system for
40386+ grsecurity. It is advised that you read through the help for
40387+ each option to determine its usefulness in your situation.
40388+
40389+endchoice
40390+
40391+menu "Address Space Protection"
40392+depends on GRKERNSEC
40393+
40394+config GRKERNSEC_KMEM
40395+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
40396+ help
40397+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
40398+ be written to via mmap or otherwise to modify the running kernel.
40399+ /dev/port will also not be allowed to be opened. If you have module
40400+ support disabled, enabling this will close up four ways that are
40401+ currently used to insert malicious code into the running kernel.
40402+ Even with all these features enabled, we still highly recommend that
40403+ you use the RBAC system, as it is still possible for an attacker to
40404+ modify the running kernel through privileged I/O granted by ioperm/iopl.
40405+ If you are not using XFree86, you may be able to stop this additional
40406+ case by enabling the 'Disable privileged I/O' option. Though nothing
40407+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
40408+ but only to video memory, which is the only writing we allow in this
40409+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
40410+ not be allowed to mprotect it with PROT_WRITE later.
40411+ It is highly recommended that you say Y here if you meet all the
40412+ conditions above.
40413+
40414+config GRKERNSEC_VM86
40415+ bool "Restrict VM86 mode"
40416+ depends on X86_32
40417+
40418+ help
40419+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
40420+ make use of a special execution mode on 32bit x86 processors called
40421+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
40422+ video cards and will still work with this option enabled. The purpose
40423+ of the option is to prevent exploitation of emulation errors in
40424+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
40425+ Nearly all users should be able to enable this option.
40426+
40427+config GRKERNSEC_IO
40428+ bool "Disable privileged I/O"
40429+ depends on X86
40430+ select RTC_CLASS
40431+ select RTC_INTF_DEV
40432+ select RTC_DRV_CMOS
40433+
40434+ help
40435+ If you say Y here, all ioperm and iopl calls will return an error.
40436+ Ioperm and iopl can be used to modify the running kernel.
40437+ Unfortunately, some programs need this access to operate properly,
40438+ the most notable of which are XFree86 and hwclock. hwclock can be
40439+ remedied by having RTC support in the kernel, so real-time
40440+ clock support is enabled if this option is enabled, to ensure
40441+ that hwclock operates correctly. XFree86 still will not
40442+ operate correctly with this option enabled, so DO NOT CHOOSE Y
40443+ IF YOU USE XFree86. If you use XFree86 and you still want to
40444+ protect your kernel against modification, use the RBAC system.
40445+
40446+config GRKERNSEC_PROC_MEMMAP
40447+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
40448+ default y if (PAX_NOEXEC || PAX_ASLR)
40449+ depends on PAX_NOEXEC || PAX_ASLR
40450+ help
40451+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
40452+ give no information about the addresses of its mappings if
40453+ PaX features that rely on random addresses are enabled on the task.
40454+ If you use PaX it is greatly recommended that you say Y here as it
40455+ closes up a hole that makes the full ASLR useless for suid
40456+ binaries.
40457+
40458+config GRKERNSEC_BRUTE
40459+ bool "Deter exploit bruteforcing"
40460+ help
40461+ If you say Y here, attempts to bruteforce exploits against forking
40462+ daemons such as apache or sshd will be deterred. When a child of a
40463+ forking daemon is killed by PaX or crashes due to an illegal
40464+ instruction, the parent process will be delayed 30 seconds upon every
40465+ subsequent fork until the administrator is able to assess the
40466+ situation and restart the daemon. It is recommended that you also
40467+ enable signal logging in the auditing section so that logs are
40468+ generated when a process performs an illegal instruction.
40469+
40470+config GRKERNSEC_MODHARDEN
40471+ bool "Harden module auto-loading"
40472+ depends on MODULES
40473+ help
40474+ If you say Y here, module auto-loading in response to use of some
40475+ feature implemented by an unloaded module will be restricted to
40476+ root users. Enabling this option helps defend against attacks
40477+ by unprivileged users who abuse the auto-loading behavior to
40478+ cause a vulnerable module to load that is then exploited.
40479+
40480+ If this option prevents a legitimate use of auto-loading for a
40481+ non-root user, the administrator can execute modprobe manually
40482+ with the exact name of the module mentioned in the alert log.
40483+ Alternatively, the administrator can add the module to the list
40484+ of modules loaded at boot by modifying init scripts.
40485+
40486+ Modification of init scripts will most likely be needed on
40487+ Ubuntu servers with encrypted home directory support enabled,
40488+ as the first non-root user logging in will cause the ecb(aes),
40489+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
40490+
40491+config GRKERNSEC_HIDESYM
40492+ bool "Hide kernel symbols"
40493+ help
40494+ If you say Y here, getting information on loaded modules, and
40495+ displaying all kernel symbols through a syscall will be restricted
40496+ to users with CAP_SYS_MODULE. For software compatibility reasons,
40497+ /proc/kallsyms will be restricted to the root user. The RBAC
40498+ system can hide that entry even from root. Note that this option
40499+ is only effective provided the following conditions are met:
40500+ 1) The kernel using grsecurity is not precompiled by some distribution
40501+ 2) You are using the RBAC system and hiding other files such as your
40502+ kernel image and System.map. Alternatively, enabling this option
40503+ causes the permissions on /boot, /lib/modules, and the kernel
40504+ source directory to change at compile time to prevent
40505+ reading by non-root users.
40506+ If the above conditions are met, this option will aid in providing a
40507+ useful protection against local kernel exploitation of overflows
40508+ and arbitrary read/write vulnerabilities.
40509+
40510+endmenu
40511+menu "Role Based Access Control Options"
40512+depends on GRKERNSEC
40513+
40514+config GRKERNSEC_NO_RBAC
40515+ bool "Disable RBAC system"
40516+ help
40517+ If you say Y here, the /dev/grsec device will be removed from the kernel,
40518+ preventing the RBAC system from being enabled. You should only say Y
40519+ here if you have no intention of using the RBAC system, so as to prevent
40520+ an attacker with root access from misusing the RBAC system to hide files
40521+ and processes when loadable module support and /dev/[k]mem have been
40522+ locked down.
40523+
40524+config GRKERNSEC_ACL_HIDEKERN
40525+ bool "Hide kernel processes"
40526+ help
40527+ If you say Y here, all kernel threads will be hidden to all
40528+ processes but those whose subject has the "view hidden processes"
40529+ flag.
40530+
40531+config GRKERNSEC_ACL_MAXTRIES
40532+ int "Maximum tries before password lockout"
40533+ default 3
40534+ help
40535+ This option enforces the maximum number of times a user can attempt
40536+ to authorize themselves with the grsecurity RBAC system before being
40537+ denied the ability to attempt authorization again for a specified time.
40538+ The lower the number, the harder it will be to brute-force a password.
40539+
40540+config GRKERNSEC_ACL_TIMEOUT
40541+ int "Time to wait after max password tries, in seconds"
40542+ default 30
40543+ help
40544+ This option specifies the time the user must wait after attempting to
40545+ authorize to the RBAC system with the maximum number of invalid
40546+ passwords. The higher the number, the harder it will be to brute-force
40547+ a password.
40548+
40549+endmenu
40550+menu "Filesystem Protections"
40551+depends on GRKERNSEC
40552+
40553+config GRKERNSEC_PROC
40554+ bool "Proc restrictions"
40555+ help
40556+ If you say Y here, the permissions of the /proc filesystem
40557+ will be altered to enhance system security and privacy. You MUST
40558+ choose either a user only restriction or a user and group restriction.
40559+ Depending upon the option you choose, you can either restrict users to
40560+ see only the processes they themselves run, or choose a group that can
40561+ view all processes and files normally restricted to root if you choose
40562+ the "restrict to user only" option. NOTE: If you're running identd as
40563+ a non-root user, you will have to run it as the group you specify here.
40564+
40565+config GRKERNSEC_PROC_USER
40566+ bool "Restrict /proc to user only"
40567+ depends on GRKERNSEC_PROC
40568+ help
40569+ If you say Y here, non-root users will only be able to view their own
40570+ processes, and restricts them from viewing network-related information,
40571+ and viewing kernel symbol and module information.
40572+
40573+config GRKERNSEC_PROC_USERGROUP
40574+ bool "Allow special group"
40575+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
40576+ help
40577+ If you say Y here, you will be able to select a group that will be
40578+ able to view all processes, network-related information, and
40579+ kernel and symbol information. This option is useful if you want
40580+ to run identd as a non-root user.
40581+
40582+config GRKERNSEC_PROC_GID
40583+ int "GID for special group"
40584+ depends on GRKERNSEC_PROC_USERGROUP
40585+ default 1001
40586+
40587+config GRKERNSEC_PROC_ADD
40588+ bool "Additional restrictions"
40589+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
40590+ help
40591+ If you say Y here, additional restrictions will be placed on
40592+ /proc that keep normal users from viewing device information and
40593+ slabinfo information that could be useful for exploits.
40594+
40595+config GRKERNSEC_LINK
40596+ bool "Linking restrictions"
40597+ help
40598+ If you say Y here, /tmp race exploits will be prevented, since users
40599+ will no longer be able to follow symlinks owned by other users in
40600+ world-writable +t directories (i.e. /tmp), unless the owner of the
40601+ symlink is the owner of the directory. users will also not be
40602+ able to hardlink to files they do not own. If the sysctl option is
40603+ enabled, a sysctl option with name "linking_restrictions" is created.
40604+
40605+config GRKERNSEC_FIFO
40606+ bool "FIFO restrictions"
40607+ help
40608+ If you say Y here, users will not be able to write to FIFOs they don't
40609+ own in world-writable +t directories (i.e. /tmp), unless the owner of
40610+ the FIFO is the same owner of the directory it's held in. If the sysctl
40611+ option is enabled, a sysctl option with name "fifo_restrictions" is
40612+ created.
40613+
40614+config GRKERNSEC_ROFS
40615+ bool "Runtime read-only mount protection"
40616+ help
40617+ If you say Y here, a sysctl option with name "romount_protect" will
40618+ be created. By setting this option to 1 at runtime, filesystems
40619+ will be protected in the following ways:
40620+ * No new writable mounts will be allowed
40621+ * Existing read-only mounts won't be able to be remounted read/write
40622+ * Write operations will be denied on all block devices
40623+ This option acts independently of grsec_lock: once it is set to 1,
40624+ it cannot be turned off. Therefore, please be mindful of the resulting
40625+ behavior if this option is enabled in an init script on a read-only
40626+ filesystem. This feature is mainly intended for secure embedded systems.
40627+
40628+config GRKERNSEC_CHROOT
40629+ bool "Chroot jail restrictions"
40630+ help
40631+ If you say Y here, you will be able to choose several options that will
40632+ make breaking out of a chrooted jail much more difficult. If you
40633+ encounter no software incompatibilities with the following options, it
40634+ is recommended that you enable each one.
40635+
40636+config GRKERNSEC_CHROOT_MOUNT
40637+ bool "Deny mounts"
40638+ depends on GRKERNSEC_CHROOT
40639+ help
40640+ If you say Y here, processes inside a chroot will not be able to
40641+ mount or remount filesystems. If the sysctl option is enabled, a
40642+ sysctl option with name "chroot_deny_mount" is created.
40643+
40644+config GRKERNSEC_CHROOT_DOUBLE
40645+ bool "Deny double-chroots"
40646+ depends on GRKERNSEC_CHROOT
40647+ help
40648+ If you say Y here, processes inside a chroot will not be able to chroot
40649+ again outside the chroot. This is a widely used method of breaking
40650+ out of a chroot jail and should not be allowed. If the sysctl
40651+ option is enabled, a sysctl option with name
40652+ "chroot_deny_chroot" is created.
40653+
40654+config GRKERNSEC_CHROOT_PIVOT
40655+ bool "Deny pivot_root in chroot"
40656+ depends on GRKERNSEC_CHROOT
40657+ help
40658+ If you say Y here, processes inside a chroot will not be able to use
40659+ a function called pivot_root() that was introduced in Linux 2.3.41. It
40660+ works similar to chroot in that it changes the root filesystem. This
40661+ function could be misused in a chrooted process to attempt to break out
40662+ of the chroot, and therefore should not be allowed. If the sysctl
40663+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
40664+ created.
40665+
40666+config GRKERNSEC_CHROOT_CHDIR
40667+ bool "Enforce chdir(\"/\") on all chroots"
40668+ depends on GRKERNSEC_CHROOT
40669+ help
40670+ If you say Y here, the current working directory of all newly-chrooted
40671+ applications will be set to the the root directory of the chroot.
40672+ The man page on chroot(2) states:
40673+ Note that this call does not change the current working
40674+ directory, so that `.' can be outside the tree rooted at
40675+ `/'. In particular, the super-user can escape from a
40676+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
40677+
40678+ It is recommended that you say Y here, since it's not known to break
40679+ any software. If the sysctl option is enabled, a sysctl option with
40680+ name "chroot_enforce_chdir" is created.
40681+
40682+config GRKERNSEC_CHROOT_CHMOD
40683+ bool "Deny (f)chmod +s"
40684+ depends on GRKERNSEC_CHROOT
40685+ help
40686+ If you say Y here, processes inside a chroot will not be able to chmod
40687+ or fchmod files to make them have suid or sgid bits. This protects
40688+ against another published method of breaking a chroot. If the sysctl
40689+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
40690+ created.
40691+
40692+config GRKERNSEC_CHROOT_FCHDIR
40693+ bool "Deny fchdir out of chroot"
40694+ depends on GRKERNSEC_CHROOT
40695+ help
40696+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
40697+ to a file descriptor of the chrooting process that points to a directory
40698+ outside the filesystem will be stopped. If the sysctl option
40699+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
40700+
40701+config GRKERNSEC_CHROOT_MKNOD
40702+ bool "Deny mknod"
40703+ depends on GRKERNSEC_CHROOT
40704+ help
40705+ If you say Y here, processes inside a chroot will not be allowed to
40706+ mknod. The problem with using mknod inside a chroot is that it
40707+ would allow an attacker to create a device entry that is the same
40708+ as one on the physical root of your system, which could range from
40709+ anything from the console device to a device for your harddrive (which
40710+ they could then use to wipe the drive or steal data). It is recommended
40711+ that you say Y here, unless you run into software incompatibilities.
40712+ If the sysctl option is enabled, a sysctl option with name
40713+ "chroot_deny_mknod" is created.
40714+
40715+config GRKERNSEC_CHROOT_SHMAT
40716+ bool "Deny shmat() out of chroot"
40717+ depends on GRKERNSEC_CHROOT
40718+ help
40719+ If you say Y here, processes inside a chroot will not be able to attach
40720+ to shared memory segments that were created outside of the chroot jail.
40721+ It is recommended that you say Y here. If the sysctl option is enabled,
40722+ a sysctl option with name "chroot_deny_shmat" is created.
40723+
40724+config GRKERNSEC_CHROOT_UNIX
40725+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
40726+ depends on GRKERNSEC_CHROOT
40727+ help
40728+ If you say Y here, processes inside a chroot will not be able to
40729+ connect to abstract (meaning not belonging to a filesystem) Unix
40730+ domain sockets that were bound outside of a chroot. It is recommended
40731+ that you say Y here. If the sysctl option is enabled, a sysctl option
40732+ with name "chroot_deny_unix" is created.
40733+
40734+config GRKERNSEC_CHROOT_FINDTASK
40735+ bool "Protect outside processes"
40736+ depends on GRKERNSEC_CHROOT
40737+ help
40738+ If you say Y here, processes inside a chroot will not be able to
40739+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
40740+ getsid, or view any process outside of the chroot. If the sysctl
40741+ option is enabled, a sysctl option with name "chroot_findtask" is
40742+ created.
40743+
40744+config GRKERNSEC_CHROOT_NICE
40745+ bool "Restrict priority changes"
40746+ depends on GRKERNSEC_CHROOT
40747+ help
40748+ If you say Y here, processes inside a chroot will not be able to raise
40749+ the priority of processes in the chroot, or alter the priority of
40750+ processes outside the chroot. This provides more security than simply
40751+ removing CAP_SYS_NICE from the process' capability set. If the
40752+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
40753+ is created.
40754+
40755+config GRKERNSEC_CHROOT_SYSCTL
40756+ bool "Deny sysctl writes"
40757+ depends on GRKERNSEC_CHROOT
40758+ help
40759+ If you say Y here, an attacker in a chroot will not be able to
40760+ write to sysctl entries, either by sysctl(2) or through a /proc
40761+ interface. It is strongly recommended that you say Y here. If the
40762+ sysctl option is enabled, a sysctl option with name
40763+ "chroot_deny_sysctl" is created.
40764+
40765+config GRKERNSEC_CHROOT_CAPS
40766+ bool "Capability restrictions"
40767+ depends on GRKERNSEC_CHROOT
40768+ help
40769+ If you say Y here, the capabilities on all root processes within a
40770+ chroot jail will be lowered to stop module insertion, raw i/o,
40771+ system and net admin tasks, rebooting the system, modifying immutable
40772+ files, modifying IPC owned by another, and changing the system time.
40773+ This is left an option because it can break some apps. Disable this
40774+ if your chrooted apps are having problems performing those kinds of
40775+ tasks. If the sysctl option is enabled, a sysctl option with
40776+ name "chroot_caps" is created.
40777+
40778+endmenu
40779+menu "Kernel Auditing"
40780+depends on GRKERNSEC
40781+
40782+config GRKERNSEC_AUDIT_GROUP
40783+ bool "Single group for auditing"
40784+ help
40785+ If you say Y here, the exec, chdir, and (un)mount logging features
40786+ will only operate on a group you specify. This option is recommended
40787+ if you only want to watch certain users instead of having a large
40788+ amount of logs from the entire system. If the sysctl option is enabled,
40789+ a sysctl option with name "audit_group" is created.
40790+
40791+config GRKERNSEC_AUDIT_GID
40792+ int "GID for auditing"
40793+ depends on GRKERNSEC_AUDIT_GROUP
40794+ default 1007
40795+
40796+config GRKERNSEC_EXECLOG
40797+ bool "Exec logging"
40798+ help
40799+ If you say Y here, all execve() calls will be logged (since the
40800+ other exec*() calls are frontends to execve(), all execution
40801+ will be logged). Useful for shell-servers that like to keep track
40802+ of their users. If the sysctl option is enabled, a sysctl option with
40803+ name "exec_logging" is created.
40804+ WARNING: This option when enabled will produce a LOT of logs, especially
40805+ on an active system.
40806+
40807+config GRKERNSEC_RESLOG
40808+ bool "Resource logging"
40809+ help
40810+ If you say Y here, all attempts to overstep resource limits will
40811+ be logged with the resource name, the requested size, and the current
40812+ limit. It is highly recommended that you say Y here. If the sysctl
40813+ option is enabled, a sysctl option with name "resource_logging" is
40814+ created. If the RBAC system is enabled, the sysctl value is ignored.
40815+
40816+config GRKERNSEC_CHROOT_EXECLOG
40817+ bool "Log execs within chroot"
40818+ help
40819+ If you say Y here, all executions inside a chroot jail will be logged
40820+ to syslog. This can cause a large amount of logs if certain
40821+ applications (eg. djb's daemontools) are installed on the system, and
40822+ is therefore left as an option. If the sysctl option is enabled, a
40823+ sysctl option with name "chroot_execlog" is created.
40824+
40825+config GRKERNSEC_AUDIT_CHDIR
40826+ bool "Chdir logging"
40827+ help
40828+ If you say Y here, all chdir() calls will be logged. If the sysctl
40829+ option is enabled, a sysctl option with name "audit_chdir" is created.
40830+
40831+config GRKERNSEC_AUDIT_MOUNT
40832+ bool "(Un)Mount logging"
40833+ help
40834+ If you say Y here, all mounts and unmounts will be logged. If the
40835+ sysctl option is enabled, a sysctl option with name "audit_mount" is
40836+ created.
40837+
40838+config GRKERNSEC_SIGNAL
40839+ bool "Signal logging"
40840+ help
40841+ If you say Y here, certain important signals will be logged, such as
40842+ SIGSEGV, which will as a result inform you of when a error in a program
40843+ occurred, which in some cases could mean a possible exploit attempt.
40844+ If the sysctl option is enabled, a sysctl option with name
40845+ "signal_logging" is created.
40846+
40847+config GRKERNSEC_FORKFAIL
40848+ bool "Fork failure logging"
40849+ help
40850+ If you say Y here, all failed fork() attempts will be logged.
40851+ This could suggest a fork bomb, or someone attempting to overstep
40852+ their process limit. If the sysctl option is enabled, a sysctl option
40853+ with name "forkfail_logging" is created.
40854+
40855+config GRKERNSEC_TIME
40856+ bool "Time change logging"
40857+ help
40858+ If you say Y here, any changes of the system clock will be logged.
40859+ If the sysctl option is enabled, a sysctl option with name
40860+ "timechange_logging" is created.
40861+
40862+config GRKERNSEC_PROC_IPADDR
40863+ bool "/proc/<pid>/ipaddr support"
40864+ help
40865+ If you say Y here, a new entry will be added to each /proc/<pid>
40866+ directory that contains the IP address of the person using the task.
40867+ The IP is carried across local TCP and AF_UNIX stream sockets.
40868+ This information can be useful for IDS/IPSes to perform remote response
40869+ to a local attack. The entry is readable by only the owner of the
40870+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
40871+ the RBAC system), and thus does not create privacy concerns.
40872+
40873+config GRKERNSEC_AUDIT_TEXTREL
40874+ bool 'ELF text relocations logging (READ HELP)'
40875+ depends on PAX_MPROTECT
40876+ help
40877+ If you say Y here, text relocations will be logged with the filename
40878+ of the offending library or binary. The purpose of the feature is
40879+ to help Linux distribution developers get rid of libraries and
40880+ binaries that need text relocations which hinder the future progress
40881+ of PaX. Only Linux distribution developers should say Y here, and
40882+ never on a production machine, as this option creates an information
40883+ leak that could aid an attacker in defeating the randomization of
40884+ a single memory region. If the sysctl option is enabled, a sysctl
40885+ option with name "audit_textrel" is created.
40886+
40887+endmenu
40888+
40889+menu "Executable Protections"
40890+depends on GRKERNSEC
40891+
40892+config GRKERNSEC_EXECVE
40893+ bool "Enforce RLIMIT_NPROC on execs"
40894+ help
40895+ If you say Y here, users with a resource limit on processes will
40896+ have the value checked during execve() calls. The current system
40897+ only checks the system limit during fork() calls. If the sysctl option
40898+ is enabled, a sysctl option with name "execve_limiting" is created.
40899+
40900+config GRKERNSEC_DMESG
40901+ bool "Dmesg(8) restriction"
40902+ help
40903+ If you say Y here, non-root users will not be able to use dmesg(8)
40904+ to view up to the last 4kb of messages in the kernel's log buffer.
40905+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
40906+ created.
40907+
40908+config GRKERNSEC_HARDEN_PTRACE
40909+ bool "Deter ptrace-based process snooping"
40910+ help
40911+ If you say Y here, TTY sniffers and other malicious monitoring
40912+ programs implemented through ptrace will be defeated. If you
40913+ have been using the RBAC system, this option has already been
40914+ enabled for several years for all users, with the ability to make
40915+ fine-grained exceptions.
40916+
40917+ This option only affects the ability of non-root users to ptrace
40918+ processes that are not a descendent of the ptracing process.
40919+ This means that strace ./binary and gdb ./binary will still work,
40920+ but attaching to arbitrary processes will not. If the sysctl
40921+ option is enabled, a sysctl option with name "harden_ptrace" is
40922+ created.
40923+
40924+config GRKERNSEC_TPE
40925+ bool "Trusted Path Execution (TPE)"
40926+ help
40927+ If you say Y here, you will be able to choose a gid to add to the
40928+ supplementary groups of users you want to mark as "untrusted."
40929+ These users will not be able to execute any files that are not in
40930+ root-owned directories writable only by root. If the sysctl option
40931+ is enabled, a sysctl option with name "tpe" is created.
40932+
40933+config GRKERNSEC_TPE_ALL
40934+ bool "Partially restrict non-root users"
40935+ depends on GRKERNSEC_TPE
40936+ help
40937+ If you say Y here, All non-root users other than the ones in the
40938+ group specified in the main TPE option will only be allowed to
40939+ execute files in directories they own that are not group or
40940+ world-writable, or in directories owned by root and writable only by
40941+ root. If the sysctl option is enabled, a sysctl option with name
40942+ "tpe_restrict_all" is created.
40943+
40944+config GRKERNSEC_TPE_INVERT
40945+ bool "Invert GID option"
40946+ depends on GRKERNSEC_TPE
40947+ help
40948+ If you say Y here, the group you specify in the TPE configuration will
40949+ decide what group TPE restrictions will be *disabled* for. This
40950+ option is useful if you want TPE restrictions to be applied to most
40951+ users on the system.
40952+
40953+config GRKERNSEC_TPE_GID
40954+ int "GID for untrusted users"
40955+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
40956+ default 1005
40957+ help
40958+ If you have selected the "Invert GID option" above, setting this
40959+ GID determines what group TPE restrictions will be *disabled* for.
40960+ If you have not selected the "Invert GID option" above, setting this
40961+ GID determines what group TPE restrictions will be *enabled* for.
40962+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
40963+ is created.
40964+
40965+config GRKERNSEC_TPE_GID
40966+ int "GID for trusted users"
40967+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
40968+ default 1005
40969+ help
40970+ If you have selected the "Invert GID option" above, setting this
40971+ GID determines what group TPE restrictions will be *disabled* for.
40972+ If you have not selected the "Invert GID option" above, setting this
40973+ GID determines what group TPE restrictions will be *enabled* for.
40974+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
40975+ is created.
40976+
40977+endmenu
40978+menu "Network Protections"
40979+depends on GRKERNSEC
40980+
40981+config GRKERNSEC_RANDNET
40982+ bool "Larger entropy pools"
40983+ help
40984+ If you say Y here, the entropy pools used for many features of Linux
40985+ and grsecurity will be doubled in size. Since several grsecurity
40986+ features use additional randomness, it is recommended that you say Y
40987+ here. Saying Y here has a similar effect as modifying
40988+ /proc/sys/kernel/random/poolsize.
40989+
40990+config GRKERNSEC_BLACKHOLE
40991+ bool "TCP/UDP blackhole"
40992+ help
40993+ If you say Y here, neither TCP resets nor ICMP
40994+ destination-unreachable packets will be sent in response to packets
40995+ send to ports for which no associated listening process exists.
40996+ This feature supports both IPV4 and IPV6 and exempts the
40997+ loopback interface from blackholing. Enabling this feature
40998+ makes a host more resilient to DoS attacks and reduces network
40999+ visibility against scanners.
41000+
41001+config GRKERNSEC_SOCKET
41002+ bool "Socket restrictions"
41003+ help
41004+ If you say Y here, you will be able to choose from several options.
41005+ If you assign a GID on your system and add it to the supplementary
41006+ groups of users you want to restrict socket access to, this patch
41007+ will perform up to three things, based on the option(s) you choose.
41008+
41009+config GRKERNSEC_SOCKET_ALL
41010+ bool "Deny any sockets to group"
41011+ depends on GRKERNSEC_SOCKET
41012+ help
41013+ If you say Y here, you will be able to choose a GID of whose users will
41014+ be unable to connect to other hosts from your machine or run server
41015+ applications from your machine. If the sysctl option is enabled, a
41016+ sysctl option with name "socket_all" is created.
41017+
41018+config GRKERNSEC_SOCKET_ALL_GID
41019+ int "GID to deny all sockets for"
41020+ depends on GRKERNSEC_SOCKET_ALL
41021+ default 1004
41022+ help
41023+ Here you can choose the GID to disable socket access for. Remember to
41024+ add the users you want socket access disabled for to the GID
41025+ specified here. If the sysctl option is enabled, a sysctl option
41026+ with name "socket_all_gid" is created.
41027+
41028+config GRKERNSEC_SOCKET_CLIENT
41029+ bool "Deny client sockets to group"
41030+ depends on GRKERNSEC_SOCKET
41031+ help
41032+ If you say Y here, you will be able to choose a GID of whose users will
41033+ be unable to connect to other hosts from your machine, but will be
41034+ able to run servers. If this option is enabled, all users in the group
41035+ you specify will have to use passive mode when initiating ftp transfers
41036+ from the shell on your machine. If the sysctl option is enabled, a
41037+ sysctl option with name "socket_client" is created.
41038+
41039+config GRKERNSEC_SOCKET_CLIENT_GID
41040+ int "GID to deny client sockets for"
41041+ depends on GRKERNSEC_SOCKET_CLIENT
41042+ default 1003
41043+ help
41044+ Here you can choose the GID to disable client socket access for.
41045+ Remember to add the users you want client socket access disabled for to
41046+ the GID specified here. If the sysctl option is enabled, a sysctl
41047+ option with name "socket_client_gid" is created.
41048+
41049+config GRKERNSEC_SOCKET_SERVER
41050+ bool "Deny server sockets to group"
41051+ depends on GRKERNSEC_SOCKET
41052+ help
41053+ If you say Y here, you will be able to choose a GID of whose users will
41054+ be unable to run server applications from your machine. If the sysctl
41055+ option is enabled, a sysctl option with name "socket_server" is created.
41056+
41057+config GRKERNSEC_SOCKET_SERVER_GID
41058+ int "GID to deny server sockets for"
41059+ depends on GRKERNSEC_SOCKET_SERVER
41060+ default 1002
41061+ help
41062+ Here you can choose the GID to disable server socket access for.
41063+ Remember to add the users you want server socket access disabled for to
41064+ the GID specified here. If the sysctl option is enabled, a sysctl
41065+ option with name "socket_server_gid" is created.
41066+
41067+endmenu
41068+menu "Sysctl support"
41069+depends on GRKERNSEC && SYSCTL
41070+
41071+config GRKERNSEC_SYSCTL
41072+ bool "Sysctl support"
41073+ help
41074+ If you say Y here, you will be able to change the options that
41075+ grsecurity runs with at bootup, without having to recompile your
41076+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
41077+ to enable (1) or disable (0) various features. All the sysctl entries
41078+ are mutable until the "grsec_lock" entry is set to a non-zero value.
41079+ All features enabled in the kernel configuration are disabled at boot
41080+ if you do not say Y to the "Turn on features by default" option.
41081+ All options should be set at startup, and the grsec_lock entry should
41082+ be set to a non-zero value after all the options are set.
41083+ *THIS IS EXTREMELY IMPORTANT*
41084+
41085+config GRKERNSEC_SYSCTL_ON
41086+ bool "Turn on features by default"
41087+ depends on GRKERNSEC_SYSCTL
41088+ help
41089+ If you say Y here, instead of having all features enabled in the
41090+ kernel configuration disabled at boot time, the features will be
41091+ enabled at boot time. It is recommended you say Y here unless
41092+ there is some reason you would want all sysctl-tunable features to
41093+ be disabled by default. As mentioned elsewhere, it is important
41094+ to enable the grsec_lock entry once you have finished modifying
41095+ the sysctl entries.
41096+
41097+endmenu
41098+menu "Logging Options"
41099+depends on GRKERNSEC
41100+
41101+config GRKERNSEC_FLOODTIME
41102+ int "Seconds in between log messages (minimum)"
41103+ default 10
41104+ help
41105+ This option allows you to enforce the number of seconds between
41106+ grsecurity log messages. The default should be suitable for most
41107+ people, however, if you choose to change it, choose a value small enough
41108+ to allow informative logs to be produced, but large enough to
41109+ prevent flooding.
41110+
41111+config GRKERNSEC_FLOODBURST
41112+ int "Number of messages in a burst (maximum)"
41113+ default 4
41114+ help
41115+ This option allows you to choose the maximum number of messages allowed
41116+ within the flood time interval you chose in a separate option. The
41117+ default should be suitable for most people, however if you find that
41118+ many of your logs are being interpreted as flooding, you may want to
41119+ raise this value.
41120+
41121+endmenu
41122+
41123+endmenu
41124diff -urNp linux-2.6.32.9/grsecurity/Makefile linux-2.6.32.9/grsecurity/Makefile
41125--- linux-2.6.32.9/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
41126+++ linux-2.6.32.9/grsecurity/Makefile 2010-02-23 17:09:53.308131663 -0500
41127@@ -0,0 +1,29 @@
41128+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
41129+# during 2001-2009 it has been completely redesigned by Brad Spengler
41130+# into an RBAC system
41131+#
41132+# All code in this directory and various hooks inserted throughout the kernel
41133+# are copyright Brad Spengler - Open Source Security, Inc., and released
41134+# under the GPL v2 or higher
41135+
41136+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
41137+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
41138+ grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o
41139+
41140+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
41141+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
41142+ gracl_learn.o grsec_log.o
41143+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
41144+
41145+ifndef CONFIG_GRKERNSEC
41146+obj-y += grsec_disabled.o
41147+endif
41148+
41149+ifdef CONFIG_GRKERNSEC_HIDESYM
41150+extra-y := grsec_hidesym.o
41151+$(obj)/grsec_hidesym.o:
41152+ @-chmod -f 500 /boot
41153+ @-chmod -f 500 /lib/modules
41154+ @-chmod -f 700 .
41155+ @echo ' grsec: protected kernel image paths'
41156+endif
41157diff -urNp linux-2.6.32.9/include/acpi/acpi_drivers.h linux-2.6.32.9/include/acpi/acpi_drivers.h
41158--- linux-2.6.32.9/include/acpi/acpi_drivers.h 2010-02-09 07:57:19.000000000 -0500
41159+++ linux-2.6.32.9/include/acpi/acpi_drivers.h 2010-02-23 17:09:53.308131663 -0500
41160@@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
41161 Dock Station
41162 -------------------------------------------------------------------------- */
41163 struct acpi_dock_ops {
41164- acpi_notify_handler handler;
41165- acpi_notify_handler uevent;
41166+ const acpi_notify_handler handler;
41167+ const acpi_notify_handler uevent;
41168 };
41169
41170 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
41171@@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
41172 extern int register_dock_notifier(struct notifier_block *nb);
41173 extern void unregister_dock_notifier(struct notifier_block *nb);
41174 extern int register_hotplug_dock_device(acpi_handle handle,
41175- struct acpi_dock_ops *ops,
41176+ const struct acpi_dock_ops *ops,
41177 void *context);
41178 extern void unregister_hotplug_dock_device(acpi_handle handle);
41179 #else
41180@@ -144,7 +144,7 @@ static inline void unregister_dock_notif
41181 {
41182 }
41183 static inline int register_hotplug_dock_device(acpi_handle handle,
41184- struct acpi_dock_ops *ops,
41185+ const struct acpi_dock_ops *ops,
41186 void *context)
41187 {
41188 return -ENODEV;
41189diff -urNp linux-2.6.32.9/include/asm-generic/atomic-long.h linux-2.6.32.9/include/asm-generic/atomic-long.h
41190--- linux-2.6.32.9/include/asm-generic/atomic-long.h 2010-02-09 07:57:19.000000000 -0500
41191+++ linux-2.6.32.9/include/asm-generic/atomic-long.h 2010-02-23 17:09:53.308131663 -0500
41192@@ -22,6 +22,12 @@
41193
41194 typedef atomic64_t atomic_long_t;
41195
41196+#ifdef CONFIG_PAX_REFCOUNT
41197+typedef atomic64_unchecked_t atomic_long_unchecked_t;
41198+#else
41199+typedef atomic64_t atomic_long_unchecked_t;
41200+#endif
41201+
41202 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
41203
41204 static inline long atomic_long_read(atomic_long_t *l)
41205@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
41206 return (long)atomic64_read(v);
41207 }
41208
41209+#ifdef CONFIG_PAX_REFCOUNT
41210+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41211+{
41212+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41213+
41214+ return (long)atomic64_read_unchecked(v);
41215+}
41216+#endif
41217+
41218 static inline void atomic_long_set(atomic_long_t *l, long i)
41219 {
41220 atomic64_t *v = (atomic64_t *)l;
41221@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
41222 atomic64_set(v, i);
41223 }
41224
41225+#ifdef CONFIG_PAX_REFCOUNT
41226+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41227+{
41228+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41229+
41230+ atomic64_set_unchecked(v, i);
41231+}
41232+#endif
41233+
41234 static inline void atomic_long_inc(atomic_long_t *l)
41235 {
41236 atomic64_t *v = (atomic64_t *)l;
41237@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
41238 atomic64_inc(v);
41239 }
41240
41241+#ifdef CONFIG_PAX_REFCOUNT
41242+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41243+{
41244+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41245+
41246+ atomic64_inc_unchecked(v);
41247+}
41248+#endif
41249+
41250 static inline void atomic_long_dec(atomic_long_t *l)
41251 {
41252 atomic64_t *v = (atomic64_t *)l;
41253@@ -59,6 +92,15 @@ static inline void atomic_long_add(long
41254 atomic64_add(i, v);
41255 }
41256
41257+#ifdef CONFIG_PAX_REFCOUNT
41258+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41259+{
41260+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41261+
41262+ atomic64_add_unchecked(i, v);
41263+}
41264+#endif
41265+
41266 static inline void atomic_long_sub(long i, atomic_long_t *l)
41267 {
41268 atomic64_t *v = (atomic64_t *)l;
41269@@ -115,6 +157,15 @@ static inline long atomic_long_inc_retur
41270 return (long)atomic64_inc_return(v);
41271 }
41272
41273+#ifdef CONFIG_PAX_REFCOUNT
41274+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41275+{
41276+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41277+
41278+ return (long)atomic64_inc_return_unchecked(v);
41279+}
41280+#endif
41281+
41282 static inline long atomic_long_dec_return(atomic_long_t *l)
41283 {
41284 atomic64_t *v = (atomic64_t *)l;
41285@@ -140,6 +191,12 @@ static inline long atomic_long_add_unles
41286
41287 typedef atomic_t atomic_long_t;
41288
41289+#ifdef CONFIG_PAX_REFCOUNT
41290+typedef atomic_unchecked_t atomic_long_unchecked_t;
41291+#else
41292+typedef atomic_t atomic_long_unchecked_t;
41293+#endif
41294+
41295 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
41296 static inline long atomic_long_read(atomic_long_t *l)
41297 {
41298@@ -148,6 +205,15 @@ static inline long atomic_long_read(atom
41299 return (long)atomic_read(v);
41300 }
41301
41302+#ifdef CONFIG_PAX_REFCOUNT
41303+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41304+{
41305+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41306+
41307+ return (long)atomic_read_unchecked(v);
41308+}
41309+#endif
41310+
41311 static inline void atomic_long_set(atomic_long_t *l, long i)
41312 {
41313 atomic_t *v = (atomic_t *)l;
41314@@ -155,6 +221,15 @@ static inline void atomic_long_set(atomi
41315 atomic_set(v, i);
41316 }
41317
41318+#ifdef CONFIG_PAX_REFCOUNT
41319+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41320+{
41321+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41322+
41323+ atomic_set_unchecked(v, i);
41324+}
41325+#endif
41326+
41327 static inline void atomic_long_inc(atomic_long_t *l)
41328 {
41329 atomic_t *v = (atomic_t *)l;
41330@@ -162,6 +237,15 @@ static inline void atomic_long_inc(atomi
41331 atomic_inc(v);
41332 }
41333
41334+#ifdef CONFIG_PAX_REFCOUNT
41335+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41336+{
41337+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41338+
41339+ atomic_inc_unchecked(v);
41340+}
41341+#endif
41342+
41343 static inline void atomic_long_dec(atomic_long_t *l)
41344 {
41345 atomic_t *v = (atomic_t *)l;
41346@@ -176,6 +260,15 @@ static inline void atomic_long_add(long
41347 atomic_add(i, v);
41348 }
41349
41350+#ifdef CONFIG_PAX_REFCOUNT
41351+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41352+{
41353+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41354+
41355+ atomic_add_unchecked(i, v);
41356+}
41357+#endif
41358+
41359 static inline void atomic_long_sub(long i, atomic_long_t *l)
41360 {
41361 atomic_t *v = (atomic_t *)l;
41362@@ -232,6 +325,15 @@ static inline long atomic_long_inc_retur
41363 return (long)atomic_inc_return(v);
41364 }
41365
41366+#ifdef CONFIG_PAX_REFCOUNT
41367+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41368+{
41369+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41370+
41371+ return (long)atomic_inc_return_unchecked(v);
41372+}
41373+#endif
41374+
41375 static inline long atomic_long_dec_return(atomic_long_t *l)
41376 {
41377 atomic_t *v = (atomic_t *)l;
41378@@ -255,4 +357,33 @@ static inline long atomic_long_add_unles
41379
41380 #endif /* BITS_PER_LONG == 64 */
41381
41382+#ifdef CONFIG_PAX_REFCOUNT
41383+static inline void pax_refcount_needs_these_functions(void)
41384+{
41385+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
41386+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
41387+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
41388+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
41389+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
41390+
41391+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
41392+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
41393+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
41394+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
41395+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
41396+}
41397+#else
41398+#define atomic_read_unchecked(v) atomic_read(v)
41399+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
41400+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
41401+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
41402+#define atomic_inc_unchecked(v) atomic_inc(v)
41403+
41404+#define atomic_long_read_unchecked(v) atomic_long_read(v)
41405+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
41406+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
41407+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
41408+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
41409+#endif
41410+
41411 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
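Review bot: `pax_refcount_needs_these_functions()` at the end of the header has no comment, and a reader cannot tell that a function passing `NULL` to every `*_unchecked` helper is not meant to run. It appears to exist only so that a CONFIG_PAX_REFCOUNT build fails when an architecture does not provide one of those helpers; that intent is inferred, since no caller is visible here. I would put `/* build-time reference check for the arch *_unchecked atomics; never call this */` above it. The `#else` branch maps the `_unchecked` names straight back to the checked ones, so without CONFIG_PAX_REFCOUNT the two families are the same operation, and a one-line comment on that branch saying so would help people choosing between them.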
41412diff -urNp linux-2.6.32.9/include/asm-generic/dma-mapping-common.h linux-2.6.32.9/include/asm-generic/dma-mapping-common.h
41413--- linux-2.6.32.9/include/asm-generic/dma-mapping-common.h 2010-02-09 07:57:19.000000000 -0500
41414+++ linux-2.6.32.9/include/asm-generic/dma-mapping-common.h 2010-02-23 17:09:53.308131663 -0500
41415@@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
41416 enum dma_data_direction dir,
41417 struct dma_attrs *attrs)
41418 {
41419- struct dma_map_ops *ops = get_dma_ops(dev);
41420+ const struct dma_map_ops *ops = get_dma_ops(dev);
41421 dma_addr_t addr;
41422
41423 kmemcheck_mark_initialized(ptr, size);
41424@@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
41425 enum dma_data_direction dir,
41426 struct dma_attrs *attrs)
41427 {
41428- struct dma_map_ops *ops = get_dma_ops(dev);
41429+ const struct dma_map_ops *ops = get_dma_ops(dev);
41430
41431 BUG_ON(!valid_dma_direction(dir));
41432 if (ops->unmap_page)
41433@@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
41434 int nents, enum dma_data_direction dir,
41435 struct dma_attrs *attrs)
41436 {
41437- struct dma_map_ops *ops = get_dma_ops(dev);
41438+ const struct dma_map_ops *ops = get_dma_ops(dev);
41439 int i, ents;
41440 struct scatterlist *s;
41441
41442@@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
41443 int nents, enum dma_data_direction dir,
41444 struct dma_attrs *attrs)
41445 {
41446- struct dma_map_ops *ops = get_dma_ops(dev);
41447+ const struct dma_map_ops *ops = get_dma_ops(dev);
41448
41449 BUG_ON(!valid_dma_direction(dir));
41450 debug_dma_unmap_sg(dev, sg, nents, dir);
41451@@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
41452 size_t offset, size_t size,
41453 enum dma_data_direction dir)
41454 {
41455- struct dma_map_ops *ops = get_dma_ops(dev);
41456+ const struct dma_map_ops *ops = get_dma_ops(dev);
41457 dma_addr_t addr;
41458
41459 kmemcheck_mark_initialized(page_address(page) + offset, size);
41460@@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
41461 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
41462 size_t size, enum dma_data_direction dir)
41463 {
41464- struct dma_map_ops *ops = get_dma_ops(dev);
41465+ const struct dma_map_ops *ops = get_dma_ops(dev);
41466
41467 BUG_ON(!valid_dma_direction(dir));
41468 if (ops->unmap_page)
41469@@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
41470 size_t size,
41471 enum dma_data_direction dir)
41472 {
41473- struct dma_map_ops *ops = get_dma_ops(dev);
41474+ const struct dma_map_ops *ops = get_dma_ops(dev);
41475
41476 BUG_ON(!valid_dma_direction(dir));
41477 if (ops->sync_single_for_cpu)
41478@@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
41479 dma_addr_t addr, size_t size,
41480 enum dma_data_direction dir)
41481 {
41482- struct dma_map_ops *ops = get_dma_ops(dev);
41483+ const struct dma_map_ops *ops = get_dma_ops(dev);
41484
41485 BUG_ON(!valid_dma_direction(dir));
41486 if (ops->sync_single_for_device)
41487@@ -123,7 +123,7 @@ static inline void dma_sync_single_range
41488 size_t size,
41489 enum dma_data_direction dir)
41490 {
41491- struct dma_map_ops *ops = get_dma_ops(dev);
41492+ const struct dma_map_ops *ops = get_dma_ops(dev);
41493
41494 BUG_ON(!valid_dma_direction(dir));
41495 if (ops->sync_single_range_for_cpu) {
41496@@ -140,7 +140,7 @@ static inline void dma_sync_single_range
41497 size_t size,
41498 enum dma_data_direction dir)
41499 {
41500- struct dma_map_ops *ops = get_dma_ops(dev);
41501+ const struct dma_map_ops *ops = get_dma_ops(dev);
41502
41503 BUG_ON(!valid_dma_direction(dir));
41504 if (ops->sync_single_range_for_device) {
41505@@ -155,7 +155,7 @@ static inline void
41506 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
41507 int nelems, enum dma_data_direction dir)
41508 {
41509- struct dma_map_ops *ops = get_dma_ops(dev);
41510+ const struct dma_map_ops *ops = get_dma_ops(dev);
41511
41512 BUG_ON(!valid_dma_direction(dir));
41513 if (ops->sync_sg_for_cpu)
41514@@ -167,7 +167,7 @@ static inline void
41515 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
41516 int nelems, enum dma_data_direction dir)
41517 {
41518- struct dma_map_ops *ops = get_dma_ops(dev);
41519+ const struct dma_map_ops *ops = get_dma_ops(dev);
41520
41521 BUG_ON(!valid_dma_direction(dir));
41522 if (ops->sync_sg_for_device)
41523diff -urNp linux-2.6.32.9/include/asm-generic/futex.h linux-2.6.32.9/include/asm-generic/futex.h
41524--- linux-2.6.32.9/include/asm-generic/futex.h 2010-02-09 07:57:19.000000000 -0500
41525+++ linux-2.6.32.9/include/asm-generic/futex.h 2010-02-23 17:09:53.308131663 -0500
41526@@ -6,7 +6,7 @@
41527 #include <asm/errno.h>
41528
41529 static inline int
41530-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
41531+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
41532 {
41533 int op = (encoded_op >> 28) & 7;
41534 int cmp = (encoded_op >> 24) & 15;
41535@@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
41536 }
41537
41538 static inline int
41539-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
41540+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
41541 {
41542 return -ENOSYS;
41543 }
41544diff -urNp linux-2.6.32.9/include/asm-generic/int-l64.h linux-2.6.32.9/include/asm-generic/int-l64.h
41545--- linux-2.6.32.9/include/asm-generic/int-l64.h 2010-02-09 07:57:19.000000000 -0500
41546+++ linux-2.6.32.9/include/asm-generic/int-l64.h 2010-02-23 17:09:53.308131663 -0500
41547@@ -46,6 +46,8 @@ typedef unsigned int u32;
41548 typedef signed long s64;
41549 typedef unsigned long u64;
41550
41551+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
41552+
41553 #define S8_C(x) x
41554 #define U8_C(x) x ## U
41555 #define S16_C(x) x
41556diff -urNp linux-2.6.32.9/include/asm-generic/int-ll64.h linux-2.6.32.9/include/asm-generic/int-ll64.h
41557--- linux-2.6.32.9/include/asm-generic/int-ll64.h 2010-02-09 07:57:19.000000000 -0500
41558+++ linux-2.6.32.9/include/asm-generic/int-ll64.h 2010-02-23 17:09:53.308131663 -0500
41559@@ -51,6 +51,8 @@ typedef unsigned int u32;
41560 typedef signed long long s64;
41561 typedef unsigned long long u64;
41562
41563+typedef unsigned long long intoverflow_t;
41564+
41565 #define S8_C(x) x
41566 #define U8_C(x) x ## U
41567 #define S16_C(x) x
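Review bot: `intoverflow_t` is declared here as `unsigned long long`, the same type as the `u64` typedef two lines above it, whereas the int-l64.h variant uses a 128-bit `mode(TI)` integer. If the type is meant to hold the exact result of size arithmetic so that the caller can compare it with a limit, as the name suggests, it has to be wider than the operands; with this definition that holds only where `size_t` is 32 bits. The typedef needs a comment stating that requirement, for example `/* must be wider than size_t; a product of two 64-bit values wraps in this type */`, and any build that takes this header with a 64-bit `long` should get the `mode(TI)` form instead. The users of `intoverflow_t` are outside this part of the patch.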
41568diff -urNp linux-2.6.32.9/include/asm-generic/kmap_types.h linux-2.6.32.9/include/asm-generic/kmap_types.h
41569--- linux-2.6.32.9/include/asm-generic/kmap_types.h 2010-02-09 07:57:19.000000000 -0500
41570+++ linux-2.6.32.9/include/asm-generic/kmap_types.h 2010-02-23 17:09:53.308131663 -0500
41571@@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
41572 KMAP_D(16) KM_IRQ_PTE,
41573 KMAP_D(17) KM_NMI,
41574 KMAP_D(18) KM_NMI_PTE,
41575-KMAP_D(19) KM_TYPE_NR
41576+KMAP_D(19) KM_CLEARPAGE,
41577+KMAP_D(20) KM_TYPE_NR
41578 };
41579
41580 #undef KMAP_D
41581diff -urNp linux-2.6.32.9/include/asm-generic/pgtable.h linux-2.6.32.9/include/asm-generic/pgtable.h
41582--- linux-2.6.32.9/include/asm-generic/pgtable.h 2010-02-09 07:57:19.000000000 -0500
41583+++ linux-2.6.32.9/include/asm-generic/pgtable.h 2010-02-23 17:09:53.308131663 -0500
41584@@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
41585 unsigned long size);
41586 #endif
41587
41588+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
41589+static inline unsigned long pax_open_kernel(void) { return 0; }
41590+#endif
41591+
41592+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
41593+static inline unsigned long pax_close_kernel(void) { return 0; }
41594+#endif
41595+
41596 #endif /* !__ASSEMBLY__ */
41597
41598 #endif /* _ASM_GENERIC_PGTABLE_H */
41599diff -urNp linux-2.6.32.9/include/asm-generic/vmlinux.lds.h linux-2.6.32.9/include/asm-generic/vmlinux.lds.h
41600--- linux-2.6.32.9/include/asm-generic/vmlinux.lds.h 2010-02-09 07:57:19.000000000 -0500
41601+++ linux-2.6.32.9/include/asm-generic/vmlinux.lds.h 2010-02-23 17:09:53.308131663 -0500
41602@@ -199,6 +199,7 @@
41603 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
41604 VMLINUX_SYMBOL(__start_rodata) = .; \
41605 *(.rodata) *(.rodata.*) \
41606+ *(.data.read_only) \
41607 *(__vermagic) /* Kernel version magic */ \
41608 *(__markers_strings) /* Markers: strings */ \
41609 *(__tracepoints_strings)/* Tracepoints: strings */ \
41610@@ -656,22 +657,24 @@
41611 * section in the linker script will go there too. @phdr should have
41612 * a leading colon.
41613 *
41614- * Note that this macros defines __per_cpu_load as an absolute symbol.
41615+ * Note that this macros defines per_cpu_load as an absolute symbol.
41616 * If there is no need to put the percpu section at a predetermined
41617 * address, use PERCPU().
41618 */
41619 #define PERCPU_VADDR(vaddr, phdr) \
41620- VMLINUX_SYMBOL(__per_cpu_load) = .; \
41621- .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
41622+ per_cpu_load = .; \
41623+ .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
41624 - LOAD_OFFSET) { \
41625+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
41626 VMLINUX_SYMBOL(__per_cpu_start) = .; \
41627 *(.data.percpu.first) \
41628- *(.data.percpu.page_aligned) \
41629 *(.data.percpu) \
41630+ . = ALIGN(PAGE_SIZE); \
41631+ *(.data.percpu.page_aligned) \
41632 *(.data.percpu.shared_aligned) \
41633 VMLINUX_SYMBOL(__per_cpu_end) = .; \
41634 } phdr \
41635- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
41636+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
41637
41638 /**
41639 * PERCPU - define output section for percpu area, simple version
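Review bot: In `PERCPU_VADDR` the new helper symbol is assigned as bare `per_cpu_load = .;` but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment, and bare again inside the section. If `VMLINUX_SYMBOL` adds a prefix on some architecture (its definition is not shown here), those are two different names and the wrapped references would not resolve to the symbol that was assigned. One spelling should be used throughout, e.g. `AT(per_cpu_load - LOAD_OFFSET)` and `. = per_cpu_load + SIZEOF(.data.percpu);`. The comment above the macro now says only that `per_cpu_load` is defined, although `__per_cpu_load` is still defined inside the section as `. + per_cpu_load`; it should mention both.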
41640diff -urNp linux-2.6.32.9/include/drm/drm_pciids.h linux-2.6.32.9/include/drm/drm_pciids.h
41641--- linux-2.6.32.9/include/drm/drm_pciids.h 2010-02-09 07:57:19.000000000 -0500
41642+++ linux-2.6.32.9/include/drm/drm_pciids.h 2010-02-23 17:09:53.308131663 -0500
41643@@ -375,7 +375,7 @@
41644 {0x1002, 0x9712, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41645 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41646 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41647- {0, 0, 0}
41648+ {0, 0, 0, 0, 0, 0}
41649
41650 #define r128_PCI_IDS \
41651 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41652@@ -415,14 +415,14 @@
41653 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41654 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41655 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41656- {0, 0, 0}
41657+ {0, 0, 0, 0, 0, 0}
41658
41659 #define mga_PCI_IDS \
41660 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41661 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41662 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
41663 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
41664- {0, 0, 0}
41665+ {0, 0, 0, 0, 0, 0}
41666
41667 #define mach64_PCI_IDS \
41668 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41669@@ -445,7 +445,7 @@
41670 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41671 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41672 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41673- {0, 0, 0}
41674+ {0, 0, 0, 0, 0, 0}
41675
41676 #define sisdrv_PCI_IDS \
41677 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41678@@ -456,7 +456,7 @@
41679 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41680 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41681 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41682- {0, 0, 0}
41683+ {0, 0, 0, 0, 0, 0}
41684
41685 #define tdfx_PCI_IDS \
41686 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41687@@ -465,7 +465,7 @@
41688 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41689 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41690 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41691- {0, 0, 0}
41692+ {0, 0, 0, 0, 0, 0}
41693
41694 #define viadrv_PCI_IDS \
41695 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41696@@ -477,14 +477,14 @@
41697 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41698 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
41699 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
41700- {0, 0, 0}
41701+ {0, 0, 0, 0, 0, 0}
41702
41703 #define i810_PCI_IDS \
41704 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41705 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41706 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41707 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41708- {0, 0, 0}
41709+ {0, 0, 0, 0, 0, 0}
41710
41711 #define i830_PCI_IDS \
41712 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41713@@ -492,11 +492,11 @@
41714 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41715 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41716 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41717- {0, 0, 0}
41718+ {0, 0, 0, 0, 0, 0}
41719
41720 #define gamma_PCI_IDS \
41721 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41722- {0, 0, 0}
41723+ {0, 0, 0, 0, 0, 0}
41724
41725 #define savage_PCI_IDS \
41726 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
41727@@ -522,10 +522,10 @@
41728 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
41729 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41730 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41731- {0, 0, 0}
41732+ {0, 0, 0, 0, 0, 0}
41733
41734 #define ffb_PCI_IDS \
41735- {0, 0, 0}
41736+ {0, 0, 0, 0, 0, 0}
41737
41738 #define i915_PCI_IDS \
41739 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41740@@ -558,4 +558,4 @@
41741 {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41742 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41743 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41744- {0, 0, 0}
41745+ {0, 0, 0, 0, 0, 0}
41746diff -urNp linux-2.6.32.9/include/drm/drmP.h linux-2.6.32.9/include/drm/drmP.h
41747--- linux-2.6.32.9/include/drm/drmP.h 2010-02-09 07:57:19.000000000 -0500
41748+++ linux-2.6.32.9/include/drm/drmP.h 2010-02-23 17:09:53.308131663 -0500
41749@@ -814,7 +814,7 @@ struct drm_driver {
41750 void (*vgaarb_irq)(struct drm_device *dev, bool state);
41751
41752 /* Driver private ops for this object */
41753- struct vm_operations_struct *gem_vm_ops;
41754+ const struct vm_operations_struct *gem_vm_ops;
41755
41756 int major;
41757 int minor;
41758@@ -917,7 +917,7 @@ struct drm_device {
41759
41760 /** \name Usage Counters */
41761 /*@{ */
41762- int open_count; /**< Outstanding files open */
41763+ atomic_t open_count; /**< Outstanding files open */
41764 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
41765 atomic_t vma_count; /**< Outstanding vma areas open */
41766 int buf_use; /**< Buffers in use -- cannot alloc */
41767@@ -928,7 +928,7 @@ struct drm_device {
41768 /*@{ */
41769 unsigned long counters;
41770 enum drm_stat_type types[15];
41771- atomic_t counts[15];
41772+ atomic_unchecked_t counts[15];
41773 /*@} */
41774
41775 struct list_head filelist;
41776diff -urNp linux-2.6.32.9/include/linux/a.out.h linux-2.6.32.9/include/linux/a.out.h
41777--- linux-2.6.32.9/include/linux/a.out.h 2010-02-09 07:57:19.000000000 -0500
41778+++ linux-2.6.32.9/include/linux/a.out.h 2010-02-23 17:09:53.308131663 -0500
41779@@ -39,6 +39,14 @@ enum machine_type {
41780 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
41781 };
41782
41783+/* Constants for the N_FLAGS field */
41784+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
41785+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
41786+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
41787+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
41788+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
41789+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
41790+
41791 #if !defined (N_MAGIC)
41792 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
41793 #endif
41794diff -urNp linux-2.6.32.9/include/linux/atmdev.h linux-2.6.32.9/include/linux/atmdev.h
41795--- linux-2.6.32.9/include/linux/atmdev.h 2010-02-09 07:57:19.000000000 -0500
41796+++ linux-2.6.32.9/include/linux/atmdev.h 2010-02-23 17:09:53.308131663 -0500
41797@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
41798 #endif
41799
41800 struct k_atm_aal_stats {
41801-#define __HANDLE_ITEM(i) atomic_t i
41802+#define __HANDLE_ITEM(i) atomic_unchecked_t i
41803 __AAL_STAT_ITEMS
41804 #undef __HANDLE_ITEM
41805 };
41806diff -urNp linux-2.6.32.9/include/linux/backlight.h linux-2.6.32.9/include/linux/backlight.h
41807--- linux-2.6.32.9/include/linux/backlight.h 2010-02-09 07:57:19.000000000 -0500
41808+++ linux-2.6.32.9/include/linux/backlight.h 2010-02-23 17:09:53.308131663 -0500
41809@@ -36,18 +36,18 @@ struct backlight_device;
41810 struct fb_info;
41811
41812 struct backlight_ops {
41813- unsigned int options;
41814+ const unsigned int options;
41815
41816 #define BL_CORE_SUSPENDRESUME (1 << 0)
41817
41818 /* Notify the backlight driver some property has changed */
41819- int (*update_status)(struct backlight_device *);
41820+ int (* const update_status)(struct backlight_device *);
41821 /* Return the current backlight brightness (accounting for power,
41822 fb_blank etc.) */
41823- int (*get_brightness)(struct backlight_device *);
41824+ int (* const get_brightness)(struct backlight_device *);
41825 /* Check if given framebuffer device is the one bound to this backlight;
41826 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
41827- int (*check_fb)(struct fb_info *);
41828+ int (* const check_fb)(struct fb_info *);
41829 };
41830
41831 /* This structure defines all the properties of a backlight */
41832@@ -86,7 +86,7 @@ struct backlight_device {
41833 registered this device has been unloaded, and if class_get_devdata()
41834 points to something in the body of that driver, it is also invalid. */
41835 struct mutex ops_lock;
41836- struct backlight_ops *ops;
41837+ const struct backlight_ops *ops;
41838
41839 /* The framebuffer notifier block */
41840 struct notifier_block fb_notif;
41841@@ -103,7 +103,7 @@ static inline void backlight_update_stat
41842 }
41843
41844 extern struct backlight_device *backlight_device_register(const char *name,
41845- struct device *dev, void *devdata, struct backlight_ops *ops);
41846+ struct device *dev, void *devdata, const struct backlight_ops *ops);
41847 extern void backlight_device_unregister(struct backlight_device *bd);
41848 extern void backlight_force_update(struct backlight_device *bd,
41849 enum backlight_update_reason reason);
41850diff -urNp linux-2.6.32.9/include/linux/binfmts.h linux-2.6.32.9/include/linux/binfmts.h
41851--- linux-2.6.32.9/include/linux/binfmts.h 2010-02-09 07:57:19.000000000 -0500
41852+++ linux-2.6.32.9/include/linux/binfmts.h 2010-02-23 17:09:53.311553777 -0500
41853@@ -78,6 +78,7 @@ struct linux_binfmt {
41854 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
41855 int (*load_shlib)(struct file *);
41856 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
41857+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
41858 unsigned long min_coredump; /* minimal dump size */
41859 int hasvdso;
41860 };
41861diff -urNp linux-2.6.32.9/include/linux/blkdev.h linux-2.6.32.9/include/linux/blkdev.h
41862--- linux-2.6.32.9/include/linux/blkdev.h 2010-02-09 07:57:19.000000000 -0500
41863+++ linux-2.6.32.9/include/linux/blkdev.h 2010-02-23 17:09:53.311553777 -0500
41864@@ -1262,19 +1262,19 @@ static inline int blk_integrity_rq(struc
41865 #endif /* CONFIG_BLK_DEV_INTEGRITY */
41866
41867 struct block_device_operations {
41868- int (*open) (struct block_device *, fmode_t);
41869- int (*release) (struct gendisk *, fmode_t);
41870- int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41871- int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41872- int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41873- int (*direct_access) (struct block_device *, sector_t,
41874+ int (* const open) (struct block_device *, fmode_t);
41875+ int (* const release) (struct gendisk *, fmode_t);
41876+ int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41877+ int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41878+ int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41879+ int (* const direct_access) (struct block_device *, sector_t,
41880 void **, unsigned long *);
41881- int (*media_changed) (struct gendisk *);
41882- unsigned long long (*set_capacity) (struct gendisk *,
41883+ int (* const media_changed) (struct gendisk *);
41884+ unsigned long long (* const set_capacity) (struct gendisk *,
41885 unsigned long long);
41886- int (*revalidate_disk) (struct gendisk *);
41887- int (*getgeo)(struct block_device *, struct hd_geometry *);
41888- struct module *owner;
41889+ int (* const revalidate_disk) (struct gendisk *);
41890+ int (*const getgeo)(struct block_device *, struct hd_geometry *);
41891+ struct module * const owner;
41892 };
41893
41894 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
41895diff -urNp linux-2.6.32.9/include/linux/cache.h linux-2.6.32.9/include/linux/cache.h
41896--- linux-2.6.32.9/include/linux/cache.h 2010-02-09 07:57:19.000000000 -0500
41897+++ linux-2.6.32.9/include/linux/cache.h 2010-02-23 17:09:53.311553777 -0500
41898@@ -16,6 +16,10 @@
41899 #define __read_mostly
41900 #endif
41901
41902+#ifndef __read_only
41903+#define __read_only __read_mostly
41904+#endif
41905+
41906 #ifndef ____cacheline_aligned
41907 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
41908 #endif
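Review bot: The fallback `#define __read_only __read_mostly` gives no write protection: on an architecture that does not supply its own `__read_only`, objects carrying the annotation end up wherever `__read_mostly` places them, and in this same header `__read_mostly` itself may be defined empty. The annotation then documents intent only, which is easy to misread as a guarantee. A comment on the fallback would make that explicit, e.g. `/* no arch support: __read_only data stays writable */`.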
41909diff -urNp linux-2.6.32.9/include/linux/capability.h linux-2.6.32.9/include/linux/capability.h
41910--- linux-2.6.32.9/include/linux/capability.h 2010-02-09 07:57:19.000000000 -0500
41911+++ linux-2.6.32.9/include/linux/capability.h 2010-02-23 17:09:53.311553777 -0500
41912@@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
41913 (security_real_capable_noaudit((t), (cap)) == 0)
41914
41915 extern int capable(int cap);
41916+int capable_nolog(int cap);
41917
41918 /* audit system wants to get cap info from files as well */
41919 struct dentry;
41920diff -urNp linux-2.6.32.9/include/linux/compiler-gcc4.h linux-2.6.32.9/include/linux/compiler-gcc4.h
41921--- linux-2.6.32.9/include/linux/compiler-gcc4.h 2010-02-09 07:57:19.000000000 -0500
41922+++ linux-2.6.32.9/include/linux/compiler-gcc4.h 2010-02-23 17:09:53.311553777 -0500
41923@@ -36,4 +36,8 @@
41924 the kernel context */
41925 #define __cold __attribute__((__cold__))
41926
41927+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
41928+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
41929+#define __bos0(ptr) __bos((ptr), 0)
41930+#define __bos1(ptr) __bos((ptr), 1)
41931 #endif
41932diff -urNp linux-2.6.32.9/include/linux/compiler.h linux-2.6.32.9/include/linux/compiler.h
41933--- linux-2.6.32.9/include/linux/compiler.h 2010-02-09 07:57:19.000000000 -0500
41934+++ linux-2.6.32.9/include/linux/compiler.h 2010-02-23 17:09:53.311553777 -0500
41935@@ -256,6 +256,22 @@ void ftrace_likely_update(struct ftrace_
41936 #define __cold
41937 #endif
41938
41939+#ifndef __alloc_size
41940+#define __alloc_size
41941+#endif
41942+
41943+#ifndef __bos
41944+#define __bos
41945+#endif
41946+
41947+#ifndef __bos0
41948+#define __bos0
41949+#endif
41950+
41951+#ifndef __bos1
41952+#define __bos1
41953+#endif
41954+
41955 /* Simple shorthand for a section definition */
41956 #ifndef __section
41957 # define __section(S) __attribute__ ((__section__(#S)))
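Review bot: The four fallbacks added here are object-like macros (`#define __bos0` with no parameter list), while the compiler-gcc4.h definitions they stand in for take arguments. On a compiler that does not pick up the gcc4 header, `__bos0(p)` would therefore expand to `(p)` and `__alloc_size(1)` would leave a stray `(1)` in the declaration, so a missing size check shows up as a pointer used as a length or as a syntax error rather than as a clean no-op. Declaring them with parameters, `#define __alloc_size(...)` and `#define __bos(ptr, arg)` (likewise `__bos0(ptr)` and `__bos1(ptr)`), keeps both configurations parsing the same call sites. No use of these macros is visible in this part of the patch, so which failure a given call site hits is not confirmed here.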
41958diff -urNp linux-2.6.32.9/include/linux/decompress/mm.h linux-2.6.32.9/include/linux/decompress/mm.h
41959--- linux-2.6.32.9/include/linux/decompress/mm.h 2010-02-09 07:57:19.000000000 -0500
41960+++ linux-2.6.32.9/include/linux/decompress/mm.h 2010-02-23 17:09:53.311553777 -0500
41961@@ -68,7 +68,7 @@ static void free(void *where)
41962 * warnings when not needed (indeed large_malloc / large_free are not
41963 * needed by inflate */
41964
41965-#define malloc(a) kmalloc(a, GFP_KERNEL)
41966+#define malloc(a) kmalloc((a), GFP_KERNEL)
41967 #define free(a) kfree(a)
41968
41969 #define large_malloc(a) vmalloc(a)
41970diff -urNp linux-2.6.32.9/include/linux/dma-mapping.h linux-2.6.32.9/include/linux/dma-mapping.h
41971--- linux-2.6.32.9/include/linux/dma-mapping.h 2010-02-09 07:57:19.000000000 -0500
41972+++ linux-2.6.32.9/include/linux/dma-mapping.h 2010-02-23 17:09:53.311553777 -0500
41973@@ -16,50 +16,50 @@ enum dma_data_direction {
41974 };
41975
41976 struct dma_map_ops {
41977- void* (*alloc_coherent)(struct device *dev, size_t size,
41978+ void* (* const alloc_coherent)(struct device *dev, size_t size,
41979 dma_addr_t *dma_handle, gfp_t gfp);
41980- void (*free_coherent)(struct device *dev, size_t size,
41981+ void (* const free_coherent)(struct device *dev, size_t size,
41982 void *vaddr, dma_addr_t dma_handle);
41983- dma_addr_t (*map_page)(struct device *dev, struct page *page,
41984+ dma_addr_t (* const map_page)(struct device *dev, struct page *page,
41985 unsigned long offset, size_t size,
41986 enum dma_data_direction dir,
41987 struct dma_attrs *attrs);
41988- void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
41989+ void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
41990 size_t size, enum dma_data_direction dir,
41991 struct dma_attrs *attrs);
41992- int (*map_sg)(struct device *dev, struct scatterlist *sg,
41993+ int (* const map_sg)(struct device *dev, struct scatterlist *sg,
41994 int nents, enum dma_data_direction dir,
41995 struct dma_attrs *attrs);
41996- void (*unmap_sg)(struct device *dev,
41997+ void (* const unmap_sg)(struct device *dev,
41998 struct scatterlist *sg, int nents,
41999 enum dma_data_direction dir,
42000 struct dma_attrs *attrs);
42001- void (*sync_single_for_cpu)(struct device *dev,
42002+ void (* const sync_single_for_cpu)(struct device *dev,
42003 dma_addr_t dma_handle, size_t size,
42004 enum dma_data_direction dir);
42005- void (*sync_single_for_device)(struct device *dev,
42006+ void (* const sync_single_for_device)(struct device *dev,
42007 dma_addr_t dma_handle, size_t size,
42008 enum dma_data_direction dir);
42009- void (*sync_single_range_for_cpu)(struct device *dev,
42010+ void (* const sync_single_range_for_cpu)(struct device *dev,
42011 dma_addr_t dma_handle,
42012 unsigned long offset,
42013 size_t size,
42014 enum dma_data_direction dir);
42015- void (*sync_single_range_for_device)(struct device *dev,
42016+ void (* const sync_single_range_for_device)(struct device *dev,
42017 dma_addr_t dma_handle,
42018 unsigned long offset,
42019 size_t size,
42020 enum dma_data_direction dir);
42021- void (*sync_sg_for_cpu)(struct device *dev,
42022+ void (* const sync_sg_for_cpu)(struct device *dev,
42023 struct scatterlist *sg, int nents,
42024 enum dma_data_direction dir);
42025- void (*sync_sg_for_device)(struct device *dev,
42026+ void (* const sync_sg_for_device)(struct device *dev,
42027 struct scatterlist *sg, int nents,
42028 enum dma_data_direction dir);
42029- int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
42030- int (*dma_supported)(struct device *dev, u64 mask);
42031+ int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
42032+ int (* const dma_supported)(struct device *dev, u64 mask);
42033 int (*set_dma_mask)(struct device *dev, u64 mask);
42034- int is_phys;
42035+ const int is_phys;
42036 };
42037
42038 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
42039diff -urNp linux-2.6.32.9/include/linux/dst.h linux-2.6.32.9/include/linux/dst.h
42040--- linux-2.6.32.9/include/linux/dst.h 2010-02-09 07:57:19.000000000 -0500
42041+++ linux-2.6.32.9/include/linux/dst.h 2010-02-23 17:09:53.311553777 -0500
42042@@ -380,7 +380,7 @@ struct dst_node
42043 struct thread_pool *pool;
42044
42045 /* Transaction IDs live here */
42046- atomic_long_t gen;
42047+ atomic_long_unchecked_t gen;
42048
42049 /*
42050 * How frequently and how many times transaction
42051diff -urNp linux-2.6.32.9/include/linux/elf.h linux-2.6.32.9/include/linux/elf.h
42052--- linux-2.6.32.9/include/linux/elf.h 2010-02-09 07:57:19.000000000 -0500
42053+++ linux-2.6.32.9/include/linux/elf.h 2010-02-23 17:09:53.311553777 -0500
42054@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
42055 #define PT_GNU_EH_FRAME 0x6474e550
42056
42057 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
42058+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
42059+
42060+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
42061+
42062+/* Constants for the e_flags field */
42063+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
42064+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
42065+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
42066+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
42067+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
42068+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
42069
42070 /* These constants define the different elf file types */
42071 #define ET_NONE 0
42072@@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
42073 #define DT_DEBUG 21
42074 #define DT_TEXTREL 22
42075 #define DT_JMPREL 23
42076+#define DT_FLAGS 30
42077+ #define DF_TEXTREL 0x00000004
42078 #define DT_ENCODING 32
42079 #define OLD_DT_LOOS 0x60000000
42080 #define DT_LOOS 0x6000000d
42081@@ -230,6 +243,19 @@ typedef struct elf64_hdr {
42082 #define PF_W 0x2
42083 #define PF_X 0x1
42084
42085+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
42086+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
42087+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
42088+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
42089+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
42090+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
42091+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
42092+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
42093+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
42094+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
42095+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
42096+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
42097+
42098 typedef struct elf32_phdr{
42099 Elf32_Word p_type;
42100 Elf32_Off p_offset;
42101@@ -322,6 +348,8 @@ typedef struct elf64_shdr {
42102 #define EI_OSABI 7
42103 #define EI_PAD 8
42104
42105+#define EI_PAX 14
42106+
42107 #define ELFMAG0 0x7f /* EI_MAG */
42108 #define ELFMAG1 'E'
42109 #define ELFMAG2 'L'
42110@@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
42111 #define elf_phdr elf32_phdr
42112 #define elf_note elf32_note
42113 #define elf_addr_t Elf32_Off
42114+#define elf_dyn Elf32_Dyn
42115
42116 #else
42117
42118@@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
42119 #define elf_phdr elf64_phdr
42120 #define elf_note elf64_note
42121 #define elf_addr_t Elf64_Off
42122+#define elf_dyn Elf64_Dyn
42123
42124 #endif
42125
42126diff -urNp linux-2.6.32.9/include/linux/fs.h linux-2.6.32.9/include/linux/fs.h
42127--- linux-2.6.32.9/include/linux/fs.h 2010-02-09 07:57:19.000000000 -0500
42128+++ linux-2.6.32.9/include/linux/fs.h 2010-02-23 17:09:53.311553777 -0500
42129@@ -87,6 +87,10 @@ struct inodes_stat_t {
42130 */
42131 #define FMODE_NOCMTIME ((__force fmode_t)2048)
42132
42133+/* Hack for grsec so as not to require read permission simply to execute
42134+ a binary */
42135+#define FMODE_GREXEC ((__force fmode_t)8192)
42136+
42137 /*
42138 * The below are the various read and write types that we support. Some of
42139 * them include behavioral modifiers that send information down to the
42140@@ -565,41 +569,41 @@ typedef int (*read_actor_t)(read_descrip
42141 unsigned long, unsigned long);
42142
42143 struct address_space_operations {
42144- int (*writepage)(struct page *page, struct writeback_control *wbc);
42145- int (*readpage)(struct file *, struct page *);
42146- void (*sync_page)(struct page *);
42147+ int (* const writepage)(struct page *page, struct writeback_control *wbc);
42148+ int (* const readpage)(struct file *, struct page *);
42149+ void (* const sync_page)(struct page *);
42150
42151 /* Write back some dirty pages from this mapping. */
42152- int (*writepages)(struct address_space *, struct writeback_control *);
42153+ int (* const writepages)(struct address_space *, struct writeback_control *);
42154
42155 /* Set a page dirty. Return true if this dirtied it */
42156- int (*set_page_dirty)(struct page *page);
42157+ int (* const set_page_dirty)(struct page *page);
42158
42159- int (*readpages)(struct file *filp, struct address_space *mapping,
42160+ int (* const readpages)(struct file *filp, struct address_space *mapping,
42161 struct list_head *pages, unsigned nr_pages);
42162
42163- int (*write_begin)(struct file *, struct address_space *mapping,
42164+ int (* const write_begin)(struct file *, struct address_space *mapping,
42165 loff_t pos, unsigned len, unsigned flags,
42166 struct page **pagep, void **fsdata);
42167- int (*write_end)(struct file *, struct address_space *mapping,
42168+ int (* const write_end)(struct file *, struct address_space *mapping,
42169 loff_t pos, unsigned len, unsigned copied,
42170 struct page *page, void *fsdata);
42171
42172 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
42173- sector_t (*bmap)(struct address_space *, sector_t);
42174- void (*invalidatepage) (struct page *, unsigned long);
42175- int (*releasepage) (struct page *, gfp_t);
42176- ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
42177+ sector_t (* const bmap)(struct address_space *, sector_t);
42178+ void (* const invalidatepage) (struct page *, unsigned long);
42179+ int (* const releasepage) (struct page *, gfp_t);
42180+ ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
42181 loff_t offset, unsigned long nr_segs);
42182- int (*get_xip_mem)(struct address_space *, pgoff_t, int,
42183+ int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
42184 void **, unsigned long *);
42185 /* migrate the contents of a page to the specified target */
42186- int (*migratepage) (struct address_space *,
42187+ int (* const migratepage) (struct address_space *,
42188 struct page *, struct page *);
42189- int (*launder_page) (struct page *);
42190- int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
42191+ int (* const launder_page) (struct page *);
42192+ int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
42193 unsigned long);
42194- int (*error_remove_page)(struct address_space *, struct page *);
42195+ int (* const error_remove_page)(struct address_space *, struct page *);
42196 };
42197
42198 /*
42199@@ -1027,19 +1031,19 @@ static inline int file_check_writeable(s
42200 typedef struct files_struct *fl_owner_t;
42201
42202 struct file_lock_operations {
42203- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42204- void (*fl_release_private)(struct file_lock *);
42205+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42206+ void (* const fl_release_private)(struct file_lock *);
42207 };
42208
42209 struct lock_manager_operations {
42210- int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
42211- void (*fl_notify)(struct file_lock *); /* unblock callback */
42212- int (*fl_grant)(struct file_lock *, struct file_lock *, int);
42213- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42214- void (*fl_release_private)(struct file_lock *);
42215- void (*fl_break)(struct file_lock *);
42216- int (*fl_mylease)(struct file_lock *, struct file_lock *);
42217- int (*fl_change)(struct file_lock **, int);
42218+ int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
42219+ void (* const fl_notify)(struct file_lock *); /* unblock callback */
42220+ int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
42221+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42222+ void (* const fl_release_private)(struct file_lock *);
42223+ void (* const fl_break)(struct file_lock *);
42224+ int (* const fl_mylease)(struct file_lock *, struct file_lock *);
42225+ int (* const fl_change)(struct file_lock **, int);
42226 };
42227
42228 struct lock_manager {
42229@@ -1436,7 +1440,7 @@ struct fiemap_extent_info {
42230 unsigned int fi_flags; /* Flags as passed from user */
42231 unsigned int fi_extents_mapped; /* Number of mapped extents */
42232 unsigned int fi_extents_max; /* Size of fiemap_extent array */
42233- struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
42234+ struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
42235 * array */
42236 };
42237 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
42238@@ -1553,30 +1557,30 @@ extern ssize_t vfs_writev(struct file *,
42239 unsigned long, loff_t *);
42240
42241 struct super_operations {
42242- struct inode *(*alloc_inode)(struct super_block *sb);
42243- void (*destroy_inode)(struct inode *);
42244+ struct inode *(* const alloc_inode)(struct super_block *sb);
42245+ void (* const destroy_inode)(struct inode *);
42246
42247- void (*dirty_inode) (struct inode *);
42248- int (*write_inode) (struct inode *, int);
42249- void (*drop_inode) (struct inode *);
42250- void (*delete_inode) (struct inode *);
42251- void (*put_super) (struct super_block *);
42252- void (*write_super) (struct super_block *);
42253- int (*sync_fs)(struct super_block *sb, int wait);
42254- int (*freeze_fs) (struct super_block *);
42255- int (*unfreeze_fs) (struct super_block *);
42256- int (*statfs) (struct dentry *, struct kstatfs *);
42257- int (*remount_fs) (struct super_block *, int *, char *);
42258- void (*clear_inode) (struct inode *);
42259- void (*umount_begin) (struct super_block *);
42260+ void (* const dirty_inode) (struct inode *);
42261+ int (* const write_inode) (struct inode *, int);
42262+ void (* const drop_inode) (struct inode *);
42263+ void (* const delete_inode) (struct inode *);
42264+ void (* const put_super) (struct super_block *);
42265+ void (* const write_super) (struct super_block *);
42266+ int (* const sync_fs)(struct super_block *sb, int wait);
42267+ int (* const freeze_fs) (struct super_block *);
42268+ int (* const unfreeze_fs) (struct super_block *);
42269+ int (* const statfs) (struct dentry *, struct kstatfs *);
42270+ int (* const remount_fs) (struct super_block *, int *, char *);
42271+ void (* const clear_inode) (struct inode *);
42272+ void (* const umount_begin) (struct super_block *);
42273
42274- int (*show_options)(struct seq_file *, struct vfsmount *);
42275- int (*show_stats)(struct seq_file *, struct vfsmount *);
42276+ int (* const show_options)(struct seq_file *, struct vfsmount *);
42277+ int (* const show_stats)(struct seq_file *, struct vfsmount *);
42278 #ifdef CONFIG_QUOTA
42279- ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
42280- ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42281+ ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
42282+ ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42283 #endif
42284- int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42285+ int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42286 };
42287
42288 /*
42289diff -urNp linux-2.6.32.9/include/linux/fs_struct.h linux-2.6.32.9/include/linux/fs_struct.h
42290--- linux-2.6.32.9/include/linux/fs_struct.h 2010-02-09 07:57:19.000000000 -0500
42291+++ linux-2.6.32.9/include/linux/fs_struct.h 2010-02-23 17:09:53.311553777 -0500
42292@@ -4,7 +4,7 @@
42293 #include <linux/path.h>
42294
42295 struct fs_struct {
42296- int users;
42297+ atomic_t users;
42298 rwlock_t lock;
42299 int umask;
42300 int in_exec;
42301diff -urNp linux-2.6.32.9/include/linux/genhd.h linux-2.6.32.9/include/linux/genhd.h
42302--- linux-2.6.32.9/include/linux/genhd.h 2010-02-09 07:57:19.000000000 -0500
42303+++ linux-2.6.32.9/include/linux/genhd.h 2010-02-23 17:09:53.311553777 -0500
42304@@ -161,7 +161,7 @@ struct gendisk {
42305
42306 struct timer_rand_state *random;
42307
42308- atomic_t sync_io; /* RAID */
42309+ atomic_unchecked_t sync_io; /* RAID */
42310 struct work_struct async_notify;
42311 #ifdef CONFIG_BLK_DEV_INTEGRITY
42312 struct blk_integrity *integrity;
42313diff -urNp linux-2.6.32.9/include/linux/gracl.h linux-2.6.32.9/include/linux/gracl.h
42314--- linux-2.6.32.9/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
42315+++ linux-2.6.32.9/include/linux/gracl.h 2010-02-23 17:09:53.311553777 -0500
42316@@ -0,0 +1,309 @@
42317+#ifndef GR_ACL_H
42318+#define GR_ACL_H
42319+
42320+#include <linux/grdefs.h>
42321+#include <linux/resource.h>
42322+#include <linux/capability.h>
42323+#include <linux/dcache.h>
42324+#include <asm/resource.h>
42325+
42326+/* Major status information */
42327+
42328+#define GR_VERSION "grsecurity 2.1.14"
42329+#define GRSECURITY_VERSION 0x2114
42330+
42331+enum {
42332+ GR_SHUTDOWN = 0,
42333+ GR_ENABLE = 1,
42334+ GR_SPROLE = 2,
42335+ GR_RELOAD = 3,
42336+ GR_SEGVMOD = 4,
42337+ GR_STATUS = 5,
42338+ GR_UNSPROLE = 6,
42339+ GR_PASSSET = 7,
42340+ GR_SPROLEPAM = 8,
42341+};
42342+
42343+/* Password setup definitions
42344+ * kernel/grhash.c */
42345+enum {
42346+ GR_PW_LEN = 128,
42347+ GR_SALT_LEN = 16,
42348+ GR_SHA_LEN = 32,
42349+};
42350+
42351+enum {
42352+ GR_SPROLE_LEN = 64,
42353+};
42354+
42355+#define GR_NLIMITS 32
42356+
42357+/* Begin Data Structures */
42358+
42359+struct sprole_pw {
42360+ unsigned char *rolename;
42361+ unsigned char salt[GR_SALT_LEN];
42362+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
42363+};
42364+
42365+struct name_entry {
42366+ __u32 key;
42367+ ino_t inode;
42368+ dev_t device;
42369+ char *name;
42370+ __u16 len;
42371+ __u8 deleted;
42372+ struct name_entry *prev;
42373+ struct name_entry *next;
42374+};
42375+
42376+struct inodev_entry {
42377+ struct name_entry *nentry;
42378+ struct inodev_entry *prev;
42379+ struct inodev_entry *next;
42380+};
42381+
42382+struct acl_role_db {
42383+ struct acl_role_label **r_hash;
42384+ __u32 r_size;
42385+};
42386+
42387+struct inodev_db {
42388+ struct inodev_entry **i_hash;
42389+ __u32 i_size;
42390+};
42391+
42392+struct name_db {
42393+ struct name_entry **n_hash;
42394+ __u32 n_size;
42395+};
42396+
42397+struct crash_uid {
42398+ uid_t uid;
42399+ unsigned long expires;
42400+};
42401+
42402+struct gr_hash_struct {
42403+ void **table;
42404+ void **nametable;
42405+ void *first;
42406+ __u32 table_size;
42407+ __u32 used_size;
42408+ int type;
42409+};
42410+
42411+/* Userspace Grsecurity ACL data structures */
42412+
42413+struct acl_subject_label {
42414+ char *filename;
42415+ ino_t inode;
42416+ dev_t device;
42417+ __u32 mode;
42418+ kernel_cap_t cap_mask;
42419+ kernel_cap_t cap_lower;
42420+
42421+ struct rlimit res[GR_NLIMITS];
42422+ __u32 resmask;
42423+
42424+ __u8 user_trans_type;
42425+ __u8 group_trans_type;
42426+ uid_t *user_transitions;
42427+ gid_t *group_transitions;
42428+ __u16 user_trans_num;
42429+ __u16 group_trans_num;
42430+
42431+ __u32 ip_proto[8];
42432+ __u32 ip_type;
42433+ struct acl_ip_label **ips;
42434+ __u32 ip_num;
42435+ __u32 inaddr_any_override;
42436+
42437+ __u32 crashes;
42438+ unsigned long expires;
42439+
42440+ struct acl_subject_label *parent_subject;
42441+ struct gr_hash_struct *hash;
42442+ struct acl_subject_label *prev;
42443+ struct acl_subject_label *next;
42444+
42445+ struct acl_object_label **obj_hash;
42446+ __u32 obj_hash_size;
42447+ __u16 pax_flags;
42448+};
42449+
42450+struct role_allowed_ip {
42451+ __u32 addr;
42452+ __u32 netmask;
42453+
42454+ struct role_allowed_ip *prev;
42455+ struct role_allowed_ip *next;
42456+};
42457+
42458+struct role_transition {
42459+ char *rolename;
42460+
42461+ struct role_transition *prev;
42462+ struct role_transition *next;
42463+};
42464+
42465+struct acl_role_label {
42466+ char *rolename;
42467+ uid_t uidgid;
42468+ __u16 roletype;
42469+
42470+ __u16 auth_attempts;
42471+ unsigned long expires;
42472+
42473+ struct acl_subject_label *root_label;
42474+ struct gr_hash_struct *hash;
42475+
42476+ struct acl_role_label *prev;
42477+ struct acl_role_label *next;
42478+
42479+ struct role_transition *transitions;
42480+ struct role_allowed_ip *allowed_ips;
42481+ uid_t *domain_children;
42482+ __u16 domain_child_num;
42483+
42484+ struct acl_subject_label **subj_hash;
42485+ __u32 subj_hash_size;
42486+};
42487+
42488+struct user_acl_role_db {
42489+ struct acl_role_label **r_table;
42490+ __u32 num_pointers; /* Number of allocations to track */
42491+ __u32 num_roles; /* Number of roles */
42492+ __u32 num_domain_children; /* Number of domain children */
42493+ __u32 num_subjects; /* Number of subjects */
42494+ __u32 num_objects; /* Number of objects */
42495+};
42496+
42497+struct acl_object_label {
42498+ char *filename;
42499+ ino_t inode;
42500+ dev_t device;
42501+ __u32 mode;
42502+
42503+ struct acl_subject_label *nested;
42504+ struct acl_object_label *globbed;
42505+
42506+ /* next two structures not used */
42507+
42508+ struct acl_object_label *prev;
42509+ struct acl_object_label *next;
42510+};
42511+
42512+struct acl_ip_label {
42513+ char *iface;
42514+ __u32 addr;
42515+ __u32 netmask;
42516+ __u16 low, high;
42517+ __u8 mode;
42518+ __u32 type;
42519+ __u32 proto[8];
42520+
42521+ /* next two structures not used */
42522+
42523+ struct acl_ip_label *prev;
42524+ struct acl_ip_label *next;
42525+};
42526+
42527+struct gr_arg {
42528+ struct user_acl_role_db role_db;
42529+ unsigned char pw[GR_PW_LEN];
42530+ unsigned char salt[GR_SALT_LEN];
42531+ unsigned char sum[GR_SHA_LEN];
42532+ unsigned char sp_role[GR_SPROLE_LEN];
42533+ struct sprole_pw *sprole_pws;
42534+ dev_t segv_device;
42535+ ino_t segv_inode;
42536+ uid_t segv_uid;
42537+ __u16 num_sprole_pws;
42538+ __u16 mode;
42539+};
42540+
42541+struct gr_arg_wrapper {
42542+ struct gr_arg *arg;
42543+ __u32 version;
42544+ __u32 size;
42545+};
42546+
42547+struct subject_map {
42548+ struct acl_subject_label *user;
42549+ struct acl_subject_label *kernel;
42550+ struct subject_map *prev;
42551+ struct subject_map *next;
42552+};
42553+
42554+struct acl_subj_map_db {
42555+ struct subject_map **s_hash;
42556+ __u32 s_size;
42557+};
42558+
42559+/* End Data Structures Section */
42560+
42561+/* Hash functions generated by empirical testing by Brad Spengler
42562+ Makes good use of the low bits of the inode. Generally 0-1 times
42563+ in loop for successful match. 0-3 for unsuccessful match.
42564+ Shift/add algorithm with modulus of table size and an XOR*/
42565+
42566+static __inline__ unsigned int
42567+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
42568+{
42569+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
42570+}
42571+
42572+ static __inline__ unsigned int
42573+shash(const struct acl_subject_label *userp, const unsigned int sz)
42574+{
42575+ return ((const unsigned long)userp % sz);
42576+}
42577+
42578+static __inline__ unsigned int
42579+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
42580+{
42581+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
42582+}
42583+
42584+static __inline__ unsigned int
42585+nhash(const char *name, const __u16 len, const unsigned int sz)
42586+{
42587+ return full_name_hash((const unsigned char *)name, len) % sz;
42588+}
42589+
42590+#define FOR_EACH_ROLE_START(role) \
42591+ role = role_list; \
42592+ while (role) {
42593+
42594+#define FOR_EACH_ROLE_END(role) \
42595+ role = role->prev; \
42596+ }
42597+
42598+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
42599+ subj = NULL; \
42600+ iter = 0; \
42601+ while (iter < role->subj_hash_size) { \
42602+ if (subj == NULL) \
42603+ subj = role->subj_hash[iter]; \
42604+ if (subj == NULL) { \
42605+ iter++; \
42606+ continue; \
42607+ }
42608+
42609+#define FOR_EACH_SUBJECT_END(subj,iter) \
42610+ subj = subj->next; \
42611+ if (subj == NULL) \
42612+ iter++; \
42613+ }
42614+
42615+
42616+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
42617+ subj = role->hash->first; \
42618+ while (subj != NULL) {
42619+
42620+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
42621+ subj = subj->next; \
42622+ }
42623+
42624+#endif
42625+
42626diff -urNp linux-2.6.32.9/include/linux/gralloc.h linux-2.6.32.9/include/linux/gralloc.h
42627--- linux-2.6.32.9/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
42628+++ linux-2.6.32.9/include/linux/gralloc.h 2010-02-23 17:09:53.311553777 -0500
42629@@ -0,0 +1,9 @@
42630+#ifndef __GRALLOC_H
42631+#define __GRALLOC_H
42632+
42633+void acl_free_all(void);
42634+int acl_alloc_stack_init(unsigned long size);
42635+void *acl_alloc(unsigned long len);
42636+void *acl_alloc_num(unsigned long num, unsigned long len);
42637+
42638+#endif
42639diff -urNp linux-2.6.32.9/include/linux/grdefs.h linux-2.6.32.9/include/linux/grdefs.h
42640--- linux-2.6.32.9/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
42641+++ linux-2.6.32.9/include/linux/grdefs.h 2010-02-23 17:09:53.311553777 -0500
42642@@ -0,0 +1,136 @@
42643+#ifndef GRDEFS_H
42644+#define GRDEFS_H
42645+
42646+/* Begin grsecurity status declarations */
42647+
42648+enum {
42649+ GR_READY = 0x01,
42650+ GR_STATUS_INIT = 0x00 // disabled state
42651+};
42652+
42653+/* Begin ACL declarations */
42654+
42655+/* Role flags */
42656+
42657+enum {
42658+ GR_ROLE_USER = 0x0001,
42659+ GR_ROLE_GROUP = 0x0002,
42660+ GR_ROLE_DEFAULT = 0x0004,
42661+ GR_ROLE_SPECIAL = 0x0008,
42662+ GR_ROLE_AUTH = 0x0010,
42663+ GR_ROLE_NOPW = 0x0020,
42664+ GR_ROLE_GOD = 0x0040,
42665+ GR_ROLE_LEARN = 0x0080,
42666+ GR_ROLE_TPE = 0x0100,
42667+ GR_ROLE_DOMAIN = 0x0200,
42668+ GR_ROLE_PAM = 0x0400
42669+};
42670+
42671+/* ACL Subject and Object mode flags */
42672+enum {
42673+ GR_DELETED = 0x80000000
42674+};
42675+
42676+/* ACL Object-only mode flags */
42677+enum {
42678+ GR_READ = 0x00000001,
42679+ GR_APPEND = 0x00000002,
42680+ GR_WRITE = 0x00000004,
42681+ GR_EXEC = 0x00000008,
42682+ GR_FIND = 0x00000010,
42683+ GR_INHERIT = 0x00000020,
42684+ GR_SETID = 0x00000040,
42685+ GR_CREATE = 0x00000080,
42686+ GR_DELETE = 0x00000100,
42687+ GR_LINK = 0x00000200,
42688+ GR_AUDIT_READ = 0x00000400,
42689+ GR_AUDIT_APPEND = 0x00000800,
42690+ GR_AUDIT_WRITE = 0x00001000,
42691+ GR_AUDIT_EXEC = 0x00002000,
42692+ GR_AUDIT_FIND = 0x00004000,
42693+ GR_AUDIT_INHERIT= 0x00008000,
42694+ GR_AUDIT_SETID = 0x00010000,
42695+ GR_AUDIT_CREATE = 0x00020000,
42696+ GR_AUDIT_DELETE = 0x00040000,
42697+ GR_AUDIT_LINK = 0x00080000,
42698+ GR_PTRACERD = 0x00100000,
42699+ GR_NOPTRACE = 0x00200000,
42700+ GR_SUPPRESS = 0x00400000,
42701+ GR_NOLEARN = 0x00800000
42702+};
42703+
42704+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
42705+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
42706+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
42707+
42708+/* ACL subject-only mode flags */
42709+enum {
42710+ GR_KILL = 0x00000001,
42711+ GR_VIEW = 0x00000002,
42712+ GR_PROTECTED = 0x00000004,
42713+ GR_LEARN = 0x00000008,
42714+ GR_OVERRIDE = 0x00000010,
42715+ /* just a placeholder, this mode is only used in userspace */
42716+ GR_DUMMY = 0x00000020,
42717+ GR_PROTSHM = 0x00000040,
42718+ GR_KILLPROC = 0x00000080,
42719+ GR_KILLIPPROC = 0x00000100,
42720+ /* just a placeholder, this mode is only used in userspace */
42721+ GR_NOTROJAN = 0x00000200,
42722+ GR_PROTPROCFD = 0x00000400,
42723+ GR_PROCACCT = 0x00000800,
42724+ GR_RELAXPTRACE = 0x00001000,
42725+ GR_NESTED = 0x00002000,
42726+ GR_INHERITLEARN = 0x00004000,
42727+ GR_PROCFIND = 0x00008000,
42728+ GR_POVERRIDE = 0x00010000,
42729+ GR_KERNELAUTH = 0x00020000,
42730+};
42731+
42732+enum {
42733+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
42734+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
42735+ GR_PAX_ENABLE_MPROTECT = 0x0004,
42736+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
42737+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
42738+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
42739+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
42740+ GR_PAX_DISABLE_MPROTECT = 0x0400,
42741+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
42742+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
42743+};
42744+
42745+enum {
42746+ GR_ID_USER = 0x01,
42747+ GR_ID_GROUP = 0x02,
42748+};
42749+
42750+enum {
42751+ GR_ID_ALLOW = 0x01,
42752+ GR_ID_DENY = 0x02,
42753+};
42754+
42755+#define GR_CRASH_RES 31
42756+#define GR_UIDTABLE_MAX 500
42757+
42758+/* begin resource learning section */
42759+enum {
42760+ GR_RLIM_CPU_BUMP = 60,
42761+ GR_RLIM_FSIZE_BUMP = 50000,
42762+ GR_RLIM_DATA_BUMP = 10000,
42763+ GR_RLIM_STACK_BUMP = 1000,
42764+ GR_RLIM_CORE_BUMP = 10000,
42765+ GR_RLIM_RSS_BUMP = 500000,
42766+ GR_RLIM_NPROC_BUMP = 1,
42767+ GR_RLIM_NOFILE_BUMP = 5,
42768+ GR_RLIM_MEMLOCK_BUMP = 50000,
42769+ GR_RLIM_AS_BUMP = 500000,
42770+ GR_RLIM_LOCKS_BUMP = 2,
42771+ GR_RLIM_SIGPENDING_BUMP = 5,
42772+ GR_RLIM_MSGQUEUE_BUMP = 10000,
42773+ GR_RLIM_NICE_BUMP = 1,
42774+ GR_RLIM_RTPRIO_BUMP = 1,
42775+ GR_RLIM_RTTIME_BUMP = 1000000
42776+};
42777+
42778+#endif
42779diff -urNp linux-2.6.32.9/include/linux/grinternal.h linux-2.6.32.9/include/linux/grinternal.h
42780--- linux-2.6.32.9/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
42781+++ linux-2.6.32.9/include/linux/grinternal.h 2010-02-23 17:09:53.311553777 -0500
42782@@ -0,0 +1,212 @@
42783+#ifndef __GRINTERNAL_H
42784+#define __GRINTERNAL_H
42785+
42786+#ifdef CONFIG_GRKERNSEC
42787+
42788+#include <linux/fs.h>
42789+#include <linux/mnt_namespace.h>
42790+#include <linux/nsproxy.h>
42791+#include <linux/gracl.h>
42792+#include <linux/grdefs.h>
42793+#include <linux/grmsg.h>
42794+
42795+void gr_add_learn_entry(const char *fmt, ...)
42796+ __attribute__ ((format (printf, 1, 2)));
42797+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
42798+ const struct vfsmount *mnt);
42799+__u32 gr_check_create(const struct dentry *new_dentry,
42800+ const struct dentry *parent,
42801+ const struct vfsmount *mnt, const __u32 mode);
42802+int gr_check_protected_task(const struct task_struct *task);
42803+__u32 to_gr_audit(const __u32 reqmode);
42804+int gr_set_acls(const int type);
42805+
42806+int gr_acl_is_enabled(void);
42807+char gr_roletype_to_char(void);
42808+
42809+void gr_handle_alertkill(struct task_struct *task);
42810+char *gr_to_filename(const struct dentry *dentry,
42811+ const struct vfsmount *mnt);
42812+char *gr_to_filename1(const struct dentry *dentry,
42813+ const struct vfsmount *mnt);
42814+char *gr_to_filename2(const struct dentry *dentry,
42815+ const struct vfsmount *mnt);
42816+char *gr_to_filename3(const struct dentry *dentry,
42817+ const struct vfsmount *mnt);
42818+
42819+extern int grsec_enable_harden_ptrace;
42820+extern int grsec_enable_link;
42821+extern int grsec_enable_fifo;
42822+extern int grsec_enable_execve;
42823+extern int grsec_enable_shm;
42824+extern int grsec_enable_execlog;
42825+extern int grsec_enable_signal;
42826+extern int grsec_enable_forkfail;
42827+extern int grsec_enable_time;
42828+extern int grsec_enable_rofs;
42829+extern int grsec_enable_chroot_shmat;
42830+extern int grsec_enable_chroot_findtask;
42831+extern int grsec_enable_chroot_mount;
42832+extern int grsec_enable_chroot_double;
42833+extern int grsec_enable_chroot_pivot;
42834+extern int grsec_enable_chroot_chdir;
42835+extern int grsec_enable_chroot_chmod;
42836+extern int grsec_enable_chroot_mknod;
42837+extern int grsec_enable_chroot_fchdir;
42838+extern int grsec_enable_chroot_nice;
42839+extern int grsec_enable_chroot_execlog;
42840+extern int grsec_enable_chroot_caps;
42841+extern int grsec_enable_chroot_sysctl;
42842+extern int grsec_enable_chroot_unix;
42843+extern int grsec_enable_tpe;
42844+extern int grsec_tpe_gid;
42845+extern int grsec_enable_tpe_all;
42846+extern int grsec_enable_sidcaps;
42847+extern int grsec_enable_socket_all;
42848+extern int grsec_socket_all_gid;
42849+extern int grsec_enable_socket_client;
42850+extern int grsec_socket_client_gid;
42851+extern int grsec_enable_socket_server;
42852+extern int grsec_socket_server_gid;
42853+extern int grsec_audit_gid;
42854+extern int grsec_enable_group;
42855+extern int grsec_enable_audit_textrel;
42856+extern int grsec_enable_mount;
42857+extern int grsec_enable_chdir;
42858+extern int grsec_resource_logging;
42859+extern int grsec_lock;
42860+
42861+extern spinlock_t grsec_alert_lock;
42862+extern unsigned long grsec_alert_wtime;
42863+extern unsigned long grsec_alert_fyet;
42864+
42865+extern spinlock_t grsec_audit_lock;
42866+
42867+extern rwlock_t grsec_exec_file_lock;
42868+
42869+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
42870+ gr_to_filename2(tsk->exec_file->f_path.dentry, \
42871+ tsk->exec_file->f_vfsmnt) : "/")
42872+
42873+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
42874+ gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
42875+ tsk->parent->exec_file->f_vfsmnt) : "/")
42876+
42877+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
42878+ gr_to_filename(tsk->exec_file->f_path.dentry, \
42879+ tsk->exec_file->f_vfsmnt) : "/")
42880+
42881+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
42882+ gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
42883+ tsk->parent->exec_file->f_vfsmnt) : "/")
42884+
42885+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
42886+ ((init_task.fs->root.dentry != tsk_a->fs->root.dentry) && \
42887+ (tsk_a->nsproxy->mnt_ns->root->mnt_root != \
42888+ tsk_a->fs->root.dentry)))
42889+
42890+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
42891+ (tsk_a->fs->root.dentry == tsk_b->fs->root.dentry))
42892+
42893+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
42894+ task->pid, cred->uid, \
42895+ cred->euid, cred->gid, cred->egid, \
42896+ gr_parent_task_fullpath(task), \
42897+ task->parent->comm, task->parent->pid, \
42898+ pcred->uid, pcred->euid, \
42899+ pcred->gid, pcred->egid
42900+
42901+#define GR_CHROOT_CAPS {{ \
42902+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
42903+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
42904+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
42905+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
42906+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
42907+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
42908+
42909+#define security_learn(normal_msg,args...) \
42910+({ \
42911+ read_lock(&grsec_exec_file_lock); \
42912+ gr_add_learn_entry(normal_msg "\n", ## args); \
42913+ read_unlock(&grsec_exec_file_lock); \
42914+})
42915+
42916+enum {
42917+ GR_DO_AUDIT,
42918+ GR_DONT_AUDIT,
42919+ GR_DONT_AUDIT_GOOD
42920+};
42921+
42922+enum {
42923+ GR_TTYSNIFF,
42924+ GR_RBAC,
42925+ GR_RBAC_STR,
42926+ GR_STR_RBAC,
42927+ GR_RBAC_MODE2,
42928+ GR_RBAC_MODE3,
42929+ GR_FILENAME,
42930+ GR_SYSCTL_HIDDEN,
42931+ GR_NOARGS,
42932+ GR_ONE_INT,
42933+ GR_ONE_INT_TWO_STR,
42934+ GR_ONE_STR,
42935+ GR_STR_INT,
42936+ GR_TWO_INT,
42937+ GR_THREE_INT,
42938+ GR_FIVE_INT_TWO_STR,
42939+ GR_TWO_STR,
42940+ GR_THREE_STR,
42941+ GR_FOUR_STR,
42942+ GR_STR_FILENAME,
42943+ GR_FILENAME_STR,
42944+ GR_FILENAME_TWO_INT,
42945+ GR_FILENAME_TWO_INT_STR,
42946+ GR_TEXTREL,
42947+ GR_PTRACE,
42948+ GR_RESOURCE,
42949+ GR_CAP,
42950+ GR_SIG,
42951+ GR_SIG2,
42952+ GR_CRASH1,
42953+ GR_CRASH2,
42954+ GR_PSACCT
42955+};
42956+
42957+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
42958+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
42959+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
42960+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
42961+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
42962+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
42963+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
42964+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
42965+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
42966+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
42967+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
42968+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
42969+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
42970+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
42971+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
42972+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
42973+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
42974+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
42975+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
42976+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
42977+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
42978+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
42979+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
42980+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
42981+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
42982+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
42983+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
42984+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
42985+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
42986+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
42987+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
42988+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
42989+
42990+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
42991+
42992+#endif
42993+
42994+#endif
42995diff -urNp linux-2.6.32.9/include/linux/grmsg.h linux-2.6.32.9/include/linux/grmsg.h
42996--- linux-2.6.32.9/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
42997+++ linux-2.6.32.9/include/linux/grmsg.h 2010-02-23 17:09:53.311553777 -0500
42998@@ -0,0 +1,107 @@
42999+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
43000+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
43001+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
43002+#define GR_STOPMOD_MSG "denied modification of module state by "
43003+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
43004+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
43005+#define GR_IOPERM_MSG "denied use of ioperm() by "
43006+#define GR_IOPL_MSG "denied use of iopl() by "
43007+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
43008+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
43009+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
43010+#define GR_KMEM_MSG "denied write of /dev/kmem by "
43011+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
43012+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
43013+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
43014+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
43015+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
43016+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
43017+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
43018+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
43019+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
43020+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
43021+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
43022+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
43023+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
43024+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
43025+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
43026+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
43027+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
43028+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
43029+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
43030+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
43031+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
43032+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
43033+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
43034+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
43035+#define GR_NPROC_MSG "denied overstep of process limit by "
43036+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
43037+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
43038+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
43039+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
43040+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
43041+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
43042+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
43043+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
43044+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
43045+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
43046+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
43047+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
43048+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
43049+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
43050+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
43051+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
43052+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
43053+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
43054+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
43055+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
43056+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
43057+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
43058+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
43059+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
43060+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
43061+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
43062+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
43063+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
43064+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
43065+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
43066+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
43067+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
43068+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
43069+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
43070+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
43071+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
43072+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
43073+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
43074+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
43075+#define GR_FAILFORK_MSG "failed fork with errno %d by "
43076+#define GR_NICE_CHROOT_MSG "denied priority change by "
43077+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
43078+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
43079+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
43080+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
43081+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
43082+#define GR_TIME_MSG "time set by "
43083+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
43084+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
43085+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
43086+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
43087+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
43088+#define GR_BIND_MSG "denied bind() by "
43089+#define GR_CONNECT_MSG "denied connect() by "
43090+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
43091+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
43092+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
43093+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
43094+#define GR_CAP_ACL_MSG "use of %s denied for "
43095+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
43096+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
43097+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
43098+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
43099+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
43100+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
43101+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
43102+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
43103+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
43104+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
43105+#define GR_VM86_MSG "denied use of vm86 by "
43106diff -urNp linux-2.6.32.9/include/linux/grsecurity.h linux-2.6.32.9/include/linux/grsecurity.h
43107--- linux-2.6.32.9/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
43108+++ linux-2.6.32.9/include/linux/grsecurity.h 2010-02-23 17:09:53.311553777 -0500
43109@@ -0,0 +1,200 @@
43110+#ifndef GR_SECURITY_H
43111+#define GR_SECURITY_H
43112+#include <linux/fs.h>
43113+#include <linux/fs_struct.h>
43114+#include <linux/binfmts.h>
43115+#include <linux/gracl.h>
43116+
43117+/* notify of brain-dead configs */
43118+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
43119+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
43120+#endif
43121+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43122+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43123+#endif
43124+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43125+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43126+#endif
43127+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
43128+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
43129+#endif
43130+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
43131+#error "CONFIG_PAX enabled, but no PaX options are enabled."
43132+#endif
43133+
43134+void gr_handle_brute_attach(struct task_struct *p);
43135+void gr_handle_brute_check(void);
43136+
43137+char gr_roletype_to_char(void);
43138+
43139+int gr_check_user_change(int real, int effective, int fs);
43140+int gr_check_group_change(int real, int effective, int fs);
43141+
43142+void gr_del_task_from_ip_table(struct task_struct *p);
43143+
43144+int gr_pid_is_chrooted(struct task_struct *p);
43145+int gr_handle_chroot_nice(void);
43146+int gr_handle_chroot_sysctl(const int op);
43147+int gr_handle_chroot_setpriority(struct task_struct *p,
43148+ const int niceval);
43149+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
43150+int gr_handle_chroot_chroot(const struct dentry *dentry,
43151+ const struct vfsmount *mnt);
43152+int gr_handle_chroot_caps(struct path *path);
43153+void gr_handle_chroot_chdir(struct path *path);
43154+int gr_handle_chroot_chmod(const struct dentry *dentry,
43155+ const struct vfsmount *mnt, const int mode);
43156+int gr_handle_chroot_mknod(const struct dentry *dentry,
43157+ const struct vfsmount *mnt, const int mode);
43158+int gr_handle_chroot_mount(const struct dentry *dentry,
43159+ const struct vfsmount *mnt,
43160+ const char *dev_name);
43161+int gr_handle_chroot_pivot(void);
43162+int gr_handle_chroot_unix(const pid_t pid);
43163+
43164+int gr_handle_rawio(const struct inode *inode);
43165+int gr_handle_nproc(void);
43166+
43167+void gr_handle_ioperm(void);
43168+void gr_handle_iopl(void);
43169+
43170+int gr_tpe_allow(const struct file *file);
43171+
43172+int gr_random_pid(void);
43173+
43174+void gr_log_forkfail(const int retval);
43175+void gr_log_timechange(void);
43176+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
43177+void gr_log_chdir(const struct dentry *dentry,
43178+ const struct vfsmount *mnt);
43179+void gr_log_chroot_exec(const struct dentry *dentry,
43180+ const struct vfsmount *mnt);
43181+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
43182+void gr_log_remount(const char *devname, const int retval);
43183+void gr_log_unmount(const char *devname, const int retval);
43184+void gr_log_mount(const char *from, const char *to, const int retval);
43185+void gr_log_textrel(struct vm_area_struct *vma);
43186+
43187+int gr_handle_follow_link(const struct inode *parent,
43188+ const struct inode *inode,
43189+ const struct dentry *dentry,
43190+ const struct vfsmount *mnt);
43191+int gr_handle_fifo(const struct dentry *dentry,
43192+ const struct vfsmount *mnt,
43193+ const struct dentry *dir, const int flag,
43194+ const int acc_mode);
43195+int gr_handle_hardlink(const struct dentry *dentry,
43196+ const struct vfsmount *mnt,
43197+ struct inode *inode,
43198+ const int mode, const char *to);
43199+
43200+int gr_is_capable(const int cap);
43201+int gr_is_capable_nolog(const int cap);
43202+void gr_learn_resource(const struct task_struct *task, const int limit,
43203+ const unsigned long wanted, const int gt);
43204+void gr_copy_label(struct task_struct *tsk);
43205+void gr_handle_crash(struct task_struct *task, const int sig);
43206+int gr_handle_signal(const struct task_struct *p, const int sig);
43207+int gr_check_crash_uid(const uid_t uid);
43208+int gr_check_protected_task(const struct task_struct *task);
43209+int gr_acl_handle_mmap(const struct file *file,
43210+ const unsigned long prot);
43211+int gr_acl_handle_mprotect(const struct file *file,
43212+ const unsigned long prot);
43213+int gr_check_hidden_task(const struct task_struct *tsk);
43214+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
43215+ const struct vfsmount *mnt);
43216+__u32 gr_acl_handle_utime(const struct dentry *dentry,
43217+ const struct vfsmount *mnt);
43218+__u32 gr_acl_handle_access(const struct dentry *dentry,
43219+ const struct vfsmount *mnt, const int fmode);
43220+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
43221+ const struct vfsmount *mnt, mode_t mode);
43222+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
43223+ const struct vfsmount *mnt, mode_t mode);
43224+__u32 gr_acl_handle_chown(const struct dentry *dentry,
43225+ const struct vfsmount *mnt);
43226+int gr_handle_ptrace(struct task_struct *task, const long request);
43227+int gr_handle_proc_ptrace(struct task_struct *task);
43228+__u32 gr_acl_handle_execve(const struct dentry *dentry,
43229+ const struct vfsmount *mnt);
43230+int gr_check_crash_exec(const struct file *filp);
43231+int gr_acl_is_enabled(void);
43232+void gr_set_kernel_label(struct task_struct *task);
43233+void gr_set_role_label(struct task_struct *task, const uid_t uid,
43234+ const gid_t gid);
43235+int gr_set_proc_label(const struct dentry *dentry,
43236+ const struct vfsmount *mnt,
43237+ const int unsafe_share);
43238+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
43239+ const struct vfsmount *mnt);
43240+__u32 gr_acl_handle_open(const struct dentry *dentry,
43241+ const struct vfsmount *mnt, const int fmode);
43242+__u32 gr_acl_handle_creat(const struct dentry *dentry,
43243+ const struct dentry *p_dentry,
43244+ const struct vfsmount *p_mnt, const int fmode,
43245+ const int imode);
43246+void gr_handle_create(const struct dentry *dentry,
43247+ const struct vfsmount *mnt);
43248+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
43249+ const struct dentry *parent_dentry,
43250+ const struct vfsmount *parent_mnt,
43251+ const int mode);
43252+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
43253+ const struct dentry *parent_dentry,
43254+ const struct vfsmount *parent_mnt);
43255+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
43256+ const struct vfsmount *mnt);
43257+void gr_handle_delete(const ino_t ino, const dev_t dev);
43258+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
43259+ const struct vfsmount *mnt);
43260+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
43261+ const struct dentry *parent_dentry,
43262+ const struct vfsmount *parent_mnt,
43263+ const char *from);
43264+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
43265+ const struct dentry *parent_dentry,
43266+ const struct vfsmount *parent_mnt,
43267+ const struct dentry *old_dentry,
43268+ const struct vfsmount *old_mnt, const char *to);
43269+int gr_acl_handle_rename(struct dentry *new_dentry,
43270+ struct dentry *parent_dentry,
43271+ const struct vfsmount *parent_mnt,
43272+ struct dentry *old_dentry,
43273+ struct inode *old_parent_inode,
43274+ struct vfsmount *old_mnt, const char *newname);
43275+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
43276+ struct dentry *old_dentry,
43277+ struct dentry *new_dentry,
43278+ struct vfsmount *mnt, const __u8 replace);
43279+__u32 gr_check_link(const struct dentry *new_dentry,
43280+ const struct dentry *parent_dentry,
43281+ const struct vfsmount *parent_mnt,
43282+ const struct dentry *old_dentry,
43283+ const struct vfsmount *old_mnt);
43284+int gr_acl_handle_filldir(const struct file *file, const char *name,
43285+ const unsigned int namelen, const ino_t ino);
43286+
43287+__u32 gr_acl_handle_unix(const struct dentry *dentry,
43288+ const struct vfsmount *mnt);
43289+void gr_acl_handle_exit(void);
43290+void gr_acl_handle_psacct(struct task_struct *task, const long code);
43291+int gr_acl_handle_procpidmem(const struct task_struct *task);
43292+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
43293+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
43294+
43295+#ifdef CONFIG_GRKERNSEC
43296+void gr_log_nonroot_mod_load(const char *modname);
43297+void gr_handle_vm86(void);
43298+void gr_handle_mem_write(void);
43299+void gr_handle_kmem_write(void);
43300+void gr_handle_open_port(void);
43301+int gr_handle_mem_mmap(const unsigned long offset,
43302+ struct vm_area_struct *vma);
43303+
43304+extern int grsec_enable_dmesg;
43305+extern int grsec_enable_randsrc;
43306+extern int grsec_enable_shm;
43307+#endif
43308+
43309+#endif
43310diff -urNp linux-2.6.32.9/include/linux/hdpu_features.h linux-2.6.32.9/include/linux/hdpu_features.h
43311--- linux-2.6.32.9/include/linux/hdpu_features.h 2010-02-09 07:57:19.000000000 -0500
43312+++ linux-2.6.32.9/include/linux/hdpu_features.h 2010-02-23 17:09:53.311553777 -0500
43313@@ -3,7 +3,7 @@
43314 struct cpustate_t {
43315 spinlock_t lock;
43316 int excl;
43317- int open_count;
43318+ atomic_t open_count;
43319 unsigned char cached_val;
43320 int inited;
43321 unsigned long *set_addr;
43322diff -urNp linux-2.6.32.9/include/linux/highmem.h linux-2.6.32.9/include/linux/highmem.h
43323--- linux-2.6.32.9/include/linux/highmem.h 2010-02-09 07:57:19.000000000 -0500
43324+++ linux-2.6.32.9/include/linux/highmem.h 2010-02-23 17:09:53.311553777 -0500
43325@@ -137,6 +137,18 @@ static inline void clear_highpage(struct
43326 kunmap_atomic(kaddr, KM_USER0);
43327 }
43328
43329+static inline void sanitize_highpage(struct page *page)
43330+{
43331+ void *kaddr;
43332+ unsigned long flags;
43333+
43334+ local_irq_save(flags);
43335+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
43336+ clear_page(kaddr);
43337+ kunmap_atomic(kaddr, KM_CLEARPAGE);
43338+ local_irq_restore(flags);
43339+}
43340+
43341 static inline void zero_user_segments(struct page *page,
43342 unsigned start1, unsigned end1,
43343 unsigned start2, unsigned end2)
43344diff -urNp linux-2.6.32.9/include/linux/init_task.h linux-2.6.32.9/include/linux/init_task.h
43345--- linux-2.6.32.9/include/linux/init_task.h 2010-02-09 07:57:19.000000000 -0500
43346+++ linux-2.6.32.9/include/linux/init_task.h 2010-02-23 17:09:53.311553777 -0500
43347@@ -115,6 +115,13 @@ extern struct cred init_cred;
43348 # define INIT_PERF_EVENTS(tsk)
43349 #endif
43350
43351+#ifdef CONFIG_GRKERNSEC
43352+# define INIT_GR_FS_LOCK \
43353+ .gr_fs_lock = __RW_LOCK_UNLOCKED(gr_fs_lock),
43354+#else
43355+# define INIT_GR_FS_LOCK
43356+#endif
43357+
43358 /*
43359 * INIT_TASK is used to set up the first task table, touch at
43360 * your own risk!. Base=0, limit=0x1fffff (=2MB)
43361@@ -184,6 +191,7 @@ extern struct cred init_cred;
43362 INIT_FTRACE_GRAPH \
43363 INIT_TRACE_RECURSION \
43364 INIT_TASK_RCU_PREEMPT(tsk) \
43365+ INIT_GR_FS_LOCK \
43366 }
43367
43368
43369diff -urNp linux-2.6.32.9/include/linux/interrupt.h linux-2.6.32.9/include/linux/interrupt.h
43370--- linux-2.6.32.9/include/linux/interrupt.h 2010-02-09 07:57:19.000000000 -0500
43371+++ linux-2.6.32.9/include/linux/interrupt.h 2010-02-23 17:09:53.311553777 -0500
43372@@ -357,7 +357,7 @@ enum
43373 /* map softirq index to softirq name. update 'softirq_to_name' in
43374 * kernel/softirq.c when adding a new softirq.
43375 */
43376-extern char *softirq_to_name[NR_SOFTIRQS];
43377+extern const char * const softirq_to_name[NR_SOFTIRQS];
43378
43379 /* softirq mask and active fields moved to irq_cpustat_t in
43380 * asm/hardirq.h to get better cache usage. KAO
43381@@ -365,12 +365,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
43382
43383 struct softirq_action
43384 {
43385- void (*action)(struct softirq_action *);
43386+ void (*action)(void);
43387 };
43388
43389 asmlinkage void do_softirq(void);
43390 asmlinkage void __do_softirq(void);
43391-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
43392+extern void open_softirq(int nr, void (*action)(void));
43393 extern void softirq_init(void);
43394 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
43395 extern void raise_softirq_irqoff(unsigned int nr);
43396diff -urNp linux-2.6.32.9/include/linux/jbd2.h linux-2.6.32.9/include/linux/jbd2.h
43397--- linux-2.6.32.9/include/linux/jbd2.h 2010-02-09 07:57:19.000000000 -0500
43398+++ linux-2.6.32.9/include/linux/jbd2.h 2010-02-23 17:09:53.311553777 -0500
43399@@ -66,7 +66,7 @@ extern u8 jbd2_journal_enable_debug;
43400 } \
43401 } while (0)
43402 #else
43403-#define jbd_debug(f, a...) /**/
43404+#define jbd_debug(f, a...) do {} while (0)
43405 #endif
43406
43407 static inline void *jbd2_alloc(size_t size, gfp_t flags)
43408diff -urNp linux-2.6.32.9/include/linux/jbd.h linux-2.6.32.9/include/linux/jbd.h
43409--- linux-2.6.32.9/include/linux/jbd.h 2010-02-09 07:57:19.000000000 -0500
43410+++ linux-2.6.32.9/include/linux/jbd.h 2010-02-23 17:09:53.311553777 -0500
43411@@ -66,7 +66,7 @@ extern u8 journal_enable_debug;
43412 } \
43413 } while (0)
43414 #else
43415-#define jbd_debug(f, a...) /**/
43416+#define jbd_debug(f, a...) do {} while (0)
43417 #endif
43418
43419 static inline void *jbd_alloc(size_t size, gfp_t flags)
43420diff -urNp linux-2.6.32.9/include/linux/kallsyms.h linux-2.6.32.9/include/linux/kallsyms.h
43421--- linux-2.6.32.9/include/linux/kallsyms.h 2010-02-09 07:57:19.000000000 -0500
43422+++ linux-2.6.32.9/include/linux/kallsyms.h 2010-02-23 17:09:53.316454635 -0500
43423@@ -15,7 +15,8 @@
43424
43425 struct module;
43426
43427-#ifdef CONFIG_KALLSYMS
43428+#ifndef __INCLUDED_BY_HIDESYM
43429+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
43430 /* Lookup the address for a symbol. Returns 0 if not found. */
43431 unsigned long kallsyms_lookup_name(const char *name);
43432
43433@@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
43434 /* Stupid that this does nothing, but I didn't create this mess. */
43435 #define __print_symbol(fmt, addr)
43436 #endif /*CONFIG_KALLSYMS*/
43437+#else /* when included by kallsyms.c, with HIDESYM enabled */
43438+extern void __print_symbol(const char *fmt, unsigned long address);
43439+#endif
43440
43441 /* This macro allows us to keep printk typechecking */
43442 static void __check_printsym_format(const char *fmt, ...)
43443diff -urNp linux-2.6.32.9/include/linux/kgdb.h linux-2.6.32.9/include/linux/kgdb.h
43444--- linux-2.6.32.9/include/linux/kgdb.h 2010-02-09 07:57:19.000000000 -0500
43445+++ linux-2.6.32.9/include/linux/kgdb.h 2010-02-23 17:09:53.316454635 -0500
43446@@ -251,20 +251,20 @@ struct kgdb_arch {
43447 */
43448 struct kgdb_io {
43449 const char *name;
43450- int (*read_char) (void);
43451- void (*write_char) (u8);
43452- void (*flush) (void);
43453- int (*init) (void);
43454- void (*pre_exception) (void);
43455- void (*post_exception) (void);
43456+ int (* const read_char) (void);
43457+ void (* const write_char) (u8);
43458+ void (* const flush) (void);
43459+ int (* const init) (void);
43460+ void (* const pre_exception) (void);
43461+ void (* const post_exception) (void);
43462 };
43463
43464-extern struct kgdb_arch arch_kgdb_ops;
43465+extern const struct kgdb_arch arch_kgdb_ops;
43466
43467 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
43468
43469-extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
43470-extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
43471+extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
43472+extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
43473
43474 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
43475 extern int kgdb_mem2hex(char *mem, char *buf, int count);
43476diff -urNp linux-2.6.32.9/include/linux/kobject.h linux-2.6.32.9/include/linux/kobject.h
43477--- linux-2.6.32.9/include/linux/kobject.h 2010-02-09 07:57:19.000000000 -0500
43478+++ linux-2.6.32.9/include/linux/kobject.h 2010-02-23 17:09:53.316454635 -0500
43479@@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
43480
43481 struct kobj_type {
43482 void (*release)(struct kobject *kobj);
43483- struct sysfs_ops *sysfs_ops;
43484+ const struct sysfs_ops *sysfs_ops;
43485 struct attribute **default_attrs;
43486 };
43487
43488@@ -118,9 +118,9 @@ struct kobj_uevent_env {
43489 };
43490
43491 struct kset_uevent_ops {
43492- int (*filter)(struct kset *kset, struct kobject *kobj);
43493- const char *(*name)(struct kset *kset, struct kobject *kobj);
43494- int (*uevent)(struct kset *kset, struct kobject *kobj,
43495+ int (* const filter)(struct kset *kset, struct kobject *kobj);
43496+ const char *(* const name)(struct kset *kset, struct kobject *kobj);
43497+ int (* const uevent)(struct kset *kset, struct kobject *kobj,
43498 struct kobj_uevent_env *env);
43499 };
43500
43501@@ -132,7 +132,7 @@ struct kobj_attribute {
43502 const char *buf, size_t count);
43503 };
43504
43505-extern struct sysfs_ops kobj_sysfs_ops;
43506+extern const struct sysfs_ops kobj_sysfs_ops;
43507
43508 /**
43509 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
43510@@ -155,14 +155,14 @@ struct kset {
43511 struct list_head list;
43512 spinlock_t list_lock;
43513 struct kobject kobj;
43514- struct kset_uevent_ops *uevent_ops;
43515+ const struct kset_uevent_ops *uevent_ops;
43516 };
43517
43518 extern void kset_init(struct kset *kset);
43519 extern int __must_check kset_register(struct kset *kset);
43520 extern void kset_unregister(struct kset *kset);
43521 extern struct kset * __must_check kset_create_and_add(const char *name,
43522- struct kset_uevent_ops *u,
43523+ const struct kset_uevent_ops *u,
43524 struct kobject *parent_kobj);
43525
43526 static inline struct kset *to_kset(struct kobject *kobj)
43527diff -urNp linux-2.6.32.9/include/linux/kvm_host.h linux-2.6.32.9/include/linux/kvm_host.h
43528--- linux-2.6.32.9/include/linux/kvm_host.h 2010-02-09 07:57:19.000000000 -0500
43529+++ linux-2.6.32.9/include/linux/kvm_host.h 2010-02-23 17:09:53.316454635 -0500
43530@@ -205,7 +205,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
43531 void vcpu_load(struct kvm_vcpu *vcpu);
43532 void vcpu_put(struct kvm_vcpu *vcpu);
43533
43534-int kvm_init(void *opaque, unsigned int vcpu_size,
43535+int kvm_init(const void *opaque, unsigned int vcpu_size,
43536 struct module *module);
43537 void kvm_exit(void);
43538
43539@@ -311,7 +311,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
43540 struct kvm_guest_debug *dbg);
43541 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
43542
43543-int kvm_arch_init(void *opaque);
43544+int kvm_arch_init(const void *opaque);
43545 void kvm_arch_exit(void);
43546
43547 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
43548diff -urNp linux-2.6.32.9/include/linux/libata.h linux-2.6.32.9/include/linux/libata.h
43549--- linux-2.6.32.9/include/linux/libata.h 2010-02-09 07:57:19.000000000 -0500
43550+++ linux-2.6.32.9/include/linux/libata.h 2010-02-23 17:09:53.316454635 -0500
43551@@ -64,11 +64,11 @@
43552 #ifdef ATA_VERBOSE_DEBUG
43553 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43554 #else
43555-#define VPRINTK(fmt, args...)
43556+#define VPRINTK(fmt, args...) do {} while (0)
43557 #endif /* ATA_VERBOSE_DEBUG */
43558 #else
43559-#define DPRINTK(fmt, args...)
43560-#define VPRINTK(fmt, args...)
43561+#define DPRINTK(fmt, args...) do {} while (0)
43562+#define VPRINTK(fmt, args...) do {} while (0)
43563 #endif /* ATA_DEBUG */
43564
43565 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43566@@ -524,11 +524,11 @@ struct ata_ioports {
43567
43568 struct ata_host {
43569 spinlock_t lock;
43570- struct device *dev;
43571+ struct device *dev;
43572 void __iomem * const *iomap;
43573 unsigned int n_ports;
43574 void *private_data;
43575- struct ata_port_operations *ops;
43576+ const struct ata_port_operations *ops;
43577 unsigned long flags;
43578 #ifdef CONFIG_ATA_ACPI
43579 acpi_handle acpi_handle;
43580@@ -709,7 +709,7 @@ struct ata_link {
43581
43582 struct ata_port {
43583 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
43584- struct ata_port_operations *ops;
43585+ const struct ata_port_operations *ops;
43586 spinlock_t *lock;
43587 /* Flags owned by the EH context. Only EH should touch these once the
43588 port is active */
43589@@ -891,7 +891,7 @@ struct ata_port_info {
43590 unsigned long pio_mask;
43591 unsigned long mwdma_mask;
43592 unsigned long udma_mask;
43593- struct ata_port_operations *port_ops;
43594+ const struct ata_port_operations *port_ops;
43595 void *private_data;
43596 };
43597
43598@@ -915,7 +915,7 @@ extern const unsigned long sata_deb_timi
43599 extern const unsigned long sata_deb_timing_hotplug[];
43600 extern const unsigned long sata_deb_timing_long[];
43601
43602-extern struct ata_port_operations ata_dummy_port_ops;
43603+extern const struct ata_port_operations ata_dummy_port_ops;
43604 extern const struct ata_port_info ata_dummy_port_info;
43605
43606 static inline const unsigned long *
43607@@ -961,7 +961,7 @@ extern int ata_host_activate(struct ata_
43608 struct scsi_host_template *sht);
43609 extern void ata_host_detach(struct ata_host *host);
43610 extern void ata_host_init(struct ata_host *, struct device *,
43611- unsigned long, struct ata_port_operations *);
43612+ unsigned long, const struct ata_port_operations *);
43613 extern int ata_scsi_detect(struct scsi_host_template *sht);
43614 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
43615 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
43616diff -urNp linux-2.6.32.9/include/linux/lockd/bind.h linux-2.6.32.9/include/linux/lockd/bind.h
43617--- linux-2.6.32.9/include/linux/lockd/bind.h 2010-02-09 07:57:19.000000000 -0500
43618+++ linux-2.6.32.9/include/linux/lockd/bind.h 2010-02-23 17:09:53.316454635 -0500
43619@@ -23,13 +23,13 @@ struct svc_rqst;
43620 * This is the set of functions for lockd->nfsd communication
43621 */
43622 struct nlmsvc_binding {
43623- __be32 (*fopen)(struct svc_rqst *,
43624+ __be32 (* const fopen)(struct svc_rqst *,
43625 struct nfs_fh *,
43626 struct file **);
43627- void (*fclose)(struct file *);
43628+ void (* const fclose)(struct file *);
43629 };
43630
43631-extern struct nlmsvc_binding * nlmsvc_ops;
43632+extern const struct nlmsvc_binding * nlmsvc_ops;
43633
43634 /*
43635 * Similar to nfs_client_initdata, but without the NFS-specific
43636diff -urNp linux-2.6.32.9/include/linux/mm.h linux-2.6.32.9/include/linux/mm.h
43637--- linux-2.6.32.9/include/linux/mm.h 2010-02-09 07:57:19.000000000 -0500
43638+++ linux-2.6.32.9/include/linux/mm.h 2010-02-23 17:09:53.316454635 -0500
43639@@ -106,6 +106,10 @@ extern unsigned int kobjsize(const void
43640 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
43641 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
43642
43643+#ifdef CONFIG_PAX_PAGEEXEC
43644+#define VM_PAGEEXEC 0x80000000 /* vma->vm_page_prot needs special handling */
43645+#endif
43646+
43647 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
43648 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
43649 #endif
43650@@ -880,6 +884,8 @@ struct shrinker {
43651 extern void register_shrinker(struct shrinker *);
43652 extern void unregister_shrinker(struct shrinker *);
43653
43654+pgprot_t vm_get_page_prot(unsigned long vm_flags);
43655+
43656 int vma_wants_writenotify(struct vm_area_struct *vma);
43657
43658 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
43659@@ -1152,6 +1158,7 @@ out:
43660 }
43661
43662 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
43663+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
43664
43665 extern unsigned long do_brk(unsigned long, unsigned long);
43666
43667@@ -1206,6 +1213,10 @@ extern struct vm_area_struct * find_vma(
43668 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
43669 struct vm_area_struct **pprev);
43670
43671+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
43672+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
43673+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
43674+
43675 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
43676 NULL if none. Assume start_addr < end_addr. */
43677 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
43678@@ -1222,7 +1233,6 @@ static inline unsigned long vma_pages(st
43679 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
43680 }
43681
43682-pgprot_t vm_get_page_prot(unsigned long vm_flags);
43683 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
43684 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
43685 unsigned long pfn, unsigned long size, pgprot_t);
43686@@ -1320,7 +1330,13 @@ extern void memory_failure(unsigned long
43687 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
43688 extern int sysctl_memory_failure_early_kill;
43689 extern int sysctl_memory_failure_recovery;
43690-extern atomic_long_t mce_bad_pages;
43691+extern atomic_long_unchecked_t mce_bad_pages;
43692+
43693+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43694+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
43695+#else
43696+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
43697+#endif
43698
43699 #endif /* __KERNEL__ */
43700 #endif /* _LINUX_MM_H */
43701diff -urNp linux-2.6.32.9/include/linux/mm_types.h linux-2.6.32.9/include/linux/mm_types.h
43702--- linux-2.6.32.9/include/linux/mm_types.h 2010-02-09 07:57:19.000000000 -0500
43703+++ linux-2.6.32.9/include/linux/mm_types.h 2010-02-23 17:09:53.316454635 -0500
43704@@ -186,6 +186,8 @@ struct vm_area_struct {
43705 #ifdef CONFIG_NUMA
43706 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
43707 #endif
43708+
43709+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
43710 };
43711
43712 struct core_thread {
43713@@ -287,6 +289,24 @@ struct mm_struct {
43714 #ifdef CONFIG_MMU_NOTIFIER
43715 struct mmu_notifier_mm *mmu_notifier_mm;
43716 #endif
43717+
43718+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43719+ unsigned long pax_flags;
43720+#endif
43721+
43722+#ifdef CONFIG_PAX_DLRESOLVE
43723+ unsigned long call_dl_resolve;
43724+#endif
43725+
43726+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43727+ unsigned long call_syscall;
43728+#endif
43729+
43730+#ifdef CONFIG_PAX_ASLR
43731+ unsigned long delta_mmap; /* randomized offset */
43732+ unsigned long delta_stack; /* randomized offset */
43733+#endif
43734+
43735 };
43736
43737 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
43738diff -urNp linux-2.6.32.9/include/linux/mmu_notifier.h linux-2.6.32.9/include/linux/mmu_notifier.h
43739--- linux-2.6.32.9/include/linux/mmu_notifier.h 2010-02-09 07:57:19.000000000 -0500
43740+++ linux-2.6.32.9/include/linux/mmu_notifier.h 2010-02-23 17:09:53.316454635 -0500
43741@@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
43742 */
43743 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
43744 ({ \
43745- pte_t __pte; \
43746+ pte_t ___pte; \
43747 struct vm_area_struct *___vma = __vma; \
43748 unsigned long ___address = __address; \
43749- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
43750+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
43751 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
43752- __pte; \
43753+ ___pte; \
43754 })
43755
43756 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
43757diff -urNp linux-2.6.32.9/include/linux/mod_devicetable.h linux-2.6.32.9/include/linux/mod_devicetable.h
43758--- linux-2.6.32.9/include/linux/mod_devicetable.h 2010-02-09 07:57:19.000000000 -0500
43759+++ linux-2.6.32.9/include/linux/mod_devicetable.h 2010-02-23 17:09:53.316454635 -0500
43760@@ -12,7 +12,7 @@
43761 typedef unsigned long kernel_ulong_t;
43762 #endif
43763
43764-#define PCI_ANY_ID (~0)
43765+#define PCI_ANY_ID ((__u16)~0)
43766
43767 struct pci_device_id {
43768 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
43769@@ -131,7 +131,7 @@ struct usb_device_id {
43770 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
43771 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
43772
43773-#define HID_ANY_ID (~0)
43774+#define HID_ANY_ID (~0U)
43775
43776 struct hid_device_id {
43777 __u16 bus;
43778diff -urNp linux-2.6.32.9/include/linux/module.h linux-2.6.32.9/include/linux/module.h
43779--- linux-2.6.32.9/include/linux/module.h 2010-02-09 07:57:19.000000000 -0500
43780+++ linux-2.6.32.9/include/linux/module.h 2010-02-23 17:09:53.316454635 -0500
43781@@ -287,16 +287,16 @@ struct module
43782 int (*init)(void);
43783
43784 /* If this is non-NULL, vfree after init() returns */
43785- void *module_init;
43786+ void *module_init_rx, *module_init_rw;
43787
43788 /* Here is the actual code + data, vfree'd on unload. */
43789- void *module_core;
43790+ void *module_core_rx, *module_core_rw;
43791
43792 /* Here are the sizes of the init and core sections */
43793- unsigned int init_size, core_size;
43794+ unsigned int init_size_rw, core_size_rw;
43795
43796 /* The size of the executable code in each section. */
43797- unsigned int init_text_size, core_text_size;
43798+ unsigned int init_size_rx, core_size_rx;
43799
43800 /* Arch-specific module values */
43801 struct mod_arch_specific arch;
43802@@ -393,16 +393,46 @@ struct module *__module_address(unsigned
43803 bool is_module_address(unsigned long addr);
43804 bool is_module_text_address(unsigned long addr);
43805
43806+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
43807+{
43808+
43809+#ifdef CONFIG_PAX_KERNEXEC
43810+ if (ktla_ktva(addr) >= (unsigned long)start &&
43811+ ktla_ktva(addr) < (unsigned long)start + size)
43812+ return 1;
43813+#endif
43814+
43815+ return ((void *)addr >= start && (void *)addr < start + size);
43816+}
43817+
43818+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
43819+{
43820+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
43821+}
43822+
43823+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
43824+{
43825+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
43826+}
43827+
43828+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
43829+{
43830+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
43831+}
43832+
43833+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
43834+{
43835+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
43836+}
43837+
43838 static inline int within_module_core(unsigned long addr, struct module *mod)
43839 {
43840- return (unsigned long)mod->module_core <= addr &&
43841- addr < (unsigned long)mod->module_core + mod->core_size;
43842+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
43843 }
43844
43845 static inline int within_module_init(unsigned long addr, struct module *mod)
43846 {
43847- return (unsigned long)mod->module_init <= addr &&
43848- addr < (unsigned long)mod->module_init + mod->init_size;
43849+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
43850 }
43851
43852 /* Search for module by name: must hold module_mutex. */
43853diff -urNp linux-2.6.32.9/include/linux/moduleloader.h linux-2.6.32.9/include/linux/moduleloader.h
43854--- linux-2.6.32.9/include/linux/moduleloader.h 2010-02-09 07:57:19.000000000 -0500
43855+++ linux-2.6.32.9/include/linux/moduleloader.h 2010-02-23 17:09:53.316454635 -0500
43856@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
43857 sections. Returns NULL on failure. */
43858 void *module_alloc(unsigned long size);
43859
43860+#ifdef CONFIG_PAX_KERNEXEC
43861+void *module_alloc_exec(unsigned long size);
43862+#else
43863+#define module_alloc_exec(x) module_alloc(x)
43864+#endif
43865+
43866 /* Free memory returned from module_alloc. */
43867 void module_free(struct module *mod, void *module_region);
43868
43869+#ifdef CONFIG_PAX_KERNEXEC
43870+void module_free_exec(struct module *mod, void *module_region);
43871+#else
43872+#define module_free_exec(x, y) module_free((x), (y))
43873+#endif
43874+
43875 /* Apply the given relocation to the (simplified) ELF. Return -error
43876 or 0. */
43877 int apply_relocate(Elf_Shdr *sechdrs,
43878diff -urNp linux-2.6.32.9/include/linux/namei.h linux-2.6.32.9/include/linux/namei.h
43879--- linux-2.6.32.9/include/linux/namei.h 2010-02-09 07:57:19.000000000 -0500
43880+++ linux-2.6.32.9/include/linux/namei.h 2010-02-23 17:09:53.316454635 -0500
43881@@ -22,7 +22,7 @@ struct nameidata {
43882 unsigned int flags;
43883 int last_type;
43884 unsigned depth;
43885- char *saved_names[MAX_NESTED_LINKS + 1];
43886+ const char *saved_names[MAX_NESTED_LINKS + 1];
43887
43888 /* Intent data */
43889 union {
43890@@ -84,12 +84,12 @@ extern int follow_up(struct path *);
43891 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
43892 extern void unlock_rename(struct dentry *, struct dentry *);
43893
43894-static inline void nd_set_link(struct nameidata *nd, char *path)
43895+static inline void nd_set_link(struct nameidata *nd, const char *path)
43896 {
43897 nd->saved_names[nd->depth] = path;
43898 }
43899
43900-static inline char *nd_get_link(struct nameidata *nd)
43901+static inline const char *nd_get_link(const struct nameidata *nd)
43902 {
43903 return nd->saved_names[nd->depth];
43904 }
43905diff -urNp linux-2.6.32.9/include/linux/nodemask.h linux-2.6.32.9/include/linux/nodemask.h
43906--- linux-2.6.32.9/include/linux/nodemask.h 2010-02-09 07:57:19.000000000 -0500
43907+++ linux-2.6.32.9/include/linux/nodemask.h 2010-02-23 17:09:53.316454635 -0500
43908@@ -464,11 +464,11 @@ static inline int num_node_state(enum no
43909
43910 #define any_online_node(mask) \
43911 ({ \
43912- int node; \
43913- for_each_node_mask(node, (mask)) \
43914- if (node_online(node)) \
43915+ int __node; \
43916+ for_each_node_mask(__node, (mask)) \
43917+ if (node_online(__node)) \
43918 break; \
43919- node; \
43920+ __node; \
43921 })
43922
43923 #define num_online_nodes() num_node_state(N_ONLINE)
43924diff -urNp linux-2.6.32.9/include/linux/oprofile.h linux-2.6.32.9/include/linux/oprofile.h
43925--- linux-2.6.32.9/include/linux/oprofile.h 2010-02-09 07:57:19.000000000 -0500
43926+++ linux-2.6.32.9/include/linux/oprofile.h 2010-02-23 17:09:53.316454635 -0500
43927@@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
43928 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
43929 char const * name, ulong * val);
43930
43931-/** Create a file for read-only access to an atomic_t. */
43932+/** Create a file for read-only access to an atomic_unchecked_t. */
43933 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
43934- char const * name, atomic_t * val);
43935+ char const * name, atomic_unchecked_t * val);
43936
43937 /** create a directory */
43938 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
43939diff -urNp linux-2.6.32.9/include/linux/pipe_fs_i.h linux-2.6.32.9/include/linux/pipe_fs_i.h
43940--- linux-2.6.32.9/include/linux/pipe_fs_i.h 2010-02-09 07:57:19.000000000 -0500
43941+++ linux-2.6.32.9/include/linux/pipe_fs_i.h 2010-02-23 17:09:53.316454635 -0500
43942@@ -46,9 +46,9 @@ struct pipe_inode_info {
43943 wait_queue_head_t wait;
43944 unsigned int nrbufs, curbuf;
43945 struct page *tmp_page;
43946- unsigned int readers;
43947- unsigned int writers;
43948- unsigned int waiting_writers;
43949+ atomic_t readers;
43950+ atomic_t writers;
43951+ atomic_t waiting_writers;
43952 unsigned int r_counter;
43953 unsigned int w_counter;
43954 struct fasync_struct *fasync_readers;
43955diff -urNp linux-2.6.32.9/include/linux/poison.h linux-2.6.32.9/include/linux/poison.h
43956--- linux-2.6.32.9/include/linux/poison.h 2010-02-09 07:57:19.000000000 -0500
43957+++ linux-2.6.32.9/include/linux/poison.h 2010-02-23 17:09:53.316454635 -0500
43958@@ -7,8 +7,8 @@
43959 * under normal circumstances, used to verify that nobody uses
43960 * non-initialized list entries.
43961 */
43962-#define LIST_POISON1 ((void *) 0x00100100)
43963-#define LIST_POISON2 ((void *) 0x00200200)
43964+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
43965+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
43966
43967 /********** include/linux/timer.h **********/
43968 /*
43969diff -urNp linux-2.6.32.9/include/linux/proc_fs.h linux-2.6.32.9/include/linux/proc_fs.h
43970--- linux-2.6.32.9/include/linux/proc_fs.h 2010-02-09 07:57:19.000000000 -0500
43971+++ linux-2.6.32.9/include/linux/proc_fs.h 2010-02-23 17:09:53.316454635 -0500
43972@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
43973 return proc_create_data(name, mode, parent, proc_fops, NULL);
43974 }
43975
43976+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
43977+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
43978+{
43979+#ifdef CONFIG_GRKERNSEC_PROC_USER
43980+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
43981+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
43982+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
43983+#else
43984+ return proc_create_data(name, mode, parent, proc_fops, NULL);
43985+#endif
43986+}
43987+
43988+
43989 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
43990 mode_t mode, struct proc_dir_entry *base,
43991 read_proc_t *read_proc, void * data)
43992diff -urNp linux-2.6.32.9/include/linux/random.h linux-2.6.32.9/include/linux/random.h
43993--- linux-2.6.32.9/include/linux/random.h 2010-02-09 07:57:19.000000000 -0500
43994+++ linux-2.6.32.9/include/linux/random.h 2010-02-23 17:09:53.316454635 -0500
43995@@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
43996 u32 random32(void);
43997 void srandom32(u32 seed);
43998
43999+static inline unsigned long pax_get_random_long(void)
44000+{
44001+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
44002+}
44003+
44004 #endif /* __KERNEL___ */
44005
44006 #endif /* _LINUX_RANDOM_H */
44007diff -urNp linux-2.6.32.9/include/linux/reiserfs_fs.h linux-2.6.32.9/include/linux/reiserfs_fs.h
44008--- linux-2.6.32.9/include/linux/reiserfs_fs.h 2010-02-09 07:57:19.000000000 -0500
44009+++ linux-2.6.32.9/include/linux/reiserfs_fs.h 2010-02-23 17:09:53.316454635 -0500
44010@@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
44011 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
44012
44013 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
44014-#define get_generation(s) atomic_read (&fs_generation(s))
44015+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
44016 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
44017 #define __fs_changed(gen,s) (gen != get_generation (s))
44018 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
44019@@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
44020 */
44021
44022 struct item_operations {
44023- int (*bytes_number) (struct item_head * ih, int block_size);
44024- void (*decrement_key) (struct cpu_key *);
44025- int (*is_left_mergeable) (struct reiserfs_key * ih,
44026+ int (* const bytes_number) (struct item_head * ih, int block_size);
44027+ void (* const decrement_key) (struct cpu_key *);
44028+ int (* const is_left_mergeable) (struct reiserfs_key * ih,
44029 unsigned long bsize);
44030- void (*print_item) (struct item_head *, char *item);
44031- void (*check_item) (struct item_head *, char *item);
44032+ void (* const print_item) (struct item_head *, char *item);
44033+ void (* const check_item) (struct item_head *, char *item);
44034
44035- int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44036+ int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44037 int is_affected, int insert_size);
44038- int (*check_left) (struct virtual_item * vi, int free,
44039+ int (* const check_left) (struct virtual_item * vi, int free,
44040 int start_skip, int end_skip);
44041- int (*check_right) (struct virtual_item * vi, int free);
44042- int (*part_size) (struct virtual_item * vi, int from, int to);
44043- int (*unit_num) (struct virtual_item * vi);
44044- void (*print_vi) (struct virtual_item * vi);
44045+ int (* const check_right) (struct virtual_item * vi, int free);
44046+ int (* const part_size) (struct virtual_item * vi, int from, int to);
44047+ int (* const unit_num) (struct virtual_item * vi);
44048+ void (* const print_vi) (struct virtual_item * vi);
44049 };
44050
44051-extern struct item_operations *item_ops[TYPE_ANY + 1];
44052+extern const struct item_operations * const item_ops[TYPE_ANY + 1];
44053
44054 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
44055 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
44056diff -urNp linux-2.6.32.9/include/linux/reiserfs_fs_sb.h linux-2.6.32.9/include/linux/reiserfs_fs_sb.h
44057--- linux-2.6.32.9/include/linux/reiserfs_fs_sb.h 2010-02-09 07:57:19.000000000 -0500
44058+++ linux-2.6.32.9/include/linux/reiserfs_fs_sb.h 2010-02-23 17:09:53.320537081 -0500
44059@@ -377,7 +377,7 @@ struct reiserfs_sb_info {
44060 /* Comment? -Hans */
44061 wait_queue_head_t s_wait;
44062 /* To be obsoleted soon by per buffer seals.. -Hans */
44063- atomic_t s_generation_counter; // increased by one every time the
44064+ atomic_unchecked_t s_generation_counter; // increased by one every time the
44065 // tree gets re-balanced
44066 unsigned long s_properties; /* File system properties. Currently holds
44067 on-disk FS format */
44068diff -urNp linux-2.6.32.9/include/linux/sched.h linux-2.6.32.9/include/linux/sched.h
44069--- linux-2.6.32.9/include/linux/sched.h 2010-02-23 17:04:12.651619895 -0500
44070+++ linux-2.6.32.9/include/linux/sched.h 2010-02-23 17:09:53.320537081 -0500
44071@@ -101,6 +101,7 @@ struct bio;
44072 struct fs_struct;
44073 struct bts_context;
44074 struct perf_event_context;
44075+struct linux_binprm;
44076
44077 /*
44078 * List of flags we want to share for kernel threads,
44079@@ -664,6 +665,15 @@ struct signal_struct {
44080 struct tty_audit_buf *tty_audit_buf;
44081 #endif
44082
44083+#ifdef CONFIG_GRKERNSEC
44084+ u32 curr_ip;
44085+ u32 gr_saddr;
44086+ u32 gr_daddr;
44087+ u16 gr_sport;
44088+ u16 gr_dport;
44089+ u8 used_accept:1;
44090+#endif
44091+
44092 int oom_adj; /* OOM kill score adjustment (bit shift) */
44093 };
44094
44095@@ -1214,7 +1224,7 @@ struct rcu_node;
44096
44097 struct task_struct {
44098 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
44099- void *stack;
44100+ struct thread_info *stack;
44101 atomic_t usage;
44102 unsigned int flags; /* per process flags, defined below */
44103 unsigned int ptrace;
44104@@ -1326,8 +1336,8 @@ struct task_struct {
44105 struct list_head thread_group;
44106
44107 struct completion *vfork_done; /* for vfork() */
44108- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
44109- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44110+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
44111+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44112
44113 cputime_t utime, stime, utimescaled, stimescaled;
44114 cputime_t gtime;
44115@@ -1341,16 +1351,6 @@ struct task_struct {
44116 struct task_cputime cputime_expires;
44117 struct list_head cpu_timers[3];
44118
44119-/* process credentials */
44120- const struct cred *real_cred; /* objective and real subjective task
44121- * credentials (COW) */
44122- const struct cred *cred; /* effective (overridable) subjective task
44123- * credentials (COW) */
44124- struct mutex cred_guard_mutex; /* guard against foreign influences on
44125- * credential calculations
44126- * (notably. ptrace) */
44127- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44128-
44129 char comm[TASK_COMM_LEN]; /* executable name excluding path
44130 - access with [gs]et_task_comm (which lock
44131 it with task_lock())
44132@@ -1434,6 +1434,15 @@ struct task_struct {
44133 int hardirq_context;
44134 int softirq_context;
44135 #endif
44136+
44137+/* process credentials */
44138+ const struct cred *real_cred; /* objective and real subjective task
44139+ * credentials (COW) */
44140+ struct mutex cred_guard_mutex; /* guard against foreign influences on
44141+ * credential calculations
44142+ * (notably. ptrace) */
44143+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44144+
44145 #ifdef CONFIG_LOCKDEP
44146 # define MAX_LOCK_DEPTH 48UL
44147 u64 curr_chain_key;
44148@@ -1454,6 +1463,9 @@ struct task_struct {
44149
44150 struct backing_dev_info *backing_dev_info;
44151
44152+ const struct cred *cred; /* effective (overridable) subjective task
44153+ * credentials (COW) */
44154+
44155 struct io_context *io_context;
44156
44157 unsigned long ptrace_message;
44158@@ -1517,6 +1529,19 @@ struct task_struct {
44159 unsigned long default_timer_slack_ns;
44160
44161 struct list_head *scm_work_list;
44162+
44163+#ifdef CONFIG_GRKERNSEC
44164+ /* grsecurity */
44165+ rwlock_t gr_fs_lock;
44166+ struct acl_subject_label *acl;
44167+ struct acl_role_label *role;
44168+ struct file *exec_file;
44169+ u16 acl_role_id;
44170+ u8 acl_sp_role;
44171+ u8 is_writable;
44172+ u8 brute;
44173+#endif
44174+
44175 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
44176 /* Index of current stored adress in ret_stack */
44177 int curr_ret_stack;
44178@@ -1541,6 +1566,52 @@ struct task_struct {
44179 unsigned long stack_start;
44180 };
44181
44182+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
44183+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
44184+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
44185+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
44186+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
44187+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
44188+
44189+#ifdef CONFIG_PAX_SOFTMODE
44190+extern unsigned int pax_softmode;
44191+#endif
44192+
44193+extern int pax_check_flags(unsigned long *);
44194+
44195+/* if tsk != current then task_lock must be held on it */
44196+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44197+static inline unsigned long pax_get_flags(struct task_struct *tsk)
44198+{
44199+ if (likely(tsk->mm))
44200+ return tsk->mm->pax_flags;
44201+ else
44202+ return 0UL;
44203+}
44204+
44205+/* if tsk != current then task_lock must be held on it */
44206+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
44207+{
44208+ if (likely(tsk->mm)) {
44209+ tsk->mm->pax_flags = flags;
44210+ return 0;
44211+ }
44212+ return -EINVAL;
44213+}
44214+#endif
44215+
44216+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44217+extern void pax_set_initial_flags(struct linux_binprm *bprm);
44218+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44219+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44220+#endif
44221+
44222+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
44223+void pax_report_insns(void *pc, void *sp);
44224+void pax_report_refcount_overflow(struct pt_regs *regs);
44225+void pax_report_leak_to_user(const void *ptr, unsigned long len);
44226+void pax_report_overflow_from_user(const void *ptr, unsigned long len);
44227+
44228 /* Future-safe accessor for struct task_struct's cpus_allowed. */
44229 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
44230
44231@@ -2140,7 +2211,7 @@ extern void __cleanup_sighand(struct sig
44232 extern void exit_itimers(struct signal_struct *);
44233 extern void flush_itimer_signals(void);
44234
44235-extern NORET_TYPE void do_group_exit(int);
44236+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
44237
44238 extern void daemonize(const char *, ...);
44239 extern int allow_signal(int);
44240@@ -2242,6 +2313,33 @@ static inline void task_unlock(struct ta
44241 spin_unlock(&p->alloc_lock);
44242 }
44243
44244+/* grsec: protects only ->fs as task_lock is overkill and we can't
44245+ be using a spin_lock in interrupt context
44246+*/
44247+#ifdef CONFIG_GRKERNSEC
44248+#define gr_fs_write_lock_irqsave(x, y) \
44249+ write_lock_irqsave(&x->gr_fs_lock, y)
44250+#define gr_fs_write_unlock_irqrestore(x, y) \
44251+ write_unlock_irqrestore(&x->gr_fs_lock, y)
44252+#else
44253+#define gr_fs_write_lock_irqsave(x, y)
44254+#define gr_fs_write_unlock_irqrestore(x, y)
44255+#endif
44256+
44257+static inline void gr_fs_read_lock(struct task_struct *p)
44258+{
44259+#ifdef CONFIG_GRKERNSEC
44260+ read_lock(&p->gr_fs_lock);
44261+#endif
44262+}
44263+
44264+static inline void gr_fs_read_unlock(struct task_struct *p)
44265+{
44266+#ifdef CONFIG_GRKERNSEC
44267+ read_unlock(&p->gr_fs_lock);
44268+#endif
44269+}
44270+
44271 extern struct sighand_struct *lock_task_sighand(struct task_struct *tsk,
44272 unsigned long *flags);
44273
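Review bot: The two write-side macros expand their first argument unparenthesised, `&x->gr_fs_lock`, so an argument that is not a plain identifier (a cast or a conditional expression, say) binds wrongly. Writing `write_lock_irqsave(&(x)->gr_fs_lock, y)` and `write_unlock_irqrestore(&(x)->gr_fs_lock, y)` removes that hazard. The block comment could also note that all four helpers compile to nothing when CONFIG_GRKERNSEC is unset, so callers cannot rely on them for exclusion in that configuration.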
44274@@ -2253,8 +2351,8 @@ static inline void unlock_task_sighand(s
44275
44276 #ifndef __HAVE_THREAD_FUNCTIONS
44277
44278-#define task_thread_info(task) ((struct thread_info *)(task)->stack)
44279-#define task_stack_page(task) ((task)->stack)
44280+#define task_thread_info(task) ((task)->stack)
44281+#define task_stack_page(task) ((void *)(task)->stack)
44282
44283 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
44284 {
44285@@ -2269,13 +2367,31 @@ static inline unsigned long *end_of_stac
44286
44287 #endif
44288
44289-static inline int object_is_on_stack(void *obj)
44290+static inline int object_starts_on_stack(void *obj)
44291 {
44292- void *stack = task_stack_page(current);
44293+ const void *stack = task_stack_page(current);
44294
44295 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
44296 }
44297
44298+/* 0: not at all, 1: fully, -1: partially (implies an error) */
44299+static inline int object_is_on_stack(const void *obj, unsigned long len)
44300+{
44301+ const void *stack = task_stack_page(current);
44302+ const void *stackend = stack + THREAD_SIZE;
44303+
44304+ if (obj + len < obj)
44305+ return -1;
44306+
44307+ if (stack <= obj && obj + len <= stackend)
44308+ return 1;
44309+
44310+ if (obj + len <= stack || stackend <= obj)
44311+ return 0;
44312+
44313+ return -1;
44314+}
44315+
44316 extern void thread_info_cache_init(void);
44317
44318 #ifdef CONFIG_DEBUG_STACK_USAGE
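Review bot: The wrap-around guard `if (obj + len < obj)` in the new object_is_on_stack() operates on `const void *`, and overflowing pointer arithmetic is undefined in ISO C. An optimising compiler may therefore drop the test unless the build flags forbid it, whereas the same range arithmetic on `unsigned long` is well defined. The one-line comment should also warn that -1 (partial overlap) is non-zero, so a caller written as `if (object_is_on_stack(p, n))` treats the error case as "on stack"; callers need to compare against 1 explicitly. object_starts_on_stack() could take `const void *obj` to match its new sibling.

```c
static inline int object_is_on_stack(const void *obj, unsigned long len)
{
	const unsigned long start = (unsigned long)obj;
	const unsigned long stack = (unsigned long)task_stack_page(current);
	const unsigned long stackend = stack + THREAD_SIZE;

	/* unsigned wrap-around is well defined, pointer wrap-around is not */
	if (start + len < start)
		return -1;

	if (stack <= start && start + len <= stackend)
		return 1;

	if (start + len <= stack || stackend <= start)
		return 0;

	return -1;
}
```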
44319diff -urNp linux-2.6.32.9/include/linux/screen_info.h linux-2.6.32.9/include/linux/screen_info.h
44320--- linux-2.6.32.9/include/linux/screen_info.h 2010-02-09 07:57:19.000000000 -0500
44321+++ linux-2.6.32.9/include/linux/screen_info.h 2010-02-23 17:09:53.320537081 -0500
44322@@ -42,7 +42,8 @@ struct screen_info {
44323 __u16 pages; /* 0x32 */
44324 __u16 vesa_attributes; /* 0x34 */
44325 __u32 capabilities; /* 0x36 */
44326- __u8 _reserved[6]; /* 0x3a */
44327+ __u16 vesapm_size; /* 0x3a */
44328+ __u8 _reserved[4]; /* 0x3c */
44329 } __attribute__((packed));
44330
44331 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
44332diff -urNp linux-2.6.32.9/include/linux/security.h linux-2.6.32.9/include/linux/security.h
44333--- linux-2.6.32.9/include/linux/security.h 2010-02-09 07:57:19.000000000 -0500
44334+++ linux-2.6.32.9/include/linux/security.h 2010-02-23 17:09:53.320537081 -0500
44335@@ -34,6 +34,7 @@
44336 #include <linux/key.h>
44337 #include <linux/xfrm.h>
44338 #include <linux/gfp.h>
44339+#include <linux/grsecurity.h>
44340 #include <net/flow.h>
44341
44342 /* Maximum number of letters for an LSM name string */
44343diff -urNp linux-2.6.32.9/include/linux/shm.h linux-2.6.32.9/include/linux/shm.h
44344--- linux-2.6.32.9/include/linux/shm.h 2010-02-09 07:57:19.000000000 -0500
44345+++ linux-2.6.32.9/include/linux/shm.h 2010-02-23 17:09:53.320537081 -0500
44346@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
44347 pid_t shm_cprid;
44348 pid_t shm_lprid;
44349 struct user_struct *mlock_user;
44350+#ifdef CONFIG_GRKERNSEC
44351+ time_t shm_createtime;
44352+ pid_t shm_lapid;
44353+#endif
44354 };
44355
44356 /* shm_mode upper byte flags */
44357diff -urNp linux-2.6.32.9/include/linux/slab.h linux-2.6.32.9/include/linux/slab.h
44358--- linux-2.6.32.9/include/linux/slab.h 2010-02-09 07:57:19.000000000 -0500
44359+++ linux-2.6.32.9/include/linux/slab.h 2010-02-23 17:09:53.320537081 -0500
44360@@ -11,6 +11,7 @@
44361
44362 #include <linux/gfp.h>
44363 #include <linux/types.h>
44364+#include <linux/err.h>
44365
44366 /*
44367 * Flags to pass to kmem_cache_create().
44368@@ -82,10 +83,13 @@
44369 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
44370 * Both make kfree a no-op.
44371 */
44372-#define ZERO_SIZE_PTR ((void *)16)
44373+#define ZERO_SIZE_PTR \
44374+({ \
44375+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
44376+ (void *)(-MAX_ERRNO-1L); \
44377+})
44378
44379-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
44380- (unsigned long)ZERO_SIZE_PTR)
44381+#define ZERO_OR_NULL_PTR(x) (!(x) || (x) == ZERO_SIZE_PTR)
44382
44383 /*
44384 * struct kmem_cache related prototypes
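Review bot: The new `ZERO_OR_NULL_PTR(x)` expands `x` twice, where the comparison it replaces evaluated it once, so an argument with side effects or an expensive call now runs twice. A statement expression with a temporary avoids that: `#define ZERO_OR_NULL_PTR(x) ({ const void *___p = (x); !___p || ___p == ZERO_SIZE_PTR; })`. The comment above the definition should also record that ZERO_SIZE_PTR is now `-MAX_ERRNO-1`, the address directly below the range `<linux/err.h>` uses for error pointers. As a statement expression it can no longer appear in a static initializer, which is worth stating there too.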
44385@@ -138,6 +142,7 @@ void * __must_check krealloc(const void
44386 void kfree(const void *);
44387 void kzfree(const void *);
44388 size_t ksize(const void *);
44389+void check_object_size(const void *ptr, unsigned long n, bool to);
44390
44391 /*
44392 * Allocator specific definitions. These are mainly used to establish optimized
44393@@ -328,4 +333,37 @@ static inline void *kzalloc_node(size_t
44394
44395 void __init kmem_cache_init_late(void);
44396
44397+#define kmalloc(x, y) \
44398+({ \
44399+ void *___retval; \
44400+ intoverflow_t ___x = (intoverflow_t)x; \
44401+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
44402+ ___retval = NULL; \
44403+ else \
44404+ ___retval = kmalloc((size_t)___x, (y)); \
44405+ ___retval; \
44406+})
44407+
44408+#define kmalloc_node(x, y, z) \
44409+({ \
44410+ void *___retval; \
44411+ intoverflow_t ___x = (intoverflow_t)x; \
44412+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
44413+ ___retval = NULL; \
44414+ else \
44415+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
44416+ ___retval; \
44417+})
44418+
44419+#define kzalloc(x, y) \
44420+({ \
44421+ void *___retval; \
44422+ intoverflow_t ___x = (intoverflow_t)x; \
44423+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
44424+ ___retval = NULL; \
44425+ else \
44426+ ___retval = kzalloc((size_t)___x, (y)); \
44427+ ___retval; \
44428+})
44429+
44430 #endif /* _LINUX_SLAB_H */
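Review bot: The missing parentheses in `(intoverflow_t)x` look like a macro-hygiene slip but appear to be deliberate, and the macros should say so in a comment. Because the cast binds only to the leftmost operand, `kmalloc(n * size, gfp)` is evaluated in `intoverflow_t` (defined outside this hunk, presumably wider than `unsigned long`), which is what lets the `> ULONG_MAX` test see a product that would otherwise have wrapped. The same property leaves the check blind to overflow anywhere but the leading operand: in `kmalloc(hdr + n * size, gfp)` the product is still computed at its native width, so call sites of that shape still need their own bounds check. A comment such as `/* x is deliberately not parenthesised: the cast must widen the first operand of the size expression */` would stop a later clean-up from adding the parentheses; the vmalloc wrappers added to include/linux/vmalloc.h later in this patch repeat the pattern.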
44431diff -urNp linux-2.6.32.9/include/linux/slub_def.h linux-2.6.32.9/include/linux/slub_def.h
44432--- linux-2.6.32.9/include/linux/slub_def.h 2010-02-09 07:57:19.000000000 -0500
44433+++ linux-2.6.32.9/include/linux/slub_def.h 2010-02-23 17:09:53.320537081 -0500
44434@@ -86,7 +86,7 @@ struct kmem_cache {
44435 struct kmem_cache_order_objects max;
44436 struct kmem_cache_order_objects min;
44437 gfp_t allocflags; /* gfp flags to use on each alloc */
44438- int refcount; /* Refcount for slab cache destroy */
44439+ atomic_t refcount; /* Refcount for slab cache destroy */
44440 void (*ctor)(void *);
44441 int inuse; /* Offset to metadata */
44442 int align; /* Alignment */
44443diff -urNp linux-2.6.32.9/include/linux/sonet.h linux-2.6.32.9/include/linux/sonet.h
44444--- linux-2.6.32.9/include/linux/sonet.h 2010-02-09 07:57:19.000000000 -0500
44445+++ linux-2.6.32.9/include/linux/sonet.h 2010-02-23 17:09:53.320537081 -0500
44446@@ -61,7 +61,7 @@ struct sonet_stats {
44447 #include <asm/atomic.h>
44448
44449 struct k_sonet_stats {
44450-#define __HANDLE_ITEM(i) atomic_t i
44451+#define __HANDLE_ITEM(i) atomic_unchecked_t i
44452 __SONET_ITEMS
44453 #undef __HANDLE_ITEM
44454 };
44455diff -urNp linux-2.6.32.9/include/linux/suspend.h linux-2.6.32.9/include/linux/suspend.h
44456--- linux-2.6.32.9/include/linux/suspend.h 2010-02-09 07:57:19.000000000 -0500
44457+++ linux-2.6.32.9/include/linux/suspend.h 2010-02-23 17:09:53.320537081 -0500
44458@@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
44459 * which require special recovery actions in that situation.
44460 */
44461 struct platform_suspend_ops {
44462- int (*valid)(suspend_state_t state);
44463- int (*begin)(suspend_state_t state);
44464- int (*prepare)(void);
44465- int (*prepare_late)(void);
44466- int (*enter)(suspend_state_t state);
44467- void (*wake)(void);
44468- void (*finish)(void);
44469- void (*end)(void);
44470- void (*recover)(void);
44471+ int (* const valid)(suspend_state_t state);
44472+ int (* const begin)(suspend_state_t state);
44473+ int (* const prepare)(void);
44474+ int (* const prepare_late)(void);
44475+ int (* const enter)(suspend_state_t state);
44476+ void (* const wake)(void);
44477+ void (* const finish)(void);
44478+ void (* const end)(void);
44479+ void (* const recover)(void);
44480 };
44481
44482 #ifdef CONFIG_SUSPEND
44483@@ -120,7 +120,7 @@ struct platform_suspend_ops {
44484 * suspend_set_ops - set platform dependent suspend operations
44485 * @ops: The new suspend operations to set.
44486 */
44487-extern void suspend_set_ops(struct platform_suspend_ops *ops);
44488+extern void suspend_set_ops(const struct platform_suspend_ops *ops);
44489 extern int suspend_valid_only_mem(suspend_state_t state);
44490
44491 /**
44492@@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
44493 #else /* !CONFIG_SUSPEND */
44494 #define suspend_valid_only_mem NULL
44495
44496-static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
44497+static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
44498 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
44499 #endif /* !CONFIG_SUSPEND */
44500
44501@@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
44502 * platforms which require special recovery actions in that situation.
44503 */
44504 struct platform_hibernation_ops {
44505- int (*begin)(void);
44506- void (*end)(void);
44507- int (*pre_snapshot)(void);
44508- void (*finish)(void);
44509- int (*prepare)(void);
44510- int (*enter)(void);
44511- void (*leave)(void);
44512- int (*pre_restore)(void);
44513- void (*restore_cleanup)(void);
44514- void (*recover)(void);
44515+ int (* const begin)(void);
44516+ void (* const end)(void);
44517+ int (* const pre_snapshot)(void);
44518+ void (* const finish)(void);
44519+ int (* const prepare)(void);
44520+ int (* const enter)(void);
44521+ void (* const leave)(void);
44522+ int (* const pre_restore)(void);
44523+ void (* const restore_cleanup)(void);
44524+ void (* const recover)(void);
44525 };
44526
44527 #ifdef CONFIG_HIBERNATION
44528@@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
44529 extern void swsusp_unset_page_free(struct page *);
44530 extern unsigned long get_safe_page(gfp_t gfp_mask);
44531
44532-extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
44533+extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
44534 extern int hibernate(void);
44535 extern bool system_entering_hibernation(void);
44536 #else /* CONFIG_HIBERNATION */
44537@@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
44538 static inline void swsusp_set_page_free(struct page *p) {}
44539 static inline void swsusp_unset_page_free(struct page *p) {}
44540
44541-static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
44542+static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
44543 static inline int hibernate(void) { return -ENOSYS; }
44544 static inline bool system_entering_hibernation(void) { return false; }
44545 #endif /* CONFIG_HIBERNATION */
44546diff -urNp linux-2.6.32.9/include/linux/sysctl.h linux-2.6.32.9/include/linux/sysctl.h
44547--- linux-2.6.32.9/include/linux/sysctl.h 2010-02-09 07:57:19.000000000 -0500
44548+++ linux-2.6.32.9/include/linux/sysctl.h 2010-02-23 17:09:53.320537081 -0500
44549@@ -164,7 +164,11 @@ enum
44550 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
44551 };
44552
44553-
44554+#ifdef CONFIG_PAX_SOFTMODE
44555+enum {
44556+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
44557+};
44558+#endif
44559
44560 /* CTL_VM names: */
44561 enum
44562diff -urNp linux-2.6.32.9/include/linux/sysfs.h linux-2.6.32.9/include/linux/sysfs.h
44563--- linux-2.6.32.9/include/linux/sysfs.h 2010-02-09 07:57:19.000000000 -0500
44564+++ linux-2.6.32.9/include/linux/sysfs.h 2010-02-23 17:09:53.320537081 -0500
44565@@ -75,8 +75,8 @@ struct bin_attribute {
44566 };
44567
44568 struct sysfs_ops {
44569- ssize_t (*show)(struct kobject *, struct attribute *,char *);
44570- ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
44571+ ssize_t (* const show)(struct kobject *, struct attribute *,char *);
44572+ ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
44573 };
44574
44575 struct sysfs_dirent;
44576diff -urNp linux-2.6.32.9/include/linux/thread_info.h linux-2.6.32.9/include/linux/thread_info.h
44577--- linux-2.6.32.9/include/linux/thread_info.h 2010-02-09 07:57:19.000000000 -0500
44578+++ linux-2.6.32.9/include/linux/thread_info.h 2010-02-23 17:09:53.320537081 -0500
44579@@ -23,7 +23,7 @@ struct restart_block {
44580 };
44581 /* For futex_wait and futex_wait_requeue_pi */
44582 struct {
44583- u32 *uaddr;
44584+ u32 __user *uaddr;
44585 u32 val;
44586 u32 flags;
44587 u32 bitset;
44588diff -urNp linux-2.6.32.9/include/linux/tty.h linux-2.6.32.9/include/linux/tty.h
44589--- linux-2.6.32.9/include/linux/tty.h 2010-02-09 07:57:19.000000000 -0500
44590+++ linux-2.6.32.9/include/linux/tty.h 2010-02-23 17:09:53.320537081 -0500
44591@@ -13,6 +13,7 @@
44592 #include <linux/tty_driver.h>
44593 #include <linux/tty_ldisc.h>
44594 #include <linux/mutex.h>
44595+#include <linux/poll.h>
44596
44597 #include <asm/system.h>
44598
44599@@ -432,7 +433,6 @@ extern int tty_perform_flush(struct tty_
44600 extern dev_t tty_devnum(struct tty_struct *tty);
44601 extern void proc_clear_tty(struct task_struct *p);
44602 extern struct tty_struct *get_current_tty(void);
44603-extern void tty_default_fops(struct file_operations *fops);
44604 extern struct tty_struct *alloc_tty_struct(void);
44605 extern void free_tty_struct(struct tty_struct *tty);
44606 extern void initialize_tty_struct(struct tty_struct *tty,
44607@@ -482,6 +482,18 @@ extern void tty_ldisc_begin(void);
44608 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
44609 extern void tty_ldisc_enable(struct tty_struct *tty);
44610
44611+/* tty_io.c */
44612+extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
44613+extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
44614+extern unsigned int tty_poll(struct file *, poll_table *);
44615+#ifdef CONFIG_COMPAT
44616+extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
44617+ unsigned long arg);
44618+#else
44619+#define tty_compat_ioctl NULL
44620+#endif
44621+extern int tty_release(struct inode *, struct file *);
44622+extern int tty_fasync(int fd, struct file *filp, int on);
44623
44624 /* n_tty.c */
44625 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
44626diff -urNp linux-2.6.32.9/include/linux/tty_ldisc.h linux-2.6.32.9/include/linux/tty_ldisc.h
44627--- linux-2.6.32.9/include/linux/tty_ldisc.h 2010-02-09 07:57:19.000000000 -0500
44628+++ linux-2.6.32.9/include/linux/tty_ldisc.h 2010-02-23 17:09:53.320537081 -0500
44629@@ -139,7 +139,7 @@ struct tty_ldisc_ops {
44630
44631 struct module *owner;
44632
44633- int refcount;
44634+ atomic_t refcount;
44635 };
44636
44637 struct tty_ldisc {
44638diff -urNp linux-2.6.32.9/include/linux/types.h linux-2.6.32.9/include/linux/types.h
44639--- linux-2.6.32.9/include/linux/types.h 2010-02-09 07:57:19.000000000 -0500
44640+++ linux-2.6.32.9/include/linux/types.h 2010-02-23 17:09:53.320537081 -0500
44641@@ -191,10 +191,26 @@ typedef struct {
44642 volatile int counter;
44643 } atomic_t;
44644
44645+#ifdef CONFIG_PAX_REFCOUNT
44646+typedef struct {
44647+ volatile int counter;
44648+} atomic_unchecked_t;
44649+#else
44650+typedef atomic_t atomic_unchecked_t;
44651+#endif
44652+
44653 #ifdef CONFIG_64BIT
44654 typedef struct {
44655 volatile long counter;
44656 } atomic64_t;
44657+
44658+#ifdef CONFIG_PAX_REFCOUNT
44659+typedef struct {
44660+ volatile long counter;
44661+} atomic64_unchecked_t;
44662+#else
44663+typedef atomic64_t atomic64_unchecked_t;
44664+#endif
44665 #endif
44666
44667 struct ustat {
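Review bot: Nothing in this hunk documents what separates `atomic_unchecked_t` and `atomic64_unchecked_t` from their plain counterparts, and the `#else` branches make each pair the same type when CONFIG_PAX_REFCOUNT is off. Code that passes one where the other is expected therefore builds cleanly in that configuration and fails to compile only in the hardened one, so mix-ups may go unnoticed until that build is run. If, as the names suggest, the unchecked variants are for counters that may legitimately wrap, a comment above each typedef such as `/* exempt from CONFIG_PAX_REFCOUNT overflow checking; not for reference counts */` would state the intended use.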
44668diff -urNp linux-2.6.32.9/include/linux/uaccess.h linux-2.6.32.9/include/linux/uaccess.h
44669--- linux-2.6.32.9/include/linux/uaccess.h 2010-02-09 07:57:19.000000000 -0500
44670+++ linux-2.6.32.9/include/linux/uaccess.h 2010-02-23 17:09:53.324062460 -0500
44671@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
44672 long ret; \
44673 mm_segment_t old_fs = get_fs(); \
44674 \
44675- set_fs(KERNEL_DS); \
44676 pagefault_disable(); \
44677+ set_fs(KERNEL_DS); \
44678 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
44679- pagefault_enable(); \
44680 set_fs(old_fs); \
44681+ pagefault_enable(); \
44682 ret; \
44683 })
44684
44685@@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
44686 * Safely read from address @src to the buffer at @dst. If a kernel fault
44687 * happens, handle that and return -EFAULT.
44688 */
44689-extern long probe_kernel_read(void *dst, void *src, size_t size);
44690+extern long probe_kernel_read(void *dst, const void *src, size_t size);
44691
44692 /*
44693 * probe_kernel_write(): safely attempt to write to a location
44694@@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
44695 * Safely write to address @dst from the buffer at @src. If a kernel fault
44696 * happens, handle that and return -EFAULT.
44697 */
44698-extern long probe_kernel_write(void *dst, void *src, size_t size);
44699+extern long probe_kernel_write(void *dst, const void *src, size_t size);
44700
44701 #endif /* __LINUX_UACCESS_H__ */
44702diff -urNp linux-2.6.32.9/include/linux/vmalloc.h linux-2.6.32.9/include/linux/vmalloc.h
44703--- linux-2.6.32.9/include/linux/vmalloc.h 2010-02-09 07:57:19.000000000 -0500
44704+++ linux-2.6.32.9/include/linux/vmalloc.h 2010-02-23 17:09:53.324062460 -0500
44705@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
44706 #define VM_MAP 0x00000004 /* vmap()ed pages */
44707 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
44708 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
44709+
44710+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44711+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
44712+#endif
44713+
44714 /* bits [20..32] reserved for arch specific ioremap internals */
44715
44716 /*
44717@@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
44718
44719 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
44720
44721+#define vmalloc(x) \
44722+({ \
44723+ void *___retval; \
44724+ intoverflow_t ___x = (intoverflow_t)x; \
44725+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
44726+ ___retval = NULL; \
44727+ else \
44728+ ___retval = vmalloc((unsigned long)___x); \
44729+ ___retval; \
44730+})
44731+
44732+#define __vmalloc(x, y, z) \
44733+({ \
44734+ void *___retval; \
44735+ intoverflow_t ___x = (intoverflow_t)x; \
44736+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
44737+ ___retval = NULL; \
44738+ else \
44739+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
44740+ ___retval; \
44741+})
44742+
44743+#define vmalloc_user(x) \
44744+({ \
44745+ void *___retval; \
44746+ intoverflow_t ___x = (intoverflow_t)x; \
44747+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
44748+ ___retval = NULL; \
44749+ else \
44750+ ___retval = vmalloc_user((unsigned long)___x); \
44751+ ___retval; \
44752+})
44753+
44754+#define vmalloc_exec(x) \
44755+({ \
44756+ void *___retval; \
44757+ intoverflow_t ___x = (intoverflow_t)x; \
44758+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
44759+ ___retval = NULL; \
44760+ else \
44761+ ___retval = vmalloc_exec((unsigned long)___x); \
44762+ ___retval; \
44763+})
44764+
44765+#define vmalloc_node(x, y) \
44766+({ \
44767+ void *___retval; \
44768+ intoverflow_t ___x = (intoverflow_t)x; \
44769+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
44770+ ___retval = NULL; \
44771+ else \
44772+ ___retval = vmalloc_node((unsigned long)___x, (y));\
44773+ ___retval; \
44774+})
44775+
44776+#define vmalloc_32(x) \
44777+({ \
44778+ void *___retval; \
44779+ intoverflow_t ___x = (intoverflow_t)x; \
44780+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
44781+ ___retval = NULL; \
44782+ else \
44783+ ___retval = vmalloc_32((unsigned long)___x); \
44784+ ___retval; \
44785+})
44786+
44787+#define vmalloc_32_user(x) \
44788+({ \
44789+ void *___retval; \
44790+ intoverflow_t ___x = (intoverflow_t)x; \
44791+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
44792+ ___retval = NULL; \
44793+ else \
44794+ ___retval = vmalloc_32_user((unsigned long)___x);\
44795+ ___retval; \
44796+})
44797+
44798 #endif /* _LINUX_VMALLOC_H */
44799diff -urNp linux-2.6.32.9/include/net/irda/ircomm_tty.h linux-2.6.32.9/include/net/irda/ircomm_tty.h
44800--- linux-2.6.32.9/include/net/irda/ircomm_tty.h 2010-02-09 07:57:19.000000000 -0500
44801+++ linux-2.6.32.9/include/net/irda/ircomm_tty.h 2010-02-23 17:09:53.324062460 -0500
44802@@ -105,8 +105,8 @@ struct ircomm_tty_cb {
44803 unsigned short close_delay;
44804 unsigned short closing_wait; /* time to wait before closing */
44805
44806- int open_count;
44807- int blocked_open; /* # of blocked opens */
44808+ atomic_t open_count;
44809+ atomic_t blocked_open; /* # of blocked opens */
44810
44811 /* Protect concurent access to :
44812 * o self->open_count
44813diff -urNp linux-2.6.32.9/include/net/neighbour.h linux-2.6.32.9/include/net/neighbour.h
44814--- linux-2.6.32.9/include/net/neighbour.h 2010-02-09 07:57:19.000000000 -0500
44815+++ linux-2.6.32.9/include/net/neighbour.h 2010-02-23 17:09:53.324062460 -0500
44816@@ -125,12 +125,12 @@ struct neighbour
44817 struct neigh_ops
44818 {
44819 int family;
44820- void (*solicit)(struct neighbour *, struct sk_buff*);
44821- void (*error_report)(struct neighbour *, struct sk_buff*);
44822- int (*output)(struct sk_buff*);
44823- int (*connected_output)(struct sk_buff*);
44824- int (*hh_output)(struct sk_buff*);
44825- int (*queue_xmit)(struct sk_buff*);
44826+ void (* const solicit)(struct neighbour *, struct sk_buff*);
44827+ void (* const error_report)(struct neighbour *, struct sk_buff*);
44828+ int (* const output)(struct sk_buff*);
44829+ int (* const connected_output)(struct sk_buff*);
44830+ int (* const hh_output)(struct sk_buff*);
44831+ int (* const queue_xmit)(struct sk_buff*);
44832 };
44833
44834 struct pneigh_entry
44835diff -urNp linux-2.6.32.9/include/net/sctp/sctp.h linux-2.6.32.9/include/net/sctp/sctp.h
44836--- linux-2.6.32.9/include/net/sctp/sctp.h 2010-02-09 07:57:19.000000000 -0500
44837+++ linux-2.6.32.9/include/net/sctp/sctp.h 2010-02-23 17:09:53.324062460 -0500
44838@@ -305,8 +305,8 @@ extern int sctp_debug_flag;
44839
44840 #else /* SCTP_DEBUG */
44841
44842-#define SCTP_DEBUG_PRINTK(whatever...)
44843-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
44844+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
44845+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
44846 #define SCTP_ENABLE_DEBUG
44847 #define SCTP_DISABLE_DEBUG
44848 #define SCTP_ASSERT(expr, str, func)
44849diff -urNp linux-2.6.32.9/include/net/tcp.h linux-2.6.32.9/include/net/tcp.h
44850--- linux-2.6.32.9/include/net/tcp.h 2010-02-09 07:57:19.000000000 -0500
44851+++ linux-2.6.32.9/include/net/tcp.h 2010-02-23 17:09:53.324062460 -0500
44852@@ -1420,6 +1420,7 @@ enum tcp_seq_states {
44853 struct tcp_seq_afinfo {
44854 char *name;
44855 sa_family_t family;
44856+ /* cannot be const */
44857 struct file_operations seq_fops;
44858 struct seq_operations seq_ops;
44859 };
44860diff -urNp linux-2.6.32.9/include/net/udp.h linux-2.6.32.9/include/net/udp.h
44861--- linux-2.6.32.9/include/net/udp.h 2010-02-09 07:57:19.000000000 -0500
44862+++ linux-2.6.32.9/include/net/udp.h 2010-02-23 17:09:53.324062460 -0500
44863@@ -187,6 +187,7 @@ struct udp_seq_afinfo {
44864 char *name;
44865 sa_family_t family;
44866 struct udp_table *udp_table;
44867+ /* cannot be const */
44868 struct file_operations seq_fops;
44869 struct seq_operations seq_ops;
44870 };
44871diff -urNp linux-2.6.32.9/include/sound/ac97_codec.h linux-2.6.32.9/include/sound/ac97_codec.h
44872--- linux-2.6.32.9/include/sound/ac97_codec.h 2010-02-09 07:57:19.000000000 -0500
44873+++ linux-2.6.32.9/include/sound/ac97_codec.h 2010-02-23 17:09:53.324062460 -0500
44874@@ -419,15 +419,15 @@
44875 struct snd_ac97;
44876
44877 struct snd_ac97_build_ops {
44878- int (*build_3d) (struct snd_ac97 *ac97);
44879- int (*build_specific) (struct snd_ac97 *ac97);
44880- int (*build_spdif) (struct snd_ac97 *ac97);
44881- int (*build_post_spdif) (struct snd_ac97 *ac97);
44882+ int (* const build_3d) (struct snd_ac97 *ac97);
44883+ int (* const build_specific) (struct snd_ac97 *ac97);
44884+ int (* const build_spdif) (struct snd_ac97 *ac97);
44885+ int (* const build_post_spdif) (struct snd_ac97 *ac97);
44886 #ifdef CONFIG_PM
44887- void (*suspend) (struct snd_ac97 *ac97);
44888- void (*resume) (struct snd_ac97 *ac97);
44889+ void (* const suspend) (struct snd_ac97 *ac97);
44890+ void (* const resume) (struct snd_ac97 *ac97);
44891 #endif
44892- void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
44893+ void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
44894 };
44895
44896 struct snd_ac97_bus_ops {
44897@@ -477,7 +477,7 @@ struct snd_ac97_template {
44898
44899 struct snd_ac97 {
44900 /* -- lowlevel (hardware) driver specific -- */
44901- struct snd_ac97_build_ops * build_ops;
44902+ const struct snd_ac97_build_ops * build_ops;
44903 void *private_data;
44904 void (*private_free) (struct snd_ac97 *ac97);
44905 /* --- */
44906diff -urNp linux-2.6.32.9/include/trace/events/irq.h linux-2.6.32.9/include/trace/events/irq.h
44907--- linux-2.6.32.9/include/trace/events/irq.h 2010-02-09 07:57:19.000000000 -0500
44908+++ linux-2.6.32.9/include/trace/events/irq.h 2010-02-23 17:09:53.324062460 -0500
44909@@ -34,7 +34,7 @@
44910 */
44911 TRACE_EVENT(irq_handler_entry,
44912
44913- TP_PROTO(int irq, struct irqaction *action),
44914+ TP_PROTO(int irq, const struct irqaction *action),
44915
44916 TP_ARGS(irq, action),
44917
44918@@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
44919 */
44920 TRACE_EVENT(irq_handler_exit,
44921
44922- TP_PROTO(int irq, struct irqaction *action, int ret),
44923+ TP_PROTO(int irq, const struct irqaction *action, int ret),
44924
44925 TP_ARGS(irq, action, ret),
44926
44927@@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
44928 */
44929 TRACE_EVENT(softirq_entry,
44930
44931- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
44932+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
44933
44934 TP_ARGS(h, vec),
44935
44936@@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
44937 */
44938 TRACE_EVENT(softirq_exit,
44939
44940- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
44941+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
44942
44943 TP_ARGS(h, vec),
44944
44945diff -urNp linux-2.6.32.9/include/video/uvesafb.h linux-2.6.32.9/include/video/uvesafb.h
44946--- linux-2.6.32.9/include/video/uvesafb.h 2010-02-09 07:57:19.000000000 -0500
44947+++ linux-2.6.32.9/include/video/uvesafb.h 2010-02-23 17:09:53.324062460 -0500
44948@@ -177,6 +177,7 @@ struct uvesafb_par {
44949 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
44950 u8 pmi_setpal; /* PMI for palette changes */
44951 u16 *pmi_base; /* protected mode interface location */
44952+ u8 *pmi_code; /* protected mode code location */
44953 void *pmi_start;
44954 void *pmi_pal;
44955 u8 *vbe_state_orig; /*
44956diff -urNp linux-2.6.32.9/init/do_mounts.c linux-2.6.32.9/init/do_mounts.c
44957--- linux-2.6.32.9/init/do_mounts.c 2010-02-09 07:57:19.000000000 -0500
44958+++ linux-2.6.32.9/init/do_mounts.c 2010-02-23 17:09:53.324062460 -0500
44959@@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
44960
44961 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
44962 {
44963- int err = sys_mount(name, "/root", fs, flags, data);
44964+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
44965 if (err)
44966 return err;
44967
44968- sys_chdir("/root");
44969+ sys_chdir((__force char __user *)"/root");
44970 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
44971 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
44972 current->fs->pwd.mnt->mnt_sb->s_type->name,
44973@@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
44974 va_start(args, fmt);
44975 vsprintf(buf, fmt, args);
44976 va_end(args);
44977- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
44978+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
44979 if (fd >= 0) {
44980 sys_ioctl(fd, FDEJECT, 0);
44981 sys_close(fd);
44982 }
44983 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
44984- fd = sys_open("/dev/console", O_RDWR, 0);
44985+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
44986 if (fd >= 0) {
44987 sys_ioctl(fd, TCGETS, (long)&termios);
44988 termios.c_lflag &= ~ICANON;
44989 sys_ioctl(fd, TCSETSF, (long)&termios);
44990- sys_read(fd, &c, 1);
44991+ sys_read(fd, (char __user *)&c, 1);
44992 termios.c_lflag |= ICANON;
44993 sys_ioctl(fd, TCSETSF, (long)&termios);
44994 sys_close(fd);
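Review bot: The three casts added in change_floppy() are written `(char __user *)` without `__force`, unlike the other casts this patch adds in the same file (`(__force char __user *)` in do_mount_root() and prepare_namespace()). A plain cast across address spaces is what sparse reports, so these lines would still warn. They should read `sys_open((__force char __user *)"/dev/root", O_RDWR | O_NDELAY, 0)`, and likewise for `"/dev/console"` and `(__force char __user *)&c`. change_floppy() begins above this hunk.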
44995@@ -416,6 +416,6 @@ void __init prepare_namespace(void)
44996 mount_root();
44997 out:
44998 devtmpfs_mount("dev");
44999- sys_mount(".", "/", NULL, MS_MOVE, NULL);
45000- sys_chroot(".");
45001+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45002+ sys_chroot((__force char __user *)".");
45003 }
45004diff -urNp linux-2.6.32.9/init/do_mounts.h linux-2.6.32.9/init/do_mounts.h
45005--- linux-2.6.32.9/init/do_mounts.h 2010-02-09 07:57:19.000000000 -0500
45006+++ linux-2.6.32.9/init/do_mounts.h 2010-02-23 17:09:53.324062460 -0500
45007@@ -15,15 +15,15 @@ extern int root_mountflags;
45008
45009 static inline int create_dev(char *name, dev_t dev)
45010 {
45011- sys_unlink(name);
45012- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
45013+ sys_unlink((__force char __user *)name);
45014+ return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
45015 }
45016
45017 #if BITS_PER_LONG == 32
45018 static inline u32 bstat(char *name)
45019 {
45020 struct stat64 stat;
45021- if (sys_stat64(name, &stat) != 0)
45022+ if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
45023 return 0;
45024 if (!S_ISBLK(stat.st_mode))
45025 return 0;
45026diff -urNp linux-2.6.32.9/init/do_mounts_initrd.c linux-2.6.32.9/init/do_mounts_initrd.c
45027--- linux-2.6.32.9/init/do_mounts_initrd.c 2010-02-09 07:57:19.000000000 -0500
45028+++ linux-2.6.32.9/init/do_mounts_initrd.c 2010-02-23 17:09:53.324062460 -0500
45029@@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
45030 sys_close(old_fd);sys_close(root_fd);
45031 sys_close(0);sys_close(1);sys_close(2);
45032 sys_setsid();
45033- (void) sys_open("/dev/console",O_RDWR,0);
45034+ (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
45035 (void) sys_dup(0);
45036 (void) sys_dup(0);
45037 return kernel_execve(shell, argv, envp_init);
45038@@ -47,13 +47,13 @@ static void __init handle_initrd(void)
45039 create_dev("/dev/root.old", Root_RAM0);
45040 /* mount initrd on rootfs' /root */
45041 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
45042- sys_mkdir("/old", 0700);
45043- root_fd = sys_open("/", 0, 0);
45044- old_fd = sys_open("/old", 0, 0);
45045+ sys_mkdir((__force const char __user *)"/old", 0700);
45046+ root_fd = sys_open((__force const char __user *)"/", 0, 0);
45047+ old_fd = sys_open((__force const char __user *)"/old", 0, 0);
45048 /* move initrd over / and chdir/chroot in initrd root */
45049- sys_chdir("/root");
45050- sys_mount(".", "/", NULL, MS_MOVE, NULL);
45051- sys_chroot(".");
45052+ sys_chdir((__force const char __user *)"/root");
45053+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45054+ sys_chroot((__force const char __user *)".");
45055
45056 /*
45057 * In case that a resume from disk is carried out by linuxrc or one of
45058@@ -70,15 +70,15 @@ static void __init handle_initrd(void)
45059
45060 /* move initrd to rootfs' /old */
45061 sys_fchdir(old_fd);
45062- sys_mount("/", ".", NULL, MS_MOVE, NULL);
45063+ sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
45064 /* switch root and cwd back to / of rootfs */
45065 sys_fchdir(root_fd);
45066- sys_chroot(".");
45067+ sys_chroot((__force const char __user *)".");
45068 sys_close(old_fd);
45069 sys_close(root_fd);
45070
45071 if (new_decode_dev(real_root_dev) == Root_RAM0) {
45072- sys_chdir("/old");
45073+ sys_chdir((__force const char __user *)"/old");
45074 return;
45075 }
45076
45077@@ -86,17 +86,17 @@ static void __init handle_initrd(void)
45078 mount_root();
45079
45080 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
45081- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
45082+ error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
45083 if (!error)
45084 printk("okay\n");
45085 else {
45086- int fd = sys_open("/dev/root.old", O_RDWR, 0);
45087+ int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
45088 if (error == -ENOENT)
45089 printk("/initrd does not exist. Ignored.\n");
45090 else
45091 printk("failed\n");
45092 printk(KERN_NOTICE "Unmounting old root\n");
45093- sys_umount("/old", MNT_DETACH);
45094+ sys_umount((__force char __user *)"/old", MNT_DETACH);
45095 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
45096 if (fd < 0) {
45097 error = fd;
45098@@ -119,11 +119,11 @@ int __init initrd_load(void)
45099 * mounted in the normal path.
45100 */
45101 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
45102- sys_unlink("/initrd.image");
45103+ sys_unlink((__force const char __user *)"/initrd.image");
45104 handle_initrd();
45105 return 1;
45106 }
45107 }
45108- sys_unlink("/initrd.image");
45109+ sys_unlink((__force const char __user *)"/initrd.image");
45110 return 0;
45111 }
45112diff -urNp linux-2.6.32.9/init/do_mounts_md.c linux-2.6.32.9/init/do_mounts_md.c
45113--- linux-2.6.32.9/init/do_mounts_md.c 2010-02-09 07:57:19.000000000 -0500
45114+++ linux-2.6.32.9/init/do_mounts_md.c 2010-02-23 17:09:53.324062460 -0500
45115@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
45116 partitioned ? "_d" : "", minor,
45117 md_setup_args[ent].device_names);
45118
45119- fd = sys_open(name, 0, 0);
45120+ fd = sys_open((__force char __user *)name, 0, 0);
45121 if (fd < 0) {
45122 printk(KERN_ERR "md: open failed - cannot start "
45123 "array %s\n", name);
45124@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
45125 * array without it
45126 */
45127 sys_close(fd);
45128- fd = sys_open(name, 0, 0);
45129+ fd = sys_open((__force char __user *)name, 0, 0);
45130 sys_ioctl(fd, BLKRRPART, 0);
45131 }
45132 sys_close(fd);
45133@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
45134
45135 wait_for_device_probe();
45136
45137- fd = sys_open("/dev/md0", 0, 0);
45138+ fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
45139 if (fd >= 0) {
45140 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
45141 sys_close(fd);
45142diff -urNp linux-2.6.32.9/init/initramfs.c linux-2.6.32.9/init/initramfs.c
45143--- linux-2.6.32.9/init/initramfs.c 2010-02-09 07:57:19.000000000 -0500
45144+++ linux-2.6.32.9/init/initramfs.c 2010-02-23 17:09:53.324062460 -0500
45145@@ -74,7 +74,7 @@ static void __init free_hash(void)
45146 }
45147 }
45148
45149-static long __init do_utime(char __user *filename, time_t mtime)
45150+static long __init do_utime(__force char __user *filename, time_t mtime)
45151 {
45152 struct timespec t[2];
45153
45154@@ -109,7 +109,7 @@ static void __init dir_utime(void)
45155 struct dir_entry *de, *tmp;
45156 list_for_each_entry_safe(de, tmp, &dir_list, list) {
45157 list_del(&de->list);
45158- do_utime(de->name, de->mtime);
45159+ do_utime((__force char __user *)de->name, de->mtime);
45160 kfree(de->name);
45161 kfree(de);
45162 }
45163@@ -271,7 +271,7 @@ static int __init maybe_link(void)
45164 if (nlink >= 2) {
45165 char *old = find_link(major, minor, ino, mode, collected);
45166 if (old)
45167- return (sys_link(old, collected) < 0) ? -1 : 1;
45168+ return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
45169 }
45170 return 0;
45171 }
45172@@ -280,11 +280,11 @@ static void __init clean_path(char *path
45173 {
45174 struct stat st;
45175
45176- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
45177+ if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
45178 if (S_ISDIR(st.st_mode))
45179- sys_rmdir(path);
45180+ sys_rmdir((__force char __user *)path);
45181 else
45182- sys_unlink(path);
45183+ sys_unlink((__force char __user *)path);
45184 }
45185 }
45186
45187@@ -305,7 +305,7 @@ static int __init do_name(void)
45188 int openflags = O_WRONLY|O_CREAT;
45189 if (ml != 1)
45190 openflags |= O_TRUNC;
45191- wfd = sys_open(collected, openflags, mode);
45192+ wfd = sys_open((__force char __user *)collected, openflags, mode);
45193
45194 if (wfd >= 0) {
45195 sys_fchown(wfd, uid, gid);
45196@@ -317,17 +317,17 @@ static int __init do_name(void)
45197 }
45198 }
45199 } else if (S_ISDIR(mode)) {
45200- sys_mkdir(collected, mode);
45201- sys_chown(collected, uid, gid);
45202- sys_chmod(collected, mode);
45203+ sys_mkdir((__force char __user *)collected, mode);
45204+ sys_chown((__force char __user *)collected, uid, gid);
45205+ sys_chmod((__force char __user *)collected, mode);
45206 dir_add(collected, mtime);
45207 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
45208 S_ISFIFO(mode) || S_ISSOCK(mode)) {
45209 if (maybe_link() == 0) {
45210- sys_mknod(collected, mode, rdev);
45211- sys_chown(collected, uid, gid);
45212- sys_chmod(collected, mode);
45213- do_utime(collected, mtime);
45214+ sys_mknod((__force char __user *)collected, mode, rdev);
45215+ sys_chown((__force char __user *)collected, uid, gid);
45216+ sys_chmod((__force char __user *)collected, mode);
45217+ do_utime((__force char __user *)collected, mtime);
45218 }
45219 }
45220 return 0;
45221@@ -336,15 +336,15 @@ static int __init do_name(void)
45222 static int __init do_copy(void)
45223 {
45224 if (count >= body_len) {
45225- sys_write(wfd, victim, body_len);
45226+ sys_write(wfd, (__force char __user *)victim, body_len);
45227 sys_close(wfd);
45228- do_utime(vcollected, mtime);
45229+ do_utime((__force char __user *)vcollected, mtime);
45230 kfree(vcollected);
45231 eat(body_len);
45232 state = SkipIt;
45233 return 0;
45234 } else {
45235- sys_write(wfd, victim, count);
45236+ sys_write(wfd, (__force char __user *)victim, count);
45237 body_len -= count;
45238 eat(count);
45239 return 1;
45240@@ -355,9 +355,9 @@ static int __init do_symlink(void)
45241 {
45242 collected[N_ALIGN(name_len) + body_len] = '\0';
45243 clean_path(collected, 0);
45244- sys_symlink(collected + N_ALIGN(name_len), collected);
45245- sys_lchown(collected, uid, gid);
45246- do_utime(collected, mtime);
45247+ sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
45248+ sys_lchown((__force char __user *)collected, uid, gid);
45249+ do_utime((__force char __user *)collected, mtime);
45250 state = SkipIt;
45251 next_state = Reset;
45252 return 0;
45253diff -urNp linux-2.6.32.9/init/Kconfig linux-2.6.32.9/init/Kconfig
45254--- linux-2.6.32.9/init/Kconfig 2010-02-09 07:57:19.000000000 -0500
45255+++ linux-2.6.32.9/init/Kconfig 2010-02-23 17:09:53.324062460 -0500
45256@@ -1026,7 +1026,7 @@ config SLUB_DEBUG
45257
45258 config COMPAT_BRK
45259 bool "Disable heap randomization"
45260- default y
45261+ default n
45262 help
45263 Randomizing heap placement makes heap exploits harder, but it
45264 also breaks ancient binaries (including anything libc5 based).
45265@@ -1116,9 +1116,9 @@ config HAVE_GENERIC_DMA_COHERENT
45266
45267 config SLABINFO
45268 bool
45269- depends on PROC_FS
45270+ depends on PROC_FS && !GRKERNSEC_PROC_ADD
45271 depends on SLAB || SLUB_DEBUG
45272- default y
45273+ default n
45274
45275 config RT_MUTEXES
45276 boolean
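Review bot: With `default n` on a promptless symbol, SLABINFO in the second hunk can no longer be enabled by anything short of a `select`, so the `!GRKERNSEC_PROC_ADD` dependency added two lines above it has no effect. If the intent is to hide /proc/slabinfo only when the grsecurity /proc restrictions are enabled, keep `default y` and let `depends on PROC_FS && !GRKERNSEC_PROC_ADD` do the gating. If the intent is to remove it in every configuration, drop the extra dependency and say so in a `#` comment on the entry, so the next maintainer knows which of the two was meant.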
45277diff -urNp linux-2.6.32.9/init/main.c linux-2.6.32.9/init/main.c
45278--- linux-2.6.32.9/init/main.c 2010-02-09 07:57:19.000000000 -0500
45279+++ linux-2.6.32.9/init/main.c 2010-02-23 17:09:53.324062460 -0500
45280@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
45281 #ifdef CONFIG_TC
45282 extern void tc_init(void);
45283 #endif
45284+extern void grsecurity_init(void);
45285
45286 enum system_states system_state __read_mostly;
45287 EXPORT_SYMBOL(system_state);
45288@@ -183,6 +184,35 @@ static int __init set_reset_devices(char
45289
45290 __setup("reset_devices", set_reset_devices);
45291
45292+#if defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)
45293+static int __init setup_pax_nouderef(char *str)
45294+{
45295+ unsigned int cpu;
45296+
45297+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
45298+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
45299+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
45300+ }
45301+ asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
45302+ asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
45303+ asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
45304+
45305+ return 0;
45306+}
45307+early_param("pax_nouderef", setup_pax_nouderef);
45308+#endif
45309+
45310+#ifdef CONFIG_PAX_SOFTMODE
45311+unsigned int pax_softmode;
45312+
45313+static int __init setup_pax_softmode(char *str)
45314+{
45315+ get_option(&str, &pax_softmode);
45316+ return 1;
45317+}
45318+__setup("pax_softmode=", setup_pax_softmode);
45319+#endif
45320+
45321 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
45322 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
45323 static const char *panic_later, *panic_param;
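Review bot: The two descriptor writes in setup_pax_nouderef, `.type = 3` and `.limit = 0xf`, are bare magic numbers, and the function leaves no trace in the boot log that a hardening feature was switched off from the command line. A comment stating what the rewritten kernel data-segment descriptor now permits, plus a `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;`, would make the parameter auditable from dmesg. In setup_pax_softmode the result of get_option() is ignored and `&pax_softmode` is an `unsigned int *` passed where get_option() takes an `int *`; parsing into a local `int` first avoids the pointer-sign mismatch.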
45324@@ -702,52 +732,53 @@ int initcall_debug;
45325 core_param(initcall_debug, initcall_debug, bool, 0644);
45326
45327 static char msgbuf[64];
45328-static struct boot_trace_call call;
45329-static struct boot_trace_ret ret;
45330+static struct boot_trace_call trace_call;
45331+static struct boot_trace_ret trace_ret;
45332
45333 int do_one_initcall(initcall_t fn)
45334 {
45335 int count = preempt_count();
45336 ktime_t calltime, delta, rettime;
45337+ const char *msg1 = "", *msg2 = "";
45338
45339 if (initcall_debug) {
45340- call.caller = task_pid_nr(current);
45341- printk("calling %pF @ %i\n", fn, call.caller);
45342+ trace_call.caller = task_pid_nr(current);
45343+ printk("calling %pF @ %i\n", fn, trace_call.caller);
45344 calltime = ktime_get();
45345- trace_boot_call(&call, fn);
45346+ trace_boot_call(&trace_call, fn);
45347 enable_boot_trace();
45348 }
45349
45350- ret.result = fn();
45351+ trace_ret.result = fn();
45352
45353 if (initcall_debug) {
45354 disable_boot_trace();
45355 rettime = ktime_get();
45356 delta = ktime_sub(rettime, calltime);
45357- ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45358- trace_boot_ret(&ret, fn);
45359+ trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45360+ trace_boot_ret(&trace_ret, fn);
45361 printk("initcall %pF returned %d after %Ld usecs\n", fn,
45362- ret.result, ret.duration);
45363+ trace_ret.result, trace_ret.duration);
45364 }
45365
45366 msgbuf[0] = 0;
45367
45368- if (ret.result && ret.result != -ENODEV && initcall_debug)
45369- sprintf(msgbuf, "error code %d ", ret.result);
45370+ if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
45371+ sprintf(msgbuf, "error code %d ", trace_ret.result);
45372
45373 if (preempt_count() != count) {
45374- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
45375+ msg1 = " preemption imbalance";
45376 preempt_count() = count;
45377 }
45378 if (irqs_disabled()) {
45379- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
45380+ msg2 = " disabled interrupts";
45381 local_irq_enable();
45382 }
45383- if (msgbuf[0]) {
45384- printk("initcall %pF returned with %s\n", fn, msgbuf);
45385+ if (msgbuf[0] || *msg1 || *msg2) {
45386+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
45387 }
45388
45389- return ret.result;
45390+ return trace_ret.result;
45391 }
45392
45393
45394@@ -886,11 +917,13 @@ static int __init kernel_init(void * unu
45395 if (!ramdisk_execute_command)
45396 ramdisk_execute_command = "/init";
45397
45398- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
45399+ if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
45400 ramdisk_execute_command = NULL;
45401 prepare_namespace();
45402 }
45403
45404+ grsecurity_init();
45405+
45406 /*
45407 * Ok, we have completed the initial bootup, and
45408 * we're essentially up and running. Get rid of the
45409diff -urNp linux-2.6.32.9/init/noinitramfs.c linux-2.6.32.9/init/noinitramfs.c
45410--- linux-2.6.32.9/init/noinitramfs.c 2010-02-09 07:57:19.000000000 -0500
45411+++ linux-2.6.32.9/init/noinitramfs.c 2010-02-23 17:09:53.324062460 -0500
45412@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
45413 {
45414 int err;
45415
45416- err = sys_mkdir("/dev", 0755);
45417+ err = sys_mkdir((const char __user *)"/dev", 0755);
45418 if (err < 0)
45419 goto out;
45420
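Review bot: Both casts added in this file, `(const char __user *)"/dev"` here and `(const char __user *)"/root"` in the next hunk, omit `__force`, while every other kernel-string cast in the init/ hunks of this patch is spelled `(__force const char __user *)`. For consistency, and so that an address-space checker treats all of them the same way, write `err = sys_mkdir((__force const char __user *)"/dev", 0755);` and likewise for "/root". default_rootfs continues outside both hunks.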
45421@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
45422 if (err < 0)
45423 goto out;
45424
45425- err = sys_mkdir("/root", 0700);
45426+ err = sys_mkdir((const char __user *)"/root", 0700);
45427 if (err < 0)
45428 goto out;
45429
45430diff -urNp linux-2.6.32.9/ipc/ipc_sysctl.c linux-2.6.32.9/ipc/ipc_sysctl.c
45431--- linux-2.6.32.9/ipc/ipc_sysctl.c 2010-02-09 07:57:19.000000000 -0500
45432+++ linux-2.6.32.9/ipc/ipc_sysctl.c 2010-02-23 17:09:53.324062460 -0500
45433@@ -267,7 +267,7 @@ static struct ctl_table ipc_kern_table[]
45434 .extra1 = &zero,
45435 .extra2 = &one,
45436 },
45437- {}
45438+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45439 };
45440
45441 static struct ctl_table ipc_root_table[] = {
45442@@ -277,7 +277,7 @@ static struct ctl_table ipc_root_table[]
45443 .mode = 0555,
45444 .child = ipc_kern_table,
45445 },
45446- {}
45447+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45448 };
45449
45450 static int __init ipc_sysctl_init(void)
45451diff -urNp linux-2.6.32.9/ipc/mqueue.c linux-2.6.32.9/ipc/mqueue.c
45452--- linux-2.6.32.9/ipc/mqueue.c 2010-02-09 07:57:19.000000000 -0500
45453+++ linux-2.6.32.9/ipc/mqueue.c 2010-02-23 17:09:53.324062460 -0500
45454@@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
45455 mq_bytes = (mq_msg_tblsz +
45456 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
45457
45458+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
45459 spin_lock(&mq_lock);
45460 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
45461 u->mq_bytes + mq_bytes >
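Review bot: The added gr_learn_resource() call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap check `u->mq_bytes + mq_bytes < u->mq_bytes` on the following lines, so the value it records can be stale or already wrapped. Computing the sum once under the lock and passing it on only after the overflow test would keep the recorded figure consistent with the one the limit check uses. Whether gr_learn_resource() may be called with a spinlock held is not visible here and needs confirming first. mqueue_get_inode starts and ends outside the hunk.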
45462diff -urNp linux-2.6.32.9/ipc/shm.c linux-2.6.32.9/ipc/shm.c
45463--- linux-2.6.32.9/ipc/shm.c 2010-02-09 07:57:19.000000000 -0500
45464+++ linux-2.6.32.9/ipc/shm.c 2010-02-23 17:09:53.324062460 -0500
45465@@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
45466 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
45467 #endif
45468
45469+#ifdef CONFIG_GRKERNSEC
45470+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45471+ const time_t shm_createtime, const uid_t cuid,
45472+ const int shmid);
45473+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45474+ const time_t shm_createtime);
45475+#endif
45476+
45477 void shm_init_ns(struct ipc_namespace *ns)
45478 {
45479 ns->shm_ctlmax = SHMMAX;
45480@@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
45481 shp->shm_lprid = 0;
45482 shp->shm_atim = shp->shm_dtim = 0;
45483 shp->shm_ctim = get_seconds();
45484+#ifdef CONFIG_GRKERNSEC
45485+ {
45486+ struct timespec timeval;
45487+ do_posix_clock_monotonic_gettime(&timeval);
45488+
45489+ shp->shm_createtime = timeval.tv_sec;
45490+ }
45491+#endif
45492 shp->shm_segsz = size;
45493 shp->shm_nattch = 0;
45494 shp->shm_file = file;
45495@@ -879,9 +895,21 @@ long do_shmat(int shmid, char __user *sh
45496 if (err)
45497 goto out_unlock;
45498
45499+#ifdef CONFIG_GRKERNSEC
45500+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
45501+ shp->shm_perm.cuid, shmid) ||
45502+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
45503+ err = -EACCES;
45504+ goto out_unlock;
45505+ }
45506+#endif
45507+
45508 path.dentry = dget(shp->shm_file->f_path.dentry);
45509 path.mnt = shp->shm_file->f_path.mnt;
45510 shp->shm_nattch++;
45511+#ifdef CONFIG_GRKERNSEC
45512+ shp->shm_lapid = current->pid;
45513+#endif
45514 size = i_size_read(path.dentry->d_inode);
45515 shm_unlock(shp);
45516
45517diff -urNp linux-2.6.32.9/kernel/acct.c linux-2.6.32.9/kernel/acct.c
45518--- linux-2.6.32.9/kernel/acct.c 2010-02-09 07:57:19.000000000 -0500
45519+++ linux-2.6.32.9/kernel/acct.c 2010-02-23 17:09:53.328047341 -0500
45520@@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
45521 */
45522 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
45523 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
45524- file->f_op->write(file, (char *)&ac,
45525+ file->f_op->write(file, (__force char __user *)&ac,
45526 sizeof(acct_t), &file->f_pos);
45527 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
45528 set_fs(fs);
45529diff -urNp linux-2.6.32.9/kernel/capability.c linux-2.6.32.9/kernel/capability.c
45530--- linux-2.6.32.9/kernel/capability.c 2010-02-09 07:57:19.000000000 -0500
45531+++ linux-2.6.32.9/kernel/capability.c 2010-02-23 17:09:53.328047341 -0500
45532@@ -306,10 +306,21 @@ int capable(int cap)
45533 BUG();
45534 }
45535
45536- if (security_capable(cap) == 0) {
45537+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
45538 current->flags |= PF_SUPERPRIV;
45539 return 1;
45540 }
45541 return 0;
45542 }
45543+
45544+int capable_nolog(int cap)
45545+{
45546+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
45547+ current->flags |= PF_SUPERPRIV;
45548+ return 1;
45549+ }
45550+ return 0;
45551+}
45552+
45553 EXPORT_SYMBOL(capable);
45554+EXPORT_SYMBOL(capable_nolog);
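Review bot: capable_nolog() repeats the permission test of capable() but not the sanity check that ends in `BUG();` just above it, so an out-of-range `cap` reaches security_capable() and gr_is_capable_nolog() without that guard. The condition in front of that BUG() is outside the hunk; the same guard should be repeated here, or both functions should share a static helper that takes the grsecurity predicate. The new export also has no comment; something like `/* capable() variant that skips grsecurity's capability-use logging */` would document why it exists, assuming that is what the `_nolog` suffix means.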
45555diff -urNp linux-2.6.32.9/kernel/configs.c linux-2.6.32.9/kernel/configs.c
45556--- linux-2.6.32.9/kernel/configs.c 2010-02-09 07:57:19.000000000 -0500
45557+++ linux-2.6.32.9/kernel/configs.c 2010-02-23 17:09:53.328047341 -0500
45558@@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
45559 struct proc_dir_entry *entry;
45560
45561 /* create the current config file */
45562+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45563+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
45564+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
45565+ &ikconfig_file_ops);
45566+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45567+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
45568+ &ikconfig_file_ops);
45569+#endif
45570+#else
45571 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
45572 &ikconfig_file_ops);
45573+#endif
45574+
45575 if (!entry)
45576 return -ENOMEM;
45577
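Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but none of GRKERNSEC_PROC_USER, GRKERNSEC_HIDESYM or GRKERNSEC_PROC_USERGROUP is, the inner `#if`/`#elif` chain compiles no proc_create() call at all, and `if (!entry)` then tests an uninitialised pointer. Kconfig may rule that combination out, but nothing visible here enforces it. Closing the inner chain with `#else` followed by `#error "GRKERNSEC_PROC_ADD without PROC_USER or PROC_USERGROUP"` turns a silent misconfiguration into a build failure. ikconfig_init begins before the hunk and continues after it.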
45578diff -urNp linux-2.6.32.9/kernel/cpu.c linux-2.6.32.9/kernel/cpu.c
45579--- linux-2.6.32.9/kernel/cpu.c 2010-02-09 07:57:19.000000000 -0500
45580+++ linux-2.6.32.9/kernel/cpu.c 2010-02-23 17:09:53.328047341 -0500
45581@@ -19,7 +19,7 @@
45582 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
45583 static DEFINE_MUTEX(cpu_add_remove_lock);
45584
45585-static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
45586+static RAW_NOTIFIER_HEAD(cpu_chain);
45587
45588 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
45589 * Should always be manipulated under cpu_add_remove_lock
45590diff -urNp linux-2.6.32.9/kernel/cred.c linux-2.6.32.9/kernel/cred.c
45591--- linux-2.6.32.9/kernel/cred.c 2010-02-09 07:57:19.000000000 -0500
45592+++ linux-2.6.32.9/kernel/cred.c 2010-02-23 17:09:53.328047341 -0500
45593@@ -520,6 +520,8 @@ int commit_creds(struct cred *new)
45594
45595 get_cred(new); /* we will require a ref for the subj creds too */
45596
45597+ gr_set_role_label(task, new->uid, new->gid);
45598+
45599 /* dumpability changes */
45600 if (old->euid != new->euid ||
45601 old->egid != new->egid ||
45602diff -urNp linux-2.6.32.9/kernel/exit.c linux-2.6.32.9/kernel/exit.c
45603--- linux-2.6.32.9/kernel/exit.c 2010-02-09 07:57:19.000000000 -0500
45604+++ linux-2.6.32.9/kernel/exit.c 2010-02-23 17:09:53.328047341 -0500
45605@@ -56,6 +56,10 @@
45606 #include <asm/mmu_context.h>
45607 #include "cred-internals.h"
45608
45609+#ifdef CONFIG_GRKERNSEC
45610+extern rwlock_t grsec_exec_file_lock;
45611+#endif
45612+
45613 static void exit_mm(struct task_struct * tsk);
45614
45615 static void __unhash_process(struct task_struct *p)
45616@@ -167,6 +171,8 @@ void release_task(struct task_struct * p
45617 struct task_struct *leader;
45618 int zap_leader;
45619 repeat:
45620+ gr_del_task_from_ip_table(p);
45621+
45622 tracehook_prepare_release_task(p);
45623 /* don't need to get the RCU readlock here - the process is dead and
45624 * can't be modifying its own credentials */
45625@@ -334,11 +340,22 @@ static void reparent_to_kthreadd(void)
45626 {
45627 write_lock_irq(&tasklist_lock);
45628
45629+#ifdef CONFIG_GRKERNSEC
45630+ write_lock(&grsec_exec_file_lock);
45631+ if (current->exec_file) {
45632+ fput(current->exec_file);
45633+ current->exec_file = NULL;
45634+ }
45635+ write_unlock(&grsec_exec_file_lock);
45636+#endif
45637+
45638 ptrace_unlink(current);
45639 /* Reparent to init */
45640 current->real_parent = current->parent = kthreadd_task;
45641 list_move_tail(&current->sibling, &current->real_parent->children);
45642
45643+ gr_set_kernel_label(current);
45644+
45645 /* Set the exit signal to SIGCHLD so we signal init on exit */
45646 current->exit_signal = SIGCHLD;
45647
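Review bot: In reparent_to_kthreadd the new block calls fput() while `write_lock_irq(&tasklist_lock)` and `grsec_exec_file_lock` are both held, so if that call drops the last reference the file teardown runs in atomic context with interrupts off. That is unsafe if the final-put path can sleep, which to my knowledge it can in kernels of this series. Detaching the pointer under the grsec lock and dropping the reference before tasklist_lock is taken avoids the problem. The same block is pasted again in the daemonize hunk further down, so a small static helper shared by both would be cleaner. The tail of the function, where tasklist_lock is released, is outside the hunk.

```c
{
#ifdef CONFIG_GRKERNSEC
	struct file *exec_file;

	/* detach under the grsec lock; drop the reference only after unlocking */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
#endif

	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparent to kthreadd, gr_set_kernel_label … */
```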
45648@@ -390,7 +407,7 @@ int allow_signal(int sig)
45649 * know it'll be handled, so that they don't get converted to
45650 * SIGKILL or just silently dropped.
45651 */
45652- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
45653+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
45654 recalc_sigpending();
45655 spin_unlock_irq(&current->sighand->siglock);
45656 return 0;
45657@@ -426,6 +443,17 @@ void daemonize(const char *name, ...)
45658 vsnprintf(current->comm, sizeof(current->comm), name, args);
45659 va_end(args);
45660
45661+#ifdef CONFIG_GRKERNSEC
45662+ write_lock(&grsec_exec_file_lock);
45663+ if (current->exec_file) {
45664+ fput(current->exec_file);
45665+ current->exec_file = NULL;
45666+ }
45667+ write_unlock(&grsec_exec_file_lock);
45668+#endif
45669+
45670+ gr_set_kernel_label(current);
45671+
45672 /*
45673 * If we were started as result of loading a module, close all of the
45674 * user space pages. We don't need them, and if we didn't close them
45675@@ -957,6 +985,9 @@ NORET_TYPE void do_exit(long code)
45676 tsk->exit_code = code;
45677 taskstats_exit(tsk, group_dead);
45678
45679+ gr_acl_handle_psacct(tsk, code);
45680+ gr_acl_handle_exit();
45681+
45682 exit_mm(tsk);
45683
45684 if (group_dead)
45685@@ -1172,7 +1203,7 @@ static int wait_task_zombie(struct wait_
45686
45687 if (unlikely(wo->wo_flags & WNOWAIT)) {
45688 int exit_code = p->exit_code;
45689- int why, status;
45690+ int why;
45691
45692 get_task_struct(p);
45693 read_unlock(&tasklist_lock);
45694diff -urNp linux-2.6.32.9/kernel/fork.c linux-2.6.32.9/kernel/fork.c
45695--- linux-2.6.32.9/kernel/fork.c 2010-02-09 07:57:19.000000000 -0500
45696+++ linux-2.6.32.9/kernel/fork.c 2010-02-23 17:09:53.328047341 -0500
45697@@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
45698 *stackend = STACK_END_MAGIC; /* for overflow detection */
45699
45700 #ifdef CONFIG_CC_STACKPROTECTOR
45701- tsk->stack_canary = get_random_int();
45702+ tsk->stack_canary = pax_get_random_long();
45703 #endif
45704
45705 /* One for us, one for whoever does the "release_task()" (usually parent) */
45706@@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
45707 mm->locked_vm = 0;
45708 mm->mmap = NULL;
45709 mm->mmap_cache = NULL;
45710- mm->free_area_cache = oldmm->mmap_base;
45711- mm->cached_hole_size = ~0UL;
45712+ mm->free_area_cache = oldmm->free_area_cache;
45713+ mm->cached_hole_size = oldmm->cached_hole_size;
45714 mm->map_count = 0;
45715 cpumask_clear(mm_cpumask(mm));
45716 mm->mm_rb = RB_ROOT;
45717@@ -334,6 +334,7 @@ static int dup_mmap(struct mm_struct *mm
45718 tmp->vm_flags &= ~VM_LOCKED;
45719 tmp->vm_mm = mm;
45720 tmp->vm_next = NULL;
45721+ tmp->vm_mirror = NULL;
45722 anon_vma_link(tmp);
45723 file = tmp->vm_file;
45724 if (file) {
45725@@ -381,6 +382,31 @@ static int dup_mmap(struct mm_struct *mm
45726 if (retval)
45727 goto out;
45728 }
45729+
45730+#ifdef CONFIG_PAX_SEGMEXEC
45731+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
45732+ struct vm_area_struct *mpnt_m;
45733+
45734+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
45735+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
45736+
45737+ if (!mpnt->vm_mirror)
45738+ continue;
45739+
45740+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
45741+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
45742+ mpnt->vm_mirror = mpnt_m;
45743+ } else {
45744+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
45745+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
45746+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
45747+ mpnt->vm_mirror->vm_mirror = mpnt;
45748+ }
45749+ }
45750+ BUG_ON(mpnt_m);
45751+ }
45752+#endif
45753+
45754 /* a new mm has just been created */
45755 arch_dup_mmap(oldmm, mm);
45756 retval = 0;
45757@@ -731,7 +757,7 @@ static int copy_fs(unsigned long clone_f
45758 write_unlock(&fs->lock);
45759 return -EAGAIN;
45760 }
45761- fs->users++;
45762+ atomic_inc(&fs->users);
45763 write_unlock(&fs->lock);
45764 return 0;
45765 }
45766@@ -1027,10 +1053,13 @@ static struct task_struct *copy_process(
45767 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
45768 #endif
45769 retval = -EAGAIN;
45770+
45771+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
45772+
45773 if (atomic_read(&p->real_cred->user->processes) >=
45774 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45775- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
45776- p->real_cred->user != INIT_USER)
45777+ if (p->real_cred->user != INIT_USER &&
45778+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
45779 goto bad_fork_free;
45780 }
45781
45782@@ -1059,6 +1088,10 @@ static struct task_struct *copy_process(
45783 p->vfork_done = NULL;
45784 spin_lock_init(&p->alloc_lock);
45785
45786+#ifdef CONFIG_GRKERNSEC
45787+ rwlock_init(&p->gr_fs_lock);
45788+#endif
45789+
45790 init_sigpending(&p->pending);
45791
45792 p->utime = cputime_zero;
45793@@ -1179,6 +1212,8 @@ static struct task_struct *copy_process(
45794 goto bad_fork_free_pid;
45795 }
45796
45797+ gr_copy_label(p);
45798+
45799 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
45800 /*
45801 * Clear TID on mm_release()?
45802@@ -1344,6 +1379,8 @@ bad_fork_cleanup_count:
45803 bad_fork_free:
45804 free_task(p);
45805 fork_out:
45806+ gr_log_forkfail(retval);
45807+
45808 return ERR_PTR(retval);
45809 }
45810
45811@@ -1437,6 +1474,8 @@ long do_fork(unsigned long clone_flags,
45812 if (clone_flags & CLONE_PARENT_SETTID)
45813 put_user(nr, parent_tidptr);
45814
45815+ gr_handle_brute_check();
45816+
45817 if (clone_flags & CLONE_VFORK) {
45818 p->vfork_done = &vfork;
45819 init_completion(&vfork);
45820@@ -1569,7 +1608,7 @@ static int unshare_fs(unsigned long unsh
45821 return 0;
45822
45823 /* don't need lock here; in the worst case we'll do useless copy */
45824- if (fs->users == 1)
45825+ if (atomic_read(&fs->users) == 1)
45826 return 0;
45827
45828 *new_fsp = copy_fs_struct(fs);
45829@@ -1689,14 +1728,18 @@ SYSCALL_DEFINE1(unshare, unsigned long,
45830 task_lock(current);
45831
45832 if (new_fs) {
45833+ unsigned long flags;
45834+
45835+ gr_fs_write_lock_irqsave(current, flags);
45836 fs = current->fs;
45837 write_lock(&fs->lock);
45838 current->fs = new_fs;
45839- if (--fs->users)
45840+ if (atomic_dec_return(&fs->users))
45841 new_fs = NULL;
45842 else
45843 new_fs = fs;
45844 write_unlock(&fs->lock);
45845+ gr_fs_write_unlock_irqrestore(current, flags);
45846 }
45847
45848 if (new_mm) {
45849diff -urNp linux-2.6.32.9/kernel/futex.c linux-2.6.32.9/kernel/futex.c
45850--- linux-2.6.32.9/kernel/futex.c 2010-02-23 17:04:12.667616804 -0500
45851+++ linux-2.6.32.9/kernel/futex.c 2010-02-23 17:09:53.328047341 -0500
45852@@ -54,6 +54,7 @@
45853 #include <linux/mount.h>
45854 #include <linux/pagemap.h>
45855 #include <linux/syscalls.h>
45856+#include <linux/ptrace.h>
45857 #include <linux/signal.h>
45858 #include <linux/module.h>
45859 #include <linux/magic.h>
45860@@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
45861 struct page *page;
45862 int err;
45863
45864+#ifdef CONFIG_PAX_SEGMEXEC
45865+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
45866+ return -EFAULT;
45867+#endif
45868+
45869 /*
45870 * The futex address must be "naturally" aligned.
45871 */
45872@@ -1852,7 +1858,7 @@ retry:
45873
45874 restart = &current_thread_info()->restart_block;
45875 restart->fn = futex_wait_restart;
45876- restart->futex.uaddr = (u32 *)uaddr;
45877+ restart->futex.uaddr = uaddr;
45878 restart->futex.val = val;
45879 restart->futex.time = abs_time->tv64;
45880 restart->futex.bitset = bitset;
45881@@ -2385,7 +2391,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
45882 {
45883 struct robust_list_head __user *head;
45884 unsigned long ret;
45885- const struct cred *cred = current_cred(), *pcred;
45886+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
45887+ const struct cred *cred = current_cred();
45888+ const struct cred *pcred;
45889+#endif
45890
45891 if (!futex_cmpxchg_enabled)
45892 return -ENOSYS;
45893@@ -2401,11 +2410,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
45894 if (!p)
45895 goto err_unlock;
45896 ret = -EPERM;
45897+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45898+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
45899+ goto err_unlock;
45900+#else
45901 pcred = __task_cred(p);
45902 if (cred->euid != pcred->euid &&
45903 cred->euid != pcred->uid &&
45904 !capable(CAP_SYS_PTRACE))
45905 goto err_unlock;
45906+#endif
45907 head = p->robust_list;
45908 rcu_read_unlock();
45909 }
45910@@ -2467,7 +2481,7 @@ retry:
45911 */
45912 static inline int fetch_robust_entry(struct robust_list __user **entry,
45913 struct robust_list __user * __user *head,
45914- int *pi)
45915+ unsigned int *pi)
45916 {
45917 unsigned long uentry;
45918
45919diff -urNp linux-2.6.32.9/kernel/futex_compat.c linux-2.6.32.9/kernel/futex_compat.c
45920--- linux-2.6.32.9/kernel/futex_compat.c 2010-02-09 07:57:19.000000000 -0500
45921+++ linux-2.6.32.9/kernel/futex_compat.c 2010-02-23 17:09:53.328047341 -0500
45922@@ -10,6 +10,7 @@
45923 #include <linux/compat.h>
45924 #include <linux/nsproxy.h>
45925 #include <linux/futex.h>
45926+#include <linux/ptrace.h>
45927
45928 #include <asm/uaccess.h>
45929
45930@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
45931 {
45932 struct compat_robust_list_head __user *head;
45933 unsigned long ret;
45934- const struct cred *cred = current_cred(), *pcred;
45935+ const struct cred *cred = current_cred();
45936+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
45937+ const struct cred *pcred;
45938+#endif
45939
45940 if (!futex_cmpxchg_enabled)
45941 return -ENOSYS;
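Review bot: In compat_sys_get_robust_list `cred` is still declared unconditionally and only `pcred` moved under `#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP`, whereas the matching hunk in kernel/futex.c puts both declarations inside the guard. As far as the visible hunks show, `cred` is only read in the `#else` branch of the permission check, so with the option enabled it would be an unused variable and draw a compiler warning. Moving `const struct cred *cred = current_cred();` below the `#ifndef` line makes the two files agree. The rest of the function is outside this hunk, so another use of `cred` cannot be ruled out from here.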
45942@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
45943 if (!p)
45944 goto err_unlock;
45945 ret = -EPERM;
45946+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45947+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
45948+ goto err_unlock;
45949+#else
45950 pcred = __task_cred(p);
45951 if (cred->euid != pcred->euid &&
45952 cred->euid != pcred->uid &&
45953 !capable(CAP_SYS_PTRACE))
45954 goto err_unlock;
45955+#endif
45956 head = p->compat_robust_list;
45957 read_unlock(&tasklist_lock);
45958 }
45959diff -urNp linux-2.6.32.9/kernel/gcov/base.c linux-2.6.32.9/kernel/gcov/base.c
45960--- linux-2.6.32.9/kernel/gcov/base.c 2010-02-09 07:57:19.000000000 -0500
45961+++ linux-2.6.32.9/kernel/gcov/base.c 2010-02-23 17:09:53.328047341 -0500
45962@@ -102,11 +102,6 @@ void gcov_enable_events(void)
45963 }
45964
45965 #ifdef CONFIG_MODULES
45966-static inline int within(void *addr, void *start, unsigned long size)
45967-{
45968- return ((addr >= start) && (addr < start + size));
45969-}
45970-
45971 /* Update list and generate events when modules are unloaded. */
45972 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
45973 void *data)
45974@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
45975 prev = NULL;
45976 /* Remove entries located in module from linked list. */
45977 for (info = gcov_info_head; info; info = info->next) {
45978- if (within(info, mod->module_core, mod->core_size)) {
45979+ if (within_module_core_rw((unsigned long)info, mod)) {
45980 if (prev)
45981 prev->next = info->next;
45982 else
45983diff -urNp linux-2.6.32.9/kernel/hrtimer.c linux-2.6.32.9/kernel/hrtimer.c
45984--- linux-2.6.32.9/kernel/hrtimer.c 2010-02-09 07:57:19.000000000 -0500
45985+++ linux-2.6.32.9/kernel/hrtimer.c 2010-02-23 17:09:53.328047341 -0500
45986@@ -1364,7 +1364,7 @@ void hrtimer_peek_ahead_timers(void)
45987 local_irq_restore(flags);
45988 }
45989
45990-static void run_hrtimer_softirq(struct softirq_action *h)
45991+static void run_hrtimer_softirq(void)
45992 {
45993 hrtimer_peek_ahead_timers();
45994 }
45995diff -urNp linux-2.6.32.9/kernel/kallsyms.c linux-2.6.32.9/kernel/kallsyms.c
45996--- linux-2.6.32.9/kernel/kallsyms.c 2010-02-09 07:57:19.000000000 -0500
45997+++ linux-2.6.32.9/kernel/kallsyms.c 2010-02-23 17:09:53.328047341 -0500
45998@@ -11,6 +11,9 @@
45999 * Changed the compression method from stem compression to "table lookup"
46000 * compression (see scripts/kallsyms.c for a more complete description)
46001 */
46002+#ifdef CONFIG_GRKERNSEC_HIDESYM
46003+#define __INCLUDED_BY_HIDESYM 1
46004+#endif
46005 #include <linux/kallsyms.h>
46006 #include <linux/module.h>
46007 #include <linux/init.h>
46008@@ -51,6 +54,9 @@ extern const unsigned long kallsyms_mark
46009
46010 static inline int is_kernel_inittext(unsigned long addr)
46011 {
46012+ if (system_state != SYSTEM_BOOTING)
46013+ return 0;
46014+
46015 if (addr >= (unsigned long)_sinittext
46016 && addr <= (unsigned long)_einittext)
46017 return 1;
46018@@ -67,6 +73,24 @@ static inline int is_kernel_text(unsigne
46019
46020 static inline int is_kernel(unsigned long addr)
46021 {
46022+ if (is_kernel_inittext(addr))
46023+ return 1;
46024+
46025+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46026+ if ((unsigned long)MODULES_EXEC_VADDR <= ktla_ktva(addr) && ktla_ktva(addr) <= (unsigned long)MODULES_EXEC_END)
46027+ return 0;
46028+
46029+ if (is_kernel_text(addr))
46030+ return 1;
46031+
46032+ if (ktla_ktva((unsigned long)_stext) <= addr && addr < ktla_ktva((unsigned long)_etext))
46033+ return 1;
46034+
46035+ if ((addr >= (unsigned long)_sdata && addr <= (unsigned long)_end))
46036+ return 1;
46037+ return in_gate_area_no_task(addr);
46038+#endif
46039+
46040 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
46041 return 1;
46042 return in_gate_area_no_task(addr);
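Review bot: In is_kernel() the block added under `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` ends in an unconditional `return in_gate_area_no_task(addr);`, so the original `_stext`..`_end` test after `#endif` is unreachable whenever that block is compiled in. Turning the `#endif` into `#else` and closing the conditional after the original return would make the two variants visibly exclusive and avoid unreachable-code warnings. `ktla_ktva(addr)` is also evaluated twice in the first test, where a local would read more clearly.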
46043@@ -413,7 +437,6 @@ static unsigned long get_ksymbol_core(st
46044
46045 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
46046 {
46047- iter->name[0] = '\0';
46048 iter->nameoff = get_symbol_offset(new_pos);
46049 iter->pos = new_pos;
46050 }
46051@@ -461,6 +484,11 @@ static int s_show(struct seq_file *m, vo
46052 {
46053 struct kallsym_iter *iter = m->private;
46054
46055+#ifdef CONFIG_GRKERNSEC_HIDESYM
46056+ if (current_uid())
46057+ return 0;
46058+#endif
46059+
46060 /* Some debugging symbols have no name. Ignore them. */
46061 if (!iter->name[0])
46062 return 0;
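Review bot: The HIDESYM check in s_show() tests `current_uid()` for every record, so the decision follows whichever task is reading rather than the one that opened the file, and a non-root reader silently gets an empty listing instead of an error. If that behaviour is intended it should be documented at the check, e.g. `/* HIDESYM: non-root readers see an empty file; evaluated per read on the reading task */`. If the intent is to bind the decision to the opener, the test belongs in kallsyms_open(), whose body is only partly visible in the hunk further down.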
46063@@ -501,7 +529,7 @@ static int kallsyms_open(struct inode *i
46064 struct kallsym_iter *iter;
46065 int ret;
46066
46067- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
46068+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
46069 if (!iter)
46070 return -ENOMEM;
46071 reset_iter(iter, 0);
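Review bot: Switching kallsyms_open() to `kzalloc` is what keeps `iter->name` initialised now that the reset_iter() hunk above drops `iter->name[0] = '\0'`, but neither hunk says so. s_show() tests `iter->name[0]` and presumably goes on to print the name, so a later change back to `kmalloc` would risk exposing uninitialised heap bytes to the reader. A comment on the allocation would record the dependency, e.g. `/* zeroed: reset_iter() no longer clears iter->name */`. reset_iter() may also run on seeks after open (its callers are outside these hunks), in which case the name from the previous position stays in the buffer until it is refilled, and it is worth confirming that this is intended.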
46072diff -urNp linux-2.6.32.9/kernel/kgdb.c linux-2.6.32.9/kernel/kgdb.c
46073--- linux-2.6.32.9/kernel/kgdb.c 2010-02-09 07:57:19.000000000 -0500
46074+++ linux-2.6.32.9/kernel/kgdb.c 2010-02-23 17:09:53.331561124 -0500
46075@@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
46076 /* Guard for recursive entry */
46077 static int exception_level;
46078
46079-static struct kgdb_io *kgdb_io_ops;
46080+static const struct kgdb_io *kgdb_io_ops;
46081 static DEFINE_SPINLOCK(kgdb_registration_lock);
46082
46083 /* kgdb console driver is loaded */
46084@@ -1637,7 +1637,7 @@ static void kgdb_initial_breakpoint(void
46085 *
46086 * Register it with the KGDB core.
46087 */
46088-int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
46089+int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
46090 {
46091 int err;
46092
46093@@ -1682,7 +1682,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
46094 *
46095 * Unregister it with the KGDB core.
46096 */
46097-void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
46098+void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
46099 {
46100 BUG_ON(kgdb_connected);
46101
46102diff -urNp linux-2.6.32.9/kernel/kmod.c linux-2.6.32.9/kernel/kmod.c
46103--- linux-2.6.32.9/kernel/kmod.c 2010-02-09 07:57:19.000000000 -0500
46104+++ linux-2.6.32.9/kernel/kmod.c 2010-02-23 17:09:53.331561124 -0500
46105@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
46106 if (ret >= MODULE_NAME_LEN)
46107 return -ENAMETOOLONG;
46108
46109+#ifdef CONFIG_GRKERNSEC_MODHARDEN
46110+ /* we could do a tighter check here, but some distros
46111+ are taking it upon themselves to remove CAP_SYS_MODULE
46112+ from even root-running apps which cause modules to be
46113+ auto-loaded
46114+ */
46115+ if (current_uid()) {
46116+ gr_log_nonroot_mod_load(module_name);
46117+ return -EPERM;
46118+ }
46119+#endif
46120+
46121 /* If modprobe needs a service that is in a module, we get a recursive
46122 * loop. Limit the number of running kmod threads to max_threads/2 or
46123 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
46124diff -urNp linux-2.6.32.9/kernel/kprobes.c linux-2.6.32.9/kernel/kprobes.c
46125--- linux-2.6.32.9/kernel/kprobes.c 2010-02-09 07:57:19.000000000 -0500
46126+++ linux-2.6.32.9/kernel/kprobes.c 2010-02-23 17:09:53.331561124 -0500
46127@@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
46128 * kernel image and loaded module images reside. This is required
46129 * so x86_64 can correctly handle the %rip-relative fixups.
46130 */
46131- kip->insns = module_alloc(PAGE_SIZE);
46132+ kip->insns = module_alloc_exec(PAGE_SIZE);
46133 if (!kip->insns) {
46134 kfree(kip);
46135 return NULL;
46136@@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
46137 */
46138 if (!list_is_singular(&kprobe_insn_pages)) {
46139 list_del(&kip->list);
46140- module_free(NULL, kip->insns);
46141+ module_free_exec(NULL, kip->insns);
46142 kfree(kip);
46143 }
46144 return 1;
46145diff -urNp linux-2.6.32.9/kernel/lockdep.c linux-2.6.32.9/kernel/lockdep.c
46146--- linux-2.6.32.9/kernel/lockdep.c 2010-02-09 07:57:19.000000000 -0500
46147+++ linux-2.6.32.9/kernel/lockdep.c 2010-02-23 17:09:53.331561124 -0500
46148@@ -577,6 +577,10 @@ static int static_obj(void *obj)
46149 int i;
46150 #endif
46151
46152+#ifdef CONFIG_PAX_KERNEXEC
46153+ start = ktla_ktva(start);
46154+#endif
46155+
46156 /*
46157 * static variable?
46158 */
46159@@ -592,8 +596,7 @@ static int static_obj(void *obj)
46160 */
46161 for_each_possible_cpu(i) {
46162 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
46163- end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
46164- + per_cpu_offset(i);
46165+ end = start + PERCPU_ENOUGH_ROOM;
46166
46167 if ((addr >= start) && (addr < end))
46168 return 1;
46169@@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
46170 if (!static_obj(lock->key)) {
46171 debug_locks_off();
46172 printk("INFO: trying to register non-static key.\n");
46173+ printk("lock:%pS key:%pS.\n", lock, lock->key);
46174 printk("the code is fine but needs lockdep annotation.\n");
46175 printk("turning off the locking correctness validator.\n");
46176 dump_stack();
46177diff -urNp linux-2.6.32.9/kernel/module.c linux-2.6.32.9/kernel/module.c
46178--- linux-2.6.32.9/kernel/module.c 2010-02-09 07:57:19.000000000 -0500
46179+++ linux-2.6.32.9/kernel/module.c 2010-02-23 17:09:53.331561124 -0500
46180@@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
46181 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
46182
46183 /* Bounds of module allocation, for speeding __module_address */
46184-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
46185+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
46186+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
46187
46188 int register_module_notifier(struct notifier_block * nb)
46189 {
46190@@ -245,7 +246,7 @@ bool each_symbol(bool (*fn)(const struct
46191 return true;
46192
46193 list_for_each_entry_rcu(mod, &modules, list) {
46194- struct symsearch arr[] = {
46195+ struct symsearch modarr[] = {
46196 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
46197 NOT_GPL_ONLY, false },
46198 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
46199@@ -267,7 +268,7 @@ bool each_symbol(bool (*fn)(const struct
46200 #endif
46201 };
46202
46203- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
46204+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
46205 return true;
46206 }
46207 return false;
46208@@ -442,7 +443,7 @@ static void *percpu_modalloc(unsigned lo
46209 void *ptr;
46210 int cpu;
46211
46212- if (align > PAGE_SIZE) {
46213+ if (align-1 >= PAGE_SIZE) {
46214 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
46215 name, align, PAGE_SIZE);
46216 align = PAGE_SIZE;
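Review bot: `align-1 >= PAGE_SIZE` in percpu_modalloc() relies on wrap-around to reject `align == 0` as well as values above PAGE_SIZE, which only works if `align` is unsigned (its declaration is cut off in the hunk header) and is not obvious to a reader. Writing the test as `if (align == 0 || align > PAGE_SIZE)` states the same thing directly; failing that, a comment such as `/* also catches align == 0 via unsigned wrap */` is needed. The warning text still says `%li > %li`, which prints a misleading comparison for the zero case.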
46217@@ -1543,7 +1544,8 @@ static void free_module(struct module *m
46218 destroy_params(mod->kp, mod->num_kp);
46219
46220 /* This may be NULL, but that's OK */
46221- module_free(mod, mod->module_init);
46222+ module_free(mod, mod->module_init_rw);
46223+ module_free_exec(mod, mod->module_init_rx);
46224 kfree(mod->args);
46225 if (mod->percpu)
46226 percpu_modfree(mod->percpu);
46227@@ -1552,10 +1554,12 @@ static void free_module(struct module *m
46228 percpu_modfree(mod->refptr);
46229 #endif
46230 /* Free lock-classes: */
46231- lockdep_free_key_range(mod->module_core, mod->core_size);
46232+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
46233+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
46234
46235 /* Finally, free the core (containing the module structure) */
46236- module_free(mod, mod->module_core);
46237+ module_free_exec(mod, mod->module_core_rx);
46238+ module_free(mod, mod->module_core_rw);
46239
46240 #ifdef CONFIG_MPU
46241 update_protections(current->mm);
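Review bot: The context comment `/* Finally, free the core (containing the module structure) */` in free_module() no longer says which of the two core mappings it means. The kmemleak_load_module hunk computes the struct's offset from `mod->module_core_rw`, which suggests `struct module` lives in the RW mapping, so `module_free(mod, mod->module_core_rw)` has to remain the last call that dereferences `mod`. Updating the comment to something like `/* Free the RX core first; struct module lives in the RW core, so that goes last */` would keep a later reordering from turning into a use-after-free.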
46242@@ -1649,7 +1653,9 @@ static int simplify_symbols(Elf_Shdr *se
46243 strtab + sym[i].st_name, mod);
46244 /* Ok if resolved. */
46245 if (ksym) {
46246+ pax_open_kernel();
46247 sym[i].st_value = ksym->value;
46248+ pax_close_kernel();
46249 break;
46250 }
46251
46252@@ -1668,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
46253 secbase = (unsigned long)mod->percpu;
46254 else
46255 secbase = sechdrs[sym[i].st_shndx].sh_addr;
46256+ pax_open_kernel();
46257 sym[i].st_value += secbase;
46258+ pax_close_kernel();
46259 break;
46260 }
46261 }
46262@@ -1729,11 +1737,12 @@ static void layout_sections(struct modul
46263 || s->sh_entsize != ~0UL
46264 || strstarts(secstrings + s->sh_name, ".init"))
46265 continue;
46266- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
46267+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46268+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
46269+ else
46270+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
46271 DEBUGP("\t%s\n", secstrings + s->sh_name);
46272 }
46273- if (m == 0)
46274- mod->core_text_size = mod->core_size;
46275 }
46276
46277 DEBUGP("Init section allocation order:\n");
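Review bot: The placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init-section hunk that follows, and twice more in the section-copy loop of load_module. Layout computes each offset against one of the `_rw`/`_rx` sizes and the copy loop later adds it to the matching base, so the four copies have to stay identical or a section could be written at an offset computed for the other allocation. A single helper used in all four places would remove that risk, e.g. `static inline bool section_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`.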
46278@@ -1746,12 +1755,13 @@ static void layout_sections(struct modul
46279 || s->sh_entsize != ~0UL
46280 || !strstarts(secstrings + s->sh_name, ".init"))
46281 continue;
46282- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
46283- | INIT_OFFSET_MASK);
46284+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46285+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
46286+ else
46287+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
46288+ s->sh_entsize |= INIT_OFFSET_MASK;
46289 DEBUGP("\t%s\n", secstrings + s->sh_name);
46290 }
46291- if (m == 0)
46292- mod->init_text_size = mod->init_size;
46293 }
46294 }
46295
46296@@ -1855,9 +1865,8 @@ static int is_exported(const char *name,
46297
46298 /* As per nm */
46299 static char elf_type(const Elf_Sym *sym,
46300- Elf_Shdr *sechdrs,
46301- const char *secstrings,
46302- struct module *mod)
46303+ const Elf_Shdr *sechdrs,
46304+ const char *secstrings)
46305 {
46306 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
46307 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
46308@@ -1932,7 +1941,7 @@ static unsigned long layout_symtab(struc
46309
46310 /* Put symbol section at end of init part of module. */
46311 symsect->sh_flags |= SHF_ALLOC;
46312- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
46313+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
46314 symindex) | INIT_OFFSET_MASK;
46315 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
46316
46317@@ -1949,19 +1958,19 @@ static unsigned long layout_symtab(struc
46318 }
46319
46320 /* Append room for core symbols at end of core part. */
46321- symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
46322- mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
46323+ symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
46324+ mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
46325
46326 /* Put string table section at end of init part of module. */
46327 strsect->sh_flags |= SHF_ALLOC;
46328- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
46329+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
46330 strindex) | INIT_OFFSET_MASK;
46331 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
46332
46333 /* Append room for core symbols' strings at end of core part. */
46334- *pstroffs = mod->core_size;
46335+ *pstroffs = mod->core_size_rx;
46336 __set_bit(0, strmap);
46337- mod->core_size += bitmap_weight(strmap, strsect->sh_size);
46338+ mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
46339
46340 return symoffs;
46341 }
46342@@ -1985,12 +1994,14 @@ static void add_kallsyms(struct module *
46343 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
46344 mod->strtab = (void *)sechdrs[strindex].sh_addr;
46345
46346+ pax_open_kernel();
46347+
46348 /* Set types up while we still have access to sections. */
46349 for (i = 0; i < mod->num_symtab; i++)
46350 mod->symtab[i].st_info
46351- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
46352+ = elf_type(&mod->symtab[i], sechdrs, secstrings);
46353
46354- mod->core_symtab = dst = mod->module_core + symoffs;
46355+ mod->core_symtab = dst = mod->module_core_rx + symoffs;
46356 src = mod->symtab;
46357 *dst = *src;
46358 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
46359@@ -2002,10 +2013,12 @@ static void add_kallsyms(struct module *
46360 }
46361 mod->core_num_syms = ndst;
46362
46363- mod->core_strtab = s = mod->module_core + stroffs;
46364+ mod->core_strtab = s = mod->module_core_rx + stroffs;
46365 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
46366 if (test_bit(i, strmap))
46367 *++s = mod->strtab[i];
46368+
46369+ pax_close_kernel();
46370 }
46371 #else
46372 static inline unsigned long layout_symtab(struct module *mod,
46373@@ -2042,16 +2055,30 @@ static void dynamic_debug_setup(struct _
46374 #endif
46375 }
46376
46377-static void *module_alloc_update_bounds(unsigned long size)
46378+static void *module_alloc_update_bounds_rw(unsigned long size)
46379 {
46380 void *ret = module_alloc(size);
46381
46382 if (ret) {
46383 /* Update module bounds. */
46384- if ((unsigned long)ret < module_addr_min)
46385- module_addr_min = (unsigned long)ret;
46386- if ((unsigned long)ret + size > module_addr_max)
46387- module_addr_max = (unsigned long)ret + size;
46388+ if ((unsigned long)ret < module_addr_min_rw)
46389+ module_addr_min_rw = (unsigned long)ret;
46390+ if ((unsigned long)ret + size > module_addr_max_rw)
46391+ module_addr_max_rw = (unsigned long)ret + size;
46392+ }
46393+ return ret;
46394+}
46395+
46396+static void *module_alloc_update_bounds_rx(unsigned long size)
46397+{
46398+ void *ret = module_alloc_exec(size);
46399+
46400+ if (ret) {
46401+ /* Update module bounds. */
46402+ if ((unsigned long)ret < module_addr_min_rx)
46403+ module_addr_min_rx = (unsigned long)ret;
46404+ if ((unsigned long)ret + size > module_addr_max_rx)
46405+ module_addr_max_rx = (unsigned long)ret + size;
46406 }
46407 return ret;
46408 }
46409@@ -2063,8 +2090,8 @@ static void kmemleak_load_module(struct
46410 unsigned int i;
46411
46412 /* only scan the sections containing data */
46413- kmemleak_scan_area(mod->module_core, (unsigned long)mod -
46414- (unsigned long)mod->module_core,
46415+ kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
46416+ (unsigned long)mod->module_core_rw,
46417 sizeof(struct module), GFP_KERNEL);
46418
46419 for (i = 1; i < hdr->e_shnum; i++) {
46420@@ -2074,8 +2101,8 @@ static void kmemleak_load_module(struct
46421 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
46422 continue;
46423
46424- kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
46425- (unsigned long)mod->module_core,
46426+ kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
46427+ (unsigned long)mod->module_core_rw,
46428 sechdrs[i].sh_size, GFP_KERNEL);
46429 }
46430 }
46431@@ -2261,7 +2288,7 @@ static noinline struct module *load_modu
46432 secstrings, &stroffs, strmap);
46433
46434 /* Do the allocs. */
46435- ptr = module_alloc_update_bounds(mod->core_size);
46436+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
46437 /*
46438 * The pointer to this block is stored in the module structure
46439 * which is inside the block. Just mark it as not being a
46440@@ -2272,23 +2299,47 @@ static noinline struct module *load_modu
46441 err = -ENOMEM;
46442 goto free_percpu;
46443 }
46444- memset(ptr, 0, mod->core_size);
46445- mod->module_core = ptr;
46446+ memset(ptr, 0, mod->core_size_rw);
46447+ mod->module_core_rw = ptr;
46448
46449- ptr = module_alloc_update_bounds(mod->init_size);
46450+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
46451 /*
46452 * The pointer to this block is stored in the module structure
46453 * which is inside the block. This block doesn't need to be
46454 * scanned as it contains data and code that will be freed
46455 * after the module is initialized.
46456 */
46457- kmemleak_ignore(ptr);
46458- if (!ptr && mod->init_size) {
46459+ kmemleak_not_leak(ptr);
46460+ if (!ptr && mod->init_size_rw) {
46461+ err = -ENOMEM;
46462+ goto free_core_rw;
46463+ }
46464+ memset(ptr, 0, mod->init_size_rw);
46465+ mod->module_init_rw = ptr;
46466+
46467+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
46468+ kmemleak_not_leak(ptr);
46469+ if (!ptr) {
46470 err = -ENOMEM;
46471- goto free_core;
46472+ goto free_init_rw;
46473 }
46474- memset(ptr, 0, mod->init_size);
46475- mod->module_init = ptr;
46476+
46477+ pax_open_kernel();
46478+ memset(ptr, 0, mod->core_size_rx);
46479+ pax_close_kernel();
46480+ mod->module_core_rx = ptr;
46481+
46482+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
46483+ kmemleak_not_leak(ptr);
46484+ if (!ptr && mod->init_size_rx) {
46485+ err = -ENOMEM;
46486+ goto free_core_rx;
46487+ }
46488+
46489+ pax_open_kernel();
46490+ memset(ptr, 0, mod->init_size_rx);
46491+ pax_close_kernel();
46492+ mod->module_init_rx = ptr;
46493
46494 /* Transfer each section which specifies SHF_ALLOC */
46495 DEBUGP("final section addresses:\n");
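Review bot: The init-block comment kept as context still says the block "doesn't need to be scanned", but the call beneath it changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which suppresses the leak report while leaving the block eligible for scanning. Either the comment should explain why scanning is now wanted for the RW init block, or the original call should stay. The RX core allocation also fails on `if (!ptr)` alone while both init allocations use `!ptr && size`. If `core_size_rx` can ever be zero, that becomes a spurious -ENOMEM, so the difference deserves a comment or the same form. load_module continues outside this hunk.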
46496@@ -2298,17 +2349,41 @@ static noinline struct module *load_modu
46497 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
46498 continue;
46499
46500- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
46501- dest = mod->module_init
46502- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46503- else
46504- dest = mod->module_core + sechdrs[i].sh_entsize;
46505+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
46506+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46507+ dest = mod->module_init_rw
46508+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46509+ else
46510+ dest = mod->module_init_rx
46511+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46512+ } else {
46513+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46514+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
46515+ else
46516+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
46517+ }
46518+
46519+ if (sechdrs[i].sh_type != SHT_NOBITS) {
46520+
46521+#ifdef CONFIG_PAX_KERNEXEC
46522+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
46523+ pax_open_kernel();
46524+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46525+ pax_close_kernel();
46526+ } else
46527+#endif
46528
46529- if (sechdrs[i].sh_type != SHT_NOBITS)
46530- memcpy(dest, (void *)sechdrs[i].sh_addr,
46531- sechdrs[i].sh_size);
46532+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46533+ }
46534 /* Update sh_addr to point to copy in image. */
46535- sechdrs[i].sh_addr = (unsigned long)dest;
46536+
46537+#ifdef CONFIG_PAX_KERNEXEC
46538+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
46539+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
46540+ else
46541+#endif
46542+
46543+ sechdrs[i].sh_addr = (unsigned long)dest;
46544 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
46545 }
46546 /* Module has been moved. */
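Review bot: In the section-copy loop both new `#ifdef CONFIG_PAX_KERNEXEC` blocks end in a bare `else` whose body is the statement after `#endif`, once for the `memcpy` and once for the `sh_addr` assignment, which breaks silently if a line is later inserted between them. The `!(sechdrs[i].sh_flags & SHF_ALLOC)` half of the placement test is also dead here, because sections without SHF_ALLOC were already skipped by the `continue` at the top of the loop. Deciding RW versus RX once per section and bracketing a single `memcpy` is easier to audit. The sketch assumes pax_open_kernel()/pax_close_kernel() compile to no-ops without KERNEXEC, as their unguarded use elsewhere in this patch suggests. The loop starts outside the hunk.

```c
		/* … unchanged: skip sections without SHF_ALLOC; rx and off are new locals of load_module … */
		rx = !(sechdrs[i].sh_flags & SHF_WRITE);
		off = sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK;

		if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
			dest = (rx ? mod->module_init_rx : mod->module_init_rw) + off;
		else
			dest = (rx ? mod->module_core_rx : mod->module_core_rw) + off;

		if (sechdrs[i].sh_type != SHT_NOBITS) {
			/* RX mappings are read-only; open the write window only for them */
			if (rx)
				pax_open_kernel();
			memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
			if (rx)
				pax_close_kernel();
		}
		/* … unchanged: sh_addr update (ktva_ktla for SHF_EXECINSTR) and DEBUGP … */
```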
46547@@ -2320,7 +2395,7 @@ static noinline struct module *load_modu
46548 mod->name);
46549 if (!mod->refptr) {
46550 err = -ENOMEM;
46551- goto free_init;
46552+ goto free_init_rx;
46553 }
46554 #endif
46555 /* Now we've moved module, initialize linked lists, etc. */
46556@@ -2429,8 +2504,8 @@ static noinline struct module *load_modu
46557
46558 /* Now do relocations. */
46559 for (i = 1; i < hdr->e_shnum; i++) {
46560- const char *strtab = (char *)sechdrs[strindex].sh_addr;
46561 unsigned int info = sechdrs[i].sh_info;
46562+ strtab = (char *)sechdrs[strindex].sh_addr;
46563
46564 /* Not a valid relocation section? */
46565 if (info >= hdr->e_shnum)
46566@@ -2491,12 +2566,12 @@ static noinline struct module *load_modu
46567 * Do it before processing of module parameters, so the module
46568 * can provide parameter accessor functions of its own.
46569 */
46570- if (mod->module_init)
46571- flush_icache_range((unsigned long)mod->module_init,
46572- (unsigned long)mod->module_init
46573- + mod->init_size);
46574- flush_icache_range((unsigned long)mod->module_core,
46575- (unsigned long)mod->module_core + mod->core_size);
46576+ if (mod->module_init_rx)
46577+ flush_icache_range((unsigned long)mod->module_init_rx,
46578+ (unsigned long)mod->module_init_rx
46579+ + mod->init_size_rx);
46580+ flush_icache_range((unsigned long)mod->module_core_rx,
46581+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
46582
46583 set_fs(old_fs);
46584
46585@@ -2544,12 +2619,16 @@ static noinline struct module *load_modu
46586 free_unload:
46587 module_unload_free(mod);
46588 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
46589+ free_init_rx:
46590 percpu_modfree(mod->refptr);
46591- free_init:
46592 #endif
46593- module_free(mod, mod->module_init);
46594- free_core:
46595- module_free(mod, mod->module_core);
46596+ module_free_exec(mod, mod->module_init_rx);
46597+ free_core_rx:
46598+ module_free_exec(mod, mod->module_core_rx);
46599+ free_init_rw:
46600+ module_free(mod, mod->module_init_rw);
46601+ free_core_rw:
46602+ module_free(mod, mod->module_core_rw);
46603 /* mod will be freed with core. Don't access it beyond this line! */
46604 free_percpu:
46605 if (percpu)
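Review bot: `free_init_rx:` now sits above `percpu_modfree(mod->refptr)`, whereas the label it replaces, `free_init:`, sat below that call. The only `goto free_init_rx` visible in this patch is taken when `mod->refptr` is NULL after a failed allocation, so that path now calls `percpu_modfree()` with a NULL pointer, and whether that is harmless depends on percpu_modfree(), which is not shown. Keeping the label where the old one was, i.e. `percpu_modfree(mod->refptr);` followed by `free_init_rx:` just before the `#endif`, preserves the original unwinding order. These labels belong to load_module, whose body extends beyond this hunk.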
46606@@ -2651,10 +2730,12 @@ SYSCALL_DEFINE3(init_module, void __user
46607 mod->symtab = mod->core_symtab;
46608 mod->strtab = mod->core_strtab;
46609 #endif
46610- module_free(mod, mod->module_init);
46611- mod->module_init = NULL;
46612- mod->init_size = 0;
46613- mod->init_text_size = 0;
46614+ module_free(mod, mod->module_init_rw);
46615+ module_free_exec(mod, mod->module_init_rx);
46616+ mod->module_init_rw = NULL;
46617+ mod->module_init_rx = NULL;
46618+ mod->init_size_rw = 0;
46619+ mod->init_size_rx = 0;
46620 mutex_unlock(&module_mutex);
46621
46622 return 0;
46623@@ -2685,10 +2766,16 @@ static const char *get_ksymbol(struct mo
46624 unsigned long nextval;
46625
46626 /* At worse, next value is at end of module */
46627- if (within_module_init(addr, mod))
46628- nextval = (unsigned long)mod->module_init+mod->init_text_size;
46629+ if (within_module_init_rx(addr, mod))
46630+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
46631+ else if (within_module_init_rw(addr, mod))
46632+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
46633+ else if (within_module_core_rx(addr, mod))
46634+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
46635+ else if (within_module_core_rw(addr, mod))
46636+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
46637 else
46638- nextval = (unsigned long)mod->module_core+mod->core_text_size;
46639+ return NULL;
46640
46641 /* Scan for closest preceeding symbol, and next symbol. (ELF
46642 starts real symbols at 1). */
46643@@ -2934,7 +3021,7 @@ static int m_show(struct seq_file *m, vo
46644 char buf[8];
46645
46646 seq_printf(m, "%s %u",
46647- mod->name, mod->init_size + mod->core_size);
46648+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
46649 print_unload_info(m, mod);
46650
46651 /* Informative for users. */
46652@@ -2943,7 +3030,7 @@ static int m_show(struct seq_file *m, vo
46653 mod->state == MODULE_STATE_COMING ? "Loading":
46654 "Live");
46655 /* Used by oprofile and other similar tools. */
46656- seq_printf(m, " 0x%p", mod->module_core);
46657+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
46658
46659 /* Taints info */
46660 if (mod->taints)
46661@@ -2979,7 +3066,17 @@ static const struct file_operations proc
46662
46663 static int __init proc_modules_init(void)
46664 {
46665+#ifndef CONFIG_GRKERNSEC_HIDESYM
46666+#ifdef CONFIG_GRKERNSEC_PROC_USER
46667+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46668+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46669+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
46670+#else
46671 proc_create("modules", 0, NULL, &proc_modules_operations);
46672+#endif
46673+#else
46674+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46675+#endif
46676 return 0;
46677 }
46678 module_init(proc_modules_init);
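Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` ladder in proc_modules_init() contains the same `S_IRUSR` call twice and is hard to follow. Flattening it to `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)`, then `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, then `#else` gives the same three outcomes with one call per branch. A short comment that HIDESYM overrides the group-readable variant would make the precedence explicit.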
46679@@ -3038,12 +3135,12 @@ struct module *__module_address(unsigned
46680 {
46681 struct module *mod;
46682
46683- if (addr < module_addr_min || addr > module_addr_max)
46684+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
46685+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
46686 return NULL;
46687
46688 list_for_each_entry_rcu(mod, &modules, list)
46689- if (within_module_core(addr, mod)
46690- || within_module_init(addr, mod))
46691+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
46692 return mod;
46693 return NULL;
46694 }
46695@@ -3077,11 +3174,20 @@ bool is_module_text_address(unsigned lon
46696 */
46697 struct module *__module_text_address(unsigned long addr)
46698 {
46699- struct module *mod = __module_address(addr);
46700+ struct module *mod;
46701+
46702+#ifdef CONFIG_X86_32
46703+ addr = ktla_ktva(addr);
46704+#endif
46705+
46706+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
46707+ return NULL;
46708+
46709+ mod = __module_address(addr);
46710+
46711 if (mod) {
46712 /* Make sure it's within the text section. */
46713- if (!within(addr, mod->module_init, mod->init_text_size)
46714- && !within(addr, mod->module_core, mod->core_text_size))
46715+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
46716 mod = NULL;
46717 }
46718 return mod;
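Review bot: __module_text_address() translates `addr` with `ktla_ktva()` under `#ifdef CONFIG_X86_32` alone, while the is_kernel() hunk in kernel/kallsyms.c guards the same helper with `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` and kernel/lockdep.c guards it with `CONFIG_PAX_KERNEXEC`. If the helper is an identity mapping without KERNEXEC this is harmless, but that is not visible here. One guard used throughout, or no guard plus a comment to that effect, would make the intent checkable. The added range test against `module_addr_min_rx`/`module_addr_max_rx` also repeats part of what __module_address() does, and a comment that it is a text-only fast path would explain the duplication.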
46719diff -urNp linux-2.6.32.9/kernel/panic.c linux-2.6.32.9/kernel/panic.c
46720--- linux-2.6.32.9/kernel/panic.c 2010-02-09 07:57:19.000000000 -0500
46721+++ linux-2.6.32.9/kernel/panic.c 2010-02-23 17:09:53.331561124 -0500
46722@@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
46723 */
46724 void __stack_chk_fail(void)
46725 {
46726- panic("stack-protector: Kernel stack is corrupted in: %p\n",
46727+ dump_stack();
46728+ panic("stack-protector: Kernel stack is corrupted in: %pS\n",
46729 __builtin_return_address(0));
46730 }
46731 EXPORT_SYMBOL(__stack_chk_fail);
46732diff -urNp linux-2.6.32.9/kernel/params.c linux-2.6.32.9/kernel/params.c
46733--- linux-2.6.32.9/kernel/params.c 2010-02-09 07:57:19.000000000 -0500
46734+++ linux-2.6.32.9/kernel/params.c 2010-02-23 17:09:53.331561124 -0500
46735@@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
46736 return ret;
46737 }
46738
46739-static struct sysfs_ops module_sysfs_ops = {
46740+static const struct sysfs_ops module_sysfs_ops = {
46741 .show = module_attr_show,
46742 .store = module_attr_store,
46743 };
46744@@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
46745 return 0;
46746 }
46747
46748-static struct kset_uevent_ops module_uevent_ops = {
46749+static const struct kset_uevent_ops module_uevent_ops = {
46750 .filter = uevent_filter,
46751 };
46752
46753diff -urNp linux-2.6.32.9/kernel/pid.c linux-2.6.32.9/kernel/pid.c
46754--- linux-2.6.32.9/kernel/pid.c 2010-02-09 07:57:19.000000000 -0500
46755+++ linux-2.6.32.9/kernel/pid.c 2010-02-23 17:09:53.331561124 -0500
46756@@ -33,6 +33,7 @@
46757 #include <linux/rculist.h>
46758 #include <linux/bootmem.h>
46759 #include <linux/hash.h>
46760+#include <linux/security.h>
46761 #include <linux/pid_namespace.h>
46762 #include <linux/init_task.h>
46763 #include <linux/syscalls.h>
46764@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
46765
46766 int pid_max = PID_MAX_DEFAULT;
46767
46768-#define RESERVED_PIDS 300
46769+#define RESERVED_PIDS 500
46770
46771 int pid_max_min = RESERVED_PIDS + 1;
46772 int pid_max_max = PID_MAX_LIMIT;
46773@@ -380,7 +381,14 @@ EXPORT_SYMBOL(pid_task);
46774 */
46775 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
46776 {
46777- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
46778+ struct task_struct *task;
46779+
46780+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
46781+
46782+ if (gr_pid_is_chrooted(task))
46783+ return NULL;
46784+
46785+ return task;
46786 }
46787
46788 struct task_struct *find_task_by_vpid(pid_t vnr)
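Review bot: find_task_by_pid_ns() now passes the result of `pid_task()` straight to `gr_pid_is_chrooted()`, and that result is NULL whenever the pid does not exist. Unless the helper checks for NULL itself, which is not visible in this hunk, looking up a missing pid dereferences a NULL task; `if (task && gr_pid_is_chrooted(task))` makes the wrapper safe either way. The function comment should also say that NULL can now mean "exists but hidden from the caller", since every user of this lookup inherits that behaviour.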
46789diff -urNp linux-2.6.32.9/kernel/posix-cpu-timers.c linux-2.6.32.9/kernel/posix-cpu-timers.c
46790--- linux-2.6.32.9/kernel/posix-cpu-timers.c 2010-02-09 07:57:19.000000000 -0500
46791+++ linux-2.6.32.9/kernel/posix-cpu-timers.c 2010-02-23 17:09:53.331561124 -0500
46792@@ -6,6 +6,7 @@
46793 #include <linux/posix-timers.h>
46794 #include <linux/errno.h>
46795 #include <linux/math64.h>
46796+#include <linux/security.h>
46797 #include <asm/uaccess.h>
46798 #include <linux/kernel_stat.h>
46799 #include <trace/events/timer.h>
46800@@ -1044,6 +1045,7 @@ static void check_thread_timers(struct t
46801 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46802 return;
46803 }
46804+ gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout, 1);
46805 if (tsk->rt.timeout > DIV_ROUND_UP(*soft, USEC_PER_SEC/HZ)) {
46806 /*
46807 * At the soft limit, send a SIGXCPU every second.
46808@@ -1206,6 +1208,7 @@ static void check_process_timers(struct
46809 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46810 return;
46811 }
46812+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
46813 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
46814 /*
46815 * At the soft limit, send a SIGXCPU every second.
46816diff -urNp linux-2.6.32.9/kernel/power/hibernate.c linux-2.6.32.9/kernel/power/hibernate.c
46817--- linux-2.6.32.9/kernel/power/hibernate.c 2010-02-09 07:57:19.000000000 -0500
46818+++ linux-2.6.32.9/kernel/power/hibernate.c 2010-02-23 17:09:53.331561124 -0500
46819@@ -48,14 +48,14 @@ enum {
46820
46821 static int hibernation_mode = HIBERNATION_SHUTDOWN;
46822
46823-static struct platform_hibernation_ops *hibernation_ops;
46824+static const struct platform_hibernation_ops *hibernation_ops;
46825
46826 /**
46827 * hibernation_set_ops - set the global hibernate operations
46828 * @ops: the hibernation operations to use in subsequent hibernation transitions
46829 */
46830
46831-void hibernation_set_ops(struct platform_hibernation_ops *ops)
46832+void hibernation_set_ops(const struct platform_hibernation_ops *ops)
46833 {
46834 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
46835 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
46836diff -urNp linux-2.6.32.9/kernel/power/poweroff.c linux-2.6.32.9/kernel/power/poweroff.c
46837--- linux-2.6.32.9/kernel/power/poweroff.c 2010-02-09 07:57:19.000000000 -0500
46838+++ linux-2.6.32.9/kernel/power/poweroff.c 2010-02-23 17:09:53.336191874 -0500
46839@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
46840 .enable_mask = SYSRQ_ENABLE_BOOT,
46841 };
46842
46843-static int pm_sysrq_init(void)
46844+static int __init pm_sysrq_init(void)
46845 {
46846 register_sysrq_key('o', &sysrq_poweroff_op);
46847 return 0;
46848diff -urNp linux-2.6.32.9/kernel/power/process.c linux-2.6.32.9/kernel/power/process.c
46849--- linux-2.6.32.9/kernel/power/process.c 2010-02-09 07:57:19.000000000 -0500
46850+++ linux-2.6.32.9/kernel/power/process.c 2010-02-23 17:09:53.336191874 -0500
46851@@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
46852 struct timeval start, end;
46853 u64 elapsed_csecs64;
46854 unsigned int elapsed_csecs;
46855+ bool timedout = false;
46856
46857 do_gettimeofday(&start);
46858
46859 end_time = jiffies + TIMEOUT;
46860 do {
46861 todo = 0;
46862+ if (time_after(jiffies, end_time))
46863+ timedout = true;
46864 read_lock(&tasklist_lock);
46865 do_each_thread(g, p) {
46866 if (frozen(p) || !freezeable(p))
46867@@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
46868 * It is "frozen enough". If the task does wake
46869 * up, it will immediately call try_to_freeze.
46870 */
46871- if (!task_is_stopped_or_traced(p) &&
46872- !freezer_should_skip(p))
46873+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
46874 todo++;
46875+ if (timedout) {
46876+ printk(KERN_ERR "Task refusing to freeze:\n");
46877+ sched_show_task(p);
46878+ }
46879+ }
46880 } while_each_thread(g, p);
46881 read_unlock(&tasklist_lock);
46882 yield(); /* Yield is okay here */
46883- if (time_after(jiffies, end_time))
46884- break;
46885- } while (todo);
46886+ } while (todo && !timedout);
46887
46888 do_gettimeofday(&end);
46889 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
46890diff -urNp linux-2.6.32.9/kernel/power/suspend.c linux-2.6.32.9/kernel/power/suspend.c
46891--- linux-2.6.32.9/kernel/power/suspend.c 2010-02-09 07:57:19.000000000 -0500
46892+++ linux-2.6.32.9/kernel/power/suspend.c 2010-02-23 17:09:53.336191874 -0500
46893@@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
46894 [PM_SUSPEND_MEM] = "mem",
46895 };
46896
46897-static struct platform_suspend_ops *suspend_ops;
46898+static const struct platform_suspend_ops *suspend_ops;
46899
46900 /**
46901 * suspend_set_ops - Set the global suspend method table.
46902 * @ops: Pointer to ops structure.
46903 */
46904-void suspend_set_ops(struct platform_suspend_ops *ops)
46905+void suspend_set_ops(const struct platform_suspend_ops *ops)
46906 {
46907 mutex_lock(&pm_mutex);
46908 suspend_ops = ops;
46909diff -urNp linux-2.6.32.9/kernel/printk.c linux-2.6.32.9/kernel/printk.c
46910--- linux-2.6.32.9/kernel/printk.c 2010-02-09 07:57:19.000000000 -0500
46911+++ linux-2.6.32.9/kernel/printk.c 2010-02-23 17:09:53.336191874 -0500
46912@@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
46913 char c;
46914 int error = 0;
46915
46916+#ifdef CONFIG_GRKERNSEC_DMESG
46917+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
46918+ return -EPERM;
46919+#endif
46920+
46921 error = security_syslog(type);
46922 if (error)
46923 return error;
46924diff -urNp linux-2.6.32.9/kernel/ptrace.c linux-2.6.32.9/kernel/ptrace.c
46925--- linux-2.6.32.9/kernel/ptrace.c 2010-02-09 07:57:19.000000000 -0500
46926+++ linux-2.6.32.9/kernel/ptrace.c 2010-02-23 17:09:53.336191874 -0500
46927@@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
46928 cred->gid != tcred->egid ||
46929 cred->gid != tcred->sgid ||
46930 cred->gid != tcred->gid) &&
46931- !capable(CAP_SYS_PTRACE)) {
46932+ !capable_nolog(CAP_SYS_PTRACE)) {
46933 rcu_read_unlock();
46934 return -EPERM;
46935 }
46936@@ -149,7 +149,7 @@ int __ptrace_may_access(struct task_stru
46937 smp_rmb();
46938 if (task->mm)
46939 dumpable = get_dumpable(task->mm);
46940- if (!dumpable && !capable(CAP_SYS_PTRACE))
46941+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
46942 return -EPERM;
46943
46944 return security_ptrace_access_check(task, mode);
46945@@ -199,7 +199,7 @@ int ptrace_attach(struct task_struct *ta
46946 goto unlock_tasklist;
46947
46948 task->ptrace = PT_PTRACED;
46949- if (capable(CAP_SYS_PTRACE))
46950+ if (capable_nolog(CAP_SYS_PTRACE))
46951 task->ptrace |= PT_PTRACE_CAP;
46952
46953 __ptrace_link(task, current);
46954@@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c
46955 ret = ptrace_setoptions(child, data);
46956 break;
46957 case PTRACE_GETEVENTMSG:
46958- ret = put_user(child->ptrace_message, (unsigned long __user *) data);
46959+ ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
46960 break;
46961
46962 case PTRACE_GETSIGINFO:
46963 ret = ptrace_getsiginfo(child, &siginfo);
46964 if (!ret)
46965- ret = copy_siginfo_to_user((siginfo_t __user *) data,
46966+ ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
46967 &siginfo);
46968 break;
46969
46970 case PTRACE_SETSIGINFO:
46971- if (copy_from_user(&siginfo, (siginfo_t __user *) data,
46972+ if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
46973 sizeof siginfo))
46974 ret = -EFAULT;
46975 else
46976@@ -621,6 +621,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
46977 goto out;
46978 }
46979
46980+ if (gr_handle_ptrace(child, request)) {
46981+ ret = -EPERM;
46982+ goto out_put_task_struct;
46983+ }
46984+
46985 if (request == PTRACE_ATTACH) {
46986 ret = ptrace_attach(child);
46987 /*
46988@@ -653,7 +658,7 @@ int generic_ptrace_peekdata(struct task_
46989 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
46990 if (copied != sizeof(tmp))
46991 return -EIO;
46992- return put_user(tmp, (unsigned long __user *)data);
46993+ return put_user(tmp, (__force unsigned long __user *)data);
46994 }
46995
46996 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
46997diff -urNp linux-2.6.32.9/kernel/rcutree.c linux-2.6.32.9/kernel/rcutree.c
46998--- linux-2.6.32.9/kernel/rcutree.c 2010-02-09 07:57:19.000000000 -0500
46999+++ linux-2.6.32.9/kernel/rcutree.c 2010-02-23 17:09:53.336191874 -0500
47000@@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
47001 /*
47002 * Do softirq processing for the current CPU.
47003 */
47004-static void rcu_process_callbacks(struct softirq_action *unused)
47005+static void rcu_process_callbacks(void)
47006 {
47007 /*
47008 * Memory references from any prior RCU read-side critical sections
47009diff -urNp linux-2.6.32.9/kernel/relay.c linux-2.6.32.9/kernel/relay.c
47010--- linux-2.6.32.9/kernel/relay.c 2010-02-09 07:57:19.000000000 -0500
47011+++ linux-2.6.32.9/kernel/relay.c 2010-02-23 17:09:53.336191874 -0500
47012@@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi
47013 return 0;
47014
47015 ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
47016- if (ret < 0 || ret < total_len)
47017+ if ((int)ret < 0 || ret < total_len)
47018 return ret;
47019
47020 if (read_start + ret == nonpad_end)
47021diff -urNp linux-2.6.32.9/kernel/resource.c linux-2.6.32.9/kernel/resource.c
47022--- linux-2.6.32.9/kernel/resource.c 2010-02-09 07:57:19.000000000 -0500
47023+++ linux-2.6.32.9/kernel/resource.c 2010-02-23 17:09:53.336191874 -0500
47024@@ -132,8 +132,18 @@ static const struct file_operations proc
47025
47026 static int __init ioresources_init(void)
47027 {
47028+#ifdef CONFIG_GRKERNSEC_PROC_ADD
47029+#ifdef CONFIG_GRKERNSEC_PROC_USER
47030+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
47031+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
47032+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47033+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
47034+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
47035+#endif
47036+#else
47037 proc_create("ioports", 0, NULL, &proc_ioports_operations);
47038 proc_create("iomem", 0, NULL, &proc_iomem_operations);
47039+#endif
47040 return 0;
47041 }
47042 __initcall(ioresources_init);
47043diff -urNp linux-2.6.32.9/kernel/sched.c linux-2.6.32.9/kernel/sched.c
47044--- linux-2.6.32.9/kernel/sched.c 2010-02-09 07:57:19.000000000 -0500
47045+++ linux-2.6.32.9/kernel/sched.c 2010-02-23 17:09:53.336191874 -0500
47046@@ -4822,7 +4822,7 @@ out:
47047 * In CONFIG_NO_HZ case, the idle load balance owner will do the
47048 * rebalancing for all the cpus for whom scheduler ticks are stopped.
47049 */
47050-static void run_rebalance_domains(struct softirq_action *h)
47051+static void run_rebalance_domains(void)
47052 {
47053 int this_cpu = smp_processor_id();
47054 struct rq *this_rq = cpu_rq(this_cpu);
47055@@ -6090,6 +6090,8 @@ int can_nice(const struct task_struct *p
47056 /* convert nice value [19,-20] to rlimit style value [1,40] */
47057 int nice_rlim = 20 - nice;
47058
47059+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
47060+
47061 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
47062 capable(CAP_SYS_NICE));
47063 }
47064@@ -6123,7 +6125,8 @@ SYSCALL_DEFINE1(nice, int, increment)
47065 if (nice > 19)
47066 nice = 19;
47067
47068- if (increment < 0 && !can_nice(current, nice))
47069+ if (increment < 0 && (!can_nice(current, nice) ||
47070+ gr_handle_chroot_nice()))
47071 return -EPERM;
47072
47073 retval = security_task_setnice(current, nice);
47074@@ -6273,6 +6276,8 @@ recheck:
47075 if (rt_policy(policy)) {
47076 unsigned long rlim_rtprio;
47077
47078+ gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
47079+
47080 if (!lock_task_sighand(p, &flags))
47081 return -ESRCH;
47082 rlim_rtprio = p->signal->rlim[RLIMIT_RTPRIO].rlim_cur;
47083@@ -7424,7 +7429,7 @@ static struct ctl_table sd_ctl_dir[] = {
47084 .procname = "sched_domain",
47085 .mode = 0555,
47086 },
47087- {0, },
47088+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47089 };
47090
47091 static struct ctl_table sd_ctl_root[] = {
47092@@ -7434,7 +7439,7 @@ static struct ctl_table sd_ctl_root[] =
47093 .mode = 0555,
47094 .child = sd_ctl_dir,
47095 },
47096- {0, },
47097+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47098 };
47099
47100 static struct ctl_table *sd_alloc_ctl_entry(int n)
47101diff -urNp linux-2.6.32.9/kernel/signal.c linux-2.6.32.9/kernel/signal.c
47102--- linux-2.6.32.9/kernel/signal.c 2010-02-09 07:57:19.000000000 -0500
47103+++ linux-2.6.32.9/kernel/signal.c 2010-02-23 17:09:53.340074701 -0500
47104@@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
47105 */
47106 user = get_uid(__task_cred(t)->user);
47107 atomic_inc(&user->sigpending);
47108+
47109+ if (!override_rlimit)
47110+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
47111 if (override_rlimit ||
47112 atomic_read(&user->sigpending) <=
47113 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
47114@@ -625,6 +628,9 @@ static int check_kill_permission(int sig
47115 }
47116 }
47117
47118+ if (gr_handle_signal(t, sig))
47119+ return -EPERM;
47120+
47121 return security_task_kill(t, info, sig, 0);
47122 }
47123
47124@@ -966,7 +972,7 @@ __group_send_sig_info(int sig, struct si
47125 return send_signal(sig, info, p, 1);
47126 }
47127
47128-static int
47129+int
47130 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
47131 {
47132 return send_signal(sig, info, t, 0);
47133@@ -1020,6 +1026,9 @@ force_sig_info(int sig, struct siginfo *
47134 ret = specific_send_sig_info(sig, info, t);
47135 spin_unlock_irqrestore(&t->sighand->siglock, flags);
47136
47137+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
47138+ gr_handle_crash(t, sig);
47139+
47140 return ret;
47141 }
47142
47143@@ -1079,8 +1088,11 @@ int group_send_sig_info(int sig, struct
47144 {
47145 int ret = check_kill_permission(sig, info, p);
47146
47147- if (!ret && sig)
47148+ if (!ret && sig) {
47149 ret = do_send_sig_info(sig, info, p, true);
47150+ if (!ret)
47151+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
47152+ }
47153
47154 return ret;
47155 }
47156diff -urNp linux-2.6.32.9/kernel/smp.c linux-2.6.32.9/kernel/smp.c
47157--- linux-2.6.32.9/kernel/smp.c 2010-02-09 07:57:19.000000000 -0500
47158+++ linux-2.6.32.9/kernel/smp.c 2010-02-23 17:09:53.340074701 -0500
47159@@ -459,22 +459,22 @@ int smp_call_function(void (*func)(void
47160 }
47161 EXPORT_SYMBOL(smp_call_function);
47162
47163-void ipi_call_lock(void)
47164+void ipi_call_lock(void) __acquires(call_function.lock)
47165 {
47166 spin_lock(&call_function.lock);
47167 }
47168
47169-void ipi_call_unlock(void)
47170+void ipi_call_unlock(void) __releases(call_function.lock)
47171 {
47172 spin_unlock(&call_function.lock);
47173 }
47174
47175-void ipi_call_lock_irq(void)
47176+void ipi_call_lock_irq(void) __acquires(call_function.lock)
47177 {
47178 spin_lock_irq(&call_function.lock);
47179 }
47180
47181-void ipi_call_unlock_irq(void)
47182+void ipi_call_unlock_irq(void) __releases(call_function.lock)
47183 {
47184 spin_unlock_irq(&call_function.lock);
47185 }
47186diff -urNp linux-2.6.32.9/kernel/softirq.c linux-2.6.32.9/kernel/softirq.c
47187--- linux-2.6.32.9/kernel/softirq.c 2010-02-09 07:57:19.000000000 -0500
47188+++ linux-2.6.32.9/kernel/softirq.c 2010-02-23 17:09:53.340074701 -0500
47189@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
47190
47191 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
47192
47193-char *softirq_to_name[NR_SOFTIRQS] = {
47194+const char * const softirq_to_name[NR_SOFTIRQS] = {
47195 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
47196 "TASKLET", "SCHED", "HRTIMER", "RCU"
47197 };
47198@@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
47199
47200 asmlinkage void __do_softirq(void)
47201 {
47202- struct softirq_action *h;
47203+ const struct softirq_action *h;
47204 __u32 pending;
47205 int max_restart = MAX_SOFTIRQ_RESTART;
47206 int cpu;
47207@@ -216,7 +216,7 @@ restart:
47208 kstat_incr_softirqs_this_cpu(h - softirq_vec);
47209
47210 trace_softirq_entry(h, softirq_vec);
47211- h->action(h);
47212+ h->action();
47213 trace_softirq_exit(h, softirq_vec);
47214 if (unlikely(prev_count != preempt_count())) {
47215 printk(KERN_ERR "huh, entered softirq %td %s %p"
47216@@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
47217 local_irq_restore(flags);
47218 }
47219
47220-void open_softirq(int nr, void (*action)(struct softirq_action *))
47221+void open_softirq(int nr, void (*action)(void))
47222 {
47223 softirq_vec[nr].action = action;
47224 }
47225@@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
47226
47227 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
47228
47229-static void tasklet_action(struct softirq_action *a)
47230+static void tasklet_action(void)
47231 {
47232 struct tasklet_struct *list;
47233
47234@@ -431,7 +431,7 @@ static void tasklet_action(struct softir
47235 }
47236 }
47237
47238-static void tasklet_hi_action(struct softirq_action *a)
47239+static void tasklet_hi_action(void)
47240 {
47241 struct tasklet_struct *list;
47242
47243diff -urNp linux-2.6.32.9/kernel/sys.c linux-2.6.32.9/kernel/sys.c
47244--- linux-2.6.32.9/kernel/sys.c 2010-02-09 07:57:19.000000000 -0500
47245+++ linux-2.6.32.9/kernel/sys.c 2010-02-23 17:09:53.340074701 -0500
47246@@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
47247 error = -EACCES;
47248 goto out;
47249 }
47250+
47251+ if (gr_handle_chroot_setpriority(p, niceval)) {
47252+ error = -EACCES;
47253+ goto out;
47254+ }
47255+
47256 no_nice = security_task_setnice(p, niceval);
47257 if (no_nice) {
47258 error = no_nice;
47259@@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
47260 !(user = find_user(who)))
47261 goto out_unlock; /* No processes for this user */
47262
47263- do_each_thread(g, p)
47264+ do_each_thread(g, p) {
47265 if (__task_cred(p)->uid == who)
47266 error = set_one_prio(p, niceval, error);
47267- while_each_thread(g, p);
47268+ } while_each_thread(g, p);
47269 if (who != cred->uid)
47270 free_uid(user); /* For find_user() */
47271 break;
47272@@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
47273 !(user = find_user(who)))
47274 goto out_unlock; /* No processes for this user */
47275
47276- do_each_thread(g, p)
47277+ do_each_thread(g, p) {
47278 if (__task_cred(p)->uid == who) {
47279 niceval = 20 - task_nice(p);
47280 if (niceval > retval)
47281 retval = niceval;
47282 }
47283- while_each_thread(g, p);
47284+ } while_each_thread(g, p);
47285 if (who != cred->uid)
47286 free_uid(user); /* for find_user() */
47287 break;
47288@@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
47289 goto error;
47290 }
47291
47292+ if (gr_check_group_change(new->gid, new->egid, -1))
47293+ goto error;
47294+
47295 if (rgid != (gid_t) -1 ||
47296 (egid != (gid_t) -1 && egid != old->gid))
47297 new->sgid = new->egid;
47298@@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
47299 goto error;
47300
47301 retval = -EPERM;
47302+
47303+ if (gr_check_group_change(gid, gid, gid))
47304+ goto error;
47305+
47306 if (capable(CAP_SETGID))
47307 new->gid = new->egid = new->sgid = new->fsgid = gid;
47308 else if (gid == old->gid || gid == old->sgid)
47309@@ -632,6 +645,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
47310 goto error;
47311 }
47312
47313+ if (gr_check_user_change(new->uid, new->euid, -1))
47314+ goto error;
47315+
47316 if (new->uid != old->uid) {
47317 retval = set_user(new);
47318 if (retval < 0)
47319@@ -680,6 +696,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
47320 goto error;
47321
47322 retval = -EPERM;
47323+
47324+ if (gr_check_crash_uid(uid))
47325+ goto error;
47326+ if (gr_check_user_change(uid, uid, uid))
47327+ goto error;
47328+
47329 if (capable(CAP_SETUID)) {
47330 new->suid = new->uid = uid;
47331 if (uid != old->uid) {
47332@@ -737,6 +759,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
47333 goto error;
47334 }
47335
47336+ if (gr_check_user_change(ruid, euid, -1))
47337+ goto error;
47338+
47339 if (ruid != (uid_t) -1) {
47340 new->uid = ruid;
47341 if (ruid != old->uid) {
47342@@ -805,6 +830,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
47343 goto error;
47344 }
47345
47346+ if (gr_check_group_change(rgid, egid, -1))
47347+ goto error;
47348+
47349 if (rgid != (gid_t) -1)
47350 new->gid = rgid;
47351 if (egid != (gid_t) -1)
47352@@ -854,6 +882,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
47353 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
47354 goto error;
47355
47356+ if (gr_check_user_change(-1, -1, uid))
47357+ goto error;
47358+
47359 if (uid == old->uid || uid == old->euid ||
47360 uid == old->suid || uid == old->fsuid ||
47361 capable(CAP_SETUID)) {
47362@@ -894,6 +925,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
47363 if (gid == old->gid || gid == old->egid ||
47364 gid == old->sgid || gid == old->fsgid ||
47365 capable(CAP_SETGID)) {
47366+ if (gr_check_group_change(-1, -1, gid))
47367+ goto error;
47368+
47369 if (gid != old_fsgid) {
47370 new->fsgid = gid;
47371 goto change_okay;
47372@@ -1459,7 +1493,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
47373 error = get_dumpable(me->mm);
47374 break;
47375 case PR_SET_DUMPABLE:
47376- if (arg2 < 0 || arg2 > 1) {
47377+ if (arg2 > 1) {
47378 error = -EINVAL;
47379 break;
47380 }
47381diff -urNp linux-2.6.32.9/kernel/sysctl.c linux-2.6.32.9/kernel/sysctl.c
47382--- linux-2.6.32.9/kernel/sysctl.c 2010-02-09 07:57:19.000000000 -0500
47383+++ linux-2.6.32.9/kernel/sysctl.c 2010-02-23 17:09:53.340074701 -0500
47384@@ -63,6 +63,13 @@
47385 static int deprecated_sysctl_warning(struct __sysctl_args *args);
47386
47387 #if defined(CONFIG_SYSCTL)
47388+#include <linux/grsecurity.h>
47389+#include <linux/grinternal.h>
47390+
47391+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
47392+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
47393+ const int op);
47394+extern int gr_handle_chroot_sysctl(const int op);
47395
47396 /* External variables not in a header file. */
47397 extern int C_A_D;
47398@@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
47399 static int proc_taint(struct ctl_table *table, int write,
47400 void __user *buffer, size_t *lenp, loff_t *ppos);
47401 #endif
47402+extern ctl_table grsecurity_table[];
47403
47404 static struct ctl_table root_table[];
47405 static struct ctl_table_root sysctl_table_root;
47406@@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
47407 int sysctl_legacy_va_layout;
47408 #endif
47409
47410+#ifdef CONFIG_PAX_SOFTMODE
47411+static ctl_table pax_table[] = {
47412+ {
47413+ .ctl_name = CTL_UNNUMBERED,
47414+ .procname = "softmode",
47415+ .data = &pax_softmode,
47416+ .maxlen = sizeof(unsigned int),
47417+ .mode = 0600,
47418+ .proc_handler = &proc_dointvec,
47419+ },
47420+
47421+ { .ctl_name = 0 }
47422+};
47423+#endif
47424+
47425 extern int prove_locking;
47426 extern int lock_stat;
47427
47428@@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
47429 #endif
47430
47431 static struct ctl_table kern_table[] = {
47432+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
47433+ {
47434+ .ctl_name = CTL_UNNUMBERED,
47435+ .procname = "grsecurity",
47436+ .mode = 0500,
47437+ .child = grsecurity_table,
47438+ },
47439+#endif
47440+
47441+#ifdef CONFIG_PAX_SOFTMODE
47442+ {
47443+ .ctl_name = CTL_UNNUMBERED,
47444+ .procname = "pax",
47445+ .mode = 0500,
47446+ .child = pax_table,
47447+ },
47448+#endif
47449+
47450 {
47451 .ctl_name = CTL_UNNUMBERED,
47452 .procname = "sched_child_runs_first",
47453@@ -1803,6 +1844,8 @@ static int do_sysctl_strategy(struct ctl
47454 return 0;
47455 }
47456
47457+static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
47458+
47459 static int parse_table(int __user *name, int nlen,
47460 void __user *oldval, size_t __user *oldlenp,
47461 void __user *newval, size_t newlen,
47462@@ -1821,7 +1864,7 @@ repeat:
47463 if (n == table->ctl_name) {
47464 int error;
47465 if (table->child) {
47466- if (sysctl_perm(root, table, MAY_EXEC))
47467+ if (sysctl_perm_nochk(root, table, MAY_EXEC))
47468 return -EPERM;
47469 name++;
47470 nlen--;
47471@@ -1906,6 +1949,33 @@ int sysctl_perm(struct ctl_table_root *r
47472 int error;
47473 int mode;
47474
47475+ if (table->parent != NULL && table->parent->procname != NULL &&
47476+ table->procname != NULL &&
47477+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
47478+ return -EACCES;
47479+ if (gr_handle_chroot_sysctl(op))
47480+ return -EACCES;
47481+ error = gr_handle_sysctl(table, op);
47482+ if (error)
47483+ return error;
47484+
47485+ error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
47486+ if (error)
47487+ return error;
47488+
47489+ if (root->permissions)
47490+ mode = root->permissions(root, current->nsproxy, table);
47491+ else
47492+ mode = table->mode;
47493+
47494+ return test_perm(mode, op);
47495+}
47496+
47497+int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
47498+{
47499+ int error;
47500+ int mode;
47501+
47502 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
47503 if (error)
47504 return error;
47505diff -urNp linux-2.6.32.9/kernel/taskstats.c linux-2.6.32.9/kernel/taskstats.c
47506--- linux-2.6.32.9/kernel/taskstats.c 2010-02-09 07:57:19.000000000 -0500
47507+++ linux-2.6.32.9/kernel/taskstats.c 2010-02-23 17:09:53.340074701 -0500
47508@@ -26,9 +26,12 @@
47509 #include <linux/cgroup.h>
47510 #include <linux/fs.h>
47511 #include <linux/file.h>
47512+#include <linux/grsecurity.h>
47513 #include <net/genetlink.h>
47514 #include <asm/atomic.h>
47515
47516+extern int gr_is_taskstats_denied(int pid);
47517+
47518 /*
47519 * Maximum length of a cpumask that can be specified in
47520 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
47521@@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
47522 size_t size;
47523 cpumask_var_t mask;
47524
47525+ if (gr_is_taskstats_denied(current->pid))
47526+ return -EACCES;
47527+
47528 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
47529 return -ENOMEM;
47530
47531diff -urNp linux-2.6.32.9/kernel/time/tick-broadcast.c linux-2.6.32.9/kernel/time/tick-broadcast.c
47532--- linux-2.6.32.9/kernel/time/tick-broadcast.c 2010-02-09 07:57:19.000000000 -0500
47533+++ linux-2.6.32.9/kernel/time/tick-broadcast.c 2010-02-23 17:09:53.340074701 -0500
47534@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
47535 * then clear the broadcast bit.
47536 */
47537 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
47538- int cpu = smp_processor_id();
47539+ cpu = smp_processor_id();
47540
47541 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
47542 tick_broadcast_clear_oneshot(cpu);
47543diff -urNp linux-2.6.32.9/kernel/time.c linux-2.6.32.9/kernel/time.c
47544--- linux-2.6.32.9/kernel/time.c 2010-02-09 07:57:19.000000000 -0500
47545+++ linux-2.6.32.9/kernel/time.c 2010-02-23 17:09:53.340074701 -0500
47546@@ -94,6 +94,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
47547 return err;
47548
47549 do_settimeofday(&tv);
47550+
47551+ gr_log_timechange();
47552+
47553 return 0;
47554 }
47555
47556@@ -202,6 +205,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
47557 return -EFAULT;
47558 }
47559
47560+ gr_log_timechange();
47561+
47562 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
47563 }
47564
47565@@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
47566 * Avoid unnecessary multiplications/divisions in the
47567 * two most common HZ cases:
47568 */
47569-unsigned int inline jiffies_to_msecs(const unsigned long j)
47570+inline unsigned int jiffies_to_msecs(const unsigned long j)
47571 {
47572 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
47573 return (MSEC_PER_SEC / HZ) * j;
47574@@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
47575 }
47576 EXPORT_SYMBOL(jiffies_to_msecs);
47577
47578-unsigned int inline jiffies_to_usecs(const unsigned long j)
47579+inline unsigned int jiffies_to_usecs(const unsigned long j)
47580 {
47581 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
47582 return (USEC_PER_SEC / HZ) * j;
47583diff -urNp linux-2.6.32.9/kernel/timer.c linux-2.6.32.9/kernel/timer.c
47584--- linux-2.6.32.9/kernel/timer.c 2010-02-09 07:57:19.000000000 -0500
47585+++ linux-2.6.32.9/kernel/timer.c 2010-02-23 17:09:53.340074701 -0500
47586@@ -1207,7 +1207,7 @@ void update_process_times(int user_tick)
47587 /*
47588 * This function runs timers and the timer-tq in bottom half context.
47589 */
47590-static void run_timer_softirq(struct softirq_action *h)
47591+static void run_timer_softirq(void)
47592 {
47593 struct tvec_base *base = __get_cpu_var(tvec_bases);
47594
47595diff -urNp linux-2.6.32.9/kernel/trace/ftrace.c linux-2.6.32.9/kernel/trace/ftrace.c
47596--- linux-2.6.32.9/kernel/trace/ftrace.c 2010-02-09 07:57:19.000000000 -0500
47597+++ linux-2.6.32.9/kernel/trace/ftrace.c 2010-02-23 17:09:53.340074701 -0500
47598@@ -1093,13 +1093,18 @@ ftrace_code_disable(struct module *mod,
47599
47600 ip = rec->ip;
47601
47602+ ret = ftrace_arch_code_modify_prepare();
47603+ FTRACE_WARN_ON(ret);
47604+ if (ret)
47605+ return 0;
47606+
47607 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
47608+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
47609 if (ret) {
47610 ftrace_bug(ret, ip);
47611 rec->flags |= FTRACE_FL_FAILED;
47612- return 0;
47613 }
47614- return 1;
47615+ return ret ? 0 : 1;
47616 }
47617
47618 /*
47619diff -urNp linux-2.6.32.9/kernel/trace/Kconfig linux-2.6.32.9/kernel/trace/Kconfig
47620--- linux-2.6.32.9/kernel/trace/Kconfig 2010-02-09 07:57:19.000000000 -0500
47621+++ linux-2.6.32.9/kernel/trace/Kconfig 2010-02-23 17:09:53.340074701 -0500
47622@@ -126,6 +126,7 @@ if FTRACE
47623 config FUNCTION_TRACER
47624 bool "Kernel Function Tracer"
47625 depends on HAVE_FUNCTION_TRACER
47626+ depends on !PAX_KERNEXEC
47627 select FRAME_POINTER
47628 select KALLSYMS
47629 select GENERIC_TRACER
47630@@ -343,6 +344,7 @@ config POWER_TRACER
47631 config STACK_TRACER
47632 bool "Trace max stack"
47633 depends on HAVE_FUNCTION_TRACER
47634+ depends on !PAX_KERNEXEC
47635 select FUNCTION_TRACER
47636 select STACKTRACE
47637 select KALLSYMS
47638diff -urNp linux-2.6.32.9/kernel/trace/trace.c linux-2.6.32.9/kernel/trace/trace.c
47639--- linux-2.6.32.9/kernel/trace/trace.c 2010-02-09 07:57:19.000000000 -0500
47640+++ linux-2.6.32.9/kernel/trace/trace.c 2010-02-23 17:09:53.343560823 -0500
47641@@ -3792,10 +3792,9 @@ static const struct file_operations trac
47642 };
47643 #endif
47644
47645-static struct dentry *d_tracer;
47646-
47647 struct dentry *tracing_init_dentry(void)
47648 {
47649+ static struct dentry *d_tracer;
47650 static int once;
47651
47652 if (d_tracer)
47653@@ -3815,10 +3814,9 @@ struct dentry *tracing_init_dentry(void)
47654 return d_tracer;
47655 }
47656
47657-static struct dentry *d_percpu;
47658-
47659 struct dentry *tracing_dentry_percpu(void)
47660 {
47661+ static struct dentry *d_percpu;
47662 static int once;
47663 struct dentry *d_tracer;
47664
47665diff -urNp linux-2.6.32.9/kernel/trace/trace_events.c linux-2.6.32.9/kernel/trace/trace_events.c
47666--- linux-2.6.32.9/kernel/trace/trace_events.c 2010-02-09 07:57:19.000000000 -0500
47667+++ linux-2.6.32.9/kernel/trace/trace_events.c 2010-02-23 17:09:53.343560823 -0500
47668@@ -951,6 +951,8 @@ static LIST_HEAD(ftrace_module_file_list
47669 * Modules must own their file_operations to keep up with
47670 * reference counting.
47671 */
47672+
47673+/* cannot be const */
47674 struct ftrace_module_file_ops {
47675 struct list_head list;
47676 struct module *mod;
47677diff -urNp linux-2.6.32.9/kernel/trace/trace_output.c linux-2.6.32.9/kernel/trace/trace_output.c
47678--- linux-2.6.32.9/kernel/trace/trace_output.c 2010-02-09 07:57:19.000000000 -0500
47679+++ linux-2.6.32.9/kernel/trace/trace_output.c 2010-02-23 17:09:53.343560823 -0500
47680@@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
47681 return 0;
47682 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
47683 if (!IS_ERR(p)) {
47684- p = mangle_path(s->buffer + s->len, p, "\n");
47685+ p = mangle_path(s->buffer + s->len, p, "\n\\");
47686 if (p) {
47687 s->len = p - s->buffer;
47688 return 1;
47689diff -urNp linux-2.6.32.9/kernel/trace/trace_stack.c linux-2.6.32.9/kernel/trace/trace_stack.c
47690--- linux-2.6.32.9/kernel/trace/trace_stack.c 2010-02-09 07:57:19.000000000 -0500
47691+++ linux-2.6.32.9/kernel/trace/trace_stack.c 2010-02-23 17:09:53.343560823 -0500
47692@@ -50,7 +50,7 @@ static inline void check_stack(void)
47693 return;
47694
47695 /* we do not handle interrupt stacks yet */
47696- if (!object_is_on_stack(&this_size))
47697+ if (!object_starts_on_stack(&this_size))
47698 return;
47699
47700 local_irq_save(flags);
47701diff -urNp linux-2.6.32.9/kernel/utsname_sysctl.c linux-2.6.32.9/kernel/utsname_sysctl.c
47702--- linux-2.6.32.9/kernel/utsname_sysctl.c 2010-02-09 07:57:19.000000000 -0500
47703+++ linux-2.6.32.9/kernel/utsname_sysctl.c 2010-02-23 17:09:53.343560823 -0500
47704@@ -123,7 +123,7 @@ static struct ctl_table uts_kern_table[]
47705 .proc_handler = proc_do_uts_string,
47706 .strategy = sysctl_uts_string,
47707 },
47708- {}
47709+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47710 };
47711
47712 static struct ctl_table uts_root_table[] = {
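Review bot: The table terminator is now eleven positional values, which ties it to the exact member order and count of struct ctl_table. If a member is added or reordered later, the values shift without any diagnostic. If the change was made to satisfy a missing-initializer warning (the reason is not stated in the hunk), a designated form such as `{ .procname = NULL }` zero-fills the remaining members and GCC does not report it under -Wmissing-field-initializers. The terminator of uts_root_table in the next hunk has the same issue. The struct definition is outside this file, so the positional list cannot be checked against it from here.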
47713@@ -133,7 +133,7 @@ static struct ctl_table uts_root_table[]
47714 .mode = 0555,
47715 .child = uts_kern_table,
47716 },
47717- {}
47718+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47719 };
47720
47721 static int __init utsname_sysctl_init(void)
47722diff -urNp linux-2.6.32.9/lib/bug.c linux-2.6.32.9/lib/bug.c
47723--- linux-2.6.32.9/lib/bug.c 2010-02-09 07:57:19.000000000 -0500
47724+++ linux-2.6.32.9/lib/bug.c 2010-02-23 17:09:53.343560823 -0500
47725@@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
47726 return BUG_TRAP_TYPE_NONE;
47727
47728 bug = find_bug(bugaddr);
47729+ if (!bug)
47730+ return BUG_TRAP_TYPE_NONE;
47731
47732 printk(KERN_EMERG "------------[ cut here ]------------\n");
47733
47734diff -urNp linux-2.6.32.9/lib/debugobjects.c linux-2.6.32.9/lib/debugobjects.c
47735--- linux-2.6.32.9/lib/debugobjects.c 2010-02-09 07:57:19.000000000 -0500
47736+++ linux-2.6.32.9/lib/debugobjects.c 2010-02-23 17:09:53.343560823 -0500
47737@@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
47738 if (limit > 4)
47739 return;
47740
47741- is_on_stack = object_is_on_stack(addr);
47742+ is_on_stack = object_starts_on_stack(addr);
47743 if (is_on_stack == onstack)
47744 return;
47745
47746diff -urNp linux-2.6.32.9/lib/dma-debug.c linux-2.6.32.9/lib/dma-debug.c
47747--- linux-2.6.32.9/lib/dma-debug.c 2010-02-09 07:57:19.000000000 -0500
47748+++ linux-2.6.32.9/lib/dma-debug.c 2010-02-23 17:09:53.343560823 -0500
47749@@ -861,7 +861,7 @@ out:
47750
47751 static void check_for_stack(struct device *dev, void *addr)
47752 {
47753- if (object_is_on_stack(addr))
47754+ if (object_starts_on_stack(addr))
47755 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
47756 "stack [addr=%p]\n", addr);
47757 }
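Review bot: The message in check_for_stack() is missing a space: the adjacent literals `"DMA-API: device driver maps memory from"` and `"stack [addr=%p]\n"` concatenate to "fromstack". Since the hunk already touches this function, end the first literal with a space: `"DMA-API: device driver maps memory from "`. The `%p` also writes a raw stack address to the kernel log; in a tree that offers GRKERNSEC_HIDESYM it is worth confirming that this is acceptable.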
47758diff -urNp linux-2.6.32.9/lib/idr.c linux-2.6.32.9/lib/idr.c
47759--- linux-2.6.32.9/lib/idr.c 2010-02-09 07:57:19.000000000 -0500
47760+++ linux-2.6.32.9/lib/idr.c 2010-02-23 17:10:38.011844955 -0500
47761@@ -156,10 +156,12 @@ static int sub_alloc(struct idr *idp, in
47762 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
47763
47764 /* if already at the top layer, we need to grow */
47765- if (!(p = pa[l])) {
47766+ if (id >= (1 << (idp->layers * IDR_BITS))) {
47767 *starting_id = id;
47768 return IDR_NEED_TO_GROW;
47769 }
47770+ p = pa[l];
47771+ BUG_ON(!p);
47772
47773 /* If we need to go up one layer, continue the
47774 * loop; otherwise, restart from the top.
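Review bot: The new test `id >= (1 << (idp->layers * IDR_BITS))` shifts a plain int by a count that grows with the tree height, and once that count is 31 or more on a 32-bit int the shift overflows. IDR_BITS and the maximum layer count are defined outside this hunk, so whether that height is reachable has to be checked against the header. If it is, clamp the count before shifting, e.g. `min_t(int, idp->layers * IDR_BITS, MAX_ID_SHIFT)`. The added `BUG_ON(!p)` turns a missing layer pointer into a panic and deserves a one-line comment naming the invariant it asserts. sub_alloc() begins and ends outside the hunk.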
47775diff -urNp linux-2.6.32.9/lib/inflate.c linux-2.6.32.9/lib/inflate.c
47776--- linux-2.6.32.9/lib/inflate.c 2010-02-09 07:57:19.000000000 -0500
47777+++ linux-2.6.32.9/lib/inflate.c 2010-02-23 17:09:53.343560823 -0500
47778@@ -266,7 +266,7 @@ static void free(void *where)
47779 malloc_ptr = free_mem_ptr;
47780 }
47781 #else
47782-#define malloc(a) kmalloc(a, GFP_KERNEL)
47783+#define malloc(a) kmalloc((a), GFP_KERNEL)
47784 #define free(a) kfree(a)
47785 #endif
47786
47787diff -urNp linux-2.6.32.9/lib/Kconfig.debug linux-2.6.32.9/lib/Kconfig.debug
47788--- linux-2.6.32.9/lib/Kconfig.debug 2010-02-09 07:57:19.000000000 -0500
47789+++ linux-2.6.32.9/lib/Kconfig.debug 2010-02-23 17:09:53.343560823 -0500
47790@@ -905,7 +905,7 @@ config LATENCYTOP
47791 select STACKTRACE
47792 select SCHEDSTATS
47793 select SCHED_DEBUG
47794- depends on HAVE_LATENCYTOP_SUPPORT
47795+ depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
47796 help
47797 Enable this option if you want to use the LatencyTOP tool
47798 to find out which userspace is blocking on what kernel operations.
47799diff -urNp linux-2.6.32.9/lib/kobject.c linux-2.6.32.9/lib/kobject.c
47800--- linux-2.6.32.9/lib/kobject.c 2010-02-09 07:57:19.000000000 -0500
47801+++ linux-2.6.32.9/lib/kobject.c 2010-02-23 17:09:53.343560823 -0500
47802@@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
47803 return ret;
47804 }
47805
47806-struct sysfs_ops kobj_sysfs_ops = {
47807+const struct sysfs_ops kobj_sysfs_ops = {
47808 .show = kobj_attr_show,
47809 .store = kobj_attr_store,
47810 };
47811@@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
47812 * If the kset was not able to be created, NULL will be returned.
47813 */
47814 static struct kset *kset_create(const char *name,
47815- struct kset_uevent_ops *uevent_ops,
47816+ const struct kset_uevent_ops *uevent_ops,
47817 struct kobject *parent_kobj)
47818 {
47819 struct kset *kset;
47820@@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
47821 * If the kset was not able to be created, NULL will be returned.
47822 */
47823 struct kset *kset_create_and_add(const char *name,
47824- struct kset_uevent_ops *uevent_ops,
47825+ const struct kset_uevent_ops *uevent_ops,
47826 struct kobject *parent_kobj)
47827 {
47828 struct kset *kset;
47829diff -urNp linux-2.6.32.9/lib/kobject_uevent.c linux-2.6.32.9/lib/kobject_uevent.c
47830--- linux-2.6.32.9/lib/kobject_uevent.c 2010-02-09 07:57:19.000000000 -0500
47831+++ linux-2.6.32.9/lib/kobject_uevent.c 2010-02-23 17:09:53.343560823 -0500
47832@@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
47833 const char *subsystem;
47834 struct kobject *top_kobj;
47835 struct kset *kset;
47836- struct kset_uevent_ops *uevent_ops;
47837+ const struct kset_uevent_ops *uevent_ops;
47838 u64 seq;
47839 int i = 0;
47840 int retval = 0;
47841diff -urNp linux-2.6.32.9/lib/parser.c linux-2.6.32.9/lib/parser.c
47842--- linux-2.6.32.9/lib/parser.c 2010-02-09 07:57:19.000000000 -0500
47843+++ linux-2.6.32.9/lib/parser.c 2010-02-23 17:09:53.343560823 -0500
47844@@ -126,7 +126,7 @@ static int match_number(substring_t *s,
47845 char *buf;
47846 int ret;
47847
47848- buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
47849+ buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
47850 if (!buf)
47851 return -ENOMEM;
47852 memcpy(buf, s->from, s->to - s->from);
47853diff -urNp linux-2.6.32.9/lib/radix-tree.c linux-2.6.32.9/lib/radix-tree.c
47854--- linux-2.6.32.9/lib/radix-tree.c 2010-02-09 07:57:19.000000000 -0500
47855+++ linux-2.6.32.9/lib/radix-tree.c 2010-02-23 17:09:53.343560823 -0500
47856@@ -81,7 +81,7 @@ struct radix_tree_preload {
47857 int nr;
47858 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
47859 };
47860-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
47861+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
47862
47863 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
47864 {
47865diff -urNp linux-2.6.32.9/lib/random32.c linux-2.6.32.9/lib/random32.c
47866--- linux-2.6.32.9/lib/random32.c 2010-02-09 07:57:19.000000000 -0500
47867+++ linux-2.6.32.9/lib/random32.c 2010-02-23 17:09:53.343560823 -0500
47868@@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
47869 */
47870 static inline u32 __seed(u32 x, u32 m)
47871 {
47872- return (x < m) ? x + m : x;
47873+ return (x <= m) ? x + m + 1 : x;
47874 }
47875
47876 /**
47877diff -urNp linux-2.6.32.9/localversion-grsec linux-2.6.32.9/localversion-grsec
47878--- linux-2.6.32.9/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
47879+++ linux-2.6.32.9/localversion-grsec 2010-02-23 17:09:53.343560823 -0500
47880@@ -0,0 +1 @@
47881+-grsec
47882diff -urNp linux-2.6.32.9/Makefile linux-2.6.32.9/Makefile
47883--- linux-2.6.32.9/Makefile 2010-02-23 17:04:11.556067453 -0500
47884+++ linux-2.6.32.9/Makefile 2010-02-23 17:09:53.343560823 -0500
47885@@ -221,8 +221,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
47886
47887 HOSTCC = gcc
47888 HOSTCXX = g++
47889-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
47890-HOSTCXXFLAGS = -O2
47891+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
47892+HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
47893
47894 # Decide whether to build built-in, modular, or both.
47895 # Normally, just do built-in.
47896@@ -644,7 +644,7 @@ export mod_strip_cmd
47897
47898
47899 ifeq ($(KBUILD_EXTMOD),)
47900-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
47901+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
47902
47903 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
47904 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
47905diff -urNp linux-2.6.32.9/mm/filemap.c linux-2.6.32.9/mm/filemap.c
47906--- linux-2.6.32.9/mm/filemap.c 2010-02-09 07:57:19.000000000 -0500
47907+++ linux-2.6.32.9/mm/filemap.c 2010-02-23 17:09:53.343560823 -0500
47908@@ -1622,7 +1622,7 @@ int generic_file_mmap(struct file * file
47909 struct address_space *mapping = file->f_mapping;
47910
47911 if (!mapping->a_ops->readpage)
47912- return -ENOEXEC;
47913+ return -ENODEV;
47914 file_accessed(file);
47915 vma->vm_ops = &generic_file_vm_ops;
47916 vma->vm_flags |= VM_CAN_NONLINEAR;
47917@@ -2018,6 +2018,7 @@ inline int generic_write_checks(struct f
47918 *pos = i_size_read(inode);
47919
47920 if (limit != RLIM_INFINITY) {
47921+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
47922 if (*pos >= limit) {
47923 send_sig(SIGXFSZ, current, 0);
47924 return -EFBIG;
47925diff -urNp linux-2.6.32.9/mm/fremap.c linux-2.6.32.9/mm/fremap.c
47926--- linux-2.6.32.9/mm/fremap.c 2010-02-09 07:57:19.000000000 -0500
47927+++ linux-2.6.32.9/mm/fremap.c 2010-02-23 17:09:53.343560823 -0500
47928@@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
47929 retry:
47930 vma = find_vma(mm, start);
47931
47932+#ifdef CONFIG_PAX_SEGMEXEC
47933+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
47934+ goto out;
47935+#endif
47936+
47937 /*
47938 * Make sure the vma is shared, that it supports prefaulting,
47939 * and that the remapped range is valid and fully within
47940diff -urNp linux-2.6.32.9/mm/highmem.c linux-2.6.32.9/mm/highmem.c
47941--- linux-2.6.32.9/mm/highmem.c 2010-02-09 07:57:19.000000000 -0500
47942+++ linux-2.6.32.9/mm/highmem.c 2010-02-23 17:09:53.343560823 -0500
47943@@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
47944 * So no dangers, even with speculative execution.
47945 */
47946 page = pte_page(pkmap_page_table[i]);
47947+ pax_open_kernel();
47948 pte_clear(&init_mm, (unsigned long)page_address(page),
47949 &pkmap_page_table[i]);
47950-
47951+ pax_close_kernel();
47952 set_page_address(page, NULL);
47953 need_flush = 1;
47954 }
47955@@ -177,9 +178,11 @@ start:
47956 }
47957 }
47958 vaddr = PKMAP_ADDR(last_pkmap_nr);
47959+
47960+ pax_open_kernel();
47961 set_pte_at(&init_mm, vaddr,
47962 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
47963-
47964+ pax_close_kernel();
47965 pkmap_count[last_pkmap_nr] = 1;
47966 set_page_address(page, (void *)vaddr);
47967
47968diff -urNp linux-2.6.32.9/mm/hugetlb.c linux-2.6.32.9/mm/hugetlb.c
47969--- linux-2.6.32.9/mm/hugetlb.c 2010-02-09 07:57:19.000000000 -0500
47970+++ linux-2.6.32.9/mm/hugetlb.c 2010-02-23 17:09:53.348068268 -0500
47971@@ -1924,6 +1924,26 @@ static int unmap_ref_private(struct mm_s
47972 return 1;
47973 }
47974
47975+#ifdef CONFIG_PAX_SEGMEXEC
47976+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
47977+{
47978+ struct mm_struct *mm = vma->vm_mm;
47979+ struct vm_area_struct *vma_m;
47980+ unsigned long address_m;
47981+ pte_t *ptep_m;
47982+
47983+ vma_m = pax_find_mirror_vma(vma);
47984+ if (!vma_m)
47985+ return;
47986+
47987+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
47988+ address_m = address + SEGMEXEC_TASK_SIZE;
47989+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
47990+ get_page(page_m);
47991+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
47992+}
47993+#endif
47994+
47995 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
47996 unsigned long address, pte_t *ptep, pte_t pte,
47997 struct page *pagecache_page)
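Review bot: pax_mirror_huge_pte() hands the result of `huge_pte_offset()` straight to `set_huge_pte_at()` without checking it for NULL. The hugetlb_fault() hunk further down calls `huge_pte_alloc(mm, address_m, ...)` for the mirror address first, so the pointer is presumably valid on that path, but nothing in the helper records that dependency. Either assert it in the style the function already uses, `BUG_ON(!ptep_m);`, or add a comment above the helper naming the caller-side allocation it relies on.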
47998@@ -1995,6 +2015,11 @@ retry_avoidcopy:
47999 huge_ptep_clear_flush(vma, address, ptep);
48000 set_huge_pte_at(mm, address, ptep,
48001 make_huge_pte(vma, new_page, 1));
48002+
48003+#ifdef CONFIG_PAX_SEGMEXEC
48004+ pax_mirror_huge_pte(vma, address, new_page);
48005+#endif
48006+
48007 /* Make the old page be freed below */
48008 new_page = old_page;
48009 }
48010@@ -2124,6 +2149,10 @@ retry:
48011 && (vma->vm_flags & VM_SHARED)));
48012 set_huge_pte_at(mm, address, ptep, new_pte);
48013
48014+#ifdef CONFIG_PAX_SEGMEXEC
48015+ pax_mirror_huge_pte(vma, address, page);
48016+#endif
48017+
48018 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
48019 /* Optimization, do the COW without a second fault */
48020 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
48021@@ -2152,6 +2181,28 @@ int hugetlb_fault(struct mm_struct *mm,
48022 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
48023 struct hstate *h = hstate_vma(vma);
48024
48025+#ifdef CONFIG_PAX_SEGMEXEC
48026+ struct vm_area_struct *vma_m;
48027+
48028+ vma_m = pax_find_mirror_vma(vma);
48029+ if (vma_m) {
48030+ unsigned long address_m;
48031+
48032+ if (vma->vm_start > vma_m->vm_start) {
48033+ address_m = address;
48034+ address -= SEGMEXEC_TASK_SIZE;
48035+ vma = vma_m;
48036+ h = hstate_vma(vma);
48037+ } else
48038+ address_m = address + SEGMEXEC_TASK_SIZE;
48039+
48040+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
48041+ return VM_FAULT_OOM;
48042+ address_m &= HPAGE_MASK;
48043+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
48044+ }
48045+#endif
48046+
48047 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
48048 if (!ptep)
48049 return VM_FAULT_OOM;
48050diff -urNp linux-2.6.32.9/mm/Kconfig linux-2.6.32.9/mm/Kconfig
48051--- linux-2.6.32.9/mm/Kconfig 2010-02-09 07:57:19.000000000 -0500
48052+++ linux-2.6.32.9/mm/Kconfig 2010-02-23 17:09:53.348068268 -0500
48053@@ -228,7 +228,7 @@ config KSM
48054 config DEFAULT_MMAP_MIN_ADDR
48055 int "Low address space to protect from user allocation"
48056 depends on MMU
48057- default 4096
48058+ default 65536
48059 help
48060 This is the portion of low virtual memory which should be protected
48061 from userspace allocation. Keeping a user from writing to low pages
48062diff -urNp linux-2.6.32.9/mm/maccess.c linux-2.6.32.9/mm/maccess.c
48063--- linux-2.6.32.9/mm/maccess.c 2010-02-09 07:57:19.000000000 -0500
48064+++ linux-2.6.32.9/mm/maccess.c 2010-02-23 17:09:53.348068268 -0500
48065@@ -14,7 +14,7 @@
48066 * Safely read from address @src to the buffer at @dst. If a kernel fault
48067 * happens, handle that and return -EFAULT.
48068 */
48069-long probe_kernel_read(void *dst, void *src, size_t size)
48070+long probe_kernel_read(void *dst, const void *src, size_t size)
48071 {
48072 long ret;
48073 mm_segment_t old_fs = get_fs();
48074@@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
48075 * Safely write to address @dst from the buffer at @src. If a kernel fault
48076 * happens, handle that and return -EFAULT.
48077 */
48078-long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
48079+long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
48080 {
48081 long ret;
48082 mm_segment_t old_fs = get_fs();
48083diff -urNp linux-2.6.32.9/mm/madvise.c linux-2.6.32.9/mm/madvise.c
48084--- linux-2.6.32.9/mm/madvise.c 2010-02-09 07:57:19.000000000 -0500
48085+++ linux-2.6.32.9/mm/madvise.c 2010-02-23 17:09:53.348068268 -0500
48086@@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
48087 pgoff_t pgoff;
48088 unsigned long new_flags = vma->vm_flags;
48089
48090+#ifdef CONFIG_PAX_SEGMEXEC
48091+ struct vm_area_struct *vma_m;
48092+#endif
48093+
48094 switch (behavior) {
48095 case MADV_NORMAL:
48096 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
48097@@ -103,6 +107,13 @@ success:
48098 /*
48099 * vm_flags is protected by the mmap_sem held in write mode.
48100 */
48101+
48102+#ifdef CONFIG_PAX_SEGMEXEC
48103+ vma_m = pax_find_mirror_vma(vma);
48104+ if (vma_m)
48105+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
48106+#endif
48107+
48108 vma->vm_flags = new_flags;
48109
48110 out:
48111@@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
48112 struct vm_area_struct ** prev,
48113 unsigned long start, unsigned long end)
48114 {
48115+
48116+#ifdef CONFIG_PAX_SEGMEXEC
48117+ struct vm_area_struct *vma_m;
48118+#endif
48119+
48120 *prev = vma;
48121 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
48122 return -EINVAL;
48123@@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
48124 zap_page_range(vma, start, end - start, &details);
48125 } else
48126 zap_page_range(vma, start, end - start, NULL);
48127+
48128+#ifdef CONFIG_PAX_SEGMEXEC
48129+ vma_m = pax_find_mirror_vma(vma);
48130+ if (vma_m) {
48131+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
48132+ struct zap_details details = {
48133+ .nonlinear_vma = vma_m,
48134+ .last_index = ULONG_MAX,
48135+ };
48136+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
48137+ } else
48138+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
48139+ }
48140+#endif
48141+
48142 return 0;
48143 }
48144
48145@@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
48146 if (end < start)
48147 goto out;
48148
48149+#ifdef CONFIG_PAX_SEGMEXEC
48150+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48151+ if (end > SEGMEXEC_TASK_SIZE)
48152+ goto out;
48153+ } else
48154+#endif
48155+
48156+ if (end > TASK_SIZE)
48157+ goto out;
48158+
48159 error = 0;
48160 if (end == start)
48161 goto out;
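Review bot: The address-limit check ends the conditional block with `} else` just before `#endif`, and the `if (end > TASK_SIZE)` it binds to sits after a blank line outside the block. With CONFIG_PAX_SEGMEXEC set, any statement later inserted between the two silently becomes the else branch, and the compiler will not complain. Selecting the limit first and testing it once removes that trap; the declaration belongs with the syscall's other locals, which are outside the hunk. The do_mbind() hunk in mm/mempolicy.c uses the same shape with `return -EINVAL`.

```c
	unsigned long task_size = TASK_SIZE;	/* declared with the function's other locals */

	/* … unchanged: end < start check … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_size)
		goto out;
```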
48162diff -urNp linux-2.6.32.9/mm/memory.c linux-2.6.32.9/mm/memory.c
48163--- linux-2.6.32.9/mm/memory.c 2010-02-09 07:57:19.000000000 -0500
48164+++ linux-2.6.32.9/mm/memory.c 2010-02-23 17:09:53.348068268 -0500
48165@@ -48,6 +48,7 @@
48166 #include <linux/ksm.h>
48167 #include <linux/rmap.h>
48168 #include <linux/module.h>
48169+#include <linux/security.h>
48170 #include <linux/delayacct.h>
48171 #include <linux/init.h>
48172 #include <linux/writeback.h>
48173@@ -1251,10 +1252,10 @@ int __get_user_pages(struct task_struct
48174 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
48175 i = 0;
48176
48177- do {
48178+ while (nr_pages) {
48179 struct vm_area_struct *vma;
48180
48181- vma = find_extend_vma(mm, start);
48182+ vma = find_vma(mm, start);
48183 if (!vma && in_gate_area(tsk, start)) {
48184 unsigned long pg = start & PAGE_MASK;
48185 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
48186@@ -1296,7 +1297,7 @@ int __get_user_pages(struct task_struct
48187 continue;
48188 }
48189
48190- if (!vma ||
48191+ if (!vma || start < vma->vm_start ||
48192 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
48193 !(vm_flags & vma->vm_flags))
48194 return i ? : -EFAULT;
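Review bot: The added `start < vma->vm_start` test carries no comment, yet it is what makes the switch from find_extend_vma() to find_vma() in the previous hunk safe. find_vma() can return a vma that lies entirely above `start`. A one-line comment would keep the test from being removed later as redundant, e.g. `/* find_vma() may return a vma above start; that is not a hit */`. __get_user_pages() starts and ends outside these hunks.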
48195@@ -1371,7 +1372,7 @@ int __get_user_pages(struct task_struct
48196 start += PAGE_SIZE;
48197 nr_pages--;
48198 } while (nr_pages && start < vma->vm_end);
48199- } while (nr_pages);
48200+ }
48201 return i;
48202 }
48203
48204@@ -1967,6 +1968,186 @@ static inline void cow_user_page(struct
48205 copy_user_highpage(dst, src, va, vma);
48206 }
48207
48208+#ifdef CONFIG_PAX_SEGMEXEC
48209+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
48210+{
48211+ struct mm_struct *mm = vma->vm_mm;
48212+ spinlock_t *ptl;
48213+ pte_t *pte, entry;
48214+
48215+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48216+ entry = *pte;
48217+ if (!pte_present(entry)) {
48218+ if (!pte_none(entry)) {
48219+ BUG_ON(pte_file(entry));
48220+ free_swap_and_cache(pte_to_swp_entry(entry));
48221+ pte_clear_not_present_full(mm, address, pte, 0);
48222+ }
48223+ } else {
48224+ struct page *page;
48225+
48226+ flush_cache_page(vma, address, pte_pfn(entry));
48227+ entry = ptep_clear_flush(vma, address, pte);
48228+ BUG_ON(pte_dirty(entry));
48229+ page = vm_normal_page(vma, address, entry);
48230+ if (page) {
48231+ update_hiwater_rss(mm);
48232+ if (PageAnon(page))
48233+ dec_mm_counter(mm, anon_rss);
48234+ else
48235+ dec_mm_counter(mm, file_rss);
48236+ page_remove_rmap(page);
48237+ page_cache_release(page);
48238+ }
48239+ }
48240+ pte_unmap_unlock(pte, ptl);
48241+}
48242+
48243+/* PaX: if vma is mirrored, synchronize the mirror's PTE
48244+ *
48245+ * the ptl of the lower mapped page is held on entry and is not released on exit
48246+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
48247+ */
48248+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48249+{
48250+ struct mm_struct *mm = vma->vm_mm;
48251+ unsigned long address_m;
48252+ spinlock_t *ptl_m;
48253+ struct vm_area_struct *vma_m;
48254+ pmd_t *pmd_m;
48255+ pte_t *pte_m, entry_m;
48256+
48257+ BUG_ON(!page_m || !PageAnon(page_m));
48258+
48259+ vma_m = pax_find_mirror_vma(vma);
48260+ if (!vma_m)
48261+ return;
48262+
48263+ BUG_ON(!PageLocked(page_m));
48264+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48265+ address_m = address + SEGMEXEC_TASK_SIZE;
48266+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48267+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48268+ ptl_m = pte_lockptr(mm, pmd_m);
48269+ if (ptl != ptl_m) {
48270+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48271+ if (!pte_none(*pte_m))
48272+ goto out;
48273+ }
48274+
48275+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48276+ page_cache_get(page_m);
48277+ page_add_anon_rmap(page_m, vma_m, address_m);
48278+ inc_mm_counter(mm, anon_rss);
48279+ set_pte_at(mm, address_m, pte_m, entry_m);
48280+ update_mmu_cache(vma_m, address_m, entry_m);
48281+out:
48282+ if (ptl != ptl_m)
48283+ spin_unlock(ptl_m);
48284+ pte_unmap_nested(pte_m);
48285+ unlock_page(page_m);
48286+}
48287+
48288+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48289+{
48290+ struct mm_struct *mm = vma->vm_mm;
48291+ unsigned long address_m;
48292+ spinlock_t *ptl_m;
48293+ struct vm_area_struct *vma_m;
48294+ pmd_t *pmd_m;
48295+ pte_t *pte_m, entry_m;
48296+
48297+ BUG_ON(!page_m || PageAnon(page_m));
48298+
48299+ vma_m = pax_find_mirror_vma(vma);
48300+ if (!vma_m)
48301+ return;
48302+
48303+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48304+ address_m = address + SEGMEXEC_TASK_SIZE;
48305+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48306+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48307+ ptl_m = pte_lockptr(mm, pmd_m);
48308+ if (ptl != ptl_m) {
48309+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48310+ if (!pte_none(*pte_m))
48311+ goto out;
48312+ }
48313+
48314+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48315+ page_cache_get(page_m);
48316+ page_add_file_rmap(page_m);
48317+ inc_mm_counter(mm, file_rss);
48318+ set_pte_at(mm, address_m, pte_m, entry_m);
48319+ update_mmu_cache(vma_m, address_m, entry_m);
48320+out:
48321+ if (ptl != ptl_m)
48322+ spin_unlock(ptl_m);
48323+ pte_unmap_nested(pte_m);
48324+}
48325+
48326+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
48327+{
48328+ struct mm_struct *mm = vma->vm_mm;
48329+ unsigned long address_m;
48330+ spinlock_t *ptl_m;
48331+ struct vm_area_struct *vma_m;
48332+ pmd_t *pmd_m;
48333+ pte_t *pte_m, entry_m;
48334+
48335+ vma_m = pax_find_mirror_vma(vma);
48336+ if (!vma_m)
48337+ return;
48338+
48339+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48340+ address_m = address + SEGMEXEC_TASK_SIZE;
48341+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48342+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48343+ ptl_m = pte_lockptr(mm, pmd_m);
48344+ if (ptl != ptl_m) {
48345+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48346+ if (!pte_none(*pte_m))
48347+ goto out;
48348+ }
48349+
48350+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
48351+ set_pte_at(mm, address_m, pte_m, entry_m);
48352+out:
48353+ if (ptl != ptl_m)
48354+ spin_unlock(ptl_m);
48355+ pte_unmap_nested(pte_m);
48356+}
48357+
48358+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
48359+{
48360+ struct page *page_m;
48361+ pte_t entry;
48362+
48363+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
48364+ goto out;
48365+
48366+ entry = *pte;
48367+ page_m = vm_normal_page(vma, address, entry);
48368+ if (!page_m)
48369+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
48370+ else if (PageAnon(page_m)) {
48371+ if (pax_find_mirror_vma(vma)) {
48372+ pte_unmap_unlock(pte, ptl);
48373+ lock_page(page_m);
48374+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
48375+ if (pte_same(entry, *pte))
48376+ pax_mirror_anon_pte(vma, address, page_m, ptl);
48377+ else
48378+ unlock_page(page_m);
48379+ }
48380+ } else
48381+ pax_mirror_file_pte(vma, address, page_m, ptl);
48382+
48383+out:
48384+ pte_unmap_unlock(pte, ptl);
48385+}
48386+#endif
48387+
48388 /*
48389 * This routine handles present pages, when users try to write
48390 * to a shared page. It is done by copying the page to a new address
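Review bot: In pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `!pte_none(*pte_m)` re-check sits inside `if (ptl != ptl_m)`. When both addresses share one page-table lock, the mirror entry is therefore written without being checked. If skipping the check is intended, the comment block above pax_mirror_anon_pte() is the place to say why. Otherwise move the test below the lock block as `if (!pte_none(*pte_m)) goto out;`. The three helpers also repeat the same lookup-and-lock preamble line for line, which a shared static helper would keep in one place.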
48391@@ -2146,6 +2327,12 @@ gotten:
48392 */
48393 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
48394 if (likely(pte_same(*page_table, orig_pte))) {
48395+
48396+#ifdef CONFIG_PAX_SEGMEXEC
48397+ if (pax_find_mirror_vma(vma))
48398+ BUG_ON(!trylock_page(new_page));
48399+#endif
48400+
48401 if (old_page) {
48402 if (!PageAnon(old_page)) {
48403 dec_mm_counter(mm, file_rss);
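Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition inside the assertion, so a side effect the later code depends on is hidden in a debugging macro. pax_mirror_anon_pte() asserts PageLocked and unlocks the page, so the lock taken here is load-bearing. Take it in a plain statement and fail explicitly, e.g. `if (!trylock_page(new_page)) BUG();` under the same `pax_find_mirror_vma(vma)` test. The do_anonymous_page() and __do_fault() hunks below use the same construct on `page`. The enclosing function starts and ends outside the hunk.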
48404@@ -2197,6 +2384,10 @@ gotten:
48405 page_remove_rmap(old_page);
48406 }
48407
48408+#ifdef CONFIG_PAX_SEGMEXEC
48409+ pax_mirror_anon_pte(vma, address, new_page, ptl);
48410+#endif
48411+
48412 /* Free the old page.. */
48413 new_page = old_page;
48414 ret |= VM_FAULT_WRITE;
48415@@ -2594,6 +2785,11 @@ static int do_swap_page(struct mm_struct
48416 swap_free(entry);
48417 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
48418 try_to_free_swap(page);
48419+
48420+#ifdef CONFIG_PAX_SEGMEXEC
48421+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
48422+#endif
48423+
48424 unlock_page(page);
48425
48426 if (flags & FAULT_FLAG_WRITE) {
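Review bot: The added `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` has no statement of its own inside the #ifdef. It governs the `unlock_page(page);` that follows the #endif and a blank line. A statement inserted between them would change what is conditional without any compiler diagnostic. Place the conditional directly above `unlock_page(page);` with no blank line, and add a comment such as `/* mirrored read fault: page stays locked until pax_mirror_anon_pte() unlocks it */`. That matches the PageLocked assertion and the unlock at the end of that helper.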
48427@@ -2605,6 +2801,11 @@ static int do_swap_page(struct mm_struct
48428
48429 /* No need to invalidate - it was non-present before */
48430 update_mmu_cache(vma, address, pte);
48431+
48432+#ifdef CONFIG_PAX_SEGMEXEC
48433+ pax_mirror_anon_pte(vma, address, page, ptl);
48434+#endif
48435+
48436 unlock:
48437 pte_unmap_unlock(page_table, ptl);
48438 out:
48439@@ -2628,7 +2829,7 @@ static int do_anonymous_page(struct mm_s
48440 unsigned long address, pte_t *page_table, pmd_t *pmd,
48441 unsigned int flags)
48442 {
48443- struct page *page;
48444+ struct page *page = NULL;
48445 spinlock_t *ptl;
48446 pte_t entry;
48447
48448@@ -2663,6 +2864,11 @@ static int do_anonymous_page(struct mm_s
48449 if (!pte_none(*page_table))
48450 goto release;
48451
48452+#ifdef CONFIG_PAX_SEGMEXEC
48453+ if (pax_find_mirror_vma(vma))
48454+ BUG_ON(!trylock_page(page));
48455+#endif
48456+
48457 inc_mm_counter(mm, anon_rss);
48458 page_add_new_anon_rmap(page, vma, address);
48459 setpte:
48460@@ -2670,6 +2876,12 @@ setpte:
48461
48462 /* No need to invalidate - it was non-present before */
48463 update_mmu_cache(vma, address, entry);
48464+
48465+#ifdef CONFIG_PAX_SEGMEXEC
48466+ if (page)
48467+ pax_mirror_anon_pte(vma, address, page, ptl);
48468+#endif
48469+
48470 unlock:
48471 pte_unmap_unlock(page_table, ptl);
48472 return 0;
48473@@ -2812,6 +3024,12 @@ static int __do_fault(struct mm_struct *
48474 */
48475 /* Only go through if we didn't race with anybody else... */
48476 if (likely(pte_same(*page_table, orig_pte))) {
48477+
48478+#ifdef CONFIG_PAX_SEGMEXEC
48479+ if (anon && pax_find_mirror_vma(vma))
48480+ BUG_ON(!trylock_page(page));
48481+#endif
48482+
48483 flush_icache_page(vma, page);
48484 entry = mk_pte(page, vma->vm_page_prot);
48485 if (flags & FAULT_FLAG_WRITE)
48486@@ -2831,6 +3049,14 @@ static int __do_fault(struct mm_struct *
48487
48488 /* no need to invalidate: a not-present page won't be cached */
48489 update_mmu_cache(vma, address, entry);
48490+
48491+#ifdef CONFIG_PAX_SEGMEXEC
48492+ if (anon)
48493+ pax_mirror_anon_pte(vma, address, page, ptl);
48494+ else
48495+ pax_mirror_file_pte(vma, address, page, ptl);
48496+#endif
48497+
48498 } else {
48499 if (charged)
48500 mem_cgroup_uncharge_page(page);
48501@@ -2978,6 +3204,12 @@ static inline int handle_pte_fault(struc
48502 if (flags & FAULT_FLAG_WRITE)
48503 flush_tlb_page(vma, address);
48504 }
48505+
48506+#ifdef CONFIG_PAX_SEGMEXEC
48507+ pax_mirror_pte(vma, address, pte, pmd, ptl);
48508+ return 0;
48509+#endif
48510+
48511 unlock:
48512 pte_unmap_unlock(pte, ptl);
48513 return 0;
48514@@ -2994,6 +3226,10 @@ int handle_mm_fault(struct mm_struct *mm
48515 pmd_t *pmd;
48516 pte_t *pte;
48517
48518+#ifdef CONFIG_PAX_SEGMEXEC
48519+ struct vm_area_struct *vma_m;
48520+#endif
48521+
48522 __set_current_state(TASK_RUNNING);
48523
48524 count_vm_event(PGFAULT);
48525@@ -3001,6 +3237,34 @@ int handle_mm_fault(struct mm_struct *mm
48526 if (unlikely(is_vm_hugetlb_page(vma)))
48527 return hugetlb_fault(mm, vma, address, flags);
48528
48529+#ifdef CONFIG_PAX_SEGMEXEC
48530+ vma_m = pax_find_mirror_vma(vma);
48531+ if (vma_m) {
48532+ unsigned long address_m;
48533+ pgd_t *pgd_m;
48534+ pud_t *pud_m;
48535+ pmd_t *pmd_m;
48536+
48537+ if (vma->vm_start > vma_m->vm_start) {
48538+ address_m = address;
48539+ address -= SEGMEXEC_TASK_SIZE;
48540+ vma = vma_m;
48541+ } else
48542+ address_m = address + SEGMEXEC_TASK_SIZE;
48543+
48544+ pgd_m = pgd_offset(mm, address_m);
48545+ pud_m = pud_alloc(mm, pgd_m, address_m);
48546+ if (!pud_m)
48547+ return VM_FAULT_OOM;
48548+ pmd_m = pmd_alloc(mm, pud_m, address_m);
48549+ if (!pmd_m)
48550+ return VM_FAULT_OOM;
48551+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
48552+ return VM_FAULT_OOM;
48553+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
48554+ }
48555+#endif
48556+
48557 pgd = pgd_offset(mm, address);
48558 pud = pud_alloc(mm, pgd, address);
48559 if (!pud)
48560@@ -3098,7 +3362,7 @@ static int __init gate_vma_init(void)
48561 gate_vma.vm_start = FIXADDR_USER_START;
48562 gate_vma.vm_end = FIXADDR_USER_END;
48563 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
48564- gate_vma.vm_page_prot = __P101;
48565+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
48566 /*
48567 * Make sure the vDSO gets into every core dump.
48568 * Dumping its contents makes post-mortem fully interpretable later
48569diff -urNp linux-2.6.32.9/mm/memory-failure.c linux-2.6.32.9/mm/memory-failure.c
48570--- linux-2.6.32.9/mm/memory-failure.c 2010-02-09 07:57:19.000000000 -0500
48571+++ linux-2.6.32.9/mm/memory-failure.c 2010-02-23 17:09:53.348068268 -0500
48572@@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
48573
48574 int sysctl_memory_failure_recovery __read_mostly = 1;
48575
48576-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48577+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48578
48579 /*
48580 * Send all the processes who have the page mapped an ``action optional''
48581@@ -741,7 +741,7 @@ int __memory_failure(unsigned long pfn,
48582 return 0;
48583 }
48584
48585- atomic_long_add(1, &mce_bad_pages);
48586+ atomic_long_add_unchecked(1, &mce_bad_pages);
48587
48588 /*
48589 * We need/can do nothing about count=0 pages.
48590diff -urNp linux-2.6.32.9/mm/mempolicy.c linux-2.6.32.9/mm/mempolicy.c
48591--- linux-2.6.32.9/mm/mempolicy.c 2010-02-09 07:57:19.000000000 -0500
48592+++ linux-2.6.32.9/mm/mempolicy.c 2010-02-23 17:09:53.348068268 -0500
48593@@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
48594 struct vm_area_struct *next;
48595 int err;
48596
48597+#ifdef CONFIG_PAX_SEGMEXEC
48598+ struct vm_area_struct *vma_m;
48599+#endif
48600+
48601 err = 0;
48602 for (; vma && vma->vm_start < end; vma = next) {
48603 next = vma->vm_next;
48604@@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
48605 err = policy_vma(vma, new);
48606 if (err)
48607 break;
48608+
48609+#ifdef CONFIG_PAX_SEGMEXEC
48610+ vma_m = pax_find_mirror_vma(vma);
48611+ if (vma_m) {
48612+ err = policy_vma(vma_m, new);
48613+ if (err)
48614+ break;
48615+ }
48616+#endif
48617+
48618 }
48619 return err;
48620 }
48621@@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
48622
48623 if (end < start)
48624 return -EINVAL;
48625+
48626+#ifdef CONFIG_PAX_SEGMEXEC
48627+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
48628+ if (end > SEGMEXEC_TASK_SIZE)
48629+ return -EINVAL;
48630+ } else
48631+#endif
48632+
48633+ if (end > TASK_SIZE)
48634+ return -EINVAL;
48635+
48636 if (end == start)
48637 return 0;
48638
48639@@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48640 if (!mm)
48641 return -EINVAL;
48642
48643+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48644+ if (mm != current->mm &&
48645+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48646+ err = -EPERM;
48647+ goto out;
48648+ }
48649+#endif
48650+
48651 /*
48652 * Check if this process has the right to modify the specified
48653 * process. The right exists if the process has administrative
48654@@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48655 rcu_read_lock();
48656 tcred = __task_cred(task);
48657 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48658- cred->uid != tcred->suid && cred->uid != tcred->uid &&
48659- !capable(CAP_SYS_NICE)) {
48660+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48661 rcu_read_unlock();
48662 err = -EPERM;
48663 goto out;
48664@@ -2386,7 +2418,7 @@ int show_numa_map(struct seq_file *m, vo
48665
48666 if (file) {
48667 seq_printf(m, " file=");
48668- seq_path(m, &file->f_path, "\n\t= ");
48669+ seq_path(m, &file->f_path, "\n\t\\= ");
48670 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
48671 seq_printf(m, " heap");
48672 } else if (vma->vm_start <= mm->start_stack &&
48673diff -urNp linux-2.6.32.9/mm/migrate.c linux-2.6.32.9/mm/migrate.c
48674--- linux-2.6.32.9/mm/migrate.c 2010-02-23 17:04:12.687619162 -0500
48675+++ linux-2.6.32.9/mm/migrate.c 2010-02-23 17:36:13.156353174 -0500
48676@@ -1106,6 +1106,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48677 if (!mm)
48678 return -EINVAL;
48679
48680+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48681+ if (mm != current->mm &&
48682+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48683+ err = -EPERM;
48684+ goto out;
48685+ }
48686+#endif
48687+
48688 /*
48689 * Check if this process has the right to modify the specified
48690 * process. The right exists if the process has administrative
48691@@ -1115,8 +1123,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48692 rcu_read_lock();
48693 tcred = __task_cred(task);
48694 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48695- cred->uid != tcred->suid && cred->uid != tcred->uid &&
48696- !capable(CAP_SYS_NICE)) {
48697+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48698 rcu_read_unlock();
48699 err = -EPERM;
48700 goto out;
48701diff -urNp linux-2.6.32.9/mm/mlock.c linux-2.6.32.9/mm/mlock.c
48702--- linux-2.6.32.9/mm/mlock.c 2010-02-09 07:57:19.000000000 -0500
48703+++ linux-2.6.32.9/mm/mlock.c 2010-02-23 17:09:56.652716557 -0500
48704@@ -13,6 +13,7 @@
48705 #include <linux/pagemap.h>
48706 #include <linux/mempolicy.h>
48707 #include <linux/syscalls.h>
48708+#include <linux/security.h>
48709 #include <linux/sched.h>
48710 #include <linux/module.h>
48711 #include <linux/rmap.h>
48712@@ -435,6 +436,17 @@ static int do_mlock(unsigned long start,
48713 return -EINVAL;
48714 if (end == start)
48715 return 0;
48716+
48717+#ifdef CONFIG_PAX_SEGMEXEC
48718+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48719+ if (end > SEGMEXEC_TASK_SIZE)
48720+ return -EINVAL;
48721+ } else
48722+#endif
48723+
48724+ if (end > TASK_SIZE)
48725+ return -EINVAL;
48726+
48727 vma = find_vma_prev(current->mm, start, &prev);
48728 if (!vma || vma->vm_start > start)
48729 return -ENOMEM;
48730@@ -494,6 +506,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
48731 lock_limit >>= PAGE_SHIFT;
48732
48733 /* check against resource limits */
48734+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
48735 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
48736 error = do_mlock(start, len, 1);
48737 up_write(&current->mm->mmap_sem);
48738@@ -515,10 +528,10 @@ SYSCALL_DEFINE2(munlock, unsigned long,
48739 static int do_mlockall(int flags)
48740 {
48741 struct vm_area_struct * vma, * prev = NULL;
48742- unsigned int def_flags = 0;
48743+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
48744
48745 if (flags & MCL_FUTURE)
48746- def_flags = VM_LOCKED;
48747+ def_flags |= VM_LOCKED;
48748 current->mm->def_flags = def_flags;
48749 if (flags == MCL_FUTURE)
48750 goto out;
48751@@ -526,6 +539,12 @@ static int do_mlockall(int flags)
48752 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
48753 unsigned int newflags;
48754
48755+#ifdef CONFIG_PAX_SEGMEXEC
48756+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
48757+ break;
48758+#endif
48759+
48760+ BUG_ON(vma->vm_end > TASK_SIZE);
48761 newflags = vma->vm_flags | VM_LOCKED;
48762 if (!(flags & MCL_CURRENT))
48763 newflags &= ~VM_LOCKED;
48764@@ -557,6 +576,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
48765 lock_limit >>= PAGE_SHIFT;
48766
48767 ret = -ENOMEM;
48768+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
48769 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
48770 capable(CAP_IPC_LOCK))
48771 ret = do_mlockall(flags);
48772diff -urNp linux-2.6.32.9/mm/mmap.c linux-2.6.32.9/mm/mmap.c
48773--- linux-2.6.32.9/mm/mmap.c 2010-02-09 07:57:19.000000000 -0500
48774+++ linux-2.6.32.9/mm/mmap.c 2010-02-23 17:09:56.652716557 -0500
48775@@ -45,6 +45,16 @@
48776 #define arch_rebalance_pgtables(addr, len) (addr)
48777 #endif
48778
48779+static inline void verify_mm_writelocked(struct mm_struct *mm)
48780+{
48781+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
48782+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
48783+ up_read(&mm->mmap_sem);
48784+ BUG();
48785+ }
48786+#endif
48787+}
48788+
48789 static void unmap_region(struct mm_struct *mm,
48790 struct vm_area_struct *vma, struct vm_area_struct *prev,
48791 unsigned long start, unsigned long end);
48792@@ -70,16 +80,25 @@ static void unmap_region(struct mm_struc
48793 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
48794 *
48795 */
48796-pgprot_t protection_map[16] = {
48797+pgprot_t protection_map[16] __read_only = {
48798 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
48799 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
48800 };
48801
48802 pgprot_t vm_get_page_prot(unsigned long vm_flags)
48803 {
48804- return __pgprot(pgprot_val(protection_map[vm_flags &
48805+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
48806 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
48807 pgprot_val(arch_vm_get_page_prot(vm_flags)));
48808+
48809+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48810+ if (!nx_enabled &&
48811+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
48812+ (vm_flags & (VM_READ | VM_WRITE)))
48813+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
48814+#endif
48815+
48816+ return prot;
48817 }
48818 EXPORT_SYMBOL(vm_get_page_prot);
48819
48820@@ -231,6 +250,7 @@ static struct vm_area_struct *remove_vma
48821 struct vm_area_struct *next = vma->vm_next;
48822
48823 might_sleep();
48824+ BUG_ON(vma->vm_mirror);
48825 if (vma->vm_ops && vma->vm_ops->close)
48826 vma->vm_ops->close(vma);
48827 if (vma->vm_file) {
48828@@ -267,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
48829 * not page aligned -Ram Gupta
48830 */
48831 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
48832+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
48833 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
48834 (mm->end_data - mm->start_data) > rlim)
48835 goto out;
48836@@ -694,6 +715,12 @@ static int
48837 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
48838 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48839 {
48840+
48841+#ifdef CONFIG_PAX_SEGMEXEC
48842+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
48843+ return 0;
48844+#endif
48845+
48846 if (is_mergeable_vma(vma, file, vm_flags) &&
48847 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48848 if (vma->vm_pgoff == vm_pgoff)
48849@@ -713,6 +740,12 @@ static int
48850 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
48851 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48852 {
48853+
48854+#ifdef CONFIG_PAX_SEGMEXEC
48855+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
48856+ return 0;
48857+#endif
48858+
48859 if (is_mergeable_vma(vma, file, vm_flags) &&
48860 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48861 pgoff_t vm_pglen;
48862@@ -755,12 +788,19 @@ can_vma_merge_after(struct vm_area_struc
48863 struct vm_area_struct *vma_merge(struct mm_struct *mm,
48864 struct vm_area_struct *prev, unsigned long addr,
48865 unsigned long end, unsigned long vm_flags,
48866- struct anon_vma *anon_vma, struct file *file,
48867+ struct anon_vma *anon_vma, struct file *file,
48868 pgoff_t pgoff, struct mempolicy *policy)
48869 {
48870 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
48871 struct vm_area_struct *area, *next;
48872
48873+#ifdef CONFIG_PAX_SEGMEXEC
48874+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
48875+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
48876+
48877+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
48878+#endif
48879+
48880 /*
48881 * We later require that vma->vm_flags == vm_flags,
48882 * so this tests vma->vm_flags & VM_SPECIAL, too.
48883@@ -776,6 +816,15 @@ struct vm_area_struct *vma_merge(struct
48884 if (next && next->vm_end == end) /* cases 6, 7, 8 */
48885 next = next->vm_next;
48886
48887+#ifdef CONFIG_PAX_SEGMEXEC
48888+ if (prev)
48889+ prev_m = pax_find_mirror_vma(prev);
48890+ if (area)
48891+ area_m = pax_find_mirror_vma(area);
48892+ if (next)
48893+ next_m = pax_find_mirror_vma(next);
48894+#endif
48895+
48896 /*
48897 * Can it merge with the predecessor?
48898 */
48899@@ -795,9 +844,24 @@ struct vm_area_struct *vma_merge(struct
48900 /* cases 1, 6 */
48901 vma_adjust(prev, prev->vm_start,
48902 next->vm_end, prev->vm_pgoff, NULL);
48903- } else /* cases 2, 5, 7 */
48904+
48905+#ifdef CONFIG_PAX_SEGMEXEC
48906+ if (prev_m)
48907+ vma_adjust(prev_m, prev_m->vm_start,
48908+ next_m->vm_end, prev_m->vm_pgoff, NULL);
48909+#endif
48910+
48911+ } else { /* cases 2, 5, 7 */
48912 vma_adjust(prev, prev->vm_start,
48913 end, prev->vm_pgoff, NULL);
48914+
48915+#ifdef CONFIG_PAX_SEGMEXEC
48916+ if (prev_m)
48917+ vma_adjust(prev_m, prev_m->vm_start,
48918+ end_m, prev_m->vm_pgoff, NULL);
48919+#endif
48920+
48921+ }
48922 return prev;
48923 }
48924
48925@@ -808,12 +872,27 @@ struct vm_area_struct *vma_merge(struct
48926 mpol_equal(policy, vma_policy(next)) &&
48927 can_vma_merge_before(next, vm_flags,
48928 anon_vma, file, pgoff+pglen)) {
48929- if (prev && addr < prev->vm_end) /* case 4 */
48930+ if (prev && addr < prev->vm_end) { /* case 4 */
48931 vma_adjust(prev, prev->vm_start,
48932 addr, prev->vm_pgoff, NULL);
48933- else /* cases 3, 8 */
48934+
48935+#ifdef CONFIG_PAX_SEGMEXEC
48936+ if (prev_m)
48937+ vma_adjust(prev_m, prev_m->vm_start,
48938+ addr_m, prev_m->vm_pgoff, NULL);
48939+#endif
48940+
48941+ } else { /* cases 3, 8 */
48942 vma_adjust(area, addr, next->vm_end,
48943 next->vm_pgoff - pglen, NULL);
48944+
48945+#ifdef CONFIG_PAX_SEGMEXEC
48946+ if (area_m)
48947+ vma_adjust(area_m, addr_m, next_m->vm_end,
48948+ next_m->vm_pgoff - pglen, NULL);
48949+#endif
48950+
48951+ }
48952 return area;
48953 }
48954
48955@@ -888,14 +967,11 @@ none:
48956 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
48957 struct file *file, long pages)
48958 {
48959- const unsigned long stack_flags
48960- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
48961-
48962 if (file) {
48963 mm->shared_vm += pages;
48964 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
48965 mm->exec_vm += pages;
48966- } else if (flags & stack_flags)
48967+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
48968 mm->stack_vm += pages;
48969 if (flags & (VM_RESERVED|VM_IO))
48970 mm->reserved_vm += pages;
48971@@ -922,7 +998,7 @@ unsigned long do_mmap_pgoff(struct file
48972 * (the exception is when the underlying filesystem is noexec
48973 * mounted, in which case we dont add PROT_EXEC.)
48974 */
48975- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
48976+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
48977 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
48978 prot |= PROT_EXEC;
48979
48980@@ -948,7 +1024,7 @@ unsigned long do_mmap_pgoff(struct file
48981 /* Obtain the address to map to. we verify (or select) it and ensure
48982 * that it represents a valid section of the address space.
48983 */
48984- addr = get_unmapped_area(file, addr, len, pgoff, flags);
48985+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
48986 if (addr & ~PAGE_MASK)
48987 return addr;
48988
48989@@ -959,6 +1035,26 @@ unsigned long do_mmap_pgoff(struct file
48990 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
48991 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
48992
48993+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48994+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
48995+
48996+#ifdef CONFIG_PAX_MPROTECT
48997+ if (mm->pax_flags & MF_PAX_MPROTECT) {
48998+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
48999+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49000+ else
49001+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49002+ }
49003+#endif
49004+
49005+ }
49006+#endif
49007+
49008+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49009+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
49010+ vm_flags &= ~VM_PAGEEXEC;
49011+#endif
49012+
49013 if (flags & MAP_LOCKED)
49014 if (!can_do_mlock())
49015 return -EPERM;
49016@@ -970,6 +1066,7 @@ unsigned long do_mmap_pgoff(struct file
49017 locked += mm->locked_vm;
49018 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49019 lock_limit >>= PAGE_SHIFT;
49020+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49021 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
49022 return -EAGAIN;
49023 }
49024@@ -1043,6 +1140,9 @@ unsigned long do_mmap_pgoff(struct file
49025 if (error)
49026 return error;
49027
49028+ if (!gr_acl_handle_mmap(file, prot))
49029+ return -EACCES;
49030+
49031 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
49032 }
49033 EXPORT_SYMBOL(do_mmap_pgoff);
49034@@ -1055,10 +1155,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
49035 */
49036 int vma_wants_writenotify(struct vm_area_struct *vma)
49037 {
49038- unsigned int vm_flags = vma->vm_flags;
49039+ unsigned long vm_flags = vma->vm_flags;
49040
49041 /* If it was private or non-writable, the write bit is already clear */
49042- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
49043+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
49044 return 0;
49045
49046 /* The backer wishes to know when pages are first written to? */
49047@@ -1107,14 +1207,24 @@ unsigned long mmap_region(struct file *f
49048 unsigned long charged = 0;
49049 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
49050
49051+#ifdef CONFIG_PAX_SEGMEXEC
49052+ struct vm_area_struct *vma_m = NULL;
49053+#endif
49054+
49055+ /*
49056+ * mm->mmap_sem is required to protect against another thread
49057+ * changing the mappings in case we sleep.
49058+ */
49059+ verify_mm_writelocked(mm);
49060+
49061 /* Clear old maps */
49062 error = -ENOMEM;
49063-munmap_back:
49064 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49065 if (vma && vma->vm_start < addr + len) {
49066 if (do_munmap(mm, addr, len))
49067 return -ENOMEM;
49068- goto munmap_back;
49069+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49070+ BUG_ON(vma && vma->vm_start < addr + len);
49071 }
49072
49073 /* Check against address space limit. */
49074@@ -1163,6 +1273,16 @@ munmap_back:
49075 goto unacct_error;
49076 }
49077
49078+#ifdef CONFIG_PAX_SEGMEXEC
49079+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
49080+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49081+ if (!vma_m) {
49082+ error = -ENOMEM;
49083+ goto free_vma;
49084+ }
49085+ }
49086+#endif
49087+
49088 vma->vm_mm = mm;
49089 vma->vm_start = addr;
49090 vma->vm_end = addr + len;
49091@@ -1185,6 +1305,19 @@ munmap_back:
49092 error = file->f_op->mmap(file, vma);
49093 if (error)
49094 goto unmap_and_free_vma;
49095+
49096+#ifdef CONFIG_PAX_SEGMEXEC
49097+ if (vma_m && (vm_flags & VM_EXECUTABLE))
49098+ added_exe_file_vma(mm);
49099+#endif
49100+
49101+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49102+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
49103+ vma->vm_flags |= VM_PAGEEXEC;
49104+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49105+ }
49106+#endif
49107+
49108 if (vm_flags & VM_EXECUTABLE)
49109 added_exe_file_vma(mm);
49110
49111@@ -1208,6 +1341,11 @@ munmap_back:
49112 vma_link(mm, vma, prev, rb_link, rb_parent);
49113 file = vma->vm_file;
49114
49115+#ifdef CONFIG_PAX_SEGMEXEC
49116+ if (vma_m)
49117+ pax_mirror_vma(vma_m, vma);
49118+#endif
49119+
49120 /* Once vma denies write, undo our temporary denial count */
49121 if (correct_wcount)
49122 atomic_inc(&inode->i_writecount);
49123@@ -1216,6 +1354,7 @@ out:
49124
49125 mm->total_vm += len >> PAGE_SHIFT;
49126 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
49127+ track_exec_limit(mm, addr, addr + len, vm_flags);
49128 if (vm_flags & VM_LOCKED) {
49129 /*
49130 * makes pages present; downgrades, drops, reacquires mmap_sem
49131@@ -1238,6 +1377,12 @@ unmap_and_free_vma:
49132 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
49133 charged = 0;
49134 free_vma:
49135+
49136+#ifdef CONFIG_PAX_SEGMEXEC
49137+ if (vma_m)
49138+ kmem_cache_free(vm_area_cachep, vma_m);
49139+#endif
49140+
49141 kmem_cache_free(vm_area_cachep, vma);
49142 unacct_error:
49143 if (charged)
49144@@ -1271,6 +1416,10 @@ arch_get_unmapped_area(struct file *filp
49145 if (flags & MAP_FIXED)
49146 return addr;
49147
49148+#ifdef CONFIG_PAX_RANDMMAP
49149+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49150+#endif
49151+
49152 if (addr) {
49153 addr = PAGE_ALIGN(addr);
49154 vma = find_vma(mm, addr);
49155@@ -1279,10 +1428,10 @@ arch_get_unmapped_area(struct file *filp
49156 return addr;
49157 }
49158 if (len > mm->cached_hole_size) {
49159- start_addr = addr = mm->free_area_cache;
49160+ start_addr = addr = mm->free_area_cache;
49161 } else {
49162- start_addr = addr = TASK_UNMAPPED_BASE;
49163- mm->cached_hole_size = 0;
49164+ start_addr = addr = mm->mmap_base;
49165+ mm->cached_hole_size = 0;
49166 }
49167
49168 full_search:
49169@@ -1293,9 +1442,8 @@ full_search:
49170 * Start a new search - just in case we missed
49171 * some holes.
49172 */
49173- if (start_addr != TASK_UNMAPPED_BASE) {
49174- addr = TASK_UNMAPPED_BASE;
49175- start_addr = addr;
49176+ if (start_addr != mm->mmap_base) {
49177+ start_addr = addr = mm->mmap_base;
49178 mm->cached_hole_size = 0;
49179 goto full_search;
49180 }
49181@@ -1317,10 +1465,16 @@ full_search:
49182
49183 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
49184 {
49185+
49186+#ifdef CONFIG_PAX_SEGMEXEC
49187+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49188+ return;
49189+#endif
49190+
49191 /*
49192 * Is this a new hole at the lowest possible address?
49193 */
49194- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
49195+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
49196 mm->free_area_cache = addr;
49197 mm->cached_hole_size = ~0UL;
49198 }
49199@@ -1338,7 +1492,7 @@ arch_get_unmapped_area_topdown(struct fi
49200 {
49201 struct vm_area_struct *vma;
49202 struct mm_struct *mm = current->mm;
49203- unsigned long addr = addr0;
49204+ unsigned long base = mm->mmap_base, addr = addr0;
49205
49206 /* requested length too big for entire address space */
49207 if (len > TASK_SIZE)
49208@@ -1347,6 +1501,10 @@ arch_get_unmapped_area_topdown(struct fi
49209 if (flags & MAP_FIXED)
49210 return addr;
49211
49212+#ifdef CONFIG_PAX_RANDMMAP
49213+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49214+#endif
49215+
49216 /* requesting a specific address */
49217 if (addr) {
49218 addr = PAGE_ALIGN(addr);
49219@@ -1404,13 +1562,21 @@ bottomup:
49220 * can happen with large stack limits and large mmap()
49221 * allocations.
49222 */
49223+ mm->mmap_base = TASK_UNMAPPED_BASE;
49224+
49225+#ifdef CONFIG_PAX_RANDMMAP
49226+ if (mm->pax_flags & MF_PAX_RANDMMAP)
49227+ mm->mmap_base += mm->delta_mmap;
49228+#endif
49229+
49230+ mm->free_area_cache = mm->mmap_base;
49231 mm->cached_hole_size = ~0UL;
49232- mm->free_area_cache = TASK_UNMAPPED_BASE;
49233 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
49234 /*
49235 * Restore the topdown base:
49236 */
49237- mm->free_area_cache = mm->mmap_base;
49238+ mm->mmap_base = base;
49239+ mm->free_area_cache = base;
49240 mm->cached_hole_size = ~0UL;
49241
49242 return addr;
49243@@ -1419,6 +1585,12 @@ bottomup:
49244
49245 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
49246 {
49247+
49248+#ifdef CONFIG_PAX_SEGMEXEC
49249+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49250+ return;
49251+#endif
49252+
49253 /*
49254 * Is this a new hole at the highest possible address?
49255 */
49256@@ -1426,8 +1598,10 @@ void arch_unmap_area_topdown(struct mm_s
49257 mm->free_area_cache = addr;
49258
49259 /* dont allow allocations above current base */
49260- if (mm->free_area_cache > mm->mmap_base)
49261+ if (mm->free_area_cache > mm->mmap_base) {
49262 mm->free_area_cache = mm->mmap_base;
49263+ mm->cached_hole_size = ~0UL;
49264+ }
49265 }
49266
49267 unsigned long
49268@@ -1535,6 +1709,27 @@ out:
49269 return prev ? prev->vm_next : vma;
49270 }
49271
49272+#ifdef CONFIG_PAX_SEGMEXEC
49273+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
49274+{
49275+ struct vm_area_struct *vma_m;
49276+
49277+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
49278+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
49279+ BUG_ON(vma->vm_mirror);
49280+ return NULL;
49281+ }
49282+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
49283+ vma_m = vma->vm_mirror;
49284+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
49285+ BUG_ON(vma->vm_file != vma_m->vm_file);
49286+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
49287+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
49288+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
49289+ return vma_m;
49290+}
49291+#endif
49292+
49293 /*
49294 * Verify that the stack growth is acceptable and
49295 * update accounting. This is shared with both the
49296@@ -1551,6 +1746,7 @@ static int acct_stack_growth(struct vm_a
49297 return -ENOMEM;
49298
49299 /* Stack limit test */
49300+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
49301 if (size > rlim[RLIMIT_STACK].rlim_cur)
49302 return -ENOMEM;
49303
49304@@ -1560,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
49305 unsigned long limit;
49306 locked = mm->locked_vm + grow;
49307 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
49308+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49309 if (locked > limit && !capable(CAP_IPC_LOCK))
49310 return -ENOMEM;
49311 }
49312@@ -1595,35 +1792,40 @@ static
49313 #endif
49314 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
49315 {
49316- int error;
49317+ int error, locknext;
49318
49319 if (!(vma->vm_flags & VM_GROWSUP))
49320 return -EFAULT;
49321
49322+ /* Also guard against wrapping around to address 0. */
49323+ if (address < PAGE_ALIGN(address+1))
49324+ address = PAGE_ALIGN(address+1);
49325+ else
49326+ return -ENOMEM;
49327+
49328 /*
49329 * We must make sure the anon_vma is allocated
49330 * so that the anon_vma locking is not a noop.
49331 */
49332 if (unlikely(anon_vma_prepare(vma)))
49333 return -ENOMEM;
49334+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
49335+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
49336+ return -ENOMEM;
49337 anon_vma_lock(vma);
49338+ if (locknext)
49339+ anon_vma_lock(vma->vm_next);
49340
49341 /*
49342 * vma->vm_start/vm_end cannot change under us because the caller
49343 * is required to hold the mmap_sem in read mode. We need the
49344- * anon_vma lock to serialize against concurrent expand_stacks.
49345- * Also guard against wrapping around to address 0.
49346+ * anon_vma locks to serialize against concurrent expand_stacks
49347+ * and expand_upwards.
49348 */
49349- if (address < PAGE_ALIGN(address+4))
49350- address = PAGE_ALIGN(address+4);
49351- else {
49352- anon_vma_unlock(vma);
49353- return -ENOMEM;
49354- }
49355 error = 0;
49356
49357 /* Somebody else might have raced and expanded it already */
49358- if (address > vma->vm_end) {
49359+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
49360 unsigned long size, grow;
49361
49362 size = address - vma->vm_start;
49363@@ -1633,6 +1835,8 @@ int expand_upwards(struct vm_area_struct
49364 if (!error)
49365 vma->vm_end = address;
49366 }
49367+ if (locknext)
49368+ anon_vma_unlock(vma->vm_next);
49369 anon_vma_unlock(vma);
49370 return error;
49371 }
49372@@ -1644,7 +1848,8 @@ int expand_upwards(struct vm_area_struct
49373 static int expand_downwards(struct vm_area_struct *vma,
49374 unsigned long address)
49375 {
49376- int error;
49377+ int error, lockprev = 0;
49378+ struct vm_area_struct *prev = NULL;
49379
49380 /*
49381 * We must make sure the anon_vma is allocated
49382@@ -1658,6 +1863,15 @@ static int expand_downwards(struct vm_ar
49383 if (error)
49384 return error;
49385
49386+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
49387+ find_vma_prev(vma->vm_mm, address, &prev);
49388+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
49389+#endif
49390+ if (lockprev && unlikely(anon_vma_prepare(prev)))
49391+ return -ENOMEM;
49392+ if (lockprev)
49393+ anon_vma_lock(prev);
49394+
49395 anon_vma_lock(vma);
49396
49397 /*
49398@@ -1667,9 +1881,15 @@ static int expand_downwards(struct vm_ar
49399 */
49400
49401 /* Somebody else might have raced and expanded it already */
49402- if (address < vma->vm_start) {
49403+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
49404 unsigned long size, grow;
49405
49406+#ifdef CONFIG_PAX_SEGMEXEC
49407+ struct vm_area_struct *vma_m;
49408+
49409+ vma_m = pax_find_mirror_vma(vma);
49410+#endif
49411+
49412 size = vma->vm_end - address;
49413 grow = (vma->vm_start - address) >> PAGE_SHIFT;
49414
49415@@ -1677,9 +1897,20 @@ static int expand_downwards(struct vm_ar
49416 if (!error) {
49417 vma->vm_start = address;
49418 vma->vm_pgoff -= grow;
49419+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
49420+
49421+#ifdef CONFIG_PAX_SEGMEXEC
49422+ if (vma_m) {
49423+ vma_m->vm_start -= grow << PAGE_SHIFT;
49424+ vma_m->vm_pgoff -= grow;
49425+ }
49426+#endif
49427+
49428 }
49429 }
49430 anon_vma_unlock(vma);
49431+ if (lockprev)
49432+ anon_vma_unlock(prev);
49433 return error;
49434 }
49435
49436@@ -1755,6 +1986,13 @@ static void remove_vma_list(struct mm_st
49437 do {
49438 long nrpages = vma_pages(vma);
49439
49440+#ifdef CONFIG_PAX_SEGMEXEC
49441+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
49442+ vma = remove_vma(vma);
49443+ continue;
49444+ }
49445+#endif
49446+
49447 mm->total_vm -= nrpages;
49448 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
49449 vma = remove_vma(vma);
49450@@ -1799,6 +2037,16 @@ detach_vmas_to_be_unmapped(struct mm_str
49451
49452 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
49453 do {
49454+
49455+#ifdef CONFIG_PAX_SEGMEXEC
49456+ if (vma->vm_mirror) {
49457+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
49458+ vma->vm_mirror->vm_mirror = NULL;
49459+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
49460+ vma->vm_mirror = NULL;
49461+ }
49462+#endif
49463+
49464 rb_erase(&vma->vm_rb, &mm->mm_rb);
49465 mm->map_count--;
49466 tail_vma = vma;
49467@@ -1824,10 +2072,25 @@ int split_vma(struct mm_struct * mm, str
49468 struct mempolicy *pol;
49469 struct vm_area_struct *new;
49470
49471+#ifdef CONFIG_PAX_SEGMEXEC
49472+ struct vm_area_struct *vma_m, *new_m = NULL;
49473+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
49474+#endif
49475+
49476 if (is_vm_hugetlb_page(vma) && (addr &
49477 ~(huge_page_mask(hstate_vma(vma)))))
49478 return -EINVAL;
49479
49480+#ifdef CONFIG_PAX_SEGMEXEC
49481+ vma_m = pax_find_mirror_vma(vma);
49482+
49483+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
49484+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
49485+ if (mm->map_count >= sysctl_max_map_count-1)
49486+ return -ENOMEM;
49487+ } else
49488+#endif
49489+
49490 if (mm->map_count >= sysctl_max_map_count)
49491 return -ENOMEM;
49492
49493@@ -1835,6 +2098,16 @@ int split_vma(struct mm_struct * mm, str
49494 if (!new)
49495 return -ENOMEM;
49496
49497+#ifdef CONFIG_PAX_SEGMEXEC
49498+ if (vma_m) {
49499+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49500+ if (!new_m) {
49501+ kmem_cache_free(vm_area_cachep, new);
49502+ return -ENOMEM;
49503+ }
49504+ }
49505+#endif
49506+
49507 /* most fields are the same, copy all, and then fixup */
49508 *new = *vma;
49509
49510@@ -1845,8 +2118,29 @@ int split_vma(struct mm_struct * mm, str
49511 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
49512 }
49513
49514+#ifdef CONFIG_PAX_SEGMEXEC
49515+ if (vma_m) {
49516+ *new_m = *vma_m;
49517+ new_m->vm_mirror = new;
49518+ new->vm_mirror = new_m;
49519+
49520+ if (new_below)
49521+ new_m->vm_end = addr_m;
49522+ else {
49523+ new_m->vm_start = addr_m;
49524+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
49525+ }
49526+ }
49527+#endif
49528+
49529 pol = mpol_dup(vma_policy(vma));
49530 if (IS_ERR(pol)) {
49531+
49532+#ifdef CONFIG_PAX_SEGMEXEC
49533+ if (new_m)
49534+ kmem_cache_free(vm_area_cachep, new_m);
49535+#endif
49536+
49537 kmem_cache_free(vm_area_cachep, new);
49538 return PTR_ERR(pol);
49539 }
49540@@ -1867,6 +2161,28 @@ int split_vma(struct mm_struct * mm, str
49541 else
49542 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
49543
49544+#ifdef CONFIG_PAX_SEGMEXEC
49545+ if (vma_m) {
49546+ mpol_get(pol);
49547+ vma_set_policy(new_m, pol);
49548+
49549+ if (new_m->vm_file) {
49550+ get_file(new_m->vm_file);
49551+ if (vma_m->vm_flags & VM_EXECUTABLE)
49552+ added_exe_file_vma(mm);
49553+ }
49554+
49555+ if (new_m->vm_ops && new_m->vm_ops->open)
49556+ new_m->vm_ops->open(new_m);
49557+
49558+ if (new_below)
49559+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
49560+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
49561+ else
49562+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
49563+ }
49564+#endif
49565+
49566 return 0;
49567 }
49568
49569@@ -1875,11 +2191,30 @@ int split_vma(struct mm_struct * mm, str
49570 * work. This now handles partial unmappings.
49571 * Jeremy Fitzhardinge <jeremy@goop.org>
49572 */
49573+#ifdef CONFIG_PAX_SEGMEXEC
49574 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49575 {
49576+ int ret = __do_munmap(mm, start, len);
49577+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
49578+ return ret;
49579+
49580+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
49581+}
49582+
49583+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49584+#else
49585+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49586+#endif
49587+{
49588 unsigned long end;
49589 struct vm_area_struct *vma, *prev, *last;
49590
49591+ /*
49592+ * mm->mmap_sem is required to protect against another thread
49593+ * changing the mappings in case we sleep.
49594+ */
49595+ verify_mm_writelocked(mm);
49596+
49597 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
49598 return -EINVAL;
49599
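Review bot: The new do_munmap wrapper passes `start + SEGMEXEC_TASK_SIZE` to a second `__do_munmap()` call without itself checking that `start + len` stays within SEGMEXEC_TASK_SIZE. In the lines shown only the munmap syscall hunk adds that range check, and other callers are not visible here. The wrapper also returns the second call's error after the first range has already been unmapped, and neither behaviour is documented. A comment above it would record the contract, e.g. `/* SEGMEXEC: also unmap the mirror range; callers keep start+len <= SEGMEXEC_TASK_SIZE */`. The body of __do_munmap continues past the end of this hunk.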
49600@@ -1943,6 +2278,8 @@ int do_munmap(struct mm_struct *mm, unsi
49601 /* Fix up all other VM information */
49602 remove_vma_list(mm, vma);
49603
49604+ track_exec_limit(mm, start, end, 0UL);
49605+
49606 return 0;
49607 }
49608
49609@@ -1955,22 +2292,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
49610
49611 profile_munmap(addr);
49612
49613+#ifdef CONFIG_PAX_SEGMEXEC
49614+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
49615+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
49616+ return -EINVAL;
49617+#endif
49618+
49619 down_write(&mm->mmap_sem);
49620 ret = do_munmap(mm, addr, len);
49621 up_write(&mm->mmap_sem);
49622 return ret;
49623 }
49624
49625-static inline void verify_mm_writelocked(struct mm_struct *mm)
49626-{
49627-#ifdef CONFIG_DEBUG_VM
49628- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
49629- WARN_ON(1);
49630- up_read(&mm->mmap_sem);
49631- }
49632-#endif
49633-}
49634-
49635 /*
49636 * this is really a simplified "do_mmap". it only handles
49637 * anonymous maps. eventually we may be able to do some
49638@@ -1984,6 +2317,11 @@ unsigned long do_brk(unsigned long addr,
49639 struct rb_node ** rb_link, * rb_parent;
49640 pgoff_t pgoff = addr >> PAGE_SHIFT;
49641 int error;
49642+ unsigned long charged;
49643+
49644+#ifdef CONFIG_PAX_SEGMEXEC
49645+ struct vm_area_struct *vma_m = NULL;
49646+#endif
49647
49648 len = PAGE_ALIGN(len);
49649 if (!len)
49650@@ -1995,16 +2333,30 @@ unsigned long do_brk(unsigned long addr,
49651
49652 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
49653
49654+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49655+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49656+ flags &= ~VM_EXEC;
49657+
49658+#ifdef CONFIG_PAX_MPROTECT
49659+ if (mm->pax_flags & MF_PAX_MPROTECT)
49660+ flags &= ~VM_MAYEXEC;
49661+#endif
49662+
49663+ }
49664+#endif
49665+
49666 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
49667 if (error & ~PAGE_MASK)
49668 return error;
49669
49670+ charged = len >> PAGE_SHIFT;
49671+
49672 /*
49673 * mlock MCL_FUTURE?
49674 */
49675 if (mm->def_flags & VM_LOCKED) {
49676 unsigned long locked, lock_limit;
49677- locked = len >> PAGE_SHIFT;
49678+ locked = charged;
49679 locked += mm->locked_vm;
49680 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49681 lock_limit >>= PAGE_SHIFT;
49682@@ -2021,22 +2373,22 @@ unsigned long do_brk(unsigned long addr,
49683 /*
49684 * Clear old maps. this also does some error checking for us
49685 */
49686- munmap_back:
49687 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49688 if (vma && vma->vm_start < addr + len) {
49689 if (do_munmap(mm, addr, len))
49690 return -ENOMEM;
49691- goto munmap_back;
49692+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49693+ BUG_ON(vma && vma->vm_start < addr + len);
49694 }
49695
49696 /* Check against address space limits *after* clearing old maps... */
49697- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
49698+ if (!may_expand_vm(mm, charged))
49699 return -ENOMEM;
49700
49701 if (mm->map_count > sysctl_max_map_count)
49702 return -ENOMEM;
49703
49704- if (security_vm_enough_memory(len >> PAGE_SHIFT))
49705+ if (security_vm_enough_memory(charged))
49706 return -ENOMEM;
49707
49708 /* Can we just expand an old private anonymous mapping? */
49709@@ -2050,10 +2402,21 @@ unsigned long do_brk(unsigned long addr,
49710 */
49711 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49712 if (!vma) {
49713- vm_unacct_memory(len >> PAGE_SHIFT);
49714+ vm_unacct_memory(charged);
49715 return -ENOMEM;
49716 }
49717
49718+#ifdef CONFIG_PAX_SEGMEXEC
49719+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
49720+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49721+ if (!vma_m) {
49722+ kmem_cache_free(vm_area_cachep, vma);
49723+ vm_unacct_memory(charged);
49724+ return -ENOMEM;
49725+ }
49726+ }
49727+#endif
49728+
49729 vma->vm_mm = mm;
49730 vma->vm_start = addr;
49731 vma->vm_end = addr + len;
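Review bot: The `vma_m` allocated in the added SEGMEXEC block is never linked, mirrored or freed in the rest of do_brk, which the following hunk shows through `return addr;`, so the object would leak if the condition were ever true. An earlier do_brk hunk clears `VM_EXEC` from `flags` whenever `MF_PAX_SEGMEXEC` is set, so `(flags & VM_EXEC)` looks unreachable here rather than live. Either drop the block or state the invariant instead, e.g. `BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC));`. do_brk starts and ends outside this hunk.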
49732@@ -2062,11 +2425,12 @@ unsigned long do_brk(unsigned long addr,
49733 vma->vm_page_prot = vm_get_page_prot(flags);
49734 vma_link(mm, vma, prev, rb_link, rb_parent);
49735 out:
49736- mm->total_vm += len >> PAGE_SHIFT;
49737+ mm->total_vm += charged;
49738 if (flags & VM_LOCKED) {
49739 if (!mlock_vma_pages_range(vma, addr, addr + len))
49740- mm->locked_vm += (len >> PAGE_SHIFT);
49741+ mm->locked_vm += charged;
49742 }
49743+ track_exec_limit(mm, addr, addr + len, flags);
49744 return addr;
49745 }
49746
49747@@ -2113,8 +2477,10 @@ void exit_mmap(struct mm_struct *mm)
49748 * Walk the list again, actually closing and freeing it,
49749 * with preemption enabled, without holding any MM locks.
49750 */
49751- while (vma)
49752+ while (vma) {
49753+ vma->vm_mirror = NULL;
49754 vma = remove_vma(vma);
49755+ }
49756
49757 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
49758 }
49759@@ -2128,6 +2494,10 @@ int insert_vm_struct(struct mm_struct *
49760 struct vm_area_struct * __vma, * prev;
49761 struct rb_node ** rb_link, * rb_parent;
49762
49763+#ifdef CONFIG_PAX_SEGMEXEC
49764+ struct vm_area_struct *vma_m = NULL;
49765+#endif
49766+
49767 /*
49768 * The vm_pgoff of a purely anonymous vma should be irrelevant
49769 * until its first write fault, when page's anon_vma and index
49770@@ -2150,7 +2520,22 @@ int insert_vm_struct(struct mm_struct *
49771 if ((vma->vm_flags & VM_ACCOUNT) &&
49772 security_vm_enough_memory_mm(mm, vma_pages(vma)))
49773 return -ENOMEM;
49774+
49775+#ifdef CONFIG_PAX_SEGMEXEC
49776+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
49777+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49778+ if (!vma_m)
49779+ return -ENOMEM;
49780+ }
49781+#endif
49782+
49783 vma_link(mm, vma, prev, rb_link, rb_parent);
49784+
49785+#ifdef CONFIG_PAX_SEGMEXEC
49786+ if (vma_m)
49787+ pax_mirror_vma(vma_m, vma);
49788+#endif
49789+
49790 return 0;
49791 }
49792
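Review bot: The added `return -ENOMEM` for a failed `vma_m` allocation comes after the `security_vm_enough_memory_mm()` check, and nothing on that path gives the accounted pages back. The do_brk hunk in this same patch calls `vm_unacct_memory(charged)` on its equivalent failure path, which suggests a successful check leaves a charge behind (the helper is not visible here, so confirm). Allocating `vma_m` before the accounting check, or adding `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));` before the return, would keep the two functions consistent. insert_vm_struct starts outside the hunk.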
49793@@ -2168,6 +2553,8 @@ struct vm_area_struct *copy_vma(struct v
49794 struct rb_node **rb_link, *rb_parent;
49795 struct mempolicy *pol;
49796
49797+ BUG_ON(vma->vm_mirror);
49798+
49799 /*
49800 * If anonymous vma has not yet been faulted, update new pgoff
49801 * to match new location, to increase its chance of merging.
49802@@ -2211,6 +2598,35 @@ struct vm_area_struct *copy_vma(struct v
49803 return new_vma;
49804 }
49805
49806+#ifdef CONFIG_PAX_SEGMEXEC
49807+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
49808+{
49809+ struct vm_area_struct *prev_m;
49810+ struct rb_node **rb_link_m, *rb_parent_m;
49811+ struct mempolicy *pol_m;
49812+
49813+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
49814+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
49815+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
49816+ *vma_m = *vma;
49817+ pol_m = vma_policy(vma_m);
49818+ mpol_get(pol_m);
49819+ vma_set_policy(vma_m, pol_m);
49820+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
49821+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
49822+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
49823+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
49824+ if (vma_m->vm_file)
49825+ get_file(vma_m->vm_file);
49826+ if (vma_m->vm_ops && vma_m->vm_ops->open)
49827+ vma_m->vm_ops->open(vma_m);
49828+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
49829+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
49830+ vma_m->vm_mirror = vma;
49831+ vma->vm_mirror = vma_m;
49832+}
49833+#endif
49834+
49835 /*
49836 * Return true if the calling process may expand its vm space by the passed
49837 * number of pages
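Review bot: pax_mirror_vma discards the result of `find_vma_prepare()`, so an existing mapping that overlaps the mirror range is not detected before `vma_link()`. The function asserts its other preconditions with BUG_ON, and the do_brk hunk in this patch checks the same lookup with `BUG_ON(vma && vma->vm_start < addr + len);`. An equivalent assertion on the returned VMA against `vma_m->vm_end` would fit here. The function also has no header comment: it should say that `vma_m` is caller-allocated and must be initialised (its `vm_mirror` and policy are read before `*vma_m = *vma`), that the mirror is placed SEGMEXEC_TASK_SIZE above the original with the write, account and locked flags cleared, and that the two VMAs end up pointing at each other through `vm_mirror`.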
49838@@ -2221,7 +2637,7 @@ int may_expand_vm(struct mm_struct *mm,
49839 unsigned long lim;
49840
49841 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
49842-
49843+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
49844 if (cur + npages > lim)
49845 return 0;
49846 return 1;
49847@@ -2290,6 +2706,15 @@ int install_special_mapping(struct mm_st
49848 vma->vm_start = addr;
49849 vma->vm_end = addr + len;
49850
49851+#ifdef CONFIG_PAX_MPROTECT
49852+ if (mm->pax_flags & MF_PAX_MPROTECT) {
49853+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
49854+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49855+ else
49856+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49857+ }
49858+#endif
49859+
49860 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
49861 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49862
49863diff -urNp linux-2.6.32.9/mm/mprotect.c linux-2.6.32.9/mm/mprotect.c
49864--- linux-2.6.32.9/mm/mprotect.c 2010-02-09 07:57:19.000000000 -0500
49865+++ linux-2.6.32.9/mm/mprotect.c 2010-02-23 17:09:56.652716557 -0500
49866@@ -24,10 +24,16 @@
49867 #include <linux/mmu_notifier.h>
49868 #include <linux/migrate.h>
49869 #include <linux/perf_event.h>
49870+
49871+#ifdef CONFIG_PAX_MPROTECT
49872+#include <linux/elf.h>
49873+#endif
49874+
49875 #include <asm/uaccess.h>
49876 #include <asm/pgtable.h>
49877 #include <asm/cacheflush.h>
49878 #include <asm/tlbflush.h>
49879+#include <asm/mmu_context.h>
49880
49881 #ifndef pgprot_modify
49882 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
49883@@ -132,6 +138,48 @@ static void change_protection(struct vm_
49884 flush_tlb_range(vma, start, end);
49885 }
49886
49887+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49888+/* called while holding the mmap semaphor for writing except stack expansion */
49889+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
49890+{
49891+ unsigned long oldlimit, newlimit = 0UL;
49892+
49893+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
49894+ return;
49895+
49896+ spin_lock(&mm->page_table_lock);
49897+ oldlimit = mm->context.user_cs_limit;
49898+ if ((prot & VM_EXEC) && oldlimit < end)
49899+ /* USER_CS limit moved up */
49900+ newlimit = end;
49901+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
49902+ /* USER_CS limit moved down */
49903+ newlimit = start;
49904+
49905+ if (newlimit) {
49906+ mm->context.user_cs_limit = newlimit;
49907+
49908+#ifdef CONFIG_SMP
49909+ wmb();
49910+ cpus_clear(mm->context.cpu_user_cs_mask);
49911+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
49912+#endif
49913+
49914+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
49915+ }
49916+ spin_unlock(&mm->page_table_lock);
49917+ if (newlimit == end) {
49918+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
49919+
49920+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
49921+ if (is_vm_hugetlb_page(vma))
49922+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
49923+ else
49924+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
49925+ }
49926+}
49927+#endif
49928+
49929 int
49930 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
49931 unsigned long start, unsigned long end, unsigned long newflags)
49932@@ -144,6 +192,14 @@ mprotect_fixup(struct vm_area_struct *vm
49933 int error;
49934 int dirty_accountable = 0;
49935
49936+#ifdef CONFIG_PAX_SEGMEXEC
49937+ struct vm_area_struct *vma_m = NULL;
49938+ unsigned long start_m, end_m;
49939+
49940+ start_m = start + SEGMEXEC_TASK_SIZE;
49941+ end_m = end + SEGMEXEC_TASK_SIZE;
49942+#endif
49943+
49944 if (newflags == oldflags) {
49945 *pprev = vma;
49946 return 0;
49947@@ -165,6 +221,38 @@ mprotect_fixup(struct vm_area_struct *vm
49948 }
49949 }
49950
49951+#ifdef CONFIG_PAX_SEGMEXEC
49952+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
49953+ if (start != vma->vm_start) {
49954+ error = split_vma(mm, vma, start, 1);
49955+ if (error)
49956+ goto fail;
49957+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
49958+ *pprev = (*pprev)->vm_next;
49959+ }
49960+
49961+ if (end != vma->vm_end) {
49962+ error = split_vma(mm, vma, end, 0);
49963+ if (error)
49964+ goto fail;
49965+ }
49966+
49967+ if (pax_find_mirror_vma(vma)) {
49968+ error = __do_munmap(mm, start_m, end_m - start_m);
49969+ if (error)
49970+ goto fail;
49971+ } else {
49972+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49973+ if (!vma_m) {
49974+ error = -ENOMEM;
49975+ goto fail;
49976+ }
49977+ vma->vm_flags = newflags;
49978+ pax_mirror_vma(vma_m, vma);
49979+ }
49980+ }
49981+#endif
49982+
49983 /*
49984 * First try to merge with previous and/or next vma.
49985 */
49986@@ -196,8 +284,14 @@ success:
49987 * held in write mode.
49988 */
49989 vma->vm_flags = newflags;
49990+
49991+#ifdef CONFIG_PAX_MPROTECT
49992+ if (mm->binfmt && mm->binfmt->handle_mprotect)
49993+ mm->binfmt->handle_mprotect(vma, newflags);
49994+#endif
49995+
49996 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
49997- vm_get_page_prot(newflags));
49998+ vm_get_page_prot(vma->vm_flags));
49999
50000 if (vma_wants_writenotify(vma)) {
50001 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
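Review bot: After this change the first `vm_page_prot` computation reads `vma->vm_flags`, but the `vma_wants_writenotify()` branch just below still recomputes it from `newflags & ~VM_SHARED`. If `handle_mprotect` can alter `vma->vm_flags` (which the switch away from `newflags` suggests, though the handler is not visible here), that branch discards the handler's change. Using `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)` there would keep both paths consistent. The enclosing block continues past the end of the hunk.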
50002@@ -238,6 +332,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50003 end = start + len;
50004 if (end <= start)
50005 return -ENOMEM;
50006+
50007+#ifdef CONFIG_PAX_SEGMEXEC
50008+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50009+ if (end > SEGMEXEC_TASK_SIZE)
50010+ return -EINVAL;
50011+ } else
50012+#endif
50013+
50014+ if (end > TASK_SIZE)
50015+ return -EINVAL;
50016+
50017 if (!arch_validate_prot(prot))
50018 return -EINVAL;
50019
50020@@ -245,7 +350,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50021 /*
50022 * Does the application expect PROT_READ to imply PROT_EXEC:
50023 */
50024- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
50025+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
50026 prot |= PROT_EXEC;
50027
50028 vm_flags = calc_vm_prot_bits(prot);
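Review bot: The comment above the changed condition still says that PROT_READ implies PROT_EXEC, while the new test also fires for `PROT_WRITE`. Since this widens when `PROT_EXEC` is added under READ_IMPLIES_EXEC, the comment should be updated, e.g. `* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC:`. It should also say why write-only requests are included, which is not evident from the hunk.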
50029@@ -277,6 +382,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50030 if (start > vma->vm_start)
50031 prev = vma;
50032
50033+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
50034+ error = -EACCES;
50035+ goto out;
50036+ }
50037+
50038+#ifdef CONFIG_PAX_MPROTECT
50039+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
50040+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
50041+#endif
50042+
50043 for (nstart = start ; ; ) {
50044 unsigned long newflags;
50045
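Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` and the `handle_mprotect` call are placed before the `for (nstart = start ; ; )` loop, so they run once, on the first VMA of the range. The loop then advances through the range (`nstart = tmp` in the next hunk), and the lines between the hunks are unchanged by this patch. Later VMAs, possibly backed by a different file, therefore do not appear to reach the ACL check. If the policy is meant to apply per mapping, both calls belong inside the loop; if checking only the first VMA is intentional, a comment should say so.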
50046@@ -301,6 +416,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50047 if (error)
50048 goto out;
50049 perf_event_mmap(vma);
50050+
50051+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
50052+
50053 nstart = tmp;
50054
50055 if (nstart < prev->vm_end)
50056diff -urNp linux-2.6.32.9/mm/mremap.c linux-2.6.32.9/mm/mremap.c
50057--- linux-2.6.32.9/mm/mremap.c 2010-02-09 07:57:19.000000000 -0500
50058+++ linux-2.6.32.9/mm/mremap.c 2010-02-23 17:09:56.652716557 -0500
50059@@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
50060 continue;
50061 pte = ptep_clear_flush(vma, old_addr, old_pte);
50062 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
50063+
50064+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50065+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
50066+ pte = pte_exprotect(pte);
50067+#endif
50068+
50069 set_pte_at(mm, new_addr, new_pte, pte);
50070 }
50071
50072@@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
50073 if (is_vm_hugetlb_page(vma))
50074 goto Einval;
50075
50076+#ifdef CONFIG_PAX_SEGMEXEC
50077+ if (pax_find_mirror_vma(vma))
50078+ goto Einval;
50079+#endif
50080+
50081 /* We can't remap across vm area boundaries */
50082 if (old_len > vma->vm_end - addr)
50083 goto Efault;
50084@@ -322,20 +333,23 @@ static unsigned long mremap_to(unsigned
50085 unsigned long ret = -EINVAL;
50086 unsigned long charged = 0;
50087 unsigned long map_flags;
50088+ unsigned long pax_task_size = TASK_SIZE;
50089
50090 if (new_addr & ~PAGE_MASK)
50091 goto out;
50092
50093- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
50094+#ifdef CONFIG_PAX_SEGMEXEC
50095+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
50096+ pax_task_size = SEGMEXEC_TASK_SIZE;
50097+#endif
50098+
50099+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
50100 goto out;
50101
50102 /* Check if the location we're moving into overlaps the
50103 * old location at all, and fail if it does.
50104 */
50105- if ((new_addr <= addr) && (new_addr+new_len) > addr)
50106- goto out;
50107-
50108- if ((addr <= new_addr) && (addr+old_len) > new_addr)
50109+ if (addr + old_len > new_addr && new_addr + new_len > addr)
50110 goto out;
50111
50112 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
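Review bot: The new bounds test mixes two limits, `new_len > TASK_SIZE` but `new_addr > pax_task_size - new_len`. For a `new_len` between SEGMEXEC_TASK_SIZE and TASK_SIZE the subtraction wraps (assuming `new_len` is unsigned long like `pax_task_size`), and the second comparison then rejects nothing. The do_mremap hunk below rejects such lengths before mremap_to is called, so this looks unreachable today, but the check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to continues past the end of the hunk.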
50113@@ -407,6 +421,7 @@ unsigned long do_mremap(unsigned long ad
50114 struct vm_area_struct *vma;
50115 unsigned long ret = -EINVAL;
50116 unsigned long charged = 0;
50117+ unsigned long pax_task_size = TASK_SIZE;
50118
50119 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
50120 goto out;
50121@@ -425,6 +440,15 @@ unsigned long do_mremap(unsigned long ad
50122 if (!new_len)
50123 goto out;
50124
50125+#ifdef CONFIG_PAX_SEGMEXEC
50126+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
50127+ pax_task_size = SEGMEXEC_TASK_SIZE;
50128+#endif
50129+
50130+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
50131+ old_len > pax_task_size || addr > pax_task_size-old_len)
50132+ goto out;
50133+
50134 if (flags & MREMAP_FIXED) {
50135 if (flags & MREMAP_MAYMOVE)
50136 ret = mremap_to(addr, old_len, new_addr, new_len);
50137@@ -471,6 +495,7 @@ unsigned long do_mremap(unsigned long ad
50138 addr + new_len);
50139 }
50140 ret = addr;
50141+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
50142 goto out;
50143 }
50144 }
50145@@ -497,7 +522,13 @@ unsigned long do_mremap(unsigned long ad
50146 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
50147 if (ret)
50148 goto out;
50149+
50150+ map_flags = vma->vm_flags;
50151 ret = move_vma(vma, addr, old_len, new_len, new_addr);
50152+ if (!(ret & ~PAGE_MASK)) {
50153+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
50154+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
50155+ }
50156 }
50157 out:
50158 if (ret & ~PAGE_MASK)
50159diff -urNp linux-2.6.32.9/mm/nommu.c linux-2.6.32.9/mm/nommu.c
50160--- linux-2.6.32.9/mm/nommu.c 2010-02-09 07:57:19.000000000 -0500
50161+++ linux-2.6.32.9/mm/nommu.c 2010-02-23 17:09:56.652716557 -0500
50162@@ -758,15 +758,6 @@ struct vm_area_struct *find_vma(struct m
50163 EXPORT_SYMBOL(find_vma);
50164
50165 /*
50166- * find a VMA
50167- * - we don't extend stack VMAs under NOMMU conditions
50168- */
50169-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
50170-{
50171- return find_vma(mm, addr);
50172-}
50173-
50174-/*
50175 * expand a stack to a given address
50176 * - not supported under NOMMU conditions
50177 */
50178diff -urNp linux-2.6.32.9/mm/page_alloc.c linux-2.6.32.9/mm/page_alloc.c
50179--- linux-2.6.32.9/mm/page_alloc.c 2010-02-09 07:57:19.000000000 -0500
50180+++ linux-2.6.32.9/mm/page_alloc.c 2010-02-23 17:09:56.652716557 -0500
50181@@ -586,6 +586,10 @@ static void __free_pages_ok(struct page
50182 int bad = 0;
50183 int wasMlocked = __TestClearPageMlocked(page);
50184
50185+#ifdef CONFIG_PAX_MEMORY_SANITIZE
50186+ unsigned long index = 1UL << order;
50187+#endif
50188+
50189 kmemcheck_free_shadow(page, order);
50190
50191 for (i = 0 ; i < (1 << order) ; ++i)
50192@@ -598,6 +602,12 @@ static void __free_pages_ok(struct page
50193 debug_check_no_obj_freed(page_address(page),
50194 PAGE_SIZE << order);
50195 }
50196+
50197+#ifdef CONFIG_PAX_MEMORY_SANITIZE
50198+ for (; index; --index)
50199+ sanitize_highpage(page + index - 1);
50200+#endif
50201+
50202 arch_free_page(page, order);
50203 kernel_map_pages(page, 1 << order, 0);
50204
50205@@ -701,8 +711,10 @@ static int prep_new_page(struct page *pa
50206 arch_alloc_page(page, order);
50207 kernel_map_pages(page, 1 << order, 1);
50208
50209+#ifndef CONFIG_PAX_MEMORY_SANITIZE
50210 if (gfp_flags & __GFP_ZERO)
50211 prep_zero_page(page, order, gfp_flags);
50212+#endif
50213
50214 if (order && (gfp_flags & __GFP_COMP))
50215 prep_compound_page(page, order);
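Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` handling is compiled out, and no comment explains why that is safe. It relies on every page having been cleared on its way back into the allocator, which the `sanitize_highpage()` calls added to __free_pages_ok and free_hot_cold_page in this file appear to provide (sanitize_highpage itself is not visible here). Any path that frees pages without going through those two would hand unzeroed memory to `__GFP_ZERO` callers. A comment next to the `#ifndef` would record the invariant, e.g. `/* PAX_MEMORY_SANITIZE clears pages on free, so __GFP_ZERO needs no extra work here */`. prep_new_page starts and ends outside the hunk.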
50216@@ -1096,6 +1108,11 @@ static void free_hot_cold_page(struct pa
50217 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
50218 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
50219 }
50220+
50221+#ifdef CONFIG_PAX_MEMORY_SANITIZE
50222+ sanitize_highpage(page);
50223+#endif
50224+
50225 arch_free_page(page, 0);
50226 kernel_map_pages(page, 1, 0);
50227
50228diff -urNp linux-2.6.32.9/mm/percpu.c linux-2.6.32.9/mm/percpu.c
50229--- linux-2.6.32.9/mm/percpu.c 2010-02-09 07:57:19.000000000 -0500
50230+++ linux-2.6.32.9/mm/percpu.c 2010-02-23 17:09:56.652716557 -0500
50231@@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
50232 static unsigned int pcpu_last_unit_cpu __read_mostly;
50233
50234 /* the address of the first chunk which starts with the kernel static area */
50235-void *pcpu_base_addr __read_mostly;
50236+void *pcpu_base_addr __read_only;
50237 EXPORT_SYMBOL_GPL(pcpu_base_addr);
50238
50239 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
50240diff -urNp linux-2.6.32.9/mm/rmap.c linux-2.6.32.9/mm/rmap.c
50241--- linux-2.6.32.9/mm/rmap.c 2010-02-09 07:57:19.000000000 -0500
50242+++ linux-2.6.32.9/mm/rmap.c 2010-02-23 17:09:56.656790635 -0500
50243@@ -108,6 +108,10 @@ int anon_vma_prepare(struct vm_area_stru
50244 struct mm_struct *mm = vma->vm_mm;
50245 struct anon_vma *allocated;
50246
50247+#ifdef CONFIG_PAX_SEGMEXEC
50248+ struct vm_area_struct *vma_m;
50249+#endif
50250+
50251 anon_vma = find_mergeable_anon_vma(vma);
50252 allocated = NULL;
50253 if (!anon_vma) {
50254@@ -121,6 +125,15 @@ int anon_vma_prepare(struct vm_area_stru
50255 /* page_table_lock to protect against threads */
50256 spin_lock(&mm->page_table_lock);
50257 if (likely(!vma->anon_vma)) {
50258+
50259+#ifdef CONFIG_PAX_SEGMEXEC
50260+ vma_m = pax_find_mirror_vma(vma);
50261+ if (vma_m) {
50262+ vma_m->anon_vma = anon_vma;
50263+ __anon_vma_link(vma_m);
50264+ }
50265+#endif
50266+
50267 vma->anon_vma = anon_vma;
50268 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
50269 allocated = NULL;
50270diff -urNp linux-2.6.32.9/mm/shmem.c linux-2.6.32.9/mm/shmem.c
50271--- linux-2.6.32.9/mm/shmem.c 2010-02-09 07:57:19.000000000 -0500
50272+++ linux-2.6.32.9/mm/shmem.c 2010-02-23 17:09:56.656790635 -0500
50273@@ -31,7 +31,7 @@
50274 #include <linux/swap.h>
50275 #include <linux/ima.h>
50276
50277-static struct vfsmount *shm_mnt;
50278+struct vfsmount *shm_mnt;
50279
50280 #ifdef CONFIG_SHMEM
50281 /*
50282diff -urNp linux-2.6.32.9/mm/slab.c linux-2.6.32.9/mm/slab.c
50283--- linux-2.6.32.9/mm/slab.c 2010-02-09 07:57:19.000000000 -0500
50284+++ linux-2.6.32.9/mm/slab.c 2010-02-23 17:09:56.656790635 -0500
50285@@ -308,7 +308,7 @@ struct kmem_list3 {
50286 * Need this for bootstrapping a per node allocator.
50287 */
50288 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
50289-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
50290+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
50291 #define CACHE_CACHE 0
50292 #define SIZE_AC MAX_NUMNODES
50293 #define SIZE_L3 (2 * MAX_NUMNODES)
50294@@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
50295 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
50296 */
50297 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
50298- const struct slab *slab, void *obj)
50299+ const struct slab *slab, const void *obj)
50300 {
50301 u32 offset = (obj - slab->s_mem);
50302 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
50303@@ -584,14 +584,14 @@ struct cache_names {
50304 static struct cache_names __initdata cache_names[] = {
50305 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
50306 #include <linux/kmalloc_sizes.h>
50307- {NULL,}
50308+ {NULL, NULL}
50309 #undef CACHE
50310 };
50311
50312 static struct arraycache_init initarray_cache __initdata =
50313- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50314+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50315 static struct arraycache_init initarray_generic =
50316- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50317+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50318
50319 /* internal cache of cache description objs */
50320 static struct kmem_cache cache_cache = {
50321@@ -4084,7 +4084,7 @@ out:
50322 schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_CPUC));
50323 }
50324
50325-#ifdef CONFIG_SLABINFO
50326+#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50327
50328 static void print_slabinfo_header(struct seq_file *m)
50329 {
50330@@ -4482,6 +4482,51 @@ static int __init slab_proc_init(void)
50331 module_init(slab_proc_init);
50332 #endif
50333
50334+void check_object_size(const void *ptr, unsigned long n, bool to)
50335+{
50336+
50337+#ifdef CONFIG_PAX_USERCOPY
50338+ struct kmem_cache *cachep;
50339+ struct slab *slabp;
50340+ struct page *page;
50341+ unsigned int objnr;
50342+ unsigned long offset;
50343+
50344+ if (!n)
50345+ return;
50346+
50347+ if (ZERO_OR_NULL_PTR(ptr))
50348+ goto report;
50349+
50350+ if (!virt_addr_valid(ptr))
50351+ return;
50352+
50353+ page = virt_to_head_page(ptr);
50354+
50355+ if (!PageSlab(page)) {
50356+ if (object_is_on_stack(ptr, n) == -1)
50357+ goto report;
50358+ return;
50359+ }
50360+
50361+ cachep = page_get_cache(page);
50362+ slabp = page_get_slab(page);
50363+ objnr = obj_to_index(cachep, slabp, ptr);
50364+ BUG_ON(objnr >= cachep->num);
50365+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
50366+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
50367+ return;
50368+
50369+report:
50370+ if (to)
50371+ pax_report_leak_to_user(ptr, n);
50372+ else
50373+ pax_report_overflow_from_user(ptr, n);
50374+#endif
50375+
50376+}
50377+EXPORT_SYMBOL(check_object_size);
50378+
50379 /**
50380 * ksize - get the actual amount of memory allocated for a given object
50381 * @objp: Pointer to the object
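Review bot: check_object_size is exported without a kernel-doc comment, and its contract is not obvious from the signature, although the next function in the file (ksize) uses the `/** ... */` form. A header comment should state that `to` selects the report (`pax_report_leak_to_user` when true, `pax_report_overflow_from_user` otherwise), that a zero `n` is accepted, and that a ZERO_OR_NULL_PTR pointer is reported. It should also state that only slab objects and on-stack ranges are bounds-checked: pointers failing `virt_addr_valid()` return unchecked, as do non-slab pages for which `object_is_on_stack()` does not return -1. The bare `-1` would read better as a named constant if the helper's header offers one. Without CONFIG_PAX_USERCOPY the function body is empty, which the comment should mention too.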
50382diff -urNp linux-2.6.32.9/mm/slob.c linux-2.6.32.9/mm/slob.c
50383--- linux-2.6.32.9/mm/slob.c 2010-02-09 07:57:19.000000000 -0500
50384+++ linux-2.6.32.9/mm/slob.c 2010-02-23 17:09:56.713257424 -0500
50385@@ -29,7 +29,7 @@
50386 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
50387 * alloc_pages() directly, allocating compound pages so the page order
50388 * does not have to be separately tracked, and also stores the exact
50389- * allocation size in page->private so that it can be used to accurately
50390+ * allocation size in slob_page->size so that it can be used to accurately
50391 * provide ksize(). These objects are detected in kfree() because slob_page()
50392 * is false for them.
50393 *
50394@@ -58,6 +58,7 @@
50395 */
50396
50397 #include <linux/kernel.h>
50398+#include <linux/sched.h>
50399 #include <linux/slab.h>
50400 #include <linux/mm.h>
50401 #include <linux/swap.h> /* struct reclaim_state */
50402@@ -100,7 +101,8 @@ struct slob_page {
50403 unsigned long flags; /* mandatory */
50404 atomic_t _count; /* mandatory */
50405 slobidx_t units; /* free units left in page */
50406- unsigned long pad[2];
50407+ unsigned long pad[1];
50408+ unsigned long size; /* size when >=PAGE_SIZE */
50409 slob_t *free; /* first free slob_t in page */
50410 struct list_head list; /* linked list of free pages */
50411 };
50412@@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
50413 */
50414 static inline int is_slob_page(struct slob_page *sp)
50415 {
50416- return PageSlab((struct page *)sp);
50417+ return PageSlab((struct page *)sp) && !sp->size;
50418 }
50419
50420 static inline void set_slob_page(struct slob_page *sp)
50421@@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
50422
50423 static inline struct slob_page *slob_page(const void *addr)
50424 {
50425- return (struct slob_page *)virt_to_page(addr);
50426+ return (struct slob_page *)virt_to_head_page(addr);
50427 }
50428
50429 /*
50430@@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
50431 /*
50432 * Return the size of a slob block.
50433 */
50434-static slobidx_t slob_units(slob_t *s)
50435+static slobidx_t slob_units(const slob_t *s)
50436 {
50437 if (s->units > 0)
50438 return s->units;
50439@@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
50440 /*
50441 * Return the next free slob block pointer after this one.
50442 */
50443-static slob_t *slob_next(slob_t *s)
50444+static slob_t *slob_next(const slob_t *s)
50445 {
50446 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
50447 slobidx_t next;
50448@@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
50449 /*
50450 * Returns true if s is the last free block in its page.
50451 */
50452-static int slob_last(slob_t *s)
50453+static int slob_last(const slob_t *s)
50454 {
50455 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
50456 }
50457@@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
50458 if (!page)
50459 return NULL;
50460
50461+ set_slob_page(page);
50462 return page_address(page);
50463 }
50464
50465@@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
50466 if (!b)
50467 return NULL;
50468 sp = slob_page(b);
50469- set_slob_page(sp);
50470
50471 spin_lock_irqsave(&slob_lock, flags);
50472 sp->units = SLOB_UNITS(PAGE_SIZE);
50473 sp->free = b;
50474+ sp->size = 0;
50475 INIT_LIST_HEAD(&sp->list);
50476 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
50477 set_slob_page_free(sp, slob_list);
50478@@ -475,10 +478,9 @@ out:
50479 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
50480 #endif
50481
50482-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50483+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
50484 {
50485- unsigned int *m;
50486- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50487+ slob_t *m;
50488 void *ret;
50489
50490 lockdep_trace_alloc(gfp);
50491@@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
50492
50493 if (!m)
50494 return NULL;
50495- *m = size;
50496+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
50497+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
50498+ m[0].units = size;
50499+ m[1].units = align;
50500 ret = (void *)m + align;
50501
50502 trace_kmalloc_node(_RET_IP_, ret,
50503@@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
50504
50505 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
50506 if (ret) {
50507- struct page *page;
50508- page = virt_to_page(ret);
50509- page->private = size;
50510+ struct slob_page *sp;
50511+ sp = slob_page(ret);
50512+ sp->size = size;
50513 }
50514
50515 trace_kmalloc_node(_RET_IP_, ret,
50516@@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
50517 kmemleak_alloc(ret, size, 1, gfp);
50518 return ret;
50519 }
50520+
50521+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50522+{
50523+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50524+
50525+ return __kmalloc_node_align(size, gfp, node, align);
50526+}
50527 EXPORT_SYMBOL(__kmalloc_node);
50528
50529 void kfree(const void *block)
50530@@ -528,13 +540,84 @@ void kfree(const void *block)
50531 sp = slob_page(block);
50532 if (is_slob_page(sp)) {
50533 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50534- unsigned int *m = (unsigned int *)(block - align);
50535- slob_free(m, *m + align);
50536- } else
50537+ slob_t *m = (slob_t *)(block - align);
50538+ slob_free(m, m[0].units + align);
50539+ } else {
50540+ clear_slob_page(sp);
50541+ free_slob_page(sp);
50542+ sp->size = 0;
50543 put_page(&sp->page);
50544+ }
50545 }
50546 EXPORT_SYMBOL(kfree);
50547
50548+void check_object_size(const void *ptr, unsigned long n, bool to)
50549+{
50550+
50551+#ifdef CONFIG_PAX_USERCOPY
50552+ struct slob_page *sp;
50553+ const slob_t *free;
50554+ const void *base;
50555+
50556+ if (!n)
50557+ return;
50558+
50559+ if (ZERO_OR_NULL_PTR(ptr))
50560+ goto report;
50561+
50562+ if (!virt_addr_valid(ptr))
50563+ return;
50564+
50565+ sp = slob_page(ptr);
50566+ if (!PageSlab((struct page*)sp)) {
50567+ if (object_is_on_stack(ptr, n) == -1)
50568+ goto report;
50569+ return;
50570+ }
50571+
50572+ if (sp->size) {
50573+ base = page_address(&sp->page);
50574+ if (base <= ptr && n <= sp->size - (ptr - base))
50575+ return;
50576+ goto report;
50577+ }
50578+
50579+ /* some tricky double walking to find the chunk */
50580+ base = (void *)((unsigned long)ptr & PAGE_MASK);
50581+ free = sp->free;
50582+
50583+ while (!slob_last(free) && (void *)free <= ptr) {
50584+ base = free + slob_units(free);
50585+ free = slob_next(free);
50586+ }
50587+
50588+ while (base < (void *)free) {
50589+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
50590+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
50591+ int offset;
50592+
50593+ if (ptr < base + align)
50594+ goto report;
50595+
50596+ offset = ptr - base - align;
50597+ if (offset < m) {
50598+ if (n <= m - offset)
50599+ return;
50600+ goto report;
50601+ }
50602+ base += size;
50603+ }
50604+
50605+report:
50606+ if (to)
50607+ pax_report_leak_to_user(ptr, n);
50608+ else
50609+ pax_report_overflow_from_user(ptr, n);
50610+#endif
50611+
50612+}
50613+EXPORT_SYMBOL(check_object_size);
50614+
50615 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
50616 size_t ksize(const void *block)
50617 {
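Review bot: check_object_size() walks `sp->free` and the chunk headers without holding `slob_lock`, although the slob_alloc hunk above writes `sp->units` and `sp->free` under `spin_lock_irqsave(&slob_lock, flags)`. A concurrent allocation or free on the same page could change the free list during the two `while` loops, so the walk may follow stale links and either miss an overrun or report a valid copy. I would take the lock just before `base` is reset to the page start, turn the in-loop `return` and `goto report` into `break`s that record the result, and release the lock before the pax_report_* helpers run, as sketched below.

```c
	unsigned long flags;
	bool ok = false;

	/* … unchanged: n, NULL, virt_addr_valid, PageSlab and sp->size checks … */

	spin_lock_irqsave(&slob_lock, flags);
	base = (void *)((unsigned long)ptr & PAGE_MASK);
	free = sp->free;

	/* … unchanged: first loop, advancing base/free along the free list … */

	while (base < (void *)free) {
		/* … unchanged: m, align, size and offset declarations … */

		if (ptr < base + align)
			break;

		offset = ptr - base - align;
		if (offset < m) {
			ok = n <= m - offset;
			break;
		}
		base += size;
	}
	spin_unlock_irqrestore(&slob_lock, flags);
	if (ok)
		return;
```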
50618@@ -547,10 +630,10 @@ size_t ksize(const void *block)
50619 sp = slob_page(block);
50620 if (is_slob_page(sp)) {
50621 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50622- unsigned int *m = (unsigned int *)(block - align);
50623- return SLOB_UNITS(*m) * SLOB_UNIT;
50624+ slob_t *m = (slob_t *)(block - align);
50625+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
50626 } else
50627- return sp->page.private;
50628+ return sp->size;
50629 }
50630 EXPORT_SYMBOL(ksize);
50631
50632@@ -605,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
50633 {
50634 void *b;
50635
50636+#ifdef CONFIG_PAX_USERCOPY
50637+ b = __kmalloc_node_align(c->size, flags, node, c->align);
50638+#else
50639 if (c->size < PAGE_SIZE) {
50640 b = slob_alloc(c->size, flags, c->align, node);
50641 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50642 SLOB_UNITS(c->size) * SLOB_UNIT,
50643 flags, node);
50644 } else {
50645+ struct slob_page *sp;
50646+
50647 b = slob_new_pages(flags, get_order(c->size), node);
50648+ sp = slob_page(b);
50649+ sp->size = c->size;
50650 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50651 PAGE_SIZE << get_order(c->size),
50652 flags, node);
50653 }
50654+#endif
50655
50656 if (c->ctor)
50657 c->ctor(b);
50658@@ -627,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
50659
50660 static void __kmem_cache_free(void *b, int size)
50661 {
50662- if (size < PAGE_SIZE)
50663+ struct slob_page *sp = slob_page(b);
50664+
50665+ if (is_slob_page(sp))
50666 slob_free(b, size);
50667- else
50668+ else {
50669+ clear_slob_page(sp);
50670+ free_slob_page(sp);
50671+ sp->size = 0;
50672 slob_free_pages(b, get_order(size));
50673+ }
50674 }
50675
50676 static void kmem_rcu_free(struct rcu_head *head)
50677@@ -643,15 +740,24 @@ static void kmem_rcu_free(struct rcu_hea
50678
50679 void kmem_cache_free(struct kmem_cache *c, void *b)
50680 {
50681+ int size = c->size;
50682+
50683+#ifdef CONFIG_PAX_USERCOPY
50684+ if (size + c->align < PAGE_SIZE) {
50685+ size += c->align;
50686+ b -= c->align;
50687+ }
50688+#endif
50689+
50690 kmemleak_free_recursive(b, c->flags);
50691 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
50692 struct slob_rcu *slob_rcu;
50693- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
50694+ slob_rcu = b + (size - sizeof(struct slob_rcu));
50695 INIT_RCU_HEAD(&slob_rcu->head);
50696- slob_rcu->size = c->size;
50697+ slob_rcu->size = size;
50698 call_rcu(&slob_rcu->head, kmem_rcu_free);
50699 } else {
50700- __kmem_cache_free(b, c->size);
50701+ __kmem_cache_free(b, size);
50702 }
50703
50704 trace_kmem_cache_free(_RET_IP_, b);
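Review bot: With CONFIG_PAX_USERCOPY the pointer is rewound by `b -= c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kmem_cache_free(_RET_IP_, b)`, so both see the header address rather than the object address. The allocation side in `__kmalloc_node_align` reports `ret`, which is the header plus `align`, to `trace_kmalloc_node` and `kmemleak_alloc`, so the free no longer names the pointer that was recorded at allocation. I would keep the caller's pointer in a local, `void *obj = b;`, call `kmemleak_free_recursive(obj, c->flags);` and `trace_kmem_cache_free(_RET_IP_, obj);` with it, and use the adjusted `b` only for the slob_rcu and `__kmem_cache_free` paths. The closing brace of kmem_cache_free lies outside this hunk.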
50705diff -urNp linux-2.6.32.9/mm/slub.c linux-2.6.32.9/mm/slub.c
50706--- linux-2.6.32.9/mm/slub.c 2010-02-09 07:57:19.000000000 -0500
50707+++ linux-2.6.32.9/mm/slub.c 2010-02-23 17:09:56.713257424 -0500
50708@@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
50709
50710 page = virt_to_head_page(x);
50711
50712+ BUG_ON(!PageSlab(page));
50713+
50714 slab_free(s, page, x, _RET_IP_);
50715
50716 trace_kmem_cache_free(_RET_IP_, x);
50717@@ -1937,7 +1939,7 @@ static int slub_min_objects;
50718 * Merge control. If this is set then no merging of slab caches will occur.
50719 * (Could be removed. This was introduced to pacify the merge skeptics.)
50720 */
50721-static int slub_nomerge;
50722+static int slub_nomerge = 1;
50723
50724 /*
50725 * Calculate the order of allocation given an slab object size.
50726@@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
50727 * list to avoid pounding the page allocator excessively.
50728 */
50729 set_min_partial(s, ilog2(s->size));
50730- s->refcount = 1;
50731+ atomic_set(&s->refcount, 1);
50732 #ifdef CONFIG_NUMA
50733 s->remote_node_defrag_ratio = 1000;
50734 #endif
50735@@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
50736 void kmem_cache_destroy(struct kmem_cache *s)
50737 {
50738 down_write(&slub_lock);
50739- s->refcount--;
50740- if (!s->refcount) {
50741+ if (atomic_dec_and_test(&s->refcount)) {
50742 list_del(&s->list);
50743 up_write(&slub_lock);
50744 if (kmem_cache_close(s)) {
50745@@ -2915,6 +2916,46 @@ void *__kmalloc_node(size_t size, gfp_t
50746 EXPORT_SYMBOL(__kmalloc_node);
50747 #endif
50748
50749+void check_object_size(const void *ptr, unsigned long n, bool to)
50750+{
50751+
50752+#ifdef CONFIG_PAX_USERCOPY
50753+ struct page *page;
50754+ struct kmem_cache *s;
50755+ unsigned long offset;
50756+
50757+ if (!n)
50758+ return;
50759+
50760+ if (ZERO_OR_NULL_PTR(ptr))
50761+ goto report;
50762+
50763+ if (!virt_addr_valid(ptr))
50764+ return;
50765+
50766+ page = get_object_page(ptr);
50767+
50768+ if (!page) {
50769+ if (object_is_on_stack(ptr, n) == -1)
50770+ goto report;
50771+ return;
50772+ }
50773+
50774+ s = page->slab;
50775+ offset = (ptr - page_address(page)) % s->size;
50776+ if (offset <= s->objsize && n <= s->objsize - offset)
50777+ return;
50778+
50779+report:
50780+ if (to)
50781+ pax_report_leak_to_user(ptr, n);
50782+ else
50783+ pax_report_overflow_from_user(ptr, n);
50784+#endif
50785+
50786+}
50787+EXPORT_SYMBOL(check_object_size);
50788+
50789 size_t ksize(const void *object)
50790 {
50791 struct page *page;
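Review bot: The bound in `n <= s->objsize - offset` is the cache's object size, and that deserves a comment above the test. For kmalloc() memory this is the size of the kmalloc cache slot, not the length the caller asked for, so a copy that overruns the requested length but stays inside the slot is not reported. Something like `/* bound is s->objsize (the slot payload), not the original kmalloc() request size */` would make the limit explicit. The two silent `return`s, for `!virt_addr_valid(ptr)` and for a pointer with no slab page that passes `object_is_on_stack`, would each benefit from a one-line comment saying such pointers are deliberately left unchecked. `get_object_page` is defined outside this hunk, so what it rejects is not visible here.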
50792@@ -3186,7 +3227,7 @@ void __init kmem_cache_init(void)
50793 */
50794 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
50795 sizeof(struct kmem_cache_node), GFP_NOWAIT);
50796- kmalloc_caches[0].refcount = -1;
50797+ atomic_set(&kmalloc_caches[0].refcount, -1);
50798 caches++;
50799
50800 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
50801@@ -3293,7 +3334,7 @@ static int slab_unmergeable(struct kmem_
50802 /*
50803 * We may have set a slab to be unmergeable during bootstrap.
50804 */
50805- if (s->refcount < 0)
50806+ if (atomic_read(&s->refcount) < 0)
50807 return 1;
50808
50809 return 0;
50810@@ -3353,7 +3394,7 @@ struct kmem_cache *kmem_cache_create(con
50811 if (s) {
50812 int cpu;
50813
50814- s->refcount++;
50815+ atomic_inc(&s->refcount);
50816 /*
50817 * Adjust the object sizes so that we clear
50818 * the complete object on kzalloc.
50819@@ -3372,7 +3413,7 @@ struct kmem_cache *kmem_cache_create(con
50820
50821 if (sysfs_slab_alias(s, name)) {
50822 down_write(&slub_lock);
50823- s->refcount--;
50824+ atomic_dec(&s->refcount);
50825 up_write(&slub_lock);
50826 goto err;
50827 }
50828@@ -4101,7 +4142,7 @@ SLAB_ATTR_RO(ctor);
50829
50830 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
50831 {
50832- return sprintf(buf, "%d\n", s->refcount - 1);
50833+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
50834 }
50835 SLAB_ATTR_RO(aliases);
50836
50837@@ -4503,7 +4544,7 @@ static void kmem_cache_release(struct ko
50838 kfree(s);
50839 }
50840
50841-static struct sysfs_ops slab_sysfs_ops = {
50842+static const struct sysfs_ops slab_sysfs_ops = {
50843 .show = slab_attr_show,
50844 .store = slab_attr_store,
50845 };
50846@@ -4522,7 +4563,7 @@ static int uevent_filter(struct kset *ks
50847 return 0;
50848 }
50849
50850-static struct kset_uevent_ops slab_uevent_ops = {
50851+static const struct kset_uevent_ops slab_uevent_ops = {
50852 .filter = uevent_filter,
50853 };
50854
50855@@ -4696,7 +4737,7 @@ __initcall(slab_sysfs_init);
50856 /*
50857 * The /proc/slabinfo ABI
50858 */
50859-#ifdef CONFIG_SLABINFO
50860+#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50861 static void print_slabinfo_header(struct seq_file *m)
50862 {
50863 seq_puts(m, "slabinfo - version: 2.1\n");
50864diff -urNp linux-2.6.32.9/mm/util.c linux-2.6.32.9/mm/util.c
50865--- linux-2.6.32.9/mm/util.c 2010-02-09 07:57:19.000000000 -0500
50866+++ linux-2.6.32.9/mm/util.c 2010-02-23 17:09:56.713257424 -0500
50867@@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
50868 void arch_pick_mmap_layout(struct mm_struct *mm)
50869 {
50870 mm->mmap_base = TASK_UNMAPPED_BASE;
50871+
50872+#ifdef CONFIG_PAX_RANDMMAP
50873+ if (mm->pax_flags & MF_PAX_RANDMMAP)
50874+ mm->mmap_base += mm->delta_mmap;
50875+#endif
50876+
50877 mm->get_unmapped_area = arch_get_unmapped_area;
50878 mm->unmap_area = arch_unmap_area;
50879 }
50880diff -urNp linux-2.6.32.9/mm/vmalloc.c linux-2.6.32.9/mm/vmalloc.c
50881--- linux-2.6.32.9/mm/vmalloc.c 2010-02-09 07:57:19.000000000 -0500
50882+++ linux-2.6.32.9/mm/vmalloc.c 2010-02-23 17:09:56.713257424 -0500
50883@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
50884
50885 pte = pte_offset_kernel(pmd, addr);
50886 do {
50887- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50888- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50889+
50890+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50891+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
50892+ BUG_ON(!pte_exec(*pte));
50893+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
50894+ continue;
50895+ }
50896+#endif
50897+
50898+ {
50899+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50900+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50901+ }
50902 } while (pte++, addr += PAGE_SIZE, addr != end);
50903 }
50904
50905@@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
50906 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
50907 {
50908 pte_t *pte;
50909+ int ret = -ENOMEM;
50910
50911 /*
50912 * nr is a running index into the array which helps higher level
50913@@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
50914 pte = pte_alloc_kernel(pmd, addr);
50915 if (!pte)
50916 return -ENOMEM;
50917+
50918+ pax_open_kernel();
50919 do {
50920 struct page *page = pages[*nr];
50921
50922- if (WARN_ON(!pte_none(*pte)))
50923- return -EBUSY;
50924- if (WARN_ON(!page))
50925- return -ENOMEM;
50926+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50927+ if (pgprot_val(prot) & _PAGE_NX)
50928+#endif
50929+
50930+ if (WARN_ON(!pte_none(*pte))) {
50931+ ret = -EBUSY;
50932+ goto out;
50933+ }
50934+ if (WARN_ON(!page)) {
50935+ ret = -ENOMEM;
50936+ goto out;
50937+ }
50938 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
50939 (*nr)++;
50940 } while (pte++, addr += PAGE_SIZE, addr != end);
50941- return 0;
50942+ ret = 0;
50943+out:
50944+ pax_close_kernel();
50945+ return ret;
50946 }
50947
50948 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
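Review bot: The `if (pgprot_val(prot) & _PAGE_NX)` inside the `#if ... #endif` has no body of its own and silently governs the `if (WARN_ON(!pte_none(*pte)))` block that follows the blank line, which is easy to misread and easy to break when a statement is inserted between them. The same dangling-conditional pattern appears in the `__vmalloc_node` hunk (an `else` ending at `#endif`) and in the CONFIG_GRKERNSEC_BLACKHOLE hunks in tcp_v4_do_rcv, the `no_tcp_socket` path and `__udp4_lib_rcv`. Here I would compute the condition into a local under the `#if` (defaulting to true otherwise) and write the test as `if (check_none && WARN_ON(!pte_none(*pte))) {`, so the control flow reads the same with and without KERNEXEC. A short comment saying why executable mappings skip the `pte_none` check would also help; presumably it is because the vunmap_pte_range hunk leaves those PTEs populated.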
50949@@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
50950 * and fall back on vmalloc() if that fails. Others
50951 * just put it in the vmalloc space.
50952 */
50953-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
50954+#ifdef CONFIG_MODULES
50955+#ifdef MODULES_VADDR
50956 unsigned long addr = (unsigned long)x;
50957 if (addr >= MODULES_VADDR && addr < MODULES_END)
50958 return 1;
50959 #endif
50960+
50961+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50962+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
50963+ return 1;
50964+#endif
50965+
50966+#endif
50967+
50968 return is_vmalloc_addr(x);
50969 }
50970
50971@@ -292,13 +326,13 @@ static void __insert_vmap_area(struct vm
50972 struct rb_node *tmp;
50973
50974 while (*p) {
50975- struct vmap_area *tmp;
50976+ struct vmap_area *varea;
50977
50978 parent = *p;
50979- tmp = rb_entry(parent, struct vmap_area, rb_node);
50980- if (va->va_start < tmp->va_end)
50981+ varea = rb_entry(parent, struct vmap_area, rb_node);
50982+ if (va->va_start < varea->va_end)
50983 p = &(*p)->rb_left;
50984- else if (va->va_end > tmp->va_start)
50985+ else if (va->va_end > varea->va_start)
50986 p = &(*p)->rb_right;
50987 else
50988 BUG();
50989@@ -1223,6 +1257,16 @@ static struct vm_struct *__get_vm_area_n
50990 struct vm_struct *area;
50991
50992 BUG_ON(in_interrupt());
50993+
50994+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50995+ if (flags & VM_KERNEXEC) {
50996+ if (start != VMALLOC_START || end != VMALLOC_END)
50997+ return NULL;
50998+ start = (unsigned long)&MODULES_EXEC_VADDR;
50999+ end = (unsigned long)&MODULES_EXEC_END;
51000+ }
51001+#endif
51002+
51003 if (flags & VM_IOREMAP) {
51004 int bit = fls(size);
51005
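Review bot: The range is taken as `(unsigned long)&MODULES_EXEC_VADDR` and `(unsigned long)&MODULES_EXEC_END` here, while the vunmap_pte_range and is_vmalloc_or_module_addr hunks in this file use the same names without `&`. The two spellings give the same address only if these symbols are declared as arrays; their declaration is not visible in this patch section, so that cannot be confirmed from here. I would use one spelling throughout, e.g. `start = (unsigned long)MODULES_EXEC_VADDR;`, so a later change to the declaration cannot make the allocation range and the range checks disagree. The body of `__get_vm_area_node` continues outside the hunk.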
51006@@ -1448,6 +1492,11 @@ void *vmap(struct page **pages, unsigned
51007 if (count > totalram_pages)
51008 return NULL;
51009
51010+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51011+ if (!(pgprot_val(prot) & _PAGE_NX))
51012+ flags |= VM_KERNEXEC;
51013+#endif
51014+
51015 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
51016 __builtin_return_address(0));
51017 if (!area)
51018@@ -1558,6 +1607,13 @@ static void *__vmalloc_node(unsigned lon
51019 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
51020 return NULL;
51021
51022+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51023+ if (!(pgprot_val(prot) & _PAGE_NX))
51024+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
51025+ node, gfp_mask, caller);
51026+ else
51027+#endif
51028+
51029 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
51030 VMALLOC_END, node, gfp_mask, caller);
51031
51032@@ -1576,6 +1632,7 @@ static void *__vmalloc_node(unsigned lon
51033 return addr;
51034 }
51035
51036+#undef __vmalloc
51037 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
51038 {
51039 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
51040@@ -1592,6 +1649,7 @@ EXPORT_SYMBOL(__vmalloc);
51041 * For tight control over page level allocator and protection flags
51042 * use __vmalloc() instead.
51043 */
51044+#undef vmalloc
51045 void *vmalloc(unsigned long size)
51046 {
51047 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51048@@ -1606,6 +1664,7 @@ EXPORT_SYMBOL(vmalloc);
51049 * The resulting memory area is zeroed so it can be mapped to userspace
51050 * without leaking data.
51051 */
51052+#undef vmalloc_user
51053 void *vmalloc_user(unsigned long size)
51054 {
51055 struct vm_struct *area;
51056@@ -1633,6 +1692,7 @@ EXPORT_SYMBOL(vmalloc_user);
51057 * For tight control over page level allocator and protection flags
51058 * use __vmalloc() instead.
51059 */
51060+#undef vmalloc_node
51061 void *vmalloc_node(unsigned long size, int node)
51062 {
51063 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51064@@ -1655,10 +1715,10 @@ EXPORT_SYMBOL(vmalloc_node);
51065 * For tight control over page level allocator and protection flags
51066 * use __vmalloc() instead.
51067 */
51068-
51069+#undef vmalloc_exec
51070 void *vmalloc_exec(unsigned long size)
51071 {
51072- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
51073+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
51074 -1, __builtin_return_address(0));
51075 }
51076
51077@@ -1677,6 +1737,7 @@ void *vmalloc_exec(unsigned long size)
51078 * Allocate enough 32bit PA addressable pages to cover @size from the
51079 * page level allocator and map them into contiguous kernel virtual space.
51080 */
51081+#undef vmalloc_32
51082 void *vmalloc_32(unsigned long size)
51083 {
51084 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
51085@@ -1691,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc_32);
51086 * The resulting memory area is 32bit addressable and zeroed so it can be
51087 * mapped to userspace without leaking data.
51088 */
51089+#undef vmalloc_32_user
51090 void *vmalloc_32_user(unsigned long size)
51091 {
51092 struct vm_struct *area;
51093diff -urNp linux-2.6.32.9/net/atm/atm_misc.c linux-2.6.32.9/net/atm/atm_misc.c
51094--- linux-2.6.32.9/net/atm/atm_misc.c 2010-02-09 07:57:19.000000000 -0500
51095+++ linux-2.6.32.9/net/atm/atm_misc.c 2010-02-23 17:09:56.713257424 -0500
51096@@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
51097 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
51098 return 1;
51099 atm_return(vcc,truesize);
51100- atomic_inc(&vcc->stats->rx_drop);
51101+ atomic_inc_unchecked(&vcc->stats->rx_drop);
51102 return 0;
51103 }
51104
51105@@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
51106 }
51107 }
51108 atm_return(vcc,guess);
51109- atomic_inc(&vcc->stats->rx_drop);
51110+ atomic_inc_unchecked(&vcc->stats->rx_drop);
51111 return NULL;
51112 }
51113
51114@@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
51115
51116 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51117 {
51118-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51119+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51120 __SONET_ITEMS
51121 #undef __HANDLE_ITEM
51122 }
51123@@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
51124
51125 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51126 {
51127-#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
51128+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
51129 __SONET_ITEMS
51130 #undef __HANDLE_ITEM
51131 }
51132diff -urNp linux-2.6.32.9/net/atm/proc.c linux-2.6.32.9/net/atm/proc.c
51133--- linux-2.6.32.9/net/atm/proc.c 2010-02-09 07:57:19.000000000 -0500
51134+++ linux-2.6.32.9/net/atm/proc.c 2010-02-23 17:09:56.713257424 -0500
51135@@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
51136 const struct k_atm_aal_stats *stats)
51137 {
51138 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
51139- atomic_read(&stats->tx),atomic_read(&stats->tx_err),
51140- atomic_read(&stats->rx),atomic_read(&stats->rx_err),
51141- atomic_read(&stats->rx_drop));
51142+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
51143+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
51144+ atomic_read_unchecked(&stats->rx_drop));
51145 }
51146
51147 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
51148diff -urNp linux-2.6.32.9/net/atm/resources.c linux-2.6.32.9/net/atm/resources.c
51149--- linux-2.6.32.9/net/atm/resources.c 2010-02-09 07:57:19.000000000 -0500
51150+++ linux-2.6.32.9/net/atm/resources.c 2010-02-23 17:09:56.716220139 -0500
51151@@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
51152 static void copy_aal_stats(struct k_atm_aal_stats *from,
51153 struct atm_aal_stats *to)
51154 {
51155-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51156+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51157 __AAL_STAT_ITEMS
51158 #undef __HANDLE_ITEM
51159 }
51160@@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
51161 static void subtract_aal_stats(struct k_atm_aal_stats *from,
51162 struct atm_aal_stats *to)
51163 {
51164-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
51165+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
51166 __AAL_STAT_ITEMS
51167 #undef __HANDLE_ITEM
51168 }
51169diff -urNp linux-2.6.32.9/net/bridge/br_private.h linux-2.6.32.9/net/bridge/br_private.h
51170--- linux-2.6.32.9/net/bridge/br_private.h 2010-02-09 07:57:19.000000000 -0500
51171+++ linux-2.6.32.9/net/bridge/br_private.h 2010-02-23 17:09:56.716220139 -0500
51172@@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
51173
51174 #ifdef CONFIG_SYSFS
51175 /* br_sysfs_if.c */
51176-extern struct sysfs_ops brport_sysfs_ops;
51177+extern const struct sysfs_ops brport_sysfs_ops;
51178 extern int br_sysfs_addif(struct net_bridge_port *p);
51179
51180 /* br_sysfs_br.c */
51181diff -urNp linux-2.6.32.9/net/bridge/br_stp_if.c linux-2.6.32.9/net/bridge/br_stp_if.c
51182--- linux-2.6.32.9/net/bridge/br_stp_if.c 2010-02-09 07:57:19.000000000 -0500
51183+++ linux-2.6.32.9/net/bridge/br_stp_if.c 2010-02-23 17:09:56.716220139 -0500
51184@@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
51185 char *envp[] = { NULL };
51186
51187 if (br->stp_enabled == BR_USER_STP) {
51188- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
51189+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
51190 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
51191 br->dev->name, r);
51192
51193diff -urNp linux-2.6.32.9/net/bridge/br_sysfs_if.c linux-2.6.32.9/net/bridge/br_sysfs_if.c
51194--- linux-2.6.32.9/net/bridge/br_sysfs_if.c 2010-02-09 07:57:19.000000000 -0500
51195+++ linux-2.6.32.9/net/bridge/br_sysfs_if.c 2010-02-23 17:09:56.716220139 -0500
51196@@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
51197 return ret;
51198 }
51199
51200-struct sysfs_ops brport_sysfs_ops = {
51201+const struct sysfs_ops brport_sysfs_ops = {
51202 .show = brport_show,
51203 .store = brport_store,
51204 };
51205diff -urNp linux-2.6.32.9/net/core/dev.c linux-2.6.32.9/net/core/dev.c
51206--- linux-2.6.32.9/net/core/dev.c 2010-02-09 07:57:19.000000000 -0500
51207+++ linux-2.6.32.9/net/core/dev.c 2010-02-23 17:09:56.716220139 -0500
51208@@ -2047,7 +2047,7 @@ int netif_rx_ni(struct sk_buff *skb)
51209 }
51210 EXPORT_SYMBOL(netif_rx_ni);
51211
51212-static void net_tx_action(struct softirq_action *h)
51213+static void net_tx_action(void)
51214 {
51215 struct softnet_data *sd = &__get_cpu_var(softnet_data);
51216
51217@@ -2808,7 +2808,7 @@ void netif_napi_del(struct napi_struct *
51218 EXPORT_SYMBOL(netif_napi_del);
51219
51220
51221-static void net_rx_action(struct softirq_action *h)
51222+static void net_rx_action(void)
51223 {
51224 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
51225 unsigned long time_limit = jiffies + 2;
51226diff -urNp linux-2.6.32.9/net/core/flow.c linux-2.6.32.9/net/core/flow.c
51227--- linux-2.6.32.9/net/core/flow.c 2010-02-09 07:57:19.000000000 -0500
51228+++ linux-2.6.32.9/net/core/flow.c 2010-02-23 17:09:56.716220139 -0500
51229@@ -39,7 +39,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
51230
51231 static u32 flow_hash_shift;
51232 #define flow_hash_size (1 << flow_hash_shift)
51233-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
51234+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
51235
51236 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
51237
51238@@ -52,7 +52,7 @@ struct flow_percpu_info {
51239 u32 hash_rnd;
51240 int count;
51241 };
51242-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
51243+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
51244
51245 #define flow_hash_rnd_recalc(cpu) \
51246 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
51247@@ -69,7 +69,7 @@ struct flow_flush_info {
51248 atomic_t cpuleft;
51249 struct completion completion;
51250 };
51251-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
51252+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
51253
51254 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
51255
51256diff -urNp linux-2.6.32.9/net/dccp/ccids/ccid3.c linux-2.6.32.9/net/dccp/ccids/ccid3.c
51257--- linux-2.6.32.9/net/dccp/ccids/ccid3.c 2010-02-09 07:57:19.000000000 -0500
51258+++ linux-2.6.32.9/net/dccp/ccids/ccid3.c 2010-02-23 17:09:56.716220139 -0500
51259@@ -41,7 +41,7 @@
51260 static int ccid3_debug;
51261 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
51262 #else
51263-#define ccid3_pr_debug(format, a...)
51264+#define ccid3_pr_debug(format, a...) do {} while (0)
51265 #endif
51266
51267 /*
51268diff -urNp linux-2.6.32.9/net/dccp/dccp.h linux-2.6.32.9/net/dccp/dccp.h
51269--- linux-2.6.32.9/net/dccp/dccp.h 2010-02-09 07:57:19.000000000 -0500
51270+++ linux-2.6.32.9/net/dccp/dccp.h 2010-02-23 17:09:56.716220139 -0500
51271@@ -44,9 +44,9 @@ extern int dccp_debug;
51272 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
51273 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
51274 #else
51275-#define dccp_pr_debug(format, a...)
51276-#define dccp_pr_debug_cat(format, a...)
51277-#define dccp_debug(format, a...)
51278+#define dccp_pr_debug(format, a...) do {} while (0)
51279+#define dccp_pr_debug_cat(format, a...) do {} while (0)
51280+#define dccp_debug(format, a...) do {} while (0)
51281 #endif
51282
51283 extern struct inet_hashinfo dccp_hashinfo;
51284diff -urNp linux-2.6.32.9/net/ipv4/inet_hashtables.c linux-2.6.32.9/net/ipv4/inet_hashtables.c
51285--- linux-2.6.32.9/net/ipv4/inet_hashtables.c 2010-02-09 07:57:19.000000000 -0500
51286+++ linux-2.6.32.9/net/ipv4/inet_hashtables.c 2010-02-23 17:09:56.720158253 -0500
51287@@ -18,11 +18,14 @@
51288 #include <linux/sched.h>
51289 #include <linux/slab.h>
51290 #include <linux/wait.h>
51291+#include <linux/security.h>
51292
51293 #include <net/inet_connection_sock.h>
51294 #include <net/inet_hashtables.h>
51295 #include <net/ip.h>
51296
51297+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
51298+
51299 /*
51300 * Allocate and initialize a new local port bind bucket.
51301 * The bindhash mutex for snum's hash chain must be held here.
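Review bot: The prototype `extern void gr_update_task_in_ip_table(...)` is declared directly in this .c file, so the compiler never checks it against the definition, and a later signature change would build silently with mismatched arguments. The udp.c hunk does the same for `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg`. Since this hunk already adds `#include <linux/security.h>`, I would move these declarations into a header that both the definition and the callers include. Which header the patch uses for its other gr_* prototypes is not visible in this section.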
51302@@ -490,6 +493,8 @@ ok:
51303 }
51304 spin_unlock(&head->lock);
51305
51306+ gr_update_task_in_ip_table(current, inet_sk(sk));
51307+
51308 if (tw) {
51309 inet_twsk_deschedule(tw, death_row);
51310 inet_twsk_put(tw);
51311diff -urNp linux-2.6.32.9/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.9/net/ipv4/netfilter/nf_nat_snmp_basic.c
51312--- linux-2.6.32.9/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-02-09 07:57:19.000000000 -0500
51313+++ linux-2.6.32.9/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-02-23 17:09:56.720158253 -0500
51314@@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
51315
51316 *len = 0;
51317
51318- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
51319+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
51320 if (*octets == NULL) {
51321 if (net_ratelimit())
51322 printk("OOM in bsalg (%d)\n", __LINE__);
51323diff -urNp linux-2.6.32.9/net/ipv4/tcp_ipv4.c linux-2.6.32.9/net/ipv4/tcp_ipv4.c
51324--- linux-2.6.32.9/net/ipv4/tcp_ipv4.c 2010-02-09 07:57:19.000000000 -0500
51325+++ linux-2.6.32.9/net/ipv4/tcp_ipv4.c 2010-02-23 17:09:56.720158253 -0500
51326@@ -1542,6 +1542,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
51327 return 0;
51328
51329 reset:
51330+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51331+ if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51332+#endif
51333 tcp_v4_send_reset(rsk, skb);
51334 discard:
51335 kfree_skb(skb);
51336@@ -1650,6 +1653,9 @@ no_tcp_socket:
51337 bad_packet:
51338 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51339 } else {
51340+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51341+ if (skb->dev->flags & IFF_LOOPBACK)
51342+#endif
51343 tcp_v4_send_reset(NULL, skb);
51344 }
51345
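Review bot: The added test `if (skb->dev->flags & IFF_LOOPBACK)` dereferences `skb->dev` unconditionally, whereas the `reset:` hunk just above in the same file guards the same test with `!skb->dev ||`. The `__udp4_lib_rcv` hunk in udp.c has the same unguarded form. If `skb->dev` can never be NULL on these receive paths, a comment saying so would explain the difference; otherwise the check should match the other site, `if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))`. The enclosing function starts and ends outside this hunk, so whether `skb->dev` is validated earlier cannot be seen from here.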
51346diff -urNp linux-2.6.32.9/net/ipv4/tcp_minisocks.c linux-2.6.32.9/net/ipv4/tcp_minisocks.c
51347--- linux-2.6.32.9/net/ipv4/tcp_minisocks.c 2010-02-09 07:57:19.000000000 -0500
51348+++ linux-2.6.32.9/net/ipv4/tcp_minisocks.c 2010-02-23 17:09:56.720158253 -0500
51349@@ -672,8 +672,11 @@ listen_overflow:
51350
51351 embryonic_reset:
51352 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
51353+
51354+#ifndef CONFIG_GRKERNSEC_BLACKHOLE
51355 if (!(flg & TCP_FLAG_RST))
51356 req->rsk_ops->send_reset(sk, skb);
51357+#endif
51358
51359 inet_csk_reqsk_queue_drop(sk, req, prev);
51360 return NULL;
51361diff -urNp linux-2.6.32.9/net/ipv4/udp.c linux-2.6.32.9/net/ipv4/udp.c
51362--- linux-2.6.32.9/net/ipv4/udp.c 2010-02-09 07:57:19.000000000 -0500
51363+++ linux-2.6.32.9/net/ipv4/udp.c 2010-02-23 17:09:56.720158253 -0500
51364@@ -86,6 +86,7 @@
51365 #include <linux/types.h>
51366 #include <linux/fcntl.h>
51367 #include <linux/module.h>
51368+#include <linux/security.h>
51369 #include <linux/socket.h>
51370 #include <linux/sockios.h>
51371 #include <linux/igmp.h>
51372@@ -371,6 +372,9 @@ found:
51373 return s;
51374 }
51375
51376+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
51377+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
51378+
51379 /*
51380 * This routine is called by the ICMP module when it gets some
51381 * sort of error condition. If err < 0 then the socket should
51382@@ -639,9 +643,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
51383 dport = usin->sin_port;
51384 if (dport == 0)
51385 return -EINVAL;
51386+
51387+ err = gr_search_udp_sendmsg(sk, usin);
51388+ if (err)
51389+ return err;
51390 } else {
51391 if (sk->sk_state != TCP_ESTABLISHED)
51392 return -EDESTADDRREQ;
51393+
51394+ err = gr_search_udp_sendmsg(sk, NULL);
51395+ if (err)
51396+ return err;
51397+
51398 daddr = inet->daddr;
51399 dport = inet->dport;
51400 /* Open fast path for connected socket.
51401@@ -945,6 +958,10 @@ try_again:
51402 if (!skb)
51403 goto out;
51404
51405+ err = gr_search_udp_recvmsg(sk, skb);
51406+ if (err)
51407+ goto out_free;
51408+
51409 ulen = skb->len - sizeof(struct udphdr);
51410 copied = len;
51411 if (copied > ulen)
51412@@ -1335,6 +1352,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
51413 goto csum_error;
51414
51415 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
51416+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51417+ if (skb->dev->flags & IFF_LOOPBACK)
51418+#endif
51419 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
51420
51421 /*
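Review bot: The brace-less `if (skb->dev->flags & IFF_LOOPBACK)` sits inside the `#ifdef` while the statement it controls, `icmp_send(...)`, sits outside it, so any line later inserted between `#endif` and `icmp_send` silently becomes the guarded statement. The same construct is repeated in the two net/ipv6/tcp_ipv6.c hunks and in net/ipv6/udp.c, and only `tcp_v6_do_rcv` tests `!skb->dev` before dereferencing it. A single inline predicate would keep the condition, the NULL handling and the config test in one place, with each call site written as an ordinary guarded statement. The helper name below is only a suggestion, and the enclosing function starts and ends outside the hunk.

```c
/* Suggested helper: with BLACKHOLE enabled, answer only loopback traffic. */
static inline bool gr_blackhole_may_reply(const struct sk_buff *skb)
{
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
	return !skb->dev || (skb->dev->flags & IFF_LOOPBACK);
#else
	return true;
#endif
}

/* … unchanged: checksum handling and UDP_INC_STATS_BH … */
	if (gr_blackhole_may_reply(skb))
		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
```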
51422diff -urNp linux-2.6.32.9/net/ipv6/exthdrs.c linux-2.6.32.9/net/ipv6/exthdrs.c
51423--- linux-2.6.32.9/net/ipv6/exthdrs.c 2010-02-09 07:57:19.000000000 -0500
51424+++ linux-2.6.32.9/net/ipv6/exthdrs.c 2010-02-23 17:09:56.720158253 -0500
51425@@ -635,7 +635,7 @@ static struct tlvtype_proc tlvprochopopt
51426 .type = IPV6_TLV_JUMBO,
51427 .func = ipv6_hop_jumbo,
51428 },
51429- { -1, }
51430+ { -1, NULL }
51431 };
51432
51433 int ipv6_parse_hopopts(struct sk_buff *skb)
51434diff -urNp linux-2.6.32.9/net/ipv6/raw.c linux-2.6.32.9/net/ipv6/raw.c
51435--- linux-2.6.32.9/net/ipv6/raw.c 2010-02-09 07:57:19.000000000 -0500
51436+++ linux-2.6.32.9/net/ipv6/raw.c 2010-02-23 17:09:56.720158253 -0500
51437@@ -600,7 +600,7 @@ out:
51438 return err;
51439 }
51440
51441-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
51442+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
51443 struct flowi *fl, struct rt6_info *rt,
51444 unsigned int flags)
51445 {
51446diff -urNp linux-2.6.32.9/net/ipv6/tcp_ipv6.c linux-2.6.32.9/net/ipv6/tcp_ipv6.c
51447--- linux-2.6.32.9/net/ipv6/tcp_ipv6.c 2010-02-09 07:57:19.000000000 -0500
51448+++ linux-2.6.32.9/net/ipv6/tcp_ipv6.c 2010-02-23 17:09:56.720158253 -0500
51449@@ -1578,6 +1578,9 @@ static int tcp_v6_do_rcv(struct sock *sk
51450 return 0;
51451
51452 reset:
51453+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51454+ if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51455+#endif
51456 tcp_v6_send_reset(sk, skb);
51457 discard:
51458 if (opt_skb)
51459@@ -1700,6 +1703,9 @@ no_tcp_socket:
51460 bad_packet:
51461 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51462 } else {
51463+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51464+ if (skb->dev->flags & IFF_LOOPBACK)
51465+#endif
51466 tcp_v6_send_reset(NULL, skb);
51467 }
51468
51469diff -urNp linux-2.6.32.9/net/ipv6/udp.c linux-2.6.32.9/net/ipv6/udp.c
51470--- linux-2.6.32.9/net/ipv6/udp.c 2010-02-09 07:57:19.000000000 -0500
51471+++ linux-2.6.32.9/net/ipv6/udp.c 2010-02-23 17:09:56.720158253 -0500
51472@@ -587,6 +587,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
51473 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
51474 proto == IPPROTO_UDPLITE);
51475
51476+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51477+ if (skb->dev->flags & IFF_LOOPBACK)
51478+#endif
51479 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
51480
51481 kfree_skb(skb);
51482diff -urNp linux-2.6.32.9/net/irda/ircomm/ircomm_tty.c linux-2.6.32.9/net/irda/ircomm/ircomm_tty.c
51483--- linux-2.6.32.9/net/irda/ircomm/ircomm_tty.c 2010-02-09 07:57:19.000000000 -0500
51484+++ linux-2.6.32.9/net/irda/ircomm/ircomm_tty.c 2010-02-23 17:09:56.720158253 -0500
51485@@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
51486 add_wait_queue(&self->open_wait, &wait);
51487
51488 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
51489- __FILE__,__LINE__, tty->driver->name, self->open_count );
51490+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51491
51492 /* As far as I can see, we protect open_count - Jean II */
51493 spin_lock_irqsave(&self->spinlock, flags);
51494 if (!tty_hung_up_p(filp)) {
51495 extra_count = 1;
51496- self->open_count--;
51497+ atomic_dec(&self->open_count);
51498 }
51499 spin_unlock_irqrestore(&self->spinlock, flags);
51500- self->blocked_open++;
51501+ atomic_inc(&self->blocked_open);
51502
51503 while (1) {
51504 if (tty->termios->c_cflag & CBAUD) {
51505@@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
51506 }
51507
51508 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
51509- __FILE__,__LINE__, tty->driver->name, self->open_count );
51510+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51511
51512 schedule();
51513 }
51514@@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
51515 if (extra_count) {
51516 /* ++ is not atomic, so this should be protected - Jean II */
51517 spin_lock_irqsave(&self->spinlock, flags);
51518- self->open_count++;
51519+ atomic_inc(&self->open_count);
51520 spin_unlock_irqrestore(&self->spinlock, flags);
51521 }
51522- self->blocked_open--;
51523+ atomic_dec(&self->blocked_open);
51524
51525 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
51526- __FILE__,__LINE__, tty->driver->name, self->open_count);
51527+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
51528
51529 if (!retval)
51530 self->flags |= ASYNC_NORMAL_ACTIVE;
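Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` no longer matches the code now that `open_count` is changed with `atomic_inc`, and the same stale comment remains in the `ircomm_tty_open` hunk. The lock is still doing work, because `ircomm_tty_close` performs `atomic_dec_return` followed by a separate `atomic_set` on the same counter while holding `self->spinlock`. The comment should say that rather than be dropped: `/* open_count is atomic_t; the lock orders this against the dec-then-set sequence in ircomm_tty_close() */`. The enclosing function starts outside the hunk.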
51531@@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
51532 }
51533 /* ++ is not atomic, so this should be protected - Jean II */
51534 spin_lock_irqsave(&self->spinlock, flags);
51535- self->open_count++;
51536+ atomic_inc(&self->open_count);
51537
51538 tty->driver_data = self;
51539 self->tty = tty;
51540 spin_unlock_irqrestore(&self->spinlock, flags);
51541
51542 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
51543- self->line, self->open_count);
51544+ self->line, atomic_read(&self->open_count));
51545
51546 /* Not really used by us, but lets do it anyway */
51547 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
51548@@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
51549 return;
51550 }
51551
51552- if ((tty->count == 1) && (self->open_count != 1)) {
51553+ if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
51554 /*
51555 * Uh, oh. tty->count is 1, which means that the tty
51556 * structure will be freed. state->count should always
51557@@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
51558 */
51559 IRDA_DEBUG(0, "%s(), bad serial port count; "
51560 "tty->count is 1, state->count is %d\n", __func__ ,
51561- self->open_count);
51562- self->open_count = 1;
51563+ atomic_read(&self->open_count));
51564+ atomic_set(&self->open_count, 1);
51565 }
51566
51567- if (--self->open_count < 0) {
51568+ if (atomic_dec_return(&self->open_count) < 0) {
51569 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
51570- __func__, self->line, self->open_count);
51571- self->open_count = 0;
51572+ __func__, self->line, atomic_read(&self->open_count));
51573+ atomic_set(&self->open_count, 0);
51574 }
51575- if (self->open_count) {
51576+ if (atomic_read(&self->open_count)) {
51577 spin_unlock_irqrestore(&self->spinlock, flags);
51578
51579 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
51580@@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
51581 tty->closing = 0;
51582 self->tty = NULL;
51583
51584- if (self->blocked_open) {
51585+ if (atomic_read(&self->blocked_open)) {
51586 if (self->close_delay)
51587 schedule_timeout_interruptible(self->close_delay);
51588 wake_up_interruptible(&self->open_wait);
51589@@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
51590 spin_lock_irqsave(&self->spinlock, flags);
51591 self->flags &= ~ASYNC_NORMAL_ACTIVE;
51592 self->tty = NULL;
51593- self->open_count = 0;
51594+ atomic_set(&self->open_count, 0);
51595 spin_unlock_irqrestore(&self->spinlock, flags);
51596
51597 wake_up_interruptible(&self->open_wait);
51598@@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
51599 seq_putc(m, '\n');
51600
51601 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
51602- seq_printf(m, "Open count: %d\n", self->open_count);
51603+ seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
51604 seq_printf(m, "Max data size: %d\n", self->max_data_size);
51605 seq_printf(m, "Max header size: %d\n", self->max_header_size);
51606
51607diff -urNp linux-2.6.32.9/net/mac80211/ieee80211_i.h linux-2.6.32.9/net/mac80211/ieee80211_i.h
51608--- linux-2.6.32.9/net/mac80211/ieee80211_i.h 2010-02-09 07:57:19.000000000 -0500
51609+++ linux-2.6.32.9/net/mac80211/ieee80211_i.h 2010-02-23 17:09:56.720158253 -0500
51610@@ -634,7 +634,7 @@ struct ieee80211_local {
51611 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
51612 spinlock_t queue_stop_reason_lock;
51613
51614- int open_count;
51615+ atomic_t open_count;
51616 int monitors, cooked_mntrs;
51617 /* number of interfaces with corresponding FIF_ flags */
51618 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
51619diff -urNp linux-2.6.32.9/net/mac80211/iface.c linux-2.6.32.9/net/mac80211/iface.c
51620--- linux-2.6.32.9/net/mac80211/iface.c 2010-02-09 07:57:19.000000000 -0500
51621+++ linux-2.6.32.9/net/mac80211/iface.c 2010-02-23 17:09:56.720158253 -0500
51622@@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
51623 break;
51624 }
51625
51626- if (local->open_count == 0) {
51627+ if (atomic_read(&local->open_count) == 0) {
51628 res = drv_start(local);
51629 if (res)
51630 goto err_del_bss;
51631@@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
51632 * Validate the MAC address for this device.
51633 */
51634 if (!is_valid_ether_addr(dev->dev_addr)) {
51635- if (!local->open_count)
51636+ if (!atomic_read(&local->open_count))
51637 drv_stop(local);
51638 return -EADDRNOTAVAIL;
51639 }
51640@@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
51641
51642 hw_reconf_flags |= __ieee80211_recalc_idle(local);
51643
51644- local->open_count++;
51645+ atomic_inc(&local->open_count);
51646 if (hw_reconf_flags) {
51647 ieee80211_hw_config(local, hw_reconf_flags);
51648 /*
51649@@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
51650 err_del_interface:
51651 drv_remove_interface(local, &conf);
51652 err_stop:
51653- if (!local->open_count)
51654+ if (!atomic_read(&local->open_count))
51655 drv_stop(local);
51656 err_del_bss:
51657 sdata->bss = NULL;
51658@@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
51659 WARN_ON(!list_empty(&sdata->u.ap.vlans));
51660 }
51661
51662- local->open_count--;
51663+ atomic_dec(&local->open_count);
51664
51665 switch (sdata->vif.type) {
51666 case NL80211_IFTYPE_AP_VLAN:
51667@@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
51668
51669 ieee80211_recalc_ps(local, -1);
51670
51671- if (local->open_count == 0) {
51672+ if (atomic_read(&local->open_count) == 0) {
51673 ieee80211_clear_tx_pending(local);
51674 ieee80211_stop_device(local);
51675
51676diff -urNp linux-2.6.32.9/net/mac80211/main.c linux-2.6.32.9/net/mac80211/main.c
51677--- linux-2.6.32.9/net/mac80211/main.c 2010-02-09 07:57:19.000000000 -0500
51678+++ linux-2.6.32.9/net/mac80211/main.c 2010-02-23 17:09:56.736738853 -0500
51679@@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
51680 local->hw.conf.power_level = power;
51681 }
51682
51683- if (changed && local->open_count) {
51684+ if (changed && atomic_read(&local->open_count)) {
51685 ret = drv_config(local, changed);
51686 /*
51687 * Goal:
51688diff -urNp linux-2.6.32.9/net/mac80211/pm.c linux-2.6.32.9/net/mac80211/pm.c
51689--- linux-2.6.32.9/net/mac80211/pm.c 2010-02-09 07:57:19.000000000 -0500
51690+++ linux-2.6.32.9/net/mac80211/pm.c 2010-02-23 17:09:56.736738853 -0500
51691@@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
51692 }
51693
51694 /* stop hardware - this must stop RX */
51695- if (local->open_count)
51696+ if (atomic_read(&local->open_count))
51697 ieee80211_stop_device(local);
51698
51699 local->suspended = true;
51700diff -urNp linux-2.6.32.9/net/mac80211/rate.c linux-2.6.32.9/net/mac80211/rate.c
51701--- linux-2.6.32.9/net/mac80211/rate.c 2010-02-09 07:57:19.000000000 -0500
51702+++ linux-2.6.32.9/net/mac80211/rate.c 2010-02-23 17:09:56.736738853 -0500
51703@@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
51704 struct rate_control_ref *ref, *old;
51705
51706 ASSERT_RTNL();
51707- if (local->open_count)
51708+ if (atomic_read(&local->open_count))
51709 return -EBUSY;
51710
51711 ref = rate_control_alloc(name, local);
51712diff -urNp linux-2.6.32.9/net/mac80211/util.c linux-2.6.32.9/net/mac80211/util.c
51713--- linux-2.6.32.9/net/mac80211/util.c 2010-02-09 07:57:19.000000000 -0500
51714+++ linux-2.6.32.9/net/mac80211/util.c 2010-02-23 17:09:56.736738853 -0500
51715@@ -1042,14 +1042,14 @@ int ieee80211_reconfig(struct ieee80211_
51716 local->resuming = true;
51717
51718 /* restart hardware */
51719- if (local->open_count) {
51720+ if (atomic_read(&local->open_count)) {
51721 /*
51722 * Upon resume hardware can sometimes be goofy due to
51723 * various platform / driver / bus issues, so restarting
51724 * the device may at times not work immediately. Propagate
51725 * the error.
51726 */
51727- res = drv_start(local);
51728+ res = drv_start(local);
51729 if (res) {
51730 WARN(local->suspended, "Harware became unavailable "
51731 "upon resume. This is could be a software issue"
51732diff -urNp linux-2.6.32.9/net/sctp/socket.c linux-2.6.32.9/net/sctp/socket.c
51733--- linux-2.6.32.9/net/sctp/socket.c 2010-02-09 07:57:19.000000000 -0500
51734+++ linux-2.6.32.9/net/sctp/socket.c 2010-02-23 17:09:56.748973675 -0500
51735@@ -1482,7 +1482,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
51736 struct sctp_sndrcvinfo *sinfo;
51737 struct sctp_initmsg *sinit;
51738 sctp_assoc_t associd = 0;
51739- sctp_cmsgs_t cmsgs = { NULL };
51740+ sctp_cmsgs_t cmsgs = { NULL, NULL };
51741 int err;
51742 sctp_scope_t scope;
51743 long timeo;
51744@@ -5802,7 +5802,6 @@ pp_found:
51745 */
51746 int reuse = sk->sk_reuse;
51747 struct sock *sk2;
51748- struct hlist_node *node;
51749
51750 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
51751 if (pp->fastreuse && sk->sk_reuse &&
51752diff -urNp linux-2.6.32.9/net/socket.c linux-2.6.32.9/net/socket.c
51753--- linux-2.6.32.9/net/socket.c 2010-02-09 07:57:19.000000000 -0500
51754+++ linux-2.6.32.9/net/socket.c 2010-02-23 17:09:56.748973675 -0500
51755@@ -87,6 +87,7 @@
51756 #include <linux/wireless.h>
51757 #include <linux/nsproxy.h>
51758 #include <linux/magic.h>
51759+#include <linux/in.h>
51760
51761 #include <asm/uaccess.h>
51762 #include <asm/unistd.h>
51763@@ -97,6 +98,21 @@
51764 #include <net/sock.h>
51765 #include <linux/netfilter.h>
51766
51767+extern void gr_attach_curr_ip(const struct sock *sk);
51768+extern int gr_handle_sock_all(const int family, const int type,
51769+ const int protocol);
51770+extern int gr_handle_sock_server(const struct sockaddr *sck);
51771+extern int gr_handle_sock_server_other(const struct socket *sck);
51772+extern int gr_handle_sock_client(const struct sockaddr *sck);
51773+extern int gr_search_connect(struct socket * sock,
51774+ struct sockaddr_in * addr);
51775+extern int gr_search_bind(struct socket * sock,
51776+ struct sockaddr_in * addr);
51777+extern int gr_search_listen(struct socket * sock);
51778+extern int gr_search_accept(struct socket * sock);
51779+extern int gr_search_socket(const int domain, const int type,
51780+ const int protocol);
51781+
51782 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
51783 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
51784 unsigned long nr_segs, loff_t pos);
51785@@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
51786 mnt);
51787 }
51788
51789-static struct vfsmount *sock_mnt __read_mostly;
51790+struct vfsmount *sock_mnt __read_mostly;
51791
51792 static struct file_system_type sock_fs_type = {
51793 .name = "sockfs",
51794@@ -1283,6 +1299,16 @@ SYSCALL_DEFINE3(socket, int, family, int
51795 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
51796 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
51797
51798+ if(!gr_search_socket(family, type, protocol)) {
51799+ retval = -EACCES;
51800+ goto out;
51801+ }
51802+
51803+ if (gr_handle_sock_all(family, type, protocol)) {
51804+ retval = -EACCES;
51805+ goto out;
51806+ }
51807+
51808 retval = sock_create(family, type, protocol, &sock);
51809 if (retval < 0)
51810 goto out;
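Review bot: The two added checks use opposite return conventions, which is easy to misread: `gr_search_socket()` denies when it returns zero, while `gr_handle_sock_all()` denies when it returns non-zero. Neither prototype in this file documents that, and the later hunks add a third convention where `gr_search_bind`, `gr_search_listen`, `gr_search_accept` and `gr_search_connect` return an errno value directly. A comment at the prototypes, for example `/* gr_search_socket: non-zero = allowed; gr_handle_*: non-zero = denied; other gr_search_*: 0 or -errno */`, would prevent an inverted test at a future call site. `if(!gr_search_socket` also lacks the space after `if` used elsewhere in the hunk.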
51811@@ -1415,6 +1441,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
51812 if (sock) {
51813 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
51814 if (err >= 0) {
51815+ if (gr_handle_sock_server((struct sockaddr *)&address)) {
51816+ err = -EACCES;
51817+ goto error;
51818+ }
51819+ err = gr_search_bind(sock, (struct sockaddr_in *)&address);
51820+ if (err)
51821+ goto error;
51822+
51823 err = security_socket_bind(sock,
51824 (struct sockaddr *)&address,
51825 addrlen);
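Review bot: `gr_search_bind()` receives `&address` cast to `struct sockaddr_in *` without `addrlen` and before any address-family test visible in this hunk, so the callee cannot tell how many bytes `move_addr_to_kernel()` actually filled in. If it reads `sin_port` or `sin_addr` for a short or non-AF_INET address, the policy decision would rest on bytes the caller never supplied; the callee is not visible here, so this needs confirming there. Passing the length through, e.g. `err = gr_search_bind(sock, (struct sockaddr_in *)&address, addrlen);` with the prototype updated to match, makes the contract explicit. The `connect` hunk further down has the same cast for `gr_search_connect()`.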
51826@@ -1423,6 +1457,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
51827 (struct sockaddr *)
51828 &address, addrlen);
51829 }
51830+error:
51831 fput_light(sock->file, fput_needed);
51832 }
51833 return err;
51834@@ -1446,10 +1481,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
51835 if ((unsigned)backlog > somaxconn)
51836 backlog = somaxconn;
51837
51838+ if (gr_handle_sock_server_other(sock)) {
51839+ err = -EPERM;
51840+ goto error;
51841+ }
51842+
51843+ err = gr_search_listen(sock);
51844+ if (err)
51845+ goto error;
51846+
51847 err = security_socket_listen(sock, backlog);
51848 if (!err)
51849 err = sock->ops->listen(sock, backlog);
51850
51851+error:
51852 fput_light(sock->file, fput_needed);
51853 }
51854 return err;
51855@@ -1492,6 +1537,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
51856 newsock->type = sock->type;
51857 newsock->ops = sock->ops;
51858
51859+ if (gr_handle_sock_server_other(sock)) {
51860+ err = -EPERM;
51861+ sock_release(newsock);
51862+ goto out_put;
51863+ }
51864+
51865+ err = gr_search_accept(sock);
51866+ if (err) {
51867+ sock_release(newsock);
51868+ goto out_put;
51869+ }
51870+
51871 /*
51872 * We don't need try_module_get here, as the listening socket (sock)
51873 * has the protocol module (sock->ops->owner) held.
51874@@ -1534,6 +1591,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
51875 fd_install(newfd, newfile);
51876 err = newfd;
51877
51878+ gr_attach_curr_ip(newsock->sk);
51879+
51880 out_put:
51881 fput_light(sock->file, fput_needed);
51882 out:
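Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, at which point the descriptor is already visible to other threads sharing the file table and a concurrent `close()` could release the socket before `newsock->sk` is read. Moving the call one statement up, so the order is `gr_attach_curr_ip(newsock->sk);` then `fd_install(newfd, newfile);`, keeps the access inside the window where this path still owns the new socket. What `gr_attach_curr_ip()` does with the pointer is not visible here, so the impact is inferred from the ordering alone. The syscall body starts outside the hunk.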
51883@@ -1571,6 +1630,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
51884 int, addrlen)
51885 {
51886 struct socket *sock;
51887+ struct sockaddr *sck;
51888 struct sockaddr_storage address;
51889 int err, fput_needed;
51890
51891@@ -1581,6 +1641,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
51892 if (err < 0)
51893 goto out_put;
51894
51895+ sck = (struct sockaddr *)&address;
51896+
51897+ if (gr_handle_sock_client(sck)) {
51898+ err = -EACCES;
51899+ goto out_put;
51900+ }
51901+
51902+ err = gr_search_connect(sock, (struct sockaddr_in *)sck);
51903+ if (err)
51904+ goto out_put;
51905+
51906 err =
51907 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
51908 if (err)
51909diff -urNp linux-2.6.32.9/net/sysctl_net.c linux-2.6.32.9/net/sysctl_net.c
51910--- linux-2.6.32.9/net/sysctl_net.c 2010-02-09 07:57:19.000000000 -0500
51911+++ linux-2.6.32.9/net/sysctl_net.c 2010-02-23 17:09:56.748973675 -0500
51912@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
51913 struct ctl_table *table)
51914 {
51915 /* Allow network administrator to have same access as root. */
51916- if (capable(CAP_NET_ADMIN)) {
51917+ if (capable_nolog(CAP_NET_ADMIN)) {
51918 int mode = (table->mode >> 6) & 7;
51919 return (mode << 6) | (mode << 3) | mode;
51920 }
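Review bot: Replacing `capable(CAP_NET_ADMIN)` with `capable_nolog(CAP_NET_ADMIN)` carries no comment, and judging by the name it drops the audit record for this capability use, which is a security-relevant choice a later reader should not have to guess at. If the reason is that `net_ctl_permissions()` is a permission probe that would otherwise log on every net sysctl access, say so above the test, e.g. `/* permission probe only: use the non-logging check to avoid one log entry per sysctl access */`. `capable_nolog()` is defined elsewhere in the patch, so its exact behaviour should be confirmed there.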
51921diff -urNp linux-2.6.32.9/net/unix/af_unix.c linux-2.6.32.9/net/unix/af_unix.c
51922--- linux-2.6.32.9/net/unix/af_unix.c 2010-02-09 07:57:19.000000000 -0500
51923+++ linux-2.6.32.9/net/unix/af_unix.c 2010-02-23 17:09:56.748973675 -0500
51924@@ -734,6 +734,12 @@ static struct sock *unix_find_other(stru
51925 err = -ECONNREFUSED;
51926 if (!S_ISSOCK(inode->i_mode))
51927 goto put_fail;
51928+
51929+ if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
51930+ err = -EACCES;
51931+ goto put_fail;
51932+ }
51933+
51934 u = unix_find_socket_byinode(net, inode);
51935 if (!u)
51936 goto put_fail;
51937@@ -754,6 +760,13 @@ static struct sock *unix_find_other(stru
51938 if (u) {
51939 struct dentry *dentry;
51940 dentry = unix_sk(u)->dentry;
51941+
51942+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
51943+ err = -EPERM;
51944+ sock_put(u);
51945+ goto fail;
51946+ }
51947+
51948 if (dentry)
51949 touch_atime(unix_sk(u)->mnt, dentry);
51950 } else
51951@@ -839,11 +852,18 @@ static int unix_bind(struct socket *sock
51952 err = security_path_mknod(&nd.path, dentry, mode, 0);
51953 if (err)
51954 goto out_mknod_drop_write;
51955+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
51956+ err = -EACCES;
51957+ goto out_mknod_drop_write;
51958+ }
51959 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
51960 out_mknod_drop_write:
51961 mnt_drop_write(nd.path.mnt);
51962 if (err)
51963 goto out_mknod_dput;
51964+
51965+ gr_handle_create(dentry, nd.path.mnt);
51966+
51967 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
51968 dput(nd.path.dentry);
51969 nd.path.dentry = dentry;
51970@@ -861,6 +881,10 @@ out_mknod_drop_write:
51971 goto out_unlock;
51972 }
51973
51974+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
51975+ sk->sk_peercred.pid = current->pid;
51976+#endif
51977+
51978 list = &unix_socket_table[addr->hash];
51979 } else {
51980 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
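Review bot: The identity stored here is a bare number, `sk->sk_peercred.pid = current->pid`, and the `unix_find_other` hunk above later hands that number to `gr_handle_chroot_unix(u->sk_peercred.pid)`. A numeric pid can be reused after the binding process exits while the socket lives on (for example when inherited by a child), so the chroot decision may end up being made about an unrelated process; how the callee resolves the number is not visible here. The block also has no comment explaining why `sk_peercred`, which normally describes the connected peer, is populated at bind time. A note such as `/* record the binder so gr_handle_chroot_unix() can compare chroots at connect time; assumes the binder outlives the socket */` would state the assumption. `unix_bind` starts outside the hunk.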
51981diff -urNp linux-2.6.32.9/samples/kobject/kset-example.c linux-2.6.32.9/samples/kobject/kset-example.c
51982--- linux-2.6.32.9/samples/kobject/kset-example.c 2010-02-09 07:57:19.000000000 -0500
51983+++ linux-2.6.32.9/samples/kobject/kset-example.c 2010-02-23 17:09:56.748973675 -0500
51984@@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
51985 }
51986
51987 /* Our custom sysfs_ops that we will associate with our ktype later on */
51988-static struct sysfs_ops foo_sysfs_ops = {
51989+static const struct sysfs_ops foo_sysfs_ops = {
51990 .show = foo_attr_show,
51991 .store = foo_attr_store,
51992 };
51993diff -urNp linux-2.6.32.9/scripts/basic/fixdep.c linux-2.6.32.9/scripts/basic/fixdep.c
51994--- linux-2.6.32.9/scripts/basic/fixdep.c 2010-02-09 07:57:19.000000000 -0500
51995+++ linux-2.6.32.9/scripts/basic/fixdep.c 2010-02-23 17:09:56.748973675 -0500
51996@@ -222,9 +222,9 @@ static void use_config(char *m, int slen
51997
51998 static void parse_config_file(char *map, size_t len)
51999 {
52000- int *end = (int *) (map + len);
52001+ unsigned int *end = (unsigned int *) (map + len);
52002 /* start at +1, so that p can never be < map */
52003- int *m = (int *) map + 1;
52004+ unsigned int *m = (unsigned int *) map + 1;
52005 char *p, *q;
52006
52007 for (; m < end; m++) {
52008@@ -371,7 +371,7 @@ static void print_deps(void)
52009 static void traps(void)
52010 {
52011 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
52012- int *p = (int *)test;
52013+ unsigned int *p = (unsigned int *)test;
52014
52015 if (*p != INT_CONF) {
52016 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
52017diff -urNp linux-2.6.32.9/scripts/kallsyms.c linux-2.6.32.9/scripts/kallsyms.c
52018--- linux-2.6.32.9/scripts/kallsyms.c 2010-02-09 07:57:19.000000000 -0500
52019+++ linux-2.6.32.9/scripts/kallsyms.c 2010-02-23 17:09:56.748973675 -0500
52020@@ -43,10 +43,10 @@ struct text_range {
52021
52022 static unsigned long long _text;
52023 static struct text_range text_ranges[] = {
52024- { "_stext", "_etext" },
52025- { "_sinittext", "_einittext" },
52026- { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
52027- { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
52028+ { "_stext", "_etext", 0, 0 },
52029+ { "_sinittext", "_einittext", 0, 0 },
52030+ { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
52031+ { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
52032 };
52033 #define text_range_text (&text_ranges[0])
52034 #define text_range_inittext (&text_ranges[1])
52035diff -urNp linux-2.6.32.9/scripts/mod/file2alias.c linux-2.6.32.9/scripts/mod/file2alias.c
52036--- linux-2.6.32.9/scripts/mod/file2alias.c 2010-02-09 07:57:19.000000000 -0500
52037+++ linux-2.6.32.9/scripts/mod/file2alias.c 2010-02-23 17:09:56.748973675 -0500
52038@@ -72,7 +72,7 @@ static void device_id_check(const char *
52039 unsigned long size, unsigned long id_size,
52040 void *symval)
52041 {
52042- int i;
52043+ unsigned int i;
52044
52045 if (size % id_size || size < id_size) {
52046 if (cross_build != 0)
52047@@ -102,7 +102,7 @@ static void device_id_check(const char *
52048 /* USB is special because the bcdDevice can be matched against a numeric range */
52049 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
52050 static void do_usb_entry(struct usb_device_id *id,
52051- unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
52052+ unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
52053 unsigned char range_lo, unsigned char range_hi,
52054 struct module *mod)
52055 {
52056@@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
52057 for (i = 0; i < count; i++) {
52058 const char *id = (char *)devs[i].id;
52059 char acpi_id[sizeof(devs[0].id)];
52060- int j;
52061+ unsigned int j;
52062
52063 buf_printf(&mod->dev_table_buf,
52064 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52065@@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
52066
52067 for (j = 0; j < PNP_MAX_DEVICES; j++) {
52068 const char *id = (char *)card->devs[j].id;
52069- int i2, j2;
52070+ unsigned int i2, j2;
52071 int dup = 0;
52072
52073 if (!id[0])
52074@@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
52075 /* add an individual alias for every device entry */
52076 if (!dup) {
52077 char acpi_id[sizeof(card->devs[0].id)];
52078- int k;
52079+ unsigned int k;
52080
52081 buf_printf(&mod->dev_table_buf,
52082 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52083@@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
52084 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
52085 char *alias)
52086 {
52087- int i, j;
52088+ unsigned int i, j;
52089
52090 sprintf(alias, "dmi*");
52091
52092diff -urNp linux-2.6.32.9/scripts/mod/modpost.c linux-2.6.32.9/scripts/mod/modpost.c
52093--- linux-2.6.32.9/scripts/mod/modpost.c 2010-02-09 07:57:19.000000000 -0500
52094+++ linux-2.6.32.9/scripts/mod/modpost.c 2010-02-23 17:09:56.748973675 -0500
52095@@ -835,6 +835,7 @@ enum mismatch {
52096 INIT_TO_EXIT,
52097 EXIT_TO_INIT,
52098 EXPORT_TO_INIT_EXIT,
52099+ DATA_TO_TEXT
52100 };
52101
52102 struct sectioncheck {
52103@@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
52104 .fromsec = { "__ksymtab*", NULL },
52105 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
52106 .mismatch = EXPORT_TO_INIT_EXIT
52107+},
52108+/* Do not reference code from writable data */
52109+{
52110+ .fromsec = { DATA_SECTIONS, NULL },
52111+ .tosec = { TEXT_SECTIONS, NULL },
52112+ .mismatch = DATA_TO_TEXT
52113 }
52114 };
52115
52116@@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
52117 continue;
52118 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
52119 continue;
52120- if (sym->st_value == addr)
52121- return sym;
52122 /* Find a symbol nearby - addr are maybe negative */
52123 d = sym->st_value - addr;
52124+ if (d == 0)
52125+ return sym;
52126 if (d < 0)
52127 d = addr - sym->st_value;
52128 if (d < distance) {
52129@@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
52130 "Fix this by removing the %sannotation of %s "
52131 "or drop the export.\n",
52132 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
52133+ case DATA_TO_TEXT:
52134+/*
52135+ fprintf(stderr,
52136+ "The variable %s references\n"
52137+ "the %s %s%s%s\n",
52138+ fromsym, to, sec2annotation(tosec), tosym, to_p);
52139+*/
52140+ break;
52141 case NO_MISMATCH:
52142 /* To get warnings on missing members */
52143 break;
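Review bot: `case DATA_TO_TEXT:` is added directly after the `EXPORT_TO_INIT_EXIT` `fprintf`, which has no `break`, so that case now falls through the new label; this is harmless only because the new body is commented out. Add `break;` before `case DATA_TO_TEXT:` so that enabling the message later does not print it for export mismatches as well. The disabled `fprintf` would be better removed or wrapped in `#if 0` with a stated reason than left as a block comment, because the `sectioncheck[]` entry added in the earlier hunk still classifies data-to-text references as mismatches. `report_sec_mismatch` starts outside the hunk.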
52144@@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
52145 va_end(ap);
52146 }
52147
52148-void buf_write(struct buffer *buf, const char *s, int len)
52149+void buf_write(struct buffer *buf, const char *s, unsigned int len)
52150 {
52151 if (buf->size - buf->pos < len) {
52152 buf->size += len + SZ;
52153@@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
52154 if (fstat(fileno(file), &st) < 0)
52155 goto close_write;
52156
52157- if (st.st_size != b->pos)
52158+ if (st.st_size != (off_t)b->pos)
52159 goto close_write;
52160
52161 tmp = NOFAIL(malloc(b->pos));
52162diff -urNp linux-2.6.32.9/scripts/mod/modpost.h linux-2.6.32.9/scripts/mod/modpost.h
52163--- linux-2.6.32.9/scripts/mod/modpost.h 2010-02-09 07:57:19.000000000 -0500
52164+++ linux-2.6.32.9/scripts/mod/modpost.h 2010-02-23 17:09:56.748973675 -0500
52165@@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
52166
52167 struct buffer {
52168 char *p;
52169- int pos;
52170- int size;
52171+ unsigned int pos;
52172+ unsigned int size;
52173 };
52174
52175 void __attribute__((format(printf, 2, 3)))
52176 buf_printf(struct buffer *buf, const char *fmt, ...);
52177
52178 void
52179-buf_write(struct buffer *buf, const char *s, int len);
52180+buf_write(struct buffer *buf, const char *s, unsigned int len);
52181
52182 struct module {
52183 struct module *next;
52184diff -urNp linux-2.6.32.9/scripts/mod/sumversion.c linux-2.6.32.9/scripts/mod/sumversion.c
52185--- linux-2.6.32.9/scripts/mod/sumversion.c 2010-02-09 07:57:19.000000000 -0500
52186+++ linux-2.6.32.9/scripts/mod/sumversion.c 2010-02-23 17:09:56.748973675 -0500
52187@@ -455,7 +455,7 @@ static void write_version(const char *fi
52188 goto out;
52189 }
52190
52191- if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
52192+ if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
52193 warn("writing sum in %s failed: %s\n",
52194 filename, strerror(errno));
52195 goto out;
52196diff -urNp linux-2.6.32.9/scripts/pnmtologo.c linux-2.6.32.9/scripts/pnmtologo.c
52197--- linux-2.6.32.9/scripts/pnmtologo.c 2010-02-09 07:57:19.000000000 -0500
52198+++ linux-2.6.32.9/scripts/pnmtologo.c 2010-02-23 17:09:56.748973675 -0500
52199@@ -237,14 +237,14 @@ static void write_header(void)
52200 fprintf(out, " * Linux logo %s\n", logoname);
52201 fputs(" */\n\n", out);
52202 fputs("#include <linux/linux_logo.h>\n\n", out);
52203- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
52204+ fprintf(out, "static unsigned char %s_data[] = {\n",
52205 logoname);
52206 }
52207
52208 static void write_footer(void)
52209 {
52210 fputs("\n};\n\n", out);
52211- fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
52212+ fprintf(out, "const struct linux_logo %s = {\n", logoname);
52213 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
52214 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
52215 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
52216@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
52217 fputs("\n};\n\n", out);
52218
52219 /* write logo clut */
52220- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
52221+ fprintf(out, "static unsigned char %s_clut[] = {\n",
52222 logoname);
52223 write_hex_cnt = 0;
52224 for (i = 0; i < logo_clutsize; i++) {
52225diff -urNp linux-2.6.32.9/security/commoncap.c linux-2.6.32.9/security/commoncap.c
52226--- linux-2.6.32.9/security/commoncap.c 2010-02-09 07:57:19.000000000 -0500
52227+++ linux-2.6.32.9/security/commoncap.c 2010-02-23 17:09:56.752223260 -0500
52228@@ -27,7 +27,7 @@
52229 #include <linux/sched.h>
52230 #include <linux/prctl.h>
52231 #include <linux/securebits.h>
52232-
52233+#include <net/sock.h>
52234 /*
52235 * If a non-root user executes a setuid-root binary in
52236 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
52237@@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
52238 }
52239 }
52240
52241+extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
52242+
52243 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
52244 {
52245- NETLINK_CB(skb).eff_cap = current_cap();
52246+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
52247 return 0;
52248 }
52249
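Review bot: `gr_cap_rtnetlink()` is declared with a bare `extern` inside commoncap.c, so the compiler cannot check this prototype against the definition; the declaration belongs in a header that both files include. Its body is not part of this hunk, and because its return value replaces `current_cap()` as the `eff_cap` stamped on the outgoing netlink message, it is worth confirming that it never returns more than the sender's effective set. A comment above cap_netlink_send() such as `/* gr_cap_rtnetlink() must never return more than current_cap() */` would record that invariant.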
52250diff -urNp linux-2.6.32.9/security/integrity/ima/ima_api.c linux-2.6.32.9/security/integrity/ima/ima_api.c
52251--- linux-2.6.32.9/security/integrity/ima/ima_api.c 2010-02-09 07:57:19.000000000 -0500
52252+++ linux-2.6.32.9/security/integrity/ima/ima_api.c 2010-02-23 17:09:56.752223260 -0500
52253@@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
52254 int result;
52255
52256 /* can overflow, only indicator */
52257- atomic_long_inc(&ima_htable.violations);
52258+ atomic_long_inc_unchecked(&ima_htable.violations);
52259
52260 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
52261 if (!entry) {
52262diff -urNp linux-2.6.32.9/security/integrity/ima/ima_fs.c linux-2.6.32.9/security/integrity/ima/ima_fs.c
52263--- linux-2.6.32.9/security/integrity/ima/ima_fs.c 2010-02-09 07:57:19.000000000 -0500
52264+++ linux-2.6.32.9/security/integrity/ima/ima_fs.c 2010-02-23 17:09:56.752223260 -0500
52265@@ -27,12 +27,12 @@
52266 static int valid_policy = 1;
52267 #define TMPBUFLEN 12
52268 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
52269- loff_t *ppos, atomic_long_t *val)
52270+ loff_t *ppos, atomic_long_unchecked_t *val)
52271 {
52272 char tmpbuf[TMPBUFLEN];
52273 ssize_t len;
52274
52275- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
52276+ len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
52277 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
52278 }
52279
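Review bot: The changed `scnprintf()` line formats a `long` with `"%li\n"` into a buffer of `TMPBUFLEN` 12 bytes, which holds at most 11 characters, so on a 64-bit build any value wider than ten digits is silently cut short. The write itself is bounded, so this is a wrong-output problem rather than an overflow, but it matters more now that the counter is explicitly allowed to wrap. Sizing the buffer for the widest value, `#define TMPBUFLEN 22`, removes the truncation.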
52280diff -urNp linux-2.6.32.9/security/integrity/ima/ima.h linux-2.6.32.9/security/integrity/ima/ima.h
52281--- linux-2.6.32.9/security/integrity/ima/ima.h 2010-02-09 07:57:19.000000000 -0500
52282+++ linux-2.6.32.9/security/integrity/ima/ima.h 2010-02-23 17:09:56.752223260 -0500
52283@@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
52284 extern spinlock_t ima_queue_lock;
52285
52286 struct ima_h_table {
52287- atomic_long_t len; /* number of stored measurements in the list */
52288- atomic_long_t violations;
52289+ atomic_long_unchecked_t len; /* number of stored measurements in the list */
52290+ atomic_long_unchecked_t violations;
52291 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
52292 };
52293 extern struct ima_h_table ima_htable;
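Review bot: The switch of `len` and `violations` to `atomic_long_unchecked_t` is not explained at the declaration; only the ima_add_violation() hunk in ima_api.c carries a hint (`/* can overflow, only indicator */`), and that covers `violations` alone. The `_unchecked` type appears to opt these fields out of the overflow detection that PAX_REFCOUNT describes in security/Kconfig, so a comment here such as `/* statistics only, not a reference count: wraparound is harmless */` would tell readers why that is safe. The ima_queue.c and ima_fs.c hunks rely on the same assumption. For `len` this should be checked rather than assumed, because nothing visible shows how the value is consumed.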
52294diff -urNp linux-2.6.32.9/security/integrity/ima/ima_queue.c linux-2.6.32.9/security/integrity/ima/ima_queue.c
52295--- linux-2.6.32.9/security/integrity/ima/ima_queue.c 2010-02-09 07:57:19.000000000 -0500
52296+++ linux-2.6.32.9/security/integrity/ima/ima_queue.c 2010-02-23 17:09:56.752223260 -0500
52297@@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
52298 INIT_LIST_HEAD(&qe->later);
52299 list_add_tail_rcu(&qe->later, &ima_measurements);
52300
52301- atomic_long_inc(&ima_htable.len);
52302+ atomic_long_inc_unchecked(&ima_htable.len);
52303 key = ima_hash_key(entry->digest);
52304 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
52305 return 0;
52306diff -urNp linux-2.6.32.9/security/Kconfig linux-2.6.32.9/security/Kconfig
52307--- linux-2.6.32.9/security/Kconfig 2010-02-09 07:57:19.000000000 -0500
52308+++ linux-2.6.32.9/security/Kconfig 2010-02-23 17:09:56.752223260 -0500
52309@@ -4,6 +4,488 @@
52310
52311 menu "Security options"
52312
52313+source grsecurity/Kconfig
52314+
52315+menu "PaX"
52316+
52317+config PAX
52318+ bool "Enable various PaX features"
52319+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86)
52320+ help
52321+ This allows you to enable various PaX features. PaX adds
52322+ intrusion prevention mechanisms to the kernel that reduce
52323+ the risks posed by exploitable memory corruption bugs.
52324+
52325+menu "PaX Control"
52326+ depends on PAX
52327+
52328+config PAX_SOFTMODE
52329+ bool 'Support soft mode'
52330+ select PAX_PT_PAX_FLAGS
52331+ help
52332+ Enabling this option will allow you to run PaX in soft mode, that
52333+ is, PaX features will not be enforced by default, only on executables
52334+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
52335+ is the only way to mark executables for soft mode use.
52336+
52337+ Soft mode can be activated by using the "pax_softmode=1" kernel command
52338+ line option on boot. Furthermore you can control various PaX features
52339+ at runtime via the entries in /proc/sys/kernel/pax.
52340+
52341+config PAX_EI_PAX
52342+ bool 'Use legacy ELF header marking'
52343+ help
52344+ Enabling this option will allow you to control PaX features on
52345+ a per executable basis via the 'chpax' utility available at
52346+ http://pax.grsecurity.net/. The control flags will be read from
52347+ an otherwise reserved part of the ELF header. This marking has
52348+ numerous drawbacks (no support for soft-mode, toolchain does not
52349+ know about the non-standard use of the ELF header) therefore it
52350+ has been deprecated in favour of PT_PAX_FLAGS support.
52351+
52352+ If you have applications not marked by the PT_PAX_FLAGS ELF
52353+ program header then you MUST enable this option otherwise they
52354+ will not get any protection.
52355+
52356+ Note that if you enable PT_PAX_FLAGS marking support as well,
52357+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
52358+
52359+config PAX_PT_PAX_FLAGS
52360+ bool 'Use ELF program header marking'
52361+ help
52362+ Enabling this option will allow you to control PaX features on
52363+ a per executable basis via the 'paxctl' utility available at
52364+ http://pax.grsecurity.net/. The control flags will be read from
52365+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
52366+ has the benefits of supporting both soft mode and being fully
52367+ integrated into the toolchain (the binutils patch is available
52368+ from http://pax.grsecurity.net).
52369+
52370+ If you have applications not marked by the PT_PAX_FLAGS ELF
52371+ program header then you MUST enable the EI_PAX marking support
52372+ otherwise they will not get any protection.
52373+
52374+ Note that if you enable the legacy EI_PAX marking support as well,
52375+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
52376+
52377+choice
52378+ prompt 'MAC system integration'
52379+ default PAX_HAVE_ACL_FLAGS
52380+ help
52381+ Mandatory Access Control systems have the option of controlling
52382+ PaX flags on a per executable basis, choose the method supported
52383+ by your particular system.
52384+
52385+ - "none": if your MAC system does not interact with PaX,
52386+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
52387+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
52388+
52389+ NOTE: this option is for developers/integrators only.
52390+
52391+ config PAX_NO_ACL_FLAGS
52392+ bool 'none'
52393+
52394+ config PAX_HAVE_ACL_FLAGS
52395+ bool 'direct'
52396+
52397+ config PAX_HOOK_ACL_FLAGS
52398+ bool 'hook'
52399+endchoice
52400+
52401+endmenu
52402+
52403+menu "Non-executable pages"
52404+ depends on PAX
52405+
52406+config PAX_NOEXEC
52407+ bool "Enforce non-executable pages"
52408+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || S390 || SPARC32 || SPARC64 || X86)
52409+ help
52410+ By design some architectures do not allow for protecting memory
52411+ pages against execution or even if they do, Linux does not make
52412+ use of this feature. In practice this means that if a page is
52413+ readable (such as the stack or heap) it is also executable.
52414+
52415+ There is a well known exploit technique that makes use of this
52416+ fact and a common programming mistake where an attacker can
52417+ introduce code of his choice somewhere in the attacked program's
52418+ memory (typically the stack or the heap) and then execute it.
52419+
52420+ If the attacked program was running with different (typically
52421+ higher) privileges than that of the attacker, then he can elevate
52422+ his own privilege level (e.g. get a root shell, write to files for
52423+ which he does not have write access to, etc).
52424+
52425+ Enabling this option will let you choose from various features
52426+ that prevent the injection and execution of 'foreign' code in
52427+ a program.
52428+
52429+ This will also break programs that rely on the old behaviour and
52430+ expect that dynamically allocated memory via the malloc() family
52431+ of functions is executable (which it is not). Notable examples
52432+ are the XFree86 4.x server, the java runtime and wine.
52433+
52434+config PAX_PAGEEXEC
52435+ bool "Paging based non-executable pages"
52436+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
52437+ select S390_SWITCH_AMODE if S390
52438+ select S390_EXEC_PROTECT if S390
52439+ help
52440+ This implementation is based on the paging feature of the CPU.
52441+ On i386 without hardware non-executable bit support there is a
52442+ variable but usually low performance impact, however on Intel's
52443+ P4 core based CPUs it is very high so you should not enable this
52444+ for kernels meant to be used on such CPUs.
52445+
52446+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
52447+ with hardware non-executable bit support there is no performance
52448+ impact, on ppc the impact is negligible.
52449+
52450+ Note that several architectures require various emulations due to
52451+ badly designed userland ABIs, this will cause a performance impact
52452+ but will disappear as soon as userland is fixed. For example, ppc
52453+ userland MUST have been built with secure-plt by a recent toolchain.
52454+
52455+config PAX_SEGMEXEC
52456+ bool "Segmentation based non-executable pages"
52457+ depends on PAX_NOEXEC && X86_32
52458+ help
52459+ This implementation is based on the segmentation feature of the
52460+ CPU and has a very small performance impact, however applications
52461+ will be limited to a 1.5 GB address space instead of the normal
52462+ 3 GB.
52463+
52464+config PAX_EMUTRAMP
52465+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
52466+ default y if PARISC
52467+ help
52468+ There are some programs and libraries that for one reason or
52469+ another attempt to execute special small code snippets from
52470+ non-executable memory pages. Most notable examples are the
52471+ signal handler return code generated by the kernel itself and
52472+ the GCC trampolines.
52473+
52474+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
52475+ such programs will no longer work under your kernel.
52476+
52477+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
52478+ utilities to enable trampoline emulation for the affected programs
52479+ yet still have the protection provided by the non-executable pages.
52480+
52481+ On parisc you MUST enable this option and EMUSIGRT as well, otherwise
52482+ your system will not even boot.
52483+
52484+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
52485+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
52486+ for the affected files.
52487+
52488+ NOTE: enabling this feature *may* open up a loophole in the
52489+ protection provided by non-executable pages that an attacker
52490+ could abuse. Therefore the best solution is to not have any
52491+ files on your system that would require this option. This can
52492+ be achieved by not using libc5 (which relies on the kernel
52493+ signal handler return code) and not using or rewriting programs
52494+ that make use of the nested function implementation of GCC.
52495+ Skilled users can just fix GCC itself so that it implements
52496+ nested function calls in a way that does not interfere with PaX.
52497+
52498+config PAX_EMUSIGRT
52499+ bool "Automatically emulate sigreturn trampolines"
52500+ depends on PAX_EMUTRAMP && PARISC
52501+ default y
52502+ help
52503+ Enabling this option will have the kernel automatically detect
52504+ and emulate signal return trampolines executing on the stack
52505+ that would otherwise lead to task termination.
52506+
52507+ This solution is intended as a temporary one for users with
52508+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
52509+ Modula-3 runtime, etc) or executables linked to such, basically
52510+ everything that does not specify its own SA_RESTORER function in
52511+ normal executable memory like glibc 2.1+ does.
52512+
52513+ On parisc you MUST enable this option, otherwise your system will
52514+ not even boot.
52515+
52516+ NOTE: this feature cannot be disabled on a per executable basis
52517+ and since it *does* open up a loophole in the protection provided
52518+ by non-executable pages, the best solution is to not have any
52519+ files on your system that would require this option.
52520+
52521+config PAX_MPROTECT
52522+ bool "Restrict mprotect()"
52523+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
52524+ help
52525+ Enabling this option will prevent programs from
52526+ - changing the executable status of memory pages that were
52527+ not originally created as executable,
52528+ - making read-only executable pages writable again,
52529+ - creating executable pages from anonymous memory.
52530+
52531+ You should say Y here to complete the protection provided by
52532+ the enforcement of non-executable pages.
52533+
52534+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52535+ this feature on a per file basis.
52536+
52537+config PAX_NOELFRELOCS
52538+ bool "Disallow ELF text relocations"
52539+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || PPC || X86)
52540+ help
52541+ Non-executable pages and mprotect() restrictions are effective
52542+ in preventing the introduction of new executable code into an
52543+ attacked task's address space. There remain only two venues
52544+ for this kind of attack: if the attacker can execute already
52545+ existing code in the attacked task then he can either have it
52546+ create and mmap() a file containing his code or have it mmap()
52547+ an already existing ELF library that does not have position
52548+ independent code in it and use mprotect() on it to make it
52549+ writable and copy his code there. While protecting against
52550+ the former approach is beyond PaX, the latter can be prevented
52551+ by having only PIC ELF libraries on one's system (which do not
52552+ need to relocate their code). If you are sure this is your case,
52553+ then enable this option otherwise be careful as you may not even
52554+ be able to boot or log on your system (for example, some PAM
52555+ modules are erroneously compiled as non-PIC by default).
52556+
52557+ NOTE: if you are using dynamic ELF executables (as suggested
52558+ when using ASLR) then you must have made sure that you linked
52559+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
52560+ referenced there has already been updated to support this).
52561+
52562+config PAX_ETEXECRELOCS
52563+ bool "Allow ELF ET_EXEC text relocations"
52564+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
52565+ default y
52566+ help
52567+ On some architectures there are incorrectly created applications
52568+ that require text relocations and would not work without enabling
52569+ this option. If you are an alpha, ia64 or parisc user, you should
52570+ enable this option and disable it once you have made sure that
52571+ none of your applications need it.
52572+
52573+config PAX_EMUPLT
52574+ bool "Automatically emulate ELF PLT"
52575+ depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC32 || SPARC64)
52576+ default y
52577+ help
52578+ Enabling this option will have the kernel automatically detect
52579+ and emulate the Procedure Linkage Table entries in ELF files.
52580+ On some architectures such entries are in writable memory, and
52581+ become non-executable leading to task termination. Therefore
52582+ it is mandatory that you enable this option on alpha, parisc,
52583+ sparc and sparc64, otherwise your system would not even boot.
52584+
52585+ NOTE: this feature *does* open up a loophole in the protection
52586+ provided by the non-executable pages, therefore the proper
52587+ solution is to modify the toolchain to produce a PLT that does
52588+ not need to be writable.
52589+
52590+config PAX_DLRESOLVE
52591+ bool 'Emulate old glibc resolver stub'
52592+ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
52593+ default n
52594+ help
52595+ This option is needed if userland has an old glibc (before 2.4)
52596+ that puts a 'save' instruction into the runtime generated resolver
52597+ stub that needs special emulation.
52598+
52599+config PAX_KERNEXEC
52600+ bool "Enforce non-executable kernel pages"
52601+ depends on PAX_NOEXEC && (PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
52602+ help
52603+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
52604+ that is, enabling this option will make it harder to inject
52605+ and execute 'foreign' code in kernel memory itself.
52606+
52607+config PAX_KERNEXEC_MODULE_TEXT
52608+ int "Minimum amount of memory reserved for module code"
52609+ default "4"
52610+ depends on PAX_KERNEXEC && X86_32 && MODULES
52611+ help
52612+ Due to implementation details the kernel must reserve a fixed
52613+ amount of memory for module code at compile time that cannot be
52614+ changed at runtime. Here you can specify the minimum amount
52615+ in MB that will be reserved. Due to the same implementation
52616+ details this size will always be rounded up to the next 2/4 MB
52617+ boundary (depends on PAE) so the actually available memory for
52618+ module code will usually be more than this minimum.
52619+
52620+ The default 4 MB should be enough for most users but if you have
52621+ an excessive number of modules (e.g., most distribution configs
52622+ compile many drivers as modules) or use huge modules such as
52623+ nvidia's kernel driver, you will need to adjust this amount.
52624+ A good rule of thumb is to look at your currently loaded kernel
52625+ modules and add up their sizes.
52626+
52627+endmenu
52628+
52629+menu "Address Space Layout Randomization"
52630+ depends on PAX
52631+
52632+config PAX_ASLR
52633+ bool "Address Space Layout Randomization"
52634+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
52635+ help
52636+ Many if not most exploit techniques rely on the knowledge of
52637+ certain addresses in the attacked program. The following options
52638+ will allow the kernel to apply a certain amount of randomization
52639+ to specific parts of the program thereby forcing an attacker to
52640+ guess them in most cases. Any failed guess will most likely crash
52641+ the attacked program which allows the kernel to detect such attempts
52642+ and react on them. PaX itself provides no reaction mechanisms,
52643+ instead it is strongly encouraged that you make use of Nergal's
52644+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
52645+ (http://www.grsecurity.net/) built-in crash detection features or
52646+ develop one yourself.
52647+
52648+ By saying Y here you can choose to randomize the following areas:
52649+ - top of the task's kernel stack
52650+ - top of the task's userland stack
52651+ - base address for mmap() requests that do not specify one
52652+ (this includes all libraries)
52653+ - base address of the main executable
52654+
52655+ It is strongly recommended to say Y here as address space layout
52656+ randomization has negligible impact on performance yet it provides
52657+ a very effective protection.
52658+
52659+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52660+ this feature on a per file basis.
52661+
52662+config PAX_RANDKSTACK
52663+ bool "Randomize kernel stack base"
52664+ depends on PAX_ASLR && X86_TSC && X86_32
52665+ help
52666+ By saying Y here the kernel will randomize every task's kernel
52667+ stack on every system call. This will not only force an attacker
52668+ to guess it but also prevent him from making use of possible
52669+ leaked information about it.
52670+
52671+ Since the kernel stack is a rather scarce resource, randomization
52672+ may cause unexpected stack overflows, therefore you should very
52673+ carefully test your system. Note that once enabled in the kernel
52674+ configuration, this feature cannot be disabled on a per file basis.
52675+
52676+config PAX_RANDUSTACK
52677+ bool "Randomize user stack base"
52678+ depends on PAX_ASLR
52679+ help
52680+ By saying Y here the kernel will randomize every task's userland
52681+ stack. The randomization is done in two steps where the second
52682+ one may apply a big amount of shift to the top of the stack and
52683+ cause problems for programs that want to use lots of memory (more
52684+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
52685+ For this reason the second step can be controlled by 'chpax' or
52686+ 'paxctl' on a per file basis.
52687+
52688+config PAX_RANDMMAP
52689+ bool "Randomize mmap() base"
52690+ depends on PAX_ASLR
52691+ help
52692+ By saying Y here the kernel will use a randomized base address for
52693+ mmap() requests that do not specify one themselves. As a result
52694+ all dynamically loaded libraries will appear at random addresses
52695+ and therefore be harder to exploit by a technique where an attacker
52696+ attempts to execute library code for his purposes (e.g. spawn a
52697+ shell from an exploited program that is running at an elevated
52698+ privilege level).
52699+
52700+ Furthermore, if a program is relinked as a dynamic ELF file, its
52701+ base address will be randomized as well, completing the full
52702+ randomization of the address space layout. Attacking such programs
52703+ becomes a guess game. You can find an example of doing this at
52704+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
52705+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
52706+
52707+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
52708+ feature on a per file basis.
52709+
52710+endmenu
52711+
52712+menu "Miscellaneous hardening features"
52713+
52714+config PAX_MEMORY_SANITIZE
52715+ bool "Sanitize all freed memory"
52716+ help
52717+ By saying Y here the kernel will erase memory pages as soon as they
52718+ are freed. This in turn reduces the lifetime of data stored in the
52719+ pages, making it less likely that sensitive information such as
52720+ passwords, cryptographic secrets, etc stay in memory for too long.
52721+
52722+ This is especially useful for programs whose runtime is short, long
52723+ lived processes and the kernel itself benefit from this as long as
52724+ they operate on whole memory pages and ensure timely freeing of pages
52725+ that may hold sensitive information.
52726+
52727+ The tradeoff is performance impact, on a single CPU system kernel
52728+ compilation sees a 3% slowdown, other systems and workloads may vary
52729+ and you are advised to test this feature on your expected workload
52730+ before deploying it.
52731+
52732+ Note that this feature does not protect data stored in live pages,
52733+ e.g., process memory swapped to disk may stay there for a long time.
52734+
52735+config PAX_MEMORY_UDEREF
52736+ bool "Prevent invalid userland pointer dereference"
52737+ depends on X86_32 && !UML_X86 && !XEN
52738+ help
52739+ By saying Y here the kernel will be prevented from dereferencing
52740+ userland pointers in contexts where the kernel expects only kernel
52741+ pointers. This is both a useful runtime debugging feature and a
52742+ security measure that prevents exploiting a class of kernel bugs.
52743+
52744+ The tradeoff is that some virtualization solutions may experience
52745+ a huge slowdown and therefore you should not enable this feature
52746+ for kernels meant to run in such environments. Whether a given VM
52747+ solution is affected or not is best determined by simply trying it
52748+ out, the performance impact will be obvious right on boot as this
52749+ mechanism engages from very early on. A good rule of thumb is that
52750+ VMs running on CPUs without hardware virtualization support (i.e.,
52751+ the majority of IA-32 CPUs) will likely experience the slowdown.
52752+
52753+config PAX_REFCOUNT
52754+ bool "Prevent various kernel object reference counter overflows"
52755+ depends on GRKERNSEC && (X86 || SPARC64)
52756+ help
52757+ By saying Y here the kernel will detect and prevent overflowing
52758+ various (but not all) kinds of object reference counters. Such
52759+ overflows can normally occur due to bugs only and are often, if
52760+ not always, exploitable.
52761+
52762+ The tradeoff is that data structures protected by an overflowed
52763+ refcount will never be freed and therefore will leak memory. Note
52764+ that this leak also happens even without this protection but in
52765+ that case the overflow can eventually trigger the freeing of the
52766+ data structure while it is still being used elsewhere, resulting
52767+ in the exploitable situation that this feature prevents.
52768+
52769+ Since this has a negligible performance impact, you should enable
52770+ this feature.
52771+
52772+config PAX_USERCOPY
52773+ bool "Bounds check heap object copies between kernel and userland"
52774+ depends on X86 || PPC32 || PPC64 || SPARC32 || SPARC64
52775+ depends on GRKERNSEC && (SLAB || SLUB || SLOB)
52776+ help
52777+ By saying Y here the kernel will enforce the size of heap objects
52778+ when they are copied in either direction between the kernel and
52779+ userland, even if only a part of the heap object is copied.
52780+
52781+ Specifically, this checking prevents information leaking from the
52782+ kernel heap during kernel to userland copies (if the kernel heap
52783+ object is otherwise fully initialized) and prevents kernel heap
52784+ overflows during userland to kernel copies.
52785+
52786+ Note that the current implementation provides the strictest checks
52787+ for the SLUB allocator.
52788+
52789+ Since this has a negligible performance impact, you should enable
52790+ this feature.
52791+endmenu
52792+
52793+endmenu
52794+
52795 config KEYS
52796 bool "Enable access key retention support"
52797 help
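Review bot: The "Miscellaneous hardening features" menu has no `depends on PAX`, unlike the "PaX Control", "Non-executable pages" and "Address Space Layout Randomization" menus, and PAX_MEMORY_SANITIZE has no `depends on` line at all, so it can be selected with PAX and GRKERNSEC switched off. PAX_MEMORY_UDEREF likewise depends only on architecture and platform symbols. If that is intended, a `#` comment above the menu should say so; otherwise add `depends on PAX` under the `menu` line to match the other three.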
52798@@ -146,7 +628,7 @@ config INTEL_TXT
52799 config LSM_MMAP_MIN_ADDR
52800 int "Low address space for LSM to protect from user allocation"
52801 depends on SECURITY && SECURITY_SELINUX
52802- default 65536
52803+ default 32768
52804 help
52805 This is the portion of low virtual memory which should be protected
52806 from userspace allocation. Keeping a user from writing to low pages
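Review bot: Lowering the LSM_MMAP_MIN_ADDR default from 65536 to 32768 halves the low-address range that userspace is kept out of, and nothing in the hunk says why. This range is the guard that keeps a kernel NULL-pointer dereference from landing on attacker-mapped memory, so the reason for shrinking it (for example a compatibility constraint) should be recorded in a `#` comment next to `default 32768`. The help text continues outside the hunk; if it recommends a particular value, it needs to agree with the new default.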
52807diff -urNp linux-2.6.32.9/security/min_addr.c linux-2.6.32.9/security/min_addr.c
52808--- linux-2.6.32.9/security/min_addr.c 2010-02-09 07:57:19.000000000 -0500
52809+++ linux-2.6.32.9/security/min_addr.c 2010-02-23 17:09:56.752223260 -0500
52810@@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
52811 */
52812 static void update_mmap_min_addr(void)
52813 {
52814+#ifndef SPARC
52815 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
52816 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
52817 mmap_min_addr = dac_mmap_min_addr;
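Review bot: `#ifndef SPARC` tests a macro that neither Kconfig nor the compiler normally defines, since Kconfig symbols reach C code with a `CONFIG_` prefix. Unless `SPARC` is defined somewhere outside this hunk, the guard is always true and the body is compiled on sparc as well. If the intent is to skip the update on sparc, the line should read `#ifndef CONFIG_SPARC`; the matching `#endif` is added in the next hunk. update_mmap_min_addr() starts in this hunk and ends in the following one.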
52818@@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
52819 #else
52820 mmap_min_addr = dac_mmap_min_addr;
52821 #endif
52822+#endif
52823 }
52824
52825 /*
52826@@ -33,6 +35,9 @@ int mmap_min_addr_handler(struct ctl_tab
52827 {
52828 int ret;
52829
52830+ if (!capable(CAP_SYS_RAWIO))
52831+ return -EPERM;
52832+
52833 ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
52834
52835 update_mmap_min_addr();
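Review bot: The added `capable(CAP_SYS_RAWIO)` test runs before `write` is looked at, so it rejects reads of the sysctl as well as writes. If the aim is only to stop unprivileged changes to mmap_min_addr, the condition should be `if (write && !capable(CAP_SYS_RAWIO))`. If hiding the value from unprivileged readers is deliberate, a comment saying so would stop someone relaxing it later by mistake. mmap_min_addr_handler() begins and ends outside the hunk.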
52836diff -urNp linux-2.6.32.9/sound/aoa/codecs/onyx.c linux-2.6.32.9/sound/aoa/codecs/onyx.c
52837--- linux-2.6.32.9/sound/aoa/codecs/onyx.c 2010-02-09 07:57:19.000000000 -0500
52838+++ linux-2.6.32.9/sound/aoa/codecs/onyx.c 2010-02-23 17:09:56.752223260 -0500
52839@@ -53,7 +53,7 @@ struct onyx {
52840 spdif_locked:1,
52841 analog_locked:1,
52842 original_mute:2;
52843- int open_count;
52844+ atomic_t open_count;
52845 struct codec_info *codec_info;
52846
52847 /* mutex serializes concurrent access to the device
52848@@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
52849 struct onyx *onyx = cii->codec_data;
52850
52851 mutex_lock(&onyx->mutex);
52852- onyx->open_count++;
52853+ atomic_inc(&onyx->open_count);
52854 mutex_unlock(&onyx->mutex);
52855
52856 return 0;
52857@@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
52858 struct onyx *onyx = cii->codec_data;
52859
52860 mutex_lock(&onyx->mutex);
52861- onyx->open_count--;
52862- if (!onyx->open_count)
52863+ if (atomic_dec_and_test(&onyx->open_count))
52864 onyx->spdif_locked = onyx->analog_locked = 0;
52865 mutex_unlock(&onyx->mutex);
52866
52867diff -urNp linux-2.6.32.9/sound/core/oss/pcm_oss.c linux-2.6.32.9/sound/core/oss/pcm_oss.c
52868--- linux-2.6.32.9/sound/core/oss/pcm_oss.c 2010-02-09 07:57:19.000000000 -0500
52869+++ linux-2.6.32.9/sound/core/oss/pcm_oss.c 2010-02-23 17:09:56.752223260 -0500
52870@@ -2949,8 +2949,8 @@ static void snd_pcm_oss_proc_done(struct
52871 }
52872 }
52873 #else /* !CONFIG_SND_VERBOSE_PROCFS */
52874-#define snd_pcm_oss_proc_init(pcm)
52875-#define snd_pcm_oss_proc_done(pcm)
52876+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
52877+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
52878 #endif /* CONFIG_SND_VERBOSE_PROCFS */
52879
52880 /*
52881diff -urNp linux-2.6.32.9/sound/core/seq/seq_lock.h linux-2.6.32.9/sound/core/seq/seq_lock.h
52882--- linux-2.6.32.9/sound/core/seq/seq_lock.h 2010-02-09 07:57:19.000000000 -0500
52883+++ linux-2.6.32.9/sound/core/seq/seq_lock.h 2010-02-23 17:09:56.752223260 -0500
52884@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
52885 #else /* SMP || CONFIG_SND_DEBUG */
52886
52887 typedef spinlock_t snd_use_lock_t; /* dummy */
52888-#define snd_use_lock_init(lockp) /**/
52889-#define snd_use_lock_use(lockp) /**/
52890-#define snd_use_lock_free(lockp) /**/
52891-#define snd_use_lock_sync(lockp) /**/
52892+#define snd_use_lock_init(lockp) do {} while (0)
52893+#define snd_use_lock_use(lockp) do {} while (0)
52894+#define snd_use_lock_free(lockp) do {} while (0)
52895+#define snd_use_lock_sync(lockp) do {} while (0)
52896
52897 #endif /* SMP || CONFIG_SND_DEBUG */
52898
52899diff -urNp linux-2.6.32.9/sound/drivers/mts64.c linux-2.6.32.9/sound/drivers/mts64.c
52900--- linux-2.6.32.9/sound/drivers/mts64.c 2010-02-09 07:57:19.000000000 -0500
52901+++ linux-2.6.32.9/sound/drivers/mts64.c 2010-02-23 17:09:56.752223260 -0500
52902@@ -65,7 +65,7 @@ struct mts64 {
52903 struct pardevice *pardev;
52904 int pardev_claimed;
52905
52906- int open_count;
52907+ atomic_t open_count;
52908 int current_midi_output_port;
52909 int current_midi_input_port;
52910 u8 mode[MTS64_NUM_INPUT_PORTS];
52911@@ -695,7 +695,7 @@ static int snd_mts64_rawmidi_open(struct
52912 {
52913 struct mts64 *mts = substream->rmidi->private_data;
52914
52915- if (mts->open_count == 0) {
52916+ if (atomic_read(&mts->open_count) == 0) {
52917 /* We don't need a spinlock here, because this is just called
52918 if the device has not been opened before.
52919 So there aren't any IRQs from the device */
52920@@ -703,7 +703,7 @@ static int snd_mts64_rawmidi_open(struct
52921
52922 msleep(50);
52923 }
52924- ++(mts->open_count);
52925+ atomic_inc(&mts->open_count);
52926
52927 return 0;
52928 }
52929@@ -713,8 +713,7 @@ static int snd_mts64_rawmidi_close(struc
52930 struct mts64 *mts = substream->rmidi->private_data;
52931 unsigned long flags;
52932
52933- --(mts->open_count);
52934- if (mts->open_count == 0) {
52935+ if (atomic_dec_return(&mts->open_count) == 0) {
52936 /* We need the spinlock_irqsave here because we can still
52937 have IRQs at this point */
52938 spin_lock_irqsave(&mts->lock, flags);
52939@@ -723,8 +722,8 @@ static int snd_mts64_rawmidi_close(struc
52940
52941 msleep(500);
52942
52943- } else if (mts->open_count < 0)
52944- mts->open_count = 0;
52945+ } else if (atomic_read(&mts->open_count) < 0)
52946+ atomic_set(&mts->open_count, 0);
52947
52948 return 0;
52949 }
52950diff -urNp linux-2.6.32.9/sound/drivers/portman2x4.c linux-2.6.32.9/sound/drivers/portman2x4.c
52951--- linux-2.6.32.9/sound/drivers/portman2x4.c 2010-02-09 07:57:19.000000000 -0500
52952+++ linux-2.6.32.9/sound/drivers/portman2x4.c 2010-02-23 17:09:56.752223260 -0500
52953@@ -83,7 +83,7 @@ struct portman {
52954 struct pardevice *pardev;
52955 int pardev_claimed;
52956
52957- int open_count;
52958+ atomic_t open_count;
52959 int mode[PORTMAN_NUM_INPUT_PORTS];
52960 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
52961 };
52962diff -urNp linux-2.6.32.9/sound/pci/ac97/ac97_codec.c linux-2.6.32.9/sound/pci/ac97/ac97_codec.c
52963--- linux-2.6.32.9/sound/pci/ac97/ac97_codec.c 2010-02-09 07:57:19.000000000 -0500
52964+++ linux-2.6.32.9/sound/pci/ac97/ac97_codec.c 2010-02-23 17:09:56.752223260 -0500
52965@@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
52966 }
52967
52968 /* build_ops to do nothing */
52969-static struct snd_ac97_build_ops null_build_ops;
52970+static const struct snd_ac97_build_ops null_build_ops;
52971
52972 #ifdef CONFIG_SND_AC97_POWER_SAVE
52973 static void do_update_power(struct work_struct *work)
52974diff -urNp linux-2.6.32.9/sound/pci/ac97/ac97_patch.c linux-2.6.32.9/sound/pci/ac97/ac97_patch.c
52975--- linux-2.6.32.9/sound/pci/ac97/ac97_patch.c 2010-02-09 07:57:19.000000000 -0500
52976+++ linux-2.6.32.9/sound/pci/ac97/ac97_patch.c 2010-02-23 17:09:56.762371914 -0500
52977@@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
52978 return 0;
52979 }
52980
52981-static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
52982+static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
52983 .build_spdif = patch_yamaha_ymf743_build_spdif,
52984 .build_3d = patch_yamaha_ymf7x3_3d,
52985 };
52986@@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
52987 return 0;
52988 }
52989
52990-static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
52991+static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
52992 .build_3d = patch_yamaha_ymf7x3_3d,
52993 .build_post_spdif = patch_yamaha_ymf753_post_spdif
52994 };
52995@@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
52996 return 0;
52997 }
52998
52999-static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53000+static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53001 .build_specific = patch_wolfson_wm9703_specific,
53002 };
53003
53004@@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
53005 return 0;
53006 }
53007
53008-static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53009+static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53010 .build_specific = patch_wolfson_wm9704_specific,
53011 };
53012
53013@@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
53014 return 0;
53015 }
53016
53017-static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53018+static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53019 .build_specific = patch_wolfson_wm9705_specific,
53020 };
53021
53022@@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
53023 return 0;
53024 }
53025
53026-static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53027+static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53028 .build_specific = patch_wolfson_wm9711_specific,
53029 };
53030
53031@@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
53032 }
53033 #endif
53034
53035-static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53036+static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53037 .build_specific = patch_wolfson_wm9713_specific,
53038 .build_3d = patch_wolfson_wm9713_3d,
53039 #ifdef CONFIG_PM
53040@@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
53041 return 0;
53042 }
53043
53044-static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53045+static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53046 .build_3d = patch_sigmatel_stac9700_3d,
53047 .build_specific = patch_sigmatel_stac97xx_specific
53048 };
53049@@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
53050 return patch_sigmatel_stac97xx_specific(ac97);
53051 }
53052
53053-static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53054+static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53055 .build_3d = patch_sigmatel_stac9708_3d,
53056 .build_specific = patch_sigmatel_stac9708_specific
53057 };
53058@@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
53059 return 0;
53060 }
53061
53062-static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53063+static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53064 .build_3d = patch_sigmatel_stac9700_3d,
53065 .build_specific = patch_sigmatel_stac9758_specific
53066 };
53067@@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
53068 return 0;
53069 }
53070
53071-static struct snd_ac97_build_ops patch_cirrus_ops = {
53072+static const struct snd_ac97_build_ops patch_cirrus_ops = {
53073 .build_spdif = patch_cirrus_build_spdif
53074 };
53075
53076@@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
53077 return 0;
53078 }
53079
53080-static struct snd_ac97_build_ops patch_conexant_ops = {
53081+static const struct snd_ac97_build_ops patch_conexant_ops = {
53082 .build_spdif = patch_conexant_build_spdif
53083 };
53084
53085@@ -1501,7 +1501,7 @@ static const struct snd_ac97_res_table a
53086 { AC97_VIDEO, 0x9f1f },
53087 { AC97_AUX, 0x9f1f },
53088 { AC97_PCM, 0x9f1f },
53089- { } /* terminator */
53090+ { 0, 0 } /* terminator */
53091 };
53092
53093 static int patch_ad1819(struct snd_ac97 * ac97)
53094@@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
53095 }
53096 }
53097
53098-static struct snd_ac97_build_ops patch_ad1881_build_ops = {
53099+static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
53100 #ifdef CONFIG_PM
53101 .resume = ad18xx_resume
53102 #endif
53103@@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
53104 return 0;
53105 }
53106
53107-static struct snd_ac97_build_ops patch_ad1885_build_ops = {
53108+static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
53109 .build_specific = &patch_ad1885_specific,
53110 #ifdef CONFIG_PM
53111 .resume = ad18xx_resume
53112@@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
53113 return 0;
53114 }
53115
53116-static struct snd_ac97_build_ops patch_ad1886_build_ops = {
53117+static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
53118 .build_specific = &patch_ad1886_specific,
53119 #ifdef CONFIG_PM
53120 .resume = ad18xx_resume
53121@@ -1894,7 +1894,7 @@ static int patch_ad1981a_specific(struct
53122 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53123 }
53124
53125-static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53126+static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53127 .build_post_spdif = patch_ad198x_post_spdif,
53128 .build_specific = patch_ad1981a_specific,
53129 #ifdef CONFIG_PM
53130@@ -1949,7 +1949,7 @@ static int patch_ad1981b_specific(struct
53131 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53132 }
53133
53134-static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53135+static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53136 .build_post_spdif = patch_ad198x_post_spdif,
53137 .build_specific = patch_ad1981b_specific,
53138 #ifdef CONFIG_PM
53139@@ -2088,7 +2088,7 @@ static int patch_ad1888_specific(struct
53140 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
53141 }
53142
53143-static struct snd_ac97_build_ops patch_ad1888_build_ops = {
53144+static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
53145 .build_post_spdif = patch_ad198x_post_spdif,
53146 .build_specific = patch_ad1888_specific,
53147 #ifdef CONFIG_PM
53148@@ -2137,7 +2137,7 @@ static int patch_ad1980_specific(struct
53149 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
53150 }
53151
53152-static struct snd_ac97_build_ops patch_ad1980_build_ops = {
53153+static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
53154 .build_post_spdif = patch_ad198x_post_spdif,
53155 .build_specific = patch_ad1980_specific,
53156 #ifdef CONFIG_PM
53157@@ -2252,7 +2252,7 @@ static int patch_ad1985_specific(struct
53158 ARRAY_SIZE(snd_ac97_ad1985_controls));
53159 }
53160
53161-static struct snd_ac97_build_ops patch_ad1985_build_ops = {
53162+static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
53163 .build_post_spdif = patch_ad198x_post_spdif,
53164 .build_specific = patch_ad1985_specific,
53165 #ifdef CONFIG_PM
53166@@ -2544,7 +2544,7 @@ static int patch_ad1986_specific(struct
53167 ARRAY_SIZE(snd_ac97_ad1985_controls));
53168 }
53169
53170-static struct snd_ac97_build_ops patch_ad1986_build_ops = {
53171+static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
53172 .build_post_spdif = patch_ad198x_post_spdif,
53173 .build_specific = patch_ad1986_specific,
53174 #ifdef CONFIG_PM
53175@@ -2649,7 +2649,7 @@ static int patch_alc650_specific(struct
53176 return 0;
53177 }
53178
53179-static struct snd_ac97_build_ops patch_alc650_ops = {
53180+static const struct snd_ac97_build_ops patch_alc650_ops = {
53181 .build_specific = patch_alc650_specific,
53182 .update_jacks = alc650_update_jacks
53183 };
53184@@ -2801,7 +2801,7 @@ static int patch_alc655_specific(struct
53185 return 0;
53186 }
53187
53188-static struct snd_ac97_build_ops patch_alc655_ops = {
53189+static const struct snd_ac97_build_ops patch_alc655_ops = {
53190 .build_specific = patch_alc655_specific,
53191 .update_jacks = alc655_update_jacks
53192 };
53193@@ -2913,7 +2913,7 @@ static int patch_alc850_specific(struct
53194 return 0;
53195 }
53196
53197-static struct snd_ac97_build_ops patch_alc850_ops = {
53198+static const struct snd_ac97_build_ops patch_alc850_ops = {
53199 .build_specific = patch_alc850_specific,
53200 .update_jacks = alc850_update_jacks
53201 };
53202@@ -2975,7 +2975,7 @@ static int patch_cm9738_specific(struct
53203 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
53204 }
53205
53206-static struct snd_ac97_build_ops patch_cm9738_ops = {
53207+static const struct snd_ac97_build_ops patch_cm9738_ops = {
53208 .build_specific = patch_cm9738_specific,
53209 .update_jacks = cm9738_update_jacks
53210 };
53211@@ -3066,7 +3066,7 @@ static int patch_cm9739_post_spdif(struc
53212 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
53213 }
53214
53215-static struct snd_ac97_build_ops patch_cm9739_ops = {
53216+static const struct snd_ac97_build_ops patch_cm9739_ops = {
53217 .build_specific = patch_cm9739_specific,
53218 .build_post_spdif = patch_cm9739_post_spdif,
53219 .update_jacks = cm9739_update_jacks
53220@@ -3240,7 +3240,7 @@ static int patch_cm9761_specific(struct
53221 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
53222 }
53223
53224-static struct snd_ac97_build_ops patch_cm9761_ops = {
53225+static const struct snd_ac97_build_ops patch_cm9761_ops = {
53226 .build_specific = patch_cm9761_specific,
53227 .build_post_spdif = patch_cm9761_post_spdif,
53228 .update_jacks = cm9761_update_jacks
53229@@ -3336,7 +3336,7 @@ static int patch_cm9780_specific(struct
53230 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
53231 }
53232
53233-static struct snd_ac97_build_ops patch_cm9780_ops = {
53234+static const struct snd_ac97_build_ops patch_cm9780_ops = {
53235 .build_specific = patch_cm9780_specific,
53236 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
53237 };
53238@@ -3456,7 +3456,7 @@ static int patch_vt1616_specific(struct
53239 return 0;
53240 }
53241
53242-static struct snd_ac97_build_ops patch_vt1616_ops = {
53243+static const struct snd_ac97_build_ops patch_vt1616_ops = {
53244 .build_specific = patch_vt1616_specific
53245 };
53246
53247@@ -3810,7 +3810,7 @@ static int patch_it2646_specific(struct
53248 return 0;
53249 }
53250
53251-static struct snd_ac97_build_ops patch_it2646_ops = {
53252+static const struct snd_ac97_build_ops patch_it2646_ops = {
53253 .build_specific = patch_it2646_specific,
53254 .update_jacks = it2646_update_jacks
53255 };
53256@@ -3844,7 +3844,7 @@ static int patch_si3036_specific(struct
53257 return 0;
53258 }
53259
53260-static struct snd_ac97_build_ops patch_si3036_ops = {
53261+static const struct snd_ac97_build_ops patch_si3036_ops = {
53262 .build_specific = patch_si3036_specific,
53263 };
53264
53265@@ -3877,7 +3877,7 @@ static struct snd_ac97_res_table lm4550_
53266 { AC97_AUX, 0x1f1f },
53267 { AC97_PCM, 0x1f1f },
53268 { AC97_REC_GAIN, 0x0f0f },
53269- { } /* terminator */
53270+ { 0, 0 } /* terminator */
53271 };
53272
53273 static int patch_lm4550(struct snd_ac97 *ac97)
53274@@ -3911,7 +3911,7 @@ static int patch_ucb1400_specific(struct
53275 return 0;
53276 }
53277
53278-static struct snd_ac97_build_ops patch_ucb1400_ops = {
53279+static const struct snd_ac97_build_ops patch_ucb1400_ops = {
53280 .build_specific = patch_ucb1400_specific,
53281 };
53282
53283diff -urNp linux-2.6.32.9/sound/pci/ens1370.c linux-2.6.32.9/sound/pci/ens1370.c
53284--- linux-2.6.32.9/sound/pci/ens1370.c 2010-02-09 07:57:19.000000000 -0500
53285+++ linux-2.6.32.9/sound/pci/ens1370.c 2010-02-23 17:09:56.764228986 -0500
53286@@ -452,7 +452,7 @@ static struct pci_device_id snd_audiopci
53287 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
53288 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
53289 #endif
53290- { 0, }
53291+ { 0, 0, 0, 0, 0, 0, 0 }
53292 };
53293
53294 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
53295diff -urNp linux-2.6.32.9/sound/pci/intel8x0.c linux-2.6.32.9/sound/pci/intel8x0.c
53296--- linux-2.6.32.9/sound/pci/intel8x0.c 2010-02-09 07:57:19.000000000 -0500
53297+++ linux-2.6.32.9/sound/pci/intel8x0.c 2010-02-23 17:09:56.764228986 -0500
53298@@ -444,7 +444,7 @@ static struct pci_device_id snd_intel8x0
53299 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53300 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
53301 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53302- { 0, }
53303+ { 0, 0, 0, 0, 0, 0, 0 }
53304 };
53305
53306 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
53307@@ -2123,7 +2123,7 @@ static struct ac97_quirk ac97_quirks[] _
53308 .type = AC97_TUNE_HP_ONLY
53309 },
53310 #endif
53311- { } /* terminator */
53312+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
53313 };
53314
53315 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
53316diff -urNp linux-2.6.32.9/sound/pci/intel8x0m.c linux-2.6.32.9/sound/pci/intel8x0m.c
53317--- linux-2.6.32.9/sound/pci/intel8x0m.c 2010-02-09 07:57:19.000000000 -0500
53318+++ linux-2.6.32.9/sound/pci/intel8x0m.c 2010-02-23 17:09:56.764228986 -0500
53319@@ -239,7 +239,7 @@ static struct pci_device_id snd_intel8x0
53320 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53321 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53322 #endif
53323- { 0, }
53324+ { 0, 0, 0, 0, 0, 0, 0 }
53325 };
53326
53327 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
53328@@ -1264,7 +1264,7 @@ static struct shortname_table {
53329 { 0x5455, "ALi M5455" },
53330 { 0x746d, "AMD AMD8111" },
53331 #endif
53332- { 0 },
53333+ { 0, NULL },
53334 };
53335
53336 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
53337diff -urNp linux-2.6.32.9/usr/gen_init_cpio.c linux-2.6.32.9/usr/gen_init_cpio.c
53338--- linux-2.6.32.9/usr/gen_init_cpio.c 2010-02-09 07:57:19.000000000 -0500
53339+++ linux-2.6.32.9/usr/gen_init_cpio.c 2010-02-23 17:09:56.764228986 -0500
53340@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
53341 int retval;
53342 int rc = -1;
53343 int namesize;
53344- int i;
53345+ unsigned int i;
53346
53347 mode |= S_IFREG;
53348
53349@@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
53350 *env_var = *expanded = '\0';
53351 strncat(env_var, start + 2, end - start - 2);
53352 strncat(expanded, new_location, start - new_location);
53353- strncat(expanded, getenv(env_var), PATH_MAX);
53354- strncat(expanded, end + 1, PATH_MAX);
53355+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
53356+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
53357 strncpy(new_location, expanded, PATH_MAX);
53358+ new_location[PATH_MAX] = 0;
53359 } else
53360 break;
53361 }
53362diff -urNp linux-2.6.32.9/virt/kvm/kvm_main.c linux-2.6.32.9/virt/kvm/kvm_main.c
53363--- linux-2.6.32.9/virt/kvm/kvm_main.c 2010-02-09 07:57:19.000000000 -0500
53364+++ linux-2.6.32.9/virt/kvm/kvm_main.c 2010-02-23 17:09:56.764228986 -0500
53365@@ -1745,6 +1745,7 @@ static int kvm_vcpu_release(struct inode
53366 return 0;
53367 }
53368
53369+/* cannot be const */
53370 static struct file_operations kvm_vcpu_fops = {
53371 .release = kvm_vcpu_release,
53372 .unlocked_ioctl = kvm_vcpu_ioctl,
53373@@ -2341,6 +2342,7 @@ static int kvm_vm_mmap(struct file *file
53374 return 0;
53375 }
53376
53377+/* cannot be const */
53378 static struct file_operations kvm_vm_fops = {
53379 .release = kvm_vm_release,
53380 .unlocked_ioctl = kvm_vm_ioctl,
53381@@ -2428,6 +2430,7 @@ out:
53382 return r;
53383 }
53384
53385+/* cannot be const */
53386 static struct file_operations kvm_chardev_ops = {
53387 .unlocked_ioctl = kvm_dev_ioctl,
53388 .compat_ioctl = kvm_dev_ioctl,
53389@@ -2437,6 +2440,9 @@ static struct miscdevice kvm_dev = {
53390 KVM_MINOR,
53391 "kvm",
53392 &kvm_chardev_ops,
53393+ {NULL, NULL},
53394+ NULL,
53395+ NULL
53396 };
53397
53398 static void hardware_enable(void *junk)
53399@@ -2711,7 +2717,7 @@ static void kvm_sched_out(struct preempt
53400 kvm_arch_vcpu_put(vcpu);
53401 }
53402
53403-int kvm_init(void *opaque, unsigned int vcpu_size,
53404+int kvm_init(const void *opaque, unsigned int vcpu_size,
53405 struct module *module)
53406 {
53407 int r;
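diff --git a/main/linux-grsec/xfrm-cache-size-revert.patch b/main/linux-grsec/xfrm-cache-size-revert.patch
new file mode 100644
index 0000000000..c8fcbd0d79
--- /dev/null
+++ b/main/linux-grsec/xfrm-cache-size-revert.patch
@@ -0,0 +1,12 @@
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index 74fb2eb..e158860 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -308,7 +308,6 @@ void __init xfrm4_init(int rt_max_size)
+ * That will let us store an ipsec connection per route table entry,
+ * and start cleaning when were 1/2 full
+ */
+- xfrm4_dst_ops.gc_thresh = rt_max_size/2;
+ #ifdef CONFIG_SYSCTL
+ sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv4_ctl_path,
+ xfrm4_policy_table);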
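Review bot: The inner hunk deletes `xfrm4_dst_ops.gc_thresh = rt_max_size/2;` but keeps the block comment directly above it as context, so once this patch is applied the comment in xfrm4_init() ("start cleaning when were 1/2 full") documents a sizing rule that no longer exists, and `rt_max_size` is no longer used in the lines shown. With the assignment gone, the garbage-collection threshold for the IPv4 xfrm dst cache presumably falls back to whatever the xfrm4_dst_ops initializer sets, which is not visible here; on an IPsec gateway that bound decides when cached entries are reclaimed, so the resulting value is worth stating. I would have the patch replace the stale comment with something like `/* gc_thresh stays at the xfrm4_dst_ops default; scaling by rt_max_size was reverted */` and give the patch file a short header saying which change it reverts and why. xfrm4_init() begins and ends outside the hunk.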